Tag: data breach

22 Jan 2017

Healthcare Security in Critical Condition

Are healthcare organizations more vulnerable to data breaches than other industries?

Healthcare organizations (69 percent) and their third-party business associate (BA) partners (63 percent) certainly seem to feel they have a target on their backs, according to Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. However, that knowledge hasn’t necessarily led to preventative action in many healthcare firms or the BAs that support them. Data breaches in healthcare continue to put patient data at risk and are becoming increasingly costly and frequent. According to Ponemon estimates, data breaches could have already cost the healthcare industry $6.2 billion.

While many of the breaches reported by survey respondents were small, containing fewer than 500 records, nearly 90 percent of healthcare organizations taking part in the study reported they had been the victim of a data breach over the past two years, and 45 percent had more than five data breaches during that same period. Ponemon estimates that the average cost of a data breach for healthcare organizations over the past two years was more than $2.2 million, while the cost to BAs was more than $1 million. The files most often stolen were medical files, billing and insurance records, and payment details, putting patients at risk not only of having personal details exposed but also of financial identity theft.

What’s evident from the data is that employee negligence and mishandling of sensitive patient data is still a huge cause for concern; according to Verizon’s Data Breach Digest, 20 percent of data breaches reported in healthcare are from insider and privilege misuse. In the Ponemon report, 69 percent of health organization respondents cited “negligent or careless employees” as the type of security incident that worries them the most, compared with 45 percent for cyber attackers and 30 percent for insecure mobile devices.

At BAs, negligent or careless employees were cited by 53 percent of respondents as their most feared security incident. Healthcare organizations may be overly worried, as only 36 percent of healthcare organizations named unintentional employee action as a breach cause. For BAs, however, the numbers aligned well, as 55 percent of BAs named unintentional employee action as a breach cause.

According to a second report from Ponemon and Thales, which tracked extensive usage of encryption solutions for 10 industry sectors over three years, healthcare and pharmaceutical organizations have seen the largest jump in use of encryption solutions, with 40 percent of organizations now reporting encryption use. However, the same report also shows that the data type organizations overall are least likely to encrypt (at 21 percent) is health-related information, quite a surprising result given the regulatory requirements, the sensitivity of the data, and the recent high-profile data breaches in healthcare.

Despite the increased frequency of breaches, and the rising costs to deal with the aftermath, half of these organizations still feel they lack the funding and resources to manage data breaches. The intent is there, as most companies have reevaluated their security practices and have implemented policies and procedures designed to curtail breaches. Those practices—however well intentioned—seem to be doing little to stop breaches from occurring.

For many organizations, it comes down to budget constraints; the majority of both healthcare organizations and BAs feel their organization:

  • Has not invested in the technologies necessary to mitigate a data breach
  • Has not hired enough skilled IT security practitioners
  • Has not adequately funded or provided resources for the incident response process

Healthcare organizations report budgets have decreased since last year (10 percent of respondents) or stayed the same (52 percent). The scenario is similar for BAs: 11 percent reported decreases and 50 percent said the budget stayed the same.

Based on these reports, healthcare security is in critical condition. Breaches are happening frequently and are costing both healthcare organizations and BAs more. According to the Ponemon report, accountability for the data breach incident response process is dispersed throughout the organization; however, both healthcare organizations (30 percent) and business associates (41 percent) say IT is the function most accountable for the data breach response process. But who is responsible for stopping these breaches before a response is required?

CIOs and CISOs need to continue to push the envelope in their organization on breach prevention, escalating it to become a key business priority. They can start by putting their policies and procedures under a microscope, and locating where the black hole is when it comes to putting those policies and procedures into practice with employees. The next step is investing in encryption technology to prevent breaches, not just in insurance policies for when they occur.

If you would like to find out how to ensure your critical communication touch points are protected, the additional content listed below may be of interest.

  • Download our REPORT  | Do You Trust Email?
  • Read our MARKET REPORT  | Enterprise Encryption and Authentication Usage
  • Read our REPORT  | Fraudsters, Hackers, and Thieves

By Chris Peel, VP Engineering, Echoworx

15 Nov 2016

Cyberattack Impacts, Deeper and Less Visible Than You Suspect

Cybersecurity is one of the most debated issues in any organization. Although the need to immunize your company from all kinds of cyberattacks remains urgent, the full impact of a cyber incident is still largely unproven.

Recently I read an article by Deloitte which talked about how difficult it is for executives to gauge the impact of cyberattacks on their companies because they aren’t really aware of the work and effort that’s put into making a company cyber secure, or of the consequences of not doing so until it’s too late.

The DNC hack was the biggest election hack in US history. Every other day WikiLeaks is busy making public the “private” conversations that took place within the DNC networks. These private conversations spread like wildfire on social media. Cyberattacks such as the one against the DNC are not uncommon. Every other day, there is breach after breach; just look at the Yahoo data breach, the Anthem medical records breach, and so on.

Emails are used for corporate communications, including classified communications, every day. Sadly, even after all these widely public incidents and demonstrated lessons, a lot of companies still shy away from using encryption. The reasons range from the complexity of the software to overconfidence in the minimal probability of a cyberattack against them. But guess what? No one is secure. No matter how big or how small a company is.

Emails, being the bedrock of the internet, need to be and deserve to be shielded. The costs and impacts of data breaches and cyberattacks include:

  • Notification costs: All necessary activities required to report the breach to appropriate personnel within a specified period.
  • Breach response costs: All activities required to notify data subjects with a letter, telephone call, email or general notice that personal information was lost or stolen.
  • The cost of providing credit-monitoring services for at least a year.
  • Reputational damage.
  • Loss of business.
  • Negative publicity: Extensive media coverage, further damaging the organization’s reputation.
  • Attorney fees and litigation
  • Increase in insurance premium
  • Devaluation of trade name
  • Loss of intellectual property (IP)

It’s in your hands to protect your company’s privacy. And the time to act is now.

If you would like to find out more about the most significant cybersecurity risks and sure ways encryption can mitigate them, the additional content listed below may be of interest.

  • Download our REPORT  | How Much Do You Trust Email?
  • Watch our DEMO  | OneWorld B2C Encryption Protection
  • Read our COVERAGE  | Email security: These steps can stop the hackers

By Chris Grossi, Echoworx

08 Nov 2016

Combating Insider Threats

When Edward Snowden leaked the NSA’s classified documents on its surveillance program, it sent a message loud and clear to companies: if an employee can steal sensitive documents from the NSA, an employee can do that to anyone. The authorized access employees have to a company’s confidential data poses a self-evident risk to its cyber and financial security, because such data can be used to exploit the company.

The motivation behind such treason? It could range from a fraudulent opportunity dangled in front of an employee to resentment that festers and turns into action. It may be an employee’s deeply held morals or beliefs or, in fact, financial gain. Access to the company’s best-kept secrets and inside knowledge of its security weaknesses always gives the culprits the upper hand.

Intentional theft isn’t the only insider threat.

Imagine your company. Now imagine an employee in your company sending a confidential document to a customer. Maybe he is in a rush, or he is groggy, or he is sending the email before his caffeine kicks in, and he sends the confidential document without encrypting it. The hacker is waiting at the end-point to find a vulnerability, and guess what, your employee of the month just handed your company’s security to him on a silver platter. In 2015 over 116 billion business messages were sent a day. That’s 116 billion chances for sensitive information to be intercepted – either with malicious intent or accidentally.

The amount of data that circulates within business networks every day can be staggering, and much of it is deemed to be confidential. Companies in highly regulated industries hold large amounts of confidential data: information that includes biometrics, health records, financial transactions and inventory tracking. The mere chance of getting hold of a wealth of highly confidential information in a single hit makes highly regulated industries a top target.

Since many companies are favoring firewalls and server security and shying away from email encryption, they are leaving a huge loophole for message interception and are putting information at risk. Policy-based email encryption is a key to combating cybercriminals who are dedicating even more effort to breaching corporate email data.

Email encryption solutions, which can be configured to recognize and encrypt specified email based on a company’s preset policies, provide a user-friendly experience for employees and peace of mind for IT management. But will your workforce reliably use them? Case after case has shown us that companies and even entire industries have neglected to ask the question.

If email security solutions – or any other technologies for that matter – are too complicated, employees will almost certainly find easier means to complete a task. In this scenario, security is the ball that is dropped. Insider threats continue to keep senior business leaders awake at night. A recent PwC report in the US found that 32 per cent of respondents consider insider threats to be costlier and more damaging than external incidents.

Encryption is crucial to ensuring that this confidential information remains private and secure – while emails are in transit and at rest. If you would like to find out more about how email encryption can help your business and your employees protect sensitive data, the additional content listed below may be of interest.

  • Download our REPORT  | How Much Do You Trust Email?
  • Watch our DEMO  | OneWorld B2C Encryption Protection
  • View our INFOGRAPH  | 5 Encryption Factors to Consider

By Ali Kiassat, Echoworx

29 Aug 2016

War on Encryption

Governments, and specifically their law enforcement agencies, see encryption apps as potential barriers in investigations. We all remember the infamous Apple and FBI case, where the FBI wanted Apple to break its own security. Similarly, by weakening encryption in apps like Facebook’s WhatsApp and Apple’s iMessage, governments look to gain golden surveillance keys, with the privacy rights of the average person predictably disregarded.

Jacob Ginsberg, senior director at Echoworx, argues that “If you look inside all houses, you will catch more criminals, but is this going too far? We also have to consider how this places the majority of law-abiding citizens at risk.”

The need to provide personal security to people is as crucial as providing physical security. The demands to weaken encryption merely add to the already uphill battle CISOs are facing! Recently, Avivah Litan, a Gartner analyst, was quoted as saying, “Companies are worse off by 100% [with cybersecurity] in comparison to ten years ago because the world is more complicated now.” That explains the fact that 16 billion USD was stolen from 12.7 million identity fraud victims last year.

The average cost of addressing a data breach tops 3.8 million USD. The cost of a data breach varies by industry. The average cost of a data breach per lost or stolen record globally is 154 USD. However, if a healthcare organization has a breach, the average cost could be as high as 363 USD. Further, a data breach due to human error or negligence costs 137 USD per record.

Echoworx believes in strong cyber security, preserving privacy rights, and the expectation of secure digital communication. Its email encryption software, OneWorld, helps corporations from all industries to secure information and communication in and outside of their enterprise. To learn more about strong email encryption, the risks associated with weakened encryption, and why it is a must for your company:

  • Download our REPORT  | How Much Do You Trust Email?
  • Download our DATA SHEET  | OneWorld Enterprise Encryption

By Will Nathan, Enterprise Account Executive, Echoworx