
Posts Tagged with "DATA BREACH"

8 Ways to Protect Your Healthcare Organization from a Data Breach

Last year there were 328 data breaches of healthcare organizations. That’s a new record, up from 268 the previous year. In these breaches, the records of approximately 16.6 million Americans were exposed. These incidents occurred at all types of organizations in the industry, including clinics, insurance providers and their healthsystem business associates.

If you’re in the healthcare industry, here are eight steps you can take to ensure that your organization isn’t the next one in the news.

#1. Continually Evaluate HIPAA Compliance

You’re in healthcare, so you already know about HIPAA, the Health Insurance Portability and Accountability Act that safeguards Protected Health Information (PHI). Fines for non-compliance can reach millions of dollars and even include jail time, which should be enough to ensure that you take HIPAA seriously. But you should also think of HIPAA as a solid starting point for avoiding major cybersecurity threats.

HIPAA requires annual risk assessments, and it’s not a bad idea to assess your security and compliance even more frequently. In a typical organization a lot of changes are made in a year, including new software implementations and upgrades, employee turnover and role changes, or mergers and acquisitions—all of which can create vulnerabilities. These assessments are also a great chance to evaluate your internal security policy and incident response plan.

#2. Educate Your Employees

We all worry about the nefarious hacker, lurking in a dark room and furiously typing code to steal your organization’s records. The truth is that one of the leading causes of healthcare data breaches in 2016 was employee error.

Make sure that all employees in your organization know what personal information can be shared with patients, caregivers, and others according to HIPAA and any state regulations you need to follow. Give your employees a test of their security knowledge or run simulations through phone calls and emails, and reward the employees who respond correctly.

#3. Manage Roles and Access

Keeping medical records secure can be a challenge because they pass through so many hands, but the access that a doctor needs is different than that of a member of the finance or IT staff. It’s essential that every user has an individual account with role-based access appropriate for their position. The IT administrator should also have full visibility into who accesses or manipulates what data and when, so they can identify suspicious activity such as downloading large volumes of data to an unknown IP address.
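The kind of visibility described above, as an added example that is not from the original post: Python that reads a constructed audit log and flags access outside a user's role, plus large cumulative transfers to addresses outside known networks. The log format, role map, internal network range, and 500 MiB-per-hour threshold are all assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
# Assumed columns: time, user, role, action, resource, bytes, dest_ip
SAMPLE_LOG = """\
2024-03-04T09:01:12,dr_lee,physician,read,chart,48211,10.20.4.17
2024-03-04T09:03:40,j_ortiz,finance,read,invoice,10322,10.20.8.5
2024-03-04T09:05:02,j_ortiz,finance,read,chart,51200,10.20.8.5
2024-03-04T22:14:07,n_patel,physician,export,chart,314572800,203.0.113.50
2024-03-04T22:19:31,n_patel,physician,export,chart,367001600,203.0.113.50
2024-03-04T22:41:55,n_patel,physician,export,chart,209715200,203.0.113.50
2024-03-05T08:30:00,dr_lee,physician,export,chart,52428800,198.51.100.9
"""

# Assumptions for illustration: which resources each role may touch,
# which networks count as known, and what volume per window is unusual.
ROLE_RESOURCES = {
    "physician": {"chart"},
    "finance": {"invoice"},
    "it_admin": {"system_log"},
}
KNOWN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
THRESHOLD_BYTES = 500 * 1024 * 1024
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse CSV audit lines into event dicts with typed fields."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        when, user, role, action, resource, size, dest_ip = row
        events.append({
            "time": datetime.fromisoformat(when),
            "user": user, "role": role, "action": action,
            "resource": resource, "bytes": int(size), "dest_ip": dest_ip,
        })
    return events


def role_violations(events):
    """Return (user, resource) for each access the user's role does not allow."""
    return [(e["user"], e["resource"]) for e in events
            if e["resource"] not in ROLE_RESOURCES.get(e["role"], set())]


def is_known(ip):
    """True when the destination address falls inside a known network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def bulk_transfers(events, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Flag (user, unknown destination) pairs whose bytes within any
    sliding time window reach the threshold."""
    by_pair = defaultdict(list)
    for e in events:
        if not is_known(e["dest_ip"]):
            by_pair[(e["user"], e["dest_ip"])].append(e)

    alerts = []
    for (user, ip), evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        start, total, peak = 0, 0, 0
        for e in evs:
            total += e["bytes"]
            # Drop events that have fallen out of the window ending at e.
            while e["time"] - evs[start]["time"] > window:
                total -= evs[start]["bytes"]
                start += 1
            peak = max(peak, total)
        if peak >= threshold:
            alerts.append({"user": user, "dest_ip": ip, "peak_bytes": peak})
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, resource in role_violations(events):
        print(f"role violation: {user} accessed {resource}")
    for alert in bulk_transfers(events):
        print(f"bulk transfer to unknown address: {alert}")
```

The two checks are independent: the role check catches the finance user opening a chart, while the volume check catches a user whose role permits chart access but whose exports add up to an unusual total.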

#4. Subnet Your Network

It may seem like a basic mistake to an IT or security professional, but you might be surprised how many healthcare providers leave patient records exposed to anyone who accesses the publicly available internet. Subnetting, or creating separate subnetworks, allows you to set aside part of your network for the public and others (with more security) for any applications that touch medical records or credit cards.

#5. Use Multi-Factor Authentication

The standard username and password isn’t secure enough for users who need to access private patient information. Multi-factor authentication typically requires at least two of the following: something you know (like your password), something you have (like a token), or something you are (like a fingerprint). A 2015 report by the Office of the National Coordinator for Health IT found that, while hospital support for multi-factor authentication had risen by 53 percent since 2010, only half of small urban hospitals were capable of it. Fifty-nine percent of medium and 63 percent of large institutions had the capability.

If you are a healthcare organization that still doesn’t support multi-factor authentication, it’s a key step to take toward securing your data.

#6. Protect Devices and Be Cautious with BYOD

The majority of healthcare data breaches occur not because of hackers, but because of stolen or lost devices. For devices owned by your organization, make sure they are encrypted and that you have the ability to wipe them remotely.

You should also adopt strong security measures in your BYOD policy. Employees will want to have the convenience of easily accessing PHI from their tablets, laptops, or mobile phones, but if one of these devices falls into the wrong hands, the result could be devastating to your company. Here are some steps you should take in your BYOD policy:

  • Require strong authentication methods
  • Don’t allow medical records to be stored on employee devices
  • Prevent devices from connecting to healthcare applications beyond a certain distance from your facility

#7. Ensure Business Associates are Protecting PHI

Healthcare providers rely on a wide network of associated companies and services. Business associates of organizations that must comply with HIPAA are also held to HIPAA standards for protecting patient data and will be fined if they fail to do so. Your business associate agreements with these organizations should be tailored to both HIPAA and any state regulations that apply to your organization. The associates should be required to develop internal processes to assess security, and discover and report data breaches. Choose business partners that are agreeable to complying with security best practices or they will be a liability.

#8. Encrypt Data at Rest and in Transit

HIPAA states that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate.” That can be a little hard to interpret, but regardless of HIPAA or other regulations, strong encryption is the best way to protect your data.

HIPAA also says that if encrypted data is stolen, the incident does not constitute a data breach. In other words, you can avoid damaging your reputation by having to notify your patients, the media, and the government by using encryption.

A managed file transfer solution can encrypt your files both at rest and in transit using modern, secure encryption methods. Good MFT software will help ensure that you stay up-to-date as encryption standards change over time, while also making your data transfers simple to manage and audit.

To find out how GoAnywhere MFT can help you stay HIPAA compliant, download the guide.

 


3 Data Breaches That May Have Been Avoided through PCI DSS Compliance


“Dear Valued Customer,

As you may have heard, on September 8, 2014, we confirmed that our payment data systems have been breached, which could potentially impact customers using payment cards at our U.S. and Canadian stores.”

 

This is an excerpt from an actual email distributed by a large retailer, in the wake of a massive data breach jeopardizing over 50 million credit cards. Since 2004, Payment Card Industry Data Security Standards (PCI DSS) has stood as a core regulation aimed at thwarting breaches like the above, and any organization that accepts, transmits or stores cardholder data must comply.

Now, here’s the shocking truth: In the latest PCI DSS Compliance Report conducted by Verizon, none of the companies it had investigated in ten years had been fully PCI DSS compliant at the time they were breached.

In many cases, companies achieve total PCI DSS compliance once but don’t sustain it. According to the Verizon report, 80 percent of companies fail at interim assessment. Technology moves quickly, and compliance solutions and policies implemented in past years may not be enough to stand up to modern security threats.

Other organizations believe that they don’t have to worry about protecting data. They believe their business is too small to be the target of hackers, or too large and successful to be using outdated, inadequate security practices. Sometimes they believe that data breaches only affect big retailers, not other industries.

But PCI DSS compliance needs to be taken seriously by everyone or the consequences can be devastating. Here are three organizations that experienced the detriment of non-compliance.

#1: Data Breach at Home Depot Compromises 56 Million Credit Cards

In what went down in history as one of the worst retail data breaches of all time, malware infected Home Depot point-of-sale systems and stole millions of customer credit and debit cards. The Home Depot attack seems to be a case of relying on inadequate software solutions and policies for data breach prevention. Employees later said that the company used outdated antivirus software and failed to monitor the network for unusual behavior.

PCI DSS standards require routine vulnerability scans, but according to employees, more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff. In Home Depot’s case, investing in security software with the ability to audit security infrastructure for PCI DSS compliance may have been the difference between a $19.5 million data breach settlement and business as usual.

#2: Office of Personnel Management Data Breach Affects Millions

After hackers attacked the Office of Personnel Management (OPM)’s servers and stole the personnel files of 4.2 million former and current government employees, as well as the security clearance background investigation information of millions more, a congressional investigation uncovered the organization’s security shortcomings.

Among many other findings, the report took especial issue with the department’s lack of two-factor authentication for employee access to sensitive data, claiming it was an oversight that could have prevented the security breach. This points to a key problem that PCI DSS compliance is meant to address. It’s not enough to encrypt and protect your files during transfer; you need to monitor internal actors as well. A robust security solution will authenticate users, give them only the access they need, and maintain a detailed log of each user’s actions.

#3: Over 45 Million Credit Card Numbers Stolen in TJX Breach

TJX Companies, owner of popular home brands such as TJ Maxx, Marshalls, and HomeGoods, experienced a data breach in which more than 80GB of cardholder data was stolen over a period of 18 months. Before the company was able to detect and halt the breach, 45.6 million records had been stolen.

Documents filed in court after the breach claimed that TJX had failed to comply with nine out of the twelve PCI DSS requirements. Factors contributing to the incident included an improperly configured wireless network, a failure to segment networks carrying cardholder data from the rest of TJX's network, and the storage of prohibited data. Two members of the PCI DSS Standards Council later pointed to PCI DSS compliance as the clearest way to protect data against a TJX-style breach.

PCI DSS Compliance Can be Tricky, We Get It.

No company embarks on an initiative to avoid PCI DSS compliance. You are trusted by your customers, partners and vendors to take the proper measures to secure and protect their sensitive payment data. It’s that trust that has kept your company successful for so many years!

We read about data breaches and attacks like these in the news on a regular basis, but we don’t pause often enough to audit our own data security practices. IT infrastructure in today’s enterprises is increasingly complex, especially for large companies with systems spread around the world like Home Depot. Add to that the fact that PCI DSS compliance has multiple, complex requirements, and it can be daunting for IT and security teams to implement a sustainable process that ensures ongoing compliance.

PCI DSS compliance can be greatly simplified by using software solutions with features designed to help you achieve security and compliance. This type of software addresses PCI DSS requirements, provides the information you need to satisfy an audit, and in some cases even helps you check whether you are meeting compliance standards.

PCI DSS Compliance with Secure Managed File Transfer

File transfers are an essential point of vulnerability to consider when developing your security strategy. The most common file transfer pitfall is relying on inadequate methods such as poor FTP implementation practices, file sharing apps, and unencrypted email attachments.

A secure managed file transfer (MFT) platform guards your sensitive data against attacks with robust security and encryption methods, all while streamlining the file transfer process and saving your team time and resources that can be used to tackle other potential security issues.  Furthermore, a good MFT solution will have features like detailed audit logging and compliance assessments to eliminate the headache involved with ensuring your file transfers are compliant.

To make protecting data transfers as easy as possible, make sure your managed file transfer platform provides:

  • Secure connections for the transmission of sensitive data
  • Integration with existing critical applications
  • Role-based security and user authentication
  • Strong encryption methods
  • Detailed logs for audit reporting

Securely managing your data transfers is just one aspect of achieving PCI DSS compliance, but it is an essential step toward fully protecting your enterprise against security threats.

 

Interested in learning more about PCI DSS compliance? Explore our PCI DSS resource section for requirement details, industry whitepapers and recent articles.

 

Assess the PCI DSS compliance of your file transfers for free when you try GoAnywhere MFT for 30 days. Sign up for a trial here.


Data Breach Response Plan | Templates & Resources

What is a data breach?

The definition seems obvious for any organization.  A data breach occurs when data that was supposed to be protected from unauthorized access is exposed.

What may not be as clear cut is all the ways that sensitive data can be compromised. These include malicious attacks, accidental mistakes, and employee incompetence. Confidential information can fall into the wrong hands during electronic file transfers, through access to lost or stolen devices, or through hackers' infiltration of a company's servers. Even sending an unsecure email could qualify as a data breach, depending on the information it contained.

What is your data breach response plan?

Sometimes known as an incident response plan, a data breach response plan is a critical component for ensuring your company is able to properly respond to a data breach. As complex as the causes of data breaches can be, the steps for responding are fairly straightforward, though time-consuming, stressful, and expensive.  Dealing with the breach will be monumentally more challenging if you don't already have a data breach response plan in place.

Generally agreed-upon steps include:

  1. thorough, extensive documentation of events leading up to and immediately following the discovery of the breach
  2. clear and immediate communication with everyone in the company about what happened, and how they should respond to any external inquiries
  3. immediate notification and activation of the designated response team, especially legal counsel, to determine whether law enforcement and/or other regulatory agencies need to be involved
  4. identification of the cause of the breach and implementation of whatever steps are necessary to fix the problem
  5. development of messaging and deployment schedule for notifying those whose data was compromised, based on counsel from lawyers who will review state laws, compliance regulations, and other mandates affecting what the messaging must say and how soon notification must occur, as well as what compensation to affected victims should be provided

4 Data Breach Resources

If your company does not yet have a data breach plan in place, or if you've been thinking it might be time to update your current policy, here are four great resources that you'll want to review.

Data Breach Response Guide (Experian Data Breach Resolution Team)

Here is a comprehensive 27-page PDF that covers creating your data breach response plan, practicing your plan, responding to a data breach, and auditing your plan.

Security Breach Response Plan Toolkit (International Association of Privacy Professionals (IAPP))

Use this questionnaire to guide the development of your incident response plan.  Involve your executive and IT team so everyone can better understand all facets of the process.

Specifically designed for small businesses, the BBB provides a series of articles and resources to help companies understand the issues surrounding data security, as well as how to build a response plan.

Model Data Security Breach Preparedness Guide (American Bar Association)

For those with limited access to legal counsel, this PDF provides an overview from the legal perspective of how to prepare for a data breach.  It obviously isn't a substitute for seeking advice from a lawyer who knows or can learn the details of your specific situation as well as the laws that apply in your state and industry.  However, it does provide some good general information that could help you launch a discussion with your legal team.

Definitions of Personal Information and Breach of Security by State (Baker Hostetler law firm)

If your company does business in more than one state, this is a great starting point to review how different states' data breach laws compare.  Again, it doesn't take the place of your legal team, but it's a helpful overview.

What other resources do you know about that should be included in this list? Let us know in the comments!

Learn how IT management can defend against data breaches in our whitepaper, “Defending Against Data Breach: Developing the Right Strategy for Data Encryption.”


Healthcare Industry Still Lags in Protecting Data

As healthcare information security requirements and penalties get tougher, a great deal of discussion is focused around how well the healthcare industry is securing patient data.


The general consensus is that the industry still has a long way to go. One of the industry's publications, Healthcare InfoSecurity, released the results of the Healthcare Information Security Today survey, sponsored by RSA, which took an in-depth look at security and IT practices of senior executives in the healthcare industry.


The survey reviews many information security topics including

  • Impact of a data breach
  • Security threats
  • Compliance and steps to improve security
  • Risk assessment

Some of the responses surprised us by showing how far healthcare companies still need to go for proper HIPAA compliance. Take a look at these statistics:

  • 55% of respondents were not confident in their organization's ability to comply with HIPAA and HITECH Act regulations concerning privacy and security (grading themselves adequate or less).
  • 66% responded that their organization's ability to counter internal information security threats was adequate or less.
  • Only 47% of survey participants utilize encryption for information accessible via a virtual private network or portal.
  • 32% of respondents have not conducted a detailed information technology security risk assessment/analysis within the past year with 47% updating their risk assessment only periodically.

The good news is that the survey shows that healthcare organizations are taking steps in the right direction to improve their security practices.

  • 37% of organizations' budgets for information security are scheduled to increase over the next year.
  • 40% of respondents plan to implement an audit tool or a log management solution within the next year.

When asked what their organization's top three information security priorities are for the coming year, the top responses included

  • Improving regulatory compliance efforts
  • Improving security awareness/education
  • Preventing and detecting breaches

Healthcare IT teams will need updated security policies, comprehensive training for employees, and reliable tools and solutions that can deliver functionality, ease of use, audit reporting, and efficient workflows that protect the security of confidential data at rest and in motion.

The pressure is growing, compliance audits are looming, and tackling these issues is just part of the evolution of the healthcare industry.


Retailers Struggle to Protect Against Data Breach

As thousands of harried spouses and romantically entangled Americans scramble to find the right Valentine's Day gifts this week, many are pulling out the credit cards and ordering online or over the phone or waiting in line to swipe their debit cards at the florist or candy store. That's a lot of personal data zooming through cyberspace, which can make the perfect gift for hackers.

One of the compliance regulations that controls how merchants and others handle credit card data is PCI DSS, established to prevent, detect and react to unauthorized access to personal payment information.  The standards are strict and penalties can be stiff.

The challenge comes when retailers, overwhelmed with busy shopping seasons and lines of customers, have so many things to manage that their vigilance protecting customer data can lose priority.  And yet, it just takes one misstep to open the doors to a data breach.

That's why it's critical that retailers and other organizations who handle credit card information regularly assess their data protection policies and processes, and implement effective encryption and data transfer tools that can automate the process of keeping data secure so they can focus on keeping their customers happy.

For more information about how Linoma Software can help keep your data safe at rest and in motion, email linoma.solutions@helpsystems.com.


New Protections for Patient Data Increase Pressure For Trading Partners to Get Compliant

Yet another layer of regulation has been added to the Health Insurance Portability and Accountability Act (HIPAA) that offers even greater protection for healthcare patients' privacy, while also defining new rights regarding how they can access their health records.

The biggest change is the expansion of HIPAA compliance requirements to include trading partners and third parties who also handle patient data, such as billing companies, contractors, and more. The U.S. Department of Health and Human Services (HHS) reports that these third parties have been responsible for several significant data breaches, which is one reason the responsibility for compliance has been extended to this group.

Penalties for violating HIPAA compliance rules will be assessed based on the determined level of negligence, and can go as high as $1.5 million per incident.

Other issues addressed with the latest additions to the HIPAA regulations include more clarity in defining which types of breaches need to be reported, as well as how patients will be allowed to access and interact with their health records electronically.

If you're concerned about whether your FTP server meets compliance regulations, join us for a webinar on Thursday, Jan. 31 at Noon Central entitled "Get Your FTP Server in Compliance!"  You can learn more about the agenda for this webinar here.

For more information about the new HIPAA rules, check out the press release from HHS.


Healthcare Data Breaches on the Rise

Stories of data breaches across all industries continue to make the news, and nowhere is the pressure greater to keep data safe than on healthcare IT managers.

Healthcare IT News states that health data breaches increased by 97% in 2011. The 2012 Data Breach Investigations Report from Verizon's RISK team confirmed that over 174 million records were reported as compromised, mostly as the result of hackers accessing the data. According to the Identity Theft Resource Center 2011 Breach Stats Report, 20% of all data breaches in 2011 were in the healthcare industry.


What is most startling about this report is that, according to the RISK study, 97% of these cases could have been avoided through simple or intermediate security controls.  The graphic (see right) is one of the many included in Verizon's study.

Because data is most commonly compromised from corporate databases and web servers, hackers who gain access to these vulnerable areas are mining this data for private information such as social security numbers, birthdates and credit card information.

Studies like these underscore the importance of establishing network security perimeters and implementing procedures that protect the privacy of  patients' information residing on these servers.

IT managers must be vigilant to combat hackers' ever more sophisticated tools and methods, and that begins with better security procedures at the office.

Security Policy and Procedures Document

The first step in ramping up security is to write and formalize a security policy and procedures document that addresses best practice protocols and that encompasses applicable HIPAA and HITECH regulations.

Next, all employees must be trained and expectations for compliance made clear,  because it takes a concerted effort on everyone's part to ensure the required protections are implemented consistently.

Secure Data Files In Motion

One of the more popular ways for hackers to capture sensitive data is via the movement of files and documents across the Internet.  In an earlier blog post, we talked about how standard FTP is commonly used to send files. However, FTP sends the files in unencrypted form, and offers no protection for the server's login credentials. Once those credentials are captured, hackers can use them to access the FTP server to mine additional data files.

While managing the security of all of the files in the office may seem overwhelming, Managed File Transfer solutions can simplify this task. Used in conjunction with a reverse proxy gateway, a much greater security perimeter is formed around the network, servers and the sensitive data that need protection.


HITECH Compliance Offers Challenges for IT

Outside of the finance industry, healthcare is one of the most regulated industries in the U.S.  As the healthcare policy debates rage on, one issue on which most Americans can agree is the need to keep personal healthcare information confidential and secure.

Major regulations such as HIPAA and HITECH have been passed into law to increase the security of our personal health information.  For better or worse, a major portion of the burden to comply with the regulations and all of their revisions falls upon the IT professionals.

HIPAA and HITECH: a brief overview

While HIPAA (Health Insurance Portability and Accountability Act), passed in 1996, has received the most attention (see our blog), the more recently implemented HITECH law is quickly having an impact.

HITECH (Health Information Technology for Economic and Clinical Health Act) was passed into law in 2009. The goal of HITECH is to strengthen the civil and criminal enforcement of already existing HIPAA regulations that require health organizations and their business partners to report data breaches. HITECH also increases the penalties for security violations, and implements new rules for tracking and disclosing patient information breaches.

Data breach notification

Under HITECH rules, all data breaches of PHI (protected health information) must be reported to the individuals whose data was compromised. This includes reporting files that may have been hacked, stolen, lost or even transmitted in an unencrypted fashion.  If such a breach -- or potential breach -- affects 500 people or more, the media must also be notified.   Breaches of all sizes must always be reported to the Secretary of Health and Human Services (HHS), but if fewer than 500 individuals' records are affected, healthcare organizations can report the breach via the HHS website on an annual basis.  Larger breaches must be reported to HHS within 60 days.

Penalties for data breach

The HITECH Act implements a four-tier system of financial penalties assessed based on the level of "willful neglect" a healthcare organization demonstrated resulting in the breach. Fines range from $100 per breached record for unintended violations all the way up to $50,000 per record (with an annual cap of $1.5 million) when "willful neglect" is demonstrated.

Access to electronic health records (EHRs)

HITECH requires that the software that a health organization uses to manage its EHRs must make a person's electronic PHI records available to the patient and yet remain protected from data breach by encrypting the data and securing the connection.  Not surprisingly, email is not considered a secure method of data transmission.

Business associates

Before HITECH,  business associates of healthcare organizations were not held directly liable for privacy and security under the HIPAA rules, even though they had access to PHI.  HITECH now requires that all business associates with access to PHI are subject to the HIPAA rules and must maintain Business Associate Agreements with the healthcare organization that provides the PHI.  Business associates are also required to report any data breaches and are subject to the same penalties as their healthcare business partners.


Are Insurance Companies Managing Their Risk of Data Breach?

An injury that doesn't happen needs no treatment. An emergency that doesn't occur requires no response. An illness that doesn't develop demands no remedy. The best way to stay safe is to avoid getting into trouble in the first place. That requires planning, training, leadership, good judgment, and accepting responsibility--in short, risk management.

 -- Boy Scout Field Book

Insurance companies are the experts at analyzing and managing risk. They identify, quantify and set pricing based on the calculated costs of risk. Naturally, the higher the perceived risk, the higher the cost to mitigate the potential losses.

Yet here is the irony.  While those in the insurance industry excel at evaluating risk management for their clients, they often neglect risk mitigation within their own operation.

Exposed data is a serious risk

The insurance industry collects and analyzes overwhelming amounts of data. This often sensitive and confidential information becomes the basis upon which many critical decisions are made, and which produces the competitive advantage to provide better policies, prices, and solutions to the market.

All of this data, both historical and cutting-edge, is truly the lifeblood of the insurance industry. Therefore, the astute management and protection of this data is the infrastructure of arteries and veins delivering this lifeblood to all of the appendages of the company that need the results of this data compilation.

In addition, this sensitive and private information is disseminated to various internal and external associates, customers, partners and collaborators usually via the Internet, which exposes this data to compromise.

And yet, despite their expertise in risk analysis, many in the insurance industry fail to ask these questions:

  • Given how much data we're exchanging with clients, partners, financial institutions, healthcare organizations, etc., what is our risk of a data breach?
  • What is our liability if we suffer a data breach?
  • What can be done to mitigate potential losses?

When examined this way, any underwriter would agree that failure to adequately protect the sensitive data continually in transit in an insurance company's daily workflow presents an extremely high risk.

Insurance industry, heal thyself

If data really is the lifeblood of the insurance business, and the data center is at the heart of the company, then the arteries and veins are the methods of moving that data to and from your departments, clients, business partners, and others.

While adding layers of physical security to the data center is a top priority for insurance IT professionals, securing the pathways in and out of that data center tends to be overlooked, despite media coverage of data breaches at companies worldwide.   This lack of action underestimates the extent of the public's concern that their private data may be compromised, and state and federal efforts to more strictly regulate data storage and transfer policies.

Effectively managing FTP transactions is essential to mitigating the risks of data loss.  The costs of implementing managed file transfer solutions are minimal and provide tremendous flexibility when striving to meet the requirements of trading partners and compliance regulations.

As the insurance industry knows better than anyone, the best approach is to mitigate risk with a cost efficient solution.  In this case, taking direct action to protect data transfers is the obvious prescription for any organization -- especially one based on risk management.