Posts Tagged Data Security

Who is Protecting Your Health Care Records?

Posted by on Monday, 7 March, 2011

Patient Privacy in JeopardyHealth Care Records

How important is a patient’s privacy? If your organization is a health care facility, the instinctive answer that comes to mind is “Very important!” After all, a patient’s privacy is the basis upon which the doctor/patient relationship is based. Right?

But the real answer, when it comes to patient data, may surprise you. According to a study released by the Ponemon Institute, “patient data is being unknowingly exposed until the patients themselves detect the breach.”

The independent study, entitled “Benchmark Study on Patient Privacy and Data Securitypublished in November of 2010 examined  the privacy and data protection policies of 65 health care organizations, in accordance with the mandated Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH requires health care providers to provide stronger safeguards for patient data and to notify patients when their information has been breached.

Patient Data Protection Not a Priority?

According to the study, seventy percent of hospitals say that protecting patient data is not a top priority. Most at risk is billing information and medical records which are not being protected. More significantly, there is little or no oversight of the data itself, as patients are the first to detect breaches and end up notifying the health care facility themselves.

The study reports that most health care organizations do not have the staff or the technology to adequately protect their patients’ information. The majority (67 percent) say that they have fewer than two staff members dedicated to data protection management.

And perhaps because of this lack of resources, sixty percent of organizations in the study had more than two data breaches in the past two years, at a cost of almost $2M per organization. The estimated cost per year to our health care systems is over $6B.

This begs the question: Why?

HITECH Rules Fail to Ensure Protection

HITECH encourages health care organizations to move to Electronic Health Records (EHR) systems to help better secure patient data. And, indeed, the majority of those organizations in the studies (89 percent) said they have either fully implemented or planned soon to fully implement EHR. Yet the HITECH regulations to date do not seem to have diminished security breaches at all, and the Ponemon Institute’s study provides a sobering evaluation:

Despite the intent of these rules (HITECH), the majority (71 percent) of respondents do not believe these new federal regulations have significantly changed the management practices of patient records.

Unintentional Actions – The Primary Cause of Breaches

According to the report, the primary causes of data loss or theft were unintentional employee action (52 percent), lost or stolen computing device (41 percent) and third-party mistakes (34 percent).

Indeed, it would seem that – with the use of EHR systems – technologies should be deployed to assist in these unintentional breaches. And while 85 percent believe they do comply with the loose legal privacy requirements of HIPAA, only 10 percent are confident that they are able to protect patient information when used by outsourcers and cloud computing providers. More significantly, only 23 percent of respondents believed they were capable of curtailing physical access to data storage devices and severs.

The study lists 20 commonly used technology methodologies encouraged by HITECH and deployed by these institutions, including firewalls, intrusion prevention systems, monitoring systems, and encryption. The confidence these institutions feel in these technologies are also listed. Firewalls are the top choice for both data breach prevention and compliance with HIPAA. Also popular for accomplishing both are access governance systems and privileged user management. Respondents favor anti-virus and anti-malware for data breach prevention and for compliance with HIPAA they favor encryption for data at rest.

The Value of Encryption

The study points to the value of encryption technologies – for both compliance purposes and for the prevention of unintended disclosure – and this value is perceived as particularly high by those who participated in the study: 72 percent see it as a necessary technology for compliance, even though only 60 percent are currently deploying it for data breach prevention. These identified needs for encryption falls just behind the use of firewalls (78 percent), and the requirements of access governance (73 percent).

Encryption for data-at-rest is one of the key technologies that HITECH specifically identifies: An encrypted file can not be accidentally examined without the appropriate credentials. In addition, some encryption packages, such as Linoma’s Crypto Complete, monitor and record when and by whom data has been examined. These safeguards permit IT security to audit the use of data to ensure that – should a intrusion breach occur – the scope and seriousness of the breach can be assessed quickly and confidently.

So how important is a patient’s privacy? We believe it’s vitally important. And this report from the Ponemon Institute should make good reading to help your organization come to terms with the growing epidemic of security breaches.

Read how Bristol Hospital utilizes GoAnywhere Director to secure sensitive data.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

FTP “Lack of Security” Exposed

Posted by on Monday, 24 January, 2011

Apollo Project CSM Simulator Computers and ConsolesFTP was designed as an easy mechanism for exchanging files between computers at a time when networks were new and information security was an immature science. In the 1970s, if you wanted to secure a server from unwanted access, you simply locked the computer room door. User access to data was controlled by the basic User ID and password scenario. (Right is a reminder of how much technology has advanced since the 1970s. The photograph,  taken December 11, 1975, is the Apollo Project CSM Simulator Computers and Consoles. Photo Courtesy of NASA.)

The Internet did not yet exist and the personal computer revolution was still a decade away.

Today, the security of business file transfers is of paramount importance. The exchange of business records between computing systems, between enterprises, and even across international borders has become critical to the global economy.

Yet, the original native FTP facility of TCP/IP wasn’t designed for the requirements of the modern, globally connected enterprise. FTP’s basic security mechanisms – the User ID and password — have long ago been outdated by advances in network sleuthing technologies, hackers, malware, and the proliferation of millions of network-attached users.

Risks associated with using native (standard) FTP include:

  • Native FTP does not encrypt data.
  • A user’s name and password are transferred in clear text when logging on and can therefore be easily recognized.
  • The use of FTP scripts or batch files leaves User IDs and passwords in the open, where they can easily be hacked.
  • FTP alone, does not meet compliance regulations. (For example: HIPAA, SOX, State Privacy Laws, etc.)
  • When using an FTP connection, the transferred data could “stray” to a remote computer and not arrive at their intended destination leaving your data exposed for third parties or hackers to intercept.
  • Conventional FTP does not natively maintain a record of file transfers.

The first step is to examine how FTP is being used in your organization. The next step is to identify how your organization needs to manage and secure everyone’s file transfers. The final step is to evaluate what type of Managed File Transfer Product your company needs.

For more information download our White Paper – Beyond FTP: Securing and Managing File Transfers.

Cyber Threats: Beyond Entertainment Value!

Posted by on Tuesday, 7 September, 2010

On June 8th, 2010 the National Public Radio (NPR) broadcast a debate by the public charity Intelligence Squared U.S. (IQ2US) entitled “The Cyber War Threat Has Been Grossly Exaggerated.” The show’s format is based on the traditional Oxford-style debate, with one side proposing and the other side opposing a sharply-framed motion.

The broadcast pitted Marc Rotenberg (executive director of the Electronic Privacy Information Center) and Bruce Schneier, (a security technologist), against Jonathan Zittrain, (a Harvard Law School professor), and the former U.S. Director of National Intelligence, Mike McConnell. Zittrain and McConnell rolled out the heavy security artillery, describing the threats and touting facts and figures, while Zittrain and Schneier pooh-poohed the seriousness of the threat, and tried to cast suspicion onto the U.S. government’s C.I.A., claiming that they just want to spy on us.

The debate was both entertaining and informative, but it also shed light on an unusual dichotomy in our public subconscious regarding cyber security: We – as denizens of computer technology – are as wary as Jason Bourne about where, exactly, our cyber security threats are coming from. Are they coming from real terrorists and enemy spies? Is there really some vast criminal conspiracy afloat? Or are these threats perhaps coming from within the very ranks of government itself?  Who do you really trust and why?

Even the term “cyber” is a subconscious mnemonic to the old Marvel Comics super-villain of the same name, and enemy of Wolverine. Cyber, (alias Silas Burr) in the comic book, was once an agent of the Pinkerton Detective Service before he turned into a criminal mastermind. Why wouldn’t we be suspicious of government representatives telling us that we’re engaged in a kind of comic book war?

But data security is obviously not an issue about comic book super-villains, or government conspiracies. For example, in this same month that IQ2US was airing their debate many of us were receiving notices about a class action settlement. Countrywide Financial – the behemoth that sold mortgages during the real estate bubble and which is now owned by BofA – has begun the process of contacting customers whose identities may have been stolen when their records were pilfered by an employee.

No, it was not Jason Bourne nor Silas Burr, but a former Countrywide senior financial advisor who wanted to sell the names, SS#s, credit information, employment history, and other personal information of mortgage applicants.

The U.S. District Court’s remedy in the settlement will be to require Countrywide to provide free credit monitoring of all those involved in the class action suite for a period of 2 years, along with a potential liability against Countrywide of up to $50,000 for each incident of identity theft.

Isn’t it time we, in our organizations, got serious about data encryption? Shouldn’t we be stepping into this battlefield to fight back with a secure, managed file transfer system between our workstations and servers?

The cyber wars of comic books may populate our imagination, but our company’s challenges are much more real. And if we’re not mindful to use the right tools in our IT departments, we may all be faced with a customer base of angry Jason Bourne’s who have lost their identities through our security lapses.

(Listen or watch the televised debate produced by Intelligence Squared U.S. (IQ2US) entitled “The Cyber War Threat Has Been Grossly Exaggerated” by clicking here.)

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

Who Insures the Insurer?

Posted by on Monday, 2 August, 2010

Do insurance companies maintain Data Security Breach Insurance?

On June 23, 2010 more than 200,000 Anthem Blue Cross customers received letters informing them that their personal information might have been accessed during a security breach of the company’s website. Customers who had pending insurance applications in the system are currently being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed.  It’s one more tumble in a cascade of security breaches that can have terrible consequences for the customers and clients of such a large insurance company.

And of course, this raises an ironic question: Do insurance companies maintain their own liability insurance in the event that their information systems are compromised?  As absurd as it may seem at first glance, it’s really not a laughing matter. According to the Ponemon Institute, the average cost of a security breach is now exceeding $200 per client record.  This would mean that Anthem Blue Cross’s breach last month created a liability as great as $40M.

Moreover, there’s a ripple effect to organizations that do business with insurance companies that suffer such an information security breach.  Each Personnel Department that delivers private employee information to an outside service supplier has an inherent responsibility and liability to its employees.

We all know that the privacy information transferred between companies should use a secure and confidential method of transmission.  Yet too many small and medium-sized companies are still using simple FTP (File Transfer Protocol) software that has been proven to be susceptible to the threats of network hackers.  And by the time these organizations realize their vulnerability, it’s often too late.  These companies are often performing these FTP transfers below the radar of their IT departments.  How does it happen?

Often personnel data is off-loaded to PCs from the main information systems where it is left “in the open” on the hard drives of desktops or laptops. After the data is transferred this residual data is often unprotected, where it’s subject to theft or secondary security flaws. Insurance agents – whose jobs are to facilitate the processing of the data with their insurance providers – can also suffer from such breaches. The loss of an agent’s laptop – through theft, accident, or routine use of USB thumb-drives – poses additional liability.

There are two readily available strategies to help prevent these kinds of security abuses. The first strategy is to use data encryption technologies that not only encrypt the data, but also record into a secure log detailing when, where, and by whom the sensitive data has moved from the main information database.  Linoma’s CryptoComplete offers precisely this kind of encryption capability, and it should be examined by IT professionals as a viable, highly configurable resource for the protection of the company’s information assets.

The second strategy is to use a secure method of transfer for the data itself, ensuring that the information is never left in a vulnerable state on an individual’s personal computer.  By removing FTP access to the data by any employee’s PC and channeling the transfer through the secure corporate server, IT can prevent the problem of network hacking from occurring.  Linoma’s GoAnywhere Director solution is precisely the means of achieving the goal of a secure FTP transfer between companies.

The tragedy of the Anthem Blue Cross breach was the result of a faulty security scheme in the design of its customer service solution.  But it is not the only potential failure of data security that can impact its customers and business partners. And, unfortunately, this information security breach is just one of the 356 million reported breaches that have occurred in the US over the last five years.

So who insures the insurer when a data security breach occurs?  The real answer is IT itself.  And helping IT achieve a better result will be the subject of this blog over the next few months.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

1.800.949.4696  |  sales@linomasoftware.com  |  privacy policy
Copyright ©1994 - 2015 Linoma Software  |  All rights reserved