Tag: drm protected

How Worried Should We Be about the Hacks on the Government?

Every time we look to the news we find at least one data breach incident, some more minor than others. In the past, however, it was businesses in retail, finance or healthcare. Now we look to the news and discover that more and more data breaches are focused on the government. The targets range from third-party contractors that deal with the government to household names such as the Internal Revenue Service, the White House, and most recently the Office of Personnel Management (OPM).

Initially, last year the OPM reported that about 4 million government employees had their personal data compromised. However, records now reveal that a possible 18 million people, possibly more, have had their information compromised. This is now one of the largest data breaches in US history.

We’ve come to realize that, much like in other businesses, the data in these government data breaches was not encrypted. The hackers are having no problem going after the information and selling it on the black market. The continuing focus on protecting the perimeter is now hopeless against those who are already inside, or once the hackers somehow get in.

What have we always preached from day one?

Protect the data itself.

Is it time to move on from a perimeter-centric approach and start to use a data-centric security model such as digital rights management to encrypt their data? In this case, it is clearly a necessary shift for the government. There should be no more talk about how we need better security; it is now time to act on this talk, pass the reforms that are needed for cyber security and require data to be encrypted. As some states are already taking these steps, the federal government needs to do the same to close the gap against these threats.

Every organization, including the government, needs to refocus on what it will do to protect its most valuable data and on what is already out there to protect that data. From start to finish, a complete data security framework needs to be implemented, not only to protect your data but also to keep the data structured and to determine the risks that remain after you have protected your data against insiders.

Photo Credit: NCinDC

New Trend: Healthcare

I don’t know how much more we can continue talking about healthcare data breaches. This is again a multi-week run of data breaches in the healthcare industry, over and over. Anthem Inc., then Premera Blue Cross, and Advantage Dental all announced they had data breaches; however, nothing was said about whether their data was encrypted.

How can 80 million, then 11 million, then finally 150,000 patient records all get exposed in a month or so? Have we become so sure that we will not be a target of hackers and insider threats? The question now is not if, but when a data breach will happen. This is even more common in the healthcare industry.

The list of blogs that we have written alone covers a lot about how we can help the healthcare industry protect PHI against being exposed. This is not only against outside attacks, but also against malicious and accidental insider threats. What is the reason behind this? The reason is that we protect the data itself, no matter where it is.

In addition, many states are very close to imposing regulations and laws to protect patient health information. They will also penalize organizations that deal with this information and do not have the proper protection against such attacks.

It’s also time to stop focusing on the perimeter; for the past couple of years that perimeter can no longer be defined, as it has become so wide. Taking the proper steps to protect sensitive information of this nature must now be paramount to all healthcare organizations.

Make sure that data is DRM protected, as this can prevent hackers from accessing the data even after it has been stolen.

Remember, the new threat is that your data is under attack. It could be happening even at this very moment, given all the recent APT (Advanced Persistent Threat) attacks. Don’t ignore the threat, as it has become very real on a big scale.

Picture Credit: Adrian Clark

Healthcare Industry has the Worst Data Security Practices

Following the biggest data breach yet this year, with over 80 million Americans’ patient records being exposed from Anthem, the healthcare industry’s reputation for data security is at an all-time low. All of last year there were issues with insider threats, from malicious to accidental. To add to this, there are now reports that it was email that was used to get into the Anthem network and steal all that data.

The data, which was not encrypted, was stolen, and the hacking started from employees’ email accounts.

This is not the first time, although it is the most covered by the media; there were many, many times last year when laptops were stolen or former employees accessed the network to steal patient-related sensitive information. Already many states have seen this and are saying that “enough is enough!” The push for better data security such as encryption is now close to being considered law for those organizations that deal with customers’ personally identifiable information.

A lot of healthcare organizations have performed security and compliance training; however, with a failure rate of over 70 percent according to a 2011 report on IT security best practices, human error is more than possible even with security technologies in place.

Isn’t it time to make sure that data is secured no matter what?

Although retail and finance have taken over the majority of data breaches due to their large numbers of records exposed, judging by the headlines, healthcare seems to take the lead in how common those breaches are. To be more exact, the healthcare industry accounted for 43% of all major breaches in 2014, according to the Ponemon Institute.

Within healthcare organizations, a whopping 93% of information held requires protection, according to EMC’s The Digital Universe report. The data includes claims requests, PHI, and medical records. Yet only 57% of this information is “somewhat protected,” while 43% is inadequately safeguarded, the report found. Somewhat protected, inadequately safeguarded?

The best way to ensure that data is secure is to make sure it is DRM protected. Fasoo Enterprise DRM, or Digital Rights Management, protects the data itself to provide a more secure work environment. Meeting compliance requirements and regulations is one thing, but ultimately protecting data and protecting patient health information should be the 2015 goal for the whole healthcare industry.

Photo Credit: Daniel Lobo

Mandating Encryption for Organizations

Connecticut is taking the next step in guaranteeing that customer data is secure. If companies want to do business in this state, they will have to make sure that all personal data that is stored and transmitted is encrypted. In addition, this soon-to-be law would require businesses to enable stronger password protections and control how much personal identifying information can be downloaded at one time, to help mitigate damage in the event any data is stolen.

Nearly one-third of Connecticut residents were affected by the Anthem breach. It is no wonder that states like Connecticut, Maryland and New Jersey have made headlines pushing for all organizations to encrypt any sensitive data they have, especially data that pertains to customers. Connecticut Senate Majority Leader Bob Duff, D-Norwalk, explains that, “In the long run, I think that companies will find it cheaper to implement these protocols than to have to clean up the mess of a data breach.”

How should we feel about these new laws? Well, for one thing, as customers, we are glad that steps are being taken to protect our data. For organizations, not only does this help them build confidence among customers, but among other things it also protects an organization’s own sensitive data.

Without encryption, there is no way that companies can protect their data against hackers once it is stolen from their organization. Trusting security policies, programs, training, strategies, etc. is useless against insider threats.

However, there is a solution, and all organizations that did not know about it before have surely heard about it now: Fasoo Enterprise DRM (Digital Rights Management), which protects organizations and also builds confidence for customers that their data is secured. If data is DRM protected, then this is one less concern that organizations in Connecticut, Maryland, New Jersey, Massachusetts, and more states have to have.

Photo Credit: Dug Song

It’s a Bad Week for the Healthcare Industry

It definitely has been one of the worst weeks for data breaches in the healthcare industry. We went from big news from Worcester, MA, with UMASS Memorial Medical Group (UMMG) reporting an insider data breach of about 14,000 patients’ health information, to probably not just the biggest healthcare data breach but potentially the biggest breach of the year, with up to 80 million patient personal records on the line. The recent breaches have sparked debate over whether federal law should be changed so healthcare companies would be required to encrypt sensitive data they hold. The FBI last year also warned healthcare companies industry-wide that their data security practices needed to be strengthened amid the growing threat of cyberattacks.

Although Anthem Inc. was commended for detecting the breach only weeks after it apparently began, unlike the UMMG breach, it still says to patients who entrust their sensitive information to these organizations that these breaches will continue to occur. However, with big names like Anthem making the headlines, it is with great hope that these organizations are coming along and understanding the need to protect their data. Healthcare data holds a much longer shelf life than just a stolen credit card, which is why that data is becoming increasingly popular with cyber criminals. That type of information can be used to open up credit accounts and to commit identity theft, medical billing fraud, and insurance fraud.

Although security awareness and training are valuable and helpful, the time to make sure that the data itself is secure is now. Making sure that the data is encrypted and that permissions to that data are under control proves to mitigate the risk of exposure even after the data is stolen. Whether the threat is outside hackers or insiders, the data itself must be persistently secure.

Fasoo Enterprise DRM (Digital Rights Management) provides organizations such as the two mentioned above, and a whole lot more in many different industries, with the ability to protect, control and trace sensitive data containing intellectual property, patient health information (PHI), personally identifiable information (PII) and more. It maintains file protection and prevents unintended information disclosure no matter where the data is.

Having your data DRM protected with Fasoo will mitigate the risk and ensure that you won’t make the news for the same reasons as UMMG or Anthem Inc. Doesn’t that sound like a plan?

Photo Credit: Perspecsys Photos

When Data Breaches Come from Within

Insider threats remain a higher concern for businesses not only in the United States, but around the world. Businesses are more than ever expected to maintain or increase their data security and data protection budgets to mitigate the risk of insider threats. When we look at business today, more than 93% of U.S. respondents to a survey say they feel vulnerable to insider attacks. There is no doubt that those who come from within a business pose the most threats.

Nowadays, preventing data breaches has become one of the highest priorities for IT security spending and, based on recent headlines, the cloud and databases are the most at risk. Unfortunately, it is only after an organization experiences a data breach or fails a compliance audit that organizations “play catch-up” to secure their sensitive data. Privileged users still remain the greatest threat, but contractors and service providers, along with business partners, still pose a threat from the inside. Whether the threat is malicious or unintentional, the fact that sensitive information remains unprotected even with all these headlines is beyond any consumer’s guess.

Some of you may think: our perimeter defenses are strong, so we don’t have to worry about data breaches. But those defenses won’t stop an insider attack from happening. Insiders have two major things that make them more dangerous than an outsider. Insiders already have network access, sometimes at a high level. They also know much of what is on the network as well as where.

To truly combat the insider threat, a much more persistent and complete approach to security is needed. As always mentioned, it is not so much about the user or the perimeter as it is about the data itself. Any data that is protected by Fasoo Enterprise DRM (Digital Rights Management) has that security against both insider threats and external hackers. The reason, as mentioned, is that Fasoo protects the data itself no matter where it goes. Whether malicious or accidental, insider threats continue to make the headlines each month, and we cannot sit back and let these incidents continue to happen.

With your data DRM protected, and secured with the right security against data breaches, organizations can take a stand and say enough is enough. Keep your data secure with Fasoo Enterprise DRM.

Photo Credit: Perspecsys Photos

Is Data Encryption the Answer

Organizations are beginning to contemplate what the best solution is to prevent data breaches from happening to them. Recently the NCUA experienced a data breach when an examiner lost a flash drive with members’ personal information. Soon after, NCUA Board Chairman Debbie Matz contemplated a rule that would require encryption of the data.

Matz said it right, though, when stating, “That’s a very fundamental thing to do, to make sure that if the data is lost or stolen that members’ confidential information is protected.”

To be honest, in the era of data breaches you don’t see a lot of headlines about organizations even contemplating requiring encryption of their data. However, it is about time, and a lot of people are probably wondering why other major retailers, healthcare organizations, financial institutions, etc. are not making the headlines saying the same thing. Regardless of whether information was hacked from the outside or stolen by insiders, if the data was encrypted, there is reassurance for both organizations and customers that their data is protected.

Data-centric security such as digital rights management can prevent the exposure of sensitive and confidential files. By being able to encrypt your data and assign specific permissions to it as soon as it is created, you can have complete control and protection regardless of location or format.

As we see the data breach headlines start again in this new year, now is the time to make the decision to protect “the bottom line”. There is no excuse now: protect the data at all costs.

Photo Credit: PrivateWave

Insider Threats Continue in the Health Care Industry for 2014

We are in the last month of 2014, and we continue to hear about insider threats in the healthcare industry. In a recent headline, a hospital in Cleveland, Ohio reported that an employee improperly accessed medical and personal information of about 700 patients over a three-year period. The employee breached the hospital system’s electronic medical records, and was able to access names, home addresses, phone numbers, email addresses, medical and health insurance account numbers and other patient personally identifiable information.

It upsets me and probably a lot of the hospital patients that a spokesperson for the hospital said that “it appears the employee simply was snooping”. If an employee was just snooping for the past three years, there would be nothing to worry about. However, it is obvious that there was more than snooping going on. Regardless, data has been stolen, and there was no mention of whether the information had been encrypted or monitored. Training, education and counseling of their employees in regard to privacy matters is, in everyone’s guess, not enough. It has been said over and over again this year, especially because of the concern of insider threats. Any solution must protect the data itself no matter what. This is especially the case when we are dealing with insider threats.

If such information had been protected with DRM, or digital rights management, permissions could have been assigned governing what this employee could and couldn’t do. In addition, this unusual behavior, which obviously was not spontaneous, was never brought to an administrator’s attention during the past 3 years. Had it been identified, then with a DRM protected document that contains patients’ confidential information the now former employee could have had his access revoked as well.

We’ve said this over and over every time an insider threat has happened, and even more so in the health care industry. Patients continue to become impatient with the lack of security that these organizations have for their personal information. Make sure that you have the right solution to protect their sensitive information with data-centric solutions such as Fasoo Enterprise DRM.

Photo Credit: Jason Rosenberg

Insider Threats Still Making Headlines in 2014

This year has really been the year of the insider threat, as employees or former employees have either maliciously or unintentionally caused data exposure. Even as late as November of this year, a former employee of a major beverage company filed a lawsuit against the company because of negligence, breach of contract and a number of other violations. The data breach occurred over a six-year period from 2007 to 2013, when a former employee routinely took company laptops that contained personal employee information and kept them for future use. These kinds of problems have definitely kept CEOs up at night thinking of how to address this problem.

This year’s insider threats have caused enough of an impact for the Department of Homeland Security and the FBI to issue a warning regarding them. According to the 2014 Verizon Data Breach Investigations Report, one of the key attack categories was classified as insider misuse, with 11,698 instances reported. The primary driver of insider theft is financial gain, or fraud.

Now the question here is how do we protect ourselves against insider threats when they could very much be people that we have trusted our sensitive data with? Although there are several security measures that are out there, they do not fully address the insider threat. With many different solutions in use there are bound to be gaps and some of these solutions are not designed to protect the data itself from the insider threat. One of the solutions out there that is focused on protecting actual data itself is digital rights management (DRM).

Fasoo Enterprise DRM encrypts all documents from creation and monitors them throughout their entire lifecycle. No other security technology is designed specifically to classify every file, apply policy to it and monitor it from the moment of creation. In this solution, a DRM protected document is encrypted so that sensitive documents are protected and managed in any environment, whether a document is saved to a PC, downloaded from a server, printed, or sent by email.

More and more organizations are addressing the insider threat, not just because they perceive this to be a problem, but also increasingly because they have been a victim of a data breach through an insider’s carelessness or malicious behavior. To protect against the insider threat and achieve pervasive protection of data, they need to look beyond the traditional security technologies that they have already deployed. To this end many are overcoming previously held misconceptions and turning to DRM.

In comparison to other conventional security technologies, DRM arguably provides superior protection against insider threats. It provides protection against insiders who could be abusing their insider access accidentally or maliciously while enabling legitimate users to safely and appropriately access data. That should see many CEOs get a better night’s sleep.

Photo Credit: DonkeyHotey

Recovering From a Data Breach

A recent article explained that “recovering from a data breach is like recovering from a skunk attack. No matter where or when you go in the house the stink still clings.” Obviously, the dust has still not settled on the data breaches that have happened this year, as their impact still lingers. However, earlier, in 2011, Sony’s PlayStation data breach exposed 77 million users’ personal account information. It wasn’t until July 2014 for the “dust to start to settle on this one”, when Sony offered $15 million in court settlements to U.S. users of its PlayStation Network (PSN).

That same year, in June of 2011, Citigroup also announced that hackers had acquired 200,000 credit card holders’ personal information. It took them until 2013 to find out and reveal that the breach actually exposed more than 360,000 North American Citi-issued customers’ names, account numbers and contact information.

Aside from handling the notification and public relations headache and continuing to do whatever it takes to protect the victims, it is important to actually publicize what is being done to protect future customers’ personally identifiable information (PII) from being leaked. “Remember it ain’t over when it’s over.” Even when investigations are done and flaws are fixed, there remains a sense of concern and fear of trusting an organization that was affected by a data breach. Data breaches have the ability to deliver long-term damage to an organization’s reputation.

Even if they didn’t encrypt their files with digital rights management (DRM) to protect the sensitive customer personal information the files contain, it is equally important to say that they are going to make sure that from now on this information will be secure because the files that contain it are encrypted, especially when they are DRM protected.

Back then there may not have been enough interest in this kind of data security, but now there is no excuse not to have it, as it can protect against the lingering pain of a data breach for a very long, long time.

Photo Credit: Don DeBold
