Seven Employees at ProMedica Hospitals Breach Patient Information

Recently ProMedica Bixby and Herrick Hospitals contacted 3,472 patients to inform them that their private medical records had been improperly accessed by seven employees.  As is standard practice after a breach of patient information, patients received letters from ProMedica explaining the situation and the hospital's action plan to prevent further breaches, and offering a full year of free credit monitoring. The hospital also reported this insider-threat incident to the U.S. Department of Health and Human Services.

The breach was discovered on April 7, 2016.  An internal investigation revealed that between May 1, 2014 and April 26, 2016, seven employees accessed the medical records of patients they were not treating, without a valid business or clinical reason. The information accessed included the patient's full name, address, phone number, date of birth, insurance, diagnosis, medications and other clinical information. ProMedica commented that the employees did not appear to have retained or used the information, but it could not verify this.  Being unable to verify intent, or what happened to the data after it was accessed, is the central problem with sensitive information.

On May 12, 2016, during a congressional hearing, FDIC CIO Lawrence Gross Jr. was questioned by Congresswoman Lofgren about seven recent data breaches by employees and whether the FDIC had any technology in place to ensure that information that had been inappropriately accessed and then returned had not been further copied or reproduced. Gross replied that the FDIC did not have such technology in place.

These examples illustrate the challenges security officers and other executives face when trying to protect sensitive information.  What was once considered sufficient to guard an organization's IT perimeter is no longer effective by itself against the most damaging problem: insider threats.

Today, the right solution is to add data-centric security to traditional perimeter security. Data-centric security includes methods to protect data as it travels both within the organizational perimeter and beyond, by limiting access to sensitive data according to policies that cover both users and activities. With this approach, an organization can locate sensitive data and monitor how users copy, move, and access it over time. Because data-centric security incorporates identity management to correlate specific users with activity on sensitive data, security officers can not only block unauthorized activity automatically but also detect suspicious behavior patterns and act before it is too late. When necessary, they can revoke access to sensitive files and render them useless with a single click.

A particular set of data-centric security techniques focuses on unstructured data – files stored on PCs, file servers, other repositories and the mobile devices that more people are using to access enterprise networks – as it is stored, accessed, moved, and used over time.

Data-centric security should also allow users to work without undue interruption as they pass information among multiple devices. A people-centric policy allows for flexible, dynamic enforceability based on the context of content, user, device, time of day, location, and so on. It acknowledges the need for exceptions to predefined policies, because legitimate data creation and usage are unpredictable, while relying on analytics to catch excessive deviations from the norm.

Had the hospitals and the FDIC used these approaches, far less sensitive data could have been accessed or copied, since policy would have limited access to authorized users and every access would have been logged and attributable to a specific person.  Are you looking at a better way to protect your data from insider threats?

Digital Rights Management Helps the FDIC Proactively Address Cyber Security

The Federal Deposit Insurance Corporation (FDIC) will implement Digital Rights Management (DRM) software to prevent unauthorized redistribution of digital information.  This is in reaction to security incidents in which departing employees accidentally took sensitive files on portable media.  According to numerous studies, trusted insiders pose a greater risk to sensitive information than hackers and cybercriminals.

I applaud the FDIC for taking this key initiative to proactively protect and control its most sensitive information.  DRM will help prevent unauthorized access to and distribution of sensitive files regardless of location or device.  It can limit a user's ability to view, edit and print, and can even limit the period during which sensitive information remains accessible.  This applies to both internal and external users.

As a bit of background, Lawrence Gross, Chief Information Officer and Chief Privacy Officer of the FDIC, recently spoke to a congressional subcommittee about the agency's program to identify, analyze, report, and remediate security incidents.  The criteria used to determine the severity of an incident are based on the risk of harm it poses to individuals or to entities supervised by the FDIC.  The agency uses guidelines from the Office of Management and Budget (OMB), which recently changed its definition of a major incident.

As a result, the FDIC upgraded the classification of the incidents in which departing employees inadvertently downloaded personally identifiable information (PII) to thumb drives and other portable media.  The CIO's initial judgment was that these were inadvertent and posed minimal risk.  The new guidelines changed that, hence the reevaluation.

As part of its remediation efforts, the FDIC is conducting an end-to-end assessment of its IT Security and Privacy Programs in addition to implementing the Digital Rights Management software.  The agency will also eliminate the ability of employees and contractors to download to portable media, although some employees still need to do so as part of their job.  The CIO said the FDIC is working to identify and implement alternative means to securely exchange data with outside organizations, such as state banking departments, by the end of 2016.

The CIO is also planning to implement technology that can securely share information with external organizations.  DRM can protect information shared with third parties and provide the same level of protection the agency needs for its internal employees.  Rather than running two systems, the FDIC should use the same system for both purposes.

Implementing DRM also provides a proactive approach to data security, rather than relying on reactive technologies that identify issues only after they have happened.  By protecting data as it is created, DRM helps mitigate the risk of data exfiltration, which is becoming more common as both hackers and insiders threaten valuable information in government and the private sector.


Photo credit Josh Bancroft

Use the Fasoo Data Security Framework to Stop the Data Breaches

There is a lot happening lately in the financial sector to help stem the tide of constant data breaches.  This week a US financial industry coalition is promoting a campaign called "Stop The Data Breaches" to encourage people to get their members of Congress to pass the Data Security Act of 2015 (H.R. 2205 and S. 961).

The effort is backed by seven trade groups, including the American Bankers Association, the Consumer Bankers Association, the Credit Union National Association and the National Association of Federal Credit Unions (NAFCU).  Through online and print ads, they are urging Congress to enact this legislation, which would protect consumer data.

A few weeks ago, on May 12, 2016, the Federal Deposit Insurance Corporation (FDIC) appeared before a Congressional subcommittee to answer whether Americans can trust the FDIC to protect their private banking information. One of the interesting outcomes was the FDIC announcing a new cyber security initiative after five more breaches. Part of this initiative is the implementation of Digital Rights Management technology to locate, recall and, where appropriate, render data useless. This development should have a major impact on the financial sector, which will likely follow suit if it has not already adopted this kind of data-centric and people-centric security approach.

According to a National Association of Federal Credit Unions (NAFCU) survey, the average cost of a merchant data breach in 2014 was close to a quarter of a million dollars, while some breaches cost tens of millions.  Passing the pending federal legislation would help improve the security posture of financial institutions and of any organization that handles personally identifiable and financial information.  It requires any entity that handles sensitive personal and financial data to protect that data, builds on existing legislation, and replaces the current patchwork of inconsistent state data security and breach notification laws with a clearly defined, uniform set of standards.

Consumer data remains vulnerable, and security should not be an afterthought. Rather than pointing fingers at who is responsible for consumer data security, everyone should protect consumer data. Below is a short list of three key steps you can use as a security blueprint for your data:

•   Find your sensitive data and classify it.

•   Implement usage policies to limit who can access it and what they can do with it.

•   Monitor usage to detect unusual behavior.
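The three steps above, and the data-centric controls described earlier in this corpus (locate sensitive data, limit who can do what with it, correlate users with activity and flag deviations), can be shown end to end in a small script. The following is an added example written for this page; it is not Fasoo's product, nor the ProMedica or FDIC systems. The PII detectors, the roles, users, care-team assignments, patient records and audit log lines are all constructed and hypothetical. It classifies records by regex, enforces a usage policy that denies copying sensitive content to removable media (the FDIC failure mode) and requires a treatment relationship for anything beyond viewing, then replays an audit log to flag clinicians who viewed charts of patients they were not treating (the ProMedica failure mode), which the policy deliberately allows so that emergency access still works.

```python
import re
from collections import defaultdict

# Step 1: find sensitive data and classify it.
# Detectors are constructed for this example; a real classifier is broader.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "dob": re.compile(r"\bDOB:\s*\d{4}-\d{2}-\d{2}\b"),
    "diagnosis": re.compile(r"\bDx:\s*[A-Z]\d{2}(?:\.\d+)?\b"),
}
CLINICAL = {"dob", "diagnosis"}          # labels that need a treatment relationship

def classify(text):
    """Return the set of sensitive-data labels found in text (empty = not sensitive)."""
    return {label for label, pat in PATTERNS.items() if pat.search(text)}

# Step 2: usage policy. Role -> actions permitted on sensitive records.
# Users, roles and care teams are hypothetical.
ROLE_ACTIONS = {"clinician": {"view", "edit", "print", "copy"}, "contractor": set()}
USERS = {"dr_lee": "clinician", "nurse_kim": "clinician", "tmp_joe": "contractor"}
CARE_TEAM = {"p-1001": {"dr_lee", "nurse_kim"}, "p-1002": {"dr_lee"}, "p-1003": {"nurse_kim"}}

def is_allowed(user, action, labels, patient, removable=False):
    """Decide one request.
    Non-sensitive content is open. Sensitive content never goes to removable
    media (the FDIC case) and needs a role grant. Editing, printing or copying
    clinical content also needs a care-team relationship; 'view' is deliberately
    left role-wide so a clinician can reach any chart in an emergency, which is
    exactly the gap step 3 has to watch (the ProMedica case)."""
    if not labels:
        return True
    if removable:
        return False
    if action not in ROLE_ACTIONS.get(USERS.get(user), set()):
        return False
    if action != "view" and labels & CLINICAL and user not in CARE_TEAM.get(patient, set()):
        return False
    return True

# Step 3: monitor usage to detect unusual behaviour.
LOG_RE = re.compile(r"user=(\S+) action=(\S+) patient=(\S+)(?: media=(\S+))?")

def audit(log_lines, records):
    """Replay audit lines through the policy.
    Returns (denied, flagged): denied lists requests the policy blocks;
    flagged maps users to clinical charts they viewed while not on that
    patient's care team, the pattern behind the ProMedica breach."""
    denied, flagged = [], defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:                       # malformed line: skip; a real system would alert
            continue
        user, action, patient, media = m.groups()
        labels = classify(records.get(patient, ""))
        if not is_allowed(user, action, labels, patient, removable=(media == "usb")):
            denied.append((user, action, patient))
        elif labels & CLINICAL and user not in CARE_TEAM.get(patient, set()):
            flagged[user].append(patient)
    return denied, dict(flagged)

# Constructed sample data (not real patients or log records).
RECORDS = {
    "p-1001": "Name: A. Patel DOB: 1971-03-09 Phone: 419-555-0100 Dx: E11.9",
    "p-1002": "Name: B. Ortiz DOB: 1958-11-23 Dx: I10",
    "p-1003": "Name: C. Nguyen Phone: 419-555-0177 Dx: J45.20",
}
LOG = [
    "2016-04-07T09:12:03 user=dr_lee action=view patient=p-1001",
    "2016-04-07T09:14:10 user=nurse_kim action=view patient=p-1002",   # allowed, but off the care team
    "2016-04-07T09:15:44 user=nurse_kim action=view patient=p-1003",
    "2016-04-07T09:20:01 user=tmp_joe action=view patient=p-1001",     # contractor, no grant
    "2016-04-07T09:31:27 user=dr_lee action=edit patient=p-1003",      # edit without relationship
    "2016-04-07T09:40:55 user=dr_lee action=copy patient=p-1001 media=usb",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    denied, flagged = audit(LOG, RECORDS)
    print("denied:", denied)
    print("flagged for review:", flagged)
```

Running it denies the contractor's view, the off-team edit and the USB copy, and separately flags nurse_kim for viewing p-1002, an access the policy permitted but that no treatment relationship explains. That split between what is blocked and what is merely flagged is the point of step 3: the static policy cannot know why a chart was opened, so the audit trail has to be reviewed for relationships the policy did not check.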

This is a good start toward stopping the data breaches.  Call, write, email or text your legislator today to get them to pass the Data Security Act of 2015.

FDIC adding DRM to its information security

On Thursday, May 12, 2016, the Congressional Subcommittee on Science, Space and Technology held a special hearing in Room 2318 of the Rayburn House Office Building.  The hearing addressed whether Americans can trust that their private banking information is secure when they rely on the Federal Deposit Insurance Corporation (FDIC).

During the session, lawmakers stated that the FDIC has a long history of cyber-security incidents and that it is failing to safeguard the private banking information of the millions of Americans who rely on it.

In the last seven months alone, seven departing employees at the FDIC have left with personal banking information on thumb drives and other removable media.

Lawrence Gross Jr., the FDIC's CIO, told lawmakers that the FDIC considered the data breaches "inadvertent" copying of personal banking information that happened when departing employees copied personal files to removable media.  Some lawmakers called taking something that does not belong to an employee "theft".

One of the sticking points during the hearing was that the FDIC did not report the incidents to Congress as major breaches until prompted by its Inspector General's Office. Gross stated that he did not originally classify the incidents as major breaches because they appeared to be accidental copying of files during "non-adversarial" departures of employees. Furthermore, Gross pointed out that the employees involved had signed affidavits stating that they did not share the data with others.

Are the American people buying this explanation? Since when has it been acceptable for people to copy information that does not belong to them to removable devices, whether accidentally or knowingly?

The FDIC now says it is putting controls around the use of information so that sensitive data cannot be copied onto removable devices. Gross went further, stating that the agency is adding digital rights management software to its environment. This is a significant statement from the head of IT at a significant agency: the FDIC is adding DRM on top of traditional perimeter solutions to control sensitive information while it is in use.

It is of utmost importance that organizations adopt technologies like Digital Rights Management as part of a data-centric security approach to protect sensitive information and maintain stability and public confidence. Fasoo provides a Data Security Framework to public and private entities alike to enhance their information security programs and close the gaps that threats exploit. Please contact us or visit us during the Gartner Security and Risk Management Summit in National Harbor, Maryland, June 13-16, at Booth #200.
