Data Privacy in a Digital World

Data privacy is top of mind these days – for good reason. The number of exposed online records has doubled since last year, reaching a total of 446.5 million. International regulations such as the EU’s General Data Protection Regulations (GDPR), the California Consumer Privacy Act (CCPA) in the U.S., and the Personal Information Privacy Act (PIPEDA) in Canada have helped to provide standards for governance over our information, but it is not always simple.

We Are Our Data

When all our personal data is digital, privacy becomes a much bigger issue, with many more stakeholders. With all the progress society has made during our digital transformation, we somehow managed to sacrifice our data privacy along the way. We shifted from moving physical material that makes up a person’s identity around in space to moving bits and bytes of data around in the cloud — and somehow this shift made the data seem less valuable…for a while.

When it comes to data protection, most people fall into one of three categories:

  1. Just stay offline.
  2. My data will be used/misused and it’s no big deal.
  3. Wait a second – that data is who I am!

Despite your opinion however, there have been too many stories about organizations mishandling data recently including negligence and loss of personal data, cybersecurity breaches, inadvertent misuse of data by a third party, and on the list goes on.

A Responsibility to Protect PII

There are several reasons why organizations should do everything in their power to protect Personally Identifiable Information (PII). Firstly, it’s the law. Data breaches can be bad for business both in terms of regulatory fines and loss of business due to class-action suits. Not to mention the subsequent reputation damage.

Secondly — and more importantly — there’s an ethical responsibility: it’s the right thing to do. And the public expects organizational leaders to take charge — 76% of those surveyed in the 2019 Edelman Trust Barometer believe that CEOs should take the lead on change, rather than waiting for a government to impose it.

The C-suite has a responsibility to take an active role in ensuring that data security and privacy controls are in place. Failure to do so puts innocent people at risk and could be likened to the digital world’s version of reckless endangerment.

3 Simple Aspects of Data Privacy

Data Residency. Your organization is full of sensitive data and, unfortunately, employees unwittingly put it at risk all the time.  An organization is responsible for understanding where the data it collects and stores resides, especially if it is stored in another country. However, your data sits out there on more endpoints than you think, not to mention what happens when one of those devices goes missing.

You need the equivalent of Google for your endpoint data — a lexicographical crawler for PII that can alert you to any unauthorized data hiding out there on endpoint devices. Unless you have that, you simply won’t be able to track all the places where the data resides.

Orchestration of Controls. There is no shortage of security controls, whether they be native in the operating system or come as third-party applications like antivirus, antimalware, encryption, or other endpoint detection and response (EDR) solutions. These controls help ensure that the place where data resides is secure.

The problem is in ensuring that the third-party controls remain in place and functioning at all times. Native controls can help with this, giving organizations the ability to pull information from the controls and push actions to the device if they are not operating as they should, or if the user of the device is acting suspiciously.

Continuous Monitoring. Annual auditing is only valid on the day the audit takes place. Can you be sure on any day in between audits that data is not residing in the wrong place and, if it is, that security controls are in place to protect it? Without continuous monitoring, you’ll never be able to keep track of all the data copies that exist on all your devices. This can leave you in hot water when the regulators come knocking.

Data privacy affects all of us. As the speed at which the world operates in digital increases, we can expect everyone to take a greater interest in their personal data. The organizations that act now to build data privacy into their company’s mission statement will be the ones that retain customer trust.

For more information on data privacy in our digital world, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:

Welcome back! Josh here from Absolute. If you’ve been on planet Earth the last couple of years, you know one topic in Information Security is grabbing everyone’s attention: Data Privacy

Look around at a home of 2019 and compare it with a home of 1980s or even the 90s. Take notice of what’s likely missing…

  • Answering machines
  • Rolodex
  • Alarm clock
  • Maps
  • Vinyl records, VHS tapes, cassettes, CDs or DVDs

Each (and there are many more) have been replaced by a smartphone. Digital has dematerialized our world. The things people need are no longer dependent on physical stuff but are satisfied by digital technology.

What this have to do with data privacy?

Well, digital has also dematerialized people. We live in a digital reality. Who we are has become a collection of individual pieces of data; we call it Personally Identifiable Information or PII.

People have always been conscientious about their personal privacy, but now that we’ve been dematerialized, personal privacy takes a new shape. Each person’s right to privacy is more easily overthrown, because we’re not moving physical material around in space, but manipulating bits and bytes that compose a person.

One school of thought says, ‘Just stay offline.’

Another way of thinking says, ‘Hey, my data will be used (or misused), it’s no big deal.’

While others contend this by saying, ‘Wait! That’s my data and that is who I am!’

For starters, just saying ‘stay offline’ isn’t reasonable for a 21st century person: the digital world is where things happen. That’s why we call it The Digital Transformation. Business, government, school, research, and even friend-to-friend interactions, all happen in the digital town square.

For those saying ‘No big deal’, would you say that if you were being harassed or stalked by someone in the physical world? And even if you don’t care about how your data is used, other people do… and they want assurances that their privacy is always secure.

You can see why data privacy is all the rage right now. And it’s not just social media data scraping to create ‘fake news’; we see credit bureaus, city governments, and even hospitals, schools and universities all fail to safeguard individual privacy.

Data privacy goes to the heart of what we value as a society, which demands that we do our best work to protect those digital persons in our care.

Be sure to subscribe and put your comments below. I’ll see you next time, and we’re gonna take a deeper dive into the laws that are designed to protect personal privacy.

How L.A. Tourism Secures a Distributed Workforce

The structure of work is changing rapidly. Driven by technology advancement, a global economy and a constant push for more productivity, there is a fast-moving trend toward enabling a distributed workforce. A 2018 study by Upwork illustrates the prevalence of remote work:

  • 63 percent of companies now have remote workers (homebound employees, partly homebound employees, freelancers and those that co-work)
  • 48 percent of companies use freelancers and work done by freelancers increased 168 percent in one year
  • 3 times as many people over the previous year believe offices will become temporary anchor points versus daily travel destinations

Remote work is already status quo for the Los Angeles Tourism & Convention Board. As the official marketing and sales organization for the City of Los Angeles, the L.A. Tourism inspires travelers around the world to visit L.A. for leisure, business, conventions, and events. The very nature of their business requires a highly distributed workforce. To do their jobs effectively, sales and marketing teams must be able to work collaboratively from every corner of the globe.

To accommodate out of office workers, the entire organization recently moved to a 100 percent mobile device fleet model. This enabled productivity but, as work increasingly gets done outside the corporate network, securing the devices and the apps and data that resides on them became exponentially more difficult. The organization knew they needed a comprehensive IT asset management program for full visibility, global asset intelligence, regulatory compliance, and lease management.

The Power of Absolute

By taking advantage of Absolute’s endpoint visibility and control platform, L.A. Tourism now has an unbreakable connection to their entire device fleet at all times. This level of visibility allows their IT team to know where their endpoints are located, understand when users drop off the network or the domain, or inadvertently change the device configuration. In addition, they now have enhanced levels of control that enable them to fix device issues remotely.

With the power of the Absolute platform, L.A. Tourism has a stronger security posture and increased team efficiency. The transparency and connection to the devices they use allows L.A. Tourism to better understand where their sensitive data is stored and prove compliance with data security standards and regulations.

Additionally, whenever a laptop is misplaced or stolen, or an employee or a contractor leaves the organization, L.A. Tourism’s IT team is now able to freeze the device to render it useless or wipe it clean remotely to protect any sensitive data that it may contain.

For more on how L.A. Tourism gained a clear view of their global endpoint population, download the full story: Red Carpet Event: L.A. Tourism Secures Endpoint Population with Absolute. For additional insight, learn practical guidelines for securing public sector data with the whitepaper, Implementing the NIST Cybersecurity Framework in Government.  

Why IT Asset Management Is Key to Data Security

Information security is a growing concern for many organizations and while the ways you access and protect your data continue to evolve, the reasons for it stay the same – your data is the driving force of your organization. To effectively protect it, you need visibility and control over all your assets.

IT asset management is the foundation of many risk management frameworks for good reason. Having an informed understanding of your IT environment – your expectations for performance, configuration, and behavior – across the complete lifecycle of your assets will improve not only your operational awareness but your security posture too.

It’s tempting to consider IT asset management as mundane work. And that would be true if your approach to it was creating a simple device register and then setting it aside for your next inventory audit. In reality, though, true IT asset management is your key to managing the explosion of devices and systems your organization is likely experiencing.

It also serves as your canary in a coal mine. A strategic IT asset management program will help you identify risk earlier in the event of a security breach and deliver a quick, effective response.

3 Objectives of an Asset Management Program

When thinking through an IT asset management program, it helps to first break it down into three primary objectives:

1.      Plan and organize your devices

Setup your asset management tools to reflect your organization’s plan. Consider all of your devices no matter whether they are on or off your corporate network. Then, document the purpose of each device. What business functions do they perform? How and where are they used? Who is responsible for them? Also, document the expected lifespan of each device including the refresh cycles, lease date or end of life warranty.endpoint security

Last but certainly not least, determine whether or not it might hold or access sensitive, confidential information. If it’s to be used by the CEO or HR, for example, the answer is yes.

Establishing your expectations before you place devices in the hands of your end users ensures that you can detect and control unexpected changes as they happen, minimizing their impact and increasing your effectiveness.

2.      Keep devices visible and healthy

Developing and implementing your IT asset management plan ensures that you have a living baseline to measure your population against. With this knowledge, you can effectively monitor your devices’ performance, health, and risk exposure, and make informed decisions about changes to your environment.

Are your security applications working and up-to-date?  Users regularly delay patches, remove and/or disable applications, unwittingly putting the devices at risk. How are you able to identify the scope of unexpected changes in your environment and how can you address them at-scale when they occur?  What’s your action plan if a device is lost or stolen? How will you discover that it’s gone?

Also Read Lost or Stolen Devices: What to Do in 4 Steps.

3.      Retire devices

To have an effective IT asset management plan and a capable information security practice, you need to trust your data and ensure that the devices important to you are monitored and protected. This means that your devices need a retirement plan. Establishing a process for your devices’ end of life from the time they first enter your environment means that your devices are collected, secured, sanitized, and removed from your environment when the time comes. It also means that the information you rely on to make critical information security and IT operations decisions is accurate and the alerts you receive when something unexpected happens are real.

How will you manage device returns when employees leave or change roles? How do you manage timely and secure device end-of-life? How can you confirm that are they safely decommissioned from your organization? Having a process in place enables you to answer these questions.

As the population of devices your organization comes to rely on grows and the volume of data you hold rises, it’s critical you maintain visibility and control. Proactive IT asset management is how you accomplish that goal.

If you would like more information on how to effectively manage your growing number of assets across their lifecycle as well as how to deploy, manage, monitor, and decommission your IT assets using Absolute, join our webinar: Effective Lifecycle Management with Absolute.

Healthcare Cybersecurity & Data Security in 2019

The healthcare industry is one of the hottest sectors for employment, creating new jobs consistently. According to data released at the end of 2018 by the Bureau of Labor Statistics, healthcare created a total of 346,000 jobs — nearly 29,000 new jobs each month and employment in the sector is expected to grow 18% from 2016 to 2026, “much faster than the average for all occupations, adding about 2.4 million new jobs.”

State of Cybersecurity in the Healthcare Industry

The amount of endpoints on healthcare networks is growing exponentially, especially with the popularity of both personal and corporately-owned mobile devices. Add in a host of IoT devices such as printers and smart appliances, and the potential for trouble is significant. The good intention motivating these devices is improved productivity. However, when you combine the device proliferation with healthcare organizations’ legacy systems and inadequate security budgets, it becomes a pervasive interoperability problem.

To make matters worse, employees who lose devices or see them stolen, click on a phishing link or inadvertently send Personal Health Information (PHI) across insecure channels only exacerbate the issue. You’re left with a recipe for embarrassing, costly leaks of sensitive data — not to mention the likelihood of hefty fines from HIPAA and HITECH regulations.

The need for better endpoint visibility and control has never been greater.

Why is Data Security the Biggest IT Concern for Healthcare Organizations?

While there are countless complex challenges facing healthcare IT professionals, it’s almost unanimous that security is at the top.

By widely adopting electronic information systems, any organization that does business in the healthcare industry has increased its risks regarding sensitive patient data protection. This is not lost on hackers, who have adapted their methods and tactics to monetize their attacks by seizing control over healthcare data, encrypting data and asking for ransom. This attack, known as ransomware, hits the healthcare industry particularly hard.

The pervasive vulnerabilities that threaten our ability to protect confidential data is a huge concern for healthcare decision makers. The numbers explain why.

The Protenus Breach Barometer for the third quarter of 2018 reports a total of 4.4 million patient records compromised in 117 health data breaches, with the number of affected patient records increasing in each quarter.

According to the Cost of a Data Breach Report conducted by the Ponemon Institute and IBM, the average healthcare data breach costs $408 per record — the highest of any industry for eight straight years. At almost triple the cross-industry average of $148 per record, it is obvious that cyber and data security is one of the most critical concerns for the industry.

Perhaps the biggest concern, however, is this: as organizations place more medical devices onto their networks, those IoT devices are also vulnerable to attack, and can even endanger the lives of their patients.

Most Common Cybersecurity Threats in Healthcare

The number of threats facing the healthcare industry is only going up. We’ve touched upon a few of the main threats already, but it’s a good idea to categorize them into four main groups — all of which can jeopardize PHI or ePHI, the cornerstone of healthcare data.

Ransomware

We discussed ransomware in the previous section, and because it dwarfs all other types of cyber-attacks facing healthcare companies, we’re listing it first.

Security experts agree that phishing emails, the primary method for launching a ransomware attack, will persist and prey on the healthcare sector.

Insider Threats

This one may not seem as obvious, but the threat is real.

So real, in fact, that a Verizon 2018 Protected Health Information Data Breach Report by Verizon found healthcare to be the only industry in which internal actors represent the biggest risk to an organization. The study also reports 58% of all healthcare data breaches and security threats are caused by insiders, anyone with access to healthcare resources and important data. 

IoT Healthcare Attacks

As Internet-connected medical devices are adopted on a much grander scale each year, IoT is going to be a huge issue for healthcare. On the one hand, hospitals and other providers benefit from IoT’s medical advancements and infrastructure improvements. On the other hand, most IoT devices are not built with cybersecurity as a default.

In fact, hacked medical IoT devices may be used to launch ransomware attacks.

Due to the severity of risks involved, IoT security mustn’t be overlooked.

Supply Chain Attacks

You may have the best security in your organization or network, but what about your suppliers, service providers, partners, or business associates who have access to your data? Those networks or systems may not be as secure. Hackers can and will focus on these weaker networks.

security breaches in healthcareA supply chain attack is when a hacker exposes one of the weak links in your supply chain and leverages it as a form of indirect access into your network. Hackers are always looking for backdoors, and the supply chain is often their way in, either through insecure networks, software or hardware.

Interesting fact: in a recent CrowdStrike survey, 84 percent of healthcare respondents agree that “software supply chain attacks have the potential to become one of the biggest cyber threats to their industry.”

3 Ways to Improve Healthcare Data Security

Maintaining control over critical PHI or other sensitive data isn’t easy, but if healthcare organizations make a concerted effort to follow these three approaches they should be ahead of the game.

1. Take Back Control Of Your Endpoints

When endpoints go missing or show cause for concern, you need to act fast and smart. Failing to act quickly puts you at risk of exposing your organization to ransomware attacks and security breaches.

The fact is, laptops at a healthcare organization often go missing for months before the loss is detected in a yearly IT audit. Your efforts need to be focused on reshaping this critical flaw in oversight. When a device misses an update, goes missing or shows signs of tampering, you need to make sure red flags go up immediately so you can deal with it ASAP.

2. Strengthen Your Security Posture

Organizations should consider investing in endpoint controls and applications to protect their most critical assets. In doing so, you ensure your applications are running smoothly and have not been tampered with. Critical applications such as VPN, antivirus, encryption, device management and other controls are too easily compromised by malware, corruption or negligent users and often leave IT and security pros flying blind.

Improving visibility and control to the endpoint can help patch these holes in a healthcare security environment that might otherwise render existing and new security layers ineffective.

3. Get Real About Real-Time Evaluation and Response

Your organization should be able to evaluate its security posture in real time to ensure all devices are patched for known vulnerabilities, whether on or off the network. When new vulnerabilities crop up (and they will), your IT team should be in a position to proactively address these emerging threats with data controls and/or patch distribution.

According to a Ponemon study, 425 hours are wasted each week by IT teams chasing false negatives and false positives. By following these approaches, it’s estimated organizations can save an average of $2.1 million annually in time saving. Even better, they’ll have a greater chance of preventing a costly breach.

Finally, risk analysis should be an ongoing process that checks the following boxes for covered entities: regularly review records to track access to ePHI and detect security incidents; periodically evaluate the effectiveness of security measures put in place; and regularly re-evaluate potential risks to ePHI.

We hope you’ve found several takeaways here, and are in a better position to improve your healthcare cybersecurity posture. If you need more strategic tips, be sure to check out our HIPAA Compliance Checklist for 2019.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Avoid Security Breaches in Healthcare with Data Visibility

Security breaches in healthcare are rampant. Just one month into 2019 and the Office for Civil Rights (OCR) already has plenty of new Health Insurance Portability and Accountability Act (HIPAA) compliance violations to investigate. The well-known ‘wall of shame’ data breach portal shows that in January alone more than 350,000 individuals have had their protected health information (PHI) compromised by a data breach. The reported causes of these healthcare security breaches are:  hacking, theft of lost/stolen devices, unauthorized access/disclosure, and improper disposal.

The Cost of a Healthcare Data Breach

Healthcare IT security continues to be a growing issue. Not only has the number of victims increased, so has the cost to those involved. According to Ponemon Institute, healthcare data breach costs are the highest of any industry at $408 per record. In 2018, we saw the largest fine ever handed out by the OCR since they began enforcing HIPAA compliance when health insurer Anthem Inc. was ordered to pay $16 million in October.

Read The Cost of a Data Breach in Healthcare

Why is healthcare hit so hard? Healthcare is data and all of it – personal, familial and financial information – is highly valued by cyber criminals. Add to that the organizations themselves are typically large, distributed, and often encumbered by legacy systems and/or inadequate security budgets, making them an easy target in too many cases.

security breaches in healthcare

Faced with these and other challenges, it is increasingly important that healthcare organizations make the most of their security investments. But that doesn’t that mean layering on every new tool is the right answer —for strong security or for compliance. Many organizations wrongly assume that deploying a host of security technologies inevitably ensures compliance when, in reality, the safer bet is to start with the data and knowing where it resides.

The Burden of Proof for HIPAA Compliance

To be HIPAA compliant, the Department of Health and Human Services (HHS) requires that covered entities specify “technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals,” through either encryption and/or destruction. It falls to healthcare organizations to supply proof of data encryption or proof of destruction in order to avoid being liable for non-compliance.

Gain continuous compliance

The challenge is that you can’t secure (in this case encrypt) or validate for devices you can’t see. Visibility into the health and efficacy of your endpoints is a key element in remaining HIPAA compliant. Identifying all of your endpoints —even those that are inactive — also happens to be the starting point to a solid security program too.

HIPAA complianceDevices are re-imaged, users disable apps, registry files become corrupted, and devices leave the protection of the network. All of these ‘dark’ devices remain outside the control of IT, posing a significant threat to data security and HIPAA compliance. Moreover, in the event of a security incident, these devices may no longer have the technology needed to prevent the incident from escalating to a full-scale data breach.

Would you be able to validate your data security at the exact moment of an incident? Quantify the extent of your organization’s dark endpoint problem by starting with this free assessment. And, if you would like more information on effective steps to protect your healthcare data, watch this webinar with Absolute and SANS Institute, 7 Steps to Protecting Data in the Era of Digital Care.