Category: Compliance

HIPAA Compliance Checklist for 2020

HIPAA was adopted in 1996 and since then, Covered Entities (CEs) have been required to protect individuals’ personal health information or face hefty fines for non-compliance. The U.S. Health and Human Services Office for Civil Rights (OCR) enforces HIPAA; the fines they have issued have grown exponentially in recent years.
In 2018, Anthem, one of the nation’s largest health benefits companies, paid what is still the largest HIPAA fine in history, $16 million, for a data breach that exposed the electronic protected health information (ePHI) of 79 million individuals. The next largest settlement was $5.5 million paid by Memorial Healthcare Systems in 2017 for the inappropriate access of PHI of 115,143 individuals. Earlier this year, we learned hackers compromised two employees’ email accounts at a Michigan healthcare group, exposing patient data; the compromise went undetected for six months.
With increasingly severe HIPAA non-compliance fines on the line, healthcare organizations must exercise extreme diligence in the protection of PHI. But it isn’t an easy task. Compliance requires that CEs adhere to two primary rules: the HIPAA Privacy Rule, which details which data must be protected, and the HIPAA Security Rule which establishes how that data is protected.
The Privacy Rule defines identifiable health information as demographic data that relates to:

an individual’s past, present, or future physical or mental health or condition
the provision of healthcare to the individual
the past, present, or future payments for the provision of healthcare to the individual

The Security Rule outlines three categories of safeguards – administrative safeguards, physical safeguards and technical safeguards – to help you ensure data is protected and standards are followed accordingly.
Achieving and maintaining HIPAA compliance requires both thoughtful security and ongoing initiative. While there is some irony in providing a compliance checklist when we often hear ‘compliance is much more than checking a box,’ there are program elements that can – and should – be checked off. When marked complete, your level of confidence in your organization’s HIPAA adherence will increase.

The 7 areas below are excerpted from the OCR’s recommended essential elements of an effective HIPAA compliance program.
Complete the following assessments and audits, and be able to provide all appropriate documentation that they have been conducted for the past 6 years.
[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] HITECH Subtitle D Audit
[ ] Security Standards Audit
[ ] Asset and Device Audit
[ ] Physical Site Audit
Educate staff.
[ ] Have all staff members undergone annual HIPAA training, and do you have documentation to prove that they have completed annual training?
[ ] Is there a staff member designated as the HIPAA compliance, privacy and/or security officer?
[ ] Have all staff members received security awareness training and do you have documentation to prove they have completed it?
[ ] Do you provide periodic reminders to reinforce security awareness training?
Conduct risk analyses to assess whether encryption of electronic protected health information (ePHI) is appropriate and provide documentation on the decision-making process.
[ ] If encryption is not appropriate, have you implemented alternative and equivalent measures to ensure the confidentiality, integrity, and availability of ePHI?
[ ] Have you implemented controls to guard against unauthorized access to ePHI during electronic transmission?
Implement identity management and access controls.
[ ] Have you assigned unique usernames/numbers to all individuals who require access to ePHI?
[ ] Is access to ePHI restricted to individuals that require access to perform essential work duties?
[ ] Have you implemented policies and procedures for assessing whether employees’ access to ePHI is appropriate?
[ ] Have you developed policies and procedures for terminating access to ePHI and recovering all electronic devices when an employee leaves an organization or their role changes?
[ ] Does your system automatically log out a user after a period of inactivity?
Create and monitor ePHI access logs.
[ ] Routinely monitor logs to identify unauthorized access to ePHI.
[ ] Implement controls to ensure ePHI may not be altered or destroyed in an unauthorized manner.
Develop policies and procedures for the secure disposal of PHI.
[ ] Develop policies and procedures for rendering PHI unreadable, indecipherable and incapable of being reconstructed.
[ ] Develop policies and procedures for permanently erasing ePHI on electronic devices when they are no longer required.
[ ] Ensure all devices that store PHI are stored securely until they are disposed of in a secure fashion.
Define a clear process for security incidents and data breaches.
[ ] Ensure you have the ability to track and manage all incident investigations.
[ ] Be able to provide the required reporting of minor or meaningful breaches/incidents.
[ ] Implement a procedure by which employees may anonymously report a privacy/security incident or potential HIPAA violation.
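The identity-management and access-log items above (unique user IDs, role-restricted access, automatic logout, routine log review for unauthorized access or modification) can be exercised against an access log. The following is an added example, not part of the OCR checklist or any vendor product: it audits constructed ePHI access-log lines against a hypothetical role policy, with the log format, role names, account-prefix convention and 15-minute timeout all assumed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Hypothetical least-privilege policy: the ePHI actions each role's duties require.
# login/logout are session events and are permitted for every role.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read", "update"},
    "nurse": {"read", "update"},
    "billing": {"read"},
    "it_admin": set(),  # maintains systems; no clinical or billing need for ePHI
}
SESSION_ACTIONS = {"login", "logout"}
MODIFYING_ACTIONS = {"update", "delete"}

# Account-name prefixes that mark shared (non-unique) logins in this constructed scheme;
# a shared account defeats the "unique username per individual" control.
SHARED_ACCOUNT_PREFIXES = ("shared_", "generic_")

# The automatic-logout interval the checklist asks for; 15 minutes is an assumption.
INACTIVITY_TIMEOUT = timedelta(minutes=15)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    action: str
    record_id: str


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line of the form timestamp|user|role|action|record_id."""
    ts, user, role, action, record_id = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, role, action, record_id)


def audit(lines: List[str],
          roles: Dict[str, Set[str]] = ROLE_PERMISSIONS,
          timeout: timedelta = INACTIVITY_TIMEOUT) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for every control violation in the log."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings: List[Tuple[str, str]] = []
    last_event: Dict[str, AccessEvent] = {}
    for ev in events:
        detail = f"{ev.ts.isoformat()} {ev.user} ({ev.role}) {ev.action} {ev.record_id}"
        # Control: every access is tied to a unique, individual account.
        if ev.user.startswith(SHARED_ACCOUNT_PREFIXES):
            findings.append(("shared_account", detail))
        # Control: access restricted to roles that need it; modifications flagged separately
        # because the checklist also requires that ePHI not be altered without authorization.
        if ev.action not in SESSION_ACTIONS and ev.action not in roles.get(ev.role, set()):
            kind = "unauthorized_modification" if ev.action in MODIFYING_ACTIONS else "unauthorized_access"
            findings.append((kind, detail))
        # Control: automatic logout. If a user is active again long after their previous
        # event with no intervening logout (and this is not a fresh login), the idle
        # session outlived the timeout. Assumes auto-logout writes a "logout" event.
        prev = last_event.get(ev.user)
        if (prev is not None and prev.action != "logout" and ev.action != "login"
                and ev.ts - prev.ts > timeout):
            findings.append(("inactivity_timeout",
                             f"{detail}; {ev.ts - prev.ts} after previous event without logout"))
        last_event[ev.user] = ev
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per kind, the figure a compliance reviewer would track over time."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed sample log (not real data); lines are deliberately out of order.
SAMPLE_LOG = """\
2020-03-02T09:00:00|dr.alice|physician|login|-
2020-03-02T09:01:00|dr.alice|physician|read|PT-1001
2020-03-02T09:40:00|dr.alice|physician|update|PT-1001
2020-03-02T09:05:00|bob.billing|billing|read|PT-1002
2020-03-02T09:06:00|bob.billing|billing|update|PT-1002
2020-03-02T09:10:00|carol.it|it_admin|read|PT-1003
2020-03-02T09:12:00|shared_nurse|nurse|read|PT-1004
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG.splitlines()):
        print(f"{kind:26} {detail}")
    print(summarize(audit(SAMPLE_LOG.splitlines())))
```

Each finding maps to a checklist item, so the output doubles as the documentation of routine log review that the checklist asks you to retain.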
Successfully completing this checklist does not guarantee your organization is HIPAA compliant – nor does it ensure that your organization will avoid potential data breaches. However, it will get you off to a very good start. For more information on implementing a successful program, download our whitepaper: Achieving HIPAA Compliance: Your Guide to Avoiding HIPAA and HITECH Penalties. 

What is Cyber Resilience and How Can You Achieve It?

What Is Cyber Resilience?
As the cyberthreat landscape darkens each day, the term “cyber resilience” is growing in importance.
A cyber resilient company is in the best position to prepare for, respond to, and recover from a cyberattack. Being resilient, however, means much more than attack prevention or response. A cyber resilient enterprise can continue to function during an attack and is agile enough to adapt and recover from the incident.
While a protection-focused approach may have worked in the past, today’s enterprise must now move to adopt a strategy that is based more on endpoint resilience which, beyond protection, emphasizes adaptability, exposure reduction, information gathering and discovery.
Cyber resilience transcends technology and can protect the interests of everyone involved, including the C-suite, staff, shareholders, and the board of directors.
Resilience comes down to having a self-healing capability. Think of it this way: if your company must rely on an external source to resurrect you, then you can’t call yourself resilient. Only those organizations with a self-healing property (being able to recover without human intervention) can be truly classified as resilient.
Ultimately, if the organization has its eye on becoming more resilient, then it must incorporate technologies with the capacity of self-healing. Running around putting things back together isn’t the preferred state of a resilient enterprise.
Self-healing: The Only True Resilience
In the hardware world, we buy and deploy redundant systems: multiple firewalls, routers, switches, clouds, and cables. We do this because we expect our hardware defenses to fail; there’s even a name for it: “failover”. The other term used often is High Availability, which just means more hardware deployed for failover.
In the software universe, the equivalent is resilience. But unlike hardware, you can’t just have clones of the same tools, controls, apps, and agents that play understudy to the primary control. The idea that a clone steps into the spotlight when the primary control fails does not exist with software.
So, enterprises need to rely on resilient software controls, apps, and agents. But the only way you can claim you are resilient is if you have a self-healing capability. Without it, you don’t have the replacement, so there is no failover. It’s a crack in your security fabric.
It All Starts With A Framework
While this resiliency may sound daunting and difficult to achieve, thankfully there is an existing framework that the enterprise can leverage to improve its resiliency. The NIST Cybersecurity Framework (NIST CSF) outlines specific actions that organizations can perform to see success in their cybersecurity programs.
Related: See Everything With the NIST Cybersecurity Framework
The five pillars or actions of the NIST CSF are Identify, Protect, Detect, Respond and Recover:

Identify
Identify each endpoint for a comprehensive inventory
Identify authorized and unauthorized hardware and software
Prioritize endpoints based on classification, criticality, and business use
Benchmark device controls against security standards and policy
Quantify risk based on device vulnerabilities and exposures
Catalog device, data, user, and application relationships across the endpoint population

Protect
Gain physical access control and geofencing for distributed endpoints
Freeze, delete, and wipe devices through remote commands
Enable secure remote access systems (e.g. VPN) on all endpoints
Validate and restore encryption for at-risk data
Automate validation for data integrity in software, firmware, and cloud storage apps
Control communication from endpoints to the corporate network or domain
Authorize telemetry analysis and remote command for maintenance and repair

Detect
Establish baseline behaviors for users, data, devices, and applications
Unify asset intelligence across the device population
Monitor user activity and enforce role-based security controls
Score high-risk users with access to sensitive data
Access geo-tracking and user-device awareness
Detect and log configuration changes

Respond
Utilize dynamic remediation and control changes
Perform role-based access control for in-console response commands
Deliver continuous device logs and forensic documentation
Isolate a device or group of devices for containment
Push control changes to prevent spread of detected compromise
Command hotfixes to mitigate indicators of exposure (IOEs)

Recover
Enforce policies within device controls
Monitor device use and locally accessed sensitive data
Control incident investigations, digital forensics, and documentation
Augment and push new controls for endpoint hygiene
Access documentation instantly for continuous improvement to endpoint hygiene and data protection

A Blueprint for Resilience
Each focal point of the NIST CSF is designed for resilient cyber defense and protection and aims to ensure data confidentiality, integrity, and availability. Much of the work that’s needed to be resilient is simply doing the basics: patching, strong authentication, control monitoring, etc.
What’s practical about something like NIST CSF (or CIS Top 20 or ISO or any others for that matter) is that it is a blueprint. Just like a blueprint to a building, the CSF is like having the architect’s plans for a well-engineered structure.
With NIST in particular, the goal is resilience — especially in the Protect and Recover sections. The Protect (initial resilience) and Recover (learn and grow more resilient) steps are emphasized as the target/goal.
Learn more about Absolute Persistence technology. With it, IT and security teams get an unrivaled view and command of their device population to enable data protection and improve security posture — all through automated endpoint hygiene.

How to Improve Data Security in the Financial Sector

Financial service organizations including banks, wealth advisors, insurance providers and others rely on data to power their business. As a result, they hold vast amounts of highly sensitive, personal information and today, all of it is of course digital. This treasure trove of data makes the financial services industry a highly valued target for cyber criminals, and a quick check of headlines proves they have been busy taking what they want from many. From Capital One to Equifax and countless others in between, data breaches across the financial sector are massive both in scope and cost.
High Cost of Data Breaches
As this year’s Cost of a Data Breach Report by the Ponemon Institute again shows, the price tag for falling victim to hackers continues to climb. The global, cross-industry average cost is now $3.92 million – an increase of 12% over what it was just 5 years ago. Driving the rising costs for all U.S. organizations is the lost business that results from a breach including lost customers, system downtime and general business disruption.
Adding further insult to injury, the financial impact of a data breach can last for years, particularly for highly regulated industries like financial services. Long, complex governance processes in which legal fees and fines are dragged out for long periods of time are painfully common. As the regulatory environment continues to evolve, with new state data protection laws such as the California Consumer Privacy Act (CCPA) coming onto the scene for example, compliance challenges and associated fines for financial services and other industries will only grow.
3 Steps to Better Data Security
How are cyber attackers getting in? There are several studies on this and for the financial services industry specifically right now, most point to phishing attacks as the primary culprit. Intended targets include both the institution’s employees and their customers.
Regardless of tactic however, there are a few steps you can take to improve your security posture.

1. Know your endpoints. Comprehensive asset intelligence equips IT and security teams with the full story of their device population and provides a single source of truth into where your devices are, how they are being used, and whether or not your security controls are working as they should. The 2019 Endpoint Security Trends report found 42 percent of all endpoints are unprotected at any given time and 100 percent of endpoint security agents eventually fail. Timely insight into your users, device fleet, the apps they run, and the data they touch will help you identify blind spots that often represent a breach waiting to happen.

2. Fortify endpoint resilience. To mitigate risks and potential security exposures, ensure your endpoints are self-healing machines capable of safeguarding distributed data without the need for human intervention. Automated self-healing is critical when it comes to fending off the barrage of attacks you (and your users) face every day. Absolute is already embedded in your devices; you just have to activate it. OEMs, including Dell, HP, Lenovo, and Microsoft, ship their machines with Absolute’s firmware-enabled Persistence™ module. With this unshakable connection to every device, Absolute examines hygiene and compliance drift, regenerates controls and boosts the resiliency of all your endpoints.

3. Implement the NIST Cybersecurity Framework (NIST CSF). Because much of the high cost of a data breach comes from compliance failures, continuous compliance must become your new normal. Ongoing, flexible checks that adapt to any standard like GDPR, SOX, PIPEDA (among others) are needed to identify and restore critical security controls including AV, encryption, EDR, DLP, VPN and others that cause compliance drift when disabled or outdated. One way organizations are responding to this continuous need for visibility and control is by adopting the NIST CSF. The repeatable framework supports proactive cybersecurity disciplines and enables scalable operations. For more, read: How to Use the NIST Cybersecurity Framework.

The financial services industry doesn’t have the sole attention of cyber criminals – no industry is immune to attack anymore. But knowing your specific risks is the first step in providing better protection for your organization as well as your customers.
For more information on how Absolute helps financial organizations protect data and remain compliant, see our solution sheet.

Why a Vulnerability Management Program Is Critical For Your Company: All Your Questions Answered

What is a vulnerability management program, anyway?
A vulnerability management program (VMP) is used to identify and manage weaknesses within an organization that could be used to exploit or gain access to the company’s computers and stored data.
Companies must understand that a VMP is much more than just patch or inventory management. While these elements are crucial to a good VMP, even more critical to the program are the employees. 
Why are employees so critical to the success of a VMP?
By training employees not to click on suspicious email links, open unknown documents, or even allow someone to enter a secure area without badging in, companies can go a long way to minimize potential vulnerabilities within the organization.
I often think of the “In this corner we have Dave” cartoon. We all have good intentions and a desire to be effective. Without proper education, our intentions often lead us to very vulnerable places.
In the “User Dave” scenario, you have to educate employees on issues like phishing and things like not letting somebody tailgate and walk into the building behind you. Because at the end of the day, the best tools in the world aren’t going to defeat Dave, who may leave his laptop open as he’s picking up his coffee at Starbucks while he’s VPN’d into the network.
It’s really about the education.
There should be an understanding among employees about why it’s important to accept that patch, why it’s important to have VPN on when you’re at Starbucks, and why you should, at the very least, lock your computer if you’re going to walk away from your laptop.
Where do I even start in developing a VMP?
Start with the NIST cybersecurity framework. If you really peel back the onion on the cybersecurity framework, it’s not about telling you that you must have VPN, or a password that’s 12 pages long and you must change it every 90 days. It’s a tool for you to start getting your organization to ask questions.
For example, how do we feel about this type of vulnerability and how are we doing perimeter management? How are we securing PII and things of that nature?
So if I were going to start anywhere, it would be the higher level of the NIST cybersecurity framework. And then once you’ve gone through that, you can score yourself on where you are risky and where you are not. Are you doing patch management and are you rolling it out at the appropriate time?
Then you’ll hopefully have a grasp on the posture of your risk tolerance and can find a program that works for your organization.
That’s where I think the VMP falls into place. If your risk tolerance isn’t matching up to your perceived level of protection, then you need to start looking into how to protect yourself.
Essentially, you need to ask yourself how to best assess your vulnerability management to ensure that you can put your head on your pillow and sleep at night.
Why is it important for an organization to have a VMP?
Without a VMP, it would be difficult for an organization to determine its posture on cybersecurity risk.
Because without the vulnerability management program, everything else becomes a shot in the dark.
Which elements are a must to include in your VMP?
I can’t stress enough the importance of training everyone connected to the organization, which includes full-time employees, contractors, receptionists, and C-level staff.
But it is also critical to understand the true state of every device connected to your environment.
For instance: How out of date are the browsers being used in your networks? What are employees using multimedia software platforms for? What happened to that laptop that was issued two years ago to the employee who is no longer working for you?
Finally, include an “end of life” strategy for everything and review it regularly. It includes devices, software, cloud service providers, VMPs, etc. Don’t just assume that once you have started a program that everyone is on board and it will be executed properly tomorrow. It needs constant maintenance.
Which company departments should be involved in creating the VMP?
At a high level, to get the proper buy-in for a successful VMP you need stakeholders from HR, legal, governance, IT Ops, security and the C-staff. Buy-in needs to come from the top and be demanded of everyone throughout the organization.
While you may not want frontline employees to dictate policy, getting them involved and encouraging feedback is important. You want a rational conversation where the company can find the right point at which employees feel less productive because of security measures. Once you find that line, you don’t want to step over it.
As long as you have that open dialogue, I think buy-in is easier.
What are the tangible benefits of having a VMP? 
There are three tangible benefits to having a VMP:

Once completed, you will have a better understanding of your organization’s risk posture.
You will be better prepared on how to react when — not if — you have a vulnerability that is exploited.
Your organization can experience a sense of unity in coming together as a team to protect and defend against malicious actors.

What questions should CIOs ask themselves when creating a VMP?
You need to understand your environment.
Do you have a “Single Point of Truth” of the state of your environment? From BIOS up to the latest browser plugin? Can you logically group assets by location, by user role, by privilege?
All of these make it easier for IT Ops and Security to more quickly identify and isolate more critical issues than ones that are less likely to cause concern.
More questions: Is your outside sales organization using an older version of a VPN tool because their systems are regularly missing patch management events? Does this suggest a greater vulnerability than a computer sitting in a training lab with the same old VPN client installed?
Do you have users that are technically savvy enough to change a hard drive, boot from a USB device, or even try to circumvent existing processes to satisfy their own needs? Can you track that behavior today, and if not, how can you ensure that your data and the PII data that you are protecting is safe?
Is a VMP useful for small businesses?
A VMP is useful for all organizations, but it’s understandable to wonder how to get this kind of thing going with limited resources.
But when you think about it, I don’t think any company has enough resources to deal with these problems. Whether you’re a Fortune 500 or Fortune 1 Million you’ve got to make decisions and prioritize how you’re going to act. You still have to make that concerted effort to think about your tolerance to risk management and vulnerability management, and then assess how to prioritize to arrive at the key things that’ll make everybody sleep a little bit better at night.
How can technology help in creating a VMP?
With Absolute, we offer that “Single Point of Truth” that provides visibility into the (approved and unapproved) software on a device, and logically group those devices by location, role, type, software, BIOS and more — to help your organization better understand how the device is being used. Absolute provides visibility and resilience for every endpoint with self-healing endpoint security and always-connected IT asset management to protect devices, data, applications and users — on and off the network.
I want to start with the NIST Cybersecurity Framework. How do I begin?
The threat landscape has evolved, the attack surface has mutated, and everywhere you look, the cybersecurity skills shortage leaves more work to do than there are people to do it. As I mentioned before, the NIST Cybersecurity Framework is a great way to get the ball rolling.
Download our NIST CSF Implementation Overview whitepaper to learn how the NIST Cybersecurity Framework (NIST CSF) supports organizations who want to formalize their security discipline and scale their operations.

Creating an Information Security Policy that Works

Before we talk about how to create an information security policy, it is important to clarify what information security really is.
Information security — sometimes shortened to InfoSec — is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability.
CIA Triad: Confidentiality, Integrity, Availability
If you’ve been in the security field for a while, you probably know that information security is threefold. However, for those new to the field, information security involves three critical components of confidentiality, integrity, and availability (CIA):

Confidentiality: protection from unauthorized access
Integrity: protection from unauthorized alterations of data
Availability: ensuring timely and reliable access to and use of information

Understanding the security CIA Triad, the various principles behind it, and how it applies to your organization will help you implement a sound security policy.
Why Create an Information Security Policy?
Organizations commonly create an information security policy because “ISO 27001 says we should have one” or “it’s required for the audit.” Sure, but that’s not the primary reason for having a policy.
A security policy, or set of policies, is designed to mitigate risk (e.g., data breach) and is usually developed in response to an actual or perceived threat (a situation that could potentially cause undesirable consequences or impacts). The policy will contain a high-level statement of management intent and direction and should be developed or modified to support an organization’s strategic objectives.
Security policies on their own are not enough. Employees must understand what the rules are for protecting information and assets, and the reasons why security standards are developed.
Security standards are developed to set boundaries for people, processes, technologies, and procedures to help maintain compliance with policies and support the achievement of the organization’s goals and objectives.
Best Practices in Creating an Information Security Policy
After over a decade of creating security policies, perhaps the most important advice I can give any organization for creating a successful policy is to write it specifically with the organization’s strategic objectives, risk appetite and tolerance, and culture in mind.
Ensure that the policy is written by an individual that can translate security requirements at a high level in business terms. It should be written in a way employees can understand; just like a good app, it should be user-friendly. It should explain why security is important within the organization, and define everyone’s responsibilities for protecting the organization’s information and assets.
What Makes an Effective Security Policy?
What you don’t want to include in your policy is a list of “thou shalt nots.” In my experience, whenever a policy is full of strict directives that sound more like commandments, it’s doomed to fail and compliance is difficult to monitor. You can avoid bloating your policy by constructing one that is clear, concise, relatable and easy to understand.
A good rule of thumb is to write it for the average, non-technical person. Within 60 seconds, it should be clear to the reader what the security policy is about. Any struggle comprehending it, and you may need to go back to the drawing board.
As mentioned earlier, an effective security policy should not only align with an organization’s strategic objectives but it should also consider the organization’s overall risk profile.
You should be able to answer these questions: How much security risk is the organization willing to tolerate? What is the consensus on security risk and do the policies and corporate mandate address that? How is the tone at the top? What is the organization’s culture towards security?
Finally, your policy should be updated annually as it helps your organization keep up to date with regulations, changes in technology and threat landscape, and industry best practices.
But the truth is that too many organizations search for a boilerplate policy and don’t make many changes. If the policy isn’t tailored to your organization, it probably won’t be followed — I’ve seen it happen far too often.
What Should Your Security Policy Cover?
To get you started, here are 10 potential policy elements and relevant questions that should be answered when designing an enterprise security policy:

Purpose: Why do you need this policy?
Scope and Applicability: What’s the scope of the policy? Whom does this policy apply to?
Policy Authority and Review Cycle: Who has the Board or CEO granted authority to establish security policies and standards? Who can approve the policy? Who can update the policy? If there is a requirement in the policy that cannot be met, is a policy exemption request submitted?
Policy Review Cycle: How often will the policy be reviewed?
Company Culture: How can the policy adapt to your corporate culture? Does your organization’s culture support your security efforts? Do you have commitment and support from senior executives?
Topics of Focus: What topics (e.g., Email & Internet, BYOD, Social Media), should be included in your policy that you would like employees to be aware of as it relates to security responsibilities around your organization’s information and assets?
Specific Information Security Policies: What policies will cover a subsidiary area of information security (e.g., Key Management, Security Incident Response, Firewall) that further mandates the information security controls required at an operational level?
Training: How does the organization approach security awareness? What methods are used for awareness training and how often does training occur?
Communication: Who do employees contact when they have questions about anything security-related? How will you communicate the security policy? Will you require employees to acknowledge and sign off on your policy?
Compliance: How will you monitor compliance with this policy?

Read: 5 Quick Tips To Mitigate Insider Threats
The Importance of Policy Enforcement
A security policy can only be effective if employees are confident that rules will be enforced. There must be clear responsibilities defined for compliance as well as stipulations regarding steps that will be taken for non-compliance.
Depending on an organization’s industry, the security policy should reference the importance of adherence to that industry’s regulations. This may include the PCI Data Security Standard, the Dodd-Frank Wall Street Reform, the Federal Risk and Authorization Management Program (FedRAMP), the General Data Protection Regulation (GDPR) or HIPAA (Health Insurance Portability and Accountability Act), to name a few.
Read: What Is Regulatory Compliance?
To achieve the best enforcement results, your policy should be in sync with the current threat landscape as well as privacy regulations. When a policy reflects what is happening online (think phishing, ransomware (malware), privacy fines etc.), you have a better chance of employees following along. If that policy is clear and understandable, enforcement is easier.
When writing your policy, keep compliance and enforcement in mind. If you don’t think you can follow through with the rules for a specific element of the policy, it may need to be re-written.
Ultimately, the policy must not impede the organization and its employees from achieving its mission or goals.
To find out how to benchmark your security posture, download our Cybersecurity Frameworks Solution Sheet 

Brexit Uncertainty and Resulting Cybersecurity Concerns

Will it be deal or no-deal? With Theresa May no longer officially the Prime Minister and the race to name her successor in full swing, British exit (Brexit) deal negotiations have been called further into question while the successor is sought. The previous European Parliament election results further complicated the matter, with both the far-right and liberal parties gaining ground, shaking up the traditional system.
The biggest question surrounding the next phase of changes we are seeing is whether the UK will leave the European Union with an agreement designed to minimise economic disruption and create a beneficial arrangement, or whether it will step out without a departure pact.
Securing the necessary votes in the House of Commons will require concessions from the EU around some areas of the deal, and a potential compromise on elements of the backstop agreement with MPs. The clock is ticking and the next Prime Minister, whatever their political stance on the issue, will have a huge task on their hands.
Since UK citizens voted to withdraw from the EU in 2016, Brexit details have been a delicate and complicated dialogue. The resulting fragmented international architecture could have far-reaching impact on business relations, information flow, regulatory standards and of course, cyber-security concerns with many businesses concerned about what this means for their future.
Information sharing
One early concern surrounding Brexit and cybersecurity practice is information sharing, or the lack of it, among intelligence organisations in the UK and the EU. Particularly in the case of a no-deal Brexit, could and would European countries continue to work together efficiently to fight cyberattacks? In the absence of timely information sharing and a cooperative response, cyber-criminals, who regularly sell exploit kits and share vulnerability details with other attackers, are at a distinct advantage. That leaves everyone more exposed to a breach and creates a problem that doesn't need to exist.
While sharing threat intelligence is a real concern, so is GDPR compliance. The regulation is only a year old and still finding its feet within Europe, and Brexit is set to affect it. Both the UK government and the UK's GDPR supervisory authority, the Information Commissioner's Office (ICO), maintain that the regulation will remain law in the UK post-Brexit.
The challenge, however, is that GDPR restricts the transfer of personal data to 'third countries' outside the EU that do not ensure adequate protection. Post-Brexit, the UK could become a 'third country'. In that scenario, organisations in EU member states would not be able to transfer personal data to the UK unless an appropriate transfer mechanism is in place, such as an EU adequacy decision covering the UK or standard contractual clauses agreed between the parties.
With so many unknowns around Brexit, most organisations are taking a better-safe-than-sorry approach to GDPR compliance, which is exactly what we need to see. Smarter security, including heightened visibility over a growing number of endpoints and formalised data breach notification procedures, are two of the ways they are staying audit-ready.
Many have feared the hefty fines GDPR allows (up to €10 million or 2 percent of annual global turnover, whichever is greater, for lesser infringements, and up to €20 million or 4 percent of annual global turnover, whichever is greater, for the most serious), yet only now have we seen a UK organisation hit under GDPR, with yesterday's announcement that the ICO intends to fine British Airways £183 million.
Earlier this year, the French data protection authority CNIL fined Google €50 million for violating GDPR transparency rules and lacking a valid legal basis for processing user data for advertising.
Adapting to change
The international business climate can be tenuous at the best of times, and it often seems as if there is little we can do about sweeping global change but adapt to it. On the endpoint, continuous compliance can be achieved with active compliance checks, sensitive data discovery, and automated workflows that restore protections when they lapse.
Whilst the road ahead may be complex, ensuring the highest standards of data security across borders and within businesses is paramount. Whatever the final outcome of Brexit, companies need to have the highest standards of data security in place, at all times.
This article was originally published in SC Magazine UK.
Learn more about how Absolute helps organizations comply with GDPR on our website.

Escalating Risks to Healthcare Data

The challenges of securing medical devices from cyberattacks made headlines again last week when the U.S. Food and Drug Administration (FDA) warned that certain Medtronic MiniMed insulin pumps may be at risk of a cybersecurity breach. In response, Medtronic recalled the affected pumps and is providing patients with alternative models.
As the healthcare industry quickens its pace toward incorporating more IoT devices and wearables for the sake of improved patient care, there is also a clear downside to the trend. The connectivity inherent in these same medical devices can pose a serious threat to patients and providers. Device vulnerabilities can lead to security breaches that could affect the safety and effectiveness of the device itself. Because healthcare data is so valuable, the risks are escalating rapidly.
Weighing Risks and Rewards
Healthcare organizations and patients alike must weigh the risks and rewards of relying on such medical devices the same way they already consider the pros and cons of their network connected endpoints. Laptops, tablets and phones have proven to be a critically important piece to delivering cutting-edge patient care as well as growing organizational efficiency. For large hospitals, small doctors’ offices and every healthcare provider in between, mobile medical technology is how modern patient care is delivered.
But securing patient data — including personal information, payment details, health histories and more — on vulnerable endpoints has long been a real problem for the industry. More than 2 million people saw their information exposed via a healthcare data breach in May alone.
Regulators that oversee the protection of personal information, under HIPAA and a host of other laws, are kept busy with breach investigations. Large fines are regularly doled out, yet theft by hackers continues at a relentless clip. At the same time, security spend is also on the rise as organizations scramble to fend off attackers.
Read: The State of Endpoint Health in 2019
Now What?
A strong security posture must start with unparalleled visibility — because you can’t secure what you can’t see. This is the approach Allina Health, the major healthcare provider for the state of Minnesota took when they implemented Absolute across their more than 10,000 devices.
With Absolute, Allina Health can see all of their devices, whether they are on the network or not, identify devices that are missing or not being used, and prove that security controls such as patch management, antivirus and encryption are always in place. In addition, Allina Health has been able to save over one million dollars by identifying underutilized assets, prove compliance with HIPAA by validating that encryption is in place on all devices, at all times, and achieve 95 percent laptop auditing accuracy.
“I sleep better at night knowing that if a device goes missing, we have the tools and services that Absolute provides to track it down…and validate that encryption was in place [when the incident occurred],” said Danielle Bong, IT Asset Manager, Allina Health.
Healthcare endpoints are key to providing better patient care and improving organizational efficiency – security improvements must be made for the benefit of everyone but the hackers.
To learn more about how Allina Health uses Absolute, download our case study: Allina Health Ensures HIPAA Compliance.

Education & Internet Safety: Prove CIPA Compliance with Absolute

As technology continues to be rapidly adopted in education, the pressure is on to secure and retain the grants that make devices in the classroom possible. Schools must compete to prove effective technology utilization while taking steps to ensure compliance with the Children’s Internet Protection Act (CIPA), and the E-Rate Program.
The E-Rate Program supports connectivity. Through grants, it provides discounts up to 90 percent to help schools and libraries obtain affordable internet and telecommunication access.
Eligible schools need to certify they have an online safety policy in place that is supported by technology protection measures. These measures must block or filter harmful content, and monitor the activities of minors.
While school districts can meet CIPA compliance requirements by installing software that filters web content, it’s another challenge to know and prove these programs remain installed and are effective.
With Absolute's solutions for education, K-12 school districts have uncompromised visibility into, and remediation of, their devices, whether inside or outside the school network. Absolute also gives districts layered visibility into data and applications that can't be removed or tampered with by overzealous students or malicious attackers.
The self-healing capabilities of Absolute’s Persistence technology helps school districts ensure that critical security features such as web filtering or cyber-attack protection remain in place and stay functional – making it easier to prove CIPA and E-Rate compliance.
Absolute’s Student Technology Analytics unlocks the door to a host of detailed information that can be applied to contextualize device and end-user activity.
Using data from Student Technology Analytics, schools can better analyze the impact and outcomes of their technology investments. Districts not only see how users interact with technology, but gain insight into online behaviors like application use, websites visited, and device usage.
Absolute is empowering schools globally to deliver safe, secure, and more productive learning environments. Read our whitepaper to learn three important ways that integrating Student Technology Analytics into your technology plans can help your school district.
Read 3 Ways Student Technology Analytics Validate Technology Analytics in Classrooms

What is Regulatory Compliance?

A Brief Definition of Regulatory Compliance
While regulatory compliance is a broad topic, the definition is quite simple – it’s all about making sure an organization is following the rules for its industry. With regulatory compliance, you are required by an outside authority to perform certain obligations or comply with regulations, and there are consequences for not doing so.
Regulatory compliance should not be confused with corporate or internal compliance, as the mandate between an internal and external policy may differ significantly. Essentially, being compliant can save a company from potential legal entanglements.
Why Is Regulatory Compliance Important?
Today, concerns about privacy and IT security are central to regulatory compliance. Especially over the last five years, people have caught on to how often privacy is abused. While compliance regulations have existed for many years, most weren't created with privacy in mind; only recently have we seen them merge with IT security.
If you’re fully compliant, it represents a big step in the right direction for data protection. However, compliance should be viewed as a minimum standard — an organization should strive to reach higher.
What does this mean? It means doing the right things and having sound controls. If you’re doing those things, the compliance should come naturally.
If you think about SOX (Sarbanes-Oxley), one of the earlier compliance acts, at the end of the day you're required to understand the risks and to have controls and processes that address them in order to prevent financial misstatement. That means understanding your environment, its associated risks, and the controls that mitigate those risks. SOX was one of the first regulatory compliance acts in which risk was the main driver, and mitigating risk (especially from a privacy perspective) is prominent in many recent regulatory compliance acts.
The recent General Data Protection Regulation (GDPR), for instance, was developed with risk in mind and focuses on the need to understand the risks of processing certain types of information.
Once you have your risks and compliance methodologies in place, you can leverage them to not only comply with one regulation but comply with many. Besides, compliance can be used as a stepping stone for your organization as a whole. Further, if there’s a new regulatory compliance law coming up in the future, you may already be compliant.
On the other hand, if you're not compliant, the costs can be damaging. There may be fines, reputational risks, impacts to stock price or revenue, or a loss of customers. Over and above that, there are industry risks to consider. If you're not compliant with PCI DSS, the card-industry standard for payment card processing, for example, your ability to process transactions may be revoked.
The risk of continuing to do business may even be at stake.
Compliance Challenges
There are numerous challenges companies face in order to remain compliant, but the primary obstacles impact finance, HR, and IT.
It’s unfortunate, but the biggest challenge for compliance is that it can be expensive. Let’s face it: many organizations are running lean as it is, and now they’re faced with an edict of “You shall manage risk.” Then, organizations must decide whether to outsource or dedicate internal resources to compliance. From a human resources standpoint, it can be time-consuming. In some companies, these developments may require the introduction of compliance-centric positions such as Regulatory Compliance Officer or Manager.
For the IT department, the never-ending stream of new technologies creates considerable compliance complications. As employees continue to incorporate their own devices in today’s BYOD (bring your own device) landscape, we must understand that those endpoints store sensitive, compliance-relevant company data. Compounding the issue is the massive growth of IoT — meaning even more endpoints and interconnected devices (which may or may not be secure) on an organization’s network.
Keeping up with updates, patching software quickly, and staying on top of vulnerabilities are all requirements for maintaining compliance.
Endpoint management is a crucial component of regulatory compliance.
Regulatory Compliance Examples 
One of the most prominent examples of regulatory compliance today is HIPAA. Through ongoing regulation and guidance, HIPAA compliance is a continuing obligation that healthcare organizations must build into their business in order to protect the privacy, security, and integrity of protected health information.

If your organization has anything to do with the healthcare industry, you’ll want to check out our HIPAA compliance checklist.
The Sarbanes-Oxley Act (SOX) of 2002 mentioned above was created to combat corporate financial fraud. Along with protecting whistleblowers, SOX banned company loans to executives and holds CEOs and CFOs personally accountable for the accuracy of the financial reports they certify.
The Dodd-Frank Wall Street Reform and Consumer Protection Act was created to reorganize and improve financial regulation and also created the Consumer Financial Protection Bureau. It may be one of the most complex pieces of legislation written.
Two regulatory compliance acts to watch, especially where privacy is concerned, are the California Consumer Privacy Act (CCPA) and the New York State Personal Privacy Protection Law. The California act, which takes effect on January 1, 2020, “gives consumers sweeping control over their personal data. It grants them the right to know what information companies like Facebook and Google are collecting, why they are collecting it, and who they are sharing it with.” The New York law, which applies to state agencies rather than private companies, “protects you from the random collection of personal information by state agencies. The law enables you to access and/or correct information on file which pertains to you. It also regulates disclosure of personal information to persons authorized by law to have access for official use.”

How Can I Learn More?
As 2020 approaches, protecting privacy is going to be more critical than ever and a central element of regulatory compliance.
Privacy laws give organizations parameters to work within and help ensure accountability. However, in the face of resource constraints and rapidly evolving threats, IT is often caught in the crossfire in choosing where efforts should be focused.
If you need a path for harmonious co-existence between working within the law and advancing technology, we’re here to help.
Watch our IT on Trial — Guilty Until Proven Innocent? webinar to learn legal and ethical considerations for data privacy, the value legal frameworks provide to technological advancement, and get predictions about the direction and increasing importance of privacy laws.
This article is for informational purposes only.  The information in this article is not legal advice, is not to be acted on as such, is not intended to substitute for professional legal advice, may not be current, and is subject to change without notice.  You should contact a licensed lawyer in your area to assist you in legal and regulatory matters.  Absolute expressly disclaims all liability with respect to actions taken or not taken by a reader based on any or all of the information and commentary in this article. 
©2019 Absolute Software Corporation.  All rights reserved.  ABSOLUTE and the ABSOLUTE logo are trademarks of Absolute Software Corporation.   Other names or logos mentioned herein may be the trademarks of their respective owners.

The Biggest Challenges of Encryption

Encryption is a staple security control for most organizations. In a recent Ponemon study, enterprise use of encryption hit an all-time high this year with 45 percent of organizations now having a comprehensive encryption policy in place. Conversely, just 13 percent of organizations have no encryption capabilities. What is the biggest challenge organizations face in implementing their encryption policy? Simply having visibility into their data and knowing which needs to be protected.
What is Encryption?
According to Techopedia, encryption is the process of algorithmically transforming information to make it unreadable to unauthorized users. The encoded data can only be decrypted, or made readable, with the right key. While encryption protects data at rest on devices, its most visible use is protecting data in transit: in 2018, encrypted traffic reached 72 percent of all network traffic, a 20 percent increase over the year prior.
Encryption means data is only readable by senders and receivers, not third parties who may be trying to get their hands on it. In the age of big data, where organizations collect and share information at unprecedented rates, encryption is a critically important tool.
Adoption Driver: Compliance
Along with the need to protect against rising data breaches, another primary driver behind increasing encryption use is compliance. Data protection laws, including GDPR, CCPA and PIPEDA, treat encryption as a key safeguard: GDPR relaxes the duty to notify individuals when breached data was encrypted, and CCPA's private right of action applies to nonencrypted personal information. An organization that cannot prove encryption was in place at the time of an incident therefore faces the full weight of notification duties and fines, on top of the $3.86 million that Ponemon reports as the average cost of a data breach.
GDPR repeatedly highlights encryption as an ‘appropriate technical and organizational measure’ for the security of personal data. Under GDPR, a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33) unless the breach is unlikely to result in a risk to individuals, and must inform affected individuals without undue delay where the risk to them is high (Article 34). That second obligation is waived where the affected data was protected by measures such as encryption that render it unintelligible to anyone not authorized to access it, which is why proof that encryption was in place at the time of the incident matters so much.
Having encryption in place can save your organization from potentially disastrous reputational damage. More than the cost of the fines, reputational damage caused by losing the trust in the eyes of customers and the public can ultimately be the factor that destroys an organization’s success.
The Human Element
Encryption isn't without its challenges, however, and a big one is the very people who use it. Users are often the weak link in the security chain; another new study found that employee mistakes continue to be the most significant threat to data security. The mathematics behind a modern cipher may be sound, but deployment can be complicated and confusing for users. That leads to employees disabling it or insecurely sharing decryption keys and passphrases, which voids the entire program.
Device Complexity Creates False Sense of Security
Encryption is a powerful tool, but it's still just one ingredient in your overall security mix. It is most often paired with other endpoint security solutions such as patch management, antivirus and antimalware, along with firewalls, SIEM solutions and many others. All have their place, but the rising number of solutions deployed on any given device adds significant complexity and makes monitoring them a challenge. Tools don't always integrate or work well together, and controls are easily misconfigured.
A high volume of security tools often provides a false sense of security, because a broken tool leaves a big gap in an organization's defenses. Instead of piling on more controls, IT and security teams need to understand what's happening on their devices and respond to suspicious events in order to reduce security failures; adding more and more controls to the endpoint may actually perpetuate the risk.
It is imperative that encryption and the other fundamental security tools are working at all times, as intended, so that the organization retains visibility and control over every device that holds data or has network access.
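The Allina Health example earlier on this page (validating that encryption is in place on every device, at all times) and the point just made come down to one repeatable check: collect each endpoint's control state, compare it against policy, and drive remediation from the gaps. The Python below is an added illustration of that check; it is not code from this page or from Absolute. The telemetry records, the field names (volumes, av_running, last_patch and so on) and the thresholds are constructed assumptions, and a real deployment would feed the same logic from its agent or MDM inventory.

```python
"""Endpoint control-health audit.

Added example, not code from the page or from Absolute: it evaluates
constructed per-device telemetry against a small policy and reports the
devices that would fail an audit, plus the remediation each one needs.
Field names, sample values and thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Fixed reference time so the results are reproducible offline (assumption).
NOW = datetime(2019, 7, 10, 12, 0, tzinfo=timezone.utc)
MAX_CHECKIN_AGE = timedelta(days=7)     # longer than this and the device is "dark"
MAX_SIGNATURE_AGE = timedelta(days=3)   # antivirus definitions older than this are stale
MAX_PATCH_AGE = timedelta(days=30)      # no successful patch cycle in 30 days is overdue

# Constructed sample telemetry, one record per device, as an agent might report it.
DEVICES = [
    {"id": "LT-0001", "last_seen": "2019-07-09T22:10:00Z",
     "volumes": {"C:": "FullyEncrypted"}, "av_running": True,
     "av_signatures": "2019-07-09", "last_patch": "2019-06-28", "phi_files": 0},
    {"id": "LT-0002", "last_seen": "2019-07-09T08:00:00Z",
     "volumes": {"C:": "FullyDecrypted", "D:": "FullyEncrypted"}, "av_running": True,
     "av_signatures": "2019-07-08", "last_patch": "2019-07-01", "phi_files": 12},
    {"id": "LT-0003", "last_seen": "2019-06-20T12:00:00Z",
     "volumes": {"C:": "FullyEncrypted"}, "av_running": True,
     "av_signatures": "2019-06-20", "last_patch": "2019-06-15", "phi_files": 3},
    {"id": "LT-0004", "last_seen": "2019-07-10T09:30:00Z",
     "volumes": {"C:": "FullyEncrypted"}, "av_running": False,
     "av_signatures": "2019-07-01", "last_patch": "2019-05-01", "phi_files": 0},
]

# What restores each failed control to policy (assumed playbook entries).
REMEDIATION = {
    "DARK_DEVICE": "open a missing-device case; rely on last-known state until it checks in",
    "ENCRYPTION_OFF": "re-enable full-disk encryption and escrow the recovery key",
    "AV_NOT_RUNNING": "reinstall or restart the antivirus agent",
    "AV_SIGNATURES_STALE": "force a signature update",
    "PATCH_OVERDUE": "trigger an out-of-band patch cycle",
}


@dataclass(frozen=True)
class Finding:
    code: str
    severity: str   # "critical" > "high" > "medium"
    detail: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _day(s: str) -> datetime:
    return datetime.combine(date.fromisoformat(s), datetime.min.time(), timezone.utc)


def evaluate(device: dict, now: datetime = NOW) -> list[Finding]:
    """Return the policy violations for one device (an empty list means compliant)."""
    findings: list[Finding] = []
    gap = now - _ts(device["last_seen"])
    if gap > MAX_CHECKIN_AGE:
        # A device that stopped reporting can only be judged on its last-known state.
        findings.append(Finding("DARK_DEVICE", "high",
            f"no check-in for {gap.days} days; remaining results are last-known state"))
    bad = sorted(v for v, state in device["volumes"].items() if state != "FullyEncrypted")
    if bad:
        # An unencrypted volume holding PHI is a reportable breach if the device is lost.
        sev = "critical" if device["phi_files"] > 0 else "high"
        findings.append(Finding("ENCRYPTION_OFF", sev,
            f"volumes {bad} not fully encrypted; {device['phi_files']} PHI files present"))
    if not device["av_running"]:
        findings.append(Finding("AV_NOT_RUNNING", "high", "antivirus agent stopped"))
    elif now - _day(device["av_signatures"]) > MAX_SIGNATURE_AGE:
        findings.append(Finding("AV_SIGNATURES_STALE", "medium",
            f"signatures dated {device['av_signatures']}"))
    if now - _day(device["last_patch"]) > MAX_PATCH_AGE:
        findings.append(Finding("PATCH_OVERDUE", "medium",
            f"last successful patch {device['last_patch']}"))
    return findings


def audit(devices: list[dict], now: datetime = NOW) -> dict[str, list[Finding]]:
    """Evaluate every device; the result is the evidence an auditor asks to see."""
    return {d["id"]: evaluate(d, now) for d in devices}


def encryption_coverage(devices: list[dict]) -> tuple[int, int]:
    """(devices with every volume fully encrypted, total devices)."""
    ok = sum(all(s == "FullyEncrypted" for s in d["volumes"].values()) for d in devices)
    return ok, len(devices)


def remediation_plan(report: dict[str, list[Finding]]) -> dict[str, list[str]]:
    """Failed devices mapped to the actions that bring them back into policy."""
    return {dev: [REMEDIATION[f.code] for f in fs] for dev, fs in report.items() if fs}


if __name__ == "__main__":
    report = audit(DEVICES)
    enc, total = encryption_coverage(DEVICES)
    print(f"encryption coverage: {enc}/{total}")
    for dev, fs in report.items():
        for f in fs:
            print(f"{dev} {f.severity:8} {f.code}: {f.detail}")
    for dev, actions in remediation_plan(report).items():
        print(dev, "->", "; ".join(actions))
```

Running the module prints the coverage figure and the findings for the three non-compliant devices. The dark device (LT-0003) is deliberately reported before anything else about it, because a device that has stopped reporting can only be judged on its last-known state, and that last-known state (encrypted or not at the final check-in) is exactly the evidence an investigation needs if the device later turns out to be lost.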
To learn more about how security tools degrade and how you can analyze the tools you already have to identify blind spots or opportunities to strengthen your defenses, listen to the recent webinar we did with Forrester analyst, Renee Murphy titled The State of Endpoint Security in 2019.