Category: Compliance

The Role of Dematerialization in Data Privacy

In the constant push for bigger, better, faster, it’s normal to see products and services evolve to meet shifting customer expectations. What’s different about today though, is how customers themselves are changing. Everyone has a growing digital footprint, regardless of whether or not they want one. What does this mean for personal data privacy?
The Dematerialization of Society
Look around your home today and compare it with a home in the 1980s or 90s. What’s missing? An answering machine, Rolodex, calendar, alarm clock, road maps, vinyl records, VHS tapes, cassettes, CDs, and DVDs; the list goes on. Each of those material goods has been replaced by our smartphones. Digital has “dematerialized” our world; even our money has been digitized, for the most part. It’s safe to say we’re much less dependent on physical stuff.
Digital has also dematerialized people. A person is a person because of the data that exists about them — our digital selves. We have become a collection of individual pieces of data made up of Personally Identifiable Information or PII.
Personal Privacy in a Dematerialized World
When all of our personal data is digital, privacy becomes a much bigger issue, with many more stakeholders. With all the progress society has made during our digital transformation, we have somehow managed to sacrifice our personal privacy along the way.
We shifted from moving physical material that makes up a person’s identity around in space to moving bits and bytes around in the cloud — and somehow this shift made the data seem less valuable for a while.
For more on the three general attitudes people have on data protection, read Data Privacy in Our Digital World.
New and Updated Regulations to Protect Our Digital Selves
There have been too many stories in the news about organizations and institutions making headlines for all the wrong reasons: negligence and loss of personal data, cybersecurity breaches, inadvertent misuse of data by a third party, and so on.
As a result, governments around the world are stepping up to the challenge of protecting the privacy of the individual with strict regulations (backed by law) that govern the use and misuse of digital data, and shift power back to the individual.
Sweeping regulations, such as the EU General Data Protection Regulation (GDPR), are prompting regulators around the world to implement compatible standards and, in some cases, start levying their own fines.
Most recently, the California Consumer Privacy Act (CCPA) as well as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) were introduced. Both have been heavily influenced by GDPR and give people more control over the personal information that is being collected about them.

The C-Suite Has an Ethical Responsibility to Protect PII
There are several reasons why organizations should do everything in their power to protect PII. Firstly, it’s the law. Data breaches can be bad for business both in terms of regulatory fines and loss of business due to class-action suits. Not to mention the subsequent reputation damage.
Secondly, and more importantly, there’s an ethical responsibility: it’s the right thing to do. And the public expects organizational leaders to take charge: 76% of those surveyed in the 2019 Edelman Trust Barometer believe that CEOs should take the lead on change, rather than waiting for the government to impose it.
The C-suite has a responsibility to take an active role in ensuring data security and privacy controls are in place — failure to do so puts innocent people at risk and could potentially be the digital world equivalent of reckless endangerment.
In my next post on C-suite responsibility, I’ll discuss the different data privacy considerations that too often go overlooked. In the meantime, if you’d like to learn more, get our new eBook, 3 Overlooked Data Privacy Considerations. 

Global Data Privacy Laws in 2019

As our personal information becomes digitized and organizations push to collect more and more of it, data privacy has become a critical issue. Regulations are needed to protect the growing volume of data and a majority of nations’ governments are responding with a multitude of global data privacy laws.
The Road to Regulation
According to a new, interactive map by the United Nations Conference on Trade and Development (UNCTAD), 58 percent of the 194 UNCTAD member countries report having data protection and/or privacy legislation on the books and another 10 percent have draft legislation in the works. Unfortunately, 21 percent of countries have no legislation or anything in process.
A global map of cyberlaws, the Global Cyberlaw Tracker monitors the state of e-commerce legislation including laws over e-transactions, consumer protection, data protection/privacy, and cybercrime. It’s a helpful tool for organizations as they work to safeguard the personal information of citizens around the globe. However, it’s also a good illustration of the significant challenge organizations face in data protection compliance.
To further complicate matters for the companies that do business with Americans, there is no federal data privacy law in the United States. Instead, companies are left to interpret and comply with a growing patchwork of individual state laws — a movement now gaining momentum thanks to the California Consumer Privacy Act (CCPA) of 2018.
Read: Will CCPA Pave the Way to a Federal Data Privacy Law?
Is GDPR the Future of Global Data Privacy Laws?
To avoid having to comply with 50 different state laws, big tech companies are calling for a unified law similar to the European Union’s GDPR, though more so in concept than in scope. Most data privacy activists champion the regulation; however, many organizations are cautious about what they ask for. GDPR is considered the world’s most stringent data protection law. Since going into effect in May of last year, nearly 60,000 data breaches have been reported but only 91 fines have been imposed to date. According to one report by international law firm DLA Piper, the three biggest offenders so far are the Netherlands, Germany, and the United Kingdom.
Keeping up with the evolving regulatory landscape requires constant attention, just like monitoring sensitive data that is always on the move. While the world’s lawmakers scramble to keep up with escalating data privacy issues, costly fines and the court of public opinion are already underway. It’s important to understand what data you collect, where it’s shared, and how it’s protected. While many data privacy regulations are still being developed, implementing measures to align with larger privacy frameworks like GDPR can ensure your organization’s data is protected and you’re prepared for forthcoming regulations.
For more information on the global state of data privacy, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.
 
Video Transcript:
Hello again! Josh here from Absolute. In our last episode, we saw how the digital world has made data privacy a top priority. In this episode, we’ll look at some of the laws designed to protect data privacy.
The most obvious place to start is with the General Data Protection Regulation (GDPR) which is fashioned as a statement of rights, including:
- The right to rectify
- The right to be forgotten
- And the right to civil action
Rectify simply means that when someone requests a change to the details of her digital self, you must find every place her data could be so that you can rectify the information and comply with GDPR.
The right to be forgotten is also key: a person’s digital identity is to be purged; in legal jargon this is called the ‘right to erasure’.
Once again, we need to find it, which means we need to probe every endpoint to discover where the data is so that we can remove it.
Finally, the GDPR guarantees the right to sue for damages when personal data is misused or left unprotected.
Okay… well, now we have to demonstrate safeguards are active, up-to-date, and working effectively.
It’s the only way to prove your innocence and avoid a fine, which can be as high as 4% of your organization’s annual revenue.
Fumbling on data privacy is a costly mistake.
What about outside Europe?
In the US, we find laws like HIPAA (for health information) and S-P and S-ID statutes for personal financial information, enforced by the SEC. But no national privacy standard.
In the meantime, we need to follow state laws like CCPA in California. Some have called CCPA, ‘GDPR-lite’. But that’s only for the penalty amounts. CCPA imposes more restrictions, demands faster reporting and tighter controls than GDPR. If it’s true as they say, ‘As California goes, so goes the country’, then we can expect the US to end up with more stringent standards than the EU.
Then, we come to PIPEDA, Canada’s newly refreshed hammer for privacy. Not only is reporting unauthorized access required (like GDPR), but even if the safeguards – anti-virus, encryption, security agents – have broken, regardless if the attacker was successful.
Wait! You have to prove your security posture was airtight when the incident happened, not just if data was stolen? Yep, that’s what we’re sayin’ (eh)!
Data Privacy is today’s great challenge for IT and security teams, and with 35% of sensitive data out of sight on endpoints, there has never been a stronger need for persistent endpoint visibility and control.
Next time we will explore the steps you can take to ensure data remains private. Be sure to subscribe and drop your comments below, I’ll see you then.
 
 

Will CCPA Pave the Way to a Federal Data Privacy Law?

If GDPR is the unification of data privacy laws across Europe, could the California Consumer Privacy Act of 2018 (CCPA) serve the same role in the U.S.? While many privacy advocates hope it does, there’s no question that there is still much work to be done on the new California law.
What is CCPA?
CCPA was signed into law on June 28, 2018 and will go into effect January 1, 2020. Under California law, citizens can propose new laws and can incite a vote if they have enough signatures. That’s how CCPA was brought into play – and very quickly made into a reality. As it stands, the law currently provides California residents with four basic data privacy rights:

The right to know which personal information a business is collecting about them, where it’s being sourced, what it’s being used for, whether it’s being disclosed/sold and if so, to whom
The right to opt out of allowing a business to sell their personal information to third parties
The right to have a business delete their personal information, with a few exceptions
The right to receive equal service and pricing from a business even if they exercise their privacy rights

Read our blog post about Data Privacy
Unlike GDPR, CCPA comes with a narrower scope to whom the data privacy requirements apply. CCPA impacts any company that does business in the state and meets one of the following criteria:

annual gross revenues over $25 million
receives/discloses the personal information of 50,000 or more CA residents
derives 50 percent or more of their annual revenues from selling CA residents’ information

Violation comes with a civil penalty of up to $7,500 per incident and gives consumers the ability to seek damages either individually or collectively.
CCPA in 2019
Starting in January 2019, the Attorney General (AG) of California has been holding forums across the state to gather comments from the interested public. The input gathered during this rulemaking process — which is set to end on March 8 — will then be considered as legislators draft CCPA rules in the coming months. The first draft of CCPA regulations is expected to be published this fall whereby another public comment period will be scheduled.
CCPA is by no means final, yet already several copycat laws are popping up across the country: Massachusetts, Rhode Island, Washington and New York have all introduced their own state laws too. Other state AGs have said they will take California’s lead on data privacy. Separately, a couple of data privacy bills have been introduced: one back in December by a group of 15 Senators and another by Florida Senator Marco Rubio last month.

The evolving patchwork of U.S. data privacy laws begs the question – when will federal lawmakers finally step in and address consumer privacy rights as was done in the EU with GDPR? Tech giants Cisco, Apple, Facebook and Google recently joined forces calling for this. CCPA and others like it are building awareness and driving momentum for the effort.
Regardless, it’s increasingly important to pay close attention to the legislative landscape as compliance fees continue to climb. Perhaps equally as important though, companies should be taking a stand on data privacy because it’s morally, ethically and legally the right thing to do. It also makes good business sense. Consumers want to do business with companies they trust. In California at least, they are the ones driving data privacy into law.
If you would like more information on how you can be sure your organization is doing what it can to protect the data in its care, download our new eBook The C-Suite’s Moral, Ethical, and Legal Responsibility to Protect PII.

Data Privacy in a Digital World

Data privacy is top of mind these days, for good reason. The number of exposed online records has doubled since last year, reaching a total of 446.5 million. International regulations such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) in the U.S., and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada have helped to provide standards for governance over our information, but it is not always simple.
We Are Our Data
When all our personal data is digital, privacy becomes a much bigger issue, with many more stakeholders. With all the progress society has made during our digital transformation, we somehow managed to sacrifice our data privacy along the way. We shifted from moving physical material that makes up a person’s identity around in space to moving bits and bytes of data around in the cloud — and somehow this shift made the data seem less valuable…for a while.
When it comes to data protection, most people fall into one of three categories:

Just stay offline.
My data will be used/misused and it’s no big deal.
Wait a second – that data is who I am!

Whatever your opinion, however, there have been too many stories about organizations mishandling data recently, including negligence and loss of personal data, cybersecurity breaches, inadvertent misuse of data by a third party, and the list goes on.
A Responsibility to Protect PII
There are several reasons why organizations should do everything in their power to protect Personally Identifiable Information (PII). Firstly, it’s the law. Data breaches can be bad for business both in terms of regulatory fines and loss of business due to class-action suits. Not to mention the subsequent reputation damage.

Secondly — and more importantly — there’s an ethical responsibility: it’s the right thing to do. And the public expects organizational leaders to take charge — 76% of those surveyed in the 2019 Edelman Trust Barometer believe that CEOs should take the lead on change, rather than waiting for a government to impose it.
The C-suite has a responsibility to take an active role in ensuring that data security and privacy controls are in place. Failure to do so puts innocent people at risk and could be likened to the digital world’s version of reckless endangerment.
3 Simple Aspects of Data Privacy
Data Residency. Your organization is full of sensitive data and, unfortunately, employees unwittingly put it at risk all the time. An organization is responsible for understanding where the data it collects and stores resides, especially if it is stored in another country. However, your data sits out there on more endpoints than you think, not to mention what happens when one of those devices goes missing.
You need the equivalent of Google for your endpoint data — a lexicographical crawler for PII that can alert you to any unauthorized data hiding out there on endpoint devices. Unless you have that, you simply won’t be able to track all the places where the data resides.
Orchestration of Controls. There is no shortage of security controls, whether they be native in the operating system or come as third-party applications like antivirus, antimalware, encryption, or other endpoint detection and response (EDR) solutions. These controls help ensure that the place where data resides is secure.
The problem is in ensuring that the third-party controls remain in place and functioning at all times. Native controls can help with this, giving organizations the ability to pull information from the controls and push actions to the device if they are not operating as they should, or if the user of the device is acting suspiciously.
Continuous Monitoring. Annual auditing is only valid on the day the audit takes place. Can you be sure on any day in between audits that data is not residing in the wrong place and, if it is, that security controls are in place to protect it? Without continuous monitoring, you’ll never be able to keep track of all the data copies that exist on all your devices. This can leave you in hot water when the regulators come knocking.
Data privacy affects all of us. As the speed at which the world operates in digital increases, we can expect everyone to take a greater interest in their personal data. The organizations that act now to build data privacy into their company’s mission statement will be the ones that retain customer trust.
For more information on data privacy in our digital world, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:
Welcome back! Josh here from Absolute. If you’ve been on planet Earth the last couple of years, you know one topic in Information Security is grabbing everyone’s attention: Data Privacy
Look around at a home of 2019 and compare it with a home of the 1980s or even the 90s. Take notice of what’s likely missing…

Answering machines
Rolodex
Alarm clock
Maps
Vinyl records, VHS tapes, cassettes, CDs or DVDs

Each (and there are many more) has been replaced by a smartphone. Digital has dematerialized our world. The things people need are no longer dependent on physical stuff but are satisfied by digital technology.
What does this have to do with data privacy?
Well, digital has also dematerialized people. We live in a digital reality. Who we are has become a collection of individual pieces of data; we call it Personally Identifiable Information or PII.
People have always been conscientious about their personal privacy, but now that we’ve been dematerialized, personal privacy takes a new shape. Each person’s right to privacy is more easily overthrown, because we’re not moving physical material around in space, but manipulating bits and bytes that compose a person.
One school of thought says, ‘Just stay offline.’
Another way of thinking says, ‘Hey, my data will be used (or misused), it’s no big deal.’
While others contend this by saying, ‘Wait! That’s my data and that is who I am!’
For starters, just saying ‘stay offline’ isn’t reasonable for a 21st century person: the digital world is where things happen. That’s why we call it The Digital Transformation. Business, government, school, research, and even friend-to-friend interactions, all happen in the digital town square.
For those saying ‘No big deal’, would you say that if you were being harassed or stalked by someone in the physical world? And even if you don’t care about how your data is used, other people do… and they want assurances that their privacy is always secure.
You can see why data privacy is all the rage right now. And it’s not just social media data scraping to create ‘fake news’; we see credit bureaus, city governments, and even hospitals, schools and universities all fail to safeguard individual privacy.
Data privacy goes to the heart of what we value as a society, which demands that we do our best work to protect those digital persons in our care.
Be sure to subscribe and put your comments below. I’ll see you next time, and we’re gonna take a deeper dive into the laws that are designed to protect personal privacy.

Avoid Security Breaches in Healthcare with Data Visibility

Security breaches in healthcare are rampant. Just one month into 2019 and the Office for Civil Rights (OCR) already has plenty of new Health Insurance Portability and Accountability Act (HIPAA) compliance violations to investigate. The well-known ‘wall of shame’ data breach portal shows that in January alone more than 350,000 individuals have had their protected health information (PHI) compromised by a data breach. The reported causes of these healthcare security breaches are: hacking, lost or stolen devices, unauthorized access/disclosure, and improper disposal.
The Cost of a Healthcare Data Breach
Healthcare IT security continues to be a growing issue. Not only has the number of victims increased, so has the cost to those involved. According to Ponemon Institute, healthcare data breach costs are the highest of any industry at $408 per record. In 2018, we saw the largest fine ever handed out by the OCR since they began enforcing HIPAA compliance when health insurer Anthem Inc. was ordered to pay $16 million in October.
Read The Cost of a Data Breach in Healthcare
Why is healthcare hit so hard? Healthcare is data and all of it – personal, familial and financial information – is highly valued by cyber criminals. Add to that the organizations themselves are typically large, distributed, and often encumbered by legacy systems and/or inadequate security budgets, making them an easy target in too many cases.

Faced with these and other challenges, it is increasingly important that healthcare organizations make the most of their security investments. But that doesn’t mean layering on every new tool is the right answer, for strong security or for compliance. Many organizations wrongly assume that deploying a host of security technologies inevitably ensures compliance when, in reality, the safer bet is to start with the data and knowing where it resides.
The Burden of Proof for HIPAA Compliance
To be HIPAA compliant, the Department of Health and Human Services (HHS) requires that covered entities specify “technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals,” through either encryption and/or destruction. It falls to healthcare organizations to supply proof of data encryption or proof of destruction in order to avoid being liable for non-compliance.

The challenge is that you can’t secure (in this case encrypt) or validate devices you can’t see. Visibility into the health and efficacy of your endpoints is a key element in remaining HIPAA compliant. Identifying all of your endpoints, even those that are inactive, also happens to be the starting point for a solid security program.
Devices are re-imaged, users disable apps, registry files become corrupted, and devices leave the protection of the network. All of these ‘dark’ devices remain outside the control of IT, posing a significant threat to data security and HIPAA compliance. Moreover, in the event of a security incident, these devices may no longer have the technology needed to prevent the incident from escalating to a full-scale data breach.
Would you be able to validate your data security at the exact moment of an incident? Quantify the extent of your organization’s dark endpoint problem by starting with this free assessment. And, if you would like more information on effective steps to protect your healthcare data, watch this webinar with Absolute and SANS Institute, 7 Steps to Protecting Data in the Era of Digital Care.

Will 2019 Be the Year of GDPR Fines?

Is 2019 the year we will feel the full impact of GDPR? Chances are good the answer to that question is a resounding “yes!”
GDPR went into effect May 25, 2018 and, as of yet, no sizable fines have been levied for data privacy missteps in the protection of personally identifiable information (PII) of EU citizens. Despite light action in actual enforcement to date, there is plenty of evidence to suggest regulators have been very busy with all of the details that will inevitably lead up to the big penalties the regulation has become known for.
Last year, data privacy groups filed the first complaints under GDPR against Facebook and Google. Since then, nearly every European data protection agency (DPA) reports a significant increase in both data privacy complaints and breach notifications. The newly formed European Data Protection Board (EDPB) is tasked with enforcing GDPR and says well over 40,000 complaints have so far been lodged across the EU.
As the number of complaints continues to rise, DPAs are staffing up to investigate and handle resulting enforcement action. The Irish Data Protection Commission (DPC) for example, has grown from less than 30 employees in 2014 to 130 employees in 2018, with further expansion planned for 2019. Many of the world’s largest tech companies have their EU headquarters in Ireland, including Facebook, Twitter, Microsoft and LinkedIn and, therefore, fall under the purview of the DPC.
Not all DPAs are exclusively focused on hand-slapping, however. Some have been consulting with businesses on how to better protect their data. And, in December, the EDPB issued guidelines for how to comply with the geographic scope currently outlined in Article 3 of GDPR, which could be interpreted as meaning that anyone who processes EU citizen data must comply, regardless of where the business is located.
Monitor and Secure PII
What can you do to address GDPR compliance and ensure you won’t be making headlines for the wrong reasons in 2019 and beyond? Because you can’t secure what you can’t see, the first step is to maintain uncompromised visibility and control over all of your endpoints, whether they are on or off your corporate network.
To help you determine where your PII is located (as defined by any of the 31 European countries subject to GDPR) by device ID and username, Absolute today introduced a new GDPR Compliance Report that is now part of the Absolute Platform.
In addition to where your data is located, the report also shows you whether or not that data has been encrypted and when, both required pieces of information for compliance. The report generates a GDPR aggregate match score, which is a sum of all matches for compliance with rules that have been built into the system as well as any custom rules you’d like to add.
Watch this video, Strengthen Your GDPR Compliance with Absolute for a quick overview of how Absolute helps you identify EU-specific PII data residing on all of your endpoint devices, and the importance of having the ability to take immediate action to remotely remediate the risk.

What is HIPAA Compliance and Why is it Important to Healthcare Security?

If you are involved with the healthcare industry, you’ve probably heard of HIPAA, the Health Insurance Portability and Accountability Act. Regulations and best practices surrounding HIPAA can be confusing, but it’s critical that anyone connected to the healthcare industry understand at least the basics.
So we’re here to break things down for you.
First, and perhaps most important, is to answer one of the most commonly asked questions:
What is HIPAA compliance?
HIPAA Compliance Definition
Through ongoing regulations, HIPAA compliance is a living entity that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information. HIPAA compliance requirements are discussed near the end of this post.
Before we continue, three more acronyms need to be highlighted which figure prominently in the definition:

PHI = Protected Health Information
HHS = Department of Health and Human Services
OCR = Office for Civil Rights

HIPAA’s regulatory standards were created to establish the legal use and disclosure of protected health information (PHI). The Department of Health and Human Services (HHS) regulates compliance, and the Office for Civil Rights (OCR) enforces compliance.
The OCR also provides ongoing guidance on developments affecting health care and is responsible for investigating HIPAA violations.
Need a HIPAA compliance checklist? Absolute’s got you covered! 
Decoding PHI
While HHS and OCR are self-explanatory, PHI requires further explanation.
Protected Health Information (PHI) is the combination of one’s identifying information (such as your name or address) and any health-related data collected from a healthcare practitioner or facility, such as your medical record, any conversations with providers, or billing/insurance information.
PHI is anything that contains both your Personally Identifiable Information (PII) and your health information.
For example, if we know that Sheldon Cooper is diagnosed with obsessive-compulsive disorder, that’s PHI. Why? Because it contains PII — Sheldon Cooper, and also health information — obsessive-compulsive disorder. Sheldon’s PHI would, therefore, be protected by HIPAA.
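As an added example (not Absolute’s product code), the following Python models the endpoint PII crawler and aggregate match score described in the earlier posts and applies the PHI rule above: a file is flagged as PHI only when an identifier and health information appear together. Rule names, weights, file paths and file contents are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A named detector: a compiled regex plus a weight used for scoring."""
    name: str
    pattern: re.Pattern
    weight: int = 1


# Hypothetical built-in rules; weights reflect how sensitive a hit is.
BUILTIN_RULES = (
    Rule("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), 1),
    Rule("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3),
    # IBAN: 2-letter country code, 2 check digits, 11-30 alphanumerics (no spaces).
    Rule("iban", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), 2),
)

# A custom rule an operator might add (hypothetical medical record number format).
CUSTOM_RULES = BUILTIN_RULES + (Rule("mrn", re.compile(r"\bMRN-\d{6}\b"), 3),)

# Health-context terms: PHI = PII + health information in the same file.
HEALTH_TERMS = re.compile(
    r"\b(?:diagnos\w*|disorder|prescription|patient\w*|treatment)\b", re.IGNORECASE
)


def scan_text(text, rules):
    """Return {rule_name: hit_count} for every rule that matches at least once."""
    counts = {}
    for rule in rules:
        hits = rule.pattern.findall(text)
        if hits:
            counts[rule.name] = len(hits)
    return counts


def match_score(counts, rules):
    """Aggregate match score: sum of hits * weight over the rules that fired."""
    weights = {rule.name: rule.weight for rule in rules}
    return sum(weights[name] * n for name, n in counts.items())


def classify(text, counts):
    """'phi' if identifiers co-occur with health terms, 'pii' if identifiers only, else 'clean'."""
    if not counts:
        return "clean"
    return "phi" if HEALTH_TERMS.search(text) else "pii"


def scan_files(files, rules=BUILTIN_RULES):
    """Scan {path: text}; return per-file findings, highest score first."""
    findings = []
    for path, text in files.items():
        counts = scan_text(text, rules)
        findings.append({
            "path": path,
            "hits": counts,
            "score": match_score(counts, rules),
            "class": classify(text, counts),
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def device_report(device_id, username, files, rules=BUILTIN_RULES):
    """Roll findings up per device and user, as a compliance report would list them."""
    findings = scan_files(files, rules)
    return {
        "device_id": device_id,
        "username": username,
        "aggregate_score": sum(f["score"] for f in findings),
        "files_with_pii": [f["path"] for f in findings if f["score"] > 0],
        "findings": findings,
    }


# Constructed sample endpoint contents: fake identifiers, not real records.
SAMPLE_FILES = {
    "C:/Users/alice/Desktop/patients.csv": (
        "name,mrn,email,ssn,diagnosis\n"
        "Sheldon Cooper,MRN-004211,sheldon@example.com,123-45-6789,"
        "obsessive-compulsive disorder\n"
    ),
    "C:/Users/alice/Documents/invoice.txt": "Pay to IBAN DE89370400440532013000 by Friday.",
    "C:/Users/alice/Documents/todo.txt": "Lunch at noon. Call the vendor back.",
}


if __name__ == "__main__":
    report = device_report("DEV-0001", "alice", SAMPLE_FILES, CUSTOM_RULES)
    print(f"{report['device_id']} / {report['username']}: score {report['aggregate_score']}")
    for f in report["findings"]:
        print(f"  {f['score']:>3}  {f['class']:<5}  {f['path']}  {f['hits']}")
```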
One more definition: ePHI, electronic protected health information, is when PHI is transmitted, stored, or accessed electronically. ePHI falls under the HIPAA Security Rule, a HIPAA regulation addendum which came into effect to address the rapid changes in medical technology and how health records are stored.
Why HIPAA is Important
There are countless reasons why HIPAA is important, but the key takeaways are these: it aims to ensure privacy and confidentiality; it allows patients access to their healthcare data; and also reduces fraudulent activity and improves data systems. It all boils down to data security.
For healthcare organizations, HIPAA provides a framework that safeguards who has access to and who can view specific health data while restricting with whom that information can be shared. Any organization dealing with PHI must also have physical, network, and process security measures in place to be compliant.
Even subcontractors and any other related business associates must be compliant.
HIPAA is there to protect individuals and to ensure everyone has full access to a copy of their personal medical records. It is ultimately a civil rights issue. It mandates data protection for anyone who creates, stores, transmits or uses individually identifiable health information.
All healthcare entities and companies which handle, store, maintain, or transmit patient health information are expected to be in complete compliance with the regulations of the HIPAA law.
By adhering to HIPAA laws, providers can save millions of dollars annually just by properly managing security risks.
David Harlow, an attorney and consultant specializing in healthcare data and digital health matters, states that HIPAA should be seen as the minimum standard regarding privacy and security standards and protections. “Simply complying with HIPAA is not enough,” he said. “There are more stringent state laws (which vary, state to state) and some industry best practices which are more protective of patient data.”
What Are HIPAA Guidelines?
With HIPAA, there’s a lot of information to digest when it comes to the guidelines providers must follow to be compliant. What’s most important — and what we will be focusing on — is to clarify what HIPAA violations are, as well as to define what it means to be HIPAA compliant.
For specific guidelines, we recommend the official HIPAA site — a useful resource from the U.S. Department of Health & Human Services.
HIPAA Violations
A HIPAA violation occurs when a failure in an organization’s compliance program (a missing or unimplemented safeguard, or a breach of an existing policy) compromises the confidentiality, integrity or availability of PHI or ePHI.
It’s important to note that data breaches are not the same as HIPAA violations. A data breach can also be a HIPAA violation, but only when that breach is caused by a breakdown in the HIPAA compliance program or by a specific violation of an organization’s HIPAA policies.
For example, a data breach occurs if a laptop belonging to one of an organization’s doctors is stolen and that laptop holds unencrypted medical records, or stored credentials that give unencrypted access to them. If the organization had no policy governing whether such laptops could be taken offsite, or had one and did not enforce it, the theft would also be a HIPAA violation.
According to Harlow, publisher of HealthBlawg, enforcement of violations is likely limited mostly to cases in which there has been a data breach. In his definition, a data breach is when PHI is released to or obtained by a third party without the patient’s authorization, other than for purposes of treatment, payment or healthcare operations.
“We can learn from cases where the OCR has entered into settlement agreements with Covered Entities (practitioners) or Business Associates (third parties) that have experienced data breaches,” he said. “The settlement agreements are made public, together with case summaries. From my perspective, it is critical that the regulated community understand and appreciate that the weakest link is often the human link.”
One data breach we can all learn from is the Anthem Insurance Company hack, which relied on an unsuspecting employee clicking on a link in a phishing email.
“Staff must be trained and tested, and systems and failsafes must be put into place,” said Harlow. “Hundreds of millions of dollars of remediation costs, class action settlement payments and fines were paid out by Anthem as a result of that click.”
He advises that the government does not discriminate when enforcing the rules: it will fine small entities as well as large companies. Perhaps not in millions of dollars, but significant sums nonetheless.
To further break down the takeaways from healthcare security breaches, you’ll find some great lessons here from Josh Mayfield, Absolute’s Director of Security Strategy.
Finally, it’s critical to point out that if you’ve been breached, you must report the breach within the Breach Notification Rule’s deadline: without unreasonable delay, and no later than 60 calendar days after the breach is discovered. In 2017, OCR reached its first HIPAA settlement for a violation of the Breach Notification Rule, levying a $475,000 fine against Presence Health for failing to notify on time.
Common HIPAA violations include:

Stolen smartphones, laptops or USB devices
Cyber hack or attack, including malware incidents and ransomware attacks
Business associate breach
Electronic health record (EHR) breach
Office break-in
Sending PHI to the wrong patient/contact
Discussing PHI outside of the office
Social media posts

HIPAA Compliance Requirements
This compliance list represents a baseline for processes that businesses should be following:

Self-Audits
Remediation Plans
Policies, Procedures, Employee Training
Documentation
Business Associate Management
Incident Management

While all of these are important, Harlow recommends focusing on the need to address the privacy and security of PHI holistically, through continuous review and improvement of systems, policies and procedures, training and implementation.
“This is not a ‘set it and forget it’ sort of compliance exercise,” he said. “I would also emphasize that the HIPAA rules are written as flexible standards that are to be implemented based on the size and nature of the covered entity or business associate.” For instance, Amazon’s compliance program for its HIPAA-compliant cloud services will not be the same as the compliance program implemented by a multi-specialty physician practice.
At the end of the day, complying with HIPAA regulations may seem tedious, but in today’s threat landscape we all need to practice proper security hygiene anyway to protect ourselves.
The ramifications of not doing so are too severe to ignore.
We’ve covered plenty of ground, but to learn even more about achieving HIPAA compliance and how Absolute can help your business, download our white paper here.

HIPAA Compliance Checklist for 2019

HIPAA was adopted in 1996 and since then, Covered Entities (CEs) have been required to protect individuals’ personal health information or face hefty fines for non-compliance. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA, and the fines it has issued have grown sharply in recent years.
Anthem, one of the nation’s largest health benefits companies, paid a record $16 million in 2018 for a data breach that exposed the electronic protected health information (ePHI) of 79 million individuals. The next largest settlement was $5.5 million paid by Memorial Healthcare Systems in 2017 for the inappropriate access of PHI of 115,143 individuals.
With increasingly severe HIPAA non-compliance fines on the line, healthcare organizations must exercise extreme diligence in the protection of PHI. But it isn’t an easy task. Compliance requires that CEs adhere to two primary rules: the HIPAA Privacy Rule, which defines which information is protected and how it may be used and disclosed, and the HIPAA Security Rule, which establishes how the electronic form of that data is protected. (The Breach Notification Rule, discussed above, sets out what must happen when that protection fails.)
The Privacy Rule defines individually identifiable health information as information, including demographic data, that identifies the individual (or could reasonably be used to identify them) and relates to:

an individual’s past, present, or future physical or mental health or condition
the provision of healthcare to the individual
the past, present, or future payments for the provision of healthcare to the individual

The Security Rule outlines three categories of safeguards – administrative safeguards, physical safeguards and technical safeguards – to help you ensure data is protected and standards are followed accordingly.
Achieving and maintaining HIPAA compliance requires both thoughtful security and ongoing initiative. While there is some irony in providing a compliance checklist when we often hear ‘compliance is much more than checking a box,’ there are program elements that can – and should – be checked off. When marked complete, your level of confidence in your organization’s HIPAA adherence will increase.

The below 7 areas have been excerpted from the OCR’s recommended essential elements of an effective HIPAA compliance program.
Complete the following assessments / audits and be able to provide all appropriate documentation that they have been conducted for the past 6 years.
[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] HITECH Subtitle D Audit
[ ] Security Standards Audit
[ ] Asset and Device Audit
[ ] Physical Site Audit
Educate staff.
[ ] Have all staff members undergone annual HIPAA training, and do you have documentation to prove that they have completed annual training?
[ ] Is there a staff member designated as the HIPAA compliance, privacy and/or security officer?
[ ] Have all staff members received security awareness training and do you have documentation to prove they have completed it?
[ ] Do you provide periodic reminders to reinforce security awareness training?
Conduct risk analyses to assess whether encryption of electronic protected health information (ePHI) is appropriate and provide documentation on the decision-making process.
[ ] If encryption is not appropriate, have you implemented alternative and equivalent measures to ensure the confidentiality, integrity, and availability of ePHI?
[ ] Have you implemented controls to guard against unauthorized accessing of ePHI during electronic transmission?
Implement identity management and access controls.
[ ] Have you assigned unique usernames/numbers to all individuals who require access to ePHI?
[ ] Is access to ePHI restricted to individuals that require access to perform essential work duties?
[ ] Have you implemented policies and procedures for assessing whether employees’ access to ePHI is appropriate?
[ ] Have you developed policies and procedures for terminating access to ePHI and recovering all electronic devices when an employee leaves an organization or their role changes?
[ ] Does your system automatically logout a user after a period of inactivity?
Create and monitor ePHI access logs.
[ ] Routinely monitor logs to identify unauthorized accessing of ePHI.
[ ] Implement controls to ensure ePHI may not be altered or destroyed in an unauthorized manner.
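The identity, access-control and log-monitoring items above describe controls but not how to check them. The following is an added example, not code from the original page or from Absolute: a small Python audit that runs over a constructed EHR access log and flags accesses by disabled accounts, actions a role is not permitted to take, and clinician access to patients outside their care team, with break-glass accesses routed to review rather than silently allowed. The log format, the user and role tables, and the care-team table are all assumptions made up for the example; in practice they would come from the EHR’s audit trail, the identity provider and the scheduling system.

```python
"""Audit ePHI access logs against identity, role and treatment-relationship data.

Added example, not code from the original page or from Absolute. Every table
below is constructed for illustration: in a real deployment the log would come
from the EHR's audit trail, the user table from the identity provider, and the
care-team table from scheduling or admissions.
"""
import csv
import io
from datetime import datetime

# Constructed EHR audit log (CSV with header). break_glass marks an access the
# user explicitly justified as an emergency override.
SAMPLE_LOG = """\
timestamp,user_id,patient_id,action,break_glass
2019-01-14T09:02:11,dr_patel,P1001,view,false
2019-01-14T09:05:40,dr_patel,P2002,view,false
2019-01-14T11:17:03,nurse_lee,P1001,view,false
2019-01-14T12:30:55,nurse_lee,P3003,view,true
2019-01-14T13:45:19,billing_cho,P1001,export,false
2019-01-15T08:00:02,dr_ruiz,P2002,view,false
"""

# Constructed identity data: role per user and the date the account was
# disabled (None for active accounts). dr_ruiz left on 2019-01-10.
USERS = {
    "dr_patel":    {"role": "clinician", "disabled_on": None},
    "nurse_lee":   {"role": "clinician", "disabled_on": None},
    "billing_cho": {"role": "billing",   "disabled_on": None},
    "dr_ruiz":     {"role": "clinician", "disabled_on": "2019-01-10"},
}

# Constructed minimum-necessary policy: actions each role may perform on ePHI.
ROLE_ACTIONS = {
    "clinician": {"view", "update"},
    "billing":   {"view_billing"},
}

# Roles whose access must be backed by a treatment relationship.
CLINICAL_ROLES = {"clinician"}

# Constructed care teams: which users have a treatment relationship with
# each patient.
CARE_TEAM = {
    "P1001": {"dr_patel", "nurse_lee"},
    "P2002": {"dr_patel"},
    "P3003": {"dr_ruiz"},
}


def audit_access_log(log_text, users=USERS, role_actions=ROLE_ACTIONS,
                     care_team=CARE_TEAM, clinical_roles=CLINICAL_ROLES):
    """Return (timestamp, user_id, patient_id, finding) tuples for each access
    that needs follow-up. One log row can produce more than one finding."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, uid, pid, action = (row["timestamp"], row["user_id"],
                                row["patient_id"], row["action"])
        user = users.get(uid)
        # Accounts the identity provider does not know about are not
        # evaluated further; the access itself is the finding.
        if user is None:
            findings.append((ts, uid, pid, "unknown-account"))
            continue
        # Access on or after the account's disable date means termination
        # did not propagate to the EHR.
        if user["disabled_on"]:
            access_day = datetime.fromisoformat(ts).date()
            disabled_day = datetime.fromisoformat(user["disabled_on"]).date()
            if access_day >= disabled_day:
                findings.append((ts, uid, pid, "disabled-account"))
                continue
        # Minimum necessary: the role must be allowed to perform the action.
        if action not in role_actions.get(user["role"], set()):
            findings.append((ts, uid, pid, "action-not-permitted"))
        # Clinicians must be on the patient's care team; break-glass access
        # is allowed but queued for review of the stated justification.
        if user["role"] in clinical_roles and uid not in care_team.get(pid, set()):
            if row["break_glass"].lower() == "true":
                findings.append((ts, uid, pid, "break-glass-review"))
            else:
                findings.append((ts, uid, pid, "no-treatment-relationship"))
    return findings


if __name__ == "__main__":
    for finding in audit_access_log(SAMPLE_LOG):
        print(*finding)
```

Running it prints three findings for the sample log: a break-glass access for review, an export by a billing account whose role does not permit it, and a view by an account that should have been disabled days earlier (the checklist’s item on terminating access when an employee leaves). The rules are deliberately simple; the point is that each rule corresponds to one checklist item and leaves a record you can hand to an auditor.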
Develop policies and procedures for the secure disposal of PHI.
[ ] Develop policies and procedures for rendering PHI unreadable, indecipherable and incapable of being reconstructed.
[ ] Develop policies and procedures for permanently erasing ePHI on electronic devices when they are no longer required.
[ ] Ensure all devices that store PHI are stored securely until they are disposed of in a secure fashion.
Define a clear process for security incidents and data breaches.
[ ] Ensure you have the ability to track and manage all incident investigations.
[ ] Be able to provide the required reporting for breaches of any size. Under the Breach Notification Rule, affected individuals are notified without unreasonable delay and no later than 60 days after discovery; breaches affecting fewer than 500 individuals are logged and reported to HHS annually, while those affecting 500 or more are reported to HHS within the same 60-day window and, where the affected individuals are concentrated in one state or jurisdiction, to prominent media outlets serving it as well.
[ ] Implement a procedure by which employees may anonymously report a privacy/security incident or potential HIPAA violation.
Successfully completing this checklist does not guarantee your organization is HIPAA compliant – nor does it ensure that your organization will avoid potential data breaches. However, it will get you off to a very good start. For more information on implementing a successful program, download our whitepaper: Achieving HIPAA Compliance: Your Guide to Avoiding HIPAA and HITECH Penalties. 

How to Regain Trust After a Data Breach

Data breaches come with a hefty price tag – from IT costs to notification expenses, insurance premiums and operational down time, organizations are very often faced with a financial crisis that can take years to overcome. Shaken consumer confidence only amplifies the hurt.
When Equifax announced that they had suffered a data breach in 2017 (along with the fact that the personal information of more than 147 million customers had been compromised) the public was rightfully enraged. They had trusted the consumer credit agency to protect their data and it was shocking to see a well-known enterprise fail – and on such a massive scale.
Immediately following the incident, a YouGov survey showed that Equifax’s public perception took a serious hit, not to mention an 18% loss in stock price. At the time, the company’s Buzz Metric fell to negative 34 – meaning most people had only heard adverse things about the company.
According to some reports, the fallout was so bad, it even negatively affected the perceptions of other credit rating agencies such as Experian and TransUnion despite the fact they were never breached. As a result of a growing trend around mega breaches like Equifax, Moody’s announced a new rating to evaluate the cyber risk of a company.
Timely Communication
Over the last year, Equifax has worked to regain the trust of the American people and their efforts are starting to pay off. Last month, Equifax’s public opinion metric was around negative 2 – about where it was pre-breach. How did they orchestrate such a turnaround despite some very public pitfalls along the way? Good, timely communication.
Immediately following the breach news, Equifax CEO Richard Smith issued an official apology and then stepped down. The new, interim CEO then made a series of additional apologies and introduced a free, self-service portal that gives customers more control over their own data, though that too has had its own set of issues that the company has also had to remediate. With last week’s House Oversight Committee report that called the Equifax breach ‘preventable,’ the company’s leadership team again has more damage control to do.
From Home Depot to Nordstrom and countless other data breaches, post mortems often show quick, transparent communication is a key ingredient in maintaining credibility and rebuilding trust in the eyes of stakeholders.

Data Breach Prevention
For Equifax and other companies who must deal with the fallout of a data breach, the NIST Cybersecurity Framework can be a guide to response best practices. It was designed to safeguard organizations and the data they hold with 5 pillars: identify, protect, detect, respond and recover. The fourth, Respond, breaks the work into five categories (response planning, communications, analysis, mitigation and improvements); the three that matter most for an effective data breach response are:

Response planning
Communication
Analysis

While recovering from a data breach can mean months – sometimes years – worth of work, responding with clear communication, an incident response plan and post event analysis can help an organization get back to business.
For more on how to use the fourth pillar, Respond, watch this video below. And you while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:
Hi! Josh here from Absolute. Today’s video is all about the Respond pillar of the NIST Cybersecurity Framework.
Think of the term ‘efficient’ as doing things right, while ‘effective’ should be thought of as doing the right things. We need both. And nestled inside this section are focus areas for improving effectiveness and efficiency.
It starts with Response Planning.
I know, I know. The famous quote from Mike Tyson: “Everyone has a plan until they get punched in the face”. But when you think about it, even world champion boxers will train, simulate, and spar to plan for what happens after the punch.
A good place to start your response planning is to return to the five questions: What could happen? What should happen? What would happen? What is happening? What did happen? Each of these questions demands answers; and those answers become the foundation of the response plan.
Next is Communication.
Marketing and advertising teams will often lean on ‘style guides’ to have consistent tone, voice, and terminology for any outbound communications.
It was only when I saw this same style implemented by IT and security teams that I realized good ideas are not imprisoned in the place of birth.
Then comes Analysis. A detailed examination of something, leading to interpretation and sharing. That’s the definition of analysis. We’ll talk more about root causes and forensics in the next episode. For now, to win at the NIST framework and respond effectively, we need to direct analysis toward recovery. Which is the effect we’re going for in the first place, so… effectiveness.
This helps to prevent the incident from expanding, and to mitigate its effects. Because if we analyze where something is, and where it is going, we can stop it dead in its tracks.
Finally… NIST calls for us to eradicate the incident, returning resources to a state of cyber hygiene.
These are just some of NIST’s timely advisories to level-up incident response. When you plan, communicate, analyze, and mitigate you naturally improve, in both, effectiveness and efficiency.
Happy holidays everyone. We’ll see you again after the calendar rolls over into 2019 where we will wrap up with the final pillar of NIST.

How to Evade the Real Holiday Grinch

If the holidays have you busy running from one commitment to another, you’re not alone. Dashing out of a year-end budget meeting to your kid’s school production and then back for a departmental holiday party is a painfully common schedule for many right now. While it can be exhausting, the holiday season only comes once a year, so why would you miss any of these get-togethers or unique opportunities?
The same can be said for cyber criminals.
This time of year is busy for them too because, for cyber thieves, it’s also all about opportunities. But rather than looking for chances to fill your holiday with joy, they come to swindle and steal your data while you aren’t looking.
If you’re thinking this sounds like a familiar storyline, you’re right. It’s like the Grinch who silently sneaks into Whoville to swipe everything he can before escaping back onto his mountaintop.
The biggest celebration of the year for the Whos of Whoville presents the perfect opportunity for the holiday-hating Grinch to strike. While everyone is asleep, he has the chance to quietly take everything because, as the story goes, his heart is two sizes too small. Without passing judgement on the capacity for compassion of cyber criminals, we do know their pilfering is for profit. Stealing your data is their money-making venture and they always have their eyes open for an easy score.
So, what can you do to evade these Grinch-like advances?
Most threats can be prevented by closing the opportunity gap. An important component of effective risk mitigation includes reducing the probability of their success. In other words: make it harder for them so they move on to the next Whoville. To do this, I’m not suggesting you cancel your holiday but rather make it incrementally harder for them to get in.
This is where the NIST Cybersecurity Framework (NIST CSF) can help you. Using five primary pillars, NIST CSF outlines a series of best practices to guide you in making it harder for cyber crooks to break in. After the first two pillars, Identify and Protect, the third pillar, Detect, lays out three categories for detecting a possible breach so that you can shut it down quickly:

Anomalies and events: what are you hunting for
Security continuous monitoring: when you hunt for it
Detection processes: how you hunt

If you are looking for more information on how NIST CSF can help your organization avoid Grinch-like opportunity seekers, we created a series of short videos on the framework and other essential cybersecurity tips. For more on how to detect a breach, watch this video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

NIST Cybersecurity Framework

Video transcript:
Hey! Josh here from Absolute.
We’re going to continue looking at the NIST cybersecurity framework, with special attention on the third pillar, “Detect”.
The real world doesn’t seem all that interested in your cyber resilience. There are new threats, exposures, vulnerabilities, and blunders that can wreck the show. But, here, we can lean on the techniques of the NIST CSF.
Let’s start with strange things happening. By definition an anomaly is simply anything that deviates from the standard, the norm, or the expected.
Imagine you have an endpoint running a PHP process with a connection to an IP address in another country:
– Is it anomalous?
– Well… Do we have a baseline?
– What’s the endpoint’s hygiene status?
– Who is using it?
– Where is the device physically located?
– What were the activities this time last week, last month, last year, or any time period?
Well… we have built the foundation with the first two pillars (Identify and Protect) so we can see when things start to fall outside of our expectations.
Within the “Detect” pillar, we can see how anomalies are the ‘what’ we need to detect, and continuous monitoring is ‘when’ we need to detect.
Spoiler alert: always be watching.
Start with a digital tether to your endpoints: a firmware-based module with a persistent connection that never loses its grip on any device, which allows you to keep a recursive index, updating your asset intelligence with new inputs from the real world.
Then, use Attack Simulation to play ‘what-if’ scenarios based on hygiene profiles and shifting circumstances, to adapt before disaster strikes. The ‘Detect’ pillar of NIST is a crucial discipline that forces us to be honest about our base rate (to determine if something even is an anomaly) and extends visibility in time and in space across the attack surface to rapidly discover trouble and capture every last shard of the environment.
In our next episode we’ll go deeper into the NIST CSF for a more effective incident response.
Be sure to subscribe, you won’t want to miss it.
See you then!
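The transcript’s question about a PHP process talking to an IP address in another country comes down to whether a baseline exists to compare against. As an added example (not code from the original page or from Absolute), the following Python builds that baseline per endpoint from a constructed history of outbound connections, then scores new connections against it and against what the rest of the fleet does. The event format and the endpoint names are assumptions made up for the example, and the destination country is assumed to have been resolved earlier in the monitoring pipeline; no geolocation lookup is performed here.

```python
"""Score outbound connections against a per-endpoint baseline.

Added example for the 'Detect' discussion; not code from the original page or
from Absolute. Events are constructed, and the destination country is assumed
to have been resolved earlier in the pipeline (no geolocation lookup here).
"""
from collections import defaultdict

# Constructed history of outbound connections, one tuple per observed
# (endpoint, process, destination country) during the baseline window.
BASELINE_EVENTS = [
    ("laptop-07", "chrome.exe", "US"),
    ("laptop-07", "outlook.exe", "US"),
    ("laptop-07", "teams.exe", "IE"),
    ("laptop-12", "chrome.exe", "US"),
    ("laptop-12", "outlook.exe", "US"),
    ("laptop-12", "php.exe", "RO"),
    ("laptop-15", "chrome.exe", "US"),
    ("laptop-15", "teams.exe", "IE"),
    ("web-01", "php-fpm", "US"),
    ("web-01", "php-fpm", "DE"),
    ("web-02", "php-fpm", "US"),
    ("web-02", "php-fpm", "DE"),
]

# Constructed new observations to score against that baseline.
NEW_EVENTS = [
    ("laptop-07", "chrome.exe", "US"),   # routine
    ("laptop-15", "outlook.exe", "US"),  # new here, common elsewhere
    ("laptop-07", "php.exe", "RO"),      # new process, rare destination
    ("web-01", "php-fpm", "RO"),         # known process, new destination
    ("web-03", "php-fpm", "DE"),         # endpoint with no history
]


def build_baseline(events):
    """Return (per_host, fleet): the (process, country) pairs seen on each
    endpoint, and the set of endpoints on which each pair has been seen."""
    per_host = defaultdict(set)
    fleet = defaultdict(set)
    for host, proc, country in events:
        per_host[host].add((proc, country))
        fleet[(proc, country)].add(host)
    return dict(per_host), dict(fleet)


def score_event(per_host, fleet, event, min_fleet_hosts=2):
    """Return (severity, label) for one observation.

    The ordering matters: an endpoint we have never baselined is reported as
    such rather than as an anomaly, because there is nothing to deviate from.
    A pair new to this host but already seen on min_fleet_hosts other hosts
    is probably a rollout, not an intrusion, so it scores low.
    """
    host, proc, country = event
    if host not in per_host:
        return ("low", "no-baseline")
    known = per_host[host]
    if (proc, country) in known:
        return ("info", "known")
    other_hosts = fleet.get((proc, country), set()) - {host}
    if len(other_hosts) >= min_fleet_hosts:
        return ("low", "new-for-host-common-in-fleet")
    if any(p == proc for p, _ in known):
        return ("high", "known-process-new-country")
    return ("high", "new-process-and-country")


def score_events(per_host, fleet, events, min_fleet_hosts=2):
    """Score a batch of observations; returns (event, severity, label) tuples."""
    return [(event, *score_event(per_host, fleet, event, min_fleet_hosts))
            for event in events]


if __name__ == "__main__":
    per_host, fleet = build_baseline(BASELINE_EVENTS)
    for event, severity, label in score_events(per_host, fleet, NEW_EVENTS):
        print(f"{severity:5} {label:30} {event}")
```

A pair that is new for one host but common across the fleet (a newly installed mail client, say) scores low, while a process the host has never run reaching a country nobody else in the fleet talks to scores high. An endpoint with no history at all is reported as having no baseline rather than as an anomaly, which is the honest answer to the transcript’s “Do we have a baseline?”; the fix there is inventory and monitoring, not an alert.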
