ISACA recently conducted a survey of over 900 security experts around the globe to get their opinions on the risks of mobile payment systems. While most of the data won’t surprise you, the number of security experts using mobile payments, even though they are aware of the risks, might. Is the level of convenience enough to overlook the security risk? Read on and decide for yourself.
It seems like we have barely gone a week in the past year without waking up to another story on a healthcare breach and another million medical records exposed. This week it was 1.5 million Americans whose records were posted to Amazon's cloud services. Earlier this year, it was UCLA Medical, Anthem, Summit; the list goes on.
Did you know that 34% of the total breaches in the U.S. this year came from healthcare? Or that over 84 million records have been compromised to date? The number one cause of these attacks is malicious outsiders who worm their way into your system, not by crashing through the front gate, but by carefully making their way through your system and extracting data slowly enough not to be noticed until it is too late.
So how do you stop them? With phishing, spear-phishing, malware, and the increasing number of stolen user credentials, it has become almost impossible to keep them from getting in; how do you notice them before they extract your valuable data? The answer is easy: continuous and proactive monitoring.
The days of having only five people accessing your system are over. With the rise of electronic health records and integrated health systems, your patient records are being accessed by more users than ever. It is impossible for one person, or even one team, to monitor everything that these users are doing, and that is what the hackers are counting on. They are looking for ways to enter your system quietly — typically through stolen user credentials — and do their best to act like any other user while extracting small enough amounts of data to stay under the radar.
Sounds crazy, right? How wouldn't you notice if Bob from accounting was downloading too many patient financials? It is his job after all. However, it isn't Bob. It is a hacker using a spear-phishing attack who has been in your system for 13 months. Still sound crazy? That’s what the OPM office thought, too, before they realized that a hacker had been siphoning off their records for 18 months before they noticed and even longer before they could put a stop to it.
It sounds scary; and it is. However, by integrating intelligent real-time monitoring and analytics into your IAM system, you can watch over your entire system for things such as orphaned accounts, excessive use, or segregation of duties violations. By proactively monitoring your system, you can be alerted when something is out of the norm.
Risk changes just as constantly as your users and their access rights. Not only will a proactive, risk-aware IAM system catch immediate threats to your system, but it will improve ongoing provisioning and governance of user access, which will help keep your user credentials safe. With predictive analytics applied to the data across your organization, data is synthesized and risk is calculated in real time from the probability of an event occurring, alerting you before the damage is done.
There is no silver bullet when it comes to keeping your network safe. Hackers are getting smarter and organizations have to be able to adapt and remain vigilant when it comes to protecting our data. By using an intelligent IAM solution to continuously monitor your data, you can take some of the guesswork out of what is going on in your system by applying analytics and historical data. This way you can find vulnerabilities before they turn into a breach and prevent your organization’s name from being front page in tomorrow's news.
For more information on how intelligence can improve your security, download our eBook or contact us at email@example.com.
Did you see the news this week? Another data breach and another group of patients’ healthcare records are out in the open and being manipulated by hackers. It seems as if these stories happen so often now that we hardly even stop to think what they really mean. Do you know the real cost of a data breach to your organization?
Data breaches happen every day. However, sometimes it takes cases like Ashley Madison or the OPM hack to get people talking about cybersecurity and what they can do to keep this from happening to them.
According to the Ponemon Institute, the average cost of a breached record rose 23% last year to an average of $154 per record. The number for healthcare is even higher at $398 while transportation records are a mere $66. While those numbers might not seem so bad to an SMB, the Office of Personnel Management (OPM) hack had 21.5 million records leaked. Ashley Madison doubled that with over 40 million records that are now on the auction block for hackers all over the world.
So what is there to learn here? (Other than maybe don't use the internet to try and cheat on your spouse.) Here are the top things we learned from these businesses' critical mistakes:
1. Beware of 'Hacktivism'
While most hackers are just out for information, regardless of the reasoning, the growth of 'Hacktivism' is something you need to pay attention to. Healthcare can get into some ethically gray areas. Some companies test on animals. If you have a group that has targeted you in the past, hacking may be its next approach.
2. Know Your Vulnerabilities
Sit back and think about your data flow. How it gets from one location to another. Where it is stored in the interim. Where it goes when you no longer need it. Now, where are the vulnerabilities in that system? This is one of the easiest ways to spot areas for improvement. If you know your weaknesses then you can put a plan in place to fix them. (Need more help on this? Sign up for a Courion Quick Scan and see where your risks lie)
3. Institute an Email Policy
The number of members in the Ashley Madison database that used company email addresses is enough to give your HR department a heart attack. The number of military addresses alone reached into the millions. Not only does this hurt your brand image, it could also hurt your bottom line. If an employee uses a corporate email and/or password then the hackers have it, too. That is millions of corporations that are now vulnerable. Institute a policy for email so that employees' personal business stays that way.
4. You Aren't the Only Ones at Risk
Yes, Ashley Madison's name is in the news and its brand and bottom line have both taken a beating. However, now their customers are at risk of ID theft and extortion (not to mention the possible divorce settlements). While your company is going to be your number one concern, remember that your customers are also at risk.
5. Public and Private Sector are Both Targets
Ashley Madison was a private company. The OPM is a government entity. Home Depot is publicly traded. None of that mattered when it came to their information being breached. No matter if you are public, private, small, medium, or large, your data is valuable and people are coming for it.
6. Implement a Governance Policy
Do you know how long it takes for an ex-employee (or non-employee) to be de-provisioned from your network? For some it can take a week; for others it gets overlooked and never happens. Allegedly, this is what happened in the Ashley Madison attack. An old contractor was able to get back into the system and effortlessly steal all of their data. With a governance solution you can search for unused, orphaned, or abandoned accounts to make sure only the right people have access to your network.
7. Encrypt Your Data
Didn't we learn this by passing notes in middle school? When you have something you want kept secret you use code words. While I hope your encryption formulas are more complex than my middle school days, the point is you need to always encrypt your data and add another layer of protection. Speaking of data, store less of it. Ask yourself if all of the data you are collecting is actually needed or if it's "just in case". The less data you have, the less you can lose.
8. Secure Your Passwords
I was embarrassed to learn the number of people in the Ashley Madison hack who had the password "Password" or "123456". Were they asking to be hacked? Did they want someone to find them? That may be a question better suited for their shrink but when it comes to my personal data I want something unbreakable. Make sure you are securing your passwords by changing them regularly, not sharing them with anyone, and, where available, using multi-factor authentication to keep your data secure.
With the rising use of mobile devices, EHR solutions, BYOD policies, and the amount of shared and saved data comes rising HIPAA compliance risk. While this can seem like an insurmountable task, you don't have to try and tackle everything at once! We've broken the process down to 3 easy, repeatable steps to make your organization HIPAA compliant.
1. Perform a Risk Analysis
How do you secure your devices? What are the processes for PHI handoff? What are your password rules? To perform a risk analysis, you not only need the answers to these questions, you need to know your data flow. Knowing where your PHI enters, resides, and exits your environment will help you to know where your vulnerabilities are. Make sure that you look at all of your devices, servers, and applications so that you understand how each of these works and, more importantly, where it does not.
There are plenty of options for finding vulnerabilities, from vulnerability scans to penetration tests. Here at Courion, we have our very own Quick Scan process to help find your weaknesses and create plans to help fix them.
Once you see all of your vulnerabilities, analyze the HIPAA risk level and potential impact to your organization by asking:
Then assign each vulnerability a high, medium, or low risk value based on your findings so that you have an understanding of which risks to tackle first.
2. Create a Risk Management Plan
Your risk plan can be as simple or as detailed as you want to make it. However, remember that being able to show HIPAA extensive documentation of intent to mitigate risk will go a long way in your quest for compliance.
An easy way to do this is to answer the following four questions:
Remember you need to have a plan in place for the risks to the system and for each of your employee types that use the system.
Employees: Focus on training and education around security practices and HIPAA compliance. Put blockers in place to help stop breaches before they start. Teach the importance of HIPAA compliant passwords.
Business Administration: Anyone who touches your data should follow your rules. Whether this is a medical device repairman or a contractor, they should be held accountable for their involvement in your data.
IT Department: IT doesn't always mean security. Make sure that your IT team is constantly updating your software and applications so that you have the most up to date security features.
3. Implement Your Plan
Once you see all of your vulnerabilities laid out with their management plans, you will quickly see which of these are top priorities. Make a plan to take care of the biggest risks first and then start over. Keep identifying the top risks in your organization and working on implementing security fixes.
What's next? Rinse and repeat. While this is only a three-step system, it will still take you time to dig through your systems, solutions, and data to find where your greatest risks lie, and even more time to find and implement the security fix. However, with an IAM solution you could automate much of this process. An IAM solution will continuously monitor your system and alert you to any variables that may lead to a breach.
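As an added illustration of the IAM checks these posts call for (orphaned accounts left behind by departed contractors, dormant accounts, segregation-of-duties violations, and excessive use compared with role peers), here is a small review script. It is example code written for this page, not Courion's product or code; the roster, accounts, SoD rule and access log are all constructed, and the thresholds are assumed values.

```python
# Added example, not Courion's code: a small IAM review over constructed data.
# It flags what the posts above describe: orphaned accounts (owner missing or
# no longer active, e.g. a departed contractor), dormant accounts, segregation-
# of-duties conflicts, and an account downloading far more records than its
# role peers. Every roster, account and log entry below is constructed.
from collections import defaultdict
from datetime import date
from statistics import median

ROSTER = {"bob": "active", "alice": "active", "carol": "active", "dave": "terminated"}
ACCOUNTS = {  # account -> (owner, roles, last login); constructed
    "bob":   ("bob",   {"billing"}, date(2015, 9, 14)),
    "alice": ("alice", {"billing", "billing_approver"}, date(2015, 9, 15)),
    "carol": ("carol", {"billing"}, date(2015, 9, 15)),
    "svc01": ("dave",  {"ehr_export"}, date(2015, 9, 10)),  # owner terminated
    "tmp99": (None,    {"billing"}, date(2015, 3, 1)),      # no owner at all
}
# Constructed SoD rule: nobody may both enter and approve billing records.
SOD_CONFLICTS = [("billing", "billing_approver")]
# Constructed access log: (account, patient records downloaded that day)
ACCESS_LOG = [("bob", 40), ("bob", 38), ("alice", 45), ("carol", 42), ("bob", 900)]
TODAY = date(2015, 9, 16)

def review(roster, accounts, sod_conflicts, log, today, dormant_days=90, multiple=5.0):
    """Return (finding, account) pairs for the four conditions described above."""
    findings = []
    for acct, (owner, roles, last_login) in accounts.items():
        if owner is None or roster.get(owner) != "active":
            findings.append(("orphaned", acct))
        if (today - last_login).days > dormant_days:
            findings.append(("dormant", acct))
        if any(a in roles and b in roles for a, b in sod_conflicts):
            findings.append(("sod_violation", acct))
    # Excessive use: compare each day's count with the median of every count
    # logged for accounts holding the same role set. The median is used rather
    # than the mean because one huge download would drag the mean up and hide
    # itself; a count above `multiple` times the peer median is flagged.
    by_roles = defaultdict(list)
    for acct, count in log:
        by_roles[frozenset(accounts[acct][1])].append(count)
    for acct, count in log:
        peers = by_roles[frozenset(accounts[acct][1])]
        if len(peers) >= 3 and count > multiple * median(peers):
            findings.append(("excessive_use", acct))
    return findings

def run_review():
    return review(ROSTER, ACCOUNTS, SOD_CONFLICTS, ACCESS_LOG, TODAY)

if __name__ == "__main__":
    for finding, acct in run_review():
        print(f"{finding:15} {acct}")
```

In a real deployment the roster would come from HR, the account and role data from the directory, and the log from the application; the thresholds should be tuned per role rather than fixed as here.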