"I've said it before and I'll say it again. It's not if your data is hacked, but when." - Dr. Seuss (probably)
Ok, so maybe Dr. Seuss isn’t the person who spoke those words, but the sentiment behind it is true. There is no more hoping that your information is safe. It's time to plan for an attack.
In case you haven't heard, online medical records are big-ticket items for cyber criminals. Don't believe me? Just ask Anthem or the UCLA Health System. Or you can read the recent report in Modern Healthcare stating that the average cost of a healthcare breach worldwide is $363 per exposed PHI record; in the US the average was even higher, at $398. How many records do you have in your system? Hundreds? Thousands? Do you want to take a second and do the math, or would you rather hear what you can do to mitigate this risk?
That’s what I thought. It's time to get serious about your healthcare data. Keep reading for 7 ways you can keep your healthcare data safe from cyber attacks.
Target, Ashley Madison, and the IRS all made news this week for being hacked and having information stolen. The difference between these breaches? Two years. The lesson? A hack may take a few seconds or a few months to carry out, but its effects can linger for years on your brand reputation and your bottom line. Today I want to talk about the real and lasting effects of a data breach and what they could mean for your organization.
Brand Reputation: Confession. I am a fan of Target. As in, I will drive out of my way to go there over another store that might be closer to my house, and I’m OK with knowing that I might pay more there because I believe in their quality and customer service. However, even I was worried when they announced the massive hack in 2013. Was I shopping at Target on that date? Please re-read the first line and make your own assumptions there. But was I hacked? And how would I know? Would Target tell me that my information was stolen and out in the open for anyone to see, use, and exploit? I was worried and, I'll admit, it took me a while to go back.
Did I go back? Of course I did, and so did millions of other customers. However, their brand reputation suffered in the short term, with even avid fans like myself backing away, and it continues to suffer in the long term. We all saw that Target’s brand reputation dropped dramatically after the hack. What you may not have seen is that every time a major hack happens, Target is most likely mentioned. Imagine what it does to their brand reputation to remind customers what happened each time. If you’re imagining more dips than peaks, you’re right. Just this week, Target settled with Visa on a $67 million claim. Another reminder means another dip in the graph. Source: Huffington Post
Bottom line: Recently the FBI apprehended a group of hackers who were using stolen press releases for insider trading. When banks are hacked, they often watch the money they control go into another account, another bank, another country, and they can't get it back. But what about when the hackers aren't targeting your money? What about when they go for your seemingly innocuous information?
The possibilities are still endless and just as damaging to your bottom line. We mentioned that the decline in brand reputation causes decreased sales or business for the organization, but what about the other costs? Such as:
Cost of Settlement:
As mentioned earlier, Target just settled with Visa for a cool $67 million resulting from the 2013 hack. That was two years ago and they are still paying for the breach. Oh, and they still haven’t settled with MasterCard. More to come on that, I’m sure.
Cost of Fines:
Are you a hospital? Then you have even more rules and regulations to worry about. If regulators find you non-compliant with HIPAA, you are at risk of a fine. Recently a Massachusetts hospital was fined $218,000 for non-compliance. Probably not something they planned in the yearly budget.
Cost of Monitoring/Customer Support:
Home Depot: another major retailer, another massive hack. When Home Depot told its customers that they could be at risk, it offered to pay for one year of credit monitoring to make sure they were protected. While this did a great deal of damage control, it cost the company dearly.
Looking for ways to mitigate these effects? Our infographic below includes suggestions from our own security executives. If you want to know more, contact us at email@example.com or leave a comment below.
The past week has been bad news for drug pumps. The FDA issued its first warning about them, and a video showing a drug pump hack has been making its way around the blogosphere. While these issues have been spotlighted this week, pumps are not the only devices at risk. In the past year we have seen Electronic Health Record (EHR) systems flourish, along with the ease of housing them on mobile devices, which we all know have a not-so-solid record when it comes to being breached.
So the question is, why are we still using these devices if we know they are so vulnerable? Simply put, the same reason we allow smart thermostats and refrigerators in our home - convenience.
Drug pumps can be controlled by nurses and doctors, who can adjust doses from the nurse’s station rather than walking to the patient's room. Medical records can be pulled up on a tablet in radiology and in billing at the same time without having to carry them from one place to the other. These are all highly convenient and keep costs, not to mention each employee's time, to a minimum.
Medical devices are convenient and are improving the way we do business and the way we treat our patients. They aren't going anywhere, so rather than look to replace them, we need to learn how to secure them.
Differentiated Networks: Just like you keep your valuables out of reach of your three-year-old, you have to keep your devices out of reach of the public. This week in his blog, Dr. John Halamka expounded on this topic, and it was so simple and so logical it’s no wonder it often gets overlooked. He suggested setting up three different networks:
- Public: This Wi-Fi network would be accessible to patients and families and would be open and free. You would put up firewalls and keep it separated from the other two networks, but you would not need to monitor it closely, as you would not be sharing any data over it.
- Private: This network would be for employees only. While it would be more secure, it would still be an open network, accessible to anyone with a password, and it would need to be monitored and governed. Only approved and secure messaging should be used on any device when sharing medical information, even directly with a patient.
In the most recent Spok survey on BYOD, it is noted that, on average, 48% of mobile devices used in hospitals are personal and not issued by the organization. With such a high percentage, your BYOD and security policies should be correspondingly stricter to keep the risk of network penetration to a minimum.
- Device-Only: This network would not be connected to any other systems or personal devices and would have no access to the outside internet. The only access to this network would be through a key provided by the security team or through an authorized device.
Firewalls: Build a gate and dig a moat. You need to make sure that you have a firewall in place to inspect anything that is coming in or going out on any of your networks. While no one has ever laid down their weapons when approaching a gate, they do have to try a lot harder, and you want to put every barrier possible in their way.
Provisioning: You're a hospital administrator with 400 nurses, 200 doctors, and another 500 people making up your maintenance, billing, support, and other staff. Quick: what access does Bob Smith, RN, need? OK, that was a hard one, because we don't know what area he works in. What about Sally in HR? Do you know what access she has? What she actually needs?
Hospitals are huge organizations with thousands of employees, both full-time and contract, and just as each patient needs a different diagnosis, each employee needs different access to get their job done. With a proper provisioning tool you can automate access for specific roles, route out-of-role requests through a proper approval, and ensure that only the right people have the right access, rather than rubber-stamping access for people who may not need what they ask for.
Culture of Security: We all know the number one cause of security breaches: user error. And the number one reason for user error is lack of awareness. This might be one of the cheapest fixes you could ever have; all you need is education. Build a training program into new employee onboarding to discuss the importance of security in your culture. Reinforce this with articles in your monthly newsletter or tips on how to protect yourself and your information. Improve your password policies and make sure that everyone changes passwords on a regular basis, and immediately after any suspected compromise, so that the chance of being hacked is reduced. Lastly, build an incident response plan. Make sure that everyone knows what to do, or at least knows where to find the plan, when something goes wrong.
Benjamin Franklin said that an ounce of prevention is worth a pound of cure. It's time to create a wellness plan to take care of our security systems just as we take care of our patients. Set yourself and your organization up for success with plans, policies, and solutions to keep your medical devices, records, and employees safe.
Welcome to the last installment of our 3-part series exploring how intelligence improves identity and access management, or IAM. In part 1 we looked at how intelligence improves the provisioning portion of IAM. In part 2 we looked at how intelligence improves the governance portion of IAM. In this segment we look beyond provisioning and governance to address how intelligent IAM can help to reduce the 5 most common elements of risk: identity, resources, rights, policy, and activity.
1. Identity: In part 2 of our series, we discussed how human resources are the most dynamic risk facing security teams today, because you are constantly managing changing identities. Who are you? What is your role? What do you need access to? These questions are constantly being asked by the system and can equate to hundreds or even thousands of access requests a year.
With intelligent IAM, all roles are built into the system along with the basic applications each role needs. For example, when a marketing manager is hired, the system leads them to request access to their email account, the marketing file share, and the marketing automation software, because those are typical of their role and of their peer group. Requests that fall within the boundaries of their peer group are approved automatically. If they want access to, say, the sales folder, they have to request special access. This gives the user guidelines rather than the all-too-common shopping cart approach, where users request items they don’t really need and create a backlog of requests while the approver decides whether they really need that access.
2. Resources: With so many business applications, servers, mobile devices, etc. do you know which assets are critical and must be protected? Do you know which seemingly innocuous applications tie back to a server that needs to be protected?
Governance certifications exist to monitor access to the most sensitive information, applications, and servers. Intelligent IAM governance will not only monitor your most sensitive data but will raise a flag, or an alert, when a high-risk event takes place. When accounts are created outside of the provisioning system, or high-risk applications are granted outside of a role or peer group, they will be flagged as a "critical risk".
3. Rights: Who really needs access to what? Before intelligent IAM, all provisioning and governance had to be audited to make sure that the right people had the right access to the right things. The issue was that those rights were always changing. Some applications are lower risk and can be audited on an annual or semi-annual basis. Others are highly critical and must be assessed monthly or weekly. Doing this manually for all employees would be impossible.
By using intelligence, your IAM system can review rights as needed and ask for re-certification of sensitive applications. For example, an email account can be re-certified automatically each month as long as the employee hasn't been terminated, whereas the payroll system may need a monthly manual re-certification to make sure that only the right people have access.
4. Policy: What business rules must be enforced in your company? What segregation of duties do you rely on? This is another risk taken care of, somewhat automatically, by the assignment of roles within the organization. Segregation of duties is an easy addition, especially when set up from the start. Managers should not be able to both post and approve their own time cards, nor should they be able to both place and approve a purchase order. Governance certifications and approvals, together with segregation-of-duty rules, mitigate this risk rather easily.
5. Activity: Who is doing what? And when? Visibility into all of your applications and systems is an extremely difficult task, and without an automated system it is basically impossible. Much like the alerts raised by your high-risk resources, you can use intelligent IAM to see what your users are doing with real-time monitoring and be alerted to any inconsistencies. This real-time view shows you what is happening with approvals as well as risk assessment, and reduces the need to wait for an annual or semi-annual audit. With an automated system you can see sensitive updates monthly, weekly, or as needed instead of having to wait 6 to 12 months for an audit.
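The decisions described across the five risk elements above (peer-group auto-approval for in-role requests, manual review for out-of-role or high-risk entitlements, segregation-of-duties enforcement, and flagging accounts that appear outside the provisioning system) can be made concrete in a few dozen lines. The following is an added example written for this page, not Courion product code; the roles, entitlements, conflict rules, user names and "observed accounts" are all constructed sample data.

```python
"""Added example (not Courion's product code): a toy role-based access request evaluator
showing peer-group auto-approval, segregation-of-duties (SoD) enforcement, manual review
for high-risk entitlements, and flagging of accounts created outside provisioning.
Roles, entitlements, rules and identities below are all constructed sample data."""
from dataclasses import dataclass, field


# Constructed baseline: entitlements a new hire in each role (peer group) is expected to hold.
ROLE_BASELINE = {
    "marketing_manager": {"email", "marketing_share", "marketing_automation"},
    "sales_rep": {"email", "sales_share", "crm"},
    "ap_clerk": {"email", "erp_po_create"},
    "ap_manager": {"email", "erp_po_approve"},
}

# Constructed SoD rules: pairs no single identity may hold together
# (e.g. the manager who both places and approves a purchase order).
SOD_CONFLICTS = [
    frozenset({"erp_po_create", "erp_po_approve"}),
    frozenset({"timecard_submit", "timecard_approve"}),
]

# Constructed list of entitlements that are never auto-approved, whatever the role.
HIGH_RISK = {"payroll_admin", "erp_po_approve", "ehr_admin"}


@dataclass
class Identity:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


def evaluate_request(identity: Identity, entitlement: str) -> tuple:
    """Decide an access request. Returns (decision, reason) with decision one of
    'auto_approve', 'manual_review' or 'deny'. SoD is checked first so a conflicting
    request is refused even when it is otherwise within the requester's role."""
    would_hold = identity.entitlements | {entitlement}
    for conflict in SOD_CONFLICTS:
        if conflict <= would_hold:
            return "deny", "segregation of duties: cannot hold " + " and ".join(sorted(conflict))
    if entitlement in HIGH_RISK:
        return "manual_review", "high-risk entitlement: approver sign-off required"
    if entitlement in ROLE_BASELINE.get(identity.role, set()):
        return "auto_approve", "within peer-group baseline for role " + identity.role
    return "manual_review", "outside peer-group baseline: special access request"


def apply_request(identity: Identity, entitlement: str) -> str:
    """Grant only auto-approved requests; everything else waits for a human decision."""
    decision, _reason = evaluate_request(identity, entitlement)
    if decision == "auto_approve":
        identity.entitlements.add(entitlement)
    return decision


def critical_risk_accounts(provisioned: set, observed: set) -> set:
    """Accounts present on a target system that the provisioning system never created:
    the 'critical risk' flag from the Resources element above."""
    return observed - provisioned


def sod_violations(identity: Identity) -> list:
    """Governance sweep: conflicts already present in an identity's current entitlements."""
    return [sorted(c) for c in SOD_CONFLICTS if c <= identity.entitlements]


if __name__ == "__main__":
    maria = Identity("Maria", "marketing_manager")
    for wanted in ("email", "marketing_share", "sales_share"):
        print(wanted, "->", evaluate_request(maria, wanted))
    bob = Identity("Bob", "ap_clerk", {"email", "erp_po_create"})
    print("erp_po_approve ->", evaluate_request(bob, "erp_po_approve"))
    # Constructed account inventory pulled from a target system versus what provisioning knows.
    print("out-of-band:", critical_risk_accounts({"maria", "bob"}, {"maria", "bob", "svc_unknown"}))
```

In a real deployment the baseline would be mined from what peers in the same role actually hold rather than typed in by hand, and the `critical_risk_accounts` comparison would run on a schedule against each connected system's account list; the ordering of the checks is the part worth copying, since an SoD conflict should win over "it's in the role baseline".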
While the idea of identity analytics is not new, we believe that the use of intelligence in IAM is revolutionizing the industry. With real-time data and information-backed automation, you have visibility into your system at any time rather than waiting for an audit, and your decisions are made on the most accurate and up-to-date information.
Want to know more about how Intelligent Identity and Access Management can help you mitigate risk in your organization? Download our eBook, Improving Identity and Access with Intelligence, and learn about:
- What is Intelligent IAM?
- Intelligence for Provisioning
- Intelligence for Governance
- Intelligence for Risk
- And More!
This week we are proud to present a spotlight blog from one of our trusted partners, Mr. Andy Osburn at SecureReset. With over 15 years of experience in network password reset, Andy and his team are an integral part of what makes Courion great. Take it away Andy!
Andy Osburn, Secure Reset
You can’t throw a digital rock in the IT security blogspace without hitting an article concerning the risks and consequences related to password compromise. This attention is well-placed given the numerous high profile cases of data theft and reputational losses that can be traced back to either weak or stolen passwords.
The recognition of the inherent risk in any single-factor authentication method is not new. In 2001, the US Federal Financial Institutions Examination Council (FFIEC) issued guidance on authentication in the electronic banking environment, identified the risks and controls, and concluded that, “single factor authentication alone may not be commercially reasonable or adequate for high risk applications and transactions.” This reality has generated a wider call to move beyond security’s reliance on passwords and their ever-increasing complexity and rotation. When employed as a single factor to verify identity and grant access to critical enterprise resources, the overwhelming conclusion is that the password is simply not good enough.
The FFIEC went further to advocate the use of multi-factor authentication (MFA), where two or more of the three basic factors (something you know, something you have, something you are) are used in combination.
So it raises the question: if the risks, consequences, and potential solutions have been known for 15+ years, why has there not been wider adoption and usage of MFA?
Well, the answer lies in the fact that the implementation of additional authentication control methods in the IT security environment must take into account many considerations, not least of which are user experience, cost, and convenience.
Early MFA solutions that incorporated smart cards, biometric scanners, and hardware tokens, in addition to knowledge authentication, made significant strides in elevating the security of user authentication. However, the relative complexity and inconvenience of these MFA solutions hampered widespread adoption in the enterprise marketplace. This experience, together with the relatively high lifecycle management costs of the solutions, limited the scope of usage to environments requiring higher-end authentication security.
So what has changed in this intervening period through to today’s reality of enterprise environments and authentication challenges? Two things: the first of which is the acceptance of the high risk inherent in single-factor authentication and the corresponding potential for significant data and reputational losses. The second is the ubiquity of the mobile smart device.
Each of us now carries a mobile device that has tremendous capability to behave as a security token. Not only is there exceptional computing capacity, but perhaps even more importantly, we as users are now completely comfortable with employing these devices for a myriad of common daily routines. It is only natural that we now look to use these devices as part of an enterprise MFA strategy.
This new mobile MFA capability is being reflected in the products available to enterprise customers from Courion partners such as QuickFactor and Ping Identity. Both companies are members of the FIDO ("Fast Identity Online") Alliance which is an industry organization created to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords.
These advances in mobile products and standards mean that the new reality of enterprise user authentication strikes a better balance between security and convenience. End users have more flexible authentication choices, and the enterprise can now leverage the significant capabilities of mobile authentication with three true factors.
Coming full circle then, it is unlikely that the password will completely go away. However, it is equally unlikely that it will continue to exist in the familiar form as we know it today. What we can expect to see is that the password will play a role as a one-time-use or rotating knowledge-based authentication component of the mobile MFA model. When employed wisely in an MFA structure, the password can still prove to be a valuable authentication factor.
For more information on how Courion works with SecureReset to create the most innovative and industry leading technology, read more on our datasheet or click here for information on SecureReset and our other partners.