Category Archives: Data Security

Weak Cybersecurity? Here’s Something You Can Do About It

News that Virtual Private Network (VPN) provider NordVPN was breached spread quickly. While the breach of a major VPN service is newsworthy, this one wasn’t particularly. A single server was compromised, one of many, and according to NordVPN only 50-200 customers were affected.

But one of the watchwords of good cyber hygiene, a VPN, was breached. The incident put NordVPN in the hot seat. They blamed a vendor. Compared to seismic events like the Capital One and Equifax data breaches, it was a non-event.

Especially in North America, where the technology has been slow to catch on, the NordVPN breach may seem overblown, but it has raised a crucial question for small to medium sized businesses and large corporations alike: Are VPNs effective?

Who Is Using VPNs?

Information about VPN use is hard to come by, and that’s the general idea. VPNs are supposed to be a protective measure, one that becomes decidedly less effective if your adversaries know about it.

When businesses in North America use them, their own IT teams manage their sourcing and implementation, and no one in the cybersecurity business discloses anything about their protocols. Commercial VPN services often advertise their privacy and anonymity practices, but it is not clear how above-board their claims are. Having hard data on how customers utilize any given VPN service more or less defeats the purpose of that service.

A 2018 study regarding VPN use worldwide is worth considering.

The first takeaway was that the global market for VPNs is booming. Usage increased 185% from 2016 to 2017 and 165% from 2017 to 2018.

The second takeaway is that the growth of VPN adoption is primarily on the consumer side, not business, with 51% of users polled reporting that access to entertainment is a key factor (streaming catalogs for services like Netflix vary by country due to usage rights), followed by 34% for social media activity.

Only 30% of users worldwide use VPNs for business and work-related activity, roughly the same percentage who use them for BitTorrent-related activity.

The same study shows that VPN usage is highest in Asia and the Middle East. North America and Europe lag well behind, comprising a scant 17% of users.

While it’s not exactly scientific, these figures can help ascertain a ballpark number for corporate adoption of VPNs: If less than a third of VPN use is for work, and less than a fifth of users in North America use a VPN, it’s not too much of a leap to assume that most businesses in the U.S. are not.

SMB vs. Enterprise

If you are responsible for keeping your business safe, don’t panic. With the growth of personal VPN use, many enterprises are phasing them out in favor of more advanced cloud-based solutions, including zero-trust architecture, software-defined perimeters, and micro-segmentation.

Implementation of these approaches requires a dedicated team of specialists, and that’s where small to medium sized businesses are left literally unprotected. Even if the average SMB could afford the investment in network infrastructure (it can’t), implementing it would still be a monumental undertaking and one well beyond the financial capabilities of most smaller operations.

Also worth noting: Giving experienced cloud technicians access to your network doesn’t always end well; take Capital One, for instance.

Can VPNs Help Your Business?

There is no shortage of misinformation about VPNs online, but if you stop reading here, remember this: Never use a “free” VPN service. As with everything else online, if you’re not paying money for a product or service, you’re paying with your data.

A VPN is a secure tunnel for network traffic, routing it from one place to another, typically with some form of authentication. If, for example, a user resides in a country with major Internet restrictions (think: the Great Firewall of China), he or she may connect to a VPN outside of that country and bypass local laws.

Getting around obstacles is a well-known use for VPNs, but they can just as readily be deployed to erect walls around businesses and their data. With so many employees ferrying devices between their homes and offices, it’s difficult to know who is accessing a company’s network. Incoming traffic from another country could be a hacker probing for network vulnerabilities, or it could be a vacationing employee trying to check email.

A VPN is able to authenticate employees and have them access resources on a company’s network from a consistent IP address (IP addresses otherwise change for a variety of reasons). While it may seem like a minor consideration, limiting network access to a fixed set of known IP addresses can make a hacking attempt more visible: if a system is getting requests from devices outside of that range, it’s a good indicator of suspicious activity.
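One way to turn that observation into a concrete check, as an added example that is not from the original post: a small Python script that parses web-server log lines and flags requests to internal paths that arrive from outside an assumed VPN egress range. The egress range, protected paths and log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist (hypothetical): the small, fixed set of egress addresses
# that the company's VPN concentrator hands out. 203.0.113.0/24 is a
# documentation range (TEST-NET-3), so nothing here points at a real network.
VPN_EGRESS = [ipaddress.ip_network("203.0.113.0/29")]

# Internal paths that should only ever be reached through the VPN (constructed).
PROTECTED_PREFIXES = ("/intranet/", "/hr/")

# Minimal common-log-format style regex: client IP, identd, user, timestamp,
# request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two VPN users, one outside host probing intranet
# paths, and one outside host reaching a public page (which is fine).
SAMPLE_LOG = """\
203.0.113.2 - alice [12/Nov/2019:09:01:11 +0000] "GET /intranet/payroll HTTP/1.1" 200
203.0.113.5 - bob [12/Nov/2019:09:02:40 +0000] "GET /hr/handbook.pdf HTTP/1.1" 200
198.51.100.77 - - [12/Nov/2019:09:03:02 +0000] "GET /intranet/payroll HTTP/1.1" 401
198.51.100.77 - - [12/Nov/2019:09:03:03 +0000] "GET /intranet/admin HTTP/1.1" 401
203.0.113.2 - alice [12/Nov/2019:09:05:00 +0000] "GET /public/index.html HTTP/1.1" 200
192.0.2.9 - - [12/Nov/2019:09:06:30 +0000] "GET /public/index.html HTTP/1.1" 200
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    try:
        fields["ip"] = ipaddress.ip_address(fields["ip"])
    except ValueError:
        return None  # malformed address: treat as unparseable rather than trusted
    fields["status"] = int(fields["status"])
    return fields


def is_vpn_source(ip):
    """True if the client address falls inside one of the VPN egress ranges."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in VPN_EGRESS)


def is_protected(path):
    """True for paths that are only supposed to be reachable over the VPN."""
    return path.startswith(PROTECTED_PREFIXES)


def flag_out_of_range(log_text):
    """Return requests for protected paths that did not arrive via the VPN.

    Public pages are ignored: the signal the article describes is traffic to
    internal resources from addresses outside the known VPN range, whether
    the server accepted (200) or rejected (401) the request.
    """
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_protected(rec["path"]) and not is_vpn_source(rec["ip"]):
            flagged.append(
                {"ip": str(rec["ip"]), "path": rec["path"], "status": rec["status"]}
            )
    return flagged


def offenders(log_text):
    """Count flagged requests per source IP, most active first."""
    return Counter(r["ip"] for r in flag_out_of_range(log_text)).most_common()


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG):
        print(f"{ip}: {n} request(s) to protected paths from outside the VPN range")
```

Rejected (401) requests are flagged as deliberately as accepted ones, since a probe that fails is exactly the early warning the allowlist is meant to surface.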

Another SMB use for a VPN is to keep resources off the internet. If data breaches are the third certainty in life, data leaks and compromises have become the fourth; Brazil, Ecuador, Russia, China, and countless companies have suffered major security leaks due to the accidental exposure of a database online. The tunneling effect of a VPN can be used here to limit access to servers storing sensitive data.

Are VPNs a Silver Bullet for Small to Medium Sized Business?

VPNs are not a silver bullet.

A poorly secured, lost or misplaced device connected to a company’s VPN could easily lead to the loss of data. As NordVPN demonstrated, VPN providers can be breached. VPN software can also be exploited, especially the free versions. The technology is by no means perfect.

But nothing is perfect, especially in the digital world. You can use two-factor authentication, strong passwords, antivirus software, firewalls, employee training and still “get got.” No cybersecurity strategy or protocol is foolproof. That said, using a VPN can add another layer to your company’s cyber defenses and, with that, shrink its attackable surface, which is why you may want to consider using one.

The post Weak Cybersecurity? Here’s Something You Can Do About It appeared first on Adam Levin.

IT professionals deem hybrid cloud as most secure

Enterprises plan to aggressively shift investment to hybrid cloud architectures, with respondents reporting steady and substantial hybrid deployment plans over the next five years, according to a Nutanix survey.

Hybrid cloud as the ideal IT operating model

The vast majority of 2019 survey respondents (85%) selected hybrid cloud as their ideal IT operating model. Vanson Bourne surveyed 2,650 IT decision-makers in 24 countries around the world about where they’re running their business applications today, where …

The post IT professionals deem hybrid cloud as most secure appeared first on Help Net Security.

Google’s Project Nightingale Health Data Practice Raises Privacy Concerns

Google is collecting the health record data of millions of U.S. citizens, raising serious concerns about patient privacy.

According to a recent story published in The Wall Street Journal, Google has partnered with Ascension, the nation’s second largest health care system, for Project Nightingale.

The partnership gives Google full, non-anonymized access to “lab results, doctor diagnoses and hospitalization records… and amounts to a complete health history, including patient names and dates of birth” for millions of patients in 21 states.

The stated intention of Project Nightingale is “ultimately improving outcomes, reducing costs, and saving lives,” according to Google Cloud president Tariq Shaukat, who also sees it helping developers “design new software, underpinned by advanced artificial intelligence and machine learning, that zeros in on individual patients to suggest changes to their care.”

Google’s access to patient data raises concerns among privacy advocates, particularly because at least 150 of the company’s employees have full access to highly personal information without patient consent or notification.

Of perhaps even greater concern is the fact that Google’s apparent data mining is legal according to federal law, specifically the Health Insurance Portability and Accountability Act of 1996, or HIPAA. According to the U.S. Department of Health and Human Services, medical providers “may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions.”

Google has recently made similar moves to expand its access to health and medical data, including its acquisition of Fitbit and that company’s data sharing partnership with the University of Chicago Medical Center. That move resulted in a class action lawsuit.

The post Google’s Project Nightingale Health Data Practice Raises Privacy Concerns appeared first on Adam Levin.

Desjardins Data Breach Worse Than Originally Reported

The June data breach of Canadian financial institution Desjardins was wider in scope than initially reported and compromised the data of all 4.2 million of its individual members.

The breach, initially detected in December 2018 and announced in July 2019, was originally estimated to have affected 2.7 million customers and 173,000 businesses. Desjardins announced the revised figure based on information shared by the Sûreté du Québec (SQ), the Quebec province’s police force. It is possible more businesses were impacted by the breach than originally estimated.

Compromised member data included names, addresses, birthdates, social insurance numbers, email addresses and transaction histories.

“This is not a new breach, this is the same breach with the same employee who did the same pattern [sic], but the bad news today is that the SQ is sure that it’s for the whole group and all the 4.2 million members,” said Desjardins chief executive Guy Cormier.

While Desjardins attributed the data breach to a single employee, no arrests have been made and an investigation is still ongoing.

The post Desjardins Data Breach Worse Than Originally Reported appeared first on Adam Levin.

Sensitive Data Management Guide for Companies and Individuals

Keeping sensitive data secure against theft and vulnerability should be a priority for most organizations. However, this isn’t as easy as it may seem, especially with new technologies and an evolving digital world. Even with the right precautions, sensitive data can still be breached and information can be stolen by those with bad intentions.

In order to help individuals and corporations with sensitive data management, we talked with several cybersecurity experts about proper data management and protection. We have compiled the most prevalent answers to the following questions:

What is the Biggest Mistake that People and Companies Make in Sensitive Data Management?

The first major mistake companies make is not classifying their data. Without proper classification, they are not aware that certain data needs extra protection. This leaves the data vulnerable since no security measures are in place; in practice, far too many users can access it.

Encryption is another big issue for companies and employees. Sometimes, even when they know that the data being handled is sensitive, they neglect to encrypt it in storage or in transit. This leaves the data vulnerable and easily accessible to anyone, which is not proper sensitive data management practice.

The last is not having the right protocols and policies in place to safeguard sensitive data against external and internal threats. Knowing what to do and how to act at critical moments is essential to protecting sensitive information within the company. This has become a huge challenge for both private and public organizations.

How should Companies Address Data Security?

Companies need to address sensitive data management according to their own needs. There is no one-size-fits-all solution for securing important information. But there are steps that every company and organization needs to take in order to address the most common data security challenges.

Train Employees

Phishing, malware, ransomware, and many other types of attacks rely on an employee making a mistake in order for the malicious program to take hold and steal data. The best way to avert this is to train all employees in sensitive data management.

The training would include learning about the different types of attacks, what to look out for, and what to do in case they notice something suspicious.

Social engineering should be a huge part of these trainings as well. As attackers develop more sophisticated and well-thought-out attacks, employees should be trained to recognize them.

Implement Security Measures

It is always important to have the right security applications within the system. This includes firewalls, anti-virus protection, anti-malware programs, and detection systems. These allow for immediate screening and blocking of potential threats against the company.

Keep Software Updated

Companies use many different kinds of software. From operating systems to spreadsheets, all of these programs can be targeted by malicious software. To prevent that from happening, it is recommended, as part of sensitive data management, to update every program as soon as new versions are available.

Updates from the makers of these programs usually include security fixes. They add patches for vulnerabilities that have been found so that malicious attackers can no longer exploit those weaknesses.

Password Management

A simple but still very powerful aspect of sensitive data management is the password. Employees and users should be required to use strong passwords that contain upper- and lower-case letters, numbers, and symbols, and that are at least 10 characters long. All users should also be required to change their passwords at regular intervals to keep them safe.

All in all, sensitive data management should be a conscious effort from each member of the organization. Top-level management should buy in to the idea of protecting their sensitive information and allocate the proper resources to achieve that goal. All employees should also do their part to protect the organization.


Singapore Firms Struggling To Keep Up With Software Patches

Yes, you read it right! Organizations in Singapore are struggling to cope with the volume of software patches. According to new research released by ServiceNow, Inc., Singapore firms saw an 18% increase in cyber attacks this year alone compared to the past year, with 58% of data breaches associated with a vulnerability for which a patch was available but not applied in time.

ServiceNow commissioned the Ponemon Institute to survey nearly 3,000 cyber security professionals across nine countries: Singapore, Japan, the United States, France, Australia, the Netherlands, Germany, New Zealand, and the United Kingdom.

The study reveals that nearly 79 percent of firms did not have adequate staff to deploy security patches promptly to prevent a data breach.

The study further revealed that 72 percent of Singapore firms planned to hire more staff, an average of five additional staff members, dedicated to patching over the next year.

This may be especially critical, considering that 67 percent of respondents pointed to a lack of coordination between their teams. Another 69 percent of respondents in Singapore revealed that their teams could not take critical applications and systems offline to patch them quickly, while 45 percent said that their teams struggled to prioritize the patching process.

As a result, IT staff in Singapore spent an average of 10 days manually coordinating patching activities across their teams, and 49 percent of respondents said that manual patching processes placed them at a significant disadvantage when it came to patching vulnerabilities.

Nearly 60 percent of respondents in Singapore believed that cyber attackers currently were ahead of their businesses in their use of technology, such as AI and Machine Learning. Some 80 percent of respondents revealed that deploying automation tools to patch vulnerabilities helped them respond more quickly.

Meanwhile, respondents in Japan seemed to have an even more difficult time coping with security patches, with 99 percent of Japanese respondents stating that their teams lacked sufficient resources to keep up with the volume of security patches.

The study further revealed that IT staff in Japan lose an average of 13 days manually coordinating with other relevant teams before a security patch is applied.

Globally, respondents reported a 34 percent increase in weekly costs spent on patching compared to the previous year, and 30 percent more downtime than in 2018 due to delays in patching vulnerabilities.

There is also a 17 percent increase in the volume of cyberattacks in the last 12 months compared to the same timeframe the previous year. Plus, there is a nearly 27 percent increase in cyberattack severity compared to 2018.

According to the study, automation tools offer a significant advantage in responding quickly to data breaches and patching software vulnerabilities effectively. Nearly 80 percent of respondents who employ automation tools said that automation helps them respond to software vulnerabilities in a shorter timeframe.

ServiceNow’s general manager for security and risk, Sean Convery, said: “Companies saw a 30 percent increase in downtime due to patching of security vulnerabilities, which hurts customers, employees, and brands. Many firms have the motivation to address this challenge, but struggle to leverage their resources for more impactful vulnerability management effectively. IT Teams that invest in automation tools and developing their IT and security team interactions will strengthen the security posture across their organizations.” 

Other findings of the ServiceNow study:

  • Nearly 76 percent of respondents stated that they don’t have adequate resources to cope with the volume of security patches.
  • Nearly 58 percent of respondents said that their data breaches are due to human error.
  • Nearly 96 percent of firms in Singapore experienced a data breach over the past year, with 98 percent of firms expressing security concerns involving 5G network deployments and digital transformation initiatives.
  • Nearly 88 percent of respondents stated that they must engage with other teams across their organizations, which results in silos that delay security patching by an average of 12 days.
  • Annual spending on software patching and vulnerability management initiatives rose to $1.4 million, an average increase of $282,750 from 2018.

With cybercriminals harnessing the power of new-age technologies such as AI and Machine Learning to break through advanced security systems, building the culture of security into the vision and values of all organizations is a must.


Leaked Memo Warns of Poor Cybersecurity in White House

A leaked memo from the Office of the Chief Information Security Officer (OCISO) delivered alarming news about the state of cybersecurity at the White House.

Acquired and published online by Axios, the memo was included in a resignation letter from Branch Chief of White House Computer Network Defense Dimitrios Vastakis. In the document, Vastakis details several concerns about staffing and organizational policies that he felt were harming cybersecurity at the White House and causing personnel to leave “at an alarming rate.”

Vastakis took particular issue with the recent decision to fold the OCISO into the Office of the Chief Information Officer.

“This is a significant shift in the proprieties of senior leadership where business operations and quality of service take precedence over securing the President’s network,” Vastakis wrote.

The memo comes in the wake of several resignations or terminations from the office, which was established in 2014 in response to a successful Russian cyberattack.

“It is my express opinion that the remaining incumbent OCISO staff is being systematically targeted for removal from the Office of Administration (OA) through various means,” wrote Vastakis, concluding that “the White House is posturing itself to be electronically compromised once again.”

Other former cybersecurity officials for the White House have expressed similar concerns and misgivings with the current administration’s cyber policies.

“The termination of the cyber czar position compounded with placing individuals like Giuliani in charge of cyber has created the perfect storm,” wrote Tom Kellermann, the former cybersecurity commissioner for the Obama administration. “We are under siege by an axis of evil in cyberspace and we must appreciate that American cybersecurity is tenuous as we fight an ongoing cyber insurgency.”

The post Leaked Memo Warns of Poor Cybersecurity in White House appeared first on Adam Levin.

Device & App Safety Guide for Families

While we talk about online safety each week on this blog, October is National Cybersecurity Awareness Month (NCSAM), a time to come together and turn up the volume on the digital safety and security conversation worldwide.

To kick off that effort, here’s a comprehensive Device and App Safety Guide to give your family quick ways to boost safety and security.

Device Safety Tips

  • Update devices. Updates play a critical role in protecting family devices from hackers and malware, so check for updates and install promptly.
  • Disable geotagging. To keep photo data private, turn off geotagging, which is a code that embeds location information into digital photos.
  • Turn off location services. To safeguard personal activity from apps, turn off location services on all devices and within the app. 
  • Review phone records. Monitor your child’s cell phone records for unknown numbers or excessive late-night texting or calls.
  • Lock devices. Most every phone comes with a passcode, facial, or fingerprint lock. Make locking devices a habit and don’t share passcodes with friends. 
  • Add ICE to contacts. Make sure to put a parent’s name followed by ICE (in case of emergency) into each child’s contact list.
  • Back up data. To secure family photos and prevent data loss due to malware, viruses, or theft, regularly back up family data. 
  • Use strong passwords. Passwords should be more than eight characters in length and contain a mix of capital and lower case letters and at least one numeric or non-alphabetical character. Also, use two-factor authentication whenever possible.  
  • Stop spying. Adopting healthy online habits takes a full-court family press, so choose to equip over spying. Talk candidly about online risks, solutions, family ground rules, and consequences. If you monitor devices, make sure your child understands why. 
  • Share wisely. Discuss the risks of sharing photos online with your kids and the effect it has on reputation now and in the future. 
  • Protect your devices. Add an extra layer of protection to family devices with anti-virus and malware protection, and consider content filtering.
  • Secure IoT devices. IoT devices such as smart TVs, toys, smart speakers, and wearables are also part of the devices families need to safeguard. Configure privacy settings, read product reviews, secure your router, use a firewall, and use strong passwords at all connection points. 

App Safety Tips

  • Evaluate apps. Apps have been known to put malware on devices, spy, grab data illegally, and track location and purchasing data without permission. Check app reviews for potential dangers and respect app age requirements.
  • Max privacy settings. Always choose the least amount of data-sharing possible within every app and make app profiles private.
  • Explore apps together. Learn about your child’s favorite apps, what the risks are, and how to adjust app settings to make them as safe as possible. Look at the apps on your child’s phone. Also, ask your child questions about his or her favorite apps and download and explore the app yourself. 
  • Understand app cultures. Some of the most popular social networking apps can also contain inappropriate content that promotes pornography, hate, racism, violence, cruelty, self-harm, or even terrorism.
  • Monitor gaming. Many games allow real-time in-game messaging. Players can chat using text, audio, and video, which presents the same potential safety concerns as other social and messaging apps.
  • Discuss app risks. New, popular apps come out every week. Discuss risks such as anonymous bullying, inappropriate content, sexting, fake profiles, and data stealing. 
  • Avoid anonymous apps. Dozens of apps allow users to create anonymous profiles. Avoid these apps and the inherent cyberbullying risks they pose.
  • Limit your digital circle. Only accept friend requests from people you know. And remember, “friends” aren’t always who they say they are. Review and reduce your friend list regularly.
  • Monitor in-app purchases. It’s easy for kids to go overboard with in-app purchases, especially on gaming apps.

Our biggest tip? Keep on talking. Talk about the risks inherent to the internet. Talk about personal situations that arise. Talk about mistakes. Nurturing honest, ongoing family dialogue takes time and effort but the payoff is knowing your kids can handle any situation they encounter online.

Stay tuned throughout October for more NCSAM highlights and information designed to help you keep your family safe and secure in the online world.

The post Device & App Safety Guide for Families appeared first on McAfee Blogs.

Data Residency: A Concept Not Found In The GDPR

Are you facing customers telling you that their data must be stored in a particular location?

Be reassured: As a processor of data, we often encounter a discussion about where the data is resident, and we are often facing people certain that their data must be stored in a given country. But the truth is, most people don’t have the right answer to this legal requirement.

To understand the obligations and requirements surrounding data storage, you first need to understand the difference in concepts between “data residency” and “data localization.”

What Are Data Residency and Data Localization?

Data residency is when an organization specifies that their data must be stored in a geographical location of their choice, usually for regulatory, tax or policy reasons. By contrast, data localization is when a law requires that data created within a certain territory stays within that territory.

People arguing that data must be stored in a certain location are usually pursuing at least one of the following three objectives:

  1. To allow data protection authorities to exert more control over data retention and thereby have greater control over compliance.
  2. In the EU, it is seen as means to encourage data controllers to store and process data within the EU or within those countries deemed to have the same level of data protection as in the EU, as opposed to moving data to those territories considered to have less than “adequate” data protection regimes. The EU has issued only 13 adequacy decisions: for Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, US (Privacy Shield only) and Uruguay.
  3. Finally, it is seen by some as a tool to strengthen the market position of local data center providers by forcing data to be stored in-country.

However, it is important to note that accessing personal data is considered a “transfer” under data protection law—so even if data is stored in Germany (for example), if a company has engineers in India access the data for customer service or support purposes, it has now “moved” out of Germany. Therefore, you can’t claim “residency” in Germany if there is access by a support function outside the country. Additionally, payment processing functions also sometimes occur in other countries, so make sure to consider them as well. This is an important point that is often missed or misunderstood.

Having understood the concept of data residency and data localization, the next question is, are there data residency or localization requirements under GDPR?

In short: No. GDPR does not introduce and does not include any data residency or localization obligations. There were also no data residency or localization obligations under the GDPR’s predecessor, the Data Protection Directive (95/46/EC). In fact, both the Directive and the GDPR establish methods for transferring data outside the EU.

Having said that, it is important to note that local law may impose certain requirements on the location of the data storage (e.g., Russia’s data localization law, German localization law for health and telecom data, etc.).

So, if there is no data residency or localization requirement under GDPR, can we transfer the data to other locations?

The GDPR substantially repeats the requirements of the Data Protection Directive, which states that you need to have legal transfer means if you move data outside of the EU into a jurisdiction with inappropriate safeguards (see map here). The legal transfer means are:

  • Adequacy: a decision by the EU Commission that a country has an adequate level of protection;
  • Binding Corporate Rules: binding internal rules of a company, to be approved by data protection authorities;
  • Standard Contractual Clauses / Model Clauses: individually negotiated contracts between controller and processor;
  • Privacy Shield: for US companies only; this is a replacement self-certification program for the Safe Harbor.

I have heard that Privacy Shield and Standard Contractual Clauses are under serious scrutiny? What is this all about?

Following the European Court of Justice decision that the EU-US Safe Harbor arrangement does not provide adequate protection for the personal data of EU data subjects, the EU and US entered into a new arrangement to enable the transfer of data (the Privacy Shield). However, a number of non-governmental organizations and privacy advocates have started legal action to seek decisions that the Privacy Shield and the EU Standard Contractual Clauses do not provide sufficient protection of data subjects’ personal data.

It remains to be seen how the European Court of Justice will decide in these cases. They are expected to rule on these matters by the end of 2019.

I have heard that the Standard Contractual Clauses/Model Clauses might be updated. What is that all about?

In order to protect data being transferred outside of the European Union, the Union issued three Standard Contractual Clause templates (for controller to controller transfers and for controller to processor transfers). These have not been updated since they were first introduced in 2001, 2004 and 2010, respectively. However, the European Union’s consumer commissioner, under whom privacy falls, has indicated that the EU is working on an updated version of the Standard Contractual Clauses. It remains to be seen how the Clauses will be modernized and whether the shortcomings, concerns and gripes of existing Standard Contractual Clauses will be addressed to the satisfaction of all parties.

One thing is for certain, however—the data protection space will only get more attention from here on out, and those of us working in this space will have to become more accustomed to complexities such as those surrounding Data Residency.


This blog is for information purposes only and does not constitute legal advice, contractual commitment or advice on how to meet the requirements of any applicable law or achieve operational privacy and security. It is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of applicable privacy laws, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with privacy laws or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.


The post Data Residency: A Concept Not Found In The GDPR appeared first on McAfee Blogs.

Data Privacy and Security Risks in Healthcare

Healthcare is a business much like all verticals I work with; however, it has a whole different set of concerns beyond those of traditional businesses. The compounding threats of malware, data thieves, supply chain issues, and the limited understanding of security within healthcare introduce astronomical risk. Walking through a hospital a few weeks ago, I was quickly reminded of how many different devices are used in healthcare—CT scanners, traditional laptops, desktops, and various other devices that could be classified as IoT.

Sitting in the hospital, I witnessed people reporting for treatment being required to sign and date various forms electronically. Then, on a fixed-function device, patients were asked to provide a palm scan for additional biometric confirmation. Credit card information, patient history, and all sorts of other data was also exchanged. In my opinion, patients should be asking, “Once the sign-in process is complete, where is the patient data stored, and who has access to it? Is it locked away, encrypted, or sent to the ‘cloud’ where it’s stored and retrieved as necessary? If it’s stored on the cloud, who has access to that?” I do recall seeing a form asking that I consent to releasing records electronically, but that brings up a whole new line of questions. I could go on and on …

Are these challenges unique to healthcare? I would contend that at some level, no, they’re not. Every vertical I work with has compounding pressures based on the ever-increasing attack surface area. More devices mean more potential vulnerabilities and risk. Think about your home: You no doubt have internet access through a device you don’t control, a router, and many other devices attached to that network. Each device generally has a unique operating system with its own set of capabilities and with its own set of complexities. Heck, my refrigerator has an IP address associated with it these days! In healthcare, the risks are the same, but on a bigger scale. There are lives at stake, and the various staff members—from doctors, to nurses, to administrators—are there to hopefully focus on the patient and the experience. They don’t have the time or necessarily the education to understand the threat landscape—they simply need the devices and systems in the hospital network to “just work.”

Many times, I see doctors in hospital networks and clinics get fed up with having to enter and change passwords. As a result, they’ll bring in their personal laptops to bypass what IT security has put in place. Rogue devices have always been an issue, and since those devices are accessing patient records without tight security controls, they are a conduit for data loss. Furthermore, that data is being accessed from outside the network using cloud services. Teleradiology is a great example of how many different access points there are for patient data—from the referring doctor, to the radiologist, to the hospital, and more.

Figure 1: Remote Teleradiology Architecture

With healthcare, as in most industries, the exposure risk is potentially great. The solution, as always, will come from identifying the most important thing that needs to be protected, and figuring out the best way to safeguard it. In this case, it is patient data, but that data is not just sitting locked up in a file cabinet in the back of the office anymore. The data is everywhere—it’s on laptops, mobile devices, servers, and now more than ever in cloud services such as IaaS, PaaS and SaaS. Fragmented data drives great uncertainty as to where the data is and who has access to it.

The security industry as a whole needs to step up. There is a need for a unified approach to healthcare data. No matter where it sits, there needs to be some level of technical control over it based on who needs access to it. Furthermore, as that data is traversing between traditional data centers and the cloud, we need to be able to track where it is and whether or not it has the right permissions assigned to it.

The market has sped up, and new trends in technology are challenging organizations every day. In order to help you keep up, McAfee for Healthcare (and other verticals) is focusing on the following areas:

  • Device – OS platforms—including mobile devices, Chromebooks and IoT—are increasingly locked down, but the steadily increasing number of devices provides other avenues for attack and data loss.
  • Network – Networks are becoming more opaque. Plain HTTP has largely given way to HTTPS, so traffic inspection alone no longer shows what is being stored where; a CASB safety net is essential in order to see the data stored with services such as Box or OneDrive.
  • Cloud – With workloads increasingly moving to the cloud, the traditional datacenter has been largely replaced by IaaS and PaaS environments. Lines of business are moving to the cloud with little oversight from the security teams.
  • Talent – Security expertise is extremely difficult to find. The talent shortage is real, particularly when it comes to cloud and cloud security. There is also a major shortage in quality security professionals capable of threat hunting and incident response.

McAfee has a three-pronged approach to addressing and mitigating these concerns:

  • Platform Approach – Unified management and orchestration with a consistent user experience and differentiated insights, delivered in the cloud.
    • To enhance the platform, there is a large focus on Platform Driven Managed Services—focused on selling outcomes, not just technology.
  • Minimized Device Footprint – Powerful yet minimally invasive protection, detection and response spanning full-stack tech, native engine management and ‘as a service’ browser isolation. This is becoming increasingly important as the typical healthcare environment has an increasing variety of endpoints but continues to be limited in resources such as RAM and CPU.
  • Unified Cloud Security – Spanning data centers, integrated web gateway/SaaS, DLP and CASB. The unification of these technologies provides a safety net for data moving to the cloud, as well as the ability to enforce controls as data moves from on-premises systems to cloud services. Furthermore, the unification of DLP and CASB offers a “1 Policy” for both models, making administration simpler and more consistent. Consistent policy definition and enforcement is ideal for healthcare, where patient data privacy is essential.
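The single-policy idea above (and the earlier point that patient data needs the same technical control wherever it sits) is easiest to see as a location-agnostic policy check. The following is an added illustration, not McAfee code; the policy, roles, location names and inventory are all constructed sample data.

```python
"""Location-agnostic policy check for patient data (added example, not McAfee code).

One policy is evaluated against every copy of a record, whether it sits on an
on-premises EHR server, a personal laptop, or a cloud service. The inventory,
role names and location names below are constructed for illustration.
"""
from dataclasses import dataclass

# One policy for every location: PHI may be read only by these roles, may rest
# only in these locations, and must be encrypted at rest. (Constructed values.)
PHI_POLICY = {
    "allowed_roles": {"physician", "nurse", "radiologist"},
    "allowed_locations": {"onprem_ehr", "onedrive_sanctioned"},
    "require_encryption": True,
}

@dataclass
class DataObject:
    name: str
    classification: str   # "PHI" or "public"
    location: str         # where this particular copy currently sits
    encrypted: bool
    acl: dict             # principal -> role granted on this copy

def find_violations(obj: DataObject, policy: dict = PHI_POLICY) -> list:
    """Return (object name, reason) tuples; an empty list means compliant."""
    if obj.classification != "PHI":
        return []  # policy only constrains patient data
    problems = []
    if obj.location not in policy["allowed_locations"]:
        problems.append((obj.name, f"unsanctioned location: {obj.location}"))
    if policy["require_encryption"] and not obj.encrypted:
        problems.append((obj.name, "not encrypted at rest"))
    for principal, role in obj.acl.items():
        if role not in policy["allowed_roles"]:
            problems.append((obj.name, f"over-permissioned: {principal} ({role})"))
    return problems

# Constructed inventory: the same CT scan fragmented across three locations,
# plus a public document that the PHI policy should ignore.
INVENTORY = [
    DataObject("ct_scan_1234.dcm", "PHI", "onprem_ehr", True, {"dr.lee": "radiologist"}),
    DataObject("ct_scan_1234.dcm", "PHI", "personal_laptop", False, {"dr.lee": "radiologist"}),
    DataObject("ct_scan_1234.dcm", "PHI", "onedrive_sanctioned", True,
               {"dr.lee": "radiologist", "billing_svc": "contractor"}),
    DataObject("visiting_hours.pdf", "public", "personal_laptop", False, {"anyone": "guest"}),
]

def audit(inventory=INVENTORY, policy=PHI_POLICY) -> list:
    """Apply the single policy to every copy, regardless of where it sits."""
    findings = []
    for obj in inventory:
        findings.extend(find_violations(obj, policy))
    return findings
```

Running `audit()` on the sample inventory flags the unencrypted laptop copy twice (location and encryption) and the cloud copy once for the contractor grant, while the on-premises copy and the public document pass.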

In summary, security in healthcare is a complex undertaking. A vast attack surface area, the transformation to cloud services, the need for data privacy and the talent shortage compound the overall problem of security in healthcare. At McAfee, we plan to address these issues through innovative technologies that offer a consistent way to define policy by leveraging a superior platform. We’re also utilizing sophisticated machine learning to simplify the detection of and response to bad actors and malware. These technologies are ideal for healthcare and will offer any healthcare organization long-term stability across the spectrum of security requirements.

The post Data Privacy and Security Risks in Healthcare appeared first on McAfee Blogs.