{"id":2498,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail176-suw12-mcsv-net\/"},"modified":"2021-12-30T11:41:27","modified_gmt":"2021-12-30T11:41:27","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail176-suw12-mcsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail176-suw12-mcsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail176.suw12.mcsv.net;"},"content":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.]<br \/>\nAnd so, now the news<\/p>\n<p>* Are Data Breaches Becoming More Common?<br \/>\n* Time to scale up cyber security to meet emerging threats: Deputy Governor, RBI<br \/>\n* Don&#8217;t use a VPN in United Arab Emirates \u2013 unless you wanna risk jail and a $545,000 fine<br \/>\n* Becoming a Global Chief Security Executive Officer<br \/>\n* The SEC Audit Trail &#8211; Several Industry Groups See Problems as Currently Proposed<br \/>\n* ISF Updates Security Standard, While Encouraging Accountability<\/p>\n<p>Are Data Breaches Becoming More Common?<br \/>\nAccording to data from one breach notification site, that perception may be right.<br \/>\nListings on Vigilante.pw, a site that provides an archive of consumer-focused hacks stretching back to 2007, suggest that data breaches have become more frequent over the past few years.<br \/>\nAccording to Keen, the pseudonymous owner of Vigilante.pw, there were 64 dumps in 
2011, followed by 71 in 2012, 107 in 2013, and 158 in 2014.<br \/>\nBut the following year, the number of breaches nearly doubled to 317.<br \/>\nThis year, there have been 183 breaches so far.<br \/>\nOf course, Vigilante.pw&#8217;s data is not complete.<br \/>\nIt&#8217;s very likely other data breaches haven&#8217;t been picked up by the site, or perhaps any sort of breach notification service.<br \/>\nIndeed, the years-old hack of Myspace only just surfaced in May.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=316aab92ed&#038;e=20056c7556<\/p>\n<p>Time to scale up cyber security to meet emerging threats: Deputy Governor, RBI<br \/>\nNEW DELHI: Banks need to put in place preventive measures such as an appropriate controls framework around the systems, reconciliation of transactions on a real \/ near real time basis, controls over the message creation and transmission, applying timely security patches to the interfaces, if any, close monitoring of transactions and disabling USB, and Internet access on the connected nodes, said R.<br \/>\nGandhi, Deputy Governor RBI at an ASSOCHAM event.<br \/>\n\u201cInformation dissemination is a key facilitator in combating the menace of cyber related incidents.<br \/>\nWhile the Reserve Bank obtains information from banks on cyber incidents, including those which did not fructify into loss of money or information, such information is also shared amongst the banks along with suggestions aimed at best 
practices,\u201d he added.<br \/>\nThe Institute for Development and Research in Banking Technology (IDRBT) also has a system to collate such information and share the generic aspects amongst the CISOs of banks.<br \/>\nAll these, I am sure will help the banks in further enhancing their cyber security related capabilities, said RBI Deputy Governor.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=562fd1e3f2&#038;e=20056c7556<\/p>\n<p>Don&#8217;t use a VPN in United Arab Emirates \u2013 unless you wanna risk jail and a $545,000 fine<br \/>\nA royal edict from the president of the United Arab Emirates (UAE) may have effectively made it illegal for anyone in the country to use a VPN or secure proxy service.<br \/>\nThe tweaked law now reads as follows:<br \/>\nWhoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs 500,000 and not exceeding Dhs 2,000,000, or either of these two penalties.<br \/>\nIn the meantime, if you&#8217;re visiting the UAE, using a VPN or proxy server may be problematic.<br \/>\nThe new law is now in effect, and you may get a knock on the door by the police if you try using one of those services.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=6d6b0205c9&#038;e=20056c7556<\/p>\n<p>Becoming a Global Chief Security Executive Officer<br \/>\nIn this excerpt of Becoming a Global Chief Security Executive Officer: A How to Guide for Next Generation Security Leaders, author Roland Cloutier discusses the primary role of the chief security officer.<br \/>\nNo matter how the position of the CSO develops, there are some basic fundamental concepts and requirements of which each senior security executive should be aware.<br 
\/>\nThis section of the chapter touches on some of these critical concepts to create a baseline expectation to be used when thinking about how you lead, how you manage, and how you drive your own organization.<br \/>\nThese expectations are not just assumed practitioner requirements; they are the expectations of your business in how you carry out and assume these responsibilities, which determine the success you have within your position.<br \/>\nTo Protect<br \/>\nAs a chief security executive, your primary duty is to protect.<br \/>\nCertainly, one can argue that your job has many more functions &#8212; as it most certainly does &#8212; and will continue to grow in the future.<br \/>\nBut that word &#8220;protect,&#8221; that duty of care, the fundamental necessity to protect from harm, is by definition the primary goal of your position.<br \/>\nPrevention of negative impact events against people, businesses, economies, technologies, and markets is why our jobs were created.<br \/>\nBefore you get all charged up and start running out to protect, you need to think about what you are protecting.<br \/>\nWhen I asked some new CSOs what they thought they were protecting, I was surprised by the wide variety of answers I got but was encouraged by not only the inward look but the outward look of what they understood was at stake if they did not do their job.<br \/>\nTo Respond<br \/>\nIn the pure sense of the word, not everything you will respond to will be a crisis.<br \/>\nIn the eyes of those you serve, however, every issue will be a crisis.<br \/>\nTaking away labels, frameworks, and everything else associated with business resiliency and crisis response, the point here is that you need to be (and will be expected to be) the rock of any type of crisis at your business.<br \/>\nDuring critical times, businesses need an authoritative anchor to help sort out the process of responding, remediating, and moving forward.<br \/>\nDon&#8217;t mistake knowing how to manage a 
crisis with knowing how to fix everything or know everything about everything.<br \/>\nThe secret of crisis management is knowing the practitionership of crisis handling.<br \/>\nInevitably, to call in a crisis, you need a 911 operator; rest assured that is you as well.<br \/>\nPart of your crisis preparation must be understanding how to qualify issues, route issues, and escalate them as needed.<br \/>\nThere are three basic things to consider when preparing to be that 911 operator:<br \/>\n1) Methods to Report:<br \/>\n2) Notification and Escalation Mechanisms<br \/>\n3) Issue Classification and Handling Index<br \/>\nThe Business Principals<br \/>\nThe next critical attribute for the next-generation security leader is business acumen.<br \/>\nAs a business operations protection executive, you are required to understand how your business works and how it makes money, and be able to articulate how you support that business and enable it to meet its goals.<br \/>\nA crucial part of business knowledge is understanding profit.<br \/>\nAnother aspect of basic business principles required for the next-generation security executive is to understand the concept of risk versus reward.<br \/>\nThe final component of basic business principles for security executives is the concept that their job is actually to protect the business and not just provide security.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=5b3f666e41&#038;e=20056c7556<\/p>\n<p>The SEC Audit Trail &#8211; Several Industry Groups See Problems as Currently Proposed<br \/>\nLast week, several securities industry groups filed critical responses to the SEC\u2019s plan for an audit trail.<br \/>\nWhile most groups that commented on the SEC\u2019s proposed regulation supported implementing the proposal, several had concerns regarding the cost for investors and firms, and the protection of private data.<br \/>\nThe SEC audit trail, approved for public comment 
on April 27, 2016, is a proposed national market system plan to create a single, comprehensive database that would enable regulators to efficiently track all trading activity in the United States equity and options market.<br \/>\nThe SEC\u2019s proposed audit trail details the methods by which self-regulatory organizations and broker-dealers would record and report information, including the identity of the customer, that would provide a complete lifecycle of all orders and transactions in the U.S. equity and options markets.<br \/>\nWill the SEC revise its audit trail plan?<br \/>\nThe SEC has 120 days from July 18 to approve the plan, but it appears that further revisions might be necessary before approval is granted.<br \/>\nWith several recent cybersecurity threats and hacks, it will be vital that the repository for the audit trail has the highly advanced security measures to protect the markets\u2019 information.<br \/>\nIt will also be important for the plan to detail who will bear the burden of the costs.<br \/>\nThe SEC and other regulators should bear some of that burden since it will be a useful tool for them, but the plan fails to delineate such as currently constructed.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=b603bf2145&#038;e=20056c7556<\/p>\n<p>ISF Updates Security Standard, While Encouraging Accountability<br \/>\nThe Information Security Forum, a not-for-profit association that offers research-based security guidance to a global membership of enterprises, on July 27 issued a major update to its Standard of Good Practice, a guide for meeting the objectives set out by the U.S.<br \/>\nNational Institute of Standards and Technology.<br \/>\nThe updated guide has been restructured into 17 categories and makes it easier to more systematically address four information security life cycles: employment, information (electronic, printed and spoken), hardware and system development.<br \/>\nFrom 
a vertical perspective it&#8217;s also changing.<br \/>\nWhile inherently security-centric verticals once dominated\u2014banking used to represent one-third of membership, but is now one-fourth\u2014membership from verticals such as transportation, manufacturing, retail and utilities is increasing.<br \/>\nWhich Durbin says points to how &#8220;mainstream&#8221; security is, now that everything is cyber-enabled.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=7167ce4c3b&#038;e=20056c7556<\/p>\n<p>* Best practices in cyber vulnerability assessment<br \/>\n* Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? 
An Expert Probes Some of the Issues<br \/>\n* Will Faster Payments Mean Faster Fraud?<br \/>\n* Accenture : Data theft, malware infection big threat to digital businesses<br \/>\n* Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M\/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks<br \/>\n* 2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals<br \/>\n* Twitter Hacking and Social Media\u2019s Risk to Executive Security<br \/>\n* Beyond Data: Why CISOs Must Pay Attention To Physical Security<br \/>\n* $2.7 Million HIPAA Penalty for Two Smaller Breaches<br \/>\n* Using compliance as a tool for change<br \/>\n* In the Breach War, File Protection Is Just as Important as Data<br \/>\n* Data security and breach notification in Finland<br \/>\n* ISO compliance in the cloud: Why should you care, and what do you need to know?<br \/>\n* Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations<br \/>\n* Breach notification reporting can be complicated without proper skills, tools<br \/>\n* Banks must do better on cyber security: KPMG<br \/>\n* Australia gets one-quarter of a minister for national infosec<br \/>\n* The Case for Continuous Security Monitoring<br \/>\n* Arbor Networks Releases Global DDoS Attack Data for 1H 2016<br \/>\n* 5 Best Practices for Outsourcing Cybersecurity<br \/>\n* Most CISOs and CIOs need better resources to mitigate threats<\/p>\n<p>Best practices in cyber vulnerability assessment<br \/>\nHere are the best practices for cyber vulnerability assessment.<br \/>\nFirst and foremost you should have a very clear understanding of why you need a cyber vulnerability assessment.<br \/>\nResearch other companies in your industry.<br \/>\nTo know exactly which parts of your business structure need an assessment, you need to research your company\u2019s processes with a focus on the systems that are critical to keeping your business running.<br \/>\nOnce 
you\u2019ve identified the systems that need an assessment, you should rank them according to both their importance to your overall business model and to the sensitivity of the information they contain.<br \/>\nNow that you know exactly which systems and software need an assessment and how they rank in terms of priority, you should make sure you\u2019re aware of the security systems you already have in place.<br \/>\nIf you\u2019ve completely mapped out both your vulnerabilities and your already-in-place security, and your inter-departmental security task force is in agreement on what\u2019s needed, you\u2019re ready to perform your vulnerability scans.<br \/>\nIf you did your homework on what you needed to assess and also on the vulnerability assessment tool you chose, then you should fully trust the results of your cyber vulnerability assessment and act on them.<br \/>\nDon\u2019t wait.<br \/>\nDon\u2019t second guess.<br \/>\nThe assessment will produce recommendations for remediation that you should act on right now.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=2be92933fb&#038;e=20056c7556<\/p>\n<p>Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? 
An Expert Probes Some of the Issues<br \/>\nA recent Institute for Critical Infrastructure Technology report provided some intriguing thoughts about the pressure facing chief information security officers (CISOs) to keep their organizations secure and how they are combating information and vendor solution overload.<br \/>\n\u201cDue to the plague of APTs, malware, ransomware and other malicious initiatives by invisible adversaries, few C-level executive positions are as critical as the CISO,\u201d Scott writes.<br \/>\nIn a recent report, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank, points out that a well-informed CISO can improve the engagement of the C-suite and improve the cyber posture of the organization.<br \/>\nWhile the report offers a cross-industry perspective of the CISO role and the challenge of vendor solution overload, the report author does spend moments focusing on healthcare organizations, specifically in a section detailing how CISOs can assess the return on investment of cybersecurity solutions.<br \/>\nThe report provides an interesting perspective about the need for CISOs to ignore the hype surrounding \u201csilver bullet\u201d solutions in order to find the most effective cybersecurity solutions and strategies for their particular organizations, but at the same time, the report author also highlights the part that the vendor community plays in this problem.<br \/>\n\u201cIn many cases, CISOs operate under the unrealistic expectation that they should be able to prevent every breach with a finite budget.<br \/>\nThey are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organization,\u201d he writes.<br \/>\nAnd, he asserts that modern CISOs tend to function more as Chief Information Risk Officers, 
managing the risk to data and technology.<br \/>\nAccording to the ICIT report, there is rapid burnout among CISOs, as the average turnover rate is 17 months.<br \/>\n\u201cVendor attempts to offer silver bullet solutions undermine the community at large and poisons the vendor-customer relationship.<br \/>\nThe culture promoting these inadequate solutions distracts CISOs, technical personnel and solution developers from the risks and threats in the threat landscape and it distracts them from designing the right solutions to address the market needs.\u201d<br \/>\nIn the report, the author offers strategic recommendations for calculating a cybersecurity solution\u2019s ROI and uses a healthcare organization as an example.<br \/>\nThe ROI of security solutions can be equated to the fiscal component of the impact that the organization would assume if an adversary exploited the vulnerability that the solution addresses, the author writes.<br \/>\nThe report concludes with statistics sourced from the Economist Intelligence Unit that indicate proactive CISO-led strategies can cut the success rate of cyber-breaches by more than 50 percent, hacking successes by 60 percent and ransomware infections by 47 percent.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=f6139b0ad7&#038;e=20056c7556<\/p>\n<p>Will Faster Payments Mean Faster Fraud?<br \/>\nCrowe contends that to ensure global payments interoperability, faster payments are a necessity.<br \/>\nThe U.S. 
will soon be at a competitive disadvantage if it does not enable faster payments, she argues.<br \/>\nParry says the most fundamental risk to payments is poor identity management.<br \/>\nAnd it&#8217;s a legitimate concern.<br \/>\nAfter all, poor identity management apparently enabled hackers to steal $81 million from the central bank of Bangladesh in February, as part of a fraudulent transaction that was approved by the Federal Reserve Bank of New York.<br \/>\nAnd in a real-time or near-real-time environment, once the money is gone, it&#8217;s gone.<br \/>\nUnlike in the United Kingdom, Australia and other economically advanced parts of the world, faster payments are not the norm in the U.S.<br \/>\nCrowe declined to touch the interchange issue. &#8220;Cost is not the No. 1 worry for the Fed when it comes to faster payments,&#8221; she noted during the summit.<br \/>\nThe top concern, she says, is &#8220;a faster process that is still secure for business.&#8221;<br \/>\nThe Secure Payments Task Force&#8217;s goals differ from the goals of the Faster Payments Task Force.<br \/>\nAnd the Secure Payments Task Force has identified four areas that must be addressed to ensure the ongoing security of the payments system in the U.S. 
going forward.<br \/>\nFaster payments will be part of that, but not all.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=d263a9cb23&#038;e=20056c7556<\/p>\n<p>Accenture : Data theft, malware infection big threat to digital businesses<br \/>\nThe new report from Accenture and HfS Research says that 69 percent of respondents experienced an attempted or successful theft or corruption of data by insiders during the prior 12 months, with media and technology organizations reporting the highest rate (77 percent).<br \/>\nThis insider risk will continue to be an issue, with security professionals&#8217; concerns over insider theft of corporate information alone rising by nearly two-thirds over the coming 12 to 18 months.<br \/>\nThe survey, &#8220;The State of Cyber security and Digital Trust 2016&#8221;, was conducted by HfS Research on behalf of Accenture.<br \/>\nMore than 200 C-level security executives and other IT professionals were polled across a range of geographies and vertical industry sectors.<br \/>\nThe survey examined the current and future state of cyber security within the enterprise and the recommended steps to enable digital trust throughout the extended ecosystem.<br \/>\nThe findings indicate that there are significant gaps between talent supply and demand, a disconnect between security teams and management expectations, and considerable disparity between budget needs and actual budget realities.<br \/>\nDespite having advanced technology solutions, nearly half of all respondents (48 percent) indicate they are either strongly or critically concerned about insider data theft and malware infections (42 percent) in the next 12 to 18 months.<br \/>\nWhen asked about current funding and staffing levels, some 42 percent of respondents said they need more budget for hiring cyber security professionals and for training.<br \/>\nMore than half (54 percent) of respondents also indicated that 
their current employees are underprepared to prevent security breaches and the numbers are only slightly better when it comes to detecting (47 percent) and responding (45 percent) to incidents.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=503e4c03e0&#038;e=20056c7556<\/p>\n<p>Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M\/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks<br \/>\nTORONTO&#8211;(BUSINESS WIRE)&#8211;Despite acute awareness of the millions of dollars in annual costs, and the business risks posed by external internet threats, security leaders highlight the lack of staff expertise and technology as a key reason that these attacks are unchecked, according to results from a new Ponemon Institute study sponsored by BrandProtect.<br \/>\nSeventy-nine percent of the IT and IT security practitioners polled indicated their defensive infrastructure to identify and mitigate those threats is either non-existent, ad hoc or inconsistently applied throughout the enterprise.<br \/>\nThe findings reveal that the companies represented in this research averaged more than one cyber attack per month and incurred annual costs of approximately $3.5 million because of these attacks.<br \/>\nThe report \u201cSecurity Beyond the Traditional Perimeter,\u201d sponsored by internet risk detection and mitigation expert BrandProtect, examined the threats, costs and responses of companies to external internet cyber attacks.<br \/>\nThese threats include executive impersonations, social engineering exploits, and branded attacks arising outside a company\u2019s traditional security perimeter.<br \/>\nSecurity professionals cited an acute need for expertise, technology, and external services to address their growing concerns about these external threats.<br \/>\nSome of the key findings include:<br \/>\n&#8211; Fifty-nine percent of respondents say the protection of intellectual 
property from external threats is essential or very important to the sustainability of their companies.<br \/>\n&#8211; External internet attacks are frequent and the financial costs of these attacks are significant.<br \/>\nRespondents in this study report they experienced an average of 32 material cyber attacks or slightly more than one per month, costing their companies an average $3.5 million annually.<br \/>\n&#8211; Seventy-nine percent of respondents described their security processes for internet and social media monitoring as non-existent (38 percent), ad hoc (23 percent) or inconsistently applied throughout the enterprise (18 percent).<br \/>\n&#8211; Sixty-four percent of security leaders (directors or higher) feel that they lack the tools and resources they need to monitor, sixty-two percent lack the tools and resources they need to analyze and understand, and sixty-eight percent lack the tools and resources they need to mitigate external threats.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=53f9c760ec&#038;e=20056c7556<\/p>\n<p>2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals<br \/>\nGULF BREEZE, Fla., July 19, 2016 (GLOBE NEWSWIRE) &#8212; via PRWEB &#8211; Necurs is back with a vengeance, according to the security research team at AppRiver.<br \/>\nIn its Q2 Global Security Report, the company notes that the infamous botnet&#8217;s return was one of the major reasons behind the escalation in malware activity&#8211;which clocked in at 4.2 billion malicious emails and 3.35 billion spam emails between April 1, 2016, and June 30, 2016.<br \/>\nFor the first time, the report also includes metrics from Web-borne threats, reporting an average of 43 million unique threats daily throughout the second quarter.<br \/>\nAppRiver&#8217;s security analyst team quarantined 4.2 billion emails containing malware in Q2, pointing to a continued increase in malware traffic this year and resulting 
in a total of 6.6 billion emails quarantined during the first half of 2016.<br \/>\nFor comparison, analysts observed 1.7 billion emails containing malware during all of 2015.<br \/>\nRansomware levels, as predicted in the Q1 Global Security Report, have increased this quarter&#8211;and arguably pose the greatest threat to netizens.<br \/>\nAppRiver&#8217;s security researchers predict that the massive volume of malware isn&#8217;t likely to subside anytime soon.<br \/>\nWith the likes of Locky and Zepto kidnapping users&#8217; files until they pay a ransom, malware&#8211;especially ransomware&#8211;has become a business of its own.<br \/>\nThe popular channels that malware, like ransomware, travels through include obfuscated JavaScript, malicious macros, and OLEs (Object Linking and Embedding).<br \/>\nFifty-five percent of spam and malware traffic originated in North America, with Europe coming in second place.<br \/>\nAdditionally, AppRiver&#8217;s SecureSurf\u2122 Web filtering detected a spike in phishing attempts in June.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=b6a3fa644f&#038;e=20056c7556<\/p>\n<p>Twitter Hacking and Social Media\u2019s Risk to Executive Security<br \/>\nThe use of social media as a means for targeting victims \u2013 whether through phishing or social engineering scams \u2013 is nothing new.<br \/>\nHowever, in the past month or so we\u2019ve seen a new trend in threat actors\u2019 tactics: hacking high-profile executives\u2019 social media accounts with the purpose of publishing embarrassing and controversial posts.<br \/>\nThis was recently seen in the Twitter hacks of Twitter co-founder Jack Dorsey, Yahoo CEO Marissa Mayer, Google CEO Sundar Pichai, and Oculus CEO Brendan Iribe.<br \/>\nExecutives can do a number of things to help minimize the risk of exploitation, including:<br \/>\n&#8211; Invest in a Monitoring Service<br \/>\n&#8211; Use Multi-Factor Authentication<br 
\/>\n&#8211; Remove Geo-Location Data<br \/>\n&#8211; Limit Personal Information Disclosure<br \/>\n&#8211; Verify Online Content<br \/>\n&#8211; Do Not Reuse Passwords<br \/>\n&#8211; Create Official and Verified Accounts<br \/>\n&#8211; Use Separate Accounts<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=7e3e14abf8&#038;e=20056c7556<\/p>\n<p>Beyond Data: Why CISOs Must Pay Attention To Physical Security<br \/>\nIT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats.<br \/>\nIT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.<br \/>\nTechnology professionals need to get back to basics.<br \/>\nWhile it\u2019s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer.<br \/>\nSecurity must be considered at every step, even when no networked communication is taking place.<br \/>\nDespite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access.<br \/>\nOrganizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder.<br \/>\nBy unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=07c56dadde&#038;e=20056c7556<\/p>\n<p>$2.7 Million HIPAA Penalty for Two Smaller Breaches<br \/>\nIn the wake of two 2013 breaches that affected 
a total of 7,066 individuals, Oregon Health &#038; Science University says it will pay $2.7 million in a HIPAA settlement with federal regulators that includes a three-year corrective action plan.<br \/>\nThe first incident, which impacted 4,022 individuals, involved an unencrypted laptop that was stolen from a surgeon&#8217;s vacation rental home in Hawaii in February 2013 (see Stolen Laptops Lead Breach Roundup).<br \/>\nThe second 2013 breach, which affected 3,044 individuals, involved OHSU&#8217;s use of a cloud-based storage service without a business associate agreement, OHSU says.<br \/>\nSo far in 2016, two other HIPAA settlements also focused on the absence of business associate agreements.<br \/>\nThose include a $1.55 million settlement in March with North Memorial Health Care and a $750,000 settlement in April with Raleigh Orthopaedic Clinic, P.A. of North Carolina.<br \/>\nAlso, since 2008, OCR has issued several resolution agreements with covered entities related to breach investigations stemming from the theft or loss of unencrypted mobile computing devices and storage media.<br \/>\nOne of the largest such settlements was a $1.7 million OCR resolution agreement with Alaska Department of Health and Human Services in 2012 over a 2009 breach involving a stolen USB drive containing protected health information of only 501 people.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=51ba4f9dd7&#038;e=20056c7556<\/p>\n<p>Using compliance as a tool for change<br \/>\nOne of my guiding principles is that compliance does not equal security.<br \/>\nCompliance isn\u2019t a true representation of how well companies use security to protect themselves.<br \/>\nIt can be little more than checking all the boxes and telling the auditors what they want to hear.<br \/>\nAfter all, many compromised banks were PCI-compliant, and several breached healthcare organizations were compliant with HIPAA.<br \/>\nUsing 
compliance shortfalls to upgrade our security practices isn\u2019t unusual.<br \/>\nLast year, I was able to use compliance to justify several initiatives, including signing up for a service and buying associated tools that will allow us to establish baseline security configurations for technology assets such as Linux, Windows, Apache, Oracle and firewalls.<br \/>\nAnd relying on findings from our PCI audit related to encryption, I was able to deploy BitLocker for Windows PCs and FileVault for Apple Macs.<br \/>\nPCI regulations state that all credit card information that is stored must be encrypted, and such information can show up anywhere in our company, since many of our employees assist customers, who often provide credit card and other sensitive data even though we advise against it.<br \/>\nSo now we\u2019re enforcing encryption for 100% of our company-owned PCs.<br \/>\nSuch widespread use of encryption has a beneficial side effect, since many states now provide a \u201csafe harbor,\u201d meaning that a company that has been breached might not have to notify customers and provide breach remediation services if all the data involved was encrypted.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=f0466b1bde&#038;e=20056c7556<\/p>\n<p>In the Breach War, File Protection Is Just as Important as Data<br \/>\nEarlier this year, the Federal Deposit Insurance Corp. 
(FDIC) narrowly avoided disaster when sensitive information for 44,000 agency customers was stored without proper security measures\u2026on a personal storage device.<br \/>\nIn what was coined an \u2018inadvertent data breach,\u2019 a former staffer left the agency with the device, and lucky for the FDIC, returned it without incident three days later.<br \/>\nNot all financial services organizations or payment companies would fare so well.<br \/>\nAccording to the 2015 State of File Collaboration Security report by Enterprise Management Associates, 75% of IT and infosec professionals at mid-tier enterprises expressed a high or very high level of concern about sensitive, regulated or confidential data leakage due to inappropriate file sharing or unauthorized access.<br \/>\nFully half said there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential, or regulated information.<br \/>\nA whopping 84% had a moderate or total lack of confidence in their organization\u2019s file security monitoring, reporting and policy enforcement capabilities.<br \/>\nEmerging file security solutions aimed at reducing file mishandling and collaboration data leakage risks address this gap with strong file encryption and usage controls that, once applied, persist for the life of the file, including after it traverses to various networks, recipients and devices.<br \/>\nPast information rights management (IRM) solutions were costly, often tied to specific applications or required specific infrastructure to fu<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.] And so, now the news * Are Data Breaches Becoming More Common? 
* Time to scale up cyber security to meet emerging threats: Deputy Governor, RBI * Don&#8217;t&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-2498","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2498","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2498"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2498\/revisions"}],"predecessor-version":[{"id":4985,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2498\/revisions\/4985"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2498"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}