Healthcare finance tips for safeguarding against cyberattacks

Premera hack puts renewed focus on securing sensitive healthcare info.

As Tuesday’s news about the Premera Blue Cross hack shows, healthcare organizations are vulnerable to cyberattacks, and the fix can be costly.

“The average Fortune 500 company budgets $44 million a year for security, including networking and all other aspects,” said Larry Ponemon, chairman of the Ponemon Institute, a research center focused on data security. “(Most) hospitals have less than a million to budget on cyber security.”

Already, at least two class action lawsuits have been brought against insurer Anthem, which saw a major data breach in January affect 80 million people. There’s also the cost to the health plan’s reputation and the logistics of notifying 80 million customers, Ponemon said. It’s still unknown what will come after 11 million people’s information was accessed in the Premera hack.

Until Anthem’s hack in January, high-profile security breaches had centered on large retailers such as Target and Home Depot.

This doesn’t mean healthcare organizations have been sitting on their hands believing it can’t happen to them, Ponemon said. A survey of 91 healthcare organizations in 2013 showed that 90 percent experienced at least one data breach that year.

“Even if a hospital is reasonably secure, it may not be enough in this world,” he said.

Medical records are extremely valuable on the black market, Ponemon said. They contain Social Security numbers, health ID numbers, addresses and possibly credit or debit card information – everything needed to create a fake identity.

“Basically it’s a rich data source for bad guys,” he said, such as terrorists seeking travel credentials.

The hackers may wait months and years before exploiting the data, he said.

“This is where we see the most serious ID theft crimes,” he said. “A lot of the 80 million will become identity theft victims.”

Ponemon was in the intelligence field for 45 years prior to founding the Ponemon Institute 14 years ago.

HITRUST, the Health Information Trust Alliance, works with healthcare organizations to improve their data security. It has partnered with the U.S. Department of Health and Human Services to conduct monthly briefings on cyber threats relevant to the healthcare industry, and to share best practices for defense and response.

HITRUST offers healthcare organizations an alerting system for cyber threats targeted at the industry. The C3 Alert is coordinated with the Healthcare and Public Health Sector and Government Coordinating Councils, according to HITRUST chief executive and founder Daniel Nutkis.

What hospitals can do:

  • As most security breaches are due to human error, maintain a good data structure to prevent data leakage, Ponemon said.
  • Encrypt data. The Wall Street Journal reported Anthem did not encrypt the personal data of its customers.
  • Ban the use of personal devices for storing patient information. Some doctors routinely send clinical records through personal e-mail, their own smartphones or tablets.
  • Rent a network intelligence system instead of buying one, Ponemon advises. It’s secure.
  • Collaborate with partners on exchanging information during and after a cyberattack, according to the National Institute of Standards and Technology’s 2014 “Draft Guide to Cyber Threat Information Sharing.” While this may seem counter-intuitive, providers need to learn the types of systems and information being targeted and the techniques used to gain access.
  • Use standard data formats to facilitate interoperability and fast information exchanges, NIST recommends.

SurveilStar is employee monitoring and parental control software that can help monitor computer activities and protect data security. It can also block file uploading and sharing to prevent data leakage. Features include:

  • View Real-time Screen Snapshot
  • Monitor Skype or Other Chat/IM Activity
  • Record Emails
  • Track web browsing history
  • Block access to any website
  • Remote PC Maintenance
  • Program Activity

If you would like to record and control your children’s or employees’ activities on a work PC, SurveilStar Monitoring would be your best choice.

A 30-day free trial version of this professional computer monitoring and tracking software is available. Feel free to download it and check what your employees and children have done on the PC.

Reference: http://www.healthcarefinancenews.com/

Banking Sector Leads In Global Data Leakage – Infowatch Report

The banking and financial services industry is at high risk for data leakage, accounting for over 40 per cent of leaked personal data globally, according to the Infowatch Global Data Leakage Report 2014.

Infowatch Group is the global leader in data leakage protection solutions.

Its Chief Executive Officer, Natalya Kaspersky, said the industry was involved in the leakage of 313 million personal data records, attributed to 135 cases reported last year.

“Although the healthcare segment recorded a higher number of cases, the personal data compromised were much lower in volume, at 58 million, compared to the banking and finance sector,” she said during her presentation via webinar today.

She said the type of data breached was led by information breach, followed by data fraud and exceeding access rights.

The way data was being leaked was also changing, she said, from the traditional paper or hard copy to a more sophisticated way through browsers and cloud.

Kaspersky said data leakage might soon overtake other threats when it comes to financial and reputation damage to an organisation.

“It is consumers who are being put at risk when organisations do not put enough precautions in place to prevent leaks, as the report revealed that 92 per cent of information leaked is personal data,” she added.

Meanwhile, Infowatch Asia Pacific/Malaysia Regional Head, Renga Nathan, said awareness of the importance of data leakage protection in Malaysia was still very low, probably due to the lack of enforcement of the Personal Data Protection Act.

“In Malaysia, the penetration of such solutions is only about ten per cent, while in the banking sector only 30 per cent have that kind of protection,” he said.

However, there has been increasing awareness, with more organisations now allocating budget to extend their data protection to leakage-prevention solutions.

Reference: http://www.bernama.com.my/

5 IT Shortcuts That Put Your Company’s Data at Risk

IT departments looking to save time and money shouldn’t be doing so at the expense of their data protection. A study from the University of Texas revealed that 43% of companies suffering from catastrophic data loss close and never reopen, and 51% close within two years.

Backup solutions provider Unitrends warns IT professionals about five common data protection shortcuts that could put their company’s data — and even their jobs — at risk.

Ignoring Hardware Failures

Hardware failures are the leading cause of data loss. Most IT professionals do not ignore failing hardware outright, but many overlook the fact that certain backup media have high failure rates, such as tape, or a SAN or NAS device that serves as both the source and the target of a backup, so that one device failure takes out the data and its only copy together. To reduce the risk, move data from primary storage to a separate, secondary storage device. Disk-to-disk backup is the best approach: it is more reliable than tape and still yields a physically separate secondary copy that can survive hardware and system failures.

Trusting Co-workers to Follow Policies

The reality is that employees aren’t always great at following company policies, and even when they do, mistakes still happen. The best defenses against human error are automation and retention. Automation enables automatic execution and strict enforcement of created policies and procedures, and retention enables data recovery, regardless of whether the data loss is noticed right away or weeks later.

Underestimating Cybercriminals

By now, most companies have at least basic security solutions, such as firewalls and anti-virus software, in place to defend against malware. But cybercriminals are becoming very adept at breaking through traditional cyberdefenses. IT professionals should evaluate their infrastructure, identify areas of vulnerability and implement advanced security solutions to overcome them. These solutions include web monitoring software for safe Internet usage, endpoint protection for bring-your-own-device management and a sandbox to fight targeted attacks. From a backup perspective, the best approach is to operate backup and disaster-recovery solutions on a non-Windows operating system. Windows has long been one of cybercriminals’ favorite targets, and running protection software on an operating system that is relentlessly under attack just doesn’t make sense.

Playing the Odds

Despite data-loss horror stories, many companies still don’t have disaster-recovery plans in place to protect information from natural and man-made disasters. And many of the companies that do have set plans have just one general set of guidelines that apply to all disaster situations. A strong plan focuses on people, infrastructure and processes, and clearly outlines how each is affected in different disaster scenarios.

Failing to Test Disaster-Recovery Plans

Failure to test disaster-recovery plans, or testing them on an infrequent basis, can greatly increase the risk of data loss in the event of a disaster. Since IT infrastructure evolves daily, thorough testing must be done on a consistent schedule that allows it to be adopted as yet another standard business practice.
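Three of the points above (a backup target physically separate from the source, automation with retention so that late-noticed loss is still recoverable, and a restore test run on a schedule) fit together in one short tool. The block below is an added illustration written for this page; it is not Unitrends’ code or anything from the article. The directory layout (one generation per `target/<label>/` with a `<label>.manifest.json` beside it), the SHA-256 manifest and the constructed sample tree are assumptions made for the example.

```python
"""Disk-to-disk backup with manifests, retention and a restore test.

Added illustration; not code from Unitrends or the article. Assumed layout:
target/<label>/ holds one generation, target/<label>.manifest.json its digests.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

MANIFEST_SUFFIX = ".manifest.json"


def sha256_file(path):
    """Stream the file through SHA-256 so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> digest for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def list_generations(target):
    """Generation directories under target, oldest first (labels sort)."""
    return sorted(d for d in os.listdir(target)
                  if os.path.isdir(os.path.join(target, d)))


def run_backup(source, target, label=None, keep=3):
    """Copy source to target/<label>, write its manifest, prune to `keep` (>= 1).
    Refuses a target inside the source tree: that is the 'one device is both
    source and target' mistake the text warns about."""
    src, dst = os.path.abspath(source), os.path.abspath(target)
    if os.path.commonpath([src, dst]) == src:
        raise ValueError("backup target must be outside the source tree")
    label = label or time.strftime("%Y%m%dT%H%M%S")
    os.makedirs(dst, exist_ok=True)
    gen = os.path.join(dst, label)
    shutil.copytree(src, gen)
    with open(gen + MANIFEST_SUFFIX, "w") as f:
        json.dump(build_manifest(gen), f, sort_keys=True)
    # Retention: automatically drop the oldest generations beyond `keep`.
    for old in list_generations(dst)[:-keep]:
        shutil.rmtree(os.path.join(dst, old))
        os.remove(os.path.join(dst, old) + MANIFEST_SUFFIX)
    return gen


def verify_generation(gen):
    """Recompute a stored generation's digests against its manifest and
    return the files that changed, vanished or appeared (media bit rot)."""
    with open(gen + MANIFEST_SUFFIX) as f:
        expected = json.load(f)
    actual = build_manifest(gen)
    return sorted(p for p in set(expected) | set(actual)
                  if expected.get(p) != actual.get(p))


def restore_test(gen):
    """Exercise the restore path into a scratch directory and check the
    result against the manifest; a backup never restored is a hypothesis."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        restored = os.path.join(scratch, "restored")
        shutil.copytree(gen, restored)
        with open(gen + MANIFEST_SUFFIX) as f:
            return build_manifest(restored) == json.load(f)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo():
    """Constructed sample tree (not real data): four backups, keep three,
    then simulate silent corruption on the backup medium."""
    work = tempfile.mkdtemp(prefix="bkp-demo-")
    source, target = os.path.join(work, "source"), os.path.join(work, "target")
    os.makedirs(os.path.join(source, "records"))
    with open(os.path.join(source, "records", "patient.txt"), "w") as f:
        f.write("constructed sample record\n")
    gens = [run_backup(source, target, label=f"gen{i}") for i in range(1, 5)]
    kept = list_generations(target)        # ["gen2", "gen3", "gen4"]
    ok = restore_test(gens[-1])             # True
    with open(os.path.join(gens[-1], "records", "patient.txt"), "a") as f:
        f.write("bit rot\n")
    damaged = verify_generation(gens[-1])   # ["records/patient.txt"] on POSIX
    shutil.rmtree(work, ignore_errors=True)
    return kept, ok, damaged


if __name__ == "__main__":
    print(demo())
```

In practice `run_backup` would be driven by a scheduler rather than a person, `restore_test` and `verify_generation` would run on their own schedule against a generation chosen at random, and a failure in either is the signal that the plan needs revisiting before a real disaster tests it for you.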

Reference: http://mashable.com/

Companies did not learn from LuxLeaks

Nearly three months after the first LuxLeaks report was published for Luxembourg, companies are still leaving themselves vulnerable to data breaches, suggest two Allen & Overy Senior Associates.

LuxLeaks

Senior Associate in Employment Law Gilles Dall’Agnol has keenly observed the reactions of companies to the two reports, which revealed tax agreements between international companies and Luxembourg arranged by the Big Four accounting firms.

“I think that LuxLeaks, for all its negative consequences, has had the effect of increasing awareness about the topic of data security,” he said.

As a result of the scandal, he says he expects to see the role of information security officers strengthened, along with the introduction of specific policies and mechanisms, such as whistleblowing structures. Meanwhile, he says companies will be more reluctant to outsource data security responsibilities.

However, Catherine Di Lorenzo, Allen & Overy Senior Associate in IP/IT and data protection law, said that many companies are failing to address a key question when securing tangible evidence of a data breach: are they authorised to monitor or screen employees’ emails?

“With respect to such screening, probably the most important part you have to know is that screening qualifies as employee monitoring which is only permissible if certain data protection rules have been complied with,” Ms Di Lorenzo explained, adding: “The data protection steps cannot be retroactively applied, which means if you’ve a suspicion to do with an email in which client data might have been sent, as you did not comply with data protection rules, the employer cannot simply go and screen the employee’s account.”

A company carrying out monitoring while having failed to comply with these rules exposes itself and its managers to criminal liability. In addition, evidence collected in this way is likely to be considered inadmissible in court.

This means, in other words, that a dismissal of an employee based solely on evidence collected in this way is likely to be ruled as abusive.

“If a company has not complied with the data protection rules, it should not even be carrying out a screening as this would itself qualify as a criminal offence. If the company does the screening anyway and finds something, it will most likely not be able to use it.

“It’s a disaster if you find yourself in such a situation,” Ms Di Lorenzo said, adding: “Compliance with data protection rules costs just one or two days’ work. But it is simply an element of corporate housekeeping everybody has neglected for a long time.”

Mr Dall’Agnol adds that in many such cases, companies have no choice but to make a criminal complaint without carrying out screening or employment law sanctions, and to leave it to the prosecutor to find the evidence.


Reference: http://www.wort.lu/

Employee and customer privacy in an era of ‘Big Data’ monitoring

Exploring the challenges of real-time data monitoring and the role that legal plays in striking the right balance.

In the second article of this three-part series, we outlined how data analytics is an emerging tool that organizations are employing to detect hidden and emerging compliance and legal risks in their data. Now, we will explore the challenges of real-time data monitoring in an era of Big Data, and the role that legal plays in striking the right balance for the organization.

Prudent risk management or Big Brother?

It’s no surprise that the National Security Agency’s surveillance of social media sites and telecommunications, and several recent high-profile data breaches, are fueling an environment of mistrust regarding how companies collect and use the personal information of their customers and employees.

At the same time, organizations are looking to accelerate their monitoring, collection and analysis of data not only to gather business intelligence but also to improve risk management and data security practices. That means greater scrutiny of both the organization’s networks and its employees. And as organizations move toward true real-time monitoring of their employees’ every electronic move, legal has a role to play in managing the risks associated with these monitoring activities.

The right to privacy

Does a right to privacy exist in the age of Big Data? Legally, the answer depends in large part on your geographic location. In many foreign jurisdictions, most notably the EU, privacy has been elevated to a human right. However, there are no comparable U.S. laws. And although the U.S. Supreme Court has ruled that the Constitution protects individuals against government intrusion, in the U.S. employees do not have a general right to privacy from employers’ monitoring of data on the employer’s own networks and devices.

The focus in the U.S. thus far has been on consumer privacy rights, not employee rights. On the federal level, the Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, Gramm-Leach-Bliley Act and Children’s Online Privacy Protection Act are just a few of the laws that regulate data collection and management practices; in some cases, those laws may affect employees’ data. Enforcement agencies like the Federal Trade Commission, Consumer Financial Protection Bureau, and state attorneys general have brought enforcement actions against companies that fail to protect consumers’ personal information. Organizations can expect increased regulation and enforcement to continue on both the federal and state fronts.

Privacy in the workplace

In contrast to the increased attention on consumer privacy, employees currently are entitled to little privacy when it comes to their activities at work. Employers already have a right to, and in fact do, monitor employee behavior on an organization’s network and devices. But much of this monitoring is theoretical — employers generally do so only when they are alerted to potential problematic conduct. That dynamic is rapidly fading into obscurity.

With the proliferation of mobile devices and social media, the line between business and personal is increasingly blurred. Employees use personal devices and social media accounts for work, and use those same devices and accounts for personal activities. As organizations increase real-time monitoring of employee activity to manage risk and to meet the challenges of data security, they are on a potential collision course with the as-yet uncharted territory of employee privacy. We have already seen this increased risk of data monitoring in National Labor Relations Board rulings restricting the monitoring of employee activity on social media sites not sponsored or controlled by the organization. We can expect additional restrictions where the line between personal and business information is blurred (such as BYOD).

Effective privacy and usage policies

At present, the best way to minimize the risks of real-time data monitoring is for legal to establish clear data-related policies and procedures that provide guidance to employees about the organization’s rights to collect, use, retain and monitor data on its networks, devices and websites. They should have senior-management buy-in and reflect the organization’s corporate values and principles. Policies should reflect the following:

  1. Ownership: Confirm to all employees that the organization owns any and all business data in any form — and has the right to access and protect that data — even if stored on personal devices.
  2. No expectation of privacy: Employees should be notified that they have no reasonable expectation of privacy with respect to any systems or devices used to store business data or to access the organization’s systems.
  3. Monitoring: Inform employees that they are being monitored, specify the type of monitoring that you are using and explain the business purpose for that monitoring.
  4. Acceptable use: Define the acceptable use of company networks, email and devices, including whether and when employees may use company systems for personal reasons and the consequences of such use.
  5. Personal devices: If employees are permitted to use personal devices for work, have clear policies on the applications authorized for business activity, and provide technologies that, to the extent possible, separate business from personal information. Also, require employees to turn over those mobile devices for examination when the employee leaves her employment or if the organization has reason to believe the employee is storing business data on that device outside of what is permitted by policy.
  6. Prohibited technologies: Instruct employees regarding the forms of communication, applications and websites that may not be used for business purposes.
  7. Enforce policies: Inform employees of the consequences of failing to abide by company policy and enforce those consequences for policy violations. Consider periodic attestations from employees that they understand and are abiding by these policies.

Know your organization and its data

As a result of changes in technology, communication channels, and the legal and regulatory environment, the landscape of data risk management is in a tremendous state of flux. It is incumbent upon legal to lead the development of data management practices, ensuring that it properly analyzes and weighs the legal and regulatory risks and that their policies are consistent with the corporate culture and business needs.


Reference: http://www.insidecounsel.com/

Identity Finder 8 Aims to Classify Sensitive Data

Data loss prevention should start with one question: Where is the sensitive data?

Identity Finder announced Feb. 12 the release of its 8.0 platform, which includes a new dynamic classification system and sensitive data watch capabilities. The Identity Finder platform enables enterprises to identify sensitive information in order to take the appropriate steps to prevent data loss or leakage.

“With this release, we’re focused on more than just DLP [data loss prevention],” Todd Feinman, CEO of Identity Finder, told eWEEK. “We’re now focused on more of the entire life cycle of sensitive data management.”

Feinman said that Identity Finder is properly classified as a sensitive data management vendor. With the Identity Finder 8 release, the platform includes data discovery, classification, monitoring and protection capabilities. On the discovery piece, Identity Finder 8 now includes a dynamic classification system that expands on where the platform is able to search for data and what types of data it is able to find.

The dynamic classification system is performed in real time. Feinman explained that there is a Windows service that runs in the background, and when new data is saved to the hard drive, the service immediately does a check to analyze and classify the data. The service can be used to monitor data written to a network file share server as well.

The classification data is aggregated to a sensitive data management console for centralized reporting across an enterprise.

“The console provides full insight into everything, even if the data is only stored on one user’s desktop or on a file server,” Feinman said.

From a protection perspective, the Identity Finder console has an API that can potentially be leveraged by other technologies to understand which data is sensitive. Feinman noted that Identity Finder does partner with endpoint security product vendors. In particular, he said that Identity Finder can be leveraged by encryption vendors to help identify the sensitive information that needs to be encrypted in an enterprise.

If, for example, an enterprise using Identity Finder discovers data that has a Social Security number (SSN) in it, there are several steps taken that can help protect against the data’s loss, though actually blocking transmission of the data is not part of the platform. There is an overlay icon that shows up on the user’s desktop that will identify to the user that a given piece of data has sensitive information in it, like the SSN, according to Feinman.

“We don’t have a technology that prevents the user from attaching the sensitive document to an email that leaves the organization,” he said. “That’s where traditional DLP products work differently from us.”

Feinman said that Identity Finder isn’t trying to block the email message with the SSN in it, but rather is trying to change user behavior, so users understand what data is sensitive.

“Our real hope is that employees start to think about the sensitive data they have on their computers that might be a risk,” he said. “We want to help make users aware of the data that’s on their system through the data classification process.”
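Discovery and classification of the kind described above, as an added example written for this page (it is not Identity Finder’s code and assumes nothing about that product beyond what the article says): walk a directory, flag files containing SSNs or payment card numbers, and return a per-file report of the sort a central console would aggregate. The detail that makes such a scanner usable is validation: SSN candidates are checked against the Social Security Administration’s issuance rules (area 000, 666 and 900-999 never issued; group 00 and serial 0000 invalid) and card candidates against the Luhn checksum, so arbitrary digit strings such as ticket numbers are not flagged. The regexes, the validation rules as coded here and the constructed sample files are assumptions for the illustration; a real-time variant would call `classify_text` from a file-write hook instead of a walk.

```python
"""Sensitive-data discovery and classification over a directory tree.

Added example; not Identity Finder's code. Constructed sample files are
written to a temporary directory so the demo runs offline.
"""
import os
import re
import shutil
import tempfile

# SSN candidate: 3-2-4 digits, optional '-' or ' ' separators, not part of a
# longer digit run (the lookarounds stop "123456789012" from matching).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Card candidate: 13-19 digits with optional single separators between them.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def is_valid_ssn(area, group, serial):
    """SSA issuance rules: area 000/666/900-999 never issued; group 00 and
    serial 0000 are invalid. Cuts most random 9-digit false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text):
    """Count validated SSN and card-number hits in a piece of text."""
    ssn = sum(1 for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups()))
    pan = sum(1 for m in PAN_RE.finditer(text)
              if luhn_ok(re.sub(r"[ -]", "", m.group(0))))
    return {"SSN": ssn, "PAN": pan}


def scan_tree(root, max_bytes=1 << 20):
    """Walk root and return {relative path: findings} for every file with at
    least one validated hit. Unreadable files are skipped; only the first
    max_bytes of each file are inspected, decoded leniently as UTF-8."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    text = f.read(max_bytes).decode("utf-8", "ignore")
            except OSError:
                continue
            hits = classify_text(text)
            if any(hits.values()):
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Constructed sample files (not real data) exercising the validators."""
    root = tempfile.mkdtemp(prefix="sdm-demo-")
    samples = {
        "patient.txt": "Name: J. Doe\nSSN: 219-09-9999\nOld/invalid: 000-12-3456\n",
        "orders.csv": "id,card\n1,4111 1111 1111 1111\n2,1234-5678-9012\n",
        "readme.txt": "Ticket 1234567890123 (13 digits, fails Luhn); phone 555-0199\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    report = scan_tree(root)   # patient.txt -> 1 SSN, orders.csv -> 1 PAN
    shutil.rmtree(root, ignore_errors=True)
    return report


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {hits}")
```

`readme.txt` is the case that matters: its 13-digit ticket number passes the card regex but fails Luhn, and its phone number never forms a 3-2-4 pattern, so the file is not reported. Without that validation a scanner of this kind drowns its console in false positives and the overlay icon the article describes stops meaning anything to users.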


Reference: http://www.eweek.com/