Data Security or Data Privacy? The Challenges of Regulating Personal Data

Data is a company’s greatest asset, but it can also be an Achilles’ heel when regulatory compliance isn’t met.

Although data security policies are proliferating in response to the increased prevalence of cybercrime, laws dictating how companies may control and use user data lag behind. Policies surrounding data privacy have traditionally been under-prioritized, with many legal firms not understanding the distinction between data security and data privacy. Matters are compounded further when regional variances in data policy come into play.

Defining Data

How data is handled depends on how it is defined: the law distinguishes between what is considered “sensitive” data and “personal” data.

Personal data is defined as any information that can identify an individual directly or indirectly. Sensitive information is a subset of personal data, defined as information that can only be taken and collected locally if mandated by law. Personal data is more tightly regulated and the focus of most privacy legislation.

Privacy Regulations

Keeping compliant with personal data privacy regulations becomes a significant challenge when international business enters the picture. Legal requirements protect personal data from being collected, used, processed, shared, or transferred in specific global and regional jurisdictions.

“…If you run legal operations of a company in the U.S., it does not mean you have the right to access data in a foreign jurisdiction,” said Sheila Fitzpatrick, a data privacy expert working with the U.S. government and the Council of the European Union.

The problem stems from the complexity of data management in each region: local jurisdictions have their own laws that must be adhered to, no matter where the business is conducted. According to Fitzpatrick, transparency is key:

“You need to collect data that you absolutely have to have to run the business … you need to understand what you are using that data for. You need to be very clear about why you are collecting that data and what you plan to do with that data. There is no implied consent.”

Data privacy is subject to several other unique regulations too, chief among them the “Right to be Forgotten” mandate. Under this legislation, companies eventually have a legal obligation to delete user data unless a legal hold protects it.

Although data security is well-established, data privacy is still undervalued in the legal world. The increasing globalization of e-discovery and the legal world will require more regulations concerning cross-border e-discovery, data ownership, and how to ensure both information security and data privacy for all users.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Privacy Survey Highlights the Poor State of Data Security

Risk management remains a priority for legal firms across the world, but new research is showing just how unprepared many industries are to take on the challenge.

Guidance Software performed a data risk and privacy survey on a variety of industries, including government firms, IT industries, and financial services. The respondents, primarily security executives and security analysts, shed light on the current state of information security and how they felt security should be handled moving forward:

  • 48 percent reported feeling unprepared to identify and protect sensitive information from data breaches, mishandled devices, or human error.
  • Despite this lack of confidence, 46 percent believe that protecting sensitive data is a top priority.

The survey also addressed how data security should be handled:

  • 69 percent feel that it’s important to systematically delete obsolete or outdated information.
  • 55 percent are most worried about private or sensitive data residing on servers or endpoints.
  • Over 37 percent feel that a risk management solution for regulatory and policy compliance is important to data security.

Security Solutions

With so many respondents reporting discontent with the current state of data security, it makes sense that legal firms are hungry for solutions.

Risk management software lets organizations understand the flow of sensitive data, from the time of creation to its eventual endpoint, throughout the workflows of each industry. These workflows include file creation, email sharing, transmission to multiple devices, and storage in databases. Without dedicated data management software, each of these points of contact creates vulnerabilities that can be exploited.

Enterprise software protects data throughout every step of its use and ensures that information practices comply with external regulations, such as HIPAA.

Building a Culture of Security

Software-based data security through risk management platforms is the first step of total information governance. To ensure true data security, the most significant security variable present in any enterprise must be addressed: employees.

According to IBM’s 2014 Cyber Security Intelligence Index, 95 percent of all security incidents involve human error. Legal firms must mitigate employee mishandling of information by creating protocols governing data use. Across email, mobile device communications, and file transfers on external storage systems, employees must follow defined rules that dictate how they handle sensitive data.

The effort required to implement these protocols will be substantial at first, but security practices can be refined over time to better align with the workflows of each organization. This will ensure that efficiency isn’t lost while trying to secure data. When legal firms have a strong culture of security backed by risk management software solutions, data breaches and information loss will become concerns of the past.

Written by Dean Van Dyke, Vice President, Business Process Optimization

6 Considerations for Your Email Security Solution

With email still holding a prominent place in the world of communication, businesses can’t afford to take email security lightly. Basic encryption is essential, but the wealth of email security services available offers a wide range of benefits beyond basic features.

Keep these six considerations in mind before purchasing email security software:

1. Outlook Encryption

Microsoft Outlook includes a basic encryption feature, but most businesses find this method onerous. Both parties must hold the appropriate public key certificates to encrypt and decrypt messages, which is time-consuming to manage across a large enterprise.

2. Recipient and File Parameters

For maximum efficiency, your email security software shouldn’t require the recipient to download their own version of your software. In addition, the chosen solution must accommodate the largest files your enterprise may send. Both will help reduce the chance that users will be forced to choose less secure transfer methods to work around software limitations.

3. Security Features

The goal of all encryption software is security, but not all email security solutions are created equal.

Although software that includes multiple verification methods, policy-based encryption, and SSAE 16 Type II certification is the standard, you must ensure the included features protect both email in motion and email at rest. Email providers should encrypt messages so that they remain secure if they are intercepted during transfer. On the storage side, solutions should offer storage in company-owned infrastructure that limits access to the encryption keys.

4. The User Experience

While quality email solutions must first and foremost secure data, they must also prioritize the user experience.

On the sender side, the encryption process should be simple: one-click encryption, email tracking, and receipt notices are essential. Making this process easy increases adoption rates across your enterprise. For email recipients, attachment retrieval should be simple and should not require additional downloads. Complexity and cumbersome processes reduce adoption and frustrate users, while a straightforward user experience accelerates building a corporate culture of security.

5. Mobile Integration and Adaptability

The email solution should be flexible and ideally integrate with the programs users already know. Most security products offer mobile applications or secure portal access through a web browser. With more business conducted on mobile devices these days, mobile email security is essential.

6. Administrative Customization

Once you’ve researched the must-have security features, your final choice may come down to how customizable you want your email security system to be. Competitive encryption solutions offer advanced options to tailor the email platform to each business or individual user. Digital signatures, automated messaging, or adding your brand logo are all bonus features that can give your security solution an edge. Identify and deploy an email solution that allows easy customization, one-click securing and recall (claw-back) of communications, and true traceability and intelligence.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Visual Hacking a Growing Concern for Healthcare, Reports 3M

Despite the push towards data security and information governance, data breaches can occur where you least expect them. Though encryption software and more secure firewalls have shown success at preventing internal data breaches, another threat is looming on the data security landscape: “visual hacking.”

Low-Tech Hacking

Visual hacking involves capturing confidential information from digital screens using smartphones, discreet cameras, or plain sight. Compared to complex backdoors and malware infections, visual hacking is relatively low-tech, but that doesn’t mean it isn’t a concern for healthcare organizations tasked with controlling sensitive data.

Imagine the opportunities for visual hacking present in locations as basic as healthcare clinics. Offenders can snap photos of your information as you fill out your medical record, eavesdrop on your conversation with staff, and, once they enter the clinic itself, use silent, high-powered zoom cameras to discreetly record any instance of unsecured patient data. With just a few clicks of a button, healthcare organizations can suffer data breaches that may cost them millions.

Though protecting confidential data from prying eyes has always been a concern in the healthcare field, new mobile camera technology is giving offenders more tools than ever before. A 3M-sponsored experiment conducted with the Ponemon Institute found that a white hat hacker could visually hack sensitive information in 88 percent of attempts.

3M’s campaign against data loss helps IT and security professionals better address their security vulnerabilities. According to Gartner, IT security spend reached $75.4 billion in 2015, but this increase in security funding will do little to prevent the rise of low-tech hacking methods.

Preventing Visual Hacking

Healthcare providers must work to prevent data loss from visual hacking by:

  • Using applications to mask high-risk data, particularly when accessing data from mobile devices and public locations.
  • Creating a corporate culture of security that prioritizes visual security: all staff must know about the growth of visual hacking and why all data must be kept behind authentication or privacy filters.
  • Limiting logins to necessary locations, which reduces the number of access points where data breaches may occur.

There’s no simple strategy to fight visual hacking, but healthcare organizations that understand the risks and challenges associated with visually securing private data are one step ahead in the game. Data security across all channels is an ongoing struggle that healthcare providers must be prepared to face.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing, and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

New Security Regulations Promise Increased Transparency

In a new initiative to reduce the incidence of the ever-present danger of cybersecurity breaches, the European Union is developing new standards for data security that may come into practice as early as this year. While the regulations don’t apply directly to U.S. businesses, they’ll be mandatory for companies that partner with businesses in the EU and work with clients there. Part of these procedures involves appointing a dedicated privacy security officer to manage compliance with security standards, and shifting toward an “opt in” mindset for personal data use that keeps customers in the loop, legally and contractually speaking.

This creates new incentives for international companies to maintain their cybersecurity standards, even those without current partnerships with European businesses.

The Need for Change

The new security standards speak to an initiative against the near-constant incidence of cybersecurity breaches affecting businesses: from the U.S. Office of Personnel Management to the U.S. Census Bureau, both large- and small-scale organizations have fallen victim to the data losses that coincide with poor security practices. The campaign to put an end to these attacks also involves increased cooperation and transparency between general counsel and IT technical services.

“The laws are always going to change, and unless you have a general counsel involved to understand that, to present that to the technologist in a way that they can understand, there’s no way the technologist will be able to understand all the nuance,” said Kristoph Gustovich, director of hosting and security at Mitratech.

In-house counsel ensures that all company contracts comply with cybersecurity standards, including the new standards proposed by the EU. These stringent regulations require companies to clarify their intended use of patient information, with specific and focused language that leaves no room for miscommunication on the contractual use of patient data. While burdensome for companies that must now increase transparency of their information use, Gustovich believes that the regulations are a necessary part of the future of cybersecurity.

“Most companies nowadays are going above and beyond anything that’s out there right now and looking forward to the future,” said Gustovich. “They’re always looking to meet what’s going to be the next stage of regulations.”

Written by Desh Urs

UCLA Data Breach Part of a Growing Trend of Information Vulnerability

The incidence of criminal data theft shows no signs of slowing.

In another highly-publicized breach of confidential data, hackers broke into the computer network of the UCLA Health System and compromised the data of nearly 4.5 million patients.

This breach is another notch on the growing list of healthcare corporations that have suffered from vulnerabilities in their privacy infrastructure; health insurance company Anthem reported a data breach that affected nearly 80 million Americans earlier this year.

Security Weaknesses

Reports like these highlight a truth in the healthcare industry: as much as medical providers rely on information-based technology services, they are still ill-equipped to handle the security provisions those services require.

UCLA specifically came under fire for its failure to encrypt patients’ information, a basic security measure that many IT security analysts consider common practice, considering how frequently cybercriminals target healthcare facilities. Anthem Inc. faced similar criticism for its lack of forethought in its data security measures.

Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas, spoke to the weaknesses of the healthcare IT infrastructure:

“These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” she said.

Despite the unauthorized access that potentially revealed names, insurance information and Social Security numbers, the university claimed there was no evidence that any patient information was stolen. The interim president of the UCLA Hospital System, Dr. James Atkinson, expressed his concerns about the exposure of the confidential information:

“We take this attack on our systems extremely seriously,” he said. “For patients that entrust us with their care, their privacy is our highest priority. We deeply regret this has happened.”

The Costs of Data

While these data losses will hopefully spark increased security measures for the university IT network, they may be of little consolation to the millions of patients whose medical data was exposed. However, patients aren’t the only ones who suffer from such data leaks: a Brighton, Mass. hospital was recently fined $218,400 for alleged HIPAA violations stemming from the use of unsecured data-sharing applications to transmit patient information.

There are high costs associated with the vulnerability of privileged information. As healthcare IT systems continue the shift toward digital record-keeping, healthcare providers must make a concerted effort to ensure that those systems are updated and secure.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Healthcare IT and the Dangers of Cloud-Based Computing

Employees in the healthcare industry are increasingly using cloud applications to boost their productivity, but cloud-based services can create security vulnerabilities that IT support is ill-equipped to handle.

Security Weaknesses

A recent study by cloud security vendor Skyhigh Networks showed that cloud-based computing is on the rise, with the average company now using 923 distinct cloud services. This creates a unique challenge for IT security, as Skyhigh’s team reported that only 9.3 percent of cloud services met security standards for data protection, identity verification, and service security. The report also found that while only eight percent of partner companies were considered high-risk for cybersecurity breaches, those high-risk partners received 29 percent of all shared data.

The research gathered on cloud security highlights a worrying trend: even when IT knows that employees are using cloud applications, their presence creates significant loopholes in a healthcare security infrastructure that relies on keeping patient information confidential.

Cloud-Based Threats

According to a report by the Cloud Security Alliance that identified the biggest threats to cloud computing, data breaches and stolen information were the primary concern, followed closely by improper data handling by industry insiders and a fundamental lack of understanding of what cloud security entails.

With nearly a third of shared data being transferred through companies with poor cybersecurity compliance, many healthcare organizations hoping to achieve increased efficiency through the cloud may instead find themselves at risk for data breaches and mishandling of privileged information.

Rajiv Gupta, CEO of Skyhigh Networks, admitted that the value of stolen medical information put health organizations at high risk for breaches: “…Healthcare companies [are] prime targets for criminal attackers, and the stakes will only increase as more medical records move to the cloud.”

A Culture of Security

To fight the growing trend of data vulnerability in the cloud, healthcare organizations must implement more comprehensive risk assessments of employee behavior.

Better security standards rely on data protection rather than on network security, which can be bypassed through the hundreds of cloud-based applications that healthcare organizations use. To facilitate this goal, Gupta recommends eliminating redundant cloud applications now in use and imposing stronger authentication controls.

Because security breaches occur through employee mishandling of information as readily as through data leaks, healthcare organizations must make a concerted effort to coach their employees on cloud application use while updating their corporate security policies.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Cyber Security & Secure Digital Communications – Filtering Through the Noise

Over the past several years, we have seen increased awareness of terms such as Cyber Security, Compliance, Privacy, and Data Breach. These terms strike fear into the minds of management and operators alike, who are the gatekeepers of sensitive and classified information. In the technology-driven world we live in, this affects almost every industry, and the Nuclear Industry is a prime target.

In this article, we will summarize Secure Messaging and Secure Content Delivery, covering the concept, benefits, and best practices.

The Concept:

Secure Messaging & Secure Content Delivery is the ability to encrypt electronic communications and files exchanged between multiple parties. This is not a new concept: solutions have been around for decades, and more than likely you have already sent or received an encrypted message in the past. What has changed is a renewed focus by vendors on solutions that are more user-friendly, offer better security, and integrate more tightly with existing communication systems.

Secure Messaging is a small yet critical piece of your Cyber Security policy. A framework provided by the U.S. Nuclear Regulatory Commission (NRC) assists in identifying electronic assets that must be protected from cyber-attacks. Other federal regulators, including the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC), also participate to ensure digital assets are fully protected. These electronic assets are critical digital assets (CDAs), and more information can be found in Title 10 of the Code of Federal Regulations, 10 CFR 73.54: “Protection of Digital Computer and Communications Systems and Networks”. It is mandatory that U.S. commercial nuclear plants provide proactive solutions to help protect communication systems.

NRC’s Regulatory Guide 5.71 stipulates that products be free from known, testable vulnerabilities and malicious code, by eliminating malicious or undocumented functions that may allow unauthorized access to or use of systems.

Benefits and Best Practices:

It is easy to understand the value proposition of secure email. Besides providing multiple layers of encryption, systems offer several features that may align with operational and functional objectives. The requirement and ability to secure CDAs is relevant, yet perhaps any communication between peers and co-workers should be encrypted, given the raised threat level and the industry they work in. When communicating with external partners, business associates, and customers, a renewed focus on Security, Privacy, and Compliance will only help to better train users and lower both Legal and Operational risks for the facility.

A growing concern for companies is faxing. Fax solutions are not secure: they use standard telephone lines to transmit sensitive information that can easily be intercepted using tools purchased from a local electronics store. Incoming faxes normally arrive at a central location and may not be collected when delivered. This poses a risk, as anyone who has access to the fax machine will also have free access to send, receive, or read faxes.

Secure email is much safer than traditional faxing and electronic faxing (e-Fax) solutions, as it offers useful intelligence and audit trails. Solutions exist where traceability and tracking features are embedded within messages. This not only ensures that communications and documents are delivered, but can also verify that the intended recipients received them safely. Documents can be sent in their native electronic format, which saves the recipient from having to re-scan a fax document to store it electronically. Finance and HR departments are two functional areas where native file formats are required.

Solutions also exist where large file delivery is embedded within the system, allowing for more flexibility when sending large PDF or database files. This helps reduce the costs of traditional courier and mailing services. Other intelligence features can include the ability to recall secure messages sent in error, or to set expiry periods on secure messages and/or attachments. Either feature gives users granular control, minimizing financial and legal risks. Having unique abilities not traditionally offered in regular email systems gives organizations a distinct advantage when communicating both internally and externally. In the most subtle way, an organization can manage expectations and set accountability between users and parties. Adding layers of encryption will only enhance the existing security policies and procedures followed today.

The next time you review your internal Cyber Security policies, understand how simple email communications are being protected. This should go beyond traditional desktop email and also include email sent from phones and tablets. The most frequently used communication tools are sometimes taken for granted, which can lead to a lack of procedure or process, which in turn might lead to data leakage or mistakenly sending sensitive information to unintended recipients.

If you would like to review a solution or discuss this topic, please email desh.urs@ibridgellc.com.

Written by Desh Urs
