5,400 More: Providence Breach Highlights the Poor State of Data Security


Providence Health and Services, an Oregon-based healthcare clinic, recently notified nearly 5,400 current and former patients that their medical data may have been exposed. A former employee reportedly accessed the medical records without “any apparent business need” between July 2012 and April 2016, according to a Providence media advisor. Affected information included demographic details, medical treatments, and possibly insurance data and Social Security numbers.


The employee has since been fired in accordance with a corrective action plan, with the clinic noting that it didn’t believe any sensitive information was further viewed or disclosed.

Damage Control

Providence’s breach highlights one of the biggest problems plaguing healthcare as a whole—threat detection. With private information being transferred across multiple EMRs, external hard drives, and mobile devices daily, it’s becoming increasingly difficult for clinics to monitor all channels on which sensitive data travels. Add in human error and the complications that arise when data is handled by large teams of providers, and you have a security system that is vulnerable inside and out.

Breaches like the one recently reported at Providence can take months to detect, and in some cases years. Unless a breach is detected promptly, unauthorized users have plenty of time to copy, transfer, or sell privileged information.
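One way to surface insider access of this kind before years pass, as an added example that is not part of the original post and not Providence's own tooling: audit record accesses against documented care relationships and summarize the unexplained ones per user. The sample access log, the relationship table, the grace window and the review threshold are all constructed assumptions.

```python
"""
Audit of EHR record access against documented care relationships.

An access to a patient record by a staff member with no documented
care relationship covering that date is flagged as having no apparent
business need. Flags are then summarised per user so that a long,
low-volume pattern stands out even when each single access looks benign.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed care relationships: (staff_id, patient_id, start, end).
CARE_RELATIONSHIPS = [
    ("nurse_a", "p1001", date(2015, 1, 5), date(2015, 1, 20)),
    ("nurse_a", "p1002", date(2015, 3, 1), date(2015, 3, 2)),
    ("dr_b", "p1001", date(2014, 12, 1), date(2016, 12, 31)),
]

# Constructed access log: (staff_id, patient_id, access_date, action).
ACCESS_LOG = [
    ("nurse_a", "p1001", date(2015, 1, 10), "view"),
    ("nurse_a", "p1003", date(2015, 1, 11), "view"),   # no relationship
    ("nurse_a", "p1004", date(2015, 2, 2), "view"),    # no relationship
    ("nurse_a", "p1002", date(2015, 3, 1), "view"),
    ("nurse_a", "p1005", date(2015, 6, 9), "export"),  # no relationship
    ("dr_b", "p1001", date(2015, 1, 10), "view"),
    ("dr_b", "p1001", date(2016, 4, 1), "view"),
]

# Assumed policy: follow-up access shortly after an episode ends is normal.
GRACE = timedelta(days=30)


def has_business_need(staff_id, patient_id, when, relationships=CARE_RELATIONSHIPS):
    """True if a documented care relationship covers this access date."""
    for s, p, start, end in relationships:
        if s == staff_id and p == patient_id and start <= when <= end + GRACE:
            return True
    return False


def flag_accesses(log=ACCESS_LOG, relationships=CARE_RELATIONSHIPS):
    """Return the log entries that have no documented business need."""
    return [e for e in log if not has_business_need(e[0], e[1], e[2], relationships)]


def summarize_by_user(flagged):
    """Per user: count, distinct patients, first/last date, and whether data left the system."""
    per_user = defaultdict(list)
    for staff_id, patient_id, when, action in flagged:
        per_user[staff_id].append((patient_id, when, action))
    summary = {}
    for staff_id, entries in per_user.items():
        dates = [w for _, w, _ in entries]
        summary[staff_id] = {
            "count": len(entries),
            "patients": len({p for p, _, _ in entries}),
            "first": min(dates),
            "last": max(dates),
            "exported": any(a == "export" for _, _, a in entries),
        }
    return summary


def review_queue(summary, min_count=2):
    """Users whose unexplained accesses reach the threshold, highest count first."""
    return sorted((u for u, s in summary.items() if s["count"] >= min_count),
                  key=lambda u: summary[u]["count"], reverse=True)


if __name__ == "__main__":
    summary = summarize_by_user(flag_accesses())
    for user in review_queue(summary):
        print(user, summary[user])
```

In a real deployment the relationship table would be derived from scheduling, admission and referral systems, and the output would feed a privacy officer's review queue rather than block access.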

As part of its corrective action strategy, Providence is offering 24 months of free credit monitoring for all affected patients. Although damage control tactics like these are necessary after any instance of data loss, they do little to assuage the fears of patients worried about future information exposure. By the time the breach has occurred, it’s already too late.

A Measured Response

Knowing how to appropriately respond to breaches is the responsibility of all organizations handling sensitive data. In Providence’s case, the clinic didn’t believe that the data was exposed beyond the initial breach, and tailored its outreach accordingly.

The confusion following breaches makes large-scale damage control strategies difficult to apply at the drop of a hat, making it essential for breach response protocols to be in place before the damage is done. When strategies for breach prevention are incorporated into clinic policy through mandatory employee training, threat classification, and agile threat response, better security comes as a matter of course. To prevent breaches like the one affecting Providence, healthcare organizations need to build security into their infrastructure from the ground up.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing, and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.


$2.7 Million: The Costs of OHSU’s Security Shortcomings


The Oregon Health & Science University recently resolved an investigation into two breaches of electronic health data that occurred in 2013, resulting in a payment of $2.7 million and a three-year corrective action plan to prevent future security issues.

According to Tamara Hargens-Bradley, spokesperson for the U.S. Department of Health and Human Services Office for Civil Rights, these breaches occurred across multiple channels:

“The first incident involved a stolen laptop and the second resulted from the use of an internet-based information storage service, or ‘cloud storage’ service, without a business associate agreement,” she said. “No harm was reported by patients.”


The breaches occurred within three months of each other, both the result of improper security protocols. The stolen laptop was not encrypted at the time of its theft. And Google, the company hosting the illegally-accessed spreadsheet, had no contractual relationship with OHSU to securely store sensitive information. These failings bring to light previous security incidents in OHSU’s infrastructure, occurring in 2009 and 2012 and affecting nearly 15,000 patients.

Since the 2013 breaches, OHSU has taken steps to improve its security protocols, including:

  • Stronger computer encryption across the campus
  • Free identity theft protection for at-risk patients
  • Toll-free phone outreach for patient concerns and support

Steps to Security

Though OHSU committed itself to a three-year security action plan to prevent future data loss, its strategy may be shortsighted. Though its commitment to supporting affected patients is necessary, it’s little more than a damage control measure. Pledges to strengthen computer encryption across the university will do nothing to support cloud-based security infrastructure or prevent theft of the hardware itself.

Better security is a product of planning—reacting after the fact isn’t enough to enact meaningful change. Structures must be in place before breaches happen; and for organizations like OHSU that have suffered myriad breaches over the past seven years, these structures can’t come soon enough:

  • Preparation: Security should be delegated to a specific task force that is trained in crisis management and has dedicated plans for how to solve emerging threats.
  • Detection: Organizations must know where breaches are before they can be addressed.
  • Removal: Workflows for how data breaches will be contained and addressed help teams act efficiently.
  • Post-Recovery Response: Data must be reviewed on how the breach occurred, why it occurred, and how to reinforce security to prevent it from happening again.

While prioritizing affected patients and communication are good first steps, OHSU has a long road to travel before it’s ready to build structures that support true organizational security.


Written by Desh Urs


Privacy Survey Highlights the Poor State of Data Security


Risk management remains a priority for legal firms across the world, but new research is showing just how unprepared many industries are to take on the challenge.


Guidance Software performed a data risk and privacy survey on a variety of industries, including government firms, IT industries, and financial services. The respondents, primarily security executives and security analysts, shed light on the current state of information security and how they felt security should be handled moving forward:

  • 48 percent reported feeling unprepared to identify and protect sensitive information from data breaches, mishandled devices, or human error.
  • Despite this lack of confidence, 46 percent believe that protecting sensitive data is a top priority.

Respondents also weighed in on how data security should be handled:

  • 69 percent feel that it’s important to systematically delete obsolete or outdated information.
  • 55 percent are most worried about private or sensitive data residing on servers or endpoints.
  • Over 37 percent feel that a risk management solution for regulatory and policy compliance is important for data security.

Security Solutions

With so many respondents reporting discontent with the current state of data security, it makes sense that legal firms are hungry for solutions.

Risk management software lets organizations understand the flow of sensitive data, from the time of creation to its eventual endpoint throughout the workflows of each industry. These workflows include file creation, email sharing, transmission to multiple devices, and storage in databases. Without dedicated data management software, each of these points of contact creates multiple vulnerabilities that can be exploited.

Enterprise software protects data throughout every step of its use and ensures that information practices comply with external regulations, such as HIPAA.

Building a Culture of Security

Software data security through risk management platforms is the first step of total information governance. To ensure true data security, the most significant security variable present in any enterprise must be addressed—employees.

According to IBM’s 2014 Cyber Security Intelligence Index, 95 percent of all security incidents involve human error. Legal firms must mitigate employee mishandling of information by creating protocols governing data use. Across email, mobile device communications, and file transfers on external storage systems, employees must follow defined rules that dictate how they handle sensitive data.

The effort required to implement these protocols will be substantial at first, but security practices can be refined over time to better align with the workflows of each organization. This will ensure that efficiency isn’t lost while trying to secure data. When legal firms have a strong culture of security backed by risk management software solutions, data breaches and information loss will become concerns of the past.


Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.


It’s (Not) Academic: Cybersecurity Is a Must for Universities and Academic Medical Centers


Although cybersecurity has taken a central role for healthcare facilities and legal firms, cybercrime doesn’t discriminate based on industry.

Universities and academic facilities hold sensitive data that is just as vulnerable to outside intrusion as the data held by industries that heavily prioritize security. Student healthcare data, financial information, and other personal details are all at risk on unsecured academic networks. Over the past several years, multiple universities have reported data breaches that had significant impacts on their student body and reputation.


The University of Maryland suffered a breach in 2014 that resulted in over 300,000 compromised records, including university IDs and social security numbers. That same year, a breach at Butler University revealed the social security numbers, driver’s license information, and bank account data of over 200,000 individuals.

The financial cost of these breaches is high, but the damage isn’t limited to leaked information. Much as other victims of high-profile breaches (including Sony and Target) have recently learned, the bad PR from a data breach can be catastrophic to an institution.

Threat Prevention

As positive PR is an absolute necessity for academic organizations, a cybersecurity prevention and damage control strategy is essential.

Initial measures for beginning this plan should include:

1. Internal Threat Assessment

With over 50 percent of cyber attacks in 2014 coming from insiders, institutions must be aware of internal threats and have measures in place for assessing them. This involves creating dedicated teams with representatives from each department who can oversee internal data security in their own divisions.

2. Enhance Security Infrastructure

Academic institutions must upgrade their IT security to discourage hackers. Sensitive information should be protected with authentication credentials, firewalls, and by limiting access to only essential personnel. Better system-wide controls help prevent the unregulated flow of information that cyber breaches rely on.

3. Breach Testing

Many institutions these days test the strength of their security with the help of white hat hackers. These vendors can review the strength of your cybersecurity protocols and offer guidance on where you may be vulnerable.

4. Damage Control Planning

Should a breach occur, institutions must have a plan in place to mitigate the damage. Steps will need to be taken to lock down your system and prevent small data losses from turning into out-of-control information breaches. This includes disclosure protocols for parties who may be affected by the data loss.

5. Getting Insured

Cyber insurance can help reduce the financial burden of leaks should a breach take place. This can be beneficial for large-scale organizations that handle millions of patient or customer records.

While these steps are a good start for academic organizations without cybersecurity protocols in place, they are only the first steps of a larger, system-wide push towards data security. The threats are here—academic institutions can’t afford to wait.

Written by Desh Urs


Visual Hacking a Growing Concern for Healthcare, Reports 3M


Despite the push towards data security and information governance, data breaches can occur where you least expect them. Though encryption software and more secure firewalls have shown success at preventing internal data breaches, another threat is looming on the data security landscape: “visual hacking.”

Low-Tech Hacking

Visual hacking involves capturing confidential information from digital screens using smartphones, discreet cameras, or plain sight. Compared to complex software backdoors and malware infections, visual hacking is relatively low-tech, but that doesn’t mean it isn’t a concern for healthcare organizations tasked with controlling sensitive data.

Imagine the opportunities for visual hacking present in locations as basic as healthcare clinics. Offenders can snap photos of your information as you fill out your medical record, eavesdrop on your conversation with staff, and, once they enter the actual clinic, use silent, high-powered zoom cameras to discreetly record any instances of unsecured patient data. With just a few clicks of a button, healthcare organizations can suffer data breaches that may cost them millions.


Though protecting confidential data from prying eyes has always been a concern in the healthcare field, new mobile camera technology is giving offenders more tools than ever before. A 3M-sponsored hacking experiment with the Ponemon Institute found that a white hat hacker could visually hack sensitive information in 88 percent of attempts.

3M’s campaign against data loss helps IT and security professionals better address their security vulnerabilities. According to Gartner, IT security spend reached $75.4 billion in 2015, but this increase in security funding will do little to prevent the rise of low-tech hacking methods.

Preventing Visual Hacking

Healthcare providers can take several steps to prevent data loss from visual hacking:

  • Using applications to mask high-risk data, particularly when accessing data from mobile devices and public locations.
  • Creating a corporate culture of security that prioritizes visual security—all staff must be aware of the growth of visual hacking and why all data must be kept behind authentication or privacy filters.
  • Limiting logins to necessary locations, which reduces the number of access points where data breaches may occur.

There’s no simple strategy to fight visual hacking, but healthcare organizations that understand the risks and challenges associated with visually securing private data are one step ahead in the game. Data security across all channels is an ongoing struggle that healthcare providers must be prepared to face.


Written by Desh Urs


Incident Response Plans: Preparing Your Agency Before the Next Breach


Agencies, particularly those in the fast-developing field of data governance, must not assume that they’re safe from data breaches. According to research by the U.S. Government Accountability Office, involvement in a security incident may be a matter of when rather than if: information security events involving federal agencies increased from over 5,500 in 2006 to over 67,000 in 2014. Security incidents in the healthcare and information technology fields show similar growth, and most victims are unaware of their vulnerability.

Creating a Response Plan

Agencies must prepare for the eventuality of a security incident by designing an incident response plan that establishes basic processes for threat management. These include protocols for threat recognition, analysis, and recovery:

  1. Respond: Responding to an issue begins with defining security “events” and security “incidents.” According to CEB, security events involve any occurrence within a secure system, while the term “incident” is reserved for events that pose an immediate threat to acceptable-use policies or basic computer security. Delineation between these two categories is important for planning a response process—incidents must be addressed, but not every event will need intervention.
  2. Investigate: Agencies must maintain consistency when responding to incidents. Standardized labels and categorization should be used for incidents to help agencies identify trends and patterns. This allows for more efficient problem identification and a faster overall response.
  3. Recovery: After categorization, agencies should prioritize recovery processes that mitigate damage and restore their systems efficiently. The recovery process itself is broken down into several phases:
     • Preparation – Selection of a specialized team with a single point of contact for incident response. This also includes creating systems for tracking and analyzing emerging threats in the environment.
     • Detection – Appropriate channels must be monitored to alert agencies to possible incidents.
     • Removal – Workflows for various incidents must help response teams act efficiently. These processes will involve steps for the containment and eradication of recognized threats. Part of effective threat removal is to monitor each step taken and keep records for future threat analysis.
     • Post-Recovery Response – After the threat is contained, agencies must assess the incident and determine how and why the breach occurred. This response is necessary to help agencies reinforce their security and generate new protocols for threat removal.

Security incidents can devastate unprepared healthcare and technology agencies. Incident response plans help safeguard privileged information and empower agencies to react quickly to threats. They also function as reporting systems to let each agency know how to better prepare their infrastructure to prevent more damage to an already compromised system.

Written by Desh Urs


Missing Hard Drives Contain PHI of Nearly One Million Individuals


Cybersecurity and safeguarding Protected Health Information (PHI) is a hot topic in the digital world. However, while awareness and new legislation are improving the current state of digital information security, less attention is given to security protocols for hardware and physical data storage.

Hard Drive Theft

Centene, a prominent Medicare and Medicaid insurance provider, recently announced the loss of six hard drives containing private information on nearly 950,000 individuals. The affected data loss includes names, addresses, social security numbers, and membership IDs. A statement offered by Centene on Jan. 26th claimed that the hard drive loss “resulted from an employee not following established procedures on storing IT hardware,” noting that the missing drives were a small part of their total 26,000 unit IT inventory.

Is Encryption Necessary?

Centene’s data loss was a function of a lack of encryption protocols and poor inventory management.

Unfortunately, the answer to data security isn’t as simple as “encrypt everything with PHI.” Unnecessary encryption can be costly and may reduce efficiency due to the extra steps needed to authenticate users. Under the HIPAA Security Rule, encryption of PHI is merely “addressable.” This means that organizations that thoroughly document alternative security measures need not encrypt all instances of PHI.

When encryption isn’t feasible, other security protocols must be used. Inventory governance is essential for protecting hardware containing PHI. However, the challenges of keeping a real-time IT inventory make the process easier said than done.

“An inventory of any IT assets, including data, is only accurate for a moment. Things are constantly changing. Maintaining an accurate inventory doesn’t scale well for large organizations. Rather than putting a lot of effort into an accurate inventory, efforts are better spent encrypting media containing confidential information,” said Tom Walsh, founder of security consulting firm tw-Security.

This presents a challenge to holders of PHI: how can the costs of encryption be balanced with inventory management for better overall security? According to Walsh, risk analyses coupled with precise inventory tracking will help organizations “channel limited security resources where they are needed most.”

Finding a Middle Ground

The question of hardware and PHI security is as complex as the challenges associated with cybersecurity. It’s clear that both inventory governance and correctly-applied security protocols are necessary to keep PHI safe. The CEO of security consulting firm Redspin noted that: “…Healthcare organizations must be disciplined about tracking PHI throughout the organization and ensuring the appropriate safeguards are in place everywhere. Encryption adds cost and complexity, but a PHI breach can be far more costly.”

Given recent PHI breaches, we’re willing to bet that insurers like Centene would agree.


Written by Dean Van Dyke, Vice President, Business Process Optimization


Five Biggest Data Breaches of 2015


While 2015 was a noteworthy year for advances in technology and data security, the evolution of cybercrime wasn’t far behind. Several significant data breaches occurred in 2015, affecting everyone from healthcare recipients to unfaithful spouses to government employees. Here are five of the biggest and nastiest data losses that occurred last year:

1) Premera

One of the largest healthcare network breaches ever seen, the Premera breach is unique because it was discovered on the same day as the breach of another major healthcare service provider—Anthem. IT professionals claim that both attacks were performed similarly, with both breaches likely caused by the same group. The Premera breach resulted in the loss of financial information, medical claims information, social security numbers, and email addresses of 11 million customers.

2) U.S. Office of Personnel Management

In a breach that began in March 2014 (and was only noticed in April 2015), the U.S. government suffered one of the largest breaches of government data in the country’s history. Data lost included social security numbers, addresses, and dates of birth on over 22 million current and former employees, including the fingerprints of nearly 5 million people. Officials pointed to a lack of comprehensive IT inventory as one of the causes of this information loss.

3) IRS

Unfortunately, the Office of Personnel Management breach wasn’t the last word on U.S. government data loss. The Internal Revenue Service also suffered a breach in 2015 that revealed confidential tax records of over 330,000 individuals. To make matters worse, the thieves used the stolen tax data to scam millions of dollars in fraudulent refunds from the government agency.


The IRS was on the wrong end of a large data breach in 2015

4) Ashley Madison

The much-publicized breach of the extramarital dating site Ashley Madison made headlines in 2015, both for the irony of unfaithful users of the affair-promoting platform having their identities exposed, and for the massive fallout that came shortly after. Over 37 million customer records were made public, exposing numerous affair-seeking individuals and even leading to two possible suicides.

5) Anthem

Discovered on the same day as the Premera breach, the Anthem healthcare network breach revealed privileged information on over 80 million people—affecting nearly 1 in 4 Americans. Like Premera, the breach went undetected for nearly a year before the leak was noticed. The data lost between Anthem and Premera constitutes the largest theft of digital medical records ever recorded.


Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.


Personal Device Security and Online Connectivity


Cybersecurity is typically associated with data privacy in large organizations—computer networks, encryption, and secured data transfer. However, our personal information is spread across more devices than many of us realize. Even seemingly innocuous devices that have online connectivity can be vulnerable to outside access.

Fitness Breach

Security service AV-Test reviewed the security of nine fitness monitors across several brands—Acer, Fitbit, Garmin, Sony and Withings—and found that the lowest-security devices suffered from nine of eleven possible security weaknesses, including the inability to disconnect from Bluetooth and the exposure of user log information. While vulnerabilities like these seem insignificant compared to the large-scale data and privacy breaches that make headline news, the implications are troublesome for the data security of personal electronics. These weaknesses seem mild, yet they expose user devices to hacking, eavesdropping, and unauthorized data aggregation. Though fitness monitors and wristbands don’t hold the volume of sensitive information that business systems do, they’re still exposed to unauthorized access that may cause data modification or loss.

Implications and Connectivity

These mild weaknesses don’t offer serious threats to user privacy yet, but this will change as devices become more advanced and store more sensitive user data. The lack of security present in personal electronic devices sets a troubling precedent. Cybersecurity is difficult to implement, even for high-priority devices that contain privileged information. In the current state of our cybersecurity infrastructure, basic electronic devices aren’t likely to face the same security scrutiny as more advanced technology.

Security, particularly for personal devices, is an afterthought for many businesses. Implementing better security is costly—and often deemed unnecessary for equipment that records seemingly innocuous user data. However, several devices tested by AV-Test could not disconnect from Bluetooth—a concept designed to increase the operability of the device, yet it leaves users exposed to constant online access. Hackers are developing new ways to utilize exploits that will have increasingly detrimental effects on the state of our device security.

Connectivity and constant online connections are still relatively new in the technological world. While the full implications of this constant connectivity are not yet understood, it’s clear that device manufacturers must prioritize data security. Establishing acceptable security practices now will ensure that businesses have the means to upgrade their future security alongside their consumer technology.


Written by Desh Urs

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decision Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.


Legal Losses: 4 Steps to Better Internal Security


When people think of “cybercrime,” they imagine a hacker finding an exploit in an unsecured system and taking advantage of it for their own gain. While this is a growing concern in the legal world, it isn’t the only security threat that firms must consider. The 2015 Data Breach Investigations Report by Verizon found that 20.6 percent of all data breaches are caused by individuals inside the industry, whether accidentally or intentionally. These breaches can be notoriously hard to detect, because internal data leaks are less obvious and carry less immediate consequences than outside hacker access. IT security has traditionally been challenging for legal firms—clear corporate policies must be implemented to protect privileged information from both hackers and illicit employee actions.

1. Increase Awareness


The first step in decreasing the incidence of cybercrime, both within an organization and outside it, is increasing awareness. Companies must create a corporate culture of transparency and honesty with their employees, and train them in data handling practices. Employees should know what to do if they detect a security issue, with clear policies in place for the assessment and removal of emerging threats.

2. Detection/Data Loss Software

Implementing software to monitor data transfer is another method of preventing data loss. Legal firms can optimize their IT security with programs that monitor the points at which data is transferred, highlighting potential vulnerabilities. If a breach occurs, these programs offer hard evidence and digital trails for investigators to follow.

3. Implement Warnings

A simple way to increase data security is to let employees know that their actions are being tracked. Employees are much less likely to engage in illicit or illegal behaviors when they know that their computers are subject to searching. This deterrent can be powerful, particularly when employees understand the weaknesses of their business’s IT infrastructure.

4. Monitor Communication

Proper tracking of employee behaviors is necessary to prevent internal losses of information. Forensic analysis of employee communication and behaviors provides visibility into the exchange of information across digital platforms and offers insight into suspicious behaviors in a breach. Investigators can monitor key variables when data is compromised to identify trends and establish the source of information loss.
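As an added illustration of steps 2 and 4 (example code written for this page, not iBridge’s or any vendor’s software), the following Python check runs over a constructed document-management audit log with a hypothetical line format and a hypothetical matter-assignment table: it flags access to client matters a user is not assigned to, and users who export an unusual number of documents, which is the kind of digital trail an investigator would follow back to the source of a loss.

```python
import re
from collections import defaultdict

# Constructed sample audit log (hypothetical format): one document access per line.
AUDIT_LOG = """\
2015-03-02T09:14:05 user=jdoe action=view matter=M-1041 doc=brief.pdf
2015-03-02T09:20:11 user=jdoe action=export matter=M-1041 doc=exhibits.zip
2015-03-02T11:02:44 user=asmith action=view matter=M-2210 doc=contract.docx
2015-03-02T23:41:09 user=asmith action=export matter=M-1041 doc=brief.pdf
2015-03-02T23:41:31 user=asmith action=export matter=M-1041 doc=exhibits.zip
2015-03-02T23:42:02 user=asmith action=export matter=M-3377 doc=deposition.pdf
2015-03-03T08:05:19 user=bkim action=view matter=M-3377 doc=deposition.pdf
"""

# Constructed assignment table: which staff have a business need for which matters.
ASSIGNMENTS = {
    "jdoe": {"M-1041"},
    "asmith": {"M-2210"},
    "bkim": {"M-3377"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"matter=(?P<matter>\S+) doc=(?P<doc>\S+)$"
)


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious(events, assignments, export_threshold=2):
    """Return findings: accesses to unassigned matters, and per-user export bursts."""
    findings = []
    exports = defaultdict(int)
    for e in events:
        # Access to a matter the user is not assigned to has no apparent business need.
        if e["matter"] not in assignments.get(e["user"], set()):
            findings.append(("unassigned_access", e["user"], e["matter"], e["ts"]))
        if e["action"] == "export":
            exports[e["user"]] += 1
    # More exports than the threshold in one log window is worth an investigator's look.
    for user, count in exports.items():
        if count > export_threshold:
            findings.append(("export_burst", user, count))
    return findings
```

In the sample, every finding points at the same account, which is exactly the trend-and-source picture step 4 describes; in practice the assignment table would come from the firm’s matter-management system.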

IT security in the legal world is a never-ending battle. Legal firms must realize that they are vulnerable internally and externally, and take the precautions to keep client data safe.


Written by Desh Urs

