The US federal government has designated November as National Critical Infrastructure Security and Resilience Month (CISR Month). Effective cybersecurity measures are one crucial component of our country’s critical infrastructure. So as part of CISR Month, bTrade would like to offer what MFT Nation likes to call a “case study in what-not-to-do” in the world of cybersecurity.
Here’s the Situation
You are the IT person responsible for maintaining a vast collection of highly sensitive data for your organization. More than a year ago, your system was hacked and the cyber thieves absconded with a major part of your organization’s sensitive data. The incident was widely reported by all forms of media, even the fact that the organization’s auditors had been issuing reports which rated your cybersecurity measures as “deficient,” or words to that effect.
So what do you do? You listen to your auditors and become more vigilant about your cybersecurity efforts, right? Most would think that, especially if you’re in the private sector. But this particular situation doesn’t involve a private sector business. It concerns a prominent government agency within the White House called the Office of Personnel Management (OPM), and the saddest/most maddening part of this case study is that the latest audit report finds that OPM’s cybersecurity measures are actually regressing.
I kid you not, and here are the pertinent details of this sad/maddening case study in what-not-to-do.
History of Cybersecurity Warnings from OPM’s Auditors
In a previous post, bTrade’s MFT Nation described the importance of OPM’s activities within our country’s critical infrastructure. We also explained that OPM’s inspector general had issued a series of warnings beginning in 2007 about glaring problems with OPM’s cybersecurity measures. In fact, the IG issued a “flash audit alert” stating that OPM’s “severely outdated” security procedures put its data at risk.
OPM Breach – Most Damaging Cybersecurity Intelligence Breach in US History
The risk was realized last year when hackers gained access to OPM servers for an extended period of time and made off with highly sensitive data collected during security clearance investigations on some 22 million federal employees. A major print publication reported that U.S. officials considered the breach to be “among the most potentially damaging cyber heists in U.S. government history.”
OPM’s Deplorable Conduct Hasn’t Changed since the Breach
The OPM auditor recently released a new report which finds that OPM’s cybersecurity defenses have gotten worse since the devastating breach. The report points to a “significant regression” in the agency’s compliance with a 2014 cybersecurity law, and notes that the agency “failed to meet requirements that [it] had successfully met in prior years.”
The report also found the agency still suffers a “significant deficiency” in its information security management, doesn’t have a full inventory of its servers, has only two of its applications meeting government user-verification requirements, and doesn’t track fixes of routine security weaknesses. In fact, of the 26 recommendations issued by the auditor, 17 of them had been issued before, with some dating back to 2008.
The auditor offered these striking facts to support its deficiency findings:
- “OPM has a history of troubled system development projects. Despite multiple attempts and hundreds of millions of dollars invested, OPM has encountered well publicized failures to modernize its retirement claims processing, financial, and background investigation systems. In FY 2016, the agency’s enormous IT infrastructure overhaul initiative was significantly behind schedule.”
- “We believe that OPM’s IT security management structure – as currently defined on paper – can be effective with some minor improvements (see the next section of this report). However, this structure was not operational for the majority of FY 2016, and therefore we believe that this issue again rises to the level of a significant deficiency.”
- “At the end of fiscal year (FY) 2016, the agency still had at least 18 major systems without a valid Authorization”—i.e., an assessment/evaluation of whether a system’s security controls are meeting the security requirements of that system.
- “OPM has not established an agency-wide risk management strategy. In addition, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 are not all fully implemented.”
- “OPM does not have configuration baselines for all operating platforms. This deficiency impacts the agency’s ability to effectively audit and monitor systems for compliance.”
- “The majority of OPM systems contain Plan of Action and Milestones that are over 120 days overdue,” and “contingency plans for most of OPM’s systems have not been reviewed or tested in FY 2016.”
- “Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.”
Basically, all aspects of OPM’s IT infrastructure have problems. The equipment is outdated despite “well publicized failures to modernize.” The infrastructure is not well managed, as there is “a history of troubled system development projects,” including the “IT infrastructure overhaul initiative” which is “significantly behind schedule.” OPM’s policies and procedures are either lacking or not followed (the “12 primary elements” of OPM’s “agency-wide risk management strategy” are “not all fully implemented”). The human resources are not properly trained, including those individuals with “significant information security responsibility” who have not taken the “specialized security training” required by “OPM policy.” Not a pretty picture.
But the most galling aspect of OPM’s IT infrastructure is that all these deficiencies are still present after a historically bad data breach and “[de]spite multiple attempts and hundreds of millions of [taxpayer] dollars invested.” Pitiful. Just pitiful.
If a private sector business had such a poor cybersecurity track record, all hell would break loose. Congress would call for hearings, the media would be outraged, lawyers would sue, and government agencies would levy heavy fines. But we see no similar steps taken with respect to OPM. Why? Where is the outrage? Have we come to accept government waste as a fact of life? Are we willing to look the other way when we get shoddy work despite spending “hundreds of millions of [taxpayer] dollars”?
We certainly hope not. It’s time to treat all critical infrastructure the same, whether it be in the public or private sector. So join us in saying to OPM: You need to get your house in order, and time is of the essence because you are responsible for highly sensitive data affecting tens of millions of Americans.
Stay tuned to MFT Nation for developments in the OPM case study, and to stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.
Good Time to Take Stock of Your Authentication Methods
I’m sure almost everyone has heard that when buying real estate the three most important factors to consider are “location, location, location.” When it comes to data security, one could say the three most important factors to consider are “authentication, authentication, authentication.”
In its November 2016 cyber newsletter, the Office for Civil Rights (OCR) disclosed that some of the many data breaches that have occurred in the healthcare sector were due to “weak authentication.” As the healthcare sector continues to be a top target for cyber-attacks, OCR advises that all healthcare organizations should perform a risk analysis to determine whether proper methods of authentication have been implemented.
Deploy “Reasonable and Appropriate” Authentication Methods
Remember, HIPAA requires that covered entities select healthcare authentication measures that are “reasonable and appropriate” for their normal operations and security requirements. The OCR newsletter lists certain types of authentication methods, like single-factor and multi-factor. According to OCR, healthcare organizations tend to use single-factor methods such as “login passwords or passphrases to access information.”
bTrade Can Help Address Authentication Needs
If you are a healthcare organization and want to determine whether you have implemented proper authentication measures, contact us at email@example.com to schedule a free consultation with a bTrade authentication expert. He or she will assist in finding an authentication method that is “reasonable and appropriate” considering your organization’s size, complexity, technical infrastructure, hardware, and software security capabilities.
In addition, you may want to consider bTrade’s TDMedXchange software solution because authentication is just one of many features that a healthcare organization could use to help prevent a data breach and ensure compliance with HIPAA requirements. The authentication requirements in TDMedXchange are fully customizable and include features such as:
- Virtual Keyboard to thwart keystroke loggers
- Strict password settings
- One Time Passwords
- Customizable password length, lockout, history, age, include/exclude characters, etc.
To stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.
Managed File Transfer Vendor Earns “Excellent Supplier” Rating on ISO 9001 Supplier Evaluation for a Long-Time Customer
bTrade, the industry leading compression and managed file transfer (MFT) provider, announced today that it once again scored well in connection with an ISO 9001:2008 supplier evaluation, this time from its customer, Telered, S.A.
Telered is a Panamanian company that provides Panama’s electronic payments network. The shareholders of Telered are all the major Panamanian banks who demand infrastructure supported by state-of-the-art technology, including bTrade software solutions. Telered maintains connections with many entities, both private (local and international) and public, through a communications infrastructure that transmits the information between the entities and the affiliated financial institutions in a secure and reliable manner. Telered has been a bTrade customer for more than a decade.
Because the Panamanian payments network is certified under ISO 9001:2008, Telered conducted a supplier audit of bTrade earlier this year. bTrade was rated on key metrics such as experience, performance against competition, product quality, price, and delivery and response to problems.
bTrade is pleased to report that it received from Telered a compliance rating of 98.2%. According to Maria Barrera, a Process Analyst at Telered, the 98.2% score puts bTrade in the category of “Excellent Supplier.”
“It is extremely gratifying to receive this recognition from our customer, Telered, S.A.,” said Steve Zapata, President and CEO of bTrade. “bTrade has always focused on continued quality, and this supplier rating reconfirms our mission to provide our customers with the highest quality products and services possible,” added Zapata.
For more information on bTrade’s solutions and services, please visit bTrade.com.
bTrade develops managed file transfer technology solutions for enterprises that share sensitive data across applications and organizations, and face complex security and compliance mandates. Thousands of customers depend on bTrade solutions to gain control and oversight of the movement of critical corporate data to facilitate data growth, reduce security risk, and improve IT and business efficiency. bTrade was founded in 1990 and is led by eBusiness visionaries who have delivered industry-leading business integration solutions to thousands of enterprise customers worldwide. bTrade is privately held and profitable with its global headquarters located in Glendale, California USA.
In an earlier post, MFT Nation critiqued the U.S. Federal Government’s (the “Feds”) recently revised data security policies entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”). In that earlier post, we focused on the not-so-good aspects of the Circular. We also promised to discuss the positive aspects in the future, which is the purpose of this post.
The Feds claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.” (This sentence is what an English teacher would call a “run on” sentence). To achieve such laudable goals, the Feds say they focused on the following three elements when drafting the Circular:
- Real Time Knowledge of the Environment. In today’s rapidly changing environment, threats and technology are evolving at previously unimagined speeds. In such a setting, the Government cannot afford to authorize a system and not look at it again for years at a time. In order to keep pace, we must move away from periodic, compliance-driven assessment exercises and, instead, continuously assess our systems and build-in security and privacy with every update and re-design. Throughout the Circular, we make clear the shift away from check-list exercises and toward the ongoing monitoring, assessment, and evaluation of Federal information resources.
- Proactive Risk Management. To keep pace with the needs of citizens, we must constantly innovate. As part of such efforts, however, the Federal Government must modernize the way it identifies, categorizes, and handles risk to ensure both privacy and security. Significant increases in the volume of data processed and utilized by Federal resources require new ways of storing, transferring, and managing it. Circular A-130 emphasizes the need for strong data governance that encourages agencies to proactively identify risks, determine practical and implementable solutions to address said risks, and implement and continually test the solutions. This repeated testing of agency solutions will help to proactively identify additional risks, starting the process anew.
- Shared Responsibility. Citizens are connecting with each other in ways never before imagined. From social media to email, the connectivity we have with one another can lead to tremendous advances. The updated A-130 helps to ensure everyone remains responsible and accountable for assuring privacy and security of information – from managers to employees to citizens interacting with government services.
This is all good stuff. Data security policies should focus on real-time knowledge of the environment, proactive risk management and shared responsibility. In fact, bTrade focused on these and other concepts when developing its TDXchange software solution. But again, it’s just amazing the Feds waited until 2016 to come to this realization and finally draft data security policies around these concepts. But I digress. Back to the topic—positive aspects of the Circular.
Appendix I establishes minimum requirements for information security programs and assigns responsibilities for the security of information and information systems. Appendix I requires agencies to do such things as:
- Perform ongoing reauthorization of systems (replacing the triennial reauthorization process) to better protect agency information systems;
- Continuously monitor, log, and audit user activity to protect against insider threats;
- Periodically test response procedures and document lessons learned to improve incident response;
- Encrypt moderate and high impact information at rest and in transit;
- Ensure terms in contracts are sufficient to protect Federal information;
- Implement measures to protect against supply chain threats;
- Provide identity assurance for secure government services; and,
- Ensure agency personnel are accountable for following security and privacy policies and procedures.
Again, this is all good stuff. For many years now, the Feds have required the private sector to incorporate such data security practices into their businesses.
Appendix II outlines some of the general responsibilities for managing personally identifiable information (PII). Appendix II summarizes requirements in the following areas:
- Establishing and maintaining a comprehensive, strategic, agency-wide privacy program;
- Designating senior agency officials for privacy;
- Managing and training an effective privacy workforce;
- Conducting Privacy Impact Assessments (PIA);
- Applying NIST’s Risk Management Framework to manage privacy risks in the information system development life cycle;
- Using the fair information practice principles when evaluating information systems, processes, programs, and activities that affect privacy;
- Maintaining an inventory of PII and reducing PII usage to the minimum necessary for the proper performance of authorized agency functions; and,
- Limiting the creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII to that which is legally authorized, relevant, and reasonably deemed necessary for the proper performance of agency functions.
Such data security policies can already be found throughout the private sector. It is the type of ecosystem for data security and privacy which businesses have been recognizing and adopting for many years now. Governmental agencies are being told that they have to develop a culture of privacy and security protection within their organizations and are being given the framework to follow.
The Circular is definitely needed given recent cyberattacks affecting the Feds. In addition, it is hard for the U.S. government to expect businesses in the private sector to do something the government does not do itself.
Let’s hope the Feds don’t go another 16 years until the next update.
The year 2000 was also a memorable time for the IT world. We survived the feared Y2K problem, but the dot-com bubble was about to burst. Google was just a baby and desktop computers dominated the IT landscape.
But the year 2000 is significant in another respect—it was the last time the U.S. federal government (the “Feds”) reviewed and updated its data security policies. We kid you not. Until recently, the Feds were relying on 16-year-old data security policies. As you might expect, the policies contained antiquated notions of data security, including one that listed “password protection” as the only “effective security technique.”
The good news is that the Feds recently reviewed the outdated policies and have released a revised version entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”). The impetus for the Circular, according to the Feds, is the “rapidly evolving digital economy.” If that is true, logic suggests the Feds would have reviewed/updated their data security policies much earlier than they did. The truth is that the Feds were forced to take a more proactive approach to data security after a hack occurred last year at the Office of Personnel Management that was described as the “most devastating cyber attack in our nation’s history.”
Certain statements in the Circular demonstrate an understanding by the Feds of the gravity of the situation. For example, the Feds state an awareness that IT is “at the core of nearly everything the Federal Government does.” And to their credit, the Feds acknowledge they “cannot afford to authorize a system and not look at it again for years at a time.” Time will tell whether the Feds practice what they preach.
The release of the Circular generated a great deal of attention, but it is really nothing extraordinary. It’s the type of document the Feds have required of private sector organizations for quite some time. For example, the Federal Trade Commission has a document containing a 10-step data security policy guide for businesses, and the Federal Communications Commission created a similar document for private sector businesses entitled Cyber Security Planning Guide. The Circular incorporates the policies from these two documents (as well as a whole lot more, because it’s tough to stop the Feds once they start writing policies).
The Feds have consistently fined businesses for failing to “implement and maintain” data security policies. Similarly, companies have avoided the wrath of the FTC by showing they had established and implemented “comprehensive” data security policies. Talk about hypocrisy; judging private sector businesses by standards with which the Feds had never complied. I guess it’s good to be the king, so to speak.
They claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.” Let’s just say that we are skeptical.
Why? To be effective, policies should be written clearly and concisely, targeted to the end user. Too many policy manuals are ignored or never read because they are too wordy, boring, or confusing. The Circular is all of that. It’s an 85-page monstrosity with a host of problems.
To start with, there are a total of 90 definitions that consume the better part of 12 pages of single-spaced text. To make matters worse, the Circular is replete with general statements of policy, but lacking in understandable specifics. The Circular also points readers to a plethora of other regulations, such as a requirement to “[i]mplement security policies issued by OMB, as well as requirements issued by the Department of Commerce, the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Office of Personnel Management (OPM).” If that weren’t enough, the Circular directs users “to apply the standards and guidelines contained in the NIST FIPS, NIST SPs (e.g., 800 series guidelines), and where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).” Good luck with that one!
That said, the Circular has certain favorable aspects that are worth noting. We will discuss this in an upcoming post.
If you have questions about the above content, contact our data security experts at firstname.lastname@example.org.
Also, to stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.
The basic goal of any file transfer software is to transfer files securely and reliably. Getting the files from one place to another using standard file transfer protocols is something you would expect the solution to be able to do, and do well.
So what distinguishes one file transfer product from another? How should you decide that one solution is the best one to choose? That comes down to extra features and additions that allow you to use the solution to handle different scenarios or functions, some you may not have even thought you needed. This should be the major topic of conversation whenever you are considering a new file transfer solution.
bTrade’s TDXchange solution is one that has quite a few extra features that would allow you to better manage your day-to-day file transfer needs, if you decide to start using them. For example, we have:
- data transformations
- read and write transfers directly from a database
- secure ad hoc messaging
- Outlook plug-in
- cloud storage adapters
- SLA notifications
- encrypted data store
- and many more …
When added together, these extras make TDXchange a very useful solution to handle not only the day-to-day situations, but also those file transfer scenarios that are not routine or automated. Let’s go through some of the extras and features I mentioned to give you an idea what they can do for you.
Data transformations are available to help you correct/modify your transactions when characters need to be removed or added. For example, you may occasionally receive a file that contains carriage returns and/or line feeds that your backend system doesn’t accept. This situation is easily dealt with in TDXchange by setting up a data transformation in the adapter that will automatically remove them, or change them to some other character, string or null. Problem document no more! If you need to make each record a certain length, set up your TDXchange transformation tool to produce an 80-character (or other size) record. It works on both inbound and outbound documents.
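To make the two transformations described above concrete, here is an added example (illustrative code written for this post, not bTrade's or TDXchange's own implementation) that strips or replaces carriage returns and line feeds and cuts a file into fixed-length records. The sample file, the function names and the record width of 16 are constructed for the illustration; the product's own configuration keys are not assumed.

```python
"""Line-break removal/replacement and fixed-length record padding.

Added illustration of the transformations discussed in the post; it is not
TDXchange code.  Works on bytes so it is indifferent to the file's encoding.
"""
from typing import Optional


def strip_line_breaks(data: bytes, replacement: bytes = b"") -> bytes:
    """Remove every CR and LF, or replace each line break with `replacement`.

    CRLF is collapsed to a single break first so that a replacement string is
    emitted once per break rather than twice.  Lone CR and lone LF are also
    treated as breaks, since inbound files often arrive with mixed endings.
    """
    collapsed = data.replace(b"\r\n", b"\r")
    return collapsed.replace(b"\r", replacement).replace(b"\n", replacement)


def to_fixed_length(data: bytes, width: int, pad: bytes = b" ",
                    drop_empty: bool = True) -> bytes:
    """Turn each line into a record of exactly `width` bytes.

    Lines longer than `width` are truncated; shorter ones are right-padded
    with `pad` (a single byte).  Blank lines are dropped unless `drop_empty`
    is False, in which case they become all-padding records.  The output
    carries no line terminators, which is what a fixed-record backend expects.
    """
    if width <= 0:
        raise ValueError("width must be positive")
    if len(pad) != 1:
        raise ValueError("pad must be exactly one byte")
    records = []
    for line in data.splitlines():          # handles \r\n, \r and \n
        if not line and drop_empty:
            continue
        records.append(line[:width].ljust(width, pad))
    return b"".join(records)


def transform(data: bytes, *, replacement: Optional[bytes] = None,
              width: Optional[int] = None) -> bytes:
    """Apply one adapter-style transformation: either fixed-length records
    (when `width` is set) or line-break removal/replacement otherwise."""
    if width is not None:
        return to_fixed_length(data, width)
    return strip_line_breaks(data, replacement or b"")


# Constructed sample: three account records with mixed CRLF / LF / CR endings.
SAMPLE = b"ACCT001|150.00\r\nACCT002|75.50\nACCT003|9.99\r"

if __name__ == "__main__":
    print(strip_line_breaks(SAMPLE))          # breaks removed
    print(strip_line_breaks(SAMPLE, b"|"))    # breaks replaced by a delimiter
    print(to_fixed_length(SAMPLE, 16))        # 16-byte records, no terminators
    print(to_fixed_length(SAMPLE, 7))         # truncation to the key only
```

Because both inbound and outbound files pass through the same functions, the same code path can be used in either direction; the choice of `replacement` or `width` is the only per-adapter setting.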
Want to write inbound data directly to a database record, or take a field from a database record and send it directly? Not a problem. With a few simple parameters, you can configure the adapter to read and write directly from your database. No intermediate file creation steps necessary.
If you have a one-time or occasional need to send a file containing sensitive information to someone, TDXchange provides a solution in the form of secure ad hoc messaging. Simply log into your mailbox, attach the file, add the recipients, and then send them a one-time password via SMS. The recipients will get a link and can then sign into your TDXchange system via the web to download the file directly from the secure storage area. No partner definitions needed. So whether one-time access or more frequent use is required, TDXchange’s ad hoc messaging is available for you.
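The flow above (a link for the recipient plus a one-time password delivered out of band) is a common pattern, and the properties that make it safe are that the password is single-use, expires, is rate-limited, and is never stored in clear text. The following is an added example, written for this post and not TDXchange's implementation, of a minimal share store with those properties; the class and function names, the 15-minute lifetime and the 5-attempt limit are constructed for the illustration, and sending the SMS and serving the download are left to the caller.

```python
"""Single-use, time-limited one-time passwords for an ad hoc file share.

Added illustration of the link-plus-OTP pattern described in the post; not
TDXchange code.  Only a salted PBKDF2 hash of the OTP is kept at rest, so a
copy of the store does not reveal the passwords that were sent by SMS.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

OTP_TTL_SECONDS = 15 * 60   # constructed lifetime for the illustration
MAX_ATTEMPTS = 5            # constructed lockout threshold
PBKDF2_ROUNDS = 50_000


def _hash_otp(otp: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Share:
    file_id: str
    recipient: str
    otp_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class AdHocShareStore:
    """In-memory store keyed by the opaque token that goes into the link."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock              # injectable for deterministic tests
        self._shares: Dict[str, Share] = {}

    def create(self, file_id: str, recipient: str) -> Tuple[str, str]:
        """Register a share and return (link_token, otp).

        The token is placed in the link e-mailed to the recipient; the OTP is
        what the caller would send by SMS.  They travel on separate channels,
        so neither one alone grants access.
        """
        token = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10 ** 8):08d}"     # 8 numeric digits
        salt = secrets.token_bytes(16)
        self._shares[token] = Share(file_id, recipient, _hash_otp(otp, salt),
                                    salt, self._clock() + OTP_TTL_SECONDS)
        return token, otp

    def redeem(self, token: str, otp: str) -> Optional[str]:
        """Return the file id if (token, otp) is valid, else None.

        A share is rejected once it has been used, once it has expired, or
        once MAX_ATTEMPTS guesses have been made; every wrong guess counts.
        """
        share = self._shares.get(token)
        if share is None:
            return None
        if share.used or self._clock() > share.expires_at:
            return None
        if share.attempts >= MAX_ATTEMPTS:
            return None
        share.attempts += 1
        if not hmac.compare_digest(_hash_otp(otp, share.salt), share.otp_hash):
            return None
        share.used = True                # burn it: the link works exactly once
        return share.file_id


if __name__ == "__main__":
    store = AdHocShareStore()
    link_token, sms_otp = store.create("q3-report.pdf", "+1-555-0100")  # constructed
    print("link token:", link_token)
    print("OTP to send by SMS:", sms_otp)
    print("first redeem :", store.redeem(link_token, sms_otp))
    print("second redeem:", store.redeem(link_token, sms_otp))   # None
```

The clock is injected so that expiry can be tested without sleeping; in a real deployment the store would be persistent and the failed-attempt counter would also feed the notification system.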
The secure ad hoc feature also comes with an Outlook plugin which integrates directly with your desktop. Configure it once and you can then use Outlook to send files securely, small or large, and avoid the file size limitations with email.
If you or your partners want to use cloud storage, like Drive, Dropbox, Box, etc., we have adapters that can send files to them. Plus the files can be encrypted, so even though the file is residing on the cloud, it is still securely encrypted until your partner retrieves it and decrypts it.
With the TDXchange dashboards, permitted users can monitor/track activity in the file transfer system with both graphical and textual displays. The TDXchange dashboards give permitted users visibility into activity within the entire system, as well as more granular looks at the number of transfers to particular partners, broken down by transport types, etc. This functionality, combined with the notification system, ensures that administrators are up-to-date on system-wide activity at any time of the day.
To make sure that even data-at-rest is secure, TDXchange gives you the option to encrypt your data store, thereby keeping your data safe from view even for persons who have access to the file system. While the data resides there, it is completely private and TDXchange can even be configured to disallow administrators the ability to view the data.
We like to think of TDXchange as a fully featured MFT system, and are also proud of the extra pieces we have added to make the solution work for our customers. These additional features go beyond traditional MFT and provide some nice-to-have tools that can help you in your day-to-day activities.
Kilpatrick Townsend & Stockton and the Ponemon Institute jointly released a study this week pointing to the vulnerability of many companies’ knowledge assets.
The survey summary notes that research “was conducted to determine whether the publicity-accorded data breaches subject to notification laws and related regulatory requirements has skewed the focus of organizations away from the theft or loss of their most critical information, and to provide helpful practices to reduce the risk.”
U.S. data breach notification laws mandate that companies notify customers or related third parties if data that may cause injury can be compromised, typically customers’ financial and personal identifying information.
The regulatory focus on this information can leave many companies’ most important “knowledge assets,” things like trade secrets and corporate strategy, unprotected or undersecured.
Jon Neiditz, co-leader of Kilpatrick’s cybersecurity, privacy and data governance practice, said that data breach notification laws have really steered what company IT professionals recognize as at-risk data.
“What we see is that what we’ve gotten to know as data breaches really, really come to some extent from data breach notification laws,” Neiditz said.
Data breach laws demand that security professionals and IT specialists attend to the security of specific data, often to the detriment of stricter information governance systems. “The compliance requirements were forcing them towards focusing on the information they’re required to protect,” Neiditz said.
Neiditz noted this was a trend revealed in his work at Kilpatrick on company data breaches. While companies may know how to secure information subject to notification laws, other company knowledge assets often lacked appropriate security or oversight.
Larry Ponemon, chairman and founder of the Ponemon Institute, said that many companies fail to address data vulnerabilities to their most valuable information because a fix would require time and costs that they may not want to spend.
“They’re flying with their heads down because it takes real resources to fix the problems, but they’re real problems. The bad guys are becoming much more surgical in their attacks,” Ponemon noted.
While cyberattacks traditionally have worked to bypass company data security without a specific target data set in mind, Ponemon said that hackers are now more methodical in targeting vulnerable company data. Without appropriate information governance structures in place, companies risk their high value knowledge assets being targeted by these attacks, a cost perhaps far higher than that of protecting the data to begin with.
“A small amount of this high value information in the wrong hands could be maybe more costly,” Ponemon said.
Neiditz said that he hopes the release of this research will encourage IT professionals and company leadership to think more strategically and clearly about the kinds of data they need to focus their resources on, not just the data subject to data breach laws.
“The great opportunity for organizations is to recognize that the most critical data that [an] organization has is in dire need of protection, and that’s in part because the focus of information security programs has been kept away from a focus on the most critical information to organizations,” Neiditz noted.
The study finds that strong data governance, especially when aligned with centralized control over knowledge assets and an IT security strategy, can help secure data better.
Although many may be tempted to run out and seek new data security software, the two authors say that comprehensive security changes require some strategic planning.
“There are no really quick and fast solutions. Technology is required to achieve a high level of information governance, but you need more than that, you need people who have the right skills, and you need an organizational culture that says, ‘We really do care about this,’” Ponemon noted.
That said, Ponemon noted that there are some basic things that companies can begin with to secure these knowledge assets, many of which they can do easily with tools they may already be using. Ponemon said that companies should consider things like “blocking and tackling tools, things you should have in place anyway.”
“It starts with information at high value should be encrypted or tokenized or redacted in ways that renders the information useless if someone sees the information even by accident,” he added.
Neiditz says that fixes like the ones Ponemon pointed to, and those highlighted in the report, may just require a rethinking of current data security tools and strategies.
Much has happened in the world of cybersecurity since last we posted. bTrade will be publishing upcoming posts that hopefully will have interest or provide help to our MFT Nation readers. In between MFT Nation posts, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.
For today, let’s touch on the 2016 LegalTech West Coast Conference, which we attended last month. The conference provides a good glimpse into how lawyers and their bright IT professionals are approaching cybersecurity. We’d like to share our thoughts about one particular comment made by an attendee, as it was echoed both during and after the conference.
Cybersecurity is Just Too Darn Difficult and Complex
Here’s the comment which was made in an article published after the conference: “But while law firms, like companies in the financial and healthcare industries, are implementing security practices, ‘when you look outside of those areas, there’s not a whole lot of standards,’ said David Pluchinsk, partner at Beirne Maynard & Parsons.” The article goes on to say: “This, of course, can make cybersecurity a difficult and complex issue for outside and private counsel.”
We understand the feeling. Data breaches have dominated headlines. Due to the prevalence of cyber threats, many organizations in the legal field are feeling a bit overwhelmed and suffering from what has been described as “breach fatigue.” For example, a Los Angeles-based boutique law firm specializing in divorce cases merged with a larger firm because one of the partners couldn’t sleep at night due to worries about cybersecurity.
But fear not, MFT Nation readers. We have some information that can hopefully ease your fears about cybersecurity.
Pursuing the “Holy Grail”
Contrary to popular sentiment, the financial and healthcare industries have not discovered the panacea of cybersecurity standards. The HIPAA standards do not amount to a cybersecurity “how-to” guide for the healthcare industry. For example, this article explains that HIPAA does not explicitly require encryption; in fact, HIPAA doesn’t explicitly require the implementation of any specific security technology. And as this article demonstrates, the apparent abundance of cybersecurity standards in the financial and healthcare industries does not necessarily translate into real “data security.”
Searching for Standards
We disagree with the statement that “there’s not a whole lot of standards” outside of the financial and healthcare industries. It’s simply not true, as evidenced by the following:
- In the FTC v. Wyndham case, a federal appellate court urged entities looking for cybersecurity standards to refer to the “expert views” provided by the FTC, the “agency responsible for administering the statute [which regulates cybersecurity practices].”
- The appellate court in FTC v. Wyndham pointed to one particular brochure prepared by the FTC called “Protecting Personal Information: A Guide for Business,” which the court said contains the “characteristics” of a “sound data security plan.” In it, the FTC provides a clear and well-written list of “5 key principles” to help businesses “regardless of the size—or nature” with data security. The FTC makes a bold statement in the brochure that “the principles in this brochure will go a long way toward helping you keep data secure.” We wholeheartedly agree.
- In this post, MFT Nation discussed some of the key FTC data security standards.
- On the Data Security page of its website, the FTC has a wealth of other helpful information relating to data security standards. Please take advantage of these resources if you are searching for available data security standards. The information is FREE, and as the first paragraph of the FTC’s Data Security page states, it “can help you meet your legal obligations to protect that sensitive data.”
- Another FREE resource is the “Framework” published by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department. NIST describes the Framework as a compilation of “standards, guidelines, and practices to promote the protection of critical infrastructure.” The Framework operates on the principle that one-size-fits-all checklists are inferior to “risk-based” cybersecurity practices. We here at the MFT Nation have written before about the Framework. Suffice it to say that we consider the Framework better suited for larger organizations and advanced cybersecurity practitioners.
Knowing lawyers like I do, I’m sure the search for the “Holy Grail” of cybersecurity standards will continue. Hopefully, the above-mentioned resources will put the industry on the right path.
Contact bTrade for Help
People care about cybersecurity and the impact it has on their lives, both personally and professionally. However, it is one issue over which they feel they have limited control.
Cybersecurity is not an easy thing. But many aspects of running a business are complex and difficult. We don’t want to understate the complexity of cybersecurity. But deal with it like you would any other complex and difficult aspect of your business—get advice from one or more subject matter experts and devise a plan that fits your company and budget.
If you need help, contact our data security experts at email@example.com.
Also, to stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.