Blog – MFT Nation

Monday Cybersecurity Tip – Healthcare

The HIPAA “Technical Safeguards” focus on the technology that protects PHI and controls access to it.  Remember, HIPAA does not specify the type of technology an organization must use.  Instead, it sets forth the following categories of standards or guidelines:

  • Access Control
  • Audit Controls
  • Integrity
  • Authentication
  • Transmission Security

If you want more information about complying with HIPAA’s “Technical Safeguards,” we recommend this resource which is produced by the US federal government agency responsible for HIPAA compliance.

If you want to learn more about how a managed file transfer software solution like TDXchange can help you comply with HIPAA’s “Technical Safeguards,” contact us at info@btrade.com.


 
Multiple Ransomware Infections Reported

Earlier today we advised of a cybersecurity tip from the US Department of Homeland Security about regularly updating software on your Internet-connected devices. That tip was timely given this malware alert from US-CERT: http://bit.ly/2z4Y8QE

 
Cybersecurity Awareness: Stop.Think.Connect.

The US Department of Homeland Security, as part of its Cybersecurity Awareness Month activities, offers this cybersecurity tip: “Keep a clean machine. Regularly update the software on your Internet-connected devices, including PCs, smartphones, and tablets, to reduce the risk of infection from malware.”

 
Protecting Critical Infrastructure from Cyber Threats

US-CERT, an authoritative source in cybersecurity for the US Federal Government, offers some good info on this last day of Cybersecurity Awareness Month: http://bit.ly/2A2NQ0y

 
From Where Will the Next Big Data Breach Come? (Hint: It Might Be Sitting in Your Chair)

MFT Nation routinely reports on the world of cybersecurity, but October is special for bTrade because it is National Cybersecurity Awareness Month.  As part of its cybersecurity awareness efforts, MFT Nation wants to share information from a data breach report released by specialty insurer, Beazley Insurance Company, related specifically to the US healthcare sector.  Beazley’s report examines the major causes of data breaches reported by healthcare insureds in the first nine months of 2017.

The good news, at least from the perspective of a data security software company like bTrade, is that the cause of most breach incidents is “human error.”  Beazley found these incidents typically involve an employee viewing patient records without a work-related reason to do so—e.g., looking at a celebrity patient’s record or the record of an ex-spouse or neighbor—and that these “employee snooping” incidents are often discovered by “audits run on the electronic medical records system.”

The Beazley report correctly notes that “increased employee vigilance and auditing will help organizations identify such behavior early on, reducing the number of affected patients and hopefully lessening the likelihood of regulatory inquiry.”  And as a reminder, bTrade’s TDXchange software powers electronic medical records systems and has robust “audit” capabilities, including the ability to view all activity conducted within the system and generate a number of reports based on your defined criteria.

The second most frequent reported cause of healthcare data breaches is “hack or malware.”  The Beazley report correctly notes that encryption is one of the best preventatives for hack or malware.  As a reminder, bTrade software has the encryption strength required by the US federal government.

One final note about the Beazley report.  The authors surveyed enforcement actions brought by the leading federal government agency responsible for HIPAA oversight and enforcement and offered this observation which may be of interest to our MFT Nation readers:

“But with the increase in OCR’s resolution agreements, a trend of OCR’s hot button issues has emerged. Organizations should review previous resolution agreements (all of which are available on OCR’s website) and familiarize themselves with what OCR considers to be best practices, such as: device encryption; workforce education and training; updating of policies and procedures; the elimination of old data; security risk assessments; risk mitigation plans; vendor management and using the minimum amount of PHI.”

To learn more about how bTrade can help you secure ALL aspects of your critical data, please contact us at info@btrade.com.

Also, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.

 
Hackers Gonna Hack so the Future of Cybersecurity will be Un-CIV-alized

We here at MFT Nation were drawn to an article in which the author opines on what cybersecurity will look like in 10 years.  We chose to write about the article not because the author offered anything particularly mind-blowing, but rather because we want to offer a few predictions of our own based on an assumption that the author’s future vision of cybersecurity becomes a reality.

One Man’s Vision for the Future of Cybersecurity—CIV World

1.  A World of Complex, Interconnected, Vulnerable (CIV) Systems

One facet of the author’s future vision is an increased “role of cyber” because although so many aspects of our personal and business lives are already “interconnected and driven by computers,” in the future “this connection will be even tighter.”  Another part of his vision is increased “vulnerability” given the “complexity and connectivity” of the systems.  The CIV systems will get so complex that humans “will not be able to cope with all this information” so we will rely on “artificial intelligence to help us in making decisions.”   For purposes of this post, we’ll call this future state “CIV World.”

2.  Proliferation of Attacker Ecosystem

The author believes the “attacker ecosystem” will expand to include more types of hackers—from “nation sponsored organizations” to people with “no apparent motive” except to “demonstrate their technical skills”—who will have more sophisticated techniques such as “bots” that “scan the entire network and find the weakest spot.”

3.  Cybersecurity Defense Will Need to Keep Pace

Given the preceding two points, the author sees a future with “more sophisticated” cybersecurity defense systems including artificial intelligence and a “new generation of cyber experts.”

CIV World Creates Very Real Problems of Its Own

 1.  The Great Recession: A Case Study for What Can Happen to CIV World

Most of you certainly remember the financial crisis of the late 2000s, now referred to as the “Great Recession.”  None of the world’s financial gurus in either the public or private sector predicted a collapse of the complex, interconnected, vulnerable financial systems around the globe.  A Forbes article boldly declares that if anyone tells you they predicted it, they’re lying.

Will CIV World lead to a global crisis of epic proportions?  Hopefully not.  But recognize that CIV World technology systems are very much like modern economies, in that because of their “complexity and connectivity,” vulnerabilities will be present which no man or machine can foresee.

The CIV World author says help will come from the “next generation of cyber experts” and “artificial intelligence to help us in making decisions.”  The best and brightest of the financial industry no doubt felt the same way before the Great Recession.  If you don’t believe us, please read this article from the immensely powerful Federal Reserve Bank of New York.

In it, the New York Fed attempts to explain why no one foresaw the Great Recession.  Interestingly, the article begins by excerpting quotes from two prominent economists stating that “threats will constantly be changing in ways we cannot predict or fully understand.”  That is telling, indeed.  The powerful New York Fed starts its explanation for failing to forecast the Great Recession with an implicit admission that modern economies are so complicated that it cannot predict threats or even “fully understand” what’s going on.

We foresee the same situation for CIV World; the complexity of the many interconnected systems will lead to vulnerabilities that the next generation of cyber experts won’t be able to foresee, even if they are armed with AI and other developing technologies.

2.  Hackers Gonna Hack, and their Favorite Targets Will be Big Government and Large Corporations

The CIV World author sees government taking “a bigger role” protecting “large scale environments like their own infrastructure (power grids, water supply, traffic control and frankly – everything around us).”  He also sees “[l]arge corporations” assuming a larger role “guard[ing] their data on their own servers, on their cloud servers, on our personal computers, and even on our mobile devices.”

He’s probably right, but should we feel comforted by big government and large corporations taking a larger role?  To answer that question, we harken back again to events surrounding the Great Recession.  To reiterate, no one in the financial world, not government or large corporations, could foresee the collapse of the complex, connected global financial system.  In fact, the New York Fed tells us that it’s all too complicated for government or large corporations to predict threats or even to fully understand.  The same applies to CIV systems that will exist in CIV World.

Besides, basic human nature suggests that problems will follow if big government and large corporations take larger roles.  Think about it from the perspective of hackers.  If all the sheep are flocking to complex, interconnected, vulnerable systems created and operated by big government and large corporations, where do you think the hackers will target?  So prepare for large scale hacks and resulting data breaches in CIV World.

Heck, it may already be happening, as evidenced by this Forrester article discussing recent data breach incidents occurring at one big government agency—the SEC—and two large corporations—Equifax and Deloitte.  The Forrester author does such a good job of summarizing our point so we will just excerpt this quote from his article:

It’s always tough to call hacking a trend after all, “hackers gonna hack.” However, it does continue to prove the oft-used Willie Sutton adage about robbing banks “because that’s where the money is” has not become irrelevant in the 21st century. Hackers have adapted to the digital transformation and data economy much like Enterprises have. Moreover, that means adjusting how and what they target.

Given the constant that “hackers gonna hack,” the CIV systems created by CIV World’s government and large corporations will make nice, juicy, easy targets for hackers.

3.  Prepare for an Arms Race, of Sorts

It sounds to us like CIV World will devolve into an “arms race.”  Wikipedia generally defines the phrase “arms race” as “a competition between two or more parties/groups to have the best armed forces,” like the buildup of nuclear weapons by the US and the Soviet Union during the Cold War.  Wikipedia correctly points out, however, that “close analogues” exist in the technology field “such as the arms race between computer virus writers and antivirus software writers, or spammers against Internet service providers and E-mail software writers.”

As Wikipedia correctly points out, the fundamental problem with an arms race is “no absolute goal” exists, “only the relative goal of staying ahead of the other competitors in rank or knowledge.”  And the end result is “futility” because “the competitors spend a great deal of time and money, yet end up in the same situation as if they had never started the arms race.”

So in CIV World, expect to spend a great deal of time and money defending the large and ever-increasing numbers of CIV systems.  And to what end?  Futility, of course, because the competitors end up in the same situation as if they had never started the arms race.

Do You Want to Reduce Complexity While Increasing Security?  bTrade Can Help

You don’t have to go down the CIV World path.  Many alternatives exist other than the large, risky, public-facing systems described in CIV World.

For small to medium-sized organizations, the most secure systems are those that involve stand-alone solutions allowing local transfer and storage of data.  Why?  Because only those with physical access to the computer or device can access the data.

For larger organizations, it may be better to deploy a centralized server to store and transmit data internally and externally over secure network connections.  The best way to mitigate risk is by maintaining servers within an organization’s own firewalls.

Encryption also plays an important role in data security and is a central component of bTrade solutions.  There are several types of encryption, including the process of transforming plaintext into an unintelligible form (ciphertext) such that the original data either cannot be recovered (one-way encryption) or cannot be recovered without using an inverse decrypting process (two-way encryption).  By encrypting all data “in transit” and “at rest,” organizations will meet and exceed all compliance and governance mandates.

To learn how bTrade can help you secure ALL aspects of your critical data, please contact us at info@btrade.com.

Also, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.

When More Cybersecurity Regulation Works

The Consumer Financial Protection Bureau (CFPB) has fired a shot across the bow of the cybersecurity world and the ever-expanding online payment industry, taking a cybersecurity enforcement action that marked the agency’s first foray into regulating data security.

Dwolla Inc., a Des Moines-based digital payment startup, agreed to pay a $100,000 penalty and improve its data security practices as part of a consent order that the CFPB issued last month.  Without alleging that the company was breached, the CFPB accused Dwolla of overstating the measures it took to protect consumers’ personal information between December 2010 and 2014.

According to the consent order, Dwolla claimed on its website that it met or surpassed industry cybersecurity standards, even though its transactions, servers and data centers did not comply with those standards.  The company also failed to live up to claims that it encrypted all sensitive personal information, according to the CFPB.

The consent order, which requires the company to fix its security practices and conduct biannual risk assessments, represented the five-year-old agency’s first step into territory traditionally policed by the Federal Trade Commission (FTC).  In August, a federal court affirmed the FTC’s authority to regulate data security in FTC v. Wyndham Worldwide, — F.3d —, No. 14-3514 (3d Cir. 2015).  Some industry observers say the CFPB appears to be stretching its authority over “unfair, deceptive or abusive acts or practices” as the basis for regulating data security.  The Dodd-Frank Act gave the CFPB jurisdiction over privacy, but left data security with the FTC.

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” CFPB Director Richard Cordray said in a prepared statement.  With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing.  It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.

 
Cybersecurity Tip: Securing Data At-Rest Is Easier Than You Think

Data In-Transit

By now, everyone involved in the world of cybersecurity understands the importance of sending and receiving data in a secure manner.  Cybersecurity professionals will tell you that whenever you release files and they travel across systems over which you have no control, you must take certain steps to ensure the data is secure.  For example, the file can be encrypted and digitally signed using advanced algorithms before being sent.  Additionally, you can transmit the files across a secure channel using communication protocols such as AS2, SFTP, FTPS, etc.  This ensures that in the very rare situation that files would be intercepted, they are unreadable and therefore useless to the intercepting party.  This process is often referred to as securing data “in-transit.”

Data At-Rest

Data “at-rest,” as the term implies, is data which is stored on a drive and is not currently in use or being transmitted.  Due to its very nature, this is generally a relatively secure state.  The storage device is buried in a machine housed internally behind multiple layers of security, network devices, etc.  However, the data itself is still in a legible and accessible state from the other machines also behind these layers of cybersecurity.  Additionally, these machines are still connected to the internet in some manner and thereby potentially accessible by cyber thieves.

Today, the majority of data breaches are initiated by internal machines once thought to be highly secured.  For example, a user unknowingly obtains a piece of malware from a website, opens an infected email attachment, or even knowingly accesses the data with malicious intent.  These types of events happen many times a day, across organizations of all sizes, and located all around the world.  Securing your data while at rest can make it useless to such a would-be threat.

Securing data at-rest (at least from a high level) seems like it can be done easily enough.  You can encrypt the data using strong algorithms such as AES or RSA using various methods.  The data can be encrypted through software or applications, and even via hardware itself.  However, what happens when you need to access the data?  How do you integrate these encryption methods with your third party applications and communication tools?  This is where securing data which has been or will be transmitted externally can start to look like a daunting task… or does it?

Luckily, a solution does exist.  You could deploy a managed file transfer solution which has a secure and encrypted datastore, such as bTrade’s TDXchange software.  In fact, for many years bTrade’s cybersecurity experts have offered the ability to secure the data at-rest with the simple click of a box in the user interface.  We can automatically encrypt all files sent and received over all aspects and areas of processing with virtually no impact to the user.

bTrade Can Help

It’s no longer enough to only secure your data while only in use or transit.  To learn how bTrade can help you secure ALL aspects of your critical data, please contact us at info@btrade.com.

Also, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.
