Earlier today we advised of a cybersecurity tip from the US Department of Homeland Security about regularly updating software on your Internet-connected devices. That tip was timely given this malware alert from US-CERT: http://bit.ly/2z4Y8QE.
The US Department of Homeland Security, as part of its Cybersecurity Awareness Month activities, offers this cybersecurity tip: “Keep a clean machine. Regularly update the software on your Internet-connected devices, including PCs, smartphones, and tablets, to reduce the risk of infection from malware.”
MFT Nation routinely reports on the world of cybersecurity, but October is special for bTrade because it is National Cybersecurity Awareness Month. As part of its cybersecurity awareness efforts, MFT Nation wants to share information from a data breach report released by specialty insurer, Beazley Insurance Company, related specifically to the US healthcare sector. Beazley’s report examines the major causes of data breaches reported by healthcare insureds in the first nine months of 2017.
The good news, at least from the perspective of a data security software company like bTrade, is that the cause of most breach incidents is “human error.” Beazley found these incidents typically involve an employee viewing patient records without a work-related reason to do so—e.g., looking at a celebrity patient’s record or the record of an ex-spouse or neighbor—and that these “employee snooping” incidents are often discovered by “audits run on the electronic medical records system.”
The Beazley report correctly notes that “increased employee vigilance and auditing will help organizations identify such behavior early on, reducing the number of affected patients and hopefully lessening the likelihood of regulatory inquiry.” And as a reminder, bTrade’s TDXchange software powers electronic medical records systems and has robust “audit” capabilities, including the ability to view all activity conducted within the system and generate a number of reports based on your defined criteria.
The second most frequent reported cause of healthcare data breaches is “hack or malware.” The Beazley report correctly notes that encryption is one of the best preventatives for hack or malware. As a reminder, bTrade software has the encryption strength required by the US federal government.
One final note about the Beazley report. The authors surveyed enforcement actions brought by the leading federal government agency responsible for HIPAA oversight and enforcement and offered this observation which may be of interest to our MFT Nation readers:
“But with the increase in OCR’s resolution agreements, a trend of OCR’s hot button issues has emerged. Organizations should review previous resolution agreements (all of which are available on OCR’s website) and familiarize themselves with what OCR considers to be best practices, such as: device encryption; workforce education and training; updating of policies and procedures; the elimination of old data; security risk assessments; risk mitigation plans; vendor management and using the minimum amount of PHI.”
To learn more about how bTrade can help you secure ALL aspects of your critical data, please contact us at firstname.lastname@example.org.
We here at MFT Nation were drawn to an article in which the author opines on what cybersecurity will look like in 10 years. We chose to write about the article not because the author offered anything particularly mind-blowing, but rather because we want to offer a few predictions of our own based on an assumption that the author’s future vision of cybersecurity becomes a reality.
One Man’s Vision for the Future of Cybersecurity—CIV World
1. A World of Complex, Interconnected, Vulnerable (CIV) Systems
One facet of the author’s future vision is an increased “role of cyber” because although so many aspects of our personal and business lives are already “interconnected and driven by computers,” in the future “this connection will be even tighter.” Another part of his vision is increased “vulnerability” given the “complexity and connectivity” of the systems. The CIV systems will get so complex that humans “will not be able to cope with all this information” so we will rely on “artificial intelligence to help us in making decisions.” For purposes of this post, we’ll call this future state “CIV World.”
2. Proliferation of Attacker Ecosystem
The author believes the “attacker ecosystem” will expand to include more types of hackers—from “nation sponsored organizations” to people with “no apparent motive” except to “demonstrate their technical skills”—who will have more sophisticated techniques such as “bots” that “scan the entire network and find the weakest spot.”
3. Cybersecurity Defense Will Need to Keep Pace
Given the preceding two points, the author sees a future with “more sophisticated” cybersecurity defense systems including artificial intelligence and a “new generation of cyber experts.”
CIV World Creates Very Real Problems of Its Own
1. The Great Recession: A Case Study for What Can Happen to CIV World
Most of you certainly remember the financial crisis of the late 2000s, now referred to as the “Great Recession.” None of the world’s financial gurus in either the public or private sector predicted a collapse of the complex, interconnected, vulnerable financial systems around the globe. A Forbes article boldly declares that if anyone tells you they predicted it, they’re lying.
Will CIV World lead to a global crisis of epic proportions? Hopefully not. But recognize that CIV World technology systems are very much like modern economies, in that because of their “complexity and connectivity,” vulnerabilities will be present which no man or machine can foresee.
The CIV World author says help will come from the “next generation of cyber experts” and “artificial intelligence to help us in making decisions.” The best and brightest of the financial industry no doubt felt the same way before the Great Recession. If you don’t believe us, please read this article from the immensely powerful Federal Reserve Bank of New York.
In it, the New York Fed attempts to explain why no one foresaw the Great Recession. Interestingly, the article begins by excerpting quotes from two prominent economists stating that “threats will constantly be changing in ways we cannot predict or fully understand.” That is telling, indeed. The powerful New York Fed starts its explanation for failing to forecast the Great Recession with an implicit admission that modern economies are so complicated that it cannot predict threats or even “fully understand” what’s going on.
We foresee the same situation for CIV World; the complexity of the many interconnected systems will lead to vulnerabilities that the next generation of cyber experts won’t be able to foresee, even if they are armed with AI and other developing technologies.
2. Hackers Gonna Hack, and their Favorite Targets Will be Big Government and Large Corporations
The CIV World author sees government taking “a bigger role” protecting “large scale environments like their own infrastructure (power grids, water supply, traffic control and frankly – everything around us).” He also sees “[l]arge corporations” assuming a larger role “guard[ing] their data on their own servers, on their cloud servers, on our personal computers, and even on our mobile devices.”
He’s probably right, but should we feel comforted by big government and large corporations taking a larger role? To answer that question, we harken back again to events surrounding the Great Recession. To reiterate, no one in the financial world, not government or large corporations, could foresee the collapse of the complex, connected global financial system. In fact, the New York Fed tells us that it’s all too complicated for government or large corporations to predict threats or even to fully understand. The same applies to CIV systems that will exist in CIV World.
Besides, basic human nature suggests that problems will follow if big government and large corporations take larger roles. Think about it from the perspective of hackers. If all the sheep are flocking to complex, interconnected, vulnerable systems created and operated by big government and large corporations, where to you think the hackers will target? So prepare for large scale hacks and resulting data breaches in CIV World.
Heck, it may already be happening, as evidenced by this Forrester article discussing recent data breach incidents occurring at one big government agency—the SEC—and two large corporations—Equifax and Deloitte. The Forrester author does such a good job of summarizing our point so we will just excerpt this quote from his article:
It’s always tough to call hacking a trend after all, “hackers gonna hack.” However, it does continue to prove the oft-used Willie Sutton adage about robbing banks “because that’s where the money is” has not become irrelevant in the 21st century. Hackers have adapted to the digital transformation and data economy much like Enterprises have. Moreover, that means adjusting how and what they target.
Given the constant that “hackers gonna hack,” the CIV systems created by CIV World’s government and large corporations will make nice, juicy, easy targets for hackers.
3. Prepare for an Arms Race, of Sorts
It sounds to us like CIV World will devolve into an “arms race.” Wikipedia generally defines the phrase “arms race” as “a competition between two or more parties/groups to have the best armed forces,” like the buildup of nuclear weapons by the US and the Soviet Union during the Cold War. Wikipedia correctly points out, however, that “close analogues” exist in the technology field “such as the arms race between computer virus writers and antivirus software writers, or spammers against Internet service providers and E-mail software writers.”
As Wikipedia correctly points out, the fundamental problem with an arms race is “no absolute goal” exists, “only the relative goal of staying ahead of the other competitors in rank or knowledge.” And the end result is “futility” because “the competitors spend a great deal of time and money, yet end up in the same situation as if they had never started the arms race.”
So in CIV World, expect to spend a great deal of time and money defending the large and ever-increasing numbers of CIV systems. And to what end? Futility, of course, because the competitors end up in the same situation as if they had never started the arms race.
Do You Want to Reduce Complexity While Increasing Security? bTrade Can Help
You don’t have to go down the CIV World path. Many alternatives exist other than the large, risky, public-facing systems described in CIV World.
For small to medium-sized organizations, the most secure systems are those that involve stand-alone solutions allowing local transfer and storage of data. Why? Because only those with physical access to the computer or device can access the data.
For larger organizations, it may be better to deploy a centralized server to store and transmit data internally and externally over secure network connections. The best way to mitigate risk is by maintaining servers within an organization’s own firewalls.
Encryption also plays an important role in data security and is a central component of bTrade solutions. There are several types of encryption, including the process of transforming plaintext into an unintelligible form (ciphertext) such that the original data either cannot be recovered (one-way encryption) or cannot be recovered without using an inverse decrypting process (two-way encryption). By encrypting all data “in transit” and “at rest,” organizations will meet and exceed all compliance and governance mandates.
To learn how bTrade can help you secure ALL aspects of your critical data, please contact us at email@example.com.