It happens more often than you might think: the loss of consumers’ personally identifiable data due to lost hardware.
Due to headline-grabbing cyber breaches, we often forget about the very real problem of lost data on devices. Whether stolen or just missing in action, these types of data breaches are a regular occurrence—and a serious risk.
For example, in January, Modern Healthcare reported that the health insurance company Centene Corp. was hunting for six computer hard drives containing the health records of nearly one million patients.
The company said the hard drives were being used in a data project analyzing lab test results to improve members’ health outcomes. The PHI (personal health information) on the missing drives included individuals’ names, dates of birth, Social Security numbers, member ID numbers and unspecified “health information.”
Centene is not the only company facing the problem of lost devices. Several studies have reported on the issue. For example, eSecurity Planet found the leading cause of data breaches has been the theft or loss of unencrypted laptops and USB drives. “If there’s a difference between a laptop theft today and 10 years ago, it’s that it’s probably got saleable data on it,” stated Stephen Cobb, ESET senior security researcher.
Lock Down Devices with Encryption
The Centene security incident is yet another reminder of the critical importance of applying cybersecurity measures to any device containing PII or PHI data. In this case, if the health insurance company had encrypted the data it would not have to be so worried about the data on missing devices getting into the wrong hands.
Encryption scrambles data so that it can only be unscrambled with the right key or password. It is an effective safeguard in all three states of data: at rest, in use and in transit:
- Data at rest. Refers to inactive data stored physically in any digital form, such as hard drives and mobile devices.
- Data in use. Refers to active data stored in a non-persistent digital state, typically in computer RAM, CPU caches or CPU registers.
- Data in transit. Covers information that flows over a public or untrusted network such as the Internet, as well as data that flows within a private network such as a corporate or enterprise LAN.
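To make the data-at-rest point concrete, here is an added example (not from the original post) that encrypts a constructed patient record with a key derived from a passphrase, using AES-256-GCM from Ruby's standard OpenSSL binding; the function names, the sample record and the passphrases are assumptions for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not from the original post): protect a record "at rest" with a
# passphrase-derived key and AES-256-GCM, so a lost drive holding only the
# ciphertext reveals nothing without the passphrase.

ITERATIONS = 200_000 # PBKDF2 work factor; slows down passphrase guessing

def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: ITERATIONS,
                           length: 32, hash: 'sha256')
end

# Returns everything that may be written to the drive; none of it is secret.
def encrypt_record(plaintext, passphrase)
  salt = SecureRandom.random_bytes(16)
  iv   = SecureRandom.random_bytes(12) # GCM nonce, never reused with the same key
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv  = iv
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  { salt: salt, iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Returns the plaintext, or nil when the passphrase is wrong or the data was tampered with
# (GCM's authentication tag fails to verify in both cases).
def decrypt_record(blob, passphrase)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(passphrase, blob[:salt])
  cipher.iv  = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.auth_data = ''
  cipher.update(blob[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Constructed sample record, in the shape of the fields named in the post (hypothetical values).
PHI_RECORD = 'name=Jane Doe;dob=1970-01-01;ssn=000-00-0000;member_id=EXAMPLE-1'.freeze

if __FILE__ == $0
  blob = encrypt_record(PHI_RECORD, 'correct horse battery staple')
  puts blob[:ciphertext].include?('Jane') ? 'plaintext leaked!' : 'ciphertext reveals nothing'
  puts decrypt_record(blob, 'wrong passphrase').inspect # nil: wrong key, tag check fails
  puts decrypt_record(blob, 'correct horse battery staple')
end
```

The protection is only as strong as the passphrase and the key management around it; in practice the same guarantee for a whole device comes from full-disk encryption such as BitLocker, FileVault or LUKS.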
The Power of Encryption
The FBI’s recent attempt to force Apple to access encrypted files on a terrorist’s iPhone has raised many questions about the balance between security and accessibility. However, experts agree that encryption is vital to the optimal security of networks and data. In fact, it’s impossible to operate the commercial Internet or other widely deployed global communication networks securely without the use of encryption.
It’s so vital that last year 15 security specialists and university professors collaborated on a 34-page document published by MIT expressing their concern about the government’s repeated requests for “exceptional access” to encrypted data. Interestingly, this document was published almost six months before the FBI vs. Apple case.
In the report, they denounce exceptional access legislation. They emphasize that the stakes are much higher today than ever before, because “the scale and scope of systems dependent on strong encryption are far greater, and our society is far more reliant on far-flung digital networks that are under daily attack.”
While companies like iPhone, Facebook and Google are taking encryption seriously (to the point of pushing back on government agencies’ frequent data requests in the name of security), other companies are not. In fact, some of the biggest breaches in recent history were due to a lack of encryption, including the breaches at Target, Sony and the U.S. Office of Personnel Management.
“Ninety-nine percent of organizations do not encrypt anything other than the occasional laptop,” stated Chris Gatford, director of penetration testing at Hacklabs, according to ZDNet. “Encrypted file systems, especially encrypting data at rest, it just doesn’t occur.”
Further, MIT Technology Review reported that: “Many technological security failures of today can be traced to failures of encryption. (For example,) in 2014 and 2015, unnamed hackers—probably the Chinese government—stole 21.5 million personal files of U.S. government employees and others. They wouldn’t have obtained this data if it had been encrypted.”
Add a Cybersecurity Framework
Not only should all organizations take encryption seriously, but they also need to build a stronger overall cyber defense that ensures encryption is actually in place alongside other security measures. They can achieve this by adopting a cybersecurity framework as part of their security strategy.
The combination of a solid cybersecurity framework and strong encryption creates the equivalent of a double-bolt lock that makes it harder than ever for malicious attackers to penetrate organizations’ security walls.
The most comprehensive cybersecurity framework was created by the National Institute of Standards and Technology (NIST). According to NIST, its cybersecurity framework “enables organizations to establish a roadmap for reducing cybersecurity risks that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.”
The NIST Framework Core consists of five concurrent and continuous functions—identify, protect, detect, respond and recover. These functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. They lay out questions and guidelines for organizations to answer and execute including:
- Identify. What assets need protection?
- Protect. What safeguards are available?
- Detect. What techniques can identify incidents?
- Respond. What techniques can contain impacts of incidents?
- Recover. What techniques can restore capabilities?
This double-bolt approach of combining encryption with a cybersecurity framework will not only keep data on devices safer across the organization, but the entire network will be more secure—from both daily attacks by unrelenting aggressors and the ongoing, very real risk of losing devices.
Contact us today for more information about how we help organizations to identify, measure and respond to their information risks.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.