Data Safeguard Policies

A Q&A with David Lineman, President of Information Shield
An organization’s security is only as good as its underlying policy. Besides guiding personnel on procedures, rules and protocols, policy is also a public signpost that will reassure customers, third party organizations and stakeholders that their data will be protected. To find out more about the common mistakes people make with regard to data safeguard policy, I talked to David Lineman, president of Information Shield (and eRisk Hub resource vendor).

What security/privacy provisions are most often missing from organizations’ policies, especially small to medium size organizations?
Among the security policies most often left out is “acceptable use” of internet and email, even though these are common areas for breaches. The technical vulnerabilities are always there, certainly, but many of the huge, public breaches occur when someone emails out personal data by mistake, or responds to a phishing email with data that then leads to a technical breach. So where organizations tend to be missing the boat is with the policies that relate to people and the way they behave—and making sure that people in the organization, no matter what size it is, are aware of those policies that apply to them. Really, all of the regulations in healthcare and financial services actually point to the same set of controls in security policies—passwords, for instance. You need to manage access control with passwords and that is as valid today as it was 30 years ago as a key element of personnel security. Employees need to be screened and they should be receiving security education and training. Companies are spending billions of dollars on technology and a minute amount on training for security. Another area that tends to be neglected is physical security: putting locks on doors, not leaving sensitive information out on a file cabinet or in a dumpster—but also the management of media such as phones and tablets.

Some companies will try to copy a policy (e.g. privacy policy) off of the internet as a template. What are some of the pitfalls of doing this?
Templates are fine but they all need to be customized to make them appropriate for your organization. People want to think that a template will make their job easier but there’s no way of getting around the fact that the policy needs to be adjusted based on the needs of the business. We sell templates as part of our business, but we make them customizable and we give people the tools and tips to help them. There are certainly risks to using a template. For example, many companies in financial services get audited quite often. And the worst thing you can do—almost worse than not having a policy or not following a policy—is to copy a template in a rush and leave it untouched with the wrong information. It’s a huge trend in security and compliance right now to validate third parties, and if you have a sloppy policy, you can also lose business and credibility with clients.

What are some of the most critical policies organizations need to comply with various state or federal regulations?
Well, the ones we’ve talked about already are required. Virtually every regulation specifies physical security, third party security, access control, and acceptable use of internet and email. Two areas I haven’t talked about are business continuity and breach response. Regulators spend a lot of time looking at breaches and what happened so that they can stop them from happening in the future. Breach response plans need to be written and incorporated into company policy. Disaster recovery and business continuity is a big area—we’ve seen over the past couple of years that natural disasters and it can knock out a business for weeks at a time. In general, I think people have to have an eye toward a comprehensive set of security policies and not just look at something like access control in isolation. You cannot comply with regulations by just picking one or two areas to focus on. If you have a small business you might not need the same intricate detail a big company will need, but you still need to have a comprehensive policy.

In conclusion…
As Mr. Lineman points out, good privacy and security practices start with a written policy. But that’s only the beginning. There then needs to be internal enforcement and fine-tuning of the policy to ensure adherence. We have also seen similar problems with templates. Plaintiff lawyers love to point out inaccuracies in a company’s policy, especially where it may say one thing but the company is doing another, so one may argue that using a template is a deceptive trade practice, thus increasing your negligence.

Preventing eBusiness Interruption

A Q&A with Mark Teolis, General Manager of DOSarrest
Denial of service (DDoS) attacks are a threat to any business with an online presence. With little effort, an attacker across the world can completely overwhelm, degrade and/or crash your business computer servers. The result is that you then lose customer trust and revenue for every minute the system is down. This type of attack is very prevalent and difficult to defeat. DOSarrest (an eRisk Hub listed vendor) assists organizations in deflecting these belligerent attacks. We spoke with general manager Mark Teolis to learn more about DDoS attacks and what we can do about them.

Can you explain what a DDoS attack is, and how this type of interruption impacts commerce operations?
A DDoS attack is when someone is maliciously sending unimportant—often just nonsense—traffic to your webserver, forcing the server to respond to it. The repeated requests bog down the server and eventually it can’t deal with any requests, even legitimate ones, and it starts to slow down or crash. If you have an ecommerce operation that’s hit by a DDoS attack, your operations simply stop. Your site is down, and customers can’t log on. Often they go somewhere else to make the purchase. And if your operation is time-critical, such as Ticketmaster, for instance, missing out on that day’s sales is not like having a bag of sugar you can sell the next day. It’s a loss you can’t recoup. These attacks can be devastating and most people are not prepared. I always tell people to have a plan in place, to think about being down for a day to three days and how it will impact business, prestige and sales. Protecting yourself is an expensive undertaking, but can you really afford to take the risk?

How often are businesses sustaining this type of an attack? Are any sectors more exposed than others?
We don’t have any hard and fast numbers because in most cases companies don’t report these attacks. However, we believe there are about 10,000 DDoS attacks a day. At the beginning, about 10 or 15 years ago, the biggest target was the electronic gaming industry and that’s where this thing started. These days, anyone can launch this type of attack, without any kind of tech knowledge. All they need is to rent a botnet for as little as US $20 a day. So everyone is getting hit now.

How does DOSarrest (or similar solutions) help prevent or mitigate DDoS attacks?
If you want to protect yourself, there are a couple of ways to go about it. You can buy a piece of equipment, a DDoS mitigation device, which is a onetime fee and it will stop attacks, though each device has different capabilities. Another route is to go to a provider who offers protection services–again, some are better than others. In this case you are usually paying a monthly fee. Your provider is only as good as their upstream connection—if the attack is too big for the connection, your system will go down. One of the biggest misconceptions people have is if they buy a service or a device it will be able handle everything, and it’s just not true. Our service relies on our own proprietary techniques to block malicious traffic and we offer it as a monthly fee.

If my business is undergoing a live DDoS attack and I call DOSarrest (in a panic, of course), how soon can I expect to get the problem resolved so I’m operational again?
We can have it resolved in 15 minutes once a customer goes through the emergency form on our site.

In conclusion…
We have personally seen clients pummeled by DDoS attacks and often it’s at the height of their sales season (Black Friday or Cyber Monday, for instance). Sometimes these attacks are accompanied with an extortion threat (pay this or else). Other times, the bad guys might use the DDoS as camouflage so they can exploit and breach an application. We have also seen DOSarrest help clients and restore their ecommerce operations in a timely manner so that desired customer traffic can get through, while the bad guy noise cannot. This is not a testimony, but this firsthand experience is one of the reasons why we wanted to interview Mr. Teolis for this article, and this is why we include DOSarrest in our eRisk Hub crisis portal.


SCADA: Old Systems with New Risks!

A Q&A with David Wolpoff, Kyrus Technologies
Supervisory control and data acquisition (SCADA) systems are industrial computer systems that monitor and control industrial or infrastructure processes. Recently, two hacking incidents at water utilities in Illinois and Texas have exposed their vulnerabilities. To get a better handle on how companies using SCADA systems can better protect them from malicious attacks, I spoke with David Wolpoff of Kyrus Tech.

How do bad guys access and exploit SCADA systems?
I wish I could say there’s some magical technique. Unfortunately, it’s the same vulnerabilities you see in any computer system. Things are interconnected. When someone wanted to get into the IT infrastructure of the city water utility in Springfield, Illinois, all they had to do was get access by breaking into the third party vendor who sold the SCADA system to steal passwords and they walked right into an open door. The problem is when you get these embedded systems people think of them as a product they purchase and deploy, and they don’t think it’s something someone might want to subvert, so they’re not doing the same kind of due diligence that they might do for their other systems.

What types of damages can a SCADA attack lead to?
SCADA systems bridge the gap between cyber space and kinetic space so they tend to be interfacing with larger scale systems with a physical presence. That means an attacker can shut down a water pump and cut off the water supply to a city. In general, an event could include everything from interfering with a particular manufacturing process—which might only be noticeable to a company—to attacking a power grid, which would impact an entire region and pose major risks. We don’t know if SCADA attacks are happening more often than they used to but my guess is that people are probably accessing these systems on a regular basis—it just doesn’t always make it into the media.

What can a client do to proactively defend themselves against these attacks?
Again, I wish there was something magical out there. It really breaks down to limiting access, such as only providing access to vendors during certain times for updates. A reasonable administrator should be setting up an authorized list for people allowed to access the system when they first set it up. Unlike the personal computing space there are not a lot of tools for repairing, removing or even detecting hackers on an embedded system, so it is very important to keep attackers out. Another big question I would ask is whether the system actually needs to be connected to the internet—many don’t need to be. The more interconnected you are, the more you offload maintenance burden to third parties the more you expose yourself to risk. The best advice I can give is to think of these systems as you think of other systems and start applying regular practices and due diligence to them before you have a problem.

In conclusion…
I’d like to underscore Mr. Wolpoff’s recommendation: Any organization that plays a vital national infrastructure role should revisit their SCADA system’s design—and whether it truly needs to be connected to the public internet. This past year we have come across several clients in the utility and energy sectors who intentionally decided NOT to connect their SCADA to the internet because the downside was so great.

The Impact of ‘Meaningful Use’ on Healthcare Providers

A Q&A with Amit Trivedi, Healthcare Program Manager for ICSA Labs
When the American Recovery and Reinvestment Act of 2009 was signed by President Obama on February 17, 2009, it included the Health Information Technology for Economic and Clinical Health (HITECH) Act, which calls for programs under Medicare and Medicaid to provide incentive payments for the “meaningful use” of certified electronic health records (EHR) technology. I spoke with Amit Trivedi, healthcare program manager for ICSA Labs, an independent division of Verizon that’s involved in the certification and testing process for health records, about the concept of “meaningful use” and HITECH’s ramifications for data security.

Can you explain in layperson terms the “meaningful use” component of HITECH?
The idea behind meaningful use is that as part of healthcare reform, there’s roughly $20 billion earmarked as incentives for providers who meet the “meaningful use” benchmark. These incentives are designated for hospitals and providers, which are using certified electronic health records for “meaningful” activities such as electronic prescribing, exchanging health information with other providers or business partners, and submitting information about clinical quality and other measures. In this first of three planned stages of adoption of the law, which will most likely run until June 2012, organizations need to prove they are meaningful users according to the Stage 1 criteria, and that they are using certified systems.

Can the electronic health records (EHR) requirements also be a curse in that they create additional privacy exposures (and liability)?
As people begin to synthesize electronic records and IT systems into their organizations it will naturally open them up to vulnerabilities or risks they might not have had before. Adopting an EHR will lead to growing pains — as does the adoption of any new technology that is critical to operations and workflow. But even organizations that already have advanced clinical systems are going to have to move towards greater interoperabilit and that is going to bring new risks, too. Another thing to keep in mind is size and scope: A solo doctor’s office and a large academic center with multiple hospitals are each going to have their own risks and complexities to figure out. What we do know is that HITECH gives added teeth to existing Health Insurance Portability and Accountability (HIPAA) legislation. Whereas in the last decade HIPAA wasn’t actively enforced it will now be monitored much more closely by the Office of Civil Rights, and there are now incentives for clinicians to purchase and implement secure, certified, electronic health record systems.

What are some of the potential pitfalls in data security with regard to EHRs?
There are a number of things that could potentially go wrong. One of the biggest things to keep in mind for administrators is that now that organizations are required to publicly notify victims of data breaches, which can potentially be a big black eye for an organization. We’ve seen a number of healthcare organizations land on the front page of the paper for data breach incidents. Not having the proper policies and controls in place can lead to a breach. You often read about a stolen laptop or data hacked from a contractor’s unencrypted hard drive that contained private health information. The integrity of the network is that much more critical when these EHRs go online. In the past, hospitals wouldn’t be expected to have a hotshot IT department that could handle various issues but now they need to be prepared to deal with any incident, just like all other major institutions.

What are accountable care organizations (ACOs)? How do they play into the legislation and do they add risk?
ACOS are another layer of the new provisions. They are a network of doctors and hospitals that share responsibility for providing quality care to patients. The idea behind the whole program is improving healthcare and being able to demonstrate that in a quantifiable manner. ACOs are given financial incentives for demonstrating improved care. For organizations, they add an additional level of administration. There are requirements for ACOs to be able to share de-identified, aggregated data, which can be complicated from a privacy perspective.

What can a customer do to mitigate risks for EHR security?
The main thing, when introducing any new technology, is to be aware of the risks involved and the best practices to follow. Security often gets left out of the budget but it’s an important item. You have to do due diligence and set up the proper procedures and controls. While this is new to the healthcare industry, there are plenty of other industries out there to learn from.

It is important to look beyond the incentive dollars and at the big picture behind the idea of “meaningful use.” Clinicians are not just being asked to slam in new technology. They are being asked to demonstrate that they have the right technology in place and that they can use it to safely and securely improve care delivery. With any new technology that is introduced into an environment, it is important to perform due diligence and ensure that the proper policies, procedures, and controls are in place to safeguard private health information.

In conclusion…
This past year we conducted a Cyber Liability & Data Breach Insurance Claims study and one of our findings was that the healthcare sector business clients suffered the most losses (payable under cyber risk insurance) of all the sectors we covered. This ranges from staff mistakes to lost laptops to hacker breaches, but very often there is a third party business associate, contractor or vendor involved—and this is where the actual breach occurred. There are more than 600 vendors that offer EHR software and technology to the healthcare industry and all of these vendors, along with thousands of healthcare entities, are currently undertaking the process to demonstrate meaningful use and comply with HITECH. As Mr. Trivedi has said, with this process will come growing pains and inevitable data breach incidents.

14.5 Things NOT to Do Following a Data Breach Incident

A Q&A with John Mullen, Nelson Levine de Luca & Hamilton, LLP

The hours and days following the initial discovery of a breach are full of confusion and chaos. However, companies can save themselves from a lot of trouble later on down the line if they stay focused. We spoke to lawyer John F. Mullen Sr. of Nelson Levine de Luca & Hamilton, LLP in Blue Bell, PA, about dos and don’ts for companies in this situation—mostly don’ts.

The following is what he came up with:

  1. Don’t assume a breach won’t happen to you. It’s going to happen and you need to be insured. Even if you’re not a big multinational company that’s attracting hackers you are likely to have someone working for you who could accidentally leave their laptop with TSA at the airport and land you in a data leak situation.
  2. Don’t kid yourself. This was a breach. I’ve seen companies in the aftermath of an incident who don’t want to come to terms with the reality so they bury it. They put off dealing with it. They rationalize. It doesn’t help.
  3. Don’t rush to judgment. Meaning, don’t start sending out notice until you know how many people are involved. To the extent possible, don’t start responding until you have all of the facts.
  4. Don’t assume that the first factual answers you get are accurate. In all my years in the business, I have never encountered a case where the original version of the story ends up being the absolute story. The truth is always more complicated. See above.
  5. Don’t let your self-insured retention cripple you from taking the right action. In other words, don’t be cheap. If you’ve got a million-dollar problem, don’t let your 50,000-dollar checkbook force you to cut corners. At the end of the day, it’s just going to delay the action and compromise the situation.
  6. Don’t hire your favorite M&A lawyer for a breach case. This may sound self-serving but it’s also true: This is a specialty area of the law and you want a person who is an expert in this area to represent you.
  7. Don’t do what I call “panic hiring.” Yes, you have limited time to take care of the response, but don’t just hire the first vendors you meet. That’s the equivalent of walking into a car dealership and handing them your checkbook and asking the salesman to write in the price. You may be panicked but if you don’t hire the right people, they will take advantage of that and you’ll pay out of the nose. This is another reason to have cyber insurance, as many of the insurers have negotiated favorable rates with needed vendors.
  8. Don’t over-notify people when notice is required.
  9. Don’t ignore your vendor due diligence. If you’re handing off your data to a company to do your processing and they lose the information then you will likely still be held liable. Make sure the company has the insurance and capital to handle that kind of loss so you don’t get stuck.
  10. Don’t forget to create a response plan ahead of time.
    10.b  Don’t run a response by committee.
    If you’ve got five people in charge, then no one’s in charge. Have a senior manager who handles decision-making and money spending in charge. If not, people will sit around looking at each other and it will take much longer to complete everything that needs to be done.
  11. Don’t rush through any of the process. Yes, there’s a time element involved—typically 45 to 60 days. But I can’t tell you how many clients come to me and say they want to give notice tomorrow. I always have to slow them down because inevitably they will find out they were more exposed than they thought, and then everything they did would be wrong and they’d have to do it all over again.
  12. Don’t fight with regulators, and don’t let your lawyers fight with regulators. Picking fights doesn’t help anybody and if you get on their bad side, regulators will put you through years of hell. Show that you’re willing to bend over backward to work with them and things will usually go well.
  13. Don’t forget e-discovery.
    Not saving your data up front can get you into big trouble down the road.
  14. Don’t assume you can win the class action suit.

Clients come to me assuming they will win because there aren’t “sufficient damages,” but the courts are swinging the other way now and that is no longer the case.

In conclusion…
In assisting insurance companies in dealing with their data breach insurance claim incidents—on average about one per week, and no two events look the same—I find it amazing how many times we come across clients who trigger not one but several of the issues listed in Mr. Mullen’s list. The good news is that many businesses are starting to follow (albeit slowly) a prudent breach response roadmap, demonstrating that they have learned from either their past mistakes or by seeing other organizations (their peers/competitors) deal with a publicly reported incident.

No more posts.