risk management – Aegify
https://www.aegify.com

Breaches Drive Security Strategy in Organizations
https://www.aegify.com/breaches-drive-security-strategy-in-organizations/
Fri, 08 Aug 2014 17:05:37 +0000
According to the Annual Global Advanced Threat Landscape Survey carried out by CyberArk, data breaches are driving security strategy in organizations. A sample of 373 IT security executives and other senior managers from North America, Europe and Asia-Pacific took part in the survey, and 70 percent of them said the NSA leaks by Edward Snowden and the recent point-of-sale breaches had a major impact on their security strategies. Breaches are clearly shaping security strategy, and some organizations are making more room for security in their budgets as a result.

Adam Bosnian, Executive Vice President of the Americas at CyberArk, observes that adding security budget used to be a reaction by companies that had already been breached, whereas organizations are now formulating security strategies proactively to avoid being breached. That is a positive shift, and one likely to reduce the likelihood of breaches in future.

In a nutshell, the survey found that:

  • 52% believe attackers are currently on their network, or were at some point in the past year.
  • 44% say privileged-account takeover is the attack stage most difficult to detect, respond to and remediate.
  • 29% say the malware implementation stage is the hardest to detect.
  • 58% (of those who allow vendor access) are not confident that vendors actually secure or monitor privileged access to their network.
  • 21% believe regulatory compliance has a major impact on security strategy.

While data breaches are often attributed to attacks from outside the organization, 52 percent of respondents believe attackers are already present on their network, or have been at some point in the past year. That belief reflects a threat that is not purely external: insiders, and outsiders who have already gained a foothold, are a growing concern for organizations today.

Notably, 44 percent of respondents say that attacks which reach the privileged-account takeover stage (a privileged account often being a shared account created for convenience) are the hardest to detect, respond to and remediate, while 29 percent say attacks become hard to detect at the malware implementation stage.

Another troubling finding: 60 percent of respondents say their businesses allow vendors to access internal networks, and of those, 58 percent are not confident that these vendors actually secure or monitor privileged access to their network. This is becoming a major concern across businesses.

Who is responsible for security?

Many companies may assume that the third-party vendor is responsible for securing access to the company network. According to experts including Bosnian, however, the responsibility for making sure the network is secured rests with the company itself: it can delegate the access, not the accountability.

What are the other trends shaping security strategies in organizations?

About 30 percent of respondents say Bring Your Own Device (BYOD) has a major impact on their security strategy. Likewise, 26 percent say cloud computing drives strategic security decisions, and 21 percent say regulatory compliance has a major impact on security strategy.

The survey also indicates that 31 percent of businesses have already deployed security analytics in some form, 23 percent plan to do so or are in the process of doing so within the next year, and 33 percent have no plans to introduce security analytics.

Experts including Bosnian nevertheless believe the industry is moving in a healthier direction than it was a few years ago. That organizations are proactively taking measures to prevent breaches is a welcome change. They can pursue that objective with comprehensive security solutions such as Aegify Security Posture Management, Aegify SecureGRC or Aegify Risk Management, which simplify security initiatives and help build a secure business network.

The Culprits behind Health Data Breaches
https://www.aegify.com/the-culprits-behind-health-data-breaches/
Mon, 04 Aug 2014 16:13:56 +0000
Since September 2009, the federal tally of major health data breaches has grown to 1,074 incidents affecting 33.7 million individuals; 30 incidents were added in the last month alone. These incidents reflect the wide range of risks healthcare organizations have to contend with. Among the recent major breaches, one was a hacking incident, another an insider breach, and a third involved letters mailed to the wrong recipients. The most striking fact, however, is that loss or theft of unencrypted computing devices remains the most common cause of breach incidents, despite repeated warnings about the need to encrypt health data. Lack of encryption has been behind numerous breaches affecting 500 or more individuals each.

The Culprits Causing Breaches

Hacking

According to HHS, hacking has been the cause of at least 89 major breaches since 2009, and security experts believe these incidents are becoming more common and posing bigger threats.

The hacking incident at the Montana health department is one of the largest breaches added to the federal tally in late July. The tally lists it as affecting 1.06 million individuals, although the department has notified 1.3 million, and the investigation is still in progress. The intrusion was confirmed in May, but it is believed to have begun as far back as July 2013. Since then the department has deployed additional firewall software and is working to improve its security systems. Potentially compromised information includes clients' names, addresses, dates of birth and Social Security numbers; the server is also believed to have held health assessments, diagnoses, treatments, health conditions, prescriptions and insurance details. All affected individuals have been offered one year of free credit monitoring. A dwell time of roughly ten months is a reminder that a firewall alone does not detect an attacker who is already inside; access logging and alerting are needed as well.

Insider Threats

Breaches involving insiders are also a growing concern. Inappropriate access to patient records, ranging from snooping to malicious intent such as identity theft and financial fraud, is becoming increasingly common, and it has grown substantially as more patient information is stored digitally. The third largest incident added to the federal tally last month was an insider breach affecting 97,000 current and former patients of NRAD Medical Associates, a radiology practice in Long Island, NY. Mistakes involving paper documents are a threat too: an incident at St. Vincent Breast Cancer in Indianapolis involved a clerical error that led to letters containing personal health information being mailed to the wrong recipients, affecting nearly 63,000 individuals.

Lack of Encryption

This has been identified time and again as one of the predominant causes of breach incidents. In a recent breach involving a vendor that provides patient billing and collection services to the Los Angeles County departments of health services and public health, eight unencrypted desktop computers were stolen from the business associate's office. The incident affected more than 342,000 individuals. The stolen computers are believed to have contained patient names, Social Security numbers and billing information, along with dates of birth, addresses, diagnoses and other medical information. Affected individuals have been offered one year of free credit monitoring, while Los Angeles County faces several class-action lawsuits.

Breaches caused by lost or stolen unencrypted devices keep pointing to the value of encryption. With the growing use of portable devices and BYOD in healthcare, and encryption still lacking, the problem only seems to be getting worse. Note that the stolen machines in the Los Angeles case were desktops: encryption at rest matters for every device that holds PHI, not just laptops and phones.

Keeping Threats at Bay with Periodic Risk Analysis

As healthcare data breaches continue to grow in number, the main causes are also becoming clearer. Healthcare entities should use that knowledge to mitigate security risks and curb threats before they harm systems and businesses. Periodic self-assessment and risk analysis are therefore crucial to preventing breaches in every healthcare entity; they bring better control over data and help address threats before it is too late. Comprehensive security solutions such as Aegify Security Posture Management, Aegify SecureGRC or Aegify Risk Management also offer a number of benefits and provide a platform for securing healthcare data throughout its lifecycle.

Is Your Patient Data Secure? You Can Ensure That It Is – With These Tips for Successful ‘Meaningful Use’ Security Risk Analysis
https://www.aegify.com/tips-for-ensuring-successful-patient-data-security/
Wed, 16 Jul 2014 07:08:56 +0000
The lesson from recent audits: security risk analysis is imperative for every healthcare enterprise, and it cannot be taken lightly. The responsibility for protecting confidential patient data rests with the healthcare enterprise, not the EHR vendor, which is all the more reason no organization can afford to ignore the consequences of a data loss.

‘Meaningful use’ risk analysis is critical to your compliance program. Organizations and professionals that fail to conduct a proper risk analysis expose themselves to fines, lawsuits and loss of incentive funding. A preemptive security risk analysis is thus vital to keep your practice from falling victim to a breach.

Meeting this requirement is straightforward if you embrace the analysis as a way to identify threats and protect electronic health information. Here is what you can do to plug the most breach-prone areas:

Portable devices

Unencrypted patient data on a portable device such as a laptop, smartphone or PDA is a disaster waiting to happen: thefts, lost devices and unattended devices are common occurrences. Ensure that patient data is encrypted regardless of the device it resides on. Encryption at rest only protects a device that is powered off or locked with the key unavailable, so pair it with a strong unlock passcode and an idle-lock timeout. Under HHS guidance, the loss of a device whose PHI is encrypted in line with that guidance is not treated as a breach of unsecured PHI, which is what spares you the notification obligations.

PC desktops

Again, the worry is unauthorized access. Desktops should lock automatically when idle, and workstations should be positioned out of the line of sight of people standing in line.

Paper/Fax/Email

To keep them out of the wrong hands, all paper records containing patient information should be shredded once they are no longer needed. Patient information is also compromised when it is faxed to the wrong number or emailed to the wrong recipient: slow down and double-check the destination before sending.

Children

Take extra care with the medical records of patients younger than 18. State rules vary, so stay abreast of both federal and your state's requirements.

Beyond this, you could also adopt a comprehensive platform such as Aegify Security Posture Management, Aegify Risk Manager or Aegify SecureGRC. These solutions from eGestalt can perform a detailed risk analysis using a sophisticated model and support you through the security risk analysis process.

Health Data – A Goldmine for Hackers
https://www.aegify.com/health-data-a-goldmine-for-hackers/
Wed, 16 Jul 2014 06:46:42 +0000
Health records are increasingly becoming a target for hackers worldwide. This disturbing trend has shown up in multiple recent incidents, including the server breach at the Utah Department of Health two years ago, which affected 780,000 individuals, and the server breach at the Montana health department last month, which affected 1.3 million.

The latest incident involves Vermont Health Connect, where a cyber-attack appears to have taken place last December, with hackers accessing health data 15 times. It is yet another wake-up call for the healthcare sector, and it raises a primary question: why do hackers target healthcare data? Healthcare data breaches represent a worrying trend that has caught the attention of healthcare security experts worldwide.

External attacks on healthcare data are on the rise, and healthcare organizations have to prepare to deal with these threats and defend themselves. They must adopt means to prevent unauthorized access to records and safeguard data from sophisticated cybercriminals looking for health information they can use to commit fraud for financial gain.

The Changing Nature of Cyber Attacks

In the past, hacking was often neither planned nor targeted; much of it was done for fun, with no serious motive. Today's cyber-attacks are highly sophisticated, with organized criminals attempting to get hold of sensitive information that can be used fraudulently. Hackers see healthcare information as a goldmine. Stolen Social Security numbers, for instance, sell in underground markets for 25 cents and credit card numbers for about $1 each, while medical records are now treated as a commodity in those same markets: a comprehensive medical record that can be used to obtain free surgery may sell for $1,000.

Healthcare and government systems that process health data are increasingly targeted because these records contain Social Security numbers and health insurance identification numbers. Healthcare-related hacking incidents rose to 28 in 2013, affecting 1.1 million records, from 23 incidents affecting 879,179 records in 2012.

While these statistics are alarming, more alarming still is that healthcare entities have yet to ramp up security measures in response. In reality, the healthcare sector has inadequate resources for protecting its information systems: over half of all healthcare organizations spend less than 3% of their IT budget on protecting data, and many do not even have a CISO or information security manager responsible for the security of their systems.

Preparing to Detect and Defend

It has been established time and again that healthcare organizations have become a prime target for sophisticated hacking. Experts and practitioners therefore recommend a few critical steps these organizations should take to improve their ability to detect and defend against attacks.

Working towards prevention – Healthcare entities should aim to prevent attacks before they happen rather than merely detecting and reacting to them. To do that, they should conduct periodic assessments of their systems to identify lapses and gaps and to determine whether their controls are effective. Periodic security assessment is therefore a critical requirement for preventing attacks.

Deploying essential security tools – Organizations should design alerts and alarms that detect events with potentially negative consequences. Rule-based detection catches known-bad patterns (access outside business hours, a user reading records outside their own department), while statistical and anomaly-detection methods catch departures from a user's own normal behaviour that no fixed rule anticipates, such as a sudden jump in the number of records viewed. Both may prove very helpful in this regard, and both depend on the EHR audit trail being collected and retained in the first place.
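As an added example (not Aegify's code, nor from any product the page describes), the snippet below runs both kinds of detection from the paragraph above over an EHR access audit trail, and also covers the insider snooping scenario from "The Culprits behind Health Data Breaches". The log format (timestamp, user, role, patient ID, department), the department assignments and the sample events are all constructed for illustration, and the thresholds are assumptions to be tuned against real data.

```python
"""Rule-based and statistical anomaly detection over an EHR access audit trail.

Added example for this page, not Aegify's or any vendor's code. The log
format, the department assignments and the sample events are constructed
for illustration; adapt parse_log() to a real EHR audit export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed: which departments each user legitimately works in.
ASSIGNMENTS = {"dsmith": {"oncology"}, "rchen": {"oncology", "cardiology"}}


def build_sample_log():
    """Constructed audit trail: nurse dsmith views 3-4 oncology patients a day
    for four days, then on 2014-07-05 pulls 12 distinct records, one of them a
    cardiology patient at 22:30. Billing clerk rchen views one record a day."""
    lines = []
    for day, n in zip(range(1, 5), (3, 4, 3, 4)):
        for i in range(n):
            lines.append(f"2014-07-0{day}T10:{i:02d}:00 dsmith nurse P{100 + i} oncology")
        lines.append(f"2014-07-0{day}T14:00:00 rchen billing P{100 + day} oncology")
    for i in range(11):
        lines.append(f"2014-07-05T11:{i:02d}:00 dsmith nurse P{200 + i} oncology")
    lines.append("2014-07-05T22:30:00 dsmith nurse P300 cardiology")
    lines.append("2014-07-05T14:00:00 rchen billing P105 oncology")
    return "\n".join(lines)


def parse_log(text):
    """Parse lines of 'ISO-timestamp user role patient_id department'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, dept = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "dept": dept})
    return events


def rule_after_hours(events, start_hour=7, end_hour=19):
    """Rule: any record access outside the business-hours window."""
    return [e for e in events if not start_hour <= e["ts"].hour < end_hour]


def rule_outside_assignment(events, assignments):
    """Rule: access to a patient in a department the user is not assigned to,
    a simple proxy for 'no treatment relationship' (snooping)."""
    return [e for e in events
            if e["dept"] not in assignments.get(e["user"], set())]


def anomaly_daily_volume(events, z_threshold=3.0, min_history_days=3):
    """Statistical: flag (user, day) pairs whose count of distinct patients
    viewed is far above that user's own baseline.

    The baseline for a day excludes that day (leave-one-out) so a single
    spike cannot inflate its own baseline, and the standard deviation is
    floored at 1.0 so a perfectly flat history neither divides by zero nor
    fires on a one-record change."""
    per_user = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_user[e["user"]][e["ts"].date()].add(e["patient"])
    flagged = []
    for user, days in per_user.items():
        counts = {d: len(p) for d, p in days.items()}
        if len(counts) <= min_history_days:
            continue  # not enough history to build a baseline
        for day, n in counts.items():
            others = [c for d, c in counts.items() if d != day]
            baseline, sd = mean(others), max(pstdev(others), 1.0)
            z = (n - baseline) / sd
            if z >= z_threshold:
                flagged.append((user, day.isoformat(), n, round(z, 1)))
    return flagged


def run_detections(text, assignments=ASSIGNMENTS):
    """Run all detectors and return a compact summary of what fired."""
    events = parse_log(text)
    return {
        "after_hours": [(e["user"], e["ts"].isoformat()) for e in rule_after_hours(events)],
        "outside_assignment": [(e["user"], e["patient"], e["dept"])
                               for e in rule_outside_assignment(events, assignments)],
        "volume_anomalies": anomaly_daily_volume(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(build_sample_log()).items():
        print(f"{name}: {hits}")
```

On the constructed log, the two rules each fire on the single cardiology record viewed at 22:30, and the volume detector flags dsmith's 12-record day against a baseline of 3-4 without flagging rchen. The leave-one-out baseline is what makes that work: had the spike day been included in its own baseline, one large excursion would inflate the standard deviation enough to hide itself at a modest threshold. Flooring the standard deviation keeps a user with a perfectly flat history from tripping the alert on a one-record change.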

Defining roles and responsibilities – In addition to adopting tools and technology for detecting threats, healthcare entities should formally define roles and responsibilities for incident response, document the procedures response teams follow when an incident occurs, and test those procedures periodically.

Taking a comprehensive approach – To prevent breaches, organizations should take a comprehensive and definitive approach to defense, adopting end-to-end security solutions such as Aegify Security Posture Management or Aegify SecureGRC that address all critical aspects of information security in an integrated manner and help manage healthcare information efficiently. Aegify Risk Management makes it simpler to identify these risks and address them proactively.

Intelligent Vendor Management Programs – Vital to Ward off Breaches
https://www.aegify.com/intelligent-vendor-management-programs-vital-to-ward-off-breaches/
Mon, 23 Jun 2014 08:27:12 +0000
No organization can afford the risk of inadequate data protection, particularly where business associates handle sensitive patient information. Under the HIPAA Omnibus Rule, business associates of covered entities are directly liable for HIPAA compliance. In practice, however, although healthcare organizations enter into comprehensive business associate agreements, many fail to hold vendors accountable for maintaining the privacy and security of patient information.

Protecting sensitive data needs to top the list of priorities, as a data breach is not only expensive but also brings a tarnished reputation, embarrassment and additional scrutiny. Risk management expert Rocco Grillo believes a mature vendor risk management program can identify such deficiencies. He argues that every healthcare organization needs a vendor management program with razor-sharp requirements to help prevent breaches involving business associates, and that healthcare entities must also audit business associates periodically to confirm they are taking appropriate security steps. Grillo suggests that healthcare organizations must:

  • Conduct due diligence on the vendor before signing a contract with a business associate
  • Ensure that if a BA has access to PHI (protected health information), appropriate controls are in place, to avoid loss of money and reputation

Grillo goes on to emphasize that while you can outsource the function, you cannot outsource the risk. The vendor may be accountable on paper, but in reality it is the data owner who bears the brunt of being in the headlines for the wrong reasons.

There is a lot at stake when you are protecting private data or facing a breach, and a proactive approach to preventing breaches beats reacting to them. While the precautionary steps Grillo suggests can greatly reduce risk and associated costs, platforms like Aegify SecureGRC help automate the security, risk and compliance management processes for all external vendors and sub-contractors. eGestalt's vendor management solution helps prevent breaches and shows how far your vendors and business associates have progressed in their compliance efforts, giving you visibility and control over the security and compliance posture of all your vendors.
