Finally, a story about a CIO who takes on the data security threat from USB sticks and thumb drives. Earlier this week, Health Data Management News ran a short article entitled “Data Security is The CIO’s Constant Challenge”. It is the story of Chuck Christian, CIO at Good Samaritan Hospital, Vincennes, Indiana, and his IT department, and their efforts to protect private healthcare information and ensure HIPAA compliance.
Chuck explained “Earlier this year, Good Samaritan went well beyond its laptop policies, disabling USB ports across the computers connecting to its network. It was a pre-emptive move to preclude inappropriate data transfers to easily lost devices.”
Chuck Christian explained that disabling the USB ports definitely resulted in changes in behavior, not least from the hospital’s purchasing manager, who wanted to buy thumb drives in bulk. Chuck’s response: “I said no.” To the credit of Chuck and his IT department, they implemented a number of secure alternatives so that staff at the hospital could still get their jobs done.
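For readers who want to reproduce the control Good Samaritan describes, here is an added example (not from the article or from the hospital’s own configuration) of blocking USB mass storage on a Windows workstation. It assumes an elevated PowerShell session and uses two documented registry locations: the USBSTOR service start value and the Removable Storage Access policy keys that Group Policy writes. The device class GUID shown is the standard Removable Disks class used by that policy.

```powershell
# Added example: block USB mass storage on a Windows host in two layers, then verify.
# Run elevated. In an enterprise the same values would normally be pushed by Group Policy.

# Layer 1: prevent the USB storage class driver from loading at all (Start = 4 means disabled).
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

# Layer 2: the "Removable Storage Access" policy for the Removable Disks class.
# This still applies if someone re-enables the driver, and it covers removable disks
# that do not arrive via USBSTOR. Deny read, write and execute.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-ItemProperty -Path $policy -Name $name -Value 1 -Type DWord
}

# Verification: read the effective values back so the control can be audited, not assumed.
function Test-UsbStorageBlocked {
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    $deny  = Get-ItemProperty -Path $policy
    $blocked = ($start -eq 4) -and ($deny.Deny_Read -eq 1) -and ($deny.Deny_Write -eq 1)
    [pscustomobject]@{
        UsbstorStart = $start
        DenyRead     = $deny.Deny_Read
        DenyWrite    = $deny.Deny_Write
        DenyExecute  = $deny.Deny_Execute
        Blocked      = $blocked
    }
}
Test-UsbStorageBlocked | Format-List

# Drives mounted before the change keep working until they are unplugged; list any that
# are still attached. Get-PnpDevice requires Windows 8 / Server 2012 or later.
Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    Select-Object FriendlyName, Status, InstanceId
```

Two caveats a practitioner should keep in mind. Disabling USBSTOR does not affect keyboards, mice or phones attached as media (MTP/PTP) devices, which fall under a separate policy class, so the policy layer matters as much as the driver layer. And, as the article’s own point makes clear, closing the USB exit only works if staff are given a sanctioned way to move files; otherwise the data simply leaves by e-mail or a personal cloud account instead.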
It’s as simple as that. If you are in charge of data security, “just say no” when someone even suggests using a USB stick or bringing one into the workplace, and give them a secure alternative, such as Accellion secure file transfer.
Chuck Christian you are our Accellion Hero of the week.
The Digital Forensics Association has just completed a fascinating new report ominously titled “The Leaking Vault – Five Years of Data Breaches”. The report analyzes over 2,800 data loss incidents drawn from publicly accessible sources and is the largest study of its kind. It’s a great read if you have a strong stomach for forty-two pages of data breach statistics.
One eye-popping data point: during 2005 – 2009, 148.6 million records were reported lost through portable media. As a source of data breaches this is second only to hacking. Perhaps most alarming, loss of data from portable media is the fastest growing breach vector in the report.
The security risks of portable media are a topic we’ve covered several times in the past year on the Accellion Managed File Transfer Blog. In case you missed the earlier posts, here they are again.
In addition to sharing the unpleasant truths about data breaches, the Leaking Vault report also offers some good recommendations on steps to take to increase data security. Securing portable data is one of its four focus topics.
Here’s Accellion’s recommendation for reducing the risk of data breach from portable media: don’t use USB memory sticks for file transfer; use a secure file transfer solution.
National Health Service (NHS) organizations in the UK have accounted for more than one quarter of the data security breaches reported to the Information Commissioner’s Office (ICO). If this keeps up, the ICO could become a profit center with its new powers, approved in April, to impose penalties of up to £500,000 on offending organizations.
The ICO issued a press release on June 15 announcing poor data security in the NHS. NHS Stoke-on-Trent and Basingstoke and North Hampshire NHS Foundation Trust were the latest NHS bodies found in breach of the Data Protection Act (DPA). Mick Gorrill, Head of Enforcement at the ICO, was quoted: “Everyone makes mistakes, but regrettably there are far too many within the NHS.” He went on to add: “We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law.”
The recently introduced Bill C-29 amendment to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a sign that the Canadian government is stepping up its efforts to raise the visibility of data breaches through expanded breach notification requirements. This week’s SC Magazine article entitled “Canada’s newly introduced data breach is a start, but it lacks teeth” asks whether the legislation goes far enough. Under the C-29 amendment, banks, retailers and other companies are required to report any “material breach of security safeguards involving personal information under their control.” The amendment’s focus is on notification, not on prevention.
While it is some consolation to individuals to know that they will be informed if their personal information has been breached, it would be far more reassuring to hear that corporations are required by law to implement safeguards that protect that information in the first place. The recently introduced Massachusetts regulation CMR-17 is a good model for legislation that goes significantly further than notification rules and extends to requirements for breach prevention.
Data breach notification regulations are a step in the right direction, but an ounce of prevention is worth more than a pound of notification.
This week Lincoln Medical and Mental Health Center of New York suffered an embarrassing data breach resulting from a lost FedEx shipment of CDs. More than 130,000 medical records were exposed, and it is small consolation to read that “Siemens was promptly directed to suspend further transport of CDs by the carrier.” Of particular note is that both Siemens and Lincoln Medical and Mental Health Center considered shipping CDs of unencrypted healthcare data an acceptable part of a standard business process, right up until a shipment went astray. Did the word HIPAA never come up? Why would anyone think it a good idea to ship CDs of unencrypted healthcare data when readily available secure file transfer solutions exist?
DataLossDB, maintained by the Open Security Foundation, tracks data breaches and lists 134 “Snail Mail” breaches, affecting 2,729 organizations, in its database. This week’s Lincoln breach adds one more organization that has learned the hard way about the hazards of shipping sensitive information unencrypted through the mail.
Last week I joined over 1,000 IT professionals at the 2010 Gartner Security and Risk Management Summit in the Washington DC metro area.
Security in the cloud was a major theme of the conference. Interestingly, while security was identified in recent Gartner surveys as the number one concern for companies moving to cloud computing, it isn’t stopping them from moving to the cloud. The large majority of corporations surveyed expected to have systems running in the cloud very soon. It seems the benefits are so compelling that there is little foot-dragging on this score.
Another interesting point raised during the conference was that, despite the millions of dollars invested in securing corporate networks and assets, it is often a non-technological leak that causes the damage, typically an inadvertent mistake by an insider. The example discussed was the hazard of using removable media, i.e. a thumb drive, to move files. That example really hit home.
All in all it was a good conference – so thanks Gartner for putting together a good program.
Last week, Accellion exhibited at Microsoft Tech Ed North America for the first time. It was a great event and it met all of our expectations!
We couldn’t believe how busy our booth was in New Orleans. We spoke with prospects from across the country and met with so many of our existing customers. It’s always nice to put faces with customer names.
Our days were filled with conversations with attendees about secure file transfer and with demos showcasing our new plug-ins for the Microsoft Business Productivity Infrastructure (BPI) and Business Productivity Online Suite (BPOS), including plug-ins for Outlook 2010, SharePoint 2010 and Office Communications Server 2007 R2.
We’re already looking forward to Tech Ed next year. See you in Atlanta!
A few weeks ago my daughter and I went to Las Vegas so I could attend a security conference. It just so happened that her school was on Spring Break the same week. Luckily a friend of mine was going there at the same time, so the two of them could play all day while I attended sessions on securing enterprise data. I’m not sure who got the better deal.
It turned out that the conference was really interesting. One of the sessions I attended put four CIOs from four different verticals (healthcare, law, technology, and a major university) on a panel where attendees could ask how they secured data within their enterprises. They discussed many subjects, including the difficulty of managing data leaving the enterprise, managing a workforce that is geographically dispersed and increasingly working from home, and keeping up with a new generation of workers who share freely about themselves on social sites but get very upset if any part of their financial or personal data is collected or used for purposes they did not approve.
The location of the conference was also interesting. It just so happens that Nevada was the first state to require businesses to secure personal data. Nevada Revised Statutes Chapter 603A was introduced in 2005, and an amendment was added late last year. That amendment made two significant changes: (1) a requirement to comply with the Payment Card Industry Data Security Standard (PCI DSS); and (2) requirements to encrypt personal information in certain contexts.
This year Massachusetts followed suit with its own regulation, CMR-17. Item (3) of its Computer System Security Requirements requires encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information that is to be transmitted wirelessly.
It is good to see state governments taking an interest in controlling the transmission of sensitive personal data. Accellion Secure File Transfer helps businesses in these states comply with the new laws: not only does Accellion send files encrypted, it also stores them encrypted.
Vegas and Security? I guess these guys are ahead of the pack! I wonder when the rest of the world will catch up?
Mythbusters has to be one of my favorite programs. Since 2003 they have tested more than 700 myths related to technology, science, animals, humans, food – you name it they’ve tried it. And if they haven’t tried it you can submit a myth for them to test. Last week’s episode investigated the validity of the Giant Water Slide Jump that has been a recent YouTube hit. Awesome fun!
Stephanie tackled the Big File Transfer myth head-on by exploring the relationship between the size of a file, the size of an organization and the associated security risk. It’s an important topic to cover, and thanks, Stephanie, for raising awareness that no matter the size of the file or the size of the organization, you can get yourself into a heap of trouble if you are not securing the transfer of intellectual property and confidential information.
Just like the Giant Water Slide Jump, the myth that managed file transfer is just for big corporations with big files is officially BUSTED.
The game of baseball requires more than bats and balls, gloves and uniforms. Communication is essential. Every pitch hinges on the ongoing conversation between the catcher and the pitcher about what to throw to the batter. Fastball? Slider? Curve?
For a very long time in the world of baseball, this conversation between catcher and pitcher has occurred in the clear. The catcher and pitcher are sixty feet apart, and the use of messaging technology is against the rules, so the catcher uses hand signals to indicate the suggested pitch. Traditionally, “one” (a flash of the index finger) communicated “fastball,” and “two” (“the deuce”) indicated a curveball. But with the myriad of pitches thrown today, signals are complex and include indications of pitch location.
The signaling of pitches led to another baseball tradition: opponents trying to steal those signs. When an opposing team successfully steals signs, it is not easy to detect. A team may lose a game, with its pitcher giving up ten runs, and simply conclude that the man on the mound didn’t have his best “stuff” that day.
It is rare for a team to be caught stealing signs, but this past week it may have happened. The Colorado Rockies were hosting the Philadelphia Phillies on Monday, May 10th, when the local TV crew spotted the Phillies’ bullpen coach, Mick Billmeyer, with a pair of binoculars. The Phillies claim he was simply watching their own catcher while they were on the field. Were the signs stolen? Hard to tell. All we know for sure is that the Phillies won the game, 9-5.
As in baseball, communication is essential in business, and much of this communication still occurs in the clear. The key difference is that the use of technology to improve privacy and security in business is not only legal, it’s recommended.