Category: Uncategorized

Heads up if you’ve stayed or made reservations at a Marriott or Starwood property over the last decade. A major security issue was just announced and the scope of the problem is actually quite astonishing. Here’s what you need to know about the Marriott International data breach.

What is the Marriott Data Breach?

On November 30th, Marriott International announced that the private information of up to 500 million guests became compromised. The breach is one of the largest in history and brings up a variety of concerns regarding consumer privacy safety.

They noted that an internal tool recognized a data breach in September, but wasn’t able to confirm the issue was part of the Starwood database until November. Further investigation revealed that the problem has happened since as far back as 2014 and that the exact breadth of the issue isn’t yet known.

Who is Affected by the Marriott Data Breach?

To be blunt, 500 million people is a lot. If you’ve traveled on business in the past or regularly stay at the hotel chain’s properties, your personal data is likely compromised. Additionally, those who merely made reservations but never actually stayed the night are also included in the breach.

According to NBC News, Marriott also reported that for 327 million of those people, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Encrypted credit card information is also likely stolen, but the company isn’t yet sure if the thieves were able to reveal account numbers.

An additional report also suggested that employee information might have even been compromised, especially in situations where workers took advantage of employee discounts to stay at hotels around the globe.

What is Marriott Doing After the Data Breach?

While the initial statement from the company was vague, they have taken steps to improve the situation by hiring the public relations firm Kroll. Those concerned about being part of the Marriott data breach may check for more information at a website provided by the hotel chain.

Maryland Attorney General Brian Frosh is opening an investigation into the incident, citing the company headquarters in his state as the reasoning for his inquisition. Additionally, New York planned to look into the incident and other states where the company has properties are likely to follow. There is no word yet on how the breach is being reviewed internationally.

Furthermore, within hours of the news, a class action lawsuit for 12 billion dollars was filed by Ben Meiselas of Geragos & Geragos. The suit is on behalf of two plaintiffs who feel duped by the company not immediately admitting there was a security issue. In other cases in the past are any indication, there’s likely to be a settlement out of court soon.

What Can Other Companies Learn from Marriott’s Data Breach?

At this time, it is hard to tell what other companies can learn from Marriott International’s data breach since news of the incident is still relatively recent. Other companies have faced similar issues in the past, such as Yahoo’s admission earlier this year that the three billion accounts had information hacked and Under Armour’s data breach of 150 million MyFitnessPal user accounts. Those companies were able to provide customers with free credit monitoring to try to earn back trust, but time will still tell on how it affects each firm’s reputation overall. Both have made attempts to increase application cybersecurity.

In short, if you have made a reservation or stayed at a Marriott Hotel or Starwood property in the last few years, it is wise to invest in some version of identity theft monitoring. Also, consider additional discussion and concerns with your lawyer general and by making a claim on Marriott’s data breach website.

How Marriott Got Caught In A 500-Million Person Data Breach

Were You Affected? (Your Questions Answered)

What Do We Need To Know About The Marriott Breach?

Another big corporation got hooked. This time it was Marriott International. They just revealed that their Starwood reservations database of 500 million customers was hacked and that the personal information of up to 327 million guests was stolen. And, this has been going on since 2014!

How Did This Happen?

• On September 8, 2018, Marriott was alerted about an attempt to access the Starwood guest reservation database.
• They contacted leading security experts to help them determine what occurred. Marriott said that the hacker copied, encrypted and removed their customers’ data.
• On November 19, 2018, Marriott was able to decrypt the data and learned that it was from the Starwood guest reservation database.

Marriott acknowledged that the encryption security keys for this data may have fallen into the hands of hackers. This allowed them to access the massive amount of data. Secure systems lock up data and should store the encryption keys in a location that’s separate from the confidential information.

Some good questions to ask here are:

“How did the criminals get Marriott’s encryption keys?

“Why did it take so long for Marriott to reveal the breach?” They learned about it in September which is over two months ago.

And, this was a 4-year long breach! “Why didn’t Marriott know that their customers’ data was being stolen over this long period?”

Maybe we’ll find out the answers to these questions, and perhaps not. What’s for sure is that you are on your own when it comes to protecting your confidential data.

How Do I Know If My Data Was Stolen?

If you are a Starwood Preferred Guest member and your data was stored in the Starwood property’s database (which includes Sheraton, Westin and St. Regis hotels, among others) you need to be on alert.

As mentioned, this data breach goes all the way back to 2014 and includes names, passport numbers, email addresses and payment information for approximately 327 million travelers – a “big catch” for any hacker. Even your date of birth, gender, reservation dates and communication preferences may be included in the breach.

Should I Contact Marriott?

Marriott set up a website and call center for customers who were impacted by the data breach. Email notifications are also being rolled out.

Marriott is also offering affected customers the option to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert if your personal information is found. If you live in the U.S., you’ll also be offered fraud consulting services

What Else Should I Do?

If your data was stolen, you should observe for incidents of identity theft. Also, watch for phishing emails where hackers try to impersonate someone you trust to take information or money from you.

Arrange For Security Awareness Training For Your Employees

If your business data was involved, make sure that you arrange for Security Awareness Training for your employees to train them to recognize phishing attempts. This includes:

• Baseline Testing to assess the Phish-prone percentage of your employees through a free simulated phishing attack.
• Training For Your Users with content that includes interactive modules, videos, games, posters, and newsletters.
• Simulated Phishing Attacks that utilize best-in-class, fully automated, simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
• Reports with statistics and graphs for both training and phishing for your management to review.

Whether your business was involved in the breach or not, Security Awareness Training for your employees is always a good idea.

Another good idea is to sign up for Dark Web Scanning Services.

Get Dark Web Scanning For Your Confidential Business Data

The Dark Web is a secret internet society that’s only accessible to a select group of criminals. Criminals use it to take stolen data (like the Marriott/Starwood customer information) and dump it on the black market for sale.

Dark Web Scanning is a sophisticated monitoring solution that helps businesses of any size detect cyber threats that expose their stolen business accounts, email addresses, payment information, and other confidential data that’s on the Dark Web. It also does this in real time and detects any of your compromised credentials or information before criminals can use it for profit or other crimes.

Don’t Count On The Marriott’s Of The World To Protect Your Business Data – You Must Do This Yourself

Contact us for information about Data Protection, Security Awareness Training and Dark Web Scanning. We have a Suite of IT Security Solutions to help you keep your business data secure.

 

 

 

No industry is exempt from data breaches that lead to widespread fraud. However, the healthcare industry faces unique challenges since it is not always easy to determine the impact of the breach on patients as well as the healthcare organizations that serve them. The problem starts with isolating where the hack originated in the first place. With so many organizations having access to patient demographic and insurance data, this can be the most time-consuming aspect of the entire fraud investigation process.

Healthcare: A Unique Form of Identity Theft

Most patients are aware that their healthcare provider and their insurance company have access to their personal medical data. Providers need the information to diagnose and treat the patient while insurers require it to pay the patient’s claims. What many fail to realize is that a large number of third-party organizations could have access to the data as well. Pharmacies, medical equipment providers, home healthcare organizations, and supplemental insurance providers are just some examples of companies with access to patient data.

The problem in healthcare is that a cybercriminal intent on stealing the medical data of another person can piece it together from a variety of sources that the victim of identity theft does not even know to exist. Some in the healthcare IT industry refer to this as synthetic identity theft. By taking small pieces of information obtained from a healthcare report and combining it with information stolen elsewhere, hackers can easily scam the healthcare system. In fact, the problem is so widespread that millions of cases of fraud take place every quarter.

What Healthcare Providers Can Do

No healthcare administrators like to admit that a security breach took place on their watch. It may look to them like hackers gained access to private patient data and then did not use it. Unfortunately, that is rarely the case. Healthcare fraud differs from financial fraud because most criminals go on to use stolen credit, debit, and other banking information right away. With healthcare fraud, they need more time to piece together a forged identity before they start inflicting real damage. The CEOs of healthcare organizations are often too quick to claim that no one used the stolen information in a nefarious manner.

Obviously, it is better for healthcare IT departments to be proactive rather than reactive. This starts with knowing every location of a patient’s healthcare data. For example, a single patient could have an electronic medical record, a paper medical record, new test results not yet transferred to the medical record, and old information stored in boxes or machines that have not been used in years. To prevent medical fraud, healthcare providers must make it a priority to know the locations of all data about a patient and take adequate steps to protect it.

Sometimes health organizations are unaware a breach has taken place until a patient complains that someone used their information to obtain numerous prescriptions or to commit insurance fraud. Once alerted to it, they need to take immediate action to stop the current fraud and prevent it from happening again. This includes taking measures such as strong encryption with medical records and guarded access to paper records.

Besides a lack of inventory, part of the problem is the current patchwork approach to healthcare privacy laws. Organizations should push the federal and state governments to create uniform standards for improved patient protection.

How to Help Patients Protect Personal Health Data

Healthcare providers must work hard to gain patients’ trust in the current climate. One way they can facilitate this relationship is to provide patients with reminders about safeguarding their own information. Here are some typical examples:

• Request a new medical card with a different identification number if the original has been lost or stolen
• Submit a police report after the theft of a wallet or purse
• Report any information on the explanation of benefits forms that appears suspicious such as services the patient does not remember receiving
• Check medical records at least once a year to ensure accuracy
• Always have the most current copy of medical records available

Providers should also consider publishing an annual notice to members outlining their privacy policy and the steps they take to prevent theft of patient data. Holding open meetings and taking questions from patients is another way to assure them that the organization is serious about protecting them from identity theft in a healthcare setting.

Guide To Ensure Your Cloud Data Is Properly Backed Up

Cloud storage is a relatively new technology that provides access to data on multiple devices any time and anywhere. Many businesses turning to cloud storage to boost the productivity of their employees. While cloud storage is both convenient and secure, it is not infallible. Therefore, it is important that you take the time to ensure your cloud data is properly backed up. Whether you’re running Google Apps or Office 365, this guide will help you make sure you’re properly securing and backing up the data you have stored on the cloud.

How to Back Up Office 365 Data

To back up your data on Office 365, you need to specify the backup settings in a new profile or in an already existing profile. This profile should have Cloud Apps enabled. Once you’ve done this, inSync will begin backing up the user data in Office 365 according to the backup schedule you specified in the profile. In your profile, you can specify how many times in a day or week inSync should perform automatic backups.

The inSync cloud administrator is also able to back up Office 365 data at any time when needed. The procedure for performing an unscheduled backup of data on Office 365 is as follows:

1. Go to the menu bar for the inSync Management Console and click Availability > Backup. The Backup Overview page will appear.
2. Go to the All Data Sources tab and click on the Office 365 device you want to back up.
3. Click on the button Backup Now.

inSync will then begin the backup of the device you selected. There are multiple pages where you an view the details of the backup. You can see the backup details on the inSync Management Console, the inSync mobile app, and the inSync Client.

How to Backup Google Apps Data

If your organization uses Gmail, Docs, Spreadsheets, and Calendar, chances are you have a lot of important information stored on Google’s servers. Unless you take the time to back up your Google Apps data locally, your organization will be in major trouble if Google loses your data or denies you access to it for whatever reason. Therefore, it is essential that you back up your Google-hosted data on a regular basis.

Unfortunately, it is not as easy to back up data on Google Apps. There are many third-party apps available for backing up data on Google Apps. For example, you can use POP access with a desktop email client to back up the Gmail accounts of your employees. Thunderbird is an example of a third-party application that you can use to back up Gmail accounts. You can use Google Docs Download scripts to back up your documents and spreadsheets on Google’s servers locally.

Backups are essential even if you’re storing your data on the cloud. For more information about how to ensure your cloud data is properly backed up, don’t hesitate to contact us.

California’s recently passed privacy law, coming on the heels of similar regulations issued by the European Union, makes it imperative that businesses have clear policies and procedures for collecting, storing and using personal information.

The California Consumer Privacy Act (CCPA), passed in May 2018, is a far-reaching law that covers not only the data itself but also how businesses manage relationships with consumers and third parties. It is similar to but more stringent than, the EU’s General Data Protection Regulation (GDPR), also enacted in 2018.

What Businesses Does the CCPA Affect?

The CCPA applies to any business or non-profit organization (or entity that controls or is controlled by such a business and shares branding) that meets one of the following criteria:

• Exceeds $25 million in annual gross revenue
• Has personal information on 50,000 or more consumers, devices or households
• Earns more than half its annual revenue by selling personal information to a third party

How Is ‘Personal Information’ Defined?

The CCPA takes a broad approach to personal information, including some data that are not typically included in such definitions. Under the act, personal information includes:

• Account name
• Unique identifier, including cookies
• IP address
• Email address
• Commercial information, such as property records
• Biometric data
• Internet activity, including browsing history, search history and interactions with websites, ads or applications
• Professional and employment-related information

.A provision also covers inferences that could be drawn from any of the other information to create consumer profiles. The law does not include publicly available information.

What Rights Do Consumers Have Under the CCPA?

Consumer rights under the CCPA include:

• Data Access. Consumers can request in which categories a company has collected information, the categories of sources of that information and the specific information itself. Businesses also need to divulge the purpose of obtaining or selling personal information. Companies receiving a request must promptly deliver said information via email or mail free of charge. Businesses are required to share information no more than twice annually.
• Deletion. If requested, businesses must delete any information the firm has collected and order its service providers to do the same. Data need not be removed in some instances, such as to complete a transaction, detect fraud or use for reasonable internal purposes.
• Data Transactions. Businesses must reveal the categories of information sold to a third party and how those match up with the third parties’ information categories.
• Opting Out. Consumers can opt out of selling their information to third parties. Those that sell information to third parties must notify consumers and provide them an opportunity to opt out. If a consumer is under 16, the business must receive affirmative consent (e.g., opting in) from the consumer or, if under 13, a parent or guardian.
• Non-Discrimination. Businesses may not discriminate against a consumer who exercises these rights, including refusing to sell goods or services, charging different prices or delivering a different quality of products or services.

Does the CCPA Address Data Breaches?

In the event of a data breach, the CCPA provides consumers with a private right of action. That means consumers can pursue statutory damages and injunctive relief if data is accessed or stolen by an unauthorized party. It also allows consumers to take action if the business failed to maintain reasonable security measures.

What Other Obligations Do Businesses Have?

Businesses must post California-specific privacy rights on websites. Those sites must also disclose how consumers can request information and the categories of personal information collected or sold in the previous 12 months. There must also be a conspicuous link titled ‘Do Not Sell My Personal Information.’

Businesses must train employees on the act and consumers’ privacy rights.

How Is the CCPA Different from the GDPR?

The European Union adopted the General Data Protection Regulation that applies to nearly all companies that collect private consumer data on EU citizens. It requires companies to comply with robust data security and management protocols.

While the compliance categories are nearly the same as those under the CCPA, the guidelines are not as well defined, and enforcement is weaker. Unlike the CCPA, the GDPR applies to small and large companies and will likely evolve over time.

What Should My Business Do to Address GDPR and CCPA?

What can your company do to comply with these acts? Here are a few tips:

• Create an internal privacy team, responsible for developing and reviewing privacy policies and managing consumer requests
• Develop a consumer information policy and processes that include how data is collected, categorized, stored and accessed. Consider deleting private consumer data that is not needed for the business relationship.
• Update your website with the required notices, links, and policies that are updated annually.
• Evaluate data security, including security policies, backups, encryption and access.

Companies that manage data governance well are in a better position to meet data protection and retention compliance requirements and to accomplish their digital transformation goals. Microsoft Office 365 makes comprehensive, streamlined data governance throughout your organization easy, with automation tools for setting policies governing data retention, expiration, and deletion.

The majority of companies already have data governance (DG) policies in place for at least some of their data types and operations departments, though DG is often not comprehensive in many smaller to medium-sized businesses. Many times, informal rules evolve into stricter controls and eventually are formalized as policies.

Here’s some helpful information about data governance in Office 365 and some general advice on DG implementation planning and execution, to help you prepare to formalize your DG program.

What is Data Governance?

Data governance is the management system that ensures the maintenance of high data quality throughout the lifecycle of an organization’s essential data. This includes management of data security, accessibility, integrity and usability.

A proper data governance program has a governing group, a clear set of DG procedures, and an agreed plan for following the procedures.

A company’s procedures for ensuring formal management of its data should include clearly defined practices for monitoring of processes and enforcement of its data protection and retention requirements.

Why is Data Governance Important to Organizations?

The relevance of data governance for general data management and security should be obvious enough. Still, many companies fear to try implementing a data governance program, because it seems too complicated, or because there is a strong sense of uncertainty about the sustainability of such a program as a component of their diverse operational processes.

Data Governance in Microsoft Office 365

Office 365 provides a set of exceptionally intuitive tools to protect your business’s data against security threats, potential accidental leaks or deletions, and other risks to data retention and integrity, and to regulatory compliance. Data governance tools are located in the Office 365 platform’s Security & Compliance Center in Microsoft software products including:

• Office 365 Business Essentials
• Office 365 Business Premium
• All levels of Office 365 Enterprise packages
• Exchange Online Plans 1, 2 and Kiosk
• SharePoint Online Plans 1 and 2
• Skype for Business Online Plans 1 and 2.

Key Advantages of Data Management in Microsoft 365

Easily Assess and Manage Compliance Using Just One Set of Functions.

Microsoft Cloud services allow you to assess compliance risks and increase your data protection by using the Office 365 Compliance Manager. The Compliance Manager enables DG actions in the categories of Ongoing Risk Assessment, Actionable Insights, and Simplified Compliance. Obtain more in-depth information on data protection and compliance through your Service Trust Portal.

Conveniently Govern Data Handling and Protect Sensitive Data Throughout Its Lifecycle.

Implement a comprehensive DG program that will automatically classify and protect valuable data across all of your company’s connected devices, cloud services and apps. Apply encryption, access and retention rules, and other governance strategies to help ensure data compliance, protection and quality.

Leverage Powerful AI to Respond Efficiently to Regulators’ Requests and More.

Use Microsoft Office 365’s robust eDiscovery functions to locate obscure relevant legal information, even amidst unstructured data. Easily acquire insights into all your business’s data-related activities by using Office 365’s comprehensive activity API and auditing tools.

Microsoft 365 Data Governance Features and Benefits

A formal DG program is usually undertaken at the point when a company grows to a size at which the staff can no longer implement cross-functional tasks involving data with the same degree of efficiency that they maintained as a small startup team.

While there will be implementation challenges in the area of team coordination, Office 365 takes the pain out of DG implementation on the technical end. Some of the benefits of using Office 365 Data Governance functionality include:

• Automated data classification greatly simplifies rule applications.
• Intelligent policies generated through powerful machine learning bring best practices to your decision process.
• Built-in DG policies make regulatory compliance quick and straightforward to implement.
• Over 80 built-in IDs of sensitive content types do the work of identifying possibly needed categorizations for you.
• Automated policies help ensure proper systemic handling of data retention, expiration and deletion.
• Policies you set immediately purge redundant, obsolete data and other unnecessary data, and preserve your important data.
• You can fully customize your data retention policies, to have your sensitive data handled precisely as you determine it should be.
• Your data is classified and labeled, and protected and retained based on the policies you choose, based on varying levels of sensitivity across your company’s data assets.
• DG policies set in Office 365 help in regulatory compliance regarding data privacy (like HIPAA, GDPR, SEC regs, etc.).
• You can tailor policies for various departments and enforce policies differently for multiple users.
• Data preservation lock policies encrypt data and can’t be turned off or rendered less restrictive.
• With minimal pointing and clicking, Microsoft Office 365 Data Governance functions can reduce your compliance risks throughout Office 365.
• Having a clear picture of what data assets your company owns, and where it is in your system helps ensure compliance and security of your important data.

Challenges in Data Governance Implementation

Implementing DG programs in any business using any technology is not an uneventful undertaking. Some of the biggest problems to smooth implementation include:

• Organizational Culture — DG succeeds best in open company cultures wherein fundamental changes are welcomed. DG becomes political, involving redistributing responsibilities. Sensitivity is required.
• Upper Management and Budget — Persuading upper management of the need for DG and to allocate sufficient budget for the project can be challenging. Succeed in this before proceeding.
• Universal Acceptance — DG requires buy-in from all departments and individuals. Top management and project managers especially must thoroughly understand the technical and business considerations and champion the project.
• Standardizing DG — Flexibility is needed to grapple with rapidly-changing requirements. It’s critical to strike a winning balance between the needs of staff to acclimate and the need for a timely transition to full conformance to new DG standards.
• Maintaining DG — Be mindful of the need for preventing data mismanagement and imposing repressive policies that are not conducive to a healthy team environment, to sustain long-term success of DG and to promote the overall interests of the business and its team.

Data Governance Implementation Project Best Practises

Data governance is a permanent proposition. Implementation and long-term oversight teams risk participants losing their sense of priority and commitment to the program over time. So, it’s recommended to begin with an application-specific, data-type-specific, or other prototypical introductory project and then continue in phases (of no longer than 3 months each). Keeping the project manageable allows for more natural adaptation and greater confidence in broader adoption.

Common DG implementation steps include:

• Analyze the current condition of the company’s data management and data quality.
• Define objectives and goals for the DG implementation project.
• Ensure that top management fully supports and budgets for the project.
• Ensure that all employees understand the importance of the project and support it.
• Define roles for parties, including DG strategy steering committee, DG Oversight Board, Data Manager, Data Stewards, Data Owners, Data Users.
• Develop a set of data governance program policies.
• Create a roadmap for implementation.
• Implement the data governance program.
• Monitor and enforce the DG policies.
• Repeat the above steps each time changes are made that can affect the program.

Final Recommendations for Data Governance Implementation

Before starting DG implementation, reasons for the project should be clarified, to help prevent wasting time on unnecessary tasks. Evaluate current processes and adapt them to the planned new DG requirements, if practical vs. unnecessarily developing entirely new procedures.

Evaluate various data governance platforms and compare the difference in functional blocks for data integration, master data management, metadata management, data integration, data protection and data quality insights.

When you embark on your data governance initiative, avoid reinventing the wheel. As much as possible, use proven implementation methodologies, structural models and best practices already available in software tools, technical information libraries, or Managed IT Services consultants.

It seems like every week, a new, high-profile data breach is in the news. Both national and international companies alike can be hacked at any time, putting clients and customers in danger of having their financial and personal information used by criminals. Likewise, breaches like these pose real threats to the stability of a company. Trust in a company’s brand, products, services, and overall reputation can be lost in a matter of days.

But while most consumers — and many companies themselves — assume that data breaches happen over the Internet (and granted, they often do), another highly susceptible mode of communication may also be the culprit of a data breach: The telephone.

While it may not appear so now, it is essential to take precautionary steps to ensure the safety and security of your company’s phone line. Here are some key questions you and your company may have on this topic:

Aren’t online security precautions enough to keep my data safe?

No, unfortunately not. Today, when consumers need to enter their personal and financial information online, companies are usually (hopefully) at the ready with security precautions in place. But most companies don’t offer the same protections on their phone lines, and hackers are becoming more and more in tune with this loophole.

Moreover, you simply cannot expect your company to go entirely online. Older consumers, especially, still want to carry out transactions and make updates to their personal information over the phone. If any customer needs to call your company, you’ll also need to verify their identity, which means asking them personal information such as their full name, address, phone number, email address,

Sometimes, customers will even be asked to give passwords, pin codes, and answers to security questions over the phone. For better or worse, there are more than a few consumers who use the same passwords, pins, and security answers for many or all of their accounts. Again, hackers are keenly aware of this and use this information to conduct illegal activity.

How can my company start protecting our phone lines better?

You’ll need to implement security protocols with your phone lines just as you do with your website.

One such form of data protection is the GDPR or the General Data Protection Regulation, an EU-based framework of rules, which aims to help consumers have more control of their personal information. You’ll need to abide by GDPR and implement the necessary payment systems into your telephone protocol. GDPR-friendly systems allow the customer to enter data — especially payment information — directly into your banking establishment’s system (often by asking the consumer to dial in their credit card or social security numbers, etc.) instead of vocalizing it to an agent.

Another thing you can do to add an additional layer of security to your phone lines is to record all calls. You’ve likely heard the phrase, “all calls will be recorded” when phoning a company or service before. This is a notification that that establishment is concerned about call security and is putting an extra precaution in place.

How can recording calls help security over the phone?

It’s a way for companies to have full transparency of what transpires on a phone call in the event of a related security breach.

Of course, one concern in this area is that call agent may take personal information from customers and use it illicitly. In the event of this occurrence (or suspicion of this occurrence), the company will have a record of all calls, which they can then use to get to the bottom of security issues.

Is my company’s phone line at risk of a data breach?

It’s best to assume that yes, it is at risk. All phone lines can be hacked and are at risk, and if your phone line ends up being compromised, your company is unfortunately in for a world of trouble. Regrettably, even if you can fix the problem right away, your current and potential customers will lose trust in your ability to protect their information.

Time and again, companies, both large and small, take hard hits because of data breaches. And earning back the reputation of old customers becomes increasingly more difficult when news of every security problem is plastered all over television, news sites, and social media.

Instead of fixing security issues after they happen, aim to prevent them altogether. Keep in mind as you move forward that this means preventing security breaches online and over the telephone.

No longer are cyber thieves content to steal individuals’ financial information off unencrypted hard drives or through spam or phishing schemes. Increasingly, these criminals are going after bigger targets – they are targeting corporations with ever more complex threats like SQL injections, advanced persistent threats and Zero-Day exploits. These criminals are ruthless and have begun targeting healthcare providers.

According to Robert Herjavec, ransomware attacks on hospitals may increase fivefold over the next five years. Why, you may ask, all this interest in hospitals and the healthcare industry?

• Financial gain. Medical records are far more valuable than credit card data. Medical records can sell for up to $50 each on the Dark Web compared to the meager $1 that Social Security and credit card data brings.
• Easier to hack. Banks and other financial institutions are becoming more difficult to crack for cyber thieves. These institutions have invested heavily in cybersecurity to protect their data, while healthcare’s investment in sophisticated cybersecurity is lagging.
• Medical identity theft is more difficult to detect. Consumers can purchase plans to help protect them again identity fraud and track their financial statements to detect fraud. But both patients and healthcare providers are unlikely to recognize a security breach immediately.

Large hospitals and other large healthcare organizations are not the only targets. Smaller private medical practices are also being targeted. According to Healthcare Informatics, 45 percent of all ransomware attacks in 2017 were in the healthcare field.

Regardless of the size of the organization, ransomware attacks can cause significant financial loss. Some organizations chose to pay the ransom because of the urgent need to resume patient care. However, there are more considerable economic consequences too.

• Disruption of services. During the ransomware attack, the healthcare provider cannot provide a wide array of medical services causing loss of income by interruption of the business’s operations.
• Loss of reputation. Patients often choose a medical practice, hospital or same-day surgery center based on the facility’s reputation. Loss of trust in a facility’s ability to safeguard patients’ medical records could potentially lead to business failure.

The CIO in any healthcare organization must communicate with the facility’s board of directors and management that cybersecurity is not an issue that can be tabled until next year. Clearly, everyone should develop a deep understanding of the serious consequences if their facility is attacked by ransomware. When the magnitude of potential damage is fully appreciated, cybersecurity will cease to be an expense. Cybersecurity will become an investment to protect the business from catastrophic cyber-attacks.

The healthcare industry is unique – bound by HIPAA for patient privacy and security – unlike credit cards which can be canceled and reissued – medical records uniquely belong to the patient and could be at risk for the life of the patient.

Why is the healthcare industry at increased risk for ransomware attacks?

Cybersecurity companies like Herjavec Group and Cybersecurity Ventures issued a report in 2016 that ransomware damages would be in the range of $1 billion for the year. Let’s look at some of the reasons the healthcare field is now the #1 target for ransomware.

• IoT growing in healthcare. The Internet of Things is exploding. Global healthcare entities will spend upward of $270 billion on IoT devices by 2023. Imaging devices connected to the internet are a tantalizing target. Add in equipment maintenance software that requires periodic updates, and we can begin to see the opportunities for cybersecurity breaches. The critical needs of patient care demand that imaging devices are available 24/7 with no scheduled downtime – leaving updates to patch weaknesses not always performed on a timely basis.
• Healthcare executives seem less aware of the risks than in other industries. Unfortunately, many healthcare executives seem less aware of the potential dangers from ransomware than management in different vertical industries. Hospitals, ambulatory clinics, imaging facilities and private practices are playing catchup to secure their networks.
• Insider threats. Insider threats generally come in two forms. An obvious insider threat is the disgruntled employee or former employee. Less obvious threats may come from third-party contractors or outside consultants. And lastly, lack of employee training may cause careless or inadvertent mistakes.

What types of problems does ransomware cause?

Understanding the potentially catastrophic dangers that ransomware is the first step in realizing how important cybersecurity is the healthcare field.

• Patient’s health and well-being. IoT connected devices include Wi-Fi heart pumps and smart beds in the surgical suite. If these devices become compromised through security, a fatality could result. Altering a patient’s records by changing their blood type could result in an adverse reaction after a blood transfusion.
• Hollywood Presbyterian Medical Center. The Locky strain of ransomware infected this Los Angeles hospital in 2016. The hospital paid over $16,000 in ransom. More damaging was the news that the breach put the hospital on lock-down because employees couldn’t access their computers. Their radiology and oncology departments couldn’t use their equipment.
• Hancock Health, Greenfield, Indiana. Officials paid over $55,000 to get decryption keys to regaining access to over 1,400 files. Although the hospital had backups, officials did not want to risk days or possibly weeks before they regained access to their data.
• 16 Hospitals Shut Down in the United Kingdom. In 2017, ransomware known as WannaCry creating chaos for hospital administrators, employees and patients. The ransomware even affected their telephone systems forcing employees to use their personal mobile phones. Citizens were advised to use these facilities for emergencies only.
• MedStar Network, D.C. and Maryland. The largest healthcare provider in the area, with 10 hospitals and 200 outpatient locations, was hit by a ransomware attack in the spring of 2016. Patient records were locked, and some patients had to be turned away.
• 2018 and no end in sight. Almost 50 major breaches have been reported by Healthcare IT News.

The Challenges Hospitals Face

First of all, the FBI will continue to monitor ransomware attacks through their Cyber Division. The FBI discourages hospitals and other organizations from paying ransoms – recommending a proactive approach – data backup and a business recovery plan instead.

Challenges include outdated systems and too few experienced cybersecurity personnel. The data is high value on the open market so ransomware intrusions will continue to occur.

Hospitals, rightly so, focus on patient care. But more attention and budget must be directed toward cybersecurity over the next five years. Lagging wages for IT personnel in the hospital industry are a contributing factor.

Many hospitals work on outdated platforms, and they utilize more off-the-shelf software too. Sadly, many hospitals lack the backups they need to protect themselves. Stricter adherence to back up recommendations could stem healthcare facilities from being forced to pay ransoms.

Protect your organization against ransomware attacks by acknowledging the risk, putting a plan in place and then allocating the budget for cybersecurity.

In July 2018, after much speculation throughout the business and technology sectors, Microsoft revealed the highly anticipated Surface Go tablet. The 10-inch device was the first Surface-branded tablet to be released since the non-Pro Surface 3 was introduced across Canada in May 2015. With the release of Surface Go, business owners were able to perform intricate tasks on-the-go, while simultaneously enjoying all of the benefits that the new tablet provided. Now, four months later, Microsoft has released the Surface Go tablet with LTE throughout Canada.

Surface Go Attributes

The Microsoft Surface Go is an Intel-powered tablet that offers a wide variety of features, advances, and benefits. For example, the Surface Go is automatically equipped with Windows 10. It also features immediate access to all of the apps within the Windows Store. However, it is important to note that the Surface Go tablet is automatically locked to “S Mode” for both consumer and commercial models. Unlocking the “S Mode” is a relatively straightforward process that will enable the tablet to access a variety of other apps.

Like many of the Microsoft products, the Surface Go tablet features a multitude of productivity-enhancing apps. It also has standard web browsing and advanced video conferencing capabilities. The addition of Microsoft Office enables businesses to use the Surface Go tablet in the office and at out of office presentations. Speaking of, the addition of LTE, now ensures that tablet users will have access to the Internet anywhere that they go.

Surface Go with LTE in Canada

In today’s digitally driven world, where important messages can’t be missed and deals can be completed in a blink of the eye, having 24/7 access to the Internet can mean the difference between business success or failure. The recent release of the Microsoft Surface Go with LTE enables Canadian business owners (and employees) to access the Internet via their tablet from practically anywhere. Additional features and benefits include:

• The easily stored and accessible 10-inch size makes the tablet the perfect travel device.
• An extended battery life ensures that the tablet can be used throughout long meetings and during train or air travel.
• The dual-core 6W TDP processor is strategically designed to use the minimum amount of power when completing light productivity tasks.
• The Surface Go with LTE can easily be paired with the Microsoft TypeCover and used with the Surface Pen to increase productivity.
• An extended warranty is available with the Surface Go commercial model.

In addition to the above features and benefits, the Surface Go with LTE consumer model is equipped with 8GB of RAM, 128GB SSD, and an Intel 4415Y processor. The latter attributes allow the tablet to complete more complex tasks, which is especially beneficial to Canadian business owners who need to review presentations, leverage interactive apps, complete video conference calls, and a wide variety of other time-consuming activities. The commercial version of the Surface Go with LTE features an even more robust Windows 10 Pro operating system that is essential for the on-the-go employee or business executive.

Canadian Business Owners Can Leverage The Benefits Of The Surface Go With LTE

Did you know that the Surface Go with LTE was strategically designed to inspire employees to work more naturally? From its people-centric design to its flexibility to its accessibility, the Surface Go is meant to boost the work experience for entire organizations. In fact, a recent survey of more than 1,000 employees from global companies, found that the Microsoft line of Surface tablets can achieve the following ROI enhancing business benefits.

• 75 percent of employees said that Surface devices increased their productivity levels.
• Up to nine hours are saved when mobile or remote workers are completing everyday tasks.
• IT manageability is improved by ensuring that security and compliance protocols are followed (even when employees or business executives are working on the road or from home).
• Teamwork, creativity, and mobility are enhanced.

The moral of the story is simple, the Microsoft Surface Go tablet with LTE can help Canadian businesses thrive in the modern digital age. When clients expect companies to respond instantaneously, and more employees are interested in working remotely, the Surface Go with LTE offers the ideal solution to increase productivity levels, enhancing mobility, and generating ROI-enhancing results for Canadian business owners.