Chrome Users Need to Update Now

Google Chrome Updates

Why Google Chrome Users Should be Concerned About Security Patches

Does Your Organization Use Google Chrome? Find Out Why Recent Security Flaws Have Created an Urgent Need to Update Your Devices’ Browsers Immediately  

If users in your organization use Google Chrome, there is a high chance that several of those systems are creating an opportunity for hackers to install malware. Google recently identified a major security flaw with its Chrome browser that impacts Windows, Mac, and Linux-based devices. Google has released a security patch, and that patch fixes two separate problems.

Security Vulnerabilities

One of the security vulnerabilities Google identified is in Chrome’s audio component. The other vulnerability is tied to the browser’s PDF library. Both allow unwanted modifications or corruptions to memory data. This allows hackers to elevate privileges on the device or within applications installed on the device. If someone is able to gain administrative access to a system or software on a system, the individual could make unwanted changes or wreak havoc on the device’s operating system. There is also a high chance that a hacker could install malware or execute malicious code on the device.

Version

The version of the browser that fixes the security issues is 78.0.3904.87. Although the Chrome browser may be configured to automatically update itself in the background upon launch, it is a good idea to manually check each device. The browser can be manually checked by selecting the Help menu and then “About Google Chrome.” If there is an update available, the browser will automatically search for it and find it. The browser’s version will also be displayed in the “About” section. If the listed version is 78.0.3904.87 or later, then the device has received the necessary security patch.

If there are problems with the browser updating, it may need to be removed from the system and reinstalled. Some organizations have an automatic process to uninstall and reinstall applications from the server once the devices connect to the organization’s network. Reports can be run to see which systems still have outdated versions and technicians should manually check those systems to diagnose why automatic updates are not going through.

Other Considerations

A system that is not receiving automatic updates from Google Chrome may have other issues. Technicians should check for the following:

  • Is the anti-malware program up to date and running correctly?
  • Is the OS receiving approved updates and are these updates installing?
  • When was the last time the system pinged the network?
  • Has the system been restarted recently?
  • If the system has been disconnected from the organization’s network, how long has it been offline?
  • Has a malware scan recently been run? Were any malicious items identified and removed?
  • Are there any suspicious executables or unauthorized programs installed?

Sometimes wiping a system and completely reinstalling the OS is the best course of action. Signs that a device may be too infected, corrupted, or outdated include the presence of unauthorized or suspicious applications, more than 100 pending OS updates or a previous update date that is more than a month old, and an anti-malware program that will not update or run a scan correctly. Before wiping a system and reinstalling the OS, a technician should check for and back up any user data that may be stored on the device’s hard drive. However, the data should be carefully scanned for any malware infections prior to transferring it back onto the system.
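
The report-and-triage step described above can be scripted. The following is an added example, not part of the original article: it reads a constructed inventory export (the column names and sample rows are assumptions), compares each reported Chrome version numerically against the fixed version in its full dotted form, 78.0.3904.87, and applies the article's signs for a possible wipe and reinstall, treating "a month" as 30 days.

```python
import csv
import io
from datetime import date

# Fixed Chrome version named in the article, in full dotted form.
PATCHED = "78.0.3904.87"

# Constructed sample of an inventory export; the column names are assumptions.
SAMPLE_REPORT = """\
hostname,chrome_version,pending_os_updates,last_os_update,antimalware_ok
fin-lt-01,78.0.3904.87,3,2019-11-01,yes
hr-pc-07,78.0.3904.70,12,2019-10-28,yes
ops-pc-02,78.0.3904.108,0,2019-11-04,yes
lab-pc-09,77.0.3865.120,140,2019-08-15,no
kiosk-03,unknown,5,2019-10-30,yes
"""


def parse_version(text):
    """Return a four-part version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def chrome_status(version_text, minimum=PATCHED):
    """Return 'patched', 'outdated' or 'unknown' for a reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    # Compare numerically: as plain strings, "78.0.3904.108" sorts
    # before "78.0.3904.87" and a patched host would be flagged.
    return "patched" if version >= parse_version(minimum) else "outdated"


def reimage_signs(row, today):
    """List the article's warning signs that apply to one inventory row."""
    signs = []
    if int(row["pending_os_updates"]) > 100:
        signs.append("more than 100 pending OS updates")
    last_update = date.fromisoformat(row["last_os_update"])
    if (today - last_update).days > 30:  # assumption: "a month" = 30 days
        signs.append("last OS update over a month ago")
    if row["antimalware_ok"].strip().lower() != "yes":
        signs.append("anti-malware not updating or scanning")
    return signs


def triage(report_text, today):
    """Map each hostname to its Chrome status, warning signs and next action."""
    results = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        status = chrome_status(row["chrome_version"])
        signs = reimage_signs(row, today)
        if signs:
            action = "technician review: possible wipe and reinstall"
        elif status == "outdated":
            action = "update Chrome"
        elif status == "unknown":
            action = "check Chrome version manually"
        else:
            action = "ok"
        results[row["hostname"]] = {
            "chrome": status,
            "signs": signs,
            "action": action,
        }
    return results


if __name__ == "__main__":
    for host, result in triage(SAMPLE_REPORT, date(2019, 11, 8)).items():
        print(host, result["chrome"], result["action"], result["signs"])
```

Hosts whose version cannot be parsed are reported as unknown rather than patched, so they land on a technician's list instead of being silently skipped.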

What Are Your Company’s Responsibilities Following a Data Breach?

Cyberbreach Marriott

Learn from Marriott’s Example: Notification Responsibilities After a Data Breach

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. Know the laws in your state.  

To answer this question, let’s start with the example experienced by Marriott International recently when a breach exposed the social security numbers of the hotel chain’s associates. Then, we’ll look at the federal and state requirements for notifying those impacted by a breach that involved their data.

How Did Marriott International Employees Fall Victim to a Data Breach?

Marriott International told some of its employees that their social security numbers (SSNs) had been exposed to an unknown person. The risk came from a vendor that handled documents for the hotel chain.

On September 4, 2019, Marriott found out that someone accessed information recorded on those documents, which included subpoenas and court documents. The notification, which came two months after the incident, merely stated that someone may have accessed the records, which is all hotel representatives claim to know. The potential breach impacts over 1,500 Marriott employees. On October 30, the hotel started sending notifications via regular mail for anyone it hadn’t been able to find.

Those impacted will receive free credit monitoring as well as identity theft protection for one year at the company’s expense. Notification and credit monitoring services are part of recent data breach laws, but one must wonder what took Marriott so long to notify the victims.

Why Did Marriott Have a Difficult Time Finding Victims?

Marriott received a list of those impacted, but most had no address. This may be the most significant factor in the delay. And, it’s not an unusual one. Company records breached by hackers may be incomplete in the best of circumstances, and this information was sitting in several external systems.

The unnamed firm said all Marriott employee data was deleted from its system. One of the problems in cases like this is storing data in multiple systems, which increases the risk of theft and data breaches. Marriott no longer partners with the vendor.

What Are Your Company’s Responsibilities in Case of a Data Breach?

The FTC recommends following these steps, some of which are legally required.

Secure your Operations

Move quickly to take whatever steps are needed to secure your systems. Otherwise, your data breach can result in a series of breaches. Mobilize or form a breach response team to shore up your network against further loss.

Fix Vulnerabilities

As part of the fix, you need to anticipate questions that clients, associates and the authorities may have. Put together clear questions and answers to post on your website. Direct communication may ease frustration and concerns, especially if it takes some time to identify those impacted, as in the Marriott case.

Work with forensic experts to determine what records were at risk.

Notification

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. You must notify the affected parties when personal information is involved. Check the laws in your state as well as the federal laws and consult with your legal team regarding your responsibilities.

Document Management, Confidentiality Compliance, and HIPAA Adherence

Healthcare IT Services

HIPAA is an everyday stressor in the healthcare industry. A computer-based recordkeeping system can help keep records secure and HIPAA compliant.  

For many in the health care industry, compliance with the Health Insurance Portability and Accountability Act (HIPAA) is an everyday stressor that dictates the actions and availability of information. However, HIPAA is necessary to protect the patients’ information and medical records. A violation of HIPAA could lead to lawsuits and large fees, which could cause a business or practice to close their doors.

The Challenge of Human Error

Unfortunately, even the perfect system is prone to human error, especially if you do not have integrated checks and balances that are part of a computer document management software.

Many facilities that are larger in size have already integrated their records into a computer-based record-keeping system. This type of software is especially helpful for the large volume of records that they keep on a daily basis. However, smaller healthcare facilities may want to consider a customized computer-based record-keeping system to stay HIPAA compliant.

Typically, most HIPAA violations happen without employees’ knowledge, or they are due to simple inexperience. Some of the most common HIPAA violations include:

  • Accessing records for any reason other than to aid in treatment or payment
  • Not using a secure encryption method for protecting health records
  • Removing patient information from the facility, either physically or on an unauthorized device
  • Sharing patient information via a personal email
  • No control or lack of control of who accesses patient health information
  • Not removing access of former employees

Digital Solution for Record Keeping

Physical paper documents have a higher chance of being compromised because their very nature requires that you physically secure them. Within HIPAA, health facilities not only have to worry about who has access to patient information but for what reason.

While some electronic solutions can help healthcare facilities step away from paper options, such as common or shared network drives, these do not provide the security needed to remain HIPAA compliant. HIPAA requires that digital solutions for handling patients’ personal information have almost cutting-edge security tools. Due to the private nature of patients’ information within the system, health facilities’ data is considered a prime target for hackers looking for targets for blackmail or ransomware.

Benefits of Moving to Digital Record-Keeping

Even for small health care facilities, there is a digital document management system that could fit the needs of the business while still being HIPAA compliant. Some of the benefits of digital record keeping are:

  • Tracking for Audit Purposes – A digital document management system can record everything that happens to a file. The record could include which user has accessed the file, when the file was accessed, if anything has changed since the last time it was accessed, and historical copies of the file.
  • Control Over File Permissions – The records system administrators can control who has permission to view a file and the features available to them once they have access.
  • Unique Security Options – Administrators can dictate which users have access to patient information. As an example, administrators can add a two-step authentication method to access sensitive patient information.

Privacy and HIPAA compliance can be challenging, but adding the right document management tools can help with the stress and pressure of protecting patients’ information.

4 Dangers of Hiring Printer Companies to Manage Your IT Services

Printer Repair Companies

4 Reasons Not to Hire Printer Companies

Thinking about saving money on your IT services with a printer company? Learn about the pitfalls and dangers of relying on support from companies without expertise.  

Hiring a printer company to take care of your IT services can seem like a great solution. You won’t have to consult with multiple vendors or negotiate multiple contracts. A printer company might even offer to take care of all of your IT services for less than what you’re currently spending. However, there are several reasons why you should not trust a printer company as your single vendor for all of your organization’s IT needs. Although you may pay less, that lower price comes with a higher cost – substandard service and support.

The delivery of substandard service and support from printer companies occurs due to the following:

  • A lack of experience
  • An inability to understand the true nature and components of IT services
  • Inadequate resources directed towards developing IT and IT services
  • Unstable organizations due to conflicts between printing and IT services

Insufficient Experience

By design, printer companies are specialists in troubleshooting and maintaining two items – printers and copiers. While these companies are experts at providing service on these types of devices, branching out into the world of IT services is not something these companies have done in the past. Even though the staff may have basic troubleshooting, sales, and customer service experience under their belts, they may only have limited experience with the complexities of managing networks.

Lack of Understanding

Since printer companies do not have decades of experience with IT services, there is often a skill and knowledge gap. Without an understanding of and experience with more complex computing devices, troubleshooting skills may be limited. Computing devices, servers, and network equipment are more intricate than printers or copiers. In order to configure, deploy, maintain, troubleshoot, and fix this type of equipment, advanced and interdependent knowledge is necessary. It is far easier for printer companies to overlook the source of a problem with network dependent devices and the network itself simply due to a lack of skill.

Inadequate Resources

Since these companies specialize in printers and copiers, it is more difficult to devote internal resources to IT services. This means that there may be little put into research and development, training staff on the skills they need to support IT services, and a lack of support staff designated to managing IT services for clients. In other words, printer companies tend to overpromise and underdeliver when it comes to supporting services and devices outside of printers.

Instability

When printer companies try to branch out into IT services, it can cause internal conflict. Staff that is managing printers and copiers may not be able to keep the company afloat, due to the fact that the company is not reinvesting what it should into its printer expertise. Consequently, both sides of the business begin to suffer, and animosity develops. Leaders within the company may decide to cut out IT services altogether, leaving clients without support.

Achieving Success with Information Technology

Strategic IT Assets

Why Organizations Need to View IT as Central to Success and Profit

Think Your IT Department is Simply There to Make Repairs and Solve Minor Problems? Find Out Why It Should Be the Center of Your Organization’s Long-Term Strategy  

Information technology (IT) is more than a critical function. A well-run IT department should be integrated into an organization’s overall strategy. In fact, a comprehensive IT department should be at the center of organizational strategy. Within a firm, IT can include the following:

  • End-user computing devices
  • Networks and network infrastructure
  • Operating systems
  • Software applications
  • Data storage
  • Telecommunications
  • Internet service
  • Telephone systems

Using IT As a Strategic Asset

According to leading industry experts, even when leaders are aware of what constitutes the IT department’s purview and assets, there is a tendency to overlook IT’s potential. Yet, technology assets can be leveraged to ensure the organization runs as smoothly as possible. When an IT department and its assets are finely tuned, leaders can focus on identifying opportunities and innovative technical solutions. This includes innovative technical solutions that can be either used by the organization or leveraged by it. Consequently, the IT department and its assets become more cost-effective. With the right type and degree of investment, IT can help turn a profit for the firm.

Centralizing IT

When elevating IT and its assets to the center of organizational strategy, it is crucial to think about three areas. Those areas are:

  • Income
  • Growth
  • Strategic planning

IT can generate income through innovative solutions, but also by streamlining internal costs. This is usually achieved through the automation of processes and by increasing the efficiency of processes. Growth goes hand in hand with innovative solutions and increasing the efficiency of internal processes. By being able to meet client needs and drive market behaviors, an organization can use IT to establish a competitive advantage. Establishing and maintaining a competitive advantage to stimulate long-term growth is an essential part of any strategic plan.

Reasons to Leverage IT

The number one reason why it is important to leverage technology-related assets is due to the industry’s pace. Changes in technological advancements and capabilities happen at lightning-fast speeds. Without proper strategic planning, analysis and leverage of internal IT capabilities, an organization can simply not expect to succeed. IT can not only be a means of survival, but a point of differentiation. Technical expertise and advantage can reduce costs, create markets, better meet client needs, and make the entire organization more efficient. Neglecting IT or viewing the department and its assets as a necessary evil can backfire as others find ways to make technology generate revenue.

For those who deserve our utmost respect…

Canada Remembrance Day

November 11th is Remembrance Day…

A day where we stand united to honour those who have made the ultimate sacrifice in the line of duty.

And for all they’ve done, we say thank you.

Thank you to those who placed themselves in harrowing situations in the name of protecting our freedom.

However you’re planning on spending the day, remember to take a moment to think about these exceptional men and women.

For those who deserve our utmost respect… 

Veterans Day

November 11th is Veterans Day… 

A day where we stand united to honor those who are currently serving and those who have served – those who sacrificed for the common good of our country. 

 

And for all they’ve done, we say thank you. 

Thank you to those who have and those who continue to place themselves in harrowing situations in the name of protecting our freedom. 

However you’re planning on spending the day, remember to take a moment to think about these exceptional men and women.

Stop Hackers Cold: Eliminate These Common Entry Points

Cybersecurity Threats

Weak Points in Cybersecurity Hackers Love

Do you know where hackers are most likely to gain access to your private data? Discover the favorite entry points and how you can stop them.  

It seems like every week there are reports of another massive data breach hitting the news. The number of users affected is almost unimaginable. Cybercriminals accessed 983 million records at Verifications.Io and 885 million records at First American Financial Corp. alone. It’s scary stuff, but what’s even more terrifying is that the majority of compromised companies never show up in the papers.

During the first half of 2019, there were an average of 30 data breaches per day. So, how are hackers stealing so many records so quickly? They have their ways.

Four Places Cybercriminals Love to Steal Your Data From

1. Old Websites. The internet is a graveyard of abandoned and unprotected half-built sites, which are the favorite hunting grounds for hackers who are on the lookout for easy and virtually risk-free hacking opportunities. Although it is true that most of these sites contain nothing more than a few email addresses and dummy accounts, every so often, a cybercriminal can strike gold. On occasion, legacy and demo sites for large businesses are still connected to the company’s servers and provide a nice backdoor to confidential data.

You can protect your business by completely removing old sites from online and limiting which sites have access to your servers.

2. Free Code. Many sites offer code snippets that you can use for free on your website. All you have to do is download it and you can save hours of time and thousands of dollars. Good deal, right? Well, have you ever heard the Japanese saying, “There is nothing more expensive than something free?” When it comes to the code for your website, it is a motto you should take to heart. Using someone else’s free code for your company’s website could be the most expensive mistake you ever made. While clean, secure free code does exist online, the majority of what you will find is usually poorly written, and as solid as a sieve.

Stop hackers from using embedded backdoors in public code by not using it for mission-critical websites.

3. Unsecured Cloud Storage. Everyone is talking about the benefits of cloud computing and cloud storage, and it seems like businesses can’t wait to make the jump to working on the cloud. But before trusting your company’s confidential data to any third-party cloud storage solution, you better make sure the vendor has tight security. Many big-name companies like Facebook and Microsoft forgot to ensure their third-party vendors had the proper security, and the results were embarrassing and costly data breaches.

Carefully choose who you use for outsourcing and take an active role in protecting your data, even if it is hosted on a third-party’s server.

4. Unprotected APIs. Does your business use custom apps that utilize APIs? If the answer is yes, you may be exposing your confidential data to hackers without knowing it. While in-house app developers spend a great amount of time safeguarding your app itself from exploits, the APIs you are using from an outside developer to power your app may be a gaping hole in your defense.

Review the end-user agreements for the APIs you use and conduct penetration tests to check for vulnerabilities.

In the end, protecting your data and the confidential information of your customers falls on your shoulders. No one can be perfect when it comes to online security, but every single business can do better.

NIST Releases Guidance Solutions for PACS Ecosystem

Healthcare Tech Security

Given how medical providers struggle with ensuring their data is safe, something had to be done to offer guidance. Read this blog about a new cybersecurity plan.  

The picture archiving and communication system (PACS) is an ecosystem that stores images that are gathered from medical imaging technology. This ecosystem offers a convenient platform where medical providers can store and access these vital images. However, this ecosystem is vulnerable to cyberattacks.

In order to provide protection for this confidential data, the NIST National Cybersecurity Center of Excellence recently released proposed guidance to assist healthcare delivery organizations with securing their picture archiving and communication systems. In addition, they also released a project aimed at providing an example solution for building stronger security controls.

The guidance material, called Securing Picture Archiving and Communication System, includes aspects that help health organizations design an approach, architecture, and security elements for the PACS ecosystem, including easy-to-follow how-to guidance.

The Evolution of Digital Capabilities

As image-making technologies have taken a gigantic leap over the last decade, now confidential data and vital imaging are uploaded in a digital format by providers across the globe. This adds a huge level of convenience and gives providers the ability to easily store and share this content. The systems that house these images and data are typically stored in image-intensive areas like the radiology department and are also uploaded to each patient’s electronic health record (EHR).

But as this process adds easier accessibility and organization in a digital format, including limiting the time it takes for doctors to make a diagnosis, the technology has also opened the door to more cyber threats. And many medical providers struggle with auditing user accounts and monitoring them properly to spot any abnormal behavior. Medical providers also struggle with ensuring that data moves safely across the network and also with monitoring access by its users, which can lead to a drop in system performance.

Goals of the Project

With the project set forth by the NIST National Cybersecurity Center of Excellence, their goals include the following:

  • Identify who uses the PACS systems
  • Determine the process between the user and system
  • Perform a risk assessment
  • Identify appropriate mitigating security tools
  • Design an example solution

The ultimate goal here is to assist provider organizations with reducing the chance of a cyber breach or substantial data loss, while also minimizing any disruptions with their systems. This also puts emphasis on enabling quick access to imaging and important data without this confidential data becoming vulnerable to an attack, which also offers peace of mind for patient privacy.

Broad Capabilities Equals Broad Threat Landscape

So what makes these systems so vulnerable? This occurs from the broad capabilities of this technology. The PACS connectivity of the ecosystem works with a variety of different technologies that include medical imaging devices and other systems that help to manage and maintain archives of medical images. The role of PACS is to interact with medical imaging devices, connect with other clinical systems, and allow users from multiple locations to review images that lead to faster and higher quality patient care.

With such a broad spectrum of capabilities involved with the PACS ecosystem, that means a broad threat landscape.

Want To Drastically Enhance Your Small Business Cybersecurity?

Cybersecurity Small Business

No matter how secure you may be right now, you could always be doing more. Have you double-checked your cybersecurity lately? Review the best practices below to strengthen your small business cybersecurity.

When everything is going well, the last thing you want to do is think about what will happen when something goes wrong. It’s not necessary to dwell on the potential for a security disaster though – you know that it’s a possibility, so let’s just leave it at that. What’s important about this is that you know to cover your bases.

No need to assume the worst – just plan for it, so you know you’re protected. As that old saying goes, “An ounce of prevention is worth a pound of cure”.

Do what you need to do to “prevent” now, so you don’t have to pay for the “cure” later.

Use A Firewall

Your firewall is your first line of defense for keeping your information safe.

A firewall is a particular type of solution that maintains the security of your network. It blocks unauthorized users from gaining access to your data. Firewalls are deployed via hardware, software, or a combination of the two.

A firewall inspects and filters incoming and outgoing data in the following ways:

  • With Packet Filtering that filters incoming and outgoing data and accepts or rejects it depending on your predefined rules.
  • Via an Application Gateway that applies security to applications like Telnet (a software program that can access remote computers and terminals over the Internet, or a TCP/IP computer network) and File Transfer Protocol Servers.
  • By using a Circuit-Level Gateway when a connection such as a Transmission Control Protocol is made, and small pieces called packets are transported.
  • With Proxy Servers: Proxy servers mask your true network address and capture every message that enters or leaves your network.
  • Using Stateful Inspection or Dynamic Packet Filtering to compare a packet’s critical data parts. These are compared to a trusted information database to decide if the information is authorized.

Train Your Staff

Your staff can have a significant effect on your cybersecurity – either they know enough to keep your assets secure, or they don’t, and therefore present a serious threat to your security.

So, which is it? Do your employees and volunteers have the knowledge they need to spot cybercrime scams, avoid common pitfalls and keep your data secure?

If you’re not sure, then they may need training. Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites.

They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.

How Do I Train My Employees For Cyber Security?

A comprehensive cybersecurity training program will teach your staff how to handle a range of potential situations:

  • How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
  • How to use business technology without exposing data and other assets to external threats by accident.
  • How to respond when you suspect that an attack is occurring or has occurred.

Strengthen Your Passwords

Passwords remain a go-to tool for protecting your data, applications, and workstations.

They also remain a common cybersecurity weakness because of the careless way employees go about trying to remember their login information. Weak passwords are easy to compromise, and if that’s all that stands between your data in the cloud and in applications, you could be at serious risk for a catastrophic breach.

That’s why protecting your login processes with an additional layer of security – multi-factor authentication – is recommended. Multi-factor authentication requires the user to utilize two methods to confirm that they are the rightful account owner. It is an available security feature in many popular applications and software suites.

There are three categories of information that can be used in this process:

  • Something you have: Includes a mobile phone, app, or generated code
  • Something you know: A family member’s name, city of birth, pin, or phrase
  • Something you are: Includes fingerprints and facial recognition

Protect Mobile Devices

Implement Mobile Device Management and Bring Your Own Device policies that allow employees to use their own devices in combination with the business’ without compromising your security:

  • Require password protection and multi-factor authentication for mobile devices.
  • Deploy remote access software that allows you to locate lost/stolen devices, and remotely wipe their data if need be.
  • Develop a whitelist of apps that are approved for business data access.

And don’t limit yourself to desktops, laptops, and phones – there’s more out there for you to take advantage of. Have you considered what the Internet of Things and wearable devices can do for workplace efficiency? Now’s the time to get on board – up to 20.4 billion IoT devices will be online by 2020.

Manage Account Lifecycles And Access

This is one of the more basic steps on the list, but no less important. It can’t really be automated or outsourced to any technological aids; it’s just about doing the work. You need to have a carefully implemented process to track the lifecycle of accounts on your network.

  • Follow a careful system for how accounts are created for new members, how their security is maintained and verified through their life, and how they are removed when no longer needed.
  • Implement secure configuration settings (complex passwords, multi-factor authentication, etc.) for all accounts.
  • Implement controls for login and use, such as lockouts for too many unsuccessful logins, unsuccessful login alerts, and automatic log-off after a period of inactivity

Protect Your Wireless Networks

Wi-Fi is a necessary part of doing business. Your staff cannot go without it, so it becomes your responsibility to make sure it’s secured, simple as that.

  • Turn off broadcast so that your SSID is not available for others to see.
  • Use WPA2-Enterprise security, which forces per-user authentication via RADIUS for access.
  • Double-check your radio broadcast levels at default to make sure they don’t extend outside your building.
  • Create a Guest Network that’s segmented and has a limited bandwidth so that those visiting your building don’t have any chance of access to your data.
  • Monitor your network, and log events to track any activity by your employees and other contacts with network access.

Limit Unnecessary Physical Access

Your cybersecurity measures won’t amount to much if your laptops, tablets, smartphones and other devices are left out in the open for anyone to take.

It’s one thing for a cybercriminal to hack into your system remotely. It can be significantly easier if they’re doing so directly on a business device.

  • Keep business devices under lock and key when not in use.
  • Maintain a detailed inventory of who has authorized use for specific business devices.
  • Don’t leave the login information on a sticky note on the keyboard of the device.

Follow Payment Card Best Practices

If you accept payment through credit and debit cards, make sure to follow established security policies and practices to mitigate any potential risks.

  • Work with banks and other financial industry contacts to make sure you’ve implemented the right cybersecurity tools and anti-fraud services.
  • Double-check your compliance requirements for FINRA, GLBA, and SOX.
  • Segment networks involving a point of sales and payment systems from any unnecessary aspects of your IT infrastructure. No unnecessary software or web access should overlap with these systems.