2020 marks the fifteenth year that The Ponemon Institute produced its Cost of a Data Breach report.  Among the findings of the report, produced jointly by IBM security, is one that generates pause for many of those in the healthcare industry: while the average total cost for a data breach was $3.86 million across all sectors, this cost in the healthcare sector was nearly double that at $7.13 million.  This represents an increase of 10% from the 2019 study.

What does this mean for those in the healthcare sector?  Strengthening information security practices to avoid and mitigate breaches is paramount, and a key component of this effort is finding ways to diminish the cost of a breach.  In these times where many companies are closely watching the bottom line, there is good news: among the top cost-mitigating factors are three that with your people and processes.

1. Incident Response Plan and Testing

Incident response team formation and incident response testing comprise 2 of the top 3 cost mitigating factors affecting the average cost of a data breach, according to the Ponemon report.  Having a team in place before an incident occurs means that you will be able to respond and contain a breach more quickly.  A trained team will be able to react quickly and make good decisions during a breach.  You will know what steps to take, who to contact for assistance, and how to mitigate the damage a security incident can create.

2. Business Continuity Planning

Implementation of a sound business continuity program rounds out the top 3 cost mitigating factors.  Your business continuity program is essential during a data breach.  You will want to answer questions like: How will your organization continue to provide services to your customers?  Do you have data backups that can restore corrupt data, or data that is frozen by ransomware?  Are you able to ensure your systems remain secure when operating under an emergency plan?  And how do you go back to normal operations when a breach is finally over?  Planning for these questions in advance puts you in a strong position to recover effectively.

3. Employee Training

Employee training continues to be a top cost mitigating factor.  One of the most effective ways to prevent a breach is to ensure employees know their responsibility for information security, and how they can contribute on an individual basis.  They will learn how to keep your organization secure by not falling for e-mail scams like phishing and spear phishing, how to create strong passwords, and how to be cyber-aware while working from home.  A well-trained workforce with information security on the brain can not only help you avoid falling victim to a breach, but they can also be the first line of detection and help you discover an attack more quickly.

When it comes to securing your company’s systems, and your customers’ personal information, every effort counts.  Leveraging your work force’s skills and knowledge in these key areas to contribute to your breach resilience are great steps in the right direction.

The United States is now almost one year into its COVID Pandemic Response that shifted a large percentage of its workforces to a remote office scenario.  While every organization works to maintain appropriate security and privacy safeguards in this new milieu, the stakes are higher for those companies that are obligated by the HIPAA Privacy and Safeguard Rules.  While you cannot understate the importance of awareness training for a remote work force, there are several steps that companies can implement to support continue compliance, even outside the office.

  • Secure Wireless– All employees should ensure that the wireless networks to which they are connected are secured. This seems straightforward and generally, people are aware that they should be requiring passwords to join the network, but secure wireless networks take a little bit more than that. Protection of the networking equipment itself is often overlooked, as more attention is focused on the workstation itself. Users should ensure that they have changed the default administrative credentials on their networking equipment.  Setting the SSID (network name) to private can also help secure the network, making it more difficult for criminals to find. Firmware on the access point or router should be updated and patches maintained.  Securing network equipment and devices is critical to securely working in a remote environment.
  • VPN Connections – When accessing corporate resources, employees should be sure to do so through secure VPN connections. VPNs establish a secure connection between the workstation and the network resource being accessed. Data traffic is exchanged through an encrypted tunnel, offering protections against theft of data in transit. It also obscures the IP address of the workstation by using a proxy.  It’s also important to remind employees to disconnect from the network when they are done with work.
  • Two Factor Authentication – An additional of security can be added by requiring two factor authentication for logging into corporate assets that may have sensitive or regulated data, such as PHI. This requires users to provide not just a name and password to log-in, but also an additional identifying criterion. Most often, this is a randomized number provided by an authentication tool, such as Google Authenticator or RSA SecurID.  This means that even if someone does compromise username and password, they will be unable to log in to those sensitive assets.
  • Printing Restrictions – In talking about securing the work environment at home, printing is often overlooked. Printing hard copies of reports or file that contain PHI represents a potential exposure. If employees must print documents with sensitive information, it should be stored in a locked drawer or filing cabinet. When the document is no longer needed it should be shredded.
  • Policies and Procedures – While well-documented policies and procedures are a must for the protection of PHI, they are only successful if employees understand them and know how to apply them to their job roles. Not only is it helpful to have the policies regarding the treatment of PHI readily available, but companies may also consider conducting ongoing training about the role their employees play in ensuring the security and confidentiality of PHI.  Ongoing communications through email, SharePoint or company messaging systems can act as helpful reminders and assist in creating a culture of security and privacy awareness.

While everyone is managing the seemingly continuous change necessary to maintain healthy communities amidst the pandemic, one thing that remains constant is the need to ensure the protection of sensitive patient data.  For that reason, we must ensure that the policies, processes, and pratices that we enforce to secure patient data apply equally in the office and at home.

By Dr. Heather Mark, CCEP

Privacy data leaks can cause long term damage to an organization. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately. Here are 5 questions to get you started.

The subject of data privacy and consumer rights has been a hot topic over the last several years.  Beginning with the implementation of the General Data Protection Regulation (GDPR) in the EU, continuing with the passage of privacy laws in California, Massachusetts, Nevada, and continuing with the proposal of almost a dozen more state level consumer privacy laws, businesses are have to sit up and take notice.  While these laws certainly aim to protect consumers from businesses that might intentionally misuse data, it also means that organizations must be cognizant of the ways that such sensitive data might “leak” into, or out of, their business ecosystems and the potential damage that can be done by such “contamination.”

I use the term toxic data here to describe data that is protected by regulation (Personally Identifiable Information or PII, Financial Information, Protected Health Information, etc).  This data carries with it responsibilities and has to be handled appropriately to avoid serious negative consequences.  Not to overdo the analogy, but for small businesses particularly, leaks of such data can prove fatal. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately.

Here are five straightforward questions that organizations can ask to start getting a feel for their own practices.

  • What data do we collect?

Surprisingly, the answer to this question for many companies is, ”I’m not sure.”  If a organization has been in operation for some time (5 years or more), it may be the case that data collection began simply, with a contact or payment form or cookies and web beacons. Some organizations may have relied on third parties to help with forms and websites and may not have a complete list of data that is collected.  In other cases, data collection protocols that were purposely set up may not have evolved with the organization’s needs over time.  Doing a data inventory (finding out what data you collect and where that data is stored) is a critical component in protecting that toxic data. You can’t protect it if you don’t know that you have it.

  • Why do we collect that data?

Once you’ve determined what data is being collected by the organization, the next step is to answer the “why?”   This is where the rubber meets the road.  If there is no specific business purpose to collecting the data (i.e., it is considered a “nice to have” or no one can really identify its purpose) then the organization should really examine whether it should change their practice. The more toxic data a company stores, the higher the liability exposure if the data is compromised or, in the case of GDPR, CCPA and similar laws, if the data is used inappropriately.  The general guideline for data – if the data is not needed, it should not be collected.

  • How does data flow through and out of our organization?

This one might seem obvious, but data has a habit of migrating through organizations if it is not carefully constrained.  Understanding how different departments interact with the data, helps to develop appropriate controls in departments handle the toxic data.  For example, if the “contact” form for your support group also provides information to your product group or your account management group, understanding where that data goes allows the organization to focus its resources on protecting those data flows and data stores. Additionally, it might bring to light data uses that were not widely known in the organization, allowing for a discussion of risk and appropriate data uses. Understanding the data flow allows the organization to use maximize the positive aspects of data use without “infecting” departments that have no need to access or use it.

As important as how the data flows through the organization is how the data flows out of it.  What third parties are being used to support the business operation, and how do those organizations access and use data? Do they need the data to fulfill their obligations? Sitting down and going through these relationships can be extremely helpful in identifying critical vendors and helping to manage third party risk.

  • How do we dispose of data when it is no longer needed, or a deletion request is received?

The issue of data disposal, “deletion” or “erasure” is certainly complex and worth speaking with counsel about when drafting and implementing policies and practices. For the purposes of this discussion, the question is how an organization can ensure that such toxic data is appropriately removed from the network or systems. CCPA allows for anonymization or de-identification of data. This means that identifying information is removed so that the data element cannot be tied to an individual.  Organizations must also balance their regulatory obligations to maintain records against the consumer request. While the regulatory obligation will supercede the deletion request, it is possible for organizations to meet the spirit of a deletion request while maintaining its legal obligation for record keeping.  Doing so requires careful planning and execution and a clear understanding of privacy requirements.

  • How do we disclose our data privacy practices?

The central tenet of all privacy laws, and the fair information principles on which they are based, is providing the consumer with ability to make a clear, informed decision about how their personal information is collected and used.  To further that objective, organizations must disclose clearly and explicitly the ways in which data is collected and used.  Further, consumers must have easily identifiable mechanisms to make privacy-related requests of the organization.  And the notice must be provided PRIOR to the collection of data.  If data is shared with third parties, that, too, must be disclosed. This allows the consumer the ability to really understand why certain data elements are being collected and they are being used before they consent to share it.

Designing, implementing, and maintaining a privacy program is an “all hands on deck” operation.  Every department must be bought it to get a comprehensive picture of the organization’s privacy prognosis and create a “treatment plan” for the toxic data.   This also assists in obtaining organization-wide buy in on the program.

Personal information is the currency of this age.  Consumers will trade privacy for convenience.  The Center for Data Innovation found that 58% of Americans are willing to trade their personal data for a greater level personal convenience.  That gives organizations a great deal of power, but also a great deal of responsibility.  In order to ensure that companies are mindful of that obligation, states are taking the lead in establishing consumer rights with respect to how data is collected and used.  Understanding your organizations relationship with potentially toxic data can help keep everyone, business and consumer, safer.

By Dr. Heather Mark, CCEP

In the wake of the COVID-19 pandemic, fraudulent activity and scams have been on the rise.  As a result, scammers are looking for ways to test their stolen card information.  One way they do that is to find portals or e-commerce sites that have payment forms and use those forms to “test” cards.  This is done by running hundreds or thousands of small transactions to see if they will be authorized.  If these small transactions are authorized, the criminals assume the card is “good.”  Meanwhile, the merchant may not know that this has happened until an expensive invoice is received for those “auths.”

In order to combat these types of scams, here are three ways merchants with an internet presence can mitigate their risk proactively:

  • Implement CAPTCHA – CAPTCHA is an easy test that users take on web-based forms to prove that they are not a “bot.” These may include simple math questions or identifying pictures from an array.  This simple step allows merchants to filter out bad actors and helps to ensure that their payment site is not being misused.
  • Use TC CrediGuard TC CrediGuard is a product offered by Sphere that allows merchants to set parameters for certain transaction patterns. Merchants can set TC CrediGuard to deny transactions based on a set of predetermined criteria.  For example, a merchant may set parameters to deny transactions after five attempts from the same IP address within 7 minutes.  Or, if the IP address of a bad actor is known, a merchant may block that specific IP address.
  • Add a Log-in Screen – Payment forms that reside in front of a log-in page may be more convenient for your customers, patients, or donors, but it can also make it easier for criminals to use that payment screen as a tool for testing card numbers.  By adding a log in screen, you create a barrier that may protect your business from becoming a target for these types of schemes.

By implementing these recommendations, merchants can take significant steps towards mitigating the likelihood of a Primary Account Number (PAN) or Card Testing event.

To learn more about secure online payment solutions and fraud reduction tools, please contact a Solutions Consultant at 800.915.1680, option 2 or sales@spherecommerce.com.

By Dr. Heather Mark, CCEP

The data economy has become so pervasive in today’s business that it sometimes is necessary to pause and think about where we’d be without the explosion of data that businesses have at their disposal.  Cloud software firm, Domo, releases an annual report each year on the astronomical growth of data.  Their report, Data Never Sleeps, provides a fascinating example of just how people are using the internet, leaving digital trails to be followed.  According to Data Never Sleeps 7.0, more than 511,200 tweets, 18, 100,00 texts, and 188,000,000 emails are sent PER MINUTE. And that doesn’t include our unintentional data creation – the Internet of Things, or our browsing history, or geolocation data. Our world runs on data, which means that as consumers, we need to be able to trust that our data won’t be misused by the companies with which we do business.

A PwC survey conducted in 2017, tells us that consumers are becoming more cynical about how companies handle data.  Just 25% of survey respondents believe that companies handle data responsibly and less than 15% believe that the data will be used to improve lives. Further, 87% of those respondents have said that they will take their business elsewhere if they don’t trust the data handling practices of a company.

In Francis Fukuyama’s book, Trust: The Social Virtues and the Creation of Prosperity, he proposed the idea that trust and ethics was central to economic well-being.  “If people who have to work together in an enterprise trust one another because they are all operating according to a common set of ethical norms, doing business costs less…”  It costs less because we know that our colleagues and our partners will behave in ways that we expect, and that serve the good of the organization.  Similarly, as consumers, we are more likely to do business with organizations that we trust.

An essential element of trust is transparency. Again, referencing the PwC survey, 71% of consumers find the privacy policies posted by companies to be difficult to understand.  If a consumer believes that an organization is intentionally obfuscating its practices, trust erodes.  When trust erodes, consumers say they will take their business elsewhere.

The moral of the story here is that as we move more fully into the data economy, we must also move more fully into being trustworthy stewards of personal data.  We do that, by adhering to the letter and the spirit of the data protection laws and establishing strong information practices.  Some of those practices include:

  • Data Flow and Categorization – It sounds cliché, but you can’t protect what you don’t know you have. So, the first step that is typically suggested is doing a data flow or data mapping.  This helps you to determine where the date is coming from, how it’s being used, and who you might be sharing it with.  You may find that you’re collecting more data than you need, or that you’re sharing it with vendors that don’t need it.
  • Limit Collection of Data – Another old axiom in the data security and privacy business is “don’t collect what you don’t need.” To put it simply, it’s difficult to disclose or inappropriately use data that you don’t have.  Once you’ve done a data mapping exercise, you can review this with your team to determine which data is strictly needed as opposed to “nice to have.”  Moreover, many of the fair information practices are built on the notion of only collecting the data that you need to complete transaction with the individual.
  • Disclosures – Transparency with your constituency about what data you’re collecting and when, and how it’s being used is one of the simplest, but most important, steps that can be taken with respect to privacy. Visitors to your site, and consumers of your product or services, can’t make informed decisions about sharing their data if they don’t understand how that data might be used. Providing clear and concise information about your information practices helps to engender trust and stands you in good stead with legislative privacy regimes.
  • Awareness and Training – In today’s economy, most of our businesses and non-profits run on data. Whether we intend to or not, we become dependent on data transmission, data analysis, data storage, and data collection.  That means that everyone in our organization is going to encounter personal data at some point.  Given that fact, it’s important that your team knows what data is considered sensitive, and how that data is to be treated. An important part of training, that can be easy to overlook, is how to report a potential incident.  For example, what should be done if someone has emailed a payment account number?

The dilemma facing businesses today is encapsulated nicely in the January 2019 issue of the Frontier Technology Quarterly:

On one hand, the data economy is radically transforming many economic activities and creating new levels of prosperity. On the other, it presents the possibility of a perilous dystopia … A market economy cannot function without trust, and the data economy is no exception. Trust deficits can unravel the data market and undermine social cohesion, stability and peace.