Get our cybersecurity articles in your inbox. Sign up for the monthly LMG SecurityLink here.
[Healthcare Industry] Cybersecurity and Physical Security Must Work Together
Security breaches involving devices stolen from healthcare offices or employees’ vehicles appear in the news at least weekly. Most recently, medical device company DJO Global and hospital corporate parent Northwestern Memorial HealthCare (NMHC) both acknowledged fall 2014 incidents in which a laptop containing unencrypted data was stolen from an employee’s vehicle. DJO Global responded by wiping personal information from the laptop, highlighting the importance of enabling remote wiping. NMHC responded to their incident, which put 2800 patient records at risk of exposure, by encrypting all laptops and retraining staff. For healthcare organizations, frequent thefts of devices containing patient information reveal how physical security and cybersecurity go hand in hand.
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to notify affected parties following a breach. Healthcare organizations can decrease their risk of being in this position by:
- Encrypting all laptop/desktop drives and mobile devices, in addition to password protection. Without encryption, a thief can bypass your login password and read your data simply by connecting the hard drive to another computer or booting the machine from removable media.
- (Re)training staff in the importance of physical security, including not leaving work laptops in their vehicles, or at least not in plain sight.
- Writing security policies regarding mobile devices, to be read and signed by staff.
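To verify the first recommendation across a Windows laptop fleet, here is an added PowerShell audit (not from the newsletter or any of the organizations named above) that reports every BitLocker volume that is not both fully encrypted and protected, and lists unreachable machines so they are not silently skipped. It assumes PowerShell remoting (WinRM) is enabled on the targets, the caller has local administrator rights there, and the computer names are constructed placeholders.

```powershell
# Added example: BitLocker compliance audit for a list of Windows endpoints.
# Assumes WinRM remoting is enabled and the caller is a local admin on each target.
$computers = @('LAPTOP-01', 'LAPTOP-02', 'FRONTDESK-PC')   # constructed placeholder names

$report = foreach ($c in $computers) {
    try {
        Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Get-BitLockerVolume | ForEach-Object {
                [pscustomobject]@{
                    Computer         = $env:COMPUTERNAME
                    Volume           = $_.MountPoint
                    VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
                    ProtectionStatus = $_.ProtectionStatus    # On = keys protected; Off = data readable off the disk
                    EncryptionPct    = $_.EncryptionPercentage
                    KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ',')
                }
            }
        }
    } catch {
        # Report unreachable hosts as well: a laptop that never checks in is the one
        # whose encryption state you most need to confirm.
        [pscustomobject]@{
            Computer = $c; Volume = 'n/a'
            VolumeStatus = "Unreachable: $($_.Exception.Message)"
            ProtectionStatus = 'Unknown'; EncryptionPct = 0; KeyProtectors = ''
        }
    }
}

# A volume is compliant only when it is fully encrypted AND protection is on.
# VolumeStatus alone is misleading: an encrypted drive with protection suspended
# (ProtectionStatus = Off) stores its key in the clear and exposes the data.
$nonCompliant = $report | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
}

$report | Format-Table -AutoSize
if ($nonCompliant) {
    Write-Warning "$(@($nonCompliant).Count) volume(s) are not fully encrypted and protected:"
    $nonCompliant | Format-Table Computer, Volume, VolumeStatus, ProtectionStatus, EncryptionPct -AutoSize
}
```

Run it on a schedule and keep the output with the signed mobile-device policy; it gives the evidence that the "encrypt all laptops" step was actually completed.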
[Financial Industry] Teaming Up Against Attackers
As U.S. banks face targeted attacks by hackers around the world, they must explore new strategies for defending their data. One of these strategies is sharing information on cyber threats. Soltra Edge, developed jointly by the Depository Trust & Clearing Corporation and the Financial Services Information Sharing and Analysis Center, is a new software product that offers a standardized way to share and analyze threat intelligence. Soltra Edge and other information-sharing products will help banks put up a stronger collective defense against cyberattacks.
[Legal Industry] Does Encryption By Default Aid Criminals?
A move toward encryption by default – by Apple, Google, WhatsApp, and others – is stirring up debate among law enforcement officials. Built-in encryption prevents Apple, Google, and WhatsApp from accessing data stored on client devices, rendering this data inaccessible even by legal request. (In Apple’s case, this applies only to device data, not data stored in the cloud.) FBI director James B. Comey and Manhattan District Attorney Cyrus Vance, among others, have spoken publicly against automatic encryption, saying it will prevent law enforcement from apprehending criminals. For attorneys, encryption by default is a trend to watch, as it may make digital evidence harder to obtain. Read more about built-in encryption on our blog.
[Retail Industry] Compliance Corner: Changes in PCI DSS 3.0
While the update from PCI Data Security Standard (DSS) 1.2.1 to 2.0 contained only two new requirements, the change from 2.0 to 3.0 has twenty. This standard officially went into effect January 1, 2014, but vendors who were compliant with PCI DSS 2.0 had until January 1, 2015 to comply, and some of the new requirements remain best practices until July 1, 2015.
Here are three major areas of change to be aware of:
- Penetration testing (Req. 11.3-4): Penetration testing must now follow an industry-accepted methodology such as NIST SP800-115, requiring organizations that outsource penetration testing to investigate their service providers’ methods.
- Vendor relationship management (Req. 12.8-9): Requirement 12.8.5 mandates that organizations document which PCI DSS requirements are managed by third parties, and which are managed in-house. Requirement 12.9 states that service providers must agree, in writing, that they are responsible for the cardholder data they handle.
- System inventory (Req. 2.4): Requirement 2.4 states that organizations must maintain an accurate and up-to-date inventory of system components that are in the scope of PCI DSS.
Read our full tips on how to comply in these three areas.