Archive for the ‘Data Breach’ Category

Healthcare CIO Puts USB Ports on the Disabled List

Thursday, July 29th, 2010

Finally, a story about a CIO who takes on the data security threat from USB sticks and thumb drives. Earlier this week, Health Data Management News ran a short article entitled “Data Security is The CIO’s Constant Challenge”. It is the story of Chuck Christian, CIO at Good Samaritan Hospital in Vincennes, Indiana, and his IT department, and their efforts to protect private healthcare information and ensure HIPAA compliance.

Chuck explained “Earlier this year, Good Samaritan went well beyond its laptop policies, disabling USB ports across the computers connecting to its network.  It was a pre-emptive move to preclude inappropriate data transfers to easily lost devices.”

Chuck Christian explained that disabling the USB ports definitely changed behavior, not least that of the hospital’s purchasing manager, who wanted to buy thumb drives in bulk. Chuck’s response: “I said no.” To the credit of Chuck and his IT department, they implemented a number of secure alternatives so that hospital staff could still get their jobs done.

It’s as simple as that. If you are in charge of data security, “just say no” when someone even suggests using a USB stick or bringing one into the workplace, and give them a secure alternative, such as Accellion secure file transfer.

Chuck Christian you are our Accellion Hero of the week.

New Data Breach Report – Portable Media Fastest Growing Data Breach Sector

Tuesday, July 27th, 2010

The Digital Forensics Association has just completed a fascinating new report, ominously titled “The Leaking Vault – Five Years of Data Breaches”. The report analyzes over 2,800 data loss incidents from publicly accessible sources and is the largest study of its kind. It’s a great read if you have a strong stomach for forty-two pages of data breach data.

One eye-popping data point: during 2005 – 2009, 148.6 million records were reported lost through the use of portable media. As a source of data breaches, portable media is second only to hacking. Perhaps most alarming, loss of data from portable media is the fastest growing data breach sector.

The security risk from portable media is a topic we’ve covered several times in the past year on the Accellion Managed File Transfer Blog. In case you missed the earlier posts, here they are again.

• Health records found on USB stick in UK Car Park

• Top 3 File Transfer Mistakes

• Another reason why file transfer via a USB stick is not a good idea

In addition to sharing the unpleasant truths about data breaches, the Leaking Vault report also offers some good recommendations on steps to take to increase data security. Securing portable data is one of its four focus topics.

Here’s Accellion’s recommendation for reducing the risk of data breach from portable media: don’t use USB memory sticks for file transfer, use a secure file transfer solution.

NHS Trusts Failing to Protect Information

Thursday, July 15th, 2010

National Health Service (NHS) organizations in the UK have accounted for more than one quarter of the data security breaches reported to the Information Commissioner’s Office (ICO). If this keeps up, the ICO could become a profit center with its new powers, approved in April, to impose penalties of up to £500,000 on offending organizations.

The ICO issued a press release on June 15 announcing Poor Data Security in the NHS. NHS Stoke-on-Trent and Basingstoke and North Hampshire NHS Foundation Trust were the latest NHS bodies found in breach of the Data Protection Act (DPA). Mick Gorrill, Head of Enforcement at the ICO, was quoted: “Everyone makes mistakes, but regrettably there are far too many within the NHS.” He went on to add: “We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law.”

But wait a second: just yesterday, July 14, there was another press release, announcing that Birmingham Children’s Hospital NHS Foundation Trust had been found in breach of the Data Protection Act (DPA). Did the folks at Birmingham Children’s Hospital not get the message from the ICO?

An Ounce of Prevention is Worth a Pound of Notification

Friday, July 9th, 2010

The recently introduced Bill C-29 amendment to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a sign that the Canadian government is stepping up its efforts to raise the visibility of data breaches through expanded breach notification requirements. This week’s SC Magazine article entitled “Canada’s newly introduced data breach is a start, but it lacks teeth” raises the question of whether this legislation goes far enough. Under the C-29 amendment, banks, retailers and other companies are required to report any “material breach of security safeguards involving personal information under their control.” The amendment’s focus is on notification, not on prevention.

While it is some consolation to individuals to know that they will be informed if their personal information has been breached, it would be far more reassuring to hear that corporations are required by law to implement safeguards to protect that information. The recently introduced Massachusetts regulation, CMR-17, is a good model for rules that go significantly further than notification and extend to requirements for data breach prevention.

While data breach notification regulations are a good step in the right direction, an ounce of prevention is worth more than a pound of notification.

HIPAA Hazard – Shipping CDs via FedEx

Wednesday, July 7th, 2010

This week, Lincoln Medical and Mental Health Center in New York suffered an embarrassing data breach resulting from a lost FedEx shipment of CDs. More than 130,000 medical records were exposed, and it is small consolation to read that “Siemens was promptly directed to suspend further transport of CDs by the carrier.” Of particular note is that both Siemens and Lincoln Medical and Mental Health Center thought it was fine to ship CDs of unencrypted healthcare data as part of a standard business process, until, of course, a shipment went astray. Did the word HIPAA never come up? Why would anyone think it a good idea to ship CDs of unencrypted healthcare data when readily available secure file transfer solutions exist?

DataLossDB, run by the Open Security Foundation, tracks data breaches and lists 134 data breaches in its “Snail Mail” category, affecting 2,729 organizations. This week’s Lincoln breach adds one more organization that has experienced the security hazards of shipping sensitive information unencrypted through the mail.

Vegas and Security?

Thursday, June 3rd, 2010

A few weeks ago my daughter and I went to Las Vegas so I could attend a security conference. It just so happened that her school was having Spring Break the same week. Luckily I had a friend who was going there at the same time so they could play all day while I attended sessions on securing Enterprise data. Not sure who got the better deal :-)

It turned out that the conference was really interesting. One of the sessions I attended had four CIOs from four different verticals (Healthcare, Law, Technology, and a major University) on a panel where attendees could ask questions about how they secured data within their Enterprise. They discussed many subjects, including the difficulties of managing data leaving the Enterprise, managing a work force that is geographically dispersed and working more and more from home, and trying to keep up with the new generation of workers who expose themselves on social sites but get very upset if any part of their financial or personal data gets confiscated or used for purposes they did not approve.

The location of the conference was also interesting. It just so happens that Nevada was the first state to require businesses to secure personal data. Nevada Revised Statutes Chapter 603A was introduced in 2005 and an amendment was added late last year. This amendment made two significant changes: (1) a requirement to comply with the Payment Card Industry Data Security Standard (PCI DSS); and (2) requirements to encrypt personal information in certain contexts.

This year Massachusetts followed suit with its own regulation, CMR-17. Part 3 of its Computer System Security Requirements requires “encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.”

It is good to see state governments taking an interest in controlling the transmission of sensitive personal data. Accellion Secure File Transfer helps businesses in these states comply with these new laws: not only does Accellion send files encrypted, it also stores them encrypted.

Vegas and Security? I guess these guys are ahead of the pack! I wonder when the rest of the world will catch up?

Mary Nicknish, Accellion Product Manager

Federal Agency File Transfer Security Study

Wednesday, May 12th, 2010

A recent report by MeriTalk entitled “Why Encrypt? Federal File Transfer Report” offers interesting data and recommendations on securing the transfer of federal data. Perhaps most alarming was the significant use by those surveyed of unsafe methods for transferring files:

•  66% use physical media (e.g. tapes, CDs, DVDs, USB drives)

•  60% use FTP

•  52% use personal e-mail accounts

and the disappointing finding that “currently just 58% say employees are aware of secure file transfer policies.” The study was commissioned by Axway and illustrates the gap between what should be happening to secure the transfer of data and what is actually happening.

Use of Accellion secure file transfer within the federal government has been steadily growing with recent Accellion government deployments at:

•  US Securities and Exchange Commission

•  NASA

•  State of Florida, Department of Transportation

•  Government of Newfoundland and Labrador

•  Government of Saskatchewan, Information Technology Office

The recent study suggests there is still more work to be done to secure file transfers by federal agencies. We are here to help.

Health Records on USB Stick found in UK Car Park

Wednesday, May 5th, 2010

Another day, another data breach. The BBC reported today that a memory stick containing health records from a nearby secure hospital facility was found by a 12-year-old boy in a supermarket car park in the UK. It held records of violent patients from the Tryst Park severe mental health unit at Bellsdyke Hospital, along with information about staff.

This is really getting silly. As a spokesperson for the health authority, NHS Forth Valley, said: “We have clear policies in place on the safe use of portable data devices.” It seems that these clear policies either:

  1. weren’t clear
  2. didn’t cover the Asda Car Park
  3. were ignored

As mentioned before on the Accellion Blog, the best idea with portable flash devices and USB sticks is DON’T USE THEM to transfer sensitive information; file transfer via USB stick is not a good idea. Abstinence in this case really does seem the best policy. Accellion secure file transfer technologies make it possible to transfer sensitive information quickly, securely and efficiently, and so avoid creating headline news such as today’s.

Another side benefit of secure file transfer, beyond securing the transfer itself, is that it makes staff more conscious of how they handle confidential information. Did the person who dropped the USB stick in the car park really mean to take the records to Asda, or did they just forget the stick was in their pocket, which happened to have a hole in it? In information security, humans are often the weakest link.

Sometimes safeguards are just that: they guard people from their own mistakes. So next time you visit the local supermarket, check your pockets beforehand.

Police responsible for first UK data loss subject to new fines

Wednesday, April 21st, 2010

Last Friday was not a good day for Gwent Police in the UK. The personal information of 10,000 people was accidentally emailed by Gwent Police to a journalist at The Register, resulting in the first major UK data loss since the UK Information Commissioner’s new fines were introduced.

It was bad enough that a Microsoft Excel spreadsheet containing birth dates and criminal record checks was sent unencrypted and without password protection. Accidentally including the email address of a journalist at The Register in the CC: field turned this into a high-profile data breach. The Register address was in the system because it had been used earlier for two unrelated Freedom of Information requests.

IT staff were immediately called in to tighten security measures to avoid similar incidents in future. As a minimum, that should include a secure file transfer system, content monitoring and filtering, and data encryption.
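As an added illustration of the “content monitoring and filtering” piece (example code written for this page; it is not an Accellion product feature and not the control Gwent Police actually deployed), the check below parses an outbound message and blocks it when a tabular attachment that looks like it carries bulk personal data (here, a run of date-of-birth values) is addressed to any recipient outside the organisation’s own domains. The internal domain list, the DOB threshold and the sample message are all constructed for the example; the sample uses a CSV attachment because a real .xlsx is a zip container and would need unpacking before its cell text could be scanned.

```python
"""Outbound mail DLP check (added example, not the page's own code).

Flags a message when a spreadsheet-like attachment containing personal data
(DOB-style values) is addressed To/Cc/Bcc to a domain outside the organisation.
"""
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Assumed internal domains for this example; anything else counts as external.
INTERNAL_DOMAINS = {"gwent.police.uk"}

# Attachment types that commonly carry bulk personal data in tabular form.
BULK_DATA_TYPES = {
    "text/csv",
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}

# DOB-style values: dd/mm/yyyy or yyyy-mm-dd (pattern chosen for this example).
DOB_RE = re.compile(r"\b(?:\d{2}/\d{2}/\d{4}|\d{4}-\d{2}-\d{2})\b")

# Constructed sample message modelled on the incident: an internal recipient
# plus an external newsdesk address in Cc, and a CSV of vetting results.
SAMPLE_MESSAGE = """\
From: records@gwent.police.uk
To: vetting@gwent.police.uk
Cc: newsdesk@theregister.example
Subject: CRB check results
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Results attached.
--b1
Content-Type: text/csv; name="crb_results.csv"
Content-Disposition: attachment; filename="crb_results.csv"

name,dob,result
A. Person,12/03/1971,clear
B. Person,1984-07-30,clear
C. Person,05/11/1990,disclosed
--b1--
"""


def external_recipients(msg):
    """Return lower-cased To/Cc/Bcc addresses whose domain is not internal."""
    headers = [msg.get(h, "") for h in ("To", "Cc", "Bcc")]
    external = []
    for _name, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if addr and domain not in INTERNAL_DOMAINS:
            external.append(addr.lower())
    return external


def personal_data_hits(msg, min_hits=3):
    """Count DOB-like values per tabular attachment; keep those at/over threshold."""
    hits = {}
    for part in msg.iter_attachments():
        if part.get_content_type() not in BULK_DATA_TYPES:
            continue
        payload = part.get_content()
        text = payload if isinstance(payload, str) else payload.decode("utf-8", "replace")
        count = len(DOB_RE.findall(text))
        if count >= min_hits:
            hits[part.get_filename() or "<unnamed>"] = count
    return hits


def check_outbound(raw):
    """Return (verdict, detail): 'block' when personal data is leaving the org."""
    msg = message_from_string(raw, policy=policy.default)
    external = external_recipients(msg)
    hits = personal_data_hits(msg)
    if external and hits:
        return "block", {"external": external, "attachments": hits}
    if hits:
        return "allow-internal", {"attachments": hits}
    return "allow", {}


if __name__ == "__main__":
    verdict, detail = check_outbound(SAMPLE_MESSAGE)
    print(verdict, detail)
```

In the sample, the Cc to the external newsdesk address combined with three DOB values in the CSV produces a “block” verdict; strip the Cc line and the same message is allowed as internal-only. A production filter would sit in the MTA’s outbound path and would also unpack Office containers and apply a much richer set of identifiers than dates of birth.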

While The Register has cooperated with Gwent Police in deleting the file, it did not feel compelled to comply with requests not to mention the story.

Digital Copiers and Scanners – Digital Time Bombs

Tuesday, April 20th, 2010

CBS News chief investigative correspondent Armen Keteyian wins the Accellion Top Sleuth award this week with his story on Digital Photocopiers Loaded with Secrets. Holey Moley, what were people thinking when they discarded their digital photocopiers? Digital copiers contain hard drives that store images of documents scanned, copied and emailed from the machine. Extracting this information from discarded photocopiers is not much of a challenge, especially when the disk is not encrypted. Apparently one photocopier even had a sensitive document still under the copier glass. While the major manufacturers of digital copiers and scanners offer security and encryption packages, there is mounting evidence that organizations aren’t generally aware of the security risks inherent in these devices.

So why is Accellion interested in digital copiers and scanners? We’ve had our eye on these little beasties for quite some time as potential sources of data leakage. Today’s digital copiers and scanners can scan a document and then send the resulting digital file as an email attachment. Without security controls, digital copiers and scanners pose a serious threat to the protection of intellectual property and to compliance with regulations such as HIPAA. In addition, scanned documents create huge email attachments that wreak havoc on email performance. A couple of years ago we introduced the SMTP Satellite to plug this security hole and improve email performance.

With the Accellion SMTP Satellite, organizations can secure and track the transfer of scanned documents and offload delivery from email. And we’ve written earlier on our view that disk and data encryption is always a good idea.