Townsend Security Data Privacy Blog

Luke Probasco

Recent Posts

3 Reasons Retail ISVs Should Use OEM Encryption Key Management

Posted by Luke Probasco on Jun 11, 2013 8:39:00 AM

Today there are hundreds of independent software vendors (ISVs) selling niche retail management software and payment applications designed for particular types of businesses. Any payment application these ISVs sell that stores, processes, or transmits cardholder data must be validated against the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS). That validation checks, among other things, that the software encrypts stored cardholder data and protects the encryption keys.

ISV payment application security

Although every retail ISV must validate its payment application against PA-DSS, many vendors skate by with poor encryption and key management thrown together to meet the bare minimum. Good encryption and key management are the cornerstone of good security. When retail ISVs do not adequately protect encryption keys, or do not follow key management best practices to secure cardholder data, they leave their customers vulnerable to data breaches.

In order to protect customers, retail management software vendors can upgrade their encryption and key management solutions. Townsend Security offers industry standard AES encryption and certified key management that ease the burden of data security with these three features:

1. Reduced Cost and Complexity

Getting a new encryption key management project off the ground is hard when you have to justify doing the project over again. Encryption key management has a reputation for being costly and difficult, which is partly why so many key management projects are rushed through certification at the bare minimum. That reputation was accurate ten years ago, but today certified key management built on best practices can be achieved quickly and at an affordable price. We help businesses get there with key management that is fast to deploy, has a simple and cost-effective licensing model, and is available in OEM or “white label” form, because branding should never get in the way of good data security.

2. Certifications

We supply NIST-validated AES encryption and FIPS 140-2 certified key management, or we will help you obtain FIPS certification for your own solution. Retailers, especially at the enterprise level, are increasingly savvy about the need for certified solutions, and demand is growing. NIST and FIPS certifications mean the encryption and key management have been tested against government standards and will stand up to scrutiny in the event of a breach.

3. Protect Your Customers from Data Breaches

As we see time and again in the news, retailers still suffer data breaches through their payment application software despite PA-DSS validation. Certifications do not always equal good security. To protect your customers from a data breach, you must not only meet the certification requirements but also build a solution that truly protects data at rest and in transit using industry best practices. If a customer is breached and you have implemented security that renders the compromised data unreadable, you will be not only your customer’s hero but your own company’s hero as well.

Retail ISVs and payment application software companies also need to know that, although they have validated their solutions against PA-DSS, these standards, like all PCI standards, are not set in stone. Data security is constantly evolving to meet new threats. An encryption and key management approach that passed the last validation may not pass the next one.

Townsend Security has redefined what it means to partner with a security company. With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. We’ll help you turn encryption and key management into a revenue generating option to help build your business and protect your valued customers.

Download Podcast

Topics: Retail ISV, Point of Sale (POS)

3 Advantages of OEM Encryption Key Management for POS Vendors

Posted by Luke Probasco on Jun 7, 2013 9:48:00 AM

When it comes to encrypting credit card numbers to meet PCI security regulations and prevent data breaches, point of sale (POS) vendors selling payment application software often implement encryption key management that is cobbled together and doesn’t meet best practices. For POS vendors who supply retail businesses with complete cash register systems, including POS terminals and payment application software, inadequate key management solutions leave retailers vulnerable to data breaches.

POS Data Security Podcast

Although every POS vendor must validate its payment application software against PA-DSS, many vendors skate by with poor encryption and key management thrown together to meet the bare minimum.

Although their vendors have passed the test, retailers are still experiencing some of the largest data breaches because their POS vendors don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data.

At the end of the day, individual businesses are responsible for their own data security; however, POS vendors offering payment application software can boost their own security posture and protect their own reputation by offering better encryption key management for credit card numbers to their customers. Database administrators and information security officers in retail companies can ease their fear and anxiety about their POS solutions. They can rest easy if their POS vendor provides a FIPS-certified encryption and key management solution with these three advantages:

1. Encryption Key Management that is Easy to Use - Good encryption key management should be easy to install, configure, evaluate, license, and sell to end users. Townsend Security’s 1U server plugs right into your IT infrastructure and requires no on-site technician to install. Our cross-platform encryption key management HSM integrates with Windows, IBM i, Linux and other platforms, legacy systems included. Our team provides training, OEM integration, NIST and FIPS certifications, marketing materials, and consistent back end support, as well as the sample code, binary libraries, applications, key retrieval and other tools you and your customers need to implement encryption and key management quickly.

2. Encryption Key Management that is Cost Effective - Small and mid-sized retailers are a growing target for attackers because these companies tend to have weaker data security. They nevertheless need to secure their sensitive data and must meet the same compliance regulations as larger businesses. We strongly believe that cost should not be a barrier for any business. Townsend Security offers cost-effective licensing and easy deployment for seamless integration in less time and at an affordable price. We also offer OEM and “white label” options to save time and pain around branding. The average data breach costs a company $5.5 million; better encryption and key management can save your customers millions of dollars.

3. Encryption Key Management that Protects Your Company in the Event of a Breach - In today’s technology climate, data breaches are no longer a matter of “if,” but “when.” Even the strongest networks can be hacked. The only way to secure data is to encrypt the data itself, thereby making it unreadable and unusable to unauthorized users. However, the encrypted data is only as safe as the encryption keys! In the retail industry, the responsibility of a data breach will fall on the retail company that experienced the breach, as well as the POS and software vendors. If a breach occurs to one of your customers, encryption key management will protect your customers and protect your own organization as well.

Almost every single POS vendor offers encryption and key management for their payment applications, but not every POS vendor does the job right. In these cases, a retailer may pass a PCI audit but still be vulnerable to a data breach. With a NIST-certified OEM encryption key management solution, a POS vendor can offer retail customers the best data security available and generate new revenue with that offer.

The last thing a POS vendor wants is a data security plan that looks good on paper but doesn’t deliver when the going gets tough. The good news is that the right tools are easily available to companies who want to not only meet, but exceed compliance and prepare for evolving data security standards. “Good security breeds good compliance and not the other way around -- compliance is the low bar,” says Mark Seward, senior director of security and compliance for Splunk. With a Townsend Security partnership, POS vendors can offer their customers industry standard and NIST/FIPS certified solutions by implementing an OEM encryption key manager that is customized for their specific applications.

Podcast: Easy Ways POS Vendors Can Protect Customers

Topics: security, Payment Applications, Point of Sale (POS)

3 Reasons Point of Sale (POS) Vendors Should Offer Encryption Key Management

Posted by Luke Probasco on May 28, 2013 8:01:00 AM

In a world where data breaches occur nearly every day, and data security in many organizations looks more like a sieve than a safeguard, a strong encryption and key management solution is a must. Protecting sensitive data with encryption, and protecting the encryption keys with an encryption key management hardware security module (HSM), is so important today that it is strongly recommended, if not outright required, by most data security regulations such as PCI-DSS, HIPAA/HITECH, and GLBA/FFIEC.


If encryption and key management are so critical to protecting data, why are so many data breaches occurring every week? This is an especially important question for merchants and retailers whose encryption and key management have already passed a PCI assessment in order to operate their POS systems. Although they have passed the test, many remain the easiest targets for attackers and appear to be the most susceptible to data loss in general.

At the end of the day, individual businesses are responsible for their own data security, but POS vendors can boost their own security posture and industry leadership by offering better encryption and better encryption key management solutions to their customers. Since encryption and key management are necessary components of POS systems, providing customers with third-party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give a POS vendor these critical advantages:

  1. Competitive Advantage - As we have seen over the past few years, industry regulations such as PCI-DSS and HIPAA/HITECH continue to become more stringent. POS vendors will only retain customers if the encryption key management they offer keeps pace with these regulations.
  2. Protect Customers to Protect Yourself - When a data breach occurs, two parties take the most heat: the CEO and the software vendor whose solution was inadequately protecting the data. Retailers who experience data breaches due to poor encryption and key management techniques employed in their POS systems will likely blame their vendor and are more likely to migrate to a competitor.
  3. Offer a Higher Quality Product and Generate New Revenue - Almost every single POS vendor offers encryption and key management on their devices, but not every POS vendor does the job right. In these cases, a retailer may pass a PCI audit but still be vulnerable to a data breach. With a NIST-certified OEM encryption key management solution, a POS vendor can offer retail customers the best data security available and generate new revenue with that offer.

In our opinion, POS vendors should absolutely offer their customers the best encryption and encryption key management solutions that are out there. It is clear that many POS vendors are not offering their customers the best data security tools, and the evidence is in the data breaches that happen nearly every week. POS vendors can offer their customers industry standard and certified solutions by implementing an affordable OEM encryption key management solution that is customized for their specific applications.

Download eBooK: "Encryption Key Management Simplified"

Topics: Point of Sale (POS), Encryption Key Management, OEM

4 Things a Point of Sale (POS) Vendor Can Do to Avoid a Data Breach

Posted by Luke Probasco on May 20, 2013 2:19:00 PM

It was revealed earlier this month that the St. Louis-based supermarket chain Schnucks had a data breach that exposed at least 2.4 million customer credit and debit card numbers to an outside attacker. Schnucks is currently the subject of a class action lawsuit over the breach and the possible leak of card data through its card processing company.


Current news reports attribute this breach to two factors:

  1. Leaders in the company don’t think anything is wrong with their data security. According to a survey by CORE Security, only 15% of CEOs are very concerned about network vulnerability, while 65% of security officers “admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk.”
  2. The point of sale (POS) and retail management software that retailers use to process their customers’ card information often relies on inadequate security tools and minimal security best practices.

Data breaches caused by faulty security in card processing equipment and software surprise most people, because we expect the companies that handle our card data to protect it. In fact, the PCI Security Standards Council’s standards require exactly that: PCI-DSS for merchants such as Schnucks, and PA-DSS for the point of sale (POS) devices and retail management software sold to them, both call for cardholder data to be encrypted and for the encryption keys to be protected.

Despite the regulations, however, many POS and retail management vendors pass PCI-DSS audits by the skin of their teeth with data security solutions cobbled together from the bare minimum requirements. Asked whether they still feel exposed with their current data security solution, many database administrators will respond with a resounding “YES.” As we have seen over and over again, these piecemeal solutions are not good enough to prevent a data breach.

This has revealed a truth that is becoming more and more evident:

Just because a merchant or a POS vendor has passed a PCI-DSS audit does not necessarily mean they are protected from a data breach! Even though PCI-DSS is supposed to protect customers and prevent data breaches of this kind, loose interpretations by auditors of PCI-DSS and poor encryption and key management techniques leave businesses open and exposed to hackers.

Schnucks could most likely have prevented this data breach by choosing a POS vendor and retail management software ISV that provided these safeguards:

  1. Encryption - Always use industry standard encryption such as AES.
  2. Encryption key management - Companies encrypting data should always protect their encryption keys with an encryption key management hardware security module (HSM) that is separate from the system holding the encrypted data. This is a critical component of securing sensitive data.
  3. System logging - A good system logging solution collects security events centrally and in real time, so that unauthorized changes and attacks in progress can be detected before data is lost.
  4. Certifications - Your POS and retail management software provider should offer encryption and key management with NIST and FIPS certifications. These certifications mean the encryption and key management have been independently tested against published standards; ask for the certificate number.

Unfortunately, these days passing a PCI-DSS audit is not enough. Merchants and retail software vendors need to stay ahead of the game by using data security tools that are going to protect their customers and protect themselves in the event of a data breach. The bare minimum will not cut it.

Townsend Security is a leading provider of encryption, key management, and system logging solutions. We partner with POS and retail management ISVs to help these companies protect and secure sensitive data quickly, easily, and at a competitive price. Here at Townsend Security our team works with our partners by providing hardware, training, marketing materials, and thorough back end support to help our partners and their customers achieve peace of mind.

Topics: Point of Sale (POS), Data Breach

Steps to Take to Reduce Security Risk

Posted by Luke Probasco on May 13, 2013 3:40:00 PM

Townsend Security recently asked founder and CEO Patrick Townsend to contribute his expertise and thought leadership on data security and executive risk management to our most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).

In his article, Patrick Townsend discusses:

  • 5 misconceptions business executives have about data security
  • 5 steps to take to reduce security risk
  • And what tools to invest in to protect your company's future

Read an excerpt from his article below:

"Many business executives are aware that hackers and data breaches pose a risk to their organizations, but they aren’t sure how much risk they really bear, or even how to assess the risk from a business point of View. Let’s look at some of the misconceptions executives have, and what steps they can take to minimize the risk.

5 Misconceptions About Data Security Risk:

1) If we have a breach, we’ll just pay the fine
In many cases there will be fines for a data breach, but it is only a small part of the total cost. The cost of a breach also typically includes a forensics investigation, credit monitoring for customers, lost sales due to brand damage, and litigation costs.

2) We’ve never had a problem, so things are probably OK
This type of thinking is not a form of risk assessment. Since data breaches often take months to discover, you may not know that a breach has already occurred. Wishful thinking won’t help you prevent a breach.

3) My software vendors and consultants say they have everything under control
Today, many software vendors have not moved quickly enough to add encryption to their core products. It is not wise to rely on vague statements about data security from vendors and consultants...

Steps to Take to Reduce Security Risk:

1) Talk About It
Discuss the importance of data security with all members of the organization’s leadership team. Then talk to your IT department. Data security is an ongoing process that involves every member of the organization, and will extend beyond your organization’s boundaries to vendors and service providers. Responsibility for data security belongs to everyone.

2) Assess Your Current Data Security Posture
If you have not had an external audit and assessment of your organization’s data security practices by a qualified security professional, now is the time to start. First, perform a data security assessment with an in-house consultant, security audit firm, or platform vendor to evaluate your current security posture. Next, find the location of all sensitive data. Lastly, evaluate the security of your backup tapes. The right security assessor will help you identify the most urgent problems, and help you prioritize your efforts. This process can also help you overcome any internal resistance to addressing the problem.

3) Invest in Encryption and Key Management
When you have located sensitive data that is not encrypted, start a project to encrypt it now. Don’t forget to invest in the necessary encryption key management devices to protect the encryption keys. If your risk assessment warrants, provide budgetary exceptions to address the problem. Invest where you need to, as soon as you can. When choosing an encryption and key management solution, you should also ask: Is our encryption industry standard and NIST certified, is our key management FIPS 140-2 compliant, is our key management device an external hardware security module (HSM), and are we using dual control and separation of duties to reduce points of failure...”

Read all the points in the rest of the article in your free copy of the eBook HERE.

Patrick Townsend has more than 25 years of experience in the data security industry and brings both a deep well of knowledge and a unique perspective to the subject. He speaks regularly on data protection and encryption key management topics. He has produced a series of educational videos available on YouTube, records podcasts on data privacy, and is a regular contributor to the company’s blog.

Should Solution Providers Offer Encryption Key Management?

Posted by Luke Probasco on Apr 18, 2013 4:36:00 PM

Like any business, for a solution provider to succeed they must meet the evolving needs of their customers.  In the IT world, we all know that data management is one of the most important, complex, and fast growing needs of businesses. From disk backups to managed hosting and cloud services, solution providers are moving towards offering more of these services and at lower costs. Unfortunately, with the amount of data storage and management growing at an exponential rate every year, a major need of most businesses that goes overlooked is data security.

Encryption Key Management Simplified

Today almost every business must adhere to data security regulations set forth by industry standards groups. In retail, the standard is the Payment Card Industry Data Security Standard (PCI-DSS). In healthcare, HIPAA and the HITECH Act mandate the protection of sensitive patient data. Other regulations such as SOX, FISMA, and GLBA/FFIEC cover most other entities. All of these regulations mandate or recommend encrypting sensitive data and managing the encryption keys properly.

We would all like to think that IT directors and executives of every business adhere to these standards and recommendations and choose solution providers that provide them with encryption key management. However, as we witness easily preventable data breaches every week in the news, we know that this is simply not true.  

What IT executives and solution providers don't seem to realize yet is that in the event of a major data breach, at least two parties will take the fall: The IT executive and the solution provider(s).

Take for example the Utah Department of Health data breach of March 2012. This highly publicized breach was caused by an attacker who accessed 280,000 Social Security numbers as well as other protected health information (PHI) and personally identifiable information (PII) such as birth dates, home addresses, and taxpayer ID numbers.

This attack was considered easily preventable.

How are these kinds of attacks easily preventable? When encryption and key management best practices are used, stolen data of this kind is rendered totally unusable to the attacker. That is why encryption and key management are considered the highest standard of data security and why they are mandated by industry regulations such as PCI-DSS and GLBA/FFIEC. If AES encryption and encryption key management best practices had been in use at Utah’s Department of Health IT center, the records the attacker copied would have been useless to him.

In the end, Utah's CTO was pushed to resign and the technology used to process data totally overhauled.

Unfortunately, companies in general are pretty confused about when, where, and how to encrypt sensitive data, even though both encryption and encryption key management are recommended, if not mandated, by most industry regulations. Worst of all, many companies who know they should be encrypting their data don't do it because of budget (a direct indicator of priorities)! This results in a LOT of unprotected sensitive data.

Ultimately, consumers assume that the businesses they patronize are protecting their personal data, but the truth is, not all of them are!

The threat of data breaches and cyber attacks is not going away. In fact, these events are increasing every year. Solution providers offering data management tools to companies in retail, healthcare, finance/banking, and many other industries should absolutely be offering their customers encryption and encryption key management. Several solution providers currently offering encryption and encryption key management are already at a competitive advantage to providers that don't.

To learn more about how easy encryption key management can be, download the podcast, “Simplifying Encryption and Key Management: Removing Complexity and Cost” featuring data privacy expert Patrick Townsend.

Topics: Data Privacy, Solution Integrators/Providers

Top 3 IBM i (AS/400) Security Tips

Posted by Luke Probasco on Mar 14, 2013 10:10:00 AM

With data breaches in the news every week, and each bigger than the previous, security is a top concern for system administrators, as well as business leaders.  As we have seen, a data breach can cripple an organization.  While the IT team performs forensics and updates their systems, the management team has to explain to investors why they weren’t adequately prepared and break the news that “Those big plans we had to grow the business in the next two years? Yeah, those are on hold while we remediate this breach.” 

While the IBM i (AS/400) is considered by many to be a secure platform, it is not immune to data breaches.  As a data security company, we see plenty of organizations think they are doing the right things to keep their data safe, but are falling down on a few key areas.  Below are the top three tips to keep your IBM i (AS/400) secure and your data safe:

1) Encryption and Key Management

Did you know that some compliance regulations treat an email address as personally identifiable information (PII) and require it to be encrypted? Security experts recommend NIST-validated AES encryption coupled with an external encryption key management hardware security module (HSM). With the introduction of FIELDPROC (DB2 for i field procedures) in V7R1, IT teams can encrypt sensitive columns without application changes, saving development resources and the time spent explaining to company leaders why the company is still at risk.

For organizations that have been encrypting their sensitive data, security audits often find that they have not been managing their encryption keys properly. Encryption keys should never reside on the same IBM i as the data they protect: a key kept in a file, data area or program on that system is recovered right along with the database it was meant to secure. We help more enterprises than you might expect after they fail a security audit for improper encryption key management.
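The principle stated here, and in the POS posts above (the encrypted data is only as safe as its keys; keys belong in an external HSM, not beside the ciphertext), looks like this in code. This is an added example written for this page, not Townsend Security's product code and not the FIELDPROC interface: the KeyManager type is a hypothetical stand-in for an external key manager that holds a key-encryption key (KEK), each card number is encrypted under its own one-time data key with AES-256-GCM, and the database record keeps only the wrapped data key. The names EncryptPAN, DecryptPAN and Record are made up for the example, and the card number is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager stands in for an external key-management HSM (hypothetical here): the KEK is generated inside it and never leaves.
type KeyManager struct{ kek []byte }
func NewKeyManager() *KeyManager { return &KeyManager{kek: randomBytes(32)} }

// WrapDEK and UnwrapDEK are the only operations an application may request.
func (km *KeyManager) WrapDEK(dek []byte) ([]byte, error) { return seal(km.kek, dek, []byte("dek")) }
func (km *KeyManager) UnwrapDEK(w []byte) ([]byte, error) { return open(km.kek, w, []byte("dek")) }

// Record is what lands in the database: ciphertext plus the wrapped data key, never a key in the clear.
type Record struct{ WrappedDEK, Ciphertext []byte }

// EncryptPAN makes a one-time data-encryption key (DEK), encrypts the card number under it and keeps only the wrapped DEK.
func EncryptPAN(km *KeyManager, pan string) (Record, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, []byte(pan), []byte("pan"))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := km.WrapDEK(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptPAN has to go back to the key manager to unwrap the DEK; a copy of the database alone cannot recover the card number.
func DecryptPAN(km *KeyManager, r Record) (string, error) {
	dek, err := km.UnwrapDEK(r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.Ciphertext, []byte("pan"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// randomBytes returns n bytes from the OS CSPRNG; a failing CSPRNG is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh random nonce; output is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on a wrong key or any modification of the record.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func main() {
	km := NewKeyManager()
	rec, err := EncryptPAN(km, "4111111111111111") // constructed test PAN, not a real card
	if err != nil {
		panic(err)
	}
	// An attacker holding a database copy but no HSM access is modelled by a second key manager with a different KEK.
	_, stolenErr := DecryptPAN(NewKeyManager(), rec)
	pan, err := DecryptPAN(km, rec)
	fmt.Println("stolen database only:", stolenErr, "| via key manager:", pan, err)
}
```

Run as written, the first decryption attempt fails with a GCM authentication error because the second key manager holds a different KEK, while the second succeeds. In a real deployment the wrap and unwrap calls cross the network to the HSM under its own authentication and access controls, which is where the dual control and separation of duties mentioned earlier in this blog are enforced.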

2) Password Management

Password management continues to be a challenge for every organization. Poor management leads to weak passwords and inconsistent policies, which in turn lead to more data breaches. Fortunately for IBM i administrators, IBM recognized this and ships single sign-on (SSO) support (Kerberos network authentication with Enterprise Identity Mapping) as part of the OS; all administrators have to do is enable it. Patrick Botz, former lead security architect and founder of the IBM Lab Services security consulting practice, regularly helps organizations enable SSO and eliminate 80% or more of their password management problems using only the tools IBM provides with the OS. There is also a clear return on investment when an organization enables SSO, which makes you a hero when you tell management, “I have a way to make our jobs easier and save money at the same time.”

3) Secure System Logging and File Integrity Monitoring

A recent study shows that 69% of data breaches could have been detected before any data was lost if proper system logging had been in place, which may be why most compliance regulations (PCI DSS, HIPAA/HITECH, etc.) require it. So why isn’t system logging common practice on the IBM i? Simply put, the IBM i doesn’t log information the way other systems do: security events land in the QAUDJRN audit journal and other proprietary locations rather than in text log files. Getting that information into a usable format and transmitted to a SIEM for monitoring poses real challenges. The challenges an administrator faces with proprietary IBM i logs:

  • Data format – IBM security events are in internal IBM format, not syslog format.
  • Multiple sources – Security events get collected in a variety of locations, almost always in an internal and proprietary IBM format.
  • Timeliness – Tools are lacking to collect security events in real-time, increasing the security exposure.
  • Communications – There are no native syslog UDP, TCP or SSL TCP communications facilities.
  • Data completeness – While it is possible to print security information using IBM tools, critical information is missing from reports.
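As an added illustration of what the conversion and monitoring step amounts to (this is example code written for this page, not Alliance LogAgent and not anything from the original post), the Go program below takes a simplified, constructed model of QAUDJRN entries, renders each one as an RFC 5424 syslog message with the journal fields carried as structured data, and runs one detection rule over the sample: flag any user profile that accumulates five password failures inside a five-minute window. The entry types PW, AF and CP are real IBM i audit types (password failure, authority failure, user profile change); the field layout, the job names and the sample records are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEntry is a simplified model of one IBM i security audit journal (QAUDJRN)
// entry. PW, AF and CP are real entry types; the field set below is an assumption
// made for this example (real entries are fixed-width records with many more fields).
type AuditEntry struct {
	Time   time.Time
	Type   string
	User   string
	Job    string
	Object string
	Detail string
}

func at(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// sampleEntries is constructed input: five password failures against one
// profile inside ninety seconds, plus two unrelated events.
var sampleEntries = []AuditEntry{
	{at("2013-03-14T10:00:05Z"), "PW", "POSAPP", "123456/QUSER/QZDASOINIT", "", "invalid password"},
	{at("2013-03-14T10:00:21Z"), "PW", "POSAPP", "123457/QUSER/QZDASOINIT", "", "invalid password"},
	{at("2013-03-14T10:00:40Z"), "AF", "WEBUSR", "123458/QTMHHTTP/ADMIN", "PAYMENTS/CARDDATA", "not authorized to object"},
	{at("2013-03-14T10:00:58Z"), "PW", "POSAPP", "123459/QUSER/QZDASOINIT", "", "invalid password"},
	{at("2013-03-14T10:01:15Z"), "PW", "POSAPP", "123460/QUSER/QZDASOINIT", "", "invalid password"},
	{at("2013-03-14T10:01:33Z"), "PW", "POSAPP", "123461/QUSER/QZDASOINIT", "", "invalid password"},
	{at("2013-03-14T10:05:00Z"), "CP", "QSECOFR", "123462/QSECOFR/QPADEV0001", "POSAPP", "user profile changed"},
}

// sdEscape applies the RFC 5424 PARAM-VALUE escaping rules.
func sdEscape(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, `]`, `\]`).Replace(s)
}

// ToSyslog renders an entry as an RFC 5424 message on facility 4 (security/auth)
// with the journal fields carried as structured data, so the SIEM needs no
// knowledge of the journal layout. Enterprise ID 32473 is the value RFC 5612
// reserves for documentation; a shipped product would use its own.
func ToSyslog(e AuditEntry, host string) string {
	sev := 6 // informational
	switch e.Type {
	case "PW", "AF":
		sev = 4 // warning
	case "CP":
		sev = 5 // notice
	}
	sd := fmt.Sprintf(`[ibmi@32473 type="%s" user="%s" job="%s" object="%s"]`,
		sdEscape(e.Type), sdEscape(e.User), sdEscape(e.Job), sdEscape(e.Object))
	return fmt.Sprintf("<%d>1 %s %s QAUDJRN - %s %s %s",
		4*8+sev, e.Time.UTC().Format(time.RFC3339), host, e.Type, sd, e.Detail)
}

// FailedLogonBursts returns, sorted, the profiles that accumulated at least
// threshold PW entries within any window of the given length.
func FailedLogonBursts(entries []AuditEntry, threshold int, window time.Duration) []string {
	byUser := map[string][]time.Time{}
	for _, e := range entries {
		if e.Type == "PW" {
			byUser[e.User] = append(byUser[e.User], e.Time)
		}
	}
	var flagged []string
	for user, times := range byUser {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	for _, e := range sampleEntries {
		fmt.Println(ToSyslog(e, "ibmi-prod"))
	}
	fmt.Println("failed-logon bursts:", FailedLogonBursts(sampleEntries, 5, 5*time.Minute))
}
```

The structured-data element is what makes the timeliness and completeness points above tractable: once every field the journal carries is a named parameter in the message, the SIEM can alert on it the moment it arrives instead of waiting for someone to read a printed audit report.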

Fear not, there is a solution – Alliance LogAgent Suite with File Integrity Monitoring (FIM).  Alliance LogAgent Suite can send system logs to any collection server that is listening for messages.  Additionally, the FIM tools allow system administrators visibility right down to the field and column level, record-by-record, in their databases.

While this is by no means a comprehensive list of everything security-related an administrator should do on an IBM i, these three areas are where we recommend you start. If you are currently encrypting data, we challenge you to find out where your encryption keys are being stored (it might scare you). If you aren’t securing your systems with SSO, what are you waiting for? Are you under a compliance regulation that requires system logging? A complete system logging solution like our Alliance LogAgent Suite can be installed and running in an hour. To hear security experts Patrick Townsend and Patrick Botz elaborate on these three IBM i security tips, view our webinar “Top 3 IBM i Security Tips.”

Topics: Patrick Botz, Data Privacy, IBM i, Best Practices

11 Things Solution Integrators (SIs) Need in a Key Management Partner

Posted by Luke Probasco on Feb 5, 2013 1:29:00 PM

Download the white paper "AES Encryption & Related Concepts"

Today, nearly every business needs to meet at least one set of data security compliance regulations, if not more. Regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC recommend if not outright require companies collecting sensitive data to secure that data using encryption and encryption key management. Most solution integrators are aware of this, but they may not know what to look for in a third party key management vendor to partner with.

The key management vendor you choose to partner with should provide all the services you need to integrate key management into your solution easily. If you're a solution integrator, a third party key management vendor should provide you with:

  1. Technology. Does your key management partner provide all of the hardware, software, encryption libraries, and tools you need to deploy encryption and key management on your customers' networks easily?

  2. Certifications. Certifications are crucial to meeting government and industry data security requirements. Is your key management partner’s solution FIPS 140-2 certified? What is the certificate number? Check it against NIST's CMVP list of validated modules rather than taking the claim on faith. Do they use NIST-validated AES encryption?

  3. Training. Does your partner provide adequate training and tools, such as walk-through instruction and training videos, to help you implement encryption key management with ease?

  4. Platform Compatibility. Does your partner support all of your customers' platforms, such as IBM, Microsoft, or Oracle, including both newer and older versions?

  5. Client Side Support. Does your partner supply you with all of the sample code, binary libraries, applications, key retrieval and other tools you need to implement encryption and key management quickly and easily? Do they charge client-side licenses? (Note: Townsend Security never charges for client-side support.)

  6. Marketing Collateral. Does your partner provide you with strong sales and marketing material to help you promote the product and lend it credibility?

  7. Knowledge of Compliance Regulations. Does your partner know how their solutions will help your customers meet compliance regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC?

  8. Virtual and Cloud Environment Capabilities. Your customers may be storing their data "in-house" today, but if they want to move to the cloud, can your key management partner move with them?

  9. Scalable Solutions. Many customers of SIs are small and medium sized businesses with the same data security needs as larger enterprises. Can your key management partner's solution scale to meet the needs of the SMB market?

  10. A Supportive Business Relationship. Does your partner understand your competitive and pricing challenges? Will your partner work with you to craft a solution that keeps your price competitive, or will they just give you a price and walk away?

  11. A Win-Win Relationship. Will the partnership create new business and generate new revenue for both parties?

Townsend Security is a third party encryption and key management provider of NIST-certified AES encryption and FIPS 140-2 certified key management systems. With over 25 years of experience helping companies protect data and meet compliance requirements, Townsend Security can help you do the same.

To learn more about partnering with Townsend Security, contact us now. To learn more about AES encryption and encryption key management, download our white paper "AES Encryption and Related Concepts."

Topics: Encryption Key Management, AES Encryption, Solution Integrators/Providers

Top Security Blogs of 2012

Posted by Luke Probasco on Jan 11, 2013 8:29:00 AM


2012 was a big blogging year for Townsend Security. By the close of December we published a grand total of 285 blogs! Wondering what data security compliance regulations your organization faces? We covered it. Do you need to learn more about securing your SharePoint server with encryption and key management? We’ve got 490 words on it. Did you know email addresses can be considered Personally Identifiable Information (PII) and need to be encrypted? Patrick Townsend, Founder and CEO, wrote about that in “Protecting PII – Passwords, Bank Accounts, and Email Addresses?”

With all the great blogs on protecting sensitive information, examining data breaches, and how to meet data privacy compliance regulations, our bloggers created some great content that we hope you found valuable. Without further ado, here are the three most-read blogs from 2012:

#1 Skip V6R1 on IBM i and Upgrade to V7R1 – A Security Note

IBM provides a new automatic encryption facility in V7R1 for DB2/400 called FIELDPROC.  This new facility gives IBM i customers their first shot at making encryption of sensitive data really easy to do. With the right software support you can implement column level encryption without any programming.  The earlier trigger and SQL View options were very unsatisfactory, and the new FIELDPROC is strategically important for users who need to protect sensitive data. [More]

#2 How LinkedIn Could Have Avoided a Breach – And Things You Should Do

The loss of passwords by LinkedIn, eHarmony, and Last.FM should be a wakeup call for CIOs, security auditors, and IT security professionals everywhere.  Let’s take a look at what probably happened, what you can do, and why you need to look beyond passwords on your own systems. [More]
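The summary above does not spell out the mechanics, so here is an added example (not code from the original post or from Townsend Security) of the difference that matters in a password-store breach. The leaked LinkedIn hashes were unsalted SHA-1, so every user who chose the same password had the same digest and one cracking run covered all of them. The hardened version stores a random per-user salt and a slow, iterated derivation, so each hash has to be attacked on its own. The PBKDF2 routine is written out with the standard library's HMAC-SHA256 rather than pulled from a module; the iteration count and the sample passwords are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// BareSHA1 is the weak scheme: one unsalted hash of the password. Two users
// with the same password get the same digest, and one precomputed table
// cracks all of them at once.
func BareSHA1(password string) string {
	sum := sha1.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// pbkdf2 implements PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF, using only
// the standard library so the example needs no third-party module.
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	var blockIndex [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(blockIndex[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(blockIndex[:])
		u := prf.Sum(nil)                // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)    // T = U1
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)             // Uj = PRF(P, Uj-1)
			for k := range t {
				t[k] ^= u[k]             // T ^= Uj
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// iterations is an assumed work factor for illustration; tune it to your
// hardware so a verification costs a noticeable fraction of a second.
const iterations = 100000

// StoredHash is what goes in the user table: a random per-user salt and the
// salted, iterated derivation. The password itself is never stored.
type StoredHash struct {
	Salt []byte
	Hash []byte
}

func HashPassword(password string) (StoredHash, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredHash{}, err
	}
	return StoredHash{Salt: salt, Hash: pbkdf2([]byte(password), salt, iterations, 32)}, nil
}

// VerifyPassword recomputes the derivation with the stored salt and compares
// in constant time so timing does not leak how many bytes matched.
func VerifyPassword(password string, s StoredHash) bool {
	got := pbkdf2([]byte(password), s.Salt, iterations, 32)
	return subtle.ConstantTimeCompare(got, s.Hash) == 1
}

func main() {
	// Constructed example: two users who picked the same weak password.
	fmt.Println("bare sha1, alice:", BareSHA1("password1"))
	fmt.Println("bare sha1, bob:  ", BareSHA1("password1")) // identical digests
	a, _ := HashPassword("password1")
	b, _ := HashPassword("password1")
	fmt.Println("salted hashes identical:", bytes.Equal(a.Hash, b.Hash)) // false
	fmt.Println("verify right password:", VerifyPassword("password1", a))
	fmt.Println("verify wrong password:", VerifyPassword("password2", a))
}
```

The salt does not need to be secret; it only has to be unique per user so that a table built for one account is useless against the next. The iteration count is what turns a bulk crack from seconds into years.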

#3 What is the Difference Between AES and PGP Encryption?

AES encryption is the standard when it comes to encrypting data in a database.  Advanced Encryption Standard (AES) has been adopted as a standard by the US government and many state and local agencies.  AES is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations.  AES encryption uses an encryption key to encrypt the data. [More]
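The summary says AES uses an encryption key; the part that decides whether a breach is a breach is where that key lives. The following is an added example, not code from the original post or from Townsend Security, that separates the two roles: a stand-in key manager that hands out AES-256 keys by ID, and an application that stores only the key ID, nonce and ciphertext next to the data. The in-memory key store, the `key-NNN` naming and the sample card number are assumptions for illustration; in practice the key manager is a separate certified system reached over the network.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyManager stands in for an external key server: it hands out keys by ID
// and the application never writes a key beside the data it protects.
// The map is an illustration-only substitute for a real key store.
type KeyManager struct {
	keys   map[string][]byte
	active string
}

func NewKeyManager() *KeyManager { return &KeyManager{keys: map[string][]byte{}} }

// Rotate generates a fresh 256-bit key and makes it active, keeping older
// keys so records encrypted under them can still be read.
func (km *KeyManager) Rotate() (string, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return "", err
	}
	id := fmt.Sprintf("key-%03d", len(km.keys)+1) // assumed naming scheme
	km.keys[id] = k
	km.active = id
	return id, nil
}

func (km *KeyManager) Get(id string) ([]byte, error) {
	k, ok := km.keys[id]
	if !ok {
		return nil, errors.New("unknown key id " + id)
	}
	return k, nil
}

// Record is what the application persists: key ID, nonce and ciphertext
// (with the GCM tag). The key itself is never part of it.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one sensitive field under the active key with AES-256-GCM.
// The column name is bound as associated data so a ciphertext moved into a
// different column fails authentication instead of decrypting silently.
func Encrypt(km *KeyManager, column string, plaintext []byte) (Record, error) {
	key, err := km.Get(km.active)
	if err != nil {
		return Record{}, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: km.active, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(column))}, nil
}

// Decrypt fetches the key named in the record, not the active one, so
// rotation never strands old data.
func Decrypt(km *KeyManager, column string, r Record) ([]byte, error) {
	key, err := km.Get(r.KeyID)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(column))
}

func main() {
	km := NewKeyManager()
	km.Rotate()
	pan := []byte("4111111111111111") // constructed test number, not a real card
	rec, err := Encrypt(km, "customer.pan", pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", rec.KeyID, hex.EncodeToString(rec.Ciphertext))
	km.Rotate() // a new active key; the old record still names its own key
	pt, err := Decrypt(km, "customer.pan", rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

Two checks worth noticing: decrypting with a different column name fails because the associated data no longer matches, and flipping one ciphertext byte fails for the same reason. That is what an authenticated mode buys over bare AES, and it is why the record carries a key ID rather than a key.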

As compliance regulations get tighter, data breaches get more sophisticated, and security best practices advance, Townsend Security will be here to blog on what is new and what you need to know about.  Here is to 2013 being the most secure year yet!

Are you free on January 30th at 10:00am Pacific? We will be presenting a webinar titled “Top IBM i Security Tips for 2013” with Patrick Botz, former Lead Security Architect and founder of the IBM Lab Services security consulting practice, and will discuss:

  • Using FIELDPROC for automatic encryption
  • Key Management best practices – and what to look out for
  • A practical way to implement Single Sign On (SSO)
  • How to easily collect IBM i logs and transmit them to ANY SIEM

Topics: Data Privacy, Best Practices

HIPAA Safe Harbor Questions and Answers

Posted by Luke Probasco on Jul 30, 2012 5:12:00 PM

We have recently seen the medical community step up their level of concern regarding protecting Protected Health Information (PHI). Aside from just “doing the right thing” there are business reasons attached. Data breaches are now a regular occurrence and have serious dollars connected to them. Did you know that data breaches in the healthcare industry have increased 32% in the past year and cost an estimated $6.5 billion annually? Additionally, breaches aren’t just a result of hackers. Forty-one percent of healthcare executives attribute data breaches to employee mistakes. Luckily, there is a safe harbor for breach notification: proper encryption and key management.

We recently held a webinar titled “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” and received some excellent questions that we would like to share with our blog readers around encryption, key management, and breach notification.

What does the Department of Health and Human Services (HHS) have to say about Encryption and Key Management?

The Department of Health and Human Services (HHS) points to the National Institute of Standards and Technology (NIST) for encryption and key management best practices.  When an organization has a breach, and their encryption and key management isn’t based on industry standards such as those defined by NIST, you can bet they are going to be responsible for a breach notification – averaging $214 per record or $7.2 million per breach.

So when NIST says “This is what we suggest you do,” companies are taking note.  WHEN there is a breach – not IF there is a breach – HHS is going to ask how you were encrypting your data.  Was your encryption based on standards? How were you managing your encryption keys?  Was your encryption a homegrown or proprietary solution? 

NIST suggests using the Advanced Encryption Standard (AES) for encrypting data at rest and pairing it with proper key management, as you would find in our Alliance Key Manager HSM. With NIST certified encryption and key management, you are provably meeting standards and best practices, and in turn, HHS is more likely to say you are exempt from a breach notification.

We are a medical software vendor.  Are we required to encrypt PHI in our solution?

Software vendors and medical equipment vendors have no mandate requiring them to protect the data, but it is a strong recommendation. Keep in mind that both end customers and their patients are expecting their data to be protected the right way, and they don’t want to find themselves subject to breach notifications. Implementing proper encryption and key management has become even more important for software vendors as it is becoming a competitive issue. We are seeing our partners find success because there are still gaps in terms of who is offering this kind of protection, though everyone should be.

The other thing to think about, and HHS is quite clear on this issue, is that they really want vendors of medical solutions to offer encryption. Although it is not a mandate yet, companies that currently have solutions in the medical segment should be prepared for encryption and key management to become a requirement in the future. As we have seen before, things that are strong recommendations today often end up as mandates tomorrow.

View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage its risk of a data breach and achieve breach notification safe harbor status.

Topics: Data Privacy, PHI, HIPAA, Healthcare