Townsend Security Data Privacy Blog

The last 20 years has seen a dramatic re-alignment of the Chief Information Officer’s (CIOs) responsibilities to match the business goals of their Organizations. The modern CIO is less likely to be a pure technologist, and far more likely to be imbued with a deeper knowledge of business issues such as organizational goals, strategic alliances, bottom line financial analysis, and even with merger and acquisition strategies. In the public sector, this means that CIOs are far more aligned with political and policy goals, and not just minders of the IT infrastructure.

This has largely been good for the competitive stance of business organizations, but I think it has led to some technology blind spots. CIOs today are far more dependent on their vendors, consultants, and shrinking IT staff for guidance on security issues, and data privacy in particular. And in today’s risk environment, that may not be a good thing.  Because when a data breach happens, the CIO is going to be the one on the hot seat to explain the problem and take responsibility.

And that is not a comfortable place to be.  Just ask anyone who has been there.

When CIOs try to assess their data privacy stance, they often question their IT staff questions like this:

• Do we have our data protected properly?
• Is our data protected according to compliance regulations?
• What assurances do we have from software and cloud vendors that our data is protected?

Patrick Townsend recently contributed this article to OneAccord's blog.  To read this article in it's entirety you can visit OneAcord's blog here.  If you are ready to learn more about encryption, download our white paper "AES Encryption Strategies - A White Paper for the IT Executive."

Townsend Security recently hosted a webinar titled “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” that focused on how members of the healthcare industry can achieve a breach notification safe harbor if they are properly encrypting their Protected Health Information (PHI).  PHI can be stored in many different places – from Electronic Medical Records (EMR) in a database to healthcare claims stored on a laptop by a health insurance company.  With fines for data breaches averaging into the millions of dollars, it is more important than ever to protect your PHI.  We received some great questions during the webinar that we would like to share with our blog readers.

How is encryption used to protect PHI?

Encryption solutions are used in a variety of places.  Basically those of us that are encryption vendors tend to think of encryption in two ways.  The first is encryption of data in motion.  For example, if you open a web browser and go to a website that uses HTTPS and the “lock” comes on, you are encrypting your data as it is “in motion.”   Typically, SSL or TLS encryption is being used.  These technologies protect any information that flows between your web browser and that endpoint – making it safe to send PHI like a social security number or medical records online.

Second, we think about securing data at rest.  This typically means data that is in a database. When you go to the doctor and he interviews you and puts his results into the computer, that data is landing in a database and it needs to be protected.  AES encryption and proper key management are necessary to protect this data.

Our database software has encryption options.  Why would we need a third party software?

Lets start with an example.  Encryption is part of the package when you purchase Microsoft SQL Server 2008 Enterprise Edition or Oracle 11g with Advanced Security.  So you might say to yourself, “Why do I need something else if Microsoft offers encryption?”  In these cases, you are sitting in a good place for the cryptographic portion, but still need encryption key management to meet any compliance regulation.

To line up with industry standards for encryption best practices, you need to have dual control and separation of duties.  To do this you need to physically separate the encryption keys from where the protected data lives (Your SQL Server or Oracle database).  It is great when a vendor provides encryption as part of their database software, but it only gets you halfway to where you need to be.  An encryption key management Hardware Security Module (HSM) will bring you in line with best practices for dual control and separation of duties, allow you to pass your audit, and achieve safe harbor status in the event of a breach.

View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage their risk of a data breach and achieve breach notification safe harbor status.

Over the last few years we’ve seen attempts by the US Congress to pass new federal privacy notification laws. There are good reasons to do this as the current mix of state privacy notification laws are inconsistent and it is hard for organizations of any size to know if they are in compliance with the more than 45 state-level regulations. Businesses would appreciate some simplification and clarity, and one federal law would be preferable.

Both the House of Representatives and the Senate have seen proposed legislation pass out of committee. But no consolidated legislation has passed Congress and been signed into law.

The latest attempt is proposed Senate Bill 3333.

This legislation is similar to many state laws in how it defines Personally Identifiable Information (PII), how it proposes that breach notification take place, and how it levies fines for the loss of sensitive information. Like HIPAA legislation, it charters the Federal Trade Commission with enforcement responsibility.

Unfortunately, it won’t have much of an impact on reducing data breaches and identity theft.

First, the definition of Personal Information is too narrow in today’s consumer and Internet world. To qualify as a breach, the proposed act requires that the data loss include a first and last name combined with a social security number, or financial account information. The breach that happened to LinkedIn would not even qualify under this definition. And yet it was a serious security breach. The bad guys are really good at aggregating data like this, so the new law wouldn’t have helped. And it will give companies an excuse for hiding this type of loss.

When it comes to protecting sensitive data it leaves a gaping hole. Here is how the proposed legislation describes the approach to protecting sensitive data:

Personal information does not include information that is encrypted, redacted, or secured by any other method or technology that renders the data elements unusable.

Without a requirement to use encryption, AND clear guidance on protecting the keys used for encryption, we will continue to see significant data breaches taking place on a daily basis. Without this clear guidance, we will actually take a step backwards. In today’s world, security auditors and professionals already understand the need for good encryption key management systems and practices. They know that encryption keys stored with the sensitive data is equivalent to taping your house key to the front door when you leave in the morning. PCI data security auditors, SOX auditors, and almost all other security professionals now require that encryption keys be protected by HSMs designed for that purpose. But we don’t see mention of this in the legislation.

Rather than provide clarity around protecting sensitive data, this legislation will continue the confusion around how personal information should be protected, and even what constitutes a data breach. It will not provide the clarity and guidance that businesses hope for. It won’t stem the loss of sensitive information, and it won’t stop the terrible financial impacts of identity theft.

Let’s hope this bill gets strengthened before the final version is passed.

Patrick

For more information on the importance of encryption key management, download our white paper "Key Management in the Multi-Platform Envrionment" and learn how to overcome the challenges of deploying encryption key management in business applications.

The recent email and password breaches at LinkedIn and Yahoo have exposed how severe the loss of this information can be.  A large majority of people use the same email account and the same password to authenticate to multiple web sites and services. For this reason, the breach of any one site compromises the security of the others.  And the fact that Facebook, Google, and other sites make it easy to share authentication makes the impact of a loss that much greater.

Because of these losses, I’ve been getting a lot of questions from CIOs and database administrators about protecting email addresses and email passwords in their databases. While the techniques used to protect information in databases are different than the techniques used to protect login credentials, you should definitely put this type of information under data protection controls.

Here are some steps you can take to protect this important personally identifiable information in your databases:

• Be sure to encrypt BOTH the email address and the password.  I often find that companies only encrypt the password. It turns out that end users frequently use weak passwords and they are easy to guess. Even if the password is protected using strong encryption, the password can often be discovered through a dictionary attack. So encrypt BOTH the email address and the password.
• Don’t decrypt an email address and password if you don’t need to. I’ve noticed that many applications automatically decrypt a password when a row is read from a database even if it is not needed. This just creates an unnecessary exposure point.
• Use strong, industry standard encryption methods to protect the email address and password. I recommend using 256-bit AES encryption which is the most widely accepted standard for protecting data at rest.  Never use home grown or non-standard encryption.
• Use good key management practices. Store the encryption keys on a key server HSM designed for this purpose. Storing the encryption key on the same server is like taping your house key to your front door when you leave in the morning.
• Store passwords on a key server HSM and not in the local database. Many key server HSMs provide the option to import raw information like passwords to the key server, and then retrieve them only when needed.
• Most important! Don’t be discouraged about the effort required to implement good encryption and key management. I’ve seen security efforts defeated before they begin because companies think that the effort will be too complex and too expensive. It’s probably easier than you might think.

Database vendors like Microsoft, IBM, Oracle, and others have done a lot over the last few years to make this effort easier. And security vendors (we are one) have also made progress in making encryption and key management faster and more affordable. Encryption is widely viewed as hard to do and expensive. That’s no longer true - times have changed!  Download a free 30-day evaluation of our NIST-certified AES encryption and see how easy it is to encrypt usernames, passwords, and other PII on your systems.

Patrick

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes and governs national standards for electronic health care transactions.  According to the website of the U.S. Department of Health and Human Services: 

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.... The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.  www.hhs.gov

The protections under HIPAA have been expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH).  Again, according to the Department of Health and Human Services:

HITECH requires healthcare organizations to take more responsibility for protecting  patient records and health information. The Act widens the scope of privacy and security protections available under HIPAA, increases potential legal liability for non-compliance and provides more enforcement of HIPAA rules. The HITECH Act seeks to streamline healthcare and reduce costs through the use of health information technology, including the adoption of electronic health records.

HITECH defines a data breach of protected health information (PHI) as any unauthorized use, access or disclosure of PHI that violates the HIPAA Privacy Rule and poses significant financial, reputational or other harmful risks to an individual.

Should SMBs be concerned about a data breach of PHI?  A recent study found that only 5 percent of data breaches are caused by malicious cyber attacks, while almost 55 percent are linked to human error. 

To determine whether a PHI data breach has occurred, HHS looks at various factors, some within your control, some not.  A key question the Department will ask in the event of a data breach is:  Was the PHI safeguarded by encryption?

What level of HIPAA encryption is recommended?  What are the HIPAA encryption best practices?  The key, as the Practice Management Center of the American Medical Association points out, is to "...render electronic personal health information (ePHI) unusable, unreadable or indecipherable to unauthorized individuals...".  If you follow the specific technologies/methodologies prescribed, you increase the likelihood of being relieved of the potentially burdensome and expensive notification requirements established by the HITECH for a data breach.

Best practices for HIPAA encryption include:

1. Ensuring your encryption is certified by the National Institute of Standards and Technology (NIST). 
2. Using an encryption key management appliance that is FIPS 140-2 certified. Federal information processing standards codes (FIPS codes) are a standardized set of numeric/alphabetic codes issued by the National Institute of Standards and Technology (NIST).  They are designed to establish uniform identification of geographic entities through all federal government agencies. 
3. Encrypting any and all systems and individual files containing ePHI including medical records (and related personnel records), scanned images, your practice management systems and any emails that contain ePHI.
4. Encrypting data that is published on the Internet.  
5. Encrypting data on your computers, including all laptops.
6. Encrypting data that leaves your premises.
7. Encrypting all sessions during which your data was accessed remotely.  This last one requires diligence supervision to ensure that it is followed every single time.  It should become a habit, something each staff member with access offsite does as a matter of course. 

HIPAA encryption protects not only the personal health information of employees and patients from unauthorized disclosure and use, it protects SMBs from the potentially significant costs (i.e., financial, administrative and via damage to the organization's reputation) that result from such disclosure. 

View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage their risk of a data breach and achieve breach notification safe harbor status.

It seems like every day the media reports another data breach—a stolen laptop that contains patients’ private information, credit cardholders’ names and social security numbers hacked. Not only do the headlines prove to be public relations nightmares for the companies involved—especially if the stolen or hacked data isn’t encrypted—but they come with severe financial penalties, often reaching into millions of dollars.

When data is encrypted, companies can assure those whose data has been stolen or hacked that there is no reason to worry. Thieves may have the files containing the data, but the thief will be unable to access the data itself. This minimizes the public relations hit and reduces liability with compliance regulators. In today’s highly regulated business world, there is no excuse for not having encryption on your IBM i. Here are two types of encryption to make sure your data is secure:

NIST-Certified AES Encryption for Data at Rest
NIST sets non-military government standards for a wide variety of technologies including data encryption. Because NIST uses an open and professional process to establish standards, the private sector usually adopts NIST standards for commercial use. NIST is one of the most trusted sources for technology standards.

Since AES was introduced, it has been adopted by all U.S. government agencies as the gold standard for protecting sensitive data, and many software companies have made it available to consumers through encryption software. When selecting a data security service, looking for one that has NIST certification should be at the top of your list.

PGP Encryption for Data in Motion
In today’s world, data moves faster and further than ever. That’s why it’s important to ensure it’s secure whether it’s in a database, on a laptop, or sent via email.

PGP encryption is ideal for exchanging data with trading partners, banks, insurance companies, benefits providers, and many other external partners. It’s ability to run on any computing platform makes it ideal for this type of secure data exchange.

Data breaches and associated fines don't have to be a reality of doing business. By properly encrypting your sensitive information you remove the risk of seeing your name in the headlines, being fined millions of dollars, and trust of your brand by your customers.  Download our white paper "AES Encryption and Related Concepts" to learn more about industry best practices for securing your data.

Did you know that any organization that handles sensitive information (PHI, PII, etc) is can be audited in the event of a data breach? You may be asking yourself, what does a security auditor look for? I recently sat down with Patrick Townsend, President & CEO of Townsend Security, to discuss how organizations can set themselves up for success when they get audited.

Patrick Townsend:

“First of all, in my experience, companies will have different experiences with different auditors. Some auditors will be more knowledgeable about certifications and encryption best practices than others. However, there are three critical components of data security that all auditors will look for:

1. NIST-Certificated Encryption and FIPS 140-2 Certified Key Management
One problem that we see companies face is that they are using encryption, but have implemented non-standard technology, which almost never withstands proper scrutiny. At Townsend Security, we stand behind our standards based products because they have gone through rigorous testing by NIST chartered testing labs.  Our AES encryption is NIST certified and our encryption key manager is FIPS 140-2 certified — which means they have been independently tested and certified to meet best practices.

2. Security Best Practices
Use best practices of dual control, separation of duties, and split knowledge. These three practices are parts of NIST encryption key management best practices and are critical to your security posture. As a company, you must insist on employing these practices in order to meet the highest standards of data security.

3. Policy Based Security
Invest in policy-based security. This type of security will be developed to deploy data protection with all data security regulations in mind—both federal and state. Every company falls under state and proposed federal privacy laws, and therefore, companies handling sensitive data will do better to use certified data security solutions built by companies who can tailor their products to meet an organization’s individual needs.

Here at Townsend Security we are always moving forward with you, our customers, to help meet a variety of compliance regulations with the most standard, up-to-date, and industry-certified security solutions. We want to help our customers always pass their security audits with flying colors!

Download a free 30-day evaluation of NIST-certified Alliance AES Encryption to start meeting compliance regulations (PCI DSS, HIPAA, etc.).  Additionally, learn how to easily store encryption keys separately from your encrypted data with a secure encryption key management HSM by visiting our Encryption Key Management Simplified Resources page.

The newest version of the IBM i (AS400) operating system, V7R1, brings sophisticated new security tools from IBM’s larger systems to mid-range markets. These new features allow third-party companies such as Townsend Security to offer NIST-certified automatic AES encryption, so that you can now encrypt your sensitive data without application changes!

With the update from V5R4 or V6R1 to V7R1, the AS400 can now protect data more efficiently by using FIELDPROC, an “exit point” technology that works in the database instead of in application programs. Previously, IBM i (AS400) encryption was an application-level process where a user had to first identify the field such as credit card numbers, social security numbers, or other private information and then decide on an approach that usually involved modifying applications. This required programmers to make changes and undergo a sophisticated test cycle.

The new FIELDPROC exit point allows a user to identify all fields they wish to encrypt with Townsend Security’s automatic AES encryption without making application changes.

It is crucial to keep in mind that administrators can use strong encryption in a weak manner by neglecting the use of proper encryption key management. In using a third-party encryption  provider such as Townsend Security, a company with more than 20 years of IBM i (AS400) experience has three distinct advantages:

1. AES encryption is automatic, meaning that no changes in applications need to be made. This saves your company time and money by focusing on your business instead of a complicated encryption project.
2. NIST-certified encryption will pass all state, federal, and industry compliance regulations. Townsend Security guarantees our NIST certified Alliance AES/400 solution will meet or exceed encryption standards in PCI, SOX, HIPAA/HITECH and other regulations.
3. Third-party encryption can be faster. Alliance AES/400 from Townsend Security can encrypt one million credit card numbers in one second of CPU time--100 times faster than competing encryption libraries on the same IBM i platform.

Because encryption has a reputation for creating performance problems, the newly specialized FIELDPROC tool optimizes encryption and sets up secure caches. Townsend Security’s Automatic AES Encryption integrates seamlessly with these features to create the most secure data environment available on the IBM i (AS400) today.

Download our podcast on "The Benefits of FIELDPROC Encryption" to learn more about FIELDPROC capabilities and the benefits of automatic encryption.  Additionally, we have a podcast titled "FIELDPROC Performance - Speed Matters" for those who are wondering how it will impact their systems.

An alarming number of security breaches have occurred in the last decade victimizing families of military personnel, who belong to TRICARE. Since the fall of 2009, over 400 breaches have occurred. At least 500 people have been directly affected and another 50,000 smaller scale breaches have been reported to the government. The community of Palo Alto, California was hit closest to home, when over 20,000 names of emergency room patients were available on an online public forum before the list was discovered by authorities. For several months, all these people were susceptible to a profusion of afflictions such as identity theft, credit card fraud or fraud against Medicare and Medicaid programs. Just one move can financially ruin a family.

One major cause of the breach was that security tapes were stolen from the car of a TRICARE employee, and these backup tapes had people’s private information on them. The big problem of course, was that after these tapes were stolen, the information was readily available to pirates. Any encryption didn’t exist, so the information was just there for the taking.  If the data on these tapes was encrypted, TRICARE wouldn’t have to worry about the tapes being stolen and you wouldn’t be hearing about this problem – HIPAA grants a breach notification safe harbor to organizations who are encrypting their sensitive data.

If you aren’t familiar with HIPAA (The Health Insurance Portability and Accountability Act), it was established in 1996 and its main focus is to protect the rights to health insurance for families when the wage earner was to change or lose a job. It’s second objective focuses on standards for electronic health care transactions. With HIPAA, there are legal regulations that the government has put in place to protect our Personal Health Information (PHI).  While there is no encryption requirement, it is strongly considered a best practice.

The largest concern when a story like this breaks is for the victims. The Federal Trade Commission (FTC) has published a few tips for individuals who are affected from the TRICARE breach:

• Don’t willingly give out personal information over the phone unless you know exactly whom you are dealing with.
• Increase the frequency at which you check over your medical records to make sure nothing looks out of the ordinary.
• Any fraudulent report you notice should be reported to the police immediately.

The TRICARE breach should be an example of why encryption should be mandatory for organizations that deal with PHI.  Not only does it protect the privacy of your customers, when a breach does happen, HIPAA grants you a breach notification safe harbor.

Learn more about encryption and key management best practices for HIPAA and HITECH Act in our white paper titled "Achieve Safe-Harbor Status from HITECH Act Breach Notification".

Hundreds of thousands of Medicaid recipients are up in arms about a recent security breach that saw their personal information abducted by hackers. Originally it was reported that 181,000 had their information stolen including 25,000 who actually had their social security numbers taken as well. Currently the report has been updated to a staggering 900,000 and 280,000 respectively. Over a quarter million people on Medicaid had their social security numbers exposed, and many of these victims don’t have the means to hire private investigators or attorneys to right their personal situations. 

As many organizations that suffer a breach do, the Utah Department of Health is offering free credit monitoring services for one year to those who had their social security numbers compromised. Other than that, there isn’t much to be done for the breach victims.  Unfortunately, many are still concerned their identities could be stolen among other potential hardships.

To prevent security snafus such as this, the Utah Department of Health should have been protecting their sensitive data with encryption and key management.  Encryption would have rendered the breached data useless. The Utah Department of Technology holds millions of its citizen’s personal information and, unfortunately, didn’t take proper precautions to protect it. Alliance Key Manager, our encryption key management HSM, could have provided exactly what they would have needed to avoid a breach.  With on-board encryption, sensitive data can be sent to the HSM, encrypted, and then sent back to where the data needs to live. Additionally, Alliance Key Manager also meets regulatory requirements - a hurdle for many companies trying to pass an audit around encryption key management.

When you see a situation like this in Utah, its naive to think that hackers can’t access your information in your own home state. But just ask a Medicaid recipient from Utah, and it is clear that these dangers aren’t so far from home. Utah’s governor spoke on behalf of its citizens saying "Individuals provide sensitive personal information to the government in a relationship of trust. It is tragic that not only data was breached, but now individual trust is also compromised."

It’s a difficult situation, but as they try to mend the fences, it is important to audit your own encryption and key management processes to ensure that what happens in Utah stays in Utah.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII, as well as the first steps your company should take towards establishing a data privacy strategy.