Technology Advisor Blog

What is a Data Breach?

Posted by Ann Westerheim on 1/20/15 4:33 PM

Recently one of our clients got a system infected with a virus and worried about whether or not they needed to report it. First, it IS possible to get a virus even though you're doing everything right, such as maintaining up-to-date anti-virus protection, firewall protection, and security patch updates. But in most cases, although viruses can create a lot of damage and disruption, no data is exposed to the wrong hands.

The Massachusetts Data Protection Law and many industry-specific standards such as HIPAA have rules regarding breach disclosure requirements. To gain more insight into what actually constitutes a breach, here is a definition of a breach from the HHS.gov website (Health and Human Services). In this case, the language specifically relates to protected health information, but similar guidelines can be used to understand other protected information.

“Definition of Breach

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.”

In some cases, viruses can introduce key-logging software that could lead to a breach, but in general there is no “use or disclosure”.  The damage done by a virus may be thought of as analogous to someone physically damaging your computer with a hammer.  It's damaged, and harm was done, but no information was disclosed - more of an act of vandalism as compared to theft.

We strongly advise all clients to keep up to date with security training and make sure all employees understand the need for maintaining up to date security protection.

Tags: Security Requirements, breach

Do you know where your WISP is?

Posted by Ann Westerheim on 3/20/14 8:26 AM

March 1 was the 4th anniversary of the Massachusetts Data Protection Law, which was introduced to help protect residents against identity theft and fraud. The law identifies requirements businesses must follow to secure protected information, which includes a resident's first name or initial and last name, combined with one or more specified pieces of protected information such as a driver's license number, bank account number, social security number, or credit card number. We've all read the headlines about the major retailers such as Target, Hannaford, and TJX who have been in the news over the years for security breaches, but many small business owners may not be fully aware that the law applies to ALL businesses, large and small.

Do you know where your WISP is? A WISP is a Written Information Security Policy. It's not enough to follow the guidelines identified in the law; you must also have a written policy. The anniversary of the law going into effect is a good time to assess your own situation with respect to compliance.

The Massachusetts Data Protection Law includes the following requirements:

  1. Secure User Authentication Protocols (use of strong passwords, and no passwords on post-its under your mouse pad!)
  2. Secure Access Control Methods (access to protected information needs to be restricted to those who need access to perform their jobs)
  3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly (wireless networks must be encrypted, and NEVER send protected information via regular email).
  4. Reasonable monitoring of systems for unauthorized use of or access to personal information (Do you have a way to identify if someone is trying to access your network?)
  5. Encryption of all personal information stored on laptops or other portable devices (Newer laptops are encryption ready so you don't need extra software)
  6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information  (all those updates we talk about every "patch Tuesday" are required by law!)
  7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. (one of the key reasons we advise all clients to sign up for monitoring through managed services).
  8. Education and training of employees on the proper use of the computer security system and the importance of personal information security (in our experience, the vast majority of problems we see are caused by users who don't fully understand security requirements and may inadvertently work around them).

In addition to complying with all these requirements, you also need to have a written policy that describes how you do this. We recommend keeping this as simple as possible, but it has to be written down. Do you know where your WISP is?

Tags: MA Data Security Law, 201 CMR 17.00, Security Requirements

8 Things to Know About the Massachusetts Data Security Law

Posted by Ann Westerheim on 3/28/13 9:32 AM

March is the anniversary of the Massachusetts Data Security Law, which went into effect March 1, 2010: 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. The anniversary is a good time to refresh your team about the requirements!

The goal of the law is to help prevent identity theft, and we all have a role to play.

Here are the eight technology requirements included in this law:

1. Secure user authentication protocols including:

(i) control of user IDs and other identifiers;
(ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(iv) restricting access to active users and active user accounts only; and
(v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

Use of STRONG passwords is required (uppercase letters, lowercase letters, numbers, and symbols), and NEVER put your password on a post-it by your monitor, under your keyboard, or anywhere else that's easily accessible!

2. Secure access control measures that:

(i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

If an employee doesn't need access to personal information to do their job, make sure they can't get to it. This is especially important if multiple users share a system.

3. To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted over a wireless network.

Do not email personal information. Instead, transmit it over an SSL-encrypted connection to a secure web site.

4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;

Are logs routinely checked? There are several great tools to help you decipher server logs and extract the information you need.

5. Encryption of all personal information stored on laptops or other portable devices;

Laptops MUST have encryption technology. Other portable devices, such as flash drives, must also be protected. Backup tapes (if used) must be encrypted.

6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

Do you know if your security patches and antivirus definitions are up to date?

8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Users often break basic rules for “convenience” so they can get their work done faster. Ongoing education is needed!

In your next team meeting, review these requirements and make sure everyone understands the importance of compliance. For more information, visit the Massachusetts Office of Consumer Affairs and Business Regulation website. Give us a call if you'd like us to review your site security with you.

Tags: MA Data Security Law, 201 CMR 17.00, Security Requirements

Older Blog Posts

For older Ekaru blog posts, go to ekaru.blogspot.com.