The Liability Clause

A recent study reveals that, alarmingly, only 32% of organisations believe that protecting data in the cloud is their own responsibility. The terms and conditions of major cloud providers includes a “Limitations of Liability” clause which puts data security responsibility on the cloud user. For example, AWS states it accepts no liability in the case of “any unauthorised access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of the user’s content or other data."

Those responsible for cloud infrastructure in an organisation generally understand the risks involved with storing data in the cloud. However, all users of the cloud need to be conscious of the severity of protecting data in the cloud.

Hackers are devising many sophisticated methods to target innocent and vulnerable users, making human error prevalent amongst data leakage incidents.

Who guards the encryption key?

It has often been said that data is the new oil. Data can provide valuable insights that drive key business decisions, political campaigns and marketing initiatives.
Just as the oil industry has security measures in place to protect against terrorism
and maritime piracy, organisations need to establish security measures to ensure the protection of their data. One vital step is encryption.

More than half (51%) of organisations fail to use encryption to protect sensitive data in the cloud. Arguably, most cloud providers will encrypt its customers’ data. However, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about. Interestingly, Apple was recently pressured by the FBI to abandon its plans to fully encrypt its iCloud backups as it did not give the FBI a backdoor. Recall the liability clause? Full encryption of data cannot be dependent on the cloud provider

To be a truly secure solution, the user needs full and secure control of the encryption key that is stored away from the data. This will protect the data even if the cloud account is hacked.

How to secure data in the cloud

If the data is stored in the cloud, control of the encryption key is important.

Although most cloud service providers will encrypt their customers’ data, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about.

Moreover, if a hacker obtains the user’s credentials, the breach will go unnoticed to the cloud service provider as they won’t be able to decipher between a legitimate user from an attacker.

By encrypting the data yourself, you have full and secure control of the encrypted encryption key, which will ensure the data is kept confidential even if the cloud account is hacked.

Keeping the encryption key away from the cloud increases the number of security measures from just one authentication, the cloud account login, to as much as five-factor authentication.

Backing up data in the most secure way possible

In the worst-case scenario of a lost or stolen USB flash drive, hard drive or solid state drive, an encrypted PIN protected USB or HDD/SSD drive will negate the risk of your data being compromised.

Additionally, backing up valuable data onto an encrypted, PIN-authenticated drive can save you the trouble of losing access to important information during a ransomware attack, allowing you to quickly restore your data so that you’re back up and running

If the drives are only accessible by entering a unique 7-15-digit PIN, it will prevent unauthorised access to the data stored on the drive.
With brute force limitation, if the PIN is entered incorrectly a designated number of times, all data previously stored in the drive is deleted and the drive is reset to factory default settings.

When power to the USB port is turned off, or if the drive is unplugged from the host device or after a predetermined period of inactivity, the drive should automatically lock to prevent unauthorised access.

Using a drive that can also be configured as a read only (write protect) will ensure the data is not modified.

Data is becoming increasingly valuable. Businesses and individuals alike should take the utmost precautions to protect their data.

Backing up data into the cloud or to an encrypted PIN protected USB or HDD/SSD drive will protect your data from being accessed or viewed by unauthorised persons and will ensure your data isn’t lost forever.

1. Give PHI data the encryption pill

Encrypting data is a requirement of compliance standards, including HIPAA. Organisations are under constant attack. Regardless of whether the attack makes headlines or not, the data should be protected. To ensure data privacy when faced with common threats, such
as DDoS and malware attacks, data must be encrypted before it is sent to the cloud, in transit and at rest.

For ultra-secure encryption, that data should preferably be encrypted with a FIPS certified randomly generated AES 256-bit encrypted encryption key. Confidential information stored on a local computer or drive, sent via email or file sharing service and shared in the cloud should be securely encrypted.

2. Don’t let PHI data spread like a virus – control the encryption key

If the data is stored in the cloud, control of the encryption key is important. Granted, most cloud service providers (CSPs) will encrypt their customers’ data and some even offer a key management system service, which allows customers to manage their encryption keys.
However, the encryption key is stored in the cloud and thus accessible to hackers
and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about.

In fact, the US Department of Health and Human Services launched an inquiry into Google’s partnership with non-profit healthcare organisation Ascension. Reportedly, 150 Google employees can access the healthcare data on tens of millions of patients, including patient names and dates of birth, diagnoses, patient health and hospitalisation records.

The user needs full and secure control of the encryption key in order to ensure the data is kept confidential even if the cloud account is hacked. Having your own key management system will not only give you more control of encryption keys but is also more convenient for those using a multi-cloud solution.

Security measures must go beyond the cloud login credentials. If a hacker obtains the user’s credentials, the breach will go unnoticed to the CSP as they won’t be able to decipher between a legitimate user from an attacker. By keeping the encryption key, which should be encrypted itself within an ultra-secure Common Criteria EAL4+ microprocessor along with a PIN authenticated code, away from the cloud increases the number of security measures from just one authentication, the cloud account login, to as much as a five-factor authentication.

3. Sharing is caring, but only if the data is secure

The more people the data is shared with, the greater the challenge to ensure data privacy. In 2019, over 60% of personal data breaches reported to the Information Commissioner’s Office (ICO) were a result of human error – healthcare being the most affected sector – with a fifth of those incidents caused by posting or faxing data to the incorrect recipient and 18% whose emails landed in the wrong inbox. In fact, a concerning 59% of US healthcare IT professionals cite email as the most common point of compromise.

Storing PHI data in one place and accessed by authorised users only, who have a copy of the encrypted encryption key at hand, can allow for efficient working whilst ensuring data security

Sharing encrypted data securely allows for instant collaboration in the cloud, saving time in what would be days of posting encrypted USB flash drives to and from colleagues. This is a far greater alternative to the archaic use of fax machines the NHS only just discontinued in March 2020. The NHS admittedly agreed to increased investment in its IT department, especially following the infamous WannaCry ransomware attack.

High-impact data breaches

Data breaches are a global issue, and as worldwide healthcare providers have transitioned to EHR-based record keeping, controlling access to such sensitive data has proven to be difficult. In the UK, eight in ten providers of frontline healthcare services suffered at least one data breach between 2021 and 2023 . French healthcare software provider Dedalus Biologie was fined €1.5 million for a 2021 breach which saw the names, social security numbers, and sensitive medical information of nearly 500,000 people released onto the internet . And in the US, reported breaches affecting major healthcare organisations totalled around 295 in the first half of 2023 . 87 million US patients have had their information breached in 2023, with 43 million in the third quarter alone5.

The safety of healthcare data is, clearly, a worldwide issue, and the methodology of cyber criminals can be extremely disruptive. The EU Agency for Cybersecurity reports that ransomware accounts for 54% of cybersecurity threats in the health sector , and not only does a ransomware attack risk the loss or distribution of improperly secured or backed up data, but it also causes serious disruption to medical systems. Being unable to restore an affected system quickly and easily may cost lives, a position health organisations should never have to face.

Reliance on outdated technology

In many cases, technological threats and issues mean providers have been forced to reach for outdated technology in a bid to safeguard secure communication channels. Many US health organisations, for example, have found the transition to a modern EHR platform difficult. Incompatibilities – and, in some cases, vendors actively blocking communication – between competing EHR platforms hampers interoperability to the point where most US healthcare providers have struggled to remove their reliance on electronic and paper fax for secure communication7.

The UK, despite attempts to ensure NHS interoperability by 2020, still struggles with siloed systems and fragmented technology which prevents seamless communication between departments and restricts adherence to digital and data standards . Primary Care Support England continues to distribute paper-based Lloyd George medical records, physically couriering them between locations as the scanning and digitisation of UK medical records remains incomplete9.

While a certain amount of teething trouble is to be expected over the course of any digital transformation effort, a difficult or frustrating system may cause pressurised individuals to transmit data without following proper protocols. Besides, many legacy or portable systems do not yet have the capability to be connected to a modern network, let alone the technology to communicate in a truly secure manner. Temptation or necessity may lead to insecure data storage and transfer – an extremely poor practice in such a sensitive environment.

Changing practices to protect data

Digital hygiene must be treated as importantly as physical hygiene within healthcare. It is vital that all professionals in the health space are made aware of their responsibility to protect data. This goes far beyond those developing EHR platforms or other back-end technologies; digital hygiene must be practiced up and down the chain.

Anyone with access to sensitive records must learn the inherent vulnerabilities of transfer methods like email or devices like laptops and be clear on the potential consequences of their use, misuse, or loss. Many everyday practices within healthcare organisations can introduce security vulnerabilities, too. Pulling results from a non-networked mobile ECG or sonograph, for example, is often done using a basic USB flash drive. If such a drive is lost or stolen, control of that data is lost with it – and the sanctity of a patient’s personal information becomes vulnerable. It is incumbent on any individual that may need to transfer anything from place to place that they do so in the most secure way possible.

The rise of commercial ransomware

The lucrative nature of ransomware means it has, progressively, moved away from the domain of lone hackers or small groups. Ransomware is an increasingly professional criminal endeavour, employed with a focused approach specifically tailored for maximum impact to hackers’ targets, however big or small they may be. Attackers have become more brazen and public with their extortion methods, threatening to release sensitive data like company records, client lists, or trade secrets publicly or even making ransom demands to an affected business’s third-party clients.

Mounting a ransomware attack does not even demand a huge amount of expertise. Any prospective hacker can access Ransomware-as-a-Service (RaaS). As part of a profitable secondary cybercrime market, RaaS sees malware authors offering off-the-shelf variants of malicious software, along with expertise on its use and ready-made databases of online credentials, for a fee. An open market for ransomware means an attack could potentially come from any source at any time, making a solid backup and encryption policy absolutely essential.

Growing physical vulnerabilities in the workplace

Ransomware must be deployed within a company’s systems to work. Attackers can use various means to gain access to systems, from directly targeting insecure networks and computers to exploiting previously undiscovered digital vulnerabilities. The number of potential avenues of attack is growing all the time. The wide-ranging devices which make up the Internet of Things (IoT), for example, are likely to number over 22 billion by 2024, each of them a tiny network-connected computer. The trend towards commonplace remote and hybrid working also highlights new vulnerabilities for more traditional computer hardware, as employees use insecure home networks or even public Wi-Fi in places like coffee shops.

The distributed workforce means VPNs are a target. Working in public places means criminals can discover passwords by simply watching a user type them in. A single lost or unattended laptop could be enough for a hacker to gain the credentials to launch an attack. The inevitable growth of technology means those wishing to utilise brute force to deploy ransomware within a network have stronger tools available to them, backed by higher processing power. Protecting one’s data with encrypted, air-gapped backups nullifies any potential impact that any of these attack vectors could hold; there is no brute force method which can come close to breaking AES 256-bit hardware encryption.

Using confidence tricks to shatter security

Often, ransomware attackers attempt to gain access to networks with more simplistic methods like phishing. Spoof emails are surprisingly effective: two in three users open phishing emails, a third will click the links or attachments within, and half of those will enter details into fake login screens . Their potential success rate means the use of phishing emails is growing, too. In Q1 this year, malicious emails made up a quarter of all email messages, an all-time high3.

Phishing works so well because phishers have mastered social engineering confidence tricks and employ meticulous research and Artificial Intelligence (AI) tools to make their emails seem authentic. In addition to broad email campaigns, they research and target specific individuals with more valuable access credentials. Phishers also use AI to replicate the writing style of powerful employees in order to make their emails appear more authentic – a process known as spear phishing. Reports suggest that newer AI-generated phishing emails can convince users to click through and fill in a form up to 80% of the time4.

Bypassing the ingenuity and methodology of those wishing to deploy ransomware – whatever their method – requires consistently vigilant behaviour, and a Zero Trust approach. Zero Trust is a framework which offers no implicit trust to any entity which interacts with your organisation. Under Zero Trust, every device, user, platform, tool, or vendor must clearly demonstrate its security credentials. It is an essential component of digital hygiene, and, if properly understood by all employees, is the best way to minimise the possibility of a ransomware attack. In some cases, though, hackers with insider knowledge may find a way to infiltrate a network regardless of an organisation’s policies. So, any cyber resilience plan must be joined by a matching IT infrastructure.

Controlling data access based on location

IT administrators would not generally allow hybrid workers a free choice of software or hardware. In the same vein, employees should also not be given full freedom to work as they want in any location they choose. Hybrid workers, given their relative freedom, may take an over-relaxed attitude to their place of work; putting in the hours in coffee shops, on public transport, or otherwise working away from the office are naturally more vulnerable to causing such breaches.

Tight security controls are vital to keep data safe, whether that be PII data or company spreadsheets. A data breach could be caused by connecting to cloud services over insecure networks, for example. Data could be leaked through a device like a laptop being left unattended or being stolen. But an offline, secure approach mitigates these issues. If hybrid and remote workers are required to use encrypted storage while working away from a trusted network, virtually every potential cause of a breach is removed.

A secure drive may be able to lock itself based on a user’s proximity to their computer – should the drive’s owner step away from their machine, the drive’s contents would automatically be rendered inaccessible. If strict policies demand that remote employees work only from a pre-approved locale, secure storage can also be geofenced. This restricts use of a device based on its GPS coordinates – the fence can cover regions as large as continents or as small as a few metres. Outside of those areas, such a device would not be able to be unlocked.

Implementing hardware policies to aid work/life balance

The health of a company’s data is of paramount importance, of course, but introducing proper data hygiene procedures can also go some way to protecting the health of its employees. Remote workers, and even in-office employees, can experience an unhealthy creep towards the work side of work/life balance. We’ve all burned the midnight oil at times, and not always because we’ve needed to. Digital connectivity can be an addiction.

Overarching legislation isn’t necessarily the answer. Even in France, where ‘Right to disconnect’ legislation passed in 2017 aimed to protect workers from out-of-hours work, the easy availability of digital tools means many employees continue to feel compelled to remain connected and available outside of their working hours . But French companies which have established strong internal policies in line with the legislation have been able to demonstrate significantly reduced out-of-hours engagement. A culture focused on wellbeing and reasonable expectations is key, then – and using secure hardware to implement more direct controls can have a positive effect, too.

Set a time limit on the use of secure storage, for example, and the unlocking procedure can be prevented outside of agreed hours, reducing the chance of employees engaging in so called ‘grey work’ – out-of-hours work beyond one’s prescribed responsibilities. If such a limit needs to change, simple back-end software allows administrators to alter it on a user-by-user basis or apply a temporary lifting of restrictions. Each unlock also builds an audit trail of activities, which can tell administrators and managers precisely when and where a drive has been unlocked.

Employing remote management for additional security

Cryptographic security is what makes these functions work – and they really do work. The contents of a sufficiently secure drive will be obscured by uncrackable encryption until that drive is unlocked, offering a guarantee that those vital numbers are completely safe from any breach. Indeed, even if plugged into a USB port, such a drive would not appear to be connected to the computer until a secure online authentication process has been completed. Even if the encrypted storage were able to be accessed, AES 256-bit hardware encryption protects data against the possibility that the data could ever be read, copied, or shared.

Online authentication has a double use. It also means the access parameters of the device can be remotely administered at the time of unlocking. If a geofence moves, or an employee’s access restrictions change, these alterations do not require physical access to any remote hardware – any policy changes are automatically applied to a drive upon its use, no matter what machine it is connected to.

Notable crypto disasters

Transactions on the blockchain are irreversible. If a criminal infiltrates an online wallet and transfers its contents, there is no hope of a resolution. In the case of Japanese exchange Mt. Gox, for example, a breach saw the company’s ‘hot wallet’ – essentially an online account used to hold cryptocurrency for quick transfers or sales – emptied by hackers, losing 7% of the world’s Bitcoin, most of which belonged to its customers . The attacking party transferred and ‘washed’ the coins, automatically scattering them between anonymous wallet addresses to make tracing their whereabouts on the blockchain impossible.

It is also a given that the company behind the exchange is operated properly and is trustworthy. The recent high-profile collapse of crypto exchange FTX happened because customer deposits were mishandled, loaned to owner Sam Bankman-Fried’s hedge fund second business, and otherwise lost to risky bets. When this was discovered, major investors bailed, a potential takeover was dissolved, and the crypto market itself crashed. End-user customers were left without financial recourse, their fiat currency gone, and their crypto deposits locked into FTX’s platform while a block on withdrawals was instituted.

An exchange alternative

Crypto exchanges are not inherently unsafe. Yet FTX’s fall has certainly created increased wariness from investors. Exchanges are a necessary means to trade digital currency for hard currency, but that’s as far as trust should go. Taking the decision to store crypto offline provides full control over funds and isolates them from any potential online disaster. Setting up an offline wallet, otherwise known as a ‘cold wallet’, is a simple process which allows the movement of funds away from exchanges and into a software package stored on a device controlled by the funds’ owner.

Once that currency has been transferred, it becomes completely hidden from the internet. The token that then represents the cryptocurrency itself remains stored on the blockchain, but its location – and the cryptographic keys required to access it – are known only to the offline wallet. For all intents and purposes that currency disappears. Although, as we will discuss, a cold wallet comes with its own vulnerabilities, its offline nature makes it the safest way to store cryptocurrency.

Protecting the cold wallet

There are some downsides to moving cryptocurrency offline. Managing offline storage requires a little more attention than simply relying on the streamlined tools of an exchange. Cold wallets such as Ledger, Trezor, and KeepKey can remain safe offline indefinitely, but they must be periodically connected to the internet to update the value of their crypto portfolio, to update the investor on their contents, or to transfer money away from them. They are by far the most secure method of cryptocurrency storage, but cold wallets are also not impervious to hacking. If an attacker were able to gain access to the hardware containing the wallet itself, or the seed phrase (a mnemonic phrase to recover a lost or broken crypto wallet) used to generate its private key – both of which should be securely stored by their owner – they could steal its funds.

Perhaps most importantly, a cold wallet’s practice of security by obscurity makes it fragile in its own way: if a wallet is physically lost, or if its access credentials are forgotten, its contents permanently go with it. The fact that it is cryptographically secured means that no amount of searching, hacking or computation will ever get its contents back. Managing an offline wallet is, essentially, to manage one’s own bank: protecting one’s assets is critical.

Protecting the many points of vulnerability

To comply with NIS 2, a holistic approach is required that considers all possible threat vectors. Organisations should not assume that just because on-prem data is secure, that this equates to a sufficient level of compliance to meet NIS 2 criteria. Consideration should be given to the integrity of all outgoing and incoming data, as well as data that is stored in the cloud. In this context, it is important to question who is ultimately liable for data in the cloud?

Cloud providers have been quick to promote security capabilities along with other benefits of scalability, cost and convenience. Yet, the security element can be somewhat misleading. Indeed, the terms and conditions of many major cloud providers include a ‘limitations of liability’ clause, which puts data-security responsibility squarely on the shoulders of the cloud user. All users need to be conscious of using adequate, and in many cases, more stringent security measures when storing their data in the cloud to assure wider stakeholders of its integrity.

In addition, consideration must also be given to the integrity of data on the move with the increase in flexible working options for employees. Hybrid and remote working practices, accelerated by Covid, have become not just an outlier but the norm for many, with 40% of British adults working from home at least once per week . However, the number of workers on the move also means a corresponding increase in the number of devices in transit. These are devices that would otherwise be kept at a desk within a fixed office, where they can be more easily secured.

Furthermore, away from the scrutiny of IT teams, remote employees may be tempted to use personal devices for work purposes, negating any protections which have been applied to certified hardware. They may work on unsecured networks in places where their passwords could be shoulder-surfed, and, potentially, lose sensitive documents on unencrypted devices between work locations.

This all puts more demand on IT teams to improve security for data and devices in transit, while placing a greater onus on staff to ensure that no risks are taken when it comes to valuable company data. To maximise protection, it’s essential to consider encrypting files both in transit and at rest. This way, if a device is lost, left somewhere, or is stolen, the information it contains cannot be accessed and data integrity is guaranteed.

Zero Trust and a cybersecurity-aware culture

Improving cybersecurity to comply with NIS 2 essentially means protecting all possible points of entry that could be used by an attacker. Creating strong passwords, removing, or disabling all superfluous drivers, services, and software, and setting system updates to install automatically are all sensible approaches. However, Zero Trust is rapidly becoming the standard in security and involves removing the implicit trust given to individuals, tasks, and computer systems.

Applying a Zero Trust policy in line with the National Institute of Standards and Technology’s (NIST) risk management framework, which promotes a never trust and always verify approach to any request for systems access, greatly reduces the likelihood of unauthorised or unauthenticated user access. A Zero Trust approach ensures that any long-term access to information is revoked. This helps companies tighten controls on their networks and requires access only to be granted as and when it is needed. This denies attackers the opportunity to spread widely around a network, or sit for long periods of time undetected, waiting for an opportunity to strike.

Encrypting valuable data to guard against threat

Finally, it’s important to consider the measures that businesses can take to further safeguard data. Dedicated tools, documentation, and training will help mitigate risks and keep products and services up-to-date and protected. Secure encryption is another method, enabling the security of key files and any communications between client apps and servers to be enhanced.

Encryption, even when stored in the cloud, vastly improves the security of company files and can provide the required superior levels of protection. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with on-device crypto-chip and AES-XTS 256-bit encryption will offer complete data integrity, even if brute force action is used. In addition, using a device with an internal microprocessor that is Common Criteria EAL5+ Certified, and encrypting data with a FIPS PUB 197 certified AES 256-bit encrypted encryption key brings into play military grade protection.

The expanding cybersecurity landscape is bringing with it many new challenges which require innovative responses. Complying with the NIS 2 Directive by taking steps to adhere to principles of Zero Trust, encrypt data, and educate staff as to their responsibilities will help ensure robust cybersecurity. Whether working on or off-site, such an approach will prevent the long-lasting negative impact associated with cyber-attacks and the loss of valuable information, ultimately resulting in safer data.