
DORA, are you ready for it?


The Digital Operational Resilience Act comes into force across the EU on 17 January 2025, aimed at strengthening cybersecurity across the financial industry. Failure to comply will result in severe fines and reputational risk. Here is what financial institutions and ICT providers need to know in order to become compliant with the new regulation.

Author: Shannon Dority, Marketing Manager iStorage

Digital Operational Resilience Act

As part of creating a risk assessment process, organisations will need to conduct an impact analysis to demonstrate how specific scenarios of severe disruption might affect the business. These include incidents such as ICT service failures, natural disasters and cyberattacks. Data backup and recovery measures, system restoration processes and plans for communicating with affected clients, partners and the authorities must be included as part of these plans. There is no one-size-fits-all method for how this needs to be conducted, as requirements will be proportionate to the size of the business. But regardless of size, businesses will need to demonstrate the cybersecurity measures they have in place to prevent these incidents, as well as have an effective plan in place to recover quickly in the event one does occur.

With data backups being a crucial part of the DORA regulation, an important way organisations can demonstrate operational resilience is by making data backups a daily task. Having multiple encrypted backups of your data and important files is a crucial safeguard in the event of a cyberattack and/or disruption, helping to save time and money in regaining access to critical information and getting your business back up and running. Using a hardware encryption module to encrypt data stored in the cloud and/or an offline encrypted backup is an important option to include in your data hygiene practices, as it can provide that extra level of reassurance and security. Taking that critical extra step of protecting your data by storing it offline on an encrypted flash drive or portable HDD/SSD, out of the hands of criminals, creates an essentially unbreakable safe and can make a world of difference when you need to restore your data following an ICT service failure, natural disaster or cyberattack.


Data breach costs continue to rise


IBM’s latest report found that the current global average cost of a data breach is $4.88m (£3.82m) in 2024, a 10% increase from 2023, and the highest it has been since the pandemic. What do the findings tell us and what can your business do to prepare for a digital natural disaster?

Author: Shannon Dority, Marketing Manager iStorage

Data is the lifeblood of modern-day business, providing all the vital information necessary to operate and thrive. Its invaluable nature not only makes it indispensable to organisations but has made it the prime target for cybercriminals to attack, steal and exploit. And they are not slowing down anytime soon, making data breaches the natural disaster of the digital ecosystem. This means businesses need to step up their data protection game to keep control out of the hands of cybercriminals.

What the results tell us

IBM’s Cost of a Data Breach Report 2024 surveyed 604 companies that experienced data breaches between March 2023 and February 2024. 70% of the companies report significant or very significant disruption following a breach. The knock-on impacts of business disruptions and post-breach responses - such as the inability to conduct daily operations, sales, manufacturing shutdowns, payment of regulatory fines, class action lawsuits, lost customers and damaged reputations - have all directly led to the cost increase. 63% of organisations planned to increase the cost of their goods or services due to the breach, furthering the knock-on impact directly to customers in an already competitive market.

Healthcare, while seeing a 10.6% average decrease, remains the industry experiencing the costliest breaches at $9.77m (£7.65m). Financial and Industrial followed behind, with average cost increases of 4% and 18% respectively. These industries remain a target for cybercriminals due to their existing technology infrastructure and the high level of vulnerability they are likely to experience in the event of a cyber-attack. On top of that, 35% of attacks involved shadow data (data residing in unmanaged data sources), which took longer on average to detect, resulting in higher costs.

Malware and criminal activity in the form of phishing or stolen/compromised credentials remain the most prevalent root cause for data breaches. However, destructive and exfiltration attacks proved to be more costly as they cause longer lasting and expensive business damage. Skill shortages, lack of adequate training, and overly complex security systems have also contributed to higher data breach costs, jumping to 53% in 2024 from 42% last year.

Moving Forward in the Digital Ecosystem

There are two main questions you need to ask yourself.

1. Are you prepared for the looming digital natural disaster that can strike at any time?
2. What are you willing to pay: the cost of a breach that could reach into the millions, or a fraction of that to implement the right infrastructure to protect yourself?

Cybercriminals are becoming more organised and sophisticated in their attacks, and the evident rising cost of data breaches means businesses need to take both preventative and preparatory measures to combat increasing cyber-attacks. Having a plan in place for a large-scale attack and preparing for the worst-case scenario puts businesses at an advantage in the event of a breach. Just as those living in an area prone to hurricanes, earthquakes and the like keep a natural disaster plan, businesses need a similar plan for their digital infrastructure. A data breach is a digital natural disaster that everyone needs to prepare for, because it is no longer a case of ‘IF’, but ‘WHEN.’

It is important to know your entire data ecosystem to have a successful security approach. Security and IT teams must also assume that there is unmanaged (shadow) data that has not been accounted for or disclosed. Around 40% of all breaches involved data distributed across multiple environments, such as public clouds, private clouds and on premises. Knowing where your data is distributed and stored at all times can help to prevent, identify and contain breaches with minimal disruptions.

One positive that came from the report was that 63% of the companies that fell victim to ransomware attacks did not pay the ransom in the end. This means that they either had backups and/or controls in place that protected their data from being encrypted and were able to restore their operations. Ensuring you have multiple encrypted offline backups of your data is an important safeguard in the event of a cyberattack, helping to save time and money in regaining access to critical information and getting your operations quickly back in action.


Protecting your data in the new school year


August is in full swing and back-to-school preparations are just around the corner. With attacks increasing across the education sector, it is more important than ever to strengthen cyber-security and protect important data heading into the new school year.

Author: Shannon Dority, Marketing Manager iStorage

Cyber challenges facing education

From personal data (names, addresses, financial information, credentials, visas and passports) to intellectual property such as groundbreaking and cutting-edge research, the wealth of valuable data educational institutions hold makes them a prime target for cybercriminals. In addition, many institutions lack adequate security measures, with lack of budget and training cited as the root cause. At the same time, further and higher education IT security teams face further challenges, as different departments often use their own individual software, alongside relaxed internal systems intended for easy document sharing. These factors leave the sector increasingly vulnerable to cybercriminals who could cause very significant disruption to an institution’s operations. It could even lead to the extreme case of permanent closure, as seen with Lincoln College in Illinois when a ransomware attack led to its May 2022 closure.

Graham Harrison, Group IT Director for Lincoln College, commented in the aftermath of the breach:

“Accreditation, certification and audits are no guarantee of defence against sophisticated, professional cyber-attacks. Because of the number of cyber-attacks against the sector and nationally, insurers are setting tighter criteria. This will lead to better cyber-security, but often requires significant investment. It is exactly the same with Cyber Essentials accreditation; it helps but won't guarantee safety.”

“I've concluded that further education (FE) colleges probably ought to be investing about a half to one percent of turnover on cyber security and ring-fencing that budget to ensure critical measures are implemented. Affordability is a constant consideration in FE, but as we discovered on that November night, the financial and human costs of dealing with a cyber-attack can far outweigh the cost of building a robust cyber security capability to keep staff and students as safe as possible.”

As the new school year gets underway, everyone across the sector should make it a top priority to strengthen cyber-security and protect important data. This includes not only administrative staff protecting the integrity of their institution, but also students, teachers, professors and researchers protecting their work from being lost, stolen or corrupted via external networks. Preventative measures are the first line of defence; alongside them, it is essential to have a preparation plan in place for the event that a breach and attack succeed.

How to Increase Cyber-Security in Education

With the beginning of the school year approaching, here are some tips and tools to help you best protect that valuable information.

Practice good digital or cyber hygiene.

This involves steps such as regularly updating your passwords, creating strong, complex passwords, using multi-factor authentication, applying system and security updates regularly, deleting unused software and carrying out regular penetration testing, amongst others. While these may seem like tedious tasks to repeat on a regular basis, they will benefit you in the long run. The data and information you hold is only as safe as your strongest wall of armour, so proactive steps to protect your devices from potential attackers are paramount.

Stay vigilant on the signs of a potential threat.

Phishing is still the most prevalent attack method within the sector, and the rise of AI and new technologies has opened the door for cybercriminals to become more sophisticated and creative in how they breach your systems. Phishing is no longer confined to email: newer forms such as smishing (SMS), vishing (voice) and quishing (QR codes) have been on the rise in recent years. Cybersecurity awareness training is important not just for staff and administrators, but also for students who connect their devices to and use institutional servers. As a general rule of thumb, if it looks suspicious or you do not recognise the sender, do not click the link!

Create a two-part plan.

This goes for both preventative and preparation plans. Keep your security systems up to date and know how your data is stored. While you can have every firewall in existence in place, it only takes one small crack for a cybercriminal to break in and create havoc. In this case, know what preparations you have in place to ensure your valuable data and information is not only protected, but can be recovered to reduce severe disruption across the institution.

Most importantly, BACK UP YOUR DATA AND FILES!

Make this a regular, if not daily, habit no matter your position within the education sector (students and researchers included). Ensuring you have multiple encrypted backups of your data and important files is an important safeguard in the event of a cyberattack, helping to save time and money in regaining access to critical information. While cloud backup services can be an option for this, it is important to note that even cloud servers can be affected by leaks and cybercriminals (e.g. the Apple iCloud celebrity photo leak). Using a hardware encryption module to encrypt data stored in the cloud and/or an offline encrypted backup is an important option to include in your data hygiene practices, as it can provide that extra level of reassurance and security. Taking that critical extra step of protecting your data by storing it offline on an encrypted flash drive or portable HDD/SSD, out of the hands of criminals, creates an essentially unbreakable safe and can make a world of difference when you need to restore your data following a cyber or ransomware attack.


Assuming responsibility for data protection in the cloud


Given the responsibility to ensure data protection in the cloud, how can organisations encrypt, share and manage data securely?

Author: John Michael, CEO iStorage

The Liability Clause

A recent study reveals that, alarmingly, only 32% of organisations believe that protecting data in the cloud is their own responsibility. The terms and conditions of major cloud providers include a “Limitations of Liability” clause which puts responsibility for data security on the cloud user. For example, AWS states that it accepts no liability in the case of “any unauthorised access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of the user’s content or other data.”

Those responsible for cloud infrastructure in an organisation generally understand the risks involved with storing data in the cloud. However, all users of the cloud need to be conscious of how critical it is to protect data in the cloud.

Hackers are devising many sophisticated methods to target innocent and vulnerable users, making human error prevalent amongst data leakage incidents.

Who guards the encryption key?

It has often been said that data is the new oil. Data can provide valuable insights that drive key business decisions, political campaigns and marketing initiatives. Just as the oil industry has security measures in place to protect against terrorism and maritime piracy, organisations need to establish security measures to ensure the protection of their data. One vital step is encryption.

More than half (51%) of organisations fail to use encryption to protect sensitive data in the cloud. Granted, most cloud providers will encrypt their customers’ data. However, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about. Interestingly, Apple was recently pressured by the FBI to abandon its plans to fully encrypt its iCloud backups, as it did not give the FBI a backdoor. Recall the liability clause? Full encryption of data cannot be dependent on the cloud provider.

To be a truly secure solution, the user needs full and secure control of the encryption key that is stored away from the data. This will protect the data even if the cloud account is hacked.

Controlling data shared in the cloud


How can you back up your data securely?


Everyone has at some point lost data.

It could have been a stolen phone, a lost USB flash drive or a result of a computer crash.

What exactly is Data Encryption?

How to secure data in the cloud

If the data is stored in the cloud, control of the encryption key is important.

Although most cloud service providers will encrypt their customers’ data, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about.

Moreover, if a hacker obtains the user’s credentials, the breach will go unnoticed by the cloud service provider, as it cannot distinguish a legitimate user from an attacker.

By encrypting the data yourself, you have full and secure control of the encrypted encryption key, which will ensure the data is kept confidential even if the cloud account is hacked.

Keeping the encryption key away from the cloud increases the number of security measures from just one authentication, the cloud account login, to as much as five-factor authentication.

Backing up data in the most secure way possible

In the worst-case scenario of a lost or stolen USB flash drive, hard drive or solid state drive, an encrypted PIN protected USB or HDD/SSD drive will negate the risk of your data being compromised.

Additionally, backing up valuable data onto an encrypted, PIN-authenticated drive can save you the trouble of losing access to important information during a ransomware attack, allowing you to quickly restore your data so that you’re back up and running.

If the drives are only accessible by entering a unique 7-15-digit PIN, unauthorised access to the data stored on the drive is prevented. With brute force limitation, if the PIN is entered incorrectly a designated number of times, all data previously stored on the drive is deleted and the drive is reset to factory default settings.

When power to the USB port is turned off, or if the drive is unplugged from the host device or after a predetermined period of inactivity, the drive should automatically lock to prevent unauthorised access.

Using a drive that can also be configured as read-only (write-protected) will ensure the data is not modified.

Data is becoming increasingly valuable. Businesses and individuals alike should take the utmost precautions to protect their data.

Backing up data into the cloud or to an encrypted PIN protected USB or HDD/SSD drive will protect your data from being accessed or viewed by unauthorised persons and will ensure your data isn’t lost forever.

Can the healthcare sector find treatment for data privacy?


The healthcare sector has experienced great technological advancement over the years. Remember pagers? We’ve certainly come a long way. Clinical applications used today, such as electronic health records (EHR), mobile health (mHealth), computerised physician order entry (CPOE) and self-service applications, contribute to a more efficient medical workforce. However, as with any digital transformation project, increased security risks can be expected, especially with the rise of sensitive data collected.

Healthcare institutions collect a vast amount of data, including patient records, health card numbers and radiologic images. With the exponential growth of data, many are turning to the cloud for storage solutions. This, in turn, only amplifies data protection concerns.

Whether it be in adherence to HIPAA, CCPA, DPA or GDPR, healthcare institutions are responsible for protecting and securely storing patient health information (PHI) data. PHI data must be protected in transit and at rest. This can be challenging for large healthcare institutions when sharing data with remote employees, with other departments or with other institutions. Many lack centralised management of systems and data, losing out on full visibility and control of data.

To ensure data privacy, there are five important suggestions to follow: (1) encrypt data in transit and at rest; (2) control the encryption key; (3) share encrypted data securely; (4) back up sensitive information; (5) have a centralised management system that will help you closely monitor and remotely manage data.

1. Give PHI data the encryption pill

Encrypting data is a requirement of compliance standards, including HIPAA. Organisations are under constant attack. Regardless of whether the attack makes headlines or not, the data should be protected. To ensure data privacy when faced with common threats, such as DDoS and malware attacks, data must be encrypted before it is sent to the cloud, in transit and at rest.

For ultra-secure encryption, the data should preferably be encrypted with a FIPS certified, randomly generated AES 256-bit encrypted encryption key. Confidential information stored on a local computer or drive, sent via email or file sharing service and shared in the cloud should be securely encrypted.

2. Don’t let PHI data spread like a virus – control the encryption key

If the data is stored in the cloud, control of the encryption key is important. Granted, most cloud service providers (CSPs) will encrypt their customers’ data and some even offer a key management system service, which allows customers to manage their encryption keys. However, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff – much like leaving your house key under the doormat that half the neighbourhood knows about.

In fact, the US Department of Health and Human Services launched an inquiry into Google’s partnership with non-profit healthcare organisation Ascension. Reportedly, 150 Google employees can access the healthcare data on tens of millions of patients, including patient names and dates of birth, diagnoses, patient health and hospitalisation records.

The user needs full and secure control of the encryption key in order to ensure the data is kept confidential even if the cloud account is hacked. Having your own key management system will not only give you more control of encryption keys but is also more convenient for those using a multi-cloud solution.

Security measures must go beyond the cloud login credentials. If a hacker obtains the user’s credentials, the breach will go unnoticed by the CSP, as it cannot distinguish a legitimate user from an attacker. Keeping the encryption key away from the cloud, itself encrypted within an ultra-secure Common Criteria EAL4+ microprocessor and protected by a PIN authentication code, increases the number of security measures from a single authentication, the cloud account login, to as much as five-factor authentication.

3. Sharing is caring, but only if the data is secure

The more people the data is shared with, the greater the challenge to ensure data privacy. In 2019, over 60% of personal data breaches reported to the Information Commissioner’s Office (ICO) were a result of human error – healthcare being the most affected sector – with a fifth of those incidents caused by posting or faxing data to the incorrect recipient and 18% whose emails landed in the wrong inbox. In fact, a concerning 59% of US healthcare IT professionals cite email as the most common point of compromise.

Storing PHI data in one place, accessed only by authorised users who have a copy of the encrypted encryption key at hand, can allow for efficient working whilst ensuring data security.

Sharing encrypted data securely allows for instant collaboration in the cloud, saving time in what would be days of posting encrypted USB flash drives to and from colleagues. This is a far greater alternative to the archaic use of fax machines the NHS only just discontinued in March 2020. The NHS admittedly agreed to increased investment in its IT department, especially following the infamous WannaCry ransomware attack.

4. Failing to back up data will make you WannaCry

5. Centralised management – saving hands for data privacy

Controlling access to data is challenging when there is a high volume of data that is widely shared. For example, Canada-based genetic testing company LifeLabs reported it discovered unauthorised access to its systems, containing the data of 15 million patients, including contact details, lab results and health card numbers. The lawsuit claims the company failed to implement “adequate security measures”, including failing to encrypt their data.

Another worrying example is that of a dismissed hospital administrator who hacked his NHS trust and stole 14 files relating to his sacking, 600 staff-related documents, 150 documents discussing management matters and almost 9,000 patient heart scan images.

These incidents highlight the need for a centralised management of data. Having one IT manager responsible for each department and a superior IT manager overseeing the whole organisation will help organisations monitor and manage large amounts of sensitive data in an organised fashion.

IT managers need full visibility and control of all member access to data within the organisation. Administrator capabilities – such as temporarily disabling or resetting encryption modules (storing the encrypted encryption key to access data stored in the cloud), restricting file types, encrypting file names, viewing user’s log files, displaying user’s location, as well as geo-fencing and time-fencing capabilities – will all contribute to an efficient oversight of data.

Healthcare institutions must assume responsibility for data privacy. Encrypting PHI data is the first step in doing so. When organisations encrypt their data themselves, they have control of the encrypted encryption key and increase security measures when storing data in the cloud. Sharing that encrypted encryption key to authorised colleagues, backing up data in PIN protected drives and having full visibility and control of users and devices will ensure data confidentiality when information is shared, if the cloud is hacked or if a drive is lost.

Taking control of sensitive information to ensure its privacy will help healthcare institutions avoid hefty data breach fines, preserve their reputation and, most important of all, earn patient and customer trust.

A Guide to HIPAA Compliance


How iStorage can help

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for patient data protection. HIPAA applies primarily to covered entities (treatment, payment and operations providers in healthcare). It is also applicable to business associates – a person or business that provides a service, function or activity for a covered entity that involves the business associate having access to protected health information (PHI) maintained by the covered entity. Business associates can include lawyers, accountants or cloud service providers (CSPs), as long as they are involved in creating, receiving, maintaining or transmitting PHI.

Compliance is easier said than done. Healthcare institutions collect a vast and ever-growing amount of data, including patient records, health card numbers and radiologic images. Protecting all this data can be challenging for large healthcare institutions when sharing data with remote employees, with other departments or with other organisations. Many lack centralised management of systems and data, losing out on full visibility and control of data. As a result, healthcare organisations suffer the looming threat of non-compliance. Common HIPAA breaches include unauthorised disclosures and misuse of patient records, disclosing to third parties more than the minimum necessary PHI and lack of administrative or technological safeguards for PHI.

To ensure adherence to the various HIPAA rules and safeguards, health organisations must have appropriate physical, network and security measures in place to protect PHI at rest and in transit and to prevent and detect unauthorised access to PHI. At iStorage, we have designed and developed our products and solutions to assist our clients in the healthcare sector in meeting industry regulatory standards.

The importance of encryption

To understand the importance of encryption, it is essential to first understand the value of PHI. Unlike credit card information or social security numbers, PHI, which is made up of one’s personal health history, cannot be changed. As a result, PHI sells for as much as US$363 on the black market, compared to credit card information and PII that sell for US$1-$2. It is not surprising then that there was a whopping 80 per cent increase in the number of people affected by health data breaches from 2017 to 2019*. In fact, IBM’s Data Breach Report found that healthcare is the most expensive industry for a data breach at USD 6.45 million.

Data encryption renders stored and transmitted data unreadable and unusable in the event of theft. Therefore, if a hacker obtains encrypted PHI, it will be of no use. Furthermore, if an encrypted device, such as a USB flash drive or hard disk drive, is lost or stolen, it will not result in a HIPAA breach for the exposure of patient data. HIPAA’s Technical Safeguards require PHI to be encrypted to NIST standards, which call for the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. All iStorage devices, which include the USB flash drive range, HDD/SSD range and cloudAshur encryption module, have an on-device crypto-chip offering real-time AES-XTS 256-bit hardware encryption with a FIPS PUB 197 validated encryption algorithm.

For ultimate security, going above and beyond HIPAA requirements, the datAshur PRO² and the diskAshur PRO² range, as well as the cloudAshur encryption module, are the only drives to feature a Common Criteria EAL4+ ready secure microprocessor, which employs built-in physical protection mechanisms, designed to thwart an array of cyber-attacks, such as side-channel attacks.

Backing up valuable data onto a PIN-authenticated, encrypted hard-disk drive can save healthcare service providers the trouble of losing access to important information during a ransomware attack and can also be a means to archive medical records in an encrypted format for at least six years, in accordance with HIPAA.

Another HIPAA Technical Safeguard is employing network or transmission security that ensures HIPAA compliant hosts protect against unauthorised access to PHI. This safeguard addresses all methods of data transmission, including email, internet, or private networks, such as a private cloud. How can this be achieved?

Controlling access to data

Confidential information stored on a local computer or drive, sent via email or file sharing service and shared in the cloud should be securely encrypted. If the device is lost or stolen when employees transport files or work out of the office, the datAshur PRO² and the diskAshur PRO² range allow organisations to avoid the risk of their data being accessed or viewed. The drives are only accessible by entering a unique 7-15-digit PIN, preventing unauthorised access to the data stored on the device.

The brute force limitation feature means the User PIN is deleted if entered incorrectly a designated number of times and the drive can only be accessed by entering the Admin PIN to reset the User PIN. If the Admin PIN is entered incorrectly a certain number of times, the encrypted encryption key is deleted along with all data previously stored in the drive.

When power to the USB port is turned off, or if the drive is unplugged from the host device or after a predetermined period of inactivity, the drive will automatically lock to prevent unauthorised access. The datAshur PRO² can also be configured as a read-only (write-protected) device to ensure the data is not illegally modified. The technical safeguards of HIPAA require access control allowing only authorised personnel to access PHI. How can this be upheld when sharing data in the cloud?

HIPAA and the cloud

A common concern when sharing confidential information in the cloud is security and, by extension, liability. Who is liable for data breaches in the public cloud? A CSP is classed as a business associate under HIPAA, even if the PHI shared is encrypted and the decryption key is not provided, meaning the CSP must meet HIPAA compliance obligations. When using the public cloud, covered entities must enter a business associate agreement (BAA) with the CSP, and a service level agreement (SLA) can be drawn up to address specific responsibilities regarding data protection and security.

In terms of security, the encryption most cloud service providers apply to stored data is adequate for HIPAA purposes. That alone does not make the CSP HIPAA compliant, however. Apple, for example, declines the role outright, stating in its terms and conditions: “If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

Another important factor is who controls the encryption key. Most CSPs encrypt their customers' data, and some offer a key management service through which customers manage their own keys. But the key material still lives inside the provider's infrastructure: anyone who obtains the account's credentials, or a sufficiently privileged insider, can have the cloud decrypt the data for them. It is much like leaving your house key under a doormat that half the neighbourhood knows about.

With cloudAshur, each authorised user holds a copy of the wrapped (encrypted) encryption key physically within the PIN-authenticated cloudAshur encryption module. Using cloudAshur KeyWriter, all critical security parameters, including the randomly generated encryption key and all PINs, are copied from the Master cloudAshur module to as many Secondary cloudAshur modules as required. This allows secure and instant collaboration in the cloud between authorised users, as well as secure sharing of encrypted files via email and file transfer services.
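The following Go example is added here to show the mechanics behind the last two paragraphs; it is not iStorage's implementation, and the key derivation, nonce layout and labels are assumptions. Files are encrypted under a random data-encryption key; the module holds only a wrapped copy of that key, unwrapped by the PIN, and a second module provisioned from the first (the KeyWriter role) yields the same key without the key ever leaving the modules in clear. The cloud receives nothing but ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added illustration of the key handling described above, not iStorage's
// implementation. Files are encrypted with AES-256-GCM under a random data-
// encryption key (DEK). The DEK is never stored in clear: the module keeps it
// wrapped under a key-encryption key (KEK) derived from the PIN, and the cloud
// only ever receives ciphertext. The KDF and AAD labels are assumptions.

// randBytes panics if the CSPRNG fails; nothing here is safe without it.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// deriveKEK stretches the PIN with a salt by iterating HMAC-SHA256; it stands
// in for a real password KDF such as PBKDF2 or Argon2.
func deriveKEK(pin string, salt []byte) []byte {
	out := salt
	for i := 0; i < 20000; i++ {
		m := hmac.New(sha256.New, []byte(pin))
		m.Write(out)
		out = m.Sum(nil)
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Module is what the PIN-authenticated hardware stores: a salt and the wrapped DEK.
type Module struct {
	Salt       []byte
	WrappedDEK []byte
}

// Provision generates a fresh DEK and wraps it under the PIN-derived KEK.
func Provision(pin string) (*Module, error) {
	salt := randBytes(16)
	wrapped, err := gcmSeal(deriveKEK(pin, salt), randBytes(32), []byte("wrapped-dek"))
	if err != nil {
		return nil, err
	}
	return &Module{Salt: salt, WrappedDEK: wrapped}, nil
}

// Clone copies the critical security parameters to a second module, the job
// KeyWriter does in the text; the DEK travels wrapped and is never unwrapped.
func (m *Module) Clone() *Module {
	return &Module{Salt: append([]byte(nil), m.Salt...), WrappedDEK: append([]byte(nil), m.WrappedDEK...)}
}

// Unwrap recovers the DEK; the GCM tag makes a wrong PIN fail outright rather
// than yield a garbage key that silently corrupts files.
func (m *Module) Unwrap(pin string) ([]byte, error) {
	dek, err := gcmOpen(deriveKEK(pin, m.Salt), m.WrappedDEK, []byte("wrapped-dek"))
	if err != nil {
		return nil, fmt.Errorf("wrong PIN or tampered module")
	}
	return dek, nil
}

// EncryptForCloud builds the upload blob; binding the file name as AAD stops a
// stored blob being swapped in under another name without detection.
func EncryptForCloud(dek []byte, name string, pt []byte) ([]byte, error) { return gcmSeal(dek, pt, []byte(name)) }
func DecryptFromCloud(dek []byte, name string, blob []byte) ([]byte, error) { return gcmOpen(dek, blob, []byte(name)) }

func main() {
	m, _ := Provision("2468135")
	_, err := m.Clone().Unwrap("0000000")
	fmt.Println("wrong PIN on the cloned module:", err)
}
```

Two points a practitioner should note. First, a wrong PIN is caught by the GCM authentication tag on the wrapped key, so it fails cleanly instead of decrypting files into garbage. Second, a 7 to 15 digit PIN has far less entropy than the 256-bit key it protects; if an attacker could extract the wrapped key and try PINs offline, a numeric PIN would not hold for long. The hardware's retry counter and crypto-erase (see "Controlling access to data" above) are what close that gap, which is why this construction belongs in a tamper-resistant module rather than in software alone.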

Multi-factor authentication is also highly recommended as a best practice for HIPAA compliance. Although not mandatory, the HIPAA Journal advises it’s “the best way to comply with the HIPAA password requirements.” If an attacker obtains a cloud user’s credentials, the breach will go unnoticed by the CSP, which cannot distinguish a legitimate user from an attacker holding the same credentials. The cloudAshur encryption module adds factors the cloud never sees, possession of the PIN-authenticated module and knowledge of its PIN, because the encryption key is kept away from the cloud; iStorage describes the resulting scheme as five-factor authentication.

What if the CSP is willing to enter a BAA, such as Microsoft? Although Azure or OneDrive can be used in a way that satisfies HIPAA Rules, Microsoft will accept no responsibility for HIPAA violations caused as a result of the misuse of its services. As Microsoft explains, “Your organisation is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.” The same is true with many CSPs. CSPs will not accept liability for misuse of their service/platform or misconfigurations by healthcare employees. It is therefore the responsibility of the covered entity using the service to ensure that HIPAA Rules are followed.

Gaining visibility and control of data

To avoid a HIPAA violation, cloud accounts must be monitored to ensure PHI is not being accessed by unauthorised individuals, and administrators must revoke access promptly when a person's role changes so that they no longer need PHI, or when they leave the organisation. This level of management can be attained using the cloudAshur Remote Management Console.

Administrator capabilities, such as temporarily disabling or resetting encryption modules (which hold the encrypted encryption key needed to read data stored in the cloud), restricting file types, encrypting file names, viewing users’ log files, displaying users’ locations, and geo-fencing and time-fencing, all contribute to effective oversight of data.

Having full visibility of the PHI shared will be useful if a patient requests a copy of their health records, which must be provided within 30 days, a right set out in the HIPAA Privacy Rule. In the event of a breach, the HIPAA Breach Notification Rule requires notifications to state the nature of the PHI involved, the unauthorised person who used the PHI or to whom it was disclosed (if known), whether the PHI was actually viewed or acquired (if known) and the extent to which the risk of harm has been mitigated. Using the cloudAshur Remote Management Console, admins can view log files showing when files were accessed or modified and by whom. This supports the HIPAA audit controls safeguard, which requires mechanisms such as audit reports or tracking logs that record activity in systems containing PHI.
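To make the log-review step concrete, here is an added Go example (not the cloudAshur console's own logic, and not code from the page). It runs a constructed access-log export against a list of who is still authorised for PHI and a record of when access was revoked, and returns the facts a breach notification asks for: which PHI file, who touched it, whether it was opened or modified, and why that access is questionable. The log format, file paths and user names are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Added example, not part of the original article or of the cloudAshur
// console. It reviews an access-log export against the joiner/leaver record
// and flags PHI access by anyone not currently authorised.

// sampleLog is a constructed export: RFC 3339 time, user, action, path.
const sampleLog = `
2024-03-04T09:12:01Z alice.r open   /phi/patients/2024/visit-1182.pdf
2024-03-04T09:40:22Z bob.k   modify /phi/patients/2024/visit-1182.pdf
2024-03-05T18:02:10Z bob.k   open   /phi/patients/2024/labs-0093.csv
2024-03-06T07:15:44Z carol.m open   /finance/q1-budget.xlsx
2024-03-06T08:01:03Z dave.x  open   /phi/patients/2024/visit-1199.pdf
`

// Constructed joiner/leaver data: everyone ever authorised for PHI, and the
// moment access was revoked for those who no longer need it.
var authorised = map[string]bool{"alice.r": true, "bob.k": true, "carol.m": true}
var revokedAt = map[string]time.Time{
	"bob.k": time.Date(2024, 3, 5, 0, 0, 0, 0, time.UTC), // role changed on 5 March
}

type Event struct {
	At                 time.Time
	User, Action, Path string
}

type Finding struct {
	Event  Event
	Reason string
}

func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return Event{At: at, User: f[1], Action: f[2], Path: f[3]}, nil
}

// isPHI assumes PHI lives under /phi/; a real deployment would classify by
// folder policy or data tag rather than a path prefix.
func isPHI(path string) bool { return strings.HasPrefix(path, "/phi/") }

// Review returns every PHI access that an authorisation review should question.
func Review(log string) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := parseLine(line)
		if err != nil {
			return nil, err // an unparseable log is itself a finding; stop rather than skip
		}
		if !isPHI(ev.Path) {
			continue
		}
		switch {
		case !authorised[ev.User]:
			findings = append(findings, Finding{Event: ev, Reason: "user was never authorised for PHI"})
		case !revokedAt[ev.User].IsZero() && !ev.At.Before(revokedAt[ev.User]):
			findings = append(findings, Finding{Event: ev, Reason: "access after revocation on " + revokedAt[ev.User].Format("2006-01-02")})
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := Review(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s %s: %s\n", f.Event.At.Format(time.RFC3339), f.Event.User, f.Event.Action, f.Event.Path, f.Reason)
	}
}
```

Run against the sample, the review skips alice.r's and carol.m's events (authorised, or not PHI), passes bob.k's modification on 4 March (before revocation) and flags two events: bob.k opening a lab file after his access ended, and dave.x, who never appears in the authorisation list, opening a patient record. The action field is what tells you whether the PHI was viewed or modified, which is exactly the distinction the Breach Notification Rule asks about.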

HIPAA compliance encompasses a number of obligations, enough that organisations appoint a HIPAA Compliance Officer to ensure the privacy policies that protect the integrity of PHI are enforced. Healthcare organisations that violate the HIPAA Privacy and Security Rules face substantial fines under the supplementary Health Information Technology for Economic and Clinical Health (HITECH) Act, whether the violation was inadvertent or the result of wilful neglect. Simply put, excuses will not be accepted. Failure to comply can also lead to criminal charges and civil lawsuits should a breach of PHI occur.

Healthcare organisations need to confirm they have implemented all the appropriate safeguards to protect PHI in transit and at rest and to prevent unauthorised disclosures if they are to be HIPAA compliant. The datAshur PRO² and diskAshur PRO² provide a secure backup of encrypted data, accessible only to those authorised with a PIN. The cloudAshur can be used to encrypt data in the cloud or locally on a PC or Mac, as well as to encrypt files shared via email or file-sharing services. Using the cloudAshur Remote Management Console, healthcare organisations can have a holistic view and full control of the PHI they share, helping keep PHI confidential, meet HIPAA compliance and earn patients’ trust.

The critical care of data in healthcare

iStorage CEO, John Michael, considers the importance of digital hygiene in healthcare and explains how hardware encryption helps health organisations add security to their processes, protects patients, and keeps sensitive records safe from cyber criminals

High-impact data breaches

Data breaches are a global issue, and as healthcare providers worldwide have transitioned to EHR-based record keeping, controlling access to such sensitive data has proven difficult. In the UK, eight in ten providers of frontline healthcare services suffered at least one data breach between 2021 and 2023. French healthcare software provider Dedalus Biologie was fined €1.5 million for a 2021 breach in which the names, social security numbers and sensitive medical information of nearly 500,000 people were released onto the internet. In the US, reported breaches affecting major healthcare organisations totalled around 295 in the first half of 2023, and 87 million US patients had their information exposed during 2023, 43 million of them in the third quarter alone.

The safety of healthcare data is clearly a worldwide issue, and the methods of cyber criminals can be extremely disruptive. The EU Agency for Cybersecurity reports that ransomware accounts for 54% of cybersecurity threats in the health sector. A ransomware attack not only risks the loss or publication of data that was poorly secured or not backed up; it also causes serious disruption to medical systems. Being unable to restore an affected system quickly may cost lives, a position health organisations should never have to face.

Reliance on outdated technology

In many cases, providers have been forced to fall back on outdated technology to keep communication channels secure. Many US health organisations, for example, have found the transition to a modern EHR platform difficult. Incompatibilities between competing EHR platforms, and in some cases vendors actively blocking communication, hamper interoperability to the point where most US healthcare providers still depend on electronic and paper fax for secure communication.

The UK, despite attempts to ensure NHS interoperability by 2020, still struggles with siloed systems and fragmented technology that prevent seamless communication between departments and restrict adherence to digital and data standards. Primary Care Support England continues to distribute paper-based Lloyd George medical records, physically couriering them between locations, as the scanning and digitisation of UK medical records remains incomplete.

While a certain amount of teething trouble is to be expected over the course of any digital transformation effort, a difficult or frustrating system may lead pressurised individuals to transmit data without following proper protocols. Moreover, many legacy or portable systems cannot yet be connected to a modern network, let alone communicate in a truly secure manner. Temptation or necessity may lead to insecure data storage and transfer, an extremely poor practice in such a sensitive environment.

Changing practices to protect data

Digital hygiene must be treated as importantly as physical hygiene within healthcare. It is vital that all professionals in the health space are made aware of their responsibility to protect data. This goes far beyond those developing EHR platforms or other back-end technologies; digital hygiene must be practiced up and down the chain.

Anyone with access to sensitive records must learn the inherent vulnerabilities of transfer methods like email or devices like laptops and be clear on the potential consequences of their use, misuse, or loss. Many everyday practices within healthcare organisations can introduce security vulnerabilities, too. Pulling results from a non-networked mobile ECG or sonograph, for example, is often done using a basic USB flash drive. If such a drive is lost or stolen, control of that data is lost with it – and the sanctity of a patient’s personal information becomes vulnerable. It is incumbent on any individual that may need to transfer anything from place to place that they do so in the most secure way possible.

The power of hardware encryption

Introducing hardware encryption prevents such data from reaching the wrong hands. Storage media that encrypt files automatically keep sensitive data safe, ensuring it can be read only by those authorised to unlock it. Employing encrypted storage further up the chain, alongside other standard methods, to back up patient records locally safeguards against system loss in the case of ransomware or other disruptive attacks. Data stored on an encrypted external drive is, once that drive is disconnected, out of reach of network intrusion, and whoever takes the drive itself holds only ciphertext. And since hardware-encrypted drives present themselves as standard USB mass storage once unlocked, they work with any medical equipment that has a USB port, with no software to install.

The high black-market value of health data means the industry will likely never be free from the attention of cyber criminals. Healthcare providers must do everything they can to build a resilient shield to defend themselves, their equipment, and most importantly their patients against any form of digital incursion. A two-pronged strategy which combines regular backups with hardware encryption should be an essential component of any digital hygiene plan – with the right equipment it is easy to introduce, easy to administer, and inherently secure.

John Michael, CEO, iStorage

Halting the rise of ransomware: how zero trust can mean zero loss

iStorage CEO, John Michael, considers why ransomware attacks are again on the rise and how encryption and backups are critical ways to take the sting out of hackers’ ransom demands

Despite hope last year that successful ransomware attacks were on the wane, 2023 has seen a revival of ransomware. Companies continue to face the threat of locked down hardware, losing access to critical data, and potentially having that data released publicly if they refuse to acquiesce to extortionate ransom demands.

It’s not hard to track the reasons for ransomware’s resurgence. IT departments employed proactive methods – including regular backups, encryption, and network security – to combat the so-called ‘golden age’ of ransomware caused by the pandemic-led shift to hybrid and remote working. Statistics suggest such plans are no longer being given the same priority. Just 68% of companies allocated a budget in 2022 to protect against ransomware compared to 93% in 2021. Moreover, only half of those surveyed were taking proactive steps to prevent such attacks, such as regular data backups. Instead, as media headlines declined, companies appear to have lowered their defences.

Ransomware works, and it is not going away. Victims are incentivised to pay, because an attack could cause serious reputational and regulatory damage as well as an average of 20 days of business downtime. Criminals could net millions with a successful ransomware deployment – demands of US$70 million and upwards from a single compromised business are not unheard of. In only the first three months of 2023, companies were forced to spend around $450 million to regain control of their data and could potentially spend more. The golden age of ransomware is clearly not over, and its impact may be rising exponentially.

The rise of commercial ransomware

The lucrative nature of ransomware means it has, progressively, moved away from the domain of lone hackers or small groups. Ransomware is an increasingly professional criminal endeavour, employed with a focused approach specifically tailored for maximum impact to hackers’ targets, however big or small they may be. Attackers have become more brazen and public with their extortion methods, threatening to release sensitive data like company records, client lists, or trade secrets publicly or even making ransom demands to an affected business’s third-party clients.

Mounting a ransomware attack does not even demand a huge amount of expertise. Any prospective hacker can access Ransomware-as-a-Service (RaaS). As part of a profitable secondary cybercrime market, RaaS sees malware authors offering off-the-shelf variants of malicious software, along with expertise on its use and ready-made databases of online credentials, for a fee. An open market for ransomware means an attack could potentially come from any source at any time, making a solid backup and encryption policy absolutely essential.

Growing physical vulnerabilities in the workplace

Ransomware must be deployed within a company’s systems to work. Attackers can use various means to gain access to systems, from directly targeting insecure networks and computers to exploiting previously undiscovered digital vulnerabilities. The number of potential avenues of attack is growing all the time. The wide-ranging devices which make up the Internet of Things (IoT), for example, are likely to number over 22 billion by 2024, each of them a tiny network-connected computer. The trend towards commonplace remote and hybrid working also highlights new vulnerabilities for more traditional computer hardware, as employees use insecure home networks or even public Wi-Fi in places like coffee shops.

The distributed workforce means VPNs are a target. Working in public places means criminals can discover passwords simply by watching a user type them in. A single lost or unattended laptop could be enough for an attacker to obtain the credentials needed to launch an attack. The growth of computing power also gives those who would brute-force their way into a network stronger tools. Protecting one's data with encrypted, air-gapped backups limits the damage any of these attack vectors can do: a brute-force search of a 256-bit AES key is infeasible, and in practice attackers go after the PIN, the firmware or the host rather than the key, which is why the retry lockout and the air gap matter as much as the cipher.

Using confidence tricks to shatter security

Often, ransomware attackers attempt to gain access to networks with simpler methods such as phishing. Spoof emails are surprisingly effective: two in three users open phishing emails, a third will click the links or attachments within, and half of those will enter details into fake login screens. Their success rate means the use of phishing emails is growing, too. In Q1 this year, malicious emails made up a quarter of all email messages, an all-time high.

Phishing works so well because phishers have mastered social engineering confidence tricks and employ meticulous research and Artificial Intelligence (AI) tools to make their emails seem authentic. In addition to broad email campaigns, they research and target specific individuals who hold more valuable access credentials, a practice known as spear phishing. Phishers also use AI to replicate the writing style of senior employees so that a request appears to come from the boss, the pattern behind business email compromise. Reports suggest that newer AI-generated phishing emails can convince users to click through and fill in a form up to 80% of the time.

Bypassing the ingenuity and methodology of those wishing to deploy ransomware – whatever their method – requires consistently vigilant behaviour, and a Zero Trust approach. Zero Trust is a framework which offers no implicit trust to any entity which interacts with your organisation. Under Zero Trust, every device, user, platform, tool, or vendor must clearly demonstrate its security credentials. It is an essential component of digital hygiene, and, if properly understood by all employees, is the best way to minimise the possibility of a ransomware attack. In some cases, though, hackers with insider knowledge may find a way to infiltrate a network regardless of an organisation’s policies. So, any cyber resilience plan must be joined by a matching IT infrastructure.

Encryption and backups - the two-pronged solution to ransomware

As creative as one's network policies may be, there is no other option: organisations must implement consistent encryption and a strong backup policy to protect their data. In a ransomware attack, a backup accelerates recovery and can avoid an expensive and embarrassing payout. An air-gapped backup, one stored on an external device that is not attached to the network, cannot be reached by ransomware while it stays disconnected; it should be taken from a known-clean state and its restore tested, since a backup that has never been restored is only an assumption. Backups should follow the 3-2-1 rule: three copies of the data, on two different types of media, with one copy off-site, which ensures a backup is always available in the event of physical or digital disaster.

Add encryption, and you introduce an extra layer of security to your backups. In the unfortunate event that an external drive is lost or stolen, encryption makes its contents useless to anyone without the key, minimising the possibility of a damaging data breach. Hardware encryption helps to streamline and foolproof this process by encrypting and decrypting data automatically, without any special software to install.

The correct hardware backup and encryption solution removes a large amount of business vulnerability, and a lot of worry. Employees no longer need to wrestle with awkward software or wonder whether they are doing the right thing: hardware encryption is secure by default. Physical and logical separation between encryption keys and the data they protect means an attacker who reaches the stored data gets only ciphertext. And with a solid recovery plan in place, ransomware ends up little more than a temporary inconvenience.

John Michael, CEO, iStorage

Preventing data breaches and staff burnout in the remote-work era

iStorage CEO, John Michael, argues that remote and hybrid work demand a stricter focus on data security and employee health, both of which can be achieved with the right tools and policies.

Hybrid and remote work are not going anywhere. Workers love the flexibility of the modern office, and the statistics back it up: 82% of 28,000 surveyed full-time employees find that hybrid working has made them happier, and 78% say that working remotely improves their overall wellbeing. Employers enjoy their own benefits, given that remote work reduces burnout and, contrary to certain management assumptions about its effectiveness, increases employee engagement. A 2018 survey, conducted before the major rise in remote work, found that 67% of workers had experienced burnout, yet by 2022 flexible working had brought this figure closer to 30%.

These figures present the positives, but they downplay the difficulty of administering a distributed workforce, particularly one, such as accountants, that is expected to work with sensitive data. It doesn’t take a genius to realise that an accidental breach could be an incredibly costly mistake, incurring a significant fine or losing a client, and breaches do happen. The Information Commissioner’s Office received reports of over 1,000 data breaches involving unauthorised access to data in 2022, and almost 600 incidents of data or paperwork being left in an insecure location. The protection of data cannot be left to chance: in the remote-work era, good data hygiene is essential.

Controlling data access based on location

IT administrators would not generally allow hybrid workers a free choice of software or hardware. In the same vein, employees should not be given complete freedom to work however and wherever they choose. Hybrid workers, given their relative freedom, may take an over-relaxed attitude to their place of work, and those putting in the hours in coffee shops, on public transport or otherwise away from the office are naturally more likely to cause such breaches.

Tight security controls are vital to keep data safe, whether that be PII or company spreadsheets. A data breach could be caused by connecting to cloud services over insecure networks, for example, or by a laptop being left unattended or stolen. An offline, secure approach mitigates the device-loss side of this: if hybrid and remote workers must keep data on encrypted storage while away from a trusted network, a lost, stolen or unattended device yields nothing readable.

A secure drive may be able to lock itself based on a user’s proximity to their computer – should the drive’s owner step away from their machine, the drive’s contents would automatically be rendered inaccessible. If strict policies demand that remote employees work only from a pre-approved locale, secure storage can also be geofenced. This restricts use of a device based on its GPS coordinates – the fence can cover regions as large as continents or as small as a few metres. Outside of those areas, such a device would not be able to be unlocked.

Implementing hardware policies to aid work/life balance

The health of a company’s data is of paramount importance, of course, but introducing proper data hygiene procedures can also go some way to protecting the health of its employees. Remote workers, and even in-office employees, can experience an unhealthy creep towards the work side of work/life balance. We’ve all burned the midnight oil at times, and not always because we’ve needed to. Digital connectivity can be an addiction.

Overarching legislation isn’t necessarily the answer. Even in France, where ‘right to disconnect’ legislation passed in 2017 aimed to protect workers from out-of-hours work, the easy availability of digital tools means many employees continue to feel compelled to remain connected and available outside their working hours. But French companies that have established strong internal policies in line with the legislation have been able to demonstrate significantly reduced out-of-hours engagement. A culture focused on wellbeing and reasonable expectations is key, then, and using secure hardware to implement more direct controls can have a positive effect too.

Set a time limit on the use of secure storage, for example, and the unlocking procedure can be prevented outside of agreed hours, reducing the chance of employees engaging in so called ‘grey work’ – out-of-hours work beyond one’s prescribed responsibilities. If such a limit needs to change, simple back-end software allows administrators to alter it on a user-by-user basis or apply a temporary lifting of restrictions. Each unlock also builds an audit trail of activities, which can tell administrators and managers precisely when and where a drive has been unlocked.

Employing remote management for additional security

Cryptographic security is what makes these functions work, and they do work. Until a secure drive is unlocked, its contents are AES-256 ciphertext, so the plaintext is unavailable to anyone who takes the drive. Even when plugged into a USB port, such a drive does not present itself as a storage device until the online authentication process has completed. And should the raw storage be read out directly, AES 256-bit hardware encryption still leaves the attacker with nothing that can be read, copied or shared.

Online authentication has a double use. It also means the access parameters of the device can be remotely administered at the time of unlocking. If a geofence moves, or an employee’s access restrictions change, these alterations do not require physical access to any remote hardware – any policy changes are automatically applied to a drive upon its use, no matter what machine it is connected to.

Remote data erasure provides peace of mind

A lost drive is obviously not a good thing. But that’s the point of cryptographic security and pivoting one’s data policies to ensure it is used. If a hardware encrypted drive is lost or stolen, it does not mean company data being breached, it simply means a loss of easily replaceable hardware. And if a double layer of security is required, a remotely administered secure drive can be set to erase itself if too many unsuccessful attempts are made.

If a remote employee reaches the end of their tenure, proper data hygiene procedures might also require that they return their hardware. But a secure drive could, if required, be set to be wiped at the moment an unlock attempt is made. This, along with geofencing, goes some way to preventing disgruntled employees taking company data to places it shouldn’t be.
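The following Go example is added to show how the geofence, time window, temporary override and wipe-on-next-unlock described in this article combine into a single decision made when the drive checks in; it is not the cloudAshur console's code, and the policy structure, field names and sample coordinates are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Added illustration of an unlock policy evaluated at check-in time: geofence,
// time fence, temporary override and wipe-on-next-unlock. Not the cloudAshur
// console's logic; field names and the London coordinates are assumptions.

type Geofence struct {
	Name     string
	Lat, Lon float64 // centre in decimal degrees
	RadiusM  float64
}

type Policy struct {
	Fences        []Geofence // unlock allowed inside any one of them
	AllowedDays   map[time.Weekday]bool
	StartHour     int // local window [StartHour, EndHour)
	EndHour       int
	Zone          *time.Location
	OverrideUntil time.Time // time fence suspended until this instant
	WipeOnUnlock  bool      // set by an admin for a leaver's drive
}

type Action int

const (
	Deny Action = iota
	Unlock
	Wipe
)

type Decision struct {
	Action Action
	Reason string
}

// haversineM is the great-circle distance in metres between two points.
func haversineM(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusM = 6371000.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusM * math.Asin(math.Sqrt(a))
}

func insideFence(p Policy, lat, lon float64) (string, bool) {
	for _, f := range p.Fences {
		if haversineM(lat, lon, f.Lat, f.Lon) <= f.RadiusM {
			return f.Name, true
		}
	}
	return "", false
}

func withinHours(p Policy, now time.Time) bool {
	local := now.In(p.Zone)
	return p.AllowedDays[local.Weekday()] && local.Hour() >= p.StartHour && local.Hour() < p.EndHour
}

// Evaluate runs at unlock time against the policy fetched from the console, so
// a moved fence, a changed window or a wipe order takes effect on the next
// unlock. The override lifts the time fence only; location is always enforced.
func Evaluate(p Policy, lat, lon float64, now time.Time) Decision {
	if p.Zone == nil {
		p.Zone = time.UTC
	}
	if p.WipeOnUnlock {
		return Decision{Action: Wipe, Reason: "drive marked for erasure on next unlock"}
	}
	where := "any location"
	if len(p.Fences) > 0 {
		name, ok := insideFence(p, lat, lon)
		if !ok {
			return Decision{Action: Deny, Reason: "outside every approved location"}
		}
		where = name
	}
	if now.Before(p.OverrideUntil) {
		return Decision{Action: Unlock, Reason: "admin override in force at " + where}
	}
	if !withinHours(p, now) {
		return Decision{Action: Deny, Reason: fmt.Sprintf("outside agreed hours %02d:00-%02d:00", p.StartHour, p.EndHour)}
	}
	return Decision{Action: Unlock, Reason: "inside " + where + " during agreed hours"}
}

func main() {
	p := Policy{
		Fences:      []Geofence{{Name: "London office", Lat: 51.5074, Lon: -0.1278, RadiusM: 150}},
		AllowedDays: map[time.Weekday]bool{time.Monday: true, time.Tuesday: true, time.Wednesday: true, time.Thursday: true, time.Friday: true},
		StartHour:   8, EndHour: 18, Zone: time.UTC,
	}
	d := Evaluate(p, 51.5078, -0.1278, time.Date(2024, 3, 6, 22, 0, 0, 0, time.UTC))
	fmt.Println(d.Action == Deny, d.Reason)
}
```

The order of the checks is the design point. A wipe order is honoured before anything else, so a leaver's drive is erased even from an approved location during working hours. Location is checked before the override, so an administrator temporarily lifting the time limit for one user does not also let that user unlock the drive from an unapproved place. The policy is fetched fresh at each unlock, which is what makes changes apply without physical access to the hardware.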

Obviously much of the burden of remote worker data hygiene must be shouldered by company policy. But whatever level of control a company wishes to have over its remote employees, whatever policies exist to support efficient work and wellbeing, or even if you’re running a freelance accounting operation, investing in secure hardware makes such policies far easier to follow and implement. Select hardware which is also backed by clear and straightforward administration software, and the prospect of safer data is easier to achieve.

John Michael, CEO, iStorage