Don’t Fumble Your Mobility Security: Lessons from Redskins Laptop Theft

Mobile Cyber Security Services

June 3, 2016


Secure Halo

The disclosure this week that the medical records of thousands of National Football League (NFL) players may have been exposed through the theft of a laptop and external hard drive serves as two reminders: mobility of data is an oft-overlooked but crucial issue in 21st century business, where employees take work anywhere; and any type of organization, not just those in the healthcare industry, can suffer the loss of protected health information (PHI).

According to the Verizon 2015 PHI Data Breach Report, lost and stolen assets top the list of the "nefarious nine" incident patterns that together account for 96% of the PHI breaches in the report's dataset. The NFL revealed this week that in April, a backpack containing electronic and paper files, 12 years' worth of records, was stolen when a thief smashed the window of a locked car rented by a Washington Redskins athletic trainer.

The NFL said the laptop was not encrypted. So far, it has not seen "evidence that the thief obtained access to any information on the computer that was stolen." That statement offers little comfort: an unencrypted drive can be pulled and read on another machine without ever booting the stolen laptop, so the absence of evidence on the device is not evidence that the data was left alone. Still, the NFL is directing all teams to use encrypted laptops, review the security of medical information they hold, and train employees on privacy and security.

Regardless of whether the theft was targeted or the stolen data is ever actually misused, the NFL security fumble serves as yet another reminder to constantly evaluate cybersecurity. Brendan Fitzpatrick, who leads Secure Halo Enterprise Security Assessments, offers some questions to ask.

1. Does your organization have an explicit written policy that all laptops have full hard drive encryption so that even if a laptop is lost or stolen and the hard drive is pulled out, it can’t be accessed through another machine?
2. Do you have a policy that deals with downloading certain types of information onto a laptop? For example, is it okay for unlimited PHI to be stored on a local laptop, or does the policy say that only PHI required for work in the field can be on a laptop? The Redskins laptop had 12 years of medical records on the drive.
3. Are all media that you’re using with your laptop (such as the Redskins zip drive) encrypted so that if the worst happens and it’s stolen or lost, the data is unavailable?
4. How strong are your passwords? Passwords should always be at least 10 characters long, should not contain names, and must incorporate a unique combination of uppercase, lowercase, numbers, and special characters.
5. Do your employees share passwords? If being shared by more than one person in an organization (and especially if used for public-facing purposes), credentials should be stored securely in a controlled area, and mature procedural controls should be in place that prohibit access to these accounts via mobile devices or from unsecured networks.
6. Does your organization provide communication and training around cyber policies to promote a cybersecurity culture from top to bottom? Do you enforce and check for understanding of the policies?
7. Do you employ multi-factor authentication to provide an additional layer of protection?
8. Are defense-in-depth perimeter and endpoint controls in place and is your organization consistent with the latest patching?
9. Does your organization conduct electronic monitoring only on the centralized system or do you have a Data Loss Prevention (DLP) solution on laptops, which would send an alert if information was taken from a lost or stolen device?
10. Does your management system allow administrators to remotely shut down or wipe a device such as a laptop?
11. Do laptops have an automatic VPN connection and if so, can it be turned off by administrators?
12. Does your remote login system have the capability to easily remove login access to prevent an unauthorized user logging in and further infiltrating the organization?
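Questions 1 and 3 are policy questions, but each has a technical check behind it that can be run on every laptop rather than taken on trust. As an added example (not part of the original post or Secure Halo's material), the Python script below parses the JSON that Linux `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM` prints and reports every mounted filesystem that is not sitting beneath a dm-crypt (LUKS) layer, flagging removable media separately. The two embedded `lsblk` outputs are constructed samples: one laptop with a LUKS-encrypted root and an unencrypted USB stick plugged in, one with a plaintext root like the stolen Redskins machine. The script name `fde_audit.py` and the device and mount names are assumptions.

```python
"""fde_audit.py: audit mounted filesystems for full-disk and removable-media
encryption from lsblk JSON output.

On a Linux laptop:  lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM | python3 fde_audit.py
Without piped input it audits the two constructed samples below.
"""
import json
import sys

# Constructed sample: LUKS-encrypted root, plaintext EFI partition, unencrypted USB stick.
SAMPLE_ENCRYPTED_ROOT = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "rm": false, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi", "rm": false},
    {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "rm": false, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/", "rm": false}]}]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "rm": true, "children": [
    {"name": "sdb1", "type": "part", "fstype": "exfat", "mountpoint": "/media/trainer/USB", "rm": true}]}
]}
"""

# Constructed sample: root filesystem on a plain partition, nothing encrypted at rest.
SAMPLE_PLAINTEXT_ROOT = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "rm": false, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi", "rm": false},
    {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/", "rm": false}]}
]}
"""

# Firmware and bootloader must read these before any key is available, so plaintext is expected.
BOOT_MOUNTS = {"/boot", "/boot/efi"}


def _is_removable(dev):
    # Newer lsblk emits JSON booleans for RM; older versions emit "0"/"1" strings.
    return dev.get("rm") in (True, 1, "1")


def audit_mounts(lsblk_json):
    """Return one record per mounted filesystem, noting whether it sits below a dm-crypt layer."""
    findings = []

    def walk(dev, under_crypt, removable):
        # An opened LUKS container appears as a child device of type "crypt";
        # every filesystem mounted beneath it is encrypted at rest.
        under_crypt = under_crypt or dev.get("type") == "crypt"
        removable = removable or _is_removable(dev)
        if dev.get("mountpoint"):
            findings.append({
                "device": dev["name"],
                "mountpoint": dev["mountpoint"],
                "encrypted": under_crypt,
                "removable": removable,
            })
        for child in dev.get("children", []):
            walk(child, under_crypt, removable)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False, False)
    return findings


def violations(findings):
    """Plaintext mounts other than the boot partitions: where stolen PHI would be readable."""
    return [f for f in findings if not f["encrypted"] and f["mountpoint"] not in BOOT_MOUNTS]


def report(lsblk_json):
    """Print each violation and return True only if the machine is clean."""
    bad = violations(audit_mounts(lsblk_json))
    for f in bad:
        kind = "removable media" if f["removable"] else "internal disk"
        print(f"UNENCRYPTED {kind}: {f['device']} mounted at {f['mountpoint']}")
    return not bad


if __name__ == "__main__":
    if not sys.stdin.isatty():
        results = [report(sys.stdin.read())]
    else:
        results = [report(s) for s in (SAMPLE_ENCRYPTED_ROOT, SAMPLE_PLAINTEXT_ROOT)]
    sys.exit(0 if all(results) else 1)
```

The check answers "is this data encrypted at rest," not "is the key protected": a LUKS volume unlocked by a weak passphrase, or a BitLocker volume whose protectors are suspended, still fails question 1 in practice. The macOS and Windows equivalents of the `lsblk` query are `fdesetup status` and `manage-bde -status` (or `Get-BitLockerVolume` in PowerShell); at fleet scale the same signal should come from the management system described in question 10 rather than from an operator running scripts by hand.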

That is a short list of cyber hygiene questions that cannot be repeated often enough. It is crucial to remember the multitude of non-technical ways in which cyber risk can be introduced into an enterprise environment. Faceless remote access attacks originating in foreign countries are not the only threat. An unencrypted laptop that is stolen or lost, a disgruntled employee, or gaps in physical security can lead to the exposure or theft of valuable information, regulatory fines, and negative brand impact.

The NFL is learning this difficult lesson. It is also a reminder for other organizations to mature their cybersecurity practices through a more holistic risk management approach. Mobility is one of six domains (the others being Data Security, Insider Threat, Physical Security, Internal Business Operations, and External Business Operations) that Secure Halo examines to identify vulnerabilities. An enterprise approach to cybersecurity can lead to a healthier risk posture and fewer data fumbles.
