• How Employee Monitoring Keeps Clinical Trial Data Secure

    by Patrick Knight | Aug 15, 2018

    Clinical trials are a crucial step in developing new life sciences products such as drugs and medical devices. All tests – whether with large or small groups of people – require medical and personal information from patients upfront, and then proceed to collect data throughout the process. Ultimately, research companies are responsible for large sets of sensitive data and securing that information should be a top priority.

    Why does clinical trial data need to be protected?

    To begin with, there are legal requirements for medical data security. All clinical trials collect medical histories and personal information from everyone in the study, and to protect participants from medical fraud, sponsors and sites are legally obligated to secure that information. HIPAA (where a covered entity is involved), the FDA’s regulations in Title 21 of the Code of Federal Regulations (including 21 CFR Part 11 on electronic records and signatures), and other regulations require the protection of sensitive medical records. Your group can be fined for violating these rules.

    From a PR perspective, strong data protection policies can protect your reputation. Potential participants are more likely to take part in a study if your organization is respected and shows a commitment to privacy. Additionally, it is in your business’s best interest to secure clinical trial data to protect your competitive advantage. If a competitor obtains your data, they may be able to use it to put a new drug or medical device on the market first, with less research cost on their end.

    Risks to clinical trial data

    Personal medical histories are highly sought after by hackers looking to turn a profit; medical records are often cited as being worth around ten times more than credit card numbers on criminal markets, largely because they cannot be cancelled and reissued. With personal medical information, criminals can forge IDs and documents, illegally acquire drugs, and collect on fraudulent insurance claims.

    Many clinical trial organizations rely on third-party services to provide materials, financial support, or data analytics. Every additional person or vendor who can access clinical trial data raises the insider threat risk. A large share of data breaches are caused by insiders – either with malicious intent or by mistake – and widening the circle of possible insiders through third-party services multiplies the need for data security.

    Malicious insiders look for ways to use company data for personal gain or to harm the organization. They may attempt to steal clinical trial records and sell them to a competitor, or take the records with them for future career advancement. They may also attempt to use the data to embarrass the company in some way. Accidental security breaches happen when employees open an email attachment carrying malware or fail to follow security protocol (such as leaving an electronic health record open on an unattended monitor).

    Clinical trial data security tools

    The Society for Clinical Data Management has published a popular whitepaper Good Clinical Data Management Practices that your organization should review and discuss ways to implement. In addition, you should be in compliance with all data security laws and regulations.

    To further secure clinical trial data, consider deploying employee monitoring software. With this tool, you can track user activity to make sure only approved employees are accessing sensitive information, and that their behavior is normal for the task. For example, employee monitoring software can detect actions such as copying a data set to a removable USB drive or a personal cloud account, which could signal theft. With so much on the line – fines, reputation, sales, participant safety – and so many insider threats, employee monitoring software is an effective and efficient way to make sure your data is being handled appropriately and securely.

  • Cyber Incident Reporting Compliance for Federal Contractors

    by Patrick Knight | Aug 08, 2018

    We recently discussed data security requirements for federal contractors and now we are doing a deeper dive into one of the trickier compliance factors: reporting cyber incidents.

    What is a cyber incident?

    Federal contractors use and have access to sensitive government data, and as such it is their duty to manage that information responsibly. Data security rules changed in the last year to more tightly protect those materials. Defense contractors that handle covered defense information are now required, under DFARS clause 252.204-7012, to rapidly report cyber incidents to the Department of Defense.

    The DoD defines a cyber incident as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” Even if the covered defense information itself wasn’t touched, any breach of a covered contractor information system must be reported so the DoD can assess the risk to its information.

    Reporting requirements

    If you experience a cyber incident as defined above, federal regulation mandates you to report it “rapidly” – defined as within 72 hours of discovery of the incident – through the DoD’s DIBNet portal, which requires a DoD-approved medium assurance certificate, so obtain that certificate before you need it. Additionally, you need to “conduct a review for evidence of compromise of covered defense information,” including identifying compromised computers, servers, and user accounts, as well as identifying exactly which data was affected.

    For federal contractors, a compromise is defined as “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.” Note the wording “may have occurred”: you are required to file a report even if there is only evidence suggesting an attack might have happened. Those attacks can come through an insider to your organization or an outside hacker, whether with malicious intent or through error.

    Cyber Incident Prevention + Response

    With the complexity of this industry, it is almost inevitable that contractors will experience a cyber incident at some point. Investing in data security tools and creating a response plan are vital elements to any contractor’s business plan. With sensitive data, it is your responsibility to monitor that information for evidence of network attack.

    Monitoring software, such as technology created by Veriato, tracks user activity to make sure your data isn’t being accessed by someone who shouldn’t have it, or in a suspicious way. If any behavior is flagged, you can access a factual, comprehensive record of the incident to understand what happened and prevent future breaches. That same record gives you the detail the DoD report requires – which systems, accounts and data were involved – rather than a guess made under a deadline.

    Investing in monitoring software as part of your security plan will improve your data protection and help with cyber incident reporting compliance, because you’ll have a better situational assessment within the 72-hour window.

  • Data Security Requirements for Federal Contractors

    by Patrick Knight | Aug 03, 2018

    Approaching data security requirements for federal contractors

    Federal contractors are private entities that fulfill governmental needs. As such, they are trusted with sensitive, private federal information which makes them obvious targets for cyber attacks. The government has recently ramped up data security requirements for federal contractors, demanding more software, hardware and accountability from them.

    Recent changes in data security requirements for federal contractors

    Data security requirements for federal contractors are complicated and stringent. NIST SP 800-53, the Security and Privacy Controls catalog for federal information systems, runs to 462 pages, and the contractor-facing NIST SP 800-171 distills it into 110 specific security requirements across 14 families – and that’s not to mention various supplementary compliance publications. DFARS 252.204-7012 required Department of Defense contractors to implement NIST SP 800-171 by December 31, 2017, so from 2018 on compliance is expected. You should have legal counsel and security experts to help you manage compliance, but here’s an overview of a few of the government’s recent data protection requirements:

    • Insider threat detection: NIST SP 800-171 requirement 3.2.3 requires contractors to train staff on recognizing and reporting potential indicators of insider threat. It’s a given that employees pose a serious risk to federal information, so contractors must provide that training, and many go further by deploying software to detect and assess insider risk.
    • Encrypt high level data sets: Until recently, many contractors didn’t have an effective classification system for their information. NIST SP 800-171 applies to controlled unclassified information (CUI), so you first have to know where your CUI lives; the requirements then call for protecting the confidentiality of CUI at rest (3.13.16), encrypting CUI on mobile devices (3.1.19), and using FIPS-validated cryptography wherever cryptography protects CUI confidentiality (3.13.11). Expect to show an assessor which data was identified as CUI and how it is encrypted.
    • Report cyber incidents: Organizations working on behalf of the Department of Defense are required to rapidly report all cyber incidents directly to the DoD. The report is accompanied by any malicious software discovered (submitted to the DoD Cyber Crime Center), and images of affected systems and relevant monitoring data must be preserved for at least 90 days in case the DoD requests them. Reports are required for any compromise of a covered system – not just the contract data – to help the DoD gauge overall risk to its information.
    • Access control policy: Contractors are also required to implement access control (requirements 3.1.1 and 3.1.2) and least privilege (3.1.5). Users should be restricted from accessing sensitive data unless it directly relates to their job. Set up alerts to be notified when those access controls are violated, and investigate immediately.
    • Monitor users: Contractors are required to generate and review audit logs (the 3.3.x requirements) and to monitor their systems to detect attacks and identify unauthorized use (3.14.6 and 3.14.7). The regulation does not mandate a particular product, but user activity monitoring software is a practical way to meet these requirements: it identifies suspicious user activity, detects unauthorized access, and can capture screen recordings to give a full picture of a suspicious incident. It complements, rather than replaces, the separate multi-factor authentication (3.5.3) and encryption requirements. Monitoring can detect risk early and alert management to intervene; some tools can also automatically suspend access to contain an incident.

    Veriato provides government-compliant monitoring software that can help you meet requirements and create a secure workforce.

    Growing threats to data security

    As technology advances so do the threats to it. More complex information systems can be more secure – but they also provide more points of risk that insider threats and hackers can try to exploit. More government contracts and contractors widen the risk even further. As the Internet of Things is embraced by contractors, those attack points multiply: phones, tablets, watches and smart speakers can all become sources of risk to sensitive government information. Additionally, escalating global conflicts mean more parties are interested in harming the government or the citizens whose data is in the custody of contractors.

    The Department of Defense and National Institute of Standards and Technology are constantly assessing risk of information through federal contractors. As technology becomes more intricate, contractors can expect more regulations and requirements to roll out when it comes to information security compliance.

    Assessing Risk

    The latest government regulations help contractors understand how to identify the risks posed to sensitive information. These organizations are held to a high security standard to protect not only the government, but also the citizens. Data security should be more than checking boxes every so often; it should be a way of operating a business. If federal contractors approach data security from a position of mitigating and managing risk, compliance will most likely follow.

  • How Technology Protects Against Wrongful Termination Claims

    by Dominique Cultrera | Jul 05, 2018

    Using technology to protect your company from wrongful termination claims

    What is wrongful termination?

    Wrongful termination is a situation in which an employee is let go for illegal reasons or the organization violates its own policy or the employment contract during the firing. Most employment relationships are at-will, meaning the organization doesn’t need a specific reason to let an employee go. However, there are protected cases in which termination is unlawful. Discrimination on the basis of a protected characteristic – race, national origin, gender, age, religion or disability, for example – or retaliation for a protected activity such as whistleblowing is grounds for a wrongful termination suit.

    How technology can help

    Employee monitoring software can provide data to defend against wrongful termination claims. When an employee is terminated for cause, employee monitoring software may help serve as proof of the reason for termination. For example, it can track time spent on applications to demonstrate lack of effort or low productivity. Having data to back up a reason can keep a highly emotional situation more objective and less personal.

    Data collected by employee monitoring software not only supports cases for termination, but can also detect them. The software alerts you when employee activity becomes suspicious or dangerous. At that point you can conduct an investigation, and correct the behavior or terminate the employee. Employee monitoring software provides concrete evidence for a termination, versus speculation or opinion.

    After an employee is terminated, employee monitoring software can help protect your organization’s proprietary information. Many employees take intellectual property with them when they leave – whether because they feel ownership of the information or because they have hostile plans (such as damaging the company or using the data to further their careers elsewhere). Employee monitoring software records what data an employee accesses and what he or she does with it, and lets you know if that information is copied to a cloud service or external drive. You can then confront the employee and regain control of the data.

    Due Diligence

    • Keep records: The best way to prevent wrongful termination claims is to be an attentive manager throughout the employment. Keep records of employees’ performance – but make sure that documentation is standard for all employees. If your organization’s record keeping is selective, it could raise a wrongful termination claim for discrimination.
    • Check up with employees: Establish the practice of frequent meetings with employees – maybe even more than the annual review – to get an idea of their feelings about the workplace. These meetings may provide a way for employees to bring up any discrimination or harassment they might be facing. The organization can take steps to fix the problem, and those steps may serve as defense should a harassment or discrimination claim arise. Additionally, if the employee doesn’t bring up any such issues, the organization can use this lack of evidence for protection against wrongful termination claims.
    • Monitor data records: Make sure your employee monitoring software controls are configured appropriately. Though you don’t want to handle that data too much (to maintain as much privacy as possible), it is important to have a review process in place. Updating permissions and reviewing any flagged behavior will help you stay in the know when it comes to your employees. By regularly reviewing data records, you can manage your workforce and protect your network.

    Though most employment is at-will, all organizations can take steps to protect against wrongful termination claims. Employee monitoring software helps defend and prevent those claims, as well as protect corporate data. Take advantage of technology to help keep your work environment safe and secure.

  • Data Security Considerations for Your Work From Home Policy

    by Patrick Knight | Jul 03, 2018

    Incorporating data security in your work from home policy

    Work from home policies have soared in popularity among both employees and employers for a variety of reasons. Your task as an organization is finding a way to provide that benefit to your employees without compromising your data security.

    What’s the problem with working from home?

    There are many benefits to working from home – including some big ones like employee morale and productivity. In addition, employees generally appreciate the improved work/life balance and employers like that it removes distractions and conserves office resources.

    Unfortunately, working from home can pose some serious security risks that must be considered in your organization’s work from home policy. In a modern workforce, the Internet of Things (IoT) is growing in popularity, and internet-enabled devices that collect and act upon data create a real liability when it comes to data security. While smartphones, tablets, laptops, wireless headphones and smart speakers can make jobs easier, they also enlarge the network attack surface. More devices mean more security risks.

    Remote access also raises the issue of unsecured networks. If employees are using unsecured networks to access corporate data, they put that information at risk. Additionally, when employees work from home, organizations have no control over the physical security of the devices. In a less formal setting – like at home vs. in the office – people are more likely to observe a lower level of security precautions. They may leave their computers unattended, or leave desk drawers unlocked. These simple behaviors create a security risk – even if your employees don’t realize it.

    Data security measures and considerations for your work from home policy

    • Configure devices: If you provide hardware to your employees, it’s probably already set up on the security front. But if your employees are using any of their personal devices to access work information, establish security standards and require IT to configure all personal devices to those standards as part of your work from home policy.
    • Set up a VPN: This is a key step to a successful work from home policy. A Virtual Private Network lets your employees reach your internal network remotely over an encrypted, authenticated tunnel, so traffic crossing home or public Wi-Fi cannot be read or tampered with. A VPN does not protect a compromised endpoint, so pair it with the device controls above, configure access permissions so the tunnel grants only what a role needs, and require multi-factor authentication for VPN logins. It’s also a good idea to require the use of the VPN while accessing sensitive data rather than allowing offline copies.
    • Approve applications: Make a list of approved applications your employees are allowed to use for collaboration and saving data. Communicate that list to them as part of your work from home policy.
    • Set up device and physical security policies: Require a password, two-factor authentication, an auto-lock feature, and full-disk encryption so a laptop lost or stolen from a home or car does not become a data breach.
    • Educate employees: Explain both your work from home data security policy as well as the reasoning and considerations behind it. If employees understand the risk, they are more likely to comply with best security practices. Reiterate that working from home is a privilege – but it can’t be offered at the expense of information security.
    • Implement employee monitoring software: Even the most security-educated employees can inadvertently put data at risk, and insider actions are consistently among the leading causes of data breaches. Employee monitoring software as a part of your work from home policy will catalog activity, help prevent and detect threats, and help you respond to risks as quickly and efficiently as possible. Tracking user activity on remote devices allows you to offer the benefits of working from home with the knowledge that your security risks are being actively managed.

    Offering remote work benefits can help attract and retain employees. Keep that perk working for everyone by building data security into your work from home policy.

  • The Severity of Cyber security Threats

    by Veriato | May 09, 2018

    Across every major news outlet the topics of cyber security threats and data privacy are impossible to miss. From multinational companies being relieved of millions of credit card numbers, to foreign hacking, to the selling of user data via social media, digital security is clearly more important than ever. Threats are being realized by vulnerable organizations large and small. The fallout of these breaches has also been widespread and includes everything from lasting negative impact on stock prices to loss of customers and even complete loss of consumer trust. The threat of outside hacking is high, but organizations would be remiss not to make efforts to detect cyber security threats from insiders as well.

    Carelessness, negligence, or compromised credentials inside an organization account for more than half of insider security incidents, compared with malicious intent. In fact, the most common cause of data breaches, by far, is accidental exposure by employees. Cyber security experts note that phishing has become the largest vulnerability when it comes to an organization’s digital security. Phishing attacks trick employees into handing over credentials or sensitive company information, or into opening malware, and can lead to catastrophic damage.

    Fallout, detection & prevention

    But how does one detect a cyber security threat from an insider exactly? It’s not an easy process – in fact, relying solely on human detection and intervention is archaic in today’s digital world. It’s far too easy for an employee to move information from an organization’s network to USB drives, cloud storage, or their own personal devices. It’s also possible that an employee simply forgot to log out, or logged in from an unsecured network, or took any of a multitude of other seemingly innocuous actions that could bring an entire organization to its knees.

    In recent cases, organizations that have knowingly failed to take preventative action against cyber security threats have found themselves in severe legal troubles, leading to a multitude of damages both financial and of reputation.

    Luckily there are tools available to assist in the detection, some smart enough to preemptively identify higher threat risks before they become a problem. When searching, make sure to look for a security tool that offers actionable intelligence into the activities and behaviors of users. As more and more information finds itself in a digital format, it's imperative to find the right software to detect and prevent insider threats.

  • Best practices for securing your data when terminating an employee

    by Veriato | May 02, 2018

    When and where to start

    Best practices for securing your data when terminating an employee actually start with the initial onboarding process. Every established organization looking to scale should consult legal counsel after first having drafted an employee handbook. Once created, every employee should be provided an employee handbook outlining the acceptable use policy related to any and all corporate IT resources. It is also imperative (and often overlooked) to have the employee handbook updated periodically as technology and employee responsibilities advance.

    Establishing and tracking risk within each department is also a key factor in setting up best practices for data & intellectual property (IP) security within the context of employee conduct in our digital world — this framework also proves itself useful if and when it comes time for terminating an employee. Each position within the company should have an assigned insider threat risk level, with a sufficient amount of activity monitoring within reason. Certain job categories require more active review than others, and it’s up to the organization to determine its own best practices for data & IP security based on information sensitivity.

    What to watch out for

    While the act of securing your data when terminating an employee may seem fairly straightforward, challenges do exist. For example, most US employers operate under an Employment At Will policy. Essentially, Employment At Will refers to the employee’s right to terminate his or her own employment relationship with the organization at any time and for any reason that he or she sees fit. This also means, however, that the organization has the right to terminate the employment of any employee at any time for any lawful reason. The employment relationship between the organization and its employees is At Will (the exception being employment covered by a contract). Regardless of the reasons for departure, employers often find themselves with limited time to thoroughly secure valuable data and intellectual property.

    Whether an employee resigns, or employment is terminated for cause, Human Resources should be notified and a thorough exit interview should be conducted as soon as possible. Share feedback with employees to ensure you are on the same page so the employee will not be surprised. An organization does not want the employee feeling that they have been discriminated against or terminated without valid reason — this could lead to retaliatory actions by the employee and could potentially put your IP at risk.

    Emotional awareness during the exit interview process is key. Be mindful of cues that could signal larger issues within the company. An employee openly discussing their unhappiness with management or company policies can indicate a potential insider threat. Many employees feel a sense of entitlement to company IP they helped to create, and recent surveys show as many as 42% of employees have taken an employer’s corporate information when switching jobs – proving just how important securing your data when terminating an employee truly is.

    Keeping your house in order

    It’s easier than ever for employees to move IP from a network to USB drives, cloud storage, or their own personal devices. Be exceedingly clear that employees are expected to return and destroy any copies of the organization’s intellectual property they may still have. Regardless of what gave rise to the employee’s departure, activity monitoring is a vital component of securing your data when terminating an employee to ensure the safeguarding of corporate intellectual property.

    Deployment of activity monitoring allows an organization to review digital goings-on for as long as necessary. If an employee tenders a resignation, an active and intelligent monitoring tool allows the collecting and archiving of digital activity from that point until the last day, and helps analyze it. Additionally, consideration should be given to monitoring those closely associated with the departing employee for a period of time, since a departure can be coordinated, while keeping that monitoring within the transparent, policy-based limits your employee handbook already sets out.

    In the event that legal proceedings are necessary, properly recorded, organized, and cataloged digital evidence can help an attorney build a strong case. More than three quarters of cases that contain comprehensive digital evidence are settled faster and with far better results.

  • Employee Monitoring Ethics | Ethically Monitoring Employees

    by Larry Thompson - President, Veriato | Apr 19, 2018

    All employers want to create a workplace where employees feel safe, valued, and trusted. We know that work satisfaction breeds life satisfaction, and generates more productivity and engagement among employees.

    As leaders, we naturally question the ethicality of any system involving data and privacy, because we want to make sure our workforce feels protected and trusted. When it comes to employee monitoring, the practice can sound much more sinister than it actually is.

    Ethical vs. Legal

    First of all, ethicality is different than legality. Each state and country has different monitoring and privacy laws and regulations, which need to be observed. Talk with your legal team about considerations to keep in mind when it comes to instituting an information security policy.

    Right vs. Responsibility

    Organizations have a right to protect their data – and a right to use appropriate measures to do so. Beyond that, organizations have a responsibility to their employees, shareholders, and customers to keep that information secure. A secure system means employee information, customer records and data, and proprietary information are all safeguarded from threats. Additionally, this security protects an organization’s reputation and bottom line. To effectively provide a sufficient level of security, some level of employee monitoring is necessary in this digital day and age.

    Employee Monitoring Best Practices

    Monitoring employees should be done with clear parameters and accountability to maximize privacy. We suggest the following best practices for employee monitoring:

    • Transparency: Tell your employees they’re being monitored. Make it clear that what happens on corporate assets, including devices and networks, is subject to monitoring.
    • Keep it professional: Only monitor corporate data. Don’t monitor personal material such as social media or online banking access.
    • Minimize exposure: Don’t make data collected from monitoring widely available. Restrict that access to only those who need to review it.
    • Monitor broadly: Don’t single any person out. Monitor your whole employee base to make sure you cover all possible threats and avoid any discrimination or favoritism.
    • Use behavioral analytics: Behavioral analytics software reduces human subjectivity in monitoring. It collects activity data, compares it against each user’s established baseline, and determines whether there is a potential threat. If so, the technology alerts security personnel that a review may be necessary. With this protocol, people are in contact with the raw data as little as possible, and only when it’s necessary for security reasons, which maximizes privacy. Analytics are not infallible, so tune thresholds and treat alerts as the start of a review rather than a verdict.

    Employee monitoring is an effective way to protect your organization’s important data, which is a huge benefit to your employees. By following these suggested best practices, your organization can experience greater information security, ethically.

  • The Benefits of Starting A User Activity Monitoring System

    by Veriato | Apr 18, 2018

    Benefits of User Activity Monitoring

    If you’re on the fence about starting a user activity monitoring system across devices or networks, you’re probably wondering if it’s worth the investment, or if you should just be more trusting of your employees. After all, you don’t want them to feel like they’re being micro-managed or taint their opinion of management.

    The truth is, effective employee monitoring, or user activity monitoring (UAM) improves productivity and network security, provides an understanding of user behavior, allows for accurate billing, and brings issues to light.

    Make workers more productive

    Deploying UAM software can boost employee performance. Just knowing they are being monitored can positively affect your employees’ online activity. Maybe they’re not intentionally wasting time on non-work-related internet searches, and just being aware that someone can see their activity will make them think twice about their browsing activity.

    Additionally, it allows leadership to get an accurate picture of processes and make suggestions for improvement. UAM provides concrete data on user activity, rather than subjective opinion, to help with effective decision-making.

    Mitigate insider threats

    A strong firewall and secure network can keep hackers out – but what if they’re already in? UAM can help you detect insider threats to your sensitive data. The average organization experiences 4 insider leaks each year, costing $16.3 million annually – which is 12 times more than the cost of external attacks.

    With so much interaction (people, devices, systems) with sensitive data, your users are a huge liability. Though 87 percent of insider leaks are unintentional, such as clicking on a malware link or attaching the wrong file, the threat remains. User activity monitoring allows organizations to catch dangerous activity before a leak, or at least in time to minimize the damage.

    Establish a behavior baseline

    Nobody is completely productive 100% of the time at work. People take breaks, and most have some non-work matters to deal with occasionally during the workday. User activity monitoring lets employers establish a baseline of user behavior so they know what is reasonable to expect when it comes to their employees’ internet usage.

    With a baseline, leaders can approach those who are abusing internet access and work to find a fix. On an individual basis, if a certain user’s behavior changes drastically, this could be a warning sign, and UAM software can alert IT to investigate further.

    Plus, understanding what your employees do online helps you better understand them. You can communicate expectations, and even partner with HR to make sure benefits packages are in line with things that are important to workers.
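    As an added illustration of the baseline-and-deviation idea described above (example code, not Veriato’s product), the Python below builds a per-user baseline from a constructed activity log and flags a drastic change for one user while treating the same count as normal for another. The metric (documents opened per workday) and the alert thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed sample activity log: (user, workday, documents opened).
# Five baseline days per user; the counts are invented for illustration.
ACTIVITY_LOG: List[Tuple[str, str, int]] = [
    ("alice", "2018-04-02", 40), ("alice", "2018-04-03", 44),
    ("alice", "2018-04-04", 38), ("alice", "2018-04-05", 41),
    ("alice", "2018-04-06", 39),
    ("bob", "2018-04-02", 12), ("bob", "2018-04-03", 15),
    ("bob", "2018-04-04", 10), ("bob", "2018-04-05", 14),
    ("bob", "2018-04-06", 13),
]

# Constructed "new day" observations to score against the baseline.
# Note the same count (45) for alice and bob, and a user with no history.
NEW_DAY: List[Tuple[str, str, int]] = [
    ("alice", "2018-04-09", 45),
    ("bob", "2018-04-09", 45),
    ("carol", "2018-04-09", 5),
]

MIN_BASELINE_DAYS = 5   # assumption: do not judge a user with too little history
Z_THRESHOLD = 3.0       # assumption: alert beyond three standard deviations
MIN_ABS_DELTA = 10      # assumption: also require a material change in count

# user -> (mean, population stdev, number of baseline days)
Baseline = Dict[str, Tuple[float, float, int]]


def build_baseline(log: List[Tuple[str, str, int]]) -> Baseline:
    """Summarise each user's own history; every user gets their own normal."""
    per_user: Dict[str, List[int]] = defaultdict(list)
    for user, _day, count in log:
        per_user[user].append(count)
    return {u: (mean(c), pstdev(c), len(c)) for u, c in per_user.items()}


def evaluate(user: str, count: int, baseline: Baseline) -> Tuple[str, Optional[float]]:
    """Compare one observation with the user's baseline.

    Returns (verdict, z_score); verdict is 'no_baseline', 'normal' or 'alert'.
    """
    if user not in baseline or baseline[user][2] < MIN_BASELINE_DAYS:
        return ("no_baseline", None)
    mu, sigma, _days = baseline[user]
    sigma = max(sigma, 1.0)  # floor so a perfectly flat history still gives a finite z
    z = (count - mu) / sigma
    # Both tests must hold: statistically unusual AND a meaningful absolute change,
    # so a very tight baseline does not page IT over a handful of extra documents.
    if abs(z) >= Z_THRESHOLD and abs(count - mu) >= MIN_ABS_DELTA:
        return ("alert", z)
    return ("normal", z)


def scan(observations: List[Tuple[str, str, int]], baseline: Baseline) -> List[Tuple[str, int, float]]:
    """Return the alerts for a batch of observations as (user, count, z)."""
    alerts = []
    for user, _day, count in observations:
        verdict, z = evaluate(user, count, baseline)
        if verdict == "alert" and z is not None:
            alerts.append((user, count, round(z, 1)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(ACTIVITY_LOG)
    for user, (mu, sigma, days) in base.items():
        print(f"{user}: mean={mu:.1f} stdev={sigma:.2f} days={days}")
    for user, _day, count in NEW_DAY:
        print(user, count, evaluate(user, count, base))
    print("alerts:", scan(NEW_DAY, base))
```

    The same count of 45 documents is routine for alice (about 2.2 standard deviations above her mean of 40.4) but far outside bob's baseline of 12.8, which is exactly why the baseline must be per user rather than a single company-wide number.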

    Accurate billing

    If you know conclusively where your employees’ time is being spent, you can bill your clients with improved accuracy. If a client questions the invoice, organizations will have data from a UAM system to support the bill. This ensures both parties are getting fair treatment – your organization isn’t accidentally under-billing, and the client is confident the charge is valid. It also protects your reputation and your bottom line.

    Spotlight issues

    Our research shows that user activity monitoring software can reveal serious problems within your organization. 20% of users surveyed said the UAM software they deployed revealed sexual harassment issues among employees, and 5% said drug abuse issues were brought to light. In these situations, monitoring actually protects employees, because an organization can quickly address the dangerous issues. Some issues may never surface to HR, but with user activity monitoring, the problems can be quickly resolved.

    Additionally, 11% of surveyed organizations said user activity monitoring made them aware of underutilized software. Knowledge like this can lead to a change in employee education to focus on program basics, or can lead to adjustments in software spending to help the bottom line.

    Boost your business

    With so much freedom network access brings and so much sensitive data at stake, employee monitoring is becoming a necessity for the modern business. You can protect your assets, improve your business, and understand your employees better by investing in user activity monitoring software.

  • GDPR Mandates Immediate Data Breach Reporting

    by Veriato | Apr 12, 2018

    GDPR Article 33: 72 Hours Is Not a Lot of Time

    According to the EU General Data Protection Regulation (GDPR) which goes into full effect May 2018, “...as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours…”. Failure to do so may result in severe financial penalty — not to mention potential damage to reputation. GDPR mandates that notification must be given when a breach is likely to “result in a risk for the rights and freedoms of individuals”. This means immediate data breach reporting to the proper authorities for any chance of a personal data breach within the allotted 72-hour time frame.

    Prepared for Immediate Data Breach Reporting?

    These new regulations apply to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. Time is of the essence when it comes to reporting any misuse or breach of personal data security.

    With the ever-increasing speed of technology, it’s more important than ever to properly and swiftly identify and mitigate the risk of any data breach. Organisations must become adept at identifying the potential risk of a breach, detecting actual breaches, and defining the nature of a breach, as well as providing activity detail should a breach occur. Discover how the right technology can help with breach detection and potential breach activity, as well as provide the activity detail your organization needs to stay GDPR compliant.

  • General Data Protection Regulation Compliance Objectives

    by Veriato | Apr 09, 2018

    May 25th 2018 is coming fast. Do you have the audit detail necessary to meet General Data Protection Regulation compliance objectives?

    The EU General Data Protection Regulation (GDPR) is the most significant regulation regarding data privacy in over 20 years. Starting May of 2018 the new GDPR will be fully in effect and General Data Protection Regulations compliance will be strictly enforced for the good of all EU citizens. At its core, General Data Protection Regulation compliance is simply about protecting the personal data of EU citizens that is necessary and appropriate to collect.

    Currently, EU privacy laws apply only to organizations located within the EU; under the GDPR they will also apply to organizations located outside the EU. This is possibly the largest and most radical change when compared to the previous privacy regulations. All rules concerning General Data Protection Regulation compliance will now extend to organisations offering goods or services to, or monitoring the behaviour of, EU data subjects – meaning that the regulation applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Additionally, non-EU businesses processing the data of EU citizens may have to appoint a representative in the EU.

    Under the new GDPR rules, organisations in breach of General Data Protection Regulation compliance can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). It is important to note that these rules apply to not only controllers but to processors as well. This means that 'clouds' or cloud-based organisations are not exempt from GDPR rules or enforcement. Each Member State will have the same effective powers, including powers of investigation, corrective powers and sanctions, as well as advisory powers, particularly in cases involving complaints from citizens, and under Member State law, will also have the power to bring any and all GDPR infringements to the attention of the judicial authorities and engage in legal proceedings.

    How to Generate General Data Protection Regulation Compliance

    The right monitoring software should easily keep organizations of all sizes compliant with GDPR rules and obligations. It’s important to ensure safeguards are in place, demonstrate in real time that access to data is appropriate, and provide context should a breach occur.

    Learn more about the new changes and the best technology to ensure General Data Protection Regulation compliance.

  • The Growth of AI and Employee Monitoring In the Workplace

    by Mike Tierney | Apr 03, 2018

    Recently the Economist published two articles that discussed the increasing use of AI and employee monitoring in the workplace. 

    Veriato is pleased that we were referenced in both of these articles.  We feel they did a good job of presenting a balanced view of the benefits both AI and employee monitoring offer, as well as the potential downsides if they are not implemented and used wisely. 

    In the case of AI, there is a great deal of hype at present, which can lead some to give in to the temptation to rush a deployment.  Organizations should be very clear about their goals for any technology and be deliberate in ensuring that they are aligning its power to those goals. 

    In the article published on 28 March, the author gives some great examples of how employing AI can enhance organizational capabilities in areas of hiring, productivity, worker safety, and management (yes, even management is getting AI’ed – it isn’t just the proverbial little guy). 

    A key takeaway from all this is to remember that we are dealing with people.  Humans have bad days, make mistakes, and sometimes complain.  But, without a doubt, it is people that make great organizations great.  We must keep the human element involved in interpreting data produced by AI, and in determining how to act on it. 

    In the case of employee monitoring software, a more established technology, organizations should be transparent with their people about what data is being collected or generated and how it is used. Their benefits include increased productivity through improved investigations and the prevention of both insider and external theft of company assets.  Here again, the goal should dictate how the technology is utilized. 

    Transparency does not mean employers need to disclose exact methods. But going beyond the letter of the law and communicating intention is simply a best practice.  Once again, we are talking about people. 

    We should not seek to replace human decision making when it comes to employment offers, worker assessments, investigations, and the like.  We can and should seek to present additional sources of information to enable better human decision making.  In the same article referenced above, the author correctly points to Veriato as a firm that can capture, report, and alert on all activity occurring on an employee’s computer.  We have been providing benefits to organizations through this capability for 20 years, in more than 100 countries around the world.  And we consistently work to ensure our tools provide mechanisms to protect privacy, despite the seeming continuity our customers experience.  The author suggests that as voice-enabled speakers become more commonplace, employee monitoring could extend to listen in on conversations occurring in the workplace.  It is possible that some company may try and go down that path.  Veriato won’t.  And I believe that any organization that does move in this direction is in for some deservedly uncomfortable legal discussions. 


  • Internet of Things security practices for your business

    by Patrick Knight | Mar 22, 2018

    Wearables, smart speakers, remote security systems, connected cars, inventory trackers, smart headphones: these are just a handful of the connected devices in modern workplaces. The Internet of Things (IoT), or internet-enabled devices that collect and act upon data, is becoming more popular with ever-increasing applications. Far beyond a smart coffee pot that automatically gets the brew going to start the workday, the Internet of Things is changing business security and vulnerability in a big way.

    So, what’s the problem?

    IoT improves productivity, enables employees to work more effectively from home… and causes serious security concerns. Gartner projects there will be 20.4 billion IoT devices in use by 2020. With so many connected devices, the network attack surface is much larger and harder to secure.

    Smart devices are designed to connect immediately, and were built with ease of use, not security, as the priority. When employees utilize smart devices via company networks or connect devices storing company data to other networks, that information is at risk. There’s not much regulation demanding security of IoT devices, and companies have a hard time establishing their own protocols fast enough to keep up with the adoption of connected tech.

    What can I do about it?

    First, you need to prioritize the establishment of some device security guidelines. If employees haven’t cleared all the devices they use for work with IT, start there. Then, determine which security measures you will require, and help your employees set them up across all devices. Make sure your employees know who owns the data on their tech. Set up standards for downloading and storing information. For example, you may want to restrict access to sensitive information by preventing offline access or only allowing access while connected to the secure corporate network.

    You also need to restrict permissions by user and by device. Determine who should be able to access which information and who should be able to manipulate it – and from which devices. Then set up network parameters accordingly.

    With so many access points across so many devices and networks, relying on your human capital to implement security measures is just not sufficient. As IoT expands, the need for security software increases. Investing in a security program(s) to monitor user activity and devices vastly improves a company’s cybersecurity. Businesses can rely on such software to enforce company network regulations, detect suspicious activity, and discover IT weak spots. Doing so will allow businesses to take full advantage of the possibilities that come with IoT without compromising data security.

  • 5 employee cyber security training questions you need to ask

    by Patrick Knight | Mar 15, 2018

    Chances are your organization already addresses cyber security to some extent in new employee onboarding. Whether that’s traditional training videos on cyber security that employees watch on their own time, presentations by IT, or brochures, most employees know that their companies have cyber security protocol and best practices. But how many of your employees actually know what the protocol and practices are?

    In 2016, the average cost of a data breach was $3.62 million. And according to a study by the Ponemon Institute, careless workers are the leading cause of data breaches in small and medium-sized businesses. If you want to improve your business’s cyber security, it’s time to get serious about employee education and cyber security training. You can start by asking these questions about your employees’ training:

    1. Is your information relevant?
      Everyone should be familiar with the basics of cyber security, but not all employees need a complete cyber security education. HR professionals, for example, generally have access to sensitive data such as social security numbers and bank numbers, so they will need special training on how to safely handle that information. But to a new marketing team member who can’t even access those SSNs – that security training wouldn’t be applicable. Tailoring your cyber security education to specific jobs will help your employees stay engaged throughout the training – and hopefully remember and implement what was covered.
    2. Is your information understandable?
      The cyber security world is chock-full of jargon. To the average employee the words “Ransomware,” “DDoS,” “patch” and “worm” just don’t have any context when it comes to their job. Not only will they not understand you if you launch into cyber-speak, they might feel unintelligent, and just tune you out. Speak their language, not yours. A Forbes article also suggests keeping your cyber security training short; try a few quick 10-minute sessions instead of an hour-long training. If you break the training up, it will be easier to digest and remember.
    3. Have you told them WHAT TO DO with this information?
      The basics of cyber security are great, but make sure you are sharing how to implement the security measures. Do you want employees to go change their passwords? Tell them some good rules of thumb for creating strong ones. Do you want everyone to update software? Tell them about auto-updates and show them how they can set it up. Giving employees action items turns cyber security from an abstract idea into a goal they can work to achieve.
    4. Do your employees understand why it’s important?
      You know how costly security breaches can be. You know the consequences of employee negligence. So tell your employees. If they see how simple steps to improve their security can impact business operations, they’re more likely to take those steps. All of us are more likely to do something if we understand why we are supposed to be doing it. It won’t bring about 100% compliance, but it will help your employees to know you aren’t making demands just to make their lives more complicated – you’re asking for help in making a real difference in the business.
    5. Have you covered the basics?
      Everybody could use a refresher on the fundamental rules of cyber security. Even if a few employees do roll their eyes, chances are some of them have been using the same password for years – so they really should be hearing it again. In an interview with Fortune, the CEO of the Computing Technology Industry Association said, “Behavior changes really only happen through repetition, follow-up, and emphasis. It takes a long time to instill new habits.”

    If we want to mitigate our employees’ risk, then we need to get serious about how we educate them about information security. If we honestly evaluate our cyber security training methods, we could probably all make some improvements. And that could make a real difference.

  • Why Zero Trust Is Not As Bad As It Sounds

    by Patrick Knight | Mar 01, 2018

    What is Zero Trust?
    “Zero Trust” refers to a network security strategy that calls for all users – internal and external – to be authenticated before gaining access to the network. Zero Trust means organizations never implicitly trust anyone with their sensitive data. Instead of using a blanket network perimeter, Zero Trust networks implement a series of micro-perimeters around data so only users with clearance to access certain data points can get to them.

    It essentially makes sure that users are given the least amount of access possible to still achieve what they need and are supposed to. Zero Trust also means logging all traffic, internal and external, to look for suspicious activity and weak points.

    Why are companies adopting Zero Trust?
    Security breaches are getting more common and more expensive – despite increased security budgets. Zero Trust is more than a software platform; it’s an attitude about users and data. Rather than trusting internal network users and focusing on external hackers, organizations are wising up to the reality of malicious insiders and the need to play it safe by protecting information from all users.

    Security strategies are becoming an important part of the business conversation, and new measures and attitudes are being introduced. In an interview with CSO, Chase Cunningham of the firm that coined the term “Zero Trust” says that many companies are undergoing a digital transformation. As you move to the cloud, “there’s where you start your Zero Trust journey.”

    Zero Trust isn’t as harsh as it sounds
    The Zero Trust strategy isn’t saying, “no user is safe, ever.” Obviously companies can’t function with that mindset. Rather, it means that when it comes to sensitive data, people should have to prove they are authorized to see it before they’re granted access.

    60% of network attacks are by insiders – three-quarters of which are done with malicious intent. If the majority of network attacks are done by people who are traditionally trusted network users, why not start putting some restrictions on their access? That’s all Zero Trust says to do. It prioritizes privacy by making sure sensitive data is only accessed on a need-to-know basis.
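    To make the three ideas in this post concrete (authenticate every user regardless of where the request comes from, a micro-perimeter per data set with least-privilege policy, and logging all traffic), here is an added Python example that is not part of the original post. The users, data sets, policy, signing key and token format are all constructed assumptions standing in for a real identity provider and policy store.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass
from typing import Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
AUDIT = logging.getLogger("zerotrust.audit")

# Assumption: a demo signing key. A real deployment keeps this in an IdP/KMS.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Constructed least-privilege policy: one micro-perimeter per data set,
# listing exactly which user may perform which action. Anything not
# listed here is denied by default, for insiders and outsiders alike.
POLICY = {
    "trial-results": {"alice": {"read"}, "bob": {"read", "write"}},
    "patient-records": {"bob": {"read"}},
}


@dataclass(frozen=True)
class Request:
    token: Optional[str]   # credential presented by the caller, if any
    resource: str          # the data set (micro-perimeter) being accessed
    action: str            # "read" or "write"
    source: str            # "internal" or "external": recorded, never trusted


def issue_token(user: str) -> str:
    """Stand-in for an identity provider: user name plus an HMAC over it."""
    sig = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"


def authenticate(token: Optional[str]) -> Optional[str]:
    """Verify the credential and return the user, or None if it is missing/bad."""
    if not token or "." not in token:
        return None
    user, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    return user if hmac.compare_digest(sig, expected) else None


def authorize(user: str, resource: str, action: str) -> bool:
    """Least privilege: allowed only if the policy names this user and action."""
    return action in POLICY.get(resource, {}).get(user, set())


def gate(req: Request) -> dict:
    """The Zero Trust check applied to every request, internal or external.

    Note that req.source is never consulted for the decision; being "inside"
    the network buys nothing. The decision is returned so callers can act on it.
    """
    user = authenticate(req.token)
    if user is None:
        decision = {"allowed": False, "user": None, "reason": "unauthenticated"}
    elif not authorize(user, req.resource, req.action):
        decision = {"allowed": False, "user": user, "reason": "not_authorized"}
    else:
        decision = {"allowed": True, "user": user, "reason": "policy_match"}
    # Log all traffic: allowed and denied, internal and external alike.
    AUDIT.info("source=%s user=%s resource=%s action=%s allowed=%s reason=%s",
               req.source, decision["user"], req.resource, req.action,
               decision["allowed"], decision["reason"])
    return decision


if __name__ == "__main__":
    alice = issue_token("alice")
    print(gate(Request(alice, "trial-results", "read", "internal")))   # allowed
    print(gate(Request(None, "trial-results", "read", "internal")))    # no implicit trust
    print(gate(Request(alice, "trial-results", "write", "external")))  # least privilege
    print(gate(Request("alice.deadbeef", "trial-results", "read", "internal")))  # forged
```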

  • 4 reasons why cyber security deserves a larger chunk of your hospital organization’s budget

    by Veriato | Feb 22, 2018

    In the medical community, the patient is paramount. There are countless methods employed to treat people and protect their health. But when it comes to their patients’ safety, most hospitals need a higher dosage of cyber security.

    Currently, health organizations are allocating less than half of what other industries budget for Information Security. This is no longer sufficient for a field with such high-value assets, and many factors play into the need for increased cyber security in the medical arena.

    1. Evolving healthcare technologies: Just in the last decade, health records have gone from mostly paper to totally electronic – and the digitization is continuing. Now employees access patient data via mobile devices and remote networks. Data sharing and cloud storage are necessities. Additionally, many medical devices themselves are now internet-enabled and some providers are embracing wearable tech for patients. Precision medicine, an emerging approach that customizes treatment based on patient-specific factors, also relies on the Internet of Things, and generates more sensitive data. As digital treatments, methods, and devices become more widespread, the opportunities for cyber attacks also increase. The AHA suggests that organizations put a scalable security plan in place now that can grow and adapt with the changing landscape.
    2. Increase in threats: With more online data, come more cyber threats. In 2015, around 100 million health care records were stolen. In 2016, organizations experienced on average one cyber attack per month. The value of EHRs has increased on the black market, enticing more cyber criminals. Organized crime rings target information systems to steal and sell specific information (social security numbers, billing info) or entire EHRs. Political groups and hacktivists seek to expose high-profile patient data to embarrass or discredit their enemies. Nation-state attackers try to seize groups of EHRs for mass exploitation of people. Even your own employees are security risks – from malicious insiders to those uneducated about cyber security best practices. The threats to patient data are diverse, dangerous, and escalating.
    3. Costly consequences: The Ponemon Institute reports that the average cost of a data breach for healthcare organizations is estimated to be more than $2.2 million. In another study, 37% of respondents reported a DDoS (distributed denial of service) attack that disrupted operations about every four months, totaling an average of $1.32 million in damage per year. In addition to huge monetary penalties, data breaches hurt organizations’ reputations, which can have ripple effects in business. Intellectual property such as research findings and clinical trial information can also be stolen and sold, negating years of work and monetary investment.
    4. Physical risk: A medical facility exists to help people heal. Even though cyber attacks are online, they can cause physical damage. In a Ponemon Institute study, 46% of respondents said their organization experienced an APT network attack that caused a need to halt services. This shutdown can seriously impact the treatment of patients. Additionally, attacks using Ransomware are on the rise, in which hackers make a network inaccessible until the organization pays a ransom, usually in Bitcoin to make it untraceable. In the meantime, health care records can’t be accessed, meaning treatment may be delayed – resulting in health consequences or even death (and lawsuits). In this day and age, protecting patients means protecting your network. As Theresa Meadows, CIO of Cook Children’s Hospital, said in an interview for NPR: "The last thing anybody wants to happen in their organization is have all their heart monitors disabled or all of their IV pumps that provide medication to a patient disabled."

    Hospital organizations always put the patient first. An important – and undervalued – way to do that is to give cyber security the priority it deserves.

  • 3 ways cyber security is changing business operations

    by Veriato | Feb 15, 2018

    Businesses understand the importance of cyber security, and most are taking steps to ramp up their protection game. In fact, the International Data Corporation has projected worldwide spend on cyber security software, hardware, and services will reach $101.6 billion by 2020. That’s a 38% increase from the $73.7 billion spent in 2016.

    But cyber security is changing more than just budgets in the business world. Here are three ways companies are changing their business operations and models to improve cyber security.

    1. IT is taking a more prominent place in the Core Business. Gone are the days of a basement IT crowd whose main job was to tell you to try turning your computer off and back on again. With cyber security’s heightened priority, IT is taking a more prominent place in the core business. Hacks can stop business operations, harm corporate image, and of course, cost millions of dollars – proving cyber security is way more than an IT problem.

      IT departments are starting to align security spending with business objectives, proving that security isn’t a cost; it’s an investment. Savvy business leaders rope their tech team into operational planning, using the department as a business partnership to achieve goals. If a business is serious about succeeding, they’re getting serious about cyber security.
    2. Regulations are rising. The first compliance date for the New York Department of Financial Services’ cyber security regulation was last August. This legislation was the first of its kind in the nation, requiring financial institutions to report attempted data breaches, hire a CISO to handle employee cyber security, and require their third-party providers to improve security as well. Though not as extensive as the New York regulation, 42 states introduced 240+ cyber security bills or resolutions in 2017, according to the National Conference of State Legislatures.

      On a global scale, China and Singapore have similar regulations, and the EU adopted extensive regulation with the GDPR in 2016. Many of these bills impact not just native businesses, but companies who do business in that country. With the increase in regulation, businesses need to change structures, communications, and policies to stay compliant. Companies need to invest in a robust legal team that can handle managing the upcoming regulations that will affect their operations.
    3. Subscription software is the new norm. By 2020, more than 80% of software will be sold via subscription, rather than the traditional model of licenses and maintenance, according to Information Week. This drive makes sense from a bottom line perspective, but also from a cyber security perspective. The longer the same software is in use, the more time hackers have to expose and exploit its vulnerabilities. With a subscription model, the software is always current, making it more secure. 

      Thanks to the cost-saving benefits of subscription software, businesses can use the extra budget room to implement more cyber security measures or invest in new data protection services. IT is embracing the subscription software model, and it’s having rippling effects across the entire business.

    As cyber security becomes more of a concern, businesses are changing to prioritize it. Spending is adjusted, objectives are aligned, and services are adapted to keep businesses secure, and therefore more successful.

  • Technical safeguards for HIPAA at the administrative level.

    by Veriato | Jan 25, 2018

    This is the 3rd post in a 3-part series on HIPAA data security. Here we discuss ways Veriato can assist organizations in reducing the cost associated with HIPAA compliance reporting while increasing data security.

    Requirement 164.308

    Administrative Safeguards

    Veriato acts as a core part of your implementation and maintenance of security measures and administrative safeguards to protect patient data, specifically around monitoring and reviewing the conduct of your workforce in relation to the protection of patient data.

    Below are some examples of how Veriato can assist in addressing some of HIPAA’s Administrative Safeguards:

    • Risk Analysis (Required) § 164.308(a)(1)(ii)(A) – Veriato’s visibility into how users access, interact with, and use patient data can be utilized to assess the confidentiality, integrity, and availability of patient data, regardless of application used.
    • Information System Activity Review (Required) § 164.308(a)(1)(ii)(D) – By providing per-user activity detail and reporting, Veriato supplies the most comprehensive and contextual activity review possible, showing when patient data is accessed, as well as the actions performed before and after the access in question.
    • Log-in Monitoring (Addressable) § 164.308(a)(5)(ii)(C) – Veriato facilitates the monitoring of and reporting on log-ins which can be used to identify suspect activity.
    • Response and Reporting (Required) § 164.308(a)(6)(ii) – In cases where the suspected or known security incident involves a user’s application-based interaction with patient data, Veriato provides the activity detail necessary to document the security incident and outcome in almost.

    Requirement 164.312

    Technical Safeguards

    Veriato’s advanced user activity monitoring and behavior analysis technology can be leveraged to define advanced policy and procedures designed to establish and ensure patient data remains protected giving you HIPAA technical safeguards at the highest level.

    Below are some examples of how Veriato can assist in addressing some of HIPAA’s Technical Safeguards:

    • Audit Controls (Required) § 164.312(b) – Veriato not only empowers security teams to record and examine user activity within systems containing protected patient data, but also within any other application, providing unmatched visibility into actions taken around patient data access.
    • Mechanism to Authenticate Electronic Protected Health Information (Addressable) § 164.312(c)(2) – Because Veriato records and can playback all user activity involving protected patient data, it provides the ability to demonstrate that patient data has not been altered or destroyed in an unauthorized manner.

    Requirement 164.414

    Administrative Requirements & Burden of Proof

    In an organization’s time of need, when demonstrating either HIPAA compliance – or the lack thereof – is necessary, the determining factor will ultimately be the answer to the question “Was patient data improperly used?”. This will require an ability to review the exact actions taken by one or more users, both within and outside of an EHR application.

    Below are some examples of how Veriato can assist in addressing this HIPAA requirement:

    • Administrative Requirements § 164.414(a) – Veriato’s ability to record, playback, and report on detailed user activity can help demonstrate compliance with the Safeguards portion of the Administrative Requirements § 164.530(c).
    • Burden of Proof § 164.414(b) – In the event of a suspected breach, Veriato uniquely facilitates the playback of specific user activity to either demonstrate the lack of a breach, or to help define the scope of one.

    Requirement 160.308

    Compliance Reviews

    Whether as part of suspected violation or other circumstances, compliance reviews of administrative provisions around appropriate access to, and usage of, patient data can be simplified by demonstrating enforcement of policies and procedures through Veriato’s activity reports and activity playback.

  • Security concerns and solutions for staying HIPAA compliant

    by Veriato | Jan 23, 2018

    HIPAA Security Challenges for Key Stakeholders

    While HIPAA itself isn’t broken out into separate objectives for each stakeholder in the organization, stakeholders each have different needs around the goal of adhering to HIPAA:

    • CEO – Needs a proactive approach leveraging people, processes, and technology that ensures adherence to HIPAA requirements around safeguarding patient data.
    • CFO – Can’t afford the cost of a breach in compliance. Would rather spend budget on preventative measures than on responding to a breach.
    • CCO – Wants a plan in place of how to easily and quickly demonstrate
    • CSO – Desires for patient data to remain secure, and a way to know patient data isn’t being misused.
    • IT Manager – Needs to provide a means of visibility into exactly how patient data is used, regardless of application.

    What’s needed is a technology that cost-effectively addresses HIPAA security challenges and requirements directly by monitoring the access to patient data, aligning with established policy and processes, providing visibility into how patient data is used or misused, and providing context around either demonstrating compliance or determining the scope of a breach.

    How Veriato Helps Address HIPAA Security Challenges

    Veriato helps organizations of all kinds satisfy their HIPAA obligations by offering technical solutions through detailed, contextual logging of all user activity, both inside an EHR and in any other application, combined with robust screen recording and playback. This level of visibility into user interaction with patient data provides comprehensive evidence for compliance audits. Activity data is searchable, making it easy for an auditor, security team, or IT to find suspect actions and play back the activity before, during, and after the action in question. Reports can be produced in minutes, a fraction of the time such reviews typically take, and don’t require pulling critical resources from other tasks.

    Veriato assists in meeting a number of specific requirements, leveraging its deep visibility into user activity to provide context around access to patient data, showing what was accessed and what was done with the data. 

    In our next blog post, the last of a three part series, we will walk through a few of these requirements and illustrate how Veriato helps further address some of the HIPAA security challenges faced today. 

  • Expert advice on HIPAA data security

    by Veriato | Jan 18, 2018

    The biggest challenge in ensuring HIPAA data security is people.

    At its core, HIPAA compliance is simply about maintaining patient privacy by ensuring the appropriate access to and use of patient data by your users. Electronic Health Record (EHR) solutions provide detail around when patient data is accessed, but without visibility into what users do with sensitive patient data after they access it, the risk of data breaches, compliance violations, and the investigations, fines, and reputational damage that comes with them, is significantly increased. 

    Organizations seeking to meet HIPAA requirements for data security and technical compliance are expected to demonstrate proper use of patient data through appropriate administrative and technical safeguards. Most organizations focus their efforts on safeguards around an EHR system that is already designed to be HIPAA compliant, but today’s computing environments make it quick, easy, and convenient to repurpose accessed patient data in an unauthorized fashion. Webmail, cloud-based storage, USB storage, web-based collaboration tools, and even printing are just some of the ways users can improperly save, steal, and share patient data, so monitoring activity only within an EHR is a shortsighted strategy if the goal is to truly be able to demonstrate compliance.

    The penalties for a HIPAA data security breach are severe, ranging from $100 per violation at the lowest tier to $50,000 per violation at the highest, with an annual cap of $1.5 million for violations of an identical provision. Avoiding these penalties depends on an organization’s ability to ensure that proper controls for HIPAA technical compliance are in place and that access to patient data is properly secured.

    HIPAA penalty tiers (table not reproduced)

    So, what’s needed is complete visibility into every action performed by a user with access to patient data: every application used, webpage visited, record copied, file saved, screenshot taken, and page printed. Only then will a covered entity truly know whether patient data has been appropriately accessed and used.

    But compliance with HIPAA isn’t just a technical battle; it also involves policies and procedures that, in conjunction with technology, ensure users are trained, access to patient data is correctly granted, use is appropriate, and compliance can be demonstrated.
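    The two passages above make one technical point: an EHR audit log tells you when a record was opened, and endpoint activity tells you what the user did next. The Python below, added here as an illustration and not Veriato’s code or log format, joins the two on user and time window, flags accesses that are followed by one of the channels the post lists (webmail upload, USB write, print, cloud sync), and keeps the surrounding activity so a reviewer can see what happened before, during, and after. The log formats, action names, and the ten-minute window are assumptions made for the example, and the log lines are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Endpoint actions this example treats as channels through which patient data
# can leave the organization (the channels listed in the post). The action
# names are this example's own, not a real product's event taxonomy.
EXFIL_ACTIONS = {"WEB_UPLOAD", "USB_WRITE", "PRINT", "CLOUD_SYNC"}

# Constructed sample EHR audit log: which user opened which patient record, when.
EHR_ACCESS_LOG = """
2018-01-18T09:02:11 jdoe   VIEW_RECORD patient=PT-4481
2018-01-18T09:05:40 asmith VIEW_RECORD patient=PT-1190
2018-01-18T09:41:03 jdoe   VIEW_RECORD patient=PT-2207
2018-01-18T10:14:00 asmith VIEW_RECORD patient=PT-3310
"""

# Constructed sample endpoint activity log (hypothetical format): what each
# user did on their workstation, in any application.
ENDPOINT_ACTIVITY_LOG = r"""
2018-01-18T09:03:02 jdoe   CLIPBOARD_COPY app=EHRClient bytes=2210
2018-01-18T09:03:30 jdoe   WEB_UPLOAD     host=mail.example.com bytes=2210
2018-01-18T09:06:10 asmith PRINT          doc=visit_summary.pdf pages=2
2018-01-18T09:41:50 jdoe   USB_WRITE      path=E:\export\pt2207.csv bytes=4096
2018-01-18T10:15:00 asmith FILE_SAVE      path=C:\Users\asmith\notes.txt bytes=300
"""


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    attrs: dict[str, str]


def parse_log(text: str) -> list[Event]:
    """Parse 'timestamp user ACTION key=value ...' lines into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, *pairs = line.split()
        attrs = dict(pair.split("=", 1) for pair in pairs)
        events.append(Event(datetime.fromisoformat(ts), user, action, attrs))
    return sorted(events, key=lambda e: e.ts)


def find_suspect_use(ehr: list[Event], endpoint: list[Event],
                     window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Join EHR accesses to endpoint activity by user and time.

    An access is flagged when the same user performs an EXFIL_ACTIONS event
    within `window` after opening the record. For each flagged access the
    user's activity from one window before to one window after is kept as
    review context (the 'before, during and after' an investigator wants).
    """
    findings = []
    for access in ehr:
        start, end = access.ts, access.ts + window
        exfil = [e for e in endpoint
                 if e.user == access.user and e.action in EXFIL_ACTIONS
                 and start <= e.ts <= end]
        if not exfil:
            continue
        context = [e for e in endpoint
                   if e.user == access.user and start - window <= e.ts <= end + window]
        findings.append({
            "user": access.user,
            "patient": access.attrs.get("patient"),
            "accessed_at": access.ts.isoformat(),
            "channels": sorted({e.action for e in exfil}),
            "context": [f"{e.ts.time()} {e.action} {e.attrs}" for e in context],
        })
    return findings


if __name__ == "__main__":
    ehr_events = parse_log(EHR_ACCESS_LOG)
    endpoint_events = parse_log(ENDPOINT_ACTIVITY_LOG)
    for f in find_suspect_use(ehr_events, endpoint_events):
        print(f"{f['user']} opened {f['patient']} at {f['accessed_at']}, "
              f"then: {', '.join(f['channels'])}")
        for line in f["context"]:
            print("    ", line)
```

    Run as a script, it produces a review queue of three flagged accesses; the fourth access (PT-3310) is followed only by a save to a local path and is not flagged. The output is a triage list, not a verdict: printing a visit summary may be entirely legitimate, which is exactly why the context lines are kept for a reviewer to inspect rather than the match alone being reported. The window length and the set of flagged actions are tuning knobs that depend on the environment.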

    In the following 2 blog posts, we will discuss challenges to key stakeholders and ways that Veriato can help address HIPAA data security and technical compliance challenges.