HIPAA may be twenty-two years old but the HIPAA Security Rule—which assures the security of confidential electronic patient information—hit its twenty-year mark just this year. HIPAA was signed into law in 1996 to protect Americans from losing health insurance coverage when changing jobs or dealing with a lay off and to protect the privacy and security of individual health information. Rules that govern HIPAA’s implementation requirements include the Privacy Rule and the Security Rule, which followed the initial rule 2 years later, issued in 1998.
Being on the hook for free services to friends and family members is a well-known risk for many professionals. Doctors get called in the middle of the night to see sick nieces and nephews, attorneys advise their siblings on traffic violations and airline employees are hunted down by everyone for those free standby certificates. But as a technology professional, I can say that we have it arguably worse than anyone else; “Can you set up my Wi-Fi?”, “Do I have enough encryption?” And if you think that the barrage of requests is not bad enough, you haven’t heard the complaints! “That phone broke within three months!”, “I dropped my router while dusting and now my WiFi is out!”.
These days, it feels like everybody’s talking about encryption and privacy. Whether you work in healthcare, energy and utilities, financial services or some other enterprise—you’ve probably come across debates around privacy, encryption and how to securely communicate to maintain privacy. But with all the news reports and use of buzzwords being thrown around it’s easy to forget the basics. So what do terms like encryption, privacy and man-in-the middle attacks really mean?
The high-profile Golden State Killer case is causing experts to debate the privacy implications of using genealogical data from open-source sites, like GEDmatch.com, in criminal investigations. There are no laws prohibiting detectives from using the data, but law enforcement experts are concerned about potential abuses of this investigative method. Others have argued the tactic represents an invasion of privacy – but does it?
What started out as a novelty quickly spun into something ominous. In November of 2017, the San Francisco-based start-up fitness app Strava released a heatmap depicting the activities of Strava users across the world. What does the Starva leak mean for privacy and what can end-users do to secure their information?
Face ID is a facial scanner that will replace Apple’s Touch ID, allowing people to unlock their iPhone with their face. Sounds simple and convenient but it also has many privacy experts concerned. In fact, Apple’s embrace of facial recognition opens a whole can of worms over security, the idea of people’s faces as their password and where this technology may take us.
In March 2017 the nation’s first cybersecurity regulation became law imposing strict cybersecurity measures on financial institutions operating in New York. The new rules specify everything from naming a Chief Information Security Officer, to risk assessments, event notification, encryption, penetration and vulnerability testing, training and monitoring and audit logs.
Unlike healthcare providers, family members are not subject to the privacy and security mandates in the Health Insurance Portability and Accountability Act (HIPAA). However, there is a huge market for medical information, drug prescriptions, social security numbers and credit card numbers on the dark web. Cybercriminals are mastering how to invade devices to steal this exact type of information we bandy about in our family beehives during a health crisis.
It seems that every day we have a slew of new sensational cases and revelations that make us stop and think “Is our privacy over? Does anyone even care? What are we to do to protect ourselves?” I say, relax, the situation is bad, but it is not as bad you might think and probably not for the reasons you might think so.
Quick – when was the last time you used your smartphone to investigate a health issue? If you are like most people you are probably a “connected patient” using smart devices to take more ownership of your health. A 2015 Pew Research Center (PEW) report shows 62% of smartphone owners use their phone to look up information about a health condition. And many of us now also use our smartphones to correspond with providers.
Communication and effective collaboration within the healthcare industry is not always as easy as it should be. Care teams – from doctors and nurses to the patients and their caregivers – need the ability to communicate efficiently, effectively, privately and securely to ensure the highest level of service. Unfortunately, this is an ongoing challenge, particularly when it comes to long term and home based healthcare.
There is only one thing certain in today’s world, and that’s uncertainty. It was certainly driven home by the election results, where everyone was certain of the outcome, until they were not. It is disconcerting to live in this environment. From random terrorist attacks to unprecedented economic and geopolitical events, we need to almost block out the news cycle. In order to survive in this environment, it is important to make a list of things that are in your control and those that are not.
It is no secret that we are living in a digitally evolving world. The use of personal mobile devices continues to increase as constant advancements bring more and more convenience to our busy lives. With today’s smart phones you can do almost anything you want with just the tap of your finger. It leaves me wondering – what’s next?
“Whoever Wins the White House, This Year’s Big Loser is Email.” Thus, reads the headline in the NY Times on October 19, 2016. Indeed, in the current election cycle, month after month, the focus has been on hacked and released emails, on disappearing emails, on emails that reappear on various devices – not of the user’s choosing. It certainly seems that the people who sent those emails should have known better than to write what they actually wrote in the first place.
We are proud to announce that today we unveiled an entirely new web experience that better reflects our mission. We are driven to help customers better address privacy and security when collaborating with colleagues, partners and their clients. The ability to communicate with confidence directly impacts the speed of business.
Welcome back from what we hope was a happy and relaxing July 4th. Happy Independence Day! For us, July 4th is a particularly meaningful holiday. It’s an opportunity to spend time with family and friends and to appreciate the freedoms and liberties we have living in the United States of America.
People engage in conversations over phones in public areas without a thought to who can overhear, or about the potential consequences. There is a blind faith that privacy is somehow granted by being surrounded by strangers. That privacy is often valid, however strangers don’t always equal safety.
Today’s workforce has gone beyond mobile. It is fluid. The physical mobility of devices has improved so drastically that the lightest devices from 20 years ago would be the heaviest devices today. People aren’t just working in different places because they have to, they are working everywhere because mobility enables them to. The freedom to get things done instantly, without having to rearrange your life, has taken hold of today’s workforce. With it come efficiencies and benefits to the organization, employee and consumer, but also risk that must be considered.
Moving with the fluid workforce are their devices; laptops, tablets, phones and everything in-between are constantly being pulled out at soccer games, doctor’s offices, coffee shops and airports. Everywhere you look, someone is connecting. The problem is that interruptions in the real world are often sudden, abrupt, and urgent. Devices may be quickly put down to address a disruption. It is in that moment that the security of the device and everything on it matters the most.
The devices that enable our freedom contain valuable information. When they are lost, stolen, or simply misplaced, that information becomes vulnerable. What’s more, despite the best efforts of IT professionals to educate people about the importance of securing their device, it doesn’t always happen. With almost every security measure that IT forces onto a device usability is degraded a bit. Degrade usability too much, and users simply move to another device. Even enforcing the use of a passcode on a phone causes consternation:
“Do I use a 4-digit pin or a complex password? I need to take pictures of my kids quickly before the moment passes. Maybe I should disable the code on family days so I don’t miss anything? Not having a code will also make it easier for my kid to play games on it when we’re in the car.”
In fact, studies show that despite the need for security, alarmingly, only 46% of users set a screen lock using a four-digit PIN, password or fingerprint. This means that over 50% of mobile device owners still do not take the basic step of password-protecting their devices. And password protection is just the first step; device encryption is equally important. Without it, a moderately sophisticated attacker can simply access device storage directly, sidestepping password protection altogether.
One obvious reason to care about mobile device security is the sad fact that some of your organization’s mobile devices will be lost. Make no mistake about it: No matter how diligent your staff may be, devices are going to be lost or stolen – eventually. In New York City alone, 73,000 mobile devices were left in taxi cabs in 2014. A lost device should always be regarded as a security breach. Whether the finder attempts to extract information with intent to steal intellectual property, or with the benign intent of identifying the rightful owner, unauthorized access will occur. Unlocked phones and unsecure apps can leave your organization open to a data breach. And this risk certainly is not limited to smartphones – laptops and tablets, while larger, are misplaced every day as well. Unfortunately, there are numerous examples where organizations have been fined for failing to encrypt lost laptops containing PII or PHI. Just this month, Premier Healthcare reported that a non-encrypted laptop was stolen from its billing department, exposing over 200,000 patient’s PII; almost 2000 of those records including social security numbers and/or other financial information.
Simply stated – lost devices are a security breach waiting to happen. With higher local storage capacity and access to cloud storage, lost phones and tablets are next to hit the news for breach of information. No amount of diligence can completely prevent the loss of devices. The best you can do is focus on mitigating the potential fallout and make sure that a lost device does not lead to a data breach.
Beyond securing devices, however, the applications that employees use to share information and communicate vital business information also need to be secure. While many organizations may think that deploying secure apps is excessive given their phone security requirements, those requirements are only as good as the hardware provider’s capabilities and are susceptible to human error.
Apps that encrypt their information prevent sharing, saving or forwarding of information and restrict the extraction of information without proper authorization. This can help mitigate the risk of information leaks or larger breaches. It is a mental shift from only protecting the device to protecting the information that flows between devices and better controlling what can be done with that information. Apps that securely leverage the convenience of mobile devices for rapid information exchange, collaboration and decision making can have a dramatic positive impact on employee workflow efficiency and experience.
Employees just want to use their devices in a way that makes their lives easier and helps them get their jobs done. The introduction of ephemerality has also changed the way we look at collaboration via our mobile devices. Corporate data can now be stored in a secure, fire-walled repository, while removed from devices alleviating much of the risk created by lost or stolen devices.
This is not to say that device security should be ignored. Far from it. Even the most conscientious person might leave valuable information in unsecure locations on their devices, where device security is the last line of defense. On top of reasonable device security, the applications themselves can further protect information on devices and in transit, achieving a deeper level of security and confidence. Secure applications help ensure that the privacy of information belonging to your organization, employees and customers is protected.
In our ever-evolving, technology-rich and breach-heavy world, the need to increase the security on BYOD devices has grown significantly while empowering employee efficiency is just as important. It is incumbent upon every organization to understand the impact of their mobile workforce upon security and compliance mandates in order to minimize the likelihood and impact of data loss or breach. The inclusion of secure apps such as secure mobile messaging help you protect vital information from breach while leveraging the efficiencies of the mobile device. Providing, or enforcing, an option for secure information exchange and collaboration that does not jeopardize privacy or compliance should be included in every organization’s mobile enablement strategy.
To find out more about the benefits that can be realized through secure mobile messaging, contact us.
Contributor: Avi Elkoni
In this Age of the Internet, confidential information is more easily exposed than ever before. Real-time communication tools and social media give everyone with Internet access the ability to publicize information widely. Confidential information is always at risk of inadvertent or even intentional exposure. The current cultural emphasis on transparency and disclosure—punctuated by headline news of high-profile whistleblowers, and exacerbated in the corporate context by aggressive activist shareholders and their director nominees—has contributed to an atmosphere in which sensitive corporate information is increasingly difficult to protect.
A member of a board of directors has fiduciary responsibilities to the corporation he or she serves. One important responsibility is a duty of confidentiality. The duty of confidentiality is essentially a duty not to speak about board matters to non-board members or share board materials with non-board members unless authorized to do so. Open dialogue is crucial to board deliberations. If Board members do not feel that their conversations are private or that the confidentiality of their discussions will be respected, they may feel pressure to avoid certain topic areas or to hedge their comments in a way that doesn’t serve the organization’s best interests.
The Board of Directors’ legal obligations with respect to confidentiality are often not well articulated. Confidential board information includes material, non-public information, the disclosure of which is regulated by federal securities laws and by company-wide policies and procedures. It also includes sensitive boardroom discussions that have both personal and business elements, and implications. These discussions may be amongst board members outside of the formal board meeting settings. In order for boards to function effectively, directors must feel comfortable expressing their views with board members on corporate matters honestly and freely, without concern that their conversations will be made public or intercepted by competitors.
Increasingly board members and executives travel nationally and internationally. With increased exposure to mobile communications being intercepted and even mobile device loss or even confiscation, more and more executives are concerned about containing potential confidential business conversations private now that every type of conversation seems to have gone mobile.
Concerns about leaks often increase with the election of “constituent” directors. These directors, placed on public company boards through proxy access or a proxy fight, are typically perceived—rightly or wrongly—as representatives of those shareholders that nominated them and are considered likely to share details of board deliberations with their sponsors. When a director deliberately exposes sensitive board information, boards may struggle to respond effectively, as the remedies available to the board and the company are limited, particularly since directors cannot require another director to resign. In order to protect confidential and sensitive information, boards should, at a minimum, have robust director confidentiality policies. Companies may also want to review their crisis management plans to ensure that they cover breaches of confidentiality by directors in addition to executives and employees.
Confidential Board Information
Confidential, non-public corporate information falls generally into three categories: proprietary information that is of competitive, commercial value to the company; inside information about the company’s finances, operations, and strategy; and sensitive information regarding board proceedings and deliberations. Unauthorized disclosures of proprietary information could imperil a company’s competitive advantage or commercial success while unauthorized disclosures of inside information can lead to illegal insider trading and manipulation of the company’s stock price. Company insiders may disclose information in any category that is material and non-public only in specific ways prescribed by the federal securities laws. For these reasons, all companies should have comprehensive corporate confidentiality policies that apply to employees as well as directors. The authorized processes and channels for disclosure of confidential corporate information should be well defined and understood within the company, as improper disclosures can lead to criminal and civil liability in certain circumstances.
The third category, sensitive board information, includes information to which a director is privy by virtue of his or her membership on the board of directors. In the course of fulfilling their fiduciary duties and director responsibilities, directors are entrusted with significant amounts of material, non-public information of all types; however, they also become aware of the inside story: how this confidential corporate information is discussed, used, and understood within the board itself. Directors generally know how their fellow board members view corporate executives, strategic initiatives, potential mergers and acquisitions, competitive and legal threats, and even each other. They also understand how board deliberations have developed over time. Any element of this “meta-information” may be of particular importance, may be potentially disruptive or embarrassing if disclosed, or may simply have been shared within the boardroom with the expectation of privacy. Leaks of sensitive board information—as opposed to proprietary or valuable corporate information—also can be highly damaging to a company. Such leaks can be made publicly, to the media and the investor community at large, or privately, to a director’s sponsor or other influential shareholders.
Public and Private Disclosures
The most sensational type of leak happens when a disgruntled or dissatisfied director provides confidential information to the media in order to put pressure on the rest of the board. A less dramatic but likely more prevalent type of boardroom leak is the private communication of confidential information by constituent directors to their sponsoring shareholders. Activist shareholders and the investment community are increasingly pushing for shareholder-sponsored directors on public company boards, and indeed their numbers are growing as demonstrated in the following chart.
Inadvertent exposure can be limited through corporate policy to ensure board member electronic discussions outside the boardroom are only allowed through encrypted, secure messaging applications . These applications capture a single copy of the conversation in a protected corporate archive but prevent interception, forwarding, storing and printing on board member devices and servers.
The Board of Directors may be, by policy, required to use this communication mechanism to discuss board business amongst each other or even with their constituent debriefings. This provides for complete transparency among board members and protects the confidentiality of the corporate information. Transparency is maintained by retaining a single corporate archive of the conversations in a secure corporate archive and nowhere else. The Corporate Archive can be audited; to ensure company IP as an example is not inadvertently or purposefully being leaked. These policies can easily be extended to private confidential conversations amongst executive staff of the Corporation.
Having policies that ensure that secure, ephemeral communications are enforced will assure the transparency of the communication and re-enforce trust between board directors / members.
Internet and Mobile Technologies have enabled corporations to be more efficient and for small and mid-size corporations to compete on a global scale. However, they have also increased the risk of loss of confidential information that when breached can materially impact the performance of the company. With heightened risk of data breach and increased calls for transparency by shareholders, corporations need to set new policies and compliance standards for their board members and executives to responsibly manage these risks. Interestingly technology solutions like secure, ephemeral, and compliant messaging may be a key element of such risk mitigation strategies.
For more information on how secure messaging can enable executives and the board of directors to communicate in a more confidential manner via their mobile devices, contact us.