A Turkish Taxi or Going to the Cloud

Traveling: Did you know that when you take a taxi cab in Turkey and there is an accident while you are in the car, then you, the passenger, are liable for the damages? Why? Because you hired the cab. That is what it means for your business when you “go to the cloud.” Businesses think the cloud solves all of their cybersecurity problems, but that is not the case. Your business is responsible.

Regulatory Requirements: For most businesses, they have at least one set of regulatory compliance rules to abide by when handling data. For example, if your business accepts credit cards as payment, you are subject to the Payment Card Industry Data Security Standard (PCI DSS). If you track any Personally Identifiable Information (PII) on your customers or employees, you are subject to the Privacy Act. If you are a health care provider and handle Protected Health Information (PHI), you need to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Healthcare providers have the trifecta of data protection liability – having PCI, PII, and PHI to worry about. In the cybersecurity world, regulatory requirements drive your data security plan.

Data Security: The definition of data security from technopedia.com is “protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites.” In other words, data security is how you protect your customer’s data. Although there are many laws, regulations, and guidelines, they do not dictate HOW to implement the protective measures. THAT is up to the individual business owners to decide. This is important because the business is held legally responsible for any privacy breach that may occur whether the data is in the cloud or in your back-office data closet. You are responsible for its protection.

Cloud Absolution? No: Some business owners think that if they push their system to the cloud they will be absolved of data security. Many cloud service providers offer Software as a Service (SaaS) solutions for just about every application these days, making it a turn-key solution for many businesses. One example is Office 365. it reduces local IT costs and in most cases provides an increase in service. In many cases, the business can coordinate with the provider to pay for controls like encryption and firewalls in the cloud. Sounds great, doesn’t it? So where’s the problem?

Who’s In Charge: The cloud customer (that’s you) decides who gets access to the application. The employees are usually working from a laptop, desktop, tablet or phone to access the application.

Threats Still Exist: The cloud is NOT threat repellant. If any of your business computers get key-logger malware (malware that records your keystrokes), the hacker will steal your cloud login credentials and use them to access to your data from anywhere in the world. Your client data that you use daily is sitting on the computer memory of your local device. If the data is (heaven forbid) sent unencrypted to the cloud, you are subject to interception of your data with what’s called a man-in-the-middle attack. This happens often when using public Wi-Fi hotspots. Employees are also susceptible to social engineering where they are tricked into clicking on a malicious link or even provide their password information over the phone. As we noted in other articles, the dark web has usernames and passwords available from previous breaches. If people re-use their passwords, the hacker may get access that way too.

Due Diligence: Even in the cloud, business owners must have due diligence with data security because they are liable. Your employees need cybersecurity training. Their devices should have antivirus and endpoint detection monitoring – agents watching for unusual behavior. Businesses should have cyber insurance to transfer the risk in case a breach occurs despite best efforts.

The Bus?: So, if you are in Turkey you may want to take the bus. Using cloud services on the other hand, there isn’t any substitute for a robust security plan.

The Dangers of Unencrypted Email

Postcards from War: Recently, I was reading some of my grandfather’s faded postcards from World War I. I happened to read one in which he mentioned being released from quarantine: March 11, 1918, Fort Lewis, Washington – the Spanish Flu pandemic.

Then & Now: Postcards were how our grandparents sent brief messages over long distances. They are the antique analogs to modern email. The messages and attachments you send via email are every bit as private and secure as that dusty, old postcard.

Is This Normal: Recently, a close associate of mine, I’ll call him “John”, was required to take a defensive driving course. The business providing the service asked John to send a copy of his driver’s license. John promptly took a picture of his driver’s license in beautiful, high-definition color and attached it to an unsecure email. He didn’t even question it.

How It Works: Let’s look momentarily at a seemingly benign example to illustrate what happens when you hastily click the “send” button. Say you work for a medical practice and you send an email from your office to a patient. Here’s what happens:

  1. The email leaves your computer.
  2. It travels on your Internet Service Provider’s (ISP) network.
  3. It arrives at your mail server – a server you probably don’t control.
  4. Your hosted email provider then forwards a copy of the email to the patient’s mail server, probably webmail, like Gmail.
  5. A copy of the email languishes on the mail provider’s server.
  6. It then takes the last leg of the journey to land on the patient’s personal computer.

Everybody Sees It: As you can see, at any of those points, the email (like a postcard) can be read by anyone with access. That means, if any of those computers storing a copy of the emails is compromised, so are the emails. All of them.

Unsecure By Design: Email is by design, unsecure. That is why you should never, (let me repeat, EVER) include any important, private information in any email, not just the protected health information (PHI) of patients. Unencrypted email is simply the wrong medium for transmitting sensitive data.

From the hhs.gov website:

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.

For Healthcare: Now, I’m not a HIPAA lawyer, and this is not legal advice, but basically, if you are a medical practice, you know that much of your communication with patients is over email. In fact, many prefer it. So as long as you warn the patient that your email communication is over unsecure media, and the patient acknowledges, then you may be absolved of the consequences of a PHI breach … maybe. You can even get patient acknowledgment with (ironically) a simple email waiver form that the patient signs and returns to your office, over email.

Secure Options: If you only send PHI through your Electronic Medical Record’s application, it may take care of the encryption for you. But if not, there are email providers that will encrypt your emails. If you use Microsoft Office 365, there is a tier that will allow you to encrypt email. Other email providers like ProtonMail offer encryption capabilities. A Chrome extension even exists allowing you to encrypt Gmail. It can be a little inconvenient because you have to think up a strong password for each email, then you have to deliver the password to your patient by calling or texting them. If emails containing sensitive data are sent infrequently, the risk is lower. You decide whether you’d rather go through the effort or experience a breach.

You don’t have to protect sensitive data forever. Its value degrades over time. Conversely, that little postcard my grandfather hastily scrawled over 100 years ago is ever more precious to me.