It seems from a recent report that healthcare businesses have become a specific target for hackers in recent months. International managed security services company SecureWorks says that attempted hacker attacks launched at its healthcare clients doubled in Q4 2009, increasing from an average of 6,500 per healthcare client, per day in the first nine months of 2009, to an average of 13,400 per client per day in Q4 2009.

It’s suggested that there are two main reasons for this: the large amounts of identifiable data on patients stored within healthcare organisations, and the sheer number of possible attack vectors, including web-based attacks and attacks from devices (such as infected, unauthorised USB flash drives).

In some territories, such as the UK and Canada, healthcare bodies are rolling out extensive data security measures (such as secure USB drives with onboard anti-virus scanning). This is a sensible and practical response to the increase in data security risks.

More UK companies and Government departments than ever are reporting data losses to the Information Commissioner’s Office, the UK data watchdog, according to recent data.

Reported incidents grew nearly 100% to 356 data losses in the period between November 2008 and September 2009, compared to 190 incidents between October 2007 and November 2008.

The most common type of loss was due to stolen hardware, usually laptops, with 127 such cases.  Another 71 were due to lost hardware – usually USB flash drives – and 78 due to misaddressed discs or memory sticks. 

It’s hard to say whether the number of losses has increased, or if organisations are simply reporting more losses than in previous years.  But it’s reasonable to assume that many of these losses would not have caused problems if the data had been stored on a secure USB flash drive.

After being banned in November 2008, it looks likely that USB flash drives are about to be reintroduced to U.S. Defense Department computers and networks.

But there will be very strict controls on their use, to avoid future malware and security issues which caused the DoD to suspend the use of all USB memory sticks, removable storage devices and camera flash cards on all networks after a worm infection.

In a recent blog post, the CIO for the U.S. Navy, Robert Cary said Defense officials are finalising details of the new USB security policy.  Cary said in his blog that the important thing is to ensure that thumb drives used in the future cannot transfer viruses to military computers and networks.

Policies will also include practice such as authorised staff being issued with government-owned and procured secure USB drives, a ban on all personally owned flash media, and upgrades to DoD antivirus and malware detection and procedures.  These are all recommended, sensible controls to ensure network hygiene and reduced risks of data losses.

The UK Government Information Commissioner’s Office (ICO) continues to be firm with public sector organisations that have had data losses.

This week, a Council in central England has agreed to comply with data protection principles, and signed an undertaking to assure the ICO that personal data will be kept securely in future.  A council employee lost an unencrypted memory stick which contained highly sensitive personal information on four families.

As part of the commitment, the council has agreed to ensure that portable and mobile devices, including laptops, USB flash drives etc are encrypted.  Staff will also be trained and made aware of policies for storage and use of personal information.

It’s good to see that these measures are being taken over losses of personal data, even when the actual volume of lost data is small.  Let’s hope that other countries take an equally firm stance on this issue.

Data Leak Prevention (DLP) is a topic that always sparks debate amongst IT people, as it demands a complex mix of technology, policies and buy-in from users to make it truly effective.  This article has drawn on the opinions and experience of a number of CSOs to focuses on five technological approaches that, when used together, should offer a solid defense for data.

As well as covering key elements such as encryption, gateway protection and email filtering, it mentions that “being able to control the use of USB devices is a key requirement of a DLP solution.”

This is certainly true.  But it’s not just the usage of USB devices.  What the article fails to mention is the need to protect the data while it’s on USB pen drives, with robust and automated encryption.  After all, without this, a user could put sensitive data unprotected on an authorised USB device. 

That’s why organisations use secure flash drives like our Cruzer Enterprise range as a core part of their DLP programme, because they secure data on the move without the user having to make decisions about it.

Torbay Care Trust, an integrated community health and adult social care organisation in the South West of England, has chosen our Cruzer Enterprise secure USB flash drives to help protect mobile data stored on the drives from unauthorized access.

The organisation has purchased and rolled out 1000 Cruzer Enterprise flash drives. The drives will be issued to and used by all staff members, in particular those employees working remotely or transferring data between sites.
 
“We decided to deploy an encrypted USB solution across the Trust as data security breaches have become a national concern,” said Sue Fankhauser, IT buyer for Torbay Care Trust. “Our IT department felt that it was necessary to employ a best-practice solution to protect data against any potential threats and to reassure the public that patient data is secured. After evaluating numerous encrypted flash drives, we chose the Cruzer Enterprise flash drive because it met all of our security requirements.
 
“We also asked SanDisk to send us the USBs without any unnecessary packaging - which they were more than happy to do. As well as being environmentally friendly, this produced no waste at our end, helping to support our eco-friendly policies.”
 
Recent data security breaches within other Government organisations have led to calls for greater data security with transportable media devices, such as data sticks, and by deploying the SanDisk drive, Torbay Care Trust feels it is setting the standard for others to follow.

With Windows 7 now being available to download, many users will be exploring and experimenting with its new features. 

One of these that’s been getting a lot of interest online is the built-in ability to encrypt removable storage devices, such as existing USB thumb drives.  While it’s good to see an operating system with integrated security features, it’s worth looking at the details of exactly how secure the method is.

While this software encryption does offer reasonable protection for data – and is certainly better than no encryption at all – it can still leave data vulnerable.  The software-based encryption used in the article is not “always on” as part of the device specifications – so the user has to remember to actively encrypt data.  Unlike the hardware encryption on our Cruzer Enterprise range of secure USB drives.

Second, hardware-based encryption does not require any type of driver or software installation on the host PC.  This keeps the encryption independent of the PC without leaving behind software footprints. 

So if you’re going to remember to encrypt every piece of sensitive information you carry on a pen drive, the Windows 7 approach is fine – but you shouldn’t rely on it for every user in an organisation.

According to a new report, just 27% of the Ministry of Defence’s IT systems meet the Government’s own data security standards, following a review. 

 The Government developed tough data handling sanctions in summer 2008 following a series of high profile data breaches from public sector organisations. 

 Under the new security measures, any USB flash drive, disk drive or laptop containing sensitive information has to be encrypted if it is to be taken out of Government offices - which is a significant, but achievable task, especially if secure thumb drives are used.

 To highlight just how vulnerable an unsecured flash drive is, in summer 2008, the MoD admitted that it had lost 658 laptops and 121 USB memory sticks since 2004 - with some of those lost drives containing military information classed as “Secret”.  So, securing USB drives is a vital first line of defence against data losses.