Question

MedQuip, a company that specialises in the production of personalised medical equipment, was recently accused of failing to reasonably secure the Protected Health Information (PHI) and Personally Identifiable Information (PII) of its customers. Between June 19 and July 12 2019, MedQuip’s network was breached, with the attacker stealing over a million PHI and PII records. A law enforcement investigation and forensic analysis of MedQuip’s network found that the attacker first penetrated the network through a third-party user’s computer. Due to weak segmentation between non-sensitive and sensitive parts of MedQuip network, the attacker was able to access and modify sensitive PHI and PII data for the purpose of selling the data to MedQuip’s competitor. MedQuip’s Internal IT staff had stored sensitive data in an unencrypted format on unencrypted hard drives, making it easy for the attacker to access and steal sensitive data. This highlights a gap in knowledge with respect to appropriate IT security practices and reveals MedQuip’s lack of understanding regarding the consequences of poor information security. It is estimated that the billing information of 9,000 customers was compromised. While it is understood that MedQuip has a robust IT security policy based on industry regulations, it appears the policy hasn’t been enforced, making it possible for the breach to be successful. In a press conference discussing the incident, the IT director commented that while the company had an IT security policy in place to prevent such breaches, security controls defined in the policy relating to data handling and storage had not been implemented. Following further internal investigations, the concerned employees could not be penalised as the IT security policy did not meet certain criteria.

5. Describe the criteria that must be met by MedQuip to make its security policy enforceable?

6. What mistakes did senior management make with respect to the organisation’s information security?

7. What mistake did the IT staff make with respect to data security?

8. Provide one (1) example each of how MedQuip may safeguard its Hardware, Software, Data, Procedure, and People.

Answer 1

5) There are two parts to any security policy. One deals with preventing external threats to maintain the integrity of the network. The second deals with reducing internal risks by defining appropriate use of network resources. There are some point which will help you do the same.

1. Identify your risks

What are your risks from inappropriate use? Do you have information that should be restricted? Do you send or receive a lot of large attachments and files? Are potentially offensive attachments making the rounds? It might be a nonissue. Or it could be costing you thousands of dollars per month in lost employee productivity or computer downtime.

2. Make sure the policy conforms to legal requirements

Depending on your data holdings, jurisdiction and location, you may be required to conform to certain minimum standards to ensure the privacy and integrity of your data, especially if your company holds personal information. Having a viable security policy documented and in place is one way of mitigating any liabilities you might incur in the event of a security breach.

3. Level of security = level of risk
Don't be overzealous. Too much security can be as bad as too little. You might find that, apart from keeping the bad guys out, you don't have any problems with appropriate use because you have a mature, dedicated staff. In such cases, a written code of conduct is the most important thing. Excessive security can be a hindrance to smooth business operations, so make sure you don't overprotect yourself.

4. Include staff in policy development
No one wants a policy dictated from above. Involve staff in the process of defining appropriate use. Keep staff informed as the rules are developed and tools are implemented. If people understand the need for a responsible security policy, they will be much more inclined to comply.

5. Train your employees
Staff training is commonly overlooked or underappreciated. But, in practice, it's probably one of the most useful phases. It not only helps you to inform employees and help them understand the policies, but it also allows you to discuss the practical, real-world implications of the policy. End users will often ask questions or offer examples in a training forum, and this can be very rewarding. These questions can help you define the policy in more detail and adjust it to be more useful.

6. Update your staff
A security policy is a dynamic document because the network itself is always evolving. People come and go. Databases are created and destroyed. New security threats pop up. Keeping the security policy updated is hard enough, but keeping staffers aware of any changes that might affect their day-to-day operations is even more difficult. Open communication is the key to success.

7. Set clear penalties and enforce them
Network security is no joke. Your security policy isn't a set of voluntary guidelines but a condition of employment. Have a clear set of procedures in place that spell out the penalties for breaches in the security policy. Then enforce them. A security policy with haphazard compliance is almost as bad as no policy at all.

6) The mistakes that senior management make with respect to the organisation’s information security

1. Failure to understand the true threat against their employees, suppliers and ultimately, their data
2. Failure to have a cutting-edge comprehensive Information Security plan
3. Failure to view data security as a "business problem" and not just an "IT problem"
4. Failure to view data security as a 3-D ecosystem
5. False reliance on an obsolete ‘perimeter protection' strategy vs. ‘data-centric' strategy
6. False reliance on cyber products and anti-virus

7) MedQuip’s Internal IT staff had stored sensitive data in an unencrypted format on unencrypted hard drives, making it easy for the attacker to access and steal sensitive data. This highlights a gap in knowledge with respect to appropriate IT security practices and reveals MedQuip’s lack of understanding regarding the consequences of poor information security.

8) Unauthorized access to information

A better understanding of data leakage channels is a key factor in successful combating against unauthorized access and interception of data. Integrated circuits in computers produce high-frequency fluctuations in voltage and current. Oscillations are transmitted by wire and can be transformed into a perceivable form. They also can be intercepted by special devices integrated in computers or monitors in order to capture information that is displayed on the monitor or entered from the keyboard. The data can be also captured when transmitted over external communication channels, for example, over telephone lines. Interception devices are detected with the help of special equipment.

Methods of protection

There are several groups of protection methods, including:

• Obstacle to the alleged intruder through physical and software means.
• Management or influence on the elements of a protected system.
• Masking or data transformation with the use of cryptographic methods.
• Regulation or the development of legislation and a set of measures aimed at encouraging proper behavior of users working with databases.
• Enforcement or creation of conditions under which a user will be forced to comply with the rules for handling data.
• Encouragement or buildup of an environment that motivates users to act properly.

Organizational means of protection

The development of organizational means should be within the competence of the security service. Most often, security experts:

• Develop internal documentation that specifies rules for working with computer equipment and confidential information.
• Provide briefing and periodic inspections of the staff; initiate the signing of additional agreements to employment contracts which outline responsibilities for the disclosure or misuse of work-related information.
• Delimit responsibilities to avoid situations in which one employee has at the disposal the most important data files; organize work with common workflow applications and ensure that critical files are stored on network drives.
• Integrate software products that protect data from copying or destruction by any user, including top management of the company.
• Develop the system recovery plans in case of failures due to any reason

Technical means of protection

The group of technical means combines hardware and software means. Here are the main ones:

• Regular backup and remote storage of the most important data files in the computer system
• Duplication and backup of all network subsystems that are important for data security
• Possibility to reallocate network resources in case of the malfunctions of individual elements
• Possibility to use backup power supply systems
• Ensuring safety from fire or water damage
• Installation of advanced products that protect databases and other information from unauthorized access.

The complex of technical measures includes measures which make computer network facilities physically unavailable, for example, equipment of rooms with cameras and signaling.

Authentication and identification

Identification and authentication are used to prevent unauthorized access to information.

Identification – is the assignment of a unique name or image to a user who interacts with information. Authentication is a set of methods used to verify the user's match with the authorized image.

Authentication and identification are intended to provide or deny access to data. Authenticity is established in three ways: by a program, by an apparatus, or by a man. Apart from a person being an object of authentication, it can extend to hardware (computer, monitor and carriers) or data. Setting a password is the easiest method of protection.