Prime Factors Blog

Navigating the Shifting Sands of Data Security and Compliance

Posted by Gwen Fremonti on Apr 25, 2017 10:00:00 AM


One thing that will never change about cyber security is that there will always be change. Protecting sensitive and private information in this age of digital hackers and scammers is more important than ever. Any organization can become a target, and the tools needed to fight the invaders must keep up; industry standards will be updated and new regulations will be added, and your business has to stay on top of all of it.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption.

Healthcare and the Demands of HIPAA

There is no escaping the fact that patient health information is a prime target of attack in the electronic age. Hospitals, research institutes, universities, medical centers, and government entities holding sensitive medical information can all become targets. An NBC News report from February 2016 stated that, “health care-record hacking skyrocketed 11,000 percent last year alone” and one out of every three Americans had their health records compromised.

The healthcare industry is heavily regulated, especially when it comes to patient privacy. The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 to protect patients’ private health information (PHI), and the Health Information Technology for Economic and Clinical Health Act (HITECH) was signed in 2009 to promote the safe use of health information technology. Every year, the regulations change and new compliance rules are issued.

Recently, those regulations have become stricter, with the institution of harsh financial penalties. In 2016, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) levied over $25 million in fines for HIPAA compliance violations. One such entity, The Feinstein Institute for Medical Research, paid $3.9 million in fines. An investigation – which uncovered a number of HIPAA transgressions – started after an unencrypted, password-protected laptop containing patient health information was stolen from an employee’s car.

In that instance, serious compliance violations occurred, and the case was even more alarming because the research institute did not use encryption technology, allowing a hacker to more easily access and read patient data. Encryption is an effective way to keep the bad guys from reading private information because it renders the data unreadable, even if they do manage to “break” into the system, or in this case, steal a laptop from an employee.

Identity Theft…The Crime of This Century

According to the Identity Theft Resource Center (ITRC), data breaches increased 40% in 2016. Based on their findings, more than 36 million records were threatened, including social security numbers, credit/debit card numbers, health information, emails, passwords, and usernames.

The government continues to add regulations to help ensure the safety of consumer information, and those regulations change continually. Europe is also stepping up its efforts with the European GDPR (General Data Protection Regulation), which includes compliance related to data security and privacy for Personally Identifiable Information (PII), and those regulations cover every country in the European Union.

Of course, there are “famous” breaches like the one that affected Target stores in 2015, but thousands more happen every year that we rarely hear about. It is more important than ever for companies to have security in place to protect sensitive data, and firewalls and malware defenders are not enough to stop potential thieves. Even the most sophisticated computer security system can be hacked.

It’s what happens after a breach that may matter more. Encryption technology can protect data during storage, transfer, and entry so that even if information is stolen, it cannot be used.

How Do You Protect What’s in Their Wallet?

If you sell anything, you will almost certainly handle a customer’s credit card at some point. This is why PCI data security compliance is almost as big a business as big business. The Payment Card Industry Data Security Standard (PCI DSS) – founded by credit card giants American Express, Visa, MasterCard, Discover, and JCB International – sets all credit/debit card security standards, and these standards are changed all the time to address the latest cyber threats. The organization released new standards at the end of 2016, adding multi-factor authentication requirements and compliance monitoring regulations for companies to follow.

As a result of the new and ever-changing rules, companies spend massive resources trying to protect customer data. Doing so is not only good business – customers will not shop where they don’t feel safe – it is required. PCI compliance requires the installation of firewalls, the use of anti-virus software, security systems to protect stored data, restrictions on who can access cardholder data, restrictions on physical access, and employee education about security policies. Companies are also required to use encryption technology to store, transfer, and access cardholder data before, during, and after the point of purchase.

Remember the Target breach mentioned above? There is an “upside” to that story. Yes, customer data was hacked, but the data itself was encrypted – so the stolen information could not be read.

Violating PCI regulations can have serious financial and legal consequences for businesses, and the rules change constantly. It is difficult for many companies to keep up and sometimes more difficult to manage the required encryption technology. There is a rising need for effective, easy-to-implement technology that allows businesses to encrypt private customer information as efficiently and effectively as possible.

There are no easy answers in this war against cybercrime, but there are tools that can help your business level the playing field – and EncryptRIGHT is foremost among them. To learn more, contact Prime Factors today at 888-963-6358 or through our contact form for a free consultation.


Topics: encryption, PCI Data Encryption, PCI Data Security Standards, encryption keys, PCI Compliance