Sample 1
PublicationEditorial SectorsPublication&Report SamplesSpecial ReportsSubscriptionsCareersContact Us

 

[VENTURES TECHNOLOGY WATCH]

 

Security & Privacy Challenges – Mobility & BYOD Impacts – Plus Healthcare Sector Impacts

 

Ventures Technology Watch Report Series

division of

Creative Strategies Ventures Corporation

11251 Rancho Carmel Drive

Ste. 503533

                                                   San Diego, CA 92150

U.S.A. 

                                                                                                                       

Ventures Technology Watch Report – Security Series

Report No. 2014-6a-Security Series

Author - Edward Poshkus, Principal Industry Analyst

Contributorsto the report:

Jeri Trippe, Senior Industry Analyst/EVP

Stan Terepka, Industry Analyst                       

San Diego, CA                                                                           Los Gatos, CA

Tel.  858-675-1425                                                                       Tel. 408-348-6639

E-mail – Sales@creativestrategiesvc.com                                      Te l.408-348-6143

              editorial@venturestechwatch.com 

Subject – Security Report Series: 

Topic – Security & Privacy Challenges – Mobility & BYOD Impacts – Plus Healthcare Sector Impacts 

Environment: 

With the massive yearly growth in smart devices – smart phones, tablets, laptops, ultrabooks, e-readers, portable music devices with internet access, wearable computers, smart watches, smart glasses plus the attendant explosion of seemingly unlimited information access points for both consumer and business has created and is expanding the vulnerability points for data breaches for impacting all sectors of life. Mobile computing is now used in about 90-95% of organizations.  We – public and private organizations and consumers – must consider and address security and privacy challenges. The need to secure information during the current decade has migrated from the typical data silos in business and in the public sector (local, county, state, and federal)to the user of any mobile device given the connectivity availability of any time, any place, and any form factor (think voice, video, data and the ubiquitous texting).

Issues of both (1) Security – Access and Information Protection and (2) Privacy – Personal Information Protections with all devices are of concern or should be for everyone in both the business and personal environments. The data and information availability via mobile devices is exacerbated by the BYOD evolution (personal plus organization use) virtually all around the planet. Information borders no longer exist for us or those seeking to abscond with it.  

Location based services create further potential security and privacy “leakage” concerns. Storage of credit card information and key personnel data on smart phones is an example of potential risk including identity theft since most do not encrypt the data either at rest or in transit. Cloud storage of private information is another issue for security can be very weak.  The massive number of data breaches in the past several years in nearly all business segments including healthcare is indicative of increasing vulnerability. 

Just think, in 2013there were about 1 billion smart phones shipped, just under 200 million tablets, and about 300+ million PC of various form factors. The installed base is massive and expanding monthly. Security utilization has not kept pace in any environment. Of course there are some exceptions but should be the rule and not the exception. How many use encryption for the information at rest or in transit? Do you? Do your associates? Do businesses? Do your friends? Not many do for in most data breaches the information was not encrypted.

How many have difficult passwords versus a 4 digit/character to activate a smart phone or computing device? Do many use facial recognition on netbooks that has been available for years and now on smart phone? Special drawing or pictographs can also be use easily as long as one remembers the flow. 

A typical user according to various pundits may have mobile 3 to 5 devices actively in use. A smart phone, tablet, notebook, a smart watch and an e-reader is an example for each of our staff. Other may have many more. Can we protect all of them? Can we comply with the needs and ever expanding compliance needs? Are Wi-Fi hot spots we can create secure? The scope increases for some devices are user owned but also have corporate data on them (BYOD).  

Figure 1 

Devices a Typical User May Utilize and Own

Slide3_1.GIF

The current environment offers a significant and profitable business opportunity at multiple levels. The needs are not just software but also personnel who understand the issues and the investment involved to reach acceptable risk levels. A key concern is defining the acceptable risk level in each sector and information class. Corporate intellectual property (hard and soft), PII (personal identification information) or PHI (protected health information) are associated with differing levels and also from perspective. 

Healthcare is an interesting segment and offers opportunity for products defined or adapted to the special needs. Fulfilling compliance requirements in Healthcare are a key aspect for mobile technologies. Healthcare is moving to Electronic Health Records (EHR) and must contend with HIPPA compliance issues. Sharing of the medical records with other healthcare providers exacerbates the challenges as the sector moves to Stage 2 of the Meaningful Use EHR incentive program.  We will discuss the Health Care sector specifically in a later section of this report.  

The global workforce is increasing becoming mobile. Some estimate close to or a bit above 1 Billion mobile workers worldwide. Next one can add in the billions of other mobile users – sophisticated or not with feature phones, smart phones, tablets, laptops, portable music devices with internet connectivity and other computing devices. Social media, virtual offices, web conferencing and video telephony all add to the connectivity explosion that continues and adds vulnerability points for commercial and personal loss. Global needs must be considered in any product planning to leverage investment.  

Figure 2

Slide2_1.GIF

   

The levels of protection as a function of the risk levels, cost of loss, plus regulatory and compliance issues is a key consideration in selection of what is needed to achieve the security and privacy protection goals. Complete security may not be possible but there are practices that can reduce the risks significantly bit in transit and at rest.      

Mobility  

The more connectivity we have the more we want but frequently potential vulnerabilities of this anywhere, anytime, any device access are ignored. The explosion of mobile devices generates increased security vulnerabilities such as network intrusion, DLP, device loss, and personal and business data loss. The type and availability of mobile devices continues to expand dramatically with no slowing in sight.   

Figure 3

User Connectivity is Location/Sector Independent  

Slide1_1_1.GIF

Given the explosion of BYOD, the potential points of attack are virtually anywhere and can occur anytime. Although business and personal information can be siloed on a BYOD unit it is not always possible. With the pervasiveness of mobile devices in business, biz-com (business-consumer), consumer as well as many in the public sector unfortunately do not have, do not consider or do not rigidly enforce policies to protect the information flows and minimize data loss potentials.  

This creates significant potential profit opportunities for vendors as more major data breaches and losses are publicized plus the evolution of BYOD in business requiring security solutions.

The typical Mobile User Environment – essentially information access– voice, video, data and the ubiquitous texting -- from any device, anywhere (without the traditional work boundaries) and anytime - is illustrated above to indicate potential attack points. Specific connectivity points are not indicated but access includes all wired and wireless technologies and the more mundane such as portable hard drive devices including the ubiquitous thumb drives. Not all users have all devices but it is necessary to view the general scale when assessing dangers and of course commercial opportunities for security products. This is a bi-directional “borderless” flow of information 24/7.

In devising the necessary precautions to meet our goals, the user environment must be considered global given the reach and ease of use of all communications technologies is it voice, video, or data. Information storage (cloud vs. on premise) can add complexity as well.  

NOTE –In our previous security series reports we have addressed potential security issues such as – Cloud; Virtualization; Compliance (GLBA, HIPPA, PCI and so forth); Blended Threats; DLP; Encryption; Thumb Drives; and Policy with the explosion of mobile devices. We may touch upon some of the facets here as we address the increasing global threat profiles for they all are facets of mobile security.  

Privacy  

Privacy is a key concern for private information flows. Stored data are being compromised in many areas (financial and personal healthcare examples) despite some search executives saying there is no such thing as privacy and none should ever be expected.  Despite their opinions – There are questions beyond the function of generating revenues using collected data for marketing purposes and revenue generation. Privacy expectations do exist and some are mandated by law as in HIPPA. 

The lack of universal encryption when data is at rest or in transit is addressed by a relatively small number of organizations. Self encrypting hard drives are superb but vast amounts of aggregated information is stored in the clear. What happens when that is shared with third parties? Do they have the same level of concern as the individual or company that may be compromised?  Secure storage and encryption technology is a significant revenue opportunity across all sectors – private and public.  

Are there any vestiges of privacy left when (1) location based services track user movements, (2) browser use is tracked and many companies battle any “do not track” efforts,(3) strict privacy controls by various providers essentially do not exist, and (4) here is little oversight for privacy protection. Should there be privacy when a user indicates “do not track” by adding DNT software to the browser? Should a consumer’s web search for specific healthcare information be harvested or should it be protected? An interesting development could be an option to “hide” the specific health search. Possibly searching through a site such as DuckDuckgo.com that does not track is sufficient. Should that user’s stated wish be ignored as it is by many data collection firms or at least be asked to “opt in”? What happens when an employee’s data searches are harvested from their BYOD? What happens with losses of private information from data breaches?  

Does any user know or have access to their private information stored by the search engine firms? Do they have knowledge or any access to the information harvested, stored and sold by the information aggregators who sell to anyone? Should this be tolerable with personal health information? Many other questions can be added and feel free to do so. Each question though could be an opportunity for inventive minds. 

In this environment -- Both privacy and security levels desired must be a decision by the company and the users whenever and wherever possible. They do tend to be interlocked in planning but can be addressed separately. We are merely pointing out elements than can be identified and some solutions are discussed. They are not all inclusive or exclusive but are talking points for implementation and potential revenue generators.  

1. – Connectivity Environment

For the purpose of this paper we do consider both fixed and mobile connected devices for vulnerabilities exist within both environments. The focus is primarily the mobile devices aspect for the growing points of vulnerability and now exposure has few closed boundaries as we experienced with earlier LAN connectivity for PCs. Emergence of laptops, netbooks, ultrabooks, feature phones, smart phone and tablets and any device that can connect to the web are the primary connectivity gateway for ever increasing information flow. We now have to think in terms of petabits (or more) total information flows in aggregate to and from billions of devices. Virtually every contact can have potential vulnerability issues that need to be addressed nearly on a device by device basis.

For example, we now have more phones of all types in the world than the total population. The mobile phone devices represent about 75% of the total. Mobility demand has been and continues to be driven by the explosive growth of smart phones, i.e., Apple’s iPhone family, smart phones by Samsung and from other global vendors based upon the dominant Android system. Bluetooth connectivity may add another vulnerability point. 

The sophistication of smart phones continues to increase dramatically and we continue to be dazzled by the array of mobile devices – tablets, ultrabooks, net books, laptops, texting devices, readers and so forth -- that we encounter at a variety of shows during each year such as CES, CTIA, VoIP, Networld Interop and many others. As the installed mobile base increases, the threat horizon does as well. Although smart phones may represent over 80% of the current handset sales, not to be forgotten is the significant installed base of feature phones with internet access. Feature phones allow web access from the handset and text messaging capability but do not have the inherent power of the smart phone. IP voice communications via Skype et al is also another opening for the malicious. Social media access is another potential vulnerability point. Think about electronic wallets and the potential loss of personal financial data. 

The tablet phenomenon (iPAD® family and a host of Android based Tablets and other OS’s) adds another vector to the mobile device population explosion. Sales forecasts for Tablets of all types are now approaching 200+ million per year with. Laptop and desktop computer sales are in the area of 300+ million unit sales (and up-ticking recently) with the majority being mobile units. Ultrabooks and netbooks provide a computing option for a light weight portable computing device that compliments the laptop population and have core computing capability for business that the tablets do not have. The laptops and tablets are complementary in many business cases.  

E-readers, such as the Kindle® and others, yield another mobile and web connection venue for all users’ – consumer and corporate. One subtle security danger point is the thumb drive connectivity and the pocket hard drives of several terabyte capacities or more – given the ease of misplacing the devices (we are guilty here for we have misplaced thumb drives) and the utter lack of encryption use by the vast majority of users. Other aspects in this mobility environment include the music players such as the iPOD® flavors and all the competitors given the web connectivity, sharing, and synchronization factors between devices.    

Features and functionality of smart phones, tablets and the blurring of capabilities with computers have exploded the day to day reach of our un-tethered end point environments. Further, social networking applications create security headaches for the CIO both within the corporate campus and externally, especially when more and more connect from public hotspots or with the BYOD devices at home and then brought into the business. The avenues for data flow/migration/sharing plus potential critical information breaches keep increasing daily. An example is the prevalence of social networking in personal and business environs.  

The shrinking sizes of the devices plus the dramatic capability increases are superb for the user.   We see an amazing array of electronic devices, computers, smart handheld devices, telephones, transportable storage units, connectivity possibilities from wireless (3G, 4G, LTE etc and now discussion of 5G),  high speed power line and evolving wireless connectivity possibilities including personal “hot spot” creation extend information flow through the enterprise, SMB, SOHO, IP  and home (now nearly a digital home). Mobile devices we carry even into our vehicles (think of Bluetooth enabled GPS devices that enable telephone calls) - all marvelous enablers in our information focused society and business environments. Use of Bluetooth in the vehicle creates another security point. This functionality does create problems for the corporate IT departments as well as private users. How can we ensure security of information and the integrity of corporate data for the mobile endpoints and users? Is it possible given the flood of social networking messages? What are the safety implications of texting while driving or walking into traffic with limited awareness of the surroundings? Here the use of Bluetooth or Wi-Fi connectivity exacerbates the loss potential. The connected home is not yet a high visibility point.             

Most enterprises and many SMBs utilize wireless networks and provide their staffs with wireless devices of one type or another (vanilla cell phone, feature phone, smart phone, smart device, tablet, ultrabook, netbooks, or laptops).  There are several billion cell phones of all flavors in use in the world today (along with multiple O/S versions) and the actual number is probably much higher than estimated given the explosive growth in China. The demand for sophisticated mobile units seems to expand geometrically. Growth is projected at 50-100% per year depending upon which pundit is contacted and which geographic area is studied. The actual growth is probably close to 100% per annum and only mildly curtailed by current economic conditions and bandwidth capacity. This is reflective of the ever increasing information flow for business and personal consumption including social networking and meaningless tweets (billions of messages of all types per day).  

Vulnerability points are now spread over multiple locations, wired and wireless connectivity, operating systems, and a vast universe of ever changing devices and added operating systems. Security issues are increasing in complexity and sophistication required to prevent integrity of information transfer be they business, government, social and personal. This does create an immense opportunity for security software and hardware providers. We further need to consider the expanding utilization of Unified Communications in our security planning. 

The PC environment is relatively consistent with OS upgrades from the vendors. The eReader segment has been dominated by the Amazon offerings but now there are a host of competitive devices. However, in the smart phone universe, operating systems now include primarily Android and iOS®, each with its own set of strengths and weaknesses. One concern is the inconsistency in Android OS version in similar devices which can complicate the security management problem.  There are over 1 billion installed using the Android OSs.  

The tablet sector is undergoing a transition as well as more competitors select the Android operating system to compete with the iPAD universe. Apple currently is the primary OS force followed by Android based tablets which are eroding the Apple position.   

In essence, given the explosion of mobile and computing devices, bandwidth availability is a crucial facet to meet the demand for voice, video (streaming at a minimum), and data demand fosters the evolution from 3G, to 4G and LTE wireless networks to satisfy the volume requirement. It is not only the wireless bandwidth but backhaul limitations that are crucial to network expansion. The increasing messaging, file sharing, video, and so forth strains today’s bandwidth availability and will continue to do so. Look at the data consumption impacts on the AT&T and Verizon networks by just the iPhone® users. Usage restrictions have been being applied as a result of “pipe” limitations and throughput limitation of the routing infrastructure.

The topic of “Net neutrality” has high visibility in the press and inWashington at times. The move proposed by the FCC to segment the bandwidth for sale to high volume content providers is viewed by many as a political way to destroy the internet as we know it today and move away from the egalitarian design that has functioned well since inception. We can discuss the subject in private and we will cover the subject in a future report.

The global wireless network continues to respond to demand for high speed bandwidth and added spectrum to facilitate connecting anyplace and anytime with essentially any device – either business provided or user (BYOD) supplied and the consumer environment. The plethora of information access points are now anywhere in the world and create paths for breaches of personal and corporate critical information and intellectual property from hundreds of millions of devices and transfer of petabytes of data annually with no end in sight to the volumes. The move to more femto and small cells facilitates meeting the demand is an example. Qualcomm indicates a 1000x in network capacity may be possible with small cells. (This will be discussed in another issue). 

The security focus and complexity continues to shift as a given end point may be anywhere in the world driven by the sophistication and ubiquity of mobile devices and massive population (billions) of transportable information devices. As such, there are no longer any clearly defined boundaries for management for security issues. BYOD blends corporate usage/information with private user information creating more challenges.  

Unfortunately security policy/concerns at all levels is the laggard in this evolution even as the capabilities of the devices explodes. Attacks can come from any direction be they malware, spyware, phishing, spear attacks, drive-by attacks, hacking, simple device loss/theft, or other modes. In our opinion not enough attention has be paid by the device providers or by the consumers/users of the devices. Simple passwords of 4 characters are inadequate but are a minimal start.  The ability to remote “wipe” a lost or stolen device is a strong point in protecting against lost devices ( albeit not universally applied or enforced), does provides a modicum of protection. The threats are not merely in the devices but can be attacked as well by the recent publicized vulnerabilities of some of the consumer “cloud storage” offerings such as Drop Box and others.    

Yet, this ability to be untethered and to connect anywhere and anytime generates ever increasing opportunities as well as security issues and threats beyond the potential loss of a device. The smart phone is a device that can and does hold much of our personal and business data in a small device and provides data connectivity with web browsing capability. Both consumers and business users are faced with an ever expanding horizon of potential attacks and information loss at the desk, home, coffee shop and virtually any environment. We are ignoring any potential dangers of location based information flow. Our focus is the connectivity aspects – smart devices, wire line, wireless, smart devices and transportable information systems (flash drives or discs). Unfortunately, most of the information flow remains “in the open” for few users and corporations utilize encrypted communications other than Blackberry in the past. 

Our surveys in the Home, the SOHO (Small Office Home Office), SMB (Small Medium Business, and Enterprise environments monitor the awareness and impacts of emerging concepts plus technologies upon information security and potential and real malicious attacks. We include the home environment and tele-workers for connectivity within the home for their information typically flows through poorly (if at all) secured wireless networks. A further extension is Wi-Fi connectivity (or femto cells) for the network. (We will do an in-depth study in the future). 

The advent of Wi-Fi and WiMax enabled devices/phones further add to the potential risk of breaches in the information flow. Recall how often one sees a user studiously tapping away on a smart phone for email or social connectivity/messaging – both sending and receiving in a coffee shop alongside those using a wireless connection. Are those connections secured? They probably are not to the consternation of the corporate CIO and Senior IT management. Most users seem to ignore the possibility of a breach/loss. Far too many fail to either enable basic security programs and firewalls or to keep them updated given the massive increase in threats each month.  

We will discuss the perceptions and technological needs based upon our user and industry discussions. We do not intend to enter into an extensive technology discourse for the merits and ultimate success in the marketplace is a function of satisfying the user perceptions and needs.

The focal points are – Connectivity and Security Risks Wireless (all flavors including Bluetooth), Wireline, Powerline, Physical networks, Spyware, Malware, Phishing, Spear Phishing,  Rootkits, Theft/Loss, Drive-by attacks, vulnerability from external data storage offerings.   

1A.Threat Issues – Are they Real? 

The “Verizon 2014 Data Breach Investigations Report” results yielded some astonishing numbers from 50 Contributing Organizations.  In the 2013 data base, there were 1, 367 confirmed data breaches and 63, 437 security incidents. This represented 95 countries in the global nature of the report. (These are only the reported incidents).         

Threats included 

POINT-OF-SALE INTRUSIONS

WEB APP ATTACKS

INSIDER AND PRIVILEGE MISUSE

PHYSICAL THEFT AND LOSS

MISCELLANEOUS ERRORS

CRIMEWAREPAYMENT

CARD SKIMMERS

DENIAL OF SERVICE

CYBER-ESPIONAGE

EVERYTHING ELSE

 

The breaches can result from many factors, either internal or external. Much has been written about hackers and hacking for high value theft and resale and will not be addressed here. Device loss or theft is another element as are mistakes disclosing information. Misplacing digital records by insiders or outsiders working for the business (discs left in a car with unauthorized transit), through vendors security practices (A Retailer Breach example), and the list can go on. 

More businesses are increasing their visibility levels in face of the breach notification laws in at least 46 states. Not all notifications are timely, i.e. a major retailer. A major telecom had a data breach by one of their vendors but waited over a month to notify customers. At the opposite end of the spectrum is PF Chang’s China Bistro notifying customers in a matter of days after the loss discovery. In the public sector, there were 47,479 incidents with 175 confirmed losses. 

Adding to the difficulty in securing and protecting the PII (personal identifying information) is a major failure by those collecting, requiring or using the PII with a cavalier attitude (in the past) for protecting passwords, emails, financial account information, credit/debit card information, and in many cases the social security numbers. Protected Health Information (PHI) is another matter. In the Verizon report data base, healthcare had 26 incidents with 7 confirmed data losses. 

Several examples of data breaches in healthcare are:

a.       A northern California hospital where an unencrypted USB drive with PHI of 34,000 patients was stolen from an unlocked employee locker. This was a preventable occurrence with proper trading and security processes.

b.      A massive data breach at UPMC health system was caused by a hacker and exposed all 62,000 employees PII information including SS numbers, bank account information, and other private data. This did not expose patient information but highlights the needs for broad based security procedure beyond HIPPA needs. 

An interesting side note is thieves can sell a stolen credit card for a dollar or two in the street. PII can be sold for about $10 while PHI could reach $50 for each record. This is indicative of the values and importance of consideration of vulnerability for customer/client records. 

Yes, the threats are real and are occurring continually. One pundit noted that about 90% of healthcare organizations had at least one data breach in the past 2 years but did not indicated the type of breach (PII or PHI) or severity. Any methodology, new, current or emerging in our mobility universe is a strong market opportunity at multiple levels and across a broad spectrum of sectors.  

2. “Connectivity and Security Risks”  

If we so desire, we can be connected 24/7 with very few location exceptions. Cellular, Wi-Fi, Wi-Max, Wireline, 302.11 b/g/n, femto cells and Powerline are all available for connecting nearly all our devices including HDTV in a high speed (802.11n) home network or smart home. The vulnerability accrues from an ever increasing number of entry points. Consumers, public and private employees all need to increase awareness and practices to minimize loss risks.  

We can synchronize our smart phone, tablet, netbook, laptop and desktop and spread that information across all devices and any networks we use and in marginally secure cloud storage. This creates an interesting possibility to spread malware infections if not careful. Social networking can further exacerbate entry points and malware spread given a mix of personal and corporate mobile devices. End points must be the focus to identifying and address the general risks to create and implement an effective security policy at the business or consumer perspective. It is a question of scale and education of the end point connection.  

The following table delineates the elements for an end point policy concerns to formulate a policy. Not all are applicable to each situation (consumer) but can be used as an educational list for both a business and for any BYOD application 

End Point Policy Concerns

Applications Used

Agreements in Place

Compliance Requirements

Privacy Issues - BYOD

Services Provided

Security Requirements

Cloud Storage – Corporate and Personal

Social networking  

Brief questions are illustrated below for each aspect in creating a policy – primarily business with a BYOD policy (over 90% allow or will allow BYOD). The listing and questions are not all inclusive but are an indication of considerations. 

a.       Applications – What applications should be used, what should be avoided, what download points are safe, Are they scanned for malware before installation?

b.      Agreements – What are the understandings with employees who have corporate data on their device(s)? Is there a formal (written) policy?

c.       Compliance – This is a function of the industry such as healthcare – think HIPPA. HIPPA requires native encryption on EACH device for data that falls under it. There is an alphabet soup of other compliance requirements.

d.      Privacy Issues for BYOD – How is corporate and personal data separated/segregated? What is collected from the devices? What is permissible?

e.       Service provision- Is there a VPN? How is business email treated? Is there software provided? Automatic updates?

f.       Security requirements – Are the requirements understood? Secure passwords, User authentication, remote wiping, restrictions, security/malware software, and encryption requirements? External drives and so forth.

g.      Cloud storage – Corporate approved or acceptable cloud storage use.

h.      Social networking – Again personal versus private and how to separate on BYOD devices. 

Awareness of key vulnerability/attack points by hackers and cybercriminals is crucial. Several are: 

·         Weak passwords than can be identified via dictionary attacks

·         Eavesdropping on unencrypted wireless communications

·         Unpatched software is always vulnerable

·         Incorrectly configured network devices -- routers are an example for default setting are not always changed

·         Attacks on vulnerable databases via SQL injections 

The list can go but this is merely “food for thought”. Given that the mobile devices have internet connectivity, attacks used on desktops have in many instances migrated to the mobile arena. Furthermore, connection via Wi-Fi or Bluetooth can be at risk for the Bluetooth device or Wi-Fi may have been compromised and can be potentially used for a “man in the middle attack”. There are a host of buzz words surrounding this subject matter. We can discuss the points individually by contacting us.  

3. Are there security solutions -- Potential Considerations/Responses? 

Security issues/threats now emanate from many directions. The same technology to connect disparate networks, provide seamless interoperability between systems and converged network management through web connections are used to create security breaches.  Unfortunately and not especially surprisingly, in our surveys, we find many do not create and routinely update and follow basic security, risk assessment, and vigilance policies. We continue to find corporate networks unprotected from something as basic as identity management (who can connect to the network) to unprotected wireless access points. This has worsened with the advent of tablets, smart phones and lack of BYOD policies. Use of cloud storage can create added threat points if not secure or information is not stored and sent encrypted. Encryption key management is a problem but can be resolved.   

The problem appears to worsen at the Home, SOHO and many SMB locations but the business and public sectors are vulnerable as well. For example, in setting up a wireless home network, many do not use even WEP to eliminate rogue access connectivity. It would appear intuitively obvious this is a problem that needs to be solved – Is there a plug and play setup program for the unsophisticated home user? The problem will be exacerbated as more devices are added to the home network as well as SOHO.  A consideration is to be sure to protect both PII and PHI at a minimum.    

The simple use of strong passwords (strong- meaning a string that is not 3 or 4 characters) can minimize some potential vulnerability. An example is on-line banking – most users have strong passwords for on line banking on their laptop or desktop but this does not necessarily carry over to all mobile devices. Also, we as users seem to have a plethora of passwords. Can I actually recall each password for my desktop, laptop, netbook, tablet and phone given that I acquired at different times and some devices limit the password strength? That is a real problem seeking solution. Do we, as consumers, change them regularly when not forced to do so by a network administrator? Should there be single sign-on and dual authentication for all users that is provided as a service?  

Single and dual authentication processes are an excellent move for accessing corporate information. It is merely one step in the overall security net. What information can be downloaded? Is it encrypted in transit and at rest? Can it be wiped remotely if the device is lost? Is it segregated on the BYOD device? (Please excuse us if this is repetitious but we are advocates of security at all levels.) 

Use of biometrics is a step in the right direction. It can be a fingerprint reader – it is standard on our company laptops as is facial recognition but not on all the tablets or smart phones yet. Facial recognition might be ideal but does have problems at times. Use of graphic motion/drawing can be useful as a security tool as well. The key is strengthening the device access point. Mobile security software is readily available as well but few have it installed. Should it be a requirement for BYOD? Most would venture the answer is yes but is it actually implemented today? Also, remote wipe software should be included as well in case the device is lost or stolen.  

Security attacks are very sophisticated. No longer is it simple Spyware. Now it is potentially damaging Malware, Phishing, and Rootkits that we all face on the smart phones, netbooks, tablets, e-readers and phishing through Tweets and other social networks. How many smart phones are protected? How many netbooks/ laptops/tablets/e-readers connecting to public wireless networks are securely protected from carrying a threat back to their base network? How many are carrying unknown (to them) threats on the ubiquitous flash drives or small portable drive many of us carry to a meeting while travelling instead of a computer? How do we keep from allowing such a threat from a portable drive or smart phone or tablet to enter the network? We do need to keep in mind that walking with a flash or similar drive is now part of the network as is a portable music or video player. This is independent of information format for we all receive voice, video, and data routinely, any of which can be corrupted by a security attack. Yes, the statements continue to be made over and over despite efforts to educate everyone and foster minimal safe practices including data encryption. DLP (data loss protection) is crucial and proprietary data loss can be expensive to either the corporation or the consumer. Think about the consequences of losing an electronic wallet with your financial data that was not protected by encryption. 

Network security and Malware attacks are just one aspect of this problem. Loss of netbooks/laptops/tablets/smart phones with the attendant company and personal data losses of confidential information continues to occur despite the publicity each time a credit card or personal information is lost. The major concern, given the financial and business exposure, is how to stop it. Most have no idea they should encrypt with readily available tools. It is not a panacea but it makes illicit data use much more difficult.   

“Cloud Computing and Storage” is another potential venue for potential data loss. The concepts do require another set of information integrity and breach protection. There needs to be standards used so that the users understand the associated risks rather than a case by case or cloud vendor by vendor approach. There are benefits but we strongly advise caution when pushing intellectual property into a public cloud. In many cases, each time data is uploaded to the “cloud” some information remains on the mobile device with its potential theft. Again, opportunity abounds for hardware, software and service vendors for those astute in solving the issues but progress is slow and few universal standards exist in real time user environments. Again, encryption in transit and at rest is a key deterrent that should be followed. 

The thumb flash drive and portable hard drives (a 2+ TB drive now fits in a shirt pocket) are another risk factor. How do we keep track of these small tools we use especially traveling? Should we have automatic encryption for each time we use the device as can be done with self encrypting drives? How does one keep track of the encryption codes used for such a multiplicity of devices? We can lock downloads to the device and restrict uploads today. How large is the business opportunity? 

Should a security chip be embedded in every device for restricting access, encryption, and “wiping” the device if the device is lost or stolen? This is and will be a key factor in smart phone physical loss. Legislation for “Kill Switch” to be built into the smart phones is progressing. The size (landscape of the device) may not permit such a hardware addition but firmware may solve the issue.   

Some vendor interaction is welcomed such as the fingerprint reader and rudimentary facial recognition now standard on some laptops and other devices as a basic protection. Identity management for access is increasing in corporate networks. Many now will not allow an unrecognized device – laptop, flash drive, netbook, tablet, smart phone, music player – to attach unhindered to the network. Some thumb drives offer some levels of security with the device. However, with an encryption methodology in routine use by corporations the data loss problem can be minimized. The same is true of users at their desk or home. An opportunity exists, particularly in the user environment, for an easy to use and easy to decrypt software packages. They should be preloaded in new computer and device sales but are readily available with some self encrypting hard drives.  

Note: Potential security risks (and privacy) with respect to the use of social networking (Twitter, Facebook, LinkedIn and others) will be discussed in our 4Q security report.  

4. Privacy – Can anything be done? 

Security and privacy issues tend to be interlocking. User education and awareness is vital for there is no ultimate security for any encryption can eventually be broken. The key is to increase the difficulty of accessing our information – corporation and personal – so that it is not as attractive to attack as any information stored or sent in the clear. This does provide some privacy protection for personal data as well as corporate.  Self encrypting drives (hardware and software) are readily available. Email and messages can be sent encrypted. Simply using the encryption capabilities of Outlook is a start and is available but few users take advantage of this or may not be aware of the feature.

We also need an awareness of privacy issues as well despite some executives saying there is no such thing as privacy and none should be expected. Most users expect some privacy and at least the ability to “opt in” for broad based disclosure to protect what personal information they desire. After all, corporations do tend to protect their information and do have expectations for protecting internal private and privileged information so why should not a user expect the same. 

Are there any vestiges of privacy left when location based services track user movements? Browser use is tracked and too many companies battle any “do not track” efforts. Strict privacy controls by various providers essentially do not exist, and there is little oversight for privacy protection. Facial recognition and tracking in retail outlets for determining traffic flows by gender is enabled by our communications technology but can it go too far if they identified each user personally. Yes, we are monitored visually on casino floors in Las Vegas but we accept that function because we know it is there and make the choice it is acceptable or we can leave.  

Privacy concerns with wearable recording devices are another question? Do you wish to be recorded anywhere without your knowledge? Could private corporate information be recorded without someone’s knowledge in a meeting? It is doubtful but may be feasible. Technological advances are marvelous but at times need some oversight. 

There is “Do not Track” software available as well to help protect our on line privacy. However, it is not 100% foolproof for some companies and information harvesters try to and do circumvent the feature for their own benefit. I routinely use DNT software but there are always several tracking cookies that slip through despite the software. Some vendors do not honor the “DNT” on the unit. Maybe a national do not track list similar to do not call listing is needed. Social networking can lead to significant privacy intrusion if the users are not aware of the vulnerabilities. This is partially driven by user choice as to what is acceptable or not for posting. Education would seem to help with some and simply awareness is a major assist. 

5. Mobility and BYOD – Healthcare Environment 

Healthcare information is taking a major role in our lives as the industry moves forward to electronic health records and information sharing with the patients. Healthcare has its own issues especially given the government “push” for electronic records. Many vendors to the industry are competing to store personal health information. EHR – electronic medical records – need special protection. Should they be able to be harvested for marketing purposes? Is that compliant with HIPPA‘s encryption requirement? 

Approximately 85-90% of healthcare practitioners use their personal smart phones in day to day activities. BYOD provides choice, impacts efficiency and can reduce costs. There are concerns.  PHI (protected health information) such as medical record numbers, social security numbers, and names as an example are not be downloaded to a BYOD. This requires a device management program to ensure compliance with the HIPPA requirement. BYOD programs must meet the complexity for practitioners that work with different affiliations, each which may have different messaging and management systems.    

The challenges can be resolved but a number of criteria need to be addressed. A solution needs to recognize what information is PHI to control what is downloaded for HIPPA compliance. Regulatory compliance necessitates audit logs including IP address, user data, IP addresses, device, and URL accessed. Also needed is knowledge of the sensitivity and where it is disseminated. All the while, is the need to provide the practitioner with privacy and security for the personal information on their device. 

Physicians use tablets as well for work (75%+ is a low estimate) and similar constraints as the smart phones are in play for compliance. All information in transit and at rest must be encrypted in any policy.  

Key concerns here are: 

a.       How do users on the network interact with those outside the controlled network? How to identify and control PHI here?

b.      How long can PHI exist on a device? Can it be deleted when authorization changes?

c.       What personal programs are installed that could impact the network? 

Many use cloud storage for cost savings. Cloud storage utilization can be attractive for the industry but does have vendor vulnerabilities. If they are “in the cloud” not all may be compliant with many government regulations. Also security may be severely lacking if at all. One question is whether or not all records are encrypted in the cloud storage and when accessed for transit. 

The HIPPA Omnibus Final Rule, finalized in September 2013, makes business associates liable for data security breaches. The Healthcare organizations should and must have business associate agreements (BAA) in place. Many cloud vendors were somewhat hesitant about the rule. Google, Microsoft and Box comply now and more are being added as a result of the rule.  

The need for the rule addition was evident. Prior to 2013, the associates were involved in over 50% of large scale breaches. In 2013, it dropped to 10-15%. 

One example of the serious problem (now resolved) was in 2011 when a billing contractor for Stanford University Hospital allowed a spread sheet to be posted on-line and exposed 20,000 patient health records. It was a year before it was discovered. The BAA provides an incentive to avoid such occurrences and should be included in the security policy. 

On the patient side is the portal access to the health care records and healthcare related internet use. We have the same mobile devices at hand as the healthcare practitioner. Typically, we as patients may store some of our health record electronically; use a health app of some type; have tracked and stored health patterns; ordered prescriptions on line; set doctor appointments; obtained test results; visited our insurance website; or chatted on line with a healthcare professional.  

Some of the practitioner contact and information flow is via a patient portal. Depending upon the portal structure and security structure, the communication could be at risk as with a transaction on line except the loss impact is higher in most cases. Secure sign on and user authentication must be part of the process but not be overly complex. Strong design provides confidence to the user and encourages more use and efficiency for all involved.  

Health information exchange (HEI)  is growing and that can aid a patient and physicians using different entities for their healthcare or the patient requiring assistance when travelling out of the area. In some cases disparate information systems are in use hampering the exchange. There also are concerns with the security of public exchanges. The policy to minimize risk is for a hospital not to import HEI data into the system but view it at the portal. The government has endorsed a secure messaging protocol – Direct Project – to push messages and attachments to each other. Direct messaging can be use the meet some of the Meaningful Stage 2 information sharing rules. EHR requirement must be met for compliance. 

Smart phones, laptops are tablets are routinely encountered in the healthcare arena and there is an expectation of security and compliance from the patient perspective. Now enter, Google Glass, for the healthcare arena and within EHR. One company is adding Google Glass in its offerings so that a doctor can take a picture or pictures during surgery to send into the patient records, record videos of patient visits, view patient profiles for all appointments for the week and real time data streaming of patient visits so the doctor can have anyone (physicians, family, scribes and so forth) watching anywhere in the world. Is each end point secure? Is this a PHI that must comply with HIPPA?  Should it be a patient option? How is the data protected and stored in this worldwide viewing? It raises a few interesting concerns about privacy also for it appears to be very invasive of patient privacy and EHR.  

Just think - Do you want your corporate personal financial and health data to be stored in the clear (not encrypted)? How many of us would want our medical records electronically stored or electronically transmitted in the clear? Are all tablets being used in HIPPA compliant sectors truly secure and compliant? Is a 4 digit password secure and hard to break? Should it be stronger and how to ensure it is? An interesting opportunity exists in this vertical market. Many practitioners use mobile devices for personal and professional needs. Nearly 90% use their own smart phones.  BYOD increases efficiency and can reduces costs but there are issues in what can and cannot be done and compliance must be absolute. 

Summary 

Security awareness and actions to prevent losses/breaches of corporate intellectual property (all types), data and personal information (PII and PHI) requires effort on multiple levels. No element – vendor, corporation, health care provider, business user or consumer - can abrogate their responsibility for prevention and protection by trusting it is “taken care of” by someone else. We do have techniques and technologies available than resolve many of the potential weak points in this data anywhere, anytime and any device world. 

a. Vendor Level -- Regrettably, the security and threat mitigation seem to remain low on the radar screens of many hardware and software vendors. Many are increasing efforts but it is insufficient at this time in our opinion. Provision of full disc encryption and fingerprint readers and or facial recognition for access with all hardware seems to be the ideal target. Transition to such an environment will take time but does need to be expedited. Software to “wipe” a stolen device is available but most do not include it with the hardware and the third party push is somewhat limited in the secondary market. This is shifting with laws being passed to include “Kill Switches” in all new smart phones. Meanwhile download a third party app for some protection. 

b. Corporation – The corporations are being bombarded with a plethora of consumer devices brought into their environments, many times ad hoc without concerns for security of personal devices. Security procedures from the past are no longer sufficient for the network is no longer closed. Our surveys indicate activity is improving but many organizations in our sample universe are doing very little to ensure security policies are dynamic and up to date. Even device loss protection can be an afterthought. Further, encryption seems to be an afterthought in far too many cases. Why is data kept in the clear and then have to explain major data breaches by their staff or third party who has the information? Failure costs are high?

c. SMB – The small business universe can be vulnerable for they generally do not have the personnel resources to fully address the problems. Here the hardware and software vendor can provide direction and solutions if they target this sector. 

d. Business User – Given our mobility, each user needs to understand and act upon the security policies of the business and suggest changes based upon their experiences. One cannot assume “corporate” has the complete solution. Device loss is a key concern and the company must have the ability to wipe the device once the business user provides notification of the loss. This can be difficult with BYOD for personal privacy and personal information loss becomes a concern. All information on portable devices – thumb drive or pocket hard drive – must be encrypted for it only takes a few moments of attention. 

e. Consumer – Our surveys indicate the majority of users do not secure their home networks very well – a relatively simple action to remedy but is too often ignored. Personal devices are being used for more vulnerable and valuable (V˛) applications – i.e. online banking for convenience with one line passwords are vulnerable for theft. Also encryption is lacking in most consumer computing devices. Unfortunately, most only pay lip service to security until a device or personal information is lost. 

f. Possible steps – With a few steps we can readily layer security protection for many devices, be they laptops, netbooks, smart phones, held computing devices and others.  

1.      Ensure a STRONG password is used and change it regularly. Do not write it down if at all possible and keep it separate from the device/office locale. Use two factor authentications wherever feasible.

2.      Use full disc encryption as much as possible and include encrypting portable devices and cards. If using Windows one can use the built in BitLocker or use third party products. Encryption software typically will include:  

256-bit AES Encryption

Data Reliability

File Shredding

Password Meter

Password Generator

Virtual Keyboard

History Cleaning

Stealth Mode

Manual Wipe

 

3.      Device loss, misplacement, theft – There are various approaches and products one can use. The first is a product that will lock and wipe the device remotely. Another is to use a service to label the devices with a return program. Others are services to track devices (GPS location) or spying systems that activate when a device is reported lost or stolen.  

4.      A finger print reader integrated on a laptop or netbook provides a higher level of security. There are also third party devices we have used that work well and resolve the legacy issue. Just be sure to activate the device with two entries in case one finger is wearing a band-aid. 

5.       Biometrics for end point access security (could be part of added step for sign-on) seem ideal. However, initial applications of facial recognition on the laptop did not perform consistently but does offer an intriguing possibility. (I have problems with facial recognition on this laptop and I am sure others have similar experiences).Most new devices today have a camera of some type so it may be feasible. After all, there is some testing now with use of recognition technologies to track shoppers and then deliver ads to their devices.   

6.      Be aware of the concerns with unprotected hot spot connections. 

7.      Use “do not track” software at all times. 

8.      Be aware of opt out versus opt in features and capabilities and use them to have some privacy protection. Keep in mind most trackers seem to always us opt in as a given. 

9.      Use available email encryption routinely. 

10.  Just ask what damage can be caused if critical information is not secured or what would be lost. Would you want your personal health records stored in the open? 

g. Given the popularity of Android based devices (and the many flavors of the OS in a 1 billion plus installed base) a separate commentary may be helpful when considering vulnerabilities issues or end point policy. 

1.      Device lock/access – Use a password and consider an app that may allow a gestures to unlock 

2.      Install remote wipe software to use in case of theft or loss of the phone to delete the data. It may also be used to locate a device as well. 

3.      Install mobile security software for it is readily available from multiple sources.

Back up the smart phone regularly to ensure you will not lose your data. There are apps readily available. 

4.      Download an app to lock the device after a specified inactive time period if not already on the phone as an added protection level... 

5. Restrict your app purchases to a recognized site, preferably Google Play to minimize download risks 

h. Just be aware of potential risks/vulnerabilities when using any mobile device. 

i. Understand the increased impacts in the health care sector with increasing EHR utilization and its attendant security needs at all levels from provider through patient especially with the smart phone. 

Recommended Client Actions 

1. General Considerations 

We strongly urge our readers in all sectors to closely review their current security policies and procedures, risk assessment, and threat mitigation policies to ensure they are in place for all users with company provided device and BYOD. Mobile security should be a critical strategic and tactical focus. The internal IT staff must have the capabilities for this environment which differs

from the company owned devices. BYOD is expanding and nearly 90+ % currently accommodate BYOD or plan to. 

Knowledge is no longer stored in a central secure repository but is as mobile as any individual and their devices. Be very aware of vulnerabilities in storing unencrypted information and have policies for what is stored and accessed in the “public cloud” or on mobile storage devices such as thumb and flash drives. Cloud storage is useful but needs awareness for the security and privacy policy may be too weak to meet your compliance regulation needs or if the data is stored off shore where local policies may not be as robust. Consider storing HIPPA or other compliance centric information in the private not public cloud.  Personal and business data must be separated on the devices for both security and privacy needs. 

Review the security/privacy policies and procedures routinely so that threats can be assessed and preventative actions taken to minimize operating risks. Elements of the policy should include data and information flows; the network from the core to the end points; the overall infrastructure design; application use and deployment; encryption; compliance and of course people and access provision and  authentication. The policies should be as clear and straightforward as possible for complexity will reduce utilization and increase trust in the policy. 

2. Where are the revenue potentials in this arena? 

Revenue and profit opportunities abound throughout all market segments and can be serviced in many cases by the core products provided. At the chip level, security and encryption algorithms can be included in the hardware and/or firmware in future devices. Can current firmware be adapted or modified for the installed base? Can near communication be made secure?  

Hardware, software, apps, special devices, dual memory capability to store personal versus business or compliance data on BYOD, self encrypting capabilities for in transit and at rest, holograms, expanded graphics, and improved biometrics are some examples that come to mind.

All offer discrete opportunities for all steps in the supply chain including system integrators and VARs. Another possibility is resolving interconnectivity issues between healthcare providers who use different email, business processes, software, and so forth as we move to Stage 2.

In the healthcare markets, in addition to the thoughts listed, there are device and software potentials in addressing (a) The tremendous increase in reports/paperwork/electronic records due to the ACA requirements – Is there a simple way to complete the documents for the practitioner to improve their efficiency?; (b) Compliance reporting and security for PII and PHI; (c) security for core to endpoints (both internal and external) including mobility; and (d) products and systems for the small practitioners. Support, security expertise, and training appear to offer added revenue potentials.

Our report clients are strongly advised to look closely at the potential revenue streams via applying their internal competencies or through strategic alliances to maximize global revenue streams.

Feel free to call us to discuss your ideas/concepts for future products under a confidentiality agreement or for a detailed unbiased product assessment.

Ed Poshkus, Principal Industry Analyst

Report No. 2014-6a-Security Series

Availability - 06-15-14 

Contributors to the report:

Jeri Trippe, Sr. Industry Analyst, EVP

Stan Terepka, Industry Analyst 

If there are questions about the content, contact

                         Ed Poshkus, Principal Industry Analyst, - edposhkus@creativestrategiesvc.com

                         Jeri Trippe, Sr. Industry Analyst, EVP - jtrippe@creativestrategiesvc.com

 

 

 

[1][2][3][4]

Copyright (c) 2013  CSVC. All rights reserved.

webmaster@venturestechwatch.com