
Protecting Healthcare Data: An Ounce of Prevention

July 30 2015

2014 was a landmark year for the Healthcare Industry when it came to data breaches. 2015 is continuing that trend. According to the Identity Theft Resource Center, the Healthcare Industry accounted for 42 percent of all major data breaches reported in 2014.

Thieves have begun turning their attention to the 3 trillion dollar a year Healthcare Industry, whose data is turning out to be worth more than credit card numbers. The Healthcare Industry has not only seen a sharp uptick in the amount of large, widely publicized data breaches, but also in the value of the data stolen.

The average price of a single stolen credit card number has dropped from $35 to under $1 because of a flooded supply, causing thieves to look elsewhere for more profitable sources of revenue. The Healthcare Industry, with its aging infrastructure, slow adoption of security and hasty move to electronic medical records, has turned out to be a treasure trove for cyber criminals. Medical data breaches are now rivaling the largest retail breaches. We no longer live in an era where the only threat to our privacy is credit card theft. Today’s cyber-attacks make payment data leaks look like petty theft. Our transition to this new era has been sudden; our medical records, social security information and personal data are all at risk. Because medical records are worth ten times more than credit card numbers, they have become a high value target. With so many players in the Healthcare Industry, as well as government agencies, being compromised, it is difficult to trust anybody with your information.

When I discuss these facts with others, they tend to ask me “How do you even monetize medical data?”. Two words: medical fraud. Once medical data is compromised, thieves can submit fraudulent claims to an insurer for payment, costing you, me, healthcare providers, insurers and everyone in between billions of dollars a year. According to the 2015 Experian Data Breach Industry Forecast report, the cost of healthcare breaches is nearing the $6 billion a year mark. That number doesn’t take into consideration fines, fees, unreported fraud, or the side effects on other industries.

It doesn’t stop at medical fraud. Having a patient’s medical history gives a criminal access to sensitive information about that patient, which leads to medical identity theft. Medical identity theft allows an impostor to receive healthcare benefits they’re not entitled to, as well as access to the patient’s prescription history. This enables thieves to purchase prescription drugs on a patient’s behalf, which are then resold on black market websites, such as the former Silk Road.

The HP NonStop, with its unique fault tolerant features, high availability and mission critical capabilities, often occupies a pivotal position in the healthcare industry and is therefore a prime consumer of medical data. With so much at stake and the ramifications of a healthcare breach so damaging, what can be done, and why isn’t more being done about it?

We all understand that the quicker you detect a breach, the sooner you limit the damage an attacker can cause, but the current mean time to detection of a breach is over 200 days. That means an attacker is in your network, on your systems, for over 6 months on average, wreaking havoc, and most organizations don’t even have a clue.

XYPRO’s XYGATE Data Protection (XDP), powered by HP Security Voltage, can neutralize the damage caused by a breach by rendering the valuable medical and personal data stored on your mission critical systems useless to a thief. A proper implementation of XDP will encrypt or tokenize medical and personal data in a way that ensures continuous interoperability with your applications while rendering the data useless to a thief. This requires no modifications to your applications, because XDP retains the data formats that your applications currently use.

The challenge of protecting sensitive data is no longer a concern only for organizations that process card payments. The extremely valuable and sensitive nature of Personally Identifiable Information (PII), Personal Healthcare Information (PHI) and medical records has thrust the Healthcare Industry right into the cyber-security spotlight. Implementing the proper security infrastructure to ensure the ongoing protection of this data is no longer a nice to have, but a critical requirement.

Steve Tcherchian, CISSP
XYPRO Technology

Monish Mehta
Security Analyst
XYPRO Technology

E-Crime Singapore: Data and Device Centric: The Two Security Strategies for your Enterprise

June 12 2015

What better place to host the latest E-Crime & Information Security Series than steamy Singapore, the modern gateway to the Asia Pacific Rim? The Marriott Tang Plaza, on the bustling and extravagant Orchard Road in the heart of Singapore, acted as a fitting host.

The show was well attended by delegates from across APAC, representing the financial, gaming and hospitality, education, government and entertainment sectors.

XYPRO did its part with a strong representation of two primary pillars of security, Data-Centric and Device-Centric Security, through our product partnerships with HP Security Voltage and Device Authority.

Across topics from “Today’s Enterprise Security” and “Changing Landscape and Threats in Payment Security” to “Are your E-Payment Systems Vulnerable to fraud, laundering and other financial crimes?”, the recurring themes that kept popping up as pain points were authentication and the security of data, most notably your clients’ data! This is an important distinction: your customers are entrusting you with the protection of their data! We have all heard of the numerous public breaches and their staggering direct and indirect financial costs, and of course of the fallout and repercussions to the breached business, both financial and reputational.

It was therefore gratifying that a majority of the delegates were quite engaged with our offering and approach to Data and Device-Centric security. Taking a Data-Centric approach with HP Security Voltage is exactly what the name implies: we protect the data itself, neutralizing a potential breach through the adoption of Tokenization and Format Preserving Encryption (FPE) of the data, PANs and other valuable information. So even if our perimeter defenses fall to a calculated, persistent attack, the stolen data has little intrinsic value and the costly consequences of such a breach are rendered virtually innocuous.
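As an added illustration of the format-preserving tokenization that this paragraph and the XDP paragraph in the healthcare post above describe (a constructed example, not Voltage or XDP code; the in-memory vault, the keep-last-4 rule and the sample SSN and medical record number values are all assumptions):

```python
import secrets
import string

# Constructed illustration of vault-based format-preserving tokenization (not XDP/Voltage code).
# The token keeps the shape of the original field (length, digit/letter positions, separators,
# trailing characters), so applications need no changes, while the real value is only
# recoverable through the vault.

class FormatPreservingVault:
    """Maps a sensitive value to a random token of identical format."""

    def __init__(self, keep_tail=4):
        self.keep_tail = keep_tail   # trailing characters left in the clear (assumed: last 4)
        self._forward = {}           # value -> token
        self._reverse = {}           # token -> value

    @staticmethod
    def _same_class_random(ch):
        # Digits stay digits, letters keep their case, separators such as '-' stay put.
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isalpha():
            return secrets.choice(string.ascii_uppercase if ch.isupper() else string.ascii_lowercase)
        return ch

    def tokenize(self, value):
        if value in self._forward:
            return self._forward[value]  # same input -> same token, so lookups and joins still work
        split = max(len(value) - self.keep_tail, 0)
        head, tail = value[:split], value[split:]
        if not any(c.isalnum() for c in head):
            # Nothing left to randomize: the token would equal the clear value.
            raise ValueError("value too short to tokenize while keeping %d trailing characters" % self.keep_tail)
        while True:
            token = "".join(self._same_class_random(c) for c in head) + tail
            if token != value and token not in self._reverse:
                break
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token):
        # Only a caller with access to the vault can recover the original value.
        return self._reverse[token]


def same_format(a, b):
    """True when a and b have identical length and character classes position by position."""
    return len(a) == len(b) and all(
        x.isdigit() == y.isdigit() and x.isalpha() == y.isalpha() and x.isupper() == y.isupper()
        for x, y in zip(a, b))
```

A real deployment replaces the dictionaries with a hardened, access-controlled vault (or with keyed FPE, which needs no vault at all); the shape-preservation and "same input, same token" properties are what let existing screens, reports and database columns keep working.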

Device Authority takes a novel approach to authentication by utilizing the device itself as the key. We can no longer rely on username and password as the defining factor for entry onto our critical systems. There needs to be a way to grant access not only to the rightful individuals but also only from the devices with which they plan to gain entry. Our devices provide a stable form factor from which a unique and identifiable signature of the device itself can be derived and linked with the credentials of a given user, thereby drastically reducing the threat surface: millions of risky entry points onto our systems are eliminated by provisioning only a few trusted devices that are linked to our given credentials.

Today’s hackers penetrate multiple layers of defense. Security researchers increasingly highlight that multi-layer protections need to be in place to protect network, system, application and personal data. Regulatory bodies across the globe are also providing guidelines for layered security and compliance policies. Naturally, delegates were intrigued to discover the add-on of Device-Centric security to fend off threats from external systems prior to connection, and the flexibility of tokenization and FPE to ensure maximum data protection even after a breach has occurred.

In a typical payment system environment, XYPRO is already strengthening numerous organizations’ security by providing authentication, role based authorization, security policy and centralized log management for intrusion detection. These Device-Centric and Data-Centric solutions bring significant value to our comprehensive suite of solutions, and additional options and greater security assurance to your ever expanding interconnections.

It was interesting to note from our discussions with the delegates that many were still deciding which approach to take: secure authentication protocols to ensure the identity and integrity of users, or shoring up your data defenses with Tokenization/Format Preserving Encryption to neutralize a breach before it occurs by rendering data useless in the wrong hands. As self-serving as the answer sounds, the answer of course is both. There is no magic bullet for security. A comprehensive approach combining Multifactor Authentication with Device Authority and a logical deployment of Tokenization / FPE with HP Security Voltage is a sound investment across your enterprise and will continue to be a prominent focus for XYPRO and its clients.

Angelo Nicolaides
XYPRO Technology Corporation
Sales Executive

Did Someone Say “Downtime”?

June 12 2015

All I have ever really known with complete certainty in my near thirty-year relationship with NonStop has been that HP NonStop computers are mission critical servers that are truly fault tolerant and have full redundancy capabilities for a single reason: they need to be available all the time. Availability is the primary directive. Or at least it was.

Very recently, I had the opportunity to spend some time with some friends at a longtime customer. This customer is one of the top five US Banks and takes very seriously the need for NonStop and its reliability and availability. I was told that the senior executives at this bank have indicated there is a single circumstance under which they would accept, and actually prefer, downtime. That circumstance is a security breach. After all, a downtime event is recoverable. A security breach is not.

The word “downtime” in the NonStop world is sheer blasphemy. How can this be? Uptime is critical to a successful business model in the industries that rely on NonStop. Uptime ensures customers’ service expectations are met, delivers financial benefits and avoids penalties for downtime. Uptime also comes with bragging rights and prestigious awards.

Like so many of us in this great community, my introduction to Tandem was far too many years ago and in a very different world than we are a part of today. I was in high school.

My first introduction was not through employment, but from my father, who had been working on a project to bring an ATM and Online-Teller network to the bank where he was employed. He told me about this very special computer system that could process transactions very quickly and had two of everything, so it was really reliable. The year was 1983; I remember all of this, and that my father was immensely impressed. Like a typical teenager, I didn’t really care much about this. I only really began to understand a few years later when I had the opportunity to learn and work with the Tandem myself.

Working part-time in the evenings while in college, I gained some exposure to the inner workings of a bank’s data center. It was a hub of activity with lots of people and with machines of all sizes: reader-sorters, line printers, 9-track tape drives, massive disk packs, etc. There was also a prized area on the data center floor where the Tandems were kept. The Tandem operation also had a separate command control room where these systems were monitored. Everyone knew they were there, everyone knew they were special; not everyone knew why.

The Tandems would run all the time, literally. This was their value. In the data center, the Tandem NonStop II sat beside the gleaming new TXP. I still knew very little but I began to understand why these Tandems were special.

Later on, as we came to depend more and more on these machines, the systems in place to support their uninterrupted operation were big, important and becoming more sophisticated. As an operator, testing the UPS (Uninterruptible Power Supply) system, test-firing the diesel generator at least weekly and ensuring there was enough fuel to run for several days was a mandatory procedure. These were mission-critical computers. They had to run all the time, and the Tandem systems did.

The only constant in technology is change, and the striving to improve and speed up the way things work. There is always something driving the need for even greater reliability and uptime. A simple fire suppression system malfunction, or even worse, a fire itself, could render the system unusable. Disaster Recovery (DR) centers began to proliferate. In the unlikely event of a disaster, the remote DR center could, and had to, be up and running in a matter of minutes. Availability was of paramount importance.

Business Continuity Planning was now the new buzzword in the Tandem community (along with remembering to call these computers NonStops following the acquisition of Compaq by HP). With natural disasters such as earthquakes and hurricanes, and now very unnatural terrorist threats, the NonStop server gained real-time data replication in active-active environments spanning very large distances, ensuring that these computers were operating on separate power grids and fully separate communications infrastructure and could not be affected by the loss of availability at any single site. The MythBusters TV show even blew up a NonStop server to prove just how quickly a failover and recovery could happen. These computers are truly mission critical, and the customers who purchase and use them do so because their businesses rely on the ability to run without interruption.

In my thirty years on NonStop, the only direction I knew was that more uptime, and in most cases continuous uptime, was the way to go. Never did I suspect that there would be something so critically important to a business that they would sacrifice this near perfection. Sadly, earthquakes, hurricanes, tornadoes, and even nuclear warfare are no longer the ultimate threat to uptime. It is the cyber-criminal.

As a vendor of HP NonStop server security solutions, it’s a positive thing to hear a customer say their focus on security is right up there with, and even ahead of, availability and performance. The revelation that unscheduled downtime is more acceptable than a security breach is not only a sign of these modern times but a tectonic shift in priorities for the majority of companies that rely on fault tolerant, mission critical servers.

And just as the need for more uptime drove the development of ever more sophisticated solutions to avoid possible availability catastrophes, so too the need to thwart the ongoing threats of cyber criminals and hackers drives the development and implementation of advanced security solutions, these days at lightning speed.

Many of these solutions already exist in the form of strong encryption and tokenization of data, enhanced access controls, audit and analysis, continuous real-time monitoring and threat detection, security incident and event management, and more. With time, education, commitment, investment and effort, this very present threat to uptime can be tackled. We’re investing our best efforts and resources in staying ahead of the cyber criminals and hackers. It’s not too difficult to imagine what the next phase in the evolution of the NonStop uptime story will be, but there is no doubt that security will always be a big part of the solution.

Please visit the XYGATE Overview to see our full range of security solutions.

Barry Forbes
XYPRO Technology Corporation
VP of Sales and Marketing