Is your data safe and secure?

People need to be able to trust the enterprises and databases holding their data


Data breaches are an unfortunate consequence of the application of technology in the modern world. The information economy has placed a significant premium on personal information relating to everything from finance to dating, and even health care.

Prescriptive, predictive, and descriptive analytics have transformed the value of a person into the sum of the data accumulated through our living, working, and spending decisions. Analysts spend their time filtering, averaging, analyzing, and parsing the data at their disposal. They are expected to form predictions and models based on the implications.

Prescriptive analytics optimize algorithms at their disposal to recommend outcomes. Predictive analytics use existing statistical models to explore a statistical future. Descriptive analytics gathers and mines data for answers in experience. All of this is done to generate valuable information that can be used, and that can be sold, to generate revenue for someone other than the person whose information has been captured.

Information stored in data banks is often protected by some form of security, but each of these data banks is subject to breach, whether due to human error or criminal aggression. Recent and continuing broad-scale hacking incidents have increased both awareness and scrutiny regarding the holders of data as well as the systems they use to protect it.

The recent Equifax data breach has exposed tens of millions of people to potential misuse of their personal finance information. Ron Lieber indicates the data breach “meant that potentially millions of Social Security numbers, driver’s licenses, and other information had been stolen, leaving many of us to wonder how vulnerable we might be to identity theft.”

For the average person, remedies are limited. You can follow the instructions provided by Equifax to freeze your credit reporting. You can choose to use its premium credit monitoring tools. You can use free credit reporting offers online to monitor your own credit with some discipline. You can choose to use your debit cards instead of credit cards, and strengthen passwords and PINs on all your accounts.

While data held by financial reporting agencies is incredibly significant, it’s not the only kind of data that can be stolen and misused. Information about our personal lives is also stored in all kinds of places. Tinder, the popular dating mobile application, maintains huge personal data files on its users. Caroline Mortimer reported on the experience of Judith Duportail, a French journalist, who “discovered the app had gathered massive amounts of data [some 800 pages] about her age, gender, interests, the people she had dated or spoken to, where she went, and where she lived over a period of several years she used it.”

While European Union regulations and British privacy protection laws require Tinder to disclose its holdings within 10 days, U.S. citizens currently have no such mandated protections. More important, even if you can discover this data, there isn’t currently a way in which you can demand and cause the destruction or deletion of that information. It’s literally sitting out there, capable of being stolen and misused. While no breach of Tinder data has been reported, similar enterprises such as Ashley Madison and Adult Friend Finder have been hacked. In fact, significant data breaches have also been reported by Yahoo, Twitter, Target, LinkedIn, and Sony, among others. This raises the obvious question: Is any of our personal information safe?

The health care sector isn’t immune from data breaches. Despite federal regulatory provisions designed to protect patient privacy through application of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), effective security hardly seems possible. According to Healthcare IT News, assaults on healthcare databases include multiple phishing attacks on systems belonging to Augusta University Medical Center, the hijacking and ransoming of 26,000 open servers belonging to MongoDB, a cyberattack on over 19,000 patient records held by Medical Oncology Hematology Consultants, a breach of more than 106,000 patient records held by Mid-Michigan Physicians Imaging Center, 33,877 patients affected by a hostile virus that penetrated the systems of St. Mark’s Surgery Center, 266,123 Pacific Alliance Medical Center patient records held for ransom, as well as lost security pertaining to millions of records belonging to Indiana Medicaid, Airway Oxygen, and Washington State University, among others.

Make no mistake: Health care data breaches are very alarming. Hackers get access to your most private information. They can also obtain credit card numbers, Social Security numbers, billing data, and other personally identifying information, enabling them to sell your identity.

In his monthly HIPAA breach report, Hoala Greevy, CEO of HIPAA-compliant email provider Paubox, says, “The entire health care industry remains 10, if not 15, years behind every other American business segment. This includes cybersecurity defenses, making the healthcare providers extremely susceptible to attacks, breaches, theft, or impermissible use.”

Jathan Sadowski says, “The vaults of these databanks are impossible to secure, in large part, because the wealth of information they hold is a beacon for hackers. Even the most impenetrable cybersecurity will eventually fail under the pressure of dogged hackers.”

Given the sheer size of some breaches versus the alleged security promised by some of the data vaults, people must become more vigilant about their own data identity. That identity is all too often exposed due to submission of descriptive data to online businesses, nonprofits, medical practitioners, or anyone communicating a requirement for such information to be collected to proceed with a transaction. Whether sharing that information is in fact required by law is debatable, but people more often than not decline to ask.

Perhaps it’s time to talk about the risks involved and the actual need to supply all the descriptive detail. For example, if your name and date of birth are cross-referenced, is your Social Security number really necessary to label your records? Could a simple application be created that uses an algorithm to translate your Social Security number into a unique derivative that is then attached to a record instead, and could that do away with the need for other unique identifiers? Could biometrics such as voice, fingerprint, iris, or face scan be used? Even those technologies aren’t absolutely guaranteed to be secure.
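One way to build the "unique derivative" asked about above, shown as an added example rather than code from the article: a keyed HMAC-SHA256 of the Social Security number, compared with an unkeyed hash that can be reversed by simple enumeration because the input space is only nine digits. The key, the sample number, the context label, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample values for illustration; a real key lives in a KMS or HSM.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_SSN = "000-12-3456"  # constructed; area number 000 is never issued


def normalize_ssn(raw: str) -> str:
    """Strip spaces and dashes, then require exactly nine digits."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("expected nine digits")
    return digits


def derive_record_id(raw_ssn: str, key: bytes, context: str = "patient-record") -> str:
    """Keyed derivative: HMAC-SHA256 over a context label plus the SSN.

    A different context (or key) yields unrelated IDs, so two data sets
    cannot be joined on the derivative without access to the key.
    """
    msg = context.encode() + b"\x00" + normalize_ssn(raw_ssn).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def naive_record_id(raw_ssn: str) -> str:
    """Weak variant for comparison: an unkeyed SHA-256 of the SSN."""
    return hashlib.sha256(normalize_ssn(raw_ssn).encode()).hexdigest()


def recover_from_naive(target: str, known_prefix: str):
    """Show why the unkeyed form fails: enumerate the unknown trailing digits
    (at least one) and compare hashes. Returns the matching SSN or None."""
    missing = 9 - len(known_prefix)
    for n in range(10 ** missing):
        candidate = known_prefix + str(n).zfill(missing)
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    print("keyed derivative:", derive_record_id(SAMPLE_SSN, DEMO_KEY))
    print("unkeyed hash    :", naive_record_id(SAMPLE_SSN))
    print("recovered input :", recover_from_naive(naive_record_id(SAMPLE_SSN), "00012"))
```

The keyed derivative is only as private as its key: anyone holding the key can run the same enumeration, so the key has to be stored and access-controlled separately from the records.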

The rapid advancement of telehealth and telemedicine practice further increases the risk of unauthorized exposure of personal information to the extent that perhaps voice and video transmissions are at risk. HIPAA-compliant solutions are quickly becoming fundamental requirements. For more information on their solutions, a form must be filled out and submitted. Is that text and data transfer HIPAA-secure and HIPAA-compliant? The layers of protection remain unclear.

It’s time for data collector transparency. People need credible certification of security and adequate notice of system upgrades and changes. Clear information regarding how the security of the physical database is ensured must become a legal requirement.

Service and technology providers, vendors, and their servers need secure firewalls, data encryption, and constant monitoring. People must demand this, and people need to educate themselves regarding descriptive data threats.

The lessons from data breach history are clear. Deployment failures occur when databases are not performing as designed. Leaked data results when hackers access any data that has not been encrypted. Damaged databases require immediate repair and restoration. In-house saboteurs will steal or damage databases and backups. Multiple database features present multiple ways for hackers to enter a system. Hackers plug in data as SQL injections to alter code and change data. Businesses must segregate authorities and powers of both users and administrators. Current threat levels mandate that administrators stay current and consistent in their security practices. Despite any and all of that, threats evolve and persist.

While the average end user doesn’t know or understand much about data breaches or hacking, one thing is clear: People need to be able to trust and rely on the enterprises and databases holding their personal information. People need to know that their data is safe and secure.

Copyright © 2017 IDG Communications, Inc.