Ransomware and Personal Data: The Secondary Threat (Part 1)
News sources have been extremely active over the last week with emerging details of the 'WannaCry' global ransomware attacks, using vulnerabilities taken from the National Security Agency of the United States. The impacts of the attacks are ongoing, with victims in more than 150 countries, including hospitals that have been effectively brought to a standstill. Beyond reputational and economical impacts, it is truly a health and safety issue.
Healthcare organizations are the leading industry victims of data security breaches, with personal information of nearly 16 million people lost last year in the U.S. alone.
Personal (patient) data is critical to a hospital’s mission of providing medical care. However, careful planning and investments in backup/archive solutions ensure that hospitals can continue to serve their patients, retaining access to that critical information for instant access and business recovery.
Resuming operations is clearly Priority No. 1. But once resumed, are the problems over? The simple answer is: PROBABLY NOT.
Several years ago, I led personal data breach response teams for a large organization in the U.S. It is through this lens that I now view these stories.
In some of our incidents, the primary administrator or users of the breached devices were unaware they were even storing personal data, a fact that was only uncovered with forensic analysis. The breaches came at the time when California formalized requirements (SB1386) to notify potential victims of privacy breaches. While there was no direct evidence that personal data had been accessed or misused, we enacted notification procedures with press releases, direct communications to individuals and the creation of call centers to handle inquiries. The typical reactions ranged from outrage of our handling of data, to resignation that in today’s world privacy is just something that no longer exists. Victims asked:
What if my information was lost?
What other information are you holding that is at risk?
I want a copy of whatever information you’re holding on me.
Please delete my information from your systems and give me proof you deleted it. You cannot be trusted!
Of course, before we were able to answer those questions and to shape the response, we had to determine the breadth and extent of the breaches. These were complex forensic exercises that required rapid access to information held on servers and laptops. In some cases, several months passed before the data theft was recognized and the analysis had to expand beyond the devices initially identified.
The same kinds of questions my teams were asked in those incidents years ago have helped to shape privacy and notification legislation across the world, as we can see from U.S. State laws and from upcoming European Union GDPR regulations, effective in May 2018. In the case of GDPR, the fines for improper handling of personal data and poor notification practices are so large they can no longer be ignored.
I will continue the discussion in the second part of this blog, with some recommendations for data privacy practices.
For more information about how Commvault can support you, check out the following articles: