10 security lessons from FTC breach investigations

Published
  • March 30 2017, 4:00am EDT

Top security lessons from FTC breach reviews

Healthcare organizations need to tighten up information security efforts, such as using best practices in requiring passwords and adopting data protection standards. Using findings from investigations of 50 data breaches across industries, including several at healthcare organizations, the Federal Trade Commission has developed key steps to improving data security. Here are 10 key lessons the FTC has distilled from studying those breaches.

Don’t collect personal information that’s not needed

No one can steal what you don’t have. Healthcare organizations, in particular, often collect a wide range of personal information on patients, some of which is not needed for the care that they’re going to provide. Organizations should review their processes to make sure they really need all the information they’re asking for and storing, because that raises the amount of information that needs to be protected, or can do an organization harm if hacked.

Content Continues Below

Hold information only as long as legitimately needed

Many organizations, including those providing healthcare services, often don’t have a game plan for governing the lifecycle of information. For example, holding onto credit or debit transaction information without a business need long after a sale is complete violates bank rules and enables hackers to steal the information and create counterfeit credit and debit cards. Similar risks exist in healthcare data collection as well.

Don’t use personal information when it’s not necessary.

Protecting personal information involves being careful about how it’s used. For example, one organization gave service providers access to sensitive consumer data to enable them to develop applications for the organization. In another example, a company used real people’s personal information in employee training sessions and then failed to remove the information from employees’ computers after the sessions were over.

Insist on complex and unique passwords

Simple, easily guessed passwords, like 121212 or qwerty, aren’t much better than no passwords at all. These lax practices leave organizations vulnerable to hackers who use password-guessing tools or try passwords stolen from other services in the hope that the organization’s employees use the same password to access its system.

Content Continues Below

Store passwords securely

The FTC reports that one organization stored network user credentials in clear, readable text, and that practice helped a hacker access consumers’ credit card information on its network. Another organization allowed customers to store user credentials in a vulnerable format in cookies on their computers. In a third case, an organization did not have policies prohibiting employees from storing administrative passwords in plain text in personal email accounts. FTC recommends two-factor authentication to protect against password compromises.

Guard against brute force attacks

Hackers use automated programs that use computing power to produce potential passwords at a high rate of speed, aiming to find those that unlock access. These brute force attacks work by typing endless combinations of characters until hackers discover someone’s password. To thwart these types of brute force attacks (from automated attempts to log into a network) organizations should suspend or disable user credentials after a certain number of unsuccessful log-in attempts.

Protect against authentication bypass

Locking the front door doesn’t offer much protection if the back door is left open. The FTC’s study found one organization that failed to adequately test its web application for widely known security flaws. As a result, the FTC contends that a hacker could easily predict patterns and manipulate URLs to bypass the web app’s authentication screen and gain unauthorized access to the company’s databases.

Content Continues Below

Keep sensitive information secure throughout its lifecycle

Data doesn’t stay in one place. That’s why it’s important to consider security at all stages if transmitting information is a necessity for an organization. The FTC found one organization that used SSL encryption to secure the transmission of sensitive personal information between a consumer’s web browser and its website server—however, after the information reached the server, the company’s service provider decrypted it and emailed it in clear, readable text to the company’s headquarters.

Ensure proper configuration

Encryption—even strong methods—won’t protect users if it’s not configured properly. In two FTC cases, the organizations used SSL encryption in their mobile apps, but turned off a critical process known as SSL certificate validation without implementing other compensatory security measures, thus making the apps vulnerable, enabling hackers to decrypt sensitive information.

Segment networks

Not every computer in an organization’s system needs to be able to communicate with every other system. IT executives can help protect particularly sensitive data by housing it in a separate secure place on a network. One organization investigated by the FTC didn’t sufficiently limit computers from one in-store network from connecting to computers on other in-store and corporate networks. As a result, hackers could use one in-store network to connect to, and access personal information on, other in-store and corporate networks. The organization could have reduced that risk by sufficiently segmenting its network.