You may have noticed in the technology world that we use acronyms a lot. It’s a bit of a running joke in the industry in fact. However, the acronyms we are going to discuss today are no joke and are some of the most important ones in the world of cybersecurity. The acronyms up for discussion today, I am calling ‘all the PXI’s”, and they cover a wide gamut of security issues that cut across compliance and the supply chain. You will notice that across the PXI’s there is a real feeling that protection of data, in whatever form, needs to be carried out across the entire ecosystem of business partners and suppliers.
The Financial Sector and PCI
PCI stands for Payment Card Industry, and it is the acronym half of the well-known compliance standard PCI-DSS or Payment Card Industry Data Security Standard. The standard is a framework or a set of guidelines that define the types of security required to ensure that payments are secured. Any organization, from a small local shop, to a multinational bank, has to conform to the measures set out in PCI-DSS when protecting payment card information. This means taking responsibility to ensure that financial data is protected when it is accepted, transferred, stored and processed.
The major payment card vendors oversee PCI-DSS. It is broken down into six main goals that need to be achieved at varying levels to conform to PCI-DSS requirements. Which level you need to achieve depends on the volume and type of transactions you perform. Just to make it even more complicated, each card vendor has its own variation on a level. WorldPay has a set of guidelines for merchants that helps them to establish which level they need to reach. The six requirement goals cover the following:
1. Don’t store any authentication data from a customer (such as a PIN number).
2. Control system and network access and protect cardholder information.
3. Any payment card applications need to be secured.
4. Monitor system access.
5. If you do have to store payment card information, protect it.
6. Pull all compliance efforts together and make sure security policies are in place.
In 2016, PCI-DSS released a new version, 3.2. This version was released to bring PCI-DSS up to date in terms of the new threats from mobile and Cloud computing. Version 3.2 also has a number of supply chain-related requirements, such as:
“12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use”
The action above is likely to have come as a direct result of breaches like Target Corp where a third party vendor was phished with the result of Target’s core network being accessible by cybercriminals.
Following on from the ethos inherent in V3.2 of PCI-DSS, there is a strong push towards the ‘shared responsibility’ in protecting the payment card data of customers across the supply chain, and with business associates.
In 2018 there was a minor update to V3.2.1. This update is designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in 3.2, as well as the migration dates for SSL/early TLS,” said PCI SSC Chief Technology Officer Troy Leach. “It is critically important that organizations disable SSL/early TLS and upgrade to a secure alternative to safeguard their payment data.
Healthcare and PHI
PHI stands for Protected Health Information and it is one of the most sought after blobs of data that a cybercriminal has in their sights. PHI comprises a multitude of information. PHI is defined by the Health Insurance Portability and Accountability Act(HIPAA) and is made up of any data that can be used to associate a person’s identity with their health care. A full list of the 18 identifiers that make up PHI, can be seen here. PHI is a valuable asset and sold on the dark web for more money than any other data set, according to Ponemon Institute. In terms of the protection of PHI, HIPAA and the related Health Information Technology for Economic and Clinical Health Act (HITECH) – brought in to enable electronic medical records (EMR), offer the guidelines for the protection of PHI. Within HIPAA is the ‘privacy rule’ and the subsets, ‘security rule’, ‘enforcement rule’ and ‘breach notification rule’ all of which deal with various aspects of the protection of PHI. This section of HIPAA gives general guidance as to what steps to take to implement a protection policy for PHI and in particular electronic PHI (ePHI). The security section is made up of three main parts:
1. Technical safeguards: The security rule goes through all of the likely areas that need to be addressed to ensure PHI protection. This includes authentication and access control, the integrity of data, and transmission security (encryption)
2. Physical safeguards: Such as workstation security, removable media protection, and facility access control.
3. Administrative safeguards: Having a policy in place to cover processes and procedures. This section also looks at security awareness training.
The protection of PHI has become a serious matter. Recent years have seen major PHI breaches, with 112 million records being stolen in 2015, and 2016 looks likely to exceed that. U.S. Department of Health and Human Services Office for Civil Rights (OCR) has suggested that as many as 40% of these breaches have been associated with third-party vendors. To counter this, recent changes to the twin acts HITECH and HIPAA have been implemented to extend the reach of the acts to associated businesses. The HIPAA Omnibus rule has come into play to ensure that any company that touches, at any time, a PHI record must comply with the same regulations as the main organization.
Every Industry and PII
PII stands for Personally-Identifying Information, and it ultimately impacts all organizations, of all sizes and types. Both PHI and PCI can be seen as special cases of PII. As far as cyber criminals are concerned, PII is the golden chalice. PII is any information that can be used to identify a person; For example, your name, address, date of birth, social security number and so on. Once you have a set of PII, not only can you sell it on the dark web, but you can also use it to carry out other attacks. This was exemplified perfectly in the attacks on the Office of Personnel Management, and the Anthem breach of 2015. Here multiple millions of PII data was stolen and then used to perpetrate further attacks on organizations such as the IRS.
The protection of PII is something that every industry must address and have security policies and strategies in place to mitigate the risk to PII. The National Institute of Standards and Technology (NIST) has a series of guidelines, which help to steer your security policy on PII protection. The NIST “Guide to CyberThreat Information Sharing“ focuses in on the benefits of using a shared intelligence approach to information security. The guide states that:
“Through the exchange of cyber threat information with other sharing community participants, organizations can leverage the collective knowledge, experience, and capabilities of a sharing community to gain a more complete understanding of the threats they may face.”
This is an important consideration in light of findings from a Ponemon Institute report “Data Risk in the Third-Party Ecosystem” which points out that 49% of respondents had a breach of sensitive data caused by one of their vendors. If you don’t extend your security policies across your supply chain, then you are at a major risk from the extended ecosystem.
All the PXI’s are at risk from cyber threats. They are each valuable in their own right and in the wrong hands can be used to perpetrate crimes, over and over. We as organizations are compelled by law and ethics to protect the information of our customers. It is a mutually beneficial action. In protecting our customers’ data, we, in turn, protect our reputation and our bottom line. But we cannot do this alone. The extended supply chain needs to be brought under the umbrella of compliance and information protection, not only because the laws themselves are mandating it, but because working together will give the type of holistic, far-reaching protection that we need, to fight the ever-present danger of cybercrime.