GDPR Day (25th May 2018) has come and gone. You know your legal basis for all the personal data that you process. You have a Privacy Statement. All information that is past its retention period has been shredded and you have an ongoing data deletion plan. Full marks so far.
Alas – it is not all over. What happens when you have a data breach and how likely is that to happen?
Human error is still the largest cause of data breaches and these are often caused by one of:
- Sending an email to the wrong person.
- Attaching the wrong data to an email.
- Leaving a mobile device with sensitive data in a public place.
Our friends at MRSL Enterprise are looking to provide some leadership on data security. The company deals with a lot of medical information for its medical forensic, medical indemnity and medico-legal professional indemnity insurance business. At MRSL Enterprise they suggest the following approach.
If you can get to grips with the ideas explained here you will be able to significantly improve your data breach defence and be well on the way to completing the proposal form to buy data breach and cyber insurance. Most data breach and cyber insurance not only comes with a monetary payout for loss – but also provides some practical help from computing experts to sort out problems.
MRSL Enterprise has its own custom solutions that are built into its systems for communicating with the firm’s reporting doctors. However, for private medical – or any other business – that needs secure email we would recommend RMail from Frama. We first saw the product for its encrypted email feature – but the product has many more benefits for you including a large document transfer facility and very accurate recording of email delivery. You will like the simplicity of the encrypted email. In its most standard form there is no need for a user name and password – so if you are sending referral letters to elderly patients then there is little that needs to be set up and explained to them. Contact Michael Roberts for a demo.
Secure email or not, if the wrong attachment goes to the wrong person, that is a data breach. MRSL Enterprise has joined the #StopAttachments campaign set up by TrackMyRisks. Email itself is becoming progressively more secure; the weakness in email remains the attached documents. The solution is simply to stop attaching documents to emails and instead use a secure, centralised, single-source document that can then be shared over secure links with the right people. TrackMyRisks provides a secure document sharing platform. In addition to security there are many other advantages. The system provides a single source for the document, so you never have the problem of everyone having a different version. The TrackMyRisks system provides a strong audit trail – so you can know who looked at what and when. This can be crucial if there is a dispute. MRSL Enterprise provides a TrackMyRisks account to all of its commercial insurance customers as part of the service that it offers clients. You don’t need to be a client of MRSL Enterprise to have your own TrackMyRisks account – you can contact Matt Hodges-Long for a demo.
You do need a username (your email address – so easy to remember) and a password for TrackMyRisks – but it is only one password to access all of your data.
Most document types (Microsoft Word, Excel, PowerPoint and PDF) can now be password protected, which also encrypts the contents. This is a good approach, and strong encryption is generally used by all of the major document viewing and editing software these days. The downside of this approach is that you need to share the password with the person to whom you are sending the document – who then also needs to remember it. A classic error is to put the password in the same email as the document. Easy to do – but it removes the security the password was meant to add. Having a pre-agreed password is a good approach.
Password-protected documents are a solution, but we find them a bit more cumbersome and more susceptible to human error (e.g. the password in the same email). Overall we prefer the TrackMyRisks solution both for its security and for the other benefits of a single source for the document, version control and tracking.
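As an added illustration of the "password in the same email" error (example code, not part of the original article or of any product it mentions): a simple outbound-mail check that flags a message whose body appears to state a password while it also carries an encrypted PDF or Office attachment. The sample email, the attachment bytes and the two heuristics (`/Encrypt` inside a PDF, the `EncryptedPackage` stream name inside an Office container) are constructed here for the example.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Heuristics (assumption: adequate for a mail-gateway rule, not a full document parser).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # Compound File Binary header
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")  # stream name in password-protected Office files
PASSWORD_HINT = re.compile(r"\b(password|passcode|passphrase)\b\s*(is|:|=)", re.IGNORECASE)


def attachment_is_encrypted(data: bytes) -> bool:
    """True if the bytes look like a password-protected PDF or Office document."""
    if data.startswith(b"%PDF") and b"/Encrypt" in data:
        return True
    # Encrypted .docx/.xlsx/.pptx are stored as an OLE container, not as a ZIP.
    return data.startswith(OLE_MAGIC) and ENCRYPTED_PACKAGE in data


def password_in_same_email(raw: bytes) -> list[str]:
    """Return the names of encrypted attachments whose password seems to be stated in the body."""
    msg = message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if not PASSWORD_HINT.search(text):
        return []
    return [part.get_filename() or "<unnamed>"
            for part in msg.iter_attachments()
            if attachment_is_encrypted(part.get_payload(decode=True) or b"")]


def build_sample(body_text: str, attachment: bytes) -> bytes:
    """Constructed outgoing email for the example (not a real message)."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.invalid"
    msg["To"] = "patient@example.invalid"
    msg["Subject"] = "Your report"
    msg.set_content(body_text)
    msg.add_attachment(attachment, maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


# Constructed stand-ins for an encrypted and an unencrypted PDF.
ENCRYPTED_PDF = b"%PDF-1.7\n1 0 obj\n<< /Encrypt 2 0 R >>\nendobj\n%%EOF\n"
PLAIN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    bad = build_sample("Report attached. The password is Spring2018.\n", ENCRYPTED_PDF)
    print(password_in_same_email(bad))  # ['report.pdf']
```

A rule like this belongs on the outbound mail path, where it can hold the message for review rather than let the document and its password travel together.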
If hackers get to your data, they will not be able to read it easily if it is encrypted. Most computers are starting to embrace encrypted storage as a standard feature, but it is still not switched on in a typical system. Windows 7, 8, 8.1 and 10 have the BitLocker feature. This is seamless to the user: the data is encrypted when stored and then decrypted as it is presented to the user. It does rely on the user logging in with their password – so problems can arise if the user forgets this. Microsoft do provide some means of recovering the data – but this is not guaranteed and things can get fraught! MacOS has an equivalent.
Apple’s iOS also provides encrypted storage. The biggest risk with Apple is the mobile devices. If their passcode is cracked then the device will decrypt the data. It is advisable to set mobile devices so that they delete all data after ten incorrect passcode entries. It is also possible to set these devices so that a command can be sent to them to lock the device or even delete all of its data.