How to Prevent Security Breaches Using Technical Safeguards
This article is part of our series on how to prevent data security breaches. Read more about how you can use physical safeguards and administrative safeguards to mitigate your business risk.
Preventing data breaches requires a combination of approaches to manage people, processes, and technologies to implement robust security controls. This article addresses the security controls that can help you minimize the risk of security breaches. It is impossible to prevent all data breaches, and it would be cost-prohibitive to try. Nonetheless, each organization will need to conduct its own risk management process to settle on a balance between implementing controls to minimize the risk of breaches and the time, effort, and money needed to implement such controls.
Technical safeguards are security controls that protect security-sensitive information and are carried out via technology or managed by technology. Security hardware and software enable the Covered Entity to implement such controls. Among other things, technical safeguards prevent unauthorized access to security-sensitive information, protect against malware, provide audit trails for investigation or assessments, and prevent corruption or tampering with systems.
Access Control Technology
Access control systems should identify, authenticate, and authorize people and processes, implement a method of mediating access to information based upon the authenticated entity’s authorization, and log information accesses for later review. The Covered Entity should prepare policies and procedures about how it manages access control to security-sensitive information.
These policies and procedures should include controls to ensure:
Every user is uniquely identified and authenticated
User activity is logged
Access controls are in place and are effective (e.g., security-sensitive information is kept secure and/or encrypted to ensure its confidentiality)
In addition, the Covered Entity should have systems to prevent unauthorized access to systems containing security-sensitive information (e.g., firewalls) and detect intrusions (e.g., intrusion detection systems).
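The four functions the section asks of an access control system (identify, authenticate, authorize, log) can be seen together in a small reference monitor. The following is an added example written for this article, not code from any product; the user directory, the tokens, the role-to-data-class policy, and the audit record format are all constructed for illustration.

```python
"""Toy reference monitor: identify, authenticate, authorize, then log every decision.

Added example for this article. All users, tokens, roles and records are constructed.
"""
import hmac
import time

# Constructed identity store: each user id is unique and carries its own secret.
# In production the secret would be a hashed credential or an IdP-issued token.
USERS = {
    "alice": {"token": "tok-alice-9f3a", "roles": {"billing"}},
    "bob":   {"token": "tok-bob-21c0",   "roles": {"support"}},
}

# Constructed policy: (role, action, data class) -> allowed?  Anything absent is denied.
POLICY = {
    ("billing", "read",  "card-data"): True,
    ("billing", "write", "card-data"): True,
    ("support", "read",  "ticket"):    True,
    ("support", "read",  "card-data"): False,   # explicit deny, kept for readability
}

# Audit trail. In a real deployment this is an append-only store or a SIEM feed.
AUDIT_LOG = []

# Dummy secret so unknown users cost the same time to reject as known ones.
_DUMMY_TOKEN = "tok-unknown-0000"


def authenticate(user_id, token):
    """Return True only if user_id exists and presented the matching secret."""
    rec = USERS.get(user_id)
    expected = rec["token"] if rec else _DUMMY_TOKEN
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return rec is not None and hmac.compare_digest(expected, token)


def authorize(user_id, action, data_class):
    """Default-deny: allowed only if some role of the user has an explicit True."""
    roles = USERS[user_id]["roles"]
    return any(POLICY.get((role, action, data_class), False) for role in roles)


def access(user_id, token, action, data_class, record_id):
    """Mediate one access request and record the outcome whatever it is."""
    if not authenticate(user_id, token):
        decision = "DENY-AUTHN"
    elif not authorize(user_id, action, data_class):
        decision = "DENY-AUTHZ"
    else:
        decision = "ALLOW"
    AUDIT_LOG.append({
        "ts": time.time(),
        "user": user_id,
        "action": action,
        "class": data_class,
        "record": record_id,
        "decision": decision,
    })
    return decision


if __name__ == "__main__":
    print(access("alice", "tok-alice-9f3a", "read", "card-data", "c-101"))  # ALLOW
    print(access("bob", "tok-bob-21c0", "read", "card-data", "c-101"))      # DENY-AUTHZ
    print(access("bob", "bad-token", "read", "ticket", "t-7"))              # DENY-AUTHN
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points matter more than the toy data: the policy lookup defaults to deny when no rule matches, and denied attempts are logged with the same fields as allowed ones, so the later review step described under Logging can see failed attempts, not only successful access.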
Patching/Updates
Covered Entities should have systems for regularly updating systems and application software. Software manufacturers regularly issue patches and software updates to address security vulnerabilities and improve the ability of the software to resist attacks. Keeping software up-to-date will lower the risk of exploits and malware. The recent Equifax breach apparently stemmed from the company’s failure to update the software to address a known vulnerability.
Logging
Covered Entities should have a technical method for logging user and system activity and a method, automated or procedural, for examining that activity log at a later time. The overall intent of this requirement is to give the Covered Entity a means of monitoring user access to security-sensitive information and to hold users accountable for their access behavior. Logs of machine processes assist in monitoring the status of systems and may assist in investigations of malicious activity, as well as of possible corruption or software errors.
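The "automated or procedural" review step is the part most often left undefined. Here is an added example of an automated review pass over an access log; it is not from the article and the log format (one key=value line per access decision) and the sample lines are constructed for illustration. The two rules it applies, repeated denials by one user and after-hours access to a sensitive data class, are chosen as simple, explainable checks rather than as a complete detection set.

```python
"""Automated review of an access log: parse lines, then apply two review rules.

Added example for this article. The line format and the sample lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log: one line per mediated access decision.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z user=alice action=read class=card-data record=c-101 decision=ALLOW
2024-05-01T09:03:40Z user=alice action=read class=card-data record=c-102 decision=ALLOW
2024-05-01T11:15:02Z user=bob action=read class=ticket record=t-7 decision=ALLOW
2024-05-01T11:16:30Z user=bob action=read class=card-data record=c-101 decision=DENY-AUTHZ
2024-05-01T11:16:44Z user=bob action=read class=card-data record=c-102 decision=DENY-AUTHZ
2024-05-01T11:17:01Z user=bob action=read class=card-data record=c-103 decision=DENY-AUTHZ
2024-05-01T23:48:19Z user=alice action=read class=card-data record=c-350 decision=ALLOW
2024-05-01T23:49:02Z user=mallory action=read class=ticket record=t-1 decision=DENY-AUTHN
this line is malformed and must not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"class=(?P<cls>\S+) record=(?P<rec>\S+) decision=(?P<decision>\S+)$"
)


def parse(text):
    """Turn log text into event dicts; malformed lines are skipped and counted."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1          # a real reviewer would alert on a rising count
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events, malformed


def review(events, deny_threshold=3, business_hours=(8, 18), sensitive=frozenset({"card-data"})):
    """Return a list of (rule, user, detail) findings for a human to follow up."""
    findings = []

    # Rule 1: the same user denied deny_threshold or more times in the reviewed period.
    denies = Counter(e["user"] for e in events if e["decision"].startswith("DENY"))
    for user, n in sorted(denies.items()):
        if n >= deny_threshold:
            findings.append(("repeated-denials", user, n))

    # Rule 2: successful access to a sensitive data class outside business hours (UTC).
    start, end = business_hours
    for e in events:
        if e["decision"] == "ALLOW" and e["cls"] in sensitive and not (start <= e["ts"].hour < end):
            findings.append(("after-hours-sensitive-access", e["user"], e["rec"]))

    return findings


if __name__ == "__main__":
    evts, bad = parse(SAMPLE_LOG)
    print(f"{len(evts)} events parsed, {bad} malformed line(s)")
    for finding in review(evts):
        print(finding)
```

Both rules produce findings that name a user and a concrete detail, which is what makes the log useful for the accountability purpose the section describes; a review that only counts totals cannot be tied back to an individual's access behavior.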
Integrity Controls
Covered Entities should use technology to prevent, or at least detect, improper data alteration and destruction from causes such as:
Equipment failure
User accidents
Malicious user acts
Technologies like redundant arrays of inexpensive disks (RAID), error-correcting memory, and fault-tolerant (clustered) systems already exist to reduce the risk of data alteration or loss from equipment failure. Well-designed user interfaces to databases and applications can reduce accidental data alteration or loss. Digital signature technology assists in identifying and preventing malicious user data manipulation or corruption.
Authentication
Authentication technology permits a Covered Entity to know that an authorized person, entity, or process is gaining access to information or systems. Systems commonly use passwords, tokens, biometrics, or dial-back techniques to verify an individual’s or entity’s identity. Covered Entities frequently use these authentication technologies to control access to security-sensitive information.
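Two of the factors the section names, passwords and tokens, can be verified with nothing beyond the Python standard library. The following is an added example, not code from the article: password verification uses a salted PBKDF2-HMAC-SHA256 hash with a constant-time comparison, and the token is a time-based one-time password computed as in RFC 4226 (HOTP) and RFC 6238 (TOTP). The iteration count, the acceptance window and the `login` wrapper are this example's own choices.

```python
"""Password plus one-time-token verification using only the standard library.

Added example for this article. Iteration count and window are this example's choices.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000     # chosen for this example; tune to your hardware
TOTP_STEP_SECONDS = 30


def enroll_password(password):
    """Store a random salt and the derived key, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record, candidate):
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=TOTP_STEP_SECONDS, digits=6):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, token, unix_time, window=1):
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    counter = int(unix_time) // TOTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, c), token)
               for c in range(counter - window, counter + window + 1))


def login(record, totp_secret, password, token, unix_time):
    """Both factors are always evaluated so a wrong password does not short-circuit."""
    password_ok = verify_password(record, password)
    token_ok = verify_totp(totp_secret, token, unix_time)
    return password_ok and token_ok


if __name__ == "__main__":
    import time
    # Constructed enrolment: the TOTP secret is the RFC 4226 test-vector key.
    rec = enroll_password("correct horse battery staple")
    secret = b"12345678901234567890"
    now = time.time()
    print("current token:", totp(secret, now))
    print("login ok:", login(rec, secret, "correct horse battery staple", totp(secret, now), now))
```

Note that a single accepted token still has a replay window of the configured steps; a production verifier also records the last accepted counter per user and refuses anything at or below it.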
Transmission and Wireless Security
Covered Entities should protect security-sensitive information while it is in transit over a network, such as office wireless networks or the Internet. Security threats addressed include:
Eavesdropping: An unauthorized person “listens” in on an unprotected or open network carrying security-sensitive information.
Data modification: Interception and surreptitious modification of security-sensitive information by an intruder in a way that the recipient cannot detect.
The Covered Entity should protect data while in transit commensurate with the transmission security risks and their associated mitigation costs.
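The data-modification threat above and the Integrity Controls section's point about detecting malicious data manipulation share one mechanism: the recipient must be able to check that what it received is what was sent. The following added example (not from the article) shows that check with an HMAC-SHA256 tag over a canonical encoding of the message plus a sequence number, so both tampering and replay are detected. An HMAC is a shared-key message authentication code, not the public-key digital signature the Integrity Controls section mentions; it is used here because it is available in the standard library, and the verification structure is the same. The key, the envelope layout and the sample payload are constructed.

```python
"""Detecting in-transit modification and replay with a keyed integrity tag.

Added example for this article. Uses HMAC-SHA256 (shared key) in place of a
public-key signature; the envelope format and sample data are constructed.
"""
import hashlib
import hmac
import json


def _canonical(body):
    """Deterministic bytes: the same body always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(key, payload, seq):
    """Sender side: wrap payload with a sequence number and an integrity tag."""
    body = {"seq": seq, "payload": payload}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})        # the bytes put on the wire


def verify(key, wire, last_seq):
    """Receiver side: returns ("OK", body) or ("TAMPERED"/"REPLAYED"/"MALFORMED", None)."""
    try:
        envelope = json.loads(wire)
        body, tag = envelope["body"], envelope["tag"]
    except (ValueError, KeyError, TypeError):
        return "MALFORMED", None
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(tag)):
        return "TAMPERED", None            # any change to body or tag lands here
    if not isinstance(body.get("seq"), int) or body["seq"] <= last_seq:
        return "REPLAYED", None            # old or repeated message
    return "OK", body


def tamper(wire, new_amount):
    """Simulate an intruder editing the payload without knowing the key."""
    envelope = json.loads(wire)
    envelope["body"]["payload"]["amount"] = new_amount
    return json.dumps(envelope)


if __name__ == "__main__":
    # Constructed shared key and payload; real keys come from a key-management system.
    key = b"constructed-32-byte-demo-key-0123456"
    msg = protect(key, {"account": "A-17", "amount": 100}, seq=1)
    print(verify(key, msg, last_seq=0))                  # ('OK', {...})
    print(verify(key, tamper(msg, 9000), last_seq=0))    # ('TAMPERED', None)
    print(verify(key, msg, last_seq=1))                  # ('REPLAYED', None)
```

The same `protect`/`verify` pair applies to data at rest: tag each stored record when written and re-verify on read, and silent alteration of the record by a process without the key becomes detectable rather than invisible.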
Encryption
The Covered Entity should evaluate and decide whether to encrypt some or all of its security-sensitive information while it is at rest in storage or transmitted over networks. Considerations going into this decision include:
The recipients’ ability to receive and decrypt an encrypted message.
The sensitivity of the transmitted information.
The potential impacts of unauthorized disclosure.
The costs of implementing, managing, and operating the encryption system.
The vulnerabilities of storage, the network, and the overall environment.