Mobile Data Security Blog

Home  »  Archive by category "Compliance"


Majority of Healthcare Breaches Are Due to Loss or Theft, Not Hackers

I just recently read an article about how a healthcare organization lost backup hard drives containing personal information on nearly 40,000 of its clients. To make matters worse, the article stated that there was “no mention of strong encryption being applied to the records, implying that they were stored relatively insecurely.” WHAT?  I shake my head in frustration because there is a simple solution. Why don’t more healthcare companies deploy secure USB?

You might be surprised to know that the majority of breaches come from lost or stolen devices, not hackers. In fact, sixty-eight percent of all healthcare breaches are from loss and theft. This leads me to conclude that most healthcare companies insecurely store, and therefore risk losing their clients protected health information (PHI) such as birth dates, medical records, and Social Security numbers.

Sadly, it looks like this trend won’t be ending anytime soon.  A recent healthcare data breach forecast predicted that employees (not hackers) will continue to be the greatest threat to securing healthcare data including PHI.  The forecast goes on to say that despite all signs pointing to employees as the largest threat to a company’s security, business leaders will continue to neglect the issue in favor of buying more “appealing” security technologies aimed at preventing intrusions from outsiders in 2015. (sigh)

So here’s the good news – there is a workable solution that’s easy for healthcare organizations to implement. One simple, affordable option is to store PHI and other confidential data on a portable, encrypted external hard drive or USB instead of storing data directly on the laptop.  There’s a class of readily available hardware encrypted devices that are virtually unhackable and can be remotely wiped should they be lost or stolen.  And, these drives deploy the highest standards of protection with AES-256 encryption.   These highly secure drives even protect data and applications from malware like BadUSB. And their rugged design makes them nearly indestructible.  They’ve even been known to survive an autoclave! 

IronKey™ offers the most secure storage solutions and mobile workspaces available.  So, don’t be tomorrow’s headline.  Check out our healthcare security solutions today.


Could You Pass a Privacy Audit? Healthcare and Australia’s Privacy Regulations


Our special guest blogger, Elizabeth Parsons, is based in Melbourne and is responsible for growing the Imation Mobile Security business in Australia and New Zealand.  

Last year the Australian Federal Government ushered in a new set of Australian Privacy Principles (APPs) and in the process, dramatically overhauled the obligations of organisations regarding the collection, use, storage and security of personal data.  The changes were expected to have a big impact on data handling within the healthcare industry, as the regulations particularly targeted all Australian Government agencies, businesses with a turnover of more than $3 million or trade in personal information, and private health service providers.

Twelve months on, it’s timely to consider how well your organisation has responded to the new requirements, and to ask yourself:  Would your organisation pass a privacy audit if one was held tomorrow?

The Basics

One of the first changes that should have been introduced by every facility or institution is an updated, accessible privacy policy. This should advise individuals of your obligations, the kind of personal information collected, how it is collected, the purpose for collection, how an individual can access that information, and how they can make a complaint about any breaches of the APPs.

Following on from this, every organisation should also now have an internal guide to privacy compliance.  The aim of this is to ensure that the staff will understand the legal requirements when dealing with personal data. It should also articulate the organisation’s own rules and processes relating to collection and storage of data.

The Problem of Security

One of the most critical obligations under the APPs is security.  The eleventh privacy principle states:

“If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

(a) from misuse, interference and loss; and

(b) from unauthorised access, modification or disclosure.”

And it’s here that, even today, many healthcare organisations find their privacy efforts falling short, because keeping data safe from accidental loss or malicious activity such as viruses, worms and hackers isn’t always straightforward or easy.

While most organisations have measures in place to secure data on the network, the main area of vulnerability is mobile data.  When a clinician carries patient data on their laptop from their consulting rooms to the hospital, what happens if the laptop is stolen?  Or when a USB stick is used to send information from one facility to another, what is the outcome if the USB is dropped and lost?

No matter whether confidential information is breached due to theft, malware, spyware, or just a simple accidental loss, there are serious consequences. Since 2014, failure to comply with Australia’s new privacy laws can leave an organisation liable for a fine of up to $1.7 million.

Doing away with mobility is not the answer.  The efficiencies and improvements to health outcomes arising from a more mobile health force are too great to ignore. Therefore, it’s clear healthcare facilities have to find a way to keep mobile data safe.

A Two-pronged Response

The solution is to adopt a two-pronged approach to mobile data security by only using drives that offer encryption supported by data management.

Encryption involves coding data on the drive so it remains unreadable to anyone who doesn’t have the right “key”.  If the USB or hard drive is lost or stolen, the contents remain obscured and inaccessible. One of the most appealing aspects of encryption is there are no technology barriers to its adoption, and compared to the cost of a data breach, the investment required is relatively insignificant.

The second part of the approach is a management capability that brings control to the data on the device.  For example, at some stage an employee will forget their password, rendering them unable to access the corporate network. With the right management capabilities, IT can not only reset the password but when the user logs on, they can cross-reference the IP address of their machine against a map in order to ascertain if the person is indeed who they say they are. If IT has any suspicions, they can remotely wipe the hardware device that the employee is working from and kill all encrypted data.  Management functions also enable IT to force a device to be in read-only mode, remotely make password changes and re-commission devices that are no longer in use.

Together, encryption and management ensure confidential and private information on USB and external drives to remain protected, even if the drive is lost or stolen and lands in someone else’s hands.

The 2014 changes to Australia’s privacy regulations have put the data management practices of Australia’s government agencies and private sector organisations under the spotlight. For the healthcare industry, securing confidential patient data has never been more important with the increasing amount of records being transferred to electronic records. Achieving the necessary degree of security requires more than good intentions. It demands a comprehensive mobile security solution built around strong encryption, robust identity management, and policy-based data management.



Introducing the IronKey S1000 USB 3.0 Storage Drive


Meet the newest addition to the IronKey™ secure storage family of flash drives:  The IronKey S1000.  Building upon IronKey’s history of providing the world’s most secure USB storage devices, users now have a choice between IronKey’s industry-leading USB 2.0 and 3.0 devices.  Check out some of the highlights of the IronKey S1000:

Blazing Fast USB 3.0 Performance

Realize read speeds of up to 400 MB/sec and write speeds up to 300MB/sec. That’s double the performance of competing hardware-encrypted USB 3.0 flash drives and up to 10x faster than a USB 2.0 drive. Storage size has doubled too, with capacity up to 128GB.

Strongest USB Security Available Today

The S1000 protects files with Federal Information Processing Standards (FIPS) 140-2 Level 3 and National Institute of Standards and Technology (NIST)-approved XTS-AES 256-bit encryption, ensuring compliance with the most stringent government and industry regulations while allowing workers to remain mobile.  As with our other products, the S1000 requires code signing for firmware updates  and protects against attacks such as BadUSB and now the most recent Equation Group hard drive attacks to which other USB vendors are vulnerable.

Additionally, the IronKey S1000 military-grade, ruggedized design resists physical tampering and will self-destruct if unauthorized attempts to physically obtain access to the data are made.

Backed by a Lifetime Warranty

Our products are built to last.  They can withstand being run over by a Land Rover and multiple cycles in the washing machine.   In an industry first, we are offering a lifetime warranty for our IronKey S1000 family.  

The IronKey S1000 is available in two versions for maximum flexibility:  IronKey Basic S1000 and the centrally managed IronKey Enterprise S1000. 

Which product should I use?

If you have a desktop, laptop or tablet with USB 2.0 ports, the IronKey S250 and D250 devices are a perfect fit.  But if you have a desktop, laptop or tablet with USB 3.0 ports, you’ll want to look to the IronKey S1000 to take advantage of the faster speeds, enhanced encryption and the lifetime warranty.   


Sochi Games and Windows To Go – BYOB — Bring Your Own Burner

With reporters just starting to show up at the Sochi Games, their horror stories are emerging on everything from yellow drinking water, poisoned dogs and roofless hotel rooms to a hacker heaven. Digital connectivity and security are going to be hot topics and major issues during the Games. The IronKey Workspace™ for Windows to Go, a PC on a Stick™, is a great solution for anyone traveling to Russia. Here’s why:

Russia has LAWFUL interception of ALL communications. There is ONE network, completely government controlled. What this means is, if you want to be online — unless you are working on a highly classified government network from your country of origin — you WILL be monitored and almost certainly hacked.

Even if you have a VPN, the Russian network will own your PC, your credentials, your certificates, etc. So you’re toast.

But you have to be connected and get work done. What do you do?

Take three things on your trip:

  • IronKey Workspace W500™ for Windows To Go, with your needed applications and public files. You can plug the Windows To Go drive into almost any computer, work solely from the USB stick and not leave a trace behind.
  • Laptop, with the hard drive either disabled or removed (just to be safe)
  • Burner cell phone – buy with cash.

The good news is you can be connected this way without digital harm. The bad news is that, while you’re in Russia, you’ll have to assume all of your communications are public and not secure.  But you can stay completely connected, be productive, and still be safe when you return home.

While in Russia, you can use Windows To Go in your laptop, do all your work with your regular applications and stay connected to home base. The Windows 8.1 operating system you load on Windows To Go must contain applications and files that are not sensitive, because once you log on to the network, you need to assume anyone can see them and know it’s you. Same thing with when you use your cell. Even burner cells can be traced and triangulated. Just ask the DEA.

Once you get home, have IT re-provision your Windows To Go device. Or do it yourself. Load up all your applications and files, including all the sensitive ones. Windows To Go can be used again, completely securely in other countries. You can use it with your regular laptop or the drive-less one you got for the trip. Destroy the cell just like in cop shows.

Bon voyage!




3 Tips For Enabling Data Security and Mobility at Government Agencies

October marks the end of the US federal government’s fiscal year, and Imation’s mobile security experts are very busy discussing the benefit of our solutions with IT staffs at various agencies. We typically see an increase in interest near the end of the fiscal year, but there are a couple of reasons why our IronKey secure USB solutions are more top-of mind this year than in the past.

There is an increased focus from government agencies on enabling computer mobility. Like many other sectors, government agencies understand that mobile devices make employees more productive, a fact which was backed up as recently as May in an 1105 Government Information Group report. IronKey secure USB data storage devices and IronKey Workspace Windows To Go solutions enable end user mobility, as government employees can take their data and desktop environments with them wherever they go securely.

Microsoft Windows 8 spotlights how USB devices can serve as a secure, mobile computing alternative for BYOD. Microsoft cites Windows To Go, which enables a fully functioning Windows desktop to be booted from a USB device, as a key enterprise feature of Windows 8. Government agencies are taking notice.

At the same time, government IT staffs are justifiably concerned about security. The same 1105 Government Information Group report cited earlier notes that agencies are providing their employees with agency-issued devices, primarily because they are worried about the lack of control. A government mobility policy in these situations shifts away from BYOD, since employees cannot bring their own devices.

Any solution involving mobile devices (whether through employee devices or agency-provided devices) must include policies and technology to protect against data leakage or misused data.

In general, we offer these tips as part of such policies:

1) Access control: Agencies must establish and enforce strict methods for granting device access.

2) Auditing: IT departments should schedule frequent audits to make sure that devices are in the right hands and are being used appropriately.

3) Remote kill: Government agencies should deploy mobile solutions that enable remote kill capabilities, so that devices can be erased or destroyed if they fall into the wrong hands.


Enabling BYOD with a Secure Windows To Go IronKey Workspace

We have now announced Microsoft certification and general availability of our IronKey Workspace W500. Microsoft’s certification process is a rigorous one, so we are extremely pleased to put this stamp of approval on our latest Windows To Go solution. And we’re excited to bring our secure PC on a Stick platform to the Windows To Go solution set.

According to Intel’s IT Manager survey on the current state of BYOD, one of the two largest barriers to BYOD adoption is that the devices used by employees cannot support security, encryption or remote wipe.  The IronKey Workspace W500 solves IT managers’ security concerns with its hardware based encryption, ability to issue ‘silver bullet’ commands to remote wipe the device, and centralized management.  The IronKey Workspace W500 is truly an IT provisioned, IT managed and IT secured device that fits into your network.

intel barriers snap

Source: Intel

Gartner predicts that half of companies will require BYOD in 2017, and as this trend spreads from mobile phones and smartphones to the PC, our Windows To Go workspace offerings position us strongly in this space. Strong market interest in our solutions backs up this trend – for example, we have initiated pilots large organizations that are interested in deploying thousands of devices. Use cases we are seeing include:

  • Executive travelers are seeking to bring a secure device to insecure countries, instead of a laptop.
  • Government agency looking to provide a way for employees to telework securely, using the workspace device on their home PCs.
  • A hospital is looking at providing secure workspaces to medical residents instead of providing PCs –a 10X cost savings.
  • Top universities are testing IronKey Workspaces for their students to use in computer labs, and then to allow them to bring their computing environment home.

Our new IronKey Workspace W500 represents a powerful, secure PC on a Stick offering for enterprise customers. This is a high-performance, ruggedized, high-security platform for organizations who see opportunity in using Windows To Go to support their BYOD initiatives.

You can learn more about the IronKey Workspace solutions at


California Cracks Down: Companies Must Encrypt Personal Data

The California Attorney General has issued a major data breach report, finding that more than 2.5 million people were affected by 131 reported data breaches within the state, with 56% of the breaches including disclosure of Social Security numbers.

California Attorney General Kamala Harris is calling for wider use of encryption and increased training for employees and contractors on handling personal information. InfoWorld reports that, “her office “will make it an enforcement priority to investigate breaches involving unencrypted personal information” and will “encourage … law-enforcement agencies to similarly prioritize these investigations.”  She also recommends employee and contractor training on how to handle personal information.

Imation did its own review of U.S. data breach laws in 2012, and created the “heat map” graphic below, based on the strictness of those laws. California was a forerunner in data breach laws; while most state laws are similar, requirements and penalties vary widely.

As we’ve noted before, encryption is the foundation for protecting personal data. 

Having data encrypted at the time of the breach means, under most (but not all) of these laws, (because the data is unreadable) that loss or theft of a USB device or laptop doesn’t require reporting. Also, as the California report notes, keep security awareness campaigns active so workers stay alert to the risks.

By taking a few pragmatic precautions, the majority of risks can be greatly mitigated. So the next time an employee loses a notebook or an encrypted flash drive that held protected data, if it’s been properly encrypted and managed you’ll have may well have endured a non-event.

Compliance Heat Map

Imation Compliance Heat Map. Click to view full-sized image.


The Thumb Drive Conundrum: Managed USB and Encrypted Flash Drives Attack the Insider Threat

The revelation that Edward Snowden absconded from NSA with secret files on a thumb drive has generated predictable gnashing of teeth about the use of portable USB drives in secure organizations. At the same time, government and business organizations are successfully implementing secure deployments of portable USB drives so that employees can transport data they need to be productive.

The technology issue is one of competing needs: To be productive, mobile employees need the mobility, offline storage and security afforded by USB drives. To secure data, IT needs control of how employees move information and what information is moved.

The fact is that today, IT can take control without blocking USB ports. We’re not sure what safeguards the NSA had in place, but there are technologies that could prevent or mitigate this kind of insider threat. For example, secure enterprise device management software can offer:

Device Location – with managed USB drives, software can show the locations of every managed device when they connect to the Internet on a map. This allows tracking of a device that has “gone rogue” and could aid in recovery.

The “Silver Bullet” – the ability to either password-disable or perform a remote kill to completely disable the device if it goes missing or someone is suspected of copying data they should not have on the drive.

Geofencing, IP Blocking – It is possible to add rule features so that unless the device meets certain conditions, the data is automatically wiped. For example, IT could enable “geofencing” so that if device is outside the country, the data is wiped – or if it is on an unapproved network, or outside a certain IP range.

Have a Consistent Data Security Policy

It’s really a matter of having a consistent policy for your data at rest.  Many organizations require their PCs and Macs to have full disk encryption enabled.  But that policy is not enforced when it comes to removable media like a USB drive.  By using a manageable and encrypted storage device you can maintain a secure policy for your data no matter where it goes.

If we look at the SANS Top 20 Security Controls, Critical Control #17 – Data Loss Prevention specifically addresses how best to handle sensitive data and prevent it from leaving your organization without permission.  The advice from SANS is to, “deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data,” and that “enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices.”

For workers who travel, teleworkers shifting between work and home, or contractors working with your data, a secure, managed USB thumb drive is more secure than online file sharing, and certainly better than unencrypted and unmanaged notebook computers, USB devices and smartphones. And management adds an extra layer of security against both external and insider threats.  IT can address a number of potential security threats by implementing policies that require uses to use encrypted flash drives.


The Security You Need

Organizations have different security needs, and different departments require different levels of security. When we brought together portable USB security leaders MXI Security, IronKey™, and Imation’s Defender™ collection to form the Imation Mobile Security group, our opportunity was to bring together the best of these technology leaders, so we could have a portfolio of products to satisfy all security levels.

Today, we are announcing that we have unified these powerful technologies under the IronKey brand, one of the most trusted and recognized in the security business. Beyond the iconic IronKey secure flash drives, the Imation Defender Collection is now included under the IronKey brand.

The overall result of this rebranding is a simpler, more streamlined product set.  Customers now can turn to the IronKey portfolio for hardware encrypted USB flash and hard disk drives with biometric authentication, manage drives with the IronKey ACCESS ™ on-premise device management system, and find encrypted USB drives compatible with McAfee ePO software. All this in addition to the iconic IronKey 250 drives – called The World’s Most Secure Flash Drive™ — and the new IronKey Workspace family for Windows To Go.

secure-portable-storage-products-large (2)

IronKey Secure Portable Storage Products

Visit to view the full portfolio, and find the right solution for your organization.


Bring out the heavy hardware to protect passwords

Use strong passwords, un-guessable security codes and hardware encryption to defeat advanced threats

As long as you have a password in place, your data is protected, right? The number and types of breaches we saw in 2012 challenge this notion. From LinkedIn to eHarmony to Twitter, cyber thieves have been on the hunt to break the barriers of thousands of simple passwords. And what is most chilling? it’s not going to stop.

Passwords have been around since the dawn of the digital age, but they are not well understood. Simple, overused passwords can’t protect data from even low-skilled hackers. And people are people, and even when they are outfitted with The World’s Most Secure Flash Drive, need a reminder that making your password “password” is no longer (if ever) considered clever or safe.

With rising attention to data privacy and increasing risk of data breaches, there will be more encryption across all devices and platforms in 2013. Which means that it is never too soon to revisit the password. Here are four best practices organizations should follow to improve password strength their organization:

  1. Passwords must be longer, stronger and un-guessable
    Passwords protected in software are subject to offline brute force attacks, which is why web service hacks can be so devastating. Attackers can go through a database of passwords they have obtained and crack them at their leisure.  It is remarkable the number of individuals who use the password “password” or “123456”. These passwords are often the first ones breached by cyber-thieves, as can be noted in last years LinkedIn and Twitter breaches.

    • Instead, choose a unique password, with character complexity and a combination of both letters and numbers. A strong password should be at least 12 characters long. The rule is that the longer the password, the longer it will protect you. A good hacker can breach an 8-character password in a few days; a 15 character password might take a year.
    • To make the password even stronger, the character complexity should be at random, as complexity alone is not enough to stop a hacker in today’s digital age. Having a strong password makes offline attacks much more difficult for hackers.
  2. Remember Personal Information is Out There
    With today’s heavy social media presence, the names of your dog or your mother’s maiden name are no longer confidential information. The public has access to the information you post on your social media site, and unwittingly offer clues to clever hackers. When choosing security questions for password recovery, be mindful of the information that is public, and create passwords that revolve around something actually “private.”
  3. Use Hardware Encryption to Combat Advanced Software Threads
    Avoiding the threat of brute force attacks on passwords requires heavier hardware – hardware encryption, that is. A password protected in the right kind of hardware makes security simpler, because this kind of brute force attack to decrypt the password is not possible. The hardware will lock up after a low number of attempts (set by policy), and then the attack stops.

And finally, a bonus point: Remember to set strong policies and educate employees. Cyber-thieves are becoming more sophisticated, and strong passwords are the best defense. Organizations must create stricter guidelines for employee password security in order to keep their employee’s personal and the company’s corporate data secure.