With the recent allegations of Russian election hacking, the Russian and Chinese government targeting private companies, and the use of such hacks for political, military and economic gain — internal and external, data security has become a major issue for all companies. The design constraints for encryption no longer come from a series of “what if” possibilities — they are now a series of “because of…” realities. It does little good to start a company only to see its credibility destroyed by an internal or external data breach.

It is important that security is built in from the beginning and there are a series of important concepts and procedures that professionals like those at Telegraph Hill can bring to your organization.

Applicable Law

The FinTech industry has a series of laws to protect identity theft. US Applicable FinTech laws are Gramm-Leach-Bliley Act (GLBA) and the Federal Financial Institutions Examination Council (FFIEC). In April 2019, in coordination with The European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA), the EU introduced a new series of working groups to confront the issues of FinTech Data Security,

“the European Commission announced the launch of the European Forum for Innovation Facilitators (“EFIF”). The EFIF will serve as a joint platform designed to foster collaboration and experience sharing among European financial supervisors on their engagement with FinTech firms through sandboxes and innovation hubs. On an ad-hoc basis, the European Supervisory Authorities (“ESAs”) and EU Member States’ National Competent Authorities (“NCAs”) will also be joined by third-countries’ authorities to exchange best practices, identify regulatory obstacles and share knowledge.”

The MedTech industry also has applicable laws to protect privacy. US Applicable MedTech laws are focused on HIPAA compliance and the FDA is lobbying to include medical devices into that system–to protect individuals from harm by device security breaches.1 Correspondingly the EU has the General Data Protection Regulation (GDPR), the forthcoming Cybersecurity Act, and The EU’s Medical Device Regulation (MDR)2.

Furthermore, for companies conducting business in California, any leaked personal information is required to be disclosed by law (SB-1386). Facebook recently set aside $5 billion to cover fines with $3 billion expected to go to pay fines to the US FTC and $1.6 already required by the EU GDPR. While Facebook’s issues may be more management oversight and actions related — the data that we know about was not stolen, it was sold — the fines set a real and expensive legal precedent for companies that don’t comply.

Regardless of your plans to be a US only company or supply your products internationally, it is important that you bring design and architecture together that not only conforms to existing law, put includes a flexible design pattern so that your company can advance with what has become a security cold war. The professionals at Telegraph Hill bring hundreds of years of combined cutting-edge experience to your organization to solve these problems.

Encryption of Personally Identifiable Information

In California, leaked personal information must by law be disclosed (SB-1386). Application-level encryption can decrease the risk of leaked data, both in the means by which data can be accessed, and by the amount of data that is accessible.

What is PII or PHI?

PII Thumbprint

Personally Identifiable Information (PII) is any data that can potentially be used to uniquely identify, contact, or locate a specific individual. PII includes but is not limited to: Name, Address, SSN, VIN, DOB, Facebook ID, Zip Code, Phone, Email Address. HIPAA defines Protected Health Information (PHI) with a similar standard but excludes VIN and Facebook ID but includes Credit Cards, Drivers License and Medical Records.3 And, the PHI definition is being extended to apply to Genetic, Facial Mapping, Fingerprint (and other uniquely identifiable prints) and retinal scan data.4

This brings up some interesting questions. Legal technologists advise that facial mapping and retinal scans used for security and law enforcement may incorporate medical information in some security standards. Such problems highlight the need for the flexible design pattern mentioned earlier for handling security information.

There are three areas of concern for PII. PII in transit, PII in an application, and PII in storage. Each area requires different security standards. PII in transit (on a network) needs to be encrypted. PII in storage needs to be separated from other non-PII information. PII in an application may require screen locks, physical device security, application display logic or by polarized displays that narrowly focus the angle from which sceen data can be viewed. Application may need to design a non-PII reference that the user understands and relates to. A PII reference may be a first name or internal account number — giving information consumers the ability to keep context on “the subject” while working with non-PII information for the customer.

Encryption

data encryption keys

Almost all forms of encryption use a Block Cypher technique, the most common form being public/private key encryption. A secondary form of encryption is called Hash Function Encryption. A common example of Hash Function Encryption is MD5. But it’s possible, at least in theory, to invent any hash you want. In Hash Function Encryption the systems in common use today use a Block Cypher technique with a key. This makes them very similar in practice to Block Cypher because of Block Cypher’s resiliency.

There is no encryption method that is considered absolutely safe. Block Cypher is believed to be crackable by quantum computing. And, there are academic papers reveal that patterns in a block cypher can point to a specific key values that formed it. As such new algorithms have been developed to encrypt the cypher block like RC6 and Triple DES. Thus, it is important to encapsulate your encryption design into a flexible design pattern mentioned earlier.

Security at Rest

database security

Security at Rest, Storage Security or Database Security requires specific techniques to protect PII. Currently the best practice follows three rules:

  1. The PII must be encrypted with a multi-round block cypher.
  2. It must be stored away from the non-PII data.
  3. The encryption technique and keys used to link the PII and non-PII data should not be stored in the database.

There are many shortcuts that, while they may pass a security review, do not conform to established law and best practices. A common shortcut is to put an encryption key on the entire database and encrypt everything. This violates the second and third (arguably) the third rules above and has two big security holes: (1) anyone with access to the database driver, has access to all the information in it because the information is encrypted and decrypted either on the server or in the driver, and (2) If a hacker gains access to the physical data, the decryption algorithm is stored in the database properties and easily accessed which gives the hacker full access to the database.

Many professionals are considering blockchain as a means of handling these types of security concerns. Blockchain will work for financial data — but only today, and only if PII is not stored in the Blockchain. Bitcoin and other cryptocurrencies avoid PII by only storing the key in the chain. Blockchain does not comply with storing PII/PHI in the Blockchain because it violates forms of the second and third rules above.

For a more formal discussion on the highly complicated reasoning behind this practice, contact Telegraph Hill to begin a professional with deep knowledge in the field.

Security in Motion

Network Security

Security in Motion refers to network data requiring security, usually in the form of encryption. Commonly this encryption is two phase key encryption. While the data is vulnerable of being “seen” over the internet, the tools that decrypt it are not exposed at the time of detection–if at all.

Because RSA and other algorithms are publicly available, it’s possible to generate a private key on a client and store it there, sending only the public key to the server and vice versa. A key server can setup a public/private key to each client/customer and send them the public key. In this way a very secure and unique connection can be formed between a server and all it’s clients. This way, information in motion is always secured to the state of the art.

Security in Display

Laptop display security

Security in Display refers to security for information that is being displayed to an end user. For PII, the standards are fairly loose here today. For PHI they are not. PHI displayed should have authentication, time-out and physical security.
Authentication means that only specific individuals authorized to see the PHI can access the display that presents it.

Time-out means that after a specific amount of time (usually 30 seconds to five minutes) the screen goes blank and the user must reauthenticate to resume his or her session.

Physical Security

Physical Security means that a number of physical steps must be taken to prevent others from seeing the screen when the information is being displayed. This can include a physical door, a locking system to prevent theft and/or a polarized display that narrows the viewing angle of the screen.

Conclusion

data judgement triangle

Data Security requires a thorough understanding of the current. It also must consider both what the laws will be if a company grows to additional markets in other jurisdictions. Data security is about knowing what data to secure and how to do that, physically in all the conditions your data is in. Handling security efficiently requires experienced experts in the field.

Data security requires a thorough understanding of how to secure your data across a complete spectrum of uses and those uses’ potential vulnerabilities. Telegraph Hill and Painted Intelligence has the expertise and tools to enable you to deliver your project with increased data security, efficiency, planning and predictability. For more information and help managing the complex world of Data Security, contact the experts at Telegraph Hill Software.

David Urry
Telegraph Hill Software
535 Mission St, San Francisco, CA 94105
david.urry@thpii.com



1 https://www.fda.gov/medical-devices/digital-health/cybersecurity
2 https://www.raps.org/news-and-articles/news-articles/2019/3/eu-medtech-industry-signals-need-for-harmonized-ap
3 https://www.virtru.com/blog/personally-identifiable-information-hipaa/
4 https://www.genome.gov/about-genomics/policy-issues/Privacy