CCPA and Zero Trust Security for PII: Healthcare and Education
The California Consumer Privacy Act went into effect on July 1st, 2020, putting businesses under new regulatory standards for handling Personally Identifiable Information (PII) of residents in the country’s most populous state.
As with GDPR, there was a lot of anticipation leading up to the deadline. Organizations may be better prepared than they were for GDPR in 2018, but a few key things have changed.
Why is privacy still a huge concern? In the new age of quarantine, we now face:
- Remote everything: cloud collaboration (including processing PII) is the new normal — requiring appropriate cloud security and endpoint security
- Double ransom with data exfiltration: more attackers are exfiltrating customer data from businesses and (if ransom is withheld) extorting consumers directly through bitcoin — often in the headlines.
What does this mean for businesses? Even more exposure, and greater incentive to pay an even higher ransom to avoid privacy law penalties and class-action litigation.
The value of PII
Early on, many attackers and ransomware campaigns didn’t know what they were going after; they took whatever bite they could get and tried to monetize it. Now, bad actors actively target specific sites for banks, law firms, or healthcare providers, and they understand why that information is valuable; much of that value comes from the privacy laws themselves.
How valuable is personal data?
- Under CCPA, damages in civil class-action lawsuits over data breaches are set at $100-$750 per California resident (the state has nearly 40M) per incident, or actual damages, whichever is greater, plus any other relief the court deems proper.
- This might look smaller than a GDPR fine of up to 4% of annual turnover (the ceiling the ICO can apply in the UK), but think about the years of costly litigation it takes to arrive at a settlement.
So imagine: if your business is breached, attackers can add the potential fines to your ransom, and you are incented to pay, because at least you avoid the reputational damage of being exposed to regulators and class-action lawsuits, which take years and millions to defend.
The laws are well-intentioned, but they create a huge incentive for attackers to hold businesses’ feet to the fire if they can hook a healthcare institution or school in CA, or a bank anywhere. Privacy and consumer data are such a high-value currency that an attacker who knows what they’ve got will exploit it for every penny it’s worth.
Vulnerable targets: healthcare and education
Businesses like healthcare and education, with large numbers of customers and employees and correspondingly large amounts of their PII, are at significant risk.
What is the threat?
- Both have already been under scrutiny for privacy concerns around PII for years, through regulations like HIPAA in healthcare and FERPA in education (and now CCPA).
- Now that distance learning is the norm and medical records have gone largely electronic, with systems connected through Epic, it’s easy for attackers to move between systems if no network segmentation access policies are in place to prevent it.
- With a global pandemic and vaccine research underway, the need for research and healthcare to keep operating is even more strategic – and potentially more lucrative for ransomware attackers, as we’ve seen with hits on the World Health Organization (WHO), and COVID-19 vaccine test centers.
Consequently, it is no surprise that healthcare and education get hit so frequently with breaches.
Zero Trust Security with Illumio
One recent Illumio customer, a top medical school offering distance learning, sought to better secure its data against attack by using network segmentation to stop a breach from spreading to PII.
Network segmentation is a critical control for securing PII: it ring-fences the applications that hold patient or client data. Zero Trust security policies limit access to allowed parties with a legitimate business purpose and cut off the path an attacker would otherwise use, after escalating privilege, to move freely across the network toward the most valuable data. The customer first considered firewalls, but network-based security with internal firewalling couldn’t keep up with cloud-based demand.
“Being able to efficiently and safely enforce policy rules was paramount because we have so many people and systems. With firewalls, it could take months,” the school IT lead explained. “You have to use change control. If hardware goes down, you jeopardize the whole data center. It creates points of failure and complexity, and puts a strain on the network staff. Every new database requires coordination.”
The team chose a software-based approach with Illumio.
“We were interested in micro-segmentation but did not want to use ACLs on network infrastructure, which would require a testing environment and outage windows. At the same time, our security team wanted to start using the native security capabilities of our Windows servers. Illumio ASP checked all of the boxes for both implementations – it was our first and final choice. It allows us to see all of the communication flows in our live production environment and to test firewall rules without facing outages.”
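The two ideas above, ring-fencing a patient-data application behind a default-deny allow-list and testing the rules against live flows before enforcing them, can be shown in a small policy dry-run. The following is an added example written for this page; it is not Illumio code and does not model the ASP product. The workload labels, the two allow rules, the address ranges and the flow records are all constructed, and the flow-record format (timestamp, source, destination, port, protocol) is an assumption.

```python
"""Ring-fence dry run: evaluate observed flows against a Zero Trust allow-list.

Added example, not Illumio's code. Inventory, rules and flow records below
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_role: str        # label of the workload allowed to initiate the connection
    dst_role: str        # label of the ring-fenced workload being protected
    port: int
    proto: str = "tcp"


# Constructed inventory: address range -> workload label. In practice this
# mapping comes from an agent or CMDB, not from subnets, but it keeps the
# example self-contained.
INVENTORY = {
    ip_network("10.0.1.0/24"): "web",
    ip_network("10.0.2.0/24"): "patient-db",
    ip_network("10.0.3.0/24"): "backup",
    ip_network("10.0.9.0/24"): "workstation",
}

# Allow-list for the patient-db ring fence. Anything not listed is denied,
# which is the default-deny posture Zero Trust segmentation relies on.
POLICY = [
    Rule("web", "patient-db", 1433),     # application tier talks to the database
    Rule("backup", "patient-db", 22),    # backup host pulls dumps over SSH
]

# Constructed flow log lines: <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
FLOWS = [
    "2020-07-01T10:00:01Z 10.0.1.10 10.0.2.5 1433 tcp",
    "2020-07-01T10:00:02Z 10.0.3.4 10.0.2.5 22 tcp",
    "2020-07-01T10:00:03Z 10.0.9.21 10.0.2.5 1433 tcp",    # workstation straight to the DB
    "2020-07-01T10:00:04Z 10.0.9.21 10.0.1.10 443 tcp",    # outside the ring fence
    "2020-07-01T10:00:05Z 192.168.50.7 10.0.2.5 3389 tcp",  # unlabelled host, RDP to the DB
]


def role_of(ip: str) -> Optional[str]:
    """Resolve an address to its workload label; None if the host is unknown."""
    addr = ip_address(ip)
    for net, role in INVENTORY.items():
        if addr in net:
            return role
    return None


def parse_flow(line: str) -> Dict[str, object]:
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto.lower()}


def evaluate(flow: Dict[str, object]) -> Tuple[str, Optional[Rule]]:
    """First matching allow rule wins; no match means deny (default deny)."""
    src_role, dst_role = role_of(flow["src"]), role_of(flow["dst"])
    for rule in POLICY:
        if (rule.src_role == src_role and rule.dst_role == dst_role
                and rule.port == flow["port"] and rule.proto == flow["proto"]):
            return "allow", rule
    return "deny", None


def dry_run(flow_lines: List[str], protected_role: str = "patient-db") -> Dict[str, list]:
    """Report what the policy would do to each observed flow, without enforcing.

    Only flows whose destination is inside the ring fence are evaluated; the
    'deny' list is what would break (or what an attacker was relying on) if
    the policy were switched to enforcement today.
    """
    report: Dict[str, list] = {"allow": [], "deny": []}
    for line in flow_lines:
        flow = parse_flow(line)
        if role_of(flow["dst"]) != protected_role:
            continue
        verdict, rule = evaluate(flow)
        report[verdict].append((flow["src"], flow["dst"], flow["port"], rule))
    return report


if __name__ == "__main__":
    for verdict, entries in dry_run(FLOWS).items():
        for src, dst, port, rule in entries:
            print(f"{verdict:5} {src:>14} -> {dst}:{port}  via {rule}")
```

Running the dry run on the constructed flows allows the web and backup connections and flags the two flows a segmentation policy exists to stop: a workstation reaching the database port directly, and an unlabelled host opening RDP to it. Reviewing the deny list before enforcement is what turns a firewall change from an outage risk into a routine policy update; any legitimate flow that shows up there is a missing rule to add, not a reason to widen the fence.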
Illumio helps healthcare, academic, and other critical industries keep their PII safe through better micro-segmentation that decouples Zero Trust security from the constraints of the network. Learn more about one healthcare school’s journey to better cloud security for distance learning in the case study here.