It’s not uncommon for businesses to assume that a small team manually looking after certificates is sufficient, and that certificate-related outages or data theft are the type of thing that happens to other companies. But it’s just as easy for large organizations to have the same challenges with expiring certificates.
Recent events demonstrate that businesses and websites of any scale are vulnerable to attack when the proper measures aren’t taken. From governmental encryption vulnerabilities to cybersecurity breaches, neglect and complacency can lead to disaster. Allow these cautionary tales to encourage you to start investing in machine identity management today!
The Cybersecurity Hub is South Africa’s governmental security hub, which plays the vital role of handling the cybersecurity threats that South Africa’s residents report. So it’s not unreasonable to expect that the website would follow security best practices to act as a beacon to those that it serves. One of those best practices is to maintain valid security certificates, which authenticate a website and allow the connection between it and a web browser to be encrypted. If one of those certificates expires, it can jeopardize that protection, as when expired certificates at Equifax contributed to the company’s notorious breach. Granted, renewing certificates can be a challenge with certificate lifecycles now shorter than ever. The Cybersecurity Hub security certificate expired on November 12th, and the lapse wasn’t resolved until November 19th, a week later.
What could cause this type of security gap in a government-run website? As Venafi experts often point out, one of the biggest challenges with certificate management is maintaining a living record of not only when certificates expire, but where they are located and what they do. Depending on the size of your network, it could take a little while to diagnose and address expired certificates, as was the case with South Africa’s Cybersecurity Hub. This is one of many reasons that machine identity management is a game-changer for any organization, and automating your certificate management can ensure that certificate-related outages really won’t impact your website.
The U.S. Department of Health & Human Services Breach Portal shows that 418 HIPAA breaches were reported in 2019, compromising the protected health information (PHI) of nearly 35 million Americans. This seems staggering for an industry that should be entirely dedicated to the protection of privacy, and has been mandated to do so via the 1996 Health Insurance Portability and Accountability Act.
It turns out that while the regulations laid out by healthcare companies may seem adequate on paper, they fall short by failing to account for human error. For example, when a healthcare employee’s unencrypted laptop was stolen, the PHI of nearly 4,000 patients was stolen with it and became accessible to malicious third parties. Hospitals have also been guilty of incorrectly disposing of documents and having patient PHI stolen right out of the garbage.
The bottom line is that encryption is terribly important. That being said, there are tangible steps healthcare companies can take to improve compliance with security guidelines. An in-house compliance professional can ensure that access to emails and attachments containing private patient information is restricted to only necessary parties, and block the use of personal and unencrypted devices for official communications.