CISSP® Official Study Guide, Eighth Edition


Protected Health Information



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Protected Health Information
Protected health information (PHI) is any health-related information that can be related to a specific person. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of PHI. HIPAA provides a more formal definition of PHI:
Health information means any information, whether oral or recorded in 
any form or medium, that— 
(A) is created or received by a health care provider, health plan, public 
health authority, employer, life insurer, school or university, or health care 
clearinghouse; and
(B) relates to the past, present, or future physical or mental health or 
condition of any individual, the provision of health care to an individual, 
or the past, present, or future payment for the provision of health care to 
an individual.
Some people think that only medical care providers such as doctors and hospitals need to protect PHI. However, HIPAA defines PHI much more broadly. Any employer that provides, or supplements, healthcare policies collects and handles PHI. It’s very common for organizations to provide or supplement healthcare policies, so HIPAA applies to a large percentage of organizations in the United States (U.S.).
Proprietary Data
Proprietary data refers to any data that helps an organization maintain a competitive edge. It could be software code it developed, technical plans for products, internal processes, intellectual property, or trade secrets. If competitors are able to access the proprietary data, it can seriously affect the primary mission of an organization.
Although copyrights, patents, and trade secret laws provide a level of protection for proprietary data, this isn’t always enough. Many criminals don’t pay attention to copyrights, patents, and laws. Similarly, foreign entities have stolen a significant amount of proprietary data.
As an example, information security company Mandiant released a report in 2013 documenting a group operating out of China that they named APT1. Mandiant attributes a significant number of data thefts to this advanced persistent threat (APT). They observed APT1 compromising 141 companies spanning 20 major industries. In one instance, they observed APT1 stealing 6.5 TB of compressed intellectual property data over a ten-month period.


Chapter 5: Protecting Security of Assets
In December 2016, the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint analysis report documenting Russian malicious cyber activity. This report focused on activities of APT 28 and APT 29, also known as Fancy Bear and Cozy Bear, respectively. These groups primarily targeted US government entities and others involved in politics. Cybersecurity firms such as CrowdStrike, SecureWorks, ThreatConnect, and FireEye’s Mandiant have all indicated that APT 28 is sponsored by the Russian government and has probably been operating since the mid-2000s.
It’s worth noting that different organizations frequently identify the same APT with different names. As an example, U.S. government entities named one APT as APT 28 or Fancy Bear in a report. Other entities, such as cybersecurity organizations, have referred to the same group as Sofacy Group, Sednit, Pawn Storm, STRONTIUM, Tsar Team, and Threat Group-4127.
In 2014, FireEye, a U.S. network security company, purchased Mandiant for about $1 billion. However, you can still access Mandiant’s APT1 report online by searching for “Mandiant APT1.” You can view the joint report by searching for “JAR-16-20296A Grizzly Steppe.”
