HIPAA Compliance for Medical Practices
62.2K views | +16 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

The data breach payment fight heats up

The data breach payment fight heats up | HIPAA Compliance for Medical Practices | Scoop.it

The spat between retailers and banks over who foots the bill and bears the responsibility following a data breach is ramping up heading into 2015.

A group of retail trade groups on Monday fought back against what they call a misleading survey from the Independent Community Bankers of America (ICBA), which alleged banks are shelling out millions of dollars because retailers can’t secure their networks.

With little legal framework to govern retail data breaches, merchants and banks have spent 2014 bickering about who is at fault in the wake of an attack.

Retailers argue they are victims of malicious attacks, are rapidly improving their security and are calling on banks to quickly adopt the chip-enabled cards, a more secure technology than the current magnetic strip. Banks counter that they are moving toward chip technology, but that it’s helpless given the poor security standards at retailers.

The ICBA survey, released Dec. 18, said community banks had to reissue nearly 7.5 million credit and debit cards at a cost of $90 million in the wake of the massive Home Depot data breach, which exposed 56 million customers’ payment card information.

“We continue to advocate that the costs associated with data breaches be borne by the party that experiences the breach,” ICBA Chairman John Buhrmaster said at the time. “Communities and customers should not suffer for the faults of retailers.”

This statement, and survey in general, contained “inaccuracies and misrepresentations,” said the group of retailers, which included the Retail Industry Leaders Association, the National Retail Federation and the National Restaurant Association.

“ICBA cannot simply dismiss data breaches as a retail problem and refuse to recognize the risk to financial institutions — to do so would be a disservice to your members,” the groups said.

Retailers bear equal or greater costs after a data breach, they argued, pointing to a 2013 Federal Reserve study of debit card fraud.

Banks are also disingenuous about their switch to chip-enabled cards, the retailers said.

“While ICBA supports the movement to embedded-chip technology for credit and debit cards, the organization appears to only do so grudgingly, questioning its efficacy against data breaches,” they said.

Retailers called out ICBA on not committing to chip-and-PIN cards, where a microchip encrypts the credit card info, and the user confirms the purchase by entering an ATM-style PIN number.

Banks have pledged to move by October 2015 to at least chip-and-signature cards, which still has the microchip encryption, but is backed up by a more fallible signature.

“The added security provided when each customer is given a unique personal identification number or PIN has already been shown to make debit card transactions 700 percent safer,” the groups said.

The U.S. is the only major western country in the world that has not adopted chip-based cards.

Many of these liability issues could be resolved through data breach legislation. Congress held multiple hearings throughout 2014 to consider a possible bill to establish minimum data security standards. No serious proposal came close to passage.

An ongoing lawsuit between major U.S. banks and Target could also establish legal precedent for liability in the wake of a cyberattack. A late 2013 Target breach exposed 40 million customers’ payment information and banks are alleging they have not been properly reimbursed for their costs.


more...
No comment yet.
Scoop.it!

Hacked in 2014: The Year of the Data Breach

Hacked in 2014: The Year of the Data Breach | HIPAA Compliance for Medical Practices | Scoop.it

2014 will go down as the year of the data breach, from massive hacks at retail chains to the leaking of celebrity nude photos and not to mention dangerous security vulnerabilities like Heartbleed and ShellShock that had security pros panicking.

A slew of industries like banking, retail, and healthcare have all fallen prey to cyber criminals this year. As the year now winds down, the effects of some of 2014’s most notorious hacking incidents are still being felt and will be for some time. Here are five of the year’s worst data breaches and the huge impact they are having on the state of cybersecurity.


Sony Pictures

The hack at Sony Pictures is the latest breach of the year and by the looks of things, will be the biggest, moving far beyond being an IT issue. A hacker group known as Guardians of Peace, or simply GOP, breached Sony’s internal systems in late November, affecting thousands of employees, several executives and celebrities, leaking as-yet-unreleased films, and demanding the cancellation of the Seth Rogen and James Franco comedy film, The Interview. This fueled rumors that North Korea was behind the attack, an allegation that continues to gather more steam. The hermit kingdom would deny involvement but still called the hacking a “righteous deed”.

However a number of large US theater chains have now dropped the film after one of GOP’s latest messages threatened physical attacks on cinemas screening the film. The number of theaters dropping the film eventually pushed Sony to completely cancel the release of the film.

The fallout continues across the board too as more and more details start to emerge courtesy of GOP, including some actors’ movie paydays as well as a heated email exchange between execs over Angelina Jolie. While Sony has hired security firm Mandiant to clean up the mess, there’s no end in sight for the leaks with each one becoming more and more serious. Sony will need a long time to mend its reputation and relationships, especially when several employees are taking legal action against the company.


Home Depot

Back in September Home Depot suffered a major payment system data breach for which it is still feeling the effects of, now facing 44 lawsuits. All in all 56 million credit card details and 53 million email addresses were stolen in the breach spanning April to September of this year with the company spending $43 million in one quarter to try and tame the breach’s effects.

Staring down 44 lawsuits in the US and Canada, Home Depot is looking at several accusations with one of the central claims being that the company was not complying with data protection standards. Meanwhile its recent regulatory filing added that there may very well be more damage discovered in the breach:“It is possible that we will identify additional information that was accessed or stolen.” On the plus side, people haven’t stopped shopping there as Home Depot still managed to boost its revenues in sales.


JP Morgan Chase

Several retail outlets have been rocked by data breaches this year but so too have financial institutions, for obvious reasons. Throughout the summer, hackers breached the bank, stealing names, email addresses, phone numbers, and addresses with the number tallying over 80 million customers and businesses. At the time, the New York Times called it the “most serious computer intrusions into an American corporation” and added that several other banking businesses were targeted too.

The attack was spread out over two months and stoked fears of wider attacks on the financial industry, which if successful, could yield serious rewards for cyber crooks. As for who was responsible for the attack, that remains unclear but original reports pointed the finger at Russian hacking networks, which has now become a recurring theme in many data breach cases and the talk of whodunit.


Community Health Systems

Healthcare data bases are becoming lucrative targets for cyber criminals too and while there have been several data breaches at facilities around the US, the biggest and most devastating was the August data breach at Community Health Systems. More than 4.5 million people were affected in 200 different hospitals, compromising data such as patient names, addresses, birth dates, phone numbers, and Social Security numbers but CHS insisted that no medical information was lost.

FireEye’s Mandiant, the same security firm now hired by Sony, believes that hackers in China going by the name Dynamite Panda are responsible and are allegedly the same group behind the 2011 RSA data breach.


P.F. Chang’s

The data breach at restaurant chain P.F. Chang’s showed that hackers will target any and all businesses. In August the company reported that payments systems at 33 of its locations were compromised and hackers made off with credit card details, names, and possibly expiration dates. However P.F. Chang’s first noticed something was awry back in June, which led to the investigation.

While this breach didn’t cause the same impact as say Target from last year or Home Depot, the incident raises more question marks over the state of retail data security and payment security as a whole, especially when security firms like McAfee predict that in 2015 point of sale attacks will evolve to become even more dangerous.

If a big company or banking institution were to get stolen from fifty years ago, the average customer could really care less. But when these companies have all of your data and credit card information at their fingertips, the potential for it to fall in the wrong hands is a legitimate problem. Whether it is politically or financially motivated, these corporate data breaches are also all part of the overarching conservation of public data, privacy, and government surveillance that we are having as a country—and it’s one that hasn’t completely played out yet.

In the end, 2014 may not be remembered as the year of the data breach, but rather the first of many. As new mobile payment systems like Apple Pay become more common, the chances for further data breaches and cybersecurity hysteria will no doubt increase. Will an increased focus on cybersecurity really prevent attacks in the future? Will the concerns result in a hesitant attitude toward mobile payment systems that will affect the adoption of the technology? We may not know the answers to these questions as of now, but a year from now, I have a feeling we will.



more...
No comment yet.