HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Pentagon Data Breach Shows Growing Sophistication Of Phishing Attacks


U.S. officials confirmed this week that the Pentagon was hit by a spearphishing cyberattack last month, most likely from Russian hackers, which compromised an unclassified email system.


The attack compromised the information of around 4,000 military and civilian personnel who work for the Joint Chiefs of Staff, a U.S. official confirmed to NBC News. Officials said no classified information was taken, but didn't specify in the report how much or what kind of non-classified information was involved.


The attack occurred around July 25 and was described by officials as a "sophisticated cyberattack." The suspected Russian hackers, who may or may not be connected with the Russian government, used automated social engineering tactics to harvest information from employees' social media accounts and then used that information to craft a spearphishing attack, according to CNN, which first reported the attack.


The news of the breach comes on the heels of the massive Office of Personnel Management (OPM) breach that occurred earlier this year, compromising the personal information of more than 21.5 million federal employees and contractors. While this latest breach was significantly smaller in number of records compromised, it speaks to the growing sophistication of phishing attacks as an entry point from which to move laterally across the network, Unisys Vice President of Security Solutions Tom Patterson said.


"Phishing attacks like this one aimed at the Pentagon’s joint staff are not new. What makes them more effective is the amount of advance knowledge the attackers have in order to trick the recipient into clicking on the link," Patterson said. "With so much personal information now in the wild, attackers are able to create a ‘pattern of life’ on targets which makes phishing attacks such as this one aimed at the Pentagon’s joint staff much more effective."


Patterson said the sophistication in this attack was not the phishing itself, which is fairly common, but the hackers' "clever exfiltration of data."


"The days of the typo-ridden silly emails are long gone. Today's phishing attacks look as real as authentic messages, and are only going to get better," Patterson said.


While it is important for a business to focus on phishing prevention through user education, Patterson said it is becoming clear that enterprises need to put more emphasis on mitigation once the hacker is inside the network, as the "standard pattern of attack" is to gain access through phishing, then escalate privileges and spread laterally. One way to do that, he said, is micro-segmentation, which divides the data center into smaller zones so that security policy can be enforced between them rather than only at the perimeter.


"Enterprises in both government and private sector have begun to shift their defenses inward, understanding that it only takes one of these types of phishing attacks to be successful," Patterson said. "With this new drive toward mitigation, enterprises can use micro-segmentation to survive and manage these inevitable types of attacks."
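The zoning Patterson describes can be checked as a policy before it is pushed to switches or hypervisor firewalls. The following is an added example, not code from the article or from Unisys: a toy east-west policy evaluator with a default-deny allow-list between zones. The zone names, address ranges, ports and flows are assumptions constructed for illustration, and the flat-network mode exists only to show what the phished workstation could reach without segmentation.

```python
"""Toy micro-segmentation policy check (added example, not from the article).
Zone layout, address ranges, ports and sample flows are assumptions."""
import ipaddress
from typing import List, NamedTuple, Optional

# Assumed zone layout: each zone is a set of networks.
ZONES = {
    "workstations": [ipaddress.ip_network("10.10.0.0/16")],
    "web":          [ipaddress.ip_network("10.20.1.0/24")],
    "app":          [ipaddress.ip_network("10.20.2.0/24")],
    "db":           [ipaddress.ip_network("10.30.0.0/24")],
    "backup":       [ipaddress.ip_network("10.40.0.0/24")],
}

# Allow-list of permitted east-west flows: (src_zone, dst_zone, dst_port).
# Anything not listed is denied, including traffic within the same zone,
# so a phished workstation cannot reach its neighbours or the DB tier directly.
ALLOWED = {
    ("workstations", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("app", "backup", 22),
}


class Flow(NamedTuple):
    src: str
    dst: str
    dst_port: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return None


def evaluate(flow: Flow, segmented: bool = True) -> str:
    """Return 'allow' or 'deny' for one flow.

    segmented=False models the flat internal network that micro-segmentation
    replaces: any internal host may talk to any other internal host."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny"  # unknown address: fail closed
    if not segmented:
        return "allow"
    return "allow" if (src_zone, dst_zone, flow.dst_port) in ALLOWED else "deny"


# Constructed flows: the first two are the normal path a user's request takes;
# the remaining three are what an attacker on a phished workstation would try.
FLOWS = [
    Flow("10.10.5.23", "10.20.1.10", 443),   # workstation -> web
    Flow("10.20.1.10", "10.20.2.10", 8443),  # web -> app
    Flow("10.10.5.23", "10.30.0.5", 5432),   # workstation -> db directly
    Flow("10.10.5.23", "10.10.5.24", 445),   # workstation -> neighbour (SMB)
    Flow("10.10.5.23", "10.40.0.9", 22),     # workstation -> backup server
]


def decisions(segmented: bool = True) -> List[str]:
    """Evaluate every sample flow under the chosen network model."""
    return [evaluate(f, segmented) for f in FLOWS]


if __name__ == "__main__":
    for f, seg, flat in zip(FLOWS, decisions(True), decisions(False)):
        print(f"{f.src:>12} -> {f.dst:<12}:{f.dst_port:<5} "
              f"segmented={seg:<5} flat={flat}")
```

The point of the comparison is that the same five flows all succeed on the flat network, while under the zoned policy only the two legitimate hops are permitted; the three lateral-movement attempts from the compromised workstation are denied before they reach a host with patient or personnel data.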


What Data Breaches Now Cost And Why


The actual cost of a data breach is all about industry sector and location, location, location. The healthcare and education sectors incur the highest breach costs of all industries, and breaches in Germany and the US cost victim organizations more than anywhere else in the world. Such incidents in Brazil and India cost the least, according to the new Ponemon Institute 2015 Cost of a Data Breach Study: Global Analysis.

Meanwhile, the average total cost of a data breach worldwide jumped a whopping 23% in 2014 -- to $3.8 million, and the average cost of a stolen record containing sensitive information increased from $145 to $154, an increase of more than 6%. Ponemon attributes those higher numbers in part to the volume of attacks, loss of business or customers, and the amount victim organizations are spending on incident response.


Ponemon also found that the cost of a data breach actually drops when a company's board of directors plays a more prominent role in the wake of a breach or when a company purchases breach insurance. An involved board of directors knocks down the per capita cost of a breach by $5.50, and insurance, by $4.40.


An incident response team cuts the per capita cost by $12.60, while wide use of encryption decreases the cost by $12; training employees, by $8; and business continuity management, $7.10.


"That was a pleasant surprise," says Caleb Barlow, vice president for IBM Security, which commissioned the Ponemon study. "This is as much of a game about being proactive as having good defenses."

On the flip side, the per capita cost of a breach goes up when a third-party organization is part of the breach equation (think Target's HVAC supplier) -- by some $16. Several other factors also contribute to higher cost of a breach, including lost or stolen devices ($9); a "rush" to notification of a breach ($8.90); and hiring consultants to assist in the response process ($4.50).


Canada and Germany are the least likely countries for companies to suffer breaches, while Brazil and France are the most targeted nations of breaches with at least 10,000 data records stolen, according to data gathered for the report from 350 companies around the world.

"Germany is always an outlier in efficiency, strong governance, and certifying … standards," says Larry Ponemon, chairman and founder of The Ponemon Institute. "They are also more likely to invest in encryption," for example, he says.


Canada's compliance orientation and strong data privacy protection is likely a factor in its fewer breaches, he says.


Industry-wise, a stolen healthcare record costs an organization some $363 per record and a stolen education sector record up to $300 per record. For retail, it's $165 per record, up from $105 in 2014, mainly due to the rash of breaches in that industry. Transportation ($121) and the public sector ($68) incur the lowest cost per stolen record.


Barlow says the dramatic difference in the cost of a stolen record in healthcare versus other industries reflects the long shelf life of the data in those records, such as Social Security numbers and other personal information. "The long-term implications are significant," Barlow says. "It could be a problem 15 years down the road," for example, he says.

"This really underscores how you need to separate identity and access: SSNs are about identity and shouldn't be used for access. The problem is they're being used for both," Barlow says.


In the US, the cost per stolen record is $217 and in Germany, $211. The total cost of a data breach is an average of $6.5 million in the US and $4.9 million in Germany. Brazil and India were on the other end of the spectrum, with the average cost per record at $78 in Brazil and $56 in India. The average cost of a breach to an organization in Brazil was $1.8 million and in India, $1.5 million.


Why the much lower numbers in Brazil and India? "A lot of the costs are indirectly or directly related to labor costs: in India and Brazil, there are lower costs for labor, such as assembling a forensic team" as well as associated economic factors, says Larry Ponemon.


Meanwhile, the report says there are three main drivers for the continued rise in the cost of a breach: the number of attacks continue to increase, with the associated costs to clean up; the financial fallout of lost customers is adding to the breach cost; and victim organizations are spending more on forensic investigations, assessments, and incident response team management.


Cybercrime and malicious insider attacks are the most costly, the report found, at a price of $170 per stolen record versus $142 for system glitches and $137 for human error. It takes an average of 256 days to spot a data breach caused by a malicious attack, and 158 days to catch one caused by human error, the report found. "We kind of already know that about 80% of all attacks come from organized crime," IBM's Barlow says. "They're probably better-funded than your own IT security team."


Unencrypted Devices Still a Breach Headache


While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit - the loss or theft of unencrypted computing devices - is still putting patient data at risk.

Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services' "wall of shame," which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.


That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.


The incident occurred on Feb. 3 while ISMA's IT administrator was transporting the hard drives to an offsite storage location as part of ISMA's disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group's request to comment on the breach, citing that there are "ongoing civil and criminal investigations under way."


A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year's worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.


Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:


  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.


Many smaller breaches affecting less than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The theft or loss of an encrypted computing device is not a reportable breach under HIPAA, so long as the decryption key was not compromised along with it. That's why security experts express frustration that the loss and theft of unencrypted devices remains a common breach cause.


"It is unfortunate that [encryption] is considered an 'addressable' requirement under HIPAA, as many people don't realize that this does not mean optional," says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.


Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.
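Whether a device actually qualifies for the safe harbor is a factual question about the storage it carries, and it is worth checking before a laptop or backup drive leaves the building, as in the ISMA incident above. The following is an added example, not code from the article or from HHS: it audits the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` produces on a Linux host and flags any mounted filesystem that is not stacked on a dm-crypt (LUKS) layer. The JSON below is constructed to mimic that output; the device names and mountpoints are assumptions, and the script assumes LUKS/dm-crypt is the encryption in use (a BitLocker or FileVault host needs the platform's own status command instead).

```python
"""Audit an lsblk JSON dump for mounted filesystems on plaintext storage
(added example, not from the article). SAMPLE_LSBLK_JSON is constructed to
mimic `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; names are assumptions."""
import json
from typing import Dict, Iterator, List, Tuple

SAMPLE_LSBLK_JSON = """
{ "blockdevices": [
  {"name":"sda","type":"disk","fstype":null,"mountpoint":null,"children":[
     {"name":"sda1","type":"part","fstype":"vfat","mountpoint":"/boot/efi"},
     {"name":"sda2","type":"part","fstype":"crypto_LUKS","mountpoint":null,"children":[
        {"name":"luks-root","type":"crypt","fstype":"ext4","mountpoint":"/"}
     ]}
  ]},
  {"name":"sdb","type":"disk","fstype":null,"mountpoint":null,"children":[
     {"name":"sdb1","type":"part","fstype":"ext4","mountpoint":"/mnt/backup"}
  ]}
]}
"""

# Mountpoints that are expected to be plaintext even on an encrypted host,
# because the boot loader must read them before any key is available.
PLAINTEXT_OK = {"/boot", "/boot/efi"}


def _mountpoints(node: Dict) -> List[str]:
    """util-linux >= 2.37 emits "mountpoints": [...]; older versions emit
    a single "mountpoint". Accept both and drop nulls."""
    mps = node.get("mountpoints")
    if mps is None:
        mps = [node.get("mountpoint")]
    return [m for m in mps if m]


def walk(node: Dict, under_crypt: bool = False) -> Iterator[Tuple[str, str, bool]]:
    """Yield (device, mountpoint, encrypted) for every mounted filesystem.

    encrypted is True when this node or any ancestor is a dm-crypt mapping,
    i.e. the bytes on the physical disk are ciphertext."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    for mp in _mountpoints(node):
        yield node["name"], mp, under_crypt
    for child in node.get("children", []):
        yield from walk(child, under_crypt)


def unencrypted_mounts(lsblk_json: str) -> List[Tuple[str, str]]:
    """Return (device, mountpoint) pairs that hold data on plaintext storage."""
    tree = json.loads(lsblk_json)
    findings = []
    for dev in tree["blockdevices"]:
        for name, mp, enc in walk(dev):
            if not enc and mp not in PLAINTEXT_OK:
                findings.append((name, mp))
    return findings


def ok_to_transport(lsblk_json: str) -> bool:
    """The safe-harbor question: does every data volume sit on encrypted storage?"""
    return not unencrypted_mounts(lsblk_json)


if __name__ == "__main__":
    for dev, mp in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {dev} mounted at {mp}")
    print("ok to transport:", ok_to_transport(SAMPLE_LSBLK_JSON))
```

In the constructed sample the root filesystem passes because it sits on a `crypt` mapping, while the external backup drive at `/mnt/backup` is a plain ext4 partition and is reported. Run on a live host, `unencrypted_mounts(subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"]).decode())` gives the same answer. The check says nothing about where the passphrase or key file lives; a drive that travels with its key written on it, or a laptop left unlocked as Borten notes below, gets no safe harbor regardless of what lsblk reports.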


Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he expects to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by its failure to manage the mobile devices on which its employees stored or accessed electronic protected health information.


"Install encryption on laptops that handle PHI," he advises. "Don't store patient information on a smartphone or other mobile device."

Concerns about the cost and complexity of encryption are unfounded, Berger contends, because encryption has become more affordable and the process has been made easier.


"There have been arguments that encrypting backup media sent offsite is technically problematic," says privacy and security expert Kate Borten, founder of the consultancy The Marblehead Group. "While it's true that encryption can add overhead, this has become a weaker argument in recent years."


But Borten acknowledges that organizations must look beyond encryption when safeguarding patient information. "Encryption is not a silver bullet," she notes. "For example, if a user leaves a laptop open, the otherwise-encrypted hard drive is accessible. But for portable devices and non-paper media, there is no equivalent security measure."


Borten notes that the most common reason cited for a lack of device encryption is a lack of adequate support and resources for overall security initiatives. "While all an organization's laptops might be encrypted - the easy part - there are mobile devices running on multiple platforms and personally owned devices and media that are harder to control," she notes. "It takes management commitment as well as human and technical resources to identify all those devices and bring them under the control of IT."

Room for Improvement

The 2015 Healthcare Information Security Today survey of security and privacy leaders at 200 healthcare entities found that encryption is being applied by only 56 percent of organizations for mobile devices. The survey, conducted by Information Security Media Group in December 2014 and January 2015, found that when it comes to BYOD, about half of organizations require encryption of personally owned devices; nearly half prohibit the storage of PHI on these devices. Only 17 percent of organizations say they don't allow BYOD.


Complete results of the survey will be available soon, as well as a webinar that analyzes the findings.


"Personally owned devices are definitely the Achilles heel," Berger says. "Healthcare organizations have to address BYOD head-on. It is a complicated and thorny issue, but 'looking the other way' is not an acceptable approach. We recommend clear decisions regarding acceptable use, reflected in policy and backed up by enforcement," he says.


"We have also seen [breaches] happen when an organization makes the decision to encrypt but then has a long roll-out plan and the lost/stolen devices had yet to be encrypted," he adds.

Steps to Take

To help reduce the risk of breaches involving mobile computing devices, Berger says organizations should make sure they have a mobile device use policy that's "clear, comprehensive and well-understood. We suggest calling it out as a separate policy that must be signed by employees. Back up policy with ongoing security awareness training and strong enforcement."


In addition, OCR advises covered entities and business associates to make use of guidance it has released with its sister HHS agency, the Office of the National Coordinator for Health IT. OCR also offers free online training on mobile device security.



House Passes Cybersecurity Bill After Companies Fall Victim to Data Breaches


Responding to a series of computer security breaches in government and the private sector, the House passed an expansive measure Wednesday that would push companies to share access to their computer networks and records with federal investigators.


The bill, which came after years of false starts and bitter disappointment for the Obama administration, is similar to a measure approved by the Senate Intelligence Committee and headed for that chamber’s floor this spring. The House measure, already largely embraced by the White House, passed, 307 to 116.

Should the House and Senate come together on final legislation, it would be the federal government’s most aggressive response yet to a spate of computer attacks that helped sink a major motion picture release by Sony Pictures Entertainment, exposed the credit card numbers of tens of thousands of customers of Target stores and compromised the personal records of millions of people who did business with the health insurer Anthem.

“The gravity of the emergency we have in cyberspace is setting in with lawmakers,” said Paul Kurtz, who worked on the issue in the Clinton, Bush and Obama administrations, and is chief executive of TruStar, which aids companies in information sharing. “They now understand that companies can no longer fight the bad guys individually.”

The House bill would provide legal liability protections for companies that share cyberthreat information with each other or with the government. But negotiators also added what they see as critical privacy protections.

If a company shares information with the government, it would receive liability protection only if its data undergoes two rounds of scrubbing of personal information: once by the company before it gives the data to the government, and again by the government agency that receives the data. Many experts believe that liability protection is critical in getting companies to participate.

“Liability protection is something needed to help companies share,” said Sarah Beth Groshart, director of government affairs at the Information Technology Industry Council. “And only Congress can provide that.”



Policing the nation’s computer networks has been complicated over the last decade by objections from Republicans to the burdens placed on the private sector, and by members of both parties arguing for more stringent privacy protection.

The 2013 exposure of the government’s extensive surveillance programs into American lives through the leak of classified documents by Edward Snowden further muddied an agenda that many national security experts insisted was critical to preventing large scale cyberattacks on American infrastructure and businesses. Further, jurisdiction for cybersecurity snaked over an array of congressional committees, making unified legislation at times difficult.

Lawmakers have been grappling with cybersecurity legislation since 2012, when a bipartisan Senate effort twice failed over business concerns that the legislation was putting too onerous a burden on the private sector.


Leon E. Panetta, who was defense secretary at the time, and intelligence leaders implored lawmakers to shrug off the furious opposition of the U.S. Chamber of Commerce, but lawmakers were not persuaded.

A House effort in the last Congress mustered strong opposition from the White House, which was concerned about jeopardizing the privacy rights of consumers.

But since then, a series of cyberattacks has changed the political equation. The attack on Sony Pictures — Mr. Obama blamed North Korea for the attack — thwarted the wide release of a comedy portraying the assassination of North Korea’s leader, Kim Jong-un.

Early this year, Anthem reported a major breach that exposed the records of nearly 80 million people. Just last week, Target agreed to reimburse MasterCard $19 million for losses associated with the theft of 40 million credit and debit card numbers from its computer network in December 2013.

“We are under attack as I speak,” said Representative Dutch Ruppersberger, Democrat of Maryland. “To do nothing is not an option.”

Privacy advocates continued to express anger over the legislation Wednesday on the House floor, creating unlikely alliances between some conservatives and left-leaning members.

“We’ve seen before that the federal government has a poor track record of safeguarding our information when entrusted with it,” said Representative Jared Polis, Democrat of Colorado, on the House floor. “The last thing we should be doing” is empowering them with more information access, he said. His comments were echoed by Representative Darrell Issa, Republican of California. “Since 9/11 the government has begun to know more and more about what we are doing, where we are, where we sleep, who we love,” he said, while consumers “have known less and less.”

At the same time, some feel the bill does not go far enough on national security. “I do believe we will see a cybersecurity bill enacted and signed into law,” said Senator Susan Collins, Republican of Maine, who has worked on the issue for years. “But it won’t be as strong as it should be to protect critical infrastructure.”

However, security experts said that the government would benefit from the information sharing as well. “The net effect of this legislation will be positive on the national security side and the economic security side,” said Mr. Kurtz.

The White House issued a statement on Tuesday that commended the effort in the House but did raise concerns about the liability protections offered to private companies in the House bill, raising fears that they would be so sweeping that they might backfire and prevent companies from reporting cyberthreats.

Privacy changes in the bill won over Representative Adam Schiff, Democrat of California and ranking member on the House Intelligence committee, who opposed it last year, and both parties expect the president to come along as well.

The timing for passage of the Senate version of the bill may be impeded by time-consuming amendments. That chamber is already snarled over a bill that would give Congress more say in a nuclear deal with Iran and a major trade measure. The Highway Trust Fund is nearly broke and requires legislative action before the end of the month, and a national security program at issue also requires renewal.

Indeed, some Republicans are concerned that the bill could become a vehicle for a debate about broader national security and privacy matters. Senator Dianne Feinstein, Democrat of California and ranking member on the Senate Intelligence Committee, said Wednesday she was confident that a bill would be passed and conferenced successfully with the House. “What matters is that we get it up,” she said.



Don't wait to be a data breach victim – take preventive measures now


February was Data Privacy Month, and though it may be behind us, consumers would be smart to consider every day as Data Privacy Day. From Anthem to Target and Otto Pizza to The Works Bakery Cafe, data breaches are becoming increasingly prevalent in Maine and across the country.


Legislative leadership in Maine is concerned with the financial security of our residents, particularly our older population. In 2013, the Maine Legislature passed a joint resolution recognizing Jan. 28 as Data Privacy Day, joining the many states and 28 countries that have made similar resolutions.


The resolution encourages all members of the community to learn about data privacy, the specific steps one can take to protect the privacy of their personal information, and to discuss data privacy with vulnerable citizens throughout Maine. It also calls upon businesses and agencies to better protect the privacy and security of their customers’ sensitive information.


In light of existing vulnerabilities in data security, the American Bankers Association has pushed Congress to pass data security legislation that holds retailers and others to higher and more consistent standards in order to safeguard customer information.


Last month in Maine, the Insurance and Financial Services Committee heard testimony regarding legislation that AARP Maine, a Maine Fraud Prevention Alliance member, introduced to amend the state’s credit freeze law to reduce the cost of a freeze to Mainers.


Fellow alliance member Jane Carpenter, CEO of Maine Identity Services, LLC, testified at the public hearing, and the Maine Council on Aging and the University Credit Union submitted written testimony. This bill, L.D. 382, is sponsored by Sen. Rodney Whittemore, R-Skowhegan.

A credit freeze is one of the best ways consumers can protect themselves from identity theft. Currently, it costs Mainers $10 to freeze credit with each of the three credit bureaus; $30 total. Freezing credit files protects this sensitive information and helps to prevent identities from being stolen.


The fee is waived for identity theft victims who can provide a copy of a police report, investigative report or complaint to a law enforcement agency. L.D. 382 would eliminate the fees, making this tool more accessible.


Considering the importance of keeping one’s data and credit safe, we encourage all Mainers to be proactive. Many individuals are unaware of a data breach until they are contacted by their bank or credit union. However, just by carefully monitoring monthly bank and credit card statements, consumers are more likely to spot a problem.


According to Carpenter, of Maine Identity Services, there are no guarantees that a hacker can be stopped from using your information once they have obtained it. Carpenter estimates that as many as 750,000 Mainers have become victims of identity theft over the last 18 months, yet by reacting quickly when you first learn about a breach, you can help decrease the chance of becoming a victim of this crime.

Along with initiating a credit freeze, there are other preventative measures one can take. Specifically, the Maine Fraud Prevention Alliance developed the “DASH Fraud” program, whose acronym is based upon four easy-to-remember measures to prevent fraud and protect information:


  • DELETE unsolicited emails and texts – no financial services company will ask for personal information via email. Never click on links; instead, go directly to websites by typing in the known Web address.
  • ASK for permits from door-to-door salespeople – anyone involved in transient selling must have a permit. If in question, call your local municipality or law enforcement.
  • SHRED personal information and documents, as well as junk mail – including pre-approved credit offers and prize offerings.
  • HANG UP on unsolicited calls – many calls involve “claiming a prize,” wiring money or confirming personal information. If it appears legitimate, get the name and phone number of the company and conduct research. Never give personal information to a stranger.

Individuals can also sign up to receive free “Watchdog Alerts” through AARP’s Fraud Watch Network to stay up to date on the latest scam alerts – go to aarp.org/fraudwatchnetwork, which offers excellent resources and prevention tips.


We encourage everyone to take the necessary steps to protect their personal data. We also urge our legislators to support L.D. 382 to eliminate the current credit freeze costs, which will arm Maine residents with a more accessible way to protect their identities.



BYOD and cloud are top data breaches and malware risks, survey shows


With the influx of personal devices in the workplace and the unprecedented risk of data breach and malware, tightening IT security at a company can seem like a daunting task. Just how difficult of a task is it? What are the biggest security risks and what are the top minds in IT considering to combat them?




Wisegate, a crowdsourced IT research company, surveyed hundreds of its senior IT professional members to find out. Earlier this year, we shared with CSO readers that a lack of security metrics and reporting was undermining IT security programs. Now, we’ll take a look at what those top security risks are.


Data breaches and malware are at the top

In an unsurprising response to a poll that asked IT professionals to name their top three security risks, 32 percent of respondents named data breaches and malware as their top threats. Over half (51 percent) of respondents listed not only data breaches and malware, but also insider and outsider threats, BYOD management and security, and advanced persistent threats among their companies’ top risks.

While data breaches and malware are not new risks to the industry, we wanted to get to the bottom of what technology and business trends are causing this concern over malware and information leaks.


Trends impacting security programs: BYOD and cloud

When asked to identify the trends that most impact their security programs, IT professionals revealed that the malware threat and its associated data breach risk is likely to get worse over the coming years specifically because of these trends:

  • The continuing evolution of BYOD practices 

  • Increasing adoption of cloud technology, both public and private 



Required BYOD


What we’ll see is a world where employers will actually require people to bring and use their own devices. Most companies already provide staff with equipment, and many currently tolerate BYOD. The trend will continue until eventually companies will choose to make the personal devices employees already use official.


But this leads to a tension between company and personal information held on the same device. The company will need to protect its own data, but the personal data will be in conflict with any device monitoring that the company does. In short, there is potential for a ‘Big Brother’-inspired backlash from employees. However, the savvy security team will earn the user’s trust by demonstrating that the company can only monitor the corporate data, and not only doesn’t, but cannot, monitor anything else.


There is a strong argument for shying away from BYOD and using the cloud to defend against malware-driven breaches of sensitive data: it is harder to infect the cloud than it is to infect an individual endpoint. But there is also a scale issue. If an attacker manages to infect the cloud, he could potentially affect many more customers and much larger datasets. The weakness in cloud security is less the cloud itself and more how the cloud is used. This is an aspect of one of the biggest challenges in IT security: the difference between something working correctly and something working correctly and securely. This affects everything from malware prevention to proprietary apps, open source software, and websites.


The future of IT security is data security—not device security

When asked what infrastructure security controls would be prioritized over the next few years, nearly a third of respondents—32 percent—named information protection and control as their top priority. Web application firewall wasn’t far behind, with 26 percent naming this as a top priority.




This suggests a shift in emphasis from protecting devices to protecting applications and the data itself. Firewalls are now application firewalls rather than trusted-network firewalls. If the top security controls are designed to protect the data itself, then even when sensitive information is exfiltrated it can remain useless to the attacker, provided the encryption keys or tokenization vault were not taken along with it.


What next?


Faced with the impossibility of defending against malware attacks in the new cloud/BYOD paradigm, security teams are engaged in a massive shift from protecting devices to protecting data. Stay tuned for our breakdown of this new paradigm, data-centric security, in a future CSO article. We'll take a deeper dive into the idea that if the data itself is safe, it doesn't matter if there is a breach.


more...
No comment yet.
Scoop.it!

Two More Health Insurers Report Data Breach


Today, medical insurance providers LifeWise and Premera Blue Cross each reported, separately, that they had been the target of sophisticated cyberattacks that began on May 5, 2014. Premera will be notifying approximately 11 million affected customers; LifeWise, 250,000. Neither organization has evidence that any customer data has been used fraudulently, and neither has yet confirmed that any patient data was in fact compromised.

They say attackers "may have gained unauthorized access to" members' information, including name, date of birth, Social Security number, mailing address, email address, telephone number, member identification number, bank account information, and claims information, including clinical information.

Individuals who do not have medical insurance through these companies, but do other business with them, might have had their email addresses, banking data, or Social Security numbers exposed.  

These attacks, when combined with the Anthem Healthcare breach reported last month and the Community Health Systems breach in the summer, clearly indicate that health insurance providers have become a popular new target -- and Chinese cyberespionage groups are being implicated.

Anthem first detected suspicious activity Jan. 27 and confirmed on Jan. 29 that an attack had occurred, over the course of several weeks in December 2014.

LifeWise and Premera also say they discovered their breaches Jan. 29 -- possibly as a result of Anthem sharing information about their own intrusion with HITRUST's Cyber Threat Intelligence and Incident Coordination Center. However, after investigations by Mandiant -- the same organization conducting the investigation at Anthem -- both Premera and LifeWise report that their first intrusions occurred several months earlier, in May.

Both Premera and LifeWise are providing two years of free credit monitoring and identity theft protection to affected individuals. More information is available at premeraupdate.com and lifewiseupdate.com.



US cops charge suspects in 'world's largest data breach'


US law enforcement has charged three men believed to have been behind "the largest data breach in US history".

The US Department of Justice (DoJ) reported charging Vietnamese citizens Viet Quoc Nguyen, 28, and Giang Hoang Vu, 25, and Canadian citizen David-Manuel Santos Da Silva, 33.

The charges allege that Nguyen hacked into and stole confidential information from at least eight US email service providers between February 2009 and June 2012.

The information included over one billion email addresses from the companies' marketing departments, and was listed by the DoJ during a Congressional inquiry in June 2011 as the largest data breach in US history.

Vu reportedly helped Nguyen use the stolen information to send "tens of millions" of malicious spam messages.

Da Silva, who was also indicted by a federal grand jury on 4 March 2015 for conspiracy to commit money laundering, reportedly helped Nguyen and Vu to monetise the scheme and hide incoming revenue.

Vu was arrested by Dutch law enforcement in 2012 and extradited to the US in March 2014. He pleaded guilty to conspiracy to commit computer fraud in February and is scheduled to be sentenced on 21 April.

Da Silva was arrested at Fort Lauderdale-Hollywood International Airport on 12 February, and is scheduled to be arraigned on 9 March in Atlanta. Nguyen remains at large.

US assistant attorney general Leslie R. Caldwell listed the charges as a major step in bringing "international" cyber criminals to justice.

"These men, operating from Vietnam, the Netherlands, and Canada, are accused of carrying out the largest data breach of names and email addresses in the history of the internet," said Caldwell.

"The defendants allegedly made millions of dollars by stealing over a billion email addresses from email service providers. This case again demonstrates the resolve of the DoJ to bring accused cyber hackers from overseas to face justice in the US."

Reginald Moore, special agent in charge of the US Secret Service Atlanta Field Office, explained that the charges prove the need for increased collaboration between departments when combating cybercrime.

"Our success in this case and other similar investigations is a result of our close work with our law enforcement partners," he said.

"The Secret Service worked closely with the DoJ and the FBI to share information and resources that ultimately brought these cyber criminals to justice.

"This case demonstrates that there is no such thing as anonymity for those engaging in data theft and fraudulent schemes."

The charges have been welcomed by members of the security community. Imperva CTO Amichai Shulman said he expects the move to set off alarm bells in cybercrime circles.

"I think the most important lesson here is that law enforcement agencies are able to point out specific individuals involved in specific acts of cybercrime even when they are in distant locations around the globe," he said.

"My belief is that, if enough resources are put up against small breaches as well as large breaches in a ‘zero tolerance' policy against cyber violation, we'd see the number of attacks decrease significantly over a short period of time."

Mark James, security specialist at ESET, hopes to see similar operations in the near future.

"Hopefully this will turn out to be a success and will go on to many more cases showing that the fight against cybercrime is not always a losing battle," he said.

The latest developments come during a global push by law enforcement to combat cyber crime.



HIPAA needs a makeover | mHealthNews


The pace of mHealth innovation shows no signs of slowing down. New technologies are not only improving the lives of patients, but also empowering clinicians. However, healthcare is a highly regulated space dominated by major vendors, and it is vital that the regulatory environment keep up with the changing world. Specifically, it’s time for the Department of Health and Human Services to take a fresh look at the Health Insurance Portability and Accountability Act (HIPAA) to ensure it better fits today’s mobile world.

Current HIPAA guidelines – while critical – need to be revised to support smaller companies that can transform the space. Leading app developers across the industry are working together to seek clearer guidelines that will encourage innovation. The App Association recently joined with AirStrip, CareSync and other mHealth companies urging government representatives to look at this issue so we can better align our practices with theirs and together work towards the goal of improved patient care.

We recommend:

1. Make existing regulation more accessible for tech companies

Information on HIPAA is still mired in a Washington, D.C. mindset that revolves around reading the Federal Register or hiring expert consultants to "explain" what should be clear in the regulation itself. Not surprisingly, app makers do not find the Federal Register to be an effective resource when developing health apps.

Additionally, there are limited user-friendly resources available for app developers, who are mostly solo inventors or small groups of designers, not large companies with the resources to easily hire counsel or consultants who can help through the regulatory process.

Proposed solution: HHS must provide HIPAA information in a manner that is accessible and useful to the community who needs it. The agency should draft new FAQs that directly address mobile developer concerns.

2. Improve and update guidance from OCR on acceptable implementations

The current technical safeguards documentation available on the hhs.gov website is significantly out of date. Without new documentation that speaks to more modern uses, it will be difficult for developers to understand how to implement HIPAA in an effective way for patients.

Proposed solution: HHS and the OCR must update the "Security Rule Guidance Material" and provide better guidance regarding mobile implementations and standards – or examples of standard implementations that would not trigger an enforcement action – instead of leaving app makers to learn about these through an audit.

3. Improve outreach to new entrants in the healthcare space

Some of the most innovative new products in the mobile health space are coming from companies outside the traditional healthcare marketplace. Yet HHS appears attached to ‘traditional’ healthcare communities.

Proposed solution: In order to ensure the expansion of innovative new technologies, it is essential that HHS, the OCR and others expand their outreach to the communities that are driving innovation.

These issues are critical to the mobile health economy. By working more closely together, we can create a regulatory environment that encourages innovation in this life-changing marketplace.



Anthem health insurance hack exposes data of over 80 million


Hackers have accessed millions of customer and employee records from US-based health insurance firm Anthem, including names, addresses and Social Security numbers. The database that was accessed held details for roughly 80 million people, but Anthem, the second biggest insurer in the country, believes the hack likely affected a fraction of those, in the "tens of millions". Its Chief Information Officer said the company did not yet know how the hackers were able to pull off the attack. In a statement on Anthem's site, CEO Joseph Swedish said the company was the target of "a very sophisticated external cyberattack" -- although medical and financial details were apparently not breached.

Notably, the company chose to disclose the attack just days afterwards, even as its internal investigation continues. It also detected the breach itself, something that doesn't happen as often as it should. The health insurer is the latest in a list of big companies targeted by a cyberattack, including the likes of Target, Sony, eBay and Home Depot. Anthem plans to reach out to everyone whose information was stored in the hacked database through letters and email.



FTC suggests stronger data privacy law, HIPAA not enough for health data

This week the Federal Trade Commission published a report focused on privacy and security issues related to the massive Internet of Things (IoT) trend, which includes the growing number of connected health devices. The report summarizes the discussions that took place at an FTC-hosted workshop in November 2013, and it also includes recommendations for the industry from FTC’s staff, which they put together based on the workshop’s discussion.

The workshop’s health panel included five people: Scott Peppet, a professor at the University of Colorado Law School; Stan Crosley, director of the Indiana University Center for Law, Ethics, and Applied Research in Health Information, and counsel to Drinker, Biddle, and Reath; Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology; Jay Radcliffe, a senior security analyst for InGuardians; and Anand Iyer, president and COO at WellDoc. A full transcript of the entire workshop can be found here (PDF) — the health-related discussion starts on page 164.

Notably, one FTC Commissioner — Jeffrey Wright — filed a dissenting opinion and argued that the FTC should not have published recommendations for IoT companies based on one workshop and public comments.

“If the purpose of the workshop is to examine dry cleaning methods or to evaluate appliance labeling, the limited purpose of the workshop and the ability to get all relevant viewpoints on the public record may indeed allow the Commission a relatively reasonable basis for making narrowly tailored recommendations for a well-defined question or issue. But the Commission must exercise far greater restraint when examining an issue as far ranging as the ‘Internet of Things’ – a nascent concept about which the only apparent consensus is that predicting its technological evolution and ultimate impact upon consumers is difficult. A record that consists of a one-day workshop, its accompanying public comments, and the staff’s impressions of those proceedings, however well-intended, is neither likely to result in a representative sample of viewpoints nor to generate information sufficient to support legislative or policy recommendations,” Wright wrote.

He goes on to argue that the FTC should have conducted a rigorous cost-benefit analysis before offering its recommendations, rather than merely acknowledging in passing that the recommendations would carry potential costs and benefits.

The report notes that, in general, IoT brings up a number of security risks for consumers.

“IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions. Others noted that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.”

Some of the FTC staff's recommendations include a push for Congressional action on general data security regulation, not specific to IoT, and a broad-based approach to privacy legislation: “Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices,” they write.

While it is pushing for a broad-based law, the agency specifically cited health-related data and that HIPAA doesn’t cover all health-related data.

“Workshop participants discussed the fact that HIPAA protects sensitive health information, such as medical diagnoses, names of medications, and health conditions, but only if it is collected by certain entities, such as a doctor's office or insurance company,” they wrote. “Increasingly, however, health apps are collecting this same information through consumer-facing products, to which HIPAA protections do not apply. Commission staff believes that consumers should have transparency and choices over their sensitive health information, regardless of who collects it. Consistent standards would also level the playing field for businesses.”

Data breach costs now average $154 per record


According to a report released this morning by IBM and the Ponemon Institute, the per-record cost of a data breach reached $154 this year, up 12 percent from last year's $145.


In addition, the average total cost of a single data breach rose 23 percent to $3.79 million.



Loss of business was a significant, and growing, part of the total cost of a data breach. Higher customer turnover, increased customer acquisition costs, and a hit to reputation and goodwill added up to $1.57 million per company, up from $1.33 million the previous year, said Ponemon Institute chairman and founder Larry Ponemon.

Ponemon analyzed results from 350 companies in 11 countries, each of which had suffered a breach over the past year.


Data breach costs varied dramatically by industry and by geography.

The US had the highest per-record cost, at $217, followed by Germany at $211. India was lowest at $56 per record.


Sorted by industry, the highest costs were in the health care industry, at an average of $363 per record.


The reason, said Caleb Barlow, vice president at IBM Security, is that the information in a medical record has a much longer shelf life than, say, a credit card number.


"With credit cards, the time frame from the breach to mitigation is very short," he said.


The credit card company just has to cancel the old credit card number and issue a new one.


"But the health care record can be used to establish access in perpetuity," he said, pointing out that health care records include a wealth of personal information as well as social security numbers and insurance numbers.


"It can be used to establish credit or steal your identity ten or fifteen years from now," he said. "Once this information is out there, you can't get the genie back in the bottle."


And that doesn't even include the costs of health care fraud, he added.


Factors that can impact breach costs


The Ponemon report looked at a number of other factors that could potentially influence the cost of a breach, and, unlike industry or geography, many of these factors were under management control.

For example, having an incident response team available ahead of time reduced the per-record cost by $12.60. Using encryption extensively reduced costs by $12. Employee training reduced costs by $8.


If business continuity management personnel were part of the incident response team, costs fell by $7.10. CISO leadership lowered costs by $5.60, board involvement lowered costs by $5.50 and cyberinsurance lowered costs by $4.40.


"Companies that have thought about this ahead of time, that had their board involved, that had insurance protection, that had practiced what they would do, they had a much lower cost per breach," said Barlow. "This is really compelling. We have tangible evidence that those who were doing that had much lower costs. You don't have days to respond -- you don't even have hours. You have minutes to get your act together."


Among the factors that increased costs was the need to bring in outside consultants, which added $4.50 per record. Lost or stolen devices increased costs by an average of $9 per record.

And the single biggest factor was if a third party was involved in the cause of a breach. That increased the average per-record cost by $16, from $154 to $170.


Costs rise with time


Ponemon found a positive relationship between the time it took to identify a breach and the total cost of the breach, as well as between the time it took to mitigate the breach and the cost.


On average, it took respondents 256 days to spot a breach caused by a malicious attacker, and 82 days to contain it.


Breaches caused by system glitches took 173 days to spot and 60 days to contain. Those caused by human error took an average of 158 days to notice, and 57 days to contain.


Data breaches cost an average of US$3.8M: Study


The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday.


The total average cost of a data breach is now US$3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.


The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.


Data breaches are becoming more common and significant, with high-profile attacks on Sony Corp, JPMorgan Chase and retailers Target Corp and Home Depot Inc in the past year and a half.


"Most of what's occurring is through organized crime," said Caleb Barlow, vice president of IBM Security. "These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot of people who are trying to defend against them."

IBM, which sells cybersecurity services to companies, has a vested interest in highlighting the costs of data breaches.


The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.


The study's authors said average costs did not apply to mega-breaches affecting millions of customers, such as those suffered by JPMorgan Chase, Target and Home Depot, which cost the companies far greater sums. Target alone said last year its breach cost $148 million.


The study found that the health care industry was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the $154 average for all sectors.


That reflects the relatively high value of a person's medical records on the underground market, said IBM, as Social Security information is much more useful for identity theft than simple names, addresses or credit card numbers.


How responsible are employees for data breaches and how do you stop them?


Data breaches have very quickly climbed the information security agenda and that includes the data breach threat posed by employees and IT professionals.

Now a new report says the insider problem is far worse than previously imagined. The Verizon Data Breach Investigations Report claims that 14% of breaches are due to insiders, and that's not counting the further 12% of breaches that come from IT itself.

Examining the motives of employees with malicious intent, the Verizon report identified two main reasons insiders choose to cause so much trouble:

  1. They are looking for financial gain, perhaps via selling confidential data; or
  2. It’s an act of revenge by disgruntled workers or angry ex-employees who still have network privileges.


On the other hand, CompTIA, an association representing the interests of IT resellers and managed service providers, has a far different point of view. It says more than half of all breaches – some 52% – are due to human error or malice, and the rest arise from technology mistakes. Research from the SANS Institute reaches the same conclusion – employee negligence is a huge source of data breaches. Social engineering is one such element, so this once again shows the importance of training employees in basic IT security.

According to CompTIA, technical solutions are not enough. IT vigilance is always necessary as too many organisations don’t even know there is an insider threat. Resigning yourself to the fact that the human error factor is a problem with no solution is neglectful, especially when it accounts for such a high percentage of breaches. Ultimately, employees are the strongest security layer. Of course, it is just as important to make sure all updates and patches are installed, firewalls are turned on and anti-malware is up to date.

Organisations also need to consider adding tools that can spot and stop data leakage amongst other breaches. Email security too is a top measure to take as many breaches and leaks come through or from the employee’s inbox.

What precautions can you take?

But what should an organisation do when users, whose roles require access to sensitive data, misuse that access? What precautions can they take to reduce both the risk of this happening, and the damage that can result from insider activity?

There is no single answer to these questions, and there is no silver bullet that can solve the problem. A layered approach that includes policy, procedure and technical solutions is the right approach to take. GFI Software has identified 10 precautions in particular that organisations should consider.

1. Background checks

Background checks should be carried out on every employee joining the organisation, even more so if those employees will have access to privileged data. While not foolproof (Edward Snowden had security clearance) they can help to identify potential employees who may have a criminal record or had financial problems in the past. They may also uncover some details of their employment history that bear closer inspection and further checks.

2. Acceptable Use

Acceptable Use Policies (AUP) do more than simply define what users should and should not do on the Internet. They also define what is acceptable and unacceptable when using customer and business proprietary data. While it will not stop those with clear intent, it will warn employees that there are consequences if they are caught including disciplinary action and possibly dismissal.

3. Least Privilege

The principle of least privilege states that users should be granted only the minimum access necessary to do their jobs. This applies both to administrative privileges and to access to data. By limiting access, the damage an insider can cause is limited as well.

4. Review of Privileges

Users’ access to systems and data should be reviewed regularly to ensure that such access is appropriate and is also still required. As users change roles and responsibilities, any access they no longer need should be revoked.

5. Separation of Duties

When possible, administrative duties should be divided up so that at least two users are required for key access or administrative functions. When two users must be involved, any malicious or inappropriate access requires collusion, reducing the likelihood of inappropriate actions and increasing the likelihood of detection.

6. Job Rotation

Many insider threats develop over time and may go undetected for months or years. Often boredom is a cause. One way to counter both problems and at the same time improve the skills and value of key employees, is to rotate users through different roles. Job rotation also increases the likelihood that inappropriate activities will be detected as the new role holder must by definition examine what the previous role holder was doing.

7. Mandatory Time Away

All users need a holiday, a break and time away to recharge. This is not only good for users, it’s good for the organisation. Just like job rotation, when a privileged user is on leave, another person must cover their duties and has the opportunity to review what has been done.

8. Auditing and Log Review

Auditing is imperative. All actions and access must be audited, both successes and failures. You will want to investigate failures, as they may indicate attempts to access data, but you will also want to review successes and confirm that they were in support of appropriate actions rather than inappropriate ones. While log review only detects things “after the fact”, it can catch repetitive or chronic actions early, and hopefully before too much damage is done.

9. Data Loss Protection

Data Loss Protection (DLP) technologies cannot prevent a determined attacker from taking data, but they can prevent many of the accidental data leakages that occur.

10. Endpoint Protection

Endpoint protection technologies can greatly reduce the risk of data loss and also detect inappropriate activities by privileged users. Endpoint protection can help you secure BYOD devices, and search files for key data like account numbers. The technology also helps to enforce policies that restrict users from transferring data to unapproved USB devices and encrypt those devices that are approved.
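The list above names least privilege (3), periodic review of privileges (4) and audit log review (8) as controls but does not show what the checks actually look like. The following is an added example, not part of the original article and not GFI's code, of both checks in Python: a privilege review that compares each user's current grants against an assumed role-to-entitlement model, and a log review over a constructed audit log that flags both repeated failures and successes that the user's role does not justify. The users, roles, entitlement names, log format and log lines are all constructed for the example.

```python
"""Constructed privilege-review and audit-log-review example (illustrates
precautions 3, 4 and 8 in the list above).  Every user, role, entitlement
and log line here is made up for the example; nothing is taken from GFI or
from any real identity store."""
from collections import Counter

# Which entitlements each role is supposed to carry (assumed role model).
ROLE_ENTITLEMENTS = {
    "billing_clerk": {"claims.read", "billing.write"},
    "nurse": {"ehr.read", "ehr.write"},
    "dba": {"db.admin", "ehr.read"},
}

# Grants as an identity store might report them (constructed).  Note the
# leftovers: alice has ehr.read without a clinical role, bob moved from
# dba to nurse but kept db.admin, and dave has left but still has access.
GRANTS = {
    "alice": {"role": "billing_clerk", "entitlements": {"claims.read", "billing.write", "ehr.read"}},
    "bob": {"role": "nurse", "entitlements": {"ehr.read", "ehr.write", "db.admin"}},
    "carol": {"role": "dba", "entitlements": {"db.admin", "ehr.read"}},
    "dave": {"role": None, "entitlements": {"ehr.read"}},
}

# Maps (action, resource prefix) to the entitlement that action requires (assumed).
ACTION_ENTITLEMENT = {
    ("read", "claims"): "claims.read",
    ("write", "billing"): "billing.write",
    ("read", "ehr"): "ehr.read",
    ("write", "ehr"): "ehr.write",
    ("admin", "db"): "db.admin",
}


def review_privileges(grants, role_entitlements):
    """Periodic privilege review: return {user: entitlements to revoke} for
    every grant the user's current role does not justify.  A user with no
    role (has left the organisation) should have nothing left at all."""
    findings = {}
    for user, rec in grants.items():
        allowed = role_entitlements.get(rec["role"], set())
        excess = rec["entitlements"] - allowed
        if excess:
            findings[user] = excess
    return findings


def parse_log(text):
    """Parse constructed audit lines: '<timestamp> <user> <action> <resource> <outcome>'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, outcome = line.split()
        entries.append({"ts": ts, "user": user, "action": action,
                        "resource": resource, "outcome": outcome})
    return entries


def review_log(entries, grants, role_entitlements, failure_threshold=3):
    """Audit-log review covering both halves of precaution 8: repeated
    failures (possible probing) and successes the user's role does not
    justify (access that worked but should not have been possible)."""
    failures = Counter(e["user"] for e in entries if e["outcome"] == "failure")
    repeated = {u: n for u, n in failures.items() if n >= failure_threshold}

    unjustified = []
    for e in entries:
        if e["outcome"] != "success":
            continue
        prefix = e["resource"].split("/", 1)[0]
        needed = ACTION_ENTITLEMENT.get((e["action"], prefix))
        role = grants.get(e["user"], {}).get("role")
        allowed = role_entitlements.get(role, set())
        if needed is None or needed not in allowed:
            unjustified.append((e["user"], e["action"], e["resource"]))
    return {"repeated_failures": repeated, "unjustified_successes": unjustified}


# Constructed audit log for the sample run.
AUDIT_LOG = """\
2015-06-01T08:00:01 alice read claims/1001 success
2015-06-01T08:00:05 alice read claims/1002 success
2015-06-01T08:01:10 bob read ehr/555 success
2015-06-01T09:00:00 dave read ehr/777 failure
2015-06-01T09:00:03 dave read ehr/778 failure
2015-06-01T09:00:07 dave read ehr/779 failure
2015-06-01T09:00:09 dave read ehr/780 failure
2015-06-01T10:15:00 alice read ehr/900 success
"""

if __name__ == "__main__":
    for user, excess in sorted(review_privileges(GRANTS, ROLE_ENTITLEMENTS).items()):
        print(f"revoke from {user}: {sorted(excess)}")
    report = review_log(parse_log(AUDIT_LOG), GRANTS, ROLE_ENTITLEMENTS)
    print("repeated failures:", report["repeated_failures"])
    print("successes to investigate:", report["unjustified_successes"])
```

Run as a script, it lists the three users with excess grants (alice, bob and the departed dave) and the two log findings. The review of successes is the part most teams skip: dave's string of failed reads is noisy and easy to spot, but alice's single successful read of a clinical record is silent unless someone compares the action against what her role should allow.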

Insider threats can be prevented if a detailed and layered strategy is adopted. Every organisation needs HR, legal and IT to work together to cast a protective net that will proactively identify threats or at least minimise the impact of insider threat. No organisation is safe but we can all lower the risk by acknowledging that the problem exists and taking a range of simple precautions.



ONC issues new privacy, security handbook


During the HIMSS15 annual conference in Chicago last week, the Office of the National Coordinator for Health IT announced the release of a new and improved guide for securing electronic health information that hospitals, providers and business associates can integrate into their practice.

Among the highlights are how to comply with Meaningful Use (MU) security requirements, questions you should ask your health IT vendors, and everything from cybersecurity and HIPAA to action plans and checklists.
 
Many useful tips, permitted use cases, compliance requirements and HIPAA explanations have been added since the last update, four years ago.
 
The guide, as ONC Chief Privacy Officer Lucia Savage explained in a blog post, has been revised to include new "practical information" on topics such as cybersecurity, encryption, patient access and the HIPAA privacy and security rules in action. The revised version also includes information on compliance with the EHR Incentive Programs' security requirements.
 
And for those looking for more guidance on what questions to ask your health IT vendors, look no further.
 
The handbook "also offers suggested questions providers may want to ask their health IT developers or EHR companies so they can be confident that the systems they buy and use will meet their privacy and security needs," Savage explained.
 
Top of this list are questions such as: "How does my backup and recovery system work? How often do I test this recovery system? How much remote access will the health IT developer have to my system?" and "How much of the health IT developer's training covers privacy and security awareness, requirements and functions?"
 
According to a new Verizon data breach report that analyzed the healthcare vertical, physical theft or loss accounted for the lion's share, some 26 percent, of security incidents by pattern. Another 20 percent of security incidents were due to insider privilege and insider misuse; "miscellaneous errors" accounted for 19 percent. Other patterns noted in the report for the healthcare vertical were upticks in DoS and Web app attacks, at 9 percent and 7 percent respectively. 



Cyber insurance can reduce impact of a data breach


Cyber insurance for your business might be worth the cost. It deserves a good look because it educates on reducing risk, helps when a breach happens and can be a competitive advantage.


In 2015, data breach events are once again on the rise. How your organization, regardless of size, efficiently and compliantly manages a breach incident response can be the difference between being the next headline news story or going out of business.


As business owners and executives look for new ways to protect their businesses and brands from risk, cyber insurance is receiving more consideration as a way to manage and respond to a data breach, whether it is caused by outside hackers, your own employees, or a vendor relationship, and whether the cause is malicious intent or the accidental release of information.


Carrying cyber insurance communicates to clients, prospects and vendors that your business is serious about managing a data breach event and committed to protecting customer and employee information.


Here are three tips to consider when reviewing the option of adding a cyber insurance policy:


Work with an insurance broker who understands cyber insurance. A broker who understands cyber insurance can educate your business on the different types of cyber insurance policies and validate the need for one. A broker can also help you understand business interruption, legal liability, the costs to investigate a data breach, notify victims, and defend or settle class-action lawsuits, as well as regulatory enforcement actions and fines.


Data breach assessment. Your business needs to evaluate its overall risk of experiencing a data breach and the type of data you collect, store and transmit.

Here are some questions to ask when considering cyber insurance: What industry are you in? What is the type and volume of data that your company collects, uses, stores, and transfers? How prominent is your brand? Are your technology, information security and governance practices up to date? Are mobile devices an integral part of your business? What is the total number of vendors and third-party contractors with access to your company's sensitive data?


Learn about cyber policy exclusions and endorsements. Not all cyber insurance policies are created equal. Ask about retroactive coverage for "prior, unknown data breaches." Ask about coverage that includes "loss of data" versus only "theft of data." If your business acts as a vendor or third-party contractor for other businesses, ask whether your coverage includes liability to those business clients.

The reality is, the challenges of a data breach event can include complex federal and state breach notification laws, and most small businesses lack the financial and human resources to respond. Cyber insurance can support your risk-management objectives.


Mark Manning's curator insight, March 9, 2016 8:11 AM

Insurance cover might be essential for your business.


Data Encryption Is Key for Protecting Patient Data


According to the HIPAA Final Omnibus Rule, section 164.304 sets forth the following definition: "Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." Although encryption is an "addressable" implementation specification under the Security Rule rather than a "required" one, a practice really should treat it as required. Why? Encrypting mobile devices, laptops, hard drives, servers, and electronic media (e.g., USB drives and CD-ROMs) can prevent the practice from paying a large fine for a HIPAA breach. It also changes what counts as a breach: under the HHS breach notification guidance, PHI encrypted in line with NIST recommendations is "secured," so the loss of a properly encrypted device does not have to be reported as a breach, whereas the loss of an unencrypted one does.

As a reminder, Concentra and QCA Health Plan together paid nearly $2 million to the Department of Health and Human Services, Office for Civil Rights, to settle cases that both began with the theft of an unencrypted laptop. The "investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (PHI) was a critical risk," the Office for Civil Rights said. "While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security-management processes in place to safeguard patient information."

Failing to encrypt data, and failing to meet the other requirements of HIPAA and the HITECH Act, can have further-reaching consequences. According to a recent article by Absolute Software, "Protected health information is becoming increasingly attractive to cybercriminals with health records fetching more than credit card information on the black market. According to Forrester, a single health record can sell for $20 on the black market while a complete patient dossier with driver's license, health insurance information, and other sensitive data can sell for $500."

Any physician who has had their DEA number compromised or been involved in a government investigation involving Medicare fraud knows firsthand about the importance of implementing adequate security measures and internal audits. Investing in encryption is one way to mitigate financial, reputational, and legal liability.


Justin Boersma's curator insight, March 27, 2015 7:28 AM

Data encryption is vital in the protection of private consumer data collected by companies, especially medical records. Innovation in data encryption is required to prevent breaches of sensitive information as The Information Age grows in the coming years.


Stolen hard drives bring more data breach pain for US health services


The Indiana State Medical Association (ISMA) has warned 39,090 of its clients that their private data may be at risk of leakage, after the "random" theft of a pair of backup hard drives.

The drives were being transported to an offsite storage location when the theft occurred, on 13 February. ISMA went public with the breach on Monday, having apparently sent out letters to those affected a few days earlier, three weeks after the incident.

Data on the drives includes at least the standard set of personal details, such as names, dates of birth, health plan ID numbers, and physical and email addresses. In some cases it also includes Social Security Numbers and/or details of medical history.

Those affected should already have been told what level of information about them may have been leaked.

ISMA's statement claims the data on the drives "cannot be retrieved without special equipment and technical expertise", although it's not clear if that equipment and know-how means anything more than a computer to connect the drives to and the skills to plug them in and mount them.

There's certainly no mention of strong encryption being applied to the records, implying that they were stored relatively insecurely.

ISMA has posted a detailed FAQ for those affected, and will provide credit monitoring services for those who want them - the deadline to apply for this is 8 June 2015.

Many of them may already have availed themselves of ID protection, as there's likely to be a considerable overlap with the epic Anthem breach, which affected huge numbers of people across the US.

As Paul Ducklin recently pointed out, medical information is highly sensitive, opening up all sorts of opportunities for social engineering and identity theft.

All such data needs to be properly secured, to protect it not just from hackers as in the Anthem case, but also from inadequate anonymisation when referenced online, and of course from the many dangers of the physical world.

Backups are of course a vital part of any security and integrity regime, but it's worth remembering that they also bring some added security risks of their own. Backed-up data needs to be stored securely, ideally in a separate location from the master copies, and transporting data is always a fragile part of the chain.

We routinely hear of data being lost in the post, devices being mislaid in trains, planes and taxis, and even records simply falling off the back of trucks.

In this case, the incident is described as a "random criminal act". The proper tactic to mitigate this risk is not heavily-armed security guards escorting couriers to backup storage locations, but something much simpler and cheaper.

All data considered sensitive or important should be strongly encrypted as a matter of routine when immediate access is not required.

Off-site backups in particular should be locked down as strongly as possible, given that decryption time will not add significantly to the restore process.

Keeping data well encrypted adds another layer on top of the security of storage facilities, and minimises the danger from "random criminal acts", and even carelessness, when data is in transit.
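Putting the last three paragraphs into practice, along with the point made in the "Data Encryption Is Key for Protecting Patient Data" item above: the following Go program is an added example, not code from ISMA, Sophos or anyone quoted on this page. It seals a backup image with AES-256-GCM under a random 256-bit key before the image is written to the drive that leaves the building, and shows that a blob which has been tampered with, relabelled or opened with the wrong key is refused on restore instead of silently yielding garbage. The sample records, the backup-set label and the function names are all constructed for the illustration; in a real deployment the key would live in a key vault, HSM or sealed envelope in the office safe, never on the same media as the backup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleRecords is a constructed stand-in for the kind of data the article
// says was on the stolen drives (name, DOB, plan ID, SSN). Not real data.
const SampleRecords = "Jane Doe,1970-01-01,PLAN-00042,123-45-6789\n" +
	"John Roe,1982-06-30,PLAN-00043,987-65-4321\n"

// NewBackupKey returns a fresh 256-bit key. It must be stored separately
// from the backup media; a thief who gets the drives but not the key is
// left with ciphertext only.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealBackup encrypts a backup image with AES-256-GCM. The random nonce is
// prepended to the output so the blob on the drive is self-contained, and
// setLabel (e.g. a backup-set identifier) is bound as associated data so a
// blob cannot be quietly swapped for one from a different backup set.
func SealBackup(key, plaintext, setLabel []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("backup key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, setLabel), nil
}

// OpenBackup reverses SealBackup. Any change to the blob, a wrong key or a
// wrong setLabel makes the GCM tag check fail, so a restore never proceeds
// with corrupted or substituted data.
func OpenBackup(key, blob, setLabel []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("backup key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed backup")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], setLabel)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	label := []byte("ISMA-offsite-set-1") // constructed backup-set label
	blob, err := SealBackup(key, []byte(SampleRecords), label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into a %d-byte blob\n", len(SampleRecords), len(blob))
	// This is all a thief with the drive but without the key gets to see.
	fmt.Printf("first bytes on disk: %x...\n", blob[:16])

	// Simulate damage or tampering in transit: the restore must fail loudly.
	blob[len(blob)-1] ^= 0x01
	if _, err := OpenBackup(key, blob, label); err != nil {
		fmt.Println("restore refused:", err)
	}
}
```

Decryption on restore costs one pass over the image, which, as the article notes, is negligible next to the restore itself. The nonce is generated fresh for every seal; reusing a nonce under the same key would break GCM, so a deployment that seals many images under one key should either generate the key per backup set or derive a per-image key.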


Via Paulo Félix

DOJ Charges Suspect in Largest Known Data Breach


Justice may not always be swift, but the U.S. government has proven itself tenacious in tracking down alleged cyber-criminals to the ends of the Earth. The U.S. Department of Justice (DOJ) announced Feb. 17 that Russian national Vladimir Drinkman appeared in a federal court in New Jersey in connection with cyber-attacks that occurred between 2007 and 2009 and affected up to 160 million credit cards.

Drinkman has pleaded not guilty and is being detained without bail ahead of a trial scheduled for April 27, 2015. Before being extradited to the United States to stand trial, Drinkman had been in detention by authorities in the Netherlands since he was first arrested June 28, 2012.

According to the indictment, Drinkman did not act alone, and there were other co-conspirators, including Alexandr Kalinin of St. Petersburg, Russia; Roman Kotov of Moscow; Mikhail Rytikov of Odessa, Ukraine; and Dmitriy Smilianets of Moscow. The Justice Department noted that Smilianets is currently in U.S. federal custody, while Kalinin, Kotov and Rytikov remain at large.

The Justice Department previously identified Drinkman and Kalinin as "Hacker 1" and "Hacker 2" in a 2009 indictment in which Albert Gonzalez was also charged. That indictment involved the corporate data breach that impacted Heartland Payment Systems, Hannaford Brothers and 7-Eleven.

All told, the Justice Department claims that Drinkman and his co-conspirators acquired at least 160 million credit card numbers through various hacking activities. Those activities included SQL injection attacks against the victims' systems, which the attackers used to get in and plant malware.

"This malware created a back door, leaving the system vulnerable and helping the defendants maintain access to the network," the U.S. Department of Justice noted in a statement. "In some cases, the defendants lost access to the system due to companies' security efforts, but were allegedly able to regain access through persistent attacks."

Though Drinkman was first identified back in 2009 as Hacker 1 in the Gonzalez indictment, it took until 2015 for the U.S. government to bring him before a federal court. That six-year gap is not uncommon, said Phil Smith, senior vice president, Government Solutions and Special Investigations, at security specialist Trustwave. The extradition process is lengthy and can be cumbersome, he added.

"Criminals will often flee to countries where extradition to the U.S. or NATO countries is lengthy or can be subverted," Smith told eWEEK. "We have even seen cases where the U.S. has pending criminal charges and requested to extradite individuals only to see them tried, convicted and jailed in a foreign country and then extradited back to their home countries to serve out their sentences."

Smith added that, in some cases he is aware of, once criminals have been returned to their home countries, the charges were thrown out and the criminals have been released. "It is very frustrating. So when you are able to get one of these individuals extradited to the U.S., it's a great victory and I applaud the efforts of the prosecutors and agents," he said.


5 scary ways your business is vulnerable to a cyber security breach


The Internet has changed the way that you do business.

No matter what industry you are in, you value what your cyber network does for you in terms of connecting with clients and staying efficient.

But, with advances in cyber technologies come more cybercriminals. No matter how sophisticated cyber security technologies and firewalls get, it seems that there is still a more sophisticated hacker capable of breaching your systems and stealing sensitive data.

Believe it or not, three-quarters of businesses surveyed have reported that they have experienced a security breach in the last 12 months.

As you can see, you are more vulnerable than you might think, and here’s how:

You Fail to Invest in Encryption

Hackers attempt to break through firewalls in an effort to steal information. From bank account and routing numbers to Social Security and credit card numbers, businesses hold a lot of sensitive data that they have to protect.

When attackers steal that information, it damages your reputation and costs you money. Full-disk encryption protects the data on laptops and drives that are lost or stolen; it does nothing for a system that is running and already compromised, so treat it as one layer alongside patching, access control and encryption of data in transit, not as a substitute for them.

You Are Not Wi-Fi Protected

Did you know that it is much easier for attackers to get onto your network when you run a Wi-Fi network? Radio reaches the parking lot; a wired port does not.

Most security experts recommend that businesses connect to the Internet with a wired network, but if you do have a Wi-Fi network, run it with WPA2 (never WEP or an open network) and a long, complex passphrase containing special characters, numbers, and capital letters.

Leaving Computer and Mobile Devices Vulnerable

Not all cyber attacks involve hacking into the network. Actually, a large portion of businesses who are targeted by “cyber” criminals are those who have had their computing devices stolen.

If your business laptops, cell phones, tablets, and other devices are stolen and are not encrypted, it is easy for the thief to get into your network and find personal and account information on you and your clients. Encrypt every portable device, and enable remote wipe where the device supports it.

Having special physical locks to secure devices can deter burglars looking for a quick score.

Failure to Focus on Mobile Security

The cyber infrastructure is turning mobile, and many companies have not developed a strategic plan to keep up with the growing popularity of mobile computing.

If you use smartphones for conferences or tablet devices for estimates, your network could be at risk of an attack.

Mobile threats are becoming so common that accredited institutions like Norwich University have developed an online master's in information security that trains graduates to stay ahead of these damaging threats. Mobile security needs to go to the forefront of your security planning.

Employees Are Not Properly Trained

You do not have to be a large corporation to implement employee training programs that prepare everyone to follow good security practices.

You should teach your employees how to make strong passwords, how often to change passwords, how to spot a threat and how to avoid sites that make the company network vulnerable.

By doing this, you can prevent potential attacks.

There will always be the threat of cyber attackers as long as the Internet is around.

While the threat is there, there are also ways to make your business more secure and less vulnerable. Brush up on security and be sure your company is equipped to survive.


Via Roger Smith, Paulo Félix

Can You Keep a Secret? Tips for Creating Strong Passwords


The computers in your office are veritable treasure chests of information that cyber pirates would love to get their hands on. Only authorized personnel in a practice should have the keys to unlock what's inside. Passwords are those keys. They play an important role in protecting Electronic Health Records (EHR) and the vital information those records hold.

The HIPAA Security Rule says that “reasonable and appropriate . . . procedures for creating, changing, and safeguarding passwords” must be in place. But the rule doesn’t stop there. It goes on to say that “In addition to providing passwords for access, entities must ensure that workforce members are trained on how to safeguard information. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles.”

Regardless of the type of computers or operating system your office uses, a password should be required to log in and do any work. Today’s blog will focus on how to create strong passwords – the kind that aren’t easily guessed. And since attackers often use automated methods to try to guess a password, it is important to choose one that doesn’t have any of the characteristics that make passwords vulnerable.

How to stay ahead of the hackers

They’re a clever bunch, those hackers. And they seem to know a lot about human nature, too. They’ve figured out the methods most people use when choosing a password. And they’ve turned that knowledge to their advantage.

To outsmart them, create a password that’s:

NOT a word found in any dictionary, even foreign ones
NOT a word in any language — including its slang, dialects, and jargon
NOT a word spelled backwards
NOT based on recognizable personal information — like names of family and friends
NOT a birthdate
NOT an address or phone number
NOT a word or number pattern on the keyboard — for instance, asdfgh or 987654

A strong password should:

Be at least 8 characters in length (longer is better)
Include a combination of upper and lower case letters, at least one number and at least one special character, like an exclamation mark

Examples of strong passwords

With their weird combinations of letters, numbers, and special characters, passwords can be a challenge to remember. Starting with an easy-to-remember phrase and then tweaking it to fit the guidelines for strong passwords is one way around that problem.

For instance:

1h8mond@ys! (I hate Mondays!)

5ayBye4n@w (Say bye for now)
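To make the rules above concrete, here is an added Go example (not from the original blog post) that checks a candidate password against them: length, character classes, a dictionary word, a dictionary word spelled backwards, personal-information tokens, and keyboard runs such as asdfgh or 987654. The seven-word dictionary and the personal-information tokens are constructed stand-ins; a real check would load a large leaked-password wordlist and the user's own directory attributes (name, date of birth, phone number).

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// dictionary is a constructed stand-in for a real cracking wordlist.
var dictionary = map[string]bool{
	"password": true, "monday": true, "welcome": true, "doctor": true,
	"clinic": true, "patient": true, "letmein": true,
}

// keyboardRows is used to catch runs like "asdfgh" and "987654" in either direction.
var keyboardRows = []string{"qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "0987654321"}

const (
	minLength  = 8 // the article's floor; longer is better
	patternRun = 4 // shortest keyboard run treated as a pattern
)

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// hasKeyboardRun reports whether pw contains patternRun or more consecutive
// keys from one keyboard row, forwards or backwards.
func hasKeyboardRun(pw string) bool {
	lower := strings.ToLower(pw)
	for _, row := range keyboardRows {
		for i := 0; i+patternRun <= len(row); i++ {
			run := row[i : i+patternRun]
			if strings.Contains(lower, run) || strings.Contains(lower, reverse(run)) {
				return true
			}
		}
	}
	return false
}

// CheckPassword returns the rules from the article that pw fails.
// personalInfo holds tokens the user must not reuse (names, birth year,
// phone number). An empty result means the password passes every rule.
func CheckPassword(pw string, personalInfo []string) []string {
	var problems []string
	lower := strings.ToLower(pw)

	if len([]rune(pw)) < minLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minLength))
	}

	var hasUpper, hasLower, hasDigit, hasSpecial bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		default:
			hasSpecial = true
		}
	}
	if !(hasUpper && hasLower && hasDigit && hasSpecial) {
		problems = append(problems, "needs upper case, lower case, a digit and a special character")
	}

	// Keep only letters so that "Password1!" is still caught as "password".
	letters := strings.Map(func(r rune) rune {
		if unicode.IsLetter(r) {
			return r
		}
		return -1
	}, lower)
	if dictionary[letters] {
		problems = append(problems, "dictionary word")
	}
	if dictionary[reverse(letters)] {
		problems = append(problems, "dictionary word spelled backwards")
	}

	for _, info := range personalInfo {
		if info != "" && strings.Contains(lower, strings.ToLower(info)) {
			problems = append(problems, "contains personal information: "+info)
		}
	}

	if hasKeyboardRun(pw) {
		problems = append(problems, "keyboard pattern")
	}
	return problems
}

func main() {
	personal := []string{"Smith", "1975", "5550123"} // constructed user attributes
	for _, pw := range []string{"1h8mond@ys!", "1H8mond@ys!", "5ayBye4n@w", "Password1!", "Drowssap1!", "Smith1975!", "Asdfgh12!", "short"} {
		fmt.Printf("%-14q -> %v\n", pw, CheckPassword(pw, personal))
	}
}
```

Two things the output makes visible: "Password1!" satisfies every character-class rule and is still rejected as a dictionary word, which is why class rules alone are not enough; and the article's first example, 1h8mond@ys!, contains no capital letter and so fails the page's own upper-and-lower-case rule, while 1H8mond@ys! passes.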

Safety first

The importance of having strong passwords — the longer, the better — and changing them on a regular basis can’t be overstated. And it goes without saying that writing a password on a Post-It note and attaching it to a computer monitor should never be done. Do everything you can to make your passwords strong, and store them somewhere safe. These steps will help ensure the security of your PHI and give those hackers fits.


How To HIPAA-proof Your Smartphone

Healthcare individuals and organisations can often find themselves the prime target for security breaches, and for that reason they need to do their utmost in protecting the privacy of patient records and information. To that end, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was introduced to set the standards required for protecting sensitive information, including saving, transmitting and accessing patient data and electronic files.

IT security has in recent years become a high priority for hospitals and other healthcare providers, as online attacks have risen. HIPAA has always defined the baseline for securing patient information from the cyber-criminals who target the healthcare industry. But in January of last year, the Department of Health and Human Services released an Omnibus Final Rule, which modified the HIPAA standards and placed new liabilities on individuals working in the healthcare profession.
Omnibus Final Rule Policies

These include:

Healthcare organisations (including business subcontractors and associates) being directly liable for compliance, as well as for penalties for all violations.
Risk assessment now must focus not on the harm to the patient but simply on whether information has been compromised.
In the event of a breach, affected patients must be notified within 60 days of discovery; HHS must be notified as well (within 60 days if 500 or more people are affected, otherwise in an annual log), and for a breach affecting more than 500 residents of a state, prominent media outlets in that state must also be notified.
Breaches of limited data sets (i.e. data sets stripped of direct identifiers that also omit birth dates and zip codes) are no longer treated as an exception, and must be handled in the same manner as all other breaches.

The result has led to a surge in regulatory and HIPAA privacy claims, with many involving nefarious acts by unhappy employees and disgruntled patients.

In one case, it is reported that a physician’s smartphone was compromised and over 30 unauthorized security breaches were recorded over the space of just a single four-hour period. The practice was required to notify hundreds of patients warning them of the potential leakage of their medical information, as well as reporting the incident to the press and the relevant government authorities as per HIPAA regulations.
Smartphones Extremely Vulnerable To Theft And Loss

Because of their portability and small size, mobile devices are particularly vulnerable to theft and loss, which indeed accounts for the majority of security breaches. Catherine Barrett of the Federal Working Group reports of a survey of 600 US hospital workers, which found that 66% of reported data breaches were as a result of a mobile device being lost or stolen.

Any unauthorised access to sensitive information on your smartphone or any other device constitutes a violation of the HIPAA Privacy Rule. Even if you simply lose your phone, you are putting that information at risk and you may well find yourself liable. If anyone other than you manages to access files that are protected under HIPAA – even if the person who finds the phone has no malicious intent and is just being a bit nosy before handing it in – you are still in violation of HIPAA and exposed to penalties. Under the Omnibus Final Rule a breach is a breach, and there is little wiggle room when you find yourself in court. The one real exception is encryption: if the PHI on the device was encrypted in line with HHS guidance, it is not "unsecured" PHI and its loss is not a reportable breach, which is the strongest argument for Step 4 below.

The cost of a breach is a real one too. Although it is true that certain data breaches may well be covered by your insurance, the cost to your reputation (especially considering that you have no choice under HIPAA but to make public the infraction) is difficult to measure, and the time you and your staff will have to devote to addressing the issue is certainly not negligible.
How To HIPAA-Proof Your Smartphone

First and foremost you will of course want to HIPAA-proof your desktop and office systems, and something like PA File Sight is certainly something to consider – the software allows managers to view exactly who is accessing, reading from and editing any important and sensitive files on the system.

Once you have done this it is time to HIPAA-proof your smartphone and any other mobile devices.

Step 1. Activate Your Phone Passcode: Although this seems like a no-brainer, it is surprising how many people don't even take this first very easy step. At minimum choose a four-digit passcode; a longer numeric or alphanumeric passcode is much harder to guess, since a four-digit code has only 10,000 possibilities. Whatever its length, it cannot be something that is easy to guess: no birthdays, addresses, phone numbers or special dates that are in any way related to you, as these can all be Googled. Your phone may have a setting that wipes all information from the phone if the incorrect passcode is entered more than a set number of times. Set this to, say, 5, and turn it on; it is what makes even a short passcode survive a casual guessing attempt.

Step 2. Never Use Email: Email accounts are very easily compromised, especially if you are using your smartphone to transfer information. If a HIPAA privacy claim were ever filed against you or your practice and it was discovered that you were sending sensitive information by email, you would not have a defensive leg to stand on. The problem is that regular email is not usually encrypted end to end, so if you are using it for patient information you need to stop immediately and switch to a cloud-based encryption service built for this purpose. Note that a virtual private network (VPN) only protects traffic between your phone and the VPN gateway; it does nothing for a message once it leaves your mail server, so a VPN on its own is not a fix for unencrypted email.

Step 3. Set A 'Required Login' For Accessing Apps: Although it is obviously very convenient to leave yourself logged in to your apps on your smartphone, you must never do so with any that deliver HIPAA-sensitive information to your device. If someone were to gain access to your phone and you had left all of your apps logged in, that person would have access to every file you have. Log in each time – it might be inconvenient, but that's just tough.

Step 4. Install an Encryption App: This is one sure-fire way to ensure that files transferred to and from your device remain protected should the device be compromised. Encryption apps will also protect the information that resides on the phone itself. There are many encryption apps available for both Apple and Android devices, some of which are sophisticated enough to meet government standards. Though it is unlikely that you will need such a powerful (not to mention expensive) one, you will nonetheless be much better protected if your files are secured by some sort of encryption app on your phone. The apps can of course be configured to encrypt all of your phone's data, or just the sensitive information that you select. Both iOS and Android also offer built-in device encryption tied to the passcode; turn that on regardless, since it is what the passcode in Step 1 actually protects.

By following the above steps you will be slowing any hacker down considerably. Although these barriers could all be hacked by a serious or determined individual, it is much more likely that they will instead look to move onto the next unprotected device, which hopefully will be one that doesn’t contain any HIPAA sensitive data. Either way, if the information on your phone is securely protected, you should be able to avoid any HIPAA violations should your device become lost or stolen.