HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Unencrypted Devices Still a Breach Headache

While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit - the loss or theft of unencrypted computing devices - is still putting patient data at risk.

Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services' "wall of shame," which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.

That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.

The incident occurred on Feb. 3 while ISMA's IT administrator was transporting the hard drives to an offsite storage location as part of ISMA's disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group's request to comment on the breach, citing that there are "ongoing civil and criminal investigations under way."

A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year's worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.

Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:

  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.

Many smaller breaches affecting less than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The thefts and losses of encrypted computing devices are not reportable breaches under HIPAA. That's why security experts express frustration that the loss and theft of unencrypted devices remains a common breach cause.

"It is unfortunate that [encryption] is considered an 'addressable' requirement under HIPAA, as many people don't realize that this does not mean optional," says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.

Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he's expecting to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by their failure to manage the mobile devices used by their employees on which electronic protected health information was stored or accessed.

"Install encryption on laptops that handle PHI," he advises. "Don't store patient information on a smartphone or other mobile device."

Concerns about the cost and complexity of encryption are unfounded, Berger contends, because encryption has become more affordable and the process has been made easier.

"There have been arguments that encrypting backup media sent offsite is technically problematic," says privacy and security expert Kate Borten, founder of the consultancy The Marblehead Group. "While it's true that encryption can add overhead, this has become a weaker argument in recent years."

But Borten acknowledges that organizations must look beyond encryption when safeguarding patient information. "Encryption is not a silver bullet," she notes. "For example, if a user leaves a laptop open, the otherwise-encrypted hard drive is accessible. But for portable devices and non-paper media, there is no equivalent security measure."

Borten notes that the most common reason cited for a lack of device encryption is a lack of adequate support and resources for overall security initiatives. "While all an organization's laptops might be encrypted - the easy part - there are mobile devices running on multiple platforms and personally owned devices and media that are harder to control," she notes. "It takes management commitment as well as human and technical resources to identify all those devices and bring them under the control of IT."

Room for Improvement

The 2015 Healthcare Information Security Today survey of security and privacy leaders at 200 healthcare entities found that encryption is being applied by only 56 percent of organizations for mobile devices. The survey, conducted by Information Security Media Group in December 2014 and January 2015, found that when it comes to BYOD, about half of organizations require encryption of personally owned devices; nearly half prohibit the storage of PHI on these devices. Only 17 percent of organizations say they don't allow BYOD.

Complete results of the survey will be available soon, as well as a webinar that analyzes the findings.

"Personally owned devices are definitely the Achilles heel," Berger says. "Healthcare organizations have to address BYOD head-on. It is a complicated and thorny issue, but 'looking the other way' is not an acceptable approach. We recommend clear decisions regarding acceptable use, reflected in policy and backed up by enforcement," he says.

"We have also seen [breaches] happen when an organization makes the decision to encrypt but then has a long roll-out plan and the lost/stolen devices had yet to be encrypted," he adds.

Steps to Take

To help reduce the risk of breaches involving mobile computing devices, Berger says organizations should make sure they have a mobile device use policy that's "clear, comprehensive and well-understood. We suggest calling it out as a separate policy that must be signed by employees. Back up policy with ongoing security awareness training and strong enforcement."

In addition, OCR advises covered entities and business associates to make use of guidance it has released with its sister HHS agency, the Office of the National Coordinator for Health IT. OCR also offers free online training on mobile device security.

Data Encryption Is Key for Protecting Patient Data

According to the HIPAA Final Omnibus Rule, section 164.304 sets forth the following definition: "Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." Although encryption is an "addressable" implementation specification rather than a "required" one, it really should be treated as required. But why? Encrypting mobile devices, laptops, hard drives, servers, and electronic media (e.g., USB drives and CD-ROMs) can prevent the practice from paying a large fine for a HIPAA breach.

As a reminder, both Concentra and QCA Health Plan paid over $2 million in combined fines to the Department of Health and Human Services, Office for Civil Rights. The "investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (PHI) was a critical risk," the Office for Civil Rights said. "While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security-management processes in place to safeguard patient information."

The problems with not encrypting data and failing to conform to the other requirements associated with HIPAA and the HITECH Act can have further reaching consequences. According to a recent article by Absolute Software, "Protected health information is becoming increasingly attractive to cybercriminals with health records fetching more than credit card information on the black market. According to Forrester, a single health record can sell for $20 on the black market while a complete patient dossier with driver's license, health insurance information, and other sensitive data can sell for $500."

Any physician who has had their DEA number compromised or been involved in a government investigation involving Medicare fraud knows firsthand about the importance of implementing adequate security measures and internal audits. Investing in encryption is one way to mitigate financial, reputational, and legal liability.

Justin Boersma's curator insight, March 27, 2015 7:28 AM

Data encryption is vital in the protection of private consumer data collected by companies, especially medical records. Innovation in data encryption is required to prevent breaches of sensitive information as The Information Age grows in the coming years.


Stolen hard drives bring more data breach pain for US health services

The Indiana State Medical Association (ISMA) has warned 39,090 of its clients that their private data may be at risk of leakage, after the "random" theft of a pair of backup hard drives.

The drives were being transported to an offsite storage location when the theft occurred, on 13 February. ISMA went public with the breach on Monday, having apparently sent out letters to those affected a few days earlier, three weeks after the incident.

Data on the drives includes at least the standard set of personal details, such as names, dates of birth, health plan ID numbers, and physical and email addresses. In some cases it also includes Social Security Numbers and/or details of medical history.

Those affected should already have been told what level of information about them may have been leaked.

ISMA's statement claims the data on the drives "cannot be retrieved without special equipment and technical expertise", although it's not clear if that equipment and know-how means anything more than a computer to connect the drives to and the skills to plug them in and mount them.

There's certainly no mention of strong encryption being applied to the records, implying that they were stored relatively insecurely.

ISMA has posted a detailed FAQ for those affected, and will provide credit monitoring services for those who want them - the deadline to apply for this is 8 June 2015.

Many of them may already have availed themselves of ID protection, as there's likely to be a considerable overlap with the epic Anthem breach, which affected huge numbers of people across the US.

As Paul Ducklin recently pointed out, medical information is highly sensitive, opening up all sorts of opportunities for social engineering and identity theft.

All such data needs to be properly secured, to protect it not just from hackers as in the Anthem case, but also from inadequate anonymisation when referenced online, and of course from the many dangers of the physical world.

Backups are of course a vital part of any security and integrity regime, but it's worth remembering that they also bring some added security risks of their own. Backed-up data needs to be stored securely, ideally in a separate location from the master copies, and transporting data is always a fragile part of the chain.

We routinely hear of data being lost in the post, devices being mislaid in trains, planes and taxis, and even records simply falling off the back of trucks.

In this case, the incident is described as a "random criminal act". The proper tactic to mitigate this risk is not heavily-armed security guards escorting couriers to backup storage locations, but something much simpler and cheaper.

All data considered sensitive or important should be strongly encrypted as a matter of routine when immediate access is not required.

Off-site backups in particular should be locked down as strongly as possible, given that decryption time will not add significantly to the restore process.

Keeping data well encrypted adds another layer on top of the security of storage facilities, and minimises the danger from "random criminal acts", and even carelessness, when data is in transit.

Via Paulo Félix
DOJ Charges Suspect in Largest Known Data Breach

Justice may not always be swift, but the U.S government has proven itself to be tenacious in tracking down alleged cyber-criminals to the ends of the Earth. The U.S Department of Justice (DOJ) announced Feb. 17 that Russian national Vladimir Drinkman appeared in a federal court in New Jersey in connection with cyber-attacks that occurred between 2007 and 2009 and affected up to 160 million credit cards.

Drinkman has pleaded not guilty and is being detained without bail ahead of a trial scheduled for April 27, 2015. Before being extradited to the United States to stand trial, Drinkman had been in detention by authorities in the Netherlands since he was first arrested June 28, 2012.

According to the indictment, Drinkman did not act alone in his activities and there were other co-conspirators, including Alexandr Kalinin of St. Petersburg, Russia; Roman Kotov, of Moscow; Mikhail Rytikov of Odessa, Ukraine; and Dmitriy Smilianets of Moscow. The Justice Department noted that Smilanets is currently in U.S. federal custody, while Kalinin, Kotov and Rytikov remain at large.

The Justice Department previously identified Drinkman and Kalinin as "Hacker 1" and "Hacker 2" in a 2009 indictment in which Albert Gonzalez was also charged. That indictment involved the corporate data breach that impacted Heartland Payment Systems, Hannaford Brothers and 7-Eleven.

All told, the Justice Department claims that Drinkman and his co-conspirators acquired at least 160 million credit card numbers by way of various hacking activities. Those activities include SQL injection attacks against the victims, whereby the attackers were able to inject malware.

"This malware created a back door, leaving the system vulnerable and helping the defendants maintain access to the network," the U.S Department of Justice noted in a statement. "In some cases, the defendants lost access to the system due to companies' security efforts, but were allegedly able to regain access through persistent attacks."

Though Drinkman was first identified back in 2009 as Hacker 1 in the Gonzalez indictment, it took until 2015 for the U.S. government to bring him before a federal court. That six-year gap is not uncommon, said Phil Smith, senior vice president, Government Solutions and Special Investigations, at security specialist Trustwave. The extradition process is lengthy and can be cumbersome, he added.

"Criminals will often flee to countries where extradition to the U.S. or NATO countries is lengthy or can be subverted," Smith told eWEEK. "We have even seen cases where the U.S. has pending criminal charges and requested to extradite individuals only to see them tried, convicted and jailed in a foreign country and then extradited back to their home countries to serve out their sentences."

Smith added that, in some cases he is aware of, once criminals have been returned to their home countries, the charges were thrown out and the criminals have been released. "It is very frustrating. So when you are able to get one of these individuals extradited to the U.S., it's a great victory and I applaud the efforts of the prosecutors and agents," he said.

Can You Keep a Secret? Tips for Creating Strong Passwords

The computers in your office are veritable treasure chests of information cyber pirates would love to get their hands on. Only authorized personnel in a practice should have the keys to unlock what’s inside. Passwords are those keys. They play an important role in protecting Electronic Health Records (EHR) and the vital information those records hold.

The HIPAA Security Rule says that “reasonable and appropriate . . . procedures for creating, changing, and safeguarding passwords” must be in place. But the rule doesn’t stop there. It goes on to say that “In addition to providing passwords for access, entities must ensure that workforce members are trained on how to safeguard information. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles.”

Regardless of the type of computers or operating system your office uses, a password should be required to log in and do any work. Today’s blog will focus on how to create strong passwords – the kind that aren’t easily guessed. And since attackers often use automated methods to try to guess a password, it is important to choose one that doesn’t have any of the characteristics that make passwords vulnerable.

How to stay ahead of the hackers

They’re a clever bunch, those hackers. And they seem to know a lot about human nature, too. They’ve figured out the methods most people use when choosing a password. And they’ve turned that knowledge to their advantage.

To outsmart them, create a password that’s:

NOT a word found in any dictionary, even foreign ones
NOT a word in any language — including its slang, dialects, and jargon
NOT a word spelled backwards
NOT based on recognizable personal information — like names of family and friends
NOT a birthdate
NOT an address or phone number
NOT a word or number pattern on the keyboard — for instance, asdfgh or 987654

A strong password should:

Be at least 8 characters in length
Include a combination of upper and lower case letters, at least one number and at least one special character, like an exclamation mark

Examples of strong passwords

With their weird combinations of letters, numbers, and special characters, passwords can be a challenge to remember. Starting with an easy-to-remember phrase and then tweaking it to fit the guidelines for strong passwords is one way around that problem.

For instance:

1h8mond@ys! (I hate Mondays!)

5ayBye4n@w (Say bye for now)

Safety first

The importance of having strong passwords — the longer, the better — and changing them on a regular basis can’t be overstated. And it goes without saying that writing a password on a Post-It note and attaching it to a computer monitor should never be done. Do everything you can to make your passwords strong, and store them somewhere safe. These steps will help ensure the security of your PHI and give those hackers fits.

How responsible are employees for data breaches and how do you stop them?

Data breaches have very quickly climbed the information security agenda and that includes the data breach threat posed by employees and IT professionals.

Now a new report says the insider problem is far worse than we had previously imagined. The Verizon Data Breach Investigations Report claims that 14% of breaches are due to insiders, and that’s not counting the further 12% of breaches that come from IT itself.

Examining the motives of employees with malicious intent, the Verizon report identified two main reasons insiders choose to cause so much trouble:

  1. They are looking for financial gain, perhaps via selling confidential data; or
  2. It’s an act of revenge by disgruntled workers or angry ex-employees who still have network privileges.

On the other hand, CompTIA, an association representing the interests of IT resellers and managed service providers, has a far different point of view. It says more than half of all breaches – some 52% – are due to human error or malice, and the rest arise from technology mistakes. Research from the SANS Institute reaches the same conclusion – employee negligence is a huge source of data breaches. Social engineering is one such element, so this once again shows the importance of training employees in basic IT security.

According to CompTIA, technical solutions are not enough. IT vigilance is always necessary as too many organisations don’t even know there is an insider threat. Resigning yourself to the fact that the human error factor is a problem with no solution is neglectful, especially when it accounts for such a high percentage of breaches. Ultimately, employees are the strongest security layer. Of course, it is just as important to make sure all updates and patches are installed, firewalls are turned on and anti-malware is up to date.

Organisations also need to consider adding tools that can spot and stop data leakage amongst other breaches. Email security too is a top measure to take as many breaches and leaks come through or from the employee’s inbox.

What precautions can you take?

But what should an organisation do when users, whose roles require access to sensitive data, misuse that access? What precautions can they take to reduce both the risk of this happening, and the damage that can result from insider activity?

There is no single answer to these questions, and there is no silver bullet that can solve the problem. A layered approach that includes policy, procedure and technical solutions is the right approach to take. GFI Software has identified 10 precautions in particular that organisations should consider.

1.Background checks

Background checks should be carried out on every employee joining the organisation, even more so if those employees will have access to privileged data. While not foolproof (Edward Snowden had security clearance) they can help to identify potential employees who may have a criminal record or had financial problems in the past. They may also uncover some details of their employment history that bear closer inspection and further checks.

2.Acceptable Use

Acceptable Use Policies (AUPs) do more than simply define what users should and should not do on the Internet. They also define what is acceptable and unacceptable when using customer and business proprietary data. While an AUP will not stop those with clear intent, it will warn employees that there are consequences if they are caught, including disciplinary action and possibly dismissal.

3.Least Privilege

The principle of least privilege states that users should only be granted the minimum amount of access necessary to complete their jobs. This should include both administrative privileges and access to data. By limiting access, the amount of damage an insider can cause is limited.

4.Review of Privileges

Users’ access to systems and data should be reviewed regularly to ensure that such access is appropriate and is also still required. As users change roles and responsibilities, any access they no longer need should be revoked.

5.Separation of Duties

When possible, administrative duties should be divided up so that at least two users are required for key access or administrative functions. When two users must be involved, any malicious or inappropriate access requires collusion, reducing the likelihood of inappropriate actions and increasing the likelihood of detection.

6.Job Rotation

Many insider threats develop over time and may go undetected for months or years. Often boredom is a cause. One way to counter both problems and at the same time improve the skills and value of key employees, is to rotate users through different roles. Job rotation also increases the likelihood that inappropriate activities will be detected as the new role holder must by definition examine what the previous role holder was doing.

7.Mandatory Time Away

All users need a holiday, a break and time away to recharge. This is not only good for users, it’s good for the organisation. Just like job rotation, when a privileged user is on leave, another person must cover their duties and has the opportunity to review what has been done.

8.Auditing and Log Review

Auditing is imperative. All actions and access must be audited, both for successes and failures. You will want to investigate failures as they may indicate attempts to access data, but you will also want to review successes and ensure that they are in support of appropriate actions, rather than inappropriate ones. While log review only detects things “after the fact”, it can still catch repetitive or chronic actions early, and hopefully before too much damage is done.
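Reviewing successes as well as failures is the part most practices skip, because a successful access looks like normal work unless something compares it with a baseline. The following is an added example, not code from the article or from GFI: it runs three simple review rules over a constructed EHR access log (repeated failures by one user, successful access outside business hours, and one user opening many different charts in a short window, the classic snooping or bulk-export pattern). The log line format, the field names, the thresholds and the user names are all assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

type event struct {
	t       time.Time
	user    string
	action  string
	patient string
	result  string
}

type Finding struct {
	User, Rule, Detail string
}

// Thresholds are assumptions; tune them against the practice's own baseline.
const (
	failureThreshold = 3
	bulkThreshold    = 10
	bulkWindow       = 15 * time.Minute
	afterHoursStart  = 22 // 22:00
	afterHoursEnd    = 6  // 06:00
)

// parseLine reads "<RFC3339 time> key=value ..." and rejects anything else.
func parseLine(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return event{}, false
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, false
	}
	e := event{t: t}
	for _, kv := range f[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			e.user = v
		case "action":
			e.action = v
		case "patient":
			e.patient = v
		case "result":
			e.result = v
		}
	}
	return e, e.user != ""
}

// Review applies the three rules per user and returns findings in a stable order.
func Review(lines []string) []Finding {
	byUser := map[string][]event{}
	for _, l := range lines {
		if e, ok := parseLine(l); ok {
			byUser[e.user] = append(byUser[e.user], e)
		}
	}
	var out []Finding
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].t.Before(evs[j].t) })
		failures, afterHours := 0, 0
		for _, e := range evs {
			if e.result != "success" {
				failures++
			} else if h := e.t.Hour(); h >= afterHoursStart || h < afterHoursEnd {
				afterHours++
			}
		}
		if failures >= failureThreshold {
			out = append(out, Finding{user, "repeated-failures", fmt.Sprintf("%d failed attempts", failures)})
		}
		if afterHours > 0 {
			out = append(out, Finding{user, "after-hours", fmt.Sprintf("%d successful accesses between %02d:00 and %02d:00", afterHours, afterHoursStart, afterHoursEnd)})
		}
		if n := maxDistinctInWindow(evs); n >= bulkThreshold {
			out = append(out, Finding{user, "bulk-access", fmt.Sprintf("%d distinct patients within %s", n, bulkWindow)})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Rule < out[j].Rule
	})
	return out
}

// maxDistinctInWindow slides a bulkWindow over the user's sorted events and
// returns the largest number of distinct patients successfully opened in one window.
func maxDistinctInWindow(evs []event) int {
	best := 0
	for i := range evs {
		seen := map[string]bool{}
		for j := i; j < len(evs) && evs[j].t.Sub(evs[i].t) <= bulkWindow; j++ {
			if evs[j].result == "success" {
				seen[evs[j].patient] = true
			}
		}
		if len(seen) > best {
			best = len(seen)
		}
	}
	return best
}

// SampleLog is a constructed audit trail for the example.
func SampleLog() []string {
	lines := []string{
		"2015-03-09T14:02:11Z user=rjones action=view patient=P1001 result=success",
		"2015-03-09T14:05:40Z user=rjones action=view patient=P1002 result=success",
		"2015-03-10T09:10:00Z user=mlee action=export patient=P3001 result=failure",
		"2015-03-10T09:10:30Z user=mlee action=export patient=P3001 result=failure",
		"2015-03-10T09:11:02Z user=mlee action=export patient=P3001 result=failure",
		"2015-03-10T09:12:15Z user=mlee action=export patient=P3001 result=success",
	}
	// tnguyen opens twelve different charts in eleven minutes, late at night.
	for i := 0; i < 12; i++ {
		lines = append(lines, fmt.Sprintf("2015-03-09T23:%02d:05Z user=tnguyen action=view patient=P2%03d result=success", 40+i, i+1))
	}
	return lines
}

func main() {
	for _, f := range Review(SampleLog()) {
		fmt.Printf("%-8s %-18s %s\n", f.User, f.Rule, f.Detail)
	}
}
```

On the sample, rjones produces nothing, mlee is flagged for three failed exports before a successful one (worth a call, since the fourth attempt succeeded), and tnguyen is flagged twice: after-hours access and bulk access. The rules are deliberately coarse; the point is that they run every day over successes, not only over the failures an alert would already have raised.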

9.Data Loss Protection

Data Loss Protection (DLP) technologies cannot stop a determined attacker from taking data, but they can prevent many of the accidental data leakages that occur.

10.Endpoint Protection

Endpoint protection technologies can greatly reduce the risk of data loss and also detect inappropriate activities by privileged users. Endpoint protection can help you secure BYOD devices, and search files for key data like account numbers. The technology also helps to enforce policies that restrict users from transferring data to unapproved USB devices and encrypt those devices that are approved.
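Both the DLP and the endpoint items above rest on the same primitive: finding identifiers such as account numbers in files before they leave a workstation, with few enough false positives that people keep the control switched on. The following is an added example, not code from the article or from GFI or any DLP vendor: a scanner that looks for Social Security numbers and payment card numbers in text, applies the structural checks that weed out placeholders and typos (SSA area/group/serial rules, the Luhn check digit), and reports only masked values and line numbers so its own output is not another copy of the data. The sample export, the function names and the masking format are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

type Finding struct {
	Kind  string // "ssn" or "card"
	Value string // masked; the scanner never emits the full identifier
	Line  int
}

var (
	ssnRe  = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	cardRe = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`) // 13 to 19 digits
)

// validSSN applies the SSA structural rules: area not 000, 666 or 900-999,
// group not 00, serial not 0000.
func validSSN(area, group, serial string) bool {
	a, _ := strconv.Atoi(area)
	if a == 0 || a == 666 || a >= 900 {
		return false
	}
	return group != "00" && serial != "0000"
}

// luhn checks the mod-10 check digit used by payment card numbers.
func luhn(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// ScanText returns structurally valid SSNs and Luhn-valid card numbers found
// in text, one finding per hit, in line order.
func ScanText(text string) []Finding {
	var out []Finding
	strip := strings.NewReplacer(" ", "", "-", "")
	for n, line := range strings.Split(text, "\n") {
		for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
			if validSSN(m[1], m[2], m[3]) {
				out = append(out, Finding{"ssn", mask(m[0]), n + 1})
			}
		}
		for _, m := range cardRe.FindAllString(line, -1) {
			digits := strip.Replace(m)
			if luhn(digits) {
				out = append(out, Finding{"card", mask(digits), n + 1})
			}
		}
	}
	return out
}

// SampleExport is a constructed file a user might try to copy to a USB stick.
const SampleExport = `Patient: Jane Doe  DOB 1970-01-02
SSN: 123-45-6789
Old SSN field: 000-12-3456  (placeholder, area 000 is never issued)
Card on file: 4111 1111 1111 1111
Typo'd card: 4111 1111 1111 1112
Order ref: 20150310-4421`

func main() {
	for _, f := range ScanText(SampleExport) {
		fmt.Printf("line %d: %s %s\n", f.Line, f.Kind, f.Value)
	}
}
```

The same function can be wired to a removable-media hook or a mail gateway: a file with any finding is blocked or encrypted before it leaves, and the log entry carries the masked value and line number, which is enough for the reviewer and useless to anyone who later reads the log.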

Insider threats can be prevented if a detailed and layered strategy is adopted. Every organisation needs HR, legal and IT to work together to cast a protective net that will proactively identify threats or at least minimise the impact of insider threat. No organisation is safe but we can all lower the risk by acknowledging that the problem exists and taking a range of simple precautions.

Two More Health Insurers Report Data Breach

Today, medical insurance providers LifeWise and Premera Blue Cross each reported, separately, that they had been the target of sophisticated cyberattacks that began on May 5, 2014. Premera will be notifying approximately 11 million affected customers; LifeWise, 250,000. Neither organization has evidence that any customer data has been used fraudulently, and neither has yet confirmed that any patient data was in fact compromised.

They say attackers "may have gained unauthorized access to" members' information, including name, date of birth, Social Security number, mailing address, email address, telephone number, member identification number, bank account information, and claims information, including clinical information.

Individuals who do not have medical insurance through these companies, but do other business with them, might have had their email addresses, banking data, or Social Security numbers exposed.

These attacks, when combined with the Anthem Healthcare breach reported last month and the Community Health Systems breach in the summer, clearly indicate that health insurance providers have become a popular new target -- and Chinese cyberespionage groups are being implicated.

Anthem first detected suspicious activity Jan. 27 and confirmed on Jan. 29 that an attack had occurred, over the course of several weeks in December 2014.

LifeWise and Premera also say they discovered their breaches Jan. 29 -- possibly as a result of Anthem sharing information about their own intrusion with HITRUST's Cyber Threat Intelligence and Incident Coordination Center. However, after investigations by Mandiant -- the same organization conducting the investigation at Anthem -- both Premera and LifeWise report that their first intrusions occurred several months earlier, in May.

Both Premera and LifeWise are providing two years of free credit monitoring and identity theft protection to affected individuals. More information is available at premeraupdate.com and lifewiseupdate.com.

US cops charge suspects in 'world's largest data breach'

US law enforcement has charged three men believed to have been behind "the largest data breach in US history".

The US Department of Justice (DoJ) reported charging Vietnamese citizens Viet Quoc Nguyen, 28, and Giang Hoang Vu, 25, and Canadian citizen David-Manuel Santos Da Silva, 33.

The charges allege that Nguyen hacked into and stole confidential information from at least eight US email service providers between February 2009 and June 2012.

The information included over one billion email addresses from the companies' marketing departments, and was listed by the DoJ during a Congressional inquiry in June 2011 as the largest data breach in US history.

Vu reportedly helped Nguyen use the stolen information to send "tens of millions" of malicious spam messages.

Da Silva, who was also indicted by a federal grand jury on 4 March 2015 for conspiracy to commit money laundering, reportedly helped Nguyen and Vu to monetise the scheme and hide incoming revenue.

Vu was arrested by Dutch law enforcement in 2012 and extradited to the US in March 2014. He pleaded guilty to conspiracy to commit computer fraud in February and is scheduled to be sentenced on 21 April.

Da Silva was arrested at Fort Lauderdale-Hollywood International Airport on 12 February, and is scheduled to be arraigned on 9 March in Atlanta. Nguyen remains at large.

US assistant attorney general Leslie R. Caldwell listed the charges as a major step in bringing "international" cyber criminals to justice.

"These men, operating from Vietnam, the Netherlands, and Canada, are accused of carrying out the largest data breach of names and email addresses in the history of the internet," said Caldwell.

"The defendants allegedly made millions of dollars by stealing over a billion email addresses from email service providers. This case again demonstrates the resolve of the DoJ to bring accused cyber hackers from overseas to face justice in the US."

Reginald Moore, special agent in charge of the US Secret Service Atlanta Field Office, explained that the charges prove the need for increased collaboration between departments when combating cybercrime.

"Our success in this case and other similar investigations is a result of our close work with our law enforcement partners," he said.

"The Secret Service worked closely with the DoJ and the FBI to share information and resources that ultimately brought these cyber criminals to justice.

"This case demonstrates that there is no such thing as anonymity for those engaging in data theft and fraudulent schemes."

The charges have been welcomed by members of the security community. Imperva CTO Amichai Shulman said he expects the move to set off alarm bells in cybercrime circles.

"I think the most important lesson here is that law enforcement agencies are able to point out specific individuals involved in specific acts of cybercrime even when they are in distant locations around the globe," he said.

"My belief is that, if enough resources are put up against small breaches as well as large breaches in a 'zero tolerance' policy against cyber violation, we'd see the number of attacks decrease significantly over a short period of time."

Mark James, security specialist at ESET, hopes to see similar operations in the near future.

"Hopefully this will turn out to be a success and will go on to many more cases showing that the fight against cybercrime is not always a losing battle," he said.

The latest developments come during a global push by law enforcement to combat cyber crime.

5 scary ways your business is vulnerable to a cyber security breach

The Internet has changed the way that you do business.

No matter what industry you are in, you value what your cyber network does for you in terms of connecting with clients and staying efficient.

But, with advances in cyber technologies come more cybercriminals. No matter how sophisticated cyber security technologies and firewalls get, it seems that there is still a more sophisticated hacker capable of breaching your systems and stealing sensitive data.

Believe it or not, three-quarters of businesses surveyed have reported that they have experienced a security breach in the last 12 months.

As you can see, you are more vulnerable than you might think, and here’s how:

You Fail to Invest in Encryption

Hackers attempt to break through firewalls in an effort to steal information. From bank accounts and routing numbers, to social security and credit card numbers, businesses have a lot of sensitive data that they have to protect.

When these attackers steal information, they can affect your reputation and cost you money. If you have failed to encrypt your data with full-disk encryption tools, your data may be vulnerable.

You Are Not Wi-Fi Protected

Did you know that it is much easier for cyber attackers to gain access to a network when you have a Wi-Fi network?

Most security experts recommend that businesses connect to the Internet with a wired network, but if you do have a Wi-Fi network, then you need to have a complex password complete with special characters, numbers, and capital letters.

Leaving Computer and Mobile Devices Vulnerable

Not all cyber attacks involve hacking into the network. Actually, a large portion of businesses who are targeted by “cyber” criminals are those who have had their computing devices stolen.

If your business laptops, cell phones, tablets, and other devices are stolen, it is easy for the burglar to gain access into your network and find important personal and account information on you and your clients.

Having special physical locks to secure devices can deter burglars looking for a quick score.

Failure to Focus on Mobile Security

The cyber infrastructure is turning mobile, and many companies have not developed a strategic plan to keep up with the growing popularity of mobile computing.

If you use smartphones for conferences or tablet devices for estimates, your network could be at risk of an attack.

Mobile threats are becoming so common that accredited institutions like Norwich University have developed an online master's in information security that trains MS graduates how to stay ahead of these damaging threats. Mobile security needs to go to the forefront of your security planning.

Employees Are Not Properly Trained

You do not have to be a large corporation just to implement employee training programs that will prepare everyone to follow good security practices.

You should teach your employees how to make strong passwords, how often to change passwords, how to spot a threat and how to avoid sites that make the company network vulnerable.

By doing this, you can prevent potential attacks.

There will always be the threat of cyber attackers as long as the Internet is around.

While the threat is there, there are also ways to make your business more secure and less vulnerable. Brush up on security and be sure your company is equipped to survive.

Via Roger Smith, Paulo Félix