HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Patients suing Fort Wayne medical company over data breach

Two lawsuits have been filed in federal court in Fort Wayne seeking class action status on behalf of patients who have had their data compromised by Medical Informatics Engineering.

The Fort Wayne-based medical software company has reported that the private information of 3.9 million people nationwide was exposed when its networks were hacked earlier this year. The compromised information includes patients' names, Social Security numbers, birth dates and addresses, The (Fort Wayne) Journal Gazette (http://bit.ly/1W3PLHO) reported.

The company contacted the FBI to report the data breach in May and began issuing letters to patients, letting them know which provider's information was hacked and offering them credit monitoring services, in mid-July.

The first lawsuit was filed last week by one patient, while the second lawsuit was filed Tuesday by three other patients.

Both lawsuits are similar and accuse the company of negligence. The plaintiffs argue that the company should've realized the risks associated with collecting and storing patients' personal information, and that the company had a responsibility to protect their data, according to court documents.

The lawsuits allege that Medical Informatics Engineering failed to take steps to prevent and stop the data breach, failed to comply with industry standards for safeguarding such data, and failed to properly implement technical systems or security practices, the documents said.

"Given the risk involved and the amount of data at issue, MIE's breach of its duties was entirely unreasonable," the attorneys wrote in the lawsuit.

In addition to class action status, all four patients also are seeking damages and expenses.

Eric Jones, co-founder and CEO of Medical Informatics Engineering, confirmed to the Associated Press Thursday that the company is aware of the two pending lawsuits.

"Our primary focus at this time is on responding to requests for information to those affected and helping them to enroll in credit monitoring and identity protection services," he said.

4 in 10 Midsize Businesses Have Experienced A Data Breach

Most midsize business leaders view a data breach among their top risks and a majority consider IT security ‘very important’ when selecting a supplier, according to The Hartford’s survey of midsize business owners and C-level executives. They have good reason to be concerned: 43 percent had experienced a data breach in the prior three years, and 13 percent have had a supplier’s data breach impact their business information.

The Hartford survey found most midsize business leaders (82 percent) consider a data breach at least a minor risk to their business. Nearly one-third (32 percent) view it as a major risk.

“All types of businesses have networks and networks can be vulnerable to a breach,” said Joe Coray, vice president of The Hartford’s Technology & Life Science Practice. “As we have seen in recent years, a breach involving a supplier or vendor can impact a business as much as a breach of its own IT systems. Whether businesses are hosting their data internally or entrusting it to external business partners, it is important that they validate how their information is being secured.”

Recognizing the data risks involving suppliers, more than half of the midsize business leaders (53 percent) surveyed consider IT security and data protection practices very important when selecting a supplier. By comparison, 36 percent consider a supplier’s contingency planning and 28 percent view a supplier’s location relative to their business as very important.

Massive data breach could affect every federal agency

China-based hackers are suspected once again of breaking into U.S. government computer networks, and the entire federal workforce could be at risk this time.

The Department of Homeland Security said in a statement that data from the Office of Personnel Management — the human resources department for the federal government — and the Interior Department had been compromised.

"The FBI is conducting an investigation to identify how and why this occurred," the statement Thursday said.

The hackers were believed to be based in China, said Sen. Susan Collins, a Maine Republican.

Collins, a member of the Senate Intelligence Committee, said the breach was "yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances."

A spokesman for the Chinese Embassy in Washington called such accusations "not responsible and counterproductive."

"Cyberattacks conducted across countries are hard to track and therefore the source of attacks is difficult to identify," spokesman Zhu Haiquan said Thursday night. He added that hacking can "only be addressed by international cooperation based on mutual trust and mutual respect."

A U.S. official, who declined to be named because he was not authorized to publicly discuss the data breach, said it could potentially affect every federal agency. One key question is whether intelligence agency employee information was stolen. Former government employees are affected as well.

The Office of Personnel Management conducts more than 90 percent of federal background investigations, according to its website.

The agency said it is offering credit monitoring and identity theft insurance for 18 months to individuals potentially affected. The National Treasury Employees Union, which represents workers in 31 federal agencies, said it is encouraging members to sign up for the monitoring as soon as possible.

In November, a former DHS contractor disclosed another cyberbreach that compromised the private files of more than 25,000 DHS workers and thousands of other federal employees.

Cybersecurity experts also noted that the OPM was targeted a year ago in a cyberattack that was suspected of originating in China. In that case, authorities reported no personal information was stolen.

Chinese groups have persistently attacked U.S. agencies and companies, including insurers and health-care providers, said Adam Meyers, vice president for intelligence at Irvine, California-based CrowdStrike, which has studied Chinese hacking groups extensively.

The Chinese groups may be looking for information that can be used to approach or compromise people who could provide useful intelligence, Meyers said. "If they know someone has a large financial debt, or a relative with a health condition, or any other avenues that make them susceptible to monetary targeting or coercion, that information would be useful."

One expert said hackers could use information from government personnel files for financial gain. In a recent case disclosed by the IRS, hackers appear to have obtained tax return information by posing as taxpayers, using personal information gleaned from previous commercial breaches, said Rick Holland, an information security analyst at Forrester Research.

"Given what OPM does around security clearances, and the level of detail they acquire when doing these investigations, both on the subjects of the investigations and their contacts and references, it would be a vast amount of information," Holland added.

DHS said its intrusion detection system, known as EINSTEIN, which screens federal Internet traffic to identify potential cyberthreats, identified the hack of OPM's systems and the Interior Department's data center, which is shared by other federal agencies.

It was unclear why the EINSTEIN system didn't detect the breach until after so many records had been copied and removed.

"DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion," the statement said.

Cybersecurity expert Morgan Wright of the Center for Digital Government, an advisory institute, said EINSTEIN "certainly appears to be a failure at this point. The government would be better off outsourcing their security to the private sector where there's at least some accountability."

Senate Intelligence Committee Chairman Richard Burr, R-N.C., said the government must overhaul its cybersecurity defenses. "Our response to these attacks can no longer simply be notifying people after their personal information has been stolen," he said. "We must start to prevent these breaches in the first place."

Breaking Down the HIPAA Risk Assessment

Conducting a HIPAA risk assessment is something every covered entity (CE) must do to ensure that it is properly monitoring potential weak spots in its data security. At the time of publication, the Office for Civil Rights (OCR) had not yet chosen a date for its second round of HIPAA audits, but the looming threat of an OCR visit cannot be the only reason for CEs to think about HIPAA risk assessments.

Following up with last week’s discussion on the details in a potential HIPAA audit, HealthITSecurity.com will now break down the important aspects of the actual HIPAA risk assessment. We’ll cover the basics of the risk assessment process, as well as what common mistakes organizations might make and why a thorough risk assessment is essential for all CEs.

What is a HIPAA risk assessment?

The HIPAA risk assessment is meant to help healthcare organizations analyze potential risks and pinpoint where PHI may be vulnerable. It is required by the Security Rule's administrative safeguards (the risk analysis standard at 45 CFR 164.308(a)(1)(ii)(A)), which every CE must satisfy, and it drives the policies and procedures the organization puts in place to monitor risk.

“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” according to the Department of Health and Human Services (HHS) website.

HHS adds that a proper risk analysis should include, but not necessarily be limited to the following activities conducted by CEs:

  • Evaluate the likelihood and impact of potential risks to e-PHI
  • Implement appropriate security measures to address the risks identified in the risk analysis
  • Document the chosen security measures and, where required, the rationale for adopting those measures
  • Maintain continuous, reasonable, and appropriate security protections.

Under the HIPAA Security Rule, CEs must ensure that all ePHI they create, receive, maintain or transmit is protected. The risk assessment is an important part of this process. For example, a healthcare provider can start its own analysis by tracking where it stores ePHI: in databases, on mobile devices, and in the cloud. From there, the organization needs to determine how that information is secured. Are the devices encrypted? Are they password protected? Who has access to the databases?

Understanding the HIPAA risk assessment is also easier when organizations keep in mind the separate four-factor analysis the Breach Notification Rule requires after an impermissible use or disclosure. A CE uses these four factors to determine the probability that PHI has been compromised, and OCR will expect to see them documented:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the PHI or to whom it was disclosed
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

Overlooking even one area could lead to data security issues, as that could be where a data breach occurs or the OCR could discover that something is left unsecured.

How to avoid potential mistakes

As is the case with health data security in general, there are numerous ways that a healthcare organization could overlook an area and then experience a data breach. With the HIPAA risk assessment, it’s important to not assume that one analysis is all that is needed. Technology will continue to evolve, and facilities will likely integrate new systems to keep pace. A periodic assessment will not only keep an organization HIPAA compliant, it will also ensure that as new tools are added, ePHI remains secure.

For example, let's say that a practice begins to use secure messaging for the first time. Doctors, nurses, technicians, and other employees are now able to send text messages to one another and perhaps even to patients. But those mobile devices may not have been in the original risk analysis, and they are now potentially storing PHI. Leaving them out of the HIPAA risk assessment leaves the facility with an assessment that no longer reflects where its PHI actually lives.

It is also important to actually follow up with the initial risk assessment. A CE can’t just conduct an analysis and then say, “That’s it!” It’s necessary for healthcare organizations to verify that they’re actually doing what they said that they were going to do in terms of keeping PHI secure. If any changes or adjustments needed to be made, the entity actually needs to follow through and do it.

Another potential mistake to watch out for is assuming that the risk assessment has to be done single-handedly. Several agencies have developed guides and tools to help CEs conduct thorough HIPAA risk assessments tailored to their workflow. For example, the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator (ONC) publish comprehensive guidelines and assisting tools.
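The three points above (inventory where ePHI lives and how it is protected, re-assess when a new system such as secure messaging arrives, and follow through on the controls the assessment called for) can be made concrete. The following is an added example, not code from the original article and not the NIST or ONC tools it mentions: a minimal likelihood-times-impact risk analysis over a constructed inventory of ePHI-holding assets. The asset names, record counts, 1-to-5 scoring scales and weights are assumptions chosen for illustration, not values from any regulation.

```python
# Added example, not from the original article or from the NIST/ONC tools it
# mentions: a minimal likelihood x impact risk analysis over a constructed
# inventory of systems that hold ePHI. Asset names, record counts and the
# 1-5 scoring scales are assumptions for illustration.
from dataclasses import dataclass, replace
from typing import Dict, List

@dataclass(frozen=True)
class Asset:
    name: str
    location: str            # "database", "cloud", "mobile" or "paper"
    records: int             # patient records the asset holds or can reach
    encrypted: bool          # data encrypted at rest (whole-disk, file or column)
    access_controlled: bool  # password or MFA plus an access list
    accessors: int           # distinct roles or accounts with access

# Assumed baseline exposure per storage location (1 = low, 5 = high).
BASE_LIKELIHOOD = {"database": 2, "cloud": 2, "paper": 3, "mobile": 4}

def likelihood(a: Asset) -> int:
    """How likely a loss or disclosure is, on a 1-5 scale."""
    score = BASE_LIKELIHOOD.get(a.location, 3)
    if not a.encrypted:
        score += 1          # loss or theft exposes readable PHI
    if not a.access_controlled:
        score += 1          # anyone holding the device or URL can read it
    if a.accessors > 3:
        score += 1          # wide access means more accounts to compromise
    return min(score, 5)

def impact(a: Asset) -> int:
    """How bad a compromise would be, on a 1-5 scale driven by record count."""
    for floor, level in ((100_000, 5), (10_000, 4), (1_000, 3), (100, 2)):
        if a.records >= floor:
            return level
    return 1

def gaps(a: Asset) -> List[str]:
    """Controls the Security Rule would expect that are missing on this asset."""
    out = []
    if not a.encrypted:
        out.append("no encryption at rest")
    if not a.access_controlled:
        out.append("no access control")
    return out

def assess(inventory: List[Asset]) -> List[Dict]:
    """Rank every asset by risk = likelihood x impact, highest first."""
    rows = []
    for a in inventory:
        l, i = likelihood(a), impact(a)
        rows.append({"asset": a.name, "likelihood": l, "impact": i,
                     "risk": l * i, "gaps": gaps(a)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

def remediate(a: Asset) -> Asset:
    """The follow-through step: apply the controls the assessment called for."""
    return replace(a, encrypted=True, access_controlled=True)

def top_risk(inventory: List[Asset]) -> Dict:
    return assess(inventory)[0]

# Constructed inventory from an earlier assessment (assumed values).
INVENTORY = [
    Asset("EHR database", "database", 250_000, True, True, 3),
    Asset("Billing portal (hosted)", "cloud", 120_000, True, True, 1),
    Asset("Charts in records room", "paper", 8_000, False, True, 1),
]
# Assumed new asset: clinician phones after a secure-messaging rollout. They
# were never in the original inventory, yet now hold PHI from message threads.
CLINICIAN_PHONES = Asset("Clinician phones (messaging)", "mobile", 2_000, False, False, 2)

if __name__ == "__main__":
    for row in assess(INVENTORY + [CLINICIAN_PHONES]):
        print(f'{row["risk"]:>3}  {row["asset"]:<30} {", ".join(row["gaps"]) or "-"}')
    print("top risk after remediation:",
          top_risk(INVENTORY + [remediate(CLINICIAN_PHONES)])["asset"])
```

Run as written, the phones that were absent from the original inventory come out as the highest-risk asset (unencrypted, no access control, portable), ahead of the far larger EHR database; once `remediate` applies encryption and access control and the assessment is re-run, they drop back below the paper charts. The point is the process, not the particular numbers: the scales here are assumptions, and a real assessment would document its own rationale for each rating.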

Lowering the odds of a data breach

By taking the time to develop and implement security measures that apply to your daily operations, as well as ones that meet federal requirements, your odds of experiencing a security breach will be lessened. While this does not guarantee that a health data breach will never occur, it will help your facility better protect its data.

CEs and their business associates must remain alert and thoroughly evaluate what will constitute an inappropriate use or disclosure of PHI, as well as what they are doing to ensure that appropriate policies and procedures are in place to avoid inquiries and reprimands from government agencies.

Organizations must understand where PHI is being stored, who is being granted authority to access PHI, how the data is actually being viewed and used, and how CEs and BAs are handling risk. The HIPAA risk assessment is not a quick process, but it is a necessary one that will help facilities of all sizes better understand their workflow and how sensitive information is being kept secure.

Here's how healthcare can guard against data breaches in the "year of the hack"

Protected Health Information, or PHI, is increasingly attractive to cybercriminals. According to PhishLabs, health records can fetch as much as 10 times the value of credit card data on the black market.

Stolen healthcare records can be used for fraudulent billing which, unlike financial fraud, can go undetected for long periods of time. The rising price of healthcare records on the market is attracting more cybercriminals, who are exploiting any vulnerability they can find, be it an unpatched system or an insecure endpoint device.

We’ve all heard about several devastating data breaches in the healthcare industry this year – Anthem’s breach of more than 78 million records and the Premera Blue Cross breach of 11 million records. In the first quarter of 2015 alone, there have been 87 reported data breaches affecting 500 or more individuals, according to data from US Department of Health and Human Services Office for Civil Rights. These breaches affected a combined total of 92.3 million individuals, up 3,709 percent from Q1 2014.

Given the mega breaches experienced by Anthem and Premera, one could treat them as outliers. Even excluding those two breaches, the number of individuals affected in the first quarter of 2015 is still 4.9 percent higher than in the same quarter of 2014. Although the first three months of 2014 saw three more data breaches than the first three months of 2015, it is clear that the number of individuals affected per breach is on the rise.

2015 is the year of the “hack”, but people are still the root cause.

In the first quarter of the year, 33 percent of data breaches were attributed to hacking or an "IT incident," but the methods by which cybercriminals successfully penetrated corporate networks are telling. These breaches originated from unencrypted data, unpatched systems, or compromised passwords. In 2015, several hacking incidents have been traced back to the compromise of a single set of credentials.

The Verizon 2015 Data Breach Investigations Report analyzed nearly 80,000 security incidents including 2,122 confirmed data breaches. Its findings reveal that despite the rise in cyberattacks, 90 percent of security incidents are tied back to people and their mistakes including phishing, bad behavior, or lost devices. The report notes that, even with a detailed technical report of a security incident, the “actual root cause typically boils down to process and human decision-making.” This is frightening but also good news, as there are measures that can be taken to reduce these risks by improving upon process and education, complemented by the right data security solutions.

It’s not all about the network

Healthcare organizations reacting to data breach headlines may focus efforts on protecting the network, leaving data vulnerable to other attack vectors and overlooking the people and process risks that ultimately result in most data breaches.

Cyberattacks arrive through many different vectors. It only takes one missing device, one use of unsecured WiFi, one compromised password, or one click on a phishing email to compromise the entire corporate network. Many of these risks originate on the endpoint and put the corporate network at risk. Current data security strategies in healthcare cannot be framed as network versus endpoint, nor can they ignore the "people" risk that is only amplified by trends such as BYOD, mobile work, the cloud, and the Internet of Things.

A holistic approach to healthcare security

If we don’t adopt a different approach – one that addresses the multitude of options available to cybercriminals – breaches will continue to occur. Healthcare organizations that want to get ahead of cybercriminals need to create a holistic approach to data security that incorporates threat prevention, incident detection, and efficient response.

Reduce “the attack surface”

Every point of interaction with PHI puts that data at risk. Reducing the sum total of these points of interaction – the attack surface – can reduce the risk to the data. I suggest a layered approach to data security which decreases the attack surface across endpoints as well as the network, including:

  • A foundation of tight controls and processes;
  • Encryption is a must, but on its own is often circumvented;
  • Supplement encryption with a persistent technology that will provide a connection with a device, regardless of user or location while defeating attempts to remove the technology;
  • Network segmentation is key — granular access controls and tools for continuous monitoring offer real-time intelligence about the devices on the network and the security status of these systems;
  • Automate remediation, such as pushing new firewall rules or locking down a device, when suspicious activity is detected.

Minimize the “people” risk

You can have the best firewalls, encryption and network access controls, but your employees are still your weakest link. Combine process (education and interactive, ongoing training) with technology (such as mobile device management) so that employees understand their part in protecting corporate data on endpoints.

Know how to detect anomalies

Conduct regular security audits on the network and endpoints. Know where your sensitive data resides and how it’s being used (or misused, in the case of employees) with the aid of a data loss prevention (DLP) tool. Most DLP and endpoint security tools can create automated alerts for suspicious activity.

Develop and maintain an incident response plan

With clear procedures in place to pursue anomalies and to escalate breach situations, potential risks can be addressed promptly and effectively. With many false positives to sift through, skilled IT personnel need to connect the dots (a user name change, unauthorized physical changes to the device or its location, software vulnerabilities, registry changes, unusual system processes) and spot a true security incident quickly. Ensure your endpoint security supports remote actions such as data delete and device freeze.
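The "connect the dots" step in the two sections above (detecting anomalies, then deciding when an alert is a real incident worth a remote freeze) is where false positives are won or lost. The following is an added example, not code from the original article or from any vendor's product: a small correlation routine over constructed endpoint telemetry. It scores each device on the distinct kinds of indicator seen inside one 24-hour window, so a single noisy signal (a laptop that travels, a patch run that touches the registry) stays below the response threshold, while several independent signals on one device escalate to a remote freeze. The event format, indicator names, weights, thresholds and every log line are assumptions constructed for this example.

```python
# Added example, not from the original article: a small correlation routine
# over constructed endpoint telemetry. It scores each device on the distinct
# kinds of indicator seen inside one 24-hour window, so a single noisy signal
# stays below the response threshold while several independent signals on
# one device escalate. Event format, weights and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed weights: how much each indicator kind contributes on its own.
WEIGHTS = {
    "user_changed": 3,         # different account than the assigned user
    "hardware_changed": 2,     # unauthorised physical change to the device
    "registry_modified": 2,    # persistence locations touched
    "unusual_process": 2,      # process not seen on this device before
    "location_changed": 1,     # device reporting from an unexpected place
    "vulnerable_software": 1,  # known-vulnerable version installed
}
WINDOW = timedelta(hours=24)
INVESTIGATE_AT = 4   # hand to a human
FREEZE_AT = 6        # trigger remote device freeze and queue a data delete

# Constructed telemetry, one event per line: "timestamp,device,kind,detail".
SAMPLE_LOG = """\
2015-06-10T08:02:00,LAPTOP-RAD01,location_changed,Fort Wayne -> Indianapolis
2015-06-10T08:40:00,LAPTOP-RAD01,location_changed,Indianapolis -> Fort Wayne
2015-06-13T09:00:00,LAPTOP-RAD01,user_changed,rad.s -> rad.t (shared reading room)
2015-06-11T02:10:00,LAPTOP-NUR07,location_changed,Fort Wayne -> unknown
2015-06-11T02:14:00,LAPTOP-NUR07,user_changed,nurse.j -> Administrator
2015-06-11T02:20:00,LAPTOP-NUR07,registry_modified,HKLM Run key added
2015-06-11T02:25:00,LAPTOP-NUR07,unusual_process,unsigned binary in %TEMP%
2015-06-12T09:00:00,WS-BILL03,registry_modified,HKLM Run key modified
2015-06-12T09:01:00,WS-BILL03,registry_modified,HKLM Run key modified
2015-06-12T09:03:00,WS-BILL03,vulnerable_software,Java 7u45 present
2015-06-12T09:30:00,WS-BILL03,unusual_process,new updater service
"""

def parse(line: str) -> Dict:
    """Split one telemetry line into a dict; detail may contain anything."""
    ts, device, kind, detail = line.split(",", 3)
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "kind": kind, "detail": detail}

def window_score(events: List[Dict]) -> Tuple[int, Set[str]]:
    """Highest score of any 24h window, counting each indicator kind once.

    Repeats of the same kind do not add up; only independent kinds do, which
    is what keeps a chatty single sensor from escalating on its own.
    """
    events = sorted(events, key=lambda e: e["ts"])
    best, best_kinds = 0, set()
    for i, start in enumerate(events):
        kinds = set()
        for e in events[i:]:
            if e["ts"] - start["ts"] > WINDOW:
                break
            if e["kind"] in WEIGHTS:
                kinds.add(e["kind"])
        score = sum(WEIGHTS[k] for k in kinds)
        if score > best:
            best, best_kinds = score, kinds
    return best, best_kinds

def decide(score: int) -> str:
    """Map a window score to the response action the plan prescribes."""
    if score >= FREEZE_AT:
        return "freeze"
    if score >= INVESTIGATE_AT:
        return "investigate"
    return "none"

def triage(log: str) -> Dict[str, Dict]:
    """Per-device score, contributing indicator kinds and response action."""
    by_device = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            e = parse(line)
            by_device[e["device"]].append(e)
    result = {}
    for device, events in by_device.items():
        score, kinds = window_score(events)
        result[device] = {"score": score, "indicators": sorted(kinds),
                          "action": decide(score)}
    return result

if __name__ == "__main__":
    for device, r in triage(SAMPLE_LOG).items():
        print(f'{device:<13} score={r["score"]:<2} action={r["action"]:<11} {r["indicators"]}')
```

On the constructed log, the radiologist's laptop that moved between sites and then changed user three days later never crosses a threshold, because its indicators fall in separate windows; the billing workstation with a registry change, a vulnerable Java and a new process lands on "investigate"; and the nurse's laptop that changed location, switched to an administrative account, gained a Run-key entry and launched an unsigned binary within fifteen minutes reaches "freeze". The weights are a starting point to tune against your own false-positive rate, not a standard.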

With data regulations tightening, and healthcare data breaches escalating, don’t give cybercriminals an easy “in” to your organization. Trim the sails and batten the hatches to weather the oncoming storm of cyberattacks with a holistic approach to data security.

The more layers of protection you have in place, the better chance you have of avoiding a breach. Just as sailors can make or break a ship’s success in a storm, your employees are your first line of defense in preventing and detecting a data breach incident. If an incident is discovered, an efficient response plan can help your organization stay afloat in the muddy and complex waters of compliance.

Was Recent IRS Data Breach Preventable?

A government watchdog says the Internal Revenue Service ignored many of its recommendations to improve computer security. But IRS Commissioner John Koskinen told a Senate panel Tuesday that a data breach reported last month involving the accounts of 104,000 taxpayers is an example of "a perfectly good security mechanism ... being overtaken by events."

At a hearing of the Senate Finance Committee, panel Chairman Orrin Hatch told Koskinen that his agency "has failed" the taxpayers whose returns were stolen in the breach reported last month. Hatch added:

"These taxpayers, and their families, must now begin the long and difficult process of repairing their reputations. And they must do so with the knowledge that the thieves who stole their data will likely try to use it to perpetrate further fraud against them."

The Treasury's inspector general for tax administration, J. Russell George, told the panel that 44 of its recommendations to the IRS "have yet to be implemented." Specifically, he said the IRS had not always applied high-risk computer security upgrades known as patches, and that the agency had failed to monitor many of its servers, "which puts the IRS' networks, data and applications at risk."

Koskinen countered that many of the IG recommendations did not apply to the most recent data breach, which involved a separate IRS website. And in response to a question from Hatch, George conceded he could not give "a definitive answer" as to whether the IRS might have prevented the breach if it had implemented the recommendations. But, George said, "it would have been much more difficult."

George and Koskinen both said the perpetrators were likely from Russia and other nations but, citing the ongoing investigation of the data breach, would not be more specific.

The IRS revealed last month that prior-year tax returns had been downloaded by hackers who used legitimate taxpayers' names, Social Security numbers and other personal data to pass the identity checks of an IRS web application called Get Transcript. The application has since been taken offline.

The back tax information is useful for people applying for a home mortgage or college loan. But thieves could use the data to better impersonate taxpayers and get past IRS screens to file fraudulent returns and obtain refunds.

Sen. Johnny Isakson, R-Ga., said it was ironic that while the Senate has been busy debating whether the National Security Agency should be allowed to access data on phone calls, the IRS collects much more personal information — including wages, investments and charitable contributions. This data, he said, is "a lot more personally identifying for the average American than whatever the NSA ever does, and they're looking out for our physical safety."

Data breach costs now average $154 per record

According to a report released this morning by IBM and the Ponemon Institute, the per-record cost of a data breach reached $154 this year, up 12 percent from last year's $145.

In addition, the average total cost of a single data breach rose 23 percent to $3.79 million.

Loss of business was a significant, and growing, part of the total cost of a data breach. Higher customer turnover, increased customer acquisition costs, and a hit to reputation and goodwill added up to $1.57 million per company, up from $1.33 million the previous year, said Ponemon Institute chairman and founder Larry Ponemon.

Ponemon analyzed results from 350 companies in 11 countries, each of which had suffered a breach over the past year.

Data breach costs varied dramatically by industry and by geography.

The US had the highest per-record cost, at $217, followed by Germany at $211. India was lowest at $56 per record.

Sorted by industry, the highest costs were in the health care industry, at an average of $363 per record.

The reason, said Caleb Barlow, vice president at IBM Security, is because the information in a medical record has a much longer shelf life than that of, say, a credit card number.

"With credit cards, the time frame from the breach to mitigation is very short," he said.

The credit card company just has to cancel the old credit card number and issue a new one.

"But the health care record can be used to establish access in perpetuity," he said, pointing out that health care records include a wealth of personal information as well as social security numbers and insurance numbers.

"It can be used to establish credit or steal your identity ten or fifteen years from now," he said. "Once this information is out there, you can't get the genie back in the bottle."

And that doesn't even include the costs of health care fraud, he added.

Factors that can impact breach costs

The Ponemon report looked at a number of other factors that could potentially influence the cost of a breach, and, unlike industry or geography, many of these factors were under management control.

For example, having an incident response team available ahead of time reduced the per-record cost by $12.60. Using encryption extensively reduced costs by $12. Employee training reduced costs by $8.

If business continuity management personnel were part of the incident response team, costs fell by $7.10. CISO leadership lowered costs by $5.60, board involvement lowered costs by $5.50 and cyberinsurance lowered costs by $4.40.

"Companies that have thought about this ahead of time, that had their board involved, that had insurance protection, that had practiced what they would do, they had a much lower cost per breach," said Barlow. "This is really compelling. We have tangible evidence that those who were doing that had much lower costs. You don't have days to respond -- you don't even have hours. You have minutes to get your act together."

Among the factors that increased costs was the need to bring in outside consultants, which added $4.50 per record. If there were lost or stolen devices, costs increased by an average of $9 per record.

And the single biggest factor was if a third party was involved in the cause of a breach. That increased the average per-record cost by $16, from $154 to $170.

Costs rise with time

Ponemon found a positive relationship between the time it took to identify a breach and the total cost of the breach, as well as between the time it took to mitigate the breach and the cost.

On average, it took respondents 256 days to spot a breach caused by a malicious attacker, and 82 days to contain it.

Breaches caused by system glitches took 173 days to spot and 60 days to contain. Those caused by human error took an average of 158 days to notice, and 57 days to contain.

Data breaches cost an average of US$3.8M: Study

The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday.

The total average cost of a data breach is now US$3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.

The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.

Data breaches are becoming more common and significant, with high-profile attacks on Sony Corp, JPMorgan Chase and retailers Target Corp and Home Depot Inc in the past year and a half.

"Most of what's occurring is through organized crime," said Caleb Barlow, vice president of IBM Security. "These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot of people who are trying to defend against them."

IBM, which sells cybersecurity services to companies, has a vested interest in highlighting the costs of data breaches.

The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.

The study's authors said average costs did not apply to mega-breaches affecting millions of customers, such as those suffered by JPMorgan Chase, Target and Home Depot, which cost the companies far greater sums. Target alone said last year its breach cost $148 million.

The study found that the health care was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the average for all sectors of $154.

That reflects the relatively high value of a person's medical records on the underground market, said IBM, as Social Security information is much more useful for identity theft than simple names, addresses or credit card numbers.

Shocks and surprises in new breach trend studies

Since 2010, HHS has documented more than 1,000 major data breaches (incidents affecting 500 or more individuals, the threshold at which the Breach Notification Rule requires reporting to HHS and the media). Now we're starting to see some in-depth analyses of those breaches.

In the new issue of the Journal of the American Medical Association (JAMA), there’s a study that concludes that 29 million medical records were compromised between 2010 and 2013.

The JAMA study also found that six of the breaches involved at least one million records each – and more than one third of all breaches occurred in just five states: California, Texas, Florida, New York and Illinois.

The study was accompanied by an earnest editorial subtitled “The Importance of Good Data Hygiene.” The authors called for a total overhaul of HIPAA, which they described as “antiquated and inadequate.” They noted that HIPAA doesn’t adequately regulate the use of Protected Health Information (PHI) by “digital behemoths” like Apple, Google, Facebook and Twitter.

In addition to the JAMA report, our company did an extensive analysis of 2014 data breach trends summarized here. We thoroughly documented 89 of those breaches, and we excluded the huge Community Health Systems breach so it wouldn’t skew the other data. Here are the most important trends we spotted:

Non-digital breaches still a problem

In the 89 incidents, paper breaches accounted for 9 percent of compromised records in the first half of 2014 – and 31 percent in the second half. Nearly 200,000 paper records were compromised, plus about 60,000 pieces of individually identifiable health information ranging from lab specimens to x-rays. Obviously, it’s still vitally important to safeguard the confidentiality of non-digital health records. Organizations must clarify and enforce policies and procedures to achieve that goal.

Theft of portables still a concern

We confirmed the loss or theft of 12 portable computing devices last year – and the lack of appropriate physical safeguards was a major contributing factor. In addition to taking greater common-sense precautions, organizations should use whole-disk encryption and other technical safeguards to render PHI unusable, unreadable or indecipherable to unauthorized people. Policies and procedures for portable device security need to be clearly communicated to all employees – and workforce training needs to involve much more than a dry online tutorial.

Watch out for rogue employees and business associates

We uncovered 45 incidents involving company insiders that resulted in the compromise of nearly half a million records. In other words, about half of all the data breaches were the result of mistakes or malice by an organization’s own people. It’s impossible to prevent every workforce-related breach, but everyone in the organization needs to be on the lookout for unusual activities that could spell trouble. All employees and BAs need to know that the hammer will come down – swiftly and consistently – on insiders who intentionally compromise patient data.

No organization should shout “hooray” simply for avoiding an Anthem-scale breach. There are many other incidents – improper disposal of paper records, misplaced x-rays, employee snooping, and more – that can still do a lot of financial and reputational damage. Those are the types of breaches that even a HIPAA tech-fix can’t solve.

These breach trend summaries agree on one main point: healthcare organizations need to constantly assess the maturity of their information risk management programs – and not view them as a narrowly defined “HIPAA compliance” duty.


Most companies take over six months to detect data breaches


Financial firms take an average of 98 days to detect a data breach and retailers can take up to 197 days, according to new research.

A new cybersecurity report conducted by the Ponemon Institute on behalf of Arbor Networks suggests it is not only cyberattack events which place sensitive data and corporate networks at risk. Instead, the time it takes for businesses to detect a data breach once it occurs gives threat actors plenty of time to conduct surveillance, steal data and spy upon victim companies -- pushing up the cost of cyberattacks.

According to a survey of 844 IT and IT security practitioners in the financial sector across the US and 14 countries within the EMEA region and 675 IT professionals in the same countries within the retail sector, both industries are struggling to cope with today's threat landscape.

Once a data breach occurs, it takes an average of 98 days for financial services companies to detect intrusion on their networks and 197 days in retail. Despite these long periods of time, known as "dwell" time, 58 percent of those surveyed who work in finance -- and 71 percent of those in retail -- said they are "not optimistic" about their firms' ability to improve these results in the coming year.

The research says that on average, 83 percent of financial companies suffer over 50 attacks per month, as do 44 percent of retail firms. The high rate of attacks is not surprising considering the valuable data stored by these industries -- ranging from trade secrets to sensitive customer data. If accessed, this data can be sold on the black market for high prices.

Among financial services firms, 71 percent of respondents view technology that monitors networks and traffic as the "most promising" method of stopping or minimizing advanced persistent threats (APTs). In total, 45 percent of those surveyed said they have implemented incident response procedures, and 43 percent have begun sharing data on APTs -- a facet often ignored in cybersecurity, as companies can be unwilling to admit they have suffered a data breach.

Among retail firms, 64 percent said network-based technology is the best way to cope with APTs, 34 percent have implemented incident response procedures and 17 percent have established threat sharing with other companies or government bodies.

"The big takeaway from our research is that more investment is needed in both security operations staff and in security tools, which can help companies efficiently and accurately detect and respond to security incidents," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

"The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable."


Unencrypted Devices Still a Breach Headache


While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit - the loss or theft of unencrypted computing devices - is still putting patient data at risk.

Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services' "wall of shame," which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.

That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.

The incident occurred on Feb. 3 while ISMA's IT administrator was transporting the hard drives to an offsite storage location as part of ISMA's disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group's request to comment on the breach, citing that there are "ongoing civil and criminal investigations under way."

A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year's worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.

Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:

  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.

Many smaller breaches affecting fewer than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The thefts and losses of encrypted computing devices are not reportable breaches under HIPAA. That's why security experts express frustration that the loss and theft of unencrypted devices remains a common breach cause.

"It is unfortunate that [encryption] is considered an 'addressable' requirement under HIPAA, as many people don't realize that this does not mean optional," says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.

Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he's expecting to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by their failure to manage the mobile devices used by their employees on which electronic protected health information was stored or accessed.

"Install encryption on laptops that handle PHI," he advises. "Don't store patient information on a smartphone or other mobile device."

Concerns about the cost and complexity of encryption are unfounded, Berger contends, because encryption has become more affordable and the process has been made easier.

"There have been arguments that encrypting backup media sent offsite is technically problematic," says privacy and security expert Kate Borten, founder of the consultancy The Marblehead Group. "While it's true that encryption can add overhead, this has become a weaker argument in recent years."

But Borten acknowledges that organizations must look beyond encryption when safeguarding patient information. "Encryption is not a silver bullet," she notes. "For example, if a user leaves a laptop open, the otherwise-encrypted hard drive is accessible. But for portable devices and non-paper media, there is no equivalent security measure."

Borten notes that the most common reason cited for a lack of device encryption is a lack of adequate support and resources for overall security initiatives. "While all an organization's laptops might be encrypted - the easy part - there are mobile devices running on multiple platforms and personally owned devices and media that are harder to control," she notes. "It takes management commitment as well as human and technical resources to identify all those devices and bring them under the control of IT."

Room for Improvement

The 2015 Healthcare Information Security Today survey of security and privacy leaders at 200 healthcare entities found that encryption is being applied by only 56 percent of organizations for mobile devices. The survey, conducted by Information Security Media Group in December 2014 and January 2015, found that when it comes to BYOD, about half of organizations require encryption of personally owned devices; nearly half prohibit the storage of PHI on these devices. Only 17 percent of organizations say they don't allow BYOD.

Complete results of the survey will be available soon, as well as a webinar that analyzes the findings.

"Personally owned devices are definitely the Achilles heel," Berger says. "Healthcare organizations have to address BYOD head-on. It is a complicated and thorny issue, but 'looking the other way' is not an acceptable approach. We recommend clear decisions regarding acceptable use, reflected in policy and backed up by enforcement," he says.

"We have also seen [breaches] happen when an organization makes the decision to encrypt but then has a long roll-out plan and the lost/stolen devices had yet to be encrypted," he adds.

Steps to Take

To help reduce the risk of breaches involving mobile computing devices, Berger says organizations should make sure they have a mobile device use policy that's "clear, comprehensive and well-understood. We suggest calling it out as a separate policy that must be signed by employees. Back up policy with ongoing security awareness training and strong enforcement."

In addition, OCR advises covered entities and business associates to make use of guidance it has released with its sister HHS agency, the Office of the National Coordinator for Health IT. OCR also offers free online training on mobile device security.


House Passes Cybersecurity Bill After Companies Fall Victim to Data Breaches


Responding to a series of computer security breaches in government and the private sector, the House passed an expansive measure Wednesday that would push companies to share access to their computer networks and records with federal investigators.

The bill, which came after years of false starts and bitter disappointment for the Obama administration, is similar to a measure approved by the Senate Intelligence Committee and headed for that chamber’s floor this spring. The House measure, already largely embraced by the White House, passed, 307 to 116.

Should the House and Senate come together on final legislation, it would be the federal government’s most aggressive response yet to a spate of computer attacks that helped sink a major motion picture release by Sony Pictures Entertainment, exposed the credit card numbers of tens of thousands of customers of Target stores and compromised the personal records of millions of people who did business with the health insurer Anthem.

“The gravity of the emergency we have in cyberspace is setting in with lawmakers,” said Paul Kurtz, who worked on the issue under the Clinton, Bush and Obama administrations, and is chief executive of TruStar, which aids companies in information sharing. “They now understand that companies can no longer fight the bad guys individually.”

The House bill would provide legal liability protections for companies that share cyberthreat information with each other or with the government. But negotiators also added what they see as critical privacy protections.

If a company shares information with the government, it would receive liability protection only if its data undergoes two rounds of washing out personal information — once by the company before it gives the data to the government and another round by the government agency that receives the data, which many experts believe is critical in getting companies to comply.

“Liability protection is something needed to help companies share,” said Sarah Beth Groshart, director of government affairs at the Information Technology Industry Council. “And only Congress can provide that.”

Policing the nation’s computer networks has been complicated over the last decade by concerns from Republicans, who objected to burdens placed on the private sector, and from members of both parties arguing for more stringent privacy protection.

The 2013 exposure of the government’s extensive surveillance programs into American lives through the leak of classified documents by Edward Snowden further muddied an agenda that many national security experts insisted was critical to preventing large scale cyberattacks on American infrastructure and businesses. Further, jurisdiction for cybersecurity snaked over an array of congressional committees, making unified legislation at times difficult.

Lawmakers have been grappling with cybersecurity legislation since 2012, when a bipartisan Senate effort twice failed over business concerns that the legislation was putting too onerous a burden on the private sector.

Leon E. Panetta, who was defense secretary at the time, and intelligence leaders implored lawmakers to shrug off the furious opposition of the U.S. Chamber of Commerce, but lawmakers were not persuaded.

A House effort in the last Congress mustered strong opposition from the White House, which was concerned about jeopardizing the privacy rights of consumers.

But since then, a series of cyberattacks has changed the political equation. The attack on Sony Pictures — Mr. Obama blamed North Korea for the attack — thwarted the wide release of a comedy portraying the assassination of North Korea’s leader, Kim Jong-un.

Early this year, Anthem reported a major breach that exposed the records of nearly 80 million people. Just last week, Target agreed to reimburse MasterCard $19 million for losses associated with the theft of 40 million credit and debit card numbers from its computer network in December 2013.

“We are under attack as I speak,” said Representative Dutch Ruppersberger, Democrat of Maryland. “To do nothing is not an option.”

Privacy advocates continued to express anger about the legislation Wednesday on the House floor, creating unlikely alliances between some conservatives and left-leaning members.

“We’ve seen before that the federal government has a poor track record of safeguarding our information when entrusted with it,” said Representative Jared Polis, Democrat of Colorado, on the House floor. “The last thing we should be doing” is empowering them with more information access, he said. His comments were echoed by Representative Darrell Issa, Republican of California. “Since 9/11 the government has begun to know more and more about what we are doing, where we are, where we sleep, who we love,” he said, while consumers “have known less and less.”

At the same time, some feel the bill does not go far enough on national security. “I do believe we will see a cybersecurity bill enacted and signed into law,” said Senator Susan Collins, Republican of Maine, who has worked on the issue for years. “But it won’t be as strong as it should be to protect critical infrastructure.”

However, security experts said that the government would benefit from the information sharing as well. “The net effect of this legislation will be positive on the national security side and the economic security side,” said Mr. Kurtz.

The White House issued a statement on Tuesday that commended the effort in the House but did raise concerns about the liability protections offered to private companies in the House bill, raising fears that they would be so sweeping that they might backfire and prevent companies from reporting cyberthreats.

Privacy changes in the bill won over Representative Adam Schiff, Democrat of California and ranking member on the House Intelligence committee, who opposed it last year, and both parties expect the president to come along as well.

The timing for passage of the Senate version of the bill may be impeded by time-consuming amendments. That chamber is already snarled over a bill that would give Congress more say in a nuclear deal with Iran and a major trade measure. The Highway Trust Fund is nearly broke and requires legislative action before the end of the month, and a national security program at issue also requires renewal.

Indeed, there is some concern among some Republicans that the bill could become a vehicle for a debate about broader national security and privacy matters. Senator Dianne Feinstein, Democrat of California, who is the ranking member on the Senate Intelligence Committee, said Wednesday she was confident that a bill would be passed and conferenced successfully with the House. “What matters is that we get it up,” she said.


ONC issues new privacy, security handbook


During the HIMSS15 annual conference in Chicago last week, the Office of the National Coordinator for Health IT announced the release of a new and improved guide for securing electronic health information that hospitals, providers and business associates can integrate into their practice.

How to comply with MU security requirements, questions you should ask your health IT vendors, and everything from cybersecurity and HIPAA to action plans and checklists are among the big highlights.

Many useful tips, permitted use cases, compliance requirements and HIPAA explanations have been added since the last update, four years ago.

The guide, as ONC Chief Privacy Officer Lucia Savage explained in a blog post, has been revised to include new "practical information" on topics such as cybersecurity, encryption, patient access and HIPAA privacy and security rules in action. The revised version also includes information on compliance with the EHR Incentive Programs' security requirements.

And for those looking for more guidance on what questions to ask your health IT vendors, look no further.

The handbook "also offers suggested questions providers may want to ask their health IT developers or EHR companies so they can be confident that the systems they buy and use will meet their privacy and security needs," Savage explained.

Top of this list are questions such as: "How does my backup and recovery system work? How often do I test this recovery system? How much remote access will the health IT developer have to my system?" and "How much of the health IT developer's training covers privacy and security awareness, requirements and functions?"

According to a new Verizon data breach report that analyzed the healthcare vertical, physical theft or loss accounted for the lion's share, some 26 percent, of security incidents by pattern. Another 20 percent of security incidents were due to insider privilege and insider misuse; "miscellaneous errors" accounted for 19 percent. Other patterns noted in the report for the healthcare vertical were upticks in DoS and Web app attacks, at 9 percent and 7 percent respectively.


Pentagon Data Breach Shows Growing Sophistication Of Phishing Attacks


U.S. officials confirmed this week that the Pentagon was hit by a spearphishing cyberattack last month, most likely from Russian hackers, which compromised an unclassified email system.

The attack compromised the information of around 4,000 military and civilian personnel who work for the Joint Chiefs of Staff, a U.S. official confirmed to NBC News. Officials said no classified information was taken, but didn't specify in the report how much or what kind of non-classified information was involved.

The attack occurred around July 25 and used what officials called a "sophisticated cyberattack." The suspected Russian hackers, which may or may not be connected with the Russian government, used automated social engineering tactics to gain information from employee social media accounts and then used that information to conduct a spearphishing attack, according to CNN, which first reported the attack.

The news of the breach comes on the heels of the massive Office of Personnel Management (OPM) breach that occurred earlier this year, compromising the personal information of more than 21.5 million federal employees and contractors. While this latest breach was significantly smaller in number of records compromised, it speaks to the growing sophistication of phishing attacks as an entry point from which to move laterally across the network, Unisys Vice President of Security Solutions Tom Patterson said.

"Phishing attacks like this one aimed at the Pentagon’s joint staff are not new. What makes them more effective is the amount of advance knowledge the attackers have in order to trick the recipient into clicking on the link," Patterson said. "With so much personal information now in the wild, attackers are able to create a ‘pattern of life’ on targets which makes phishing attacks such as this one aimed at the Pentagon’s joint staff much more effective."

Patterson said the sophistication in this attack was not the phishing itself, which is fairly common, but in the hacker's "clever exfiltration of data."

"The days of the typo-ridden silly emails are long gone. Today’s phishing attack looks as real as an authentic message, and are only going to get better," Patterson said.

While it is important for a business to focus on phishing prevention through user education, Patterson said it is becoming clear that enterprises need to put more emphasis on mitigation once the hacker enters the network, as the "standard pattern of attack" is to gain access through phishing, then escalate privileges and spread laterally. One way to do that, he said, is employing micro-segmentation of data, which divides the data center into smaller zones for easier security enforcement.

"Enterprises in both government and private sector have begun to shift their defenses inward, understanding that it only takes one of these types of phishing attacks to be successful," Patterson said. "With this new drive toward mitigation, enterprises can use micro-segmentation to survive and manage these inevitable types of attacks."


4 HIPAA compliance areas your BAs must check


It finally looks like the feds are starting up the next phase of HIPAA audits — but there’s still time to ensure your business associates (BAs) are staying compliant. 

In preparation for the next round of audits, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has begun sending out pre-audit surveys to randomly selected providers, according to healthcare attorneys from the law firm McDermott Will & Emery.

Originally, the surveys were meant to go out during the summer of 2014, but technical improvements and leadership transitions put the audits on hold until now.

Moving toward Phase 2

The OCR has sent surveys asking for organization and contact information from a pool of 550 to 800 covered entities. Based on the answers it receives, the agency will pick 350 for further auditing, including 250 healthcare providers.

The Phase 2 audits will primarily focus on covered entities’ and their BAs’ compliance with HIPAA Privacy, Security and Breach Notification standards regarding patients’ protected health information (PHI).

Since most of the audits will be conducted electronically, hospital leaders will have to ensure all submitted documents accurately reflect their compliance program since they’ll have minimal contact with the auditors.

4 vendor pitfalls

It’s not clear yet to what extent the OCR will evaluate BAs in the coming audits due to the prolonged delay. However, there are plenty of other good reasons hospital leaders need to pay attention to their vendors’ and partners’ approaches to HIPAA compliance and security.

That's mainly because a lot of BAs aren’t 100% sure what HIPAA compliance entails, and often jeopardize patients’ PHI, according to Chris Bowen, founder and chief privacy and security officer at a cloud storage firm, in a recent HealthcareITNews article.

A large number of data breaches begin with a third party, so it’s important hospital leaders keep their BAs accountable by ensuring they regularly address these four areas:

  • Risk assessments. As the article notes, research has shown about a third of IT vendors have failed to conduct regular risk analysis on their physical, administrative and technical safeguards. Ask your vendors to prove they have a risk analysis policy in place, and are routinely conducting these kinds of evaluations.
  • System activity monitoring. Many breaches go unnoticed for months, which is why it’s crucial your BAs have continuous logging, keep those logs protected and regularly monitor systems for strange activity.
  • Managing software patches. Even the feds can struggle with this one, as seen in a recent HHS audit on the branches within the department. Applying security patches as soon as they’re released is an important part of provider and BA security. Decisions about security patching should also be documented.
  • Staff training. Bowen recommends vendors include training for secure development practices and software development lifecycles, in addition to the typical General Security Awareness training that HIPAA requires.

China suspected in huge data breach : News


China responded Friday to allegations it was involved in a hacking attack on U.S. government computers by saying such claims are unproven and irresponsible, and that it wishes the United States would trust it more.

The administration of President Barack Obama has increasingly pressed China on the issue of cyberhacking, and on Thursday U.S. officials said China-based hackers are suspected of breaking into the computer networks of the U.S. government personnel office and stealing identifying information of at least 4 million federal workers. U.S. Sen. Susan Collins said the attack amounted to a foreign power seeking information on U.S. employees who have security clearances for access to sensitive information.

Beijing generally does not explicitly deny specific hacking accusations, but seeks to dismiss them as unproven and irresponsible, while invariably noting that China is itself the target of hacking attacks and calling for greater international cooperation in combating hacking.

Chinese Foreign Ministry spokesman Hong Lei said at a regular news briefing Friday that Beijing hopes the U.S. would be "less suspicious and stop making any unverified allegations, but show more trust and participate more in cooperation."

"We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source," Hong said. "It's irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation."

Cybersecurity analysts who study hacking attacks believed to originate in China have cited evidence suggesting they are state-sponsored rather than independent actions, including that they seem to be highly organized teams that focus on the same kinds of targets, sometimes for years, and tend to work regular hours excluding weekends.

The Virginia-based cybersecurity organization Mandiant concluded in a report in early 2013 that a massive hacking campaign on U.S. business could be traced to an office building in Shanghai run by the Chinese military.

China's military is believed to have made cyber warfare capabilities a priority more than a decade ago. One of the few public announcements of the capabilities came in a May 25, 2011, news conference by Defense Ministry spokesman Geng Yansheng, in which he spoke of developing China's "online" army.


Ponemon: Healthcare data breaches are costliest


Data breaches in healthcare are the most expensive to remediate and growing more so, according to a new report on data insecurity by the Ponemon Institute. The study covers 350 companies in 11 countries across 16 industries. 

Worldwide, the average cost of a healthcare breach is $363 per exposed personally identifiable record, the Traverse City, Mich.-based researcher concludes in its “2015 Cost of Data Breach Study: Global Analysis” sponsored by IBM. In the U.S. healthcare industry, the average cost was $398. 

In contrast, globally, the average cost of a data breach across all industries is $154. At $68, the loss of public sector records is the least costly, the report author said.

Retail's average cost is near the middle, at $165, but it's up dramatically from $105, a 57% increase, during the prior year's report. Per capita breach costs for all industries and countries increased by 12% during the same period. 

The study is based on survey data gathered in 2014 from the United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, United Arab Emirates and Saudi Arabia. Ponemon researchers steered clear of firms that experienced massive data breaches to try to come up with realistic estimates of breach costs. All participating organizations experienced a breach, however, ranging in size from 2,200 to slightly more than 101,000 records. 

The 5th annual breach study by Ponemon did not follow the same companies year over year, making it difficult to rely upon the study for trend data. Ponemon notes that breaches by hackers and what its authors called “criminal insiders” increased to 47% of all breaches reported in this year's study, up from 42% in the prior year's study report. Remediation costs for crime-linked breaches rose as well, to an average of $170 per record from $159.

Companies in the two Arab countries, counted as a cluster, had the highest proportion, 57%, of their breaches caused by malicious or criminal attacks. France followed at 55%. The U.S. ranked 5th at 49%. 

The U.S. nosed out Germany as the country with the highest average breach cost across all industries at $217 compared with $211 per record, respectively, the study showed. 

The Ponemon findings that healthcare data breaches carry the highest remediation costs come as no surprise to security expert Chris White, senior lead engineer of commercial data protection services at Booz Allen Hamilton. In Europe, for example, privacy laws are even more stringent than in the U.S.

“There is something inherent to the human condition that says health information is some of our most private information,” White said. “The other piece is the damage that could be done with personal information.” Black market prices for medical records can run 10 times those of personally identifiable information from hacks in other industries. “A lot of it has to do with the depth of information that can be gleaned from them” and used by criminals for identity and medical identity theft.

Given that healthcare trailed other industries in the adoption of information technology, but has boned up on tech in the past three to five years, “it's a logical leap for some of the attackers” to target health IT systems, White said.


Cost of data breach at all time high: $3.8 mn and climbing


Ponemon Institute released its annual Cost of Data Breach Study: Global Analysis, sponsored by IBM. According to the benchmark study of 350 companies spanning 11 countries, the average consolidated total cost of a data breach is $3.8 million representing a 23 percent increase since 2013.

The study also found that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased six percent from a consolidated average of $145 to $154. Healthcare emerged as the industry with the highest cost per stolen record with the average cost for organizations reaching as high as $363. Additionally, retailers have seen their average cost per stolen record jump dramatically from $105 last year to $165 in this year’s study.

“Based on our field research, we identified three major reasons why the cost keeps climbing,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “First, cyber attacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management.”

The following are key takeaways:

Board level involvement and the purchase of insurance can reduce the cost of a data breach. For the first time, we looked at the positive consequences that can result when boards of directors take a more active role when an organization had a data breach. Board involvement reduces the cost by $5.50 per record. Insurance protection reduces the cost by $4.40 per record.

Business continuity management plays an important role in reducing the cost of data breach. The research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $7.10 per compromised record.

The most costly breaches continue to occur in the U.S. and Germany at $217 and $211 per compromised record, respectively. India and Brazil still have the least expensive breaches at $56 and $78, respectively.

The cost of data breach varies by industry. The average global cost of data breach per lost or stolen record is $154. However, if a healthcare organization has a breach, the average cost could be as high as $363, and in education the average cost could be as high as $300. The lowest cost per lost or stolen record is in transportation ($121) and public sector ($68).

Hackers and criminal insiders cause the most data breaches. Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record and human error or negligence is $137 per record. The US and Germany spend the most to resolve a malicious or criminal attack ($230 and $224 per record, respectively).

Notification costs remain low, but costs associated with lost business steadily increase. Lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished good will. The average cost has increased from $1.23 million in 2013 to $1.57 million in 2015. Notification costs decreased from $190,000 to $170,000 since last year.

Time to identify and contain a data breach affects the cost. For the first time, our study shows the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify. As discussed earlier, malicious or criminal attacks are the most costly data breaches.

“The growing sophistication and collaboration of cybercriminals ties directly with the historic costs we’re seeing for data breaches,” said Marc van Zadelhoff, Vice President of Strategy, IBM Security. “The industry needs to organize at the same level as hackers to help defend themselves from these continuing attacks. The use of advanced analytics, sharing threat intelligence data and collaborating across the industry will help to even the playing field against attackers while helping mitigate the cost to commerce and society.”

Predicting the Likelihood of a Data Breach

For the second year, the research looks at the likelihood of a company having one or more data breaches in the next 24 months. Based on the experiences of companies participating in this research, the probability is based on two factors: how many records were lost or stolen and the company’s industry. According to the findings, Brazilian and French companies are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Canada are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.


Beacon Health Is Latest Hacker Victim


Yet another large hacker attack has been revealed in the healthcare sector. But unlike three recent cyber-attacks, which targeted health insurers, this latest breach, which affected nearly a quarter-million individuals, involved a healthcare provider organization.

South Bend, Ind.-based Beacon Health System recently began notifying 220,000 patients that their protected health information was exposed as a result of phishing attacks on some employees that started in November 2013, leading to hackers accessing "email boxes" that contained patient data.

The Beacon Health incident is a reminder that healthcare organizations should step up staff training about phishing threats as well as consider adopting multi-factor authentication, shifting to encrypted email and avoiding the use of email to share PHI.

"Email - or at least any confidential email - going outside the organization's local network should be encrypted. And increasingly, healthcare organizations are doing just that," says security and privacy expert Kate Borten.

Unfortunately, in cases where phishing attacks fool employees into giving up their email logon credentials, encryption is moot, she says. "Although encryption is an essential protection when PHI is sent over public networks, and stored somewhere other than within IT control, it is only one of many, many security controls. There's no silver bullet."

At the University of Vermont Medical Center, which has seen an uptick in phishing scams in recent months, the organization has taken a number of steps to bolster security, including implementing two-factor authentication "for anything facing the Web, because that can pretty much render phishing attacks that are designed to steal credentials useless," says CISO Heather Roszkowski.

The Latest Hacker Attack

On March 26, Beacon Health's forensic team discovered the unauthorized access to the employees' email accounts while investigating a cyber-attack. On May 1, the team determined that the affected email accounts contained PHI. The last unauthorized access to any employee email account was on Jan. 26, the health system says.

"While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes," Beacon Health says in a statement posted on its website. "The majority of accessible information related only to patient name, doctor's name, internal patient ID number, and patient status (either active or inactive). The accessible information, which was different for different individuals, included: Social Security number, date of birth, driver's license number, diagnosis, date of service, and treatment and other medical record information."

The provider organization says it has reported the incident to the U.S. Department of Health and Human Services, various state regulators, and the FBI.

Hospital Patients Affected

A Beacon Health spokeswoman tells Information Security Media Group that the majority of those affected by the breach were patients of Memorial Hospital of South Bend or Elkhart General Hospital, which combined have more than 1,000 beds. The two facilities merged in 2012 to form the health system. Individuals who became patients of Beacon Health after Jan. 26 were not affected by the breach, she says.

The breach investigation is being conducted by the organization's own forensics team, the spokeswoman says.

Affected individuals are being offered one year of identity and credit monitoring.

The news about similar hacker attacks earlier this year that targeted health insurers Anthem Inc. and Premera Blue Cross prompted Beacon's forensics investigation team to "closely review" the organization's systems after discovering it was the target of a cyber-attack, the Beacon spokeswoman says.

In the wake of the incident, the organization has been bolstering its security, including making employees better aware of "the sophisticated tactics that are used by attackers," she says. That includes instructing employees to change passwords and warning staff to be careful about the websites and email attachments they click on.

The Phishing Threat

Security experts say other healthcare entities are also vulnerable to phishing.

"The important takeaway is that criminals are using fake email messages - phishing - to trick recipients into clicking links taking them to fake websites where they are prompted to provide their computer account information," says Keith Fricke, principal consultant at consulting firm tw-Security. "Consequently, the fake website captures those credentials for intended unauthorized use. Or they are tricked into opening attachments of these fake emails and the attachment infects their computer with a virus that steals their login credentials."

As for having PHI in email, that's something that, while common, is not recommended, Fricke notes. "Generally speaking, most employees of healthcare organizations do not have PHI in email. In fact, many healthcare organizations do not provide an email account to all of their clinical staff; usually managers and directors of clinical departments have email," he says. "However, for those workers that have a company-issued email account, some may choose to send and receive PHI depending on business process and business need."

Recent Hacker Attacks

As of May 28, the Beacon Health incident was not yet posted on the HHS' Office for Civil Rights' "wall of shame" of health data breaches affecting 500 or more individuals.

OCR did not immediately respond to an ISMG request to comment on the recent string of hacker attacks in the healthcare sector.

Other recent hacker attacks, which targeted health insurers, include:

  • An attack on Anthem Inc., which affected 78.8 million individuals, and is the largest breach listed on OCR's tally.
  • A cyber-assault on Premera Blue Cross announced on March 17, that resulted in a breach affecting 11 million individuals.
  • An "unauthorized intrusion" on a CareFirst BlueCross BlueShield database disclosed on May 20. The Baltimore-based insurer says the attack dated back to June 2014, but wasn't discovered until April 2015. The incident resulted in a breach affecting 1.1 million individuals.

But the recent attack on Beacon Health is yet another important reminder to healthcare provider organizations that it's not just insurers that are targets. Last year, a hacking assault on healthcare provider Community Health System affected 4.5 million individuals.

Smaller hacker attacks have also been disclosed recently by other healthcare providers, including Partners HealthCare. And a number of other healthcare organizations in recent months have also reported breaches involving phishing attacks. That includes a breach affecting nearly 760 patients at St. Vincent Medical Group.

"Healthcare provider organizations are also big targets - [they have] more complex environments, and so have more vulnerabilities that the hackers can exploit," says security and privacy expert Rebecca Herold, CEO of The Privacy Professor. "Another contributing factor is insufficient funding for security within most healthcare organizations, resulting in insufficient safeguards for PHI in all locations where it can be stored and accessed."

Delayed Detection

A delay in detecting hacker attacks seems to be a common theme in the healthcare sector. Security experts say several factors contribute to the delayed detection.

"Attacks that compromise an organization's network and systems are harder to detect these days for a few reasons," says Fricke, the consultant. "Criminals wait longer periods of time before taking action once they successfully penetrate an organization's security defenses. In addition, the attack trend is to compromise the accounts of legitimate users rather than gaining unauthorized access to a system via a brute force attack."

When criminals access a system with an authorized account, it's more difficult to detect the intrusion, Fricke notes. "Network security devices and computer systems generate huge volumes of audit log events daily. Proactively searching for indicators of compromise in that volume of log information challenges all organizations today."
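As an added illustration (not code from the article or from any organization it names), the script below shows one way to hunt through sign-in logs for the pattern Fricke describes: a legitimate account suddenly being used from somewhere it has never been used before. The log format, account names and IP addresses are constructed for the example; a real deployment would read its own mail-server or identity-provider logs.

```python
"""Flag mailbox sign-ins that suggest phished credentials are in use.

Constructed example: the log format, account names and IP addresses are made up
for illustration. The two rules are a starting point for hunting, not a full detector.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed baseline: a prior period of successful sign-ins believed to be legitimate.
BASELINE_LOGS = """\
2015-01-05T08:55:10 user=jdoe src=192.0.2.15 result=success
2015-01-05T09:01:42 user=asmith src=198.51.100.9 result=success
2015-01-06T08:58:03 user=jdoe src=192.0.2.16 result=success
2015-01-06T12:30:21 user=asmith src=192.0.2.40 result=success
2015-01-07T08:50:00 user=bkim src=192.0.2.77 result=success
"""

# Constructed recent window to be checked against that baseline.
RECENT_LOGS = """\
2015-01-12T09:00:05 user=jdoe src=192.0.2.15 result=success
2015-01-12T09:40:51 user=jdoe src=203.0.113.7 result=success
2015-01-12T09:41:20 user=asmith src=198.51.100.9 result=success
2015-01-12T10:15:00 user=bkim src=203.0.113.9 result=failure
2015-01-12T23:05:33 user=bkim src=203.0.113.9 result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, value = kv.split("=", 1)
            event[key] = value
        ip_address(event["src"])  # raises ValueError if the address is not valid
        return event
    except (ValueError, KeyError):
        return None


def parse_logs(text):
    """Parse every line, silently dropping ones that do not fit the format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def network_of(addr):
    """Coarsen an address to its /24 so ordinary DHCP churn inside one office is not flagged."""
    return str(ip_network(f"{addr}/24", strict=False))


def build_baseline(text):
    """Map each account to the set of /24 networks it signed in from successfully."""
    known = defaultdict(set)
    for e in parse_logs(text):
        if e.get("result") == "success":
            known[e["user"]].add(network_of(e["src"]))
    return known


def find_indicators(baseline, text, window=timedelta(hours=1)):
    """Return (user, indicator, detail) tuples for successful sign-ins that look anomalous.

    new_network:         success from a /24 never seen for this account in the baseline
    concurrent_networks: two successes from different /24s within `window` of each other
    Only successes are examined: phished credentials work on the first try, so failed
    attempts are not the signal here.
    """
    findings = []
    last_seen = {}  # user -> (timestamp, network) of that user's most recent success
    for e in parse_logs(text):
        if e.get("result") != "success":
            continue
        user, net, ts = e["user"], network_of(e["src"]), e["ts"]
        if net not in baseline.get(user, set()):
            findings.append((user, "new_network", net))
        prev = last_seen.get(user)
        if prev and prev[1] != net and ts - prev[0] <= window:
            findings.append((user, "concurrent_networks", f"{prev[1]} then {net}"))
        last_seen[user] = (ts, net)
    return findings


if __name__ == "__main__":
    for user, kind, detail in find_indicators(build_baseline(BASELINE_LOGS), RECENT_LOGS):
        print(f"{user}: {kind} ({detail})")
```

On the constructed input this reports jdoe twice (a new network, and two networks within forty minutes) and bkim once (a new network), while asmith's sign-in from a known network is left alone.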

As organizations step up their security efforts in the wake of other healthcare breaches, it's likely more incidents will be discovered and revealed, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

"The challenge that many healthcare entities face is that oftentimes, the better they do at information security, the more likely it is they find potential problems. Implementing new information security tools sometimes can detect problems that may be years old," he says. "But the alternative - keeping your head in the sand - can lead to far worse results for patients and the organization."

However, as more of these delayed-detection incidents are discovered, "regulators and plaintiffs may question why any particular security issue was not identified and corrected earlier," he warns.

Accordingly, organizations should consider if there were reasonable issues that led to any delays in identifying or correcting any security lapses and maintain any related documentation supporting the cause of any delays, he suggests.

"Hindsight is 20-20, and it is always easy for regulators to question why more wasn't done sooner, and it could be challenging for the organization if it is asked to justify why it spent resources on other projects," Greene says.


What Data Breaches Now Cost And Why


The actual cost of a data breach is all about industry sector and location, location, location. Healthcare and education sectors incur the highest breach costs of all industries, and Germany and the US cost victim organizations more than anywhere else in the world. Such incidents in Brazil and India cost the least, according to the new Ponemon Group 2015 Cost of a Data Breach Study: Global Analysis.

Meanwhile, the average total cost of a data breach worldwide jumped a whopping 23% in 2014 -- to $3.8 million, and the average cost of a stolen record containing sensitive information increased from $145 to $154, an increase of more than 6%. Ponemon attributes those higher numbers in part to the volume of attacks, loss of business or customers, and the amount victim organizations are spending on incident response.

Ponemon also found that the cost of a data breach actually drops when a company's board of directors plays a more prominent role in the wake of a breach or when a company purchases breach insurance. An involved board of directors knocks down the per capita cost of a breach by $5.50, and insurance, by $4.40.

An incident response team cuts the per capita cost by $12.60, while wide use of encryption decreases the cost by $12; training employees, by $8; and business continuity management, $7.10.

"That was a pleasant surprise," says Caleb Barlow, vice president for IBM Security, which commissioned the Ponemon study. "This is as much of a game about being proactive as having good defenses."

On the flip side, the per capita cost of a breach goes up when a third-party organization is part of the breach equation (think Target's HVAC supplier) -- by some $16. Several other factors also contribute to higher cost of a breach, including lost or stolen devices ($9); a "rush" to notification of a breach ($8.90); and hiring consultants to assist in the response process ($4.50).

Canada and Germany are the least likely countries for companies to suffer breaches, while Brazil and France are the most targeted nations of breaches with at least 10,000 data records stolen, according to data gathered for the report from 350 companies around the world.

"Germany is always an outlier in efficiency, strong governance, and certifying … standards," says Larry Ponemon, chairman and founder of The Ponemon Institute. "They are also more likely to invest in encryption," for example, he says.

Canada's compliance orientation and strong data privacy protection is likely a factor in its fewer breaches, he says.

Industry-wise, a stolen healthcare record costs an organization some $363 per record and a stolen education sector record up to $300 per record. For retail, it's $165 per record, up from $105 in 2014, mainly due to the rash of breaches in that industry. Transportation ($121) and the public sector ($68) incur the lowest cost per stolen record.

Barlow says the dramatic difference in the cost of healthcare records versus those of other industries reflects the long shelf life of the data in those records, such as Social Security numbers and other personal information. "The long-term implications are significant," Barlow says. "It could be a problem 15 years down the road," for example, he says.

"This really underscores how you need to separate identity and access: SSNs are about identity and shouldn't be used for access. The problem is they're being used for both," Barlow says.

In the US, the cost per stolen record is $217 and in Germany, $211. The total cost of a data breach is an average of $6.5 million in the US and $4.9 million in Germany. Brazil and India were on the other end of the spectrum, with the average cost per record at $78 in Brazil and $56 in India. The average cost of a breach to an organization in Brazil was $1.8 million and in India, $1.5 million.

Why the much lower numbers in Brazil and India? "A lot of the costs are indirectly or directly related to labor costs: in India and Brazil, there are lower costs for labor, such as assembling a forensic team" as well as associated economic factors, says Larry Ponemon.

Meanwhile, the report says there are three main drivers for the continued rise in the cost of a breach: the number of attacks continue to increase, with the associated costs to clean up; the financial fallout of lost customers is adding to the breach cost; and victim organizations are spending more on forensic investigations, assessments, and incident response team management.

Cybercrime and malicious insider attacks are the most costly, the report found, at a price of $170 per stolen record versus $142 for system glitches and $137 for human error. It takes an average of 256 days to spot a data breach caused by a malicious attack, and 158 days to catch one caused by human error, the report found. "We kind of already know that about 80% of all attacks come from organized crime," IBM's Barlow says. "They're probably better-funded than your own IT security team."


Cyberattackers swipe data of 1.1M at CareFirst


It took a health insurance company almost a year to notify some 1.1 million of its members that their personal data had been swiped by hackers. What's more, the cyberattack wasn't even detected in-house.

The Baltimore, Md.-based CareFirst BlueCross BlueShield health plan announced the cyberattack May 20, despite the attack occurring back in June 2014.

According to a company news release, the cyberattack compromised the names, dates of birth, email addresses, member ID numbers and user names of 1.1 million members.

The cyberattack went undetected by the health plan itself. Rather, as CareFirst Chief Executive Officer Chet Burrell described in a statement, outside cybersecurity firm Mandiant "was the firm that actually discovered the attack."

Only after the health plan brought in Mandiant to conduct end-to-end IT security testing in the wake of the Anthem and Premera attacks did CareFirst discover that attackers had gained access to a single database that stores members' online services data.

CareFirst officials described the breach as a "sophisticated cyberattack," but some security officials question that general wording, which was also used to describe the Anthem breach, which compromised the data of as many as 80 million.

As Kevin Johnson, founder of security consulting firm Secure Ideas, told Healthcare IT News this February following the Anthem breach: from his experience working with insurance companies on their security, together with his seven years working at Blue Cross in Florida, "sophisticated" is an inaccurate word choice when used to describe a cyberattack at an insurance company.

"I have never found an insurance company that required a sophisticated attacking incident," he said. "Period."

"They have tons of systems. They have tons of tests," he said. "It's a huge conglomeration of stuff."

As Ken Westin, security analyst at Tripwire, sees the CareFirst breach: "In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It's no surprise that several organizations have been targeted and compromised."

Attackers look for system vulnerabilities, Westin continued, "vulnerabilities that are endemic within an industry through common tools, frameworks, data storage/sharing methods or business processes."


Kareo Announces Apple Watch App To Improve Medical Practice Efficiency


Kareo, the leading provider of cloud-based medical office software for independent medical practices, today announced the launch of its Apple Watch App. Kareo’s most recent innovation extends the functionality of the company’s EHR to Apple Watch, streamlining care delivery and enhancing the patient experience by improving communications, reducing patient wait times, and increasing practice efficiency.

Kareo is launching this new Apple Watch App in response to the growing demands on physicians to increase their focus on all aspects of patient engagement. “Physicians are on their feet attending to the needs of patients for the majority of the day, leaving little time to check their schedules and prepare for the next appointment,” said Dr. Tom Giannulli, CMIO of Kareo. “Recognizing this demanding care delivery environment, Kareo’s Apple Watch App will help doctors better manage their schedule while enabling enhanced communication throughout the day, improving their ability to deliver a great patient experience.”

Kareo’s Apple Watch App provides the most relevant, practice-oriented information necessary to improve care and increase practice efficiency. Key functionalities of the App include:

  • Secure messaging that allows the user to send, reply, and read messages via dictation. Messages can be sent to staff or patients using Kareo’s secure messaging system, improving overall patient engagement and practice communication.
  • An agenda that allows the provider to quickly reference their schedule and see the status of appointments checked-in, no show, late, checked out, etc., helping reduce wait times and improve practice efficiency.
  • Appointment reminders that can be sent five minutes before the next scheduled appointment. The notification subtly vibrates the watch, indicating that the doctor has an impending appointment.
  • Appointment information that is accessible within a notification or through the agenda, allowing the provider to review details such as the patient’s name, time of appointment, visit type, and reason for the visit.
  • “I’m Running Late” pre-set messages that allow the doctor to inform other staff members when they are running behind and how much longer they expect to be. This improves practice communication and enables the front desk to give patients a more accurate wait time estimate.
  • Apple “Glances” that provide a quick overview of key practice metrics, including how many patients are scheduled throughout the day, how many patients are waiting to be seen, and which patients are currently waiting in an exam room.

All features of Kareo’s Apple Watch App are HIPAA compliant and secure, ensuring all data are private, yet easily accessible.

“Independent physicians need new tools to grow strong, patient-centered practices, and Kareo’s Apple Watch App is another example of Kareo’s focus on helping physicians leverage innovative technology to drive their success,” said Dan Rodrigues, founder and CEO of Kareo. “With key practice and patient information accessible on their wrists, physicians are able to discreetly and efficiently provide updates to staff while staying focused on what matters most – the patient.”


Are wearables violating HIPAA?


With the development of wearable technologies such as the Nike Fuel Band, Fitbit, and Apple Watch, consumers suddenly have more options to monitor their fitness performance than ever before. These devices are also making inroads into medicine as physicians begin to experiment with using Google Glass to connect ER doctors to specialists in order to reduce patients’ wait times.

Whether it’s for the weight room or the emergency room, manufacturers and software developers are collaborating to draw health further into the digital realm.

And the way these devices capture data poses serious privacy and security issues to individually-identifiable health information that must be addressed.

Real world privacy concerns

The central challenge devices such as Google Glass and Jawbone UP pose stems from the fact that they employ cloud-based data storage. By purchasing these products, customers agree to a company’s Terms of Service, and in some cases, these terms can be fairly permissive in what they allow companies to do with that data.

According to Google Glass’s current Terms of Sale, for instance, the product falls under the company’s general Terms of Service. Although these grant the user intellectual property rights over data they store on Google servers, the company can still reproduce, modify, publicly display, distribute, and generally use this data to promote and enhance existing products and create new ones. Thus, although users may not be relinquishing ownership of their IP rights, it is clear that they are giving up a substantial degree of control over their data.

Google’s shift to a unified privacy policy in March 2012 further bolstered its ability to improve services through the collection and analysis of customer data. This new policy enabled the company to consolidate data on individual users from across its product portfolio and create unique user profiles, giving Google a fuller picture of individuals’ preferences and activities.

All personal health data is not created equal

Not all personal data is equal in the eyes of the law. That is the central issue when applying these practices to health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits the analysis and sharing of individually-identifiable health information when directly related to patient care, but is otherwise more restrictive. The law permits health information to be used in assessments of physician and hospital performance, but allows patients to request that their data not be shared with third parties. HIPAA also requires consent before a healthcare provider uses health information for advertising purposes.

In a medical context that means: mining individually-identifiable health information could constitute a breach of patient privacy if the analysis falls outside of the scope of HIPAA. It is not clear whether using patient data to improve products, as opposed to health outcomes, is allowed under this law. And an even more concerning scenario could take shape if health information were combined with other personal, non-medical data for the purposes of user profiling.

HIPAA and wearables: What’s next?

If wearable device manufacturers want to store health information in the cloud, they must bring their Terms of Service and privacy policies in line with HIPAA privacy and security requirements.

The vendors making wearables should take several steps to achieve this goal.

  • Analyzing health data: Where privacy is concerned, companies must only analyze health data within the confines of what is permissible under HIPAA. If companies want to mine customer data for other purposes, they should keep health information separate from non-medical data.
  • Sharing health data: Companies would also need to grant patients and consumers greater transparency into how their data is being used as well as who has access to it. HIPAA would also require obtaining a patient’s consent before using their health information in any part of the advertising process.
  • Securing health data: When it comes to HIPAA-mandated security controls, companies should also protect health information with baseline access control and encryption measures, in addition to maintaining an “audit trail” of who has edited a patient’s information and when.

These measures would make the manufacturers of wearable health tech more accountable to the patients and consumers that their products serve; it follows that any consumers, doctors and healthcare organizations using wearables in any capacity should seek out vendors willing to adhere to those tenets moving forward.


How responsible are employees for data breaches and how do you stop them?


Data breaches have very quickly climbed the information security agenda and that includes the data breach threat posed by employees and IT professionals.

Now a new report says the insider problem is far worse than we had previously imagined. The Verizon Data Breach Investigations Report claims that 14% of breaches are due to insiders, and that is not counting the further 12% of breaches that come from IT itself.

Examining the motives of employees with malicious intent, the Verizon report identified two main reasons insiders choose to cause so much trouble:

  1. They are looking for financial gain, perhaps via selling confidential data; or
  2. It’s an act of revenge by disgruntled workers or angry ex-employees who still have network privileges.

On the other hand, CompTIA, an association representing the interests of IT resellers and managed service providers, has a far different point of view. It says more than half of all breaches – some 52% – are due to human error or malice, and the rest arise from technology mistakes. Research from the SANS Institute reaches the same conclusion – employee negligence is a huge source of data breaches. Social engineering is one such element, so this once again shows the importance of training employees in basic IT security.

According to CompTIA, technical solutions are not enough. IT vigilance is always necessary as too many organisations don’t even know there is an insider threat. Resigning yourself to the fact that the human error factor is a problem with no solution is neglectful, especially when it accounts for such a high percentage of breaches. Ultimately, employees are the strongest security layer. Of course, it is just as important to make sure all updates and patches are installed, firewalls are turned on and anti-malware is up to date.

Organisations also need to consider adding tools that can spot and stop data leakage amongst other breaches. Email security too is a top measure to take as many breaches and leaks come through or from the employee’s inbox.

What precautions can you take?

But what should an organisation do when users, whose roles require access to sensitive data, misuse that access? What precautions can they take to reduce both the risk of this happening, and the damage that can result from insider activity?

There is no single answer to these questions, and there is no silver bullet that can solve the problem. A layered approach that includes policy, procedure and technical solutions is the right approach to take. GFI Software has identified 10 precautions in particular that organisations should consider.

1. Background checks

Background checks should be carried out on every employee joining the organisation, even more so if those employees will have access to privileged data. While not foolproof (Edward Snowden had security clearance) they can help to identify potential employees who may have a criminal record or had financial problems in the past. They may also uncover some details of their employment history that bear closer inspection and further checks.

2. Acceptable Use

Acceptable Use Policies (AUP) do more than simply define what users should and should not do on the Internet. They also define what is acceptable and unacceptable when using customer and business proprietary data. While an AUP will not stop those with clear intent, it warns employees that there are consequences if they are caught, including disciplinary action and possibly dismissal.

3. Least Privilege

The principle of least privilege states that users should only be granted the minimum amount of access necessary to complete their jobs. This should include both administrative privileges and access to data. By limiting access, the amount of damage an insider can cause is limited.

4. Review of Privileges

Users’ access to systems and data should be reviewed regularly to ensure that such access is appropriate and is also still required. As users change roles and responsibilities, any access they no longer need should be revoked.
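As an added illustration of items 3 and 4 (this is example code, not from the article or from GFI Software), the following Python script reviews a constructed snapshot of user entitlements against a per-role baseline: grants outside the baseline are least-privilege violations to revoke, and grants unused for 90 days, or never used, are sent back to the manager to confirm they are still required. The role names, users, grant names, dates and the 90-day threshold are all assumptions.

```python
"""Access review against role baselines (added example; all data constructed)."""
from datetime import date, timedelta

# Constructed role baseline: the minimum entitlements each role needs.
ROLE_BASELINE = {
    "tb_clinic_nurse": {"ehr:read", "ehr:write", "lab:read"},
    "billing_clerk": {"ehr:read", "billing:read", "billing:write"},
    "sysadmin": {"server:admin", "backup:admin"},
}

# Constructed snapshot of current grants with the date each was last exercised.
# None means the grant has never been used since it was issued.
USER_ACCESS = [
    {"user": "alice", "role": "tb_clinic_nurse", "grants": {
        "ehr:read": date(2015, 8, 10), "ehr:write": date(2015, 8, 11),
        "lab:read": date(2015, 8, 9)}},
    {"user": "bob", "role": "billing_clerk", "grants": {
        "ehr:read": date(2015, 8, 12), "billing:read": date(2015, 8, 12),
        "billing:write": date(2015, 8, 12),
        "ehr:write": date(2015, 2, 3)}},   # left over from a previous nursing role
    {"user": "carol", "role": "sysadmin", "grants": {
        "server:admin": date(2015, 8, 12), "backup:admin": None,
        "billing:write": None}},          # granted by mistake, never used
]

TODAY = date(2015, 8, 13)  # fixed "today" so the review is reproducible


def review_access(users, baseline, today, stale_after_days=90):
    """Return per-user findings: grants outside the role baseline (excess)
    and grants not used within stale_after_days (stale)."""
    cutoff = today - timedelta(days=stale_after_days)
    findings = {}
    for entry in users:
        needed = baseline.get(entry["role"], set())
        excess = sorted(g for g in entry["grants"] if g not in needed)
        stale = sorted(g for g, last_used in entry["grants"].items()
                       if last_used is None or last_used < cutoff)
        if excess or stale:
            findings[entry["user"]] = {"excess": excess, "stale": stale}
    return findings


def recommended_actions(findings):
    """Excess grants are revoked outright; stale grants that are inside the
    baseline go to the manager, since the role may still need them."""
    actions = []
    for user, f in sorted(findings.items()):
        for grant in f["excess"]:
            actions.append((user, grant, "revoke"))
        for grant in f["stale"]:
            if grant not in f["excess"]:
                actions.append((user, grant, "confirm with manager"))
    return actions


if __name__ == "__main__":
    for user, grant, action in recommended_actions(
            review_access(USER_ACCESS, ROLE_BASELINE, TODAY)):
        print(f"{user:6} {grant:14} {action}")
```

Running the script lists bob's leftover `ehr:write` and carol's stray `billing:write` for revocation, and queues carol's never-used `backup:admin` for confirmation; alice, whose grants match her role and are all in recent use, produces no finding. The last-used date is what turns a static entitlement list into the "still required?" question the article raises.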

5. Separation of Duties

When possible, administrative duties should be divided up so that at least two users are required for key access or administrative functions. When two users must be involved, any malicious or inappropriate access requires collusion, reducing the likelihood of inappropriate actions and increasing the likelihood of detection.

6. Job Rotation

Many insider threats develop over time and may go undetected for months or years. Often boredom is a cause. One way to counter both problems, and at the same time improve the skills and value of key employees, is to rotate users through different roles. Job rotation also increases the likelihood that inappropriate activities will be detected, as the new role holder must by definition examine what the previous role holder was doing.

7. Mandatory Time Away

All users need a holiday, a break and time away to recharge. This is not only good for users, it’s good for the organisation. Just like job rotation, when a privileged user is on leave, another person must cover their duties and has the opportunity to review what has been done.

8. Auditing and Log Review

Auditing is imperative. All actions and access must be audited, both for successes and failures. You will want to investigate failures as they may indicate attempts to access data, but you will also want to review successes and ensure that they are in support of appropriate actions, rather than inappropriate ones. While log review only detects things “after the fact”, it can detect repetitive or chronic actions early, and hopefully before too much damage is done.
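The three reviews this item calls for, failures that may indicate probing, successes that need a legitimacy check, and repetitive activity caught early, can be run over an access log with a short script. The Python below is an added example, not code from the article or from GFI Software; it works on a constructed audit log in a simple `key=value` format (the line format, user names, record ids, business hours and thresholds are all assumptions), and it counts malformed lines rather than silently dropping them, since a gap in the audit trail is itself a finding.

```python
"""Audit log review for insider activity (added example; log lines constructed)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit records, not output from any real EHR or SIEM.
AUDIT_LOG = """\
2015-08-12T08:02:11 user=alice action=read record=P-1001 result=success
2015-08-12T08:03:27 user=alice action=update record=P-1001 result=success
2015-08-12T08:05:40 user=bob action=read record=P-2010 result=failure
2015-08-12T08:05:52 user=bob action=read record=P-2011 result=failure
2015-08-12T08:06:03 user=bob action=read record=P-2012 result=failure
2015-08-12T08:06:15 user=bob action=read record=P-2013 result=failure
2015-08-12T09:10:00 user=bob action=read record=P-3000 result=success
2015-08-12T09:10:30 corrupt entry with missing fields
2015-08-12T23:41:09 user=carol action=read record=P-4001 result=success
2015-08-12T23:41:20 user=carol action=read record=P-4002 result=success
2015-08-12T23:41:31 user=carol action=read record=P-4003 result=success
2015-08-12T23:41:42 user=carol action=read record=P-4004 result=success
2015-08-12T23:41:55 user=carol action=read record=P-4005 result=success
2015-08-12T23:42:07 user=carol action=read record=P-4006 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) result=(?P<result>success|failure)$")


def parse_audit_log(text):
    """Parse well-formed lines into dicts; return (events, malformed_count)."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    return events, malformed


def repeated_failures(events, threshold=3):
    """Users with at least `threshold` failed accesses: repeated denials may
    be someone testing the edges of their entitlements."""
    counts = Counter(e["user"] for e in events if e["result"] == "failure")
    return {user: n for user, n in counts.items() if n >= threshold}


def bulk_reads(events, window_minutes=10, threshold=5):
    """Users who successfully read at least `threshold` distinct records within
    any `window_minutes` window; returns the largest such count per user."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["action"] == "read":
            per_user[e["user"]].append((e["ts"], e["record"]))
    flagged = {}
    for user, reads in per_user.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            in_window = {rec for ts, rec in reads[i:]
                         if (ts - start).total_seconds() <= window_minutes * 60}
            if len(in_window) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(in_window))
    return flagged


def off_hours_success(events, start_hour=7, end_hour=19):
    """Successful accesses outside business hours. These are not violations by
    themselves; they are the successes a reviewer should confirm were legitimate."""
    return [e for e in events if e["result"] == "success"
            and not (start_hour <= e["ts"].hour < end_hour)]


if __name__ == "__main__":
    events, malformed = parse_audit_log(AUDIT_LOG)
    print(f"{len(events)} events parsed, {malformed} malformed line(s)")
    print("repeated failures:", repeated_failures(events))
    print("bulk reads:", bulk_reads(events))
    print("off-hours successes:", [(e["user"], e["record"]) for e in off_hours_success(events)])
```

On the sample data bob's four denials in under a minute surface as repeated failures, and carol's six successful reads of different records late at night surface twice, once as a bulk read and once as off-hours activity. Neither result proves wrongdoing; the value is that the review surfaces them on the first day rather than months later.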

9. Data Loss Protection

Data Loss Protection (DLP) technologies cannot prevent a determined attacker from taking data, but they can prevent many of the accidental data leakages that can occur.

10. Endpoint Protection

Endpoint protection technologies can greatly reduce the risk of data loss and also detect inappropriate activities by privileged users. Endpoint protection can help you secure BYOD devices, and search files for key data like account numbers. The technology also helps to enforce policies that restrict users from transferring data to unapproved USB devices and encrypt those devices that are approved.
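Items 9 and 10 both rest on the same mechanism: inspecting content for identifiers such as account numbers before it leaves a managed endpoint, and applying a policy to the result. The Python below is an added example of that content check, not a vendor's product or code from the article. It looks for SSN-shaped and payment-card-shaped values, uses the SSA's structural rules and a Luhn check to cut false positives, masks whatever it finds so the finding itself does not leak the value, and then applies the article's USB policy: sensitive content goes only to approved, encrypted devices. The sample text, the SSN and card formats handled, and the policy function are all assumptions.

```python
"""Content inspection for an endpoint/DLP policy check (added example; sample text constructed)."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

# Constructed document; the identifiers are format test values, not real data.
SAMPLE_TEXT = """\
Patient export for printing (constructed sample, not real PHI):
Jane Doe  SSN 123-45-6789  MRN 000-12-3456  phone 260-555-0100
Card on file 4111 1111 1111 1111; test value 1234 5678 9012 3456
Order ref 987-65-4320
"""


def plausible_ssn(area, group, serial):
    """SSA structural rules: area is not 000, 666 or 900-999; group is not 00; serial is not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, subtracting 9 when it exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so a finding can be reported without re-exposing the value."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text):
    """Return (kind, masked_value) for each identifier that passes its validity check."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", mask(digits)))
    return findings


def transfer_decision(text, device_approved):
    """Policy from the article: content with sensitive identifiers may be copied
    only to approved (encrypted) removable devices."""
    findings = scan_text(text)
    if findings and not device_approved:
        return "block", findings
    return "allow", findings


if __name__ == "__main__":
    for approved in (False, True):
        decision, found = transfer_decision(SAMPLE_TEXT, device_approved=approved)
        print(f"approved={approved}: {decision} {found}")
```

On the sample, the MRN `000-12-3456` and the order reference `987-65-4320` look like SSNs but fail the structural rules, and `1234 5678 9012 3456` fails Luhn, so only the genuine SSN-shaped value and the Luhn-valid card number are reported; the copy is blocked to an unapproved device and allowed to an approved one. Pattern matching alone would have produced three more alerts on this one document, which is why the validity checks matter for a control users have to live with every day.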

Insider threats can be prevented if a detailed and layered strategy is adopted. Every organisation needs HR, legal and IT to work together to cast a protective net that will proactively identify threats or at least minimise the impact of insider threat. No organisation is safe but we can all lower the risk by acknowledging that the problem exists and taking a range of simple precautions.


Misplaced USB drive leads to county health department breach


The Denton County (Texas) Health Department began notifying tuberculosis (TB) clinic patients of a breach that occurred in February when a health department employee left a USB drive containing PHI at a printing store, according to a press release.

The USB drive contained the names, dates of birth, addresses, and test results of 874 patients seen at a TB clinic associated with the county health department. The employee left the USB drive unattended at the printing store for approximately one hour, according to the press release.

The department launched an internal investigation after the employee voluntarily reported the potential breach. The press release states that the department does not believe the records were accessed during the time the USB drive was left unattended. However, it is notifying affected patients by mail and recommending that they obtain a credit report and monitor financial statements.
