Since stricter regulations were imposed in 2009, the healthcare industry’s track record on patient data protection and security has made very little improvement according to the latest study from Health Information Trust Alliance (HITRUST)¹.  The study reports that from 2009 to the first half of 2012, there have been 495 medical data breaches involving 21 million records costing roughly $4 billion.  Government organizations including VA hospitals accounted for the highest number of lost records and the states with the most health care data breaches are California, Texas and New York.  Since 2009 the total number of data breaches at hospitals and health systems decreased only slightly but increased at smaller private physician practices, which accounted for more than 60% of the 459 breaches reviewed in the study.

 The report also found that the majority of breaches (70 percent) were electronic and the leading cause data breach incidents were due to stolen devices such as laptops and mobile media.  However, paper records still play a role in data breaches, totaling 24 percent of medical data breaches, second only to lost laptops.  Mailing errors and improper disposal of records were the main reasons for paper-based breaches. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act states that healthcare organizations have 60 days in which to notify victims about a data breach but over 50 percent of companies failed to meet this deadline after a breach.

And it may get worse before it gets better if the medial industry does not find a way to protect themselves from BYOD (bring your own device) policies.  BYOD has become commonplace at smaller physician offices where medical personnel commonly look up patient information on their own smartphones without sufficient encryption or passwords in place which could pose a problem in the event that the device is lost.  In addition, due to the smaller sizes of this group, they lack the resources and awareness to properly arm themselves with the proper data breach protection in all areas of their practice.  This could expose a larger problem for the entire healthcare industry since community health records and health information is often shared between medical institutions of all sizes. 

¹ HITRUST is a non-profit coalition of healthcare, business, technology and information security leaders, established to insure information security is a core value in the broad adoption of health information systems and exchanges.

December is not only the shop ‘til you drop season, it’s also National Identity Theft Prevention and Awareness month, reminding retailers and businesses that they need to not only protect themselves from a data breach but also make their employees aware of identity fraud scammers who target seasonal help.  According to the Federal Trade Commission, identity theft is the number one type of consumer fraud in the U.S., resulting in about 9 million people annually having their identity stolen.  In 2011, eight percent of reported identity theft incidents were employment-related.  Thieves usually exploit their victims by impersonating them after stealing their Social Security number and credit card information or worse, selling valuable Social Security numbers on the black market.

Companies need to protect themselves from an identity theft “double whammy” in which cyber thieves attack hiring employers and job applicants at the same time through online job scams.  Fraudsters will first pose as a representative of a legitimate business and list fake job listings, sometimes even going so far as to create bogus websites in order to steal personal information of potential employees.  Cyber thieves take advantage of the fact that many times, job seekers are desperate for work and will give out personal information willingly in exchange for potential employment.

Here are some tips for employers to minimize data breaches when hiring:

1)       Avoid using Social Security numbers to identify applicants.

2)       Collect only essential personal information needed for the job application.

3)       Shred unnecessary documents on non-hired applicants and former employees, including temps and contract workers.

4)       For existing employees, do not keep medical records, EEO data, immigration forms and background check information in personnel files.

5)       Have a data breach response and notification plan in place. Act quickly if a data breach occurs.

Data security experts warn that simply having data protection and security policies are not enough.  The policies need to be taken seriously by everyone at the company and the regulations need to be firmly enforced.  In addition, the repercussions and cost of a data breach need to be explained to employees on every level since companies can be held liable for negligence in handling personal data and fined by the FTC and other government agencies.  All departments, including human resources and accounting should be well-trained in protection from identity theft procedures and data security information policies.  Employees who have access to personnel data should be carefully screened and pass a security clearance.  Businesses should also periodically review their data storage processes and determine whether or not to keep the information and how to keep it protected.

As medical data breaches continue to spike, the federal government is seeking remedies to try and prevent medical identity theft.  

Nearly 21 million Americans are at risk of having their medical identities stolen after having their healthcare records exposed in data breaches.¹ And that’s just since September 2009, when a new breach notification rule took effect and the U.S. Department of Health and Human Services (HHS) began enforcing the rule and tracking healthcare breaches.  

As the problem continues to worsen – theft of medical data increased by 50% last year² – the federal government is looking for ways to both stem the tide of breaches and help consumers whose medical records have been exposed.    

The Centers for Medicare and Medicaid Services (CMS) – which provides coverage to 100 million people – can play an important role in this effort. As the single largest healthcare payer in the nation, CMS can help consumers by responding to breaches a little quicker and by providing more information in its notifications, according to the HHS Office of the Inspector General (OIG).

But the OIG’s recommendations can apply to all healthcare organizations that want to help their patients, clients or employees whose personal information has been exposed due to a data breach. 

OIG officials believe if organizations send out breach notifications on-time and provide enough information, then potential victims can take steps to protect themselves. They can be more diligent about checking their credit reports, financial statements and medical records. They can also subscribe to credit and identity monitoring services, if these services aren’t already provided to them by their organizations.

If everyone does their part, perhaps the healthcare industry will eventually see the tide turn on data breaches and medical identity theft.

¹ U.S. Department of Health and Human Services Office for Civil Rights.

² Identity Theft Resource Center

To cloud or not to cloud? That is the question. And while there’s no questioning the convenience and benefits of cloud storage – you can access your data from multiple devices and save space on your own servers – there are questions regarding how secure cloud storage really is.

Given recent hacking incidents at bigger-than-big companies and popular cloud services, here are a few things you need to consider when using a cloud provider:

Look for robust authentication: If a cloud provider offers a one-step login, i.e. password-only security, that’s a red flag. If there’s just a single password standing between your sensitive data and hackers, how long until that password gets cracked? Or it could be accidentally or maliciously shared with the wrong person or written down on a piece of paper that’s later lost. The bottom line is, you need more than a password. Look for and use a cloud provider that has a robust login and authentication process. Yes, it takes longer every time you log in. But it also helps to keep hackers out. Be sure to change your passwords and other authentication data regularly. And remember that not everyone in your organization needs to know how to access the cloud.

Take your time: It’s good to be cautious when you’re talking data storage, especially when it’s an outsourced service. So take your time choosing a cloud provider. Ask questions about what security measures are in place and how they are maintained. A dependable cloud provider should be able to answer all of your questions quickly. That likely means they know their service well and have anticipated your concerns. If you’re getting the runaround or don’t feel confident with the answers you’re receiving, look elsewhere. There’s not just one cloud in the sky.

Sign on the dotted line: You’ve thoroughly vetted a cloud provider’s security and authentication measures and have determined you’ll actually have a higher level of security using the cloud than with internal, on-site storage. You’ve asked about risk management, documented policies, incident preparedness, encryption levels, employee training and all of your other concerns. You’ve conducted a thorough audit and you’re happy with what you’ve found. Then and only then enter into a service agreement with a cloud provider.

Just remember that any type of cyber security is never foolproof and new threats constantly emerge in the cyber world. So keep up with what’s going on at your cloud provider and keep access to the cloud restricted only to individuals in your organization who really need it. If one of those individuals leaves your organization, change all of your cloud passwords and authentication data at once.

The fewer people who have access to your sensitive data – both inside and outside your organization – the more secure it is.

You see stories about data breaches all the time. Earlier this month, in fact, a small medical facility was fined $1.5 million following a data breach that resulted from a stolen, unencrypted laptop. News like that makes security, legal and compliance professionals shudder. But could the medical facility have avoided that fine? Absolutely. What about after a data breach? What happens during the recovery and remediation process? Do you know what you should do and shouldn’t do to avoid fines and litigation?    

Join us for an interactive discussion on key data breach mistakes and how to overcome them on October 11 at the IAPP Privacy Academy in San Jose. Also, stop by the Experian booth to meet our team, network with your peers, and enter for a chance to win an Apple® MacBook Air.

I will be participating on the data breach panel to discuss the best ways to respond to a breach to avoid potential fines and legal action. The panel will also discuss how to protect your customers or patients to maintain their loyalty and how to recover losses through insurance. You’ll leave with:

• Key lessons from significant breaches and  issues arising from their investigations, including consequences and challenges
• Best practices for handling some of the most unusual situations
• Tips for handling notification and communication effectively

For more information about the IAPP Privacy Academy click here.

Experian Data Breach Resolution surveyed a sample of clients to find out who they are and what they think of our services.

The U.S. tops Germany, the U.K. and France when it comes to data breach notification costs. In other words, it costs American companies more to notify people of a data breach when their personal information is lost or stolen.

The Ponemon Institute, which recently conducted a global data breach study, found that it cost U.S. companies an average of $561,500 to notify victims per breach, compared to $303,600 for German companies and $223,100 for companies in the U.K. Even more interesting, is that in some countries – like India and Australia – companies only spend an average of $31,000 (India) and $80,000 (Australia) to notify customers of a data breach. (All figures are U.S. dollars)

So why do American companies spend so much more on data breach notification?

The answer is mainly due to numerous laws and regulations. Currently, 46 states have breach notification laws and several federal agencies, such as the Department of Health and Human Services, require organizations to notify potential victims when their unsecured protected health information is breached.

In contrast, countries without breach notification laws – like India and Australia – spend much less because they don’t have to notify all of their data breach victims. Countries like Germany and the U.K. have strict notification requirements, although not as tough as the U.S.

American companies and organizations may not be able to do much about notification costs, which are expected to continue to rise. But there are other measures that can be taken to lower the cost of a breach. For example:

• Negotiating a pre-breach agreement with a data breach resolution provider to lock in a good rate ahead of time.
• A chief information security officer (CISO) who is responsible for enterprise data protection can reduce the cost of a breach by as much as $80 per record, according to the Ponemon Institute.
• Increased loyalty by treating potential victims fairly and providing them with credit and/or identity protection can prevent the loss of customers and potentially save millions.

Swimmers may be stealing the spotlight, but it’s scammers who are taking home the gold–in the form of stolen credit card numbers, PINs, consumers’ personal identities.

One familiar con trotted out this year (and every Olympics) is ticket fraud, including what Britons call ‘ticket touting’ (scalping) and its more sinister cousin, counterfeiting. Paying for tickets that are never delivered is another way unwary buyers are tricked into giving up personal and/or credit card information.

Beware the cyber threats

Acknowledging the widespread use of smartphones, tablets and similar devices to retrieve Games-related content, the UK’s national fraud reporting center, Action Fraud, cautions fans to browse wisely, warning that worms, viruses and other malware can penetrate mobile devices just as easily as PCs.

Top malware delivery threats listed on Action Fraud’s blog site include:

• Search Engine Poisoning – The most prevalent form of malware delivery (40% of all malware infections), in which attackers link what appear to be legitimate search result “bait” pages to malware infected sites.
• Drive-by-Downloads – Technique that automatically downloads malware when devices interact with an infected website, email, pop-up ad or other apparently authentic Olympic content.
• Information Phishing – Disguised links from Facebook and Twitter abound this year. When clicked, infected links, in the shortened bit.ly/ format, for example, can instantly extract, disable or destroy a device’s content or operating system.

Staying off the scammers’ scorecards

A fraudster’s goal is to rip you off in record time and disappear into the shadows with their
ill-gotten gains.  To avoid being victimized during the Olympics (or anytime) follow these common-sense rules for browsing and buying:

• Never click a link from someone you don’t know.
• Avoid giving personal or credit card information to anyone whose identity and organization you can’t positively confirm.
• For Olympics news or memorabilia, frequent only sites known to be credible and trustworthy, such as London2012.com.

Such simple precautions can make for a winning Olympics experience, and help send the fakes, frauds and phonies home empty handed.

Have you or a friend encountered scammers during the Olympics? Take a minute to briefly share your story.

Can you imagine losing backup disks containing information for 300,000 patients? Or having computer back-up tapes stolen? What if someone hacked into your network servers or lost important laptops? These aren’t hypothetical scenarios. They’re real data breach cases that have occurred in recent years. Can this happen to you? You bet. The key is being prepared for the inevitable.

I would like to invite you to participate in an informative webinar on this important issue. I will be joined by Dr. Larry Ponemon, a data protection “think tank” pioneer and Chairman of the Ponemon Institute, and Karen Murray, Vice President, Chief Compliance Officer of Steward Health Care System in a discussion focusing on the latest data breach trends, how to prepare for a data breach and the best ways to respond to a breach.

The 90-minute webinar, delivered in conjunction with the Health Care Compliance Association (HCCA), will be held at noon CST on July 25, 2012 and participants may be eligible for CEUs.

In addition, the webinar will feature:

• The latest research about consumer notification from the Ponemon Institute
• A look at healthcare data breach statistics
• Best practices for data breach preparation from a compliance officer’s perspective.
• Examples of what works – and doesn’t work – when responding to a data breach
• How and why data breaches happen
• How to budget the resources for a  potential breach
• What do regulators expect from an organization that experienced a breach?
• A question and answer period for participants

Come learn the best ways to try and prevent a data breach and the most effective methods to respond to one. Learn to minimize your costs and help protect your reputation.