Since stricter regulations were imposed in 2009, the healthcare industry’s track record on patient data protection and security has made very little improvement according to the latest study from Health Information Trust Alliance (HITRUST)¹.  The study reports that from 2009 to the first half of 2012, there have been 495 medical data breaches involving 21 million records costing roughly $4 billion.  Government organizations including VA hospitals accounted for the highest number of lost records and the states with the most health care data breaches are California, Texas and New York.  Since 2009 the total number of data breaches at hospitals and health systems decreased only slightly but increased at smaller private physician practices, which accounted for more than 60% of the 459 breaches reviewed in the study.

 The report also found that the majority of breaches (70 percent) were electronic and the leading cause data breach incidents were due to stolen devices such as laptops and mobile media.  However, paper records still play a role in data breaches, totaling 24 percent of medical data breaches, second only to lost laptops.  Mailing errors and improper disposal of records were the main reasons for paper-based breaches. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act states that healthcare organizations have 60 days in which to notify victims about a data breach but over 50 percent of companies failed to meet this deadline after a breach.

And it may get worse before it gets better if the medial industry does not find a way to protect themselves from BYOD (bring your own device) policies.  BYOD has become commonplace at smaller physician offices where medical personnel commonly look up patient information on their own smartphones without sufficient encryption or passwords in place which could pose a problem in the event that the device is lost.  In addition, due to the smaller sizes of this group, they lack the resources and awareness to properly arm themselves with the proper data breach protection in all areas of their practice.  This could exposea larger problem for the entire healthcare industry since community health records and health information is often shared between medical institutions of all sizes. 

¹ HITRUST is a non-profit coalition of healthcare, business, technology and information security leaders, established to insure information security is a core value in the broad adoption of health information systems and exchanges.

Human errors are the most common threats to exposing a person’s personal information to data breaches according to an analysis of reported data breaches by Rapid7, a security intelligence company. Rapid7 compiled the data breach information for the report based on the number of reported public information data breaches from January 2009 to May 2012 in the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group.

The data breach statistics from the report totaled 268 incidents affecting 94 million people.  The biggest factor responsible for the largest number of breaches of data was unintended disclosure due to negligence and clerical errors. 78 incidents led to exposing almost 12 million records of private information.  The next highest number was 51 incidents due to the loss of a portable data storage device which resulted in breaching almost 82 million personal records.  Hacking was low on the list, adding up to 40 incidents exposing about 1 million records.   

What can be done about this alarming problem?

Security experts advise implementing nationally mandated data breach protection protocols and developing effective breach response programs in conjunction with cyber security training for employees who handle sensitive public data.  Employing technology such as encryption is another method to counter human error since it is inexpensive, simple to administer and highly effective in protecting data.  Using management software that can track and monitor which devices are being used, monitor downloaded data and has the ability to remotely wipe the memories of lost or stolen devices is another data protection tool.

Some experts even go so far as to suggest that all these initiatives need to be backed by a law that punishes workers who fail to follow these protocols with either firing them from their jobs or jail time, depending on the severity of the data breach.  The bottom line is that protecting the public’s most private information is serious business and those who are entrusted with such sensitive information need to recognize that they have a responsibility to protect the public’s privacy.  And in turn, it’s a responsibility that we, the people must ensure that they take seriously.

According to EMC’s November 2012 fraud report, online holiday shopping is projected to account for 24% of the year’s total  e-commerce sales which is good news for retailers and unfortunately, it can also be good news for online con artists.  If 2012 is anything like 2011, retailers will need to increase their data protection and security measures in order to avoid illegal online activity.  Of the 1.4 billion dollars spent in online sales during 2011’s holiday shopping season (November 1 to December 31), $82 million of those dollars were identified as fraudulent, resulting in a 219% increase from 2010.  Cyber Monday alone accounted for $2.5 million of online fraud.

Most web-based fraud activity is due to stolen credit cards and since identity theft is at an all time high, online merchants of all sizes need to implement fraud protection procedures and be proactive in watching for signs of unscrupulous activity.  Early detection is the key to stopping con artists who like to prey on new, inexperienced online businesses.  However, if they discover a merchant has implemented active data security procedures, fraudsters generally won’t waste their time and will most likely move on to their next victim.  The best way for businesses to protect themselves from fraud is to be diligent in watching out for signs of suspicious activity.  These include bulk orders for items that are not usually bought in bulk, orders for multiple high end items, international orders and several orders placed by the same person within a short time.  Con artists try to make as many purchases as possible before a fraud alert is sent to the real owner so they tend to order as much merchandise as they can.

Although it’s impossible to erase online credit card fraud, here are several strategies to reduce it:

1. Use an Address Verification Service (AVS) to make sure the billing address entered online matches the cardholder’s billing information. Institute a policy that merchandise will not ship unless the addresses match.
2. Always ask for the Card Verification Number (CVN) on all credit card orders. The number must be read from the actual card so more than likely the person has the card in his possession. Although it’s not a guarantee that he is its rightful owner, this step provides a small measure of protection.
3. Send a confirmation email or letter to customers when you send an item telling them their order has shipped and when they can expect it to appear on their bill. This can help flag any illegal activity and enable the customer to report credit fraud to the proper authorities before the perpetrator has a chance to do any further credit damage. It will also help businesses to reduce complaints and chargebacks from people who sometimes simply forget they placed an order.

Retailers should keep in mind that once an order has been sent, it is very difficult to regain any loss so prevention is the number one way to combat online fraud.

Now that your data breach response plan is in place and you’re confident that your company is safeguarded from malicious  data breach attempts, what can possibly be still the biggest threat to your data breach protection plan?  Answer: the plan itself. All the planning and preparation in the world won’t protect your business from a data breach if the response plan fails to work.  The business world is ever changing so it’s necessary to ensure that your response plan stays current and functional.

That is why it’s imperative that you regularly audit, test and update your plan on preferably, a quarterly basis.

Here are 7 checklist items to keep in mind when auditing your response plan:

1) Update your data breach response team contact list – Employees come and go therefore it’s important that the contact information for the members of your internal and external breach response team is current.  Make sure department heads are noted and once updated, re-distribute the list to the appropriate people.

2) Verify that your data breach response plan is comprehensive – Revise the plan to include any major company changes, such as new departments or adjustments in data management policies.  Check in with each response team member to ensure their department understands its role and what they need to do during a data breach.  Set up a mock breach of data scenario so that your response team can practice trial runs. Practice a full scale rehearsal annually so the plan is fully vetted and any adjustments can be made before an event occurs.

3) Double check your vendor contracts – Check that your contracts with your forensics firm, data breach resolution provider and other vendors are current and easily accessible.  Review your vendors and contracts and make sure they both still match your data protection and security needs.

4) Review notification guidelines – Verify that the data breach notification section of your response plan reflects the latest state legislation and that your notification letter templates address any new laws.  Ensureyour contact list of attorneys, government agencies and media is updated so you can easily notify them after a breach.  For medical data breaches, healthcare providers need to verify that Department of Health & Human Services contacts are updated and their response team understands data breach information reporting procedures.

5) Check up on third parties that have access to your data – Evaluate how third parties are managing your data and if they are following your data protection rules.  Educate them on any new legislation that may affect you during a data breach.  Stress to third parties the importance of reporting a data breach to you immediately and what is expected in the resolution process. Healthcare companies need to meet HIPAA requirements and should check that business associate agreements (BAAs) are established.

6) Evaluate IT Security – Ensure proper data access controls are in place. Check that automated software and operating system updates for the entire company are installed properly. Verify that any automated security monitoring and reporting system is up to date and working.  Store backup copies of data securely.

7) Review staff security awareness – Verify that your staff is up to date on company policy regarding data security procedures, including what digital and paper documents to keep and how to securely discard what is not needed.  Train staffto identify signs of cyber security threats in their daily work life and know the proper course of action in reporting a breach.  Check that employees are keeping their work related laptops, mobile and digital devices secure at all times and remind them to change passwords every three months.

December is not only the shop ‘til you drop season, it’s also National Identity Theft Prevention and Awareness month, reminding retailers and businesses that they need to not only protect themselves from a data breach but also make their employees aware of identity fraud scammers who target seasonal help.  According to the Federal Trade Commission, identity theft is the number one type of consumer fraud in the U.S., resulting in about 9 million people annually having their identity stolen.  In 2011, eight percent of reported identity theft incidents were employment-related.  Thieves usually exploit their victims by impersonating them after stealing their Social Security number and credit card information or worse, selling valuable Social Security numbers on the black market.

Companies need to protect themselves from an identity theft “double whammy” in which cyber thieves attack hiring employers and job applicants at the same time through online job scams.  Fraudsters will first pose as a representative of a legitimate business and list fake job listings, sometimes even going so far as to create bogus websites in order to steal personal information of potential employees.  Cyber thieves take advantage of the fact that many times, job seekers are desperate for work and will give out personal information willingly in exchange for potential employment.

Here are some tips for employers to minimize data breaches when hiring:

1)       Avoid using Social Security numbers to identify applicants.

2)       Collect only essential personal information needed for the job application.

3)       Shred unnecessary documents on non-hired applicants and former employees, including temps and contract workers.

4)       For existing employees, do not keep medical records, EEO data, immigration forms and background check information in personnel files.

5)       Have a data breach response and notification plan in place. Act quickly if a data breach occurs.

Data security experts warn that simply having data protection and security policies are not enough.  The policies need to be taken seriously by everyone at the company and the regulations need to be firmly enforced.  In addition, the repercussions and cost of a data breach need to be explained to employees on every level since companies can be held liable for negligence in handling personal data and fined by the FTC and other government agencies.  All departments, including human resources and accounting should be well-trained in protection from identity theft procedures and data security information policies.  Employees who have access to personnel data should be carefully screened and pass a security clearance.  Businesses should also periodically review their data storage processes and determine whether or not to keep the information and how to keep it protected.

We’re all familiar with well-known causes of data security breaches and identity fraud; phishing, malware attacks, and lack of cyber security protection are some of the most popular.  A lesser-known but just as lethal culprit in the world of data breaches is surprisingly, a person’s typing skills due to the fact that a simple typo can lead to typo-squatting also known as URL hijacking.

Typo-squatters count on accidental misspellings and typing errors of web addresses in a web browser’s address bar to get people to their page which can often be unscrupulous hacker sites designed to extract a person’s private information.  Typo-squatters buy up domains that are similar to popular domain addresses to lie in wait for web surfers to make typing mistakes which is now even more widespread with the popularity of touch screen devices.  For example, instead of typing dot-com, you mistakenly type dot-org and are transferred to an authentication or login page that asks you to input your account information and password before proceeding.  These pages are actually typo-squatted pages that were created to not only steal your information but they can also make you vulnerable to a computer virus or identity theft.  The most dangerous scenario is when a person uses the same user name and password for every website since a hacker then can access financial information such as banking and credit cards accounts using the stolen log-in information.  

Typo-squatters can also cause a business data breach by creating doppelganger domains for large companies that use subdomains for their various worldwide offices.  Business emails are intercepted when a user mistypes a recipient’s e-mail address.  Using a doppelganger domain, a hacker configures an email server to intercept any correspondence addressed to a person with that name.  Extra large companies with many subdomains are at the biggest risk since they have more employees with more email addresses which means more chances for typos.

A key way to practice data breach protection in preventing typo-squatting is to use a search engine to find a website instead of directly typing in the web address especially if you are searching for a financial institution.  All the big search engines will have companies’ legitimate web addresses as well as data protection and security software to scan for malware and prevent hacking.  Common sense is also another powerful tool to prevent a breach of data; if a site doesn’t look right, it probably isn’t so exit quickly and try again through a search engine.

As we approach another season of shopping and consumerism, the retail industry should pay strict attention to the findings in the latest Verizon’s Data Breach Investigations Report (DBIR), an annual data breach information study conducted by the Verizon RISK Team (VERIS) with participation from the U.S. Secret Service and international national cyber security agencies in Australia, Holland, Ireland, and Britain. The study analyzed forensic evidence to examine how data breaches occurred in organizations, who caused the breaches, why they did it, how the victims responded, and how the breaches could have been prevented. 

 The 2012 DBIR focused on the retail industry which for the past two years has ranked only second behind hotel and food services as the business most plagued with data breaches.  The main reason for the high rankings of these two trades is that they use point of sale (POS) systems to conduct daily business activities, making them prime targets for criminals that exploit POS systems with weak security.  Point of sale generally refers to when money is transacted in exchange for goods or services. Retailers are especially easy targets for cyber criminals who can hijack credit card information from long distances and these kinds of attacks are low risk for the criminals who often disappear long before a data security breach is discovered.  In addition, fraudsters prefer to target small to medium businesses such as franchise owners that lack the resources and/or expertise to manage their own cyber security. 

 VERIS defines threat agents as the cause of data breach incidents and categorizes them as either external (originating outside the victim organization), internal (originating inside the victim organization) and partner (any third parties who share a business relationship with the victim.)  The report found that external threat agents were the most prolific with the majority of attacks originating fromEastern Europe, a hot bed of organized cyber crime.  Internal threats made up a smaller percentage of incidents and often involved criminals coercing retail staff to help them by either using a remote skimming device or swapping legitimate PIN entry devices and POS terminals with identical, counterfeit replacements that are rigged to capture payment card data. 

 Even though these cyber thieves can be insidious, especially during a busy holiday season, retailers can protect themselves by following a few simple data breach protection practices:

1)      Change passwords consistently on all POS systems since hackers constantly scan the web for passwords that are easy to guess.

2)      Implement a firewall on remote access/administration services.  

3)      Do not use POS systems to access the internet.

4)      Make sure your POS system is compliant with the Payment Card Industry Data Security Standard (PCI DSS) an information security standard for businesses that handles credit card information.

As medical data breaches continue to spike, the federal government is seeking remedies to try and prevent medical identity theft.  

Nearly 21 million Americans are at risk of having their medical identities stolen after having their healthcare records exposed in data breaches.¹ And that’s just since September 2009, when a new breach notification rule took effect and the U.S. Department of Health and Human Services (HHS) began enforcing the rule and tracking healthcare breaches.  

As the problem continues to worsen – theft of medical data increased by 50% last year² – the federal government is looking for ways to both stem the tide of breaches and help consumers whose medical records have been exposed.    

The Centers for Medicare and Medicaid Services (CMS) – which provides coverage to 100 million people – can play an important role in this effort. As the single largest healthcare payer in the nation, CMS can help consumers by responding to breaches a little quicker and by providing more information in its notifications, according to the HHS Office of the Inspector General (OIG).

But the OIG’s recommendations can apply to all healthcare organizations that want to help their patients, clients or employees whose personal information has been exposed due to a data breach. 

OIG officials believe if organizations send out breach notifications on-time and provide enough information, then potential victims can take steps to protect themselves. They can be more diligent about checking their credit reports, financial statements and medical records. They can also subscribe to credit and identity monitoring services, if these services aren’t already provided to them by their organizations.

If everyone does their part, perhaps the healthcare industry will eventually see the tide turn on data breaches and medical identity theft.

¹ U.S. Department of Health and Human Services Office for Civil Rights.

² Identity Theft Resource Center

As Superstorm Sandy demonstrated to the East Coast during the last week of National Cyber Security Awareness Month; life happens so do you know where your data is?

Data breach protection is of such national critical importance, the effects of Sandy prompted Homeland Security chief Janet Napolitano to emphasize the need for more national cyber security protection at an event in Washington.  During her speech, Napolitano spoke about how Sandy’s devastation left many financial institutions vulnerable to business data breaches due to lack of electricity and other utilities.  She also highlighted the exorbitant costs of a data breach which total billions of dollars annually and are generally paid for by consumers and companies.  From Washington to Wall Street, Superstorm Sandy was a forceful reminder the best thing businesses can do to mitigate natural disasters is to have a data protection and security plan in place to not only protect their business data but to ensure that their disaster recovery time is brief, enabling their business to return to functioning as quickly as possible.

In developing an IT disaster recovery plan, companies need to first address the potential threats to hardware and data caused by natural disasters. Earthquakes can destroy physical infrastructures and floods can prevent offices from being accessed for days until the water subsides, creating a need for long term business data breach protection.  And hurricanes such as Sandy create both problems, potentially destroying hardware and software.  Therefore, the most effective way a business can protect itself from a breach of data in the event of a natural disaster is to implement a strategy that combines data protection solutions with a disaster recovery plan.

Since IT systems are comprised of hardware, software, data and connectivity, without one component, business recovery will be halted.  An IT recovery plan needs to address how to deal with the loss of each of these parts.  First, every recovery strategy needs to create an inventory list of hardware, software applications and data.  Then there must be a plan as to how to replicate and reimage hardware if the hardware is destroyed.  Next, copies of software programs need to be accessible for re-installation with multiple copies kept in more than one place.  The final piece of a data recovery plan is to reclaim the actual data so it is crucial that all business data is constantly backed up and protected using data protection solutions that are reliable and accessible.  Companies then should periodically test their recovery plan to make sure that it works.

Recovering from a disaster is not all about technology; a company’s disaster recovery strategy needs resources such as people, processes and a plan.  However, if a company is well prepared and their recovery plan is well-executed, their disaster recovery time will be less and hopefully, less painful.