Since stricter regulations were imposed in 2009, the healthcare industry’s track record on patient data protection and security has made very little improvement according to the latest study from Health Information Trust Alliance (HITRUST)¹.  The study reports that from 2009 to the first half of 2012, there have been 495 medical data breaches involving 21 million records costing roughly $4 billion.  Government organizations including VA hospitals accounted for the highest number of lost records and the states with the most health care data breaches are California, Texas and New York.  Since 2009 the total number of data breaches at hospitals and health systems decreased only slightly but increased at smaller private physician practices, which accounted for more than 60% of the 459 breaches reviewed in the study.

 The report also found that the majority of breaches (70 percent) were electronic and the leading cause data breach incidents were due to stolen devices such as laptops and mobile media.  However, paper records still play a role in data breaches, totaling 24 percent of medical data breaches, second only to lost laptops.  Mailing errors and improper disposal of records were the main reasons for paper-based breaches. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act states that healthcare organizations have 60 days in which to notify victims about a data breach but over 50 percent of companies failed to meet this deadline after a breach.

And it may get worse before it gets better if the medial industry does not find a way to protect themselves from BYOD (bring your own device) policies.  BYOD has become commonplace at smaller physician offices where medical personnel commonly look up patient information on their own smartphones without sufficient encryption or passwords in place which could pose a problem in the event that the device is lost.  In addition, due to the smaller sizes of this group, they lack the resources and awareness to properly arm themselves with the proper data breach protection in all areas of their practice.  This could expose a larger problem for the entire healthcare industry since community health records and health information is often shared between medical institutions of all sizes. 

¹ HITRUST is a non-profit coalition of healthcare, business, technology and information security leaders, established to insure information security is a core value in the broad adoption of health information systems and exchanges.

According to EMC’s November 2012 fraud report, online holiday shopping is projected to account for 24% of the year’s total  e-commerce sales which is good news for retailers and unfortunately, it can also be good news for online con artists.  If 2012 is anything like 2011, retailers will need to increase their data protection and security measures in order to avoid illegal online activity.  Of the 1.4 billion dollars spent in online sales during 2011’s holiday shopping season (November 1 to December 31), $82 million of those dollars were identified as fraudulent, resulting in a 219% increase from 2010.  Cyber Monday alone accounted for $2.5 million of online fraud.

Most web-based fraud activity is due to stolen credit cards and since identity theft is at an all time high, online merchants of all sizes need to implement fraud protection procedures and be proactive in watching for signs of unscrupulous activity.  Early detection is the key to stopping con artists who like to prey on new, inexperienced online businesses.  However, if they discover a merchant has implemented active data security procedures, fraudsters generally won’t waste their time and will most likely move on to their next victim.  The best way for businesses to protect themselves from fraud is to be diligent in watching out for signs of suspicious activity.  These include bulk orders for items that are not usually bought in bulk, orders for multiple high end items, international orders and several orders placed by the same person within a short time.  Con artists try to make as many purchases as possible before a fraud alert is sent to the real owner so they tend to order as much merchandise as they can.

Although it’s impossible to erase online credit card fraud, here are several strategies to reduce it:

1. Use an Address Verification Service (AVS) to make sure the billing address entered online matches the cardholder’s billing information. Institute a policy that merchandise will not ship unless the addresses match.
2. Always ask for the Card Verification Number (CVN) on all credit card orders. The number must be read from the actual card so more than likely the person has the card in his possession. Although it’s not a guarantee that he is its rightful owner, this step provides a small measure of protection.
3. Send a confirmation email or letter to customers when you send an item telling them their order has shipped and when they can expect it to appear on their bill. This can help flag any illegal activity and enable the customer to report credit fraud to the proper authorities before the perpetrator has a chance to do any further credit damage. It will also help businesses to reduce complaints and chargebacks from people who sometimes simply forget they placed an order.

Retailers should keep in mind that once an order has been sent, it is very difficult to regain any loss so prevention is the number one way to combat online fraud.

Now that your data breach response plan is in place and you’re confident that your company is safeguarded from malicious  data breach attempts, what can possibly be still the biggest threat to your data breach protection plan?  Answer: the plan itself. All the planning and preparation in the world won’t protect your business from a data breach if the response plan fails to work.  The business world is ever changing so it’s necessary to ensure that your response plan stays current and functional.

That is why it’s imperative that you regularly audit, test and update your plan on preferably, a quarterly basis.

Here are 7 checklist items to keep in mind when auditing your response plan:

1) Update your data breach response team contact list – Employees come and go therefore it’s important that the contact information for the members of your internal and external breach response team is current.  Make sure department heads are noted and once updated, re-distribute the list to the appropriate people.

2) Verify that your data breach response plan is comprehensive – Revise the plan to include any major company changes, such as new departments or adjustments in data management policies.  Check in with each response team member to ensure their department understands its role and what they need to do during a data breach.  Set up a mock breach of data scenario so that your response team can practice trial runs. Practice a full scale rehearsal annually so the plan is fully vetted and any adjustments can be made before an event occurs.

3) Double check your vendor contracts – Check that your contracts with your forensics firm, data breach resolution provider and other vendors are current and easily accessible.  Review your vendors and contracts and make sure they both still match your data protection and security needs.

4) Review notification guidelines – Verify that the data breach notification section of your response plan reflects the latest state legislation and that your notification letter templates address any new laws.  Ensureyour contact list of attorneys, government agencies and media is updated so you can easily notify them after a breach.  For medical data breaches, healthcare providers need to verify that Department of Health & Human Services contacts are updated and their response team understands data breach information reporting procedures.

5) Check up on third parties that have access to your data – Evaluate how third parties are managing your data and if they are following your data protection rules.  Educate them on any new legislation that may affect you during a data breach.  Stress to third parties the importance of reporting a data breach to you immediately and what is expected in the resolution process. Healthcare companies need to meet HIPAA requirements and should check that business associate agreements (BAAs) are established.

6) Evaluate IT Security – Ensure proper data access controls are in place. Check that automated software and operating system updates for the entire company are installed properly. Verify that any automated security monitoring and reporting system is up to date and working.  Store backup copies of data securely.

7) Review staff security awareness – Verify that your staff is up to date on company policy regarding data security procedures, including what digital and paper documents to keep and how to securely discard what is not needed.  Train staffto identify signs of cyber security threats in their daily work life and know the proper course of action in reporting a breach.  Check that employees are keeping their work related laptops, mobile and digital devices secure at all times and remind them to change passwords every three months.

As Superstorm Sandy demonstrated to the East Coast during the last week of National Cyber Security Awareness Month; life happens so do you know where your data is?

Data breach protection is of such national critical importance, the effects of Sandy prompted Homeland Security chief Janet Napolitano to emphasize the need for more national cyber security protection at an event in Washington.  During her speech, Napolitano spoke about how Sandy’s devastation left many financial institutions vulnerable to business data breaches due to lack of electricity and other utilities.  She also highlighted the exorbitant costs of a data breach which total billions of dollars annually and are generally paid for by consumers and companies.  From Washington to Wall Street, Superstorm Sandy was a forceful reminder the best thing businesses can do to mitigate natural disasters is to have a data protection and security plan in place to not only protect their business data but to ensure that their disaster recovery time is brief, enabling their business to return to functioning as quickly as possible.

In developing an IT disaster recovery plan, companies need to first address the potential threats to hardware and data caused by natural disasters. Earthquakes can destroy physical infrastructures and floods can prevent offices from being accessed for days until the water subsides, creating a need for long term business data breach protection.  And hurricanes such as Sandy create both problems, potentially destroying hardware and software.  Therefore, the most effective way a business can protect itself from a breach of data in the event of a natural disaster is to implement a strategy that combines data protection solutions with a disaster recovery plan.

Since IT systems are comprised of hardware, software, data and connectivity, without one component, business recovery will be halted.  An IT recovery plan needs to address how to deal with the loss of each of these parts.  First, every recovery strategy needs to create an inventory list of hardware, software applications and data.  Then there must be a plan as to how to replicate and reimage hardware if the hardware is destroyed.  Next, copies of software programs need to be accessible for re-installation with multiple copies kept in more than one place.  The final piece of a data recovery plan is to reclaim the actual data so it is crucial that all business data is constantly backed up and protected using data protection solutions that are reliable and accessible.  Companies then should periodically test their recovery plan to make sure that it works.

Recovering from a disaster is not all about technology; a company’s disaster recovery strategy needs resources such as people, processes and a plan.  However, if a company is well prepared and their recovery plan is well-executed, their disaster recovery time will be less and hopefully, less painful.

How important is cyber security? October is National Cyber Security Awareness Month for the ninth consecutive year and each year, the designation seems to become more important.

So important that a top U.S. cyber warrior is recommending that his cyber command division be elevated into a top-level military unit under the Department of Defense. The Cyber Command, created two years ago, is currently under the U.S. Strategic  Command, which is responsible for U.S. nuclear and space operations.

Rear Admiral Samuel Cox, the cyber command’s top intelligence officer, believes his unit needs more power to combat the growing number of cyber threats facing the nation, according to Reuters. Many of those threats come from foreign hackers who are trying to pierce the Pentagon’s computer networks to obtain highly-classified information.

But cyber attacks aren’t just a threat to the military. Look at the numerous banks that experienced online outages due to cyber attacks in the past few weeks. And what about the flurry of data breaches reported this year by healthcare organizations?

The fact is that no organization – large or small – is immune from cyber attacks, hackers or simply the loss of a portable device containing the personal identifying information of consumers. Every organization and – every individual for that matter – needs to take cyber security seriously. And what better time to check on your security measures than during National Cyber Security Awareness Month. So here’s a checklist to help you keep your data safe.

•  Install the most up-to-date firewall, anti-spam and anti-virus software.
• Establish policies for handling sensitive data, mobile devices and computers. Educate everyone from C-suite executives to employees to contractors and vendors.
• Upload patches to fix any problems with your software programs.
• Use passwords on laptops, computers and mobile devices. Educate employees and contractors on the importance of using long, strong passwords.
• Encrypt laptops and mobile devices. Also encrypt sensitive files.
• Back up sensitive files and properly dispose of files you no longer need. Store backup data in a separate location – ideally off-site – from your main servers. To dispose of sensitive data, you should physically destroy the hard drive that contains the data. Otherwise, someone may be able to retrieve that data if the computer is sold or donated.

Our guest blogger this week is Zachary Smith, a legislative analyst for the Experian Government Affairs team.

Despite being a top priority for the Administration and leadership in Congress for much of the past year, the Senate failed to reach agreement on a comprehensive cybersecurity bill before adjourning for August recess.

After several revisions, the Senate began debate on the Cybersecurity Act of 2012 during the last week of July.  The bill would have created a National Cybersecurity Council to develop best practices for industries designated as “critical infrastructure.”  These industries might include utilities, pipelines and financial service companies.  In addition, the legislation would have encouraged the establishment of voluntary data exchanges to allow government agencies and private companies to share cyber threat information.

Disagreements arose between over the level of authority that the proposal would provide the Federal government to establish new cybersecurity standards for certain entities that it deemed to be “critical infrastructure.”  A majority of Senate Republicans voiced support for alternative legislation that would make the participation by private entities completely voluntary.

There were also attempts to establish a new law for a national data breach notification standard.  However, the Senate could not reach agreement on specific provisions of a preemptive program. 

There is a possibility that the Senate could revisit cybersecurity legislation when it returns for a brief work period in September or during the lame duck session after the election.  However, unless there are significant changes made to the bill so that it is palatable to a significant majority in the Senate, it is highly unlikely that legislation will be passed and signed into law this year.

Unfettered mayhem, raining down from cyberspace, has birthed the need for new protection few would have envisioned just a few years ago: cyber insurance coverage.

As coverage goes, cyber insurance is still a relatively new and emerging option that, despite its newness, is rapidly gaining traction among threat-weary businesses in every sector—healthcare, in particular, where protecting high-risk information in EHRs (electronic health records) is among the top priorities. 

Why cyber insurance?
For most, the goal of adding cyber insurance is to mitigate threats, liabilities and costs sustained from (what else?) “cyber incidents” – a broad term covering an ever-growing range of mishaps and misuse, from hacked accounts and stolen credentials to pilfered laptops and wayward thumb drives.  

Given the frequency and severity of recent breaches, and the financial fallout that invariably results, who can blame companies for wanting an extra layer of protection?

Certainly not attorneys Theodore J. Kobus III and Kimberly M. Wong, data security experts and co-authors of a new paper entitled “Risk Management: Cyber Insurance & Your Data Response Plan.” In fact, Kobus and Wong strongly suggest that, depending on budget, exposure profile and potential loss scenarios, cyber insurance may be a risk-reduction remedy that businesses sorely need.

Surprisingly customizable coverage
Companies seeking first-party cyber insurance coverage have a surprisingly diverse range of choices, say the authors, including protection against losses stemming from: data destruction and theft, extortion and hacking, and revenue lost from network intrusion or interruption.

Notification expenses, such as printing, mailing, credit monitoring and call center support may be included in a policy, along with third-party cyber liability coverage for vendors and partners.

Procuring the proper policy
The paper also includes suggestions for working with your broker, including:  

1. Determine what coverage you have under current general commercial liability or professional liability policies.  Identify potential gaps and opportunities to increase long-term protection.
2. Assess your current level of exposure and types of cyber incidents that pose the biggest threats.
3. Inventory the nature and location of all sensitive data. Is it stored in areas that are vulnerable to physical or digital theft? Knowing this will inform cyber coverage decisions.
4. Step through potential employee/non-employee loss scenarios, such as: hacking, theft of data or computer equipment and unauthorized publication of information online.

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

The rise of online functionality and connectivity has in turn given rise to online security issues, which create the need for passwords and other defenses against information theft.  Most people today have multiple online accounts and accompanying passwords to protect those accounts.  I personally have accounts (and passwords) for sites I no longer even remember.  And while I have more accounts than most due to my profession, my hunch is that many people deal with the issue of password overload.  Password overload is when you attempt to use your Pinterest, Twitter, work email and university login passwords (one after another) to get into your Money Market Account only to be locked out.  Now you have to go into the branch with photo ID, or endure the dreaded “customer service hotline” (not-line) to prove that “you are you.”  I expect that you have experienced such “password overload” inconveniences, or you almost certainly know someone who has.

The problem seems like it could be easily solved by using the same password for everything.  One password to remember, and no more jumbling through your notebook trying to find what password you used for your newest account creation or Facebook app.  The problem with this approach is that if you are using the same passwords for all (or even several) of your accounts, then if someone manages to get the password for say, your Instagram account, they would probably be able to then drain your savings account, phish your family for personal information (such as your Social Security Number), or rack up a warrant in your name for writing bad checks….  This could all happen because you logged into Facebook at an unsecured Wi-fi location, where your password for that one account is compromised, and it happens to be the same password you use for multiple accounts.

So, what do you do if you don’t want to tattoo 25 passwords on your arm and you don’t want to end up cuffed for felony check fraud? The answer is a password manager.  This new service was created so that users can remember just one password, yet have access to all other passwords. The best part is that you can have access to these passwords from anywhere as most of the new password managers are internet based. As the need for password management increases, the options consumers have grown leaving even the strictest cybersecurity aficionado pleased with the service. 

A few things you should look for when finding a password manager are:

1. Is it cross platform? Will it work on your iPhone and your PC?
2. How is the information (your passwords) encrypted?
3. Does the service sync automatically, or will the user need to update the password storage database every time they sign up for a new account?
4. What is the initial authentication process and how strong is it?
5. How reputable is the company who created the product and what is reported about the product itself?

By asking yourself these questions you should be on your way to making sure that your passwords are protected and you won’t lose your mind trying to keep track of them all. Just make sure you protect your login credentials for your password manager…. like really, really well…

Internet safety isn’t just for the employees who handle your most sensitive data. It’s for each and every one. With June being National Internet Safety Month, it’s the perfect time to brush up on exactly what that means for your employees and business.

In a recent study, 78% of organizations had experienced at least one data breach due to the actions of a careless or malicious employee.¹ It’s important to educate and empower your employees to do their part for data security, and that means being safe online.

Anyone who uses the Internet in your office needs to be mindful of Internet safety. Even if someone doesn’t handle sensitive data directly, his/her actions could infect your network with a virus that leads to data loss.

One of the obstacles to Internet safety is that cyber risk is so intangible it doesn’t seem like an immediate threat at all.  Cyber threats are oftentimes the opposite. A virus could slowly siphon data from your network for weeks, months or longer without anyone knowing.

Because cyber risk is often veiled, regular educational sessions with your employees are vital. Be sure they know and follow your Internet usage policy. Don’t have one in place? National Internet Safety Month is the perfect time to organize and implement your guidelines. You can find examples online to help shape your own policies.

Here are a few things to consider addressing:

Personal Internet Use
Blocking employees from logging in and using their personal accounts at work isn’t just an issue of lost productivity. It’s also a security issue. Links, videos and attachments online and in emails can contain unseen threats, such as a virus or malware that undermines the security of your data. That could include your employees’ own personal data. Be sure they understand that the precautions are for their benefit as well as for the stability of the business and their jobs. You can use the honor system for off-limit sites or use software that blocks unsecure and other URLs.

Software Downloads
Have your IT team handle all software downloads and ensure operating systems and software are updated regularly. Automatic updates implemented across the entire network at once help ensure there isn’t a weak link, an outdated computer, in your system. Again, you can use the honor system and ask employees not to install any software themselves or block them from doing so for added security. After all, accidents and human error do occur.

Email Dos and Don’ts
Some employees handle a hundred or more emails a day. Considering the high volume and the ease of communicating by email, mistakes are bound to occur. Sensitive data sent to the wrong email address could be detrimental for your business and customers. Be sure your employees understand what type of data is and isn’t permissible to send by email. And that they don’t open any attachments, click on any links or respond to any requests for sensitive data if the source is not verified.

As part of your Internet usage policy and National Internet Safety Month, impart on your staff the importance of not only being mindful and careful but also sounding the alarm when anything goes wrong. The sooner you know about threats to your network, the sooner you can protect your data and business.

1 The Human Factor in Data Protection, Ponemon Institute (2012)

Organizations are adopting social media tools within their networks at increasing rates, yet the legal and compliance risks are often not fully understood or addressed.  A recent Forrester report noted that more than half of security decision-makers and influencers at enterprises reported that they were “concerned” or “very concerned” about the inability to meet regulatory obligations using social media platforms. 

According to the report, critical reliance on third parties for information collection and capture, rapidly rising social media content volume and fast-changing applications, and the difficulty of ensuring authentication all make it difficult for security professionals to keep up with the legal and regulatory compliance associated with social media.

The report suggested that security pros should look to financial services for guidance on social media risks, keeping in mind that retention obligations clearly apply to social media, retention obligations also apply to both corporate- and employee-owned mobile devices, and firms should monitor and provide ongoing training to employees.

Above all, critical steps that security professionals must take in order to respond to the risks that social media poses include the following:

1.  Build effective policies governing social media usage in your enterprise.
Your social media policy should cover what your organization will and will not do online, what your employees can and cannot do, and what members of the public can and cannot do on your social media sites.

2.  Determine how tools that control social media fit into broader information governance.
Look before you leap when it comes to adopting tools that help enforce social media controls and make sure they’ll integrate with your company’s existing systems.

3.  Incorporate flexibility and continuous monitoring in social media.
Social media is constantly innovating end evolving – your organization will need to do so as well.