Panama Papers are Biggest Data Leak Yet

April 11, 2016


If cyber hackers can unearth the financial secrets of Russian President Vladimir Putin, do you really think your company is safe from the same thing?

Panama Papers: “History’s Biggest Data Leak”

News of the “Panama Papers” is filling newspapers and websites across the globe this week, in what The Guardian is calling, “History’s biggest data leak”.

Hackers have unearthed the financial secrets of some of the world’s most powerful people, detailing how many international politicians, business leaders and celebrities have used the Panamanian law firm Mossack Fonseca, the fourth-largest offshore law firm in the world, for unseemly financial transactions.

The Panama Papers are 11.5 million documents taken from the files of Mossack Fonseca by an unnamed source and turned over to a German newspaper. Information from this leaked data continues to spill out, and the repercussions already include the prime minister of Iceland resigning on April 5, the president of Transparency Chile, a branch of a global anti-corruption group, stepping down on April 4, and the CEO of a large Austrian bank resigning on April 7.

Others named involved in the massive data breach were the presidents of Argentina and the Ukraine, the prime minister of Pakistan, a king from Saudi Arabia, the former emir of Qatar, and Argentine soccer star Lionel Messi. A Russian cellist who’s a close confidant of Putin has also been named in the documents.

As the fallout from this massive data leak continues to reverberate literally around the world, it’s a great reminder that every company is at risk of a data breach. If the world’s richest and most powerful people can have their most confidential information hacked, cyber hackers can seemingly get anywhere they set their minds to.

Is your company safe?

While nearly half of all organizations experienced a data breach in the last year, a recent report by AIIM (the Association for Information and Image Management) showed that a quarter of respondents felt that their senior managers did not take the risk of data privacy breaches seriously.

This report comes on the heels of a 2015 IBM survey of more than 700 C-level executives, in which almost three-quarters of CEOs identified ‘rogue individuals’ as the largest threat to organizations. The truth is that 80% of cyber attacks are led by highly organized crime rings.

Too many C-level leaders have their heads in the sand and move forward with an “It won’t happen to us” mentality.

Protect your company and be proactive. Your data is everywhere these days—on hard drives and paper at the office, with volumes of information on laptops that move in and out of the office, on mobile devices and cloud storage—these are all entities that need to be managed from the C-level on down.

IBM’s study revealed that almost two-thirds of C-level executives in marketing, human resources and finance departments acknowledge they are not actively engaged in cyber security strategy and execution. Cyber security is at a point now where it simply has to go beyond the IT department. Criminals are targeting any department where personally identifiable and financial information resides.

Senior managers have to commit to information security before an organization can fully adopt a culture of security. Employees will follow the example set by their managers.

The Panama Papers put another spotlight on cyber security. Even the most rich and powerful are at risk.


Cyber Crime Continues to Rise

February 11, 2016


If you’ve picked up a newspaper or watched the news on television over the last five years, you’re probably aware that identity theft is one of the fastest rising crimes in the United States. It was probably bound to happen: as more and more of our lives, including our financial transactions, are conducted digitally, criminals have followed close behind, and cyber crime is increasing dramatically. So you knew that, but did you know that identity theft now costs Americans nearly twice as much as property theft? In a recent report, the U.S. Bureau of Justice Statistics found that total losses attributed to identity theft in 2012 were $24.6 billion, compared to $13.9 billion for property theft crimes. One would imagine that those numbers are only going to rise over the next decade.

Cyber Crime – is there an End in Sight?

There are plenty of studies that show that the crime rate is falling in the U.S., but many of those studies can be construed as inaccurate, as there still isn’t a great way of measuring cyber crime. An article from last year in phys.org had the following two quotes:

“Crime reporting has to be updated for the cyber-era,” said researcher and dean of the UAlbany School of Criminal Justice Alan Lizotte. “Property crime that remains underreported because it’s online crime shapes our response to it, particularly the response of law enforcement—what’s hidden stays hidden, yet continues to be a real, growing threat.”

“Recent data breaches targeting major US retailers and, more disturbingly perhaps, health-care providers, are evidence that we’ve reached a new frontier in criminal behavior,” said UAlbany criminal justice school researcher Giza Lopes. “Crime control is far from keeping up—a deficit that spans from inadequate measurement to jurisdictional inability to deal with a problem that spills over physical and national boundaries.”

Clearly cyber crime is on the rise and the ways to keep track of it haven’t quite caught up yet. What this means for organizations however, is that it’s pretty obvious that the need for data security is more important than ever. Maxxum’s recent research study revealed that over 40 percent of companies sometimes use disposal methods outside of a professional technology disposal service—including equipment donations and giving equipment to employees.

There’s certainly nothing wrong with donating or gifting old technology, but we can’t stress enough how important it is to have that technology wiped clean of information beforehand. Simply deleting files isn’t nearly enough: deletion removes the directory entry, not the data on the platters or flash. Drives need to be sanitized and wiped clean to ensure that your sensitive information isn’t leaving your building inside your old technology assets.

Organizations should make sure they receive documented transfer of custody and indemnification from their technology asset disposal company (we’ve outlined a few other key things to expect from a technology asset disposal company for reference here).
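Sanitizing a drive before it leaves the building and handing back a documented custody record, as an added example that is not Maxxum’s own code or process: the script overwrites a disk image that stands in for a raw drive, scans every block for leftover data, and emits a verification record. The image file, asset tag, technician name and record layout are assumptions.

```python
"""Verify that a storage image has been sanitized and document the result.

Added example, not Maxxum's code. The image file stands in for a raw block
device: on a real drive you would open the device node and prefer a
firmware sanitize command where one exists, because overwriting a file
through a filesystem does not reach remapped or wear-levelled sectors.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096


def find_residue(path, block_size=BLOCK_SIZE):
    """Scan every block and report how many still contain non-zero bytes.

    Returns (total_blocks, dirty_blocks, first_dirty_offset_or_None).
    Reading the whole image rather than sampling is the point: a partial
    check would miss a single block of leftover records.
    """
    total = dirty = 0
    first_dirty = None
    zero = bytes(block_size)
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block_size)
            if not chunk:
                break
            total += 1
            if chunk != zero[:len(chunk)]:
                dirty += 1
                if first_dirty is None:
                    first_dirty = (total - 1) * block_size
    return total, dirty, first_dirty


def overwrite_image(path, passes=1, block_size=BLOCK_SIZE):
    """Overwrite the image in place: random data on all but the last pass,
    zeros on the final pass so find_residue can verify the result.
    fsync forces the bytes to storage before we claim the wipe is done."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(block_size, remaining)
                fh.write(os.urandom(n) if p < passes - 1 else bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())


def sha256_file(path, block_size=BLOCK_SIZE):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def custody_record(path, asset_tag, technician, passes):
    """Build the documentation a disposal vendor should hand back: what was
    wiped, by whom, when, how, and the proof (zero residue plus final hash)."""
    total, dirty, first_dirty = find_residue(path)
    return {
        "asset_tag": asset_tag,
        "technician": technician,
        "method": f"{passes}-pass overwrite, final pass zeros",
        "verified_utc": datetime.now(timezone.utc).isoformat(),
        "blocks_checked": total,
        "blocks_with_residue": dirty,
        "first_residue_offset": first_dirty,
        "sanitized": dirty == 0,
        "post_wipe_sha256": sha256_file(path),
    }


def demo(passes=2):
    """Create a constructed image holding fake records plus empty space,
    confirm the scanner finds the records, then wipe and verify."""
    fake_records = b"name=Jane Doe;ssn=000-00-0000;plan=CONSTRUCTED\n" * 200
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(fake_records)            # 9400 bytes spanning 3 blocks
        fh.write(bytes(BLOCK_SIZE * 4))   # 4 blocks of untouched space
    before = find_residue(path)
    overwrite_image(path, passes=passes)
    record = custody_record(path, "ASSET-TAG-PLACEHOLDER", "demo", passes)
    os.remove(path)
    return {"dirty_before": before[1], "record": record}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```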

At Maxxum, we’re committed to smart, strategic partnerships with our clients. We stay up-to-date on laws and regulations regarding data privacy and environmental responsibility. We develop and support industry best practices in compliance, remarketing, recycling and reporting.

The Rising Cost of Data Breach

October 28, 2015


IBM and the Ponemon Institute released a global study in January that said the average total cost of a data breach has increased 23 percent in the last two years, up to $3.79 million.

The same study showed that the average cost paid by organizations for each lost or stolen record containing confidential information rose from $145 in 2014 to $154 in 2015. The largest increase was seen in the retail industry, where the average cost increased from $105 in 2013 to $165 in 2014.

The Cost of a Data Breach is Increasing

As today’s world becomes more and more digital, with so much sensitive data stored on drives of all sorts, optical media, cell phones, and various other forms of office equipment, there’s every reason to believe that the cost of a data breach is only going to rise over the next several years.

It’s important to know that just because a piece of technology no longer works doesn’t mean that the information on it is no longer accessible. In fact, without destruction, most of it is pretty easily retrieved by someone who knows what they’re doing.

In 2003 researchers at MIT were able to recover 92.4 percent of sensitive information from 158 used hard drives. That sensitive information included not only corporate information, but names and contact information, emails, credit card numbers, social security numbers and medical records.

Security measures have improved dramatically since MIT’s study, and organizations have embraced the value of hiring Technology Asset Disposal Companies. While security has improved, so have hackers and data thieves. If you think that black markets where stolen information is sold only exist on TV shows and in the movies, you’ve got your head in the sand.

The following numbers should scare you a little bit: 80 percent of corporate desktops and laptops contain sensitive data. When it comes to IT personnel, only 34 percent have a secure process for hard drive destruction.

There’s far too much on the line, both monetarily and legally, for organizations not to hire experts to dispose of their technology assets when the time comes to refresh or upgrade. Avoid the rising costs of any kind of information breach by hiring an expert and trustworthy data destruction organization.

15 Million T-Mobile Customers’ Data Exposed | T-Mobile Data Breach in 2015

October 23, 2015


On October 1, it was announced that approximately 15 million T-Mobile customers were impacted by a T-Mobile data breach at credit agency Experian PLC, the latest major leak of confidential data to hit corporate America.

The exposed data included names, addresses, birth dates and encrypted Social Security numbers, driver’s license or passport numbers for customers who might have applied for T-Mobile cell service between Sept. 1, 2013 and Sept. 16, 2015.

T-Mobile said the T-Mobile data breach was discovered on September 15 and included information on millions of their subscribers, former customers and people who applied for service or device financing at the wireless carrier over the last two years.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian,” T-Mobile CEO John Legere said. “I take our customer and prospective customer privacy VERY seriously.”

Experian is one of the three major American credit bureaus, along with Equifax and TransUnion, that affect, if not touch, every American with a credit card or cell phone.

There is no evidence yet that any breached information has been inappropriately used and Experian is notifying the individuals who may have been affected. They are also offering free credit monitoring and identity resolution services for two years to affected customers.

Hackers typically put this type of information up for sale on black markets, where large databases of information are aggregated and sold to identity thieves. A stolen identity can lead to stolen tax refunds, ruined credit and worse.

T-Mobile is in the process of reaching out to people who may be impacted by the T-Mobile data breach.

Here are four steps to take if you are ever afraid your personal data has been breached. All four steps can be done by calling each of the three credit bureaus (Experian: 1-888-397-3742, Equifax: 1-800-525-6285, and TransUnion: 1-800-680-7289).

  1. Monitor your credit reports. You are entitled to one free credit report every 12 months from each of the three credit bureaus.
  2. Consider placing a “fraud alert” with each of the three credit bureaus. An alert doesn’t block potential new credit, but places a comment on your history. Creditors should contact you prior to opening a new account.
  3. Consider placing a “security freeze” with each of the three credit bureaus to prohibit the release of any information from your reports. A security freeze can help prevent identity theft since most businesses won’t open credit accounts without checking a consumer’s credit history first.
  4. Beware of unsolicited calls or emails offering credit monitoring or identity theft services. Never provide your Social Security number, credit card numbers, or other personal information in response to unsolicited emails or calls.

Ponemon: Data breach costs now average $154 per record

June 10, 2015

The per-record cost of a data breach reached $154 this year


by Maria Korolov | May 27, 2015

According to a report released this morning by IBM and the Ponemon Institute, the per-record cost of a data breach reached $154 this year, up 12 percent from last year’s $145.

In addition, the average total cost of a single data breach rose 23 percent to $3.79 million.

Loss of business was a significant, and growing, part of the total cost of a data breach. Higher customer turnover, increased customer acquisition costs, and a hit to reputation and goodwill added up to $1.57 million per company, up from $1.33 million the previous year, said Ponemon Institute chairman and founder Larry Ponemon.

Ponemon analyzed results from 350 companies in 11 countries, each of which had suffered a breach over the past year.

Data breach costs varied dramatically by industry and by geography.

The US had the highest per-record cost, at $217, followed by Germany at $211. India was lowest at $56 per record.

Sorted by industry, the highest costs were in the health care industry, at an average of $363 per record.

The reason, said Caleb Barlow, vice president at IBM Security, is because the information in a medical record has a much longer shelf life than that of, say, a credit card number.

“With credit cards, the time frame from the breach to mitigation is very short,” he said.

The credit card company just has to cancel the old credit card number and issue a new one.

“But the health care record can be used to establish access in perpetuity,” he said, pointing out that health care records include a wealth of personal information as well as social security numbers and insurance numbers.

“it can be used to establish credit or steal your identity ten or fifteen years from now,” he said. “Once this information is out there, you can’t get the genie back in the bottle.”

And that doesn’t even include the costs of health care fraud, he added.

Factors that can impact breach costs

The Ponemon report looked at a number of other factors that could potentially influence the cost of a breach, and, unlike industry or geography, many of these factors were under management control.

For example, having an incident response team available ahead of time reduced the per-record cost by $12.60. Using encryption extensively reduced costs by $12. Employee training reduced costs by $8.

If business continuity management personnel were part of the incident response team, costs fell by $7.10. CISO leadership lowered costs by $5.60, board involvement lowered costs by $5.50 and cyberinsurance lowered costs by $4.40.

“Companies that have thought about this ahead of time, that had their board involved, that had insurance protection, that had practiced what they would do, they had a much lower cost per breach,” said Barlow. “This is really compelling. We have tangible evidence that those who were doing that had much lower costs. You don’t have days to respond — you don’t even have hours. You have minutes to get your act together.”

Factors that increased costs included the need to bring in outside consultants, which added $4.50 per record. If there were lost or stolen devices, costs increased by an average of $9 per record.

And the single biggest factor was if a third party was involved in the cause of a breach. That increased the average per-record cost by $16, from $154 to $170.

Costs rise with time

Ponemon found a positive relationship between the time it took to identify a breach and the total cost of the breach, as well as between the time it took to mitigate the breach and the cost.

On average, it took respondents 256 days to spot a breach caused by a malicious attacker, and 82 days to contain it.

Breaches caused by system glitches took 173 days to spot and 60 days to contain. Those caused by human error took an average of 158 days to notice, and 57 days to contain.

This story, “Data breach costs now average $154 per record” was originally published by CSO.

Go to original article…

Unencrypted Devices Still a Breach Headache

May 13, 2015

The Ongoing Risk Posed by Lost, Stolen Mobile Devices

By , May 12, 2015.


While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit – the loss or theft of unencrypted computing devices – is still putting patient data at risk.


Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services’ “wall of shame,” which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.

That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.

The incident occurred on Feb. 3 while ISMA’s IT administrator was transporting the hard drives to an offsite storage location as part of ISMA’s disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group’s request to comment on the breach, citing that there are “ongoing civil and criminal investigations under way.”

A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year’s worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.

Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:

  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.

Many smaller breaches affecting fewer than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The theft or loss of an encrypted computing device is not a reportable breach under HIPAA. That’s why security experts express frustration that the loss and theft of unencrypted devices remains a common breach cause.

“It is unfortunate that [encryption] is considered an ‘addressable’ requirement under HIPAA, as many people don’t realize that this does not mean optional,” says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.

Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he’s expecting to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by their failure to manage the mobile devices used by their employees on which electronic protected health information was stored or accessed.

Read full article…

Pharmacy Fined $125,000 for Breach

April 28, 2015

By , April 27, 2015.

Paper Patient Records Not Properly Destroyed

A small Denver compounding pharmacy has been slammed with a $125,000 federal penalty for a 2012 breach involving improper disposal of paper patient records. It’s the second such HIPAA enforcement action within a year by federal regulators tied to an incident involving records dumping by a covered entity.

In an April 27 statement, the Department of Health and Human Services’ Office for Civil Rights says Cornell Prescription Pharmacy has agreed to a HIPAA settlement that includes the $125,000 penalty and calls for adopting a corrective action plan to correct deficiencies in its compliance program.

Cornell is a single-location pharmacy that specializes in compounded medications and related services for hospice care agencies in the region.

Proper PHI Disposal

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” says OCR Director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

OCR launched a compliance review and investigation in February 2012 after the agency received notification from a Denver news outlet regarding the disposal of unshredded documents containing the protected health information of 1,610 patients in an unlocked, open container on Cornell’s premises.

OCR’s investigation determined Cornell failed to implement any written policies and procedures as required by the HIPAA Privacy Rule. The pharmacy also failed to provide training on policies and procedures to its workforce as required by HIPAA, OCR says.

Similar Cases

OCR last June approved an $800,000 HIPAA settlement with Parkview Health System, an Indiana-based community health system, tied to an incident involving paper records dumping. In that case, the organization was cited for leaving 71 cardboard boxes of medical records on thousands of patients unattended and accessible to unauthorized persons on the driveway of a retiring physician’s home (see $800,000 Penalty for Paper Records Breach).

In addition to the Parkview case, OCR has issued hefty settlements for several other breaches involving improper disposal of PHI.

“The latest OCR settlement is almost identical to 2009 and 2010 settlements against CVS and Rite Aid over the pharmacies allegedly dumping protected health information in publicly-accessible waste containers,” says privacy attorney Adam Greene of law firm Davis Wright Tremaine.

“In both of those cases, as in the current case with Cornell Prescription Pharmacy, the OCR investigation was triggered by a local television news report identifying the issue at local pharmacies,” Greene notes. “In response to the CVS and Rite Aid cases, OCR issued specific guidance on properly disposing of protected health information. Apparently, when OCR learned of a news report indicating that a pharmacy was not heeding this guidance, OCR determined that an additional settlement was needed.”

Covered entities and business associates should closely track OCR settlement agreements “and ensure that any similar issues are addressed within your own organization,” Greene stresses.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he’s surprised there haven’t been even more such enforcement actions by OCR for these kinds of improper disposal cases.

There have been approximately 30 large breaches since April 2011 that have involved covered entities or business associates that failed to make paper or printed PHI unreadable or indecipherable, “such as by shredding into itty-bitty pieces,” says Holtzman, who was a senior adviser at OCR prior to joining CynergisTek in 2013. “This [latest] case represents a drop in the bucket.”

Corrective Action Plan

As part of its resolution agreement with OCR, Cornell has agreed to implement a corrective action plan that includes developing, maintaining and revising, as necessary, written policies and procedures to comply with the HIPAA Privacy Rule and submitting documentation of those policies and procedures to OCR for its review and approval.

The policies and procedures must include administrative and physical safeguards for the disposal of all non-electronic PHI, including those records being “shredded, burned, pulped or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”

The pharmacy also agreed to distribute those policies and procedures to all members of its workforce within 30 days of OCR approving them and to also issue those policies and procedures to new members of the workforce within 30 days of their beginning of service.

In addition, the pharmacy agreed to provide its workforce HIPAA privacy training and to report violations of its privacy policies and procedures by its workforce to OCR.

More Settlements Soon?

Some privacy and security experts believe the resolution agreement with Cornell could be the first of several additional enforcement actions in the works at OCR for 2015, including cases involving other examples of HIPAA non-compliance.

“This is likely the beginning of a more active phase of OCR enforcement that we have been anticipating,” Holtzman says. “I believe that OCR has been investigating a number of significant investigations and compliance reviews, many resulting from breaches reported to HHS.”

Holtzman adds: “I do not believe that OCR limits itself to reserving its enforcement resources to a predetermined checklist or agenda prioritizing one type of incident over another.”

In a recent interview with Information Security Media Group, Greene also predicted that OCR will likely announce a number of eye-popping financial settlements for HIPAA violations later this year (see Could Big HIPAA Settlement be Coming?).

View original article…

HIPAA Compliance Audits Remain on Hold

April 16, 2015

OCR Official Describes New Guidance in the Works

By , April 15, 2015.


After a three-year delay, federal regulators remain tight-lipped about when the next round of HIPAA compliance audits will begin. But a variety of new HIPAA-related guidance is in the works, a government official says.

During an April 15 session at the HIMSS 2015 Conference in Chicago, a regional official from the Department of Health and Human Services’ Office for Civil Rights told attendees the next phase of the random HIPAA audit program “is under development.” Attorney Alessandra Swanson, an OCR team leader from the agency’s Chicago office, declined to say whether there’s a potential timeline for when OCR expects to kick off the next round of HIPAA audits, or what the program might look like.

OCR, which enforces HIPAA, had hoped to kick off phase two of its compliance audit program last fall, but officials last September revealed the program was being delayed. The culprit blamed at the time: technology, still being rolled out at the agency, that will allow OCR to collect audit-related documentation from covered entities and business associates via a Web portal (see HIPAA Compliance: What’s Next?).

OCR also had a change in leadership last year. In July, Jocelyn Samuels was named the office’s new director. Samuels, who was formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, replaced Leon Rodriguez, who was named director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

Privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine, told Information Security Media Group in an interview at the HIMSS Conference that he believes the delay in various OCR enforcement activities, including the audit rollout, could be related to tight OCR resources, as well as the new leadership settling in.

But OCR appears to be staffing up for the audit program. In an announcement posted last week by HHS, the agency said it had an open “compliance specialist – auditing” position available within its Washington headquarters.

“This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA privacy, security and breach notification rules,” the job posting said.

OCR officials in recent months have said the agency also is working on updating its audit protocol for covered entities and creating a new audit protocol for business associates. BAs became directly liable for compliance under the HIPAA Omnibus Rule last year and are subject to OCR enforcement actions, including financial penalties that range up to $1.5 million per HIPAA violation.

Other Activities

In addition to preparing for resuming the random HIPAA compliance audit program, OCR is working on new guidance, including material relating to business associates; the breach notification rule as well as a breach assessment tool; the use of protected health information for marketing; the “minimum necessary” standard for data; and HIPAA Security Rule compliance updates, Swanson says.

In addition, OCR is continuing breach investigations and rule-making.

“Our goal is, and has always been, to get entities into compliance,” Swanson says. “I know that our enforcement cases get a lot of attention, but when you look at the number of enforcement cases versus those that are resolved with technical assistance and corrective actions, you’ll see that we always try to go the compliance route first. We’re interested in getting everyone into compliance; we’re not out there trolling for enforcement cases.”

OCR is anticipating receiving 15,000 to 17,000 HIPAA complaints in 2015, she says. All health data breaches affecting more than 500 individuals are investigated by the agency, she says. Although there have been no enforcement actions involving monetary settlements with business associates, Swanson says the agency is currently investigating a number of breaches involving BAs.

Read full article…

It’s Time to Re-Examine Risk Management

March 30, 2015

Attacks Against Anthem, Others Are a Call to Action

By Bob Chaput, March 27, 2015


Just as 9/11 shattered our assumptions about the impregnability of U.S. defense systems, the recent Anthem Inc., Premera Blue Cross and Community Health Systems mega-breaches show that we need a top-to-bottom re-examination of what information risk management really requires.

To be fair, most healthcare boards of directors and C-suite executives have had their hands full just dealing with the Affordable Care Act and the momentous shift from the fee-for-service model to value-based care. That may be the reason why so many healthcare boards and C-suites are either ill-informed or disengaged from information risk management.

“We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic.”

In the wake of the highly publicized Community Health Systems, Anthem and now Premera hacking incidents, most organizations are scrambling to play catch-up – often trying to “checklist” their way to security. By default, and in the absence of board and C-suite direction, this approach is often too technical, too tactical and involves too much spot-welding.

Here are some reasons why it’s not a matter of if, but when, the next Anthem-style disaster strikes:

Most organizations don’t truly understand the scope of the problem. Although the Anthem hacking incident, which affected 78.8 million individuals, made headlines worldwide, hackers only account for about 8 percent of major health data breaches since September 2009, according to the Department of Health and Human Services. The other 92 percent are mainly due to preventable mistakes made by an organization’s own employees and business associates – losing a laptop containing unencrypted PHI, improperly disposing of paper records, “snooping” into and disclosing confidential data, etc. A health system might pat itself on the back for avoiding an Anthem-type breach, then get stung by a smaller scale breach that can still tarnish its reputation and cost millions to remedy.

The value and vulnerability of patient data are increasing dramatically. The anticipated growth of the national eHealth Exchange means that the likelihood of breaches will continue to rise. The exchange is predicted to soon connect hundreds of hospitals and thousands of medical groups. Hackers will no doubt be encouraged by what the Anthem thieves got their hands on: dates of birth, physical and e-mail addresses, and Social Security numbers of nearly 80 million individuals. That’s the equivalent of the entire populations of California, New York, Illinois and Maryland.

Too few organizations have a formal process for benchmarking the maturity of their IRM programs. The healthcare field is way behind other industries in this regard. The FBI said as much in its April 2014 Private Industry Notification and its August 2014 Alert. Many manufacturers and retailers routinely use maturity models to test the efficacy of their supply chain management and business intelligence. Healthcare needs to make it a priority to benchmark its IRM programs.

The term “data security expert” doesn’t equate with “risk management expert.” Too many healthcare organizations rely on their IT staff to ward off hackers, forgetting that breaches also come in a variety of low-tech (or no-tech) varieties. Plus the Anthem breach begs the question: What were the “experts” really doing?

Although the hackers did penetrate several layers of Anthem security, they may have gained access to the huge database by using a stolen password. And numerous media reports suggest that Anthem hadn’t bothered to encrypt the database. At the very least, we shouldn’t be making it easier for hackers to do their job. Whether the Anthem hackers were part of an international cyber-espionage team – or just brainy teenagers – doesn’t really matter. Several news organizations are reporting that the insurer will soon exhaust its $100 million cyber-insurance coverage to meet the staggering cost of identity theft repair and credit monitoring.

The healthcare field has “HIPAA compliance” myopia. The Anthem breach proves once and for all that information risk management is much more than a HIPAA compliance issue. IRM has a direct impact on patient safety and quality of care. But even more than that, it’s a discipline that’s essential to the health of a company’s brand and bottom line.

The Anthem breach demonstrates that there’s still a glaring need for better board and C-suite education about what constitutes comprehensive IRM. We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic. To do so, healthcare organizations need to use new benchmarking tools to help them assess the maturity of their IRM initiatives.

If the CHS breach was a wake-up call, the massive Anthem breach was a bugle blaring across healthcare boardrooms and C-suites nationwide. Let’s hope that it rouses leaders to action.

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, is CEO of Clearwater Compliance, an information risk management advisory firm based in Nashville, Tenn., that offers an IRM benchmarking tool.

Go to original article…

Third-Party Breaches: Eyeing the Risks

March 27, 2015

BitSight’s Stephen Boyer on the Merits of Continuous Monitoring

By Information Security Media Group, February 17, 2015

Target is the high-profile example, but many organizations have been breached through third-party vulnerabilities. Where are the security gaps, and how can they be filled? BitSight’s Stephen Boyer offers insight.

Boyer, CTO and co-founder of BitSight Technologies, sees the Target breach as transformational for the industry. It showed that a CEO could be fired as a direct result of a breach.

“Now what we’re seeing is boards of directors getting much more involved,” Boyer says. “They’re asking questions about cybersecurity performance.”

And they want to know specifically which of your third-party service providers leaves you most vulnerable to a breach.

As organizations examine these relationships, they also increasingly turn to continuous monitoring solutions. “[This movement] is a lot different from what has typically been done in the past. The question now is ‘how do I get continuous visibility into not just myself, but also my third parties, so I can better understand where the risks are and take action in a timely manner?’”

In an interview about data breaches and third-party risks, Boyer discusses:

  • How recent breaches have deeply impacted organizations;
  • Results of a new Forrester survey of third-party risks;
  • How continuous monitoring can help organizations reduce these risks.

Boyer is the CTO, co-founder, and board member of BitSight Technologies. Previously, he worked at Saperix, Lincoln Lab and Caldera.

Third-Party Risks

TOM FIELD: In the past year, we’ve seen so many high-profile data breaches. I’m thinking about Target, but certainly there were others, and they resulted from third-party vulnerabilities. As I talk with security leaders, I certainly hear their frustration in trying to mitigate something that they can’t control and to prepare their organizations to respond to an incident that really doesn’t happen within their purview. Does that match what you’ve seen in the past year as well?

STEPHEN BOYER: Absolutely. I think you articulated it really well. It has been very transformational over the last year. I would say the Target breach, having the CEO let go from that, has really been a transformational event for the industry. Now what we see is that boards of directors are becoming much more involved. They’re asking questions around cybersecurity performance and also wondering how we are doing with respect to our supply chain and our third parties in trying to mitigate those risks. That’s moving up to the board level.

Additionally, what we’re also seeing is risk transfer options. Companies realize that even if they invest heavily in security and train their staff, there’s always some risk or some threat that they can’t account for that they want to be able to transfer into cyber-insurance. We’re seeing a growth there.

Then, also, we’re seeing legislators perk up and become much more interested and asking more questions than they previously had been, specifically with respect to third-party risk management.

Impact on Breached Organizations

FIELD: You make a good point. I traveled to a lot of places all over the world in the past year, places where you never will find a Target store, but everybody knows about the Target breach because it resulted in the CEO losing his job. When you look back on Target and some of the other high-profile breaches, what do you see as common threads in terms of the impacts on the organizations that were breached?

BOYER: It really kind of depends on the situation of the company and their industry. But what we’ve seen is that companies have moved to an outsourcing model. For all the variety of efficiencies that exist in terms of cost and capability, outsourcing has opened up their networks and provided data to someone else, and they’ve increased that trust relationship, which has been a very difficult thing to manage and mitigate. “I’m now moving the perimeter of my company and I’m extending the enterprise out to a variety of different companies.” That could be somebody who’s providing heating and ventilation; that could be someone else who’s providing some sort of IT services. They all have access into data or into the networks, and those are points of vulnerability.

Survey Findings

FIELD: You just conducted a new survey with Forrester that’s on third-party risks. Can you share with me some of the key findings?


Read full article…