Saunders commented on the testimony of Treasury Inspector General for Tax Administration’s (Tigta) J. Russell George’s testimony to a Congressional oversight committee.  George claims the IRS gives “confusing and often conflicting instructions” to taxpayers who are victims of ID Theft.

IRS statistics show over 640,000 taxpayers were affected in 2011 which is more than double those affected in 2010 and according to George, the problems include:

- More than a year to resolve an ID Theft issue.

- When electronic returns are rejected due to ID Theft, the victim is instructed to mail in a paper return with a specific form neither of which is prioritized.

- ID Theft guidelines and procedures are dispersed among 38 IRS manual sections and are inconsistent and incomplete.

- IRS makes little use of ID Theft data to identify trends.

- Since December 2011, eight taxpayers have been sentenced due to ID Theft.

In the case of the tax-related and other types of ID Theft, credit monitoring won’t be enough.  Lawyers will be needed to assist victims in restoring their identities and in dealing with government agencies, banks and other creditors.

Tweet This Post 

One million patient files containing names, social security numbers, diagnosis codes, birth dates, and health plan identification numbers were on 57 hard drives left in a network closet of a former BCBS office building.  Security of the files was turned over to the property manager for several months until the servers could be moved. The burglary occurred in October of 2009 when the hard drives were stolen from the locked closet.

BCBS says it has spent $17M so far in corrective actions including recovering the lost data from backups, identifying the affected customers and providers, and notifying all of the victims associated with the data breach. 

This case is significant because the patient data at the time of the theft was out of the control of BCBS. It’s also the first fine levied since the HITECH Act was passed.

Be sure your vendors have their privacy & security programs in place. Put verbiage to that extent in your contracts with them. If vendors lose data that originates with your company, the liability will most likely fall on you.

Tweet This Post 

Kimberly Little of LexisNexis Risk Solutions quoted several surveys by LexisNexis, Blue Research and Javelin to illustrate what steps consumers have taken in the past year to avoid online id theft. Here are the highlights:

85% of consumers believe online fraud is a growing concern.

63% said they avoid online registrations requiring personal information.

88% of respondents said they omitted information or gave incorrect responses when creating a new account on a website.

54% said they were more likely leave a website rather than register.

26% said they just went to a different site when asked to register.

77% said they prefer social logins (using Google, Facebook, Twitter or other social media sites) instead of registering on specific sites.

Consider limiting the information required on your website and consider using social media logins if you need to identify visitors to your site.

Tweet This Post 

The following:

- Has overall responsibility for a comprehensive security program that includes information security policies, compliance, and governance.

- Develops long-term security strategies and ensures the company meets all mandated security standards.

- Provides security-related vision, leadership, and strategy required for the company’s continued market place presence and success.

- Is responsible for developing and implementing a corporate culture of compliance and information security.

- Trains and motivates employees to make compliance and information security an inherent part of the corporate culture.

- Provides leadership for the governance and compliance of national, state and global (if applicable) security policies, standards, procedures, and guidelines to prevent the unauthorized use, release, modification, or destruction of data across multiple platforms and environments.

- Sets the strategic direction for information security for all technology platforms and business units.

- Establishes and implements the company’s security program. Ensures the development, testing and implementation of appropriate security plans, products and control techniques. Identifies protection goals, objectives and metrics consistent with the corporate strategic plan.

- Oversees a network of security directors and vendors who safeguard the company’s assets, intellectual property, confidential employee, client and vendor information and computer systems.

- Coordinates and manages all areas of victim notification, interaction with regulatory bodies, investigations and remedies in the event of a data breach.

Tweet This Post 

Most executives believe these requirements only affect medical providers when in fact, companies offering health insurance to their employees are also responsible.  Keep in mind both a health insurance id number as well as any confidential information used to fill out a health insurance application is considered to be PHI. 

Leon Rodriguez, director of the Dept of Health & Human Services Office for Civil Rights (OCR) said 63% of the companies investigated by the OCR reported data breaches that were the result of security lapses at a BA.

Here are some questions to ask regarding your business associates:

1) How critical is this BA to our company? Is there an alternative vendor?

2) Do we have an updated agreement in place with each BA, one that includes our privacy and security needs? When was the agreement last updated?

3) With what security standards does the business associate comply? Does the BA conduct employee training, have a recent risk assessment, a mitigation plan in the event of a breach, a chief compliance officer?

4) Does the BA have an incident detection and management process in place? How will they let us know if there is a breach with our data?

5) What are the contractual obligations and/or indemnity provisions when a data breach occurs? Does the BA assume the financial liability we could incur?

6) What is our termination clause?  Are there clear guidelines in order to terminate the agreement?

7) Has the BA had privacy or security incidents with other clients? If so, how were they corrected?

What are the legal and contractual requirements for offshore BAs and subcontractors? Is the safeguarding of PHI included in the BA agreements with both domestic and foreign subcontractors?

Make sure your business associates have the required privacy & security measures in place to protect you, your company and your PHI.

Tweet This Post 

The Study found outside hackers (33%) and negligent insiders (39%) are the main causes of a data breach.

It’s interesting to note that according to the Study, if an organization has a Chief Information Security Officer (CISO) with responsibility for overseeing the entire Data Loss Prevention/Privacy and Security Program, the average cost of a data breach can be reduced by as much as $80 per record lost.

Keep in mind in order to comply with several federal data loss laws, companies are supposed to name a CISO.  Also, many insurance providers require a CISO in order to underwrite cyber insurance.

When referencing the 2011 Study, Dr. Larry Ponemon, President of the Ponemon Institute said, “One of the most interesting findings of the 2011 report was the correlation between an organization having a CISO on its executive team and reduced costs of a data breach. As organizations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges.”

Tweet This Post 

And although it’s a nationwide problem, federal investigators say it has reached “epidemic” levels in Florida.

Steven Miller, IRS deputy commissioner for services and enforcement said, “Tax-related identity theft incidents went from 51,702 in ’08 to 248,357 in ’10.”  Miller also claims this year the IRS has flagged 2 million returns for review. 

Electronic filing has made the fraud much easier.  Many of the identity thieves are operating out of prisons and are part of organized crime.

Here are some suggestions to protect yourself when filing your returns:

1) If you file by mail, send it certified and request a return receipt of delivery.

2) Have your refunds direct deposited into your checking account.

3) Ignore emails from the IRS … they’re fake.

4) Verify your tax preparer’s credentials.

5) Make sure your preparer uses encrypted email if electronically filing your return and when sending copies of your return to you.

6) Avoid storing tax files or any personal info on a cloud or internet drive.

Tweet This Post 

A Ponemon Institute study reports it’s oftentimes the low tech breaches caused by an untrained employee that cause the most damage. Interestingly enough, these types of breaches are usually the easiest to prevent.

Dr Larry Ponemon, the chairman and founder of the Ponemon Institute, said: “Data-centric security technology, education and awareness among employees are essential [for an effective security system].”

Best practices and our federal government suggest all employees be trained on identity theft awareness and prevention.

Make sure you include employee education in your corporate data loss prevention program.

Tweet This Post 

1) Risk Assessments – Know who has access to PHI, where it’s stored and how it’s utilized in day to day activities.

2) Encrypt Media and Mobile Devices – Consider limiting or banning patient data on devices taken from the premises.

3) Train Employees – People need to know and understand the organization’s policies so they can help guard against breaches and misuse of confidential information.

4) Monitor Business Associates – Work with vendors to be sure they’re in compliance with the privacy & security laws. About 22% of breaches have involved business associates.

5) Limit Data Storage – Do you really need all the information you’re collecting?  Can you limit the amount of PHI stored?

6) Remember Paper Records – Paper records are as much of a concern as digital and computerized records.

7) Other Vulnerabilities – Are your wireless networks secure?  Are your anti-virus and malware protection programs up to date?  How about your computer operating system?  Do inactive computers automatically log off?  Are you encrypting PHI?

Tweet This Post 

The HITECH Act requires proactive privacy and security audits to correct vulnerabilities before a breach occurs.

Last summer, KPMG got the contract from OCR to formulate and test an auditing program.  Between November 2011 and December 2012, OCR plans to audit 150 healthcare organizations from large providers to small practices.

To prepare:

- Know where PHI is located

- Be sure it’s encrypted

- Make sure your wireless network is secure

- Track who has access to PHI

- Have your breach response plan in place

- Train employees to spot and report breaches

- Appoint a Security Officer to oversee program

When a covered entity is notified of an audit, they may have less than 10 days to prepare so get your program in place asap.

Tweet This Post