When it comes to data breach vulnerability, is your company more at risk from a hacker accessing your database or by employees making simple errors?
A Ponemon Institute study reports that it is often the low-tech breaches caused by an untrained employee that do the most damage. Interestingly, these are usually the easiest breaches to prevent.
Dr Larry Ponemon, the chairman and founder of the Ponemon Institute, said: “Data-centric security technology, education and awareness among employees are essential [for an effective security system].”
Best practices and our federal government suggest all employees be trained on identity theft awareness and prevention.
Make sure you include employee education in your corporate data loss prevention program.
390 major breaches have affected 19 million people since the HIPAA breach notification rule was implemented. Here are several suggestions on how to guard PHI (Protected Health Information).
1) Risk Assessments – Know who has access to PHI, where it’s stored and how it’s utilized in day to day activities.
2) Encrypt Media and Mobile Devices – Consider limiting or banning patient data on devices taken from the premises.
3) Train Employees – People need to know and understand the organization’s policies so they can help guard against breaches and misuse of confidential information.
4) Monitor Business Associates – Work with vendors to be sure they’re in compliance with the privacy and security laws. About 22% of breaches have involved business associates.
5) Limit Data Storage – Do you really need all the information you’re collecting? Can you limit the amount of PHI stored?
6) Remember Paper Records – Paper records are as much of a concern as digital and computerized records.
7) Other Vulnerabilities – Are your wireless networks secure? Are your anti-virus and malware protection programs up to date? How about your computer operating system? Do inactive computers automatically log off? Are you encrypting PHI?
The implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act is leading the Office for Civil Rights’ (OCR) auditors to levy stiff fines and penalties on organizations that can’t prove they’re guarding Protected Health Information (PHI).
The HITECH Act requires proactive privacy and security audits to correct vulnerabilities before a breach occurs.
Last summer, KPMG was awarded the OCR contract to formulate and test an auditing program. Between November 2011 and December 2012, OCR plans to audit 150 healthcare organizations, from large providers to small practices.
To prepare:
- Know where PHI is located
- Be sure it’s encrypted
- Make sure your wireless network is secure
- Track who has access to PHI
- Have your breach response plan in place
- Train employees to spot and report breaches
- Appoint a Security Officer to oversee the program
When a covered entity is notified of an audit, it may have less than 10 days to prepare, so get your program in place as soon as possible.
With the advent of electronic health records, medical data has become much more accessible to everyone, including criminals.
The Ponemon Institute’s National Study on Medical Identity Theft found “The number of data breaches among healthcare organizations is still growing – eroding patient privacy and contributing to medical identity theft”.
The report also states that the average cost to resolve medical identity theft is a whopping $20,663 per victim.
All employers offering health insurance need to be mindful that they too can lose medical information, even if they aren’t considered a medical provider. Health insurance policy numbers, as well as any confidential data used to fill out a health insurance application, are considered medical information.
Be sure you have adequate cyber insurance coverage and that your company is in compliance with the federal and state privacy, security and data breach laws.
A new concern on the data breach and privacy/security front is what’s known as a “hacktivist attack”. This is when a company’s website is taken down by flooding it with traffic, otherwise called a DDoS (Distributed Denial of Service) attack. A DDoS can affect incoming traffic as well as Internet access for employees inside the company.
Wendy Nather, research director at 451 Research, a firm specializing in IT security, says, “Companies have to acknowledge it as a new cost of doing business, and factor it into their infrastructure and security planning.”
Many experts agree existing cyber security standards aren’t effective against DDoS attacks.
Oftentimes, an activist group protesting a company’s policies is behind the attack. The goal is to expose and humiliate the company. In recent months, senior executives at some of the country’s top institutions and corporations have also been targeted.
Neal O’Farrell, head of the Identity Theft Council, worries that organized crime might soon become involved. O’Farrell says, “There are so many different hacking and hacktivist groups, it’s getting harder to verify claims of exactly who’s behind a specific attack.” He also said, “Some attacks could actually be linked to organized crime.”
When considering the risk of any type of attack, exposure of personally identifiable information should always be assumed.
So what can your company do to protect itself? Add more authentication, add more encryption, get into compliance with the federal and state privacy and security laws, and beef up your insurance coverage.
Well, that didn’t take long. Last week we learned of the Zappos data breach; this week Zappos and its parent Amazon were named in a class action lawsuit claiming the shoe retailer didn’t adequately protect customers’ information.
According to the Associated Press, “Zappos alerted employees and customers by email Sunday that names, phone numbers, and email addresses of its customers may have been accessed in a hacker attack. The company said customers’ credit card and payment information weren’t stolen.”
The AP also reported, “The civil negligence lawsuit seeks unspecified millions of dollars in compensatory and exemplary damages for emotional distress and loss of privacy, along with a court order for the company to pay for customer credit monitoring and identity theft insurance and periodic audits to ensure customer data is secure.”
If data breaches are happening to big companies like Zappos, how exposed is your company? Do you have the necessary compliance measures in place to satisfy the feds, the states and the plaintiffs’ attorneys in the event of a breach? Do you have the proper insurance in place as well?
As you’ve probably heard, Zappos, the online shoe retailer, has experienced a data breach affecting 24 million customers’ names, email addresses, billing and shipping addresses, phone numbers and the last 4 digits of their credit cards.
Zappos believes the cyber attack was carried out by a criminal who gained access to its internal network.
Fortunately, at least on the surface, it seems Zappos has a privacy and security program in place that includes a breach response strategy: customer service reps have been taken off the company’s toll-free order entry line and deployed to respond to customer email. A program such as this is part of both federal and most state compliance requirements on how to handle sensitive information.
Is your company prepared for the inevitable data breach?
© 2008-2012 Julie Ryan All Rights Reserved