Security News, Vulnerabilities, Data Breaches, Website Security
HIPAA
What is the value of a Data Breach?
Jan 27th
- Image by Getty Images via Daylife
SC magazine just reported that the Ponemon Institute has determined the cost of a data breach is $204 per record. “Data breaches last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual “Cost of Data Breach” study released on Monday by the Ponemon Institute… The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009. In addition, data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches.” There are a number of ways to protect your data in transit such as PGP Encryption but when the companies looses data, there isnt much the end user can do to protect themselves.
Thats a lot of money. If we look at the data breach of Heartland, which was over 100 million records, that, well let me do the math, may take a minute. Its $20,400,000,000. Thats a lot of money. Condidering I was a shopper mostlikely of Heartland, I do not recall getting a check from anyone for $204. I will not hold my breath for that. We all asked if the retailers like Heartland and TJ Max had a PCI Audit done. Would this have protected our information?
So far, I am pretty sure I recieved a letter offering me free 2 year credit monitoring from Chase, Citibank, Bank of America and Countrywide because thet lost my records. I am waiting for my check for $204 from each of those companies. Also, over the past few years I have had to have my credit cards replaced with Chase, American Express, and several Visa versions. So I am still waiting for those $204 checks. Maybe in total I am owed about 9x$204=$1,836. That will be a nice check when I get it.
Security Requirements
So what can a company do to help reduce these data breaches? The easy answers, yet not implemented, include:
1) Encryption of back-up data and tapes
2) Conduct yearly Vulnerability Assessments
3) Conduct Quarterly or Monthly Vulnerability Scanning
4) Implement a Data loss prevention solution
5) Go through a PCI Audit or HIPAA Security Assessment yearly
Related articles by Zemanta
- Data breach costs continue to rise (v3.co.uk)
- Survey: Data breaches from malicious attacks doubled last year (news.cnet.com)
- Breach numbers fall while costs rise Ponemon study finds (v3.co.uk)
Regards
Gary Bahadur
http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=f1ed6c34-1f2a-4642-b40c-ac12e03f3b45)
HIPAA Vendor Compromised Healthcare Records
Nov 12th
This is story that is several months old, but as I came across it, i thought it would make a good point. A vendor handling healthcare records has lost social security numbers of people in March of 2009. In this case, Health insurer Aetna, Inc., is reportedly providing 65,000 individuals with free credit monitoring for a year after its job application Web site was breached, the Associated Press has reported.
The Web site, which was maintained by an outside vendor, had Social security numbers of current and past employees and individuals who received job offers from the insurer, the AP reported.
The site reportedly held e-mail addresses for about 450,000 individuals who had applied for jobs or submitted resumes to the company and were waiting to be notified about job openings. Spokeswoman Cynthia Michener said Aetna doesn’t know how many were copied, but the site has been disabled and is undergoing a “thorough forensic review” or you can say network security audit by an outside company.
So here we have a health insurer compromising personal data. People already recieve so much spam email that their real email is suspect. If your provider Aeata seems to be sending ligitimate emails to you, that can get confusing.
As noted in the article “This is not the first time the Hartford, Conn.-based insurer has had to provide free credit monitoring services. In April 2006, Aetna notified approximately 38,000 members that an employee’s laptop computer containing certain personal member information was stolen from a car in a public parking lot.”
If a compromise occurs once, you would think that a lot of new HIPAA data security protections would be put in place. But as we see in almost all industries, its very hard for a company to learn from its mistakes. Maybe there will not be a third time after this second breach.
Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=d25ea83e-d17c-440a-b00c-2001ab64b257)
HIPAA Compliance Data Breach with a Foreign Supplier
Nov 3rd
Recently, the Economic Times Report in India discussed a successful “Sting operation by a UK agency in which some health related data was bought from a medical transcription company” . What this means is all that perosnal and HIPAA confidential data that was being transfered for transcription got stolen in the most likely scenario. There have been few stories of this type of Data Breach so far. The Suppliers to US companies have not made the headlines but this might be just the begining fo that wave. The two components of HIPAA Security are Logical and Physical Security. Remote partners can easily breach your logical security controls.
Is there any real view that the US can export the security laws such as HIPAA Security to all parts of the world that handle US customer data? How do you monitor the activities of your suppliers once the data has left yoru network? In the US, a company can control all the security devices such as Firewalls, Intrusion Detection Systems, Antivirus on Servers and Patch Management of servers hosting confidenial data. There are all parts of most security regulations including PCI, SOX, GLBA and more. But the endpoint of security has left these shores and resides in India, China, South America, Vietname and anywhere else you have a supplier.
As your data now resides in a foreign country, what are the reporting requirements of a breach? HIPAA security policy has timeframes, reporting requirements and penalties. The only real penalty a company oversea may face is loss of the contract. Few governments are upt o enforcing security rules outside of actual hacker activity.
So what are some steps you can take to implement Supplier Security?
1) Conduct a Vulnerability Assessment of your connectivity to your Suppliers’ networks
2) Define process and policy controls that the Supplier has to have in place in order to hold your data
3) Assign risk ratings to all data the Supplier handles
4) Conduct an risk assessement of the impact of losing the data
5) Develop a Incident Response plan for the Supplier losing your data
6) Asses the supplier security procedures on a yearly basis
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
FTC’s Additional Rules for HIPAA Security
Aug 23rd
FTC’s Additonal Rules for HIPAA Security
The Federal Trade Commission (FTC) recently issued a rule which gives more scope to the data breach notification rules as part of the Health Insurance Portability and Accountability Act (HIPAA). The addition targets companies that provide health info in an online storage facitlity. Things like Google Health or Healthvault would fall under this category.
This seems like it should be an obvious thing to do. Why would you let any entity keep your health information without following strict regulatory requirements? It is definitely a good thing to force companies that keep your health information to notify consumers following a data security breach if the breach involves more than 500 people or even 5 people. The question is how do you track down all these companies that store health information and force the the company notify customers? How do you know when a smaller companay has lost information? We still struggle with this question for the hospitals and healthcare organizations that currently have to comply with the HIPAA regulations or the Hipaa Security Rule. CVS recently had to pay $2.5 million in fines. I wonder what that is in comparison to the cost to consumers who have problems with their data being stolen. (I wouldn’t use the term “lost”)
Part of the changes coming from the FTC is the utilization of mobile devices that capture, use, transmit and store data. What are the hospital security requirements of these devices? Does a mobile hand scanner or a mobile device that stores info have to have a built in firewall and antivirus as would a laptop? The only real way to deal with this is to conduct Hipaa Risk Assessment but how many companies actually do it properly?
Have you seen the list of breaches on Privacyrights.org? I like this recent one in particular. You cant find such a list on the FTC site.
“ July 31, 2009 Jackson Memorial Hospital: (Miami, FL) A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.”
Is every company required to do network security assessment and register their device if it captures, uses, transmits any kind of health information? Is any website that does the same required to register with the FTC? But I wonder if you had such as database and hackers got into it, how much more trouble would we be in? Check out our HIPAA Top 5 Steps to Compliance for some fun reading.
I do not think I came to any real conclusions with this post. Isn’t blogging wonderful?Gary Bahadur
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
Miami, Fl
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*Website Security Assessment
HIPAA Assessments are the next wave
Jul 12th
In February, CVS was ordered to pay a fine of 2.5million dollars by the FTC. This fine was because their employees threw out personal information about patients. Who knew poor recycling programs could cost so much? HIPAA has been around for a number of years but not until recently did we see that it has teeth and companies are going to be held accountable. CVS has to have an assessment every other year now for 20 years. And assessments are not cheap! Assessments based on the Security Rule cover many areas of technology controls such as Firewall protection, Antivirus, Encryption, Vulnerability Scanning and much more. I am sure conducting an assessment rather than getting fines would have been much cheaper for CVS.
The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments.
There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.
For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place.
Regards
Gary Bahadur
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
Recent Comments