Hospitals, a Danger to Your Personal Data
According to a recently released study carried out by research firm HIMSS Analytics and risk management company Kroll Fraud Solutions, between 2006 and 2007 the personal information of over 1.5 million patients was exposed through hospitals alone, leaving them open to identity theft. The survey does not, however, take into account insurance companies, pharmaceutical companies or individual doctors’ offices, which would significantly increase the total.
As Dark Reading points out, we should keep in mind that these numbers are based on reported breaches only: about 44 percent of hospitals that experienced a breach in 2007 did not inform the patients whose records were affected, according to the study.
Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While awareness of the security requirements of the Health Information Portability and Accountability Act (HIPAA) is high among hospital IT professionals, most hospitals put too much emphasis on compliance and not enough on real security vulnerabilities, the study says.
This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals hold birth, health and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromised or altered records can affect insurance eligibility, or even patient safety if medical data is manipulated.
Californian Supermarket Shoppers, Victims of Identity Theft
Over 100 shoppers at a supermarket in Los Gatos, California, became victims of identity theft when their debit and credit card data was stolen through the checkout card reader. The thieves who targeted Lunardi’s grocery store used the stolen PINs and card information to create fake cards, which they subsequently used to shop around.
Supermarket customers have been reporting cases of identity theft to the authorities for over a week and, according to Dark Reading, have lost an average of $1,000 from their bank accounts.
“What we have here is more than one person — they’ve been able to get in there (Lunardi’s) and switch out the ATM card reader,” said Los Gatos-Monte Sereno police Sgt. Tam McCarty in an article in the San Jose Mercury News. “Once they’ve done that, they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone.”
88,000 Patients Exposed to Identity Theft
Hardware containing personal information on about 88,000 patients of the Staten Island University Hospital was stolen last December.
According to Silive.com, after four months of investigation that has led to no arrest, hospital administrators are now starting to send letters to patients who are exposed to identity theft. The desktop computer and backup hard drive stolen from one of the hospital’s finance offices contained patients’ names, Social Security numbers and health insurance numbers.
“The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,” said a hospital statement released yesterday afternoon by spokeswoman Arleen Ryback. The time frame for when patients whose information was included in the data were treated was not immediately known.
Ms. Ryback said no medical records were included in the files, but wouldn’t speculate why SIUH waited so long to notify people.
Private Information on Iredell County Taxpayers Stolen
The Iredell County Tax Collector’s Office has just informed the public about an information theft that took place at the end of April. A courier vehicle providing services for First Citizens Bank was stolen in Charlotte; its shipment included data related to Iredell County tax payments. According to Prime Newswire, Charlotte law enforcement officials are currently investigating the incident, but the contents of the shipment have yet to be recovered.
The stolen shipment contained a computer report of 468 taxpayers’ check information, including account numbers, check numbers, check amounts and routing numbers from the various banks on which the checks were drawn. There were also copies of tax bills that contained taxpayer names, addresses and other public information related to tax payments.
Data on 700 Children with Social and Developmental Problems Lost
Medical data on about 700 children and teenagers with social and developmental problems from Hong Kong has recently been lost. The territory’s government admitted the loss at the end of last week.
The records were stored on a memory card which was stolen from a Child Assessment Centre in the city’s Tuen Mun district. The government’s Department of Health, quoted by M&C News, said the memory card had been kept in an unlocked room.
The lost data included detailed records of interviews with troubled youngsters including assessments and, in some cases, their photos, identity card numbers and addresses.
CoSoSys to Protect SearchAmerica
CoSoSys, the leading provider of End Point Security solutions, has recently announced that SearchAmerica has selected Endpoint Protector 2008 to manage and enforce portable device security policies in its IT environment. The solution SearchAmerica chose is quite new and extremely powerful, and it will protect all company workstations, notebooks and servers against data loss, data theft and other forms of data leakage.
CoSoSys has added a rather important client to its portfolio, as SearchAmerica is the industry leader in financially clearing patients through address verification, prediction of payment and automated charity/Medicaid processing. See more in the official press release.
DLP on the Right Track, but not Foolproof
Speakers at RSA 2008 said the Data Loss Prevention (DLP) segment of the security industry is reporting impressive improvements, but it is still not able to stop innovative attacks. While it may be the new hot shot of the security industry, DLP can fail to stop every data breach.
In a Symantec-sponsored panel on DLP, speakers were highly optimistic about the future of this new technology, which, according to Dark Reading, “is designed to monitor, detect, and control the egress of sensitive enterprise data in an organization”. Yet the panel acknowledged that descriptions of insider-theft technology as omnipotent are grossly exaggerated. Here’s a selection of the most interesting quotes Dark Reading published:
“The idea that you’re going to be able to protect every piece of data all the time is probably impossible,” said Joseph Ansanelli, former CEO of DLP pioneer Vontu and now vice president of DLP at Symantec, which bought Vontu last year. “It’s not going to happen.”
“DLP is a tool,” said Craig Shumard, CISO for CIGNA Corp., a Vontu user. “It’s one of a number of things you can use to help control the insider threat. But it’s not the whole solution.”
The key, Rich Mogull, founder of Securosis, says, is to define your “sensitive” data before deploying DLP. “You need to put all of your business people in a room and force them to choose which data is the most valuable,” he said. “Once you’ve done that, you can use DLP to start monitoring that data, to set policies for protecting it, and eventually, to enforce those policies.”
How to Secure Thumb Drives
DarkReading has recently published an article exploring how and why companies should secure their thumb drives. The first issue it brings to our attention is whether stolen or lost USB drives are reported less often than laptops, for example, because companies have learned to protect them, or because they are so hard to track that no one has any idea how many have been lost or even used within a given network.
I’d have to say that unless companies cut access to their USB ports or implement a comprehensive endpoint security application, no one will ever be able to tell how many employees have ever used flash drives to carry data to and from the office and how often they have misplaced them.
Here are a few of the security methods presented by DarkReading that a company can choose from when trying to prevent the damage thumb drives can cause:
- blocking all USB ports on all network computers – I would say that’s impractical as instead of benefiting from all advantages of easy portability and storage, a company would force employees to use other methods to carry their project between work and home. And to my mind, it’s harder to secure an entire laptop than it is for a thumb drive.
- Relying on the security software USB producers advertise – could work, given the security is not a marketing scam only. If it’s not, what is offered, points out DarkReading, can be quite limited.
- A hybrid approach mixing advanced data encryption with a system to allow only certain pre-approved USB drives.
- Using cheap drives and open source encryption technology, but only when you really trust your employees. I’d say this is a bit futile, as if trust is what you base the security policy on, why implement it in the first place? Security is not a matter of trusting or not trusting personnel. It’s a matter of noticing breaches can happen to anybody and that all employees are human and can easily err. Or get really mad at you and hurt your business on purpose.
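As an added illustration of the hybrid approach above (this is example code written for this page, not code from DarkReading or any product), the following Python policy evaluator admits a drive only when it is on a register of pre-approved serials and its volume is encrypted, failing closed for drives that report no serial. The vendor/product ids, serials and the `encrypted` flag are constructed sample values that a hypothetical host agent is assumed to report.

```python
"""Allowlist policy for removable USB storage (the "pre-approved drives" half of the
hybrid approach). Ids, serials and the encrypted flag are constructed sample values."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str          # USB idVendor as a hex string
    product_id: str         # USB idProduct as a hex string
    serial: Optional[str]   # iSerial; many cheap drives report none
    encrypted: bool         # assumed: set by a host agent after inspecting the volume

# Constructed register of drives the company issued. The serial is the anchor,
# because vendor/product ids are shared by every unit of the same model.
APPROVED = {
    ("0781", "5583", "4C530001234567890001"),
    ("0951", "1666", "E0D55EA5B1E7F3C0A9B2"),
}

def evaluate(device: UsbDevice, approved=APPROVED):
    """Decide whether the drive may be mounted. Returns (decision, reason)."""
    serial = (device.serial or "").strip()
    key = (device.vendor_id.lower().zfill(4), device.product_id.lower().zfill(4), serial)
    if not serial:
        # Without a serial the drive cannot be tied to an issued one: fail closed.
        return "deny", "no serial number, cannot match an approved drive"
    if key not in approved:
        return "deny", "drive is not on the approved list"
    if not device.encrypted:
        # Approved hardware alone is not enough: a lost drive leaks unless encrypted.
        return "deny", "approved drive but volume is not encrypted"
    return "allow", "approved drive with encrypted volume"

def audit(events, approved=APPROVED):
    """Run the policy over plug-in events (host, device); one log line per event."""
    lines = []
    for host, dev in events:
        decision, reason = evaluate(dev, approved)
        lines.append(f"{host} {dev.vendor_id}:{dev.product_id} "
                     f"serial={dev.serial or '-'} {decision.upper()}: {reason}")
    return lines

# Constructed plug-in events, one per branch of the policy.
SAMPLE_EVENTS = [
    ("ws-12", UsbDevice("0781", "5583", "4C530001234567890001", True)),   # allow
    ("ws-12", UsbDevice("0781", "5583", "4C530001234567890001", False)),  # unencrypted
    ("ws-07", UsbDevice("0781", "5583", "DEADBEEF000000000001", True)),   # unknown serial
    ("ws-03", UsbDevice("abcd", "1234", None, True)),                     # no serial
]
```

The log lines from `audit` are the kind of evidence that answers the question raised above of how many drives are actually in use, since every plug-in event is recorded whether it is allowed or denied.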
CareFirst Dental HMO Exposes Data of 75,000 Members
One of the purposes of Endpoint Security is to actively prevent damage caused by insider threats. Such threats don’t always refer to malevolent employees waiting around the corner to steal proprietary technology or private records. They also refer to members of your organization being mugged or simply losing a laptop, PDA, iPhone or flash drive holding sensitive information. Moreover, Endpoint Security aims to prevent human error. Though uncommon, personnel transferring the wrong data and exposing it to wrongdoers does happen.
One of the most recent cases has been covered by The Baltimore Sun. A CareFirst BlueCross BlueShield dental HMO called Dental Network accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public Web site last month and didn’t notify them until about three weeks later.
Experts say security breaches such as The Dental Network’s - where the company itself inadvertently posts the information - are uncommon. More often, experts say, information is compromised when hackers break into a computer system or when computers are stolen - as happened with the theft of a National Institutes of Health laptop last month.
Although state law requires timely notification of all those involved, The Dental Network discovered the security breach on February 20 and informed members through a letter sent on March 10.
A state law passed last year requires businesses to promptly notify those potentially affected by a security breach or theft, according to the Maryland attorney general’s office. Approval followed the loss of computer tapes containing information on more than 135,000 Johns Hopkins employees and patients in early 2007.
The Dental Network’s representative stated, however, that they did their best and notified members as soon as they could. Still, drafting and editing a letter, printing it and mailing it should take a lot less than 3 weeks.
Personal Data Thrown in the Dumpster
The financial information and Social Security numbers of hundreds of residents of Flint, USA, have been found in a dumpster. Customers of Affordable Realty had entrusted these private details to the mortgage company. When Affordable Realty was evicted from the building where its office was located, company representatives thought the best place to get rid of the data would be the nearest dumpster.
ABC12 News has a video record of the incident, along with some text comments. Let’s hope the company is properly held responsible, to prevent similar incidents in the future.
