Hospitals, a Danger to Your Personal Data

May 20th, 2008 by Alina (0) DLP, Data Leakage, Data Loss, Data Theft, IT security, Identity Theft, In The Spotlight, Laws & Standards, endpoint security

According to a recently released study carried out by research firm HIMSS Analytics and risk management company Kroll Fraud Solutions, from 2006-2007, over 1.5 million patients’ personal information was exposed through hospitals alone, allowing them to be threatened by identity thefts. The survey however does not take into account insurance companies, pharmaceutical companies or individual doctors’ offices, which would have meant a significant increase in the total number.

According to Dark Reading, we should keep in mind that these numbers are based on reporter breaches only. About 44 percent of hospitals that experienced a breach in 2007 didn’t inform the patients whose records were affected, as shown in the study.

Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is a high awareness of the security requirements described in Health Information Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.

This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.

Data on 700 Children with Social and Developmental Problems Lost

April 30th, 2008 by Alina (0) Data Loss, Data Theft, IT security, endpoint security, security breach

Medical data on about 700 children and teenagers with social and developmental problems from Hong Kong have recently been lost. The data loss was admitted to by the territory’s government at the end of last week.

The records were stored on a memory card which was stolen from a Child Assessment Centre in the city’s Tuen Mun district. The government’s Department of Health, quoted by M&C News, said the memory card had been kept in an unlocked room.

The lost data included detailed records of interviews with troubled youngsters including assessments and, in some cases, their photos, identity card numbers and addresses.

CoSoSys to Protect SearchAmerica

April 23rd, 2008 by Alina (0) DLP, Data Leakage, Data Loss, Data Theft, In The Spotlight, In the News, endpoint security

CoSoSys, the leading provider of End Point Security solutions, has recently announced that SearchAmerica has selected Endpoint Protector 2008 to manage and enforce portable device security policies in their IT environment. The solution SearchAmerica chose is quite new and extremely powerful, and it will protect all company workstations, notebooks and servers against data loss, data theft and other forms of data leakage.

CoSoSys has added a rather important client to its portfolio, as SearchAmerica is the industry leader in financially clearing patients through address verification, prediction of payment and automated charity/Medicaid processing. See more in the official press release.

Stolen Hardware - Most Common Cause for Data Breaches

April 12th, 2008 by Alina (1) Data Loss, Data Theft, IT security, In the News, endpoint security, security breach

Stolen or lost hardware, from laptops to USB sticks and portable hard drives, were the most common cause of data breaches in 2007, outranking malicious software. These findings have been recently released by Symantec in its latest Internet Security Threat Report. As SecurityFocus shows, this is a significant conclusion, given that the number of unique variants of malicious software more than quadrupled in 2007.

the theft of computers and storage devices, not malicious code, accounted for the majority of lost data. In the latter half of the year, such physical theft accounted for 57 percent of data breaches, up from 46 percent in the first half of 2007, the report stated. While the government had only the second highest number of breaches — 20 percent of the total compared to 24 percent for the education sector — those breaches accounted for 60 percent of identity theft, the report stated.

Security - Necessary Evil for Businesses

April 10th, 2008 by Alina (0) IT security, In the News, endpoint security, security breach

Discussions taking place at the RSA 2008 Conference held in San Francisco point out that security concerns are more and more of a drag on business innovations. According to RSA president Art Coviello, quoted by Dark Reading, this results in holding back companies’ creative thinking.

Coviello backed his opinion with statistics from research conducted by IDG and commissioned by RSA:

“More than 80 percent of IT, security, and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns,” he told the RSA audience in a keynote address Tuesday morning.”

Security policies place quite a significant pressure on users who are always told one click can lead to disaster and are always faced with cryptic dialogs boxes that aren’t at all helpful.

Worse, in most organizations security is viewed at best as a necessary evil, due to IT’s primary focus on trying to constrain behavior and prevent some desktop mishap, “Although well-intentioned, the inevitable result is that security practitioners are not viewed as enablers but people preventing the business from doing what it needs to do,” said Bill Boni, corporate vice president of information security and protection for Motorola, and one of the IDG survey respondents quoted by the RSA exec.

After identifying the negative effects of security on business innovation, Coviello also came with a solution. The best way to address downsides is a change in security mentality, a switch from saying “no” to potentially harmful actions to showing how they should be safely performed.

“The next time a new idea comes up, don’t start by saying it isn’t secure — start by evaluating exposures, the probability of the exposures being exploited, and the materiality of the consequences. Then put forth a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk.”

This situation fully applies to Endpoint Security. There’s been a lot of buzz on how portable storage devices, such as USB sticks, smart phones and iPods can cause the ugliest virus infections, how they enable data theft and how loosing one with sensitive data can endanger the identities of millions. This leads to restrictive measures such as cutting all access to these devices. The negative result is less mobility of employees, less space for them to work and innovate, less effectiveness on their side.

The actual response to ongoing threats is learning how to handle portable storage devices safely, so as to benefit from all their advantages without overlooking their embedded threats.

How to Secure Thumb Drives

March 29th, 2008 by Alina (0) DLP, Data Loss, Data Theft, IT security, endpoint security, security breach

DarkReading has recently published an article exploring the methods and reasons why company should secure their thumb drives. The first issue they bring into our attention is whether stolen or lost USB are less often reported (when compared to laptops for example) because companies have learned to protect them or because they are so hard to track, no one has any idea of how many have been lost or ever used within a certain network. 

I’d have to say that unless companies cut access to their USB ports or implement a comprehensive endpoint security application, no one will ever be able to tell how many employees have ever used flash drives to carry data to and fro the office and how often they have misplaced them. 

Here are a few of the security methods presented by DarkReadeing that a company is presented with and has to choose from when trying to prevent the damages thumb drives entail: 

  • blocking all USB ports on all network computers – I would say that’s impracticle as instead of benefiting from all advantages of easy portability and storage, a company would force employees to use other methods to carry their project between work and home. And to my mind, it’s harder to secure an entire laptop than it is for a thumb drive.
  • Relying on the security software USB producers advertise – could work, given the security is not a marketing scam only. If it’s not, what is offered, points out DarkReading, can be quite limited
  • A hybrid approach mixing advanced data encryption with a system to allow only certain pre-aproved USB drives.
  • Using cheap drives and open source encryption technology, but only when you really trust your employees. I’d say this is a bit futile, as if trust is what you base the security policy on, why implement it in the first place? Security is not a matter of trusting or not trusting personnel. It’s a matter of noticing breaches can happen to anybody and that all employees are human and can easily err. Or get really mad at you and hurt your business on purpose.

CareFirst Dental HMO Exposes Data of 75,000 Members

March 28th, 2008 by Alina (0) Data Loss, IT security, In the News, endpoint security, security breach

One of the purposes of Endpoint Security is to actively prevent damages caused by inside threats. Such threats don’t always refer to malevolent employees waiting around the corners to steal proprietary technology or private records. It also refers to members of your organization being mugged or simply loosing their laptop, PDA, iPhone or flash drive with sensitive information. Moreover, it aims to prevent human errors. Though uncommon, personnel transferring the wrong data and exposing it to wrong doers does happen.

One of the most recent cases has been covered by The Baltimore Sun. A CareFirst BlueCross BlueShield dental HMO called Dental Network accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public Web site last month and didn’t notify them until about three weeks later.

Experts say security breaches such as The Dental Network’s - where the company itself inadvertently posts the information - are uncommon. More often, experts say, information is compromised when hackers break into a computer system or when computers are stolen - as happened with the theft of a National Institutes of Health laptop last month.

Although state laws impose timely notifications being sent to all those involved, The Dental Network discovered the security breach on February 20 and informed members through a letter letter send on March 10.

A state law passed last year requires businesses to promptly notify those potentially affected by a security breach or theft, according to the Maryland attorney general’s office. Approval followed the loss of computer tapes containing information on more than 135,000 Johns Hopkins employees and patients in early 2007.

The Dental Networks representative stated however that they did their best and announced their members as soon as they could. Still, drafting and editing a letter, printing it and mailing it should take a lot less than 3 weeks.

Stolen Agilent Laptop with Records of 51,000 Employees

March 26th, 2008 by Alina (0) DLP, Data Theft, IT security, In the News, endpoint security, security breach

There have been quite a few cases of stolen laptops that contained private records of hundreds, thousands and even hundreds of thousands of individuals. They’re increasing number and in some cases the consequences are a pretty strong argument when it comes to convincing other companies they need to secure their endpoints. But apparently, recognizing the risk and having a contract signed compelling another company to protect your data is not enough. At least it wasn’t in the case of Agilent Technologies.

A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of said company has been recently stolen from the car of an Agilent vendor from San Francisco. According to MercuryNews.com, the theft was announced by Agilent in a letter sent to former employees. The stolen data included employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards.

In the letter, Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - “in violation of the contracted agreement.”

“It wasn’t encrypted, which was a surprise to us,” said Agilent spokeswoman Amy Flores. She said the vendor told Agilent that an East Coast employee had brought the data-laden laptop to California for encryption, but someone broke into her car and stole the computer and her other belongings while the vehicle was parked near Fisherman’s Wharf.

Sensitive Medical Data of 2500 Patients Stolen

March 25th, 2008 by Alina (0) Data Theft, IT security, In the News, Laws & Standards, endpoint security, security breach

Private medical details of over 2,500 patients taking part in a study conducted by the National Institutes of Health have been stolen. The information was stored on a government laptop computer which was stolen in February. The data accounted for seven years of clinical trial, exposing names, medical diagnoses and details on patients’ heart scans. Although governmental policies enforce it, the stolen data was not encrypted.

It took NIH a month to reveal the theft and start notifying the patients whose sensitive records have been lost. According to the Washington Post, the reason behind NIH officials’ hesitation was their concerns they would cause false alarms.

Elizabeth G. Nabel, director of the National Heart, Lung and Blood Institute (NHLBI), said in a statement issued late Friday that “when volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically.” She said that “we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust.”

NIH officials said the laptop was taken Feb. 23 from the locked trunk of a car driven by an NHLBI laboratory chief named Andrew Arai, who had taken his daughter to a swim meet in Montgomery County. They called it a random theft. Arai oversees the institute’s research program on cardiac magnetic resonance imaging and signed the letters to those whose data was exposed.

Given this recent data theft incident, government agencies should really take the findings of the Government Accountability Office regarding security more seriously and start implementing more effective security policies.

Mindblowing Data Breaches of 2007

March 17th, 2008 by Alina (1) Data Leakage, Data Loss, Data Theft, IT security, In The Spotlight, endpoint security

CSO Online has recently published a top 10 of the most significant data breaches of 2007. They have analyzed stolen hardware, malware infections and other such security breaching activities. CSO has also concluded the “most brilliant lunacy” of the year was to require the usage of social securities numbers as passwords.

If you haven’t guessed who the dark winner is, it’s the nasty TJX affair. But considering other data and facts we’ve recently told you about, the CSO estimated losses seem to be a bit off. Nevertheless, the top is quite interesting and a very good reminder security should never be taken lightly.

« Previous Entries
© Endpoint Security Info 2008. Wordpress Theme by Arcsin

blogarama - the blog directory Technology Blogs - BlogCatalog Blog Directory Blog Directory Find Blogs in the Blog Directory
valid CSS valid XHTML