WAM – the entire company’s network is infected with a new virus that the anti-virus program did not recognize.

The dropping of virus seeds in the way of USB drives is a very common attack. Drives are left in corporate lobbies, doctor’s offices, parking lots, restaurants, any place where people gather. The thieves are counting on Good Samaritans to help their follow man or woman.

Employers need to inform their employees of the following procedures:

1. If they find a USB drive never have them put it into their computer

2. They should give the drive to IT to determine what they want to do with it.

3. If there is no IT dept either drob the drive into the garbage or first smash it with a hammer before dropping it into the garbage.

4. Don’t worry that someone will loose important data. They probably have backup and if they don’t they soon will; and if there was confidential data on the device you just saved the company’s customers from a data breach.

Medical Identity Theft in Healthcare

Publication Date: March 2010

While identity theft is a global issue that garners much media attention, most do not realize that medical identity theft is a serious and growing threat. Many authorities consider medical identity theft one of the fastest growing crimes in America. With the digital age of healthcare upon us, the risks are expected to increase as electronic medical records become more prevalent and the exchange of this data over expanding networks becomes more pervasive. Heightened concern over personal data security and privacy highlight the importance of having secure electronic medical identities.

1.5 Million Victims of Medical Identity Theft

According to a recent Ponemon Institute study, nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion – or approximately $20,000 per victim. [1] Further evidence of the significance of the medical fraud problem is the allocation of $1.7 billion for fraud detection in the 2011 U.S. Health and Human Services Department budget. [2] In 2009, 68 reported healthcare data breaches in the U.S. put over 11.3 million patient records at risk of exposure. [3] Two notable instances are the Health Net breach and the Virginia Department of Health Professions breach.

• Health Net (a Connecticut-based health insurance plan) reported the loss of a hard drive containing seven years of personal and medical information on about 1.5 million Health Net customers. They reported the lost drive six months after it disappeared. [4]
• Virginia Department of Health Professions was the victim of a $10 million extortion plot to expose over 8 million patient records and 35 million prescriptions. [5]

Patients whose medical identities are stolen face serious lingering effects. Fraudulent healthcare events can leave erroneous data in medical records. This erroneous information – like information about tests, diagnoses and procedures – can greatly affect future healthcare and insurance coverage and costs. Patients are often unaware of medical identity theft until a curious bill or a surprising line of questioning by a doctor exposes the issue. Then, the burden of proof is often with the patient and it can be difficult to get the patient’s legitimate medical records cleaned up. The consequences can also be life threatening and can lead to serious medical errors and fatalities.

The American Recovery and Reinvestment Act (ARRA) and the associated provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act have highlighted the need to address privacy and security across our healthcare system. In fact, HITECH requires that consumers be notified of healthcare data breaches. Alerting patients when their personal health information has been breached is a necessary response, but it is a reactive measure. It does nothing to prevent the breach or address the subsequent issues patients face when they are victims of medical identity theft. The healthcare industry also needs policy that takes a proactive approach–one that implements controls and technology that assure patient information is always protected. It needs to make secure electronic medical identities a priority.

As the ARRA provides incentives for more and more doctors to adopt electronic health records (EHRs), and as health information exchanges (HIEs) becomes more commonplace, consumers are even more at risk of medical identity theft from an intentional or unintentional breach of healthcare records, or the “loss” or theft of a laptop. Right now, healthcare records are likely to be on paper, and secured by the physical safeguards and administrative procedures in the doctor’s office. When these records are digitized and accessible via interconnected EHRs and HIEs, the potential for exposure grows exponentially.

A related issue to identity theft, and a significant problem for the healthcare industry, is the problem of mistaken identity, which can be life threatening. Today most HIEs rely on a record locator service (RLS) to find where patients’ data are stored. Many use a “probabilistic match,” which depends on various pieces of information such as the patient’s name, address, Social Security number, date of birth and other personal information. These methods are not 100% accurate and can lead to potentially fatal errors. For example, in an emergency situation, a patient who has been incorrectly identified could be given a transfusion of the wrong blood type. Compounding the issue is the fact that patients must provide this personal information each time they visit a provider so that their records can be located. These verbal and paper-based identification processes are ambiguous and error-prone, as well as ripe for fraud and abuse.

Addressing Medical Identity Theft

The way to stop medical identity theft and identity confusion is to improve patient identification and provide enhanced data protection. Strong authentication and data encryption are methods that can achieve these goals.

Industry experts are already calling for this change. The Medical Identity Final Report prepared by Booz Allen Hamilton for HHS stated, “Many stakeholders in medical identity theft have noted that patient authentication can be one of the simplest yet most effective methods in preventing medical identity theft. Patient authentication consists of ensuring that patients receiving services are the individuals they claim to be. Patients are often asked to provide only verbal assertions of identity and coverage. However, technology solutions such as biometrics, smart cards, or electronic patient records may be able to assist providers in verifying patients’ identities based on past histories, demographics or facial photographs.” [6]

To address medical identity theft, solutions need to provide higher levels of assurance than today’s processes, whether the interactions are in person or remote. Identity management is a crucial foundation for healthcare, and solutions that incorporate smart card technology can be used to address the security and privacy challenges facing the industry. This foundation can be put in place without reinventing the wheel. The federal government has already established a set of best practices, standards and technology solutions for smart card-based identity management and authentication that can be adapted to and leveraged by the healthcare industry.

How Strong Authentication and Data Encryption Prevents Medical Identity Theft

Strong authentication of identity is a critical step in addressing medical identity theft. All personal health record (PHR) providers, health record banks, health insurance and hospital Web portals should provide two-factor authentication mechanisms to their end users to help secure access to personal health information. In two-factor authentication schemes, individuals typically use a card, token or mobile device to access their health information or prove identity when obtaining healthcare services. The safest and most secure two-factor methods are based on smart card technology, where a tamper-resistant chip with security software is embedded into the card, token or mobile device (like a mobile phone). This is the same technology that is used in U.S. electronic passports, and in the U.S. federal government’s employee ID cards that are used to access the nation’s most secure computer networks and facilities. A smart card allows patients to unambiguously identify themselves to their healthcare provider when accessing patient records or requesting healthcare services.

Data encryption also plays an important role in the protection of personal health information (PHI) and is now mandated as part of the breach notification laws. Encrypting PHI protects against access by intruders; smart cards provide a robust set of encryption-enabling capabilities including key generation, secure key storage, hashing and digital signing. Smart cards also add strong authentication capabilities that ensure only authorized users are able to access PHI. These capabilities can be used by a healthcare system to protect privacy in a number of ways. A doctor can use a smart card to digitally sign orders or prescriptions, protecting the information from subsequently being tampered with and providing assurance that the doctor was the originator of the information. The fact that the signing key originated from a smart card adds credibility and a greater legal stature to the record. The smart card provides two major benefits: one, it securely holds and protects the keys; and two, it is portable, so it stays with the doctor and not in the computer where someone else might be able to fraudulently use it. Smart cards can also put patients in control of their private information. Patients can use their smart card to securely store personal health information, authorize provider access to that information, and secure transmission of data to healthcare systems.

Heath care reform in the U.S. is a major undertaking and it will take time to achieve the levels of identity management and data protection that are required by new electronic health record systems. But the size of the task should not prevent the healthcare industry, both private and public, from beginning the journey towards better securing heath information and increasing the efficiency and quality of the nation’s healthcare delivery systems. As the industry moves toward the goal of electronic health records for all patients and with all providers, the need for strong identity management becomes more pressing. Issuing proper identity credentials and authenticating identity are solid steps in modernizing the U.S. healthcare system.

Issuing secure patient and provider identity credentials based on smart card technology will help to reduce medical identity theft, and will also bring numerous efficiencies to existing healthcare administration systems. Identity and authentication solutions based on smart card technology will provide an ideal foundation for improving the security and privacy of health information systems and electronic health records.

References

1. Survey conducted by The Ponemon Institute in February 2010
2. “HHS Budget Makes Smart Investments, Protects the Health and Safety of America’s Families,” February 1, 2010
3. Identity Theft Resource Center 2009 Data Breach Stats
4. “Health Net Says 1.5M Medical Records Lost in Data Breach,” ComputerWorld, November 19, 2009
5. “Hacker says he stole confidential medical data on 8 million Virginia residents,” Healthcare IT News, May 6, 2009
6. Booz Allen Hamilton, Medical Identity Final Report, prepared for U.S. Department of Health and Human Services, January 15, 2009, Page 16

About the Smart Card Alliance Healthcare Council

The Healthcare Council is one of several Smart Card Alliance Technology and Industry Councils, a new type of focused group within the overall structure of the Alliance. These councils have been created to foster increased industry collaboration within a particular industry or market segment and produce tangible results, speeding smart card adoption and industry growth.

The Smart Card Alliance Healthcare Council brings together payers, providers, and technologists to promote the adoption of smart cards in U.S. healthcare organizations. The Healthcare Council provides a forum where all stakeholders can collaborate to educate the market on the how smart cards can be used and to work on issues inhibiting the industry.

In the world of secure emails the choice may be based around your preferred communications channel (smart phone, PC, netbook, etc), what is convenient to you, are you more of a cloud person or a PC based email app user, price per user, number of emails that can be sent, and so forth. But the number one perspective you have to have in evaluating any of these different products is how convenient is it to your recipients. I am a firm believer that if you make security cumbersome, then users will always find ways to circumvent security for their own convenience. However, you can’t make something so convenient that security is thrown out the window. It’s a balancing act.

I recently tested rPost, SecurEnvoy, Word Secure, ZixMail, 4SecureMail, FileFortress, and Voltage Secure Mail. This is not an all inclusive list and with secure email services popping up rapidly there are probably a lot that I am unaware of. My bias in looking at all these services was not to find the one best service since that goes back to picking ice cream. Instead I am going to go through a series of items that I have concerns about and for you to consider before signing up.  

I am not going to review each product separately for their strengths or weaknesses. I believe that almost every technology is inherently good assuming it is being deployed in the right environment. Rather here I will discuss general features and you have to determine if it works for you.

1. Managing the Secrets Codes:
   Secure emails is the process in with the text you write is encrypted by a method so that the text becomes so scrambled and disjointed that it cannot be read by someone. The trick this is to get the authorized recipient the code or key that can unscramble everything back to its original text. Think of it as you and your best friend using your Captain America’s Secret Decoder Rings (maybe your Ironman ring for you younger readers). The difficulty comes in what is called key management or sharing the secrets.For example, say I have only two friends called Preston and Nikkitta (hey their my imaginary friends and I can name them anything I want). I want to send secure messages to Preston but I don’t want Nikkitta to read, so I encrypt with Secret code 1 setting. Next I want to only communicate with Nikkitta so I need Code 2. Finally, there will be times I want both to read the same email because I am lazy and don’t want to send out two separate emails so I create Code 3. You might think I only have three Codes to worry about, well don’t be so quick on your math. What if Preston wants to send me secure emails using a Code 4 he created, and since Nikkitta does not want to be left out of the fun, she has her Code 5. But we still are not finished. Preston also sends out emails that both Nikkitta and I can read Code 6, and Nikkitta has emails that she wants Preston and I to read Code 7. So what’s the fine Code count? Seven

So along comes Samantha and she knows a great group of people to befriend, but she wants her codes too. If we follow the same logic then I have 19 codes I have to remember. In truth I have over 200 friends and business contacts so I would have a boat load of codes.

Some products have you generate a password or code every time you send a new message. Some products have all the emails go into a secure server that requires a logon account. And, some will generate a new key for each group and store them within your computer. All these systems have their pros and cons like what happens if you want to retrieve an older email? How secure is the logon procedures and secure are the user’s passwords (Sticky Note security again)? If you go to a different computer where are all your account codes? So, when you looking at secure email systems give serious thought to  how the codes will be managed.

The next blog will be on Code Distribution.

Identity theft has raised the bar in blocking access to your new and existing customers using email marketing campaigns. In the past we may have found spam annoying as it filled up our in box, but with phishing, pharming, social media spying, etc.  all being used to steal one’s personal information, it’s gotten to the point of customers not opening, blocking and erasing all correspondences (legitimate or not). Hey, better safe than sorry.

All the so-called business cost savings that can be achieved using electronic media may be flying out the window. Aweber, Constant Contact, and others all have great products and these attacks are not their fault. Just realize that their identity has also been stolen: their brand. But as a business owner do you want to pay monthly service fees if all your marking efforts only end up in eTrash.

So, before starting a large, expensive email marketing campaign, determine if your customers will even read or click onto anything you send them. Maybe the new way to keep your customers informed is by creating a blog and posting your information and stories there. This strategy forces your customers to come to you and keeps them in control.

If you have not heard, now computers with webcams are being used to spy on their users. The school in Pennsylvania is one of the newest publicized incident but many individuals are finding their video conference calls on the internet without their permission. In a recent security newsletter article, the same old precautions are being made: Anti-virus software, firewalls, secure wireless connections and being careful about opening email attachments. The only new suggestion made to prevent webcam intrusion was to put a piece of tape over the lens. Wow, big whoop.

With computers, operating systems, networks, email, websites, social networks, smart phones, and the list goes on all being used to invade our private data we may have been better off without the microchip.  It’s troubling when great products like Apple’s iPhone and iPad are being band from companies because of security risks. Convenience is no substitute for insecurity.

Business owners who use technology to reduce their costs are being attacked by government legislations to safeguard private data as well as hackers. Maybe it’s time technology companies take some of the heat for the holes they have in their products. Technology companies who ignore security are giving all the tools to the hackers and all the risks to their customers. Who do these tech companies really care about?

Beware of a email that looks like an product selection or monthly deal from Amazon. There are many places to click to see pictures, unsubscribe, etc. It is spam to get access to your computer.

Businesses today are using more online shopping carts and online marketing services to inform customers about their products. As spammers start coping the look and feel of your emails then they cause everyone to erase anything that come electronically from any company. Legitimateor not. I can’t tell you how many deals I have been offered by companies simply because I don’t trust the email. And some of these deals were legit.

So if you do use auto-responders only use ones from reputable companies.

Individuals, if in doubt always check the links by hovering you mouse over it and reading the URLdata. If it does no look right, don’t click. If by chance you have, be sure you have a strong anti-virus program so block access and protect your computer and data.

While I am not here to dispute these claims, I do warn any company that migrates to more cloud infrastructure to make security of the data paramount in their plan. Especially with the many state and federal privacy protection laws on the books. As been blogged about before, the average cost on a company from a data breach in 2009 was $6.7 million per incident.

All cloud accounts need strong passwords, the passwords need to be changed frequently, and best that any data stored or backed up on the cloud is encrypted first.

1) What information information is considered confidential, &

2) Where this information is stored in the company.

The information that is considered PII confidential is defined as any information about an individual that distinguished or traces an individual’s identity, or is linkable to an individual. Examples include (but not limited to): Name, mother’s maiden name, SSN, passport, driver’s license, tax ID, credit card number, street or email address, birth day, race,   employment info, medical info, biometrics and in some cases even a photograph. And the list goes on.

Since what the government considers PII the best course of action is to protect all information.

A few simple ways to protect PII data is to:

• Limit the amount of information you take
• Limit the time you store the information
• Limit the places where the information is stored
• Limit the access to the information

Some of the best ways to secure the PII is with secure passwords, the use of a multi-factor authentication token (i.e. smartcard) and to ALWAYS encrypt the information.