<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ID PROTECTION EXPERT - For Business &#187; Employee Security</title>
	<atom:link href="http://www.idprotectionexpert.com/category/employee-security/feed" rel="self" type="application/rss+xml" />
	<link>http://www.idprotectionexpert.com</link>
	<description>Data Security and Privacy Compliance Solutions for Businesses</description>
	<lastBuildDate>Thu, 02 Sep 2010 04:32:24 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Found USB Drive in Parking Lot</title>
		<link>http://www.idprotectionexpert.com/found-usb-drive-in-parking-lot/550</link>
		<comments>http://www.idprotectionexpert.com/found-usb-drive-in-parking-lot/550#comments</comments>
		<pubDate>Thu, 22 Jul 2010 17:58:30 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>
		<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=550</guid>
		<description><![CDATA[An employee is walking through the parking lot and finds a USB stick on the ground. Fearful that it might be important information of a colleague, the employee picks up the stick and takes it back to his office. 5 minutes later he took down the company's network.]]></description>
			<content:encoded><![CDATA[<p>I was recently told of a story of an incident that happened a few weeks ago. However, this is not the first time I have heard the tale. An employee is walking through the parking lot and finds a USB stick on the ground. Fearful that it might be important information of a colleague, the employee picks up the stick and takes it back to his office. To determine who is the owner, the employee inserts the drive into his computer and opens up the folders thinking that its contents will identify the owner.</p>
<p>WHAM &#8211; the entire company&#8217;s network is infected with a new virus that the anti-virus program did not recognize.</p>
<p>Seeding viruses by way of dropped USB drives is a very common attack. Drives are left in corporate lobbies, doctor&#8217;s offices, parking lots, restaurants, any place where people gather. The thieves are counting on Good Samaritans to help their fellow man or woman.</p>
<p>Employers need to inform their employees of the following procedures:</p>
<p>1. If they find a USB drive, they should never put it into their computer.</p>
<p>2. They should give the drive to IT, who will determine what to do with it.</p>
<p>3. If there is no IT dept., either drop the drive into the garbage or first smash it with a hammer before dropping it into the garbage.</p>
<p>4. Don&#8217;t worry that someone will lose important data. They probably have a backup, and if they don&#8217;t they soon will; and if there was confidential data on the device, you just saved the company&#8217;s customers from a data breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/found-usb-drive-in-parking-lot/550/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Medical ID theft is nothing to sneeze at</title>
		<link>http://www.idprotectionexpert.com/medical-id-theft-is-nothing-to-sneeze-at/545</link>
		<comments>http://www.idprotectionexpert.com/medical-id-theft-is-nothing-to-sneeze-at/545#comments</comments>
		<pubDate>Thu, 22 Jul 2010 17:23:05 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=545</guid>
		<description><![CDATA[According to a recent Ponemon Institute study, nearly 1.5 million Americans have been victims of medical identity theft.]]></description>
			<content:encoded><![CDATA[<p>Below is a report from the Smart Card Alliance on Medical Identity Theft. While the info is staggering, the walk-away point for me is the migration to PHRs, EHRs and HIEs. Security has to start at the very beginning, and that is where a secure token and password manager combination work well together.</p>
<h1>Medical Identity Theft in Healthcare</h1>
<p><em>Publication Date: March 2010</em></p>
<p>While identity theft is a global issue that garners much media attention, most do not realize that medical identity theft is a serious and growing threat. Many authorities consider medical identity theft one of the fastest growing crimes in America. With the<span id="more-545"></span> digital age of healthcare upon us, the risks are expected to increase as electronic medical records become more prevalent and the exchange of this data over expanding networks becomes more pervasive. Heightened concern over personal data security and privacy highlight the importance of having secure electronic medical identities.</p>
<h2>1.5 Million Victims of Medical Identity Theft</h2>
<p>According to a recent Ponemon Institute study, nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion – or approximately $20,000 per victim. [1] Further evidence of the significance of the medical fraud problem is the allocation of $1.7 billion for fraud detection in the 2011 U.S. Health and Human Services Department budget. [2] In 2009, 68 reported healthcare data breaches in the U.S. put over 11.3 million patient records at risk of exposure. [3] Two notable instances are the Health Net breach and the Virginia Department of Health Professions breach.</p>
<ul>
<li><em>Health Net</em> (a Connecticut-based health insurance plan) reported the loss of a hard drive containing seven years of personal and medical information on about 1.5 million Health Net customers. They reported the lost drive six months after it disappeared. [4]</li>
<li><em>Virginia Department of Health Professions</em> was the victim of a $10 million extortion plot to expose over 8 million patient records and 35 million prescriptions. [5]</li>
</ul>
<p>Patients whose medical identities are stolen face serious lingering effects. Fraudulent healthcare events can leave erroneous data in medical records. This erroneous information – like information about tests, diagnoses and procedures – can greatly affect future healthcare and insurance coverage and costs. Patients are often unaware of medical identity theft until a curious bill or a surprising line of questioning by a doctor exposes the issue. Then, the burden of proof is often with the patient and it can be difficult to get the patient’s legitimate medical records cleaned up. The consequences can also be life threatening and can lead to serious medical errors and fatalities.</p>
<p>The American Recovery and Reinvestment Act (ARRA) and the associated provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act have highlighted the need to address privacy and security across our healthcare system. In fact, HITECH requires that consumers be notified of healthcare data breaches. Alerting patients when their personal health information has been breached is a necessary response, but it is a reactive measure. It does nothing to prevent the breach or address the subsequent issues patients face when they are victims of medical identity theft. The healthcare industry also needs policy that takes a proactive approach–one that implements controls and technology that assure patient information is always protected. It needs to make secure electronic medical identities a priority.</p>
<p>As the ARRA provides incentives for more and more doctors to adopt electronic health records (EHRs), and as health information exchanges (HIEs) become more commonplace, consumers are even more at risk of medical identity theft from an intentional or unintentional breach of healthcare records, or the “loss” or theft of a laptop. Right now, healthcare records are likely to be on paper, and secured by the physical safeguards and administrative procedures in the doctor’s office. When these records are digitized and accessible via interconnected EHRs and HIEs, the potential for exposure grows exponentially.</p>
<p>A related issue to identity theft, and a significant problem for the healthcare industry, is the problem of mistaken identity, which can be life threatening. Today most HIEs rely on a record locator service (RLS) to find where patients’ data are stored. Many use a “probabilistic match,” which depends on various pieces of information such as the patient’s name, address, Social Security number, date of birth and other personal information. These methods are not 100% accurate and can lead to potentially fatal errors. For example, in an emergency situation, a patient who has been incorrectly identified could be given a transfusion of the wrong blood type. Compounding the issue is the fact that patients must provide this personal information each time they visit a provider so that their records can be located. These verbal and paper-based identification processes are ambiguous and error-prone, as well as ripe for fraud and abuse.</p>
<h2>Addressing Medical Identity Theft</h2>
<p>The way to stop medical identity theft and identity confusion is to improve patient identification and provide enhanced data protection. Strong authentication and data encryption are methods that can achieve these goals.</p>
<p>Industry experts are already calling for this change. The Medical Identity Final Report prepared by Booz Allen Hamilton for HHS stated, “Many stakeholders in medical identity theft have noted that patient authentication can be one of the simplest yet most effective methods in preventing medical identity theft. Patient authentication consists of ensuring that patients receiving services are the individuals they claim to be. Patients are often asked to provide only verbal assertions of identity and coverage. However, technology solutions such as biometrics, smart cards, or electronic patient records may be able to assist providers in verifying patients’ identities based on past histories, demographics or facial photographs.” [6]</p>
<p>To address medical identity theft, solutions need to provide higher levels of assurance than today’s processes, whether the interactions are in person or remote. Identity management is a crucial foundation for healthcare, and solutions that incorporate smart card technology can be used to address the security and privacy challenges facing the industry. This foundation can be put in place without reinventing the wheel. The federal government has already established a set of best practices, standards and technology solutions for smart card-based identity management and authentication that can be adapted to and leveraged by the healthcare industry.</p>
<h2>How Strong Authentication and Data Encryption Prevent Medical Identity Theft</h2>
<p>Strong authentication of identity is a critical step in addressing medical identity theft. All personal health record (PHR) providers, health record banks, health insurance and hospital Web portals should provide two-factor authentication mechanisms to their end users to help secure access to personal health information. In two-factor authentication schemes, individuals typically use a card, token or mobile device to access their health information or prove identity when obtaining healthcare services. The safest and most secure two-factor methods are based on smart card technology, where a tamper-resistant chip with security software is embedded into the card, token or mobile device (like a mobile phone). This is the same technology that is used in U.S. electronic passports, and in the U.S. federal government’s employee ID cards that are used to access the nation’s most secure computer networks and facilities. A smart card allows patients to unambiguously identify themselves to their healthcare provider when accessing patient records or requesting healthcare services.</p>
<p>Data encryption also plays an important role in the protection of personal health information (PHI) and is now mandated as part of the breach notification laws. Encrypting PHI protects against access by intruders; smart cards provide a robust set of encryption-enabling capabilities including key generation, secure key storage, hashing and digital signing. Smart cards also add strong authentication capabilities that ensure only authorized users are able to access PHI. These capabilities can be used by a healthcare system to protect privacy in a number of ways. A doctor can use a smart card to digitally sign orders or prescriptions, protecting the information from subsequently being tampered with and providing assurance that the doctor was the originator of the information. The fact that the signing key originated from a smart card adds credibility and a greater legal stature to the record. The smart card provides two major benefits: one, it securely holds and protects the keys; and two, it is portable, so it stays with the doctor and not in the computer where someone else might be able to fraudulently use it. Smart cards can also put patients in control of their private information. Patients can use their smart card to securely store personal health information, authorize provider access to that information, and secure transmission of data to healthcare systems.</p>
<p>Health care reform in the U.S. is a major undertaking and it will take time to achieve the levels of identity management and data protection that are required by new electronic health record systems. But the size of the task should not prevent the healthcare industry, both private and public, from beginning the journey towards better securing health information and increasing the efficiency and quality of the nation’s healthcare delivery systems. As the industry moves toward the goal of electronic health records for all patients and with all providers, the need for strong identity management becomes more pressing. Issuing proper identity credentials and authenticating identity are solid steps in modernizing the U.S. healthcare system.</p>
<p>Issuing secure patient and provider identity credentials based on smart card technology will help to reduce medical identity theft, and will also bring numerous efficiencies to existing healthcare administration systems. Identity and authentication solutions based on smart card technology will provide an ideal foundation for improving the security and privacy of health information systems and electronic health records.</p>
<h2>References</h2>
<ol>
<li>Survey conducted by The Ponemon Institute in February 2010</li>
<li>“<a href="http://www.hhs.gov/news/press/2010pres/02/20100201a.html">HHS Budget Makes Smart Investments, Protects the Health and Safety of America’s Families</a>,” February 1, 2010</li>
<li><a href="http://www.idtheftcenter.org/ITRC Breach Stats Report 2009.pdf">Identity Theft Resource Center 2009 Data Breach Stats</a></li>
<li>“<a href="http://www.computerworld.com/s/article/9141172/Health_Net_says_1.5M_medical_records_lost_in_data_breach">Health Net Says 1.5M Medical Records Lost in Data Breach</a>,” ComputerWorld, November 19, 2009</li>
<li>“Hacker says he stole confidential medical data on 8 million Virginia residents,” Healthcare IT News, May 6, 2009</li>
<li>Booz Allen Hamilton, Medical Identity Final Report, prepared for U.S. Department of Health and Human Services, January 15, 2009, Page 16</li>
</ol>
<h2>About the Smart Card Alliance Healthcare Council</h2>
<p>The <a href="http://www.smartcardalliance.org/pages/activities-councils-healthcare">Healthcare Council</a> is one of several Smart Card Alliance Technology and Industry Councils, a new type of focused group within the overall structure of the Alliance. These councils have been created to foster increased industry collaboration within a particular industry or market segment and produce tangible results, speeding smart card adoption and industry growth.</p>
<p>The Smart Card Alliance Healthcare Council brings together payers, providers, and technologists to promote the adoption of smart cards in U.S. healthcare organizations. The Healthcare Council provides a forum where all stakeholders can collaborate to educate the market on how smart cards can be used and to work on issues inhibiting the industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/medical-id-theft-is-nothing-to-sneeze-at/545/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Technology Companies Must Incorporate Security Engineers</title>
		<link>http://www.idprotectionexpert.com/technology-companies-must-incorporate-security-engineers/523</link>
		<comments>http://www.idprotectionexpert.com/technology-companies-must-incorporate-security-engineers/523#comments</comments>
		<pubDate>Mon, 03 May 2010 03:44:16 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[Personal Identification Information]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=523</guid>
		<description><![CDATA[Technology developing companies must incorporate security engineers before bringing new products to market. Anything less is just plain irresponsible and greedy. Privacy theft has to be stopped.
]]></description>
			<content:encoded><![CDATA[<p>All technology developing companies must incorporate security engineers before bringing new products to market. Anything less is just plain irresponsible and greedy. It pains me to criticize my fellow technology brethren, but privacy theft has to be stopped.<span id="more-523"></span></p>
<p>If you have not heard, computers with webcams are now being used to spy on their users. The school in Pennsylvania is one of the newest publicized incidents, but many individuals are finding their video conference calls on the internet without their permission. In a recent security newsletter article, the same old precautions are being recommended: anti-virus software, firewalls, secure wireless connections and being careful about opening email attachments. The only new suggestion made to prevent webcam intrusion was to put a piece of tape over the lens. Wow, big whoop.</p>
<p>With computers, operating systems, networks, email, websites, social networks, smart phones, and the list goes on, all being used to invade our private data, we may have been better off without the microchip. It’s troubling when great products like Apple’s iPhone and iPad are being banned from companies because of security risks. Convenience is no substitute for security.</p>
<p>Business owners who use technology to reduce their costs are being attacked by government legislation to safeguard private data as well as by hackers. Maybe it&#8217;s time technology companies take some of the heat for the holes they have in their products. Technology companies who ignore security are giving all the tools to the hackers and all the risks to their customers. Who do these tech companies really care about?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/technology-companies-must-incorporate-security-engineers/523/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s 10pm, do you know where your PII is?</title>
		<link>http://www.idprotectionexpert.com/its-10pm-do-you-know-where-your-pii-is/513</link>
		<comments>http://www.idprotectionexpert.com/its-10pm-do-you-know-where-your-pii-is/513#comments</comments>
		<pubDate>Tue, 20 Apr 2010 17:03:13 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Business Security]]></category>
		<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Change password]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Personal Identification Information]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=513</guid>
		<description><![CDATA[The federal government recently published a guide on protecting Personal Identifiable Information (PII). There are two aspects to PII that every company must be aware of:]]></description>
			<content:encoded><![CDATA[<p>The federal government recently published a guide on protecting Personal Identifiable Information (PII). There are two aspects to PII that every company must be aware of:</p>
<p>1) What information is considered confidential, &amp;</p>
<p>2) Where this information is stored in the company.<span id="more-513"></span></p>
<p>The information that is considered confidential PII is defined as any information about an individual that distinguishes or traces an individual&#8217;s identity, or is linkable to an individual. Examples include (but are not limited to): name, mother&#8217;s maiden name, SSN, passport, driver&#8217;s license, tax ID, credit card number, street or email address, birthday, race, employment info, medical info, biometrics and in some cases even a photograph. And the list goes on.</p>
<p>Since what the government considers PII is so broad, the best course of action is to protect all information.</p>
<p>A few simple ways to protect PII data are to:</p>
<ul>
<li>Limit the amount of information you take</li>
<li>Limit the time you store the information</li>
<li>Limit the places where the information is stored</li>
<li>Limit the access to the information</li>
</ul>
<p>Some of the best ways to secure the PII is with secure passwords, the use of a multi-factor authentication token (i.e. smartcard) and to ALWAYS encrypt the information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/its-10pm-do-you-know-where-your-pii-is/513/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Tufin Survey Finds One in Six New York Teenagers Hack &#8212; And Rarely Get Caught</title>
		<link>http://www.idprotectionexpert.com/tufin-survey-finds-one-in-six-new-york-teenagers-hack-and-rarely-get-caught/508</link>
		<comments>http://www.idprotectionexpert.com/tufin-survey-finds-one-in-six-new-york-teenagers-hack-and-rarely-get-caught/508#comments</comments>
		<pubDate>Sat, 17 Apr 2010 15:31:46 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>
		<category><![CDATA[Security Stats]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=508</guid>
		<description><![CDATA[The most common reason cited for hacking was for fun (54%) followed by curiosity (30%) ]]></description>
			<content:encoded><![CDATA[<h2><span><strong>(NOTE from the IDProtectionExpert: Here is an article that I wanted to share. The teenage hacker is alive and well.)</strong></span></h2>
<p>Ramat Gan, Israel, April 14, 2010: Tufin Technologies, the leading provider of Security Lifecycle Management Solutions, today announced survey results that reveal the hacking habits of 1000 New York City teenagers. Exactly half (50%) of US kids sampled revealed they&#8217;d had their Facebook or email account hacked, which may explain why 75% feel hacking is wrong and 70% think it should be considered a criminal offense. However, 39% of the teens surveyed think hacking is &#8220;cool&#8221; and 16%, or roughly one in six, admitted to trying their hand at it. Only 15% of the entire sample has either been caught or knows someone who has &#8211; particularly disturbing considering 7% of young hackers reported they did so for money and 6% view it as a viable career path.<span id="more-508"></span></p>
<p>&#8220;Because kids today tend to be more tech savvy than their parents, and the processes, procedures, and precedents for some forms of Internet-based crime are still evolving, it&#8217;s too easy for kids to not realize the dangers or consequences of hacking until they are no longer juveniles,&#8221; said Monique Nelson, Chief Operating Officer of WebWiseKids.org, an online safety organization sponsored in part by the United States Department of Justice. &#8220;These young hackers are under the radar, with the majority hacking from home. Prevention is always an uphill battle, but it&#8217;s imperative that parents do pay close attention to their children&#8217;s attitudes and beliefs about what is appropriate &#8211; and legal &#8211; online behavior. We want to educate kids before they make bad choices, not because they already did.&#8221;</p>
<p>A potentially surprising finding is that it&#8217;s not just the boys &#8211; of the sample, 29% of those who admitted to hacking were girls. The most common reason cited for hacking was for fun (54%) followed by curiosity (30%). 14% that hack aimed to cause disruption and a resourceful 7% of US kids thought they could generate an income from the activity, with 6% viewing it as a viable career path! 35% had already hacked by age 13 and 52% hacked between the ages of 14-16.</p>
<p>Are American teenagers more law abiding, or do they just not get caught? Tufin performed an identical survey of 1000 high school students in London, the results of which can be found at http://tr.im/TULj. The collective results reveal some interesting contrasts between American students and their UK brethren. Some of the major takeaways include:</p>
<ul>
<li>American kids hack less, are hacked more and get caught hacking substantially less than their UK counterparts. In the UK, one in four (26%) have tried hacking with 36% &#8211; or roughly one in three &#8211; reporting that they have been hacked.</li>
<li>In the US, 16% of students, or roughly one in six, hack and exactly half (50%) have had their Facebook or email accounts compromised.</li>
<li>18% of London and a surprising 30% of NYC students agreed hacking is easy.</li>
<li>70% of UK teenagers labeled the practice as &#8216;uncool&#8217; versus 61% of US teenagers.</li>
<li>Roughly 70% of New York students think hackers should be viewed as criminals and be punished by the law, compared to only 53% of their peers in London.</li>
<li>Perhaps it&#8217;s because they get caught almost twice as often &#8211; in the UK, 27% have been caught or know someone who has been caught hacking, as opposed to only 15% of their American brethren.</li>
<li>Facebook is the number one target for young hackers in the US (20%) and the UK (27%), followed by their friends&#8217; email accounts (6% US &amp; 18% UK).</li>
<li>87% of US kids had tried hacking by age 16 as opposed to only 44% of their UK peers.</li>
</ul>
<p><strong>In the U.S., home is where the hack is</strong></p>
<p>The study found a clear dichotomy between the two populations when it came to their methods &#8211; while only 27% of UK students were inclined to misbehave from the confines of their bedrooms, 51% of New York teens had no issue hacking from their home computers. 22% of juvenile offenders in the UK are utilizing computers in Internet Cafes (22%), with only 6% in the US. The number of US kids hacking at school was 28%, compared to 21% in the UK, with roughly 20% of each population using someone else&#8217;s machine.</p>
<p>&#8220;Over the years, hacking has changed from teenage &#8216;script kiddies&#8217; showing off their online prowess to sophisticated career criminals hacking for profit,&#8221; said Ruvi Kitov, CEO of Tufin Technologies. &#8220;Whether they target a company&#8217;s intellectual property, a person&#8217;s bank account or their Facebook page, our job as IT security professionals is to stop hackers in their tracks. We need to ingrain in our children that no matter how harmless your intent, to gain unauthorized access into another person or company&#8217;s online assets is both wrong and illegal. This is important not just to combat hacking in the future, but also to educate children about online safety and increase their awareness of common threats.&#8221;</p>
<p>If bored or curious kids were this successful at hacking, just imagine what a motivated criminal could accomplish. Here are some ways to stay safe online:</p>
<p>1. Install security software: anti-virus, anti-spyware and a personal firewall. At a minimum, your computer should have current anti-virus and anti-spyware software and a firewall to protect yourself from hackers and malicious software that can steal sensitive personal information.</p>
<p>2. Keep your security software and operating system up-to-date.</p>
<p>3. Protect your personal information online. Be wary of clicking on links in emails that are unfamiliar and be very cautious about providing personal information online, such as your password, financial information, or social security number.</p>
<p>4. Know whom you are dealing with. It is remarkably simple for online scammers to impersonate a legitimate person or business.</p>
<p>5. Vary your user name and passwords between sites, that way if one account is compromised it can limit the damage of others being breached.</p>
<p>6. Use &#8220;strong&#8221; passwords that are long and use both letters and numbers, and change them every few months. <span>(NOTE from the IDProtectionExpert: You want password managers that require at least two-factor authentication &#8212; something you have and something you know. I like smartcards and not USB memory sticks.)</span></p>
<p>7. Untick &#8216;remember me&#8217; boxes for user name and passwords, especially for email accounts, online banking, social media websites etc. If your computer is used by other members of the household &#8211; and possibly their friends &#8211; you may be exposing your personal information without realizing it!</p>
<p>8. Be careful what you talk about in chat rooms, you never know whom you&#8217;re talking to or who&#8217;s listening in.</p>
<p>9. Learn what to do if something goes wrong. You can also alert the appropriate authorities by contacting your Internet Service Provider or the Internet Crime Complaint Center. The Federal Trade Commission (FTC) can assist if you are subject to identity theft. You can also forward spam or phishing emails to the FTC at spam@uce.gov .</p>
<p>Notes to editors: This survey was carried out by independent, &#8220;man-on-the-street,&#8221; researchers for Tufin Technologies amongst 1000 teenagers in London and 1000 teenagers in New York City.</p>
<p><strong>About Tufin Technologies, Inc.</strong></p>
<p>Tufin is the leading provider of Security Lifecycle Management solutions that enable companies to cost-effectively manage their network security policy, comply with regulatory standards, and minimize IT risk. With a combination of accuracy and simplicity, Tufin empowers security officers to perform reliable audits and demonstrate compliance with corporate and government standards. Founded in 2005 by leading firewall and business systems experts, Tufin serves more than 500 customers in industries from telecom and financial services to energy, transportation and pharmaceuticals. For more information visit www.tufin.com, or follow Tufin on: Twitter at http://twitter.com/TufinTech, LinkedIn at http://www.linkedin.com/groupRegistration?gid=1968264, Facebook at http://www.facebook.com/group.php?gid=84473097725, The Tufin Blog at http://tufintech.wordpress.com/, The Tufin Channel on YouTube at http://www.youtube.com/user/Tufintech</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/tufin-survey-finds-one-in-six-new-york-teenagers-hack-and-rarely-get-caught/508/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Twitter, Facebook, etc. Cyber Terrorism</title>
		<link>http://www.idprotectionexpert.com/twitter-facebook-etc-cyber-terrorism/475</link>
		<comments>http://www.idprotectionexpert.com/twitter-facebook-etc-cyber-terrorism/475#comments</comments>
		<pubDate>Wed, 26 Aug 2009 00:10:54 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>
		<category><![CDATA[cyber terrorism]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[spear phishing]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=475</guid>
		<description><![CDATA[Phishing and spear phishing emails from unknown babes and beefcakes want to friend you, and they want you to click on the link to add them. These people are trying to place a virus on your computer.]]></description>
			<content:encoded><![CDATA[<p>Phishing and spear phishing emails from unknown babes and beefcakes want to friend you, and they want you to click on the link to add them. These people are trying to place a virus on your computer.</p>
<p>Don&#8217;t friend these people.</p>
<p>A tip-off is how many people are following them: it is usually a very low number. You also want to be sure you have a strong anti-virus program to protect your computer.</p>
<p>Be careful of who you friend, and if you don&#8217;t know them or they are not part of your circle, don&#8217;t accept them. And no matter what, don&#8217;t click on any of their links or pictures.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/twitter-facebook-etc-cyber-terrorism/475/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employees Cause Data Security Breaches &#8211; Not Malware</title>
		<link>http://www.idprotectionexpert.com/employees-cause-data-security-breaches-not-malware/443</link>
		<comments>http://www.idprotectionexpert.com/employees-cause-data-security-breaches-not-malware/443#comments</comments>
		<pubDate>Fri, 17 Apr 2009 19:12:45 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Building Security]]></category>
		<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Change password]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Forgot password]]></category>
		<category><![CDATA[ID Theft Prevention]]></category>
		<category><![CDATA[id theft protection]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Password recovery]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Remote access]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=443</guid>
		<description><![CDATA[When business owners look around their office and see how sensitive documents are handled it is no wonder that the weakest security link is the employee. But it is not always the employee's fault since they have never been trained or given the security tools to protect data.]]></description>
			<content:encoded><![CDATA[<p>When business owners look around their office and see how sensitive documents are handled it is no wonder that the weakest security link is the employee. But it is not always the employee&#8217;s fault since they have never been trained or given the security tools to protect data.</p>
<p>A <a href="http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf" target="_blank"><span style="color: #0072bc;">Symantec report</span> </a>says that most breaches at small to midsize businesses are caused by people, not malware. <a href="http://blog.trustedid.com/?p=718">Click here to read the entire article.</a></p>
<p>Look at all four vulnerability points: Building &#8211; Employee &#8211; PC &#8211; Network, and start implementing training, policies and solutions that are inexpensive and work.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/employees-cause-data-security-breaches-not-malware/443/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC &#8211; A Business Guide to Protecting Data</title>
		<link>http://www.idprotectionexpert.com/ftc-a-business-guide-to-protecting-data/50</link>
		<comments>http://www.idprotectionexpert.com/ftc-a-business-guide-to-protecting-data/50#comments</comments>
		<pubDate>Sun, 22 Mar 2009 01:44:59 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Building Security]]></category>
		<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>
		<category><![CDATA[Access control]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Change password]]></category>
		<category><![CDATA[cyberspies]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Forgot password]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Password recovery]]></category>
		<category><![CDATA[password security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Remote access]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://66.147.242.86/~idprotec/idprotectionexpert/?p=50</guid>
		<description><![CDATA[The Federal Trade Commission (FTC) offers many training documents to help businesses understand how to protect themselves from identity theft and data breaches. Since they are also the main government arm that fines businesses after a data breach, it is great that they are also helping to avoid their wrath.
Recently they produced an online video chock-full of [...]]]></description>
			<content:encoded><![CDATA[<p>The Federal Trade Commission (FTC) offers many training documents to help businesses understand how to protect themselves from identity theft and data breaches. Since they are also the main government arm that fines businesses after a data breach, it is great that they are also helping to avoid their wrath.</p>
<p>Recently they produced an online video chock-full of basic information that hits on many of the same topics we at IDProtectionExpert.com discuss. Click the link below to view their training video and then come back and listen to what our different experts have to say on specific areas.</p>
<p><a title="FTC" href="http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html"><span style="color: #0000ff;">FTC &#8211; Protecting Personal Information: A Business Guide</span></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/ftc-a-business-guide-to-protecting-data/50/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Red Flags are Coming! Red Flags are Coming!</title>
		<link>http://www.idprotectionexpert.com/reg-flags-are-coming-red-flags-are-coming/401</link>
		<comments>http://www.idprotectionexpert.com/reg-flags-are-coming-red-flags-are-coming/401#comments</comments>
		<pubDate>Sat, 07 Feb 2009 20:29:03 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Building Security]]></category>
		<category><![CDATA[Computer & Network Security]]></category>
		<category><![CDATA[Employee Security]]></category>

		<guid isPermaLink="false">http://www.idprotectionexpert.com/?p=401</guid>
		<description><![CDATA[Enforcement of the "Red Flag Rules" starts May 1st, 2009. The Red Flag Rules specify that "financial institutions and creditors" protect an individual's personal information from identity theft by raising a "red flag". The companies must establish policies and procedures to recognize, detect, and respond to an identity theft attack. However, the scope of who has to comply may be larger than originally thought.]]></description>
			<content:encoded><![CDATA[<p>Enforcement of the &#8220;Red Flag Rules&#8221; starts May 1<sup>st</sup>, 2009. The Red Flag Rules specify that &#8220;financial institutions and creditors&#8221; protect an individual&#8217;s personal information from identity theft by raising a &#8220;red flag&#8221;. The companies must establish policies and procedures to recognize, detect, and respond to an identity theft attack. However, the scope of who has to comply may be larger than originally thought.<span id="more-401"></span></p>
<p> The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) as part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. But when one also adds in the <strong><em>Gramm-Leach-Bliley Act (GLBA)</em></strong>, which recently redefined what constitutes a financial institution, more businesses are affected. According to GLBA:</p>
<p> &#8220;Financial institutions&#8221; which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities.</p>
<p> Therefore, health care providers, real estate agents, accountants, bookkeepers, retail stores, utilities, car dealerships, schools, etc. all fall under GLBA, which in turn ties to FACTA, which institutes the Red Flag Rules.</p>
<p> When a data breach of either paper or electronic information occurs, all customers, patients, employees and/or vendors must be notified. A breach does not only mean a thief or hacker breaking in; it also covers improper disposal of sensitive documents, lost computers or storage devices with unencrypted data, dishonest employees, open posting of passwords, etc. Statistics show that careless employees&#8217; actions account for the majority of the incidents that data thieves rely on to collect sensitive information.</p>
<p> The Red Flag Rules give very little information to companies as to what policies and procedures should be put in place. Rather, the FTC states that &#8220;<em>the Program </em><em>must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities</em>.&#8221; Typical government uselessness.</p>
<p> So here are some tips:</p>
<ol type="1">
<li>Protect the building: ID badges, access control, CCTV, locked file cabinets, limited access to incoming faxes, etc.</li>
<li>Protect the employees: Security training and awareness, clean desk policy, shredding of papers, email security, etc.</li>
<li>Protect PCs and computers: Anti-virus software, data encryption, password managers, etc.</li>
<li>Network Protection: Firewalls, VPNs, monitoring, password policies, limited web access, file access monitoring programs, etc.</li>
</ol>
<p> With the complexity and the cross-integration required to develop a security policy, it is best to bring in security consultants and experts to work closely with your existing CSO, CIO and IT managers. The security consultants are not there to replace anyone but rather to be a valuable tool to prevent a breach that now costs a company about $6.6 million per incident (source: Ponemon Institute).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/reg-flags-are-coming-red-flags-are-coming/401/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Talk #9 &#8211; Privacy Laws</title>
		<link>http://www.idprotectionexpert.com/expert-talk-privacy-laws/93</link>
		<comments>http://www.idprotectionexpert.com/expert-talk-privacy-laws/93#comments</comments>
		<pubDate>Mon, 02 Feb 2009 03:10:05 +0000</pubDate>
		<dc:creator>Dovell Bonnett</dc:creator>
				<category><![CDATA[Audio Interviews]]></category>
		<category><![CDATA[Employee Security]]></category>

		<guid isPermaLink="false">http://66.147.242.86/~idprotec/idprotectionexpert/?p=93</guid>
		<description><![CDATA[Sandy Ingrim, CEO of SmallBizPrivacy (www.smallbizprivacy.com):
Sandy discusses some of the more common employee security flaws and what the new privacy protection laws mean. This interview is intended for all business owners and executives who need to understand some basic security principles to create policies and procedures for their company. 
]]></description>
			<content:encoded><![CDATA[<p><strong>Sandy Ingrim, CEO of SmallBizPrivacy </strong>(<a href="http://www.smallbizprivacy.com" target="_blank"><span style="color: #0000ff;">www.smallbizprivacy.com</span></a>):<br />
Sandy discusses some of the more common employee security flaws and what the new privacy protection laws mean. This interview is intended for all business owners and executives who need to understand some basic security principles to create policies and procedures for their company.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idprotectionexpert.com/expert-talk-privacy-laws/93/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://66.147.242.86/~idprotec/wp-content/audio/sandypod.mp3" length="7145537" type="audio/mpeg" />
		</item>
	</channel>
</rss>
