WAM – the entire company’s network is infected with a new virus that the anti-virus program did not recognize.

The dropping of virus seeds in the way of USB drives is a very common attack. Drives are left in corporate lobbies, doctor’s offices, parking lots, restaurants, any place where people gather. The thieves are counting on Good Samaritans to help their follow man or woman.

Employers need to inform their employees of the following procedures:

1. If they find a USB drive never have them put it into their computer

2. They should give the drive to IT to determine what they want to do with it.

3. If there is no IT dept either drob the drive into the garbage or first smash it with a hammer before dropping it into the garbage.

4. Don’t worry that someone will loose important data. They probably have backup and if they don’t they soon will; and if there was confidential data on the device you just saved the company’s customers from a data breach.

Medical Identity Theft in Healthcare

Publication Date: March 2010

While identity theft is a global issue that garners much media attention, most do not realize that medical identity theft is a serious and growing threat. Many authorities consider medical identity theft one of the fastest growing crimes in America. With the digital age of healthcare upon us, the risks are expected to increase as electronic medical records become more prevalent and the exchange of this data over expanding networks becomes more pervasive. Heightened concern over personal data security and privacy highlight the importance of having secure electronic medical identities.

1.5 Million Victims of Medical Identity Theft

According to a recent Ponemon Institute study, nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion – or approximately $20,000 per victim. [1] Further evidence of the significance of the medical fraud problem is the allocation of $1.7 billion for fraud detection in the 2011 U.S. Health and Human Services Department budget. [2] In 2009, 68 reported healthcare data breaches in the U.S. put over 11.3 million patient records at risk of exposure. [3] Two notable instances are the Health Net breach and the Virginia Department of Health Professions breach.

• Health Net (a Connecticut-based health insurance plan) reported the loss of a hard drive containing seven years of personal and medical information on about 1.5 million Health Net customers. They reported the lost drive six months after it disappeared. [4]
• Virginia Department of Health Professions was the victim of a $10 million extortion plot to expose over 8 million patient records and 35 million prescriptions. [5]

Patients whose medical identities are stolen face serious lingering effects. Fraudulent healthcare events can leave erroneous data in medical records. This erroneous information – like information about tests, diagnoses and procedures – can greatly affect future healthcare and insurance coverage and costs. Patients are often unaware of medical identity theft until a curious bill or a surprising line of questioning by a doctor exposes the issue. Then, the burden of proof is often with the patient and it can be difficult to get the patient’s legitimate medical records cleaned up. The consequences can also be life threatening and can lead to serious medical errors and fatalities.

The American Recovery and Reinvestment Act (ARRA) and the associated provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act have highlighted the need to address privacy and security across our healthcare system. In fact, HITECH requires that consumers be notified of healthcare data breaches. Alerting patients when their personal health information has been breached is a necessary response, but it is a reactive measure. It does nothing to prevent the breach or address the subsequent issues patients face when they are victims of medical identity theft. The healthcare industry also needs policy that takes a proactive approach–one that implements controls and technology that assure patient information is always protected. It needs to make secure electronic medical identities a priority.

As the ARRA provides incentives for more and more doctors to adopt electronic health records (EHRs), and as health information exchanges (HIEs) becomes more commonplace, consumers are even more at risk of medical identity theft from an intentional or unintentional breach of healthcare records, or the “loss” or theft of a laptop. Right now, healthcare records are likely to be on paper, and secured by the physical safeguards and administrative procedures in the doctor’s office. When these records are digitized and accessible via interconnected EHRs and HIEs, the potential for exposure grows exponentially.

A related issue to identity theft, and a significant problem for the healthcare industry, is the problem of mistaken identity, which can be life threatening. Today most HIEs rely on a record locator service (RLS) to find where patients’ data are stored. Many use a “probabilistic match,” which depends on various pieces of information such as the patient’s name, address, Social Security number, date of birth and other personal information. These methods are not 100% accurate and can lead to potentially fatal errors. For example, in an emergency situation, a patient who has been incorrectly identified could be given a transfusion of the wrong blood type. Compounding the issue is the fact that patients must provide this personal information each time they visit a provider so that their records can be located. These verbal and paper-based identification processes are ambiguous and error-prone, as well as ripe for fraud and abuse.

Addressing Medical Identity Theft

The way to stop medical identity theft and identity confusion is to improve patient identification and provide enhanced data protection. Strong authentication and data encryption are methods that can achieve these goals.

Industry experts are already calling for this change. The Medical Identity Final Report prepared by Booz Allen Hamilton for HHS stated, “Many stakeholders in medical identity theft have noted that patient authentication can be one of the simplest yet most effective methods in preventing medical identity theft. Patient authentication consists of ensuring that patients receiving services are the individuals they claim to be. Patients are often asked to provide only verbal assertions of identity and coverage. However, technology solutions such as biometrics, smart cards, or electronic patient records may be able to assist providers in verifying patients’ identities based on past histories, demographics or facial photographs.” [6]

To address medical identity theft, solutions need to provide higher levels of assurance than today’s processes, whether the interactions are in person or remote. Identity management is a crucial foundation for healthcare, and solutions that incorporate smart card technology can be used to address the security and privacy challenges facing the industry. This foundation can be put in place without reinventing the wheel. The federal government has already established a set of best practices, standards and technology solutions for smart card-based identity management and authentication that can be adapted to and leveraged by the healthcare industry.

How Strong Authentication and Data Encryption Prevents Medical Identity Theft

Strong authentication of identity is a critical step in addressing medical identity theft. All personal health record (PHR) providers, health record banks, health insurance and hospital Web portals should provide two-factor authentication mechanisms to their end users to help secure access to personal health information. In two-factor authentication schemes, individuals typically use a card, token or mobile device to access their health information or prove identity when obtaining healthcare services. The safest and most secure two-factor methods are based on smart card technology, where a tamper-resistant chip with security software is embedded into the card, token or mobile device (like a mobile phone). This is the same technology that is used in U.S. electronic passports, and in the U.S. federal government’s employee ID cards that are used to access the nation’s most secure computer networks and facilities. A smart card allows patients to unambiguously identify themselves to their healthcare provider when accessing patient records or requesting healthcare services.

Data encryption also plays an important role in the protection of personal health information (PHI) and is now mandated as part of the breach notification laws. Encrypting PHI protects against access by intruders; smart cards provide a robust set of encryption-enabling capabilities including key generation, secure key storage, hashing and digital signing. Smart cards also add strong authentication capabilities that ensure only authorized users are able to access PHI. These capabilities can be used by a healthcare system to protect privacy in a number of ways. A doctor can use a smart card to digitally sign orders or prescriptions, protecting the information from subsequently being tampered with and providing assurance that the doctor was the originator of the information. The fact that the signing key originated from a smart card adds credibility and a greater legal stature to the record. The smart card provides two major benefits: one, it securely holds and protects the keys; and two, it is portable, so it stays with the doctor and not in the computer where someone else might be able to fraudulently use it. Smart cards can also put patients in control of their private information. Patients can use their smart card to securely store personal health information, authorize provider access to that information, and secure transmission of data to healthcare systems.

Heath care reform in the U.S. is a major undertaking and it will take time to achieve the levels of identity management and data protection that are required by new electronic health record systems. But the size of the task should not prevent the healthcare industry, both private and public, from beginning the journey towards better securing heath information and increasing the efficiency and quality of the nation’s healthcare delivery systems. As the industry moves toward the goal of electronic health records for all patients and with all providers, the need for strong identity management becomes more pressing. Issuing proper identity credentials and authenticating identity are solid steps in modernizing the U.S. healthcare system.

Issuing secure patient and provider identity credentials based on smart card technology will help to reduce medical identity theft, and will also bring numerous efficiencies to existing healthcare administration systems. Identity and authentication solutions based on smart card technology will provide an ideal foundation for improving the security and privacy of health information systems and electronic health records.

References

1. Survey conducted by The Ponemon Institute in February 2010
2. “HHS Budget Makes Smart Investments, Protects the Health and Safety of America’s Families,” February 1, 2010
3. Identity Theft Resource Center 2009 Data Breach Stats
4. “Health Net Says 1.5M Medical Records Lost in Data Breach,” ComputerWorld, November 19, 2009
5. “Hacker says he stole confidential medical data on 8 million Virginia residents,” Healthcare IT News, May 6, 2009
6. Booz Allen Hamilton, Medical Identity Final Report, prepared for U.S. Department of Health and Human Services, January 15, 2009, Page 16

About the Smart Card Alliance Healthcare Council

The Healthcare Council is one of several Smart Card Alliance Technology and Industry Councils, a new type of focused group within the overall structure of the Alliance. These councils have been created to foster increased industry collaboration within a particular industry or market segment and produce tangible results, speeding smart card adoption and industry growth.

The Smart Card Alliance Healthcare Council brings together payers, providers, and technologists to promote the adoption of smart cards in U.S. healthcare organizations. The Healthcare Council provides a forum where all stakeholders can collaborate to educate the market on the how smart cards can be used and to work on issues inhibiting the industry.

In the world of secure emails the choice may be based around your preferred communications channel (smart phone, PC, netbook, etc), what is convenient to you, are you more of a cloud person or a PC based email app user, price per user, number of emails that can be sent, and so forth. But the number one perspective you have to have in evaluating any of these different products is how convenient is it to your recipients. I am a firm believer that if you make security cumbersome, then users will always find ways to circumvent security for their own convenience. However, you can’t make something so convenient that security is thrown out the window. It’s a balancing act.

I recently tested rPost, SecurEnvoy, Word Secure, ZixMail, 4SecureMail, FileFortress, and Voltage Secure Mail. This is not an all inclusive list and with secure email services popping up rapidly there are probably a lot that I am unaware of. My bias in looking at all these services was not to find the one best service since that goes back to picking ice cream. Instead I am going to go through a series of items that I have concerns about and for you to consider before signing up.  

I am not going to review each product separately for their strengths or weaknesses. I believe that almost every technology is inherently good assuming it is being deployed in the right environment. Rather here I will discuss general features and you have to determine if it works for you.

1. Managing the Secrets Codes:
   Secure emails is the process in with the text you write is encrypted by a method so that the text becomes so scrambled and disjointed that it cannot be read by someone. The trick this is to get the authorized recipient the code or key that can unscramble everything back to its original text. Think of it as you and your best friend using your Captain America’s Secret Decoder Rings (maybe your Ironman ring for you younger readers). The difficulty comes in what is called key management or sharing the secrets.For example, say I have only two friends called Preston and Nikkitta (hey their my imaginary friends and I can name them anything I want). I want to send secure messages to Preston but I don’t want Nikkitta to read, so I encrypt with Secret code 1 setting. Next I want to only communicate with Nikkitta so I need Code 2. Finally, there will be times I want both to read the same email because I am lazy and don’t want to send out two separate emails so I create Code 3. You might think I only have three Codes to worry about, well don’t be so quick on your math. What if Preston wants to send me secure emails using a Code 4 he created, and since Nikkitta does not want to be left out of the fun, she has her Code 5. But we still are not finished. Preston also sends out emails that both Nikkitta and I can read Code 6, and Nikkitta has emails that she wants Preston and I to read Code 7. So what’s the fine Code count? Seven

So along comes Samantha and she knows a great group of people to befriend, but she wants her codes too. If we follow the same logic then I have 19 codes I have to remember. In truth I have over 200 friends and business contacts so I would have a boat load of codes.

Some products have you generate a password or code every time you send a new message. Some products have all the emails go into a secure server that requires a logon account. And, some will generate a new key for each group and store them within your computer. All these systems have their pros and cons like what happens if you want to retrieve an older email? How secure is the logon procedures and secure are the user’s passwords (Sticky Note security again)? If you go to a different computer where are all your account codes? So, when you looking at secure email systems give serious thought to  how the codes will be managed.

The next blog will be on Code Distribution.

Attacks have gotten worst and more lascivious with the phishing and pharming emails that look like they are coming from Amazon.com, USPS, FedEx, eBay, Apple, Microsoft, and other respected companies only to discover that the links are to sites that grab your personal information, inject virus and/or to be the first step to breaking into your personal computer.  One can’t even “unsubscribe” for fear that the link is bogus.

Sure, the “security experts” will tell you to buy their anti-virus and anti-spam software. Install a firewall on your computer. Keep all you programs updated with the latest patch. Give sage advice about not opening emails from people you don’t know. However, I am beginning to think these “experts” like all the attacks and breaches since it sells more of their products and services. Now I am not saying that you shouldn’t get security software and a firewall, but after all these years where users are bombarded with new attacks one has to wonder, who’s in control and do the software companies really care?

So, back to my point about email marketing. If you hate these emails and have become as suspicious as I have, why would you as a business owner utilize cold contact email campaigns in your own marketing plan and budget? The buying of email lists, monthly service fees, generating newsletters, and other old style self promotions is not worth the money. The very people you are trying to contact will delete all your messages. If you didn’t know yourself, would you ever open the marketing emails you send out?

Today, business marketing is more about people coming to your site or blog to read and learn about you and your products.  People want to build a trust and rapport with you, and not be sold a product. The day’s of TV pitchmen may be going away.

People will trust sites that their friends know so the social networking campaign is important. You also want to develop RSS feeds, eZines, Twitter feeds, etc.  The time and effort to integrate all this together requires a new type of marketing person. Be sure you get someone who knows what they are doing and not just repeating the buzz words.

Next, having a customer subscriber to an email newsletter to get the latest promotions and information may also become a waste of time and money. Instead, have a “member’s only” area that they sign up for where discounts and promotions are determined by the frequency of their visits.

As a security expert who constantly reviews different products, I review I’m still amazed at how software companies disregard the protection of a user’s data and personal information by treating it as an afterthought.  Furthermore, as our internet usage moves more to a cloud based system, security of both the back end and front end has to Job 1. In conclusion, instead of Caveat Emptor (let the buyer beware) or Caveat Venditor (let the seller beware) today’s phrase is “Caveat Computis Usor” (let the computer user beware).

Identity theft has raised the bar in blocking access to your new and existing customers using email marketing campaigns. In the past we may have found spam annoying as it filled up our in box, but with phishing, pharming, social media spying, etc.  all being used to steal one’s personal information, it’s gotten to the point of customers not opening, blocking and erasing all correspondences (legitimate or not). Hey, better safe than sorry.

All the so-called business cost savings that can be achieved using electronic media may be flying out the window. Aweber, Constant Contact, and others all have great products and these attacks are not their fault. Just realize that their identity has also been stolen: their brand. But as a business owner do you want to pay monthly service fees if all your marking efforts only end up in eTrash.

So, before starting a large, expensive email marketing campaign, determine if your customers will even read or click onto anything you send them. Maybe the new way to keep your customers informed is by creating a blog and posting your information and stories there. This strategy forces your customers to come to you and keeps them in control.

• Bad press
• Government investigations and fines
• Credit monitoring services to the victims
• Law suits and legal services
• New security technologies and policies to implement
• And then, how productive will employees be with all these changes being implemented.

It is ironic that this theft is going to cost ECMC millions of dollars in direct and indirect costs when there are solutions available for under $100 per user. My intent is not to add more blame onto ECMC, but rather to give a wake up call to other companies about data theft so they can learn from this incident. With the average cost of a data breach now reported at $6.7 million per incident, your company can’t afford to sit back and think this will never happen to me.

First, all data needs to be encrypted. There are programs like SafeHouse that are inexpensive and can encrypt data stored on hard drives, memory sticks, CD-ROMs, etc. If it can store data, it can be encrypted. But encryption is only one part since many of these programs requires a password to decrypt the data. Most people – left to assign a password – will use something easy, repeat something used elsewhere, or write down the password on a sticky note by their computer. Any one of these acts defeats the security of encryption.

Second, by adding a smartcard based password manager, now the data safeguards are elevated exponentially. Because the smartcard can store a complex, 20-charater long password that no one has to remember or type, key loggers can’t pick up the passwords and a brute force attack will be too time consuming to make it a viable attack. With the smartcard protected by a limited number of acceptable false entries and with card data encrypted, a lost or stolen smartcard is useless unless someone knows the PIN. Finally, the combination of data encryption plus smartcard implements what I call the “Seven Levels of Assurances”:

• Something you have – The card
• Something you know – The PIN to the card
• Something you are – Fingerprint, iris, biometric
• Something the card has – Account URL’s, passwords, user names, etc.
• Something the card knows – The card’s decryption keys
• Something the card is – Chip Specific Serial Number (CHUID)
• Something the card knows about you – User’s Classification Code

No single technology or solution will protect any company 100% from a potential data theft. The goal of any security officer is to put in enough barriers that drive the would-be attackers to find easier prey, while at the same time maintaining user convenience so they don’t circumvent security with bad practices. The use of firewalls, anti-virus software and secure logon policies are necessary, but these alone are no longer sufficient to comply with the many new privacy protection laws. As businesses add high tech safes to safeguard their data warehouses, frequently the strength of the lock is overlooked. Don’t install a screen door to protect your data vault.

If you have not heard, now computers with webcams are being used to spy on their users. The school in Pennsylvania is one of the newest publicized incident but many individuals are finding their video conference calls on the internet without their permission. In a recent security newsletter article, the same old precautions are being made: Anti-virus software, firewalls, secure wireless connections and being careful about opening email attachments. The only new suggestion made to prevent webcam intrusion was to put a piece of tape over the lens. Wow, big whoop.

With computers, operating systems, networks, email, websites, social networks, smart phones, and the list goes on all being used to invade our private data we may have been better off without the microchip.  It’s troubling when great products like Apple’s iPhone and iPad are being band from companies because of security risks. Convenience is no substitute for insecurity.

Business owners who use technology to reduce their costs are being attacked by government legislations to safeguard private data as well as hackers. Maybe it’s time technology companies take some of the heat for the holes they have in their products. Technology companies who ignore security are giving all the tools to the hackers and all the risks to their customers. Who do these tech companies really care about?