How to Remove Responsibility While Avoiding Data Breaches in Healthcare


If you work in the healthcare industry, you are familiar with privacy and how important it is to keep confidential data secure. Not only are you under the scrutiny of government regulatory compliance, you are also responsible for your patients’ personal data and ultimately their identities. In healthcare, accountability has become an important part of compliance: data breaches affecting over 500 individuals must be reported and are posted on the HHS.gov website. Now that organizations are under the pressure of hefty fines and public exposure, will we start to see the number of breaches fall, or better yet, stronger security put in place?

Looking at information on the U.S. Department of Health & Human Services website, we have put together some facts about healthcare data breaches. Although these are only the reported incidents, it is alarming to find that the majority of the problem has to do with unsecured digital data. By removing the responsibility from physicians, it would seem that hospitals and other healthcare facilities could have avoided many of the reported data breaches.

Loss and theft have played the largest role in healthcare data breaches, with over 265 breaches involving 15,039,697 individuals’ records. That is over 67% of the total number of reported breaches and an almost sickening, pardon my pun, 78% of the total stolen records. In defense of lost and stolen information, I would like to add that not all incidents involve a computer or digital form of data. However, it is still extremely daunting that 92% of computer-related data breaches are through theft or loss.


Government regulatory compliance like the HIPAA Security Rule and the HITECH Act requires more security for healthcare data. However, as long as physicians and other healthcare employees are allowed to transmit confidential patient data, the problem will continue. As the facts point out, although accountability is present and fines are hefty, this cannot protect us against human nature. When we lose computers or other portable devices, whether to theft or carelessness, we put privacy at risk. Restricting healthcare staff from downloading and storing the confidential data relieves the situation.

If remote access to patient data can protect against 92% of computer-related breaches, then why is it not being implemented? By placing accountability on a single location and utilizing zero-footprint technology, data can be accessed through any device without information being left behind. Furthermore, two-factor authentication adds a layer of security that fights fraudulent access.

The future is here now; there is no better time than the present to remove trust from physicians and place it in the hands of IT security. By utilizing secure remote access through two-factor authentication and a one-time password, we can improve privacy without hindering healthcare professionals.

Verizon Reports Data Breach Count Rises While Records Breached Falls


With the number of data breaches on the rise, why is the number of records stolen dropping?

Verizon recently released the 2011 Data Breach Investigations Report (DBIR), which combines its caseload information with that of the United States Secret Service. Although the number of records breached has dropped from a record high of 361 million in 2008 to 144 million in 2009 and even lower to only 4 million in 2010, the total number of breaches occurring is rising. This could mean that smaller businesses are being targeted through different vulnerabilities than in recent years.

Criminals Behind Bars Cause Others to Hide
Some would say that because many criminals were recently placed behind bars, including 1,200 suspects arrested in 2010, we are much safer. Others, mainly those involved in security, think the reduction in records stolen is a combination of higher security and, above all, a greater desire to stay out of jail. Many large-scale cyber criminals have recently been placed behind bars, including Albert Gonzalez and Maksym Yastremskiy, who were responsible for the 2010 payment card data breaches. With these spectacles of the law known to hackers everywhere, it may be that criminals are lying low.

Rather than targeting the higher-risk companies that have more security and investigative power, cyber criminals seem to be targeting low-hanging fruit. The statistics from Verizon’s report show that organizations with 11 to 100 employees were breached more in 2010 than any other company size. Approximately 436 breaches took place in this size bracket, compared to 323 breaches in all other employee size brackets combined. This is most likely because the level of security at these institutions is much less extensive than at larger corporations.


External Threats and Remote Access Security
It is good to know that employees and competitors are not the direct cause of data breaches. However, with 98% of breaches originating from organized criminal groups and unaffiliated persons, it is plain to see that remote access security is a dilemma. The top four types of attacks resulted from hacking and malware. Although mobile devices have lately been seen as the source of evil, in essence it is the server that has been the target. This is not to say that mobile devices will not haunt our future security woes, as they may soon become the target of cyber thieves.

In order to secure our privacy, the problem lies in authenticating remote users. Anyone accessing the server should be an authorized user, to prevent further deployment of malware. Furthermore, with hackers creating programs that let less skilled script kiddies easily maneuver through security, the need for remote access security will rise. The attacks we have seen recently may just be groundwork for later attacks. By utilizing information from data breaches, a hacker could create easy-to-use programs through which they control many unskilled attackers in many locations to pull off a much larger breach of records.

By utilizing a two-factor authentication method to identify users, many hacking attempts would be thwarted. However, in order to completely secure remote access, the need for out-of-band authentication using a one-time password is rising greatly. With over 50% of breaches resulting from malware, an out-of-band solution allows authentication to take place without the chance of being compromised by malicious software.

With new reports by Verizon and other companies being released constantly, we can view the change and evolution of attacks. More importantly, we can see trends that may point to future attacks and prevent data breaches through preventative security measures.

PC Software Piracy and Security Concerns

With the recent Internet-wide protests of PIPA and SOPA legislation making headlines, the issue of online piracy has sparked a controversial debate. In addition to the morality issue of pirating software, consumers should be aware of the many risks — including security risks — involved in this practice.

Software piracy is a widespread problem. In the U.S. in 2010, 20 percent of software was pirated, according to the Business Software Alliance (BSA), an organization aimed at stopping copyright infringement of software. What types of programs are consumers pirating? The Software & Information Industry Association says the software most likely to be pirated includes programs like Adobe Acrobat, Adobe Photoshop, Intuit TurboTax, and Adobe Dreamweaver, among others. The 2010 value of this illegal software was nearly $59 billion, costing the software industry plenty of money. Less advertised is the potential cost to those who illegally download.

Though pirating may seem like a cheap and easy alternative to purchasing licensed software, there are more risks than many realize. In addition to the legal and financial ramifications (the BSA says those found guilty of using or creating pirated software can be fined up to $250,000 or face a maximum prison sentence of seven years), consumers also risk their computer security.

Pirated software is unsafe. Unlicensed software that harbors particularly dangerous viruses and malware is often distributed by cybercriminals hoping to gain access to your information. For example, an illegal copy of a word-processing program might contain spyware that can send your credit-card information to a hacker. Or you could pirate a copy of a spreadsheet program and unknowingly activate your computer as a botnet drone. In addition, the keygens (key generators) that often come with illegal software or can be downloaded separately to activate the program are also commonly infected with malware.

Pirated programs also often cause computer-wide problems, corrupting files and disrupting function. Even worse, many of the pirated security software programs are actually decoys that cause the very problems they claim to protect against.

Using legally licensed software is the only way to properly protect your programs and computer. Developers frequently update their software, often releasing patches that protect their programs from the latest malware and keep the latest versions running smoothly. If you are using pirated software, your program and computer will remain vulnerable. Remember, too, that you might find yourself struggling to master your new software without the help of customer service that is only provided for legitimate versions.

Pirating software poses major legal, financial, and security risks to any user, and therefore should be avoided. But you should also consider the larger economic impacts. Though it may seem like a way for you to personally save money in the short term, according to the BSA, if law enforcement agencies could reduce the amount of pirated software by 10 percent during the next four years, it would create 32,000 new jobs and generate $41 billion in economic growth, which is much needed in our current climate.

$60 Billion A Year Medicare Fraud and How Two Factor Authentication Can Increase Medicare Security


Medicare fraud is a huge problem in the United States. It is estimated to cost taxpayers more than $60 billion each year, and some experts believe the number is higher than that. These rising costs are driving up federal budget deficits that endanger our future. The amount lost to Medicare fraud would be enough to pay for healthcare reform. One way we can protect against Medicare fraud is to mandate that Medicare records be electronically stored in a central database and then protect that data by securing access with technology such as two-factor authentication. Two-factor authentication is a secure and effective way to protect sensitive data and is also an effective way to combat Medicare fraud.

Medicare fraud has become one of the most profitable crimes in America and will continue to rise as long as criminals find ways to exploit the weaknesses in the Medicare system. It has also become much more sophisticated: these criminals recruit patients, obtain patient lists, find doctors, and look for new ways to commit Medicare scams.

In locations like Florida, Medicare fraud has become bigger than the drug trade. Rather than stealing or making $100,000 to $200,000 off of drug sales, criminals can steal millions through Medicare fraud. In Los Angeles, the City of Angels Medical Center recruited homeless people off the street to fill its beds, offering them food and money, while billing Medicare millions of dollars for their stay.

There are even companies that provide “lists” of Medicare patients, including their names, social security numbers, addresses, and dates of birth. With those four pieces of information, a criminal can bill the government for a patient. Copies of patient information sell for $10 per patient on the black market, and it is common for fraudsters to purchase thousands of these patient lists and then bill Medicare. Many of these lists are stolen from doctors’ offices and hospitals. Many of the charges go unnoticed because Medicare auditors can only check a fraction of them to see if they’re legitimate claims.

The Medicare system is based on trust. When the Medicare program was introduced in the 1960s, it was assumed that no one would try to defraud a system designed to take care of elderly people’s health needs. The government is required to reimburse Medicare vendors in less than 30 days, and in most cases Medicare “auto-adjudicates,” meaning that as long as the computers decide the right codes are being sent and the right forms are filled out, checks are sent to the vendors. This is a huge flaw in the Medicare system, and the right security measures need to be put in place to prevent this kind of fraud. The Medicare system needs to be reformed, with security measures that keep unauthorized users from accessing sensitive data.

Security methods such as two-factor authentication are an effective way to combat unauthorized users trying to defraud the system. With two-factor authentication, health care workers have to present two factors identifying themselves in order to access patients’ healthcare records, which confirms both their identity and that they are authorized to access the data. Two-factor authentication is also fairly cheap to implement and can be a very cost-efficient way of combating Medicare fraud. One of the most effective and cost-effective ways to implement it is to use a login/password combination in conjunction with a one-time password sent to a mobile device such as a smartphone or tablet. With this method, a user is identified by their username and password and also through their mobile device, which receives a one-time password over an out-of-band network, ensuring that they are who they say they are. This is effective and cost-efficient because most users already have a mobile phone, and the additional layer of security thwarts fraudulent access: even if an unauthorized user has a user’s login credentials, they would not be able to access the one-time password sent to the mobile device.

Two-factor authentication can be easily incorporated, can be low cost, and requires minimal training. If we took a fraction of the $60 billion that Medicare fraud costs taxpayers like you and me each year and used it to incorporate two-factor authentication into Medicare security systems, we would save a significant amount on Medicare and prevent a lot of fraudulent activity. The Medicare system needs to be reformed, and in a hurry, with an emphasis on strengthening its security.

Are Password Failures at the Forefront of Data Privacy and Protection?


As the battle between “good and evil” wages on, bills like SOPA and PIPA, along with government regulations, seem to be big news. Also on the frontier of data privacy and protection, we are seeing hacktivism through malicious attacks exposing confidential information. At the forefront of this mess, it is not hard to see that password failures, along with an overall lack of security knowledge, are what got us here.

Government Regulatory Compliance and Bills

With data breaches becoming more common, information technology security is starting to be seen as a necessity. Government regulatory compliance such as HIPAA, FFIEC and PCI DSS already focuses on protecting confidential financial and healthcare data that is transmitted or accessed through a network. In these cases, strong authentication is required to identify a user requesting access to confidential networks.

Recently, legislation has been moving into data protection matters as well. SOPA and PIPA, two government bills that would allow the federal government to police the internet, were recently shot down by the public. The bills would have made it possible for the FBI to shut down websites that may be dealing in pirated data. However, there is a gray area between what is and what is not “personal data or information.” That is why many websites, including Google and Wikipedia, protested the bills in order to protect freedom of speech. Hacktivist groups also took a stand against the new legislation with a series of DDoS attacks and possibly data breaches for later attacks.

Hacktivist Groups

Leading the data breach headlines are groups like Anonymous, who participate in hacktivism to take a stand. In recent news, Anonymous has claimed responsibility for shutting down the FBI and Department of Justice websites in protest of SOPA and PIPA. In the past year, Anonymous and other hacktivist groups like Lulz Security have been responsible for shutting down websites through DDoS attacks but, more importantly, for data breaches, which have a longer-lasting effect.

Data breaches like the Stratfor hack led by Anonymous have leaked confidential intelligence and personal data. Coordinated with LulzSec, Anonymous also breached the private data of over 77 million Sony PlayStation Network accounts. Many of these attacks stem from the lack of strong passwords and network security.

Passwords and Authentication

It is clear that data is where the power lies in the future; government wages war against hackers who are not only fighting for privacy but are the same ones leaking confidential data. Everyone seems to believe that creating stronger passwords will prevent future data breaches; however, the problem lies in accountability as well.

Passwords are too easy to forget, lose, crack and hack, and they just do not work. That is why password failure is at the forefront of data privacy and protection. Add the fact that our personal passwords are being leaked through data breaches, and the reality is that passwords, no matter how strong, are old news and no longer considered secure. Through strong authentication, however, everyone can forget their passwords, relying on the added layer of protection along with notifications to support accountability.

Two-Factor Authentication is Strong Authentication

In order to protect against password failure, we have to get rid of passwords altogether. How can we do that? Two-factor authentication through an out-of-band one-time password allows users to use almost any password, because the authentication process relies on “something you have” to identify the user. An OTP is sent over a network separate from the original point of access, usually by SMS text message, since that channel is out-of-band, cost-effective and efficient. By utilizing a mobile phone, you also gain a notification whenever someone requests access to the account.
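As an added example (not code from the original posts or from any vendor), here is the server side of the out-of-band one-time-password step described above and in the Medicare post: the code is generated only after the password check passes, handed to a hypothetical `send` hook that stands in for an SMS gateway so it travels on a channel separate from the login, stored only as a keyed hash, and accepted once, within a short window, and only for a limited number of guesses. User names, phone numbers and the message wording are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120   # a code is valid only for a short window
MAX_ATTEMPTS = 3         # after that the code is burned and login starts over


@dataclass
class PendingChallenge:
    user: str
    code_hash: bytes     # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts: int = 0


@dataclass
class OtpService:
    # Hypothetical delivery hook standing in for an SMS gateway (constructed
    # for this example): it receives (phone_number, message_text).
    send: Callable[[str, str], None]
    phones: Dict[str, str] = field(default_factory=dict)  # user -> enrolled phone
    server_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: Dict[str, PendingChallenge] = field(default_factory=dict)

    def _hash(self, user: str, code: str) -> bytes:
        # Keyed hash bound to the user: a leaked pending table is not replayable
        return hmac.new(self.server_key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, now: float) -> str:
        """Call after the password check passes. The code goes out of band to the
        enrolled phone; the login session gets a challenge id to present with it."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = PendingChallenge(user, self._hash(user, code), now + CODE_TTL_SECONDS)
        # The text doubles as the notification the post describes: the account
        # owner hears about every login attempt, whether or not it was theirs.
        self.send(self.phones[user], f"Your login code is {code}. Not you? Tell IT.")
        return cid

    def verify(self, cid: str, user: str, code: str, now: float) -> bool:
        ch = self.pending.get(cid)
        if ch is None or ch.user != user:
            return False
        if now > ch.expires_at:
            del self.pending[cid]                # expired: discard
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.pending[cid]                # too many guesses: burn the code
            return False
        # Constant-time comparison so response timing leaks nothing about the code
        if not hmac.compare_digest(ch.code_hash, self._hash(user, code)):
            return False
        del self.pending[cid]                    # single use: a replayed code fails
        return True
```

Wire `send` to a real SMS gateway and call `issue()` only from the code path that runs after a successful password check; `now` is passed in explicitly so expiry is testable with a fixed clock.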

The new frontier of data privacy and protection relies on authenticated access for remote users. Not only does this prevent data breaches, it also allows users to leave passwords behind, placing accountability back into the hands of security.