While technology undoubtedly has made accessing medical information much easier and faster, it has also provided an increased potential for medical data breaches, especially as health personnel begin to use unsecure mobile devices for personal and work use. With an increase in health care employees using their own tablets and smartphones in the workplace, many healthcare companies are considering adopting a Bring Your Own Device (BYOD) policy. However, many companies have failed to implement mobile data breach protection, breaking the HIPAA Security Rule, which requires healthcare companies to perform a risk analysis of the processes by which they protect the confidentiality of electronic patient health information maintained by their organization. Companies are required to use the information gathered from the analysis to take measures to ensure the confidentiality of patient data and to reduce risks to a reasonable level. If companies don’t comply and there is a data security breach, they can be heavily fined by the U.S. Department of Health & Human Services. Just recently, a teaching hospital and medical practice associated with a large university was fined $1.5 million in a data breach of patient information when a laptop computer containing unencrypted data on 3,621 patients and research subjects was stolen. Hospital and practice officials were found guilty of violating the HIPAA Security Rule by not implementing data protection and security on their mobile devices. The loss of laptops, portable storage gadgets like thumb drives, and cell phones has already cost insurance companies, drugstores, medical practices and even a government health and social services department millions of dollars in fines. Unfortunately, this troubling trend doesn’t just affect the medical industry.
In August 2012, Coalfire (a firm that provides IT audit and risk assessment) surveyed 400 individuals across North America covering a variety of industries about their company’s mobile device security practices. The data revealed that many organizations lack policies addressing mobile cyber security threats. Key statistics from the survey: 84 percent use the same smartphone for personal and work usage; 47 percent don’t have a password on their mobile phone; 51 percent said their companies cannot remotely wipe data from mobile devices if they are lost or stolen; 49 percent said their IT departments have not discussed mobile/cyber security with them. Clearly, companies are not doing enough to protect themselves and their employees from the expensive cost of a data breach. As mobile devices become popular and less expensive, workers will naturally want to use them for their jobs. Therefore, it is prudent for companies to adopt business data breach protection and security policies to protect not only their company data but also their pocketbook.
You’ve heard of the websites that can locate sex offenders near you. Maybe you’ve even used them to scope out your neighborhood. But are those websites giving you the full picture? What if some sex offenders are flying under the radar? According to a recently released study from Utica College, more than 16 percent of sex offenders attempt to avoid mandatory monitoring by manipulating their identity. They use multiple aliases, use various personal identifying information such as social security numbers or date of birth, steal identity information from family members, manipulate their name, use family or friends’ addresses, alter their physical appearance or move to states with less stringent laws. Finding ways to slide under the radar means registered sex offenders could live near schools and playgrounds, or even gain unapproved employment. In one case, 29-year-old Neil Rodreick enrolled in at least four schools in Arizona, posing as a 12-year-old boy. He was finally caught when one school was unable to verify the information on his paperwork. A parallel study conducted by Utica demonstrated that awareness of identity manipulation of sex offenders is low. Of 223 law enforcement agencies surveyed in 46 states, only five percent knew of an identity manipulation case within their jurisdiction. Close to half (40 percent) of respondents said that they had zero cases, indicating that some may not even be aware of this issue. Clearly, additional monitoring is needed. Experian offers sex offender monitoring that conducts an in-depth search of sex offender registries in all 50 states, Washington D.C., Puerto Rico and Guam to help find and identify sex offenders. It also provides notifications when a sex offender is living in or moves to a customer’s neighborhood, or if a sex offender registers under a different name using a customer’s address. Monitoring identity and credit information is another way to stay aware of sex offenders using one’s personal credentials.
Do you feel that current sex offender tracking is working? Are there other tools or systems states should be using to track them?
Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC). The rise of online functionality and connectivity has in turn given rise to online security issues, which create the need for passwords and other defenses against information theft. Most people today have multiple online accounts and accompanying passwords to protect those accounts. I personally have accounts (and passwords) for sites I no longer even remember. And while I have more accounts than most due to my profession, my hunch is that many people deal with the issue of password overload. Password overload is when you attempt to use your Pinterest, Twitter, work email and university login passwords (one after another) to get into your Money Market Account only to be locked out. Now you have to go into the branch with photo ID, or endure the dreaded “customer service hotline” (not-line) to prove that “you are you.” I expect that you have experienced such “password overload” inconveniences, or you almost certainly know someone who has. The problem seems like it could be easily solved by using the same password for everything. One password to remember, and no more jumbling through your notebook trying to find what password you used for your newest account creation or Facebook app. The problem with this approach is that if you are using the same passwords for all (or even several) of your accounts, then if someone manages to get the password for say, your Instagram account, they would probably be able to then drain your savings account, phish your family for personal information (such as your Social Security Number), or rack up a warrant in your name for writing bad checks…. This could all happen because you logged into Facebook at an unsecured Wi-fi location, where your password for that one account is compromised, and it happens to be the same password you use for multiple accounts. 
So, what do you do if you don’t want to tattoo 25 passwords on your arm and you don’t want to end up cuffed for felony check fraud? The answer is a password manager. This new service was created so that users can remember just one password, yet have access to all other passwords. The best part is that you can have access to these passwords from anywhere, as most of the new password managers are internet based. As the need for password management increases, the options consumers have have grown, leaving even the strictest cybersecurity aficionado pleased with the service. A few things you should look for when finding a password manager are: Is it cross platform? Will it work on your iPhone and your PC? How is the information (your passwords) encrypted? Does the service sync automatically, or will the user need to update the password storage database every time they sign up for a new account? What is the initial authentication process and how strong is it? How reputable is the company who created the product and what is reported about the product itself? By asking yourself these questions you should be on your way to making sure that your passwords are protected and you won’t lose your mind trying to keep track of them all. Just make sure you protect your login credentials for your password manager…. like really, really well…
Customers see a data breach and the loss of their personal data as a threat to their security and finances, and with good reason. Identity theft occurs every four seconds in the United States, according to figures from the Federal Trade Commission. As consumers become savvier about protecting their personal data, they expect companies to do the same. And to go the extra mile for them if a data breach occurs. That means providing protection through extended fraud resolution that holds up under scrutiny. Protection that offers peace of mind, not just in the interim but years down the line. The stronger the level of protection you provide to individuals affected in a breach, the stronger their brand loyalty. Just like with any product, consumers can tell the difference between valid protection products that work and ones that just don’t. Experian® Data Breach Resolution takes care to provide the former, protection that works for your customers or employees affected in a breach and that reflects positively on you, as the company providing the protection. Experian’s ProtectMyID® Elite or ProtectMyID Alert provides industry-leading identity protection and, now, extended fraud resolution care. ExtendCARE™ now comes standard with every ProtectMyID data breach redemption membership, at no additional cost to you or the member. With ExtendCARE, the identity theft resolution portion of ProtectMyID remains active even when the full membership isn’t. ExtendCARE allows members to receive personalized assistance, not just advice, from an Identity Theft Resolution Agent. This high level of assistance is available any time identity theft occurs after individuals redeem their ProtectMyID memberships. Extended fraud resolution from a global leader like Experian can put consumers’ minds at ease following a breach. If we can help you with pre-breach planning or data breach resolution, reach out to us via our contact form on our contact page.
Our guest blogger this week is Tom Bowers, Managing Director, Security Constructs LLC – a security architecture, data leakage prevention and global enterprise information consulting firm. The rash of large-scale data breaches in the news this year begs many questions, one of which is this: how do hackers select their victims? The answer: research. Hackers do their homework; in fact, an actual hack typically takes place only after many hours of first studying the target. Here’s an inside look at a hacker in action: Using search queries through such resources as Google and job sites, the hacker creates an initial map of the target’s vulnerabilities. For example, job sites can offer a wealth of information such as hardware and software platform usage, including specific versions and their use within the enterprise. The hacker fills out the map with a complete intelligence database on your company, perhaps using public sources such as government databases, financial filings and court records. Attackers want to understand such details as how much you spend on security each year, other breaches you’ve suffered, and whether you’re using LDAP or federated authentication systems. The hacker tries to identify the person in charge of your security efforts. As they research your Chief Security Officer or Chief Intelligence Security Officer (who they report to, conferences attended, talks given, media interviews, etc.), hackers can get a sense of whether this person is a political player or a security architect, and can infer the target’s philosophical stance on security and where they’re spending time and attention within the enterprise. Next, hackers look for business partners, strategic customers and suppliers used by the target. Sometimes it may be easier to attack a smaller business partner than the target itself.
Once again, this information comes from basic search engine queries; attackers use job sites and corporate career sites to build a basic map of the target’s network. Once assembled, all of this information offers a list of potential and likely egress points within the target. While there is little you can do to prevent hackers from researching your company, you can reduce the threat this poses by conducting the same research yourself. Though the process is a bit tedious to learn, it is free to use; you are simply conducting competitive intelligence upon your own enterprise. By reviewing your own information, you can draw similar conclusions to the attackers, allowing you to strengthen those areas of your business that may be at risk. For example, if you want to understand which of your web portals may be exposed to hackers, use the following search term in Google: “site:yourcompanyname.com -www.yourcompanyname.com” This query specifies that you want to see everything on your site except WWW sites. Web portals do not typically start with WWW and this query will show “eportal.yourcompanyname, ecomm.yourcompanyname.” Portals are a great place to start as they usually contain associated user names and passwords; this means that a database is storing these credentials, which is a potential goldmine for attackers. You can set up a Google Alert to constantly watch for new portals; simply type in your query, select how often you want updates, and Google will send you an alert every time a new portal shows up in its results. Knowledge is power. The more you know about your own business, the better you can protect it from becoming prey to hacker-hawks circling in cyberspace.
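The self-audit described above can be turned into a repeatable check. The following is an added example, not code from the original post: it takes result URLs collected from the site: query for your own domain, keeps the non-WWW hosts, and reports which are missing from your portal inventory and which expose a login page. The inventory, the login keywords and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

DOMAIN = "yourcompanyname.com"  # placeholder domain used in the article
KNOWN_PORTALS = {"eportal.yourcompanyname.com"}  # constructed inventory of approved hosts
LOGIN_HINTS = ("login", "signin", "logon", "auth", "sso")  # assumed keywords

# Constructed sample: URLs copied from search results for your own domain.
SAMPLE_RESULTS = [
    "https://www.yourcompanyname.com/about",
    "https://eportal.yourcompanyname.com/login",
    "https://ecomm.yourcompanyname.com/cart?id=1",
    "http://ECOMM.yourcompanyname.com/signin",
    "https://yourcompanyname.com.evil.example/login",  # look-alike, not ours
    "https://yourcompanyname.com/",
]

def split(url):
    """Parse a URL, tolerating entries pasted without a scheme."""
    return urlsplit(url if "://" in url else "//" + url)

def non_www_hosts(urls, domain=DOMAIN):
    """Map each non-WWW subdomain of `domain` to the set of paths seen on it."""
    found = {}
    for url in urls:
        parts = split(url)
        host = (parts.hostname or "").rstrip(".")
        # Suffix match on ".domain" rejects look-alike hosts and the bare apex.
        if not host.endswith("." + domain) or host == "www." + domain:
            continue
        found.setdefault(host, set()).add(parts.path or "/")
    return found

def review(urls, known=KNOWN_PORTALS, domain=DOMAIN):
    """Return (hosts missing from the inventory, hosts exposing a login page)."""
    hosts = non_www_hosts(urls, domain)
    new = sorted(h for h in hosts if h not in known)
    login = sorted(h for h, paths in hosts.items()
                   if any(hint in p.lower() for p in paths for hint in LOGIN_HINTS))
    return new, login

if __name__ == "__main__":
    new, login = review(SAMPLE_RESULTS)
    print("Not in inventory:", new)
    print("Expose a login page:", login)
```

Running it on each new batch of results gives the same signal as the Google Alert: any host in the first list is a portal the security team has not yet reviewed.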