5 Tips for Gracefully Handling Your Data Breach

You can barely throw a rock on the Internet these days without hitting a piece of advice on the best way to prevent a data breach. Yet, any organization that falls victim to such an attack is likely to find little guidance about the next steps to take. What’s the most appropriate way to share the news about a security incident?

Source: freedigitalphotos/Stuart Miles

Know Your Audience

The key in finding the best approach to take is to first understand that the message may have to vary slightly depending on the recipients to address their pain points and concerns:

  • Consumers worry about their privacy. Will they need to switch banks? Cancel cards? Should they continue doing business with the affected company?
  • Regulatory bodies like the Federal Trade Commission will want to verify that the technical aspects—like fulfilling any statutory obligations—of the announcement meet certain standards.
  • Banks will want details about how the affected company will address the costs for issuing new cards to consumers.
  • The board and the shareholders are more concerned about company worth and viability, and how or if such an incident compromises an organization’s value.

Given that this is just a cross-section of those who might be affected by a data breach, it is easy to see how any official message must be tailored according to the audience.

Tips for Taking the Plunge

Once it’s time to explain, remember that honesty is the best policy… with these tips:

  1. Find the right balance between planning when and how to discuss any cyberattack with those affected, whether that means shareholder or cardholder. Some companies have found success with making an initial limited disclosure, then releasing more details upon investigation completion, but don’t deliberately downplay the gravity of the situation either. Also, comply with all mandatory disclosure timelines.
  2. Remember that language is everything. A “cyberattack” suggests an unforeseen and unpredictable outside force, while a “data breach incident” subtly implies that the company is at fault. Choose every word carefully.
  3. Know your rights. Reporting information to the authorities may negate the protective status of attorney-client privilege. Although cooperation with law enforcement is a must, do so with the guidance and advice of counsel rather than disseminating information too quickly.
  4. Remember that excessive compensation isn’t a must. Although offering a type of loyalty reward, like free credit monitoring, as a gesture of thanks to affected customers is understandable (and often appropriate), going overboard with an offer that’s disproportionately generous can seem suspicious in an overly culpable kind of way. Always weigh the considerations of such offers against the possible costs.
  5. Don’t be afraid to involve forensics consultants as part of damage control. Digital evidence can uncover any indicators that point to a preventable security compromise, or it can provide proof that absolves the affected company completely.

Although any data breach incident—ahem, cyberattack—can feel like a PR nightmare, it doesn’t have to be. Going public with a data breach can be handled with professionalism and grace, as long as a solid strategy is set in place before any information is released about the incident.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Why It’s Time for Law Firms to Get Real about Data Security

Source: freedigitalphotos.net/Renjith Krishnan

When it comes to data security, law firms are facing two distinct disadvantages. First, the legal industry seems to lag behind other fields somewhat when it comes to technology in general; not every member of the old guard sees the need to learn new tricks. And secondly, there’s no industry-wide standard when it comes to data security requirements for sensitive information. This combination all too often leaves law practices severely lacking when it comes to protecting data, leading experts to refer to law firms as the “soft underbelly” when it comes to cyber security. Is this a fair designation, or are law firms more self-aware than that?

Technological Savvy

Although of course new case law is created on a regular basis, the truth is that the vast majority of legal expertise lies in examining and reexamining the same information again and again. This can give the impression—sometimes even to those within the legal profession—that not much changes when it comes to litigation, and therefore that there is little need to join the 21st century by investing significantly in a firm’s technological infrastructure. As such, running into severely outdated computer systems in a lawyer’s office isn’t all that unusual, particularly in smaller firms that lack the financial resources of larger, more established practices.

Yet, to assume that these “rules” apply to all law firms is equally shortsighted. In reality, the past year alone has shown a dramatic uptick in security efforts from individual firms, either in an effort to adopt ISO 27001 or even stricter security standards. Initiatives like LegalSEC® are helping to develop consistent guidelines within the legal community and create security programs that are both measurable and achievable, as well as promote greater awareness about cyber security.

The Future of Legal Technology

The issue of cyber security becomes paramount when the legal industry intersects with other professions in which data protection is a chief concern. For example, clients in the financial services industry are likely to conduct security audits to ensure outside counsel’s compliance with industry-specific guidelines. These audits can even include details such as security assessments of data centers and physical files.

In short, the legal industry now finds itself in a position that requires it to maintain robust security programs, acknowledge and resolve any existing vulnerabilities, and be prepared to address any risks that are uncovered during a security audit. The overwhelming response has been to rapidly restructure existing operating budgets accordingly.

While the sudden IT security ramp-up may seem like an overwhelming shift, this is really only one pixel in the big picture of other changes law firms are facing: new billing practices as clients push for a move from hourly to service-based fees, the non-traditional career path of working as an independently contracted lawyer, and a number of other post-recession adaptations that allow the industry as a whole to evolve and—eventually—thrive in its new incarnation. Rest assured, those in the legal field are not the only seasoned professionals who are facing these types of challenges. Armed with a renewed awareness of the severity that a lapse in data security can represent, the legal industry is ready to face the future and get serious about data security.

Written by Simeon D. Rapoport

Simeon D. Rapoport is the Vice President & General Counsel for iBridge. He’s been an attorney for more than 25 years, began his career working in the courts and private practice for more than 10 years, and has been in-house corporate counsel since 1998. Rapoport’s experience includes private practice with the large West Coast firm of Bullivant Houser and more than 10 years at Standard Insurance Company. Rapoport is a frequent author and speaker, and he enjoys being active in Bar and civic groups. His interests include family, fitness, outdoor activities, and travel.

Are You Beefing Up Your Data Security?

While the general public may think of data breaches as occurring mainly in the retail industry, signs increasingly indicate that the healthcare sector could present a much higher risk for consumers, both in terms of frequency and the potential for more serious consequences. Large retailers whose security efforts have been found wanting (as in the case of Target’s heavily publicized recent data breach) have been duly fined and have now actively kicked their security efforts up a notch, along with many of their peers. Yet, healthcare organizations—despite their arguably greater vulnerabilities—still seem to be lagging behind when it comes to data protection.

Source: freedigitalphotos.net/Stuart Miles

Personal vs. Financial Data

Although having your credit card or bank account data stolen is certainly stressful, the loss or theft of personal information like medical records can be even more sensitive, for a number of reasons:

  • While consumers can contact their banks, credit card companies or the credit bureaus to report identity theft, no “official” recourse exists for a breach of medical records.
  • Information gleaned from medical records can be leveraged into accessing a multitude of other accounts, including banks and credit cards.
  • Correcting medical records after healthcare fraud has occurred is next to impossible, as healthcare organizations are (understandably) reluctant to change any records but those directly originating from their practice.
  • Healthcare fraud cost the United States an estimated $80 billion, according to the FBI.

This list is just the tip of the iceberg when it comes to looking at all the reasons a personal data breach so often presents a more serious threat to individuals than a retail-related breach that only accesses payment accounts.

What’s Your Security Grade?

A close examination of data on security breaches indicates that those in the healthcare industry continue risking network exposure and patient data by following high-risk practices. Security ratings are lower overall for healthcare organizations than for retailers, indicating a strong need for all healthcare-related businesses to beef up their efforts at patient protection across the board.

In 2013 alone, nearly 200 data breaches were reported to the U.S. Department of Health and Human Services, a number that reflects over 7 million at-risk patient records. This is an increase of 138 percent from the previous year.

The Payoff

Since most healthcare systems were originally designed for ease of use rather than high-level security, these facts are hardly surprising. Yet, since the United States spends approximately $2.7 trillion on healthcare every year, it shouldn’t be hard for healthcare organizations to see that their records represent a potential goldmine for cybercriminals. That fact alone should be reason enough to start taking security much more seriously.

At this point in the game, it’s clear that protecting patient data and healthcare records desperately needs to take top priority, especially when additional factors such as the launch of HealthCare.gov and the recent increase in HHS crackdowns are taken into consideration. If you’re still not sure where you stand with your system’s security, take the time to conduct a risk assessment and find out if your organization might be vulnerable.

Written by Dean Van Dyke

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

3 Tips for Healthcare Data Security

While IT security is challenging in any business, the healthcare industry carries its own unique set of obstacles and high standards. This is due to a number of different factors, ranging from the obvious (HIPAA and other regulatory guidelines) to the subtle (the best way to handle long-term data storage of medical records). Here are three tips that can help you improve your healthcare data security overall.

1. Risk Analysis Done Right

Image via freedigitalphotos.net/Stuart Miles

Arguably the most important item of documentation required as part of an Office for Civil Rights audit, a risk analysis shows the steps your organization has taken in terms of both technical and physical data security, as well as looking at employee education efforts and other administrative factors. From uptraining and promoting awareness among staff to ensuring that satellite devices like company-issued laptops are just as secure off-site as on, every detail of your data security can be revealed with a risk analysis. With the OCR going as far back as five years for their audits, showing just the most current version is no longer enough; they’re looking now at how your security strategy has evolved over the years, and whether you’re making ample efforts in the right directions.

2. Encrypt, Encrypt, Encrypt

Speaking of company-issued laptops, are yours encrypted? Physical theft and loss of unprotected devices remains the biggest problem currently facing healthcare data security. In fact, OCR data shows that the majority of HIPAA privacy and security breaches—60 percent—are due to the theft or loss of unencrypted laptops and other devices. If this equipment were encrypted, unauthorized access to the data it contained would be severely limited or even prevented entirely. While the per-user cost of enabling encryption seems significant initially (sources estimate somewhere between $200-$400), the financial impact of a data breach that occurs from a failure to encrypt is exponentially higher.

3. Educate Your Employees

Of course, all the rules and policies in the world aren’t going to make a bit of difference if your employees remain unaware of them… or worse, decline to follow them. Employees have to be educated about the risks—not just of how a data breach could impact employees and patients, but also the importance of encryption, why safe browsing and computing habits matter, the difference between a strong and weak password and so on. IT security doesn’t happen in a vacuum; privacy and protection are dependent on every individual who interacts with sensitive data, and at every step of the workflow.

Call in the Experts

If you’re feeling generally overwhelmed by the big picture of healthcare IT security—or the multitude of just as important yet easily overlooked tiny safety details—you may want to look into working with a third party vendor who specializes in the field of ensuring IT security for healthcare organizations. From data analysis to implementing encryption and working to develop a comprehensive employee education program, an outside voice of expertise can provide a much-needed level of guidance to ensure that your organization and your patients are well-protected.

Are Small Hospitals More Vulnerable to Data Breaches?

Small hospitals and healthcare practices often think they’re not as vulnerable to hackers as their larger peers, and for seemingly logical reasons. In theory, they present less of a motivation for hackers (since the payoff wouldn’t be nearly as impressive), and their size probably makes them less well-known compared to a larger facility, too. Yet, the reality is that what these healthcare providers read in the news is just the tip of the iceberg. There are a few reasons why smaller healthcare organizations may actually be a more enticing target than healthcare executives realize.

Size Relative to Security

Image via freedigitalphotos.net/Stuart Miles

When it comes to security, size should never be relative. That is, smaller facilities shouldn’t skimp on protection just because they have less extensive databanks or fewer patients. Unfortunately, this is exactly the misassumption some healthcare executives make: that protection really isn’t all that critical. Just as unfortunately, a lot of hackers know that this attitude is prevalent in small practices, which makes those less extensive databases ripe for the plucking.

Another place where size is deceptive lies on the development side of the healthcare industry. Healthcare-related apps are convenient little things, thought of as generally hobby-based and innocuous. This combination of qualities means that security is often overlooked here, too, leading to many health and fitness apps that sorely lack in adequate protection of patient privacy.

Steps to Take

No matter how insignificant your healthcare practice may seem in comparison to larger, fancier or sleeker facilities, one man’s trash is another man’s treasure, as the saying goes. Just because you imagine that your limited information couldn’t possibly be valuable to hackers doesn’t mean that the jackpot isn’t just as satisfying if cybercriminals gain unauthorized access to your system…and that means your patients—and their privacy—remain very much at risk.

There are a few steps that can help limit these vulnerabilities:

  • Beef up security: Don’t let anything go unprotected, even (perhaps especially) medical records. Hackers aren’t just after payment information; don’t assume that just because you don’t maintain records of credit card authorizations that there’s nothing in your circuits that could interest a seasoned cybercriminal. Health data is its own gold mine.
  • Regular check-ups: Even if a breach does occur, an early diagnosis is key to limiting potential damages. Something as simple as keeping an eye on your access logs so you recognize any anomalies can make a huge impact in rendering hackers powerless.
  • Don’t forget the small stuff: There really is no “too small” when it comes to hackers. From health-related apps to insulin pumps to the most remote rural practice, anything that houses, transmits or records medical information requires the utmost protection.

If there’s only one takeaway here, let it be that developing awareness of the very real danger of medical identity theft—regardless of practice size—is of the utmost importance to protecting patient information. Take the right steps to protect your practice and your patients, and you’ll become a much less tempting target.

Is Your Healthcare IT Security Stuck in The Stone Age?

It has been more than a decade since HIPAA’s security rule was introduced. In the intervening years, the field of healthcare IT security has evolved dramatically. However, not all practices and providers have gone along for the ride.

Are you part of an organization running a Flintstones-era healthcare infosec operation? If so, you may be playing fast and loose not only with patient welfare but also with federal regulations. With the impending implementation of ICD-10 and the ongoing shift to fully electronic medical records, chinks in your healthcare IT security armor may leave both your patients and your organization vulnerable to costly and compromising breaches.

Head in the Cloud?

Cloud computing has lifted physicians’ abilities to communicate, collaborate, and compare patient information into the stratosphere. Developments in cloud computing technology put staggering amounts of useful information in the hands of healthcare providers in both megacities and small municipalities.

But for all the benefits that come from this open access platform, there is also great risk involved. Managing data across multiple platforms and great distances exposes sensitive patient information to huge numbers of eyes. If you haven’t made security a priority, you may inadvertently – and unknowingly – be exposing patient reports, EMRs, and images to nefarious individuals or entities. Be sure any outsourced firms with which your organization or practice contracts have a top-of-the-line IT security system and federal approval for capturing and storing confidential patient information.

Security Alphabet Soup

When swimming in a sea of EHR/EMR, HIPAA, HITECH and many other acronyms, it’s easy to let information security fall to the bottom of your list of compliance priorities. However, the federal government is ramping up efforts to monitor and intervene in even the smallest of HIPAA breaches. In a world of rogue “hacktivists” and ever-changing security threats and standards, how can you be sure you’re doing everything possible to keep patient information secure? Here’s a hint: if you don’t know what “hacktivists” are, you may be in the middle of a Stone Age healthcare IT security situation.

In the new cyber economy, even small- to medium-sized businesses and practices face security threats more commonly associated with institutions on an enterprise-level scale. Putting healthcare IT security higher on your list of priorities shouldn’t even be up for debate.

Top Healthcare IT Security Threats

A few of the most vulnerable points for IT security include:

  • Providers and contractors with multiple, untraceable, unencrypted mobile devices – Constantly upgraded operating systems make these ubiquitous devices especially vulnerable to cyber hacking and viruses.
  • The shift from desktop systems to cloud-based servers – The ability to use multiple applications from one virtualized “desktop” saves hardware dollars but exposes private health information to a wider array of infosec threats.
  • Social media vulnerability – It’s nearly impossible to restrict employee access to social media, but these networks are also rife with quickly-spreading viruses and security bugs.

Healthcare Security for the Modern Age

If you aren’t sure whether your healthcare security processes and procedures are up-to-date, they’re most likely behind the times. Get smart with your healthcare IT security policies in order to ensure both federal compliance and patient privacy. Protecting your practice and patients from cyber infection is as serious a charge as the cause of improving physical health. To guarantee the security of both patient data and your vital business information, make IT security a top priority. Doing so may require enlisting an outside contractor with the expertise to make your healthcare IT security completely airtight.

Image via freedigitalphotos.net/ddpavumba

3 Reasons Why Law Firms Need to Take Extra Steps for Data Protection

Regardless of specialization, lawyers everywhere are familiar with the concept of attorney-client privilege, and the closely related need to protect client confidentiality. Yet, a recent survey conducted by LexisNexis indicates that very few firms are actually taking steps to increase protection of sensitive data. Here are three reasons that needs to change.

1. Email Is Vulnerable

It’s a common misassumption to believe that because email accounts require passwords to log in at both ends of transmission (from both the sender’s account and the recipient’s), email is a protected means of communication. In reality, however, emails that are sent without encryption are completely vulnerable to hackers. Although the LexisNexis survey mentioned above indicates that only a minority of firms are currently using encryption for their privileged communications, doing so would be a small step for many firms that could make a big difference in data security.

2. File Sharing Is Gaining Popularity

As the volume of data exchanged daily continues to increase, the concept of file sharing grows in popularity too. Unfortunately, the majority of respondents to the LexisNexis survey report that their preferred method of “file sharing” is—again—simply sending everything back and forth by unencrypted email. There are encrypted file sharing services and programs available that could offer an additional layer of security to sensitive data, offering greater peace of mind to attorney and client alike.

3. Confidentiality Isn’t Real Protection

A staggering number of firms—77 percent to be exact—say that they rely on the confidentiality statement at the bottom of every email as their primary defense. While this may offer some level of protection to the firm itself, the clients themselves are rarely protected by any confidentiality disclaimer… not to mention, a few sentences about privileged information doesn’t actually mean that the information contained in the email is protected in any real way from outside threats, which is a concern that needs to take on a higher priority.

Future Protection

Both clients and their attorneys need to recognize the need for heightened security when it comes to data protection. When 89 percent of firms report that their use of unencrypted email is their primary means of client communication as well as internal information exchange, the concern quickly becomes apparent. No matter what your signature line may read, the truth is that promising not to share privileged data isn’t even close to the same thing as protecting that same data against unauthorized access. It’s time for law firms to get serious about data protection in an effort to truly safeguard themselves and their clients.

Image via FreeDigitalPhotos.net/thanunkorn

Vendor Sacked for HIPAA Breach Blunder

Data Misuse Concerns

The site in question, used by physicians for patient notes, didn’t show signs of access by any unauthorized personnel, and the patient records did not include financial information or social security numbers. However, the potential for accessing personal information such as prescriptions and medical history was still very much a possibility.

All of the impacted individuals were notified, and Boston Medical Center immediately discontinued their decade-long business association with the medical transcription company. The website was taken down the same day the incident was reported, although it’s not clear how long the patients’ unprotected data was live on the site prior to that date.

It’s clear that MDF Transcription was not following the HIPAA protocol as it should have. Even though it doesn’t appear that any of the information was used or accessed inappropriately, HIPAA is not just about fully realized cyber-attacks. Instead, the guidelines set in place by HIPAA are intended to be proactive and preventative, protecting not only against the misuse of data but also against unauthorized access of any kind.

The Future of PHI

Ongoing discussions over protected health information (PHI) have led to a recent Blue Ribbon Panel for further discussion on how to best respond to the increasing complexities involved with privacy and security enforcement within the healthcare industry. From the Office for Civil Rights (OCR) to the Federal Trade Commission and even the Securities and Exchange Commission, a number of organizations are getting more involved with the education and enforcement of the HIPAA compliance process.

Perhaps more relevant for companies like MDF, the OCR is taking a more aggressive stance when it comes to imposing financial penalties on those organizations that have neglected to meet even baseline expectations for PHI standards and HIPAA compliance. Overall, the mood is one of very little patience toward companies that continue ignoring mandatory standards, and a heavy emphasis on the right of the individual to expect (and receive) a certain level of privacy assurance when it comes to his or her own health and medical records.

How to Minimize Data Exposure Risks

Recently, HIPAA reported one of the largest ever security breaches in the healthcare industry: namely, the theft of over 400,000 individuals’ protected health information (PHI) from a Texas healthcare system. The breach, which occurred in December 2013, spanned three days and resulted in the loss of social security numbers, addresses and birth dates for employees as well as patients, along with more detailed medical information. How can such an attack impact the affected parties, and what can be done to prevent future vulnerabilities of a similar nature?

Information and Identity Theft

The access to personal records like dates of birth and social security numbers gathered with the initial data theft is really only the first stage for hackers. This sensitive information can then be leveraged into accessing accounts that have additional levels of protection in place. For example, many online bank accounts and credit card accounts require a two-step verification process that begins with a user name and password, and then adds another qualifying factor such as a PIN or answer to a secret question.

After hackers are armed with medical records and employee information, it’s much easier to decipher passwords, PINs and other verification methods. For example, many people may use their birth year or anniversary date as their PIN, or as part of their password. Additionally, information like full legal name plus social security number can allow the hacker to open lines of credit in the victim’s name, file fraudulent tax returns in order to gain access to refund money and other forms of identity theft. The original hackers may perform these operations themselves, or may opt to sell the stolen information to the highest bidder for use by other cybercriminals.

Adding Protection

While user education—on issues like how to generate more secure passwords and practice other sensible precautions online—is an important step in limiting personal loss even if a breach of this type occurs, the impacted organizations themselves can provide a better first line of defense as well. For example, data encryption would help to prevent data exposure, as would the implementation of a monitoring plan that would identify and analyze potential breach points. Regular scans and analysis would help IT security personnel recognize a potential breach on the network much sooner, allowing more time for preventative measures to be taken.

There’s never just one finger with which to point blame on the occasion of this or any other successful hack. Instead of looking around for who may or may not be guilty, energies are far better spent on ensuring that a more secure infrastructure is put into place that will better protect organizations and individuals against cyber-attacks in the future.