Archive for January, 2014

Saint Francis Hospital Patient Data Breach

January 30th, 2014

Saint Francis Hospital patient data was stolen from the car of an independent contractor physician in New Haven, Conn. The physician, Vanapalli, works in the Emergency Department at Saint Francis. The incident raises many questions about why unsecured data was in the car. Saint Francis Hospital and Medical Center notified patients about the breach more quickly than many other organizations do.

The information included patient names, dates of birth and medical record numbers. It did not contain Social Security numbers, financial information or addresses.

The incident shows why organizations need to keep electronic health records (EHRs), and the risks associated with paper copies of records. It also shows the importance of safeguards such as encryption of laptops and desktops and policy enforcement for better security.

Saint Francis said it has implemented internal information safeguards. Credit monitoring will be provided to the 858 patients for two years. The hospital said it plans to improve physical safeguards; one of the steps is preventing physicians, especially contracted ones, from possessing and transporting physical records. Incidents like this show that EHR systems do have certain privacy and security benefits.

Saint Francis said the breach was a violation of policy. It said it has not received any information related to misuse of the data. John Rodis, M.D., executive vice president and chief operating officer and chief physician executive, said, “Our goal has always been to help ensure adequate safeguards are in place to protect our patients’ confidentiality. Education of our staff has already been completed and we are evaluating other opportunities to strengthen our compliance program.”

Alertsec strengthens security

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.


Healthcare compliance improving according to DataMotion security survey

January 28th, 2014

DataMotion conducted its second annual survey on corporate email and file transfer habits. The survey gives insight into how the responding IT and business decision-makers perceive their organizations. It covers both the progress made and the ongoing issues health care providers face in securing patient data in line with procedures.

More than 400 IT and business decision-makers across the US and Canada participated in the survey. The survey was cross-industry, but special significance was given to healthcare. According to the responses from health care companies, there is a strong effort toward improving security and compliance practices, but there is still work to be done. Companies are now beginning to understand the importance of protecting private and sensitive data.

“There [have] been improvements in security and compliance since last year, and healthcare in many ways is leading the way compared to other industries, but there are still serious problems to address,” DataMotion’s Chief Technology Officer, Bob Janacek said, “52 percent of healthcare respondents said their company either doesn’t have, or they are unsure if they have, a BYOD policy. There have been many incidents of mobile devices being lost or stolen that contain protected health information, potentially resulting in a HIPAA breach, and this puts organizations at great risk. Furthermore, healthcare regulations have expanded; meaning companies not previously covered, might be now.”

The study showed above-average progress in the privacy of email and file transfers, because of the emphasis that HIPAA and the final Omnibus ruling place on policies. Some of the findings in the report:

– 90.4 percent of companies said they have security and compliance policies for transferring files electronically.

– 84.8 percent said their employees/co-workers are able to encrypt email.

– 86.4 percent said they have a policy to achieve compliance.

– 32.6 percent of healthcare respondents said co-workers do not fully understand security and compliance policies for transferring files electronically.

– 3 out of 4 healthcare respondents said employees/co-workers “routinely” or “occasionally” violate security and compliance policies.

– While 87.7 percent of healthcare companies permit the use of mobile devices for email, 40.3 percent stated there is no BYOD policy.

– 11.7 percent are unsure whether such a policy exists.

– More than 25% promoted free consumer-type file transfer services. 30.5 percent said their company does not forbid the use of these services.

Janacek said, “These survey findings give us a textured understanding that hopefully will help businesses overcome and anticipate related issues, especially in an age where security and compliance can so dramatically impact the bottom line.”

More effort is needed to achieve compliance and protect private data. Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.


Data Theft Analysis, Prevention and More

January 26th, 2014

Theft or loss of unencrypted laptops and USB drives has been one of the leading causes of data breaches over the past several months. A stolen laptop is far more likely to result in a data breach today than it was a decade ago.

“Whether or not, in a particular instance, a thief was looking for the data on the machine, the fact that there is this market in name, address, Social Security number, phone number, credit card data and so on, makes the loss of a device which has got that data on it all the more potentially damaging,” ESET senior security researcher Stephen Cobb says.

“If there’s a difference between a laptop theft today and 10 years ago, it’s that it’s probably got saleable data on it,” Cobb states. “Something that we see in talking to organizations is that a lot of people are not yet fully aware that data about people has a value in a very structured black market.”

“You can buy a 16GB thumb drive at the drugstore for $12, and you can put information on it, the loss of which would cost you a million dollars,” Cobb mentioned. “Not enough people are looking at it like that. For $80, you can buy one that’s encrypted automatically, but they look at the difference in price and they say it’s not worth it. But when you look at the million-dollar impact, it’s a different calculation.”

Another major cause of data breaches is employees neglecting policies. “Policies and procedures often lag behind the systems that they’re supposed to protect,” Cobb says. Policies have to ensure the safety of the data.

“If I were to fault anybody in the employee error side of things, it would be upper management for not realizing the importance of keeping people up to date on these things,” Cobb says. “I’m an opponent of the stupid user theory. Yes, some people do dumb things, and there will always be that element, but an employee isn’t stupid if they haven’t been told what they should and shouldn’t do. And an organization which doesn’t have checks and balances in its processes is more stupid than the employee who makes a mistake and there’s nobody around to catch it.”

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.


Potential data Breach of 6,777 patients after unencrypted desktop stolen in Albany

January 23rd, 2014

An unencrypted desktop owned by Phoebe Putney Memorial Hospital (PPMH) in Albany, Georgia was found to be missing. About 6,777 patients are vulnerable to data misuse after the incident. Patient names, dates of birth, addresses, dates of services, physician names, diagnoses, and Social Security numbers were present on the desktop. The computer was password protected.

Affected patients were seen between May 2010 and October 2013. PPMH sent notification about the incident and provided a copy online. It offered one year of credit monitoring for affected patients.

PPMH also reported the incident to the Albany Police Department, but they were not sure whether the computer had been stolen or misplaced. They stated, “We deeply regret any concerns and inconvenience this has caused our patients. We have reviewed and enhanced our security policies and procedures and have re-enforced with all staff the importance of handling patient information with care to prevent something like this from happening in the future.”

PPMH hired a computer forensics company to investigate the breach. Unencrypted computers are common in data breach stories, which puts security at high risk. Given the potential for misuse of data on unencrypted computers, strong security measures are recommended.


Records stolen from CaroMont employee’s car

January 21st, 2014

A paper census report from CaroMont Regional Medical Center containing records for 191 patients was stolen from an employee’s car in Dallas. The information was reportedly stolen from the employee’s car during a stop on the way to the office. The employee notified the Dallas Police Department about the theft.

Employees have been known to take patient information out, but certain steps must be followed to protect the information, according to CaroMont spokeswoman Dallas Paddon.

The report contained patient names, dates of birth, medical record numbers, and the reasons for the hospital visits. The census report was a single printed document. CaroMont notified the affected patients. They are advised to monitor their credit and contact Experian, TransUnion, and Equifax because of possible misuse of financial information. CaroMont didn’t mention the reason behind it.

Donnetta Horseman, CaroMont’s corporate responsibility officer, issued a statement about the theft Wednesday, “Upon learning of the unauthorized disclosure, we conducted a thorough investigation with the staff person and appropriate disciplinary actions were taken.”

According to CaroMont, the staff member has been disciplined and staff are being reeducated on patient information disclosure and CaroMont’s Notice of Privacy Practices. But it was not made clear why the employee had the report in his or her car.

The previous year, information on 1,310 CaroMont Medical Group patients was sent through an unsecured email. The email included names, addresses, phone numbers, dates of birth, dates of service, medical record numbers, diagnoses, medication, and insurance company names, as well as two patients’ Medicare numbers.

Around 80% of information theft is due to lost or stolen laptops and other storage equipment. With critical information at stake, many companies also use encrypted laptops/computers to store records that are also kept in binders. Misplaced or stolen laptops, like paper records, can cause serious security concerns. Stringent procedures should be followed to secure both records and computers.


US tops as Malware Hosting Nation

January 19th, 2014

Solutionary’s Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report for Q4 2013 states that the United States was the leading malware-hosting nation. The US hosted 44 percent of all malware, five times more than the second-leading malware-hosting nation, Germany. The latter was responsible for 9 percent of all malware in Q4 2013. The report focused predominantly on the distribution and analysis of malware. SERT used the cloud-based Solutionary ActiveGuard platform and a global threat intelligence network to get the results.

Solutionary SERT director of research Rob Kraus said in a statement, “We aren’t just talking about foreign espionage campaigns, APTs and breaches; many of these malicious activities are taking place within U.S. borders,” and continued, “Malware and, more specifically, its distributors are utilizing the technologies and services that make processes, application deployment and website creation easier.”

The report mentions that over 40 antivirus products fail to detect malware. Researchers found that the majority of malware applications are related to potentially unwanted applications (PUAs), which are installed as Microsoft Windows 32-bit portable executable (PE32) files.

SERT also noted that malicious actors are turning to the cloud for malware distribution. It found that malware distributors are widely using cloud computing, either by buying services directly or by compromising legitimate domains. They are also hiding behind reputable hosting providers like Google, GoDaddy and Amazon to avoid geographic blacklisting. This modus operandi gives distributors a cost-effective way of spreading malware by putting it online easily.

The report also provides recommendations for Internet service providers on limiting the risk of malware distribution through the sites they host and the domain names they register. Ultimately it is up to providers to take action to stop the proliferation of malware.


Stolen Laptop may lead to security breach of 12,354 Cancer Patients’ Data

January 17th, 2014

Personal information may have been exposed when a laptop was stolen from an employee’s office at New Mexico Oncology and Hematology Consultants (NMOHC). NMOHC started notifying affected customers about the data theft incident. They were advised to monitor their credit reports and financial accounts for any unauthorized activity.

Because the data of 12,354 cancer patients has been compromised, protected health information (PHI) may have been exposed. The PHI includes names, birthdates, addresses, diagnostic results or information related to treatment, and insurance information. No Social Security numbers or driver’s license numbers were on the laptop.

NMOHC was not aware of any unauthorized activity related to the stolen information, but it is instructing customers to report any such activity.

The organization said in a statement on its Web site, “While NMOHC hopes to recover the stolen computer and PHI, that may not be possible,” adding, “In an attempt to prevent further breaches of PHI, NMOHC has increased physical security safeguards as well as implementing additional security safeguards on all laptops. NMOHC is also strengthening other aspects of its internal HIPAA security program.”

With information as important as PHI being stolen, the organization is taking more action to prevent data loss.


HealthCare.gov Data Breach Notification Bill passed by the House

January 15th, 2014

House of Representatives lawmakers today approved the Health Exchange Security and Transparency Act, which would require the Department of Health and Human Services (HHS) to notify individuals within 48 hours of security breaches at state and federal health exchanges. It will be routed through HealthCare.gov.

President Obama opposed the bill, citing “unrealistic and costly paperwork requirements” and saying the bill would do nothing to fix security flaws. The Democratic Senate is likely to keep the bill from getting a vote. Regardless of the differing views, Republicans see the bill’s approval as a sign of public distrust in HealthCare.gov’s ability to keep patient data safe and secure.

The final tally was 291 to 122, as 67 Democrats chose to vote in favor of the bill. The Democrats’ votes may be related to reelection. With the passage of the bill, Republicans are continuing their policy of raising concerns about the security of the HealthCare.gov site. They have raised concerns about technical security issues due to missed security testing deadlines during the summer.

House Republicans proposed the bill to safeguard people’s interests in the event of an information breach. Under the bill, in the case of a security breach of an exchange established under section 1311 or 1321 of the Patient Protection and Affordable Care Act (42 U.S.C. 18031, 18041) which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed, the Secretary of Health and Human Services shall provide notice of such breach to each such individual within two days.

“To date, there have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information from the site,” CMS spokesman Aaron Albright said last week. Many Democrats believe that the Republicans are overblowing the security concerns for political gain.

Reps. Elijah Cummings (D-Md.), the ranking member on the House Oversight Committee, and Henry Waxman (D-Calif.), the ranking member on the House Energy and Commerce Committee, said they believe the Republicans are just using scare tactics.

According to post, Cummings said “There have been no successful security breaches of HealthCare.gov,” and continued “Nobody’s personal information has been maliciously hacked.”

The fact that 67 Democrats voted for passage of the bill may reflect political goals, but there is also a chance that some of them believe there are major security issues on HealthCare.gov.

Alongside the steps taken by the government, it is better to make sure on our own end with an encrypted laptop.


Data breach of 480 patients notified by Southwest General

January 12th, 2014

A binder went missing from Southwest General Health Center of Ohio. It contained patient names, dates of birth, medical record numbers, and clinic information related to childbirth. No financial information or Social Security numbers were present. About 480 patients were notified about the incident.

The hospital has not received any information about misuse of the missing binder. It has released a statement about its plans to prevent future incidents. The binder was used in an obstetric quality study being conducted by the hospital and the Ohio Department of Health, Office of Vital Statistics, and the Ohio Hospital Association.

Southwest General has existing policies and procedures to protect its patients’ health information. It is taking due care to maintain the privacy and security of its patients and has implemented more procedures to prevent similar incidents. It is not clear whether the hospital has notified law enforcement agencies.

Around 80% of information theft is due to lost or stolen laptops and other equipment. With critical information at stake, many companies also use encrypted laptops/computers to store records that are also kept in binders. Misplaced or stolen laptops, like a missing binder, can cause serious security concerns. Stringent procedures should be followed to secure both binders and computers.


Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.


South Carolina Insurance data stolen: Notification sent after two months

January 9th, 2014

A state-mandated health insurance program in S.C. notified customers about a laptop theft that had occurred two months earlier, according to the website GoUpstate.com. The laptop, which belonged to one of the company’s auditors and was reportedly password protected, was stolen from the individual’s car. The theft was reported to the police the next day and to the SC Health Insurance Pool.

The SC Health Insurance Pool, run by the SC Department of Insurance, had hired Columbia accounting firm DeLoach & Williamson to review its claims and payments. According to The Post and Courier, the laptop held important personal information such as patient names, dates of service, provider identification numbers, and Social Security numbers. In total, 3,432 customers who used the program in 2011 and 2012 were affected.

According to attorneys for DeLoach, the theft of personal information may have resulted from a violation of company policy, which prohibits leaving a laptop unattended in a vehicle. The pool said it does not allow employees to take customer information outside company offices.

Although the theft was known within a week, customers were not informed at the time. All the affected customers were notified of the incident by mail.

“First, we had to determine what type of information was included,” Cynthia Hutto of Nelson Mullins Riley & Scarborough said. The delay was apparently caused by the process of collecting mailing addresses and setting up free credit monitoring. The auditor is covering the cost of the monitoring for one year, and notification of this has been mailed.

In the present scenario, it is advisable to have security software that prevents major data loss. Given the possible penalties for a breach and the potential loss of customers’ trust, more stringent security measures have to be applied. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.
