Archive for February, 2014

Default IP Address, Outdated Firmware used by majority of SOHO Wireless Routers

February 28th, 2014

Tripwire has announced the results from its analysis of security vulnerabilities in small and home office wireless routers, finding that 80 per cent have exploitable flaws in their security.

Tripwire surveyed 653 IT and security professionals and 1,009 employees who work remotely in the U.S. and U.K. The survey shows that 55 percent of IT professionals and 85 percent of employees haven’t changed the default IP address on their wireless routers.

It also found that 52 percent of IT professionals and 59 percent of employees haven’t updated the firmware on their routers, and that the admin password is still the default on the routers of 30 percent of IT professionals and 46 percent of employees.

Tripwire also found that 80 percent of Amazon.com’s top 25 best-selling small office/home office (SOHO) wireless routers have security flaws.

Tripwire security researcher Craig Young said in a statement: “Unfortunately, users don’t change the default administrator passwords or the default IPs in these devices and this behavior, along with the prevalence of authentication bypass vulnerabilities, opens the door for widespread attacks through malicious Web sites, browser plugins, and smartphone applications.” He added: “[T]hreats to routers will continue to increase as malicious actors recognize how much information can be gained by attacking these devices.”

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software. Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.


Beebe Healthcare notified 1,900 patients of a data breach through contracted employee

February 27th, 2014

The potential data breach came to light when a contracted employee did not show up for work and co-workers learned that she had previously been arrested for identity theft in Pennsylvania. Beebe Healthcare of Delaware notified 1,900 patients of the breach. The employee had worked at three Beebe offices in its network.

Beebe Healthcare hired a forensics team to investigate the possible breach; no misuse of information has been found. In a statement it explained, “Our investigation determined that during her assigned job duties, the contractor had access to patient medical records, which included patient names, dates of birth, Social Security numbers, health insurance information and clinical information.” Beebe Internal Medicine in Lewes, Beebe Family Practice in Millville, and Beebe Pulmonary Associates were the affected locations.

“Upon learning of this information, we immediately terminated the contractor’s engagement and began a thorough investigation, including hiring a national forensic expert firm. Our investigation determined that during her assigned job duties, the contractor had access to patient medical records, which included patient names, dates of birth, Social Security numbers, health insurance information and clinical information.

Based on our investigation and the work of the national forensic experts, we have no evidence that patient information was removed from Beebe or has been used inappropriately in any way. Although the staffing agency with whom we contracted performs background checks on all applicants, the report did not reflect any potential criminal activity for this individual,” Beebe further added in the statement, “We deeply regret any inconvenience this has caused our patients. To prevent this from happening in the future, we are performing our own background checks of all staffing agency employees and will no longer rely on staffing agencies to do so.”


Hacked server of St. Joseph leads to data breach affecting 405,000

February 26th, 2014

St. Joseph Health System (SJHS) in Texas reported a data breach caused by the hacking of a server. It affected more than 405,000 patients, employees, and employee beneficiaries. Hackers from China and other locations accessed information through a single server. According to the health system, the server held employee and patient data from St. Joseph Regional Health Center in Bryan, Burleson St. Joseph Center, Madison St. Joseph Health Center, Grimes St. Joseph Health Center and St. Joseph Rehabilitation Center. The server was taken offline as soon as the breach was discovered.

The server held patient names, birth dates, Social Security numbers, possibly addresses, medical information, and bank information for current and former employees. Investigators could not determine whether any information had been extracted.

“SJHS is working with the United States Federal Bureau of Investigation, which is also looking into this incident. SJHS is providing written notice of this incident to affected individuals, to the U.S. Department of Health and Human Services, as well as to certain state and international regulators,” SJHS said in a release on its website.

St. Joseph stated that there has been no report of misuse of the information, and it has set up a confidential call center for affected people. The statement on its website further added: “To further protect individuals from identity theft or financial loss, we encourage patients, employees, and their families to remain vigilant, to review their account statements, and to monitor their credit reports and explanation of benefits forms for suspicious activity.

Individuals can also check their credit by obtaining a free credit report. Under U.S. law, individuals are entitled to one free credit report every year from each of the three major credit bureaus.”

SJHS has five hospitals, two long-term care centers, more than a dozen physician clinic locations and a charitable foundation. It has a designated Accountable Care Organization.

HIMSS Privacy and Security director discusses ‘Hidden Pitfalls with Cloud, Mobile Technology and Mobile Data’ at HIMSS14

February 24th, 2014


Lee Kim will review how healthcare organizations examine vendor contracts, such as business associate agreements (BAAs) with cloud vendors, to maintain HIPAA compliance. Kim assists HIMSS with government relations, federal affairs, and state affairs, evaluating privacy and security laws and regulations.


She believes that organizations have been doing risk assessments to find holes in their information systems.

“They’re definitely going through risk assessments for their systems and I’m predicting that organizations, including providers, will be more focused on risk remediation. It’s one thing to assess risk, determining high-level vulnerabilities, but the real value you get out of a risk assessment is what you do about it and take action. Providers can do this by actually mitigating those risks both inside and outside of their organizations.”

Kim believes that there must be a strong program with processes in place. She noted that the health industry is unique because it is trusted with patient information and can affect patients’ lives.

“Ensuring the patient information is both private as well as secure is certainly paramount. Not only do organizations need to comply with HIPAA, they need to have a holistic approach to keeping bad actors away from patient data. Unfortunately, these bad actors can be inside or outside an organization. Or it may even be an individual who doesn’t have bad intent but is exceeding the scope of their authorized access and causes a breach out of negligence.”

Kim also stated that many organizations use the cloud without being fully aware of it.

“In terms of where we’re going with information technology, it just seems as though there’s more of a dependence on cloud-based solutions. For example, a provider may contract with a cloud provider or use a hosted EHR solution. More health IT stakeholders are seeking these outsourced solutions such as cloud.”

Two Men Jailed for Identity Theft

February 22nd, 2014

Angelo Ponds, 32, of Miami Gardens, Fla., and Sean Guillaume, 31, of Miramar, Fla., were sentenced to prison for their involvement in identity theft at a medical lab. The incident was part of a stolen identity tax refund (SIRF) scheme. Ponds was sentenced to 48 months in prison and Guillaume to 94 months, both to be followed by three years of supervised release.

Guillaume stole medical records containing names, dates of birth, and Social Security numbers, and sold the data of 5,000 individuals to Ponds. He worked for an unidentified medical laboratory testing company. He knew that Ponds would use the PII to file fraudulent tax returns seeking refunds.

According to court documents, Guillaume worked for a company that performed medical laboratory tests where he had access to medical records with names, dates of birth, and Social Security numbers (personal identity information or “PII”) of individuals in the course of his employment with that company.

According to Justice Department records, Ponds used other people’s records to file fake tax returns with the Internal Revenue Service seeking refunds.

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Get your personal as well as office laptops encrypted by Alertsec


Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.


Hospitals focus on IT security audits

February 20th, 2014

Once a healthcare organization has decided on a security audit strategy, it still has to consider factors such as the impact on daily workflow and the time that elapses between catching an abnormality and resolving the issue. Mark Combs, Chief Information Security Officer (CISO) of West Virginia University Hospitals, described the steps his organization takes to find internal security threats.

Combs said that audit reports can stop a larger breach. He cited a situation in Florida where a healthcare organization was alerted by federal investigators that one of its employees was filing false tax claims.

“Obviously, we’ve found instances where employees were doing inappropriate things, but we were able to catch them soon enough so that they didn’t grow into one of those larger issues,” Combs said. “Luckily, we haven’t had one yet where federal authorities alert us of an incident.” He added that organizations set their policies as best practices, but they need applications in place to enforce those policies.

Combs and West Virginia University Hospitals decided to use Iatric Systems’ Security Audit Manager (SAM) product. Rob Rhodes, Senior Director of Patient Privacy Solutions for Iatric Systems, said the integration works well because SAM reaches out to any of the organization’s systems that hold PHI, pulls their audit logs and aggregates them in SAM.

“Once it’s aggregated in SAM, we then run proactive reports and alerts,” he said. “Users can set those up so the algorithms we have go out and look for potential privacy violations. SAM has incident tracking as well.”

West Virginia recently introduced a policy change when it switched from a legacy system to Epic EHR. Combs explained:

“We did that to comply with the HIPAA Security Rule, as we were concerned that people would use their access to look at and potentially harm the integrity of their own record if they made a mistake. We put ‘same last name’ auditing in place, which is a report that’s native to SAM. Not only were we able to use that in Epic, but for our other half-dozen or so systems as well. As we contacted managers telling them they weren’t complying with the policy, we saw a huge reduction in people looking at their own accounts through work access.”
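As an added illustration of the aggregate-then-report workflow described above (this is not Iatric Systems’ SAM code or West Virginia University Hospitals’ configuration), the following script normalises audit exports from two systems into one record set and runs a “same last name” report and a self-access report over them. The system names, log formats, staff roster and log lines are all constructed for this example.

```python
"""Aggregate PHI-access audit logs from several systems, then run a
"same last name" report and a self-access report over the combined set.
Every system, log format, roster entry and log line below is constructed
for illustration; none of it is real hospital or vendor data."""
import csv
import io
from collections import namedtuple

Access = namedtuple("Access", "system user patient_mrn patient_last when")

# Constructed staff roster: user id -> (employee last name, own MRN if also a patient)
STAFF = {
    "jsmith":  ("Smith", "MRN1001"),
    "mgarcia": ("Garcia", None),
    "rlee":    ("Lee", "MRN1003"),
}

# Constructed export from a hypothetical EHR: CSV with a header row
EHR_LOG = """timestamp,user,mrn,patient_last,action
2014-02-18T08:02:11,jsmith,MRN1001,Smith,VIEW_CHART
2014-02-18T08:05:40,mgarcia,MRN2002,Jones,VIEW_CHART
2014-02-18T09:14:03,rlee,MRN2010,Lee,VIEW_RESULTS
"""

# Constructed export from a hypothetical billing system: pipe-delimited, no header
BILLING_LOG = """2014-02-18 10:30:00|mgarcia|MRN2002|Jones|PRINT_STATEMENT
2014-02-18 10:31:12|jsmith|MRN1005|Smith|VIEW_STATEMENT
2014-02-18 10:45:55|rlee|MRN1003|Lee|VIEW_STATEMENT
"""


def parse_ehr(text):
    """Normalise the EHR's CSV export into Access records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Access("ehr", r["user"], r["mrn"], r["patient_last"], r["timestamp"])
            for r in rows]


def parse_billing(text):
    """Normalise the billing system's pipe-delimited export into Access records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, mrn, last, _action = line.split("|")
        out.append(Access("billing", user, mrn, last, when))
    return out


def aggregate(*sources):
    """Combine every system's export into one list, the way a central audit
    manager does before running reports across all PHI systems at once."""
    records = []
    for parse, text in sources:
        records.extend(parse(text))
    return records


def same_last_name_report(records, staff=STAFF):
    """Flag accesses where the employee's last name matches the patient's
    (case-insensitive). A match is a lead for a manager to review, not proof
    of a violation: it catches both self-access and family-member lookups."""
    hits = []
    for a in records:
        staff_last, _own_mrn = staff.get(a.user, (None, None))
        if staff_last and staff_last.casefold() == a.patient_last.casefold():
            hits.append(a)
    return hits


def self_access_report(records, staff=STAFF):
    """Flag employees opening their own record through their work access,
    the specific policy concern behind the 'same last name' audit."""
    return [a for a in records
            if staff.get(a.user, (None, None))[1] == a.patient_mrn]


if __name__ == "__main__":
    recs = aggregate((parse_ehr, EHR_LOG), (parse_billing, BILLING_LOG))
    for a in same_last_name_report(recs):
        print("SAME-LAST-NAME", a.system, a.when, a.user, a.patient_mrn)
    for a in self_access_report(recs):
        print("SELF-ACCESS", a.system, a.when, a.user, a.patient_mrn)
```

On the constructed data the same-last-name report returns four leads, of which two are confirmed self-access and two are possible family-member lookups that a manager would follow up on.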

Alongside audit reports, encryption software for laptops is essential. Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.


Complaint filed against St. Rose Dominican Hospitals

February 18th, 2014

An Office for Civil Rights (OCR) complaint has been filed against St. Rose Dominican Hospitals for allegedly compromising patient records to gain advantage in a contract dispute. Dignity Health, which owns St. Rose Dominican Hospitals, is dealing with the complaint, which alleges a violation of patient privacy through the use of records for leverage.

According to an announcement by the Nevada Health Services Coalition, Dignity Health used patient records to contact Coalition plan members after agreements between the two organizations fell through. The Coalition considers this a violation of the Health Insurance Portability and Accountability Act, or HIPAA. The complaint was filed with the U.S. Department of Health and Human Services Office for Civil Rights. The Nevada Health Services Coalition, a nonprofit, helps negotiate discounted hospital contract rates for 19 member healthcare organizations covering 230,000 Nevada residents.

Christine Carafelli, executive director of the coalition, said, “It’s our position that patient data collected in the course of medical treatment should not be used to lobby or gain leverage in contract negotiations.”

After the complaint, Dignity Health released a statement:

“St. Rose Dominican Hospitals upholds the highest ethical and moral principles, and honors federal, state and other regulatory guidelines related to the provision of health care. St. Rose has not, and will not, compromise patient safety or confidentiality. Like all hospitals, St. Rose values the patients it has served and regularly communicates with current and former patients regarding operational, financial or other matters related to health care services at St. Rose.”

To protect data that may become contested in a dispute, it is better to safeguard company laptops with encryption software. Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization. Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.


1,100 patients of St. Vincent Hospital notified about laptop theft

February 15th, 2014

St. Vincent Hospital has notified 1,100 patients by letter of a laptop theft. The password-protected laptop was connected to an EEG machine (which records electrical activity in the brain) used for diagnostic testing; it was detached and stolen, leading to a potential data breach. Police were notified immediately after the incident. The hospital believes the laptop was not stolen for the information it contained, so the risk from the breach may be low.

A St. Vincent spokesperson said the laptop was taken from the neurodiagnostic department of the main St. Vincent Hospital campus in Indianapolis, a unit where doctors, patients and family members of patients can usually be found.

In a statement, the hospital said the laptop contained patients’ protected health information (PHI), including name, date of birth, gender, date of service, type of service and physician name. The diagnostic testing device did not contain Social Security numbers or financial data. Affected patients were advised to request free credit reports from Experian, Equifax, or TransUnion and to check them for signs of fraud.

According to the spokesperson, “St. Vincent is taking precautionary steps to avoid future incidents, and is evaluating its medical devices, and installing encryption protection software as appropriate. Also, the hospital is working to enhance its physical security measures.”


Notification letter sent to 3,026 clients of Easter Seal Society

February 13th, 2014


An Easter Seal Society employee’s work laptop was stolen, along with a few other belongings, causing a data breach affecting nearly 3,026 clients, all of whom were notified of the incident.

The Easter Seal Society of Superior California said in a report that the laptop held some combination of date of birth, health care provider information, patient identification number, health care billing information and therapy notes, so the data compromised was not the same for every client. Easter Seal Society of Superior California president and CEO Gary T. Kasai said in the notification letter, “Upon learning of this incident, Easter Seals immediately launched an internal investigation, hired specialized data security counsel to assist in the response to this incident, and retained external forensics experts to assist in determining the scope of this event.”

“Following this incident we undertook a review of our internal policies and procedures related to protected health information, as well as the enforcement of our employees’ adherence to these policies and procedures,” Kasai added in the statement. “All necessary steps are being taken to ensure that this type of event does not occur again in the future.”

Easter Seals does not believe any fraudulent activity has occurred so far. Its press release added, “Easter Seals also encourages all concerned individuals to remain vigilant, to review account statements, and to monitor credit reports for suspicious activity.” It did not say whether the laptop was encrypted or even password-protected.

Easter Seals is not a healthcare provider but an organization dedicated to services and education for people with disabilities. It is likely considered a HIPAA business associate.


University of Miami Health System patients notified about lost records

February 10th, 2014


The University of Miami Health System (UHealth), one of South Florida’s largest health providers, has lost patient records containing protected health information (PHI) and has recently begun notifying the affected patients.

The lost records contained patient names, dates of birth, physician’s name, insurance company name, medical record number, facility visited, visit number, procedures, diagnostic codes, and Social Security numbers. UHealth did not disclose the number of patients affected.

“Medical records are not at risk, but in an abundance of caution, the University is notifying all individuals whose information was included in the missing records,” a written statement by the Health System said.

In July, the Department of Otolaryngology contacted its off-site storage vendor to locate the records, but the vendor was unable to find them. After confirming the loss, UHealth notified patients. It is offering credit monitoring services to all affected patients. It added that, with patients notified six months after the incident, misuse in the coming days is considered unlikely.

Theo Karantsalis, whose son was treated by the department said, “The one thing we expect is that your patient records are going to be kept confidential.”

According to UHealth’s statement, it will report the incident to HHS. The full text of the statement follows:

“The University of Miami Health System (UHealth) is committed to providing our patients the best possible care and to protecting the confidentiality of our patients’ health information. On June 27, 2013, the Department of Otolaryngology, while attempting to retrieve records stored at an offsite storage vendor, was notified that the vendor was unable to locate the records. After an exhaustive search, it was confirmed on August 28, 2013, that the records were not in the possession of the University or the storage vendor.

Everything we’re giving out is on the release

These records consisted of billing vouchers (documents used for internal billing purposes). Vouchers contain the name, date of birth, social security numbers, physician name, facility, insurance company name, medical record number, visit number, procedure and diagnosis codes for the patient’s visit. Vouchers are documents used for internal billing purposes ONLY. Medical records are not at risk.

At this time, there is no indication that the information has been misused in any way.

In an abundance of caution, the University is notifying all individuals whose information was included in the missing records. The University also is offering potentially affected patients complimentary credit monitoring protection and has established a website to serve as a primary source of information, as well as a toll-free number for additional questions.

Only patients who were seen at the Department of Otolaryngology may potentially be affected by the incident. Potentially affected patients will receive a notification letter.

University computer systems are completely unaffected by this incident. All patient information remains current and available on these systems.

At the University of Miami Health System, we take the privacy and security of our patients’ information very seriously. We continue to review and refine our physical and electronic safeguards to enhance protection of all patient data. We are committed to protecting all information entrusted to us, and pursuant to the Federal HITECH Breach Notification Rule, we will report this incident to the U.S. Department of Health and Human Services.

Available around the clock, the University’s incident website is http://entincident.med.miami.edu. The toll-free incident line, 866-274-4371, is available from 9 a.m. to 9 p.m. EST Monday through Friday and from 11 a.m. to 8 p.m. EST Saturday and Sunday until April 30, 2014.”
