Archive for November, 2015

Lahey Hospital Agrees to HIPAA Settlement

November 27th, 2015

Lahey Clinic Hospital, Inc. (Lahey) agreed to an OCR HIPAA settlement resulting from an incident in which an unencrypted laptop was stolen, potentially compromising the PHI of 599 individuals. The settlement costs Lahey $850,000, and the hospital must also enter into a Corrective Action Plan (CAP), which includes “a comprehensive, organization-wide risk analysis of the security risks and vulnerabilities to the ePHI created, received, maintained or transmitted by Lahey.”

The device was taken from an unlocked treatment room “off of the inner corridor” in the hospital’s radiology department. The OCR investigation found that Lahey failed to implement the necessary physical safeguards for a workstation that houses ePHI, and that it “failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI as part of its security management process.”

OCR also noted the following findings from its investigation and requirements under the CAP:

  • With respect to the workstation, Lahey failed to implement policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of its facility, and the movement of these items within its facility.
  • Lahey failed to assign a unique user name for identifying and tracking user identity with respect to the aforementioned workstation.
  • Lahey did not implement a mechanism to record and examine activity on the workstation at issue in this breach.
  • Lahey impermissibly disclosed the ePHI of 599 individuals for a purpose not permitted by the Privacy Rule.
  • Lahey must also provide proper training to workforce members who access ePHI, ensuring that they are aware of all policies and procedures in place to keep it safe.
  • Lahey must also keep a record of the “receipt, removal, and disposition of hardware and electronic media that maintain ePHI into and out of” the hospital, as well as their movements within the facility.
  • Lahey should develop a risk management plan to address and mitigate any security risks and vulnerabilities identified by the risk analysis. The risk analysis report must be sent to HHS within 270 days of Lahey being asked to send it, OCR writes.

“Upon receiving HHS’s notice of required revisions, if any, Lahey shall have ninety (90) days to revise the risk analysis and risk management plan accordingly and forward to HHS for review and approval,” the settlement reads.

Alertsec strengthens security

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using the industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Faxing Error and Data Breach

November 24th, 2015

Quest Diagnostics suffered a data breach caused by an incorrectly entered fax number. The incident has resulted in a class-action lawsuit over the fax-related healthcare data breach.

According to the reports, several hundred health files were allegedly sent to a New York-based marketing firm rather than to Quest over approximately one year. Human error caused the breach: individuals at several providers entered Quest’s fax number incorrectly, inadvertently sending the medical files to the marketing firm APS Marketing Group.

This healthcare data breach came to light when a representative from APS Marketing Group, Gabby Klotzman, reported it to the I-Team at NBC News. Affected information included patient names, phone numbers, dates of birth, and in some cases, Social Security numbers.

Klotzman reportedly contacted Quest Diagnostics immediately, to which the healthcare company explained it would remedy the issue and contact potentially affected individuals.

However, the faxes allegedly continued to come, prompting Klotzman to contact the Department of Health and Human Services (HHS), but to no avail.

After several months of receiving these medical files via fax, Klotzman contacted NBC’s I-Team, who contacted a handful of the individuals whose medical records had been compromised.

Upon those follow-ups, Quest explained that it did not know the magnitude of the health data breach. According to Quest, it has added a revised fax number to account for any practices that may have entered the original number incorrectly.

Newman Ferrara LLP announced a class-action lawsuit against Quest due to its reportedly inadequate handling of the situation.

“That Quest was on notice of this massive data breach for perhaps a year or more, and yet failed to take any responsible or required action, amounts to an egregious dereliction of duty,” stated firm partner Jeffrey Norton in the press release. “Through this lawsuit, we intend to make sure something like this does not occur again.”

The plaintiffs allege that Quest did not take adequate action to prevent the health data breach.

“Although Quest was alerted early on to the breach, the company did nothing to prevent the continued transmissions, failed to alert medical providers and patients, and failed to report the breach to authorities. As a result, the personal and sensitive medical information of hundreds of patients was disclosed to unauthorized third parties, putting their security and privacy at great risk,” the press release explains.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Starwood Hotels & Resorts cyber attack

November 20th, 2015

Starwood Hotels & Resorts suffered a data breach in which an undisclosed amount of customer payment card data may have been accessed. The incident occurred when point-of-sale systems at 54 of its hotels in North America were infected with malware.

“Promptly after discovering the issue, Starwood engaged third-party forensic experts to conduct an extensive investigation to determine the facts,” the company said in a statement. “Based on the investigation, malware was detected that affected certain restaurants, gift shops and other point of sale systems at the relevant Starwood properties.”

“The affected hotels have taken steps to secure customer payment card information and the malware no longer presents a threat to customers using payment cards at Starwood hotels,” the company added.

Affected data collected by the malware includes cardholder names, payment card numbers, security codes and expiration dates.

“Quickly after we became aware of the possible issue, we took prompt action to determine the facts,” Sergio Rivera, Starwood President, The Americas, said in a statement. “We have been working closely with law enforcement authorities and have been coordinating our efforts with the payment card organizations. We want to assure our customers that we have implemented additional security measures to help prevent this type of crime from reoccurring.”

According to the reports, all those affected are being offered one year of free access to identity protection and credit monitoring services from AllClear ID.

Android vs iPhone Security

November 18th, 2015

Apple/iOS

“Pros of Apple’s iOS include the fact that it is proprietary, closed-source and more secure ‘by default’ with a single user per device,” said Jason Van Zanten, information security lead at JAMF Software. “The Apple App Store is tightly controlled, and the global partnership between Apple and IBM (IBM MobileFirst for iOS) empowers enterprise users.”

Van Zanten also noted that the Apple Push Notification service (APNs) for mobile device management, configuration profiles carrying device settings, app distribution, and remote management commands (lock, wipe, etc.) all contribute to security.

But some are cautious about this approach.

“While Apple’s approach is often seen as stronger in terms of security by providing a managed and controlled transaction environment, no system can truly be 100 percent fixed and closed off,” said Sam Rehman, chief technology officer for Arxan Technologies. “At times this could provide a false sense of security which emphasizes risks of certain weaknesses.”

“The Apple ecosystem has a lot to offer its users – except for the reality that there is no possibility of a truly secure brand or data control in any meaningful way,” agreed Andrew McLennan, vice president of the mobile security division of INSIDE Secure. “The phone user is entirely in the hands of Apple and if there is a major breach it could be catastrophic.”

Android: a Popular Target

“Android offers much more freedom and control, and it is easily possible to get hardware-like security protection using software fixes with native languages such as C++,” McLennan said. “With the Android platform, you can control your own security destiny, particularly if using a mobile solution that also deals with device fragmentation.”

While this makes Android “generally a much better place to be than with the Apple platform,” he said, this is not true if Java is employed for sensitive code. “Java is completely useless for code that needs security, as it takes mere minutes to influence or subvert this code.”

James Quin, CDM Media senior director of content and c-suite communities, said studies show that as much as 97 percent of all mobile malware targets Android while iOS “suffers from functionally none.”

Android’s ubiquity accounts for much of its popularity with hackers, he said. “When malicious code writers sit down to develop threats, they’re going to do so in the manner that gives them the most attack surface, and that always comes from attacking the most populous platform.”

Hospital suffers data breach

November 16th, 2015

OH Muhlenberg, LLC recently suffered a keystroke logger cyberattack, which led to a health data breach. Affected information includes patient names, addresses, telephone numbers, dates of birth, Social Security numbers, driver’s license/state identification numbers, health plan information, financial account numbers, payment card information, and employment information.

After being notified by the FBI, the hospital conducted a large-scale investigation. OH Muhlenberg found that malicious software, a keystroke logger, had been installed on several of the hospital’s computers.

The health data breach also affected hospital employees and contractors, including providers who worked at OH Muhlenberg. Exposed information for them includes credentialing information, Drug Enforcement Administration numbers, National Provider Identifiers, and state license numbers.

According to the hospital, it is not possible to know which patients have been affected by this security breach.

“Unfortunately, we cannot determine the type of information that may have been accessed during the incident because it is impossible to determine exactly what information was inputted into the infected computers,” OH Muhlenberg wrote in a frequently asked questions document regarding the breach.

OH Muhlenberg expressed regret for the situation, and its statement also reiterated its commitment to protecting sensitive patient information.

“The Hospital is committed to maintaining the privacy of its patients, employees, and providers, and takes precautions for the security of personal and medical information,” said the hospital’s director of privacy and security DeAnn Tucker, RHIA, CHPS, CCS. “We sincerely regret any inconvenience this incident presents to you.”

Health Care CyberSecurity

November 14th, 2015

The Institute for Critical Infrastructure Technology (ICIT) Co-founder and Senior Fellow Parham Eftekhari spoke with HealthITSecurity about cybersecurity awareness.

According to Eftekhari, it’s currently imperative for organizations to understand that they’ll never be able to prevent breaches from happening.

“The best way to protect their organization is to focus on detect and response strategies, and create as many roadblocks and obstacles as possible so network administrators can quickly identify unauthorized access or suspicious activity on the network,” he explained. “[It will] slow down the attacker’s ability to successfully exfiltrate data and really give the network administrator time to stop the attack.”

According to Eftekhari, behavior analytics, dual-factor authentication, and encryption are critical pieces when it comes to creating a virtual “tar pit” environment within the network to slow down the attacker.

The other key takeaway for Cybersecurity Awareness is the human factor, he explained.

“[ICIT] acts as an educator for the legislative community, federal agencies and critical infrastructure sector stakeholders because they need access to cutting edge research and knowledge of cyber trends,” Eftekhari said. “In that same context, we also need to guide our children and our families, and of course consumers and employees, in cybersecurity best practices without being Orwellian about it. That’s how we’re going to become a more cyber-conscious nation and ultimately improve security.”

Montana Williams, Senior Manager of Cybersecurity Practices at ISACA, said it is important that everybody in an organization understands their role in increasing the resiliency of that organization.

“Cybersecurity has evolved slowly because technology has outpaced the security aspect of cybersecurity,” Williams stated. “So it has struggled to keep up with the newest technical advances. The security aspect has struggled to keep up with the threat vectors, and then also it has struggled from an awareness perspective because I believe people are still very naive about the threat of cybersecurity.”

Employee training as a whole is the most critical thing for organizations, according to Williams.

“The technologies exist out there that can do a great job against a threat, but that training component doesn’t exist because the professionals who are managing those technologies don’t know how to integrate them the most effective way on their enterprises against that threat that’s out there,” Williams said.

Email and health data breach

November 12th, 2015

The University of Cincinnati Medical Center suffered a data breach that potentially compromised the PHI of 1,064 individuals. The medical center has experienced nine such incidents in the past, in which private patient information was emailed to the wrong email addresses.

Affected information includes patient names, dates of birth, medical record numbers, dates of service, physician names, and diagnosis information. UC Health did not report the disclosure of any Social Security numbers or other private financial information; financial and billing information was not compromised. UC Health has no reason to believe that the information has been misused.

The incident happened when emails intended for employees within the hospital network were inadvertently sent to someone potentially outside the hospital system.

“UC Health takes very seriously our role of safeguarding the personal information of our patients and using it in an appropriate manner and we apologize for any concern or inconvenience this situation may cause,” the hospital said in a statement.

Notification letters have also been sent to all potentially affected individuals. UC officials encourage potentially affected individuals to place a fraud alert on their credit cards and to enlist the services of a credit monitoring agency. UC Health has also created a block on any future emails sent to the affected domain name.

Unencrypted email and data breach

November 10th, 2015

An unencrypted email resulted in a potential health data breach affecting over 500 patients in North Carolina. This is the second time the North Carolina Department of Health and Human Services (DHHS) has experienced a health data breach caused by an unencrypted email. As reported earlier, the incident involved the health data of 524 state Medicaid patients.

DHHS said that the email that compromised the information was sent to the correct recipient but was unencrypted, which is against policy. Affected information on Medicaid patients includes patient names, addresses, Medicaid recipient ID numbers, gender, ethnicity, race, insurance information, provider names, Social Security numbers, and dates of birth.

DHHS plans to overhaul its email encryption process by updating its email software. The updated software will block any email containing patient information from being sent until the information has been encrypted, which DHHS believes eliminates the risk of human error.
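The two controls described in these posts, DHHS’s hold on any email containing patient information until it is encrypted and UC Health’s block on mail to the domain that previously received misdirected messages, can be combined into a single outbound mail check. The following is an added example written for this page, not software from either agency, from Alertsec or from any mail product; the domain names, PHI patterns and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed policy values for this demonstration only (assumptions, not any agency's real config).
INTERNAL_DOMAINS = {"hospital.example"}       # mail staying here never leaves the hospital system
BLOCKED_DOMAINS = {"typo-domain.example"}     # domain that previously received misdirected mail

# Simple patterns for the kinds of identifiers listed in the breach reports above.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "medicaid_id": re.compile(r"\bMedicaid\s*(?:recipient\s*)?ID\s*#?\s*[:=]?\s*[A-Z0-9]{6,12}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,10}\b", re.I),
}


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    encrypted: bool = False   # True once the mail gateway has applied message encryption


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    phi_hits: dict = field(default_factory=dict)


def find_phi(text):
    """Return {pattern_name: match_count} for every PHI pattern found in text."""
    hits = {}
    for name, pattern in PHI_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def check_outbound(mail):
    """Apply both controls: block misdirected domains, and hold unencrypted PHI."""
    reasons = []
    for rcpt in mail.recipients:
        domain = domain_of(rcpt)
        if domain in BLOCKED_DOMAINS:
            reasons.append(f"recipient domain {domain} is blocked after a misdirected-email incident")
    hits = find_phi(mail.subject + "\n" + mail.body)
    if hits and not mail.encrypted:
        reasons.append("patient information detected (%s) but message is not encrypted"
                       % ", ".join(sorted(hits)))
    return Decision(allowed=not reasons, reasons=reasons, phi_hits=hits)


# Constructed sample messages (fictional people and identifiers).
PHI_BODY = "Patient: Jane Doe\nDOB: 04/12/1971\nSSN 000-12-3456\nMedicaid ID: NC0000123\n"
UNENCRYPTED_PHI = OutboundMail("claims@hospital.example", ["billing@hospital.example"],
                               "Medicaid claim follow-up", PHI_BODY, encrypted=False)
ENCRYPTED_PHI = OutboundMail("claims@hospital.example", ["billing@hospital.example"],
                             "Medicaid claim follow-up", PHI_BODY, encrypted=True)
MISDIRECTED = OutboundMail("hr@hospital.example", ["j.smith@typo-domain.example"],
                           "Schedule", "Reminder: staff meeting at 9.", encrypted=True)
PLAIN_INTERNAL = OutboundMail("hr@hospital.example", ["all-staff@hospital.example"],
                              "Menu", "Cafeteria menu attached.", encrypted=False)


if __name__ == "__main__":
    for label, mail in [("unencrypted PHI", UNENCRYPTED_PHI), ("encrypted PHI", ENCRYPTED_PHI),
                        ("misdirected", MISDIRECTED), ("plain internal", PLAIN_INTERNAL)]:
        d = check_outbound(mail)
        print(f"{label:15s} allowed={d.allowed} hits={d.phi_hits} reasons={d.reasons}")
```

Pattern matching of this kind catches the obvious identifiers; it does not replace encrypting all mail that leaves a regulated system by default, and a real deployment would also log every held message for review.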

“We take very seriously our responsibility to secure the personal information entrusted to us,” said Dave Richard, DHHS deputy secretary in charge of Medicaid. “This technology adds a safety net and a layer of protection that goes beyond the human element. This is an important, necessary addition to our workflow.”

DHHS also suffered health data security issues back in 2014. DHHS officials believed that it was the agency’s responsibility to protect patient information.

“I deeply apologize for the impact that this has caused to the citizens of the state,” DHHS secretary Aldona Wos explained at the time. “First and foremost, I firmly believe as secretary, that it is my obligation to ensure that the children and families we serve receive their health care in a protected and secure environment.”

Retaliatory agenda leads to data breach

November 8th, 2015

An employee’s retaliatory agenda led to theft at Children’s Medical Clinics in Texas. According to the report, an employee took paper patient records from the healthcare facility. The employee also used his credentials to log into electronic patient records, took screenshots of the records, and sent them to another former clinic employee.

The clinic says there is no reason to believe the former employee planned to use the patient records to harm patients; rather, he sought to damage the clinic’s reputation.

Affected information includes patient names, dates of birth, diagnostic information, and treatment information. The notification letter did not indicate that Social Security numbers or other billing information were disclosed.

The clinic has not offered credit monitoring services to potentially affected individuals, but has advised its patients to monitor their credit and register for a fraud alert. It also provided a free hotline and online portal that potentially affected individuals may use if they have any questions or concerns.

Children’s Medical Clinics expressed regret.

“Children’s Medical Clinics of East Texas prides itself on its dedication to not only high quality medical care for your children, but also with federal and state compliance with the security and privacy of your medical records,” they wrote. “Children’s Medical Clinics of East Texas sincerely apologizes for any inconvenience and concern this incident has caused to you.”

Two Separate Healthcare Data Breaches Expose Patients’ PHI

November 6th, 2015

A California healthcare organization suffered two separate healthcare data breaches.

First Data Breach

The incident happened when some small glass laboratory slides and paper records were disposed of in a way that did not conform to the policies of Huntington Medical Research Institutes (HMRI).

Affected information includes patient names, dates of birth, clinical information such as diagnosis, treatment, tissue sources, specimen information, specific tests ordered, and referring physician information. Some billing information may also have been included. However, Social Security numbers and financial information were not included in the slides and paper records.

“HMRI is diligently following up on this incident and taking reasonable actions to prevent similar incidents in the future,” HMRI explained in a statement on its website, adding that there is no reason for patients to take any action. Among other actions, HMRI is reinforcing the training of staff who have access to patient health information and strengthening data security.

Second Data Breach

The second healthcare data breach was reported after a former HMRI employee potentially took some ePHI.

Affected information includes patient names, some demographic information such as date of birth, and clinical information such as diagnosis, treatment, tissue specimen source, other specimen information, and specific tests ordered. Referring physician information and some billing information were also potentially exposed.

HMRI’s statement said there is no action patients need to take, and that it once again plans to reinforce training for staff who have access to PHI and to strengthen the facility’s data security.