Equipment

Thursday, April 03, 2008

Top Five Data Security Risks For Healthcare Organizations

ComplianceHome reported the results of a study by Absolute Software Corporation, a provider of computer theft recovery, data protection, and hardware tracking solutions. Absolute identified the five computer security risks health care facilities most often encounter that produce data breaches.

If you are a new I've Been Mugged reader, a data breach occurs when a person accesses personal data they are not authorized to access. Data breaches lead to identity theft and identity fraud. According to the article:

"Identity theft as a result of stolen or misplaced computers that contain sensitive information is an escalating problem. According to privacyrights.org, there were at least 46 US data breaches involving 62 stolen or lost computers at healthcare facilities in 2007, resulting in almost five million compromised identities."

That means that in 2007 alone, health care facilities (e.g., hospitals, health clinics, etc.) exposed the personal data of about five million people (e.g., patients, employees, former employees, contractors, etc.), making it easy for criminals to commit identity fraud. Absolute found these five computer security risks:

  1. "Failure to Protect Sensitive Data Beyond Encryption: According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must encrypt electronic protected health information (EPHI) stored on open networks such as laptops... lost or stolen mobile computers cited as the cause of nearly 50% of data breaches..."
  2. "Inability to Accurately Manage Mobile Computer Assets: In order to achieve HIPAA compliance, healthcare organizations must be able to audit how many computers they have in their inventory, where they are assigned, who is logging into them, what software is installed and where the computer is physically located. However, recent studies show that most organizations are able to locate only 60% of their mobile computer assets."
  3. "Sensitive Information on Public Terminals: Many healthcare facilities allow public information to be accessed on open-air terminals, such as nursing stations, public information terminals and help stations."
  4. "Difficulty Implementing a Comprehensive Data Security Plan: Healthcare facilities need to institute a comprehensive data security plan to secure computing assets and sensitive information. Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords."
  5. "Reluctance to Create a Data Breach Policy: Few healthcare facilities have 'nightmare scenario' policies in place should a data breach occur. In the event of a data breach, there should be a standard procedure in place for timely notification of supervisors, law enforcement, patients and the media."

If I had to sum up this situation, it seems that too many health care facilities are in denial about protecting the sensitive data they archive, including tracking who has what equipment and having a process to resolve things when a data breach happens. What a pathetic state of security! Something to keep in mind the next time you visit a hospital as a patient or as a job applicant.

Wednesday, March 19, 2008

A Free And Easy Way To Test The Security Of Your Wireless Home Network

At the ZDNet SOHO Networking blog (Small Office Home Office), Rik Fairlie provided a really good tip for consumers to check the security of their home wireless (WiFi) network. Security is important because we all (or at least many of us) do online banking, access our financial accounts online, and want to protect our personal data from abuse by both spammers and identity thieves.

Rik tested his home wireless network with the Network Magic management tool by Pure Networks. Network Magic has a free diagnostic scan that provides a report on the security status of your home wireless network:

The Pure Networks Security Scan tool, which works only with Internet Explorer 6 or later, is clearly bait for Network Magic... Run the scan, and the resulting scorecard provides a summary status of network devices, the router and network, wireless security, and the computer on which you ran the scan. It advises you of the number of issues tested for each category, alerts you to any worrisome issues found... Some of the items it tests under Router and Network include whether you are running a hardware firewall, if your password is strong (and, of course, changed from the factory default), and whether your router firmware is up to date... This Computer tab tells you whether your PC contains malware that redirects Web sites, as well as whether file and printer sharing are correctly activated, what kind of software firewall (if any) you’re running, and if your antivirus software is up to date.

Sounds like a valuable tool for consumers to improve the security of their home wireless networks, and protect sensitive data.

Friday, September 28, 2007

Does Your Employer's Computer Liquidation Process Create Data Breaches?

Recently, a friend who is an IT (Information Technology) professional told me how much they enjoyed my prior post about How To Destroy a Hard Drive in 5 Seconds. We agreed that identity theft and data security are huge problems. Then, my friend shared an unsolicited story about a data security incident at my friend's company. I am not disclosing any names. The point is not where this happened, but what happened and how many other companies have the same security issues.

Pat (not my friend's real name) shared this story... Pat's employer uses a computer liquidation service to liquidate (e.g., recycle, resell, or destroy) used computer equipment that's at the end of its useful life: laptops, desktops, servers, printers, and such. The computer liquidator erases any data on hard drives and liquidates the computer equipment. Pat's employer uses a separate shipping vendor to transport the computer equipment from their offices to the computer liquidator's location. This sounds simple enough.

Anyway, a security guard in the building where Pat works pulled Pat aside one day to show Pat a used laptop the guard had acquired. Pat looked at the laptop, powered it up, and quickly noticed that the laptop was equipment from Pat's company that should have been liquidated. The laptop contained both data and software, including LAN/intranet access software. The security guard explained that a driver from the shipping company had given the guard the laptop as a gift in return for a favor.

Pat notified the IT management at Pat's employer. Management's solution to this data breach was to fire the shipping vendor and hire another vendor.

Wow!

It's stories like this one that reinforce my impression that many companies do not take data breaches seriously -- and do not do enough to protect the sensitive data they choose to archive, nor train their staff adequately.

I'm not a data security professional, but since I've started writing I've Been Mugged I've learned enough to spot several problems with how Pat's company mismanaged their data breach:

  1. There was no clear recognition that a data breach had occurred. The security guard had access to data on the laptop which the guard shouldn't have had access to -- the definition of a data breach.
  2. Pat's company did not investigate the extent of the data breach. What other computer equipment had the shipping vendor already distributed as gifts prior to this event? What sensitive data did this equipment contain?
  3. Pat's company doesn't seem to demand any security or background checks of drivers for the shipping vendor.
  4. Why wasn't the laptop retrieved from the security guard?
  5. Pat's company doesn't seem to perform any validation or checks with the computer liquidator that the manifest of computer equipment sent was actually received and data was erased.
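Item 5 is the check that would have caught this laptop before a guard did, and it is the same kind of inventory accounting the HIPAA discussion above says health care facilities must be able to do. As an added illustration for this post (not code from Pat's company or from any liquidation vendor), here is a small Python script that reconciles the manifest IT handed to the shipper against the liquidator's certificate of receipt and data destruction. The asset tags, serial numbers, dates and certificate columns are constructed for the example; real vendors use their own formats.

```python
"""Reconcile a shipped-equipment manifest against a liquidator's
certificate of receipt and data destruction.

Added example for this post; the CSV data below is constructed for
illustration and does not describe any real company or vendor.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed: what the company's IT group recorded as handed to the shipper.
SHIPPED_MANIFEST_CSV = """asset_tag,serial,type,shipped_on
A-1001,SN-7F3A,laptop,2007-09-10
A-1002,SN-7F3B,laptop,2007-09-10
A-1003,SN-9C21,desktop,2007-09-10
A-1004,SN-9C22,server,2007-09-10
"""

# Constructed: what the liquidator's certificate says it received and wiped.
LIQUIDATOR_CERT_CSV = """serial,received_on,wipe_method,wipe_verified
SN-7F3A,2007-09-12,3-pass overwrite,yes
SN-9C21,2007-09-12,3-pass overwrite,no
SN-9C22,2007-09-12,physical destruction,yes
SN-0000,2007-09-12,3-pass overwrite,yes
"""


@dataclass
class Reconciliation:
    missing: list      # shipped, never received: lost or diverted in transit
    unwiped: list      # received, but the liquidator did not verify the wipe
    unexpected: list   # received, but not on our manifest: a record-keeping gap

    def clean(self):
        """True only if every shipped serial was received and verified wiped."""
        return not (self.missing or self.unwiped or self.unexpected)


def load_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(manifest_csv, cert_csv):
    """Match serial numbers on the manifest against the certificate.

    Serial numbers, not asset tags, are the join key: a tag sticker can be
    peeled off, but the serial is stamped on the chassis and the drive.
    """
    shipped = {r["serial"].strip(): r for r in load_rows(manifest_csv)}
    received = {r["serial"].strip(): r for r in load_rows(cert_csv)}

    missing = sorted(s for s in shipped if s not in received)
    unwiped = sorted(
        s for s, r in received.items()
        if s in shipped and r["wipe_verified"].strip().lower() != "yes"
    )
    unexpected = sorted(s for s in received if s not in shipped)
    return Reconciliation(missing, unwiped, unexpected)


def overdue(manifest_csv, cert_csv, as_of_iso, max_transit_days=7):
    """Serials shipped more than max_transit_days before as_of_iso with no
    receipt on the certificate. Run daily, this flags a diverted box long
    before anyone finds the laptop by accident.
    """
    as_of = date.fromisoformat(as_of_iso)
    received = {r["serial"].strip() for r in load_rows(cert_csv)}
    late = []
    for r in load_rows(manifest_csv):
        serial = r["serial"].strip()
        shipped_on = date.fromisoformat(r["shipped_on"])
        if serial not in received and (as_of - shipped_on).days > max_transit_days:
            late.append(serial)
    return sorted(late)


if __name__ == "__main__":
    result = reconcile(SHIPPED_MANIFEST_CSV, LIQUIDATOR_CERT_CSV)
    print("shipped but never received  :", result.missing)
    print("received but wipe unverified:", result.unwiped)
    print("received but not on manifest:", result.unexpected)
    print("overdue as of 2007-09-20    :",
          overdue(SHIPPED_MANIFEST_CSV, LIQUIDATOR_CERT_CSV, "2007-09-20"))
    print("shipment closed cleanly?    :", result.clean())
```

With the constructed data, the run reports SN-7F3B (the laptop that never arrived), SN-9C21 (received but the wipe was not verified, so it cannot be released for resale) and SN-0000 (on the certificate but not on the manifest, which means either the vendor's paperwork or the company's inventory is wrong). The useful part is the follow-up: a shipment is not closed until all three lists are empty, and the overdue check fires on its own instead of waiting for a guard to walk by.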

I wonder how many companies have the same computer equipment liquidation process... data security holes, data breaches, and all. Thank God I don't work at Pat's employer.


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.
Blog powered by TypePad
