Veterans Affairs: Why Not Implement Data Breach Lessons Learned?

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 26th, 2010

Dissemination vs. Implementation

The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. 

What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops.  Patient information has been sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required.   

Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminating data breaches after the fact, what if the VA actually explained and implemented lessons learned and took proactive steps towards prevention? 

I think the VA needs to ask a couple of questions:

1) Why are so many handheld devices and laptops being lost?  Are there ways we can educate our employees on best practices for protecting devices?  Are there consequences?

2) With so many devices and laptops lost each month, how do we ensure these devices are protected with encryption?  Are employees taking home sensitive information that should not be placed on personal devices?  Do employees know what information is sensitive?

3) What should be done to improve efficiencies in the mail room and prevent mailing errors with patient information?  How do we know there were only 441 errors; were these just the mistakes that were caught?

4) How can we implement ongoing awareness and educate our employees (and third-parties) on protecting sensitive information?

Breach notifications are expensive.  Credit reporting is expensive.  Replacing BlackBerrys and laptops is expensive.  Correcting errors and re-mailing information is expensive.

Prevention is a lot less expensive for Veterans Affairs and a lot less expensive for us taxpayers too… is anyone interested in implementing lessons learned?






Rite Aid – HIPAA Violation – Lessons Learned Not Implemented

Posted In Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 12th, 2010

Did everyone see this ultimate lesson regarding lessons learned but not implemented? 

Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark?  According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them.  The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years.

Now roll the clock ahead to July 2010 and another pharmacy chain – Rite Aid Corp. – has agreed to pay a $1 million fine because it violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information in dumpsters.

The HHS settlement against Rite Aid requires their pharmacies to:

  • Establish policies and procedures for disposing of protected health information and for sanctioning workers who do not follow them;
  • Create a training program for disposing of patient information;
  • Conduct internal monitoring;
  • Obtain an independent assessment of its compliance for three years.

The FTC settlement against Rite Aid requires the company to:

  • Establish a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees;
  • Obtain, every two years for the next 20 years, an audit from a qualified independent third-party professional to ensure that its security program meets the standards of the settlement.

 

For lessons learned to become lessons implemented, organizations must ensure that their program [security, privacy, compliance, risk management, etc.] is clearly defined, communicated, acknowledged by all appropriate personnel, documented, updated and maintained on an ongoing basis. 

Unfortunately most programs are just pushed out on portals, intranets and shared drives or blasted out in binders, e-mails and memorandums. 

Albert Einstein said it best:

“Insanity is doing the same thing over and over again and expecting different results.”

Are you and your organization doing the same thing over and over again and expecting different results?






Is Your Company Vulnerable to Social Engineering?

Posted In Information Privacy, Information Security, Risk Management on August 5th, 2010

Lessons learned from a recent hacking competition at Defcon revealed yet again that your employees are the biggest threat to your organization.

With just two phone calls, a hacker posing as a Louisiana-based employee handling claims involving the Gulf oil spill was able to trick a computer support employee at BP into divulging sensitive information that could have proved crucial in launching a network attack.  The employee told the caller the model of laptops BP used, the specific operating system, and the browser, anti-virus and VPN software.  The hacker also convinced the employee to visit an unknown web site, Social-Engineer.org.

Other hackers in the competition asked company employees what version of Adobe Reader the company used or who the garbage collector was that hauled their trash.  Employees seemed extra willing to help the hackers who pretended to lack specific information.  Several large corporations were targeted, including BP, Shell, Apple, Google, Microsoft, Cisco Systems, Procter & Gamble, Pepsi, Coca-Cola and Ford.  Only 3 of the 10 companies passed the test and did not provide any sensitive information.

Are your employees this gullible?  Is your company vulnerable to social engineering attacks?

By sharing real-world stories like the competition results above, you can help your employees understand risks and potential consequences of revealing sensitive information.  Managers can help employees become aware of how they can protect their jobs, their organization and your organization’s clients by preventing data breaches, information losses, lawsuits, etc.  

Hackers are continuously developing new tactics and more sophisticated strategies for retrieving information from unsuspecting employees.  Because we know hackers are getting better at social engineering, it is critical for your organization to develop better awareness training and education to keep up with changing risks, threats and more sophisticated techniques. 

Link: Companies Fail Social Engineering Contest






Supreme Court: You Can Spy on Employees if…

Posted In Information Privacy, Legal on July 2nd, 2010

Did you happen to notice the recent Supreme Court decision that ruled in favor of employers having the right to check up on employee usage of mobile devices to protect their bottom line?

These days it is fairly common for organizations to equip their employees with mobile devices and pagers.  But when employees are given a character allowance for texting and they go over the allowance, the organization is charged overage fees and this is where the ruling comes in.

In this court case, the employers were looking to get costs back in line and requested transcripts of the employee text messages to verify if the overage fees were necessary.  What the employers found were lots of personal (some highly explicit) text messages being sent on company owned devices.

After several lower court rulings, the Supreme Court ruled that because the employers suspected that people were breaking the rules and using their mobile devices and pagers for non-business communications, the employers were justified in requesting and reading the text message transcripts.

But before employers get too excited…there are multiple lessons learned in this Supreme Court ruling, and employers do not have free rein.  Employers must have clearly defined policies that spell out what employees can and cannot do on the clock and off the clock with company property.  The employer’s dos and don’ts should cover phones, laptops, etc.  Employers must also communicate the policy to all appropriate employees to make sure they understand what the dos and don’ts include.  Employers should also make sure managers and supervisors understand what steps they can and cannot take when it comes to keeping costs down; privacy rights cannot be invaded just for the sake of controlling costs.

Does your organization have the right policies in place with the right people?  Would your policies and procedures hold up in a court ruling?






Prevention is Key to Escalating Costs for Banks and Customers…

Posted In Information Privacy, Information Security, Legal, Regulatory Compliance on June 4th, 2010

Did you see this lesson learned involving a bank and their customer?  

We all know that famous quote from Benjamin Franklin – “An ounce of prevention is worth a pound of cure”…but knowing it and implementing it are two entirely different efforts.

I hope financial institution and business leaders are paying attention and realizing that COSTS related to implementing prevention are a whole lot less expensive than COSTS related to reaction and damage control.

What if PlainsCapital and Hillary Machinery had invested more in individual level awareness and tools that could have prevented this string of events?

  • Cyber criminals transferred more than $800,000 out of Hillary Machinery’s bank account via ACH and wire transfers.
  • Hillary Machinery and PlainsCapital bank were able to recover about $600,000 of the funds that were sent to eastern Europe.
  • Hillary Machinery asked PlainsCapital to repay the remaining $229,000.
  • PlainsCapital responded by filing a lawsuit against Hillary Machinery asking the judge to declare the bank’s security measures “reasonable”.
  • Hillary Machinery filed a countersuit that charged that the bank did not catch the irregular wire transfers and ACH transactions made to Europe over a weekend.
  • Hillary Machinery moved their business accounts to a different bank.
  • PlainsCapital settled its lawsuit against Hillary Machinery. 

 

Hillary Machinery is saying nothing and PlainsCapital is saying nothing.

Bottom line…the COSTS to both organizations were significant.  When you add up the COSTS for legal fees and reputation management related to negative headlines along with each organization’s time, resources, marketing, damage control and lost business…you see that prevention would have been much less expensive.

Is your financial institution prepared to prevent this type of incident?  Are customers prepared to do their part in preventing this type of incident?  Are business leaders prepared to prevent sophisticated cyber attacks and risks?

One last thing…don’t you wonder what the settlement details were?






Copy Machines: A Wake-up Call for Security

Posted In Information Privacy, Information Security, Risk Management on June 1st, 2010

On April 19, CBS News featured a report revealing that nearly every copy machine stores the documents it copies, scans and e-mails on its hard drive.  The report found sensitive and personal information on copy machines that were ready to be resold.

In response, the FTC is now contacting copy machine manufacturers, resellers and office-supply stores regarding privacy concerns over the thousands of images that are potentially stored on the machines’ hard drives.  The FTC is trying to “determine whether they are warning their customers about these risks and whether manufacturers and resellers are providing options for secure copying.”

This is a great example of how security risks and threats are constantly changing and how critical it is to ensure your employees, managers, staff, contractors, third-parties, etc. are aware of existing, new and updated risks.

How are organizations addressing security awareness today?

Many organizations implement once-a-year general training that provides users with a general overview of topics like phishing, pharming, password security, etc.  But, as this report illustrates, general training is NOT enough. Organizations must provide ongoing awareness training to their employees and ensure all personnel (third-parties, vendors, contractors, volunteers, etc.) have acknowledged the updates and understand their individual roles and responsibilities for protecting information.

This report on copiers was released in April; what if Employee A did not take his awareness training until next January?  This employee’s lack of awareness and accountability for 8 months prior could create embarrassing and expensive consequences for your organization.

Curious how your organizations are addressing ongoing awareness training requirements?






Facebook Privacy – End User Awareness and Accountability Lacking

Posted In Information Privacy, Information Security, Risk Management on May 20th, 2010

A group of 15 US privacy and consumer protection groups filed a complaint with the US Federal Trade Commission (FTC) accusing Facebook of “unfair and deceptive” practices and called on the FTC to investigate Facebook’s privacy practices and force it to take steps to guard better against security breaches.

In fairness to Facebook, the social networking company has added several new security tools to help prevent hacking and increased privacy options.  But no matter what the FTC finds or what tools Facebook adds, perhaps a better approach to user security and privacy is to ensure users are aware of social networking risks and accountable for what types of information they are willingly sharing?

Some general best practices (and common sense) that all Users should be aware of include:

  • Keep your personal information to yourself. Don’t post your full name, Social Security number, address, phone number, or bank and credit card account numbers!  Be cautious about posting information that could be used to identify you or locate you offline (school, sports team, where you work, etc.).
  • Post only information that you are comfortable with others seeing and knowing about you. Many people can see your page, including your parents, your teachers, the police, the college you might want to apply to, or the job you might want to apply for.
  • Remember that once you post information online, you can’t remove it. Even if you delete the information from a site, older versions exist on other people’s computers.
  • Adjust Facebook privacy settings to help protect your identity.  Facebook has provided several options to protect users online – but it is up to the individual User to be responsible for them!
  • Read the Facebook Privacy Guide.  At the bottom of every Facebook page, there is a link for “Privacy”.  This page contains the latest privacy functions and policies and helps you ensure your privacy settings are properly set.
  • Choose your Friends Carefully.  Once you have accepted someone as your friend they will be able to access any information about you (including photographs) that you have marked as viewable by your friends. You can remove friends at any time.

 

Organizations may find it is to their advantage to provide ongoing awareness training and prevention efforts to ensure all personnel (employees, vendors, contractors, volunteers, customers, etc.) understand constantly changing social networking risks and threats and what types of information should or should not be shared. 

Schools must also find better ways to provide ongoing online safety awareness to help their students understand escalating risks and threats lurking online if they willingly share too much personal information. 

Individual users need to be more accountable for protecting sensitive and personal information.  Is it Facebook’s responsibility if users decide to post inappropriate pictures or share their credit card number online?

This recent article from EdTech News provides resources and 7 Ways to Reduce Online Dangers.






What is a “Failure to Implement”?

Posted In Human Resources, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on April 19th, 2010

Recently, Awareity’s CEO, Rick Shaw, was asked to present at the Infotec conference in Omaha.  During his presentation, “The Truths (and Myths) About Assessments, Planning and Implementing”, Rick discussed the three-legged stool each organization is sitting on, and the importance of all three legs (Assessments, Planning/Developing and Implementing).

Most organizations understand the importance of assessments and planning, but where many fail to deliver is in the implementation phase.  As we have seen with numerous headlines and lessons learned, a failure to implement can lead to expensive fines, lawsuits, breaches and losses.  Rick used a case study for CVS Caremark.  Due to employees carelessly tossing old pill bottles into a store’s dumpster, CVS now has the FTC coming to audit their information security program for the next 20 years and was forced to pay a HIPAA violation fine of $2.25 M.

The FTC Complaint Docket No. C-4259 read:

“Among other things, respondent failed to: 1) implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal.”

During the presentation, one woman raised her hand and asked, “What do you mean by ‘implement’?  How do you ‘implement’ your policies and procedures once they are created?”

I thought this was a great question and one that should be expanded upon.

An organization can have the best security policy (or plan, program, etc.) in the world, but if the policy is not implemented down to the individual-level, how will individuals be able to help the organization achieve better results?

If your organization is just blasting your security policies out to your people in e-mails and memos…how do you know if anyone received the email or is reading the policies and understands them? Or perhaps you are sending out updated pages for the employee handbooks or manuals…how can you ensure your employees are actually reading these policies?  Are the binders just sitting on a shelf untouched?

Implementing policies, procedures, plans and processes means organizations have documentation and proof that individuals have read, understood and acknowledged their roles and responsibilities.  Regulations require proof of implementation.  Legal due diligence requires proof of implementation.  Lessons Learned continue to prove that organizations that lack implementation will continue to experience expensive and embarrassing results.

Organizations must ensure all appropriate individuals (employees, third-parties, etc.) are receiving updated policies and guidelines, reading the policies, understanding the policies, and acknowledging their individual roles and responsibilities.  Providing employees with a once-a-year general training session is not good enough, as we know risks, threats, best practices, etc. are constantly changing.  The bad guys are not taking 364 days off; is your organization?






“Culture Eats Strategy for Lunch”

Posted In Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on April 6th, 2010

Perhaps you have heard this saying before? 

Culture eats strategy for lunch.

Culture is most commonly defined as the behaviors and beliefs characteristic of a group of people.  So an organization’s culture of behaviors and beliefs is what shapes the decisions people make and the results an organization achieves.

Lessons learned indicate that an organization’s culture is driven from the top down.  For example, what culture related messages do organizational leaders send:

  • With their words? 
  • With their actions at work?  In public? 
  • When they respond to conflicts?
  • When information is shared internally and externally?
  • When changes are encountered?
  • On an ongoing basis?

 

So how does culture eat strategy for breakfast?

Simple…an organization can have the best strategy in the world, but if their culture will not allow or enable the strategy to happen…the strategy is not going to succeed.

There has never been a more critical time for organizational leaders to ensure new strategies are aligned with their organization’s culture.  Organizational leaders must also eliminate gaps and connect-the-dots to ensure their organization’s culture is consistent across levels and silos of people.

How is culture created, implemented and managed?

Lessons learned show that organizations first need to replace their traditional and reactive methods of communications – manuals, general and annual training, memos and memorandums – with proactive methods that ensure awareness, accountability and measurability.

Lessons learned show that organizations are more successful when their acceptable behaviors and organizational beliefs are communicated using methods that require individual level acknowledgements of understanding.

If your organization is just blasting your acceptable behaviors and beliefs and policies out to your people in manuals, e-mails and memos…how do you know if anyone is reading them or understands them?

A recent example of culture eating strategy for breakfast comes from a hospital in Colorado.  The hospital recently found out that some of their patients received letters informing them that their medical records were taken from unsecured recycling bins outside the hospital-owned clinic.  A hospital spokesperson told a Denver news affiliate the following:

“We learned that while we have good policies for protecting patients’ information, those policies weren’t really being followed.”

I guess their culture ate their strategy (and policies) for breakfast…






Passwords…Are they needed?

Posted In Information Privacy, Information Security, Risk Management on April 1st, 2010

This week I received an e-mail from a friend of mine saying he was in the UK to visit his ill sister and needed to borrow money…perhaps many of you have received an e-mail like this too?  In reality, my friend’s e-mail account had been hacked and the e-mail was a hoax.

Also this week, I was part of a Board meeting and we were talking about Internet security and e-mail security and I mentioned my friend’s e-mail account had been hacked and described the story within the e-mail.  Interestingly enough, nearly everyone in the meeting had seen a version of the e-mail and a couple had experienced the pains of having their e-mail account hacked.

I took the opportunity to ask how many people in our Board meeting were using “strong passwords” to protect their e-mail account.  Everyone in the meeting looked at me like I had just asked them to figure out how many cubic feet there are in the universe.

I quickly explained that a strong password is a combination of letters, numbers and special characters that would make it much more difficult for hackers to guess their password and take over their e-mail and I gave them a couple examples too.  For example:

“Beer Man” could become a strong password with these changes:  B33R m@n

“SpaceShip” could become a strong password with these changes: Sp@ce5hip
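The checker below is an added example, not code from the post. It implements the composition rule described above (letters, digits and special characters) and adds the two checks a password policy would also want: a minimum length and a dictionary lookup that first undoes common letter-for-symbol substitutions. `MIN_LENGTH`, the word list and the substitution table are assumed values constructed for the example.

```python
import math

# Composition rule from the post: letters, digits and special characters.
# Minimum length and the word list are assumed policy values, not from the post.
MIN_LENGTH = 8

# Constructed, deliberately tiny word list standing in for a real dictionary.
COMMON_WORDS = {"beer", "man", "beerman", "space", "ship", "spaceship", "password"}

# Letter-for-symbol swaps that are undone before the dictionary lookup.
SUBSTITUTIONS = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                 "0": "o", "$": "s", "5": "s", "7": "t"}


def character_classes(password: str) -> dict:
    """Which of the four character classes the password uses."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),  # space counts
    }


def keyspace_bits(password: str) -> float:
    """Upper bound on guessing effort, log2(alphabet ** length), assuming
    every position is drawn uniformly from the classes actually used."""
    used = character_classes(password)
    alphabet = (26 * used["lower"] + 26 * used["upper"]
                + 10 * used["digit"] + 33 * used["special"])
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def normalize(password: str) -> str:
    """Undo the substitutions, drop spaces and case: 'Sp@ce5hip' -> 'spaceship'."""
    undone = "".join(SUBSTITUTIONS.get(c, c) for c in password)
    return undone.replace(" ", "").lower()


def evaluate(password: str) -> dict:
    """Apply the composition rule, then the two extra policy checks."""
    used = character_classes(password)
    has_letters = used["lower"] or used["upper"]
    meets_rule = has_letters and used["digit"] and used["special"]
    problems = []
    if not has_letters:
        problems.append("no letters")
    if not used["digit"]:
        problems.append("no digits")
    if not used["special"]:
        problems.append("no special characters")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in COMMON_WORDS:
        problems.append("dictionary word after undoing substitutions")
    return {
        "password": password,
        "meets_composition_rule": meets_rule,
        "keyspace_bits": round(keyspace_bits(password), 1),
        "problems": problems,
        "strong": not problems,
    }


if __name__ == "__main__":
    for candidate in ("Beer Man", "B33R m@n", "SpaceShip", "Sp@ce5hip",
                      "Sp@ce5hip crew of 3!"):
        print(evaluate(candidate))
```

Both of the post's examples pass the composition rule, but the dictionary check still flags them because the substitutions are reversible; a longer phrase built from several words passes all three checks.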

Lessons learned continue to show how a lack of awareness can be very costly.

For more password lessons learned check out this recent survey:

http://www.theregister.co.uk/2010/03/30/password_security_still_pants/





