HIPAA Security – Cybercrime

Just last week I received an email from one of my suppliers.  The gist of the email was as follows:

“On September 1st, 2017, we were informed by our 3rd Party Ecommerce Provider that their software platform which hosts our website experienced a data breach.  The investigation indicates the intrusion began in early July 2017 and was remediated prior to August 24th, 2017.  During this time, the attackers gained access to certain customer information.”   

The sad part is that “certain customer information” turned out to be our credit card information, together with all the corresponding details needed to complete transactions. Worse than that is the fact that no one is safe, as demonstrated by the hacking of Experian, a global identity protection company.

Based on the email I received, I decided to look further into hacking and how it may affect healthcare businesses and professionals, and while doing that I found a term I had never thought about: “aftershock”. In this particular instance, aftershock refers to attackers reselling the information obtained years after the initial breach. As Experian wrote in their 2017 Data Breach Industry Forecast:

“As a result, companies that didn’t experience a first-hand data breach may see repeat unauthorized log-ins and be forced to notify their users that their information is being misused. This can be compared to an earthquake “aftershock” where the effects of an attack reverberate and are felt long after the initial disaster.”

In this same report, Experian points out that healthcare will continue to be a key target for hackers, as identity theft and ransomware are becoming easier and more lucrative. At first this comment hurt my pride, but then I considered the following:

  • EHRs continue to be upgraded, and these upgrades may actually create new vulnerabilities we don’t yet know about;
  • Data is being shared among devices that may not have the same protections as EHRs and system servers, making unauthorized access easier to obtain;
  • Creating connections among multiple users and platforms creates new weaknesses in some systems;
  • A chain is only as strong as its weakest link. In other words, you may be sharing data with an entity that does not have the latest patches or security;
  • New apps and functionality are great, but they may not yet have robust security, which creates opportunity for attackers;
  • The need to network may force entities to lower their defenses to facilitate communication.

In short, there are too many variables that are difficult to control in an ever-changing environment. So while I’m not too good at hitting moving targets, I also refuse to give up, so for now here are a few recommendations I took from Lions Bank:

  • Protect your Access ID, passcode and security questions.
  • Keep up-to-date anti-virus / anti-spyware software and firewalls to protect your computer.
  • Log off of any online session when your session is complete. Do not leave the session open.
  • Change your passcode occasionally.
  • Don’t allow individual sub users to access accounts they do not need to access.
  • Don’t request privileges on accounts which you rarely or never use to transact.
  • Include your cell phone number as a means to receive security alert notifications in addition to email.
  • Review the privileges of sub-users at least once annually.
  • Check your credit card and bank statements regularly and look for unauthorized transactions.
  • Never provide your personal or financial information in response to an unsolicited phone call, fax, or email no matter how official it may seem.
  • Do not respond to email that may warn of dire consequences if you do not validate your information immediately.
  • When submitting sensitive or financial information online, look for the padlock or key icon in your browser. Most secure internet browsers use “https”.
  • If you notice any suspicious activity in your account, notify someone immediately.
  • Only download mobile apps from trusted sites and approved app stores.
  • Keep Bluetooth turned off when you are not using it.

Learn more about cybercrime at EPI Conferences: “Healthcare Compliance and Innovation Conference”.