Article

2015 PHI Protection Network Forum - A Time “Before…

It is 10:33 am the day after attending the third annual PPN Forum in Orange, California on February 19, 2015. I am sitting in seat 26D at the back of Alaska flight 587 traveling home and reflecting on the highlights of the forum. The key message at the forum was that the mega data breaches, starting with Target in December of 2013 through the recent breach of up to 80 million members of Anthem, have created a “window of opportunity” for PHI Protectors to advance their cause of better PHI security. Here are a few highlights from the day…

Dick Wolfe recognized with the first “PHI Hero” Award: The morning started with us honoring Dick Wolfe, a good friend and colleague, with the first “PHI Hero” Award. Dick made a significant contribution to the protection of health information before his passing last November. Dick’s daughter, Melissa Johnson, was there to accept the award on her father’s behalf and said how much she appreciated hearing about the important work her father did during his 30-year career and understanding how important his role was to protecting our health information.

Average Persistent Threat: Larry Clinton, President of the Internet Security Alliance, set the tone for the conference by highlighting the challenge PHI Protectors face in healthcare, with investment down and advanced persistent threats becoming the “Average Persistent Threat”. It is now commonplace for cyber criminals to use sophisticated methods and tools to attack and breach an organization’s security defenses. He said there are now only two kinds of organizations - those that know they have been breached and those that don’t know they have been breached. The reality is every organization is at risk of cyber-attack and breach of sensitive personal data, intellectual property, and other trade secrets.

Delineation now exists in time before the Target breach and after the Target breach: JD Sherry, VP Technology and Solutions from Trend Micro, asked each panelist which Looney Tunes character best represented their role. The panelists all agreed it was Wile E. Coyote, because no matter what he tried, the Road Runner always got away. The bad guys always seem one step ahead of the good guys regardless of the effort or technology they implement. JD asked how their jobs had changed over the past 24 months. A key point made by this panel was “we now refer to time as Before Target and After Target”. Dustin Wilcox, CISO at Centene, said before Target he met with his executive team for 15 minutes once a quarter, but after the Target breach his board members and executives began calling him at home asking how to avoid a Target-type breach and giving him the necessary resources to implement security initiatives faster.

Value of a Cyber Insurance Policy: David Finn, Health IT Officer from Symantec, led his panel in a discussion of the legal and regulatory issues and consequences. The panelists highlighted the benefit cyber liability insurance can have in mitigating the financial impact of a breach. Kim Holmes, VP Product Development at One Beacon, said one big mistake entities make is believing that their current general liability insurance policy covers cyber risk. Sean Hoar, Partner at Davis Wright Tremaine, cautioned about knowing what is covered and what is not, and whether the policy specifies vendors you must use as part of the coverage. He commented that if you already have a relationship with an attorney or breach services provider, the policy may exclude you from using them. Andrew Serwin also talked about when to use attorney-client privilege to protect confidential information and suggested considering invoking this protection when doing a risk assessment, in case the assessment discloses cyber risks an organization decides to accept.

4 Threats are Big Data, cloud, mobile, social media: Greg Bassett, VP of Service Delivery at Clearwater Compliance, introduced his panel by stating that the information in a patient health record is worth 20 to 50 times that of a Social Security number on the black market. Big Data, cloud computing, mobile (BYOD), and social media are what is keeping security and privacy professionals up at night. And on top of all of this risk is the “risk of the unknown.” Jerry Sto. Tomas, CISO at Allergan, shared a story about a recent hostile takeover attempt to create a possible security breach. The panel shared that there is a shortage of security professionals available for hire in the market, creating more opportunity for risk.

What I Learned from Chinese Hackers: This panel focused on approaches to protecting PHI and was led by James Christiensen, VP of Risk from Accuvant. Eric Cornelius, Director of Critical Infrastructure and Industrial Control Systems at Cylance, shared what he learned from hackers who use existing tools to breach a network. He said Chinese hackers will use the standard utilities that come prepackaged with Microsoft to gain access to a secure network. He also said that with zero additional investment, an entity could use these same free tools and do a better job of detecting a breach. Chris Strand, Sr. Director of Compliance at Bit9, and Stephen Bono, Principal at Security Evaluators, also talked about the need to focus on the basics in cyber security - people, process, and tools.

San Diego Health Connect is proof there is value in sharing health information: Good news was shared by Dan Chavez, General Manager of San Diego Health Connect, a health information utility that connects providers, patients, and Health Information Exchanges (HIEs). Dan believes that the success of his health information exchange is based on creating a platform with federated data that improves health quality outcomes. He stressed that all the stakeholders, including major provider systems, government agencies, and business associates, agreed to play by the same rules, which fosters information exchange without competition.

The common enemy between doctors and CISOs is the compliance officer: When Dr. Jay Smith was asked how PHI Protectors could do a better job engaging doctors in compliance, he said that the enemy is the compliance officer. But he followed up with the sentiment of “give them a role and voice at the table and they will come.” Ray Ribble, Managing Partner at All Medical Solutions, asked his panel to suggest ways PHI Protectors could get involved with efforts inside and outside of their organizations after the conference, which led to a discussion about engaging with alliances such as the Medical Identity Fraud Alliance, NIST, and ISACs.

Thank you again to the sponsors, speakers, and attendees for making this a wonderful information sharing and networking event. Please join the conversation on the LinkedIn Group and participate in the ongoing dialogue. As our panelists said, we have a tremendous window of opportunity now to make an impact -- patient privacy and security is about all of us.

Article

Anthem Breach Highlights Limited Public Awareness of…

The massive data breach recently announced by Anthem Inc., the second largest U.S. health insurer, provides a perfect example of the limited understanding by media and many “experts” of the full spectrum of risks resulting from data breaches in healthcare organizations. While breaches like this one at Anthem do put consumers at risk of financial identity theft, it is the threat of medical identity theft and fraud that is more serious and less well understood.

In the eyes of most people, every data breach puts consumers at risk for identity theft, which leads to bank account fraud, credit card fraud, and tax fraud – all things financial. As an example, Forbes coverage of the Anthem breach (6 Ways to Protect Yourself after the Anthem Data Breach, February 5, 2015) provides conventional advice, the same treadmill of check your bank statements, check your credit cards, change your password, order your credit report. That is all good, albeit generic, advice, but it completely ignores the risks of medical identity theft and fraud.

Because the compromised data included both health insurance member identifiers and Social Security numbers, the major risk here is medical identity theft. This can happen a number of different ways, but the two most common are 1) someone uses your medical identity to obtain medical goods, services, and prescriptions pretending to be you, or 2) a devious individual (often organized crime) uses your medical identity to bill your insurance, Medicare, or Medicaid for all kinds of medical goods, services, and prescriptions without your knowledge. The huge problem here is that everything done by the fraudulent person goes on your personal medical record as if you did it! Suddenly the next time you go to a doctor or emergency room they will pull up your record (which is now an electronic health record) and most of the things on there are not you. Your pre-existing conditions, your allergies, your drug interactions, possibly even your blood type may have changed. Medical identity fraud can literally kill you. So pardon my frustration when 90% of the major media outlets never even mention that.

Is that possibly because medical identity theft isn’t as prevalent as I think? As it turns out, to the contrary, medical identity theft is the fastest growing identity crime in the country, affecting over 1.8 million Americans according to the 2013 Ponemon Study on the subject.

But all is not lost; some of the media coverage on the Anthem breach is starting to dig into the risks of medical identity theft. NBC News has taken a broader view of the risks inherent in the Anthem breach in their coverage. Their article (Anthem Hack: Credit Monitoring Won’t Catch Medical Identity Theft, February 5, 2015) actually talks about the problem and points out correctly that credit monitoring is largely useless for protecting consumers from medical identity theft. They point out many of the risks and give some advice on how to detect whether you may have a problem.

What was not reported in this article, however, is that there is now an effective alternative to credit monitoring that focuses on protecting consumers from medical identity theft. It is MIDAS – medical identity theft alert system – a software and services solution created by ID Experts specifically to address the risks of medical identity theft. MIDAS notifies the consumer every time a healthcare provider makes a claim against their medical identity. You simply confirm that yes, you saw that provider on that date and received that treatment or product. Of course, if you don’t recognize the claim being made, we then have a potentially serious issue that will be followed up on immediately. No more wondering if someone is fraudulently using your medical identity.

One last note… if you care about the serious topic of medical identity theft, there is a recently created non-profit organization called the Medical Identity Fraud Alliance (MIFA) whose mission is to educate consumers (and the media) about this growing problem. As big as it is, pretty much everyone agrees the Anthem breach will be just one of many healthcare breaches in the coming months and years, and now is the time to start arming consumers with a way to fight back.
