Brian Lapidus is a seasoned expert in security and risk mitigation who focuses on the increasing challenges faced by the public and private sectors in protecting sensitive data and personal information from loss, theft and fraud.
The chief architect of product development at Kroll’s Fraud Solutions group, Lapidus sets direction for the company’s continued success in identity theft discovery, investigation and restoration. Lapidus is particularly knowledgeable about the security gaps – physical, procedural and electronic – common to many U.S. companies and organizations, as well as the criminal landscape where stolen identities are bought, sold and used.
He is frequently quoted on the types of data breaches being experienced by thousands of organizations, and on what steps can be taken to better protect confidential data and to recover should a data breach occur. He oversees a highly skilled team that includes veteran licensed investigators who specialize in supporting breach victims and restoring individuals’ identities to pre-theft status.
The fact of the matter is that patients – and the law – demand that healthcare companies protect highly sensitive information from every possible threat. But in-house security options just can’t keep pace with rapidly growing risks. After all, anti-virus software won’t stop someone from taking medical records. A firewall can’t help retrieve a stolen laptop. Below, I answer several questions whose answers every healthcare organization should know.
Q: Why are healthcare organizations particularly vulnerable to data breaches?
A: There are several factors that make healthcare organizations particularly vulnerable to data breaches. Some of these factors include:
I. Sensitivity of data – The healthcare industry is responsible for maintaining its patients’ most sensitive Personal Health Information. PHI is a treasure-trove for identity thieves.
II. Immense data flow (masses of data flowing in and out) – A primary reason healthcare data security breaches occur is that facilities do not know where all instances of their patients’ sensitive or confidential information reside within the network. Moreover, the danger does not stop at the hospital perimeter, but includes vendors that share or receive the data, as well as employees’ and contractors’ laptop computers and other portable storage devices.
III. Portability/Usage of EPHI (Electronic Protected Health Information) storage devices – Improvements in technology and the portability of patient data come at a cost to security. Devices used to store and access PHI include laptops; home-based personal computers; Personal Digital Assistants (PDAs) and Smart Phones; USB Flash Drives and Memory Cards; floppy disks; CDs; DVDs; backup media; Email; Smart cards; and Remote Access; not to mention hotel, library or other public workstations and Wireless Access Points (WAPs).
Q: Who and/or what is at risk should a data breach occur? Are children, in particular, at risk? If so, why?
A: The credit reporting agencies do not knowingly maintain credit files on minor children. Therefore, if the Personal Identifying Information (PII) of a minor is at risk, it is impossible to place a "fraud alert" on his or her credit file to monitor and help protect the child from identity abuse. Many victims do not realize that their information was used until they apply for credit as an adult.
There are two different ways that an identity thief can use a minor’s information. The first is "Minor ID Cloning", where a thief uses the minor’s name and social in combination with a fraudulent address and date of birth to apply for credit. Once the credit bureau receives an application for credit, that begins the minor’s credit history and the child "becomes" the age of whatever information the thief supplied on the application for credit.
The second form of minor identity theft is "Minor ID Combining", where a thief uses the minor’s social security number in combination with the thief’s name and date of birth.
The detection and repair of minor identity theft is a time-consuming and difficult process.
Q: What should healthcare organizations be doing to better protect the personal information of children and all patients?
A: Awareness of data-breach methods and of ways to thwart an attack is key to reducing exposure. Following are some simple steps to elevate awareness and establish a better defense:
I. Educate employees about appropriate handling and protection of sensitive data. Have sanctions in place for employees found not following proper guidelines. Both are HIPAA requirements.
II. Consistently enforce policies and procedures, physical safeguards, and IT security. All three are required by HIPAA.
III. Review and revise physical security practices as needed in both brick-and-mortar and virtual operations. Address all the critical areas, such as who can leave the office with patients’ PHI, where sensitive data is stored and destroyed, who has access to sensitive data, and whether employees are required to surrender keys and badges upon leaving the company’s employ.
Q: What are the top three things healthcare organizations can do to protect themselves pre-breach? Post-breach?
A: Pre-Breach
1. Designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices, as required by the HIPAA Privacy Rule at 45 C.F.R. § 164.530(a).
2. Covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. There may be situations that warrant such offsite use or access, e.g., when it is clearly determined necessary through the entity’s business case(s), and then only where great rigor has been taken to ensure that policies, procedures and workforce training have been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA Privacy Rule. Covered entities must develop and implement policies and procedures for authorizing EPHI access in accordance with the HIPAA Security Rule at §164.308(a)(4) and the HIPAA Privacy Rule at §164.508. It is important that only those workforce members who have been trained and have proper authorization are granted access to EPHI.
3. Partner with a corporate breach and data security expert to map a breach response strategy and plan. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the HIPAA Privacy Rule at 45 C.F.R. § 164.530(f).
Post-Breach
1. Have a relationship with a corporate breach and HIPAA data security expert so that any investigation can begin immediately and affected individuals will be notified in a timely manner. Collaborating with a company that can investigate, notify, and assist breached individuals goes a long way to avoid loss of brand integrity.
2. Detail who is in charge of any internal investigation, and who will speak to the police and media. Notify your corporate breach and data security expert partner that there is a security issue.
3. Maintain a good relationship with local, state, and federal law enforcement throughout the investigation. A positive report about a healthcare provider’s cooperation with law enforcement goes a long way toward maintaining brand integrity.
Q: Describe a client in this industry who benefited from your service.
personal information of 365,000 patients. The personal information exposed included patients’ names, physicians’ names, addresses, dates of birth, patient financial information, insurance data, diagnoses, prescriptions, and in some instances, lab results. The tapes also contained personal information of deceased individuals and minors who had received treatment at their facility. Kroll was hired to notify these individuals of the loss of information and to provide licensed investigators to respond and educate disturbed callers on how they could protect their personal information as well as that of minors and deceased loved ones. In addition to consultative services, the investigators provided assistance to individuals who had fallen victim to identity theft as a result of this incident, and helped these individuals regain their pre-theft identity status.
Q: What are the latest trends in security breaches at healthcare organizations?
A: I’ll provide two examples that discuss two of the latest trends, one focusing on a healthcare payer and the other focusing on a healthcare provider.
Healthcare Payer
A large commercial healthcare insurance company experienced a data breach as a result of a laptop being stolen from an employee’s car. The employee did not follow the corporate policies for protecting member data, which resulted in exposing Personally Identifiable Information (PII) for 38,000 plan members. The information compromised included names, addresses, Social Security numbers and health-related data. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to identity theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.
Healthcare Provider
A hospital, while undergoing an expansion of its IT system, discovered there were unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of patients, and of the parents or guardians who were listed as the main policy holders with the health insurance carrier. This personal information included names, addresses, social security numbers and patients’ (minors’) birth dates.
The second database contained personal financial information, including unencrypted bank account and routing numbers pertaining to individuals who had donated to the hospital. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to identity theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.
If you or your company would like to discuss a particular identity theft protection solution or issue, please visit www.krollfraudsolutions.com to get additional information or to contact a Kroll Fraud Solutions specialist.