Monthly Archives: July 2015

Will Your Recruitment Initiatives Invite and Welcome Computer Hackers?

inside threat

It is very clear that the current landscape is replete with stories of improper intrusion and hacking of computer systems leading to improper dissemination of proprietary or other types of protected information.

Most organizations try to block the unwanted intruder (hacker) from ever gaining access to their computer systems. A common method utilized by hackers is known as phishing, which is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to get the unsuspecting victim to click on a particular link, oftentimes seeking private information. Clicking on that link may also allow for malware/viruses to enter the unsuspecting victim’s computer system. So far, we see nothing new.

I recently read that there is a variant on the phishing scheme which comes into play when a company advertises that it is seeking to fill a position. In essence, it is inviting applicants to send resumes which normally and, in fact, are expected to be sent as email attachments. The person tasked with hiring, oftentimes HR, or in smaller organizations, someone with admin responsibilities receives a series of e-mails from would-be applicants. The attachment, however, can contain malware which would not necessarily be detected.

Frankly, I found this situation to be alarming because the general rule of “don’t open e-mails or attachments from people you don’t know” realistically falls by the wayside. In fact, the refrain “you really should have known better” also falls by the wayside.

How many people has your organization hired by placing ads on websites and then sifting through the e-mail responses?

Antivirus software and keeping current on software patches are an obvious first step.

Internal firewalls with dual factor authentication may be the next step.

 

How Much Does a Data Breach Cost in Dollars and Cents?

Online Security

In my last few posts, I wrote about causes of HIPAA breaches and the possible course of a compliance agreement. ( “The Most Detailed and Costly Compliance Agreement You Are Ever Likely to See” , “Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions” , “The Seven Most Likely Causes of Major HIPAA Breaches” , “The Five Most Likely Types of Major HIPAA Breaches” ) A basic question though is how much does a data breach cost in dollars and cents?

I am reasonably certain that as with all statistical matters, depending on how you skew the numbers, there can be vastly different results. I recently came across a report by the Ponemon Institute/IBM dated May 2015, which deals with global data breaches (not restricted to healthcare and/or HIPAA breaches) which I believe is both timely and highly informative.

Some of the key findings of this report indicate that there has been a 23% increase in the total cost of data breaches since 2013 (understanding that this 2015 report represents 2014).

The simple study of 350 companies dealt with data breaches. The average cost of a breach increased from $3.52 to $3.79 million during a one year period.

An interesting finding was that 79% of C-level US and UK executives surveyed said that executive level involvement is necessary to achieve an effective incident response to a data breach and 70% believe that board level oversight is critical. The reason I point out this factoid is that too many small to medium companies approach HIPAA compliance (which to me is really a subset of the need for data security) with the belief that outsourcing compliance is enough.

All of the participating companies experienced a data breach ranging from a low of approximately 2,000 to slightly more than 100,000 compromised records. For the purposes of this study, a compromised record was one that identified the individual whose information was lost or stolen in a data breach. A breach was defined as an event in which an individual’s name plus a medical record and/or financial record or debit card is potentially put at risk. (Obviously, the report did not deal with the 19 identifiers relating to HIPAA.)

Malicious or criminal attacks were 47% of the root causes as opposed to 42% a year earlier, and similarly the report shows an increased cost from $159 to $170 per record. The cost is highest in the United States, with an average of $230 per record.

The smaller the breach the greater the likelihood, and apparently, the higher the cost per record.

Costs relating to detection increased as well from $0.76 million to $0.99 million. The costs included forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.

The cost of the data breach ranges by industry, and while the average is $154, the average cost for a healthcare organization is $363.

The cost can vary based on the initial safeguards put in place.

While notification costs are relatively low, the cost associated with lost business is increasing.

The general attitude of NIMBY (Not in my backyard) seems to be a common mindset with small to medium Covered Entities (CEs) and/or Business Associates (BAs) – this only happens to the other guy. The threat of a data breach is real.

In communication I had with the FBI Cyber Crime and US Attorney prosecutors, the question they pose is not IF you will have a breach, but rather WHEN you will have a breach. The key is preparation and implementing safeguards.

When virtually every company surveyed had a breach of some size, it is fair to assume that this mindset (even absent the significant regulatory issues) is misguided.