Blog

Archive for September, 2009

When will they learn? Another lost tape.

Wednesday, September 30th, 2009

On September 11th of this year, Chase Bank once again joined the illustrious list of companies and government agencies that have lost data storage tapes containing sensitive consumer information such as Social Security numbers and addresses.  The list includes Citibank, the IRS, BNY Mellon, Harvard Law School, Bank of America, Ameritrade, etc.   And it's not even the first time that a subsidiary of JP Morgan Chase has lost a data tape: their private client group had an incident back in May of 2007.   In this case, Chase tried to reassure their customers by telling them in their notification letters that "the tape can be read only with special equipment and software and we have no evidence to indicate any of the information has been viewed or used inappropriately."   So everything is good, right?  Except that obtaining that "special equipment and software" really isn't that hard; the drives that read backup tapes are ordinary commercial products, so it's just a matter of spending enough money.  And a tape that is read offline leaves no trace behind, so "no evidence" of misuse is exactly what you would see whether or not the data had been copied.  That's why Chase had to notify their customers of a potential breach and offer them a one-year subscription to the bank's identity protection program. 

Maybe this time Chase will learn their lesson and decide to start encrypting their backup tapes.  If the tape had been encrypted with a product like Zserver Backup, the data would have been protected with a 256-bit encryption key, and losing the tape would have meant losing a backup copy, nothing more: their customers' sensitive data would have been as safe as if it had been locked up in the bank's own data center.  The one thing that has to be done right is key management: the key must never travel with the tape, and it must be retained for as long as the backup might need to be restored, or the encryption either protects nothing or destroys your own recovery.  Given the simplicity and low cost of the solution, there really is no reason for any company not to encrypt its backups.   So the question you should be asking of every company that has your private data is: when will they learn?
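To make the "lost tape, not lost data" point concrete, here is an added example written for this page; it is not code from Zserver Backup, Chase, or any other vendor. It uses Go's standard library to seal a backup image with AES-256-GCM under a 256-bit key that is generated and held separately from the tape, and it goes one step beyond the post's argument: because GCM is authenticated encryption, a tape that has been altered is rejected as well as one read without the key. The backup record and the one-byte tampering are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleBackup is a constructed stand-in for the records written to a tape.
var sampleBackup = []byte("acct=1234567890 ssn=000-00-0000 addr=1 Main St\n")

// NewBackupKey returns a fresh 256-bit key. In a real deployment this key
// lives in the data center's key store and is never written to the tape.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM instance and rejects keys of any other size.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates a backup image. The tape receives
// nonce || ciphertext || tag; the nonce is random for every tape written.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies and decrypts a sealed tape image. A wrong key or any change
// to the stored bytes makes GCM's tag check fail, so Open fails closed.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed image too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// LostTapeResult records what happens to a sealed tape that leaves the building.
type LostTapeResult struct {
	OwnerRestores   bool // the key holder gets the records back
	PlaintextOnTape bool // the raw records are visible on the sealed image
	StrangerReads   bool // a finder trying another key recovers anything
	TamperAccepted  bool // a modified image is accepted as genuine
}

// LostTapeScenario seals the constructed backup and plays out the post's
// lost-tape case plus a tampering attempt against the same image.
func LostTapeScenario() (LostTapeResult, error) {
	var r LostTapeResult
	key, err := NewBackupKey()
	if err != nil {
		return r, err
	}
	tape, err := Seal(key, sampleBackup)
	if err != nil {
		return r, err
	}

	got, err := Open(key, tape)
	r.OwnerRestores = err == nil && bytes.Equal(got, sampleBackup)
	r.PlaintextOnTape = bytes.Contains(tape, []byte("ssn="))

	wrongKey, err := NewBackupKey() // the finder does not have the real key
	if err != nil {
		return r, err
	}
	_, err = Open(wrongKey, tape)
	r.StrangerReads = err == nil

	tampered := append([]byte(nil), tape...)
	tampered[12] ^= 0x01 // constructed tampering: flip one bit of the first ciphertext byte
	_, err = Open(key, tampered)
	r.TamperAccepted = err == nil
	return r, nil
}

func main() {
	r, err := LostTapeScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The nonce is prepended to the image rather than stored elsewhere because it is not secret; only the 32-byte key is, which is why the example keeps it in a separate value that is never written next to the ciphertext.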

Electronic Health Records: The Carrot and the Stick

Tuesday, September 8th, 2009

The Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which was passed as part of the American Recovery and Reinvestment Act of 2009, contains both incentives and penalties to encourage hospitals and physicians to implement technology with the goal of creating and using electronic health records (EHRs) for each person in the US by 2014.   Since part of the act requires that these records be kept protected, and the Secretary of Health and Human Services has provided guidance that this includes data encryption as well as ensuring data destruction, the incentives are important for helping hospitals and physicians achieve compliance.

The incentives work this way.  The sooner after 2011 that hospitals and physicians implement EHRs, the more money they qualify for, with phase-outs of the incentives starting for implementations that begin after 2013.   The incentive payments continue for a number of years to help with the support required for EHRs.    On the reverse side of the coin are the penalties that start kicking in for physicians and hospitals that have not adopted EHRs by 2015.  These penalties reduce the Medicare payments that would otherwise have been received, by percentages that increase for each year that implementation is delayed. 

The important thing to note about these dates is that the act requires that physicians and hospitals be "meaningful EHR users" during a payment year to qualify for the incentive payments.  So even though the payments will not start until 2011, it's important that preparations for converting to EHRs start right away.  That's because converting to electronic records and ensuring that they are protected is not an overnight process.  Hospitals and physicians will need to evaluate the best technology for their use, map out a plan for the conversion of their most important paper records, and arrange for the training of their staff.

Guess what category tops the biggest information security breaches of 2009?

Wednesday, September 2nd, 2009

If you look at the recent article in BankInfoSecurity.com about the biggest breaches in 2009, you'll see that they've done an analysis of the 46 data breaches that have occurred so far this year involving financial institutions.   That analysis shows that the majority of the breaches involved insider theft.   It's a pretty daunting statistic, and it emphasizes the need to protect yourself from data theft by the people inside your protected network.  But if you look deeper at the data, you'll see the problem is even bigger than it appears, because BankInfoSecurity separates insider theft (the purposeful theft of data) from other forms of insider data breaches, specifically "exposure of data on the Internet" and "accidental breaches."   In both of those categories the breaches were caused by insiders; they were just unintentional.

And that's important to note.  When most people hear about data loss from insider threats, they automatically think of disgruntled or dishonest employees or contractors, and the second thought (especially at smaller companies or departments) is that my employees are happy and honest and it could never happen here.  It is very possible that they'd be right.  But as the latest survey shows, that doesn't mean they won't suffer a data loss caused by an accidental breach.   And those are probably among the easiest data breaches to protect against, just by implementing a few common-sense procedures and some basic software protection.