Privacy Threats Come from all Corners


The types of personal information crooks, marketers, surveillors and others are after vary greatly. You can see it in the kinds of organizations under attack from black-market entrepreneurs, just-because-I-can hackers and even Chinese computer manufacturers.



Before you scatter your personal information to the wind, be aware of the risks posed by the various entities you use to work, play and make life "easier." 

While retailers, banks and entertainment companies tend to make the most headlines when breached, healthcare systems have been hot, frequent targets for many moons. Be sure to consider how your medical history, insurance information and prescription profile data could be of value to any number of individuals and companies. 


Increasingly, consumers must apply diligent privacy practices with every entity they allow access to their personal information. Read on for tips on doing exactly that.

Tip #1: Check Health Reports as Often as Credit Scores 

The recent Anthem breach points to the need for all organizations to secure the personal information of their employees and patients, including health insurance information. Crooks know this kind of information will sell like hot cakes on the black market, both to knowing criminals looking for access to prescription drugs, as well as unsuspecting individuals simply looking for affordable healthcare options.


I advise people to check with their healthcare providers and insurance companies as often as they check with the three major credit bureaus. Just as we need to look for unauthorized transactions on our financial accounts, we need to watch for fraudulent activity on our increasingly valuable (and vulnerable) health insurance accounts.


The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers and insurers to share information with patients about the way in which their personal data is secured, as well as who has recently accessed it for reasons that do not support treatment, payment or operations, upon request; HIPAA refers to these as "accounting of disclosures." This is in addition to sharing the details in times of a breach. HIPAA also requires that healthcare providers and insurers provide a copy of the medical records (contained within what is called a "designated record set") upon the request of patients and insureds.


This underscores the need for healthcare providers and insurers to perform strong and frequent due diligence on the safety controls of their own systems and activities. Ask to see your patient records and accounting of disclosures at least once a year to make sure all your information is accurate. 




Tip #2: Monitor Your Third Parties

In many of the most publicized data breaches, such as Chick-fil-A, contracted third parties have been found to be the main point of entry for hackers. That's why it's so important to determine the strength of a contracted business provider's security before entering into a partnership.


To address this need, I've developed a third-party contractors tracking and risk-evaluation service specifically for healthcare providers held to HIPAA requirements for covered entities. The service helps privacy, compliance and security managers keep track of their business associates, centrally documenting the health information each has access to, the security controls and practices they follow and other important information the covered entities need to know. This helps each covered entity (the healthcare providers, insurers and clearinghouses) better determine the risks each entity poses to patient privacy and the organization's overall security. As well, the service helps covered entities manage updates provided by the business associates.


FYI, I am happy to share the news that I will be making this third-party contractors system available to all industries in 2015. Want to know more? Just drop me a line.

Tip #3: Keep Eyes Open for Scammers 

Data trafficking is now more lucrative than drug trafficking! So it's no wonder crooks and opportunists are everywhere trying to get access to your data. Following are a few of the latest tricks and traps getting unaware consumers into hot water.


Pizza delivery - Scammers place phony menus under car windshield wipers and wait for unsuspecting diners to call in. That's when they steal their full names, credit card information and home addresses.


Airline rewards - Hijacking air miles is a hot trend among criminals who access the accounts through stolen usernames and passwords (often obtained through third-party sites unrelated to the airlines). (Thanks to my friend Faith Heikkila for this tip.)



Lenovo computers - The Internet was abuzz last week with news that Chinese computer manufacturer Lenovo had built spyware into certain machines. Fortunately, you can find and remove it by following these instructions.


Tip #4: Understand Your Credit Card Tells a Story  

Scientists at MIT have proven what many of us in the data security and privacy community have long suspected - consumers can be identified from their "anonymized" credit card transactions. Their research found that adding just a small amount of information from an outside source was enough to identify the credit cardholder in the financial transactions they observed.


The takeaway for you? Understand your transaction data tells a story. Taken out of context, that story could paint a completely inaccurate picture of you. How might that story be used within insurance actuarial calculations, insurance claims and adjustments, loan and mortgage application considerations... what about divorce proceedings?


No one is saying you need to go off the grid. Simply understand the privacy risks that exist as you choose to make purchases with plastic. Also, be cautious about parties claiming to "anonymize" data before they share it with others. True anonymization is much more complex than removing a few specific data items.
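Added example, not part of this Tips message or of the MIT team's code: a small Python script showing why replacing card numbers with pseudonyms is not anonymization. On a constructed release of (pseudonym, day, shop) rows, a handful of (day, shop) facts known from an outside source narrows the match to one card, and unicity() measures how often a given number of known points does so; all data, names and functions are constructed for the illustration.

```python
from collections import defaultdict
import random

# Constructed sample release: card numbers replaced by pseudonyms, nothing else
# removed. Rows are (pseudonym, day_of_month, shop).
SAMPLE_RELEASE = [
    ("c1", 3, "grocer"), ("c1", 9, "cafe"), ("c1", 14, "pharmacy"),
    ("c2", 3, "grocer"), ("c2", 9, "cafe"), ("c2", 20, "gas"),
    ("c3", 3, "grocer"), ("c3", 14, "pharmacy"), ("c3", 20, "gas"),
]

def index_by_card(rows):
    """Group rows into {pseudonym: set of (day, shop) points}."""
    by_card = defaultdict(set)
    for card, day, shop in rows:
        by_card[card].add((day, shop))
    return by_card

def matching_cards(by_card, known_points):
    """Pseudonyms whose transaction set contains every (day, shop) point an
    outsider happens to know. A single match re-identifies the card."""
    wanted = set(known_points)
    return {card for card, points in by_card.items() if wanted <= points}

def unicity(by_card, num_points, trials=400, seed=1):
    """Share of sampled cards singled out by num_points of their own points
    (the 'unicity' measure the MIT team reported). Deterministic via seed."""
    rng = random.Random(seed)
    cards = sorted(by_card)
    hits = 0
    for _ in range(trials):
        points = by_card[rng.choice(cards)]
        sample = rng.sample(sorted(points), min(num_points, len(points)))
        hits += len(matching_cards(by_card, sample)) == 1
    return hits / trials

def synthetic_release(cards=300, per_card=10, days=30, shops=40, seed=7):
    """Constructed larger release: each pseudonymous card makes per_card
    purchases at random shops on random days."""
    rng = random.Random(seed)
    return [(f"c{c}", rng.randrange(days), rng.randrange(shops))
            for c in range(cards) for _ in range(per_card)]

if __name__ == "__main__":
    by_card = index_by_card(synthetic_release())
    for p in (1, 2, 3, 4):
        print(f"{p} known point(s): {unicity(by_card, p):.0%} of cards unique")
```

The same check is what a data holder should run before calling a release "anonymized": if a few outside points already isolate most cards, more than pseudonymization is needed.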


Tip #5: Think Twice Before Signing onto Just Any Wi-Fi 

Last month, we talked about the risks associated with your home Wi-Fi. Just after hitting send on the February Tips message, a new home router vulnerability was reported (thanks to my friend Joe Shook for this pointer). This one allows cybercrooks to mess with your DNS settings so as to send you to imposter sites, replace advertisements on legitimate sites and even to block you from security updates.


But it's not only residential Wi-Fi that carries risks. Some of the same vulnerabilities exist when we're away from home. Hotel Wi-Fi networks, for instance, are hacker hotbeds.


According to the FTC, here is what you need to look out for:


When you try to get online using a hotel's Wi-Fi network, you get a pop-up for a software update. Do not click to accept the download; you may unknowingly load software that will damage your computer or steal your information.


NOTE: I carry my own Internet Wi-Fi router with me when I travel so I can use it to connect online and control all the security settings. If you travel a lot as well, you may want to consider doing this, too.


Tip #6: Be Mindful of the Internet of Things (IoT)

Our connected world has stimulated great innovation and advancement. At the same time, more connections often mean more opportunities for lost privacy and security. Take a look at these examples:


Smart TVs are listening - CNN Money recently reported the voice recognition baked into Samsung's new smart TVs actually records every word spoken by the TVs' owners and then sends that data over the Internet. Even more troubling, this spoken-word data is being sent to a third party, which converts speech to text.


Smart cars are vulnerable - At least one U.S. Senator is concerned smart car manufacturers aren't building proper security into their vehicles. Researchers recently showed how failing to do so allows hackers the ability to take over systems like steering and brakes. Yikes. (I hope to do some research to check this out myself sometime this year. I will let Tips readers know what I find.)


Privacy Professor on the Air...

My next two visits to the Great Day KCWI Morning Show have been scheduled. Please be sure to tune in on March 9 and March 23 at 8:20 a.m. central. To see my last appearance, during which we discussed identity-theft threats and scams that often spike during tax season, check the station's YouTube channel.


... and on the Road

I have a growing list of presentation and training events confirmed. Here is where I will be in the coming months. Stop by and say hello if you'll be in the area.


March 4: Facilitating a round table privacy discussion "Data Privacy - Evolving Customer/Regulator Expectations" at the Utility Analytics Summit in Phoenix, AZ.


March 5: Talking about privacy at the SGIP ENGAGE 2015 conference in Phoenix, AZ.


March 17: Co-presenting the session, "GAPP vs. Gaps: Managing Enterprise Privacy" with my friend Sarah Cortes at the ISACA NA CACS Conference in Orlando, FL.


March 18 & 19: Teaching a 2-day class, "Conducting a Privacy Impact Assessment," at the ISACA NA CACS Conference in Orlando, FL. I'm excited to see class space is already sold out! (NOTE: If your organization can't make it to the class, you can purchase my PIA toolkit online, which includes training.)


April 8: Speaking about privacy engineering at the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS) Seminar, West Lafayette, IN.

April 14: Providing a closed privacy discussion/class to the executives and board members of a large multi-national corporation in Tennessee.




Questions? Topics?

Do you have any topics you'd like to see me discuss on the Great Day KCWI morning show? Or, any you'd like for me to answer in my next monthly Privacy Professor Tips? Please let me know by sending an email. I've also just added some easy-to-use "?" buttons on my sites you can use! See here and here.


Need Help?


If you need any help with information security or privacy training and awareness, security or privacy activities, or if you must comply with HIPAA and need help (especially important now that the Department of Health and Human Services, as well as all the State Attorneys General, are increasing their compliance reviews and fines/penalties), please check out my SIMBUS site or get in touch with me; I would love to help you!


You Have My Permission to Share


I receive a lot of requests to repurpose the information contained in these Tips messages, so I wanted to drop a quick note in here to say, "Yes, I approve!" Feel free to forward this in its entirety to others. If you want to use only excerpts, then please use the following attribution so that others will know where to find me if they have additional questions about the material you pass along. NOTE: This permission for excerpts does not extend to the images in this email. One of the photos is my personal photo. For the others, we have paid for their use only within this tips message, which you can forward within this message, but cannot remove and use elsewhere. If you want to use them, contact me.


Source: Rebecca Herold, Founder, The Privacy Professor®


From my February trip to Alaska where I taught a class on geo-location privacy.


Spring is an ideal time for new beginnings. As you develop improved strategies in your personal and professional life, consider your data security and privacy health. Are you doing all you can to keep yourself, your organization, your colleagues and friends safe? 


Like this 130-ft glacier, making changes to your long-practiced habits can seem overwhelming. But keep this in mind: even small adjustments can have a huge impact.


Have a safe and healthy Spring and we'll talk next month!


The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564   

Email me

Follow me on Twitter
Check out my blog
Information Security and Privacy Solutions (and more sites coming in 2015)