HIPAA Compliance and Cybersecurity with Gavin Kent
Technology in a healthcare space can benefit both the employees and the patients, but how do you handle the security of HIPAA compliant information?
Identity fraud is a real issue, and identity theft is not a joke. Check out our Q&A with identity theft expert
1) United States
2) Germany
3) Spain
1) There is a sense of urgency – they ask you to do something immediately.
2) There is a consequence for not complying with whatever urgent task they are asking you to do.
3) They demand a specific form of payment, most often gift cards.
– Federal agencies don’t take gift cards – big red flag.
– Technology is changing so much that some people may not even know what an iTunes gift card is. Carrie has seen that some people think it’s just another type of credit card.
The Federal Trade Commission keeps statistics on complaints filed in the U.S., and it uses that information together with other sources to publish the “Consumer Sentinel Network Data Book” (the FTC isn’t the only organization doing this research, but it’s a big one). Last year they noticed an uptick in credit card fraud. The most common types of credit card fraud are:
– Credit card skimming is when criminals use a device on a card reader to capture the information stored on your card’s magnetic stripe.
– A common misconception is that the chip on newer credit cards protects you from identity theft – this is not true. The chip makes it much harder to clone a card from a skimmed stripe, but criminals can still use your identity to apply for a new credit card in your name. This is called new account fraud.
– Soon after the chip was introduced, criminals figured out how to get around it by inserting a thin device into the chip reader that captures the data the chip exchanges with the terminal. This is called credit card shimming.
*side note* These aren’t things you should lose sleep over – you are protected by law. For credit cards, federal law caps your liability for unauthorized charges at $50, and most issuers waive even that; for debit cards the cap depends on how quickly you report. So report any unauthorized transaction to your card issuer as soon as you see it, and in any case within 60 days of the statement that shows it.
– While the number of data breaches has decreased over the last couple of years, the number of records exposed in those breaches has risen sharply.
– Using services like Mint.com, a free financial management service, is very convenient for users. If it’s that convenient for you, imagine how convenient it is for criminals: one account, one password, and every financial account you own is behind it. Think about it – you’re putting all of your eggs in one basket. Risk vs. reward… is the reward worth taking the risk?
– Credit Karma is a company that gives you free details about your credit scores and report. What their website doesn’t tell you is that when you sign up for their services, you are actually giving them permission to share your information with their partners, who are credit card companies. Credit card companies buy into Credit Karma in order to obtain your information because that’s how they make their money – by giving you loans and credit cards. Credit Karma’s privacy policy also says that once you leave, they can still keep your information on file for 1-2 years.
*side note* Privacy policies and terms and conditions may be long and tedious to read, but at least scan the documents for two pieces of information: 1) What do they collect, and 2) How do they use it?
1) Equifax
2) Experian
3) TransUnion
4) Innovis
5) NCTUE (National Consumer Telecom & Utilities Exchange)
(the first 3 are called the “Big 3” and are the most common)
Remember when we went over new account fraud? Criminals don’t even have to go to the dark web anymore – a person’s name, birth date, and social security number can be purchased online for as little as $1. There are three options for a person who is dealing with new account fraud:
– Fraud alert: a notice that goes on your credit report that basically says “this person is a victim of identity theft, verify identity before opening any account”. It’s free, lasts one year and can be renewed, and you only need to contact one credit bureau – it is required to pass the alert on to the others. Carrie’s effectiveness rating is 75%, because she’s seen people with a fraud alert on their report who still had accounts opened in their name. It depends on how carefully the creditor verifies identity and on the sophistication of the “bad guy” – it’s very easy for someone to produce a driver’s license with all of your information on it but their photograph, thus bypassing a fraud alert.
– Credit freeze: you are telling the credit bureaus that they are not allowed to show your credit report to any new creditor. If the “bad guy” tries to apply for an account, that creditor will want to see your credit report. They won’t be able to pull it because of the freeze, and the account will not be opened. According to Carrie, this is the best defense. It’s free now (a federal law passed in 2018 made freezes free), but you must contact each credit bureau directly, and you temporarily lift the freeze yourself when you apply for credit. Carrie’s effectiveness rating is 90%, because nothing is 100%, unfortunately, but this is about as good as it gets.
– Credit lock: a marketing gimmick created by the credit bureaus, because if you have a freeze they can’t sell your credit report. It’s almost the same thing as a freeze, but the difference is that a freeze is mandated under federal law, whereas a credit lock is a contract with the credit bureau in which you may or may not be given the same rights as with a freeze.
*side note* Criminals can steal a child’s identity, too. In most cases it can be even more damaging, because the criminal has up to 18 years of doing whatever they want before anyone suspects or detects anything. A parent or guardian can place a freeze on a child’s credit file – Florida passed its own law allowing this, and since 2018 federal law requires the bureaus to do it for free for children under 16. As soon as a child is born, their social security number is everywhere: hospitals, pediatricians, insurers, etc. Carrie suggests freezing it as soon as you can – it can’t prevent all types of identity theft, but it will at least prevent new account fraud and other credit-related identity theft.
NIST (National Institute of Standards and Technology) has changed its password recommendations.
– The older guidance, which most organizations adopted, called for passwords of 8–12 characters mixing letters, numbers, and symbols, changed every 3 months. In practice people responded to forced rotation by picking weak, predictable passwords (or making a minimal change each cycle) because a new password every 3 months is hard to remember, which defeated the purpose.
– The current guidance (NIST SP 800-63B) drops the composition rules and the scheduled changes: length is what matters, and a password should be changed when there is evidence it has been compromised, not on a calendar. NIST’s floor is 8 characters, with sites expected to accept at least 64; Carrie’s advice is to use 12 or more. The “bad guys” run cracking software that tries candidates at billions of guesses per second, and every extra character multiplies the work, so at 12 or more characters it takes far longer to crack, raising the odds that the criminal gives up and moves to an easier target. NIST also tells sites to reject any password that appears in lists of breached or commonly used passwords.
– Not all websites follow the new guidance, but when you’re creating passwords, use as many characters as the site allows.
– Rather than a password, think of it as a “passphrase”. Here’s an example: “ilovefloridaihatesnow” (21 characters). One caveat: a grammatical sentence is weaker than its length suggests, because cracking wordlists include common phrases and each word predicts the next; several unrelated words are stronger than a sentence of the same length.
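As an added example (not from the original post), the two halves of the argument above in code: a verifier-side acceptance check in the spirit of NIST SP 800-63B (length bounds, breached-list screening, no composition or rotation rules) and a keyspace calculation showing why 12 lowercase letters beat 8 characters drawn from the full keyboard. The breached list, the guess rate, and the vocabulary size used for the passphrase estimate are constructed assumptions, not real figures.

```python
"""NIST SP 800-63B-style password acceptance check plus a back-of-envelope
cost-to-guess estimate. Added example, not from the original post."""
import math

# Constructed stand-in for a breached-password corpus. A real verifier checks the
# candidate against a large corpus such as Have I Been Pwned's Pwned Passwords.
BREACHED = {"password", "12345678", "qwerty123", "letmein",
            "correct horse battery staple"}

MIN_LEN, MAX_LEN = 8, 64   # 800-63B: at least 8; accept at least 64, spaces and Unicode included


def _has_run(pw: str, n: int = 4) -> bool:
    """Repetitive ('aaaa') or sequential ('abcd', '1234') runs of n characters."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        if len(set(window)) == 1:
            return True
        if all(window[j + 1] - window[j] == 1 for j in range(n - 1)):
            return True
    return False


def check_password(pw: str, breached: set = BREACHED) -> tuple[bool, str]:
    """Accept or reject a memorized secret the way 800-63B tells a verifier to:
    length bounds, a breached-corpus check, and no trivial patterns.
    Deliberately no composition rules (letters+digits+symbols) and no expiry."""
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    if pw.lower() in breached:
        return False, "appears in a breach corpus"
    if _has_run(pw):
        return False, "repetitive or sequential characters"
    return True, "ok"


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates an exhaustive guesser must cover."""
    return charset_size ** length


def years_to_exhaust(length: int, charset_size: int,
                     guesses_per_second: float = 1e10) -> float:
    """Wall-clock years to try every candidate. 1e10/s is a constructed figure for
    a GPU rig against a fast hash; a slow hash (bcrypt/scrypt/Argon2) on the
    defender's side cuts the rate by orders of magnitude."""
    return keyspace(length, charset_size) / guesses_per_second / (365 * 24 * 3600)


def passphrase_bits(n_words: int, vocab_size: int) -> float:
    """Entropy if each word were drawn at random from a vocabulary of vocab_size.
    A grammatical sentence such as 'ilovefloridaihatesnow' has less than this,
    since the words predict each other and common phrases sit in wordlists."""
    return n_words * math.log2(vocab_size)


if __name__ == "__main__":
    for candidate in ["short", "password", "aaaaaaaaaa", "ilovefloridaihatesnow"]:
        print(f"{candidate!r:26} -> {check_password(candidate)}")
    print("8 chars, full keyboard (95):", f"{years_to_exhaust(8, 95):.3f} years")
    print("12 chars, lowercase only  :", f"{years_to_exhaust(12, 26):.3f} years")
    print("12 chars, full keyboard   :", f"{years_to_exhaust(12, 95):.0f} years")
    print("6 words from 5,000-word vocab:", f"{passphrase_bits(6, 5000):.1f} bits")
    print("21 random lowercase letters :", f"{passphrase_bits(21, 26):.1f} bits")
```

Two things the numbers make concrete: twelve lowercase letters (26^12) give a larger keyspace than eight characters from the whole keyboard (95^8), which is the page's length-over-complexity point, and a six-word sentence from a small vocabulary carries far fewer bits than the same 21 characters chosen at random, which is why the passphrase caveat matters.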
– Paper and pencil: If you want to take the old-fashioned route and write them down, that’s still an option – just make sure the paper is locked away somewhere secure, not sitting out in the open on your desk or in an unlocked file cabinet.
– Document on your computer: Use a Word document or an Excel sheet, but make sure you encrypt the file with a password (use the option that actually encrypts the file, not one that merely restricts editing). Also, don’t name it something like “My Passwords”, because that’s the first thing a criminal will search for if they are able to get into your computer.
– Cloud storage: Before we go into this, we must understand the difference between a password and encryption. A password alone is like a lock on the door: if a robber gets past it, or climbs in through a window, everything inside is sitting there in the clear. Encryption scrambles the contents themselves, so they are useless without the decryption key – even a criminal who gets hold of the stored data sees only a scrambled mess. Encryption therefore protects you even when the password check is bypassed, which a password by itself does not. Now that we know the difference, there are two things to look for when using a password manager, whether an app or an online service:
1) Encryption at rest: your passwords are stored encrypted on the company’s servers – ideally encrypted on your own device with a key derived from your master password, so the provider itself cannot read them; and 2) Encryption in transit: the connection you use to retrieve or add passwords is encrypted (TLS, the padlock in the browser), so anyone intercepting the traffic on the network can’t read it.
*side note* A newer feature is emergency access: letting someone you trust get at your passwords if something happens to you. This is a good idea because, for example, if the person handling all of a family’s finances developed early-onset dementia and could no longer manage them, another family member could retrieve the password information and take over.
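The at-rest point above, as an added example (not code from the original post or from any product it mentions): a password list stored behind a login check versus one encrypted with a key derived from the master password. Standard-library Python only, so the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, a stand-in for the AES-GCM or ChaCha20-Poly1305 a real password manager would use; the sample entries and master password are constructed.

```python
"""Two ways to store a password list: behind a login check (plaintext on disk)
versus encrypted under a key derived from the master password.
Added example, not from the original post. Standard library only."""
import hashlib
import hmac
import json
import secrets

# Constructed sample vault contents (hypothetical credentials).
SAMPLE_ENTRIES = {"bank": "correct horse battery staple", "email": "ilovefloridaihatesnow"}


# --- Design 1: "lock and key" only. The app asks for a password before showing the
# list, but the file on disk is plain JSON. Anyone who copies the file skips the lock.
def save_weak(entries: dict, login_password: str) -> bytes:
    record = {"login_hash": hashlib.sha256(login_password.encode()).hexdigest(),
              "entries": entries}
    return json.dumps(record).encode()


def read_weak_without_login(blob: bytes) -> dict:
    # The attacker never runs the login check; the data is simply there.
    return json.loads(blob)["entries"]


# --- Design 2: encryption at rest. Without the master password the file is noise.
def _derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    # scrypt is memory-hard, which slows offline guessing of the master password.
    k = hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return k[:32], k[32:]          # separate encryption key and MAC key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for a block cipher).
    blocks = [hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def save_encrypted(entries: dict, master_password: str) -> bytes:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return json.dumps({"salt": salt.hex(), "nonce": nonce.hex(),
                       "ct": ciphertext.hex(), "tag": tag.hex()}).encode()


def open_encrypted(blob: bytes, master_password: str) -> dict:
    rec = json.loads(blob)
    salt, nonce = bytes.fromhex(rec["salt"]), bytes.fromhex(rec["nonce"])
    ciphertext, tag = bytes.fromhex(rec["ct"]), bytes.fromhex(rec["tag"])
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # wrong password or tampered file
        raise ValueError("authentication failed: wrong master password or modified vault")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def attacker_can_read(blob: bytes) -> bool:
    """Can someone holding only the file recover the entries? True for design 1 only."""
    try:
        return "bank" in read_weak_without_login(blob)
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    weak = save_weak(SAMPLE_ENTRIES, "hunter2")
    strong = save_encrypted(SAMPLE_ENTRIES, "hunter2")
    print("plaintext vault readable without login:", attacker_can_read(weak))
    print("encrypted vault readable without key:  ", attacker_can_read(strong))
    print("correct master password:", open_encrypted(strong, "hunter2"))
    try:
        open_encrypted(strong, "wrong")
    except ValueError as e:
        print("wrong master password:", e)
```

The login hash in design 1 is not the weakness being shown; the weakness is that the secrets never depend on it. In design 2 the file is only as strong as the master password, which is why the key derivation is deliberately slow and why the in-transit half (TLS between you and the service) still matters: the master password must never travel in the clear.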
– Never believe your caller ID. It’s extremely easy for criminals to Google “caller ID spoofing” and find tons of websites that will do it.
– Criminals use caller ID spoofing for tactics like “family member in trouble” or “family member has been kidnapped”. For example, a mother gets a call that appears to come from her child’s cell phone number, with someone claiming the child has been kidnapped, when nothing of the sort has happened.
– When victims try to call these numbers back, most of the time they reach an innocent bystander who has no idea what’s going on – their phone number just happened to be the one displayed.
– All a criminal has to do to steal your mail is walk into a post office and submit a change-of-address (mail forwarding) request in your name – and boom, your mail goes to them.
– It’s easy for them to do, yet difficult for you to detect. On average it takes people about 2 months to notice their mail is missing. When several people live at the same address, everyone else in the home still receives mail, so the gap isn’t as noticeable.
– Carrie has seen this increase every year since Hurricane Irma.
*Carrie’s tip* Go to usps.com and set up an online account. In your account you can turn on “Informed Delivery”, which emails you scanned images of the mail on its way to you. You will also see if a mail forwarding or change of address has been initiated for your address that you didn’t request.
Sign up for USPS Informed Delivery here: https://informeddelivery.usps.com/box/pages/intro/start.action