HHS provides Healthcare Providers Risk Assessment Tools

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization.

A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Watch the Security Risk Analysis video to learn more about the assessment process and how it benefits your organization, or visit the Office for Civil Rights’ official guidance.

HHS (Health and Human Services) is now providing health care providers in small to medium sized offices a new security risk assessment tool that will guide them in conducting risk assessments of their organizations.

The security risk assessment (SRA) tool comes from a combined effort between the Office for Civil Rights and the HHS Office of the National Coordinator for Health Information Technology.

With the guidance of the tool, organizations will be able to carry out and document risk assessments effectively; practices will be able to assess their information security risks under the HIPAA Security Rule. The tool can be downloaded from www.HealthIT.gov/security-risk-assessment.

HIPAA requires such organizations to routinely evaluate their physical, technical and administrative safeguards to preserve information security.

Conducting the risk assessments will enable health care providers to uncover gaps in their systems and security policies and to address those weaknesses, all of which helps stave off health data breaches and other security mishaps.

The HIPAA Security Rule requires that health care providers seeking payment through the Medicaid and Medicare EHR Incentive Program conduct a security risk assessment.

A user guide and tutorial video are available on the SRA tool’s website.

Additionally, the site provides videos on risk analysis.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.

Security is about Layers and Attitude

Installing a home security system and keeping doors and windows locked is not the end of your crime prevention regimen; it’s only the beginning. And the beginning is YOU.

You are your greatest weapon against crime, wherever you are located at any given moment. Unfortunately, that “mama bear” or “papa bear” mentality has been driven out of many people by modern-day living and an influx of etiquette books and manners training.

Of course, modern-day living allows us to behave civilly so that we don’t punch out the next person who disagrees with our political views. By the same token, we’ve been conditioned to be softies when it comes to truly threatening situations. Or, we’ve become desensitized to possible threats.

An example of this civilized conditioning is mothers teaching their children, “Respect authority.” But what should a child do when an authoritative adult tells the child his mother is sick, so he must get in the van to go see her? It’s this conflict between civility and survival that predators prey upon.

We need to take more responsibility where uncivilized people are concerned; predators are all around us. We need to aim for maximal security, while realizing that no person, location or setting can ever be 100 percent secure.

Security must be layered.

Security that’s built in layers goes a long way toward slashing your level of risk, and a long way toward making a criminal’s intentions all the more difficult to carry out. Let’s get as close to that 100 percent as possible with some careful planning.

A classic example of layered security is that of a large bank:

  • Large windows, which make would-be robbers realize they’ll be more easily seen by people walking by.
  • Doors with locks
  • An alarm system which includes motion detectors and glass-break alerts
  • Bullet proof glass
  • Video surveillance
  • Armed guards
  • GPS and dye packs to locate stolen cash
  • A safe

So how can you parallel this kind of layered security for your house? You can start with a home security system that comes with all the bells and whistles, such as motion detection, motion sensitive outdoor lights, cameras, door/window sensors, remote access via smartphone or PC, a blaring siren and home automation components like the Lynx Touch 5100 by Honeywell. And that’s just one component of additional layers of home security.

Make sure windows have special coverings on the glass to make it impenetrable, and that window wells are covered with locked lids that can’t be lifted off.

Do your homework on how to secure your main door as solidly as possible with the best lock systems and door reinforcement technologies.

Now, what about your body? Take up martial arts. If possible, install a striking bag in your home and work out on it. Enroll your kids in martial arts, particularly a school where kids are taught to fight from a ground position. Make no excuses; do what you can to come up with the money and get going. A trained 120-pound woman can disable an untrained, much bigger and stronger man.

Train with weights to make your body stronger and tougher. A strong body not only is more likely to win a fight, but is also more likely to walk away from a crisis situation with minimal injury.

Plus, the stronger your body is, the more likely you’ll be able to assist someone else in an emergency situation. Nothing creates a sense of security like knowing you can pick up and carry heavy objects. And once you know how to save your own life or the life of another, every other decision in life is relatively simple. Understanding self defense and home security gives a person an enormous amount of perspective.

The “Heartbleed” Bug has not been exterminated

Though the breaking news of the Heartbleed vulnerability is a month old, this doesn’t mean that this “bug” has been squashed.

There still remain about 318,000 servers that are vulnerable to this OpenSSL bug, according to security researchers, though this figure is about half of what it was a month ago.

The Errata Security blog reported that it arrived at the 318,000 figure via a recent global Internet scan, which also revealed that more than 1.5 million servers still support the TLS “heartbeat” extension in which the bug lives.

And there may actually be a lot more servers “bugged” because the count applies only to verified cases. Nevertheless, why are there over 318,000 still affected a month after aggressive Heartbleed mitigation went into effect?

Fraudsters can use this bug to attack those 318,000 systems. This flaw in the OpenSSL encryption library leaves private data like credit card numbers and passwords open for the taking.

Though many of the giant services fixed this problem within a prompt timeline, the smaller services are still struggling with it, and hackers know this. A crook can identify the compromised server and then exploit the bug and steal the private data that’s in the server’s memory or take control of an online session.

So how can you protect your private information?

  • Go to http://tif.mcafee.com/heartbleedtest, which is McAfee’s Heartbleed Checker tool. Enter the URL of a website to see if it’s vulnerable.
  • If no vulnerability is detected, change your password for that site. After all, if a site has already been bugged, changing your password at that point is useless.
  • If vulnerability has been detected, then keep an eye on your account activity for signs of unauthorized activity.
  • After a site has been patched up, then change your password.
  • And this time (if you didn’t already), create a strong, long password. This means use a mix of characters (letters, numbers, symbols) and use more than eight of them. And don’t include a word that can be found in the dictionary unless your password is super long, such as “I eat Martians for breakfast.” (The spaces count.) This would be a nearly uncrackable password due to its length and nonsensicality. But so would the more difficult to remember Y48#dpkup3.
  • Consider a password manager for creating strong passwords and remembering them, such as McAfee SafeKey.
  • For better security use two-factor authentication. This involves a one-time code for each time someone tries to log into an account.
  • As ongoing protection consider a credit freeze and identity theft protection to prevent new account fraud.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

10 Ways to Help Protect Yourself from Identity Theft

No one wants to be a victim of identity theft (at least not that I’m aware of). But even though we may say this, our actions don’t always indicate this—and actions speak louder than words.

Some of this information may seem basic or like common sense, but these are still tactics that identity thieves utilize because THEY WORK! So here are some tips to make sure you’re protecting your identity:

  1. Be careful when sharing personal information – Make sure you question who is asking for this information and why. Just because a site asks or even your doctor’s office form asks, doesn’t mean it’s absolutely necessary. Also make sure you understand how they are protecting your personal data.
  2. Don’t open attachments or click on links from people you don’t know – Whether this be via email, text message or social networking sites, exercise caution as these could be phishing messages designed to steal your personal information.
  3. Protect your home Wi-Fi connection – Not changing the default settings on your wireless router can lead not only to someone using your connection for free, but also to them accessing all the files on the devices that are connected to it. Using default settings is never a good idea for anything, but it can have bigger implications with your Wi-Fi connection. Here are tips on how to protect your Wi-Fi.
  4. Don’t shop or bank online from public computers – You don’t know if there is any security protection on these computers and if the Internet connection is secure. It’s just best not to do this.
  5. Don’t fall for 419 email scams – These are emails asking you help to get access to a big sum of money and in exchange you’ll get a portion of the money. Now come on…if a stranger asked you this in real life, would you believe them? Probably not…I mean…how many us really need to help a Nigerian prince? (Note: 419 refers to the article of the Nigerian Criminal Code dealing with fraud)
  6. Don’t accept all friend requests on social media – Remember that “friend” may not really be your friend. Only connect with people you know in the real world. And even then you should be careful when clicking on the links they post. I’d recommend you use a product like McAfee® SiteAdvisor® that provides easy, red, yellow and green site rating icons in your search results and in your Facebook, LinkedIn and Google+ feeds (for PC or Mac). It will also put up a warning screen if you click on a site we know to be dangerous (for PC, Mac or mobile)
  7. Carry as little as possible with you – This includes credit cards, debit cards, your Social Security number or identification card and scraps of paper with your PINs and passwords. Your wallet or purse can be a treasure trove to thieves, so make sure to carry only what is absolutely necessary.
  8. Lock your mailbox – This may seem extreme, but many thieves raid mailboxes for credit card applications, fill them out and change the address, then don’t pay the bill, and the debt collector comes looking for you! So ask the companies to stop sending you this mail and make sure your mailbox is locked.
  9. Be careful what you put in your trash – Some thieves raid trash cans, especially if you have a locked mailbox. So that pre-approved credit card application that you relegated to the trash before it even entered your house is a gold mine for thieves. So make sure you employ the use of a cross-cut paper shredder before you throw these types of things away.
  10. And of course, make sure you have protection on all your devices – Comprehensive security on all your devices (not just your PCs) is a must these days. I use McAfee LiveSafe™ service, which protects all my PCs, Macs, smartphones and tablets. And it comes with McAfee SiteAdvisor that I mentioned above!

So remember, we all have to help ourselves by being proactive to protect our identities, both online and offline.

Stay safe!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Change Your Password. World Password Day

We also say we want to be safe online. Yet sometimes our actions betray our words, especially if we’re using simple, short passwords for our online sites. Passwords with fewer than eight characters are the easiest to crack, especially if they include a proper noun or a word that’s in a dictionary. Hackers especially love passwords of all one character. Lose the “ilovedogs” password, please.

Take a look at your passwords. Are they simple and include an actual word, or are they long and unique? It’s World Password Day. Take the pledge and change your passwords.

And don’t balk about changing your passwords; you must change them to be safe online. Your password is your first line of defense—not only for your online accounts, but also on your devices. Be like Nike and “Just Do It!” Think about this if you’re reluctant to change them:

  • Research shows that 90% of passwords are vulnerable to hacking
  • The most common password is “123456” and the second most common password is “password”
  • 1 in 5 Internet users have had their email or social networking account compromised or taken over without their permission

Now, believe it or not, a password of eight characters, even with various symbols and no dictionary words, can be cracked. However, a password the length of “Earthquake in the Sahara” would take over a million years to unearth. Ladies and gents, size does matter when it comes to passwords.

Ditch your old passwords

They may already be on the black market, and if not, it’s inevitable. Especially in this post Heartbleed time, we need to make sure we all change our passwords.

Think pass-sentence, not password

Just four words (with spaces) will make a killer password. Toss in punctuation. Create a sentence that makes no sense, like “Sharks swimming in the shower,” and then add some spaces, numbers and special characters so it’s “Sh@rks swimming >n The Sh0wer!” That’s a 30-character password, technically known as a passphrase, and it beats out #8xq3@2P. And which is easier to remember?

And don’t use something that a person who knows you might be able to guess: If you own five black cats, don’t make a passphrase of “I love black cats.”
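Both this section and the password tips in the Heartbleed piece above rest on one claim: length beats character mix, and anything on a common-password list is already lost. The Python script below is an added example written for this page (it is not Robert Siciliano’s or McAfee’s code) that scores the exact passwords named on the page by brute-force search space and estimated cracking time. The guess rate of ten billion per second, the three-entry common-password list and the 50/80-bit verdict thresholds are assumptions chosen for illustration.

```python
import math
import string

# Constructed list of weak passwords named on this page; a real checker would
# use a breach-derived list with millions of entries.
COMMON_PASSWORDS = {"123456", "password", "ilovedogs"}

# Assumed attacker speed: 1e10 guesses/second (roughly a GPU rig against a fast,
# unsalted hash; a slow hash such as bcrypt would be orders of magnitude lower).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 86400


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from.

    A brute-force attacker with no other knowledge has to try every string
    over these classes, so this is the base of the search space.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if " " in password:
        size += 1  # the page's point: spaces count as characters
    return size


def bruteforce_bits(password: str) -> float:
    """log2 of the brute-force search space, charset ** length."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_crack(password: str) -> float:
    """Expected years to hit the password after searching half the space."""
    guesses = charset_size(password) ** len(password) / 2
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def assess(password: str) -> dict:
    """Classify a password the way the page argues: listed words are weak no
    matter what, short strings are weak, long passphrases are strong."""
    if password.lower() in COMMON_PASSWORDS:
        verdict = "weak"  # already on attackers' lists; length is irrelevant
    else:
        bits = bruteforce_bits(password)
        # Assumed thresholds: under 50 bits weak, under 80 bits ok, else strong.
        verdict = "weak" if bits < 50 else "ok" if bits < 80 else "strong"
    return {
        "length": len(password),
        "bits": round(bruteforce_bits(password), 1),
        "years": years_to_crack(password),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ["123456", "ilovedogs", "#8xq3@2P", "Y48#dpkup3",
               "Earthquake in the Sahara", "I eat Martians for breakfast.",
               "Sh@rks swimming >n The Sh0wer!"]:
        r = assess(pw)
        print(f"{pw!r:34} len={r['length']:2} bits={r['bits']:6} "
              f"years={r['years']:.3g} {r['verdict']}")
```

Running the script shows the ordering the page describes: the eight-character symbol soup #8xq3@2P falls in the days-to-crack range at the assumed guess rate, while the plain-English sentences reach well over a million years purely through length. Changing the guess rate or the hash cost moves every number but never the ordering; only the common-password check, which ignores length entirely, can overrule it.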

Here’s a fun way to make a passphrase.

Make the change

Now that you have a passphrase that will take millions of years to crack, it’s time to make use of it. Sift through all of your accounts and change your passwords, using a different passphrase for each account, and not similar, either, for optimal uncrackability.

Once all of your new passwords (passphrases) are in place, you’ll have peace of mind, knowing that it would take millions of years for these passwords to be cracked.

Remember, there’s no better time than World Password Day to change your password!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

7 Ways we leak our Private Data

Smartphone apps. Some apps want your location when they do not need it. Are any of your apps requesting your location? Deny them this information unless it’s absolutely necessary.

Another way your phone gives away where you are is through the data embedded in a photo. Put up lots of photos on Facebook, and the metadata will contain your location. A stranger can then figure out where you’ve parked yourself.

Solve this problem with these apps for iOS and Android: deGeo and Pixelgarde, respectively. They strip the GPS data from your photos before the photos get posted.
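To make the leak concrete, here is an added Python example written for this page (it is not code from deGeo, Pixelgarde or the author) that walks a JPEG’s marker segments, decodes the GPS sub-IFD inside the Exif APP1 segment to report a latitude and longitude, and strips the Exif segment before the photo is shared. The JPEG it runs on is a constructed minimal file containing a GPS sub-IFD, not a real photo, and the parser decodes only the four GPS tags needed for a location fix.

```python
import struct

GPS_IFD_POINTER = 0x8825          # IFD0 tag that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each JPEG marker segment up to and
    including the SOS header; everything after SOS is entropy-coded scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                                   # EOI: nothing more to read
            return
        length, = struct.unpack_from(">H", jpeg, pos + 2)   # counts its own 2 bytes
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:                                   # SOS: stop walking
            return
        pos += 2 + length


def _exif_tiff(jpeg: bytes):
    """Return the TIFF blob carried by the first APP1 Exif segment, or None."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
            return jpeg[start + 10:end]
    return None


def _read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Parse one TIFF IFD into {tag: raw value bytes}; e is '<' or '>' byte order."""
    count, = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, base)
        size = TYPE_SIZES.get(typ, 1) * n
        pos = base + 8                                       # inline if it fits in 4 bytes
        if size > 4:
            pos, = struct.unpack_from(e + "I", tiff, pos)   # otherwise an offset
        entries[tag] = tiff[pos:pos + size]
    return entries


def _dms_to_degrees(raw: bytes, e: str) -> float:
    """Three RATIONALs (degrees, minutes, seconds) to decimal degrees."""
    n = struct.unpack(e + "IIIIII", raw)
    if 0 in n[1::2]:
        raise ValueError("zero denominator in GPS rational")
    deg, mn, sec = (n[i] / n[i + 1] for i in (0, 2, 4))
    return deg + mn / 60 + sec / 3600


def find_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees if Exif carries a full GPS fix, else None."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"
    ifd0_offset, = struct.unpack_from(e + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, ifd0_offset, e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack_from(e + "I", ifd0[GPS_IFD_POINTER])[0], e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_degrees(gps[GPS_LAT], e) * (-1 if gps[GPS_LAT_REF].startswith(b"S") else 1)
    lon = _dms_to_degrees(gps[GPS_LON], e) * (-1 if gps[GPS_LON_REF].startswith(b"W") else 1)
    return lat, lon


def strip_exif(jpeg: bytes) -> bytes:
    """Drop every APP1 Exif segment; copy other segments and the scan data untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(jpeg):
        if marker == 0xDA:
            out += jpeg[start:]                              # SOS, scan data and EOI
            break
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
            continue                                         # the segment that leaks location
        out += jpeg[start:end]
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG (not a real photo): SOI, an Exif APP1 segment whose
    GPS sub-IFD says 42 deg 30' 0" N, 71 deg 15' 0" W, a tiny SOS segment, EOI."""
    e = "<"                                                  # little-endian TIFF ("II")
    def entry(tag, typ, n, value):                           # one 12-byte IFD entry
        v = value if isinstance(value, bytes) else struct.pack(e + "I", value)
        return struct.pack(e + "HHI", tag, typ, n) + v.ljust(4, b"\x00")
    def rational3(d, m, s):                                  # 24 bytes of deg/min/sec
        return struct.pack(e + "IIIIII", d, 1, m, 1, s, 1)
    ifd0 = struct.pack(e + "H", 1) + entry(GPS_IFD_POINTER, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = (struct.pack(e + "H", 4)
           + entry(GPS_LAT_REF, 2, 2, b"N\x00") + entry(GPS_LAT, 5, 3, 80)
           + entry(GPS_LON_REF, 2, 2, b"W\x00") + entry(GPS_LON, 5, 3, 104)
           + struct.pack(e + "I", 0))
    tiff = b"II*\x00" + struct.pack(e + "I", 8) + ifd0 + gps  # IFD0 at 8, GPS IFD at 26
    tiff += rational3(42, 30, 0) + rational3(71, 15, 0)      # rationals at 80 and 104
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return b"\xff\xd8" + app1 + sos + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", find_gps(photo), "after:", find_gps(strip_exif(photo)))
```

The stripper removes the whole Exif segment rather than editing the GPS tags in place, because TIFF entries refer to each other by byte offset and a partial edit is easy to get wrong; a camera’s other metadata (model, timestamp) goes with it, which for a photo headed to a social network is usually what you want anyway. Pixel data is never touched, so the output still decodes as the same image.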

Too close for comfort. When services are linked together, your private information is more likely to get leaked. An example would be hooking an app into Facebook. If you link an account that’s set to private with a second, public account, anyone might see your activities. Unknowingly granting unwanted access to an app can result in data leakage. To make figuring out all the different privacy rules easier, you can use MyPermissions. Don’t be lax on privacy issues.

Always being connected. Always staying connected to social networks means they can track your activities via cookies. If you don’t need to be connected online, then disconnect your device from the cyber world. However, it’s easy to forget to keep doing this.

A browser extension can solve this problem by preventing entities from tracking where you visit online. You should also make a habit of deleting cookies from your browser.

And if you want to know how your phone “knows” your shopping habits, it’s because your Wi-Fi is enabled when you walk into stores or even past a retailer without ever stepping inside; stores implement wireless technology to collect your data, even track your walking pattern inside the store. Turn your Wi-Fi connection off when being near retailers.

A retailer’s free service. Sign up for this and they’ll probably collect data from you, somehow, some way. The customer reward card that you get at the supermarket will likely collect lots of your private information.

Not encrypting. Encryption, by scrambling messages, prevents snoops from reading the messages you’re sending while they’re in transit, but the messages can still be found on your device. However, encryption is one way to reduce the amount of data that gets in unwanted hands. Encryption isn’t just for using a public computer; use it on your home computer and mobile too.

Using free WiFi. Every time you log into free WiFi, you are either giving your data away through the carrier that logs your device, or criminal hackers are sniffing out your information over the unencrypted wireless link. Never log into free WiFi without a virtual private network (VPN) like the one offered by Hotspot Shield.

Using a public computer to log into a private service. When you access one of your accounts on a computer at a coffee shop or hotel, this can leave your data on that computer. The browser’s private mode is the solution: use it. If you’re particularly concerned, use Tails, a private operating system.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Malware at all time High

Malware is everywhere and isn’t about to disappear. The latest PandaLabs report says that of all the malware that has ever existed, 20 percent was created and distributed by cyber crooks last year alone. Malware comes in the form of Trojans, worms, viruses, adware/spyware and miscellaneous, with Trojans leading the pack.

Ransomware seems to be gunning for the top spot, though, with a recent resurgence.

What about 2014? The 2013 Annual Security Report anticipates that the Internet of Things and Android devices will dominate the headlines (Android continues to be a favorite target of cyber criminals).

PandaLabs foresees that Android will get socked by hundreds of thousands of new malware strains. In 2013, criminals unleashed over two million new malware threats for Android.

Another area of attack is social media, and in 2013, even large companies, movie stars and politicians were affected.

The Trojan is a true warrior, in that it’s responsible for three-quarters of attacks, says PandaLabs. There was a huge leap in the number of circulating viruses as well, which is attributed to basically two virus families, Xpiro and Sality, says Luis Corrons, the technical director for PandaLabs.

Sality has been around for quite some time, but Xpiro is the new virus on the block, and can infiltrate “executable files on 32-bit and 64-bit systems,” says Corrons.

We’re in the midst of the malware plague; never mind the Bubonic plague. The whole planet is under attack, but some countries more so than others. China is the most infected, along with Turkey and Ecuador: 54.03, 42.15 and 40.35 percent of compromised personal computers, respectively.

Of the 10 least harmed countries, nine are in Europe; the other is Japan. For Sweden, Norway and Finland, the percentage of infected personal computers is 20.28 percent, 21.13 percent and 21.22 percent, respectively.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.

10 simple Ways Identity Thieves steal your Credit Card

There are 10 basic ways a crook can easily steal your identity by getting at your credit card or opening a new credit card in your name, but there are also ways you can prevent this from occurring.

Simple Thievery

Leave a window open and a thief can slide through, then steal your stuff. He can even slide an arm through your car’s open window while you’re filling the tank at a gas station. To prevent this, keep house windows closed as much as sensibly possible; keep important documents locked up; keep car windows rolled up and doors locked when you’re out; and keep your wallet/purse hidden.

Employee Records

Your employer has your private information and in some cases a credit card number, which an identity thief could get access to. To prevent this crime, ask your employer how your personal information is stored. Be on the lookout for things you’d never expect.

Change of Address

An identity thief may file a change of address form in your name. He’ll get all your credit card related mail or your Social Security number. To prevent this, watch for change-of-address notices in your mailbox. If you stop receiving credit card statements, call the company.

Social Media

Your online profile may have all the information a thief needs to steal your identity. Prevent this by deleting personal information. Give answers to the security questions of financial accounts that don’t appear on your social media pages.

Mailbox Theft

A crook can easily abscond with mail (incoming and outgoing) relating to your credit cards and bank account. To prevent this, get a locking mailbox and don’t delay retrieving new mail. When mailing letters, use an official Post Office mailbox or go to the post office.

Dumpster Digging

If you see someone foraging through the trash, they’re not necessarily looking for food or cans or metal. They can be searching for paper: a credit card statement, credit card offer or anything with your important numbers on it. To prevent, use a shredder, and go to electronic statements when possible.

Shoulder Snooping

The thief will peer over your shoulder to see your transaction (credit card number, password, whatever data is there). To prevent, cover your card number at a cash register and mask your PIN as you enter it in a keypad or ATM. When using your laptop for ecommerce, sit against a wall. If this isn’t possible, keep the screen at an angle that only you can view or get a 3M Privacy Filter. Google it.

Phony Call

The thief calls you, claiming to be a rep from your credit card company, asking you to confirm personal information. The thief then contacts your credit card company and poses as you…Please just HANG UP!! Call back the credit card company using the number on the back of your card to confirm any potential issues. Never give personal information over the phone if that person has called you.

Pickpocketing

These snakes slither in and out of crowds, often without being noticed, non-violent but very efficient. Prevent being their target by keeping your wallet hidden and not easily accessed.

Cloned Cards

Once all the damage is done and your card number is stolen, criminals can create exact duplicates of your card using foils and laminators burnt onto blank cards that can be purchased online.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

15 Tips to Prepare for Big and Small Security Threats

Businesses that focus on the big security breach may very well be missing the smaller threats that can do serious damage.

A human can easily kill a gnat. So how is it that just one gnat can drive you crazy, even though you can kill it in an instant? You are bigger and mightier … yet one gnat can get the best of you. That’s because you’re too big for the gnat, as it buzzes around your eyes, nose and in your hair.

This is just like when businesses implement giant measures to enhance security and protect themselves against big threats like hacking, or natural disasters like a tornado. The business feels mighty with its extensive video surveillance, steel bolt doors and armed security guards. Yet, it’s unable to foresee or handle the small stuff that can have dire consequences.

Some businesses make the mistake of focusing on only a handful of tactics and, as a result, other threats slip in undetected, or if detected, they’re not detected early enough to be mitigated. Instead, all the business leaders can do is swat haphazardly, hoping to get a hit.

When businesses zoom in on only a few specific tactics, this results in a rigid plan that can’t adapt, and is useful only if the anticipated threat is precisely how it was envisioned in the first place. Concentrating on just a few selected risks means not seeing the bigger picture—missing greater risks that can come along.

Of course, you can’t possibly anticipate every possible threat. But preparing for just a few isn’t smart, either. What’s a business leader to do? Follow this list to prepare smarter.

Emergency Plan of Action

  1. Make sure all security and continuity plans are adaptable.
  2. Consider the human component, and work it into the plan. Can IT’s brilliant plan be sustained by a person? Are facilities manned by one person or a team?
  3. Cover all basics and implement regular updates.
  4. Don’t get sucker punched. Consider a variety of threats (from cyber sources to natural sources), not just a few, and the various ways your organization can respond and resolve.
  5. Be aware. Figure out backup locations for your business to function should you be forced to displace.
  6. Prepare staff. Designate a core team and keep their contact information handy so anyone can reach them anywhere.
  7. Communicate. Design an emergency communications protocol for employees, vendors and customers, etc., for the days post-disaster. Confirm emergency response plans with your vendors and suppliers, and prepare to use alternate vendors.
  8. Keep your data backup tools in excellent condition.
  9. Keep your inventory of assets up to date.
  10. Safely and efficiently store documents. Duplicates of all crucial documents should be kept off-site.
  11. Routinely make data backups, ideally both locally and with a cloud service.
  12. Determine succession of management in case key players can no longer function.
  13. Know the signs of a dying computer. A blue screen can mean a hardware problem or driver conflict. If things are taking way too long, there may be too much software … or a failing hard drive. Strange noises during startup, for instance, can also mean a hardware failure. Consider it your warning.
  14. Set up your backups. You can set up backup protocols with a program like Belarc Advisor, which is free and lets you know what to install and when it’s time to replace a computer.
  15. You may want to consider replacing your computer every two or three years to avoid being stiffed by a computer that’s suddenly gone stiff. Nothing’s more alarming than suddenly losing all your data, and there’s no backup computer that you can just turn on and pick up where you left off.

Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video.

Healthcare Data under Attack

Crooks want your health information. Why?

It’s called medical identity theft, and it’s not going away anytime soon. In fact, the ACA (Affordable Care Act) has only fueled the situation, says the Ponemon Institute, a security research firm.

The latest of Ponemon’s four annual Patient Privacy and Data Security studies reveals that sloppy behavior, like losing a laptop that holds unencrypted data, is a primary cause of data breaches.

A crook would love this information because, “in the world of black market information, a medical record is considered more valuable than everything else,” says Larry Ponemon, the Institute’s founder.

The study was sponsored by ID Experts, and its founder, Rick Kam, says that the “black market is being flooded with payment card data.” Health care data includes a Social Security number and personal health record—data that sticks around for a long time, versus a credit card number.

Breaches can also result from unsecured mobile devices, employee negligence and third-party contractors who can get their hands on the data.

But by and large, says Ponemon, health care employees are good people who sometimes just “do stupid things.” And the rushed nature of their jobs can compromise attention to security.

One hospital visit can net six to 10 companies having access to your data, says Kam. This includes the ambulance company, hospital, extraneous labs and the health insurance company.

If someone snatches your medical records, you’ll be in a major jam. For instance, the thief who claims to be you can get medical treatment for an STD—and that will go on your record. Worse, the thief may have a different blood type. What if you’re in an accident and need blood transfusions, and you end up getting the wrong blood type?

The proliferation of mobile devices makes it even easier for criminals to steal data.

The study showed that 88 percent of medical facilities permit employees to access patient data via their own mobiles (and what percentage of these employees do you really believe have encryption and other security measures in place?).

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.