Small Healthcare Organizations and SMBs Pose Largest Risk of Data Breach

Like a wildfire, data breaches have become the topic of discussion, and the future of these attacks is changing just as rapidly. Out of the countless studies released by experts, including The Ponemon Institute, Verizon and the United States Secret Service, we can see that many data breaches are due to loss and theft. Small healthcare organizations and small to medium sized businesses have the biggest risk, but the threat is not hackers. Instead, it is the professionals who are trusted with confidential data on devices without proper training or repercussions.

Why are Small Healthcare Organizations at Risk?

Of the total reported healthcare data breaches on HHS.gov, 67% were caused by theft and loss, resulting in 78% of stolen individual records. Physicians need access to confidential patient data many times throughout their day, so they are already at risk of data loss or theft. However, many small healthcare organizations are reluctant to join the cloud due to security concerns. Even more daunting is the fact that theft and loss account for 92% of computer related data breaches, resulting in 97% of stolen records. By utilizing an in-house network and allowing protected health information to be stored on mobile devices, a smaller practice is actually putting its patients’ confidential data at risk.

Why are Small to Medium Sized Businesses at Risk?

Many small businesses lack the desire to be secure and state there is not enough money in their budget. However, Ponemon recently surveyed IT professionals who work for companies with fewer than 100 employees and found that 78% believe data breaches are caused by employee negligence. How much does it cost to educate employees about weak passwords and data handling procedures? The highest percentage of breaches occurred from the loss of mobile devices and laptops. This form of negligence accounts for a third of the problems small businesses have with data breaches. Yet SMBs are still reluctant to move their private data to a cloud computing system.

Verizon stated in its 2011 Data Breach Report that the cloud is not the problem when it comes to security. Healthcare has recently been moving toward the cloud to secure its confidential data, but this is most likely due to government regulations like the HIPAA Security Rule. Small businesses are facing other concerns with the cloud, though. Instead of worrying about security from hackers, they are seeing the potential for these cloud computing services to steal their confidential information.

So what is a cost effective alternative that offers efficient security for data and can be created in-house? Utilizing a central database for information not only limits data loss through employee negligence with data and passwords, but also offers better accountability for businesses and healthcare facilities. By removing data from mobile devices such as smartphones, tablets and laptops, companies remove responsibility from employees. Also, securing one single server is much easier than having to educate employees about the security of their devices.

Through out-of-band two-factor authentication, a company can limit access to authorized individuals only. Also, by utilizing a one-time password sent through SMS text message, this out-of-band authentication method can provide notifications when access is requested. This is an added layer of protection that also provides small businesses and healthcare facilities with a cost effective solution. The future of data breaches ultimately lies with the companies who store personal customer data; however, a simple and easy to implement solution is awaiting them.

The Malware Threat Landscape Creates an Increasing Need for Strong Authentication

If a polymorphic financial malware variant does not make sense to you, then it is doing its job. With the malware threat landscape growing rapidly through new malicious applications, it is very difficult for the majority of computer users to keep up with the terminology. It is estimated by The Aite Group that 25 million new types of malware were distributed in 2011, and the number could possibly rise to 87 million released per year by 2015. So what is a polymorphic financial malware variant? Why is it increasing the need for better online banking security and ultimately the overall need for strong authentication?

Polymorphic just means the malware is ever changing, constantly growing into a more malicious and nefarious program to steal information. Some variants are targeted to hijack browser sessions, and in extremely targeted attacks they are solely financially based. The real threat behind these new forms of software used to trick internet banking users is that they are incredibly hard to detect and get rid of.

Shylock is the name of a sophisticated new piece of malware which hijacks financial live chat sessions to impersonate a member of the bank and steal confidential data which can be used for greater attacks. This is considered a browser based man-in-the-middle attack, and it is very deceptive and effective.

It is the new form of phishing, since traditional phishing attacks required a user to be lured into visiting the false site. These phishing sites are now quick to be taken down and often blacklisted before too much damage can be done, so hackers needed a new trap. Now, instead of luring the victim to a hacked website, the malware lies dormant, hiding until the user accesses a secured banking application. By sitting between the user and the bank, this man-in-the-middle attack allows the thief to ask personal questions to steal confidential data. This is a combination of social engineering and hacking.

Malware is becoming so sophisticated that the programs can now avoid antivirus scans. Shylock actually utilizes 3 ways of staying active on an infected machine while also being undetectable. Instead of running as its own process, the software latches onto every other application on the victim’s machine, effectively hiding in memory. Even with up-to-date antivirus, detection is still not a solution, because the program will actually detect when a scan has started. By removing all files on the computer related to the malware it avoids detection; however, the application remains hidden in memory, still active. Now that the program is hidden from antivirus software, it is still hidden deep in the victim’s computer and has actually taken over the Windows shutdown process. During shutdown of the computer, all files are recreated for the next time the user starts up their device.

If a victim’s computer can be hijacked without them knowing, and the malicious software running undetected can be reinstated at startup, then how secure could any security process be? Strong authentication which utilizes an out-of-band authentication method can protect against these types of man-in-the-middle attacks by separating a piece of the login process from the malware. Through a time based one-time password, banks can securely identify a user by transmitting the OTP to the customer’s mobile phone. Not only does this remove a piece of the login credential from the malware’s reach, but it provides the customer with an alert when access is requested.
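The time based one-time password flow described above, as an added example that is not code from the original post or from any vendor: the server derives an RFC 6238 TOTP from the customer's enrolled secret, delivers it over a second channel (the `send_sms` callable is a constructed stand-in for an SMS gateway), and accepts each code at most once within a small clock-drift window, so a code captured by browser malware cannot be replayed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


class OutOfBandLogin:
    """Server side of the second login step (constructed example, not a real gateway).

    After the password check passes, the bank derives a TOTP from the customer's enrolled
    secret and pushes it over a second channel (send_sms). Malware in the browser never sees
    the secret, and the text itself doubles as an alert that access was requested.
    """

    def __init__(self, secret: bytes, send_sms, step: int = 30, drift_steps: int = 1):
        self.secret = secret
        self.send_sms = send_sms        # callable(phone_number, message); stand-in for an SMS gateway
        self.step = step
        self.drift_steps = drift_steps  # tolerate +/- one interval of clock skew
        self.redeemed = set()           # counters already accepted; a captured code cannot be replayed

    def challenge(self, phone_number: str, unix_time: int) -> None:
        code = totp(self.secret, unix_time, self.step)
        self.send_sms(phone_number, f"Your one-time login code is {code}. "
                                    "If you did not request access, contact the bank.")

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            if counter in self.redeemed:
                continue
            # constant-time comparison so response timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, counter).encode(), submitted.encode()):
                self.redeemed.add(counter)  # single use: the same code is refused afterwards
                return True
        return False
```

The secret `12345678901234567890` from the RFC test vectors reproduces the published values (counter 0 gives 755224, time 59 gives 287082), which is a quick way to confirm an implementation before enrolling real users.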

It has been said by Kaspersky Labs that 780 new malware applications are created every day to siphon confidential financial data. This means man-in-the-middle attacks such as this will become more common as the malware threat landscape becomes more aggressive. Without effective, efficient and customer friendly security, adoption of another process may not be easy. Strong authentication which utilizes an out-of-band one-time password not only provides a low cost solution but also creates a notification platform for online banking access.

5 Ways Strong Passwords Still Fail to Prevent Unauthorized Access

Although online safety through the use of strong passwords sounds like a viable safety measure for most sites and logins, strong passwords are still susceptible to hackers, malware, and phishing attacks. As more and more data breaches are reported, such as the recent incident of VeriSign being hacked, online users are constantly urged to change their login credentials. Many users, and some so-called internet security experts, still rely on strong passwords to protect the online privacy and security of their information. As secure as they seem now, strong passwords continue to fail to protect against unauthorized access every day as more users rely on them.

Strong passwords can consist of a combination of letters, numbers and symbols. The more characters a password has, the stronger it is considered to be. These passwords are secure forms of protecting data; however, internet technology is changing rapidly, and security needs to change with it and become more secure. Security such as out-of-band authentication can be used to add an additional layer of protection for users and information stored online.

There are five things to consider when utilizing a strong password instead of a more secure solution such as out-of-band authentication.

Strong Passwords Are Still Susceptible to Data Breaches and Password Hashes

Some websites and organizations store a password hash, which is a hashed (one-way transformed) form of a user’s password. This means that even though you are utilizing a strong password, it may be stored in an unsecure database somewhere. This was the case in the Zappos.com data breach, where customers’ email addresses and password hashes were stolen.

Strong Passwords Can Be Stored Passwords

Although they seem secure, there is always the chance for human error. Storing strong passwords in your web browser not only allows unauthorized access from within your browser, but leaves your password susceptible to hacking. By utilizing a simple rootkit, anyone, including inexperienced hackers, can access the data stored within your browser. All it takes is some perseverance and some reverse engineering, and anyone could crack your strong password even under encryption.

Keylogging Software and Other Malware Can Capture Strong Passwords

You may not store passwords in your browser, but the very action of using one allows keylogging software to siphon that data. Beyond keyloggers, there is plenty of malware out there which would steal your information in the same manner, possibly by allowing a hacker remote access into your system. Strong passwords may be recorded by a malware program and sent over the internet to a hacker’s database, to be used at a later time.

Social Engineering of Security Questions

Almost every time you sign up for an account, you are required to set security questions which can be used to authenticate your identity later. These very “security” questions could be the downfall of your super secret strong password, the one that consists of 22 characters mixed between letters, numbers and symbols. By using social engineering and a bit of creativity, a savvy crook could figure out your security questions and gain unauthorized access. More and more users are seeing their passwords stolen through the use of these “challenge questions,” which aren’t always hard to guess if a hacker has some of your personal information.

Strong Passwords Are Hard to Remember, and Users Often Store Them in Places Easy to Access

Possibly the biggest failing of strong passwords is that they are much harder to remember than passwords that consist of only words or numbers. Imagine your login credentials always consisted of the passphrase flower1, but recently you upgraded your password to make it stronger and more secure, such as 5t#rG1$2oO. How are you ever going to remember such an outrageous password? It could be such a strong password that it actually prevents you from accessing your own account. Because strong passwords use more characters and symbols, most people write down their new secure passcode and leave it near their computer or stored on their computer. This is the most unsecure form of securing your account. An unauthorized user can simply find your password on or next to your computer and log in to your accounts.

Now that we’ve reviewed the 5 pitfalls of strong passwords, it is plain to see that a more secure method is needed. A very secure and cost effective approach to securing against data breach or unauthorized access is out-of-band authentication. This secures access to user accounts by transmitting a one-time password to the user over a separate network from the one where access is requested. By utilizing an out-of-band network, such as a separate network to send an SMS text message, keylogging and other malware are prevented from accessing your one-time password. Also, costs are kept low because almost everyone already owns and uses a mobile phone daily, so no additional devices need to be deployed for users to carry.

As more incidents occur of strong passwords failing to protect against data breach and identity theft, users and organizations will look for a more secure solution. Out-of-band authentication is a strong form of authentication and will be adopted by many organizations and users in the future when it comes to protecting against unauthorized access. Out-of-band authentication is easy to implement, easy to use, cost efficient, and effective in combating fraud.

How to Relieve Healthcare Breaches Through Authentication Security


Over 385 healthcare data breaches have been reported since September of 2009 on the HHS.gov website. Under the HITECH Act, any breach of over 500 individuals’ records must be reported to the Secretary of Health and Human Services and posted on its website. Although this data alone is astonishing, by taking a closer look we can easily see how a more secure method of data protection can be achieved.

The most common form of data breach is through lost or stolen devices containing unencrypted confidential data. With over half of healthcare breaches coming from this route alone, it would seem like a no-brainer to keep all data stored on a central server that can be accessed remotely. This would eliminate half of the problem by not allowing data to be stored on devices.

Encryption Can Be Cracked

Although encryption may seem like the easy answer, it would only solve part of the problem. Encryption can be cracked: given enough time with an encrypted file, a not so savvy criminal could gain access to confidential information. Also, when it comes to data, 3 years down the line, when that level of encryption is far weaker than the current state of the art, the confidential information is still just as valuable. Although the information would be encrypted, the old security would allow modern programs to crack it more easily.

Server Security and the Cloud

At one time, server security would not have been an option; however, advancements in not only IT security but also authentication allow servers, including cloud computing, to be one of the most secure forms of data protection. By not allowing the data to be transmitted or stored elsewhere, it would not be floating around on unsecure devices. Also, only authorized individuals would have access to the server, which would prevent data from being seen by restricted users.

Cloud computing is becoming widely adopted by corporations because security and accountability can be handled by third-party companies with more experience. So, arguably, it can be safer to store data out in the open on a cloud than on your very own server, since the cloud security would be stronger.

Out-of-Band Authentication Security

Everyone has a mobile phone which they carry with them constantly. There are very few times when an individual does not have their mobile phone with them. This makes it a very effective and efficient form of authentication security. By sending an OTP through SMS text message, a user can be identified through an out-of-band authentication method. Furthermore, keeping the process out-of-band prevents malware from stealing the authentication information. It is an added layer of protection which creates a secure form of identifying users.

Over 19 million individuals have been affected by healthcare data breaches according to the HHS.gov archive. Through out-of-band authentication security, almost 10 million patients’ and physicians’ personal information would be safe, since over half the problem comes from unsecure devices. Encryption may seem like a secure answer, but in the end keeping the data off of devices is where true security lies.