Some Helpful Suggestions to Help Protect Yourself
By Dorothy Cociu, RHU, REBC, GBA, RPA, OCAHU VP Communications & Public Affairs
In a world of fast-changing technology and more reliance on data, we are all at risk, because when there is data, there is a chance for a data breach. Who doesn’t use at least one, often many, forms of cloud storage? Who doesn’t use email and who doesn’t shop retail? And as last year’s Equifax breach taught us, as long as we have a credit card, a mortgage, or a loan, we have a credit file, and therefore we are at risk for identity theft, credit fraud and more. So how do we protect ourselves?
As many of you know, besides being a licensed insurance agent with my own agency, I am also a HIPAA Privacy & Security Consultant and trainer. Although a lot of what I’m talking about in this article isn’t directly related to HIPAA Privacy & Security, the concepts of data breaches and cyber security hold true across all lines. I specialize in administrative (policies and procedures, forms, etc.) and physical security (like locked file cabinets, proper alarm systems and other physical security), but the third part of security is technical security… I’m not an IT person. Far from it. But I’m smart enough to know that when HITECH became part of HIPAA Privacy & Security in 2009, I had to team up with some tech gurus to get my job done on the HIPAA Privacy & Security side of my business. What I learned very quickly is that technology is not specific to industry… Technology and data are widespread and consistent across all lines. Data is data, and breaches are breaches, regardless of industry or personnel.
In 2018, we’ve already seen major hacks and breaches with Best Buy, Delta Airlines, Kmart/Sears and other retailers involved in the third party application chat service. Third party vendors were also the culprits in the Target, Home Depot and other hacks and breaches in the past few years. Personally, I won’t even use the table top ordering and payment machines on many restaurant tables today (such as Chili’s, Applebee’s, Red Robin and others, to name a few). If they offer payment through their own machines, I will request that they run my credit or debit card through that, rather than through a third party application software. Maybe I’m paranoid, but when companies are using other companies to do things like run credit cards, I tend to get a bit nervous about my credit card protection. Third party applications generally have more risk due to malware inserted into them without the primary company using them (like Best Buy, Target, etc.) having any control.
Best Buy recently announced that “a small fraction of our overall online customer population” was impacted… They noted that customers who didn’t even use its online chat service may have had their data accessed. Have you shopped online at Best Buy in the past year? Or booked a Delta flight online or shopped at Sears or Kmart with a credit card between September 27 and October 12 of 2017? I most likely could have! And I’m sure many others could have been affected as well.
That particular breach involved chat provider [24]7.ai, based in San Jose. There are also questions pertaining to the timing… State law requires breach notifications to be made in an expedient manner without unreasonable delay, and although Best Buy, Delta and Sears/Kmart notified the media and customers quickly once notified, there are questions about when the chat service actually knew of the breach. Timing is everything in situations like this… Delays cost all of us harm.
Let’s think back over the past few years of the largest breaches… In healthcare, you must include HHS Wall of Shame members Anthem, Molina Health, Oklahoma Dept of Human Services, Aetna, Kaiser, LSU Health, Morehead Medical, University of Iowa Hospitals & Clinics, Arizona Dept of Health Services, Children’s Mercy Hospital, Memorial Hospital Clinic, St. Joseph Hospital & Medical Center, Walgreens, not to mention the older ones like CVS and Thrifty Drugs… The list is so long I can only include a few in this article… And now there are so many more currently under investigation, including California Physicians Service (Blue Shield) of CA, CA Dept of Developmental Services, Diagnostic Radiology & Imaging, UnitedHealth Group, Walmart, City of Detroit, University of Virginia Medical Center, and many more that I’ve mentioned in my Compliance Corner HIPAA News section, and so many more listed on the HHS website that I can’t list… There are pages and pages and pages!
In the retail world, we’ve all heard of them… And more seem to pop up every month. So how do we protect ourselves? There are some relatively easy and inexpensive steps everyone should take. First, sign up for a credit monitoring service. I personally love American Express’s Credit Secure, but for identity theft protection and monitoring the dark web, etc., I also signed up for Lifelock. Services like this are well worth the money! It’s worth a little research.
Another thing you can do is to watch what apps you download! Our phones are devices that keep us easily connected with the world, but they are also being abused by hackers and cyber criminals… Think about what data you have on your phones… Not only client names, addresses, phone numbers (which are subject to state and federal laws like GLBA and HIPAA Privacy & Security / HITECH for agents and industry personnel), but many people today use their phones for purchases, store credit card data, etc. Remember, these are HITECH (HIPAA Privacy & Security) protected devices for our industry, so be sure they are encrypted!
When I say watch the apps you download on phones, tablets and laptops, look at what permissions they are asking to access. Why does a flashlight on your phone need access to your contacts? You need to be critical and aware, and not give everyone access to everything you have! So always check what they are asking your permission to access! Say no if you’re concerned! Don’t accept it!
I sat down with members of my tech team, Ted Flittner and Ted Mayeshiba, principals of Aditi Group, to discuss with them the recent data breaches and cyber security, and asked them to contribute to this feature article.
“Sometimes we can’t control when our data is breached, such as the retail breaches (all we have to do is shop and we’re at risk), credit firms like Equifax, etc.,” I asked Ted and Ted. “But there are some things we can control… things we can do as consumers to help ourselves and our data. Can you tell us some of the things consumers can do to protect themselves?”
“Back up your data,” replied Ted Flittner. “Use a good continuous backup system like Backblaze, Carbonite or iDrive. These back up as you create, and they are offsite, which is important. Why? Because if your backups are local, even in a fireproof vault, when the city comes to ‘red tag’ your building and not allow you to retrieve your backups, you have a problem, don’t you? Having your backup in the cloud allows you to restore to a new machine if necessary.”
He continued: “If a vendor you use is reported to have a breach, then it is wise to change your passwords. If you use that password at other locations, change those too. When you change your password, think about using a passphrase or sentence instead. It’s easier to remember (ilovecountrymusic). The new recommendation from the Center for Internet Security is for passphrases that are at least 12 characters long.”
I mentioned to him that I now do that often, but replace, at Aditi Group’s suggestion, letters with numbers or special characters, which they both said they’d address as well. In his example, I would use something like “1l0v3countymu5!c” to make it even more secure. They absolutely agreed, and will discuss below.
Ted Mayeshiba continued: “[You can also] use multifactor authentication if it is offered. This is when a site wants your user name, password, PLUS sends you a code on your mobile phone or email before allowing you to open the site. Take advantage of it if it’s offered.”
I continued with my questions, asking them about some very important issues in today’s world… “Malware and phishing scams are running rampant,” I stated… “Just recently I was on a website doing a search and a pop-up came up with a loud warning that my computer’s data was in jeopardy and of course they wanted me to call them or click on things (which I didn’t, of course… I immediately called Ted F!), which would have opened the door for them to do bad things. What kinds of advice can you give us… what to look out for, what to avoid, what to NOT DO in these situations?”
“Think!” stated Ted Mayeshiba. “Do not click any link unless you’ve thought it through: ‘does this make sense?’ Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information. Check the phone number listed against what is listed in public directories.”
Ted Flittner continued: “For example: the Microsoft warning pop-up says call ‘800-88——‘ but a Google search shows no ‘Microsoft’ results for that phone number. So don’t call or click.”
Ted Mayeshiba continued: “Close pop-ups on Windows computers with ALT-F4 instead of clicking on any ‘buttons’ shown on the pop-up. Similarly, close suspicious applications safely without clicking on them.”
We continued our discussion on the recent breaches and hacks. I asked them, “Some medical breaches, such as Anthem, were the result of malware… an employee clicking on something that was sent to them in an email. What is the best protection against malware and spyware? How important is it for employers to actually train their employees on what not to do?”
“Hardware and software solutions are slowly gaining on the proliferation of ways in which evil actors are trying to steal information for their profit. Always use professional email anti-virus/anti-malware programs and keep them updated daily,” stated Ted Mayeshiba.
“The weakest link in all this is the people who must work on the internet,” continued Ted Mayeshiba. “Training the people to look for, or be aware of, things like:
- Typosquatting – www.netfilx.typcom vs. www.netflix.com [note the differences in the website link]
- Homographic typosquatting – Using other languages that browsers translate to English but direct you elsewhere.
- Whaling – impersonation of owner authorizing someone to transfer money.” We discussed how these things are commonplace today and dangerous.
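The typosquatting and homograph tricks in the list above can be checked mechanically before a link is clicked. The following is an added example (not code from the article or from Aditi Group); the allow-list `TRUSTED_DOMAINS`, the small `CONFUSABLES` table and the function names are assumptions for illustration, and the confusables table is a tiny subset of the real Unicode one.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains the reader actually does business with (constructed allow-list).
TRUSTED_DOMAINS = {"netflix.com", "bankofamerica.com", "dropbox.com"}
# A few Cyrillic letters that render like Latin ones (subset of the Unicode confusables table).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u04cf": "l"}

def skeleton(text):
    """Map look-alike non-Latin letters to Latin so a homograph collides with the real spelling."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", text.lower()))

def edit_distance(a, b):
    """Edit distance that counts an adjacent swap as one step: 'netfilx' is 1 away from 'netflix'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_link(link):
    """Return (verdict, trusted domain it resembles): trusted, homograph, typosquat, embedded or unknown."""
    host = urlsplit(link if "//" in link else "//" + link).hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        host = host.encode("ascii").decode("idna")  # punycode -> the Unicode the browser would render
    labels = host.split(".")
    if len(labels) < 2:
        return ("unknown", None)
    name, domain = labels[-2], ".".join(labels[-2:])  # simplification: ignores suffixes like co.uk
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        t_name = trusted.split(".")[0]
        if skeleton(domain) == trusted:
            return ("homograph", trusted)       # same letters to the eye, different code points
        if edit_distance(skeleton(name), t_name) <= 1:
            return ("typosquat", trusted)       # one slip or swap away, whatever the TLD
        if t_name in labels[:-2]:
            return ("embedded", trusted)        # real brand used as a subdomain of something else
    return ("unknown", None)
```

With a short trusted name the one-edit rule will flag innocent domains too, so tune the threshold to the length of the name.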
Ted Flittner continued with more examples:
[Watch out for] “Spear phishing – tricking the recipient into thinking a message is from someone known; credential harvesting – fake Google Docs or Dropbox accounts… Check the details – If you’re unsure, take a few moments to look at the email ‘header’ information where you can see the actual email account that an email was sent from. You may quickly see that the email appearing from ‘Bank of America’ is really coming from ‘aaa-zhen-all3.cn’.”
Ted Mayeshiba continued: “[It] … is critical to a user’s understanding of ‘what makes sense’ or not. Training on a regular basis is critical.” They both shook their heads in absolute agreement, as did I. Yes, I know… I’m a HIPAA Privacy & Security trainer and consultant, but it’s really just good basic advice.
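The header check Ted Flittner describes can be scripted: compare the brand in the display name with the domain the message really came from, and look at Return-Path and Reply-To as well. This is an added example, not code from the article or from Aditi Group; the `BRANDS` table, the `URGENCY` word list and both sample messages are constructed for illustration (the sender domain is the one quoted above, the IP address is from a documentation range).

```python
import email
from email.utils import parseaddr

# Brand names a phisher might borrow, mapped to the domain that brand really sends from
# (constructed table; extend it with the senders you actually deal with).
BRANDS = {"bank of america": "bankofamerica.com", "dropbox": "dropbox.com", "google": "google.com"}
URGENCY = ("urgent", "immediately", "24 hours", "suspended", "verify your account")

# Constructed phishing sample: display name says "Bank of America", address says otherwise.
SAMPLE = b"""\
Return-Path: <bounce@aaa-zhen-all3.cn>
Received: from mail.aaa-zhen-all3.cn ([203.0.113.7]) by mx.example.net; Mon, 16 Apr 2018 09:12:31 -0700
From: "Bank of America" <alerts@aaa-zhen-all3.cn>
Reply-To: verify@aaa-zhen-all3.cn
To: customer@example.net
Subject: Urgent: verify your account within 24 hours

(body omitted)
"""

# Constructed legitimate sample for comparison.
LEGIT = b"""\
Return-Path: <alerts@bankofamerica.com>
From: "Bank of America" <alerts@bankofamerica.com>
To: customer@example.net
Subject: Your March statement is available

(body omitted)
"""

def domain_of(header_value):
    """Lower-cased domain from an address header, or '' if the header is absent or has no address."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def inspect_headers(raw_message):
    """Compare what a message claims (display name) with where it really comes from."""
    msg = email.message_from_bytes(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    findings = []
    for brand, real_domain in BRANDS.items():
        if brand in display.lower() and from_dom != real_domain:
            findings.append(f"display name '{display}' but address domain is {from_dom}")
    for hdr in ("Return-Path", "Reply-To"):       # bounce and reply addresses should match the sender
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    if any(word in (msg.get("Subject") or "").lower() for word in URGENCY):
        findings.append("subject pressures you to act immediately")
    return {"from_domain": from_dom, "findings": findings, "suspicious": bool(findings)}
```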
I continued my discussion with them, saying “Let’s go back to what we discussed before about the use of strong passwords and using phrases. You guys preach the use of strong passwords, 16 or even 24 or more characters, upper and lower case letters, alpha-numeric, special characters, and never use the same passwords for multiple sites. What is the best advice you can give us related to password protection?”
“When you change your password, think about using a passphrase or sentence instead,” stated Ted Flittner. “It’s easier to remember (ilovecountrymusic),” as we discussed above. “Replace some letters with special characters and numbers and mix upper and lower case letters, as you did.” [like changing a’s to @ and e’s to 3’s and the letter I to the number 1 or an exclamation point]. “The new recommendation from the Center for Internet Security is for passphrases that are at least 12 characters long. That’s a lot to remember. So we recommend using a secure password manager like ‘LastPass’ or ‘Dashlane’. These managers allow encrypted storage of user names and passwords as well as related secure notes such as password hints or credit card numbers. Both products allow you to launch the website within the product and your stored user name and password are filled in automatically. They are also synchronized across all your devices (mobile, desktop, laptop, etc.), wherever you have installed the product. And these products are designed and encrypted so that only you have access to the stored data – not even their techs or admins.”
Ted Mayeshiba continued: “You should also use multi-factor authentication wherever possible to augment strong passwords. This makes the chance of hacking much less likely. And most multi-factor AKA two-factor authentication methods cost nothing by using a mobile phone app or text message.”
Lastly, I asked them “Let’s say you’re a business owner… Let’s say in fact you’re an insurance agent [as many of our readers of the COIN are] and you must store a lot of customer data, and laws require you to protect that data (HIPAA, GLBA, etc.)… If you’re on a tight budget, but know you have to do at least certain things to protect electronic data, what would you say agents absolutely must do and should do to protect their clients’ health and personal data?”
The answer is not simple or one-part. It’s a combination of things… “Encrypt all hard drives and data ‘at rest,’” stated Ted Mayeshiba. “Don’t use USB flash drives or DVDs or CDs to transfer files without encryption. If you don’t have a hardware firewall yet, get one.”
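The phone-app second factor mentioned above is usually a time-based one-time password (TOTP, RFC 6238): the site and the app share a secret at enrollment, and each 30-second window yields a fresh six-digit code that only someone holding both the secret and the clock can produce. The block below is an added example (not code from the article or from Aditi Group) showing both the app side and the server-side check; `SHARED_SECRET` is the RFC 6238 test-vector secret, and the issuer and account names are placeholders.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 of the counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret, submitted, unix_time, step=30, drift=1):
    """Server side: accept the current window plus 'drift' neighbours for clock skew,
    comparing in constant time so timing does not leak which digits matched."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step, step), submitted)
               for k in range(-drift, drift + 1))

def enrollment_uri(issuer, account, secret):
    """The otpauth:// URI an authenticator app scans (as a QR code) when you turn MFA on."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"

# RFC 6238 test-vector secret; a real site generates a random secret per user at enrollment.
SHARED_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    import time
    now = int(time.time())
    print("code for this 30-second window:", totp(SHARED_SECRET, now))
    print(enrollment_uri("ExampleAgency", "agent@example.net", SHARED_SECRET))
```

Because the code is derived offline from the shared secret and the clock, the app needs no network connection, which is why this factor costs nothing to offer.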
Ted Flittner continued: “Take the machine with the data and take it off line so it has no access to email or other computers in the office. Isolate it. If this machine with the data MUST routinely communicate with an agency or bank, then design a Virtual Local Area Network or VLAN behind the firewall, and set up the machine to ONLY talk to those agencies upon your initiation.
“I know this sounds difficult, but it really is simple. If you have IoT devices as well, this is the recommended procedure to avoid having those devices hacked. Do not, under any circumstance, allow an IoT device to connect to the same VLAN that your computers are on.”
Some other not-so-technical words of advice from me… If you’re at a gas station or a retail store using a debit card, cover the terminal with one hand when entering your PIN. Use the other hand to punch in the PIN code. People could be looking over your shoulder, or in some cases, sitting in a van watching you put in your codes and stealing your credit card or debit card numbers or PINs. As they said, change your passwords often, and never use the same passwords for multiple websites. I know, we’re all guilty of that sometimes. But please think about it, and while it’s fresh in your mind, go into your accounts now and change your passwords, and hopefully, save them in an encrypted database.
Author’s Note: I’d like to thank Ted Mayeshiba and Ted Flittner of Aditi Group for their assistance with this article. They can be reached at Aditi Group, Inc, AditiGroup.com, info@aditigroup.com, or by phone at (323) 776-9386. Ted and Ted are part of my company’s HIPAA Privacy & Security Training seminars on a regular basis.