407-445-2414 info@wrmllc.com
Travel-Related Breaches: Mitigating the Risks


The hacking of a medical clinic employee’s email account while the employee was traveling overseas demonstrates the risks posed to data when workers travel – and the need to mitigate those risks.

Billings Clinic in Montana – which includes a multispecialty group practice with a 304-bed hospital and a Level II trauma center – says in a breach notification statement it became aware on May 14 of “unusual activity” within one of its employee’s email accounts.

The employee was traveling overseas on a medical mission at the time of the hacking incident, according to the statement.

What Happened?

Billings Clinic says it took immediate action to disable access to the email account, launched an investigation to determine what happened and took action to further secure its email system.

“As a result of the forensic investigation, we learned that an unauthorized individual had access to emails and attachments within that one account, some of which included patient information.”

The information on about 8,400 individuals contained in the affected email account included patient name, date of birth, contact information, medical record number, internal financial control number, diagnosis and limited information about medical services received, the clinic reports.

“Each patient had different types of information, included in the emails, and no one email contained all of these types of information,” the notification statement says.

Earlier Incident

As of July 16, the hacking incident was not yet listed on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website – commonly called the “wall of shame” – which lists breaches affecting 500 or more individuals.

That breach tally, however, lists a different hacking/IT incident reported in April by Billings Clinic that impacted 949 individuals.

In a notification statement posted on Billings Clinic’s website about the earlier incident, the clinic says that on February 26, it also became aware of unusual activity within its email system, and immediately took action to disable the account.

A Billings Clinic spokesman tells Information Security Media Group that the two breaches were separate incidents, but declined to discuss further details, including the steps the clinic is taking to bolster security in the wake of the breaches.

The spokesman also declined to discuss whether the traveling employee in the latest breach was traveling with a Billings Clinic laptop or other mobile computing devices, or whether the employee had been accessing Billings Clinic’s email system while using a personally owned computing device or smartphone.

Overlooked Risk?

Data breaches occurring during employee travel are a common but often overlooked problem, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.

“It is very common for data and devices to be hacked while traveling and for those who were hacked to not even realize it,” she says. “People are often unaware of what is going on around them when they are traveling. They are using any charger station they can find, they speak loudly and they use free Wi-Fi.”

Cybercriminals routinely scan free Wi-Fi networks and copy unsecured transmissions, including emails, she says.

“Shoulder surfing is also still very common; it’s a decades-old tactic that still works effectively today. And the skimmers on charging stations are increasing in use. Don’t think that if you are in a frequent flyer lounge that these things do not happen there; they happen in those exclusive lounge areas possibly more than in other places,” she warns.

Cybercriminals often target travelers, Herold says, because “it is easy for them to commit their crimes without getting caught because there is usually no digital evidence created.”

Mac McMillan, CEO of security consultancy CynergisTek, offers a similar assessment: “Any time you travel overseas you may be at greater risk, as local cybercriminals will have access to your mobile devices, the locations where you are staying or the ISPs whose networks your traffic is traversing.”

Healthcare entities and other organizations – and their traveling staff members – should review information from the Federal Communications Commission, Department of Homeland Security, and other agencies for tips on securing their computing devices while overseas, McMillan stresses.

“The problem is that most private businesses don’t educate their employees on these risks,” he says. Government agencies “routinely brief employees on foreign travel risks and are always aware that overseas we are potential targets.”

Steps to Take

McMillan advises workers on vacation to “leave the work computer at home. Temporarily suspend access to sensitive apps and work email, and do not permit mail forwarding.”

But if remote access is absolutely required, he says, “employ two-factor authentication on both apps and email, and strong encryption on all devices. Use different passwords or pins when you travel. Do not make online purchases or go to your online banking site. Clear your cache regularly. Turn off auto-join on your Wi-Fi. If traveling for more than a few days, reset your settings. Above all keep your devices with you at all times and shielded from view.”
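The advice above (suspend access during travel where possible, require two-factor authentication, forbid mail forwarding) only works if someone checks that it held, and the clinic’s own breach surfaced as “unusual activity” in one mailbox while the employee was abroad. The following is an added example, not code from the article, Billings Clinic or any of the consultants quoted. It reviews a stream of constructed email sign-in and mailbox-audit events against an employee’s declared trip and flags logins from a country that is neither home nor the declared destination, logins without MFA while abroad, “impossible travel” between consecutive logins, and any inbox forwarding rule created during the trip. The user name, destination, dates, coordinates, field names, speed threshold and the sample events are all assumptions; the article does not say where the employee traveled.

```python
"""
Travel-aware review of email sign-in and mailbox-audit events.

Added example (not from the article or from Billings Clinic). It checks the
controls the article recommends: no logins from unexpected countries, MFA on
every login abroad, no physically impossible movement between logins, and no
mail-forwarding rules created during the trip. All field names, coordinates,
thresholds and sample events are assumptions / constructed data.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0   # fastest plausible sustained travel speed (assumption)
SLACK_KM = 50.0    # tolerance for IP-geolocation noise (assumption)


@dataclass(frozen=True)
class Travel:
    user: str
    home_country: str
    dest_country: str
    start: datetime
    end: datetime


def parse_ts(s: str) -> datetime:
    # Log timestamps are assumed to be UTC in the form 2019-05-12T14:20:00Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def review(travel: Travel, log_lines: str):
    """Return a list of (timestamp, finding) tuples for the traveling user's events."""
    events = [json.loads(l) for l in log_lines.strip().splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])   # ISO-8601 UTC strings sort chronologically
    findings = []
    last_login = None
    for ev in events:
        if ev["user"] != travel.user:
            continue
        ts = parse_ts(ev["ts"])
        abroad = travel.start <= ts <= travel.end
        if ev["action"] == "set_forwarding_rule":
            # Forwarding is supposed to be disabled for the trip; any new rule is suspect.
            findings.append((ev["ts"], "forwarding_rule"))
            continue
        if ev["action"] != "login":
            continue
        allowed = {travel.home_country}
        if abroad:
            allowed.add(travel.dest_country)
        if ev["country"] not in allowed:
            findings.append((ev["ts"], "unexpected_country:" + ev["country"]))
        if abroad and not ev["mfa"]:
            findings.append((ev["ts"], "no_mfa_abroad"))
        if last_login is not None:
            hours = (ts - parse_ts(last_login["ts"])).total_seconds() / 3600.0
            km = haversine_km(last_login["lat"], last_login["lon"], ev["lat"], ev["lon"])
            # Distance covered faster than MAX_KMH (plus slack) is not a human moving.
            if km > MAX_KMH * max(hours, 0.0) + SLACK_KM:
                findings.append((ev["ts"], "impossible_travel"))
        last_login = ev
    return findings


# Constructed sample data: a declared trip and five audit events as JSON lines.
TRAVEL = Travel("jdoe", "US", "GT",
                parse_ts("2019-05-11T00:00:00Z"), parse_ts("2019-05-20T23:59:59Z"))

SAMPLE_LOG = """
{"ts":"2019-05-10T08:05:00Z","user":"jdoe","action":"login","country":"US","lat":45.78,"lon":-108.50,"mfa":true}
{"ts":"2019-05-12T14:20:00Z","user":"jdoe","action":"login","country":"GT","lat":14.63,"lon":-90.51,"mfa":true}
{"ts":"2019-05-12T20:10:00Z","user":"jdoe","action":"login","country":"NG","lat":6.52,"lon":3.38,"mfa":false}
{"ts":"2019-05-12T20:15:00Z","user":"jdoe","action":"set_forwarding_rule","country":"NG","lat":6.52,"lon":3.38,"mfa":false}
{"ts":"2019-05-13T03:00:00Z","user":"jdoe","action":"login","country":"GT","lat":14.63,"lon":-90.51,"mfa":true}
"""

if __name__ == "__main__":
    for when, what in review(TRAVEL, SAMPLE_LOG):
        print(when, what)
```

On the constructed log the two Guatemala logins with MFA pass quietly, while the login from Nigeria six hours later produces three findings (unexpected country, no MFA abroad, impossible travel), the forwarding rule is flagged on its own, and the return to Guatemala seven hours after that is again impossible travel. The declared-country rule is deliberately strict: a legitimate stopover would need to be added to the itinerary rather than waved through.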

Keith Fricke, a consultant at tw-Security, notes that some companies issue a laptop specifically for overseas travel that is locked down more than normal and has fewer applications on it.

There have been reports of some private airplane flights having “hidden cameras” in them that recorded information on the screens of laptops passengers used during the flight, he says. “Stories also exist of hidden cameras in hotels of certain foreign countries or people entering hotel rooms when the occupant left the room for meetings or a meal. The intruder looked for ways to obtain unauthorized access to information,” he notes.

Herold advises organizations to take a number of precautions to reduce the risk of breaches while individuals are traveling.

“Implement policies for employees to not use public Wi-Fi,” she stresses. “Provide secured virtual private network or similar types of solutions for remote access. I carry my own device that I use to establish a private VPN connection. I never use public Wi-Fi, or the Wi-Fi in the hotels or restaurants either.”

Organizations should also require that data be encrypted in transit and in storage, she says. “That way, if someone gets access through a network, the data is not accessible. If they get access to the device, the data is not accessible.”

Herold also advises employers to “provide information security and privacy reminders and awareness communications of other types prior to employee travel so that they have the need to practice safe mobile computing at top of mind.”

Author: Marianne Kolbasuk McGee

Source: infoRisk Today

Think before you email


A tectonic societal shift is happening right under our noses. You don’t need a seismometer to see it. If you’ve watched any recent entertainment awards show, it’s easy to see and hear.

“Oh,” one might say, “that’s just fallout from the Sony Pictures hack and the Harvey Weinstein implosion. Those people are all famous public figures. It couldn’t happen to me.”

It could.

It’s amazing that anyone who lived through the 2016 presidential election is still using email or Twitter. Regardless of your political leaning, that election taught us that emails and tweets follow the sender around like a hungry dog at feeding time. Unlike dogs (alas) emails, tweets and social media posts are essentially immortal. Someone sufficiently motivated to find them can do so.

Indelible media

The examples of improper comments later in this article have been reported by several public sources, and they’re included for effect. The quoted sections may or may not be accurate, but they illustrate the kinds of comments that people write in indelible media from time to time that come back to haunt them.

Perhaps the reader can recall other examples, closer to home. Early in my career as a lawyer, we used to communicate with international clients via telex. (Yes, that long ago.) I sent a number of telexes overseas, requesting settlement authority in a relatively small case, and kept receiving responses that questioned my analysis.

Then I noticed that the responses were addressed to “Mrs. Louis Castoria,” perhaps mistaking “Louis” for “Lois” or “Louise.” When I re-sent the same advice and typed my name as “Mr. Louis Castoria,” the reply came back, “We agree with your wise recommendation.”

If the reader is surprised by my relatively mild story, or by the more dramatic ones told in the excerpts from media reports, imagine the impact of sexist comments on conscientious jurors in a civil case.

In employment discrimination cases, “Me, too” evidence — examples of discriminatory or harassing comments made to or about employees other than the plaintiff — can be admitted into evidence. The California Supreme Court ruled in 2006 that the state’s fair employment and housing act was “not designed to rid the workplace of vulgarity.” [Lyle v. Warner Brothers Television Productions (2006) 38 Cal.4th 264, 295.] Still, such evidence gets to the jury.

In Pantoja v. Anton [(2011) 198 Cal.App.4th 87], the California Court of Appeal sent a case back for retrial because the trial court had improperly excluded evidence of a supervisor’s use of the term “Mexicans” to refer to employees.

It may be easy to see why evidence of sexist or racist terms might be relevant in some types of employment-related cases. Could the same kind of evidence be relevant in professional liability cases?

Character doesn’t count

I’m not aware of a reported decision in which “Me, too” evidence has come before the jury in an errors and omissions (E&O) case. The basic question in most E&O cases is did the professional person (insurance broker, lawyer, accountant or acupuncturist, for example) act within the standard of care of the profession in the community where the services were rendered? The defendant’s character is not usually considered admissible, unless it goes to credibility. A misogynist jerk can perform a perfectly correct appendectomy, just as a paragon of virtue can perform a negligent one.

Lawyers try to keep potentially damaging evidence away from the jury’s eyes by asking the trial judge to forbid the other side from introducing or mentioning such evidence. The judge is the filter, keeping out evidence based on whether it is “more prejudicial than probative,” or so likely to poison the jurors against a party that they may be unable to fairly decide a particular issue or the case.

It’s difficult to see offensive emails and tweets being material, or even relevant, in a typical E&O case. If a doctor leaves a sponge inside a patient during surgery, the fact that the doctor sent a distasteful email about a coworker’s appearance earlier that day adds nothing to the case. If the doctor is commenting, distractedly, about the coworker’s appearance during the surgery, that could be another story.

Emails on company network

There are plenty of good reasons to avoid writing odious emails in the workplace. The fear of an E&O lawsuit is probably low on that list. But if such messages are in the company’s network, they may see the light of day during litigation. The mere threat of them being made public could make a difference in whether a case settles at a small value or in the high six figures, as in one of these examples:

  • Example No. 1: According to Vox.com (08/08/17), a leading high-tech company fired an employee who posted a controversial 10-page memo arguing for less emphasis on gender diversity in the workplace. The memo argues that the reason women are underrepresented in the tech industry has to do with “biological causes” between men and women, and criticizes the company for its ongoing diversity and inclusion initiatives, arguing that “gender gaps [do not always] imply sexism,” and declaring that “discriminating just to increase the representation of women in tech” is “unfair, divisive, and bad for business.”
  • Example No. 2: The Associated Press reported on Feb. 27, 2018, that an eastern Iowa police chief was fired by the Anamosa, Iowa, City Council for having made sexist comments about a female officer in emails, and retaliated against her after she complained about his mistreatment. One email “joke” complained about “bras not showing enough of women’s ” The officer settled her suit against the city for $750,000.

The world is changing for the better. We are being called to exercise a higher standard of respect for one another. Being risk-averse is one good reason to apply the golden rule to workplace interactions. But there’s a far better one: It’s the right thing to do.

Source: PropertyCasualty360

Author: Louie Castoria