Saturday, February 26, 2011

What Health Care providers need to know

Yes, if you do not know there are New Requirements for Fighting with Identity Theft that Health Care Providers must know about “Red Flag Rules”.

“The Red Flags Rule”, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft” as stated by the FTC.

Basically when a person seeks health care services using someone else’s name and insurance info, is what is called identity theft.

“Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.

On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

The second key term — “covered account” — is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.” as stated by the FTC.

Seattle: Capitol Hill credit card fraud wave tied to Broadway Grill

The investigation into more than 100 reported cases of credit card fraud across Capitol Hill has identified a Broadway restaurant as one "point of interest." Like the victims who have had their bank and credit accounts hit for fraudulent charges in the thousands of dollars, Capitol Hill's Broadway Grill is also a victim in this wave as personal and business accounts related to the restaurant have been compromised along with accounts of a not-yet-known number of customers who ate and drank at the popular eatery.

We received the following statement from one of the partners behind the Broadway Grill, Matthew Walsh:

We take this issue very seriously and are working with both the Seattle Police Department as well as the Secret Service to find the people who have done this to everyone and have them stopped.

We have gone above and beyond to make sure that our network is completely secure and that this sort of thing can't happen to any of our customers, there has been no decline in credit/debit card use because of our actions to ensure safety. Not only were our personal accounts compromised but our business savings and operating accounts have also been compromised.

We are a tiny little company trying to manage this huge monster of a restaurant and for someone to swoop in and try to completely wipe our accounts is a really scary thing. I am seriously worried about the future of our business without the support of our community. We have been growing by leaps and bounds since I took over in June, not only in our new menu and food quality but also in our day to day operation. It is my hope that we have touched enough lives over the years to be able to count on our beloved customers for their support and continued patronage in this difficult time.

We do not know yet if Broadway Grill represents the only breached business on the Hill or if investigators have identified others in the area. On Monday, CHS reported that the Secret Service's Electronic Crimes Task Force had identified and "reduced" the threat from what the lead agent called a "point of interest" in the Capitol Hill area.

We have checked with Kroger, the parent company for QFC, about any involvement in the investigation. A QFC spokesperson told CHS he ws not aware of any contact between investigators and either of the Broadway stores. "To my knowledge, we have not been contacted by police. When we are, we will work with them," the spokesperson said earlier this week.

Meanwhile, the situation is widespread enough and people are so wary that large area institutions are dealing with relatively sizable numbers of victims. We talked to Seattle University about a a growing number of Seattle University students and employees who have experience problems with financial accounts in recent days. But Mike Sletten director of public safety for the campus, told us that the cases he is aware of all appear to be part of the Capitol Hill wave. "They all reflect that Capitol Hill theme," Sletten said.

Sunday, February 13, 2011

Data leak: Human Services Agency of San Francisco

February 5, 2011 2,400 Records Exposed.

A former city employee emailed the information of her caseload to her personal computer, two attorneys and two union representatives. The former employee wanted proof that she was fired for low performance because she had been given an unusually high number of cases. Certain MediCal recipients in San Francisco had their names, Social Security numbers and other personal information exposed.

Is Your Business Vulnerable to Cybercrime?

It only happens to the big companies, right? While that may have been the conventional thinking in the past, cybercrime is finding large businesses, government institutions, and even individuals as its victims and as the Internet becomes increasingly integrated in to our daily lives, cybercrime continues to become more widespread.

Business is often about timing. Each day you have deadlines and if they aren’t met, you lose money. If you can’t get to your data for any reason, your day and the future of your business may be at risk. With data being so important to businesses of all sizes, it would be reasonable to believe that much like liability insurance, businesses are protected but that’s far from a true.

A recent survey concluded that 52% of all business don’t have an IT security policy. Their data simply isn’t held under cyber lock and key like it should be and their employees are free to practice internet usage while at work in any way that they see fit.

If your business is in the 52% crowd, something has to change and it has to change today. What can you do to decrease your risk of cyber attack?

Back Up Your Data

Just like in our real lives, not being a victim of theft often starts with common sense. Your data is too important to only be in one place and you should never trust somebody else to back it up. Copy your data and place it some place secure. If you can fit it all on to a portable hard drive or some other piece of hardware that isn’t connected to the internet, do that once per week. If you can’t, find an online backup service that will automatically do this for you

Cyber crooks targeting smartphones: McAfee

Smartphones have become prime targets for hackers and spammers, computer security firm McAfee said.

The number of pieces of malicious software, referred to as "malware," surged 46 percent last year as compared with 2009, according to a McAfee Threats Report for the final three months of 2010.

"Cybercriminals are keeping tabs on what's popular, and what will have the biggest impact from the smallest effort," said McAfee Labs senior vice president Vincent Weafer.

"We've seen a significant shift in various regions, showing that cybercriminals are tapped in to trends worldwide," he continued. "McAfee Labs also sees the direct correlation between device popularity and cybercriminal activity, a trend we expect to surge in 2011."

McAfee has seen software threats to mobile devices steadily increase in recent years as the popularity of smartphones and tablet computers has climbed.

"Threats to mobile platforms are not new," McAfee said in the report. "However, as more consumers use mobile devices and tablets in their daily lives and at work, cybercriminals have taken note."

Geinimi malware slipped into legitimate games and other applications for Android-based mobile phones was listed by McAfee as "one of the most important threats of the quarter."

As greater varieties of smartphones, tablets, televisions, and computers link to the Internet, hackers are likely to resort to "poisoning" Internet search results with links to websites booby-trapped with malware, according to McAfee.

"Web-based threats will continue to grow in size and sophistication," McAfee said.

Saturday, February 12, 2011

Malware Aimed at Iran Hit Five Sites, Report Says

The Stuxnet software worm repeatedly sought to infect five industrial facilities in Iran over a 10-month period, a new report says, in what could be a clue into how it might have infected the Iranian uranium enrichment complex at Natanz.

The report, released Friday by Symantec, a computer security software firm, said there were three waves of attacks. Liam O Murchu, a security researcher at the firm, said his team was able to chart the path of the infection because of an unusual feature of the malware: Stuxnet recorded information on the location and type of each computer it infected.

Such information would allow the authors of Stuxnet to determine if they had successfully reached their intended target. By taking samples of Stuxnet they had collected from various computers, the researchers were able to build a model of the spread of the infection. They determined that 12,000 infections could be traced back to just five initial infection points.

Between June 2009 and May 2010, the program took aim at specific organizations in Iran on three occasions, Symantec research noted in an update of a research report the company published last year.

The Symantec team said it had collected five Internet domains that were linked to industrial organizations within Iran. They said because of the company’s privacy policies, they would not disclose the domain names.

“All of the domains are involved in industrial processing,” Mr. O Murchu said in an interview.

It is likely that a classified site like Natanz is not connected directly to the Internet. Therefore, an attacker might try to infect industrial organizations that would be likely to share information, and the malware, with Natanz.

At least three and possibly four versions of the program were probably written, and the researchers discovered that the first version had been completed just 12 hours before the first successful infection in June 2009. The researchers speculated that the first step in the infection was either an infected e-mail sent to an intended victim or a hand-carried USB device that carried the attack code.

When international inspectors visited Natanz in late 2009, they found that almost 1,000 gas centrifuges had been taken offline, leading to speculation that the attack may have disabled a portion of the complex.

In April 2010, the attackers again tried to distribute the program. This time they found a new vulnerability in Windows-based computers to be infected with a USB device and most likely successfully inserted the program that way at an unknown location inside Iran.

The Symantec researchers also said they had determined that the malware program carried two different attack modules aimed at different centrifuge arrays, but that one of them had been disabled.

Stuxnet first infected Windows-based industrial control computers while it hunted for particular types of equipment made by the Siemens Corporation. It was programmed to then damage a uranium centrifuge array by repeatedly speeding it up, while at the same time hiding its attack from the control computers by sending false information to displays that monitored the system.

Tuesday, February 8, 2011

Red Flags Rule Compliance: The Feds May Be The Least Of Your Concerns

By Larry M. White

After several false starts, the FTC has finally initiated enforcement of the Fair and Accurate Credit Transactions Act's, Red Flags Rule, and has placed the burden of policing identity theft activity squarely on the shoulders of both big and small businesses.

However, the FTC may be the least of your concerns if you originate credit for an identity thief because attorneys across the country have been eagerly awaiting this dangerous and virtually impossible regulation. Your problem? Verifying the identity of your customer.

If you don't have required and accepted procedures in place to do so, it could cost you everything you've ever worked for. Your Required Red Flags Rule Policy & Program. First, your operation must develop and implement a Red Flags Rule Policy which must include four required key elements in addition to other regulations and issues that must be addressed. 

To demonstrate the importance the FTC places on the Rule, your operation's Board of Directors is required to approve your Red Flags Rule Policy and Program. For those operations without a board, a committee of senior management must approve the initial Program and monitor it on an annual basis.

But don't be misled!

Simply downloading a "template" from the internet might possibly get you off the hook with the feds, but it probably won't suffice in litigation with an identity theft victim's lawyer. Attorneys already view this regulation as a "cash cow", and if one of your customers points the finger at your company because someone was using their identity unchallenged, rest assured the victim's attorney will request your written Red Flags Rule Policy and documentation of required staff training.

If you don't have a Policy, or it is poorly written, the plaintiff will most likely allege a breach of duty to protect a consumer's identity information, or in other words, "wilful non-compliance", which is as bad as it sounds. Read more...

Saturday, February 5, 2011

A Blind Eye to Cyber Crime?

Small Businesses Think It Won't Happen To Them

It's almost like it was written to be a movie script. The victims blindly walk into a huge trap plotted by the villains. The crime? Fraud -- lots of it. In the end, the villains get away with the proceeds, leaving the hapless victims penniless.

Problem is: This crime is not just playing out on the movie screen; it is happening in real life. Recent ACH fraud victims can attest to this fact. Ask Village View Escrow, PATCO construction or Choice Escrow.

"Doing right by educating your customers is a great start. If you're already doing it, do more."

Yet, despite these high-profile incidents, the results of a recent survey from the National Cyber Security Alliance say that small businesses are oblivious to the dangers they face from cybercrime. This statement should be a real wake-up call for not just the small businesses, but also the institutions that serve them.

Small business owners polled by Visa and the NCSA say they increasingly believe investments in cybersecurity are not justified by actual online threats, and the majority of cybercrime is focused on attacking large companies.

This attitude is manifested in practice, as 75 percent of owners say their employees have received less than three hours of network and mobile device security training in the past year, with 47 percent saying their employees received zero hours of training.

According to the Visa survey, more than 85 percent of small business owners believe that they are less of a cybercrime target than large companies, and 54 percent believe they are more prepared to secure sensitive customer and corporate data than large businesses. In addition, 84 percent agree that they have the policies and procedures in place for keeping data and computer systems secure.

The findings are surprising in light of growing concern from security experts and law enforcement that hackers and cybercriminals are honing in on small businesses as their new targets. In October, Ukraine authorities arrested a number of individuals who allegedly stole $70 million from U.S. bank accounts in an elaborate scheme targeted at U.S. small and medium-sized businesses.

What can financial institutions do to help raise awareness among their business customers? For a start, institutions of every size need to do much more to reach out and talk to their commercial account holders, educate them about the need for cybersecurity and sound security policies. Think of holding a "security 101" class for your small businesses to help them get up to speed on what they need to do to protect themselves and their customers. Along with creating some goodwill among your small business account holders, you'll be doing double duty in protecting your interests as well. Imagine having to tell the same businesses that their commercial accounts were hit in a corporate account takeover scheme and they're out thousands of dollars, or that their point of sale terminal shows that it has been swapped and a hacker has taken hundreds of their customers' credit card numbers. Doing right by educating your customers is a great start. If you're already doing it, do more.

Small businesses underestimate their cybercrime risk

Most small-business owners say they don't think cybercrime will happen to them, data show. While 84% of small-business owners say they have procedures in place to keep their data safe, about the same percentage say they think bigger companies are more of a target, according to a survey sponsored by Visa and the National Cyber Security Alliance.

Rising Number of Information Security Breaches in U.S. Authorities Consider Mandatory Reporting

Recently, identity theft center revealed 662 instances of data breach in U.S over the last year. However, there are no accurate figures on the number of records breached. Data breach may be caused by hacking, human error, phishing, employee theft and other forms of malicious attacks. Data breach results in disclosure of sensitive personal, financial and business information. The information may include names, addresses, social security numbers, protected health information (PHI), credit card number, bank account details, company strategies and confidential reports. Offenders may use the collected information for identity theft or to steal money. Offenders may also sell the information to their underground peers or to the competitors of an organization. Majority of the reported breaches were related to disclosure of social security numbers and, credit and debit card details. Therefore, individuals and organizations must place high emphasis on information security.

However, several data breaches go unreported. Negligence, lack of awareness on the consequences of data breach and reluctance to initiate legal action are some of the reasons that prevent affected individuals from reporting data breach incidents. In some cases, data breach reports by public authorities and organization do not contain specific details on the type of data breach, number of records compromised and number of individuals affected. Only 51% of the data reported breaches indicated the number of records compromised. Proper reporting of data breach is crucial to understand the threat pattern, severity of threats, consequences of the data breach and mitigating measures required.

Organizations must educate their employees on safe computing practices to avoid data disclosure and theft. Regular vulnerability assessment tests and use of ethical hacking may aid the organization in understanding the threats and initiating counteractive measures.

Identity Theft “Red Flag Rules” Raise Ire of AMA

Nο one wаntѕ tο bе thе target οf identity theft, аnd уеt, despite consumer awareness аnd prevention practices, іn 2008 ten million people wеrе victimized. It seems lіkе everyone ѕhουld bе overjoyed аt programs tο curb thіѕ threat frοm thе creditor’s side.

Nοt ѕο. Sοmе organizations, such аѕ thе American Medical Association, feel thаt thеіr members ѕhουld bе exempt frοm developing аnd implementing written identity theft prevention аnd detection measures.

Resistance frοm thе AMA hаѕ bееn ѕο strong thаt thе deadline fοr putting thе Red Flag Rules іntο practice hаѕ bееn delayed 3 times ѕіnсе іt’s inception іn November 2007. Thе nеw deadline іѕ November 2009.

Banks аnd οthеr credit issuing entities аlѕο object tο monitoring thе 26 red flags designed tο prevent anyone frοm using another person’s identity – fοr gaining credit, fοr getting a job, fοr renting аn apartment, οr fοr obtaining medical care under another’s insurance policy.

Whу? Thеу feel thаt thе nеw rules аrе “excessive аnd overly burdensome.” Hυgе banks wіll probably hаνе nο trουblе wіth compliance, bυt smaller organizations without a large staff mау hаνе tο hire 3rd party companies tο carry out thіѕ function. Eіthеr way, implementing thе Red Flag rules wіll сυt іntο profits.

One objection frοm thе AMA іѕ thаt physicians ѕhουld nοt bе classified аѕ “creditors,” even though thеу grant credit whеn thеу accept payments fοr care, οr whеn thеу wait fοr payment until аn insurance company responds tο billings.

Lawmakers аrе nοt heeding thіѕ argument, bесаυѕе thеу аrе particularly concerned wіth “medical identity theft.” Nοt οnlу саn thieves obtain medical care using someone еlѕе’s insurance, thе resultant medical records сουld bе medically dаngеrουѕ tο thе person whose identity wаѕ stolen.