Thursday, December 16, 2010

How Viral Is That?

In my earlier post today, I blogged about the loss of memory cards at an Arizona hospital that had information on some 2,200 patients who had endoscopies. Now the California Department of Public Health reported that it lost data for more than 2,500 facility residents, department employees and other healthcare workers. How viral is that?

This past year the CDPH fined hospitals guilty of losing patient records. It was supposed to beef up its efforts to protect this from happening again, but that hasn't happened. In this case, the information that was lost was stored on magnetic tape that was not encrypted. The data on this tape contained more information than the memory cards in the Arizona health center. Names, Social Security numbers, e-mail addresses, background and medical health information -- all you need, and then some, for identity theft.

Two things happened to compromise the safety of this data. First, the field office, where the tape originated, failed to encrypt the files, as per normal procedure. Then they sent it to the central office via USPS instead of by courier. The envelope arrived, but it was unsealed and empty.

When there is vulnerability in security, it's often because a company doesn't want to spend the money on upgrades. As everyone knows, California is in dire financial straits. But this time lack of sufficient funding wasn't the culprit. It was just a lack of following proper procedures. All that's really required are reminders everywhere -- on posters and on every computer monitor:

MIND THE SECURITY GAP

On the Alert

Call me paranoid, but I believe that people have to be alert 24/7 about their personal data. Recently I posted a blog about how information stolen in Fort Hood, Texas about 20 soldiers led to more than 2,000 attempts to use their identities to make money. Here's a more staggering statistic: 2,284 endoscopy patients' information is missing because two data cards were lost or misplaced at the Mountain Vista Medical Center in Mesa, Arizona two months ago.

People tend to think in a linear fashion. Health care workers concentrate on their patients, as they should, but they need to be trained to think of every component in their workplace as cash to be guarded. No doubt they are careful about the equipment they use insofar as they try to avoid physical damage. But, like every worker I've dealt with in offices, they don't think too much about the IT part. If there's a problem, they just call IT to fix it. In this case, the issue is the privacy of the patients' medical information (names, dates of birth, ages and genders), not their addresses, Social Security numbers and credit card information. Still, it was enough for the medical center to notify patients of the incident and to offer them the standard patch -- one year of free credit monitoring services.

Fortunately, the hospital has revised its security procedures for storing compact memory cards and is retraining employees on procedures related to confidentiality and security. That said, there is reason to be concerned about other security vulnerabilities at the hospital. Hackers don't give up. Just yesterday, my wife was at a small credit union in Stamford and one of the top employees said, "You can't simply throw out papers anymore. You have to shred them." She went on to explain that if a hacker isn't successful right away, he or she will wait a few months to use the information he has. Time is on the side of the hackers.

Wednesday, December 8, 2010

Think Your Money Is Safe? Read This.

Loss of savings is a daily concern for many people since the economic meltdown more than two years ago. Lately, there have been more threats of loss of savings due to security vulnerabilities in the U.S. government. A new report by the Government Accountability Office states that the Federal Deposit Insurance Corporation lacks adequate encryption of "sensitive information transmitted over its network." It also found that the FDIC has "inconsistent identification and authentication user controls" and needs to beef up its internal monitoring and auditing practices. One example the GAO cited was the existence of default installation user IDs on some of its UNIX servers. Another is that the data network and the voice network share the same network.

I'm not a heavy-duty UNIX administrator, but I know enough about UNIX. It's an open system that is widely used in servers, on workstations and in mobile devices. It's critical that companies have policies and firewalls in place to avoid unauthorized penetration of their systems.

It's ironic that after all these years, the FDIC increased its insurance protection in case banks went under. Now people have to worry that their savings might be lost because of inadequate data security.

Monday, December 6, 2010

Identity Theft Problem Goes Global

Some people think I go overboard in trying to protect my Social Security number. Several weeks ago I blogged about an audit in the Social Security department which uncovered issues in the process of procuring and installing software. Now West Point Professor Lt. Col. Gregory Conti, a former Army intelligence officer, has released a scathing report about the appalling carelessness in the military with regard to personal information.

Apparently, since the 1960s, military personnel have used their Social Security numbers in everyday settings. Checking out sports equipment? Your Social Security number, please. Yes, sir. Flu shot? We need your Social Security number. Yes, sir. The New York Times reported that "thousands of soldiers in Iraq even stencil the last four digits onto their laundry bags." Although the Department of Defense claimed two years ago that it would limit the use of Social Security numbers, it hasn't happened. Only last week did the Defense Department decide to stop putting Social Security numbers on military ID cards, and that change isn't scheduled to take effect for another five months. Moreover, Col. Conti noted, "The farther you get away from the flagpole at headquarters, these policies get overturned by operational realities."

I have never served in the military or navy, but it doesn't take much imagination to think of scenarios in which identity theft is the last thing on a soldier's mind. But soldiers don't have to be in combat to be at a heightened risk for identity theft. Last June, a Staten Island D.A. indicted a gang who stole the identities of 20 soldiers in Fort Hood, Texas. The theft was traced to a former Army member who moved to New York. The gang made more than 2,500 attempts to use the soldiers' identities.

20 soldiers, 2,515 attempts total = 125 attempts per identity theft victim

It gets worse. It's not just the possible carelessness of a soldier or the bureaucracy of the military. Children as young as 10 years old whose parents are in the military carry ID cards that have Social Security numbers. As every parent knows, young children aren't always careful.

The Defense Department is trying a new campaign to make its personnel aware of the problem but, in my opinion, it's moving at a snail's pace. The biggest threat is to those who are stationed overseas. They have no control over what's going on here if someone has their Social Security numbers. If the Defense Department asked me, I would immediately issue new identity cards without Social Security numbers, have the old ones shredded, and have the bags of shredded paper hauled away with a military police escort.

Call me paranoid about identity theft, but I don't want to have the burden of proof on me that I didn't authorize credit card charges. I'm proud of my credit rating and want to keep it perfect.

http://www.nytimes.com/2010/12/07/technology/07identity.html
http://smallwarsjournal.com/blog/2010/12/the-militarys-cultural-disrega/