The Green Sheet Online Edition

September 24, 2012  •  Issue 12:09:02


Health-care fraud: Back with a vengeance

By Nicholas Cucci

Some 25 incidents affecting over 215,000 individuals were added to the tally of health-care breaches in the past month. The total since 2009 is now at 489 such breaches affecting over 21 million individuals. The past month was the second in a row with a substantial number of breaches being added to the total.

Although no new breaches were reported for several weeks in the spring of 2012, 79 incidents have occurred so far this year, affecting nearly 2 million people. The loss or theft of unencrypted computing devices or storage media remains the No. 1 cause. Almost 53 percent of all breaches since 2009 have stemmed from this cause.

One bad apple can wreak havoc

Memorial Healthcare Systems in Hollywood, Fla., revealed the largest of this year's incidents in July. This breach involved unauthorized access to more than 102,000 electronic health-care records, which occurred from Jan. 1, 2011 to July 5, 2012.

MHS posted a statement indicating that, during a review that began April 27, 2012, it "discovered that an employee of an affiliated physician's office may have improperly accessed patient information through a web portal used by physicians who provide care and treatment at MHS." Patient names, dates of birth and Social Security numbers may have been accessed. Some other notable health-care breaches this year took place at:

It's not your ancestor's spear fishing

A threat affecting health-care, among other industries, is spear phishing, in which fraudsters target specific individuals with tailored messages. This can be done via email, text messaging (SMS) or any social media avenue.

Criminals are also using malware attacks to take advantage of security weaknesses in Microsoft Corp.'s Windows operating system. Such malware can be installed via a back-end attack or by getting an employee with administrative privileges to open a malicious link. The fraudster then exfiltrates data by using a file-transfer capability built into the malware to export it automatically, by emailing it out, or by having an insider copy it onto a separate drive.

Enemies are poised to strike

ISOs and merchants can create barriers to entry by monitoring incoming and outgoing traffic on their networks for anomalies, using third-party forensics companies to evaluate networks and systems, and performing regular risk assessments.

Detecting fraud patterns across multiple channels has been an ongoing challenge for most ISOs, banks and credit unions. After a health-care data intrusion is discovered, organizations are required to disclose the nature and scope of the breach to the Office for Civil Rights (OCR), to be added to what is known in the industry as the federal government's "Wall of Shame" (see www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html). According to the OCR, the health-care records of nearly 30 million people have been compromised since September 2009.

Time to trumpet the message

Most entities - private and public - are doing an abysmal job of protecting data. So this is a good time to broadcast more information about compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards, and the Health Insurance Portability and Accountability Act (HIPAA).

Control measures are an important aspect of maintaining secure business practices. The human element is the hardest part to control. The PCI DSS limits access to cardholder data to minimize the risk of theft; access should be strictly limited to people who have a business need for it. Additionally, each person with access must have a unique identifier, and organizations must ensure a full audit trail.
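As an added example (not from the article), this is the kind of review that a full audit trail with a unique identifier per user makes possible: it flags a portal account, like the affiliated-office user in the MHS case above, that views far more distinct patient records than its peers. The log format and every sample line are constructed for the example.

```python
"""Audit-trail review for a clinician web portal: flag users whose count of
distinct patient records is far above their peers'.  Added example; the log
format (timestamp user patient_id) is an assumption and all lines are constructed."""
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed audit trail: two clinicians with normal volumes and one
    affiliated-office account paging through many records."""
    lines = [
        "2012-04-01T08:02:11 dr.alvarez P10001",
        "2012-04-01T08:15:40 dr.alvarez P10002",
        "2012-04-01T09:01:05 dr.alvarez P10003",
        "2012-04-01T11:20:19 dr.alvarez P10005",
        "2012-04-01T08:10:02 nurse.okafor P10001",
        "2012-04-01T08:44:31 nurse.okafor P10004",
        "2012-04-01T10:03:27 nurse.okafor P10003",
        "2012-04-01T10:09:55 nurse.okafor P10001",  # repeat view of one patient
    ]
    for i in range(60):  # one distinct record per minute, constructed
        lines.append(f"2012-04-01T07:{i:02d}:00 affil.clerk P2{i:04d}")
    return "\n".join(lines)

def parse_events(text):
    """Return (user, patient_id) pairs; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append((parts[1], parts[2]))
    return events

def distinct_patients_per_user(events):
    """Distinct patient records per user, so repeat views do not inflate counts."""
    seen = defaultdict(set)
    for user, patient in events:
        seen[user].add(patient)
    return {user: len(patients) for user, patients in seen.items()}

def flag_outliers(counts, factor=5, floor=10):
    """Users above `factor` x the peer median and at least `floor` records;
    the floor keeps tiny peer groups from producing noisy alerts."""
    if not counts:
        return []
    peer_median = median(counts.values())
    return sorted(u for u, n in counts.items() if n >= floor and n > factor * peer_median)

def review(text):
    """Audit text -> sorted list of users whose access needs justification review."""
    return flag_outliers(distinct_patients_per_user(parse_events(text)))
```

A flagged account is a prompt for access-justification review against the user's business need, not proof of misuse on its own.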

The PCI DSS covers anyone who processes or stores credit card information. PCI compliance requirements are tiered: the volume of card data an organization handles determines the compliance level it must meet. HIPAA covers all health-care providers who have access to and store sensitive medical data.

To achieve full PCI compliance, organizations must implement every prescribed control, whereas HIPAA distinguishes between "required" and "addressable" actions. HIPAA contains general rules; the PCI DSS is direct and specific.

Stealing data pays

Following are some current black market values for stolen financial data, according to RSA, the Security Division of EMC Corp.:

So take measures now to keep your organization off the Wall of Shame. To paraphrase Sun Tzu (by way of The Godfather's Michael Corleone): Keep your storage devices close, and your employees closer.

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at ncucci@nmi.com.
