Data Breach Denial
All Maine businesses realize that their customers’ data can become compromised. But do we really get how easy it is for hackers to steal our data and how incredibly expensive it is to deal with? Probably not.
Several weeks ago, I gave a presentation on computer security at a medical conference in Boston. My session was scheduled for first thing on Saturday—before the morning’s caffeine prescriptions would have a chance to work their magic.
To try to improve the audience’s blood flow and raise awareness of the pervasiveness of data breaches, I asked for a show of hands for this simple question: “Have you ever received an unsolicited replacement credit or debit card more than six months in advance of the expiration date of your old card?” More than three-quarters of the audience raised their hands.
“Why do you think they sent you a new card?” I asked, considering that replacement cards are very expensive for banks to produce.
No one knew why. The reason, I said, was that their credit card number—and probably many more—had likely been compromised. You could hear the gasps pop through the room.
While those physicians already invest in some computer security to be HIPAA compliant and take credit card co-pays, unless they’d had their lives upended by identity theft or a similar data breach, they (indeed, most of us) are probably unaware how vulnerable they are, both personally and professionally.
The sad fact is that data breaches are much more prevalent than most of us think. In the week before the conference, about 651 people were killed in car accidents in the U.S. In the week before the conference, nearly half a million data records were reported as being breached.
The numbers are actually worse than that: Although the majority of states have data breach reporting requirements, both the number of actual breaches and the number of records compromised are generally considered to be underreported.
But so what, the physicians probably wondered. What harm is really done? Well, depending upon whose statistics you believe, the cost to remediate a data breach ranges from $220 to $330 per record.
“That means,” I told my audience, “if you are a primary care physician with 4,000 patients, your cost to remediate a data breach could exceed $1 million.”
One doc brazenly claimed, “I have insurance; I won’t need to pay that $1 million.”
Really? I reminded him that property and casualty insurance covers tangible property; data isn’t tangible. General liability and malpractice don’t cover this either. Only special data breach insurance covers these costs.
At that point, everyone in the audience was wide awake.
A woman asked this question: “Why, if data breaches are so prevalent, expensive, and not often insured against, doesn’t the media make a bigger deal over them?”
My theory, I said, is because data breaches are like deaths from car accidents: Unless you have good video or know the deceased, the unfortunate truth is that most people don’t pay attention.
I did have some good news for my audience: Once they find themselves in a regulated environment where computer security is mandated, such as health care, it doesn’t cost that much more to be “very secure” as opposed to just “compliant.”
The bad news is that being “compliant” isn’t necessarily “secure” at all.
Take the case of a New England retailer who, at the time of their massive breach, was compliant with the PCI (payment card industry) standards for credit card processing. The PCI standards at the time mandated that all credit card-related data sent over the Internet between stores be encrypted—but that intra-store data transfers need not be encrypted.
The theory was that, behind the corporate firewall, customers’ credit card data was safe. Therefore, each store had a local server, and the credit card swipe devices (or pin pads) at each cash register sent data to the store’s server unencrypted. The in-store server then encrypted the data and sent it out on its way.
The hackers figured out a way to get into the company’s network and installed malware that recorded the unencrypted card numbers and, in the case of debit cards, the PINs. We all know what happened next.
After the details of this breach became well-known, the PCI standards were modified to require end-to-end encryption. But the horse was already out of the barn.
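The difference between the two designs above is where the card data gets encrypted: at the store server (so the pin-pad-to-server link carries cleartext) or on the pin pad itself (so nothing readable ever crosses the store network). The following is an added illustration, not code from the column or from the retailer's systems: it simulates both layouts with a constructed test card number, records every frame on the in-store link the way the malware in the story did, and checks whether the card number is recoverable from that recording. The HMAC-SHA256 counter-mode cipher is a stand-in for a real point-to-point encryption scheme such as AES-GCM; the key names and the `StoreLan` class are assumptions made for the example.

```python
"""Hop-by-hop vs point-to-point encryption of card data inside a store (constructed example)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keystream and MAC keys from one device key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 used as a PRF (stand-in for AES-GCM).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified frame is rejected, not decrypted."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class StoreLan:
    """The pin-pad-to-store-server link (assumed model). Every frame sent over it is
    recorded, which is what the malware in the column did to in-store traffic."""

    def __init__(self):
        self.captured = []

    def send(self, frame: bytes) -> bytes:
        self.captured.append(frame)
        return frame


def hop_by_hop_swipe(lan: StoreLan, pan: str, store_server_key: bytes) -> bytes:
    """Pre-breach layout: the pin pad sends cleartext; the store server encrypts for the WAN."""
    at_server = lan.send(pan.encode())
    return encrypt(store_server_key, at_server)


def point_to_point_swipe(lan: StoreLan, pan: str, device_key: bytes) -> bytes:
    """Post-breach layout: the pin pad encrypts before anything leaves the device;
    the store server only forwards ciphertext it cannot read."""
    return lan.send(encrypt(device_key, pan.encode()))


def pan_visible_on_lan(lan: StoreLan, pan: str) -> bool:
    """Defender's check: does any recorded in-store frame contain the card number in clear?"""
    return any(pan.encode() in frame for frame in lan.captured)


def demo() -> dict:
    pan = "4111111111111111"  # constructed test card number, not a real account
    store_server_key = secrets.token_bytes(32)
    device_key = secrets.token_bytes(32)  # key shared only by the pin pad and the processor
    old_lan, new_lan = StoreLan(), StoreLan()
    hop_by_hop_swipe(old_lan, pan, store_server_key)
    wan_blob = point_to_point_swipe(new_lan, pan, device_key)
    return {
        "old_design_exposes_pan": pan_visible_on_lan(old_lan, pan),
        "new_design_exposes_pan": pan_visible_on_lan(new_lan, pan),
        "processor_recovers_pan": decrypt(device_key, wan_blob).decode() == pan,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the old layout leaves the card number readable on the in-store link while the point-to-point layout does not, and that the processor holding the device key can still recover it. The point for a store operator is that the store server and everything on the LAN stop being part of the trust boundary once the device itself encrypts.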
The retailer was forced to throw out every single one of their card swipe devices in every store, and replace them with pin pads that encrypted everything. Sales declined appreciably for several months as wary consumers went elsewhere to avoid exposing their credit and debit card data to a network proven to have been insecure. Then all the lawsuits hit, including one from a bank that wanted the retailer to pay for all those replacement credit and debit cards the bank had to send out.
So what’s a retailer or physician or business manager to do? First, accept that regulations and standards are only a starting point for good security. Going above and beyond them doesn’t cost all that much more, and provides really cheap “insurance” against the $220-to-$330 per-record costs to remediate a data breach.
Second, staff training is imperative. In the past few years, firewalls and security hardware and software have gotten so much better that the bad guys now rely more on social engineering than on brute-force machine-to-machine attacks.
Third, trust but verify. Getting a second set of eyes from a recognized security firm on your corporate IT infrastructure is a good thing to do—before the horse has left the barn.
L. Mark Stone is the founder of Reliable Networks, a technology consulting and managed services firm in Portland. You can learn more about his company at www.reliablenetworks.com
