Reliance Jio data breached by website, company says it is ‘unauthentic’

A website has claimed to have posted subscriber data of Reliance Jio customers, including email IDs, names and Aadhaar numbers, on the website magicapk.com. While it couldn’t be confirmed whether the data related to all of Jio’s 120 million subscribers was uploaded, queries made through the website for some older numbers returned with information of all the fields.

A website has claimed to have posted subscriber data of Reliance Jio customers, including email IDs, names and Aadhaar numbers, on the website magicapk.com. Hours after the initial reports of the data being posted on the website on Sunday, it was suspended.

Read more on this news.

94% of healthcare organizations had a data breach last year

The Ponemon Institute just released their third annual “Benchmark Study on Patient Privacy & Data Security.” Sponsored by ID experts, the survey and report looks at data breaches in the healthcare industry. While some organizations have taken steps to strengthen their privacy and security programs the research indicates the majority lack budget and resources to prevent or detect breaches.

The survey reveals some impressive data, similar to the trends last year. While 94% of the healthcare organizations have reported at least one incident, as many as 45% organisations reported more than 5 data breach incidents. The report is talking about clinics and hospitals that are part of a healthcare network (46%), integrated delivery systems (36%) and standalone hospital or clinic (18%).

Data breaches of health records information continue to be a problem for the entire health care industry. Healthcare organizations have been increasingly facing fines due to the unauthorized disclosure of patient information. High numbers of patient accounts are involved anytime a breach happens which can amount to several hundred thousand to several million dollars in fines.

Disclosures made regarding a patient’s protected health information (PHI) without their authorization is considered a violation of the Privacy Rule under HIPAA.

Costs of data breach

What causes the data breaches?

No doubt, the data breaches are costly in terms of HIPAA compliance and penalties, what really is causing this?

A report from the Health Information Trust Alliance (HITRUST) shows that the biggest cause of HIPAA data breaches is theft and loss of laptops and other portable media, not hackers. The perps are most likely not after the health data, they are after the devices themselves, and your staff unfortunately makes it relatively easy for them to gain access to the critical HIPAA data just came along for the ride.The HITRUST research found that only 8% of the breaches were caused by hacking and/or malware. HITRUST is a national consortium of healthcare professionals that helps the health industry protect patient data.

Is BYOD penetration a reason for high number of violations? Ponemon reported that 81% of its survey respondents said they allowed BYOD to access organizational data, and 54% said they were not sure if those devices were secure.

Sarah Kliff reported recently in the Washington Post’s Wonkblog that doctors emailing with their patients is becoming increasingly common. That means that the industry needs to pay particular attention to smartphones, wrote Art Gross at the HIPAA Secure Now blog. In a post titled, “Your Smartphone Will Cause Your Next Data Breach,” Gross aims his argument at healthcare workers who don’t think they have any patient information on their smartphones.

“Smartphones can be used to access EMRs [electronic medical records], PACS [picture archiving and communication system], to provide remote access to [spreadsheets and documents] and run thousands of applications that may contain patient information,” he wrote.

Recommendations

As the case with any information sensitive organization, healthcare industry to focus on their data security processes and best practises of information security. As the threat landscape changes rapidly and the value of information increases, management need to focus more on securing their IT assets. IT risk assessments need to be carried out at frequent intervals than a routine annual assessment. There is a need to set up[ a proper IT Governance mechanism at board level to ensure the important resource to the organization- data – is protected.

In its recent report, HITRUST recommends specific measures to control the data breaches in the health care industry.

Endpoint Security

o Conduct an accurate inventory of endpoint devices and develop a “bring your own

device” (BYOD) policy and management program.

o Ensure email access is controlled and encrypt email

o Encrypt mobile computing devices and consider encrypting desktops

o Ensure less mobile endpoints such as servers are adequately protected

Mobile Media Security

o Restrict the use of unencrypted mobile media, including backup media such as

unencrypted tapes
Paper Records

o Ensure paper records are adequately secured when transitioning to an EHR system

o Make employees aware of proper handling and disposal procedures

o Provide an adequate number of shredders or shredding bins in convenient locations9

o Ensure bins are emptied regularly and require onsite shredding if possible

o Centrally store and manage paper records in a secure location
Business Associates (BA)

o Formally assess and manage the risks incurred with a BA

o Classify and manage risks based on impact and likelihood of a breach by the BA

o Periodically rePevaluate BAs based on changing risks but no less than every three years

o Limit BA access to only the information minimally necessary to conduct business
Physician Practices

o Treat physician practices that connect to your organization as high risk

o Require similar assurances from physician practices that you obtain from BAs

o Ensure risks are comprehensively assessed: administrative, technical and physical

o Minimize effort by leveraging existing resources from HHS, HITRUST and others

Mobile Security: Malware Threats

Secure your Mobile !


Mobile devices, of late, gaining popularity with the acceptance of BYOD (Bring your Own Device) policy across the Corporates. Many large organizations are realizing that it’s easier to develop and deploy their own secure apps for employees with off-the-shelf solutions. Barclays bank, one of the world’s largest bank, hits the News this week by giving 8,500 of its employees an early Christmas present: iPads !  According to Baxter-Reynolds, Barclays’ total cost of ownership for 8,500 iPads works out to approximately £13.8 million, or $2,600 USD per unit.

What about Information Security?

While Barclays is focusing on a bigger business gain and employee confidence, security, of course, is a major concern. “With the lockdown offered on iOS devices — including encrypted content — iPads have all the things that reassure the ‘necessarily-paranoid’ in any bank’s IT department,” wrote Charles Arthur in the Guardian UK, commenting on Barclays’ decision to go with iPads.

barclays logo Zack Whittaker at ZDNet agrees, saying Barclays confidence in IPad safeguards sets a trend for other companies, particularly banks. “The huge iPad deployment shows a significant level of trust in the Apple platform — that it’s secure enough for banking,” Whittaker wrote in his analysis. “Finance, after all, is only one-notch below national security in the grand scheme of data protection priorities.”

Mobile Security in General

Yes, Barclays invested huge amounts on the devices, training and security mobile logomanagement of mobile technology. Waht about other companies- big and small – adopting rapidly the policy of BYOD yet not fully geared to understand and prepare to the face the risk? FBI & Internet Crime Complaint Center (IC3are warning the smart phone users of malware targeting mobile devices. Malware seems to be the worst threat to the mobility considering the low levels of mobile security awareness equally among the management & users.

Some tips to secure your mobile 

  • When purchasing a Smart phone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
  • Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user’s personal data in the case of loss or theft.
  • With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.
  • Review and understand the permissions you are giving when you download applications.
  • Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.
  • Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware.
  • Be aware of applications that enable Geo-location. The application will track the user’s location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.
  • Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in “unrestricted” or “system” level within an operation system, it allows any compromise to take full control of the device.
  • Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
  • If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
  • Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.
  • Avoid clicking on or otherwise downloading software or links from unknown sources.
  • Use the same precautions on your mobile phone as you would on your computer when using the Internet.