Hidden vulnerabilities in everyday activities, from buying gas with a credit card to wearing a pacemaker, can expose personal information and lead to a data breach.
Every transaction and health record is now collected, categorized, sorted, and analyzed—and can be hacked. Microcomputers that control aspects of everyday life—from heart rhythms and insulin levels, to the operation of manufacturing plants and data centers, to the use of electricity in homes and gasoline usage in cars—are increasingly at risk for data breach and can threaten public safety.
Industry experts offer insights on the top hidden vulnerabilities that can cause a data breach:
1. Wireless medical devices. A wireless pacemaker can transmit patient data 24/7 that could be used to steal, exploit, or tamper with a patient’s health records, with potentially life-threatening consequences. – Rick Kam, president and co-founder, ID Experts.
2. Skimming devices at gas stations. Highly sophisticated credit card skimming devices at gas stations are stealing from consumers. A fake credit card reader is placed over the bank’s equipment; it captures a customer’s personal identification number and sends the credit card information to a nearby computer. – Dave Navetta, founding partner, Information Law Group.
3. Web crawlers/Web spiders. Search engines utilize software applications to systematically browse and index content available over the World Wide Web. An improper firewall setting could allow for the contents of a server containing sensitive personal information to be indexed and for that information to appear in search results. – Eric A. Bukstein, associate, Hogan Lovells.
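The exposure described in item 3 leaves a trace that a defender can look for: a search engine's crawler fetching, with a 200 response, a path that should never have been reachable anonymously. The script below is an added example (not code from the original article or from any of the quoted organizations). It parses a few constructed combined-format access log lines, reports successful crawler fetches under assumed sensitive path prefixes, and separately lists which of those prefixes a constructed robots.txt fails to disallow. The IP addresses, paths, dates and the prefix list are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in combined log format (not real traffic). The
# addresses, paths, timestamps and sizes are invented for this example.
SAMPLE_ACCESS_LOG = """\
66.249.66.1 - - [10/Mar/2014:09:14:22 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Mar/2014:09:14:25 +0000] "GET /records/patient_export.csv HTTP/1.1" 200 904211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
157.55.39.8 - - [10/Mar/2014:09:20:01 +0000] "GET /admin/ HTTP/1.1" 403 212 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.7 - - [10/Mar/2014:09:21:44 +0000] "GET /records/patient_export.csv HTTP/1.1" 200 904211 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
66.249.66.1 - - [10/Mar/2014:09:22:10 +0000] "GET /backup/db.sql HTTP/1.1" 200 33120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Constructed robots.txt for the same hypothetical server.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
"""

# Assumed path prefixes that must never be served to an anonymous crawler.
SENSITIVE_PREFIXES = ("/records/", "/admin/", "/backup/")

# Tokens by which the major search engine crawlers identify themselves.
CRAWLER_TOKENS = ("Googlebot", "bingbot", "Slurp", "DuckDuckBot", "Baiduspider")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    status: int
    ua: str


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_crawler(ua):
    return any(tok in ua for tok in CRAWLER_TOKENS)


def find_indexed_sensitive_paths(log_text):
    """One Finding per request where a self-identified crawler got a 2xx for a
    sensitive path. A 403 on the same path means access control worked and is
    not reported; a non-crawler client is out of scope for this check."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_crawler(rec["ua"]):
            continue
        if not rec["path"].startswith(SENSITIVE_PREFIXES):
            continue
        if 200 <= rec["status"] < 300:
            findings.append(Finding(rec["ip"], rec["path"], rec["status"], rec["ua"]))
    return findings


def prefixes_not_disallowed(robots_txt, prefixes=SENSITIVE_PREFIXES):
    """Sensitive prefixes with no Disallow rule in a 'User-agent: *' group.
    robots.txt is advisory: it keeps well-behaved crawlers away but is not
    access control, so the real fix for a hit here is the server configuration."""
    groups = []          # list of (agents, disallows)
    in_agents = False    # consecutive User-agent lines form one group
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not in_agents:
                groups.append(([], []))
                in_agents = True
            groups[-1][0].append(value)
        else:
            in_agents = False
            if key == "disallow" and groups and value:
                groups[-1][1].append(value)
    disallowed = {d for agents, ds in groups if "*" in agents for d in ds}
    return [p for p in prefixes if not any(p.startswith(d) for d in disallowed)]


if __name__ == "__main__":
    for f in find_indexed_sensitive_paths(SAMPLE_ACCESS_LOG):
        print(f"crawler {f.ip} fetched {f.path} with HTTP {f.status}")
    print("not disallowed in robots.txt:", prefixes_not_disallowed(ROBOTS_TXT))
```

On the sample data this flags the two Googlebot fetches under /records/ and /backup/ and ignores the bingbot request that was correctly refused with a 403. The robots.txt check is deliberately kept separate: a missing Disallow line explains why a crawler tried the path, but only the 200 in the log shows that the server actually handed the content over, which is the condition item 3 describes.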
4. Paper records. Covered entities are now so focused on IT security matters that there is a danger that basic privacy safeguards for paper records will not keep up with changes in work processes. Safeguards for handling paper records are needed, as much as ever, to keep protected health information out of the wrong hands during routine use, as well as en route to storage, the shredder, or disposal. – Terrill Clements, equal opportunity specialist, U.S. Department of Health and Human Services, Office for Civil Rights – Region X.
5. Malicious mobile applications. Smartphone applications are fun, useful, and prevalent. But malicious code can be easily embedded within applications, with the sole intention of grabbing and stealing consumer data, including credit card numbers and other personally identifiable information. – Robin B. Campbell, senior counsel, Crowell & Moring.
6. Search history poisoning. Cyber criminals will continue to infiltrate search engine algorithms and other search mechanisms that control what information is presented to users on the Internet, potentially giving hackers access to the user’s personal information. Researchers believe that manipulating users’ search histories may be the next step for attackers to use legitimate resources for illegitimate gains. – Steven Anderson, vice president and senior underwriter, XL Group.
7. Bring Your Own Device (BYOD). Most organizations now allow employees to access company data via personal smartphones, yet lack appropriate security protocols to protect the data, thus adding significant risk exposure to patient records. – Robin Slade, development coordinator, Medical Identity Fraud Alliance.
8. Cloud-based file sharing tools. Storing unencrypted files and documents can put data at risk for loss or hackers. Organizations should take precautions when using file-sharing services in the cloud so they don’t expose sensitive information. – Larry Ponemon, chairman and founder, The Ponemon Institute.
9. LinkedIn lurking. If your LinkedIn profile contains the words “payroll,” “HR” or “Finance,” you’ve painted a bull’s-eye on your back for spear phishing. Not only that, LinkedIn provides the hackers with the names of your closest contacts, people whose emails you’re more likely to open if the hackers try using password-stealing malware. – Winston Krone, managing director, Kivu Consulting.
10. Human error. A growing majority of breaches occurs because of human error inside an organization; we recognize this based on the claims we are paying. Organizations should be asking how personally identifiable information is being handled, stored, and accessed, and who is accountable for protecting it. An organization should have the right policies, procedures, and training in place to build awareness around the importance of protecting this data. It should be from the top down. – John Gambale, head of professional liability, U.S. and Canada, AIG.
“Emerging privacy and security vulnerabilities are often overlooked in planning for PII and PHI security,” said Rick Kam, president and co-founder of ID Experts. “The problem is that any computer can be hacked; and any device is capable of transmitting personal information. Proactive assessment can help organizations minimize risks to their customers and their business.”