Facts about Hacks

Bellcurve Technology

4114 Clubhouse Road, #943

Highland City, FL 33846

1 813.540.0454


This year saw a sort of milestone for the engineers at Bellcurve Technology, and it wasn't a good one. This year marked 16 years of representing customers in one capacity or another, and it was also the year we saw our 40th data breach. Ten of those 40 breaches were significant; two were rated "the biggest medical data breach of 2011" and another client claimed the same title in 2012. Just to be clear, they were NOT our customers when the breach happened (NO customer of Bellcurve Technology has EVER had a data breach or faced ANY kind of fine from local, state or federal regulators), but they became our customers shortly after. Across all of the breaches we have seen there are three common threads, and in an effort to shed some light on the factors that lead to a data breach we are sharing them here. They are as follows:

1) ALL of the customers that had a data breach had an IT department or a contract with a company to provide IT services.

2) ALL of the data breaches had a human element, i.e. either through intent or through accident a human caused the breach.

3) NONE of the customers who had a data breach had been through an audit in the prior 12 months.

Number one is really not much of a surprise if you think about it. Most companies either contract for IT services or, if they are big enough, run their own internal department. The problem is that an IT department has to do everything in the workplace: printers, laptops, servers, applications, phones. They have to support them, patch them, and build them for the departments that need them YESTERDAY (hint: developers aren't very patient). In short, they have little time to devote to security and security alone. They don't have the time to trawl the dark web, read 20-30 articles a day and practice with the latest tools to stay on top of current threats. Their primary function, as it should be, is keeping your company operating so you can make money.

Number two is also not a surprise if you think it through. Of the ten biggest data breaches we have seen, ONE was intentional (and the person will be in prison until 2022); the other 9 were the direct result of a machine, application, server or firewall being incorrectly configured. A misconfiguration is still a human error, just an unintentional one, and it is exactly the kind of error an outside scan catches before an attacker does. Since then our customers have learned that before they put a new service on the Internet they let us scan it from outside the perimeter and make suggestions about ways to secure it. This is a classic case of an ounce of prevention being worth a boatload of headaches from OCR after you have to declare a HIPAA breach!
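What a pre-exposure scan boils down to is an allow-list check: the only ports that should answer from the Internet are the ones the service is meant to expose, and anything else reachable (a database, RDP, SSH left open by a firewall rule that never got tightened) is the misconfiguration described above. The script below is an added example written for this page, not Bellcurve's tooling; the 443-only policy and the list of "risky" management ports are assumptions chosen for illustration, and the demo at the bottom runs against a throwaway listener on localhost rather than a real host.

```python
"""Pre-exposure check for a new Internet-facing service (added example,
not the article's own tooling).  Probe the host from outside the perimeter
and compare what actually answers against the allow-list of ports the
service is supposed to expose; anything else reachable is the kind of
firewall/server misconfiguration the article blames for 9 of its 10 breaches.
"""
import socket
import threading
from contextlib import closing

# Assumed policy for the example: a public HTTPS service answers on 443 only.
EXPECTED_OPEN = {443}

# Assumed list of management/database ports routinely found exposed by accident.
RISKY_PORTS = {22, 23, 445, 1433, 3306, 3389, 5432, 5900, 6379, 9200, 27017}


def probe(host, port, timeout=0.5):
    """Return True if a TCP connect to host:port completes (something is listening)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def classify(open_ports, expected_open, risky_ports=RISKY_PORTS):
    """Pure policy check: split observed listeners into expected/unexpected,
    flag unexpected ones that are high-risk management ports, and report
    expected ports that are NOT answering (a broken deployment, not a leak)."""
    open_ports = set(open_ports)
    expected_open = set(expected_open)
    unexpected = open_ports - expected_open
    missing = expected_open - open_ports
    return {
        "open": sorted(open_ports),
        "unexpected": sorted(unexpected),
        "high_risk": sorted(unexpected & set(risky_ports)),
        "missing": sorted(missing),
        "pass": not unexpected and not missing,
    }


def audit_exposure(host, ports_to_probe, expected_open):
    """Probe each candidate port on host and evaluate the result against the allow-list."""
    open_ports = {p for p in ports_to_probe if probe(host, p)}
    return classify(open_ports, expected_open)


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral port to stand in for a
    stray service that was left reachable; returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed demo on localhost: a stray listener is up, 443 is not.
    stray = start_listener()
    report = audit_exposure("127.0.0.1", [443, stray] + sorted(RISKY_PORTS), EXPECTED_OPEN)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it from a host outside your firewall against the new server's public address with the real allow-list; a failing report means either a stray listener to close or an expected port that the firewall is blocking, and both are worth knowing before go-live rather than after.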

Number three is the one that just kills us. An average doctor's office takes about 20 hours to audit and secure (we don't just hand over a list of what is wrong, we fix it as we go). So for the lack of a $2,500 security audit, these companies faced fines of up to $1 million, loss of reputation, loss of business and in some cases criminal charges. This is an entirely preventable set of circumstances. HIPAA's Security Rule requires a documented risk analysis and periodic evaluation, HITECH added OCR's audit program and stiffer penalties, and annual is the expected cadence; not having a solid track record of those assessments makes you a target for OCR. Gone are the days of warnings and token fines. One only needs to look at the "wall of shame" OCR hosts at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (the breach reports covered entities must file for incidents affecting 500 or more individuals) to see that no one is safe from the long arm of the law.