Hurricanes vs. Equifax – Compare and Contrast
Did we really need one more piece of bad news as summer wound down? The devastation and losses across Texas, Louisiana, Florida and the Caribbean had many of us on the edge of our seats from August 25 through last weekend. From the safety of high ground in the Midwest we were not directly affected by Harvey or Irma other than a temporary surge in gas prices. But friends, relatives and customers have suffered terribly. Homes were destroyed and lives were lost. We donated money, we filled boxes with cleaning supplies and diapers to ship south, we checked in with friends. We breathed some relief – it could have been worse.
Then in marched Equifax. Not as visual a disaster, perhaps not as obviously heartrending but yes, it is a disaster of unprecedented proportion, affecting 143 million people directly - over half of American adults. It is insidious precisely because the damage is not visual and not at all obvious. The potential economic damage to millions of people is underground, perhaps not immediate, but waiting to emerge as cyberthieves find ways to use your data to enrich themselves.
How Did It Happen?
Negligence. It now appears that the vulnerability (the open door used by hackers) was in a software application that Equifax uses but had failed to “patch,” although the patch had been available since March. More reporting on that here.
If You Aren’t Worried, You Aren’t Paying Attention
If your personal information was not compromised in 2015 by the Anthem or IRS data breaches, it most likely is now. The Equifax breach gathered more data than either of those, and it’s all in one place, making identity theft much easier. Sensitive information stolen includes names, birthdays, addresses, Social Security numbers, and driver’s license numbers. Any of your assets that you track online are potentially available to thieves, and your ability to build and maintain good credit is at risk. This damage will last for decades. NOTE: Even if you did not use Equifax yourself, you could be affected, because Equifax tracks everybody with credit.
Physical damage from hurricanes and floods can eventually be repaired. The rebuilding in Florida and Texas began as soon as the storms moved on and eventually will be completed. But building safety around personal data does not have an end date. In today’s world, the real story is that we have to change our thinking and change our habits – we all need to become schooled in how to fool cyberthieves – how to conduct our own Risk Management Plan. We can’t leave it up to the institutions we’ve trusted in the past. There is a lot of advice about what to do as a consumer. Here is guidance from the Federal Trade Commission.
What About Healthcare?
When it comes to protecting health information, Covered Entities and Business Associates both have a legal responsibility to conduct a Risk Analysis and implement a Risk Management Plan to reduce the chances of compromise. The HIPAA E-Tool® contains an easy-to-use Risk Analysis-Risk Management tool to enable the highest level of protection by nudging staff to evaluate risks and to install patches as soon as they are available. It also helps inventory equipment and data, and assigns responsibility for follow-through to manage risks.
“The first Risk Analysis step of The HIPAA E-Tool's interactive Risk Analysis-Risk Management tool calls for identification of any software that has not been updated with the latest security patch. Any unpatched software identified in Risk Analysis Step 1 is automatically entered on the first set of Risk Management Action Steps.”