Where There’s Data Stored, There’s A Risk

From casinos to hospitals, protecting personal records becomes as important as locking doors

By Lee Howard
Published on 7/8/2007

Businesses throughout the region that handle large amounts of personal information have found one sure-fire way of avoiding security breaches: collect less data.

“We constantly analyze what data we need to have,” said Mark Uihlein, vice president of information systems at the Mohegan Sun casino. “Less is better.”

Uihlein’s line of reasoning is followed at Foxwoods Resort Casino, where Gary Border oversees data security as a senior vice president of property marketing.

“Early on, when a person would apply for a Players Club card, we would collect Social Security numbers as a unique identifier, but we stopped collecting that information several years ago,” Border said.

Local casinos, banks, hospitals and employers collect large amounts of sensitive information, data that could be used by identity thieves if it fell into the wrong hands. Some businesses were willing to talk about security in a general way, responding to concerns from the public following recent data breaches at both Pfizer Inc. and The Westerly Hospital. Others, including Electric Boat, Lawrence & Memorial Hospital and Backus Hospital, would not discuss computer security except to say it is at the top of their radar screens.

David Falvey, an attorney in Groton who specializes in credit problems and bankruptcy, said the real worry from such security breaches is the potential for identity theft.

“Identity theft is rampant out there,” Falvey said. “It’s one of those white-collar crimes where you can make a lot of money and not run much risk. You can make more money than holding up a package store.”

If the experience of Westerly Hospital is any guide, a quick and decisive reaction to a security breach that leaks sensitive information over the Internet can help an organization recover quickly. Westerly Hospital employees manned phones in March after the hospital discovered that names and personal information of more than 2,000 patients had been posted on a Web site. The hospital and Westerly police are still investigating the incident.

“I was answering the phones afterward and remember expecting to get blasted,” hospital spokesman David Tranchida said. “But a large percentage of people said ‘good luck,’ and ‘sorry this happened.’ … Most people were understanding. They knew we didn’t plan for this to happen and we were just as unhappy as they were.”

•••••

In Westerly Hospital’s case, patient health information was not compromised. But that may be a measure of hospitals’ slow pace in transferring such information to computers, suggested Carol Harker, the director of medical records and privacy officer at Day Kimball Hospital in Putnam.

“Most of the problems at hospitals have been a one-patient situation,” Harker said. “The reason for that is that hospitals are not that automated yet. … We are in the process of trying to automate, but that is a time-consuming process — and expensive.”

Data breaches have compromised health records in the past, Harker said, but these have usually involved information that a government agency has required, such as reports about HIV-positive patients. The best way to avoid security breaches in the health-care field is to institute an aggressive paper-shredding program, Harker said, because most of the records are still on pieces of paper. Other methods involve constant inspections and badge access to sensitive records areas.

Harker argued that the chance of information leaking out is equivalent to the chance that someone leaves a box of files on a car and then drives away: It essentially boils down to human error. The problem, she said, is that when someone makes an error using a computer, thousands of people can be affected – all at the same time. Still, some officials believe that computerized information is safer than paper files, she said, if it is kept safe using encryption or elaborate passwords.

Making access to health records more difficult raises another problem, though: the need for quick access in an emergency.

“With information we have to treat patients,” she said, “we can’t lock it up to the extent that people who need it can’t get to it.”

An interesting side note to hospital privacy practices is that patients have the right not to list themselves as having been admitted; if they do so, though, they can’t receive flowers, mail or visitors, Harker said. So 90 percent of patients who initially decide on this course eventually reconsider.

Privacy in the health field may be topped only by privacy in banking as a concern for Americans worried about identity theft. Banks, after all, keep a tremendous amount of sensitive data, including Social Security numbers and financial information, and few people want strangers prying into their compensation. Banks with breaches in their privacy firewalls risk losing customers.

“The reputational risk (of a data breach) is one that companies dread the most, next to financial risk,” said Barry Abramowitz, senior vice president and chief information officer at the Middletown-based Liberty Bank. “Once your reputation has been sullied, how do you recover from that?”

Abramowitz said banks constantly are faced with new federal guidelines to protect customers’ privacy. One of the most recent requirements is that customers seeking access to their accounts over the Internet must now do so using a complex password of at least eight characters, including capital and lower-case letters, numbers and at least one special character. Previously, passwords as short as four digits were allowable.

•••••

Keeping information private is making Internet banking more complex for customers. At Liberty Bank, in addition to complex passwords, customers also routinely face three challenge questions, such as the name of their favorite movie.

“It’s probably the right thing to do,” Abramowitz said, “but customers do not embrace it.”

Indeed, some customers blanch at the security questions.

“We have had some people say they have never had a pet or they had no friends in high school,” Abramowitz said. “Some people don’t drive, and they never had a first car. … There is a humorous side to it.”

Abramowitz said banks face two potential scenarios when it comes to privacy breaches — and neither is a laughing matter. The first is when a hacker tries to access information from outside the bank, which calls for external controls; the second is when someone from the bank might leak information, intentionally or accidentally, which calls for internal controls.

For external controls, Liberty and other banks have set up firewalls, encryption and third-party services that scrub information to ward off Internet-based attacks, Abramowitz said. Internally, many controls have been set up, but the most important is that employees are given access only to the information they need to do their jobs. In addition, alarms have been set up when suspicious activity is detected, such as when large amounts of customer information are sent to a printer, he said.
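The printer alarm Abramowitz describes is a simple insider-threat detection: flag any employee whose printed page count over a short window exceeds a threshold. The following is an added illustration, not Liberty Bank's or any vendor's actual system; the log format, user names, page counts and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed print-server audit lines (hypothetical format, not from any real system).
SAMPLE_LOG = """\
2007-07-08T09:01:12 user=amiller doc="Loan Application 4471" pages=6 printer=BR-PRN-2
2007-07-08T09:02:40 user=jdoe doc="Customer Statements Q2 batch 1" pages=220 printer=OPS-PRN-1
2007-07-08T09:04:05 user=jdoe doc="Customer Statements Q2 batch 2" pages=240 printer=OPS-PRN-1
2007-07-08T09:05:30 user=amiller doc="Branch Memo" pages=2 printer=BR-PRN-2
2007-07-08T09:06:10 user=jdoe doc="Customer Statements Q2 batch 3" pages=180 printer=OPS-PRN-1
2007-07-08T10:30:00 user=ksmith doc="Account List Export" pages=700 printer=OPS-PRN-1
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) doc="(?P<doc>[^"]*)" '
    r'pages=(?P<pages>\d+) printer=(?P<printer>\S+)$'
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "doc": m["doc"], "pages": int(m["pages"]), "printer": m["printer"]}


def bulk_print_alerts(log_text, page_threshold=500, window=timedelta(minutes=10)):
    """Alert once per user whose pages printed within a sliding `window` exceed `page_threshold`."""
    recent = defaultdict(deque)   # user -> (timestamp, pages) events still inside the window
    totals = defaultdict(int)     # user -> page total of the events in `recent`
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                # skip unparseable lines rather than silently alerting
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["pages"]))
        totals[ev["user"]] += ev["pages"]
        while q and ev["ts"] - q[0][0] > window:   # evict events older than the window
            _, old_pages = q.popleft()
            totals[ev["user"]] -= old_pages
        if totals[ev["user"]] > page_threshold and ev["user"] not in alerted:
            alerts.append({"user": ev["user"], "pages": totals[ev["user"]],
                           "at": ev["ts"].isoformat(), "printer": ev["printer"]})
            alerted.add(ev["user"])
    return alerts
```

With the constructed log, jdoe trips the alarm on the third statement batch (640 pages in four minutes) and ksmith on a single 700-page export, while amiller's routine printing never does.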

Company policies are important, as well. At Liberty, only a limited number of laptops are available, and employees are discouraged from carrying around client account information. All laptops are encrypted as well, Abramowitz said.

“The privacy aspect of our business is right up there with servicing customers and making money,” he added.

Privacy and security have always been a concern at the local casinos, which pride themselves on protecting their patrons’ financial information. Both casinos have strong policies and protections regarding laptop computers and the use of file-sharing software, a combination that led to the data breach last month at Pfizer.

Mohegan Sun also has extensive physical security around its servers and a dedicated shredding program for hard-copy information. Foxwoods does extensive background checks of its key employees, and requires them to sign legal contracts promising to guard such information.

“It’s really, really difficult for someone with a questionable background to find full-time employment in the gaming industry,” said Uihlein of the Mohegan Sun.

Both casinos keep sensitive information, such as W-2G forms that are reported to the government when a client wins $1,200 or more. And each deals with its fair share of celebrities and high rollers, which presents other security issues. But Uihlein insisted that, when it comes to ensuring privacy, everyone is equal.

“We know how to deal with celebrities, and we are trained and well versed in those types of situations and encounters,” he said. “But our privacy protections are not just for celebrities.”
