The Yahoo Email Breach and Healthcare

In late September, Yahoo admitted that it's security failed and hackers, possibly sponsored by a foreign government, stole the credentials of 500 million users. This happened in 2014 and was undetected until just before the announcement. 

If you're reading this as the owner or CIO of a business, use Yahoo email for business, and are required to be compliant with one or more laws, you should investigate if the breach has any compliance implications for you. 

Also, go reset your password – now. The passwords that were stolen were encrypted and Yahoo believes the risk is low. Still, there is risk. Reset. If your Flickr account is linked to a Yahoo ID, you probably should change that password too – just to be safe.

If you've used Yahoo email to send protected health information (PHI), you could be in breach of HIPAA.

Email and HIPAA

There are three things to know about email and HIPAA relative to this Yahoo news.

1. You can't send PHI via email without encryption. Unencrypted email is like a postcard – anyone can read it. Encrypted information has been placed in an envelope.
2. Free versions of Gmail, Yahoo email, AOL, and Dropbox (for sharing information) are NOT HIPAA compliant. The way these services store metadata could leave PHI exposed and is a violation.
3. Don't share accounts or passwords for sending PHI. Anyone who sends PHI must do so from their own user account. Sharing accounts and passwords breaks chain of custody for PHI and is a HIPAA violation.

If you've used any of these services to send PHI (or if you aren't a healthcare provider, used any of these free services to send personally identifiable information):

1. Stop and begin the process of moving your email communications to a service that will encrypt communications.
2. If you are a HIPAA-covered entity, you need to investigate and then contact any of your patients who could have been exposed. You've got 60 days from the date of Yahoo's announcement to do so – so move fast!

Quick Security Reminders

Are there any other things you can do to protect yourself? Absolutely, I'll quickly go over four here: look into alerts and authentication, update, change passwords, and restrict access.

1. Alerts and Authentication

Set up login verification for text message alerts when someone (even you) try to access your email account from a new or unrecognized device. Yahoo also has Account Key, Google has Google Authenticator, and Duo Security has Duo Mobile; all add a level of log-in security.

2. Update

This is the easiest way for you to ensure your systems are protected. Software and operating system manufacturers are constantly making data security improvements and releasing them in the form of security patches. Make sure to sign up for automatic software and anti-virus updates as non-updated operating systems and software are easy targets for hackers. You may also want to install and regularly update software to detect spyware.

3. Change passwords

ALWAYS change the passwords on new hardware and software in your business. Default passwords and account names are easy targets for hackers if default settings aren't changed.

Users reuse passwords across online services. That's why stolen account credentials can be a goldmine for cybercriminals. Do you use the same password for your bank as for your credit card(s)? Is that the same password you use for work – say to log in to your CRM system? 

Use different passwords. Change them frequently. And use a combination of numbers, letters, and symbols (even if that's hard to type!). And don't write your passwords on a Post-it note and leave that on your desk or stuck on your monitor screen. 

You should also consider using a password manager application – which can generate long, random passwords; store them in an encrypted database; and enter them into the appropriate applications after a user enters a single master password.

4. Restrict Access

Try to limit employee access of sensitive information to essential personnel only. If you have employees who need remote access to your company computer system consider requiring a second, regularly changed password in addition to the original log-in information. You may also want to install software to monitor unusual activity on your system or that can monitor outbound communication to ensure private data is not being leaked and boost computer security.

Copiers, such as those used in healthcare and financial services industries, should also have restricted physical access to them when possible. Additional levels of security such as HID cards and biometrics can add additional layers of security to keep confidential information from general view. And be sure to have secure authentication protocols in place if you allow your copiers to scan to email – particularly in regulated industries.

More on the Yahoo data breach:
http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html
https://gma.yahoo.com/consumers-know-yahoo-security-breach-234046917--abc-news-topstories.html