Lost and Stolen Employee Devices Key Source of Security Breaches

A Portland, Oregon radio station announced the private information of 13,000 staff and listeners was compromised after an employee’s backpack was stolen from a vehicle.


The bag included the magnetic tape storage devices holding social security numbers, bank information and credit card numbers, according to SC Magazine.

The company is now paying for a free year of identity theft protection and credit monitoring services for all those potentially impacted. The expense has not been released.

Stolen and lost employee technology is quickly becoming an expensive component of business today.

A study conducted by the Ponemon Institute looked at the cost of lost and stolen employee laptops, surveying 329 private and public-sector organizations. The report took into account organizations with less than 1,000 employees – and large-scale companies with more than 75,00 employees.

According to the report, 46 percent of stolen systems held confidential information – just 30 percent had encryption.

The report also uncovered the tremendous cost of lost and stolen laptops – not for replacement of the devices, but for costs associated with data protection for those whose information was compromised through the loss of the data. The average cost per stolen/lost laptop came in at around $49,000, according to the Ponemon Institute report.




JonsfaceFor information on how to protect your organization from the costs associated with security breaches, contact Citon Director of Business Development Jon Heyesen at 218.720.4435.



Top 10 Myths of Information Security Risk Assessment

VES LogoWipFli Risk Advisory and Forensic Services Manager Rick Ensenbach presented recently at a Vital Education Series event on the importance of healthcare security.

In a discussion geared towards healthcare professionals and business associates, Ensenbach dove into the world of healthcare security – the threats, the regulations and the risks of not proactively crafting a security policy intended to keep patients’ lives and records safe.


He also presented the top 10 myths of security risk assessment:

  1. Security risk assessment is optional for small providers.
  2. Installing a certified EHR fulfills my security risk analysis Meaningful Use requirement.
  3. My EHR vendor will take care of everything I need to do for security and privacy.
  4. I have to outsource the security risk assessment. (Note: Expert knowledge may be needed to stand up to an audit.)
  5. A checklist will suffice for risk assessment.
  6. There is a specific risk assessment method that I must follow.
  7. My security risk analysis only needs to look at my EHR.
  8. I only need to do a risk assessment once.
  9. Before I attest for an EHR incentive program, I must fully mitigate all risks.
  10. Each year I have to completely redo my security risk assessment.


(Reference: http://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis )


JonsfaceAre you a healthcare professional or an associate with healthcare clients? To learn more about healthcare security, contact Jon Heyesen, Director of Business Development, at 218.720.4435.

A Breakdown of Net Neutrality




On May 15, the FCC will vote on a draft proposal governing how Internet Service Providers (ISPs) are allowed to control the traffic that passes through them.

This could bring an end to what has been a standard practice since the birth of the Internet.

Right now, when your data (whatever it is) passes between you and the sites and services you access, it is treated no better or worse than your neighbors’ data. This concept is broadly called “Net Neutrality” and is a critical part of what makes the Internet great. A handful of massive telecommunications companies like Comcast and Time Warner want to be allowed to micro-manage traffic as it passes to and from its customers and charge extra for preferential treatment.

To illustrate the danger, I present a brief story I call, “Premium Sidewalk:”

While walking to your neighborhood grocery store, a man in a uniform riding a Segway scooter yells at you to wait just as you are about to cross the street.

“Officer R. B’Trary from the Sidewalk service enhancement team,” the officer says. “What is your destination?”

You tell him the grocery store. His stopwatch beeps, and he gestures that you can now pass just before he whizzes away.

At the next corner, Officer B’Trary appears again to insist you wait. Ten seconds later, you are signaled to proceed. As you approach the next corner, you prepare to launch into a tirade. Before you have a chance, your neighbor Ken walks past wearing a vest labeled “Premium Sidewalk” on the back and crosses the street without breaking stride.

Irritated, you ask why Ken could pass. B’Trary replies, “That is a Premium Sidewalk customer” and hands you a “Premium Sidewalk” brochure listing “Premium Sidewalk” for $20/month. Destinations can also pay for Premium Sidewalk. Apparently the grocery store has not. A shared resource that is paid for in other ways has been altered, not to improve traffic flow or service, but just to extract more revenue.

In order to create “Fast Lanes,” the broadband ISPs will not add more capacity. Instead, they will slow everyone else’s traffic down. Real world examples of what could happen include:

  • Netflix video streaming suddenly becomes uselessly slow while Hulu keeps working. Your brother across the country (who has a different ISP) sees the exact opposite.
  • Your ISP starts offering Internet add-ons like “Skype Premium” and suddenly your Skype calls stop working.
  • Your email stops being delivered reliably to certain regions of the country with the explanation that the recipients have not paid the extra for their ISP’s “email plus” package.

Proponents of “Fast Lanes” argue that they need to be able to charge more for services that consume higher bandwidth, raising fears of bandwidth hogs ruining service for everyone. Speaking as a network engineer, most of these arguments fall flat. Network congestion usually occurs at the “head end” as traffic passes out of the ISP’s network and into other provider networks.

Interconnections between providers and the cost of bandwidth over them are not cheap, so many providers skimp there. Meanwhile, they offer what appears to be faster and faster services to the customer. What good is a 100 Megabit connection, though, when the path from the provider to the greater Internet is clogged? That is where the “Fast Lane” comes in: Take congested connections and give lower priority to everything except those willing to pay extra. Instead of having to buy more upstream bandwidth, the ISP can keep the same undersized pipes in place and get more money for it. There is actually a disincentive to fixing bottlenecks in the “Fast Lane” model because no one will pay for them if the normal lanes work well.

If there were true competition in broadband, then the market could prevent problems, allowing users to choose between any number of alternate providers with better performing and lower cost service. The United States does not have that level of choice in most markets (see www.broadbandmap.gov). Despite some excellent regional broadband efforts, most areas still only have one or two of the same broadband giants to choose from. This creates the classic oligopoly in which a few powerful entities compete on stock price and quarterly earnings instead of performance and user satisfaction.

Since broadband is not governed under “common carrier” rules that apply to everything from trucking and shipping to phone calls in this country, providers have no obligation to treat what passes over their networks equally. Preferential treatment of information and goods generally leads to less freedom and higher costs, which is why so many tech giants (Google, Apple, Amazon, etc.) oppose “Fast Lane” changes. 

The FCC is accepting comments on the issue until May 15. I urge you to research the issue for yourself by reading more, like this article from ARS Technica: http://arstechnica.com/tech-policy/2014/04/the-fccs-fast-lane-rule-is-awful-for-the-internet-just-ask-the-fcc/

Paul Hirsch is a Senior Network Engineer for Citon Computer Corp. If you have a question for Paul, you can contact him using the form below. 

Your Name (required)

Your Email (required)

Your Message


Citon Partner Highlighted in WIRED Magazine for Healthcare Security

In an interview with WIRED Magazine, Scott Erven, Essentia Health’s head of security, revealed the daunting world of hacking vulnerability in hospitals today.

Erven explained the opportunities that exist for hackers to manipulate digital medical records, hack defibrillators and alter temperatures of refrigerators that store blood samples and temperature-sensitive medications.

“Many hospitals are unaware of the high risk associated with these devices,” Erven told the publication. “Even though research has been done to show the risks, healthcare organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”

Scott Erven works as the point of contact for Citon’s security-related solutions partnership with Essentia Health. Erven spoke at the 2013 Vital Technology Expo, co-sponsored by Citon Computer Corp. 

Read the rest of the article here: http://www.wired.com/2014/04/hospital-equipment-vulnerable/



To learn more about how Citon’s security solutions can help your organization, contact Jon Heyesen, Director of Business Development, at 218.720.4435.

Report: 30 Percent of Consumers Wouldn’t do Business After Security Breach

A new report indicates roughly 30 percent of consumers would abandon a business or organization after a security breach.

The report focuses on the financial, healthcare and retail industries, reflecting concern across the board.  Data was compiled through surveys conducted in October 2013 by Javelin Strategy and Research.

Respondents to the survey indicated they would be most distrustful of the retail industry after a security breach, with 33 percent saying they would not likely do business with the entity again.

Thirty percent of respondents indicated they would not return to a healthcare provider after a security breach, and 24 percent said they would no longer trust a financial institution.

“Today, regardless of whether they occur in the financial, healthcare, or retail industries, data breaches have an undeniable impact on a business’s image, and in turn, both the revenue and expense side of its bottom line,” the report’s conclusion states.


For information on how to assess possible IT security threats to your business or organization, contact the Citon IT security team:

Your Name (required)

Your Email (required)

Your Message