Healthcare and Technology news

HIMSS Survey Finds Two-Thirds of Healthcare Organizations Experienced a Significant Security Incident in Recent Past


Cybersecurity was identified as an increased business priority over the past year according to 87 percent of respondents in the newly released 2015 HIMSS Cybersecurity Survey (http://www.himss.org/2015-cybersecurity-survey). Two-thirds of those surveyed also indicated that their organizations had experienced a significant security incident recently. Released at the Privacy and Security Forum, held in Chicago from June 30-July 1, this research reflects the continued cybersecurity concerns by healthcare providers regarding the protection of their organizations’ data assets.


“The recent breaches in the healthcare industry have been a wake-up call that patient and other data are valuable targets and healthcare organizations need a laser focus on cybersecurity threats,” said Lisa Gallagher, Vice President of Technology Solutions, HIMSS. “Healthcare organizations need to rapidly adjust their strategies to defend against cyber-attacks. This means implementing threat data, incorporating new tools and sophisticated analysis into their security process.”


The survey of 297 healthcare leaders and information security officers across the industry also found that at least half of respondents made improvements to network security, endpoint protection, data loss prevention, disaster recovery and IT continuity. Despite the protective technologies available, most respondents felt only an average level of confidence in their organizations’ ability to protect their IT infrastructure and data.


Key findings from the survey include the following:


  • Respondents use an average of 11 different technologies to secure their environment, and more than half of healthcare organizations surveyed hired full-time personnel to manage information security
  • 42 percent of respondents indicated that there are too many emerging and new threats to track
  • More than 50 percent of information security threats are identified by internal security teams
  • 59 percent of survey respondents feel the need for cross-sector cyber threat information sharing
  • 62 percent of security incidents have resulted in limited disruption of IT systems with limited impact on clinical care and IT operations
  • 64 percent of respondents believe a lack of appropriate cybersecurity personnel is a barrier to mitigating cybersecurity events
  • 69 percent of respondents indicated that phishing attacks are a motivator for improving the information security environment
  • 80 percent use network monitoring to detect and investigate information security incidents
  • 87 percent of respondents reported that antivirus/malware tools have been implemented to secure their healthcare organizations’ information security environment

Healthcare cybersecurity info sharing still a work in progress


While President Barack Obama issued an executive order to use information sharing and analysis organizations (ISAOs) to boost cybersecurity awareness and coordination between private entities and the government, those efforts need more development before they provide useful information, according to an article at The Wall Street Journal.


About a dozen longstanding nonprofit Information Sharing and Analysis Centers (ISACs) serve specific sectors such as finance, healthcare and energy, and work with government on information sharing.


Though more narrowly focused, many ISAOs already exist, Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, told HealthcareInfoSecurity.


Executives who spoke with WSJ say large entities don't get much useful information from ISACs.


"Most of us are willing to put information into it largely because it provides good initial facilitation and informal networking opportunities," Darren Dworkin, CIO of Cedars-Sinai Medical Center and a member of the healthcare ISAC, tells the newspaper. As sharing standards are developed, he adds, "expectations will mount in terms of the kinds of specific data needed as everybody figures it out."


What's more, networking within the industry, Dworkin says, tends to provide more information about what's going on. ISACs generally are more useful to smaller organizations that lack security expertise in-house, the article adds.


The Health Information Trust Alliance (HITRUST), which quickly endorsed Obama's plan, said it is one of the ISAOs. HITRUST is working with providers to test and improve their preparedness for attacks through its CyberRX 2.0 attack simulations. The need for organizations to be more open about attacks was one of the early lessons from that program.


Participants in the recent White House Summit on Cybersecurity and Consumer Protection stressed that threat data-sharing doesn't pose the danger of exposing patients' insurance and healthcare information.


11 Paths's curator insight, April 8, 2015 4:30 AM

This is a great news story


Nearly Seven in 10 Patients Would Avoid Healthcare Providers That Undergo a Data Breach

A new survey from TransUnion Healthcare found that more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach. Nearly seven in 10 respondents (65%) would avoid healthcare providers that experience a data breach.

Older and younger consumer groups responded differently to data breaches. While 73% of recent patients ages 18 to 34 said they were likely to switch healthcare providers, older consumers were less willing. Nearly two-thirds (64%) of patients older than 55 were not likely to consider switching healthcare providers following a data breach.

“Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new healthcare provider following a data breach,” said Gerry McCarthy, president of TransUnion Healthcare. “However, younger patients are far more likely to at least consider moving to a new provider if there is a data breach. With more than 80 million millennials recently entering the healthcare market, providers that are not armed with the proper tools to protect and recover from data breaches run the risk of losing potentially long-term customers.”

Other survey insights on consumers’ expectations following a data breach include:

  • Nearly half of consumers (46%) expect a response or notification within one day of the breach.
  • 31% of consumers expect to receive a response or notification within one to three days.
  • Seven in 10 (72%) consumers expect providers to offer at least one year of free credit monitoring after a breach.
  • Nearly six in 10 (59%) consumers expect a dedicated phone hotline for questions.
  • More than half of consumers (55%) expect a dedicated website with additional details.

“The hours and days immediately following a data breach are crucial for consumers’ perceptions of a healthcare provider,” said McCarthy. “With the right tools, hospitals and providers can quickly notify consumers of a breach, and change consumer sentiments toward their brand.”

Could a Greater Investment in Cyber Insurance Have Saved Anthem?

According to the Identity Theft Resource Center, last year saw 287 breaches and more than 7.7 million records compromised in the medical and healthcare industry alone. Healthcare breaches have made up more than 10 percent of the year’s attacks, proving what those in the industry already know—personal health information is valuable and sought after by hackers.

To this end, the recent breach of the Indianapolis-based health insurer Anthem was a massive one, exposing the personal data of approximately 80 million of its plan members. Shortly after the breach, it was estimated that the hack of Anthem could end up costing more than a billion dollars in total. "It's that big. We wouldn't be surprised to see the costs of the Anthem breach exceed a billion dollars,” said Daniel W. Berger, president and CEO of Redspin, a Carpinteria, Calif.-based health IT security consultant.

What’s more, according to a Business Insurance report, Anthem has $150 million to $200 million in cyber insurance, including excess layers of cyber coverage, sources told the publication. Anthem's primary cyber insurer is Lexington Insurance Co., a unit of American International Group (AIG), Business Insurance revealed, explaining that Anthem has $10 million in primary cyber coverage above a $10 million self-retention with Lexington. However, when a company has up to 80 million current customers, former customers, employees and investors to notify—in addition to lawsuits—this amount may not be enough, says Natalie Lehr, co-founder of cybersecurity firm TSC Advantage, based in Washington, D.C.

Indeed, various news media outlets have suggested that Anthem’s insurance policy could be exhausted. Lehr says that generally speaking, when companies put together their investment for security, they look for a standard where they meet their compliance obligation. The challenge with cases such as Anthem, Lehr says, is that even when the organization’s investments in security are to meet those standards, it’s still insufficient because it may not protect you against the ongoing liability, in this case on the class-action lawsuit side. “This is one of the big reasons why I see this as a watershed moment for the industry in terms of the scale of data taken,” Lehr says. “The intangible financial loss that a company could face can exceed the insurable loss calculation that has historically taken place with the transference of risk to the insurers.”

As such, Lehr notes that if organizations exceed the standard, it reduces the likelihood of compromise, and also the probability of compromise in the future. “It is a testament to any organization that invests in maturity beyond the standard,” she says. “Part of what we have done with our insurance partners is set up a way to measure the security level so clients who do exceed the standard can get a discount on their premium. Historically, that’s not part of the dialogue or pre-binding process thought,” she adds.

Lehr further says that with Anthem specifically, a sophisticated data loss prevention solution could have been put in place, so if the bulk of material came from the file transfer protocol (FTP) network, the organization could look through that traffic and look for categories of data that include Social Security numbers, for instance. “We don’t know for sure if they had that in place, but it seems that with the bulk of the losses that occurred with Anthem, there was a determination made that it was internal data, which wasn’t necessarily required to be encrypted from a compliance standard,” she says. “But there’s a whole host of additional controls that could be applied, and it’s about the nature in which organizations address that.”

At the end of the day, Lehr says that while no one ever envisioned anything being stolen on the scale of what happened at Anthem, it is critical to make sure that you’re leading in terms of security posture, and that you’ve focused your investment around the core parts of your business. “If we look at the past as a marker of the type of cyber breach we’ll see in the future, we’re sort of kidding ourselves,” she says. “We talk to our clients about making sure their strategy isn’t to respond to an incident. That’s not enough. Investment in prevention is testament to investment in future.”


Brian S. Smith, CIC, ARM's curator insight, March 26, 2015 8:16 PM

Interesting article about the data breach event suffered by Anthem.  The insurance costs are staggering as is the exposure.


Anthem's Audit Refusal: Mixed Reaction


Privacy and security experts are offering mixed reviews of Anthem Inc.'s denial of a government auditor's request to perform vulnerability scans of the health insurer's IT systems in the wake of a hacker attack that affected 78.8 million individuals.

The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem - citing "corporate policy" - refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency.


"Anthem is in a no-win situation on this [most recent] request," says Dan Berger, CEO of security services firm Redspin. "It does appear Anthem has the contractual right to decline the request for an OIG vulnerability scan. But they might want to rethink that. Refusing now looks bad - both to their client OPM and to the public at large."

Security expert Mac McMillan, CEO of the consulting firm CynergisTek, notes: "Usually most companies want to cooperate with the government regulators because, quite frankly, it's in their best interest to do so. Most government contracts provide a provision for the government to conduct an audit if they deem it necessary."

But some other security experts are not surprised that Anthem refused the vulnerability tests.

"In fairness to Anthem, their position may be perfectly well-founded," says Bob Chaput, founder and CEO of Clearwater Compliance. "It's unclear what is precisely meant by vulnerability scans. Ask five people for a definition and receive eight different definitions. External and/or internal technical testing - expanding for the moment to include penetration testing as a way to identify a weakness - can be quite intrusive and disruptive to an organization's operations."

OIG Requests

OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, an OIG spokeswoman tells Information Security Media Group. However, under the standard FEHBP contract that OPM has with insurers, insurers are not mandated to cooperate with IT security audits. Sometimes amendments are made to insurers' federal contracts to specifically require the full audits, the spokeswoman says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract.

OIG also notes in a statement: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."

A Common Practice?

David Kennedy, founder of security consulting firm TrustedSec, says it's "very common" for corporations to prohibit or limit external parties from performing vulnerability scans. "Most corporations have sanctioned tests that occur from third parties that perform the same type of testing and go even more in depth," he says. "A vulnerability scan is the most basic form of an assessment and wouldn't have prevented the Anthem breach from occurring. Most corporations will provide a summary of the assessment that was performed to provide to third parties to satisfy them for appropriate due diligence."

Although Anthem's recent refusal of the OIG audit requests might now appear to be a public relations blunder for the company, "I can see Anthem's side too, though," says Redspin's Berger. "A vulnerability scan is always going to find vulnerabilities. They may be concerned that any post-breach vulnerability report will be linked back to the recent breach. In reality, such scans are a 'point in time' assessment; it's unlikely that running a scan in the summer of 2015 would determine conclusively whether the recent breach could have been prevented."

In addition, if a security audit is not mandated by a contract, Chaput says it's probably not that unusual for private entities to refuse such requests from government agencies. "It depends on the nature of the relationship of the parties, the structure of that relationship, sensitivity of information involved, etc.," he says. "For example, is OPM a HIPAA covered entity and Anthem a HIPAA business associate in this relationship?"

Time for Change?

Also, the audit hoopla might even signal a need for OPM to overhaul its contractual practices, Chaput argues.

"In fact, it's quite possible that OPM is in violation of the HIPAA Privacy and Security Rule 'organizational requirements,'" he says. "Did OPM update all BA agreements? Do the terms and conditions of whatever agreements exist meet the requirements set forth in these HIPAA Privacy and Security Rule 'organizational requirements' to receive satisfactory assurances that this PHI and other sensitive information would be safeguarded?"

The government should negotiate stronger security protections into their contracts with insurers, Berger suggests. And that could include third-party vulnerability scans, whether conducted by OIG or others.

But McMillan of CynergisTek says Anthem's refusal of OIG's request could potentially provoke even more scrutiny by other government regulators or perhaps even legislative proposals from Congress.

Anthem likely already faces an investigation by the HIPAA enforcement agency, the Department of Health and Human Services' Office for Civil Rights, which investigates health data breaches and has the power to issue settlements that include financial penalties.

"Whether it is appropriate or allowed under [Anthem's] current contract or not - refusing a test right after a breach of this magnitude is enough to make some people say there needs to be greater accountability," McMillan says.

Safeguarding Data

Ironically, Chaput says that by denying the vulnerability tests by OIG, Anthem could be actually taking extra precautions in protecting PHI. "With over-the-top issues of government surveillance of U.S. citizens, Anthem might be thought of as having implemented a reasonable and appropriate administrative control - i.e. their 'corporate policy' to safeguard information with which it has been entrusted," Chaput says. "In the HIPAA Privacy Rule, there are standards and implementation specifications in which PHI, for example, is required to be disclosed to the Secretary of HHS. Since this technical testing could result in a disclosure of PHI, PII or other sensitive information, under what standard is OPM OIG invoking a right of potential disclosure?"

Kennedy adds that when he worked for ATM security vendor Diebold, "we never let anyone scan us. However we would always have reputable third parties perform assessments on us on a regular basis and provide those upon request when an organization wanted to evaluate our security."


Anthem says at least 8.8 million non-customers could be victims in data hack


Health insurer Anthem Inc, which earlier this month reported that it was hit by a massive cyberbreach, said on Tuesday that 8.8 million to 18.8 million people who were not its customers could be victims in the attack.

Anthem, the country's second-largest health insurer, is part of a national network of independently run Blue Cross Blue Shield plans through which BCBS customers can receive medical services when they are in an area where BCBS is operated by a different company.

It is those Blue Cross Blue Shield customers who were potentially affected because their records may be included in the database that was hacked, the company said.

It is the first time that Anthem has quantified the impact of the breach on members of health insurance plans that it does not operate.

Anthem updated the total number of records accessed in the database to 78.8 million customers from its initial estimate of 80 million, which includes 14 million incomplete records that it found.

Anthem does not know the exact number of Anthem versus non-Anthem customers affected by the breach because of those incomplete records, which prevent it from linking all members with their plan, Anthem spokeswoman Kristin Binns said.

Security experts are warning that healthcare and insurance companies are especially vulnerable to cybercriminals who want to steal personal information to sell on the underground market.

Anthem continued to estimate that tens of millions of customer records were stolen, rather than simply accessed. The spokeswoman added that the company's investigation was ongoing. Federal and state authorities are also investigating.

Anthem runs Blue Cross Blue Shield healthcare plans in 14 states, while plans in states such as Texas and Florida are run independently. In all, 37 companies cover about 105 million people under the Blue Cross Blue Shield license.

Binns said the company still believes the hacked data were restricted to names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information such as income data.

Anthem will start mailing letters next week to Anthem customers and other Blue Cross Blue Shield members affected by the hacking. It will offer two years of identity theft repair assistance, credit monitoring, identity theft insurance and fraud detection.



Phishing: Learning from Anthem Breach


The hack attack against Anthem Inc., which the health insurer says started with a spear-phishing campaign targeting five of its employees, is a warning sign of the kinds of sophisticated schemes that will be common in the year ahead, says Dave Jevans, co-founder of the Anti-Phishing Working Group.

"The Anthem breach is emblematic of what we see in the evolution of attacks against companies and their employees," Jevans says in an interview with Information Security Media Group.

In addition to Anthem, a growing number of cyber-attacks, including the breach of JPMorgan Chase, have originated with spear-phishing campaigns that target a small number of employees who have access to data systems and services housing sensitive customer information, Jevans says.

"It's highlighting a fundamental change we're seeing in the phishing landscape," Jevans says. "There's a big decrease, almost 25 percent, in phishing against just broad-base consumers. ... The real risk here is an increase in the attacks against [a handful of] employees ... and using that as a jumping-off point to get into the enterprise, break in and then steal data, breach systems, and spread out to vendors that are connected to the enterprise."

He notes that the JPMorgan Chase breach started with spear phishing that "targeted one employee in the IT department, who was tricked into giving out their password to a vulnerable machine inside the network. The hackers jumped in from there and compromised records. The most sophisticated attacks are waged against very small numbers of employees - we find, typically, less than six." By targeting only a handful of employees, the attackers decrease the odds that their scheme will be detected, Jevans says.

A Shift to Mobile

As spear-phishing campaigns become more common this year as a way to open the door to major cyber-attacks, the attackers will start to focus on targeting employees through their mobile devices, which have less sophisticated detection systems, Jevans predicts. For example, they may use text messages that ask employees to update a virtual private network profile.

"Today, detection methods are not in place [for SMS/text], so you can't tell when someone's been phished on their mobile phone," Jevans adds. "We will see in 2015, with many major breaches, that the forensic evidence is going to come back to the use of mobile devices involved in that initial kill chain of attack inside the company."

Stronger, multifactor authentication for employee access to sensitive data, systems and servers should be in place to thwart the impact of an employee's credentials that are compromised, Jevans stresses. But he says organizations should focus more attention on preventing phishing attacks from being successful.

"In my view, there is no credible reason why anybody internal to the company should receive e-mails claiming to be from the company with 'from' addresses that were sent from an external server," he says. "The use of SPF [sender policy framework] ... on your e-mail server, so that all outgoing e-mail is authenticated and also all inbound e-mail is authenticated and checked, particularly from your own domain, should be in place."

Also discussed during this interview:

  • Why top-level domain names, such as .bank, are likely to fuel more phishing campaigns rather than curb them;
  • How DMARC (Domain-based Message Authentication, Reporting & Conformance) is helping businesses block suspicious e-mails through enhanced e-mail authentication, before they ever hit inboxes; and
  • Why employee education related to phishing must be ongoing and consistent.

Jevans, who serves as chairman of the Anti-Phishing Working Group, is also founder and chief technology officer of mobile security firm Marble Security. His career in Internet security spans more than 20 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy.



USPS Breach Exposed Health Data


As the U.S. Postal Service's investigation into its data breach continues to unfold, it's now reporting that certain health information for approximately 485,000 current and former employees was potentially compromised.


The news follows confirmation from the USPS on Nov. 10, 2014, of a breach of some of its information systems that impacted more than 800,000 employees and 2.9 million customers.

The investigation has now determined that the intruders may have compromised a file containing workers' compensation injury claim data, according to a letter detailing the incident that the USPS provided to Information Security Media Group. The file, created in August 2012, contains information associated with current and former workers' compensation claims. Information included in the file dates from November 1980 to Aug. 30, 2012, according to the USPS.

Although the type of information varies greatly based on individual cases, workers' compensation-related data that may have been exposed includes names, addresses, dates of birth, Social Security numbers, medical information and "other" information.

The total number of employees whose health data may have been exposed reflects some of those originally listed as being impacted by the breach, "but others are receiving letters for the first time," says David Partenheimer, a spokesperson at the U.S. Postal Service. Those who did not receive an earlier letter from the USPS regarding receiving free credit monitoring for one year have now been informed how to obtain the service.

The USPS says it has no evidence that any compromised employee information has been used to engage in any malicious activity, the letter says.

Although the latest breach details involve health information, the USPS is not subject to the HIPAA Privacy Rule that governs healthcare data because it is not a covered entity (a healthcare provider), Partenheimer says.

Notification Delay Explained

At a U.S. House hearing in November, Randy Miskanic, a USPS official, defended the agency's delay in notifying USPS workers of the breach, contending authorities didn't initially know what data was pilfered. The USPS first learned of the breach on Sept. 11, 2014, but didn't notify employees until Nov. 10, 2014.

Miskanic also said the government didn't want to tip off hackers that it was aware of the breach.

In its original report on the breach, USPS said employees' names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, and emergency contacts may have been exposed. For customers, names, addresses, phone numbers and e-mail addresses may have been compromised.

As a result of the breach, the USPS in a Nov. 28 filing with postal regulators said it was forced to delay the filing of its annual financial report. The reasoning for the delay was to give USPS time to confirm that the breach didn't compromise financial information that could affect its report.



Should the Sony Hack Have Hospitals Concerned? | Hospital EMR and EHR


If you haven’t heard the details of the Sony hack, then lucky you. It seems that coverage of the hack has been everywhere. Long story short, Sony wasn’t careful and the hackers got a lot of really private information like emails. It was embarrassing to the company in a variety of ways and the effects of it and them eventually pulling The Interview are going to be felt for a long time to come. In fact, some of the hack included Sony’s insurance records which included medical information.

Should hospitals be concerned by the hack of Sony? The hack itself shouldn’t be of particular concern, but it should be a stark reminder that anyone is vulnerable if the hackers want to hack you enough. Unfortunately, the game of privacy and security is a cat and mouse game of trying to make what you have so difficult to access that hackers choose other, simpler targets.

With that said, if Sony, Google, Target, etc can be hacked, then anyone could be hacked. While it’s absolutely critical that you’re doing everything you can to make it hard for hackers to access your systems, it’s also important to make sure that you have proper breach procedures in place as well. How you handle a breach is going to be incredibly important for every organization.

The Sony hack is going to cost them a lot of money. A breach in healthcare could incur some of the same public embarrassment, but there are also stiff HIPAA penalties for a breach. This could get very expensive for organizations that aren’t taking health IT security seriously. If you thought the coming MU penalties are bad, try to calculate in some major HIPAA fines and reduced patient load because patients no longer trust your organization. It will be devastating for organizations.

What is your organization doing to avoid breaches? Are you going beyond the HIPAA risk assessment?




Sony Hack Reveals Health Details on Employees and Their Children | The Health Care Blog


On top of everything else, the Sony data breach revealed employees’ sensitive health information: Top Sony executives saw lists of named employees who had costly medical treatments and saw detailed psychiatric treatment records of one employee’s son.

Like last year’s revelation by AOL’s CEO, it shows US corporations look at employees’ health information and costs. By ‘outing’ the fact that 2 of AOL’s 5,000 employees had premature infants whose treatment cost over $1 million each, the CEO violated the employees’ rights to health information privacy.

Trusted relationships simply cannot exist if individuals have no right to decide who to let in and who to keep out of PII. Current US technology systems make it impossible for us to control personal health data, inside or outside of the healthcare system.

Do you trust your employer not to snoop in your personal health information? How can you trust your employer without a ‘chain of custody’ for your health data? There is no transparency or accountability for the sale or use of our health data, even though Congress gave us the right to obtain an “Accounting for Disclosures (A4D)” for disclosures of protected health data from EHRs in the 2009 stimulus bill (the regulations have yet to be written). And we have no complete map that tracks the millions of places US citizens’ health data flows. See: TheDataMap.

There is no way to know who sees, sells, or snoops in our health data unless whistleblowers or hackers expose what’s going on.  Our personal, identifiable health data is in millions of data bases unknown and inaccessible to us.  Both the Bush and Obama Administrations support this privacy-destructive business model on the Internet and in the US health care system.

The US health data broker industry consists of over 100,000 health data suppliers covering 780,000 live daily health data feeds. 

THE GREATEST DAMAGE CAUSED BY THE LACK OF CONTROL OVER PII IS THE LOSS OF TRUST— TRUSTED RELATIONSHIPS BETWEEN PEOPLE, COMPANIES, AND GOVERNMENTS ARE IMPOSSIBLE WITHOUT PERSONAL CONTROL OVER PII.

Both Angela Merkel and Jennifer Lawrence spelled out the deep and persistent effects of violating personal boundaries:

Both spoke of the deep emotional pain and costs of betrayal, and of being unable to trust or feel safe following such serious boundary violations. Trust is truly impossible unless individuals can set boundaries. People, companies, and governments must respect and honor individuals’ rights to control access to personal information to be trusted. Violating boundaries destroys trust and relationships between people and between nations.

Sadly, even though the modern world’s concept of ‘privacy’ comes from our nation, from US Supreme Court Justice Louis D. Brandeis’ concept of privacy, and later in the computer age from Willis Ware’s concept of Fair Information Practices, the US has lost its way and is destroying both freedom and the right to be let alone.

Among the Western Democracies, has the United States become the world’s most intrusive surveillance state?

Do we have control over any information about ourselves?  Or is every bit or byte of data about us collected, held, and sold by millions of hidden data bases?

Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst

CareFirst, a Blue Cross Blue Shield plan, on Wednesday became the third major health insurer in the United States to disclose this year that hackers had breached its computer systems and potentially compromised some customer information.

The attack could affect as many as 1.1 million of its customers, but CareFirst said that although the hackers gained access to customer names, email addresses and birthdates, they did not obtain sensitive financial or medical information like Social Security numbers, credit card information and medical claims. The company, which has headquarters in Maryland and serves the Washington area, said the attack occurred in June and described it as “sophisticated.”

Chet Burrell, CareFirst’s chief executive, said the company contacted the Federal Bureau of Investigation, which is investigating attacks against the insurers Anthem and Premera. “They are looking into it,” he said.



While it was not clear whether the attacks were related, he said the company was under constant assault by criminals seeking access to its systems.

Federal officials have yet to label the breaches at Anthem and Premera Blue Cross as state-sponsored hackings, but the F.B.I. is effectively treating them as such, and China is believed to be the main culprit, according to several people who were briefed on the investigations but spoke on the condition of anonymity. There are indications the attacks on Anthem, Premera and now CareFirst may have some common links.

Charles Carmakal, a managing director at Mandiant, a security firm retained by all three insurers, said in an emailed statement that the hacking at CareFirst “was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year.”

The breaches at Anthem, which is one of the nation’s largest health insurers and operates Blue Cross Blue Shield plans, and Premera Blue Cross, based in Washington State, were much larger. The one at Anthem may have compromised the personal information of 79 million customers and the one at Premera up to 11 million customers.

Anthem has said the hackers may have stolen Social Security numbers but did not get access to any medical information. Premera said it was possible that some medical and bank account information may have been pilfered.

CareFirst said it was aware of one attack last year that it did not believe was successful. But after the attacks on other insurers, Mr. Burrell said he created a task force to scrutinize the company’s vulnerabilities and asked Mandiant, a division of FireEye, to perform a forensic review of its systems. Last month, Mandiant determined a breach had occurred in June 2014.

Health insurance firms are seen as prime targets for hackers because they maintain a wealth of personal information on consumers, including medical claims records and information about credit card and bank accounts.

In recent years, the attacks have escalated, said Dr. Larry Ponemon, the chairman of Ponemon Institute, which studies security breaches in health care. He said the health care industry was particularly vulnerable and that the information it had was attractive to criminals who use the data to steal the identity of consumers.

“A lot of health care organizations have been historically laggards for security,” he said.

Insurers say they are now on guard against these attacks. But Dr. Ponemon said they had taken only small steps, not “huge leaps,” in safeguarding their systems.

The motivation of the hackers in these cases, however, is unclear — whether they are traditional criminals or groups bent on intelligence-gathering for a foreign government.

In the retail and banking industries, the hackers have been determined to get access to customer credit card information or financial data to sell on the black market to other online criminals, who then can use it to make charges or create false identities.

So far, there is scant evidence that any of the customer information that might have been taken from Anthem and Premera has made its way onto the black market. The longer that remains the case, the less likely that profit was a motive for taking the information, consultants said. That suggests that the hackers targeting the health care industry may be more interested in gathering information.

“It’s such an attractive target and it’s a soft target and one not traditionally well protected,” said Austin Berglas, head of online investigations in the United States and incident response for K2 Intelligence and a former top agent with the F.B.I. in New York. “A nation state might be looking at pulling out medical information or simply looking to get a foothold, which they can use as a testing ground for tools to infiltrate other sectors,” he said.

Paul Luehr, a managing director at Stroz Friedberg, a security consulting firm, said the health care breaches could be an entry point into other systems. “It could serve as a conduit to valuable information in other sectors because everyone is connected to health information,” he said.

Or the breaches could simply be crimes of opportunity. The hackers could be making off with information and waiting to determine what to do with it.

“We want to jump to the conclusion that there is an organized chain and command,” said Laura Galante, threat intelligence manager for FireEye, who was not commenting specifically on any particular breach. “But what could be happening here is much more chaotic. It’s simply, ‘Get whatever data you can get and figure out what to do with it later.’ ”


Study to Probe Healthcare Cyber-Attacks

In the wake of the recent hacker attacks on Anthem Inc. and Premera Blue Cross that compromised personal data on millions of individuals, the Health Information Trust Alliance is attempting to launch a study to get a better understanding of the severity and pervasiveness of cyber-attacks in the healthcare sector, as well as the attackers' methods.


HITRUST, best known for its Common Security Framework, hopes to recruit hundreds of participants for its "Cyber Discovery" study. Organizations that join the study will monitor for signs of attacks for a 90-day period using data gathered with Trend Micro's threat discovery technology, which works with security information and event management systems. "It's like a big sandbox that works in a passive mode and collects everything and tries to analyze everything that comes into the sandbox," Dan Nutkis, HITRUST CEO, tells Information Security Media Group.


Participants can use the data that's collected and analyzed by the technology for their own cyber-intelligence activities. For the study, the participating organizations will provide anonymized data regularly to HITRUST for analytical purposes. "We don't have the name of the organization, just the type of organization," Nutkis says.

Security expert Mac McMillan, CEO of security consulting firm CynergisTek, says that as long as HITRUST can guarantee the data collected from healthcare organizations is anonymized, the alliance might be able to attract participants. And if there are enough participants, "a study such as this based on empirical data can paint a relevant picture with respect to the risk that healthcare entities face, and therefore, would be very valuable if done correctly," adds McMillan, chair of the HIMSS Privacy & Security Policy Task Force.

HITRUST hopes to have the necessary software and hardware installed at all the participating organizations by the end of May, Nutkis says. It will publish an initial report of findings and recommendations approximately four months from the launch of the project.

Digging In

The organization is seeking about 210 voluntary participants from the healthcare sector, including insurers, hospitals, accountable care organizations and clinics. Each will participate for 90 days or longer, Nutkis says. Participants do not have to be members of HITRUST to qualify.


Each participating healthcare organization will get free use of the Trend Micro technology during the study. Trend Micro will install the appliance and train organizations how to use it and how to conduct the forensics analysis, Nutkis says.


"The goal is to understand the threat actors, the methods and their targets," he says. Among the questions to be addressed, he says, are: "Are these actors targeting health plans or are they targeting specific types of equipment or types of data? Are they after PHI or PII? What's the level of persistence? What's the duration of them trying to get in? Do they keep coming back?"


The study aims to accurately identify attack patterns as well as the magnitude and sophistication of specific threats across enterprises, he says.

Recent Attacks

When it comes to the recent attacks on Anthem and Premera, and their significance to the healthcare sector, "there's a lot of speculation and conjecture about what's going on," he says. "There was a great level of concern after the Community Health System attack" last year, in which hackers compromised data of about 4.5 million individuals. Because they were reported about six weeks apart, the Anthem and Premera breaches raised concerns about whether they were related, he says. While those breach investigations are still ongoing, the healthcare sector is trying to understand who's being targeted, how and for what data, he explains.


Nutkis says HITRUST will consider whether to repeat the study annually to track emerging trends.


McMillan, the consultant, says the value of the study to the healthcare sector will ultimately depend on what is examined. "For instance, will it address social engineering or things like phishing? Phishing is a huge issue for healthcare right now and is believed to have had a role in many of the high-profile breaches of last year."


Security audit of Premera identified issues prior to cyberattack

Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com.


Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:

  • Names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Member identification numbers
  • Medical claims numbers
  • Some bank account information

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.


However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, methodologies were not in place to ensure that unsupported or out-of-date software was not used and a vulnerability scan identified insecure server configurations.


At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.


Anthem Arrogantly Refuses Audit Processes. Twice.

Recently, I took a bunch of heat for writing that Anthem was right not to encrypt. My point was that the application encryption is just one of several security measures that add up to a security posture, and that we needed to wait until we got more information before condemning Anthem for a poor security posture.

A security posture is the combination of an organization’s overall security philosophy as well as the specific security steps that the organization takes as a result of that philosophy. Basically the type of posture taken shows whether an organization takes security and privacy seriously, or prefers a “window dressing” approach. I argued that simply knowing that the database in question did not have encryption was not enough detail to assess the Anthem security posture.

Well we have more evidence now, and it’s not looking good for Anthem.

Recently GovInfoSecurity reported that Anthem has again refused the OIG the ability to scan its network. OIG prefers to perform its own vulnerability assessments, so that it does not have to rely on the organization’s internal assessments.

This is not the first time this has happened. When Anthem was called “WellPoint” it refused a request from OIG to scan, according to the OIG’s report at the time. OIG stands for Office of Inspector General and is essentially the “generic audit arm” of the US government. They are responsible for ensuring that government contractors are complying with regulations, and Anthem has an important contract to process medical claims for Federal Employees.

Here is what OIG had to say about this issue in September of 2013, the first time that Anthem refused its audit process:

This performance audit was conducted in accordance with generally accepted government auditing standards (GAS) issued by the Comptroller General of the United States, except for specific applicable requirements that were not followed. There was one element of our audit in which WellPoint applied external interference with the application of audit procedures, resulting in our inability to fully comply with the GAS requirement of independence.

We routinely use our own automated tools to evaluate the configuration of a sample of computer servers. When we requested to conduct this test at WellPoint, we were informed that a corporate policy prohibited external entities from connecting to the WellPoint network. In an effort to meet our audit objective, we attempted to obtain additional information from WellPoint, but the Plan was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers (see the “Configuration Compliance Auditing” section on page 9 for additional details.)

As a result of the scope limitation on our audit work and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.

Just months before, in July of 2013, Anthem (as WellPoint) had just paid 1.7 million dollars for a HIPAA violation. That fine was the result of an investigation that found that Anthem had not:

  • adequately implement policies and procedures for authorizing access to the on-line application database
  • perform an appropriate technical evaluation in response to a software upgrade to its information systems
  • have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.

Vulnerability scanning is intended, among other things, to detect exactly these kinds of problems.

Anthem felt, in 2013, that even though it just had a massive breach, that it was in a position to deny OIG the capacity to verify Anthem’s claims about its own network. Now, in 2015, Anthem has just had a second massive breach, and has again indicated to OIG that it has a “corporate policy” that again prevents OIG from conducting a vulnerability scan as part of its independent audit. Quoting the OIG spokesperson featured in the GovInfoSecurity piece:

“we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is ‘corporate policy.’”

I have just been defending the notion that Anthem might have been doing the right thing, and that perhaps it was just the victim of a really clever hacker team. As you can imagine, when you say things like this on the Interwebs, you get a flock of people saying “If you are defending Anthem you really don’t care about patient privacy…” etc etc. My only point at the time was “We really need more evidence before we publicly condemn an organization for deprioritizing patient privacy.”

Well the evidence is in.

The notion that Anthem thinks its corporate policies trump the public’s ability to make sure they are doing their job as a Federal contractor was arrogant in 2013, when it just had one massive breach. Now this organization believes that its “corporate policies” still exempt it from scrutiny? I am aghast. Really, I should be coding right now, but instead I am writing this. I am a fairly jaded healthcare/security professional, and I thought I had seen it all. This takes the cake. Seriously, WTF?

I can only think of a few examples of this kind of bold, unfiltered, unapologetic raw arrogance. But instead of causing scenes at music award shows, the arrogance of Anthem has damaged hundreds of thousands of people more than once.

Anthem should be given a brief opportunity to rethink its policy on this issue, and assuming it does not immediately see the error of its ways its government contract should be put up for new bids from other organizations. I think we might be able to locate some other health insurance company that has a less inflated respect for their own “corporate policies”.

Medical identity theft sees sharp uptick

The number of patients affected by medical identity theft increased nearly 22 percent over the past year, according to a new report from the Medical Identity Fraud Alliance – an increase of nearly half a million victims since 2013.


In five years since the survey began, the number of medical identity theft incidents has nearly doubled to more than two million victims, according to MIFA, a public/private partnership committed to strengthening healthcare by reducing medical identity fraud.

"Over the past five years, we've seen medical identity theft steadily rising with no signs of slowing," said Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the study. "Our research shows more than two million Americans were victims of medical identity theft in 2014, nearly a quarter more than the number of people impacted last year."

In San Diego March 5-6, the two-day Privacy & Security Forum, presented by Healthcare IT News and HIMSS Media, featuring 26 sessions and 40 speakers from healthcare organizations such as Kaiser Permanente and Intermountain Healthcare, will put the focus on cyber crime and data security, discussing best practices to help keep these numbers in check.


Other findings from the report:

  • Sixty-five percent of medical identity theft victims surveyed paid more than $13,000 to resolve the crime. In 2014, medical identity theft cost consumers more than $20 billion in out-of-pocket costs. The number of victims experiencing out-of-pocket cost rose significantly from 36 percent in 2013 to 65 percent in 2014.
  • Victims are seldom informed by their healthcare provider or insurer. On average, victims learn about the theft of their credentials more than three months following the crime and 30 percent do not know when they became a victim. Of those respondents (54 percent) who found an error in their Explanation of Benefits, about half did not know to whom to report the claim.
  • In many cases, victims struggle to reach resolution following a medical identity theft incident. Only 10 percent of survey respondents reported achieving completely satisfactory conclusion of the incident. Consequently, many respondents are at risk for further theft or errors in healthcare records that could jeopardize medical treatments and diagnosis.
  • Nearly half of respondents (45 percent) say medical identity theft affected their reputation in some way. Of those, nearly 90 percent suffered embarrassment stemming from disclosure of sensitive personal health conditions and more than 20 percent of respondents believe the theft caused them to miss out on career opportunities or lose employment.
  • A large majority of respondents (79 percent) expect their healthcare providers to ensure the privacy of their health records. Forty-eight percent say they would consider changing healthcare providers if their medical records were lost or stolen. If a breach does occur, 40 percent expect prompt notification to come from the responsible organization.

"2015 will be a year of increased attention to the pervasiveness and damaging effects of medical identity theft," said Ann Patterson, senior vice president and program director at MIFA, in a press statement. "As we've already seen this year, the healthcare industry is and will continue to be a major target for hackers. Stolen personal information can be used for identity theft, including medical identity theft and the impact to victims can be life-threatening."


Lessons from the Anthem hack

Anthem experienced a major data breach recently, and reportedly some records (Social Security Numbers and other identifying information, but not health data) of up to 80 million members and employees were obtained by hackers.

There is much to be said (and much has already been said) about the need for privacy and security and protections in the case of Anthem, just as "helpful hints" have been provided after the fact to victims of all significant data breaches. My reaction, when reading about the unencrypted SSNs that were accessed in this attack, was: Why in the world are we using social security numbers as ID numbers? It doesn't have to be this way.

The social security number is the only universal unique identifier we have at our disposal in this country. It's easy to ask for, and to use, but ... it's not supposed to be used for anything other than administration of Social Security benefits. Until not all that long ago, states used SSNs as driver's license numbers. No longer (at least around these parts). Most of us get asked for the last 4 (or 5 or 6) digits of our SSNs constantly for all kinds of reasons. How many of us refuse every time?

Way back in 1998, as folks were trying to figure out how to implement HIPAA, the question arose: Gee, why don't we establish a unique patient identifier system so that we can be assured that each electronic health record is properly tied to the right individual? (Check out this vintage HHS white paper on the Unique Health Identifier, published as prologue to a rulemaking process that never went anywhere.) Eventually, that approach was taken for providers (UPIN, then NPI), but not for patients. In fact, every year since then, Congress has included a special line in the HHS budget that says "thou shalt not establish a unique patient identifier system."

This approach has spawned a sub-industry that scrubs data sets to ensure that an individual patient doesn't have duplicate records, each including only a part of the whole, by triangulating from all the data points used to perpetrate identity theft: SSN, DOB, name, address, etc. All those data points are needed in order to make sure that we're talking about the right Mr. Jones. If the only identifier attached to the health data were the patient ID number, then health records would suddenly become much less valuable to identity thieves -- and it would be easier to determine which record belongs to whom.

Using patient ID numbers (which could be encrypted and thus protected -- because, after all, who wants to get a new patient ID number? Getting a new credit card number after some system or other gets hacked is bad enough, and remember, you can't get a new SSN just because your health records have been hacked) would be one element of a data minimization approach designed to lessen the likelihood of damage resulting from a breach. Couple that with the auditing capabilities that allowed Anthem to notice its breach in short order (vs. some breaches which were exploited over the course of years before anybody noticed), and we'd be looking at some real improvements to health data security.

U.S. states say Anthem too slow to inform customers of breach

Ten U.S. states have sent a letter to Anthem Inc complaining that the company has been too slow in notifying consumers that they were victims of a massive data breach disclosed last week.

"The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers," said the letter, which was sent on Tuesday by Connecticut Attorney General George Jepsen on behalf of Connecticut and nine other states.

The letter asked the No. 2 U.S. health insurer to compensate any consumers who are victims of scams, if the fraud occurs before Anthem notifies them of the breach and offers them free credit monitoring.

"Anthem must commit to reimbursing consumers for any losses associated with this breach during the time period between the breach and the date that the company provides access to credit and identity theft safeguards," said the letter.

Jepsen also asked Anthem to contact his office by Wednesday afternoon with details of its plans to "provide adequate protections" to consumers whose data was exposed in this breach.

The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, and Rhode Island.

Representatives with Anthem could not immediately be reached for comment.

Anthem disclosed the massive breach last week, saying that hackers accessed a database of some 80 million consumers and employees that contained Social Security numbers and other sensitive data.

On Friday the company warned U.S. customers about an email scam targeting former and current members.


Wearables will cause data breaches in the enterprise, says Good Technology: 2015 Tech Predictions | SiliconANGLE

2015 will be the year of the smart watch, with compelling offerings arriving on both the Apple and Android platforms. But we will also see popular consumer mobile applications creating huge security issues for the enterprise, with major security breaches happening due to human error. This is all according to Nicko van Someren, CTO of Good Technology, a provider of secure mobility software.

van Someren’s predictions about emerging technologies are all part of our second annual Technology Predictions series in which industry experts share their predictions with us about the hot tech trends that they think will take center stage in 2015. We’ll be sharing all of their predictions with you over the next several days. Read on for more from van Someren.

 



Prediction No. 1: Human error will lead to more major security breaches

Cyber-attacks are getting more sophisticated and complex. This will continue in 2015 but it appears that many companies are not moving fast enough to keep up and the likely result will be major security breaches. The biggest contributing factor to these security risks will be human error and lack of awareness.


Prediction No. 2: Consumer technologies will cause security issues for enterprises

Consumer technology will also be a big concern in 2015. Consumer devices and consumer-centric technologies act as a gateway for corporate data to move between controlled, corporate environments and parts unknown. Modern consumer devices are inherently prone to leaks by design because they are built to explicitly make it easy for users to share data. Popular consumer mobile applications can easily move data outside of corporate controls without the user knowing, creating huge security issues for the enterprise.


Prediction No. 3: 2015 will be the year of the smart watch

2015 will be the year of the smart watch, with compelling offerings arriving on both the Apple and Android platforms. The emergence of new technology will result in the emergence of new security threats and vulnerabilities, putting users’ data at risk. We don’t yet know how hard it will be to break into these devices but we do know that, if hackers can infiltrate your smart watch, then they can potentially make transactions from Apple Pay and, possibly, reach back into the database on your smartphone to capture all sorts of sensitive information.


Prediction No. 4: Wearables will cause data breaches in the enterprise

As of now, wearables are mainly consumer-driven. Their arrival in the workplace in 2015 is certain but most businesses are woefully unprepared for this. Unless businesses move swiftly to limit how corporate data is delivered to and consumed on these devices, some sort of data breach is inevitable.



Medical records exposed in massive Sony hack | Healthcare IT News


Sony last week notified employees that their medical data and Social Security numbers were swiped in a cyberattack, a breach that has prompted privacy advocates to reaffirm the need to implement further data safeguards.

Sony Pictures Entertainment on Dec. 8 sent letters to 34 Sony employees and their dependents, notifying them that their protected health information, medical diagnoses, Social Security numbers, credit card information, passwords, compensation, passport numbers and other personally identifiable information had been stolen in a "brazen cyberattack." Medical information on employees included conditions such as alcohol-induced liver cirrhosis, kidney failure and cancer, according to a Bloomberg report.

Sony officials did not respond for comment by publication time. 


The attack, which transpired Nov. 24 at Sony's Culver City, Calif.-based office, caused a "significant system disruption," Sony Pictures officials wrote in the notification letter. 

U.S. government officials with information on the ongoing investigation into the hacking have said they are "fairly confident" North Korea was responsible for the cyberattack.


The incident has prompted privacy advocates to speak out on the need to implement added safeguards to protect data in the digital age. 

Deborah Peel, MD, founder of Patient Privacy Rights, a non-profit health privacy advocacy group, was chief among them to weigh in.

"This stuff will haunt all those people the rest of their lives. Once it's up on the Internet it is up in perpetuity," Peel told Bloomberg. "This is a thousand times worse than that other stuff," she said, referring to salary information and personal e-mails. “Health information is the most sensitive information about you.”


The worst part about this breach, as Peel pointed out in her blog response to the Sony breach? "The greatest damage caused by the lack of control over (personally identifiable information) is the loss of trust – trusted relationships between people, companies and governments are impossible without personal control over PII."

Peel cited what transpired earlier this year with AOL after CEO Tim Armstrong revealed healthcare details about two employees to explain why the company opted to cut certain health benefits. 

What this showed? Employers do look at their employees' personal health information, said Peel. "Trusted relationships simply cannot exist if individuals have no right to decide who to let in and who to keep out of PII," she added. "Current U.S. technology systems make it impossible for us to control personal health data, inside or outside of the healthcare system."

There have already been a significant number of hacking-related health data breaches just in the last few months. 

Just in November, for instance, the Dallas-based Onsite Health Diagnostics, a medical testing and screening company that contracts with the state of Tennessee's wellness plan, notified more than 60,000 people that their protected health information was accessed and stored by an "unknown source" for a period of three months back in April. What's more, it took officials some four months to notify those individuals affected.


In August, in the second biggest HIPAA breach ever reported, the Franklin, Tenn.-based Community Health Systems notified 4.5 million of its patients that their personal information was stolen by cybercriminals who reportedly exploited the Heartbleed vulnerability.

To date, nearly 42 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the Department of Health and Human Services. Some nine percent of those are hacking-related breaches.




New malware can live inside any USB device undetected



It turns out that the stalwart USB thumbstick, or any universal serial bus device, isn't as trustworthy as once thought. A pair of security researchers has found we need to worry about more than just malware-infected files that are stored on portable drives, and now need to guard against hacks built into our geek-stick's firmware, according to Wired. The proof-of-concept malware Karsten Nohl and Jakob Lell have created is invisible and installable on a USB device and can do everything from taking over a user's PC to hijacking the DNS settings for your browser. Or, if it's installed on a mobile device, it can spy on your communications and send them to a remote location, similar to the NSA's Cottonmouth gadgets. If those don't worry you, perhaps the fact that the "BadUSB" malware can infect any USB device -- including keyboards -- and wreak havoc will. What's more, a simple reformat isn't enough to disinfect a device either, and the solution that Lell and Nohl suggest goes against the core of what many of us are used to doing.


The duo says that the only way around BadUSB is to more or less treat devices like hypodermic needles: trusting only those that have been used within our personal ecosystem and throwing away any that have come in contact with other computers. Hopefully you don't have a ton of untrustworthy Porsche sticks lying around.
