Summertime, and the ransomware is running wild (updated)

Mashing up our summer ‘tune’ list are the latest reports on ransomware attacks and data breaches:

  • Banner Health’s odd breach of 3.7 million records, in which attackers first got into the card-payment systems at its food and beverage outlets and then moved on to its patient information systems, is leading to at least one class-action lawsuit. HealthITOutcomes, Becker’s Hospital Review
  • Bon Secours Health System of Maryland had an exposure of 655,000 records when a business associate left patient information exposed online for four days while it adjusted its network settings. Healthcare Dive
  • The Locky ransomware has been battering hospitals since the beginning of August, with phishing emails spiking on August 11. Most of this global campaign targets healthcare, with transportation and telecom running second; the countries with the highest frequency of attacks are the US, Japan and South Korea, FireEye reports. ZDNet
  • Solutionary, now NTT Security, which specializes in cybersecurity services, reported last month that 88 percent of all ransomware detections in the second quarter of 2016 targeted healthcare. However, Cryptowall, not Locky, was the ransomware family it spotted most often, accounting for nearly 94 percent of detections. Release
  • Can you anticipate cyber crimes like these? ID Experts has an intriguing blog post on how you can think like a cyber thief, Part One of a promised three-part series. Updated: ID Experts disclosed earlier this week that it spun off RADAR, its two-year-old IT security and compliance company, effective 2 August, with $6.2 million in Series A funding. It appears that the CEO wrote the check (CrunchBase). There’s gold in dem dere cyber varmints! MedCityNews, Release
  • Scared enough? The Federal Trade Commission comes to the rescue with a half-day seminar on ransomware detection and prevention in Washington DC on September 7. The session is free and will be webcast (details to come). FTC release, event page

Summertime, and the health data breaches are easy….

Cybersecurity is the word, not the bird, from South Korea (see here) to the US. The week opened with an unusual health plan supplier breach: 3.3 million payer records held by a card issuer, Newkirk Products of Albany, NY. The company issues ID cards for several Blue Cross and Blue Shield plans and provides management services to other commercial payers. Ironically, the breach was discovered five days after Newkirk’s $410 million acquisition by Broadridge Financial Solutions of Lake Success, Long Island. On July 6, Newkirk discovered ‘unauthorized access’ to a server holding records containing members’ names, mailing addresses, type of plan, member and group ID numbers, names of dependents enrolled in the plan, primary care provider and, in some cases, date of birth, premium invoice information and Medicaid ID number. “No health plans’ systems were accessed or affected in any way,” according to the release. MedCityNews, Newkirk release on notice

A second breach, at Arizona’s Banner Health, affected an estimated 3.7 million patients. This one was a bit closer to home: attackers compromised the computer systems used to process debit and credit card payments at its food and beverage outlets in four states between June 23 and July 7. A week later, they gained unauthorized access to systems containing patient information, health plan member and beneficiary information, and information about physicians and healthcare providers. MedCityNews, Banner Health release

But what’s secret anymore about your health data anyway? It’s all those apps sending data via your Apple Watch and your Fitbit, which aren’t necessarily covered by HIPAA, or secure. (more…)

Why do hackers love bitcoin? Blockchain. And why are healthcare, IoT liking blockchain?

Hackers love bitcoin for ransomware payments because it is virtual money that moves outside the banking system: addresses are pseudonymous rather than tied to a verified identity, so a payment is hard to attribute to a person even though every transaction is recorded on a public ledger (the coins are not ‘encrypted’; what protects them is the private key that controls an address). Technically, bitcoin is not a bank transfer of payment–it IS money of the unregulated sort. The ransomee has to buy bitcoin through an exchange and then send it to the address the hacker supplies. However, what sounds straightforward is actually fraught with risks: the exchanges themselves are targets of hacking, and fluctuations in bitcoin’s value may mean that a ransom is not actually paid in full. ID Experts‘ article gives the basics of bitcoin, what to expect and when paying a ransom is the prudent thing to do.

Turn what is behind bitcoin around though, and it becomes intriguing to HIT and IoT. Blockchain is “a distributed, secure transaction ledger that uses open-source technology to maintain data. Records are shared and distributed over many computers of entities that do not know each other; records can be time-stamped and signed using a private key to prevent tampering.” Each block carries a hash of its contents that also covers the previous block’s hash, linking the blocks into a chain in which altering one record invalidates every block after it. (Wikipedia has a more complete description.) For bitcoin, it provides integrity, pseudonymity and transferability without a central bank. For healthcare, distributed data and security are the exact opposite of the highly centralized, locked-down approach standard HIT takes to interoperability and security. The Federal ONC-HIT (Office of the National Coordinator for Health Information Technology) under HHS is soliciting up to 15 proposals for “Blockchain and Its Emerging Role in Healthcare and Health-related Research” through July 29. Cash prizes range from $1,500 to $5,000. The final eight will present at the awards presentation September 26-27. Potential uses are:

  • Medical banking between dis-intermediated parties
  • Distributed EHRs
  • Inventory management
  • Forming a research “commons” and a remunerative model for data sharing
  • Identity verification for insurance purposes
  • An open “bazaar” for services that accommodates transparency in pricing

Health Data Management, Information Management, Federal Register announcement
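The hash-chain-plus-signature idea described above, as an added example that is not code from the original post, the ONC challenge or any blockchain project: each block stores the previous block’s hash and an ed25519 signature over its own hash, so editing a record breaks every later link, and an editor who holds no trusted key cannot repair the chain. The Block layout, the ‘clinic A’ and ‘outsider’ participant names, the patient records and the single-signer trust list are assumptions made for the example; keys are derived deterministically from the names only so the run is reproducible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Block is one ledger entry (hypothetical layout for this example): a record and
// its timestamp, the previous block's hash, this block's hash, and an ed25519
// signature over that hash by the party that appended it.
type Block struct {
	Timestamp int64
	Record    string
	PrevHash  string
	Hash      string
	Signer    ed25519.PublicKey
	Signature []byte
}

// blockDigest hashes everything block number i commits to, including the previous
// block's hash, which is what chains the blocks; %q keeps a '|' inside a record
// from masquerading as the field separator.
func blockDigest(i int, ts int64, record, prevHash string) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%d|%q|%q", i, ts, record, prevHash)
	return h.Sum(nil)
}

// NewSigner derives a participant's ed25519 key pair from a name (deterministic
// so the example is reproducible; real participants generate keys randomly).
func NewSigner(name string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(name))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// seal links block i to its predecessor, then fills in its hash and signature.
func seal(chain []Block, i int, priv ed25519.PrivateKey) {
	if i > 0 {
		chain[i].PrevHash = chain[i-1].Hash
	}
	d := blockDigest(i, chain[i].Timestamp, chain[i].Record, chain[i].PrevHash)
	chain[i].Hash = hex.EncodeToString(d)
	chain[i].Signer = priv.Public().(ed25519.PublicKey)
	chain[i].Signature = ed25519.Sign(priv, d)
}

// Append adds a block holding record to the tail of chain, signed by priv.
func Append(chain []Block, record string, ts int64, priv ed25519.PrivateKey) []Block {
	chain = append(chain, Block{Timestamp: ts, Record: record})
	seal(chain, len(chain)-1, priv)
	return chain
}

// Verify walks the chain from genesis and returns the index of the first block whose
// hash, back-link or signature fails (a signer not in trusted fails too), or -1.
// trusted is keyed by the raw public key bytes.
func Verify(chain []Block, trusted map[string]bool) int {
	prev := ""
	for i, b := range chain {
		d := blockDigest(i, b.Timestamp, b.Record, b.PrevHash)
		if b.PrevHash != prev || b.Hash != hex.EncodeToString(d) ||
			!trusted[string(b.Signer)] || !ed25519.Verify(b.Signer, d, b.Signature) {
			return i
		}
		prev = b.Hash
	}
	return -1
}

// Tamper models an attacker who can edit the stored ledger: it rewrites the record
// in block i, then re-hashes and re-signs every later block with the attacker's key.
func Tamper(chain []Block, i int, record string, attacker ed25519.PrivateKey) []Block {
	out := append([]Block(nil), chain...)
	out[i].Record = record
	for j := i; j < len(out); j++ {
		seal(out, j, attacker)
	}
	return out
}

func main() {
	pub, priv := NewSigner("clinic A")   // the one trusted participant
	_, attacker := NewSigner("outsider") // can edit the store but holds no trusted key
	var chain []Block
	for i, r := range []string{"genesis", "patient 1001: consent granted", "patient 1001: lab result posted"} {
		chain = Append(chain, r, int64(1600000000+i), priv) // constructed records, fixed timestamps
	}
	trusted := map[string]bool{string(pub): true}
	fmt.Println(Verify(chain, trusted))                                                      // -1: intact
	fmt.Println(Verify(Tamper(chain, 1, "patient 1001: consent revoked", attacker), trusted)) // 1: outsider re-signed
	fmt.Println(Verify(Tamper(chain, 1, "patient 1001: consent revoked", priv), trusted))     // -1: key holder rewrote history
}
```

Run it and Verify returns -1 for the intact chain, 1 after the outsider edits block 1 and re-signs it and everything after, and -1 again when the trusted key holder does the same rewrite. That last result is the caveat for the healthcare uses listed above: a hash chain signed by one party is tamper-evident against everyone except that party. What makes a public blockchain hard to rewrite is that many mutually distrustful parties hold copies and a consensus rule decides which chain counts, not the hashing or signing on its own.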

90% of industries have had PHI data breach: Verizon (HIMSS Connected Health)

Reporting from the HIMSS Connected Health Conference (CHC)

Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of Verizon’s extensive international Data Breach Investigations Report (DBIR), now in its eighth year.

It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches; the point is that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an information security/forensics expert; included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and, as a damper on this highly competitive (but hard-to-gauge) area, wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”

Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ errors account for 77 percent of incidents. And as Bryan Sartin, managing director of Verizon’s RISK team, noted in his keynote today, attacks take seven months on average even to be noticed. The breaches are long term; they start small and sneaky. Two-thirds of organizations don’t find out on their own, only when the breach starts to affect other partners. (Surprise!) Despite the widely reported Chinese and Black Vine involvement in several high-profile, high-volume data hacks (Anthem), and the ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Ms Widup’s words, or privilege misuse.

When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, as your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. (more…)

Healthcare vulnerability in a concatenation of data breaches

Concatenation is one of those lovely English words that expresses far more than its simpler synonyms: sequence, series or chain of events. Perhaps we have now experienced a concatenation of data breaches that connect to form a critical mass, one that motivates healthcare organizations, including insurers, to give data security and privacy primacy in HIT. Our Readers know we’ve been on the case since 2010; we’ve been noting Ponemon Institute and ID Experts studies since then.

While simple, straightforward theft can be the cause of smaller breaches and not part of a Big Hack, it’s not as Three Stooges or Benny Hill-esque as the JAMA study earlier this year perhaps made it out to be, especially if it’s your personal record, or your patient’s, that is breached, with identity and finances damaged. (See this Security Intelligence article on a minor health breach and how it affected an individual who happens to work in IBM’s security arm.)

Just in the past few weeks, in the US we have experienced the following major and minor breaches:

  • CareFirst BlueCross BlueShield in Maryland–an insurer, not a hospital or practice–had a Big Hack of 1.1 million health records, with names, birth dates, email addresses and insurance identification numbers (but not Social Security or credit card numbers) revealed.
  • Beacon Health Systems (Indiana) had a phishing attack into employee email boxes dating back to 2013. This was a Medium Hack that affected about 220,000 patients. Data taken included Social Security and driver’s license numbers. Health Data Management today.
  • Advantage Dental in Redmond, Washington had a 152,000-patient hack over three days in February.
  • Also in February, a New York City Health and Hospitals Corporation employee transferred patient files to her personal and new work email. 90,000 patients may have had their data compromised as a result. Becker’s

More breaches are listed today in iHealthBeat and the ever-growing list on Privacy Rights Clearinghouse.

Ponemon Institute’s 2015 Cost of a Data Breach Study: Global Analysis, with IBM, was published last week. (more…)

Hackermania running wild, 2015 edition


Do we need the Hulkster Running Wild against Hacking? It’s so heartwarming to see the mainstream press catch up to what your Editors have been whinging on about for the past few years: that healthcare data is the Emperor With No Clothes. Here we have Reuters and the New York Times with a case of the vapors, seeking a fainting couch. Reuters dubs 2015 ‘The year of the healthcare hack’. The FBI is investigating the Anthem breach, while Anthem’s counterparts UnitedHealth, Cigna and Aetna are in full, breathless damage control mode. The Times at least delves into the possibility that it was at least partially instigated by China and the People’s Liberation Army (PLA) unit that trolls for intellectual property.

Our Readers, savvy to your Editors’ warnings since at least 2010, were aware that the drumbeat accelerated this past summer. (more…)

Data breaches may cost healthcare organizations $5.6 bn annually: Ponemon (US)

The PHI threat is within for HIT staff and CIOs, with no end in sight: Ponemon Institute and IS Decisions

The Ponemon Institute’s fourth annual benchmark report on patient privacy and data security was released last week and, with a few exceptions, the news is worse than last year’s. Eight highlights in the study of 91 responding organizations (Ponemon admits results are skewed toward larger respondents) for 2013 are:

  1. The average cost of data breaches in the study group was approximately $2 million over a two-year period. Extrapolated to the over 5,700 hospitals in the US, the annual cost is $5.6 billion, down from $7 billion in 2012.
  2. The number of data breaches decreased slightly. 38 percent report more than five in the 2013 report compared to 45 percent in 2012. The number of organizations reporting at least one data breach in the past two years was 90 percent versus 94 percent in 2012.
  3. Healthcare organizations improved their ability to control data breach costs. The economic impact of data breaches for the healthcare organizations in this study over the past two years is $2.0 million, but that is 17 percent (nearly $400,000) less than in 2012.
  4. ACA increases risk to patient privacy and information security. No surprises here for readers, with insecure exchange of information between healthcare providers and government (75 percent), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent) leading the way. (more…)

The exploding black market in healthcare data

When medical records’ black market value is estimated at an average of $50 per record, 94 percent of health care organizations have had at least one breach in the past two years, and 2 million Americans were medical identity theft victims in 2011, it’s one unpleasant ‘pointer to the future.’

Data firm ID Experts studied a decade of data breaches and notes that medical data has become very attractive to professional hackers and cyber thieves. ID Experts’ full infographic.

  • First, there is so much of it with the increasing electronification of health data.
  • Second, so much of it resides on insecure or unsecured devices and networks: smartphones, tablets, laptops.
  • Third, organizations and individuals are still only semi-conscious of the reality of fraud, and are negligent and sloppy when it comes to securing devices, over-relying on the cloud without tight enterprise security. The new and underfunded health insurance ‘exchanges’ are particularly vulnerable as they, like other healthcare organizations, can over-rely on technology to protect data–which clever hackers can work around. Moreover, hackers can extract data and sit on it till the trail goes cold. (Scroll down the infographic to find out more.) Also Ponemon Institute’s recent report in Healthcare Technology Online.

ID Experts’ study conclusions are reinforced by the California State Attorney General’s report that 55 percent of breaches “were intentional intrusions by outsiders or by unauthorized insiders” and that healthcare breaches were the third largest category of reported incidents. A counter-measure may be the Medical ID Fraud Alliance, a collaboration in progress that is planned to include the Federal Trade Commission, the Secret Service and the Veterans Administration. More in Amednews.com (published by the American Medical Association)

Healthcare breaches due to criminal activity and plain error are becoming more common as well. All one has to do is bop over to Privacy Rights Clearinghouse, click on ‘MED’ for healthcare and 2013 and check the frequency to date (113) of breaches both tiny and huge. (By comparison, full year 2012 totaled 224.) Our TTA ‘Into The Breach’ Awards go to:   (more…)