Roundup: data breaches ’round the world

October 22, 2014 | by

Following on our review of recent articles on why medical identity theft is so attractive, here’s our review of data breaches in the news, including a new (to this Editor) report from Europe.

  • It’s not Europe, blame the UK! That is one of the surprising findings of a meta-review of all types of data breaches released earlier this month by the Central European University’s Center for Media, Data and Society (CMDS). While not specific to healthcare, it is the first study this Editor has seen on EU data breaches and is useful for general trends. 229 verified incidents were analyzed by the CMDS across  28 EU member countries plus Switzerland and Norway, 2005-3rd Quarter 2014, and includes unusual healthcare breaches such as Danish HIV patients’ personal information included in a PowerPoint presentation later published online. Key findings:
    1. 57 percent of breaches were due to insider theft, mismanagement or error; 41 percent were hacker-instigated
    2. It’s common: “for every 100 people in the study countries, 43 personal records have been compromised”
    3. In terms of impact, the UK by far, then Greece, Norway, Germany and Netherlands were the top five countries for incidents and numbers of records breached (report page 9) (more…)

41 percent of healthcare employees don’t encrypt mobile devices: Forrester

September 12, 2014 | by | 1 Comment

Just after this Editor rhapsodized that one of the unrecognized (except here) wins for Apple’s new iPhone 6 in healthcare will be to give the docs what they want–larger screens–is this sobering stat from Forrester. Only 59 percent of healthcare employees use full-disk encryption or file-level encryption on mHealth computing devices used at work. Yes, here is another hole in the data security dike that needs plugging, because Forrester also cites that 80 percent of data breaches relate to lost or stolen devices. (What, not mulch?)  Author Chris Sherman also quoted street prices for health records to The Wall Street Journal’s CIO Journal blog  (more…)

Data breaches and ‘hackermania’ running wild

September 5, 2014 | by

Data breaches remain in the news–and the debate around how best to secure data rages.

Everything old is new again. UK website Computing reported that East Midlands Ambulance Service NHS Trust lost a data cartridge containing 42,000 records from its divisional headquarters in Nottingham. It was a small but deadly cartridge containing scanned handwritten copies of Patient Report Forms from September to November 2012. However, it can only be read on a now-obsolete cartridge reader, one of which is on the Trust’s premises. An interesting project for a ‘cracker’? Perhaps someone thought it was an old paperweight? Is this the virtue of old tech?

Wakey, wakey Hermann! Memorial Hermann Health System in Houston, Texas had an unauthorized employee nosing around patient records for seven years up to July, affecting at last count 10,604 patients. Compromised were health insurance information, Social Security (SSI) numbers, names, addresses and dates of birth (DOB). Obviously they weren’t firewalled and easy to access. No motive cited. According to HealthITSecurity, this person has been suspended, not fired. Also iHealthBeat.

Nothing to see here…move on. Breaking News. Healthcare.gov was breached in July by a hacker uploading malicious software to a server used to test code. No evidence that personal information was compromised. HHS maintains this was the first successful intrusion. We’ll see. MarketWatch (excerpt of WSJ paywalled story)

Is any system hackerproof? Reader Joanne Chiocchi cited this Editor’s first article on the massive CHS breach (from the reprint in HITECH Answers–thank you, Roberta Mullin) and posed this question on LinkedIn’s Ellen’s Ethical Lens group. 48 comments later, (more…)

‘Hackermania running wild,’ part 2

September 5, 2014 | by

Apple flying around the iCloud for Apple HealthKit. Making headlines this week was a few overly personal celebrity photos (foolishly) stored on iCloud accounts going public online. According to Apple, the accounts were hacked probably by ‘brute force’ password attack and not through an iCloud flaw. TechRepublic  But more of concern to digital health developers eager to get all that health and fitness data integrated via the Apple HealthKit API is that Apple is saying ‘nein’ to anyone using the iCloud to store data. Why the concern? Mobihealthnews lays down Apple’s eight ground rules.

Is CyberRX 2.0 a prescription for HIT? HITRUST (Health Information Trust Alliance), with participation from (US) HHS, will be hosting an October cyber attack simulation exercise with over 750 healthcare organizations participating. Exercises are at three levels depending on organization size and will include targeting information systems, medical devices and other technology resources of government and healthcare organizations. Press release. Website.

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2014/09/ESD-America.png” thumb_width=”150″ /]And the weakest point may be ‘over the air’. ‘Interceptor’ fake cell towers can defeat smartphone encryption to ‘over the air’ eavesdrop on calls, read texts and possibly push spyware onto Android phones. According to the CEO of ESD America, they have detected at least 17 powerful towers, likely more, scattered around the US–many near military bases. (more…)

CHS data breach estimated price tag: $150 million

August 26, 2014 | by

Huge price tag, is the solution more ‘white hat hacker/crackers’, get a clue, C-Suite and why China leads in hacking (important updates!)

Dan Munro in Forbes got out his calculator and estimated that the cost to Community Health Services, based on prior incidents, may be as high as $150 million. He bases it on recent poster children Columbia-NY Presbyterian and BlueCross BlueShield of Tennessee. The message to healthcare business executives: pay now–by beefing up HIT and data security–or pay later in rush remediation of data breaches like identity theft protection, Office of Civil Rights-HHS fines, potential insurance fraud,  legal charges and damages awarded. On the latter, it took only hours after the announcement for the first class action to be filed in Alabama.

Of course cybersecurity experts, particularly the ‘white hat’ or ‘cracker’ variety, are in increasingly high demand across all business areas and internationally–and there aren’t many at that exalted level or even a rung or two below. Their commensurate compensation is one factor, but calls to hire less expensively overseas as explored in this article are, in this Editor’s estimation, a two-edged sword: much hacking, many sleeper bugs and ‘backdooring’ are engineered overseas (China, Russia, the Balkans, India); what is to say that these ‘former hackers’ aren’t playing both games? Cybersecurity’s hiring crisis: A troubling trajectory (ZDNet)

The C-Suite Must Care…The Workforce Must Be Aware

Since data security and data breaches threaten to swamp many sectors (universities and colleges, even more than healthcare, rank as the most vulnerable), the solution may not be wholly in the code. (more…)

FBI ‘Flash Alerts’ health organizations about hacker attacks (US)

August 22, 2014 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2014/08/keep-calm-and-encrypt-your-data-5.png” thumb_width=”150″ /]Late yesterday Reuters reported that the Federal Bureau of Investigation (FBI) issued a ‘flash alert’ to healthcare organizations, warning they are being targeted by “…malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII),” and that “These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data.” These alerts are sent to businesses by the FBI and Department of Homeland Security (DHS) to help prevent cyberattacks. This follows an April FBI alert warning healthcare companies that their security systems were lax compared to other sectors, making them highly vulnerable to hacker attacks. Our Monday report on the Community Health System attack on 4.5 million records at the the #2 US publicly traded hospital operator  (more…)

The drip of data breaches now a flood: 4.5 million records hacked–update

August 18, 2014 | by

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2014/08/keep-calm-and-encrypt-your-data-5.png” thumb_width=”150″ /]Breaking News–updated at end  Earlier this year [TTA 23 Apr] this Editor commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While making some progress in the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat. We now know that Godzilla has arrived and he’s stomping ‘n’ chomping. Community Health Systems of Franklin, Tennessee claimed today as part of a SEC regulatory filing that hackers originating in China breached sensitive information in 4.5 million patient records accumulated over five years during April and June using cyberattacks and sophisticated malware.  (more…)

Politico: massive hacking of health records imminent

July 2, 2014 | by

Politico is a website (and if you’re in Foggy Bottom-ville, a magazine) much beloved by the ‘inside government’ crowd and the media ‘chattering classes’. With some aspirations to be like Private Eye but without the leavening sharp satire, the fact that they’ve turned their attention to–gasp!–the potential hackathon that is health records is amazing. They mention all the right sources: Ponemon, HIMSS, the American Medical Association, BitSight, AHIMA. In fact, the article itself may be a leading indicator that the governmental classes might actually do something about it. This Editor applauds Politico for jumping on our battered Conestoga wagon with the other Grizzled Pioneers. We’ve only been whinging on about data breaches and security since 2010 and their researchers could benefit from our back file.

And speaking of 2010, the Department of Health & Human Services (HHS) is doing its part to close the budget deficit by collecting data breach fines–$10 million in the past year. A goodly chunk will be coming from New York-Presbyterian Hospital/Columbia University Medical Center: $4.8 million for a 6,800 person breach (iHealthBeat) where sensitive records showed up online, readily available to search engines. And yes, we covered this back on 29 Sept 2010 when breaches were new and hushed up. Politico: Big cyber hack of health records is ‘only a matter of time’

Oddly, there is nary a mention of Healthcare.gov.

Risky hospital business: happy device hacking, insider data breaches

May 10, 2014 | by

A heap of ‘insanely easy’ hospital hacking–but no harm done: Essentia Health’s head of information security, Scott Erven, set his team to work–with management approval–on hacking practically every internal device and system over two years, and found that most were ‘insanely easy’ to hack. They successfully hacked drug infusion pumps, EHRs, Bluetooth-enabled defibrillators, surgery robots, CT scanners, networked refrigerator temperature settings and X-ray machines with potentially disastrous results. Where the common security holes are in networked equipment: lack of authentication, weak passwords, embedded web services and the list goes on. Mr Erven presented this at an industry meeting in April, without naming brands or devices as he’s still trying to fix them. Essentia Health operates about 100 facilities, including clinics, hospitals and pharmacies, in Minnesota, North Dakota, Wisconsin and Idaho–and should receive much credit for facilitating this study. This is the environment into which we will be plonking tons of patient information in PHRs and telehealth monitoring. Pass the painkillers. Summary in HealthIT Outcomes, much more essential detail in Wired worth the read.

The ‘Maybe No One Will Notice’ Data Breach:  The recent incident at the University of Massachusetts Memorial Medical Center in Worcester illustrates the difficulty that even academic medical centers have with detecting data security breaches, particularly when they are small, sneaky, over time and by an insider. UMass uncovered a series of low-profile breaches by a former employee who helped himself to patient information such as name, address, date of birth and Social Security number–and may have used it to open up credit card and mobile phone accounts. Only four records appear to have been misused in this way, but at least 2,400 records were estimated to be improperly accessed–over 12 years, which made it even more difficult to find. Perhaps the employee was funding retirement? HealthcareInfoSecurity

The ‘Ambulance Chaser’ Data Breach: What better way for lawyers and shady outpatient clinics to get accident patients fresh from the ER (ED), than to have someone on the inside feeding them patient information? (more…)

Data breaches may cost healthcare organizations $5.6 bn annually: Ponemon (US)

April 23, 2014 | by | 1 Comment

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2013/10/keep-calm-and-enter-at-own-risk-3.png” thumb_width=”150″ /]The PHI threat is within for HIT staff and CIOs, with no end in sight: Ponemon Institute and IS Decisions

The Ponemon Institute’s fourth annual benchmark report on patient privacy and data security was released last week and with a few exceptions, the news is worse than last year. Eight highlights in the study of 91 responding organizations (Ponemon admits results are skewed to larger sized respondents) for 2013 are:

  1. The average cost of data breaches in the study group was approximately $2 million over a two-year period. Extrapolated to the over 5,700 hospitals in the US, the annual cost is $5.6 billion, down from $7 billion in 2012.
  2. The number of data breaches decreased slightly. 38 percent report more than five in the 2013 report compared to 45 percent in 2012. The number of organizations reporting at least one data breach in the past two years was 90 percent versus 94 percent in 2012.
  3. Healthcare organizations improve ability to control data breach costs. The economic impact of data breaches for the healthcare organizations represented in this study over the past two years is $2.0 million–but it is 17 percent (nearly $400,000) less than 2012.
  4. ACA increases risk to patient privacy and information security. No surprises here for readers with insecure exchange of information between healthcare providers and government (75 percent ), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent) leading the way. (more…)

Why healthcare doesn’t encrypt: correct, incorrect assumptions

April 22, 2014 | by

As our readers know, we’ve preached the Gospel of Data Security for quite awhile, to the point where even The Gimlet’s Eyes have crossed. Based on this smart analysis in Healthcare IT News (done by an outsider to healthcare), there are real reasons why HIT leaders are reluctant to implement encryption and security that would be SOP for other types of organizations. Mr. Schuman sorts the ‘drag the feet’ factors:

  1. Outdated but still widely believed: Encryption makes information less accessible across a broad network, increasing retrieve and review time. There is increased, not decreased, pressure to increase access, including by practices and patients, as part of  Meaningful Use (US).
  2. Encryption as a barrier: Providers see encryption as increasing time, decreasing  usability of systems, making workarounds more difficult.
  3. Encryption not permitted: Equipment designed with a specific hardware/software configuration block security add-ins. The logic is that any add-ins, even for security, could and do compromise performance. They thus violate manufacturers’ warranties and leave hospitals/practices open to legal action if equipment does not perform as intended.
  4. It’s complicated and pricey: Encrypting proliferating devices multiplicity of devices and systems takes manpower–it’s not only not there, but also expensive. Good intentions, but little money, is there.

The solution may lie in encrypting data between applications, not in the hardware/software itself. Hat tip to reader ‘Klondike Playboy’ John Boden.

PHI data: 361,000 examples that it’s more insecure than ever

April 9, 2014 | by

We’ve been fairly consistent in our coverage of data breaches, including the regrettable fact that more digital data stored out there on EHRs and devices with low security means Happy Hacking (or Stealing) for Fun and Profit. [TTA 2 Apr] Here’s additional proof, including the first incident this Editor has seen of email phishing:

California, there they go: A theft of eight computers from Sutherland Healthcare Solutions’ medical billing and collections office compromised 338,700 patients’ personal health information (PHI), including SSIs. Sutherland provides services to the Los Angeles County Department of Health Services and Department of Public Health. Being California, three class action lawsuits have already been filed. Kaiser Permanente compromised 5,100 records at their Northern California Division of Research. According to iHealthBeat, it was on a laptop; Health Data Management reports it was on a server. The malware was lurking for 2 1/2 years (!) but it’s not determined whether the data was actually stolen. Phishing scam hits Catholic Health Initiatives, affects 12,000 in multiple states: What looked like an internal CHI email asking for patient information wasn’t– (more…)

How insecure can health data get? Very.

April 2, 2014 | by

Gigaom is one of our go-to sites for enthusiastic whiz-bang health gadget coverage (and more), but here’s the downside of all those devices: all that data. And it’s not only not secure, but also getting more insecure. Grégoire Ribordy of Swiss encryption company ID Quantique makes some key (and scary) points on the data breaches looming–and he doesn’t mention that block of Swiss cheese Healthcare.gov once:

  1. One-stop storage for your total health records and data, an idée fixe among government and single-payer theoreticians, just makes it one-stop-shopping for hackers.
  2. Richer health data means more to steal and exploit.  There’s also the illegal use of genetic information for employment discrimination–hard to enforce regulations, easy to misuse personal data.
  3. Biological crime isn’t just a future plot of ‘Law & Order.’ Criminals can target patients with specific conditions–or healthcare workers can make money on the side by supplying accident victim data to personal injury attorneys, as recently happened in NY. For prominent people, their sensitive health information can be leaked to the press for profit. (more…)

Now three medical device maker networks hacked

February 14, 2014 | by

St. Jude Medical, Medtronic and Boston Scientific targeted. The San Francisco Chronicle reported earlier this week, from what they termed a source close to the companies, that all three companies had data intrusions that lasted for several months during 2013, and were not aware of them until alerted by Federal authorities. None of the companies, nor the FBI, confirmed or commented on this for the Chronicle. The attacks were “very thorough” and the source stated that they showed signs of being committed by hackers in China. The attraction of all three companies–Medtronic being the world’s largest– is their intellectual property and of course patient data, with the article mentioning confidential patient data collection from clinical trials. Also iHealthBeat.

Previously in TTA: US health data breaches hit record; Healthcare.gov backdoored?

US health data breaches hit record; Healthcare.gov backdoored?

February 7, 2014 | by

Security firm Redspin reports a total of 7.1 million affected records in 2013, up from 3 million in 2012. The five largest breaches accounted for 85 percent of the total: Advocate Health, Horizon BCBSNJ, AHMC Healthcare, Texas Health Harris Methodist Hospital Fort Worth and Indiana Family & Social Services Administration. Hardware theft of unencrypted devices accounted for the first three; Texas Health was perhaps the most unique because it disposed of over 277,000 microfiche patient records in a city park, making it the winner of last May’s ‘It’s Just Mulch’ award in ‘The exploding black market in healthcare data’.  Not included in the Redspin report (free download here) was a mid-December breach of 405,000 records at Bryan, Texas-based St. Joseph Health System which would have put it fourth on the list. This took place in a two-day data security attack on their servers traced to China and reported to the FBI. While Redspin attributes only six percent of breaches to hacking, this is an amount sure to increase as more information is digitized. Health Data Management, iHealthBeat, FierceHealthIT  Security breaches, natural disasters and outages are events that cost US hospitals over $1.6 billion annually, and 82 percent of health IT executives surveyed by MeriTalk said that their technology infrastructure is “not fully prepared for a disaster recovery incident.” The $1.6 billion seems low in light of the Ponemon Institute’s 2012 health data breach estimate of $7 billion annually–and the $12 billion in victim costs [TTA 14 Sept 13]. FierceHealthIT

.…and wait till Healthcare.gov-related security breaches start. This Editor stopped beating the dead and quartered horse of Healthcare.gov last year, finding that what was suspected and detailed from the start was simply borne out by subsequent revelations. Another example: the recent revelation that US intelligence agencies are highly concerned that code in the website was produced by programmers in Belarus, a former Soviet republic closely allied to that hotbed of hacking, Russia. That means that ‘backdoors’ are right in the code, waiting to be opened. This affects more than the website–but through the hub, states, HHS, IRS and DHS. How did our Washington types find out about it? When a top Belarusian official bragged on state radio about it! Ace intelligence writer Bill Gertz in the Washington Times broke the story. (Want more on the website’s security problems? See here for more on the Gertz story plus the David Kennedy/TrustedSec testimony and more. But bring your preferred headache remedy!)

The sea of security ‘red flags’ that is Healthcare.gov

October 15, 2013 | by
[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2013/10/120306.png” thumb_width=”170″ /]It’s just a fact of life
That no one cares to mention
She wasn’t very good
But she had good intentions

—Lyle Lovett, ‘Good Intentions’

Confirmed by experts to the more-than-mainstream Christian Science Monitor are the layers of insecurity completely feasible on the current Healthcare.gov website–and the 14 state (plus DC) websites feeding into the Federal health insurance exchange and up into the mysterious hub linked to other Federal agencies. Healthcare.gov is supposed to adhere to NIST standards but these are no guarantee–and the state sites are not required to. ‘Red flags’ cited by experts (aside from ‘Wildman’ John McAfee) make for interesting reading:

  • Cross-site request forgery
  • ‘Clickjacking’–an invisible layer over the legitimate website
  • Cookie theft, and not by the Cookie Monster
  • Problematic verification from state to Federal, from legitimate third-party assistance, from brokers and so on
  • Log in fraud–the happy hunting ground of hackers and DDOS attacks

Warnings were apparent as early as 2 October [TTA 8 Oct]. And as our later coverage has explained, undoing all of this is near-impossible even with funding, in the less-than-a-month window till the crash time deadline in mid-November and then early January. Obamacare website security called ‘outrageous’: How safe is it? (+video)

Our 11-14 October compilation is a narrative and summary of major articles on the failure of the Healthcare.gov website and its consequences like none you will see elsewhere.