Data breach fail at AnthemHealth: an inadvertent ‘inside job’ (updated)

The data breach at US health insurance giant AnthemHealth, reportedly affecting up to 80 million beneficiaries [TTA 6 Feb], was an inadvertent ‘inside job’. The Associated Press reported that the credentials of at least five employees were used to access information; at least one of them was an administrator who watched his own credentials being used to query the data warehouse. Such credentials are easier to obtain than you might think. In an analysis published by security firm Tripwire and also in MIT Technology Review, the writer Ken Westin outlines how easy it is to discover that the Anthem warehouse is Teradata, and to identify the employees who work with it, using public employee profiles on sites like LinkedIn and job postings. From there it is a matter of deduction to find exact email addresses (find the pattern; lead-generation companies building business contact lists do this all the time) and send those key employees phishing emails.
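The detail that matters for defenders in the story above is that stolen but valid credentials were used to run queries against the data warehouse, and that the account owner only noticed by chance. The following is an added example, not code from the article, from Anthem, or from Tripwire: a small detector that runs over a constructed, hypothetical warehouse access log (the key=value line format, the account names, the trusted network range 10.20.0.0/16, the business-hours window and the bulk-row threshold are all assumptions) and flags the three signals a SOC would typically watch for with a compromised warehouse account: activity from outside the trusted network, logins outside business hours, and unusually large result sets.

```python
"""Flag suspicious data-warehouse activity from a key=value access log.

Added example. The log format, accounts, addresses and thresholds below are
constructed for illustration and are not taken from the Anthem incident.
"""
import ipaddress
from datetime import datetime

# Constructed sample log (hypothetical format). Field order may vary per line.
SAMPLE_LOG = """\
2015-01-27T09:12:03Z user=dw_admin01 src=10.20.1.15 action=login status=ok
2015-01-27T09:14:10Z user=dw_admin01 src=10.20.1.15 action=query rows=1200
2015-01-27T22:41:55Z user=dw_admin01 src=203.0.113.44 action=login status=ok
2015-01-27T22:43:02Z user=dw_admin01 src=203.0.113.44 action=query rows=8000000
2015-01-28T03:05:19Z user=analyst07 src=10.20.1.88 action=login status=ok
2015-01-28T03:06:30Z src=10.20.1.88 user=analyst07 action=query rows=450000
"""

# Assumed policy values: corporate address space, working hours (UTC, start
# inclusive / end exclusive) and the row count above which a query is "bulk".
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = (7, 19)
BULK_ROW_THRESHOLD = 1_000_000


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_trusted(src, trusted_nets):
    """True when the source address falls inside any trusted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted_nets)


def find_alerts(log_text, trusted_nets=TRUSTED_NETS,
                hours=BUSINESS_HOURS, row_threshold=BULK_ROW_THRESHOLD):
    """Return (timestamp, user, reason) tuples, one per triggered signal."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts, user = ev["ts"], ev["user"]
        stamp = ts.isoformat()
        # Signal 1: any activity from outside the trusted address space.
        if not is_trusted(ev["src"], trusted_nets):
            alerts.append((stamp, user, "source outside trusted network"))
        # Signal 2: logins outside the expected working window.
        if ev["action"] == "login" and not (hours[0] <= ts.hour < hours[1]):
            alerts.append((stamp, user, "login outside business hours"))
        # Signal 3: a single query pulling an unusually large result set.
        if ev["action"] == "query" and int(ev.get("rows", 0)) > row_threshold:
            alerts.append((stamp, user, "bulk query result"))
    return alerts


if __name__ == "__main__":
    for stamp, user, reason in find_alerts(SAMPLE_LOG):
        print(f"{stamp} {user}: {reason}")
```

On the sample log this raises five alerts: the administrator account is seen from an address outside the corporate range, logs in at night and then pulls eight million rows, and the analyst account logs in at 03:05. None of these signals proves compromise on its own, which is why each line carries its own reason and the tuples are left for a downstream rule (or a human) to correlate; the point is that a valid credential used in an unusual way is still visible in the warehouse's own logs if someone is looking.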

‘Hackermania running wild,’ part 2

Apple flying around the iCloud for Apple HealthKit. Making headlines this week were a few overly personal celebrity photos (foolishly) stored on iCloud accounts going public online. According to Apple, the accounts were probably hacked by a ‘brute force’ password attack and not through an iCloud flaw (TechRepublic). But of more concern to digital health developers eager to get all that health and fitness data integrated via the Apple HealthKit API is that Apple is saying ‘nein’ to anyone using iCloud to store that data. Why the concern? Mobihealthnews lays down Apple’s eight ground rules.

Is CyberRX 2.0 a prescription for HIT? HITRUST (Health Information Trust Alliance), with participation from (US) HHS, will be hosting an October cyber attack simulation exercise with over 750 healthcare organizations participating. Exercises are at three levels depending on organization size and will include targeting information systems, medical devices and other technology resources of government and healthcare organizations. Press release. Website.

And the weakest point may be ‘over the air’. ‘Interceptor’ fake cell towers can defeat smartphone encryption to eavesdrop on calls over the air, read texts and possibly push spyware onto Android phones. According to the CEO of ESD America, the company has detected at least 17 powerful towers, likely more, scattered around the US, many near military bases.

Health IT security gets a boost in Texas

Unlike the rampant data insecurity present in the state health insurance exchanges and the Federal HealthCare.gov, Texas is moving forward to secure data from providers within the state. The Texas Health Services Authority and the Health Information Trust Alliance (HITRUST) are developing and managing the Texas Covered Entity Privacy and Security Certification Program. Organizations must assess their compliance with privacy and security regulations, and those that do will receive a certification recommendation from HITRUST. According to iHealthBeat, quoting a HITRUST VP, how this is implemented will have repercussions far beyond the state. A major goal, according to Health Data Management, is to reduce data breaches, for which fines in Texas alone run between $5,000 and $1.5 million, not counting HHS penalties. Also Modern Healthcare, HITRUST process page.