Hospitals, a Danger to Your Personal Data
According to a recently released study carried out by research firm HIMSS Analytics and risk management company Kroll Fraud Solutions, from 2006-2007, over 1.5 million patients’ personal information was exposed through hospitals alone, allowing them to be threatened by identity thefts. The survey however does not take into account insurance companies, pharmaceutical companies or individual doctors’ offices, which would have meant a significant increase in the total number.
According to Dark Reading, we should keep in mind that these numbers are based on reporter breaches only. About 44 percent of hospitals that experienced a breach in 2007 didn’t inform the patients whose records were affected, as shown in the study.
Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is a high awareness of the security requirements described in Health Information Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.
This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.
88,000 Patients Exposed to Identity Theft
Hardware containing personal information on about 88,000 patients of the Staten Island University Hospital has been stolen last year in December.
According to Silive.com, after four months of investigations that have led to no arrest, the hospital administrators are now starting to send letter to patients who are currently exposed to identity theft threats. The stolen desktop computer and the backup hard drive stolen from one of the hospital’s finance offices contained patients’ names, Social Security and health insurance numbers.
“The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,” said a hospital statement released yesterday afternoon by spokeswoman Arleen Ryback. The time frame for when patients whose information was included in the data were treated was not immediately known.
Ms. Ryback said no medical records were included in the files, but wouldn’t speculate why SIUH waited so long to notify people.
Data on 700 Children with Social and Developmental Problems Lost
Medical data on about 700 children and teenagers with social and developmental problems from Hong Kong have recently been lost. The data loss was admitted to by the territory’s government at the end of last week.
The records were stored on a memory card which was stolen from a Child Assessment Centre in the city’s Tuen Mun district. The government’s Department of Health, quoted by M&C News, said the memory card had been kept in an unlocked room.
The lost data included detailed records of interviews with troubled youngsters including assessments and, in some cases, their photos, identity card numbers and addresses.
Expensive Security Keeps Breaches Away
UK companies have tripled their spendings on information security defenses in the past three years, fact that has caused reported security breaches to drop by a third. That means 300% more money spent gets you to 30% less breaches.
According to the most recent edition of the UK government-sponsored Information Security Breaches Survey, quoted by the Register, the number of companies reporting a security breach is now at roughly the same level as in 2002, after reaching a peak in 2004.
Expenditure on information security has increased from two per cent to seven per cent of the IT budget on average over the last six years. But this increase in spending is uneven with a significant minority (21 per cent) of companies spending less than one per cent of their IT budget on information security.
Nonetheless, the security landscape has improved markedly over that period with 94 per cent of wireless networks now encrypted, versus only 47 per cent in 2002. More than half (55 per cent) of UK companies have a documented security policy, versus 27 per cent in 2002. Two in five businesses provide ongoing security awareness training to staff – twice as many as six years ago.
IBM Thinks the Securiy Business is Dead
At the RSA Conference 2008 taking place in San Francisco, IBM stated they are going to leave the security business to start providing sustainable solutions instead. This declaration has been given by Val Rahamani, general manager of IBM ISS and of security and privacy for IBM Global Technology Services and then quoted by Dark Reading:
The security industry is flying by the seat of its pants,” Rahamani said. “Security infrastructure has been dictated by the bad guys… as new threats arise, we put new products in place. This is an arms race we cannot win.”
So, how does IBM define the creation of sustainable business?
Business sustainability is all about building security into systems and processes, she said. “If we really want to get ahead of the threat, we need to start thinking about re-engineering our businesses and processes. We need to make them more secure and compliant by design, and we need to move more security and compliance technologies into the fabric of our standard infrastructure and application environments.”
“It’s time to give up on the fantasy that education and antivirus will cure consumer security woes. It is not up to consumers to protect themselves. It is not their problem. It is our problem, because online commerce is not sustainable if it is not inherently secure. And the only way to make it inherently secure is to take ownership of the security problem.”
Fighting Trojans, worms, insider attacks, and outsider attacks one by one is futile, she said.
Interesting approach indeed! However, I can’t help noticing how the security industry is limited to antivirus applications (antispam solutions are not even mentioned). In a technological world where most security solutions are moving towards standard compliance, where niche security fields, such as endpoint security, stress the need to manage threats and benefit from advantages instead of blocking threats and benefits alike, the IBM position seems to come a bit late. IT security is definitely more than trying to keep viruses away, maybe someone should tell IBM about it.
Security - Necessary Evil for Businesses
Discussions taking place at the RSA 2008 Conference held in San Francisco point out that security concerns are more and more of a drag on business innovations. According to RSA president Art Coviello, quoted by Dark Reading, this results in holding back companies’ creative thinking.
Coviello backed his opinion with statistics from research conducted by IDG and commissioned by RSA:
“More than 80 percent of IT, security, and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns,” he told the RSA audience in a keynote address Tuesday morning.”
Security policies place quite a significant pressure on users who are always told one click can lead to disaster and are always faced with cryptic dialogs boxes that aren’t at all helpful.
Worse, in most organizations security is viewed at best as a necessary evil, due to IT’s primary focus on trying to constrain behavior and prevent some desktop mishap, “Although well-intentioned, the inevitable result is that security practitioners are not viewed as enablers but people preventing the business from doing what it needs to do,” said Bill Boni, corporate vice president of information security and protection for Motorola, and one of the IDG survey respondents quoted by the RSA exec.
After identifying the negative effects of security on business innovation, Coviello also came with a solution. The best way to address downsides is a change in security mentality, a switch from saying “no” to potentially harmful actions to showing how they should be safely performed.
“The next time a new idea comes up, don’t start by saying it isn’t secure — start by evaluating exposures, the probability of the exposures being exploited, and the materiality of the consequences. Then put forth a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk.”
This situation fully applies to Endpoint Security. There’s been a lot of buzz on how portable storage devices, such as USB sticks, smart phones and iPods can cause the ugliest virus infections, how they enable data theft and how loosing one with sensitive data can endanger the identities of millions. This leads to restrictive measures such as cutting all access to these devices. The negative result is less mobility of employees, less space for them to work and innovate, less effectiveness on their side.
The actual response to ongoing threats is learning how to handle portable storage devices safely, so as to benefit from all their advantages without overlooking their embedded threats.
Gains from Online Fraud Aim for the Sky
According to the latest data released by the FBI’s Internet Crime Complaint Center, damages caused by online fraud have significantly increased, going up by 20 percent.
The report cited by SecurityFocus shows that, while the number of complaints has been a little lower, the reported damage originated from online fraud grew from $198 million in 2006 to $239 million in 2007. FBI’s IC3 online portal where cybercrime complaints are received processed a little under 207,000 such reports last year, just a few less than in 2006. The criminal activity is in no way discriminatory, affecting victims aged from 10 to 100 years old.
“The Internet presents a wealth of opportunity for would-be criminals to prey on unsuspecting victims, and this report shows how extensive these types of crime have become,” James E. Finch, assistant director of the FBI’s Cyber Division, said in a statement. “What this report does not show is how often this type of activity goes unreported.”
While the media reports often on the crime of identity theft, the largest number of people, more than a third, complain about online auction fraud, the IC3 report stated. Other online crimes, such as industrial espionage by other nation states, largely go unreported. Earlier this month, the Council of Europe requested that Internet service providers help battle cybercrime by sharing information about their users.
Employees Are Great at Circumventing IT Security Policies
According to a survey conducted by Palo Alto Networks and quoted by DarkReading, employees in most enterprises are constantly circumventing corporate security policies by deploying unauthorized applications, including video viewers, streaming audio, P2P, and Google applications.
Palo Alto Networks used data from 20 different enterprises, gathered during vulnerability assessments, to reach the study results.
Employees are using a broad variety of tactics for circumventing IT policies on network usage, Palo Alto found. For example, approximately 80 percent of the enterprises are supporting proxy applications, such as KProxy or CGI proxies, which mask the user’s identity and surfing habits from IT monitoring tools.
“There’s no business reason for using proxies in the enterprise, other than to hide your activity from IT,” Mullaney says. “But we see at least some use of them in most of the enterprises we [assess].”
Hannaford - An Inside Job
Recent details on the Hannaford security breach point to an inside job. It appears Hannaford employees are most likely to have planned and then infected over 300 servers of the grocery chain.
Experts said the breach should serve as a big lesson for retailers: It’s as important to limit the network access of employees and regularly monitor system activity as it is to purchase security technology to block attacks from the outside. Furthermore, it’s foolish for a company to consider itself bulletproof because they achieved PCI DSS compliance, as Hannaford’s claims it did.
“The overarching conclusion I have that keeps getting reinforced is that the low-hanging fruit is inside the company and insiders are always getting more network privileges,” said Mark MacAuley, a York, Maine-based IT security consultant who shops at Hannaford’s regularly. “I don’t see how anyone at Hannaford could get that level of access unless they were a very well-known entity.”
The Hannaford data breach has exposed over 4 million credit card accounts, thus being the second largest breach ever reported.
Thieves Planted Malware on 300 Hannaford Servers
Since it made security magazines’ headlines, the Hannaford data breach that exposed 4.2 million credit card accounts still ranks high in the news. The question on everyone’s mind is how it could all happen. According to the latest article published by The Register on the topic, the thieves behind the breach installed a sophisticated malicious software on over 300 servers in at least 6 states belonging to the Hannaford grocery chain.
What the malware did was to intercept credit card data while customers paid for purchases using plastic and then transmit the information overseas. While Hannaford has disclosed the number of servers on which the malware has been detected, they are yet to disclose how it got there. Security experts are quite puzzled by this incident, as they regard Hannaford as a legal and standard compliant company.
Security experts have been eager to figure out how thieves siphoned the data out of Hannaford Brothers Cos. network because the company is believed to have been following payment card industry (PCI) rules. If the east coast chain’s systems were vulnerable, plenty of other retailers may be open to the same attack, the experts have warned.
