Sunday, February 08, 2015

This Really Seems To Be A Global Warning About Health System Security. Everyone Needs To Do Better!

This appeared a few days ago.

Health Insurer Anthem Didn’t Encrypt Data in Theft

Companies Aren’t Required by Law to Scramble Records, and Often Don’t

By Danny Yadron and Melinda Beck
Anthem Inc. stored the Social Security numbers of 80 million customers without encrypting them, the result of what a person familiar with the matter described as a difficult balancing act between protecting the information and making it useful.
Scrambling the data, which included addresses and phone numbers, could have made it less valuable to hackers or harder to access in bulk. It also would have made it harder for Anthem employees to track health care trends or share data with states and health providers, that person said.
The risks became clear last week, when Anthem discovered that hackers had broken into the database and made off with information on tens of millions of consumers, likely making it the largest computer breach disclosed by a health-care company.
Because the data wasn’t encrypted, it would be easily readable by hackers. The company believes a hacker group used a stolen employee password to access the database.
That storage decision has made the country’s second-largest health insurer the latest poster child for a continuing debate in executive suites: Is turning a corporate network into an electronic Fort Knox worth the potential cost?
Companies can employ random pass codes, limit access from outside the office or use complex math to scramble data. But those things slow companies down, sometimes to a degree they find unacceptable.
There is no evidence yet that identity thieves are using the data stolen from Anthem, it said. On Thursday, investigators began to focus on links to a group in China. Although the investigation remains in its early stages, the Anthem hack relied on malware and tools that have been used almost exclusively by Chinese cyberspies, investigators said.
More here:
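The trade-off the article describes (scrambled data is harder to steal in bulk, but also harder for staff to count, trend and share) is usually resolved with field-level encryption plus a keyed blind index rather than by leaving the column in the clear. The example below is added here to show that pattern; it is not Anthem's code and is not drawn from either article. It assumes a hypothetical application-tier `Vault` holding two keys that never reach the database: an AES-256-GCM key for the stored ciphertext and a separate HMAC-SHA256 key for a deterministic index that bulk queries can group and join on. The SSNs in `main` are constructed sample values, not real ones.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault holds the keys for the two stored SSN columns. The keys live in the
// application tier (ideally an HSM or KMS), never in the database itself.
type Vault struct {
	macKey []byte      // HMAC key for the blind index
	g      cipher.AEAD // AES-256-GCM for the ciphertext column
}

func NewVault(encKey, macKey []byte) (*Vault, error) {
	if len(encKey) != 32 || len(macKey) != 32 || hmac.Equal(encKey, macKey) {
		return nil, errors.New("vault: need two distinct 32-byte keys")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{macKey: macKey, g: g}, nil
}

// normalizeSSN strips separators so "123-45-6789" and "123456789" index identically.
func normalizeSSN(ssn string) (string, error) {
	s := strings.NewReplacer("-", "", " ", "").Replace(ssn)
	if len(s) != 9 || strings.Trim(s, "0123456789") != "" {
		return "", fmt.Errorf("ssn: expected 9 digits, got %q", ssn)
	}
	return s, nil
}

// BlindIndex is a keyed, deterministic token: equal SSNs give equal tokens, so
// duplicate checks and joins still work, but without macKey the 10^9-value SSN
// space cannot be brute-forced against a stolen table.
func (v *Vault) BlindIndex(ssn string) (string, error) {
	s, err := normalizeSSN(ssn)
	if err != nil {
		return "", err
	}
	m := hmac.New(sha256.New, v.macKey)
	m.Write([]byte(s))
	return hex.EncodeToString(m.Sum(nil)), nil
}

// Encrypt seals the SSN under a fresh random nonce (nonce||ciphertext||tag),
// so two rows with the same SSN get different ciphertexts.
func (v *Vault) Encrypt(ssn string) ([]byte, error) {
	s, err := normalizeSSN(ssn)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, v.g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.g.Seal(nonce, nonce, []byte(s), nil), nil
}

// Decrypt fails closed if the stored bytes were altered or the key is wrong (GCM tag check).
func (v *Vault) Decrypt(ct []byte) (string, error) {
	n := v.g.NonceSize()
	if len(ct) < n+v.g.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.g.Open(nil, ct[:n], ct[n:], nil)
	return string(pt), err
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(macKey)
	v, err := NewVault(encKey, macKey)
	if err != nil {
		panic(err)
	}
	// Constructed sample SSNs, not real people: the same number written two ways.
	idxA, _ := v.BlindIndex("123-45-6789")
	idxB, _ := v.BlindIndex("123456789")
	ct, _ := v.Encrypt("123-45-6789")
	fmt.Println("same blind index for bulk counts/joins:", idxA == idxB)
	fmt.Println("plaintext visible in stored bytes:", strings.Contains(string(ct), "123456789"))
	pt, _ := v.Decrypt(ct)
	fmt.Println("application tier still reads it:", pt)
}
```

Two caveats a practitioner would check. First, the index is deterministic by design, which is what keeps analytics working, but it also reveals which rows share an SSN; that is acceptable for a high-entropy field, not for something like a date of birth. Second, the scenario in the article is a stolen database credential: with this layout that credential yields only tokens and ciphertext, but an attacker who instead steals a credential for the application path that calls `Decrypt` is back to plaintext, so bulk decryption needs its own rate limits, auditing and separation of duties rather than being treated as solved by encryption alone.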
There is roll up coverage here:

Details emerge in Anthem hack

February 6, 2015 | By Katie Dvorak
The healthcare industry, which lags behind others when it comes to cybersecurity, now faces what is shaping up to be the largest breach of healthcare data in history. 
Hackers broke into health insurer Anthem's database, obtaining the personal information of about 80 million consumers, including names, birth dates, addresses, email addresses, employment information and Social Security/member identification numbers.
Members' Social Security numbers were not encrypted, according to a Wall Street Journal article that cites an anonymous source familiar with the breach. Encrypting the information would have made it more difficult for hackers to access and sell, according to the article. 
The company believes a hacker group used a stolen employee password to access the database, the article said.
Who's behind the attack?
The perpetrators are not yet known, although an FBI-led investigation is underway. There's speculation that a Chinese state-sponsored hacker group might be behind the breach, according to a Bloomberg article, which also cites anonymous sources.
"The attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group," the article said.
China has denied having anything to do with the attack, according to an article in the Bangkok Post--foreign ministry spokesman Hong Lei called the accusations "groundless."
More here:
This has to be the mother of health information breaches. It seems to have been a sophisticated attack deploying sophisticated malware. That almost a quarter of the population of the US is involved is amazing!
In Australia I am sure exactly the same vulnerabilities exist, in the health sector and elsewhere, along with a legion of other possible risks.
What is vital here is that companies and services that hold identifiable personal data need to have properly developed plans and to be continuously updating and improving what they are doing.
The potential for damage to businesses and services is very large indeed.
I suspect that the reason we have not had major leaks from Australian health entities, compared with the US, probably relates to the relative lack of value in the Australian data compared with the value that can be extracted from US patient identity details.
Before we move to giving everyone a PCEHR record - as is mooted at present - we need to be sure a top notch security plan is in place and under continuous threat review! I wonder, for example, is the PCEHR encrypted properly?
Compulsory significant breach notification (as in the US) also makes a good deal of sense to me.
