2015: The Year of the Healthcare Breach

HealthcareBreachOur own Rob Juncker, V.P. of research and development for Shavlik, has predicted that Healthcare breaches will rapidly increase in 2015. Now that hackers are getting smarter about attacking endpoints to glean credit card data from retailers, they are looking for more creative ways to make money. In the hacker’s community, credit card data is worth about $1 per card, whereas protected health information (PHI) is currently worth about $10 per record and rising.

Why the discrepancy in price? Because hackers can do more nefarious activities by submitting fraudulent healthcare claims or by buying and selling drugs and medical equipment for financial gain. Credit card companies are just plain better than insurance companies at detecting and shutting down fraudulent activity. Credit card companies also have the option to change your credit card number, whereas your patient data cannot change. Medical fraud could last for years before it is detected and corrected.

Now that Mr. Juncker has made the prediction, 2015 brings us our first major health record breach with Anthem, whose brands include Anthem Blue Cross/Blue Shield and others. The potential theft could be as big as 80 million records and include names, social security numbers, birth dates, policy numbers, diagnosis codes and billing information. The overall security problem is exacerbated by outdated equipment, demands from doctors to use mobile devices, and the loss or theft of devices used by multiple health workers.

So what can healthcare and IT organizations do? The first step is to simply keep up with the latest updates and patches. Once a software vendor such as Adobe releases a patch, hackers now know there is a security hole. Shavlik is seeing an increase of vulnerabilities coming from third-party applications outside of the OS. Patching both the OS and third-party applications is critical to keeping them secure and the data safe.

Vulnerabilities exist on the end-point because they are often unpatched and neglected. IT has enough on its plate to try and keep all the software on every system up-to-date. But in the wave of the latest breaches, it becomes imperative to do so.

As we see healthcare staff requesting more mobile devices such as tablets, we will see more loss and theft of devices that will contain PHI data. Having methods to encrypt the critical data such as email and attachments will greatly decrease the risk.

As a healthcare provider, what does it mean to you? As in retail, security is more and more of an issue that needs to be addressed. Healthcare organizations are now under scrutiny to comply with HIPAA regulations. Anchorage Community Mental Health Services (ACMHS) was fined $150,000 after 2,700 health records were stolen in an attack. They were attacked simply because they were not patching software!

Beware healthcare. 2014 was the year of retail breaches. 2015 is the year of healthcare breaches!

 

 

 

Shavlik Security Advisory: Insufficient Patch Management Could Lead to Attacks From More Than Just Hackers

Two months ago, Shavlik released a security advisory alerting our customer community to the availability of off-the-shelf, exploit kits that enable less sophisticated hackers to mimic a Target-like attack.

In that advisory, Rob Juncker, Vice President of R&D for Shavlik, accurately predicted the availability of these exploit kits would lead to the following.

  • More companies will be coming forward to report breaches.
  • The scope of these breaches will go beyond retailers to impact all types of business that have valuable and private information.

Earlier this month, the game changed again, but this time the threat doesn’t come from hackers alone; it’s coming from the court room, the halls of government, and maybe even from your own employees. For the first time we are seeing companies being held legally and financially responsible for security breaches that occurred due to insufficient and/or negligent security practices.

Today, Shavlik is issuing another security advisory to draw your attention to three landmark cases that made headlines earlier this month.

 

$150K HIPAA Fine for Unpatched Software  

Anchorage Community Health Services was fined $150,000 by the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) for “failure to apply software patches [that] contributed to a 2012 malware-related breach affecting more than 2,700 individuals,” according to GovInfoSecurity.

This incident is the first where a company has been held liable by OCR for failing to patch software, and now a precedent has been set, making disciplined patch management a critical part of HIPAA compliance.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities,” OCR Director Jocelyn Samuels said to GovInfoSecurity.

 

Target Ruling Raises Stakes for Cybersecurity Vigilance 

U.S. District Court in Minnesota denied Target Corporation’s motion to have litigation dismissed that has been filed by financial institutions who suffered losses as a result of Target’s 2013 data breach.

According to Reuters, Judge Paul Magnuson found “…banks were foreseeable victims of Target’s allegedly negligent conduct.”The report went on to say, “Importantly, Judge Magnuson said that imposing a duty of care on Target ‘will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.’”

This case may set a precedent for companies to be financially liable to both consumers and financial institutions for breaches that compromise customer data.

 

Employee Data Breach the Worst Part of Sony Hack

Two employees filed a class action lawsuit against Sony for allegedly not taking adequate precautions to secure employee data.

According to an article posted on TechCrunch, “The complaint references a tech blog reporting to note that Sony was aware of the insecurity on its network and took the risk.”

It has been confirmed that employee emails, website viewing activities, credit card website credentials, and social security numbers were among the data made public as a result of the Sony breach, and now after having already lost an estimated $100 million, Sony could be in for more expense at the hands of its own employees.

 

In a month where the security stakes have never been higher for corporations, CIO Magazine reported that Most Companies Fail at Keeping Track of Patches, Sensitive Data. According to its report,

  • 12% of companies have no patch management process at all
  • 58% of companies have a patch management process that is not fully mature (e.g. may patch the OS but not third-party applications)
  • 19% of companies have no control or tracking of sensitive data at all

If you see your organization in any of these statistics, now is the time to act. Your response will not only help keep your company out of the headlines but also out of the court room.