Hacking into Healthcare: Why hackers want health data and how healthcare SMBs can protect their patients

As I was reading about Cedar Sinai’s recent implementation of Bottomline’s Healthcare Data and Security Solution, I couldn’t help but to wonder – why is patient data at risk in the first place?
Clearly, we can all understand why big box shops like Target and Home Depot were hacked; credit card numbers are better than cash. Siphoning electronic funds is the digital age’s form of Bonnie and Clyde-style bank robbing. So, realistically, what could a hacker possibly stand to gain from breaching healthcare data security and gaining access to my records?
After consulting with a few colleagues in the healthcare industry, I realized there is one extraordinarily valuable piece of information that all U.S. residents have – a social security number. With that 9-digit treasure chest, individuals with more nefarious tendencies can open a line of credit under your SSN, file for a fraudulent tax refund and open financial accounts. But, that’s not all.
Medical identity threat was up 40 percent in 2013. Stolen health credentials go for about $10 each, double and sometimes triple the black market value for credit card numbers. This information can be used in hundreds of ways, but what they’re really after is your identity.
In some cases, only a few that I found, are hackers ever really interested in your maladies. Social security checks, yes, credit lines, yes… your latest blood pressure reading? Not so much. But it does happen. Mostly, though, they’re breaching healthcare data security so they can pretend to be you, convincing a bank they are you, which is much more valuable than health history.
So that’s why protecting patient data is extremely important to healthcare organizations. It isn’t just about not having the world know about your heart condition, although that certainly is one reason. It’s about what people are capable of doing once they get ahold of all the information that they need to take control of your financial credibility. Cedar Sinai’s decision to implement Bottomline puts them one step farther away from a reputation-damaging data breach.
That being said, what can smaller companies do for healthcare data security? Bottomline has a price tag that could bankrupt small specialty providers. What are the security options out there for the healthcare SMBs?
While there are many options out there, IBM has a whole arsenal of data, application and integration security options – many of which are scalable for both size and budget. Fortune 500s all the way to private locally-owned practices can benefit from a number of these solutions. These security products are packaged to meet individual organizations’ needs, ranging from identify protection to fraud prevention, from encryption to vulnerability assessment. How do you know what’s right for you? As an IBM Business Partner, TxMQ assists companies with the selection, deployment and maintenance of enterprise security options. As experts in securely integrating solutions in the cloud, we can not only help make your patient records more secure, but we can help you digitize them, as well. We’ll stay with you for as short or as long as you need us.
Photo from BrainFoodTV.com

Shellshock / Bash Bug Vulnerability Bulletins And Fixes

Today’s breaking news of the Unix “Shellshock” vulnerability reminds me instantly of the famous auror-turned-Hogwarts-professor Alastor Moody, who preaches that the fight against the dark arts demands “Constant Vigilance.” Same for cybersecurity. Constant Vigilance.
Consider: The Heartbleed issue affected potentially 500,000 machines worldwide. The new Shellshock (or “Bash Bug”) could potentially affect 500 million.
Cures for the Shellshock vulnerability, at the time of this writing, are still being sorted out. It affects Unix-based operating systems such as Linux and Mac OS X, which in some non-default configurations could allow a remote attacker to execute arbitrary code on an affected system. The weakness lies within the Bash (for Bourne-Again Shell) command prompt.
The simplicity of an attack is what scares system admins the most: The vulnerability is truly easy to exploit.
The US Computer Emergency Readiness Team (US-CERT) is tracking the issue (see Bourne Again Shell (Bash) Remote Code Execution Vulnerability.) Following is CERT’s list of vendors that are confirmed to be exposed to the vulnerability. This list is initial and is expected to grow.

US-CERT recommends the following system-specific pages for hardening and patch info:

US-CERT aldo recommends users and administrators review TA14-268AVulnerability Note VU#252743 and the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. A GNU Bash patch is also available for experienced users and administrators to implement.
Not sure where to start, or if your systems are affected? Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, [email protected].

Reduce Your Liability Exposure With A Systems Security Health Check

The Home Depot data breach isn’t going away anytime soon. News continues to pour out about the theft of credit card info from Big Orange, and the tally currently sits at 65 million credit and debit cards compromised.
Several credit unions have sued Home Depot under claims that the retailer knew ahead of time that its systems were out of date and that hackers had access to the data for months before the breach came to light – claims that of course would need to be proven in court. Customers that suffered a loss are able to recoup their losses from Home Depot, and the retailer is offering a free year of credit monitoring to affected customers.
Although the breach doesn’t seem to have hurt Home Depot’s valuation and business the way it hurt Target – maybe because Home Depot deals more in necessities whereas Target deals more in frills – the lesson is resonating throughout North America. We certainly hear the chatter in the IT industry.
The big takeaway, and the advice we give clients, is to avoid potential liability exposure by upgrading any out-of-date systems or software. Note the accusation in the lawsuit I referenced above: That Home Depot knew it was using an out-of-date system.
The truth is that all systems are vulnerable to some degree. Passwords aren’t the ultimate protection. And we do trade risk for convenience whenever we use plastic to for online or in-store purchases. But companies that take every step to protect their data are much less exposed should a problem occur.
Sometimes system servers need a new round of hardening. Sometimes fix-packs or version upgrades are mandatory. Sometimes a vulnerable machine needs to be taken out. The first step is always to scope the current state of your security and compliance, then develop a plan from there. And keep in the mind that SMBs are the most vulnerable, because a single, successful liability lawsuit could signal the end of business.
TxMQ specializes in security and security upgrades (click here for our recent Webinar). Initial consultations are free and confidential. Contact vice president Miles Roty: (716) 636-0070 x228, [email protected].
(Photo by Scott Schiller under Creative Commons license.)
 

Cyber Attack Impacts Another Large Business

Sally Beauty Supply is the latest company to have their systems breached because of a cyber attack. Confidential customer data, including credit card numbers, were stolen.
In early March, Sally Beauty representatives discovered that at least 25,000 credit card numbers were uncovered.
“Our customers remain our top priority,” Chairman, President and CEO Gary Winterhalter said in a press release.
Sally Beauty joins the list of retail organizations to be hacked within the past several months, joining Neiman Marcus and Target.
Start thinking proactively about your security and compliance before it’s too late; nobody is immune. Where are the gaps in your systems?
Find out today. Call Wendy Sanacore at TxMQ, 716-636-0070 (229) or email [email protected]
source: http://m.bizjournals.com/dallas/blog/morning_call/2014/03/sally-beauty-data-breach-is-bigger-than-earlier.html?r=full
(Photo: From screensaver by iProton.)

WNY CIO Summit: Register Today!

WNY CIO Summit – Enterprise Data Breach
When: Wednesday, February 12, 2014, 8:00 a.m.
Where: University at Buffalo – Center For Tomorrow
Register Now

How much could an enterprise data breach cost you? Are you prepared to handle the repercussions, potential lawsuits and class action suits that may be included in the fall out?
Join TxMQ selected WNY area CIO’s for a candid conversation about how how you can protect your business from an Enterprise Data Breach.
Have questions about CIO Summit: Enterprise Data Breach? Contact Tom Grimm – TxMQ, Inc

Breach Etiquette: Target's Responsibility

Just as retailers were in the throes of the holiday madhouse, Target – the second largest retailer in the US – was breached. Forbes recently posted an article outlining seven lessons that could be learned from the way Target handled the situation.
The link to the Forbes article is here – Target’s Worst PR Nightmare: 7 Lessons From Target’s Well-Meant But Flawed Crisis Response – but what do you think?
What I always find surprising in these cases in which consumer portal sites are breached/hacked is that there’s always so much talk about how to handle the consequences. But what about an explanation of what will be done to prevent this from happening again? The same issue happened last year with the PlayStation Network, when millions of credit-card numbers and customer information was exposed. Another scenario was the ObamaCare website: The site went down because it wasn’t properly architected and stress tested. We heard a lot about “why” but not a lot about the “what” is being done to prevent it from happening all over again.
Obviously, when you open your business to the world, you’re now exposed to a world of attacks. You can only do your best to prevent a hacker’s attack. However, your best must include an ongoing and robust test plan, executed by an experienced team that keeps up with the latest technologies, methods of attacks, and the ever-changing demographics of user communities and methods of access.
TxMQ has expert infrastructure architects, portal architects and load-testing expertise to help companies address these issues through cost-effective, consulting engagements.
Find out more. Email our consulting leaders in confidence, [email protected], for more information.