50,000 Medicaid providers’ data breached

On March 8, 2013, a contractor working for North Carolina’s Department of Health and Human Services (HHS) billing department stored unencrypted data of 50,000 Medicaid providers on a thumb drive that was to be transferred between facilities.  However, the drive was lost along with the data it contained which includes names, social security numbers, dates of birth and addresses of the 50,000 providers.

In last week’s article, Data breach threats of 2013, we cited breaches by third parties as one of the three highest rated threats in the Deloitte survey of technology, media and telecommunications companies, and here is a perfect example of a third party data breach.  As mentioned last week, organizations can conduct vendor risk management to reduce this threat.  The vendor risk management process begins by evaluating the security of third parties that work with sensitive data, then controlling what data they have access to and conducting periodic audits to ensure that they maintain the same security standing.

Unfortunately, the North Carolina HHS assumed that its contractor, Computer Sciences Corporation (CSC), was taking adequate security precautions.  HHS Secretary Aldona Wos said, “We expect our vendors to maintain the security of information.”  However, N.C. HHS is only now requesting validation of these assumptions.  Wos stated: “I have instructed CSC that North Carolina expects an independent third-party assessment to assure CSC’s adherence to required security standards.”

Data breach threats of 2013

A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media, and Telecommunications (TMT) companies suffered a data breach.  88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking.  Rather, the three highest threats were:

  1. Employee errors and omissions
  2. Denial of service (DoS) attacks
  3. Security breaches by third parties

Employee errors and omissions

Awareness is a critical factor here, and Deloitte lists it as one of the top three security initiatives of 2013.  70% of TMT companies responded in the survey that employee mistakes were an average or high vulnerability.  The risks, as stated by Deloitte, include “talking about work, responding to phishing emails, letting unauthorized people inside the organization, or even selling intellectual property to other companies.”  To counter this, companies are conducting awareness training, often through security firms with experience in the area, and creating materials that employees will see on a regular basis to remind them of their responsibility to protect the data they work with.

Denial of service (DoS) attacks

Denial of Service (DoS) attacks were also rated a high threat.  DoS attacks overload targeted information systems, making them slow to respond to requests or taking them down entirely.  Given the relative ease of conducting a DoS and the criticality of information systems to today’s businesses, it is no wonder that DoS makes the list.  These attacks are often triggered by saying something that irks a hacker group or by opposing a hacker group or its interests.  Organizations can protect themselves by monitoring the messages they send, especially through social networking, and by working out an incident response plan for handling a DoS attack that covers the public relations factors in addition to the technical ones.

Security breaches by third parties

Breaches by third parties are at the top of the list partly because the average company deals with so many third parties in the course of doing business.  In fact, 79% of respondents said the sheer number of third parties they deal with would be an average or high threat.  With so many third parties, it is difficult to determine whether each has a sufficient level of security to adequately protect the data it works with and, as we all know, security is only as effective as the weakest link.  Organizations have responded by more thoroughly screening third parties and assigning them a risk rating for the type of data they will be working with, through a process called vendor risk management.  The third party then needs to demonstrate security that is in line with its risk rating.  This process is required by regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

The threat landscape of 2013 continues to grow, and companies are tasked with more responsibility to protect the data they work with.  As can be seen from Deloitte’s survey, security awareness, denial of service and third party breaches are three major concerns for companies in 2013.  To protect themselves, businesses can conduct security awareness training, create incident response plans, and screen third parties who work with sensitive data.

U.S. Department of Energy suffers data breach

Two weeks ago hackers took control of 14 servers and 20 workstations at the U.S. Department of Energy (DOE), obtaining personal information including names, social security numbers, driver’s license numbers, pictures, fingerprint and handwriting samples, dates of birth and family information for hundreds of DOE employees.  The hackers did not gain access to classified information which investigators believe was the target of the attack.

Until yesterday, the hacker group Anonymous was viewed as a potential perpetrator, since one of its factions, Parastoo, claimed responsibility on Pastebin.  However, the posted information was dated, and investigators believe Parastoo is not responsible for the attack.  According to an article published on February 4 in the Washington Free Beacon, unnamed government officials confirmed that the assault involved a foreign nation state.  This nation-state is most likely China, based on repeated attempts by Chinese hackers to gain access to DOE information and the value such information has to Chinese efforts.  If so, this employee information will probably be used to launch further attacks and to gain the confidence of DOE employees with access to sensitive information.

The DOE and FBI are still investigating the incident, but speculation abounds as to how the attack on their systems took place, including weak server security configurations, inadequate user training, and an over-reliance on outdated methods.  The security of DOE systems has certainly been called into question, and some suggest that government agencies such as the DOE should rely more on the help of industry experts and security firms.

HIPAA Omnibus increases data breach response requirements

The Department of Health and Human Services (HHS) released the HIPAA Omnibus rule on January 17, 2013, designed to give patients additional rights to their health information and to increase penalties for organizations that fail to protect Personal Health Information (PHI).  The rule went into effect on March 26, 2013, and it includes some changes to data breach response requirements.

HIPAA required covered entities to conduct a risk assessment when a data breach occurs.  The risk assessment would determine whether the breach impacted an individual enough to require notification.  If the risk assessment determined that the risk was low, then the covered entity did not need to notify the individuals or the Office for Civil Rights (OCR).  According to HITECH Answers, the HIPAA Omnibus rule now requires that covered entities retain documentation of the risk assessment performed, which could be provided to the OCR if their decision not to notify is called into question; in other words, there is now a burden of proof.  If the OCR finds that the covered entity did not meet the burden of proof, it may find the covered entity negligent and fine it accordingly or require it to perform corrective action.  The rule also adds new requirements for determining the harm to the individual.

Also relevant to HIPAA data breaches is the revised language that broadens the definition of business associates to include more downstream providers who touch PHI.  This increases the number of companies that will need to adhere to the HIPAA requirements.  These companies will need to become compliant before the rule takes effect, but many may not even be aware that they will soon be subject to HIPAA.

Canadian Hack Back

Back in November, I blogged about the hack back initiative here in the United States.  Well, similar debates are taking place in Canada.  In January of 2012, Public Safety Canada commissioned a report on hacking, specifically hacking related to online protesting and activism, known as hacktivism.  The report recommended several exemptions to existing legislation to allow researchers, investigators, and even journalists to hack into other computers.  Some of the hack back recommendations included allowing security researchers to attack and reverse engineer software in order to determine security concerns (Montreal Gazette), allowing investigators to take additional actions in investigating attacks such as data breaches and malware, and allowing reporters to break into private computers to obtain information in the interest of public welfare (Postmedia).

Over the past year, a discussion has taken place between Public Safety Canada and the minister’s office on this subject, resulting in a decision by Public Safety Canada on January 16, 2013, to reject the recommendations.  This is by no means a complete loss for those supporting hack back, since such large scale initiatives often take years to implement.  Alana Maurushat, the author of the report, wrote, “no surprise that there is no inclination to take up recommendations…these things often take decades of slow changes.”  The past year of discussion will increase awareness of the hack back initiative, and we will most likely see other proposals in the future that address the shortfalls of this proposal, which Public Safety Canada has not spelled out.

Small healthcare data breaches can result in significant fines

On January 2, 2013, the Department of Health and Human Services (HHS) fined the Hospice of North Idaho $50,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA).  The primary violation was the loss of an unencrypted laptop containing Personal Health Information (PHI) for 441 patients, but the penalty also covered non-compliance areas such as the hospice’s failure to perform a risk analysis and the lack of mobile device security policies and procedures.  This is the first HIPAA fine issued for a breach of PHI affecting fewer than 500 patients.

HHS Office for Civil Rights Director Leon Rodriguez made it clear in his statement on the breach that HHS will hold businesses responsible for protecting PHI irrespective of their size: “This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

This comes as shocking news to some who assumed that HHS would not take action on smaller breaches, which make up the majority of healthcare breaches.  According to the December 2012 U.S. Healthcare Data Breach Trends report, only 500 breaches involving more than 500 patients have been reported to HHS over the last three years, but the same period has seen 57,000 breaches involving fewer than 500 patients.  These businesses should be prepared not only for the cost of notification, lost customers, breach response, and remediation, but also for HHS fines in the years ahead.

Dexter malware threatens data breaches on point of sale equipment

Security researchers have identified a new malware called Dexter that specifically targets Point of Sale (POS) systems such as cash registers and scanning stations to obtain credit card numbers.  As of December 12, 2012, Dexter had infected systems in 40 different countries with the majority of infected systems residing in North America and the United Kingdom.  The malware infected machines a few months ago, just in time to steal data from many of the holiday shoppers.

Dexter steals credit card data by recording files downloaded to the POS device and by retrieving information from memory.  More specifically, it looks for Track 1 or Track 2 data, which is read by most POS devices and contains the account holder name, account number and security code for a credit card.  The malware stores the data and sends it in batches every five minutes to the malware operator, who can then use it to make false purchases or clone credit cards.

Malware researchers are still trying to determine how Dexter is infecting POS systems, but POS owners are not defenseless.  They can protect themselves from the malware by using devices that encrypt the credit card data from the point at which the card is swiped through the processing stage, in what is known as Point-to-Point Encryption (P2PE).  P2PE encrypts the data before it is placed in memory, and Dexter is currently unable to decrypt that data, so P2PE effectively stops Dexter from harvesting credit card numbers on the POS device.
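The two paragraphs above describe what a memory scraper looks for (Track 1/Track 2 records) and why P2PE defeats it (only ciphertext ever reaches application memory).  The following is an added example, not code from the original post nor from Dexter or any POS vendor: a defender's check that scans a captured process-memory buffer for Luhn-valid track records, run once against a constructed buffer holding plaintext swipes and once against the same buffer with the swipes encrypted at the read head.  The memory images, the industry test card numbers and the `p2pe_encrypt` routine are all constructed here; `p2pe_encrypt` is only a stand-in for the reader's hardware encryption (real P2PE uses AES keys managed inside the terminal, typically with DUKPT), and the scanner reports only the last four digits of anything it finds.

```python
"""
Added example: verify that plaintext magnetic-stripe track data is absent
from POS memory once P2PE is in place.

Assumptions (constructed for this example, not from the original post):
  * the "memory image" is a bytes buffer built below;
  * the PANs are well-known industry test numbers, not real cards;
  * p2pe_encrypt() stands in for the reader's hardware encryption and is
    NOT a production cipher; it only shows that encrypt-at-capture leaves
    nothing for a memory scraper to harvest.
"""
import hashlib
import hmac
import re
import secrets

# Track 2 as written on the stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")
# Track 1, format B: %B<PAN>^<NAME>^YYMM<service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})\d{3}[^?]*\?"
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check; rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(buf: bytes) -> list:
    """Return every Luhn-valid Track 1/2 record in a memory buffer.

    An operator runs this against a terminal's process memory to confirm
    that P2PE is working: on a reader that encrypts at the swipe it should
    return an empty list.  Only the last four PAN digits are reported.
    """
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if luhn_valid(pan):
                hits.append({"track": track, "pan_last4": pan[-4:], "offset": m.start()})
    return hits


def p2pe_encrypt(swipe: bytes, key: bytes) -> bytes:
    """Stand-in for encryption inside the card reader (assumption, see above).

    XORs the swipe with an HMAC-SHA256 keystream under a fresh nonce and
    returns nonce || ciphertext.  Illustrative only; real P2PE readers use
    AES with keys that never leave the tamper-resistant module.
    """
    nonce = secrets.token_bytes(16)
    stream, counter = b"", 0
    while len(stream) < len(swipe):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return nonce + bytes(a ^ b for a, b in zip(swipe, stream))


# Constructed swipes (Track 1 followed by Track 2) using industry test PANs.
SWIPES = [
    b"%B4111111111111111^DOE/JANE^25121010000000000?;4111111111111111=25121010000000000?",
    b"%B5555555555554444^ROE/RICHARD^26061010000000000?;5555555555554444=26061010000000000?",
]
# Numeric noise with a bad Luhn digit: a scanner without the check would flag it.
DECOY = b";4111111111111112=25121010000000000?"


def pos_memory_without_p2pe() -> bytes:
    """Plaintext swipes sitting in application memory, as on an unprotected terminal."""
    body = b"".join(s + b"\x00" * 32 for s in SWIPES)
    return b"\x00" * 64 + body + DECOY + b"\x00POSAPP LOG 2012-12-12\x00"


def pos_memory_with_p2pe(key: bytes) -> bytes:
    """Same layout, but the reader encrypted each swipe before the app saw it."""
    body = b"".join(p2pe_encrypt(s, key) + b"\x00" * 32 for s in SWIPES)
    return b"\x00" * 64 + body + DECOY + b"\x00POSAPP LOG 2012-12-12\x00"


if __name__ == "__main__":
    reader_key = secrets.token_bytes(32)   # constructed; lives in the reader in real P2PE
    print("without P2PE:", find_track_data(pos_memory_without_p2pe()))
    print("with P2PE:   ", find_track_data(pos_memory_with_p2pe(reader_key)))
```

Running the script lists four records (Track 1 and Track 2 for each test card, masked to the last four digits) for the unprotected buffer and none for the P2PE buffer; the Luhn-invalid decoy is dropped in both cases, which is what keeps such a scan from drowning in false positives on a real memory image.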