The Health Insurance Portability And Accountability Act, or HIPAA, requires that EHRs and the data in them be guarded throughout their life cycles. Risk assessments must be performed and access privileges determined. You’ll need policies to secure all possible points of data leakage, including desktops, servers, databases, mobile devices, and the Internet.

In short, you must protect data at rest and in motion, and prepare for the inevitable breaches.

Creation And Use

When a patient walks into a provider’s office for the first time, the terminal at reception must be hardened, hosted on a trusted network, and continually scanned for viruses and malware. Receptionists should be able to add basic patient information but have limited access to executable files.

Access privileges should be assigned that strictly regulate employees’ ability to view, enter, edit, and delete data based on what they need for their jobs. For example, billing personnel don’t need to see the results of the medical tests that they’re charging patients for.

Attending physicians should use unique credentials to access the EHR application to record diagnoses. E-medical records must be signed with electronic signatures, which include PIN codes and are saved in encrypted files. Signatures verify that information has been reviewed every time a physician signs off on an EHR. They also let the medical staff sign off on records from any location, expediting processing, reducing workflow costs, and maintaining HIPAA compliance.

Source

As I was logging into Gliffy today for the first time in a few years, I noticed that there were two buttons to submit the login form with: one for a ‘basic’ login and one for a ‘secure’ login. To me, a secure login in 2010 is a basic login. The people behind Gliffy however believe that protecting your login credentials is worth at least $5/mo to you.

In a business model that offers both free and paid accounts, I feel that a company should make you pay for added features, storage, or accessibility to data that you are using their site for. I, like most people, realize that ad-based sites aren’t the preferred option. A site like Gliffy allows for many areas to make users pay for ‘more’. The number of documents you are able to store, file upload size limits, the number of users allowed to access your files. With all of these major points of wanting to upgrade, why nickel-and-dime our security?

It’s appreciated whenever a company offers free service, of any magnitude. What’s not appreciated, however, is when a company feels that they should charge you to securely give your username and a password to a form. The sharing of data networks is only continuing to grow and as-such, a vast majority of web sites (reputable ones, at least) at the very least encrypt your login credentials. Whether they encrypt all data during your session is a whole different matter, but most can agree that protecting credentials is a general necessity.

This isn’t meant to be a launch point for ‘well SSL is useless anyways’. SSL for credential logins is useful in the vast majority of situations people actually deal with every day. At this point in the Internet and networking, not allowing someone to choose to login securely with personal credentials for a reputable and fairly well-known (for the context) company, is ridiculous.

Lastly, I am not complaining that the Gliffy site doesn’t run in SSL for all content, merely that an SSL login should be provided, free of charge, to anyone using their service. This is a standard practice for most web sites and Gliffy should step-up and do the right thing for everyone’s privacy.

Reputational damage

Consider the reputational damage suffered by Radisson following its admission last fall that computers at some of its hotels in North America were breached between November 2008 and May 2009. Network World reported Radisson didn’t realize its guest data was compromised until alerted by credit card companies and processors.

In an open letter to guests posted on Radisson’s website, executive VP and COO Fredrik Korallus revealed that credit and debit card numbers, expiration dates and guest names may have been compromised, noting “the number of potentially affected hotels involved in the incident is limited.”

The latter comment hardly could have proved comforting to Radisson guests, who would not know whether they had stayed at one of those hotels and now have to shoulder the extra time and effort to check their bank and credit accounts for bogus transactions.

Wyndham’s response

The Wyndham data breach, discovered by the company in January and publicly acknowledged in late February, was particularly embarrassing and potentially more damaging to the brand’s reputation because it was the third hacking reported by the company in a 12-month period.

Unlike Radisson, which issued a news release to alert the public about the potential threat, Wyndham chose to share information with reporters in response to questions. Wyndham did post an open letter on its website along with frequently asked questions and a data breach claim form—if you can find them.

A search of Wyndham’s website by entering the search terms “open letter,” “breach,” “data breach,” “identity theft” and “payment card” in the site’s own search field failed to turn up the letter, FAQs or claim form. But I found the documents by researching online news stories, which included links to the pages.

The letter, signed by Kirsten Hotchkiss, senior VP, enterprise compliance and employment counsel, said the company believes no more than 37 Wyndham-branded hotels and resorts were involved, and “it is unlikely that identity theft will occur” because personally identifying information was “not at risk of compromise.”

Furthermore, she noted Wyndham provided each of the major credit card issuers with “card numbers that potentially could have been accessed” so that those companies “could take any appropriate action to protect their customers from possible misuse of the cards.” Wyndham also provided a toll-free number for guests to call for information.

“Never mind three strikes and you’re out,” said Paul McNamara in the 4 March issue of Computerworld. “How about three strikes and I’ve got to ask myself if I even want to be in one your hotels in the first place?”

Kelly Todd, a project manager for DataLossDB, which tracks and compiles information about data breaches, told Computerworld in that article, “Personally, I’d try my best to avoid using any business that suffered multiple breaches in a relatively short time frame.”

In a twist of irony, Wyndham neglected to encrypt its online data breach claim form. That means the information submitted by each potential data breach victim could once again be exposed to prying eyes. While the form does not request credit card numbers, it does include fields for the guest’s name, address, telephone number, e-mail address and Wyndham ByRequest number.

Barbara Hernandez expressed concern about Wyndham’s commitment to data security in a BNET travel blog posted 3 March. “Unless Wyndham requires its properties to have uniform and solid security measures, these data breaches will continue,” she said. “Perhaps it may take customers avoiding the hotel chain for Wyndham to realize the extent of the security risk.”

Source

VA includes a clause in its contracts requiring information security safeguards, including encryption and policies limiting who can access personal data. But that is no guarantee that vendors follow through, said VA senior IT and procurement officials at a hearing May 19 of the House Veterans Affair Committee subcommittee on oversight and investigations.

The challenge lies in verifying that over 22,000 VA contractors with whom the department shares veteran information adhere to security requirements, said Roger Baker, VA’s CIO. These vendors help VA provide healthcare and benefits.

“Our policy, which is stronger than any similarly sized private sector organization that I’m aware of, is that supply chain partners must follow VA’s information protection policies, including encryption of mobile devices,” he said.

The hearing occurred in the aftermath of the April 22 theft in Texas of a laptop with the personal information of 644 veterans from the vehicle of an employee of a health services contractor.

VA subsequently notified the affected veterans and is providing them with precautionary credit monitoring services. The contractor reported the incident immediately to law enforcement and to the agency and disabled the user account and server access from the stolen laptop, Baker said.

“The information was not encrypted despite contracts with the company that included the required security clause and the company had certified to the VA that they were in compliance,” he said.

The incident compelled VA to starting auditing its supply chain partners to ensure compliance with its policies.

“While it is impossible to audit all of our partners, these steps should provide us with substantially improved insight into the level of protection provided to veterans’ information anywhere it exists in our extended enterprise,” Baker said.

Among the steps, VA will verify that contracts where information is exchanged have the necessary information security clause, he said. Baker also expanded the authority of information security officers at VA facilities to review all contracts where information is exchanged. Previously their scope was limited to IT contracts.

VA will also randomly select a number of contracts at a facility for more in-depth audits of vendors’ compliance with VA security policies.
To ensure that the contractor that reported the Texas data breach is beefing up security safeguards, VA said it will conduct an onsite assessment of the contractor’s facility and its scope of compliance with all IT information and physical security and records management requirements.

VA is also examining security related to the vendor’s 55 other contracts with the Veterans Health Administration and will ultimately work with the department’s legal counsel to determine any consequences.

At the same time, Baker said VA has to encourage vendors and others to report breaches, “because we can’t mitigate the issue unless we know about it.”

VA has required the security clause in contracts after November 2008 and last year reviewed contracts to make sure they contained the clause. Out of more than 22,000 contracts reviewed, vendors in 578 contracts refused or did not believe that their services required adhering t0 the clause, said Frederick Downs Jr., chief procurement and clinical logistics officer in the Veterans Health Administration.

“The 578 contracts were critical to our medical centers’ ability to provide patient care,” he said. The contracts were for direct healthcare services for nursing homes, hospices and physicians or to support maintenance for MRIs and CT scans.

“We had to weigh that because the risk of not having the contracts was high,” Downs said, adding that VA has since clarified guidance for when the information security clause applies to healthcare contracts.

Rep. Steve Buyer (R-Ind.) questioned Baker about what a VA medical center should do when a contractor who delivers a radiologic service refuses to sign the information security clause.

“That is the challenge writ large across the organization with this information,” Baker said. “How do we do great medical care and protect the information at the same time?”

The primary purpose of sensitive health information is to provide specific care for veterans. “We have to protect that information from unwanted access at the same time that we provide it to any one who needs to use it,” he said.

Medical devices, which are certified by the Food and Drug Administration, add another layer of complexity to providing comprehensive information security. Some vendors who provide or support medical devices for VA cite FDA authority in refusing the VA security clause.

“We have to be careful from an IT perspective how we interact with the medical technology,” Baker said. For example, VA can’t apply patches to medical technology because it could have unknown effects on, say, an MRI machine.

It’s an issue that “VA today is tackling in advance of the rest of the country,” he said

Source

An insider told the New York Times that the Gaia program was attacked in a lightning raid taking less than two days last December. It claimed that this was only mentioned once at a technical conference four years ago, and the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

The report claimed that intruders did not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions.

Google executives declined on Monday to comment about the new details of the case, saying they had dealt with the security issues raised by the theft of the company’s intellectual property in their initial statement in January.

They also privately said that the company had been far more transparent about the intrusions than any of the more than two dozen other companies that were compromised, the vast majority of which have not acknowledged the attacks.

Google is continuing to use the Gaia system, now known as Single Sign-On. Hours after announcing the intrusions, Google said it would activate a new layer of encryption for the Gmail service. The company also tightened the security of its data centres and further secured the communications links between its services and the computers of its users.

David Harley, director of malware intelligence at ESET, said: “So I certainly wouldn’t assume any connection between the alleged Chinese breach disclosed in January and recent reports of compromised Gmail accounts, but I wouldn’t discount the possibility either. After all, many of the respondents to the thread flagged by Aleksandr Matrosov were adamant that they hadn’t fallen prey to a phishing attack, and earlier reports did suggest attempts to access the accounts of Chinese human rights activists.

“The point of a single sign-on is to access a range of services: the problem with a single sign-on is that if it’s compromised, it becomes a single point of failure. Of course, it’s a long stretch from confidentiality attacks on Chinese dissidents to a South Korean spam server: I can’t help but wonder, though, what interesting weaknesses the original attackers may have found, and how widely the information on those issues may have been disseminated subsequently.”

Source

You can’t trust Internet email with potentially compromising information, such as your credit card or account numbers, social security numbers, or important passwords. As your message moves from one server to another, several people have the opportunity to read it.

o what should you do when you have to get sensitive information to someone, and snailmail just isn’t fast enough? I’ll give you several solutions.

Whatever option you pick, see What Is the Best Way to Create Strong Passwords? And if you have to share the password with the recipient, use the phone–just to be safe.

Public/Private Key Encryption: This elegant solution is supported by several programs, including Outlook 2007. The public key can encrypt but not decrypt, so you can safely share it with anyone. You keep the private key, which does the decrypting, to yourself.

Unfortunately, both the sender and the recipient must set up this type of encryption, and it’s not easy for the less technically inclined. That makes this a good choice in a business environment where everyone has an IT department, but not for occasional, personal communication.

Password-Protected .Zip Files: Depending on what software you use to create compressed .zip archives, you may or may not have an option to password-protect the files inside it. And that option may or may not support high-quality AES encryption.

And don’t go this route if it doesn’t support AES. The .zip format’s standard password protection is easy to hack.

Luckily, many third-party .zip programs support AES encryption, and they’re compatible with each other. These include industry leader WinZip, and the free, open-source 7-Zip. Whatever program you use, make sure you pick the AES option when you compress and encrypt your files.

Unfortunately, Windows’ built-in .zip tool doesn’t support AES, so you can’t simply assume that your recipient will be able to open your archive. If they don’t have a compression program that supports AES .zips, don’t want to install one, or don’t know what you’re talking about, this isn’t your option.

Secure Message and File-Sending Services: You don’t have to actually email your private information. You can upload it to a secure web site, and let the recipient download.

I’m recommending one service in particular: Send. (the period is part of the company name). It’s free, and you don’t even have to share your password with the recipient. Each person has their own private password.

When you post a message on Send., the site emails a notice to the recipient, who will need their own free Send. account to access your message.

There’s a slight chance that a criminal will intercept that first email and create the account before the legitimate recipient does. To avoid this, send an initial message with nothing confidential in it. That way, the recipient will be safely signed up, with their own, hopefully strong password, before you send them something important.

Source

Information that was previously available to a restricted number of researchers is now digital and accessible to many, making the issue of patient privacy prominent in discussions regarding the handling of these records.

Electronic medical records consist of very detailed patient data, where every disease, symptom or injury has its own code, which makes analysis easier and faster. But, the problem is that these codes are available through public databases and electronic medical records, and with this knowledge, this anonymized data can be still tied to the persons to whom it belongs.

To prove that this is a realistic problem, a research team form the Vanderbilt University in Nashville has conducted an experiment which resulted in 96 percent of the 2,762 patients belonging to the test group identified through diagnosis codes.

Scientific American reports that – as a solution to this problem – they introduced an algorithm that generalizes clinical information, but doesn’t interfere with the medical and genetic inter-data connections needed for research. The algorithm exchanges the publicly known ICD codes with an other code system.

They tested it by simulating a hacker attack, with the premise that the hacker is privy to the patients’ identity, their ICD codes and the fact that the patients’ data is included in the database. The test was completely successful – the hacker couldn’t uncover the patient’s private information, and the information remained useful for research.

Source

Update 2: A quick fix if you can’t change your database password. Set the WP_SITEURL inside your wp-config. It will override the change in the database. Just add this line inside your file:
define(‘WP_SITEURL’, ‘yoursite.com’);

Update 3: If you are seeing attacks from a different domain, please let us know. If you need help, send us an email and we will try to help asap (use contact@sucuri.net ).

Yesterday we reported of a mass infection of WordPress blogs that were hosted at Network Solutions.

First of all, I must say that the response from Network Solutions was very good. They were active on the forums, responding to users via Twitter and really trying to find and fix the problem. They even send me an email just after my first post went live to get more information and share notes. That’s what I like to see from a hosting company.

Anyway, we discussed via the phone yesterday and after a long analysis they have nailed the cause of the problem. This is what happened:
WordPress stores the database credentials in plain-text at the wp-config.php file.

This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).

A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.

This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials

Yes, he again (the bad guy) launches an attack and modify the database for all these blogs. Now the siteurl for all of them just became networkads.net/grep. Easy hack.

So, at the end anyone can be blamed. At WordPress for requiring that the database credentials be stored in clear-text. At WordPress again for not installing itself securely by default. At the users for not securing their blogs. At Network Solutions for allowing this to happen.

I also have to agree with Network Solutions that this problem can happen at any shared host site. Not only for WordPress, but for any CMS out there that store the passwords in clear-text. For anyone affected with this problem (or anyone at a shared server), change your database credentials ASAP and make sure your configuration file is not readable by everyone else.

*To change the permissions via FTP, just run chmod 750 wp-config.php inside your blog directory.

Source

EINSTEIN 3, will draw on commercial technology and specialized government technology to conduct real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these executive branch networks. The goal of EINSTEIN 3 is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response.

The pilot will use combinations of early versions of Einstein plus new intrusion prevention technologies, as well as technologies developed by the NSA. The pilot will demonstrate the viability of a commercial ISP and a government agency for the US-CERT to apply intrusion detection and prevention technology on that traffic.

Some of the threats the system aims to identify and possibly block are phishing attacks, IP spoofing, botnets, denials of service, distributed denials of service, man-in-the-middle attacks, and other types of malware.

The system will also help support more security data sharing:

The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with federal departments and agencies by giving DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by DHS, to send alerts that do not contain the content of communications to the NSA so that DHS efforts may be supported by NSA exercising its lawfully authorized missions.

Such deep analysts of network traffic by the government will certainly raise privacy concerns. Last summer, the Center for Democracy and Technology (CDT) issued a report that called on the government to release information about the role the NSA will have in building and running Einstein 3. The PIA on Einstein 3 may not answer all of the CDT’s questions on privacy, but it’s the most detailed information on Einstein 3 I’ve yet to be able to find.

Source

A 22-year-old Korean man named Kim is under arrest for purchasing lists of Koreans’ personal information, such as cell phone numbers and e-mail addresses, which had been hacked in China. After spending 1 million won ($880) for 31 million items of data since July of last year, Kim posted an Internet ad and sold off 10 million such items.

A 27-year-old man Lee, who runs a branch for an Internet service provider, was one of the buyers. He spent 3 million won for 140,000 phone numbers for his branch’s telemarketing scheme.

The Seoul Metropolitan Police Agency took in Kim and Lee without physical detention, and also detained the owners of the companies that failed to protect their customer information from computer hackers.

Last September, a used-car trading Web site and the Internet home page for a car navigation manufacturer were victims of Chinese hackers who stole names and residential registration numbers of 910,000 online members. Hackers can use the stolen registration numbers to become members of certain Web sites that send spam messages, or sell the numbers to other hackers.

Seoul police charged a 32-year-old named Kim, the owner of the used-car site, and a 45-year-old named Lee, who runs the navigation maker, for negligence in protecting their customers’ information.

The law demands that companies protect their online customers’ information, and violations are punishable by a maximum of two years in prison or a 10 million won fine.

“This is the first case in which we applied this particular clause since it became effective in September 2008,” a police officer explained. “Protecting personal information is a legal obligation, not merely a recommendation. We will continue to charge companies that leave their customer information vulnerable to hacking.”

According to police, Chinese hackers have been targeting Web sites of Korean department stores and other frequently visited sites. The hackers offer the Korean information for sale on the Internet.

Source