Archive for June, 2014

Neurodiagnostics centre notifies patients of data breach

June 29th, 2014

Colorado Neurodiagnostics of Littleton, Colo. has notified an unknown number of patients after a data breach. According to reports, a laptop containing Protected Health Information (PHI) was stolen from the office. The information compromised includes patient names, dates of birth and clinical information, but no Social Security numbers or financial data.

It was also noted that the laptop was password protected, but its encryption status was not known. The theft was reported to the Littleton Police and the federal Office for Civil Rights. Colorado Neurodiagnostics is offering affected patients identity protection services. Patients are also encouraged to closely monitor their financial accounts and, if there is any suspicious activity

According to the organization, it will install security cameras and boost security training among employees. Furthermore, to strengthen security, the organization should verify the status of the encryption software on the laptop.

Alertsec strengthens security

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using the industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

NRAD suffered PHI data breach

June 27th, 2014

NRAD Medical Associates, located in Garden City, New York, suffered a data breach due to unauthorized access to data by one of its employees. NRAD has informed around 97,000 patients who were affected by this breach. According to reports, an internal employee accessed protected health information (PHI) and patient billing data back in April 2014. The information included dates of birth, addresses, Social Security numbers, and health insurance information.

The employee, who worked as a radiologist, was able to bypass the IT security safeguards in place and access the information. NRAD said that it “immediately enhanced security measures” and doesn’t believe any of the compromised data was used maliciously. “We believe there is very low risk from this event and the data breach has been contained. We have no evidence that any customer financial or credit card information was involved,” the organization said, according to the report. NRAD did not indicate when the breach occurred or how it was discovered.

In response to the discovery, NRAD “immediately implemented enhanced security measures,” and recommended that patients contact one of the three major credit bureaus to place a fraud alert on credit reports. In the FAQ, they state that the radiologist is “no longer employed at the practice and his misconduct was reported to the appropriate authorities and government agencies for investigation.” The breach was also reported to HHS.

According to NRAD:

In terms of the scope of the breach, NRAD reports that it affects approximately 97,000 current and former patients, which they state is approximately 12% of the more than 800,000 patients they have treated over the past 20 years. It was not clear from their letter whether all 800,000 current and former patients’ information was still in their billing system (and if so, why).

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Tools for Compliance management which can boost security

June 24th, 2014

HIPAA sets out a specific set of rules for compliance management. Compliance requirements are often seen as an unnecessary burden, but if proper procedures are followed they can protect your organization from data breaches, and from everything from lawsuits to corporate espionage. The risks associated with compliance failures include financial impact or fines, data loss, lost business or even a suspension of operations.

Below is a list of compliance management tools:

  • www.glpi-project.org: A free, open source tool, GLPI offers IT and asset management capabilities. After all, a good inventory is the first step in seeing what needs to be secured.
  • www.ptatechnologies.com: A free toolset that is driven by the methodology of effectively managing operational and infosec risks in complex systems using calculative threat analysis and threat modeling.
  • www.somap.org: The ORICO Framework and Tool are two projects in one, offering risk management and the toolset to build a reference implementation of a security framework.
  • sourceforge.net/projects/assetmng: An open source IT asset management system that provides identification, valuation and risk assessments.
  • http://openfisma.org: An open source framework that is designed to reduce the complexity and automate the regulatory requirements of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).

IT managers may need to build their own solutions and integrate off-the-shelf products with other solutions. Luckily for those choosing a path of self-development, several free tools can become part of an integrated solution.


Breach count reaches to 1.3 million for Montana DPHHS

June 22nd, 2014

The Montana Department of Public Health and Human Services (DPHHS) has faced one of the largest HIPAA breaches in terms of the number of affected patients. The total count stands at 1.3 million following the hack of a DPHHS server. It is not known whether the hackers used patient data maliciously or even accessed it while on the server.

According to Montana, the server held sensitive patient demographic information, including names, addresses, dates of birth, and Social Security numbers. Some records may also have contained information regarding the DPHHS services clients applied for and/or received, such as health assessments, diagnoses, treatment, health condition, prescriptions, and insurance. The extent of the incident came to light when DPHHS hired an investigator to determine the scope of the breach.

“Out of an abundance of caution, we are notifying those whose personal information could have been on the server,” said DPHHS Director Richard Opper. “Again, we have no reports, nor do we have any evidence that anyone’s information was used in any way, or even accessed.”

Earlier, unknown computer hackers used malware to gain entry to a DPHHS server containing client and agency employee personal information. According to reports, the incident should not impact DPHHS services, as none of the information contained on the server was lost and DPHHS has a complete back-up of the information.


Rady Children’s Hospital notifies patients of data breach

June 20th, 2014

Around 14,121 patients were notified after a data breach at Rady Children’s Hospital, San Diego. The breach occurred due to human error, when patient data was sent to job applicants. According to reports, a hospital employee sent a spreadsheet to unintended recipients.

The spreadsheet contained sensitive information, including patients’ names, dates of birth, primary diagnoses, admit and discharge dates, medical record numbers, and other insurance information. No Social Security numbers or financial data were included in the files, said Ben Metcalf, a hospital media relations representative.

After the incident, the hospital hired security experts to confirm the deletion of the files from the job applicants’ computers. The security experts can also verify whether the files were shared further, to establish the extent of the breach. When Rady investigated the recent breach, it found that this type of breach had occurred before, when a mailing error exposed the data of 6,307 patients.

Rady said that it will begin using only onsite testing programs for job candidates, improve email security approval protocols and encryption methods, and better educate employees on patient privacy requirements. Rady Children’s Hospital spends a lot of time and money protecting patient privacy and information from outside hackers, but it was an error by an employee that recently exposed the information.

“Some families were upset,” said Kearns, acting president of the hospital. “But the vast majority understood that this is something that was not done purposely. This is something that was done on a human error.” Rady Children’s has notified county and state officials and will also need to report the breach to federal regulators.


New Dyre Banking Trojan

June 15th, 2014

A new banking Trojan, known as Dyre or Dyreza, was discovered by researchers at CSIS and PhishMe. The malware is designed to bypass SSL protection and steal banking credentials.

PhishMe researchers warned of this new malware, being delivered via phishing emails with the subject lines “Your FED TAX payment was Rejected” and “RE: Invoice.” The emails contain links to files on LogMeIn’s Cubby.com file storage service. “Since Dropbox has been quick to block phishing links, the attackers needed a new legitimate service,” noted PhishMe’s Ronnie Tokazowski.

The attack proceeds as follows: clicking the link in the email downloads a zip file. Opening the zip file installs the malware, which monitors all of the victim’s browser traffic, including SSL traffic, with the aim of stealing and uploading online banking login credentials.

“[Bank credentials] should be encrypted and never seen in the clear,” Tokazowski wrote. “By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality, your traffic is redirected to the attackers’ page. To successfully redirect traffic in this manner, the attackers need to be able to see the traffic prior to encryption, and in the case of browsers, this is done with a technique called browser hooking.”

Krause told Dark Reading that the malware seems to represent a new banker Trojan family, unrelated to the Zeus Trojan. “One of the biggest differences between Zeus and Dyre is how communication with the command-and-control infrastructure takes place,” he said. “With Zeus, data is usually encoded or encrypted, then passed back as raw binary data. With Dyre, the data is POSTed in the clear, making detection for enterprises with IDS capabilities very straightforward.”

But that may well change in the near future. “Since data is being posted back unencrypted, I believe this malware is only in its infancy, and we should expect more refinements from the malware author,” Krause said.
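The detection opportunity Krause describes, cleartext POSTs carrying credential-like fields to a host the browser has no business talking to, as an added example that is not from the original post or from CSIS/PhishMe: a small Python detector run over constructed HTTP request records. The sample requests, host names, paths and field names are assumptions, since the post gives no Dyre indicators; the constructed sample stands in for an IDS or proxy log.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of HTTP requests as a proxy or IDS might record them.
# None of these are real Dyre indicators; hosts, paths and bodies are made up.
SAMPLE_REQUESTS = [
    # Legitimate login: credentials travel over HTTPS to the bank itself.
    {"scheme": "https", "host": "online.examplebank.test", "method": "POST",
     "path": "/login", "body": "user=alice&pass=hunter2"},
    # The pattern Krause describes: the same credentials re-sent in the clear
    # to an unrelated host (a stand-in for a command-and-control endpoint).
    {"scheme": "http", "host": "203.0.113.7", "method": "POST",
     "path": "/gate.php", "body": "bank=examplebank&user=alice&pass=hunter2"},
    # Benign cleartext traffic that must not be flagged.
    {"scheme": "http", "host": "cdn.example.test", "method": "GET",
     "path": "/logo.png", "body": ""},
    {"scheme": "http", "host": "blog.example.test", "method": "POST",
     "path": "/comment", "body": "name=bob&text=hello"},
]

# Form field names that usually carry authentication secrets (assumed list).
CREDENTIAL_KEYS = re.compile(
    r"^(user|username|login|pass|passwd|password|pin|otp)$", re.IGNORECASE)


def credential_fields(body):
    """Return the sorted credential-like field names found in a form body."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(k for k in fields if CREDENTIAL_KEYS.match(k))


def is_cleartext_credential_post(req):
    """True when a POST goes over plain HTTP and carries credential fields."""
    return (req["method"] == "POST"
            and req["scheme"] == "http"
            and bool(credential_fields(req["body"])))


def find_cleartext_credential_posts(requests, allowed_hosts=()):
    """Return one alert per cleartext credential POST to a non-allowlisted host.

    allowed_hosts lets an operator suppress known-benign internal forms that
    legitimately post over HTTP; everything else with credential fields on
    port-80 style traffic is reported.
    """
    alerts = []
    for req in requests:
        if not is_cleartext_credential_post(req):
            continue
        if req["host"] in allowed_hosts:
            continue
        alerts.append({
            "host": req["host"],
            "path": req["path"],
            "fields": credential_fields(req["body"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_cleartext_credential_posts(SAMPLE_REQUESTS):
        print("ALERT cleartext credential POST to %s%s fields=%s"
              % (alert["host"], alert["path"], ",".join(alert["fields"])))
```

Because the bank login itself is over HTTPS, only the cleartext copy to the unrelated host is reported; once the malware author encrypts the exfiltration channel, as Krause expects, this body-based check no longer fires and detection has to move to host- or destination-based indicators.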

Kevin Bocek, vice president for security strategy and threat intelligence at Venafi, told eSecurity Planet by email that the threat from Dyre is being enabled at least in part by the blind trust too many users have in SSL/TLS. “In fact, 40 percent of mobile online banking applications are estimated to be vulnerable to man-in-the-middle (MITM) attacks without any cyber criminal effort,” he said.


Data Breach Round up : Last Month

June 12th, 2014

To give an overview of recent data breaches, we are summing up the challenges and solutions that prevent information and credibility loss. All the excerpts are from a conversation with Rapid7 global security strategist Trey Ford.

Data Points

It’s crucial, Ford says, to ensure that everyone in your organization is fully aware of the sensitivity of the data they may be handling. “A lot of people are posting data, they’re moving things around – they’re just trying to do their jobs – and for a number of reasons they may not always be aware that, OK, this is a list, this is a database, and some of this data is sensitive,” he says.

While most companies are aware of the importance of protecting clearly sensitive data like Social Security numbers and credit card information, Ford says other data can easily slip through the cracks. “We’re in a culture where it’s been comfortable to give out your phone number, your email address, your mom’s maiden name – and we’ve forgotten that with just a few more data points, you can go through and start creating fraudulent accounts or purporting to be someone else,” he says.

“Attackers are going to be like water – they’re going to follow the path of least resistance,” Ford says. “So it may be that a lot of your core systems are very carefully measured, but you don’t get to wash your hands and shrug off liability when you give sensitive data to external companies.”

Breach Communication

Ford says the recent eBay breach serves as a good example of the importance of responding to a breach correctly. “EBay has historically very heavily invested in great technology, great people. They’ve had a very advanced security program, they’re very aggressive with their measurement strategy, they’re a metrics-driven security organization – and I’m confident that their internal response was actually very swift and well-executed internally,” he says.

Encryption is the answer

Finally, Ford says it’s frustrating to see data breaches resulting from the theft of unencrypted laptops and USB drives continuing to be an issue. “Encryption technology exists, it’s pervasive, every major operating system in production used today has it or has it available, and it’s not even terribly expensive,” he says. “The challenge lies in the fact that it’s hard to manage. There are concerns about, ‘What if the admin leaves, or what if we get locked out of something?’ – and those are valid concerns – but those problems have been solved, they’re addressable, and organizations not using encryption should be the exception, not the rule.”


St. Joseph Health’s patients’ data stolen

June 10th, 2014

St. Joseph recently took over Regional Medical Group’s imaging center, and a recent data breach shows what can happen after such a transition. A total of 33,702 patients were affected by the breach. A thumb drive was stolen from an employee’s locker, which was not locked at the time of the incident. Information on the encryption status of the thumb drive was not available.

The data affected by the breach includes patient names, gender, medical record numbers, dates of birth, dates and times of service and X-ray details. The affected patients had received X-ray services; the data was restricted to X-rays only. No other imaging exams — such as mammograms or MRIs — were included on the drive.

The stolen thumb drive did not contain information on specific illness or patient diagnoses nor did it include any patient financial information, including insurance data or Social Security numbers.

“We take our obligation to protect our patients’ privacy very seriously,” said Todd Salnas, president of St. Joseph Health in Sonoma County, to the Democrat. “We apologize to those patients affected and have already implemented a number of security measures and other protocols so that this doesn’t happen again.”

Salnas also added that St. Joseph would be putting new procedures in place to boost physical security, such as using new security personnel, improving employee awareness and implementing a new alarm system.

“We are in the process of standardizing the records from Redwood Regional Medical Group to St. Joseph,” said Salnas. “Not only the data but procedures and policies, which we’re still in the process of completing.”


Montana Health Department hacked

June 7th, 2014

The Montana Department of Public Health and Human Services is notifying public program clients and employees about a data breach caused by a recent server hacking incident. Montana hired an investigator, who confirmed that the server was inappropriately accessed. The server held sensitive information, including state public assistance data such as food stamps, welfare payments, Medicaid, home heating aid and child-care assistance, birth records and some state employee information. It was also found that there may have been clients’ names, addresses, birth dates, Social Security numbers and healt

As protected health information (PHI) was involved in this breach, Montana may initiate a conversation with the Department of Health and Human Services (HHS). Montana’s state CIO, Ron Baldwin, told the Gazette that this was a first-time breach and that an outsider found a software vulnerability before the department was able to patch it, leading to the server hack. “This is not unique to Montana, it’s not unique to state government,” he said. “All states, all major businesses are experiencing these (attempts) every day, every month, every year … and they come from all over the world.”

Montana Department of Public Health and Human Services director Richard Opper suggested that the hackers may have been involved with trading Bitcoins in some form. “Out of an abundance of caution, we are taking the necessary steps to reach out to those whose information may have been stored in the server,” he said to the Gazette. “DPHHS is committed to answering questions clients and employees may have, and to help them take advantage of services we are offering.”
