Archive for the ‘Encryption’ category

Unauthorized access and data breach

February 17th, 2017

Verity Health System based in California recently announced that an unauthorized access may have caused data breach. The incident affected personal information of more than 9,000 individuals.

Verity Health operates six hospitals which includes Seton in Daly City, Seton Coastside in Moss Beach, O’Connor in San Jose, St. Louise in Gilroy and two in Southern California. It also runs Verity Medical Foundation and Verity Physician Network. Verify Health was known as Daughters of Charity. It was renamed after taken over by investment firm BlueMountain Capital Management.

Verity Health mentioned that the access occurred on the Verity Medical Foundation-San Jose Medical Group website.  It mentioned that the website is no longer in use. Also, immediate steps were taken to secure it and protect it from further damage.

Affected information included patient names, dates of birth, medical record numbers, addresses, email addresses, phone numbers and the last four digits of credit card numbers. Full credit card numbers and Social Security numbers were not included in the breach.

Verity mentioned that 9,000 got affected individuals in its statement. As per the OCR data breach reporting tool, incident impacted 10,164 individuals.

“Verity Health System takes the security of our patients’ information seriously, and we regret that this incident occurred,” Verity Health CEO Andrei Soran said in a statement. “We took immediate steps to investigate this incident, notify the affected individuals and appropriate authorities, and ensure enhanced protection of our information systems going forward. We are working with a leading cyber-security firm to further evaluate the integrity of our information systems.”

Facility believes that there are no reports of misuse of information. It has also established a call center to answer queries. It is also offering one free year of credit monitoring services for potentially affected patients.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Break In causes data breach

February 14th, 2017

Wichita, Family Medicine East, Chartered based in Kansas reported that it suffered data breach due to theft of an unencrypted desktop computer and printer from its facility. As per the reports, an individual got into the building by breaking an exterior window. Family Medicine mentioned that police have not yet caught the thief. Also, stolen items are not recovered.

Family East mentioned that “a significant number contained images of typed office notes dictated by Family Medicine East physicians during 2002 and 2003.”

Affected information included patient names, dates of birth, appointment dates, and the name or initials of the physician or PA who saw patients were in the notes. Social Security numbers and addresses are not included in the breach. Letters written to other physicians discussing a Family Medicine referral were included for few. Letters were also identified by name and information about their medical condition.

“[The notes and letters] were typed by transcriptionists engaged for that purpose in 2002 and 2003,” Family East said in its online statement. “The files remained on the computer that was stolen as a result of an employee’s oversight, and were not detected during a number of risk analyses undertaken prior to the theft, as part of efforts to secure all individually identifiable health information.”

Individuals who got treated in 2002 or 2003 are asked “to take steps to eliminate or minimize potential harm that could be caused by the theft.” Steps also include obtaining credit reports and monitoring their financial and baking accounts for activities.

Facility mentioned that it is offering complimentary credit monitoring services to potentially affected patients. It also said that all computers and systems will be encrypted.

“While Family Medicine East hopes to recover the stolen computer, this may not be possible,” the statement explained. “As part of its ongoing effort to prevent breaches of protected health information, Family Medicine East began the process of encrypting health information stored on laptop computers used by the doctors, PAs and nurses for patient care some time ago.”

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Health Facility suffers email hack

February 7th, 2017

Multicare Health System recently announced data breach due to an email hack. The incident potentially affected 1,200 patients. The Washington health system mentioned that it has no information at this time to believe that any patient personal health information was accessed or misused in any way.

Facility will send the notification to affected patients. Also, patients have been advised to review their Explanation of Benefits statements and to remain vigilant to signs of irregularities related to their health insurance.

MultiCare stated that an unauthorized individual gained access to an employee email account. The information in the emails likely contained personal patient information ranging from addresses to account balances. Facility added that financial information and Social Security numbers were not present on the affected email account.

After the incident the affected email account has been secured. Password has been changed. Facility initiated an investigation into the incident and has provided contact information for patients concerned about the status of their information.

About Multicare:

“MultiCare is a not-for-profit health care organization with more than 10,000 employees and a comprehensive network of services throughout Pierce, South King, Thurston and Kitsap counties.

Facilities heritage dates back to the founding of Tacoma’s first hospital in 1882. Since then, it has grown to meet the ever-changing needs of our region-always focusing on excellence, innovation and patient care.”

When  email account gets hacked one should follow below steps to minimize the damage:

Initial step is to assess the damage done by hackers.

Visit the website of your email provider and try to regain the access.

Change the password by authorised method. Check inbox and trash for any password reset emails, which were not initiated by you.

Scan your computer with anti virus software. Many emails are hacked today to install virus on your computer.

Review your personal settings.

Validate the source  of any program, game and app before downloading it.

_____________________________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Cyberattacks remains major concern for healthcare industry

April 19th, 2016

According to the recent survey by Symantec Corporation on healthcare cybersecurity, cyberattacks were the top reason behind healthcare data breaches in 2015. Many healthcare facilities are now focusing more on cybersecurity. Ransomware and phishing scams are on the rise with increased threat to sensitive data.

“For the first time in 2015, criminal attacks are the number one cause of data breaches in the health sector,” stated the study. “Why? Because, the cyber-criminals have figured out that health data is deep and valuable, and that healthcare IT infrastructure, from traditional IT systems to connected medical devices, is typically vulnerable and easy to penetrate.”

In last decade the data breaches were mainly due to lost or stolen device but it is changing now. Cyberattacks are growing exponentially and soon it may take over other forms of data breaches.

EHR and other health IT systems mostly get shutdown due to cyberattack strongly affecting hospital routine work. Researchers of Symantec also connected the rise in cyber threats to the increase in innovative medical devices.

“Healthcare is a uniquely difficult environment to secure against cyber threats and often security measures conflict with care delivery,” wrote the authors of the report. “There are a lot of shared devices, many of which are critical to patient care. Routine security measures often don’t work in a clinical context.”

Healthcare industry should implement cybersecurity tools to protect from any such attacks. According to the surveys, healthcare sector suffers most under the hands of cyber criminals as compared to other industry because the it is highly regulated. There are stringent laws in case of healthcare data breach which tempts criminal to extort handsome money.

“Certainly, security technologies are available to protect organizations from these sophisticated attacks across multiple security control points―email, network, and endpoint―but the front line of defense is still the employee who receives the email and may be tempted to click on an infected web link,” stated the report. “Investment in contemporary security technology is important, but always needs to be complemented by training and drills for your workforce.”

Also, healthcare providers should be prepared for all types of attacks.

“Any breach, no matter how small, can provide valuable information to attackers as they accumulate details on healthcare organizations, their staff and patients, and their IT infrastructure,” noted the report.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Stolen laptop and data breach

April 14th, 2016

Laptop theft can lead to data breach. OptumRx, the pharmacy care branch of a health services and technology company in Minnesota suffered data breach due to the theft incident. An unencrypted laptop was stolen from an employee’s vehicle in Indianapolis, Indiana as per the reports. OptumRx mentioned that laptop belonged to an unnamed vendor who provides home delivery services to patients.

Affected information included names, health plan names,addresses, prescription drug information, and prescribing provider information. For some individuals, dates of birth may have been exposed.

It also confirmed that Social Security numbers, credit cards, and other financial information was not involved.

Company did not specify the number of affected individuals. Also, Office of Civil Rights data breach portal didn’t mention the number of individuals affected by the security incident.

OptumRx has now contacted local authorities and launched an outside investigation. It has also mailed notification letters to potentially affected individuals.

“In addition, we have worked with the vendor to put immediate and additional protections in place to prevent the occurrence of similar incidents in the future,” explained OptumRx’s notification letter. “These measures include additional security requirements on laptops they use for OptumRx work, training and reinforcement of existing policies and practices, and further evaluation of additional safeguards.”

The company is also working with local law enforcement. Vendor is asked to put in place additional levels of protection for its laptops. One free year of identity theft protection services is also offered to individuals. It is supplying each with a one-year subscription to LifeLock.

LifeLock subscription includes following facilities to users:

  • Identity Threat Detection and Alerts:

With this service, LifeLock actively monitors an extensive online network for attempts to use your personal information. Whenever suspicious activity is detected, user will receive an alert via email or phone.

  • Wallet Protection

It also provides services for missing wallet. It has asked users to just call— anytime, anywhere—and LifeLock will help cancel or replace the contents to stop fraudulent activities. Coverage under this scheme includes credit and debit cards, Social Security cards, driver’s licenses, insurance cards, checkbooks and travelers checks.

  • Address & Verification

Impersonating can be done and Identity thieves can redirect your mail, containing financial information and providing a fraudulent new address. LifeLock monitors these such kinds of requests and notifies the user.

  • Black Market Surveillance

Identity thieves also get involved in illegal buy, sell and trade sensitive personal information on black market Internet sites. LifeLock now patrols over 10,000 criminal websites. Any suspicious activity is  notified to the user.

  • Pre-Approved Credit Card Offers

LifeLock works with bank to reduce emailing to affected individuals to avoid identity theft.

  • LifeLock Member Service 24/7/365

Sign in to your secure member portal at LifeLock.com is available all the time.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Computer glitch and Data Breach

March 26th, 2016

Laborers’ Health & Welfare Trust Fund for Northern California discovered that a computer glitch caused certain consumer health information to be processed incorrectly. The incident affected the processing of IRS Form 1095-B which included some patient health data in California.

According to the reports, some personal health information of workers were sent to other plan
participants and beneficiaries. Affected information included beneficiary names and names of dependents, Social Security numbers, and health plan coverage information. According to a press release, the Fund Office has notified potentially affected individuals personally, and will provide free credit monitoring to them.

The Fund Office mentioned that it will be taking steps to strengthen training processes and tighten security measures.

According to the press release –
The Fund Office has notified participants and provided credit monitoring services to all those participants and beneficiaries affected.The Fund Office has also instituted stronger security measures to guard against future mishaps.

According to the Wikipedia –
A computer glitch is the failure of a system, usually containing a computing device, to complete its functions or to perform them properly.In public declarations, glitch is used to suggest a minor fault which will soon be rectified and is therefore used as a euphemism for a bug, which is a factual statement that a programming fault is to blame for a system failure.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Unencrypted email and data breach

March 24th, 2016

BJC Healthcare Accountable Care Organization (BCJ ACO) in the St. Louis area recently announced data breach when an unencrypted email was sent to a participating medical practice in the BCJ ACO.It mentioned that 2,393 patients were possibly affected by the data security breach.

As per the statement, an email was sent containing patient information without the necessary security encryption. Affected information includes patient names, gender, dates of birth, and Medicare beneficiary identification numbers.  Medical information was not sent via email.

“BJC ACO investigated the email transmission and has discovered no indication that anyone other than the intended and authorized recipient at the medical practice read or accessed the email. BJC ACO has taken steps to re-educate staff on the process for sending emails in a secure manner”, the statement confirmed.

According to the statement: BJC ACO has complied with all U.S. Department of Health and Human Services Office for Civil Rights notification requirements, including individual patient letters, public news release and website posting.

About BJC ACO

BJC HealthCare was the first provider in the St. Louis area and one of 89 U.S. health care providers selected in 2012 as an Accountable Care Organization by the Centers for Medicare and Medicaid Services. CMS established ACOs that year to encourage groups of doctors, hospitals and other providers to coordinate health care services for Medicare patients and share in savings obtained through high-quality, well-coordinated care. BJC ACO currently coordinates care for approximately 40,000 patients in the BJC service area of metropolitan St. Louis, southern Illinois and mid-Missouri.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Hackers and Sensitive Data

March 4th, 2016

In today’s hacking world, hackers can gain access to sensitive data with little efforts. “It’s a bit depressing,” said Chandra Rangan, vice president marketing, HPE Security Products at Hewlett Packard Enterprise, discussing some of the findings published in HPE’s Cyber Risk Report 2016.

“Attackers are lazy. They want maximum bang for the buck, so they will go for low-hanging fruit,” Rangan said, noting that the most exploited bug in 2015 was over five years old. It was also the top bug in 2014.

As per the new findings, the top 10 vulnerabilities leveraged by attackers in 2015 are more than a year old. Half of them are at least five years old.

According to Rangan, there is a shift in which applications, rather than servers or operating systems, are used as a primary attack vector.

Mobile Insecurity

As per the recent survey:

  • 95 percent of newly discovered malware samples are found on Microsoft Window
  • 42 percent of exploits targeting Microsoft Window
  • 18 percent of the total exploits targeting Android
  • 12 percent of exploits on Java
  • Microsoft Office 11 percent
  • Adobe attacked by 14 percent, evenly divided between Flash and Reader exploits
  • 75 percent of the mobile apps scanned by HPE had at least one vulnerability

Some software developers “seem to be making a tradeoff between speed and security,” Rangan said. “There is a whole new crop of app developers, and they are saying ‘how quickly can I get this app to market and how quickly can I monetize it?’ When you are in that mode, you are less likely to use the development processes and methodologies that include multiple security checks.”

“You do not need to make a tradeoff, and you do not need to use the old-school waterfall development model. There are plenty of technologies out there where you can build security into the very fabric of your apps.”

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

————————————————————————————————————————————————————-

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Cybersecurity Insights from SC Congress

March 2nd, 2016

Recent SC Congress emphasised on Cyber insurance and new approaches to security patches.

Experts discussed some of the current and emerging issues in cybersecurity.

Cyber Insurance

Most of the panel on cyber insurance believed that the legal wording of policies, exclusions and other factors tend to make it a pricey policy which may not provide the expected benefits in the event of a data breach.

“I’ve never been a fan of insurance; getting the right coverage is always an uphill fight,” said Winn Schwartau, CEO of The Security Awareness Company. “We’ve been at war, but acts of nation-states are excluded by insurance, as are acts of war and acts of God. Is ISIS a nation-state?”

Same Old Cybersecurity Threats

Even though there are new, deeper threats, many cybersecurity vulnerabilities have existed for years which also exists today.

According to Jeffery Ingalsbe, CISO of broker management firm Flexible Plan Investments, in many way, there is nothing new under the sun.

Security Patches

“The problem is that companies are continuing to patch the same way. They’ve had problems with organization and prioritization of patches. They need to understand how to patch and unpatch so as not to impact the users,” Rushing said.

High Cybersecurity Standards

When it comes to securing the network, companies need to score closer to 99.9999 percent in order to be considered safe.

Test Security Software

Don’t try to integrate during proof of concept, or there could be other network issues, Richard Lafosse, CISO for Cook County, Ill added. “Evaluate more than one vendor and remember that the contract terms are king.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

————————————————————————————————————————————————————-

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Ransomware attack and data breach

February 24th, 2016

Hollywood Presbyterian Medical Center (HPMC) was on the verge of data breach but paid $17,000 after a ransomware attack. According to the reports, the cyber attack encrypted its EHR files and demanded the sum of money in exchange for the encryption key.

HPMC believes that there is no sign of information misuse stored on the EHR. HPMC discovered the breach after staff members got issues accessing parts of the hospital network. After a thorough investigation, hospital believed that it had fallen victim to a malware attack that kept them from accessing patient medical files stored in their EHR.

Forty bitcoins, an equivalent of $17,000 was asked as a ransom amount. As per HPMC, It paid the $17,000 ransom because that was typically the quickest and easiest way to regain access to its EHR files.

Hospital gained full access to the files. It was completely cleansed of the malware and checked for adequate security standards.

According to the  CEO and president Allen Stefanek –

I am very proud of the dedication and hard work of our staff who have maintained the highest level of service, compassion and quality of care to our patients throughout this process,” Stefanek wrote. “I am also thankful for the efforts of the technical staff as the EMR systems were restored, and their continued efforts as other systems are brought back online.

Phil Lieberman, a cybersecurity expert mentioned that –

I have never heard of this kind of attack trying to shut down a hospital. This puts lives at risk, and it is sickening to see such an act,he said. Health management systems are beginning to tighten their security.

According to Parham Eftekhari, ICIT co-founder and senior fellow –

As we have seen in the recent attack on Hollywood Presbyterian, hackers are able to completely paralyze an organization until it pays a ransom which may or may not unlock their systems and data,he said earlier this week in an interview with HealthITSecurity.com. The hundreds of thousands or millions of dollars paid in ransom is a small price to pay for an organization when faced with the alternative of losing everything and threat actors know it.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

————————————————————————————————————————————————————-

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec’s Check Point Full Disk Encryption.