Security and Hacking, Real Fears

See the WSJ Article: New Epidemic Fears: Hackers

Securing health records in small doctor’s offices and clinics is not easy: small offices can’t afford Fort-Knox style data protection measures, like hiring security experts to make sure hackers aren’t getting into their systems. Even if electronic health records software includes encryption and other security features doesn’t mean those features will be turned on and used.

• Now, many privacy advocates are concerned the administration’s effort could end up making health information less secure. “If there isn’t a concerted effort to acknowledge that the security risks are very real and very serious then we could end up doing it wrong,” says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University.

• “As more information is shared, it is subjected to the weak-link effect.”

• Mr. Osteen’s efforts to safeguard information won’t be useful if smaller providers he shares it with haven’t made the same kind of security investments.”

Hackers Want Millions For Data on Prescriptions

The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom by Thursday for the return of millions of personal pharmaceutical records they say they stole from the state’s prescription drug database.

The hackers claim to have accessed 8 million patient records and 35 million prescriptions collected by the Prescription Monitoring Program.

“This was an intentional criminal act against the commonwealth by somebody who was trying to harm others,” Gov. Timothy M. Kaine (D) said. “There are breaches that happen by accident or glitches that you try to work out. It’s difficult to foil every criminal that may want to do something against you.”

Although the hackers had threatened to sell the data if they did not receive payment by Thursday, the deadline passed with no immediate sign that they followed through.

Thieves Winning Online War, Maybe Even in Your Computer

Internet security is broken, and nobody seems to know quite how to fix it.

Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.

As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.

Your own health ID number

It’s been a decade since federal legislation called for the creation of a unique patient identifier — a number carried by each American linking patients to their individual health records — but concerns about privacy and security, reported way back in the July 21, 1998, Los Angeles Times, have stalled efforts to put the proposal into use.

Concerns still exist, but it may be an idea whose time has come, according to a Rand Corp. study releasedonline today. It turns out that the compromise fashioned to adhere to the 1996 Health Insurance Portability and Accountability Act mandating the creation of a system to accurately identify patients has resulted in a system in which privacy is at risk, while not doing enough to prevent errors.

DNA profiles blocked from public access

The National Institutes of Health quietly blocked public access to databases of patient DNA profiles after learning of a study that found the genetic information may not be as anonymous as previously believed, The Times has learned.

Institute officials took the unusual step Monday and removed two databases on its public website. The databases contained the genetic information of more than 60,000 cooperating patients. Scientists began posting the information publicly eight months ago to help further medical research.

Take Two Hackers and VoIP me in the Morning

With over 10,000 magazines published in the US, I rarely have time to read all of them. But I do make an effort to set aside a few hundred hours each week to read as many of them as I can.
Reading the current 2008/2009 Physicians Practice Annual Tech Guide provided a good helping of security food for thought.  As a former physician, I occasionally like to check on the lack of technological progress in the healthcare industry.  However, after reading this publication, I was pleased to find that both the Internet, and the digital storage of information, have been discovered and incorporated into the doctor’s office.  Unfortunately, the concept of information security has yet to be understood by our community of clinicians.

Malicious code makes Web surfing risky

The chance of downloading malicious code from a Web site has increased 41 percent in the past year, according to a recent study of malignant sites by McAfee Inc. The study, titled “Mapping the Web Revisited,” is the second examination of the prevalence of spyware, adware, viruses and other unwanted software according to specific domains.

The safest place to conduct your Web surfing is among sites in the .gov top-level generic domain, which is administered by the federal government and used by official government sites.

‘Crimeserver’ Discovered with Treasure Trove of Stolen Data

Web firm Finjan discovered a “crimeserver” in Malaysia with more than 1.4GB of stolen data that had been amassed in just three weeks.
Even more alarming: Finjan’s report about the attack surmised that crimeware is evolving with a customer-service focus. Finjan said the crimeserver was left open so that data could be accessed by anyone.
Cybercriminals collect a treasure trove of data from Web surfers whose computers are infected with Trojans. That’s all-too-common news these days, but a recent case shows that the problem is getting worse. Finjan Inc., which makes secure Web gateway products, discovered a server in Malaysia being used by hackers to store more than 1.4 gigabytes of stolen data. What surprised the Finjan researchers was that the data was stolen from businesses as well as individuals — and it was amassed in just three weeks.
Yuval Ben-Itzhak, Finjan’s chief technology officer, told us that there were other surprises from the discovery of the Malaysian-based “crimeserver” that was being used as a command-and-control center for the Trojans installed on infected PCs around the world.

Electronic medical records at risk of being hacked, report warns

The electronic health record systems that automate the digitized medical histories of U.S. patients are severely at risk of being hacked, a new report has claimed. A fix requires better collaboration between CIOs and vendors.
The warning comes from the eHealth Vulnerability Reporting Program (eHVRP), a collaborative of health care industry practitioners and technology providers. It was formed last year to assess the security of the nation’s electronic health records.
“There was not one system we could not penetrate and gain control of data,” said eHVRP board member Daniel S. Nutkis. “These systems were not any worse than banking systems. But the banking systems have elaborate security mechanisms sitting on top of them.”
{Security of electronic health records is nil, yet the government and industry promote the adoption of these grossly unsafe technologies anyway, risking exposure and theft not only of health information, but also of all the demographic amd financial data that is included in health records.~Dr.Deborah Peel, Patient Privacy Rights}

How Credit-Card Data Went Out Wireless Door

The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn. There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers. That helped them hack into the central database of Marshalls’ parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

The $17.4-billion retailer’s wireless network had less security than many people have on their home networks, and for 18 months the company — which also owns T.J. Maxx, Home Goods and A.J. Wright — had no idea what was going on. The hackers, who have not been found, downloaded at least 45.7 million credit- and debit-card numbers from about a year’s worth of records, the company says. A person familiar with the firm’s internal investigation says they may have grabbed as many as 200 million card numbers all told from four years’ records.

The previous record for card numbers exposed to thieves was 40 million. The TJX hackers also got personal information such as driver’s license numbers, military identification and Social Security numbers of 451,000 customers — data that could be used for identity theft. The company has apologized for its security lapse and beefed up its system. It rejects the 200 million figure as speculation, but says it may never know the precise number. TJX deleted its own copies of the records stolen by the hackers and can’t crack the encryption on files that the hackers left in its system.

{Are electronic health systems any more secure than TJX Companies’ system? How much health data today is transmitted over wireless networks and could be captured and decoded like the credit-card data from TJ Maxx, Home Goods and A.J. Wright? ~ Dr. Deborah Peel, Patient Privacy Rights}