Brian Pennington

A blog about Cyber Security & Compliance

May 2015

Most Healthcare Organisations Have Experienced A Data Breach

The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data reveals that the majority of healthcare organizations represented in this study have experienced multiple security incidents and nearly all have faced a data breach. Despite the universal risk for data breach, the study found that many organizations lack the funds and resources to protect patient data and are unprepared to meet the changing cyber threat environment.

The 2015 study was expanded beyond healthcare organizations to include Business Associates.

Represented in this study are 90 covered entities (hereafter referred to as healthcare organizations) and 88 business associates (hereafter may be referred to as either business associates or BAs). A BA is a person or entity that performs services for a covered entity that involves the use or disclosure of protected health information (PHI), according to the U.S. Department of Health & Human Services. The inclusion of BAs provides a broader perspective of the healthcare industry as a whole and demonstrates the impact third parties have on the privacy and security of patient data. Respondents were surveyed about their privacy and security practices and experiences with data breaches, as well as their experiences with both electronic and paper security incidents.

Data breaches in healthcare continue to put patient data at risk and are costly. Based on the results of this study, the authors estimate that data breaches could be costing the industry $6 billion.

  • 90% of healthcare organizations represented in this study had a data breach
  • 40% had more than five data breaches over the past two years

According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million. No healthcare organization, regardless of size, is immune from data breach. The average cost of a data breach to BAs represented in this research is more than $1 million. Despite this, half of all organizations have little or no confidence in their ability to detect all patient data loss or theft.

For the first time, criminal attacks are the number one cause of data breaches in healthcare. Criminal attacks on healthcare organizations are up 125% compared to five years ago. In fact, 45% of healthcare organizations say the root cause of the data breach was a criminal attack and 12% say it was due to a malicious insider. In the case of BAs, 39% say a criminal attacker caused the breach and 10% say it was due to a malicious insider.

The percentage of criminal-based security incidents is even higher; for instance, web-borne malware attacks caused security incidents for 78% of healthcare organizations and 82% of BAs. Despite the changing threat environment, however, organizations are not changing their behaviour: only 40% of healthcare organizations and 35% of BAs are concerned about cyber attackers.

Security incidents are part of everyday business. 65% of healthcare organizations and 87% of BAs report their organizations experienced electronic information-based security incidents over the past two years.

  • 54% of healthcare organizations suffered paper-based security incidents
  • 41% of BAs had such an incident

However, many organizations do not have the budget and resources to protect both electronic and paper-based patient information. For instance, 56% of healthcare organizations and 59% of BAs don’t believe their incident response process has adequate funding and resources. In addition, the majority of both types of organizations fail to perform a risk assessment for security incidents, despite the federal mandate to do so.

Even though medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014, the harms to individuals affected by a breach are not being addressed. Many medical identity theft victims report they have spent an average of $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records.

Nearly two-thirds of both healthcare organizations and BAs do not offer any protection services for patients whose information has been breached.

Since 2010, this study has tracked privacy and security trends of patient data at healthcare organizations. Although the annual economic impact of a data breach has remained consistent over the past five years, the most-often reported root cause of a data breach is shifting from lost or stolen computing devices to criminal attacks. At the same time, employee negligence remains a top concern when it comes to exposing patient data. Even though organizations are slowly increasing their budgets and resources to protect healthcare data, they continue to believe not enough investment is being made to meet the changing threat landscape.

Key Findings

In this section, the report provides a deeper analysis of the findings, organized according to the following two topics:

  • Privacy and security of patient data in healthcare organizations and business associates
  • Five-year trends in privacy and security practices in healthcare organizations

To respond quickly to data breaches, organizations need to invest more in technologies.

  • 58% of healthcare organizations agree that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft.
  • 49% agree they have sufficient technologies
  • 33% agree they have sufficient resources to prevent or quickly detect a data breach.
  • 53% of organizations have personnel with the necessary technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data.

Background

  • Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
  • A security incident is defined as a violation of an organization’s security or privacy policies involving protected information such as social security numbers or confidential medical information. A data breach is an incident that meets specific legal definitions per applicable breach law(s). Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines.
  • This is based on multiplying $1,067,400 (50% of the average two year cost of a data breach experienced by the 90 healthcare organizations in this research) x 5,686 (the total number of registered US hospitals per the AHA).

Two thirds of British workers willing to breach data protection rules

Despite the risk to their employer of criminal proceedings and heavy fines, two thirds (66%) of UK workers would not report a serious data protection breach if they thought it would get one of their colleagues into trouble, according to recent research.

The study by telecoms and IT firm Daisy Group, which looked at data security risks, found that 13% of UK workers had disabled the password protection features on work laptops, mobiles, or tablet devices because they found them annoying. Of those who did have password protection, 36% said they didn’t change their passwords regularly, and 17% admitted their password was very simple and would be easy to guess.

Data security breaches

However, if asked by a third party to email a client’s or supplier’s personal details outside of the company, 56% said they wouldn’t and 19% said they would check with their boss before doing so. Still, 7% said that they would send the details without querying the request, as they didn’t think anyone would mind.

When asked if data security was an important issue for the company they worked for, 19% said they had no idea.

Cloud specialist Graham Harris explained: “When it comes to data security, all too often businesses focus purely on IT processes and forget about the staff that will be using them.

“As our research identified, human error is one of, if not the, most likely source of data security issues, and fear of reprisal is a powerful force. Businesses must be proactive and educate their staff about what data security processes and policies there are, why they exist, what the staff member’s responsibilities are, and reassure them about what to do in the event of a problem.”

Estate agents and those working in the property industry were among the most likely to turn a blind eye to colleagues’ data security failings, with 71% saying they wouldn’t report a data security breach that would get a colleague into trouble. Those working in marketing were the most likely to raise the alarm.

Despite the potential risk of commercially-sensitive data theft, business management and professional services workers were the most likely to disable data security features on their mobile devices.

Mobile Device Management

The research was conducted to assess the demand among UK businesses for ‘mobile device management’. The new cloud-based technology gives organisations more control over smartphones and tablet computers by letting them remotely track and wipe the content of any lost or stolen devices, thereby ensuring the information remains confidential.

According to one statistic, 180,000 computing and communication devices were lost or stolen in the UK last year, but it is likely that the true figure is much higher as not all thefts are reported to the police.

Graham Harris explained: “It is important to ‘common sense’ test any security system. Procedures that are complicated or disrupt the working environment often result in employees finding ways to circumnavigate them or taking matters in their own hands. Similarly, it is important to plan for human error and problems, such as theft or loss of devices that carry important data, so that when they do occur, they can be dealt with quickly and effectively.”

The EU is currently in the process of reforming laws on Data Protection which, among other things, will require organisations to report data protection breaches to the relevant authorities within 24 hours. It is anticipated that the penalties for failure to comply will increase to as much as €100m. The legislation changes are expected to be in force by the end of 2018.

DDoS attack activity soars

Akamai Technologies, Inc. announced the availability of the Q1 2015 State of the Internet – Security Report. The quarter’s report provides analysis and insight into the global cloud security threat landscape.

DDoS attack activity soars

Q1 2015 set a record for the number of DDoS attacks observed across Akamai’s PLXrouted network: more than double the number recorded in Q1 2014, and a jump of more than 35% compared to the previous quarter.

However, the attack profile has changed. Last year, high bandwidth and short duration attacks were the norm. But in Q1 2015, the typical DDoS attack was less than 10 gigabits per second (Gbps) and endured for more than 24 hours. There were eight mega-attacks in Q1, each exceeding 100 Gbps. While that was one fewer mega-attack than in Q4 2014, such large attacks were rarely seen a year ago. The largest DDoS attack observed in Q1 2015 peaked at 170 Gbps.

During the past year, DDoS attack vectors have also shifted. This quarter, Simple Service Discovery Protocol (SSDP) attacks accounted for more than 20% of the attack vectors, while SSDP attacks were not observed at all in Q1 or Q2 2014. SSDP comes enabled by default on millions of home and office devices including routers, media servers, web cams, smart TVs and printers to allow them to discover each other on a network, establish communication and coordinate activities. If left unsecured and/or misconfigured, these home-based, Internet-connected devices can be harnessed for use as reflectors.
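A defender-side check that follows from the reflector point above, added here as an example (it is not code from the Akamai report or from this blog): it scans constructed flow records for LAN devices whose SSDP replies to Internet addresses far exceed the SSDP queries received from those addresses. The flow tuple layout, the 192.0.2.0/24 LAN and the amplification threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SSDP_PORT = 1900  # UDP port SSDP listens on

# Constructed flow records (assumed layout, not data from the report):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
# 192.0.2.0/24 stands in for the home/office LAN, 198.51.100.0/24 for the Internet.
FLOWS = [
    # Legitimate discovery: multicast M-SEARCH from a LAN host and a unicast reply inside the LAN.
    ("192.0.2.10", 50000, "239.255.255.250", 1900, "udp", 1, 160),
    ("192.0.2.20", 1900, "192.0.2.10", 50000, "udp", 1, 320),
    # Reflection pattern: a trickle of queries arrives from the Internet carrying the
    # victim's address as source, and each device answers with far more bytes than it received.
    ("198.51.100.9", 80, "192.0.2.20", 1900, "udp", 200, 20000),
    ("192.0.2.20", 1900, "198.51.100.9", 80, "udp", 6000, 5400000),
    ("198.51.100.9", 80, "192.0.2.30", 1900, "udp", 200, 20000),
    ("192.0.2.30", 1900, "198.51.100.9", 80, "udp", 5000, 4500000),
    # Ordinary outbound HTTPS, present to show that non-SSDP flows are ignored.
    ("192.0.2.10", 51000, "198.51.100.20", 443, "tcp", 40, 30000),
]


def find_ssdp_reflectors(flows, lan_cidr, min_amplification=10.0):
    """Return {lan_host: {"peer": ip, "bytes_out": n, "amplification": x}} for LAN hosts
    whose SSDP replies to an Internet address dwarf the SSDP queries received from it."""
    lan = ip_network(lan_cidr)
    queries = defaultdict(int)  # (lan_host, remote) -> bytes of UDP/1900 queries received
    replies = defaultdict(int)  # (lan_host, remote) -> bytes of UDP/1900 replies sent
    for src, sport, dst, dport, proto, _packets, nbytes in flows:
        if proto != "udp":
            continue
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dport == SSDP_PORT and dst_ip in lan and src_ip not in lan:
            queries[(dst, src)] += nbytes
        elif sport == SSDP_PORT and src_ip in lan and dst_ip not in lan:
            replies[(src, dst)] += nbytes
    findings = {}
    for (host, peer), out_bytes in replies.items():
        in_bytes = queries.get((host, peer), 0)
        # If no query was seen at all (asymmetric capture), treat the amplification as
        # unbounded so the host is still reported rather than silently skipped.
        amplification = out_bytes / in_bytes if in_bytes else float("inf")
        if amplification >= min_amplification:
            findings[host] = {"peer": peer, "bytes_out": out_bytes,
                              "amplification": round(amplification, 1)}
    return findings


if __name__ == "__main__":
    for host, info in find_ssdp_reflectors(FLOWS, "192.0.2.0/24").items():
        print(f"{host} answered {info['peer']} with {info['bytes_out']} bytes "
              f"({info['amplification']}x the query bytes received)")
```

Devices it flags are candidates for having UPnP/SSDP disabled on the WAN interface, and blocking inbound UDP/1900 at the Internet edge stops the pattern entirely.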

During Q1 2015, the gaming sector was once again hit with more DDoS attacks than any other industry. Gaming has remained the most targeted industry since Q2 2014, consistently being targeted in 35% of DDoS attacks. The software and technology sector was the second most targeted industry in Q1 2015, with 25% of the attacks.

Compared to Q1 2014

  • 5% increase in total DDoS attacks
  • 83% increase in application layer (Layer 7) DDoS attacks
  • 69% increase in infrastructure layer (Layer 3 & 4) DDoS attacks
  • 42.8% increase in average attack duration: 24.82 vs. 17.38 hours

Compared to Q4 2014

  • 24% increase in total DDoS attacks
  • 22% increase in application layer (Layer 7) DDoS attacks
  • 74% increase in infrastructure layer (Layer 3 & 4) DDoS attacks
  • 15.4% decrease in average attack duration: 24.82 vs. 29.33 hours

A look at seven common web application attack vectors

For the Q1 2015 report, Akamai concentrated its analysis on seven common web application attack vectors, which accounted for 178.85 million web application attacks observed on the Akamai Edge network. These vectors were:

  1. SQL injection (SQLi)
  2. Local file inclusion (LFI)
  3. Remote file inclusion (RFI)
  4. PHP injection (PHPi)
  5. Command injection (CMDi)
  6. OGNL Java injection (JAVAi)
  7. Malicious file upload (MFU)

During Q1 2015, more than 66% of the web application attacks were attributed to LFI attacks. This was fueled by a massive campaign against two large retailers in March, targeting the WordPress RevSlider plugin.

SQLi attacks were also quite common, making up more than 29% of web application attacks. A substantial portion of the SQLi attacks was related to attack campaigns against two companies in the travel and hospitality industry. The other five attack vectors collectively made up the remaining 5% of attacks.

The retail sector was the hardest hit by web application attacks, followed by the media and entertainment sector and the hotel and travel sector.
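To make the seven categories concrete, here is an added classifier (example code, not Akamai’s detection logic) that labels constructed access-log lines with one of the vectors listed above and reports each vector’s share of all attacks, the way the report quotes LFI at 66% and SQLi at 29%. The log format, the signature table and the sample lines are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# The seven vectors in the order the page lists them; "none" marks a request matching nothing.
VECTORS = ("SQLi", "LFI", "RFI", "PHPi", "CMDi", "JAVAi", "MFU")

# Hypothetical signature table (assumed; Akamai's real rules are not on the page).
# First match wins, so RFI is tried before LFI: a remote URL in a parameter must not be
# relabelled LFI just because its path happens to contain "../".
SIGNATURES = (
    ("RFI",   re.compile(r"[?&][^=&]+=(https?|ftp)://", re.I)),
    ("LFI",   re.compile(r"(\.\./|/etc/passwd\b|/proc/self/)", re.I)),
    ("PHPi",  re.compile(r"(php://|<\?php\b)", re.I)),
    ("JAVAi", re.compile(r"(%\{|@java\.lang\.)", re.I)),
    ("CMDi",  re.compile(r"[;|`]\s*(cat|wget|curl|nc|bash|uname)\b", re.I)),
    ("SQLi",  re.compile(r"(union\s+select|'\s*or\s+'|\bor\s+1=1\b|sleep\(\d+\))", re.I)),
    ("MFU",   re.compile(r'filename="[^"]*\.(php\d?|phtml|jsp|aspx?)"', re.I)),
)

# Constructed log format (assumed): Apache combined prefix plus an optional " body="
# excerpt that a WAF might record for POST requests, since uploads live in the body.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: body=(?P<body>.*))?$'
)

# Constructed sample lines: three LFI, two SQLi, one RFI, one CMDi, one MFU, one benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2015:10:01:02 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2015:10:01:03 +0000] "GET /download?file=..%252F..%252Fwp-config.php HTTP/1.1" 200 512',
    '203.0.113.6 - - [12/Mar/2015:10:01:09 +0000] "GET /img.php?src=%2Fetc%2Fpasswd HTTP/1.1" 403 0',
    '198.51.100.7 - - [12/Mar/2015:10:02:00 +0000] "GET /products?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 128',
    '198.51.100.7 - - [12/Mar/2015:10:02:01 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048',
    '198.51.100.8 - - [12/Mar/2015:10:03:00 +0000] "GET /include.php?file=http%3A%2F%2F198.51.100.9%2Fx.txt HTTP/1.1" 404 64',
    '198.51.100.8 - - [12/Mar/2015:10:03:30 +0000] "GET /ping?host=127.0.0.1%3Buname%20-a HTTP/1.1" 200 77',
    '192.0.2.44 - - [12/Mar/2015:10:04:00 +0000] "POST /upload HTTP/1.1" 200 30 body=Content-Disposition: form-data; name="f"; filename="avatar.php"',
    '192.0.2.45 - - [12/Mar/2015:10:05:00 +0000] "GET /products?id=42&sort=price HTTP/1.1" 200 9001',
]


def normalise(text):
    """URL-decode twice so double-encoded payloads (e.g. ..%252F) are seen in clear."""
    return unquote_plus(unquote_plus(text or ""))


def classify_line(line):
    """Return (client_ip, vector_label) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    haystack = normalise(m.group("target")) + "\n" + normalise(m.group("body"))
    for label, pattern in SIGNATURES:
        if pattern.search(haystack):
            return m.group("ip"), label
    return m.group("ip"), "none"


def vector_shares(lines):
    """Count attacks per vector and give each as a percentage of all attacks seen."""
    counts = Counter()
    for line in lines:
        result = classify_line(line)
        if result and result[1] != "none":
            counts[result[1]] += 1
    total = sum(counts.values())
    shares = {v: round(100.0 * counts[v] / total, 1) for v in VECTORS if counts[v]} if total else {}
    return counts, shares


if __name__ == "__main__":
    counts, shares = vector_shares(SAMPLE_LOG)
    for vector in VECTORS:
        if counts[vector]:
            print(f"{vector:5s} {counts[vector]:3d} attacks  {shares[vector]:5.1f}%")
```

A table this small will produce false positives on real traffic; the point is the classification shape, in particular signature ordering and double decoding, not a production rule set.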

The growing threat of booter/stresser sites

The menu of easy-to-use attack vectors found in the DDoS-for-hire market can make it easy to dismiss the effectiveness of attackers who use them. A year ago, peak attack traffic using these tactics from booter/stresser sites typically measured 10–20 Gbps. Now these attack sites have become more dangerous, capable of launching attacks in excess of 100 Gbps. With new reflection attack methods such as SSDP being added continually, the potential damage from these sites is expected to keep increasing over time.

IPv6 adoption brings new security risks

IPv6 DDoS is not yet a common occurrence, but there are indications that malicious actors have started testing and researching IPv6 DDoS attack methods. A new set of risks and challenges associated with the transition to IPv6 are already affecting cloud providers as well as home and corporate network owners. Many IPv4 DDoS attacks can be replicated using IPv6 protocols, while some new attack vectors are directly related to the IPv6 architecture. Many of the features of IPv6 could enable attackers to bypass IPv4-based protections, creating a larger and possibly more effective DDoS attack surface. The Q1 security report outlines some of the risks and challenges that are ahead of us.

SQL injection attacks move beyond data theft

While SQL injection attacks have been documented since 1998, their uses have grown. The effects of these malicious queries can extend well beyond simple data exfiltration, potentially causing more damage than a data breach would have. These attacks can be used to elevate privileges, execute commands, infect or corrupt data, deny service, and more. Akamai researchers analyzed more than 8 million SQL injection attacks from Q1 2015 to uncover the most frequent methods and goals.

Website defacements and domain hijacking

Hundreds of web hosting companies provide web hosting for as little as a few dollars a month. In those cases, the hosting company may host multiple accounts on the same server. This can result in hundreds of domains and sites running under the same server IP address, potentially allowing malicious actors to hijack multiple web sites at once. Once one site has been compromised, a malicious actor can potentially traverse the server’s directories, potentially reading username and password lists, to access files from other customer accounts. This could include web site database credentials. With this information, attackers could gain the ability to change files on every site on the server.

Most consumers do not trust anyone to protect their personal information

Fortinet surveys reveal growing cyber threat concerns as more consumers fear data breaches, while CISOs lack confidence in their ability to stop them.

Despite their concerns, third-party studies reveal consumer behaviours may present greater challenges for organizations that don’t have the right security protections in place.

Two industry surveys commissioned by Fortinet reveal:

  • 71% of consumers across the U.S. are more nervous about their personal information being stolen through a data breach than they were just a year ago
  • 28% of IT security professionals are confident they have done enough to prevent a security incident

Despite this shift in consumer sentiment, the research revealed consumers are not taking necessary precautions to protect their personal information. When asked what measures they are implementing to better safeguard their information online:

  • 76% of respondents said they had merely implemented stronger passwords – a step that is typically required when setting up an online account
  • 20% said they aren’t doing anything at all

There is no question that the cyber threat environment remains dynamic and dangerous, and is gaining in severity. According to a recent report released by the Identity Theft Resource Center (ITRC), companies in the U.S. experienced a record-breaking 783 data breaches in 2014.

Already in 2015 this trend has continued with the Anthem Health security breach – the largest in history, affecting more than 80 million of its customers – as well as Sony, TV5Monde and others. Many of these attacks were initiated by sophisticated hackers looking for ways to circumvent perimeter defences through compromised devices, while others originated from within the network through unsuspecting employees or partners who, without malicious intent, let cyber criminals in.

“The amount of entry points cyber criminals can use to infiltrate corporate networks and steal precious information is growing rapidly, as the number of devices connected to the network increases,” said Andrew Del Matte, chief financial officer at Fortinet. “If consumers aren’t taking precautions to protect their devices and proprietary data in their personal lives, it is unlikely they are doing so at work, increasing the possibility of a breach. It is more critical now than ever before for businesses to help safeguard the consumer and customer data for which they are responsible. They must take a multi-layered approach to security to protect against both malicious and non-malicious threats, from both inside and outside of the network.”

On a scale of 1 to 5 with 1 being “completely trust” and 5 being “don’t trust at all,” consumers were asked how much they trust various business providers and other institutions to protect their information. The survey found:

  • 31% of consumers completely trust their doctors
  • 18% completely trust their health insurance providers
  • 27% completely trust their personal banks
  • 14% completely trust their credit card companies
  • 19% completely trust their employers
  • 4% completely trust retailers

Are Organizations Doing Enough?

In a survey of 250 IT professionals with authority over the security decisions for their organizations:

  • 57% indicated they are most concerned about protecting customer data from cyber criminals.
  • 28% of those surveyed are completely confident their organizations have done everything possible to prevent a security incident
  • 26% said they were only half-confident that they have taken the necessary measures to protect their organization from potential risk

“Consumers are more concerned than ever about their personal information being compromised through a data breach, with good reason,” said Derek Manky, senior security strategist at Fortinet’s FortiGuard Labs. “The evolving threat landscape puts everyone at greater risk, particularly organizations that aren’t taking the time to rethink their approach to security. An old school approach won’t do. Businesses should seek out a best-of-breed security partner with scale, third-party validated solutions and access to the most up-to-date threat intelligence, to safeguard their networks from threats, no matter the type or where it is initiated, today and in the future.”

The history of mobile threats, 2004 to 2015

Sophos have created this timeline of mobile threats going back to 2004. It’s by no means comprehensive, but it gives you a good idea of how threats have evolved in a short period of time.

Time to Identify Advanced Threats is 98 Days for Financial Services Firms and 197 Days for Retail

According to a Ponemon Institute survey sponsored by Arbor Networks, Financial Services and Retail organizations agree that advanced threats are the most serious security challenge facing their organizations. Despite the concern, both industries struggle to identify these attacks once they are inside their network.

Known as ‘dwell’ time, the time it takes to identify these attacks is:

  • 98 days for Financial Services firms
  • 197 days for Retail

Despite these results, 58% of Financial Services and 71% of Retail organizations said they are not optimistic about their ability to improve these results in the coming year. This is alarming considering the number of attacks targeting their networks. Within Financial Services, 83% experienced more than 50 attacks per month, while 44% of Retail firms did.

“The big takeaway from our research is that more investment is needed in both security operations staff and in security tools, which can help companies efficiently and accurately detect and respond to security incidents,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable.”

“It’s time to find a better balance between technology solutions, usability, workflow and the people who use them. As security vendors, we need to help our customers so they can adapt to this new cyber security reality that balances the threats with the people who fight them every day,” said Matthew Moynahan, president of Arbor Networks.

In the wake of high profile mega breaches, the Ponemon Institute surveyed Financial Services and Retail firms in North America and Europe, Middle East and Africa (EMEA) to better understand how they are dealing with attacks targeting their organizations. The survey asked how these organizations manage the explosion in advanced threats and distributed denial of service (DDoS) attacks targeting their infrastructure; how effective (or not) their IT investments are; and how they are adapting incident response procedures and integrating threat intelligence for better visibility, insight and context.

Key Findings Among Financial Services Firms

Advanced Threats

  • 71% view technologies that provide intelligence about networks and traffic as most promising at stopping or minimizing advanced threats during the seven phases of the Kill Chain
  • 45% have implemented incident response procedures
  • 43% have established threat sharing with other companies or government entities

DDoS Attacks

  • 55% consider DDoS attacks as an advanced threat
  • 48% ‘Strongly Agree’ or ‘Agree’ that they are effective in containing DDoS attacks
  • 45% have established threat sharing with other companies or government entities to minimize or contain the impact of DDoS attacks

Budgets & Staffing. Budgets are allocated:

  • 40% towards Technology
  • 37% to Staffing
  • 20% to Managed Services

Key Findings Among Retail Firms

Advanced Threats

  • 64% view technologies that provide intelligence about networks and traffic as most promising at stopping or minimizing advanced threats during the seven phases of the Kill Chain
  • 34% have implemented incident response procedures
  • 17% have established threat sharing with other companies or government entities

DDoS Attacks

  • 50% consider DDoS attacks as an advanced threat
  • 39% of firms ‘Strongly Agree’ or ‘Agree’ that they are effective in containing DDoS attacks
  • 13% have established threat sharing with other companies or government entities to minimize or contain the impact of DDoS attacks

Budgets & Staffing. Budgets are allocated:

  • 34% towards Technology
  • 27% to Staffing
  • 34% to Managed Services

Congratulations to the new board members of the PCI Standards Council

The new members of the board are from:

  • Amazon.com
  • Barclaycard
  • British Airways PLC
  • Carlson Wagonlit Travel
  • Cartes Bancaires
  • Chase Paymentech Solutions
  • Cielo S.A.
  • Cisco
  • Citigroup Inc.
  • Elavon Merchant Services
  • European Payment Council AISBL
  • European Payment Service Providers for Merchants (EPSM)
  • First Bank of Nigeria
  • Global Payments Direct Inc.
  • HP
  • Ingenico
  • Middle East Payment Services (MEPS)
  • PayPal Inc
  • Retail Solutions Providers Assn. (RSPA)
  • RSA
  • Square, Inc.
  • Starbucks
  • VeriFone Inc
  • Wal-Mart Stores Inc
  • Wells Fargo
  • WorldPay

Among many duties, Board of Advisor members provide directional and technical input on matters of focus vital for maintaining the security standards that protect digital purchasing and payments. Areas of importance include new cybercrime tactics, public-private-law enforcement information sharing, app development and merchant needs in developing economies. New board members are already contributing to the PCI security community through other volunteer opportunities as Participating Organizations. The PCI Council welcomes any person or organization to join in the fight against cybercrime by volunteering as a Participating Organization.

PCI SSC General Manager Stephen W. Orfei said:

“Cybercrime is standing in the way of economic growth for all businesses, including start-ups in the developing world and multinationals. Criminal networks are well funded and highly motivated to steal our hard-earned money and our personal information. At the Council we are grateful to have some of the best economic and security minds in the world joining the board to help tackle the challenge that cybercriminals present.”

PCI SSC International Director Jeremy King said:

“The simple act of accepting a single credit card payment, an online payment or a mobile payment can send money and data bouncing around the world to dozens of places. And on every device, computer and network there are new methods thieves are creating to steal from us. Fighting a threat like that takes the cooperation of all 700 PCI Participating Organizations. PCI is fortunate to have new board members from Europe, the Middle East, Africa and Latin America charting the path for payment security. Past board members from around the world have been a massive help to the community, helping us keep ahead of new risks. We look forward to working with the new board in the same capacity.”

A review of websites and apps targeted at children is underway

The UK Information Commissioner’s Office (ICO), the enforcer of the Data Protection Act, has begun a review of websites and apps used by children as part of an international project to consider privacy concerns around the type of personal information these services collect.

The ICO will look at 50 websites and apps, looking particularly at:

  • what information they collect from children
  • how that is explained
  • what parental permission is sought

The websites and apps will include those specifically targeted at children, as well as those frequently used by children.

The same approach will be taken by 28 other privacy enforcement authorities from around the world, with a view to publishing a combined report in the autumn. The ICO will also consider action against any website or app that it finds to be breaking the Data Protection Act.

Steve Eckersley, ICO Head of Enforcement, said:

“Anyone with children knows how many websites and apps are now targeted at them, and how popular they are with children. That’s true from Canada to Colombia, and the same concerns exist around what information the companies behind these services are gathering.

“In the UK, we’re clear that apps and websites should not gather more personal data than they require, and operators should be upfront about how and why they collect information and how they use it. These principles are true whatever the audience, but they are especially true where children are concerned. This research should give us a valuable insight into whether companies in the UK are operating compliantly, as well as how that fits with what is happening around the world.”

The work is coordinated by the Global Privacy Enforcement Network, and follows previous reports on website privacy policies, and how apps collect personal data. This year’s focus was chosen after privacy enforcement authorities identified a growing number of websites and mobile apps targeted at, or popular among, children.

What’s Keeping Higher Education CIOs up at Night?

Higher Education CIO survey conducted by Extreme Networks.

The Evolution of Cyber Risk – and ACE Infographic

PCI Council collaborates with industry to speed secure chip card acceptance for merchants

The PCI Security Standards Council has announced that it will join with the Payments Security Taskforce and EMV Migration Forum to launch the U.S. EMV VAR Qualification Program, a chip education curriculum and accreditation initiative that will help merchants and their partners securely implement chip card solutions.

The U.S. EMV VAR Qualification Program aims to streamline and simplify the testing and certification process for Value Added Resellers (VARs) and Independent Software Vendors (ISVs), helping them securely implement chip card solutions for their merchant customers in advance of the 2015 liability milestone.

The optional program consists of three central elements:

  1. An educational curriculum from the EMV Migration Forum that provides a clear understanding of chip technology for payment cards in the U.S. market
  2. A listing on the PCI Security Standards Council website of all service providers independently accredited by the major payment networks to provide chip recommendations and implementation
  3. A pre-qualification process run by the accredited service providers to help VARs and ISVs begin the implementation process before they work with acquirers for final certification

“We heard from the acquirer community that there was a limitation on the time and resources available to help the VAR community best prepare for the broad adoption of chip,” said PCI SSC Chairperson Bruce Rutherford. “This coordinated effort across all industry players will help eliminate the bottleneck and speed the certification of smaller merchants’ chip card acceptance efforts.”

Added PCI SSC General Manager Stephen W. Orfei, “We’re pleased to partner with the Payment Security Taskforce and the EMV Migration Forum in this important initiative to drive adoption of EMV chip technology in the U.S., a critical security layer that when combined with PCI Standards as a layered approach will help organizations better protect their customers’ valuable payment card data.”

The coordinated effort will begin with the launch of educational resources for the VAR and ISV communities to establish an understanding of chip technology, including targeted webinars and self-service web portals on how to build a business case for chip, an overview of a chip card transaction and how to navigate the testing and certification process.

Each VAR will then have the ability to pre-qualify its payment solution for each of the major payment networks with an accredited service provider based on its knowledge of chip technology, and work with its acquirer to receive a final certification of the solutions a merchant would need to use to process a chip card transaction.

Details of the education programme can be found here.

Details of the pre-qualification process can be found here.
