
AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


Health Data Disk Encryption: Healthcare Organizations Are Vulnerable To Online Hacks

The Washington Post notes that the health care sector is very vulnerable when it comes to online hacking.  When you consider the amount of sensitive data available in medical databases, it comes as a shock.  However, when you consider how half of all HIPAA data breaches involve the loss or theft of laptop computers and other digital data containers, one wonders whether one should be shocked at all.  After all, HIPAA breaches that revolve around laptop thefts can be easily deterred with the use of medical full disk encryption software like AlertBoot.  And yet, breaches have, if anything, grown over the years, which can only lead to the conclusion that data security is not in the minds of most people working in the medical sector.

A Nurse's Job Description: Making Sure the Doctor Doesn't Need to Log In Himself

Researchers and whitehat hackers point out that hospitals and other medical organizations aren't paying as much attention as they should be when it comes to medical data security.  You can read the relatively long article here.

Some of the vulnerabilities described are classified as requiring low skill levels to exploit.  But they still require a certain modicum of hacking skills.  Just because experts have labeled a particular attack as "easy" to perform doesn't mean that any Tom, Dick, and Harry can go ahead and execute it.  So, one might be justified in thinking that the warnings coming from academics are but ivory tower warnings.

And then one ends up reading head-slappers like the one below:

One nurse told [a researcher] that she had the job of typing in a physician’s password constantly so that the doctor would not have to, leaving the unattended machine unprotected. “She literally walked around the room logging the doctor into every machine, every hour” [washingtonpost.com]

With attitudes like these, why would one be surprised to read of laptops that contain PHI being left in unattended cars or not being protected with disk encryption software?

Financial Enticements: There are None, They Say

Besides the above, one of the more galling reasons given for not having proper security, in my opinion, is that of a medical organization not having enough of a "financial enticement" when it comes to hackers:

Questions about the cybersecurity of medical systems have been simmering for more than a decade. But the issue has intensified as hospitals embrace wireless devices and electronic records. Some health-care officials assumed that their networks were too obscure, or offered too few financial enticements, to be of interest to hackers. [washingtonpost.com]

There are numerous reasons why a site is hacked; incentives need not be purely financial.  Or, at least, not directly financial.  Consider the type of information you can find in a medical database.  While credit card numbers might not be present, Medicare/Medicaid numbers, family relations, addresses, and other information can be used in phishing and other social engineering attacks which eventually lead to financial recompense in one way or another.

Social Security numbers, which are routinely collected when applying for medical services, can be sold for cash or used for starting a bevy of fraudulent activities.

On the non-financial front, hackers could attack a network (1) because it's there and it can be done, (2) because they're trying to make a point, political or otherwise, or (3) for whatever reason they can come up with after attacking.  In other words, one can be attacked for no reason at all.

On the whole, it looks like things will get worse before they get better.  The silver lining might be the fact that the solutions to prevent medical data breaches are already here, today.


Related Articles and Sites:
http://www.theverge.com/2012/12/26/3806300/us-health-care-it-has-widespread-security-issues
http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html

 

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.