BreachExchange mailing list archives

Make companies fix cybersecurity gaps


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Feb 2015 20:05:56 -0700

http://www.delawareonline.com/story/opinion/editorials/2015/02/13/make-companies-fix-cybersecurity-gaps/23372173/

Every now and then, a major problem comes along that gives plenty of
warning of the trouble ahead. The warnings are ignored until the bad things
start happening, people begin suffering and, finally, everybody gets angry.
Cybersecurity is one such issue. And we are quickly approaching the angry
stage.

President Obama met Friday with companies that make their money from
transferring private data electronically. The banks, computer companies and
other public and private networks know the trouble hackers have been
causing. The president was there to tell them to fight back.

Earlier this week, former Secretary of Homeland Security Michael Chertoff
was on the University of Delaware campus telling faculty and students that
we will all have to get used to electronic invasions. “This is everywhere,”
he said, citing the credit card information stolen from companies like
Target, Home Depot, JPMorgan Chase and eBay.

Consumers are helpless when a big or small company is hacked, whether by
thieves or agents of the Chinese government. The one thing they can do is
take their business elsewhere. If Home Depot is hacked again, customers can
move to Lowe’s or switch to cash.

However, there are two areas where consumers do not even have that much
power: Dealing with the government and their medical information.

This week the U.S. Government Accountability Office came out with its
annual “high-risk list,” the areas of government most vulnerable to fraud,
waste and abuse. One area that got a lot of new attention was the
inadequacy of the federal government’s information systems. The GAO said
too many agencies of the federal government are vulnerable to security
breaches involving citizens’ personally identifiable information.

The other area is medical information. The health system is moving to
digital records. This offers a great way to help people stay healthier,
avoid mistakes and save money. It is also a great way for hackers to get
hold of your medical information.

Case in point: Anthem insurance company just suffered an electronic
invasion that exposed the personal information of 80 million patients. Some
observers think it was the Chinese government again.

Is Anthem doing enough about it? How can we tell?

What are the incentives for federal agencies or health insurance companies
to do their utmost to protect private citizens? It is not as if the
citizens can switch governments or health insurance companies.

Niam Yaraghi and Joshua Bleiberg point out in a Brookings Institute report
that the strictest law governing health insurance companies like Anthem could
only fine it a maximum of $1.5 million. That would be for almost deliberate
privacy violations. However, as Brookings notes, Anthem’s income from 2014
was $2.5 billion. The fine would be nothing. Cybersecurity problems are
here to stay. They will not go away. Therefore, we must put some sting into
the punishment.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 