BreachExchange mailing list archives
Key Takeaways From the Premera Data Breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Mar 2015 19:06:05 -0600
http://healthitsecurity.com/2015/03/23/key-takeaways-from-the-premera-data-breach/

Last week, the Premera data breach announcement further pushed the data security of healthcare organizations into the limelight. The health insurer stated that approximately 11 million members’ sensitive information, including PHI, was potentially exposed after a “sophisticated cyber attack” infiltrated its system. Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the health insurer’s affiliate brands Vivacity and Connexion Insurance Solutions, Inc. are all potentially affected, with applicants’ and members’ names, dates of birth, email addresses, addresses, telephone numbers, and Social Security numbers put at risk. Moreover, member identification numbers, bank account information, and claims information, including clinical information, were all potentially exposed.

Incidents like this are likely to cause healthcare leaders to review their incident response procedures, according to Dan Bowden, Chief Information Security Officer for the University of Utah, University of Utah Health System. Many organizations are already working on their malware defense capabilities, Bowden said, but the two large-scale breaches over the last couple of months further underline the importance of incident response.

“There is no absolute to tell your consumers that there is no possible way their data will not get breached,” Bowden said. “We have people come to work every day trying to do the right thing and people make mistakes.” For example, an employee could open an email that lets malware into the healthcare organization’s system.

“As long as we have people working with the data, even if they’re trying to do the right things, they can be victimized by a good attacker,” Bowden explained.

However, incidents like the Premera data breach and the Anthem data breach that was announced in early February have brought other important issues to the forefront, Bowden said.
Health data encryption is an increasingly popular topic, as many have criticized Anthem for allegedly not having its data encrypted. But each incident seemed to involve a serious malware attack, according to Bowden. Health data encryption is an “addressable” aspect of HIPAA, rather than a “required” one. This can make it difficult to compare one organization to the next, Bowden said, as different facilities will need different types of privacy and security measures. And even if a covered entity has data encryption methods in place, if an employee is using a laptop on the organization’s system, a third party who can gain access could still get to the data.

“Malware lets someone get escalated privileges, and in some way, circumvents the encryption,” Bowden said, adding that there is still some “dust to settle” in the Anthem and Premera cases. Until more information is released, it will be difficult to determine exactly what went wrong and how other healthcare organizations could potentially learn from those actions and prevent their systems from being breached.

Malware has become an increasingly large issue, Bowden explained. Even three to five years ago, the healthcare industry’s top issue was lost laptops, he said, which was also part of the large push for data encryption. Now, with two large-scale data breaches involving malware, Bowden said that there might be new priorities ahead for the healthcare sector.

“A lot of consumers are cynical about any organization’s ability to protect their data absolutely,” Bowden said. “I’m not sure if trying to do an absolute of convincing customers is possible, but we need to do everything to show we have their best interests in mind and are doing our best to assess the risk and put reasonable controls in place to protect their data.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com