BreachExchange mailing list archives

With continuing breaches, mHealth should learn from past thefts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 27 Jul 2015 17:59:18 -0600

http://searchhealthit.techtarget.com/news/4500250556/With-continuing-breaches-mHealth-should-learn-from-past-thefts

With breaches in healthcare not slowing down anytime soon -- consider the
recent UCLA health system data breach -- experts at the recent mHealth +
Telehealth World Congress discussed security breaches, what healthcare
organizations can learn from those breaches and the value of stolen
protected health information (PHI).

"There's amazing concern that with mobile apps and mobile devices [and]
Internet of Things that there's less of a focus on quality control and
information security development," said Edward Grogan, vice president and
CIO at Calvert Health System Inc., based in Prince Frederick, Md.

Kristi Kung, senior associate at law firm Pillsbury Winthrop Shaw Pittman
LLP in Washington, D.C., agreed that with more mobile health apps, more
mobile devices and more devices being connected to the Internet, there's a
greater threat of attack. "Just because you have a secure device does not
mean that privacy's always maintained. Any time you're connected to the
Internet, you're always susceptible to attackers," she said.

She added that, "the worst is not behind us" and that "the healthcare
environment isn't as prepared."

Grogan and Kung shared ideas on how healthcare organizations can better
prepare for mobile health (mHealth) security.

Learn from others -- especially those outside of healthcare

Grogan advised attendees at mHealth + Telehealth World to apply lessons
from the Target and Heartland Payment Systems Inc. breaches.

In Target's breach, network credentials were stolen in an email malware
attack on a third-party vendor that had a supplier portal to the retailer,
Grogan said.

"Some of the lessons learned from that breach [are] to consider the weakest
link and evaluate third-party vendor security," Grogan said. Other lessons
to glean from the Target breach include making sure hospitals incorporate
multifactor authentication, where a person must provide two or more
credentials to get access to the information, and use network segmentation,
where a network is divided into separate, isolated segments.

Grogan said that had Target segmented the supplier network from the
consumer network, most likely the breach would not have happened.

He added that containerization, in which isolated virtual instances share a
single host operating system, would also have helped in this case.
Organizations can achieve greater security by isolating containers from
each other.

In Heartland's case, the payment systems company suffered a data breach in
2008, during which attackers made off with digital information for 100
million credit and debit cards. Heartland also had another data breach in
May 2015. In the case of the 2008 breach, preventive actions that could
have been taken -- and that healthcare organizations should consider --
include appointing senior leadership with security as their sole focus,
security data sharing, end-to-end encryption, tokenization and chip
technology, Grogan said.

At the end of Grogan and Kung's presentation, an attendee asked whether
there was a popular use for stolen PHI, and whether it was possible to
trace it back to who stole the PHI and who subsequently bought it.

"Healthcare records are so much better than a stolen Social Security
number, because a healthcare record has all that information already.
You've got Social Security number, you've got financial information and
then you have all the medical information about that person, too," Kung
said. "You're not just talking about traditional identity theft."

Not to mention that healthcare records can fetch a sizeable amount of money
on the black market. While stolen credit card information usually goes for
$1 to $2, Kung said, medical records can go for $20 to $50, ranging from
pieces of a patient's medical documentation to an entire record.

Chances are slim of finding out who bought stolen PHI. "As for tracking it
back, I think that's very difficult to do at this point," Kung said.

Grogan and Kung also fielded a question about what the uses are for knowing
someone has a broken leg, for example.

To that, Grogan's only reply was that it's simply a loss of privacy on the
part of the patient.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
