Risk
8/13/2010
01:35 PM
Connect Directly
RSS
E-Mail
50%
50%

Six Healthcare Data Breaches That Might Make Security Pros Sick

Most of the healthcare industry's biggest compromises could have been avoided, experts say

The number of healthcare breaches in 2010 have outpaced other verticals -- including banking and government -- by as much as threefold. While not all of these breaches came via databases, the majority of them could have been prevented through better data access and governance policies -- policies that must be enforced at the database level, experts say.

Healthcare organizations seem particularly prone to problems on the inside of the organization, including malicious theft and unintentional loss of storage devices containing treasure troves of database information. Let's take a look at six of the biggest breaches from recent months -- and the lessons they might teach about data protection

1. Lincoln Medical and Mental Health Center: More than 130,000 records were exposed this spring when Lincoln Medical's billing vendor, Siemens Medical Solutions, chose to send out a stash of information on seven CDs sent to Lincoln via FedEx. Completely unencrypted, the data contained on the disks was compromised when the envelope was lost in transit. Though Siemens and Lincoln have stopped the process of transporting sensitive material through overnight shippers, the damage from this incident was already done.

Lessons Learned: With so many methods for securing data in transit available today, this incident was wholly preventable with a little common sense. Information was copied from the database directly onto insecure media, with only flimsy password protection to keep the bad guys from busting into it. At the very least, simple encryption might have made the loss less painful.

2. University of Texas Medical Branch: Allegedly using a stolen identity to gain employment at UTMD's medical biller, MedAssets, for the purpose of perpetrating fraud, Katina Rochelle Candrick is suspected of helping herself to up to 2,400 UTMD patient records. Disclosed earlier this year, the insider breach was ferreted out when MedAssets was notified by law enforcement that a former employee had been picked up for identity theft. Candrick was booked for many more ID theft charges in cases around the country, totaling more than $1 million in losses.

Lessons Learned: Identity theft is big business these days, and as thieves catch on, they're beginning to devise more elaborate schemes to get their hands on data. Not only do organizations need to ensure they work to better screen those who will use the data, but they also need to ensure their vendors are as discriminating. And, of course, database monitoring keeps tabs on the activity of employees -- no matter who they are.

3. South Shore Hospital: A whopping 800,000 records containing sensitive, personal health, and financial information were compromised when South Shore's data management company, Archive Data Solutions, lost backup tapes containing copies of the hospital's most sensitive databases created between 2006 and early 2010. The files were slated for destruction prior to loss. They contained the mother lode for potential identity thieves: names, addresses, phone numbers, dates of birth, Social Security numbers, patient health information, and even bank account data.

Lessons Learned: Unencrypted backup tapes have been a persistent threat to enterprise data for years now. Such media can hold vast stores of information and is small, portable, and regularly transported between multiple locations -- often leading to mishaps. Whether the information is due to be destroyed or stored for years, it makes sense to encrypt data prior to transport. It is also critical to understand that using a third party to manage sensitive backup documents never fully transfers risk to that third party.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0560
Published: 2014-09-17
Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors.

CVE-2014-0561
Published: 2014-09-17
Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0567.

CVE-2014-0562
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-0563
Published: 2014-09-17
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to cause a denial of service (memory corruption) via unspecified vectors.

CVE-2014-0565
Published: 2014-09-17
Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0566.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant