Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/26/2009
06:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Cyber Secure Institute Analyzes Virginia Health Database, UC-Berkeley Hacks

Institute demonstrates inherent risks in e-health, cites range of protections to ensure the privacy of data and the protection of individuals and families

WASHINGTON--(BUSINESS WIRE)--Today, Rob Housman, the Executive Director of the Cyber Secure Institute, released this statement concerning the recent hacks showing the vulnerability of the healthcare of Americans:

Have you ever told your doctor something private that you wouldn't want your friends and neighbors or a tabloid paper to know?

Have you ever received a medical test result that you wouldn't want shared with your employer?

Recent attacks demonstrate that your most private healthcare information is seriously at risk. And, absent major changes, the risks will grow exponentially.

Last month, hackers attempted to extort $10 million after breaking into a Virginia State web site used by pharmacists to track prescription drug abuse. The records of more than 8 million patients were deleted and a ransom note was put on the Virginia Prescription Monitoring Program's homepage, demanding $10 million dollars in exchange for the return of the records.

At almost the same time, The University of California at Berkeley disclosed that hackers had broken into their health-services database. The University began sending out notification letters to current and former students. The hackers had access to, and may have taken, health insurance information and medical information. The breach in the server took place from October 9, 2008 until April 9 this year, when administrators discovered messages left behind by foreign hackers. These are not the first instances where cybercriminals have stolen the private healthcare information of Americans. Last December, Lawanda Jackson pleaded guilty to violating federal privacy laws by selling private medical data from celebrities, including Britney Spears, Farah Fawcett and Maria Shriver (wife of California Governor Arnold Schwarzenegger), to the National Enquirer tabloid. Last October, cybercriminals attacked Express Scripts, one of America's largest processors of pharmacy prescriptions, threatening to release personal information of millions of Americans unless their demands were met. There is an ongoing investigation into the Express Scripts incident. These recent attacks provide cause for real concern among cybersecurity experts and healthcare professionals alike. Inadequate cybersecurity systems put our most personal data at risk.

What is more disturbing is that the problem is likely to get exponentially worse—unless drastic changes are made. President Obama's healthcare plan is heavily focused on the use of electronic health records to help modernize our nation's healthcare system. The recent stimulus package provides $19 billion for the next two years for the use of health information technology and President Obama has pledged an additional $50 billion total over the next five years. The benefits of "e-Health" are substantial and this is a policy direction our nation should be taking.

However, absent vastly more effective cybersecurity measures, the implementation of e-Health will significantly increase the risks for all Americans. Any e-Health system must be built upon only certified secure, best available IT technologies. The NSA has certified two technologies—the Integrity Global Security operating platform and the Tenix Interactive Link Device—against the most sophisticated cyber threats as being secure against even sophisticated, hostile, well-funded attacks. Only systems like these that are tested, proven and certified at these high levels of security robustness should be trusted with the nation's private healthcare information. Anything less puts the most personal information of all Americans at risk.

Additionally, any move to e-Health must be accompanied by a range of protections to ensure the privacy of data and the protection of individuals and families, which might include:

  • A trust fund, which could be paid for through healthcare corporation user fees, that would be available to make whole victims of e-Health data breaches.
  • A national e-Health data integrity oversight office charged with ensuring healthcare IT systems are sufficiently secure and are utilizing best available protections and investigating allegations of data breaches or data misuse.
  • Statutory protections making clear that victims of health data breaches can recover for all damages of e-Health violations, including loss of employment, loss of insurance, harm to reputation, and other similar harms.
  • Along with a host of other protections.

    To read the rest of this analysis and the full list of recommendations please visit: http://cybersecureinstitute.org/blog

    For more information about the Institute visit: http://cybersecureinstitute.org

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Why Cyber-Risk Is a C-Suite Issue
    Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
    DevSecOps: The Answer to the Cloud Security Skills Gap
    Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
    Attackers' Costs Increasing as Businesses Focus on Security
    Robert Lemos, Contributing Writer,  11/15/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: This comment is waiting for review by our moderators.
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2014-5118
    PUBLISHED: 2019-11-18
    A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
    CVE-2019-12422
    PUBLISHED: 2019-11-18
    Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
    CVE-2012-4441
    PUBLISHED: 2019-11-18
    Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
    CVE-2019-10764
    PUBLISHED: 2019-11-18
    In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
    CVE-2019-19117
    PUBLISHED: 2019-11-18
    /usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.