Report on Healthcare – Increase in Threats

Image
IoT and Healthcare

A whitepaper released by SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.”  The report subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that since the healthcare and pharmaceutical sectors will employ more devices, the threats are greater.

Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised.  These issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and devices, including VPNs, firewalls and routers.  The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”

Notable Devices/Applications:-

  • Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
  • Internet facing personal health data (example: web-based call center for medical supply entity);
  • Security systems and edge devices (example: enterprise network controllers).

The report details the findings of a study that reviewed the largest sources of malicious traffic.

To get a copy of the report, go to:http://norse-corp.com

Image

Yahoo! Hacked

tumblr_static_y_tumblr_lockup

In a blog post, Yahoo reports that attackers now own an undisclosed number of usernames and passwords to Yahoo Mail accounts.  User names and passwords would be attractive based upon the premise that  consumers use the same name-password combination across multiple platforms, including for financial accounts.

http://www.pcworld.com/article/2092198/yahoo-acknowledges-yahoo-mail-hack.html

http://www.latimes.com/business/technology/la-fi-tn-yahoo-mail-breach-number-users-not-disclosed-20140130,0,3294421.story#axzz2ryl2Z3RX

Cases and Classes: Updates on Litigation, Decisions Relating to Data Breaches

Sony

In the Sony Gaming Networks litigation, currently pending in the U.S. District Court for the Southern District of California, the trial court entered a decision on January 21, 2014 ruling on Sony’s Motion to Dismiss class action litigation, which arose out of the April 2011 breach of Sony’s PlayStation Network. Sony sought dismissal of plaintiffs’ First Amended Complaint on several grounds, including standing. Sony argued that plaintiffs did not have standing to pursue non-Ohio state law claims on behalf of non-Ohio residents (the consolidated action includes Named Plaintiffs from Massachusetts, New Hampshire, Florida, California, Missouri, Michigan, Texas, Ohio and New York – fifty-one claims in the consolidated action, included negligence, negligent misrepresentation, breach of express/implied warranty, violation of state consumer protection statutes, violation of the CA Database Breach Act, violation of FCRA and bad faith). The court dismissed without leave to amend the Ohio and FCRA claims. In addition, Sony sought to dismiss on the basis of Article III standing – that plaintiffs’ allegations failed to allege an “injury-in-fact” as a result of the intrusion. Essentially, Sony sought another ruling on the issue in light of the Supreme Court’s ruling in the Clapper v. Amnesty International ruling. In Clapper, journalists and human rights activists alleged they were potential targets of the government under the Foreign Intelligence Surveillance Act (“FISA”) because their work requires them to communicate with international subjects. The Clapper plaintiffs argued that they would be targeted under the Act and they already had undertaken costly and burdensome measures to protect the confidentiality of international sources. The Supreme Court found that the claimants failed to show that the “threatened injury” was “certainly impending.” The Supreme Court stated that a “speculative chain of possibilities … based on potential future surveillance” was not enough. The Supreme Court also noted that if parties could base Article III standing on reasonably incurred costs to avoid the risk of future harm, this would water down the fundamental requirements of Article III.
Sony argued that the Clapper ruling resulted in a more “tightened ‘injury-in-fact’ analysis” than the standard relied upon by the trial court (under Krottner v. Starbucks). Judge Battaglia in the Sony Gaming decision refused to acknowledge a distinction between the analyses he previously made based on Krottner and the Supreme Court’s standards outlined in Clapper. Judge Battaglia stated that courts in the Ninth Circuit “have routinely denied motions to dismiss based on Article III standing where a plaintiff alleges that his personal information was collected and then wrongfully disclosed…” Judge Battaglia said that although Sony argued that plaintiffs’ allegations were insufficient because none of the named plaintiffs alleged that their personal information was actually accessed by a third party, nonetheless, plaintiffs “plausibly alleged a ‘credible threat’ of impending harm…”
So, another test of the injury-in-fact issue relating to so-called fear of identity theft. The cases cited by Judge Battaglia addressed whether personal information was disclosed (Facebook), whether personal information was even exposed (LinkedIn) or whether personal information had been disseminated (Google). The distinctions in the cases regarding whether a plaintiff can allege some kind of injury, for now, appear to relate to whether a court finds that the plaintiff(s) have alleged sufficient facts to show some kind of collection and disclosure of personal information. As more and more data breach scenarios are tested in class litigation, we likely will see courts continue to refine this analysis.
Kaiser
In other breach news, the Attorney General for the State of California filed suit on January 24, 2014 against Kaiser Foundation Health Plan alleging violations of unfair business codes because of Kaiser’s alleged delay in disclosing a breach of its security systems. The AG alleges that on September 24, 2011, Kaiser learned that an external hard drive containing unencrypted personal information of former and current Kaiser employees had been purchased by a member of the public at a thrift store in Santa Cruz. Included in the data were employee names, SSNs, DOBs, addresses and personal information of some employee spouses and children (data going back to 2009). Kaiser secured the data and conducted an exam revealing over 30,000 SSNs and other sensitive information, which exam was completed by December 28, 2011. Kaiser continued the inventory and the AG alleges that Kaiser had sufficient information to identify and notify at least some individuals between December 2011 and February 2012. Instead, the AG notes, Kaiser began mailing letters on or about March 19, 2012. The AG also alleges that Kaiser violated CA code by publicly posting or displaying SSNs of 20,000 plus residents. The AG seeks $2500 for each violation.
Horizon
On January 28, 2014, a putative nationwide class action suit was filed against Horizon Healthcare Services (d/b/a Horizon Blue Cross Blue Shield of New Jersey) alleging that Horizon failed to secure PII and PHI including names, DOBs, SSNs, addresses, demographic information, medical histories, lab results, insurance information and other data collected by Horizon. The allegations deal with an incident in November 2013 when two unencrypted laptops were stolen from Horizon’s headquarters in Newark, New Jersey. Plaintiffs allege violations of the Horizon privacy policy; that Horizon did not undertake encryption measures even though it suffered a similar breach in 2008; that Horizon ignored government and industry warnings regarding encryption. The counts include violations of FCRA, negligence, breach of contract (the members’ health insurance contracts or handbook include privacy representations/safeguards), violations of NJ consumer fraud statutes (misrepresentations/omissions re: privacy policies and encryption; failure to destroy unneeded records; failure to expediently notify following a breach).
Yet another example of how the healthcare, health insurer industry will continue to remain a target given the wealth of member information they manage. As with the recent Target data breaches, predictably, legislators took the opportunity to investigate and interrogate company officials.  See article at:
http://www.nj.com/politics/index.ssf/2014/01/nj_senate_health_panel_grills_horizon_about_two_stolen_laptops.html

lawkeyshutterstock_148983662

Target Data Breach – Holiday Shopping Season 2013

INVESTIGATION UPDATE:

From KrebsonSecurity: Target’s HVAC contractor was the vulnerability for the attack–

“It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.

***

It remains unclear when the dust settles from this investigation whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.

Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).”

AND ON THE LITIGATION FRONT:

Banks file suit over their costs:

“The cancellation and reissuance of cards has caused significant damages and losses to Amalgamated and members of its class,” the company said in its complaint.

http://blogs.wsj.com/riskandcompliance/2014/02/07/banks-heap-suits-on-target-over-data-breach/

 

POST-BREACH REVIEW:

Notification to consumers (not just customers, apparently) appeared to be a phishing attack and with link to suspicious subdomain:

http://www.pcworld.com/article/2089104/target-breach-notifications-are-a-perfect-example-of-what-not-to-do.html

CHRONOLOGY:

From the New York Times:-

DEC. 12 The Secret Service requests a meeting with Target.

13 Target is informed of the breach by the Secret Service and Justice Department.

15 Target removes the malware that evening.

17 Credit card companies are given information about which cards were compromised. Target determines 40 million customers were affected and tells financial firms it will publicly announce the breach on Dec. 18.

18 MasterCard and Visa begin informing banks of the breach. Brian Krebs publishes a story on the breach in the afternoon.

19 Target makes its first public acknowledgement of the breach.

20 Target tells its financial partners that credit card data and encrypted PIN data had been taken. JPMorgan decides at night to reissue all debit cards that were compromised and keep its branches open late over the weekend.

UPDATES:

Congressional hearing: Target and Secret Service representatives are asked to testify before the House Commerce sub-committee.  See:

http://thehill.com/blogs/hillicon-valley/technology/195664-target-to-testify-on-data-breach-next-month

And from Reuters: A cybersecurity firm, IntelCrawler, said it has uncovered at least six ongoing attacks at merchants across the United States whose credit card processing systems are infected with the same type of malicious software used to steal data from credit cards at Target Inc.  The attackers used an inexpensive “off the shelf” malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.

http://www.reuters.com/article/2014/01/17/us-target-databreach-idUSBREA0G18P20140117

http://intelcrawler.com/about/press08

virusiStock_000003290536XSmall

Target, one of the largest US retailers, is reporting a data breach from November 27th through December 15th, involving consumer credit card data – customer name, card number.  News reports are estimating 40 million accounts impacted.Credit Cards

The Target website includes a banner at the top of the home page with a link to the current information.  Click to that link and Target has included the following information, so far:

“We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013…

We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”

See notice at:

https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

And news articles at:

http://www.reuters.com/article/2013/12/19/us-target-breach-idUSBRE9BH1GX20131219

http://www.latimes.com/business/money/la-fi-mo-target-40-million-credit-debit-cards-possibly-breached-20131219,0,774974.story#axzz2nvWL0Dlb

UPDATE:  It appears the magnetic strip is getting the blame for the security weakness and the fact that the data from the Target systems was unencrypted as the data transferred through the payment system.  Reportedly, 40 million accounts had names, credit/debit card numbers, expiration dates and three-digit security codes compromised.  Target has not yet specifically identified the method of access or weakness that allowed for the breach.

Experts suggest it is time for U.S. card issuers to go to the chip-card system, currently in use in most other markets, as chip cards use a different encrypted mathematical value for each transaction, making it harder for criminals to use stolen data for future purchases.

ADDITIONAL UPDATE:

PINs also breached:-

http://bits.blogs.nytimes.com/2013/12/27/targets-nightmare-goes-on-encrypted-pin-data-stolen/?_r=0

UPDATE AND COMMENTARY: 

What are the prospects for class litigation?  Will the claimants be able to string together an ‘actual injury’ theory or is it more likely that a “class” of financial institutions will bring suit?

http://blogs.reuters.com/alison-frankel/2014/01/13/why-most-consumer-data-breach-class-actions-vs-target-are-doomed/?goback=%2Egde_88093_member_5828604845245898755#%21

See also top ten data breaches for 2013 (thanks to Daniel M. Ryan for graphs):

databreach2013Picture1

2013 Top 10 US Data Breaches 1

Ride the Pony, Mony, Mony

TrustWave SpiderLabs tm is reporting on stolen credentials for approximately two million compromised accounts.  The tactic is similar to earlier breaches: harvesting passwords using key logging software.  The team believes the passwords had been harvested by a large botnet –
dubbed Pony.  Given that many users employ the same or similar passwords for many purposes, the security risks are apparent.  TrustWave cautions “If you don’t enforce a password policy, don’t expect your users to do it for you.”

Most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc.

See link to the report:

http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html

passwordphotol

The IoT needs PByD: FTC Looking at Privacy and Security in the Age of Smart Homes

The Internet of Things is the phrase used to describe technology that talks to technology – connected sensors and embedded technology.  Think of smart homes – your refrigerator knows what and when to restock; your HVAC adjusts to your schedule; personal tech – your heart monitor talks to your health care provider.  The FTC recently convened a workshop to address privacy and security considerations surrounding the use of such applications; see:

http://www.ftc.gov/bcp/workshops/internet-of-things/FINALAGENDA-11-13-13.pdf

In conjunction with the event, the Future of Privacy Forum  released “a whitepaper arguing for a new privacy paradigm in the new highly connected world.”

http://www.futureofprivacy.org/2013/11/19/fpf-releases-a-new-privacy-paradigm-for-the-internet-of-things/

The whitepaper authors argue that the consent/notice issues in dealing with the usual customer/consumer paradigm of managing privacy issues may not be relevant or sufficient in a world where the uses of data cannot be discovered until after the data has been collected, employed.  The argument now focuses on Privacy By Design strategies to tackle these thorny issues: anonymizing of data; transparency; codes of conduct; accountability/accessibility.

See IAPP summary of the workshop issues at:  https://www.privacyassociation.org/publications/is_notice_and_consent_possible_with_the_internet_of_things

If we don’t get a handle on this now, that wristband I’m wearing  may soon force me to add another mile to my jog because it knows what I had for lunch!  Let’s move, indeed!Exclamation Point with Social Technology and Internet Color Icon

And in more IoT news, along comes the worm:

http://allthingsd.com/20131130/a-new-worm-proves-that-the-internet-of-things-is-vulnerable-to-attack/#!

My new excuse – the bathroom scale’s been hacked!

Wow Scale

UPDATE:

Google has acquired Nest, the maker of “connected” thermostats and smoke detectors.  According to a statement one of Nest’s founders delivered to TechCrunch, Nest will only use customer information for “providing and improving Nest’s products and services,” indicating it will not be used for Google’s larger advertising schemes.  Of course, the commentators are lining up to speculate about what Google will do with all that data collected straight from a consumer’s home., much in the way consumers have been using connectivity in their cars.  And now Detroit is increasing that connectivity with cars that will be able to connect to the Internet independently, with the car using the custom apps on their own.

See info on Google acquisition of Nest: http://www.engadget.com/2014/01/13/google-acquires-nest/

And, GM’s 2015 roll-out of more connected cars: http://business.time.com/2014/01/07/your-car-is-about-to-get-smarter-than-you-are/

Fun from tomfishburne.com:

 

And then along came Fridge Spam:

-More than 750,000 Phishing and SPAM emails Launched from “Thingbots” Including Televisions, Fridge-

“The attack is believed to be one of the first to exploit lax security on devices that are part of the ‘internet of things.”

See press release from Proofpoint: http://www.proofpoint.com/about-us/press-releases/01162014.php

And, BBC update:

http://www.bbc.co.uk/news/technology-25780908#!

 

 

 

DNTK – Do Not Track Kids – Proposed Legislation

No real eraser button?
No real eraser button?

Senator Ed Markey (D-Mass.) has introduced a bill to amend the Children’s Online Privacy Protection Act of 1998 to “extend, enhance, and revise the provisions relating to the collection, use and disclosure of personal information of children, to establish certain other protections for personal information of children and minors, and for other purposes.”  In the Findings included in the Bill, the proponents note that a Wall Street Journal study (2010) found that websites directed to children and teens were more likely to use cookies and other tracking tools than sites directed to a general audience.  The legislation is aimed at prohibiting “operators” (including mobile apps) from collecting personal information, including location data, from children ages fifteen and younger without that person’s permission (guardian permission already required under COPPA for minors 12 and under).

A Republican sponsor, Rep. Joe Barton (R-Tex.) says that “It is important that our teenagers receive protections.  They are prone to mistakes; we need to make sure those mistakes aren’t exploited online.”

http://www.markey.senate.gov/documents/2013-11-14_Markey_DNTK.pd

Meanwhile, California also just passed the online “eraser” law.  California SB 568 requires “the operator of an Internet Web site, online service, online application, or mobile application to permit a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted”.  The law kicks in on January 1st.   It also prohibits websites from targeting minors with products like e-cigarettes and tattoos.

Despite the DNTK proposal, it remains that state legislatures and attorneys general continue to take the lead in privacy legislation and enforcement.  See, http://www.nytimes.com/2013/10/31/technology/no-us-action-so-states-move-on-privacy-law.html

See also, State AGs Chuckle at Idea of Federal Breach Law:   https://www.privacyassociation.org/publications/amidst_u.s._govt_shutdown_state_ags_chuckle_at_idea_of_federal_breach_law

calstreetsigniStock_000015398858Small

And, in other California news, California also enacted AB370, its own “Do Not Track” law.  The legislation requires owners of commercial websites and online service providers (again, “operators”) to conspicuously post a privacy policy, which policy must disclose the categories of personally identifiable information the operator collects and with whom the operator shares such information. The law also addresses Do-Not-Track (“DNT”) signals sent from browsers, in that it requires operators of websites and online services to notify users about how they handle DNT signals.

“Operators” include website operators, and per the CA AG, that would be software operators and mobile apps that transmit and collect PII online.  The law does not prohibit commercial websites or online services from tracking and gathering personal information from its users – just addresses notice policies and procedures.  In that regard it does not prompt an “opt in” option on the operator’s website or app – which would require a consumer/customer to affirmatively allow the operator to share PII.  It is an update to CalOPPA (“California Online Privacy Protection Act of 2003”).

http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB370

And see also: The FTC has denied an application seeking approval of a proposed verifiable parental consent method submitted by AssertID, Inc., under COPPA.

In a letter to AssertID, the Commission noted that the company’s proposal failed to provide sufficient evidence that its method would meet the requirements set out under the rule. Specifically, the Commission noted that there was not yet adequate research or market testing to show the effectiveness of the AssertID “social-graph verification” method.

The Office Workhorse is a Digital Machine

copyiStock_000004950258XSmall

And it is worth sanitizing.

On August 14, 2013, HHS announced a settlement with Affinity Health Plan, Inc. after investigating the finding of sensitive health data stored on copier hard drives.

photocopieriStock_000003018037XSmall

Affinity Health Plan, a not-for-profit managed care plan serving the New York metropolitan area, was informed by CBS Evening News that CBS had purchased a photocopier previously used by Affinity that contained confidential medical information on the hard drive.  Affinity turned around and reported this breach to the HHS Office for Civil Rights on April 15, 2010.  Affinity estimated that up to 344,579 individuals may have been affected by the breach.

OCR reports that its investigation revealed that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  Affinity and OCR negotiated a settlement, which included a $1.2 million payment and “a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.”

See HHS press release: http://www.hhs.gov/news/press/2013pres/08/20130814a.html