I hope no one is actually shocked by this story. Records are stolen every day. Typically, the hackers will sell the information in the underground somewhere in Eastern Europe or Asia. The fact that someone is asking for ransom, and so publicly, is actually a good thing in my opinion. Why is it good, you ask? (I assume you are asking that, Vulcan mind meld and all that.) Maybe the industry (meaning all industries) needs a sensational story to get real change in their IT security environments.
When the Heartland data breach happened, it was interesting, but the general public didn't find it sexy enough. A ransom note, publicly done, makes for good drama. Equate it to the Somali pirates. They really broke in the news because of the weapons they captured. This might be the "weapons" story that gets the general public asking about the security of the places they use on the Internet.
Identity theft is on the rise. Most companies never do a web application security assessment. They almost never do a database security review. If the hacker can break in through your web portal but your database of customer data is encrypted, well, your last line of defense can save your hide.
So what are some things you can do to protect your website?
1) Conduct a web application security assessment. You should probably do this twice a year or anytime you make any significant changes to the application.
2) Conduct an architecture review. If your network architecture has holes in it, a hacker can find a way around the application and perhaps get to the data through a different port.
3) Conduct a host security diagnostic review. If the hacker can get on the system and take advantage of an operating system weakness, you will still be compromised.
4) Conduct a database security review. This is your last line of defense: make sure the data is encrypted, access is completely authenticated, and an IDS on the database flags and stops inappropriate access.
5) Hire someone smart to do your security assessment.
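One way to implement the database-level flagging from step 4, as an added example that is not part of the original post: a small monitor over database audit records that alerts on bulk reads, unexpected statement types and unexpected source hosts. The log format, account names, hosts and thresholds are assumptions, and the audit lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy: db account -> (allowed source hosts, allowed statement types)
ALLOWED = {
    "portal_app": ({"web01"}, {"SELECT", "INSERT"}),
    "report_ro": ({"rpt01"}, {"SELECT"}),
}
WINDOW = timedelta(minutes=5)   # sliding window for read volume
MAX_ROWS_PER_WINDOW = 5000      # assumed ceiling for normal portal use

# Constructed audit lines: timestamp account source_host statement rows
AUDIT_LOG = """\
2024-01-15T09:00:12 portal_app web01 SELECT 3
2024-01-15T09:00:40 portal_app web01 SELECT 1
2024-01-15T09:01:05 portal_app web01 SELECT 4000
2024-01-15T09:02:30 portal_app web01 SELECT 4000
2024-01-15T09:03:10 portal_app web01 DELETE 8000
2024-01-15T09:04:00 report_ro ws-17 SELECT 12
2024-01-15T09:20:00 portal_app web01 SELECT 2
"""

def detect(log_text):
    """Return (timestamp, account, reason) alerts for the audit log."""
    alerts = []
    recent = defaultdict(list)  # account -> [(ts, rows)] still inside WINDOW
    for line in log_text.strip().splitlines():
        ts_raw, account, host, stmt, rows = line.split()
        ts, stmt, rows = datetime.fromisoformat(ts_raw), stmt.upper(), int(rows)
        policy = ALLOWED.get(account)
        if policy is None:
            alerts.append((ts_raw, account, "unknown_account"))
            continue
        hosts, stmts = policy
        if host not in hosts:
            alerts.append((ts_raw, account, "unexpected_source"))
        if stmt not in stmts:
            alerts.append((ts_raw, account, "unexpected_statement"))
        if stmt == "SELECT":
            # Drop reads older than the window, then total what is left.
            window = [(t, r) for t, r in recent[account] if ts - t <= WINDOW]
            window.append((ts, rows))
            recent[account] = window
            if sum(r for _, r in window) > MAX_ROWS_PER_WINDOW:
                alerts.append((ts_raw, account, "bulk_read"))
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

The two 4000-row reads are each under the ceiling on their own; only the windowed total trips the bulk-read alert, which is why per-query limits alone miss a slow dump.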
The Channel Wire
May 06, 2009
Hacker Holding Health Records Hostage Demands Ransom
A hacker wants $10 million for the return of nearly 8.3 million patient records stolen from a Virginia prescription database last week. When users logged into the Virginia Prescription Monitoring Program (PMP) site April 30, they found a ransom note that also was posted on Wikileaks, a site that posts untraceable documents. The PMP has since disabled the link.
"I have your [expletive]!" read the note on the Wikileaks site. "In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uh-oh :( For $10 million, I will gladly send along the password."
Virginia set up the database in November 2007 after a spate of serious crimes primarily involving OxyContin made headlines, including a segment on "60 Minutes." The PMP was designed so that pharmacists can cross-reference prescriptions to see if a patient is issued multiple scripts for narcotics by different physicians.
The PMP extortionist warns that, "If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this [expletive] is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name, age, address, social security #, driver's license #)."
This is not the first time and certainly won't be the last that hackers have broken into health information records and demanded money for the return of confidential records.
In November 2008, Express Scripts, one of the largest pharmacy benefit management companies in North America, fell victim to this practice that has been dubbed "cryptoviral extortion."
"A small number of its clients have received letters threatening to expose the personal information of its members," the company said in a letter on its Web site. "The threats are believed to be connected to an extortion threat the company made public last week."
Those letters included personal information such as Social Security numbers, dates of birth and, in some cases, prescription information, the company said.
Express Scripts said it first received a letter the previous month that threatened to publicly expose millions of the company's members' records if an extortion threat was not met. The original letter included the personal data of 75 Express Scripts members.
The company is working with the FBI, and has posted a $1 million reward for the arrest and conviction of whoever is responsible for the breach. Express Scripts also said it would offer its members free identity restoration services from Kroll, a New York-based risk-consulting and global data security firm, if they become victims of identity theft because of the hacker.
Express Scripts said that it is not aware of any actual misuse of its members' data.