HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
The data breach payment fight heats up

The spat between retailers and banks over who foots the bill and bears the responsibility following a data breach is ramping up heading into 2015.

A group of retail trade groups on Monday fought back against what they call a misleading survey from the Independent Community Bankers of America (ICBA), which alleged banks are shelling out millions of dollars because retailers can’t secure their networks.

With little legal framework to govern retail data breaches, merchants and banks have spent 2014 bickering about who is at fault in the wake of an attack.

Retailers argue they are victims of malicious attacks, are rapidly improving their security and are calling on banks to quickly adopt chip-enabled cards, a more secure technology than the current magnetic stripe. Banks counter that they are moving toward chip technology, but that the move is of little help while security standards at retailers remain poor.

The ICBA survey, released Dec. 18, said community banks had to reissue nearly 7.5 million credit and debit cards at a cost of $90 million in the wake of the massive Home Depot data breach, which exposed 56 million customers’ payment card information.

“We continue to advocate that the costs associated with data breaches be borne by the party that experiences the breach,” ICBA Chairman John Buhrmaster said at the time. “Communities and customers should not suffer for the faults of retailers.”

This statement, and survey in general, contained “inaccuracies and misrepresentations,” said the group of retailers, which included the Retail Industry Leaders Association, the National Retail Federation and the National Restaurant Association.

“ICBA cannot simply dismiss data breaches as a retail problem and refuse to recognize the risk to financial institutions — to do so would be a disservice to your members,” the groups said.

Retailers bear equal or greater costs after a data breach, they argued, pointing to a 2013 Federal Reserve study of debit card fraud.

Banks are also disingenuous about their switch to chip-enabled cards, the retailers said.

“While ICBA supports the movement to embedded-chip technology for credit and debit cards, the organization appears to only do so grudgingly, questioning its efficacy against data breaches,” they said.

Retailers called out ICBA for not committing to chip-and-PIN cards, in which a microchip in the card generates a one-time cryptogram for each transaction (so card data copied from a merchant's systems cannot simply be replayed) and the cardholder confirms the purchase by entering an ATM-style PIN.

Banks have pledged to move by October 2015 to at least chip-and-signature cards, which use the same transaction-level chip protection but verify the cardholder with a signature, which is far easier to forge than a PIN.

“The added security provided when each customer is given a unique personal identification number or PIN has already been shown to make debit card transactions 700 percent safer,” the groups said.

The U.S. is the only major Western country that has not yet adopted chip-based cards.

Many of these liability issues could be resolved through data breach legislation. Congress held multiple hearings throughout 2014 to consider a possible bill to establish minimum data security standards. No serious proposal came close to passage.

An ongoing lawsuit between major U.S. banks and Target could also establish legal precedent for liability in the wake of a cyberattack. A late 2013 Target breach exposed 40 million customers’ payment information and banks are alleging they have not been properly reimbursed for their costs.


Sony Pictures Admits HIPAA Data Might Have Been Compromised During Breach

In a breach notification letter sent to employees this week, Sony Pictures outlines the full scope of data that was compromised by attackers shortly before the Thanksgiving holiday.

The notice is similar to an email sent earlier this month, but with more detail, and encourages staff to take advantage of AllClearID, which will offer identity protection services for the next 12 months.

It also warns them against phishing attacks and other malicious communications that might use the incident as a lure.

The letter discusses the "brazen cyber attack" carried out by a group calling themselves GOP – or Guardians of Peace.

The group claims to have spent more than a year accessing Sony's network, and has been leaking batches of internal documents and communications since November 26. To date, the group has leaked more than 200GB of data, including pre-release movies, executive emails, sales and marketing data, and nearly everything from human resources.

"Although [Sony Pictures Entertainment] is in the process of investigating the scope of the cyber attack, SPE believes that the following types of personally identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) Social Security Number, driver's license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information.

"In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, Social Security Number, claims, appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans."

Sony's attackers have leaked more than 30,000 HR records, which is why the list of compromised data in the breach notification letter is so vast.

While not mentioned in the letter directly, the leaked data also included criminal background checks, offer letters (salary and job details), and records related to personnel reviews and opinions within HR.

On Monday, Sony Pictures held a company-wide meeting at its headquarters west of Los Angeles. The details of the meeting are still emerging, but the gathering was supposed to inform employees as to the current state of the breach investigation, and hopefully offer a timeline of when things are expected to be back to normal.

Employees who have spoken to CSO have stated that network access is limited, and several systems used for day-to-day operations are still offline.

Staff are relying on weak Wi-Fi signals, Verizon mobile hot spots, and a backup e-mail service that only allows communications with verified addresses. Other employees have also confirmed the grim conditions, adding that, since the network shutdown shortly before Thanksgiving, productivity has slowed to a crawl in some cases.



Sony Breach May Have Exposed Employee Healthcare, Salary Data — Krebs on Security

The recent hacker break-in at Sony Pictures Entertainment appears to have involved the theft of far more than unreleased motion pictures: According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What’s more, it’s beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems.

Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.

Sony officials could not be immediately reached for comment; a press hotline for the company rang for several minutes without answer, and email requests to the company went unanswered. But a comprehensive search on LinkedIn for dozens of the names in the list indicates that virtually all correspond to current or former Sony employees.

Another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data of more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit by accounting firm PricewaterhouseCoopers, and it includes screenshots of dozens of employee federal tax records and other compensation data.

The latest revelations come more than a week after a cyberattack on Sony Pictures Entertainment brought down the company’s corporate email systems. A Sony spokesperson told Reuters that the company has since “restored a number of important services” and was “working closely with law enforcement officials to investigate the matter.”


[Image: Some of the files apparently taken from Sony that are now being traded on file-sharing networks.]

Several media outlets reported at the time that Sony employees had been warned not to connect to the company’s corporate network or to check email, and noted that Sony’s IT departments had instructed employees to turn off their computers and to disable Wi-Fi on all mobile devices. Other reports cited unnamed investigators pointing to North Korean hackers as the source of the attack, although those reports could not be independently confirmed.

Such extreme precautions would make sense if the company’s network was faced with a threat designed to methodically destroy files on corporate computers. Indeed, the FBI this week released a restricted “Flash Alert” warning of just such a threat: an unnamed attack group using malware designed to wipe all data from computer hard drives, including the underlying master boot record (MBR), the first sector of the disk that holds the boot code and partition table, so that affected systems can no longer start.

KrebsOnSecurity obtained a copy of the alert, which includes several file names and cryptographic hashes (fixed-length fingerprints that identify a file’s exact contents) corresponding to the file-wiping malware. The FBI does not specify where the malware was found or against whom it might have been used, noting only that “the FBI has high confidence that these indicators are being used by CNE [computer network exploitation] operators for further network exploitation.” The report also says the language pack referenced by the malicious files is Korean.


The FBI alert references several network traffic “signatures” that organizations can use to detect the traffic seen in previous attacks from this malware — traffic that appears to beacon back to (most likely compromised) systems in Thailand, Poland and Italy. But the alert also says this type of vigilance may only serve to let organizations know that their files are currently in the process of being deleted.

“The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun,” the alert warned.

Here’s the Snort signature, in case this is useful for any readers who didn’t get this memo:

alert tcp any any -> [88.53.215.64,217.96.33.164,203.131.222.102] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314; rev:1;)
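To show what that signature actually tests, here is an added example that is not from the article, from Krebs, or from the FBI alert: a small Python evaluator that applies the rule’s tests (destination host and port lists, dsize, and content with offset/depth) to constructed packets. Real Snort reads traffic off the wire or from a pcap; the Packet class, the RFC 5737 source addresses and the sample payloads below are all hypothetical and constructed for the example.

```python
"""Added example (not from the page, Krebs, or the FBI alert): a minimal
evaluator that applies the 'wiper_callout' Snort rule's tests to packets.
It reimplements only the rule options that signature uses; real Snort reads
packets off the wire or from a pcap, which is assumed away here."""
from dataclasses import dataclass

# Header and options transcribed from the rule quoted in the article.
RULE_DST_HOSTS = {"88.53.215.64", "217.96.33.164", "203.131.222.102"}
RULE_DST_PORTS = {8080, 8000}
RULE_DSIZE = 42                            # dsize:42 -> payload is exactly 42 bytes
RULE_CONTENT = bytes.fromhex("ffffffff")   # content:"|ff ff ff ff|"
RULE_OFFSET = 26                           # offset:26 -> start the search at byte 26
RULE_DEPTH = 4                             # depth:4   -> search only 4 bytes from there


@dataclass(frozen=True)
class Packet:
    """Hypothetical, constructed representation of one TCP segment."""
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_wiper_callout(pkt: Packet) -> bool:
    """Return True when pkt satisfies every test in the rule.

    Snort semantics applied here: dsize:42 is an exact-length test, and
    content with offset:26 and depth:4 searches only payload[26:30], so the
    marker must sit at bytes 26..29 exactly; a one-byte shift does not match.
    """
    if pkt.dst not in RULE_DST_HOSTS or pkt.dport not in RULE_DST_PORTS:
        return False
    if len(pkt.payload) != RULE_DSIZE:
        return False
    window = pkt.payload[RULE_OFFSET:RULE_OFFSET + RULE_DEPTH]
    return RULE_CONTENT in window


def scan(packets):
    """Return the packets that would have fired the alert."""
    return [p for p in packets if matches_wiper_callout(p)]


def _beacon_payload(marker_offset=26, total=42) -> bytes:
    """Constructed payload: zero filler with the 4-byte marker at marker_offset."""
    body = bytearray(total)
    body[marker_offset:marker_offset + 4] = RULE_CONTENT
    return bytes(body)


# Constructed traffic: one true beacon and four near misses. RFC 5737
# addresses stand in for internal hosts and for an unrelated server.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.131.222.102", 8080, _beacon_payload()),               # fires
    Packet("192.0.2.10", "203.131.222.102", 443, _beacon_payload()),                # port not in list
    Packet("192.0.2.10", "198.51.100.7", 8080, _beacon_payload()),                  # host not in list
    Packet("192.0.2.11", "88.53.215.64", 8000, _beacon_payload(marker_offset=25)),  # marker outside window
    Packet("192.0.2.11", "88.53.215.64", 8000, _beacon_payload(total=43)),          # dsize mismatch
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(f"wiper_callout: {hit.src} -> {hit.dst}:{hit.dport} ({len(hit.payload)} bytes)")
```

Only the first constructed packet fires. The exact dsize and the offset/depth pinning make this a high-precision but brittle rule: any change in beacon length or marker position by the operators evades it, and, as the alert itself warns, by the time the beacon is seen the wiping has already started, so the signature is a confirmation that an incident is underway rather than a preventive control.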

Update: 1:58 p.m. ET: Multiple sources are reporting that the links to the torrents for the stolen Sony internal data were posted on Pastebin late Monday morning. Less than an hour after that post went live, the individual hosts that were sharing copies of the Sony data came under sustained denial-of-service attacks apparently aimed at keeping the files from being shared with other torrent users.

Also, the security guys over at Packetninjas have posted a useful write-up on a malware sample they spotted from early July 2014 that matches the file name of the malware described in the FBI’s Flash alert about the file-wiping malware. Packetninjas notes that the file also was calling home to the same control server in Thailand that was documented in this week’s FBI alert.

[Image: This file directory tree, included in the leaked data, offers a glimpse into the sheer volume of files apparently compromised in this breach.]

This is a developing story. More to come. Stay tuned.

Hacked in 2014: The Year of the Data Breach

2014 will go down as the year of the data breach, from massive hacks at retail chains to the leaking of celebrity nude photos, not to mention dangerous security vulnerabilities like Heartbleed and Shellshock that had security pros panicking.

A slew of industries like banking, retail, and healthcare have all fallen prey to cyber criminals this year. As the year now winds down, the effects of some of 2014’s most notorious hacking incidents are still being felt and will be for some time. Here are five of the year’s worst data breaches and the huge impact they are having on the state of cybersecurity.


Sony Pictures

The hack at Sony Pictures is the latest breach of the year and by the looks of things, will be the biggest, moving far beyond being an IT issue. A hacker group known as Guardians of Peace, or simply GOP, breached Sony’s internal systems in late November, affecting thousands of employees, several executives and celebrities, leaking as-yet-unreleased films, and demanding the cancellation of the Seth Rogen and James Franco comedy film, The Interview. This fueled rumors that North Korea was behind the attack, an allegation that continues to gather more steam. The hermit kingdom would deny involvement but still called the hacking a “righteous deed”.

However a number of large US theater chains have now dropped the film after one of GOP’s latest messages threatened physical attacks on cinemas screening the film. The number of theaters dropping the film eventually pushed Sony to completely cancel the release of the film.

The fallout continues across the board too as more and more details start to emerge courtesy of GOP, including some actors’ movie paydays as well as a heated email exchange between execs over Angelina Jolie. While Sony has hired security firm Mandiant to clean up the mess, there’s no end in sight for the leaks with each one becoming more and more serious. Sony will need a long time to mend its reputation and relationships, especially when several employees are taking legal action against the company.


Home Depot

Back in September Home Depot disclosed a major payment system breach whose effects it is still feeling, and it now faces 44 lawsuits. In all, 56 million payment card numbers and 53 million email addresses were stolen in the breach, which ran from April to September of this year, and the company spent $43 million in a single quarter responding to it.

Staring down 44 lawsuits in the US and Canada, Home Depot is facing several accusations, one of the central claims being that the company was not complying with data protection standards. Meanwhile its recent regulatory filing warned that more damage may yet be discovered: “It is possible that we will identify additional information that was accessed or stolen.” On the plus side, people haven’t stopped shopping there, as Home Depot still managed to grow its sales.


JP Morgan Chase

Several retail outlets have been rocked by data breaches this year, but so too have financial institutions, for obvious reasons. Over the summer, hackers breached the bank and stole names, email addresses, phone numbers and postal addresses for more than 80 million customers and businesses. At the time, the New York Times described it as one of the most serious computer intrusions into an American corporation and added that several other banking businesses had been targeted as well.

The attack was spread out over two months and stoked fears of wider attacks on the financial industry, which, if successful, could yield serious rewards for cyber crooks. Who was responsible remains unclear, but early reports pointed the finger at Russian hacking networks, a recurring theme in this year’s breach attributions.


Community Health Systems

Healthcare databases are becoming lucrative targets for cyber criminals too, and while there have been several data breaches at facilities around the US, the biggest and most damaging was the August breach at Community Health Systems. More than 4.5 million people were affected across roughly 200 hospitals, with data such as patient names, addresses, birth dates, phone numbers and Social Security numbers compromised, though CHS said that no medical or clinical information was taken.

FireEye’s Mandiant, the same security firm now hired by Sony, believes a China-based group that researchers track under the name Dynamite Panda is responsible, a group that has also been linked to the 2011 RSA data breach.


P.F. Chang’s

The data breach at restaurant chain P.F. Chang’s showed that hackers will target any and all businesses. In August the company reported that payment systems at 33 of its locations were compromised and that hackers made off with card numbers, cardholder names and possibly expiration dates. P.F. Chang’s had first noticed something was awry back in June, which led to the investigation.

While this breach didn’t have the same impact as, say, Target last year or Home Depot, the incident raises more questions about the state of retail data security and payment security as a whole, especially when security firms like McAfee predict that in 2015 point-of-sale attacks will evolve to become even more dangerous.

If a big company or bank had been robbed fifty years ago, the average customer could not have cared less. But when these companies hold all of your personal data and card information, the potential for it to fall into the wrong hands is a legitimate problem. Whether politically or financially motivated, these corporate data breaches are also part of the broader conversation about public data, privacy and government surveillance that we are having as a country, and it is one that hasn’t completely played out yet.

In the end, 2014 may not be remembered as the year of the data breach, but rather the first of many. As new mobile payment systems like Apple Pay become more common, the chances for further data breaches and cybersecurity hysteria will no doubt increase. Will an increased focus on cybersecurity really prevent attacks in the future? Will the concerns result in a hesitant attitude toward mobile payment systems that will affect the adoption of the technology? We may not know the answers to these questions as of now, but a year from now, I have a feeling we will.



Employee health information compromised in Sony Pictures hack

A recent cyberattack on Sony Pictures has sent not only personal emails and employee salary information out across the Web, but sensitive health information as well.

Documents obtained by the hackers include health information on dozens of employees, their children or spouses, according to a report from Bloomberg.

Some of the information leaked includes a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs for more than 30 Sony employees, according to the report.

This is just the latest in a string of attacks compromising patients' health information, including a hack that impacted more than 4.5 million patients at Community Health Systems.

The release of this kind of information may be some of the most damaging, Deborah Peel, director of Patient Privacy Rights, tells Bloomberg.

Hackers who go by Guardians of Peace, according to the report, have been releasing documents onto the Internet since late November. Sony's internal probe currently links the attack to hackers known as DarkSeoul.

Security experts predict more cyberattacks on healthcare organizations in 2015, with phishing and ransomware expected to pose particular challenges, according to John Moore, founder and managing partner at Chilmark Research.

In addition, healthcare information is becoming a vulnerable and attractive target for cybercriminals, according to Experian's 2015 Data Breach Industry Forecast.

