- GAO finds security flaws in Obamacare exchanges in California, Kentucky, Vermont (healthcareitnews.com)
Government Accountability Office discovered vulnerabilities in three states and said that other state-run health insurance exchanges may be at risk too...Obamacare health insurance websites in California, Kentucky and Vermont have serious cybersecurity flaws that could result in hackers obtaining personal data from hundreds of thousands of people...One state didn't encrypt passwords, GAO officials said. Another state didn't properly use a filter to block hostile attempts to the site. And the other state didn't use proper encryption - leaving a door for hackers to gain entry...Officials from both California and Kentucky told the AP there was no evidence hackers had stolen anything, while Vermont officials declined to comment on the findings...
- Wal-Mart says some pharmacy client data was visible to others online (cnbc.com)
Wal-Mart Stores said...prescription history and other basic information on a few thousand online U.S. pharmacy customers may have been visible to other users during a four-day stretch last month due to a coding mistake...We had a software coding error for a 72-hour period from February 15 to 18 that affected a limited group of online pharmacy customers...We moved quickly to fix the issue once it was discovered...The error happened during the migration of servers and was not a hack...Fewer than 5,000 users were potentially affected, a small percentage of the number of people who logged in during the 72-hour period...Wal-Mart is contacting potentially impacted customers directly and is offering them identity protection services...
- Two hospital employees fired for leaking Jason Pierre-Paul’s record after fireworks mishap (healthcareitnews.com)
New York Giants player’s info ended up on Twitter after doctors amputated his finger...Two employees of Jackson Memorial Hospital have been fired for accessing and leaking the medical records of New York Giants defensive end Jason Pierre-Paul after the football star lost part of his hand in a July 4, 2015 fireworks accident...The hospital, in its statement, said it had chosen not to comment earlier due to litigation surrounding the incident that has since been settled..."As part of our investigation into the breach, it was discovered that two employees inappropriately accessed the patient's health record. That finding resulted in the termination of both employees," officials said in the statement..."Protecting the privacy of our patients is a top priority at Jackson Health System. Any time we have allegations of a breach, we immediately and thoroughly investigate."
- Data Breaches In Healthcare Totaled Over 112 Million Records In 2015 (forbes.com); Top Pharmacy Chains Revealed as Repeat HIPAA Violators (pharmacytimes.com)
Healthcare’s “wall-of-shame” for 2015 officially ends tonight at midnight. It’s not really a “wall,” it’s just a website, but it’s the online mechanism for the Office of Civil Rights under Health and Human Services to publish data breaches as reported to them and required by HIPAA. The numbers this year are just staggering...According to OCR, there were 253 healthcare breaches that affected 500 individuals or more with a combined loss of over 112 million records...The Top 10 data breaches alone accounted for just over 111 million records that were lost, stolen or inappropriately disclosed...A recent data breach study estimates that breaches cost the healthcare industry about $5.6 billion annually. As healthcare moves toward connected care, the amount of data exchanged between organizations will only grow. So what does this mean? It means that in 2016, we’re going to see a huge movement towards encryption in hospitals and other healthcare facilities in order to protect EHRs and other vulnerable PHI...Healthcare IT security will continue to fall further and further behind the rest of the industry verticals despite the increase in spending on technology and human resources. The industry is focusing on functionality for patient care and security is an afterthought. Many organizations are also overly dependent on antiquated hardware and software...I wish we could look back on 2015 as the year that healthcare took data security and patient privacy more seriously...In a data-driven world, medical information is just too lucrative and too easy to steal at scale. As long as that’s the case...we should reasonably expect more of the same for 2016.
- Why hackers are going after health-care providers (washingtonpost.com)
Washington is reeling from the news of a hack at MedStar, one of the largest medical providers in the area. A computer virus infecting the organization's computer systems forced MedStar to shut down much of its online operations...The exact nature of the attack is not yet known, but MedStar is just the latest victim in a string of cyberattacks that have hit the health-care industry hard. Here's what you need to know about how health-care providers became the latest digital battleground.
  - Why would cybercriminals go after the health-care industry?
  - Just how vulnerable is the health-care sector to cyberattacks?
  - What is the health-care sector doing to fix all this?
- Hollywood Presbyterian hack signals more ransomware attacks to come (healthcareitnews.com); Hollywood Presbyterian Medical Center Pays Hackers $17K Ransom (nbcnews.com)
As hackers hold Hollywood Presbyterian Medical Center’s data and demand $3.4 million Bitcoin to give it back, experts say the "hostage situation" likely signals more ransomware attacks to come...There is no style to this attack...it was likely messaging-based, whether a malicious link in an email or perpetrated via a social network and, basically, an employee fell for it...Such attacks are particularly alluring to cybercriminals...because they are reasonably easy to pull off and have a big impact...the cybercriminals are demanding the hospital pay a $3.4 million ransom if they want their data back...In the meantime, executives declared the hospital in a state of emergency and employees are reverting to paper and faxes to communicate..."This incident really sheds light how weak the core of many providers' internal infrastructure is...It's very common for hospitals to have a large number of outdated and vulnerable systems on the network...
- 10 trends in cyberattacks in healthcare, other industries, new survey shows (healthcareitnews.com); SPECIAL REPORT Worldwide Infrastructure Security Report (arbornetworks.com)
This year the top motivation wasn’t hacktivism or vandalism, but 'criminals demonstrating attack capabilities,' Arbor Networks report claims....Cyberattacks around the world are growing in size and complexity, according to Arbor Networks 11th Annual Worldwide Infrastructure Security Report...For the first time, nearly half of the respondents were from enterprise, government and educational organizations, with service providers at 52 percent. Healthcare is one of the verticals included in the enterprise category...This report provides broad insight into the issues network operators around the world are grappling with on a daily basis...The findings from this report underscore that technology is only part of the true story since security is a human endeavor and there are skilled adversaries on both sides.
Distributed Denial of Service trends:
  - Change in attack motivation
  - Attack size continues to grow
  - Complex attacks on the rise
  - Cloud under attack
  - Firewalls continue to fail during DDoS attacks
Advanced threat trends:
  - Focus on better response
  - Better planning
  - Insiders in focus
  - Staffing quagmire
  - Increasing reliance on outside support
- Hackers hit two California hospitals with ransomware (healthcareitnews.com)
Two California hospitals – Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville – have been attacked by hackers demanding a ransom...The latest hit comes just a month after Hollywood Presbyterian paid hackers a $17,000 ransom to regain control over its computer systems and during the same week on the heels of ransomware attacks against Methodist Hospital in Henderson, Kentucky, and Ottawa Hospital in Ontario, Canada...Organizations with a good defense-in-depth strategy, advanced detection capabilities and solid response and contingency plans will fare far better when attacked...Make no mistake about it. Protecting information assets is a business issue and organizations that don't recognize this will pay for it.
- QS/1 receives PA-DSS data security certification (drugstorenews.com)
Healthcare software solutions company QS/1 this week announced that it had received a certification for the data security of its point-of-sale system. The company was certified under version 3.1 of the Payment Data Security Standard...Companies that receive PA-DSS certification have to create an application that doesn’t store such information as a credit card’s magnetic stripe, CVV or PIN. QS/1’s certification covers processing new EMV chip cards as well as end-to-end encryption of credit card data and tokenizing card data for customers who store it for recurring charges...Too many times we heard about retailers dealing with massive security breaches that compromise credit card data...Taking the steps to certify on the new 3.1 standard puts QS/1’s point-of-sale system at the forefront of credit card security.
- FDA Takes Action Against Medical Device Hacking (newsmax.com); Postmarket Management of Cybersecurity in Medical Devices (fda.gov)
Food and Drug Administration on Friday issued draft guidelines to medical device makers on how to protect patients from cybersecurity vulnerabilities in the devices...Cybersecurity threats to medical devices are a growing concern...The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices...The draft guidance, which is not legally binding, recommends companies take a number of actions, including monitoring and assessing risk, adopting a coordinated vulnerability disclosure policy, and taking measures to address cybersecurity risk early.










