Data Breaches and Hackermania Running Wild

Data Breaches Remain in the News and the Debate Around How Best to Secure Data Rages

By Donna Cusano, Editor In Chief of Telehealth & Telecare Aware

Everything old is new again. UK website Computing reported that East Midlands Ambulance Service NHS Trust lost a data cartridge containing 42,000 records from its divisional headquarters in Nottingham. It was a small but deadly cartridge containing scanned handwritten copies of Patient Report Forms from September to November 2012. However, it can only be read on a now-obsolete cartridge reader, one of which is on the Trust’s premises. An interesting project for a ‘cracker’? Perhaps someone thought it was an old paperweight? Is this the virtue of old tech?

Wakey, wakey Hermann! Memorial Hermann Health System in Houston, Texas had an unauthorized employee nosing around patient records for seven years up to July, affecting at last count 10,604 patients. Compromised were health insurance information, Social Security (SSI) numbers, names, addresses and dates of birth (DOB). Obviously the records weren’t firewalled and were easy to access. No motive cited. According to HealthITSecurity, this person has been suspended, not fired. Also iHealthBeat.

Nothing to see here…move on. Breaking News. Healthcare.gov was breached in July by a hacker uploading malicious software to a server used to test code. No evidence that personal information was compromised. HHS maintains this was the first successful intrusion. We’ll see. MarketWatch (excerpt of WSJ paywalled story)

Is any system hackerproof? Reader Joanne Chiocchi cited my first article on the massive CHS breach (from the reprint in HITECH Answers–thank you, Roberta Mullin) and posed this question on LinkedIn’s Ellen’s Ethical Lens group. 48 comments later, many were from a ‘devil’s advocate’ dentist who doesn’t much like EHRs/EDRs: in his view they are highly hackable, inaccurate and a time waster, even just for completing HIPAA privacy notices. There are plenty of sobering facts in the comments (all worth reading). The dentist points out voluminously that ignoring and covering up security and process problems will inevitably invite a practitioner and patient backlash. Hat tip to Joanne and Ellen Fink-Samnick.

And two more breaches that required no hacking whatsoever:

To live and steal data in LA. A Cedars-Sinai Health System laptop stolen in a home burglary had 500 patient records with primarily lab results and SSI numbers. iHealthBeat

The Vienna 1946 “Third Man” Award, Second Edition goes to The Hand Care Center/Shoulder and Elbow Institute and the Orthopaedic Specialty Institute Medical Group, both of Orange, California, which stored 59,000 old x-rays containing patient records with Iron Mountain, supposedly securely. Two IM employees stole them and sold them to a recycler for the silver. Harry Lime Lives! Privacy Rights Clearinghouse 12 and 26 August

Recent data breach coverage: CHS data breach estimated price tag: $150 million, FBI ‘Flash Alerts’ health organizations about hacker attacks, The drip of data breaches now a flood: 4.5 million records hacked–update

Apple flying around the iCloud for Apple HealthKit. Making headlines this week were a few overly personal celebrity photos (foolishly) stored on iCloud accounts going public online. According to Apple, the accounts were hacked probably by ‘brute force’ password attack and not through an iCloud flaw. TechRepublic But of more concern to digital health developers eager to get all that health and fitness data integrated via the Apple HealthKit API is that Apple is saying ‘nein’ to anyone using the iCloud to store that data. Why the concern? Mobihealthnews lays down Apple’s eight ground rules.

Is CyberRX 2.0 a prescription for HIT? HITRUST (Health Information Trust Alliance), with participation from (US) HHS, will be hosting an October cyber attack simulation exercise with over 750 healthcare organizations participating. Exercises are at three levels depending on organization size and will include targeting information systems, medical devices and other technology resources of government and healthcare organizations. Press release.

And the weakest point may be ‘over the air’. ‘Interceptor’ fake cell towers can defeat smartphone encryption to eavesdrop ‘over the air’ on calls, read texts and possibly push spyware onto Android phones. According to the CEO of ESD America, they have detected at least 17 powerful towers, likely more, scattered around the US–many near military bases. A telltale sign is a forcing down from 3G/4G to the less-secure 2G, which may or may not be detected by a conventional phone. Of course ESD sells a phone built on the Samsung S3 body called the CryptoPhone 500 which can detect attacks, so they have a horse in the race. Interceptors appear to be common in Asia, the hacking haven. But here in the US, who owns these interceptor towers and where’s the information going? And this is not ‘black helicopter’ stuff: on 11 August, the US Federal Communications Commission (FCC) announced its investigation into the use of interceptors against Americans by foreign intelligence services and criminal gangs. Popular Science, MSN Money.

This post was originally published in two parts on TeleHealth & Telecare Aware, Data Breaches and ‘Hackermania’ Running Wild, ‘Hackermania Running Wild,’ Part 2 and is republished here with permission.