healthcare

now browsing by tag

 
 

Scary new healthcare breach statistics

Source: DarkReading

Interesting new statistics out today about some scary new healthcare breach statistics. It has now been determined that breaches are now responsible for more damages than employee error.

So, while I understand, many might laugh at this statistic, but in all actuality, it is a very scary statistic. All things being said, people make mistakes, in fact, they make a lot of mistakes. Now, there are so many breaches, so many attacks against the healthcare system, that despite the number of daily mistakes potentially made by employees, is more more costly.

Now, of all times, the healthcare industry should be bulking up, on all security measures, inside and out.

From the article:

Cybercriminals and nation-state actors are indeed targeting healthcare organizations for their valuable data:  cyberattacks and physical criminal activity now have officially surpassed insider negligence as the main cause of a data breach in healthcare organizations.

The Ponemon Institute’s new Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published today, found that close to 45% of all data breaches in healthcare are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders, and physical theft, a 125% increase in such activity over the past five years. That’s a first, since employee or insider negligence — user errors, lost laptops and thumb drives, etc. — accounted for the majority of breaches last year and in years past, according to Ponemon.

More than 90% of healthcare organizations surveyed by Ponemon in its report has suffered at least one data breach exposing patient data over the past two years, while 39% had been hit by two- to five breaches, and 40% had suffered more than five breaches during that timeframe. Security incidents (without an actual data breach) occurred at 78% of healthcare organizations.

About 45% of those breaches came via criminal attacks; 43% by lost or stolen computing devices; 40% via employee mistakes; and 12% via a malicious insider.

The cost of all of this healthcare breach-mania? Some $6 billion per year, with an average cost of $2.1 million per healthcare organization, according to the report, which was commissioned by ID Experts.

“For the first time, criminal attacks constitute the number one root cause [of data breaches], versus user negligence/incompetence or system glitches,” says Larry Ponemon, chairman and founder of Ponemon Institute. “Ninety-one percent had one or more breach in the last two years, and some of these are tiny, less than 100 records, but they are still not trivial.”

Healthcare organizations also are regularly battling security incidents, such as malware infections. Some 65% say they were hit with cyberattacks in the past two years, and half suffered incidents involving paper-based security incidents. They’re not confident in their incident response capabilities, either, with more than half saying their IR isn’t adequately funded or manned. And one-third don’t have an IR plan at all.

Lost and stolen devices were a problem at 96% of healthcare organizations in the study, as was spear phishing (88%).

Follow-up: Healthcare Industry Struck Again

Source: Courier Press

As a follow-up, to a previous article, written earlier today.

Shocked to hear more details about the hack that occurred; ok, not really. As I suspected, the attack came in from a phishing campaign.

Read more details from our own published article here, or from some more detailed information that Courier Press has acquired.

Healthcare Industry Struck Again – St. Mary’s Hacked

Source: Healthcare IT News

I don’t usually do this, but I’ll start of this post, with a quote from Health Care IT News:

Think healthcare is not a target for cyberattacks? Think again. Following a pattern of increasing attack frequency, one Indiana-based hospital is the newest target, after hackers swiped the personal data of thousands.

 

So, you look over the part of the sensationalism associated with this article, you know, the “Think healthcare is not a target for cyberattacks” portion, it really makes you wonder about that state of security in the healthcare industry. Why is the healthcare industry being struck again and again?

Having come from that field of work, I know the answer, in fact, I can 99% guarantee you, that I know the cause of the recent hacking of St. Mary’s Medical Center. Not because I have insider knowledge into the incident that occurred, but because I know the industry, I know where the weaknesses are, and I know that nobody is doing anything to combat these problems.

I’m not a betting man, but I would be willing to take a wager, that I know exactly what happened with this incident, here we go:

Hackers/Crackers/Attackers probably got St. Mary’s Medical Center on their radar from another hacked hospital/healthcare organization. Probably by scouring email from the attacked organization. I would wager that St. Mary’s did nothing to provoke the attack.

Once attackers got St. Mary’s Medical Center’s domain name, maybe a doctor or staff member’s name and email address; a little bit of simple recon occurred, scouring for more doctors and more administrator’s names and email addresses. Also, a little bit of scouting probably occurred on the website, with bad guys looking for VPN services, remote email, or something similar, that they could log into with the proper credentials.

Once a decent list of names and emails were collected, that is when the phishing attempts began. Maybe a phishing email about how to reset your password, or a phishing email offering a raise, and you need to enter your email information. They don’t need many submissions, they only need a couple, and with that, they can leverage more and more information.

Once they have working credentials for a user or two, the attacker is then able to leverage an attack into the infrastructure, by sending out emails, as a “trusted source”, requesting user’s visit a page to dish up their credentials; which leads to an avalanche effect, where they are able to gain more and more credentials.

Next revelation, will be a little bit shocking to most, but the Personal Health Information (PHI) data that was stolen, was most likely a “secondary” target of the breach. From my experience, I have seen that attackers are motivated by more substantial, quicker, and easier ways of getting money, rather than selling PHI data. What I believe the primary goal of the attackers, was to see if they could access the doctor’s HR files, and be able to modify the doctor’s direct deposit information, to a known bank account, where the attackers could take the money and run. PHI will provide some potential money for the attackers, however, the primary source could come from the doctor’s paychecks.

So, there you have it. There is my guess on what occurred at St. Mary’s. We may see, in the upcoming months what really happened, but that is my bet on what happened.

The only other option, is that St. Mary’s could hire some big name company to help them access the damage, and they could flip it around, to say it was a nation-state actor, who was trying to get there hands on super-secret formularies for a new breakthrough cure-all drug, that St. Mary’s, a 585 bed hospital bed is producing; but in the end, we all know that would be a lie.

Cognizant to Buy Trizetto to Boost Health Care Business

Source: Re/Code

Cognizant Technology Solutions struck its biggest deal on Monday, acquiring health-care IT services provider TriZetto for $2.7 billion to beef up its slowing health-care business.

Shares of the company, which is buying TriZetto from London-based private equity firm Apax Partners, were down almost one percent in late trading.

Cognizant’s health-care business, which accounted for about 26 percent of total revenue in 2013, has declined in the last three quarters.

The company provides services such as claims processing, billing and call center operations to insurers, hospitals and some state-run health-care exchanges set up under President Barack Obama’s Affordable Care Act, also known as Obamacare.

TriZetto provides information technology services, including care management and the administration of benefits. The company said it reaches 245,000 health-care providers, representing more than half of the insured population in the United States.

Englewood, Colo.-based TriZetto is the latest U.S. health-care IT services provider to be acquired as payers and providers of health-care seek new ways to cut costs.

“Health care is undergoing structural shifts due to reform, cost pressure and shifting responsibilities between payers and providers,” Cognizant CEO Francisco D’Souza said in a statement. “This creates a significant growth opportunity, which TriZetto will help us capture.”

The company in August forecast its slowest full-year sales growth in its 20-year history.

Cognizant, whose rivals include Tata Consultancy Services and Infosys, said it expected revenue synergies of $1.5 billion over the next five years from the deal.

The company said the deal would immediately add to adjusted profit on closing, expected in the quarter ending December.

Apax Partners, which acquired TriZetto in 2008, was exploring a sale of the company, sources told Reuters in August.

TriZetto had 12-month earnings before interest, tax, depreciation and amortization of more than $190 million as of June 30, one of the sources had then said.

Cognizant said on Monday it would fund the deal through a combination of cash and debt and had secured $1 billion in financing.

The deal comes after private equity firms Silver Lake Partners and BC Partners sold health insurance claims processor MultiPlan for $4.4 billion in March to a consortium led by Maurice “Hank” Greenberg’s buyout firm Starr Investment Holdings.

Credit Suisse, UBS Securities LLC and Centerview Partners advised Cognizant, while J.P.Morgan Securities and Goldman Sachs & Co advised TriZetto.

(Reporting by Soham Chatterjee in Bangalore; Editing by Saumyadeb Chakrabarty and Sriraj Kalluvila)