Healthcare vulnerability to hackers

waltky

Intruders could exploit known gaps to steal patients’ records...
:mad:
Health-care sector vulnerable to hackers, researchers say
December 25, 2012 - Government and business leaders in the United States and around the world are rushing to build better defenses - and prepare for the coming battles in the digital universe. To succeed, they must understand one of the most complex, man-made environments on Earth: cyberspace.
As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews. Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems. A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems. “I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”

Compared with financial, corporate and military networks, relatively few hacks have been directed at hospitals and other medical facilities. But in recent months, officials with the Department of Homeland Security have expressed growing fear that health care presents an inviting target to activist hackers, cyberwarriors, criminals and terrorists. “These vulnerabilities may result in possible risks to patient safety and theft or loss of medical information,” a DHS intelligence bulletin said in May. Security researchers are starting to turn up the same kinds of trivial-seeming flaws that earlier opened the way for hackers to penetrate financial services networks, Pentagon systems and computers at firms such as Google.

Rubin has documented the routine failure to fix known software flaws in aging technology and a culture in which physicians, nurses and other health-care workers sidestep basic security measures, such as passwords, in favor of convenience. Another researcher found that a system used to operate an electronic medicine cabinet for hospital prescriptions in Oklahoma could be easily taken over by unauthorized users because of weaknesses in the software interface. OpenEMR, an open-source electronic medical records management system that is about to be adopted worldwide by the Peace Corps, has scores of security flaws that make it easy prey for hackers.

The University of Chicago medical center operated an unsecure Dropbox site for new residents managing patient care through their iPads, using a single user name and password published in a manual online. After a Post reporter called about the vulnerabilities, officials at the cabinet manufacturer and the medical center took steps to close the gaps. The Peace Corps said it was considering changes. Government oversight and industry practices have not kept pace with the changing technology. The Food and Drug Administration, which is responsible for overseeing medical devices, most recently published guidance on cybersecurity in 2005.

Mebbe is lil' kids hackin' Daddy Bush's emails whilst he was inna hospital?...
:eusa_eh:
Kids 'using coding skills to hack' friends on games, expert says
7 February 2013 - AVG's Tony Anscombe says children hacking games is still "theft"
Children as young as 11 years old are writing malicious computer code to hack accounts on gaming sites and social networks, experts have said. A report from antivirus company AVG detailed evidence of programs written to "steal" virtual currency. In one case, researchers were able to reverse-engineer "amateur" code to reveal data about the identity of one child in Canada. The company said children must be educated on coding "rights and wrongs". "As more schools are educating people for programming in this early stage, before they are adults and understand the impact of what they're doing, this will continue to grow," said Yuval Ben-Itzhak, chief technology officer at AVG.

The researchers found that many instances of malware targeting games popular with children shared the same characteristics. Most were written using basic coding languages such as Visual Basic and C#, and were written in a way that contained quite literal schoolboy errors that professional hackers were unlikely to make - many exposing the original source of the code.

Stealing data

The team examined closely one particular instance of code that masqueraded as a cheat program for gamers playing Runescape, an online title that has over 200 million signed-up players. The program, Runescape Gold Hack, promised to give the gamer free virtual currency to use in the game - but it in fact was being used to steal log-in details from unsuspecting users. "When the researchers looked at the source code we found interesting information," explained Mr Ben-Itzhak to the BBC. "We found that the malware was trying to steal the data from people and send it to a specific email address. "The malware author included in that code the exact email address and password and additional information - more experienced hackers would never put these type of details in malware."

That email address belonged, Mr Ben-Itzhak said, to an 11-year-old boy in Canada. Enough information was discoverable, thanks to the malware's source code, that researchers were even able to find out which town the boy lived in - and that his parents had recently treated him to a new iPhone. Many schools around the world are changing education programmes in schools to teach children to code, rather than simply to use, computers. In the UK, several after-school clubs have been set up - and initiatives to get kids into programming have been backed by the likes of Google and Microsoft.

Coding benefits

See also:

Hacker exposes ex-US President George H W Bush emails
8 February 2013 - George H W Bush was president from 1989-93
A computer hacker has stolen personal emails and photographs belonging to former US President George H W Bush and his family, US media report. One photograph posted on the internet showed the 88-year-old Republican politician in bed in hospital, where he was recently treated for bronchitis. The stolen emails are reported to include addresses and personal details of several members of the Bush family. A spokesman for Mr Bush confirmed that an investigation was under way. "We do not comment on matters under criminal investigation," Jim McGrath told the Houston Chronicle.

The hacker broke into email accounts of several members of the Bush family, news website the Smoking Gun reported. The hacked emails are reported to include messages expressing serious concern about the health of the former president, including a personal note sent by President Barack Obama through an aide.

'Interesting mails'

Mr Bush was discharged from hospital on 14 January after a seven-week stay, during which he was treated for a bronchitis-related cough. The purloined photos include pictures of his son, former President George W Bush. One shows the younger Mr Bush posing beside a life-size cardboard cutout of himself with a moustache drawn on it; others are said to show paintings by him, including self-portraits. The Smoking Gun said it had been in contact with the hacker, who goes by the alias Guccifer. He said he had taken "a lot of stuff" including "interesting mails" about the former president's time in hospital, the website reported.

George H W Bush was the 41st US President, serving one term from 1989-93. He was defeated by Democrat Bill Clinton when he stood for re-election. Before becoming president he was Ronald Reagan's vice-president from 1981-89. He also served as vice-president, CIA director, US ambassador to China and congressman from Texas. His son George W Bush served as 43rd president from 2001-09.

BBC News - Hacker exposes ex-US President George H W Bush emails
 
Clues given out by employees of companies being targeted by hackers are being used to gain access...
:eusa_eh:
The Comment Group: The hackers hunting for clues about you
11 February 2013 - If you had an email that looked like it was from your boss asking how your recent holiday went, would you open it? Most probably - and hackers know it.
One group in particular has used this simple technique to devastating effect, using it to spy on some of the world's biggest corporations. But who are they, and what are they looking for? When security experts looked into some of the highest profile hacks in recent years - one particular criminal group kept on coming to their attention. The Comment Group, which industry insiders say is based in China, offer hacking for hire - be it for individuals, corporations or governments. It got its name from what was once its trademark technique - implanting dodgy links to malicious malware within the comments sections of popular websites.

But more recently, the Comment Group has become known for being particularly adept in one other important discipline of hacking: straightforward research. "They find the weakest link in the company," explains Jaime Blasco, from security specialists Alienvault. "What they do is collect intelligence about the companies. They try to find information from the internet, from other employees, from intranets, from Google… whatever."

Nuclear attack

It is an approach that has been devastatingly effective. The group has been credited as being behind a vast range of attacks - everything from gaining access to user accounts at the EU to, according to Bloomberg, targeting a nuclear power plant that was situated near to a fault line. In a document published by Wikileaks, the US government regarded the Comment Group - which it referred to as Byzantine Candor - as being one of the most serious of all hacking threats originating from China.

One of the leaked diplomatic cables referred to one attack via email on US officials who were on a trip in Copenhagen to debate issues surrounding climate change. "The message had the subject line 'China and Climate Change' and was spoofed to appear as if it were from a legitimate international economics columnist at the National Journal." The cable continued: "In addition, the body of the email contained comments designed to appeal to the recipients as it was specifically aligned with their job function."

Soft drinks
 
Mebbe we should do like dey do in So. Africa...
:eusa_eh:
Electronic Records Aid Hospitals, Patients
March 15, 2013 - For all of the money Americans spend on health care, electronic medical records are still far from universal in the United States.
However, a pilot project in Southern Africa suggests that replacing paper with touch screens may be a good investment in resource-poor countries. Electronic medical records are not new in Malawi. They’ve been used to track HIV patients for about a decade. Now, a published report describes an expanded version of the program at Queen Elizabeth Central Hospital in Blantyre. The electronic records system called SPINE, or Surveillance Program of Inpatients and Epidemiology, was set up with three goals. One was to collect what public health officials call “baseline data,” to get a better idea of the medical problems patients are facing.

Miguel SanJoaquin, formerly with the University of Malawi College of Medicine, says a second goal was to monitor changes in health patterns. “For example, there are issues like how are antiretrovirals working," he said. "Are certain diseases like pneumonia going down because of the introduction of new vaccines, and so on and so forth,” he said in a telephone interview from Cambodia, where he now works. SanJoaquin says the third benefit is directly aimed at individual patients.


Parents and children in Malawi use health passports as a portable medical record.

In the past, he said, patients would get a handwritten discharge summary with their diagnosis and follow-up information, such as how to take their medicine. But too often, the writing was hard to read or the information was incomplete. The new system helps patients by giving them a clearly printed discharge summary that is included in a document called a “health passport.” “Now there is a very neat and clear prescription on a piece of paper that is attached inside their health passport for their benefit.”

SanJoaquin said the information collected gives health authorities new tools to help improve their response to epidemics and other emergencies. On the other hand, writing in PLOS Medicine, he says that entering the data could be time consuming, and the system was hampered by power outages and hardware and software failures. And that’s in addition to the start-up cost of about $200,000, which was paid by European donors. Miguel SanJoaquin and his colleagues didn’t do a formal cost-benefit analysis, but they say the experience in Malawi demonstrates the feasibility and usefulness of an electronic medical records system in a hospital with limited resources.

Electronic Records Aid Hospitals, Patients

See also:

IRS facing class action suit for medical record breach
March 14, 2013 - A HIPAA-covered entity of the Southern District of California announced today that it is suing 15 Internal Revenue Service (IRS) agents for “an unlawful search and seizure conducted on March 11, 2011.” Though the surrounding details of the health data breach and pending class action lawsuit are minimal, Courthousenews.com reports that IRS agents have been accused of improperly accessing and taking 10 million medical records, such as the personal health records of all California state judges.
The covered entity, called John Doe Company, states that the IRS agents stole more than 60,000,000 medical records of more than 10,000,000 Americans, including at least 1,000,000 Californians. John Doe Company argues in its suit that because, in part, the agents had no reason to access the records in the first place and abused their power in stealing the medical records, the 4th amendment was violated.

No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search. IT personnel at the scene, a HIPPA [sic: recte HIPAA] facility warning on the building and the IT portion of the searched premises, and the company executives each warned the IRS agents of these privileged records. The IRS agents ignored and discarded each of these warnings, ignored their own published and public-reliant rules and governing ethical requirements, and ignored the limitations of the court’s search warrant authorization, seizing the records under threat of destroying company property.

The investigation is ongoing and the legal representatives are sifting through whose data has been accessed and what type of information was sold. For example, according to the report, psychological counseling, gynecological counseling, sexual or drug treatment and other records have already been found to be part of the case. The class action suit claims the IRS hasn’t been helpful in the process and John Doe Company is looking for $25,000 in compensatory damages “per violation per individual” as well as punitive damages for constitutional violations.

Considering the size, amount of money and entities involved, this is a huge class action suit and it will be interesting to see to what degree the Department of Health and Human Services gets involved. How do HIPAA and HITECH apply here, given the recent changes? This case is worth watching in coming months.

Source
 
