was successfully added to your cart.

All posts by PharmaStrategies

Health & Hacking: Health Care Company, Anthem Inc., Hit With Massive Cyber Attack

By | Cyber Crime, Hack, Health Care, Technology | No Comments

Anthem Inc. suffered a massive data breach as hackers broke through its defenses and stole account information from as many as 80 million of the company’s clients.

A statement released by Anthem CEO, Joseph Swedish, states that Anthem’s own associates’ personal information – including his own – was accessed during this security breach.

“Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,“ said Swedish.

For customers of Anthem, the company has established a website where they can find information concerning the data breach. There is also a toll-free number for current and former members to call, 877-263-7995.

Customers whose information has been stolen should report suspected identity theft to the FBI’s Internet Crime Complaint Center.

It is yet unknown how hackers obtained access to Anthem’s systems and the company is actively working with the FBI in an investigation. What is known though is that the hack looks to be very sophisticated.

According to Cindy Wakefield, an Anthem spokeswoman, the affected database contained records for approximately 80 million individuals, but the company is still investigating to determine how many individuals were impacted by the cyber attack. At this point, the company believes the number is in the tens of millions.

Cyber Attacks Are Expensive

Unfortunately, for Anthem Inc., this is not the first time the company has been the victim of a data breach. The company was formerly known as WellPoint Inc. and formed when Anthem Insurance purchased WellPoint Health Networks in 2004. In 2014 WellPoint officially changed its corporate name to Anthem Inc.

In 2013, WellPoint found itself on the receiving end of HIPPA fines totaling nearly $2 million after exposing hundreds of thousands of ePHI (Protected Health Information). The HHS Office for Civil Rights’ report on WellPoint indicated a security weakness in an online application database, which left the ePHI of 612,402 individuals accessible to unauthorized individuals over the internet.

These deep fines are not the only costs health care providers must be concerned about. Last year the Sans Institute Reading Room published a report titled, “Health Care Cyberthreat Report, Widespread Compromises Detected, Compliance Nightmare on the Horizon.” It references the 2013 Ponemon Cost of a Data Breach report, which outlines a number of expenses related to a breach such as:

  • Incident Handling
  • Victim Notification
  • Credit Monitoring
  • Projected Lost Opportunities

According to the SANS report, these issues cost health care organizations globally in the range of $233 per compromised record. Additional recovery actions such as legal actions, new security control investments, extended credit protection services for victims and other related costs, actually push the cost much higher—amounting to an astronomical $142,689,666 in the case of the WellPoint incident. In addition to these remediation costs, there are also other concerns such as potential fallout in stock prices and the intangible costs of brand damage when word gets out about a company’s missteps.

Anthem Inc. Will Not Be The Last Cyber Attack

The Anthem cyber attack is the largest data breach to be disclosed by a health-care company and it is one in a long line of breaches that continue to have a deep and negative impact on the global economy.

2014 saw massive cyber attacks on giants such as Target, JP Morgan, Home Depot, Apple and Sony, to name a few. According to a study from PricewaterhouseCoopers, the number of detected cyber attacks skyrocketed in 2014, up 48 percent from 2013.

A separate report from security software vendor Kaspersky Lab estimates that an average data security incident costs a company $720,000. The report states that successful targeted attacks could cost a company nearly $2.54 million. Nearly every company surveyed by Kaspersky — 94 percent — had some type of cyber security incident in 2014.

The Solution: Unbreakable Data Encryption and Irrefutable Identity Management

As cyber attacks become more frequent, more sophisticated and more expensive to remediate, companies must take steps to protect their valuable data from hackers.

Data encryption and more specifically ‘Zero-Knowledge’ privacy, must be at the foundation of any successful cyber security system.

Essentially, ‘Zero-Knowledge’ privacy means that your data is encrypted and no one, other than you and those you grant permission to, can access your data. With a sound, unbreakable data encryption system in place, any hacker attempting to breach a health care provider’s defenses and access sensitive patient information will be met with nothing more than a useless and undecipherable jumble of numbers and letters.

Along with unbreakable data encryption, an irrefutable identity management system is also critical to a successful cyber security strategy. All too often hackers are able to break through a company’s defenses by stealing usernames and passwords. With this type of attack becoming more common, it is wise for companies to utilize multi-factor authentication. This type of authentication can consist of a number of different options, such as biometric login. This way a company can always be sure that the person attempting to access valuable data is who they say they are.

As hackers become more creative in the ways they attack, data encryption alone is no longer considered a solution. However, unbreakable data encryption (‘Zero-Knowledge’ privacy) coupled with irrefutable identity management make for a significant barrier against hackers.

Health & Hacking: Can Hackers Make You Physically Ill?

By | Cyber Crime, Hack, Health Care, Technology | No Comments

In the second season of the show, Homeland, the Vice President of the United States was assassinated by terrorists. In an elaborate plot, hackers were able to obtain the Vice President’s pacemaker identification number and then remotely cause him to die of a heart attack.

As the fictional Vice President slumped over and took his final breaths, many viewers were left wondering if medical device hacking is the stuff of science fiction or if it is something that could actually happen.

In fact, one of the viewers of that night’s episode happened to be former Vice President, Dick Cheney, who had a device implanted to regulate his heartbeat in 2007. In an interview with “60 Minutes” Cheney said, “I found [the depiction] credible because I knew from the experience that we had assessing the need for my own device that it was an accurate portrayal of what was possible.”

To illustrate this risk in the real world, security expert, Jerome Radcliffe, himself a diabetic, demonstrated how a hacker could remotely turn off a diabetic person’s insulin pump or manipulate any of its settings without the person’s knowledge.

In 2013, another security expert, Barnaby Jack, was slated to give a presentation called, “Implantable Medical Devices: Hacking Humans.” This presentation was also referred to as, “how to kill a man at 30 feet by hacking his pacemaker.” Jack had developed a software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. Unfortunately, due to his untimely death, this presentation was cancelled.

Although the hacking of wireless infusion pumps and other medical devices has yet to happen, it is now considered a critical cyber security vulnerability. While much of the focus has been on the ability of hackers to harm patients directly, an additional prize for hackers lies in gaining entry to a hospital or medical center network. A medical device might just be the entry point hackers seek.

Hospitals store a wealth of records containing sensitive data such as financial, medical and identity information. What if hackers could hijack a pump and use it to access this extremely attractive trove of data or create a large-scale disruption of operations?

As this critical vulnerability only continues to generate more attention, the FDA weighed in during its first cyber security conference on medical devices. In its statement, the FDA urged medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyber security threats.

In addition, the U.S. Department of Homeland security began investigating a number of suspected cyber security flaws in various medical devices and hospital equipment that officials feared could be particularly vulnerable to cyber attack.

Meanwhile, at a recent NIST (National Institute of Standards & Technology) conference in Minneapolis, a number of attendees compared hospitals’ infusion pump vulnerabilities to those exploited at Target last year. In that instance, hackers breached the retail giant’s defenses by sneaking in a side-door intended for use by an HVAC contractor. In the end, hackers obtained personal data on over 70 million Target customers.

As our professional and personal lives become more intertwined with technology and hackers become more creative in the ways they attack, it only becomes more apparent that data security is absolutely critical.

The Solution: Unbreakable Data Encryption

As the digital and physical worlds continue to collide, it will only become more important for institutions to implement stringent data security measures in order to stay a step ahead of hackers.

Data encryption should be seen as the cornerstone of any defense system. More specifically, companies should partner with a data security provider that offers ‘Zero-Knowledge’ privacy.

Essentially, ‘Zero-Knowledge’ privacy means that your data is encrypted and no one, other than you and those you grant permission to, can access your data. By utilizing this system (client-side encryption) you are the only one holding the encryption keys that unlock your data. Since you alone are in possession of the keys, your data is never at risk of being unlocked, stolen or misused, either by internal threats or external attacks. You are the only one who can unlock your data, not a hacker, not your IT staff, not even the government.

While a number of data security providers offer data encryption, ‘Zero-Knowledge’ privacy takes the concept a step further. Most data security companies will store your encryption keys along side your encrypted data. This makes the data viewable by anyone with access to your storage facility, whether that is on your network or in the cloud. Unless you are the only one holding the keys to your data, encryption is meaningless.

With a sound, unbreakable data encryption system in place, any hacker attempting to breach a hospital’s defenses and access sensitive patient information will be met with nothing more than a useless and undecipherable jumble of numbers and letters.

The Solution: Irrefutable Identity Management

Along with unbreakable data encryption, an irrefutable identity management system is also critical to a successful cyber security strategy.

As demonstrated by the Apple celebrity photo hacking scandal, all too often hackers are able to break through a company’s defenses by stealing usernames and passwords. With this type of attack becoming more common, it is wise for companies to utilize multi-factor authentication. This type of authentication can consist of a number of different options, such as biometric login. This way a company can always be sure that the person attempting to access valuable data is who they say they are.

Along with stringent log-in standards, it is also important that a company utilizes a system that sends out a notification when any malicious intent is detected. For example, if a user attempts to access files more often than approved or files they are not approved to access, it is important for an alert to be sent out before damage is done.

As hackers become more sophisticated and more creative in the ways they attack, data encryption alone is no longer considered a solution. However, unbreakable data encryption (‘Zero-Knowledge’ privacy) along with irrefutable identity management together make for a significant barrier against hackers.

What You Need To Know About The Sony Hack

By | Cyber Crime, Data Security, Hack, Technology | No Comments

In late November, on a day like most any other, Sony employees arrived at their offices and powered up their computers only to be greeted by a sight unlike most any other. The first sign of a hack occurred early that morning when the image of a menacing, red skeleton simultaneously appeared on every employee’s screen. This was accompanied by an ominous warning, along with a number of threats.

This initial event was only the beginning of a painful and drawn-out saga that continues to plague Sony. As the events continue to unfold, the public watches with bated breath, wondering just how much more information the hackers will be able to obtain. Because of this hack, the public’s overriding sentiment is now one of fear and uncertainty. People are worried that if a powerful and well-protected company like Sony is this vulnerable, it must mean their own business and personal information is at risk, as well. The truth is, they are right. As, our businesses and lives become increasingly reliant on technology it is essential to have protection.

By studying the Sony hack, we can gain insight into current data security vulnerabilities and prevent these disasters from happening in the future.

Goal of Hackers: Cause Financial Ruin

During the holidays, the hackers leaked a number of Sony’s films online including the Brad Pitt, WWII movie “Fury,” the musical “Annie” and the Oscar-nominated film, “Still Alice.” Within it’s first week of being leaked, “Fury” had already been downloaded 1.2 million times.

These illegal downloads of “Fury” simply illustrate a much larger issue, that is the economic damage that hackers can inflict. In fact, Hollywood isn’t the only industry reeling from cyberattacks. The global economy loses as much as $575 billion annually due to data theft, according to a study published in June by McAfee and the center for Strategic and International Studies.

Solution: Encrypt Data

Data encryption is critical. If Sony had encrypted its film files using a ‘Zero-Knowledge’ privacy system, hackers would have found it impossible to steal and disseminate “Fury” along with  all of the other stolen movies.

Key encryption is also an important component of intellectual property protection. Even if a company’s data is encrypted during transit or storage, many data security companies store the company’s encryption keys along with its data. This means that anyone with access to the location of the company’s data, will also have access to the keys, and therefore complete access to the data that is thought to be secure.

Goal Of Hackers: Paralyze The Company

Once hackers infiltrated Sony’s system, all global operations came to an electronic standstill. As Sony tried to deal with the massive security breach, employees were forced to find other means of communication in order to keep the company functioning. In what could be a scene straight out of the 1980s, employees communicated using fax machines and hand-delivered letters, all in an effort to avoid logging on to the internet in case the hackers would deliver another threat.

To add insult to injury, hackers released a folder called “Password.” The name of the folder is exactly what it is, the company’s most sensitive passwords. This file contained thousands of the company’s private passwords, all stored in plaintext, all lacking protection of any kind. Some of the passwords were personal, while some were tied to financial accounts such as American Express.

In the midst of the chaos, finger pointing began as Sony tried to unravel the mysterious identity of the hackers. At first the media focused on a comment made by an anonymous source that North Korea was behind the attack in retaliation for the movie “The Interview.” Recently, the FBI backed this allegation up, stating that there is evidence showing the hackers utilized IP addresses that were exclusively used by the North Koreans. Meanwhile, private security firms say this hack looks like it could be the work of a disgruntled former employee.

Two months later, as Sony is still trying to unravel this web, they continue to grapple with computer systems that do not work. In fact, Sony has been forced to delay its third quarter earnings report as the company struggles to repair the damage done to its systems.

Solution: A Strong Identity Management System

On top of data encryption, it is also critical for a company to know who has access to what files. In the case of Sony, the topic of Identity Management is now taking center stage. The question is still very much open as to the identity of the hackers.

By utilizing a secure Identity Management system, a company has full knowledge of the identity of any user attempting to access any file. In the case of Sony, it is not clear if the attack was caused by an outside hacker or an internal threat. With a sound identity management system, companies have the ability to grant and revoke access to files or see if certain users attempt to access files more often than approved. If there are signs of malicious intent, it is important for a company to be notified quickly, before damage occurs. By utilizing a robust Identity Management system, companies have the power to protect themselves from people, both outside and inside the company, who wish to do harm.

In addition to controlling user access, it is also important to protect the way in which users sign-on. In the case of Sony, which stored thousands of passwords in a folder called “Password,” security was lacking. By utilizing multi-factor biometric identification, a company can ensure that the person looking at the company’s data is who they say they are, even if their username and password are stolen.

Goal Of Hackers: Ruin Reputations

In addition to losing valuable intellectual property and dealing with a paralyzed computer system, Sony also had to deal with a humiliating public relations crisis as the hackers released private emails. The contents of these emails ranged from personal insults to confidential information concerning pay disparities and business practices.

The backlash from the release of these emails has been intense as the company now faces potential lawsuits and shunning from powerful players within the entertainment industry. The release of these emails has most certainly ruined reputations.

Solution: Encrypted Email

It is absolutely crucial that a company protects its email communications. In the case of Sony, stolen emails have caused a great deal of harm to the company’s reputation. In addition, any intellectual property or confidential information is also at risk when sending insecure emails.

By using a secure and encrypted email system, a company can ensure its emails are fully encrypted on the company computers and during transit. In order to open an encrypted email, a recipient must present the correct authentication.

To take it a step further, for an additional layer of protection, companies should utilize a revocable email system. By using this system, a company has the power to always revoke emails even after they have been read, no matter where they have been sent and even years after sending. For example, if an employee of a company sends out an email, that employee can also set permissions to prevent forwarding, printing or downloading of the email. In addition to that, the employee will also be provided with a full audit trail showing every time their email was accessed and read.