Category Archives: Health Care

Health & Hacking: Health Care Company, Anthem Inc., Hit With Massive Cyber Attack

Anthem Inc. suffered a massive data breach as hackers broke through its defenses and stole account information from as many as 80 million of the company’s clients.

A statement released by Anthem CEO, Joseph Swedish, states that Anthem’s own associates’ personal information – including his own – was accessed during this security breach.

“Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,” said Swedish.

For customers of Anthem, the company has established a website where they can find information concerning the data breach. There is also a toll-free number for current and former members to call, 877-263-7995.

Customers whose information has been stolen should report suspected identity theft to the FBI’s Internet Crime Complaint Center.

It is not yet known how hackers obtained access to Anthem’s systems, and the company is actively working with the FBI on an investigation. What is known, though, is that the hack looks to be very sophisticated.

According to Cindy Wakefield, an Anthem spokeswoman, the affected database contained records for approximately 80 million individuals, but the company is still investigating to determine how many individuals were impacted by the cyber attack. At this point, the company believes the number is in the tens of millions.

Cyber Attacks Are Expensive

Unfortunately for Anthem Inc., this is not the first time the company has been the victim of a data breach. The company was formerly known as WellPoint Inc., which was formed when Anthem Insurance purchased WellPoint Health Networks in 2004. In 2014, WellPoint officially changed its corporate name to Anthem Inc.

In 2013, WellPoint found itself on the receiving end of HIPAA fines totaling nearly $2 million after exposing the ePHI (electronic protected health information) of hundreds of thousands of individuals. The HHS Office for Civil Rights’ report on WellPoint indicated a security weakness in an online application database, which left the ePHI of 612,402 individuals accessible to unauthorized individuals over the internet.

These steep fines are not the only costs health care providers must be concerned about. Last year the SANS Institute Reading Room published a report titled, “Health Care Cyberthreat Report, Widespread Compromises Detected, Compliance Nightmare on the Horizon.” It references the 2013 Ponemon Cost of a Data Breach report, which outlines a number of expenses related to a breach such as:

  • Incident Handling
  • Victim Notification
  • Credit Monitoring
  • Projected Lost Opportunities

According to the SANS report, these issues cost health care organizations globally in the range of $233 per compromised record. Additional recovery actions such as legal actions, new security control investments, extended credit protection services for victims and other related costs, actually push the cost much higher—amounting to an astronomical $142,689,666 in the case of the WellPoint incident. In addition to these remediation costs, there are also other concerns such as potential fallout in stock prices and the intangible costs of brand damage when word gets out about a company’s missteps.

Anthem Inc. Will Not Be The Last Cyber Attack

The Anthem cyber attack is the largest data breach to be disclosed by a health-care company and it is one in a long line of breaches that continue to have a deep and negative impact on the global economy.

2014 saw massive cyber attacks on giants such as Target, JP Morgan, Home Depot, Apple and Sony, to name a few. According to a study from PricewaterhouseCoopers, the number of detected cyber attacks skyrocketed in 2014, up 48 percent from 2013.

A separate report from security software vendor Kaspersky Lab estimates that an average data security incident costs a company $720,000. The report states that successful targeted attacks could cost a company nearly $2.54 million. Nearly every company surveyed by Kaspersky — 94 percent — had some type of cyber security incident in 2014.

The Solution: Unbreakable Data Encryption and Irrefutable Identity Management

As cyber attacks become more frequent, more sophisticated and more expensive to remediate, companies must take steps to protect their valuable data from hackers.

Data encryption, and more specifically ‘Zero-Knowledge’ privacy, must be at the foundation of any successful cyber security system.

Essentially, ‘Zero-Knowledge’ privacy means that your data is encrypted and no one, other than you and those you grant permission to, can access your data. With a sound, unbreakable data encryption system in place, any hacker attempting to breach a health care provider’s defenses and access sensitive patient information will be met with nothing more than a useless and undecipherable jumble of numbers and letters.

Along with unbreakable data encryption, an irrefutable identity management system is also critical to a successful cyber security strategy. All too often hackers are able to break through a company’s defenses by stealing usernames and passwords. With this type of attack becoming more common, it is wise for companies to utilize multi-factor authentication. This type of authentication can consist of a number of different options, such as biometric login. This way a company can always be sure that the person attempting to access valuable data is who they say they are.

As hackers become more creative in the ways they attack, data encryption alone is no longer considered a solution. However, unbreakable data encryption (‘Zero-Knowledge’ privacy) coupled with irrefutable identity management makes for a significant barrier against hackers.

Health & Hacking: Can Hackers Make You Physically Ill?

In the second season of the show, Homeland, the Vice President of the United States was assassinated by terrorists. In an elaborate plot, hackers were able to obtain the Vice President’s pacemaker identification number and then remotely cause him to die of a heart attack.

As the fictional Vice President slumped over and took his final breaths, many viewers were left wondering if medical device hacking is the stuff of science fiction or if it is something that could actually happen.

In fact, one of the viewers of that night’s episode happened to be former Vice President, Dick Cheney, who had a device implanted to regulate his heartbeat in 2007. In an interview with “60 Minutes” Cheney said, “I found [the depiction] credible because I knew from the experience that we had assessing the need for my own device that it was an accurate portrayal of what was possible.”

To illustrate this risk in the real world, security expert, Jerome Radcliffe, himself a diabetic, demonstrated how a hacker could remotely turn off a diabetic person’s insulin pump or manipulate any of its settings without the person’s knowledge.

In 2013, another security expert, Barnaby Jack, was slated to give a presentation called, “Implantable Medical Devices: Hacking Humans.” This presentation was also referred to as, “how to kill a man at 30 feet by hacking his pacemaker.” Jack had developed software that allowed him to remotely send an electric shock to anyone wearing a pacemaker within a 50-foot radius. Unfortunately, due to his untimely death, this presentation was cancelled.

Although the hacking of wireless infusion pumps and other medical devices has yet to happen, it is now considered a critical cyber security vulnerability. While much of the focus has been on the ability of hackers to harm patients directly, an additional prize for hackers lies in gaining entry to a hospital or medical center network. A medical device might just be the entry point hackers seek.

Hospitals store a wealth of records containing sensitive data such as financial, medical and identity information. What if hackers could hijack a pump and use it to access this extremely attractive trove of data or create a large-scale disruption of operations?

As this critical vulnerability continues to generate more attention, the FDA weighed in during its first cyber security conference on medical devices. In its statement, the FDA urged medical device manufacturers and health care facilities to take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyber security threats.

In addition, the U.S. Department of Homeland Security began investigating a number of suspected cyber security flaws in various medical devices and hospital equipment that officials feared could be particularly vulnerable to cyber attack.

Meanwhile, at a recent NIST (National Institute of Standards & Technology) conference in Minneapolis, a number of attendees compared hospitals’ infusion pump vulnerabilities to those exploited at Target last year. In that instance, hackers breached the retail giant’s defenses by sneaking in a side-door intended for use by an HVAC contractor. In the end, hackers obtained personal data on over 70 million Target customers.

As our professional and personal lives become more intertwined with technology and hackers become more creative in the ways they attack, it only becomes more apparent that data security is absolutely critical.

The Solution: Unbreakable Data Encryption

As the digital and physical worlds continue to collide, it will only become more important for institutions to implement stringent data security measures in order to stay a step ahead of hackers.

Data encryption should be seen as the cornerstone of any defense system. More specifically, companies should partner with a data security provider that offers ‘Zero-Knowledge’ privacy.

Essentially, ‘Zero-Knowledge’ privacy means that your data is encrypted and no one, other than you and those you grant permission to, can access your data. By utilizing this system (client-side encryption) you are the only one holding the encryption keys that unlock your data. Since you alone are in possession of the keys, your data is never at risk of being unlocked, stolen or misused, either by internal threats or external attacks. You are the only one who can unlock your data, not a hacker, not your IT staff, not even the government.

While a number of data security providers offer data encryption, ‘Zero-Knowledge’ privacy takes the concept a step further. Most data security companies will store your encryption keys alongside your encrypted data. This makes the data viewable by anyone with access to your storage facility, whether that is on your network or in the cloud. Unless you are the only one holding the keys to your data, encryption is meaningless.

With a sound, unbreakable data encryption system in place, any hacker attempting to breach a hospital’s defenses and access sensitive patient information will be met with nothing more than a useless and undecipherable jumble of numbers and letters.
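The client-side model described above, as an added example that is not from the original post or any vendor: the key is derived on the client and the storage provider receives only salt, nonce, tag and ciphertext. The choice of scrypt and AES-256-GCM, the function names and the sample record are assumptions made for illustration.

```javascript
// Added example: client-side encryption where the key never reaches storage.
const crypto = require("node:crypto");

// Client side: derive a 256-bit key from a passphrase that stays with the user.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Client side: encrypt, and return only what the storage provider is given.
// Note that no key material appears in the returned record.
function encryptForUpload(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    nonce: nonce.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

// Client side: decrypt a stored record. Returns null when the passphrase is
// wrong or the record was modified (GCM authentication fails in both cases).
function decryptFromStorage(passphrase, record) {
  const key = deriveKey(passphrase, Buffer.from(record.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.nonce, "base64"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  try {
    return Buffer.concat([
      decipher.update(Buffer.from(record.ciphertext, "base64")),
      decipher.final(),
    ]).toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample record, not real data.
const SAMPLE_RECORD = "member_id=TEST-0001;dob=1970-01-01";
const stored = encryptForUpload("correct horse battery staple", SAMPLE_RECORD);
console.log("fields held by the provider:", Object.keys(stored));
console.log("owner decrypts:", decryptFromStorage("correct horse battery staple", stored));
console.log("anyone else:", decryptFromStorage("guess", stored));
```

The protection is only as strong as the passphrase and the client that handles it; a copy of the stored record can still be attacked offline by guessing passphrases.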

The Solution: Irrefutable Identity Management

Along with unbreakable data encryption, an irrefutable identity management system is also critical to a successful cyber security strategy.

As demonstrated by the Apple celebrity photo hacking scandal, all too often hackers are able to break through a company’s defenses by stealing usernames and passwords. With this type of attack becoming more common, it is wise for companies to utilize multi-factor authentication. This type of authentication can consist of a number of different options, such as biometric login. This way a company can always be sure that the person attempting to access valuable data is who they say they are.

Along with stringent log-in standards, it is also important that a company utilizes a system that sends out a notification when any malicious intent is detected. For example, if a user attempts to access files more often than approved or files they are not approved to access, it is important for an alert to be sent out before damage is done.
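One way to implement the alerting rule described above, as an added example that is not part of the original post: it flags access to files outside a user's approved folders and access beyond an approved rate. The log format, user names, policy values and 60-second window are all constructed for illustration.

```javascript
// Added example: alert on unapproved files and on more accesses than approved.
const { posix } = require("node:path");

// Hypothetical policy: approved path prefixes and accesses allowed per window.
const POLICY = new Map([
  ["nurse_a", { allowed: ["/records/ward3/"], maxPerWindow: 3 }],
  ["billing_b", { allowed: ["/billing/"], maxPerWindow: 5 }],
]);
const WINDOW_MS = 60_000;

// Constructed sample access log (the format is an assumption).
const SAMPLE_LOG = [
  "2015-02-05T10:00:00Z user=nurse_a path=/records/ward3/p1",
  "2015-02-05T10:00:10Z user=nurse_a path=/records/ward3/p2",
  "2015-02-05T10:00:20Z user=nurse_a path=/records/ward3/../ward9/p7",
  "2015-02-05T10:00:30Z user=nurse_a path=/records/ward3/p3",
  "2015-02-05T10:00:40Z user=billing_b path=/billing/inv-17",
  "2015-02-05T10:02:00Z user=nurse_a path=/records/ward3/p4",
];

function parseLine(line) {
  const m = /^(\S+) user=(\S+) path=(\S+)$/.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  return Number.isNaN(ts) ? null : { ts, user: m[2], path: m[3] };
}

function detectAlerts(lines, policy = POLICY, windowMs = WINDOW_MS) {
  const alerts = [];
  const recent = new Map(); // user -> timestamps of attempts inside the window
  for (const line of lines) {
    const ev = parseLine(line);
    const rule = ev && policy.get(ev.user);
    // Unparseable lines and users without a policy are surfaced, not dropped.
    if (!rule) { alerts.push({ type: "unknown_event", line }); continue; }
    // Normalise first so "../" cannot make a path look like an approved one.
    const normalized = posix.normalize(ev.path);
    if (!rule.allowed.some((prefix) => normalized.startsWith(prefix))) {
      alerts.push({ type: "unapproved_file", user: ev.user, path: normalized });
    }
    // Every attempt counts toward the rate, including denied ones.
    const times = (recent.get(ev.user) || []).filter((t) => ev.ts - t < windowMs);
    times.push(ev.ts);
    recent.set(ev.user, times);
    if (times.length > rule.maxPerWindow) {
      alerts.push({ type: "rate_exceeded", user: ev.user, count: times.length });
    }
  }
  return alerts;
}

console.log(detectAlerts(SAMPLE_LOG));
```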

As hackers become more sophisticated and more creative in the ways they attack, data encryption alone is no longer considered a solution. However, unbreakable data encryption (‘Zero-Knowledge’ privacy) along with irrefutable identity management together make for a significant barrier against hackers.