The August edition of Digital Health’s cyber security round up includes updates on the Capital One data breach – described as one of the biggest ever – and insights from Hiscox’s Cyber Readiness report.
Capital One has disclosed the information that was compromised in its large-scale data breach affecting millions of people in the US and Canada.
The data exposed included 140,000 social security numbers, 80,000 linked bank account numbers and “personal information” from credit card applications from 2005 through to early 2019.
The breach has been described as one of the biggest in history. Thirty-three-year-old Paige Thomas, who previously worked as a software engineer for Amazon Web Services (AWS), is currently being held by federal investigators after being charged with the crime.
According to Capital One, the data was exposed due to a mistake in the company’s cloud storage configuration settings.
Mark Tibbs, director of cyber intelligence at British law firm Mishcon de Reya, said that such mistakes were “all too common” for companies operating cloud infrastructure, due to the “complexity of modern businesses and the number of settings that need attention”.
Tibbs also suggested that the arrest of a suspect was “unusual”.
“The incident showed that Capital One responded extremely quickly to the incident,” he said.
“Due to the nature of the attack and some clumsy operational security by the alleged attacker, an arrest has been made. This is unusual in a case like this and represents a great result for law enforcement.
“Companies should, however, remain vigilant to the ever-present threat of external attackers and implement proactive measures to ensure their data, particularly sensitive customer data, is held with appropriate security measures in place to prevent their name being the next headline.”
Fire department feels the burn after data loss
The New York Fire Department has discovered that in March of this year, an employee lost a personal external hard drive that contained the details of more than 10,000 emergency patients.
The hard drive, which was unencrypted, held medical records on patients treated by the FDNY’s emergency services between 2011 and 2018.
While there is no evidence the data has been accessed, the FDNY has notified patients who may have been affected and is offering credit monitoring to 3,000 patients whose social security numbers were on the drive.
Jon Fielding, managing director EMEA of secure mobile storage specialist Apricorn, suggested the best way to protect corporate data was to mandate encryption as standard, and create strict policies around the use of removable media.
“The only storage devices that should be allowed are those that automatically hardware-encrypt all data written to them, so if a device does end up in the wrong hands the information on it will be inaccessible,” said Fielding.
“The insider threat is impossible to eradicate. It can be successfully managed, but employee education to change behaviours is vital.
“The FDNY has retrained all employees that have high-level access to sensitive health data – but this doesn’t go far enough.
All employees must be aware of the risks and consequences of data breaches – not least the huge regulatory fines that can be applied under GDPR – and they should be trained in the practical skills and knowledge they need to keep data secure.”
China goes shopping for India’s healthcare data
Hackers are suspected of obtaining 6.8 million records from an India-based healthcare website, according to threat intelligence firm FireEye.
FireEye, an IT security firm based in California, claims to have observed “multiple healthcare-associated databases” for sale on the dark web between October 2018 and March 2019, many for less than $2,000.
As reported by Gulf News, the databases, obtained from an unnamed Indian healthcare website, are said to have contained both patient and doctor information, as well as personally identifiable details and other credentials.
FireEye suggested that Chinese state action was behind the hacking activity, commenting: “In particular, it is likely that an area of unique interest is cancer-related research, reflective of China’s growing concern over increasing cancer and mortality rates, and the accompanying national health care costs.”
The findings were published in FireEye’s report, Beyond Compliance: Cyber Threats and Healthcare, which concluded that healthcare organisations face mounting attempts by criminals and state-sponsored hackers to steal data and carry out espionage operations.
“There is a potential for significant to catastrophic impacts should destructive or highly disruptive campaigns target the sector, particularly targeted against healthcare providers,” FireEye said.
Organisations still not getting the IT security message
Cyber-attacks on businesses keep rising every year, yet many companies remain unaware of their repercussions, according to findings published by Hiscox.
Hiscox’s Cyber Readiness report found that 61% of firms had suffered one or more cyber-attacks in the past year, up from 45% a year previously.
The international study also found that large firms had suffered losses of £551,000, compared with £128,000 a year earlier.
Meanwhile, cyber readiness tests conducted by Hiscox indicated that only 10% of companies were highly prepared, while 74% were ranked as unprepared ‘novices’.
Gareth Wharton, Hiscox Cyber CEO, commented: “This is the third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms report one or more cyber-attacks in the past 12 months.
“Where hackers formerly focused on larger companies, small and medium-sized firms now look equally vulnerable. The cyber threat has become the unavoidable cost of doing business today.
“The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber insurance policy.”
PHIN finds out its mailbox was hacked
The Private Healthcare Information Network (PHIN) has apologised to recipients of spam emails that were sent out after one of its mailboxes was hacked.
According to the organisation, its email@example.com mailbox was “accessed inappropriately” at some point in July and was then used to send malicious spam emails to recipients.
PHIN suggested that a “very small number” of website users may have been put at risk following the breach, and urged recipients not to click on any links and to delete any suspicious emails.
In a statement on its website, PHIN said: “We take security extremely seriously and maintain strict processes to limit the vulnerability of our systems to attack. We have secured the mailbox and an investigation is underway.
“A very small number of legitimate website users have potentially been affected by this incident, where email addresses may have been visible to the hacker. At this stage there is no evidence that those email addresses have been targeted in any way. No other mailboxes or systems have been affected. All patient data and consultant information is held on different systems that remain unaffected.
“We offer sincere apologies to anyone potentially impacted by this breach. We have informed the Information Commissioner’s Office (ICO) and will be contacting anyone potentially impacted over the next few days.”