[ISN] How a community hospital CIO stays ahead of the security curve

http://healthitsecurity.com/2014/04/03/how-a-community-hospital-cio-stays-ahead-of-the-security-curve/

By Patrick Ouellette
Health IT Security
April 3, 2014

When a smaller community hospital doesn’t necessarily have the same level of funding and resources as a larger hospital or healthcare network, it’s forced to maximize what it already has in place while staying in line with federal regulations. In many ways, the type of privacy and security work required of community hospitals may be comparable to a small-market sports team competing against teams that are consistently replete with resources.

Jeff Brown, Lawrence General Hospital CIO, explained to HealthITSecurity.com during a recent interview how he and his team deal with the realities of data breaches and potential federal audits on a somewhat limited IT security budget. Brown maintains that his challenges at Lawrence General, of Lawrence, Mass., are representative of the thousands of community hospitals throughout the country. Simultaneously, privacy and security are at the forefront of every CIO’s mind because, Brown said, they are the “custodians” of the data. But to fill some of those gaps, Lawrence General is innovative on the program side.

Lawrence General doesn’t have a formal Chief Information Security Officer (CISO); instead, Brown serves as the de facto CISO and there’s a separate Privacy Officer, who is a domain expert. Though this is fairly standard practice for smaller community hospitals, Brown said Lawrence General’s robust information security (IS) program and team help set it apart from other organizations. Brown, of course, must maintain an equilibrium when working with new technology products and building a secure infrastructure.

[…]





[ISN] U.S. States Investigating Breach at Experian

http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/

By Brian Krebs
krebsonsecurity.com
April 3, 2014

An exclusive KrebsOnSecurity investigation detailing how a unit of credit bureau Experian ended up selling consumer records to an identity theft service in the cybercrime underground has prompted a multi-state investigation by several attorneys general, according to wire reports.

Reuters moved a story this afternoon quoting Illinois Attorney General Lisa Madigan saying that “it’s part of a multistate investigation,” and that Connecticut Attorney General George Jepsen said that Connecticut is looking into the matter as well.

News of the breach first came to light on this blog in October 2013, when KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus.

Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty last month to running an identity theft service out of his home in Vietnam. Ngo was arrested last year in Guam by U.S. Secret Service agents after he was lured into visiting the U.S. territory to consummate a business deal with a man he believed could deliver huge volumes of consumers’ personal and financial data for resale.

[…]



[ISN] Security pros talk about playing defense against cybercrime

http://www.networkworld.com/news/2014/040314-cybercrime-280395.html

By Ellen Messmer
Network World
April 03, 2014

Security professionals are playing defense against cybercrime, and often feel outgunned by tech-savvy hackers and insiders out to steal sensitive data from within the business. They see a shortage of qualified security personnel to call on, but also believe that threat-detection tools are getting better.

Those were sentiments shared today by security experts from two large financial services companies, Citi and AIG, together with a special agent of the FBI at a panel discussion at Pace University in New York. When asked about the kind of things that worry them most, they were quick to point to the kind of attacks that are hard to stop and the difficulty in chasing cybercriminals around the globe.

“Zero-day vulnerabilities bringing down the network,” said Bernadette Gleason, North American eCrime laboratory manager at Citi. Use of zero-day attacks by cybercriminals gives them the advantage because they can exploit unknown vulnerabilities. “We’ve seen this happen and try to mitigate against it.” Like many businesses, Citi applies a defense-in-depth strategy but there’s also the realization that the financial services industry has to do better at “consumer awareness” by helping educate the public more about cybercrime, without confusing people with technical terms, she added.

[…]



[ISN] ‘Bounty Hunter’ Earns Record Payout, and Job, from Facebook

http://blogs.wsj.com/digits/2014/04/03/bounty-hunter-earns-record-payout-from-facebook/

By REED ALBERGOTTI
Digits
The Wall Street Journal
April 3, 2014

Reginaldo Silva was poring over computer code in November when the one-time software engineer found what he thought was a security loophole on Facebook’s servers. The discovery led to the largest “bug bounty” ever paid by the company, and a job for Silva as an engineer at Facebook.

Silva earned $33,500 for notifying Facebook of the flaw, which he said could have allowed a hacker to enter Facebook’s servers and execute code. In a worst-case scenario, the breach could have allowed the hacker to access Facebook accounts or even spread a computer virus to members. A Facebook spokesman said any manipulation of its servers would have been quickly identified and stopped by the company.

Facebook employs hundreds of engineers who ferret out loopholes and bugs, but like many companies offers rewards to “white hat” hackers who find undetected chinks in the digital armor. “They’ve found things we wouldn’t have found,” says Alex Rice, head of product security at Facebook. “The bounty program has by far been the best tool we have for identifying bugs that make it out into the wild.”

[…]

