Tag Archives: October

[ISN] EHR audit catches snooping employee

http://www.healthcareitnews.com/news/ehr-audit-catches-snooping-employee
By Erin McCann
Managing Editor
Healthcare IT News
January 26, 2015

Electronic health records not only enable faster access to real-time patient data; they also make it a heck of a lot easier to catch snooping employees who inappropriately view patients’ confidential information, as one California hospital has observed this past week. Officials at the 785-bed California Pacific Medical Center in San Francisco – part of Sutter Health system – notified a total of 844 patients Jan. 23 after discovering a pharmacist employee had been inappropriately snooping on patients’ medical data for an entire year. The incident was discovered after the hospital conducted an EHR audit back in October 2014, when it was first discovered only 14 individuals had had their PHI compromised. Following an “expanded investigation,” hospital officials discovered the HIPAA breach was significantly larger than they had originally found, with 844 additional patients being identified as having their information inappropriately accessed. The staff member, whose employment has since been terminated, snooped on patient records from October 2013 to October 2014, including patient demographics, clinical diagnoses, prescription data and clinical notes. […]





[ISN] NOAA Employee Charged With Computer Breach Met Senior Chinese Official in Beijing

http://freebeacon.com/national-security/noaa-employee-charged-with-computer-breach-met-senior-chinese-official-in-beijing/
By Bill Gertz
The Free Beacon
January 6, 2015

A federal weather service employee charged with stealing sensitive infrastructure data from an Army Corps of Engineers database met a Chinese government official in Beijing, according to court documents that reveal the case to be part of an FBI probe of Chinese economic espionage. Xiafen “Sherry” Chen, an employee of the National Oceanic and Atmospheric Administration (NOAA) office in Ohio, was arrested in October and charged in a federal grand jury indictment with illegally accessing the Army’s National Inventory of Dams (NID). The NID is a sensitive database containing information on all U.S. dams. U.S. intelligence officials have said the database was compromised by Chinese hackers in 2013 as part of covert efforts by Beijing to gather sensitive information on critical U.S. infrastructure for possible use in a future conflict. According to an FBI document in the case made public Dec. 30, Ms. Chen and Jiao Yong, an official of the Ministry of Water Resources in Beijing, exchanged a series of emails in May 2012 indicating that the two met in Beijing that year and that she was searching for, and would provide, dam-related information for him. […]



[ISN] Google’s ‘security princess’ helped White House after hack

http://mashable.com/2015/01/06/google-security-princess-white-house-hack
By Lorenzo Franceschi-Bicchierai
Mashable.com
Jan 6, 2015

After hackers breached its internal network in late October, the White House got the help of a Google security engineer, Parisa Tabriz, the company’s self-proclaimed “security princess.” Tabriz was tapped by the newly founded U.S. Digital Service, a tech task force for the government which launched in August, as a consultant for a “Top Secret / Classified project” to improve the network of the White House and the Executive Office of the President, according to an earlier version of her own resume, which has since been edited. Tabriz’s work for the White House on computer security has not been publicly reported before. Her resume entry was spotted on Monday by American Civil Liberties Union Principal Technologist Christopher Soghoian, who in the past exposed the FBI hacking techniques scouring the LinkedIn profiles of government contractors. […]



[ISN] Cybersecurity Seen as DoD Priority Under Carter

http://www.govinfosecurity.com/cybersecurity-seen-as-dod-priority-under-carter-a-7634
By Eric Chabrow
Gov Info Security
December 3, 2014

Ashton Carter is a Ph.D. physicist and an expert in nuclear weaponry and procurement, but the likely defense secretary nominee understands that cyberdefense must be a priority in running the Pentagon. “Cybersecurity won’t get lost,” says Jane Holl Lute, who as deputy secretary of the Department of Homeland Security worked closely with Carter when he was Defense Department deputy secretary. “He understands the importance of the issues, the need for collaborative action. He understands the role defense has, and homeland security, that lies at the heart of effective cybersecurity.” Carter served as deputy defense secretary from October 2011 to December 2013. Before becoming deputy secretary, Carter served as DoD undersecretary for acquisition, technology and logistics from April 2009 to October 2011. Those who have worked with and know Carter say he will utilize his vast knowledge of the workings of the Pentagon if he’s confirmed as defense secretary, succeeding Chuck Hagel, who is stepping down. […]



[ISN] The US government is hacking Healthcare.gov to make sure it’s secure

http://www.theverge.com/2014/11/6/7171347/the-us-government-is-hacking-healthcare-gov-to-make-sure-its-secure
By Rich McCormick
Daily Mail
November 6, 2014

The launch of Healthcare.gov, the US government’s health insurance website, was beset with technical problems so severe that only six people were able to enroll on its first day in October 2013. Ahead of a second enrollment period, beginning on November 15th, government officials are launching cyberattacks against the revamped site to make sure the same crippling bugs and security holes don’t appear again. Andy Slavitt, hired to oversee the Centers for Medicare and Medicaid Services’ Healthcare.gov program, says that groups of white-hat hackers in his team are conducting weekly attacks on the network that simulate real hacking attempts, in order to probe for weak points and bolster its defenses. Flaws in the previous incarnation of Healthcare.gov were exposed earlier this year when a security researcher reportedly obtained 70,000 medical records through a Google search. […]



[ISN] Banks’ Concerns About Cyberthreats Grow

http://www.bankinfosecurity.com/banks-concerns-about-cyberthreats-grow-a-7486
By Tracy Kitten
Bank Info Security
October 28, 2014

Banking leaders say they’re substantially more concerned today than they were just six months ago about cyber-attacks and geopolitical threats aimed at the global financial system. That’s according to a report covering results of a survey conducted during the third quarter and published last week by the Depository Trust & Clearing Corp. The DTCC provides clearing and settlement services for banking institutions. Participants in the survey included financial stakeholders from throughout the world. Since March, when the DTCC last conducted its Systemic Risk Barometer survey, more global banking leaders say they see ongoing cyber-risks as posing increasing concern. They rate cyberthreats as the No. 1 systemic risk facing the global economy today. Banking institutions and other financial services firms surveyed by the DTCC say that in the past 12 months, they have increased their investments in systems and technologies designed to monitor and mitigate systemic risks, such as cyber-attacks and economic recessions that could collapse the global financial system. […]



[ISN] Retailers accuse credit unions of talking smack about card breaches

http://arstechnica.com/security/2014/10/retailers-accuse-credit-unions-of-talking-smack-about-card-breaches/
By Sean Gallagher
Ars Technica
Oct 30, 2014

Reeling from the bad press associated with an ongoing parade of data breaches caused by criminal infiltration of their payment systems, representatives of six retail industry associations signed a joint open letter that pushes back against a vocal critic of retailers’ cyber-security practices—credit union associations. In the letter addressed to the presidents of the Credit Union National Association (CUNA) and the National Association of Federal Credit Unions (NAFCU), retail industry representatives accused the associations of spreading “a number of misleading and factually inaccurate points… in the media and before Congress in regards to the cyber security in our country.” The industry group executives insisted that retailers already share the burden of dealing with the cost of lost data—at least to the degree that they are contractually obliged by credit card organizations. But given how much they actually do pay, the retailers may protest too much.

Unsafe at any register

The letter is a direct response to comments made in a letter to House Homeland Security Committee chairman Rep. Michael McCaul (R-TX) by Carrie Hunt, the NAFCU’s senior vice president of government affairs, posted on October 28. In her letter, Hunt called out the retail industry for not carrying enough of the burden associated with the loss of customers’ financial data. While credit unions and other financial institutions are subject to strict standards and regulations on handling sensitive customer financial data, Hunt wrote, “retailers and many other entities…are not subject to these same standards, and they become victims of data breaches and data theft all too often. While these entities still get paid, financial institutions bear a significant burden as the issuers of payment cards used by millions of consumers.” […]



[ISN] Did Drupal Drop The Ball? Users Who Didn’t Update Within 7 Hours ‘Should Assume They’ve Been Hacked’

http://www.forbes.com/sites/thomasbrewster/2014/10/30/did-drupal-drop-the-ball-users-who-didnt-update-within-7-hours-should-assume-theyve-been-hacked/
By Thomas Fox-Brewster
Forbes.com
10/30/2014

Hackers are remarkably quick off the mark. Drupal, the creator of the eponymous content management system that millions use the world over, now knows that all too well. In mid-October it patched a SQL injection flaw, which could be exploited by tricking a database into coughing up data from its tables and columns using the SQL language. But yesterday, it said that thanks to an automated attack that hit up as many Drupal sites containing the vulnerability as quickly as possible, anyone who didn’t update to version 7.32 within seven hours of its release should assume they’ve been hacked. The bombshell was officially dropped in an advisory late yesterday, ranked ‘Highly Critical’. And for all those users concerned, updating to version 7.32 or applying the patch fixes the vulnerability but will not fix a compromised website, the warning read. It gets a little worse, as Michael Hess of the Drupal security team notes: “If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.” Hackers who broke into Drupal-based sites may have done all kinds of nasty things, from installing backdoors to simply grabbing all data on that site. They might even be able to use their leverage to compromise other websites and apps hosted on the same server, escalating their attacks. Put simply, this could be catastrophic for victims. SQL injection is one of the most commonly used attack methods on the planet. Tools like sqlmap automate such attacks requiring little technical skill of the hacker, yet lead to devastating results. […]

