Healthcare Cybersecurity

HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security

The House Committee on Energy and Commerce has urged the HHS to act on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force, calling for prompt action to be taken to address risks.

The Cybersecurity Act of 2015 required Congress to form the Healthcare Cybersecurity Task Force to help identify and address the unique challenges faced by the healthcare industry when securing data and protecting against cyberattacks.

While healthcare organizations are increasing their spending on technologies to prevent cyberattacks, medical devices remain a major weak point and could easily be exploited by cybercriminals to gain access to healthcare networks and data.

Earlier this year, the Healthcare Cybersecurity Task Force made a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet acted on all of the recommendations. The House Committee on Energy and Commerce has now urged the HHS to take action on all the Cybersecurity Task Force’s recommendations.

Last week, Greg Walden (D-Or), Chair of the House Committee on Energy and Commerce, wrote to the HHS, explaining one of the main problems with new technologies is a lack of understanding of their hardware, software, and components.

In the letter, Walden explained, “Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care.”

As Walden explained, the NotPetya and WannaCry ransomware attacks proved that to be the case. Those attacks leveraged a vulnerability in Windows Server Message Block (SMBv1), and following the attacks, healthcare organizations were scrambling to determine which technologies within their networks leveraged SMBv1 to allow them to mitigate risk. That task was made all the more difficult, as information on technologies that leveraged SMBv1 was lacking or was simply unavailable.

Those ransomware/wiper attacks are just two examples. It was the same situation for the SamSam ransomware attacks that leveraged a vulnerability in JBoss, while in 2015, vulnerabilities in the Telnet protocol were discovered. Telnet was used in many medical devices, although the devices that used Telnet was not abundantly clear.

“The existence of insecure or outdated protocols and operating systems within medical technologies is a reality of modern medicine. At the same time, however, this leaves healthcare organizations vulnerable to increasingly sophisticated and rapidly evolving cyber threats,” wrote Walden.

Walden pointed out that the Cybersecurity Task Force has called for a Bill of Materials as a possible solution to the problem. The Bill of Materials would exist for all medical technologies, which detail all the components, software, hardware and protocols used, and any known risks associated with those components. Such a Bill of Materials would make it much easier for healthcare organizations to make security decisions, and mitigate risk when new vulnerabilities are identified.

Having a Bill of Materials for all technologies would not completely protect the healthcare industry, but Walden explains it is a “common sense step” to improving cybersecurity in the industry as a whole.

The HHS has been urged to convene a sector-wide effort to develop a plan for the creation and deployment of BOMs. Walden called for a plan of action be provided by the HHS no later than December 15, 2017.

The post HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security appeared first on HIPAA Journal.

Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks

A recent study conducted by the Ponemon Institute has highlighted current endpoint security trends, details the ever-present threat from ransomware, and shows that fileless malware attacks are on the rise.

Each year, endpoint attacks cost the healthcare industry more than $1 billion. The high cost of mitigating attacks and the growing threat means endpoint security should be a priority for healthcare organizations. Unfortunately, many healthcare organizations are continuing to rely on traditional cybersecurity technologies, which fail to adequately protect against new threats. Further, investment in cybersecurity defenses often involves doubling down on existing technologies, rather than strategic spending on new technologies that are far more effective at reducing the risk of endpoint attacks.

The Barkly-sponsored study was conducted on 665 IT and security professionals. 54% of respondents said they had experienced at least one successful endpoint attack in the past 12 months. Ransomware attacks are rife. More than half of respondents said they had experienced at least one successful ransomware attack this year, while 40% of respondents said they had experienced multiple ransomware attacks.

Oftentimes, organizations pay the ransom to quickly regain access to their data, others are faced with no alternative but to pay the ransom. 65% of surveyed companies reported that they had paid a ransom demand to regain access to their files. The average ransom payment was $3,675.

The threat from ransomware is unlikely to go away. As long as the attacks are profitable, they will continue. A recent report from Cybersecurity Ventures suggests worldwide ransomware damages will reach $5 billion this year and will rise to $11.5 billion in 2019. To put those figures into perspective, the cost of ransomware attacks in 2015 was $325 million.

One of the most worrying endpoint security trends highlighted in the Ponemon Institute report was fileless malware.  Fileless malware attacks have increased considerably in the past 12 months. Out of all organizations that reported experiencing at least one endpoint attack, 77% said at least one of those attacks involved an exploit or fileless malware. Overall, 29% of organizations have experienced a fileless malware attack, a rise of 20% from last year. Ponemon also reports that fileless malware attacks are also 10 times more likely to succeed than other types of malware attacks.

The cost of endpoint attacks is considerable. On average, it costs $301 per employee to mitigate an attack – or $5,010,600 per company, per year, on average. The healthcare industry alone has spent $1.3 billion in the past year mitigating endpoint attacks. Those costs are broken down as 30% due to loss of productivity, 25% due to system downtime, and 23% due to theft of information assets.

Preventing endpoint attacks is seen as a major problem, with more than half of respondents (54%) not believing that endpoint attacks can actually be stopped. Antivirus solutions are necessary to prevent malware infections, although they are rarely effective against current threats such as fileless malware.

“This survey reveals that ignoring the growing threat of fileless attacks could be costly for organizations,” said Ponemon Institute Chairman and Founder Dr. Larry Ponemon. “The cost of endpoint attacks in the companies represented in this study could be as much as $5 million, making an enterprise-wise endpoint security strategy more important than ever.”

The shortfalls of AV software have led many companies to invest in new technologies such as endpoint detection and response solutions, although those solutions do not prevent attacks, only limit the harm caused when they do occur.

50% of companies said they are planning to replace or augment their current endpoint security systems with new tools, although many respondents said they are experiencing problems with endpoint security systems, such as a high false positive rate, complex management of the solutions, and even when solutions are deployed, there are many protection gaps.

The post Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks appeared first on HIPAA Journal.

Patches Released to Address Critical Intel Firmware Vulnerabilities

Patches have been released to address several Intel firmware vulnerabilities that affect 6th, 7th and 8th Generation Intel Core processors, and Xeon, Atom, Apollo Lake, and Celeron processors.

While the patches have been released by Intel, it is likely to take days or weeks before they can be applied. Intel processors are used by a wide variety of PC and laptop manufacturers, which are now required to customize the patches to ensure they are compatible with their systems.

The patches were released late on Monday to fix vulnerabilities that could potentially be exploited by attackers to load and run arbitrary code outside the operating system, unbeknown to users.

If exploited, attackers could crash systems, cause system instability, or gain access to privileged system information. Millions of PCs and servers around the world have these vulnerabilities and require the patches to be applied. Most organizations around the world will have at least one device containing one of the Intel firmware vulnerabilities.

The vulnerabilities have been assigned eight CVEs, four affect Intel Manageability Engine Firmware (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712) two affect Server Platform Service 4.0.x.x (CVE-2017-5706, CVE-2017-5709), and two affect Intel Trusted Execution Engine 3.0.x.x (CVE-2017-5707. CVE-2017-5710). The ME, SPS, and ITE systems are embedded firmware that provide management and code integrity checks on intel powered hardware.

Four of the bugs were identified by security researchers at Positive Technologies, prompting Intel to conduct a full review, which revealed a further four Intel firmware vulnerabilities.

The good news is that in order for the vulnerabilities to be exploited, access to the device would be required. While insiders could run any code on the Management Engine by exploiting the vulnerabilities, it is possible that if other vulnerabilities exist, they could be leveraged by external actors to exploit the vulnerabilities without the need for a local user at a vulnerable device.

The flaws in the Management Engine (ME) are serious because ME is the basis for trust on a system. The ME performs checks on devices to ensure firmware hasn’t been updated or tampered with, so vulnerabilities in the Management Engine could be exploited to change the way the checks are performed.

For example, if a firmware update is attempted, the ME could report that the update has been applied, when it hasn’t. System administrators would believe that devices have been patched, when they remain vulnerable.

Further, since the ME is never switched off, unless power is totally cut to a device, even if the operating system is rebooted, the ME may remain compromised.

Unfortunately, there are no real workarounds other than applying the patches. Manufacturers are now working on customizing Intel’s patches, although since the vulnerabilities affect multiple processors, the process of customizing patches, testing them, and rolling them out could take several weeks.

Lenovo and Dell have already published lists with more than 100 affected systems, with the former expecting to roll out its patched by the end of the month.

Currently it is not believed that any of the vulnerabilities are being actively exploited, although that is almost certain to change over the coming weeks.

A tool has been released to check for the Intel firmware vulnerabilities detailed in security bulletin INTEL-SA-00086, which can be downloaded from the Intel website on this link.

The post Patches Released to Address Critical Intel Firmware Vulnerabilities appeared first on HIPAA Journal.

3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group

A man linked to the hacking group TheDarkOverlord has been sentenced to serve three years in jail for fraud and blackmail offenses, although not for any cyberattacks or extortion attempts related to the The Dark Overlord gang.

Nathan Wyatt, 36, from Wellingborough, England, known online as the Crafty Cockney, pleaded guilty to 20 counts of fraud by false representation, a further two counts of blackmail, and one count of possession of a false identity document with intent to deceive.

Last week, at Southwark Crown Court, Wyatt was sentenced to serve three years in jail by Judge Martin Griffiths. At the sentencing hearing, Judge Griffiths suggested Wyatt was responsible for many more crimes other than those pursued via the courts. Some of those offenses are related to the TheDarkOverlord.

In September last year, Wyatt was arrested for attempting to broker the sale of photographs of Pippa Middleton, which had been obtained from a hack of her iPhone. Pippa Middleton is the sister of the Duchess of Cambridge. The charges in relation to that incident were dropped and Wyatt maintains he was not responsible for the hack.

During the course of that investigation, Wyatt’s computer was seized. An analysis of the device revealed he had been involved in other crimes. Initially, Wyatt was arrested for using a false identity document and fraud offenses in January this year, and was arrested a second time in March for blackmail offenses.

Police discovered that Wyatt had used stolen credentials to apply for a payment card, although the application was denied. Wyatt had also used his deceased step father’s credit card to make a string of online purchases, including purchases of computer games and mobile phones. Wyatt racked up debts in the region of £4,750 on the card, according to the Northamptonshire Telegraph.

An extortion attempt saw Wyatt use the name “The Dark Overlords” on a ransom demand in which he attempted to obtain a payment of €10,000 in Bitcoin from a UK legal firm. Wyatt stole around 10,000 files from the unnamed Humberside law firm using malware to gain access to the files on the law firm’s server.

In that extortion attempt, Wyatt said that he was planning to sell the stolen files to buyers in Russia and China if the ransom demand wasn’t paid. The files included scans of driver’s licenses and passports. It is unclear whether Wyatt hacked the law firm or if he used stolen credentials to gain access to its system to install malware.

Wyatt’s partner, Kelly Walker, 35, was also arrested and charged with handling stolen goods and encouraging or assisting offenses, but she was acquitted when prosecutors failed to provide any evidence to support the charges.

It is unclear whether Wyatt was a core member of the Dark Overlord hacking group, a fringe player, or if he was a copycat that used the group’s name. Dissent from Databreaches.net pointed out in a recent blog post that Wyatt was allegedly supposed to make a call to one of the Dark Overlord’s victims in Georgia to put pressure on the clinic to pay the ransom demand. Wyatt was also allegedly responsible for opening back accounts in the UK on behalf of the Dark Overlord to take payments sent from hacking victims in the United States.

Wyatt is likely to be released in 18 months. In the UK, prisoners serving between 1 and 4-year jail terms are usually released after they have served half of their sentence, with the rest of the sentence served on probation. Wyatt has not been charged for any offenses in the United States.

The post 3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group appeared first on HIPAA Journal.

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October.

The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net.

Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed.

Including the 150,000 individuals impacted by largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017.

The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the past few months hacking has been the leading cause of breaches. That trend has continued in October. Hacking was behind 35.1% of all incidents, insider incidents accounted for 29.7% of the total, with the loss and theft of devices behind 16.2% of incidents. The causes of the remaining 18.9% of breaches is not yet known.

While hacking incidents usually result in more records being exposed or stolen, in October insider errors exposed more healthcare data. 65% of all breached records involved insider errors.

157,737 individuals had their PHI exposed due to insider errors and insider wrongdoing, while hacks resulted in the theft of 56,837 individuals’ PHI. Protenus notes that three incidents were due to the hacking group TheDarkOverlord.

In total, there were 11 breaches that were the result of insiders – five  due to errors and six due to insider wrongdoing. The biggest breach involving insider error was the failure to secure an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports – containing the PHI of at least 150,000 individuals: One of two such incidents reported in October that involved unsecured AWS S3 buckets.

Another insider incident involved the mailing of flyers to individuals where PHI was visible through the envelope – A major incident that potentially caused considerable harm, as the information viewable related to patients’ HIV status.

The average time taken from breach to discovery was 448 days in October. The median time was 304 days, showing healthcare organizations are still struggling to detect data breaches rapidly.

Two HIPAA-covered entities reported breaches to OCR well outside the 60-day deadline stipulated in the HIPAA Breach Notification Rule. One of those incidents was reported three years after the breach was detected. In that case, the breach involved a nurse who was stealing patient records and using the information to file false tax returns. The median time from discovery to reporting was 59 days.

Healthcare providers reported 29 incidents, there were 7 incidents reported by health plans, one breach was reported by a school. Four incidents were known to involve a business associate.

California and Florida were the worst hit states in October with four incidents apiece, followed by Texas and New York.

The post November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches appeared first on HIPAA Journal.

Cybersecurity in Healthcare Report Highlights Sorry State of Security

Infoblox has released a new cybersecurity in healthcare report which has revealed many healthcare organizations are leaving themselves wide open to attack and are making it far too easy for hackers to succeed.

The cybersecurity in healthcare report was commissioned to help determine whether the healthcare industry is prepared to deal with the increased threat of cyberattacks. Healthcare IT and security professionals from the United States and United Kingdom were surveyed for the report

The report highlighted the sorry state of cybersecurity in healthcare and revealed why cyberattacks so commonly succeed. Devices are left unprotected, outdated operating systems are still in use, many healthcare organizations have poor visibility into network activity, employees are not being trained to identify threats, and there is apathy about security in many organizations.

The Poor State of Cybersecurity in Healthcare

The use of mobile devices in hospitals has increased significantly in recent years. While the devices can help to improve efficiency, mobile devices can introduce considerable risks. 47% of the large healthcare organizations that were surveyed were using more than 5,000 devices on their networks. Securing so many devices and ensuring they are kept up to date and fully patched is a major challenge for healthcare IT and security professionals, but many organizations are unaware of all of the devices that are connecting to their networks.

Ransomware is a major issue for the healthcare industry. The scale of recent ransomware attacks has put many healthcare organizations on alert, and most hospitals are now in a much better position to deal with attacks when they occur. In the United Kingdom, 15% of respondents said they do not have a plan that could be implemented in the event of a ransomware attack. The lack of planning can result in far greater disruption when an attack occurs.

One in five respondents said devices were in use that were running on Windows XP, even though the operating system has been retired and has not been supported since April 2014. 22% said they were still using Windows 7, which had vulnerabilities that were exploited in the WannaCry attacks. Only 57% of organizations said they were patching their systems at least once a week.

18% of respondents said they had medical devices with unsupported operating systems. Infoblox drew attention to the fact that 7% of respondents didn’t know what operating system that their medical devices are running on, and out of those who do, 26% of large organizations said that they either don’t know or don’t care if they can update those systems.

Those findings make it no surprise that attacks like WannaCry occurred and hit the healthcare industry in the UK so hard.

Cybersecurity Spending is Increasing, but Money is Not being Spent Strategically

The report shows that healthcare organizations are responding to the elevated threat of cyberattacks by investing more heavily in security. 85% of healthcare organizations have increased cybersecurity spending in the past year, and 12% say they have increased spending by more than 50%.

The two technologies that are most commonly chosen are anti-virus solutions (61%) and firewalls (57%), with half of surveyed organizations also having invested in network monitoring technology to identify malicious network activity. Application security solutions are also a popular choice, chosen by 37% of organizations, while one third have invested in DNS security solutions to block data exfiltration and disrupt DDoS attacks.

In the United States, approximately half of healthcare professionals said they had started encrypting their data, compared to 36% in the UK.  Healthcare organizations are now realizing the benefits of providing security awareness training to staff, although worrying, only 35% do. PhishMe reports that more than 90% of cyberattacks start with a phishing email, yet only 33% said they had invested in email security solutions.  Signing up to threat intelligence services can help organizations be more proactive about cybersecurity, yet only 30% of respondents said they had signed up to receive threat intelligence reports.

Recommendations to Improve Cybersecurity in Healthcare

Based on the findings of the report, Infoblox made several recommendations for healthcare organizations to help them mitigate the threat of cyberattacks.

Those recommendations include planning to update operating systems to supported versions. The short-term issues that software updates create are far better than the widespread disruption caused by cyberattacks that exploit vulnerabilities on those outdated systems.

Organizations were advised to know their networks better – the operating systems in use, the devices that are allowed to connect to the network, and the importance of monitoring network activity to detect intrusions.

Organizations must plan for ransomware attacks to minimize disruption. 15% of healthcare organizations still do not have a plan in place to respond if ransomware is installed, even with the elevated threat of attacks on healthcare organizations.

IT security budgets may be increasing, but those budgets must be spent wisely. Investing more money in traditional defenses may not be the best use of budgets.

“Digital transformation presents a massive opportunity to support the doctors and nurses who work tirelessly – but these new technologies also introduce new cyber risk that must be mitigated,” said Rob Bolton, Director of Western Europe at Infoblox. “It’s crucial that healthcare IT professionals plan strategically about how they can manage risk within their organization and respond to active threats to ensure the security and safety of patients and their data.”

The post Cybersecurity in Healthcare Report Highlights Sorry State of Security appeared first on HIPAA Journal.

In What Year Was HIPAA Passed into Legislature?

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill.

Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud.

Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – A decade after HIPAA was first introduced.

There have been several important dates in the past two decades since HIPAA was originally passed – Notably the introduction of the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule.

The HIPAA Privacy Rule introduced many provisions to better protect the privacy of patients. The Security Rule was primarily concerned with the security of electronic protected health information. The Breach Notification Rule ensures that all breaches of protected health information are reported, while the Omnibus Rule introduced a broad range of changes, including new requirements required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Four key updates to HIPAA legislation are detailed below.

The Privacy Rule of HIPAA Passed into Legislature

The Privacy Rule of HIPAA was passed into legislature on December 28, 2000. The official name of the update to HIPAA is the “Standards for Privacy of Individual Identifiable Health Information.” The HIPAA Privacy Rule compliance date was April 14, 2003.

The HIPAA Privacy Rule details the allowable uses and disclosures of protected health information without first obtaining consent from patients. The HIPAA Privacy Rule also gives patients the right to obtain copies of their health data from HIPAA-covered entities.

The Security Rule of HIPAA Passed into Legislature

The Security Rule of HIPAA was passed into legislature on April 21, 2003, although the effective date was not until April 21, 2005. While the HIPAA Privacy Rule was concerned with all forms of protected health information, the HIPAA Security Rule is primarily concerned with the creation, use, storage and transmission of electronic PHI. The HIPAA Security Rule requires administrative, physical, and technical safeguards to be introduced to keep PHI secure. The Security Rule also introduced requirements for when PHI is no longer required.

The Breach Notification Rule of HIPAA Passed into Legislature

The HIPAA Breach Notification Rule came from the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed on February 17, 2009. The HIPAA Breach Notification Rule took effect from August 24, 2009.

The Breach Notification Rule requires HIPAA-covered entities to submit notifications of breaches of protected health information to the Secretary of the Department of Health and Human Services within 60 days of the discovery of a breach if the breach involved 500 or more records. Smaller breaches must still be reported, no later than 60 days after the end of the year in which the breach was discovered. The Breach Notification Rule also requires notifications of a breach to be sent to affected patients within 60 days of the discovery of the breach.

The Omnibus Rule of HIPAA Passed into Legislature?

The HIPAA Omnibus Final Rule was issued on January 17, 2013. The HIPAA Omnibus Rule introduced several changes to the HIPAA Privacy, Security, and Breach Notification Rules.

One of the most important changes affected HIPAA business associates – individuals or entities that are contracted to HIPAA-covered entities to provide services that require access to PHI.

Since the passing of the HIPAA Omnibus Rule, business associates of HIPAA-covered entities, and their subcontractors, must implement safeguards to protect ePHI as required by the HIPAA Security Rule. Since the introduction of the Omnibus Rule, business associates of HIPAA-covered entities can be fined directly for HIPAA violations.

Another important update was clarification of “significant harm.” Prior to the introduction of the Omnibus Rule, many covered entities failed to report breaches as there was determined to have been no significant harm caused to patients as a result of the breach. After the Omnibus Rule, covered entities must be able to prove there was no significant harm if they decide not to report a breach.

Infographic Summary of Milestones in the History of HIPAA

In addition to the above major changes to HIPAA legislation, there have been numerous milestones in the history of HIPAA, which have been summarized in the infographic below. The infographic details legislation changes, clarifications of HIPAA Rules, major enforcement actions, and HIPAA audits – Click the image below to view the graphic in full size.

HIPAA History

The post In What Year Was HIPAA Passed into Legislature? appeared first on HIPAA Journal.

MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its cloud server that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured.

While Amazon will sign a business associate agreement with HIPAA-covered entities, and has implemented appropriate controls to ensure data can be stored securely, but user errors can all too easily lead to data exposure and breaches. Those breaches show that even HIPAA-compliant cloud services have potential to leak data.

This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI.

In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed data. While there are reasons why organizations would want their Amazon S3 buckets accessible over the Internet without the need for authentication, in most cases stored data should be protected.

To reduce the potential for data exposure, Amazon is implementing a warning system that will alert users when authentication controls are not active. A bright orange button will now appear throughout the AWS console to alert users when their S3 buckets are accessible without the need for authentication. Administrators will be able to control the privacy settings of each S3 bucket using an access control list, and publicly available buckets will be clearly displayed. Daily and weekly reports will also highlight which buckets are secure, and which are accessible by the public.

MongoDB Update Makes Databases Secure by Default

In addition to the data breaches resulting from exposed Amazon S3 buckets, many organizations have reported breaches involving unsecured MongoDB databases this year. Worldwide, more than 27,000 organizations had their databases accessed, data stolen, and their databases deleted. The attackers issued demands for payment to return the stolen data.

While MongoDB incorporates all the necessary safeguards to prevent unauthorized accessing of databases, those safeguards must be activated. Many organizations failed to realize that the default configuration was not secure.

MongoDB has responded to the breaches and has taken the decision to implement default security controls for the new version of the database platform, which is scheduled to be released next month. MongoDB 3.6 will only have localhost enabled by default. Users that require their databases to be accessible over the internet will be required to switch on that feature. Doing so will make the databases accessible by anyone, so to restrict access, authentication controls will need to be manually switched on. The new secure default configuration will make it harder for data to be accidentally exposed online.

The post MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches appeared first on HIPAA Journal.

2017 Data Breach Report Reveals 305% Annual Rise in Breached Records

A 2017 data breach report from Risk Based Security (RBS), a provider of real time information and risk analysis tools, has revealed there has been a 305% increase in the number of records exposed in data breaches in the past year.

For its latest breach report, RBS analyzed breach reports from the first 9 months of 2017. RBS explained in a recent blog post, 2017 has been “yet another ‘worst year ever’ for data breaches.”

In Q3, 2017, there were 1,465 data breaches reported, bringing the total number of publicly disclosed data breaches up to 3,833 incidents for the year. So far in 2017, more than 7 billion records have been exposed or stolen.

RBS reports there has been a steady rise in publicly disclosed data breaches since the end of May, with September the worst month of the year to date. More than 600 data breaches were disclosed in September.

Over the past five years there has been a steady rise in reported data breaches, increasing from 1,966 data breaches in 2013 to 3,833 in 2017. Year on year, the number of reported data breaches has increased by 18.2%.

The severity of data breaches has also increased. In 2016, 2.3 billion records were exposed in the first 9 months of the year. In 2017, the figure jumped to 7.09 billion.

The majority of the exposed records in 2017 came from five breaches, which exposed approximately 78.5% of all the records exposed so far in 2017.

The breach at DU Caller exposed 2,000,000,000 records; the River City Media breach saw 1,374,159,612 records exposed; An unnamed web breach exposed 711,000,000 records; and the EmailCar breach saw 267,000,000 records exposed.

Those five breaches made the top ten list of the worst data breaches of all time, and were ranked as the 2nd, 3rd,  4th, and 9th worst data breaches of all time. With the exception of one breach in 2014, all of the top ten data breaches of all time have been discovered in 2016 (4) and 2017 (5).

While the above five breaches involved the most records, the most severe data breach of the year to date was the breach at Equifax, which exposed the records of 145,500,000 individuals. The breach only ranks in 18th place in the list of the worst data breaches of all time, but RBS rates it as the most severe data breach of 2017 due to the nature of data obtained by the hackers.

The main cause of 2017 data breaches, by some distance, was hacking. 1,997 data breaches were due to hacks, 433 breaches were due to skimming, phishing was behind 290 breaches, viruses caused 256 breaches, and 206 breaches were due to web attacks.

Web attacks may have come in at fifth place in terms of the number of breaches, but the attacks resulted in the greatest number of exposed records – 68.5% of the total. Hacking accounted for 30.9% of exposed records.

The business sector has been worst affected by data breaches in 2017, accounting for 68.5% of the total, followed by ‘unknown’ on 12.6%. Medical data breaches were in third place accounting for 8.5% of the total.

RBS reports that there have been 69 data breaches reported in 2017 that involved the exposure or more than a million records.

The Risk Based Security 2017 Data Breach Report can be viewed here.

The post 2017 Data Breach Report Reveals 305% Annual Rise in Breached Records appeared first on HIPAA Journal.