Healthcare // Security & Privacy
News
6/25/2014
05:20 PM
Connect Directly
RSS
E-Mail
50%
50%

Montana Health Department Hacked

State of Montana notifies 1.3 million patients of breach to Department of Public Health and Human Services server.

10 Ways To Fight Digital Theft & Fraud
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)

Hackers breached a server in the State of Montana's Department of Public Health and Human Services, prompting officials to notify 1.3 million people of the incident.

There is no evidence this information was used inappropriately -- or even accessed -- but the state is offering free credit monitoring and identity protection insurance to potentially affected individuals, said Richard Opper, DPHHS director. Montana also is alerting family members of deceased patients.

Officials discovered the breach after an independent forensic investigation determined a DPHHS server had been hacked. The department ordered the May 22 investigation from Kroll after DPHHS officials first noticed "suspicious activity" on May 15, Jon Ebelt, DPHHS public information officer, told InformationWeek.

[Researchers discover a flaw in two-factor authentication. Read PayPal Two-Factor Authentication Broken.]

Since the breach, DPHHS has "taken several steps to further strengthen security, including safely restoring all systems affected, adding additional security software to better protect sensitive information on existing servers, and continually reviewing its security practices to ensure all appropriate measures are being taken to protect citizen information," according to the release. For security reasons, DPHHS declined to expand on these additional measures.

Eyal Firstenberg, vice president of cyber research at LightCyber, a security breach detection company:

The time gap between the initial breach and the detection, while outrageously long, is far from being a rare occurrence. In fact, once mission-driven attackers have established a stable beachhead they leverage legitimate existing network resources, like user credentials, for the next phases of the attack. They thus render traditional security controls, like AV, firewalls, and sandboxes useless. With no system in place to monitor the internal network in real-time, attackers are effectively allowed to explore, compromise and exploit the network at their leisure.

DPHHS website displays help line information for potentially affected patients (Source: Montana DPHHS)

DPHHS website displays help line information for potentially affected patients (Source: Montana DPHHS)

The health department notified both Federal Bureau of Investigation and the Montana Attorney General's Office of the breach, said Ebelt.

No information about any potential suspects was available.

Although many healthcare breaches have historically resulted from employee carelessness or error, hackers are increasingly attracted to this industry's rich stash of personal data -- including Social Security numbers, credit card information, and addresses -- and personal health information, experts said. In its 2014 Data Breach report, Verizon determined physical theft and loss, insider misuse, and miscellaneous error accounted for 73% of healthcare breaches.

Michael Raggo, security evangelist at MobileIron, told InformationWeek last month:

I will never say never, but the healthcare industry has seen a disproportionately low instance of cyberattacks, and rather a higher proportion of accidental data loss through well-intentioned but risky user behaviors on the device or lost devices. A major reason for a low instance of cyberattacks is because stringent HIPAA guidelines are a core part of the data security and compliance strategy of all healthcare organizations in the United States. That said, cyberattacks are increasing, as are the number of attack vectors organizations need to protect.

In mid-May, the Office for Civil Rights (OCR) posted 61 new breach incidents affecting more than 500 patients, bringing the 2014 tally to 992 organizations and more than 31,000 patients. More than one third were attributable to theft, and unauthorized access/disclosure accounted for about 15%.

A search of OCR's database reveals only a handful of hacking incidents in 2014. In April, DeKalb Health's website was compromised when the service provider operating the Indiana provider's website was targeted by an overseas hacking group. Hackers created a fraudulent page made to resemble the legitimate site of the DeKalb Health Foundation, a non-profit organization, and sent phishing emails seeking donations. Hackers also defaced DeKalb's website to link to the fake site.

During its investigation, DeKalb discovered that several patient databases were housed on the affected server, notified patients, and provided one year of free monitoring services.

Also in May, Centura Health fell victim to a phishing scam after hackers reportedly targeted employees at the non-profit division of Mercy Regional Medical Center. The organization notified about 1,000 patients whose information may have been compromised when hackers might have gained access to personal information including Medicare beneficiary numbers, Social Security numbers, and dates of birth. An external forensics firm confirmed this data could have been compromised.

Nobody wants to be the next data breach headline. But ensuring that cyber-security defenses are operating effectively and efficiently is a monumental challenge given the sheer volume of information coming at us. Here's how to streamline your program. Get the Metrics That Work: Practical Cyber-Security Risk Measurements report today (registration required).

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
marcomputer
50%
50%
marcomputer,
User Rank: Apprentice
7/4/2014 | 10:07:04 AM
Husband love Inversion table
My Husband Buy It on Amazon and He love It So much.

He Create a Blog About Inversion table
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
6/30/2014 | 12:06:00 PM
Re: Re : Montana Health Department Hacked
That is a definite worry. Programmer Barnaby Jack hacked pacemakers -- for a good cause. And he died just before he was going to demonstrate how to attack implanted heart devices he said could kill someone from 30 feet away. If one person can do that, who knows how many other smart people can accomplish the same thing? Add a network to IoT implanted devices and you have a lot of potentially dangerous devices.
SachinEE
50%
50%
SachinEE,
User Rank: Ninja
6/30/2014 | 11:44:01 AM
Re : Montana Health Department Hacked
In a world that is going connected with IOT in healthcare systems as well (where everything is controlled using sensor outputs), hackers may be using this sensitive data to alter the healthcare systems offered to a patient (sounds sci-fi, but the scenarios can be present where hackers can remotely switch off the life support systems for a patient who is an important political figure).
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
6/30/2014 | 11:22:15 AM
Re: Unlawful brushing to servers on the increase
Providing 12-months of monitoring has become the default CYA whenever there's a breach. What happens on Day 366 or 367, I wonder? This question isn't aimed specifically at Montana. They're following the customary pattern, a pattern we see day in, day out. I can't think of a better solution and it's always easier to criticize than resolve a problem, but I do wonder if there isn't a better approach -- other than ensuring data is more secure from the get-go, of course!
SachinEE
50%
50%
SachinEE,
User Rank: Ninja
6/28/2014 | 6:19:17 AM
Re: Unlawful brushing to servers on the increase
Hackers breached a server in the State of Montana's Department of Public Health and Human Services, prompting officials to notify 1.3 million people of the incident. No evidence has been found to show that this information was used maliciously but worse could have been done. The institution is right to offer free credit to patients offering them the security of their personal information and identity. Institutions should now be careful and cautious in order to avoid being victims of this rising of breaches into systems.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
6/27/2014 | 3:58:19 PM
Re: A least they notified everyone
I asked, @BryanB but they were really close-mouthed about the products, tools, or practices they use. And, to be honest, i can't blame them from not wanting to share what they use -- since that would probably make it easier for hackers to break in again. And they also didn't want to discuss their newer tools, unsurprisingly. It is impressive how fast they notified people, especially when you think about the long lapses often involved in retail data thefts.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
6/27/2014 | 3:56:31 PM
Re: The Other Side
That's a great point. The last time I applied for a credit card online I had to answer a secondary round of questions about past addresses, people in my household, and cars -- that really put my mind at ease because it adds a second layer of security. It really should be on credit card companies, loan companies, and other financial (and other) service providers to no longer merely accept those three pieces of information as adequate for opening an account.
BryanB881
50%
50%
BryanB881,
User Rank: Apprentice
6/27/2014 | 1:28:23 PM
A least they notified everyone
Atleast they reported it quicker than most private companies who never report a breach.  Curious what tools they used, multi scanning, dynamic or static analysis.  Really how they found the breach.
jagibbons
50%
50%
jagibbons,
User Rank: Ninja
6/26/2014 | 4:54:48 PM
Re: The Other Side
That is an issue that needs to be addressed. There need to be more mechanisms in place that make it harder to use someone else's identity. It's very similar to the cell phone kill switch that is now coming out. If we can find ways to take the value out of the stolen data by making it less usable, that will help address the demand.

It still doesn't negate the need for stronger security, though.
Number 6
50%
50%
Number 6,
User Rank: Moderator
6/26/2014 | 10:41:17 AM
The Other Side
The other side of these hacking stories needs to be covered, too. Why is it so easy for someone to get credit in your name with only 3 pieces of info- name, SSN, birthdate? Hackers gaining financially from the data they're stealing provides much of the motivation to do it.
Page 1 / 2   >   >>
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - September 10, 2014
A high-scale relational database? NoSQL database? Hadoop? Event-processing technology? When it comes to big data, one size doesn't fit all. Here's how to decide.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A look at the top stories from InformationWeek.com for the week of September 7, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.