Bloody awful: Hell-thcare hackers break into databases of 20m medical test biz patients Hackers have raided databases containing millions of medical test lab patients' personal and payment information, making off with at least hundreds of thousands of people's banking details. The ransacked data stores were maintained by American Medical Collection Agency (AMCA) on behalf of blood-testing biz LabCorp and medical- …
The fact that the billing company didn't have our medical data is worth SFA given they leaked social security & credit card numbers.
"You can breathe easy knowing that we managed to save the 'Billy Bass' singing fish plaque from your mantel while robbers were looting that safe full of cash we left unlocked..."
Offering ID protection & credit monitoring isn't good enough. We need heads on pikes. Starting with all the upper management of the billing company.
Sorry, but we're going to be seeing more of these fiascoes as more medical establishments farm out their patient management, and that's how it should be--because patient management services should not be managed by doctors; they should be managed by those who hire qualified infosec professionals to insure that patient data is protected. Yet, this industry is new; and while we here who follow infosec news have a sense of what this will take, doctors don't yet know how to shop for qualified services. Yes, as others are commenting here, HIPAA needs some updating and to be made mandatory. Until then, yes "fucking hell", these things will be getting worse.
...how not to (sub)contract services with your data...
...why you shouldn't believe RFP responses...
...why technical controls (firewalls, IPS, compliance, etc) require business processes to become effective, especially with outsourcers / external business partners...
...that in a world of "you get what you pay for", cheapest is not the best,,,
...etc
8 months the attackers were inside this database, and it was not spotted.
Compliance...? Audits...? SIEM...? Reporting...? Firewalls...? I bet they had them... Despite that, so many failures on a human and technical level.
To get action on this, I hope some shareholders get together and try to sue the company for breach of corporate responsibility - putting their share* price at risk. Then their cyber-insurance won't pay out, and the bosses could be individually liable.
*=Money has value. Suing for the loss of customer data will carry less weight.
AC, as I work for a security vendor and _know_ how hard it is to convince people that when we talk about cybersecurity, it really is not science fiction - and is relevant to them and they must do something...
I've worked at a number of sec vendors in my time though I'm back on the lamb side of the chopping block nowadays, rather than the meat cleaver side.
You touch on one of the perennial Hard Problems of real-world infosec: convincing those who signs cheques that it's a real threat, and you're not just another geek / middle manager in search of more toys, a bigger budget or empire.
As my 20 years mark approaches in a couple of years, I'm increasingly convinced of the truth of the old aphorism: in security, your biggest allies are demanding customers, regulators and auditors who take a Bottom Inspector approach to examining your security status, and of course advesaries / attackers. Your chief enemies are (1) the users, and (2) management. Yes, working in security is like being a BoFH without the wish-fulfillment bit...
For Quest Labs, AMCA would (in theory) have had to have signed a Business Associate Agreement, promising to be in full compliance with the US's HIPAA law, which requires, among other things, that all personally-identifiable health information (PHI) be stored and transmitted "securely". The law is not prescriptive, in terms of defining specific techniques for doing so, but does require both physical and electronic security.
While it does not require state-of-the-art security (at crushing expense), anyone reading the regulations would expect that full encryption of data is expected, as well as normal industry best-practices for firewalls, anti-virus protection, two-factor logins, patch management, etc. After all, you're protecting other people's data, not just your corporation's data. The law creates a legal duty to protect that data.
I wonder of AMCA knew that, signed any such agreement, had a clue what HIPAA is, or was HIPAA compliant? Violations of HIPAA can cause you to lose your accreditation, lose your your license, as well as huge fines (Some number of $ per case; multiply by 12 million cases).
This works back to Quest Labs, too, as they handed over the data that included the PHI. Quest is responsible for ensuring that they choose a vendor that is HIPAA-compliant, signing an appropriate Business Associate Agreement, and monitoring their compliance.
What is it with healthcare? Too important to concern themselves with trivia like whether their systems work?
I recently (OK, April 18th) tried to buy a prescription prepayment from the NHS's facility (calls itself beta, but isn't fit to be a public alpha without at least offering participants a clear back-channel to sort out issues). When it came to payment, I just got a developer-oriented error message, and a "cancel" link that just generated another error.
Turned out it had taken payment (which I found out from my creditcard records) but not delivered anything. Trying to contact them to sort it out was equally broken. I ended up raising a dispute with the bank over my payment, which the bank accepted when I supplied the above story with detail of my attempts to contact them filled in.
I work in the area (infosec) lots of things being pushed politically we "just have to make it happen" and no matter how many red flags are raised regarding data protection etc it's pushed through by those higher up. I have huge concerns around some of the information we are placing on public cloud but I'd be fired for uttering a word publicly. Hence Anon.
Take a tip from an old pro: put it in writing. Even a polite email heavily obfuscated with technical jargon that only goes to your line manager is enough. It won't stop you getting fired when something goes pop (because "scapegoat" is second on the list of core duties in security, just below "fig leaf") but it should get you a bit more of a payoff when you draw their attention to the warnings they ignored and ask how they'll sound when they're read out at the employment tribunal.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
