What Healthcare Can Learn From CHS Data Breach - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Comments
What Healthcare Can Learn From CHS Data Breach
Newest First  |  Oldest First  |  Threaded View
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
12/1/2014 | 12:03:18 PM
Re: Oversight is Inevitable, So Prepare Accordingly
Thanks so much for your kind words and for reading my articles, @RiskIQBlogger. Appreciate it! :)
RiskIQBlogger
50%
50%
RiskIQBlogger,
User Rank: Apprentice
12/1/2014 | 11:49:21 AM
Re: Oversight is Inevitable, So Prepare Accordingly
I'm looking forward to your next point @Alison_Diana. This is a topic I follow pretty closely. Great job on this latest one!
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
12/1/2014 | 10:04:59 AM
Re: Misfeasance
The lack of CISOs -- or hiring CISOs who have zero authority -- will continue to bite healthcare organizations on the rump, as I will discuss in an upcoming piece on security in healthcare, later this week. (Or should that be insecurity in healthcare in 2015?)
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
12/1/2014 | 10:03:16 AM
Re: Oversight is Inevitable, So Prepare Accordingly
You are so right, @RiskIQ, that some things will fall through the cracks. In CHS' case, recall they originally blamed their EHR, a condemnation the developer speedily (and accurately it turned out) denied. That's another lesson I'd take away: If you're unsure of the reason, don't say anything to the media (on or off the record) until you've done your due diligence. And do your best to make sure all the other agencies you're working with in law enforcement agree to take the same stance.
asksqn
50%
50%
asksqn,
User Rank: Ninja
11/27/2014 | 10:57:24 PM
Misfeasance
LOL to most negligent corporate entities such as CHS that are too cheap to hire competent Infosec personnel, showing the CEO how to bold text in MS Word represents "highly technical & sophisticated" software.  

 

 
RiskIQBlogger
50%
50%
RiskIQBlogger,
User Rank: Apprentice
11/26/2014 | 11:59:26 AM
Oversight is Inevitable, So Prepare Accordingly
Of course CHS would like to believe it was a sophisticated attack and perhaps it was. However, the idea that it was an unaccounted for connected test server seems very plausible. 

If it was indeed a connected test server, its very easy with 20/20 hindsight to say this breach could have been prevented. In my opinion that's an unsuccessful security posture.

I think its better to assume things will fall through the cracks and prepare accordingly. We've conducted many large scale studies into the frequency of rogue digital assets tied to brands, like rouge web infrastructure, unknown websites/apps on or off domain/ASN, rouge mobile apps., etc.

Its across the board in every type of organization, in all industries, that something belonging to them exists that's connected to the Internet, that is unknown and thus outside the scope of a given organization's security program.

At first glance this gap may appear harmless, but its now leading to data breaches large and small because so much valuable data is being collected and stored in so many different ways.  

 

 

 

 
Ariella
50%
50%
Ariella,
User Rank: Author
11/26/2014 | 11:03:02 AM
Re: data breaches
@Alison sure, we've been programmed to fill in all the blanks on doctor's forms, just as we're programmed to accept every test that they say they want to run. A pearl of wisdom from a doctor for better health was "Stay out of hospitals and refuse all tests (unless they explain that it is necessary for a particular reason." Otherwise, every single patient in a hospital will get a daily blood test even when it is not relevant to his/her condition. They also tend to feed all patients Colace without considering actual necessity.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
11/26/2014 | 10:57:08 AM
Re: data breaches
You raise a great point, @Ariella. Many organizations request medical information as a matter of course. And I still find healthcare organizations requesting Social Security numbers. My daughter saw a couple of doctors recently; the SSN line had not been crossed out (as it has at many healthcare providers) and one office even asked me to add her information after I left it blank. I responded that they are not allowed to request that information any more and I would not provide it, even if I knew her SSN. But how many people fill in that data as a matter of course, particularly as more practices (daycares, field trip providers, and others) now allow guardians to complete this information from home?
Ariella
50%
50%
Ariella,
User Rank: Author
11/25/2014 | 10:49:03 AM
data breaches
The thing is that even without a breach, that kind of data gets out all the time. Have you ever looked at the required medical form for a school or camp? It asks for all kinds of personal information way beyond the record of immunizations. And the schools and camps likely keep the paper files in unsecured locations.


2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Slideshows
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
Commentary
Is Cloud Migration a Path to Carbon Footprint Reduction?
Joao-Pierre S. Ruth, Senior Writer,  10/5/2020
News
IT Spending, Priorities, Projects: What's Ahead in 2021
Jessica Davis, Senior Editor, Enterprise Apps,  10/2/2020
Register for InformationWeek Newsletters
Video
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll