ACCORDING TO SEVERAL NEWS reports1, 2 Aspire Health, a large Nashville health care company that offers in-home treatment in 25 states, was hacked earlier this month and lost at least some patient information to an unknown cyber attacker.
The hack, disclosed for the first time in federal court records filed on Tuesday, occurred after a phishing attack gained access to Aspire’s internal email system on Sept. 3. The hacker then forwarded 124 emails to an external email account, including emails that contained “confidential and proprietary information and files” and “protected health information,” according to the court records.
The disturbing thing is not “just” that the hack attack succeeded, but HOW it occurred.
WHAT IS “PHISHING?”
Most Enterprise Risk Management practitioners know that phishing is defined as
- the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters.
Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.3
Many organizations have policies to reduce the threat of phishing attacks.
Unfortunately that’s all they have – policies, and maybe procedures to report a phishing attempt.
Preventing such attacks needs on-going re-enforcement and, where appropriate, severe consequences. Exposing client information can prove very costly; a hit on the organization’s bottom line.
HOWEVER, the miscreants got to the sensitive information – be it patient information or personal/financial.
While if will be inconvenient, the information needs to be moved from an “open” server to one behind an (additional) firewall.
This server’s access should be secured by
- * A second password or other defense (retina scanning, etc.) and
* Be restricted to a limited number of trusted personnel; personnel who are repeatedly reminded of the procedures and consequences of unauthorized access to the secured data.
Most organizations that deal in classified information, defense contractors for example, limit access to sensitive information to relatively few people, people who have been vetted and awarded a security clearance.
- Information requests, especially requests originating in an email – even if the email seems to have been authored by an employee – must be considered “suspicious” and treated accordingly.
Admittedly, blocking access to personal information to all but a select few will slow down information retrieval, but it simultaneously reduces the chance of compromising the security of the data.
Limiting access to sensitive data also makes tracking access to that data easier and faster.
Obviously not all customer information needs this level of security, but the information that DOES demand the security can be protected.
I worked for organizations that required multiple passwords: one to log onto the user’s computer, another to log on to the network, and still others to log onto secure servers. The passwords were changed at least every 90 days (which I thought was too great a duration between new passwords).
There is almost no excuse for a data breach, especially one originating with a phishing email.
Sources
1. http://tinyurl.com/ya5kokgc
2. http://tinyurl.com/y7nq52dv
3. http://tinyurl.com/ybt5uqfn
PLAGIARISM is the act of appropriating the literary composition of another, or parts or passages of his writings, or the ideas or language of the same, and passing them off as the product of one’s own mind.
Truth is an absolute defense to defamation. Defamation is a false statement of fact. If the statement was accurate, then by definition it wasn’t defamatory.
No comments:
Post a Comment