Billions of Medical Images Leaked in Huge Privacy Puzzle

Source: National Cyber Security – Produced By Gregory Evans

Security researchers say healthcare providers are failing to secure highly sensitive patient medical data. Mind-boggling amounts of health info are just sitting on internet-connected servers, with only a well-known default password—or no password at all.

And it’s despite frequent warnings. The scale of the problem has only grown in recent months.

Imagine that. In today’s SB Blogwatch, we prescribe radical surgery.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nice pipes (giggity).


What’s the craic, Zack? Mister Whittaker reports—“A billion medical images are exposed online, as doctors ignore warnings”:

 Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone … to access over 1 billion medical images of patients. … About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.

The problem is well-documented. Greenbone found … more than 720 million medical images in September. … Two months later, [it doubled]. The problem shows little sign of abating.

Medical images … are typically stored in … a PACS server. … But many doctors’ offices disregard security best practices and connect their PACS server directly to the internet without a password. … Some of the largest hospitals and imaging centers in the United States are the biggest culprits.

Many patient scans include … the patient’s name, date of birth and sensitive information about their diagnoses. … Yet, patients are unaware that their data could be exposed on the internet for anyone to find.

HIPAA created the “security rule” … designed to protect electronic personal health information. … The law also holds healthcare providers accountable for any security lapses [which] can lead to severe penalties. … Experts who have warned about exposed servers for years say medical practices have few excuses.

And Renée Fabian adds—“Unsecured Medical Images Are an Underrated Threat”:

 Compromised medical data is life-altering — worse than having your financial information stolen — and in some cases, even life-threatening. … But the general public still has their eyes on financial identity theft as the bigger threat.

However, when your health-related information is used by someone else … it can have a much bigger impact than stolen financial data. … Here’s how:

Errors in your medical record constitute one of the biggest dangers. … A diagnosis you don’t have, medication you’re allergic to, the wrong blood type or treatments you never actually get [can] make it into your permanent health care file. [So] you may end up in a situation where you’re treated with something that’s harmful.

You could also fail a physical job exam because a medical condition you don’t have ends up in your medical record. … It puts you at greater risk of discrimination, especially at work.

Your legitimate [insurance] claims may be denied. The company may flag or cancel your policy because of a suspicious number of claims or another person’s information on your record. [Or] you may be denied health or life insurance in the future.

Medical data includes more personal information than your financial data, which is why it sells for an estimated 10 times as much on the dark web. … Criminals get more bang for their buck out of your health data.

Are you sure we’re not hyping this up a bit? Mark Davis is horrified:

 Images, as actually used, usually do contain demographics. But they also often contain indications and sometimes diagnosis and treatments. Those are the absolute most sensitive of all information.

Indications are the reason for the image and would be something like “suspected pneumonia.” Diagnoses are official labels of sickness/illness/disease, like “AIDS.”

I can’t overstate how bad disclosing such information is, when it comes to protecting privacy.

Specifically, what are the legalities? Here’s Oliver Jones:

 It’s possible to see so-called “protected health information” (PHI) in these images. … HIPAA and ARRA 2009 (follow-on legislation) made it a federal crime to knowingly or negligently disclose PHI.

Natural persons can be tried and convicted, even if they were acting on behalf of corporations. … The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification Rule, requiring holders of data to notify patients and CMS themselves if PHI is breached.

It wouldn’t surprise me if the people involved in securing these sloppily configured … servers are in a state of panic. … I was involved in dealing with an unintentional breach of 44 patient records a few years back, and yeah … it stinks to be them.

So doctors are to blame? prostheticvamp thinks that’s too simplistic:

 I have never, in all my years of working in healthcare, seen a hospital or physicians office directly install and manage PACS. They pay a third-party—usually the vendor—to install, configure, and walk them through it.

Healthcare-related technology was largely pushed on the industry via legislation. … When a technology is forced on you at a loss, from a vendor with little incentive to optimize ease of use or utility, you get a terrible piece of **** that no one wants to invest more time and money into than absolutely needed.

When it comes to healthcare, everything is always the doctor’s fault. It’s convenient to have a single target to blame. … Never mind that most physicians are just employees … in massive organizations, with extremely heavy regulatory oversight.

If an organization that runs three hospitals can’t … secure their PACS system with a decent password, that’s the fault of the physician about as much as it’s the fault of the nurse, the janitor, the cafeteria chef, etc. … We’re just line workers. We try to do our best by patients, but we ain’t in charge of anything.

OK, but what can IT do about it? imidan’s suggestion is clouded by their gender presumption:

 The IT guy needs to talk to the lawyer and the insurance guy. The lawyer will **** his pants at the HIPAA violation, and the insurance guy will **** his pants at the likely cost of judgment for the inevitable prosecution.

The three of them can go to the person in charge and explain the problem in terms of the technical, legal, and financial. When it’s clear that the fallout of prosecution includes fines so big they make the practice uninsurable, jail time for personnel who wantonly violated, and the loss of license for doctors, I would hope they’d listen.

It gets worse. wswope has this head-meets-desk moment:

 Fun experiment: use Google Maps API to search a major US metro area for medical practices. Pick out any websites that don’t use TLS. Crawl them for HTML forms that include common PHI keywords. You’ll find a lot.

Meanwhile, what of our neighbors to the north? Here’s ceoyoyo:

 Here in Canada, hospitals are super paranoid about their PACS. As originally designed, PACS really couldn’t transmit images over the Internet at all, and most hospitals still have it configured that way.

And Finally:

Riccardo Bonci is going straight to Heck


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Stephen Hampshire (cc:by)


The post Billions of Medical Images Leaked in Huge Privacy Puzzle appeared first on National Cyber Security.


The US Spends Billions on Cybersecurity — but No One Is Sure Exactly How Much


In the wake of Russian meddling in the 2016 presidential election, massive breaches of IRS tax records, and the theft of more than four million employee files from the Office of Personnel Management, it’s small wonder the federal government has steadily beefed up its cybersecurity activities. Between 2007 and 2016,…

The post The US Spends Billions on Cybersecurity — but No One Is Sure Exactly How Much appeared first on National Cyber Security Ventures.


Fourth largest Bitcoin exchange. Bithumb, hacked for billions of Won


The largest bitcoin and ether exchange in South Korea by volume, Bithumb, was recently hacked. Monetary losses from compromised accounts have started to surface, and are quickly reaching into the billions of won. With a reported 75.7% share of the South Korean bitcoin market volume, Bithumb is one of the…

The post Fourth largest Bitcoin exchange. Bithumb, hacked for billions of Won appeared first on National Cyber Security Ventures.


Severe cybersecurity incidents cost shareholders billions, says CGI


Digitalisation comes with benefits, and pitfalls, for businesses. A new report highlights the cost of severe cybersecurity breaches on the share price of companies in the long-term, which average a reduction of 1.8%. The research too finds that the long-term negative effect on share price is increasing, creating additional incentives for business owners and the executive to act to prevent breaches where possible.

The digitalisation of business processes brings a number of benefits to business operations, from lower costs to additional revenue streams. It is not without issues, however: cybersecurity costs mount, transformation programmes fail, and regulatory frameworks are imposed to rein in and forestall potentially abusive practices.

One area that is increasingly on the agenda at the boardroom level is cybersecurity. Businesses are increasingly finding themselves open to security incidents, with costs for business as a whole running in the order of $280 billion according to a recent report from Grant Thornton.

In a new report from CGI, titled ‘The Cyber-Value Connection’, the consulting firm explores the effect of cybersecurity breaches on the share price of companies affected. The research involved independent economic modelling from Oxford Economics, whose analytical methodology examines share price movements in companies that had experienced cyber breaches.

The research shows that there is a link between the share price of a company and cybersecurity breaches. Across the 65 companies in the sample, affected by a severe cybersecurity incident, the average long-term effect on share price was found to be 1.8%.

The performance of companies prior to the breach was found to have a correlation with the effect of the breach on share price. Poorly performing companies were found to be harder hit, their share price falling by an average of 2.3%, while companies outperforming their peers were found to average 1.1% reductions in share price in the long-term. The low sample size, the research notes, prohibits predictions in terms of the usual statistical levels of significance.

Applied to the market capitalisation of an average FTSE 100 company, a 1.8% reduction in share price corresponds to a £120 million loss of market value. Summed across the 65 companies whose severe breaches were considered in the research, the total cost to their shareholders reaches £42 billion.

The research in addition to identifying the average cost to companies affected from a severe breach, also found that catastrophic breaches resulted in significant depreciations in the long-term value of companies. One UK media and communications company, that had a catastrophic breach in 2015, has seen its share price fall by 15% in the long-term, while a retail company, also in the UK, has suffered a loss of 12.9% of its share price value from a breach in 2014.

Company share prices across a range of sectors have been negatively affected by catastrophic breaches, with the top 10 largest breaches covered by the research ranging between a fall of 15% and 4.8%.

The value of a major UK supermarket, following a cyber security breach, saw almost immediate reprisal from investors, as the share price fell by more than 7 percentage points during the week following the incident. The fallout from the event saw a further 1 percentage point drop as the full consequences of the event became clear to an irate public.

The research also found that the effect of cyber security incidents, measured on the Friday following the event, is becoming more severe with time. The average decrease in a firm’s share price stood at 0.2% in 2013; by 2014 it was 1.5%, and for the period 2015/16 it almost doubled again to 2.7%.

The research also found that sectors are affected differently. Retail, hospitality and travel, for instance, saw a negative impact of 0.4% on share price measured on the Friday following the incident, healthcare saw a drop of 0.7%, and technology a decrease of 2.1%. Communications and financial firms were hit hardest, with decreases of 2.6% and 2.7% respectively.

Remarking on the research, a spokesperson from CGI states, “Clearly, the CEO has responsibility for increasing company value. With the link between cyber breach and company value established in this report, it is clear the CEO’s responsibility must also include direction and governance of cybersecurity.”


The post Severe cybersecurity incidents cost shareholders billions, says CGI appeared first on National Cyber Security Ventures.


Billions of Smartphone Users affected by Heartbleed Vulnerability

Heartbleed has made a terrible impression worldwide: it affected millions of websites, and it is also thought to put millions of smartphone and tablet users at risk.

Heartbleed is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic library. It resides in OpenSSL’s implementation of the TLS/DTLS heartbeat extension and allows attackers to read portions of the affected server’s memory, potentially revealing data such as usernames, passwords and credit card numbers that the server never intended to disclose.

OpenSSL is a widely used library that implements the SSL and TLS protocols and protects communications on the Internet. Most websites use SSL or TLS, and the Apache web server, which powers almost half of the websites on the Internet, uses OpenSSL.

It would be wrong to assume that only people visiting websites from desktop browsers are exposed. An estimated 40-60 billion active smartphone applications may be talking to some of those same servers, or to their own back-end servers, which may be just as vulnerable.

Google wrote in an update on its Online Security blog on Wednesday that Android was not vulnerable to the Heartbleed bug, with one specific exception: Android 4.1.1 Jelly Bean, which ships with the vulnerable version of OpenSSL and still runs on a large share of Android devices around the world.

Google did not reveal how many devices are affected, but according to its latest platform dashboard around 34.4% of Android devices in use today run Android 4.1.x, and last September Google announced that it had activated one billion devices. The number of vulnerable devices is therefore likely to be in the millions at minimum.

So one can imagine how many smartphones and tablets were at risk. Google has released patches for Android 4.1.1, which are being distributed to its Android partners.

Apple users can relax: devices running iOS and OS X are not affected by Heartbleed. “Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected,” Apple told Re/code. Instead of OpenSSL, Apple relies on its own SSL/TLS library, Secure Transport, which was hit by its own serious bug in February that opened the door to man-in-the-middle (MitM) attacks, though that flaw was not as dangerous as Heartbleed.

Apple users were not exempted completely, however: anyone using BBM for private messages on iOS may have been vulnerable. BlackBerry confirmed that some of its products, including Secure Work Space for iOS and Android, BlackBerry Link for Windows and Mac OS, and BBM for iOS and Android, were vulnerable to Heartbleed. The number of affected users is not small: about 80 million people use BBM.

BlackBerry has also assured customers that BlackBerry smartphones and tablets, BlackBerry Enterprise Server 5, BlackBerry Enterprise Service 10 and the BlackBerry Infrastructure are not affected by the flaw.
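The heartbeat over-read described above, as an added example that is not part of the original post and is not OpenSSL’s own code: a minimal heartbeat responder modelled on the pre-1.0.1g behaviour, which trusts the attacker-supplied payload length, beside the bounds check that 1.0.1g added. The record buffer, the adjacent “secret” from another connection and the 64-byte claimed length are constructed sample data, not a capture from a real server.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding after the payload */

/* Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
 */

/* Vulnerable responder, modelled on OpenSSL before 1.0.1g: payload_length is
 * read from the peer's header and never compared with the record actually
 * received, so memcpy walks past the record into whatever follows it.
 * Returns bytes written to resp, or -1. */
int hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                          unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* n2s() in OpenSSL */
    size_t need = 3 + payload + HB_PADDING;
    if (need > resp_cap) return -1;            /* our reply buffer; not the bug */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);        /* over-read when payload > rec_len - 3 */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)need;
}

/* Fixed responder: the check OpenSSL 1.0.1g added, discarding any message
 * whose claimed payload (plus header and padding) does not fit in the record. */
int hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                     unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* silently discard */
    size_t need = 3 + payload + HB_PADDING;
    if (need > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)need;
}

/* Constructed sample memory: a 21-byte heartbeat request carrying a 2-byte
 * real payload but claiming 64, immediately followed by a made-up secret
 * belonging to some other connection (hypothetical data, not a real capture). */
static unsigned char heap[256];
static const char SECRET[] = "user=alice;pw=hunter2";
static size_t rec_len;

static void build_sample(void)
{
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = 0x00;
    heap[2] = 0x40;                       /* claimed payload length: 64 */
    memcpy(heap + 3, "hi", 2);            /* real payload: 2 bytes */
    memset(heap + 5, 0xAA, HB_PADDING);
    rec_len = 3 + 2 + HB_PADDING;         /* 21 bytes actually received */
    memcpy(heap + rec_len, SECRET, sizeof SECRET - 1);
}

/* Runs one responder against the sample. Returns 1 if SECRET shows up in the
 * reply (memory disclosed), 0 if it replied without leaking, -1 if it rejected
 * the request. */
int probe(int (*responder)(const unsigned char *, size_t, unsigned char *, size_t))
{
    unsigned char resp[256];
    build_sample();
    int n = responder(heap, rec_len, resp, sizeof resp);
    if (n < 0) return -1;
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable responder leaks secret: %d\n", probe(hb_respond_vulnerable));
    printf("fixed responder result:            %d\n", probe(hb_respond_fixed));
    return 0;
}
```

The point the example makes is that the 16-bit length field gives the peer up to 64 KiB of read per heartbeat, bounded only by what happens to sit after the record; the fix is a single comparison against the length of the record that was actually received, which is why the real patch was a few lines.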


The post Billions of Smartphone Users affected by Heartbleed Vulnerability appeared first on Am I Hacker Proof.


Phone Hackers Dial and Redial to Steal Billions


SAN FRANCISCO — Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time. Read More….



China cyber-crime costing US billions: FBI chief


China is waging an aggressive cyber-war against the United States which costs American business billions of dollars every year, Federal Bureau of Investigation director James Comey said on Sunday. The FBI chief told CBS television’s “60 Minutes” program China topped […]
