#cybersecurity | #hackerspace | Billions of Medical Images Leaked in Huge Privacy Puzzle

Source: National Cyber Security – Produced By Gregory Evans

Security researchers say healthcare providers are failing to secure highly sensitive patient medical data. Mind-boggling amounts of health info are just sitting on internet-connected servers, with only a well-known default password—or no password at all.

And it’s despite frequent warnings. The scale of the problem has only grown in recent months.

Imagine that. In today’s SB Blogwatch, we prescribe radical surgery.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nice pipes (giggity).


What’s the craic, Zack? Mister Whittaker reports—“A billion medical images are exposed online, as doctors ignore warnings”:

 Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone … to access over 1 billion medical images of patients. … About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.

The problem is well-documented. Greenbone found … more than 720 million medical images in September. … Two months later, [it doubled]. The problem shows little sign of abating.

Medical images … are typically stored in … a PACS server. … But many doctors’ offices disregard security best practices and connect their PACS server directly to the internet without a password. … Some of the largest hospitals and imaging centers in the United States are the biggest culprits.

Many patient scans include … the patient’s name, date of birth and sensitive information about their diagnoses. … Yet, patients are unaware that their data could be exposed on the internet for anyone to find.

HIPAA created the “security rule” … designed to protect electronic personal health information. … The law also holds healthcare providers accountable for any security lapses [which] can lead to severe penalties. … Experts who have warned about exposed servers for years say medical practices have few excuses.

And Renée Fabian adds—“Unsecured Medical Images Are an Underrated Threat”:

 Compromised medical data is life-altering — worse than having your financial information stolen — and in some cases, even life-threatening. … But the general public still has their eyes on financial identity theft as the bigger threat.

However, when your health-related information is used by someone else … it can have a much bigger impact than stolen financial data. … Here’s how:

Errors in your medical record constitute one of the biggest dangers. … A diagnosis you don’t have, medication you’re allergic to, the wrong blood type or treatments you never actually get [can] make it into your permanent health care file. [So] you may end up in a situation where you’re treated with something that’s harmful.

You could also fail a physical job exam because a medical condition you don’t have ends up in your medical record. … It puts you at greater risk of discrimination, especially at work.

Your legitimate [insurance] claims may be denied. The company may flag or cancel your policy because of a suspicious number of claims or another person’s information on your record. [Or] you may be denied health or life insurance in the future.

Medical data includes more personal information than your financial data, which is why it sells for an estimated 10 times as much on the dark web. … Criminals get more bang for their buck out of your health data.

Are you sure we’re not hyping this up a bit? Mark Davis is horrified:

 Images, as actually used, usually do contain demographics. But they also often contain indications and sometimes diagnosis and treatments. Those are the absolute most sensitive of all information.

Indications are the reason for the image and would be something like “suspected pneumonia.” Diagnoses are official labels of sickness/illness/disease, like “AIDS.”

I can’t overstate how bad disclosing such information is, when it comes to protecting privacy.

Specifically, what are the legalities? Here’s Oliver Jones:

 It’s possible to see so-called “protected health information” (PHI) in these images. … HIPAA and ARRA 2009 (followon legislation) made it a federal crime to knowingly or negligently disclose PHI.

Natural persons can be tried and convicted, even if they were acting on behalf of corporations. … The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification Rule, requiring holders of data to notify patients and CMS themselves if PHI is breached.

It wouldn’t surprise me if the people involved in securing these sloppily configured … servers are in a state of panic. … I was involved in dealing with an unintentional breach of 44 patient records a few years back, and yeah … it stinks to be them.

So doctors are to blame? prostheticvamp thinks that’s too simplistic:

 I have never, in all my years of working in healthcare, seen a hospital or physicians office directly install and manage PACS. They pay a third-party—usually the vendor—to install, configure, and walk them through it.

Healthcare-related technology was largely pushed on the industry via legislation. … When a technology is forced on you at a loss, from a vendor with little incentive to optimize ease of use or utility, you get a terrible piece of **** that no one wants to invest more time and money into than absolutely needed.

When it comes to healthcare, everything is always the doctor’s fault. It’s convenient to have a single target to blame. … Never mind that most physicians are just employees … in massive organizations, with extremely heavy regulatory oversight.

If an organization that runs three hospitals can’t … secure their PACS system with a decent password, that’s the fault of the physician about as much as it’s the fault of the nurse, the janitor, the cafeteria chef, etc. … We’re just line workers. We try to do our best by patients, but we ain’t in charge of anything.

OK, but what can IT do about it? imidan’s suggestion is clouded by their gender presumption:

 The IT guy needs to talk to the lawyer and the insurance guy. The lawyer will **** his pants at the HIPAA violation, and the insurance guy will **** his pants at the likely cost of judgment for the inevitable prosecution.

The three of them can go to the person in charge and explain the problem in terms of the technical, legal, and financial. When it’s clear that the fallout of prosecution includes fines so big they make the practice uninsurable, jail time for personnel who wantonly violated, and the loss of license for doctors, I would hope they’d listen.

It gets worse. wswope has this head-meets-desk moment:

 Fun experiment: use Google Maps API to search a major US metro area for medical practices. Pick out any websites that don’t use TLS. Crawl them for HTML forms that include common PHI keywords. You’ll find a lot.

Meanwhile, what of our neighbors to the north? Here’s ceoyoyo:

 Here in Canada, hospitals are super paranoid about their PACS. As originally designed, PACS really couldn’t transmit images over the Internet at all, and most hospitals still have it configured that way.

And Finally:

Riccardo Bonci is going straight to Heck


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Stephen Hampshire (cc:by)


#deepweb | ‘Britain’s FBI’ set for huge new powers to foil County Lines drug gangs

Ministers are planning to give a huge budget boost and sweeping new powers to ‘Britain’s FBI’ to combat the growing threat of online paedophile rings, people traffickers and County Lines drugs gangs. It comes as the National Crime Agency reveals the frightening scale of organised crime […]

Computer #hacking #investigation #leads to #huge #cache of #child porn


A Parkville man was sentenced Wednesday to federal prison after pleading guilty to computer hacking and child pornography charges.

Jacob Raines, 38, was sentenced in U.S. District Court in Kansas City to six years in prison.

Raines pleaded guilty in May to charges of computer intrusion and using a computer to view child pornography over the internet.

The computer intrusion charge involved Raines using a remote server to copy proprietary source code files and file folders from his former employer.

When serving a search warrant in that case, investigators found thousands of sexually explicit images and videos of children, including toddlers and infants.

His attorney on Wednesday argued for a sentence of four years in prison, while prosecutors asked for seven years.


BREAKING: OurMine Hack Huge YouTube Channels In Major Security Leak

A huge security leak has seen major YouTube stars have their accounts hacked by OurMine, the notorious hacking group who have caused major upheaval in the past by hacking accounts belonging to some of the world’s biggest names. Stars including …


IT security faces huge challenge, says hacker ‘Mafiaboy’

Michael Calce’s parents knew there was “something rather unique” about him when he was five years old, he says. Handed a computer with unlimited internet access as a child, the Montreal-raised Calce is infamous as “Mafiaboy”, who in February …


How Corporate America keeps huge hacks secret


But the biggest cyberattacks, the ones that can blow up chemical tanks and burst dams, are kept secret by a law that shields U.S. corporations. They’re kept in the dark forever. You could live near — or work at — a major facility that has been hacked repeatedly and investigated by the federal government. But you’d never know. What’s more, that secrecy could hurt efforts to defend against future attacks. The murky information that is publicly available confirms that there is plenty to worry about. Unnamed energy utilities and suppliers often make simple mistakes — easily exposing the power grid to terrorist hackers and foreign spies. A CNNMoney investigation has reviewed public documents issued by regulators that reveal widespread flaws. There was the power company that didn’t bother to turn off communication channels on its gear at mini-stations along the electrical grid, leaving access points completely open to hackers. It was fined $425,000 by its regulator in August. Another power company forgot to patch software on 66% of its devices, thus exposing them to known flaws exploited by hackers. It got a $70,000 fine in February. There are plenty of other examples, and all “posed a serious or substantial risk” to portions of the […]



Huge increase in online child abuse investigations

As police today embark on a week-long campaign to raise awareness of child sexual exploitation, new figures show detectives are dealing with more than one case a day.

Across the county, more than 1,500 referrals were made – where there are concerns for a child’s safety – last year. Of those, 529 were recorded as crimes.
Since April, police have dealt with 339 “intelligence packages” relating to online child abuse, compared to 237 in the 12 months before.

Det Insp Tony Baxter, of Lancashire Police’s Public Protection Unit, said: “The public quite rightly expects us to protect children from being exploited, particularly as new threats emerge such as online grooming through gaming and chat forums, an area that we are highlighting through this year’s awareness week.



A Huge Frustration for Tax Refund Victims

It is nothing new that people steal identities and then use them to steal money from banks, and now from tax refunds too; this took off in a big way in 2013. Identity thieves are getting more creative and bold in stealing billions in tax refunds from the Internal Revenue Service.

A recent victim Laura Hankins knew something was wrong when she filed her daughter’s tax return and it was rejected hours later: An identity thief already had sent in a return using the 19-year-old’s personal information.

“This is the first time in her life she has ever filed income taxes, after earning all of $1,800 stocking products on grocery store shelves,” Hankins said. “I did her taxes for her online, but immediately she got the rejection.”

Thieves have claimed billions of dollars in bogus tax refunds from the IRS by swiping the Social Security numbers and identities of schoolchildren in Florida, prisoners in Pennsylvania, teachers in Washington state and soldiers deployed in Iraq and Afghanistan.

The IRS said Thursday that it has started more than 200 investigations into identity theft and refund fraud schemes this filing season and that enforcement efforts are taking place nationwide. It said investigators are especially focused on the misuse of specialized identification numbers assigned to firms that electronically file tax returns.

But the ease of the schemes means no one is immune. The best steps to reduce the chance of refund fraud are to protect your Social Security number and other personal information, because hackers and employees with access to thousands of names stored in company databases have tapped into reams of personal information, allowing them to submit hundreds of fraudulent returns by computer and receive refunds within days. It all adds up to a lot of frustration for legitimate taxpayers who face more paperwork and months of waiting for their tax refunds.

The IRS has to take action against these schemes so that people can start trusting it again, rather than stopping paying taxes.



Huge recent hack attack said to target mainly Israeli servers


A new round of hacking attacks is being directed specifically against Israel, cyber-security giant Check Point believes. The exploit, which uses infected Microsoft Word documents to insert malicious code into a user’s computer, “appears to be politically motivated, instigated against a particular nation-state,” the company said. With that, said the company, the identity of the hackers behind the attack is unclear, and may never be known, because it is almost impossible to trace such attacks back to the original server that issued them. And, while Check Point would not name the specific targets of the attack, it said that they included Israeli public (i.e., government) and private organizations, and that the attacks had been going on “for some time.” “There are many reasons campaigns can end up with a lopsided geographical distribution of infection victims; that, alone, does not necessarily imply a ‘targeted campaign’ scenario,” said the company. “However, this case was different. Israeli targets were not just over-represented; the list of targeted Internet addresses contained a number of Israeli government agencies, security industry firms, municipal agencies, research institutions and even hospitals. In total, over 200 machines and 15 distinct Israeli firms and institutions were targeted.” The role of defense, […]



Russian hacker admits role in huge $300m data theft scheme


A Russian hacker called Vladimir Drinkman has pleaded guilty to his involvement in a data breach scheme that stole 160 million credit card details from US companies and resulted in losses estimated at $300m. The US Department of Justice (DoJ) said that the scheme was the largest of its kind, and is reported to have targeted institutions such as Dow Jones, Carrefour and Nasdaq. Drinkman was one of five hackers involved in the scam, which used SQL injection attacks to infiltrate networks and place malware to create a backdoor for the hackers to maintain access to the systems. Once inside they were able to gather huge amounts of data on customers and clients of the companies involved, and sold this information on forums in exchange for around $10 per US credit card and associated data and $50 per European credit card and associated data. Each member of the gang had different skills required for the crime. Drinkman carried out the network penetration to gain access to the corporate victims’ systems and mine the networks to steal the data. He was allegedly helped in this work by Alexandr Kalinin and Roman Kotov, both from Russia. Another defendant, Mikhail Rytikov, 28, of Odessa, […]

