Hacking - Kantara Initiative


Hacking in the Pharmaceutical Industry

* Eli Lilly Settles FTC Charges Concerning Security Breach
Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service.

* Novartis India Website Hacked
4/9/2009
The website of the Indian arm of Swiss drug major Novartis was hacked on Tuesday. When contacted, a company spokesperson confirmed the report to PTI, saying "we will make all efforts to ensure that the website is up and running at the earliest."

* GSK E-mail Database Hacked
4/11/2011
"On April 4, 2011, we were informed by Epsilon, a company we have used to manage email communications on our product websites, that files containing the email addresses of some of our consumers were accessed by an unauthorized third party. You are receiving this message because you have registered on one of our product websites. For a list of our products, please visit our website, http://us.gsk.com/"

* Anonymous Hackers Hit Pharma Giant Bayer's Website
6/27/2011
Bayer confirms "illegal interference" with its Italian website after Anonymous-affiliated hackers make a Twitter boast.

* Pfizer Facebook Page Hacked on 7/22/11
Pfizer has regained control of its corporate Facebook page after hackers temporarily defaced it earlier this week.

* Genentech Patients Suffer a Security Breach
October 12, 2011
The exposed data includes such information as name; address; phone; date of birth; e-mail address; driver's license number; Social Security number; medical information and health insurance information, according to a September 29 letter that the Roche unit wrote to the New Hampshire Attorney General.
Top 5 U.S. Government Web Sites Hacked in 2011

* The U.S. Senate
Back in June, LulzSec claimed responsibility for a successful cyberattack on the U.S. Senate Web site.

* The Pentagon
In July, Deputy U.S. Secretary of Defense William Lynn admitted that a "foreign intelligence service" stole 24,000 sensitive Defense Department files in a single March operation.

* The CIA
America's own Central Intelligence Agency saw its worst nightmare come true when www.cia.gov went down on July 15, with the hacker group LulzSec claiming responsibility.

* NASA
Hackers reportedly compromised a page on NASA's Jet Propulsion Laboratory Web site. The online attack came just days before the final launch of NASA's shuttle Endeavour, which was scheduled for May 16.

* FBI
The month of June this year witnessed another high-profile government agency falling prey to hackers.
Security Breaches in the Health Care Industry

* Aetna Named in Security-Breach Lawsuit
June 2009: Aetna Inc. is being sued for a data breach that allegedly exposed current, former and prospective employees' personal information to the Web. Aetna also suffered a similar data breach in 2006.

* Fears Over Patient Data as NHS Computers Are Hacked
June 9, 2011
Computer hackers have penetrated NHS systems, triggering fears that the security of highly sensitive patient records is at risk.

* Patient Data Losses Jump 32%
The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.

* Military Health Plan Data Breach Threatens 4.9 Million
October 4, 2011
A data breach involving nearly 5 million people treated at military healthcare facilities over a 19-year period is raising questions about whether U.S. Federal Trade Commission (FTC) rules supersede Health Insurance Portability and Accountability Act (HIPAA) regulations.

* Massive Healthcare Security Breach in Puerto Rico
November 29, 2010
A data breach at a managed care service provider in Puerto Rico may have exposed personal information on over 400,000 customers. "According to the disclosure, one or more employees of Puerto Rico's Medical Card System illegally accessed restricted areas of the organization's website until Sept. 30."
Security Breaches on the Rise

Health care costs on the rise due to increased Security Breaches
* According to a study by the Digital Forensics Association, the medical industry reported 115 percent more data breach incidents in 2010 compared to 2009.
* More than 58 percent of healthcare organizations have little or no confidence that their organization has the ability to detect all patient data loss or theft.

Health Care Data Breaches Increase by 32 Percent: Ponemon Report
December 1, 2011
The Ponemon Institute, a research firm that advises organizations on data security and privacy, has released a new survey of the health care industry showing a 32 percent increase in data breaches.

The Cost:
* Data breach incidents cost U.S. companies $204 per compromised customer record in 2009, compared to $202 in 2008.
* The average total per-incident cost in 2009 was $6.75 million, compared to an average per-incident cost of $6.65 million in 2008.
* The financial impact of data breach incidents over a two-year period came out to approximately $2 million per organization.
* The total economic burden created by data breaches on US hospitals has climbed to almost $12 billion over the past two years.
* The most expensive data breach event included in the 2009 study cost a company nearly $31 million to resolve. The least expensive total cost of a data breach for a company included in the study was $750,000.
Security Breaches
The top three breach types reported in 2011 include:
* Viruses and malware (46%)
* Laptop or mobile hardware device theft (22%)
* Phishing/pharming (20%)
Massive Hack Hit 760 Companies
October 28, 2011
A list of 760 organizations that were attacked was presented to Congress recently and published by security analyst Brian Krebs.
Companies included:
* Abbott Laboratories
* Cisco
* Charles Schwab
* Google
* Freddie Mac
* Facebook
* Wells Fargo
* Yahoo
* Microsoft
* Amazon
* IBM
* Intel
* PricewaterhouseCoopers
90% of Companies Say They've Been Hacked
* In a recent survey by Ponemon Research on behalf of Juniper Networks, of 583 U.S. companies, 90% of the respondents said their organizations' computers had been breached at least once by hackers over the past 12 months.
* Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months.
* About 32% of the respondents said their primary security focus was on preventing attacks, but about 16% claimed the primary focus of their security efforts was on quick detection of and response to security incidents.
* About one out of four respondents said their focus was on aligning security controls with industry best practices.

HHS Counts 200 Data Breaches
October 30, 2010
The U.S. Department of Health and Human Services counts nearly 200 health information data breaches of records for 500 or more individuals. The breaches often occur at "highly respected and sophisticated healthcare providers," writes Michael Kline of the law firm Fox Rothschild.
Security Breaches
NIH Data Breach Triggers Compliance
March 25, 2008
Organization breached: National Institutes of Health
Number affected: 2,500
Information breached: clinical trial information
How: laptop stolen
A laptop containing medical information for 2,500 people enrolled in a National Institutes of Health (NIH) clinical trial has been stolen, putting these patients at risk for medical identity fraud. The laptop was stolen from the trunk of a car on Feb. 23rd. The laptop contained clinical trial data going back 7 years, including names, medical diagnoses, and heart scans. The data was not encrypted, despite government policies that require this precaution. According to the NIH, the first attempt to encrypt the laptop failed, and the laboratory chief who used the laptop, Andrew Arai, did not follow up with IT.
* In 2011, 170 of 481 publicly disclosed breaches happened in the medical industry.
Cybersecurity Expert Hacked Medtronic Insulin Pump
August 25, 2011
A cybersecurity expert and diabetic who recently showed that his insulin pump is vulnerable to hacking has revealed the maker of his device: Fridley-based Medtronic Inc. Jay Radcliffe, a 33-year-old Idaho man who hacked into his own pump at a cybersecurity conference earlier this month, said Thursday that he initially withheld the name of the manufacturer in an effort to work with the medical technology company on security issues.

Nasdaq Confirms Servers Breached
February 7, 2011
The public company that owns the Nasdaq Stock Market confirmed reports that its servers had been breached. "Through our normal security monitoring systems we detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our Web facing application Directors Desk was potentially affected," according to a statement released by Nasdaq OMX Group.
Security Breaches
Hackers Break Into Virginia Health Professions Database, Demand Ransom
May 4, 2009
Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents.
"I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uh oh :( For $10 million, I will gladly send along the password."
Georgia Man Pleads Guilty to Hacking Into Japanese Drug Maker's U.S. Computer Network
August 16, 2011
A 37-year-old Georgia man pleaded guilty yesterday in Newark to hacking the computer system of a Japanese pharmaceutical company's U.S. subsidiary and crippling the business for days after his friend and former supervisor lost his job with the drug-maker.

Hacking Into E-Health Records Is Too Easy, Group Says
September 17, 2007
Hackers can access many e-health records and modify them unbeknownst to the software's legitimate users, according to a new study by an organization concerned about EHR vulnerabilities. It found that a low level of hacking skills would suffice to get into a system, retrieve data and make changes, such as altering medication dosages or deleting records. The good news: the "risk of vulnerability exploitation can be dramatically reduced when vulnerabilities are known and appropriate security controls are in place," the report's executive summary states.

Ukrainian Hacker to Forfeit $580,000 After Trading on Stolen Information
March 31, 2010
After hacking into Thomson Financial's computer network to obtain nonpublic financial information about pharmaceutical consultancy IMS Health, a Ukrainian man was ordered by a U.S. judge to pay $580,000 in penalties, according to Reuters News Agency.
What's Causing Security Breaches?
* According to a joint study by Ponemon and Intel Corporation, the healthcare and pharmaceutical industry had the highest rate of laptop thefts.
* Most of the breach occurrences are unintentional employee action, lost or stolen computing devices and third-party errors.
* Forty-six percent of laptops contained confidential data; only 30 percent used encryption.
* Most organizations (two-thirds) don't take advantage of security practices like encryption, which would keep data secure if a device the information resided on were stolen.
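The last two bullets name the one control that turns a stolen laptop from a reportable breach into a hardware loss, and the NIH case on this page shows the failure mode: an encryption attempt that failed and was never verified. What follows is an added example, not code from Kantara or from any of the studies cited here. It is the verification step: it reads the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT,FSTYPE` prints on a Linux laptop and lists every mounted filesystem or active swap that does not sit beneath a dm-crypt (LUKS) device. The two device trees are constructed samples, and the allow-list of plaintext mount points (/boot and /boot/efi, which a LUKS laptop needs readable before the passphrase is entered) is an assumed site policy.

```python
import json

# Policy assumption for this example: only the bootloader/kernel partitions may
# live outside the encrypted container; everything else must be under dm-crypt.
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}


def _mountpoints(node):
    """Mount points of one lsblk node; handles both the old 'mountpoint'
    string and the newer 'mountpoints' list that recent lsblk emits."""
    points = []
    if node.get("mountpoint"):
        points.append(node["mountpoint"])
    points.extend(m for m in node.get("mountpoints", []) if m)
    return points


def unencrypted_mounts(lsblk_json, allowed=ALLOWED_PLAINTEXT):
    """Walk the device tree from `lsblk -J` and return (device, mountpoint)
    pairs for every mounted filesystem or active swap ('[SWAP]') that has no
    dm-crypt ancestor. An empty list means data at rest is encrypted."""
    tree = json.loads(lsblk_json) if isinstance(lsblk_json, str) else lsblk_json
    findings = []

    def walk(node, under_crypt):
        # Once the path passes through a 'crypt' node, every descendant is
        # ciphertext on the physical disk.
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            if not under_crypt and mp not in allowed:
                findings.append((node["name"], mp))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree.get("blockdevices", []):
        walk(device, False)
    return findings


def is_compliant(lsblk_json):
    return not unencrypted_mounts(lsblk_json)


# Constructed sample 1: LUKS container holding an LVM group with root, home and swap.
ENCRYPTED_LAPTOP = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "fstype": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi", "fstype": "vfat"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot", "fstype": "ext4"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "fstype": "crypto_LUKS", "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "fstype": "LVM2_member", "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/", "fstype": "ext4"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home", "fstype": "ext4"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]", "fstype": "swap"}
      ]}
    ]}
  ]}
]}
"""

# Constructed sample 2: the "encryption never got finished" case, in the newer
# lsblk output format. Root and swap sit directly on plain partitions.
UNENCRYPTED_LAPTOP = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoints": [null], "fstype": null, "children": [
    {"name": "sda1", "type": "part", "mountpoints": ["/boot/efi"], "fstype": "vfat"},
    {"name": "sda2", "type": "part", "mountpoints": ["/"], "fstype": "ext4"},
    {"name": "sda3", "type": "part", "mountpoints": ["[SWAP]"], "fstype": "swap"}
  ]}
]}
"""

if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_LAPTOP), ("unencrypted", UNENCRYPTED_LAPTOP)):
        findings = unencrypted_mounts(sample)
        status = "COMPLIANT" if not findings else "NON-COMPLIANT"
        print(f"{label}: {status} {findings}")
```

Swap is deliberately treated like a filesystem: an unencrypted swap partition under an encrypted root still spills patient data to disk in cleartext. On a fleet, the same function runs over `lsblk -J` output collected by the endpoint agent, and a non-empty result is the ticket the NIH laboratory never raised.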
Most data breaches are caused by insiders:
* Insiders were responsible for over 60% of data breaches of protected health information (PHI).
* 35% of the PHI breaches were due to insiders snooping into medical records of fellow employees.
* 27% were due to improper access to records of their friends and relatives.
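Both percentages above describe the same detection problem: a read of a chart by someone with no treatment relationship to the patient. The following is an added example, not code from Kantara or from the study the slide cites, of the rule an EHR audit-log review applies to find those reads. The employee roster, patient index, care-team table and audit rows are all constructed, hypothetical data; a real deployment would take the relationship table from the scheduling/ADT feed and the roster from HR.

```python
import csv
import io

# Constructed reference data (hypothetical identifiers, not from any real system).
# Employees who are also patients here: login -> own medical record number and surname.
EMPLOYEES = {
    "jdoe":   {"mrn": "1001", "surname": "Doe"},
    "asmith": {"mrn": "1002", "surname": "Smith"},
    "rlee":   {"mrn": "1003", "surname": "Lee"},
}
# Patient index: MRN -> surname.
PATIENTS = {"1001": "Doe", "1002": "Smith", "1003": "Lee",
            "2001": "Garcia", "2002": "Smith", "2003": "Nguyen"}
# Treatment relationships: MRN -> logins with a legitimate care-team role.
CARE_TEAM = {"2001": {"jdoe"}, "2002": {"rlee"}, "1002": {"rlee"}, "2003": {"asmith"}}

# Constructed EHR audit log: timestamp,user,mrn,action
ACCESS_LOG = """\
timestamp,user,mrn,action
2011-10-03T09:14:02Z,jdoe,2001,view
2011-10-03T09:20:41Z,jdoe,1002,view
2011-10-03T10:02:13Z,rlee,1002,view
2011-10-03T11:45:09Z,asmith,2002,view
2011-10-03T12:10:55Z,asmith,1002,view
2011-10-03T13:30:00Z,rlee,2003,view
2011-10-03T14:05:17Z,rlee,2002,view
"""


def classify_access(user, mrn, employees, patients, care_team):
    """Return None for an access covered by a treatment relationship, otherwise
    a reason string, most specific first."""
    if user in care_team.get(mrn, set()):
        return None
    emp = employees.get(user)
    if emp and emp["mrn"] == mrn:
        return "self_access"                 # employee reading their own chart
    if mrn in {e["mrn"] for e in employees.values()}:
        return "coworker_record"             # the 35% case on the slide
    if emp and patients.get(mrn) == emp["surname"]:
        return "same_surname"                # heuristic for friends/relatives (27%)
    return "no_treatment_relationship"       # still worth a ticket, lower priority


def detect_snooping(log_text, employees=EMPLOYEES, patients=PATIENTS, care_team=CARE_TEAM):
    """Run every audit row through classify_access; return the flagged rows as
    (timestamp, user, mrn, reason) tuples in log order."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reason = classify_access(row["user"], row["mrn"], employees, patients, care_team)
        if reason:
            alerts.append((row["timestamp"], row["user"], row["mrn"], reason))
    return alerts


if __name__ == "__main__":
    for ts, user, mrn, reason in detect_snooping(ACCESS_LOG):
        print(f"{ts} {user:<7} MRN {mrn} -> {reason}")
```

The surname rule is a noisy heuristic and is ranked below the coworker rule for that reason; production systems enrich it with HR dependant and emergency-contact data and route the lowest tier through a break-the-glass attestation rather than a ticket. The care-team lookup is the part that matters: without an authoritative relationship table every read looks the same, which is why organizations on this page report so little confidence in detecting PHI loss.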
Insider Threats, Misused Privileges Are Leading Causes of Security Breaches
December 7, 2011
Last week, Verizon Business released its 2010 Data Breach Investigations Report. According to the report, 48% of data breaches are caused by insiders, up from only 22% last year.
Resolving Security Breaches?

Healthcare Security Breaches Can Cause Headaches and Millions in Fines
* It can take three to six months to resolve a data security breach incident.

April 19, 2011
Health Net is a provider of managed health care services, and the hard drives that are missing from an IBM-operated datacenter in Rancho Cordova, California, contain some 1.9 million customer records, including information such as names, Social Security numbers, addresses, financial information, and, of course, health care records (PHI). Regardless of whether Health Net and its vendors met DHHS' HITECH requirements, Health Net faces $250 per record in fines, which may reach $1,200 per fine in the near future. At 1.9 million records potentially lost, this could definitely result in the maximum fine (could be as much as $5 million). Other penalties could include roughly $2 per customer notification ($3.8 million), identity theft insurance for customers that could be well in excess of $5 million and countless potential lawsuits in the years to come.
* Many companies had to subscribe customers or employees to free credit monitoring services that ranged from $10 to $25 per month per customer or employee.