[SecurityRatty] tag: cardiovascular

Password Expiration: Like Margarine and Water?

Mon, 26 May 2008 20:00:00 +0000

We often swallow ideas that we needn't or shouldn't. Take the onetime urging of nutritionists to substitute margarine for butter in the cause of cardiovascular health. When this advice was first circulating, most margarines contained high quantities of trans fats, concoctions that have turned out to be so harmful - to the heart, among other things - that they are now banned in restaurants in NYC. Similar dogma applies to the advice to drink eight eight-ounce glasses of water a day for overall good health. Everyone knows the advice. But no one seems to know where the 8x8 rule comes from or if it is good or bad. So what pieces of conventional wisdom in computer security are like margarine and the 8x8 water doctrine? I'd hold forth password expiration as a prime candidate.

700,000 records on stolen CCB server

Tue, 22 Apr 2008 10:57:38 +0000

Technorati Tag: Security Breach

Date Reported:
4/18/08

Organization:
Numerous*

*See Commentary section for list of businesses

Contractor/Consultant/Branch:
Central Collection Bureau ("CCB")

Victims:
Individuals who were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Number Affected:
~700,000

Types of Data:
"personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes"

Breach Description:
"Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana. This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes."

Reference URL:
Central Collection Bureau
Chicago Sun-Times (Associated Press)
NBC Channel 13 Eyewitness News

Report Credit:
Central Collection Bureau

Response:
From the online sources cited above:

SECURITY BREACH NOTIFICATION ALERT:
CENTRAL COLLECTION BUREAU
Dated April 18, 2008

Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana.

This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes.

These individuals were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Approximately 700,000 files may have been breached.

The businesses that engaged CCB for debt collection during that period of time are listed below.

Please note that only a very small percentage of the individuals who were patients or customers of the businesses below—i.e., those who ultimately were referred for debt collection—would have their personal information included in the CCB database.

Some of the information might be outdated. St. Vincent Health System said it had not given any billing business to Central Collection in more than three years, so all of the missing billing information is several years old.
[Evan] This was a question that my colleagues and I were debating about this breach. 700,000 records seems like an awful lot of "active" collection accounts. CCB would need quite a few collection agents to service this many accounts, if in fact they were all active. I think we can assume that only a fraction of the 700,000 records were actually "active" and CCB did not effectively destroy information that they no longer needed to keep.

Other patients and customers of those companies are not affected by this breach.

The theft occurred on Friday, March 21, 2008, at CCB's location in Indianapolis.

On that date, thieves broke into the company's offices and stole 8 computers, as well as one of its servers (databases).

The server was password protected and protected by three locked doors. The 8 computers did not contain personal information.

The information was protected by two passwords but was not encrypted, Klene said.

"Our server was password protected. We have obviously spoken to some IT people who feel that a good computer hacker could get through those passwords," he said.
[Evan] It doesn't even take a "good computer hacker" to get through the passwords.

CCB promptly contacted the police and is working with the Indiana Attorney General's office.

The company also promptly installed additional locks, a security system, and a motion detection system to help minimize the risk of any further unauthorized access to its information.
[Evan] These will help with physical security. Full-disk encryption and a effective data retention policy wouldn't hurt for logical security, eh? Us information security guys would refer to multiple defensive layers as "defense in depth". Brilliant!

CCB apologizes to its clients and all Indiana residents affected by this incident.

"We're obviously heartsick about this," said Chet Klene, Central Collection Bureau president. "We've been in business since 1972, and nothing like this has ever happened before."
[Evan] I don't doubt that CCB is "heartsick" by this incident. I feel bad for them and the fact that they probably did not know any better. Maybe this is partly a failure on the part of the information security profession as a whole.

While the company has no information suggesting that the breach occurred for purposes of identity theft, it nevertheless has contacted the three national credit bureaus to place a fraud alert.

Please go to the CCB website at www.ccbinc.net, call CCB at 317-887-5165 or 1-800-878-5165 or email CCB at theft@ccbinc.net for more information

Commentary:
Clients of CCB with information on the stolen server include:

Academy Animal Hospital, Advanced Interventional Pain, Advanced Physical Therapy, Alternative Care Experience, Anderson General Surgery, Andrew Dick MD, Anesthesia, Aqua Systems, Associated Billing, "Barbara Sturm, MD", Brad Sammons DDS, Brien Grow DO, Buchanan Counseling Services, Campion Barrow & Assoc., Cardiothoracis Surgeons, Cardiovascular Diagnostic Services, Carl Foster MD, Caryn Guba DDS, Center For Orthopaedic Surgery, Central Indiana Phys Medicine & Rehab, Charles Howe Professional Medical Corp, Charles Kelley III DPM, Charles Kerkhove Jr DDS, Charles Tomich DDS, Chiropractic Thereputics, Citizens Gas & Coke, City of Franklin Ambulance, Clarian Radiology, Clinical Laboratory Physicians, Comdent, Comprecare, Culligan Water Conditioning, Cummins Behavioral Health System, D.E. Kelley DDS, Daniel Feeny MD, David Pennington III MD, David Shaw MD, David Szentes MD, Denture By Design, Dermatopathology Lab, Diagnostic Medicine, Dunlap Urgent Care, Edward J Diekhoff MD, Emily Cline MD, Emergency Medical Group Physicians, Forest Creek Family Dental, Friendly Village of Indy, Gary Hunt DDS, Gary Taylor DDS, Generations In Dentistry, George Small Jr MD, Gial Anesthesiology Service, Grandmas House Child Care, Greg Hardin MD, Hamilton Anesthesia Group, Hearing Center, Henderson Drugs & Home Health, House of Kids, Howard Alig MD, Howard Regional Health System, Indiana Radiology Partners, Indiana Spine Group, Indiana General Surgery, Indiana Medical Network, Indpls Neurosurgical Group, Internal Medicine Plus, JCB Anesthesia & Pain Mgt, Jeffrey Stevens DPM, Jennifer Siegel DDS, JMH Health Affiliates, John Jackson DC, John Norris MD, Johnson Co Anesthesia, Johnson County REMC, Johnson Memorial Hospital, Joseph Meek DDS, Julie Chao MD, Kenny Stall MD, Kerry Mays MD, Kevin Macadaeg MD, Khalil Wakim MD, Kidd Pediatrics, Knowledge Learning Corp, Koehring & Sons, Kokomo Sports Center, Larry Buckel MD, Laura Steiner MD, Laura Stitle MD, Laurette Robey MD, Laverne Tubergen MD, Lawrence Falender DDS, Library Park Immediate Care, Lora Overton DO, Madison Anesthesia Group, Madison Avenue Flower Shop, Mark Ellis DDS, Mark Kahn DDS, Mark Ogle MD, Mark Yamanaka MD, Martinsville Dental Center, Memory Maker Studios, Mere Image Sportswear, Meridian Veterinary Clinic, Methodist Arthritis Physicians, Methodist Medical Group, Michael Arnold DDS, Michael Cozzi MD, Michael Harper, Midamerica Surgery Center, Milto Cleaners, Mitchell Foster MD, Muncie Cataract & Laser Center, Nancy Zinni MD, Northside Surgical Specialists, Northside Anesthesia Services, Northwest Medical Pain Control, Nufinity, Orthopaedic Supplies Inc., Panchapakesan Harlan MD, Paul Batties MD, Paul Johnson DDS, Paul Johnson DDS, Paul Strange MD, Philip Borders MD, Pioneer Anesthesia Consultanta, PT Buntin MD, R.D. McQuiston MD, Rebecca De La Rosa DDS, Richard Herd Jr DDS, Rick Stephens Builder, Riley Bennett & Egloff LLP, Robert Smith MD, Robert's Salon & Day Spa, Ronald Wines DDS, RW Armstrong, Sandhya Nanda MD, Sarah Akard DDS, Scot Hagadorn MD, South Emerson Anesthesia Assoc., South Emerson Pain Management, South Emerson Surgery Center, Southeast Family Physicians, Southside Animal Hospital, Southside Family Medical Group, Southside Pediatrics, St. Vincent Health and related entities, Stephen Stitle MD, Stephen Szynal DO, Stonehedge Apartments, Stop 11 Animal Hospital, Sun Medical, Surgical Associates of Madison Co, Susan Wagner DDS, Thomas Eads MD, Thomas Ferrara MD, Tim Schafer DDS, University Family Physicians, University Pediatric Associates, University Surgeons, USF Inc, Valle Vista Guidance Center, Valle Vista Hospital, Walker Family Dentistry, Wells & Marvel PC

Past Breaches:
Unknown

Help a kid with congenital heart disease go to camp!

Thu, 06 Mar 2008 17:11:53 +0000

Let me get serious for a moment here. My niece Michelle Pearl in Colorado and her boyfriend Tim are involved in the Race Across America. I am putting this up to help them help these special kids. If you find this cause worthy, please help them help others!

www.raceacrossamerica.org

Tim is affiliated with Team Strong Heart, whose goal is to raise $100,000 for Camp Odayin. Last year Team Strong Heart placed third in the Race Across America in the 4-man relay division.

www.campodayin.com

Tim is collecting tax deductible donations via the Team Strong Heart website. Tim is using Pay Pal, so your donation is secure. Please visit the team website to make your donation.

www.teamstrongheart.blogspot.com

What is Camp Odayin?

Each year 32,000 children are born in the US with cardiovascular defects.
Children with heart disease are not often afforded the opportunity to attend camp due to health risk and insurance issues.
Camp Odayin is a non-profit organization dedicated to providing the camp experience to these special young people.
Camp Odayin runs soley on donation and only costs the familes a $25 dollar registration fee.

Contact info: tim@timcase.net http://www.teamstrongheart.com

Help a kid with congenital heart disease go to camp!

Thu, 06 Mar 2008 16:11:53 +0000

Let me get serious for a moment here. My niece Michelle Pearl in Colorado and her boyfriend Tim are involved the Race Across America. I am putting this up to help them help these special kids. If you find this cause worthy, please help them help others!

Local Firefighter Needs YOUR Help!
Tim Case, a professional firefighter for Boulder Fire Rescue, is racing his bicycle 3100 miles this June in the Race Across America to support Camp Odayin, a camp in Minnesota for kids with congenital heart disease.
www.raceacrossamerica.org
Tim is affiliated with Team Strong Heart, whose goal is to raise $100,000 for Camp Odayin. Last year Team Strong Heart placed third in the Race Across America in the 4-man relay division.
www.campodayin.com
Tim is collecting tax deductible donations via the Team Strong Heart website. Tim is using Pay Pal, so your donation is secure. Please visit the team website to make your donation.
www.teamstrongheart.blogspot.com

What is Camp Odayin?

Children with heart disease are not often afforded the opportunity to attend camp due to health risk and insurance issues.
Camp Odayin is a non-profit organization dedicated to providing the camp experience to these special young people.
Camp Odayin runs soley on donation and only costs the familes a $25 dollar registration fee.

Each year 32,000 children are born in the US with cardiovascular defects.

Contact info: tim@timcase.net http://www.teamstrongheart.com

Fear Is Unhealthy

Thu, 17 Jan 2008 04:35:09 +0000

The New York Times writes about a plausible connection between fear and heart disease:

Which is more of a threat to your health: Al Qaeda or the Department of Homeland Security?
An intriguing new study suggests the answer is not so clear-cut. Although it’s impossible to calculate the pain that terrorist attacks inflict on victims and society, when statisticians look at cold numbers, they have variously estimated the chances of the average person dying in America at the hands of international terrorists to be comparable to the risk of dying from eating peanuts, being struck by an asteroid or drowning in a toilet.

But worrying about terrorism could be taking a toll on the hearts of millions of Americans. The evidence, published last week in the Archives of General Psychiatry, comes from researchers who began tracking the health of a representative sample of more than 2,700 Americans before September 2001. After the attacks of Sept. 11, the scientists monitored people’s fears of terrorism over the next several years and found that the most fearful people were three to five times more likely than the rest to receive diagnoses of new cardiovascular ailments.

[...]

After controlling for various factors (age, obesity, smoking, other ailments and stressful life events), the researchers found that the people who were acutely stressed after the 9/11 attacks and continued to worry about terrorism -- about 6 percent of the sample -- were at least three times more likely than the others in the study to be given diagnoses of new heart problems.

If you extrapolate that percentage to the adult population of America, it works out to more than 10 million people. No one knows what fraction of them might consequently die of a stroke or heart attack -- plenty of other factors affect heart disease -- but if it were merely 0.0003 percent, that would be higher than the 9/11 death toll.

Of course, statistics of any sort, even when the numbers are rock solid, don’t mean much to people when they’re assessing threats. Risk researchers have found that even when people know the numbers, they’re less worried about death tolls than about how the deaths occur. They have good reasons -- called “rival rationalities” -- for fearing catastrophes that kill large numbers at once because these events affect the whole community and damage the social fabric.

It doesn't surprise me that fear of terrorism is more harmful than actual terrorism. That's the whole point of terrorism: an amplification of fear through the mass media.

Refuse to be terrorized:

The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.
And we're doing exactly what the terrorists want.

[...]

The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn't make us any safer.