<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: doctors]]></title>
    <link>http://securityratty.com/tag/doctors</link>
    <description></description>
    <pubDate>Mon, 24 Mar 2008 18:04:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Backup Tape With Private Details Stolen From Greensboro Gynecology Associates]]></title>
      <link>http://securityratty.com/article/7ae3b6b68e5e21daa4a091e5ff7a6fbd</link>
      <guid>http://securityratty.com/article/7ae3b6b68e5e21daa4a091e5ff7a6fbd</guid>
      <description><![CDATA[Patients at a Greensboro doctors' office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May. In a letter mailed to patients,...]]></description>
      <content:encoded><![CDATA[Patients at a Greensboro doctors’ office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May. In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen. The letter was dated June 16, but some letters weren&#8217;t postmarked [...]]]></content:encoded>
      <pubDate>Thu, 17 Jul 2008 19:35:59 +0000</pubDate>
      <category domain="http://securityratty.com/tag/greensboro gynecology">greensboro gynecology</category>
      <category domain="http://securityratty.com/tag/backup tape">backup tape</category>
      <category domain="http://securityratty.com/tag/greensboro doctors office">greensboro doctors office</category>
      <category domain="http://securityratty.com/tag/computer database">computer database</category>
      <category domain="http://securityratty.com/tag/letter">letter</category>
      <category domain="http://securityratty.com/tag/social security">social security</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/patients">patients</category>
      <category domain="http://securityratty.com/tag/letters">letters</category>
      <source url="http://cyberinsecure.com/backup-tape-with-private-details-stolen-from-greensboro-gynecology-associates/">Backup Tape With Private Details Stolen From Greensboro Gynecology Associates</source>
    </item>
    <item>
      <title><![CDATA[A backup tape is stolen from Greensboro Gynecology Associates]]></title>
      <link>http://securityratty.com/article/50667ca11f139e2009a7776a17ed3db5</link>
      <guid>http://securityratty.com/article/50667ca11f139e2009a7776a17ed3db5</guid>
      <description><![CDATA[Date Reported
7/15/08

Organization
Greensboro Gynecology Associates

Contractor/Consultant/Branch
None

Victims
Physicians, staff members, and patients

Number...]]></description>
      <content:encoded><![CDATA[
<img src="http://breachblog.com/images/95781-88451/gga.jpg" width="70" align="right" height="70"><font size="2"><b>Date Reported: </b><br>7/15/08<br><br><b>Organization: </b><br><a href="http://www.greensborogynassoc.medem.com/">Greensboro Gynecology Associates</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Physicians, staff members, and patients<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"GREENSBORO - Patients at a Greensboro doctors’ office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.news-record.com/content/2008/07/15/article/security_breach_puts_patients_of_greensboro_gynecology_at_risk">News &amp; Record</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Ryan Seals, News &amp; Record<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen.<br><span style="font-style: italic;">[Evan] Does "their computer database" include billing information and other confidential information other than personally identifiable information?</span><br style="font-style: italic;"><br>The letter was dated June 16, but some letters weren't postmarked until July 9.<br><br>The medical practice said a backup tape of patient information was stolen on May 29 from an employee who was taking the tape to an off-site storage facility for safekeeping.<br><span 
style="font-style: italic;">[Evan] I wonder what type of off-site storage facility.&nbsp; Some of the small businesses that I have encountered consider an employee's home to be an "off-site" storage facility.</span><br style="font-style: italic;"><br>The stolen information included patients' name, address, Social Security number, employer, insurance company, policy numbers and family members.<br><br>The tape did not include treatment or specific medical data.<br><br>"We are very concerned about this theft, as we too are victims," Pat Higgins, the practice's administrator, wrote in an e-mail Tuesday. "We are notifying our present and former patients. ..."<br><br>The practice at 719 Green Valley Road Suite 305 said personal information for its physicians and other staff members also was on the stolen tape.<br><br>the case is under investigation<br><br>did not respond to inquiries about how many patients were affected, how the theft occurred and whether anything else was taken<br><br>The practice's letter said the theft had been reported to police. 
However, officials with the Greensboro Police Department and the Guilford County Sheriff's Office said they had no such report on file.<br><span style="font-style: italic;">[Evan] This is interesting news.</span><br><br>The data was not encrypted, but Greensboro Gynecology Associates said the stolen data isn't likely to be accessed.<br><br>"We have consulted with several computer security experts, and they have advised it is highly unlikely the tapes can be accessed because of the program used and the language (the information) is written in," according to a recording on a hotline set up to address patients' concerns.<br><span style="font-style: italic;">[Evan] Who are these several computer security "experts"?&nbsp; I hate to disagree, but...&nbsp; The assessment is based on "the program used and the language" that the archived information is written in.&nbsp; Really?&nbsp; How hard is it to obtain the necessary hardware and software to access the information?&nbsp; Someone interested in accessing the tape could conceivably flip the data protection tab on the tape (to prevent data corruption through inadvertent writes), download some of the more popular backup software programs, buy a compatible drive (stolen or on eBay), and go to town.&nbsp; Couldn't they?&nbsp; Backup Exec is a very popular backup program.&nbsp; Anyone can download a 60-day trial for free.&nbsp; More talented professionals have even more sophisticated methods of accessing data on tape. 
</span><br style="font-style: italic;"><br>Greensboro Gynecology Associates said they are consulting with computer security experts to prevent similar thefts in the future.<br><span style="font-style: italic;">[Evan] I kind of hope that they are not consulting with the same computer security "experts" referenced above.</span><br style="font-style: italic;"><br>"We sincerely regret and apologize that this incident occurred," the letter said<br><br><span style="font-weight: bold;">Commentary:</span><br>Many backup software solutions include the option to encrypt the written data built-in.&nbsp; Why not use it?<br><br>Greensboro Gynecology Associates has established a hotline for concerned patients.&nbsp; The phone number is (336) 544-4590.&nbsp;&nbsp; The hotline asks patients to leave their name and telephone number for a staff member to return their call. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br></font><br>
<script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/07/16/gga.aspx" type="text/javascript" charset="utf-8"></script>]]></content:encoded>
      <pubDate>Wed, 16 Jul 2008 12:16:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/greensboro gynecology">greensboro gynecology</category>
      <category domain="http://securityratty.com/tag/greensboro">greensboro</category>
      <category domain="http://securityratty.com/tag/tape">tape</category>
      <category domain="http://securityratty.com/tag/backup tape">backup tape</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/specific medical data">specific medical data</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/computer security">computer security</category>
      <source url="http://breachblog.com/2008/07/16/gga.aspx">A backup tape is stolen from Greensboro Gynecology Associates</source>
    </item>
    <item>
      <title><![CDATA[Sometimes danger lurks right under our nose.]]></title>
      <link>http://securityratty.com/article/60d561dc35d92bd6e3f06ac8f71c0ba7</link>
      <guid>http://securityratty.com/article/60d561dc35d92bd6e3f06ac8f71c0ba7</guid>
      <description><![CDATA[When Executive Protection Specialists think and speak about &quot;Threat Assessment&quot;, they are usually focusing on a known or suspected danger that may prove life-threatening. Sometimes, that danger may...]]></description>
      <content:encoded><![CDATA[When Executive Protection Specialists think and speak about "Threat Assessment", they are usually focusing on a known or suspected danger that may prove life-threatening.  Sometimes, that danger may already have made itself at home and is silently destroying lives and eating away at victims like a cancerous growth. <br /><span id="fullpost"><br />One such story was highlighted by the "Washington Post Magazine" on May 25th, 2008.  It involved a young girl who had been molested and raped by her own father.  A man who was something of a hero to many.  A man who had walked side by side with Dr. Martin Luther King and who was only a few feet away from the Civil Rights leader when he was assassinated.  That man is James Bevel.<br /></span><br /><br />I had the pleasure of listening to Col. Dave Grossman speaking at UCLA last April. He was eloquent in his description of how young lives are taken and families destroyed by School killings.  He also spoke about those who prey on the less suspecting.  He equated it to the Wolves hunting down and eating sheep.  Mr. Bevel appears to be one of those parasitic wolves.  <br /><br />For years he raped his little daughter, telling her it was something of an "experiment".  In his mind, he didn't think that it mattered.  His unfathomable belief (and apparently remains the same until this day) is that all women are prostitutes until they reach a certain age, when sex is set aside for procreation.  This belief allowed him to allegedly rape his eight year old daughter on many occasions.<br /><br />His daughter, Aaralyn Mills, finally found the courage to step forward and contact the Police in 2005.  She assisted the Leesburg authorities to tape record her conversation with her father.  In that conversation, James Bevel admitted raping his daughter and that it was part of a scientific process.  Unfortunately, her mother, like many other mothers, did not want or couldn't face the truth.  
This gave the big, bad wolf all the space he needed to desecrate the little sheep.  <br /><br />Sadly, men like this are living throughout our communities.  They come in all shapes, sizes and colors.  Some are Doctors, Community leaders, Priests, Police Officers, Electricians and Preachers.  If you have been entrusted with the job of protecting an innocent lamb, be a strong and fearful sheepdog and protect your flock, with your very life if need be.  Be brave like Aaralyn Mills.  She stepped forward at this time in her life because her father who has many children with many different women has now a young daughter and her half-sister is afraid that he will rape her too.]]></content:encoded>
      <pubDate>Thu, 05 Jun 2008 18:23:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/daughter">daughter</category>
      <category domain="http://securityratty.com/tag/danger">danger</category>
      <category domain="http://securityratty.com/tag/aaralyn mills">aaralyn mills</category>
      <category domain="http://securityratty.com/tag/james bevel">james bevel</category>
      <category domain="http://securityratty.com/tag/allegedly rape">allegedly rape</category>
      <category domain="http://securityratty.com/tag/washington post magazine">washington post magazine</category>
      <category domain="http://securityratty.com/tag/parasitic wolves">parasitic wolves</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/police officers">police officers</category>
      <source url="http://www.thebulletproofblog.com/2008/06/sometimes-danger-lurks-right-under-our.html">Sometimes danger lurks right under our nose.</source>
    </item>
    <item>
      <title><![CDATA[Hero is not a good enough word to describe this man.]]></title>
      <link>http://securityratty.com/article/df1c762f57f08a0b68435434d138db57</link>
      <guid>http://securityratty.com/article/df1c762f57f08a0b68435434d138db57</guid>
      <description><![CDATA[My hopes and prayers to him and his family


clipped from www.chron.com
After defying odds, Marine loses final battle


He endured 100 surgeries after a 2005 roadside bomb in Iraq, stunning doctors...]]></description>
      <content:encoded><![CDATA[<div>My hopes and prayers to him and his family.</div>
<p>Clipped from <a href="http://www.chron.com/disp/story.mpl/nation/5800170.html">www.chron.com</a>:</p>
<p><b>After defying odds, Marine loses final battle</b><br />He endured 100 surgeries after a 2005 roadside bomb in Iraq, stunning doctors with progress</p>
]]></content:encoded>
      <pubDate>Mon, 26 May 2008 13:04:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/roadside bomb">roadside bomb</category>
      <category domain="http://securityratty.com/tag/progress">progress</category>
      <category domain="http://securityratty.com/tag/prayers">prayers</category>
      <category domain="http://securityratty.com/tag/doctors">doctors</category>
      <category domain="http://securityratty.com/tag/chron">chron</category>
      <category domain="http://securityratty.com/tag/odds">odds</category>
      <category domain="http://securityratty.com/tag/iraq">iraq</category>
      <category domain="http://securityratty.com/tag/surgeries">surgeries</category>
      <category domain="http://securityratty.com/tag/hopes">hopes</category>
      <source url="http://spywarebiz.com/spywarebizblog/?p=463">Hero is not a good enough word to describe this man.</source>
    </item>
    <item>
      <title><![CDATA[Stolen General Internal Medicine laptop exposes nearly 12,000]]></title>
      <link>http://securityratty.com/article/2389b565fa0d63529610bd3f479ba13f</link>
      <guid>http://securityratty.com/article/2389b565fa0d63529610bd3f479ba13f</guid>
      <description><![CDATA[Date Reported
4/25/08

Organization
General Internal Medicine of Lancaster (PA)

Contractor/Consultant/Branch
None

Victims
Patients

who visited the office of General...]]></description>
      <content:encoded><![CDATA[
<img src="http://breachblog.com/images/95781-88451/gim.jpg" align="right" height="133" width="122"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/25/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.genintmed.com/">General Internal Medicine of Lancaster (PA)</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Patients*<br><br><font size="1">*"who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007"</font><br><br><span style="font-weight: bold;">Number Affected:</span><br>"nearly 12,000"<br><br><span style="font-weight: bold;">Types of Data:</span><br>Names, addresses, telephone and Social Security numbers<br><br><span style="font-weight: bold;">Breach Description:</span><br>"EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctors office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.wgal.com/news/16008321/detail.html">WGAL Channel 8 News</a> <br><a href="http://articles.lancasteronline.com/local/4/220386">Lancaster Intelligencer Journal</a> <br><a href="http://www.genintmed.com/fraud_alert.htm">General Internal Medicine of Lancaster</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>General Internal Medicine of Lancaster (PA)<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>EAST HEMPFIELD TOWNSHIP, Pa. 
-- A laptop stolen from a doctors office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County.<br><span style="font-style: italic;">[Evan] Why do we store personal (and other confidential) information on poorly secured laptops?&nbsp; Why, why, why?</span><br><br>A medical practice in East Hempfield Township is contacting nearly 12,000 of its patients to notify them that a computer was stolen from the office April 17<br><br>"We're just sick about this," said practice manager Lois Summers. "We know that the computer didn't contain the information of all (12,000) patients, but we notified everyone we saw during that three-year period just to be safe."<br><span style="font-style: italic;">[Evan] The organization is not providing (as far as I can tell) fraud alert or credit monitoring, but the costs are probably still significant.&nbsp; 12,000 mailings has a hard cost and is pretty easy to quantify.&nbsp; The price involved with lost confidence and visits is harder to nail down.</span><br><br>office workers on April 17 were taking paper records bearing basic patient information and scanning them into a laptop computer so the records could then be transferred to a disk.<br><span style="font-style: italic;">[Evan] Even in a small scale project it is important to evaluate risks EARLY on in the process, before work starts.</span><br><br>After that process was completed, the office planned to burn the paper records.<br><br>no medical information about patients was compromised.<br><br>The computer contained the names, addresses, telephone numbers and Social Security numbers of many of the patients who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007.<br><br>East Hempfield Township police said someone stole the computer from an unlocked conference room inside the Physicians Alliance office building on Columbia Avenue last week.<br><br>An 
employee left the area where the scanning was being done for a brief period the morning of April 17. When that employee returned, Summers said, the laptop was gone.<br><span style="font-style: italic;">[Evan] It only takes a second or two for a thief to nab a mobile device.&nbsp; People think that it won't happen to them until it does.&nbsp; Then it's like "@^ @%*#"!&nbsp; Understand that these things will happen.&nbsp; We don't know when.&nbsp; We don't know how.&nbsp; We don't know where.&nbsp; Many times the hardware costs are a write-off, but what is the cost of personal information for which you are not the owner?&nbsp; We can take steps to significantly reduce the risk of data exposure.</span><br><br>Police said they suspect whoever stole the laptop wanted the computer more than the information on it.<br><span style="font-style: italic;">[Evan] Sure.</span><br><br>Investigators also said the personal information is not easy to access.<br><span style="font-style: italic;">[Evan] "Not easy" is subjective.&nbsp; If the information was only protected by an operating system password, then the information is likely very easy to access.</span><br><br>"Obviously, this was not a secure system we had and it will never be done again in this office," Summers said. "We need a secure (computer) drive that cannot be removed from the office."<br><span style="font-style: italic;">[Evan] Excellent quote, "Obviously, this was not a secure system".&nbsp; Lois Summers then goes on to address physical security of the drive itself.&nbsp; Physical security is very important, but it should be noted that logical security (biometrics, encryption, etc.) 
are equally as important.</span><br><br>General Internal Medicine of Lancaster located in the office building sent a letter to patients to alert them of what happened.<br><br>Anyone with questions is urged to call General Internal Medicine at 397-2738.<br><br><span style="font-weight: bold;">Commentary:</span><br>The General Internal Medicine of Lancaster web site prominently displayed a "Fraud Alert" graphic in the middle of the home page.<br><br><img src="http://images.quickblogcast.com/95781-88451/gimalert.jpg" border="0" width="184"><br><br>I appreciate organizations that do not hide the fact that personal information (entrusted to them) has been compromised.&nbsp; Losing the information causes enough stress for victims.&nbsp; General Internal Medicine does a good job of openly admitting the breach and providing information. Their "Fraud Alert" page even provides a link to a copy of the East Hempfield Township <a href="http://www.genintmed.com/police_report.htm">police report</a>.&nbsp; I get a real sense that the organization feels terrible about the breach and has taken steps to mend the relationship with patients.&nbsp; I don't get this sense from many breaches.<br><br>Unfortunately the information security practices at General Internal Medicine that led to this breach are commonplace in many organizations of all sizes, in many industries. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
<script src="http://feeds.feedburner.com/%7Es/breachblog?i=http://breachblog.com/2008/05/05/gim.aspx" type="text/javascript" charset="utf-8"></script>]]></content:encoded>
      <pubDate>Mon, 05 May 2008 08:17:36 +0000</pubDate>
      <category domain="http://securityratty.com/tag/internal medicine">internal medicine</category>
      <category domain="http://securityratty.com/tag/office">office</category>
      <category domain="http://securityratty.com/tag/doctors office">doctors office</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/office staff">office staff</category>
      <category domain="http://securityratty.com/tag/basic patient information">basic patient information</category>
      <category domain="http://securityratty.com/tag/east hempfield township">east hempfield township</category>
      <category domain="http://securityratty.com/tag/physicians alliance office">physicians alliance office</category>
      <source url="http://breachblog.com/2008/05/05/gim.aspx">Stolen General Internal Medicine laptop exposes nearly 12,000</source>
    </item>
    <item>
      <title><![CDATA[Why even having health insurance is not enough anymore]]></title>
      <link>http://securityratty.com/article/c4f007a02c60338f0381adcb2dd11c15</link>
      <guid>http://securityratty.com/article/c4f007a02c60338f0381adcb2dd11c15</guid>
      <description><![CDATA[Forgive me for going totally off topic (hey it's my blog I write what I want) but it is Sunday and not much news on security. I wanted to write about an article I saw in the NY Times today called &quot;...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/INSURE_GRAPH.jpg"><img style="border-right: 0px; border-top: 0px; margin: 0px 10px 5px 0px; border-left: 0px; border-bottom: 0px" height="260" alt="INSURE_GRAPH" src="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/INSURE_GRAPH_thumb.jpg" width="247" align="left" border="0"></a> Forgive me for going totally off topic (hey its my blog I write what I want) but it is Sunday and not much news on security.&nbsp; I wanted to write about an article I saw in the NY Times today called "<a href="http://www.nytimes.com/2008/05/04/business/04insure.html?_r=1&amp;partner=rssyahoo&amp;emc=rss&amp;oref=slogin" target="_blank">Even the Insured Feel the Strain of Health Costs</a>". The article details that with the hard economic times even people who have health insurance are being bitten by the ever rising costs of health care.&nbsp; Rising premiums, covering less procedures and care and charging more for prescriptions and medical care combine to put the bite on everyone.&nbsp; From my own experience here are 4 examples of how even with health insurance, medical care costs are taking a bite:</p> <p>1. My wife had minor surgery in September.&nbsp; It was ambulatory surgery where she went in the morning and went home that afternoon/evening.&nbsp; Even though we have full PPO coverage and it was participating doctors, hospital, etc. my out-of-pocket costs after insurance were almost $3000! The surgeon received a whopping $472 from the insurance company for the operation and the hospital billed like 17k!&nbsp; When I called the hospital they said they did not expect to get paid that much, but had to bill it so they could get as much as they could.&nbsp; I than had to negotiate what I would pay out of pocket beyond that. I also had to pay the anesthesia, the prescriptions, etc.</p> <p>2. 
Here at StillSecure we had to switch providers again this year because United Health Care wanted another 15 to 20% raise in premiums. In fact that is about normal for health insurance, way above the cost of living and inflation.&nbsp; We pay a good chunk of our employees insurance premiums, but even so the 20% or so that we have the employee pick up gets bigger and bigger.&nbsp; Plus the insurance company covers less and less.&nbsp; This squeeze is frankly baffling. How can you pay more and get less.</p> <p>3. I had a dental implant a few months back.&nbsp; Though we pay for dental coverage, our insurance would cover a bridge or cap, but they don't consider implants necessary and would not cover any of it. I had to lay 2k out of pocket. On top of this the panoramic x-ray the oral surgeon took (which again was not covered, another 100 bucks) showed I had an impacted wisdom tooth with a cyst around it.&nbsp; My dental insurance covered the wisdom tooth, but the cyst removal would be considered under my regular insurance and my dentist was not participating. In fact I could not find a participating oral surgeon in the area.&nbsp; So I had to an extra $600 dollars out of pocket and of course my out-of-network deductible was $750, so I ate it again.</p> <p>4. The orthodontist.&nbsp; This one is perhaps the worst of all and really gets my goat.&nbsp; My oldest son went for an orthodontic exam. The doctor told my wife that he would probably need braces when he gets older and that current best practices in orthodontics is to put braces on now in a phase 1 and than if necessary they put other braces on later when more of his adult teeth come in. Putting braces on now would lesson the severity of what he would need later.&nbsp; OK, great lets do it, right?&nbsp; Wrong!&nbsp; Our insurance covers a one time payment of $1200. 
The dentist said if we use it now, the cost for phase 1 would be $3600.&nbsp; That leaves a balance of $2400 that I have to pay.&nbsp; However, if I do it without insurance he would charge me $2400 and than I could use the $1200 towards the phase 2 braces my son may need which could be up to 10k. So if we went through insurance the cost was $3600 with $2400 out of pocket or no insurance $2400 out of pocket.&nbsp; What is wrong with that picture. Whether I have insurance or not, it still costs me $2400!&nbsp; This is fundamentally what is wrong with our health care system.&nbsp; The dentist is willing to accept $2400.&nbsp; He should take the $1200 from my insurance and I should pay him another $1200.&nbsp; Anything else is ludicrous and in my mind borders on criminal insurance fraud.</p> <p>We need to restore sanity to the whole system. It is not just the 48 million people in this country that don't have insurance, it is also the costs of the people who do have insurance. Don't tell me that giving us greater limits to put in tax deferred health savings plan are the answer either.&nbsp; Fundamentally we need the insurance companies to stop sucking the blood of the premium payers. We need the health industry to bill for what the do and what it is worth, not how to maximize what the insurance company pays and most of all we need to make sure that people can afford and receive decent health care!</p> <p>BTW, if you want to read an excellent blog on this subject, Dr. Stanley Feld, Brad's dad writes a <a href="http://stanleyfeldmdmace.typepad.com/" target="_blank">great blog</a> on it.</p></div>

]]></content:encoded>
      <pubDate>Sun, 04 May 2008 11:13:07 +0000</pubDate>
      <category domain="http://securityratty.com/tag/insurance">insurance</category>
      <category domain="http://securityratty.com/tag/health insurance">health insurance</category>
      <category domain="http://securityratty.com/tag/premiums">premiums</category>
      <category domain="http://securityratty.com/tag/employees insurance premiums">employees insurance premiums</category>
      <category domain="http://securityratty.com/tag/insurance company pays">insurance company pays</category>
      <category domain="http://securityratty.com/tag/regular insurance">regular insurance</category>
      <category domain="http://securityratty.com/tag/insurance company">insurance company</category>
      <category domain="http://securityratty.com/tag/care">care</category>
      <category domain="http://securityratty.com/tag/health care system">health care system</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/283478411/why-even-having.html">Why even having health insurance is not enough anymore</source>
    </item>
    <item>
      <title><![CDATA[Medical data breaches put patients at risk]]></title>
      <link>http://securityratty.com/article/876260c84c233b5448bc529530e64084</link>
      <guid>http://securityratty.com/article/876260c84c233b5448bc529530e64084</guid>
      <description><![CDATA[Doctors can't cure the common cold and health care IT managers apparently can't stop the common data...]]></description>
      <content:encoded><![CDATA[Doctors can't cure the common cold and health care IT managers apparently can't stop the common data breach.]]></content:encoded>
      <pubDate>Mon, 28 Apr 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/common data breach">common data breach</category>
      <category domain="http://securityratty.com/tag/common cold">common cold</category>
      <category domain="http://securityratty.com/tag/managers apparently">managers apparently</category>
      <category domain="http://securityratty.com/tag/health care">health care</category>
      <category domain="http://securityratty.com/tag/stop">stop</category>
      <category domain="http://securityratty.com/tag/cure">cure</category>
      <category domain="http://securityratty.com/tag/doctors">doctors</category>
      <source url="http://www.networkworld.com/news/2008/042908-medical-data-breaches-put-patients.html?fsrc=rss-security">Medical data breaches put patients at risk</source>
    </item>
    <item>
      <title><![CDATA[Securing Virtual Environments Through Partnerships]]></title>
      <link>http://securityratty.com/article/25a154081192f4f83515088806957470</link>
      <guid>http://securityratty.com/article/25a154081192f4f83515088806957470</guid>
      <description><![CDATA[I’m back from the RSA 2008 Security Show in San Francisco and it was another great year of business development activity for security vendors. It felt like there was a decent amount of end user...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>I’m back from the RSA 2008 Security Show in San Francisco
and it was another great year of business development activity for security
vendors. It felt like there was a decent
amount of end user customers at the show but a lot more vendors touting their
wares and looking to do work with each other. I sat and listened to many vendors complain about this however and listened
to them complain about how they spend money year after year for these shows and
rarely get to talk to customers. It felt
to them that they hear more from other vendors that come up to their booth asking
about partnering or OEM’ing their technology. Well, this does get old pretty fast when you are looking to sell product
to justify your existence but for me it was refreshing to talk with other
companies about partnering. I had the
opportunity to talk to customers also but it was really exciting for me to have
partnership discussions.



</p>

<p class="MsoNormal">Why? Well over at Montego Networks where we are focusing on securing
a new type of network (one that’s virtual) we believe in security through partnerships.
Securing virtual environments is like exploring a new frontier or a planned
venture to Mars. Research scientists, chemists,
doctors, collective minds and in this case a unity of security vendors we feel
is the best approach to getting ready for this venture to the new Virtual World.</p>




<p><a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/04/13/earthpic.jpg" onclick="window.open(this.href, '_blank', 'width=640,height=400,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img width="100" height="62" border="0" alt="Earthpic" title="Earthpic" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/04/13/earthpic.jpg" style="margin: 0px 5px 5px 0px; float: left;" /></a>
 </p>

<p class="MsoNormal">Virtual Environments need to be studied jointly in order to understand
the new security risks, performance impacts and how to effectively secure it.&nbsp; Montego Networks plans to do that and has
announced its HyperVSecurity Alliance at RSA and has joined forces with
Cyberoam, Lancope, StillSecure and Plixer International in an effort to provide
Anti-Malware, Network Access Control, Intrusion Prevention, Behavioral Analysis
and Network Monitoring for the virtual environment. </p>





<p class="MsoNormal">See:</p>

<p class="MsoNormal"><a href="http://www.montegonetworks.com/node/54">http://www.montegonetworks.com/node/54</a></p>

<p class="MsoNormal"><a href="http://www.eweek.com/c/a/Security/Partnerships-are-Key-in-Virtualization-Security/">http://www.eweek.com/c/a/Security/Partnerships-are-Key-in-Virtualization-Security/</a></p>

<p class="MsoNormal">By establishing this type of alliance research engineers and
vendors will be able to journey to the new Virtual Datacenter with all of the
needed components and insight on securing networks. At the epicenter of this alliance is a security
framework designed by Montego Networks that allows various technologies to
plug in to the center of the virtual environment which is the switching
infrastructure.</p>





<p class="MsoNormal">Through Montego Networks' HyperSwitch, which has the ability
to see virtual network communication between systems (virtual desktops &amp;
servers), a framework is created that allows for user-defined policy that can send
traffic off to various places. An
example of this is via the HyperSwitch's Policy Based Switching engine, which
allows a user to create a policy that dictates that all email traffic will be
directed to an Anti-Virus Gateway, or its NetFlow capability, which exports flow
information to a Behavioral Analysis Engine.</p>

<p class="MsoNormal">After these various systems do what they do with the data,
they are also able to respond back to the framework via an API called NSCP (Network
Security Control Protocol) to instruct it to take appropriate action. This could be an IDS system invoking a
firewall policy or a Behavioral Analysis system telling the framework to
throttle back (slow down) a user's traffic flow. The possibilities are limitless!</p>





<p class="MsoNormal">So, much like the frontier to the USA from England where we
needed Doctors, Lawyers, Law Enforcement, Builders and Farmers, virtualization
needs a coalition of security forces that can provide Anti-Virus, IPS,
Firewall, Network Monitoring, Behavioral Analysis, etc. etc.</p>

<p class="MsoNormal">The goal is to all co-exist in the virtual environment vs.
fight for the same piece of land. I
think this makes sense because all is needed in the virtual world!</p>



<p class="MsoNormal">Stay tuned, as the alliance will get bigger and stronger and
give customers choice and independence as they look to secure the virtual
datacenter. Learn your ABC’s! Anything But Cisco, Let Freedom Ring! </p>

<p class="MsoNormal"><o:p>&nbsp;</o:p></p>

<p><a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/04/13/freedom.jpg" onclick="window.open(this.href, '_blank', 'width=118,height=118,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img width="200" height="200" border="0" alt="Freedom" title="Freedom" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/04/13/freedom.jpg" style="margin: 0px 5px 5px 0px; float: left;" /></a>
</p>


</div>
]]></content:encoded>
      <pubDate>Sun, 13 Apr 2008 12:06:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/virtual">virtual</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/virtual network communication">virtual network communication</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/montego networks plans">montego networks plans</category>
      <category domain="http://securityratty.com/tag/virtual datacenter">virtual datacenter</category>
      <category domain="http://securityratty.com/tag/montego networks">montego networks</category>
      <category domain="http://securityratty.com/tag/virtual environment">virtual environment</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <source url="http://feeds.feedburner.com/~r/SecurityInTheVirtualWorld/~3/269553477/securing-virtua.html">Securing Virtual Environments Through Partnerships</source>
    </item>
    <item>
      <title><![CDATA[Securing Virtual Environments Through Partnerships]]></title>
      <link>http://securityratty.com/article/a22b83da886e5d484c284d696b6d50be</link>
      <guid>http://securityratty.com/article/a22b83da886e5d484c284d696b6d50be</guid>
      <description><![CDATA[I’m back from the RSA 2008 Security Show in San Francisco and it was another great year of business development activity for security vendors. It felt like there was a decent amount of end user...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>I’m back from the RSA 2008 Security Show in San Francisco
and it was another great year of business development activity for security
vendors. It felt like there was a decent
amount of end user customers at the show but a lot more vendors touting their
wares and looking to do work with each other. I sat and listened to many vendors complain about this and listened
to them complain about how they spend money year after year for these shows and
rarely get to talk to customers. It felt
to them that they hear more from other vendors that come up to their booth asking
about partnering or OEM’ing their technology. Well, this does get old pretty fast when you are looking to sell product
to justify your existence but for me it was refreshing to talk with other
companies about partnering. I had the
opportunity to talk to customers also but it was really exciting for me to have
partnership discussions.



</p>

<p class="MsoNormal">Why? Well over at Montego Networks where we are focusing on securing
a new type of network (one that’s virtual) we believe in security through partnerships.
Securing virtual environments is like exploring a new frontier or a planned
venture to Mars. Research scientists, chemists,
doctors, collective minds and in this case a unity of security vendors we feel
is the best approach to getting ready for this venture to the new Virtual World.</p>




<p><a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/04/13/earthpic.jpg" onclick="window.open(this.href, '_blank', 'width=640,height=400,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img width="100" height="62" border="0" alt="Earthpic" title="Earthpic" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/04/13/earthpic.jpg" style="margin: 0px 5px 5px 0px; float: left;" /></a>
 </p>

<p class="MsoNormal">Virtual Environments need to be studied jointly in order to understand
the new security risks, performance impacts and how to effectively secure it.&nbsp; Montego Networks plans to do that and has
announced its HyperVSecurity Alliance at RSA and has joined forces with
Cyberoam, Lancope, StillSecure and Plixer International in an effort to provide
Anti-Malware, Network Access Control, Intrusion Prevention, Behavioral Analysis
and Network Monitoring for the virtual environment. </p>





<p class="MsoNormal">See:</p>

<p class="MsoNormal"><a href="http://www.montegonetworks.com/node/54">http://www.montegonetworks.com/node/54</a></p>

<p class="MsoNormal"><a href="http://www.eweek.com/c/a/Security/Partnerships-are-Key-in-Virtualization-Security/">http://www.eweek.com/c/a/Security/Partnerships-are-Key-in-Virtualization-Security/</a></p>

<p class="MsoNormal">By establishing this type of alliance research engineers and
vendors will be able to journey to the new Virtual Datacenter with all of the
needed components and insight on securing networks. At the epicenter of this alliance is a security
framework designed by Montego Networks that allows various technologies to
plug in to the center of the virtual environment which is the switching
infrastructure.</p>





<p class="MsoNormal">Through Montego Networks' HyperSwitch, which has the ability
to see virtual network communication between systems (virtual desktops &amp;
servers), a framework is created that allows for user-defined policy that can send
traffic off to various places. An
example of this is via the HyperSwitch's Policy Based Switching engine, which
allows a user to create a policy that dictates that all email traffic will be
directed to an Anti-Virus Gateway, or its NetFlow capability, which exports flow
information to a Behavioral Analysis Engine.</p>

<p class="MsoNormal">After these various systems do what they do with the data,
they are also able to respond back to the framework via an API called NSCP (Network
Security Control Protocol) to instruct it to take appropriate action. This could be an IDS system invoking a
firewall policy or a Behavioral Analysis system telling the framework to
throttle back (slow down) a user's traffic flow. The possibilities are limitless!</p>





<p class="MsoNormal">So, much like the frontier to the USA from England where we
needed Doctors, Lawyers, Law Enforcement, Builders and Farmers, virtualization
needs a coalition of security forces that can provide Anti-Virus, IPS,
Firewall, Network Monitoring, Behavioral Analysis, etc. etc.</p>

<p class="MsoNormal">The goal is to all co-exist in the virtual environment vs.
fight for the same piece of land. I
think this makes sense because all is needed in the virtual world!</p>



<p class="MsoNormal">Stay tuned, as the alliance will get bigger and stronger and
give customers choice and independence as they look to secure the virtual
datacenter. Learn your ABC’s! Anything But 100% Cisco, Let Freedom Ring! </p>

<p class="MsoNormal"><o:p>&nbsp;</o:p></p>

<p><a href="http://vmwaresecurity.typepad.com/.shared/image.html?/photos/uncategorized/2008/04/13/freedom.jpg" onclick="window.open(this.href, '_blank', 'width=118,height=118,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img width="200" height="200" border="0" alt="Freedom" title="Freedom" src="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/images/2008/04/13/freedom.jpg" style="margin: 0px 5px 5px 0px; float: left;" /></a>
</p>


</div>
]]></content:encoded>
      <pubDate>Sun, 13 Apr 2008 12:06:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/virtual">virtual</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/virtual network communication">virtual network communication</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/montego networks plans">montego networks plans</category>
      <category domain="http://securityratty.com/tag/virtual datacenter">virtual datacenter</category>
      <category domain="http://securityratty.com/tag/montego networks">montego networks</category>
      <category domain="http://securityratty.com/tag/virtual environment">virtual environment</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <source url="http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/04/securing-virtua.html">Securing Virtual Environments Through Partnerships</source>
    </item>
    <item>
      <title><![CDATA[Measuring the Wrong Things?]]></title>
      <link>http://securityratty.com/article/2683112d194bf8e82fd0f186765ca405</link>
      <guid>http://securityratty.com/article/2683112d194bf8e82fd0f186765ca405</guid>
      <description><![CDATA[I'm not sure why I'm always finding interesting articles in NPR about medicine that seem to resonate so much in relation to software security. Nonetheless that seems to be how things go, so here comes...]]></description>
      <content:encoded><![CDATA[I'm not sure why I'm always finding interesting articles in NPR about medicine that seem to resonate so much in relation to software security.  Nonetheless that seems to be how things go, so here comes another one.<br /><br />NPR ran a story the other day titled "<a href="http://www.npr.org/templates/story/story.php?storyId=88650768&amp;ft=1&amp;f=100">Doctors' 'Treat the Numbers' Approach Challenged</a>".  The main idea in the story is that doctors have been treating patients and using the results of certain tests as the metrics by which they judge health.  They treat a patient with drugs, therapies, etc. to get to the diagnostic numbers they want, but now we're finding out that perhaps the numbers are not necessarily representing what we'd like them to.<br /><br />The example from the article was:<br /><blockquote><p>Doctors call it "treating the numbers" — trying to get a patient's test results to a certain target, which they assume will treat — or prevent — disease. But earlier this year, a study on a widely used cholesterol drug challenged that assumption. </p><p>Vytorin, a combination of two cholesterol-lowering agents, certainly lowers cholesterol. But patients taking it didn't have any less plaque in a major artery than those taking a less-potent drug.</p></blockquote><p></p><p>I'm assuming that less plaque generally does translate to fewer adverse events, but the article doesn't cover this. Helpfully, in medicine we generally have a pretty clear definition of an adverse event, and we're not dealing with intelligent active threats. Active threats (virus, bacteria, fungus, parasite), but not intelligent...  We don't try to design cholesterol treatments to fend off a malicious food company that has designed a new more dangerous form of cholesterol that our drug can't fight :)</p><p>Knowing what to measure in security is hard though.  
We've covered a little of this before <a href="http://securityretentive.blogspot.com/2007/09/software-security-metrics-and.html">here</a>.<br /></p><p>If you're looking for more formal treatments of security metrics - check out the <a href="http://www.dit.unitn.it/%7Eqop/">Quality of Protection (QoP) workshop</a> held as part of the ACM CCS Conference.<br /></p><p>"The goal of the QoP Workshop is to help security research progress towards a notion of Quality of Protection in Security comparable to the notion of Quality of Service in Networking, Software Reliability, or measures in Empirical Software Engineering."</p><p>Over the next few posts I'll take a few of the papers from the workshop and discuss a bit of their results. If you're interested in the TOC for the workshop, you can find it <a href="http://portal.acm.org/toc.cfm?id=1314257&amp;type=proceeding&amp;coll=GUIDE&amp;dl=GUIDE&amp;CFID=7686630&amp;CFTOKEN=66937087">here</a>.<br /></p>]]></content:encoded>
      <pubDate>Mon, 24 Mar 2008 18:04:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security comparable">security comparable</category>
      <category domain="http://securityratty.com/tag/metrics">metrics</category>
      <category domain="http://securityratty.com/tag/security metrics">security metrics</category>
      <category domain="http://securityratty.com/tag/drug">drug</category>
      <category domain="http://securityratty.com/tag/cholesterol drug">cholesterol drug</category>
      <category domain="http://securityratty.com/tag/cholesterol">cholesterol</category>
      <category domain="http://securityratty.com/tag/lowers cholesterol">lowers cholesterol</category>
      <category domain="http://securityratty.com/tag/workshop held">workshop held</category>
      <source url="http://feeds.feedburner.com/~r/SecurityRetentive/~3/257433816/measuring-wrong-things.html">Measuring the Wrong Things?</source>
    </item>
  </channel>
</rss>
