Healthcare industry leaving neck exposed to cyber attacks
According to a recent report that’s no doubt of great interest to the bloodsucking undead, Australia’s recent data breach, its largest ever, exposed around 1.3 million records, affecting 550,000 people who donated blood to the Red Cross. An anonymous source discovered that a 1.74 GB file containing this information had been posted to a public site, and alerted security expert Troy Hunt last week. The data in the file covers donors all the way back to 2010. Personal details and medical information were stored in the database.
On the bright side, this incident does not appear to have been the work of a malicious intruder. No Count Hack-ula here, but apparently only simple human negligence, according to the Red Cross Blood Service. The database backups were put on a public-facing site by a careless mistake. Actual blood analyses were not included among the data, which was available from September 5 to October 25. No one else, luckily, appears to have accessed the file, and Hunt and his source deleted their copies.
All of this should make a bit of a silver lining for Australian donors. However, it once again underscores, as so many incidents do, how regular employees are often the weak link in the data security chain.
There are always others, of course. A new Ponemon study confirms that organizations do not prioritize data breach readiness, with 40% not routinely reviewing or updating their plans. This is a timely report, whose results are reflected in recent news about the 2015 Anthem data breach. The health care giant, seemingly recovered from an incident that was a benchmark in security breaches, now faces allegations, courtesy of a subpoena, that it was aware of the flaws in its information security technology before the breach and did not act. Furthermore, it is accused of refusing to allow a security test. All these revelations come courtesy of a 2013 security audit by the Office of Personnel Management, performed due to Anthem’s position as an administrator of the Federal Employees Health Benefit Program (insert OPM joke here).
The main takeaway from headlines like these is that the healthcare industry continues to be vulnerable to cyber threats on multiple fronts, and is seemingly still unprepared for the dangers of the modern online landscape. Halloween may be over, but there are always digital vampires waiting to glut themselves on stolen data.