BreachExchange mailing list archives

Are we suffering from data-hack fatigue when we should be extra vigilant?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 27 Apr 2015 18:29:34 -0600

http://www.yakimaherald.com/emails/3100832-8/are-we-suffering-from-data-hack-fatigue-when-we

Chances are, you’ve heard something about the cyberattack on Premera Blue
Cross in the six weeks since the company announced its massive security
breach.

Maybe you even received a letter saying your personal information had been
compromised.

But how worried should you be, exactly?

Premera’s breach, in which hackers stole personal financial and medical
data for about 11 million people — 6 million of them in Washington alone —
was just the latest brazen attack on health system data.

In January this year, Anthem BlueCross BlueShield disclosed a breach that
affected an estimated 80 million people, including patient data stretching
back to 2004. Last year, Community Health Systems, the parent company of
Yakima Regional Medical and Cardiac Center, was breached via the
“Heartbleed” bug, an Internet vulnerability that allowed hackers to gain
information on 4.5 million patients nationwide. Premera’s breach actually
occurred in May 2014; the company learned of it Jan. 29 but didn’t make a
public announcement until mid-March.

All those breaches came after attacks on retailers like Target and Home
Depot, where credit card information for tens of millions of customers was
stolen.

Now, consumers might be at risk of data-hack fatigue, tempted to tune out
the deluge of bad news as simply one more cost of living in a digital world.
But consumer advocates and health industry insiders say people need to keep
paying attention — if not to prevent fraud, then at least to catch it as
soon as possible.

At a recent health information management convention, one of the main
seminars was “It’s Not a Matter of ‘If’; It’s a Matter of ‘When,’” said
Jeff Yamada, chief information officer and vice president at Yakima Valley
Memorial Hospital.

“(Hackers) are getting so sophisticated in some of the tools that they’re
using, it’s hard to stay one step ahead of the threats,” Yamada said last
week in an interview.

“Some of the information they’ll gather, they’ll also gather from kids, so
down the line they have that information to be used at any time,” he said.

Premera, like Anthem before it, is offering two years of free credit
monitoring for anyone who was affected by the breach. The company spent
most of April sending out letters to affected customers, outlining options
for assistance.

Some consumers are scoffing at the idea of two years of credit monitoring
when their personal information is potentially vulnerable to theft and
fraud for years to come.

Premera spokeswoman Melanie Coon wrote in an email that the company is
encouraging affected customers to carefully review any “explanation of
benefits” statements upon receipt, to look for any claims for services they
never received, and to contact Premera directly.

Also, she said, “Affected individuals need to know that Premera will not
email members or make unsolicited phone calls to members about this
attack,” so if someone calls randomly or emails asking for personal
information, don’t go along with it.

“Although the investigation has not determined that any such data was
removed from our systems and we have no evidence to date that such data has
been used inappropriately, we urge affected individuals to sign up for the
credit monitoring and identity theft protection products,” Coon wrote.

Recognizing that identity theft may happen “months and even years after a
data breach,” she said, Premera is providing members with ExtendCARE, which
offers fraud resolution support and covers identity theft issues after
their membership has expired.

On the health care side, where detailed patient information is collected,
Yamada says health care organizations nationwide are constantly evolving in
how they identify and protect against potential threats.

At Memorial, he said, every year the hospital brings in an outside team to
do a full security assessment. After a week of close monitoring, the group
hands over a long report detailing every vulnerability in the system, and
hospital directors prioritize which issues they need to fix first.

“There’s constantly threats that kind of hit our front door — industrywide,
that happens every day,” Yamada said.

Protecting against those threats takes a significant investment in staff
and infrastructure, he said.

“From an IT perspective, yeah, we do spend a lot of dollars. And every year
that seems to grow,” he said. But, of course, they can’t afford not to do
so: “One breach will basically pay for itself,” he said.

“My take ... I say, if a robber wants to break into your house, they’ll
find a way to break in; you’ve just got to make it as hard as possible,”
Yamada said. “That’s what we try to do. Do we have 100 percent of
everything shored down? Probably not, but we make progress in what we’re
doing.”

In the wake of Premera’s cyberattack, Washington Insurance Commissioner
Mike Kreidler is leading a multistate investigation into the company’s
cybersecurity system and process of customer notification. Several
class-action lawsuits have also been filed against the company.

For Premera’s part, Coon said, both the FBI and security consultant
Mandiant warned that going public with the breach could prompt more
malicious activity from the hackers, so the company worked to finish its
investigation and shore up its IT security before making the announcement
March 17.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/