Tuesday, February 19, 2013

Unhealthy Healthcare Hackers

What business or organization collects and stores more sensitive personal information than does your doctor, hospital or other health care provider?

What business or organization is more careless or takes more risk with your sensitive personal information than does your doctor, hospital or other health care provider?

The answer to both questions may be "none."

Avi Rubin, a computer specialist and technical director of the Information Security Institute at Johns Hopkins University, says he has "never seen an industry with more gaping security holes." In a December 2012 article in the Washington Post, Rubin said, "If our financial industry regarded security the way the health care sector does, I would stuff my cash in a mattress . . ."

That's the bad news. The good news is that so far there have been relatively few attacks directed at U.S. health care facilities. However, the U.S. Department of Homeland Security says health care is a growing target for what it calls activist hackers, cyberwarriors, criminals and terrorists.

A DHS memo last year warned "These vulnerabilities may result in possible risk to patient safety and theft or loss of medical information."

Johns Hopkins' Rubin cites aging software, the mandatory adoption of computerized personal health records and a culture of physicians, nurses and health care staff who routinely ignore basic security measures, including strong passwords, in favor of their own convenience while putting your private information at risk.

He reported a conversation with a nurse who told him part of her job was typing in a physician's password on any computer he might want to use in the hospital, so the doctor would not have to, even though it meant leaving terminals "on line" and unattended.

Health care privacy laws are among the most complicated, or at least many doctors and hospitals act like it, but then fail to take even basic steps to safeguard your personal information once it is entered into their computers.

Rubin told the Washington Post reporter that health care "is an industry with the least regard, understanding and respect for IT security of any I've seen, and they have some of the most personal and sensitive information of anyone."

A year ago, someone hacked into a network server at the Utah Health Department and possibly downloaded Medicaid records for 780,000 people. Utah officials tracked the hackers to computers in Eastern Europe.

Doctors, hospitals and other health care providers cannot afford to be careless with your medical records and personal information.  Their income AND their reputations are at stake.

Monday, February 18, 2013

Burger King Sells to McDonald's -- Twitter Says

The hacktivist group Anonymous was quickly identified Monday as the likely source of a successful takeover of the Burger King Twitter account.

It began with a tweet declaring the fast food chain "just got sold to McDonalds!"

It took an hour before Twitter shut down the account, but not before 30,000 new followers signed in to the Burger King account, and many had fun with the compromised social media site. 

There was probably "no harm -- no foul" in the attack, but there could have been.  And what business wants to be the butt of such drama?

A McDonald's spokesperson told NBC News they were not responsible, and then added "we empathize with our @BurgerKing counterparts. Rest assured, we had nothing to do with the hacking."

Burger King issued a statement at mid-afternoon: "We apologize to our fans and followers who have been receiving erroneous tweets about other members of our industry and additional inappropriate topics."

Twitter said earlier this month that about 250,000 user passwords had been compromised, although it was not clear if that contributed to the Burger King attack.

The lesson for all organizations is quite clear -- if you are playing in the digital world, be prepared to cope with an embarrassing moment or two.