Two proposed rules released this week by the Department of Health and Human Services aim to define and discourage inappropriate blocking of the secure sharing of health information, says Elise Sweeney Anthony of the Office of the National Coordinator for Health IT.
The information blocking proposals are among the many provisions in ONC's 724-page proposed rule, "21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program," released on Monday.
In addition to ONC's proposal, the Centers for Medicare and Medicaid Services also issued its own 250-page proposed rule dealing with interoperability and patient access to health information, as well as information blocking.
The 21st Century Cures Act spells out that healthcare providers, healthcare information exchanges, health information networks and certified health IT developers can be held accountable for information blocking, Anthony explains in an interview with Information Security Media Group at the HIMSS19 conference in Orlando, Florida.
"Information should absolutely flow to support patient care, patient involvement in their care and providers having the information needed to provide care," Anthony says.
The proposed ONC rule, however, lists seven "exceptions" for when failure to share data should not be considered a violation, taking into consideration privacy and security issues, she points out.
In the interview (see audio link below photo), Anthony also discusses:
Examples of information blocking that could be prohibited if the proposed rules are adopted - and the potential penalties that could be imposed by HHS' Office of Inspector General; How the ONC and CMS newly proposed rules align; The status of the ONC draft of its Trusted Exchange Framework and Common Agreement, or TEFCA, which also aims to help fulfill a call for increased health data exchange in the 21st Century Cures Act; ONC's proposals for requiring certified health IT vendors to support encrypting authentication credentials and/or multifactor authentication in their products.
In her role as executive director of policy at ONC, Anthony leads the agency's engagement on a range of policy efforts. Previously, she served as ONC's deputy director of policy, where she led the agency's coordination with CMS on the electronic health record incentive program regulations. Before joining ONC, Anthony spent several years spearheading a variety of health improvement initiatives at a law firm.
The 2019 RSA Conference offers an opportunity to learn about new concepts across all aspects of cybersecurity. One such area is "data gravity," which will be the topic of a session featuring Microsoft's Diana Kelley and Sian John.
"At a high level, data is going to function similar to the physical laws of gravity, so the more data that you get, the more it's going to draw data to itself, but most importantly it's going to draw services and apps to it too," Kelley explains in an interview with Information Security Media Group. "This has really deep meaning in the cloud space, because what are we creating in the cloud? We're creating these massive balls of data gravity."
In their joint presentation at the RSA Conference, Kelley and John will focus on what data gravity means for security operations centers.
"We're getting now in the security world with cloud to that same big data problem we had in the wider IT world, and it's possibly one of the reasons why people are having challenges with building SOCs because of the fact that they need to stitch together these areas of data gravity to gain insights and understand what's going on," John says.
In this interview (see audio link below photo), Kelley and John discuss:
Data gravity and the hybrid cloud; Hot topics at this year's RSA Conference, including blockchain, applied crypto, cryptocurrencies, artificial intelligence and machine learning; The emerging focus on identity as a core component in a zero trust cybersecurity model.
Kelley is the cybersecurity field CTO at Microsoft and a cybersecurity architect, practitioner, executive adviser and author. She leverages her more than 25 years of cyber risk and security experience to provide advice and guidance to CSOs, CIOs and CISOs.
John is chief security adviser for Europe, the Middle East and Africa in the cybersecurity solutions group at Microsoft. She has worked in cybersecurity since 1997. Previously, she worked with the British Houses of Parliament, Ubizen and Symantec. She was awarded an MBE in the Queen's New Year Honours List for 2018 for services to cybersecurity.
The Department of Health and Human Services is paying particular attention to complaints involving patients' access to their health information; it's also focusing on investigations of organizations with patterns of HIPAA noncompliance, says Nick Heesters of the HHS Office for Civil Rights.
Details about how OCR plans to ramp up enforcement of patients' record access rights are still being worked out, he says in an interview with Information Security Media Group at the HIMSS19 conference in Orlando, Florida.
Regarding how OCR will identify patient access cases to investigate, Heesters says: "Certainly, patient complaints is a main method by which OCR receives issues for potential investigations."
On Monday, two HHS units, the Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services, each issued proposed rules that aim to bolster the secure exchange of health information. The two proposals are intended to give patients better access to their records in the quest for improved coordination of care.
During a HIPAA compliance and enforcement presentation at HIMSS19, OCR Director Roger Severino noted that "empowering consumers with [access to] their own health information ... leads to better health outcomes." OCR and other HHS units are coordinating their policy efforts around the aim of balancing privacy with the right of access, he told the audience at the session, which also featured Heesters.
Another area of heightened enforcement scrutiny, Heesters says, involves focusing on those entities with "a culture of noncompliance and total disregard for the duty of care that is owed to protecting individuals' protected health information."
Those are the "egregious cases" that can also get extra scrutiny for potential HIPAA financial settlements or civil monetary penalties, he explains.
"OCR is primarily interested in pursuing enforcement in those kinds of cases where there is no evidence of any kind of compliance or even any attempts to comply with the HIPAA rules," he says.
In the interview (see audio link below photo), Heesters also discusses:
Weak risk management practices that get OCR's attention for potential enforcement action; Trends in the types of breaches OCR is seeing reported; The status of OCR's HIPAA compliance audit program.
Heesters, an attorney, is a health information privacy and security specialist at OCR. He is a certified information privacy professional with over 25 years of experience supporting technology and information security efforts in diverse industries, including financial services, government, defense, education and healthcare.
The US Department of Justice unsealed today espionage-related charges against a former US Air Force service member who defected to Iran and helped the country's hackers target her former Air Force colleagues.
Besides charges and an arrest warrant issued in the name of the former USAF service member, Monica Witt, the DOJ also indicted four Iranian hackers who allegedly carried out the cyber-attacks acting on information provided by Witt.
The most notable of the four Iranian hackers is Behzad Mesri, whom US authorities also charged in November 2017 with hacking HBO, stealing scripts for unaired episodes of season 6 of the hit TV series Game of Thrones, and later attempting to extort HBO executives for $6 million.
Mesri isn't just some random cyber-criminal: he's believed to be a member of the "Charming Kitten" Iranian cyber-espionage unit, a top hacker and a close collaborator of the Iranian Revolutionary Guard Corps (IRGC), the country's main intelligence service.
But at the heart of today's indictment stands Monica Elfriede Witt, 39, a former US Air Force counter-intelligence special agent specializing in Middle East operations, who served in the Air Force between 1997 and 2008, and later worked as a DOD contractor until 2010, including for Booz Allen Hamilton, the same defense company where Edward Snowden worked.
Prosecutors say that Iranian intelligence recruited Witt in 2012 when she attended a conference in Iran called "Hollywoodism," organized by Iranian company New Horizon Organization and sponsored by the IRGC. The conference's main topic was condemning American moral standards, promoting anti-US propaganda, anti-Semitism, and Holocaust denial.
Prosecutors say that Witt established relations with individuals she met at the conference, one of whom later arranged her defection to Iran in August 2013, where she received housing and computer equipment from the Iranian government.
The DOJ claims Witt has been working ever since with IRGC hacking units to craft and fine-tune cyber-operations against her former Air Force colleagues, some of whom she knew personally.
Some of the attacks mentioned in the indictment include spear-phishing campaigns, malware infections, and social media-based operations.
Witt allegedly provided information on the targets that were worth hacking and even worked with the four hackers to register an impostor Facebook account in the name of a former colleague, successfully befriending other special agents.
Witt's defection and subsequent collaboration with Iranian hackers were all the more damaging because she also held high-level security clearance and had field duty experience, and she indirectly helped Iranian intelligence gain deep insight into how US operations are conducted both internally and overseas.
All five suspects named in the indictment are still at large and are believed to be located in Iran. The DOJ says Witt now goes by the names Fatemah Zahra or Narges Witt.
The US Department of Treasury also announced economic sanctions against two Iranian companies today: New Horizon Organization, for its support of the IRGC; and Net Peygard Samavat Company, a company that developed and attempted to install malware on US government personnel's computers under the coordination of the IRGC.
What are some of the hottest issues that will be discussed at this year's RSA Conference, to be held March 4-8 in San Francisco? Britta Glade, content director for the world's largest data security event, says DevSecOps - as well as third-party risk and cloud-related issues - are emerging as key themes.
DevSecOps is a subject that's at the tipping point, with many enterprises willing "to share the good, the bad and the ugly," she says in an interview with Information Security Media Group.
Glade also calls attention to "learning labs" at this year's event, which she describes as offering a "guide on the side" rather than a "sage on the stage." She explains: "There's the opportunity to go through something like a breach response, and the guide is taking you through an actual breach. Everyone in that room has a role; you're working through it together ... in little groups to share ideas. And it's a great opportunity to get to know other attendees."
In this interview (see audio link below photo), Glade also discusses:
Key topics at this year's event; The "Early Stage Expo," which will highlight new and emerging innovations in information security; A new track on "public interest technology."
Glade is director of content and curation for the RSA Conference. She has been in the learning and security sector for 23 years. Previously, she was head of analyst relations for RSA. In 2014, she was recognized as one of the top 10 analyst relations professionals by the Institute of Analyst Relations Professionals.
Bad News, Based on the 5 Biggest Breaches in the Past 5 Years
(euroinfosec) • February 13, 2019
Is the era of data breaches involving hundreds of millions - if not billions - of accounts over?
Tempting thought: What if organizations' information security practices, policies and procedures are continuing to get better, repelling cybercriminals and nation-state attackers alike?
But at the risk of suffering a devastating existential crisis, what if we're instead all stuck in a perpetual cat-and-mouse game, in which attackers continue to improve just enough to punch holes in defenders' security, however much less imperfect it may have become?
Here's what is certain: Some of the biggest breaches in recent years show that the lag between attackers accessing a corporate system and the organization discovering the full extent of the intrusion can be months or years.
Massive breaches can also result from even relatively small security missteps, says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements. "If history can teach us anything, it will be that new and novel attacks will come to light," he tells me (see: Salesforce Security Alert: API Error Exposed Marketing Data).
What other lessons might be learned? Here's a review of the top five breaches in the past five years, including takeaways such as how many accounts were compromised and how attackers broke in.
Details: Search giant Yahoo's entire user base of 3 billion accounts was compromised in an August 2013 data breach. Yahoo in December 2016 estimated that 1 billion accounts had been compromised, before revising that estimate to 3 billion in October 2017. The breach exposed names, email addresses, phone numbers and birthdates, and in some cases the unencrypted security questions and answers used to recover account access were also stolen. Passwords hashed using the MD5 algorithm - considered an unsafe password-handling practice even in 2013 - were also exposed.
Cause: Yahoo has said only that "an unauthorized party stole data associated with certain user accounts."
Details: Yahoo suffered a separate series of breaches, beginning in 2014, that resulted in 500 million users' accounts being compromised. The company failed to disclose the breaches until September 2016. Yahoo's board has concluded that CEO Marissa Mayer, other senior executives and the company's legal team failed to properly comprehend or investigate the attack when it came to light in 2014 (see: Yahoo CEO Loses Bonus Over Security Lapses).
Cause: Yahoo has blamed a "state-sponsored entity" and said forged cookies were used to access some accounts. The Department of Justice has filed charges against four men, including three Russians, two of whom are allegedly officers in the FSB, Russia's federal security service. The fourth man, a Canadian citizen named Karim Baratov who acted as a "hacker for hire," was extradited to the U.S., pleaded guilty and last year received a five-year prison sentence. Baratov admitted to hacking 11,000 webmail accounts on behalf of his employers. Prosecutors accused the attackers of using forged cookies to access 6,500 Yahoo accounts.
Details: In November 2018, Marriott disclosed that the reservation database used by its Starwood Hotels & Resorts Worldwide unit had been breached in 2014. Marriott acquired Starwood in September 2016 for $13 billion. Marriott initially estimated that 500 million accounts were breached, but subsequently revised that assessment (see: Marriott Mega-Breach: Victim Count Drops to 383 Million).
Exposed information included customers' "name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ('SPG') account information, date of birth, gender, arrival and departure information, reservation date and communication preferences." Also exposed: 8.6 million encrypted payment cards and 25.6 million passport numbers, of which 5.25 million were unencrypted.
Cause: Unstated, although Marriott's investigation continues. Some reports have suggested that investigators recovered Chinese-language malware - or perhaps backdoors - but that remains speculative and doesn't indicate how attackers may have broken in.
Details: Friend Finder - aka FriendFinder Networks, which runs thousands of adult-themed sites in what it describes as a "thriving sex community" - was hacked in October 2016, leading to 20 years of data being exposed for 412 million users, breach information site LeakedSource reported. Friend Finder had previously been breached in May 2015 (see: Dating Website Breach Spills Secrets).
Affected Friend Finder sites reportedly included Adultfriendfinder.com (340 million accounts), Cams.com (63 million accounts), Penthouse.com (7 million accounts), Stripshow.com (1 million accounts), iCams.com (1 million accounts) and "Free Live Sex Cams" (35,000 accounts).
Cause: Local file inclusion, according to LeakedSource, which linked to a CSO report showing that there was an exploitable LFI flaw in AdultFriendFinder. Such vulnerabilities allow an attacker to supply input that causes a web application to read or include files from the server's own filesystem. In the worst-case scenario, this input can be used to remotely execute arbitrary code on the server.
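The root cause of a local file inclusion flaw is almost always a file path built from user input without proving that the result stays inside the directory the application meant to serve. The following is an added example, not code from the article or from any of the sites it names: a hypothetical template loader shown in its vulnerable form beside a hardened form. The template root, the allowed suffixes and all inputs are constructed for illustration. Path handling is done with `posixpath` on strings so the example runs identically on any platform without touching the disk; on a real server the candidate path should also be passed through `os.path.realpath` so that symlinks cannot lead back out of the root.

```python
import posixpath

# Hypothetical document root the application is allowed to read from
# (constructed for this example; not a path from the article).
TEMPLATE_ROOT = "/srv/app/templates"

# Only these file types are ever served; anything else is rejected.
ALLOWED_SUFFIXES = (".html", ".txt")


def resolve_unsafe(root: str, name: str) -> str:
    """The vulnerable pattern behind most LFI bugs.

    User input is glued onto a base path and handed to the filesystem.
    Traversal sequences ("..") and absolute names let the caller choose
    any file the web server process can read.
    """
    return posixpath.normpath(posixpath.join(root, name))


def resolve_safe(root: str, name: str) -> str:
    """Hardened version: canonicalise, then prove the result is still
    under root. Raises ValueError for anything that is not.
    """
    # NUL bytes can truncate the path in lower-level C APIs.
    if "\x00" in name:
        raise ValueError("NUL byte in requested name")

    # Allowlist the file types the feature actually needs.
    if not name.endswith(ALLOWED_SUFFIXES):
        raise ValueError("unexpected file type")

    root = posixpath.normpath(root)
    # join() discards root if name is absolute; normpath() collapses "..".
    candidate = posixpath.normpath(posixpath.join(root, name))

    # commonpath() is the containment check. A plain startswith() test
    # would wrongly accept "/srv/app/templates2/x.html".
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("requested path escapes the template root")

    return candidate


def rejects(root: str, name: str) -> bool:
    """True if the hardened resolver refuses the name (used in tests)."""
    try:
        resolve_safe(root, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate request and several hostile ones.
    for requested in ["index.html", "pages/../index.html",
                      "../../../etc/passwd", "/etc/passwd",
                      "../templates2/x.html", "a\x00.html"]:
        unsafe = resolve_unsafe(TEMPLATE_ROOT, requested)
        verdict = "REJECTED" if rejects(TEMPLATE_ROOT, requested) else "served"
        print(f"{requested!r:28} unsafe -> {unsafe:30} hardened -> {verdict}")
```

The two resolvers make the defect visible: the unsafe one happily turns `../../../etc/passwd` into `/etc/passwd`, while the hardened one serves only names whose canonical form lies under the template root and has an expected suffix. The containment test is deliberately `commonpath`, not a string prefix, because a sibling directory whose name merely starts with the root's would pass a `startswith` check.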
Note: Last year, police in Canada arrested Jordan Evan Bloom of Ontario after he allegedly earned $247,000 by administering LeakedSource and selling personal data. Security experts said LeakedSource was a suspiciously fast source of breached data and speculated that the site might be paying hackers for data troves, although that has never been confirmed (see: LeakedSource Operator Busted by Canadian Police).
Details: In March 2017, attackers gained access to Equifax's network, exfiltrating personally identifying information for at least 145.5 million U.S. consumers, 15.2 million U.K. consumers and 8,000 Canadian consumers from 51 databases over 76 days. Equifax didn't spot the attack until four months later, and it issued its first public data breach notification in August 2017.
Cause: Attackers exploited a flaw in Apache Struts five days after Apache issued an emergency patch. Equifax failed to install the patch for four months, as part of a cavalcade of information security errors, including failing to renew a digital certificate in a security device that would have allowed it to inspect network traffic. Once the certificate was renewed and the device began working again, Equifax spotted attackers exfiltrating sensitive data that they had first encrypted (see: Postmortem: Multiple Failures Behind the Equifax Breach).
While the above list is a small sample, it's notable for showing how attackers can take advantage of small problems to cause major fallout. Detecting intrusions is also a slow process, sometimes due to poor security controls, organizational inertia or both - even at organizations such as Equifax, which should be among the best resourced in the world.
Lessons can obviously be learned from these five breaches. Unfortunately, there would be more lessons to learn if organizations were more forthcoming about what exactly went wrong.
The Identity Theft Resource Center, a nonprofit U.S. organization that helps data breach victims, tracks public data breach notifications. In its review of all disclosed 2018 data breaches, it found that many organizations failed to disclose how many records were exposed or exactly what went missing. Many more failed to say how they'd been hacked, often listing the cause simply as "unauthorized access." As ITRC notes, this "is not an accurate reflection of the true method of intrusion" (see: Fewer Breaches in 2018, But More Sensitive Data Spilled).
Consumers are at risk if they don't know what was stolen. In terms of the greater good, other potentially hacked organizations will also have a harder time learning lessons from the breach if the cause is not revealed. They could get targeted in the same way by the same gang.
"Companies need to be more transparent and granular with their disclosures," ITRC says.
The cameras are watching, and they know who you are.
A Chinese facial recognition company left its database exposed online, revealing information about millions of people, a security researcher discovered.
SenseNets, a company based in Shenzhen, China, offers facial recognition technology and crowd analysis, which the company boasted in a promotional video could track people across cities and pick them out in large groups.
But the company failed to protect that database with a password, Victor Gevers, a Dutch security researcher with the GDI Foundation, discovered Wednesday. The database contained more than 2.5 million records on people, including their ID card number, their address, birthday, and locations where SenseNets' facial recognition has spotted them.
From the last 24 hours alone, there were more than 6.8 million locations logged, Gevers said. Anyone would be able to look at these records and track a person's movements based on SenseNets' real-time facial recognition.
"Knowing when someone is not in the office or at home can be useful for simple burglar crimes, but also social engineering attacks to get into buildings," Gevers said in a message.
SenseNets' database was wide open for viewing by anyone.
He said that GDI Foundation reached out to the company to warn it about the open database, which has been available since July. SenseNets did not respond to a request for comment.
Logged locations include police stations, hotels, tourism spots, parks, internet cafes and mosques, Gevers said. The researcher found that there were 1,039 unique devices tracking people across China.
One camera was logged monitoring the Uygur population in Xinjiang, a Muslim minority group that the Chinese government has been accused of targeting with human rights abuses.
The database was available online for anyone to find, and it allowed for full access -- meaning a malicious actor could add or delete records from the database, Gevers said. While it was available, the security researcher saw that someone had tried to hold the database ransom in the past.
Along with the location records, thieves could have also stolen sensitive information like people's addresses and ID numbers.
Facial recognition is pervasive in China, used to monitor citizens across the country. By 2020, China plans to give each citizen a social credit score, tracked through facial recognition logging behaviors like jaywalking and shopping frequency. There are about 200 million surveillance cameras in China, and plans to more than triple that number by next year.
The technology has often been criticized as an invasion of privacy, as it allows government agencies to track citizens in real-time without their consent. In the US, the Orlando police department experimented with facial recognition tracking individuals using Amazon's Rekognition technology.
SenseNets' exposed database logged each time a person was recognized by facial recognition from a tracker spread around the city. Each camera has an individual name and an IP address tied to a location, Gevers said.
First published at 10:16 a.m. PT.
Update at 2:45 p.m.: Adds details on where these locations were logged.