City’s NoMoreClipboard a victim
Store your medical records in one place online, be able to update them from your own home when needed and, more importantly, be able to share them with a physician or other health care group before you get to a doctor’s office or emergency room.
But what happened last month to the NoMoreClipboard network – as well as the network for the Fort Wayne medical software company behind it – is also the latest in a growing trend plaguing the health care industry as a whole:
They were hacked.
People’s names, addresses, dates of birth and Social Security numbers as well as other information were all vulnerable for nearly three weeks in May until officials with Medical Informatics Engineering – the parent company of NoMoreClipboard – discovered the hack.
A third-party forensic expert retained by the company and FBI cyber investigators are still looking into the scope of the attack, as well as where it might have stemmed from. But how many people might have been affected and who hacked the networks are still unclear.
Last year, cyberattacks on large corporations such as Target and Sony made headlines across the country. But hackers today are targeting businesses big and small in an attempt to mine information.
And the push to move that data online so it can be shared among doctors, insurance companies and others has, according to experts, giving hackers more chances and multiple doors to get at that data.
“Medical information is just as vulnerable as anything else,” said Jon Knight, program chair of the Cyber Security Information Assurance program at Ivy Tech Community College Northeast. “Those lines of communication have many points of entry.”
Small targets
Created in 1995, Medical Informatics Engineering bills itself on its website as ahead of its time when it came to “interoperable healthcare data exchange.”
Made up of 80 employees, the company certainly wouldn’t be the first on the small side to be the target of hackers. According to the National Small Business Association, half of 675 businesses surveyed by the organization in 2014 reported being the victims of cyberattacks – up 44 percent from 2013.
Plus, MIE’s reach is stretched considerably by its client list.
One client, Concentra, operates more than 300 medical centers in 38 states. Other clients include Franciscan St. Francis Health Indianapolis, Rochester Medical Group in the Detroit area and the Fort Wayne Neurological Center and Gynecology Center Inc. Fort Wayne.
Officials with MIE first noticed suspicious activity within one of its servers May 26 and notified the FBI. Eventually, a forensic investigation found unauthorized access to the company’s network began May 7. Wednesday, the company posted a message notifying users of its NoMoreClipboard network about the hack.
Described on its website as an “easy-to-use, portable, collaborative tool that supports secure, two-way communication,” NoMoreClipboard users can store medical records for themselves and up to 10 family members online with the service.
Users logging on to NoMoreClipboard Wednesday and Thursday were told data affected in the hack “may include an individuals’ name, home address, username, hashed password, security question and answer, email address, date of birth, health information, and Social Security number.”
Users were also encouraged to change their passwords.
And while they try to track down how many people were affected, officials with MIE said they are offering free credit monitoring and identity-protection services to affected individuals for the next 24 months. The company also created a toll-free call center at 866-328-1987 to answer questions about the attack.
“It’s our top priority right now,” Chief Operating Officer Eric Jones said of figuring out who was affected. “Between our internal staff and FBI and our third party (we hired), we have a lot of resources devoted to this.”
When reached for comment, the chief operating officer for one of MIE’s local clients said they had been notified of the hack and that MIE was taking steps to right whatever went wrong.
“We’ve been assured everything is being taken care of, and we are monitoring the situation,” said Barry Kunkle of the Fort Wayne Neurological Center.
Health vulnerable
In late January, hackers targeting health insurer Anthem got into the company’s computer network where they had access to the personal information of tens of millions of clients and former customers.
While that sparked news coverage galore, it also brought to light in the public consciousness what many experts had been seeing for some time: that more and more health care companies were becoming targets of cyberattacks.
The Office for Civil Rights at the Department of Health and Human Services keeps a database of data breaches at health care companies and providers involving the information of 500 or more patients. An analysis of that database by the Brookings Institute found 13 such incidents in 2008.
In 2013, that number rose to 256, according to the Brookings Institute. The organization also found the number of patients affected by such breaches increased from about half a million people in 2008 to nearly 9 million people last year.
Many of these attacks, both against the health care industry and at other companies, come from overseas, experts said.
“There are cafés in China where all they do is sit there and hack against cyber accounts in the U.S. all day,” said Knight, the head of Ivy Tech’s cybersecurity program. “If you get a dollar from an account, you get a dollar, and if you do that a thousand times in one day you’ve got a thousand dollars.”
Constant threats mean companies no doubt must invest in protecting their networks.
But then bigger questions arise, like: How much should they invest?
If they hire someone to protect networks, and the network is never hacked, is it because the network was already protected enough or is it the person who was hired to protect it?
Would a company benefit by hiring a firm specializing in trying to find loopholes within it’s network, and then hiring them to fix those loopholes?
“Now you’re getting into risk management,” Knight said. “What is the trade-off? What are you willing to accept?”
That may not be much of question for big companies and corporations; for small firms, it may be another issue entirely.
According to the National Small Business Association, small businesses reported the average cost of dealing with a cyberattack just two years ago was $8,699.
Today the average cost for a small firm is more than double that, at $20,752.
It’s not clear how much the hack at MIE is going to cost, and officials there declined to reveal the third-party company it hired to come in and help determine the scope of the attack on their networks.
They did say, though, they are working with experts to enhance data security.
View the original content and more from this author here: http://ift.tt/1IA24V6
from cyber security caucus http://ift.tt/1QtQaD8
via IFTTT
No comments:
Post a Comment