Slashdot Mirror


One In Four Indiana Residents' E-Record Data Exposed in Hack

Reader chicksdaddy reports that a data breach involving four million patients and more than 230 different data holders (from private practices to large hospitals) hit Indiana especially hard. It's the home state of Medical Informatics Engineering, maker of the electronic records system NoMoreClipBoard. While data exposed in the breach affected 3.9 million people, 1.5 million of them are in Indiana. According to the Security Ledger, though: [The] breach affects healthcare organizations from across the country; healthcare providers ranging from prominent hospitals to individual physicians' offices and clinics are among 195 customers of the NoMoreClipboard product that had patient information exposed in the breach. And, more than a month after the breach was discovered, some healthcare organizations whose patients were affected are still waiting for data from MIE on how many and which patients had information exposed.

'We have received no information from MIE regarding that,' said a spokeswoman for Fort Wayne Radiology Association (http://www.fwradiology.com/), one of hundreds of healthcare organizations whose information was compromised in the attack on MIE.

3 of 60 comments

  1. How is this even possible? by Anonymous Coward · Score: 3, Insightful

    Why should a company storing confidential data have any ability to access any part of that data? Especially when there are hundreds of separate owners of the data!

    Each data owner should encrypt data before it leaves their site. In fact, individual documents should be uniquely encrypted.

    These stories of leaks of massive amounts of data -- again and again! -- just prove that nobody cares.
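The commenter's proposal (each data owner encrypts before data leaves its site, and each document gets its own key) is the envelope-encryption pattern. The following is an added example, not code from the page or from any vendor named on it: a data owner keeps a master key on-site, wraps a fresh per-document key with it, and the hosted store receives only ciphertext and wrapped keys. The owner names, document ids and chart text are constructed sample values. The cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (HKDF per RFC 5869 for key derivation, HMAC in counter mode for the keystream) so that it runs on the Python standard library alone.

```python
"""Per-owner, per-document envelope encryption (added example, stdlib only)."""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
NONCE_LEN, TAG_LEN = 16, 32


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Extract then HKDF-Expand with HMAC-SHA256."""
    prk = hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        out += t
        counter += 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(key, nonce || i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), HASH).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    return hkdf(key, b"", b"enc", 32), hkdf(key, b"", b"mac", 32)


def aead_seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; the tag also covers the associated data. Returns nonce||ct||tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, HASH).digest()
    return nonce + ct + tag


def aead_open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, HASH).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class DataOwner:
    """A practice or hospital. The master key is generated and kept on-site."""

    def __init__(self, owner_id: str):
        self.owner_id = owner_id
        self._master_key = secrets.token_bytes(32)

    def seal_document(self, doc_id: str, plaintext: bytes) -> dict:
        dek = secrets.token_bytes(32)                      # fresh key for this document only
        aad = f"{self.owner_id}/{doc_id}".encode()         # binds ciphertext to owner and id
        return {
            "owner": self.owner_id,
            "doc_id": doc_id,
            "wrapped_dek": aead_seal(self._master_key, dek, aad),  # DEK wrapped under owner key
            "body": aead_seal(dek, plaintext, aad),
        }

    def open_document(self, record: dict) -> bytes:
        aad = f"{record['owner']}/{record['doc_id']}".encode()
        dek = aead_open(self._master_key, record["wrapped_dek"], aad)
        return aead_open(dek, record["body"], aad)


class HostedRecordStore:
    """The vendor's store: it only ever sees ciphertext and wrapped keys."""

    def __init__(self):
        self.records = {}

    def put(self, record: dict) -> None:
        self.records[(record["owner"], record["doc_id"])] = record

    def get(self, owner: str, doc_id: str) -> dict:
        return self.records[(owner, doc_id)]

    def leaked_bytes(self) -> bytes:
        """Everything an attacker who copied the store would obtain."""
        return b"".join(r["wrapped_dek"] + r["body"] for r in self.records.values())


def demo() -> dict:
    clinic, hospital = DataOwner("clinic-a"), DataOwner("hospital-b")   # constructed owners
    store = HostedRecordStore()
    chart = b"Patient 001: constructed sample chart"
    store.put(clinic.seal_document("pt-001", chart))
    store.put(hospital.seal_document("pt-777", b"Patient 777: constructed sample chart"))
    rec = store.get("clinic-a", "pt-001")
    results = {"owner_roundtrip": clinic.open_document(rec) == chart,
               "plaintext_absent_from_store": chart not in store.leaked_bytes()}
    try:                                  # another owner's key cannot unwrap this DEK
        hospital.open_document(rec)
        results["cross_owner_rejected"] = False
    except ValueError:
        results["cross_owner_rejected"] = True
    tampered = dict(rec, body=bytes([rec["body"][0] ^ 1]) + rec["body"][1:])
    try:                                  # a modified ciphertext fails authentication
        clinic.open_document(tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results
```

Two design points carry the commenter's argument: the store never holds a key that decrypts anything, so a copy of the store yields ciphertext only, and because each document has its own key, recovering one key exposes one document rather than an owner's whole archive. The associated data ties each blob to its owner and document id, so a record cannot be silently re-labelled. A production deployment would replace the HMAC-based cipher with a vetted AEAD and keep the master keys in an HSM or KMS on the owner's side.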

  2. HIPAA is irrelevant... attacks are past stopping by Anonymous Coward · Score: 2, Insightful

    I hate to be a doomsayer, but with the way weapons have surpassed armor, security is almost a pointless battle for companies. If the biggest, most secure organizations in the world (Sony x 2, Target, OPM) can get breached, anyone can.

    Take network security. A backdoor in an appliance gets an attacker to the management network; from there, the TFTP server; from there, copying in a modified config. IDS/IPS systems are pointless, as big companies already have these. Same with AV.

    Take privacy. Show me one single Web browser that can pass the Panopticlick test and not have an individual fingerprint. One. The hackers and the ad people know who you are no matter what you do with cookies and LSOs.

    Take malware. All it takes is one infection on a PC, and firmware on a video card, BIOS, hard drive, or many other subsystems can be updated so malware can load back in. This isn't new. Macs since the 1980s had the SCSI hard disk driver load code the second it saw the drive, so placing malicious code there would be trivial, and at the time, there were zero defenses. Modern malware goes through the Web browser, which runs with a full user context, and is commonly subverted via an add-on.

    Take the system of updating PCs. All it takes is to subvert Microsoft's, Apple's, Adobe's, or anyone's update mechanism, and you can pwn PCs at will, with no way someone can trace it back.

    Take physical attacks. Take the US, where 99% of locks on doors are bumpable. Even the boffins showing off their high security card readers have pin tumbler locks that can be opened with a pick gun (not even Medeco, and definitely not Abloy.)

    Take economies. The US economy is so shitty, almost anyone can be bribed.

    If the bad guys can't find a way in through some other compromise, they can browbeat someone for access. Dress up in a suit, get in someone's face claiming to be an auditor with so-and-so law firm, or a representative of the BSA, then scream in their ear that they will be fired or arrested if they don't hand access over -STAT-, and the intruder can get into virtually any server room out there. Bonus points if they do a tiny bit of homework and drop a name or two. They can easily wind up screaming at someone (think "command voice"), and said IT person gladly hands over the enterprise admin credentials even after their ancestry was questioned, their capability to reproduce was asked about, their capability to work was doubted, and their family's standing as sentient creatures was brought into question.

    How can HIPAA do a single thing, if any known security precaution that is mentioned is roflstomped in days? No law is going to help in this case. If laws could, they would be implemented and in place, just like the DMCA.

    TL;dr: You cannot win, and if a hacker wants your shit, they got it.

  3. Re:HIPAA is irrelevant... attacks are past stoppin by phantomfive · Score: 3, Insightful

    If the biggest, most secure organizations in the world (Sony x 2, Target, OPM) can get breached, anyone can.

    I don't think anyone ever said they were the most secure organizations in the world. In the case of Sony specifically, their security was notable for its poor quality.

    --
    "First they came for the slanderers and i said nothing."