Saturday, April 25, 2015

Relatively small breaches, but it makes me wonder if there is someone who does not like Ascension Health or if this is part of a broader targeting of health providers because of the type of information they store about their “customers?” (Perhaps details of their medical insurance coverage?)
Is Ascension Health being targeted by attackers successfully acquiring employee e-mail account logins via phishing?
Zach Lozano reports that Seton Family of Hospitals will provide free identity monitoring and protection services for patients who had their personal information leaked in a phishing attack targeting employee emails:
Approximately 39,000 patients received letters about the breach in which hackers accessed protected patient information, including demographic information, medical record numbers, insurance information and Social Security numbers. Seton was notified of the breach on Feb. 26.
Well, that last statement is not quite accurate, as I’ll explain below, but you can read the rest of his report on KXAN.
In looking into this incident, I became suspicious when I noted that Seton is part of Ascension Health. This past week, another Ascension member, St. Vincent Medical Group in Indiana, also reported a phishing attack but they learned of theirs on December 3, not in February. So I started digging more, wondering if Ascension hospitals are being targeted just as we saw both Baylor facilities and Franciscan Health/Catholic Health Initiatives facilities being targeted by phishing attacks. And sure enough, I found a notice on Seton’s site that reports that they actually became aware of the phishing attack on December 4 – the day after St. Vincent’s learned of their breach. Seton’s notification is basically the same as St. Vincent’s notification after adjusting for date of discovery and number affected. Here’s the main part of Seton’s notice:
The privacy and security of patient information is of utmost importance to Seton Family of Hospitals, a division of Seton Healthcare Family (“Seton”), and Seton has implemented significant security measures to protect such information. Regrettably, despite the efforts to safeguard patient information, an email phishing attack has affected Seton’s patients.
Seton experienced an email phishing attack on December 4, 2014, which targeted the user names and passwords of Seton employees. Upon the determination that an email account had been compromised, the user name and password was immediately shut down. Seton launched an investigation into the matter, and the investigation has required electronic and manual review of affected e-mails to determine the scope of the incident. Seton engaged computer forensics experts to assist with the investigation. Through the ongoing investigation of this matter, we determined on February 26, 2015, that the employee e-mail accounts subject to the phishing attempt contained some personal health information for approximately 39,000 patients.
The personal health information in the e-mail accounts included demographic information (i.e., name, address, gender, date of birth, etc.), medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers. The hackers did not gain access to individual medical records or billing records.
I wonder whether we’ll learn that other Ascension Health members have been similarly targeted. Ascension Health describes itself as the largest non-profit health system in the U.S., with 131 hospitals. As their site also indicates, Ascension Information Services (“AIS”) was formed as a nonprofit corporation in 2005, and AIS provides information technology infrastructure and software application support services to all member entities of Ascension. But who provides the training to employees how to not fall for phishing attempts?

Wow! Five whole months!
Josh Dickey reports:
No one has been the victim of identity theft in the five months since the cyber attack on Sony Pictures Entertainment exposed reams of sensitive data, so a class-action lawsuit should be dismissed, the studio argues in court documents acquired Friday by Mashable.
Read more on Mashable.

No one has noticed for 25 years? I wonder if the “new” password procedure came before or after the article on their password? I'm guessing very soon after.
Earlier today, asked Verifone for a comment or response to the report about an unnamed firm using the same default password for 25 years, as it was pretty easy to figure out from a Google search that an unnamed vendor was them.
Gene Cyranski, Vice President of Zeno Group kindly sent this statement in response:
The Verifone default password is Z66831 and is loaded on all Verifone devices in the field. The purpose of this default password is to simply initiate terminal installation, and it is not intended to serve as a strong security control. The default password made its way over the years into the public domain and can be found on the Internet, along with instructions on programming terminals. The important fact to point out is that even knowing this password, sensitive payment information or PII cannot be captured. To date, Verifone has not witnessed any attacks on the security of its terminals based on default passwords. What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords. While Verifone has not changed the passwords, clients/partners/merchants are always strongly advised to change the “default” password upon terminal installation and set-up. New Verifone products come with a “pre-expired” password, which will require merchants to change the password during installation and set-up.

Still very little on offensive thinking? I can recommend plenty of offensive students.
Department of Defense Unveils New Cyber Strategy
The U.S. Department of Defense (DoD) on Thursday unveiled its latest cyber strategy, described as a way to guide the development of DoD's cyber forces and strengthen its cyber defense and cyber deterrence posture.
… “There may be times when the President or the Secretary of Defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations," the strategy says. "For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests. United States Cyber Command (USCYBERCOM) may also be directed to conduct cyber operations, in coordination with other U.S. government agencies as appropriate, to deter or defeat strategic threats in other domains."
"In contrast, the 2011 DOD Strategy for Operating in Cyberspace made little reference to the Pentagon’s operational or offensive cyber capabilities, although U.S. officials have spoken about the issue, and there are leaked classified documents that outlined U.S. policy and planning for offensive cyber operations," noted Denise E. Zheng, Deputy Director and Senior Fellow at the Center for Strategic and International Studies.
The full transcript of Carter's speech is available online.

As any good accountant would say, “What do you want the cost to be?”
Robert Hackett reports:
A single stolen customer record costs probably somewhere between $0.58 and $201. What’s the best model?
A few weeks ago Fortune visited a law firm where one partner lamented the quality of cost estimates for big companies suffering data breaches—a vital consideration for businesses seeking to manage their risk and score reasonably priced insurance policies. (Who and where are unimportant for the purposes of the story.) Prompted by a recent analysis of 10-k filings which concluded that the impact of breaches to corporate bottom lines is trivial, the conversation stirred the lawyer’s excitement—and vexation. There are no good estimates, the lawyer rued.
Read more on Fortune.

How do you start your search? Do you Google “gang” or do you Google “black kids?” Has anyone published guidelines?
Rose Hackman reports:
Critics say the NYPD’s trawling of social media for gang activity – affecting children as young as 10 – is disproportionate and may amount to racial profiling.
Read more on Raw Story.

When you have no control, everything becomes more complicated.
Court reminds State to produce Clinton emails in ‘shortest’ time possible
An appeals court gently warned the State Department on Friday to release relevant public documents quickly from among the large batch of emails Hillary Clinton turned over to the agency from her private server.
The U.S. Appeals Court for the District of Columbia ruled the best way to handle a Freedom of Information Act case involving the emails would be to send it back to the district court, which will determine the “most efficient way to proceed under FOIA.”
… The agency is sorting through the emails for potential redactions in process it says could take months. [State can't rely on the claim that there was “nothing classified” discussed on any of the emails. Bob]
In the meantime, outside groups have argued their previous Freedom of Information Act requests to the State Department were incomplete because they lacked Clinton’s emails.

Something for my students?
5 GIF Search Engines & Tools You Haven’t Heard Of Yet
GIFs are the language of the web, but some people are better at speaking it than others. If you’ve got a friend who always amazes you with her ability to find the perfect reaction GIFs, you need to find better tools.
Today, Cool Websites and Apps points out five websites for finding, and creating, GIFs – all of which we’ve yet to mention as a site. We’ve shown you obvious things, like the GIF search engine Giphy, but as GIFs (continue!) to grow in popularity more sites pop up.
Even major media corporations are getting in on it.

Eventually, I'd like my Data Management students to understand this kind of analysis as well as purely internal number crunching. (Also for my statistics students)
You may have doubts, as some readers did, about whether Google searches are a reliable way to predict that an NHL expansion team would struggle in Las Vegas. But it’s actually a pretty good way to forecast this kind of thing, and there’s another way to prove it:
It turns out that there’s a strong relationship between Google searches and an NHL team’s bottom line. How often fans are Googling the term “NHL” in a metro area reliably predicts how much they’re spending on hockey tickets.
In the chart below, I’ve estimated how much fans spent on tickets at each NHL arena during the past regular season. The process is simple: I just took total home attendance and multiplied it by the average ticket price.1 Then I compared ticket spending against the estimated number of NHL fans in each market based on Google search traffic.2

For my student twits?
How to Cite a Tweet in MLA, APA, and Chicago Style
As social media has evolved it has crept into academic work. I've even given research assignments in which I've asked my students to seek out and cite quotes from people on Twitter. More and more I'm asked, "how do I cite a Tweet?" In fact, I was asked this in an email last night. If you're citing for a blog post, you can just embed the Tweet. If you're citing for a more formal work you will want to follow guidelines of MLA, APA, or Chicago Style.
Guidelines and examples for citing a Tweet in MLA style can be found here.
Guidelines and examples for citing Tweets in APA are available here.
If you need guidelines and examples of citing a Tweet in Chicago Style, click here.
Those who use tools like EasyBib or RefMe should note that the Tweet citations generated by those tools don't exactly match the guidelines set by APA, MLA, or Chicago Style. I tried both tools for citing Tweets and found that I had to slightly modify the formatting produced by those tools.

No comments: