5 Lessons From The Citigroup Hack
Update: The IMF said it had been hit by a massive data theft that involved a “large quantity” of data, including emails and documents. There were reports that the hack came from a national government, but that has not been confirmed.
News of the successful theft of as many as 200,000 customers’ credit card information from Citigroup servers has highlighted the ongoing cyberwar between hackers – black hat, gray hat, white hat, whatever – and corporations that store and manage large amounts of personal customer data. For healthcare organizations there are several lessons to be learned in the latest cyber-attack.
Whatever You’ve Got is Not Good Enough. One of the conclusions of our experts’ roundtable on security and privacy is that healthcare is about a decade behind other industries, such as financial services, in terms of data security. Faced with contracting budgets and new mobile deployments, many healthcare IT departments have not upgraded their security technology in years. It’s time.
The Cover-Up is Nearly as Bad as The Crime. Citigroup waited nearly a month to disclose the latest hack, and might still be waiting had not The Financial Times broken the story. This is not uncommon – Sony waited a week before revealing its massive PlayStation hack, in April – and lawmakers are running out of patience. U.S. Sen. Patrick Leahy this week introduced the Personal Data Privacy and Security Act, which would make it a crime for companies to conceal data breaches,
Constant Vigilance is the Price of Freedom (From Hacks). Citigroup said that “routine monitoring" had disclosed the hack (which makes one wonder how routine the monitoring is if the hack went undetected for weeks). Many healthcare organizations lack network security systems that perform continual monitoring, waiting for alarms or concrete evidence of security breaches to surface.
The Bad Guys are Getting Smarter. More precisely, they’re getting cleverer. Speaking to The New York Times, a member of the hacker collective Anonymous (speaking anonymously, natch) claimed that 128-bit encryption, standard for many financial services and healthcare organizations, is “really not that big a deal." So weak are most corporate security systems, the hacker added, that if you know a couple attacks, you can just go around and see what works." What’s more, hackers have found that the chain is only as strong as the weakest link: often, attacking an individual’s computer, particularly mobile devices, is an easier way in than a frontal assault on a server.
The Regulators are Getting Restless. It’s clear that this latest incident will spur action by federal regulators. “The Federal Deposit Insurance Corp, the nation's primary regulator, is preparing new measures on data security," reported Reuters. Given the recent scathing report from the Dept. of Health and Human Services’ Inspector General’s office on the state of security at large healthcare organizations, healthcare is not likely to be far behind.
The list of recent major security breaches does not include any healthcare attacks, yet. In the current climate that is a false security.
- The Market for mHealth App Services Will Reach $26 Billion by 2017
- Palomar Medical Center Introduces New Wireless Patient Vital Signs Monitoring System
- ECRI Institute Releases C-Suite Watch List of Top 10 Hospital Technology Issues for 2013
- DaVita HealthCare Partners Releases Fourth Quarter 2012 Results
- Alcavis HDC Merges with Angelini Pharma