Cybersecurity experts are reacting to today’s news that the UCLA Health System is exploring a possible data breach :
Richard Blech, CEO, Secure Channels (www.securechannels.com):
“Isn’t it a tad simplistic to assume that hackers got in and took nothing? Wouldn’t it make more sense to assume that if the hackers bothered to hack…they probably took data? The reality is while hackers rapidly improve their cyber security chops the average company doesn’t. If the hackers are advanced enough (assuming UCLA has improved their security since their last incident) to breach the perimeter it makes more sense to believe they were capable of hiding their trail, leaving no evidence. Sensitive persona and medical information should always be deeply encrypted protecting data at a its core.”
Stewart Draper, Director of Insider Threat, Securonix (www.securonix.com),
“Recent reports suggest that up to 65% of all healthcare organizations have battled security incidents in the last two years. Cyber criminals and nation state groups have stepped up their focus on targeting the healthcare sector (Anthem breach) in 2015. As the industry begins to realize the investment in information security needed to help secure patient data it seems highly likely these type of attacks will continue, with medical records providing a much more lucrative target than data such as credit cards that can easily be changed.”
Igor Baikalov, Chief Scientist, Securonix (www.securonix.com):
“It’s ironic that when Anthem suffered a massive data breach earlier this year, it was a director of the UCLA Center for Health Policy Research who admonished health insurer for lax security measures: “Healthcare companies like Anthem have got to invest far more effort and resources in data security to regain public trust” (LA Times, 2/6/2015). Just like Anthem, UCLA had been hacked before, back in 2006, and then in 2008 had to settle for data privacy violations. Despite these painful lessons, it seems that personal data compromised in the latest breach were still not encrypted. If our premium universities don’t learn from experience, what can we expect from other, less-learned organizations?”
Jeff Hill, Channel Manager, STEALTHbits Technologies (www.stealthbits.com):
“Because they contain a wealth of sensitive information that can’t be changed or cancelled like a credit card number (e.g. Social Security Numbers, Dates of birth), a stolen medical record is an order of magnitude more valuable than a credit card, so any healthcare provider is a prime target.
Celebrity, however, compounds the attractiveness of the target in the Los Angeles area. If you’re looking to attract attention to your cause, what better way than to exploit the intersection of our voyeuristic and celebrity-obsessed culture? We love celebrity, but we love a fall from grace even more. What anti-depressants is our favorite TV star taking? How about that 2am visit to the Emergency Room Saturday night to treat the facial bruise? The most private and potentially embarrassing information about all of us can be found in our medical records, and they often sit exposed on the vulnerable networks of myriad hospitals, clinics, insurance companies, etc.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.