IT malpractice: Doc operates on server, costs hospitals $4.8M


Image source Alegrasoft

New York Presbyterian and Columbia University Medical Center settle with HHS to end probe into 2010 patient data leak

An inadvertent data leak that stemmed from a physician’s attempt to reconfigure a server cost New York Presbyterian (NYP) Hospital and Columbia University (CU) Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services (HHS).

The hospitals and HHS announced the voluntary settlement, which ends an inquiry into the incident, on Wednesday. New York Presbyterian will pay $3.3 million, while Columbia will pay $1.5 million to settle the complaint.

The hospitals also agreed to take “substantive” corrective action, including development of a new risk management plan and new policies and procedures for handling patient data. The HHS will also be provided with periodic progress updates under the agreement.

“Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems,” the statement said.

The $3.3 million settlement with New York Presbyterian is the largest ever obtained by the HHS for a violation of HIPAA security rules.

The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to “deactivate” a personally owned computer from a New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.

The two health care organizations have a mutual agreement under which CU faculty members serve as physicians at NYP. The two entities operate a shared network that links to systems containing patient health data at NYP.

It is not clear why a physician had a personally owned system connected to the network, or why he was attempting to “deactivate” it.

In a joint statement, the two hospitals blamed the leakage on an “errantly configured” computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.

The leak was discovered after the hospitals received a complaint from an individual who discovered personal health information about his or her deceased partner on the Web.

An investigation by the HHS Office for Civil Rights (OCR) found that neither CU nor NYP had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network.

The OCR also faulted New York Presbyterian for not ensuring that only properly authorized systems could access patient data.

In an email, NYP and CU said they have taken substantial steps to strengthen data security controls following the breach.

“For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question,” the statement said. “We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS.”

HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations.

In April, it reached a $2 million settlement with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data.

Last December, a Massachusetts dermatology clinic agreed to pay $150,000 to settle an HHS investigation into the loss of a thumb drive containing unencrypted patient health information.

Source: Computer World

XP’s retirement will be hacker heaven


Hackers will bank bugs until after Microsoft retires Windows XP in April 2014; expect attacks, say security experts

Cyber criminals will bank their Windows XP zero-day vulnerabilities until after Microsoft stops patching the aged operating system next April, a security expert argued today.

Jason Fossen, a trainer for SANS since 1998 and an expert on Microsoft security, said it’s simply economics at work.

“The average price on the black market for a Windows XP exploit is $50,000 to $150,000, a relatively low price that reflects Microsoft’s response,” said Fossen. When a new vulnerability — dubbed a “zero-day” — is spotted in the wild, Microsoft investigates, pulls together a patch and releases it to XP users.

If the bug is critical and being widely used by hackers, Microsoft will go “out-of-cycle,” meaning it will issue a security update outside its usual monthly Patch Tuesday schedule.

But after April 8, 2014, Microsoft has said it will retire Windows XP and stop serving security updates. The only exceptions: Companies and other organizations, such as government agencies, that pay exorbitant fees for custom support, which provides critical security updates for an operating system that’s officially been declared dead.

Because Microsoft will stop patching XP, hackers will hold zero-days they uncover between now and April, then sell them to criminals or loose them themselves on unprotected PCs after the deadline.

“When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks,” said Fossen. “But if they sit on a vulnerability, the price for it could very well double.”

Minus any official patching from Microsoft, XP zero-days and their associated exploits could remain effective for months, maybe even years, depending on how well security software detects and quarantines such attacks.

If Fossen’s thesis is correct, there should be signs of bug banking, most notably a sharp reduction in the number of publicly-disclosed or used-in-the-wild XP vulnerabilities during the fourth quarter of 2013 and the first quarter of 2014.

“[Hackers] will be motivated to sit on them,” Fossen stressed.

There really aren’t precedents to back up Fossen’s speculation, he acknowledged, because the last time Microsoft pulled the plug on an edition was July 2010, when it retired Windows 2000. But according to metrics firm Net Applications, at the time Windows 2000 powered just four-tenths of one percent of all PCs.

Windows XP will have a much larger share when it’s retired next year: Based on XP’s current rate of decline, Computerworld has projected that the old OS will still run between 33% and 34% of the world’s personal computers at the end of April 2014.

That would be 80 times the share of Windows 2000 when it retired.

But even with Windows 2000’s minuscule share when it left support, there were reports that an edition-specific zero-day was created and sold.

“I heard rumors of a new zero-day being found and sold after the support period expired [for Windows 2000],” said HD Moore, creator of the popular Metasploit penetration testing toolkit and the chief security officer of security company Rapid7. “But there were few if any examples that ended up in the public eye.”

Moore agreed with Fossen that XP bugs would be more valuable after April 2014, but contended that all Windows vulnerabilities would jump in value.

“Something more common [three years ago] was backporting new security advisories into functional exploits on Windows 2000,” said Moore in an email. “Every time a server-side vulnerability was found in Windows XP or 2003 Server, quite a few folks looked at whether this would also work against Windows 2000. My guess is that the retirement of Windows XP will result in all Windows vulnerabilities being of slightly higher value, especially given the difference in exploit mitigations between XP and newer platforms.”

It’s far easier to exploit flaws in Windows XP than in newer editions, such as Windows 7 and Windows 8, noted Moore, because of the additional security measures that Microsoft’s baked into the newer operating systems.

Microsoft has said the same. In the second half of 2012, XP’s infection rate was 11.3 machines per 1,000 scanned by the company’s security software, more than double the 4.5 per 1,000 for Windows 7 SP1 32-bit and triple the 3.3 per 1,000 for Windows 7 SP1 64-bit.

“Windows XP vulnerabilities will be valuable as long as enterprises utilize that version of the operating system,” said Brian Gorenc, manager of HP Security Research’s Zero Day Initiative, the preeminent bug bounty program. But Gorenc also argued that any XP zero-days would be outweighed by higher-priority hacker work.

“Researchers are primarily focused on the critical applications being deployed on top of the operating system,” said Gorenc in an email reply to questions today. “Attackers and exploit kit authors seem to rely on the fact that the update process and tempo for applications are not as well defined as those for operating systems.”

Fossen, convinced that XP would be a big fat target after April 8, wondered whether Microsoft might find itself in a tough spot, and back away from the line in the sand it’s drawn for XP’s retirement.

“If hackers sit on zero-days, then after April use several of them in a short time, that could create a pain threshold [so severe] that people organize and demand patches,” said Fossen.

The consensus among analysts and security experts is that Microsoft will not back down from its decision to retire XP, come hell or high water, because it would not only set an unwelcome precedent but also remove any leverage the company and its partners have in convincing laggards to upgrade to a newer edition of Windows.

But a few have held out hope.

“Suppose we get to a date post the end of Extended support, and a security problem with XP suddenly causes massive problems on the Internet, such as a massive [denial-of-service] problem?” asked Michael Cherry, an analyst with Directions on Microsoft, in an interview last December. “It is not just harming Windows XP users, it is bringing the entire Internet to its knees. At this time, there are still significant numbers of Windows XP in use, and the problem is definitely due to a problem in Windows XP. In this scenario, I believe Microsoft would have to do the right thing and issue a fix.”

Jason Miller, manager of research and development at VMware, had some of the same thoughts at the time. “What if XP turns out to be a huge virus hotbed after support ends? It would be a major blow to Microsoft’s security image,” Miller said.

Another option for Microsoft, said Fossen, would be to take advantage of a post-retirement disaster to do what it’s been doing for years, push customers to upgrade.

“They might also respond with a temporary deal on an upgrade to Windows 8,” said Fossen, by discounting the current $120 price for Windows 8 or the $200 for Windows 8 Pro. “Then they could say, ‘We’re aware of these vulnerabilities, but you should upgrade.’”

Source: Computerworld

Huawei CFO Linked to Firm That Offered HP Gear to Iran

LONDON (Reuters) – A Hong Kong-based firm that attempted to sell embargoed Hewlett-Packard computer equipment to Iran’s largest mobile-phone operator has much closer ties to China’s Huawei Technologies than was previously known, corporate records show.

Cathy Meng, Huawei’s chief financial officer and the daughter of company founder Ren Zhengfei, served on the board of Hong Kong-based Skycom Tech Co Ltd between February 2008 and April 2009, according to Skycom records filed with Hong Kong’s Companies Registry.

Reuters reported last month that in late 2010, Skycom’s office in Tehran offered to sell at least 1.3 million euros worth of HP gear to Mobile Telecommunication Co of Iran, despite U.S. trade sanctions. At least 13 pages of the proposal were marked “Huawei confidential” and carried Huawei’s logo. Huawei said neither it nor Skycom ultimately provided the HP equipment; HP said it prohibits the sale of its products to Iran.

Huawei has described Skycom as one of its “major local partners.”

But a review by Reuters of corporate records and other documents found numerous financial and other links over the past decade between Huawei, Meng and Skycom, suggesting a closer relationship between the two firms. In 2007, for instance, a management company controlled by Huawei’s parent company held all of Skycom’s shares. At the time, Meng served as the management firm’s company secretary.

Meng, who also goes by the name Meng Wanzhou, appears to be a rising star at Shenzhen-based Huawei, now the world’s second-largest maker of telecommunications equipment. During a presentation of Huawei’s financial results last week in Beijing, she met foreign journalists in an on-the-record session that was reported to be a first for anyone in her family.

“We will honor our commitment to transparency and openness,” she told the journalists.

Meng did not respond to a request for comment for this article. Huawei declined to make her available for an interview, or answer any specific questions about the company’s or her links to Skycom.

In an emailed statement, Huawei said, “The relationship between Huawei and Skycom is a normal business partnership. Huawei has established a trade compliance system which is in line with industry best practices and our business in Iran is in full compliance with all applicable laws and regulations including those of the UN. We also require our partners, such as Skycom, to make the same commitments.”

A Hong Kong accountancy and secretarial firm that Skycom has listed in financial filings as its corporate secretary did not respond to a request for comment.

The U.S. House Intelligence Committee recently criticized Huawei for not answering questions about its Iranian operations and for failing to “provide evidence to support its claims that it complies with all international sanctions or U.S. export laws.” The sanctions on Iran are designed to deter it from developing nuclear weapons; Iran says its nuclear program is aimed purely at producing domestic energy.

Huawei, which has contracts with many Iranian telecoms, says it is reducing its business in Iran.

STATUS REPORT

Corporate filings offer few clues about the operations of Skycom, which like Huawei is a private company.

Telecommunications managers who have worked in Iran say that many employees at Skycom’s offices are Chinese nationals who wear Huawei badges or carry Huawei business cards. On LinkedIn.com, several telecom workers list having worked at “Huawei-skycom” on their resumes.

Skycom’s corporate filings show that since it was first incorporated in Hong Kong in 1998, the firm has had a succession of different controlling shareholders, including individuals and offshore companies.

In its annual return filed in May 2007, Skycom reported that all of its shares had been transferred three months earlier from two companies in the British Virgin Islands to a Hong Kong firm called Hua Ying Management Co Ltd. Hua Ying’s shares were held by Shenzhen Huawei Investment & Holding Co Ltd, Huawei’s parent company, according to Hua Ying’s filings.

Meng was then Hua Ying’s company secretary, corporate records show.

In November of that year, all of Skycom’s shares were transferred to a company called Canicula Holdings Ltd, which is registered in Mauritius. Huawei declined to answer any questions about the transfer or whether it is related to Canicula.

According to Mauritius company records, Canicula’s registered address is a local company called Multiconsult Ltd. An employee there declined to answer any questions.

Besides Meng, several other past and present Skycom directors appear to have connections to Huawei. In its most recent annual return, Skycom lists a director named Hu Mei, who also appears to have a Huawei email address and was listed in an internal Huawei employee directory, according to a person familiar with the matter. A former Skycom director, Wu Shuyuan, also has a Huawei email address and was listed in an internal Huawei directory, this person said.

Reached for comment, both confirmed they had served or serve as directors of Skycom but declined to answer any questions about Huawei. Huawei declined to answer any questions about them.

In early 2010 – the same year Skycom offered to export the HP equipment to Iran – a London firm called International Company Profile, which prepares credit reports, released a “company status report” on Skycom in Tehran. The report said ICP had interviewed Skycom’s financial manager there.

Skycom “is a subsidiary of Huawei Technologies Corporation,” the report stated.

The report also listed Skycom’s chief executive as Zhang Hongkai. In 2009, the website of China’s embassy in Iran published a press release announcing that Huawei had signed a cooperation agreement with an Iranian university. The article reported that the agreement was co-signed by “Mr. Zhang Hongkai, CEO from Huawei Iran Office.”

Zhang could not be reached for comment. Huawei declined to answer questions about the credit report.

Source: Reuters