Monthly Archives: August 2014

Light bulbs hacked; It's funny, but it's not

BobIt’s a question I think about a lot: Are we moving towards a world that’s safer or more dangerous?  More or less secure? This week, the “less secure” side scored another goal. Light bulbs can be hacked.  Doing so seems like a rather silly science fair project until you think about what it really means.

London-based security firm Context has taken an interest  in fragility of the Internet of Things, as we all should.  As a refresher, the Internet of Things simply means wireless chips will soon be placed in many items in your home, and these will all talk to the Internet and each other.  It’s not science fiction; it’s more like George Jetson. Whiz-bangy light bulbs sold by a firm named LIFX are among the first Internet of Things products. The bulbs talk to each other, and can be controlled with a smartphone.  Neat, I guess, in a chia pet sort of way. (Click on! Click off!)

Context took the things apart and found that a hacker could trick the bulbs into surrendering control to a stranger.  Essentially, bad guys can hop on the bulb users’ WiFi network and take control of the bulbs.  If you look at the firm’s website, you’ll see how much trouble it went to in order to turn a victim’s lights on and off.  Also neat, I guess.  The hack comes with a strong mitigating factor; the hacker must be within 30 meters of the target to start the surprise disco effect.  So state secrets are not at stake.

But here’s what you should think about.  LIFX seems like a responsible enough outfit. It isn’t Yo, that’s for sure.  The bulbs actually came loaded with AES (Advanced!) encryption. So the engineers actually thought about this problem. But the bulbs all shared the same underlying encryption key. Hack one, hack them all. That’s what Context did.

LIFX, by all accounts, reacted quickly to the hack and has issued a fix. Great, I guess. Happy ending?  Not by a long shot. I promise you, this pattern will repeat itself again, and again, and again.  There is no model currently that requires firms inventing cool stuff to make it safe. Features first, safety last. If ever.

Therefore, our world will soon be full of really creative devices full of fatal flaws.  It’s always been this way — features over safety — but when vulnerabilities were limited to personal computers, there were some real-world limits on how much trouble consumers could get into.  When the threats are in everything, as they will be with the Internet of Things, watch out.  Here’s a thought exercise.  What happens when it’s not the light bulbs, but rather the power outlets, that are “smart” and can be hacked?

This is why I made much ado about the nothing piece of software called Yo that had its 15 minutes of fame a few weeks ago.  Quick refresh: Yo is Twitter in two characters. Participants send single, two-character messages using Yo. It got a flurry of attention, allegedly a flurry of investment, and then hackers figured out they could download all personal information anyone had given Yo.   The firm that made Yo bragged that it was programmed in a day. The Internet of Things will be full of gadgets programmed in a day, full of basic, serious flaws, unless something changes.

Light bulbs hacked; It’s funny, but it’s not

BobIt’s a question I think about a lot: Are we moving towards a world that’s safer or more dangerous?  More or less secure? This week, the “less secure” side scored another goal. Light bulbs can be hacked.  Doing so seems like a rather silly science fair project until you think about what it really means.

London-based security firm Context has taken an interest  in fragility of the Internet of Things, as we all should.  As a refresher, the Internet of Things simply means wireless chips will soon be placed in many items in your home, and these will all talk to the Internet and each other.  It’s not science fiction; it’s more like George Jetson. Whiz-bangy light bulbs sold by a firm named LIFX are among the first Internet of Things products. The bulbs talk to each other, and can be controlled with a smartphone.  Neat, I guess, in a chia pet sort of way. (Click on! Click off!)

Context took the things apart and found that a hacker could trick the bulbs into surrendering control to a stranger.  Essentially, bad guys can hop on the bulb users’ WiFi network and take control of the bulbs.  If you look at the firm’s website, you’ll see how much trouble it went to in order to turn a victim’s lights on and off.  Also neat, I guess.  The hack comes with a strong mitigating factor; the hacker must be within 30 meters of the target to start the surprise disco effect.  So state secrets are not at stake.

But here’s what you should think about.  LIFX seems like a responsible enough outfit. It isn’t Yo, that’s for sure.  The bulbs actually came loaded with AES (Advanced!) encryption. So the engineers actually thought about this problem. But the bulbs all shared the same underlying encryption key. Hack one, hack them all. That’s what Context did.

LIFX, by all accounts, reacted quickly to the hack and has issued a fix. Great, I guess. Happy ending?  Not by a long shot. I promise you, this pattern will repeat itself again, and again, and again.  There is no model currently that requires firms inventing cool stuff to make it safe. Features first, safety last. If ever.

Therefore, our world will soon be full of really creative devices full of fatal flaws.  It’s always been this way — features over safety — but when vulnerabilities were limited to personal computers, there were some real-world limits on how much trouble consumers could get into.  When the threats are in everything, as they will be with the Internet of Things, watch out.  Here’s a thought exercise.  What happens when it’s not the light bulbs, but rather the power outlets, that are “smart” and can be hacked?

This is why I made much ado about the nothing piece of software called Yo that had its 15 minutes of fame a few weeks ago.  Quick refresh: Yo is Twitter in two characters. Participants send single, two-character messages using Yo. It got a flurry of attention, allegedly a flurry of investment, and then hackers figured out they could download all personal information anyone had given Yo.   The firm that made Yo bragged that it was programmed in a day. The Internet of Things will be full of gadgets programmed in a day, full of basic, serious flaws, unless something changes.

Attacks on healthcare systems have risen 100 percent

 

Larry Ponemon

Larry Ponemon

News that millions of patient Social Security numbers were stolen recently from Community Health Systems Inc. computers should come as a surprise.  Earlier this year, we published results from our Fourth Annual Benchmark Study on Patient Privacy and Data Security, and the headline result was this:      Criminal attacks on healthcare systems have risen a startling 100 percent since we first conducted this study four years ago in 2010.

Many other findings were equally as sobering. Healthcare employees are fueling breach risks by increased use of their personal unsecured devices (smartphones, laptops and tablets). Business Associates—those that have access to PHI and work with healthcare organizations—are not yet in compliance with the HIPAA Final Rule.

Data breaches continue to cost some healthcare organizations millions of dollars every year.

While the cost can range from less than $10,000 to more than $1 million, we calculate that the average cost for the organizations represented in this year’s benchmark study is approximately $2 million over a two-year period. This is down from $2.4 million in last year’s report as well as from the $2.2 million reported in 2011 and $2.1 million in 2010. Based on the experience of the healthcare organizations in this benchmark study, we believe the potential cost to the healthcare industry could be as much as $5.6 billion annually.

The types of healthcare organizations participating in the study are hospitals or clinics that are part of a healthcare network (49 percent), integrated delivery systems (34 percent) and standalone hospital or clinic (17 percent). This year 91 healthcare organizations participated in this benchmark research and 388 interviews were conducted. All organizations in this research are subject to HIPAA as a covered entity. Most respondents interviewed work in compliance, IT, patient services and privacy.

Other key research findings:

The number of data breaches decreased slightly. Ninety percent of healthcare organizations in this study have had at least one data breach in the past two years. However, 38 percent report that they have had more than five incidents. This is a decline from last year’s report when 45 percent of organizations had more than 5. This coupled with an increase in organizations’ level of confidence in data breach detections suggests that modest improvements have been made in reducing threats to patient data.

Healthcare organizations improve ability to control data breach costs. The economic impact of one or more data breaches for healthcare organizations in this study ranges from less than $10,000 to more than $1 million over a two-year period. Based on the ranges reported by respondents, we calculated that the average economic impact of data breaches over the past two years for the healthcare organizations represented in this study is $2.0 million. This is a decrease of almost $400,000 or 17 percent since last year.

ACA increases risk to patient privacy and information security. Respondents in 69 percent of organizations represented believe the ACA significantly increases (36 percent) or increases (33 percent) risk to patient privacy and security. The primary concerns are insecure exchange of patient information between healthcare providers and government (75 percent of organizations), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent of organizations).

ACO participation increases data breach risks. Fifty-one percent of organizations say they are part of an Accountable Care Organization (ACO) and 66 percent say the risks to patient privacy and security due to the exchange of patient health information among participants has increased. When asked if their organization experienced changes in the number of unauthorized disclosure of PHI, 41 percent say it is too early to tell. Twenty-three percent say they noticed an increase.

Confidence in the security of Health Information Exchanges (HIEs) remains low. An HIE is defined as the mobilization of healthcare information electronically across organizations within a region, community or hospital system. The percentage of organizations joining HIEs increased only slightly. This year, 32 percent say they are members and this is up slightly from 28 percent last year. One-third of organizations say they do not plan to become a member. The primary reason could be that 72 percent of respondents say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data share on HIEs.

Criminal attacks on healthcare organizations increase 100 percent since 2010. Insider negligence continues to be at the root of most data breaches reported in this study but a major challenge for healthcare organizations is addressing the criminal threat. These types of attacks on sensitive data have increased 100 percent since the study was conducted in 2010 from 20 percent of organizations reporting criminal attacks to 40 percent of organizations in this year’s study.

Employee negligence is considered the biggest security risk. Seventy-five percent of organizations say employee negligence is their biggest worry followed by use of public cloud services (41 percent), mobile device insecurity (40 percent) and cyber attackers (39 percent).

BYOD usage continues to rise. Despite the concerns about employee negligence and the use of insecure mobile devices, 88 percent of organizations permit employees and medical staff to use their own mobile devices such as smart phones or tablets to connect to their organization’s networks or enterprise systems such as email. Similar to last year, more than half of organizations are not confident that the personally-owned mobile devices or BYOD are secure.

 

To find out more, or download the entire report, click here.