Archive for July, 2012
Gold pipe cleaners, pillow stuffing, Play-Doh, tampons, painted dried pasta, purple beads, Q-tips, plastic balls, construction paper, syringes and glitter. Supply crafty hands with these items and a hot-glue gun and you could have a costume fit for Trannyshack. Or, give them to science-minded Stanford students and watch artistic renderings of viruses emerge through origami, whittling, collage and more.
On display at the university’s Cantor Arts Center through October 28, Adventures in the Human Virosphere: The Use of Three-Dimensional Models to Understand Human Viral Infections explores the awesome and terrible properties of, as a wall text describes, “the complete pantheon of viral predators that use humans as their hosts.”
Art works depicting smallpox, hepatitis B, rabies, herpes simplex, polio, rubella and other troublemakers are divided into two categories in the show curated by Judy Koong Dennis: icosahedral and helical viruses, and viruses surrounded by an envelope. The enveloped kind feature shapes that don’t fit categories such as cube or sphere; rather, the asymmetrical figures differ wildly from one another.
The pieces are select assignments from Humans and Viruses, a multidisciplinary Stanford course that Robert Siegel, MD, PhD, began teaching in 1983. Students with other backgrounds may take the class, but most are undergraduates studying human biology. Siegel first assigned the model project in the late 1980s, explaining, “Various structures and processes are best understood in three dimensions and from the kinesthetic learning associated with model building.”
Clean edges and symmetry characterize the many faces of the icosahedral and helical structures; several of the geometric pieces use traditional materials such as ceramics, paper or wood. Yu-Jin Lee, who contributed three icosahedral viruses to the show, told me, “As a student and origami enthusiast, I was excited with the challenge to create a virus out of paper. This project has allowed me to have a greater understanding of how objects come together and the importance of models in offering insight into the complex nature of medicine.”
I wavered on whether these contained, efficient structures of the icosahedral and helical varieties felt more intimidating than the exploded treasure chest titled HIV-1, or more dangerous than SARS, the hanging sparkly baby mobile, which could double as a jellyfish with puffball-topped tentacles and ribbons spilling out split sides. The flashy, translucent wrappings of HIV and SARS hint at their interior contents in a manner both dreadful and seductive, and they illustrate a displayed quotation from Nobel prize-winning biologist Sir Peter Medawar, OM CBE FRS, who described the composition of a virus as “a piece of bad news wrapped in protein.”
An electron micrograph of a virus accompanies each object. However faithful to form or radically offbeat each student’s imagining may be, seeing the microscopic made visible, colorful and even humorous (once recognized, the tampons got a laugh) left this viewer curious to know exactly how the immune-system pirates pillage. That something so small as an actual virus could cause so much harm to a comparatively giant human resonated equally scary and impressive. It also made me want to attend the next of Siegel’s Model Marathons, wherein students share their work with each other in “a celebration of infection including costumes, poetry, music and surprises – a clear example of learning gone viral.”
Photo of Elena Jordan’s Model of SARS Virus, 2011 (fabric with glitter, puff balls, pipe cleaners, ribbon, pillow fill, hot glue) by Cantor Arts Center
Video game maker Ubisoft Entertainment says it has patched a security vulnerability uncovered in a plug-in used by players that could have potentially exposed them to malware.
The issue apparently lies in the browser plug-in installed by Uplay, the digital-rights management (DRM) software that allows players to connect with other gamers. According to Ubisoft, the plug-in used to launch applications through Uplay was able to take command line arguments that developers used to launch their games while they were being made.
“This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine,” Ubisoft spokesman Michael Beadle told eWEEK.
The vulnerability affected all the games that used Uplay. That list includes more than 20 titles.
The situation was publicized Sunday by Google security engineer Tavis Ormandy on the Full Disclosure mailing list. Ormandy stated that he discovered the problem when he was installing a video game called “Assassin’s Creed: Revelations.”
“However, I noticed the installation procedure creates a browser plug-in for [its] accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to Websites,” he wrote.
According to Beadle, the problem was brought to the company’s attention early Monday morning, and work on the fix began soon after.
“An automatic patch was launched that fixes the browser plug-in so that it will only open the Uplay application,” he said. “Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”
The company took issue with reports describing the problem as a “rootkit.” The situation resulted from a coding error, Beadle said, adding that the issue is not related to DRM. During the past two years, Ubisoft has faced criticism over its handling of DRM issues.
“The browser plug-in can now only launch the Uplay application,” he said.
To update a Uplay client and apply the patch, users should close any open Web browsers and launch the Uplay PC client. The client will update automatically. It can also be downloaded from Uplay.com.
A reworked version of a proposed and controversial federal cyber-security law is again going before the U.S. Senate, but this time, the so-called Cybersecurity Act of 2012 might have enough changes and compromises to make it more palatable for all sides.
Senate debate on the revised legislation will begin July 31, several months after an earlier version was withdrawn due to criticism of some of its language and policy related to digital privacy and personal freedoms.
“This revised legislation would establish a robust public‐private partnership to improve the cybersecurity of our nation’s most critical infrastructure, which is mostly owned by the private sector,” according to a summary of the bill. “Industry would develop voluntary cybersecurity practices and a multi‐agency government council would ensure these practices are adequate to secure systems from attacks.”
The bill “was developed in response to what defense and intelligence leaders have called an ‘existential threat’ to our country,” according to the legislation. “Our critical infrastructure is increasingly vulnerable to cyber threats, and can be manipulated or attacked by faceless individuals using computers halfway around the globe. The destruction or exploitation of critical infrastructure through a cyber attack, whether a nuclear power plant, a region’s water supply, or a major financial market, could cripple our economy, our national security, and the American way of life. We must act now.”
Several critics of the earlier version of the legislation say they are more comfortable with the new version of the bill, though they still question whether such a law is ultimately needed.
“The bill is a step in the right direction of protecting online rights, but still has major flaws that allow for nearly unlimited monitoring of user data or countermeasures (like blocking or dropping packets),” wrote Mark Jaycox and Rainey Reitman of the Electronic Frontier Foundation privacy group in a blog post. That “overly broad” language is contained in Section 701 of the bill, they wrote, and is being addressed by an amendment that would remove this specific language.
“We remain unconvinced that a cybersecurity bill is necessary at this time, and we’re committed to fighting to ensure user privacy isn’t sacrificed in the rush to pass a bill,” they wrote. “While the most recent version of the bill has strong privacy protections, Section 701 continues to pose a real threat to the rights of users to communicate privately.”
The American Civil Liberties Union said the new version of the bill better addresses key privacy concerns that the group had with the previous version.
“Senators have unveiled significant privacy amendments” in the new legislation, wrote Michelle Richardson, legislative counsel for the ACLU in Washington, in a blog post, including that “companies who share cybersecurity information with the government give it directly to civilian agencies, and not to military agencies like the National Security Agency.”
“The single most important limitation on domestic cybersecurity programs is that they are civilian-run and do not turn the military loose on Americans and the Internet,” Richardson added.
The revised bill would also “restrict the government’s use of information it receives under the cyber info sharing authority so that it can be used only for actual cybersecurity purposes and to prosecute cyber crimes, protect people from imminent threat of death or physical harm, or protect children from serious threats,” Richardson wrote.
The bill would also “require annual reports from the Justice Department, Homeland Security, Defense and Intelligence Community Inspectors General that describe what information is received, who gets it, and what is done with it,” Richardson wrote, as well as “allow individuals to sue the government if it intentionally or willfully violates the law.”
In a statement, Fred Humphries, vice president of U.S. government affairs for Microsoft, called the new bill “an encouraging step in the legislative process.”
“Microsoft supports Congress’ efforts to advance risk management practices, strengthen protection of critical infrastructure, and enhance appropriate information sharing about cyber-threats,” Humphries said. “The framework is flexible enough to permit future improvements to security–an important point since cyber-threats evolve over time. The current bill as it stands seeks to advance these priorities and we continue to work to help ensure that any legislation is optimized to meet cyber-security challenges while protecting civil liberties and privacy.”
The highlights of the new bill include the following:
- It would establish the National Cybersecurity Council made up of members from the departments of Defense, Justice, Commerce, the intelligence community and other federal agencies, to conduct risk assessments to find the greatest and most immediate cyber-risks to Americans. The Council would also identify the nation’s most critical infrastructure to help improve national security against attacks.
- It would improve information sharing between private sector companies and the federal government while protecting individual and civil liberties.
- It would improve the security of federal government networks by amending the Federal Information Security Management Act (FISMA) and would require the federal government to develop a comprehensive acquisition risk management strategy. The amendments to FISMA would move agencies away from a culture of compliance to a culture of security by giving the Department of Homeland Security the authority to streamline agency reporting requirements and reduce paperwork through continuous monitoring and risk assessment.
A national cyber-security bill has been in serious discussions for the last several years. In 2010, Senate Bill 3480, the Protecting Cyber Space as a National Asset Act, failed to be taken up by the full Senate, according to the Homeland Security and Governmental Affairs Committee. Then in February 2011, Senate Bill 413, the Cybersecurity and Internet Freedom Act, was introduced. It was later merged with similar legislation from other congressional committees, resulting in the Cybersecurity Act of 2012. Senate Bill 2105, the original cyber-security law, was introduced this past February.
Want to control how and when employees can use social networks or online services while at work?
IBM announced Tuesday the release of a new class of intrusion prevention system (IPS), dubbed IBM Security Network Protection, to help information security managers keep a closer eye on which applications and websites their employees are accessing, so they can more easily prevent inappropriate or risky behavior. The devices allow organizations to create and enforce security policies that can be customized to a user’s role in the organization, the time of day, as well as the type of site being visited.
The first appliance in what IBM calls the new “advanced threat platform” product line is the midrange XGS 5000, which offers 2.5-Gbps throughput and works on up to eight network segments. “The XGS 5000 appliance is a next-generation IPS,” said John Cloonan, program director for product management at IBM Security Systems, in an interview at last week’s Black Hat conference in Las Vegas. “The idea behind it is it takes our existing threat protection, and adds to that better visibility and control.” He said the appliances will pull data from any LDAP source, meaning security managers can create policies customized to different groups of employees.
As that suggests, when it comes to security policies and social media, one size doesn’t fit all. For example, a beta user of the new appliances was St. Vincent’s Hospital in Australia, which has 1,000 unique network users. According to Paul Kaspian, a senior product marketing manager for IBM Security Systems, the hospital made a few interesting discoveries thanks to the appliance, including a previously unknown Trojan application infection, as well as heavy use of YouTube by physicians. But while the hospital’s security team immediately eradicated the malware, they left the YouTube access for physicians intact, because it turns out that many physicians use YouTube to review procedures, refresh their knowledge, or share what they’ve learned with their peers.
On the other hand, many businesses deem certain social media or streaming-media sites to be clearly out of bounds. Earlier this year, for example, consumer goods manufacturer Procter & Gamble revealed that it had found that each day its employees were watching 50,000 YouTube videos, streaming 4,000 hours of music on Pandora, as well as streaming a significant number of movies via Netflix. In the name of recovering bandwidth, if not productivity, the organization blocked access to Netflix and Pandora. But since Procter & Gamble uses YouTube–as well as Facebook–for marketing and internal communications, they were spared.
On a similar note, the new line of IBM security appliances enables more than just allowing or blocking a social networking site such as Facebook. “Granularity is key, because you can’t just unilaterally block Facebook anymore,” said Kaspian, in an interview at Black Hat. Notably, many employees now use Facebook, Twitter, Google+, and other social networks to keep in touch not just with each other, but also customers.
So instead of blocking such sites, “maybe I want to … say that people can go to their Facebook page over lunch, but they can’t post, play games, or chat,” said Cloonan. “We’re not approaching this from a dictatorship of, ‘you shouldn’t be allowed to have any fun during work hours,’ but more about, ‘how can I protect work information?'”
The new range of appliances is part of IBM’s effort to provide a big-picture approach to enterprise security, by blending numerous types of prevention, detection, and correction capabilities. For example, Cloonan said the new range of appliances incorporates a threat-intelligence feed via IBM’s X-Force, which includes a database of 15 billion URLs, slotted into 68 different categories, and which have been automatically reviewed for any sign that they might be malicious. IBM said its device also offers native support for 1,000 different types of online applications or actions, including Dropbox and Evernote, and can block such things as IM chats or attachments. It also integrates with IBM’s QRadar Security Intelligence Platform.
According to Kaspian, IBM gained the URL database back with its acquisition of ISS, which had purchased Cobion. “We’re taking that technology and using it to make all of the decisions around Web control,” he said. “The granularity is really key. Yes, there are already products that can block things like gambling sites, but the interesting thing here is that we’ve taken this and integrated it into our threat protection platform. We’re using it from the standpoint of preventing risk, rather than governing user behavior.”
Two researchers presenting at last week’s Black Hat conference in Las Vegas demonstrated a new technique they’ve discovered for bypassing .htaccess files. Also known as hypertext access files, they’re primarily used for setting directory-level access controls for websites, and are common across multiple types of Web server software–including the open source Apache HTTP Server, which is the most commonly used Web server software in the world.
The two presenters–security researcher Maximiliano Soler, who works for Standard Bank in Argentina, and penetration tester Matias Katz, who founded Mkit Argentina–also released a tool under open source license, written in Python, that they developed to exploit the vulnerability. According to the presenters, the tool, named HTExploit, lets users list the contents of a directory protected this way, bypassing the authentication process.
They emphasized that their tool was designed to be used from within protected directories–run by people who already have access to a Web server–rather than via a publicly accessible site. But the vulnerability they uncovered could be used by outsiders to gain access, via the Internet, to parts of websites that are ostensibly protected by an .htaccess file.
Why bother attacking .htaccess files? The answer is simple: any directory that someone takes the time to protect is more likely to contain sensitive or secret information. “Today [it] is common to find lazy administrators and/or developers using directories located on the same Web server to save backups files, configurations, their own jobs, outdated versions, or new developments to be implemented in the future,” the researchers wrote in a related white paper.
The good news is that with some small HTML and PHP tweaks to fix the exploitable configuration errors, thus restricting the types of access requests that can be made, vulnerable .htaccess pages can be made immune to the exploit outlined by Soler and Katz.
The bad news is that the problem they’ve uncovered may be quite widespread, and it could be used to compromise not just any directory that contains a misconfigured .htaccess file, but potentially any PHP file on the same site.
“What Katz and Soler described in their session is not some rare ‘corner case’ hack that could only possibly occur in a lab with billions of automated attempts; this is easily testable in the real world, and the tools to exploit it are freely available,” said ESET security researcher Cameron Camp in a blog post.
The vulnerability stems from the fact that Apache “hands off PHP-based requests within .htaccess to PHP itself, which has been working fine on millions and millions of websites for years,” said Camp. But if the .htaccess file gets fed some type of nonstandard input–in effect, injected–then “PHP automatically–unless otherwise instructed–treats it as a GET request, and allows the utility to start saving the PHP files on a webserver to your local filesystem,” he said.
From there, however, the process continues, and begins combing accessed PHP files for any links they contain to other files on the same Web server, then downloading those to the local file system. In short order, an attacker–or penetration tester–could quickly grab copies of many, if not all, PHP files on a Web server. Such files could contain sensitive information, such as “references to login credentials for databases, passwords, personally identifiable information, and a host of other goodies that [could] be sold on the black market or used to enable further exploits,” said Camp.
“Now might be a good time to check your website configuration to make sure you’re protected, before the bad guys go scouring around trying to use this type of exploit,” said Camp. “If you’re not the person in charge of your website, you might want to point out this problem to the person who is. They may thank you, a lot.”
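One way to run the configuration check Camp recommends, as an added example that is not code from the researchers, HTExploit or the article: a small Python auditor that flags .htaccess files whose access rules sit inside a `<Limit>` block. It assumes the misconfiguration is the one Apache's documentation warns about, where rules inside `<Limit GET POST>` are enforced only for the listed methods; the sample file contents and paths are constructed.

```python
import re

# Directives that impose access control in an .htaccess file.
ACCESS_DIRECTIVES = {"require", "allow", "deny", "order", "satisfy"}
# Methods compared against a <Limit> list. Apache applies a GET limit to HEAD too.
STANDARD_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT"]

OPEN_BLOCK = re.compile(r"<\s*(Limit|LimitExcept)\b([^>]*)>", re.IGNORECASE)
CLOSE_BLOCK = re.compile(r"<\s*/\s*(Limit|LimitExcept)\s*>", re.IGNORECASE)

# Constructed sample: authentication is only enforced for GET (and HEAD) and POST.
WEAK = """\
AuthType Basic
AuthName "Backups"
AuthUserFile /var/www/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>
"""

# Constructed sample: the same rule outside any <Limit>, so it covers every method.
FIXED = """\
AuthType Basic
AuthName "Backups"
AuthUserFile /var/www/.htpasswd
Require valid-user
"""


def audit_htaccess(text):
    """Return one finding per access directive that sits inside a <Limit> block.

    <LimitExcept> blocks are not flagged: they apply to every method that is
    NOT listed, including method names the server has never heard of.
    """
    findings = []
    block = None  # (kind, methods) of the enclosing block, if any
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_BLOCK.match(line)
        if opened:
            block = (opened.group(1).lower(), opened.group(2).upper().split())
            continue
        if CLOSE_BLOCK.match(line):
            block = None
            continue
        directive = line.split(None, 1)[0].lower()
        if directive in ACCESS_DIRECTIVES and block and block[0] == "limit":
            listed = set(block[1])
            if "GET" in listed:
                listed.add("HEAD")
            findings.append({
                "line": lineno,
                "directive": line,
                "enforced_for": block[1],
                # Standard methods the rule does not cover; any non-standard
                # method name is outside the list as well.
                "not_covered": [m for m in STANDARD_METHODS if m not in listed],
            })
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("FIXED", FIXED)):
        results = audit_htaccess(text)
        if not results:
            print(f"{name}: no method-limited access rules found")
        for f in results:
            print(f"{name}: line {f['line']}: '{f['directive']}' enforced only for "
                  f"{', '.join(f['enforced_for'])}; not covered: "
                  f"{', '.join(f['not_covered'])} and any other method")
```

A finding means the rule should move outside the `<Limit>` block, or the block should be rewritten with `<LimitExcept>`, which Apache's documentation recommends in preference to `<Limit>` when restricting access.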
Black Hat presenter uses test service and server-side request forgery to root SAP deployments.
As some of the biggest processors of regulated data in any large organization, business-critical applications like enterprise resource planning (ERP) applications from SAP are well within the purview of compliance auditors and malicious attackers. Yet many organizations feel that if these systems are set behind firewalls, they’re safely segmented enough to not require further hardening.
But as one researcher demonstrated at Black Hat USA in Las Vegas last week, business-critical application servers never process data as an island. And in those connections there are opportunities for attack by hiding malicious packets within admissible ones.
Called server-side request forgery (SSRF), the attack technique highlighted by Alexander Polyakov, head of Russian firm ERPScan, makes it possible to execute a multi-chained attack on SAP applications from the Internet while bypassing firewalls, IDS systems, and internal SAP security configurations.
Since 1972–when 11 Israeli athletes and coaches were kidnapped and killed by terrorists using the high-profile venue for their own purposes–security has been nearly as high a priority at the Olympic Games as sportsmanship.
Digital security always scored a distant second place behind physical security because the threat of physical terrorism is more dire than any digital threat, and because cybersecurity threats have been far less effective than physical threats, security analysts said.
Cybersecurity is still a second priority, but its tools and techniques are helping to shore up physical security at the Games, using big data analysis techniques to identify suspicious activity, imminent threats, and unexpected holes attackers in the real or digital worlds could exploit.
Digital attacks on the London Olympics could easily surpass the 12 million hack attempts recorded during the Beijing Olympics four years ago, according to Larry Ponemon of the Ponemon Institute.
Attacks could come from political hacktivist groups such as Anonymous, nationalist or terrorist groups, or–most numerous and most likely to throw their black hats into the competition for tourist dollars–highly organized, sophisticated criminal organizations, Ponemon said.
The clearest–and least-expected–contribution is the real-time situational-awareness system built up using security information and event management (SIEM) systems and log files from network servers, digital-door-lock scanners, firewalls, point-of-sale systems, and other computer-enhanced systems that would normally be neglected until long after the Games were over.
Instead, big data analysis apps are searching through the tens of thousands of logs generated every day. They are tracking nearly every hint of physical and digital activity within the Olympic Village and the population of spectators and Olympic Games workers outside it.
Channeled to the SIEM system and big data analysis engines, the logs–which could amount to petabytes of data by the end of the Games–offer a detailed picture of all potentially suspicious activity in real time, rather than weeks after the Games are over, according to Chris Petersen, CTO and cofounder of log-analysis and SIEM vendor LogRhythm.
Sifting through logs to identify when and where someone is using an electronic passcard to go through the wrong door at the wrong time is invaluable, but not terribly useful if the security system isn’t also prepped with a series of automated responses and countermeasures to expected threats, Petersen wrote.
Applying big data to forensic data search and analysis is unusual in the world of big data, but could give responders in Olympics security operations centers (SOC) both early warning of threats and preconfigured ways to respond to them in ways security staff at previous Games couldn’t manage, Petersen wrote.
For hackers, the easiest targets may be the near-field communications (NFC) systems Visa is sponsoring that allow tourists to pay at food stalls, souvenir stands, and ticket vendors using no-touch digital-wallet payment systems, according to Robert Siciliano, an identity theft expert and blogger for McAfee security.
Mobile contactless payments–which allow smartphones loaded with security certificates and transaction software to act as credit or debit cards–may be convenient, but also give attackers a thinly defended point of entry for mobile payment systems on both Android and iOS devices, Siciliano wrote in a McAfee blog earlier this month.
Elections Ontario failed to enact security measures after it lost two USB keys containing the unencrypted personal data of up to 2.4 million voters, privacy commissioner Ann Cavoukian said Tuesday.
Elections Ontario discovered the “massive breach” when two memory sticks went missing in late April, but it didn’t tell the public until July 17, prompting investigations by the information and privacy commissioner and provincial police.
The agency went right back to using USB keys without enabling the encryption software just four days after realizing it had lost the two other data storage devices, said Cavoukian.
“Remarkably, despite the experience of the previous week and the resulting anxiety over lost data, the replacement USB keys were unencrypted,” she said.
“And no thought was given to encrypting the laptops” which also contained portions of the voters’ data.
The missing data keys include voters’ full names, home addresses, date of birth, gender and whether they voted in the last election.
Elections Ontario’s efforts “were totally inappropriate in light of the breach that had just occurred,” added Cavoukian.
“Personal information is the currency in which Elections Ontario trades,” she said.
“I am astounded at the failure of senior staff to address the security and technological challenges posed by the decision to locate the project off-site.”
Elections Ontario set up a second location after last fall’s election resulted in a minority government, because it had to prepare for the possibility of another snap election while also doing its usual post-election updating of the voters’ lists.
However, staff at the second location did not have access to the Elections Ontario server, so they used portable USB keys to move the data back and forth.
The USB keys were never locked away as they were supposed to be, the encryption software was never enacted to protect voters’ data, and it turns out staff thought putting a password on the file would protect the information.
“They had no understanding of the meaning of encryption,” concluded Cavoukian.
When they resumed work after losing the two USB keys, the Elections Ontario staff again failed to use available encryption software even though there were no security measures in place.
“These measures were totally inadequate and failed to address the glaring privacy risk raised by the loss of the keys,” said Cavoukian.
“Most significant, the project resumed by using a replacement set of USB keys with an encryption functionality, it was never activated.”
The commissioner also said it was discouraging to learn that privacy and security of personal information was not part of any training programs for staff at Elections Ontario.
A province-wide class action lawsuit has been launched against Elections Ontario regarding the loss of voters’ personal information.
The Canadian Press
Sen. Daniel Akaka (D-Hawaii) grilled the head of the Federal Retirement Thrift Investment Board on Tuesday about a massive data breach the agency suffered last year.
Akaka noted that 43 current and former members of Congress, including himself, had their personal information compromised in the attack.
In total, hackers gained access to the personal information of 123,000 federal employees who participate in the Thrift Savings retirement program. For some of the employees, the hackers were able to access names, addresses and Social Security numbers.
The Office of Management and Budget issued guidance to agencies in 2007 about security standards and the requirements to notify the public in the event of a breach.
But in an email to a Senate Homeland Security Committee staffer, a Federal Retirement Thrift Investment Board official said the agency is not obligated to follow the standards because it is an independent agency.
Greg Long, the board’s executive director, testified that the agency did not completely follow the security guidelines before the breach because of a lack of funding.
“I regret to say that the FRTIB did not have a breach notification plan in place prior to 2012. This was due to a lack of resources to develop the plan,” he said during a hearing of the Homeland Security Committee’s subcommittee on Oversight of Government Management.
But Long testified that the agency found the guidelines “very useful” in responding to the attack.
Federal employees were notified about the attack in May 2012.
Akaka is pushing for an amendment to the Cybersecurity Act, which is currently under consideration by the full Senate, that would require all federal agencies to notify the affected people in the event of a data breach.
Hospitals, for quite a while now, have been dealing with data breaches of patient information. But this week, six laptop and tablet computers were stolen from the home hospice offices at Northwestern Memorial Hospital in Chicago and the hospital is not saying how many patients had to be notified that their protected health information was compromised, according to a story at healthdatamanagement.com.
Hospices are where terminally ill patients usually stay until they die.
At risk were “Social Security numbers, name, address, date of birth, diagnosis, acuity of symptoms, medications, treatment notes, advanced directives, and insurance group and policy numbers,” the web site reports. Data breaches, of course, are not new.
In Utah earlier this year, 280,000 Medicaid patients were told their personal information had been breached, while in New York, the medical and personal records of almost 2,000 patients, vendors, contractors and staff were breached when magnetic data tapes were stolen in February.
Breaches cost the US healthcare industry $6.5 billion a year. In just four cases where information went unprotected, 7 million patients’ files were vulnerable.
The hospital was quoted in the story as saying that it does not believe the personal information was a target of the theft, and is offering affected patients credit monitoring services but would not give any details on exactly what services will be offered.
Northwestern in the statement said the devices were undergoing “a software upgrade and standard laptop security controls were suspended during that time,” the story notes. The hospital also said it is taking “decisive measures” to prevent future breaches, including limiting the number of patient records stored on laptop and tablet computers.
Northwestern is not alone. Last week, the Boston Globe reported that Beth Israel Deaconess Medical Center (BIDMC) sent letters to 3,900 potential victims of a health data breach, resulting from the theft of a physician’s personal laptop that contained patient information, according to EHRIntelligence. The hospital published a press release about the event this past Monday and indicated that no misuse of patient data had been found.
Edited by Braden Becker