ItsjustJim621 t1_jcaibw8 wrote
Reply to comment by ronreadingpa in Ransomware gang leaks Lehigh Valley Health Network cancer patient photos as part of data hack by Aggravating_Foot_528
This this this.
As someone studying cybersecurity, I’m wondering what safeguards did LVHN have in place to even protect against something like this?
Security usually starts with endpoints... training to look for phishing emails. From there, we can bolster that with strong passwords, VPNs, creating a zero-trust network, etc., honeypots, black holes... Their IT team needs some serious training and/or network upgrades.
Then again, I get not paying the ransom because who’s to say they’d give the data back? But at that point, they’re really taking a gamble as to making a determination that the information compromised isn’t important compared to financial or business data.
Zenith2017 t1_jd3jchm wrote
Just FWIW, phishing training generally has a really poor return on investment. It's improving with products like KnowBe4, but largely you can expect that around 8% of trainees will change their behavior in the short term.
292ll t1_jcarr8g wrote
How can a private, relatively small organization have the appropriate protections in place to compete with quasi-state-funded hackers? I don’t know that we can ever get there, and if 80% of companies do, they’ll find the other 20%.
IamSauerKraut t1_jcb3cid wrote
There are basic protections that many orgs are not putting into place because 1) not enough IT folks specialize in it, and 2) orgs are unwilling to pay the cost of installation/upgrades.
MartianActual t1_jcc4mp2 wrote
This. It would make you scream to see how inadequate cybersecurity is at a lot of major corporations, or the lack of funding for it because it's a cost, not a revenue generator.
ItsjustJim621 t1_jcas94b wrote
It’s always going to be a cat and mouse game.
My company got hacked a year or so ago before I came on board. And since then, there’s been a concentrated effort to batten down the hatches so to speak.
292ll t1_jcasnb8 wrote
It’s tough. I think an appropriate level is "are you protected from 90% of these clowns?", but most businesses don’t have the $ or resources to be fully protected.
IamSauerKraut t1_jcb3hfj wrote
No health system should go without protection. Time for them to belly up.
Zenith2017 t1_jd3jo50 wrote
Nobody can be fully protected, but I think it might shock you to see the reality out here. I have Fortune 50 customers whose security programs are woeful. Seriously, that bad. Cringeworthy, nail biters. Hell, my mom worked for a top 3 insurance company for years and from day 1 she was an admin on her laptop, handling HIPAA compliant data locally. It is often that bad, and a lot of companies are hardly trying.
BluCurry8 t1_jcbw88g wrote
That is a really ridiculous statement. LVHN is not small, and they are just as responsible for their data security as any other company holding PII data. Patient data should be secured from enterprise business applications.
delcodick t1_jccq147 wrote
Perhaps an organization that is unable to comply with its legal obligations shouldn’t be in business then 🤷‍♂️ I wouldn’t say that an operating income of $78.4 million is particularly small 🤔