Hacking Incidents Prompt Universities to Rethink Balance between Openness / Security

March 21, 2014 | Chivaroli and Associates Insurance Services | Article Archives

Publication Date: 3/16/2014
Source: Baltimore Sun (MD)

In the two weeks between recent revelations that hackers stole data on students, alumni and faculty from the University of Maryland, College Park and the Johns Hopkins University, nearly 360,000 records were swiped in similar attacks at schools in Pennsylvania, Indiana and North Dakota.

Online thieves have increasingly sought sensitive or otherwise valuable data from educational institutions, experts say. Last year alone, breaches included possible exposure of 2.5 million Social Security and bank account numbers associated with an Arizona community college system, 74,000 Social Security numbers of University of Delaware students and staff, and 145,000 applications to Virginia Tech, according to the Privacy Rights Clearinghouse.

Colleges and universities often are attractive targets for hackers because there are many access points into their networks, which contain not just financial and personal data but also valuable intellectual property. That threat is forcing academics to reassess the way they keep and protect vast collections of information, often held in decentralized computer networks accessible to thousands of students, professors and researchers.

“It’s been a long-standing concern that our culture of collaboration and trust kind of flies in the face of the need for security to be more closed, more alert and more skeptical and cynical,” said Rodney Petersen, senior policy adviser for SecuriCORE, a higher education information security project at Indiana University. Just as campuses have added gates, guards and surveillance cameras in recent decades, they may have to end the era of open access to online resources, he said.

The University of Maryland and other institutions reeling from major data thefts are redoubling efforts to confine and protect sensitive data spread across networks — sometimes so scattered that it’s a complicated task simply to learn where the data might be hiding and vulnerable. The growing security risks may also require new barriers around networks that have been traditionally open in the name of academic discourse and unfettered access.

But unlike retailers, banks and other companies that guard sensitive data, universities can’t mandate what devices or software are used to access their networks. And they must accommodate students and researchers spread across the globe, making it more difficult to prevent and detect security breaches.

Since January 2013, more than 50 colleges, universities and school systems across the country have been the targets of attacks that may have compromised personal information, according to the Privacy Rights Clearinghouse, a California-based consumer-advocacy group.

Such attacks are not confined to colleges and universities. The school systems in Howard and Carroll counties, for example, have reported network disruptions linked to possible cyberattacks this year, though personal data was not thought to have been at risk in either case.

Since a breach compromised names, Social Security numbers and birth dates of 287,580 students, faculty and staff at the University of Maryland on Feb. 18, officials said they have purged more than three-fourths of the sensitive records, some of which dated back to 1992. But they are also hastening to learn how vulnerable the university’s data remains, and how to prevent future attacks.

A cybersecurity task force that university President Wallace Loh called together within 24 hours of the attack is set to consider whether information technology systems on campus should be centralized to keep sensitive data in one place, rather than scattered across various colleges and departments. The group, which met for the first time Wednesday, also is launching an effort to scan all university databases for personal information that could be at risk.

Similar actions have taken place at Johns Hopkins, where officials on March 6 announced an attack that occurred late last year compromising names and email addresses of 848 biomedical engineering students, as well as confidential evaluations of classmates. In response to attacks and at the urging of auditors, the university has moved to prioritize what data needs the highest levels of protection, said Darren Lacey, the university’s chief information security officer.

Cybersecurity experts familiar with educational institutions’ challenges fending off hackers said the strategies are common responses to the growing threats. While they have traditionally used “open coffee-house style” networks, institutions are increasingly rearranging how they organize business systems such as tuition processing or employee payroll, said James Robinson, director of security for Accuvant, a cybersecurity company that works with higher-education clients.

That sort of strategy is one of their few options, given the broad access allowed on a university network. While a company can control what technology their employees use to connect remotely — often through secure virtual private networks — universities don’t have that luxury. And though security measures typically include automated systems that look for unusual activity or known malicious actors, that can be like finding a needle in a haystack.

Lacey said of Hopkins’ monitoring efforts, “Really, everything is an anomaly. If I get a million connections from another country, a corporation might say that’s not good. In our world, because we have students and faculty all over the world, that doesn’t necessarily trigger any response from us.”

Meanwhile, officials are increasingly sifting through a deluge of questionable activity.

“Here at UMB, the number of attempts to get unauthorized access to our networks has grown exponentially over the last five or six years, where our intrusion-prevention system blocks literally millions of attempts every day,” said Peter J. Murray, chief information officer at the University of Maryland, Baltimore.

He said 90 percent or more of the millions of emails sent to the university each week originate from websites “blacklisted” by anti-spam software providers. Those emails, which are blocked, often try to fool people into providing information such as passwords, credit card details or money. Many hacking efforts come through programs freely available on the Internet.

The simple response has been to do a better job of isolating sensitive personal data and building up protections around it, though that can invite more pursuit by hackers seeking to profit from theft. There may be other cases in which hackers are after valuable research data or other intellectual property, but they likely aren’t publicized because there is no legal mandate to report them, Robinson said.

As logical as it sounds, though, it’s not an easy transition for large institutions. On a campus like the one in College Park, IT systems and other back-office functions are spread across multiple colleges, each with multiple departments within it.

“It’s a cultural shift” to take some of those responsibilities away and shift them to a central university authority, Petersen said.

Hopkins officials said they are transitioning to a more corporate-like network, consolidating business systems with sensitive data and placing controls on how that data is used, pushing people to “be somewhat more circumspect in what data they need,” Lacey said.

At College Park, the university’s cyber task force has not yet determined how security practices vary across the campus and which present vulnerabilities, Ann Wylie said. The university last scanned its databases for personal information in 2006, so it’s also unclear if there are places sensitive information is harbored unprotected, she said.

Some experts suggest that access to some parts of university networks should nonetheless be limited, cutting down on the points through which hackers could gain access. One option: so-called two-step verification, forcing users who log in on a new device with a username and password to then provide a code sent via text message or email, Robinson said.

But higher-education officials may be reluctant to compromise the openness of their networks, at the risk of disrupting research that involves sharing large amounts of data, whether or not that data is sensitive. Tighter security could particularly challenge computer science research seeking to learn more about the very attacks officials hope to avoid.

“I think things are going to get a lot harder for everyone,” said Matthew Green, an assistant research professor of computer science at Johns Hopkins. “It’s good to be secure, but it’s good to be open. You have to really be careful how much you do to prevent people from the work they’re supposed to be doing.”

Officials say they are striving for a balance. At the University of Maryland, Wylie said sensitive student data might be sequestered without affecting research activity, though the university’s task force could determine that research data on human subjects, survey responses or valuable intellectual property could afford stricter controls.

“There is a tension here, but I think we can work with that tension,” she said. “We do not want to do anything that would put barriers for our faculty and grad students and researchers to do their work.”

For more information contact Chivaroli & Associates.

Baltimore Sun reporter Scott Calvert contributed to this article.

Examples of breaches

–Sept. 28, 2013: Virginia Tech reveals 144,963 online applications to the university may have been accessed. No Social Security numbers or financial data were exposed but nearly 17,000 driver’s license numbers were.

–Nov. 27, 2013: Names, Social Security numbers, bank account information and dates of birth for 2.5 million people associated with the Maricopa County Community College district in Phoenix, Ariz., may have been exposed.

–Dec. 13, 2013: Names, Social Security numbers and tax identification numbers of 6,500 individuals associated with the University of North Carolina, Chapel Hill were mistakenly posted online.

–Feb. 19, 2014: The University of Maryland, College Park says the Social Security numbers and birth dates for 309,079 students, alumni, faculty and staff were exposed in a breach. It later revises the number downward to 287,580 when some incomplete or inaccurate data is discovered in the database.

–Feb. 26, 2014: Indiana University announces personal data, including Social Security numbers, of 146,000 students and alumni breached.

–March 6, 2014: North Dakota University System notifies students, staff and faculty that 290,780 personal records, including Social Security numbers, were exposed in a breach.

–March 6, 2014: The Johns Hopkins University says the names and contact information of 1,307 students and faculty were exposed when a hacker attempted to extort the university for further access to its servers. It later lowered the number to 848.

Source: Privacy Rights Clearinghouse
