Cyber-security (122)

Despite a comprehensive cyber-security framework in place in the US, cyber-crime remains a major threat. The framework didn’t prevent a huge phishing attack on a hospital, reported on eHNA, which indicates the scale and complexity of the challenge.

The US National Institute of Standards and Technology (NIST) has released for consultation its updated Framework for Improving Critical Infrastructure. It has two main parts, the report and a comprehensive checklist in Excel. They’re both essential for Africa’s health systems in developing their cyber-security.

The new report expands the cyber-security measures in the original framework from February 2014. Its new content includes:

  1. A new section on cyber-security measurement and correlating business results to cyber-security risk management metrics
  2. Expanded explanation of using the framework for supply chain risk management
  3. Refinements to improve accountability for authentication, authorisation and identity proofing
  4. Better explanation of the relationship between implementation tiers and profiles, including establishing or improving a cyber-security programme and using framework tiers for implementation, and integrating framework considerations with risk management.

The Excel checklist has 23 categories. These lead on to 106 sub-categories and 398 cyber-security reference links. It’s a comprehensive list of actions needed for good cyber-security practices. The 23 categories are:

  1. Asset Management (ID.AM): identifying and managing data, personnel, devices, systems, and facilities consistent with their relative importance to business objectives and risk strategy
  2. Business Environment (ID.BE): understanding and prioritising mission, objectives, stakeholders, and activities to inform cyber-security roles, responsibilities, and risk management decisions
  3. Governance (ID.GV): understanding and using policies, procedures, and processes for managing and monitoring regulatory, legal, risk, environmental and operational requirements so they inform cyber-security risk management
  4. Risk Assessment (ID.RA): understanding cyber-security risks to operations (mission, functions, image or reputation), organisational assets and individuals
  5. Risk Management Strategy (ID.RM): establish and use priorities, constraints, risk tolerances, and assumptions for operational risk decisions
  6. Supply Chain Risk Management (ID.SC): establish and use priorities, constraints, risk tolerances and assumptions for risk decisions about managing supply chain risk, and implement processes to identify, assess and manage those risks
  7. Identity Management and Access Control (PR.AC): limiting and managing access to physical and logical assets and associated facilities to authorised users, processes, and devices consistent with the assessed risk of unauthorised access
  8. Awareness and Training (PR.AT): ensuring personnel and partners are aware of cyber-security and adequately trained to perform their duties and responsibilities consistent with cyber-security policies, procedures, and agreements
  9. Data Security (PR.DS): ensuring data’s managed consistent with risk strategies to protect its confidentiality, integrity and availability
  10. Information Protection Processes and Procedures (PR.IP): maintain and use cyber-security policies (addressing purpose, scope, roles, responsibilities, management commitment and coordination), processes, and procedures to protect information systems and assets
  11. Maintenance (PR.MA): ensure control and information system components are maintained in line with policies and procedures
  12. Protective Technology (PR.PT): manage technical security solutions to ensure cyber-security and resilience of systems and assets consistent with policies, procedures and agreements
  13. Anomalies and Events (DE.AE): detecting and understanding anomalous activity and its potential impact promptly
  14. Security Continuous Monitoring (DE.CM): monitor information systems and assets at discrete intervals to identify cyber-security events and verify the effectiveness of protective measures
  15. Detection Processes (DE.DP): maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalous events
  16. Response Planning (RS.RP): implement and maintain response processes and procedures to ensure timely responses to detected cyber-security events
  17. Communications (RS.CO): co-ordinate responses with internal and external stakeholders, including external support from law enforcement agencies
  18. Analysis (RS.AN): analyse and review cyber-security measures to ensure adequate responses that support recovery activities
  19. Mitigation (RS.MI): perform activities to prevent expansion of events, mitigate their effects, and eradicate incidents
  20. Improvements (RS.IM): implement lessons learned from current and previous detections and responses
  21. Recovery Planning (RC.RP): implement and maintain recovery processes and procedures to ensure timely restoration of systems or assets affected by cyber-attacks
  22. Improvements (RC.IM): improve recovery planning and processes by incorporating lessons learned
  23. Communications (RC.CO): co-ordinate restoration activities with internal and external parties, such as coordinating centres, Internet Service Providers (ISP), owners of attacking systems, victims, other Computer Security Incident Response Teams (CSIRT) and vendors.

Challenges for Africa’s health systems include where to start and how long it should take to set up. The second question depends on the resources available. The reasonable answer to the first question is to pick a start that matches cyber-security priorities. If these aren’t explicit, start at 1. If there’s already been a cyber-attack, starting at 1 and 20 may be relevant.

Africa’s eHealth’s not strong on cyber-security rules and regulations. They’re essential, but a survey of ICT security experts in the US by Level 3 Communications says they’re not enough. The results, available from Health IT Security, are that:

  1. 96% feel vulnerable to a data breach
  2. 63% have suffered one
  3. 69% say meeting compliance requirements is very or extremely effective in safeguarding sensitive data.

In the US, eHealth security and privacy rules are set out in the Health Insurance Portability and Accountability Act 1996 (HIPAA). It established national security standards for eHealth. They are a vital component in protecting confidential information from unauthorised access. Level 3 says that since the act, cyber-threats and the cyber-security landscape have evolved rapidly, but healthcare can’t keep up. Cyber-security has become more essential to protect data and healthcare availability and continuity.

Three emerging cyber-security themes have become healthcare’s biggest cyber-security threats:

  1. Vulnerable connected devices that cyber-criminals can access to plant malware
  2. Distributed Denial-of-Service (DDoS) attacks that render computers or networks unavailable
  3. Phishing, accounting for more than 36% of cyber-security breaches.

Four lessons for Africa’s eHealth are clear. First, ensure effective cyber-security standards, rules and regulations. Next, keep them up to date to match the expanding cyber-crime initiatives. Third, ensure compliance. And finally, constantly strive to go beyond compliance with excellent cyber-security practices.

Are all the cyber-security firms misleading us about the hazards and dangers of cyber-threats? Dr Ian Levy, technical director at UK’s Government Communication Headquarters (GCHQ), an intelligence and security organisation, says they’re using “medieval witchcraft” to exaggerate the risks and boost sales. A report in The Register records his view, expressed at Usenix Enigma 2017, that their aim’s to sell security defences to tackle “advanced persistent threats” from highly organised, smart criminals, but hackers are just “adequate pernicious toe-rags.” The result of the sales campaigns is that they “are allowing massively incentivised companies to define the public perception of the problem.”

Soon after Dr Levy’s comments, the UK Parliament’s Public Accounts Committee (PAC), a highly respected and fiercely independent spending watchdog, released Protecting information across government. It’s critical of the UK’s cyber-security performance when the “Threat from cyber attacks has been one of the UK’s top four risks to national security since 2010.” It says the current performance “Reduces our confidence in the Cabinet Office’s ability to protect the nation from higher threat cyber attacks. The use of the internet for cyber crime is evolving fast and the government faces a real struggle to find enough public sector employees with the skills to match the pace of change.”

A quick look at a Symantec user report showed eight cyber-attacks were repelled over a week. Several phishing emails arrived most days. Some were diverted to a junk folder. Ones with new domain names made it to the inbox. Despite the NCSC’s efforts, and their improvements in response to PAC’s report, cyber-criminals are always one step ahead of cyber-security measures. Provided eHealth teams are aware of cyber-security firms’ aspirations to sell on the back of their advice and white papers, which isn’t difficult to spot, the advice offered is free and still very valuable for Africa’s eHealth cyber-security initiatives.

Patients and their families expect healthcare professionals to know and apply best practices. They can also expect that eHealth’s cyber-security aspires to the same standards. A white paper from Osterman Research, sponsored by KnowBe4, a cyber-security and training firm, sets these out for combating phishing and ransomware cyber-attacks. They offer a good start for Africa’s eHealth. Core themes include:

  1. Phishing and ransomware are increasing at the rate of several hundred percent a quarter
  2. Most organisations have been victimised
  3. Phishing and ransomware are among security decision makers’ four main concerns
  4. Security spending will increase significantly in 2017
  5. Most organisations aren’t seeing improvements in their security
  6. Security awareness training is vital to combat phishing and ransomware
  7. Organisations with well-trained employees are less likely to be infected

In this increasingly challenging cyber-crime world, organisations can adopt many cyber-security best practices to deal with phishing and ransomware. They include:

  1. Provide cyber-security awareness training to create a human firewall
  2. Test staff periodically to see if cyber-security awareness training’s effective
  3. Apply rigorous password management
  4. Deploy systems that detect and eliminate phishing and ransomware attacks
  5. Search for and remedy cyber-security risks and vulnerabilities
  6. Maintain good, isolated backups
  7. Use reliable threat intelligence
  8. Establish communication backchannels for key staff members
  9. Keep reminding employees of the risks of oversharing content on social media
  10. Ensure every employee maintains robust anti-malware defences on their managed platforms
  11. Keep software and operating systems up-to-date.

These are sensible and pragmatic practices that Africa’s health systems can adopt. Making them effective needs a cyber-security leader, who must be an executive.

Standards, and so regulation, for cyber-security are essential for Africa’s eHealth. In May 2013, the British Standards Institute (BSI) published Publicly Available Specification (PAS) PAS 555:2013 Cyber security risk. Governance and management. Specification. It’s relevant for Africa’s eHealth.

BSI is the world’s first national standards body. Sir John Wolfe-Barry, who designed London’s iconic Tower Bridge, formed it in 1901. It registered its BSI Kitemark in 1903, the same year that saw the birth of Harley Davidson, Crayola crayons and the Tour de France. It has a track record of setting standards for quality.

PAS 555 is generic, so fits healthcare. It aims to help organisations understand and manage their exposures to cyber-threats, a downside to eHealth’s costs and benefits, healthcare’s reputation and risks to patients and communities. It uses outcomes-based methodologies to define the overall outcomes of effective cyber-security and ensure organisations’ confidence. Its standards comprise:

  1. Business-led, holistic approach to cyber-security
  2. Technical aspects of cyber-security
  3. Physical, cultural and behavioural aspects
  4. Effective leadership and governance.

These can help Africa’s healthcare organisations:

  1. Focus investment appropriately
  2. Minimise potential loss
  3. Improve operational effectiveness and efficiency
  4. Develop organisational resilience
  5. Improve loss prevention and incident management
  6. Identify and mitigate cyber-security risk throughout organisations.

It also helps organisations to choose how they achieve their specified outcomes. This can be through their own processes, or by adopting other standards and management systems. PAS 555 cross-references other standards, including some from the International Standards Organisation (ISO), such as:

  1. BS ISO/IEC 27001 Information Security Management
  2. ISO/IEC 20000-1 Information Technology. Service Management. Service management systems requirements
  3. ISO 22301 Business Continuity Management
  4. ISO 31000 Risk Management.

These offer constructive starting points for Africa’s eHealth cyber-security. But, as cyber-threats continue to develop, it’s important to keep up too. Acfee’s first in a series of reports on cyber-security aims to help with this.

Healthcare professionals are integrating technology with medical devices to improve disease management, reduce medical errors, and increase communication with their patients. All these valuable benefits are reduced by cyber-risk, some of which becomes cyber-security breaches. The surge of Internet of Things (IoT) and web-connected medical devices has increased these cyber-security risks and vulnerabilities. An article in Forbes says that hacktivists and cyber-criminals exploit vulnerabilities in systems with poor cyber-threat monitoring and a lack of regulations and policies. There’s also a need for reactive and detective controls and defences.

As the Association for the Advancement of Medical Instrumentation (AAMI) celebrates its 50th anniversary this year, it welcomes its new president and CEO Robert Jensen. AAMI’s developed standard 80001-1:2010 to apply to risk management for ICT networks that incorporate medical devices. The most common cyber-security risks are web application attacks with malware that includes viruses, worms, spyware and ransomware. It’s crucial to provide a cyber-security strategy for total product life-cycles, starting from design and stretching to obsolescence, to ensure maximum cyber-security.

80001-1:2010 stipulates the requirements needed to attain safety, effectiveness, data and system security, and interoperability. It provides guidelines to suppliers, and it’s their responsibility to comply when manufacturing, installing and distributing their medical devices for use. The first part of 80001-1 aims to guarantee the safety, security and privacy of both the delivery and the quality of healthcare for patients, and to address patient and operator risks. Some recommendations to improve cyber-security are:

  1. Install benchmarks to test and trial medical devices for any vulnerabilities
  2. Develop programs for routine software updates
  3. Impose strict access and control policies to authorised personnel
  4. Increase cyber-security features in medical devices

Africa’s health systems can adapt the 80001-1 safety requirements to increase the cyber-security of medical devices. This will help secure eHealth systems and go a long way in protecting patient data.

Our privacy, health and EHRs depend on secure and resilient cyber-security. An article previously on eHNA asked how safe hospital devices are. It’s clear that the increasing number of medical devices connected to the Internet increases cyber-security risks. These could be life threatening and have fatal consequences, so are serious in the extreme. More healthcare providers are using connected medical devices to monitor and treat patients. It’s therefore imperative that these devices are secure.

The Center for Internet Security (CIS) is developing a set of benchmarks to protect medical devices, such as insulin pumps, pacemakers and defibrillators, from possible hacking or viral malware. In computing, benchmarking is running computer programs to assess the relative performance of an object by running numerous standard tests and trials against it. An article in MobiHealthNews says CIS has invited medical device makers to participate in the project to help develop cyber-security control guidelines.

Protecting insulin infusion pumps is the first priority. The Washington Post has an article saying it’s one of the most used medical devices, so it’s likely to attract more attention from stakeholders and increase collaboration on increasing their cyber-security.

ABI Research has estimated that by 2020, more than 30 billion medical devices will be connected to the Internet of Things (IoT). Diabetes Mellitus and heart diseases are amongst the leading causes of death in South Africa. Although insulin pumps and pacemakers are not yet popular and easily accessible, demand’s growing rapidly. South Africa and other African countries can adapt the CIS cyber-security control guidelines initiative when manufacturing and using medical devices. The aim must be to ensure their safety.

Effective and sustainable eHealth is a longstanding priority for many developed countries in improving healthcare and its information, access and quality. It can be a catalyst between healthcare providers and patients to provide quality healthcare while bridging gaps in the equity and distribution of health resources.

The rapid growth of eHealth has, however, increased concerns about cyber-security. An article in Computer Business Review (CBR) says there are new emerging threats to hospitals’ devices connected to the web. While there’s considerable emphasis on protecting patients’ records, insufficient attention is accorded to guarding web-connected hospital devices. Hacktivists and other cyber-criminals are finding new ways to exploit vulnerabilities in hospitals’ health systems, and these extend to online EHRs and devices.

Internet of Things (IoT), hospital and wearable web-connected devices, such as insulin pumps, pacemakers, heart and blood pressure monitors, are susceptible to targeted attacks by hacktivists, terrorists and organised crime gangs. When healthcare data’s placed in the wrong hands, the consequences could be fatal.

WHO says health systems in Africa are investing in eHealth and its mHealth component in their quests for Universal Health Coverage (UHC), accessibility and quality. Despite the expanding programmes, Africa’s eHealth is still nascent, with some healthcare providers and public health agencies still unaware of eHealth’s possibilities in improving health and healthcare quality and access.

As eHealth becomes more widespread in Africa, hospitals should learn from developed countries about a holistic approach to increasing cyber-security for both patients’ records and hospital devices. Balancing resources between implementing eHealth programmes and services and increasing cyber-security for both hospital records and devices is key. Acfee has a report on eHealth cyber-security. It’ll be available on Acfee’s website soon, then followed up with supplementary commentaries as more information and insights become available. Acfee members will be notified when it’s available.

A common feature of cyber-security’s its general lag behind cyber-threats. Data Breach Incident Response Workbook, from AllClear ID, a cyber-security company, provides general guidance and assistance in developing security standards. It’s essential for Africa’s eHealth.

Health IT Security says it provides an outline and recommendations for a start to planning well-orchestrated responses to data compromises. The next step’s engaging external stakeholders. An essential theme’s ensuring plans are recorded and tested thoroughly to achieve effective financial and operational responses to cyber-attacks.

Its contents include:

  1. The cyber-threat world and operational and reputational damage
  2. Anatomy of a data breach
  3. Preparing for a data breach
  4. Building a strong internal response team
  5. Data breach checklist
  6. Data breach notifications
  7. The Incident Response Plan Guide.

Incident response teams shouldn’t be drawn just from ICT teams. They should draw members, and appoint an incident lead, from:

  1. Executive management
  2. ICT
  3. Customer and patient services
  4. Risk management and security
  5. Compliance and audit
  6. Legal
  7. Privacy
  8. Public relations.

The checklist should document everything that happens and is discovered. Prompt action’s vital, so every action needs fitting into a timeline. Actions include:

  1. Implement the data breach incident response plan
  2. Specify the information needed for reporting summaries
  3. Identify the problem
  4. Start the incident reporting process
  5. If the data breach could harm a person or business, contact local police
  6. Create an incident summary report for executives
  7. Create a technical incident summary report.

The Incident Response Plan checklist’s comprehensive. It includes important advice: “Continuously update the information in the contact lists and other documents – don’t get caught in an emergency with outdated information.” It’s obvious, but an elementary error to avoid.

While phishing’s an elementary cyber-attack, its results can be enormous if it works. The US Anthem health insurance attack in 2015 began with an employee in a subsidiary organisation opening a phishing email. Attackers then had remote access to move across at least 50 accounts and over 90 systems, including Anthem’s enterprise data warehouse, where the bulk of more than 78 million records were stolen.

A report from the California Insurance Commissioner found that Anthem took “reasonable measures” to protect patient information prior to the breach, but the attacker targeted specific weaknesses within the system. On Feb. 18, 2014, an employee within an Anthem subsidiary opened a phishing email, allowing the attacker to gain remote access to the computer and then move laterally across accounts, including the insurer’s enterprise data warehouse where the bulk of the information was stolen.

Investigators believe perpetrators of the 2015 Anthem hack that exposed personal records of more than 78 million people may have been acting on behalf of a foreign government, exploiting weaknesses in the insurer’s system that are commonplace within the industry.

Investigators determined the identity of the hacker with “high confidence.” They concluded with “medium confidence” that the attacker was working on behalf of a foreign government, but didn’t identify the offenders. Officials have previously linked the attack to Black Vine, a Chinese cyber-espionage group. Symantec, the cyber-security firm, says it’s “highly resourceful” and has been targeting several high profile entities since 2012, and believes it’s behind the Anthem attack.

Africa’s health care’s not immune. While cyber-crime opportunities may be more attractive in other health systems, Africa still needs effective cyber-security.