Cyber-security (116)

Our privacy, health and EHRs depend on secure and resilient cyber-security.  An article previously on eHNA asked how safe are hospital devices? It’s clear that the increasing number of medical devices connected to the Internet increases cyber-security risks. They could be life threatening and have fatal consequences, so serious in the extreme.  More healthcare providers are using connected medical devices to monitor and treat patients. It’s therefore imperative that these devices are secure.

The Center for Internet Security (CIS) is developing a set of benchmarks to protect medical devices, such as insulin pumps, pacemakers and defibrillators, from possible hacking or viral malware. In computing, benchmarking is running computer programs to assess the relative performance of an object by running numerous standard tests and trails against it. An article in MobiHealthNews says CIS has invited medical device makers to participate in the project to help to develop cyber-security control guidelines.

Protecting insulin infusion pumps is the first priority. The Washington Post has an article saying it’s one of the most used medical devices, so it’s likely to attract more attention from stakeholders and increase collaboration on increasing their cyber-security.

ABI Research has estimated that by 2020, more than 30 billion medical devices will be connected to the Internet of Things (IoT). Diabetes Mellitus and heart diseases are amongst the leading causes of death in South Africa. Although insulin pumps and pacemakers are not yet popular and easily accessible, demand’s growing rapidly. South Africa and other African countries can adapt the CIS cyber-security control guidelines initiative when manufacturing and using medical devices. The aim must be to ensure their safety.

Effective and sustainable eHealth is a longstanding priority for many developed countries in improving healthcare and its information, access and quality. It can be a catalysts between healthcare providers and patients to provide quality healthcare while bridging the gap between inequity and distribution of health resources.

The rapid growth of eHealth has, however, increased concerns about cyber-security. An article in Computer Business Review (CBR) says there are new emerging threats on hospital’s devices connected to web. While there’s considerable emphasis on protecting patients’ records, there’s insufficient accorded to guarding web connected hospital devices. Hacktivists and other cyber-criminals are finding new ways to penetrate hospitals’ health systems vulnerabilities, and these extend to online EHRs and devices.  

Internet of Things (IoT), hospital and wearable web connected devices, such as insulin pumps, pacemakers, heart and blood pressure monitors, are susceptible to targeted attacks by hacktivists, terrorists and organised crimes gangs. When healthcare data’s placed in the wrong hands, the consequences could be fatal.

WHO says  health systems in Africa are investing in eHealth and its mHealth component in their quests for Universal Health Coverage (UHC), accessibility and quality. Despite the expanding programmes, Africa’s eHealth is still nascent, with some healthcare providers and public health agencies still unaware of eHealth’s possibilities in improving health and healthcare quality and access.

As eHealth becomes more widespread in Africa, hospitals should learn from developed countries about a holistic approach in increasing cyber-security in both patients’ records and hospital devices. Allocating equal distribution of resources to implementing eHealth programmess and services and in increasing cyber-security in both hospital records and devices are key. Acfee has a report on eHealth cyber-security. It’ll be available on Acfee’s website soon, then followed up with supplementary commentaries are more information and insights become available. Acfee members will be notified when it’s available.

A common feature of cyber-security’s its general lag behind cyber-threats. Data Breach Incident Response Workbook, from AllClear ID, a cyber-security company, provides general guidance and assistance in developing security standards. It’s essential for Africa’s eHealth.

Health IT Security says it provides an outline and recommendations for a start to planning well-orchestrated responses to a data compromises. The next step’s engaging external stakeholders. An essential theme’s ensuring plans are recorded and tested thoroughly to achieve effective financial and operational responses to cyber-attacks.

Its contents include:

  1. The cyber-threat world and operational and reputational damage
  2. Anatomy of a data breach
  3. Preparing for a data breach
  4. Building a strong internal response team
  5. Data breach checklist
  6. Data breach notifications
  7. The Incident Response Plan Guide.

Incident response teams shouldn’t be just from ICT teams. They should draw and appoint an incident lead from:

  1. Executive management
  2. ICT
  3. Customer and patient services
  4. Risk management and security
  5. Compliance and audit
  6. Legal
  7. Privacy
  8. Public relations.

The checklist should document everything that happens and is discovered. Prompt action’s vital, so every action needs fitting into a timeline. Actions include:

  1. Implement the data breach incident response plan
  2. Specify the information needed for reporting summaries
  3. Identify the problem
  4. Start the incident reporting process
  5. If the data breach could harm a person or business, contact local police
  6. Create an incident summary report for executives
  7. Create a technical incident summary report.

The Incident Response Plan checklist’s comprehensive. It includes important advice: “Continuously update the information in the contact lists and other documents – don’t get caught in an emergency with outdated information.” It’s obvious, but an elementary error to avoid.

While phishing’s an elementary cyber-attack, its results can be enormous if it works. The US Anthem health insurance attack in 2015 resulted in an employee in a subsidiary organisation opening a phishing email. Attackers then had remote access to move across at least 50 accounts, 90 over systems, including Anthem’s enterprise data warehouse where the bulk of more than 78 million records were stolen.

A report from the California Insurance Commissioner found that Anthem took “reasonable measures” to protect patient information prior to the breach, the attacker targeted specific weaknesses within the system. On Feb. 18, 2014, an employee within an Anthem subsidiary opened a phishing email, allowing the attacker to gain remote access to the computer and then move laterally across  accounts, including the insurer’s enterprise data warehouse where the bulk of the information was stolen.

Investigators believe perpetrators of the 2015 Anthem hack that exposed personal records of more than 78 million people may have been acting on behalf of a foreign government, exploiting weaknesses in the insurer’s system that are commonplace within the industry.

Investigators determined the identity of the hacker with “high confidence.” They concluded with “medium confidence” that the attacker was working on behalf of a foreign government, but didn’t identify the offenders. Officials have previously linked the attack to Black Vine, a Chinese cyber-espionage group. Symantec, the cyber-security firm, says it’s “highly resourceful” and been targeting several high profile entities since 2012, and believes it’s behind the Anthem attack.

 Africa’s health care’s not immune. While cyber-crime opportunities may be more attractive in other health systems, Africa still needs effective cyber-security

As cyber-criminals find new ways into eHealth, the US Food and Drug Administration (FDA) seeks to minimise the holes and risks in medical devices, many of which are part of eHealth networks. Its guidance in Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff sets out obligation on manufacturers by encouraging them to address cyber-security throughout device lifecycles. It extends across pre-market and post-market activities, so “Design, development, production, distribution, deployment and maintenance.”

It’s both realistic and practical. The guidance recognises that the constantly evolving cyber-security risks to medical devices make it impossible to mitigate risks completely by pre-market controls alone. A core action’s for manufacturers to implement comprehensive cyber-security risk management programmes and documentation. The focus of assessing the risk of patient harm should consider:

  1. Exploitability of cyber-security vulnerabilities
  2. Severity of patient harm if vulnerabilities are exploited.

An example of these assessments is using the Common Vulnerability Scoring System (CVVS) Version 3.0. It has several factors that combine to provide numerical ratings of high, medium and low exploitability levels, including: 

  1. Attack vector as physical, local, adjacent or  network
  2. Attack complexity as high or low
  3. Privileges required as (none, low or high
  4. User Interactions as none or required
  5. Scope as changed or unchanged
  6. Confidentiality Impact as high, low or none
  7. Integrity Impact as none, low or high
  8. Availability Impact as high, low or, none
  9. Exploit code maturity as high, functional, proof-of-concept or unproven
  10. Remediation level as unavailable, work-around, temporary fix, official fix or, not defined
  11. Report confidence as confirmed, reasonable, unknown or not defined.

As Africa’s eHealth steps up its cyber-security and regulations, the FDA’s guidance provides a constructive reminder that medical devices can’t be ignored. It’s a good starting point for Africa’s health systems to consult on and set the required eHealth regulations in place.

When it comes to responding to threats, military organisations have a considerable range of experiences. While they only have a 50% success rate because there’s invariably a loser, the lessons learned are always valuable.

The late John Boyd was a US Air Force fighter pilot who became a Pentagon strategist. From his experiences, he developed several theories of organisational behaviour. One was the Observe, Orient, Decide and, Act Loop (OODA). It’s an information strategy for information warfare and crises, and stretches across military and business. The goal’s to defeat an enemy by psychological paralysis caused by disrupting another entity’s OODA, which’s where eHealth’s cyber-security fits in. OODA can help to disrupt cyber-criminals activities, so disrupt cyber-threats.

Alien Vault has adopted the OODA Loop to deal with responses to cyber-incidents. It sees it as tactics rather than strategy. It fits it to cyber-security as:

  1. Observe: use security monitoring to identify anomalous behaviour that may need investigating
  2. Orient: evaluate what's happening in the cyber-threat intelligence landscape and inside a healthcare organisation, making logical connections and real-time contexts to focus on priority events
  3. Decide: based on observations and context, choose the best tactic to minimise damage and speed up recovery
  4. Act: remedy, recover and improve incident response procedures based on lessons learned.

There’s a 90 second video that shows how Alien Vault combines integrated security technologies and emerging threat intelligence. The aim’s to co-ordinate threat detection, incident response, threat management, and do these very quickly. The steps are:

  1. Identify, isolate, and investigate indicators of compromise (IOCs) before damage occurs
  2. Correlate security events with built-in vulnerability scan data threat Intelligence to prioritise response efforts
  3. Gain essential insight into attackers’ intent and techniques
  4. Respond to emerging threats with detailed, specific actions for cyber-attacks’ contexts that guide each alert
  5. Validate that existing security controls work as planned
  6. Report to auditors, managers and executives that incident response programmes are robust and reliable.

If security controls don’t work as planned, they’ll need fixing. The actions and resources needed should be included in in the report to executives.

OODA Loop’s a sophisticated, cerebral approach to cyber-security. As Africa’s health systems develop theirs, it’s valuable to keep OODA Loop in mind as a concept to work towards at a rapid pace. The attraction’s that, as cyber-criminals step up their illicit endeavours, it’s becoming a war, metaphorically.

 

It’s a reasonable assumption that cyber-criminals are at least one step ahead. They only have to be lucky once. eHealth security measures have to be lucky all the time. A survey by Tripwire shows that health ICT teams may not have enough luck. The results and recommendations are extremely and directly relevant for Africa’s eHealth.

It compared confidence with knowledge of health ICT security on seven core security controls needed to detect data breaches. The health ICT professionals believed they had the information needed to detect breaches quickly. They also provided contradictory information about the data, prompting Tripwire to conclude that health ICT professionals are overconfident in their ability to collect the data quickly to detect and remedy cyber-attacks.

The findings include:

  1. 63% of breaches occur within minutes
  2. 56% took several months to detect
  3. 90% say they can detect a configuration change to endpoint devices on their organisations’ networks within hours
  4. 51% say they’re not sure how long it takes
  5. 60% believe automated tools don’t collect some critical information needed to identify locations and departments where unauthorised devices were detected
  6. 83% say the can configure changes to network devices within hours
  7. 46% are unsure how long it takes
  8. 43% say less than 80% of patches succeed in a typical patch cycle
  9. 45% if identified vulnerabilities aren’t remedied within 30 days.

The seven security controls that match United States Computer Emergency Readiness Team (US-CERT) requirements, and in the study were:

  1. Payment Card Industry Data Security Standard (PCI DSS)
  2. Sarbanes Oxley Act (SOX)
  3. North American Electric Reliability Critical Infrastructure Protection (NERC CIP)
  4. Monetary Authority of Singapore Technology Risk Management (MAS TRM)
  5. National Institute of Standards and Technology (NIST 800-53)
  6. Critical Security Controls (CIS) Top 20
  7. Internal Revenue Service (IRS) 1075.

Tripwire’s seven recommendations from the study are for health systems to have:

  1. Accurate hardware inventories
  2. Accurate software inventories
  3. Continuous configuration management and hardening
  4. Comprehensive vulnerability management
  5. Patch management
  6. Log management
  7. Identity and access management.

All these need including in Africa’s eHealth programmes. With cyber-attacks rising rapidly, they’re urgent actions.

One of eHealth’s perverse equity features’s that all organisation’s are vulnerable. Each one can determine its degree of vulnerability. Health IT Security has access to a white paper How to Secure Data Access Within the Healthcare Industry from VASCO and iSMG. It deals with:

  1. The changing role of eHealth in healthcare
  2. Why healthcare organisations have headline-grabbing data breaches
  3. Types of eHealth that need strong authentication
  4. Best practices to help healthcare integrate and adopt security without compromising patient experiences.

They identify six eHealth types that need strong identification:

  1. EHRs
  2. ePrescribing
  3. Portal applications
  4. Patient applications
  5. mHealth
  6. Network infrastructure.

Advice that Africa’s health systems should follow is:

  1. Security isn’t an afterthought
  2. Breaches negatively affect patients and healthcare
  3. Cyber-criminals rely on gaps organisations’ authentication security framework
  4. eHealth regulators, of which there are few in Africa, should accord a high priority to data privacy and security, and set onerous standards that drive effective security
  5. Strong authentication minimises cyber-security risk and makes it harder for cyber-criminals to reach patients’ data
  6. End-to-end identity proofing solutions addressing users’ authentication and identification and facilitates secure information exchange between all access points is essential
  7. These solutions must be platform-agnostic and provide the same level of security across mobile, desktop and proprietary technology, and allow for integration of various technology protocols, such as Bluetooth, token and smartcard.

Many of Africa’s eHealth programmes have much ground to cover to erect bigger barriers to deter cyber-attacks. eHNA has posted numerous times on the topic, and one theme, regular users’ training, emerges as an essential requirement. The posts are tagged “Cyber-security” to help you access them.

Osterman Research has published Best Practices for Dealing With Phishing and Ransomware, a white paper with seven core themes:

  1. Phishing and ransomware are increasing at several hundred percent per quarter, a trend set for at least the next two years
  2. Most organisations have been victims of phishing, ransomware and other cyber-security attacks during the past year
  3. Security spending will increase significantly in 2017 as organisations realise they need to protect
  4. Most organizations are not seeing improved security from their security practices, and those that are effective, most are not improving over time, often because internal staff may not have the expertise to keep up
  5. Only 40% of cyber-security solutions and practices are considered excellent
  6. Security awareness training is crucial to improve and protect organisations against phishing and ransomware because well trained employees are more likely to prevent breaches
  7. There are numerous best practices to follow to minimise becoming victims of phishing and ransomware, the best being security awareness training, deploying systems that detect and eliminate phishing and ransomware attempts and look for and remedy security vulnerabilities.

An Osterman survey found:

Problem

Prevalence %

email phishing attack successful in infiltrating a network

34

One or more endpoints had files encrypted by al ransomware attack

30

Malware infiltrated a network, but can’t identify the entry channel

29

Sensitive information accidentally or maliciously leaked by email

17

email spearphishing attack infected one or more senior executives’ data

14

Network infiltrated by a drive-by attack from employee Web surfing

12

email as part of a CEO fraud or business email compromise attack

11

Sensitive information accidentally or maliciously leaked from a cloud tool

  5

Sensitive information accidentally or maliciously leaked from social media

  3

Not sure how sensitive information  was accidentally or maliciously leaked

  1

Other

27




















If greater cyber-security awareness is needed, these survey results reveal the need. Africa’s eHealth has an opportunity to run its cyber-security measures in alongside its new eHealth investment and minimise the damage.




Lessons learned are a crucial part of dealing with a cyber-attack. Africa’s eHealth can learn from Yahoo’s second successful cyber-attack in three months.

After an attack in September, Yahoo’s been attacked again. This time, more than a billion accounts are compromised. The Guardian in the UK reports it as the biggest cyber-crime haul so far. A statement from Yahoo says it’s taken steps to secure the accounts and is working closely with law enforcement agencies.

It was law enforcers who alerted Yahoo that a third party claimed its data files were Yahoo’s user data. It was. So far, the way in hasn’t been identified.

The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords using MD5 and some encrypted and unencrypted security questions and answers.

Techtarget, a security service, says the MD5 algorithm’s used to verify data integrity with a 128-bit message digest from data input. It’s claimed to be unique to that specific data, and used with digital signature applications that need large files compressed securely before encryption with a secret key, under a public key cryptosystem. MD5 is an Internet Engineering Task Force (IETF) standard. Passwords in clear text, payment card data and bank account details weren’t stolen.

A possible way in was by an unauthorised third party accessing Yahoo’s proprietary code to learn how to forge cookies. They used them to access users’ accounts without a password. Yahoo’s identified similarities of this activity to the same state-sponsored actor believed to be responsible for the previous breach.

The company’s notified potentially affected users and taken steps to secure their accounts. It includes the usual requirement to for users to change their passwords. Yahoo’s unencrypted security questions and answers so they can’t be used to access accounts, invalidated forged cookies and improves security to guard against similar attacks.

Users are directed to Yahoo’s Safety Center for advice. It includes:

  1. Change passwords, security questions and answers for any other accounts using  the same or similar information used for Yahoo accounts
  2. Review all accounts for suspicious activity
  3. Be cautious of unsolicited communications asking for your personal information or opening a web page asking for personal information
  4. Don’t click on links or downloading attachments from suspicious emails
  5. Consider using Yahoo Account Key, an authentication tool that eliminates the need to use a password on Yahoo.

Perhaps the most important lessons for Africa’s eHealth include:

  1. Be aware of as many of the ingenious ways that cyber-criminals can use
  2. After a cyber-breach, complete a comprehensive review of cyber-security looking for vulnerabilities that cyber-criminals can use
  3. Increase cyber-security vigilance by improving overall cyber-security
  4. Make cyber-security a top priority in eHealth projects because risks are rising
  5. Allocate as many sustainable resources as possible to cyber-security.