• Cyber-security
  • Cyber-threats keep evolving

    Cyber-criminals have sent millions of fraudulent emails as crude, random attacks, hoping to trick people to reveal their personal or financial information. As organisations and people worked out how not to respond, cyber-criminals began switching to bespoke targeted attacks. These use advance reconnaissance, research and testing, using use specialised knowledge and details about targets to try by-pass defences and penetrate organisations’ networks. They’re more lucrative than random cyber-attacks.

    Trend Micro, a global cyber-security firm, has published a white paper available through Health IT SecurityNavigating the evolving threat landscape with a more complete approach to network security deals with:

    • How targeted attacks change network security landscapes
    • Responding to increasingly complex threats
    • A cross-generational approach to network security
    • Security fuelled by market-leading global threat intelligence
    • Detection techniques comprising a smart network defence
    • Integration with other security solutions
    • Seamless threat intelligence sharing
    • Centralised visibility and control.

    Its findings from 264 organisations are alarming:

    • 80% had experienced a network-based attack or exploit
    • 90% had active command and control activity on their network
    • 65% had been infected by zero-day or unknown malware
    • 17% were being actively breached.

    Zero-day vulnerability is an important concept in cyber-security. It’s an undisclosed software vulnerability that cyber-criminals and other hackers can exploit to disrupt computer programs, data, additional computers and networks.

    An effective response, Trend Micro says, has to be “smart, optimized and connected.” Part of this is sophisticated cyber-security tools that operate alongside existing platforms and applications. Rigorous integration and interoperability ensures a stronger defence. These other technologies include:

    • Security Information and Event Management (SIEM)
    • Vulnerability assessment and management
    • Application security
    • Next-generation firewalls
    • Breach detection
    • Visibility and enforcement of Transport Layer Security (SSL), derived from Secure Sockets Layer and including encryption
    • Software-defined networking and the cloud
    • Network Packet Brokers (NPB) that optimise incident analyses by enabling ICT and security services to acquire situational awareness and security intelligence about intrusion and extrusion incidents, enabling faster incident responses
    • Incident response automation.

    Africa’s health systems should consider enhanced cyber-security as part of their eHealth strategies. It’s affordability can measured against the estimated costs of cyber-security breaches.

  • Better personal cyber-security with these tips

    It’s important that Africa’s health workers are cyber-security conscious. Good practices in their personal cyber-security, such as protecting their identity from theft, can help to improve their cyber-security practices at work.

    Using social media provides opportunities for cyber-criminals to steal personal identities. An article in the UK’s Guardian newspaper offers some tips. Holly Brockwell, a freelance technology journalist and editor of Gadgette, an online magazine offers five tips to minimise the risks. These are essential when some companies use weak security protocols.

    1.     Don’t play social media games because a notorious information security hole is the secret question and answer checks that offer weak security, with answers often in the public domain on social network sites, so often used to access open people’s accounts and can be accidentally provided by playing social network games

    2.     Don’t take dodgy online quizzes, they can ask for information that can provide access to personal accounts, so check trustworthiness by reviewing URLs, internet addresses, that quizzes came from, and if it’s not a recognised, reputable name, don’t do it, but, malicious sites can disguise their addresses, so it may best not to do any quizzes.

    3.     Don’t accept friend requests from strangers, because it provides them with access to historic and future status updates, so set security settings and all previous posts to friends only

    4.     Delete old posts every day

    5.     Use a password manager to help have unique passwords for personal accounts

    6.     Turn on two-factor authentication, such as having a unique passcode sent to a mobile phone, but mobile’s can be hacked to steal codes, so consider an authenticator app such as Google Authenticator, reviewed by Make Tech Easier

    7.     Don’t be anxious about applying effective cyber-security measures.

  • Bitpaymer’s offspring disrupts hospitals

    A variant of Bitpaymer ransomware’s been breaching hospital’s ICT. It’s been in Scotland’s Lanarkshire Trust, previously breached earlier this year by WannaCry, reported on eHNA. Some operations were cancelled, GPs’ work disrupted and patients asked to attend Accident and Emergency only if their needs were essential. ZDNet has a report saying systems were taken offline. Perpetrators say they’ve gathered "private sensitive data."

    Unlike most hacks that prefer to be covert, ransomware makes contact with users to ask for a ransom in return for a decryption key. The ransom request was very high, some 50 bitcoins, about £168,000, US$218,000. Failure to pay may result in the cyber-crooks sharing data they’ve acquired.

    ZDNet has short ransomware guide. Ransomware: An executive guide to one of the biggest menaces on the web. Other guides are Remove All Threats has a guide on removing Bitpaymer. Protect PC Health has a guide too. Both are for PCs.

  • A cyber-security guide addresses healthcare’s increasing vulnerability

    Healthcare’s data’s attractive to cyber-criminals. Protecting it from criminals and general misuse’s essential because it’s highly sensitive, identifiable information. These are two core themes from a white paper from Osterman Research. It helps Africa’s health systems to move their cyber-security initiatives on, 

    Sponsored by Quest, an ICT firm, Protecting Data in the healthcare Industry goes on to identify the types of threats and their subsequent impacts. It succinctly summarises regulatory requirement from the US, UK, the EU and Australia. These provide helpful insights for Africa’s health systems in developing their eHealth regulations. These need supplementing with actions that deal with numerous increasing trends, including:

    • Healthcare professionals are increasingly using cloud solutions
    • Increasing prevalence of phishing and ransomware, with 72% of healthcare’s malware incidents being ransomware attacks, and 88% of all ransomware attacks during April to June 2016 were on healthcare
    • Data breaches are common, with  healthcare attacks up by 35% since 2015
    • Disruptions undermine the reputation and value of affected organisations
    • Healthcare’s systematically underinvested in cyber-security
    • Health workers face a growing array of communication and collaboration tools and trust them as secure and reliable, but they’re not
    • Healthcare professionals are directly vulnerable too.

    Best practices for cyber security defences include:

    • Taking cyber-security risks seriously
    • Build cyber-threat awareness
    • Develop cyber- security strategies
    • Establish thorough and detailed cyber-security policies
    • Enable encryption at every point
    • Use threat intelligence to enhance cyber-security
    • Test cyber-attack recovery plans
    • Invest in cyber-security awareness training
    • Govern user behaviour for tools, devices and repositories
    • Tighten password policies and account access
    • Have effective cyber-security defences, including

    o   Backups of core data, especially offline

    o   Next-generation firewalls that provide deeper analysis and remediation of active threats

    o   Endpoint security technologies

    o   Robust perimeter defences.

    Total security’s isn’t the goal. Cyber-criminals can often be one step ahead, such as with WannaCray and NotPetya. The objective’s to mitigate and minimise the risk. It’s important that Africa’s health systems keep this focus, making them less attractive targets for cyber-criminals.

  • Kenya’s mHealth standards set SMS and ePrescribing practices

    Using SMS for health and healthcare’s an expanding initiative in Africa. Kenya’s Ministry of Health has set out a rigorous set of standards for it, and ePrescribing, in Kenya Standards and Guidelines for mHealth Systems. 

    As an effective communication tool for health in low-income countries, SMS need regulation and cyber-security standards that minimise the risk of privacy and confidentiality breaches. This extends across several activities. Kenya’s standards include:

    • Risks of Personal Health Information (PHI) in SMSs
    • Standards for text messages, including device selections, risk assessments, development practices and training
    • PHI security guidelines
    • Risk management strategy, including password confidentiality and encryption.

    Standards for telephone and eConusltations deal with devices such as Interactive Voice and Video and Response (IVVR), mobile phones, teleconferencing, Voice over Internet Protocol (VoIP. It includes SMSs too. The themes are:

    • Good medical practices, duties and responsibilities
    • Guidelines for using eHealth and ICT to provide healthcare
    • What to do in emergency situations. 

    ePrescribing extends from completing prescriptions, through delivery to pharmcists and on to dispensing to patients. Its goals include better quality healthcare, patient safety, accuracy and continuing care. The standards deal with:

    • How to use ePrescribing, including patient choice
    • Authenticating ePrescriptions
    • Delivering ePrescribed drugs and medications and the role of pharmacists
    • ePrescribing data sets that include:

    o   Minimum patient demographics

    o   Prescription identifiers

    o   Product identification.

    While addressing current eHealth requirements, these standards lay a foundation for eHealth’s future scale and direction. It’s an opportunity to move eHealth regulation closer to project implementations, especially for ePrescribing.

  • Call for Papers - six days to go

    Sharing eHealth experiences and research finding’s essential to progress. These are the main goals of the Health Informatics South Africa (HISA) Call for Papers (CfP) for its conference at eHealthAFRO 2017 on 2 to 4 October 2017 in Johannesburg. It’s hosted by the South African Health Informatics Association (SAHIA). The CfP has four topics. They are:

    • eHealth Strategy, governance and regulation
    • eHealth impact through routine health information
    • Cyber-security related to eHealth applications
    • eHealth systems related to public health and surveillance. 

    Papers on other relevant eHealth topics may be considered. Will extra papers include health informatics developments and research on eHealth futures, such as AI and health analytics?

    The timetable is: 

    • Full papers submitted to South African Computer Journal (SACJ), complying with SACJ’s submission guidelines, by Monday 28 August 2017    
    • Notification of paper acceptance on Friday, 15 September 2017
    • Final author registration by Friday, 22 September 2017
    • Final paper due Friday, 29 September.

    A special SACJ edition will published presented papers. They’ll comply with SACJ’s editorial process, so at the end of the submission form, comments to the editor should include “HISA Conference paper.”

    eHealthAFRO 2017 brings together researchers and practitioners active in health informatics. At least one author should register for eHealthAFRO and present the paper at the HISA Conference for the paper to be eligible for SACJ publication. SACJ charges ZAR6,000 for publication costs for accepted papers, but authors with no funding can apply for this to be waived.

    Prof Nicky Mostert-Phipps is the contact for submissions. She is a software development lecturer at the Nelson Mandela Metropolitan University Faculty of Engineering’s Built Environment and Information Technology, and can provide more information about HISA’s conference and preparing and submitting papers.

  • Choosing cyber-security services needs a methodology

    As the fight against ransomware hots up with WannaCry and Notpetya expanding the terms of engagement, it’s essential that Africa’s health systems are structured in adding to their cyber-security measures. A white paper from Imperva, a cyber security firm, sets out seven steps needed to choose an effective data-centric audit and cyber-security solution.

    Seven Keys to a Secure Data Solution proposes that the focus should shift to Data-Centric Audit and Protection (DCAP) instead of relying on tools and methods with several disconnected pockets of coverage. Choosing a solution has to navigate the wide range of services and a rigorous evaluation processes. Seven steps are needed: 

    1.     Seeking faster times to achieving value

    2.     More flexibility and adaptability

    3.     More functional breadth and depth

    4.     Increased scalability and predictable planning

    5.     Constant real-time visibility and blocking

    6.     Lower Total Cost of Ownership (TCO)

    7.     Increased focus and responsiveness.

     The approach becomes increasingly relevant as healthcare organisations move beyond using database tools and other narrow products as a cyber-security foundation and governance infrastructure. Instead, effective and efficient DCAP solutions are needed that combine extensive data security and audit functionality with a capability to eliminate the need for disparate management silos and inconsistencies. They achieve this by co-ordinating policies across types of data stores.

    It seems inevitable the growth, reach and brutality of cyber-crime needs a stiffer eHealth resolve. Assessing and applying new cyber-security techniques should now be routine part of eHealth services.

  • UK’s NHS made illegal patient data transfer to Google’s DeepMind

    As eHealth expands its reach, and Artificial Intelligence (AI) becomes routine, benefits will increasingly depend on health systems handing over their patient data to specialist companies. It seems inevitable, but it might not always be legal. The UK’s NHS found that it wasn’t.

    An article in the UK’s Guardian says the Royal Free London NHS Trust, based in London, broke the law in November 2015 when it transferred 1.6m patient-identifiable records to DeepMind, the AI outfit owned by Google. It was part of a project where DeepMind’s built Streams, an app that provides clinical alerts about kidney injury. It needed the data for testing.

    The ruling says by transferring the data and using it for app testing, the Royal Free breached four data protection principles and patient confidentiality under common law. It sees the transfer as not fair, transparent, lawful, necessary or proportionate. Patients wouldn’t have expected it, they weren’t told about it, and their information rights weren’t available to them. 

    The UK’s Information Commissioner agreed. Its view’s that the core issue wasn’t the innovation. It was the inappropriate legal basis for sharing data which DeepMind could use to identify all the patients. A better way’s to keep the data in the health system and interface with apps such as Streams only when a clinical need arises. 

    Two issues are important. One’s dealing with an apparent data-grab of millions of patient records by a global organisation. The other’s the way the NHS seems keen to embed a global company into its routing working. Both need regulating and protection of patients’ rights and interests. 

    These offer insights for Africa’s health systems to deal constructively with external eHealth and AI firms. The relationships are already on a trajectory. A lesson from the NHS and DeepMind project’s essential that Africa avoids being dragged along its wake. There’s still time to do it.

  • mHealth’s MDCS needs better cyber-security

    While mHealth’s been successful in developing countries, many initiatives fail to address security and privacy issues. Leonardo Iwaya’s at Karlstad University’s Faculty of Health, Science and Technology. His thesis, Secure and Privacy-aware Data Collection and Processing in Mobile Health Systems, starts from this perspective and describes solution. 

    He sets a context where mHealth often operates in a setting of no specific legislation for privacy and data protection in developing countries. Africa’s health systems exhibit equivalent limitations. His work has several components:

    • A comprehensive literature review of Brazil’s mHealth
    • Design of a security framework, SecourHealth, for Mobile Data Collection Systems (MDCS)
    • Design of a MDCS to improve public health using geographic Information (GeoHealth)
    • Design of Privacy Impact Assessment (PIA) template for MDCS
    • Study of ontology-based obfuscation and anonymisation functions for health data. 

    These offer Africa’s health systems a route into Information security and privacy that are paramount for high quality healthcare. They also protect healthcare professionals and other workers by creating a secure and explicit working environment for their clinical and working practices.

    Iwaya’s objective’s to enhance knowledge of the design of mHealth’s security and privacy technologies, especially the MDCS. These extend across data collection, reporting and replacing paper-based approaches for health surveys and surveillance. It’s a good place to start from to improve mHealth’s general and cyber-security.

  • Cyber-security training must be effective

    Now Africa has its own cyber-security advice, reported on eHNA, it’s important that health systems have effective training in place. The Internet Infrastructure Security Guidelines for Africa was unveiled by the Internet Society and the African Union Commission (AUC) at the African Internet Summit, in Nairobi. It has awareness as one of four core principles that have to be deployed. 

    A report from Enterprise Management Associates says cyber-security awareness programmes have a lot to learn. Already reported by eHNA, it says training that achieve better cyber-security awareness:

    • Involves interactive elements
    • Is continuous, with regular follow-ups
    • Simulates real-life attacks
    • Monitors users’ effectiveness.

    These are four criteria that Africa’s health system can adopt in applying this part of the AUC’s good practices.