• Cyber-security
  • How to deal with ransomware

    One perspective on eHealth cyber-security is the challenge of coping with changes in government regulations, a revolution in medical device and mobile technology expanding at about 20% a year, and healthcare transformation. In its eBook Ransomware: What every healthcare organization needs to know, Cisco sees this as a “Perfect storm of complexity and vulnerability” for information security.

    Cisco Umbrella is a cyber-security platform for the cloud. Supporting advice in the eBook covers:

    • What is ransomware?
    • How prevalent is the threat?
    • Why healthcare?
    • How does infection happen?
    • How does an attack work?
    • How to protect organisations?
    • The first line of defence.

    It sets out four main causes of infections:

    • Phishing emails
    • Compromised web sites
    • Malvertising
    • Free software downloads.

    Cyber-attacks come from two sources, email and web sites. Clicking on an illicit link in an email or visiting a compromised or malvertising web site can trigger a sequence of events:

    • Launching a download and installation of an exploit kit
    • The exploit kit identifies vulnerabilities in users’ systems and sends these back to the malicious infrastructure
    • Installing a targeted payload on users’ devices that can exploit the vulnerabilities
    • Calling back to retrieve private malicious encryption keys that encrypt data
    • Notifying users that a ransom payment will release the encryption key.

    Stopping ransomware attacks needs a set of actions to:

    • Monitor global cyber-criminal activities for insight into where hackers are staging infrastructure for future attacks
    • Protect patient devices, medical IoT endpoints, Protected Health Information (PHI) and Personally Identifiable Information (PII) data systems, including ones that don’t support agents
    • Discover and block likely malicious domains and Internet Protocol (IP) addresses
    • Feed contextual threat intelligence into security management or incident response environments to identify which incidents need attention
    • Know how unmanaged mobile and IoT devices connect to networks to prevent patient data exfiltration.

    After a cyber-attack, assess what happened by:

    • Identifying the root cause
    • Developing a proactive cyber-security plan that leverages a multi-layer defence
    • Using predictive intelligence to understand how and where attacks are staged on the Internet
    • Internally segmenting networks to contain a breach
    • Restoring data from backups
    • Educating employees about security best practices
    • Deploying first-line defences that stop opportunities for lateral movement of ransomware in networks, eliminate its propagation and reduce the time cyber-attacks have to operate in networks.

    Cisco’s eBook adds to Africa’s eHealth knowledge. It’s an essential document for its cyber-security library.

  • Does spambot Onliner have your email address?

    It’s described as the largest spambot. ZDNet has a report about the finding by Benkow, a cyber-security researcher in Paris, who discovered an open and accessible web server hosted in the Netherlands which stores dozens of text files. They contain a batch of 711 million email addresses and passwords, server login information, and details of 80 million email servers used to send spam. The credentials came from other data breaches, such as the LinkedIn and Badoo hacks.

    The malevolent goal is to send email spam through legitimate servers to defeat many spam filters. Onliner delivers Ursnif banking malware into inboxes globally. Ursnif is a Trojan. It steals data such as login details, passwords and credit card data. A spammer sends a dropper file as a normal-looking email attachment. When it’s opened, the malware downloads from a server and infects the machine. Spamming is still an effective way to deliver malware, but email filters are becoming smarter, with many spamming domains blacklisted.

    There have been over 100,000 unique infections up to the end of August 2017. Cyber-attackers need large lists of Simple Mail Transfer Protocol (SMTP) credentials that authenticate them so they can send bogus, legitimate-looking emails that bypass spam filters. The more servers they find, the bigger the campaign.

    When bogus emails are opened, they send back to the cyber-crooks the IP address and user-agent information used to identify the type of computer, operating system and other information about the devices. Cyber-attackers use this to identify who to target with Ursnif. They specifically target Windows computers. iPhone or Android users aren’t affected by the malware.

    Focused hacking instead of scatter bombing reduces the malevolent campaign’s cyber-noise. It can help to slow down responses from law enforcement agencies. 

    Benkow’s discovery re-emphasises the need for Africa’s eHealth programmes to train, then train again and again, health workers in cyber-security. It’s an essential component of the constant cyber-security response.

  • How to construct the perfect password

    Passwords are personal, secret, vital and too complicated to be guessed. That’s the theory. It seems that expert advice hasn’t complied with the complicated part. A report from the US Joint Task Force Transformation Initiative, Appendix A, set out password practices. In an article in the Wall Street Journal (WSJ), Bill Burr, the report’s author and a former National Institute of Standards and Technology (NIST) manager, says his advice wasn’t right.

    The original report in 2003 was NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. It has been updated regularly, and its proposed password management included:

    • Changing passwords every 90 days
    • Adding capital letters, numbers and symbols to words, such as password becoming Pa55?w0rd.

    He now says passwords shouldn’t be changed frequently because people often make only small modifications, such as Pa55?w0rd to Pa55!w0rd. These changes weaken passwords when the intention’s to strengthen them.

    A report by the BBC says a better method is a random string of words, such as "pig coffee wandered black." It takes cracking software longer to break such a phrase than to find Pa55!w0rd by guessing.
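    The comparison above can be made concrete. The following Python is an added example, not code from the BBC, WSJ or NIST material the item summarises. It generates a random multi-word passphrase with a cryptographically secure random source, estimates the search space of a passphrase against that of a mangled word such as Pa55?w0rd, and checks whether a "new" password is only a trivial edit of the old one, the pattern the item says weakens passwords. The word list is a constructed 16-word sample; the 7776-word list size is the size of a Diceware list, and the 100,000-word dictionary with 1,000 mangling rules is an illustrative assumption about how a cracker searches, not a figure from the page.

```python
import math
import secrets

# Constructed sample word list. A real generator should draw from a large list
# (a Diceware list has 7776 words) so each word adds about 12.9 bits of entropy.
WORDLIST = [
    "pig", "coffee", "wandered", "black", "river", "lantern", "orbit", "velvet",
    "maple", "granite", "sparrow", "harbour", "copper", "meadow", "saddle", "thunder",
]


def generate_passphrase(words, n_words=4, choose=secrets.choice):
    """Join n_words picked uniformly at random; secrets.choice is a CSPRNG."""
    return " ".join(choose(words) for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """True entropy of n_words drawn uniformly from list_size words: n * log2(size)."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(password):
    """The naive 'complexity policy' estimate: length * log2(alphabet size),
    counting a character class as part of the alphabet if any character uses it.
    This overstates strength for passwords built from a dictionary word."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: not c.isalnum(), 33),  # printable ASCII punctuation and space
    ]
    size = sum(n for present, n in classes if any(present(c) for c in password))
    return len(password) * math.log2(size) if size else 0.0


def mangled_word_bits(dictionary_size, rule_variants):
    """Realistic search space for 'dictionary word + substitutions/suffix':
    a cracker tries every word under every mangling rule, so log2(words * rules).
    Both arguments are assumptions chosen by the caller."""
    return math.log2(dictionary_size * rule_variants)


def is_trivial_change(old, new, max_edits=1):
    """True when new differs from old by at most max_edits substitutions, or only
    by characters appended or removed at the end (Pa55?w0rd -> Pa55!w0rd).
    A password-change handler has both plaintexts at change time, so it can
    reject such rotations instead of forcing a 90-day change that invites them."""
    if len(old) == len(new):
        return sum(a != b for a, b in zip(old, new)) <= max_edits
    shorter, longer = sorted((old, new), key=len)
    return longer.startswith(shorter) and len(longer) - len(shorter) <= max_edits


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDLIST))
    print("4 Diceware words: %.1f bits" % passphrase_entropy_bits(7776, 4))
    print("Pa55?w0rd by charset: %.1f bits" % charset_entropy_bits("Pa55?w0rd"))
    print("Pa55?w0rd by dictionary+rules: %.1f bits" % mangled_word_bits(100_000, 1000))
    print("trivial rotation:", is_trivial_change("Pa55?w0rd", "Pa55!w0rd"))
```

    The point the numbers make: a complexity policy credits Pa55?w0rd with roughly 59 bits, but a dictionary attack with mangling rules covers it in a search space of under 27 bits, while four random Diceware words give about 52 bits of real entropy despite using only lower-case letters.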

    Africa’s eHealth programmes and users can adopt this updated advice. They should also follow research on cyber-security practices. Complying with evidence-based actions is always best.

  • Are WAFs part of your cyber-security toolkit?

    As websites’ role in health and healthcare expands across Africa, the need for cyber-security increases too. Web Application Firewall (WAF) services are part of the solution. WAFs are deployed in front of web servers to protect web applications against cyber-attacks, monitor and control access to web applications, and collect access logs for compliance, audits and analytics. Gartner has assessed and classified suppliers in its report Magic Quadrant for Web Application Firewalls.

    The matrix measures ability to execute and completeness of vision. It classifies suppliers as challengers, leaders, niche players or visionaries. Three suppliers are in the leader segment. Imperva is the most visionary. F5 scores top ratings for ability to execute. Akamai is behind these two.

    Vision and execution are important for WAF suppliers as demand trends towards cloud-based WAF service platforms that combine Content Delivery Network (CDN) services with protection against Distributed Denial of Service (DDoS) attacks and bots. Their use is expected to rise from 20% to 50% by 2020, and these suppliers sit in the same quadrant.

    Suppliers were assessed against a wide range of criteria. They provide a basis for Africa’s health systems to evaluate suppliers in their procurements. They are:

    WAF’s capabilities in:

    • Maximising detection and catch rate for known and unknown threats
    • Minimising false positives and alerts
    • Adapting to evolving web applications
    • Ensuring broad adoption through ease of use and minimal performance impact
    • Automating incident response workflows for cyber-security analysts
    • Protecting public and internal facing web applications and Application Program Interfaces (API)
    • Features and innovations to improve web application security beyond conventional network firewalls and Intrusion Prevention Systems (IPS).

    Gartner has provided its research results for enterprise cyber-security teams to use as part of their evaluation of how WAFs’ benefits can improve cyber-security. It offers Africa’s health systems a valuable template for their cyber-security endeavours.

  • An EU regulation and cyber-security checklist can help Africa’s eHealth

    The EU’s noted for its long documents. At over 200 pages, the General Data Protection Regulation (GDPR), (EU) 2016/679, will apply from May 2018. It consolidates and replaces existing data protection regulations, and may change the way businesses handle and store data. A core goal is to strengthen security and privacy protection for individuals. A white paper from AlienVault sets out a nine-point checklist. GDPR Compliance Checklist: A 9 step Guide can help Africa’s cyber-security and regulations too.

    The nine steps are:

    • Implement a Security Information and Event Management (SIEM) tool with log management capabilities that adhere to compliance requirements
    • Create an inventory of all critical assets that store or process sensitive data to allow for more stringent controls to be applied
    • Undertake vulnerability scanning to identify where weaknesses exist that could be exploited
    • Conduct risk assessments and apply threat models relevant to your business
    • Regularly test to gain assurance that security controls are working as designed
    • Put in place threat detection controls to reliably inform you in a timely manner when a breach has occurred
    • Monitor network and user behaviour to identify and investigate security incidents rapidly
    • Have a documented and practised incident response plan
    • Have a communication plan in place to notify relevant parties.

    Each of these has a schedule of activities. With cyber-security a prominent feature and priority at eHealthAFRO 2017, AlienVault’s checklist offers a constructive approach for Africa’s eHealth. It’s a prime example of Africa learning from other countries’ experiences and initiatives.

  • Do these 7 steps help you defend against cyber-security breaches?

    Cyber-security breaches are inevitable. Maximising cyber-security can minimise them, but can’t eliminate the risk entirely, so effective responses are essential. 7 Ways to Improve Your Security Incident Response, a white paper from Rsam, which specialises in governance, risk and compliance, aims to help. A summary is:

    • Integrate with Security Information and Event Management (SIEM) products, services, technology and teams that provide real-time analyses of security alerts generated by network hardware and applications, and ensure the right data reaches the incident response team promptly
    • Prioritise incidents using SIEMs and end users, and inform decision-makers by highlighting incidents in dashboards derived from calculated values such as priority or severity
    • Leverage threat and vulnerability data from a central repository of security operations, including threats, vulnerabilities, incidents, patch management, asset management and other data sources, and provide incident handlers with real-time views
    • Standardise playbooks and configure automated dynamic rules to address unique handling requirements and criteria, to help avoid mistakes in high-stress situations
    • Automate responses for repeatable, measurable and auditable response tasks
    • Enable collaboration so everyone working on an incident has a single view of activities
    • Share real-time dashboards to leverage incident and event data.

    These can help to avoid four causes of inappropriate responses:

    • Lack of process maturity
    • Poor data quality and availability
    • Unsatisfactory toolsets
    • Changing policies and disparate teams.

    The seven steps comprise a platform that can overcome these limitations. They offer Africa’s eHealth programmes a way to step up their responses to cyber-security breaches.

    -------------------------------------

    Are you interested in reading more about the implications for African health systems? Download Acfee's paper on Cyber-security: themes for Africa's eHealth.

  • All-Wi-Fi standard has a cyber-security vulnerability

    A serious weakness has been found in Wi-Fi networks. Mathy Vanhoef of imec-DistriNet at KU Leuven found it. The paper on Krackattacks says WPA2, a security protocol, can be exploited by cyber-criminals within victims’ range using key reinstallation attacks (KRACK). Once in, they can read information assumed to be encrypted, and steal sensitive information such as credit card numbers, passwords, chat messages, emails and photos.

    Attacks succeed against all modern protected Wi-Fi networks. Depending on the network configuration, data can be injected and manipulated. Ransomware and other malware could find their way into websites.

    The weaknesses are in the Wi-Fi standard itself, not in individual products or implementations. Any correct WPA2 implementation is likely to be affected. Prevention needs users to update affected products when security updates are available. If a device supports Wi-Fi, it’s probably affected.

    Vanhoef’s initial research found that Android, Linux, Apple, Windows, OpenBSD, MediaTek and Linksys are affected by variants of the attacks. A proof-of-concept executed a key reinstallation attack against an Android smartphone. The key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher, which can be tricked into reinstalling an all-zero encryption key, so attackers could easily decrypt all data transmitted by those victims.

    Against other devices it is harder to decrypt all packets, but large numbers of packets can still be decrypted. A demonstration in Vanhoef’s paper shows the type of information that a cyber-attacker can access using key reinstallation attacks.
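    Why reinstalling a key exposes "encrypted" traffic, and why the all-zero key case is worse, can be shown without any Wi-Fi hardware. The Python below is an added example, not code from Vanhoef’s paper or any WPA2 implementation. It models the one property that matters: each packet is encrypted with a keystream derived from the session key and a packet-number counter, and installing a key resets that counter. The keystream here is a toy SHA-256 counter construction standing in for AES-CCM, the session key, packet contents and patched behaviour are constructed for the demonstration, and the mitigation modelled is simply "do not reinstall a key that is already in use".

```python
import hashlib


def toy_keystream(key, nonce, length):
    """Toy counter-mode keystream: SHA-256(key || nonce || block) blocks.

    Constructed stand-in for the AES-CCM keystream that WPA2 (CCMP) derives
    from the session key and packet number. The lesson below depends only on
    the keystream being a deterministic function of (key, nonce).
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Session:
    """One side of a WPA2-style session: a key plus a packet-number counter
    that serves as the per-packet nonce."""

    def __init__(self, key, patched=False):
        self.key = None
        self.nonce = 0
        self.patched = patched
        self.install_key(key)

    def install_key(self, key):
        if self.patched and key == self.key:
            # Mitigation: ignore a request to install the key already in use,
            # so the packet counter is never rewound.
            return
        self.key = key
        self.nonce = 0  # the counter reset that makes reinstallation dangerous

    def encrypt(self, plaintext):
        keystream = toy_keystream(self.key, self.nonce, len(plaintext))
        self.nonce += 1
        return xor_bytes(plaintext, keystream)


# Constructed sample packets and key (same-length packets for clarity).
PACKET_1 = b"GET /patient/42 HTTP/1.1"
PACKET_2 = b"Authorization: secret123"
SESSION_KEY = b"constructed-session-key-32-bytes"


def simulate(reinstall, patched=False):
    """Encrypt PACKET_1, optionally reinstall the same key, encrypt PACKET_2."""
    session = Session(SESSION_KEY, patched=patched)
    c1 = session.encrypt(PACKET_1)
    if reinstall:
        session.install_key(SESSION_KEY)
    c2 = session.encrypt(PACKET_2)
    return c1, c2


def recover_with_known_plaintext(c1, c2, known_p1):
    """If c1 and c2 were made with the same keystream, c1 ^ c2 == p1 ^ p2,
    so p2 = c1 ^ c2 ^ p1. No key is needed, only one known plaintext."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def decrypt_with_known_key(ciphertext, key, nonce):
    """With a predictable key (the all-zero key on affected Linux/Android
    clients) anyone can regenerate the keystream; no known plaintext needed."""
    return xor_bytes(ciphertext, toy_keystream(key, nonce, len(ciphertext)))


def zero_key_case():
    """Client tricked into installing the all-zero key, then sending PACKET_2."""
    session = Session(SESSION_KEY)
    session.install_key(bytes(32))
    return decrypt_with_known_key(session.encrypt(PACKET_2), bytes(32), 0)


if __name__ == "__main__":
    for reinstall, patched in ((False, False), (True, False), (True, True)):
        c1, c2 = simulate(reinstall, patched)
        leaked = recover_with_known_plaintext(c1, c2, PACKET_1) == PACKET_2
        print(f"reinstall={reinstall} patched={patched} second packet leaked={leaked}")
    print("all-zero key recovers:", zero_key_case())
```

    The three runs show the normal case (nothing recovered), the unpatched reinstallation (the second packet falls out from one known plaintext) and the patched client (counter not rewound, nothing recovered); the all-zero key case needs no known plaintext at all, which is why the item calls it devastating and why the fix is a vendor patch rather than a configuration change.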

    Africa’s eHealth programmes need to seek and install patches and updates from their vendors. The findings show, yet again, a cyber-world full of holes, many of which may still be unidentified. Constant vigilance is essential. As participants at Acfee’s recent eHealthAFRO 2017 said, cyber-security is everyone’s business.  

  • Most medics share passwords. Do you?

    A cornerstone of cyber-security is rigorous password management. It seems it’s not very rigorous. A US study, Prevalence of Sharing Access Credentials in Electronic Medical Records in Health Informatics Research (HIR), found that almost three-quarters (74%) of medical professionals have used a colleague’s password to access EMRs. It’s partly a failing of access authorisation.

    Within this group, 100% of medical residents say they’ve done it. About 83% of interns and 77% of students said they used someone else’s password because they were not given a user account. About 57% of nurses say they’ve done it. 

    The average number of times that each person shared passwords was 4.75.  While this is alarming, many of the reasons for the practices reveal password regimes that don’t match medical professionals’ roles in patient care.  

    There are two big causes of the practice. One is where passwords are not assigned to professionals who need them. The other is where access authorisation is insufficient for professionals to fulfil their roles. It also seems that access authorisation may not be extensive enough, with some professionals having no passwords at all.

    The study concluded that password use is doomed because medical staff share their passwords. It suggests that strict regulations requiring each professional to have a unique user ID may themselves lead to password sharing, and so to reduced data safety.

    Another perspective may be that eHealth’s access control needs overhauling to match professionals’ working practices more closely. Three recommendations from the study for healthcare organisations are:

    • Make it easier and less time-consuming to obtain access credentials
    • Delegate administrative tasks and extend EMR access to paramedical and junior staff, interns and students in understaffed hospitals, especially during on-call hours
    • Allow maximum privileges for one-time use only, so junior staff can access records under urgent, lifesaving conditions without having to use someone else’s password.
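    The third recommendation is often called break-glass access, and its value depends on the details: the grant must be tied to one user and one record, expire quickly, work once, require a recorded reason, and leave an audit trail for later review. The Python below is an added example of such a control, not the study’s code or any EMR product’s API. The user and patient identifiers, the five-minute lifetime and the audit format are constructed assumptions for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    token: str
    user: str
    patient_id: str
    reason: str
    expires_at: float
    used: bool = False


class BreakGlass:
    """Single-use, time-limited emergency access to one patient record.

    Every request, use and denial is appended to an audit log so that the
    emergency path is reviewable afterwards instead of being a shared password
    that nobody can attribute. Constructed example; not a real EMR interface.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.grants = {}
        self.audit = []  # (timestamp, event, user, patient_id, detail)

    def _log(self, event, user, patient_id, detail=""):
        self.audit.append((self.clock(), event, user, patient_id, detail))

    def request(self, user, patient_id, reason):
        """Issue a grant under the requester's own identity; a reason is mandatory."""
        if not reason or not reason.strip():
            self._log("denied", user, patient_id, "no justification recorded")
            return None
        token = secrets.token_urlsafe(16)  # unguessable, single-use handle
        self.grants[token] = Grant(token, user, patient_id, reason,
                                   self.clock() + self.ttl)
        self._log("issued", user, patient_id, reason)
        return token

    def access(self, token, user, patient_id):
        """Consume the grant. Denied if unknown, for another user or record,
        already used, or expired; each denial is logged with its cause."""
        grant = self.grants.get(token)
        if grant is None or grant.user != user or grant.patient_id != patient_id:
            self._log("denied", user, patient_id, "unknown token or mismatched user/record")
            return False
        if grant.used:
            self._log("denied", user, patient_id, "grant already used")
            return False
        if self.clock() > grant.expires_at:
            self._log("denied", user, patient_id, "grant expired")
            return False
        grant.used = True
        self._log("used", user, patient_id, grant.reason)
        return True

    def events(self, event):
        """Audit entries of one kind, e.g. every 'used' grant for review."""
        return [entry for entry in self.audit if entry[1] == event]


if __name__ == "__main__":
    bg = BreakGlass()
    token = bg.request("intern-07", "MRN-0042", "cardiac arrest, on call, no own account")
    print("first access:", bg.access(token, "intern-07", "MRN-0042"))
    print("second access:", bg.access(token, "intern-07", "MRN-0042"))
    for entry in bg.audit:
        print(entry[1:])
```

    The design choice worth noting is that the grant is issued to the junior member of staff’s own identity, so the record of who looked at what survives; a shared senior password gives the same clinical access but destroys exactly that attribution.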

    These need IT teams to be more responsive. That seems unavoidable if data security and integrity are to be ensured. As Africa moves further towards EHRs, these practices could be incorporated from the outset.

  • AeHIN and Acfee to collaborate on supporting regional eHealth

    At today’s eHealthAFRO, Jai Ganesh Udayasankaran, Council Member of the Asian eHealth Information Network (AeHIN) presented his organisation’s history and successes. It plays a substantial catalytic role in supporting eHealth’s development in the Asian region.

    Mr Udayasankaran confirmed that AeHIN will collaborate with Africa’s emerging network, the Africa Centre for eHealth excellence (Acfee), on several aspects of eHealth that are priorities both for Africa and Asia. The main themes include:

    • eHealth governance
    • eHealth regulation
    • Cyber-security.

    eHealth governance is well-developed in AeHIN. It promotes COBIT 5, a sophisticated standard. Most of Africa’s eHealth governance needs an initial entry point. Countries can use AeHIN’s experiences to see a trajectory of where their eHealth governance could lead.

    Acfee’s research on eHealth regulation in Africa reveals a significant deficit. The 2013 data are a few years out of date, though progress remains slow. They show an extensive reliance on telecommunications regulations, with little specific eHealth regulation, as shown below.

    These figures are well behind good practices. The deficit’s about 45% points, showing that progress is vital to avoid the African region falling further behind.

    Cyber-security has become increasingly critical. Acfee accumulates data on issues, priorities and guidance, much of which is posted on eHNA. Acfee’s basic cyber-security handbook for Africa sets out some features in what are rapidly changing and more effective cyber-threats.

    Collaboration with AeHIN will move further ahead this year. Progress will be reported at next year’s eHealthAFRO 2018 and in eHNA.

  • Cyber-threats keep evolving

    Cyber-criminals have sent millions of fraudulent emails as crude, random attacks, hoping to trick people into revealing their personal or financial information. As organisations and people worked out how not to respond, cyber-criminals began switching to bespoke targeted attacks. These use advance reconnaissance, research and testing, drawing on specialised knowledge and details about targets to try to bypass defences and penetrate organisations’ networks. They’re more lucrative than random cyber-attacks.

    Trend Micro, a global cyber-security firm, has published a white paper available through Health IT Security. Navigating the evolving threat landscape with a more complete approach to network security deals with:

    • How targeted attacks change network security landscapes
    • Responding to increasingly complex threats
    • A cross-generational approach to network security
    • Security fuelled by market-leading global threat intelligence
    • Detection techniques comprising a smart network defence
    • Integration with other security solutions
    • Seamless threat intelligence sharing
    • Centralised visibility and control.

    Its findings from 264 organisations are alarming:

    • 80% had experienced a network-based attack or exploit
    • 90% had active command and control activity on their network
    • 65% had been infected by zero-day or unknown malware
    • 17% were being actively breached.

    Zero-day vulnerability is an important concept in cyber-security. It’s an undisclosed software vulnerability that cyber-criminals and other hackers can exploit to disrupt computer programs, data, additional computers and networks.

    An effective response, Trend Micro says, has to be “smart, optimized and connected.” Part of this is sophisticated cyber-security tools that operate alongside existing platforms and applications. Rigorous integration and interoperability ensure a stronger defence. These other technologies include:

    • Security Information and Event Management (SIEM)
    • Vulnerability assessment and management
    • Application security
    • Next-generation firewalls
    • Breach detection
    • Visibility and enforcement of Transport Layer Security (TLS), which derives from Secure Sockets Layer (SSL) and includes encryption
    • Software-defined networking and the cloud
    • Network Packet Brokers (NPB) that optimise incident analyses by enabling ICT and security services to acquire situational awareness and security intelligence about intrusion and extrusion incidents, enabling faster incident responses
    • Incident response automation.

    Africa’s health systems should consider enhanced cyber-security as part of their eHealth strategies. Its affordability can be measured against the estimated costs of cyber-security breaches.