• Cyber-security
  • Microsoft fixes a Word bug and vulnerability

    A bug in all Word versions, known as a zero-day vulnerability, has been exploited in the wild. Proofpoint, a cyber-security firm, reports that its researchers found documents exploiting it in a large email campaign, mainly in Australia, distributing the Dridex banking Trojan. Dridex is malware that uses Word macros to spy on computer users and steal their bank credentials. It’s also known as Bugat and Cridex. Microsoft has now fixed the bug with a patch.

    A zero-day vulnerability is a hole in software that’s unknown to the vendor. Cyber-criminals exploit it before the vendor becomes aware of it and fixes it. The resulting cyber-crime is called a zero-day attack.

    Dridex works by phishing. It relies on people inadvertently clicking the link and installing the malware. Its success also depends on emails that are superficially convincing. Although using documents for phishing has become less frequent, Dridex shows how cyber-criminals can change their approach effortlessly to exploit new opportunities. Proofpoint says Microsoft Word users should install the security updates promptly.

  • Is eHealth’s cyber-security on the march?

    As Africa’s eHealth expands, its exposure to cyber-security risks increases. A cyber-security report from Acfee summarises these cyber-threats. They include:

    • Medical identity theft
    • Ransomware
    • Denial of Service (DoS) attacks
    • Malware
    • Fraud.

    Reasons for cyber-crime differ from criminal to criminal. Some want money. Others, such as hacktivists, use it as a political campaign strategy. Examples of cyber-criminals’ goals for healthcare are:

    • Diverting funds or pharmaceutical stocks
    • Forging prescriptions
    • Stealing social security data to make fraudulent claims
    • Changing treatment regimens

    South Africa aims to implement comprehensive cyber-security measures driven by the South African Protection of Personal Information (POPI) Act. In the USA, the Health Insurance Portability and Accountability Act (HIPAA) provides the foundation. It fits with the wider National Institute of Standards and Technology (NIST) initiative, reported by eHNA, to improve the US cyber-security framework. The Payment Card Industry Data Security Standard (PCI DSS) provides a generic standard that fits healthcare.

    Fortinet, a cyber-security company, has an integrated approach set out in its white paper Countering the Evolving Cybersecurity Challenge with Fortinet Security Fabric. It provides an integrated cyber-security architecture that includes Advanced Threat Protection (ATP), Application Programming Interfaces (API) and layered, segmented firewalls.

    Typically, cyber-security aims to add new devices and cyber-security measures to an over-burdened cyber-security service. This growing network eventually becomes dysfunctional, failing to solve the problem. Fortinet says there’s a hazardous contradiction. Deploying new devices helps to decrease the time to discover some new cyber-threats. In parallel, cyber-threats are compromising organisations at a faster rate. Hence the need for a shift to a new cyber-security model.

    Africa’s eHealth hasn’t adopted a cyber-security framework like Fortinet’s. As cyber-security awareness increases, it seems like an essential option.

  • Malicious insiders can be a major threat

    It’s important not to disregard the human side of cyber-crime and the threat it poses to healthcare, its EHRs and medical devices. The consequences can be devastating. External cyber-attackers aren’t the only threat. Real criminals can be inside healthcare. This is what happens when people trusted with personal and confidential information abuse trust and misuse their power. They’re known as malicious insiders.

    Employees, former employees, contractors or business partners can all have access to organisations’ networks, systems or data. Disgruntled, they may retaliate by stealing and releasing information that can damage organisations and patients. A global research study by Mimecast reported that an alarming 90% of organisations said malicious insiders pose a major threat.

    Findings from the Protenus Breach Barometer, in an article by Healthcare IT News, reveal that the number of healthcare security breaches caused by insiders doubled from January to February. Findings from 26 incidents reported that:

    1. Malicious insiders contributed to 58% of total breaches
    2. Their attacks are difficult to detect.

    More worrisome findings are:

    1. Only 23% of respondents are confident that their organisations have invested enough in monitoring systems
    2. The top three alleged drivers of malicious insider threats are: employees meddling with their relatives’ or friends’ information (80%), financial identity theft (66%) and identity theft (51%)
    3. 57% of respondents believe that cyber-attacks are always an inside job
    4. Attacks are usually for financial gain.

    This evidence is a major public health concern. If disgruntled healthcare workers have access to personal and confidential patient data, it’s vital that measures are in place to deny them that access. To protect patients and healthcare organisations from insider breaches, the healthcare sector should invest in strengthening and protecting organisations’ networks, systems and databases, especially those storing personal and confidential information.

    Acfee has information for health ICT professionals on cyber-security practices.

  • SMS security’s essential for Africa’s mHealth

    Talking can be an expression and communication of thoughts and ideas. The same is true of texting. Isaac Asimov, the scientist and sci-fi author, said “Writing, to me, is simply thinking through my fingers.” The steady expansion of SMS communication in healthcare shows there’s plenty of thinking in the health systems, even if a lot of it’s generated electronically.

    As with all ICT, health SMSs are cyber-criminal targets. It’s essential that SMSs are secure. The CIO’s Guide to HIPAA Compliant Text Messaging by ecfirst and Imprivata, available from Health IT Security, provides a generic way to do it. Three combined activities are needed: policies, products and practices. The content’s considerable.

    Policies extend across five main areas. The subsets include seven routine actions:

    1. Confirm recipients of texts
    2. Confirm delivery and receipt of texts; confirmation receipts are ideal
    3. Don’t use shorthand or abbreviations
    4. Review texts before sending them to ensure accuracy, being especially wary of autocorrect changes
    5. Ensure all text messages, or their annotations, used for clinical decisions are documented accurately and promptly in medical records
    6. Delete all texts containing protected health information as soon as the contents are no longer readily needed.

    Product checklists are long. There are 32 criteria from four perspectives. They’re features, usability, administration and security requirements, and vendor requirements.

    Practices are mainly tracking and monitoring. When a secure SMS solution is deployed, its compliance must be sustained. Active management includes monitoring log files and other audit information to ensure appropriate use. Four core activities are:

    1. Track and monitor users and policies
    2. Ensure authentication events are appropriately captured
    3. Ensure message read receipts are time stamped
    4. Ensure a proactive audit practice, aligned with an established policy, is implemented for managing the secure SMS framework in line with regulations.

    As with all eHealth, there are considerable risks in using unencrypted text to send Electronic Protected Health Information (ePHI). Privacy and confidentiality can be damaged, diminishing SMS’s benefits of improved communication with patients and between health workers. Africa’s health systems can benefit by applying the guide.

  • Cyber-attack exposes data of nearly 18,000 patients

    Cyber-attacks can have far-reaching effects. These are multiplied when the target is a healthcare organisation storing personal patient data. The Metropolitan Urology Group in the US began notifying patients that a ransomware attack in November 2016 may have exposed their personal data. Nearly 18,000 patients were affected, according to the Department of Health and Human Services’ Office for Civil Rights, says an article in HealthcareITNews.

    The attack was on November 28, 2016. The organisation only discovered it on January 10. It took two months before it started sending notifications to patients on March 10.

    Two of the organisation’s servers were infected by a virus. It may have exposed data of patients attending between 2003 and 2010. The data contained names, patient account numbers, provider identification, medical procedure codes and dates of services. Roughly five of these patients had their Social Security numbers exposed too.

    Metropolitan Urology has been working with an ICT firm to remove the ransomware. It’s learned from the experience too, and is applying extra cyber-security measures to deter future attacks. All traffic from the affected servers is blocked, the firewall’s improved, email security’s stepped up and protection of all employee devices is in place. These are part of an overall upgrade to its policies and procedures. The organisation’s currently conducting a risk analysis of its ICT system to determine vulnerabilities.

    As compensation, all affected patients will receive one year of free credit monitoring. Metropolitan Urology has also set up a call centre to answer questions about the breach.

    Any type of cyber-attack could have serious consequences for patients and the hospital. Protecting patient data and ensuring patients sustain their trust in eHealth services is crucial. It’s critical that organisations are aware of cyber-security threats and rectify and learn from them promptly. Regular staff training and awareness are crucial cyber-security components. So are regular, routine and rigorous checks to ensure systems are intact and not breached. These are examples of how Africa’s health systems should approach their eHealth cyber-security endeavours.

  • NIST consulting on updated cyber-security framework

    Despite a comprehensive cyber-security framework in place in the US, cyber-crime’s a major threat. It didn’t seem to help prevent a huge phishing attack on a hospital, reported on eHNA, indicating the scale and complexity of the challenge.

    The US National Institute of Standards and Technology (NIST) has released for consultation its updated Framework for Improving Critical Infrastructure. It has two main parts, the report and a comprehensive checklist in Excel. They’re both essential for Africa’s health systems in developing their cyber-security.

    The new report expands the cyber-security measures in the original framework from February 2014. Its new content includes:

    1. A new section on cyber-security measurement and correlating business results to cyber-security risk management metrics
    2. Expanded explanation of using the framework for supply chain risk management
    3. Refinements to improve accountability for authentication, authorisation and identity proofing
    4. Better explanation of the relationship between implementation tiers and profiles, including establishing or improving a cyber-security programme and using framework tiers for implementation, and integrating framework considerations with risk management.

    The Excel checklist has 23 categories. These lead on to 106 sub-categories and 398 cyber-security reference links. It’s a comprehensive list of actions needed for good cyber-security practices. The 23 categories are:

    1. Asset Management (ID.AM): identifying and managing data, personnel, devices, systems, and facilities consistent with their relative importance to business objectives and risk strategies
    2. Business Environment (ID.BE): understanding and prioritising mission, objectives, stakeholders, and activities to inform cyber-security roles, responsibilities, and risk management decisions
    3. Governance (ID.GV): understanding and using policies, procedures, and processes for managing and monitoring regulatory, legal, risk, environmental and operational requirements to cyber-security risk management
    4. Risk Assessment (ID.RA): understanding cyber-security risks to operations such as mission, functions, image, or reputation, organisational assets and individuals
    5. Risk Management Strategy (ID.RM): establish and use priorities, constraints, risk tolerances, and assumptions for operational risk decisions
    6. Supply Chain Risk Management (ID.SC): establish and use priorities, constraints, risk tolerances and assumptions for risk decisions for managing supply chain risk and implementing processes to identify, assess and manage them
    7. Identity Management and Access Control (PR.AC): limiting and managing access to physical and logical assets and associated facilities to authorised users, processes, and devices consistent with the assessed risk of unauthorised access
    8. Awareness and Training (PR.AT): ensuring personnel and partners are aware of cyber-security and adequately trained to perform their duties and responsibilities consistent with cyber-security policies, procedures, and agreements
    9. Data Security (PR.DS): ensuring data’s managed consistent with risk strategies to protect its confidentiality, integrity and availability
    10. Information Protection Processes and Procedures (PR.IP): maintain and use cyber-security policies that address purpose, scope, roles, responsibilities, management commitment, and coordination, processes, and procedures to protect information systems and assets
    11. Maintenance (PR.MA): ensure control and information system components are maintained in line with policies and procedures
    12. Protective Technology (PR.PT): manage technical security solutions to ensure cyber-security and resilience of systems and assets consistent with policies, procedures and agreements
    13. Anomalies and Events (DE.AE): detecting and understanding anomalous activity and its potential impact promptly
    14. Security Continuous Monitoring (DE.CM): monitor information systems and assets at discrete intervals to identify cyber-security events and verify the effectiveness of protective measures
    15. Detection Processes (DE.DP): maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalous events
    16. Response Planning (RS.RP): implement and maintain response processes and procedures to ensure timely responses to detected cyber-security events
    17. Communications (RS.CO): co-ordinate responses with internal and external stakeholders, including external support from law enforcement agencies
    18. Analysis (RS.AN): analyse and review cyber-security measures to ensure adequate responses that support recovery activities
    19. Mitigation (RS.MI): perform activities to prevent expansion of events, mitigate their effect, and eradicate incidents
    20. Improvements (RS.IM): implement lessons learned from current and previous detections and responses
    21. Recovery Planning (RC.RP): implement and maintain recovery processes and procedures to ensure timely restoration of systems or assets affected by cyber-attacks
    22. Improvements (RC.IM): improve recovery planning and processes by incorporating lessons learned
    23. Communications (RC.CO): co-ordinate restoration activities with internal and external parties, such as coordinating centres, Internet Service Providers (ISP), owners of attacking systems, victims, other Computer Security Incident Response Teams (CSIRT) and vendors.

    Challenges for Africa’s health systems include where to start and how long it should take to set up. The second question depends on the resources available. A reasonable answer to the first is to pick a start that matches cyber-security priorities. If these aren’t explicit, start at 1. If there’s already been a cyber-attack, start at 1, and 20 may be relevant.

  • Cyber-security needs more than rules

    Africa’s eHealth’s not strong on cyber-security rules and regulations. They’re essential, but a survey of ICT security experts in the US by Level 3 Communications says they’re not enough. The results, available from Health IT Security, are that:

    1. 96% feel vulnerable to a data breach
    2. 63% have suffered one
    3. 69% say meeting compliance requirements is very or extremely effective in safeguarding sensitive data.

    In the US, eHealth security and privacy rules are set out in the Health Insurance Portability and Accountability Act 1996 (HIPAA). It established national security standards for eHealth. They are a vital component in protecting confidential information from unauthorised access. Level 3 says that since the act, cyber-threats and the cyber-security landscape have evolved rapidly, but healthcare can’t keep up. Cyber-security has become more essential to protect data and healthcare availability and continuity.

    Three emerging cyber-security themes have become healthcare’s biggest cyber-security threats:

    1. Vulnerable connected devices the cyber-criminals can access to plant malware
    2. Distributed Denial-of-Service (DDoS) attacks that render computers or networks unavailable
    3. Phishing, accounting for more than 36% of cyber-security breaches.

    Four lessons for Africa’s eHealth are clear. First, ensure effective cyber-security standards, rules and regulations. Next, keep them up to date to match the expanding cyber-crime initiatives. Third, ensure compliance. Finally, constantly strive to go beyond compliance with excellent cyber-security practices.

  • UK’s GCHQ technical director says cyber-security firms promote 'medieval witchcraft'

    Are all the cyber-security firms misleading us about the hazards and dangers of cyber-threats? Dr Ian Levy, technical director at UK’s Government Communication Headquarters (GCHQ), an intelligence and security organisation, says they’re using “Medieval witchcraft” to exaggerate the risks and boost sales. A report in The Register records his view, expressed at Usenix Enigma 2017, that their aim’s to sell security defences to tackle “Advanced persistent threats” from highly organised, smart criminals, but hackers are just “Adequate pernicious toe-rags.” The result of the sales campaigns “Are allowing massively incentivised companies to define the public perception of the problem.”

    Soon after Dr Levy’s comments, the UK Parliament’s Public Accounts Committee (PAC), a highly respected and fiercely independent spending watchdog, released Protecting information across government. It’s critical of the UK’s cyber-security performance when the “Threat from cyber attacks has been one of the UK’s top four risks to national security since 2010.” It says the current performance “Reduces our confidence in the Cabinet Office’s ability to protect the nation from higher threat cyber attacks. The use of the internet for cyber crime is evolving fast and the government faces a real struggle to find enough public sector employees with the skills to match the pace of change.”

    A quick look at a Symantec user report showed eight cyber-attacks were repelled over a week. Several phishing emails arrived most days. Some were diverted to a junk folder. Ones with new domain names made it to the inbox. Despite the NCSC’s efforts, and their improvements in response to PAC’s report, cyber-criminals are always one step ahead of cyber-security measures. Provided eHealth teams are aware of cyber-security firms’ aspirations to sell on the back of their advice and white papers, which isn’t difficult to spot, the advice offered is free and still very valuable for Africa’s eHealth cyber-security initiatives.

  • Cyber-security can improve by adopting best practices

    Patients and their families expect healthcare professionals to know and apply best practices. They can also expect that eHealth’s cyber-security aspires to the same standards. A white paper from Osterman Research, sponsored by KnowBe4, a cyber-security and training firm, sets these out for combating phishing and ransomware cyber-attacks. They offer a good start for Africa’s eHealth. Core themes include:

    1. Phishing and ransomware are increasing at the rate of several hundred percent a quarter
    2. Most organisations have been victimised
    3. Phishing and ransomware are among security decision makers’ four main concerns
    4. Security spending will increase significantly in 2017
    5. Most organisations aren’t seeing improvements in their security
    6. Security awareness training is vital to combat phishing and ransomware
    7. Organisations with well-trained employees are less likely to be infected

    In this increasingly challenging cyber-crime world, organisations can adopt many cyber-security best practices to deal with phishing and ransomware. They include:

    1. Cyber-security awareness training to create a human firewall
    2. Test staff periodically to see if cyber-security awareness training’s effective
    3. Rigorous password management
    4. Deploy systems that detect and eliminate phishing and ransomware attacks
    5. Search for and remedy cyber-security risks and vulnerabilities
    6. Maintaining good, isolated backups
    7. Using reliable threat intelligence
    8. Establish communication backchannels for key staff members
    9. Keep reminding employees of the risks of oversharing content on social media
    10. Ensure every employee maintains robust anti-malware defences on their managed platforms
    11. Keep software and operating systems up-to-date.

    These are sensible and pragmatic practices that Africa’s health systems can adopt. Making them effective needs a cyber-security leader, who must be an executive.

  • PAS 555 can help Africa’s eHealth cyber-security

    Standards, and so regulation, for cyber-security are essential for Africa’s eHealth. In May 2013, the British Standards Institute (BSI) published Publicly Available Specification (PAS) PAS 555: 2013 Cyber security risk. Governance and management. Specification. It’s relevant for Africa’s eHealth.

    BSI is the world’s first national standards body. Sir John Wolfe Barry, who designed London’s iconic Tower Bridge, formed it in 1901. It registered its BSI Kitemark in 1903, also the first year of life for Harley-Davidson, Crayola crayons and the Tour de France. It has a track record of setting standards for quality.

    PAS 555 is generic, so fits healthcare. It aims to help organisations understand and manage their exposures to cyber-threats, a downside to eHealth’s costs and benefits, healthcare’s reputation and risks to patients and communities. It uses outcomes-based methodologies to define the overall outcomes of effective cyber-security and ensure organisations’ confidence. Its standards comprise:

    1. Business-led, holistic approach to cyber-security
    2. Technical aspects of cyber-security
    3. Physical, cultural and behavioural aspects
    4. Effective leadership and governance.

    These can help Africa’s healthcare organisations:

    1. Focus investment appropriately
    2. Minimise potential loss
    3. Improve operational effectiveness and efficiency
    4. Develop organisational resilience
    5. Improve loss prevention and incident management
    6. Identify and mitigate cyber-security risk throughout organisations.

    It also helps organisations to choose how they achieve their specified outcomes. These can be through their own processes or by adopting other standards and management systems. It cross-references other standards, including some from the International Standards Organisation (ISO), such as:

    1. BS ISO/IEC 27001 Information Security Management
    2. ISO/IEC 20000-1 Information Technology. Service Management. Service management systems requirements
    3. ISO 22301 Business Continuity Management
    4. ISO 31000 Risk Management.

    These offer constructive starting points for Africa’s eHealth cyber-security. But, as cyber-threats continue to develop, it’s important to keep up too. Acfee’s first in a series of reports on cyber-security aims to help with this.