• Cyber-security
  • GP practices are vulnerable to cyber-attacks too

    Hospitals are vulnerable to cyber-attacks. GP practices are too. A report in Medical Economics offer ten ways they can improve their cyber-security. It’s especially important because their smaller-scale limits the cyber-security resources at their disposal. Consequently, to improve Personal Health Information (PHI) cyber-security, GP practices may:

    •  Lack basic security policies, procedures and defences
    • Allow users to share passwords
    • Not turn on, configure or update the security features of their EHRs and cyber-security systems
    • Not undertake cyber-security risk assessments.

    Ten steps to protected health information set by Medical Economics are:

    1.     Complete cyber-security risk assessments

    2.     Encrypt data

    3.     Control access to systems

    4.     Authenticate users

    5.     Provide secure remote access

    6.     Implement role-based access

    7.     Don’t store data on users’ devices, so no Bring Your Own Devices (BYOD)

    8.     Use and scan audit logs

    9.     Back up data off site

    10.  Sign and enforce Business Associate Agreements (BAA) with all outside parties that share PHI.

    The impact of these ten measures will only be effective if their performance is a routine in practices’ every-day activities. Provided users don’t extend this into unthinking box ticking, the ten steps will improve cyber-security and lay a foundation for more sophisticated measures. They offer Africa’s GP practices a good foundation to test their performances and identify where improvements are needed.

  • An anti-ransomware manual offers a good start for Africa’s eHealth

    In 1977, Ron Rivest, Adi Shamir and Leonard Adleman (RSA), developed RSA 2048, an algorithm for an Internet encryption system. Now, 40 years later, it seems it’s still the cryptosystem that typical ransomware attacks rely on.

    As ransomware expands its reach, KnowBe4, a security awareness training and simulated phishing platform, has produced a manual to help organisations and people deal with it. Ransomware Hostage Rescue Manual covers a wide range of themes and includes two ransomware checklists, one to deal with an attack, one for prevention.

    Topics include:

    • What’s Ransomware?
    • Are systems infected?
    • When they are, what’s next?
    • Negotiate or pay the ransoms
    • Protecting in the future
    • Resources:

    o   Ransomware Attack Response Checklist (RARC)

    o   Ransomware Prevention Checklist (RPC)

    RARC actions to deal with an attack include steps: 

    1.     Disconnect everything

    2.     Determine the scope of the infection

    3.     Determine the ransomware strain, such as CryptoWall and Teslacrypt

    4.     Determine a response:

    a.     Restore file from backup

    b.     Try to decrypt

    c.     Do nothing and lose files

    d.     Negotiate or pay the ransom

    RPC measures include:

    • Users are the first line of defence
    • Software, such as firewalls and antivirus systems are the second line
    • Backups are third Line of Defence.

    As Africa’s health systems rely more on eHealth and its networks, ransomware becomes an increasing probability. KnowBe4’s manual’s an effective way to both start, and review progress against ransomware. Reviewing defences for other types of cyber-attack is worth it too.

  • How can Africa adopt best practices against phishing and ransomware?

    With phishing still popular with cyber-criminals, and so easy to deploy, adopting best practices is essential. Human firewalls are an essential component. A white paper from Osterman Research, sponsored by KnowBe4, a cyber-security awareness, training and simulated phishing platform, sets out the frequencies of employees’ cyber-security awareness training. 

    There are two main findings. Better phishing and ransomware protection’s needed across the board. Secondly, additional cyber-security awareness training’s needed to help reduce infection rates of phishing and ransomware attacks. 

    How big is the problem? Osterman identified it as a percentage of organisations affected.

    An email phishing attack infiltrated networks

    34%

    One or more endpoints had files encrypted by a ransomware attack

    30%

    Malware has infiltrated networks through unidentified channels

    29%

    Sensitive and confidential data was accidentally or maliciously leaked by email

    17%

    An email spear-phishing attack was infected one or more senior executive users

    14%

    Networks were infiltrated by a drive-by attack from employees Web surfing

    12%

    Emails as part of a CEO fraud or business email attack tricked employees

     11%

    Sensitive and confidential data was accidentally or maliciously leaked

    ·       Through cloud-based tools, such as Dropbox                      

    ·       Through social media apps                                                                                 

    ·       With no reliable source identified                                                                

    ·       None of these things happened                                                                                        

     

         5%

    3%

    1%

    27%


    Perhaps more alarming is the finding that cyber-security incidents are not usually single events. They can occur with some frequency. Over 50% of organisations experienced between one and five cyber-attacks, including ransomware infections, hacker infiltrations and malware infections. The causes were employees clicking on phishing links or attachments.

    Osterman found a relationship between the number of attacks on organisations during the previous year and their self-assessment cyber-security ratings. Organisations reporting no ransomware, malware, hacking or other cyber-security problems rated their cyber-security effectiveness seven percentage points higher than organisations that had experienced at least one cyber-security problem. An excellent self-rating occurred in 41% of organisations, indicating a long road ahead in protecting customers users, networks and data assets from cyber-security threats.

    None     

    7%

    Part of induction

    10%

    Less than annually

    1%

    Annually

    34%

    Bi-annually

    19%

    Quarterly

    13%

    Monthly

    5%

    Weekly                  

    1%

    Continually

    7%

    Occasionally     

    1%

    Only after problems

    1%


    Seven best practices are:

    • Understand the risks you face
    • Develop adequate cyber-security policies
    • Ensure you have good and recent backups
    • Keep systems up-to-date
    • Deploy anti-phishing and anti-ransomware solutions
    • Implement best practices for user behaviour
    • Use robust threat intelligence.

    Osterman’s reports provide valuable benchmarks for Africa’s health systems. Self-assessments should enable them to see where they’re vulnerable, and its extent. 

  • Effective cyber-security training isn’t widespread

    It’s well understood that reliance on technical cyber-security solutions alone isn’t effective enough, especially for phishing attacks. The human firewall’s a vital component. A report from Enterprise Management Associates (EMA) shows how limited it is across seven sectors in the US, including health and pharma combined. For Africa’s health systems, the finding’s alarming. 

    Arrangements across five types of cyber-security training, including do nothing, which isn’t training:

    • Do nothing, so no cyber-security awareness training
    • Break rooms, where employees gather for refreshments or special meetings and are told about cyber-security issues, including what to avoid when they’re surfing the Web and receiving emails from unknown sources
    • Monthly security video, where employees watch short cyber-security awareness training videos to learn how to keep networks and organizations safe and secure
    • Phishing test, where preselected certain employees are sent simulated phishing attacks to test their vigilance in avoiding responses
    • Human firewall, where everyone in organisations are tested to find the percentage of employees prone to phishing attacks, then training everyone on major attack vectors and sending regular simulated phishing attacks.

    The good news’s that more people are being trained in cyber-security. The downside’s that the training isn’t very good. Organisations can adopt a combination of approaches. Even then, the benefits are not high. About 41% do nothing. Almost 60% use methods that are less then effective, such as 23% using break rooms and 36% using monthly security videos. The result’s that two thirds use training methods that aren’t ideal, and don’t necessarily result in cyber-security awareness.

    Compared to the other sectors, healthcare performance looks quite good. It’s at the low end of break rooms and phishing tests and one of the top three for human firewall events, all at just 27%.

    The report sets out a direction for Africa’s health systems cyber-security training. The goal should be to go straight for the best approach.

  • Cyber-security has a smarter step up

    Chasing cyber-threats is a wearisome endeavour. A US healthcare provider’s relying on analytics to deal with some of the drudgery and anxiety. RWJBarnabas Health has twelve hospitals and some 250 clinics. A report in Fierce Healthcare says it’s halfway through a four year cyber-security upgrade that uses data analytics and network visualisation tools to track who’s accessing patient data and which devices are connected to the network. The aims are to detect and report threats and provide its system with more latitude to integrate mobile devices and step up mHealth.

    It’ll also improve the ICT department’s productivity to conduct manual network scans to identify new devices as they were connected. Now, it uses software to track devices in real-time and deploys monitoring tools to track the movement of patient data.

    It may be a benchmark for Africa’s health systems’ cyber-security trajectory. Balancing data sharing and network accessibility with privacy and security’s a challenging prospect with limited numbers cyber-security staff. Using analytics can be part of the solution. 

    The US healthcare systems are enduring sustained, and possibly increasing cyber-attacks. A recent report from Protenus Breach Barometer says almost three times more patient records were accessed in March compared with February and January combined. About a third of March’s 39 breaches were linked to hacking. Nearly 85% targeted hospital providers. These risks could increase as healthcare adopts more Internet of Things (IoT) initiatives and there reliance on networked devices.


  • Microsoft fixes a Word bug and vulnerability

    A bug in all Word versions is called a zero-day vulnerability. Proofpoint, a cyber-security firm, reports that researchers found documents exploited in a large email campaign, mainly in Australia, distributing the Dridex banking Trojan. It’s a type of malware that uses macros from Word to specialise in spying on computer users to steal bank credentials. It’s also known as Bugat and Cridex. Microsoft’s now fixed it with a patch. 

    A zero day vulnerability’s a hole in software that’s unknown to the vendor. It’s exploited by cyber-criminals before the vendor’s aware, and subsequently fixes it. The cyber-crime’s called a zero day attack.

    Dridex works by phishing. It relies on people inadvertently clicking the link and installing the malware. Its success also depends on emails that are superficially convincing. Using documents for phishing has become less frequently, Dridex shows how cyber-criminals can change their approach effortlessly to exploit new opportunities. Proofpoint says Microsoft Word users should install the security updates promptly.

  • Is eHealth’s cyber-security on the march?

    As Africa’s eHealth expands, its exposure to cyber-security risks increase. A cyber-security report from Acfee summarises these cyber-threats. They include:

    • Medical identify theft
    •  Ransomware
    • Denial of Service (DOS) attacks
    • Malware
    • Fraud.

    Reasons for cyber-crime differ from criminal to criminal. Some want money. Others, such as hacktivists, use it as a political campaign strategy. Examples of cyber-criminals’ goals for healthcare are:

    • Diverting funds or pharmaceutical stocks
    • Forging prescriptions
    • Stealing social security data to make fraudulent claims
    • Changing treatment regimens

    South Africa aims to implement comprehensive cyber-security measures driven by the South African Protection of Personal Information (POPI) Act. In the USA, the Health Insurance Portability and Accountability Act (HIPAA) provides the foundation. It fits another, the wider National Institute of Standards and Technology (NIST) initiative reported by eHNA to improve the US cyber-security framework. The Payment Card Industry Data Security Standard (PTI DSS) provides a generic standard that fits healthcare.

    Fortinet, a cyber-security company, has an integrated approach set out in its white paper Countering the Evolving Cybersecurity Challenge with Fortinet Security Fabric. It provides an integrated cyber-security architecture that includes Advanced Threat Protection (ATP), Application Programming Interfaces (API) and layered, segmented firewalls.

    Typically, cyber-security aims to add new devices and cyber-security measure to an over-burdened cyber-security service. This increasing network eventually becomes dysfunctional, failing to solve the problem. Fortinet says there’s a hazardous contradiction. Deploying new devices helps to decrease the time to discover some new cyber-threats. In parallel, cyber-threats are compromising organisations at a faster rate. Hence the need for a shift to a new cyber-security model.

    Africa’s eHealth hasn’t adopted a cyber-security framework like Fortinet’s. As cyber-security awareness increases, it seems like an essential option.

  • Malicious insiders can be a major threat

    It’s important not to disregard the human side of cyber-crime and the threat it poses to healthcare, its EHRs and medical devices. The consequences can be devastating. External cyber-attackers aren’t the only threat. Real criminals can be inside healthcare. This is what happens when people trusted with personal and confidential information abuse trust and misuse their power. They’re known as malicious insiders.

    Employees, former employees, contractors or business partners can all have access to organisations’ networks, systems or data. Disgruntled, they may retaliate by stealing and releasing information that can damage organisations and patients. A global research study by Mimecast reported that an alarming 90% of organisations said malicious insiders pose a major threat.

    Findings from Pretenus Breach Barometer in an  article by Healthcare IT News reveal that the number of healthcare security breaches caused by insiders has doubled from January to February. Findings from 26 incidences reported that:

    1. Malicious insiders contributed to 58% of total breaches
    2. Their attacks are difficult to detect.

    More worrisome findings are:

    1. Only 23% of respondents are confident that their organisations have invested enough in monitoring systems
    2. The top three alleged instigators of malicious insiders threats are; 80% of employees meddling in their relatives or friends, 66% financial identity theft and 51% identity theft
    3. 57% of respondents believe that cyber-attacks are always an inside job
    4.  Attacks are usually for financial gain.  

    This evidence is a major public health concern. If disgruntled healthcare workers have access to personal and confidential patient data, it’s vital that measures are in place to deny them access. To protect patients and healthcare organisations from insider breaches the healthcare sector should invest in strengthening and protecting organisations’ networks, systems and databases especially those storing personal and confidential information.

    Acfee has information for health ICT professionals  on cyber security practices.

  • SMS security’s essential for Africa’s mHealth

    Talking can be an expression and communication of thoughts and ideas. Same for texting. Isaac Asimov, the scientist and sci-fi author said “Writing is, to me, is simply thinking through my fingers.”  The steady expansion of SMS communication in healthcare shows there’s plenty of thinking in the health systems, even if a lot of it’s generated electronically.

    As with all ICT, health SMSs are cyber-criminal targets. It’s essential that SMSs are secure. The CIO’s Guide to HIPAA Compliant Text Messaging by ec first and imprivata, and available from Health IT Security, provides a generic way to do it. Three combined activities are needed, policies, products and practices. The content’s considerable.

    Policies extend across five main areas. The subsets include seven routine actions: 

    1. Confirm recipients of texts 
    2. Confirm delivery and receipt of texts and that confirmation receipts are ideal 
    3. Don’t use shorthand or abbreviations 
    4. Review texts before sending them to ensure accuracy, especially being beware of autocorrect changes
    5. Ensure all text messages, or their annotations, used for clinical-decisions are documented accurately and promptly in medical records  
    6. Delete all texts containing protected health information as soon as the contents are no longer readily needed.

    Product checklists are long. There are 32 criteria from four perspectives. They’re features, usability, administration and security requirements, and vendor requirements. 

    Practices are mainly tracking and monitoring. When a secure SMS solution is deployed, its compliance must be sustained. Active management includes monitoring log files and other audit information to ensure appropriate use. Four core activities are:

    1. Track and monitor users and policies
    2. Ensure authentication events are appropriately captured
    3. Ensure message read receipts are time stamped.  
    4. Ensure a proactive audit practice aligns with an established policy is implemented for managing the secure SMS framework in line with regulations.

    Like all eHealth, there are considerable risks using unencrypted text when sending Electronic Protected Health Information (ePHI). Privacy and confidentiality can be damaged and diminish SMS’s benefits of improved communication with patients and between health workers. Africa’s health systems can benefit by applying the guide.

  • Cyber-attack exposes data of nearly 18,000 patients

    Cyber-attacks can have far reaching affects. These are multiplied when the target’s a healthcare organisation’s storing personal patient data. The  Metropolitan Urology Group in the US began notifying patients that a ransomware attack in November 2016 may have exposed their personal data. Nearly 18,000 patients were affected, according to the Department of Health and Human Services’ Office for Civil Rights, says an article in HealthcareITNews.

    The attack was on November 28, 2016. The organisation only discovered it on January 10. It took two months before it started sending notifications to patients on March 10.

    Two of the organisation’s servers were infected by a virus. It may have exposed data of patients attending between 2003 and 2010. The data contained names, patient account numbers, provider identification, medical procedure codes and dates of services. Roughly five of these patients had their Social Security numbers exposed too.

    Metropolitan Urology has been working with an ICT firm to remove the ransomware. Its learned from the experience too, and applying extra cyber-security measures to deter future attacks. All traffic from the affected servers is blocked, the firewall’s improved, email security’ stepped up and protection of all employee devices is in place. These are part of an overall upgrade to its policies and procedures. The organisation’s currently conducting a risk analysis of its ICT system to determine vulnerabilities.

    As compensation, all affected patients will receive one year of free credit monitoring. Metropolitan Urology has also set-up a call centre to answer questions about the breach.

    Any type of cyber-attack could have serious consequences for patients and the hospital. To protect patient data and ensure patients sustain their trust in eHealth services is crucial. It’s critical that organisations are aware of cyber-security threats and rectify and learn from them promptly. Regular staff training and awareness are crucial cyber-security components. Regular, routine and rigorous checks to ensure systems are intact and not breached are too. These are examples of how Africa’s health systems should approach their eHealth cyber-security endeavours.