• Cyber-security
  • Web sites need cyber-security too

    Malevolent hackers are smart. They know that many organisations’ websites are vulnerable to attacks. Akamai, a cloud security outfit, estimates that it costs attackers about US$40 to mount an attack, peanuts compared to the gains.

    Its infographic, Does my Enterprise Need Web Application Security?, is available from Health IT Security. It describes the threats and preventive measures. Most alarming is its estimate that productivity losses of 98% arose from websites compromised in the last 12 months. About 86% have serious vulnerabilities. Most of the attacks are random, with robots searching for vulnerabilities.

    Akamai’s data shows the estimated range of attacks from Distributed Denial of Service (DDoS) activities was:

      • Human - 8%
      • Servers - 30%
      • IoT - 62%

    A solution is a Web Application Firewall (WAF). About 40% of websites have between none and two, and 6% have more than three. Akamai’s estimate is that a WAF needs three Full Time Equivalent (FTE) staff.

    Africa’s health systems need these types of cyber-security measures in place for their website plans. Without them, the disruption will degrade their benefits.

  • Expect more cyber-attacks on healthcare

    The next cyber-attack never seems far away, and healthcare may be in criminals’ sights. A UK conference organised by The Guardian, a newspaper, and supported by technology company DXC, has some dark, ominous warnings for the UK’s NHS. They apply to healthcare everywhere.

    The report says some NHS employees expect another cyber-attack similar to WannaCry. In 2017, it caused widespread disruption to hospitals and GP surgeries. Not enough has changed to avoid it.

    Poor leadership, budgetary constraints, deficient ICT systems and a lack of qualified staff combine to make the NHS vulnerable. A member of parliament and chair of the UK parliament’s public accounts committee commented that these limitations are exacerbated by:

      • No particular benefit for patients from good eHealth
      • eHealth isn’t a big enough issue
      • It’s not an instant win
      • Many NHS staff don’t trust their IT systems.

    Lack of clarity on patients’ benefits is another theme that needs attention. It reveals inappropriate eHealth investment.

    A report on the WannaCry incident by the National Audit Office (NAO) found that the attack could have been prevented by basic ICT practices. Cyber-security was weak too. An NHS Digital cyber-security assessment of 88 of England’s NHS trusts, about 37%, carried out before WannaCry found that none passed. NHS Digital has no power to require action. Consequently, the NHS remained vulnerable.

    These commentaries and findings provide a vital checklist for all health systems’ cyber-security and eHealth investment activities and goals. Waiting for the next attack without preparation is a high-risk approach.

  • Singapore health system hacked

    About 5.9m people live in Singapore. About 25% of their demographic and personal data has been stolen from SingHealth. A report in Channel News Asia says theft of 1.5m records by the cyber-attack was the “most serious breach of personal data.” Some 160,000 patients had their dispensed medicines’ records stolen too. 

    The Ministries of Health and Communications and Information revealed that Prime Minister Lee Hsien Loong’s records were “specifically and repeatedly” targeted. It included his outpatient dispensed medicines details. Several other ministers were also affected. 

    Data taken included names, National Registration Identity Card (NRIC) numbers, addresses, genders, dates of birth and racial origins. Hackers didn’t amend or delete records. Nor did they steal medical records, such as diagnoses, doctors’ notes and health scans.

    Database administrators detected unusual activity on a SingHealth IT database on July 4. They immediately stopped it.

    Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHIS) investigations found that the cyber-attack was “deliberate, targeted and well-planned.” They concluded that it was not the work of casual hackers or criminal gangs. They are not revealing more for operational security reasons.

    Channel News Asia hints that a country is behind it, with only a few having the sophistication required. The motivation is not known.

    The incident is another reminder for Africa’s health systems that cyber-security is essential. Technical measures are not enough. SingHealth’s database managers’ rapid intervention shows that constant vigilance is needed too. Without them, the breach could have affected more than 25% of the population.

  • There’s a comprehensive cyber-security manual from KnowBe4

    Cyber-security firms regularly release short cyber-security white papers dealing with a single theme. Now, there’s an updated, big-scale, 221-page manual, and it’s free.

    Cyberheist 2018 from KnowBe4 extends across cyber-security’s wide range. Written by Stu Sjouwerman, Sunbelt Software co-founder and anti-spyware specialist, and a supporting team, Cyberheist’s 19 chapters provide Africa’s eHealth programmes with a comprehensive view of their cyber-security requirements. While there’s an emphasis on commercial and business activities, such as banking, retailer and ePayment scams, cyber-security principles in these chapters are relevant for eHealth.

    Cyberheist deals with:

      • What drives cybercrime?
      • How and why scams survive, thrive, and succeed
      • Types and methods of attacks
      • Phishing explored and explained
      • Phishing variations: smishing and vishing
      • Targeted scams, including spear phishing, whaling
      • Understanding cyber-crime losses and exposure
      • Scary cyber-crime reports and statistics
      • Bank scams
      • Credit card and ePayment scams
      • Mortgage rescue scams
      • Automated clearing house scams
      • Retailer scams
      • Social networking scams
      • Safe computing fundamentals
      • Syncing security policies, user training and monitoring
      • Security technology to protect people and assets
      • Managing online banking security
      • Fostering cyber-security awareness.

    It has two main goals. One is to help organisations recognise the increasing danger that they, and individuals, face when they use the Internet. The other is to enable organisations to take proactive measures to protect themselves from cyber-threats. After reading Cyberheist, organisations need strategies and techniques for protection. These should be core to Africa’s eHealth strategies.

  • KnowBe4 updates its ransomware rescue manual

    Cyber-security companies have to keep up with cyber-criminals’ expanding ingenuity. KnowBe4, a cyber-security firm, does it to keep users up to speed. It’s overhauled its Ransomware Hostage Manual, What You Need to Know To Prepare and Recover from a Ransomware Attack, available from Health IT Security. It reflects the increasing professionalism of cyber-crime activity over the last five years or so. It deals with:

    What’s ransomware?

      • Ransomware
      • Bitcoin and cryptocurrency
      • Cryptomining
      • The Onion Router (TOR)

    Am I infected?

      • Symptoms
      • Infection vectors

    I’m infected, now what?

      • Disconnect!
      • Determine the scope
      • What strain of ransomware?
      • Evaluate your responses: restore, decrypt, do nothing

    Negotiate or pay the ransom

      • First response: restore from backup or shadow volume
      • Second response: try to decrypt
      • Third response: do nothing and lose files
      • Fourth response: negotiate or pay the ransom
      • Ransomware attack response checklist

    Protecting yourself in the future

      • Defence in depth
      • Security awareness training
      • Simulated attacks
      • Antivirus, antispam and firewalls
      • Backups

      • Ransomware attack response checklist
      • Ransomware prevention checklist.

    KnowBe4’s checklist for dealing with a cyber-attack is extensive. It’s in two parts, actions and resources. The main headings are:

    STEP 1: disconnect everything

    STEP 2: determine the infection’s scope and check for signs of encryption

    STEP 3: determine the ransomware strain

    STEP 4: determine the response

      • Response 1: restore files from backup
      • Response 2: try to decrypt
      • Response 3: do nothing and lose files
      • Response 4: negotiate or pay the ransom

    STEP 5: protecting yourself in the future


      • Users are the first line of defence
      • Software’s the second line
      • Backups are third

    For cryptomining attacks:

      • Train users to avoid downloading it or exploit kits in the first place
      • Identify a baseline performance metric for computers and servers, and monitor and alert on excessive utilisation
      • Instruct users to report significant system slowdowns or strange behaviour
      • Ensure endpoint protection is updated frequently
      • Configure web filtering to update frequently and block outgoing firewall traffic to suspicious IP addresses and Command and Control (C2) networks.

    With users as the first line of defence, effective cyber-security training is essential. It’s been said before, so sustained user awareness and training should already be in place. Is it?

  • What GDPR means for African countries

    If you struggled to access your favourite news site this morning, due to pop-ups insisting that you refresh your privacy settings, you are not alone. And the site is invariably based in the European Union (EU), or doing business with individuals in the EU.

    Today is GDPR Day. The General Data Protection Regulation (GDPR) is a regulation created in EU law to protect the privacy of individuals’ data. It applies to data of all individuals in the EU, whether that data is used within the EU, or anywhere else in the world. It comes into force today, May 25 2018.

    GDPR brings in sweeping changes to how businesses and public sector organisations can handle information. Under the new rules, permission is required before any personal data can be used and how long it is kept is now closely controlled. Anyone can ask a company to delete their personal information too. Read the statement from the European Commission and its links to resources.

    “Personal data is the gold of the 21st century. And we leave our data basically at every step we take, especially in the digital world. When it comes to personal data today, people are naked in an aquarium,” said Vera Jourová, Commissioner for Justice, Consumers and Gender Equality.

    The GDPR sets out key principles:

      • Lawfulness, fairness and transparency
      • Purpose limitation
      • Data minimisation
      • Accuracy
      • Storage limitation
      • Integrity and confidentiality (security)
      • Accountability

    The accountability principle requires those who use data to take responsibility for complying with the principles, and to have appropriate processes and records in place to demonstrate that compliance, including appropriate technical and organisational measures to ensure accountability. Regular testing and reviews are required to make certain that the measures remain effective, or to guide remedial action if required.

    These principles form the building blocks of the legislation. Compliance with the spirit of the principles is regarded as critical for good data protection practice. Even though the principles don’t include fixed rules, penalties for ignoring them are substantial. Failure to comply with the basic principles is subject to fines of up to €20 million, or 4% of total worldwide annual turnover, whichever is higher.

    Individuals have:

      • The right to be informed
      • The right of access
      • The right to rectification
      • The right to erasure
      • The right to restrict processing
      • The right to data portability
      • The right to object
      • Rights in relation to automated decision making and profiling.

    The GDPR introduces a duty on all organisations to report certain types of personal data breach within 72 hours of becoming aware of the breach, and if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, companies must also inform those individuals without undue delay. This requires that robust breach detection, investigation and internal reporting procedures are in place to facilitate detection and decision-making.

    Closed-Circuit Television (CCTV) falls under the GDPR too.

    The UK Information Commissioner’s Office has extensive guidance. Many companies, such as IBM and Oracle, offer guidance too.

    While the GDPR does not apply to African countries directly, many African businesses will already be affected, due to their business relationships with the EU or its people. Whether you're affected yet or not, GDPR provides a best-practice model for incorporating into business practices and regulatory strengthening.

    African countries' regulatory strengthening is well underway. South Africa's Protection of Personal Information "POPI" Act is one example and provides many components of the GDPR.

    First steps towards compliance could be to:

      • Brush up your cyber-security policy, and
      • Implement a privacy management framework to help embed accountability measures and create a culture of privacy across your organisation.

    The Commission’s seven steps for businesses provide pointers too. They are:

      • Check the personal data you review and process, the purpose for which you do it, and on what legal basis
      • Inform your customers, employees and other individuals when you collect their personal data
      • Keep the personal data for only as long as necessary
      • Secure the personal data you are processing
      • Keep documentation on your data processing activities
      • Make sure your sub-contractors follow the same rules
      • Consider additional provisions, such as:
          • Organisations might have to appoint a Data Protection Officer, particularly if processing of personal data is a core part of your business
          • Data Protection Impact Assessment: such an impact assessment is reserved for those that pose more risk to personal data, for instance those that do large-scale monitoring of a publicly accessible area, including video-surveillance.

    In the meantime, dealing with your privacy preference update requests will ensure that data protection remains in the forefront of your mind, at least for today. Happy GDPR Day.


    Image from this tweet by @EU_Commission

  • AI is also attractive for cyber-criminals

    As healthcare increases investment in eHealth projects and services, there should be synchronous investment in security measures. In 2017, 25% of all data breaches were related to the healthcare industry. This is because cyber-criminals have been working to make their attacks more advanced to easily target connected devices, cloud, and multi-cloud environments. These advanced cyber-attacks are even able to evade detection by most legacy security solutions in place.

    Advancements are aided by adopting AI and machine learning to carry out complex attacks at a rapid pace. Botnets such as Reaper have been made more sophisticated, enabling them to target multiple vulnerabilities at once. Others, such as polymorphic malware, allow for hundreds of variations of a threat to be created for different purposes in a matter of hours.

    To address these challenges, Fortinet has recently released a few product enhancements that will tip the scales back in the favour of the healthcare industry:

      • FortiOS 6.0: provides an integrated security architecture that spans the distributed network
      • FortiGuard AI: is an AI solution that is able to address automated attacks
      • Threat Intelligence Services (TIS): provides visibility into network activity and metrics to give healthcare security teams an understanding of their threat landscape

    It has become inexpensive for criminals to mount attacks on healthcare data, but increasingly expensive for their targets. One key to the healthcare security transformation is flipping this paradigm.

  • AlienVault insider’s guide to cyber-security incident response can help

    Preventing cyber-security breaches is a top priority. On its own, it’s not enough. Cyber-criminals are at least one step ahead, so sound preparation for an incident response is vital. A book from AlienVault can help. It's an Insider’s Guide to Incident Response in one eBook!

    It provides a detailed insight into the fundamental strategies of efficient and effective incident response that security teams need. The goal should be to do more with less to deal with the rapidly changing cyber-threats. The guide deals with: 

      • Arming and aiming an incident response team
      • Incident response processes and procedures
      • Types of cyber-security incidents
      • Incident response tools
      • Incident response training

    Combating cyber-threats needs teams with a strong mental constitution. Techniques are needed too. The guide sets out how to build an incident response plan and develop a team that has the right tools and training.

    The Observe, Orient, Decide and Act (OODA) loop is the core methodology. It’s a cycle developed by military strategist and United States Air Force Colonel John Boyd. He used it to help to prepare for combat operations processes. It’s now applied to understand commercial activities.

    Benjamin Franklin, the 18th century polymath, promoted the original concept: “By failing to prepare, you are preparing to fail.” It applies to eHealth too.

  • Cyber-security projects reveal priorities

    As cyber-security activities step up, Barkly shows how their priorities can indicate strategies that organisations can adopt. 

    Its report identifies twelve cyber-security investments in relative priority order. They’re:

      • Endpoint security using advanced malware protection and prevention, the top priority
      • Access and authorisation
      • Endpoint protection using response and threat hunting
      • Cyber-security intelligence
      • Data protection using encryption
      • Application security
      • Network traffic visibility
      • Wireless security
      • Incident response tools
      • Bring Your Own Devices (BYOD) security
      • Embedded security in IoT
      • Distributed Denial of Service (DDoS) protection, the lowest priority.

    Alongside these initiatives, cyber-security teams are researching and evaluating cyber-security tools. It’s an activity that needs considerable cyber-security skills and resources. For Africa’s eHealth, it means two initiatives are needed, one to recruit, train and retain experts, and another to provide additional resources needed by them to fulfil their role.

  • Healthcare enters the blockchain ecosystem

    Over the last few years, healthcare has seen a record number of security breaches involving healthcare data.  This has prompted several start-ups to realise the work that needs to be done on the cyber-security front to make healthcare data secure.  Blockchain offers one potential solution to this challenge. Other solutions offered by blockchain include interoperability and the ability to connect data silos for more seamless systems and improved patient safety.

    SimplyVital Health is one of those start-ups experimenting with blockchain technology to give the healthcare industry a facelift. The company has developed a decentralised open-source protocol that will enable frictionless sharing of healthcare data. Their Health Nexus is a public-permissioned blockchain. It provides a platform to build advanced healthcare applications while maintaining the privacy and security required in the healthcare industry.

    The developer tools on the Health Nexus are open source and available for free.  Members are able to build and deploy distributed apps utilising the blockchain protocol for transactions, identity and smart contracts, and a distributed hash table (DHT) for data storage, managed by a governance system. This will allow developers to create valuable solutions for pharmacies, healthcare providers, insurers, clinical researchers or patients.  

    Blockchain is certainly paving opportunities for new business models in healthcare.  The trajectory it will follow in the coming years, however, is an unmapped terrain waiting to be explored.  The road ahead for blockchain and healthcare will also require substantial intra-industry cooperation as well as dialogues between the public and private sectors regarding standards and regulatory frameworks.