• Cyber-security
  • Choosing cyber-security services needs a methodology

    As the fight against ransomware hots up with WannaCry and Notpetya expanding the terms of engagement, it’s essential that Africa’s health systems are structured in adding to their cyber-security measures. A white paper from Imperva, a cyber security firm, sets out seven steps needed to choose an effective data-centric audit and cyber-security solution.

    Seven Keys to a Secure Data Solution proposes that the focus should shift to Data-Centric Audit and Protection (DCAP) instead of relying on tools and methods with several disconnected pockets of coverage. Choosing a solution has to navigate the wide range of services and a rigorous evaluation processes. Seven steps are needed: 

    1.     Seeking faster times to achieving value

    2.     More flexibility and adaptability

    3.     More functional breadth and depth

    4.     Increased scalability and predictable planning

    5.     Constant real-time visibility and blocking

    6.     Lower Total Cost of Ownership (TCO)

    7.     Increased focus and responsiveness.

     The approach becomes increasingly relevant as healthcare organisations move beyond using database tools and other narrow products as a cyber-security foundation and governance infrastructure. Instead, effective and efficient DCAP solutions are needed that combine extensive data security and audit functionality with a capability to eliminate the need for disparate management silos and inconsistencies. They achieve this by co-ordinating policies across types of data stores.

    It seems inevitable the growth, reach and brutality of cyber-crime needs a stiffer eHealth resolve. Assessing and applying new cyber-security techniques should now be routine part of eHealth services.

  • UK’s NHS made illegal patient data transfer to Google’s DeepMind

    As eHealth expands its reach, and Artificial Intelligence (AI) becomes routine, benefits will increasingly depend on health systems handing over their patient data to specialist companies. It seems inevitable, but it might not always be legal. The UK’s NHS found that it wasn’t.

    An article in the UK’s Guardian says the Royal Free London NHS Trust, based in London, broke the law in November 2015 when it transferred 1.6m patient-identifiable records to DeepMind, the AI outfit owned by Google. It was part of a project where DeepMind’s built Streams, an app that provides clinical alerts about kidney injury. It needed the data for testing.

    The ruling says by transferring the data and using it for app testing, the Royal Free breached four data protection principles and patient confidentiality under common law. It sees the transfer as not fair, transparent, lawful, necessary or proportionate. Patients wouldn’t have expected it, they weren’t told about it, and their information rights weren’t available to them. 

    The UK’s Information Commissioner agreed. Its view’s that the core issue wasn’t the innovation. It was the inappropriate legal basis for sharing data which DeepMind could use to identify all the patients. A better way’s to keep the data in the health system and interface with apps such as Streams only when a clinical need arises. 

    Two issues are important. One’s dealing with an apparent data-grab of millions of patient records by a global organisation. The other’s the way the NHS seems keen to embed a global company into its routing working. Both need regulating and protection of patients’ rights and interests. 

    These offer insights for Africa’s health systems to deal constructively with external eHealth and AI firms. The relationships are already on a trajectory. A lesson from the NHS and DeepMind project’s essential that Africa avoids being dragged along its wake. There’s still time to do it.

  • mHealth’s MDCS needs better cyber-security

    While mHealth’s been successful in developing countries, many initiatives fail to address security and privacy issues. Leonardo Iwaya’s at Karlstad University’s Faculty of Health, Science and Technology. His thesis, Secure and Privacy-aware Data Collection and Processing in Mobile Health Systems, starts from this perspective and describes solution. 

    He sets a context where mHealth often operates in a setting of no specific legislation for privacy and data protection in developing countries. Africa’s health systems exhibit equivalent limitations. His work has several components:

    • A comprehensive literature review of Brazil’s mHealth
    • Design of a security framework, SecourHealth, for Mobile Data Collection Systems (MDCS)
    • Design of a MDCS to improve public health using geographic Information (GeoHealth)
    • Design of Privacy Impact Assessment (PIA) template for MDCS
    • Study of ontology-based obfuscation and anonymisation functions for health data. 

    These offer Africa’s health systems a route into Information security and privacy that are paramount for high quality healthcare. They also protect healthcare professionals and other workers by creating a secure and explicit working environment for their clinical and working practices.

    Iwaya’s objective’s to enhance knowledge of the design of mHealth’s security and privacy technologies, especially the MDCS. These extend across data collection, reporting and replacing paper-based approaches for health surveys and surveillance. It’s a good place to start from to improve mHealth’s general and cyber-security.

  • Cyber-security training must be effective

    Now Africa has its own cyber-security advice, reported on eHNA, it’s important that health systems have effective training in place. The Internet Infrastructure Security Guidelines for Africa was unveiled by the Internet Society and the African Union Commission (AUC) at the African Internet Summit, in Nairobi. It has awareness as one of four core principles that have to be deployed. 

    A report from Enterprise Management Associates says cyber-security awareness programmes have a lot to learn. Already reported by eHNA, it says training that achieve better cyber-security awareness:

    • Involves interactive elements
    • Is continuous, with regular follow-ups
    • Simulates real-life attacks
    • Monitors users’ effectiveness.

    These are four criteria that Africa’s health system can adopt in applying this part of the AUC’s good practices.

  • Hospitals need better cyber-security from their app developers

    The pace of innovation in healthcare is staggering. mHealth apps are helping to push it along. Innovators are speeding apps through development processes to bring them to market as quickly as possible. It often means cyber-security’s not a priority, leaving healthcare organisations to pick up the consequences.

    “There are a million different apps out there – the problem is the low barrier to entry into the healthcare market,” said Kurt Hagerman, CISO at cyber-security firm Armor Defense, in an article in Healthcare IT News.“When you look at the EHR vendors, they cannot be everything, they have to focus on a core set of services and then allow others to supplement those large, monolithic EHR systems with other apps.”

    With some EHRs having a narrow focus, there’s a rush to capitalise on using mHealth to provide personal health data and advice. These factors combined are a challenge for health systems to use the latest innovations without compromising protected health information and personally-identifiable information. 

    The first step’s educating developers about the healthcare industry and its unique requirements. Health systems working with app developers need to be explicit from the outset about their cyber-security requirements. Hagerman says “To protect confidentiality, integrity and availability, you have to build strong authentication credentials, you have to encrypt.

    Beyond education, it’s up to health systems to be better at enforcing cyber-security, ask app developers the right questions and demand the protections that defend patient health data. “A sense of urgency is building – you cannot just build an app, there are security requirements. The industry is starting to correct this a little bit,” he added.

    Healthcare providers need to construct a stronger message for developers. Better cyber-security’s crucial to protect patients’ personal data. They can’t afford to carry the risks of insecure and vulnerable mHealth.   

  • New cybersecurity guidelines for Africa

    Cyber-crime’s severity’s increasing worldwide. The devastation was evident in the Wannacry attacks, reported on eHNA. Africa wasn’t immune.

    Many African countries lag behind with their cyber-security. It leaves eHealth vulnerable. To address this, a new set of Internet Infrastructure Security Guidelines for Africa was unveiled by the Internet Society and the African Union Commission (AUC) at the African Internet Summit, in Nairobi.

    The guidelines are new for Africa. They’re a big step forward in creating a more secure Internet infrastructure and changing African countries’ cyber-security priorities. A joint statement, reported in an article in ITWeb Africa, says "They will help AU member states strengthen the security of their local Internet infrastructure through actions at a regional, national, ISP/operator and organisational level."

    Africa's cyber-security environment faces a unique combination of challenges. They include a lack of strategies, plans and standards, lack of awareness of the risks of using technology, underinvestment, talent shortages and data overloads. Dawit Bekele, Director of the Internet Society African Regional Bureau sees potential improvement. "Africa has achieved major strides in developing its Internet Infrastructure in the past decade. However, the Internet won't provide the aspired benefits unless we can trust it. We have seen from recent experiences that Africa is not immune from cyber-attacks and other security threats. These guidelines, developed in collaboration with the African Union Commission, will help African countries put in place the necessary measures to increase the security of their Internet infrastructure."

    The guidance is just the first step. Moctar Yeday, Head, Information Society Division, African Union says "The Commission of the African Union will continue its partnership with the Internet Society on a second set of guidelines addressing personal data protection in Africa." Keeping up cyber-security’s profile is important to progress, so extra guidance is a constructive step.

    As Africa becomes more connected, healthcare, businesses, governments, citizens and key industries rely on the Internet to provide services. These guidelines provide the essential recommendations to protect Internet infrastructure.

  • Medical devices’ cyber-security testing’s not good enough

    As cyber-attacks expand, and since the alarm bells after WannaCry, reported on eHNA, cyber-security’s priority should’ve increased dramatically. It seems it’s starting from a low baseline for medical devices.

    A survey by Ponemon Institute for Synopsis says device suppliers think the chances of cyber-attacks on their products are 67%. US healthcare organisations as users think the probability’s 56%. These may be a bit low, but despite this, the survey shows only 5% of healthcare providers test their medical devices at least once a year. More alarmingly, 53% don’t test their cyber-security at all.

    A similar deficit prevails with device makers. Only 9% say they test their devices at least once a year. About 43% don’t test their device’s cyber-security. This highlights an important procurement criterion for Africa’s health systems.

    These are vulnerabilities that Africa’s health systems should address too. It’s especially critical when 80% of medical device makers and users say medical devices are very difficult to secure. Another vulnerability’s revealed by only 25% of respondents who say cyber-security protocols or architecture inside devices provide adequate protection for clinicians and patients.

    Medical Device Security: An Industry Under Attack and Unprepared to Defend says patients have already suffered from cyber-attacks and adverse events. About 31% of device makers and 40% of healthcare providers say they are aware of these. Of these, 38% of providers say inappropriate therapy or treatment was provided to patients. About 39% of device makers say cyber-attacks have taken control of their medical devices.             

    Ponemon’s report sets out a string of risks. They’re:

    • Device makers and users low confidence that patients and clinicians are protected
    • Using mobile devices affects healthcare organisations’ cyber-security’s risk postures. Clinicians depend upon their mobile devices to more efficiently serve patients
    • Budget increases to improve medical devices’ cyber-security often happen after a serious breach
    • Medical device security practices aren’t the most effective, relying on cyber-security requirements instead thorough practices such as testing
    • Most organisations don’t encrypt traffic between Internet of Thins (IoT) devices
    • Medical devices contain vulnerable code because of a lack of quality assurance and testing procedures and a rush to release
    • Testing rarely occurs, with only 9% of makers and 5% of users testing at least once a year
    • Accountability medical devices’ cyber-security is lacking
    • Makers and users aren’t aligned on current cyber-security risks, with healthcare providers more likely to be concerned about their devices’ cyber-security and risks, and suppliers’ lack of action to protect patients and users
    • Insufficient compliance with regulatory advice and guidance
    • Most makers and users don’t disclose their medical devices’ privacy and security risks. 

    Ponemon says makers and users say cyber-security’s hard to achieve. It suffers from accidental coding errors, lack of knowledge and training for secure coding practices and pressure on development teams to meet product deadlines. It seems that the clichéd paradigm shift’s needed.

  • Patching for cyber-security’s harder that it looks

    While US hospitals weren’t disrupted much by WannaCry, described in eHNA, their cyber-security experts aren’t complacent. An article in Fierce Healthcare says cybersecurity experts weren’t surprised by WannaCry’s ransomware attack because many had predicted something like it in terms of size and scope.

    Microsoft had provided a patch that prevented the attack, but many organisations hadn’t implemented it. A US cyber-security view’s that it’s an overwhelming task for healthcare exacerbated by two issues, a lack of professionals and weak patch management. Improving both seems likely as WannaCry’s provided healthcare’s ICT risk managers the justification to increase cyber-security investment. It applies to Africa’s health systems too.

    This may not be enough. Better public-private coordination’s critical going forward. US eHealth’s seen as lagging behind modern cyber-security practices, so collaboration must move its priority up. The article says more than 85% of small- or medium-sized hospitals don’t have a qualified cyber-security manager.

    These skills are essential for effective patch and ICT inventory management. It’s a more complex task for healthcare organisations with several software iterations limited asset management systems. Co-ordinating updates for many machines across eHealth and into mHealth needs ICT teams to account for software layered on operating systems that could become inoperable afters a security patch. It’s more awkward when there’s no automated way to applying.

    Challenges for Africa’s health systems are greater. Stretched resources and an even greater lack of people with cyber-security skills and qualifications present an obstacle on the scale of Kilimanjaro. Making a start’s the first step.

  • Symantec’s issued advice about WannaCry

    Now that the dust from WannaCry’s receded, but may not yet be settled, more information’s emerging. It’s an important part of Africa’s eHealth programmes build-up of cyber-security defences. 

    Symantec, the cyber-security firm says it’s confident it can beat WannaCry. The virulent ransomware strain breached hundreds of thousands of computers worldwide since it emerged on 12 May 2017. It’s much more dangerous than other ransomware types because it can spread rapidly across an organisations’ networks by exploiting vulnerabilities in Windows not patched by the Microsoft release MS17-010 in March 2017. The exploit, Eternal Blue, was released online in April as part of a series of leaks by the Shadow Brokers group that claimed it stole the data from the Equation cyber espionage group. 

    WannaCry searches for and encrypts 176 different file types, and appends .WCRY to the end of file names. It than asks users to pay a US$300 ransom in bitcoins. The ransom note says the amount will double after three days. If payment’s not made after seven days, it says the encrypted files will be deleted. Despite this, Symantec hasn’t found any code in the ransomware which would cause files to be deleted. Symantec does not recommend paying the ransom. 

    Decrypting encrypted files isn’t possible yet. Symantec’s researchers are investigating the possibility. If you have backup copies of affected files, you may be able to restore them.

    Symantec’s identified two possible links loosely connecting WannaCry ransomware and the Lazarus Group. Shared code between Lazarus tools and the WannaCry ransomware’s a type of Transport Layer Security (SSL), a computing protocol to ensure data security sent by the Internet using encryption. Symantec sees this as justifying further investigation.

    Some files may be recovered without backups. Files saved on Desktop, My Documents, or removable drives are encrypted and their original copies wiped, so not recoverable. Files stored elsewhere are encrypted and their original copies deleted. They could be recovered using an undelete tool.

    Symantec and Norton customers are protected against WannaCry by a combination of technologies. Proactive protection was provided by:

    • IPS network-based protection
    • SONAR behaviour detection
    • Advanced Machine Learning (AML)
    • Intelligent Threat Cloud (ITC).

    Customers should have these technologies enabled for full proactive protection. Symantec Endpoint Protection (SEP) customers are advised to migrate to SEP 14 to take full advantage of AML signatures.

     

  • Health data in a public cloud needs encrypting

    Hospitals are increasingly turning to cloud-based services. The trend’s set to keep growing as healthcare organisations need more robust infrastructure for advanced analytics, population health and precision medicine, says an article in Healthcare IT News

    Healthcare entities face unique challenges and risks when they store their data in the cloud. Perhaps the most important is ensuring that their patient data’s safe. 

    About 82% of databases in public cloud computing environments aren’t encrypted. It’s an estimate in a report from Redlock, a cyber-security vendor. Cloud Infrastructure Security Trends Report. Some 31% of databases in public cloud environments are open to the Internet, and 40% of organisations have cloud storage resources exposed to the public. This isn’t good.

    The analysis by the RedLock Cloud Security Intelligence team, included cloud environments in several sectors and reviewed more than a million resources processing 12 petabytes of network traffic. It identified 4.8 million exposed records with sensitive data.

    It also found that few customers are happy with cloud infrastructure security. It explains why nearly 80% of organisations are only in the trial-and-planning stage of cloud computing.

     

    With constantly increasing cyber-security risks, it’s imperative that African healthcare organisations provide effective cyber-security for their cloud services. Without it, it’s not possible to be confident of protecting their patients’ personal and private data.