• Cyber-security
  • Cyber-threats keep evolving

    Cyber-criminals have sent millions of fraudulent emails as crude, random attacks, hoping to trick people to reveal their personal or financial information. As organisations and people worked out how not to respond, cyber-criminals began switching to bespoke targeted attacks. These use advance reconnaissance, research and testing, using use specialised knowledge and details about targets to try by-pass defences and penetrate organisations’ networks. They’re more lucrative than random cyber-attacks.

    Trend Micro, a global cyber-security firm, has published a white paper available through Health IT Security. Navigating the evolving threat landscape with a more complete approach to network security deals with:

    How targeted attacks change network security landscapesResponding to increasingly complex threats A cross-generational approach to network securitySecurity fuelled by market-leading global threat intelligenceDetection techniques comprising a smart network defenceIntegration with other security solutionsSeamless threat intelligence sharingCentralised visibility and control.

    Its findings from 264 organisations are alarming:

    80% had experienced a network-based attack or exploit90% had active command and control activity on their network65% had been infected by zero-day or unknown malware17% were being actively breached.

    Zero-day vulnerability is an important concept in cyber-security. It’s an undisclosed software vulnerability that cyber-criminals and other hackers can exploit to disrupt computer programs, data, additional computers and networks.

    An effective response, Trend Micro says, has to be “smart, optimized and connected.” Part of this is sophisticated cyber-security tools that operate alongside existing platforms and applications. Rigorous integration and interoperability ensures a stronger defence. These other technologies include:

    Security Information and Event Management (SIEM)Vulnerability assessment and managementApplication securityNext-generation firewallsBreach detectionVisibility and enforcement of Transport Layer Security (SSL), derived from Secure Sockets Layer and including encryption Software-defined networking and the cloudNetwork Packet Brokers (NPB) that optimise incident analyses by enabling ICT and security services to acquire situational awareness and security intelligence about intrusion and extrusion incidents, enabling faster incident responsesIncident response automation.

    Africa’s health systems should consider enhanced cyber-security as part of their eHealth strategies. It’s affordability can measured against the estimated costs of cyber-security breaches.

  • Better personal cyber-security with these tips

    It’s important that Africa’s health workers are cyber-security conscious. Good practices in their personal cyber-security, such as protecting their identity from theft, can help to improve their cyber-security practices at work.

    Using social media provides opportunities for cyber-criminals to steal personal identities. An article in the UK’s Guardian newspaper offers some tips. Holly Brockwell, a freelance technology journalist and editor of Gadgette, an online magazine offers five tips to minimise the risks. These are essential when some companies use weak security protocols.

    1.     Don’t play social media games because a notorious information security hole is the secret question and answer checks that offer weak security, with answers often in the public domain on social network sites, so often used to access open people’s accounts and can be accidentally provided by playing social network games

    2.     Don’t take dodgy online quizzes, they can ask for information that can provide access to personal accounts, so check trustworthiness by reviewing URLs, internet addresses, that quizzes came from, and if it’s not a recognised, reputable name, don’t do it, but, malicious sites can disguise their addresses, so it may best not to do any quizzes.

    3.     Don’t accept friend requests from strangers, because it provides them with access to historic and future status updates, so set security settings and all previous posts to friends only

    4.     Delete old posts every day

    5.     Use a password manager to help have unique passwords for personal accounts

    6.     Turn on two-factor authentication, such as having a unique passcode sent to a mobile phone, but mobile’s can be hacked to steal codes, so consider an authenticator app such as Google Authenticator, reviewed by Make Tech Easier

    7.     Don’t be anxious about applying effective cyber-security measures.

  • Bitpaymer’s offspring disrupts hospitals

    A variant of Bitpaymer ransomware’s been breaching hospital’s ICT. It’s been in Scotland’s Lanarkshire Trust, previously breached earlier this year by WannaCry, reported on eHNA. Some operations were cancelled, GPs’ work disrupted and patients asked to attend Accident and Emergency only if their needs were essential. ZDNet has a report saying systems were taken offline. Perpetrators say they’ve gathered "private sensitive data."

    Unlike most hacks that prefer to be covert, ransomware makes contact with users to ask for a ransom in return for a decryption key. The ransom request was very high, some 50 bitcoins, about £168,000, US$218,000. Failure to pay may result in the cyber-crooks sharing data they’ve acquired.

    ZDNet has short ransomware guide. Ransomware: An executive guide to one of the biggest menaces on the web. Other guides are Remove All Threats has a guide on removing Bitpaymer. Protect PC Health has a guide too. Both are for PCs.

  • A cyber-security guide addresses healthcare’s increasing vulnerability

    Healthcare’s data’s attractive to cyber-criminals. Protecting it from criminals and general misuse’s essential because it’s highly sensitive, identifiable information. These are two core themes from a white paper from Osterman Research. It helps Africa’s health systems to move their cyber-security initiatives on, 

    Sponsored by Quest, an ICT firm, Protecting Data in the healthcare Industry goes on to identify the types of threats and their subsequent impacts. It succinctly summarises regulatory requirement from the US, UK, the EU and Australia. These provide helpful insights for Africa’s health systems in developing their eHealth regulations. These need supplementing with actions that deal with numerous increasing trends, including:

    Healthcare professionals are increasingly using cloud solutionsIncreasing prevalence of phishing and ransomware, with 72% of healthcare’s malware incidents being ransomware attacks, and 88% of all ransomware attacks during April to June 2016 were on healthcareData breaches are common, with  healthcare attacks up by 35% since 2015Disruptions undermine the reputation and value of affected organisationsHealthcare’s systematically underinvested in cyber-securityHealth workers face a growing array of communication and collaboration tools and trust them as secure and reliable, but they’re notHealthcare professionals are directly vulnerable too.

    Best practices for cyber security defences include:

    Taking cyber-security risks seriouslyBuild cyber-threat awarenessDevelop cyber- security strategiesEstablish thorough and detailed cyber-security policiesEnable encryption at every pointUse threat intelligence to enhance cyber-securityTest cyber-attack recovery plansInvest in cyber-security awareness trainingGovern user behaviour for tools, devices and repositoriesTighten password policies and account accessHave effective cyber-security defences, including

    o   Backups of core data, especially offline

    o   Next-generation firewalls that provide deeper analysis and remediation of active threats

    o   Endpoint security technologies

    o   Robust perimeter defences.

    Total security’s isn’t the goal. Cyber-criminals can often be one step ahead, such as with WannaCray and NotPetya. The objective’s to mitigate and minimise the risk. It’s important that Africa’s health systems keep this focus, making them less attractive targets for cyber-criminals.

  • Kenya’s mHealth standards set SMS and ePrescribing practices

    Using SMS for health and healthcare’s an expanding initiative in Africa. Kenya’s Ministry of Health has set out a rigorous set of standards for it, and ePrescribing, in Kenya Standards and Guidelines for mHealth Systems. 

    As an effective communication tool for health in low-income countries, SMS need regulation and cyber-security standards that minimise the risk of privacy and confidentiality breaches. This extends across several activities. Kenya’s standards include:

    Risks of Personal Health Information (PHI) in SMSsStandards for text messages, including device selections, risk assessments, development practices and trainingPHI security guidelinesRisk management strategy, including password confidentiality and encryption.

    Standards for telephone and eConusltations deal with devices such as Interactive Voice and Video and Response (IVVR), mobile phones, teleconferencing, Voice over Internet Protocol (VoIP. It includes SMSs too. The themes are:

    Good medical practices, duties and responsibilitiesGuidelines for using eHealth and ICT to provide healthcareWhat to do in emergency situations. 

    ePrescribing extends from completing prescriptions, through delivery to pharmcists and on to dispensing to patients. Its goals include better quality healthcare, patient safety, accuracy and continuing care. The standards deal with:

    How to use ePrescribing, including patient choiceAuthenticating ePrescriptionsDelivering ePrescribed drugs and medications and the role of pharmacistsePrescribing data sets that include:

    o   Minimum patient demographics

    o   Prescription identifiers

    o   Product identification.

    While addressing current eHealth requirements, these standards lay a foundation for eHealth’s future scale and direction. It’s an opportunity to move eHealth regulation closer to project implementations, especially for ePrescribing.

  • Choosing cyber-security services needs a methodology

    As the fight against ransomware hots up with WannaCry and Notpetya expanding the terms of engagement, it’s essential that Africa’s health systems are structured in adding to their cyber-security measures. A white paper from Imperva, a cyber security firm, sets out seven steps needed to choose an effective data-centric audit and cyber-security solution.

    Seven Keys to a Secure Data Solution proposes that the focus should shift to Data-Centric Audit and Protection (DCAP) instead of relying on tools and methods with several disconnected pockets of coverage. Choosing a solution has to navigate the wide range of services and a rigorous evaluation processes. Seven steps are needed: 

    1.     Seeking faster times to achieving value

    2.     More flexibility and adaptability

    3.     More functional breadth and depth

    4.     Increased scalability and predictable planning

    5.     Constant real-time visibility and blocking

    6.     Lower Total Cost of Ownership (TCO)

    7.     Increased focus and responsiveness.

     The approach becomes increasingly relevant as healthcare organisations move beyond using database tools and other narrow products as a cyber-security foundation and governance infrastructure. Instead, effective and efficient DCAP solutions are needed that combine extensive data security and audit functionality with a capability to eliminate the need for disparate management silos and inconsistencies. They achieve this by co-ordinating policies across types of data stores.

    It seems inevitable the growth, reach and brutality of cyber-crime needs a stiffer eHealth resolve. Assessing and applying new cyber-security techniques should now be routine part of eHealth services.

  • UK’s NHS made illegal patient data transfer to Google’s DeepMind

    As eHealth expands its reach, and Artificial Intelligence (AI) becomes routine, benefits will increasingly depend on health systems handing over their patient data to specialist companies. It seems inevitable, but it might not always be legal. The UK’s NHS found that it wasn’t.

    An article in the UK’s Guardian says the Royal Free London NHS Trust, based in London, broke the law in November 2015 when it transferred 1.6m patient-identifiable records to DeepMind, the AI outfit owned by Google. It was part of a project where DeepMind’s built Streams, an app that provides clinical alerts about kidney injury. It needed the data for testing.

    The ruling says by transferring the data and using it for app testing, the Royal Free breached four data protection principles and patient confidentiality under common law. It sees the transfer as not fair, transparent, lawful, necessary or proportionate. Patients wouldn’t have expected it, they weren’t told about it, and their information rights weren’t available to them. 

    The UK’s Information Commissioner agreed. Its view’s that the core issue wasn’t the innovation. It was the inappropriate legal basis for sharing data which DeepMind could use to identify all the patients. A better way’s to keep the data in the health system and interface with apps such as Streams only when a clinical need arises. 

    Two issues are important. One’s dealing with an apparent data-grab of millions of patient records by a global organisation. The other’s the way the NHS seems keen to embed a global company into its routing working. Both need regulating and protection of patients’ rights and interests. 

    These offer insights for Africa’s health systems to deal constructively with external eHealth and AI firms. The relationships are already on a trajectory. A lesson from the NHS and DeepMind project’s essential that Africa avoids being dragged along its wake. There’s still time to do it.

  • mHealth’s MDCS needs better cyber-security

    While mHealth’s been successful in developing countries, many initiatives fail to address security and privacy issues. Leonardo Iwaya’s at Karlstad University’s Faculty of Health, Science and Technology. His thesis, Secure and Privacy-aware Data Collection and Processing in Mobile Health Systems, starts from this perspective and describes solution. 

    He sets a context where mHealth often operates in a setting of no specific legislation for privacy and data protection in developing countries. Africa’s health systems exhibit equivalent limitations. His work has several components:

    A comprehensive literature review of Brazil’s mHealthDesign of a security framework, SecourHealth, for Mobile Data Collection Systems (MDCS)Design of a MDCS to improve public health using geographic Information (GeoHealth)Design of Privacy Impact Assessment (PIA) template for MDCSStudy of ontology-based obfuscation and anonymisation functions for health data. 

    These offer Africa’s health systems a route into Information security and privacy that are paramount for high quality healthcare. They also protect healthcare professionals and other workers by creating a secure and explicit working environment for their clinical and working practices.

    Iwaya’s objective’s to enhance knowledge of the design of mHealth’s security and privacy technologies, especially the MDCS. These extend across data collection, reporting and replacing paper-based approaches for health surveys and surveillance. It’s a good place to start from to improve mHealth’s general and cyber-security.

  • Cyber-security training must be effective

    Now Africa has its own cyber-security advice, reported on eHNA, it’s important that health systems have effective training in place. The Internet Infrastructure Security Guidelines for Africa was unveiled by the Internet Society and the African Union Commission (AUC) at the African Internet Summit, in Nairobi. It has awareness as one of four core principles that have to be deployed. 

    A report from Enterprise Management Associates says cyber-security awareness programmes have a lot to learn. Already reported by eHNA, it says training that achieve better cyber-security awareness:

    Involves interactive elementsIs continuous, with regular follow-upsSimulates real-life attacksMonitors users’ effectiveness.

    These are four criteria that Africa’s health system can adopt in applying this part of the AUC’s good practices.

  • Hospitals need better cyber-security from their app developers

    The pace of innovation in healthcare is staggering. mHealth apps are helping to push it along. Innovators are speeding apps through development processes to bring them to market as quickly as possible. It often means cyber-security’s not a priority, leaving healthcare organisations to pick up the consequences.

    “There are a million different apps out there – the problem is the low barrier to entry into the healthcare market,” said Kurt Hagerman, CISO at cyber-security firm Armor Defense, in an article in Healthcare IT News.“When you look at the EHR vendors, they cannot be everything, they have to focus on a core set of services and then allow others to supplement those large, monolithic EHR systems with other apps.”

    With some EHRs having a narrow focus, there’s a rush to capitalise on using mHealth to provide personal health data and advice. These factors combined are a challenge for health systems to use the latest innovations without compromising protected health information and personally-identifiable information. 

    The first step’s educating developers about the healthcare industry and its unique requirements. Health systems working with app developers need to be explicit from the outset about their cyber-security requirements. Hagerman says “To protect confidentiality, integrity and availability, you have to build strong authentication credentials, you have to encrypt.”

    Beyond education, it’s up to health systems to be better at enforcing cyber-security, ask app developers the right questions and demand the protections that defend patient health data. “A sense of urgency is building – you cannot just build an app, there are security requirements. The industry is starting to correct this a little bit,” he added.

    Healthcare providers need to construct a stronger message for developers. Better cyber-security’s crucial to protect patients’ personal data. They can’t afford to carry the risks of insecure and vulnerable mHealth.