• Cyber-security
  • New cybersecurity guidelines for Africa

    Cyber-crime’s severity’s increasing worldwide. The devastation was evident in the Wannacry attacks, reported on eHNA. Africa wasn’t immune.

    Many African countries lag behind with their cyber-security. It leaves eHealth vulnerable. To address this, a new set of Internet Infrastructure Security Guidelines for Africa was unveiled by the Internet Society and the African Union Commission (AUC) at the African Internet Summit in Nairobi.

    The guidelines are new for Africa. They’re a big step forward in creating a more secure Internet infrastructure and changing African countries’ cyber-security priorities. A joint statement, reported in an article in ITWeb Africa, says "They will help AU member states strengthen the security of their local Internet infrastructure through actions at a regional, national, ISP/operator and organisational level."

    Africa's cyber-security environment faces a unique combination of challenges. They include a lack of strategies, plans and standards, lack of awareness of the risks of using technology, underinvestment, talent shortages and data overloads. Dawit Bekele, Director of the Internet Society African Regional Bureau sees potential improvement. "Africa has achieved major strides in developing its Internet Infrastructure in the past decade. However, the Internet won't provide the aspired benefits unless we can trust it. We have seen from recent experiences that Africa is not immune from cyber-attacks and other security threats. These guidelines, developed in collaboration with the African Union Commission, will help African countries put in place the necessary measures to increase the security of their Internet infrastructure."

    The guidance is just the first step. Moctar Yeday, Head, Information Society Division, African Union says "The Commission of the African Union will continue its partnership with the Internet Society on a second set of guidelines addressing personal data protection in Africa." Keeping up cyber-security’s profile is important to progress, so extra guidance is a constructive step.

    As Africa becomes more connected, healthcare, businesses, governments, citizens and key industries rely on the Internet to provide services. These guidelines provide the essential recommendations to protect Internet infrastructure.

  • Medical devices’ cyber-security testing’s not good enough

    As cyber-attacks expand, and since the alarm bells after WannaCry, reported on eHNA, cyber-security’s priority should’ve increased dramatically. It seems it’s starting from a low baseline for medical devices.

    A survey by Ponemon Institute for Synopsys says device suppliers put the chances of cyber-attacks on their products at 67%. US healthcare organisations, as users, put the probability at 56%. These may be a bit low, but despite this, the survey shows only 5% of healthcare providers test their medical devices at least once a year. More alarmingly, 53% don’t test their cyber-security at all.

    A similar deficit prevails with device makers. Only 9% say they test their devices at least once a year. About 43% don’t test their device’s cyber-security. This highlights an important procurement criterion for Africa’s health systems.

    These are vulnerabilities that Africa’s health systems should address too. It’s especially critical when 80% of medical device makers and users say medical devices are very difficult to secure. Another vulnerability’s revealed by only 25% of respondents who say cyber-security protocols or architecture inside devices provide adequate protection for clinicians and patients.

    Medical Device Security: An Industry Under Attack and Unprepared to Defend says patients have already suffered from cyber-attacks and adverse events. About 31% of device makers and 40% of healthcare providers say they are aware of these. Of these, 38% of providers say inappropriate therapy or treatment was provided to patients. About 39% of device makers say cyber-attacks have taken control of their medical devices.

    Ponemon’s report sets out a string of risks. They’re:

    o   Device makers and users have low confidence that patients and clinicians are protected

    o   Using mobile devices affects healthcare organisations’ cyber-security risk postures; clinicians depend on their mobile devices to serve patients more efficiently

    o   Budget increases to improve medical devices’ cyber-security often happen only after a serious breach

    o   Medical device security practices aren’t the most effective, relying on cyber-security requirements instead of thorough practices such as testing

    o   Most organisations don’t encrypt traffic between Internet of Things (IoT) devices

    o   Medical devices contain vulnerable code because of a lack of quality assurance and testing procedures and a rush to release

    o   Testing rarely occurs, with only 9% of makers and 5% of users testing at least once a year

    o   Accountability for medical devices’ cyber-security is lacking

    o   Makers and users aren’t aligned on current cyber-security risks, with healthcare providers more likely to be concerned about their devices’ cyber-security and risks, and about suppliers’ lack of action to protect patients and users

    o   Insufficient compliance with regulatory advice and guidance

    o   Most makers and users don’t disclose their medical devices’ privacy and security risks.

    Ponemon says makers and users say cyber-security’s hard to achieve. It suffers from accidental coding errors, lack of knowledge and training for secure coding practices and pressure on development teams to meet product deadlines. It seems that the clichéd paradigm shift’s needed.

  • Patching for cyber-security’s harder than it looks

    While US hospitals weren’t disrupted much by WannaCry, described in eHNA, their cyber-security experts aren’t complacent. An article in Fierce Healthcare says cybersecurity experts weren’t surprised by WannaCry’s ransomware attack because many had predicted something like it in terms of size and scope.

    Microsoft had provided a patch that prevented the attack, but many organisations hadn’t implemented it. A US cyber-security view’s that it’s an overwhelming task for healthcare exacerbated by two issues, a lack of professionals and weak patch management. Improving both seems likely as WannaCry’s provided healthcare’s ICT risk managers the justification to increase cyber-security investment. It applies to Africa’s health systems too.

    This may not be enough. Better public-private coordination’s critical going forward. US eHealth’s seen as lagging behind modern cyber-security practices, so collaboration must move its priority up. The article says more than 85% of small- or medium-sized hospitals don’t have a qualified cyber-security manager.

    These skills are essential for effective patch and ICT inventory management. It’s a more complex task for healthcare organisations with several software iterations and limited asset management systems. Co-ordinating updates for many machines across eHealth and into mHealth needs ICT teams to account for software layered on operating systems that could become inoperable after a security patch. It’s more awkward when there’s no automated way to apply patches.

    Challenges for Africa’s health systems are greater. Stretched resources and an even greater lack of people with cyber-security skills and qualifications present an obstacle on the scale of Kilimanjaro. Making a start’s the first step.

  • Symantec’s issued advice about WannaCry

    Now that the dust from WannaCry’s receded, but may not yet be settled, more information’s emerging. It’s an important part of the build-up of cyber-security defences in Africa’s eHealth programmes.

    Symantec, the cyber-security firm, says it’s confident it can beat WannaCry. The virulent ransomware strain has breached hundreds of thousands of computers worldwide since it emerged on 12 May 2017. It’s much more dangerous than other ransomware types because it can spread rapidly across an organisation’s networks by exploiting vulnerabilities in Windows that the Microsoft release MS17-010 of March 2017 patched, on machines where that patch hasn’t been applied. The exploit, Eternal Blue, was released online in April as part of a series of leaks by the Shadow Brokers group, which claimed it stole the data from the Equation cyber espionage group.

    WannaCry searches for and encrypts 176 different file types, and appends .WCRY to the end of file names. It then asks users to pay a US$300 ransom in bitcoins. The ransom note says the amount will double after three days. If payment’s not made after seven days, it says the encrypted files will be deleted. Despite this, Symantec hasn’t found any code in the ransomware which would cause files to be deleted. Symantec does not recommend paying the ransom.

    Decrypting encrypted files isn’t possible yet. Symantec’s researchers are investigating the possibility. If you have backup copies of affected files, you may be able to restore them.

    Symantec’s identified two possible links loosely connecting WannaCry ransomware and the Lazarus Group. The code shared between Lazarus tools and the WannaCry ransomware is a Transport Layer Security (SSL) implementation, a protocol that uses encryption to secure data sent over the Internet. Symantec sees this as justifying further investigation.

    Some files may be recovered without backups. Files saved on Desktop, My Documents, or removable drives are encrypted and their original copies wiped, so not recoverable. Files stored elsewhere are encrypted and their original copies deleted. They could be recovered using an undelete tool.

    Symantec and Norton customers are protected against WannaCry by a combination of technologies. Proactive protection was provided by:

    o   IPS network-based protection

    o   SONAR behaviour detection

    o   Advanced Machine Learning (AML)

    o   Intelligent Threat Cloud (ITC).

    Customers should have these technologies enabled for full proactive protection. Symantec Endpoint Protection (SEP) customers are advised to migrate to SEP 14 to take full advantage of AML signatures.


  • Health data in a public cloud needs encrypting

    Hospitals are increasingly turning to cloud-based services. The trend’s set to keep growing as healthcare organisations need more robust infrastructure for advanced analytics, population health and precision medicine, says an article in Healthcare IT News. 

    Healthcare entities face unique challenges and risks when they store their data in the cloud. Perhaps the most important is ensuring that their patient data’s safe. 

    About 82% of databases in public cloud computing environments aren’t encrypted. It’s an estimate in the Cloud Infrastructure Security Trends Report from RedLock, a cyber-security vendor. Some 31% of databases in public cloud environments are open to the Internet, and 40% of organisations have cloud storage resources exposed to the public. This isn’t good.

    The analysis by the RedLock Cloud Security Intelligence team included cloud environments in several sectors and reviewed more than a million resources processing 12 petabytes of network traffic. It identified 4.8 million exposed records with sensitive data.

    It also found that few customers are happy with cloud infrastructure security. It explains why nearly 80% of organisations are only in the trial-and-planning stage of cloud computing.


    With constantly increasing cyber-security risks, it’s imperative that African healthcare organisations provide effective cyber-security for their cloud services. Without it, it’s not possible to be confident of protecting their patients’ personal and private data. 

  • After WannaCry, what’s next?

    As a shock to the cyber-security system, WannaCry was huge. Barkly, a cyber-security firm, has set out in its blog what zero-day attacks it expects next. It’s valuable information for Africa’s eHealth. Three possibilities are:

    One’s another attack using ETERNALBLUE, the same basis as WannaCry. Organisations struggling to update their systems will be vulnerable, with a possibility that the breach could be more damaging. An example’s Cerber. It’s recently bypassed antivirus solutions that rely on machine learning. Barkly sees the effect of an attack delivering ransomware like Cerber as much worse than WannaCry.

    Barkly says a patch can help. If it's not feasible, restricting access to port 445 or disabling Server Message Block (SMB) are options.

    Another possible attack’s spread through Remote Desktop Protocol (RDP), a proprietary Microsoft protocol. It’s reachable when port 3389 is left open, exposing RDP to the Internet. Dharma, CrySiS, and SamSam ransomware have exploited RDP. It’s easy for cyber-criminals to find these vulnerabilities. Barkly says masscan, a port scanning tool, can scan the Internet within six minutes, enabling attackers to collect a large victim list.

    Another one of the NSA exploits leaked by the Shadow Brokers actually targets RDP, specifically. Called ESTEEMAUDIT, it thankfully only targets a vulnerability affecting Microsoft Windows Server 2003 and Windows XP. But that's not to say an exploit targeting newer systems doesn't also exist and won't be released at some point (more on that possibility below). 

    Cyber-attacks may use another leaked US National Security Agency (NSA) exploit, like ETERNALBLUE. Bleeping Computer identified 23. They’re listed in the Barkly blog.

    Many target SMB, so the first step’s to secure it by patching and reviewing port 445 access. The next step’s more challenging because there’s no information on the precise nature of their malicious use.
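    The first thing an ICT team can do to act on Barkly’s advice about port 445 and port 3389 is to find out which of its own Windows hosts are actually listening for SMB and RDP on every interface. The script below is an added example, not Barkly’s or Symantec’s code and not from the eHNA article: it parses output in the layout of Windows `netstat -ano` (the sample embedded here is constructed, not captured from a real machine) and reports TCP listeners on the watched ports that are bound to all interfaces. Port 139 is included on the assumption that NetBIOS session traffic also carries SMB. A listener found this way is reachable from any network the host sits on unless a firewall blocks it, so the result is the host-side half of the “review port 445 access” step; whether the port is exposed to the Internet also depends on the perimeter firewall and NAT, which this check cannot see.

```python
import re

# Ports the article singles out: SMB (445) and RDP (3389). Port 139 is added on
# the assumption that NetBIOS session traffic carries SMB as well.
WATCHED_PORTS = {445: "SMB", 3389: "RDP", 139: "NetBIOS/SMB"}

# Local addresses that mean "bound to every interface".
ALL_INTERFACES = {"0.0.0.0", "[::]", "::"}

# Constructed sample in the layout of `netstat -ano` on Windows (not real output).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1032
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING       4
  TCP    10.0.1.15:445          10.0.1.200:51022       ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:137            *:*                                    4
"""


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port as int)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def exposed_listeners(netstat_text):
    """Return TCP listeners on watched ports that are bound to all interfaces.

    Each hit is a dict with the port, the service name, the local address and the
    owning PID. Loopback-only listeners and established connections are ignored.
    """
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # A TCP row has exactly: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, port = split_endpoint(fields[1])
        if port in WATCHED_PORTS and host in ALL_INTERFACES:
            hits.append({"port": port, "service": WATCHED_PORTS[port],
                         "local": fields[1], "pid": int(fields[4])})
    return hits


def exposed_services(netstat_text):
    """Set of service names (e.g. {'SMB', 'RDP'}) that are listening on all interfaces."""
    return {h["service"] for h in exposed_listeners(netstat_text)}


if __name__ == "__main__":
    for hit in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{hit['service']:<12} {hit['local']:<16} pid={hit['pid']}")
    print("services to review:", ", ".join(sorted(exposed_services(SAMPLE_NETSTAT))))
```

    On a real host the input would be the saved output of `netstat -ano`; a listener on 445 or 3389 reported here is a prompt to confirm the MS17-010 patch is installed and to add a firewall rule that limits who can reach the port, rather than a finding in itself.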

    An important underlying endeavour’s to learn from WannaCry. First priority’s a rigorous cyber-security review. Next, fix vulnerabilities. Repelling the next set of zero-day attacks can never have totally reliable results. Off-line backups can help to minimise some of the damage that may not be prevented.

  • GP practices are vulnerable to cyber-attacks too

    Hospitals are vulnerable to cyber-attacks. GP practices are too. A report in Medical Economics offers ten ways they can improve their cyber-security. It’s especially important because their smaller scale limits the cyber-security resources at their disposal. Consequently, to improve Personal Health Information (PHI) cyber-security, GP practices should note that they may:

    o   Lack basic security policies, procedures and defences

    o   Allow users to share passwords

    o   Not turn on, configure or update the security features of their EHRs and cyber-security systems

    o   Not undertake cyber-security risk assessments.

    Ten steps to protected health information set by Medical Economics are:

    1.     Complete cyber-security risk assessments

    2.     Encrypt data

    3.     Control access to systems

    4.     Authenticate users

    5.     Provide secure remote access

    6.     Implement role-based access

    7.     Don’t store data on users’ devices, so no Bring Your Own Devices (BYOD)

    8.     Use and scan audit logs

    9.     Back up data off site

    10.  Sign and enforce Business Associate Agreements (BAA) with all outside parties that share PHI.

    The impact of these ten measures will only be effective if their performance is a routine in practices’ every-day activities. Provided users don’t extend this into unthinking box ticking, the ten steps will improve cyber-security and lay a foundation for more sophisticated measures. They offer Africa’s GP practices a good foundation to test their performances and identify where improvements are needed.
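    Step 8, “Use and scan audit logs”, is the one that catches step 4 and the shared-password habit being ignored in practice, and it can be started without new tools. The script below is an added example, not from Medical Economics or the eHNA article: it runs two simple checks over a constructed EHR access log (the log lines and account names are invented, not from any real system). The first flags an account that is active from two different source addresses within a short window, a common sign that a password is being shared; the second flags patient-record views outside the practice’s working hours. The log format, the ten-minute window and the 07:00 to 19:00 working day are all assumptions a practice would replace with its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR audit log: invented users, addresses and record ids.
SAMPLE_LOG = """\
2017-06-12T08:55:10 user=nurse1 src=10.0.1.15 action=LOGIN
2017-06-12T08:57:42 user=nurse1 src=10.0.1.15 action=VIEW record=R-1001
2017-06-12T09:01:05 user=nurse1 src=10.0.1.38 action=VIEW record=R-1002
2017-06-12T09:03:50 user=nurse1 src=10.0.1.15 action=VIEW record=R-1003
2017-06-12T12:20:00 user=drsmith src=10.0.2.7 action=VIEW record=R-2001
2017-06-12T23:41:17 user=drsmith src=10.0.2.7 action=VIEW record=R-2002
2017-06-13T02:10:00 user=admin src=10.0.9.9 action=LOGIN
"""

# Assumed line layout: ISO timestamp, then key=value pairs; 'record' is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
    r"(?: record=(?P<record>\S+))?$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def shared_account_hits(events, window=timedelta(minutes=10)):
    """One hit per account seen from two different source addresses within `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for previous, current in zip(evs, evs[1:]):
            gap = current["ts"] - previous["ts"]
            if previous["src"] != current["src"] and gap <= window:
                hits.append({"user": user, "first_src": previous["src"],
                             "second_src": current["src"],
                             "gap_seconds": int(gap.total_seconds())})
                break  # report each account once
    return hits


def after_hours_record_views(events, day_start=7, day_end=19):
    """Record views (not logins) outside the assumed working day [day_start, day_end)."""
    return [e for e in events
            if e["action"] == "VIEW" and e["record"]
            and not day_start <= e["ts"].hour < day_end]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in shared_account_hits(evs):
        print(f"possible shared password: {h['user']} from {h['first_src']} "
              f"then {h['second_src']} {h['gap_seconds']}s later")
    for e in after_hours_record_views(evs):
        print(f"after-hours record view: {e['user']} opened {e['record']} at {e['ts']}")
```

    Both checks produce leads rather than verdicts: a nurse who moves between two workstations will trip the first one, so the value is in reviewing the hits regularly, which is exactly what makes step 8 a routine rather than a box to tick.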

  • An anti-ransomware manual offers a good start for Africa’s eHealth

    In 1977, Ron Rivest, Adi Shamir and Leonard Adleman (RSA), developed RSA 2048, an algorithm for an Internet encryption system. Now, 40 years later, it seems it’s still the cryptosystem that typical ransomware attacks rely on.

    As ransomware expands its reach, KnowBe4, a security awareness training and simulated phishing platform, has produced a manual to help organisations and people deal with it. Ransomware Hostage Rescue Manual covers a wide range of themes and includes two ransomware checklists, one to deal with an attack, one for prevention.

    Topics include:

    o   What’s ransomware?

    o   Are systems infected?

    o   When they are, what’s next?

    o   Negotiate or pay the ransom?

    o   Protecting in the future

    o   Resources:

    o   Ransomware Attack Response Checklist (RARC)

    o   Ransomware Prevention Checklist (RPC)

    RARC actions to deal with an attack include steps: 

    1.     Disconnect everything

    2.     Determine the scope of the infection

    3.     Determine the ransomware strain, such as CryptoWall and Teslacrypt

    4.     Determine a response:

    a.     Restore file from backup

    b.     Try to decrypt

    c.     Do nothing and lose files

    d.     Negotiate or pay the ransom
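    Step 2 of the RARC, determining the scope of the infection, and step 4a, deciding what can be restored, can both be started from the file system once the network is disconnected. The script below is an added example, not KnowBe4’s or Symantec’s code and not from the eHNA article. It uses two facts from the Symantec piece above: WannaCry appends .WCRY to the files it encrypts, and originals in Desktop, My Documents and removable drives are wiped while originals elsewhere are only deleted. It walks a directory tree, counts encrypted files per folder and splits them into those that can only come back from backup and those an undelete tool might still recover. The sample tree it builds in a temporary directory is constructed; the folder names treated as “wiped” are an assumption that a responder would adjust for the actual profile layout, and removable drives are not modelled.

```python
import os
import tempfile
from pathlib import Path

# Extension WannaCry appends to the files it encrypts (from the Symantec note).
RANSOM_EXT = ".WCRY"

# Folder names whose originals are wiped rather than deleted (assumption based on
# the Symantec note: Desktop, My Documents, removable drives). Compared case-insensitively.
WIPED_FOLDERS = {"desktop", "my documents", "documents"}


def in_wiped_location(relative_path: Path) -> bool:
    """True if any component of the path is a folder whose originals are wiped."""
    return any(part.lower() in WIPED_FOLDERS for part in relative_path.parts)


def triage(root) -> dict:
    """Count encrypted files per folder under `root` and classify their recoverability."""
    root = Path(root)
    per_dir = {}
    wiped = deleted = 0
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if f.upper().endswith(RANSOM_EXT)]
        if not hits:
            continue
        rel = Path(dirpath).relative_to(root)
        per_dir[str(rel)] = len(hits)
        if in_wiped_location(rel):
            wiped += len(hits)       # restore from backup only
        else:
            deleted += len(hits)     # an undelete tool may still recover the original
    return {"total": wiped + deleted, "per_dir": per_dir,
            "wiped_originals": wiped, "deleted_originals": deleted}


def build_sample_tree(base) -> None:
    """Constructed sample: a small user profile after an infection (no real data)."""
    layout = {
        "Desktop": ["report.docx.WCRY", "notes.txt.WCRY", "readme.txt"],
        "My Documents/clinic": ["patients.xlsx.WCRY"],
        "Downloads": ["scan.pdf.WCRY", "installer.exe"],
        "Pictures": ["holiday.jpg"],
    }
    for folder, names in layout.items():
        d = Path(base) / folder
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            (d / name).write_bytes(b"constructed sample content")


def demo() -> dict:
    """Build the sample tree in a temporary directory, triage it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    summary = demo()
    print(f"{summary['total']} encrypted files found")
    for folder, n in sorted(summary["per_dir"].items()):
        print(f"  {folder}: {n}")
    print(f"originals wiped (backup only): {summary['wiped_originals']}")
    print(f"originals deleted (undelete may recover): {summary['deleted_originals']}")
```

    Run against a real profile, `triage(r"C:\Users\<name>")` gives the per-folder picture the checklist asks for before anyone decides between 4a and 4b; the counts also make a useful first line in the incident record.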

    RPC measures include:

    o   Users are the first line of defence

    o   Software, such as firewalls and antivirus systems, is the second line

    o   Backups are the third line of defence.

    As Africa’s health systems rely more on eHealth and its networks, ransomware becomes an increasing probability. KnowBe4’s manual’s an effective way both to start and to review progress against ransomware. Reviewing defences for other types of cyber-attack is worth it too.

  • How can Africa adopt best practices against phishing and ransomware?

    With phishing still popular with cyber-criminals, and so easy to deploy, adopting best practices is essential. Human firewalls are an essential component. A white paper from Osterman Research, sponsored by KnowBe4, a cyber-security awareness, training and simulated phishing platform, sets out the frequencies of employees’ cyber-security awareness training. 

    There are two main findings. Better phishing and ransomware protection’s needed across the board. Secondly, additional cyber-security awareness training’s needed to help reduce infection rates of phishing and ransomware attacks. 

    How big is the problem? Osterman identified it as a percentage of organisations affected.

  • Effective cyber-security training isn’t widespread

    It’s well understood that reliance on technical cyber-security solutions alone isn’t effective enough, especially for phishing attacks. The human firewall’s a vital component. A report from Enterprise Management Associates (EMA) shows how limited it is across seven sectors in the US, including health and pharma combined. For Africa’s health systems, the finding’s alarming. 

    The report covers five types of cyber-security training arrangement, including doing nothing, which isn’t training:

    o   Do nothing, so no cyber-security awareness training

    o   Break rooms, where employees gather for refreshments or special meetings and are told about cyber-security issues, including what to avoid when surfing the Web and receiving emails from unknown sources

    o   Monthly security video, where employees watch short cyber-security awareness training videos to learn how to keep networks and organisations safe and secure

    o   Phishing test, where preselected employees are sent simulated phishing attacks to test their vigilance in avoiding responses

    o   Human firewall, where everyone in the organisation is tested to find the percentage of employees prone to phishing attacks, then everyone is trained on major attack vectors and sent regular simulated phishing attacks.

    The good news’s that more people are being trained in cyber-security. The downside’s that the training isn’t very good. Organisations can adopt a combination of approaches. Even then, the benefits are not high. About 41% do nothing. Almost 60% use methods that are less than effective, such as 23% using break rooms and 36% using monthly security videos. The result’s that two thirds use training methods that aren’t ideal, and don’t necessarily result in cyber-security awareness.

    Compared to the other sectors, healthcare performance looks quite good. It’s at the low end of break rooms and phishing tests and one of the top three for human firewall events, all at just 27%.

    The report sets out a direction for Africa’s health systems cyber-security training. The goal should be to go straight for the best approach.