• Cyber-security
  • Cyber-security has a smarter step up

    Chasing cyber-threats is a wearisome endeavour. A US healthcare provider’s relying on analytics to deal with some of the drudgery and anxiety. RWJBarnabas Health has twelve hospitals and some 250 clinics. A report in Fierce Healthcare says it’s halfway through a four-year cyber-security upgrade that uses data analytics and network visualisation tools to track who’s accessing patient data and which devices are connected to the network. The aims are to detect and report threats and to give its system more latitude to integrate mobile devices and step up mHealth.

    It’ll also improve the ICT department’s productivity. Previously, staff had to conduct manual network scans to identify new devices as they were connected. Now, it uses software to track devices in real time and deploys monitoring tools to track the movement of patient data.

    It may be a benchmark for Africa’s health systems’ cyber-security trajectory. Balancing data sharing and network accessibility with privacy and security’s a challenging prospect with limited numbers of cyber-security staff. Using analytics can be part of the solution.

    The US healthcare systems are enduring sustained, and possibly increasing, cyber-attacks. A recent report from Protenus Breach Barometer says almost three times more patient records were accessed in March compared with February and January combined. About a third of March’s 39 breaches were linked to hacking. Nearly 85% targeted hospital providers. These risks could increase as healthcare adopts more Internet of Things (IoT) initiatives and their reliance on networked devices.

  • Microsoft fixes a Word bug and vulnerability

    A bug in all Word versions is called a zero-day vulnerability. Proofpoint, a cyber-security firm, reports that researchers found documents exploiting it in a large email campaign, mainly in Australia, distributing the Dridex banking Trojan. It’s a type of malware that uses Word macros to spy on computer users and steal bank credentials. It’s also known as Bugat and Cridex. Microsoft’s now fixed it with a patch.

    A zero-day vulnerability’s a hole in software that’s unknown to the vendor. It’s exploited by cyber-criminals before the vendor’s aware of it and fixes it. The cyber-crime’s called a zero-day attack.

    Dridex works by phishing. It relies on people inadvertently clicking the link and installing the malware. Its success also depends on emails that are superficially convincing. Although using documents for phishing has become less frequent, Dridex shows how cyber-criminals can change their approach effortlessly to exploit new opportunities. Proofpoint says Microsoft Word users should install the security updates promptly.

  • Is eHealth’s cyber-security on the march?

    As Africa’s eHealth expands, its exposure to cyber-security risks increases. A cyber-security report from Acfee summarises these cyber-threats. They include:

    • Medical identity theft
    • Ransomware
    • Denial of Service (DoS) attacks
    • Malware
    • Fraud

    Reasons for cyber-crime differ from criminal to criminal. Some want money. Others, such as hacktivists, use it as a political campaign strategy. Examples of cyber-criminals’ goals for healthcare are:

    • Diverting funds or pharmaceutical stocks
    • Forging prescriptions
    • Stealing social security data to make fraudulent claims
    • Changing treatment regimens

    South Africa aims to implement comprehensive cyber-security measures driven by the South African Protection of Personal Information (POPI) Act. In the USA, the Health Insurance Portability and Accountability Act (HIPAA) provides the foundation. It fits with another, wider initiative by the National Institute of Standards and Technology (NIST), reported by eHNA, to improve the US cyber-security framework. The Payment Card Industry Data Security Standard (PCI DSS) provides a generic standard that fits healthcare.

    Fortinet, a cyber-security company, has an integrated approach set out in its white paper Countering the Evolving Cybersecurity Challenge with Fortinet Security Fabric. It provides an integrated cyber-security architecture that includes Advanced Threat Protection (ATP), Application Programming Interfaces (API) and layered, segmented firewalls.

    Typically, cyber-security aims to add new devices and cyber-security measures to an over-burdened cyber-security service. This growing network eventually becomes dysfunctional, failing to solve the problem. Fortinet says there’s a hazardous contradiction. Deploying new devices helps to decrease the time to discover some new cyber-threats. In parallel, cyber-threats are compromising organisations at a faster rate. Hence the need for a shift to a new cyber-security model.

    Africa’s eHealth hasn’t adopted a cyber-security framework like Fortinet’s. As cyber-security awareness increases, it seems like an essential option.

  • Malicious insiders can be a major threat

    It’s important not to disregard the human side of cyber-crime and the threat it poses to healthcare, its EHRs and medical devices. The consequences can be devastating. External cyber-attackers aren’t the only threat. Real criminals can be inside healthcare. This is what happens when people trusted with personal and confidential information abuse trust and misuse their power. They’re known as malicious insiders.

    Employees, former employees, contractors or business partners can all have access to organisations’ networks, systems or data. Disgruntled, they may retaliate by stealing and releasing information that can damage organisations and patients. A global research study by Mimecast reported that an alarming 90% of organisations said malicious insiders pose a major threat.

    Findings from the Protenus Breach Barometer, in an article by Healthcare IT News, reveal that the number of healthcare security breaches caused by insiders doubled from January to February. Findings from 26 incidents show that:

    • Malicious insiders contributed to 58% of total breaches
    • Their attacks are difficult to detect

    More worrisome findings are:

    • Only 23% of respondents are confident that their organisations have invested enough in monitoring systems
    • The top three alleged instigators of malicious insider threats are employees snooping on relatives or friends (80%), financial identity theft (66%) and identity theft (51%)
    • 57% of respondents believe that cyber-attacks are always an inside job
    • Attacks are usually for financial gain

    This evidence is a major public health concern. If disgruntled healthcare workers have access to personal and confidential patient data, it’s vital that measures are in place to deny them access. To protect patients and healthcare organisations from insider breaches, the healthcare sector should invest in strengthening and protecting organisations’ networks, systems and databases, especially those storing personal and confidential information.

    Acfee has information for health ICT professionals on cyber-security practices.

  • SMS security’s essential for Africa’s mHealth

    Talking can be an expression and communication of thoughts and ideas. Same for texting. Isaac Asimov, the scientist and sci-fi author, said “Writing, to me, is simply thinking through my fingers.” The steady expansion of SMS communication in healthcare shows there’s plenty of thinking in the health systems, even if a lot of it’s generated electronically.

    As with all ICT, health SMSs are cyber-criminal targets. It’s essential that SMSs are secure. The CIO’s Guide to HIPAA Compliant Text Messaging by ecfirst and Imprivata, available from Health IT Security, provides a generic way to do it. Three combined activities are needed: policies, products and practices. The content’s considerable.

    Policies extend across five main areas. The subsets include seven routine actions: 

    • Confirm recipients of texts
    • Confirm delivery and receipt of texts; confirmation receipts are ideal
    • Don’t use shorthand or abbreviations
    • Review texts before sending them to ensure accuracy, especially being wary of autocorrect changes
    • Ensure all text messages, or their annotations, used for clinical decisions are documented accurately and promptly in medical records
    • Delete all texts containing protected health information as soon as the contents are no longer readily needed

    Product checklists are long. There are 32 criteria from four perspectives. They’re features, usability, administration and security requirements, and vendor requirements. 

    Practices are mainly tracking and monitoring. When a secure SMS solution is deployed, its compliance must be sustained. Active management includes monitoring log files and other audit information to ensure appropriate use. Four core activities are:

    • Track and monitor users and policies
    • Ensure authentication events are appropriately captured
    • Ensure message read receipts are time stamped
    • Ensure a proactive audit practice, aligned with an established policy, is implemented for managing the secure SMS framework in line with regulations

    Like all eHealth, there are considerable risks in using unencrypted text to send Electronic Protected Health Information (ePHI). Privacy and confidentiality can be damaged, diminishing SMS’s benefits of improved communication with patients and between health workers. Africa’s health systems can benefit by applying the guide.

  • Cyber-attack exposes data of nearly 18,000 patients

    Cyber-attacks can have far-reaching effects. These are multiplied when the target’s a healthcare organisation storing personal patient data. The Metropolitan Urology Group in the US began notifying patients that a ransomware attack in November 2016 may have exposed their personal data. Nearly 18,000 patients were affected, according to the Department of Health and Human Services’ Office for Civil Rights, says an article in HealthcareITNews.

    The attack was on November 28, 2016. The organisation only discovered it on January 10. It took two months before it started sending notifications to patients on March 10.

    Two of the organisation’s servers were infected by a virus. It may have exposed data of patients attending between 2003 and 2010. The data contained names, patient account numbers, provider identification, medical procedure codes and dates of services. Roughly five of these patients had their Social Security numbers exposed too.

    Metropolitan Urology has been working with an ICT firm to remove the ransomware. It’s learned from the experience too, and is applying extra cyber-security measures to deter future attacks. All traffic from the affected servers is blocked, the firewall’s improved, email security’s stepped up and protection of all employee devices is in place. These are part of an overall upgrade to its policies and procedures. The organisation’s currently conducting a risk analysis of its ICT system to determine vulnerabilities.

    As compensation, all affected patients will receive one year of free credit monitoring. Metropolitan Urology has also set up a call centre to answer questions about the breach.

    Any type of cyber-attack could have serious consequences for patients and the hospital. Protecting patient data and ensuring patients sustain their trust in eHealth services is crucial. It’s critical that organisations are aware of cyber-security threats and rectify and learn from them promptly. Regular staff training and awareness are crucial cyber-security components. Regular, routine and rigorous checks to ensure systems are intact and not breached are too. These are examples of how Africa’s health systems should approach their eHealth cyber-security endeavours.

  • NIST consulting on updated cyber-security framework

    Despite a comprehensive cyber-security framework in place in the US, cyber-crime’s a major threat. It didn’t seem to help prevent a huge phishing attack on a hospital, reported on eHNA, indicating the scale and complexity of the challenge.

    The US National Institute of Standards and Technology (NIST) has released for consultation its updated Framework for Improving Critical Infrastructure. It has two main parts, the report and a comprehensive checklist in Excel. They’re both essential for Africa’s health systems in developing their cyber-security.

    The new report expands the cyber-security measures in the original framework from February 2014. Its new content includes:

    • A new section on cyber-security measurement and correlating business results to cyber-security risk management metrics
    • Expanded explanation of using the framework for supply chain risk management
    • Refinements to improve accountability for authentication, authorisation and identity proofing
    • Better explanation of the relationship between implementation tiers and profiles, including establishing or improving a cyber-security programme, using framework tiers for implementation, and integrating framework considerations with risk management

    The Excel checklist has 23 categories. These lead on to 106 sub-categories and 398 cyber-security reference links. It’s a comprehensive list of actions needed for good cyber-security practices. The 23 categories are:

    1. Asset Management (ID.AM): identifying and managing data, personnel, devices, systems, and facilities consistent with their relative importance to business objectives and risk strategies
    2. Business Environment (ID.BE): understanding and prioritising mission, objectives, stakeholders, and activities to inform cyber-security roles, responsibilities, and risk management decisions
    3. Governance (ID.GV): understanding and using policies, procedures, and processes for managing and monitoring regulatory, legal, risk, environmental and operational requirements for cyber-security risk management
    4. Risk Assessment (ID.RA): understanding cyber-security risks to operations such as mission, functions, image, or reputation, organisational assets and individuals
    5. Risk Management Strategy (ID.RM): establish and use priorities, constraints, risk tolerances, and assumptions for operational risk decisions
    6. Supply Chain Risk Management (ID.SC): establish and use priorities, constraints, risk tolerances and assumptions for risk decisions for managing supply chain risk, and implement processes to identify, assess and manage them
    7. Identity Management and Access Control (PR.AC): limiting and managing access to physical and logical assets and associated facilities to authorised users, processes, and devices consistent with the assessed risk of unauthorised access
    8. Awareness and Training (PR.AT): ensuring personnel and partners are aware of cyber-security and adequately trained to perform their duties and responsibilities consistent with cyber-security policies, procedures, and agreements
    9. Data Security (PR.DS): ensuring data’s managed consistent with risk strategies to protect its confidentiality, integrity and availability
    10. Information Protection Processes and Procedures (PR.IP): maintain and use cyber-security policies that address purpose, scope, roles, responsibilities, management commitment, and coordination, processes, and procedures to protect information systems and assets
    11. Maintenance (PR.MA): ensure control and information system components are maintained in line with policies and procedures
    12. Protective Technology (PR.PT): manage technical security solutions to ensure cyber-security and resilience of systems and assets consistent with policies, procedures and agreements
    13. Anomalies and Events (DE.AE): detecting and understanding anomalous activity and its potential impact promptly
    14. Security Continuous Monitoring (DE.CM): monitor information systems and assets at discrete intervals to identify cyber-security events and verify the effectiveness of protective measures
    15. Detection Processes (DE.DP): maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalous events
    16. Response Planning (RS.RP): implement and maintain response processes and procedures to ensure timely responses to detected cyber-security events
    17. Communications (RS.CO): co-ordinate responses with internal and external stakeholders, including external support from law enforcement agencies
    18. Analysis (RS.AN): analyse and review cyber-security measures to ensure adequate responses that support recovery activities
    19. Mitigation (RS.MI): perform activities to prevent expansion of events, mitigate their effect, and eradicate incidents
    20. Improvements (RS.IM): implement lessons learned from current and previous detections and responses
    21. Recovery Planning (RC.RP): implement and maintain recovery processes and procedures to ensure timely restoration of systems or assets affected by cyber-attacks
    22. Improvements (RC.IM): improve recovery planning and processes by incorporating lessons learned
    23. Communications (RC.CO): co-ordinate restoration activities with internal and external parties, such as coordinating centres, Internet Service Providers (ISP), owners of attacking systems, victims, other Computer Security Incident Response Teams (CSIRT) and vendors

    Challenges for Africa’s health systems include where to start and how long it should take to set up. The second question depends on the resources available. The reasonable answer to the first question is to pick a start that matches cyber-security priorities. If these aren’t explicit, start at 1. If there’s already been a cyber-attack, starting at 1 and 20 may be relevant.

  • Cyber-security needs more than rules

    Africa’s eHealth’s not strong on cyber-security rules and regulations. They’re essential, but a survey of ICT security experts in the US by Level 3 Communications says they’re not enough. The results, available from Health IT Security, are that:

    • 96% feel vulnerable to a data breach
    • 63% have suffered one
    • 69% say meeting compliance requirements is very or extremely effective in safeguarding sensitive data

    In the US, eHealth security and privacy rules are set out in the Health Insurance Portability and Accountability Act 1996 (HIPAA). It established national security standards for eHealth. They are a vital component in protecting confidential information from unauthorised access. Level 3 says that since the act, cyber-threats and the cyber-security landscape have evolved rapidly, but healthcare can’t keep up. Cyber-security has become more essential to protect data and healthcare availability and continuity.

    Three emerging cyber-security themes have become healthcare’s biggest cyber-security threats:

    • Vulnerable connected devices that cyber-criminals can access to plant malware
    • Distributed Denial-of-Service (DDoS) attacks that render computers or networks unavailable
    • Phishing, accounting for more than 36% of cyber-security breaches

    Four lessons for Africa’s eHealth are clear. First, ensure effective cyber-security standards, rules and regulations. Next, keep them up to date to match the expanding cyber-crime initiatives. Third, ensure compliance. And finally, constantly strive to go beyond compliance with effective, excellent cyber-security practices.

  • UK’s GCHQ technical director says cyber-security firms promote 'medieval witchcraft'

    Are all the cyber-security firms misleading us about the hazards and dangers of cyber-threats? Dr Ian Levy, technical director at the UK’s Government Communications Headquarters (GCHQ), an intelligence and security organisation, says they’re using “Medieval witchcraft” to exaggerate the risks and boost sales. A report in The Register records his view, expressed at Usenix Enigma 2017, that their aim’s to sell security defences to tackle “Advanced persistent threats” from highly organised, smart criminals, but hackers are just “Adequate pernicious toe-rags.” The result of the sales campaigns “Are allowing massively incentivised companies to define the public perception of the problem.”

    Soon after Dr Levy’s comments, the UK Parliament’s Public Accounts Committee (PAC), a highly respected and fiercely independent spending watchdog, released Protecting information across government. It’s critical of the UK’s cyber-security performance when the “Threat from cyber attacks has been one of the UK’s top four risks to national security since 2010.” It says the current performance “Reduces our confidence in the Cabinet Office’s ability to protect the nation from higher threat cyber attacks. The use of the internet for cyber crime is evolving fast and the government faces a real struggle to find enough public sector employees with the skills to match the pace of change.”

    A quick look at a Symantec user report showed eight cyber-attacks were repelled over a week. Several phishing emails arrived most days. Some were diverted to a junk folder. Ones with new domain names made it to the inbox. Despite the NCSC’s efforts, and their improvements in response to PAC’s report, cyber-criminals are always one step ahead of cyber-security measures. Provided eHealth teams are aware of cyber-security firms’ aspirations to sell on the back of their advice and white papers, which isn’t difficult to spot, the advice offered is free and still very valuable for Africa’s eHealth cyber-security initiatives.

  • Cyber-security can improve by adopting best practices

    Patients and their families expect healthcare professionals to know and apply best practices. They can also expect that eHealth’s cyber-security aspires to the same standards. A white paper from Osterman Research, sponsored by KnowBe4, a cyber-security and training firm, sets these out for combating phishing and ransomware cyber-attacks. They offer a good start for Africa’s eHealth. Core themes include:

    • Phishing and ransomware are increasing at the rate of several hundred percent a quarter
    • Most organisations have been victimised
    • Phishing and ransomware are among security decision makers’ four main concerns
    • Security spending will increase significantly in 2017
    • Most organisations aren’t seeing improvements in their security
    • Security awareness training is vital to combat phishing and ransomware
    • Organisations with well-trained employees are less likely to be infected

    In this increasingly challenging cyber-crime world, organisations can adopt many best cyber-security practices to deal with phishing and ransomware. They include:

    • Cyber-security awareness training to create a human firewall
    • Testing staff periodically to see if cyber-security awareness training’s effective
    • Rigorous password management
    • Deploying systems that detect and eliminate phishing and ransomware attacks
    • Searching for and remedying cyber-security risks and vulnerabilities
    • Maintaining good, isolated backups
    • Using reliable threat intelligence
    • Establishing communication backchannels for key staff members
    • Keeping reminding employees of the risks of oversharing content on social media
    • Ensuring every employee maintains robust anti-malware defences on their managed platforms
    • Keeping software and operating systems up to date

    These are sensible and pragmatic practices that Africa’s health systems can adopt. Making them effective needs a cyber-security leader, who must be an executive.