• Cyber-security
  • PASS 555 can help Africa’s eHealth cyber-security

    Standards, so regulation, for cyber-security are essential for Africa’s eHealth. In May 2013, the British Standards Institute (BSI) published Publicly Available Specification (PAS) PAS 555: 2013 Cyber security risk. Governance and management. Specification. It’s relevant for Africa’s eHealth.

    BSI is the world’s first national standards body. Sir John Wolfe-Barry, who designed London’s iconic Tower Bridge, formed it in 1901. It registered its BSI Kitemark in 1903, the first year of life for which Harley Davidson, Crayola crayons and the Tour de France. It has a track record of setting standards for quality.

    PAS 555 is generic, so fits healthcare. It aims to help organisations understand and manage their exposures to cyber-threats, a downside to eHealth’s costs and benefits, healthcare’s reputation and risks to patients and communities. It uses outcomes-based methodologies to define the overall outcomes of effective cyber-security and ensure organisations’ confidence. Its standards comprise:

    Business-led, holistic approach to cyber-securityTechnical aspects of cyber-securityPhysical, cultural and behavioural aspectsEffective leadership and governance.These can help Africa’s healthcare organisations:Focus investment appropriatelyMinimise potential lossImprove operational effectiveness and efficiencyDevelop organisational resilienceImprove loss prevention and incident managementIdentify and mitigate cyber-security risk throughout organisations.

    It also helps organisations to choose how it achieves their specified outcomes. These can be through their own processes or adopting other standards and management systems and cross references to other standards, including some from the International Standards Organisation (ISO), such as:

    BS ISO/IEC 27001 Information Security ManagementISO/IEC 20000-1 Information Technology. Service Management. Service management systems requirementsISO 22301 Business Continuity ManagementISO 31000 Risk Management.

    These offer constructive start points for Africa’s eHealth cyber-security. But, as cyber –threats continue to develop, it’s important to keep up too. Acfee’s first in a series of reports on cyber-security  aims to help with this.

  • AAMI presents 80001-1 standard cyber-risk management response

    Healthcare professionals are integrating technology with medical devices to improve disease management, reduce medical errors, and to increase communication with their patients. All these valuable benefits are reduced by cyber-risk, some of which become cyber-security breaches. The surge of Internet of Things (IoT) and web-connected medical devices has increased these cyber-security risks and vulnerabilities. An article in Forbes says that hacktivists and cyber-criminals exploit vulnerabilities in systems with poor cyber-threat monitoring, lack of regulations and policies. There’s also a need for reactive and detective controls and defences.  

     As The Association for the Advancement of Medical Instrument  (AAMI) celebrates its 50th anniversary this year, it welcomes its new president and CEO Robert Jensen. AAMI’s developed standard 80001-1:2010 to apply to risk management for ICT networks that incorporate medical devices. The most common cyber-security risks are web application attacks with malware that includes viruses, worms, spyware and ransomware. It’s crucial to provide a cyber-security strategy for total product life-cycles, starting from design and stretching to obsolesce to ensure maximum cyber-security.

    80001-1: 2010 stipulates requirements needed to attain vital safety, effectiveness, data and systems and interoperability. It provides guidelines to suppliers, and it’s their responsibilities to comply when manufacturing, installing and distributing their medical devices for use. The first part in 80001-1 aims to guarantee the safety, security and privacy of both delivery and quality healthcare for patients, and address patient and operators risks.  Some recommendations to improve cyber-security are:

    Install benchmarks to test and trail medical devices for any vulnerabilitiesDevelop programs for routine software updatesImpose strict access and control policies to authorised personnelIncrease cyber-security features in medical devices

    Africa’s health systems can adapt the 80001-1 safety requirements to increase the cyber-security in medical devices. This will help secure eHealth systems and go along way in protecting patient data.

  • Do benchmarks offer better cyber-security for medical devices?

    Our privacy, health and EHRs depend on secure and resilient cyber-security.  An article previously on eHNA asked how safe are hospital devices? It’s clear that the increasing number of medical devices connected to the Internet increases cyber-security risks. They could be life threatening and have fatal consequences, so serious in the extreme.  More healthcare providers are using connected medical devices to monitor and treat patients. It’s therefore imperative that these devices are secure.

    The Center for Internet Security (CIS) is developing a set of benchmarks to protect medical devices, such as insulin pumps, pacemakers and defibrillators, from possible hacking or viral malware. In computing, benchmarking is running computer programs to assess the relative performance of an object by running numerous standard tests and trails against it. An article in MobiHealthNews says CIS has invited medical device makers to participate in the project to help to develop cyber-security control guidelines.

    Protecting insulin infusion pumps is the first priority. The Washington Post has an article saying it’s one of the most used medical devices, so it’s likely to attract more attention from stakeholders and increase collaboration on increasing their cyber-security.

    ABI Research has estimated that by 2020, more than 30 billion medical devices will be connected to the Internet of Things (IoT). Diabetes Mellitus and heart diseases are amongst the leading causes of death in South Africa. Although insulin pumps and pacemakers are not yet popular and easily accessible, demand’s growing rapidly. South Africa and other African countries can adapt the CIS cyber-security control guidelines initiative when manufacturing and using medical devices. The aim must be to ensure their safety.

  • How safe are hospital devices?

    Effective and sustainable eHealth is a longstanding priority for many developed countries in improving healthcare and its information, access and quality. It can be a catalysts between healthcare providers and patients to provide quality healthcare while bridging the gap between inequity and distribution of health resources.

    The rapid growth of eHealth has, however, increased concerns about cyber-security. An article in Computer Business Review (CBR) says there are new emerging threats on hospital’s devices connected to web. While there’s considerable emphasis on protecting patients’ records, there’s insufficient accorded to guarding web connected hospital devices. Hacktivists and other cyber-criminals are finding new ways to penetrate hospitals’ health systems vulnerabilities, and these extend to online EHRs and devices.  

    Internet of Things (IoT), hospital and wearable web connected devices, such as insulin pumps, pacemakers, heart and blood pressure monitors, are susceptible to targeted attacks by hacktivists, terrorists and organised crimes gangs. When healthcare data’s placed in the wrong hands, the consequences could be fatal.

    WHO says  health systems in Africa are investing in eHealth and its mHealth component in their quests for Universal Health Coverage (UHC), accessibility and quality. Despite the expanding programmes, Africa’s eHealth is still nascent, with some healthcare providers and public health agencies still unaware of eHealth’s possibilities in improving health and healthcare quality and access.

    As eHealth becomes more widespread in Africa, hospitals should learn from developed countries about a holistic approach in increasing cyber-security in both patients’ records and hospital devices. Allocating equal distribution of resources to implementing eHealth programmess and services and in increasing cyber-security in both hospital records and devices are key. Acfee has a report on eHealth cyber-security. It’ll be available on Acfee’s website soon, then followed up with supplementary commentaries are more information and insights become available. Acfee members will be notified when it’s available.

  • A cyber-security workbook can help achieve good practice

    A common feature of cyber-security’s its general lag behind cyber-threats. Data Breach Incident Response Workbook, from AllClear ID, a cyber-security company, provides general guidance and assistance in developing security standards. It’s essential for Africa’s eHealth.

    Health IT Security says it provides an outline and recommendations for a start to planning well-orchestrated responses to a data compromises. The next step’s engaging external stakeholders. An essential theme’s ensuring plans are recorded and tested thoroughly to achieve effective financial and operational responses to cyber-attacks.

    Its contents include:

    The cyber-threat world and operational and reputational damageAnatomy of a data breachPreparing for a data breachBuilding a strong internal response teamData breach checklistData breach notificationsThe Incident Response Plan Guide.

    Incident response teams shouldn’t be just from ICT teams. They should draw and appoint an incident lead from:

    Executive managementICTCustomer and patient servicesRisk management and securityCompliance and auditLegalPrivacyPublic relations.

    The checklist should document everything that happens and is discovered. Prompt action’s vital, so every action needs fitting into a timeline. Actions include:

    Implement the data breach incident response planSpecify the information needed for reporting summariesIdentify the problemStart the incident reporting processIf the data breach could harm a person or business, contact local policeCreate an incident summary report for executivesCreate a technical incident summary report.

    The Incident Response Plan checklist’s comprehensive. It includes important advice: “Continuously update the information in the contact lists and other documents – don’t get caught in an emergency with outdated information.” It’s obvious, but an elementary error to avoid.

  • Phishing gave hackers access to 80 million health records

    While phishing’s an elementary cyber-attack, its results can be enormous if it works. The US Anthem health insurance attack in 2015 resulted in an employee in a subsidiary organisation opening a phishing email. Attackers then had remote access to move across at least 50 accounts, 90 over systems, including Anthem’s enterprise data warehouse where the bulk of more than 78 million records were stolen.

    A report from the California Insurance Commissioner found that Anthem took “reasonable measures” to protect patient information prior to the breach, the attacker targeted specific weaknesses within the system. On Feb. 18, 2014, an employee within an Anthem subsidiary opened a phishing email, allowing the attacker to gain remote access to the computer and then move laterally across  accounts, including the insurer’s enterprise data warehouse where the bulk of the information was stolen.

    Investigators believe perpetrators of the 2015 Anthem hack that exposed personal records of more than 78 million people may have been acting on behalf of a foreign government, exploiting weaknesses in the insurer’s system that are commonplace within the industry.

    Investigators determined the identity of the hacker with “high confidence.” They concluded with “medium confidence” that the attacker was working on behalf of a foreign government, but didn’t identify the offenders. Officials have previously linked the attack to Black Vine, a Chinese cyber-espionage group. Symantec, the cyber-security firm, says it’s “highly resourceful” and been targeting several high profile entities since 2012, and believes it’s behind the Anthem attack.

     Africa’s health care’s not immune. While cyber-crime opportunities may be more attractive in other health systems, Africa still needs effective cyber-security

  • US FDA issues cyber-security guideline for medical devices

    As cyber-criminals find new ways into eHealth, the US Food and Drug Administration (FDA) seeks to minimise the holes and risks in medical devices, many of which are part of eHealth networks. Its guidance in Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff sets out obligation on manufacturers by encouraging them to address cyber-security throughout device lifecycles. It extends across pre-market and post-market activities, so “Design, development, production, distribution, deployment and maintenance.”

    It’s both realistic and practical. The guidance recognises that the constantly evolving cyber-security risks to medical devices make it impossible to mitigate risks completely by pre-market controls alone. A core action’s for manufacturers to implement comprehensive cyber-security risk management programmes and documentation. The focus of assessing the risk of patient harm should consider:

    Exploitability of cyber-security vulnerabilitiesSeverity of patient harm if vulnerabilities are exploited.

    An example of these assessments is using the Common Vulnerability Scoring System (CVVS) Version 3.0. It has several factors that combine to provide numerical ratings of high, medium and low exploitability levels, including: 

    Attack vector as physical, local, adjacent or  networkAttack complexity as high or lowPrivileges required as (none, low or highUser Interactions as none or requiredScope as changed or unchangedConfidentiality Impact as high, low or noneIntegrity Impact as none, low or highAvailability Impact as high, low or, noneExploit code maturity as high, functional, proof-of-concept or unprovenRemediation level as unavailable, work-around, temporary fix, official fix or, not definedReport confidence as confirmed, reasonable, unknown or not defined.

    As Africa’s eHealth steps up its cyber-security and regulations, the FDA’s guidance provides a constructive reminder that medical devices can’t be ignored. It’s a good starting point for Africa’s health systems to consult on and set the required eHealth regulations in place.

  • There’s a military approach to cyber-security

    When it comes to responding to threats, military organisations have a considerable range of experiences. While they only have a 50% success rate because there’s invariably a loser, the lessons learned are always valuable.

    The late John Boyd was a US Air Force fighter pilot who became a Pentagon strategist. From his experiences, he developed several theories of organisational behaviour. One was the Observe, Orient, Decide and, Act Loop (OODA). It’s an information strategy for information warfare and crises, and stretches across military and business. The goal’s to defeat an enemy by psychological paralysis caused by disrupting another entity’s OODA, which’s where eHealth’s cyber-security fits in. OODA can help to disrupt cyber-criminals activities, so disrupt cyber-threats.

    Alien Vault has adopted the OODA Loop to deal with responses to cyber-incidents. It sees it as tactics rather than strategy. It fits it to cyber-security as:

    Observe: use security monitoring to identify anomalous behaviour that may need investigatingOrient: evaluate what's happening in the cyber-threat intelligence landscape and inside a healthcare organisation, making logical connections and real-time contexts to focus on priority eventsDecide: based on observations and context, choose the best tactic to minimise damage and speed up recoveryAct: remedy, recover and improve incident response procedures based on lessons learned.

    There’s a 90 second video that shows how Alien Vault combines integrated security technologies and emerging threat intelligence. The aim’s to co-ordinate threat detection, incident response, threat management, and do these very quickly. The steps are:

    Identify, isolate, and investigate indicators of compromise (IOCs) before damage occursCorrelate security events with built-in vulnerability scan data threat Intelligence to prioritise response effortsGain essential insight into attackers’ intent and techniquesRespond to emerging threats with detailed, specific actions for cyber-attacks’ contexts that guide each alertValidate that existing security controls work as plannedReport to auditors, managers and executives that incident response programmes are robust and reliable.

    If security controls don’t work as planned, they’ll need fixing. The actions and resources needed should be included in in the report to executives.

    OODA Loop’s a sophisticated, cerebral approach to cyber-security. As Africa’s health systems develop theirs, it’s valuable to keep OODA Loop in mind as a concept to work towards at a rapid pace. The attraction’s that, as cyber-criminals step up their illicit endeavours, it’s becoming a war, metaphorically.


  • Health ICT professionals may be underestimating cyber-security

    It’s a reasonable assumption that cyber-criminals are at least one step ahead. They only have to be lucky once. eHealth security measures have to be lucky all the time. A survey by Tripwire shows that health ICT teams may not have enough luck. The results and recommendations are extremely and directly relevant for Africa’s eHealth.

    It compared confidence with knowledge of health ICT security on seven core security controls needed to detect data breaches. The health ICT professionals believed they had the information needed to detect breaches quickly. They also provided contradictory information about the data, prompting Tripwire to conclude that health ICT professionals are overconfident in their ability to collect the data quickly to detect and remedy cyber-attacks.

    The findings include:

    63% of breaches occur within minutes56% took several months to detect90% say they can detect a configuration change to endpoint devices on their organisations’ networks within hours51% say they’re not sure how long it takes60% believe automated tools don’t collect some critical information needed to identify locations and departments where unauthorised devices were detected83% say the can configure changes to network devices within hours46% are unsure how long it takes43% say less than 80% of patches succeed in a typical patch cycle45% if identified vulnerabilities aren’t remedied within 30 days.

    The seven security controls that match United States Computer Emergency Readiness Team (US-CERT) requirements, and in the study were:

    Payment Card Industry Data Security Standard (PCI DSS)Sarbanes Oxley Act (SOX)North American Electric Reliability Critical Infrastructure Protection (NERC CIP)Monetary Authority of Singapore Technology Risk Management (MAS TRM)National Institute of Standards and Technology (NIST 800-53)Critical Security Controls (CIS) Top 20Internal Revenue Service (IRS) 1075.

    Tripwire’s seven recommendations from the study are for health systems to have:

    Accurate hardware inventoriesAccurate software inventoriesContinuous configuration management and hardeningComprehensive vulnerability managementPatch managementLog managementIdentity and access management.

    All these need including in Africa’s eHealth programmes. With cyber-attacks rising rapidly, they’re urgent actions.

  • Six eHealth types needing strong authentication

    One of eHealth’s perverse equity features’s that all organisation’s are vulnerable. Each one can determine its degree of vulnerability. Health IT Security has access to a white paper How to Secure Data Access Within the Healthcare Industry from VASCO and iSMG. It deals with:

    The changing role of eHealth in healthcareWhy healthcare organisations have headline-grabbing data breachesTypes of eHealth that need strong authenticationBest practices to help healthcare integrate and adopt security without compromising patient experiences.

    They identify six eHealth types that need strong identification:

    EHRsePrescribingPortal applicationsPatient applicationsmHealthNetwork infrastructure.

    Advice that Africa’s health systems should follow is:

    Security isn’t an afterthoughtBreaches negatively affect patients and healthcareCyber-criminals rely on gaps organisations’ authentication security frameworkeHealth regulators, of which there are few in Africa, should accord a high priority to data privacy and security, and set onerous standards that drive effective securityStrong authentication minimises cyber-security risk and makes it harder for cyber-criminals to reach patients’ dataEnd-to-end identity proofing solutions addressing users’ authentication and identification and facilitates secure information exchange between all access points is essentialThese solutions must be platform-agnostic and provide the same level of security across mobile, desktop and proprietary technology, and allow for integration of various technology protocols, such as Bluetooth, token and smartcard.

    Many of Africa’s eHealth programmes have much ground to cover to erect bigger barriers to deter cyber-attacks. eHNA has posted numerous times on the topic, and one theme, regular users’ training, emerges as an essential requirement. The posts are tagged “Cyber-security” to help you access them.