Siemens says that there’s no evidence its scanners have been compromised – but the patches will be ready by the end of the month
Archive for the ‘healthcare’ Category
DoD networks have been compromised, the Shadow Brokers continue their exploits, a Pennsylvania healthcare system gets hit with Petya, and more. Jason Wood of Paladin Security joins us to discuss nations’ offensive technical strengths and defensive weaknesses on this episode of Hack Naked News! Doug’s Stories: http://thehackernews.com/2017/06/shadowbrokers-nsa-hacker.html — Shadowbrokers continue their exploits by planning to dox […]
This is the fifth in a series of blog posts designed to help enterprise security and business executives prepare for GDPR throughout 2017
Recent ransomware incidents have put a spotlight firmly on the state of security within healthcare and there’s a perception that this industry is trailing others. Is that fair?
If we look at data loss prevention (DLP), which is particularly relevant with GDPR now less than a year away, then the 2016 Data Protection Benchmark Study from the Ponemon Institute, sponsored by McAfee, sheds some light. It puts healthcare “running about six months behind other industries” in terms of DLP deployment length and maturity.
And that’s important, not just because healthcare can be a matter of life and death, but because of the value of that particular data. Ponemon puts an average value of $355 on each patient record.
Meanwhile healthcare comes in second to only financial services in Verizon’s 2017 Data Breach Investigations Report, accounting for 15 per cent of all breaches.
So is this a perfect storm? On the one hand GDPR will mean significant penalties and a consistent framework to adhere to, while on the other hand the bad guys see an industry with valuable data that could be better protected.
Intel’s recent research, covering 88 healthcare and life sciences organisations across nine countries, highlights a staggering range in readiness for attacks such as ransomware, judging by the number of relevant security capabilities these organisations have in place. It may seem strange to connect a discussion on GDPR and ransomware, but it makes sense. What is ransomware if not a denial of service against data, and how can you be sure that attackers can’t access the data they just encrypted? If you can’t stop the ransomware in the first place, there is a good chance you can’t stop the exfiltration in the next phase of the attack.
However, there are sensible steps the healthcare industry can take to become GDPR-ready. For these causes of data loss in healthcare, for example, Verizon’s report recommends specific actions:
- Miscellaneous errors – which in 76 per cent of cases are embarrassingly pointed out by a customer – Have, and enforce, a formal procedure for disposing of anything that might contain sensitive data. And establish a four-eyes policy for publishing information.
- Physical theft and loss – Encrypt data at rest wherever possible and establish handling procedures for printing out sensitive data.
- Insider and privilege misuse – Implement limiting, logging and monitoring of use, and watch out for large data transfers and use of USB devices.
We would more broadly add that you can’t protect what you can’t detect. Visibility is key. As the Ponemon research put it, DLP solutions should cover data at rest, in processing and in motion, on the corporate network, endpoints and clouds. They form the basis of a good data security programme. Adequate staffing is also important and while automation and machine learning will help, they cannot replace staff entirely.
Some final guidance: Organisations can protect their sensitive data and be more likely to be GDPR-ready by taking these five critical steps:
- Conduct an Impact and Readiness assessment
- Review current data security programme to ensure you can prevent accidental and malicious data theft attempts
- Assess application and DevOps security controls and procedures
- Review your use of cloud infrastructure and software-as-a-service to minimise exposure to data loss
- Develop specific data breach detection and response capability in the SOC
The post Preparing for GDPR – Navigating a Perfect storm in Healthcare appeared first on McAfee Blogs.
More ransomware: this one changes your file extensions to .MOLE, thus the name.
Regulations take many forms, depending upon the industry, the region, and the type of data being protected, but one thing is consistent among them: regulators frown on poor data-protection practices. Compliance can be a chore, and many organizations try to minimize the pain by taking a “one and done” approach. They go through all the necessary steps once and then walk away, assuming the job is done.
Unfortunately, cyber criminals don’t agree. Their tactics are always changing, as are the types of data they seek to steal.
Take healthcare records. It’s safe to say that when U.S. healthcare organizations implemented the Health Insurance Portability and Accountability Act (HIPAA) compliance plans a decade ago, they didn’t expect that these records would become such a hot commodity. And until recently criminals didn’t bother much with them, preferring to pilfer credit card and bank account numbers instead. But as financial institutions have turned up their defenses, crooks have discovered that there’s gold in medical data and even an entire hidden data economy for stolen medical data.
More than 100 million healthcare records were stolen last year, an 11,000% increase over 2014. It turns out that those data troves often contain Social Security numbers, credit card data, and insurance information, which can be used to fraudulently dispense prescriptions and pay for operations. Stolen credit cards go for a couple of dollars on the black market, but insurance records can command $60 each.
With the rise of state-sponsored hacking, new types of healthcare information have also come into play. For example, field trial data about new medications is now a prime target for hackers engaged in corporate espionage or biological warfare. Five years ago, that wasn’t a major issue.
Tactics also change. Few people had even heard of ransomware three years ago; today it’s one of the leading forms of malware. Ransomware is primarily spread through phishing attacks, which demands that organizations exercise increased vigilance with email filtering.
New regulations are raising the bar on compliance. The European Union’s General Data Protection Regulation (GDPR) promises strict rules for protecting data and disclosing data breaches – and hefty fines for non-compliance. While the GDPR doesn’t go into effect until 2018, any organization that does business in Europe needs to begin preparing now for the upcoming changes.
What to do
Compliance tactics for safeguarding data must adjust for this new reality. Most regulations are unspecific about how data should be protected, which is both a good and a bad thing. The positive is that your organization has some flexibility in implementing protections. The negative is that there’s no way to get inside the minds of regulators who come calling for an audit.
A few basic tactics will serve you well.
- Work closely with your legal counsel and internal auditors to understand any specific rules that apply to your company or industry. They shouldn’t be shy about calling up regulators for guidance.
- Scan your inventory to see what kind of information you have. If credit card numbers or Social Security numbers are in your files, you’ll need to protect them. Ignorance is not an excuse, and auditors will give you points for having done this spade work.
- Match protection measures to the data. For example, names and ages may not need to be protected as carefully as financial records and insurance account numbers. Encrypting or tokenizing sensitive data is a good step, but be sure any accounts that have access to encryption keys or tokens are secured with two-factor authentication. The first thing attackers look for is password files.
- Use data loss prevention (DLP) to automatically discover and classify information. DLP software can be set to issue warnings, challenges or outright denials to requests for data. It’s a particularly useful tool for preventing disclosure – whether intentional or not – by insiders.
- Make compliance part of someone’s job. Adherence demands paying close attention to trends and vulnerabilities. One or more people should be accountable for tracking these changes. Auditors will appreciate that when they come to call.
In-brief: SAP AG announced alliances with a string of software and hardware makers to provide end-to-end security for Internet of Things deployments. Check Point and Intel are among the company’s partners. We noted last week that enterprise systems by the likes of Oracle and SAP are proving to be weak links in the Internet of Things security chain. That story pointed to a piece over at VICE’s Motherboard covering research suggesting that ERP (enterprise resource planning) platforms are being targeted in attacks on firms in the oil and gas industry. Well, it seems that security in the context of IoT isn’t lost on huge platform vendors like SAP. Note this news from Inside SAP about a raft of new partnerships that seek to address security up and down the chain. Among the companies SAP said it will partner with are Check Point Software Technologies, for “a security architecture designed to […]
Ars is looking to hire someone to cover healthcare, medicine, and all things related to the science of the body! Our ideal candidate knows the difference between absolute and relative risk and would be able to intelligently discuss both the facts and the real-world implications of health care policy and law. They’d also be interested in how technology is changing the shape of healthcare.
The candidate would cover topics ranging from medical research and progress of emerging diseases to consumer hardware that monitors health and fitness; we might also send you to DR Congo to cover an Ebola outbreak. Ha ha! Kidding! (Maybe.)
This is a full-time position with benefits, including insurance and 401(k), reporting to the Ars Technica editor-in-chief. As with all jobs at Ars, there are daily writing expectations—the candidate would have a regular output of news about healthcare and research happenings and would also write longer report-length (500-1,000 words) and feature-length (2,000+ words) in-depth pieces about topics as they come up. You’ll get to work closely with two senior editors as part of your job and have an opportunity to develop your own editing skills.
Connected devices are working wonders for managing treatment, but their integration with consumer technology and cloud computing raises significant security issues.
What has been happening over the past week or month with your blood pressure, heart rate, glucose level, respiration, or oxygen levels? How much and what type of exercise do you do, and what effect is it having? While the answers to these questions may not be on the tip of your tongue, wearable medical technologies can monitor, store, and transmit this data, providing your healthcare team with more granular information than they have ever had outside of a hospital. These and other connected healthcare devices are improving diagnosis, treatment, and quality of life, while reducing costs.
How much do you weigh? What do you eat? What medications are you taking? What diseases or conditions do you have? Medical information is also one of the most personal and private aspects of our society. While it is important for your healthcare professionals to know these things, it is equally important to keep them private from those who may use the information to take advantage of or discriminate against you.
Tiny devices that can be worn, implanted, or even ingested are being invented at an accelerating pace. And they are not just monitoring, but taking an active role in managing a long list of things, including hearts, pain, insulin, and seizures. These devices are working wonders for managing treatment and quality of life outside of hospitals. But their connectivity and integration with consumer technology and cloud computing raise significant security issues. The biggest concerns are privacy violations and intentional disruptions, and one high-profile security incident could discourage adoption for decades.
Personal medical information is valuable to cyber criminals. While stealing credit card numbers is big business, the stolen card has no value once it is reported stolen. Stolen medical data, on the other hand, can be sold for insurance fraud repeatedly and can continue to add value for years. And we can only imagine what other unethical and illegal uses criminals could come up with.
Security By Design
Managing and reducing these security concerns requires a change in how we design, develop, and regulate connected healthcare devices. The first step is a focus on security by design, making upfront investments that will pay back benefits to the device manufacturers and the healthcare community for years. Sharing best practices and building shared or open-source libraries of common functions would go a long way to quickly improving security across the industry.
Then we need better collaboration among vendors, medical practitioners, and regulators to openly discuss and resolve issues, enable innovation and effectiveness, and safeguard the public interest. Regulators themselves need to review the approval process, taking into consideration the pace of technological change and the cloud nature of data that crosses national and corporate borders, while continuing to protect patients. Finally, we need to learn from social media and customer centric design, listening better to the voices of the patients and families involved and incorporating their feedback.
Connected healthcare devices deliver highly personal benefits, embedding the Internet into medical processes. With these tools, we are already seeing improved medical outcomes, better quality of life, and lower healthcare costs, and we are just at the beginning of this transformation. Incorporating security by design, increasing collaboration, and evolving the regulatory process will ensure these benefits are not lost to cybercrime and security breaches.
For more information on the topic, check out the Atlantic Council’s recent report, The Healthcare Internet of Things: Rewards and Risks.
View the original post on Dark Reading.
The post The Promises And Perils Of The Healthcare Internet Of Things appeared first on McAfee.
After 2 months of patient data exposed for anyone to see, Cottage Health System’s insurance policy should have come as a relief. It didn’t.