Healthcare and Technology news

HIMSS Survey Finds Two-Thirds of Healthcare Organizations Experienced a Significant Security Incident in Recent Past


Cybersecurity was identified as an increased business priority over the past year according to 87 percent of respondents in the newly released 2015 HIMSS Cybersecurity Survey (http://www.himss.org/2015-cybersecurity-survey). Two-thirds of those surveyed also indicated that their organizations had experienced a significant security incident recently. Released at the Privacy and Security Forum, held in Chicago from June 30-July 1, this research reflects the continued cybersecurity concerns of healthcare providers regarding the protection of their organizations’ data assets.


“The recent breaches in the healthcare industry have been a wake-up call that patient and other data are valuable targets and healthcare organizations need a laser focus on cybersecurity threats,” said Lisa Gallagher, Vice President of Technology Solutions, HIMSS. “Healthcare organizations need to rapidly adjust their strategies to defend against cyber-attacks. This means implementing threat data, incorporating new tools and sophisticated analysis into their security process.”


The survey of 297 healthcare leaders and information security officers across the industry also found that at least half of respondents made improvements to network security, endpoint protection, data loss prevention, disaster recovery and IT continuity. Despite the protective technologies available, most respondents felt only an average level of confidence in their organizations’ ability to protect their IT infrastructure and data.


Key findings from the survey include the following:


  • Respondents use an average of 11 different technologies to secure their environment and more than half of healthcare organizations surveyed hired full time personnel to manage information security
  • 42 percent of respondents indicated that there are too many emerging and new threats to track
  • More than 50 percent of information security threats are identified by internal security teams
  • 59 percent of survey respondents feel the need for cross-sector cyber threat information sharing
  • 62 percent of security incidents have resulted in limited disruption of IT systems with limited impact on clinical care and IT operations
  • 64 percent of respondents believe a lack of appropriate cybersecurity personnel is a barrier to mitigating cybersecurity events
  • 69 percent of respondents indicated that phishing attacks are a motivator for improving the information security environment
  • 80 percent use network monitoring to detect and investigate information security incidents
  • 87 percent of respondents reported that antivirus/anti-malware tools have been implemented to secure their healthcare organizations’ information security environment

The Security Risks of Medical Devices

There are a large number of potential attack vectors on any network, and medical devices on a healthcare network are certainly one of them. While medical devices represent a potential threat, it is important to keep in mind that the threat level posed by any given medical device should be determined by a Security Risk Assessment (SRA) and dealt with appropriately.

So let’s assume the worst case and discuss the issues associated with medical devices. First off, it must be recognized that any device connected to a network represents a potential incursion point. Medical devices are regulated by the FDA, and that agency realized the security implications of medical devices as far back as November 2009, when it issued this advisory. In it, the FDA emphasized the following points:

  • Medical device manufacturers and user facilities should work together to ensure that cybersecurity threats are addressed in a timely manner.
  • The agency typically does not need to review or approve medical device software changes made for cybersecurity reasons.
  • All software changes that address cybersecurity threats should be validated before installation to ensure they do not affect the safety and effectiveness of the medical devices.
  • Software patches and updates are essential to the continued safe and effective performance of medical devices.


Many device manufacturers are way behind on cybersecurity issues. As an example, many devices are still running on Windows XP today, even though we are one year past the XP support deadline. Manufacturers are often loath to update their software for a new operating system. In other situations device manufacturers use the XP support issue as a way to force a client to purchase a new device at a very high price. All healthcare facilities would be well advised to review any purchase and support contracts for medical devices and make sure that things such as Windows upgrades do not force unwanted or unnecessary changes down the road. While there are options to remediate risks around obsolete operating systems, they are unnecessary and costly. Manufacturers should be supporting their products in a commercially reasonable manner.

Why would anyone be interested in hacking into a medical device? Of course there are those that would argue that anything that can be hacked will be hacked, “just because”. While it is possible that hacking could also occur to disrupt the operations of the device, the more likely reason is that getting onto a medical device represents a backdoor into a network with a treasure trove of PHI that can be sold for high prices on the black market. Medical devices are often accessible outside of normal network logon requirements. That is because manufacturers maintain separate, backdoor access for maintenance reasons.


Hackers armed with knowledge of default passwords and other default logon information can have great success targeting a medical device. For example, this article details examples of a blood gas analyzer, a PACS system and an X-Ray system that were hacked. Many times healthcare IT departments are unaware or unable to remediate backdoor access to these systems. These are perhaps more “valuable” as a hack because they are hard to detect and can go unnoticed for a long period of time. As a reminder, the Target data breach last year was initiated because the access that a third party had to the retailer’s network was compromised. A complete SRA should inventory all network connected medical devices and analyze the access/credentials that a device has, and any associated security threat. The best defense is a good offense – make sure that networked devices have proper security built in and implemented. Then your devices will no longer be “the weak link in the chain”.
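The article's closing advice is that a complete SRA should inventory every network-connected medical device and analyze its access, credentials and the associated threat. The script below is an added example of that inventory-driven triage; it is not code from the article or from any vendor. The device records are constructed sample data, and the scoring weights, the `UNSUPPORTED_OS` list and the rating thresholds are assumptions chosen for illustration, not a published standard.

```python
"""Inventory-driven risk triage for networked medical devices.

Added example, not from the original article. The device records below are
constructed sample data; the scoring weights and rating thresholds are
assumptions chosen to illustrate the approach, not a published standard.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: operating systems whose vendor no longer ships security patches.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003", "Windows Embedded Standard 2009"}


@dataclass(frozen=True)
class MedicalDevice:
    """One row of the SRA asset inventory (constructed fields)."""
    name: str
    os: str
    vendor_maintenance_access: bool    # manufacturer keeps a separate remote path in
    default_credentials_changed: bool  # facility replaced the vendor default logon
    isolated_segment: bool             # device sits on a restricted VLAN, not the LAN
    stores_phi: bool                   # device holds identifiable patient data


@dataclass
class Assessment:
    device: str
    score: int
    rating: str
    findings: Tuple[str, ...]


def assess_device(d: MedicalDevice) -> Assessment:
    """Turn the inventory row into findings and a coarse risk rating.

    Each finding maps to a point in the article: obsolete OS, manufacturer
    backdoor access, unchanged default logons, flat network placement, and
    the PHI that makes the device a worthwhile target in the first place.
    """
    findings: List[str] = []
    score = 0
    if d.os in UNSUPPORTED_OS:
        findings.append(f"runs {d.os}, which no longer receives vendor patches")
        score += 3
    if d.vendor_maintenance_access:
        findings.append("manufacturer maintenance path bypasses normal network logon")
        score += 2
    if not d.default_credentials_changed:
        findings.append("still uses vendor default credentials")
        score += 3
    if not d.isolated_segment:
        findings.append("reachable from the general network, not an isolated segment")
        score += 2
    if d.stores_phi:
        findings.append("stores PHI, so a compromise is a reportable breach")
        score += 1
    # Assumed thresholds: 6+ high, 3-5 medium, otherwise low.
    rating = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return Assessment(d.name, score, rating, tuple(findings))


def assess_inventory(devices: List[MedicalDevice]) -> List[Assessment]:
    """Assess every device and return them worst-first for remediation planning."""
    return sorted((assess_device(d) for d in devices), key=lambda a: a.score, reverse=True)


# Constructed inventory: the three device types the article mentions.
INVENTORY = [
    MedicalDevice("blood-gas-analyzer-01", "Windows XP", True, False, False, True),
    MedicalDevice("pacs-server-01", "Windows Server 2012", True, True, True, True),
    MedicalDevice("xray-workstation-03", "Embedded Linux", False, True, True, False),
]


def main() -> None:
    for a in assess_inventory(INVENTORY):
        print(f"{a.device}: {a.rating} (score {a.score})")
        for f in a.findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```

The ratings are only as good as the inventory behind them: the two columns that most often go unfilled in practice, `vendor_maintenance_access` and `default_credentials_changed`, are exactly the ones the article says IT departments are unaware of, so the value of running this lies in forcing those questions to be asked of each device and its vendor.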


Healthcare data security is like a box of chocolates


The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon Institute had more surprises than Forrest Gump’s box of chocolates – surprises that were far from palatable. One key finding was that criminal attacks are up 125 percent and are now the leading cause of healthcare data breaches. Other results of the study were just as unsettling:


Surprise 1: Sixty-five percent of healthcare organizations do not offer any protection services for patients whose information has been lost or stolen. With cyber threats on healthcare data mounting, this is unacceptable. Ironically, the Ponemon study also found that 65 percent of healthcare organizations—the same percentage that don’t offer protection services—believe patients whose records have been lost or stolen are more likely to become victims of medical identity theft.


According to the Ponemon Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014. Many medical identity theft victims report they have spent an average of almost $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records. Healthcare organizations and business associates must make available medical identity monitoring and identity restoration services to patients whose healthcare records have been exposed.


On the other hand, the majority of people still don’t understand the serious risk of medical identity theft. They pay more attention to their credit score and financial information than they do their insurance EOBs or medical records. They don’t understand that while a credit card can be quickly and easily replaced, their medical identity can take years to be restored. When their records become polluted, patients can be misdiagnosed, mistreated, denied much needed medical services, or billed for services not rendered. Medical identity theft can literally kill you, as ID Experts CEO Bob Gregg has said.


Surprise 2: The average cost of a healthcare data breach has stayed fairly consistent over the past five years – $2.1 million. This is in contrast to the average total cost of data breach in general, which has risen 23 percent over the past two years to $3.79 million, according to another recent Ponemon report, 2015 Cost of Data Breach Study: Global Analysis. Cyber liability insurance to cover notification costs, better options for identity monitoring, and more privacy attorneys offering help should reduce the cost of healthcare data breaches over time.


Healthcare organizations can take proactive steps to reduce the likelihood and impact of a data breach. This means addressing the tactical issues of protecting patient data. According to Dr. Larry Ponemon, founder and chairman of Ponemon Institute, healthcare organizations face “the dual challenge of reducing both the insider risk and the malicious outsider. Both require different approaches that can tax even the most robust IT security budget.” 


According to the Ponemon report, 96 percent of healthcare organizations had a security incident involving lost or stolen devices, and employee negligence is the greatest concern among these organizations. Dr. Ponemon says healthcare providers should create “a more aggressive training and education awareness program, as well as invest in technologies that can safeguard patient data on mobile devices and prevent the exfiltration of sensitive information.”

These training and awareness programs should center around protecting PHI, especially education on how to avoid phishing emails and what to do to ensure data is not disclosed. Healthcare organizations must also collaborate with their business associates to also ensure they have similar programs in place. 


For external risks such as the growing number of criminal attacks, Dr. Ponemon says that healthcare providers must “assess what sensitive data needs to be monitored and protected, and the location of this data.” I would add that board and executive management must recognize that professional hackers are targeting health data and records and, as mentioned earlier, that such attacks are now the leading cause of data breaches in healthcare. This awareness should spur enterprise-wide alignment in addressing cyber threats.


Surprise 3: Too many healthcare organizations take an ad-hoc approach to incident risk assessment. Only 50 percent of healthcare organizations in the study performed the four-factor risk assessment following each security incident, as required by the HIPAA Final Rule. Of that 50 percent, 34 percent used an ad hoc risk assessment process, and 27 percent used a manual process or tool that was developed internally.


This practice is not acceptable. Healthcare organizations now have software tools available to help automate and streamline processes such as risk assessment and data breach response. By supporting consistent and objective analysis of security incidents, providing a central repository for all incident information, and streamlining the documentation and reporting process, these tools can improve outcomes and free an organization’s privacy and security staff to spend more time on prevention.


So far, 2015 has been a bad year for protecting patients and their data. Increasing cyber attacks mean that even more patients and their data will be put in harm’s way. While nobody can escape the inevitable security incidents, it is my hope that we can all learn lessons from the Ponemon study and each other, and work more collectively so that next year will bring fewer unpleasant surprises and many more happy ones.


The radical potential of open source programming in healthcare


Everyone wants personalized healthcare. From the moment they enter their primary care clinic they have certain expectations that they want met in regards to their personalized medical care.


Most physicians are adopting a form of electronic healthcare, and patient records are being converted to a digital format. But electronic health records pose interesting problems related to sorting through vast amounts of patient data.


This is where open source programming languages come in, and they have the ability to radically change the medical landscape.

So why aren’t EHRs receiving the same care that patients expect from their doctor? There are a variety of answers, but primarily it comes down to how the software interprets certain types of data within each record. There are a variety of software languages designed to calculate and sort through large amounts of data that have been out for years, and one of the most prominent languages is referred to as “R”.

What is R?

According to r-project.org “R is an integrated suite of software facilities for data manipulation, calculation, and graphical display.” Essentially this programming language has been built from the ground up to handle large statistical types of data.


Not only can R handle these large data sets, but it has the ability to be tailored to an individual patient or physician if needed. There are a variety of other languages focused on interpreting this type of data, but other languages don’t have the ability to handle it as well as R does.

How can a language like R change the way in which EHRs function?

Take, for instance, the recent debate regarding immunization registries. EHRs contain valuable patient data, including information associated with certain types of vaccine.


If you were able to cross reference every patient that had received a vaccine, and the side effects associated with said vaccine, then you could potentially sort out what caused the side effect and create prevention strategies to deter that certain scenario from happening again.


According to Victoria Wangia of the University of Cincinnati, “understanding factors that influence the use of an implemented public health information system such as an immunization registry is of great importance to those implementing the system and those interested in the positive impact of using the technology for positive public health outcomes.”


This type of system could radically change the way we categorize certain patient health information.


Programming languages like R have the ability to map areas that have been vaccinated versus those that haven’t. This would be ideal for parents who wish to send their children to a school where they know that “x” number of students have received a shot versus those that haven’t. Of course, these statistics would be anonymous, but this information might be critical for new parents who are looking for a school that fits their needs.


This technology could have much bigger implications pertaining to personalized data, specifically healthcare records. Ideally, an individual could tailor this programming language to focus on inconsistencies within patient records and find future illnesses that people are unaware of.


This has the potential to stop diseases from spreading, even before the patient is aware that they might have a life threatening illness. Although such an intervention wouldn’t necessarily stop a disease, it could be a great prevention tool that would categorize certain types of illness.

Benefits of open source

One of the more essential functions that R offers is the ability to be tailored to patient or doctor’s needs. Most information regarding patient health depends on how a physician documents the patient encounter, but R has the ability to sort through a wide variety of documentation pertaining to important statistical information that is relevant to physician needs. This is what makes open source programming languages ideal for the medical field.


One of the great components associated with open source programming languages in the medical field is the cost. R is a completely free language to start working in, and there is a large amount of great documentation available to start learning the language. The only associated cost would be paying a developer to set up, or create a program that quickly sorted through personalized information.


Essentially, if you were well rounded in this language, the only cost associated with adopting it would be the paper you would need to print information on.


Lastly, because of HIPAA, the importance of information security has been an issue, and should be a primary concern when looking at any sensitive electronic document. Cyber security is always going to be an uphill battle, and in the end if someone wants to get their hands on certain material, they probably will.


Data breaches have the ability to cost companies large amounts of money, and not even statistical data languages are safe from malicious intent. A recent issue has been the massive amount of resources that are being built in R that have been shared online. Although this is a step in the right direction for the language, people are uploading malicious code. But if you are on an encrypted machine, ideally the information stored on that machine is also encrypted. Cloud based systems like MySQL, a very secure open source server designed to evaluate data, offer great solutions to these types of problems.


These are some of the reasons why more physicians should adopt these types of languages, especially when dealing with EHRs. The benefits of implementing these types of systems will radically alter the way traditional medicine operates within the digital realm.


More statistical information about vaccinations and disease registries would greatly benefit those that are in need. The faster these types of systems are implemented, the more people we are able to help before their diseases become life threatening.



IBM Announces Deal to Acquire Both Phytel and Explorys; Goal Is Data Transformation


Senior executives at the Armonk, N.Y.-based IBM announced in a press conference held on Monday afternoon, April 13, at the McCormick Place Convention Center in Chicago, during the course of the HIMSS Conference, that it was acquiring both the Dallas-based Phytel and the Cleveland-based Explorys, in a combination that senior IBM executives said held great potential for the leveraging of data capabilities to transform healthcare.


Both Phytel, a leading population health management vendor, and Explorys, a healthcare intelligence cloud firm, will become part of the new Watson Health unit, about which IBM said, “IBM Watson Health is creating a more complete and personalized picture of health, powered by cognitive computing. Now individuals are empowered to understand more about their health, while doctors, researchers, and insurers can make better, faster, and more cost-effective decisions.”


In its announcement of the Phytel acquisition, the company noted that, “The acquisition once completed will bolster the company’s efforts to apply advanced analytics and cognitive computing to help primary care providers, large hospital systems and physician networks improve healthcare quality and effect healthier patient outcomes.”


And in its announcement of the Explorys acquisition, IBM noted that, “Since its spin-off from the Cleveland Clinic in 2009, Explorys has secured a robust healthcare database derived from numerous and diverse financial, operational and medical record systems comprising 315 billion longitudinal data points across the continuum of care. This powerful body of insight will help fuel IBM Watson Health Cloud, a new open platform that allows information to be securely de-identified, shared and combined with a dynamic and constantly growing aggregated view of clinical, health and social research data.”


Mike Rhodin, senior vice president, IBM Watson, said at Monday’s press conference, “Connecting the data and information is why we need to pull the information together into this [Watson Health]. So we’re extending what we’ve been doing with Watson into this. We’re bringing in great partners to help us fulfill the promise of an open platform to build solutions to leverage data in new ways. We actually believe that in the data are the answers to many of the diseases we struggle with today, the answers to the costs in healthcare,” he added. “It’s all in there, it’s all in silos. All this data needs to be able to be brought into a HIPAA-secured, cloud-enabled framework, for providers, payers, everyone. To get the answers, we look to the market, we look to world-class companies, the entrepreneurs who had the vision to begin to build this transformation.”


Study to Probe Healthcare Cyber-Attacks


In the wake of the recent hacker attacks on Anthem Inc. and Premera Blue Cross that compromised personal data on millions of individuals, the Health Information Trust Alliance is attempting to launch a study to get a better understanding of the severity and pervasiveness of cyber-attacks in the healthcare sector, as well as the attackers' methods.


HITRUST, best known for its Common Security Framework, hopes to recruit hundreds of participants for its "Cyber Discovery" study. Organizations that join the study will monitor for signs of attacks for a 90-day period using data gathered with Trend Micro's threat discovery technology, which works with security information and event management systems. "It's like a big sandbox that works in a passive mode and collects everything and tries to analyze everything that comes into the sandbox," Dan Nutkis, HITRUST CEO, tells Information Security Media Group.


Participants can use the data that's collected and analyzed by the technology for their own cyber-intelligence activities. For the study, the participating organizations will provide anonymized data regularly to HITRUST for analytical purposes. "We don't have the name of the organization, just the type of organization," Nutkis says.

Security expert Mac McMillan, CEO of security consulting firm CynergisTek, says that as long as HITRUST can guarantee the data collected from healthcare organizations is anonymized, the alliance might be able to attract participants. And if there are enough participants, "a study such as this based on empirical data can paint a relevant picture with respect to the risk that healthcare entities face, and therefore, would be very valuable if done correctly," adds McMillan, chair of the HIMSS Privacy & Security Policy Task Force.

HITRUST hopes to have the necessary software and hardware installed at all the participating organizations by the end of May, Nutkis says. It will publish an initial report of findings and recommendations approximately four months from the launch of the project.

Digging In

The organization is seeking about 210 voluntary participants from the healthcare sector, including insurers, hospitals, accountable care organizations and clinics. Each will participate for 90 days or longer, Nutkis says. Participants do not have to be members of HITRUST to qualify.


Each participating healthcare organization will get free use of the Trend Micro technology during the study. Trend Micro will install the appliance and train organizations how to use it and how to conduct the forensics analysis, Nutkis says.


"The goal is to understand the threat actors, the methods and their targets," he says. Among the questions to be addressed, he says, are: "Are these actors targeting health plans or are they targeting specific types of equipment or types of data? Are they after PHI or PII? What's the level of persistence? What's the duration of them trying to get in? Do they keep coming back?"


The study aims to accurately identify attack patterns as well as the magnitude and sophistication of specific threats across enterprises, he says.

Recent Attacks

When it comes to the recent attacks on Anthem and Premera, and their significance to the healthcare sector, "there's a lot of speculation and conjecture about what's going on," he says. "There was a great level of concern after the Community Health System attack" last year, in which hackers compromised data of about 4.5 million individuals. Because they were reported about six weeks apart, the Anthem and Premera breaches raised concerns about whether they were related, he says. While those breach investigations are still ongoing, the healthcare sector is trying to understand who's being targeted, how and for what data, he explains.


Nutkis says HITRUST will consider whether to repeat the study annually to track emerging trends.


McMillan, the consultant, says the value of the study to the healthcare sector will ultimately depend on what is examined. "For instance, will it address social engineering or things like phishing? Phishing is a huge issue for healthcare right now and is believed to have had a role in many of the high-profile breaches of last year."



Health checks by smartphone raise privacy fears


Authorities and tech developers must stop sensitive health data entered into applications on mobile phones ending up in the wrong hands, experts warn.

As wireless telecom companies gathered in Barcelona this week at the Mobile World Congress, the sector's biggest trade fair, specialists in "e-health" said healthcare is fast shifting into the connected sphere.

"It's an inexorable tide that is causing worries because people are introducing their data into the system themselves, without necessarily reading all the terms and conditions," said Vincent Genet of consultancy Alcimed.

"In a few years, new technology will be able to monitor numerous essential physiological indicators by telephone and to send alerts to patients and the specialists who look after them."

More and more patients are using smartphone apps to monitor signs such as their blood sugar and pressure.

The European Commission estimates the market for mobile health services could exceed 17.5 billion euros (19 billion euros) from 2017.

The Chinese health ministry's deputy head of "digital health", Yan Jie Gao, said at the congress on Wednesday that the ministry planned to spend tens of billions of euros (dollars) by 2025 to equip 90,000 hospitals with the means for patients to contact them online securely.

Patients are entering health indicators and even using online health services for long-distance consultations with doctors whom they do not know.

"There is a steady increase in remote consultations with medical practitioners," particularly in the United States, said Kevin Curran, a computer scientist and senior member of the Institute of Electrical and Electronics Engineers.

"Your doctor can be someone who's based in Mumbai. We have to be very careful about our data, because they're the ones who probably will end up storing your data and keeping a record of it."

- Cloud-based healthcare -

Other users are entering personal health data into applications on their smartphones.

This kind of "e-health" could save governments money and improve life expectancy, but authorities and companies are looking to strengthen security measures to protect patients' data before such services become even more widespread.

"I think tech companies are becoming more concerned with privacy and encryption now," said Curran.

"The problem quite often is that a lot of this data is stored not on the phone or the app but in the cloud," in virtual storage space provided by web companies, he added.

"We are at the mercy of who the app providers are and how well they secure the information, and they are at the mercy sometimes of the cloud providers."

Others fear that insurance companies will get hold of customers' health information and could make them pay more for coverage according to their illnesses.

Various sources alleged to AFP that health insurance companies have been buying data from supermarkets about what food customers were buying, drawn from the sales records of their loyalty cards, following media reports to that effect.

The kind of "e-health" indicator most sought after by patients is fitness-related rather than information on illnesses, however, said Vincent Bonneau of the research group Idate.

A study by Citrix Mobile, a specialist in wireless security, showed that more than three quarters of people using e-health applications were doing so for fitness reasons rather than for diagnosing illnesses.



Medical identity theft sees sharp uptick


The number of patients affected by medical identity theft increased nearly 22 percent over the past year, according to a new report from the Medical Identity Fraud Alliance – an increase of nearly half a million victims since 2013.


In the five years since the survey began, the number of medical identity theft incidents has nearly doubled to more than two million victims, according to MIFA, a public/private partnership committed to strengthening healthcare by reducing medical identity fraud.

"Over the past five years, we've seen medical identity theft steadily rising with no signs of slowing," said Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the study. "Our research shows more than two million Americans were victims of medical identity theft in 2014, nearly a quarter more than the number of people impacted last year."

In San Diego March 5-6, the two-day Privacy & Security Forum, presented by Healthcare IT News and HIMSS Media, featuring 26 sessions and 40 speakers from healthcare organizations such as Kaiser Permanente and Intermountain Healthcare, will put the focus on cyber crime and data security, discussing best practices to help keep these numbers in check.


Other findings from the report:

  • Sixty-five percent of medical identity theft victims surveyed paid more than $13,000 to resolve the crime. In 2014, medical identity theft cost consumers more than $20 billion in out-of-pocket costs. The number of victims experiencing out-of-pocket cost rose significantly from 36 percent in 2013 to 65 percent in 2014.
  • Victims are seldom informed by their healthcare provider or insurer. On average, victims learn about the theft of their credentials more than three months following the crime and 30 percent do not know when they became a victim. Of those respondents (54 percent) who found an error in their Explanation of Benefits, about half did not know to whom to report the claim.
  • In many cases, victims struggle to reach resolution following a medical identity theft incident. Only 10 percent of survey respondents reported achieving completely satisfactory conclusion of the incident. Consequently, many respondents are at risk for further theft or errors in healthcare records that could jeopardize medical treatments and diagnosis.
  • Nearly half of respondents (45 percent) say medical identity theft affected their reputation in some way. Of those, nearly 90 percent suffered embarrassment stemming from disclosure of sensitive personal health conditions and more than 20 percent of respondents believe the theft caused them to miss out on career opportunities or lose employment.
  • A large majority of respondents (79 percent) expect their healthcare providers to ensure the privacy of their health records. Forty-eight percent say they would consider changing healthcare providers if their medical records were lost or stolen. If a breach does occur, 40 percent expect prompt notification to come from the responsible organization.

"2015 will be a year of increased attention to the pervasiveness and damaging effects of medical identity theft," said Ann Patterson, senior vice president and program director at MIFA, in a press statement. "As we've already seen this year, the healthcare industry is and will continue to be a major target for hackers. Stolen personal information can be used for identity theft, including medical identity theft, and the impact to victims can be life-threatening."



'Precision Medicine': Privacy Issues

Florence Comite, M.D., a pioneer in the evolving practice of "precision medicine," says extraordinary measures must be taken to protect patient privacy as more genetic and other sensitive data is collected to help personalize their care.

Precision medicine, also known as personalized medicine, involves the use of genomic, environmental, lifestyle and other personal data about patients so that clinicians can better tailor medical treatments that are potentially more effective based on an individual's characteristics.

To safeguard patients' sensitive data, Comite's New York-based endocrinology private practice had a developer build a custom electronic medical record system. The records system incorporates role-based access and encryption, as well as other features to protect patient privacy, she says in an interview with Information Security Media Group.

Comite keeps the most sensitive medical data - such as genetic data indicating that a patient potentially could develop a certain type of cancer or Alzheimer's disease - separate from other information in the patient's records, and often uses pseudonyms for patients to further protect this segregated information, she says.

Most healthcare is geared to mainstream, "one-size-fits-all" treatments that focus on treating illnesses rather than preventing them, the physician says. And most commercially available electronic records systems are built for those practicing this style of healthcare, she contends. "That's why I created my unique EMR, because I wanted to be able to collect data and equally be able to protect it in such a way that wouldn't undermine the kind of work we're trying to do."

Many patients are afraid of getting genetic testing done because of fear that sensitive data will be inappropriately released, she says. "That prevents a clinician from truly practicing what I see as the healthcare of the future."

In his recent State of the Union Address, President Obama unveiled a Precision Medicine Initiative. The White House calls the plan "a bold new research effort to revolutionize how we improve health and treat disease." In the Obama administration's fiscal 2016 budget, the Department of Health and Human Services is seeking $215 million to launch the initiative.

In the interview, Comite also discusses:

  • The risks of hacker attacks targeting sensitive health information, such as genomic data;
  • The shortcomings in HIPAA privacy notices provided to patients;
  • The work that Comite's practice will be doing with employers, and how workers' health data privacy will be protected.

Comite is an endocrinologist with multidisciplinary training in internal medicine, pediatrics, gynecology and andrology. She is a graduate of Yale University School of Medicine, where she taught for 25 years as an associate clinical professor. An early practitioner in the emerging field of precision medicine, Comite has conducted clinical research at Yale and the National Institutes of Health in Reproductive Endocrinology and Metabolism. Comite maintains a private practice, ComiteMD, in New York City.



Are you doing your security framework right?

It turns out many healthcare organizations get more than a few things wrong about their information security frameworks – big time. Whether it's about properly integrating a framework or even appropriately tailoring a framework, there's a list of items organizations should pay attention to. 
 
If done right, information security frameworks can be used to meet an organization's risk analysis requirements under the HIPAA Security Rule, in addition to helping define a "baseline of protection," said Bryan Cline, senior advisor at HITRUST Alliance, but that's only if they're properly selected and implemented. And many organizations don't necessarily do this successfully.
 
Cline, who will be speaking at the Healthcare IT News Privacy and Security Forum this March in a session on data security framework need-to-knows, says the biggest oversight he sees organizations make "is in not tailoring the framework appropriately." Added Cline, "organizations either rely on the framework without tailoring the requirements to address all reasonably anticipated threats, or they tailor the framework's requirements – usually by removing some of them – without fully understanding the additional risk that's incurred."
 
Sure, a security framework will help in the compliance arena, but improper tailoring and failure to keep it updated will inevitably lead to information-related risks being inadequately addressed, he said. Keeping the framework current is crucial, Cline said, because "frameworks also grow stale over time, as it can take several years for most frameworks to be updated and released."
 
Another big oversight, as Cline pointed out? Failing to integrate the framework into everyday operational processes. "For example," he said, "personnel with security responsibilities – whether in the security organization or elsewhere (e.g., HR or IT) – should be tied to the framework's controls and the security services that support their implementation." This, he added, would allow organizations to manage risk through managing the security services.
 
At his forum session, Cline, who is also the managing partner for Cline & Shiozawa Professional Services and previously the chief information security officer at Catholic Health East and The Children's Hospital of Philadelphia, will go over security risk management frameworks and how they can be leveraged in an organization's data protection programs. This includes, as Cline pointed out, how organizations can use these frameworks to meet risk analysis requirements under the HIPAA Security Rule.



Obama Gives Data Security Some Needed Momentum

Every year, I see Mac McMillan at HIMSS and wonder if he’ll ever be positive.

Of course I’m joking, but in a way you can’t blame McMillan—a renowned data security expert, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force, and CEO of the consulting firm, CynergisTek—for being a “Debbie Downer.” Data security in healthcare has been and is abysmal.

Every year, the Traverse City, Mich.-based Ponemon Institute releases its annual patient privacy and security study and the results are somewhat startling. This past year, 90 percent of respondents say they’ve had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period. The economic impact of a breach has remained steadily high.

And this is just one study of many, one voice of many, and one indication that healthcare has a big problem with data security. It's not exactly far-reaching to say we have a long way to go if these abysmal statistics are to reverse.

Moreover, it could get worse before it gets better. Hackers are now starting to target healthcare data holders. This week, Jason Roos, CTO at Stanford Hospital & Clinics and Stanford University Medical Center in Palo Alto, Calif., explained to me why the exposure of the threat is significant in healthcare, compared to other sectors.

One of the big problems is that it seems like a lot of high-level executives in hospitals don't care about data security until it's too late. They don't want to put protections in place, do a risk analysis, and pay for extensive training until they have the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) knocking at their door.

It’s not just healthcare that lags in this way. The retail, entertainment, finance, education, and government sectors seem to have this problem too. In our podcast conversation, McMillan called 2014 the year of the incident. You could say that again. Sony, JP Morgan, Community Health, Home Depot all had high profile breaches. Incidents were everywhere in 2014.

I guess that’s why I was excited to read about President Barack Obama’s dedication to data security, which made the news this week. Specific information on his proposal is sparse, with most details expected to be announced during the State of the Union on Tuesday, but let’s just acknowledge that something is better than nothing. As a privacy expert said in this CNET article, "This is a huge shot in the arm to a much-needed advancement for our legislative protections.”

A nationally recognized data security policy tells every higher up, whether they are in healthcare or not, “Respect the threat. Be prepared.”  

In New York, Attorney General Eric Schneiderman quietly took it a step further. He proposed a bill that would expand the definition of private information to include email addresses in combination with a password or security question and answer; require entities that store private data to have reasonable technical and physical safeguards, assess risks regularly, and obtain third-party certifications showing compliance with these requirements; and incentivize companies to provide higher levels of data security and share forensic reports with law enforcement officials. I admire the fact that he wants the strongest data security law in the country.

While these measures are not directed at the healthcare industry specifically, they very well could have a trickle-down effect that gives it the kick start that is so desperately needed. In other words, maybe in a few years, I'll go to HIMSS and Mac McMillan will be a little less annoyed at the way things are with data security in healthcare.



Cameras in operating rooms?

As you know, I’ve become rather obsessed with patient safety ever since I watched bad things happen to my dying father nearly three years ago, so I wanted to pass along a petition and gauge people’s opinions. Should cameras be mandatory in operating rooms? Some people think so. There’s obviously a growing movement in the U.S. to equip police officers with body cameras, in the name of protecting police and the public alike. There just might be a parallel for surgery teams and patients.

A petition went online late last month at Causes.com, calling on legislators to require OR cameras "to reduce harm, and learn from errors." I learned about it from John James, founder of Patient Safety America. In an e-mail, James explained, "There are many reasons to do this: educational tool, improve performance of surgeons, document skills, have an unbiased record if an adverse occurs, and reduce misstatements in medical records."
What do you think?



New malware can live inside any USB device undetected

It turns out that the stalwart USB thumbstick, or any universal serial bus device, isn't as trustworthy as once thought. According to Wired, a pair of security researchers has found we need to worry about more than just malware-infected files stored on portable drives, and now need to guard against hacks built into our geek-stick's firmware. The proof-of-concept malware Karsten Nohl and Jakob Lell have created is invisible and installable on a USB device and can do everything from taking over a user's PC to hijacking the DNS settings for your browser. Or, if it's installed on a mobile device, it can spy on your communications and send them to a remote location, similar to the NSA's Cottonmouth gadgets. If those don't worry you, perhaps the fact that the "BadUSB" malware can infect any USB device -- including keyboards -- and wreak havoc will. What's more, a simple reformat isn't enough to disinfect either, and the solution that Lell and Nohl suggest goes against the core of what many of us are used to doing.


The duo says that the only way around BadUSB is to more or less treat devices like hypodermic needles: trusting only those that have been used within our personal ecosystem and throwing away any that've come in contact with other computers. Hopefully you don't have a ton of untrustworthy Porsche sticks lying around.


Hospital employee gets indicted for fraud

A former employee at a major New York health system has been indicted, along with seven others, for stealing personal data of 12,000 patients, enabling more than $50,000 in fraud.


Manhattan's district attorney last week announced the indictment of Monique Walker, 32, a former assistant clerk at the eight-hospital Montefiore Health System, for swiping patient data and supplying it to an identity theft ring. Walker, who had access to patient names, Social Security numbers and dates of birth, among other data, reportedly printed the records of as many as 12,000 patients and supplied them to seven other individuals who used the data to make multiple purchases from department stores and retailers.


Walker, according to the New York County District Attorney's office, sold the patient records for as little as $3 per record. Co-conspirators were able to open credit cards and make several unauthorized big-ticket purchases at Barneys New York, Lord & Taylor and Bergdorf Goodman, among others. Defendants have been charged with grand larceny, unlawful possession of personal identification information, identity theft and criminal possession.


"In case after case, we've seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers," said New York County District Attorney Cyrus R. Vance Jr. in a June 18 press statement announcing the indictment. "I thank Montefiore Medical Center for taking immediate steps to alert authorities to ensure that those involved are held responsible, and moving swiftly and responsibly to notify and protect patients."

Insider misuse of patient data within healthcare organizations is nothing new. In fact, according to Verizon's annual data breach investigations report published this spring, security incidents caused by insider misuse – think organized crime groups and employee snooping – jumped from 15 percent last year to 20 percent in 2015.


"We're seeing organized crime groups actually position people where possible in healthcare organizations so they can steal information for tax fraud," Suzanne Widup, senior analyst on the Verizon RISK team, told Healthcare IT News this spring. "As organizations are putting in better monitoring and they're reviewing access logs, they're finding more cases of snooping."


As Cathleen A. Connolly, FBI supervisory special agent, explained at Healthcare IT News' Privacy & Security Forum this past March, speaking in the context of combatting insider threats within healthcare, "your people that work for you are a very large threat."


What's more, according to data from the U.S. Department of Health and Human Services, unauthorized access or disclosure accounts for 5.3 million of the patient data compromised in HIPAA breaches. 


Indiana medical software company hack exposes protected information of unknown number of patients

Medical Informatics Engineering, a Fort Wayne, Ind.-based maker of Web-based health information-technology software, said Wednesday it was the victim of a sophisticated cyber attack that exposed the protected health information of an unknown number of patients. 

MIE emphasized that patients of only some of its clients were affected, including the Fort Wayne (Ind.) Neurological Center, Franciscan St. Francis Health Indianapolis, the Gynecology Center in Fort Wayne, Rochester Medical Group in Rochester Hills, Mich., and Concentra, a national network of primary-care and specialty clinics. The company said in a statement that it is working with a third-party forensics firm to determine an "accurate number of affected patients."

MIE's clients include about 100 small- to medium-sized physician offices.

The hack includes MIE's NoMoreClipBoard subsidiary, which produces a personal health-record management system. 

The servers that were hacked held protected health information including patient names, mailing and email addresses, birthdates and, for some patients, Social Security numbers, laboratory results, dictated reports and medical conditions. Financial records were not compromised because the company does not collect or store that information, but experts told Modern Healthcare that clinical data can often be even more valuable to identity thieves.

Company officials said MIE learned about the hack after it discovered suspicious activity on one of its servers May 26, at which point it immediately launched an investigation to resolve any system vulnerabilities and reported the security breach to law enforcement, including the FBI.

Eric Jones, MIE's chief operating officer, said it's clear that, big or small, healthcare companies must deal with the serious threat of cyber attacks.

"I certainly think it's becoming obvious to most of us that this is becoming a more common occurrence," Jones said. "There are sophisticated entities out there that want to do harm and we need to be more vigilant, we need to do a better job to protect the information that we hold."

Jones said he doesn't believe that the Web-based nature of the company's software made it an easier target.

"I think everybody is vulnerable, whether your application is Web-based or if your client server is within four walls, I think there's still high risk that you could be impacted this way," Jones said.

MIE and NoMoreClipBoard began contacting clients and patients on June 2, and are offering free credit monitoring and identity protection services to affected patients for the next 24 months. The company also established a toll-free hotline to answer questions about the hack. 

Data breaches in healthcare are the most expensive to remediate and are growing more so, according to a May report from the Ponemon Institute.


Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst

CareFirst, a Blue Cross Blue Shield plan, on Wednesday became the third major health insurer in the United States to disclose this year that hackers had breached its computer systems and potentially compromised some customer information.

The attack could affect as many as 1.1 million of its customers, but CareFirst said that although the hackers gained access to customer names, email addresses and birthdates, they did not obtain sensitive financial or medical information like Social Security numbers, credit card information and medical claims. The company, which has headquarters in Maryland and serves the Washington area, said the attack occurred in June and described it as “sophisticated.”

Chet Burrell, CareFirst’s chief executive, said the company contacted the Federal Bureau of Investigation, which is investigating attacks against the insurers Anthem and Premera. “They are looking into it,” he said.



While it was not clear whether the attacks were related, he said the company was under constant assault by criminals seeking access to its systems.

Federal officials have yet to label the breaches at Anthem and Premera Blue Cross as state-sponsored hackings, but the F.B.I. is effectively treating them as such, and China is believed to be the main culprit, according to several people who were briefed on the investigations but spoke on the condition of anonymity. There are indications the attacks on Anthem, Premera and now CareFirst may have some common links.

Charles Carmakal, a managing director at Mandiant, a security firm retained by all three insurers, said in an emailed statement that the hacking at CareFirst “was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year.”

The breaches at Anthem, which is one of the nation's largest health insurers and operates Blue Cross Blue Shield plans, and Premera Blue Cross, based in Washington State, were much larger. The one at Anthem may have compromised the personal information of 79 million customers and the one at Premera up to 11 million customers.

Anthem has said the hackers may have stolen Social Security numbers but did not get access to any medical information. Premera said it was possible that some medical and bank account information may have been pilfered.

CareFirst said it was aware of one attack last year that it did not believe was successful. But after the attacks on other insurers, Mr. Burrell said he created a task force to scrutinize the company’s vulnerabilities and asked Mandiant, a division of FireEye, to perform a forensic review of its systems. Last month, Mandiant determined a breach had occurred in June 2014.

Health insurance firms are seen as prime targets for hackers because they maintain a wealth of personal information on consumers, including medical claims records and information about credit card and bank accounts.

In recent years, the attacks have escalated, said Dr. Larry Ponemon, the chairman of Ponemon Institute, which studies security breaches in health care. He said the health care industry was particularly vulnerable and that the information it had was attractive to criminals who use the data to steal the identity of consumers.

“A lot of health care organizations have been historically laggards for security,” he said.

Insurers say they are now on guard against these attacks. But Dr. Ponemon said they had taken only small steps, not “huge leaps,” in safeguarding their systems.

The motivation of the hackers in these cases, however, is unclear — whether they are traditional criminals or groups bent on intelligence-gathering for a foreign government.

In the retail and banking industries, the hackers have been determined to get access to customer credit card information or financial data to sell on the black market to other online criminals, who then can use it to make charges or create false identities.

So far, there is scant evidence that any of the customer information that might have been taken from Anthem and Premera has made its way onto the black market. The longer that remains the case, the less likely that profit was a motive for taking the information, consultants said. That suggests that the hackers targeting the health care industry may be more interested in gathering information.

“It’s such an attractive target and it’s a soft target and one not traditionally well protected,” said Austin Berglas, head of online investigations in the United States and incident response for K2 Intelligence and a former top agent with the F.B.I. in New York. “A nation state might be looking at pulling out medical information or simply looking to get a foothold, which they can use as a testing ground for tools to infiltrate other sectors,” he said.

Paul Luehr, a managing director at Stroz Friedberg, a security consulting firm, said the health care breaches could be an entry point into other systems. “It could serve as a conduit to valuable information in other sectors because everyone is connected to health information,” he said.

Or the breaches could simply be crimes of opportunity. The hackers could be making off with information and waiting to determine what to do with it.

“We want to jump to the conclusion that there is an organized chain and command,” said Laura Galante, threat intelligence manager for FireEye, who was not commenting specifically on any particular breach. “But what could be happening here is much more chaotic. It’s simply, ‘Get whatever data you can get and figure out what to do with it later.’ ”



Research surgical robot hacked by computer science experts

Researchers at the University of Washington in Seattle have demonstrated the ability to remotely hack a research surgical robot, the RAVEN II platform.


Before continuing, I'll stop to clarify one thing. The RAVEN II is not a clinically used surgical robot like, say, the Da Vinci surgical robot. It's an "open-source" surgical robot developed at the University of Washington to test and demonstrate advanced concepts in robotic surgery. We contacted Applied Dexterity, which is now in charge of the RAVEN platform, and according to co-founder David Drajeske,

The RAVEN II platform is not approved for use on humans. The system has been placed at 18 robotics research labs worldwide…that are using it to make advances in surgical robotics technologies…The low level software is open-source and it is designed to be “hackable” or readily reprogrammed.

Clinically used surgical robots, like the Da Vinci platform, operate on secure local networks using proprietary (i.e. not publicly available) communications protocols between the console and the robot. By contrast, RAVEN II can work on unsecured public networks and uses a publicly available communications protocol (see below). So while some have proclaimed an imminent threat to robotic surgery, that’s simply not the case.


That said, the work does have interesting implications; as pointed out by Mr. Drajeske and co-founder Blake Hannaford, RAVEN II is a great platform for testing these types of security issues. Tamara Bonaci, a graduate student at the University of Washington, led this study to test the security vulnerabilities that could threaten surgeons using these tools and their patients. In this simulation, they aimed to recreate an environment that would be more akin to using these robots in remote areas.


They tested a series of attacks on the RAVEN II system while an operator used it to complete a simulated task – moving rubber blocks around.


They found that not only were they able to disrupt the “surgeon” by causing erratic movements of the robot, they were able to hijack the robot entirely. They also discovered they were able to easily access the video feed from the robot.


One of the main use cases highlighted for surgical robots, or any number of medical robots for that matter, is that they can function in remote, difficult-to-reach, and underserved areas. In those areas, some of the conditions of this study are likely to be present – like having to use a relatively unsecured data network. And for cost reasons, using a more open-source platform may be important. So this study does raise interesting questions about the use of medical robots; it just doesn't mean that clinically used surgical robots are under some imminent threat.



Healthcare cybersecurity info sharing still a work in progress

While President Barack Obama issued an executive order to use information sharing and analysis organizations (ISAOs) to boost cybersecurity awareness and coordination between private entities and the government, those efforts need more development before they provide useful information, according to an article at The Wall Street Journal.


About a dozen longstanding nonprofit Information Sharing and Analysis Centers (ISACs) serve specific sectors such as finance, healthcare and energy, and work with government on information sharing.


Though more narrowly focused, many ISAOs already exist, Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, told HealthcareInfoSecurity.


Executives who spoke with WSJ say large entities don't get much useful information from ISACs.


"Most of us are willing to put information into it largely because it provides good initial facilitation and informal networking opportunities," Darren Dworkin, CIO of Cedars-Sinai Medical Center and a member of the healthcare ISAC, tells the newspaper. As sharing standards are developed, he adds, "expectations will mount in terms of the kinds of specific data needed as everybody figures it out."


What's more, networking within the industry, Dworkin says, tends to provide more information about what's going on. ISACs generally are more useful to smaller organizations that lack security expertise in-house, the article adds.


The Health Information Trust Alliance (HITRUST), which quickly endorsed Obama's plan, said it is one of the ISAOs. HITRUST is working with providers to test and improve their preparedness for attacks through its CyberRX 2.0 attack simulations. The need for organizations to be more open about attacks was one of the early lessons from that program.


Participants in the recent White House Summit on Cybersecurity and Consumer Protection stressed that threat data-sharing doesn't pose the danger of exposing patients' insurance and healthcare information.


11 Paths's curator insight, April 8, 2015 4:30 AM

This is a great news story


Could a Greater Investment in Cyber Insurance Have Saved Anthem?

According to the Identity Theft Resource Center, last year saw 287 breaches and more than 7.7 million records compromised in the medical and healthcare industry alone. Healthcare breaches have made up more than 10 percent of the year’s attacks, proving what those in the industry already know—personal health information is valuable and sought after by hackers.

To this end, the recent breach of the Indianapolis-based health insurer Anthem was a massive one, exposing the personal data of approximately 80 million of its plan members. Shortly after the breach, it was estimated that the hack of Anthem could end up costing more than a billion dollars in total. "It's that big. We wouldn't be surprised to see the costs of the Anthem breach exceed a billion dollars,” said Daniel W. Berger, president and CEO of Redspin, a Carpinteria, Calif.-based health IT security consultant.

What’s more, according to a Business Insurance report, Anthem has $150 million to $200 million in cyber insurance, including excess layers of cyber coverage, sources told the publication. Anthem's primary cyber insurer is Lexington Insurance Co., a unit of American International Group (AIG), Business Insurance revealed, explaining that Anthem has $10 million in primary cyber coverage above a $10 million self-retention with Lexington. However, when a company has up to 80 million current customers, former customers, employees and investors to notify—in addition to lawsuits— this amount may not be enough, says Natalie Lehr, co-founder of cybersecurity firm TSC Advantage, based in Washington, D.C.

Indeed, various news media outlets have suggested that Anthem’s insurance policy could be exhausted. Lehr says that generally speaking, when companies put together their investment for security, they look for a standard where they meet their compliance obligation. The challenge with cases such as Anthem, Lehr says, is that even when the organization’s investments in security are to meet those standards, it’s still insufficient because it may not protect you against the ongoing liability, in this case on the class-action lawsuit side. “This is one of the big reasons why I see this as a watershed moment for the industry in terms of the scale of data taken,” Lehr says. “The intangible financial loss that a company could face can exceed the insurable loss calculation that has historically taken place with the transference of risk to the insurers.”

As such, Lehr notes that if organizations exceed the standard, it reduces the likelihood of compromise, and also the probability of compromise in the future. “It is a testament to any organization that invests in maturity beyond the standard,” she says. “Part of what we have done with our insurance partners is set up a way to measure the security level so clients who do exceed the standard can get a discount on their premium. Historically, that’s not part of the dialogue or pre-binding process thought,” she adds.

Lehr further says that with Anthem specifically, a sophisticated data loss prevention solution could have been put in place, so that as bulk material left over the file transfer protocol (FTP) network, the organization could look through that traffic for categories of data that include Social Security numbers, for instance. “We don’t know for sure if they had that in place, but it seems that with the bulk of the losses that occurred with Anthem, there was a determination made that it was internal data, which wasn’t necessarily required to be encrypted from a compliance standard,” she says. “But there’s a whole host of additional controls that could be applied, and it’s about the nature in which organizations address that.”

At the end of the day, Lehr says that while no one ever envisioned anything being stolen on the scale of what happened at Anthem, it is critical to make sure that you’re leading in terms of security posture, and that you’ve focused your investment around the core parts of your business. “If we look at the past as a marker of the type of cyber breach we’ll see in the future, we’re sort of kidding ourselves,” she says. “We talk to our clients about making sure their strategy isn’t to respond to an incident. That’s not enough. Investment in prevention is testament to investment in future.”


Brian S. Smith, CIC, ARM's curator insight, March 26, 2015 8:16 PM

Interesting article about the data breach event suffered by Anthem.  The insurance costs are staggering as is the exposure.


Anthem Arrogantly Refuses Audit Processes. Twice.

Recently, I took a bunch of heat for writing that Anthem was right not to encrypt. My point was that the application encryption is just one of several security measures that add up to a security posture, and that we needed to wait until we got more information before condemning Anthem for a poor security posture.

A security posture is the combination of an organization’s overall security philosophy as well as the specific security steps that the organization takes as a result of that philosophy. Basically the type of posture taken shows whether an organization takes security and privacy seriously, or prefers a “window dressing” approach. I argued that simply knowing that the database in question did not have encryption was not enough detail to assess the Anthem security posture.

Well, we have more evidence now, and it’s not looking good for Anthem.

Recently GovInfoSecurity reported that Anthem has again refused the OIG the ability to scan its network. OIG prefers to perform its own vulnerability assessments, so that it does not have to rely on the organization’s internal assessments.

This is not the first time this has happened. When Anthem was called “WellPoint” it refused a request from OIG to scan, according to the OIG’s report at the time. OIG stands for Office of Inspector General and is essentially the “generic audit arm” of the US government. They are responsible for ensuring that government contractors are complying with regulations, and Anthem has an important contract to process medical claims for Federal Employees.

Here is what OIG had to say about this issue in September of 2013, the first time that Anthem refused its audit process:

This performance audit was conducted in accordance with generally accepted government auditing standards (GAS) issued by the Comptroller General of the United States, except for specific applicable requirements that were not followed. There was one element of our audit in which WellPoint applied external interference with the application of audit procedures, resulting in our inability to fully comply with the GAS requirement of independence.

We routinely use our own automated tools to evaluate the configuration of a sample of computer servers. When we requested to conduct this test at WellPoint, we were informed that a corporate policy prohibited external entities from connecting to the WellPoint network. In an effort to meet our audit objective, we attempted to obtain additional information from WellPoint, but the Plan was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers (see the “Configuration Compliance Auditing” section on page 9 for additional details.)

As a result of the scope limitation on our audit work and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.

Just months before, in July of 2013, Anthem (as WellPoint) had paid 1.7 million dollars for a HIPAA violation. That fine was the result of an investigation that found that Anthem had failed to:

  • adequately implement policies and procedures for authorizing access to the on-line application database
  • perform an appropriate technical evaluation in response to a software upgrade to its information systems
  • have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.

Vulnerability scanning is intended, among other things, to detect exactly these kinds of problems.

Anthem felt, in 2013, that even though it had just had a massive breach, it was in a position to deny OIG the capacity to verify Anthem’s claims about its own network. Now, in 2015, Anthem has just had a second massive breach, and has again indicated to OIG that it has a “corporate policy” that again prevents OIG from conducting a vulnerability scan as part of its independent audit. Quoting the OIG spokesperson featured in the GovInfoSecurity piece:

“we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is ‘corporate policy.’”

I have just been defending the notion that Anthem might have been doing the right thing, and that perhaps it was just the victim of a really clever hacker team. As you can imagine, when you say things like this on the Interwebs, you get a flock of people saying “If you are defending Anthem you really don’t care about patient privacy…” etc etc. My only point at the time was “We really need more evidence before we publicly condemn an organization for deprioritizing patient privacy.”

Well the evidence is in.

The notion that Anthem thinks its corporate policies trump the public’s ability to make sure they are doing their job as a Federal contractor was arrogant in 2013, when it just had one massive breach. Now this organization believes that its “corporate policies” still exempt it from scrutiny? I am aghast. Really, I should be coding right now, but instead I am writing this. I am a fairly jaded healthcare/security professional, and I thought I had seen it all. This takes the cake. Seriously, WTF?

I can only think of a few examples of this kind of bold, unfiltered, unapologetic raw arrogance. But instead of causing scenes at music award shows, the arrogance of Anthem has damaged hundreds of thousands of people more than once.

Anthem should be given a brief opportunity to rethink its policy on this issue, and assuming it does not immediately see the error of its ways, its government contract should be put up for new bids from other organizations. I think we might be able to locate some other health insurance company that has a less inflated respect for its own “corporate policies”.

Health IT Security: What Can the Association for Computing Machinery Contribute?

A dazed awareness of security risks in health IT has bubbled up from the shop floor administrators and conformance directors (who have always worried about them) to C-suite offices and the general public, thanks to a series of oversized data breaches that recently peaked in the Anthem Health Insurance break-in. Now the US Senate Health Committee is taking up security, explicitly referring to Anthem. The inquiry is extremely broad, though, promising to address “electronic health records, hospital networks, insurance records, and network-connected medical devices.”

The challenge of defining a strategy has now been picked up by the US branch of the Association for Computing Machinery, the world’s largest organization focused on computing. (Also probably its oldest, having been founded in 1947 when computers used vacuum tubes.) We’re an interesting bunch, having people who have helped health care sites secure data as well as researchers whose role is to consume data–often hard to get.

So over the next few weeks, half a dozen volunteers on the ACM US Public Policy Council will discuss what to suggest to the Senate. Some of us hope the task of producing a position statement will lead the ACM to form a more long-range committee to apply the considerable expertise of the ACM to health IT.

Some of the areas I have asked the USACM to look at include:

Cyber-espionage and identity theft
This issue has all the publicity at the moment–and that’s appropriate given how many people get hurt by all the data breaches, which are going way up. We haven’t even seen instances yet of malicious alteration or destruction of data, but we probably will.

Members of our committee believe there is nothing special about the security needs of the health care field or the technologies available to secure it. Like all fields, it needs fine-grained access controls, logs and audit trails, encryption, multi-factor authentication, and so forth. The field has also got to stop doing stupid stuff like using Social Security numbers as identifiers. But certain aspects of health care make it particularly hard to secure:

  • The data is a platinum mine (far more valuable than your credit card information) for data thieves.
  • The data is also intensely sensitive. You can get a new credit card but you can’t change your MS diagnosis. The data can easily feed into discrimination by employers and insurers, or other attacks on the individual victims.
  • Too many people need the data, from clinicians and patients all the way through to public health and medical researchers. The variety of people who get access to the data also makes security more difficult. (See also anonymization below.)
  • Ease of use and timely access are urgent. When your vital signs drop and your life is at stake, you don’t want the nurse on duty to have to page somebody for access.
  • Institutions are still stuck on outmoded security systems. Internally, passwords are important, as are firewalls externally, but many breaches can bypass both.
  • The stewards/owners of health care data keep it forever, because the data is always relevant to treatment. Unlike other industries, clinicians don’t eventually aggregate and discard facts on individuals.
Anonymization
Numerous breaches of public data, such as in Washington State, raise questions about the security of data that is supposedly anonymized. The HIPAA Safe Harbor, which health care providers and their business associates can use to avoid legal liability, is far too simplistic, being too strict for some situations and too lax for others.

Clearly, many institutions sharing data don’t understand the risks and how to mitigate against them. An enduring split has emerged between the experts, each bringing considerable authority to the debate. Researchers in health care point to well-researched techniques for deidentifying data (see Anonymizing Health Data, a book I edited).

In the other corner stand many computer security experts–some of them within the ACM–who doubt that any kind of useful anonymization will stand up over the years against the increase in computer speeds and in the sophistication of data mining algorithms. That side of the debate leads nowhere, however. If the cynics were correct, even the US Census could not ethically release data.

Patient consent
Strong rules to protect patients were put in place decades ago after shocking abuses (see The Immortal Life of Henrietta Lacks). Now researchers are complaining that data on patients is too hard to get. In particular, combining data from different sites to get a decent-sized patient population is a nightmare both legally and technically.
Device security
No surprise–like every shiny new fad, the Internet of Things is highly insecure. And this extends to implanted devices, at least in theory. We need to evaluate the risks of medical devices, in the hospital or in the body, and decide what steps are reasonable to secure them.
Trusted identities in cyberspace
This federal initiative would create a system of certificates and verification so that individuals could verify who they are while participating in online activities. Health care is a key sector that could benefit from this.

Expertise exists in all these areas, and it’s time for the health care industry to take better advantage of it. I’ll be reporting progress as we go along. The Patient Privacy Rights summit next June will also cover these issues.



Lessons from the Anthem hack


Anthem experienced a major data breach recently, and reportedly some records (Social Security Numbers and other identifying information, but not health data) of up to 80 million members and employees were obtained by hackers.

There is much to be said (and much has already been said) about the need for privacy and security and protections in the case of Anthem, just as "helpful hints" have been provided after the fact to victims of all significant data breaches. My reaction, when reading about the unencrypted SSNs that were accessed in this attack, was: Why in the world are we using social security numbers as ID numbers? It doesn't have to be this way.

The social security number is the only universal unique identifier we have at our disposal in this country. It's easy to ask for, and to use, but ... it's not supposed to be used for anything other than administration of Social Security benefits. Until not all that long ago, states used SSNs as driver's license numbers. No longer (at least around these parts). Most of us get asked for the last 4 (or 5 or 6) digits of our SSNs constantly for all kinds of reasons. How many of us refuse every time?

Way back in 1998, as folks were trying to figure out how to implement HIPAA, the question arose: Gee, why don't we establish a unique patient identifier system so that we can be assured that each electronic health record is properly tied to the right individual? (Check out this vintage HHS white paper on the Unique Health Identifier, published as prologue to a rulemaking process that never went anywhere.) Eventually, that approach was taken for providers (UPIN, then NPI), but not for patients. In fact, every year since then, Congress has included a special line in the HHS budget that says "thou shalt not establish a unique patient identifier system."

This approach has spawned a sub-industry that scrubs data sets to ensure that an individual patient doesn't have duplicate records, each including only a part of the whole, by triangulating from all the data points used to perpetrate identity theft: SSN, DOB, name, address, etc. All those data points are needed in order to make sure that we're talking about the right Mr. Jones. If the only identifier attached to the health data were the patient ID number, then health records would suddenly become much less valuable to identity thieves -- and it would be easier to determine which record belongs to whom.

Using patient ID numbers (which could be encrypted and thus protected -- because, after all, who wants to get a new patient ID number? Getting a new credit card number after some system or other gets hacked is bad enough, and remember, you can't get a new SSN just because your health records have been hacked) would be one element of a data minimization approach designed to lessen the likelihood of damage resulting from a breach. Couple that with the auditing capabilities that allowed Anthem to notice its breach in short order (vs. some breaches which were exploited over the course of years before anybody noticed), and we'd be looking at some real improvements to health data security.


Cybersecurity in healthcare is now center stage. So who should be responsible?


I’ve been involved in building many life-critical and mission-critical products over the last 25 years and have found that, finally, cybersecurity is getting the kind of attention it deserves.

We’re slowly and steadily moving from “HIPAA Compliance” silliness into a more mature and disciplined professional focus on risk management, continuous risk monitoring, and actual security tasks concentrating on real technical vulnerabilities and proper training of users (instead of just “security theater”). I believe that security, like quality, is an emergent property of the system and its interaction with users and not something you can buy and bolt on.

I’m both excited and pleased to see a number of healthcare focused cybersecurity experts, like Kamal Govindaswamy from RisknCompliance Consulting Group, preaching similar proactive and holistic guidance around compliance and security.

I asked Kamal a simple question – if cybersecurity is an emergent property of a system, who should be held responsible/accountable for it? Here’s what Kamal said, and it’s sage advice worth following:

Information Security in general has historically been seen as something that the organization’s CISO (or equivalent) is responsible for. In reality, the Information Security department often doesn’t have the resources or the ability (regardless of resources) to be the owners or be ultimately “accountable” or “responsible” for information security. In almost all cases, the CISO can and must be the advisor to business and technology leaders or management in the organization. He could also operate/manage/oversee certain behind-the-scenes security specific technologies.

If your CISO doesn’t “own” Information Security in your organization, who should?

At the end of the day, everyone has a role to play in Information Security. However, I think the HealthIT managers and leaders in particular are critical to making security programs effective in healthcare organizations today.

Let me explain…

Of all the problems we have with security these days, I think the biggest stumbling block often has to do with not having an accurate inventory of the data we need to protect and defining ownership and accountability for protection. This problem is certainly not unique to Healthcare. No amount of technology investments or sophistication can solve this problem as it is a people and process problem more than anything else.

Healthcare is unfortunately in an unenviable position in this regard. Before the Meaningful Use program that has led to rapid adoption of EHRs over the last five years, many healthcare organizations didn’t necessarily have standard methods or technologies for collecting, processing or storing data. As a result, you will often see PHI or other sensitive information in all kinds of places that no one knows about any longer, let alone “owns” them – network file shares, emails, a legacy application or database that is no longer used, etc. The fact that HealthIT in general has been overstretched over the last five years with implementation of EHRs or other programs hasn’t helped matters either.

In my opinion and experience, the average Healthcare organization is nowhere close to solving the crux of the problem with security programs – which is to ensure ownership, accountability and real effectiveness or efficiencies.

Most of us in the security profession have long talked about the critical need for the “business” to take ownership among business and technology leaders. For the most part, however, I think this remains an elusive goal for many organizations. This is a serious problem because we can’t hope to have effective security programs or efficiencies without ownership and accountability.

So, how do we solve this problem in Healthcare? I think the answer lies in HealthIT leadership taking point on both ownership and accountability.

HealthIT personnel plan, design and build systems that collect/migrate/process/store data, interact with clinical or business leadership and stakeholders to formulate strategies, gather requirements, set expectations and are ultimately responsible for delivering them. Who better than HealthIT leaders and managers to be the owners and be accountable for safeguarding the data? Right?

So, let’s stop saying that we need “the business” to take ownership. Instead, I think it makes much more pragmatic sense to focus on assigning ownership and accountability on the HealthIT leadership.

I present below a few sample mechanics of how we could do this:

1. Independence of the CISO. For a start, Healthcare CIOs or leaders should insist on independence for the CISO (or equivalent) in their organizations. Even if the CISO or security director or manager happens to be reporting to the CIO (as still happens in many organizations), I think it is absolutely critical that you reorganize to make the role an advisory and support role and not an IT function itself. The CISO and his team may also have their own operational responsibilities, such as management of certain security technologies or operations, performing risk assessments, monitoring risk mitigation or remediation programs, assisting with regulatory compliance and so on. Regardless, they must be an independent function with strong backing or support from the CIO.

2. IT (Data) Asset Discovery, Classification and Management. To start with, all IT assets (hardware and software) that collect, receive, process, store or transmit data (CRPST) need to be identified, regardless of whether these assets are owned/leased/subscribed or where they are hosted. Every physical or virtual asset (network device, server, storage, application, database etc.) must have one assigned owner at a manager/director/VP level who is ultimately accountable for security of the information CRPSTed by the asset. As the owner may choose or need to delegate responsibilities (see #3 below), the asset meta-data should also include information regarding personnel that have delegated responsibilities. If you are a smaller organization, you may have one person being the owner who is “accountable” as well as “responsible”.

3. Directives to HealthIT executives and managers. It is important that Healthcare CIOs send a clear message of sponsorship and accountability to their executives and managers regarding their “ownership” related to security. The asset owners (see #2 above) may in turn delegate “responsibilities” to other personnel (not below a manager) in their department. For example, the VP or Director of IT Infrastructure may delegate responsibilities to the Manager of Servers and the Manager of Networks. Similarly, the VP/Director of Applications may delegate responsibilities to the Database Manager and the Manager of Applications, and so on. Regardless of the delegation, the VP or Director retains the “ownership” and “accountability” for security of information CRPSTed by the asset.

4. Bolted-in Security. The HealthIT strategy and architecture teams need to work in close collaboration with the CISO’s team. It is critical that security is an important planning and design consideration and not something of an afterthought. It is much more cost effective to plan, design and implement secure systems from the start (hence bolted-in) than to look for a patchwork of controls after the systems are already in place.

5. Need for HealthIT managers with “responsibilities” to be proactive. Let me explain this with a few examples of the Server Manager’s role in #3 above.
  • The Server Manager must at all times know the highest classification of the data stored on his servers so he is sure he has appropriate controls for safeguarding the data as required by the organization’s Information Security Policy and standards. If a file server is not “authorized” to contain PHI or PII on its shares, he should perhaps reach out to the CISO with a request for periodic scans of his servers to detect any “sensitive” data that users may have put on their file shares, for example.
  • If a file server is authorized to store PHI for use by the billing department, for example, the Server Manager must work with the billing department manager to have her periodically review the access that people have to the billing file shares. If your organization’s Identity and Access Management (IAM) solution or program has capabilities for automating these periodic access reviews, the Server Manager must work with the CISO (or whoever runs the IAM program) to operationalize these access reviews as part of your Business-As-Usual (BAU) activities. The key point here is that it is the Server Manager’s responsibility (and not the Billing Manager’s or the CISO’s) to ensure that the Billing Manager performs the access reviews in compliance with the organization’s policies or standards for access reviews of PHI repositories.
  • The Server Manager must at all times be aware of who has administrative access to these servers, so he must look for ways to get alerts for every change that happens to the privileged or administrator access to the servers. If your organization has a Log Management or a Security Information and Event Management (SIEM) solution, the Server Manager should reach out to the CISO or his designate so the SIEM solution can collect those events from your servers and send email alerts for any specific administrator or similar privilege changes to the Server Manager. While we are on SIEM, the Server Manager should also work with the CISO and the Billing Manager so the Billing Manager gets an email alert every time there is a change to the access privileges on the file shares containing PHI or PII used by the billing department.
  • If one of the servers happens to be a database server, the Server Manager may be responsible for the operating system level safeguards while the Database Manager may have the responsibility for the database “asset”. She will in turn need to work with the CISO and the relevant business managers for automation of access reviews, monitoring of potential high risk privilege changes in the database, etc.
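An added example (not code from this post, from RisknCompliance, or from any product the page names) of the kind of periodic scan for "sensitive" data on file shares that the Server Manager is asked to request above, which is also the category matching Lehr describes for FTP traffic in the Anthem piece: it finds Social Security Numbers, discards structurally impossible ones to cut false positives, and flags any share not authorized to hold PHI/PII. Share names, paths and file contents are constructed sample data; the SSA structural rules are real.

```python
"""Small DLP-style scan of file-share contents for US Social Security Numbers,
with each share checked against the set of shares authorized to hold PHI/PII.
Sample shares and file bodies below are constructed, not real data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate SSN in the common 3-2-4 form with '-' or ' ' separators.
# The lookarounds stop a longer digit run (e.g. a 10-digit account number)
# from producing a false match on its inner digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

# Numbers the SSA has never issued; both were widely published as samples,
# so seeing them in data is not a real exposure.
NEVER_ISSUED = {"078-05-1120", "219-09-9999"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never assigned,
    nor are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    return f"{area}-{group}-{serial}" not in NEVER_ISSUED


def find_ssns(text: str) -> list[str]:
    """Return plausible SSNs found in text, masked to the last four digits so
    the scan report does not itself become another copy of the PII."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"***-**-{serial}")
    return hits


@dataclass(frozen=True)
class Finding:
    share: str
    path: str
    line_no: int
    masked: str
    authorized: bool  # is this share allowed to hold PHI/PII at all?


def scan_shares(shares: dict[str, dict[str, str]],
                authorized_for_phi: set[str]) -> list[Finding]:
    """shares maps share name -> {relative path -> file text}."""
    findings = []
    for share, files in shares.items():
        allowed = share in authorized_for_phi
        for path, text in files.items():
            for line_no, line in enumerate(text.splitlines(), start=1):
                for masked in find_ssns(line):
                    findings.append(Finding(share, path, line_no, masked, allowed))
    return findings


def unauthorized_shares(findings: list[Finding]) -> set[str]:
    """Shares holding SSNs without authorization for PHI/PII: the cases the
    Server Manager must escalate rather than merely log."""
    return {f.share for f in findings if not f.authorized}


# Constructed sample shares (placeholder hosts, paths and values).
SAMPLE_SHARES = {
    "fs01/billing": {
        "claims/2015-03.csv": (
            "member_id,ssn,amount\n"
            "M1001,123-45-6789,240.00\n"   # plausible SSN on an authorized share
            "M1002,000-12-3456,18.50\n"    # area 000: never issued, ignored
        ),
    },
    "fs01/public": {
        "notes/handoff.txt": (
            "Call back at 555-123-4567 re: invoice 2015-03-31\n"  # not SSNs
            "patient 456 78 9012 asked about refund\n"            # plausible SSN
            "sample form uses 078-05-1120 and 123-00-4567\n"      # never issued
        ),
    },
}
AUTHORIZED_FOR_PHI = {"fs01/billing"}


def run_sample() -> list[Finding]:
    return scan_shares(SAMPLE_SHARES, AUTHORIZED_FOR_PHI)


if __name__ == "__main__":
    for f in run_sample():
        status = "ok" if f.authorized else "UNAUTHORIZED SHARE"
        print(f"{f.share}/{f.path}:{f.line_no} {f.masked} [{status}]")
```

The same `find_ssns` routine can be pointed at reassembled FTP payloads instead of file contents; the validity filter matters in both cases because phone numbers, dates and order numbers otherwise swamp the alert queue.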


Digital health in 2015: What's hot and what's not?


I think it’s fair to say that digital health is warming up. And not just in one area. The sheer number and variety of trends are almost as impressive as the heat trajectory itself. The scientist in me can’t help but make the connection to water molecules in a glass — there may be many of them, but not all have enough kinetic energy to ascend beyond their liquid state. The majority are doomed to sit tight and get consumed by a thirsty guy with little regard for subtle temperature changes.


With this in mind, let’s take a look at which digital health trends seem poised to break out in 2015, and which may be fated to stay cold in the glass. As you read, keep in mind that this assessment is filtered through my perspective of science, medicine, and innovation. In other words, a “cold” idea could still be hot in other ways.

Collaboration is hot, silos are not. Empowerment for patients and consumers is at the heart of digital health. As a result, the role of the doctor will shift from control to collaboration. The good news for physicians is that the new and evolved clinician role that emerges will be hot as heck. The same applies to the nature of innovation in digital health and pharma. The lone wolf is doomed to fail, and eclectic thinking from mixed and varied sources will be the basis for innovation and superior care.

Scanners are hot, trackers are not. Yes, the tricorder will help redefine the hand-held tool for care. From ultrasound to spectrometry, the rapid and comprehensive assimilation of data will create a new “tool of trade” that will change the way people think about diagnosis and treatment. Trackers are yesterday’s news stories (and they’ll continue to be written) but scanners are tomorrow headlines.

Rapid and bold innovation is hot, slow and cautious approaches are not. Innovators are often found in basements and garages where they tinker with the brilliance of what might be possible. Traditionally, pharmaceutical companies have worked off of a different model, one that offers access and validation with less of the freewheeling spirit that thrives in places like Silicon Valley. Looking ahead, these two styles need to come together. The result, I predict, will be a digital health collaboration in which varied and conflicting voices build a new health reality.

Tiny is hot, small is not. Nanotechnology is a game-changer in digital health. Nanobots, among other micro-innovations, can now be used to continuously survey our bodies to detect (and even treat) disease. The profound ability for this technology to impact care will drive patients to a new generation of wearables (scanners) that will offer more of a clinical imperative to keep using them.

Early is hot, on-time is not. Tomorrow’s technology will fuel both rapid detection and the notion of “stage zero disease.” Health care is no longer about the early recognition of overt signs and symptoms, but rather about microscopic markers that may preempt disease at the very earliest cellular and biochemical stages.

Genomics are hot, empirics are not. Specificity — from genomics to antimicrobial therapy — will help improve outcomes and drive costs down. Therapy will be guided less and less by statistical means and population-based data and more and more by individualized insights and agents.

AI is hot, data is not. Data, data, data. The tsunami of information has often done more to paralyze us than provide solutions to big and complex problems. From wearables to genomics, that part isn’t slowing down, so to help us manage it, we’ll increasingly rely on artificial intelligence systems. Keeping in mind some of the inherent problems with artificial intelligence, perhaps the solution is less about AI in the purest sense and more around IA — intelligence augmented. Either way, it’s inevitable and essential.

Cybersecurity is hot, passwords are not. As intimate and specific data sets increasingly define our reality, protection becomes an inexorable part of the equation. Biometric and other more personalized and protected solutions can offer something that passwords just can’t.

Staying connected is hot, one-time consults are not. Medicine at a distance will empower patients, caregivers, and clinicians to provide outstanding care and will create significant cost reductions. Telemedicine and other online engagement tools will emerge as a tool for everything from peer-to-peer consultation in the ICU to first-line interventions.

In-home care is hot, hospital stays are not. “Get home and stay home” has always been the driving care plan for the hospitalized patient. Today’s technology will help provide real-time and proactive patient management that can put hospital-quality monitoring and analytics right in the home. Connectivity among stakeholders (family, EMS, and care providers) offers both practical and effective solutions to care.

Cost is hot, deductibles are not. Cost will be part of the “innovation equation” that will be a critical driver for market penetration. Payers will drive trial (if not adoption) by simply nodding yes for reimbursement. And as patients are forced to manage higher insurance deductibles, options to help drive down costs will compete more and more with efficacy and novelty.

Putting it all together: What will it take to break away in 2015?

Beyond speed lies velocity, a vector that has both magnitude and direction. Smart innovators realize that their work must be driven by a range of issues from compatibility to communications. Only then can they harness the speed and establish a market trajectory that moves a great idea in the right direction. Simply put, a great idea that doesn’t get noticed by the right audience at the right time is a bit like winking to someone in the dark. You know what you’re doing, but no one else does.



'Wiper' Malware: What You Need to Know


The FBI has reportedly issued an emergency "flash alert" to businesses, warning that it's recently seen a destructive "wiper" malware attack launched against a U.S. business.

Security experts say the FBI alert marks the first time that dangerous "wiper" malware has been used in an attack against a business in the U.S., and many say the warning appears to be tied to the Nov. 24 hack of Sony by a group calling itself the Guardians of Peace.

Large-scale wiper attacks are quite rare, because most malware attacks are driven by cybercrime, with criminals gunning not to delete data, but rather to quietly steal it, and for as long as possible, says Roel Schouwenberg, a security researcher at anti-virus firm Kaspersky Lab. "Simply wiping all data is a level of escalation from which there is no recovery."

Many Sony hack commentators have focused on the fact that previous wiper attacks have been attributed to North Korea, and that the FBI alert says that some components used in this attack were developed using Korean-language tools.

But Schouwenberg advocates skepticism, saying organizations and IT professionals should focus their energies on risk management. "We are much better off trying to understand the attack better, and maybe use this incident as an opportunity for businesses everywhere to basically re-evaluate their current security strategy, which probably isn't quite tailored to this type of scenario and say: 'Hey, this is where I can improve my posture,'" he says. "So we should be focusing on that technical aspect, rather than on the potential motivations of the attackers."

In this interview with Information Security Media Group, Schouwenberg details:

  • The relative ease with which wiper malware attacks can be crafted;
  • Steps businesses can take to improve their security defenses against wiper malware;
  • The importance of whitelisting applications - meaning that only approved applications are allowed to run on a PC, while all others are blocked.
