Healthcare and Technology news

Compromised logs can hamper IT security investigations 


At the heart of most devices that provide protection for IT networks is an ability to log events and take actions based on those events. This application and system monitoring provides details both on what has happened to the device and what is happening. It provides security against lapses in perimeter and application defences by alerting you to problems so defensive measures can be taken before any real damage is done. Without monitoring, you have little chance of discovering whether a live application is being attacked or has been compromised.

 

Critical applications, processes handling valuable or sensitive information, previously compromised or abused systems, and systems connected to third parties or the Internet all require active monitoring. Any seriously suspicious behaviour or critical events must generate an alert that is assessed and acted on. Although you will need to carry out a risk assessment for each application or system to determine what level of audit, log review and monitoring is necessary, you will need to log at least the following:

  • User IDs
  • Date and time of log on and log off, and other key events
  • Terminal identity
  • Successful and failed attempts to access systems, data or applications
  • Files and networks accessed
  • Changes to system configurations
  • Use of system utilities
  • Exceptions and other security-related events, such as alarms triggered
  • Activation of protection systems, such as intrusion detection systems and antimalware

Collecting this data will assist in access control monitoring and can provide audit trails when investigating an incident. While most logs are covered by some form of regulation these days and should be kept as long as the requirements call for, any that are not should be kept for a minimum period of one year, in case they are needed for an investigation.  However, monitoring must be carried out in line with relevant legislation, which in the UK is the Regulation of Investigatory Powers and Human Rights Acts. Employees should be made aware of your monitoring activities in the network acceptable use policy.

 

 

Log files are a great source of information only if you review them. Simply purchasing and deploying a log management product won’t provide any additional security. You have to use the information collected and analyse it on a regular basis; for a high-risk application, this could mean automated reviews on an hourly basis. ISO/IEC 27001 control A.10.10.2 not only requires procedures for monitoring the use of information processing facilities, but demands the results are reviewed regularly to identify possible security threats and incidents.

 

However, even small networks can generate too much information to be analysed manually. This is where log analysers come in, as they automate the auditing and analysis of logs, telling you what has happened or is happening, and revealing unauthorised activity or abnormal behaviour. This feedback can be used to improve IDS signatures or firewall rule sets. Such improvements are an iterative process, as regularly tuning your devices to maximise their accuracy in recognising true threats will help reduce the number of false positives. Completely eliminating false positives, while still maintaining strict controls, is next to impossible, particularly as new threats and changes in the network structure will affect the effectiveness of existing rule sets. Log analysis can also provide a basis for focused security awareness training, reduced network misuse and stronger policy enforcement.

 

ISO/IEC 27001 controls A.10.10.4 and A.10.10.5 cover two specific areas of logging whose importance is often not fully appreciated: administrator activity and fault logging. Administrators have powerful rights, and their actions need to be carefully recorded and checked. As events, such as system restarts to correct serious errors, may not get recorded electronically, administrators should maintain a written log of their activities, recording event start and finish times, who was involved and what actions were taken. The name of the person making the log entry should also be recorded, along with the date and time. The internal audit team should keep these logs.

 

There are two types of faults to be logged: faults generated by the system and the applications running on it, and faults or errors reported by the system's users. Fault logging and analysis is often the only way of finding out what is wrong with a system or application. The analysis of fault logs can be used to identify trends that may indicate more deep-rooted problems, such as faulty equipment or a lack of competence or training in either users or system administrators.

 

All operating systems and many applications, such as database server software, provide basic logging and alerting facilities. This logging functionality should be configured to log all faults and send an alert if the error is above an acceptable threshold, such as a write failure or connection time-out. The logs should be reviewed on a regular basis, and any error-related entries should be investigated and resolved. While analysing all logs daily is likely an unrealistic goal, high-volume and high-risk applications, such as an e-commerce Web server, will need almost daily checking to prevent high-profile break-ins, while for most others a weekly check will suffice.

 

There should be a documented work instruction covering how faults are recorded or reported, who can investigate them, and an expected resolution time, similar to a service contract if you use an outside contractor to support your systems. Help desk software can log details of all user reports, and track actions taken to deal with them and close them out.

 

No matter how extensive your logging, log files are worthless if you cannot trust their integrity. The first thing most hackers will do is try to alter log files to hide their presence. To protect against this, you should record logs both locally and to a remote log server. This provides redundancy and an extra layer of security as you can compare the two sets of logs against one another -- any differences will indicate suspicious activity.
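The local-versus-remote comparison described above, as an added example that is not part of the original article. The log lines are constructed, and the in-order forwarding with some lag is an assumption.

```python
from difflib import SequenceMatcher

# Constructed sample data: the remote collector's copy, and the local file
# after one entry was rewritten and another removed.
REMOTE = [
    "2015-01-12T09:14:02Z host1 sshd: Failed password for root from 203.0.113.7",
    "2015-01-12T09:14:09Z host1 sshd: Accepted password for root from 203.0.113.7",
    "2015-01-12T09:15:30Z host1 sudo: root : COMMAND=/usr/sbin/useradd svc2",
    "2015-01-12T09:20:00Z host1 cron: (root) CMD (run-parts /etc/cron.hourly)",
]
LOCAL = [
    "2015-01-12T09:14:02Z host1 sshd: Failed password for root from 203.0.113.7",
    "2015-01-12T09:14:09Z host1 sshd: Accepted password for admin from 10.0.0.5",
    "2015-01-12T09:20:00Z host1 cron: (root) CMD (run-parts /etc/cron.hourly)",
    "2015-01-12T09:21:11Z host1 sshd: Connection closed by 10.0.0.8",
]


def compare_logs(local, remote):
    """Classify every difference between the local log and the remote copy."""
    findings = []
    matcher = SequenceMatcher(a=remote, b=local, autojunk=False)
    for tag, r1, r2, l1, l2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag == "insert" and r1 == len(remote):
            # Tail of the local file: assumed not forwarded yet, not suspicious.
            findings += [("pending", line) for line in local[l1:l2]]
        elif tag == "insert":
            findings += [("only_local", line) for line in local[l1:l2]]
        elif tag == "delete":
            findings += [("missing_local", line) for line in remote[r1:r2]]
        else:
            # replace: pair lines by timestamp to tell edits from deletions.
            local_by_ts = {l.split(" ", 1)[0]: l for l in local[l1:l2]}
            for line in remote[r1:r2]:
                ts = line.split(" ", 1)[0]
                kind = "altered" if ts in local_by_ts else "missing_local"
                local_by_ts.pop(ts, None)
                findings.append((kind, line))
            findings += [("only_local", l) for l in local_by_ts.values()]
    return findings


if __name__ == "__main__":
    for kind, line in compare_logs(LOCAL, REMOTE):
        print(f"{kind:14} {line}")
```

Each finding carries the remote copy's version of the line, except for `pending` and `only_local`, which exist only in the local file.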

 

If you can’t stretch to a dedicated log server, logs should be written to a write-once medium, such as a CD-R or DVD-R, or to rewritable media such as magnetic tape data storage or hard disk drives that automatically make the newly written portion read-only to prevent an attacker from overwriting them. It's important also to prevent administrators from having physical and network access to logs of their own activities. Those tasked with reviewing logs should obviously be independent of the people, activities and logs being reviewed.

 

The protection of log information is critical. Compromised logs can hamper IT security investigations into suspicious events, invalidate disciplinary action and undermine court actions.

 

Another point to bear in mind is that system clocks need to be synchronised so log entries have accurate timestamps. Check computer clocks and correct any significant time variations on a weekly basis, or more often, depending on the error margin for time accuracy.

 

Clocks can drift on mobile devices and should be updated whenever they attach to the network or desktop. Always record the time of an event in a consistent format, such as Coordinated Universal Time (UTC), across all files. For additional security, add a checksum to each log entry so you can detect if any entries have been tampered with. Controls also need to be in place to ensure there is ample log storage. If your logs can be trusted, they can help you reconstruct the events of security incidents and provide legally admissible evidence.
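One way to implement the per-entry checksum with UTC timestamps, as an added example that is not from the original article. It uses a keyed checksum (HMAC-SHA-256) chained to the previous entry rather than a plain checksum, which anyone who edits an entry could recompute. The key, field names and sample messages are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Assumption: the key is held by the log collector, not stored on the
# monitored host. This value is a constructed placeholder.
KEY = b"example-key-kept-off-the-logged-host"
GENESIS = "0" * 64


def seal(prev_mac, timestamp, message, key=KEY):
    """HMAC over the previous entry's MAC plus this entry's content."""
    data = f"{prev_mac}|{timestamp}|{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log, message, when=None):
    """Append a UTC-stamped entry whose checksum chains to the one before."""
    when = when or datetime.now(timezone.utc)
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"ts": ts, "msg": message, "mac": seal(prev, ts, message)})


def verify(log, key=KEY):
    """Return the index of the first entry that fails, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = seal(prev, entry["ts"], entry["msg"], key)
        if not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    return None


def sample_log():
    """Constructed sample entries with fixed timestamps."""
    log = []
    base = datetime(2015, 1, 12, 9, 14, tzinfo=timezone.utc)
    messages = ["login failed user=root", "login ok user=root",
                "config changed file=/etc/passwd", "logout user=root"]
    for sec, msg in enumerate(messages):
        append_entry(log, msg, base.replace(second=sec))
    return log


if __name__ == "__main__":
    log = sample_log()
    log[1]["msg"] = "login ok user=alice"   # simulated tampering
    print("first bad entry:", verify(log))
```

Removing entries from the end of the file is not caught by the chain alone; checking the last MAC against the copy on the remote log server covers that case.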

 

Logging and auditing work together to ensure users are only performing the activities they are authorised to perform, and they play a key role in preventing, as well as in spotting, tracking and stopping unwanted or inappropriate activities.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

 

Providers Looking for More out of HIEs


Healthcare providers’ health information exchange (HIE) needs have moved beyond connecting disparate systems and meeting meaningful requirements. They are now looking for HIEs to ease access to “actionable” data, according to a report from NORC at the University of Chicago.


The researchers conducted an in-depth examination consisting of site visits and 37 semi-structured discussions in six states (Iowa, Mississippi, New Hampshire, Utah, Vermont, and Wyoming) in the early months of 2014 to understand provider perspectives on the state HIE program and their experiences with electronic exchange. The report was funded by the Office of the National Coordinator for Health Information Technology (ONC).


The report found that providers highlight the potential for HIE to ease access to actionable data that integrates data from across the care continuum and provides clinicians with information at the point of care to improve care delivery and care coordination. Providers highlighted several exchange priorities: admission, discharge, transfer (ADT) alerts, services that facilitate care coordination, and interstate exchange.


Additionally, meaningful use and payment reform are creating new requirements for health IT-enabled information sharing related to care coordination and management as well as new models for patient care. Providers anticipate a growing need for vendor provided HIE services and infrastructure as expectations for electronic exchange of health information increase under this shift, the report found.


Providers also encountered various challenges, specifically competing priorities, issues managing multiple funding streams, lack of qualified staff on the provider side, and difficulty obtaining adequate support from electronic health record (EHR) and HIE vendors. They also noted a need for interoperable systems to meet exchange and health system reform goals.


What’s more, providers in most states believed that the state HIE program contributed to building awareness around HIE and the benefits of exchanging information. Providers conveyed a general sentiment that a state-based HIE effort is important, due to its stature as a neutral entity, capable of bringing stakeholders together. Even though the meaningful use program did not provide incentive payments to long-term care and behavioral health providers, the state HIE program was instrumental in engaging these providers, identifying their specific needs and the gaps that grantees needed to fill, particularly around care continuity, the report revealed.


The researchers concluded, “Throughout the life of the program, HIE has become more visible and better established, meaning that provider priorities and challenges have likewise evolved.” In addition to highlighting providers’ current needs and perspectives on HIE, findings from these conversations emphasize certain areas, the researchers said:

  • Providers have additional use cases beyond meaningful use and payment reform they are or would like to pursue to meet their specific exchange needs.
  • New healthcare system priorities, such as care coordination, suggest expanding interoperable health IT systems and services to providers ineligible for meaningful use to ensure that the information needed to manage care is available electronically.
  • There is a need to push for interoperability at the vendor level.

Phone Systems that keep the Practice and Patient Connected 


Today’s medical practice office is increasingly concerned with patient satisfaction. Of course, the health and well-being of patients has always been a concern; but as revenue and billing cycles quickly shift to a larger percent of patient responsibility, it’s becoming important to focus on ways to keep the conversation between practice and patient open and customer-centric at all times.

 

Healthcare providers have begun looking to technology solutions to up their patient satisfaction game. One likely solution? Automated phone systems that keep the practice and patient connected. Here’s a look at some of the key pros and cons of using automated phone systems in healthcare.

 

Everyone can relate to being annoyed by automated phone systems that keep directing callers around in circles, never to reach a human voice. That experience doesn’t translate to high patient appreciation. But it’s important to note that a good automated phone system can be far easier to use and more personalized for your practice needs.

 

Pros of Automated Phone Systems

 

Save Money. Automated phone systems have the potential to cover all of the work of your standard receptionist. Calls can be directed to the right party fairly quickly and the practice is still saving on the man hours it takes to answer and direct those calls manually.


Easy Installation and Upkeep. Most phone systems can be installed and up and running in a short amount of time and they can be hosted by the provider, meaning that the office will not need to worry about troubleshooting problems.


Routing Calls. New systems are exceptionally advanced and calls can easily be routed to the right destination, as well as voicemail boxes.


Setting Up Call Options. If the office manager takes a good look at what patients generally call about, they can narrow down specific options so that callers are quickly directed to the right location. For instance, if the largest number of calls come in to schedule appointments, “Scheduling” should be the first item on the automated list.


Cons of Automated Phone Systems

 

Patient Approval. No matter how well designed the phone system is, there will always be patients who are opposed simply because they’ve had bad experiences with automated systems–potentially not even in healthcare, but in another industry altogether. Most patients will get used to a new system, though practices should definitely listen to feedback and adjust to better serve the patients.

 

Voice Recognition Mistakes. Voice recognition is exceptionally useful so that patients can speak their choices and be directed immediately, without punching in any keys. Many people prefer this method, but voice recognition does still have occasional issues in deciphering speech, especially with differing accents.

 

Managers should take some time researching the company and product before deciding on any system. Taking the patients’ needs into consideration can go a long way in making the decision, as well as breeding satisfaction with patients as they become better acquainted with the phone system. Looking to the future of healthcare, technology plays the biggest role in facilitating patient satisfaction.


Top Health Industries Issues for 2015 « Healthcare Economist

What are the top health industry issues for 2015?  A PwC report believes the following 10 issues should top the list:

HRI’s top 10 issues for the health industry in the year ahead:

  1. Do-it-yourself healthcare. U.S. physicians and consumers are ready to embrace a dramatic expansion of the high-tech, personal medical kit. Wearable technology, smartphone-linked devices and mobile apps will become increasingly valuable in care delivery.
  2. Making the leap from mobile app to medical device. A proliferation of approved and portable medical devices in patients’ homes, and on their phones, makes diagnosis and treatment more convenient, redoubling the need for strong information security systems.
  3. Balancing privacy and convenience. Privacy will lose ground to convenience in 2015 as patients adopt digital tools and services that gather and analyze health information.
  4. High-cost patients spark cost-saving innovations. The soaring cost of care for Medicare and Medicaid “dual eligibles,” aging boomers and patients with co-morbidities will foster creative care delivery and management systems.
  5. Putting a price on positive outcomes. With high-priced new products and specialty drugs slated to hit the market in 2015, increasing demand for new evidence and definitions of positive health outcomes is expected.
  6. Open everything to everyone. New transparency initiatives targeting clinical trial data, real-world patient outcomes and financial relationships between physicians and pharmaceutical companies will improve patient care and open new opportunities.
  7. Getting to know the newly insured. 2015 will be a revelatory year for the U.S. health sector as a portrait of the newly-insured emerges, fostering better care management programs and shifting marketing strategies.
  8. Physician extenders see an expanded role in patient care. Physician “extenders” are becoming the first line of care for many patients, as doctors delegate tasks, monitor patients digitally and enter into risk-based payment models.
  9. Redefining health and well-being for the millennial generation. As the economy rebounds and baby boomers retire, employers and insurers look for fresh ways to engage, retain and attract the next generation of health consumers.
  10. Partner to win. In 2015, joint ventures, open collaboration platforms and non-traditional partnerships will push healthcare companies out of the comfort zone toward new competitive strategies.


