Healthcare and Technology news

Phishing: Learning from Anthem Breach


The hack attack against Anthem Inc., which the health insurer says started with a spear-phishing campaign targeting five of its employees, is a warning sign of the kinds of sophisticated schemes that will be common in the year ahead, says Dave Jevans, co-founder of the Anti-Phishing Working Group.

"The Anthem breach is emblematic of what we see in the evolution of attacks against companies and their employees," Jevans says in an interview with Information Security Media Group.

In addition to Anthem, a growing number of cyber-attacks, including the breach of JPMorgan Chase, have originated with spear-phishing campaigns that target a small number of employees who have access to data systems and services housing sensitive customer information, Jevans says.

"It's highlighting a fundamental change we're seeing in the phishing landscape," Jevans says. "There's a big decrease, almost 25 percent, in phishing against just broad-base consumers. ... The real risk here is an increase in the attacks against [a handful of] employees ... and using that as a jumping-off point to get into the enterprise, break in and then steal data, breach systems, and spread out to vendors that are connected to the enterprise."

He notes that the JPMorgan Chase breach started with spear phishing that "targeted one employee in the IT department, who was tricked into giving out their password to a vulnerable machine inside the network. The hackers jumped in from there and compromised records. The most sophisticated attacks are waged against very small numbers of employees - we find, typically, less than six." By targeting only a handful of employees, the attackers decrease the odds that their scheme will be detected, Jevans says.

A Shift to Mobile

As spear-phishing campaigns become more common this year as a way to open the door to major cyber-attacks, the attackers will start to focus on targeting employees through their mobile devices, which have less sophisticated detection systems, Jevans predicts. For example, they may use text messages that ask employees to update a virtual private network profile.

"Today, detection methods are not in place [for SMS/text], so you can't tell when someone's been phished on their mobile phone," Jevans adds. "We will see in 2015, with many major breaches, that the forensic evidence is going to come back to the use of mobile devices involved in that initial kill chain of attack inside the company."

Stronger, multifactor authentication for employee access to sensitive data, systems and servers should be in place to thwart the impact of an employee's credentials that are compromised, Jevans stresses. But he says organizations should focus more attention on preventing phishing attacks from being successful.

"In my view, there is no credible reason why anybody internal to the company should receive e-mails claiming to be from the company with 'from' addresses that were sent from an external server," he says. "The use of SPF [sender policy framework] ... on your e-mail server, so that all outgoing e-mail is authenticated and also all inbound e-mail is authenticated and checked, particularly from your own domain, should be in place."

Also discussed during this interview:

  • Why top-level domain names, such as .bank, are likely to fuel more phishing campaigns rather than curb them;
  • How DMARC (Domain-based Message Authentication, Reporting & Conformance) is helping businesses block suspicious e-mails through enhanced e-mail authentication, before they ever hit inboxes; and
  • Why employee education related to phishing must be ongoing and consistent.
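The inbound check described above (mail claiming to be from your own domain must be authenticated), as an added example that is not from the article or the interview. It reads the `Authentication-Results` header that a receiving gateway stamps after SPF and DMARC evaluation; the domain `example.com`, the gateway name `mx.example.com`, the labels returned and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example.com"           # assumption: the organisation's mail domain
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: authserv-id our own gateway stamps

def trusted_results(msg):
    """Collect SPF/DMARC verdicts only from headers our own gateway added."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, body = str(header).partition(";")
        if authserv.split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # stamped elsewhere, possibly by the sender: ignore it
        for method, result in re.findall(r"\b(spf|dmarc)\s*=\s*(\w+)", body, re.I):
            found.setdefault(method.lower(), result.lower())
        m = re.search(r"smtp\.mailfrom\s*=\s*(?:[^\s;@]*@)?([^\s;]+)", body, re.I)
        if m:
            found.setdefault("mailfrom", m.group(1).lower())
    return found

def classify(raw):
    """Label one raw message by whether its own-domain From is authenticated."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != OWN_DOMAIN:
        return "external"
    r = trusted_results(msg)
    # SPF validates the envelope sender, so it only counts when that domain
    # matches the visible From domain; DMARC pass already implies alignment.
    spf_aligned = r.get("spf") == "pass" and r.get("mailfrom") == OWN_DOMAIN
    if r.get("dmarc") == "pass" or spf_aligned:
        return "own-domain-authenticated"
    return "own-domain-unauthenticated"

def _msg(sender, auth):
    return f"From: {sender}\nAuthentication-Results: {auth}\nSubject: test\n\nbody\n"

# Constructed sample messages (not real traffic).
SAMPLES = {
    "internal": _msg("alice@example.com",
        "mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com"),
    "spoofed": _msg('"IT Helpdesk" <helpdesk@example.com>',
        "mx.example.com; spf=pass smtp.mailfrom=bounce@mailer.invalid; dmarc=fail header.from=example.com"),
    "forged_header": _msg("ceo@example.com",
        "mail.sender.invalid; spf=pass smtp.mailfrom=example.com; dmarc=pass"),
    "partner": _msg("news@partner.invalid",
        "mx.example.com; spf=pass smtp.mailfrom=partner.invalid; dmarc=pass"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {classify(raw)}")
```

The check is only as reliable as the gateway: it must remove any inbound `Authentication-Results` header that already carries its own authserv-id before adding its verdict. Messages labelled `own-domain-unauthenticated` are the ones to quarantine or reject at the border.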

Jevans, who serves as chairman of the Anti-Phishing Working Group, is also founder and chief technology officer of mobile security firm Marble Security. His career in Internet security spans more than 20 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy.



Digital health in 2015: What's hot and what's not?


I think it’s fair to say that digital health is warming up. And not just in one area. The sheer number and variety of trends are almost as impressive as the heat trajectory itself. The scientist in me can’t help but make the connection to water molecules in a glass — there may be many of them, but not all have enough kinetic energy to ascend beyond their liquid state. The majority are doomed to sit tight and get consumed by a thirsty guy with little regard for subtle temperature changes.


With this in mind, let’s take a look at which digital health trends seem poised to break out in 2015, and which may be fated to stay cold in the glass. As you read, keep in mind that this assessment is filtered through my perspective of science, medicine, and innovation. In other words, a “cold” idea could still be hot in other ways.

Collaboration is hot, silos are not. Empowerment for patients and consumers is at the heart of digital health. As a result, the role of the doctor will shift from control to collaboration. The good news for physicians is that the new and evolved clinician role that emerges will be hot as heck. The same applies to the nature of innovation in digital health and pharma. The lone wolf is doomed to fail, and eclectic thinking from mixed and varied sources will be the basis for innovation and superior care.

Scanners are hot, trackers are not. Yes, the tricorder will help redefine the hand-held tool for care. From ultrasound to spectrometry, the rapid and comprehensive assimilation of data will create a new “tool of trade” that will change the way people think about diagnosis and treatment. Trackers are yesterday’s news stories (and they’ll continue to be written) but scanners are tomorrow’s headlines.

Rapid and bold innovation is hot, slow and cautious approaches are not. Innovators are often found in basements and garages where they tinker with the brilliance of what might be possible. Traditionally, pharmaceutical companies have worked off of a different model, one that offers access and validation with less of the freewheeling spirit that thrives in places like Silicon Valley. Looking ahead, these two styles need to come together. The result, I predict, will be a digital health collaboration in which varied and conflicting voices build a new health reality.

Tiny is hot, small is not. Nanotechnology is a game-changer in digital health. Nanobots, among other micro-innovations, can now be used to continuously survey our bodies to detect (and even treat) disease. The profound ability for this technology to impact care will drive patients to a new generation of wearables (scanners) that will offer more of a clinical imperative to keep using them.

Early is hot, on-time is not. Tomorrow’s technology will fuel both rapid detection and the notion of “stage zero disease.” Health care is no longer about the early recognition of overt signs and symptoms, but rather about microscopic markers that may preempt disease at the very earliest cellular and biochemical stages.

Genomics are hot, empirics are not. Specificity — from genomics to antimicrobial therapy — will help improve outcomes and drive costs down. Therapy will be guided less and less by statistical means and population-based data and more and more by individualized insights and agents.

AI is hot, data is not. Data, data, data. The tsunami of information has often done more to paralyze us than provide solutions to big and complex problems. From wearables to genomics, that part isn’t slowing down, so to help us manage it, we’ll increasingly rely on artificial intelligence systems. Keeping in mind some of the inherent problems with artificial intelligence, perhaps the solution is less about AI in the purest sense and more around IA — intelligence augmented. Either way, it’s inevitable and essential.

Cybersecurity is hot, passwords are not. As intimate and specific data sets increasingly define our reality, protection becomes an inexorable part of the equation. Biometric and other more personalized and protected solutions can offer something that passwords just can’t.

Staying connected is hot, one-time consults are not. Medicine at a distance will empower patients, caregivers, and clinicians to provide outstanding care and will create significant cost reductions. Telemedicine and other online engagement tools will emerge as a tool for everything from peer-to-peer consultation in the ICU to first-line interventions.

In-home care is hot, hospital stays are not. “Get home and stay home” has always been the driving care plan for the hospitalized patient. Today’s technology will help provide real-time and proactive patient management that can put hospital-quality monitoring and analytics right in the home. Connectivity among stakeholders (family, EMS, and care providers) offers both practical and effective solutions to care.

Cost is hot, deductibles are not. Cost will be part of the “innovation equation” that will be a critical driver for market penetration. Payers will drive trial (if not adoption) by simply nodding yes for reimbursement. And as patients are forced to manage higher insurance deductibles, options to help drive down costs will compete more and more with efficacy and novelty.

Putting it all together: What will it take to break away in 2015?

Beyond speed lies velocity, a vector that has both magnitude and direction. Smart innovators realize that their work must be driven by a range of issues from compatibility to communications. Only then can they harness the speed and establish a market trajectory that moves a great idea in the right direction. Simply put, a great idea that doesn’t get noticed by the right audience at the right time is a bit like winking to someone in the dark. You know what you’re doing, but no one else does.



Obama Gives Data Security Some Needed Momentum


Every year, I see Mac McMillan at HIMSS and wonder if he’ll ever be positive.

Of course I’m joking, but in a way you can’t blame McMillan—a renowned data security expert, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force, and CEO of the consulting firm, CynergisTek—for being a “Debbie Downer.” Data security in healthcare has been and is abysmal.

Every year, the Traverse City, Mich.-based Ponemon Institute releases its annual patient privacy and security study and the results are somewhat startling. This past year, 90 percent of respondents say they’ve had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period. The economic impact of a breach has remained steadily high.

And this is just one study of many, one voice of many, and one indication that healthcare has a big problem with data security. It’s not exactly far-reaching to say we have a long ways to go if these abysmal statistics are to reverse.

Moreover, it could get worse before it gets better. Hackers are now starting to target healthcare data holders. This week, Jason Roos, CTO at Stanford Hospital & Clinics and Stanford University Medical Center in Palo Alto, Calif., explained to me why the exposure of the threat is significant in healthcare, compared to other sectors.

One of the big problems is that it seems like a lot of high-level executives in hospitals don’t care about data security until it’s too late. They don’t want to put in protections, do a risk analysis, and pay for extensive training until they have the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) knocking at their door.

It’s not just healthcare that lags in this way. The retail, entertainment, finance, education, and government sectors seem to have this problem too. In our podcast conversation, McMillan called 2014 the year of the incident. You could say that again. Sony, JP Morgan, Community Health, Home Depot all had high profile breaches. Incidents were everywhere in 2014.

I guess that’s why I was excited to read about President Barack Obama’s dedication to data security, which made the news this week. Specific information on his proposal is sparse, with most details expected to be announced during the State of the Union on Tuesday, but let’s just acknowledge that something is better than nothing. As a privacy expert said in this CNET article, "This is a huge shot in the arm to a much-needed advancement for our legislative protections.”

A nationally recognized data security policy tells every higher up, whether they are in healthcare or not, “Respect the threat. Be prepared.”  

In New York, Attorney General Eric Schneiderman quietly took it a step farther. He proposed a bill that would expand the definition of private information to include email addresses in combination with a password or security question and answer; require entities that store private data to have reasonable technical and physical safeguards, assess risks regularly, and obtain third-party certifications showing compliance with these requirements; and incentivize companies to provide higher levels of data security and share forensic reports with law enforcement officials. I admire the fact that he wants the strongest data security law in the country.

While these measures are not directed at the healthcare industry specifically, they very well could have a trickledown effect that gives it the kick start that is so desperately needed. In other words, maybe in a few years, I’ll go to HIMSS and Mac McMillan will be a little less annoyed at the way things are with data security in healthcare.



Top 3 trends reshaping the cloud in healthcare IT | Healthcare IT News


2015 is all about cloud platforms for healthcare IT, which means the New Year will bring dramatic changes to the cloud landscape. Three factors that are reshaping the cloud moving into 2015 are cost, customization, and collaboration.

1) Cost. Cost is a significant consideration when talking about cloud technology because most healthcare IT systems are expensive. The software is costly and the number of servers that providers need to purchase gets prohibitively expensive. Moving into the cloud means moving into a completely foreign pricing model for most healthcare IT firms, with a fully virtualized cloud environment that does not require space or additional servers, which can help eliminate costs. 

Multi-tenancy is also a way to control cost in the cloud. With multi-tenancy, healthcare IT firms can create a single instance of a database server to serve all of their clients/tenants. The application has to be architected to be secure within a multi-tenant environment, but as the healthcare IT firm crafts its application to be multi-tenant, it can share more pieces of the infrastructure puzzle.

With a legacy/turn-key application, healthcare IT firms might have been able to share the database but couldn’t share the application servers or the front-end user experience.  As they morph their application to be truly multi-tenant, now they can share the database servers and the application servers, and potentially the user experience.  

2) Customization. Customizations are different in the cloud. In the traditional IT environment, healthcare IT firms would branch off of a client's environment and modify their UI (User Interface) to get their own special installation. Healthcare IT firms don't want to do this in the cloud because they want to be able to share these instances between multiple tenants. So now, software has to get more intelligent with data-driven configurations versus having a different binary for Tenant A versus Tenant B.

The customizations are modeled in the configuration database, so when Tenant A comes in, the healthcare IT firm retrieves the configuration from their database and it says Tenant A gets this color-scheme, Tenant A can see these fields, but Tenant B has a personalized, tweaked customization experience.  

Legitimately, everything has been moving that way even within in-house turn-key solutions because it is a challenge from a development standpoint to manage 20 branches of code that are all customized. With the cloud, data-driven configurations are modeled within the database.

3) Collaboration. These days, it seems everything is going to the cloud, and healthcare IT is no exception to this trend.

Nowadays, healthcare IT firms, like Invidasys, are enabling the collaboration layer within their software, with the Lync component. Healthcare IT firms can integrate the entire user account experience within their application so that applications such as Word for Office 365 are supported directly in the application.

For instance, a user can pull up a Word online document, have real-time collaboration on a web page, and pull in additional CSRs, or customer support reps, that are looking at particular data on the screen for an online chat. With the cloud, these kinds of integrations for the user’s benefit occur seamlessly and can be updated at any time because they are always available in the cloud. 

In conclusion, 2015 is going to be a big year for the cloud and healthcare IT firms, especially with factors like cost, customization and collaboration. With the cloud, healthcare IT services are becoming more cost effective for the industry, because there is less need for in-office space for servers, costly software upgrades or hardware replacements etc.

The cloud is still as customizable as traditional hardware because features are written into the code during development to allow for a streamlined, configurable user experience. Now that all software is available online, it is easy to collaborate with others and for systems to collaborate with each other. There is no need for sharing versions of work or communicating on separate platforms because having everything accessible in the cloud, all the time, allows for anytime access for anyone on the team.

