IT Support and Hardware for Clinics
36.4K views | +1 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

Is Your Staff Ready for the Next Cyber Attack?

Is Your Staff Ready for the Next Cyber Attack? | IT Support and Hardware for Clinics | Scoop.it

As business and society rely increasingly on technology, the data being created and processed is increasing exponentially. With information effectively becoming the fuel that drives modern organizations, it has become a valuable commodity. Every day organizations face an increasing number of cyber attacks as criminals target their infrastructure and data. Not only are these attacks increasing in frequency, but they are also growing in sophistication. Hackers are finding new and innovative ways to infiltrate networks, compromise systems, and steal data every day. Taking all these factors into account, do you believe your staff is ready for the next cyber attack?

Defending Against Modern Cyber Attacks is Challenging

In today’s digitally-driven world, cybersecurity is growing more complex, cyber attacks are on the increase, and attackers are becoming more sophisticated. Here’s how each of these factors are presenting risks to your organization.

Complexity Introduces Risk

The evolution of technology has helped organizations increase their productivity and efficiency. It has also increased the complexity businesses face when trying to manage it. This complexity increases your cybersecurity risk as there are many more attack vectors hackers can leverage to compromise your systems.

Cyber Attacks Are Increasing in Frequency

According to ISACA’s 2018 State of Cybersecurity findings, more than 50% of security leaders surveyed have seen an increase in cyber attack volumes when compared to the previous year. ISACA’s study also found that 80% of respondents said they are likely or very likely to be attacked this year. These statistics show that organizations are under constant cyber attack. They must remain vigilant and put measures in place to defend themselves.

Attacks Are Growing in Sophistication

As software vendors and cybersecurity professionals patch software and find new ways to fend off attacks, hackers evolve and continue to find new and innovative ways to compromise systems. This continuous evolution has many organizations rating cybersecurity risk as their biggest technology concern.

How to Equip Your Employees

Many argue that your employees are the weakest link in the security chain. The 2018 Cyberwar and the future of Cybersecurity Report confirmed this with 44% of respondents ranking end users as their company's weakest security link. However, with the right training and support, your staff could be the first line of defense against a sophisticated cyber attack.

Implement Good Password Hygiene Practices

According to the Verizon 2018 Data Breach Investigations Report, the vast majority of data breaches result from lost, stolen, or weak passwords. Implementing a policy that forces your employees to follow proper password hygiene practices can go a long way in securing your organization. Employees should use a unique password for every system they access, change it regularly, and not use a weak password that is easy to guess. Routinely evaluating the enforcement of your policy by conducting regular security assessments is also recommended to ensure your employees are following these guidelines.

Use Multi-Factor Authentication

Even great passwords can get cracked. Hackers using sophisticated tools and leveraging the power of cloud computing can compromise systems protected with the most robust passwords. Implementing a solution that requires users to submit a second verification factor, such as a One Time Pin, before granting them access can mitigate this risk substantially.

Implement Defense in Depth and the Principle of Least Privilege

As cyber attacks grow in number and sophistication, implementing a Defense in Depth strategy and the Principle of Least Privilege can help you secure your business. By deploying layers of security, and ensuring employees only have the minimum access needed to perform their duties, you can limit the damage of a cyber attack considerably.

Train Your Employees to Identify Phishing Emails

Phishing is the most common form of cyber attack and has grown in sophistication with hackers even using websites with secure padlocks to deceive users. This development means determined attackers can circumvent standard browser security measures and the only real defense is a well-trained user. Training your users to identify phishing emails is now more crucial than ever.

Training Reduces Your Cybersecurity Risk

With cyber attacks on the increase and growing in sophistication, organizations need to train their employees to mitigate modern security threats. Cybersecurity awareness training can help reduce errors, enhance security, increase compliance, and protect the reputation of your business.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Healthcare Industry: 5 Key Areas Security Professionals Should Consider

Healthcare Industry: 5 Key Areas Security Professionals Should Consider | IT Support and Hardware for Clinics | Scoop.it

The Healthcare industry by its very nature is populated with some amazing people who are devoted to those in need of physical and mental care. Given this noble cause, it was perfectly understandable for them to ask “Why would someone attack us?” when WannaCry hit their sector.

 

In my opinion, the WannaCry compromise was the crescendo of almost a decade’s worth of neglect. Unpatched servers, legacy applications, forgotten risk registers and discarded business cases for investment all played their part. However, it did answer the million-dollar-question asked of all security teams: “What is the real risk of us being attacked?”

 

At the time of the attack, security teams across the country were rallying to resolve the issue, with many (I’m sure) searching for evidence that they had once warned their organization of the dangers of poor cyber-response arrangements and poor patch management.

 

Dare we ask how many servers compromised by WannaCry only required a reboot to enable the patch – denied only because no agreement could be reached to arrange a maintenance window?

As sad and as controversial it sounds, sometimes it takes an incident of this magnitude and publicity for organizations to remember the basics. Despite the irresistible urge for some to shout “I told you so,” we must understand how we can improve now that we have the attention of executive management who wish to avoid the implications of another WannaCry.

 

In recent years, I spent less time on policy and more on advising on change – mostly trying to mediate between innovation and security. In adapting my thinking to include transformation and change, I have identified five key areas I believe all security (and IT) professionals should be considering:

1. THE ‘GIG ECONOMY’

Organizations want to try new things and do not want to be bogged down with procedures and policy. However, we must be mindful of integration and support. Get the right contracts in place; secure robust support agreements and software assurance. Do not become dependent on a third-party application. We all know solutions with security flaws with vendors having no appetite to fix them.

Finally, be prepared to forgo the usual third-party assessments for these smaller firms. Streamline it, and document exceptions!

2. DIGITAL TRANSFORMATION

The right digital plan must be established. It must be designed with a care plan/business strategy at its heart and underpinned by robust architectural designs and operational basics. Base your security strategy around this, and you will not go far wrong. (It also makes asking for investment far easier!)

3. DATA, DATA, DATA

If you cannot extract data from a solution to demonstrate value and outcomes, why bother with it?

And critically, look for a common integration and data extraction tool rather than a swathe of bespoke interfaces known only to the developer who left the organisation two years ago.

4. A RETIREMENT PLAN

Support functions cannot be expected to support operating systems that are no longer supported by the vendor. Like the financial sector, it will only be a matter of time that the healthcare sector will be required to provide decommissioning plans and timelines.

Be proactive with your hardware; refresh and ensure your third-party vendors are contracted to ensure their applications are supported by the latest technology and operating systems.

5. COURAGE

Finally, we must have the courage to stand up for what we know is the right thing to do: do not be swayed by pressure to adopt bad practice or technology.

Whilst saying “No” is never really an option, the transferral of risk certainly is.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How Serious is the Cybersecurity Talent Shortage? 

How Serious is the Cybersecurity Talent Shortage?  | IT Support and Hardware for Clinics | Scoop.it

Across all industries worldwide, cybersecurity has become a top priority. Hackers keep pumping out new types of malware, and data breaches keep occurring. As of April 8, there were already 281 breaches exposing nearly 6 million records in 2019 so far, according to the Identity Theft Resource Center. Businesses can’t afford to sit back and wait until they’re attacked to defend themselves against cybercriminals.

 

With the average cost of a data breach globally totaling $3.86 million according to IBM and the Ponemon Institute, the wisest course of action is to proactively protect your organization with a comprehensive cybersecurity strategy.

 

However, everyone looking to effectively combat IT security threats faces a significant obstacle: a cybersecurity talent shortage. If you’re a business leader seeking to minimize your data breach risk, consider the following information on the extent of this issue and what you can do to overcome it.

 

The Cybersecurity Workforce Gap by the Numbers (ISC)² – an international, nonprofit association for information security professionals – released a report on the cybersecurity workforce gap in 2018. The report draws on a survey of nearly 1,500 cybersecurity pros and IT pros who spend at least 25 percent of their time on cybersecurity tasks.

 

Here are a few key statistics from the report that illustrate the extent of the talent shortage: The global shortage of cybersecurity professionals is approximately 2.93 million. 63 percent of survey respondents said their organizations have a shortage of IT staff focused on cybersecurity. 59 percent also say their organizations have a moderate or extreme cyberattack risk level because they lack sufficient cybersecurity talent. “Awareness of the cybersecurity skills shortage has been growing worldwide,” the report’s introduction states.

 

“Nevertheless, that workforce gap continues to grow, putting organizations at risk. Despite increases in tech spending, this imbalance between supply and demand of skilled professionals continues to leave companies vulnerable.” What’s Behind the Cybersecurity Talent Gap?

 

The increasing popularity of e-commerce and the rise of new technologies like mobile devices and the Internet of Things has created more opportunities for cybercrime. In the past few years, in particular, the demand for cybersecurity talent has surged, according to Verizon. Basically, the supply hasn’t had time to catch up to the skyrocketing demand. Universities and training programs need time to develop the right courses so that job candidates have the cybersecurity skills companies are searching for, Verizon explains.

 

However, it will take a while for college students to complete the new coursework and find their way into the workforce. Another, faster answer to the talent shortage is for workers to learn through on-the-job training.

 

What Can Businesses that Need IT Security Expertise Do to Overcome the Talent Gap? There are several ideas out there already concerning how to remedy the growing and highly concerning cybersecurity skills shortage.

 

Here are a few notable proposals: Form an industry-wide alliance: If large enterprises in the IT world (e.g., Dell, Cisco, Microsoft, Google and so on) join forces, they could put cybersecurity training programs in motion to address the talent shortage, according to the CSO opinion piece “The cybersecurity skills shortage is getting worse” by Jon Oltsik, a principal analyst at Enterprise Strategy Group. Broaden the job search to include candidates with the potential to learn.

 

Companies shouldn’t necessarily rule out professionals who don’t have the ideal qualifications in terms of degrees, certifications, and experience, Arctic Wolf Networks CEO Brian NeSmith advises in the Forbes article “The Cybersecurity Talent Gap Is An Industry Crisis.” Be open-minded and consider that intelligent candidates with great problem-solving skills might do well in the role, even if they don’t have all the prerequisites.

 

Turn to a third-party provider for assistance. A managed security services provider like Stratosphere Networks can help you gain access to high-level cybersecurity expertise while still containing costs. Services such as virtual CISO and CSO can give you all the benefits of having a security pro on staff without drawbacks like the price of training and hiring an in-house executive.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Cybercriminal gang plunders up to $1 billion from banks over two years

Cybercriminal gang plunders up to $1 billion from banks over two years | IT Support and Hardware for Clinics | Scoop.it

A still-active cybercriminal gang has stolen up to a $1 billion from banks in at least 25 countries over the last two years, infiltrating networks with malware and spying on employees’ computers to facilitate large wire transfers, Kaspersky Lab said Sunday.

The computer security vendor, which said it will release a report Monday on its findings, said the gang penetrated deeply into the banks’ networks, taking time to learn about internal procedures to make their fraudulent activity less suspicious.

In some cases, the gang learned about wire transfer systems by watching administrators’ computers over video.

“In this way the cybercriminals got to know every last detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money and cash out,” Kaspersky said in a news release.

The group, called Carbanak after the malware the gang installed on computers, attempted to attack up to 100 banks and e-payment systems since 2013 in 30 countries. The gang members are suspected to be from Russia, Ukraine, other parts of Europe and China.

Some of the financial institutions affected are in Australia, Brazil, Bulgaria, Canada, China, Czech Republic, France, Germany, Hong Kong, Iceland, India, Ireland, Morocco, Nepal, Norway, Poland, Pakistan, Romania, Russia, Spain, Switzerland, Taiwan, Ukraine, the U.K., the U.S.

None of the banks or financial institutions have been named. Kaspersky said in a news release on that Interpol and Europol are involved in the investigation.

Each theft took between two and four months, Kaspersky said. Bank computers would be infected with malware through spear-phishing attacks, which involves sending targeted emails with malicious attachments or links to select employees.

Spear-phishing emails are crafted in a way to make it likely a recipient will open an attachment or click a link that appears innocuous but installs malicious software on a computer.

As much as $10 million was stolen in a raid at a time, Kaspersky said. Funds were transferred using online banking or e-payment systems to the gang’s own accounts or to other banks in the U.S. and China.

In other instances, the attackers had deep control within a bank’s accounting systems, inflating account balances in order to mask thefts. For example, Kaspersky said that an account with $1,000 would be raised to $10,000, with $9,000 transferred to the cybercriminals.

ATMs were also targeted, Kaspersky said. The gang commanded the machines to dispense money at a certain time, with accomplices ready to pick up the disgorged cash.


more...
No comment yet.
Scoop.it!

8 Questions Your Board Will Ask About Your Cybersecurity Program

8 Questions Your Board Will Ask About Your Cybersecurity Program | IT Support and Hardware for Clinics | Scoop.it

Cybersecurity coverage is a critical concern for every modern business. Whether you're a growing company or an established multinational business, your IT infrastructure needs to be secured against a growing range of threats. 

 

An effective cybersecurity program needs to be both robust and capable of change. All possible threats and risk tolerance levels must be clearly defined and managed from the outset. Active participation by all stakeholders is required to ensure the best possible outcomes. 

 

From setting the direction of the program to making operational decisions and providing oversight, the board of directors and all C-suite executives need to understand, engage with, and take ownership of the program.

 

Let's look at eight big questions you need to answer to give your board full confidence in your cybersecurity coverage.

1) What attributes define a complete cybersecurity strategy?

A comprehensive cybersecurity program needs to protect relevant corporate information and systems, both now and in the future. Cybersecurity is all about managing cyber risk.  To properly manage cyber risk, it is critical to have a basic understanding of the key components of a comprehensive and mature cybersecurity program.  By comprehensive and mature we mean broad and deep.  Broad – including all of the key components, and deep – ensuring that each key component is addressed to the degree that mitigates the cyber risk to the level that is acceptable to the Board and C-Suite.

 

Before you can protect the data that defines your organization, it's important to evaluate your current systems based on their structural integrity and ability to adapt. 

  • Maturity and consistency - Maturity is based on consistency over an extended period. This doesn't happen by accident, with effective security solutions adapted carefully to meet the specific needs of an organization. Your security architecture needs to be defined, your documentation needs to be thorough, and your working practices need to align with your security goals.
  • Flexibility and agility - Modern computer systems are changing all the time, and effective security solutions need to adapt to the wider world. Agility and flexibility are critical as security breaches often take place immediately after an update. If maturity is defined by the structural integrity of your security framework, then agility is defined as your ability to respond effectively at any given moment.

2) Have we got adequate review and training initiatives?

Effective cybersecurity solutions demand continual reviews, updates, and training initiatives. Whether it's buying new computers, updating network protocols, or training staff, security risk assessment is an ongoing process that helps to identify risk and ensure compliance at every turn.

 

Your cybersecurity program needs to be reviewed periodically by an independent and objective third party to ensure the relevance of hardware tools, systems and services, and human beings. Updates are not enough in isolation, with alignment between hardware and software, and software and staff also needed. 

 

Security risk assessments, ongoing testing, and awareness training are all required to mitigate risk and ensure safety. Employee training initiatives have a particularly vital role to play, with security breaches often the result of poorly trained staff or incomplete training methods that fail to align with technology updates. 

3) How do we ensure compliance?

Compliance is a critical element of IT security. Regulations put in place across industry sectors help to define appropriate levels of risk and protect information. Whether it's the CSF framework defined by the NIST, the HITECH Act legislation for health providers, or the HIPAA legislation to promote data privacy and security, your organization needs to ensure compliance at every level.

Active participation by all stakeholders is an essential part of the compliance process as well. To meet your obligations, you need to be aware of them first. From there, you can put appropriate measures in place to ensure your security and operational coverage. 

Compliance is about more than ticking boxes. It is an effective strategy and an essential part of your wider security stance.

Below are a few of the most important compliance standards:

  • NIST and CSF - The National Institute of Standards and Technology (NIST) promotes a Cyber Security Framework (CSF) to help organizations better manage and reduce their cybersecurity risk. This framework is used to create consistent standards and guidelines across industry sectors. It is also used to augment specific industry regulations like HIPAA.
  • HITECH and HIPAA - While HITECH and HIPAA are separate laws, they often reinforce each other and both apply to the health industry. The HITECH Act was created in 2009 to support the secure adoption of electronic health records, with HIPAA adopted in 1996 to protect the security and privacy of patient health data.     

Learn more about common compliance regulations here.

4) How do we establish an acceptable risk tolerance level?

While protecting your organization demands diligence at every turn, a no-compromise attitude is rarely effective. Zero risk is impossible as a realistic protection objective, with each organization needing to decide how much loss they can tolerate before a threshold of damage is breached. 

Defining an appropriate level of acceptance or tolerance to risk is one of the most important discussions you can have. To quantify these risks, you must identify likely threats and their potential financial impacts. Security breaches can be significant because they influence both productivity losses and the cost of cleanup.

Before you can set up a robust and effective cybersecurity program, it's important to establish an acceptable risk tolerance level. What value are you trying to protect? And what price are you willing to pay to protect it properly? The NIST Risk Management Framework (RMF) is one important framework used to measure risk tolerance. 

5) Are we aware of our existing vulnerabilities?

Professional vulnerability assessment is needed to measure risk and allocate resources effectively. To align the potential impact of each security incident with an acceptable level of risk, it's important to carry out a professional vulnerability assessment. By breaking down your current security infrastructure, you can find existing vulnerabilities and create solutions that protect your organization.

6) What is our incident response plan?

Incident response and management is an important part of every cybersecurity strategy. While proactive measures are critical, it's just as important to have a response plan in place if something does go wrong. A comprehensive cyber incident management plan involves dedicated recovery measures for specific breaches. This multi-pronged reactive process must begin immediately following an intrusion and be able to adapt to changing circumstances.

7) Have we thought of third-party risk management and insurance?

Cybersecurity is an essential part of every vendor relationship, with malware and other forms of malicious code often hidden in supply chain entry points. A vendor may include a cloud service provider, an IT consultant, a data processor, or even an accounting firm.

Vendor policy management and insurance need to be built into every relationship you have, with effective management programs helping to mitigate risk, and insurance providing protection if something does go wrong. You need to understand risk and ensure best practice at every turn and strengthen vendor indemnities by ensuring that all key risk categories are addressed.

Along with mechanisms for vulnerability assessment and incident response, it's also important to consider the contractual language and documentation used to define the vendor relationship. When it comes to insurance, you need to be protected against internal and vendor-based threats. It's important to mandate your company as an additional insured on all third-party insurance policies.

8) What is the roadmap towards comprehensive  coverage?

Robust and effective cybersecurity demands resources and funding, with an ongoing review of your current security program a great place to start. There is a roadmap involved with achieving comprehensive  coverage, from the initial security assessment through to ongoing testing procedures, incident response plans, equipment updates, and employee training. 

While asking questions is a great place to start, proactive measures, professional solutions, and insurance are needed to ensure comprehensive  coverage in the months and years ahead. 

Effective security measures demand diligence and constant engagement. From your technology and software systems to the people who use them every day, safety and compliance demand your full attention.

Cybersecurity and compliance is a team initiative that demands engagement at every level. From the board and C-suite executives who make the decisions to the people who work with the technology, security is everyone's responsibility.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Do the Cyber Risks of the IoT in Healthcare Outweigh the Benefits?

Do the Cyber Risks of the IoT in Healthcare Outweigh the Benefits? | IT Support and Hardware for Clinics | Scoop.it

The Internet of Things, or IoT, is a system of internet-connected objects that collect, analyze and monitor data over a wireless network. The IoT is used by organizations in dozens of industries, including healthcare. In fact, the IoT is revolutionizing the healthcare sector as devices today have the capability to gather, measure, evaluate and report patient healthcare data.  

 

Unfortunately, IoT connected devices also exponentially increase the amount of access points available to cyber criminals, potentially exposing sensitive and confidential patient information.  In order to take advantage of this valuable new technology, healthcare firms need to ensure that they are aware of the risks and address them ahead of implementation.

How are healthcare organizations using the IoT?

Businesses in the healthcare sector are taking advantage of the IoT to provide better care, streamline tracking and reporting, automate tasks, and often decrease costs. Here are a few examples of how healthcare organizations are using IoT:

  • Medicine dispensers are now integrated with systems that automatically update a patient’s healthcare provider when they skip a dose of medication.
  • Smart beds are equipped with sensors that indicate when it is occupied, alerting the nursing staff if the patient is trying to get up.
  • Caregivers are taking advantage of ingestion monitoring systems whereby swallowed pills transmit data to a device, tracking whether a patient is taking medication on schedule or not.
  • Smart inhalers can now track when asthma and Chronic Obstructive Pulmonary Disease (COPD) sufferers require their medicine. Some of these devices are even equipped with allergen detectors.

 

Connectivity of healthcare solutions through cloud computing gives providers the ability to make informed decisions and provide timely treatment. With the IoT connected technology, patient monitoring can be done in real-time, cutting down on doctor visit expenses and home care requirements.

 

However, as healthcare organizations begin to integrate IoT technology into devices more frequently, cybersecurity risks increase significantly.

Cyber risks of healthcare IoT tech

Cyber risks have become sophisticated and there has been an enormous increase in the quantity and severity of attacks against healthcare providers. In fact, since 2009 the number of healthcare industry data breaches has increased every year, progressing from only 18 in that year to 365 incidences in 2018.  Significant financial costs to a healthcare organization are a consequence of these breaches due to fines, settlements, ransoms, and of course the costs to repair the breach itself.  

 

Businesses are becoming progressively vulnerable to cybersecurity threats due to rapid advancement and increasing dependence on technology. Unsecured IoT devices pose a higher risk by providing an easily accessible gateway for attackers looking to get inside a system and deploy ransomware. Everything from fitness bands to pacemaker devices can be connected to the internet, making them vulnerable to hacking. Most of the information transmitted isn't sufficiently secured, which presents cybercriminals with an opportunity to obtain valuable data.

Managing IoT cybersecurity risks

No organization, including healthcare firms, can block all attackers. However, there are ways in which they can prepare themselves. Use these tips to help protect your healthcare organization from IoT-related cybersecurity risks:

  • Encrypt data to prevent unauthorized access

  • Leverage multi-factor authentication

  • Execute ongoing scanning and testing of web applications and devices

  • Meet HIPAA compliance requirements

  • Ensure vendors meet HIPAA compliance requirements

  • Protect endpoints like laptops and tablets

  • Healthcare staff should be educated to look for signs of phishing emails like typos and grammatical errors

IoT device-specific protection tips:

  • Acquire unique logins and device names. Avoid using the default configurations
  • Ensure the latest version of the software is installed
  • Take an inventory of all apps and devices that documents where it resides, where it originated, when it moves, and its transmission capabilities

Smart devices connected through the IoT increase access points for cyberattacks, significantly increasing risk and organizations need to be prepared in advance to prevent damage from such threats.  The healthcare industry is one of the most sensitive and frequently targeted sectors as well as one of the most costly in which to address a breach. Therefore, it is prudent for organizations to include IoT devices in a thorough cybersecurity risk assessment and ensure that they take all the necessary precautions to minimize vulnerabilities from implementing these IoT devices.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to stop ransomware: It's really not that complicated

How to stop ransomware: It's really not that complicated | IT Support and Hardware for Clinics | Scoop.it

Ransomware. The word itself is scary enough, let alone the glimpse of just how damaging such attacks could be that the world saw in WannaCry and NotPetya during May and June. But cybersecurity experts counter that ransomware shouldn’t actually be so overwhelming to information security professionals -- if they adhere to simple best practices. 

For starters, backup files are crucial and those should be both encrypted and kept offline -- separate from the main network, according to Engin Kirda, professor of electrical and computer engineering and computer and information science at Northeastern University.

 

Lee Kim, HIMSS’ director of privacy and security said the real problem is that hospitals are often stuck running outdated, legacy systems. And even keeping pace with software patches is not always completely effective. Both NotPetya and WannaCry, for instance, leveraged vulnerabilities in these legacy systems.

In fact, Kim explained that when hospitals system must run these outdated systems, including those upon which medical devices are built, it’s necessary to make sure the ports of entry are as closed off as possible. 

 

“If an organization needs to run these systems, shelter the technology from the outside world and segment it from the network,” Lee said. “It’s always best practice to segment the network and not make it possible for one hacker to get in and pivot around your system.”

After patching, segmenting and software needs, Kim said that hospitals can increase defenses with pen testing, which actively scans the system or network for exploitable vulnerabilities.

“I can’t think of a better way to be prepared,” said Kim. “[Pen testing] should be done not just once in a blue moon, it needs to be done regularly. 

Hospitals should authorize the testing with a vendor or security employee with experience to ensure there are no disruptions due to high traffic. 

Risk assessments can also help reveal weaknesses and build defenses. 

 

“We want to make things more difficult for the attackers and reduce the volume of attacks,” she said.

Not surprisingly, the crux of the ransomware issue boils down to the biggest weakness to all networks: the user.

It’s a simple technique, hackers craft emails and trick users into action, Kirda said. “It’s just that some users don’t understand ransomware, and they end up doing things that allow a successful attack.”

 

So phishing training is critical, explained Kim. “It’s the adage of you’re only as strong as your weakest link. You can’t ignore teaching employees what to do and what not to do.”

Fortunately, there’s a lot that can be done with the human element. Naturally, employees should be trained to be cautious about opening attachments. “For an attack to be successful,” Kim said, “they just need a door or one hole to squeeze through.”

Some organizations are also labeling email as external, which can help employees determine the validity of an email sent supposedly from a member within the company. IT can add it to the bottom of every email in red. If an email is sent from outside it will push through the designated filter and notify the user it’s from an outside party.

 

Anti-phishing, user education and clearly marking emails as external or internal are basic blocking and tackling that can go a long way to thwarting attacks. Kim also recommended seeking outside help when you need it.

 

“Study up or hire someone experienced in cybersecurity,” Kim said. There are plenty of ethical hacking pointers available online, and “yet there are so many health organizations vulnerable to attacks. It’s really a twilight zone experience.” 

Ultimately, the issue lies with infosec professionals explaining why cybersecurity needs to be at the forefront of budget discussions and planning -- because it’s a safe bet that the attacks will keep on coming due to profitability. 

“Healthcare is low-hanging fruit,” Kim said. “That’s the unfortunate reality: the dragon is at the door.” 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Year of the Data Breach - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance

As early as July, 2014 was already being called “The Year of the Data Breach”. Big brands like Home Depot and Target were the headliners, but they weren’t alone.  Retailers and financial institutions of all sizes were combating cyber crime after cyber crime. Meanwhile, the healthcare industry suffered its share of incidents as well. In fact, 2014 saw the U.S. Department of Health and Human Services’ database of major breach reports (those affecting 500 people or more) surpass 30.1 million people.

The good news is that 2014 is over. The bad news is that in 2015, things could get even worse.


It seems that 2014 was more of “a sign of things to come” than it was “a moment in time.” This rings especially true for those of us who are safeguarding protected health information.

We have entered an unprecedented era where cyber attacks are becoming more frequent and more sophisticated with every passing day.

In a recent 60 Minutes special, FireEye CEO David DeWalt estimated that 97 percent of companies are getting breached, with hundreds of thousands of attacks happening on a weekly basis across the globe.


Retailers, banks and others are consistently increasing their spending related to security. They are trying diligently to prevent attacks. But in today’s environment, DeWalt believes that breaches “are inevitable.”

The burden that breaches place on the economy, individual organizations and consumers is significant. Widespread compromises of data are driving $11 billion plus in fraud each year. Just as costly is the fact that we are teetering on a crisis of confidence. Can anyone really protect sensitive data?

Given all this, should we just waive the white flag and surrender?

Obviously, the answer is no. While breaches may indeed be “inevitable” at the macro level, there are absolutely things that can be done to reduce the amount of breaches that occur, and to give your organization a better chance of not being part of the statistics. What’s more, the eventual damage a breach causes is highly contingent upon how well you respond to it.

Consider this scary statistic. From the time a “bad guy” hacks into sensitive data, it typically takes 229 days for the breach to be detected. 229 days!

DeWalt argues, as do we, that trying to prevent a breach is only part of what your organization should be doing. A comprehensive approach means that you are assessing your risk of falling victim to a breach, identifying ways to mitigate that risk from coming to life and appropriately planning for how you will respond if you do experience a breach. In other words, how are you assessing and managing information risk within your organization?

The criminals eventually are going to find their way into organizations.

So, the task at hand if you’re among the unlucky ones is to make sure the bad guys don’t gain access to your most important information, that you identify breaches much more quickly and that you stop the criminals from leaving with valuable information. In short, limit the damage.

The plain truth is that the year ahead promises more of the same. A cybersecurity war is being waged, and your data is at the center of it. Make sure you are prepared for battle. If you haven’t done so already, I’d encourage you to download Clearwater’s whitepaper explaining our Information Risk Management Capability Advancement Model. It’s a free resource, and it offers an extensive framework for determining how well you are equipped to manage information risks, and what steps you should consider in the year ahead to strengthen your internal programs.

Here’s to hoping 2015 is a breach-free year for you!


more...
No comment yet.