IT Support and Hardware for Clinics
38.4K views | +3 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

What is a Security Patch?

What is a Security Patch? | IT Support and Hardware for Clinics | Scoop.it
What is a Security Patch?

A security patch is software that corrects errors in computer software code. Security patches are issued by software companies to address vulnerabilities discovered in the company’s product. Vulnerabilities can be discovered by security researchers. Vulnerabilities can also be found in the aftermath of a cyberattacker exploiting a vulnerability of an operating system – a vulnerability the software manufacturer was not previously aware of. 

 

Applying security patches that respond to the latest threats, enhances device security.

What is the Importance of a Security Patch?

Failure to timely implement a security patch may place the confidentiality, integrity, and availability of covered entity’s electronic protected health information (ePHI) at risk.

 

The Office for Civil Rights (OCR) of the Department of Health and Human Services (the Department that enforces HIPAA) has issued reminders to healthcare providers of the importance of patch management to achieve HIPAA compliance.

 

Is your organization secure? Download the free cybersecurity eBook to get tips on how to protect your patient information.

What is a Patch Management Process?

patch management process consists of identifying, acquiring, installing, and verifying patches for products and systems. 

OCR has stated that a HIPAA compliant patch management process for a networked organization should include the following elements:

  • Evaluation. Evaluation consists of determining whether a given patch is applicable to a covered entity’s software and systems.
  • Patch Testing. Patch testing should consist of testing the patch on one isolated system first, to see if the patch causes problems such as software malfunctions or system instability. 
  • Approval. Approval consists of approving a specific patch for application, after relevant tests have proven successful.
  • Deployment. Deployment consists of actually applying the patches on live systems. 
  • Verification and Testing. Verification consists of testing and auditing systems after deployment to see if the patches were applied correctly, and that there were no unforeseen side effects. 

What are the Benefits of Keeping Security Patches Up to Date?

Keeping security patches up to date allows you to:

  • Reduce Exposure to Cyberattacks. In many instances, security patches are available before a hacker can exploit a system vulnerability.  
  • Protect Your Data. Hackers have the ability to use personal data from one system to gain access to a different one. If, for example, a hacker gains access to a user ID/password from someone who uses these same credentials to access multiple systems, the hacker can gain access to these multiple systems.
  • Protect Data of Patients. Covered entities and business associates must take steps to safeguard ePHI. Security patch installation plays an important role in the safeguarding process.
  • Protect Other Network Users. Worms are a type of malware that remain active on one computer as they infect other computers. Security patches play an important role in stopping the spread of computer worms to other networked devices.

When Is Patch Installation Required Under the HIPAA Security Rule?

The HIPAA Security Rule requires entities to perform risk analysis and risk management. 

The scope of the risk analysis and risk management processes encompasses the potential risks and vulnerabilities to all ePHI that an organization creates, receives, maintains, or transmits. This includes identifying and mitigating risks and vulnerabilities that unpatched software poses to an organization’s ePHI.

 

Mitigation activities could include installing patches if patches are available and patching is reasonable and appropriate.

 

In situations where patches are not available (e.g., obsolete or unsupported software) or testing or other concerns weigh against patching as a mitigation solution, entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level (e.g., restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access)

 

Security patches play an important role in an organization’s cybersecurity strategy. Patches ensure that devices and user data have the most up-to-date protection against current cyberattacks.

 

Whether one is securing a single device, or an array of computer systems for a large organization, one needs to have a plan in place for patch management.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

Are medical devices a security risk for your healthcare organization?

Are medical devices a security risk for your healthcare organization? | IT Support and Hardware for Clinics | Scoop.it

Medical organizations are taking advantage of the IoT (Internet of Things) with Medical Devices

Your medical organization likely implements hundreds to thousands of class 3 medical devices every year.  From heart monitors to hip implants, these devices are amazing innovations that are extending and improving quality of life.  These devices come equipped with features like wireless connectivity and remote monitoring which allow for noninvasive adjustments which reduces the cost, risk and frequency of visits for the patient.

 

What are the risks associated with Medical Devices? 

As a healthcare organization implementing these devices, it is also extremely important for you to understand the risks associated with these devices.

Many manufacturers lack the technical skills required to implement security controls.  Security must be a collaborative effort between manufacturers and hospital systems.  New devices arriving in hospitals were designed at least 5-6 years ago.  Comparatively, if you connect a computer from that long ago to the internet, you can expect compromise within 10 minutes without security software or updates.  What's more, some wearable devices may be implanted for 15 years on average causing a huge security risk for the patient.

Medical devices currently lack the capacity to detect threats.  It is difficult to integrate security controls into medical devices because of their critical function.  In many cases, the medical device will continue to be used even if a security flaw is detected because healthcare providers have no alternative option, the device is required to manage the patient’s health.

The FDA does provide guidance regarding medical devices, but it is not enforcing regulations.  The FDA wants manufacturers to focus on the safety and functionality of these devices instead of putting the burden of compliance on them.  A high profile case involving a pacemaker administered by Saint Jude Medical was actually the first case of a FDA recall of a medical device in 2017.  This was their first major move since issuing an alert for cyber risks of infusion pumps in 2015 which led to their guidance for medical devices in 2016.

Are you taking steps to protect your patients and organization while using medical devices?

Security risk is a patient safety issue.  Medical devices implanted into your patients carry their data and perform critical functions to maintain patient’s lives.  Loss or alteration of patient data could also present an issue to your patient’s health as they can be denied coverage or treatment as a result.  As a healthcare organization it is your responsibility to monitor your healthcare devices and their security as well.

The responsibility of maintaining medical device security is shared among manufacturers, hospitals and IT professionals.  The first step hospitals can take to ensure patient safety with medical devices is to work with manufacturers who adhere to FDA Cybersecurity guidelines.  Always ask your manufacturer about Cyber security.  Hospitals should adopt a testing schedule for medical devices.  Knowing which devices are in use, and what potential security risks these devices may have can lower the chance of problems occurring once they have been implanted. 

Many hospitals have their CIOs overseeing medical device management, not hospital IT, this means that clinical or biomedical engineering staff with little understanding of cybersecurity risks are connecting and monitoring medical devices on hospital networks.  As demonstrated time and again, medical devices can be used as an entry point into the hospital network, to reprogram and execute patients or even hold them at ransom.

T professionals at hospitals need to think differently about medical devices in the IoT than they do about their hospital network security.  Consider how the medical device and EMR are identifying the patient, this protects the data as it is transmitted.  Use security, authentication and access controls to confirm the patient's identity to ensure the data cannot be altered.  Always use devices which capture date and timestamps so the provider knows when the data was gathered. Data transmission protocols should be adopted per device.  You may manually transmit data from the patient's device during a visit or automatically transmit that data via the internet.  Encryption should always be used to protect data transmissions.

By being proactive regarding your medical device management, you are preparing for security risks that may arise.  

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

Ramping Up Automobile Cybersecurity

Ramping Up Automobile Cybersecurity | IT Support and Hardware for Clinics | Scoop.it

In late 2014, signs emerged that the automobile industry was taking the first steps toward addressing cybersecurity and privacy risks.

See Also: Solving the Mobile Security Challenge

For instance, General Motors hired its first chief product cybersecurity officer, and the automobile industry set up an automobile Information Sharing and Analysis Center to collect and share information about cyber-related threats and vulnerabilities in motor vehicle electronics.


Heading into 2015, efforts to mitigate cybersecurity and privacy risks affecting automobiles continue to gain traction. Recently, Senator Edward Markey, D-Mass., issued a report detailing various automobile security and privacy vulnerabilities. Then, on Feb. 11, Markey confirmed that he, along with Senator Richard Blumenthal, D-Conn., will introduce legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards for improving the security of vehicles and protecting drivers' privacy.

"We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century," Markey says.

The senators' efforts come after auto manufacturer BMW recently addressed a potential security gap affecting data transmissions to and from the company's connected vehicles via the mobile phone network.

But while early steps are being taken by the industry to get on top of the risks, progress around securing automobiles may not come as quickly as some would hope. "Sure, proof of concept exploits are there - and they are real - but there is not even a semblance of exploitation by the criminals in the wild," says Anton Chuvakin, research vice president for security and risk management at Gartner.

"We do have a chance to prepare for this now by starting early with car and other device security," he says. "However, the history of information security teaches us that we probably won't. Today the threat is mostly 'not' real, but all signs point that it will become real."

Key Risks

Chris Valasek, director of vehicle security research at IOActive, a computer security services firm, has researched cyber vulnerabilities in automobiles through funding from the Cyber Fast Track initiative from the Defense Advanced Research Projects Agency, or DARPA.

Based on his research, Valasek says hackers could gain access to a vehicle's systems and potentially take private information, such as GPS coordinates or the driver's username and password for various in-car applications. Also, cybercriminals potentially could obtain control of computers within the car that operate certain features, such as cruise control, Valasek says.

"[Through our research], we showed that if you're on the car's computer network, you could send messages to completely stop the car and immobilize it," he says. "If an attacker found a way to break in remotely - through Bluetooth, cellular or an application - and was able to be on the right portion of the car's network, they could stop the car, disengage breaks or steer the steering wheel."

Down the road, automakers also need to worry about the potential cyberthreats concerning so-called "autonomous" or driverless vehicles now in development, says Stephen Wu, an attorney at the Silicon Valley Law Group, who has been researching the legal concerns regarding autonomous driving. "If cars crash because of information security vulnerabilities, it could lead to liability for the manufacturers," he says. "They need not only be concerned about safety, but also the governance of information security, privacy and the management of information that's being generated and communicated by cars."

Security Gaps Remain

The recent report from Senator Markey is based on a survey of 16 major automobile manufacturers about how vehicles may be vulnerable to hackers and how driver information is collected and protected.

Among the findings:

  • Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions;
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents;
  • Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers;
  • Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most said they rely on technologies that cannot be used for this purpose at all.

Valasek at IOActive says the biggest takeaway from the report is how most of the manufacturers couldn't answer many questions. "This means that not only are they behind on their security efforts, but probably don't have a good idea of the attack landscape or where to start," he says.

Legislation

The new legislation proposed by Markey would include three key requirements:

  • All wireless access points in cars must be protected against hacking attacks and evaluated using penetration testing;
  • All collected information must be appropriately secured and encrypted to prevent unwanted access; and
  • The manufacturer or third-party feature provider must be able to detect, report and respond to real-time hacking events.

To address privacy issues, Markey is seeking a transparency requirement that drivers be made explicitly aware of data collection, transmission and use. He also wants consumers to have the ability to choose whether data is collected, without having to disable navigation. And he's seeking prohibition of the use of personal driving information for advertising or marketing purposes.

"In essence, the proposed legislation codifies what have been best practices in privacy and security for years," says Scot Ganow, a privacy and security attorney at the law firm Faruki Ireland and Cox PLL.

But that doesn't mean the proposed law won't face challenges similar to those that have arisen in previous failed attempts to adopt federal data breach legislation, Ganow says. "As with all laws seeking to regulate commerce and, in particular, the flow of information, the struggle will exist over balancing appropriate regulation while not choking innovation and corporate independence."

Proactive Approach

As the security and privacy landscape around automobiles continues to take shape, manufacturers can start taking the necessary steps to get ahead of the challenge before it becomes a real problem.

Right now, hacking a vehicle is still very hard and very expensive, Valasek says. "That's not to say that won't change in the future. But you want to start implementing security measures before there is an actual problem."

Valasek argues that manufacturers "will have to accept that security is required as part of the process and not an after-thought. Only then can we truly talk about mitigating risks."

In addition, automakers should hire more cybersecurity experts and attempt to integrate security into the automotive software development lifecycle, says Ben Johnson, chief security strategist at Bit9 + Carbon Black, an endpoint security firm. "Immediately, I would be hiring penetration-testers and security consultants to do as much assessment and analysis of the existing systems as possible," he says.

It may also be in the best interest of the automobile industry - and consumers - if manufacturers adopt a model similar to PCI-DSS, the independently developed standards in the payments card industry, says Andreas Mai, director for smart connected vehicles at Cisco. "If an independent body devised a list of security features and controls that a vehicle and its computer systems should have, and the body audited vehicles for adherence, even if it was voluntary, like Consumer Reports, it would at least provide consumers with the notion someone has looked at security and provide a baseline level of confidence," he says.


Secunoid's curator insight, February 19, 2015 1:52 PM

The next frontier to keep an eye out for from security perspective, Automobiles.

Sandesh's curator insight, March 23, 2015 9:55 AM

They have introduced the cybersecurity which is attached withh audio player

Scoop.it!

Malware runs on Apple's iOS7 and iOS8 to steal photos, texts and contacts

Malware runs on Apple's iOS7 and iOS8 to steal photos, texts and contacts | IT Support and Hardware for Clinics | Scoop.it

Hackers are using spyware to steal text messages, contacts, pictures and other personal information from iPhones, according to computer security experts.

Anti-virus company Trend Micro claims it has discovered new software that infects iPhones running iOS 7 and iOS8.

The software is spread via phishing attacks that are sent from the phones of friends and associates to encourage targets to click on a link and install the spyware.


The XAgent malware will run on Apple devices like the new iPhone 6 (above) even if they are not jailbroken

Known as XAgent, the spyware will then collect text messages, contact lists, pictures, location data, lists of apps and any software running on the device.

This information is then sent to a remote server while the malware will also switch on the iPhone's microphone and record everything going on around it.

Trend Micro believe the malware has been created by a group of Russian hackers who have in the past been targetting governments, the military and the media.

WHAT IS XAGENT MALWARE? 

The XAgent malware is not the first to hack into Apple's iOS software for its mobile devices.

iPhone users were left unaware for approximately a year-and-a half that a software bug could have made them the victims of ‘hi-tech eavesdropping’.

Security experts warned that past iterations of iOS software - dating from as long ago as September 2012 - had a vulnerability that hackers could have exploited to see financial transactions, emails and Facebook activity.

The vulnerability was eventually fixed by an update to the iOS7 software last February.

Hackers also claim to have been able to circumvent the fingerprint recognition hardware installed on the iPhone 5S and iPhone 6.

Some iPhone users reported last May that they received messages telling them their phones had been hacked by Oleg Pliss and demanding money for their devices to be unlocked.

However, perhaps the worst breach of Apple security was the hack into the company's iCloud that saw the leak of hundreds of personal and naked photographs belonging to celebrities, Jennifer Lawrence, Kelly Brook and Rihanna. 

It is thought that XAgent was designed by the group to help them obtain information from specific high profile targets.

Trend Micro said it had also identified a second malware programme that is focused on recording audio from so-called 'jailbroken' devices. These devices have had limitations on their iOS software removed, which can compromise the phone's security.

Feike Hacquebord, senior threat researcher at Trend Micro, said: 'While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targetted attack.

'The XAgent app is fully functional malware. After being installed on iOS 7, the app’s icon is hidden and it runs in the background immediately.

'When we try to terminate it by killing the process, it will restart almost immediately.

'Installing the malware into an iOS 8 device yields different results. The icon is not hidden and it also cannot restart automatically.

'This suggests that the malware was designed prior to the release of iOS 8 last September 2014.'

Nearly three quarters of Apple iPhones and tablets are now thought to be using iOS8, although a quarter are still running the older iOS7 software.

This could mean that up to 200 million devices could be the most vulnerable to the spyware.

Trend Micro believe the XAgent malware is related to another type of spyware it has been tracking that works on Microsoft Windows' systems called SEDNIT.

They claim that the malware has been created by a group of hackers that it calls Operation Pawn Storm. 

XAgent can turn on the microphone of any iPhone it runs on and record the sound going on around it

Experts at Micro Trend first identified Operation Pawn Storm as being behind a series of online attacks targeting military officials and defence contractors in a cyber-espionage operation.

Subsequently they have also been linked to attacks against government officials and journalists.

Trend Micro said that it is unclear exactly how the new iOS malware is spread, although the group tends to infect the devices of contacts and friends of its targets.

Writing on its blog, Mr Hacquebord and his colleagues who have been investigating XAgent, said they had seen one instance where the malware was attacked to a simple link with the words 'Tap Here to Install the Application'.

However, they added: 'The exact methods of installing these malware is unknown.

'There may be other methods of infection that are used to install this particular malware.

'One possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable.


Via Paulo Félix
No comment yet.
Scoop.it!

Cyber-Security Is Important For Your Dental Practice

Cyber-Security Is Important For Your Dental Practice | IT Support and Hardware for Clinics | Scoop.it

If you run a dental practice, keeping your computer systems secure at all times is essential.

 

Due to the increasing frequency and sophistication of cyber-threats, it’s more important than ever to keep your computer systems secure.

 

However, if you’re unsure how to protect your data, you certainly aren’t alone.

 

The data that you store on your computer systems contains highly sensitive information about your patients, which can make it a target of hackers.

 

Not only do these records contain important identifying information of your patients that could be targeted by identity thieves, but they also contain protected medical records that are protected by HIPAA.

 

PROTECTING YOUR DATA REQUIRES MORE THAN JUST AN ANTIVIRUS SOFTWARE

 

An effective antivirus program can play a major role in protecting your data and improving dental practice security, but it’s not the whole story.

 

You need to make sure that your employees are trained on how to avoid malware on the web, avoid falling prey to phishing, and are well-educated on the importance of cyber-security.

 

In addition, it’s essential to make sure that your employees are familiar with how to identify suspicious emails and ensure that they avoid clicking on links from an unknown sender.

 

WHAT CAN BE EXPECTED IN THE FUTURE?

 

While cyber-security threats are likely to become more advanced as time goes on, health IT security systems are likely to advance as well, which means that there will be new ways to protect your computer system from hackers.

 

For instance, antivirus programs are becoming increasingly effective at detecting new forms of malware, and many antivirus programs now make it possible to flag websites that could be dangerous.

 

These programs are likely to become far more sophisticated, which is likely to thwart a large portion of cyber-attacks. Furthermore, IT technology is being increasingly utilized for a wide range of dental devices, such as dental cameras, CNC machines, and 3D printers used in the dental industry.

 

As a result, the list of dental devices that you’ll need to keep secure is likely to increase considerably in the future.

 

Luckily, you’ll have the opportunity to protect these smart devices with cybersecurity technologies that are more sophisticated and effective than ever.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

3 Cisco Cloud Security Products to Check Out 

3 Cisco Cloud Security Products to Check Out  | IT Support and Hardware for Clinics | Scoop.it

Cisco continues to evolve its cloud security profile with new developments from Meraki, Umbrella and Duo products. These three products are made to seamlessly integrate with your systems to better protect your business. Learn more about each below.

Cisco Meraki

Cisco Meraki combines security cameras, cloud-management, and analytics with the MV lineup. The MV22 and MV72 cameras provide reliable security. They are easy to set up and manage through the Meraki dashboard. This tool eliminates the single point of failure, so you don’t have to worry about one camera failing and taking down the whole system. Both models have 256GB of solid states storage and up to 1080 pixels of high definition resolution. The Meraki dashboard allows for monitoring and management of all cameras from anywhere in one or multiple locations with no extra software required. The dashboard uses analytics to provide valuable insights to protect your business. An example is performing a motion search, which can detect people using pixels at certain periods of time during the day. Additionally, under the Meraki brand, the Meraki SD-WAN is 100% centralized cloud management for security, networking and application control. The dashboard enables network admins to view networked clients, bandwidth consumption, and application usage across all sites. Some of its features include no external modem, high availability, and advanced security license/firewire.

Cisco Umbrella

Cisco Umbrella Solution is a cloud-based secure internet gateway and provides the first line of defense from threats on the internet – even if the end-user is working remotely from a company device or their own computer. The Umbrella boasts an easy deployment and an even easier system to operate. It integrates directly with Meraki products and the rest of the Cisco security profile. With Umbrella, users are protected anywhere they access the internet with or without a VPN. The DNS is the biggest threat to security and most of the time isn’t monitored. The Umbrella Cloud Solution solves this gap as the first line of defense. It not only solves requests, but it also looks at comparisons in the data to better detect similar threats from cyber fingerprints used by attackers.

Duo

The duo is the most recent addition to the Cisco family. This tool offers a streamlined way to improve the user experience during the multi-factor authorization while also protecting your business. The duo takes it a step further by checking devices managed and unmanaged to ensure it meets security standards before granting access. 


Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

Apple Adds More Security To iMessage And FaceTime With Two-Factor Authentication

Apple Adds More Security To iMessage And FaceTime With Two-Factor Authentication | IT Support and Hardware for Clinics | Scoop.it

Apple has improved the security of FaceTime and iMessage, its voice/video and multimedia chat communication tools. The services got two-factor authentication today as an option for users to enable, meaning that even if someone uses their Apple ID email and password to enable iMessage or FaceTime on a new device, they’ll still need to use a pin code from an existing trusted device to gain access to those services.

You may recognize the system from iCloud’s two-factor authentication, or if you’ve tried to set up Keychain to keep your passwords in sync between Apple devices. If you’ve previously enabled two-factor for iCloud, it’ll also be enabled to FaceTime and iMessage. The additional level of protection applied to these services helps ensure that people will have a harder time grabbing potentially private images from your iMessage history, or pretending to be you via online communication methods.

Two-step comes into play when users log out of an account on their device and try to log back in, as well, meaning you’ll have to get that trusted device out should you temporarily disable your account on the device, or in some cases if you run a system update or switch SIMs. This is a good step for Apple, and hopefully an indication that it intends to roll out two-step security to all of its services in good time.

Gabriela Atuesta's curator insight, February 17, 2015 12:25 AM

Nuevo sistema de seguridad para el uso de IMessage y de FaceTime en los dipositivos Apple.