IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

What is a Security Patch?

A security patch is software that corrects errors in computer software code. Security patches are issued by software companies to address vulnerabilities discovered in the company’s product. Vulnerabilities can be discovered by security researchers. Vulnerabilities can also be found in the aftermath of an attacker exploiting a flaw in an operating system that the software manufacturer was not previously aware of.


Applying security patches that respond to the latest threats enhances device security.

What is the Importance of a Security Patch?

Failure to implement a security patch in a timely manner may place the confidentiality, integrity, and availability of a covered entity’s electronic protected health information (ePHI) at risk.


The Office for Civil Rights (OCR) of the Department of Health and Human Services (the Department that enforces HIPAA) has issued reminders to healthcare providers of the importance of patch management to achieve HIPAA compliance.


Is your organization secure? Download the free cybersecurity eBook to get tips on how to protect your patient information.

What is a Patch Management Process?

A patch management process consists of identifying, acquiring, installing, and verifying patches for products and systems.

OCR has stated that a HIPAA compliant patch management process for a networked organization should include the following elements:

  • Evaluation. Evaluation consists of determining whether a given patch is applicable to a covered entity’s software and systems.
  • Patch Testing. Patch testing should consist of testing the patch on one isolated system first, to see if the patch causes problems such as software malfunctions or system instability. 
  • Approval. Approval consists of approving a specific patch for application, after relevant tests have proven successful.
  • Deployment. Deployment consists of actually applying the patches on live systems. 
  • Verification and Testing. Verification consists of testing and auditing systems after deployment to see if the patches were applied correctly, and that there were no unforeseen side effects. 
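To make the evaluation and verification steps concrete, here is an added Python example (not code from the article or from OCR) that checks vendor advisories against a constructed inventory and also applies the compensating-controls outcome for software that no longer receives patches; the product names, versions, host names and advisory IDs are made-up sample data.

```python
"""Applicability and verification checks for the patch-management process
described above (added example, not code from the article or from OCR).
Inventory, advisories and IDs below are constructed sample data."""
import re
from dataclasses import dataclass


@dataclass
class System:
    host: str
    product: str
    version: str
    holds_ephi: bool        # creates, receives, maintains or transmits ePHI
    supported: bool = True  # False: vendor ships no more patches for it


@dataclass
class Advisory:
    advisory_id: str
    product: str
    affected_below: str     # installed versions lower than this are vulnerable
    fixed_version: str      # first version that contains the patch


def parse_version(version: str) -> tuple:
    """Split '4.10.2' into (4, 10, 2). Comparing the raw strings would rank
    '4.9' above '4.10' and silently mark a vulnerable host as patched."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_applicable(adv: Advisory, system: System) -> bool:
    """Evaluation step: the advisory covers this product and the installed
    version is below the first unaffected version."""
    return (adv.product == system.product
            and parse_version(system.version) < parse_version(adv.affected_below))


def is_verified(adv: Advisory, system: System) -> bool:
    """Verification step: after deployment the installed version is at or
    above the fixed version."""
    return (adv.product == system.product
            and parse_version(system.version) >= parse_version(adv.fixed_version))


def triage(inventory: list, advisories: list) -> list:
    """Evaluate every advisory against every system and return
    (host, advisory_id, action) tuples with ePHI systems first.
    action is 'patch' when a vendor patch exists, or 'compensating_controls'
    when the software is unsupported and no patch will arrive."""
    work = []
    for system in inventory:
        for adv in advisories:
            if not is_applicable(adv, system):
                continue
            action = "patch" if system.supported else "compensating_controls"
            work.append((system.host, adv.advisory_id, action))
    holds_ephi = {s.host: s.holds_ephi for s in inventory}
    return sorted(work, key=lambda w: (not holds_ephi[w[0]], w[0]))


def sample_triage() -> list:
    """Run triage over a constructed clinic inventory (all values made up)."""
    inventory = [
        System("ehr-db-01", "EHRServer", "4.9.0", holds_ephi=True),
        System("frontdesk-02", "EHRServer", "4.10.2", holds_ephi=True),
        System("imaging-03", "LegacyViewer", "2.3", holds_ephi=True, supported=False),
        System("kiosk-04", "KioskOS", "1.0", holds_ephi=False),
    ]
    advisories = [
        Advisory("ADV-EXAMPLE-001", "EHRServer", "4.10.0", "4.10.0"),
        Advisory("ADV-EXAMPLE-002", "LegacyViewer", "3.0", "3.0"),
        Advisory("ADV-EXAMPLE-003", "KioskOS", "1.1", "1.1"),
    ]
    return triage(inventory, advisories)
```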

What are the Benefits of Keeping Security Patches Up to Date?

Keeping security patches up to date allows you to:

  • Reduce Exposure to Cyberattacks. In many instances, security patches are available before a hacker can exploit a system vulnerability.  
  • Protect Your Data. Hackers have the ability to use personal data from one system to gain access to a different one. If, for example, a hacker gains access to a user ID/password from someone who uses these same credentials to access multiple systems, the hacker can gain access to these multiple systems.
  • Protect Data of Patients. Covered entities and business associates must take steps to safeguard ePHI. Security patch installation plays an important role in the safeguarding process.
  • Protect Other Network Users. Worms are a type of malware that remain active on one computer as they infect other computers. Security patches play an important role in stopping the spread of computer worms to other networked devices.

When Is Patch Installation Required Under the HIPAA Security Rule?

The HIPAA Security Rule requires entities to perform risk analysis and risk management. 

The scope of the risk analysis and risk management processes encompasses the potential risks and vulnerabilities to all ePHI that an organization creates, receives, maintains, or transmits. This includes identifying and mitigating risks and vulnerabilities that unpatched software poses to an organization’s ePHI.


Mitigation activities could include installing patches if patches are available and patching is reasonable and appropriate.


In situations where patches are not available (e.g., obsolete or unsupported software), or where testing or other concerns weigh against patching as a mitigation solution, entities should implement reasonable compensating controls to reduce the risk of identified vulnerabilities to a reasonable and appropriate level (e.g., restricting network access or disabling network services to reduce vulnerabilities that could be exploited via network access).


Security patches play an important role in an organization’s cybersecurity strategy. Patches ensure that devices and user data have the most up-to-date protection against current cyberattacks.


Whether one is securing a single device, or an array of computer systems for a large organization, one needs to have a plan in place for patch management.


Are medical devices a security risk for your healthcare organization?

Medical organizations are taking advantage of the IoT (Internet of Things) with Medical Devices

Your medical organization likely implements hundreds to thousands of class 3 medical devices every year.  From heart monitors to hip implants, these devices are amazing innovations that are extending and improving quality of life.  These devices come equipped with features like wireless connectivity and remote monitoring which allow for noninvasive adjustments which reduces the cost, risk and frequency of visits for the patient.


What are the risks associated with Medical Devices? 

As a healthcare organization implementing these devices, it is also extremely important for you to understand the risks associated with these devices.

Many manufacturers lack the technical skills required to implement security controls.  Security must be a collaborative effort between manufacturers and hospital systems.  New devices arriving in hospitals were designed at least 5-6 years ago.  Comparatively, if you connect a computer from that long ago to the internet, you can expect compromise within 10 minutes without security software or updates.  What's more, some wearable devices may be implanted for 15 years on average causing a huge security risk for the patient.

Medical devices currently lack the capacity to detect threats. It is difficult to integrate security controls into medical devices because of their critical function. In many cases, the medical device will continue to be used even if a security flaw is detected because healthcare providers have no alternative option: the device is required to manage the patient’s health.

The FDA does provide guidance regarding medical devices, but it is not enforcing regulations. The FDA wants manufacturers to focus on the safety and functionality of these devices instead of putting the burden of compliance on them. A high profile case involving a pacemaker administered by Saint Jude Medical was actually the first case of an FDA recall of a medical device in 2017. This was their first major move since issuing an alert for cyber risks of infusion pumps in 2015, which led to their guidance for medical devices in 2016.

Are you taking steps to protect your patients and organization while using medical devices?

Security risk is a patient safety issue. Medical devices implanted into your patients carry their data and perform critical functions to maintain patients’ lives. Loss or alteration of patient data could also present an issue to your patient’s health, as they can be denied coverage or treatment as a result. As a healthcare organization it is your responsibility to monitor your healthcare devices and their security as well.

The responsibility of maintaining medical device security is shared among manufacturers, hospitals and IT professionals.  The first step hospitals can take to ensure patient safety with medical devices is to work with manufacturers who adhere to FDA Cybersecurity guidelines.  Always ask your manufacturer about Cyber security.  Hospitals should adopt a testing schedule for medical devices.  Knowing which devices are in use, and what potential security risks these devices may have can lower the chance of problems occurring once they have been implanted. 

Many hospitals have their CIOs overseeing medical device management, not hospital IT; this means that clinical or biomedical engineering staff with little understanding of cybersecurity risks are connecting and monitoring medical devices on hospital networks. As demonstrated time and again, medical devices can be used as an entry point into the hospital network, to reprogram and execute patients or even hold them at ransom.

IT professionals at hospitals need to think differently about medical devices in the IoT than they do about their hospital network security. Consider how the medical device and EMR are identifying the patient; this protects the data as it is transmitted. Use security, authentication and access controls to confirm the patient's identity to ensure the data cannot be altered. Always use devices which capture date and timestamps so the provider knows when the data was gathered. Data transmission protocols should be adopted per device. You may manually transmit data from the patient's device during a visit or automatically transmit that data via the internet. Encryption should always be used to protect data transmissions.

By being proactive regarding your medical device management, you are preparing for security risks that may arise.  

TorrentLocker ransom rampage encrypts 285 million files and counting

Slovakian security wizards ESET have delved deep into the guts of the TorrentLocker ransom malware and pulled out some interesting details of its destructive life story starting with the number of files it has encrypted—a misery-inducing 285 million to date.

Although TorrentLocker is nowhere near the scale of the infamous CryptoLocker, and will likely never acquire the latter’s notoriety, that sort of file scrambling still adds up to 39,670 infected PCs by ESET’s calculation.

On the basis of the spam used to distribute the malware, victims have also been surprisingly concentrated on a small group of countries: the UK, Australia, Canada, Czech Republic, Italy, Ireland, France, Germany, The Netherlands, New Zealand, Spain and Turkey. That means the US was apparently not targeted for some reason although some Americans might have encountered the malware through other channels.

Of the nearly 40,000 victims detected by analyzing numbers inside its command and control, ESET found 570 that had paid the Bitcoin ransom, netting the criminals between $292,700 and $585,401 (£200,000 and up). With a conversion rate of 1.45 percent that’s actually a decent pay-off in line with other examples of ransom malware analysed in a similar way.

As a side note, earlier this year ESET estimated that the total value of Bitcoins entering a wallet suspected of receiving TorrentLocker’s scam proceeds was around $40 million although not all of this would have been from ransom malware. Exactly how much money it has made is therefore still not clear.

A couple of smaller points are worth pulling out. Versions of TorrentLocker appear to have been around a bit longer than previously realized, with the earliest examples turning up in anti-virus nets in February 2014, months before security company iSight Partners first publicised it.

Like Rumpelstiltskin, TorrentLocker also has its own private name that ESET reveals to be the rather prosaic ‘Racketeer’, presumably a translation of a Russian noun.

“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking Trojan malware,” said ESET’s Canadian-based researcher, Marc-Etienne M. Léveillé.

As reported elsewhere, the attackers had also fixed an AES encryption flaw that made it possible to work out the key used to scramble files, he said.

The easiest to overlook aspect of ESET’s research is that it reveals the lures used in TorrentLocker’s spam campaign. As with every other malware attack through this channel, people receive an attachment they are socially-engineered into opening. Some of the lures are quite devious and in some countries will definitely grab the attention of users—an alleged unpaid invoice, a speeding ticket, and package tracking—all localized to the country of the victim.

New Trustwave Report Reveals Security Deficiencies That Increase Data Breach Risk

CHICAGO, IL--(Marketwired - Dec 9, 2014) - A new report from Trustwave reveals many businesses still struggle with information security deficiencies and common security weaknesses that can elevate their risk of data breaches.

Based on a global survey of 476 information technology and security professionals located in more than 50 countries, the 2014 State of Risk Report from Trustwave offers benchmarks by which IT and security professionals can compare their risk stance against their peers. Data from the report can also be used to inform senior leadership about the largest threats they are facing, gaps that need filling and how they can remediate weaknesses and improve their security posture.

Key findings from the 2014 State of Risk Report include:

  • Data is the lifeblood of business: 81 percent of businesses store and process financial data, 71 percent store intellectual property and 47 percent store payment card data.
  • High level executives are only somewhat involved: 45 percent of businesses have board- or senior-level management who take only a partial role in security matters; 9 percent do not partake at all.
  • Sensitive data may be off the radar: 63 percent of businesses do not have a fully mature method to control and track sensitive data, while 19 percent do not have one at all. Additionally, less than half (49 percent) fully encrypt stored sensitive data, with 51 percent doing so only partially or not at all.
  • If they're breached, they don't know what to do: 21 percent of businesses do not have incident response procedures in place; 20 percent of businesses do not have a process that enables the reporting of security incidents.
  • They understand legal implications but fail to take action: 60 percent of businesses are fully aware of their legal responsibilities in safeguarding sensitive data, yet 21 percent never perform security awareness training, 23 percent never hold security planning meetings and 24 percent do not have employees that read and sign their businesses' information security policy.
  • They do not know where their valuable data lives: 33 percent of businesses have not commissioned a risk assessment to identify where their valuable data lives and what controls -- if any -- are in place to protect it.
  • Assumptions about third-party providers' security controls: 58 percent of businesses use third-parties to manage sensitive data, yet almost half (48 percent) do not have a third party management program in place.
  • They lack patch management programs: 58 percent of businesses do not have a fully mature patch management process in place, and 12 percent do not have a patch management process in place at all.

"Businesses must look at security as a business-as-usual imperative," said Michael Aminzade, vice president of Global Compliance & Risk Services at Trustwave. "Understanding their risk level is the first step. By identifying their largest security shortfalls and rectifying them, businesses can stay ahead of the criminals and decrease their risk of getting breached."

Why Cyber-Security Is Important For Your Dental Practice

If you run a dental practice, keeping your computer systems secure at all times is essential.


Due to the increasing frequency and sophistication of cyber-threats, it’s more important than ever to keep your computer systems secure. However, if you’re unsure how to protect your data, you certainly aren’t alone.


The data that you store on your computer systems contains highly sensitive information about your patients, which can make it a target of hackers.


Not only do these records contain important identifying information of your patients that could be targeted by identity thieves, but they also contain protected medical records that are protected by HIPAA.




An effective antivirus program can play a major role in protecting your data and improving dental practice security, but it’s not the whole story.


You need to make sure that your employees are trained on how to avoid malware on the web, avoid falling prey to phishing, and are well-educated on the importance of cyber-security.


In addition, it’s essential to make sure that your employees are familiar with how to identify suspicious emails and ensure that they avoid clicking on links from an unknown sender.




While cyber-security threats are likely to become more advanced as time goes on, health IT security systems are likely to advance as well, which means that there will be new ways to protect your computer system from hackers.


For instance, antivirus programs are becoming increasingly effective at detecting new forms of malware, and many antivirus programs now make it possible to flag websites that could be dangerous.


Using a certified EHR (Electronic Health Records) system will help keep your patients’ information safe; certified EHRs are tested by the government to make sure they meet the highest security standards.


These programs are likely to become far more sophisticated, which is likely to thwart a large portion of cyber-attacks. Furthermore, IT technology is being increasingly utilized for a wide range of dental devices, such as dental cameras, CNC machines, and 3D printers used in the dental industry.


As a result, the list of dental devices that you’ll need to keep secure is likely to increase considerably in the future. Luckily, you’ll have the opportunity to protect these smart devices with cyber-security technologies that are more advanced and effective than ever.

Healthcare environment: Achieving mobile security

Using mobile devices in the healthcare world offers many benefits, but it also presents major risks when it comes to security. In this guest post, Gene Fry, VP of technology and compliance officer at a company that streamlines paper-intensive processes and protects sensitive and business-critical information, provides a guide healthcare organizations can use to develop a culture of mobile security.


Mobile devices are transforming the way professionals communicate, collaborate and coordinate care in the healthcare setting. In addition to improving operational efficiencies, mobile devices have been proven to help speed up health outcomes and reduce length-of-stay. In 2016, a study of approximately 11,500 patients at two hospitals found that patients whose care providers used secure text-messaging as a means of communication had shorter lengths-of-stay, compared to patients whose providers used paging systems.

While there’s no denying the potential benefits of mobile devices, their use remains a significant risk if improperly managed. Of the 260 major healthcare breaches reported by the U.S. Department of Health and Human Services (HHS) in 2015, close to 10% involved a mobile device. Statistics such as this only go to strengthen the argument that IT leaders and CIOs need to look carefully at both sides of the coin when considering implementing a mobile strategy within an organization.

The following steps are intended to guide healthcare organizations through the process of developing a culture of mobile security in such a way that allows them to realize the benefits, while keeping risks to a minimum.

Conduct a risk assessment

The single greatest mobile-related risk to a healthcare organization is a breach of protected health information (PHI). A breach of this nature, which would fall under HIPAA, can carry significant fines, as well as both civil and criminal penalties.

To avoid such scenarios, it’s vital that healthcare organizations take necessary actions to thoroughly assess their technology infrastructure for potential vulnerabilities, and evaluate how best to protect against identified risks. Conducting a security risk assessment, which is a key requirement of the HIPAA security rule, should identify the following information:

  • every mobile device (both past and present) that has had any level of access to the organization’s internal systems, and
  • the type of information that has been accessed, stored or relayed via mobile devices.

Use the right tools for the job

Text messaging and email are inherently risky, due to a lack of encryption around the data being shared between and stored on devices. Should a device wind up lost or stolen, any data that resides on the device itself comes under threat.

Therefore, organizations that access, store, send or receive PHI on mobile devices should only ever carry out such tasks within the secure environment of purpose-built, HIPAA-compliant applications that ensure data remains safeguarded at all times. These secure solutions can help mitigate risks by encrypting information while in transit and storage, enabling users to control and invigilate how this information is accessed.

Secure all mobile devices

Security measures such as password and PIN protection are often a device’s first line of defense when it comes to keeping sensitive information out of the hands of bad actors. This considered, all devices that come in contact with PHI must be adequately protected, via the following security parameters:

  • multi-factor authentication
  • password and PIN protection
  • device encryption
  • firewalls, and
  • regularly updated software and applications.

This is particularly important within organizations that permit BYOD (Bring Your Own Device), where staff may be using the same devices for both professional and personal activities, increasing the likelihood of loss or theft.

Establish policies for mobile usage

Many security-related horror stories can be traced back to an internal source, such as an employee downloading an unauthorized mobile application, which in turn jeopardizes the security of all sensitive data stored on that device. More often than not, individuals don’t intend to cause harm by downloading non-secure applications or programs, but their seemingly innocent actions can introduce security vulnerabilities into the company’s IT infrastructure with potentially devastating consequences.

To avoid such scenarios, employers should establish clearly defined policies to encourage safe mobile usage, and ensure all staff are trained to comply with those policies, while also being made aware of any sanctions for violation.

Ideally, mobile policies should outline procedures for:

  • remote disabling and wiping
  • deletion of messages after a period of time
  • password protection and access authorization, and
  • downloading applications and files.

At the very least, healthcare organizations need to clearly define a list of acceptable and unacceptable actions, and formulate a response plan in case a device is lost, stolen or compromised.

Educate staff

Humans have always been, and will remain, the weakest link in the security chain, and the introduction of mobile devices into the healthcare workplace only accentuates this vulnerability. While the steps outlined above provide a good foundation for healthcare organizations to build upon, cracks will soon begin to show if staff aren’t adequately trained to identify and mitigate risks themselves.

The benefits of mobile technology should be embraced by the healthcare industry, not feared, but when the security risks remain so significant, that’s easier said than done.

Why Are We So Stupid About Passwords?

Despite the seemingly nonstop pace of data breaches, organizations worldwide still don't seem to be paying much attention to detail when it comes to the proper use of passwords.

The latest entrant into the password "hall of shame" is Sony Pictures Entertainment, as the ongoing leaks of purloined Sony data by Guardians of Peace - a.k.a. G.O.P. - continue to highlight. It wasn't just that Sony was - according to numerous reports - using weak, overly short passwords for many systems. Sony was also storing lists of passwords in text files, Word documents and Excel spreadsheets, Mashable reports. Furthermore, none of those files appears to have been password-protected or encrypted.

Security experts react with incredulity at Sony's alleged password missteps. "You don't store passwords in Word files or in Excel spreadsheets," Tom Chapman, director of the security operations group at computer security firm EdgeWave, tells me.

G.O.P. didn't have to look far to unearth sensitive passwords for Sony's internal network, social media accounts and Web services. Indeed, many of them appear to have been shared on file-servers in a folder labeled "Passwords."

Sony has not responded to my multiple requests for comment about the hack attack and its password security practices.

Did Sony Learn From LulzSec?

But leaving passwords gift-wrapped for anyone who's able to penetrate the corporate network suggests that Sony's executives haven't learned from their previous information security missteps.

In 2011, Anonymous offshoot LulzSec claimed to have compromised 1 million users' passwords, as well as "all admin details of Sony Pictures (including passwords)."

Over the course of that year, in fact, the company was pummeled by 21 separate attacks that resulted in breaches of Sony sites, including the theft of 77 million consumers' credit card numbers. The attacks began not long after Sony had laid off a portion of its security staff. Sony subsequently received the year's Pwnie Award - decided by a distinguished panel of information security experts - for "most epic fail," as well as a fine of £250,000 (about $400,000) from the U.K. Information Commissioner's Office, which said in a statement that "the security measures in place were simply not good enough."

Missing: Password Management

Three years after what should have been Sony's security wakeup call, G.O.P. struck via what many security experts suspect was a phishing attack. How well-prepared was Sony for such an attack? After reviewing a recent batch of leaked documents, Buzzfeed claims Sony wasn't even using a social media management system. That's essential for adding two-factor authentication to restrict multi-user access to corporate Twitter and Facebook accounts. Internally, meanwhile, the "Passwords" folder means Sony wasn't enforcing the use of easy-to-use password management software.

Security experts recommend everyone use password managers, which automate the process of generating strong, random passwords; corralling them in one place; storing them in encrypted format; and restricting access. "It is a good practice to use a password manager, and that is essentially keeping everything in a folder called 'passwords' with one major difference - it is properly encrypted so that even if the adversary had it in their possession, they cannot read it without proper credentials," says TK Keanini, CTO of network security firm Lancope.

"There were many major mistakes made at Sony, but the question everyone should ask is: Why does it take a major incident to find these mistakes? Why didn't anyone catch these incredibly obvious insecurities prior to the incident and fix them?" Keanini asks.

Every other organization should now ask itself what would happen if - like Sony - attackers penetrated its network. Would they find social media credentials and lists of admin passwords to tens of thousands of systems in an unprotected Excel spreadsheet?
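As an added illustration of that self-check (example code, not from the article or from any of the vendors quoted), the following Python script looks for loose password lists in text files and in Word or Excel documents, which are zip containers whose visible text lives in a few XML parts; the name and content heuristics are assumptions, and the folder it scans is constructed inside the script.

```python
"""Audit helper that looks for the kind of plaintext credential files described
above: loose text files and Word/Excel documents whose name or content looks
like a password list. Added example, not from the article; the files it scans
are constructed in make_sample_tree()."""
import os
import re
import tempfile
import zipfile

# File or folder names that commonly signal a credential dump (assumed heuristic).
NAME_HINT = re.compile(r"(password|passwd|credential|login)", re.IGNORECASE)
# Lines such as "admin_password = hunter2" or "Password: hunter2" (assumed heuristic).
CONTENT_HINT = re.compile(r"(password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE)

# Office Open XML parts that hold the visible text of .docx and .xlsx files.
OFFICE_TEXT_PARTS = ("word/document.xml", "xl/sharedStrings.xml")


def extract_text(path: str) -> str:
    """Return the readable text of a file; Office documents are unzipped first."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            parts = [n for n in zf.namelist() if n in OFFICE_TEXT_PARTS]
            xml = "".join(zf.read(n).decode("utf-8", "replace") for n in parts)
            # Drop the tags so "<t>Password:</t><t>x</t>" reads as "Password: x".
            return re.sub(r"<[^>]+>", " ", xml)
    with open(path, "rb") as fh:
        # Only the first 64 KiB is inspected; enough for a credential list.
        return fh.read(64 * 1024).decode("utf-8", "replace")


def scan_tree(root: str) -> list:
    """Return sorted (relative_path, reason) pairs for files that look like
    plaintext password lists; reason is 'name' or 'content'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if NAME_HINT.search(rel):
                findings.append((rel, "name"))
            elif CONTENT_HINT.search(extract_text(path)):
                findings.append((rel, "content"))
    return sorted(findings)


def make_sample_tree() -> str:
    """Build a constructed share: a 'Passwords' folder, a spreadsheet with a
    credential cell, a harmless memo and two loose text files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Passwords"))
    with zipfile.ZipFile(os.path.join(root, "Passwords", "servers.xlsx"), "w") as zf:
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>Host</t></si><si><t>hunter2</t></si></sst>")
    with zipfile.ZipFile(os.path.join(root, "inventory.xlsx"), "w") as zf:
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>Twitter</t></si><si><t>Password: hunter2</t></si></sst>")
    with zipfile.ZipFile(os.path.join(root, "memo.docx"), "w") as zf:
        zf.writestr("word/document.xml",
                    "<w:document><w:t>Quarterly budget review</w:t></w:document>")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("facebook admin_password = hunter2\n")
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("Nothing sensitive here.\n")
    return root


def audit_sample() -> list:
    """Scan the constructed share; servers.xlsx is flagged by its folder name,
    inventory.xlsx and notes.txt by their contents."""
    return scan_tree(make_sample_tree())
```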

The obvious takeaway is that enterprises need to get smart about not just requiring strong passwords, but encrypting and restricting access to those passwords, preferably using multi-factor authentication.

Even better, look to advanced authentication mechanisms that provide risk-based access controls. For example, consider products that work with the FIDO Alliance - for "fast identity online" - specification. FIDO offers a "bring what you've got" approach that can treat combinations of a user's mobile device, public/private key, one-time passwords, USB security tokens and more as access tokens, thus eliminating the need for passwords.

Until that happens, of course, organizations must pay close attention to password security, or else risk becoming the next Sony.
