IT Support and Hardware for Clinics

News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

Healthcare environment: Achieving mobile security

Using mobile devices in the healthcare world offers many benefits, but it also presents major security risks. In this guest post, Gene Fry, VP of technology and compliance officer at a company that streamlines paper-intensive processes and protects sensitive, business-critical information, provides a guide healthcare organizations can use to develop a culture of mobile security.

Mobile devices are transforming the way professionals communicate, collaborate and coordinate care in the healthcare setting. In addition to improving operational efficiencies, mobile devices have been shown to accelerate health outcomes and reduce length of stay. In 2016, a study of approximately 11,500 patients at two hospitals found that patients whose care providers used secure text messaging as a means of communication had shorter lengths of stay than patients whose providers used paging systems.

While there’s no denying the potential benefits of mobile devices, their use remains a significant risk if improperly managed. Of the 260 major healthcare breaches reported by the U.S. Department of Health and Human Services (HHS) in 2015, close to 10% involved a mobile device. Statistics such as this only go to strengthen the argument that IT leaders and CIOs need to look carefully at both sides of the coin when considering implementing a mobile strategy within an organization.

The following steps are intended to guide healthcare organizations through the process of developing a culture of mobile security in such a way that allows them to realize the benefits, while keeping risks to a minimum.

Conduct a risk assessment

The single greatest mobile-related risk to a healthcare organization is a breach of protected health information (PHI). A breach of this nature, which would fall under HIPAA, can carry significant fines, as well as both civil and criminal penalties.

To avoid such scenarios, it’s vital that healthcare organizations take necessary actions to thoroughly assess their technology infrastructure for potential vulnerabilities, and evaluate how best to protect against identified risks. Conducting a security risk assessment, which is a key requirement of the HIPAA security rule, should identify the following information:

  • every mobile device (both past and present) that has had any level of access to the organization’s internal systems, and
  • the type of information that has been accessed, stored or relayed via mobile devices.

Use the right tools for the job

Text messaging and email are inherently risky, because the data shared between devices and stored on them is not encrypted. Should a device be lost or stolen, any data that resides on the device itself is at risk.

Therefore, organizations that access, store, send or receive PHI on mobile devices should only ever carry out such tasks within the secure environment of purpose-built, HIPAA-compliant applications that keep data safeguarded at all times. These secure solutions mitigate risk by encrypting information both in transit and at rest, and by enabling administrators to control and monitor how that information is accessed.

Secure all mobile devices

Security measures such as password and PIN protection are often a device's first line of defense in keeping sensitive information out of the hands of bad actors. With this in mind, all devices that come in contact with PHI must be adequately protected through the following security controls:

  • multi-factor authentication
  • password and PIN protection
  • device encryption
  • firewalls, and
  • regularly updated software and applications.

This is particularly important within organizations that permit BYOD (Bring Your Own Device), where staff may be using the same devices for both professional and personal activities, increasing the likelihood of loss or theft.

Establish policies for mobile usage

Many security-related horror stories can be traced back to an internal source, such as an employee downloading an unauthorized mobile application, which in turn jeopardizes the security of all sensitive data stored on that device. More often than not, individuals don’t intend to cause harm by downloading non-secure applications or programs, but their seemingly innocent actions can introduce security vulnerabilities into the company’s IT infrastructure with potentially devastating consequences.

To avoid such scenarios, employers should establish clearly defined policies to encourage safe mobile usage, and ensure all staff are trained to comply with those policies, while also being made aware of any sanctions for violation.

Ideally, mobile policies should outline procedures for:

  • remote disabling and wiping
  • deletion of messages after a period of time
  • password protection and access authorization, and
  • downloading applications and files.

At the very least, healthcare organizations need to clearly define a list of acceptable and unacceptable actions, and formulate a response plan in case a device is lost, stolen or compromised.

Educate staff

Humans have always been, and will remain, the weakest link in the security chain, and the introduction of mobile devices into the healthcare workplace only accentuates this vulnerability. While the steps outlined above provide a good foundation for healthcare organizations to build upon, cracks will soon begin to show if staff aren’t adequately trained to identify and mitigate risks themselves.

The benefits of mobile technology should be embraced by the healthcare industry, not feared, but when the security risks remain so significant, that’s easier said than done.

Technical Dr. Inc.'s insight:
Contact details: inquiry@technicaldr.com or 877-910-0004, www.technicaldr.com

Why Are We So Stupid About Passwords?

Despite the seemingly nonstop pace of data breaches, organizations worldwide still don't seem to be paying much attention to detail when it comes to the proper use of passwords.

The latest entrant into the password "hall of shame" is Sony Pictures Entertainment, as the ongoing leaks of purloined Sony data by Guardians of Peace - a.k.a. G.O.P. - continue to highlight. It wasn't just that Sony was - according to numerous reports - using weak, overly short passwords for many systems. Sony was also storing lists of passwords in text files, Word documents and Excel spreadsheets, Mashable reports. Furthermore, none of those files appears to have been password-protected or encrypted.

Security experts react with incredulity at Sony's alleged password missteps. "You don't store passwords in Word files or in Excel spreadsheets," Tom Chapman, director of the security operations group at computer security firm EdgeWave, tells me.

G.O.P. didn't have to look far to unearth sensitive passwords for Sony's internal network, social media accounts and Web services. Indeed, many of them appear to have been shared on file-servers in a folder labeled "Passwords."

Sony has not responded to my multiple requests for comment about the hack attack and its password security practices.

Did Sony Learn From LulzSec?

But leaving passwords gift-wrapped for anyone who's able to penetrate the corporate network suggests that Sony's executives haven't learned from their previous information security missteps.

In 2011, Anonymous offshoot LulzSec claimed to have compromised 1 million SonyPictures.com users' passwords, as well as "all admin details of Sony Pictures (including passwords)."

Over the course of that year, in fact, the company was pummeled by 21 separate attacks that resulted in breaches of Sony sites, including the theft of 77 million consumers' credit card numbers. The attacks began not long after Sony had laid off a portion of its security staff. Sony subsequently received the year's Pwnie Award - decided by a distinguished panel of information security experts - for "most epic fail," as well as a fine of £250,000 (about $400,000) from the U.K. Information Commissioner's Office, which said in a statement that "the security measures in place were simply not good enough."

Missing: Password Management

Three years after what should have been Sony's security wakeup call, G.O.P. struck via what many security experts suspect was a phishing attack. How well-prepared was Sony for such an attack? After reviewing a recent batch of leaked documents, Buzzfeed claims Sony wasn't even using a social media management system. That's essential for adding two-factor authentication to restrict multi-user access to corporate Twitter and Facebook accounts. Internally, meanwhile, the "Passwords" folder means Sony wasn't enforcing the use of easy-to-use password management software.

Security experts recommend everyone use password managers, which automate the process of generating strong, random passwords; corralling them in one place; storing them in encrypted format; and restricting access. "It is a good practice to use a password manager, and that is essentially keeping everything in a folder called 'passwords' with one major difference - it is properly encrypted so that even if the adversary had it in their possession, they cannot read it without proper credentials," says TK Keanini, CTO of network security firm Lancope.

"There were many major mistakes made at Sony, but the question everyone should ask is: Why does it take a major incident to find these mistakes? Why didn't anyone catch these incredibly obvious insecurities prior to the incident and fix them?" Keanini asks.

Every other organization should now ask itself what would happen if - like Sony - attackers penetrated its network. Would they find social media credentials and lists of admin passwords to tens of thousands of systems in an unprotected Excel spreadsheet?

The obvious takeaway is that enterprises need to get smart about not just requiring strong passwords, but encrypting and restricting access to those passwords, preferably using multi-factor authentication.

Even better, look to advanced authentication mechanisms that provide risk-based access controls. For example, consider products that work with the FIDO Alliance - for "fast identity online" - specification. FIDO offers a "bring what you've got" approach that can treat combinations of a user's mobile device, public/private key, one-time passwords, USB security tokens and more as access tokens, thus eliminating the need for passwords.

Until that happens, of course, organizations must pay close attention to password security, or else risk becoming the next Sony.

TorrentLocker ransom rampage encrypts 285 million files and counting

Slovakian security wizards ESET have delved deep into the guts of the TorrentLocker ransom malware and pulled out some interesting details of its destructive life story starting with the number of files it has encrypted—a misery-inducing 285 million to date.

Although TorrentLocker is nowhere near the scale of the infamous CryptoLocker, and will likely never acquire the latter’s notoriety, that sort of file scrambling still adds up to 39,670 infected PCs by ESET’s calculation.

On the basis of the spam used to distribute the malware, victims have also been surprisingly concentrated on a small group of countries: the UK, Australia, Canada, Czech Republic, Italy, Ireland, France, Germany, The Netherlands, New Zealand, Spain and Turkey. That means the US was apparently not targeted for some reason although some Americans might have encountered the malware through other channels.

Of the nearly 40,000 victims detected by analyzing numbers inside its command and control, ESET found 570 that had paid the Bitcoin ransom, netting the criminals between $292,700 and $585,401 (£200,000 and up). With a conversion rate of 1.45 percent that’s actually a decent pay-off in line with other examples of ransom malware analysed in a similar way.

As a side note, earlier this year ESET estimated that the total value of Bitcoins entering a wallet suspected of receiving TorrentLocker’s scam proceeds was around $40 million although not all of this would have been from ransom malware. Exactly how much money it has made is therefore still not clear.

A couple of smaller points are worth pulling out. Versions of TorrentLocker appear to have been around a bit longer than previously realized, with the earliest examples turning up in anti-virus nets in February 2014, months before security company iSight Partners first publicised it.

Like Rumpelstiltskin, TorrentLocker also has its own private name that ESET reveals to be the rather prosaic ‘Racketeer’, presumably a translation of a Russian noun.

“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking Trojan malware,” said ESET’s Canadian-based researcher, Marc-Etienne M. Léveillé.

As reported elsewhere, the attackers had also fixed an AES encryption flaw that made it possible to work out the key used to scramble files, he said.

The easiest aspect of ESET’s research to overlook is that it reveals the lures used in TorrentLocker’s spam campaign. As with every other malware attack through this channel, people receive an attachment they are socially engineered into opening. Some of the lures are quite devious and in some countries will definitely grab the attention of users: an alleged unpaid invoice, a speeding ticket, and package tracking, all localized to the country of the victim.

New Trustwave Report Reveals Security Deficiencies That Increase Data Breach Risk

CHICAGO, IL--(Marketwired - Dec 9, 2014) - A new report from Trustwave reveals many businesses still struggle with information security deficiencies and common security weaknesses that can elevate their risk of data breaches.

Based on a global survey of 476 information technology and security professionals located in more than 50 countries, the 2014 State of Risk Report from Trustwave offers benchmarks by which IT and security professionals can compare their risk stance against their peers. Data from the report can also be used to inform senior leadership about the largest threats they are facing, gaps that need filling and how they can remediate weaknesses and improve their security posture.

Key findings from the 2014 State of Risk Report include:

  • Data is the lifeblood of business: 81 percent of businesses store and process financial data, 71 percent store intellectual property and 47 percent store payment card data.
  • High level executives are only somewhat involved: 45 percent of businesses have board- or senior-level management who take only a partial role in security matters; 9 percent do not partake at all.
  • Sensitive data may be off the radar: 63 percent of businesses do not have a fully mature method to control and track sensitive data, while 19 percent do not have one at all. Additionally, less than half (49 percent) fully encrypt stored sensitive data; the remaining 51 percent encrypt it only partially or not at all.
  • If they're breached, they don't know what to do: 21 percent of businesses do not have incident response procedures in place; 20 percent of businesses do not have a process that enables the reporting of security incidents.
  • They understand legal implications but fail to take action: 60 percent of businesses are fully aware of their legal responsibilities in safeguarding sensitive data, yet 21 percent never perform security awareness training, 23 percent never hold security planning meetings and 24 percent do not have employees that read and sign their businesses' information security policy.
  • They do not know where their valuable data lives: 33 percent of businesses have not commissioned a risk assessment to identify where their valuable data lives and what controls, if any, are in place to protect it.
  • Assumptions about third-party providers' security controls: 58 percent of businesses use third-parties to manage sensitive data, yet almost half (48 percent) do not have a third party management program in place.
  • They lack patch management programs: 58 percent of businesses do not have a fully mature patch management process in place, and 12 percent do not have a patch management process in place at all.

"Businesses must look at security as a business-as-usual imperative," said Michael Aminzade, vice president of Global Compliance & Risk Services at Trustwave. "Understanding their risk level is the first step. By identifying their largest security shortfalls and rectifying them, businesses can stay ahead of the criminals and decrease their risk of getting breached."
