Tag: information security

Top 3 Myths About Digital Identity in Healthcare

By GUS MALEZIS

Healthcare is in the midst of a digital transformation, creating information security, compliance, and workflow challenges. The engagement of an increasingly decentralized workforce along with anytime anyplace healthcare and the proliferation of cloud-based applications, databases, and mobile devices have now (or soon will have) eroded the once well-defined network perimeter.

The healthcare industry remains one of the most highly targeted for cyber-attacks – a recent report from Beazley Breach Insights showed that 41 percent of all breaches in 2018 occurred in the healthcare sector. This means that, going forward, healthcare organizations must pay particular attention to cybersecurity, and do so without restricting or compromising access to the systems and services that providers and patients use now and may use in the future. A successful cybersecurity plan requires these organizations to focus on establishing and managing trusted digital identities for all users, applications, and devices throughout the entire extended digital healthcare enterprise – from the hospital, to the cloud, and beyond.

Why are modern hackers targeting healthcare? Because they can, and they have the opportunity to do so! Hackers also know the value of the data stored within provider systems. Today, medical records fetch up to ten times more money on the dark web than the average credit card.


The Joy of Success

As the year ends, I’ve spoken to many CIOs. 2011 was a hard year filled with Meaningful Use (including many upgrades to certified systems or self-certification), 5010 (the deadline for upgrading billing systems is January 1, 2012), accelerating compliance demands, new security threats, rapidly evolving technologies, and unprecedented demand for new projects driven by the consumerization of IT.

At the same time that CIOs and IT professionals are running marathons, they are being held accountable for events that are not directly under their control. They are not being congratulated for the miracles they create every day, but are being criticized for not moving faster.

What do I mean?

One CIO received a negative audit report because new generations of viruses are no longer stopped by state of the art anti-virus software. Interesting. The CIO cannot control the virus authors, nor the effectiveness of anti-virus software. No one in the industry has solved the problem, but audit firms revel in creating fear, uncertainty and doubt at the Board level as it enhances the reputation of the auditor.

Another CIO was held accountable for infrastructure demands that were not forecasted, planned, or communicated. CIOs do their best to be proactive, but in the world of Big Data, past trends may not predict future needs.

Another CIO was given 10 goals and 5 unplanned urgent projects. She completed 8 of the planned goals and all the urgent projects, yet was told she only met 80% of expectations.

In a world that expects leaders to continuously perform miracles with constrained resources in limited time, we all need to step back and take our own steps to stop the madness.

With your own staff, celebrate the joy of success and focus on what really matters.


Hacking the Hospital: Medical Devices Have Terrible Default Security

Scott Erven is head of information security for a healthcare provider called Essentia Health, and his Friday presentation at Chicago’s Thotcon, “Just What The Doctor Ordered?” is a terrifying tour through the disastrous state of medical device security.

Wired’s Kim Zetter summarizes Erven’s research, which ranges from the security of implanted insulin pumps and defibrillators to surgical robots and MRIs. Erven and his team discovered that hospitals are full of fundamentally insecure devices, and that these insecurities are not the result of obscure bugs buried deep in their codebase (as was the case with the disastrous Heartbleed vulnerability), but rather these are incredibly stupid, incredibly easy to discover mistakes, such as hardcoded easy default passwords.

For example: Surgical robots have their own internal firewall. If you run a vulnerability scanner against that firewall, it just crashes, and leaves the robot wide open.

The backups for image repositories for X-rays and other scanning equipment have no passwords. Drug-pumps can be reprogrammed over the Internet with ease. Defibrillators can be made to deliver shocks — or to withhold them when needed.

Doctors’ instructions to administer therapies can be intercepted and replayed, adding them to other patients’ records.

You can turn off the blood fridge, crash life-support equipment and reset it to factory defaults. The devices themselves are all available on the whole hospital network, so once you compromise an employee’s laptop with a trojan, you can roam free.

You can change CT scanner parameters and cause them to over-irradiate patients.

Why Healthcare Should Be Worried About the Target Cyber Attacks

If you are a CEO or COO of a health care organization, and your IT people have been trying to get your attention, it’s time to have a serious sit-down with them.

If they haven’t been trying to get your attention, it’s time to have a more serious sit-down with them, complete with charts and graphs and arrows on flip charts.

Here’s why: Remember in November it was revealed that the Target retail chain’s computer systems were compromised? Some 70 million names, home addresses and phone numbers were stolen (pretty good raw material for identity theft) and 40 million credit card numbers.

It has turned out since then that some two dozen other companies, including Neiman-Marcus, the Michael’s arts-and-crafts chain and the White Lodging Services hotel management firm, have been hacked in similar ways, with the attackers’ software sitting in the companies’ servers, credit card machines and cash registers often for months before it was detected, sucking down every transaction, every bit of data moved about.

Hey wait, you say, I have every confidence in our computer security. Why we passed a security audit just recently.

Heh. So did Target — just before they discovered the break-in. They got a clean bill of health, and the auditors failed to find the malware installed on every server, every credit card terminal, every cash register.

Why? Because the attackers have gotten way more sophisticated, and they used new techniques and methods of entry. You can now buy ready-made hacking software designed to do this on the Internet for less than $1000.

Here’s the kicker: Target has security guards at the doors, it has those beeper tags on small high-value items so you can’t sneak them out without paying for them, it has burglar alarms — but the perps in the biggest heist in the company’s history entered through the thermostat.

Got that? The thermostat.


Decentralizing the Analysis of Health Data

The transition from paper to digital health care records promises a significantly enhanced ability to leverage claims and clinical data for secondary uses – uses beyond that for which the health data was originally collected, such as research, public health surveillance, or fraud prevention. Done properly, these secondary uses of data that were originally collected for treatment or payment can aid the creation of a more effective, information-driven health care system. For example, researchers are using digital claims data to provide the public with comparisons of the quality and cost effectiveness of treatment for particular conditions among plans or health care facilities in a given market.

Patient privacy and data security are among the first considerations of agencies establishing such programs, and many agencies have instituted strong technical controls (such as de-identifying the data) and policy frameworks to protect the confidentiality and integrity of the data. Although a strong policy framework is essential, the technical architecture of information exchange is another important factor. This week, the Center for Democracy & Technology (CDT) released a report challenging the prevailing centralized model of health data analysis and urging Dept. of Health and Human Services (HHS) to explore distributed systems for secondary use programs. The paper comes at the same time that the Centers for Medicare and Medicaid (CMS) issued a final rule for its risk adjustment program – mandated by the Affordable Care Act of 2010 – that would use a distributed system as a default, changing course from the proposed rule, which would have required a centralized model.
