Category Archives for "Blog"
Blog articles about the latest technology, threats, attack techniques, and vulnerabilities.
An undisclosed computer problem forced United Airlines to ground all domestic flights on Sunday. The halt lasted only an hour, but that was long enough to produce an avalanche of delays and customer complaints across the country. A similar incident last October disrupted United flights worldwide. A month before that, British Airways resorted to issuing hand-written boarding passes after its passenger check-in systems failed. A buggy router caused Southwest Airlines to cancel 2,300 flights at the height of last year’s vacation season.
He who defends everything defends nothing. – Frederick the Great
Every organization faces the same challenge regarding cybersecurity: how to best use a limited pool of resources to defend against unlimited threats. Take your pick of potential foes, from professional criminals and hostile nations to disgruntled insiders. In healthcare, these threats go beyond the IT department and even the bottom line. They can have a direct impact on human lives.
In finance, systemic risk often refers to the collapse of the entire financial system or market. In other applications, it refers to the risk associated with an entire system (e.g., human body, factory) or system of systems (e.g., air traffic control).
In the world of cybersecurity, we are faced with the fact that the Internet is really one large system of systems (or a network of networks really), which means issues in any one area or organization have the potential of rippling out to many others.
We have seen this played out countless times through the spread of Internet viruses and worms, and even through issues with core services like DNS (the Domain Name System, which translates human-friendly names such as www.mycomputer.com into the IP addresses computers actually use, e.g. 10.1.5.6).
Last week, the National Institute of Standards and Technology (NIST) issued a draft update of its Framework for Improving Critical Infrastructure Cybersecurity, or as we call it in the biz, the Framework. This is the first proposed change since the voluntary guidelines were published in February 2014.
While watching Alice in Wonderland today with the kids I was reminded of dealing with cyber security in healthcare organizations. No, not because I think everyone in IT is mad! Although the cyber scene will make even the most sane person at least a little nutty. A conversation between Alice and the Cheshire Cat got me thinking:
Alice: Would you tell me, please, which way I ought to go from here?
The Cheshire Cat: That depends a good deal on where you want to get to.
Alice: I don’t much care where.
The Cheshire Cat: Then it doesn’t much matter which way you go.
Alice: …So long as I get somewhere.
The Cheshire Cat: Oh, you’re sure to do that, if only you walk long enough.
Often in IT, we fix things. We have a million things on our list, so we start working. The cyber risk landscape is ever changing, and often, while we are working to just get somewhere, we find that we are falling behind the times. To change our approach and make sure we are meeting goals while still reacting to a changing environment, we need to make sure our strategy for where we are going is effective.
The easiest way to get nowhere is for all of your staff to get somewhere independently. Leaders need to make sure goals are set out and that the path to get there is shared by the whole team. A linked system that tracks who is doing what and what progress is being made helps with organization and planning. Regular reviews should be in place to give yourself checkpoints. Encourage staff to report with transparency and honesty; checking egos at the door means data is reported accurately. When risk is not appropriately reported upstream, priorities are distorted, resources aren’t made available and goals get altered. Quickly, you are headed somewhere, but not where you need to go.
Simply put, you’re going to end up just going somewhere if you don’t have goals. To achieve goals we must have both the resources and the plan to use them. To get resources we have to accurately communicate risk upstream. To accurately communicate risk we have to perform risk assessments and extract quality data. Discover, Analyze, Treat, Monitor. We all know the steps but sometimes we get in our own way.
Make sure you take the time to analyze your security status, analyze yourself and how accurately you are reporting and analyze your team to make sure you are all working on the same plan.
Here’s wishing you a good trip through wonderland.
Below is an email we received from OCR. It has some very valuable information we’d like to share with our readers. If you’d like to receive these informative emails click here.
June 7, 2016
What’s in Your Third-Party Application Software?
Recently, it has been reported that third-party application software security vulnerabilities are on the rise. Third-party application software is designed to work within operating systems and to assist users in executing tasks on computers and other devices. For example, Microsoft Windows 7 is an operating system that controls the way computers work and how other programs function, but Adobe Acrobat is a third-party application that is utilized by computer users to create, modify, and read PDF files. Many Covered Entities and Business Associates may think their computers and devices that utilize operating systems are secure because the Covered Entities and Business Associates are deploying operating-system updates, but many systems are still at risk from third-party software.
According to a recent study, a majority of companies use third-party applications or software, but less than 1 in 5 companies has performed verification on this third-party software. Also, it was reported that among companies that install their operating-system patches, a fair number have third-party software that remains unpatched.
Furthermore, third-party software may have numerous security vulnerabilities that do not stem from the applications themselves. Misconfigured servers, improper file settings, and outdated software versions may contribute to third-party software security vulnerabilities.
Covered Entities and Business Associates Should Consider:
Testing Software Prior to Installation
Covered Entities and Business Associates should define the criteria they are willing to accept for safe third-party applications, including open source and public domain applications. Applications should meet the corporate standards set by the entities and also satisfy compliance requirements, and entities should test against these criteria.
The purpose of conducting security testing on software is to reveal flaws in its security mechanisms and finding the vulnerabilities or weakness of software applications. For example, conducting testing may find out how vulnerable a system may be to flaws in applications and determine whether data and resources are protected from potential intruders.
Covered Entities and Business Associates should work with their Business Associate vendors to test their applications for security vulnerabilities prior to installation, and on a regular basis after the software has been installed.
Installing Software Patches or Updated Versions
Software patches repair “bugs” in applications and software programs. Patches are updates that fix a particular problem or vulnerability within a program. Covered Entities and Business Associates should be installing patches or updating the software versions promptly and on a continuous basis. The majority of software developers disclose their security flaws to the public; however, attackers exploit these known vulnerabilities if Covered Entities and Business Associates do not fix the security flaws in a timely manner.
Though applying patches is essential to ensure the security of information systems, patches should be assessed prior to deployment to determine the risk they pose to the Covered Entity’s information systems.
Reviewing Software License Agreements
A software license agreement (also known as an end user license agreement, or EULA) highlights the risks that can make ePHI vulnerable. Data can be compromised if Covered Entities and Business Associates ignore the language in a software license agreement, as such behavior can expose a computer and its connected networks and systems to security risks.
Software license agreements are legally binding agreements that can have restrictions on how the software can be used; the agreements can require entities to agree to certain conditions when using the software, and can also limit their ability to sue for damages.
To protect information systems and networks from security and privacy problems related to EULAs, US-CERT recommends that entities:
United States Computer Emergency Readiness Team (US-CERT): www.us-cert.gov – (Software guidance)
This email is being sent to you from the OCR-Security-List listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.
This is an announce-only list, a resource to distribute information about the HIPAA Privacy and Security Rules. For additional information on a wide range of topics about the Privacy and Security Rules, please visit the OCR Privacy website at http://www.hhs.gov/ocr/privacy/index.html. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR’s civil rights authorities and responsibilities can be found on the OCR home page at http://www.hhs.gov/ocr/office/index.html.
If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR’s web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
To subscribe to or unsubscribe from the list serv, go to https://list.nih.gov/cgi-bin/wa.exe?SUBED1=OCR-SECURITY-LIST&a=1
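The OCR email above points out that operating-system patching alone leaves third-party applications unverified. The following script is an added example (not part of the OCR email and not an OCR tool) of the kind of check a practitioner would run: it compares an installed-software inventory against an approved patched baseline and flags anything below baseline or never baselined at all. The host names, product names and version numbers are constructed for illustration; versions are compared numerically component by component, because a plain string comparison would wrongly rank "8.0.9" above "8.0.91".

```python
"""Flag third-party applications whose installed version is below a
patched baseline. Added example; the inventory and baseline below are
constructed for illustration, not real data."""
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '11.0.3' into (11, 0, 3) so versions compare numerically,
    not lexically ('10.0' must sort above '9.0')."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_below(installed: str, baseline: str) -> bool:
    """True when installed < baseline, padding the shorter tuple with
    zeros so '11.0' equals '11.0.0'."""
    a, b = parse_version(installed), parse_version(baseline)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def find_unpatched(inventory: List[Dict[str, str]],
                   baseline: Dict[str, str]) -> List[Dict[str, str]]:
    """Return inventory entries that are below baseline or have no
    baseline at all (unknown software is a finding too: it has never
    been verified against any acceptance criteria)."""
    findings = []
    for item in inventory:
        required = baseline.get(item["name"])
        if required is None:
            findings.append({**item, "reason": "no approved baseline"})
        elif is_below(item["version"], required):
            findings.append({**item, "reason": f"below {required}"})
    return findings


# Constructed sample data: hypothetical hosts, products and versions.
BASELINE = {
    "Adobe Acrobat Reader": "15.023.20070",
    "Java Runtime": "8.0.91",
    "Flash Player": "22.0.0.192",
}
INVENTORY = [
    {"host": "ws-001", "name": "Adobe Acrobat Reader", "version": "15.023.20070"},
    {"host": "ws-002", "name": "Adobe Acrobat Reader", "version": "11.0.10"},
    {"host": "ws-002", "name": "Java Runtime", "version": "8.0.91"},
    # Lexically "8.0.9" > "8.0.91"; numerically it is below and must be flagged.
    {"host": "ws-003", "name": "Java Runtime", "version": "8.0.9"},
    {"host": "ws-003", "name": "LegacyViewer", "version": "2.1"},
]

if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, BASELINE):
        print(f"{f['host']}: {f['name']} {f['version']} ({f['reason']})")
```

In practice the inventory would come from an endpoint-management export and the baseline from the entity's own acceptance criteria for third-party software; the comparison logic is the part that is easy to get wrong.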
The NIST Cybersecurity Framework is not a foolproof formula for cybersecurity; after all, there is no one-size-fits-all solution for security. But implementing this voluntary guideline will surely improve your security game! The Framework includes leading practices from various successful standards bodies and delivers regulatory and legal advantages. Created by NIST (the National Institute of Standards and Technology), the Framework was developed after 10 months of collaborative discussions with more than 3,000 security professionals.
What is the Framework?
The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
The Framework consists of three parts:
• The Framework Core: set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.
• The Framework Profiles: by using the profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources.
• Framework Implementation Tiers: provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
By using the Framework organizations will be able to 1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; 5) Communicate among internal and external stakeholders about cybersecurity risk.
With the NIST Cybersecurity Framework you can now shift from a reactive compliance driven approach to a proactive risk-management process. Adopting the framework will not only help improve your cybersecurity program, but also potentially advance your regulatory and legal standing in the future.
Visit the NIST.gov website for more information:
With years of consulting in the Healthcare industry, we have seen our fair share of cyber security and risk issues. However, one constant we have found is that many hospitals simply do not have a good measure of their own compliance with the HIPAA security rule.
The HIPAA Security Rule establishes national standards for the security of electronic protected health information. It specifies a series of administrative, technical, and physical security safeguards for covered entities and their business associates to assure the integrity, availability, and confidentiality of electronic protected health information. Compliance with the Security rule was required as of April 20, 2005, for most entities covered by HIPAA, and by September 23, 2013, for their business associates.
The authority to administer and enforce the Security Rule was transferred to OCR on July 27, 2009. (1)
Since that time, there have been over 30 civil money penalties handed out for non-compliance. While the average penalty amount is $850,000, fines regularly exceed the $3M mark.
As of January 31, 2016, over 69% of the organizations investigated since April 13, 2003 by the Office for Civil Rights required corrective action! (2)
An additional concern for organizations is the announcement of random HIPAA compliance audits being carried out by OCR (3). Every covered entity and business associate is eligible to be audited regardless of size or type. An audit that finds serious compliance issues may trigger a compliance review for further investigation.
Even organizations that do have a good measure of their compliance often lack an effective way to develop and manage their corrective action plans. Entities need an easy way to monitor and quickly report the status of their compliance and remediation efforts to management and auditors.
HIPAA MRI is easy-to-use, easy-to-implement software that allows you to assess and develop remediation plans for your HIPAA Security compliance. Built specifically for the healthcare industry, the HIPAA MRI software is based on the guidance and standards developed by HHS (U.S. Department of Health and Human Services) and NIST (National Institute of Standards and Technology). Now, compliance and security professionals can save time and resources, assess their compliance, easily develop and manage their remediation plans and track progress toward their HIPAA security compliance.
HealthGuard is proud to introduce one of our security product offerings called PhishAlarm®, a new Wombat Security behavior reinforcement tool. This email client add-in allows employees to alert security and incident response teams to suspected phishing emails with the click of a button. This is an important feature for organizations as early reporting of suspicious emails can dramatically reduce the duration and impact of an active phishing attack.
PhishAlarm further strengthens Wombat’s Continuous Training Methodology by capitalizing on awareness and understanding of phishing issues, and allowing end users to actively apply best practices in defense of their data and systems. Employees who have been educated about the different traps and tricks associated with social engineering attacks are better equipped to accurately recognize and report suspicious emails.
While in Beta trials, a number of our customers — spanning industries such as global manufacturing, food and beverage, energy, and consulting — successfully implemented the PhishAlarm add-in within their organizations. A Senior Cyber Security Analyst from a multinational energy company had this to say about the new email reporting button:
“We’ve been using Wombat’s PhishAlarm product for some time and can already see the positive impact it’s having on our organization. PhishAlarm easily replaced antiquated suspicious email reporting with a consistent and user friendly process that positively affected employee behavior.”
PhishAlarm reinforces the actions that are central to long-term behavior change, and this in turn reduces the risks organizations face from social engineering attacks. This new reporting button offers a number of benefits:
According to the Department of Health and Human Services “The audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”
So, the questions surrounding Phase 2 are:
WHEN? Currently underway
WHO? Every covered entity and business associate is eligible for an audit. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.
HOW DO THEY CONTACT YOU? Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam email folder for emails from OCR (OSOCRAudit@hhs.gov).
HOW DOES THE AUDIT WORK? OCR plans to conduct desk and onsite audits for both covered entities and their business associates. Audited entities will submit documents on-line via a new secure audit portal on OCR’s website. There will be fewer in person visits during these Phase Two audits than in Phase One, but auditees should be prepared for a site visit when OCR deems it appropriate.
See all information from the Department of Health and Human Services here.
Read the Phase 2 Announcement here.