Category Archives: Data leakage

How to share information securely in online support groups

Pathcare is a HIPAA-compliant service for sharing and private messaging with support group members, support group leaders and facilitators. Inside the Pathcare private social network for healthcare, you don’t have to worry about your personal or protected health information being disclosed.

But sometimes – you have to get off the private social network for healthcare and send a doctor some information by email.

You think that should be easy: you’ll just fire up Gmail. And then what happens? How do you protect your personal information from being read by someone other than the recipient? In this day and age of Snowden you cannot be blamed for being paranoid, even if, truth be told, it is friends and family who breach patient privacy, not hackers and whistleblowers.

The only problem is that email encryption software is clumsy and hard to use, and an unexpected surprise for your recipient. You don’t want to have to walk your doctor through a lengthy tech support telephone conversation after you send her your first encrypted email. And that will be hours after you’ve managed to get the necessary software installed and worked out how to generate your key pairs.

We have been longing for a user friendly encryption product for years, one that can be used by anyone and that will allow your recipient the ability to decrypt it without the need for them to buy the same software or even install something on their PC. Most people don’t understand encryption and have no wish to learn the finer points. They just want a method of exchanging potentially sensitive information securely.

The Answer

Finally, smart technology is allowing this type of encryption product to emerge: software that lets you encrypt not only emails and their attachments but also much larger files for exchange via cloud servers, thumb drives, CD-ROMs, even DVDs. The clear front-runners in email encryption make use of identity-based encryption.

Why Identity-based Encryption?

There are three very good reasons why identity-based encryption is highly desirable:

  • With identity-based encryption you immediately ensure you link the private data to be shared with the intended recipient.
  • You can negate the need to create another password that has to be remembered.
  • You don’t have to burden the user with the need to understand “key pairs” along with the exchange of their public key.

Think about it, the one thing that will be unique when emailing someone is his or her email address! A system where a user’s email address is bonded in this way can generate key pairs associated with the address. These keys will be used to encrypt and decrypt any emails the user requires protecting.

No Limits

But why limit it to just emails? Some software products of this type allow the same simple system to be used for files, disks, thumb drives, CD-ROMs, pretty much anything you require to be encrypted.

How Does It Work

Let me try to explain in simple terms how this all works. Every email or data file you want to encrypt and subsequently share with someone else has to be encrypted using that person’s “public key”. Their “public key” has a twin known as a “private key”. Together they are known as a “key pair”. The “private key” of an individual is used to decrypt something that has been encrypted with its twin, the “public key”.

OK, so now we need a method of exchanging “public keys”. By generating and then associating the “key pair” with someone’s email address you have automatically produced a unique “key pair”. The system will know if you are sending an encrypted message to Fred it must generate a “key pair” for Fred. Using Fred’s “public key” it will then encrypt the message. When Fred receives his encrypted email he will be asked to retrieve his private key by logging onto the system using his email address, which will be used to authenticate him and then automatically decrypt his message.

These matching key pairs can be one-time pairs that apply only to a single email or data exchange, further improving the security. Since each key pair is good for only one exchange, if it were to be compromised no future or past exchange would be put at risk. Clever!
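The flow just described (a key pair minted for the recipient’s email address per message, the sender encrypting to the public half, the recipient logging on with their email address to fetch the private half, and each pair used only once) as a worked example in Go. This is added here; it is not code from the original post or from any product named on the page. The KeyService type, its methods and the login-token step are assumptions made for the example, since the post describes an idea rather than an API; true identity-based encryption is not in Go’s standard library, so ECIES-style hybrid encryption (X25519 plus AES-256-GCM) stands in for the product’s scheme. Fred, fred@example.com and the message text are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// must panics on crypto/rand or key-generation failure: without entropy there is no safe way on.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// KeyService stands in for the hosted service the post describes: it mints a fresh X25519 key
// pair per (recipient email, message) and releases the private half only to whoever proves
// control of that address. Struct, methods and the login-token step are this example's assumptions.
type KeyService struct {
	pairs  map[string]*ecdh.PrivateKey // message id -> one-time private key
	owners map[string]string           // message id -> recipient email
	tokens map[string]string           // email -> single-use login token
}

func NewKeyService() *KeyService {
	return &KeyService{map[string]*ecdh.PrivateKey{}, map[string]string{}, map[string]string{}}
}

// IssueRecipientKey generates a message's one-time key pair (entropy from crypto/rand) and returns the public half.
func (s *KeyService) IssueRecipientKey(email, messageID string) *ecdh.PublicKey {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	s.pairs[messageID], s.owners[messageID] = priv, email
	return priv.PublicKey()
}

// SendLoginToken models "log on with your email address": a real service would email the token to that address.
func (s *KeyService) SendLoginToken(email string) string {
	b := make([]byte, 16)
	must(rand.Read(b))
	s.tokens[email] = fmt.Sprintf("%x", b)
	return s.tokens[email]
}

// RetrievePrivateKey releases a message's private key only to its authenticated addressee and burns the token.
func (s *KeyService) RetrievePrivateKey(email, token, messageID string) (*ecdh.PrivateKey, error) {
	want, ok := s.tokens[email]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(token)) != 1 {
		return nil, errors.New("authentication failed")
	}
	delete(s.tokens, email) // single use: a replayed token fails
	if s.owners[messageID] != email {
		return nil, errors.New("message is not addressed to this user")
	}
	return s.pairs[messageID], nil
}

// aeadFor hashes the ECDH secret with both public keys into an AES-256-GCM key, binding the ciphertext to that exact pair.
func aeadFor(shared, ephPub, recipientPub []byte) cipher.AEAD {
	h := sha256.Sum256(append(append(append([]byte{}, shared...), ephPub...), recipientPub...))
	return must(cipher.NewGCM(must(aes.NewCipher(h[:]))))
}

// Encrypt is ECIES-style: the sender needs only the recipient's one-time public key.
// Output layout: ephemeral public key (32) || nonce (12) || ciphertext and tag.
func Encrypt(recipientPub *ecdh.PublicKey, plaintext []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(recipientPub))
	aead := aeadFor(shared, eph.PublicKey().Bytes(), recipientPub.Bytes())
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, nil)
}

// Decrypt reverses Encrypt; a private key issued for a different message fails the GCM check.
func Decrypt(recipientPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 32+12 {
		return nil, errors.New("ciphertext too short")
	}
	// NewPublicKey only checks the length here, which the guard above guarantees is 32.
	shared, err := recipientPriv.ECDH(must(ecdh.X25519().NewPublicKey(blob[:32])))
	if err != nil {
		return nil, err // e.g. a low-order point from a tampered ciphertext
	}
	return aeadFor(shared, blob[:32], recipientPriv.PublicKey().Bytes()).Open(nil, blob[32:44], blob[44:], nil)
}

func main() {
	svc := NewKeyService()
	blob := Encrypt(svc.IssueRecipientKey("fred@example.com", "msg-001"), []byte("lab results attached")) // constructed sample
	tok := svc.SendLoginToken("fred@example.com") // would arrive in Fred's inbox
	priv := must(svc.RetrievePrivateKey("fred@example.com", tok, "msg-001"))
	fmt.Printf("%s\n", must(Decrypt(priv, blob)))
}
```

Two things the sketch makes visible that the prose leaves implicit. First, the service generates and holds every private key, so the sender and recipient are trusting the service’s implementation and its entropy source completely; that is exactly why the questions in the “What to Look For” list matter. Second, because a key pair is bound to one message, a private key recovered for msg-001 opens nothing else: decrypting another message’s ciphertext with it fails the GCM authentication check rather than silently yielding garbage.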

What to Look For

Considerations to bear in mind when selecting this type of product are:

  • How good is the algorithm being used?
  • Has the algorithm been implemented correctly?
  • Has sufficient entropy been collected to utilise the full force of the algorithm?

Say what? I know! This is where it gets quite technical. However, there are some products out there that have been independently certified by experts in the field, so you can take assurance that the product offers robust protection. Try out Egress’s email encryption software, called Switch. It looks like it answers all the above requirements for robustness and user-friendliness.

Tell your friends and colleagues about us. Thanks!
Share this

How to protect your personal information from medical data theft

Private, personal information can be bought and sold on the black market for as little as fifty cents to a dollar, according to a report from Fox Business. But personal medical information can go for much higher prices, creating a market for criminals looking to defraud insurance companies of exorbitant sums of money. Overall, about $40 billion in annual health care fraud can be attributed to medical identity theft. As a result, consumers need to take extra efforts to ensure their personal information is protected from medical identity theft. The best way to guard yourself is to understand the methods through which criminals try to acquire this sensitive information.

1. Don’t give information over the phone

The telephone is a prime channel for criminals attempting to defraud private individuals. They typically pose as insurance companies, medical clinics, doctors’ offices or other institutions to solicit your private information, according to the Federal Trade Commission. Be very hesitant when revealing this information over the phone. Ask for additional information to verify their identity, and if you can’t confirm the individual or the organization, explain that you simply aren’t comfortable giving that information over the phone. Most legitimate medical entities will understand this concern, while scam artists will be frustrated and thwarted.

2. Pay close attention to medical bills and statements

You should keep a close eye on the paper trail of your medical bills, services and statements. When criminals steal your medical identity, they can’t cover up all evidence of this fraud. Services billed to your insurance company, for example, will count toward your deductible and/or coverage limits and show up on statements. Bills from the doctor’s office should also be closely watched.

Once you’ve thoroughly reviewed this information, shred the documents before throwing them away. Billing statements and other documents can be a source of your private information for criminals who go dumpster diving in hopes of finding opportunities to defraud.

3. Enlist the help of identity protection and monitoring services

Pursuing protective and preventative services is one way to protect your identity before you suffer the ill effects of fraud. Companies like LifeLock specialize in monitoring your activity and protecting clients from being defrauded in the first place. If your personal information is stolen and used for these purposes, identity protection services can pick up on this criminal activity right away, putting an end to theft, thus minimizing its negative impact on your finances. These services should not stop consumers from shredding sensitive documents and employing safe habits, but they can be an excellent supplement offering protection where the typical person is exposed.

4. Investigate inaccuracies and strange listings on your medical record

Your medical record follows you wherever you go, and it lists all of the conditions, injuries and other medical activity you have experienced over the years. When someone uses your medical identity for their own purposes — such as gaining access to prescription drugs — this activity is recorded on your medical history. If you are suspicious of possible medical identity theft, inconsistencies and inaccuracies on your medical record could point to instances of fraud. You can always ask your doctor for your medical records, so if you’re ever in doubt, pull them out and take a close look.

Why Google is a bad idea for security and compliance

Dear consultant,

I worry because so many of the best practices documents I read say that we need to store data in the cloud in Canada if we do business in Canada. See page 19 here – Health privacy in Canada

Sincerely – consumer healthcare product manager

Dear consumer healthcare product manager –

First of all: don’t worry, be happy! Thanks for sharing.

Everyone uses Google to ask questions. That includes security and compliance specialists in Israel for biomed like me (Danny Lieberman) and my company (Software Associates).

The problems start when clients start consulting Google for their data security and privacy compliance affairs. Unlike healthcare problems, where very large numbers of people ask and answer questions and the wisdom of the crowds kicks in, data security and privacy compliance is a niche market and it’s very political.

The bottom line is that you do not have to host locally in Canada – until they change the law.

There is no specific legal requirement in Canadian law for country-hosting (as in France).

Unfortunately – as elsewhere in the world – there is a certain amount of misinformed and/or politically motivated media discussion following the Snowden affair.

People who write these documents like to point at the US Patriot Act as a reason for country hosting, without bothering to note what the Patriot Act really is: a US law intended to Provide Appropriate Tools Required to Intercept and Obstruct Terrorism and to intercept lone wolf terrorists.

The suggestion that the NSA will intercept depersonalized consumer health records that you collect in your application as part of the war on individual terrorists borders on the absurd.

Suppose you have a user who is obese and/or has Type II diabetes and/or is pregnant and/or loves to dance Zumba.  Is that information part of the NSA threat model for lone wolf terrorists?

I don’t think so.

The document in question makes an absurd suggestion on page 19 that individual doctor offices are more secure than a Tier 1 cloud service provider.

The data loss risk in a doctor office is several orders of magnitude higher than in Microsoft, Amazon or Rackspace cloud hosting facilities.

Since the document is misleading from a security and compliance perspective (misleading regarding the Patriot Act and incorrect regarding data loss risk) – we see that we cannot rely on it as a source of so-called “security best practices”.

In general – it is not best practice to use Google for security and compliance best practice.

Yours,

Danny Lieberman, security and compliance specialist for biomed companies

Picking Your Way Through the Mime Field

We’re a professional software security consultancy and experienced software developers. Almost 10 years ago, one of our partners proposed that we develop a utility to encrypt Microsoft Outlook email messages. A prototype was developed, but an interesting thing happened when we started talking to potential beta customers: lawyers who had sensitive client information and technology development companies who have valuable intellectual property that they need to protect.

When we asked senior executives what they thought about encrypted email, the answer was universally “We don’t really care”.

Fast forward 10 years and the situation has changed dramatically. We routinely counsel clients to carefully read the terms and conditions of their cloud email service providers. For this reason we generally recommend to our medical and healthcare customers not to use Microsoft Skydrive due to their problematic privacy policy.

Today – encrypted email is an option you must consider.

Google Does What?

Online security, in particular email security, just got a whole lot more interesting with Google’s revelation that it does read emails it handles. Apparently Google have stated this fact in their submissions to hopefully dismiss a class action lawsuit that accuses them of breaking wire tap laws. I have always maintained that writing to someone via email is akin to writing them a postcard. The content of the email, just like a postcard, can be read en route. Now it’s a bit of a stretch of the imagination to think of the Post Office having someone read all of the postcards that we send, but we still would not write to a friend or colleague about private matters on a postcard. We would seal it in an envelope.

Google, in defense of their position regarding the reading of our emails, say: “Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS (electronic communications service) provider in the course of delivery.” This analogy fails to acknowledge the fact that when an assistant opens their boss’s mail they do so with the prior consent of their boss, and they are subject to confidentiality agreements, if not explicit then most certainly implied by their position. Google on the other hand can make no such claim, because they explicitly then share that scanned information with the National Security Agency (NSA) under the provisions of the Patriot Act. Privacy does not exist when communicating by email; if this is news to you and you want to do something about it today, read on.

Sealing Your Email

If you want to continue using email to send your private communications via any web-based communication service, you are going to have to make use of encryption. Now this isn’t the time to stop reading because you think you can’t be bothered to learn all about that malarkey. Modern email encryption can be extremely easy; take a look at Egress Switch. It’s not like back in the day, when both sender and recipient needed to have bought into the same product. Nowadays you can send a friend an encrypted email without having to have previously set the whole thing up!

Where Do I Sign-up?

Finding the right product for you is important; if you are looking for a corporate solution for private messaging and encrypted mail then it becomes a little more involved.

Software Associates is an experienced IT security consultancy with top-flight consultants and has been operating since 2003, serving large publicly traded companies and small startups with the same care and the highest level of attention to providing cost-effective security countermeasures. If you don’t mind corporate America and big brother reading all of your mail, do nothing; however, if that’s not how you want things to play out, you need to adopt email encryption right now!

Kick start your European privacy compliance

The CNIL’s Sanctions Committee issues a 150 000 € monetary penalty to GOOGLE Inc.

On 3 January 2014, the CNIL’s Sanctions Committee issued a 150 000 € monetary penalty to GOOGLE Inc. upon considering that the privacy policy implemented since 1 March 2012 does not comply with the French Data Protection Act. It ordered the company to publish a communiqué on this decision on its homepage Google.fr, within eight days as of its notification.

Does your web site / web service / web application have a privacy policy?

Was that privacy policy written by lawyers who may or may not understand your business and may or may not understand that European states like France have their own regulation of privacy?

You may be facing a stiff penalty for having a non-compliant privacy policy.

The CNIL penalty on Google is a wake-up call.

Thousands of service providers just like you are sitting on the fence and wondering how to comply with European and French privacy regulation as quickly and effectively as possible.

Where do you start?

We’re here to help you get going fast with some common Q&A.

Q. Is my existing privacy policy sufficient?

A. Maybe. Maybe not. A 2 hour review with us will give you a clear picture of what you need to do. After the review we will help you rewrite your privacy policy and terms of service in order to minimize your exposure. For starters, here are 4 points you need to cover:

  1. Does your site sufficiently inform its users of the conditions in which their personal data are processed?
  2. Does your site obtain user consent prior to the storage of cookies?
  3. Does your site define retention periods applicable to the data which it processes?
  4. Does your site permit itself to combine all the data it collects about its users?

Q. What special systems or security products are required?

A. None. Security defenses are a mistake.  See the next question and answer.

Q. How many hours should I budget for Data Protection compliance? How should I protect my data?

A.  We have an 8 week plan to take you from zero to full Data Protection compliance – budget 6 hours / week and you will get there. You also need to identify and mitigate vulnerabilities in your Web site – our Practical Threat Analysis process will pinpoint what you need to do from a perspective of policies and procedures, cloud servers and application security.

Q. What do I do when I complete the 8 week plan for Data Protection compliance?

A. Well, you’ll be sitting on a much more robust system of technical, administrative, policy and procedural controls so go out and have some fun – you deserve it!

If you provide digital services in countries like France and the UK that have local database registration requirements, we will help you comply with local CNIL and UK Data Commissioner requirements.

See CNIL Sanctions on Google for the full story.

Is Your Small Business Safe From Cyberattacks?

Of the 855 data breaches Verizon examined in its 2012 Data Breach Investigations Study, 71 percent occurred at businesses with fewer than 100 employees. The Association of Certified Fraud Examiners finds the median small business loss due to fraud to be $200,000. These losses can be prevented with better protection and more knowledge about fraud and cybercrime. With small business cyberattacks on the rise, knowing how to protect your business assets is more important than ever. Start with these tips.

Training Employees to Stay Safe

Familiarizing yourself and your employees with different types of cybercrime helps everyone do their part in monitoring security threats. During the average day, your employee may be at risk in the following situations:

  • Traveling to and from work, due to theft of personal devices or documents containing sensitive information
  • Traveling for business, due to theft of personal devices or documents containing sensitive information
  • Checking work email at a cafe or restaurant, if a hacker accesses sensitive information
  • Buying business lunch with the office credit card, if a hacker skims the card number
  • Checking work email, if the employee falls prey to a phishing attempt
  • Working from home on an unsecured wireless network

Unfortunately, these are just a few of the daily situations that put the average worker at risk of cybercrime and identity theft. Offer staff a list of online resources. For example, Lifelock offers identity protection tips and information about the dangers of phishing, skimming and other criminal strategies. Staff can familiarize themselves with ways to protect personal and professional data. Should staff then sign up for Lifelock’s identity theft protection services they can earn free rewards miles from AA.

Keeping the Workplace Secure

By teaching your employees about cybercrime, you enable them to alert you to any suspicious emails or internet activity. Additionally, take the following precautions, with help from the Small Business Administration, to minimize your risk:

  • Secure the workplace’s wireless and IT infrastructure using firewalls, anti-virus software and malware/spyware detection
  • Use a business credit card for all business transactions, and keep completely separate business and personal bank accounts and credit cards. This way, a hacker who obtains your business bank account information will not be able to seize your personal assets.
  • Familiarize yourself with business bank account and credit card policies regarding fraud, so you know what protections you enjoy if your business is attacked.
  • Limit financial transactions to one computer – Keep a separate computer for financial transactions, and do not use this computer for email checking, social media or other online activity.
  • Promote “best practice” computing security, including password strength.
  • Purchase business insurance so that if you do experience fraud, your business assets are protected.
  • Set a policy regarding security of employee personal devices if you allow staff to use personal devices (BYOD) in the workplace.

Tools to Use

  • Cloud backup utility – In the event of a data breach, a secured cloud backup such as Dropbox can help you get back on your feet.
  • Antivirus, malware and spyware – Sophos offers free mobile, Mac and PC antivirus software, so there’s no excuse to not secure your technology.
  • Spam/phishing email filter – Not only will this cut down on junk mail, making employees more productive, it can also screen out phony emails.
Out of control with BYOD in your hospital?

The number of bring your own device (BYOD) workplaces is increasing.

Hospitals are certainly no exception with nursing staff, doctors and contractors bringing their own mobile devices into the hospital – and in many cases, jacking into WiFi networks in the hospital premises.

With mobile access points via your smart phone – you don’t even need the courtesy of a hospital-provided WiFi network – you can jack in via your phone.

This is a real threat to data security in a hospital.  So the question is – Can the IT department of your hospital rein in wide use of personal mobile devices?

Nearly one third of CIOs surveyed said they support employees accessing the company network with their personal devices, writes IT World. But many IT departments remain resistant to such policies. BYOD has been around for a while in one way or another. Now IT can get it under control, and here are a few reasons why it’s good for them.

BYOD is an Old Problem

People have been bringing their own tech gadgets to work for years, notes the Digital Workplace Forum. External hard drives, thumb drives, DVD burners, music players and personal laptops have shown up in employee offices for a long time. It has always been a headache for IT departments to maintain security in environments where people bring their personal digital tools.

To alleviate this, some places put tight controls in place that limit an employee’s access to the company’s computer resources. The result is frustrated employees, lower productivity, and a problem that still exists. One solution is to establish policies and controls that allow IT to manage all of the devices that employees use to access the system.

More Controls Allow Greater Flexibility

The development of mobile device management (MDM) systems allows IT to support a workplace with multiple, different devices. Employees are no longer satisfied with just their company desktop computer to do their jobs. Forrester Research cites that 74 percent of employees use two or more devices to complete their tasks and 52 percent use three or more.

MDMs allow employees to bring their own devices to work, connect them to the network, and maintain the integrity and security of the company’s resources. Solutions such as the BlackBerry MDM let various types and brands of devices be registered and recognized by the system. Once a device is registered, IT can track the device’s activity and amount of use. This is more visibility than IT has typically had of employee devices.

Security is the First Priority

The Wall Street Journal reports that more than 80 percent of the younger employees polled said they brought in to work and used their own devices regardless of the company policy. More than 60 percent of the older employees replied the same way. Getting more controls in place is a way IT departments can finally keep their systems secure.

MDMs give visibility to the devices using the system. They can track the applications used so that unauthorized apps can be limited or restricted entirely. In the event that an employee reports a lost device, or when employees leave the company, the device can be wiped of any company apps and data. The tablet stolen from a hotel room during a conference is no longer a threat to the company’s security.

By controlling the apps available to the employee, IT can ensure that malware is not introduced to the system by people downloading apps from unauthorized sites. A central repository of custom in-house apps, commercial off the shelf (COTS) programs and app store products gives employees a selection of tools without risking the system security.

Creating virtual work spaces when people log into the system isolates their activity to a small portion of the system. Cloud services such as Dropbox and Skydrive help by creating collaborative workspaces outside of the company’s resources. The more that IT can move unpredictable activities to separate work areas, the more secure they can keep their company resources.

Rejuvenating Your Credit Muscles After a Mail Theft Attack

I have always been amused by calculations of the cost of identity theft and data breaches, as I have written here, here, here and here. Not surprisingly, security product and service vendors like Symantec, McAfee and Websense are quick to present statistics regarding the damage to companies due to data breaches of personal information as a means of justifying purchase of DLP, anti-virus and other end-point security products.

However, the real damage is not for companies but for consumers like you and me.

It is highly arguable that companies actually suffer significant financial damage from data breaches (outside of a handful of high-profile cases like CVS and Hannaford). In fact – the lion’s share of damage from a data breach that leads to identity theft is not borne by the merchant or online web site but by the consumer.

Identity theft is a major challenge in America. The 2012 Identity Theft Report conducted by Javelin Strategy and Research revealed that there was one new identity theft victim every three seconds in 2012. That alarming statistic translates to 12.6 million victims affected in 2012, with losses totaling over $21 billion. Once a person’s personal information was breached, thieves used their information for 48 days on average (in 2012). Though the amount of time identity thieves have had to use the information obtained has fallen (from an average of 55 days in 2011 and 95 days in 2010), victims should still move as quickly as possible if a breach is suspected. If you or a loved one has been victimized, here are a few steps to help you clear your good name and rebuild your credit:

Alerting The Social Security Administration

Identity theft involving a victim’s Social Security number can be more damaging than you could imagine. If you suspect that someone has obtained your social security number for fraudulent purposes, contact the Social Security Administration as soon as possible at 800-269-0271. By doing so, you place officials at the SSA on alert so that activity involving your social security number can be appropriately monitored and, if necessary, deflected.

Alter Any Accounts Affected

If you log in to any online accounts or review statements from your bank and find that you have indeed fallen victim to identity theft, alert those businesses as soon as possible. Close the affected accounts and re-open them as new accounts.

Often, when accounts are established, you are asked to create a new personal identification number (or PIN) as well as a new password. While you may have established a habit of using certain numbers, if a breach has happened you will want to avoid using anything that may also have been revealed during the breach. Passwords including the last four digits of your social security number or consecutive numbers (such as 1, 2, 3, 4, etc.) should be avoided. You should also avoid using the name of your spouse or children, your mother’s maiden name, as well as easily obtained data such as your date of birth or telephone number. Make your passwords as difficult as possible to guess. When possible, use numbers or punctuation marks in odd places within the password. This may help prevent fraudulent access to your accounts in the future.

Take Steps to Protect Yourself in the Future

One of the leading methods thieves use to get information about potential victims is “dumpster diving”, or sorting through your trash to find identifying information. While many consumers routinely shred their bank statements or other financial documents, many fail to shred the envelopes those statements come in. According to Paige Hansen, Manager of Educational Programs at LifeLock, failing to shred your documents makes the job of a would-be thief easier, as it practically hands them a piece of your identification puzzle. Hansen advises consumers not only to shred, but to be sure they use cross-cut shredding, which makes piecing those documents back together virtually impossible.

Why security defenses are a mistake

Security defenses don’t improve our understanding of the root causes of data breaches

Why is this so? Because when you defend against a data breach – you do not necessarily understand the vulnerabilities that can be exploited.

If you do not understand the root causes of your vulnerabilities, how can you justify and measure the effectiveness of your defensive measures?

Let me provide you with an example.

Conventional IT security practice says that you must install a firewall in front of a server farm.

Firewalls prevent the bad guys from getting in. They don’t prevent sensitive data assets from leaving your network during a data breach.

If you have a dozen servers running Ubuntu 12.04 with the latest patches, hardened and only responding to requests on the SSH and HTTPS services, not only is there no added value in a firewall, but installing and maintaining one is a waste of money that does not defend against a data breach.

First of all – defenses are by definition, not a means of improving our understanding of strategic threats. Think about the Maginot Line in WWI or the Bar-Lev line in 1973. Network and application security products that are used to defend the organization are rather poor at helping us understand and reduce the operational risk of insecure software.

Second of all – it’s hard to keep up. Security defense products have much longer product development life cycles than the people who develop zero-day exploits. The battle is also extremely asymmetric, as it costs millions to develop a good application firewall that can mitigate an attack that was developed at the cost of three man-months and a few Ubuntu workstations. Security signatures (even if updated frequently) used by products such as firewalls, IPS and black-box application security are no match for fast-moving, application-specific source code vulnerabilities exploited by attackers and contractors.

Remember – that’s your source code, not Microsoft’s.

Third – threats are evolving rapidly. Current defense in depth strategy is to deploy multiple tools at the network perimeter such as firewalls, intrusion prevention and malicious content filtering. Although content inspection technologies such as DPI and DLP are now available, current focus is primarily on the network, despite the fact that the majority of attacks are on the data – customer data and intellectual property.

The location of the data has also become less specific as the notion of trusted systems inside a hard perimeter has practically disappeared with the proliferation of cloud services, Web 2.0 services, SSL VPN and convergence of almost all application transport to HTTP.

In summary – before handing over a PO to your local information security integrator – I strongly suggest a systematic threat analysis of your systems. After you have a prioritized set of countermeasures you’ll be buying, but not necessarily what he’s selling.

The dangers of default passwords – 37% of Data Breaches Found to be Malicious Attacks

A malicious attack by malware or spear phishing on valuable data assets like PHI (protected health information) exploits known vulnerabilities, and one of the most common vulnerabilities in medical devices and healthcare IT systems is default passwords.

“Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting a wide variety of medical devices. According to the report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware. ICS-CERT has been working closely with the Food and Drug Administration (FDA) on these issues. ICS-CERT and the FDA have notified the affected vendors of the report and have asked the vendors to confirm the vulnerability and identify specific mitigations.” See http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01

And nothing beats hard-coded/default passwords in medical devices as a vulnerability for PHI data leakage exploits, whether it’s an attack by malware, an attack by retrieving sensitive data from stolen devices, or a software defect that enables an attacker to obtain unauthorized access and transfer sensitive data from the internal network.

Data Breach Infographic

The World’s Leaking Data Infographic created by LifeLock.com
