Tag Archives: data breach


Why HIPAA Policies and Procedures are not copy and paste

Compliance from Dr. Google is a very bad idea.

Searching for HIPAA Security Rule compliance yields about 1.8 million hits on Google. Some of the information is outdated and does not reflect the Final Rule, and a good deal of the rest is sponsored by service providers and technology companies selling silver bullets for HIPAA compliance.

The online dialog on HIPAA Security Rule compliance is dominated by the requirements for health providers. There is very little information online for the downstream medtech and medical device vendors who are increasingly using the cloud to store data and process transactions for their covered entity customers.

If you are a small medtech or medical device company and you copy from a big healthcare provider, you will be overpaying and over-implementing SOPs that may not be relevant to your business situation.

The risk analysis for a SaaS provider or medical device that stores PHI in the cloud is not even remotely similar to the risk analysis for a hospital.

If you copy and paste a risk analysis, you won’t understand what you’re doing or why you’re doing it, and since HIPAA privacy infractions carry both civil and criminal penalties, you don’t want to attempt compliance via Google.

For example – if you are a mobile medical device vendor – you will need to take into account technology and privacy considerations such as mobile app software security, application activity monitoring, mobile and cloud data encryption and key management none of which may be relevant for a traditional IT hospital-run electronic health records system.

What policies and procedures do I need for HIPAA compliance?

We provide clients with a bespoke package of the SOPs required by HIPAA: acceptable use, incident response, security and risk management process, disaster recovery plan, and a Security Officer job description (required by the Final Rule). This is in addition to the Risk Analysis / Security Assessment report (§ 164.308(a)(1)(ii)(A)).

6 reasons why HIPAA security policies and procedures are not copy and paste:

  1. It depends on the business situation and technology model. A biotechnology company doing drug development will not have the same threat surface as a mobile health company.
  2. Your security is worse than you think. When was the last time you looked? Or had an external audit of your encryption policies?
  3. It also depends on timing. If the life science company is doing clinical research, then informed consent may release the sponsor from HIPAA Privacy Rule compliance. But in clinical research, physician-investigators often stand in dual roles to the subject: as a treating physician (who has to comply with the HIPAA Privacy Rule) and as a researcher (who has to comply with both GCP and 21 CFR Parts 50 and 56 regarding informed consent with adults and children). In my experience with medical device companies, they often do clinical trials in parallel to commercial betas and work closely with physician-investigators. This means that your HIPAA Security Rule compliance posture needs to be nailed down in order to eliminate holes of privacy leakage.
  4. Life science companies have quality management systems as part of their FDA submissions; the HIPAA Security Rule policies and procedures need to become part of your quality system. We work with you to make sure that your regulatory/QA/QC leads understand what it means to implement them, and help them integrate the procedures into their own internal formats, policies and training programs.
  5. Covered entities may also impose specific requirements in their BAA on the life science vendor; we then need to customize the policies and procedures to comply with the covered entity’s internal guidelines. Sometimes these are quite strange, like the story of the West Coast hospital that deliberately weakened the WiFi signal of its routers in the belief that it was a security countermeasure against hacking of its wireless access points.
  6. There are also situations of intersection with other privacy regulation, such as California Health and Safety Code 1280.15 on breach reporting. California is sticky on this, and if you do business with the University of California there will be additional things to cover.

Feel free to contact us for a free quote. We’re always looking for interesting projects.

 

Tell your friends and colleagues about us. Thanks!
Share this

Why the Clinton data leaks matter

In the middle of a US Presidential election that will certainly become more contrast-focused (as politically correct Americans like to call mud-slinging), the Clinton data leaks are interesting and also worth investigating for their longer-term impact on the US economy.

Shaky ethics versus data protection

A friend who is a political science professor told me that Hillary was no different than other US politicians who walk the wrong side of the line of data protection.

But the Hillary Clinton private mail server, her flagrant disregard for protecting sensitive government communications and her dubious personal ethics on US State Department data security policies are much more than a peculiarly American political issue that is news today and gone tomorrow.

Back in October 2015, the European Court of Justice struck down the Safe Harbor agreement, a trans-Atlantic pact used by thousands of companies to transfer Europeans’ personal information to the U.S., throwing into jeopardy data traffic that underpins the world’s largest trading relationship.

The Safe Harbor executive decision allowed companies to self-certify that they provide “adequate protection” for the data of European users, in order to comply with the European Data Protection Directive and with fundamental European rights such as the right to privacy (under Article 8 of the European Convention on Human Rights).

The Americans are just slow or maybe they don’t care about privacy

The Commission issued 13 recommendations for improving Safe Harbor in November 2013 (two years before the ECJ ruling), but negotiations to rework the framework are still ongoing.

The ECJ’s judgement is the culmination of a 2013 legal challenge by European privacy campaigner Max Schrems, who filed complaints against several U.S. Internet giants, including Facebook, with the Irish data protection authority for alleged collaboration with the NSA’s Prism program. The Irish Data Protection Commissioner declined to investigate, and the Irish High Court referred the question to the ECJ.

Why it matters to the rest of the world

A widely quoted figure is that 4,700 US companies rely on Safe Harbor to operate in the region. The ruling also affects companies that outsource the processing of E.U. users’ data to the U.S.

However, many more than 4,700 US companies are affected by the Safe Harbor decision. Any company with a US corporate presence will also be impacted. We saw this recently with an Israeli biotech company with offices in Boston that was asked by a Danish hospital to provide alternate assurances for data protection. This is a curious case where it is actually better to be Israeli rather than American.

The EU has recognized that the State of Israel provides an adequate level of protection for personal data as referred to in Directive 95/46/EC with regard to automated international transfers of personal data from the European Union to the State of Israel or, where those transfers are not automated, they are subject to further automated processing in the State of Israel.  See this EU ruling on Israeli data protection

You can see the full list of countries (not the US) that provide adequate data protection here.

Long term impact to US economy?

With Snowden, Prism, the contrast-focused US Presidential election, the Hillary Clinton data leaks and the attempts by the FBI to establish a dangerous anti-privacy precedent under the guise that they cannot hack an Apple iPhone, I would not expect a resolution of Safe Harbor anytime soon.

The long term impact will be innovative technology / cloud / SaaS companies like our Biotech customer with Boston offices, taking their business out of the US to safer harbor places like Tel Aviv.

Which has better weather than Boston anyhow.


3 things a medical device vendor must do for security incident response

You are VP R&D or CEO or regulatory and compliance officer at a medical device company.

Your medical devices measure something (blood sugar, urine analysis, facial anomalies, you name it…). The medical device interfaces to a mobile app that provides a User Interface and transfers patient data to a cloud application using RESTful services over HTTPS.

Sound familiar?

The Medical device-Mobile app-Cloud storage triad is a common architecture today for many diagnostic, personal well-being and remote patient monitoring indications.

We have numerous clients with the Medical device-Mobile app-Cloud storage system architecture, and we help them address 4 key security issues:

  1. How to ensure that personal data and user authentication data is not stolen from the mobile medical app,
  2. How to ensure that the mobile medical app is not used as an attack pivot to attack other medical device users and cloud servers,
  3. How to comply with the HIPAA Security Rule and ensure that health data transferred to the cloud is not breached by attackers who are more than interested in trafficking in your users’ personal health data,
  4. How to execute effective security incident response and remediation. It’s a HIPAA standard but, above all, a basic tenet of information security management.

How effective is your security incident response?

The recent SANS Survey on Security Incident Response covers the challenges faced by incident response teams today—the types of attacks they detect, what security countermeasures they’ve deployed, and their perceived effectiveness and obstacles to incident handling.

Perceived effectiveness is a good way of putting it – because the SANS Survey on Security Incident Response report has some weaknesses.

First, the survey is dominated by large companies: over 50% of the respondents work for companies with more than 5,000 employees and fully 26% work for companies with more than 20,000 employees. Small companies with fewer than 100 employees, which covers almost all medical device companies, are underrepresented in the data.

Second, the SANS survey attempts, unsuccessfully, to reconcile reports by the companies it surveyed that they respond to and remediate incidents within 24 hours(!) with reports from the PCI (Payment Card Industry) DSS (Data Security Standard) community that retail merchants take over 6 months to respond. This gap is difficult to understand, although it suggests considerable variance in the way companies define incident response and perhaps a good deal of wishful thinking, back-patting and CYA.

Since most medical device companies have less than 100 employees – it is unclear if the SANS findings (which are skewed to large IT security and compliance organizations) are in fact relevant at all to a medical device industry that is moving rapidly to the medical device-App-Cloud paradigm.

3 things a medical device vendor must have for effective incident response

  1. Establish an incident response team (IRT). (Contact us and we will be happy to help you set up an IRT and train them on effective procedures and tools.) Make sure that the IRT trains and conducts simulations every 3-6 months and, above all, make sure that someone is home to answer the call when it comes.
  2. Lead from the front. Ensure that the head of the IRT reports to the CEO. In security incident response, management needs to be up front, not leading from behind.
  3. Detect in real time. Our key concern is cloud server security. Our recommendation is to install OSSEC on your cloud servers. The OSSEC agent forwards its events to a central OSSEC server (the manager), where analysis and notification can occur even if the medical device cloud server goes down or is compromised.
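As an added illustration of the kind of real-time detection a host agent such as OSSEC performs on a cloud server (this is example code written for this page, not OSSEC’s own rules or code), the following Python parses constructed sshd auth log lines, raises an alert when one source address exceeds a failed-login threshold inside a time window, and escalates when that same source later logs in successfully. The host name, the IP addresses, the rule names and the alert levels are all made up for the example. The alerts are serialized as newline-delimited JSON, the form in which they would be shipped off-box so that the record survives if the server itself is wiped or compromised.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar 12 08:01:10 devcloud01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 08:01:12 devcloud01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 12 08:01:15 devcloud01 sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 12 08:01:17 devcloud01 sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 12 08:01:20 devcloud01 sshd[2209]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 12 08:01:29 devcloud01 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51027 ssh2
Mar 12 08:15:02 devcloud01 sshd[2300]: Failed password for deploy from 198.51.100.4 port 40010 ssh2
Mar 12 08:40:44 devcloud01 sshd[2310]: Accepted publickey for deploy from 198.51.100.4 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Fields of an sshd authentication line, or None for lines this rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; good enough for deltas within one log
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def analyze(log_text, threshold=5, window_s=120):
    """Sliding-window correlation per source IP.

    Rule 1: at least `threshold` failed logins from one IP within `window_s` seconds.
    Rule 2: a successful login from an IP that already tripped rule 1
            (the case that matters: the attacker got in).
    """
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, now = rec["ip"], rec["time"]
        if rec["outcome"] == "Failed":
            q = recent_failures[ip]
            q.append(now)
            while (now - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"level": 10, "rule": "ssh-bruteforce", "host": rec["host"],
                               "src_ip": ip, "count": len(q), "ts": rec["ts"]})
        elif ip in flagged:
            alerts.append({"level": 12, "rule": "ssh-success-after-bruteforce", "host": rec["host"],
                           "src_ip": ip, "user": rec["user"], "ts": rec["ts"]})
    return alerts


def to_wire(alerts):
    """Newline-delimited JSON, one alert per line, ready to ship to a central server."""
    return "".join(json.dumps(a, sort_keys=True) + "\n" for a in alerts)


if __name__ == "__main__":
    print(to_wire(analyze(SAMPLE_AUTH_LOG)), end="")
```

On the sample log the second source (198.51.100.4) fails once and then logs in with a key, so it never trips rule 1 and its success is not escalated; the first source trips rule 1 on its fifth failure and its later password login becomes the level-12 alert, which is the one an on-call responder must actually act on.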

Dealing with DLP and privacy

It’s a long hot summer here in the Middle East and with 2/3 of  the office out on vacation, you have some time to reflect on data security. Or on the humidity.  Or on a cold beer.

Maybe you are working on building a business case for DLP technology like Websense, Symantec, Verdasys, McAfee or Fidelis in your organization. Or maybe you already purchased DLP technology and you’re embroiled in turf wars that have put your DLP implementation at a standstill, because one of your colleagues is claiming that there are employee privacy issues with DLP, and you’re trying to figure out how to get the project back on track after people get back from their work-and-play vacations in Estonia, brushing up on their hacking skills.

Unlike firewall/IPS, DLP is content-centric. It is technology that drives straight to the core of business asset protection and business process.  This frequently generates opposition from people who own business assets and manage business process. They may have legitimate concerns regarding the cost-effectiveness of DLP as a data security countermeasure.

But people who oppose DLP on grounds of potential employee privacy violations might be selling Sturm und Drang to further a political agenda. If you’re not sure about this, ask them what they’ve done recently to prevent cyber-stalking and sexual harassment in the workplace.

For sure, there are countries such as France and Germany where network or endpoint monitoring that touches employees is heavily restricted (verboten or interdit, as the case may be); but if you are in Israel, the US or the UK, you will want to read on.

What is DLP and what are the privacy concerns?

DLP (data loss prevention) is a solution for monitoring or preventing sensitive outbound content, not for monitoring activity at an endpoint. That is the primary mission. DLP is often a misnomer, since more often than not it is DLD, data loss detection, but whatever. Network DLP solutions intercept content from the network, and endpoint DLP agents intercept content by hooking into Windows operating system events. Most DLP vendors offer an integrated network DLP and endpoint DLP solution in order to control removable devices in addition to content leaving network egress points. A central command console analyzes the intercepted content, generates security events, visualizes them and stores forensics as part of generating actionable intelligence. Data that is not part of the DLP forensics package is discarded.

In other words, DLP is not about reading your employees’ email on their PCs. It’s about keeping the good stuff inside the company. If you want to mount surveillance on your users, you have plenty of other (far cheaper) options like browser history capturers or key loggers. Your mileage will vary and this blog does not provide legal guidance, but technically it’s not a problem.

DLP rules and policies are content-centric not user-centric.

A DLP implementation will involve writing custom content signatures (for example to detect top-secret projects by keyword, IP or source code) or selecting canned content signatures from a library (for example credit cards). 

The signatures are then combined into a policy which maps to the company’s data governance policy – for example “Protect top-secret documents from leaking to the competition”. 

One often combines server endpoints and Web services to make a more specific policy like “Alert if top-secret documents from Sharepoint servers are not sent via encrypted channels to authorized server destinations“. 
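To make the signature-then-policy construction concrete, here is an added example in Python. It is not code from any DLP product or from the original post; it shows the mechanics of content-centric rules rather than any vendor’s engine. The signatures (a Luhn-checked card number, a US SSN pattern, a hypothetical “MRN” + 7 digits medical record number format, and a made-up project code name PROJECT-ORION), the host names, the channel names, the policy names and the sample messages are all constructed for the illustration. The PHI/PII rules also stand in for the content rules the privacy compliance use case in this post calls for.

```python
import re
from dataclasses import dataclass


def luhn_ok(digits):
    """Luhn check: keeps random digit runs (order numbers) out of the card-number signature."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


# Content signatures: each returns the matching fragments found in the text.
def sig_credit_card(text):
    hits = []
    for m in re.finditer(r"\b(?:\d[ -]?){13,19}\b", text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group().strip())
    return hits


def sig_us_ssn(text):
    return re.findall(r"\b\d{3}-\d{2}-\d{4}\b", text)


def sig_mrn(text):
    # Medical record number formats are site-specific; "MRN" + 7 digits is an assumption.
    return re.findall(r"\bMRN[ :#]*\d{7}\b", text, flags=re.IGNORECASE)


def sig_top_secret(text):
    # Custom keyword signature; the project code name is made up.
    return [k for k in ("PROJECT-ORION",) if k in text.upper()]


SIGNATURES = {"credit_card": sig_credit_card, "us_ssn": sig_us_ssn,
              "mrn": sig_mrn, "top_secret": sig_top_secret}
ENCRYPTED_CHANNELS = {"https", "smtps", "sftp"}


@dataclass(frozen=True)
class Message:
    src_host: str
    dst_host: str
    channel: str      # transport seen at the egress point, e.g. "http", "smtp"
    content: str


@dataclass(frozen=True)
class Policy:
    name: str
    signatures: tuple               # content signatures that trigger the policy
    src_hosts: tuple = ()           # restrict to these sources; empty = any source
    require_encrypted: bool = False
    allowed_dst: tuple = ()         # empty = no destination restriction


def evaluate(policy, msg):
    """Alert dict if msg violates policy, else None. Content is the trigger;
    transport and destination only refine it. Forensics keep the matched
    fragments, not the whole message body."""
    if policy.src_hosts and msg.src_host not in policy.src_hosts:
        return None
    matches = {n: SIGNATURES[n](msg.content) for n in policy.signatures}
    matches = {n: h for n, h in matches.items() if h}
    if not matches:
        return None
    violations = []
    if policy.require_encrypted and msg.channel not in ENCRYPTED_CHANNELS:
        violations.append(f"unencrypted channel: {msg.channel}")
    if policy.allowed_dst and msg.dst_host not in policy.allowed_dst:
        violations.append(f"unauthorized destination: {msg.dst_host}")
    if (policy.require_encrypted or policy.allowed_dst) and not violations:
        return None   # sensitive content, but it went the approved way
    return {"policy": policy.name, "src": msg.src_host, "dst": msg.dst_host,
            "matches": matches, "violations": violations}


def scan(messages, policies):
    """Run every policy over every message; return the alerts generated."""
    alerts = []
    for msg in messages:
        for policy in policies:
            alert = evaluate(policy, msg)
            if alert:
                alerts.append(alert)
    return alerts


# Policies mapped from data-governance statements; names and hosts are made up.
POLICIES = (
    Policy("pci-card-number-outbound", ("credit_card",)),
    Policy("phi-identifiers-outbound", ("us_ssn", "mrn")),
    Policy("top-secret-from-sharepoint", ("top_secret",), src_hosts=("sharepoint01",),
           require_encrypted=True, allowed_dst=("partner-sftp.example.net",)),
)

# Constructed sample traffic, not real captures.
SAMPLE_MESSAGES = (
    Message("laptop-42", "mail.example.net", "smtp", "Please charge card 4111 1111 1111 1111 for the invoice."),
    Message("laptop-42", "shop.example.net", "https", "Order reference 1234 5678 9012 3456 confirmed."),
    Message("sharepoint01", "files.example.org", "http", "PROJECT-ORION design review v3 attached."),
    Message("sharepoint01", "partner-sftp.example.net", "sftp", "PROJECT-ORION design review v3 attached."),
    Message("clinic-ws07", "webmail.example.com", "https", "Patient MRN 0012345 SSN 123-45-6789 for claim review."),
)

if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES, POLICIES):
        print(alert)
```

Two points worth noticing in the output: the 16-digit order reference never fires because it fails the Luhn check, which is what keeps a card-number rule from drowning in false positives, and the same PROJECT-ORION document produces an alert over plain HTTP to an unknown host but none over SFTP to the approved partner. Nothing in any policy names a user; the source host restriction is there because the governance statement mentions the Sharepoint servers, and the forensics record holds only the matched fragments.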

In 13 DLP installations in 3 countries, I never saw a policy that targeted a specific user endpoint. The reason for this is that it is far easier to pick up endpoint violations using DLP content detection than to whitelist and blacklist endpoints, which in a large organization with lots of wireless and mobile devices is an exercise in futility.

We often hear privacy concerns from people who come from the traditional firewall/IPS world, but the firewall/IPS paradigm breaks when you have a lot of rules and endpoint IP addresses, and that is why none of the firewall vendors, Check Point included, ever succeeded in selling the internal firewall concept.

Since DLP is part of the company data governance enforcement, it is commonly used as a tool to reinforce policy such as not posting company assets to Facebook. 

It is important to emphasize again that DLP is an alert generation and management technology, not a general-purpose network traffic recording tool, which you can build for free using a Net Optics tap and Wireshark.

Any content interception technology can be abused when in the wrong hands, or in the right hands on the wrong mission. Witness the NSA.

Making your data governance policy work for your employees

Many companies (Israeli companies in particular) don’t have a data governance policy, but if they do, it should cover the entire space of protecting employees in the workplace from cyber-threats.

An example of using DLP to protect employees is the threat scenarios of cyber-stalking, sexual harassment or drug trafficking in the workplace, where DLP can be used to quickly (as in real time) create very specific content rules and then refine them to include specific endpoints, in order to capture forensics and catch offenders in real time. Just like in CSI: New York.

In summary:

There are 3 key use cases for DLP in the context of privacy:

  1. Privacy compliance (for example PCI, HIPAA, US state and EU privacy laws) can be a trigger for installing DLP. This requires appropriate content rules keyed to identifying PHI or PII.
  2. Enforcement of your corporate data governance and compliance policies, where privacy is an ancillary concern. This requires appropriate content rules for IP, suppliers and sensitive projects. So long as you do not target endpoints in your DLP rules, you will be generating security events and collecting forensics that do not infringe on employee privacy. In some countries like France and Germany this may still be an issue. Ask your lawyer.
  3. Employee workplace protection. DLP can be an outstanding tool for mitigating and investigating cyber threats in the workplace and, at the very least, a great tool for security awareness and education. Ask your lawyer.

If you liked this or better yet hated it,  contact  me.  I am a professional security analyst specializing in HIPAA compliance and medical device security and I’m based in Israel and always looking for interesting and challenging projects.

Idea for the post prompted by Ariel Evans.


It’s friends and family breaching patient privacy – not Estonian hackers.

A 2011 patient privacy violation at a Canadian hospital, where an imaging technician accessed the medical records of her ex-husband’s girlfriend, is illustrative of unauthorized disclosure of patient information by authorized people.

Data leakage of ePHI (electronic protected health information) in hospitals is rampant simply because a) there is a lot of it floating around and b) because of human nature.

Human beings are naturally curious, sometimes vindictive and always worried when it comes to the health condition of friends and family. Being human, they will bend rules to get information, and in the course of bending rules, breach patient privacy.

The right to patient privacy

The Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients’ right to confidentiality and HIPAA’s Privacy Rule grants federal protections for patients’ personal health information held by covered entities and gives patients rights regarding that information.

What is ePHI?

The Department of Health and Human Services defines ePHI as a combination of personal identifiers and clinical data in order to protect patient privacy.

Electronic protected health information (ePHI) is any information in an electronic medical record (EMR) that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. Identifiers include names, geographical locations, dates (such as date of birth), phone numbers, email addresses, social security numbers, medical record numbers, license plate numbers, driver’s license numbers and biometrics.

Basically, any combination of personal identifiers that can be used to steal a person’s identity becomes ePHI when combined with EMR data.

HIPAA risk and compliance assessments that we’ve been involved with at hospitals in Israel, the US and Australia reveal that most patient privacy breaches are not perpetrated by hackers but by friends and family seeking information or insurance companies seeking to validate claims.

Social engineering methods are often employed with or without a “sweetener” and do not need to rely on exploiting software security vulnerabilities in order to breach patient privacy.

Courtesy of my friend Alan Norquist from Veriphyr

Information and Privacy Commissioner Ann Cavoukian ordered a Hospital in Ottawa to tighten rules on electronic personal health information (ePHI) due to the hospital’s failure to comply with the Personal Health Information Protection Act (PHIPA).

“The actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective.” – Information and Privacy Commissioner Ann Cavoukian

The problem began when one of the hospital’s diagnostic imaging technologists accessed the medical records of her ex-husband’s girlfriend. At the time of the snooping, the girlfriend was at the hospital being treated for a miscarriage.

Commissioner Cavoukian faulted the hospital for:

  • Failing to inform the victim of any disciplinary action against the perpetrator.
  • Not reporting the breach to the appropriate professional regulatory college.
  • Not following up with an investigation to determine if policy changes were required.

“The aggrieved individual has the right to a complete accounting of what has occurred. In many cases, the aggrieved parties will not find closure … unless all the details of the investigation have been disclosed.” – Information and Privacy Commissioner Ann Cavoukian

It was not the hospital but the victim who instigated an investigation. The hospital determined that the diagnostic imaging technologist had accessed the victim’s medical files six times over 10 months.

The information inappropriately accessed included “doctors’ and nurses’ notes and reports, diagnostic imaging, laboratory results, the health number of the complainant, contact details … and scheduled medical appointments.” – Information and Privacy Commissioner Report

Sources:
(a) Privacy czar orders Ottawa Hospital to tighten rules on personal information – Ottawa Citizen, January, 2011


How to protect your personal information from medical data theft

Private, personal information can be bought and sold on the black market for as little as fifty cents to a dollar, according to a report from Fox Business. But personal medical information can go for much higher prices, creating a market for criminals looking to defraud insurance companies of exorbitant sums of money. Overall, about $40 billion in annual health care fraud can be attributed to medical identity theft. As a result, consumers need to take extra efforts to ensure their personal information is protected from medical identity theft. The best way to guard yourself is to understand the methods through which criminals try to acquire this sensitive information.

1. Don’t give information over the phone

The telephone is a prime channel for criminals attempting to defraud private individuals. They typically pose as insurance companies, medical clinics, doctors’ offices or other institutions to solicit your private information, according to the Federal Trade Commission. Be very hesitant when revealing this information over the phone. Ask for additional information to verify their identity, and if you can’t confirm the individual or the organization, explain that you simply aren’t comfortable giving that information over the phone. Most legitimate medical entities will understand this concern, while scam artists will be frustrated and thwarted.

2. Pay close attention to medical bills and statements

You should keep a close eye on the paper trail of your medical bills, services and statements. When criminals steal your medical identity, they can’t cover up all evidence of this fraud. Services billed to your insurance company, for example, will count toward your deductible and/or coverage limits and show up on statements. Bills from the doctor’s office should also be closely watched.

Once you’ve thoroughly reviewed this information, shred the documents before throwing them away. Billing statements and other documents can be a source of your private information for criminals who go dumpster diving in hopes of finding opportunities to defraud.

3. Enlist the help of identity protection and monitoring services

Pursuing protective and preventative services is one way to protect your identity before you suffer the ill effects of fraud. Companies like LifeLock specialize in monitoring your activity and protecting clients from being defrauded in the first place. If your personal information is stolen and used for these purposes, identity protection services can pick up on this criminal activity right away, putting an end to theft, thus minimizing its negative impact on your finances. These services should not stop consumers from shredding sensitive documents and employing safe habits, but they can be an excellent supplement offering protection where the typical person is exposed.

4. Investigate inaccuracies and strange listings on your medical record

Your medical record follows you wherever you go, and it lists all of the conditions, injuries and other medical activity you have experienced over the years. When someone uses your medical identity for their own purposes — such as gaining access to prescription drugs — this activity is recorded on your medical history. If you are suspicious of possible medical identity theft, inconsistencies and inaccuracies on your medical record could point to instances of fraud. You can always ask your doctor for your medical records, so if you’re ever in doubt, pull them out and take a close look.


Kick start your European privacy compliance

The CNIL’s Sanctions Committee issues a 150 000 € monetary penalty to GOOGLE Inc.

On 3 January 2014, the CNIL’s Sanctions Committee issued a 150 000 € monetary penalty to GOOGLE Inc. upon considering that the privacy policy implemented since 1 March 2012 does not comply with the French Data Protection Act. It ordered the company to publish a communiqué on this decision on its homepage Google.fr, within eight days as of its notification.

Does your web site / web service / web application have a privacy policy?

Was that privacy policy written by lawyers who may or may not understand your business and may or may not understand that European states like France have their own regulation of privacy?

You may be facing a stiff penalty for having a non-compliant privacy policy.

The CNIL penalty on Google is a wake-up call.

Thousands of service providers just like you are sitting on the fence and wondering how to comply with European and French privacy regulation as fast and as effectively as possible.

Where do you start?

We’re here to help you get going fast with some common Q&A

Q. Is my existing privacy policy sufficient?

A. Maybe. Maybe not. A 2 hour review with us will give you a clear picture of what you need to do. After the review we will help you rewrite your privacy policy and terms of service in order to minimize your exposure. For starters, here are 4 points you need to cover:

  1. Does your site sufficiently inform its users of the conditions in which their personal data are processed?
  2. Does your site obtain user consent prior to the storage of cookies?
  3. Does your site define retention periods applicable to the data which it processes?
  4. Does your site  permit itself to combine all the data it collects about its users?

Q. What special systems or security products are required?

A. None. Buying security products before you understand your data and your exposure is a mistake. See the next question and answer.

Q. How many hours should I budget for Data Protection compliance? How should I protect my data?

A.  We have an 8 week plan to take you from zero to full Data Protection compliance – budget 6 hours / week and you will get there. You also need to identify and mitigate vulnerabilities in your Web site – our Practical Threat Analysis process will pinpoint what you need to do from a perspective of policies and procedures, cloud servers and application security.

Q. What do I do when I complete the 8 week plan for Data Protection compliance?

A. Well, you’ll be sitting on a much more robust system of technical, administrative, policy and procedural controls so go out and have some fun – you deserve it!

If you provide digital services in countries like France and the UK that have local database registration requirements, we will help you comply with local CNIL and UK Information Commissioner requirements.

See CNIL Sanctions on Google for the full story.


Is Your Small Business Safe From Cyberattacks?

Of the 855 data breaches Verizon examined in its 2012 Data Breach Investigations Report, 71 percent occurred at businesses with fewer than 100 employees. The Association of Certified Fraud Examiners finds the median small business loss due to fraud to be $200,000. These losses can be prevented with better protection and more knowledge about fraud and cybercrime. With small business cyberattacks on the rise, knowing how to protect your business assets is more important than ever. Start with these tips.

Training Employees to Stay Safe

Familiarizing yourself and your employees with different types of cybercrime helps everyone do their part in monitoring security threats. During the average day, your employee may be at risk in the following situations:

  • Traveling to and from work, due to theft of personal devices or documents containing sensitive information
  • Traveling for business, due to theft of personal devices or documents containing sensitive information
  • Checking work email at a cafe or restaurant, if a hacker accesses sensitive information
  • Buying business lunch with the office credit card, if a hacker skims the card number
  • Checking work email, if the employee falls prey to a phishing attempt
  • Working from home on an unsecured wireless network

Unfortunately, these are just a few of the daily situations that put the average worker at risk of cybercrime and identity theft. Offer staff a list of online resources. For example, LifeLock offers identity protection tips and information about the dangers of phishing, skimming and other criminal strategies. Staff can familiarize themselves with ways to protect personal and professional data. Should staff then sign up for LifeLock’s identity theft protection services, they can earn free rewards miles from AA.

Keeping the Workplace Secure

By teaching your employees about cybercrime, you enable them to alert you to any suspicious emails or internet activity. Additionally, take the following precautions, with help from the Small Business Administration, to minimize your risk:

  • Secure the workplace’s wireless and IT infrastructure using firewalls, anti-virus software and malware/spyware detection
  • Use a business credit card for all business transactions, and keep completely separate business and personal bank accounts and credit cards. This way, a hacker who obtains your business bank account information will not be able to seize your personal assets.
  • Familiarize yourself with business bank account and credit card policies regarding fraud, so you know what protections you enjoy if your business is attacked.
  • Limit financial transactions to one computer – Keep a separate computer for financial transactions, and do not use this computer for email checking, social media or other online activity.
  • Promote “best practice” computing security, including password strength.
  • Purchase business insurance so that if you do experience fraud, your business assets are protected.
  • Set a policy regarding security of employee personal devices if you allow staff to use personal devices (BYOD) in the workplace.

Tools to Use

  • Cloud backup utility – In the event of a data breach, a secured cloud backup such as Dropbox can help you get back on your feet.
  • Antivirus, malware and spyware – Sophos offers free mobile, Mac and PC antivirus software, so there’s no excuse to not secure your technology.
  • Spam/phishing email filter – Not only will this cut down on junk mail, making employees more productive, it can also screen out phony emails.

The dangers of default passwords – 37% of Data Breaches Found to be Malicious Attacks

A malicious attack by malware or spear phishing on valuable data assets like PHI (protected health information) exploits known vulnerabilities, and one of the most common vulnerabilities in medical devices and healthcare IT systems is default passwords.

“Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting a wide variety of medical devices. According to the report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware. ICS-CERT has been working closely with the Food and Drug Administration (FDA) on these issues. ICS-CERT and the FDA have notified the affected vendors of the report and have asked the vendors to confirm the vulnerability and identify specific mitigations.” See http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01

And nothing beats hard-coded / default passwords in medical devices as a vulnerability for PHI data leakage exploits, whether it's an attack by malware, an attack that retrieves sensitive data from stolen devices, or a software defect that enables an attacker to obtain unauthorized access and transfer sensitive data from the internal network.

Data Breach Infographic

The World’s Leaking Data Infographic created by LifeLock.com


Are passwords dead?

A recent article on CSO online ponders the question of whether or not passwords are dead – since they are not much of a security countermeasure anyhow (or so the article intimates). The article quotes a person who seems to believe that SQL injection attacks have to do with password security.

Christopher Frenz, CTO at See-Thru and a faculty member at Mercy College, both in New York, says the problem is, “not because of passwords being obsolete, but because of the prevalence of bad passwords and bad password practices.”

He points to the 2009 SQL injection attack on the social media site RockYou that compromised 32 million user account passwords. “The only password security requirement was a password of at least five characters,” he says, “(which) resulted in people choosing passwords such as 12345, Password, rockyou, and abc123,” plus common dictionary words.

Besides that, the passwords were stored in plain text format, along with users’ email addresses.

Frenz says some websites (Hotmail recently among them) now require more complex passwords with multiple character types.

I’m speechless.

SQL injection attacks on Web sites are made possible by poor coding practices that take input strings from forms or query strings and concatenate them directly with SQL snippets, so that input like this becomes part of the query:

2';Update tbl_accountParent set Email=Email+';obama@whitehouse.giv';select * from tbl_accountParent where '1'='1

From now on, whenever any user asks for a password reminder, Mr. Obama will get a nice email with that user's name and password.

And frankly, I don’t understand programmers or Web site operators who tolerate storing passwords in plain text, or encrypting them instead of using one-way hashes.
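The concatenation pattern described above, placed beside the two fixes the post calls for (a parameterised query, and a salted one-way hash so that no reminder e-mail can ever contain a password), as an added example that is not part of the original post. The table name is the one from the payload quoted on the page; the column layout, the sample account, the PBKDF2 iteration count and the e-mail addresses are assumptions constructed for this demo.

```python
"""Injection happens because user input is spliced into the SQL text.
Binding the same input as a parameter keeps it inert, and storing a salted
one-way hash means the application never has the password to leak.
Table layout, sample data and addresses are constructed for this example."""
import hashlib
import hmac
import os
import sqlite3

# The payload quoted on the page, re-typed with straight quotes; the e-mail
# address is a constructed placeholder, not the one in the post.
PAYLOAD = ("2';Update tbl_accountParent set Email=Email+';attacker@example.invalid';"
           "select * from tbl_accountParent where '1'='1")

PBKDF2_ROUNDS = 100_000  # assumption: raise this on production hardware


def create_db():
    """In-memory copy of the table the payload targets (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbl_accountParent ("
        "Id INTEGER PRIMARY KEY, Email TEXT, Salt BLOB, PwHash BLOB)"
    )
    return conn


def hash_password(password, salt=None):
    """Salted one-way hash (PBKDF2-HMAC-SHA256); returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-derive and compare in constant time; the password itself is never stored."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def register(conn, email, password):
    """Store only the salt and digest, via a parameterised INSERT."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO tbl_accountParent (Email, Salt, PwHash) VALUES (?, ?, ?)",
        (email, salt, digest),
    )
    conn.commit()


def unsafe_lookup_sql(account_id):
    """The concatenation pattern the post describes. Returned as text, not run:
    handed to an API that accepts several statements, the payload's UPDATE and
    SELECT would execute as SQL instead of being treated as an Id value."""
    return "select Email from tbl_accountParent where Id='" + account_id + "'"


def safe_lookup_email(conn, account_id):
    """Parameterised form: the driver binds account_id as a single value, so the
    whole payload is compared against Id as one string and matches nothing."""
    row = conn.execute(
        "select Email from tbl_accountParent where Id = ?", (account_id,)
    ).fetchone()
    return row[0] if row else None


def login(conn, email, password):
    """Authenticate by hash comparison; a 'reminder' of the password is impossible."""
    row = conn.execute(
        "select Salt, PwHash from tbl_accountParent where Email = ?", (email,)
    ).fetchone()
    return row is not None and verify_password(password, row[0], row[1])


def all_emails(conn):
    """Used to show the stored addresses are untouched after the safe lookup."""
    return [r[0] for r in conn.execute("select Email from tbl_accountParent")]


def demo():
    """Walk through both lookups against one constructed account."""
    conn = create_db()
    register(conn, "user@example.invalid", "correct horse battery staple")
    sql = unsafe_lookup_sql(PAYLOAD)          # three statements in one string
    print("unsafe SQL text:", sql)
    print("safe lookup returns:", safe_lookup_email(conn, PAYLOAD))  # None
    print("stored e-mails unchanged:", all_emails(conn))
    print("login ok:", login(conn, "user@example.invalid", "correct horse battery staple"))
    return conn


if __name__ == "__main__":
    demo()
```

The same split applies to any driver: a `?` or named placeholder is sent to the database as data, so no amount of quoting inside the value can end the statement, and a password reminder feature built on a one-way hash can only offer a reset, never the original secret.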

Maybe a bunch of people should read the online introduction to cryptography by Dan Bernstein.
