
Posts Tagged ‘#healthcare’


Children’s Dallas docked $3.2 million over patient privacy breaches

February 2, 2017

Children’s Medical Center of Dallas has paid a penalty of more than $3.2 million to the federal government over privacy breaches dating back to 2007 that left the data for thousands of patients at risk.
The facility voluntarily reported potential disclosures of patient health information, but it did not implement strong safeguards to ensure that the breaches would not happen again, according to a statement issued Wednesday from the U.S. Department of Health and Human Services.
Ensuring security precautions to protect health information is essential, said Robinsue Frohboese, acting director of the Office for Civil Rights in the statement.

“A lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” she said.

Children’s Health responded Thursday saying that it has fully cooperated with the government’s investigation, and that it does not believe any patient or their family was affected by the incidents.
In 2010, the medical center reported that the personal information for about 3,800 patients had been accessible on an unencrypted, non-password protected BlackBerry device used at the Dallas-Fort Worth International Airport the previous year.
However, according to the federal investigation, they were aware of the potential risk of that kind of incident since at least 2007. A security analysis conducted by the healthcare consulting firm Strategic Management Systems over a 3-month period ending February 2007 uncovered gaps.
So did a separate analysis in 2008 from the consulting firm PwC. It said encryption should be a “high priority” for the medical center, as stolen devices could put patient data at risk.

Still, no security plan was established, and the encryption issue was not corrected on laptops, workstations and other devices distributed to the Children’s workforce until April 2013, the civil rights office investigation found.
That month a laptop was stolen in a separate breach that contained unencrypted data for nearly 2,500 people. Children’s reported the HIPAA (Health Insurance Portability and Accountability Act) violation to the Office of Civil Rights three months later.
In January, the medical center declined its right to request a hearing and challenge the fine, which totaled $3,217,000.
“We have decided to pay the imposed fine because efforts to formally contest the claims would be a long and costly distraction from our mission to make life better for children,” said Scott Summerall, a spokesperson for Children’s Health. “We remain committed to protecting the privacy of our patients.”


Hackers Split On ‘Ethics’ Of Ransomware Attacks On Hospitals

September 14, 2016

Ransomware might be lucrative for some cybercriminals, but there are those who condemn holding hospitals to ransom.

Ransomware attacks against hospitals represent a growing threat which is becoming increasingly lucrative for some cybercriminals — even while other hackers are openly condemning extortion attempts against healthcare providers.
A combination of hospitals’ reliance on equipment powered by older operating systems and their often very urgent need to access medical data means that some hackers have looked at the institutions as a potentially rich target.
That was demonstrated when a Los Angeles hospital paid a $17,000 Bitcoin ransom after a Locky infection took down its network. But that wasn’t a one-off attack: there’s been a surge in ransomware-based cyberattacks against hospital networks across the globe, but particularly in the US.
Cybersecurity researchers from Intel Security analysed ransomware code from attacks against hospitals made during the first quarter of the year and discovered numerous Bitcoin wallets used to transfer ransom payments — Bitcoin having become the preferred currency of the cybercriminal — which showed that the hackers behind these hospital attacks had amassed $100,000 from ransoms alone.
Researchers have described the ransomware attack methods used by such attackers as “effective but not very sophisticated”. While they don’t specify which variants of ransomware are being used, the description could point to the culprits using something like Cerber, which has been seen being made available as a ransomware-as-a-service scheme for use by even the most technically-illiterate wannabe cybercriminal.
Researchers also suggest the hospital attacks weren’t carried out by the sort of “malicious actors we normally face in ransomware attacks or breaches”.
Indeed, they found evidence suggesting that cyberattacks against hospitals are being carried out by those viewed as renegades even within the cybercriminal fraternity, judged negatively for their decision to attack those who provide healthcare. In the Russian underground in particular, there’s an ‘ethical’ code of conduct which places hospitals off-limits — even in countries usually targeted by Russian-speaking hackers.
In one forum, criminals discussed the ethics of attacking hospitals at length: “Yes, this is pretty sad and a new low. These ransom attacks are bad enough, but if someone were to die or be injured because of this it is just plain wrong,” one user said, while another labelled hospital attackers as “dumbest hackers ever”.
While hospitals currently only account for a small percentage of ransomware victims, it’s feared that as ransomware becomes an increasingly appealing method of attack for hackers, more and more of them will attack the healthcare sector.
“With cybersecurity threats including ransomware rising at such a rapid rate, organisations are having to come to terms with the fact that it’s fast becoming a question of ‘when’, not ‘if’, they suffer a breach,” says Raj Samani, CTO at EMEA Intel Security. “It’s crucial that the likes of healthcare pick up the pace with cybersecurity. Vulnerabilities in these sectors provide hackers with access to extremely personal, valuable and often irreplaceable data and IP.”
Despite a few high-profile cases, Intel Security researchers found that, in most instances, hospitals that became victims of ransomware didn’t pay hackers a ransom. In these cases, it’s likely that organisations found another way to decrypt the files — or they simply deemed the encrypted files not important enough to pay to get back.
Cybersecurity researchers and the authorities have both warned about the increasing threat of ransomware to corporate and public sector networks.


NHS Hospitals Told To Swallow Stronger Anti-Ransomware Medication

September 13, 2016

NHS Digital is set to start expanding the range of cybersecurity services available to UK hospitals and clinics.
CareCERT (Care Computer Emergency Response Team) launched in November 2015, offering a national service that helps health and care organisations to improve their cybersecurity defences by providing proactive advice and guidance about the latest threats and security best practices.
A service that initially focused on pushing out alerts about threats will be expanded to include three new services, each of which begins testing this month:
• CareCERT Knowledge – a new e-learning portal to help all health and care organisations train their staff in cybersecurity basics.
• CareCERT Assure – a service to help organisations assess their local cybersecurity measures against industry standards, including recommendations on how to reduce vulnerabilities.
• CareCERT React – advice on reducing the impact of a data security incident.
Public health and innovation minister Nicola Blackwood announced the expansion at the Health and Care Innovation Expo on Thursday. The rollouts come at a time of increasing security threats to UK hospitals and clinics, particularly from file-encrypting ransomware.
Almost half (47 per cent) of NHS trusts have been subject to a ransomware attack in the past year, according to figures from a freedom of information (FOI) request published last month. NCC Group’s FOI is based on requests to 60 trusts, 28 of which confirmed they had been victims of ransomware.
Independent infosec consultant Brian Honan, the founder and head of Ireland’s CERT, told El Reg that the increase in security services ought to be considered as a move to drive security improvements in UK hospitals in general, rather than a specific response to the ransomware threat.
“I do not see this as a reaction to ransomware as a recent FOI request submitted by Channel 4 showed that out of 152 NHS Trusts 39 were affected by ransomware,” Honan explained. “However, with the rising number of threats against computer systems this is a welcome and prudent move to enhance the security of the data, computers, systems, and networks the NHS increasingly relies on to provide its services.”


Are Unsecure Medical Devices Opening the Backdoor for Hackers?

August 17, 2016

The increased adoption of connected devices into medical services and processes is streamlining and improving the manner in which medicine can be tracked, developed, sourced and distributed.
On call/off site medical staff are also able to access information and source medicine on site, improving service levels and productivity. However, the exponential advantages of integrating connected devices into this industry can potentially open up points of vulnerability which should increase security fears for decision makers.
The biggest threat to any organization, large or small, is understanding who actually has access to information and at what levels they can access the network. With the Internet of Things (IoT), access can come in many shapes and sizes, from an off site doctor accessing medical history and prescription requirements to ambulance and emergency staff needing to log cases.
Medical/health institutions must prioritize the management of user access if they want to ensure they have the adequate security levels around these access points. The variety of job roles that need to access a vast array of files from a connected network will also require different levels of access, for example a doctor on call will need access to all previous medical history and prescription requirements, whereas an on-call care worker may only need medical history and is not qualified to distribute or access prescriptive files.
Therefore organizations must ensure that the right person is accessing the network or device each time a request takes place, with the correct level of attributed trust. However, individual access identification may no longer be sufficient to fully eliminate security and safety fears in this area.
Although the correct person may have access to a network from a specific place and use the correct logins, there is no guarantee that a rogue infiltrator hasn’t “piggy backed” the connection giving them the same level of access as the individual.
Through effectively moonlighting as the employee or third party, hackers can utilize the open connection to the network to gain the same level of access as the member of staff. This may encourage hackers to potentially target gateway devices such as medical distribution tools that require a network connection. The device in this instance doesn’t hold or contain sensitive information, however it does act as a gateway onto the network.
Now, it is here that access management solutions must be considered to allow damage limitation to take place if a hack does happen, providing granular access controls and monitoring for every access request.
We know hackers use a variety of methods to gain access, from rogue emails to downloadable PDFs that open access to personal and organizational data. However, security implications must also be considered on a more tangible level, in addition to digital and internet-driven attacks. The Barclays hack that took place in 2013 and cost the bank £1.3 million shows how simple such an attack can be, and how tenacious some hackers are in the hope of gaining access to data. This hack saw insiders pose as IT engineers and fit a device that gave remote access to the bank’s network and allowed them to transfer money into their own accounts.
There are two recommended strategies for organizations to protect themselves against hacks such as this. First, ensure all staff are trained on the variety of risks that are present when exchanging emails or other digital communications. Second, protect the network by securely supervising, auditing and controlling access to assets, data and IP via a privileged access management solution.

With Ransomware On The Rise What Can You Do To Protect Yourself From Ransomware Attack

June 20, 2016

Recent attacks on hospitals across the world, in which hackers obtained the information of hundreds of thousands of patients, emphasize the scale of the issue. The ever-rising trend of ransomware attacks on healthcare happens mainly through phishing email, and the reason is that the importance of cybersecurity measures is underestimated in the healthcare industry.
In the Wyoming Medical Centre cyber-attack, carried out through an email scam, the damage involved exposure of nearly 3,300 patients’ sensitive information. The attack was performed through a legitimate-looking phishing email to which staff responded, giving hackers access to the hospital network and enabling them to obtain patients’ personal information such as names, contact details, health insurance details, social security numbers and other sensitive data that may cause harm if it lands in the wrong hands.
Based on the scenarios of recent attacks on healthcare establishments, the InfoSec industry suggests several crucial tips to follow to keep a corporate email network from falling victim to a phishing scam:
1. If you receive an Excel or other file instructing you to enable options such as macros in order to view so-called “important information”, do not do it.
2. NEVER provide your password to anyone via email.
3. If you are a healthcare establishment, use only a HIPAA-compliant email service (ShazzleMD is one of them and provides an easy solution, no password required and works like any other email).
Be suspicious of any email that:
4. Requests personal information.
5. Contains spelling and grammatical errors.
6. Asks you to click on a link.
7. Is unexpected or from a company or organization with whom you do not have a relationship.
If you are suspicious of an email:
8. Do not click on the links provided in the email.
9. Do not open any attachments in the email.
10. Do not provide personal information or financial data.
11. Do forward the email to the HHS Computer Security Incident Response Center (CSIRC) at csirc@hhs.gov and then delete it from your Inbox.
12. Although HHS’ CSIRC undoubtedly does not want a barrage of emails from non-government entity staff reporting potential phishing attacks, a covered entity or business associate should articulate a similar process for staff to follow when a suspicious email is identified.
Be suspicious of any email that:
13. Includes multiple other recipients in the “to” or “cc” fields.
14. Displays a suspicious “from” address, such as a foreign URL for a U.S. company or a Gmail or other “disposable” address for a business sender. However, even when the sender’s address looks legitimate, it can still be “spoofed” or falsified by a malicious sender.
Following the tips above will increase the security of a healthcare network, and of other networks, against ransomware attacks performed via phishing emails, which are increasing at a high tempo every month.
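Several of the indicators in the checklist above can be checked mechanically before a message reaches a reader. The following Python sketch is an added example, not part of the original post; the sample message, the free-mail domain list, the keyword patterns and the recipient threshold are all assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
# Constructed sample message for illustration (not a real email).
SAMPLE = """\
From: "Acme Health Billing" <billing.acmehealth@gmail.com>
To: a@hospital.example, b@hospital.example, c@hospital.example
Cc: d@hospital.example
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Enable macros to view the file, then confirm your password
and social security number at http://acme-health.example/verify
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.xlsm"

placeholder
--XX--
"""

# Assumed lists and patterns; tune them for your own mail flow.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
MACRO_EXT = (".xlsm", ".docm", ".pptm", ".xls", ".doc")
PERSONAL = re.compile(r"password|social security|bank account", re.I)
LINK = re.compile(r"https?://", re.I)

def phishing_indicators(raw, max_recipients=3):
    """Return the checklist indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    found, body = [], ""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXT):
            found.append("macro-capable attachment")        # tip 1
        elif not name and part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    if PERSONAL.search(body):
        found.append("requests personal information")       # tips 2, 4
    if LINK.search(body):
        found.append("contains a link")                     # tip 6
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(rcpts) > max_recipients:
        found.append("many recipients in To/Cc")            # tip 13
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in FREE_MAIL:
        found.append("free-mail sender address")            # tip 14
    return found

if __name__ == "__main__":
    print("\n".join(phishing_indicators(SAMPLE)))
```

An empty result does not mean a message is safe: as tip 14 notes, a legitimate-looking sender address can still be spoofed, so these checks supplement staff reporting rather than replace it.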
