Archive for the ‘Personal Health Information’ category

Security of the end point devices

June 15th, 2017

A Recent survey conducted by Ponemon Institute shows that Sixty-three percent of participants are not able to monitor endpoint devices after they leave the corporate network. Fifty-five percent of endpoint devices contain sensitive data.

Absolute sponsored the survey which also contains below findings –

Fifty-six percent of participants don’t have a cohesive compliance strategy

Seventy percent mentioned that they have a below average ability to limit endpoint failure damages

Twenty-eight percent use automated analysis and inspection for determining compliance.

“It’s clear that enterprises face real visibility and control challenges when it comes to protecting the data on corporate endpoints, ensuring compliance and keeping up with threats,” Ponemon Institute chairman and founder Dr Larry Ponemon said.

The number of malware-infected endpoints devices has increased in the past one year. Also, forty-eight percent are not happy with their endpoint security solution.

“The trends that drove the extraordinary activity in 2016 are continuing unabated in 2017,” Risk-Based Security executive vice president Inga Goddijn said in a statement. “We have seen the return of widespread phishing for W-2 details, large datasets continue to be offered for sale, and misconfigured databases remain a thorny problem for IT administrators.”

Another survey by SACA shows that fifty-three percent reported an increase in cyber attacks. There is a general rise in data breaches.

“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” ISACA board chair Christos Dimitriadis said in a statement. “Cyber security professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”

Many believe there should be a rise in the budget for the security.

“The rise of CISOs in organizations demonstrates a growing leadership commitment to securing the enterprise, which is an encouraging sign,” Dimitriadis said. “But that’s not a cure-all. With the number of malicious attacks increasing, organizations can’t afford a resource slowdown. Yet with so many respondents showing a lack of confidence in their teams’ ability to address complex issues, we know there is more that must be done to address the urgent cybersecurity challenges faced by all enterprises.”

___________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

IoT Security

June 6th, 2017

The Internet of Things (IoT) is seeing the rapid rise but it seems to repeat the history of technology evolution. The pace of growth is not matched with security requirements. IoT helps automation as well as real-time synchronization of business processes. The implementation helps for precise response in real time.

 “IoT devices assist businesses in real-time responses to supply-and-demand market effects, they empower patients and healthcare professionals to continuously monitor conditions, and they enable electric grid operators to adjust the production, flow, and cost of electricity according to real-time market demands to ensure the most efficient, resilient, and cost-effective solution,” says James Scott, senior fellow at the Institute for Critical Infrastructure Technology, a Washington DC-based cybersecurity think tank.

 Hundreds of companies now provide IoT solutions. But security aspect is lagging behind.

 “As was shown in the Dyn attack, we appear doomed to repeat the mistakes we made with PCs and mobile devices in IoT,” says Tom Byrnes, founder and CTO of ThreatSTOP. “Once again, cost reduction has made security an afterthought, if a consideration at all, with predictably disastrous consequences.”

It is different than other systems as threat involved is higher due to many connection points. As per the Intel, 200 billion IoT devices will be online by 2020.

“Most IoT devices and sensors lack any form of security or security-by-design,” says Scott.

 “Without the layered security of the IoT microcosms, hacktivists can disrupt business operations, cyber-criminals can compromise and ransom pacemakers, and cyber-jihadists or nation-state sponsored threats can compromise and control the grid,” to name just a few of the potential IoT security attack scenarios.

“Every IoT device has inherent vulnerabilities and exploitable weaknesses resulting from a culture that sacrifices security in the design process in favour of meagre savings and in the rush to market,” says Scott. “The overwhelming preponderance of insecure IoT devices in the future will render security an impossibility in the future.”

Most of IoT devices do not have computational power or battery life to have security applications.

“We need to develop cost-effective IoT devices that incorporate security-by-design rather than cheaper and less secure alternatives,” says Scott. “While that may save a few dollars in the short-term, it puts the public and critical infrastructure at risk of losing millions of dollars and valuable data in the long-term.” 

Also, there is a lack of platform standards.  

“With old devices lasting longer than ever before, there are many devices currently in use that do not support new standards,” says Sam Rehman, Chief Technology Officer of Arxan. “Hackers will always see legacy devices as a prime choice of the entry.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Increase in DDoS Attacks

May 26th, 2017

Verisign recent report shows that 59 percent of distributed denial of service attacks peaked over 1 Gbps. Also, 23 percent peaked over 10 Gbps. The average peak attack size was 14.1 Gbps which is 26 percent increase over the last quarter.

The biggest attack included 60 Gbps for more than 15 hours.

“The attackers were very persistent in their attempts to disrupt the victim’s network by sending attack traffic on a daily basis for over two weeks.”

Survey also mentioned that IT services/cloud/SaaS industry was the prime target.

“In Q1 2017, Verisign observed that DDoS attacks remain unpredictable and persistent, and vary widely in terms of volume, speed and complexity,” the report mentioned. “To combat these attacks, it is becoming increasingly important to constantly monitor attacks for changes in order to optimize the mitigation strategy.”

Imperva’s Global DDoS Threat Landscape mentioned that 74 percent of DDoS attack victims were repeated.

“In the most extreme case, an established U.S.-based science news website was hit 1,046 times by low-volume bursts lasting 10 minutes or less,” Igal Zeifman, Incapsula security evangelist at Imperva, told eSecurity Planet by email. “This attack, and many other repeat assaults, fit the pattern of online harassment.”

“These attacks are a sign of the times — launching a DDoS assault has become as simple as downloading an attack script or paying a few dollars for a DDoS-for-hire service,” Zeifman added.

“Using these, non-professionals can take a website offline over a personal grievance or just as an act of cyber vandalism in what is essentially a form of Internet trolling.”

It also mentioned that the U.S. was the most targeted country and majority of attacks came from China.

Neustar’s Worldwide DDoS Attacks and Cyber Insights Research Report mentioned that the average cost of a DDoS attack amounts to $2.5 million in lost revenue.

“The question organizations must ask now is how they are prepared to manage these highly disruptive events,” Neustar head of research and development Barrett Lyon mentioned in a statement.

“Are they prepared for the bad day where they customers call and ask why the website is down?”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Cyber Security Professional Salaries

May 16th, 2017

Salaries of information security personnel of U.S. government agencies should increase approximately $7,000 to match the annual salaries of their private sector counterparts.

As per the recent survey sponsored by (ISC)2, Booz Allen Hamilton and Alta Associates, eighty seven percent believe that hiring and retaining qualified information security professionals is important for organization’s infrastructure.

“It’s crystal clear that the government must enhance its benefits offering to attract future hires and retain existing personnel given its fierce competition with the private sector for skilled workers and the unprecedented demand; unfortunately, the layers of complexity involved in fulfilling that goal are significant,” (ISC)2 managing director Dan Waddell mentioned in a statement.

As per the respondents, effectiveness of the security can be achieved by –

Increase in training programs (62 percent)

Monetary package for professional cyber security certifications (62 percent)

Improving salary packages (57 percent)

Flexible work schedules (56 percent)

“In today’s environment where cyber talent is scarce, organizations must recruit and train untapped talent pools, focusing on women, minorities, veterans and older workers,” Booz Allen Hamilton senior executive advisor Ron Sanders said.

“And while it can be difficult for government agencies to compete on salary alone when vying for these cyber warriors, they can appeal to a recruit’s sense of mission and purpose, tout the cutting-edge work being done and highlight opportunities for advancement,” Sanders added.

Challenges in Security

“The U.S. federal government is racing to boost data security against odds not generally faced in the private sector today,” 451 Research principal analyst Garrett Bekker said in a statement. “A major challenge in securing the far-flung systems in the U.S. federal government is the plethora of aging legacy systems still in place, with one example being a 53-year-old Strategic Automated Command and Control System at the Department of Defense that coordinates U.S. nuclear forces and uses 8-inch floppy disks.”

“In short, this ‘perfect storm’ of very old systems, tight budgets and being a prime cybercrime target has created a stressful environment,” Bekker added.

Accenture conducted survey of 3500 US citizens. It found out that seventy four percent do not have much confidence in government considering data security.

“While government agencies face many cyber security challenges, the research found strong citizen support for government organizations to take steps to increase data security and protect citizen information,” Accenture public service strategy lead Peter Hutchinson said in a statement.

“Government agencies that take a comprehensive end-to-end security approach by integrating cyber security deep into their organizations will not only secure their data, but also win the trust and confidence of the citizens they serve,” Hutchinson added.

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Privacy and Security for Americans

May 12th, 2017

A Recent survey conducted by AnchorFree shows that more than eighty percent of Americans are worried about online privacy and security as compared to previous year.

The bill is passed which allowed companies to collect personal data without permission through ISPs. Ninety-five percent of respondents are concerned about this bill. More than fifty percent people are looking to increase their security for personal data.

The survey also shows that more than 70 percent are employing more ways to protect their data as compared to previous year.

“Our survey finds that the majority of consumers are concerned in the aftermath of the Federal Communications Commission’s rollback of Internet privacy protections,” AnchorFree founder and CEO David Gorodyansky said in a statement.

“As more connected devices emerge and threats to Internet freedom persist, it’s imperative for Americans to learn about online privacy protection options and take personal responsibility for safeguarding their health, wealth and family,” Gorodyansky added. “They otherwise risk the misuse of this data by hackers and third party companies.”

Another survey by TeleSign survey shows that thirty-one percent of consumers have their online life worth of $100,000 or more. Fifty percent believe that businesses are primarily responsible for security.

“Companies make plenty of money with the time and money we invest in them and they should do the same to protect our accounts and personal identity,” one survey respondent said.

A survey conducted by Lawless Research shows that 51 percent faced data breach in the previous year. Forty-two percent suffered financial loss. One-third of the respondents stopped doing business with that companies.

Almost 61 percent changed their password after it was compromised. Seventy percent said that they use reused passwords.

Another survey conducted by EyeVerify mentioned that eighty-six percent believes that biometrics makes logging in apps easier. Also, seventy percent believe mobile apps are more secure with biometrics authentication.

“Most people use some form of biometrics every day, but they want more opportunities to use it to make their lives easier and more secure,” EyeVerify CEO and founder Toby Rush said in a statement.

 ___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Corporate Security Survey

May 10th, 2017

Bromium conducted a survey of 210 security professionals which showed that thirty-five percent have bypassed their own corporate security one way or the other. Ten percent have paid a ransom or hid a breach without letting the team know.

“While we expect employees to find workarounds to corporate security, we don’t expect it from the very people overseeing the operation,” Bromium co-founder and CTO Simon Crosby said in a statement. “Security professionals go to great lengths to protect their companies, but to learn that their decisions don’t protect the business is frankly rather shocking.”

“To find from their own admission that security pros have actually paid ransoms or hidden breaches speak to the human factor in cyber security,” Crosby added.

Another survey conducted by ESET shows that one-third respondents among 400 have not received any form of cyber security training at their organization.

A recent ESET survey of over 400 U.S. adults found that third of respondents hadn’t received any form of cyber security training at their organization. Sixty-two percent said they don’t receive recurring cyber security training.

Participants also provided insights about the cyber security knowledge gaps which includes as below –

Email Threats – 30%

Protecting Mobile Devices – 30%

Smart Device – 29%

Strong Passwords – 16%

A survey conducted by MediaPro shows that seventy percent of cybersecurity risks or novices can be reduced with increased awareness. The study also shows that respondents have less knowledge of reporting, identifying personal information, working remotely, cloud computing, and acceptable use of social media.

“The results of this survey strongly suggest retailers need to rethink cyber security and data privacy as matters of overall risk management, not just check-the-box compliance based on PCI standards alone,” the MediaPro report states. “Retailers limit their employee education to PCI training at their own risk, as threats to an organization’s financial and reputational well-being exist beyond the typical coverage of this training.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Verizon Survey

May 5th, 2017

Verizon mentioned that increase in the propriety research, prototypes, and amounts of confidential personal data is the major factor for the rise in the phishing attack. It also mentioned that there is an increase in 50 percent in the attacks last year.

Almost 95% of the attacks include the phishing technique of software installation on the user device. There is also rise in getting the information by pretending someone else. These are called pretexting attacks. Eighty-eight percent of pretexting attacks originated from emails.

Many smaller organizations also suffered a data breach. Sixty-one percent of breach occurred at the companies having less than 1000 employees.

“Cyber-attacks targeting the human factor are still a major issue,” Verizon Enterprise Solutions Global Security Services Executive Director Bryan Sartin said in a statement. “Cybercriminals concentrate on four key drivers of human behaviour to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”

Verizon mentioned that three quarters of the breaches was caused by outsider. Almost 51% involves criminal groups.

Finance sector was the major area where attacker focused. Almost 24% attacks counted for this sector. Healthcare involves 15% of data breaches.

“The cybercrime data for each industry varies dramatically,” Sartin explained. “It is only by understanding the fundamental workings of each vertical that you can appreciate the cyber security challenges they face and recommend appropriate actions.”

Survey also found out that 73% percent of the attacks are financially motivated.

“Social engineering is a common means for cybercriminals to establish a foothold,” report authors warned. “And employees are making this easy by using easy-to-guess passwords. Users, and even IT departments are even often guilty of not changing the default passwords that devices come with, and can easily be looked up online.”

The report author at Verizon mentioned that encryption and two-factor authentication also help to limit the damage.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data breach trends in 2016

April 5th, 2017

As per the IBM report, data breach increased 566 percent in 2016 from 600 million to more than 4 billion. The report also mentioned that healthcare in no longer the most attacked sector. Most of the attack was carried out on financial services industry.

In 2016, 12 million records were affected in healthcare. In previous year, the breach was 100 million records which counts to eighty eight percent drop. IBM surveyed 8000 security clients in 100 countries.

IBM Security Vice President of Threat Intelligence Caleb Barlow mentioned that the cyber attacks was carried out with innovative techniques.

“While the volume of records compromised last year reached historic highs, we see this shift to unstructured data as a seminal moment,” Barlow said in a statement. “The value of structured data to cyber-criminals is beginning to wane as the supply outstrips the demand. Unstructured data is big-game hunting for hackers and we expect to see them monetize it this year in new ways.”

IBM mentioned that for ransomware attacks, 70 percent of the companies paid more that $10,000 to regain the access to data. According to the FBI, cyber-criminals were paid $209 million in first three months of 2016.

Ransomware attacks are on the rise with 400 percent increase. In the coming time healthcare will do many reforms which includes increase in internet of things (IoT) technology. This will increase the attacks.

“Retail and financial services have battened down their hatches,” IDC Health Insights Research President Lynne Dunbrack told HealthITSecurity.com in a 2016 interview. “Now the cyber criminals might still be nipping at those heels, but they are looking at other targets, healthcare being one of them.”

CynergisTek Vice President Dan Berger mentioned that attacks against healthcare are carried out with sophistication.

“The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records compromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond,” Berger stated.

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Insider security breach at KY

April 2nd, 2017

Kentucky-based Med Center Health mentioned that a former employee accessed certain patient billing information without permission. As per the reports, facility found out that on two instances the person “obtained certain billing information by creating the appearance that they needed the information to carry out their job duties for Med Center Health.”

“The evidence we have gathered to date suggests that the former employee intended to use these records to assist in the development of a computer-based tool for an outside business interest which had never been disclosed to Med Center Health officials,” Med Center Health explained in its letter, signed by CEO Connie Smith.

Person accessed the data and copied it on encrypted CD and encrypted USB drive. Facility mentioned that the data is not related to work responsibilities of the employee. Affected information included Social Security numbers, health insurance information, diagnoses and procedure codes, and charges for medical services. Patients medical records were not copied.

Patients who were treated at The Medical Center Bowling Green, The Medical Center Scottsville, The Medical Center Franklin, Commonwealth Regional Specialty Hospital, Cal Turner Rehab and Specialty Care and Medical Center EMS between 2011 and 2014 got impacted.

Law enforcement asked the facility to delay its data breach notification process.

“We sincerely apologize for any concern and inconvenience this incident may cause you,” the letter read. “We continue to review the incident and to take steps aimed at preventing similar actions in the future. Those actions include re-enforcing education with our staff regarding our strict policies and procedures in maintaining the confidentiality of patient information.”

Facility did not mention the number of individuals affected. It has established a dedicated call center to answer patients’ queries.

As per the statement, “We are offering credit monitoring and identity protection services to eligible patients and enrollment instructions are contained in the letters sent to the patients. We also recommend that you review the explanation of benefits that you receive from your health insurer. If you see services that you did not receive, please contact your health insurer immediately.”

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data breach at UNC

March 31st, 2017

University of North Carolina Health Care recently suffered data breach. It is notifying patients of a potential data breach at two UNC Health Care obstetric clinics. The incident involved PHI of 1,300 prenatal patients. The data was transmitted to local county health departments inadvertently.

Data breach involved patients who completed Pregnancy Home Risk Screening Forms at their clinical visits between April 2014 and February 2017 at the Women’s Clinic at N.C. Women’s Hospital and UNC Maternal-Fetal Medicine at Rex.

“If you completed a Pregnancy Home Risk Screening Form, it may have included information about you, such as demographic information (like your name and address), your race and ethnicity, your Social Security number, information about your physical and mental health, sexually transmitted diseases, your HIV status, smoking, drug and alcohol use, and medical diagnosis information related to your pregnancy and any prior pregnancies,” UNC Health Care said in the notification letter.

UNC Health Care after the incident set up a call center. It has also changed/modified its process for submitting patient pregnancy forms. The new provision will ensure eligible patients forms for Medicaid are sent to county health departments. Staff is trained to handle new procedure.

UNC has also asked all county health departments to delete the electronic health information on non-Medicaid patients from their systems.

As per the statement:

“UNC Health Care is committed to providing its patients with superior health care services and takes very seriously its obligation to protect the privacy of patients’ medical information. While UNC Health Care does not believe that any of the patients will be at financial risk as a result of the release any of this information to county health departments, UNC Health Care included in the letters a number of options available to patients for monitoring and reviewing their credit reports and has offered fraud resolution services for any patient who suffers from identity theft as a result of this incident, free of charge.”

___________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leaders quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.