PCIHIPAA Publishes “10 Steps to Practical HIPAA Compliance” to Assist Healthcare Professionals with HIPAA Law – EIN News (press release)

SANTA MONICA, CA, UNITED STATES, December 6, 2016 /EINPresswire.com/ -- PCIHIPAA published a white paper, “10 Steps to Practical HIPAA Compliance” to support the mandatory HIPAA compliance of healthcare practices. HIPAA Section Code ...

Alert: OCR warns providers of scam HIPAA audit email – Becker’s Orthopedic & Spine

A scam email is floating around practices' emails, claiming that practices are participating in the HIPAA Privacy, Security and Breach Rules Audit Program, according to JD Supra Business Advisor. Here are five key notes: 1. HHS' Office of Civil Rights ...
Related coverage:
- UMass Amherst Settles HIPAA Violations with OCR for $650,000 – JD Supra (press release)
- Beware the Trojan: OCR Announces First Malware Settlement – Lexology (registration)
- Data Breach at UMass Leads to Settlement; Sends Warning to ... – insideARM.com

Half of IT Pros Most Concerned About Insider Threats

A considerable proportion of IT security budgets is directed to securing the network perimeter, and with good reason: hackers are breaking through security defenses with increasing frequency, and this year has seen some of the biggest cyberattacks ever reported.

However, internal threats should not be ignored. According to a recent Dimensional Research/Preempt study, most IT security professionals believe internal threats have increased over the past few years to the point that they are now of greater concern than cyberattacks by hackers.

For the study, 317 independently verified IT security professionals from organizations that employed more than 1,000 staff members were asked a range of questions about insider threats, including the barriers preventing organizations from mitigating risk and the measures employed to deal with the threat.

When asked whether they were concerned about internal threats, only one respondent out of 317 said they had no concerns, and 49% of survey respondents said they were more concerned about internal threats than about external attacks.

The biggest cause for concern – rated by 87% of respondents – was a lack of security awareness and employees bending company rules to get the job done. Other top concerns were accidental malware downloads (73%), theft of user credentials (66%), data theft (65%), and abuse of admin privileges (63%).

Tackling insider threats is proving problematic due to a lack of skills, appropriate technology, and resources. 10% of respondents said members of the security staff lacked the necessary skills, and 64% of respondents said they had staff members with sufficient skill levels to address the risk, but that those staff were so overworked that they had been unable to respond to the insider threat.

Risk can be minimized by ensuring that end users only have access to the data and systems necessary to perform their work duties (the principle of least privilege), yet 91% of respondents said insiders had access to systems that they should not have. Unfortunately, organizations lack the time and resources to address that problem.

A lack of resources and of the appropriate technology to monitor data access was also an issue: 70% of respondents said they were unable to effectively monitor the activities of privileged users.

Training end users on security best practices and improving cybersecurity awareness can help organizations reduce risk. 95% of respondents said training was provided to staff, mostly via newsletters and email alerts (68%), online training (61%) and in-person training (47%). However, training programs were not seen as being particularly effective.

Seven out of ten respondents said their training was somewhat effective, and only one in ten felt their training programs were very effective. One of the main issues was getting end users to put effort into learning. The majority of respondents said their organization’s employees were willing to take part in security training, but only 25% said end users actually put any effort into learning about security best practices.

With the threat from within growing, organizations must do more to mitigate risk; however, without an increase in investment, insider breaches are likely to increase. Organizations must also do more to improve their security training and engage end users in training programs.

According to Ajit Sancheti, co-founder and CEO of Preempt, “Without real-time prevention solutions and improved employee engagement, these threats will not only increase, but find more sophisticated ways to infiltrate and navigate a network. The future of security practices relies on the ability to not only understand users and anticipate attacks, but also how to mitigate threats as quickly as possible.”

The post Half of IT Pros Most Concerned About Insider Threats appeared first on HIPAA Journal.

Medical Devices Can Be Hacked Using Black Box Approach

Researchers in the UK and Belgium have discovered that it is possible to hack certain medical devices even without any prior understanding of how the devices work. Cyberattacks could be conducted to gain access to sensitive patient data or to cause harm to patients. The research team discovered that malicious messages could be sent to the devices and that signals could be sent to prematurely drain their batteries.

The study was conducted by researchers at the University of Birmingham in the UK and the University of Leuven / University Hospital Gasthuisberg Leuven in Belgium.

The researchers discovered at least 10 different commonly used medical devices were vulnerable to these attacks, including pacemakers and the latest generation of implantable cardioverter defibrillators (ICDs). The researchers were able to extract medical records from the devices – including patients’ names – and claim these attacks could be pulled off by a relatively weak adversary.

By repeatedly sending signals to the devices, the researchers were able to prematurely drain batteries by preventing the devices from going into sleep mode. It was also possible to extend the window during which the devices could receive messages, allowing further malicious attacks to be conducted.

The researchers used inexpensive commercial off-the-shelf equipment to intercept and reverse-engineer communications between the devices and their device programmers and base stations. The equipment used to conduct the test attacks needed to be in relatively close proximity to the devices, up to 5 meters (around 16 feet), although the researchers said it would be possible to increase that distance by tens or hundreds of times if sophisticated antennas were used.

It was possible to intercept and manipulate signals with no prior understanding of the devices, even though the device manufacturers had taken some steps to obfuscate the data transmitted to and from the devices.

Fortunately, for the attacks to be conducted, an attacker would first need to hold a magnetic programming head close to the device after it had been implanted; only then is the device capable of receiving radio signals. Once activated, it would be possible to send messages to the device for a period of up to two hours.

According to the researchers, “Our work revealed serious protocol and implementation weaknesses on widely used ICDs, which lead to several active and passive software radio-based attacks that we were able to perform in our laboratory.” The researchers also explained that “security-by-obscurity is a dangerous design approach that often conceals negligent designs. Therefore, it is important for the medical industry to migrate from weak proprietary solutions to well-scrutinised security solutions and use them according to the guidelines.”

The findings of the research study will be presented at the Annual Computer Security Applications (ACSAC) conference in Los Angeles this week. The research paper can be viewed on this link.

The post Medical Devices Can Be Hacked Using Black Box Approach appeared first on HIPAA Journal.