
Internet Explorer Vulnerability

Update: 5/1/2014

Microsoft released a patch this morning to update Internet Explorer and resolve the “Operation Clandestine Fox” vulnerability. Microsoft is including XP in this round of updates, allowing our practices some more time to make the transition to Windows 7.

The Windows Update should automatically apply to most computers overnight – however you may see a prompt show up in the task bar (pictured below). Please make sure to click on this and run Windows Update prior to using Internet Explorer. If you would like to apply the update now, it is also available in the control panel under the item titled “Windows Update.” This update will require a reboot, so save all work before applying it!


Original Post: 4/29/2014

This past Saturday, Microsoft announced a zero-day vulnerability present in Internet Explorer versions six through eleven. These versions represent all currently used Internet Explorer browsers, and are present on all Windows desktops. The vulnerability, dubbed “Operation Clandestine Fox” by the security firm that discovered it, takes advantage of the Adobe Flash plugin to gain access to the computer. From there, hackers can remotely control the desktop, execute code, install malware, and carry out a variety of other nefarious activities.

The recommended approach to protect yourself from this vulnerability is to use a different browser until Microsoft has a chance to patch Internet Explorer. Mozilla Firefox or Google Chrome are both safe browsers to use for now. Some business applications or sites require Internet Explorer’s architecture. In this case, we recommend accessing only these specific applications in Internet Explorer, while using a different browser for all other sites.

Once a patch is available, Microsoft will only be releasing it for its supported systems: Windows Vista and above. This will leave Windows XP systems unpatched and vulnerable. We highly encourage replacement or repurposing of all XP systems to remove them from the external environment. If you have XP systems in your infrastructure, please give us a call so we can develop a plan to maintain the security of your network.

Please do not hesitate to contact us via phone or email if you have any questions or concerns. We consider the security of our clients to be of the highest priority, and are available if you or any other staff need help addressing this issue.


HeartBleed Vulnerability

By now, many of you have probably heard about the HeartBleed OpenSSL vulnerability discovered this week – a concerning back-door that has been present in the popular encryption libraries for the past 2 years. This allowed hackers to take advantage of the built-in “heartbeat” function, potentially gleaning username and password combinations and any other transmitted content. Immediately following public notification of this vulnerability, Kali Systems patched all servers using the OpenSSL encryption protocols at our office and at client locations, and reissued all certificates.
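For readers who want to see why the heartbeat function could leak data at all, here is a small model of the bug and its fix. This is an added illustration, not code from Kali Systems or from OpenSSL: the heartbeat record layout follows RFC 6520 (type, two-byte payload length, payload, 16 bytes of padding), the “memory” that sits after the record is a constructed byte string standing in for whatever happened to be next to it in the server process, and the length check in the patched function mirrors the one OpenSSL added to its heartbeat handler (reject the record if 1 + 2 + payload length + padding exceeds the record length).

```python
import struct
from typing import Optional

# Heartbeat record layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16
HEADER_LEN = 1 + 2


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_length lets us model a length field that
    does not match the bytes actually sent (the core of the bug)."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def respond_unchecked(memory: bytes, record_length: int) -> bytes:
    """Pre-patch behaviour: trust payload_length and copy that many bytes back,
    even if that runs past the end of the record we actually received."""
    hb_type, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]  # may read beyond record_length
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LEN


def respond_checked(memory: bytes, record_length: int) -> Optional[bytes]:
    """Patched behaviour: silently discard any record whose claimed payload
    does not fit inside the record that was really received."""
    if record_length < HEADER_LEN:
        return None
    hb_type, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + PADDING_LEN > record_length:
        return None
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LEN


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, payload_length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + payload_length]


def leaked_bytes(response: bytes, record_length: int) -> bytes:
    """Return the part of the echoed payload that came from beyond the original record,
    i.e. bytes the client never sent and should never have received."""
    payload = response_payload(response)
    return payload[max(0, record_length - HEADER_LEN):]


def demo() -> dict:
    # Constructed sample: a 2-byte payload that claims to be 40 bytes long,
    # followed in "memory" by a constructed credential string that a real
    # server might have had sitting in a nearby buffer.
    record = build_heartbeat(b"hi", claimed_length=40)
    nearby_secret = b"user=alice;pass=hunter2"  # constructed, not real data
    memory = record + nearby_secret
    record_length = len(record)

    unchecked = respond_unchecked(memory, record_length)
    checked = respond_checked(memory, record_length)

    # An honest heartbeat (length field matches the payload) still works after the fix.
    honest = build_heartbeat(b"hi")
    honest_reply = respond_checked(honest + nearby_secret, len(honest))

    return {
        "leak_before_fix": leaked_bytes(unchecked, record_length),
        "reply_after_fix": checked,
        "honest_reply_payload": response_payload(honest_reply) if honest_reply else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run as-is, the unpatched handler echoes back the padding followed by bytes from the adjacent “memory” (the constructed credential string), while the patched handler returns nothing for the malformed record and still answers an honest one normally. That silent discard, rather than any change to the protocol, is what the OpenSSL patch and the server updates described above put in place.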

Unfortunately, simply patching servers does not mitigate all risk associated with this vulnerability. Personal account information on various websites may have already been compromised. The following link shows an updated list of sites that were vulnerable, and displays their current patch status:

http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Passwords on these websites should be changed immediately. If the same password is used for any other applications, especially those used for business, it should also be changed immediately. IT best practice recommends using a unique password for business applications, so that if your information is compromised on a personal web page, your business data is not put at risk.

Customers with mail servers should be on the lookout for suspicious activity occurring in their email accounts. This may include receiving “bounced mail” notifications for emails you didn’t send, or responses from people you haven’t emailed. If you notice any suspicious activity, please call us so we can assist you with password changes. We are also monitoring your servers to ensure no connections are being initiated from outside the USA.

Please do not hesitate to contact us via phone or email if you have any questions or concerns. We consider the security of our clients to be of the highest priority, and are available if you or any other staff need help addressing this issue.

HIPAA Refresher

We would like to make sure all of our valued clients remain up to date on the latest HIPAA developments that affect their practices. In light of the Omnibus Rule updates, and considering the looming onset of Meaningful Use 2, allow us to provide a quick refresher!

All practices should, by now, have completed a HIPAA Security Risk Assessment (RA), whether or not they have attested for Meaningful Use. As is the nature of legislation, the regulations this RA is based on have been changed yet again. Updating the RA for these changes is a key aspect of a practice’s compliance program.

The first major change that happened with the onset of the Omnibus Rule this past September has to do with us – Business Associates. Direct liability for safeguarding patient data has been imposed, including a requirement for us to complete our own RA! Practices, however, just need to make sure their Business Associate Contracts have been updated. These should be updated as they expire, or within a year of 9/23/13 (whichever is sooner).

Breach Notification requirements were also amended. The definition of a breach of PHI has been updated; now, a breach is not reportable to HHS if a practice can determine, via an RA, that there is a low probability the PHI has been compromised. Furthermore, fines cannot be imposed if the breach was not due to willful neglect and was corrected within 30 days.

The Privacy Rule has not been missed in this recent HIPAA makeover. Changes have been made to permissible uses and disclosures, patients’ right to access their PHI electronically, and restrictions on the sale of PHI. In light of this, a practice should update its Notice of Privacy Practices.

As always, Kali Systems is available to help with your HIPAA compliance efforts. We would be happy to answer your questions, assist you with your RA updates, or provide templates for NPPs and BA Contracts.

The End of an Era – Microsoft Discontinues Support for XP Operating System


Microsoft’s announcement to discontinue support for XP systems has been widely reported in the news lately, and many industry leaders have voiced their opinions on the implications this has for security. From broadly replacing all XP systems, to taking these workstations off the internet, to not doing anything at all, what is the best option for your practice?

Discontinued support does not mean that XP systems will cease to run properly – all this means is that Microsoft will no longer be patching (updating) the operating system as security flaws are detected. For reference, Microsoft currently patches its systems monthly, and sooner for critical vulnerabilities. As these systems go unpatched, malware developers will discover an increasing number of vulnerabilities to exploit, compromising the security of the computer.

We do have options for XP systems, especially for our virtualized clients employing Terminal Servers. We are able to convert these workstations into “Thin Clients” – the workstation connects to a session on the server, from which the desktop, operating system, and software are provided. This eliminates external connections from the unsupported XP system, mitigating the associated security risks. It also saves cost by utilizing existing infrastructure rather than purchasing replacement desktops for all the XP machines in your office.

We are available to discuss this further with each of you, along with additional solutions we have available, and come up with a plan tailored to fit your needs. Give us a call or send us an email to get started!