Category Archives: Health Care Technology

Internet Explorer Vulnerability

Update: 5/1/2014

Microsoft released a patch this morning to update Internet Explorer and resolve the “Operation Clandestine Fox” vulnerability. Microsoft is including Windows XP in this round of updates, giving our practices some more time to make the transition to Windows 7.

The Windows Update should apply automatically to most computers overnight; however, you may see a prompt in the task bar (pictured below). Please make sure to click on this and run Windows Update prior to using Internet Explorer. If you would like to apply the update now, it is also available in the Control Panel under the item titled “Windows Update.” This update will require a reboot, so save all work before applying it!

[Image: the Windows Update prompt as it appears in the task bar]

Original Post: 4/29/2014

This past Saturday, Microsoft announced a zero-day vulnerability present in Internet Explorer versions six through eleven. These versions represent all currently used Internet Explorer browsers and are present on all Windows desktops. The vulnerability, dubbed “Operation Clandestine Fox” by the security firm that discovered it, takes advantage of the Adobe Flash plugin to gain access to the computer. From there, hackers can remotely control the desktop, execute code, install malware and carry out a variety of other nefarious activities.

The recommended approach to protect yourself from this vulnerability is to use a different browser until Microsoft has a chance to patch Internet Explorer. Mozilla Firefox or Google Chrome are both safe browsers to use for now. Some business applications or sites require Internet Explorer’s architecture. In this case, we recommend accessing only these specific applications in Internet Explorer, while using a different browser for all other sites.

Once a solution is discovered, Microsoft will only be patching its supported systems: Windows Vista and above. This will leave Windows XP systems unpatched and vulnerable. We highly encourage replacement or repurposing of all XP systems to remove them from the external environment. If you have XP systems in your infrastructure, please give us a call so we can develop a plan to maintain the security of your network.

Please do not hesitate to contact us via phone or email if you have any questions or concerns. We consider the security of our clients to be of the highest priority, and are available if you or any other staff need help addressing this issue.


HeartBleed Vulnerability

By now, many of you have probably heard about the HeartBleed OpenSSL vulnerability discovered this week – a concerning back-door that has been present in the popular encryption library for the past two years. It allowed hackers to take advantage of the built-in “heartbeat” function, potentially gleaning username and password combinations and any other transmitted content. Immediately following public notification of this vulnerability, Kali Systems patched all servers using the OpenSSL encryption library at our office and at client locations, and reissued all certificates.
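To make the “heartbeat” problem concrete, here is an added illustration (not part of the original post and not OpenSSL’s code) that simulates the logic error next to the check that fixed it. A TLS heartbeat body is type (1 byte), payload length (2 bytes, big-endian), payload, then 16 bytes of padding; the flaw was that the responder echoed back as many bytes as the peer’s length field claimed without confirming the record actually contained that many. Process memory is stood in for by a bytes object, and the “secret” data sitting next to the record is constructed for the demonstration.

```python
"""
Added example: a simulation of the Heartbleed logic error beside the bounds
check that fixed it.  Nothing here touches a network; "memory" is a bytes
object standing in for the process heap, and SECRET is constructed data.
"""
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16
HEADER_LEN = 1 + 2  # type byte plus two-byte payload length


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat body whose length field may disagree with the payload."""
    return (bytes([HEARTBEAT_REQUEST])
            + claimed_len.to_bytes(2, "big")
            + payload
            + b"\x00" * PADDING_LEN)


def vulnerable_response(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trust the peer's length field.  record_len is the
    real size of the received record and is never consulted, so the copy can
    run past the record into whatever sits next in memory."""
    payload_len = int.from_bytes(memory[1:HEADER_LEN], "big")
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


def patched_response(memory: bytes, record_len: int) -> Optional[bytes]:
    """Mirrors the check added in the fix: discard the record if the claimed
    payload plus header and padding exceeds what was actually received."""
    if record_len < HEADER_LEN:                 # not even a complete header
        return None
    payload_len = int.from_bytes(memory[1:HEADER_LEN], "big")
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:
        return None                             # silently dropped, as the fix does
    return memory[HEADER_LEN:HEADER_LEN + payload_len]


# Constructed "process memory": a malformed heartbeat record followed by data
# that happened to be adjacent in the same process (a just-handled login form).
SECRET = b"user=alice&password=hunter2&session=constructed"
MALFORMED = build_heartbeat(b"hello", claimed_len=64)   # claims 64, carries 5
WELL_FORMED = build_heartbeat(b"hello", claimed_len=5)
MEMORY = MALFORMED + SECRET


if __name__ == "__main__":
    print("vulnerable :", vulnerable_response(MEMORY, len(MALFORMED)))
    print("patched    :", patched_response(MEMORY, len(MALFORMED)))
    print("well-formed:", patched_response(WELL_FORMED + SECRET, len(WELL_FORMED)))
```

Running the block shows the vulnerable path returning 64 bytes that include the constructed credentials, the patched path returning `None` for the same record, and a well-formed heartbeat still being answered normally. The fix is purely a comparison against the length the server actually received, which is why patching the library (and reissuing certificates whose keys may have been in that adjacent memory) was the complete server-side remedy.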

Unfortunately, simply patching servers does not mitigate all risk associated with this vulnerability. Personal account information on various websites may have already been compromised. The following link shows an updated list of sites that were vulnerable, and displays their current patch status:

http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Passwords on these websites should be changed immediately. If the same password is used for any other applications, especially those used for business, it should also be changed immediately. IT best practice recommends using a unique password for business applications so that, if your information is compromised on a personal web page, your business data is not put at risk.

If you have a mail server, please be on the lookout for suspicious activity in your email accounts. This may include receiving “bounced mail” notifications for emails you didn’t send, or responses from people you haven’t emailed. If you notice any suspicious activity, please call us so we can assist you with password changes. We are also monitoring your servers to ensure no connections are being initiated from outside the USA.

Please do not hesitate to contact us via phone or email if you have any questions or concerns. We consider the security of our clients to be of the highest priority, and are available if you or any other staff need help addressing this issue.

The End of an Era – Microsoft Discontinues Support for XP Operating System


Microsoft’s announcement to discontinue support for XP systems has been widely reported in the news lately, and many industry leaders have voiced their opinions on the implications this has for security. From broadly replacing all XP systems, to taking these workstations off the internet, to not doing anything at all, what is the best option for your practice?

Discontinued support does not mean that XP systems will cease to run properly – all this means is that Microsoft will no longer be patching (updating) the operating system as security flaws are detected. For reference, Microsoft currently patches their systems monthly, and sooner for critical vulnerabilities. As these systems go unpatched, malware developers will discover an increasing number of vulnerabilities to exploit, compromising the security of the computer.

We do have options for XP systems, especially for our virtualized clients employing Terminal Servers. We are able to convert these workstations into “thin clients”: the workstation connects to a session on the server, from which the desktop, operating system and software are provided. This eliminates external connections from the unsupported XP system, mitigating the associated security risks. It also saves cost by utilizing existing infrastructure rather than purchasing replacement desktops for all the XP machines in your office.

We are available to discuss this further with each of you, along with additional solutions we have available, and come up with a plan tailored to fit your needs. Give us a call or send us an email to get started!

Cybersecurity a greater risk than natural disasters

A majority of companies, including healthcare organizations, now rank cybersecurity risks as greater than natural disasters, fires and other major business risks, according to a new survey by the Ponemon Institute.

In a previous study, Ponemon put the average cost of a data breach at $188 for each lost or stolen record.

Looking at healthcare in particular, it reported that 94 percent of the 80 participating healthcare organizations experienced at least one data breach that they were aware of in the previous two years, and that such breaches cost organizations a total of $6.78 billion annually.

Among the new survey findings:

  • Protecting against the financial impact of cyber security risks ranks as high as or higher than other insurable risks.
  • Responsibility for managing that risk is moving outside the IT department, with risk management or compliance officers more likely to manage that.
  • Most companies either have cyber security insurance or are considering adoption. Thirty percent of respondents note their company has no interest in purchasing a policy at this time.

Healthcare and pharmaceuticals represented the third-largest industry segment polled.

Jared Rhoads, lead author and senior research specialist for a report from CSC’s Global Institute for Emerging Healthcare Practices, previously recommended taking a holistic approach to managing the risk posed by cyber criminals.

Privacy experts speaking at the Healthcare Privacy Summit earlier this summer said healthcare organizations tend to be too reactive in their approach to health data security.

But the industry is waking up to the risk. A new survey of the cyber security workforce by the public-private partnership Semper Secure just found healthcare the fourth-largest employer of cyber professionals after government, manufacturing and defense/aerospace.

To learn more:
– Read the Ponemon survey report (.pdf)
– Here’s the Semper Secure survey (.pdf)

<Reprint of article by Susan D. Hall – FierceHealthIT ©2013>

Choose Your IT Vendor Carefully!

As Brian Horowitz writes in his article on eWeek:

“Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final “omnibus” rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17.”

While this is not entirely new information, and those who know Kali Systems know that we have been promoting this fact for quite some time now, the news really is that the regulators are focusing on this now – and have a meaningful enforcement arm (the Office of Civil Rights) and a penalty structure which is, frankly, quite intimidating.

The article also states:

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”

The IT vendors that healthcare practices use will often have access to their EHR, be responsible for data backup and otherwise have broad access to a great many forms of ePHI in the practice. That privilege comes with some serious responsibility and obligation to comply on the part of the vendor. The practice is ultimately responsible for assuring that their vendors meet the standards and have compliant Business Associate Agreements in place prior to providing access to protected data.

The Risk Assessment process, as outlined by HHS guidelines, clearly includes a review of all Business Associates as part of the process. Our Risk Assessment product covers this requirement, along with other requirements necessary for Meaningful Use attestation.

Please see full eWeek article by Brian Horowitz here:
http://www.eweek.com/security/hipaa-update-tightens-data-breach-liability-risks-for-it-companies/

Virus Alert – BBB Complaint PDF

Alert for current virus activity.

Our scanning gateways identify virus and spam activity occurring in the wild. Over the last few days the gateways have reported a very high number of hits from a particular virus. Though the messages differ slightly in subject and attachment name, all reference a BBB Complaint either in the subject or the body of the email, and all carry an attached “PDF” file which is actually an executable. All of them contain the virus Mal/BredoZp-B (as identified by Sophos).

Virus infection is a costly event in any environment, but is significantly more sensitive in a healthcare setting. What is the virus doing? Is it accessing local data and reporting it back to an outside party? What data may have been accessed? At the very least, it is an “incident” to be dealt with, documented and evaluated for any possible data access. At worst, it can become a reportable breach.

All practices should have strict policies about opening attachments in email from unknown sources or with any suspect attributes. What is even more effective is gateway scanning which simply does not allow the delivery of any executable attachments. Our SafeMail services/gateways do exactly that and all practices should consider gateway scanning whether from Kali Systems or any other outside provider.
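The point about gateway scanning is that the decision should rest on what the attachment actually contains, not on what it is named, since the lure in this alert is an executable dressed up as a PDF. The following is an added example, not Kali Systems’ code and not the SafeMail product: a minimal content-based attachment filter that refuses anything with a Windows executable header, flags a “.pdf” whose bytes are not a PDF, and falls back to an extension check. The message, sender, subject and file contents are all constructed for the demonstration.

```python
"""
Added example: a gateway-style attachment filter that decides on file CONTENT
rather than the filename or declared MIME type, so an executable renamed to
.pdf is still refused.  All sample data is constructed.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

MZ_MAGIC = b"MZ"       # DOS/PE header: .exe, .dll and .scr files all start this way
PDF_MAGIC = b"%PDF"    # every genuine PDF begins with this signature
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def is_windows_executable(data: bytes) -> bool:
    """True if the bytes carry a DOS/PE header, whatever the file is called."""
    return data.startswith(MZ_MAGIC)


def classify_attachment(filename: Optional[str], data: bytes) -> Tuple[str, str]:
    """Return ("block", reason) or ("allow", reason) for a single attachment."""
    name = (filename or "unnamed").lower()
    if is_windows_executable(data):
        return "block", f"{name}: content is a Windows executable (MZ header)"
    if name.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        return "block", f"{name}: named .pdf but content is not a PDF"
    # Double extensions such as "complaint.pdf.exe" are judged by the last suffix.
    if name.rsplit(".", 1)[-1] in EXECUTABLE_EXTENSIONS:
        return "block", f"{name}: executable file extension"
    return "allow", f"{name}: passed content checks"


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 5322 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        classify_attachment(part.get_filename(), part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    ]


def build_sample_message(attachment_name: str, data: bytes) -> bytes:
    """Construct a message modelled on the alert: a 'BBB Complaint' lure with
    one attachment declared as application/pdf regardless of its real content."""
    msg = EmailMessage()
    msg["From"] = "complaints@example.invalid"     # constructed sender
    msg["To"] = "frontdesk@example.invalid"        # constructed recipient
    msg["Subject"] = "BBB Complaint - Case 0000"   # constructed subject
    msg.set_content("Please review the attached complaint.")
    msg.add_attachment(data, maintype="application", subtype="pdf",
                       filename=attachment_name)
    return bytes(msg)


# Constructed payloads: the smallest thing that looks like a DOS/PE executable
# (MZ header with the PE signature offset at 0x3C), and a PDF header.
FAKE_EXE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
            + b"PE\x00\x00" + b"\x00" * 16)
FAKE_PDF = b"%PDF-1.4\n% constructed sample document\n"


if __name__ == "__main__":
    samples = [("BBB_Complaint.pdf.exe", FAKE_EXE),   # executable with double extension
               ("BBB_Complaint.pdf", FAKE_EXE),       # executable renamed to .pdf
               ("BBB_Complaint.pdf", FAKE_PDF)]       # a real PDF
    for name, data in samples:
        for verdict, reason in scan_message(build_sample_message(name, data)):
            print(verdict.upper(), reason)
```

The first two samples are blocked on their bytes alone, before the filename is even consulted, which is what defeats the “PDF that is really an executable” trick described above; the third passes. A production gateway would add archive inspection and antivirus scanning on top of this, but the ordering (content first, name second) is the part worth copying.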

Kali Systems will continue to post alerts when a particular virus appears to be extremely widespread.

Why you need a gateway security solution

Business today is all about connectivity. Available data suggests email and web access represent 90 percent of business-critical applications used by small- and mid-sized companies. Yet the gains in efficiency and productivity that companies have realized by incorporating the Internet into their business models have also benefited malware authors. Threats that once took months to infect a few thousand computers can now reach hundreds of thousands in mere minutes.

Gartner suggests that between 80 and 95 percent of all email entering a company’s network is spam, and that two to six percent carries a threat such as viruses, Trojans and rootkits.


Healthcare and Email – Dangerous Assumptions

Email has truly become our central production form of communication, both internally and externally. We rely on the ease and rapidity of messaging, and our ability to readily attach documents, pictures or other relevant information. And we are increasingly going mobile (read that as “real time”) with our email connectivity. A recent comScore study revealed that Americans are increasingly using their mobile phones and tablets to access email on the run.

As a result, the information we find useful to have in email is increasing. And services like GMail have made it easy to integrate email, calendaring and contacts, all available from web browsers, mobile devices and our home computers – all for a very reasonable price indeed! But hang on here… when we use our “personal” email in such a fashion, what have we really given to these third party providers? Are we really secure? Are we even compliant?

Medical Technology and Compliance

What a subject! And what a dynamic and challenging industry for both health care providers and the various vendors they use to keep a practice running. We are going to try to get the latest and most relevant issues which are constantly arising and bring them here for awareness and discussion. Comments will always be welcome, but highly moderated. So play nice!