Next Wednesday, Online Tech heads to Detroit, Michigan to join the region’s Fortune 1000 CIOs while exhibiting secure hosting solutions, including the encrypted cloud, at Evanta’s 11th Annual Detroit Executive Summit at the Sheraton Detroit Novi Hotel. The summit is hosted by the Technology and Business Innovation Forum (TBIF) of the Stephen M. Ross School of Business at the University of Michigan, as well as Detroit’s Society for Information Management (SIM). Built “by CIOs, for CIOs,” the event features a number of sessions and keynotes on cybersecurity, information security, cloud computing and other innovations in information technology. A few of the more notable talks include:

How is Cloud Changing the Way IT Works?
Speakers: Charlotte Decker, VP & CTO, The Auto Club Group – AAA; Cliff Burgess, Director Information Technology, Gentex Corp.; Dave Katt, VMware Accelerate Americas Executive, VMware, Inc.
Description: As organizations move away from legacy systems, CIOs must understand the capabilities of cloud and the way its integration affects the structure of IT. CIOs are well versed in the technical aspects of cloud-based solutions, but cloud’s implementation may challenge the way they understand the structure of their IT organization, such as employees that require retraining, skills that must be repurposed, and…
Although the updated Adobe hack number was last reported at 38 million users, Paul Ducklin of Sophos’ Naked Security blog has reported that 150 million breached records have been found in a database dump online. While the passwords are encrypted, the plaintext password hints have been published alongside each record. The database dump does not, however, include any of the encrypted credit and debit card data of the 2.9 million cardholders that was also stolen in the breach. Why is this such a serious breach? As I wrote in Source Code, Encrypted Data Stolen as 2.9 Million Affected in Adobe Breach, according to Holden as reported by ThreatPost.com, a breach of the source code of an end-user product allows attackers to write new malware and viruses targeting it. Additionally, the attackers have reportedly been using ColdFusion exploits since January, targeting vulnerabilities in ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows to bypass authentication and remotely control web servers running ColdFusion. Not sure if you’ve been affected? LastPass has a handy and secure online tool that lets you enter your email address and check whether it appears in this breach. Visit Was My Adobe Account Hacked? to find out. To combat future exploits, learn more about deploying…
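Why do plaintext hints beside encrypted passwords matter so much? Ducklin’s analysis found the passwords had been encrypted without any per-user salt, so two accounts with the same password carry the same ciphertext. The example below, added here and not taken from the original post or from the Sophos analysis, shows the consequence: group the dump by ciphertext and every hint in a group describes the same password, so a handful of hints like “numbers” and “1 to 6” give the password away for every account in the group at once. The records are constructed, and the “encryption” is a stand-in keyed digest that only reproduces the one property the attack relies on (equal passwords give equal ciphertexts); it is not the cipher Adobe used.

```python
import base64
import hashlib
from collections import defaultdict

# Stand-in for an unsalted, deterministic password encryption (assumption: the
# dump has that property). A keyed digest with an arbitrary constant key gives
# equal-input -> equal-output, which is all the clustering needs.
_DEMO_KEY = b"demo-key-not-a-real-secret"


def simulate_unsalted_encrypt(password: str) -> str:
    digest = hashlib.blake2b(password.encode(), key=_DEMO_KEY, digest_size=8).digest()
    return base64.b64encode(digest).decode()


# Constructed sample dump. The attacker sees only (user id, ciphertext, hint);
# the plaintext column exists only to build the fixture and is NOT in a record.
_FIXTURE = [
    ("u1", "123456", "numbers"),
    ("u2", "123456", "1 to 6"),
    ("u3", "123456", ""),
    ("u4", "password", "obvious"),
    ("u5", "password", "same as everywhere"),
    ("u6", "qwerty", "keyboard row"),
    ("u7", "correct horse", "xkcd"),
]
RECORDS = [(uid, simulate_unsalted_encrypt(pw), hint) for uid, pw, hint in _FIXTURE]


def cluster_by_ciphertext(records):
    """Group (user_id, hint) pairs by identical ciphertext."""
    clusters = defaultdict(list)
    for uid, ciphertext, hint in records:
        clusters[ciphertext].append((uid, hint))
    return clusters


def ranked_clusters(records, min_size=2):
    """Clusters of at least min_size accounts, largest first, as
    (ciphertext, user_ids, non-empty hints). Every hint in a cluster describes
    the same password, so the pooled hints are what an attacker reads."""
    ranked = []
    for ciphertext, members in cluster_by_ciphertext(records).items():
        if len(members) >= min_size:
            user_ids = [uid for uid, _ in members]
            hints = [hint for _, hint in members if hint]
            ranked.append((ciphertext, user_ids, hints))
    ranked.sort(key=lambda c: (-len(c[1]), c[0]))
    return ranked


def shared_password_fraction(records):
    """Fraction of accounts whose ciphertext is shared with at least one other
    account: recovering that one password unlocks every member of the group."""
    sizes = {ct: len(m) for ct, m in cluster_by_ciphertext(records).items()}
    shared = sum(1 for _, ct, _ in records if sizes[ct] > 1)
    return shared / len(records)


if __name__ == "__main__":
    for ciphertext, user_ids, hints in ranked_clusters(RECORDS):
        print(f"{ciphertext}  {len(user_ids)} accounts  hints: {hints}")
    print(f"{shared_password_fraction(RECORDS):.0%} of accounts share a password with someone else")
```

A per-user salt (or, better, a slow password hash rather than encryption) would make every ciphertext unique, and the hints would then only ever leak one account at a time.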
The Dept. of Health & Human Services has a HIPAA security guide outlining its recommendations for securing ePHI (electronic protected health information) on mobile devices, including remote access. HHS covers ePHI in a variety of situations, from accessing to storing and transmitting data. The format presents a potential risk, then the technical, administrative or physical security recommendation to prevent that risk. Below I’ve summarized the guide to highlight some of the top pointers along with some additional technical info:

Accessing ePHI
Risk: Password or user login info was lost or stolen, resulting in unauthorized access to, or viewing/modification of, ePHI.
How to Mitigate: Implement two-factor authentication for remote access to systems containing ePHI. Secure and encrypted remote access can be achieved with a combination of SSL certificates, VPNs (Virtual Private Networks) and two-factor authentication that requires a secondary factor for access (e.g., push notifications or one-time passcodes delivered to, or generated on, your personal phone). HHS also recommends using RADIUS (Remote Authentication Dial-In User Service) or similar tools to support a technical process that creates unique usernames and performs authentication for remote access.
Risk: Systems infected by an external device with the intent to gain remote access to systems housing ePHI….
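The passcode generated on a phone is usually a time-based one-time password (TOTP, RFC 6238). The example below is added here as an illustration and is not from the HHS guide or from Online Tech; it shows the server side of that second factor as a remote-access gateway would run it, including the two checks that matter in practice: a small clock-skew window, and refusal to accept a code a second time so a phished or sniffed code cannot be replayed inside its 30-second validity window. The per-user secrets dictionary and the user names are assumptions for the demo; the seed in the demo block is the RFC 6238 test-vector seed, not a secret anyone should enrol.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time // step."""
    return hotp(secret, int(timestamp // step), digits)


class TotpVerifier:
    """Server-side second-factor check for a remote-access gateway.

    Accepts the code for the current step plus or minus `skew` steps (clock
    drift between phone and server), and never accepts a counter at or below
    the last counter already accepted for that user, so a captured code
    cannot be replayed within its window (RFC 6238 section 5.2).
    """

    def __init__(self, secrets: dict, step: int = 30, digits: int = 6, skew: int = 1):
        self.secrets = secrets          # user -> shared secret (assumed enrolled out of band)
        self.step, self.digits, self.skew = step, digits, skew
        self.last_counter = {}          # user -> highest counter already consumed

    def verify(self, user: str, code: str, now: float = None) -> bool:
        secret = self.secrets.get(user)
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False
        now = time.time() if now is None else now
        current = int(now // self.step)
        for delta in range(-self.skew, self.skew + 1):
            counter = current + delta
            if counter <= self.last_counter.get(user, -1):
                continue  # already consumed, or older than a consumed code: replay
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    demo_seed = b"12345678901234567890"   # RFC 6238 test-vector seed, demo only
    gateway = TotpVerifier({"alice": demo_seed})
    code = totp(demo_seed, time.time())
    print("first use accepted:", gateway.verify("alice", code))
    print("replay accepted:   ", gateway.verify("alice", code))
```

The replay state (`last_counter`) has to live on the server, not in the client; if the gateway is load-balanced it must be shared between nodes, otherwise a replayed code simply goes to a different node.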
Results from the 2013 IDG Enterprise Cloud Computing report found that the percentage of the total IT environment expected to move to the private cloud grew from 28 to 36 percent, with a lower TCO (total cost of ownership) being the top internal selling point for those surveyed (23 percent). The report surveyed readers of CIO, Computerworld, CSO, InfoWorld, ITworld, and Network World. Other top arguments for using the private cloud include the ability to enable business continuity (20 percent); replacing on-premises legacy technology (20 percent); and speed of deployment (19 percent). Beyond these, other benefits of a private cloud include access to and control of your environment via a virtual machine operations manager, dedicated compute and storage, and, if your cloud provider supports it, built-in hardware-based encryption. Encryption of data at rest and in transit is considered a best practice for the healthcare, financial, ecommerce and other industries concerned with data security. An encrypted HIPAA cloud, for example, should be audited against data regulation standards that require compliance not only at the technical level, but also at the administrative and physical security levels. No two clouds are alike – read What to Look for in a HIPAA Cloud Provider…
Online Tech is liveblogging from Milwaukee at Rock IT Around the Clock! That’s the theme for the HIMSS Midwest Area Chapters Fall Technology Conference, November 10-12, where we’re exhibiting our HIPAA hosting solutions at booth #501. Here are our takeaways from a session on cyber security:

Session: Cyber Attacks from Shanghai: Prepared?
Speaker: Ali Pabrai

Firewalls are our first line of defense!

Antivirus control
Many vulnerabilities enter the network via employees’ email activities.

Authentication control
This is a critical area. We struggle with password management and credential information; it can lead to more problems.
Key: Encrypt all passwords during transmission and storage on all system components.
There are too many generic accounts (physician accounts, nurse accounts, etc.).
Implement two-factor authentication for remote access. We’re going to get more, not less, remote access.
When OCR does audits, one of the questions they ask is whether or not you have two-factor authentication. Especially for people who have to meet more than just HIPAA requirements (like PCI), it’s a mandate for other compliance regimes.

Audit log consolidation control
Establish a process for linking all access to system components (especially privileged access such as root) to each individual.
Implement automated audit trails for all system components to reconstruct the event….
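The last two points, linking privileged access to an individual and keeping an audit trail that can reconstruct an event, are where generic accounts bite: a `sudo` line names the person, a direct SSH login as `root` names nobody. The example below is added here to show what that linkage looks like over consolidated syslog; it is not from the session or from Online Tech. It parses constructed (not real) `sshd`, `sudo` and `su` lines from a hypothetical host, attributes each privileged action to a named person where the log allows, and reports the accesses that end at a shared account, which is exactly the finding an auditor will raise.

```python
import re
from collections import Counter

# Constructed syslog lines (not real logs) from a hypothetical host "ehr-db":
# an SSH login, two sudo commands, a direct root SSH login, and an su to root.
SAMPLE_LOG = """\
Nov 11 09:14:02 ehr-db sshd[2231]: Accepted publickey for alice from 10.20.1.15 port 51022 ssh2
Nov 11 09:14:30 ehr-db sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/lib/ehr/patients.csv
Nov 11 09:15:01 ehr-db sshd[2290]: Accepted password for root from 10.20.1.77 port 40110 ssh2
Nov 11 09:16:12 ehr-db sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Nov 11 09:20:44 ehr-db su[2355]: Successful su for root by alice
Nov 11 09:21:03 ehr-db sshd[2402]: Accepted publickey for carol from 10.20.1.18 port 51100 ssh2
"""

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_OK = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SU_OK = re.compile(r"^Successful su for (?P<target>\S+) by (?P<user>\S+)")

# Shared/privileged accounts: a trail must never end at one of these.
PRIVILEGED = {"root"}


def parse_events(text):
    """Turn each recognised line into an event naming the individual responsible.
    `individual` is None when the trail ends at a shared account."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, host, prog, msg = m.group("ts", "host", "prog", "msg")
        if prog == "sshd" and (s := SSH_OK.match(msg)):
            user = s.group("user")
            events.append({"ts": ts, "host": host, "kind": "login", "target": user,
                           "individual": None if user in PRIVILEGED else user,
                           "source": s.group("ip"), "detail": s.group("method")})
        elif prog == "sudo" and (s := SUDO.match(msg)):
            events.append({"ts": ts, "host": host, "kind": "sudo", "target": s.group("target"),
                           "individual": s.group("user"), "source": None, "detail": s.group("cmd")})
        elif prog == "su" and (s := SU_OK.match(msg)):
            events.append({"ts": ts, "host": host, "kind": "su", "target": s.group("target"),
                           "individual": s.group("user"), "source": None, "detail": None})
    return events


def privileged_events(events):
    return [e for e in events if e["target"] in PRIVILEGED]


def unattributed(events):
    """Privileged access that cannot be tied to a person."""
    return [e for e in privileged_events(events) if e["individual"] is None]


def per_individual(events):
    """Number of privileged actions per named person."""
    return Counter(e["individual"] for e in privileged_events(events) if e["individual"])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in privileged_events(evs):
        who = e["individual"] or "UNATTRIBUTED"
        print(f"{e['ts']} {e['host']} {e['kind']:<5} {e['target']:<5} by {who:<13} {e['detail'] or ''}")
    print("per person:", dict(per_individual(evs)))
```

The fix for the unattributed row is not a better parser but a policy: disable direct root logins (`PermitRootLogin no`) so every privileged action has to pass through a personal account first.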
Last week I wrote about CryptoLocker in Offsite Backup: Thwarting the Profitable Encryption Malware. CryptoLocker is the well-known malware categorized as ransomware: it encrypts files on your computer and withholds the decryption key until you pay the malware authors a fee. To help combat the spread, CIS (Center for Internet Security) released some pointers for organizations concerned about possible infection:

Block traffic to a number of IP addresses at your network perimeter devices to prevent the malware from getting the encryption key from its C2 (command and control) server. These are just a few (see the rest of them here):
46.149.111.28
83.69.233.25
144.76.192.130
192.155.83.72
212.2.227.70
95.59.26.43
162.243.66.243

Here are some sample email subjects, attachment naming conventions, sender email addresses, sender IPs and hosts that might indicate the presence of the malware:
Subject: “Annual Form – Authorization to Use Privately Owned Vehicle on State Business”
Attachment: Attachments follow the naming convention “Form_[Varying Digits and Numbers].zip”. For example: Form_nfcausa.org.zip, Form_20130810.exe, Form_f4f43454.com.zip.
Spoofed Sender: “[email protected]” “[email protected]”
Sender IP: 209.143.144.3
Sender Host: mail.netsential.com

CIS also lists a few registry and file system path indicators for Windows. Other recommendations include: Most emails containing CryptoLocker are sent via spoofed email accounts, so spread awareness throughout your users to ensure they check…
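To turn the CIS indicators above into something a mail gateway or log pipeline can apply, here is an added example (not from CIS or from the original post) that matches inbound-message metadata against the subject, attachment-name pattern, sender IP and sender host listed above, and flags outbound flows to the listed C2 addresses. Only the indicators quoted above are encoded; the C2 list is explicitly partial, and the spoofed sender addresses are not reproduced because the page elides them. The message metadata and flow records are constructed samples.

```python
import ipaddress
import re

# C2 addresses quoted from the CIS pointers above (a partial list).
C2_IPS = {ipaddress.ip_address(a) for a in [
    "46.149.111.28", "83.69.233.25", "144.76.192.130", "192.155.83.72",
    "212.2.227.70", "95.59.26.43", "162.243.66.243",
]}
SUBJECT_IOC = "Annual Form - Authorization to Use Privately Owned Vehicle on State Business"
# "Form_<digits/letters>.zip" (and the .exe variant seen in the examples).
ATTACHMENT_IOC = re.compile(r"^Form_[A-Za-z0-9.]+\.(?:zip|exe)$", re.IGNORECASE)
SENDER_IP_IOC = ipaddress.ip_address("209.143.144.3")
SENDER_HOST_IOC = "mail.netsential.com"


def _norm(s: str) -> str:
    """Fold dash variants and whitespace so a subject matches regardless of
    whether the lure used a hyphen or an en dash."""
    return " ".join(s.replace("\u2013", "-").replace("\u2014", "-").split()).lower()


def match_email(meta: dict) -> list:
    """Names of the CIS indicators an inbound message matches.
    meta keys: subject, attachments (list of names), sender_ip, sender_host."""
    hits = []
    if _norm(meta.get("subject", "")) == _norm(SUBJECT_IOC):
        hits.append("subject")
    if any(ATTACHMENT_IOC.match(name) for name in meta.get("attachments", [])):
        hits.append("attachment")
    try:
        if ipaddress.ip_address(meta.get("sender_ip", "")) == SENDER_IP_IOC:
            hits.append("sender_ip")
    except ValueError:
        pass  # missing or malformed sender IP: not a match, not an error
    if meta.get("sender_host", "").lower() == SENDER_HOST_IOC:
        hits.append("sender_host")
    return hits


def flag_c2_flows(flows) -> list:
    """(src, dst, port) tuples whose destination is a listed C2 address: the
    connection the perimeter block is meant to stop, and a sign that a host is
    already infected and trying to fetch its key."""
    flagged = []
    for src, dst, port in flows:
        try:
            if ipaddress.ip_address(dst) in C2_IPS:
                flagged.append((src, dst, port))
        except ValueError:
            continue  # unparseable destination (e.g. a hostname): skip
    return flagged


# Constructed sample data (not real mail or traffic).
SAMPLE_EMAILS = [
    {"subject": "Annual Form \u2013 Authorization to Use Privately Owned Vehicle on State Business",
     "attachments": ["Form_20130810.exe"], "sender_ip": "209.143.144.3",
     "sender_host": "mail.netsential.com"},
    {"subject": "Lunch on Thursday?", "attachments": ["agenda.pdf"],
     "sender_ip": "10.0.0.5", "sender_host": "mail.example.internal"},
    {"subject": "Your form", "attachments": ["Form_f4f43454.com.zip"],
     "sender_ip": "198.51.100.7", "sender_host": "smtp.example.net"},
]
SAMPLE_FLOWS = [("10.1.2.3", "144.76.192.130", 443), ("10.1.2.3", "203.0.113.9", 443),
                ("10.1.2.9", "not-an-ip", 80)]

if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(f"{m['subject'][:40]!r:45} -> {match_email(m)}")
    print("flows to C2:", flag_c2_flows(SAMPLE_FLOWS))
```

A single hit on the attachment pattern is worth quarantining on its own; the subject and sender indicators change from campaign to campaign, while the downloader naming convention was what CIS saw repeated.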
Here’s the best of mobile security from 2013, including articles, white papers, previously recorded webinars and more that explain mobile health IT (mHealth) data security and how to prevent compromised data in your organization. Online Tech is also headed to the 2013 mHealth Summit this December in Washington, D.C. to exhibit encrypted HIPAA hosting solutions for mobile software as a service (SaaS) and other health IT companies. Visit us at booth #1112 if you’re attending, and follow us @OnlineTech on Twitter for updates.

Mobile Security Articles:
HIPAA Encryption: Protecting Patient Data on Tablets & Smartphones
A guest blog from HITECHAnswers.net lists security tips from HHS.gov to help ensure that patient data is secure in a BYOD (Bring Your Own Device) environment that includes the use of personal devices such as iPhones and iPads in the …
mHealth Trends and Strategies 2013 from AnyPresence
AnyPresence is proud to announce the availability of a new white paper entitled mHealth Trends and Strategies 2013. The report was authored by Andre’ Guillemin of 43,000 Feet LLC and Kevin Benedict from Cognizant, both of whom are well respected …
The APPS Act Addresses Mobile Security Concerns
Striving for…
Online Tech is heading to Milwaukee to Rock IT Around the Clock! That’s the theme for the HIMSS Midwest Area Chapters Fall Technology Conference, November 10-12, where we’ll be exhibiting our HIPAA hosting solutions at booth #501.

Morning Keynote: Howard J. Jacob, Ph.D. from HMGC
It’s all about the data.
Personalized medicine: What is it? Is it a reality any time soon?
Big Data: Building collective data.
There is a disproportionate number of people who aren’t physicians but practice medicine, which people don’t realize, and they are being underrepresented.
Personalized medicine is a $450 billion marketplace.
Humans have 6 billion data points within their genome, and 30,000 genes per person. Of these 6 billion data points, only about 4-6 million can cause us to look strikingly different from one another.
There is, scientifically, a mitochondrial Eve and a Y-chromosomal Adam. This means we are all pretty much derived from the same people, with the same general makeup.
Family history is really important. But how much do you really know about your family? Most people don’t give complete and accurate information to their families, so it’s harder to be sure your family history is accurate….
Yesterday, I blogged about the new PCI DSS 3.0 document, which contains a number of clarifications, additional guidance and evolving (new) requirements. The part I’m going to focus on is the evolving requirements, as they represent the changes that keep the standard up to date with emerging threats and changes in the market. They also represent the greatest changes between the old and new documents, and are relevant to merchants and service providers that are already PCI DSS compliant but may need to update according to the newly added requirements. For a complete list of the new PCI DSS 3.0 requirements, visit our site: PCI DSS 3.0: Complete List of Newly Added Requirements. Here’s a continuation of the new requirements; you can find the first batch, 1.1.3-6.5.10, in PCI DSS 3.0: New Requirements Released for Merchants & Service Providers.

8.2.3 – Passwords/phrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Why they added it: This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/phrases. For cases…