No. 1 Patient Safety Threat? Ransomware, Cyberattacks

ECRI Institute Releases List of Top 10 Health Technology Hazards

While dirty hospital mattresses and the failure to properly disinfect medical gear are among the top safety risks posed to patients, ransomware and other cyberattacks will pose even bigger threats to patients in 2018, according to the ECRI Institute. The non-profit patient safety research organization named ransomware and cybersecurity threats as the No. 1 health technology hazard for 2018.

"This is the first year ransomware has been included in the ECRI Institute's Top 10 Health Technology Hazards list," says Juuso Leinonen, senior project engineer at the health devices group of ECRI. "Cybersecurity topics have been covered in the past, but this is the first year a cybersecurity topic has been ranked No. 1 in the list."

During the past year, ransomware showed its potential to disrupt healthcare delivery, he says. "We saw several global ransomware attacks that impacted various organizations, including some hospitals. Ransomware has the potential to impact technologies crucial for patient care, such as patient information systems and medical devices," Leinonen says. "Lack of access to these systems and devices can result in compromise or delay to patient care, which can lead to patient harm. Ransomware can also result in financial losses due to disruption to hospital operations such as postponed appointments and elective surgeries."

ECRI's top 10 list of health technology hazards identifies the potential sources of danger involving medical devices and other health technologies that the research organization says warrant the greatest attention for the coming year.

Global Health Threat

Global attacks, including those involving WannaCry and NotPetya, have had a heavy impact on the healthcare sector across the globe so far this year, from the National Health System in the United Kingdom to medical device manufacturers including Bayer AG and pharmaceutical giant Merck.

During the WannaCry ransomware attacks back in May, at least two U.S. hospitals reported that their imaging systems from Bayer AG had been infected.

Numerous other hospitals and clinics in the U.S. have also been victims of ransomware attacks that have greatly disrupted the delivery of patient care.

For instance, just last month, Arkansas Oral & Facial Surgery Center acknowledged that a ransomware attack in July not only shut down access to some electronic patient data but also rendered imaging files, including X-rays, inaccessible for an undisclosed period of time.

One of the highest-profile cyberattacks in 2016, which was suspected of involving ransomware, greatly disrupted patient care for several days at MedStar Health. The 10-hospital system serving the Maryland and Washington area said it shut down many of its systems to avoid the spread of malware.

Ransomware and Medical Devices

The Food and Drug Administration recently called attention to the risks malware poses to medical devices. In an Oct. 31 blog post, Suzanne Schwartz, M.D., associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, wrote: "A computer virus or hack resulting in the loss of or unauthorized use of data is one thing. A breach that potentially impacts the safety and effectiveness of a medical device can threaten the health and safety of an individual or patients using the device."

Schwartz, who'll be a speaker at Information Security Media Group's Healthcare Security Summit in New York on Nov. 14-15, wrote that the FDA "encourages medical device manufacturers to proactively update and patch devices in a safe and timely manner" to avoid having their products compromised by ransomware or other cybersecurity threats.

Taking Action

Managing cybersecurity in a healthcare environment is extremely difficult, ECRI's Leinonen says, because a hospital might have "thousands of devices from hundreds of vendors."

Healthcare facilities need to acknowledge that mitigating the risk of ransomware is not solely a problem for IT, he stresses.

"Collaboration within your organization is a key to success. Various departments, including IT, clinical engineering, information security, risk management, purchasing and clinicians all have a part to play," he says.

Susan Lucci, chief privacy officer and senior consultant at security consultancy Just Associates, says all healthcare entities can take two steps to better prepare for and deal with emerging cyber issues that can pose a hazard to patient privacy and safety.

"Have a well-established privacy and security committee that meets to review subjects like this regularly, and have a clearly defined breach response plan and breach response team to quickly respond to immediate threats that may arise," she says.

Malware can pose risks to patients in several ways, says Curt Kwak, CIO of Proliance Surgeons in Washington state. "Ransomware will halt workflows, halt data processing and the [malware's] ongoing threat of data corruption could jeopardize the practitioner's trust in the data that they are utilizing to treat their patients," he says.

Nevertheless, some organizations fail to realize that ransomware poses a threat to patient safety, says Keith Fricke, principal consultant at tw-Security. For example, he notes, "those entities that have experienced ransomware events may have been inconvenienced by files getting encrypted that did not directly impact patient care." So they may not see ransomware as a patient safety issue.

Fricke says many organizations' data backup plans are insufficient, putting them at additional risk. "In addition, those with mature backup strategies have to be wary of ransomware-encrypted files getting replicated to their offsite backups," he points out.

And because ransomware and other cyberattacks show no sign of abating, Kwak stresses that it's "critical for the organizations to continue to monitor and protect their data environment and educate their end users on the best cybersecurity practices."

Why You Need Private Browsing

If you thought browsing securely (and privately) was as easy as opening a new incognito window, think again. Private browsing is all the rage now that it’s necessary in order to access certain websites in some countries. Luckily, there are lots of ways to access the web that don’t require Safari, Firefox, or Chrome. There are also ways to surf the internet that aren’t actually secure at all -- even if they’re advertised as such. The first step to tapping into a safe connection is understanding what a safe connection is -- and what it’s not.

This is not what private browsing looks like.

Google Chrome’s Incognito mode may cover your tracks online locally, but it doesn’t erase them entirely. When you choose to browse privately using a major web browser, the places you visit online will not accumulate in your computer’s history. This way, no one else who accesses your device will be able to see the websites you used during your private browsing session. (In fact, you won’t even be able to see them yourself.)

Except...you can. In fact, anyone can; that is, anyone who has access to your internet bill. All it takes is calling up your internet service provider and requesting a log of the websites you visited at any given time and day. (Yes, this can include times and days when you were browsing “privately.”)

Yet you and anyone with access to your internet bill aren’t the only ones with access to your browsing history! All of the websites you’re visiting can also see you, even if you’re not logged into an account associated with their services. This is because your path to that website isn’t protected. Online, who you are is defined by how you arrived there.

Encryption is the Key

Truly private browsing requires an encrypted connection through a browser that has Virtual Private Network (VPN) capabilities. This isn’t your typical browser, but rather a special kind that you may have to do a bit of Googling to find (that is, unless you’re lucky enough to find yourself reading this article).

When you connect to the internet through a VPN, where your connection originates is indistinguishable. This is because your connection is made possible through a web of devices and a remote server (some private browsers allow users to choose from a number of remote servers, but most don’t). Unlike when you connect to the web using a standard connection, when you browse through a VPN, your device’s point of origin is unidentifiable.

The only thing that is visible when you’re browsing through a VPN is the location you choose to be visible. Private browsers with VPN capabilities allow you to choose from connections around the world to display as your point of origin. (If you connect through a VPN location in Switzerland, it will appear as though you are browsing the web via Switzerland, even if your physical location is Palo Alto, California.)

Encrypted Browsing in the Workplace

In the workplace, things get a bit more complicated. Although a VPN connection will encrypt your traffic, your employer’s IT department may still be able to tell that you are using an encrypted connection, especially if you’re on the company network. This may be against your company’s policy, so be aware of the consequences.

Also, if you’re on a company machine, it may already be controlled by corporate, and your activities may already be monitored regardless of whether a VPN is on or not. The safest bet is to use a VPN on your own personal device over data, and not on your company network, to keep your browsing private from your employer.

How to Choose a Private Browser

There are many private browsers out there that are completely free, which is why choosing the right one to do the job can be a daunting task. Ever since the rise in popularity of private browsing in recent months, some have even adopted questionable means of serving their users (including feigning VPN capabilities and selling data).

The first thing to note when shopping for a private browser is what makes it private. If the only thing advertised is an ability to delete your local history, then you’re being pushed a glorified incognito window. The incognito mode of almost all of today’s browsers does not encrypt your traffic.

The first thing that should be advertised is what VPN options the browser offers. A user-friendly private encrypted browser will have different servers to connect to the web through, easy ways to switch between servers, and an intuitive interface for connecting to and disconnecting from the web.

Encryption is crucial for truly private browsing because it masks information about your surfing habits such as how long you stayed on a site, how many times you visited, and what your activity log looked like for any particular website. Someone snooping on your online activity may be able to see how much data you’re using in a browsing session, but they won’t be able to see how it’s used if your connection is encrypted.

There are a number of quality private browsers out there that can be downloaded for free, but it’s important to look out for any hidden catch. When a web product or service is offered for free, sometimes the reason is that you’re paying for it with your data.

Other Ways to Stay Safe Online

Browsing privately isn’t the only way to protect your data on the internet. You can start using these tools even without a private browser to enhance your traditional web experience and make it harder to be tracked.

Start by switching up your default search engine. Google’s AdSense makes a private browsing experience impossible using Google. Private search engines such as DuckDuckGo and StartPage don’t creep on your habits for the sake of targeting advertisements to you.

If you browse the web primarily from your phone, be sure to turn off Geotagging to prevent the public caching of your physical location each time you take a photo. (If you’re using a private browser but still have this feature turned on, your browsing location will conflate with your physical location.)

There are many free password managers available that will help you generate passwords that are difficult to compromise, and will remind you when it’s time to change up your passwords.

Last but not least, you can use browser security tools such as HTTPS Everywhere and Privacy Badger to protect your data even when you’re not browsing privately.

Hackers Break Face ID a Week After iPhone X Release

Video: https://youtu.be/i4YQRLQVixM

When Apple announced the iPhone X earlier this year, it promised its new unlocking mechanism, Face ID, was twice as secure as its predecessor, Touch ID. The company said it had tested it six ways from Sunday, including using masks, and that unless you had an identical twin running around, the chances of somebody breaking into your phone were “one in a million.” This week, Bkav says they’re the one. The Vietnamese cybersecurity firm claims they’ve successfully hacked an iPhone X using a mask.

The mask, a combination of silicon, paper, fabric, and 3-D printouts that looks like something out of a low-budget horror film, cost $150, according to Bkav. The firm posted a video in which they claim to break into the phone, and a blog post answering questions about how they did it. “The recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID’s AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.” Of course, this is just one firm’s claim and the technique video hasn’t been confirmed or replicated by anybody else. (Wired tried and failed to defeat Face ID using masks earlier this fall.) Don’t go panicking just yet.

15 Online Security and Privacy Tips for College Students

The internet was developed on university campuses, and it revolutionized education. As a student, you probably don’t have access to a highly secured campus network that restricts and regulates the traffic and new devices. You’re responsible for your own online security, so here are some tips to help you be safe and privacy-savvy on campus.

1. Keep Security Systems Up to Date

All of your connected devices should have updated antivirus, operating software and apps. Turn the auto updates on! It’s important to have the latest protection against viruses, malware and other threats to which you’re exposed.

2. Check Your Bank Statements Frequently

This should become a habit. Aim to check your statements once a day, so you’ll make sure all transactions are legitimate.

3. Only Shop on Secure Sites

Online shopping is great but you have to make sure you’re doing it from a secure network. Avoid sensitive transactions like shopping and banking when using a public campus network; instead, consider using a virtual private network (VPN) or your smartphone’s hotspot for more secure browsing.

Pay attention to the websites, too. Check to make sure the URL starts with https:// and search for reviews to make sure it’s safe.

4. Back Everything Up

What if you’re working on an important research project and you lose everything right before the deadline? Store your work safely on the cloud or on an external hard drive.

5. Get Informed About Ransomware

Hackers can remotely lock your computer and keep your private files encrypted until you pay them. Do not pay the ransom! Get informed so you’ll know what to do in such a situation. To protect your files from this, be wary about clicking links or opening attachments in emails.

6. Improve Your Passwords

Do not use the same password for different services. Avoid passwords that are easy to guess, such as those that include your name, birthday or address. Make your password a sentence that is at least 12 characters long – focus on positive sentences that are easy to remember – on many sites you can even use spaces!

7. Never Share Passwords

So you’re expecting an important email and you thought your roommate could check it for you? Do not do that! It doesn’t mean you don’t trust them. Do not share your passwords!

8. Keep Your Passwords Safe

How do you remember all those passwords? Do not keep them in a note on your phone. If someone gets their hands on it, they will have access to everything. Write the passwords in your diary, a notebook or a piece of paper that you’ll keep in a safe place away from your computer – or consider using a password manager that will store them for you.

9. Learn What to Do in Case of a Data Breach

Campus networks and servers are at risk of a data breach, meaning hackers can break into computer accounts. You can’t do much to protect yourself against these practices, but if there is a breach impacting your accounts, immediately change all passwords. Check and control your bank statements, too!

10. Use Public Computers Very Carefully

You’re using a computer in the library? Never save your passwords on the websites you visit. Always log out before leaving a website. Delete all files you may have downloaded or saved from the device.

11. Don’t Fall for a Phishing Scam

If a suspicious site or email or other message asks for sensitive information like your credit card number, Social Security number or phone number, do not provide it.

12. Protect Your Devices

Protecting your devices includes keeping them safe from physical theft. Never leave devices unattended in public. When you leave your devices in your room on campus, don’t leave them in a visible spot. You can use a cable lock for laptops and other devices to keep them secure.

13. Manage Your – and Others’ – Privacy

No one should post photos of you on social media without your permission. Unflattering content – or photos of you under the influence or engaging in risky behavior – could present disciplinary risks and/or impact your ability to get jobs in the future. Ask friends to get your permission before posting about you, and do the same for them. The golden rule applies online as well.

14. Think Before You Click

Before you open any email or click any link you’re not sure about, stop and think. Make sure your antivirus is updated. Think: do you really need to click? When in doubt about a link or attachment, throw it out.

15. Share With Care

Social media is all about sharing, but it doesn’t mean you should make your whole life public. Do not make your personal information public. You don’t have to inform the world when you’re leaving the dorm room and leaving your belongings unattended.

5 Technology Security Tips for Businesses

In the wake of new high-profile cybersecurity breaches, such as those experienced by Equifax and Deloitte, the subject of protecting technology and data is on everyone’s mind. Even if your business is not as big of a target as Deloitte or Equifax, protecting your and your customers’ sensitive data is a major obligation. Cybercriminals look for any opening to commit a virtual smash-and-grab. Letting your guard down for even a moment is typically all the opportunity the bad guys need to commit a crime that can have dramatic and catastrophic effects on your business and your customers’ financial stability. Knowing this, it makes sense for all businesses to establish some commonsense safeguards when it comes to their use of technology. Although having strong cybersecurity protocols in place and partnering with a qualified cybersecurity firm, such as Nebula Consulting, can go a long way to protecting data and technology, following a few simple procedures also can have a significant impact on security posture.

 

STAY AWAY FROM PUBLIC HOTSPOTS

It cannot be stressed enough how dangerous it is to share one’s personal or financial information with any website or any person over the Internet while using a public connection. Public Wi-Fi networks are common hunting grounds for attackers and data snoopers who try to access users’ personal information. Since public networks have negligible security, users should try to avoid using them while making online payments – or if they really have to, then they must use a VPN – a Virtual Private Network.

KNOW WHERE YOUR DATA IS

Even if you use a third party for payment transactions, you are still liable for managing the data. You need to check to make sure you’re not securing credit card payment information on mobile devices and that the data center you’re using to store data has fully-implemented information security policies and procedures in accordance with PCI requirements and industry standards. These also apply to any storage of personal data associated with customers and employees. It’s mandated this information be securely held.

MANAGE PASSWORDS

As basic as this might seem, passwords continue to be incredibly important. Require your employees to use strong passwords and to change them often – every 90 days. Use a password manager and, where possible, employ other factors for authentication to build defense in depth.

USE A RELIABLE E-COMMERCE PAYMENT SOLUTION

Safe payment acceptance technology integrated within your website ensures any transaction completed via a credit card will be secure. The consumer will be able to make purchases without any personal information being accessed by outside forces, and your bank accounts connected to the website will also be secure. You, as well as the consumer, can feel comfortable completing payments within your site.

SECURITY LAYERS

When it comes to DDoS attacks, proxy or scrubbing services should be used. Firewalls can help limit DDoS attacks, but they suffer from the same resource issues that a web server or router would when attacked. They may handle it a bit better but are not considered DDoS prevention tools. E-commerce sites can benefit from cloud-based DDoS protection and managed domain name system services to further protect themselves from attacks. Always employ best practices in the software development process.