Healthcare as an industry lacks IT security
Posted on August 19, 2015 in Data Breach, IT Security, IT Security Assessment
“Healthcare as an industry has not taken seriously security in the past, to the extent that other kinds of industries have taken security and privacy, and has not bothered to put those security components into place that would protect the privacy of that information,” says Kibbe in an interview with Information Security Media Group. “They are trying to play catch-up now, very desperately.”
Recent breaches in the healthcare sector, such as the cyber attack on Anthem Inc., which impacted nearly 80 million individuals, show that “information is in these giant repositories, and is quite vulnerable to the bad guys breaking into that information and making use of it,” he says.
“It’s worse in healthcare than it is in other industries that have hardened their security practices as a result of these hacks,” he says. “We’re starting to see healthcare institutions and organizations being hacked because they’re easier targets.”
Kibbe recently testified at a Senate Committee on Health, Education, Labor and Pensions hearing about the state of secure information exchange in the healthcare sector, which is often hindered by intentional “information blocking” (see How to Unblock Secure Info Exchange) .
That includes information blocking caused by interoperability issues between electronic health record systems from different vendors, as well as situations in which healthcare providers incorrectly use the HIPAA privacy rule as an excuse for refusing to share patient information with other healthcare entities.
There are several important steps that healthcare entities can take to improve the overall protection of health data, as well as safeguard patient information that’s being exchanged with others, Kibbe says. That includes implementing strong encryption for data at rest and in transit; using multi-factor authentication; and building much better awareness of security and privacy throughout the healthcare sector.
Healthcare entities need “to take privacy and security very, very seriously beyond their own enterprises,” he urges. “We now live in a world where health information, as well as other personal information, exists in the cloud and people need to be very wary. They can put moats around their own information resources, servers, but you have to think about everybody else’s servers at the same time.”
In the interview, Kibbe also discusses:
The security and privacy challenges faced by health information exchange organizations that handle and store large volumes of patient data;
A progress update on the use of Direct secure messaging in the healthcare sector;
DirectTrust’s plans to unveil in 2016 Direct-based secure texting and “chats” for use on mobile devices, such as smartphones, in the healthcare sector.
Kibbe, a physician, is founding president and CEO of DirectTrust, a nonprofit alliance that created and maintains the security and trust framework for using the Direct Project for secure e-mail in the healthcare sector. He is also senior adviser to the American Academy of Family Physicians. Kibbe in 2014 was named a top 10 Healthcare Information Security influencer by Information Security Media Group.
This article was published in August 14, 2015 edition of DataBreach Today.
http://www.databreachtoday.com/interviews/how-neglect-made-healthcare-no1-target-i-2840?rf=2015-08-18-edbt&mkt_tok=3RkMMJWWfF9wsRolsqvLZKXonjHpfsX67%2BUtX6G3lMI%2F0ER3fOvrPUfGjI4ETMpkI%2BSLDwEYGJlv6SgFSrXEMbp407gPWBY%3D
The Best Free Ways to Send Encrypted Email and Secure Messages
Posted on July 7, 2015 in Secure Email
Infoencrypt
Infoencrypt is a free, web-based service for easily securing your messages. Simply enter the text of your message and the encryption password that will be used for both encryption and decryption. The program encrypts your message using a strong encryption algorithm, making it secure to send. Anyone who intercepts the encrypted message without the password will not be able to read the original message.
SafeGmail
SafeGmail is a free extension for Google Chrome that allows you to send encrypted emails to anyone. The messages are encrypted and decrypted within the browser and remain encrypted in both the sender’s and receiver’s email inboxes. The messages also automatically expire after a random amount of time.
RMail
RMail allows you to easily send emails with end-to-end security and compliance. Send encrypted email from your current email address (10 free messages allowed per month) and automatically receive a Registered Receipt™ record proving encrypted delivery and compliance with open tracking.
Sendinc
Sendinc is a web-based service that makes it safe and simple to transmit sensitive information via email. You and your recipients can use Sendinc for free. No software is required.
Sendinc secures your message by ensuring that your data remains encrypted from the time it leaves your computer through the time your recipients retrieve it. At no point in the process is your message data transmitted or stored in an unencrypted format. Sendinc further ensures the safety of your messages by verifying your recipients are in fact your intended recipients.
Messages are encrypted with a powerful randomly-generated encryption key that is emailed to your recipients in the form of a link. Sendinc does not save a copy of your recipients’ encryption keys and your message can not be decrypted without the key – not even by Sendinc. This means only your recipients can decode the message data.
Hushmail
Hushmail is a secure web-based free email service that looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes. It uses standards-compliant encryption and provides mobile access (Android, iPhone, BlackBerry, etc.).
Lockbin
Lockbin is a free web application for sending private email messages and files. Lockbin ends message persistence, which means your email message will not be backed up on email servers or stored in backup files. Network sniffers can also spy on your email traffic while in transit. Use Lockbin to obscure the content of your message and avoid these hazards to your privacy.
No registration is required to use Lockbin. Your message and file attachments are protected by strong AES-256 bit encryption and your secret password. You invent the password and deliver it to the recipient using a different secure method, not email.
iSafeguard
iSafeguard is a software package that provides easy-to-use and highly secure encryption and digital signature solutions for everyone from big companies to individual users. The software allows you to sign and encrypt files, folders, and emails and verify digital signatures and countersignatures. It provides a secure text editor and allows you to wipe files, folders, and free disk space. It also integrates with the Windows shell.
The freeware edition of their software is for non-business, individual users. Although it lacks some of the features the enterprise and professional editions have it does provide powerful encryption and digital signatures capabilities, and security is as strong as the enterprise and professional editions.
Hushmail
Hushmail is a secure web-based free email service that looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes. It uses standards-compliant encryption and provides mobile access (Android, iPhone, BlackBerry, etc.).
Paid plans are also available that provide additional storage, unlimited email aliases, dedicated technical support, and desktop access.
Crypto Anywhere
Crypto Anywhere is a program that is small enough to fit on a USB flash drive, providing free secure email on the go. Don’t have a computer yourself but want to protect your web based e-mail at your local internet cafe? Crypto Anywhere is for you. If you run Crypto Anywhere from a USB flash drive, you can encrypt your email without even installing software on your workstation. With Crypto Anywhere you can send and receive secure email to and from anyone with an email account – the recipients do not have to have Crypto Anywhere themselves.
Crypto Anywhere is free for personal and corporate use.
The information is the blog post was accumulated from multiple sources but especially http://www.howtogeek.com/
Some basic strategies for safe and private web browsing
- Spam email filtering
Spam email introduces web links or attachments in emails that entice your users to click potentially introducing viruses/malware on business computers/networks. These spam emails can also redirect your employees to websites where they offer up information (either personal or business) that should remain private or confidential.
- Internet content filtering
An effective web content filtering solution is essential for because granting your employees unfettered access to the Internet opens your company to a multitude of problems.
- Security: Grave risk to the companies’ security.
- Legal Trouble: Liability of inappropriate content.
- Productivity: Loss of employee productivity due to Internet abuse.
- Use private browsing options for your browser
Mozilla Firefox – https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history
Google Chrome – https://support.google.com/chrome/answer/95464?hl=en
Internet Explorer–http://browsers.about.com/od/internetexplorertutorials/ss/How-To-Activate-Inprivate-Browsing-Mode-In-Internet-Explorer-11_3.htm
- User alternate web browser
WhiteHat Aviator – blocks holes through which most malicious sites infect your computer. It cuts out all ads and disables the media autoplay.
- VPN (virtual private network) web browsing
- VPN cloaks and encrypts your signal, making your online activity completely illegible to any eavesdroppers.
- VPN manipulates your IP address, making you appear to come from a different machine/location/country.
Remote Employees and IT Security
Posted on in IT Security, Remote Access
Q: What are some IT standard practices and procedures that we should implement when dealing with our field or remote employees?
A: Depending on the technology needs of your remote employees you should implement the following as standard security practices:
(a) You should have a plan in place where the technology in the field returns to the main corporate office on a regular basis for security and software updates; (b) Field computers should have local firewall software installed for browsing the Internet off-site (Windows firewall does not count!); (c) Limit or forbid use of public wireless networks (Use personal mobile hot-spots instead); (d) Eliminate and restrict actual data on the local computers (use remote application servers for running apps and storing data. Use the local computer as a “dumb-terminal”); (e) Make it policy that employees are using VPN (virtual private network) when accessing company servers and data remotely; and (f) If data must absolutely reside locally on the remote computers, use hard drive encryption built into the notebook’s base system or use third-party encryption software.
Q: Smartphones have become an increasingly large part of our field employee’s toolkit. What should I do to protect ourselves with regard to these computing devices?
A: (a) Make certain smartphones are owned by the company and used for the company business ONLY! (You cannot dictate IT policy on an employee’s personal phone); (b) Again, use local cellular data plan rather than public Wi-Fi access for accessing data and browsing the Internet for information; (c) Password protect and auto-lock your devices; (d) Use remote find and/or remote wipe capabilities of the smartphones if they are lost or stolen; and (e) Limit your use of document sharing/sync apps (Sugarsync, Box.net) and of course … iCloud! I95
Disaster Recovery
Posted on in Disaster Recovery
Dave Thomas has been providing sound IT consulting advice to SMBs for over 20 years. He is a certified Microsoft engineer and is dedicated to helping these same businesses weather the current storms with IT systems and data security.
Q: I am worried about the ever increasing IT threats to my business. What can I do as insurance in the event that my primary security fails?
A: There are a number of things that businesses can do to prepare for a significant IT security event.
Multiple data backup/restoration options: Having multiple data restoration options ensures that you will have more than one place to look when a disaster takes place. Local onsite data backups are crucial in that compromised systems and data need to be restored quickly. Off-site/Internet-based backups limit the amount of data that can be downloaded and restored so that you don’t choke their service provider’s Internet connection speed for their other customers. However, off-site backups are equally important in the event that there is a physical disaster in your office (fire, water, etc.) that renders your live data and local backups unusable.
Imaging software: There are multiple options of imaging software available for servers and desktops. Imaging software allows for taking a complete snapshot of your workstation or server’s current configuration, software and data at a given moment in time. This type of backup allows for a complete restoration of a desktop or server in minutes rather than hours or even days.
Written Disaster Recovery Plan: Create a detailed plan for what you will do in the event of an IT disaster. When disaster strikes you will need a plan that you can easily find and execute thereby minimizing down time. Such a plan should include a list of your IT vendor’s contact information and account numbers, locations of most recent backups and clearly defined steps for data restoration and a plan for securing temporary office space in the event of a total disaster. I95
Kenneally Technology Services
410-321-9558
www.jlktech.com
