Monthly Archives: October 2017

Sneaky phishing attack hijacks your chats to spread malware

Organizations around the world have fallen victim to a highly-targeted phishing campaign which intercepts ongoing email threads to customize messages and spread malware.

Hackers are intercepting legitimate email conversations between individuals and hijacking them to spread malware into corporate networks. They insert highly customized phishing messages designed to look as if the victim is still communicating with the person they were originally messaging.

The target still believes they’re in contact with the person they were originally messaging, but in fact they have fallen victim to a highly targeted cyber attack and may have infected their network via a malicious attachment.

Attacks using this technique have already infiltrated several networks, including those of a Middle Eastern bank, European intellectual services firms, an international sporting organization and ‘individuals with indirect ties to a country in North East Asia’.

Dubbed FreeMilk – after words found in the malware’s code – by the Palo Alto Networks Unit 42 researchers who uncovered the campaign, these attacks have been active since at least May 2017.

The attack leverages CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and WordPad parse specially crafted files. Microsoft patched it in April 2017, before the campaign began, so the exploit only works against systems that have not applied that update.

Successful exploitation gives the attackers control of the infected system. Hijacking a conversation, however, first requires access to one participant’s mailbox – likely obtained through credential theft – after which the attackers reply into the in-progress thread with carefully crafted content designed to fool the target into opening a malicious attachment from what they believe to be a trusted source.

Upon successful execution of a FreeMilk phishing attack, two payloads will be installed on the target system – named PoohMilk and Freenki by researchers.

PoohMilk’s primary objective is to run the Freenki downloader. The purposes of Freenki malware are two-fold – the first is to collect information from the host and the second is to act as a second-stage downloader.

Information collected by the malware includes the username, computer name, Ethernet MAC addresses and running processes. Freenki can also take screenshots of the infected system; everything is sent to a command-and-control server for the attackers to store and use.

Freenki is also capable of downloading further malware to the infected machine, although researchers have so far been unable to identify any additional payloads being dropped.

While the threat actors behind FreeMilk have yet to be formally identified, Unit 42 notes that the PoohMilk loader has been used in earlier attacks, including a January 2016 phishing campaign in which the emails were disguised as a security patch.

Attackers also attempted to distribute Freenki in an August 2016 watering-hole attack on an anti-North Korean government website run by defectors in the United Kingdom.

While researchers describe the FreeMilk spear phishing campaign as limited in the number of attacks carried out, they note that it has a wide range of targets in different regions across the globe.

But by hijacking legitimate conversations and crafting content to match them, the attackers have a high chance of infecting the individual they are targeting within an organization.

via:  zdnet

Google’s New Earbuds Instantly Translate 40 Languages

Your holiday wish list just got one item longer.

Google held its annual hardware event Wednesday, at which it unveiled its newest Pixel and Google Home, among other products. But, it was an item revealed late in the presentation that might have been the most mind-blowing.

Google’s Pixel Buds are essentially the company’s answer to Apple’s AirPods. They’re earbuds that connect to a smartphone–in this case, the Pixel–via Bluetooth. At $159, they’re priced exactly the same as AirPods.

But, because they pair with the Pixel smartphone, and thus Google’s software, the headphones can do something Apple’s headphones can’t do: Translate spoken language in real time.

The operation is performed using Google Translate, which is built into the Google Pixel. The wearer taps the right earbud and says something like, “Help me speak Spanish,” and Google gets to work. A person standing nearby can speak out loud in Spanish, and the earbuds will give the wearer the English translation in her ear. She can then hold down her right earbud and speak in English, and her phone will project the Spanish translation from the Pixel’s speaker. The live translation begins only a second or two after the person stops speaking.

Google demoed the technology in action on Wednesday, and the earbuds quickly translated a conversation between English and Swedish–to much applause from the audience. The platform operates in 40 different languages. That’s essentially like having a translator that can speak in 1,600 different language combinations right in your ear.

The Pixel Buds can be used with the iPhone too, but only Pixel owners will be able to use tools like Translate and the Google Assistant.

The earbuds don’t have any buttons: volume and track changes are handled by swiping or tapping the right earbud. They connect to your phone wirelessly, but the two earbuds are tethered together by a cloth-like cord.

The Pixel Buds come with a case that is also used to charge them. According to a blog post on Google’s site, they can play music for about 24 hours without needing a charge. They will be available in November, conveniently just in time for your holiday shopping.

via: inc

Google Chrome is to Block autoplay Video from January 2018

Chrome 64

Google yesterday announced its plan to block autoplaying web video in the Chrome browser, a welcome move against the most irritating and bandwidth-consuming form of web media.

Chrome released a roadmap for this. Starting with Chrome 63, a new user option will allow users to completely block audio for a website; the setting persists across browsing sessions, letting users decide when and where sound will play.

Starting with Chrome 64, autoplay will be allowed when either the media won’t play sound, or the user has indicated an interest in the media. This will allow autoplay to occur when users want media to play, and respect users’ wishes when they don’t.

Safari 11 already offers similarly granular options, letting users mute sound or block autoplaying media entirely.

With the Chrome’s new update media content will be allowed to autoplay only under the following conditions:
  • The content is muted or does not include any audio (video only)
  • The user tapped or clicked somewhere on the site during the browsing session
  • On mobile, if the site has been added to the Home Screen by the user
  • On desktop, if the user has frequently played media on the site, according to the Media Engagement Index
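To see what these conditions mean for a page that starts its own media, here is an added example (written for this page, not code from Google or the Chrome team) of the pattern a site should use under the new policy: call play(), treat a rejected promise whose name is NotAllowedError as "autoplay blocked", and fall back to muted playback, which the policy always permits. The createFakeVideo helper is a stand-in for an HTMLMediaElement so the code runs outside a browser; its userGesture and highEngagement flags are an assumed model of the conditions above, not a Chrome API.

```javascript
// Added example for this page, not code from Google or the Chrome team.
// startMedia() is the pattern a page should use under the Chrome 64 policy:
// play() returns a promise, and a rejection named NotAllowedError means
// unmuted autoplay was blocked. Muted autoplay is always allowed, so we
// retry muted and let the UI offer an unmute control instead of silently failing.

const NOT_ALLOWED = 'NotAllowedError';

// Resolves to 'playing' (unmuted autoplay allowed), 'playing-muted'
// (blocked unmuted, succeeded muted) or 'blocked' (non-policy failure).
async function startMedia(video) {
  const attempt = () => {
    const p = video.play();
    // Browsers that predate the promise-returning play() return undefined; treat that as success.
    return p === undefined ? Promise.resolve() : p;
  };

  try {
    await attempt();
    return 'playing';
  } catch (err) {
    // Any error other than the autoplay policy (decode error, no source, ...) is a real failure.
    if (!err || err.name !== NOT_ALLOWED) return 'blocked';
  }

  video.muted = true;
  try {
    await attempt();
    return 'playing-muted';
  } catch (err) {
    return 'blocked';
  }
}

// Test double standing in for an HTMLMediaElement. The userGesture and highEngagement
// flags are an assumed model of the policy conditions (user interaction, MEI), not a
// Chrome API; they only exist so this example runs outside a browser.
function createFakeVideo({ userGesture = false, highEngagement = false } = {}) {
  return {
    muted: false,
    playing: false,
    play() {
      if (this.muted || userGesture || highEngagement) {
        this.playing = true;
        return Promise.resolve();
      }
      const err = new Error("play() failed because the user didn't interact with the document first.");
      err.name = NOT_ALLOWED;
      return Promise.reject(err);
    },
  };
}

// Stand-alone demo: a first visit with no gesture ends up playing muted.
startMedia(createFakeVideo()).then((state) => console.log('autoplay state:', state));
```

The important design choice is to inspect err.name rather than swallowing every rejection: a decode error or missing source should surface as a failure, while only the policy rejection should trigger the muted retry.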

Roadmap

September 2017
  • New autoplay policies announced
  • Site muting available in M63 Beta
  • Begin collecting Media Engagement Index (MEI) data in M62 Canary and Dev

October 2017
  • Site muting available in M63 Stable
  • Autoplay policies available in M63+ Canary and Dev

December 2017
  • Autoplay policies available in M64 Beta

January 2018
  • Autoplay policies available in M64 Stable

These options give users more control over media while making it easier for publishers to implement autoplay where it benefits the user.

via:  gbhackers

Top 5 Cyber Practices To Keep You Safe

People assume that staying safe from hackers requires a lot of money. While spending money in the right area is important, common-sense practices costing little to no money are the most effective defenses against a cyber attack. Let’s face it, no one is 100% safe from hackers, so each of us needs to be vigilant to protect our personal information. Below are some basic cyber practices that are easy to employ and do not break the wallet.

Passwords keep our private data private. This is completely in our control, yet every day people still create weak passwords that are simple to guess or crack. Creating long, strong passwords of at least 14 characters that include numbers, uppercase and lowercase letters and symbols is essential. Of course, the stronger the password, the harder it is to crack, but also the harder it is to remember. So don’t write your passwords on a sticky note stuck to your keyboard. If you are guilty of this, try a password manager. It might just help you stay organized and secure. There are dozens of password managers available. I personally use and recommend LastPass because it is secure, effective, and mostly free. If you are old school, give PasswordsFast a try. It looks like a calculator but lets you manually store all your login credentials on one device that cannot connect to the internet or Wi-Fi. This might seem inconvenient, but all data is encrypted and stays securely in your pocket.

One day on a whim, I tried to guess my friend’s password by thinking about his favorite sport, hockey. I already knew his favorite player, which he often talked about, so I decided to start from there. I was dumbfounded when on the first attempt, I was able to compromise his account. It is not uncommon for people to create easy, guessable passwords with common things they can remember, but what happened next blew my mind. I decided to see if he was foolish enough to use the same password across multiple sites and he was! Password reuse is one of the greatest problems in cybersecurity. More than half of all Internet users reuse passwords across multiple sites. Don’t believe me? Ask a few colleagues if they ever reuse the same password across more than one site. You might be surprised by their answer. When a hacker compromises a user’s password, the first thing they do is try that same password across multiple platforms looking for reuse. There are even tools available that automate the hacking process for reused passwords automatically as well as ‘paste’ sites where attackers publicly post the email addresses and passwords they’ve stolen. It’s no mystery as to why at a web summit in Lisbon, Alex Stamos, Chief Security Officer at Facebook, declared “The reuse of passwords is the No. 1 cause of harm on the internet.”

Don’t be too social on social media. With all the catfishing and online fraud, you would think that people would be more wary of online strangers and connections, but people are too trusting. Everything we post on social media is on the Internet and thus potentially available to everyone, including hackers. Don’t be too quick to ‘Like’ or Tweet something. Each interaction adds to a digital footprint that can be used against you. All modern browsers provide private browsing modes. Using them for everyday browsing lessens the local footprint (history, cookies, cached pages), though it does not hide your activity from the websites you visit or from your network provider. And if you don’t trust Apple’s or Google’s privacy policies, consider a privacy-focused search engine such as DuckDuckGo, which does not track your searches.

You know those annoying birthday questions and automated wishes from all of your connections? I recommend you lie about your birthday in order to make it more challenging for hackers trying to steal your ID or take credit out in your name. For example, I’ve posted my birthdate incorrectly across numerous social media sites so if or when a hacker calls a bank posing as me with my credentials and provides the wrong birthdate, the conversation is over. Always think twice before posting information that could be used against you. Social media implies that we share things freely and socially with our friends and colleagues but strangers lurking around or posing as our friends are the ones who truly benefit from that information.

It’s ok to lie about your security challenge questions. Honesty is normally the best policy but that does not apply when we are asked a security challenge question such as ‘What high school did you attend?’ This is where I create a unique password or response that only I know. Why is it dangerous to answer honestly? Answers to some personal questions regarding high school, street names and pets are practically public knowledge thanks to the Internet and social media. A quick search can yield detailed results in seconds.

Stop clicking on those attachments. Phishing attacks are huge and cost individuals and companies over $5 billion each year. So who falls for these scams? Every day over 80,000 people click on attachments that then download malware and ransomware. Even with a good firewall, spam filter and anti-virus and anti-malware software, a small percentage of malicious email will still get through. When going through email, take your time: hover your mouse over any link embedded in the body of the email before clicking it and look at the address it actually points to. If it looks odd, or the domain does not match the one shown in the link text, DO NOT CLICK. Instead, type the website address directly into a new browser window unless you are expecting a specific email from that source.

Also look for telltale signs such as poor spelling and grammatical errors, as many hackers do not speak or write English as their primary language. If an email is asking for personal information such as your address, credit card or social security number, a red flag should immediately go up. Most email scams also invoke a sense of urgency, motivating the user to click before it is too late. And of course, when the email is encouraging you to win 5 million dollars just by clicking and it seems too good to be true, then it is too good to be true.
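The “hover over the link” check can be automated. Below is an added example (not code from the original article) that parses the HTML body of an email, extracts every link and flags the tricks that make a displayed address lie: anchor text naming a different host than the href, an IP address in place of a hostname, a ‘user@host’ prefix that makes the real host look like a path, and punycode (xn--) labels used for look-alike domains. The sample message and every domain in it are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (not a real message): one honest link and three
# that use common phishing tricks. All hosts are example/documentation names.
SAMPLE_EMAIL_HTML = """
<p>Your account will be locked in 24 hours. Verify your details now.</p>
<p><a href="http://secure-bank.example.net/login">https://www.bank.example.com/login</a></p>
<p><a href="http://www.bank.example.com@203.0.113.7/">Verify now</a></p>
<p><a href="https://www.bank.example.com/help">Help centre</a></p>
<p><a href="http://xn--bnk-example-4ya.com/">www.bank.example.com</a></p>
"""

# Matches a bare hostname or URL at the start of the visible link text, e.g.
# "https://www.bank.example.com/login" or "www.bank.example.com".
SHOWN_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the list of reasons a link looks deceptive; an empty list means none found."""
    reasons = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    real_host = (parts.hostname or "").lower()

    # http://trusted.example.com@evil.example/ : the browser connects to evil.example.
    if parts.username is not None:
        reasons.append("userinfo-before-host")
    # Legitimate organisations link to names, not raw IP addresses.
    if _is_ip(real_host):
        reasons.append("ip-literal-host")
    # xn-- labels are IDN/punycode; a look-alike of an ASCII brand name is a red flag.
    if any(label.startswith("xn--") for label in real_host.split(".")):
        reasons.append("punycode-host")
    # Link text that names a host must name the host the href really goes to.
    match = SHOWN_HOST_RE.match(text)
    if match:
        shown_host = match.group(1).lower()
        if shown_host != real_host:
            reasons.append(f"text-host-mismatch:{shown_host}!={real_host}")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link in the body that triggered a check."""
    findings = []
    for href, text in extract_links(html):
        reasons = analyse_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS {href!r} shown as {text!r}: {', '.join(reasons)}")
```

Note that the host comparison is exact: a link shown as www.bank.example.com that really goes to a subdomain or a sibling domain is still reported, which is what you want, since “close enough” is exactly what a look-alike domain relies on.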

Regularly apply security patches. We have become accustomed to reminders to install security updates to the point of numbness, but that doesn’t make them any less crucial. Next time you receive an update reminder, do not put it off. Install the recommended security patch immediately. The same holds true for applications as well as operating system (OS) updates.

The best way to stay safe on the Internet is to minimize the size of the targets on all of our backs. Hackers will never give up completely, but they will move onto easier targets. Stay Safe.

via:  bmc

New EU General Data Protection Regulation (GDPR): An IT Security View

The new EU General Data Protection Regulation (GDPR) is the biggest shake-up in privacy legislation and data management approach for many years. It will impact any organization throughout the world that processes personal data relating to EU citizens. Organizations that breach the regulation can be fined up to four percent of their annual global turnover or 20 million Euros, whichever is greater.

Breaches of the regulation include processing personal data without adequate consent from the data subject and violating the privacy-by-design principle.

It is crucial to note that both data controllers and processors are subject to the rules, especially if they fail to either carry out a privacy impact assessment or notify the authority (ICO, the Information Commissioner’s Office, in the UK) about a breach.

In this article, we will look at GDPR from the IT security perspective, where ISO 27001 plays an important role.

GDPR: AN INSIGHT

Firstly, we investigate the main characteristics of GDPR and key differences from previous EU directives.

1. Scope

GDPR defines how the personal data of people in the EU must be handled by organizations inside and outside the EU: the regulation applies to the processing of EU residents’ personal data even when the data controller or processor is not established in the EU. For example, any business that offers services or goods to EU residents is by definition processing their personal data and will therefore have to comply. In addition, GDPR’s definition of personal data encompasses identifiers found in social media, photos, email addresses and IP addresses.

2. Consent

GDPR has changed and reinforced the conditions of consent in that it expects clear, plain language consent from data subjects in an easy, accessible and intelligible form. Subsequent withdrawal of the consent must be as effortless as giving it.

3. Fines and Penalties

GDPR sanctions substantial fines of up to €20m or four percent of annual global turnover, whichever is greater.

4. Privacy by Design

Processes will need to be amended to consider privacy by design whereby the controller must apply adequate technical and organizational procedures to fulfill the requirements of GDPR and protect the rights of individuals (data subjects).

5. Data Portability

Data subjects have the right to receive the personal data they have provided in a structured, commonly used, machine-readable format, and to transmit it to another controller.

6. Right to Access

GDPR provides the right to data subjects to request the data controller to confirm whether their personally identifiable data is being processed, where, and for what purpose. In addition to this, the data controller must provide a free electronic copy of any personally identifiable data.

7. Right to be Forgotten

The data subject is entitled to request that the data controller erase his or her personal data, cease further dissemination of the data and have third parties halt processing of it, for example where consent has been withdrawn or the data is no longer needed for its original purpose.

8. Breach Notification

Where a data breach is likely to result in a risk to the rights and freedoms of individuals, GDPR requires mandatory notification to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the organization first becoming aware of the breach. Data processors, in turn, must notify the controllers they work for without undue delay.

9. Data Protection Officer (DPO)

It will be mandatory for some data controllers and processors to appoint a DPO: public authorities, and organizations whose core activities entail large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data.

MAPPING IT SECURITY GOVERNANCE AND GDPR

IT governance will be impacted by the requirements of GDPR but there are benefits to organizations, too. The regulations will encourage them to have a more secure data management approach in place. Compliance will require an IT governance framework to be adjusted to encompass issues such as personal responsibilities relating to data transfer, data subject consent, and privacy by design.

GDPR is not explicit on several topics, and it could take years for the legal interpretation of such matters to become clear. The first court cases will help to provide clarity. From an IT governance point-of-view, organizations should focus on the dynamics of legal, technical and organizational factors.

As discussed, GDPR introduces several privacy arrangements and control mechanisms that are intended to safeguard personally identifiable data. Many of those controls are also recommended by ISO/IEC 27001:2013, ISO/IEC 27002:2013 and other “ISO27k” standards, as well as COBIT 5.

For example, ISO27k Annex A controls such as A.18.1.4 (privacy and protection of personally identifiable information) and A.9.1.1 (access control policy) can be read as addressing privacy concerns around data transfer and privacy by design in relation to personally identifiable information.

Regarding COBIT, the IT management framework’s APO01 management practices relate to organizational structure. COBIT 5 also refers to privacy officers responsible for assessing the risk and organizational impact of privacy regulations while ensuring such legislation is adhered to. This role is similar to the Data Protection Officer (DPO) whose designation Article 37 of GDPR requires.

As discussed, the aspects of GDPR that directly concern IT security governance are varied. One of the main issues, however, will be assessing the capability of IT governance to identify and pinpoint personal data across the organization. This is a condition of Article 30, which requires controllers and processors to maintain records of their processing activities.

It is also a prerequisite for the right of access by the data subject in Article 15, the rectification of inaccurate personal data in Article 16 and the right to be forgotten in Article 17. Meeting these requirements therefore provides a good basis for readiness: organizations with good data management in place, which lets them describe the information lifecycle, will be well placed to meet most of the GDPR requirements.

To work towards ensuring compliance of their data, organizations should take the following actions:

  • Establish and locate all personal identifiable data that is within the scope of GDPR.
  • Focus explicitly on data risk management for a complete risk picture of data, using data categorization based on their processing and storage in various services and facilities.
  • Note that an effective data risk management demands a definition of adequate protection process and procedures for the various categories of GDPR data.
  • Coordinate and map data protection needs to other services and IT systems across the entire organization.

CONCLUSION

The GDPR comes into force on 25 May 2018, and the UK Government has confirmed that the decision to leave the EU will not affect commencement of the new regulation. The new rules should provide enhanced safeguarding of personal data and give data subjects more control over their data.

With a comprehensive plan in place well in advance, organizations that act as data controllers or processors will be able to ensure compliance with the new rules in a timely manner, including implementing an adequate testing period. Organizations will need to investigate their current IT security and data assurance practices to perform a gap analysis between where they are now and where they need to be by next May at the latest.

Adopting recognized standards such as ISO27001 and COBIT will go a long way towards achieving greater transparency over data, and building regular reviews into such activities will also support compliance going forward. Robust tried and tested controls will support IT governance activities and protect individuals from loss of control over their personal data, as well as businesses from financial and, not to be underestimated, reputation loss through failure to comply with the new regulations.

In our next article, we will look at other elements of GDPR: data protection by design and by default, data protection impact assessments (DPIAs), data subject consent, dealing with data breaches and the appointment of a Data Protection Officer (DPO).

via:  tripwire

Microsoft Excel is about to get a lot smarter

Microsoft Excel users rejoice. Your favorite spreadsheet is about to get a lot smarter, thanks to the help of machine learning and a better connection to the outside world.

As Jared Spataro, Microsoft’s general manager for Office, and Rob Howard, the company’s director of Office 365 ecosystem marketing, showed me during a briefing at the company’s Ignite conference today, Excel will soon be able to understand more about your inputs and then pull additional information from the internet as necessary.

“We’re pleased to introduce new data types,” Spataro explained. “That doesn’t sound all that interesting and we had this interesting discussion about what we’d name these things, but at the end of the day we realized that if you’re really an Excel wonk, the thing that you’re going to get is that there’s new data types.”

This isn’t just a feature for Excel wonks, though. In today’s demo, Spataro showed me how you will soon be able to tag a list of company names as — well — company names, for example. Once you’ve done that, Excel can pull in more information about the company from Microsoft’s Bing API, including stock data and market cap, for example. Excel can even automatically detect that a list of names is indeed a list of company names or a list of cities, for example, which then allows you to pull in population data, among other things.

“Historically, Excel has always been good at numbers and you can enter in text and use conditional formatting and things like that,” Spataro said. “We are adding the idea that Excel can now recognize data types that are richer than those two.”

In addition, the Office team is also launching a new built-in tool for Excel that will automatically try to pull the most interesting data from a spreadsheet and visualize it. “Insights,” as the company is currently calling it, is modeled on a very similar feature in the Power BI data visualization and analysis tool, and it’s worth noting that Google Sheets also offers a comparable tool. “It is meant to take any list of data and then start to generate insights,” Spataro said. “It will look at combinations, charts, pivot tables and it will recognize those that are most interesting by looking at outliers, looking at trends in the data, looking at things that represent changes.” If you like one of the graphs the service generates, you can easily import those into your Excel sheets and manipulate them to your heart’s content.

As Microsoft also announced earlier this week, Excel will soon be able to pull in machine learning models that a company’s data scientists have created to analyze information in Excel, and you can also now use JavaScript to write more complex scripts for manipulating data or pulling in data from virtually any third-party service with an API.

The new data types will launch early next year. Insights will arrive in a spreadsheet near you in early 2018.

As Spataro also noted, these kinds of connections to third-party services are what differentiate Office 365 from the perpetual versions of Office. “Services breathe new life into these applications,” he said. “We think these apps still have a lot of life in them for just working on your content, but we do believe that these connections just makes it magical.”

If you do want a perpetual license for Office, though, and not pay a subscription fee, you are in luck, because as the company also announced today, the next perpetual version of Office will launch in the second half of 2018, and, because that’s almost 2019, it will be called Office 2019.

“Cloud-powered innovation is a major theme at Ignite this week. But we recognize that moving to the cloud is a journey with many considerations along the way,” Spataro writes in today’s announcement. “Office 2019 will be a valuable upgrade for customers who feel that they need to keep some or all of their apps and servers on-premises, and we look forward to sharing more details about the release in the coming months.”


via:  techcrunch

Health sector and social media top cyber targets

The healthcare sector and social media users are popular targets for cyber attackers, a report has revealed.

Healthcare surpassed the public sector in cyber security incident reports in the second quarter of 2017, according to the latest threat report by security firm McAfee.

This is the first time in six quarters that the US public sector has not topped the list of sectors with the most security incidents.

While overall healthcare data breaches are most likely the result of accidental disclosures and human error, the report said cyber attacks on the sector continue to increase.

The trend began in the first quarter of 2016, when numerous hospitals around the world were hit by ransomware attacks.

“Whether physical or digital, data breaches in healthcare highlight the value of the sensitive personal information organizations in the sector possess,” said Vincent Weafer, vice-president for McAfee Labs.

“They also reinforce the need for stronger corporate security policies that work to ensure the safe handling of that information.”

Also in the second quarter of 2017, the Faceliker Trojan helped drive the quarter’s 67% increase in new malware samples targeting social media sites.

The second quarter of 2017 saw Facebook emerge as a notable attack vector, the report said, with Faceliker accounting for as much as 8.9% of the quarter’s 52 million newly detected malware samples.

This Trojan infects any web browser used to visit malicious or compromised websites, and then hijacks users’ Facebook “likes” and promotes the content without users’ knowledge or permission.

At scale, hijacking “likes” can make money for those operating Faceliker because the hijacked clicks can make a news article, video, website or ad appear more popular or trusted than it really is.

“Faceliker leverages and manipulates the social media and app-based communications we increasingly use today,” said Weafer.

“By making apps or news articles appear more popular, accepted and legitimate among friends, unknown actors can covertly influence the way we perceive value and even truth. As long as there is profit in such efforts, we should expect to see more such schemes in the future.”

Rise of fake news

Research has shown that around 50% of the US public regard Facebook as their main source of news, according to Jessica Barker, co-founder and socio-technical lead at cyber security consultancy RedactedFirm.

The research suggests that news on Facebook unconsciously influences the way those who consume it feel and how they see the world, she told a recent security roundtable in London.

Barker predicts that while we have seen fake news targeted mainly at politics, in coming years there will be an increasing incidence of fake news targeting corporations and key individuals.

“We really need to focus on how we can build critical thought and encourage people who create and consume news to check and verify stories,” she said.

Notable worldwide threats

Other notable cyber threat trends detailed in the McAfee report include a 3% increase in the number of publicly disclosed security incidents in the second quarter compared with the previous quarter; the fact that the majority (78%) of all publicly disclosed security incidents in the second quarter took place in the Americas; and that the health, public and education sectors accounted for more than 50% of total incidents worldwide in 2016-2017.

However, unlike the Americas, the report said the public sector led in reported second quarter incidents in the Asia-Pacific region, followed by financial services and technology. In Europe, public sector also led the sectors substantially in the second quarter, followed by entertainment, health, finance and technology.

Account hijacking led disclosed attack vectors, followed by distributed denial of service (DDoS) attacks, leaks, targeted attacks, malware and SQL injections.

There was a 67% increase in new malware samples in the second quarter to 52 million. This increase, the report said, is in part due to a significant increase in malware installers and the Faceliker Trojan. The total number of malware samples grew 23% in the past year to almost 723 million samples.

New ransomware samples again increased sharply (54%) in the second quarter, while the number of total ransomware samples grew 47% in the past year to 10.7 million samples.

Total mobile malware grew 61% in the past year to 18.4 million samples. Global infections of mobile devices rose by 8% in the second quarter, with Asia again leading the regions with 18%.

With the decline of adware, Mac OS malware has returned to historical levels, growing by only 27,000 in the second quarter. This is still small compared with Windows threats, as the total number of Mac OS malware samples increased by just 4% in the second quarter.

New macro malware rose by 35% in the second quarter, and 91,000 new samples raised the total overall sample count to 1.1 million.

The botnet Gamut again claims the top rank in volume during the second quarter, continuing its trend of spamming job-related junk and fake pharmaceuticals. The Necurs botnet was the most disruptive, pushing multiple pump-and-dump stock scams during the quarter.


via:  computerweekly

More hospitals in APAC adopting IT to bolster patient care

Healthcare providers in the APAC region are looking to the cloud and big data analytics to enhance services and lower cost.

Around 30,000 hospitals have deployed healthcare IT in the Asia-Pacific (APAC) region to date – a number that is set to grow significantly in the coming years, thanks to the rise of India and other ASEAN nations as medical tourism destinations.

In addition, countries such as Australia, Japan, Singapore and China are already digitising healthcare services in public and private hospitals through healthcare IT. Such digitisation efforts will go a long way in building healthcare data repositories that can be shared at national levels through data exchange platforms.

With better access to data, healthcare service providers can reduce operational costs, improve patient care and enhance the productivity of healthcare workers. The benefits of healthcare IT can be realised through five key areas: interoperability, cloud adoption, big data, patient engagement and security.

The interoperability of health data is necessary to ensure the authenticity and integrity of exchanged data. More than 80% of hospital IT decision makers agree on the importance of technology that fosters data interoperability.

Hospitals in APAC are likely to invest more than $400m in health data continuity by 2021, in efforts to reduce costs related to data redundancies, provide easy access to patient information, and eliminate duplicate medical tests for patients.

Cloud adoption and big data

Investment in cloud services saves significant costs for hospitals because on-premise IT systems can be costly.

Across the region, more hospitals are deploying software as a service (SaaS) to reduce IT expenses and promote interoperability, as well as to provide updates on patient conditions to their families.

According to Frost & Sullivan research, almost 90% of hospital IT decision makers plan to invest in cloud services in the next three to five years. These investments in the APAC region are expected to generate around $2.5bn in revenue for healthcare IT suppliers in the next three years.

Besides enhancing operational and financial efficiencies of hospitals, big data analytics in the context of healthcare IT uses predictive models based on health data from medical records and other data sources to generate treatment guidelines.

Almost 52% of hospitals in APAC are planning to invest around $2.5bn in big data and analytics tools in the next two years.

Patient engagement and security

Patient engagement encourages patients to manage their own health through clinical and entertainment platforms, and aims to inculcate positive behaviour in patients.

Over 63% of hospitals in APAC are planning to roll out patient engagement tools, such as mobile apps that are connected to electronic health record systems, wearables and online platforms that enable patients to schedule appointments. Spending on patient engagement applications and platforms will reach $2bn by 2021.

Meanwhile, security is a growing concern for the entire healthcare industry. Primarily, providing access to healthcare data through employee devices such as laptops and smartphones is creating data security challenges for hospitals in the APAC region.

At present, few hospitals are deploying blockchain technology to secure patients’ health data. Healthcare organisations in APAC are likely to invest around $500m by 2021 to secure patients’ health data and prevent possible data losses that might occur due to cyber attacks.


via:  computerweekly

5 common HIPAA compliance pitfalls for healthcare orgs to avoid

Healthcare attorney Matthew Fisher on how providers can work toward better compliance policies and avoid common mistakes.

HIPAA compliance pitfalls

“As soon as you identify issues that could turn into problems, you have to seek help. And don’t try to do it alone,” said Matt Fisher at the HIMSS Security Forum in Boston.

For a healthcare organization to be HIPAA compliant it needs to ensure the right patient controls and rights are in place when it comes to protected health information. But in an age where cyber threats are growing in both sophistication and proliferation, it adds a level of complexity.

HIPAA was established before these cyber threats became such an issue, which can cause some challenges with trying to keep up, said Matt Fisher, partner with Mirick O’Connell, in opening the HIPAA compliance session at the Healthcare Security Forum on Monday.

“The best thing an organization can do is try to stay ahead of the issues,” Fisher said. “As soon as you identify issues that could turn into problems, you have to seek help. And don’t try to do it alone.”

In fact, it’s cheaper to take care of issues up front than to try to fix them after an incident has occurred, explained Fisher. Some of Fisher’s clients have attempted the latter route, but the thought process is flawed due to healthcare’s “particular issues and nuances that can cause an organization to foul up.”

For Fisher, there are five large challenges when it comes to ensuring HIPAA compliance.

Firstly, many healthcare providers make the mistake of assuming general insurance is enough to cover cyber incidents. But Fisher said that’s simply not the case.

“Your coverage is based on the premium you pay. When you have general coverage, it’s meant for the other areas of your organization,” said Fisher. “Cyberattacks are also a near-certainty at this point, and the insurance company will only make a profit by holding onto money.”

As a result, general insurance isn’t enough. Fisher said insurance companies are still developing their own models for what they will offer for coverage.

“If you’re not fully accurate in what is covered by your policy, you’re wrong about your organization’s security efforts,” said Fisher.

Part of that is performing a risk assessment across the organization — and not attempting to go it alone, said Fisher. When reviewing systems and activities, it’s best to blend outsourcing and insourcing to make sure the assessment is done correctly.

Social media is another area where organizations need to have a plan to make sure all communications are HIPAA compliant. Fisher explained that providers need to have a plan and can’t go into using social media platforms haphazardly.

“As much as social media is just another form of communication, you can always make a misstatement,” said Fisher. “The difference with social media is that once you put something out there, it’s impossible to get it back. Even if you delete it, it can be archived somewhere.”

“It’s about thinking through the different elements to make sure you’re doing what you need to do,” he added. “If you actually think about what you want to do and get the right people involved, you can make a positive impact.”

Another consideration is with business associate agreements. Fisher said he still hears from clients who admit they haven’t read the document before signing. But the issue is that the “BAA is a legal contract — and you’re obligated to comply.”

State laws should be considered, as well.

Providers also often fall victim to vendors that claim to be ‘HIPAA-certified.’ But here’s the problem: These companies are deceiving organizations, as “there’s no such thing as being designated HIPAA compliant or certified. A product, by itself, cannot be compliant,” said Fisher.

“HIPAA applies to covered entities and business associates,” said Fisher. “Relying on statements from vendors will just lead you into trouble… Security can be an issue, and there will be troubles that arise, but you always have to ask questions.”


via:  healthcareitnews

Cardiac Scan Authentication; Your Heart As Your Password


Forget fingerprint authentication, retinal scanning or advanced facial recognition that has recently been implemented by Apple in its iPhone X—researchers developed a new authentication system that doesn’t require any of your interaction, as simply being near your device is more than enough.

A group of computer scientists at the University of Buffalo, New York, has developed a new cardiac-scan authentication system that uses your heart’s shape and size as a unique biometric to identify and authenticate you.

Dubbed Cardiac Scan, the new authentication system makes use of low-level Doppler radar to wirelessly and continuously map out the dimensions of your beating heart, granting you access to your device so long as you’re near it.

In simple words, your office device should be able to recognize that it is you sitting in front of the computer and sign you in without any password or interaction, and it should automatically log you out if you step away from your computer for a lunch break.

According to the researchers, your old ticker’s shape and pulsations are unique, which makes them useful for identifying you, authenticating access, unlocking devices, and so on.

The researchers said your heart’s shape and cardiac motions are unique and only present in a person who is alive, and therefore are harder to spoof than fingerprint or iris scanners, making Cardiac Scan a reliable way to identify you, authenticate access, or unlock devices.

“No two people with identical hearts have ever been found. And people’s hearts do not change shape unless they suffer from serious heart disease,” Wenyao Xu, lead author on the paper and assistant professor at University of Buffalo’s department of computer science and engineering said in a Monday press release.

The Cardiac Scan system takes about 8 seconds to scan a heart for the very first time, and after that, the system continuously recognizes your heart, making sure another user has not stepped into your device.

To test their radar design, the researchers conducted a study on 78 people and found that their Cardiac Scan system scored a 98.61% balanced accuracy with an equal error rate (EER) of 4.42%, proving that it is a robust and usable continuous authentication system.

When talking about potential health effects of the heart scans, the team said the strength of the signal is much lower than that of Wi-Fi and of the radios in smartphones (whose exposure is measured as specific absorption rate, SAR), and therefore does not pose any health concern.
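The two figures quoted above, EER and balanced accuracy, are derived from a matcher's similarity scores. The following is an added example (not the Cardiac Scan authors' code or data) that computes both from constructed score samples and adds a lockout rule for the continuous re-authentication mode the article describes; the score values and the three-miss tolerance are assumptions.

```python
# Added example, not from the Cardiac Scan paper. Scores are constructed;
# higher score = better match to the enrolled heart signature, and a
# sample is accepted when score >= threshold.

def rates_at_threshold(genuine, impostor, thr):
    """False accept rate (impostors let in) and false reject rate
    (legitimate user locked out) at a given acceptance threshold."""
    far = sum(s >= thr for s in impostor) / len(impostor)
    frr = sum(s < thr for s in genuine) / len(genuine)
    return far, frr

def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (eer, threshold) where FAR and FRR are closest. A lower EER means the
    genuine and impostor score distributions overlap less."""
    best = None
    for thr in sorted(set(genuine) | set(impostor)):
        far, frr = rates_at_threshold(genuine, impostor, thr)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, thr)
    return best[1], best[2]

def balanced_accuracy(genuine, impostor, thr):
    """Mean of true-accept and true-reject rates, so the imbalance between
    one genuine user and many impostors does not inflate the number."""
    far, frr = rates_at_threshold(genuine, impostor, thr)
    return 1 - (far + frr) / 2

def continuous_session(scores, thr, max_consecutive_rejects=3):
    """Continuous-authentication lockout: the session stays open until
    max_consecutive_rejects successive windows score below thr (the user
    walked away or someone else sat down). Tolerating a few misses keeps
    the FRR from locking the real user out on every noisy window.
    Returns the index of the window that locked the session, or None."""
    misses = 0
    for i, s in enumerate(scores):
        misses = 0 if s >= thr else misses + 1
        if misses >= max_consecutive_rejects:
            return i
    return None

# Constructed score samples: one enrolled user against several impostors.
GENUINE = [0.9, 0.85, 0.8, 0.75, 0.7, 0.6, 0.55, 0.4]
IMPOSTOR = [0.1, 0.2, 0.3, 0.35, 0.45, 0.5, 0.65, 0.2]

if __name__ == "__main__":
    eer, thr = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER {eer:.3f} at threshold {thr}, balanced accuracy "
          f"{balanced_accuracy(GENUINE, IMPOSTOR, thr):.3f}")
    print("locked at window", continuous_session([0.8, 0.7, 0.5, 0.9, 0.3, 0.2, 0.1, 0.9], thr))
```

On these constructed scores the EER is 12.5% at a threshold of 0.55; the paper's 4.42% EER means the operating point where impostor acceptance and genuine rejection are equal is far lower, but any deployment still has to pick which of the two errors it would rather make.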

“We are living in a Wi-Fi surrounding environment every day, and the new system is as safe as those Wi-Fi devices,” Xu said. “The reader is about 5 milliwatts, even less than 1 percent of the radiation from our smartphones.”

Currently, Cardiac Scan is not practical to use because of its size, but the team of researchers hopes to shrink it to the point where the system can be installed into the corners of computer keyboards and smartphones.

However, there are some privacy and security concerns over the technology, such as the fact that anyone can unlock your computer or smartphone as long as you are standing near the device. Another concern is that the device may end up not recognizing a person if his or her heart has changed due to heart disease.

For more technical details, you can head on to the research paper [PDF] titled “Cardiac Scan: A Non-Contact and Continuous Heart-Based User Authentication System.”


via:  thehackernews