‘Orangeworm’ the new superworm hacking group that’s targeting healthcare

Hacking activity targeting the healthcare sector continues to rise.  New security research just released by Symantec has identified a global hacking group called ‘Orangeworm’.  Though its targeted victims accounted for a small number of organisations in 2016 and 2017 (mostly in the USA and Asia), some were identified as being based in Europe.  Analysis by industry has revealed that the healthcare sector is Orangeworm’s primary target, with 39% of hacking outcomes manifesting themselves in this data rich sector which includes hospitals and pharmacies.

Symantec said, “Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack”.

Orangeworm’s wormable trojan, named ‘Kwampirs’ is able to vet the data to determine if the computer is used for research, or contains high value data targets eg. patient information.  The Kwampirs then create a backdoor on compromised computers, enabling the hackers to remotely access equipment and steal sensitive data – and Orangeworm survives reboots.

The trojan worm has a penchant for machine software on critical hospital equipment which includes kit like x-ray machines and MRI scanners, as well as machines used to assist patients in completing consent forms.  If the ‘victim’ computer is of interest, the malware then “aggressively” spreads itself across open network shares to infect other computers within the same organisation and uses built-in commands to grab data. This includes “any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.”

The supply chain is a key part of this vulnerability funnel, with targets including manufacturers providing medical devices and technology companies offering services to clinics, plus logistics firms delivering healthcare products.

Director of Technology, Security & Governance, JP Norman advises:  “Ensure your anti-malware provider can detect Kwampirs activity and to prevent and detect an infection, ensure that:

•        A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
•        All operating systems, anti-virus and other security products are kept up-to-date.
•        All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
•        Strong password policies are in place and password reuse is discouraged.
•        Network, proxy and firewall logs should be monitored for suspicious activity.
•        User accounts accessed from affected devices should be reset on a clean computer.”

Sales Director, Les Keen added, “Where there is the option for healthcare / supply chain organisations to prioritise IT funding, updating the Operating Systems is a primary, as is ensuring a strong and regular policy on Patch Management.  Our Sales and Security teams  are always on hand to review and audit organisational IT infrastructure and offer holistic remediation advice as part of our security readiness programmes.  Just call us on +44 2380 429429”.

 

MS Office 365 cleared for email use in the NHS

Microsoft has been confirmed as the first non NHS organisation to pass the high bar of ISB 1596 requirements for data handling.  Their Outlook application in Office 365 has passed the English Health and Social Care Secure Email ISB 1596 standard, published in February 2014.  This allows Outlook, in Office 365, to be used for emails containing personal and sensitive data including patient data.

The ISB 1596 standard provides a set of rugged, independently audited governance and compliance controls which affirm that data, which can identify a person, can be safely transmitted by staff following correct data handling procedures.

As public sector general manager at Microsoft UK, Derrick McCourt commented:  “Microsoft is pleased to have worked with the Health and Social Care Information Centre to meet this standard”. 

Up until now NHSmail has dominated the NHS and sister organisations as the main customised secure email software for healthcare, meeting government standards around patient and confidential data.  In June, the Department of Health announced that Accenture had won a £350m contract with the Crown Commercial Service to supply a new email system, dubbed NHSmail2.

This is an important step for Microsoft allowing them to access one of the largest organisations in the UK, made sweeter after their loss to rival Google over supplying internal apps within HMRC.  However, the commercial impact is great for health or social care organisations.  Primary and secondary care organisations including GP practices and hospitals, will now be able to access a more competitive market, leveraging substantial cost efficiencies of Microsoft Office 365 email, whilst remaining safe in the knowledge they are compliant with this standard.

JP Norman, Head of Technology & Governance, commented: “This accreditation will allow already challenged NHS organisations a third alternative for email systems. Selecting Office 365 Email would potential remove a considerable amount of effort for any NHS organisation that does not wish to move all email to NHSmail.   Up until this point the only two choices were migrate all email to NHSmail or ensure local email solutions meet the ISB 1596 standard by June 2016.  In May 2014 NHSmail had a total of 938,592 registered mailboxes and generic accounts with 618,806 person accounts in regular (daily) use within the NHS of which 91,029 were in Scotland. 445 organisations and many thousands of GP Practices use it as their sole email service (more than 70% of their accounts active), with another 723 organisations using it to a lesser extent. Having choice in this part of their service administration is a luxury these health workers have not been afforded before now”.

Les Keen, Director of Sales at Amicus ITS, commented on this new opportunity:  “It is an important win for Microsoft getting Office 365 Email accredited for patient data transmission.  It will open up many opportunities for MSPs serving the healthcare space.   From our point of view, the timing could not be better for Amicus ITS.  We have a well-established, fully scalable Cloud Services Framework that we offer http://goo.gl/SOFmLV, but excitingly we are just about to launch a brand new service called “Cloud First”. This is a complete IT support service model for SMEs, offering a simple £100 cost per user for 5 – 150 staff”. 

“Cloud First would be absolutely ideal for GP practices, especially given our accreditation and history of service in the healthcare sector”. 

Cloud First service summary:
• Office 365
• UK based IT Service Desk support from trained technical staff
• Any device, anywhere support
• 1 Tb data storage per user
• Upfront Service Level Agreements

Anyone interested in discussing Cloud First or speaking to any of the G-Cloud Team can call 02380 429429.

office-365-logo_gallery-100266091-large

This week’s technology news – 19th September 2014

Heavyweight US auditors report glaring holes in US healthcare website security
It will come as no surprise that a government website is a leviathan and complex structure, often leaving much to be desired from a user friendly point of view.  However, one will always hope and demand that such a public body website is at least safe to use.

This was not the case, as the Government Accountability Office found with HealthCare.gov, run by “CMS” (Centers for Medicare & Medicaid Services) in the US.  “Technical controls protecting the confidentiality, integrity and availability” of data, were found to be lacking.  In particular, they identified the operator’s failure to enforce strong passwords, implement software patches and properly configure the administrative network for the “Federally Facilitated Marketplace” (FFM) – this being the area where US citizens buy their health insurance.   Whether or not the end user dislikes eight or more character passwords, it remains a base necessity, until tighter personal verification procedures are deployed like biometrics eye, fingerprint or vein scanners as we have documented recently.

With more than $500m spent to date on the site’s construction however, public sympathy will be hard to find.  At its core, secure network connectivity, authentication procedures and threat and vulnerability management must form the base strategy of any good governance plan going forwards.  Public sector bodies, like many large and long established organisations, whichever side of the Pond, are often burdened by complex legacy systems (in this case backend integration connects the federal site to federal agencies, state governments and insurance companies). So, a central part of any security review should seek to work towards simplification of the IT infrastructure to make it more manageable in future, rather than just adding more sticking plasters and spending on quick fixes vs a long term solution of commercially construed investment and the chance to regain trust with its public.

KPMG id’s the most disruptive IT trends
In KPMG’s Global Technology Innovation survey of 768 technology business leaders, respondents reviewed disruptive trends across technology and identified the Internet of Things (IoT), 3D printing and biotech (healthcare IT), as the top three most likely to impact on the way people work and live over the next three years.  This is more than double the number of responses to these topics in KPMG’s 2013 survey.

Other technologies identified as most likely to transform enterprise included: mobile, cloud computing, big data analytics, digital currencies, artificial intelligence and autotech.

ABI Research in New York estimate that there will be 40 billion active wireless-connected devices by 2020, more than double the present number.  ABI Research also predict that this explosion will be driven by IoT (Gartner estimated that IoT would drive increased installation to a lower figure of 26 billion units).

It is the risk factor associated with disruptive technologies that is challenging swifter adoption by businesses.  However, analysts anticipate that those companies prepared to gamble will be the ultimate winners.  Business leaders in the survey believed that so-called ‘intelligent shopping’ has the greatest potential to generate revenue because of IoT (20%) – as devices communicate with each other. Respondents also suggest home automation (14%), and surveillance/security and social interaction (12% respectively), will also act as revenue drivers in the next three years.

Digital currency Bitcoin, was also identified as one of the emerging technologies most likely to impact on business between now and 2017. However, geography played a massive part in differentiating countries anticipation of wider exploitation of this method of payment:

 Europe (32%)    America (15%)    China (70%)

Counterpoints to advances will always exist and those cited most commonly as likely to limit or constrain innovation were :
• Restrictive regulatory policies – 34%
• “Consumer fatigue” – 29%
• ROI – 27%
• Security – 27%
• Technology complexity – 22%
• Customer adoption – 21%

Rome was not built in a day, but the end user has come a long way and fast in technology.  With such a crowded marketplace, official standards will be required with the IoT (see 4th July 2014 blog) and growth and opportunity for MSPs and providers will come through intelligent mapping and strategy, with the winners including good governance in their plans.


UK No. 3 in world connectivity rankings but can we stay at the top?

Fast and reliable internet connectivity has long since moved from being a luxury to an absolute necessity. Being able to connect instantly to customers, providers and partners is vital in today’s economy.

A newly released study from major Asia telecoms manufacturer Huawei, has ranked countries by score on internet connectivity. This is not just wired broadband connections, but access to high speed mobile internet on smartphones. From these scores, the UK has been ranked third  worldwide, just behind the USA with Germany taking the top spot.

Specific industry sectors are driving the growth of connectivity more than others including; finance, education, oil and gas and manufacturing.   The impact of better internet connectivity was also attributed as being directly linked to the GDP growth of each country, varying from 1.4% to 1.9% per capita and Chile and Kenya scoring very highly because of their relative scales of investment in telecoms infrastructure.

Whilst being ranked third worldwide in connectivity is definitely something for the UK to be proud of, we are still faced with the legacy of BT having an unreasonable monopoly still on infrastructure provision. This is different to the slightly more competitive market in Germany and a far more competitive landscape in the US. The effect may be to restrict the wider enablement of businesses long term in being able to compete if we are to count it on a truly nationwide basis vs the continual plugging of high speed connections to our main City hubs.  With faster and more accessible access to high speed internet comes greater opportunity for our country in the future.  We cannot rest on our laurels though; the majority of the UK score comes thanks to its current connectivity, with a smaller portion dedicated to Growth Momentum.  There is still an urgent need for deep investment and a level playing field in both wired and wireless to keep on top of the game – and for that the Government and regulators are the only ones able to change the landscape.

The rise and fall of Smart Phone sales
Many things in the world of technology change at a rapid pace, with fierce competition in development of new, innovating hardware and software enabling new devices to come out of a left field, taking many by surprise. Some trends however stay fixed. Apple announced the iPhone 6 and iPhone 6 Plus last week on schedule, taking no one by surprise. This week Apple announced another pre-order record for both smartphones topping over 4 million pre-orders so far. This yearly event is naturally a big deal for phone networks and retailers, with all taking pre-orders, including independent mobile phone retailer Phones 4u.

This week Phones 4u, despite financial stability and plenty of pre-orders for the iPhone 6 went into administration. This comes from the unexpected news, for Phones 4u at least, that both Vodafone and EE (parent company of both Orange and T-mobile) would not be renewing contracts, preventing Phones 4u to sell subsidised phones on their networks. Earlier this year O2 pulled support, which would have left them only able to sell Virgin mobile contracts.

So why would all the major UK network carriers pull out of what appeared to be a successful partnership? The allure of higher profit margins is likely to be the top reason. Selling phones exclusively direct forgoes splitting profits with an independent. Back when Phones 4u opened shop in 1996, splitting profits made a lot more sense to expand reach and brand awareness.  But the mobile industry is a very different beast today, with the only players left being giants. In addition new strategic partnerships, such as rival Carphone Warehouse and Dixons increasing their already dominant high street presence, made Phones 4u the weaker of the two to attack.

Carphone Warehouse despite its stronger position is likely to be doing its best to secure future contracts on a longer term basis and evaluating alternative strategies just in case. A stronger emphasis on non-network subsidised plans and its own phones services is a better tactic. The closing of Phones 4u will mean less competition and potentially higher prices when buying contracted phones from your network carrier of choice. When you contract is up for renewal, consider buying your phone separate to your phone plan as now more than ever, this will likely be the more sensible route going forwards as the US model is showing.

iphone6

 

This week’s technology news – 22nd August 2014

Cloud savings for all

Cloud storage has always had its advantages over traditional options but price was often a premium. Thanks to heavy competition from providers both big and small, the cost per GB has been falling steadily over the last few years with some sharper drops being made recently. With price options now a relatively non-issue, the balance of pros and cons to cloud storage now sit very comfortably on the pro side of the scale.  Non-cloud setups now have one less obstacle to worry about when moving to Cloud, whether completely replacing their existing solution or as a hybrid.

With less focus on cost therefore, it is now much easier to have a clear discussion on the true flexibility and benefits Cloud can offer over traditional storage solutions. As adoption increases, so will employee expectations of having their data available via the web and mobile, but most importantly, securely. With a lower bar of entry, cloud adoption is likely to be boosted. Gartner predicts half of large enterprises will be using hybrid cloud deployments by 2017.

So the question that needs to be asked is – if you are not on cloud yet, why not?

US healthcare data hacking on vast scale revealed

Community Health Systems (CHS), the second largest hospital chain in the US running 206 hospitals in 29 states,  confirmed this week it had been hacked with a systems breach and the theft of personal data for 4.5 million people as a result of the Heartbleed flaw.  The open SSL code run by Jupiter for CHS which would normally scramble sensitive data proved ineffective against Heartbleed and despite fixes being issued, proved too late to stop what appears to be one of the largest known worldwide data breaches.

Back in April, UK’s Mumsnet had 1.5 million members details exposed whilst the Canadian tax authority, The Canada Revenue Agency, had 900 people’s social insurance numbers stolen and these two incidents were the previous “world record holders”.  The Heartbleed bug allowed names, phone numbers, addresses, and social security numbers to be stolen.

It is understood that the same malicious players have been targeting companies in the healthcare and medical device industry to gather intellectual property data.  A new report by Gartner has shown that worldwide spending on information security is estimated to reach US$71.1 billion in 2014, an increase of 7.9% over 2013 as organizations adapt to the growing threat of cybercrime. This is expected to rise further to 8.2% in 2015 and reach $76.9 billion, with a greater reliance on mobile, cloud and social platforms with greater reliance on mobile, cloud and social platforms. Gartner estimates that more than 30% of security controls used by small or mid size organisations will be Cloud based by 2015 and drive the use of security technology through 2016 and beyond.

Fixing this healthcare breach (believed to have originated in China) is one thing, fixing the trust with the patients involved is another and whilst neither medical nor financial data is believed to have been accessed, it once again highlights the imperatives for organisations to ensure their data is secured and protected as the sheer volume of bits of data to be managed, wherever it is held, increases exponentially year on year.

Met Police want lock down on phones

The Met in London are seeking pre-set pin locks from manufacturers to secure mobile phones, installed pre-sale at the factory, as a deterrent to the high numbers of mobile thefts.   Their research reveals that three in five people do not set a pin code lock of any kind on their phone. This leaves a user exposed to the theft of personal (or corporate data depending on the use of the device), plus the potential for expensive bills to be run up from web downloads without them knowing.  If factory set, it would also ensure that devices bought online vs from high street retailers would similarly benefit from the security layer.  Apple’s Activation Lock has produced results which show direct falls in crime as a result of its activation.  Whilst hopefully a factory code would be randomised already, the UK Mobile Phone Crime Unit (NMPCU) comment that they would encourage users to set their own memorable personal code thereafter (though not a generic ie. 1234 or 1111).   Previously, such lazy security enabled journalists from the News of the World to hack data of celeb mobiles as well as listen to their voicemails.  Opting-out vs opting-in is always going to be a better route to maintaining adoption for security measures – and anything that thwarts unauthorised use exposing consumers and companies to risk is to be lauded.

Don’t just miniaturize for mobile

When creating content for smart phones it can be easy to think; “Let’s take what we have on PC and shrink it down to fit on Smartphones” but this approach is rarely the best. Whether it is a website or an app, taking a step back to re-think how to best display content is key.   True, smartphones have a lot smaller displays than PCs but they also pack their own tricks often not seen on their bigger brothers such as GPS location, cameras, touch screen, accelerometers and more.

Mobile users often have lots of frequently used Apps installed on their device so breaking this behaviour to add your own app into their stable can be challenging. The key is not to replicate, but to create something unique for the platform, redesign your user interface (so all vital info can be seen once the app is launched) – and don’t be afraid to use sensors such as GPS to detect a device’s location and deliver relevant information (this can also be combined with a QR code scanner in-app to quickly load relevant information of a product or service).

As smart as you can make your app by taking advantage of the devices smart features, it can also be too easy to go overboard.  One area in particular where having restraint will be appreciated by your users is push-notifications. Don’t bombard your users with pop-up messages – or they are likely to delete your app, no matter how smart, instead of turning the feature off.

Google Glass gets The Minority Report feel

One of the main obstacles to wider adoption of Google Glass has been the awkward control methods, however that may be in the past with the introduction by US Thalmic Labs of muscle sensor armbands to the technology. The new enterprise has integrated its clever wearable sensors with Google Glass, Epson Moverio and Recon Jet. The net effect is that users can quickly flick through documents, contacts and apps with subtle hand and finger gestures vs tapping the Glasses at the side of the head and fiddling with a tiny trackpad.  With this practical physical change, wider adoption by industry could be faster than anticipated and could make wearable technologies a relied on technology vs a curiosity at present.

This week’s technology news – 21st March 2014

Microsoft Office on an iPad near you soon
The first press engagement next week for new Microsoft CEO Satya Nadella, is rumoured to include an announcement for the long-awaited launch of an Office application for iPad.  Any misgivings internally about this move weakening the Windows platform is put into context when set against the estimated gap in revenue that this dedicated app would bring of around $2.5 billion per year.  Microsoft seem intent to ramp up the software onto as many platforms as possible having released applications onto iPhone, OneNote, Sky-Drive and Outlook for the iPad. 

Innovative evolution for wearable technology in US healthcare pilot
Wearable computing has moved one step further with the employment of Google Glass in a small pilot at the ED of Beth Israel Deaconess Medical Centre in Boston, USA.  Clinicians wearing unmissable orange specs, would glance at a bar code or QR code and receive patient details, location, lab results and other data through the glasses during examination.  The real time access to patient data through the glasses proved effective and life-saving during the pilot.  Concerns about data security were satisfactorily answered with data being held behind the BIDMC firewall and patient reaction and clinician usability both got approval.  With further testing ongoing, for limited or summarised information, the glasses have proved an effective compliment to current desktops and iPads in speeding up clinician workflow and enabling them to work hands free. The results will be closely monitored.  The potential for wider adoption across the US and internationally is tantalisingly close, whilst the use of tablets in healthcare may see a decline if it takes off.


Google Glass for clinicians
Google Glass for clinicians

The path of data security is never smooth

4th largest supermarket Morrisons, already facing a tough time in the UK press last week after announcing a sharp fall in profits, promptly endured a major security breach from a disgruntled employee, who published the payroll details of 100,000 of the company’s employees on a website including names, addresses and bank details.  Clearly, the need to secure confidential data from rogue internal use vs the cybercriminal bogeyman is less comfortable, but of equal necessity to firms.  This could have been the end of it, but perhaps the final lesson in what not to do, came with the retailers choice of messaging to inform and reassure staff about the data breach via social media behemoth, Facebook.  In this digital age, HR departments have the powerful and certainly more private tools of email and text to communicate private messages to staff. Perhaps if they had done this, it would have kept the last vestiges of their laundry from being aired quite so publicly.

Google – to infinity and beyond for mobile technology
Google has created an Android Wear mobile operating system to power smart watches. This smart strategy ties in with its move into robotics, Google Glass and data analytics.  As intelligence conjoins through Google Now, the company’s PA software, this helps inform and interact with the user to provide a more effective experience for the information and services received.  Globally, this strengthens Google’s wearable technology offerings promised in 2014, but they will not be on their own, as Motorola has announced it is launching the Moto 360 smart watch to run on Android Wear too.  Working with several consumer electronic partners including Samsung, Motorola, Asus, LG and HTC, plus chip makers, Google is ensuring that if it builds out this particular technology wardrobe, that it wants its software across as many devices as possible as the Android platform goes beyond today’s smartphones and laptops.

EE paves the way for changing operations for NHS Trust

Faster mobile connectivity using 4G has transformed mobile working efficiency for Berkshire Healthcare NHS Foundation Trust. Serving a population of 900,000 and employing 4,000 members of staff over 100 trust sites, home visits placed enormous demands on healthcare workers trying to manage their time during and between appointments. Previous attempts by the Trust to use 3G failed, due to slow and unreliable connections where healthcare workers needed to check and update patient records “live”. The new technology uses speeds five times faster than 3G and nurses armed with laptops and Mi-Fi devices can now see one or two extra patients every day from time savings. However, it was not only the technical impact that has resonated with the Trust. After the initial investment, training and deployment, nursing staff have been able to increase the quality of time with their patients which is a key Trust priority. Schemes like this are likely to rise as MSPs and their healthcare clients seize the opportunity to roll out pilots, where success can be better measured and risk minimised whilst outcomes are assessed.

This week’s technology news from Amicus ITS – Friday 21st June 2013

ATIV_Q

There’s no appathy in healthcare
There are estimated to be 40,000 healthcare apps for smartphones and tablets. The market for healthcare apps is estimated to be worth $400m by 2016. Few doubt delivery of clinical care management and diagnostics will increasingly engage with this technology (some 62% of US doctors had some form of tablet in 2012). Apart from obvious cost reduction opportunities, apps offer UK healthcare providers and the mobile care workforce improved patient visit time and reduce lengthy paperwork duties. The benefits of remote monitoring of drug delivery, tracking patient welfare, calibration of devices etc. are all positives. Enabling the mobile workforce is critical, it just needs to be aligned to proper security and governance policies measures.

Dawn readiness for cyber attack
Quantum Dawn 2, a planned simulated cyber attack, is to be held later this month in the States amongst selected Wall Street firms and government agencies. The initiative is a bid to identify flaws which could otherwise cripple the nation’s economy. Attempts by hacktivists last year caused US banks to put aside their normal rivalries for the common good of sharing defence mechanisms and outcomes. Gartner believes that all firms should undertake regular drills on Distributed Denial of Service (DDoS) to confirm continuity of phone and email communications to fully flex their DR and protection plans. This is something that more firms would be well advised to undertake.

Samsung ATIV Q: Windows 8 and Android all in one
Today at the Samsung Premiere several new mobile devices were unveiled. One of the most interesting is the Samsung ATIV Q. At first glance it looks like any high-end tablet but its party trick may turn a few heads. Running both Windows 8 and Android, users get the benefit of all their legacy Windows applications, as well as Microsoft’s own modern tablet Apps in addition to the full catalogue of Android Apps. No reboots required, you can pin Android Apps to the Windows 8 start screen and vice versa. Making for a versatile tablet. Whether Samsung has a true market winner on their hands has yet to be seen, but the full breadth of App compatibility this solution offers, should bring the ATIV Q in to your consideration list for your next business tablet.

Big companies reveal US government data requests
Further to recent news stories around ‘Prism’ (US Government surveillance programme on users data), IT big names including Microsoft, Apple and Facebook have revealed how many requests for users data they receive. Microsoft confirmed over 30,000 requests in the second half of 2012, Apple had 5,000 requests and Facebook 19,000. When these requests come in companies have a legal obligation to pass over information stored on their servers. The exception is services like Apple’s iMessage which use end-to-end encryption. Even Apple themselves are unable to unencrypt this data and so it cannot be handed over. Although these figures are alarming at first, Apple stated the majority of cases are from police and the data used assisted searches for missing children, locating patients with Alzheimer’s and preventing suicides.