Yet another NHS cyber-vulnerability: fax machines

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2018/08/attackflow1.png” thumb_width=”250″ /]Now fax machines are hackable, say the white hats at Check Point Research. Your GP or doctor thinks they are safe, but their protocols haven’t been updated since the Big ’80s. Check Point found that all a hacker needs is the fax number to hack into one. 

The ‘how to’ is in the article. New ‘all in one’ printers which are connected to phone lines and wirelessly to networks can receive a malicious fax as an entry point into the network. Data is then exfiltrated through another fax as illustrated above left. Check Point’s study cited the HP OfficeJet Pro All-in-One fax printer but others would be vulnerable as well. Online electronic fax numbers may also have problems.

NHS’ census, released via a FOIA request, indicates it uses 9,000 fax machines. NHS has minimized the risk they present. HP has since issued security updates for its fax printers. Also Digital Health. 

The cybersecurity black hole–and bad flashback–that is the Internet of Things

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2016/10/blackhole_596.jpg” thumb_width=”150″ /]One week after the Dyn DDoS attack, the post-mortems get more alarming. Our Readers knew they were coming in 2014-2015 (our ‘Is IoT really necessary–and dangerous?)

IoT devices, and a lot of older networked medical devices, have been proven to be easy to hack, as even this non-ITer, non-codegeek realized then. But those in tech have been to this movie before–with Bluetooth circa 2002! Now shouldn’t designers have learned? From ZDNet:

“It’s almost like we’ve learned nothing from Bluetooth” says Justin Dolly, CISO at cybersecurity firm Malwarebytes.

“Seeing what these IoT vendors are doing, it just blows me away because they haven’t learned from history,” says Steve Manzuik, director of security research at Duo Security’s Duo Labs. “They’ve completely ignored everything that’s ever had bad vulnerabilities”.

Many of these devices, according to these experts, have default log in credentials, if they have them at all. IoT devices are also allegedly findable on a snoop site called Shodan. Reason why: the financial and market need to get products out fast and cheaply.

Over at data security company Varonis’ blog, with the great title in part, “Revenge of the Internet of Things”, another succinct and telling quote:

Once upon a time in early 2016, we were talking with pen tester Ken Munro about the security of IoT gadgetry — everything from wireless doorbells to coffee makers and other household appliances. I remember his answer when I asked about basic security in these devices. His reply: “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”

Privacy by Design is not part of the vocabulary of the makers of these IoT gadgets

Varonis also gives a how-to on changing settings in your router so you don’t become a victim, and how to secure your gadgets.

Bottom line: when Hackermania is Running Wild, do you, or anyone, really need to be an early adopter of an internet- connected coffee maker or fridge? And if you need internet-connected home security, telemedicine virtual consults, telehealth/remote patient monitoring or telecare….best heed Varonis and secure it!

Earlier in TTA: Friday’s cyberattack is a shot-over-bow for healthcare 

UCLA Health data breach may affect 4.5 million patients

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/06/keep-calm-and-secure-your-data-4.png” thumb_width=”150″ /]Breaking news out of Los Angeles this afternoon is that the UCLA Health System’s computer network was compromised by an external cyberattack, compromising an estimated 4.5 million patient records. According to the LA Times, “the hospital saw unusual activity in one of its computer servers in October and began investigating with assistance from the FBI. The investigation confirmed May 5 that the hackers had gained access to parts of UCLA Health’s computer system where some patient information was stored. The hackers gained access to names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information like patient diagnoses and procedures.” There also appears to have been a delay in the realization that the sensitive PHI had been accessed, and that the suspicious activity could have started as early as September 2014. Yet the UCLA Health statement equivocates: “At this time, there is no evidence that the attacker (more…)

“Who do I call?” when the cyberalarm goes off

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”175″ /]A top read for the weekend is this short article by Gillian Tett in the FT on the lack of coordination in the US in not only protecting systems from cyberattack, but also the lack of coordination between public and private sectors in protection–and when something does go wrong. As Henry Kissinger famously said about Europe when various crises loomed, ‘who do I call?’

Indicators of a gathering storm are everywhere:

* Wednesday’s hours-long, still unexplained outages at the NYSE and United Airlines. (The Wall Street Journal website going down for a bit was the topping on the jitters)

* A joint report from Cambridge University and Lloyds insurance group, also released Wednesday, estimated that a hack shutting down the US electrical grid would create $1 trillion in damage. (more…)

Roundup: data breaches ’round the world

Following on our review of recent articles on why medical identity theft is so attractive, here’s our review of data breaches in the news, including a new (to this Editor) report from Europe.

  • It’s not Europe, blame the UK! That is one of the surprising findings of a meta-review of all types of data breaches released earlier this month by the Central European University’s Center for Media, Data and Society (CMDS). While not specific to healthcare, it is the first study this Editor has seen on EU data breaches and is useful for general trends. 229 verified incidents were analyzed by the CMDS across  28 EU member countries plus Switzerland and Norway, 2005-3rd Quarter 2014, and includes unusual healthcare breaches such as Danish HIV patients’ personal information included in a PowerPoint presentation later published online. Key findings:
    1. 57 percent of breaches were due to insider theft, mismanagement or error; 41 percent were hacker-instigated
    2. It’s common: “for every 100 people in the study countries, 43 personal records have been compromised”
    3. In terms of impact, the UK by far, then Greece, Norway, Germany and Netherlands were the top five countries for incidents and numbers of records breached (report page 9) (more…)