Cyber Security 101: basic tips to keep you safe online and with the Internet of Things (IoT)

By | August 3rd, 2016 | Current Health Topics, Data Security

I’ve written about cyber attacks, cyber extortion using ransomware in hospitals, medical identity theft, data mining risks with health/medical apps and fitness trackers, and more. I am not an IT professional, so I’ve written this for the un-indoctrinated, which, until a year ago, included myself.

It makes sense to review a few basics about how to stay safe if you use email, engage in social media (Facebook, Twitter, LinkedIn, etc.), shop online, browse the internet, use health or medical apps, bank online or have smart devices in your home. Even if all you do is search the internet for answers to health questions, these strategies apply to you.

Knowledge is power. The more you know, the more easily you can make an informed choice.

Think of your computer, smart phone, iPad, and other electronic devices like you do your home. We all want to be safe at home and most of us implement strategies to support that safety. We lock our doors and windows, install alarms, have protective dogs, and more. Consider taking steps to protect yourself in much the same way while using your electronic devices that connect to the internet or Wi-Fi.

With the advancement of technology and the Internet of Things (IoT), we are all more interconnected. That means we need to be informed about the risks of interconnectedness and learn how to protect ourselves from hackers and other cyber criminals. Technology is growing too fast for us not to implement a few basics to prevent identity theft, financial theft, hacking, malware, phishing scams, and more.

The Basics

Public Open Wi-Fi

If, while eating a muffin and drinking a latte at your local coffee bistro, you decide to do a little online shopping while you’re there, stop. Don’t do it. Public open Wi-Fi is not secure, and most people don’t realize just how easy it is for a hacker to eavesdrop on your internet traffic over the Wi-Fi and snag your personal information, including usernames and passwords. Your information can be exposed and retrieved by cyber criminals to commit identity theft.

Public open Wi-Fi is available to everyone in that location and no password is needed to use it. Because the network itself is not encrypted, it is not protected in any way: anyone in range can see the traffic on it. Coffee shops, hotels, gyms, universities, airports and other public places offer public Wi-Fi as a free service. It’s up to you to protect yourself.

  • Be sure to set your smart phone, laptop or other device to manually select Wi-Fi. This way you choose when you want to connect to Wi-Fi rather than your device automatically connecting.
  • Do not do online shopping, online banking or engage in social media if you use public open Wi-Fi. Your personal information will be at risk to hackers who can so easily eavesdrop on your activity.
  • Public open Wi-Fi users should only visit secure websites with https addresses. The address looks like this: https://www.samplewebsite.com. The https (and the padlock in the browser) means your connection to that site is encrypted; it does not by itself prove the site is legitimate.

Facebook, Twitter, LinkedIn & Other Social Media Sites

“Cyber criminals often create fake profiles to befriend you on Facebook,” according to Heimdal Security. “Their goal is to get you to leak confidential information to them. Be careful about friend requests on all social media sites.”

On LinkedIn, cyber criminals create fake profiles to help themselves to your personal data, such as your connections, your email address, and your phone number. Check every LinkedIn connection request before you accept.

Suspicious connection requests look like this:

  • Very few connections.
  • Very little information in the person’s bio.
  • Generic information.

Strengthen Your Passwords

Admittedly, changing your passwords to beef them up is a big hassle. Who can remember their passwords? I know I can’t. I have them written down in a secure place. And yes, I’ve had to change my passwords more than once because I can’t remember my new passwords.

  • Create a unique password for each unique account. Don’t use the same password for multiple accounts. Although I have to admit I’ve been guilty of this.
  • Use a more complex password that mixes symbols such as ! and #, numbers, and upper- and lower-case letters.
  • Don’t reuse old passwords.
  • Don’t use your birthdate, telephone number or your street address. Cyber criminals can find that information on the internet. It’s common for people to use this information in passwords and hackers know it.
  • Use two-factor authentication, known as 2FA. It is a two-step verification, an extra layer of security that requires not just a username and password but a second factor that is unique to you, such as a one-time code sent to or generated on your phone.
  • The rule of thumb has been to change passwords fairly often to outrun hackers. But a colleague pointed out that there is new research showing that forced periodic password changes can actually decrease security. See for yourself here. Thanks to Meg Helgert for the information and this study.

Health/Medical Apps and Fitness Trackers

I don’t use these myself for security reasons. I purchased a Fitbit some time ago and, after reading the fine print, I returned it to the seller. Fitbit, Jawbone and other fitness trackers collect, share and sell consumers’ data to health insurers, employers, data brokers and others. Health/medical apps do it too.

More info in my article, How much health care data is mined without your knowledge.

Health-related apps aren’t regulated by the FDA and aren’t covered by HIPAA, which means that the majority collect your sensitive data and do with it what they will. Most don’t have good privacy or security, according to PC World’s article, Why hackers love health apps.

Phishing Emails

Most of us use email in some form or another. What you might have received already, and hopefully deleted, are phishing emails meant to fool you into thinking they were sent by a known business or bank. Cyber criminals make these phishing emails look real by using photos, images and logos from the real businesses. Many go undetected.

A phishing email might ask you to click on a legitimate-looking link or ask you to download an attachment.

Don’t do it.

The phony email might ask you to authenticate your username or password. You may be informed of a deposit or withdrawal and then asked to click on a link. Phishing emails lure you into giving them personal information such as social security numbers, credit card details, birth date, mother’s maiden name and more. This information can give a hacker all he needs to gain access to your accounts or to commit identity theft.

In 2013, Walmart customers were tricked into believing an email scam that requested that they update their account information urgently to keep them safe.

“Unsubscribe” Email Scam

According to the Identity Theft Resource Center, a new scam has arrived. “Savvy scammers have leveraged the power of annoying spam and dangerous phishing emails by combining them. The result is a barrage of identical looking spam emails that promise everything from weight loss to skin care products, all of which offer you multiple chances to click “unsubscribe” in order to stop receiving the emails.

Their tactic is to bombard you with these spam emails so you’ll do just about anything to make them stop. However, embedded in the “unsubscribe” link is a virus or malware that could infect your computer.

If you don’t recognize the sender, or you didn’t sign up for the emails, do not click on the “unsubscribe” link provided. Report the email as spam by clicking on the spam button on your email program.

Spam email can also include malware that allows a cyber criminal to control your computer remotely, freeze the contents and demand a ransom in exchange for the release of your personal photos and other data. More information on malware in my blog, Hospitals are sitting ducks for ransomware and other cyber attacks.

You can report phishing emails to the Federal Trade Commission at spam@UCE.gov, or see their website here: https://www.consumer.ftc.gov/articles/0038-spam
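
The warning signs described in the two sections above (a legitimate-looking link that really goes elsewhere, a link without https, urgent "update your account" language, an attachment, and an "unsubscribe" link from a sender you never signed up with), run over two constructed sample emails. This is an added example, not code from the original post; the messages and domains in it are made up, and `known_senders` is an assumed list of domains the user actually subscribed to.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure phrases the posts describe: urgent requests to update or verify an
# account, notices of a deposit or withdrawal, and so on.
URGENCY_PHRASES = ("urgent", "immediately", "verify your account",
                   "update your account", "withdrawal", "suspended")

# Constructed sample messages (not real mail) modelled on the two scams above.
PHISHING_SAMPLE = """\
From: Walmart Customer Care <care@walmart-account-update.example>
To: you@example.com
Subject: Update your account information urgently
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://walmart-account-update.example/logo.png" alt="Walmart">
<p>We detected a withdrawal. Update your account information urgently to keep it safe.</p>
<p>Sign in at <a href="http://walmart-account-update.example/login">www.walmart.com</a></p>
</body></html>
"""

SPAM_SAMPLE = """\
From: Daily Deals <offers@miracle-skin.example>
To: you@example.com
Subject: Lose weight fast
Content-Type: text/html; charset="utf-8"

<html><body><p>Amazing skin care products, today only!</p>
<p><a href="https://miracle-skin.example/u?id=77">Unsubscribe</a> to stop these emails.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased and without a leading 'www.'."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def phishing_indicators(raw_message, known_senders=()):
    """Return the warning signs from the posts that `raw_message` shows (empty = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(text)
    found, lowered = [], text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    for href, visible in collector.links:
        if not href.lower().startswith("https://"):
            found.append(f"link without https: {href}")
        # Visible text that looks like a domain but differs from the real target.
        if re.search(r"\w\.\w", visible) and host_of(visible) != host_of(href):
            found.append(f"link text {visible!r} actually points to {host_of(href)}")
        # An unsubscribe link only counts against senders the user never signed up with.
        if "unsubscribe" in (visible + href).lower() and sender_domain not in known_senders:
            found.append(f"unsubscribe link from unrecognized sender {sender_domain}")
    if any(part.get_filename() for part in msg.walk()):
        found.append("carries an attachment")
    return found


if __name__ == "__main__":
    print(phishing_indicators(PHISHING_SAMPLE), phishing_indicators(SPAM_SAMPLE))
```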

Keep Your Software Updates Current

Install software updates on your computer, iPad, smart phone or other electronic device as soon as they become available, or turn on automatic updates. Software updates keep the security of your device current. Updating the software on your apps can prevent 85 percent of targeted attacks. See Heimdal Security for more info on this.

Purchase Anti-Virus Software

Yes, you need it. I use Intego Mac Security. This is not an endorsement, just what my IT tech recommended. So far, my computer has been safe.

However, I did just hear from an IT person who read this blog and said that third-party anti-virus software is unnecessary. You’ll have to do your own research on this, as there seem to be two schools of thought.

Check Your Bank Statements Weekly

Even if you don’t bank online, you should be checking your accounts on a weekly basis. Review your statements for unfamiliar withdrawals and deposits. Alert your bank if you notice suspicious activity. Change your password immediately if you do.

Smart TVs, Smart Refrigerators, Smart Homes, Virtual Home Assistants, Smart Security Cameras, Smart Thermostats—The Internet of Things (IoT)

I don’t own any of these for a reason. I’m not against them, as they make lives easier and I know people who love them. If you do purchase or already own a Smart TV or, for example, an Amazon Echo (Alexa), be sure to read the fine print. The voice command feature, if left on, can collect and send your voice data to a third-party service that converts speech to text. Talk about a privacy issue, not to mention a creepy one. Read more about this here, Your Samsung SmartTV is Spying on You.

Please read the FBI’s warning about these Smart Devices.

I hope this helps.

Hospitals are sitting ducks for ransomware and other cyber attacks

By | August 1st, 2016 | Current Health Topics, Data Security

Imagine you are a patient in a hospital that gets attacked by ransomware. Your medical records and other data are seized, and all users, including your physicians and nurses, are denied access to them. Let’s say you are about to receive chemo, radiation, or another vital treatment.

What would you do? What can you do?

Not a whole lot, unless of course you have your own personal backup of your hospital medical records on hand. And even then the hospital may not be operating.

Think this sounds implausible? Think again. And read on.

As many as 75 percent of U.S. hospitals have been hit with ransomware in the last year. Hospitals are considered the perfect targets because they need the information on patients immediately, don’t have the necessary tools to prevent such an attack, and many haven’t taken the necessary steps to educate and train their employees on how to avoid such an attack. Many simply pay up. But not without extensive delays and having to turn patients away or evacuate patients from the healthcare facility.

This kind of cyber extortion can put patients at risk and compromise patient safety.

If this is new to you, ransomware is malicious software that seizes all the data on a computer or computer network by encrypting it so that it cannot be used. Cybercriminals hold it for ransom until payment is made in exchange for release of the information. In a hospital, it will lock up all electronic patient records and other data on its computers and computer networks. The information is left completely inaccessible to the medical professionals who need it for patient care. The cybercriminals leave messages demanding payment, usually in the form of Bitcoin, in exchange for restoring access to the seized information. Sometimes the cyber extortionists release the data after receiving the ransom payment and sometimes they don’t.

According to the FBI, “Ransomware attacks are growing in number and are becoming more sophisticated.” The FBI also reports that hacking victims in the U.S. have paid more than $209 million in ransom payments in the first three months of this year.

Hospitals and other healthcare facilities are the targets of most ransomware attacks. According to U.S. News & World Report, ransomware is the most profitable scam to date.

Malware can be sent in an email to a specific person with an attachment that appears to be legitimate, such as an invoice or electronic fax. Or the email can contain a legitimate-looking URL which the victim clicks on and is then taken to a website that infects the computer with malicious software.

There are new cases of ransomware where cyber criminals don’t use emails at all. They seed legitimate websites with malicious code which then seizes the computer and possibly other networks and backup drives.

In May of 2016 Kansas Heart Hospital was hit with ransomware and extorted twice.

In April of 2016, three Southern California hospitals, owned by Prime Healthcare Services, were attacked by ransomware. Prime Healthcare Services stated in a Los Angeles Times article that they did not pay the ransom. The FBI recommends not paying the ransom. One can understand why hospitals would pay up to get their systems and patient care running as soon as possible. There just aren’t enough tools in place for them to do much else. Some hospitals do refuse to pay the ransom and rely on backup copies of their information. Still, it can take several days for them to get back to some degree of normalcy.

In March of 2016, cyber criminals attacked 10-hospital MedStar Health, located in the Maryland and District of Columbia region. The hackers encrypted the hospital chain’s computer networks so all information was frozen. The Baltimore Sun reported that the malware attacks left ten MedStar hospitals unable to access patient data and in some cases having to turn patients away.

Also in March of 2016, Methodist Hospital in Henderson, Kentucky, was crippled by ransomware and declared that it was operating in a state of internal emergency. The hospital was forced to shut down all of its computers because of the malware. The message left on the affected systems by the Locky malware demanded a ransom in bitcoin.

In February of 2016, the Hollywood Presbyterian Medical Center, located in Los Angeles, had its computer networks attacked by cyber criminals who demanded $17,000 in bitcoin to release patients’ records. Hollywood Presbyterian paid the ransom.

Not a cyber extortionist attack but noteworthy all the same, in July of 2015, UCLA Health was the victim of a major cyber attack. 4.5 million patients’ data was compromised which included social security numbers.

Among others, Anthem Blue Cross disclosed that 80 million customers’ data was compromised in 2015.

The list goes on.

Sen. Bob Hertzberg authored a bill in an effort to make ransomware a felony. Let’s hope that passes. But I have to wonder how cyber criminals would be charged, since most cyber attacks originate outside of the U.S. This is an update on a bill already passed that introduces new penalties specifically for ransomware attacks. If the update passes, cyber criminals would be fined up to $10,000 and sentenced to two, three, or four years in jail.

Seems like a paltry sum and a much-too-short jail sentence if you ask me. After all, cyber extortion is basically data kidnapping that could put patients’ lives at risk. Under federal law, extortion carries up to a 20-year sentence, depending on the circumstances. Perhaps Hertzberg’s new bill is a good start on a massive, growing problem.

Hospitals must focus on prevention of these ransomware attacks. Real-time backup of patient electronic medical records and other data is an important strategy, but it still only addresses the problem after the cyber attack has been committed, and the backups only help if they are kept separate from the network, since ransomware also goes after backup drives it can reach. Many hospitals don’t even back up. Preparing for a ransomware attack is essential for every hospital or other healthcare facility. Many hospitals claim to have insufficient funding to pay for internal experts such as chief security officers or to enlist a solid cybersecurity company’s services.

“Educating and training all system users is crucial,” states Healthcare IT News in its article, Tips for protecting hospitals from ransomware as cyberattacks surge. “All it takes is one uneducated user.” It’s the employees in hospitals who click on phishing emails or visit compromised websites.

It’s not just the hospitals or healthcare facilities that fall victim to ransomware. Patients must be protected.

I welcome your comments.

Cyber IN-Security: your medical records are gold mine for cyber criminals

By | May 5th, 2016 | Current Health Topics, Data Security

Some say privacy is an illusion. I hope that isn’t true, but I do know that our medical records are not safe. Why do I care? Because our medical records contain our social security numbers, health insurance information, our home addresses, phone numbers, emergency contacts and their phone numbers, our email addresses, possibly our driver’s license numbers, and likely credit card payment information if you’ve ever paid your co-pay with a credit card. I know I have.

Your medical record is worth 10 times more to a cyber criminal than your credit card number. And with healthcare’s mandatory transition to electronic medical records, cyber thieves have taken full advantage.

If you think major institutions are immune to cyber attacks, think again. You might recall the cyber attacks on our U.S. government. One in particular compromised the personal information of 22.1 million people, and 5.6 million fingerprints were stolen.

No doubt you’re aware of the major ransomware attacks on hospitals across the country where cyber criminals seized patients’ electronic medical records and held them for ransom to be paid in Bitcoin. See the article here: http://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/

According to the Ponemon Institute’s Fifth Annual Study on Medical Identity Theft, 90 percent of healthcare organizations have been hacked, exposing millions of patients’ medical records.

You probably remember the major cyber attacks on the three major health insurers, Blue Cross Blue Shield where over 10 million patients’ medical records were exposed.

According to Modern Healthcare, nearly one in eight patients have had their medical records exposed in breaches in the United States. Since that article was published in 2014, that number has likely doubled.

You might be asking yourself, “What could cyber criminals do with my personal information housed in my medical records?”

Cyber criminals can monetize your personal information to obtain credit cards or loans, to commit tax fraud, send fake bills to insurance providers, acquire government benefits from Medicare and Medicaid, and much more. Your personal information can also be used to purchase healthcare services, prescription medications and medical equipment. It can also be used to obtain your credit report.

Such misuse can also corrupt your medical history with inaccurate diagnoses and treatments.

According to the same Ponemon Institute study, in 65 percent of medical identity theft cases the crime costs the victim $13,500 to resolve.

This is pretty scary stuff. I’ve heard from friends and colleagues that they can only take in small amounts of information because it’s so frightening and they feel it’s beyond their control.

There is something you can do.

It is up to doctors, hospitals, and other healthcare organizations/companies to secure their electronic medical records, back up hard drives, use secure cloud platforms (if there is such a thing), encrypt emails, update software and more. Many just aren’t doing it.

According to the HIPAA Breach Notification Rule, a hospital or health insurance company that has been the victim of a security breach must inform patients if more than 500 people have been affected. Unfortunately most do not. Patients find out about errors on their Explanation of Benefits (EOBs), in letters from collection agencies, by finding mistakes in their health records or on their credit reports.

As a patient you are at risk. So am I. And we are all patients even if we just see a physician once every year or two. Had a baby? Had a vaccine? Been treated for the flu? All of us are patients and have been since we saw pediatricians as kids.

What You Can Do to Protect Yourself

  1. Read your Explanation of Benefits (EOBs) that come from your health insurance plan. Call your health insurance company if you do not recognize a charge. Check for total amount covered and amount paid.
  2. Get copies of your medical records from doctors and review them for errors. Look out for misdiagnoses, incorrect pre-existing conditions, procedures you didn’t have, incorrect treatments, allergies you weren’t treated for, and more. If you have trouble understanding your medical records, ask your doctor or his/her nurse to help you understand the information.
  3. Monitor your credit reports and billing statements for errors.
  4. Do not give out your social security number to anyone unless absolutely necessary. Often the last four digits will do.
  5. If you have your medical records or any personal information on your smart phone, be careful about using public Wi-Fi. If you send or receive an email or browse the internet while using public Wi-Fi, a hacker can eavesdrop on your transmission and gain access to the information on your device.
  6. Be wary of health apps. Generally, apps are not secure. See the article here: http://www.martineehrenclou.com/healthcare-data-mining-is-your-patient-privacy-being-breached/
  7. Be wary of public Wi-Fi. This includes any hospital. If you are a patient or visitor at a hospital, make sure the Wi-Fi is encrypted. If it is encrypted it will require a WPA or WPA2 password. Even if encrypted, think twice about sending any personal information via email or text while you are there.
  8. Set your laptop or computer to manually select the public Wi-Fi network in the healthcare facility you are in.
  9. Look for web addresses that begin with https. These are more secure.
  10. Do not share personal information on file sharing sites. Often they are not secure, according to Becker’s Hospital Review, 10 Ways Patient Data is Shared With Hackers.

The FBI recommends:

  1. Keep your firewall turned on.
  2. Install and/or update your antivirus software.
  3. Keep your operating system up to date.
  4. Be careful what you download.
  5. Turn off your computer at night.

For more information on cyber attacks, cyber security, data mining and patients’ medical records, see the following:

Rapid Increase of Cyber Attacks http://www.martineehrenclou.com/rapid-increase-of-cyber-attacks-on-patients-medical-records-8-tips-to-protect-your-data/

Patients’ Medical Records hacked at Alarming Rate http://www.martineehrenclou.com/patients-medical-records-hacked-at-alarming-rate-tips-to-protect-yourself/

Healthcare Data Mining: is your privacy being breached? http://www.martineehrenclou.com/healthcare-data-mining-is-your-patient-privacy-being-breached/

Hello Barbie? New toy puts kids at risk.

By | March 10th, 2016 | Current Health Topics, Data Security

There’s a new Barbie in town. There’s nothing appealing about Hello Barbie, developed by Mattel. In fact it’s downright Orwellian. Well-meaning parents, grandparents and other loved ones might not know what they are getting into when they give Hello Barbie to a 6-to-8-year-old child.

Hello Barbie has a microphone and speaker that allow it to capture and engage in conversations with your child. This is no wind-up doll from decades past that spewed pre-recorded greetings.

All your child has to do is press a button on Hello Barbie’s belt buckle and talk into the microphone. A recording of your child’s conversation is then transmitted through your Wi-Fi connection to a company called ToyTalk. Speech recognition software converts the audio recording of your child into text. Artificial intelligence software allows Hello Barbie to respond to your child based on keywords extracted from your child’s words.

Hello Barbie is like a baby monitor that talks back. Remember the hackers who hacked into baby monitors and scared the living daylights out of the children and the parents? See article here. Each one was accomplished by hacking each family’s Wi-Fi.

Hello Barbie collects every detail of what your child says to it and saves it on a cloud based storage platform. The information is used to create personalized conversations with your child. See Newsweek article, Hello Barbie, Your Child’s Riskiest Christmas Present.

Not concerned yet? Read on.

Mattel and ToyTalk capture popular topics your child talks about to Hello Barbie. For example, your daughter or son confesses to the doll that she/he wants to see the new Disney movie coming soon to theaters. Hello Barbie may have thoughts about upcoming local showings of that Disney movie.

Getting the picture?

Does this remind you of how social media sites and Google insert ads according to your online searches and preferences on the internet?

It gets worse.

Third-party vendors also have access to your child’s data that is captured through Hello Barbie and transmitted to ToyTalk, according to its privacy policy. See ToyTalk Privacy policy here.

Parents have to download a mobile app and connect to Hello Barbie through their wireless network (Wi-Fi). In essence, parents grant their permission for their child’s data to be stored, translated into text and shared with third-party companies.

That is if parents read the fine print.

Another disturbing angle is that parents have full access to all of their child’s audio conversations with Hello Barbie. But to gain access to their child’s recorded inner secrets, they must allow ToyTalk to hold on to the information.

To say that this is an invasion of the child’s personal privacy is an understatement. It’s worse than reading a diary.

Even more disturbing is that parents can also share their child’s personal conversations with Hello Barbie on Facebook and Twitter with a simple push of a button. This just isn’t right. Posting a child’s personal conversations on Facebook or Twitter is a violation of a child’s privacy. What 6- or 8-year-old can grant permission to a parent to post his/her conversations with Hello Barbie on social media and understand the repercussions? Some parents might not think that their children have rights, but I do.

There’s something else even more sinister that you have to consider regarding Hello Barbie. Given the number of cyber attacks on large banks, Sony, the U.S. government, health insurance companies, hospitals and more, what is to stop hackers from retrieving information from your Wi-Fi network through which your child’s conversations are transmitted? What stops a hacker from hacking into the server on which your child’s data is stored?

Imagine a 6 year-old child’s conversations with Hello Barbie. Most likely, information would be shared about where he/she lives, who he/she lives with, the school the child attends, names of friends, and more. Would you want your child’s personal conversations stored on ToyTalk’s servers? No server is immune to hacking no matter what companies claim.

What about parents who don’t read the fine print about Hello Barbie’s risks and simply download the app and connect it to the Wi-Fi? They won’t know that their child’s data will be transmitted not just to ToyTalk’s servers, but also shared with overseas companies that do not have the same privacy laws that we do in the United States. See ToyTalk privacy policy here.

This reminds me of the new “Smart TVs.” Samsung makes one that actually eavesdrops on the owner’s conversations. If you have a “Smart TV” that is connected to the internet, you can flip a switch to turn on the voice recognition feature that allows the TV to follow your voice commands, instead of using the remote control. That feature allows the “Smart TV” to listen to everything you say even if you don’t want it to. Your words are then processed by the television and then transmitted to a third party. Even Samsung warns, “Please be aware that if your spoken words include personal or other sensitive information, that information will be among data captured and transmitted to a third party through your use of Voice Recognition.” See link here.

Like Samsung, Hello Barbie also uses Voice Recognition software. Why wouldn’t the same warning apply to the doll?

Child privacy advocates don’t like Hello Barbie either. The Campaign for a Commercial-Free Childhood has launched a campaign it calls #HellNoBarbie that warns parents about the toy. They are concerned that a child’s conversations are going straight to the advertisers. They might be right.

Personally, I would not buy a Hello Barbie for any child. Not just because I think it’s creepy, but because data can be extracted from any number of servers through the storage and sharing of that information and used for a number of nefarious purposes.