Category Archives: Regulation

GDPR enforcement over the past two years

Two years after the GDPR went into effect, official data show that Data Protection Authorities (DPAs), crippled by a lack of resources, tight budgets, and administrative hurdles, have not yet been able to create adequate GDPR enforcement. Worse, some public authorities have grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press, Access Now reveals. The GDPR’s first two years have been marked by … More

The post GDPR enforcement over the past two years appeared first on Help Net Security.

IoT security: In 2020, action needs to match awareness

As the power of IoT devices increases, security has failed to follow suit. This is a direct result of the race to the bottom on price for network-enabling all devices. But small steps can greatly increase the overall security of IoT. A better IoT security story has to be one of the most urgent priorities in all of technology. That’s because IoT is one of the industry’s most compelling opportunities and squandering it due … More

The post IoT security: In 2020, action needs to match awareness appeared first on Help Net Security.

SQL Server Security Basics

Security is of paramount importance in any IT context today, especially when you are looking to protect something as valuable, and as attractive to attackers, as a SQL Server instance.

Here is a quick primer on the basic aspects of security that matter most for SQL Server deployments; the cost of a breach will vastly outweigh the effort of learning and following best practices.

Encryption

There is no doubt that encryption should be part of any modern DataOps strategy, particularly given the scope and scale of the threats that exist in the age of unfettered connectivity.

You can encrypt data stored on your SQL Server, and you should make sure this is enabled as standard. You also need to consider how data is protected in transit, where it can be intercepted while crossing networks and devices you do not control.

There are several layers of encryption to consider, and they protect against different things. Transport encryption (TLS; SQL Server documentation and tooling still often label it SSL) protects data on the move between client and server, and the instance can be configured to refuse unencrypted connections. Transparent Data Encryption (TDE) encrypts the data and log files at rest, so a stolen .mdf or backup file is useless without the certificate, but the data is plaintext once it is in memory and to any login permitted to query it. Cell-level encryption (ENCRYPTBYKEY/DECRYPTBYKEY) or Always Encrypted protect individual columns, so the values stay ciphertext in the buffer pool and to administrators who do not hold the key. The finer the granularity you choose, the more application and key-management complexity you take on, so it is a matter of balancing your needs against the risks.
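The following T-SQL is an added example written for this page; it is not code from the CyberDB post or from Microsoft's documentation. It assumes a hypothetical database Payroll and table dbo.Employee, an application database user PayrollApp that already exists, and the key, certificate and file names shown. It walks through the cell-level encryption path mentioned above (database master key, certificate, symmetric key, ENCRYPTBYKEY and DECRYPTBYKEY with an authenticator that binds each ciphertext to its row) and ends with the query that confirms whether the current connection is actually encrypted in transit.

```sql
-- Added example (not from the original post). Database, table, key, user and path names are assumptions.
USE Payroll;
GO

-- 1. Key hierarchy inside the database: master key -> certificate -> AES-256 symmetric key.
--    The passphrase belongs in a secrets store, not in a script committed to source control.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Long-Random-Passphrase-1!';
CREATE CERTIFICATE SsnCert WITH SUBJECT = 'Protects the SsnKey symmetric key';
CREATE SYMMETRIC KEY SsnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SsnCert;

-- 2. Back up the certificate and private key immediately: without them the column is unrecoverable.
BACKUP CERTIFICATE SsnCert
    TO FILE = 'D:\keys\SsnCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\SsnCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Replace-With-Another-Passphrase-2!');

-- 3. The table stores only ciphertext. EmployeeId doubles as the authenticator below.
CREATE TABLE dbo.Employee
(
    EmployeeId   int            NOT NULL PRIMARY KEY,
    FullName     nvarchar(100)  NOT NULL,
    SsnEncrypted varbinary(256) NOT NULL   -- never the plaintext SSN
);
GO

-- 4. Write path: open the key, encrypt, close the key. The authenticator (4th argument) ties the
--    ciphertext to its row, so copying one employee's blob onto another row decrypts to NULL.
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
DECLARE @Id int = 1001;   -- constructed sample row
INSERT INTO dbo.Employee (EmployeeId, FullName, SsnEncrypted)
VALUES (@Id, N'Constructed Sample',
        ENCRYPTBYKEY(KEY_GUID('SsnKey'), N'123-45-6789', 1, CONVERT(nvarchar(128), @Id)));
CLOSE SYMMETRIC KEY SsnKey;
GO

-- 5. Read path. A login that can SELECT the table but cannot open the key sees only varbinary;
--    DECRYPTBYKEY returns NULL rather than plaintext while the key is not open.
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
SELECT EmployeeId,
       FullName,
       CONVERT(nvarchar(11),
               DECRYPTBYKEY(SsnEncrypted, 1, CONVERT(nvarchar(128), EmployeeId))) AS Ssn
FROM dbo.Employee;
CLOSE SYMMETRIC KEY SsnKey;
GO

-- 6. Least privilege for the key: the application user (assumed to exist) needs exactly these two
--    permissions to open the key, and nothing more.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::SsnKey TO PayrollApp;
GRANT CONTROL ON CERTIFICATE::SsnCert TO PayrollApp;

-- 7. In transit: confirm the current connection negotiated TLS (encrypt_option = 'TRUE').
--    An instance with Force Encryption enabled shows TRUE for every session.
SELECT session_id, encrypt_option, auth_scheme, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

Two points worth noting. The BACKUP CERTIFICATE step is not optional: lose the certificate and the encrypted column is gone for good, so store the .cer/.pvk pair and its password away from the server. And cell-level encryption decides who can decrypt by who can open the key, which is why the GRANTs are scoped to the application user rather than to a broad role; a sysadmin can still grant themselves that access, so this protects against administrators only in combination with auditing, whereas Always Encrypted keeps the keys off the server entirely.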

Backup

All the security measures in the world will be for naught if your SQL server is breached, damaged or otherwise compromised in such a way that leaves the information it contains inaccessible or unrecoverable for some reason.

This is why a good SQL server backup solution needs to be factored into your security efforts, providing you with a lifeline to restore mission-critical data in the direst of circumstances.

There are quite a few points to consider when selecting a backup strategy. A differential backup captures only the extents changed since the last full backup, so it runs faster and consumes less storage, but it depends on that full backup. The full backup also underpins transaction log backups, which allow restoration to a specific point in time.

All backup varieties take time and consume hardware and network capacity, and they are a target in their own right: an unencrypted backup file is a complete copy of the database, so protect and encrypt backups as carefully as the live data and test restores regularly.
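An added example, again written for this page and not taken from the post. It assumes a database Payroll in the FULL recovery model whose logical file names are Payroll and Payroll_log, a server certificate named BackupCert, and the drive paths and STOPAT time shown. It encrypts and checksums each of the three backup types the paragraphs above describe, verifies the files, and restores them as a copy to a point in time; the final query is a monitoring check for databases whose full backup is missing or stale.

```sql
-- Added example (not from the original post). Database, certificate, file and path names are assumptions.
USE master;
GO

-- 1. A server certificate for backup encryption lives in master. Back it up and keep it apart from
--    the backups: a restore on another server is impossible without it, which is exactly the point.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Long-Random-Passphrase-3!';
CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Payroll backup encryption';
BACKUP CERTIFICATE BackupCert
    TO FILE = 'D:\keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\BackupCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Replace-With-Another-Passphrase-4!');
GO

-- 2. Weekly full backup: the foundation both differentials and log backups depend on.
--    CHECKSUM detects corrupt pages before you rely on the file, COMPRESSION shrinks it, and
--    ENCRYPTION makes a copied .bak ciphertext to anyone without BackupCert.
BACKUP DATABASE Payroll
    TO DISK = 'E:\backup\Payroll_full.bak'
    WITH CHECKSUM, COMPRESSION, INIT,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert);

-- 3. Daily differential: only extents changed since the last full backup, so faster and smaller.
BACKUP DATABASE Payroll
    TO DISK = 'E:\backup\Payroll_diff.bak'
    WITH DIFFERENTIAL, CHECKSUM, COMPRESSION, INIT,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert);

-- 4. Frequent log backups (FULL recovery model required) enable point-in-time restores.
BACKUP LOG Payroll
    TO DISK = 'E:\backup\Payroll_log.trn'
    WITH CHECKSUM, COMPRESSION, INIT,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert);
GO

-- 5. A backup you have not verified is a hope, not a lifeline.
RESTORE VERIFYONLY FROM DISK = 'E:\backup\Payroll_full.bak' WITH CHECKSUM;
RESTORE VERIFYONLY FROM DISK = 'E:\backup\Payroll_diff.bak' WITH CHECKSUM;

-- 6. Point-in-time restore as a copy: full -> differential -> log, recovering at a chosen time.
--    MOVE relocates the files so the live database is untouched. The STOPAT value is an assumed
--    time that must fall inside the log backup.
RESTORE DATABASE Payroll_Recovered
    FROM DISK = 'E:\backup\Payroll_full.bak'
    WITH NORECOVERY,
         MOVE 'Payroll'     TO 'E:\restore\Payroll_Recovered.mdf',
         MOVE 'Payroll_log' TO 'E:\restore\Payroll_Recovered_log.ldf';
RESTORE DATABASE Payroll_Recovered
    FROM DISK = 'E:\backup\Payroll_diff.bak' WITH NORECOVERY;
RESTORE LOG Payroll_Recovered
    FROM DISK = 'E:\backup\Payroll_log.trn'
    WITH STOPAT = '2020-05-25T02:30:00', RECOVERY;
GO

-- 7. Monitoring check: databases with no full backup, or whose last full backup is older than 7 days,
--    and whether every recorded full backup of each was encrypted (encryptor_type is NULL when not).
SELECT d.name,
       MAX(b.backup_finish_date) AS last_full_backup,
       MIN(CASE WHEN b.encryptor_type IS NULL THEN 0 ELSE 1 END) AS all_full_backups_encrypted
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b
       ON b.database_name = d.name AND b.type = 'D'
WHERE d.name <> 'tempdb'
GROUP BY d.name
HAVING MAX(b.backup_finish_date) IS NULL
    OR MAX(b.backup_finish_date) < DATEADD(DAY, -7, GETDATE());
```

To restore these files on a different server, first recreate BackupCert there with CREATE CERTIFICATE ... FROM FILE using the .cer/.pvk pair and its password; without it RESTORE fails, which is the property you want from an encrypted backup. Schedule the verification and the staleness query alongside the backups themselves.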

Access

Managing access to your SQL Server is vital, not just in terms of controlling which logins and applications can read data or make changes to the database, but also with regard to the physical hardware itself.

This is not something that will immediately seem obvious, especially at a time when more and more organizations are choosing to migrate to remotely hosted or hybrid cloud setups, but even if your IT resources feel nebulous, they are still founded on tangible servers.

If you are directly responsible for housing this hardware, restricting physical access to it is just as crucial as vetting digital access: someone with the disks in hand can copy the data files and attach them elsewhere, which is one reason encryption at rest matters. Locking server rooms is a minimum; making sure that only employees with a legitimate reason can enter, and logging who does, should also be part of your security protocols.
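An added example for this page, not code from the post. It assumes a Payroll database with a dbo.Employee table that has an SsnEncrypted column, a new SQL login PayrollApp, and the role names shown. It shows the least-privilege pattern for application access (a policy-checked login, permissions granted through roles, stored-procedure-only access for the application, a column-level DENY for a reporting role), followed by the review queries that surface the accounts most often abused: sysadmin members, logins that skip password policy, orphaned users and unexpected db_owner members.

```sql
-- Added example (not from the original post). Login, database, role and object names are assumptions.
USE master;
GO

-- 1. Server level: disable the built-in sa account and switch off xp_cmdshell, the stored
--    procedure that lets a SQL login run operating-system commands on the host.
ALTER LOGIN sa DISABLE;
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;

-- 2. A dedicated login for the application, subject to the Windows password policy, holding no
--    server roles. Windows/AD authentication is preferable where the client supports it.
CREATE LOGIN PayrollApp
    WITH PASSWORD = 'Replace-With-A-Long-Random-Password-5!',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = Payroll;
GO

USE Payroll;
GO

-- 3. Database level: map the login to a user, then grant through a role rather than to the user.
CREATE USER PayrollApp FOR LOGIN PayrollApp;
CREATE ROLE payroll_app_role;
ALTER ROLE payroll_app_role ADD MEMBER PayrollApp;

-- The application reaches the data through stored procedures only: EXECUTE on the schema and no
-- direct table access, so an injection flaw in the application cannot SELECT * or ALTER anything.
GRANT EXECUTE ON SCHEMA::dbo TO payroll_app_role;

-- Where a reporting role genuinely needs table access, keep the sensitive column out of reach.
-- A column-level DENY takes precedence over the schema-level GRANT.
CREATE ROLE payroll_report_role;
GRANT SELECT ON SCHEMA::dbo TO payroll_report_role;
DENY SELECT ON OBJECT::dbo.Employee (SsnEncrypted) TO payroll_report_role;
GO

-- 4. Review queries to run on a schedule.

-- 4a. Who is sysadmin? Every member here is effectively root on the instance and its host.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4b. SQL logins that bypass password policy, or an sa account that is still enabled.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR (name = 'sa' AND is_disabled = 0);

-- 4c. Orphaned users: database users whose login no longer exists (left behind by a restore or a
--     departure). They keep their permissions and can be re-attached to a new login of the same name.
--     Contained-database users (authentication_type 2) have no login by design and are excluded.
SELECT dp.name AS orphaned_user, dp.type_desc
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')
  AND dp.authentication_type <> 2
  AND sp.sid IS NULL
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');

-- 4d. Does anyone hold db_owner besides dbo?
SELECT m.name AS db_user, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner' AND m.name <> 'dbo';
```

The pattern is the same one you would apply to any data store: authenticate strongly, grant to roles rather than individuals, give the application the narrowest interface that still works, and periodically query the permission catalog rather than trusting that yesterday's configuration survived the last restore or the last emergency fix.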

Updates

Although cybersecurity threats are growing and evolving all the time, vendors generally fix vulnerabilities and release patches promptly once they come to light.

This means that it is the responsibility of SQL Server administrators to keep their software up to date, installing security updates and cumulative updates as soon as they have been tested. Failure to do so leaves you exposed unnecessarily and could lead to breaches that would have been entirely preventable. Both the SQL Server software itself and the OS it runs on need to be kept current as a matter of urgency, and versions that have left support should be upgraded, since they no longer receive security fixes at all.

The post SQL Server Security Basics appeared first on CyberDB.

Reality bites: Data privacy edition

May 25th is the second anniversary of the General Data Protection Regulation (GDPR) and data around compliance with the regulation shows a significant disconnect between perception and reality. Only 28% of firms comply with GDPR; however, before GDPR kicked off, 78% of companies felt they would be ready to fulfill data requirements. While their confidence was high, when push comes to shove, complying with GDPR and GDPR-like laws – like CCPA and PDPA – are … More

The post Reality bites: Data privacy edition appeared first on Help Net Security.

Are you ready for the new FINTRAC rules on identity verification?

Canadian financial institutions must revamp their identity verification procedures by June 1 of this year to comply with new anti-money laundering regulations. The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) was updated last year to allow regulated businesses to rely on digital identification from customers when they conduct financial transactions. Now, the…

GDPR Checklist For Small Businesses

The General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, meant some big changes in the way businesses collect and handle personal data. The idea behind the legislation is to give individuals better access to and control over their own personal data. While this is great news for individuals, it requires a little extra work from businesses, who must now have a lawful basis for collecting data and must only use it for the purpose it was collected for. What’s more, they need to follow these rules to the letter and remain GDPR compliant at all times.

This applies to companies of all sizes – even your small business. If you collect personal data in any form, such as emails, addresses, names or financial details, your business needs to be GDPR compliant. If it’s found that you’re not effectively managing and protecting your data you could face a big fine. Though regulators may be a bit more lenient with smaller businesses depending on how much data you hold, an unwanted fine is always bad news. That’s why we’ve put together this checklist to help ensure your small business is GDPR compliant. In this guide we’ll look at:

  • Understanding your data and responsibilities
  • Defining your data consent policy
  • Access requests and disposing of old data
  • Setting up a data storage and security policy
  • Training all staff on GDPR
  • Creating data processing notices

  1. Understanding your data and responsibilities

In order to be GDPR compliant it’s important that you understand what data you’re collecting and your responsibilities as a business. It’s therefore a good idea to get clued up on what is defined as ‘personal data’ and set out strict guidelines on how much information you need to collect. This is because a huge part of GDPR is ensuring that you only collect personal information you actually need and that it is only used for the intended purpose. The less you collect the easier it is to stay compliant.

You’ll also want to ensure that anyone involved in handling data understands how to collect and store it securely, as well as how to process it in line with GDPR. As you collect data, keep a record of how consent was obtained and what processing the data goes through once it has been collected; this record is also what a regulator will ask to see.

  2. Setting out your data consent policy

Where consent is the lawful basis you rely on, getting clear, affirmative consent from individuals to collect and use their data is one of the most important aspects of GDPR. For this reason, you need to tell customers or those using your services why you’re collecting their data and how you intend to use it. Once they have actively agreed, you can then collect their data; this is usually done through sign-up forms or pop-ups. If they do not give you permission, then under no circumstances should you record their personal information.

You must be able to show that you have obtained consent for all the data you collect on that basis. Otherwise, you run the risk of being fined. Another point worth noting is that you can no longer rely on underhand tactics such as pre-ticked boxes: under GDPR silence or inactivity does not count as consent, and relying on it can land you in trouble. Finally, withdrawing consent must be as easy as giving it; for marketing email, an unsubscribe link at the bottom of every message is the usual way.

  3. Access requests and disposing of old data

If you haven’t already, check the consent you obtained from customers before GDPR took effect in May 2018. Where it does not meet the GDPR standard (for example, it relied on pre-ticked boxes or was bundled with other terms), you must ask for fresh consent, and if people do not re-consent or do not reply at all, you must stop using their data and delete it as soon as possible. An important part of your GDPR checklist should be a retention policy, with auditing processes behind it, that sets how long you will store data. For example, if a customer has not engaged with your brand in 12 months, it is probably no longer necessary to keep their information, and it should therefore be deleted.

What’s more, GDPR gives every individual whose data you hold the right to access it, so you need a process in place to deal with subject access requests. You have one month from receiving a request to provide an electronic copy of all the information you hold on the person; this can be extended by two further months for complex or numerous requests, provided you tell the requester within the first month. They can also request that their data be erased, so you need a process to do this promptly and to confirm it has been done in every place the data is stored.

  4. Setting up a data storage and security policy

GDPR is set out to protect the rights and personal information of individuals, therefore you need to make sure you’re taking care of the data you’re collecting. This means knowing where it is stored and ensuring you’ve got the security measures in place to keep it safe. Mapping out all the places where you store data, be that email, databases or cloud-based systems, makes it easier to find and deal with access or deletion requests. Your storage and security policy should outline where everything is stored, how it is protected and who has access to said data.

You also need to know how data is transferred and how information flows around your business. This stops information quietly going missing or falling into the wrong hands. It also pays to plan for hardware being lost or stolen while it holds sensitive information. For example, if a laptop full of customer data is misplaced, having the disk encrypted means the data is not readable by whoever finds it, which makes a reportable breach, and a fine, far less likely.

  5. Training all staff on GDPR

Most data breaches and security mistakes come as a result of human error. Unfortunately, in this case ignorance isn’t bliss: you cannot use it as an excuse for mishandling data. For this reason, it’s important that all members of your team are clued up on GDPR, their personal responsibilities for looking after personal data, and how to recognise a breach. Under GDPR, you must report a personal data breach to your supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to the individuals affected. This becomes much easier if everyone in your team knows what a breach looks like and who they need to report it to.

  6. Creating data processing notices

Finally, data handling needs to be a clear and transparent process, so it’s a good idea to create a notice explaining how your business collects and processes data. This is often called a Fair Processing Notice or privacy notice, and it can be sent to customers/users as well as being displayed on your website. It should outline how you capture, use and store data, how long you keep it, and how an individual can make an access or erasure request. This helps them understand how you are protecting their data and can be great for building your reputation as a legitimate and caring business.

The post GDPR Checklist For Small Businesses appeared first on CyberDB.

5 Promising vendors focusing on Cyber Security for Medical IoT (IoMT)

Medical IoT devices operate in care facility environments that encompass care giving, case management, customer service, and clinic management. As such, the risk to data gathered and managed by medical devices extends beyond the device itself: a compromise of clinic management services can propagate to IoT device command and control, allowing devices to be compromised by attacks that never touch the device directly. This is clearly the major driver for the emerging category of “Medical IoT (IoMT) Cyber Security”.

A large hospital, for example, could be home to as many as 85,000 connected devices. While each of these devices has a significant role in the delivery of care and operational efficiency, each connected device also opens the door to a malicious cyberattack. A recent report from Irdeto found that 82 percent of healthcare organizations’ IoT devices have been targeted with a cyberattack within the last year.

Going over the players in this industry, it is clear that the Medical IoT security category includes a number of different approaches with the common goal of giving the customer clear asset discovery and timely alerting on security breaches and attacks in its medical environment.

Although many large security players are addressing this niche too, CyberDB identified a number of emerging players that are focusing on this industry and as such we expect them to benefit from the growth in this market. These players are (in alphabetical order): CyberMDX, Cynerio, Medigate, Sternum and VDOO.

Due to the clear use case and the growing awareness and need in this market, we can see general-purpose IoT security players moving towards the Medical IoT security market.

According to a recent report by BisResearch, the overall Medical IoT cyber security market has been witnessing steady growth, and is expected to continue growing at a double-digit CAGR of 41.38% during the forecast period 2019-2028.

CyberMDX

CyberMDX is a pioneer in medical cyber security, delivering visibility, threat prevention and analytics for medical and IoT devices and clinical assets. It is a best-of-breed product built from the ground up for healthcare delivery organizations. CyberMDX was established in 2017, operates globally and has raised $10M to date. It is headquartered in Tel Aviv and New York City.

CyberMDX counters and prevents growing cyber-threats against hospitals, ensuring its critical assets’ operational continuity as well as patient and data safety. CyberMDX delivers endpoint visibility, network threat prevention and operational analytics for medical, IoT, and OT devices. The agentless solution automates the most granular, context-aware device profiling available on the market and combines it with healthcare-tailored risk assessment and remediation capabilities.

Using CyberMDX, healthcare teams can easily:

  • Audit devices for software vulnerabilities and prioritize patching
  • Detect malicious activity and behavioral anomalies, triggering responses accordingly
  • Manage risks proactively via smart micro-segmentation planning and automation
  • Streamline clinical compliance programs
  • Report device-relevant FDA recalls
  • Optimize device allocation and procurement decision based on usage insights
  • Track and manage medical asset lifecycles
  • Provide rich reports in support of HIPAA and corporate compliance efforts
  • Seamlessly integrate with existing cyber and IT solutions to enrich data sets, enhance workflows, and enable operational excellence

Differentiators

  1. Interdepartmental HDO functionality and true workflow enablement: CyberMDX takes a holistic, 360° view of healthcare organizations and understands that only by building a common frame of reference and cross-departmental synergies can wholesale progress be achieved. Beyond mere security, CyberMDX provides security, IT, clinical engineering and compliance teams with a platform for data-driven workflow enablement and collaboration.
  2. Unmatched, context-aware visibility: CyberMDX delivers deep visibility into medical devices, protocols, and connected things of all sorts — along with a clear-eyed view of their clinical context. This deep and contextual visibility drives prevention, incident response, risk mitigation, and lifecycle management (including patch availability notifications). The solution covers medical devices, IoT, and OT across the entire network — providing a single pane of glass from which to view all connected healthcare assets.
  3. Superior depth and breadth of risk reporting around clinical and critical assets: CyberMDX has a dedicated research team focused solely on connected healthcare and IoMT. The team works with medical device manufacturers and regulatory bodies such as CISA, ECRI, MITRE and the FDA to spot and lock down cybersecurity hazards and vulnerabilities before they can be exploited by malicious actors.


Cynerio

Cynerio was established in 2017 by a versatile team with expertise in cybersecurity, medical devices, and healthcare IT. Headquartered in New York City, Cynerio works with leading Healthcare Delivery Organizations (HDOs) worldwide and delivers the only medical-first cybersecurity solution clinical ecosystems require to stay secure and operate with the peace of mind they need to put their focus where it’s needed most: on patient care.

The Problem

The IoT is an emerging space with a broad sphere of challenges that get even more complicated when placed in the healthcare context. Hospitals and other HDOs have limited visibility into which devices exist on their networks, device behavior, and vulnerabilities. This limited visibility and understanding impairs IT personnel’s ability to remediate without interrupting patient care.

Securing the healthcare IoT poses the multifold challenge of securing medical devices developed without security in mind. Many of these devices run on outdated operating systems and can’t be patched. Hospital staff often has limited knowledge of the scope of security risks and vulnerabilities introduced to the network by unprotected devices. This is further complicated by traditional security solutions that are ineffective in dealing with connected devices in general.

Hospitals also rely on various non-traditional medical devices to help deliver essential care, such as elevators used to transport patients and smart refrigerators used to store sensitive biological material and medications. These devices are connected to the clinical ecosystem and are involved in medical workflows but are often not given the proper priority when evaluating the security strategy.

The Solution

Cynerio’s holistic medical-first approach to healthcare / Medical IoT cybersecurity management provides HDOs with a one-stop shop they can rely on by prioritizing patient care and privacy above all else while contextualizing risk and remediation within the framework of healthcare business goals. This approach to security allows HDOs to gain control over their clinical assets and helps achieve immediate security goals and meet strategic, long-term objectives.

Cynerio’s agentless and nonintrusive solution analyzes device communications and behavior to provide ongoing, accurate, and contextual assessments of risk and security posture. This enables swift remediation without impacting operations.

Medigate

Medigate is a comprehensive platform for IoT cybersecurity. Distinguished by powerful capabilities driving use-cases that have revolutionized expectations around what clinical visibility can mean, Medigate is successfully partnering with health systems across the world to monetize risk reduction practice.

Not unlike other industries, Healthcare’s vaunted digital transformation is based on unprecedented, new levels of visibility. Although having the ability to identify connected endpoints represents a step forward, it is not the game-changer. Rather, it’s the device-specific, detailed attribution and utilization metrics passively captured by Medigate that competitively separates its offering. Made even more real by meaningful and fully operationalized integrations to the systems that can naturally benefit (e.g. NAC, firewalls, SIEM, CMMS and emerging applications in supply chain, procurement and finance), Medigate’s excellent track record with some of the nation’s largest health systems is easily verified.

It is not “magic” and Medigate’s engineering-heavy company profile reflects it. Medigate has done the heavy lift required to passively fingerprint all connected assets, including serially connected modules and/or devices “hidden” behind legacy and modern integration points. The approach is known as deep packet inspection (DPI).  Having invested in the engineering talent required to effectively parse the transmission flows between devices, nested modules, integration points and their payload destinations (e.g. EMRs), Medigate delivers the most detailed and accurate baselines available, while also providing continuously monitored, dynamic views of the entire connected ecosystem.

Emboldened by widely publicized and successful attacks, the FDA’s changing guidance, Joint Commission directives and the recognition by acute care providers that ultimately, it’s a patient safety issue, risk capital has poured into the problem space. Validating Medigate’s approach, competitors use deep packet inspection (DPI) when they can and rely on probabilistic methods (i.e. behavioral models promoted as AI) when they cannot. For DICOM and other protocols packaged in the HL7 framework, all vendors use DPI, but that’s as far as they go, and that’s a seminal difference. Solution evaluators should investigate that difference and make up their own minds.

Medigate’s deterministic approach relies on its proven ability to resolve more than one hundred unique medical device protocols encompassing thousands of common devices that would otherwise go uncovered. The skillsets required to do that, and the resulting superior data quality, have fueled far more meaningful system integrations, non-traditional cross functional collaborations and numerous new use-cases that are turning risk reduction into a more strategically diverse, revenue creation practice. In terms of clinical network visibility, Medigate-powered “views” of what’s now possible are strengthening IT’s ROI mission to the enterprise.

Sternum

Sternum, the multilayered cybersecurity solution offering real-time, embedded protection for IoT devices, was founded in 2018 in Tel Aviv by a team of highly experienced R&D and business leaders. Sternum has a profound understanding of embedded systems and deep insights into the dynamics of today’s threats, offering a new standard of cybersecurity for medical IoT devices. In accordance with the FDA’s pre-market cybersecurity guidelines (which included our commentary), and with unique technology that is ensuring the security of all connected medical devices, Sternum is protecting patients’ lives.

The result: Robust defense of lifesaving devices such as pacemakers and insulin pumps by mitigating known threats while simultaneously adapting to and combating new ones.

 

The company has developed two holistic solutions:

  • Sternum’s Embedded Integrity Verification (EIV) identifies and blocks cyberattacks in real time. This integrity-based attack prevention can be deployed to any medical device, including distributed and unmanaged IoT devices. EIV operates like an on-device firewall, validating each operation within the device. EIV only needs to be deployed once. Once EIV is installed, every new piece of code (including 3rd party) receives protection automatically, fitting into the low resource environment of medical devices and providing security throughout the device’s lifecycle.
  • Sternum’s Real-time IoT Event Monitoring System (RIEMS) provides first-of-its-kind visibility from within IoT devices (including operating systems and other 3rd party components) so that OEMs who manufacture the devices, enterprises who implement them, and consumers who use them are immediately alerted to indications of any cyber breach, including prevented attack attempts. RIEMS also continuously monitors devices outside managed networks, enabling OEMs to maintain control of product security for all distributed devices.

How is Sternum’s software-only product suite revolutionary in the medical IoT world?

  • Sternum, as a high-diversity and platform-agnostic solution, is the only on-device, real-time cybersecurity solution supporting all types of real-time operating systems (RTOS) and homegrown OS.
  • Sternum’s solution operates during runtime with exceptionally low overhead of 3%.
  • Because it operates in real time, the solution thwarts zero-day attacks.
  • While network security solutions fail to adequately secure today’s distributed medical devices, Sternum provides real-time monitoring of devices outside managed networks.
  • Cyberattack prevention is near-perfect when utilizing Sternum’s EIV solution; for over 170 cyberattacks, 96.5% were prevented when benchmarked with RIPE (Runtime Intrusion Prevention Evaluator).

Sternum’s unique, flexible cyber security solution for the Internet of Medical Things (IoMT) can be seamlessly integrated with any medical device’s operating system and development process.

VDOO

Founded in 2017 by serial cybersecurity entrepreneurs Netanel Davidi and Uri Alter, VDOO has raised $45 million from top-tier investors including 83North, Dell Technology Capital, WRVI Capital, GGV Capital, NTT DOCOMO Ventures and MS&AD ventures. The company currently has more than 65 employees at our offices in the US, Japan and Israel, and dozens of well-known customers around the globe including Medtronic, Stanley Healthcare, NTT and MS&AD.

With device security quickly becoming a strategic imperative for the healthcare market, product security teams that work on medical devices cannot keep making long-term decisions based on a partial picture of possible vulnerabilities at a single stage of the device lifecycle. In order to scale their ability to provide optimal security, they must replace the time- and resource-intensive point solutions they are using today with a single integrated platform.

This is where VDOO comes in. Our Product Security Platform for Connected Devices is the only automated security solution that is integrated across the entire medical device lifecycle – from design and development all the way to deployment, post-deployment and legacy. The end-to-end platform includes modules for security analysis, gap resolution, regulatory compliance, embedded protection, operations monitoring, executive insights and threat intelligence.

VDOO’s unique approach to providing optimal security for medical devices is based on the combination of our patented technology with advanced binary analysis and highly sophisticated machine learning capabilities. This is augmented by our research team, which includes some of the world’s leading embedded security experts, that has built the most comprehensive device security database available today based on the thorough analysis of hundreds of millions of binaries and tens of thousands of connected products.

The VDOO platform’s key differentiators and benefits:

  1. Contextual and focused device-specific security – Speed up time-to-market and reduce the risk of attacks by cutting out the noise and focusing on the right threats
  2. Automated security processes for the entire device lifecycle – Improve the efficiency of SDLC processes, reducing operational resource requirements across the board
  3. Verified compliance with leading standards and regulations – Increase product sales while improving customer adoption by ensuring that all devices are compliant
  4. Full visibility into the software supply chain – Reduce dependency on third parties by owning your security, thus lowering legal, monetary and reputational risks
  5. Comprehensive end-point security visibility and analytics – Monetize security as a business model by offering monitoring and protection services to end-users

The post 5 Promising vendors focusing on Cyber Security for Medical IoT (IoMT) appeared first on CyberDB.

ITAR compliance: ignorance is no excuse

The ITAR (International Traffic in Arms Regulations) legislation details what measures businesses and individuals must take to comply with ITAR requirements and specifies severe penalties, both civil and criminal, for non-compliance. The reach of the regulations is broad and suppliers of all kinds may be subject to requirements to keep sensitive information secure and restricted.