"Medical Device Security: What Really Works?
New Collaborative Effort Hopes to Validate, Then Share, Best Practices

Marianne Kolbasuk McGee, October 24, 2017


A new collaborative effort aims to advance "evidence-based security" for medical devices through the sharing of best practices, says Dale Nordenberg, M.D., leader of the Medical Device Innovation, Safety and Security consortium.

"We believe that 2017 is the year that we truly hit a tipping point where the majority of ... healthcare delivery systems and leading [device] manufacturers ... have come to be aware of medical device cybersecurity risk potential. That is a very important first step," Nordenberg says in an interview with Information Security Media Group..."


-------------------------------



"Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies
Posted on October 3, 2017, Author

Critical Infrastructure Protection Review


Equifax, the credit agency behind this summer’s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.

Paulino do Rego Barros, Jr., the company’s interim CEO, announced Monday that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.

Equifax initially called its investigation around the breach “substantially complete,” but said it was still carrying out further analysis with Mandiant, a FireEye company it hired to investigate the breach, on the incident. According to Equifax, investigators didn’t find any additional vulnerabilities. The extra 2.5 million Americans figure came “during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.”


The company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought. The company said there may have been up to 100,000 Canadians affected several weeks ago; however, upon closer inspection, only 8,000 Canadian consumers were affected by the breach.

Equifax says it's still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle of discussions with regulators to determine how to notify them."



--------------------

"IT Modernization Bill Clears Senate as Part of Defense Authorization Bill

Critical Infrastructure Protection Review

September 20, 2017



The Modernizing Government Technology Act—and several other tech amendments—passed the Senate as part of the annual defense appropriations bill.

The $700 billion National Defense Authorization Act, which sets defense personnel, policy and spending, passed by a vote of 89 to 8 Monday evening.

Sens. Jerry Moran, R-Kan., and Tom Udall, D-N.M., introduced the MGT Act as amendment 1006—one of hundreds lawmakers parsed through. MGT Act creates a $500 million central modernization fund over two years agencies can borrow against to update aging, unsecure systems.

It also creates working IT capital funds that agencies can stash savings from other modernization projects—like migrating to cloud computing—to use for future projects."


---------------------------------


"The Internet of Things is connecting more devices every day, and we're headed for a world that will have 24 billion IoT devices by 2020.

Business Insider, Dec 19, 2016; Andrew Meola


New developments would allow connected cars to link up with smart city infrastructure to create an entirely different ecosystem for the driver, who is simply used to the traditional way of getting from Point A to Point B.

And connected healthcare devices give people a deeper and fuller look at their own health, or lack thereof, than ever before.

But with all of these benefits comes risk, as the increase in connected devices gives hackers and cyber criminals more entry points.


IOT Privacy Issues..."


--------------------------------

"How the Internet of Things will affect security & privacy

Business Insider, Dec 19, 2016, Andrew Meola



"IoT Security Issues

Public Perception: If the IoT is ever going to truly take off, this needs to be the first problem that manufacturers address. The 2015 Icontrol State of the Smart Home study found that 44% of all Americans were "very concerned" about the possibility of their information getting stolen from their smart home, and 27% were "somewhat concerned." With that level of worry, consumers would hesitate to purchase connected devices.


Vulnerability to Hacking: Researchers have been able to hack into real, on-the-market devices with enough time and energy, which means hackers would likely be able to replicate their efforts. For example, a team of researchers at Microsoft and the University of Michigan recently found a plethora of holes in the security of Samsung's SmartThings smart home platform, and the methods were far from complex.


Are Companies Ready?: AT&T's Cybersecurity Insights Report surveyed more than 5,000 enterprises around the world and found that 85% of enterprises are in the process of or intend to deploy IoT devices. Yet a mere 10% of those surveyed feel confident that they could secure those devices against hackers.


True Security: Jason Porter, AT&T's VP of security solutions, told BI Intelligence, Business Insider's premium research service, that securing IoT devices means more than simply securing the actual devices themselves. Companies also need to build security into software applications and network connections that link to those devices."


-----------------------------


Instagram Warns Hack More Widespread Than Expected
Darknet Database Markets 6 Million Stolen Email Addresses or Phone Numbers

Mathew J. Schwartz (euroinfosec) • September 5, 2017 



The popular social media app - owned by Facebook - first warned Wednesday that a hack attack appeared to have compromised some accounts of "high-profile users." It said an unspecified number of email addresses and phone numbers were stolen due to attackers "exploiting a bug in the Instagram API."

But on Friday, Instagram warned that the hack had affected more than just "high-profile users."

The email address - but not phone number - tied to the Instagram account for pop star Miley Cyrus is being offered for sale via Doxagram. (Source: RepKnight)

The API bug has been expunged. "We quickly fixed the bug, and have been working with law enforcement on the matter," Instagram CTO Mike Krieger said in a Friday blog post.

Instagram, however, says it does not know exactly how many of its 700 million monthly users may have had their personal details stolen or accounts hacked. "Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts," Krieger says.

But its estimate might be based on a darknet site that claims to be offering email addresses, and in some cases also phone numbers, tied to 6 million Instagram accounts.

https://www.databreachtoday.com/instagram-warns-hack-more-widespread-than-expected-a-10256


_______________________________________________________________________


Homeland Security starts with Hometown Security

(https://www.dhs.gov/topic/critical-infrastructure-security)


"DHS provides free tools and resources to communities because the Department recognizes that communities are the first line of defense in keeping the public safe and secure. The Department encourages businesses to Connect, Plan, Train, and Report. Applying these four steps in advance of an incident or attack can help better prepare businesses and their employees to proactively think about the role they play in the safety and security of their businesses and communities." DHS states:


"CONNECT: Reach out and develop relationships in your community, including local law enforcement. Having these relationships established before an incident occurs can help speed up the response when something happens. 

PLAN: Take the time now to plan on how you will handle a security event should one occur. Learn from other events to inform your plans. 

TRAIN: Provide your employees with training resources and exercise your plans often. The best laid plans must be exercised in order to be effective.  

REPORT: 'If You See Something, Say Something™' is more than just a slogan. Call local law enforcement."


------------------------------------------------------------------------------------

 




dmgroth@laetarecyber.com

Securing America's Critical Infrastructures


LAETARE CYBERSECURITY, LLC

443-844-9149