Ransomware - The New Kid on the Block | I2P: Information to Pharmacists - Archive
Publication Date 01/02/2013   Volume 5 No. 1
Information to Pharmacists

Editorial

From the desk of the editor

Well, 2013 has certainly begun and I must admit it has been hard to get out of “holiday mode” and back into “pharmacy mode”.
This year is looking quite challenging as many issues left in abeyance in 2012 are bubbling over, so I don’t anticipate a restful year.
One important issue we will cover for some time yet is the quality of drug evidence in the Australian setting, and to kick off the debate the feature article “Sense About Science” describes what is happening in the UK to help tidy up science in that country.
Comparisons have been made with the Australian experience and it seems that we have a long way to go before it can be regarded as “tidy”.

News Flash

Newsflash Updates for February 2013

Newsflash Updates

Regular weekly updates that supplement the regular monthly homepage edition of i2P. 
Access and click on the title links that are illustrated.

Feature Contribution

Sense About Science – or Up To Your Ankles in Waste Water

Neil Johnston

My recent holiday reading included catching up on subjects that have slipped off my radar, mainly because the issues themselves have adopted a lower profile.
Then an article in the 6Minutes e-publication caught my eye.
It concerned a UK initiative by a group called “Sense About Science”, that has started a campaign to have all clinical trials registered and have the results published, while simultaneously urging patients to boycott trials if the researchers cannot guarantee the findings will be made public.
They have published a petition (found at www.alltrials.net) and are encouraging people to sign it.
The petition has the support and backing of the BMJ, the James Lind Alliance and Ben Goldacre (author of Bad Pharma) and is designed to put pressure on researchers, pharmaceutical companies and institutions who are in a position to bury research data that may reflect on reputations and drug company profits.

Face of Priceline - Australian of the Year 2013

Peter Sayers

Few would not recognise Ita Buttrose, an iconic Australian well deserving of the Australian of the Year Award for 2013. The award was presented in Canberra on Australia Day (January 26 2013) by PM Julia Gillard.
And there must be a lot of backslapping going on in the Priceline camp for their recent signing of her to front for their 200 member pharmacy franchise.
Ita’s profile was already stellar, but with the added impetus of the Australian of the Year Award, the Priceline brand will now increase in value considerably.

Determining needs and wants…

Joseph Conway

In pharmacy media commentary, I often come across the idea that we need to give people advice on what they need as opposed to what they want. This is understandable given that we have specialist knowledge on medication therapy and live our lives discussing health issues with patients and dispensing their medication. We get to know very intimate details about people and many pharmacists working in community pharmacy get to follow people as they grow older and are a tiny (but important) part of their lives sharing their health issues over ongoing chats at the dispensary counter if they choose to shop at our store.

Is the ‘weekend’ an anachronism whose usefulness and relevance has passed?

Neil Retallick

When I taught Sunday School, which seems to be about a hundred years ago but was only about forty, we learned from the Bible that on the seventh day, God rested.
After all, he had been busy for six days.
I do not wish to belittle anybody’s religious beliefs in these comments but use them to focus attention on just how much our society has changed.
At the same time I was teaching Sunday School, the shops all closed at mid-day on Saturday and at 5.30pm during the week.
A trip into town to shop on the weekend meant getting up bright and early on Saturday morning and being at the bus stop by 8.30am at the latest.

Fitting Your Pharmacy for the Future - Funding & Depreciating for Best Tax Effect

Chris Foster

Editor's Note:
I2P will be developing a series on pharmacy designs - ideas and concepts in respect of clinical services spaces.
In designing such spaces it was realised very early in the exercise, that to be properly integrated in an Australian pharmacy setting it could not be just an “add-on” but a whole of pharmacy redesign.
Similarly with the introduction of automated dispensing machines (original packs and dose administration aids) it is important to design workflows properly to capture efficiencies, and this also entails a “whole of pharmacy” redesign.
2013 may be the year of decision in terms of the type of pharmacy design to house your market offering. To survive you need to be different and there is not a lot to differentiate one pharmacy from the other, even if you belong to a marketing group.

Ransomware - The New Kid on the Block

Steve Jenkin

Workplace Pressure in Pharmacy

Kay Dunkley - BPharm, Grad Dip Hosp Pharm, Grad Dip Health Admin, MPS, MSHPA

The psychological definition of stress is a feeling of strain and pressure.  Small amounts of stress may be desired, beneficial, and even healthy.  Positive stress helps improve performance.  It also plays a factor in motivation, adaptation, and reaction to the environment.  Excessive amounts of stress may lead to many problems in the body that could be harmful.  Symptoms may include a sense of being overwhelmed, feelings of anxiety, overall irritability, insecurity, nervousness, social withdrawal, loss of appetite, depression, panic attacks, exhaustion, high or low blood pressure, skin eruptions or rashes, insomnia, lack of sexual desire (sexual dysfunction), migraine and gastrointestinal difficulties (constipation or diarrhoea).  It may also cause more serious conditions such as heart problems.

Arm Yourself For The Battle For The Mind

Barry Urquhart

Social media, and the internet in general, are largely “blind” media.
They can be frustrating, time-wasting and inefficient.
Entries and enquiries about wide-ranging but pertinent topics, products and services elicit countless responses, most of which are irrelevant and unappealing. Information overload abounds. Use of SEOs (Search Engine Optimisers) simply clusters companies, brand and service names among large, often spuriously ranked groupings. Being on the shopping list has very little quantifiable and lasting value. Nor does the standing of being “first amongst equals”.
Establishing and sustaining unique, differentiated presences in the marketplace is difficult.
In the brave and new world of digital, mobile, on-line, multi or omni-channel reality, the importance, nature and value of effective branding is deepened and broadened.

Positive thinking has no negatives

Harvey Mackay

One of life's great annoyances is the tendency of folks who ask you to perform an impossible task, list the issues they foresee and the problems that have plagued previous attempts -- and then admonish you to "think positive."
Wow! Does that mean you are so good that you can achieve what no one else has? Or are you being set up to fail?   
Because I am an eternal optimist, I prefer to believe the first premise. Positive thinking is more than just a tagline. It changes the way we behave. And I firmly believe that when I am positive, it not only makes me better, but it also makes those around me better. I think that good attitudes are contagious. I want to start an epidemic!

Feasting on Fat

Loretta Marron OAM BSc

With the Christmas and New Year opportunities to over-indulge, it was easy for girths to increase a little.
If so, it might be very difficult to lose those extra kilos.
Many advertised products and services allegedly help us lose fat without diet and exercise.
Most will fail; some might even be dangerous.

Hanukkah, Oxygen Masks and Christmas

Mark Neuenschwander

I've been thinking about Hanukkah, oxygen masks, and the Christmas presents I am duty bound to muster for my kids and grandkids. Thank God dad asked for pajamas.
Today I’m flying from Las Vegas to Seattle. About the only thing I liked about Sin City was the fountain show at Bellagio, the Elvis Christmas songs that popped up here and there, and a pretty good keynote address by Bill Clinton. Just thinking of shopping makes me wonder if the cabin isn’t losing its pressure.

Antioxidants Prevent Cancer and Some May Even Cure It

Staff Writer

Orthomolecular Medicine News Service, January 24, 2013

Commentary by Steve Hickey, PhD

(OMNS Jan 24, 2013) It is widely accepted that antioxidants in the diet and supplements are one of the most effective ways of preventing cancer. Nevertheless, Dr. James Watson has recently suggested that antioxidants cause cancer and interfere with its treatment. James Watson is among the most renowned of living scientists. His work, together with that of others (Rosalind Franklin, Raymond Gosling, Francis Crick, and Maurice Wilkins) led to the discovery of the DNA double helix in 1953. Although his recent statement on antioxidants is misleading, the mainstream media has picked it up, which may cause some confusion.

HMR Moratorium – Killing Jobs in Pharmacy

Joseph Conway

It’s no secret that the Pharmacy Guild has called for a moratorium on HMRs until the alleged abuse of a tiny minority of Independent Pharmacists potentially rorting the system is investigated and the system is changed to reduce the possibility of such rorting.
They say that this is necessary as the budget for HMRs has been overrun and any potential rorting could put the viability of future pharmacy-centric programs at risk too.
The Guild want payments stopped so that the business rules behind HMRs are “tightened” to stop this apparent rorting.
If there is actually rorting going on, then I think that it’s in all pharmacists’ interest to “fix” this issue.
I for one have nothing against tightening the rules to stop pharmacists “warehousing” HMRs.
This is great.

Part one -HMR Evolution

Neil Johnston

With the furore created when the PGA went to print stating that the funds available for HMR’s were almost exhausted, it created an instant “blame game” and conjecture as to what really lay behind the belated PGA announcement.
I came to a conclusion early that it was a result of PGA mismanagement as the immediate problem, but also coupled with an underlying systemic flaw that was the major problem.
Between them they impact and threaten the long term development and survival of the consultant pharmacist program.
It has prompted me to create an analysis of some aspects of the program to evaluate what has gone wrong.

Part two - Fixing the HMR Flaws

Neil Johnston

The PGA has succeeded in upsetting a broad spectrum of pharmacists that includes all accredited pharmacists, some employer pharmacists (with designs on creating a business model with professional services at the core), and employee pharmacists who see job opportunities being squandered.
It is obvious that the “engine room” for consultant pharmacists (The Australian Association of Consultant Pharmacy) needs urgent reform and a new focus, or be replaced completely.
And the PGA should stop its interference.

Part three - a Better Umbrella Organisation

Neil Johnston

Because a workable umbrella model for management consultants already exists, it is suggested that this model be adapted for consultant pharmacist use.
The existing umbrella model established for consultant pharmacists would need to be altered dramatically and be opened up to other organisations (e.g. Consumer Health Forum, APESMA).
Or an entirely new organisation could be developed from scratch.
This is, in fact, happening and is unrelated to any of my activities.
However, I am suggesting that the umbrella model of organisation provided by the Institute of Management Consultants (Australia) provides an excellent reference to adapt to a consultant pharmacist version.

Thought Bubbles From a Book Group Refugee

Gerald Quigley

Editor's Note:
One night recently, I received the following email from Gerald:
"My wife has a book-group here. I’m locked in my study and inspired to write!"
That's good news for an editor/publisher - getting copy in on time well in advance!
Then followed (the same night), three separate and disparate thoughts that were not directly concerned with a pharmaceutical issue.
But they all had application for pharmacy improvement, with a bit of applied creativity.
As these "thought bubbles" wafted in over the Internet I began to wonder how I might splice them together with some editorial ingenuity.
The following is the result.

What Really Causes Kidney Stones (And Why Vitamin C Does Not)

Staff Writer

Orthomolecular Medicine News Service, February 11, 2013

(OMNS Feb 11, 2013) A recent widely-publicized study claimed that vitamin C supplements increased the risk of developing kidney stones by nearly a factor of two.[1] The study stated that the stones were most likely formed from calcium oxalate, which can be formed in the presence of vitamin C (ascorbate), but it did not analyze the kidney stones of participants. Instead, it relied on a different study of kidney stones where ascorbate was not tested. This type of poorly organized study does not help the medical profession or the public, but instead causes confusion.

For health's sake, time to take on food giants

Staff Writer


Food industry marketing practices are increasingly being brought under the spotlight, as are various other worrying problems: additives in manufactured food products, food grown from genetically modified seed, and the range of toxic herbicides and pesticides.
These latter substances now pollute the entire food chain and not enough is being done to protect it.
Many illnesses can be traced back to ingestion of unnatural substances over a long period of time.
It's time to grow your own.

Consultant Pharmacists Should Lead The Way - But They Have No Leaders.

Mark Coleman

Isn’t it time that consultant pharmacists took control of their own direction and carved out a future?
Or is the current system of a single-product (HMR) service controlled by the PGA and the PSA, sufficient to provide an interesting and creative future?
How can the aspirations of consultant pharmacists be serviced by an organisation controlled by two major pharmacy-political bodies, when one of them (PGA) is directly working against consultant pharmacist interests?

APESMA Campaigns for Pharmacist Lunch Hour Entitlements

Staff Writer

Australian pharmacists have been warned to carefully check exactly how much compensation they are getting for routinely working through lunch after an APESMA survey found 28 per cent of Australian pharmacists reported that they receive no financial compensation at all for the lack of a lunch break.
CEO of APESMA Chris Walton said working through every lunchtime was an unacceptable practice that could cause dangerous levels of fatigue.
APESMA has advised pharmacists who have signed any agreement to remove their lunch breaks to immediately ask their employer to itemise any compensation they are being paid in lieu of all award entitlements such as their lunch breaks.

CHC Emphasises the Importance of Research

Staff Researcher

In light of a recent paper published in the Royal Society's Open Biology journal, proposing a theory that antioxidants can be detrimental in the late stages of cancer treatment, the Complementary Healthcare Council (CHC) of Australia emphasises the importance of clinical trials and studies into the prevention and treatment of cancer. Executive director of the CHC, Dr Wendy Morrow, highlighted this theory as being interesting and warranting more research.

Advancing our understanding and treatment of motor impairment

Staff Researcher

NeuRA has secured significant funding to expand research into motor impairment, a problem that arises from many diseases and aging, and a growing public health challenge.
Everything the human body does requires movement, but our muscles—and our brain and nerves that control them—are often the first tissues attacked by a long list of disorders that includes stroke, spinal cord and brain injury, multiple sclerosis, Parkinson’s disease, musculoskeletal injury and cerebral palsy.
Prof Simon Gandevia is an expert in the brain’s control of human movement at NeuRA (Neuroscience Research Australia) and will spearhead the nearly $7 million multidisciplinary program of study, funded by the National Health and Medical Research Council of Australia.

PSA WELCOMES GOVERNMENT’S HMR ANNOUNCEMENT

Peter Waterman

Media releases issued from the office of Tanya Plibersek and the PSA arrived this morning.
What follows is the PSA take on recent events surrounding HMR management.

Pharmedia - The Vaccine Poll Hijacked by Pharmacists?

Neil Johnston

Editor's Note:
Professional services development was stymied when the AMA reneged on an agreement to support pharmacist vaccination clinics.
It has caused anger and unprofessional behavior has evolved on both sides.
It also appears that while the professional bodies of the AMA and the PGA attempt to disrupt each other, patients at large will become the eventual losers.
The PGA is central to other clinical service disruptions, even those within pharmacy involving contractor pharmacists.
This is damaging to an orderly development of clinical services in a pharmacy setting and demonstrates that current leaders of the PGA and the AMA are not fit to claim the title of "leader".
We asked Mark Coleman to provide commentary on an article recently published in Australian Doctor.

Ransomware - The New Kid on the Block

Steve Jenkin

Steve Jenkin has spent 40 years in ICT in a wide variety of roles and systems.
He developed an interest in Quality and Turnarounds, "Working Smarter" and reducing wasted effort.
From working in Telecommunications, he was imbued with the notion of "Client First" and owing a "Fiduciary Duty" towards clients, as underlies Medicine. His current interests include the intersection of Quality, Safety and I.T. in Medicine and Healthcare.

Editor's Note:
Late in 2012, a medical practice on the Gold Coast of Queensland came under cyber attack in a way most of us had not seen before.
Instead of patient data being stolen, it was kidnapped in place: all practice data was encrypted so that it could not be read.
A key was then offered, at a price, so that the data could be opened.
This is "ransomware"; the tactic is older than this incident, but with it a new threat had arrived on our doorstep.
i2P asked Steve Jenkin, our resident IT expert, to give some insights into this threat and the precautions we might all need to take to counter this approach to hacking.
If you need an incentive, just imagine if your PBS claim data was locked up for a week and your ability to generate a claim was locked up for six weeks, plus all attendant costs in restoring your data.
Would you survive in your business?
This reference article by Steve is important enough to use as a checklist for your IT provider or for your IT consultant to utilise in the next complete review of your entire system.
Steve's comments follow:

If you run a Healthcare-related business, things changed in the last 6 months...
Ransomware is set to boom [0] and cyber-security is now part of our National Security Plan.
Businesses now have to secure their computers and data just as they secure their premises and goods.
Ask yourself this: "If my computers were destroyed, how long could I continue the business? At reduced capacity, or at all?" Then act accordingly.

The Internet is defined by its explosive growth: A few For-Profit hackers have noticed Business Ransomware is an ideal way to monetise remote computer attacks & exploits.
Expect these attacks to double every few months now.
In a year they will be endemic.

Every business that can raise $5,000 and relies on its systems and data for daily operations is now in their sights.
If you haven't taken adequate steps to protect your computer systems and data, your general insurance company may refuse claims for damage: if not now, then certainly in the near future.
Expect Data Insurance and Computer Security Assessment businesses to come knocking on your door looking to sign you up.

Vendors will promise "golden bullets" to solve all problems, but you, as the owner of the business, have ultimate responsibility for opening the doors and trading.
They don't.
It's your business, not theirs, that is on the line; act accordingly.

The Prime Minister has released a new Security Policy, and cyber security, for both Government and Private sectors, is seen as a crucial on-going activity. [1][2][3]
The Defence Signals Directorate [DSD, responsible for Govt. cyber-security standards & some operations] reports that at least 85% of the cyber intrusions it responded to in 2012 could have been prevented if organisations had implemented the top four of its mitigation strategies (application whitelisting, patching applications, patching the operating system, and restricting administrative privileges), up from 70% in 2009 [4].

The government also neatly divides cyber-attackers into four categories, but in business your focus has to be on the money: For-Profit attackers. [5]

Even if you read and apply DSD's "top 35 mitigation strategies" [4], nothing is 100% safe from all attacks, and there are still some things you need to be doing. Good Security is never "static" but active, and you have to do more than put "protection" in place.

* Your Business is Your Data.

Don't just do backups: practice restores, and actively check that your data is complete, correct and consistent.

* Hardware is Cheap.

Have some laptops pre-built as replacements for all operational systems. Slow service is far, far better than no service.

* Not Everything should be connected to the Internet.

For-Profit hackers are far less likely to bother trying to get past "air-gaps" onto isolated networks. Traffic segregation and network segmentation are cheap, powerful security techniques.

These same mitigations will also address Business Continuity issues from many sources.
The Gold Coast medical practice that lost its records had been compromised two weeks before their files were encrypted and a ransom demanded. The hackers turned off the daily backups and nobody noticed.

In other respects they were a model business.
They had just upgraded their firewall, ran separate servers, had security experts set up and administer their systems and religiously did backups.
They would almost certainly have complied with the "top 4" DSD recommendations, and probably with all of the "top 35".

Nobody had thought to tell them that "whilst backups are done, only restores are ever requested". They, like most businesses, didn't actively check their precious data; they just assumed "it worked once, so what could possibly go wrong?"

Here is a simple strategy for small businesses, especially Healthcare-related high-value targets:

* Add another layer to your backups: snapshots over the network. Never rely on just one method or copy of your data.
* Find someone who cares about the business and integrate checking backup data into their daily schedule. Checks can never be "make work"; they have to be real, useful tasks. [6]
* Practice your Business Continuity procedures regularly and completely in Drills.
* Perform regular Post Drill Reviews to refine your Process and Documents [7][8].

You can make this a heavyweight, expensive and laborious process or design a lightweight, simple and quick process.
The key is: never let someone else sell or install a process you don't follow or can't competently manage by yourself.
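
As an added example (it is not code from the original article, nor a description of anything the Gold Coast practice ran), here is the kind of daily check that would have caught "the hackers turned off the daily backups and nobody noticed". It assumes one backup file per day named practice-YYYY-MM-DD.bak in a single directory, plus a SHA-256 manifest written beside them; the file names, layout and the 36-hour and 50% thresholds are assumptions to adjust for your own practice. It flags a stale newest backup, a backup whose size has changed sharply (encrypted or emptied data), and any file whose hash no longer matches the manifest. The sample backup sets are constructed in a temporary directory for the demonstration.

```python
"""Backup watchdog for a small practice (added example, not from the article).

Assumes one backup file per day, practice-YYYY-MM-DD.bak, in one directory,
plus a SHA-256 manifest. Run it from a machine that the production systems
and their administrator accounts cannot write to, and put the result in
front of the owner, not only in a log file.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_file(path):
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record the hash of every backup file (sha256sum format). Keep a copy
    off the box: whoever can edit the backups can edit a manifest beside them."""
    lines = [f"{sha256_file(p)}  {p.name}\n" for p in sorted(backup_dir.glob("*.bak"))]
    (backup_dir / MANIFEST).write_text("".join(lines))


def read_manifest(backup_dir):
    """Return {filename: sha256} from the manifest, or None if it is missing."""
    manifest = backup_dir / MANIFEST
    if not manifest.exists():
        return None
    recorded = {}
    for line in manifest.read_text().splitlines():
        if line.strip():
            digest, name = line.split(maxsplit=1)
            recorded[name] = digest
    return recorded


def check_backups(backup_dir, now, max_age_hours=36, min_size_ratio=0.5):
    """Return {"ok": bool, "alerts": [...]}. Anything in alerts needs a human."""
    alerts = []
    backups = sorted(backup_dir.glob("*.bak"))  # dated names sort chronologically
    if not backups:
        return {"ok": False, "alerts": ["no backup files found"]}

    # 1. Freshness: a backup job that has been switched off shows up as a stale newest file.
    newest = max(backups, key=lambda p: p.stat().st_mtime)
    age = now - datetime.fromtimestamp(newest.stat().st_mtime)
    if age > timedelta(hours=max_age_hours):
        alerts.append(f"newest backup {newest.name} is {age.days} days old")

    # 2. Size sanity: a backup of encrypted or emptied data usually changes size sharply.
    if len(backups) >= 2:
        prev, last = backups[-2], backups[-1]
        ratio = last.stat().st_size / max(prev.stat().st_size, 1)
        if ratio < min_size_ratio or ratio > 1 / min_size_ratio:
            alerts.append(f"{last.name} is {ratio:.2f}x the size of {prev.name}")

    # 3. Integrity: every backup must still match the hash recorded when it was written.
    recorded = read_manifest(backup_dir)
    if recorded is None:
        alerts.append("manifest missing")
    else:
        for p in backups:
            if p.name not in recorded:
                alerts.append(f"{p.name} not in manifest")
            elif sha256_file(p) != recorded[p.name]:
                alerts.append(f"{p.name} hash mismatch")

    return {"ok": not alerts, "alerts": alerts}


def build_demo_set(days_since_last, tamper=False, now=datetime(2013, 1, 31, 8, 0)):
    """Constructed sample data, not a real practice: seven daily backups, the
    newest one `days_since_last` days before `now`. tamper=True overwrites the
    newest file in place but keeps its timestamp, as an intruder might."""
    backup_dir = Path(tempfile.mkdtemp(prefix="backups-"))
    last_day = now - timedelta(days=days_since_last)
    for i in range(6, -1, -1):
        day = last_day - timedelta(days=i)
        p = backup_dir / f"practice-{day:%Y-%m-%d}.bak"
        p.write_bytes(f"patients,scripts,sales for {day:%Y-%m-%d}\n".encode() * 200)
        os.utime(p, (day.timestamp(), day.timestamp()))
    write_manifest(backup_dir)
    if tamper:
        newest = sorted(backup_dir.glob("*.bak"))[-1]
        newest.write_bytes(b"\x00" * 32)
        os.utime(newest, (last_day.timestamp(), last_day.timestamp()))
    return backup_dir, now


if __name__ == "__main__":
    for label, days, tamper in [("healthy", 1, False), ("backups stopped", 14, False), ("tampered", 1, True)]:
        backup_dir, now = build_demo_set(days, tamper)
        print(label, check_backups(backup_dir, now))
```

The "backups stopped" case is the Gold Coast failure: every file on disk is intact and the manifest verifies, but the newest one is two weeks old. A check like this is only worth something if it runs somewhere the attacker who can stop the backup job cannot also stop the watchdog, which is why the manifest copy and the watchdog itself belong on a separate, restricted machine.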

A friend whom I convinced to run his practice on an isolated computer did his backups to a rotating set of USB Flash drives.  The only extra step he needed was to have his partner, not himself, restore a backup onto a spare laptop and check totals and summaries.

But wait, there's more...

Having done all this you will have a reasonably secure system and very robust Business Continuity processes, and can take Internet exploits in your stride.
There are three other important strategic areas of Security you need to consider and address.

Monocultures [9]

* If everyone runs the same O/S and Software, it's Nirvana for attackers.

Insider Attacks

* Attacks from the Internet are a rising threat and not to be ignored, but people already working for you, doing their authorised work, have more potential for fraud and damage.

Vendor Compromise [10]

* If attackers plant "backdoors" in your software, you're gone.

If Sony can foul up and send out compromised software, anyone might if they aren't actively checking.

Now is a good time to ask all your Software Vendors if they are covered for Contingent Liabilities caused by their negligence or inadequacy in releasing compromised software.

There are simple and highly effective actions you can take to recover your Business Operations quickly: pre-built, pre-positioned hardware, good backups, regular Drills + Reviews, and daily summary checks from backups by an owner.

If your current I.T. support doesn't agree or can't supply those services, you need to be seeking a second opinion.

After all, what have you to lose but your entire livelihood and investment?



Appendix 1.

A simple Backup/Continuity strategy for small businesses, especially Healthcare-related high-value targets.

This appendix expands the four points of the strategy above; the Post Drill Review [7], using the classic Ishikawa categories, comes last.

Add another layer to your backups; never rely on just one method or copy of your data:

* Store critical data on a network device with automatic, continuous or periodic backups (or "snapshots") to an off-site device.
* For extra credit, provide a dedicated link and a very restrictive firewall for just this purpose at both ends.

Find someone who cares about the business and integrate checking backup data into their daily schedule. Checks can never be "make work"; they have to be real, useful tasks.

* Nobody cares more about a business than an owner. Nor can risk be delegated or outsourced.
* Print or view, from the backup copy rather than the live system, daily summary reports of all accounting and line-of-business transactions (sales, consults, patients, work dispatched).
* Look for and investigate small errors; they are meaningful. Computers don't "just make mistakes": one of the best documented international hacking/espionage cases began with a diligent administrator looking into a minor accounting discrepancy. [6]
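
An added example of the daily summary check (not code from the article, and not from any practice software): it assumes that both the live system and last night's restored backup can export the day's transactions as CSV with columns date, ref, type and amount, which is an assumed format. It totals each day by transaction type, using Decimal rather than floating point for money, and lists every disagreement between the two copies, including a 75-cent one. The two CSV exports are constructed sample data.

```python
"""Daily summary check: restored backup versus live system (added example).

Assumed export format: CSV with columns date,ref,type,amount. Real practice
software will name these differently; only the comparison logic matters.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal


def daily_summary(csv_text):
    """Per (date, type): (transaction count, total amount). Decimal, never float, for money."""
    summary = defaultdict(lambda: [0, Decimal("0")])
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["date"], row["type"])
        summary[key][0] += 1
        summary[key][1] += Decimal(row["amount"])
    return {key: (count, total) for key, (count, total) in summary.items()}


def reconcile(live_csv, restored_csv):
    """Every date/type where the restored copy disagrees with the live system.
    A missing row, an extra row or a changed amount all show up here."""
    live, restored = daily_summary(live_csv), daily_summary(restored_csv)
    problems = []
    for key in sorted(set(live) | set(restored)):
        l_count, l_total = live.get(key, (0, Decimal("0")))
        r_count, r_total = restored.get(key, (0, Decimal("0")))
        if (l_count, l_total) != (r_count, r_total):
            problems.append({
                "date": key[0],
                "type": key[1],
                "live": (l_count, str(l_total)),
                "restored": (r_count, str(r_total)),
                "difference": str(l_total - r_total),
            })
    return problems


# Constructed sample exports. The restored copy is missing one script and has
# one consult altered by 75 cents: exactly the "small error" worth chasing.
LIVE_CSV = """date,ref,type,amount
2013-01-30,S1001,script,36.10
2013-01-30,S1002,script,5.90
2013-01-30,C2001,consult,65.00
2013-01-30,C2002,consult,65.00
2013-01-31,S1003,script,36.10
"""

RESTORED_CSV = """date,ref,type,amount
2013-01-30,S1001,script,36.10
2013-01-30,C2001,consult,65.75
2013-01-30,C2002,consult,65.00
2013-01-31,S1003,script,36.10
"""

if __name__ == "__main__":
    for problem in reconcile(LIVE_CSV, RESTORED_CSV):
        print(problem)
```

The person running this should be the owner or partner, working from the restored copy on the spare laptop, and the rule is that every line it prints gets explained before the day ends. A backup that verifies by hash can still be wrong in content; this check is the one that tells you whether the data you would restore actually matches the business you ran.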

Practice your Business Continuity procedures regularly and completely in Drills.

* Safely turn-off or disconnect all your regular systems and equipment, then try to restore normal operations.

* For many people, stopping and restarting normal operational systems is a challenge in itself.

You need to time how long individual things take.

You need a meticulous, independent "note taker" in every main area of activity, because later on you'll construct an exact timeline as part of your Post Drill Review.
You have to assume "9/11" conditions:

* assume "the experts" along with all the equipment are unavailable.
* only ordinary staff run the Data Drill and only from the written instructions.
* Phone support is allowed, just not to "the I.T. expert".

After you're back on-line, collect all notes and hold for the Review.
Owners need to be present, but not necessarily for the whole exercise.

* The outcome of the review is for the benefit of the Owners.
* If the Owners aren't committed to the process and willing to personally pursue the changes needed, the Drills and Reviews should be skipped.

Review leaders have to be independent and skilled to encourage full and frank disclosure.

* Staff must be able to speak openly, critically and without fear of consequences.
* Even the best Employer-Employee relationship has "no go" areas that you need to find a way around to discover important information.
* After the first one or two Reviews, you might run them yourself, only having paid Consultants back every year or two to keep you on-track and refresh your process.

Perform regular Post Drill Reviews to refine your Process and Documents [7]. Use the classic Ishikawa categories [8] to structure the review:

* What worked?
* What didn't work?
* People, Management, Method, Machines, Materials, Maintenance, Measurement and Environment.

You can make this a heavyweight, expensive and laborious process or design a lightweight, simple and quick process. The key is: never let someone else sell or install a process you don't follow or can't competently manage by yourself.

A friend whom I convinced to run his practice on an isolated computer did his backups to a rotating set of USB Flash drives. When one failed, he replaced the set. The only extra step he needed was to have his partner, not himself, restore a backup onto a spare laptop and check totals and summaries. With his low turnover, weekly or monthly would've sufficed. I looked for storage appliances that supported encrypted "snapshots" and secure access for him, so he and a business peer could be off-site backups for one another, but at the time none were available. He was interested and willing if I could find him something in the $500 bracket.



Appendix 2.

Three additional important strategic areas of Security you need to consider and address.

Monocultures [9]

* It wasn't a virus that caused the 5-year-long Irish Potato Famine of the 1840s, but the lack of diversity. Only one variety of potato was planted; when an infection (potato blight) arose, it spread everywhere, quickly.
* Most PCs and servers in small business are Windows-based. Because they're popular, this is what hackers target. If you arrange to run your software on other systems, even as Virtual Machines, you will immediately reduce your desirability to mass-market attackers and increase the tools at your disposal for Intrusion Prevention and Detection. This reduces your exposure to commodity malware; it is no substitute for patching and the DSD "top 4".
* Pharmacies and Medical Practices in Australia overwhelmingly run the same practice software. Practices that choose other software greatly reduce their chances of being compromised: For-profit attackers make sensible commercial decisions on where to use their resources and what/whom to target.

Insider Attacks

* Attacks from the Internet are a rising threat and not to be ignored, but they are far from the only threat.
* The highest-impact, highest-value attacks come from people within the system, doing what they are trained and authorised to do.
* Sometimes these people may not be on-site or even work for you: the staff of consultants, suppliers, database providers and software vendors may all potentially defraud you.
* It could be as subtle as a shared database of claimable items and their values being manipulated.
Evidence of this is the all-too-frequent media reports of bank employees being detected and charged with significant fraud or theft, often going back many years.
What we never hear of are the thieves the banks detect but don't charge.
There is extensive anecdotal evidence that large institutions prefer to learn from successful exploits and thefts: perpetrators can be given indemnity if they teach the full exploit to the corporation, along with how to detect and prevent it.
In the mid-70's there were rumours that operations/administration staff who discovered and exploited security flaws would move from bank to bank running the same exploit. Because corporations aren't required to release or share security information, even anonymised and historical, this attack is entirely plausible and hence has to be assumed to be effective and in use.
There is no way to prevent this sort of attack outright; the defences are vigilance and good systems that detect it sooner rather than later. This is why accountants audit, and why normal practice requires two independent people for payments and authorisations (separation of duties), so that no single insider can both initiate and approve a transaction.
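Two detective controls for the insider scenario above (manipulation of a shared table of claimable values, and payments that should need two people), as an added example that is not from the original article or any practice software: a snapshot of the reference table sealed with an HMAC whose key the auditor holds rather than the database administrator, a diff of the live table against that snapshot, and a two-person rule run over a payment log. The table, the key, the threshold and the log lines are all constructed.

```python
"""Two detective controls against the insider manipulation described above.

Added example, not from the original article or any practice software. It
assumes (a) a reference table of claimable item codes and values, (b) a
payment log with a requester and an approver per payment, and (c) an HMAC key
held by the auditor rather than by whoever administers the table. All data
below are constructed.
"""
import hashlib
import hmac
import json

# Constructed snapshot of the claimable-items table approved at the last audit.
APPROVED_TABLE = {"A100": 35.40, "A101": 12.95, "B200": 118.50}
# Constructed key; in practice held by the auditor, not the DBA.
AUDIT_KEY = b"auditor-held-key-not-the-dba's"
# Payments at or above this amount need a second, distinct approver.
DUAL_APPROVAL_THRESHOLD = 1000.00

# Constructed payment log: date,payment_id,amount,requested_by,approved_by
PAYMENT_LOG = [
    "2013-01-15,PAY-1001,450.00,alice,",        # under threshold, one signer is fine
    "2013-01-15,PAY-1002,4500.00,alice,bob",    # two different people, fine
    "2013-01-16,PAY-1003,6200.00,carol,carol",  # self-approved
    "2013-01-16,PAY-1004,9800.00,dave,",        # no second approver at all
]


def canonical(table: dict) -> bytes:
    """Stable byte form: sorted keys, fixed separators, so equal content seals equally."""
    return json.dumps(table, sort_keys=True, separators=(",", ":")).encode()


def seal(table: dict, key: bytes) -> str:
    """HMAC-SHA256 over the table. Stored beside the approved snapshot; without
    the key an insider cannot re-seal a snapshot they have edited."""
    return hmac.new(key, canonical(table), hashlib.sha256).hexdigest()


def audit_table(current: dict, snapshot: dict, snapshot_mac: str, key: bytes) -> dict:
    """First confirm the snapshot itself is untouched, then list every code
    whose value differs between the snapshot and the live table."""
    if not hmac.compare_digest(seal(snapshot, key), snapshot_mac):
        return {"snapshot_trusted": False, "changed": {}}
    changed = {code: (snapshot.get(code), current.get(code))
               for code in sorted(set(snapshot) | set(current))
               if snapshot.get(code) != current.get(code)}
    return {"snapshot_trusted": True, "changed": changed}


def flag_payments(log_lines, threshold: float) -> list:
    """Two-person rule: large payments need an approver who is not the requester."""
    flagged = []
    for line in log_lines:
        _date, pay_id, amount, requested_by, approved_by = line.split(",")
        if float(amount) >= threshold and (not approved_by or approved_by == requested_by):
            flagged.append(pay_id)
    return flagged


def demo() -> dict:
    mac = seal(APPROVED_TABLE, AUDIT_KEY)          # recorded at audit time

    # Live table where one value has had its digits swapped (35.40 -> 53.40).
    live = dict(APPROVED_TABLE, A100=53.40)
    drift = audit_table(live, APPROVED_TABLE, mac, AUDIT_KEY)

    # An insider who also edits the stored snapshot to match still fails,
    # because they cannot recompute the MAC without the auditor's key.
    cooked_snapshot = dict(APPROVED_TABLE, A100=53.40)
    cooked = audit_table(live, cooked_snapshot, mac, AUDIT_KEY)

    return {"drift": drift, "cooked": cooked,
            "flagged": flag_payments(PAYMENT_LOG, DUAL_APPROVAL_THRESHOLD)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The seal is only as good as the key's separation: if the same person can edit the table and read the key, the check collapses into a self-audit. Run the table audit on a schedule and after every vendor update, and feed the flagged payment IDs to whoever signs off the month's accounts.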

Vendor Compromise: if attackers plant "backdoors" in your software [10]

* If your vendor has inadequate security processes and procedures and is compromised, attackers can use that access, and the trust you place in the vendor's software, to get into your systems.
* Done well, you and they might never know, or at least only find out on the day the backdoor is triggered and everyone has their bank accounts drained at once and their hard disks wiped.
* Vendors with dominance in any market segment are prime targets for these attacks. Why would a for-profit attacker attempt to compromise 3500 medical practices individually when they can take over one vendor and own everyone else?
* This isn't a theoretical risk. In 2005 Sony BMG shipped music CDs whose copy-protection software silently installed itself on Windows PCs and hid itself using rootkit techniques; that hiding mechanism was then used by real malware to conceal itself, and the software could not be cleanly removed. Customers trusted the vendor's disc and got something they never asked for and could not see. [11]
While not all attacks can be defeated, vendors need to take extraordinary measures to prevent and detect backdoors being silently inserted into their code, and to let customers verify that what they install is what the vendor actually released.
In the current environment, I'd expect all Healthcare and related Software Vendors to supply statements by Independent Security Testers and Auditors on their Policies, Procedures and Practices.
And proof of some sort of Indemnity Insurance against Contingent Liability claims from all clients.
* If your working Bank Account is drained,
* and you're off the air for a week or two,
* and you've had to pay for teams of consultants to recover and clean your systems, that's a lot of money per individual claim.
* If they have 3-4000 clients each demanding $1-5M, are they insured for that and can the Insurer cover the full amount?
Now is a good time to ask all your Software Vendors if they are covered for Contingent Liabilities caused by their negligence or inadequacy in releasing compromised software.


Links

[0] My previous piece on Healthcare-related businesses as "soft" targets.
[http://stevej-on-it.blogspot.com.au/2013/01/security-healthcare-systems-are-soft.html]

[1] Strong and Secure: A Strategy for Australia's National Security [http://www.dpmc.gov.au/national_security/national-security-strategy.cfm]
PDF 3.44MB: Strong and Secure: A Strategy for Australia's National Security

[2] Australian Cyber Security Centre. January, 2013.
[http://www.pm.gov.au/press-office/australian-cyber-security-centre]

A new Australian Cyber Security Centre will be established in Canberra to boost the country’s ability to protect against cyber-attacks.
Already around 73 per cent of Australians use the internet more than once a day. Australians' use of cyberspace is estimated to be worth $50 billion to our economy, with the rollout of the NBN only expected to accelerate these changes.

Yet Australia's cyberspace is subject to threats:
* In 2011-12, there were more than 400 cyber incidents against government systems requiring a significant response by the Cyber Security Operations Centre.

* In 2012, 5.4 million Australians fell victim to cyber crime with an estimated cost to the economy of $1.65 billion. Securing and protecting our networks, and ensuring confidence in the online environment, is pivotal to Australia’s economy.

[3] Gillard vows to fight 'malicious' cyber attacks
[http://www.abc.net.au/news/2013-01-23/gillard-national-security-strategy/4480448]
* 2011-12 saw a 27 per cent increase in the number of 'cyber incidents requiring a significant response'.
* The Federal Government spent $80 million on cyber security in 2011-12.
[4] DSD: Strategies to Mitigate Targeted Cyber Intrusions
[http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm]
PDF: 700KB http://www.dsd.gov.au/publications/Top_35_Mitigations_2012.pdf

At least 85% of the targeted cyber intrusions that Defence Signals Directorate (DSD) responds to could be prevented by following the first four mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions:
* use application whitelisting to help prevent malicious software and other unapproved programs from running
* patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
* patch operating system vulnerabilities
* minimise the number of users with administrative privileges.

[5] Speech by Director Defence Signals Directorate, 26 February 2010
[http://www.dsd.gov.au/speeches/20100226_nsa_ddsd.pdf]

We judge that the cyber threat comes from a wide range of sources, representing a broad range of skills and varying levels of sophistication. They include:

* individuals working alone;
* issues-motivated groups;
* organised criminal syndicates, as well as
* state-based foreign intelligence services.

[6] The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, by Clifford Stoll.
[http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787]

Summary of "The Cuckoo's Egg" on Wikipedia. Broad strokes only. The book is well-written and very readable, if a little idiosyncratic, as you might expect from an academic astronomer turned administrator.
[http://en.wikipedia.org/wiki/The_Cuckoo's_Egg]

[7] Project Retrospectives: A Handbook for Team Reviews, by Norman L. Kerth
[http://www.dorsethouse.com/books/pr.html]

This is the definitive guide to running the many types of "Reviews" and makes a case as to why what happens after a Project (or Event/Drill) is more important than anything: you get to learn and develop a corporate memory.

Many might first think this approach is too "touchy-feely". Quality Improvement and its twins, Performance and Cost/Efficiency Improvement, are based solely on people learning and changing what's done. If people are involved, then at some point change will require "touchy-feely" work, something many people find confronting or uncomfortable.

[8] Wikipedia has a very basic overview of Ishikawa "Fishbone" diagrams. They may or may not be useful, but his Quality Improvement questions are as good as it gets.


[9] The Dangers of a Software Monoculture, By Bruce Schneier. November 2010

[http://www.schneier.com/essay-331.html]

In 2003, a group of security experts -- myself included -- published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would be interesting to revisit the debate.

The basic problem with a monoculture is that it's all vulnerable to the same attack. The Irish Potato Famine of 1845--9 is perhaps the most famous monoculture-related disaster. The Irish planted only one variety of potato, and the genetically identical potatoes succumbed to a rot caused by Phytophthora infestans. Compare that with the diversity of potatoes traditionally grown in South America, each one adapted to the particular soil and climate of its home, and you can see the security value in heterogeneity.

[10] Reflections on Trusting Trust, Ken Thompson. You can't trust code that you did not totally create yourself.

[http://cm.bell-labs.com/who/ken/trust.html]

This wasn't a piece of speculative writing, but a research report on what works in practice.

[11] Wikipedia on the Sony BMG copy protection rootkit scandal

[http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal]

  • Copyright (C) 2000-2020 Computachem Services, All Rights Reserved.
