Ransomware - The New Kid on the Block | I2P: Information to Pharmacists - Archive
Publication Date 01/07/2014 Volume 6 No. 6
Information to Pharmacists

Editorial

From the desk of the editor

Welcome to the July 2014 homepage edition of i2P (Information to Pharmacists) E-Magazine.
At the commencement of 2014 i2P focused on the need for the entire profession of pharmacy and its associated industry supports to undergo a renewal and regeneration.
We are now half-way through this year and it is quite apparent that pharmacy leaders do not yet have a cohesive and clear sense of direction.
Maybe the new initiative by Woolworths to deliver clinical service through young pharmacists and nurses may sharpen their focus.
If not, community pharmacy can look forward to losing a substantial and profitable market share of the clinical services market.
Who would you blame when that happens?
But I have to admit there is some effort, even though the results are but meagre.
In this edition of i2P we focus on the need for research about community pharmacy, the lack of activity from practicing pharmacists and when some research is delivered, a disconnect appears in its interpretation and implementation.


News Flash

Newsflash Updates for July 2014

Newsflash Updates

Regular weekly updates that supplement the regular monthly homepage edition of i2P. 
Access and click on the title links that are illustrated


Feature Contribution

Woolworths Pharmacy - Getting One Stage Closer

Neil Johnston

It started with “tablet” computers deployed on shelves inside the retailer Coles, specifically to provide information to consumers relating to pain management and the sale of strong analgesics.
This development was reported in i2P under the title "Coles Pharmacy Expansion and the Arid PGA Landscape".
In that article we reported that qualified information was the missing link that Coles' own market research had identified as the reason why it had not succeeded in dominating the pain market.
Of course, Woolworths was working on the same problem at the same time and had come up with a better solution - real people with good information.


Intensive Exposition without crossing over with a supermarket

Fiona Sartoretto Verna AIAPP

Editor's Note: The understanding of a pharmacy's presentation through the research that goes into the design of fixtures and fittings that highlight displays, is a never-ending component of pharmacy marketing.
Over the past decade, Australian pharmacy shop presentations have fallen behind in standards of excellence.
It does not take rocket science - you just have to open your eyes.
Recently, our two major supermarkets, Woolworths and Coles, have entered into the field of drug and condition information provision - right into the heartland of Australian Pharmacy.


The sure way to drive business away

Gerald Quigley

I attended the Pregnancy, Baby and Children’s Expo in Brisbane recently.
What an eye and ear opening event that was!
Young Mums, mature Mums, partners of all ages, grandparents and friends... many asking about health issues and seeking reassurances that they were doing the right thing.


‘Marketing Based Medicine’ – how bad is it?

Baz Bardoe

It should be the scandal of the century.
It potentially affects the health of almost everyone.
Healthcare providers and consumers alike should be up in arms. But apart from coverage in a few credible news sources the problem of ‘Marketing Based Medicine,’ as psychiatrist Dr Peter Parry terms it, hasn’t as yet generated the kind of universal outrage one might expect.


Community Pharmacy Research - Are You Involved?

Mark Coleman

Government funding is always scarce and restricted.
If you are ever going to be a recipient of government funds you will need to fortify any application with evidence.
From a government perspective, this minimises risk.
I must admit that while I see evidence of research projects being managed by the PGA, I rarely see community pharmacists individually and actively engaged in the type of research that would further their own aims and objectives (and survival).


Organisational Amnesia and the Lack of a Curator Inhibits Cultural Progress

Neil Johnston

Most of us leave a tremendous impact on pharmacies we work for (as proprietors, managers, contractors or employees)—in ways we’re not even aware of.
But organisational memories are often all too short, and without a central way to record that impact and capture the knowledge and individual contributions, they become lost to time.
It is ironic that technology has provided us with phenomenal tools for communication and connection, but much of it has also sped up our work lives and made knowledge and memory at work much more ephemeral.


Academics on the payroll: the advertising you don't see

Staff Writer

This article was first published in The Conversation and was written by Wendy Lipworth, University of Sydney and Ian Kerridge, University of Sydney
In the endless drive to get people’s attention, advertising is going ‘native’, creeping in to places formerly reserved for editorial content. In this Native Advertising series we find out what it looks like, if readers can tell the difference, and more importantly, whether they care.
i2P has republished the article as it supports our own independent and ongoing investigations on how drug companies are involved in marketing-based medicine rather than evidence-based medicine.


I’ve been thinking about admitting wrong.

Mark Neuenschwander

Editor's Note: This is an early article by Mark Neuenschwander we have republished after the soul-searching surrounding a recent Australian dispensing error involving methotrexate.
Hmm. There’s more than one way you could take that, huh? Like Someday when I get around to it (I’m not sure) I may admit that I was wrong about something. Actually, I’ve been thinking about the concept of admitting wrong. So don’t get your hopes up. No juicy confessions this month except that I wish it were easier for me to admit when I have been wrong or made a mistake.
Brian Goldman, an ER physician from Toronto, is host of the award-winning White Coat, Black Art on CBC Radio and slated to deliver the keynote at The unSUMMIT for Bedside Barcoding in Anaheim this May. His TED lecture, entitled, “Doctors make mistakes. Can we talk about it?” had already been viewed by 386,072 others before I watched it last week.


Dispensing errors – a ripple effect of damage

Kay Dunkley - BPharm, Grad Dip Hosp Pharm, Grad Dip Health Admin, MPS, MSHPA

Most readers will be aware of recent publicity relating to dispensing errors and in particular to deaths caused by methotrexate being incorrectly packed in dose administration aids.
The Pharmacy Board of Australia (PBA), in its Communique of 13 June 2014, described a methotrexate packing error leading to the death of a patient and noted “extra vigilance is required to be exercised by pharmacists with these drugs”.
This same case was reported by A Current Affair (ACA) in its program on Friday 20 June
http://aca.ninemsn.com.au/article/8863098/prescription-drug-warning


Take a vacation from your vocation

Harvey Mackay

Have you ever had one of those days when all you could think was, “Gosh, do I need a vacation.”
Of course you have – because all work and no play aren’t good for anyone.
A vacation doesn’t have to be two weeks on a tropical island, or even a long weekend at the beach. 
A vacation just means taking a break from your everyday activities. 
A change of pace. 
It doesn’t matter where.
Everyone needs a vacation to rejuvenate mentally and physically. 
But did you also know that you can help boost our economy by taking some days off? 
Call it your personal stimulus package.


Explainer: what is peer review?

Staff Writer

This article was first published in The Conversation. It caught our eye because "peer review" is one of the standards of evidence-based medicine that has also been corrupted by global pharma.
The article is republished by i2P as part of its ongoing investigation into scientific fraud and was written by Andre Spicer, City University London and Thomas Roulet, University of Oxford.
We’ve all heard the phrase “peer review” as giving credence to research and scholarly papers, but what does it actually mean?
How does it work?
Peer review is one of the gold standards of science. It’s a process where scientists (“peers”) evaluate the quality of other scientists' work. By doing this, they aim to ensure the work is rigorous, coherent, uses past research and adds to what we already knew.
Most scientific journals, conferences and grant applications have some sort of peer review system. In most cases it is “double blind” peer review. This means evaluators do not know the author(s), and the author(s) do not know the identity of the evaluators.
The intention behind this system is to ensure evaluation is not biased.
The more prestigious the journal, conference, or grant, the more demanding will be the review process, and the more likely the rejection. This prestige is why these papers tend to be more read and more cited.


Dentists from the dark side?

Loretta Marron OAM BSc

While dining out with an elderly friend, I noticed that he kept his false tooth plate in his shirt pocket. He had recently had seven amalgam-filled teeth removed, because he believed that their toxins were making him sick; but his new plate was uncomfortable. He had been treated by an 'holistic dentist'. Claiming to offer a "safe and healthier alternative" to conventional dentistry, are they committed to our overall health and wellbeing or are they promoting unjustified fear, unnecessarily extracting teeth and wasting our money?


Planning for Profit in 2015 – Your key to Business Success

Chris Foster

We are now entering a new financial year and it’s a great time to reflect on last year and highlight those things that went well and those that may have impacted negatively in the pursuit of your goals.
It's also a great time to spend some time re-evaluating your personal and business short, medium and long term goals in the light of events over the last year.
The achievement of your goals will in many cases depend on setting and aspiring to specific financial targets. It's important to recognise that many of your personal goals will require you to generate sufficient business profits to fund those aspirations.


ReWalk™ Personal Exoskeleton System Cleared by FDA for Home Use

Staff Writer

Exoskeleton leader ReWalk Robotics announced today that the U.S. Food and Drug Administration has cleared the company’s ReWalk Personal System for use at home and in the community.
ReWalk is a wearable robotic exoskeleton that provides powered hip and knee motion to enable individuals with Spinal Cord Injury (SCI) to stand upright and walk.
ReWalk, the only exoskeleton with FDA clearance via clinical studies and extensive performance testing for personal use, is now available throughout the United States.


Attracting and Retaining Great People

Barry Urquhart

Welcome to the new financial year in Australia.
For many in business the past year has been described as a challenging period.
Adjectives are a key feature of the English language. In the business lexicon their use can be, and often is, evocative and stimulates creative images. But they can also contribute to inexact, emotional perceptions.
Throughout the financial pages of newspapers and business magazines adjectives abound.
References to "hot" money draw attention and comment. The recent wave of funds from Chinese investors, keen to remove their wealth from the jurisdiction and control of government regulations, is creating a potential property bubble in Australia.


Updating Your Values - Extending Your Culture

Neil Johnston

Pharmacy culture is dormant.
Being comprised of values, unless each value is continually addressed, updated or deleted, entire organisations can stagnate (or entire professions such as the pharmacy profession).
Good values offer a strong sense of security, knowing that if you operate within the boundaries of your values, you will succeed in your endeavours.


Evidence-based medicine is broken. Why we need data and technology to fix it

Staff Writer

The following article is reprinted from The Conversation and forms up part of our library collection on evidence-based medicines.
At i2P we also believe that the current model of evidence is so fractured it will never be able to be repaired.
All that can happen is that health professionals should independently test and verify through their own investigations what evidence exists to prescribe a medicine of any potency.
Health professionals that have patients (such as pharmacists) are ideally placed to observe and record the efficacy for medicines.
All else should confine their criticisms to their evidence of the actual evidence published.
If there are holes in it then share that evidence with the rest of the world.
Otherwise, do not be in such a hurry to criticise professions that have good experience and judgement to make a good choice on behalf of their patients, simply because good evidence has not caught up with reality.


Laropiprant is the Bad One; Niacin is/was/will always be the Good One

Staff Writer

Orthomolecular Medicine News Service, July 25, 2014
Laropiprant is the Bad One; Niacin is/was/will always be the Good One
by W. Todd Penberthy, PhD

(OMNS July 25, 2014) Niacin has been used for over 60 years in tens of thousands of patients with tremendously favorable therapeutic benefit (Carlson 2005).
In the first-person NY Times best seller, "8 Weeks to a Cure for Cholesterol," the author describes his journey from being a walking heart attack time bomb to a becoming a healthy individual.
He hails high-dose niacin as the one treatment that did more to correct his poor lipid profile than any other (Kowalski 2001).


Culture Drive & Pharmacy Renewal

Neil Johnston

Deep within all of us we have a core set of values and beliefs that create the standards of behaviour that we align with when we set a particular direction in life.
Directions may change many times over a lifetime, but with life experiences and maturity values may increase in number or gain greater depth.
All of this is embraced under one word – “culture”.
When a business is born it will only develop if it has a sound culture, and the values that comprise that culture are initially inherent in the business founder.
A sound business culture equates to a successful business and that success is often expressed in the term “goodwill” which can be eventually translated to a dollar value.


Pharmacy 2014 - Pharmacy Management Conference

Neil Johnston

The brave new world of health and wellness is not the enemy of Pharmacy, it is its champion.
Australian futurist, Morris Miselowski, one of the world's leading business visionaries, will present the Opening Keynote address on Pharmacy's Future in the new Health and Wellness Landscape at 2.00pm on Wednesday July 30.
Morris believes the key to better health care could already be in your pocket, with doctors soon set to prescribe iPhone apps, instead of pills.
Technology will revolutionise the health industry - a paradigm shift from healthcare to personal wellness.
Health and wellness applications on smartphones are already big news, and are dramatically changing the way we manage our personal health and everyday wellness.


Generation and Application of Community Pharmacy Research

Neil Johnston

Editor’s Note: We have had a number of articles in this issue relating to pharmacy research.
The PGA has conducted a number of research initiatives over the years, including one recently reported in Pharmacy News that resulted from an analysis of the QCPP Patient Questionnaire.
Pharmacy Guild president, George Tambassis, appears to have authored the article following, and there also appears to be a disconnect between the survey report and its target audience illustrated by one of the respondent comments published.
I have asked Mark Coleman to follow through, elaborate and comment:


Ransomware - The New Kid on the Block

Steve Jenkin

Steve Jenkin has spent 40 years in ICT in a wide variety of roles and systems.
He developed an interest in Quality and Turnarounds, "Working Smarter" and reducing wasted effort.
From working in Telecommunications, he was imbued with the notion of "Client First" and owing a "Fiduciary Duty" towards clients, as underlies Medicine. His current interests include the intersection of Quality, Safety and I.T. in Medicine and Healthcare.

Editor's Note:
Late in 2012, a medical practice on the Gold Coast of Queensland came under cyber attack in a unique way.
Instead of patient data being stolen, it was kidnapped in place, by encrypting all practice data so that it could not be read.
A key was then offered at a price so that the data could be opened.
Thus was born "Ransomware", and a new threat had emerged.
i2P asked Steve Jenkin, our resident IT expert, to give some insights into this new threat and the precautions we might all need to take to eliminate this new approach to hacking.
If you need an incentive, just imagine if your PBS claim data was locked up for a week and your ability to generate a claim was locked up for six weeks, plus all attendant costs in restoring your data.
Would you survive in your business?
This reference article by Steve is important enough to use as a checklist for your IT provider or for your IT consultant to utilise in the next complete review of your entire system.
Steve's comments follow:

If you run a Healthcare-related Business, things changed in the last 6 months...
Ransomware is set to boom [0] and cyber-security is now part of our National Security Plan.
Businesses now have to secure their computers and data just as they secure their premises and goods.
Ask yourself this: "If my computers were destroyed, how long could I continue the business? At reduced capacity, or at all?" - then act accordingly.

The Internet is defined by its explosive growth: A few For-Profit hackers have noticed Business Ransomware is an ideal way to monetise remote computer attacks & exploits.
Expect these attacks to double every few months now.
In a year they will be endemic.

Every business that can raise $5,000 and relies on its systems and data for daily operations is now in their sights.
If you haven't taken adequate steps to protect your computer systems and data, your general insurance company may refuse claims of damage now, certainly in the near future.
Expect Data Insurance and Computer Security Assessment businesses to come knocking on your door looking to sign you up.

Vendors will promise "golden bullets" to solve all problems, but you, as the owner of the business, have the ultimate responsibility for opening the doors and trading.
They don't.
It's your business on the line, not theirs - act accordingly.

The Prime Minister has released a new Security Policy and cyber security, for both Government and Private sectors, is seen as a crucial on-going activity. [1] [2][3]
At least 70% of the cyber intrusions the Defence Signals Directorate [DSD, responsible for Govt. cyber-security standards & some operations] responded to in 2012 could have been prevented if organisations had implemented the top four of the mitigation strategies (listed below), up from 70% in 2009 [4].

The government also neatly divides cyber-attackers into four categories, but in business your focus has to be on the money: For-Profit attackers. [5]

If you read and apply DSD's "top 35 mitigation strategies", noting that nothing is 100% safe from all attacks, there are still some things you need to be doing. Good Security is never "static" but active, and you have to be doing more than putting "protection" in place. [4]

* Your Business is Your Data.

Don't just do backups, practice restores and actively check your data is complete, correct and consistent.

* Hardware is Cheap.

Have some laptops pre-built as replacements for all operational systems. Slow service is far, far better than no service.

* Not Everything should be connected to the Internet.

For-Profit hackers won't bother trying to get past "air-gaps" onto isolated networks. Traffic segregation and Network segmentation are cheap, powerful security techniques.

These same mitigations will also address Business Continuity issues from many sources.
The Gold Coast medical practice that lost its records had been compromised two weeks before their files were encrypted and a ransom demanded. The hackers turned off the daily backups and nobody noticed.

Otherwise, they were a model business.
They had just upgraded their firewall, ran separate servers, had security experts setup and administer their systems and religiously did backups.
They definitely would've complied with the "top 4" DSD recommendations, probably all in the "top 35".

Nobody had thought to tell them that "whilst backups are done, only restores are ever requested". They, like most businesses, didn't actively check their precious data, just assumed "it worked once, so what could possibly go wrong?".

Here is a simple strategy for small businesses, especially Healthcare-related high-value targets:

* Add another layer to your backups: snapshots over the network. Never rely on just one method or copy of your data.
* Find someone that cares about the business and integrate checking backup data into their daily schedule. Checks can never be "make work", they have to be real, useful tasks. [6]
* Practice your Business Continuity procedures regularly and completely in Drills.
* Perform regular Post Drill Reviews to Refine your Process and Documents [7][8].

You can make this a heavyweight, expensive and laborious process or design a lightweight, simple and quick process.
The key is: never let someone else sell or install a process you don't follow or can't competently manage by yourself.

A friend whom I convinced to run his practice on an isolated computer did his backups to a rotating set of USB Flash drives.  The only extra step he needed was to have his partner, not himself, restore a backup onto a spare laptop and check totals and summaries.

But wait, there's more...

Having done all this you will have a reasonably secure system and very robust Business Continuity processes, and can take Internet exploits in your stride.
There are three other important strategic areas of Security you need to consider and address.

Vendor Compromise: if attackers plant "backdoors" in your software, you're gone. [10]
Monocultures [9]

* If everyone runs the same O/S and Software, it's Nirvana for attackers.

Insider Attacks

* Attacks from the Internet are a rising threat and not to be ignored, but people already working for you, doing their authorised work have more potential for fraud and damage.

If Sony can foul up and send out compromised software, anyone might if they aren't actively checking.

Now is a good time to ask all your Software Vendors if they are covered for Contingent Liabilities caused by their negligence or inadequacy in releasing compromised software.

There are very simple and completely effective actions you can take to recover your Business Operations quickly: pre-built, pre-positioned hardware, good backups, regular Drills + Reviews, Daily summary checks from backups by an owner.

If your current I.T. support doesn't agree or can't supply those services, you need to be seeking a second opinion.

After all, what have you to lose but your entire livelihood and investment?



Appendix 1.

A simple Backup/Continuity strategy for small businesses, especially Healthcare-related high-value targets:

Perform regular Post Drill Reviews to refine your Process and Documents [7]: use the classic Ishikawa categories to help.

Add another layer to your backups; never rely on just one method or copy of your data:

* Store critical data on a network device with automatic, continuous or periodic backups (or "snapshots") to an off-site device.
* For extra credit, provide a dedicated link and a very restrictive firewall for just this purpose at both ends.

Find someone that cares about the business and integrate checking backup data into their daily schedule. Checks can never be "make work", they have to be real, useful tasks.

* Nobody cares more about a business than an owner. Nor can risk be delegated or outsourced.
* Print or view from the backup daily summary reports of all accounting and line-of-business transactions (sales, consults, patients, work dispatched).
* Look for and investigate small errors; they are meaningful. Computers don't "just make mistakes": one of the best documented international hacking/espionage cases came from a diligent administrator looking into a minor discrepancy. [6]
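As an added example (not part of Steve's article or any vendor product), here is a small Python script that implements the daily checks recommended above and in the "Your Business is Your Data" point: it flags a nightly backup that has silently stopped (the Gold Coast failure mode, where the backups were turned off and nobody noticed), verifies the newest archive against a recorded checksum, and restores the sales table from that archive to compare counts and totals with what the live system reports. The archive naming, the manifest file and the sales.csv layout are assumptions made for the example, and the backup set it checks is constructed inline.

```python
import csv
import hashlib
import io
import json
import tarfile
import tempfile
from datetime import date
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 1  # a nightly backup older than this means the job has stopped


def sha256_of(path):
    """Hash an archive in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_backup(backup_dir, stamp, rows):
    """Constructed sample: a nightly tar holding a sales.csv export (id, amount_cents)."""
    text = io.StringIO()
    writer = csv.writer(text)
    writer.writerow(["id", "amount_cents"])
    writer.writerows(rows)
    payload = text.getvalue().encode("utf-8")
    path = Path(backup_dir) / f"backup-{stamp.isoformat()}.tar"
    with tarfile.open(path, "w") as tar:
        info = tarfile.TarInfo("sales.csv")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return path


def write_manifest(backup_dir):
    """Record one checksum per archive (assumed format; keep a copy off-site)."""
    backup_dir = Path(backup_dir)
    manifest = {p.name: sha256_of(p) for p in backup_dir.glob("backup-*.tar")}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def summarise_restored_sales(archive):
    """'Restore' the sales table straight from the archive and recompute the totals."""
    count, total = 0, 0
    with tarfile.open(archive) as tar:
        member = tar.extractfile("sales.csv")
        for row in csv.DictReader(io.TextIOWrapper(member, encoding="utf-8")):
            count += 1
            total += int(row["amount_cents"])
    return {"sales_count": count, "sales_total": total}


def check_backups(backup_dir, live_summary, today):
    """Three daily checks: is the newest backup fresh, is it intact, and does it
    restore to the same counts and totals the live system reports?"""
    backup_dir = Path(backup_dir)
    findings = []
    archives = sorted(backup_dir.glob("backup-*.tar"))  # ISO dates sort in date order
    if not archives:
        return {"ok": False, "findings": ["no backup archives found"]}
    latest = archives[-1]
    stamp = date.fromisoformat(latest.stem[len("backup-"):])
    age_days = (today - stamp).days
    if age_days > MAX_BACKUP_AGE_DAYS:
        findings.append(f"{latest.name} is {age_days} days old: has the backup job been stopped?")
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    if manifest.get(latest.name) != sha256_of(latest):
        findings.append(f"{latest.name} does not match its recorded checksum")
    restored = summarise_restored_sales(latest)
    for key in ("sales_count", "sales_total"):
        if restored[key] != live_summary[key]:
            findings.append(f"{key}: backup has {restored[key]}, live system reports {live_summary[key]}")
    return {"ok": not findings, "latest": latest.name, "restored": restored, "findings": findings}


def run_demo():
    """Constructed scenario: nightly backups up to 1 July 2014, checked under three conditions."""
    rows = [(1, 4500), (2, 12995), (3, 850)]
    with tempfile.TemporaryDirectory() as tmp:
        for day in (29, 30):
            write_backup(tmp, date(2014, 6, day), rows[:2])
        write_backup(tmp, date(2014, 7, 1), rows)
        write_manifest(tmp)
        live = {"sales_count": 3, "sales_total": 18345}
        return {
            "fresh": check_backups(tmp, live, date(2014, 7, 2)),
            # two weeks later with no newer archive: the Gold Coast failure mode
            "stale": check_backups(tmp, live, date(2014, 7, 16)),
            # the live system reports one more sale than the backup holds
            "drift": check_backups(tmp, {"sales_count": 4, "sales_total": 20000}, date(2014, 7, 2)),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "OK" if result["ok"] else "; ".join(result["findings"]))
```

Any non-empty findings list is the "small error" the article says to investigate the same day, not to explain away.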

Practice your Business Continuity procedures regularly and completely in Drills.

* Safely turn-off or disconnect all your regular systems and equipment, then try to restore normal operations.

* For many people, stopping and restarting normal operational systems is a challenge in itself.

You need to time how long individual things take.

You need a meticulous, independent "note taker" in every main area of activity, because later on you'll construct an exact timeline as part of your Post Drill Review.
You have to assume "9/11" conditions:

* assume "the experts" along with all the equipment are unavailable.
* only ordinary staff run the Data Drill and only from the written instructions.
* Phone support is allowed, just not to "the I.T. expert".

After you're back on-line, collect all notes and hold for the Review.
Owners need to be present, but not necessarily for the whole exercise.

* The outcome of the review is for the benefit of the Owners.
* If the Owners aren't committed to the process and willing to personally pursue the changes needed, the Drills and Reviews should be skipped.

Review leaders have to be independent and skilled to encourage full and frank disclosure.

* Staff must be able to speak openly, critically and without fear of consequences.
* Even the best Employer-Employee relationship has "no go" areas that you need to find a way around to discover important information.
* After the first one or two Reviews, you might run them yourself, only having paid Consultants back every year or two to keep you on-track and refresh your process.

What worked?
What didn't work?
People, Management, Method, Machines, Materials, Maintenance, Measurement and Environment. [8]

You can make this a heavyweight, expensive and laborious process or design a lightweight, simple and quick process. The key is: never let someone else sell or install a process you don't follow or can't competently manage by yourself.

A friend whom I convinced to run his practice on an isolated computer did his backups to a rotating set of USB Flash drives. When one failed, he replaced the set. The only extra step he needed was to have his partner, not himself, restore a backup onto a spare laptop and check totals and summaries. With his low turnover, weekly or monthly would've sufficed. I looked for storage appliances that supported encrypted "snapshots" and secure access for him, so he and a business peer could be off-site backups for one another, but at the time none were available. He was interested and willing if I could find him something in the $500 bracket.



Appendix 2.

Three additional important strategic areas of Security you need to consider and address.

Monocultures [9]

* It wasn't a virus that caused the 5-year Irish Potato Famine of the mid-1800s, but a lack of diversity. Only one variety of potato was planted, so when an infection arose it spread everywhere, quickly.
* Most PCs and servers in small business are Microsoft based. Because they're popular, this is what hackers target. If you arrange to run your software on other systems, even as Virtual Machines, you will immediately reduce your desirability for attackers and increase the tools at your disposal for Intrusion Prevention and Detection.

* Pharmacies and Medical Practices in Australia overwhelmingly run the same practice software. Practices that choose other software immediately and greatly reduce their chances of being compromised: For-Profit attackers make sensible commercial decisions on where to use their resources and what/whom to target.

Insider Attacks

* Attacks from the Internet are a rising threat and not to be ignored, but far from the only threat.
* The highest impact and value attacks come from people within the system, doing what they are trained and authorised to do.
* Sometimes these people may not be on-site or even work for you: the staff of consultants, suppliers, database suppliers and vendors may all potentially defraud you.
* It could be as subtle as a common database of claimable items and values being manipulated.
Proof of this is the all-too-frequent media reports of Bank employees being detected and charged with significant fraud/theft, often going back many years.
What we never hear of are those thieves the Banks detect but don't charge.
There is extensive anecdotal evidence that large institutions prefer to learn from successful exploits and theft: perpetrators can be given indemnity if they teach the full exploit to the corporation, along with how to detect and prevent it.
In the mid-70s, there were rumours that operations/administration staff who discovered and exploited security flaws would move from Bank to Bank running the same exploit. Because corporations aren't required to release or share Security information, even anonymised and historical, this attack is entirely plausible and hence has to be assumed effective and in use.
There is no defence against this sort of attack, only vigilance and good systems that will detect it sooner rather than later. This is why Accounting does Audits and why normal practice is to require two independent people for payments and authorisations.

Vendor Compromise: if attackers plant "backdoors" in your software [10]

* If your Vendor has inadequate security processes and procedures and is compromised, attackers can use them to get access to your systems.
* Done well, you and they might never know, or at least only find out on "Zero Day" when everyone has their bank accounts drained at once and hard disks wiped.
* Vendors with dominance in any market segment are prime targets for these attacks. Why would a For-Profit attacker attempt to compromise 3500 Medical Practices individually when they can just take over one Vendor and own everyone else.
* This isn't a theoretical risk. In 2005 Sony released a new feature on CD-ROM drives to automatically delete pirated music. Unfortunately, they'd let a virus, a rootkit, get into their software, presumably undetected. [11]
While not all attacks can be defeated, Vendors need to take extraordinary measures to prevent and detect backdoors being silently inserted into their code.
In the current environment, I'd expect all Healthcare and related Software Vendors to supply statements by Independent Security Testers and Auditors on their Policies, Procedures and Practices,
and proof of some sort of Indemnity Insurance against Contingent Liability claims from all clients.
* If your working Bank Account is drained,
* and you're off the air for a week or two,
* and you've had to pay for teams of consultants to recover and clean your systems, that's a lot of money per individual claim.
* If they have 3-4000 clients each demanding $1-5M, are they insured for that and can the Insurer cover the full amount?
Now is a good time to ask all your Software Vendors if they are covered for Contingent Liabilities caused by their negligence or inadequacy in releasing compromised software.


Links

[0] My previous piece on Healthcare-related businesses as "soft" targets.
[http://stevej-on-it.blogspot.com.au/2013/01/security-healthcare-systems-are-soft.html]

[1] Strong and Secure: A Strategy for Australia's National Security [http://www.dpmc.gov.au/national_security/national-security-strategy.cfm]
PDF 3.44MB: Strong and Secure: A Strategy for Australia's National Security

[2] Australian Cyber Security Centre. January, 2013.
[http://www.pm.gov.au/press-office/australian-cyber-security-centre]

A new Australian Cyber Security Centre will be established in Canberra to boost the country’s ability to protect against cyber-attacks.
Already around 73 per cent of Australians use the internet more than once a day. Australians' use of cyberspace is estimated to be worth $50 billion to our economy, with the rollout of the NBN only expected to accelerate these changes.

Yet Australia's cyberspace is subject to threats:
* In 2011-12, there were more than 400 cyber incidents against government systems requiring a significant response by the Cyber Security Operations Centre.

* In 2012, 5.4 million Australians fell victim to cyber crime with an estimated cost to the economy of $1.65 billion. Securing and protecting our networks, and ensuring confidence in the online environment, is pivotal to Australia’s economy.

[3] Gillard vows to fight 'malicious' cyber attacks
[http://www.abc.net.au/news/2013-01-23/gillard-national-security-strategy/4480448]
* 2011-12 saw a 27 per cent increase in the number of 'cyber incidents requiring a significant response'.
* The Federal Government spent 80 million on cyber security in 2011-12.

[4] DSD: Strategies to Mitigate Targeted Cyber Intrusions
[http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm]
PDF: 700KB http://www.dsd.gov.au/publications/Top_35_Mitigations_2012.pdf

At least 85% of the targeted cyber intrusions that Defence Signals Directorate (DSD) responds to could be prevented by following the first four mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions:
* use application whitelisting to help prevent malicious software and other unapproved programs from running
* patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
* patch operating system vulnerabilities
* minimise the number of users with administrative privileges.

[5] Speech by Director Defence Signals Directorate, 26 February 2010
[http://www.dsd.gov.au/speeches/20100226_nsa_ddsd.pdf]

We judge that the cyber threat comes from a wide range of sources, representing a broad range of skills and varying levels of sophistication. They include:

* individuals working alone;
* issues-motivated groups;
* organised criminal syndicates, as well as
* state-based foreign intelligence services.

[6] The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, by Clifford Stoll.
[http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787]

Summary of "The Cuckoo's Egg" on Wikipedia. Broad strokes only. The book is well-written and very readable, if a little idiosyncratic, as you might expect from an Academic Astronomer-turned-Administrator.
[http://en.wikipedia.org/wiki/The_Cuckoo's_Egg]

[7] Project Retrospectives: A Handbook for Team Reviews, by Norman L. Kerth
[http://www.dorsethouse.com/books/pr.html]

This is the definitive guide to running the many types of "Reviews" and makes a case as to why what happens after a Project (or Event/Drill) is more important than anything: you get to learn and develop a corporate memory.

Many might first think this approach is too "touchy-feely". Quality Improvement and its twins, Performance and Cost/Efficiency Improvement, are solely based on People Learning and Changing what's done. If People are involved, then at some point Change will require "touchy-feely" work, something many people find confronting or uncomfortable.

[8] Wikipedia has a very basic overview of Ishikawa "Fishbone" diagrams. They may or may not be useful, but his Quality Improvement questions are as good as it gets.


[9] The Dangers of a Software Monoculture, By Bruce Schneier. November 2010

[http://www.schneier.com/essay-331.html]

In 2003, a group of security experts -- myself included -- published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would be interesting to revisit the debate.

The basic problem with a monoculture is that it's all vulnerable to the same attack. The Irish Potato Famine of 1845--9 is perhaps the most famous monoculture-related disaster. The Irish planted only one variety of potato, and the genetically identical potatoes succumbed to a rot caused by Phytophthora infestans. Compare that with the diversity of potatoes traditionally grown in South America, each one adapted to the particular soil and climate of its home, and you can see the security value in heterogeneity.

[10] Reflections on Trusting Trust, Ken Thompson. You can't trust code that you did not totally create yourself.

[http://cm.bell-labs.com/who/ken/trust.html]

This wasn't a piece of speculative writing, but a research report on what works in practice.

[11] Wikipedia on the Sony BMG copy protection rootkit scandal

[http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal]

  • Copyright (C) 2000-2020 Computachem Services, All Rights Reserved.