November 30th should be marked as a day of infamy for our modern, connected times. In November 1988, a self-replicating program written by Cornell University graduate student Robert Tappan Morris was discovered spreading through university computer systems. This so-called “Morris worm” (often called a virus, though it needed no host program and no user action to spread) quickly moved to other connected university systems. If it had been stopped there, people would have let out a sigh of relief, and the worm would have been relegated to a footnote in some obscure scholastic journal.

Unfortunately, it did not. The worm also spread across ARPANET, the predecessor of today’s Internet. The US Defense Advanced Research Projects Agency (DARPA), in response, submitted a recommendation to deal with such computer attacks on a 24/7 basis. This led to the establishment of the National Computer Infection Action Team (NCAT). Shortly afterward, the Software Engineering Institute (SEI) assembled the Computer Emergency Response Team (CERT) for a similar purpose. However, it was the Association for Computing Machinery’s (ACM) Special Interest Group on Security, Audit, and Control in Washington, D.C. that finally selected November 30th for National Computer Security Day (CSD). Why? “November 30 was chosen for CSD,” notes Network World, “so that attention on computer security would remain high during the holiday season – when people are typically more focused on the busy shopping season than thwarting security threats.”

In honor of this lesser-known but important day, we’re covering select cybersecurity issues in the healthcare, industrial, and enterprise verticals with suggestions on managing them. 

Keeping People Authenticated In Healthcare

The increased use of digital and mobile technologies in healthcare has introduced many benefits to health organizations, hospitals, providers, and patients. We’ve covered several, like the use of robotics in healthcare, digital collaboration, and the importance of a digital front door.

All that delicious data, though, has attracted the cybercriminal element. A stolen medical record, according to one governmental task force on healthcare, is worth $10 to $1,000 each to criminals depending on the completeness of patient information. In addition, healthcare IT (HIT) is hampered by:

  • The sheer amount of information generated from electronic sources like EMR and networked medical devices, the latter of which can number 10 to 15 per hospital bed.
  • Tight and stagnant IT budgets. On average, healthcare organizations spend about five percent of their IT budget on cybersecurity.
  • Stringent HIPAA rules, which are mandatory for covered healthcare organizations and their business associates and carry expensive penalties if violated.

Authenticating one’s staff is our recommendation to celebrate Computer Security Day in healthcare. Single-factor authentication, like a password on its own, is a start. Unfortunately, a password is vulnerable to “social engineering,” that is, manipulation by cybercriminals into handing over confidential information. Phishing is the best-known form of social engineering, and a phished password is all an attacker needs when the password is the only factor.

Adding a second factor, like a nurse tapping an RFID badge at a medical computer and then entering a PIN, is much more secure: a phished password alone no longer opens the account, because the attacker does not hold the badge. A physical item like an RFID badge is quickly becoming the standard for securing logins to sensitive data; smartcards and biometrics serve the same role as the second factor. One caveat a practitioner should keep in mind: a badge that merely broadcasts a static ID number can be cloned with inexpensive equipment, so treat the badge as an identifier rather than a secret and always pair it with a PIN or password (or choose cards that authenticate cryptographically). Used that way, all these methods make sure only authorized personnel get access to confidential data.
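To make the badge-plus-PIN idea concrete, here is an added example (not code from Cybernet or from any product the page describes) of how the workstation side of such a login can be verified. The badge UID, the PIN, the lockout thresholds and the PBKDF2 work factor are all assumed values for illustration; the enrolled badge is constructed inline so the script runs offline. The security properties it demonstrates are that a badge tap with no PIN never succeeds, PINs are stored only as salted, stretched hashes, comparisons are constant-time, an unknown badge costs the same time as a known one, and repeated bad PINs lock the badge out.

```python
import hashlib
import hmac
import secrets
import time

# Assumed work factor for illustration; tune for your hardware.
PBKDF2_ITERATIONS = 100_000


class BadgePinAuthenticator:
    """Two-factor login: something you have (badge UID read by the RFID
    reader) plus something you know (a PIN). The badge alone never succeeds."""

    def __init__(self, max_attempts=5, lockout_seconds=300):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._records = {}    # badge_uid -> (salt, pin_hash)
        self._failures = {}   # badge_uid -> (failure_count, last_failure_time)
        # Dummy record so that an unknown badge takes as long to reject as a
        # known badge with a wrong PIN (no timing oracle on badge existence).
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = self._derive(self._dummy_salt, "0000")

    @staticmethod
    def _derive(salt, pin):
        # Salted, stretched hash: the PIN itself is never stored.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, badge_uid, pin):
        if len(pin) < 4 or not pin.isdigit():
            raise ValueError("PIN must be at least 4 digits")
        salt = secrets.token_bytes(16)
        self._records[badge_uid] = (salt, self._derive(salt, pin))

    def authenticate(self, badge_uid, pin, now=None):
        """Return 'ok', 'missing_pin', 'locked_out', 'bad_pin' or 'unknown_badge'."""
        now = time.time() if now is None else now
        if not pin:
            # Possession of the badge is one factor; refuse single-factor logins.
            return "missing_pin"
        count, last = self._failures.get(badge_uid, (0, 0.0))
        if count >= self.max_attempts:
            if now - last < self.lockout_seconds:
                return "locked_out"
            count = 0  # lockout window has expired; start counting again
        salt, expected = self._records.get(
            badge_uid, (self._dummy_salt, self._dummy_hash))
        candidate = self._derive(salt, pin)
        # compare_digest runs in constant time; the membership check makes sure
        # a guess against the dummy record can never log anyone in.
        if hmac.compare_digest(candidate, expected) and badge_uid in self._records:
            self._failures.pop(badge_uid, None)
            return "ok"
        self._failures[badge_uid] = (count + 1, now)
        return "bad_pin" if badge_uid in self._records else "unknown_badge"


def demo():
    """Walk through the cases a nurse's badge-and-PIN login has to handle."""
    auth = BadgePinAuthenticator(max_attempts=3, lockout_seconds=300)
    auth.enroll("04A1B2C3", "7391")   # constructed badge UID and PIN
    t = 1_700_000_000.0               # fixed clock so the run is deterministic
    results = {
        "badge_only": auth.authenticate("04A1B2C3", "", now=t),
        "right": auth.authenticate("04A1B2C3", "7391", now=t),
        "unknown": auth.authenticate("DEADBEEF", "7391", now=t),
    }
    for i in range(3):   # three wrong PINs trip the lockout
        results[f"wrong{i}"] = auth.authenticate("04A1B2C3", "0000", now=t + i)
    results["locked"] = auth.authenticate("04A1B2C3", "7391", now=t + 10)
    results["after_lockout"] = auth.authenticate("04A1B2C3", "7391", now=t + 400)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14} -> {outcome}")
```

The PIN check is deliberately the only secret-bearing step: the badge UID is treated as a username, which is the right model for a card that can be read or cloned by anyone within range. In a real deployment the enrolled records would live in the identity system rather than in memory, and the lockout state should be shared across workstations so an attacker cannot spread guesses over several machines.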

Legacy Devices Require Modern Solutions   

The industrial vertical has been trending with lots of new concepts and even paradigm shifts. Some that have caught our eye include the Fourth Industrial Revolution, Industrial Internet of Things (IoT), and Smart Factories.  What they all have in common is a massive amount of connectivity among the once disparate parts in the manufacturing segment. 

As expected, all this growth, and the money pouring in to fund it, has caught the hungry eye of the cybercriminal. In 2020, a cyber-attack locked Honda personnel out of internal systems ranging from email to servers. Operations were affected in Japan, the UK, North America, Turkey, and Italy. And last year’s ransomware attack on Colonial Pipeline caused fuel shortages in the states of Alabama, Florida, North Carolina, and South Carolina. The pipeline operator paid nearly $5 million in bitcoin to obtain a decryption tool from the perpetrators.

For this year’s Computer Security Day, we recommend the incorporation and protection of legacy devices. These items, both hardware and software, are considered outdated by today’s standards but are still in use. One such example is serial ports. Once used to connect PCs to peripherals like a modem, printer, or mouse, they have been replaced by faster and more efficient USB ports. Unfortunately, the Operational Technology (OT) department at a manufacturing plant cannot easily replace serial-equipped legacy devices: many are irreplaceable, too costly to swap out, speak proprietary protocols, or can only be replaced by taking critical manufacturing systems offline. An industrial rugged mini PC with the right number of serial ports can keep such devices humming along while providing today’s cybersecurity protections. Keep in mind that serial protocols generally carry no authentication or encryption of their own, so the bridging PC becomes the control point: it should sit on a segmented OT network, expose the device only to authenticated users and systems, and log who talked to it.

Just Say No to BYOD

BYOD, or Bring Your Own Device, is the practice of employees using their own personal mobile devices for work purposes, whether in enterprise or any other industry. Usually these are smartphones and tablets, though the definition has included laptops and even smart watches. Proponents of the policy say it’s less costly (since the company doesn’t have to pay for the proper equipment like, you know, a real business tablet), and employees (supposedly) get greater satisfaction in using their beloved mobile all day.

Here’s our contribution on this issue for Computer Security Day: Don’t. Do. It.

We’ve covered our four major reasons in the post, Are BYOD Policies In Healthcare a Mistake? With one exception (which we’ll get into in a moment), they apply to all three verticals:

It’s the Liability Principle

Who’s responsible when the employee’s BYOD breaks or is stolen? Company-owned tablets can be secured with Kensington locks to deter theft. And PCs truly dedicated to the workplace are equipped with a Trusted Platform Module (TPM), which protects the key for full-disk encryption (BitLocker on Windows, for instance) so a thief who pulls the drive cannot read the data on it. For the strongest protection, require a PIN or password at boot in addition to the TPM, so the disk key is not released automatically to whoever powers on a stolen machine.

Tainted IT 

BYOD devices are a hodgepodge of operating systems and apps, many of them not optimized for the business network environment. And IT may not be able to open them up or even touch them, depending on liability concerns. Who, then, deals with the virus that jumped from a BYOD device and is now infecting the entire network? 

The Sound of (No) Standards 

Information Technology, whether it’s HIT, OT, or simply the IT department, is responsible for the smooth workings of business computer networks, from web portals to operating systems and programs. It usually does so by standardizing on one or a few platforms. BYOD shatters such harmony by introducing disparate operating systems (Android, iOS, Windows, and Symbian, to name a few), the different iterations of each OS (for Android, that’s KitKat, Lollipop, Marshmallow, the two versions of Nougat, Oreo…) and their apps from different stores (Play Store, App Store, etc.), many of which are not compatible with each other. 

Hey HIPAA

HIPAA, which stands for “Health Insurance Portability and Accountability Act,” is exclusive to the healthcare vertical. This federal statute governs the privacy and security of patients’ medical records. As we mentioned earlier, its rules are strict and carry severe penalties for violators, including heavy fines and even jail time. HIT stays in compliance by making sure all hardware and software meet its requirements, something BYOD does not do (or may not even be capable of). 

 

It’s almost hard to believe a single worm back in 1988 prompted so much response from the public and private sectors. National Computer Security Day stands as a reminder of how important computers are in our lives, and of their vulnerability to cybercriminals. If you’re interested in finding out how to guard your business’s systems, contact the experts at Cybernet today!