Microsoft’s Second Warning Concerning the BlueKeep Vulnerability Patch

Microsoft has issued a further warning about the need to patch the BlueKeep vulnerability (CVE-2019-0708), stressing that patching is urgent in light of the October 23 mass attack that exploited this flaw.

The attack was first identified on November 2, but the attacker was unable to exploit the vulnerability fully. The threat actor appears to have a low skill level and launched the campaign to exploit the flaw in order to deploy cryptocurrency mining malware. Microsoft has warned again that things could get worse.

The first attempt at mass exploitation drew a great deal of media attention, but it appears to have had little effect on how seriously patching is being taken. A scan by the SANS Institute found that the rate of patching hardly changed after the mass attack. Microsoft released the patch in May and the number of unpatched devices has fallen, yet a large number of devices remain exploitable via BlueKeep.

Although the attack was extensive, it had minimal success. In most cases the exploit failed to work properly and the targeted devices simply crashed. Had a skilled threat actor exploited the vulnerability successfully, it would have been possible to connect to a vulnerable device over RDP without any user interaction and execute code on the unpatched system, allowing the attacker to access, modify, and steal data, install malware, and launch attacks on other unpatched devices on the network, including those that are not exposed to the internet.

In 2017, security researcher Marcus Hutchins discovered and activated the ‘kill switch’ that halted the WannaCry ransomware outbreak. He is now cautioning that a ransomware attack could cause major disruption even without a worm component, given that the vulnerable devices are servers.

Microsoft said that, although the current BlueKeep attacks are unlikely to be prevented, more dangerous exploits could be developed and used in mass attacks on vulnerable devices. Microsoft customers need to identify and update all vulnerable devices immediately.

NIST Launches the Latest Big Data Interoperability Framework

The National Institute of Standards and Technology (NIST) has released the final version of its Big Data Interoperability Framework (NBDIF), which is intended to help developers design data analysis software that can run on almost any computing platform and be moved easily from one platform to another.

NBDIF is the result of several years of work and collaboration among more than 800 experts from government, academia, and the private sector. The final document consists of nine volumes covering big data definitions and taxonomies, use cases and requirements, reference architecture, a standards roadmap, security and privacy, a reference architecture interface, and adoption and modernization.

The primary purpose of NBDIF is to guide developers in designing and deploying highly useful big data analysis tools that can be used across diverse computing platforms, from a single laptop to multi-node cloud-based environments. Developers should build their big data analysis tools so that they can be migrated quickly from platform to platform, and so that data analysts can switch to more complex algorithms without having to retool their computing environments.

Developers can use the framework to create a platform-agnostic environment for building big data analysis tools, so that their tools can keep supporting data analysts’ work without interruption even as the analysts’ goals change and the technology improves.

The amount of data requiring analysis has grown significantly in recent years. Data is now collected from a huge range of devices, including the many sensors connected to the internet of things. A few years ago, close to 2.5 exabytes of data (an exabyte is a billion billion bytes) were generated worldwide every day. By 2025, global data generation is estimated to reach 463 exabytes per day.

Data scientists can use large datasets to gain valuable insights, and big data analysis tools will allow them to scale their analyses from a single laptop to distributed cloud-based environments that run across many nodes and process very large amounts of data.

To do that today, data analysts may have to rebuild their tools from scratch using different programming languages and algorithms so that they can run on different platforms. Using the framework will improve interoperability and substantially reduce this burden on data analysts.

The final version of the framework includes consensus definitions and taxonomies so that developers understand each other when discussing options for new analysis tools, as well as data privacy and security requirements and a reference architecture interface specification to guide the deployment of their tools.

The reference architecture interface specification helps vendors build flexible environments in which any tool can operate. Previously there was no standard for developing interoperable solutions; now there is.

Big data analysis tools could be used in many ways, for instance in drug discovery, where researchers need to assess the behavior of candidate drug proteins in one round of tests and then feed that information into the next round. The flexibility to make changes immediately will help speed up the analyses and reduce drug development costs. NIST also suggests that the tools could help analysts detect health care fraud with less effort.

The reference architecture will let users choose whether to perform analytics using the latest machine learning and AI techniques or conventional statistical methods.

Forsythe To Offer Catbird’s vSecurity® Software To Its Customers

Catbird is the pioneer in security and compliance for virtual, cloud and physical networks. The company has now entered into a partnership agreement with Forsythe, a leading IT infrastructure consultant and integrator, according to which Forsythe will offer Catbird’s vSecurity® software to bring PCI, HIPAA and SOX compliance to its customers who are moving to virtual and cloud-based infrastructure.

This software from Catbird harnesses the power of virtualization to deliver the industry’s most comprehensive security and compliance solution for virtual and cloud systems. The software introduces a new model for data center security and enforces controls on virtual machines, their network attributes, virtual networks, and the switch fabric – protecting the whole data plane.

“Security and compliance are critical components for every IT infrastructure. As environments are virtualized, new risks are introduced due to a loss of process control across four change dimensions,” says David Poarch, VP of Security at Forsythe. “Catbird has developed a solution specifically for virtualized environments that delivers dynamic, elastic security and integrated compliance for sensitive and mission-critical applications.”

“Recent guidance from PCI, NIST and SANS proves that relying on traditional physical firewalls and physical network inspection is risky and will not pass an audit. Catbird vSecurity® was built from the ground up to do virtual and cloud security better, faster and cheaper,” said Edmundo Costa, Catbird CEO. “Forsythe’s extensive experience in integrating not only virtualized solutions, but also physical infrastructure solutions, across security, servers, networks and storage makes them a strong partner in helping our virtualization clients with their security needs.”

“Virtualization security opens the door for mission-critical applications that have traditionally been left out of virtualization roll-outs,” added Costa. “vSecurity will provide Forsythe customers with the ability to meet the new requirements and maximize their virtualization and cloud ROI by being able to include in their deployment plans most applications that were previously excluded, such as, for example, applications that handle PCI data.”

Harris Corporation to support VA’s transition to new coding standards

The U.S. Department of Veterans Affairs (VA) has awarded Harris Corporation a $5.3 million two-year contract to remediate the VA’s Health Administration Center (HAC) Cache System to address new medical coding standards. Harris will support the VA’s migration to new coding

The transition will also help the HAC produce more accurate records and conduct more detailed population assessments and studies. In addition, the ICD-10 migration will improve the HAC’s payment systems for veterans and their family members by providing more accurate billing information. The Harris team, with subcontractors 7 Delta Inc. and Vangent Inc., will complete all phases of the ICD-10 integration and software development life cycle.

International Statistical Classification of Diseases and Related Health Problems (ICD) codes are used to classify diseases and other medical problems under a single standard and to promote international comparability in treatment and billing. As part of the Health Insurance Portability and Accountability Act (HIPAA) 5010 transition, the U.S. Department of Health and Human Services (HHS) has mandated that all covered health care entities be ICD-10 compliant by Oct. 1, 2013.

“The ICD-10 transition will enable the HAC to improve the accuracy and efficiency of claims processing for veterans and their family members,” said Jim Traficant, president, Harris Healthcare. “By migrating to ICD-10, the Health Administration Center continues to lead the healthcare industry in adopting the latest standards to better serve our veterans.”

97% of Americans want more control over their PHI: New survey reveals

Privacy advocate Dr Deborah Peel’s Patient Privacy Rights Foundation and Zogby International have conducted a new survey revealing that a whopping 97% of the 2,000 adults questioned want the right to control their own personal medical information and to limit with whom their “sensitive information” is shared.

In a press release accompanying the survey results, Dr Peel said, “No matter how you look at it, Americans want to control their own private health information. They overwhelmingly believe that they are the only people in the right position to make decisions about how their information can be used. Researchers do not get a free pass.”

The survey reveals that many Americans want to be in control of all of their electronic medical records and to have the right to limit to whom their doctors, insurance companies and even the government may pass on that information. Some expressed concern that their sensitive information was at risk of being accessed by employers, researchers, ex-spouses and abusive partners.

Dr Peel’s Austin, TX-based advocacy group is calling for the creation of a “do not release” list, which would work along the same lines as the “do not call” lists that telemarketers must abide by. 73% of those surveyed said they would sign up if such a list were created.

HIMSS webinar on importance of HIPAA compliance to an IT manager

A Health Information & Management Systems Society (HIMSS) webinar on the importance of HIPAA compliance for IT managers will be held on October 20, 2011, sponsored by Axway, the Business Interaction Networks company.

The webinar, entitled “What does HIPAA Compliance mean to an IT Manager?”, will be a case study with Catholic Healthcare West. It will explore how Catholic Healthcare West is managing the challenges of rapidly building its health care managed file transfer (MFT) ecosystem while continuing to comply with the Health Insurance Portability and Accountability Act (HIPAA). Catholic Healthcare West will share how it ensures patient privacy and builds partner networks that make end-to-end management of certain patient files possible.

The webinar will include discussion between Axway and Catholic Healthcare West on how to leverage technology in a way that allows access to critical health information while maintaining security and the public’s trust. Other companies participating in the webinar will also have the opportunity to share their experiences in designing internal project support for large-scale MFT infrastructure projects and to pass on lessons learned during deployment.

Shared Health awarded the HIPAA Security and Privacy Covered Entity accreditations from URAC

URAC, a Washington, DC-based health care accrediting organization that establishes quality standards for the health care industry, has awarded the HIPAA Security and Privacy Covered Entity accreditations to Shared Health, one of the leaders in the health care industry.

URAC’s HIPAA Security Accreditation program emphasizes the fundamentals of ongoing risk management. It enables health care organizations to validate their security compliance program for safeguarding Protected Health Information (PHI) in accordance with the HIPAA Security Rule. The program thus confirms health care organizations’ commitment to fair information practices and helps them show others that they have taken the necessary steps to protect health information privacy in accordance with the HIPAA Privacy Rule.

“We are thrilled to achieve this high level in health care information security and privacy,” said Jana Skewes, chief executive officer of Shared Health. “The URAC accreditations highlight our commitment to delivering the most secure, best privacy protection practices in our industry through innovative health information technology solutions at the point of care, which is the perfect prescription for better health nationwide.”

Shared Health demonstrated leadership by implementing a comprehensive security compliance plan, rigorous management policies and procedures, administrative, physical and technical safeguards, and special requirements for group health plans. It also met stringent standards for privacy protection, including implementation of a privacy compliance plan, strict policies and procedures, workforce training, disclosures, complaints handling, and special requirements for health plans, group health plans, hybrid entities, health care providers, affiliated covered entities and organized health care arrangements.

“By applying for and receiving the HIPAA Security and Privacy Covered Entity accreditations, Shared Health has demonstrated a commitment to quality health care,” said Alan P. Spielman, URAC president and CEO. “Quality health care is crucial to our nation’s welfare and it is important to have organizations that are willing to measure themselves against national standards.”

MGMA survey reveals that practices still not prepared for HIPAA 5010

The Medical Group Management Association (MGMA) has released a survey revealing that most physicians are still unprepared for the shift to the new electronic claims submission standard known as HIPAA 5010, even though the adoption deadline is just six months away. Only 9.2% of physicians were testing the software updates provided by their electronic medical record vendors, and about 38.2% had not yet scheduled such tests.

Of the 356 practices that MGMA surveyed, just 15.2% had conducted an impact analysis to examine what the practice needed to do to prepare. Most practices said they had either not started preparing (45.2%) or were less than 25% done preparing (26.4%).

The survey did not, however, reveal whether the practices had taken part in National 5010 Testing Day on June 15. The Centers for Medicare & Medicaid Services (CMS) declared that day at the suggestion of the American Medical Association and the MGMA.

RAC agrees to pay $1 million to settle violations of HIPAA

The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information and to maintain adequate privacy and security protections when disposing of such information.

Media outlets circulated videotaped incidents in several cities across the United States in which pharmacies were shown disposing of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers accessible to the public. Rite Aid pharmacy stores in several of those cities were highlighted in the reports. Following this, the HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, opened an investigation of Rite Aid Corporation (RAC) and found it guilty.

Rite Aid Corporation and its 40 affiliated entities have now agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Rite Aid has also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act, and has agreed to take corrective action to improve safeguards for customer privacy when disposing of identifying information on pill bottle labels and other health information.

“It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA,” said Georgina Verdugo, director of OCR. “We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process.”

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.

HHS proposes to expand the HIPAA rights for patients

The Department of Health and Human Services (HHS) proposes to expand the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule through a new amendment under which patients would be entitled to receive a report listing the individuals and organizations that have accessed their electronic medical records. HIPAA currently requires health care organizations to track access to electronic protected health information, but it does not require them to share that information with patients.

The notice of proposed rulemaking from HHS states that HIPAA accounting provisions should be expanded to provide individuals “with the right to receive an access report indicating who has accessed electronic protected health information”.

The department is making the change to the HIPAA privacy rule to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.

“This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information. We need to protect peoples’ rights so that they know how their health information has been used or disclosed”, said Georgina Verdugo, director of the HHS Office for Civil Rights.

“The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates”, the HHS department said.

Comments on the proposed rule are due August 1, 2011.