Tag Archives: review

[ISN] A Review of Common HIPAA Technical Safeguards

http://healthitsecurity.com/news/a-review-of-common-hipaa-technical-safeguards By Elizabeth Snell Health IT Security June 26, 2015 HIPAA technical safeguards are just one piece of the larger health data security plan that covered entities and their business associates must put together. However, it is a very important aspect. Over the next few weeks, HealthITSecurity.com will discuss some common examples of all three HIPAA safeguards, and how they could potentially benefit healthcare organizations. Not all types of safeguards are appropriate or necessary for every covered entity. But by having a comprehensive understanding of what is required by HIPAA and the HITECH Act, and how various safeguards can be used, organizations will be able to identify which ones are most applicable. From there, they can create and implement the right data security protections for their daily workflow and ensure they maintain HIPAA compliance. As previously mentioned, HIPAA technical safeguards are an important part to keeping sensitive health data secure. Whether a small primary care clinic is debating health data encryption options or a large HIE is considering BYOD for employees, understanding the basics of HIPAA technical safeguards is essential. What are HIPAA technical safeguards? The HIPAA Security Rule describes technical safeguards as ““the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” However, an important note is that the Security Rule does not require specific technology solutions. Rather, healthcare organizations need to determine reasonable and appropriate security measures for their own needs and characteristics. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Attackers targeting medical devices to bypass hospital security

http://www.csoonline.com/article/2931474/data-breach/attackers-targeting-medical-devices-to-bypass-hospital-security.html By Steve Ragan Salted Hash CSO Online June 4, 2015 A preview copy of a report from TrapX Labs, which will be released later this month, highlights three successful attacks against healthcare organizations. The incidents prove that defending assets in a healthcare environment isn’t as easy as some would have you think. In fact, given the wide range of devices on a given network, it can be nearly impossible. Last year, Community Health Systems had an incident that resulted in the compromise of 4.5 million records. It served as a reminder that medical information was an important commodity to criminals. In March of this year, the Identity Theft Resource Center (ITRC) tagged healthcare as the source of 33-percent of all listed incidents nationwide, noting that nearly 100 million healthcare records were compromised in the U.S. alone in Q1 2015. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Tallinn 2.0 and a Chinese View on the Tallinn Process

http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/ By Ashley Deeks LAWFARE May 31, 2015 This past week, the NATO Cooperative Cyber Defense Center of Excellence put on its annual Cyber Conflict conference in Tallinn, Estonia. The conference boasted a number of experienced cyber-hands, including Adm. Mike Rodgers, DefCon founder Jeff Moss, and law of armed conflict expert Mike Schmitt. One of the most interesting sessions, which included a presentation by Mike, focused on aspects of the Tallinn Manual versions 1.0 and 2.0. Version 1.0, produced by an independent group of experts, came out in 2013. It proffered what the experts saw as current black letter law on jus ad bellum and jus in bello rules relevant to cyber operations. The Manual includes both crisp articulations of the rules and more extensive commentary setting out the legal basis for the rule and any differences that arose among the experts. Version 2.0 picks up where Version 1.0 left off, and will set forth the experts’ views on what international law applies to cyber activity that falls below the level of armed conflict or the use of force. Mike previewed some of the topics that 2.0’s group of experts will discuss, including customary rules related to sovereignty. As Mike notes, sovereignty is not simply a factor restricting a state’s activities in other states’ territory. It also is the basis for states to regulate and exercise jurisdiction within their territory over people, hardware, and cyber operations. One challenge for the experts will be to achieve consensus on what types of activities by one state violate another state’s sovereignty: what level of damage, intrusion, or alteration of data suffices? Other norms up for discussion relate to due diligence obligations by states to stop actions that produce adverse consequences for other states, and the applicability of state responsibility (including counter-measures and the use of “necessity” arguments). Tallinn 2.0 has the potential to be even more influential than Tallinn 1.0, because it systematically will address activities that are far more prevalent in the cyber realm than uses of force or armed attacks. Bill Boothby, a former Deputy Director of Legal Services for the UK Royal Air Force, then provided a retrospective look at Tallinn 1.0. Mike Schmitt had asked Bill to review all of the literature that offered reviews or critiques of Tallinn 1.0, to assess whether to consider certain modest amendments to the Manual’s commentary (though not to its black letter rules) or to take up certain issues that Tallinn 1.0 did not cover. Bill assessed that there has been huge interest in the Manual since it came out, but that the Manual reflected “all reasonable positions” on the issues it took up and that there were only a few amendments worth pondering. In particular, Bill wondered whether the definition of what constitutes a “cyber attack” might need to expand to include “major disruptions” that nevertheless do not produce physical harm to the affected state. He also asked whether the jus in bello rule on precautions was ill-suited to cyber, given that states utterly have failed to segregate their military cyber infrastructure from civilian cyber infrastructure. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Security Experts Hack Teleoperated Surgical Robot

http://www.technologyreview.com/view/537001/security-experts-hack-teleoperated-surgical-robot/ MIT Technology Review Emerging Technology From the arXiv April 24, 2015 A crucial bottleneck that prevents life-saving surgery being performed in many parts of the world is the lack of trained surgeons. One way to get around this is to make better use of the ones that are available. Sending them over great distances to perform operations is clearly inefficient because of the time that has to be spent travelling. So an increasingly important alternative is the possibility of telesurgery with an expert in one place controlling a robot in another that physically performs the necessary cutting and dicing. Indeed, the sale of medical robots is increasing at a rate of 20 percent per year. But while the advantages are clear, the disadvantages have been less well explored. Telesurgery relies on cutting edge technologies in fields as diverse as computing, robotics, communications, ergonomics, and so on. And anybody familiar with these areas will tell you that they are far from failsafe. Today, Tamara Bonaci and pals at the University of Washington in Seattle examine the special pitfalls associated with the communications technology involved in telesurgery. In particular, they show how a malicious attacker can disrupt the behavior of a telerobot during surgery and even take over such a robot, the first time a medical robot has been hacked in this way. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] CfP – Workshop on Security and Privacy in Cloud-based Applications (in conjunction with ARES EU Projects Symposium 2015)

Forwarded from: “Egner, A.I.” *** Apologies for multiple copies *** CALL FOR PAPERS ************************************************************************ Workshop on Security and Privacy in Cloud-based Applications (in conjunction with ARES EU Projects Symposium 2015) Université Paul Sabatier, Toulouse, France, August 24th – 28th, 2015 http://www.ares-conference.eu/conference/ares-eu-symposium/au2eu/ ************************************************************************ Cloud services and cloud-based applications have become increasingly popular in the recent years. Security and privacy of the cloud-based applications have always been major roadblock for wide use of cloud services that involve sensitive data. Therefore this research field attracts a lot of attention from the academia and industry. The aim of the workshop is to provide the environment to exchange ideas and to foster discussions on a broad list of aspects related to privacy and security of cloud-based applications, and to find answers to questions like: How do we design authentication and authorization frameworks for cross-cloud environments, supporting different identity/attribute providers and organizational policies while guaranteeing privacy, security and trust? How can we extend current solutions with higher assurance of claims, trust indicators, policy enforcement mechanisms and processing under encryption techniques to address specific security and confidentiality requirements of large distributed infrastructures? What is the best way to validate practical aspects of the cloud-based applications, such as scalability, efficiency, maturity and usability? Next to regular sessions with research papers, the workshop will include an invited talk as well as a round table on “Evolution of privacy-preserving authentication and authorization tools: from concepts to deployment“, presenting the results of the FP7 AU2EU project (http://www.au2eu.eu/). CONFERENCE TOPICS The conference topics include, but are not limited to: – Privacy-preserving Authentication – Attribute-based Authorization – Integrated Authentication and Authorization – Assurance of Claims – Crypto-based Policy Enforcement – Attribute-based Encryption – Secure Data Management – Key Management – Trust Management – Operations under Encryption – Homomorphic Encryption – Searchable Encryption – Privacy-Preserving Data Mining – Security as a Service – Big Data Security PAPER SUBMISSIONS The proceedings of ARES 2014, published by Conference Publishing Services (CPS), are available here in the IEEE XPlore Digital Library. Authors are invited to submit research and application papers according the following guidelines: 8 pages (a maximum of 10 pages is tolerated), two columns, single-spaced, including figures and references, using 10 pt fonts and number each page. Submitted papers will be carefully evaluated based on originality, significance, technical soundness, presentation and clarity of exposition. Simultaneous submission of the same work to multiple venues, submission of previously published work, or plagiarism constitutes dishonesty or fraud. ARES, like other scientific and technical conferences and journals, prohibits these practices and may take action against authors who have committed them. Contact author must provide the following information at the ARES conference system: paper title, authors’ names, affiliations, postal address, phone, fax, and e-mail address of the author(s), about 200-250 word abstract, and about five keywords. Accepted papers will be given guidelines in preparing and submitting the final manuscript(s) together with the notification of acceptance. Double blind review: ARES requires anonymized submissions – please make sure that submitted papers contain no author names or obvious self-references. Details about submission can be found here: http://www.ares-conference.eu/conference/conference/submission/ IMPORTANT DATES Submission Deadline May 8, 2015 Author Notification June 1, 2015 Proceedings Version June 8, 2015 Conference August 24-28, 2015 PROGRAM CHAIRS – Milan Petkovic (General Chair), Philips Research / Eindhoven University of Technology – Netherlands – Jan Camenisch (Program Co-Chair), IBM Research – Zurich, Switzerland – John Zic (Program Co-Chair), CSIRO – Sydney, Australia – Alexandru Egner (Organization Co-Chair), Eindhoven University of Technology – Netherlands PROGRAM COMMITTEE – Giuseppe Ateniese, Sapienza University of Rome, Italy – George Danezis, University College London, UK – Refik Molva, EURECOM, France – Gerrit Bleumer, Scheidt & Bachmann, Germany – Ljiljana Brankovic, University of Newcastle, Australia – Jeroen Doumen, Irdeto, Netherlands – Csilla Farkas, University of South Carolina, USA – Pietro Colombo, University of Insubria, Italy – Simone Fischer-Hubner, Karlstad University, Sweden – Dieter Gollmann, Hamburg University of Technology, Germany – Tanya Ignatenko, Eindhoven University of Technology, Netherlands – Mizuho Iwaihara, Waseda University, Japan – Sushil Jajodia, George Mason University, USA – Nguyen Manh Tho, Vienna University of Technology, Austria – Guenther Pernul, University of Regensburg, Germany – Bart Preneel, KU Leuven, Belgium – Kai Rannenberg, Goethe University Frankfurt, Germany – Ahmad-Reza Sadeghi, Darmstadt University, Germany – Andreas Schaad, Huawei Research – Yuan Zhang, State University of New York at Buffalo, USA – Sabrina De Capitani di Vimercati, University of Milan, Italy For any questions, please contact the organization co-chair: a.i.egner (at) tue.nl


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Call for Papers – Workshop on Security and Privacy in Cloud-based Applications (in conjunction with ARES EU Projects Symposium 2015)

Forwarded from: “Egner, A.I.” CALL FOR PAPERS ************************************************************************ Workshop on Security and Privacy in Cloud-based Applications (in conjunction with ARES EU Projects Symposium 2015) Université Paul Sabatier, Toulouse, France, August 24th – 28th, 2015 http://www.ares-conference.eu/conference/ares-eu-symposium/au2eu/ ************************************************************************ Cloud services and cloud-based applications have become increasingly popular in the recent years. Security and privacy of the cloud-based applications have always been major roadblock for wide use of cloud services that involve sensitive data. Therefore this research field attracts a lot of attention from the academia and industry. The aim of the workshop is to provide the environment to exchange ideas and to foster discussions on a broad list of aspects related to privacy and security of cloud-based applications, and to find answers to questions like: How do we design authentication and authorization frameworks for cross-cloud environments, supporting different identity/attribute providers and organizational policies while guaranteeing privacy, security and trust? How can we extend current solutions with higher assurance of claims, trust indicators, policy enforcement mechanisms and processing under encryption techniques to address specific security and confidentiality requirements of large distributed infrastructures? What is the best way to validate practical aspects of the cloud-based applications, such as scalability, efficiency, maturity and usability? Next to regular sessions with research papers, the workshop will include an invited talk as well as a round table on “Evolution of privacy-preserving authentication and authorization tools: from concepts to deployment“, presenting the results of the FP7 AU2EU project (http://www.au2eu.eu/). CONFERENCE TOPICS The conference topics include, but are not limited to: – Privacy-preserving Authentication – Attribute-based Authorization – Integrated Authentication and Authorization – Assurance of Claims – Crypto-based Policy Enforcement – Attribute-based Encryption – Secure Data Management – Key Management – Trust Management – Operations under Encryption – Homomorphic Encryption – Searchable Encryption – Privacy-Preserving Data Mining – Security as a Service – Big Data Security PAPER SUBMISSIONS The proceedings of ARES 2014, published by Conference Publishing Services (CPS), are available here in the IEEE XPlore Digital Library. Authors are invited to submit research and application papers according the following guidelines: 8 pages (a maximum of 10 pages is tolerated), two columns, single-spaced, including figures and references, using 10 pt fonts and number each page. Submitted papers will be carefully evaluated based on originality, significance, technical soundness, presentation and clarity of exposition. Simultaneous submission of the same work to multiple venues, submission of previously published work, or plagiarism constitutes dishonesty or fraud. ARES, like other scientific and technical conferences and journals, prohibits these practices and may take action against authors who have committed them. Contact author must provide the following information at the ARES conference system: paper title, authors’ names, affiliations, postal address, phone, fax, and e-mail address of the author(s), about 200-250 word abstract, and about five keywords. Accepted papers will be given guidelines in preparing and submitting the final manuscript(s) together with the notification of acceptance. Double blind review: ARES requires anonymized submissions – please make sure that submitted papers contain no author names or obvious self-references. Details about submission can be found here: http://www.ares-conference.eu/conference/conference/submission/ IMPORTANT DATES Submission Deadline May 8, 2015 Author Notification June 1, 2015 Proceedings Version June 8, 2015 Conference August 24-28, 2015 PROGRAM CHAIRS – Milan Petkovic (General Chair), Philips Research / Eindhoven University of Technology – Netherlands – Jan Camenisch (Program Co-Chair), IBM Research – Zurich, Switzerland – John Zic (Program Co-Chair), CSIRO – Sydney, Australia – Alexandru Egner (Organization Co-Chair), Eindhoven University of Technology – Netherlands PROGRAM COMMITTEE – Giuseppe Ateniese, Sapienza University of Rome, Italy – George Danezis, University College London, UK – Refik Molva, EURECOM, France – Gerrit Bleumer, Scheidt & Bachmann, Germany – Ljiljana Brankovic, University of Newcastle, Australia – Jeroen Doumen, Irdeto, Netherlands – Csilla Farkas, University of South Carolina, USA – Pietro Colombo, University of Insubria, Italy – Simone Fischer-Hubner, Karlstad University, Sweden – Dieter Gollmann, Hamburg University of Technology, Germany – Tanya Ignatenko, Eindhoven University of Technology, Netherlands – Mizuho Iwaihara, Waseda University, Japan – Sushil Jajodia, George Mason University, USA – Nguyen Manh Tho, Vienna University of Technology, Austria – Guenther Pernul, University of Regensburg, Germany – Bart Preneel, KU Leuven, Belgium – Kai Rannenberg, Goethe University Frankfurt, Germany – Ahmad-Reza Sadeghi, Darmstadt University, Germany – Andreas Schaad, Huawei Research – Yuan Zhang, State University of New York at Buffalo, USA – Sabrina De Capitani di Vimercati, University of Milan, Italy For any questions, please contact the organization co-chair: a.i.egner (at) tue.nl


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] TrueCrypt security audit is good news, so why all the glum faces?

http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/ By Dan Goodin Ars Technica Apr 2, 2015 The ongoing audit of the TrueCrypt whole-disk encryption tool used by millions of privacy and security enthusiasts has reached an important milestone—a detailed review of its cryptographic underpinnings that found no backdoors or fatal flaws. The 21-page Open Cryptographic review published Thursday uncovered four vulnerabilities, the most serious of which involved the use of a Windows programming interface to generate random numbers used by cryptographic keys. While that’s a flaw that cryptographers say should be fixed, there’s no immediate indication that the bug undermines the core security promise of TrueCrypt. To exploit it and the other bugs, attackers would most likely have to compromise the computer running the crypto program. None of the vulnerabilities appear to allow the leaking of plaintext or secret key material or allow attackers to use malformed inputs to subvert TrueCrypt. The report was produced by researchers from information security consultancy NCC Group. “The TL;DR is that based on this audit, TrueCrypt appears to be a relatively well-designed piece of crypto software,” Matt Green, a Johns Hopkins University professor specializing in cryptography and an audit organizer, wrote in a blog post accompanying Thursday’s report. “The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.” “The good news is there weren’t any devastating findings, which is great news,” Kenn White, a North Carolina-based computer scientist and audit organizer, told Ars. “The mixed news is what happens next with the project.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] FBI Threat Intelligence Cyber-Analysts Still Marginalized In Agency

http://www.darkreading.com/risk/fbi-threat-intelligence-cyber-analysts-still-marginalized-in-agency/d/d-id/1319618 By Sara Peters Dark Reading 3/25/2015 Despite good progress, 9/11 Review Commission says that analysts could have a greater impact on FBI counter-terrorism activities if they had more domain awareness, forensics capabilities, and were more empowered to question agents. FBI threat intelligence analysts, a position created post-9/11, have proven their worth to counter-terror operations, but their impact has been limited by a lack of domain awareness, insufficient computing technology, and a lack of status within the Bureau, according to a report released today by the FBI 9/11 Review Commission. While the analysts are providing agents with tactical input, they are not yet participating in any strategic way. Part of the intelligence analysts’ job description, as described by FBIAgentEdu.org, is cyber-forensics and cyber-surveillance


Facebooktwittergoogle_plusredditpinterestlinkedinmail