Identitätssicherheit

3 reasons to invest in digital identity security

Our world is increasingly digitized and in many areas only takes place online. This also increasingly applies to our everyday working lives; companies are networked in the cloud thanks to communication and collaboration tools. Our systems such as CRM or ERP have also been outsourced to the cloud for better data availability. At the same time, questions are now increasingly being asked about the best possible protection for this outsourced infrastructure. It has become clear that VPN and virus protection alone are no longer sufficient to reliably protect your company’s IT from unauthorized access.

For this reason, you should definitely consider—if you haven’t already done so—meaningful identity management and deeper protection of your employee identities. This includes the question of how your employees can digitally identify themselves. So they can protect themselves from misuse of their own identity and its consequences. We’ve rounded up 3 key reasons why you should invest in digital identity security in your organization now, at the latest.

Secure tomorrow’s workplace today

The future is digital—that also means remote! True, remote work has existed before 2020. But 2020 was a booster for faster digitization in office applications. “Digital-only” therefore already applies to collaboration and communication. Despite the misgivings of many companies, employees have coped surprisingly well with this. They have quickly learned to anticipate these new ways of working and reap the benefits for themselves. But this is only part of the story. Although the introduction of communication and collaboration tools has been well received, network security and, in particular, the safeguarding of employee identities have often been neglected. The priority was to get operationally up and running quickly; thinking about IT security was a second step if it was thought about at all.

Yet the shift of (working) life to the digital world has created the perfect conditions for cybercrime. Phishing and social engineering attacks on companies have increased as a result of the crisis. By introducing a second factor to secure applications, they prevent identity misuse. After all, only those who can identify themselves twice—with a 2nd factor known only to them—will ultimately gain access to a file or system. Sensible and restrained access management also ensures that only those employees who really need access to sensitive areas of your corporate IT have it.

Improved usability increases employee satisfaction

Today, we expect a high level of usability and a consistent user experience with our applications. No longer just in our private lives, but also in the applications we use at work. Passwordless login increases the productivity and acceptance of your employees: because they don’t have to remember a multitude of complex passwords and can log on to their PC and applications with a single click. The combination of a multifactor authentication solution with single sign-on functionality allows fast, convenient, and uninterrupted switching between different applications. Without compromising on security.

Simplify your compliance processes

Centralized management of user identities and simplified login via single sign-on increase the productivity and effectiveness of your employees in the long term. Lengthy processes for (repeated) logins to individual applications and mandatory password changes in specific cycles are eliminated. Life is also easier for your administrators, who can dispense with complex password policies and the need to control them. Even a simple, insecure password has become a secure login with the highest security requirements through MFA.

At the same time, with a sensible Identity and Access Management and a secure multifactor authentication method, you introduce an important milestone to protect your corporate compliance. After all, the theft of (employee) identities poses a profound threat to your company; the compromise of your IT landscape and the possible associated data loss can be followed by data protection lawsuits and corporate compliance investigations. These are often more expensive than the actual damage caused by lost productivity.

ePA

How secure is the Electronic Patient Record?

Since the beginning of the month, the Electronic Patient Record has been available in Germany, in which insured persons can store and manage their data in a central location. The central storage of their health data is intended to facilitate communication between patients and doctors. In the initial phase, however, patients will have to take care of filling their digital files themselves. There are also still data protection concerns: Patients will not be able to select which doctor has access to which parts of the medical record until 2022. For the time being, anyone who wants to use the Electronic Patient Record provides their doctor with all the information it contains – or none at all.

What is an Electronic Patient Record?

The Electronic Patient Record allows patients to voluntarily store their health and diagnostic data centrally in one place. The information it contains can be shared with doctors, pharmacies, and hospitals to shorten treatments. Or prevent duplicate examinations. In the future, patients will also be able to use the app to manage the information it contains. They can then decide which doctor can see which information. The digitization of bonus books, vaccination cards, and maternity records is also planned for the future.

When does the Electronic Patient Record come into effect?

Patients will be able to have their health insurers issue the Electronic Patient Record from the beginning of 2021. For the time being, however, they will have to fill it out themselves. Until July, it will only be available to around 200 practices and hospitals on a trial basis; only then will its use be extended to the whole of Germany. The health insurers, on the other hand, have no insight into the stored data, even though the Electronic Patient Record is intended to provide communication channels to their own health insurer. This prevents the insured person from suffering any disadvantages as a result of diagnoses or findings.

How secure is my data?

The Electronic Patient Record stores patient data in encrypted form. Data is exchanged with doctors and other healthcare facilities via the so-called telematics infrastructure network. However, critics have still identified security deficiencies here: For example, the TI’s virus protection is said to be insufficient to actually protect sensitive health data reliably. Also, too lax IT security measures in medical practices can be a security risk. Easy-to-guess passwords or shared admin and access rights are unfortunately still commonplace in many medical practices. You can also read a comprehensive review of the current data security in healthcare as well as the criticism of the telematics infrastructure in our blog post here.

Cases from abroad, such as a successful hacker attack in Finland, have also shown how weakly protected our sensitive healthcare data still is. Experts, therefore, advise being selective about what information you want to include in the Record. The inclusion of psychotherapeutic documents is currently not advisable. This is because such data could have negative consequences for those affected when looking for new insurance companies or employers, should this data fall into the hands of third parties without authorization.

Unfortunately, the risks and benefits of the Electronic Patient Record must be weighed up here as well. On the one hand, centrally stored data enables faster and more favorable treatment success. This saves time, costs, and nerves on both sides. However, if this sensitive data falls victim to a cyberattack, the insured person may suffer disadvantages, the consequences of which cannot yet be assessed.

Will you use the Electronic Patient Record? Join the discussion here.

Corona vaccine

Corona vaccine data targeted by hackers

On Wednesday evening, unknown hackers managed to penetrate the system of the European Medicines Agency (EMA). In doing so, they were able to capture individual pieces of information on a Corona vaccine that is currently in the approval process. The authority is currently reviewing the approval of the vaccine developed by the Mainz-based company Biontech and the US pharmaceutical giant Pfizer. EMA has not yet disclosed exactly how many and which data are involved.

Who has an interest in data on the Corona vaccine?

It is also still unclear who is responsible for the attack. Experts suspect that secret services, for example from Russia or China, are behind the attack. However, this has not yet been proven. Nevertheless, there are indications that this was a state-initiated attack; The initial approval of an effective and low-risk Corona vaccine is more than just a prestige project for a nation; it is of great economic value. For one thing, patent sales have a direct impact on the national economy. For another, an effective vaccine can ease lockdown regulations, which additionally allows the national economy to recover more quickly.

Biontech and Pfizer emphasize that no data were stolen that would allow conclusions to be drawn about individual test subjects. EMA also announces that the incident has no impact on the further approval process.

Can such attacks be prevented in the future?

Nevertheless, the cyberattack shows how important increased IT security standards are for all organizations in a chain: Biontech and Pfizer’s IT systems are very well secured, experts say. The company emphasizes that it could not notice any activity on their systems. This shows that the hackers did not focus on the well-secured private sector systems. But on the less well-secured ones of the EU authority.

Data protection experts have previously complained, particularly for the healthcare sector, that important data is often only secure in the government’s own system. It is not advisable to assume that upstream and downstream systems meet the same security requirements. This has been proven once again by the current incident. The introduction of a uniformly high-security standard in public institutions as well would therefore be beneficial.

You can read more about data protection problems in IT in the German healthcare sector here.

In this blog article, we have summarized why the healthcare sector is coming under the scrutiny of hackers, especially in times of a pandemic.

Black Friday

Black Friday – How Cybercriminals are hunting for your data

It’s the end of November and thus bargains time for most of us: Under names like Black Friday, Black Week, Cyber Week, Cyber Friday – or other creative names – companies are now luring us bargain hunters in the fight for pre-Christmas business. But the bargains not only attract us as consumers but also cybercriminals. And these in turn lure us with “offers” via e-mail or online ads, to elicit our data unnoticed. The British National Cyber Security Centre (NCSC) has now renewed its warning on the occasion of the Shopping Week to be careful when shopping online. Consumers should be particularly careful where they store and what data they disclose when they do so, especially in the rush to buy and find bargains.

Black Friday offers via phishing e-mails

However, this mindfulness begins even before the actual shopping experience. Because under the flood of actual offer e-mails from various providers, one or the other phishing e-mail can also be hidden. Of course, everyone wants to participate in the pre-Christmas business, but these phishing emails are out to get usernames, passwords, or credit card information – for nothing in return, of course. You’d better be wary of receiving offers from merchants you don’t know. Or when direct links to bargain items are offered. In any case, it’s better to manually enter the merchant’s site into the search box to make sure you end up on the right homepage. The offer will be there already if it is a real offer from the dealer. Because often enough the rule is: If the offer is too good to be true, then it probably is!

More information?! – Then better no information

There is nothing to be said against trying out smaller and unknown retailers and not always buying from the same well-known multinational supplier. But there are a few clues that help to distinguish serious websites from dubious ones. For example, the payment process should be clearly arranged and no personal information should be requested that is not necessary. Additional security details such as a codeword or a secret question may sound trustworthy at first – but they are not at all. During the payment process, you should really not be asked for your mother’s maiden name, your first pet, or your brother’s place of residence. At this point at the latest, you should cancel the purchase process. Ideally, before you have given your bank details.

Check the security of the payment process

Completely different from an unnecessary security query, the question of multi-factor authentication is to be evaluated. Multi-factor authentication serves to identify you as the buyer. Without entering a second factor in addition to the password – usually, a code sent to you by e-mail or SMS – nobody can place an order. This ensures that only those who have access to your e-mail address or your smartphone can carry out this process. However, not all serious online stores offer this: If you want at least a little security, check the address bar of your browser before entering your data. If there is a padlock symbol there, it means that the connection to the merchant is secure. Of course, this does not mean that the dealer is legitimate, but at least the connection is secure.

And if the store asks you to save your payment data, do so only if you are really sure that you want to order there again. Otherwise, this information is absolutely unnecessary. And creates another factor of low security.

Black(out) Friday and Amazon Phishing Day

A similar phenomenon as around Black Friday can also be found on Amazon Prime Day: Here, too, cybercriminals take advantage of an event and the bargaining mood of the customers around it to obtain passwords, credit card data, and the like. In their phishing campaigns, cybercriminals use a similar structure to their fake Amazon site and often use similar actions as the “real” Amazon. These actions are especially perfidious because the URLs also want to come as close as possible to the original and have at least “amazon” in their name. Often the URL is unnecessarily long so that it is not obvious at first glance that this is a completely different page, which seems to belong to Amazon, but is ultimately hosted somewhere else.

You should always be suspicious if you are not supposed to enter a password at Amazon – but other personal information, including your credit or debit card number. Security experts therefore strongly recommend that you always start on the actual page and never from an email link, even for special promotions such as Amazon Prime Day or Black Friday. Also, if you enter your information differently than usual, you may be dealing with a fraudulent fake site. And pay attention to details: Does the page look the way you are used to? Is the shopping cart icon in the same place as usual? Are all pictures in focus? Can you get to the store’s homepage by clicking on the store’s logo? Is continuous navigation in the store possible? Is the URL complete and logical? Only when all these things are correct should you start the payment process.

cybersecurity in the healthcare system

Data protection and cybersecurity in the healthcare system

The digitalization of our healthcare system is progressing massively: The German federal government is promoting the networking of medical facilities through the so-called telematics infrastructure Telematik Infrastruktur, TI). As a result of the corona crisis, the need for online communication between doctors and patients has increased. In addition to these developments, the electronic patient file will be introduced in January 2021.

With such networking of our healthcare system, it is time to take a critical look at the security of the systems and thus of our data. The importance of cybersecurity for the protection of patient records is unfortunately demonstrated by those cases in which attackers have succeeded in penetrating an institution’s system, paralyzing it, or – in the worst case – even stealing data records.

There have also been many reports of major attacks on hospital IT worldwide in recent times. However, it should not be forgotten that cyberattacks can affect not only large medical institutions. It also affects small, independent doctor’s offices – such a singular attack can threaten their existence for various reasons. And it also involves risks for us consumers.

Securing IT structures in the healthcare system properly

Basics of secure IT systems

First of all, medical institutions, more than any other, must carefully select and maintain their IT infrastructure. An up-to-date operating system with all relevant security updates, a functioning hardware firewall, and an up-to-date and intelligent anti-virus program should be standard. Besides, there should be regular security updates and, ideally, daily backups that cannot be processed from the system. In this way, facilities can be up and running again quickly in the event of a ransomware attack. And the loss of data in your own systems is at least limited.

But password security is also an important point that all too often gets lost in everyday professional life: For many physicians in private doctor’s office, it is necessary to find a compromise between security and practicability. Especially because computers at reception or in laboratories may be used by several people. Nevertheless, even these shared passwords should comply with security standards and be renewed regularly. We also recommend the introduction of a practicable multi-factor authentication.

Since this is a sensitive infrastructure, clear rules for IT use in the workplace should also be established: May private mails be checked? Are online purchases or other surfing behavior allowed? May own storage media be brought and used? Are there special devices that are not connected to the doctor’s office network? It is important here to increase awareness of possible security gaps that could arise from this behavior. Employee training courses on cybersecurity, phishing, or social engineering should therefore be held regularly.

Cyber insurance can also minimize the (financial) risks that arise after an attack has taken place. Often good security concepts ensure that the contribution is minimized, and only the compulsion to deal with this topic creates good conditions for the actual implementation of plans.

Increased security thanks to telematics infrastructure (TI)?

With the large-scale introduction of the telematics infrastructure (TI) in German medical doctor’s offices since 2018, the security of the systems was to be further increased. Patient information was to be made available quickly and securely via this secure channel to reduce treatment costs through repeated examinations. However, reports are accumulating that the connection to the network is not as secure as announced.

Which security gaps in TI are described?

Although the TI has been forced to connect to the network, liability in the event of cyber-attacks in particular – and thus for data protection issues – has not been sufficiently clarified. Last year, the IT-expert Jens Ernst from happycomputer already revealed considerable data protection deficiencies when connecting to the telematics infrastructure.

This starts with the way the TI connector is integrated into the network of doctor’s offices. This is where you have the option of choosing between serial and parallel integration. Although serial integration initially requires more installation effort, it offers the advantage that all devices in the doctor’s offices are included in the federal security network. Extra protection on the part of the doctor’s office owners is not necessary according to information of the Gematik. Parallel integration, on the other hand, requires that the physicians make their own efforts to secure their existing systems and devices. This actually only makes sense for larger units that have already integrated many devices into their system before.

Nevertheless, it seems that most units were connected in parallel operation. In this case, the doctor’s office owners themselves would now have to ensure that their own systems were secured. However, many claims that they have not been sufficiently informed about this by their IT provider. Ernst describes that even with the few facilities that have been connected serially, security systems do not function correctly. This is because the firewall of the TI connector in use would not be sufficient to detect an anti-virus test file that he had installed. This means that even in this case there is no security against access by third parties without further security measures. In the vast majority of doctor’s offices, there is therefore no hardware firewall, regardless of how they are integrated. Besides, the virus protection on the computer and the software firewall, which every computer has today, was often switched off.

How can the healthcare system guarantee cybersecurity?

Ernst calls for an open approach to the topic of cybersecurity, which basically rests on three pillars:

  1. A doctor’s office needs a higher security level than just a router, as is often the case today.
  2. Sensitive data should not be sent via a WIFI network. The connector’s LAN network sends data unencrypted; by intruding into the WIFI, it is possible to “listen in”.
  3. Devices that cannot be sufficiently protected due to their design should not be used or operated in a DMZ (Demilitarized Zone).

He also proposes the development of a DMZ in which all TI systems are included. This is currently not even the case for the telematics infrastructure itself. He also criticizes the fact that IT specialists do not need a separate certificate from Gematik to connect the TI. This would ensure that only trained personnel are allowed to carry out the installation and that sufficient educational work is done with the liable physicians.

In summary, Ernst states that the security of all systems can only be guaranteed if the vast majority of surgeries completely remove their computers and devices from the network. Neither the TI connectors nor their own systems would offer any protection whatsoever to safely store consumer data.

As security experts, we too say that security should clearly be the most important starting point for digitization. The security of the systems must be guaranteed before any equipment is connected.

What do you think? Discuss with us.

Cybersecurity in hospitals

Viruses in hospitals – Cybersecurity in the Corona pandemic

The corona pandemic is pushing hospitals and care facilities to their limits. And this also affects the cybersecurity of many facilities. According to Interpol, an increasing number of attacks on the IT network of hospitals has been reported in recent months.

Particularly in the USA, the FBI has been warning since October about increasing cyber attacks on hospitals and the service providers connected to them. At the end of October, various facilities were successfully infected with so-called ransomware. Due to data encryption, the normal operation of the hospitals was no longer possible. Read more here.

But why do hospitals in particular offer such good targets for cyberattacks?

IoT implementation despite low security standards

Hospital IT is one thing in particular: historically grown. And that is exactly problem, in two respects. Historical means that sometimes not all operating systems and application structures are state-of-the-art. Often important security updates or patches are missing to protect the systems. At the same time, the technical infrastructure in the healthcare sector is growing rapidly due to the digitalization of various processes.

This affects medical devices that can communicate via IoT, but often also with the office network. The latter is potentially high-risk since an attack on office computers also affects the IoT devices in the background. Portable medical devices that remotely monitor patients’ vital signs could fail under certain circumstances. A cyber attack would therefore be life-threatening for patients.

Also, hospitals are using opportunities for further digital expansion in the area of office IT: new PCs, tablets, or other smart devices are being purchased that can be used to communicate patient data internally. However, these devices may not even be designed for use in a highly sensitive environment such as a hospital and do not comply with data protection laws or cybersecurity standards. Weak points in their security systems are therefore also ideal starting points for compromising the technical infrastructure.

Besides, some institutions are forced to cut costs and often lack the budget for adequate security of their IT systems. Although they invest in the latest technology, they lack the money and know-how for the corresponding security. And sometimes the clinics themselves are not in control of security installations. Whenever they are connected to third-party providers and their systems. Because even if their own IT has very good security standards, this is not necessarily right for external providers.

Cybersecurity – not just a matter of time

Lack of personnel and thus lack of time are unfortunately everyday life in the medical and nursing professions. Often there is not enough time for the actual work – so where do they get the time to deal with cybersecurity? Most people are probably familiar with simple rules such as switching on a lock screen as soon as you leave your desk or checking the sender of an e-mail. But often the necessary time and/or awareness of the dangers involved is lacking in everyday business life. Employee training courses on cybersecurity could help here – if only time and budget were available.

However, increased attention would make sense. Hospitals are public institutions and therefore easily accessible. Even if the measures in the corona period make access more difficult, it should at least be noted that reception in particular poses a potential cybersecurity risk. In an unattended moment, a potential attacker could enter the hospital’s IT system and could unnoticed install malware on the reception PC via a USB stick.

Also, modern hospitals themselves act as IT service providers. WIFI access is provided for patients and visitors. If the systems are not detached from the actual company network, a potential gateway for hackers is left open.

Increasing the endpoint security of the diverse hospital IT landscape

As you can see, hospitals and other medical facilities already have a diverse IT landscape as a unit. These interwoven areas make the entire IT system vulnerable as soon as a weakness becomes apparent. Due to the sensitivity and criticality of the data and the associated devices and procedures, they require very high security standards. Increasing the endpoint security of KRITIS facilities should therefore be a concern.

A mantra that not only we repeat again and again is the active training of employees, which as an organizational unit belongs to endpoint security: Education creates an awareness of possible sources of danger and how to prevent them. A well set up mail protection is also mandatory for a KRITIS institution.

Besides, Internet access should only be available on those devices that need it. RDP ports (Remote Desktop Protocol) should be secured in such a way that access from outside is not possible. And above all: business-critical areas and the visitor and patient WIFI should not be connected under any circumstances!

And – we can’t repeat this often enough – activate Multi-Factor Authentication (MFA) for all applications connected to business-critical networks. This provides a high hurdle against intrusion by unauthorized third parties and above all against compromising the systems by them.

New draft law on the monitoring of messenger services

How far may German secret services go in revealing terrorist organizations on the Internet?

Especially in the context of right-wing attacks in Germany, this question has once again moved into the focus of public debate. The German government now wants to regulate the powers of the secret services to read encrypted messenger services such as WhatsApp, Telegram or Skype by law. And thus replace the old legislation, which still distinguishes between telephony and internet services.

The current draft states that German secret services—after approval by a G10 commission of the Bundestag—can now also gain access to messenger data from written communication. Up to now, secret services have only been allowed to listen in on ongoing messenger conversations of suspicious persons. An original draft law, which also allowed online sniffing (i.e. covert access to computers, smartphones and other IT services), was rejected.

The draft is controversially discussed in the Bundestag and by external parties.

Proponents see the draft law as an opportunity to adapt German jurisdiction to the current state of the art. And to guarantee the independence of German secret services in the detection of terrorist-motivated crimes. Up to now, they have been dependent on tips and assistance of foreign secret services, to which such hurdles do not apply. At the same time, some data protectionists see the draft as an upgrade of civil rights: because missing regulations would not necessarily lead to higher data protection. After all, only constitutional rules on data surveillance would create barriers that also apply to foreign secret services, for example. If these are missing, this would weaken rather than strengthen civil rights.

Opponents, on the other hand, see the draft law as a curtailment of the fundamental rights of the individual. In particular through the extension of competences of the “Office for the Protection of the Constitution”, which the draft also contains.

#dataprotection #messengerservices