Weekly CyberTip: Celebrating “Unboxing Day”
Get Cyber Safe, Canada’s national public awareness campaign, is proposing a new tradition: “Unboxing Day”. Taking place on December 27 – the day after Boxing Day in Canada – Unboxing Day is meant as a time to make sure your home is cyber safe over the holidays. In their recent blog post, Get Cyber Safe presents a handy tip sheet covering everything from securing your home network to locking down and personalizing new devices. Check it out this holiday season.
BC privacy watchdog issues report outlining “troubling” personal health data security issues
In a report released December 15, the Office of the Information and Privacy Commissioner (OIPC) in British Columbia has highlighted a number of significant risk exposures in the personal health information security system in that province.
“It is troubling that the Provincial Health Services Authority (the PHSA), charged with responsibility for managing the System, has known about these risks since at least 2019, and has made little progress to address them,” according to B.C.’s Information and Privacy Commissioner Michael McEvoy.
The document identifies a number of areas in which the systems maintained by the PHSA are potentially vulnerable to attack. “Multi-factor authentication is the industry standard for securing personal information, however it is not universally required for System access. Very disturbingly, there exists no proactive audit program that would alert authorities to those who try to use the System for nefarious purposes. Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act,” charges the report.
Other issues identified include inadequate SIEM technology, the lack of comprehensive security architecture documentation, the absence of penetration testing on the PHSA network, and potential weaknesses in endpoint security administration.
The report makes seven key recommendations:
- implement and support an improved SIEM solution
- produce and maintain comprehensive, auditable security architecture documentation
- implement a vulnerability management solution
- implement encryption to protect personal information
- conduct pen testing at least annually
- improve endpoint and desktop security
- implement an identity access management solution
As a cautionary tale, McEvoy cites the 2021 cyber attack on Newfoundland and Labrador’s largest health authority, an incident that exposed the personal data of over 58,000 people and disrupted healthcare services for months.
“These impacts are serious, and we need to treat them seriously,” McEvoy says.
In response to the OIPC report, David Byres, President & CEO of the PHSA, issued a brief statement outlining some of the security changes the PHSA has implemented recently, confirming that the “PHSA takes privacy very seriously and on behalf of patients, clients and families throughout British Columbia, we are continually taking steps to ensure that people’s sensitive and private information is secure and protected.”
The statement did not acknowledge the specific issues raised by the OIPC, only thanking the privacy watchdog for the report, and committing to “carefully reviewing the findings and continuing to ensure our databases are safe and secure for everyone we serve.”
Report: 90% of largest healthcare data breaches in 2022 involve third-party vendors
In a year-end analysis, Security Magazine explains that 90% of the 10 largest U.S. healthcare data breaches reported in 2022 could be traced to exposure created by third-party vendors. “The fallout for many of these cyberattacks resulted in impacts for multiple connected providers, with two of these vendor incidents affecting hundreds of providers,” the report explains.
“These incidents should serve as a warning to revisit third-party vendor relationships, ensure the entity is at least annually performing a review of vendors, and consider consolidating vendors where possible.”
Strengthening third-party and supply chain security can reduce the likelihood of a damaging cyber incident, and help protect patient and staff data.
NSA releases 2022 Year in Review report
On December 15, the National Security Agency (NSA) in the United States released their annual Year in Review. The report highlights some of the NSA’s key achievements in 2022, noting their success in collaborating with industry to harden billions of endpoints against active and ongoing nation-state threats, disclosing zero-day vulnerabilities, releasing cybersecurity guidance, setting new security standards, and delivering tools and technology to help all industries protect themselves against cyber attack.
Happy Holidays from ISA Cybersecurity CyberNews!
CyberNews will be on hiatus for the holidays, returning on Tuesday, January 3, 2023. All the best to you and your families for the season. Stay cyber safe!