What Can Healthcare Providers Do To Make Cloud Adoption Easier?

Healthcare Cloud Computing

Microsoft’s Azure cloud service recently suffered a major disruption at one of its data centers in Texas. A truly epic lightning storm caused even the backup generators to go offline. Every time the center struggled back to a semblance of normal operations, another round of thunderbolts blew through and the center was offline again. It took about eight hours to fully restore service to the affected clients.

Cloud opponents will point to this and say that this proves the cloud is unreliable; no hospital can afford eight hours down. And Microsoft would rightly reply that, had those clients who were affected chosen to set up a redundant site in another region, their workload would have been seamlessly shifted over to a center out of harm’s way.

Microsoft would also note that eight hours a year of downtime is a miraculous figure compared to some hospitals that operate their own data centers. Virtually all of us have had the experience of having a health care provider tell us that they couldn’t do this or that because “the computers are down.”

What’s Coming in Cloud 2.0?

While some providers are waffling over whether to move anything to the cloud and if so, what, others are racing to get ahead of the coming tsunami of artificial intelligence (AI) products that are in the pipeline. Remember that Amazon, Microsoft, and Google are all working in collaboration to make medical records more uniform and permit rapid data exchange, where there is effectively “one patient, one chart,” no matter how many providers the patient sees.

This obvious step forward fills many providers with dread. Michael Robinson, the Vice President for healthcare at VMware, a Dell subsidiary, puts it like this: “A huge barrier to cloud adoption is that healthcare organizations want to run their own private environments and do not trust public cloud providers to secure their data.” (Robinson 2018.)

The consulting firm McKinsey sees a major divide coming between firms that adopt AI and those that don’t – to the great detriment of the latter (MIT Interview). The leaders will be so far ahead of the pack that the stragglers will never catch up.

What Is The Value Added?

AI will offer an enormous basket of goodies in the next five years. Virtual agents will enable replacing a lot of the legwork that providers’ employees do. But the big payoff for organizations in the near term will be in the realm of analysis. Data analysis becomes ever more important for all organizations.

Deep learning and similar techniques have been derided as “curve fitting,” but the point is that they are not only fitting lines to the curves, they are finding curves that no one suspected were there. And a lot of the patterns being discovered have to do with money. Hospitals often have no idea what they charge for a given procedure and why they are charging that amount. The prices are usually set in negotiations between payers and providers. AI can discover the real cost of procedures and show what is being overcharged and what is being undercharged. The latter, obviously, are revenue opportunities.

Of course, doing this kind of analytical work involves de-siloing financial and clinical data and making all of it available in one large data lake. Some level of data cleaning is a necessity. CMS, for example, spent over a billion dollars a year cleaning up Medicare and Medicaid data before doing analyses. You will not have to spend a billion, but you would be well-advised to spend something. It is also important to have good consultants to assist in the de-siloing and the data lake creation. Time spent on the front end will save a lot of frustration on the back end.

The value added will be understanding what’s going on in your organization at the deepest levels. Comprehension of this type enables rational actions towards critical business goals. Of course, if your organization has no goals that are stated in quantitative terms, then the analysis is of no use to you. If, on the other hand, you know what “good care” is in terms of costs, infection rates, lengths of stay, morbidity and mortality, and other operational parameters, you will be ahead of the game.

What Are The Risks Of Non-Adoption?

You can choose not to adopt the coming AI revolution. The risk you run there is being eclipsed by your competition, who will be enjoying the fruits of better, faster operations, and lowered personnel costs. You could find yourself in a negative business position from which you cannot recover.

For most healthcare organizations, the biggest worries are security, compliance, and privacy, but the paradox here is that the security that cloud providers can give you is far better than you can provide for yourself. You may also fear the loss of control. Again, cloud providers will generally provide whatever level of security you ask for. You can ask for a private cloud and get utmost security there. If you take that direction, you lose the opportunity to reduce your IT staff, but that may be a price you are willing to pay.

In summary, the risks of not moving to cloud 2.0 are infinitesimal compared to the benefits. It’s a move you’ll eventually have to make so why not take the plunge now?

Election Cybersecurity: Why This Is Needed Now More Than Ever

Russian Hacking

With the 2018 midterm elections on the horizon, there are increasing concerns regarding cybersecurity and the voting systems in each state. These security concerns have to extend far beyond our voting systems with this election because digital platforms are also vulnerable to cyber threats. This means that not only are voting and vote tabulation processes at risk, the operations of political parties and candidates are vulnerable as well.

 

 

Election cybersecurity is so important right now because there are forces constantly working to undermine trust in our election system and confidence in the outcome.

Growing Trends Leading Up To The Election

Tom Burt, Microsoft’s corporate VP for security and trust, spoke with a panel at a conference in mid-July about how the company had detected and helped block phishing attempts against three midterm candidates. Hackers had registered a fake Microsoft phishing website designed to trick staff members into handing over passwords or downloading malware onto their computers. These attacks were similar to those sustained by the DNC in 2016.

A few weeks later, Microsoft then reported how it had to disable six Russian-launched websites masquerading as official websites of the U.S. Senate, two conservative think tanks, and the company’s OneDrive cloud storage service. Microsoft President Brad Smith said that they were “concerned that these and other attempts pose security threats to a broadening array of groups connected with both political parties.” Microsoft warned that Moscow was broadening its attacks.

In late August, Microsoft revealed that Russian and Iranian hackers were using the company’s Azure cloud platform to set up fake domains so they could send phishing attacks that were targeted at political campaigns. These websites were so realistic-looking because the hackers used misappropriated company logos and trademarks.

Google also recently alerted Senator Pat Toomey of Pennsylvania about how hackers with ties to a “nation-state” had sent phishing emails to old campaign email accounts. Steve Kelly, a spokesman for the senator, said the accounts hadn’t been used since the end of the 2016 campaign. Kelly said that these actions underscore the cybersecurity threats our government, campaigns, and elections are currently facing. The news article goes on to report how Senator Jeanne Shaheen of New Hampshire has also been the target of phishing attacks.

These cybercriminals are targeting our political system by trying to gain access inside political campaigns. They also probe our electoral systems, where they can potentially alter voter data and election results. Fake ads and accounts on social media are other methods used to spread disinformation and division.

They will continuously try to do everything they can to breach our systems and disrupt elections in November. Are you prepared for it?

How Candidates, Staff, and Consultants Should Be Protecting Themselves

1. Security Awareness Training

Security awareness training gives everyone the knowledge to recognize cybercrime and to learn more about security risks, including social engineering, online phishing, and web-browsing risks. Continually emphasizing the critical nature of data security and the responsibility of each person in protecting this data will have a significant impact.

2. Data Incident Reporting Procedures

Knowledge about data incident reporting procedures and awareness of a computer operating outside its norm (unexplained errors, running slowly, changes in desktop configurations, etc.) are also critical. When everyone on your team can recognize a legitimate warning message or alert, this will allow these incidents to be reported to IT immediately, so they can mitigate and investigate the threat.

3. Strong Password Selection

Making sure that everyone knows how to select strong and secure passwords is essential. The stronger the passwords, the more secure your computers and accounts are. Have users create a very long easy-to-remember passphrase that never changes, and then add app-based two-factor authentication for accounts with sensitive information, e.g. email.

4. Responsible Email Usage

Responsible email usage is another great defense for preventing data theft. Accepting only email that comes from someone you know or have received mail from before, that you are expecting, that doesn’t look odd with unusual spellings or characters, and that passes your anti-virus program test will help thwart these phishing attacks. Also, be particularly cautious with emails containing links and attachments.

5. Hire A Security Partner

Your final defense is to hire a good cybersecurity provider and form a partnership where remote monitoring and constant maintenance allow them to keep ahead of any threats. There are so many ways hackers can cause chaos on your network and try to tamper with information, without you knowing about it. Sometimes your IT team just doesn’t catch it quickly enough and the damage will already have been done. Many eyes are essential to a proactive defense.

Are you the next target of these cybercriminals? They’re going to attack; it’s the where and when that’s uncertain.

KTG recently brought on a new client in the Nashville area who provides political campaign strategy services. The company reached out to us to make sure they are as secure as possible. We have implemented several layers of additional security to protect their employees, the candidates, and the staff they are working for during this election cycle.

By partnering with KTG, you will have consistent, “on guard” protection for your network, essential data, applications, people, and processes. Please contact us today because vigilant cybersecurity management leading up to and during these elections is needed now, more than ever.

How Can I Optimize My Wi-Fi?

Speed up WIFI

As technology keeps improving with each new upgrade and version, there are constantly new ways for people to improve their Wi-Fi speed. Reflecting the most recent developments, the instructions below explain how to minimize obstacles to your connection speed while optimizing it as much as possible.

How Can I Use A Speed Test For Optimization?

Speed tests can help you locate problems and potential in your Wi-Fi network. The two most relevant aspects of your connection are the speeds at which it can upload and download data. These can affect aspects of your operations including:

  • How quickly you can send large files in your business
  • How long manual or automatic updates take to download
  • Media and a range of aspects of web browser speeds
  • Computer, internet of things (IoT) devices, and cloud file transfers
  • File attachments in emails
  • Sending live video streams
  • Uploading media such as images

Running a speed test allows you to view measurements of the ping, or the effective response time of the Wi-Fi connection, which is measured in milliseconds. Users naturally want to have a low number for their measurement. Many free speed tests are available online, such as Speedtest.net, which is recommended by Linksys and created and maintained by Ookla, an online metrics business. Ookla’s test draws on over eight billion tests of experience and works by analyzing sample uploads and downloads.

Before starting a test, users are recommended to ensure that their connection is maintained in a normal manner so that the reading is accurate. For example, if multiple family members are using hotspots, streaming, using online gaming, using downloads, etc., it is recommended that the user wait until the use of service ends so that ideal testing conditions are established. Additionally, users are recommended to ensure their router or routers are not obstructed in some way.

After testing, if you are not satisfied with the results, you can take some actions in an attempt to make improvements. You could also consider upgrading your router or changing Wi-Fi providers. Purchasing a superior router can also give you better security as you browse. Some users, especially those in large offices or homes, use a range extender to improve performance.

Other options include resetting your router, then retesting to ensure that the low speed observed wasn’t simply random or a ‘fluke.’ Next, you can attempt to transfer your router or routers to a more open area of your building to be sure that electronics or building materials weren’t responsible for a reduced signal strength causing the speed drop.

Beyond this, check to see if your modem is outdated. If you have a dual-band router, you can go into its settings to see if you can switch from the common 2.4 GHz frequency to the 5 GHz one, which will reduce signal congestion. Lastly, you can compare your Wi-Fi connection against a wired connection over an ethernet cable to determine the extent to which your speeds are due to your internet service provider (ISP) or a device. Your ISP may not actually be providing the speeds that they advertise. If you determine that the ISP is the culprit here, contact them, explain that you’ve checked to make sure that your slow speeds are not due to anything else, and insist on them taking action on their end.

In addition to the link provided above, NetSpot recommends users consider their speed app or one of four others listed on their website: Wifiner, Network Speed Test, LAN Speed Test, or Google Speed Test. Click the link for details regarding these tests and other relevant information.

How Can I Begin To Take Steps To Increase Robustness And Reliability?

Beyond the basic steps listed here, you can begin to take more involved steps to optimize your connection. Firstly, you can update the firmware of your router. There may be a new version that has been created since your last install. Firmware updates are important because they involve better security or other speed related upgrades that can improve your service. The administration page of your router’s firmware generally has access to this.

In addition to interference from building materials and slowdowns from heavy use, you may be experiencing interference from other devices you use. Home telephones, Bluetooth speakers, microwaves, baby monitors, and other devices, according to USA Today, can affect a Wi-Fi network. Creating a ‘heat’ map of potential issues using an application such as HeatMapper could assist you with finding them. You can also attempt to change the channel you established for your router, or use network settings and rules to limit the bandwidth or accessibility of other users to reduce their capacity to affect your speed.

The Quality of Service (QoS) feature available in some routers can also potentially help, as it allows users to prioritize their traffic according to the nature of the information being transferred. Applications that are sensitive to latency, such as Skype, streamed media, and online games, can be given higher priority than other types of activity for better results in practical use.

How Can I Further Optimize My Router?

Beyond changing the settings and updating the firmware, you can upgrade. If you navigate to the settings feature of your existing firmware, you should be able to enter into “Advanced Settings” and access channels. Changing the channel to a ‘clear’ one that no one else is using can help. LifeWire has more channel-related recommendations.

How Can I Use A Powerline Or Wi-Fi Signal Strength Increaser?

Wi-Fi extenders, which are devices made specifically for the purpose of improving your wireless power, can also be a worthwhile investment. According to TechRadar, such devices have been increasingly useful in helping people experience greater improvements to their network capacities. Relatively inexpensive, they significantly increase coverage without the extent of installation or restructuring required in implementing new network cables. The most effective use of them is their placement in areas where the signal in the network has been observed as weak. Specific devices that TechRadar recommends for this use include:

  • Netgear’s AC1200 EX6150 and EX6200 models
  • D-Link’s DAP-1520 Dual Band Range Extender model
  • TP-Link’s RE350 AC1200 model
  • Linksys’ RE6500 AC1200 and Velop models
  • D-Link’s DAP-1320 N300 and DAP-1650 AC1200 models
  • Trendnet’s 1200 AV2 model

How Can I Make The Most Of The Netgear Genie Program?

Netgear Genie is a desktop application program that can be configured to manage home routers for the purposes of:

  • Network speed tests
  • Live parent controls
  • SSID and password changes
  • Guest network controls
  • Viewing a connected device map

Most of these help users do what has already been discussed here more easily. The network map feature shows when connections are problematic.

What Should I Do?

Use these recommendations as a basic guideline. While you may not need to upgrade your hardware or even your software, it’s likely that you can take some action to increase your Wi-Fi performance.

How Could My Office 365 Be Vulnerable To ‘ZeroFont’ Phishing?

Microsoft Office 365 Zerofont

What is ‘ZeroFont’ Phishing?

‘Phishing’ is where hackers attempt to get a user to willingly provide personal information, generally by posing as someone else. It is one of the more threatening forms of hacking, as it is among the most difficult to protect against with traditional security measures.

Hackers continue to find new ways to breach spam and other filters while representing authorities with practical reasons to request information. It is ultimately the user’s decision to trust the hacker which results in information misuse. Users must, therefore, be aware of the nature of phishing tactics and vulnerabilities to best protect themselves.

‘ZeroFont’ phishing attacks have been successful against Office 365 users. In this attack, hackers use a zero-sized font in order to hide identifying information while posing as a reputable account-hosting organization. Users are unable to view zero-sized fonts so they are easily tricked.

What’s Been Happening?

Attacks have been increasing as security researchers learn about this type of internet hacking. ZeroFont phishers have been bypassing Advanced Threat Protection (ATP) processes in popular email services, such as those provided with the commonly used Office 365. Although the advanced Microsoft software uses security processes with many AI and machine learning procedures for blacklisting and other forms of phishing defenses, the ZeroFont method is able to evade these. The use of zero font sizes has proven to be a clever method that allows hackers to sneak in and steal information from a wide range of users.

ZeroFont attacks are actually not new. They were used by hackers in the past but faded into the background for quite some time. For years, hackers have used simple phishing scams to trick users into visiting unsafe sites or giving up their log-in information. This basic method of exploiting internet users has been very successful but cybercriminals are always looking for new and easy ways to steal our money.

Microsoft’s natural language processing has made it more vulnerable to zero font attacks. One example of a hacker using this approach for a successful attack against an Office 365 user involves fraudulent email. The emails are created by a phisher who pretends to be a legitimate Microsoft representative. The email they send out says something about how Microsoft is attempting to notify them that they’ve reached a quota limit of some sort.

Seeing the words ‘Microsoft Office 365,’ the user assumes they’ve received an actual message from their subscription representative, and the email urges them to divulge personal information. Because of the zero font size, the security program does not recognize relevant keywords and the email is not correctly identified as a ‘spoof’ or spam. Instead, users may choose to cooperate in providing personal information.

ZeroFont attackers can exploit an ability to display a message to users that cannot be properly read by anti-phishing filters. These emails can look as if they are being sent by Facebook, PayPal, Apple, or your financial institution. They urge users to give up sensitive personal information that can then be misused. Hackers have been able to take over Amazon, Facebook and eBay accounts.
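The gap between what a filter scans and what a reader sees can be checked directly. The following is an added example, not code from Microsoft or from the original article: it separates an HTML body into visible text and text hidden with an inline `font-size` of zero, then flags messages whose watched keywords only exist in the visible rendering. The keyword list, the sample message and the function names are constructed for illustration, and only inline `style` attributes are evaluated.

```python
import re
from html.parser import HTMLParser

FONT_SIZE = re.compile(r"font-size\s*:\s*([^;]+)", re.I)
ZERO_VALUE = re.compile(r"^(?:0+(?:\.0*)?|\.0+)(?:px|pt|em|rem|%)?$", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
KEYWORDS = ["microsoft", "office 365", "quota"]  # constructed watch list

# Constructed sample: brand words are split by zero-sized filler characters.
SAMPLE_HTML = """<html><body>
<p>Mi<span style="font-size:0px">kz</span>cro<span style="FONT-SIZE: 0">qq</span>soft
Off<span style="font-size:0pt">xj</span>ice 365: you have reached your
quo<span style="font-size:0 !important">vv</span>ta limit.</p>
<p style="font-size:12px">Sign in to review your storage.</p>
</body></html>"""


def is_zero_sized(style, inherited):
    """Zero font-size in this element's inline style, else the parent's state."""
    match = FONT_SIZE.search(style or "")
    if not match:
        return inherited
    value = match.group(1).split("!")[0].strip()  # drop "!important"
    return bool(ZERO_VALUE.match(value))


class ZeroFontSplitter(HTMLParser):
    """Sorts text nodes into what a reader sees and what font-size:0 hides."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []        # one flag per open element: rendered at size 0?
        self.visible = []
        self.hidden = []
        self.everything = []   # what a tag-stripping scanner would read

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(is_zero_sized(dict(attrs).get("style"), inherited))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.everything.append(data)
        zero = bool(self.stack) and self.stack[-1]
        (self.hidden if zero else self.visible).append(data)


def normalise(parts):
    """Join text nodes and collapse runs of whitespace."""
    return " ".join("".join(parts).split())


def analyze(html, keywords=KEYWORDS):
    """Compare the scanner's view of a message with the reader's view."""
    parser = ZeroFontSplitter()
    parser.feed(html)
    parser.close()
    visible = normalise(parser.visible)
    scanned = normalise(parser.everything)
    hidden_chars = len("".join("".join(parser.hidden).split()))
    only_visible = [k for k in keywords
                    if k in visible.lower() and k not in scanned.lower()]
    return {
        "visible_text": visible,
        "scanned_text": scanned,
        "hidden_chars": hidden_chars,
        "keywords_only_visible": only_visible,
        # Hidden text that breaks up watched keywords is the ZeroFont pattern.
        "suspicious": hidden_chars > 0 and bool(only_visible),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_HTML)
    for field, value in report.items():
        print(f"{field}: {value}")
```

Running the keyword check on `visible_text` rather than on the tag-stripped body is the part that closes the gap; the `suspicious` flag is useful as a separate signal because legitimate mail rarely needs zero-sized text inside words.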

While natural language processing is regarded as a powerful aspect of software, highly efficient and effective while safeguarding against email phishing, exploitations of its vulnerabilities have caused ongoing demands for security upgrades. Avanan has more information about the nature of ZeroFont, Punycode, Unicode, and Hexadecimal Escape Character attacks being used today.

Online sources explain that this form of attack has been common, if not rampant, since the extent of certain vulnerabilities in Office 365 has been realized.

Security Affairs reported recent phishing ‘campaigns’ that have successfully used this approach, and The Hacker News also reported on a campaign that ‘wildly’ attempted to target a wide range of Office 365 users. The latter was reported to involve a representation of Microsoft while directing users, via a link, to a SharePoint document established to record sensitive information.

As the bodies of the emails sent made use of a zero font size to avoid anti-phishing filters, users were presented with messages that appeared to be legitimate. Imagine getting SharePoint invitations asking for your collaboration or cooperation from Microsoft. It can be tempting to follow the instructions that hackers provide and just do what they say.

Clicked links resulted in automatic openings of the SharePoint file, which hyperlinked the user to an unsafe URL. Therefore, even users that did not log in were vulnerable to hacking through the hyperlink, while users that attempted a login also provided their account information to the phisher.

The only way Microsoft can identify such attempts is to scan links within shared documents for URLs that appear to be created for the sake of phishing. Hackers have now become well aware of this. Even if all links are correctly identified, the software would have to blacklist links to all SharePoint files to blacklist the bad URL. This is not a practical fix for the problem.

The Hacker News reported that approximately 10 percent of registered Office 365 users had been targeted by a phishing campaign within just a two-week time window.

 

What Should I Do?

In addition to following best practices for trusting a claim of authority in an email, Microsoft recommends that you:

  • Ensure the best ATP anti-phishing software and updates are installed.
  • Use all applicable anti-phishing features.
  • Use the Security & Compliance Center for more information and system- or software-specific instructions and optimization.

 

CIPA Compliance – What Does It Mean?

CIPA Education

Schools and libraries applying for E-rate technology funding discounts must be CIPA Compliant. CIPA stands for the Children’s Internet Protection Act and mandates that if an institution is receiving a discount for network and network-adjacent services, then it must develop a protocol for use of these services by minors. Further, CIPA stipulates that the public must be notified that the district, school, or library is going to be developing an internet safety protocol, and offer a public hearing before developing the protocol (again with adequate notice to the public ahead of time).

The E-Rate discount applies to:

  • Data Transmission Services and Internet Access
  • Voice Services
  • Internal Connections
  • Managed Internal Broadband Services
  • Basic Maintenance of Internal Connections

It does not apply to funding the actual computers, VoIP phones, software, or any other devices that use the above telecommunication services.

Eligible institutions or educational consortiums accepted into the program will receive need-based discounts of between 20-90% off of the costs for the above-mentioned services.

CIPA Compliance Overview

Before implementing an internet use policy, schools and libraries have to provide reasonable notice to their learning communities that they’re going to be putting one together. Additionally, they must hold at least one public hearing where citizens may ask questions or register concerns.

Lastly, the policy must include two certification requirements: online protection of minors such as filters that can block out objectionable content, and they must include a plan to educate minors on internet safety, cyberbullying, “Netiquette” and more.

The 2011 update also notes that public libraries are not subject to CIPA compliance.

Additionally, schools and libraries have to put into their policy:

  • Education on safe direct-link contacts such as email or chat.
  • Unauthorized access like hacking perpetrated by minors and other unlawful acts committed by minors using school devices or using internet services on school property.
  • Unauthorized access, dissemination of, or use of minors’ personal information including grades, addresses, medical alerts, etc.
  • Restrict minor children’s ability to access potentially harmful material.

Here is an example of a CIPA Compliance Contractor used by Walled Lake Consolidated Schools in Walled Lake, Michigan.

Adults on Campus

Adults using the internet for appropriate, necessary means are permitted to remove filters blocking access to necessary websites and programs. Adults are also not subject to internet tracking.

Who Determines What Materials Are Appropriate?

Local and state authorities determine what content is appropriate or inappropriate. Further, the blocking of entire social networking sites such as Facebook is not required per CIPA, though individual instances of objectionable or mature content should be filtered out.

Important Additions to CIPA as of 2011

E-rate funding discount recipients must develop and implement a workable strategy for protecting minors and their information, and for educating minor students in how to properly present and protect themselves online.

Schools must provide lessons in “Netiquette” and direct communication (e.g., chat sessions, email) safety education for minors using the internet on school property or with school devices.

What About BYOT/BYOD?

The biggest wrench in the works after funding issues is the BYOD/BYOT phenomenon. It’s natural to allow students to bring in their own devices. It takes care of a few problems regarding access and funding. Plus, it reduces the amount of class time needed to train students on an unfamiliar device since they are using their own devices. However, the problems that Bring Your Own Device programs bring far outweigh the benefits.

What Is Due Diligence On The Educator’s Part?

Really, the same tried-and-true methods that caught kids with comics or Playboys behind their textbooks still work today. Move around the room as you would for any other group activity or quiet study time, and make your presence known.

Screen mirroring works too and has the added bonus of allowing you to pretend that you’re a TSA agent or mall security officer. It does not allow for classroom management best practices, however, since the instructor may be glued to the screen too closely. It also opens teachers up to liability regarding students’ privacy since a distracted teacher may leave a mirrored workspace screen unattended, giving someone else an opportunity to access student work.

Going back to BYOD, which almost certainly would not be mirrored, students may use personal broadband or other mobile networks to get around filters. Of course, it would be a violation of not only CIPA-related policies but likely policies already on the books in just about every school district. The best protection is to have a clear, promulgated policy in place that spells out expectations as well as consequences for violations of the policy.

Personal use on a private network also does not currently fall under CIPA’s scope, nor is there any reason to think that it ever would, since CIPA compliance relates to use of school network services and devices. Making the access to restricted materials difficult, expensive, or extremely inconvenient will naturally cut down on the number of people trying to do so.

Last Word – “The Spirit Of CIPA”

Due to the nature of technological innovation today, there are going to be instances of uncertainty. If you “keep in the spirit of CIPA,” you should be all right. Districts developing their policies should make it clear that students and educators failing to make a good faith effort to remain in compliance put funding and the safety of minors at risk, therefore violations will have consequences. It should not be too difficult to uphold the spirit of the CIPA since CIPA guidelines line up faithfully with the goals of all educators: to provide a secure learning environment for students.

The next E-Rate training webinar is Wednesday, September 19, 2018, and it takes educators through the invoicing process.

 

What Should I Know About Fluxion Hacking And Protection?

Social Engineering

What is Fluxion?

Fluxion is a new program that combines social engineering and technology to trick users into giving up their log-in and password information. This program is a step above Wifiphisher, which lacks the ability to verify WPA passwords. Fluxion takes all the work out of hacking using a variety of processes that quickly and easily convince users to provide their Wi-Fi password.

Hackers can acquire these passwords through a few simple taps on a keyboard. Fluxion is regarded as a success in making it easier than ever for cyber thieves to steal valuable information from users.

In its basic framework, it is similar to previous developments, but it uses a twin access point in combination with handshake capture and integrated jamming functions. These can work together to overwhelm hardware and software operations that normally take place in the standard functionality of the user account.

What Recent Developments And Potentials Should I Be Concerned With?

Most concerning is how far Fluxion has developed, combined with how accessible and easy to use it is online. A search of Google or other major internet search engines will reveal numerous instructional pages that can be downloaded. These instructions enable anyone with a little Internet skill to begin a new career as a cyber thief. These sites provide public access to a range of resources that make it possible for anyone to violate user privacy and accounts and steal login information.

The program initiated as an improvement over a successful attack and was rewritten, so both the structure and coding have been strategically optimized in addition to its user-friendliness and availability.

How Does Fluxion Work?

Fluxion uses what is known as a WPA handshake to affect the functionality of a login page as it attempts to obtain user information. It can affect how the user’s entire script is controlled: the original network is jammed, and a clone is created with the same name in an attempt to persuade the user to make an unsafe connection under the guise of a familiar one. It often requests that the user allow time for their router or firmware to reload or be updated. This is just a ploy; the real objective is to steal sensitive information.

Fluxion is an EvilAP attack tool, written in a combination of Bash and Python, that is used for MITM attacks on WPA wireless networks. Online sources present Fluxion as a potentially beneficial tool, touting its features in much the same way that business software is promoted for the improvements it could bring. Hack Insight claims that the use of Fluxion allows network scanning, handshake capture, web interface use, imitating original access points, the de-authentication of all users on a network, capturing and redirecting of all DNS requests, captive portal launching, password verification processes, and automatic program termination following the recording of a viable password. Technology and strategies applied include the launching of FakeAP instances for access point emulation, fake DNS server launching, and MDK3 process spawning.
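The jam-and-clone behaviour described above leaves traces a network owner can watch for. The following is an added example, not code from the original article or from Fluxion: it flags a protected SSID that is suddenly advertised by an unlisted BSSID, and raises the severity when the clone is unencrypted or the real access point is being hit with de-authentication frames. The allow-list, the threshold, and the scan records are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# BSSIDs that legitimately serve each protected (encrypted) SSID. Constructed values.
KNOWN_APS = {"ClinicWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
DEAUTH_BURST = 20  # assumed threshold: deauth frames per scan window


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # lower-case MAC address of the advertising radio
    security: str   # "WPA2", "WPA3" or "OPEN", as reported by the scanner
    channel: int


def find_cloned_ssids(beacons, deauth_counts, known=KNOWN_APS, burst=DEAUTH_BURST):
    """Return one finding per unlisted radio that advertises a protected SSID.

    beacons:       iterable of Beacon records from one scan window
    deauth_counts: {bssid: deauth frames seen that name this BSSID as the AP}
    """
    by_ssid = defaultdict(list)
    for beacon in beacons:
        by_ssid[beacon.ssid].append(beacon)

    findings = []
    for ssid, allowed in known.items():
        strangers = [b for b in by_ssid.get(ssid, []) if b.bssid not in allowed]
        if not strangers:
            continue
        # Jamming shows up as a burst of deauth frames sent in the name of
        # the real access point, pushing clients off the genuine network.
        jammed = any(deauth_counts.get(mac, 0) >= burst for mac in allowed)
        for b in strangers:
            reasons = ["unlisted BSSID advertising a protected SSID"]
            if b.security == "OPEN":
                reasons.append("clone is unencrypted (captive-portal lure)")
            if jammed:
                reasons.append("deauth burst against the legitimate AP")
            severity = {1: "low", 2: "medium", 3: "high"}[len(reasons)]
            findings.append({"ssid": ssid, "bssid": b.bssid,
                             "channel": b.channel, "severity": severity,
                             "reasons": reasons})
    return findings


# Constructed scan window: the real AP, an open clone, and an unrelated network.
SAMPLE_SCAN = [
    Beacon("ClinicWiFi", "aa:bb:cc:00:00:01", "WPA2", 6),
    Beacon("ClinicWiFi", "de:ad:be:ef:00:01", "OPEN", 6),
    Beacon("CoffeeShop", "11:22:33:44:55:66", "OPEN", 1),
]
SAMPLE_DEAUTH = {"aa:bb:cc:00:00:01": 140}

if __name__ == "__main__":
    for finding in find_cloned_ssids(SAMPLE_SCAN, SAMPLE_DEAUTH):
        print(finding["severity"], finding["bssid"], "; ".join(finding["reasons"]))
```

A "low" finding on its own can simply be a newly installed access point that has not been added to the allow-list yet.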

What’s Been Happening In Research And Development?

Research and development (R&D) regarding Fluxion and related computer software security processes has involved multiple studies and patents in the past year. At the 12th International Conference on Recent Innovations in Science, Engineering, and Management, researchers reported having developed a highly successful cracking system by using Fluxion as their foundation. They explained that the damage that can be done with new hacking software using Fluxion demands better software processes in addition to network strategies in currently maintained and improving systems, particularly those that handle network connections and passwords.

At the 2017 IEEE International Conference on Power, Control, Signals and Instrumentation Engineering (ICPCSI), researchers reported that a number of new security patents have been involved in safeguarding against new hacking techniques that are relevant to the processes used by Fluxion. Fluxion was projected to remain a target of ethical hackers in ongoing research and development, and a foundation of the more damaging tools developed and made accessible online.

What’s The Bottom Line?

  • Accessibility and ease of use make Fluxion particularly dangerous
  • Combines multiple processes for high potential effectiveness
  • Foundation of new and more deadly cyber security attacks
  • Warrants multiple security upgrades and ongoing R&D

Migrating Your Healthcare IT To The Cloud: What’s It Gonna Cost You?

healthcare cloud

You may have an EHR system, decision support systems, purchasing, payroll, laboratory, pharmacy, personnel, finance, planning, and a myriad of other systems running on hardware that’s getting very long in the tooth.

Many PCs are still running some older version of Windows. These issues can be a constant source of security headaches for the IT staff of today’s healthcare organization. From causing security breaches to all-out system failures, this type of trouble can cost your health organization money. In addition, your staff will not have the modern tools they need to do their jobs.

The cloud vendors see your suffering, and, as they are kind, they offer to take this all off your hands and move all your IT operations to the cloud. “For how much?” you ask. “Between $35 and $165 per seat per month,” they reply. You are taken aback. $35 per seat per month is about what you’re paying for Microsoft Office Enterprise, which, you dimly recall, sort of runs in the cloud, or at least it can. What a deal! Where do you sign?

What Was That You Said About Cost Again?

The first thing you realize is that the quoted figure is the cost of cloud operations once the migration has been completed. Nothing was said (yet) about the cost of moving to the cloud. Digging deeper, you note that the amount charged will vary by processor load, storage used, and “egress” – the cost of moving your data out of the cloud vendor’s data centers down to your PCs, smartphones, and tablets. You quickly discover that if all you want to do is store your data, the cloud is an incredible bargain. If you want to use your data, on the other hand, then this is a whole different story.

There are two choices when it comes to the Cloud: the private and the public cloud. In addition, there are two big vendors: Amazon Web Services (AWS) and Microsoft’s Azure.

So many choices to make and it’s important to make the right ones in order to get exactly what your healthcare organization needs without paying too much.

If your hospital is located in a rural area with practices spread far and wide, then your healthcare facility will need very different services than if you are a single large hospital in a big city. Keeping all of this info on a yellow legal pad may not be ideal. With so many different choices to make, it can be beneficial to work with a trusted IT consultant instead.

There are so many decisions to make and it’s important to find the right IT provider who will oversee everything from start to finish. If you run a busy healthcare facility, you probably don’t have the time or the skills to do all this work yourself. Once you find the right IT service provider, work very closely with them to develop a migration plan, an infrastructure plan, a schedule for moving services, backup storage, and security services.

So, What Are The Real Cloud Advantages?

Moving your operations to the cloud has four substantial advantages:

  1. You no longer have to worry about back-end hardware. All that goes away, except for the servers that interface with the cloud.
  2. You no longer have to worry about capacity, in terms of processor load, memory, or storage. Whatever you need, the cloud provides.
  3. Your security worries will be, not eliminated, but drastically reduced.
  4. You will be able to reduce your in-house IT staff, possibly substantially.

These benefits are arguably worth a tidy sum to most healthcare organizations. AWS, Azure, and a private cloud can provide all of them. So how do you choose?

How Do I Choose The Vendor?

The first thing you need to realize is that you will need a redundant, “failover” site that automatically comes online if the cloud provider’s main site for your applications is down. This does happen – Amazon ran into this issue with its own site on Prime Day 2018.

The cost of this is not automatically included, and it can be substantial. The second thing is that private clouds, where the vendor can treat you as a sole client, are much more configurable than the public cloud (AWS or Azure), which has to be configured to support all comers. Of course, if the situation demands it, you can run part of your operations in a private cloud, and the rest in the public cloud; setting up communication between them is relatively easy.

Should I Wade In Or Jump In?

McKinsey, the renowned consulting firm, has studied both failed and successful cloud migrations and recommends a phased approach. Of course, no solution is one-size-fits-all, but there is a good deal of thought and expertise behind their recommendations. In other words, they say wade in, don’t jump in.

Wading rather than jumping allows you to:

  • Test the feasibility of cloud migrations
  • Orient your IT staff to cloud operations
  • Distribute costs over time
  • End the project gracefully if it is proving infeasible

Wading will also give you a much more realistic appreciation of the costs and the benefits that are involved.

So, What’s The Bottom Line?

Unless the IT gods are smiling at your organization, you will not be running all your IT operations in the cloud for the $35 you pay for Microsoft Office Enterprise. When site redundancy, egress costs, and processor surge demands are considered, your total costs per seat per month are likely to be higher than this.

When you consider that cost versus a realistic assessment of your current costs (including hardware, software, staff costs, network costs, electricity, cooling, backup, and security), moving to the cloud may still be a bargain. It totally depends on your organization’s needs and the way it handles data. With most healthcare organizations growing by leaps and bounds and considering the high demands that doctors and patients place on the healthcare system, there’s every reason to believe that you will eventually have to make the switch.

What Do I Need To Know About The Google Chrome Vulnerability CVE-2018-6177?

Google Chrome

What is CVE-2018-6177?

Today’s new releases of browser software are supposed to be improvements over past versions in terms of functionality, helpful features, security, and the speed of overall operation. However, these changes often involve new vulnerabilities which hackers can target and exploit. A recent release of Google Chrome is a good example. A vulnerability allowed hackers to access user information stored in major web platforms such as Facebook and Google. This vulnerability was identified as CVE-2018-6177. It was only recently addressed with the release of Chrome 68.

How Have People Been Affected?

The Chrome vulnerability has caused people to hesitate about upgrading to the most current version of the browser. The previous release’s vulnerability has allowed hackers to have increased access to data stored on online databases, including Google and Facebook, leaving a full range of personal information exposed.

The vulnerability exploits a weakness in the audio and video HTML tags used in the engine. It has been listed in the Common Vulnerabilities and Exposures (CVE) database, a .org website dedicated to such issues. The National Vulnerability Database (NVD), a US government establishment also dedicated to this cause, has an entry about these issues that is incomplete.

The most severe attacks that a user can experience include identity theft, resource theft, and system damage through the execution of arbitrary code. Users could also experience common side effects of hacker attacks, including being locked out of their accounts, or having to address unauthorized messages or postings. Users may also be redirected to sites that could involve phishing attempts or some other damaging hacking effort. Denial-of-service and authorized network accounts are also possible for organizations or individuals that fall victim to hackers exploiting the vulnerability.

The Center for Internet Security reported that the most recent release of the browser will show unsecure designations on websites using HTTP rather than HTTPS (the standard Hypertext Transfer Protocol rather than its secured version). This may make users assume that state, local, tribal, or territorial (SLTT) government websites are not secure. While users are advised to follow federal and developer organization guidelines for security, the risk of the vulnerability remaining in the software is classified as high for multiple user types. More specifically, the risk levels reported by user type are:

  • ‘High’ for large and medium government and business entities
  • ‘Medium’ for small government and business entities
  • ‘Low’ for home or individual users

The vulnerability is also referred to as a cross-origin information leak specific to Blink, the rendering engine that serves as the foundation of the browser. The Center for Internet Security recommends that users:

  • Apply the stable channel update available through Google
  • Run software as a non-privileged or non-administrative user (to minimize impacts of successful attacks)
  • Ensure non-trusted links are not browsed
  • Inform all users of the vulnerability and its demands
  • Apply a Principle of Least Privilege (maximizing security and minimizing accessibility amid organizational requirements) to all systems, users, and services

Reporting on potential instances of successful hacks through this vulnerability, The Hacker News described a scenario where a user with a Facebook account could potentially have their personal information accessed and misused.

A researcher with this source made several Facebook posts, using different combinations of audiences to categorize potential victim types by personal traits categorized by the service, and confirmed the nature of the vulnerability. When a website embeds multiple Facebook posts of this type on a webpage, it loads and displays only some of them, based on matching to individual profile information.

The vulnerability allows hackers to gain access to the personal information of visitors to such pages, regardless of their privacy settings. The browser version does not have a direct way for administrators to determine if embedded posts were loaded for specific visitors, creating a security demand to check and address this.

Users can attempt to rely on Cross-Origin Resource Sharing (CORS), a security feature within the browser that blocks websites from reading content from other sites without authorization. However, because the aforementioned audio and video HTML tags do not validate the types of content retrieved from other sources or block responses with invalid Multipurpose Internet Mail Extensions (MIME) types, hackers are able to use multiple hidden tags on websites to request Facebook post information.

While the approach does not generate Facebook posts, hackers can exploit the vulnerability while using JavaScript to gauge request numbers and read the sizes of cross-origin resources to determine which posts and information sets they can get from users. Since several scripts run simultaneously, hackers can effectively data mine once they are able to generate these responses.

Hackers can potentially design sites to return different response sizes dependent on the traits of the logged-in users, and then record information from all people observed through the connections.
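Alongside patching the browser, a site that serves per-user content can refuse the kind of request described above on the server side. The following is an added example, not part of the original article: a resource isolation check built on the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) that current browsers send, which the article does not mention. The `/media/public/` prefix and the sample requests are constructed assumptions.

```python
# Destinations a browser reports when a request comes from <audio>, <video> or <track>.
MEDIA_DESTS = {"audio", "video", "track"}
# Assumed path prefix for files that other sites are allowed to embed.
PUBLIC_MEDIA_PREFIX = "/media/public/"


def isolation_decision(method, path, headers):
    """Decide whether to serve a cookie-authenticated response.

    method:  HTTP method of the request
    path:    request path, assumed to be already normalised
    headers: dict of request headers
    Returns (allow, reason).
    """
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    mode = h.get("sec-fetch-mode", "")
    dest = h.get("sec-fetch-dest", "")

    if site is None:
        return True, "no fetch metadata (older browser); rely on other controls"
    if site in ("same-origin", "same-site", "none"):
        return True, "same-site or user-initiated request"

    # Everything below is a cross-site request.
    if dest in MEDIA_DESTS:
        if path.startswith(PUBLIC_MEDIA_PREFIX):
            return True, "cross-site embed of public media"
        # A media tag on another site is pulling a per-user page: refusing it
        # means the response size never depends on who is logged in.
        return False, "cross-site media-tag load of a non-media resource"
    if mode == "navigate" and method.upper() == "GET" and dest not in ("object", "embed"):
        return True, "top-level navigation (link click)"
    return False, "cross-site subresource request"


def denied_requests(requests):
    """Return (path, reason) for every request the policy refuses."""
    denied = []
    for method, path, headers in requests:
        allow, reason = isolation_decision(method, path, headers)
        if not allow:
            denied.append((path, reason))
    return denied


def fetch_meta(site, mode, dest):
    """Build the three Fetch Metadata headers for a constructed request."""
    return {"Sec-Fetch-Site": site, "Sec-Fetch-Mode": mode, "Sec-Fetch-Dest": dest}


# Constructed requests, as a server would see them.
SAMPLE_REQUESTS = [
    ("GET", "/posts/123", fetch_meta("cross-site", "no-cors", "video")),
    ("GET", "/media/public/intro.mp4", fetch_meta("cross-site", "no-cors", "video")),
    ("GET", "/posts/123", fetch_meta("same-origin", "cors", "empty")),
    ("GET", "/posts/123", fetch_meta("cross-site", "navigate", "document")),
    ("GET", "/posts/123", {}),
    ("GET", "/api/me", fetch_meta("cross-site", "no-cors", "image")),
]

if __name__ == "__main__":
    for path, reason in denied_requests(SAMPLE_REQUESTS):
        print("DENY", path, "-", reason)
```

Requests without the headers are allowed here so that older clients keep working, which is why this check complements the browser update rather than replacing it.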

The vulnerability is similar to another recent browser issue, a related difficulty involved in cross-origin requests that allowed hackers to read Gmail and Facebook messages. The previous issue was patched in June, and although the current issue was addressed in a patch included with Chrome 68, unpatched users remain vulnerable to the described exploitations.

What’s The Bottom Line?

  • Chrome releases have been subject to audio and video HTML tag vulnerabilities.
  • Facebook and Google messages, along with personal information, are vulnerable.
  • Chrome 68 has addressed the issue; users are recommended to replace their older version with the patched version immediately.

You’ve Heard Of Smart Homes. What’s a Smart Health Care Organization?

Smart Hospital

What’s smart about a smart home? Well, you can talk to it. You can tell your phone to tell the oven to turn itself down to 200 degrees. You can tell your thermostat to drop the nighttime temperature to 68. You can start the car from the upstairs guest bathroom. And so on.

What you may not realize is that the technology behind these simple tasks is staggering. All of them wholly or partially involve the transmission of data from the oven, the thermostat, and the car across the internet, and anything involving voice recognition is likely to invoke a mainframe running in the cloud to do the voice processing. All of that takes place in an amount of time short enough for you not to notice any lag between the command and the execution.

If that’s what a smart home looks like, what does a smart healthcare organization look like?

The answer to that question involves noting that we are moving from the first generation of cloud services into the second, while most healthcare organizations are only making partial use of the first generation. And we need to take note of what the renowned consulting firm McKinsey calls the “data culture,” one which most healthcare organizations have yet to adopt.

Is Your Hospital As Smart As Your Thermostat?

The Nest Learning Thermostat is capable of learning the temperature control patterns you use and going through them even when you are away. In addition, you can control it from anywhere in the world with your phone. Simply memorizing a pattern is not very advanced. What is advanced is discovering patterns that no human suspected were even there.

A famous example was Walmart’s discovery, made by an AI system, that there was a surge in sales of strawberry Pop-Tarts whenever a hurricane was forecast in South Florida. Not cinnamon and brown sugar Pop-Tarts. Not green apple Pop-Tarts. Strawberry Pop-Tarts. Hurricanes were forecast, so the Walmart trucks loaded up with strawberry Pop-Tarts and rolled towards South Florida. Walmart’s profits inched up a little bit. Of such small fragments are large corporate incomes made.

What Does The Strawberry Pop-Tarts Story Tell Us?

To make that profit-making discovery, Walmart’s systems needed to have data available – detailed sales records broken down by ZIP code, inventory records broken down by store, and weather data – all available to the same system. This is the first lesson. Data can no longer be siloed. If patterns are to be found, the data in which they exist must at least appear as one data set.

The second lesson is like the first: For analysis, old(er) data is fine. For action, data must be real-time. It does no good if the Nest thermostat is adjusting the in-home temperature based on the outside temperature readings from six months ago.

The third lesson, somewhat less obvious than the other two, is this: To be effective, the actions taken must make a difference. The difference here was in profit. In a health care organization, it might be patient load, room occupancy, revenue stream, patient satisfaction, physician satisfaction, nurse retention, or cost reduction.

The key is linking action to some parameter that is important. Analysis for the sake of analysis is likely to be fruitless, and organizations that engage in it will be disappointed and decide that AI is not for them. And if they decide that, they are almost certain to reduce their future competitiveness, and perhaps their very survival.

How Is Cloud Evolution Affecting AI?

The cloud is rapidly evolving from a place where data is simply stored to a place where the vast majority of an organization’s data is used to create a bigger bottom line.

The advantages of a cloud for health care organizations are increased security, decreased hardware and software expenses, decreased IT staff expenses, and lack of worries about capacity in terms of processors, memory, or storage.

The big worry for healthcare organizations is the loss of control. Cloud providers are becoming more sensitive to this issue and devoting more resources to collaborating with clients in health care to increase their comfort level.

Cloud providers are also very aware that their clients are interested in using AI and are moving to capture that market. One piece of advice is not to combine a migration to the cloud with a major rollout of AI unless you know the pitfalls in advance and have made contingency plans for when things don’t work. Having competent consultants can make the difference between success and failure.

What Is Needed For AI Success?

McKinsey refers to the part of organizational culture that thinks about and uses data as the “data culture.” Its research has discovered that there are wide differences in the data culture of organizations.

Key elements are:

  • General employee awareness of data and its benefits
  • Integration of data into the organization’s day-to-day operations (as opposed to “cool stuff” that gets developed and never used)
  • Executive and board buy-in
  • The linkage of data with affirmative actions

The latter does not mean that you know what you will do with the results that AI produces before they happen. It does mean that the organization is “reality-based” and is committed to taking the actions that AI reveals as possibilities, provided they are linked to parameters that are important to the organization.

What Are The Key AI-Enabled Technologies Of Cloud 2.0?

Advanced analysis, deep learning, voice recognition, virtual agents (software that acts like humans for specific tasks), robotics, machine learning, image recognition and analysis, natural language programming, and more are all available today.

The key question is what hospitals can use them for. One obvious application is voice recognition and virtual agents for patients able to communicate, replacing the call bell in a hospital room. Instead of having an aide go to the room to answer the bell, then come back and tell the nurse what is needed, just put an Amazon Echo Dot in each room.

The hospital saves time and money while patient satisfaction improves. This is just one of a vast number of ways hospitals could use today’s advanced AI technologies to improve healthcare. The question is whether they’re ready to move into 21st century technology.

How Can I Best Protect My Business Entity From Current Hacker Potentials?

Computer Security

Improvements in technology have led to increased connectivity with improvements in security, but have also involved unique vulnerabilities and potential for hackers to access a wide range of information. Particularly problematic to businesses is the potential for a phisher to represent a part of the organization, or a supplier with a business connection to it, as they request organizational information or even funding.

What Are Current Major Risks?

Business managers and employees run the risk of being phished from their work accounts while seemingly doing normal business, only to find that they inadvertently provided company funds or information that could be used to damage the company’s systems or even their reputation. This creates new demand for organizational and network security processes and defenses, with phishing, internet-of-things (IoT) security, and general WPA2 hacking being among the greatest current threats to major organizations, small businesses, and individuals alike.

Internal phishing can lead to thousands or even millions of dollars being accidentally provided or outright stolen after critical information is inadvertently given up. An individual can create an email using some phishing technique to hide, mask, or otherwise misrepresent their actual identity while claiming to be an active member, supplier, or some other legitimate affiliate of the organization. The recipient may receive a SharePoint document link that is hyperlinked to malware capable of hacking or damaging system software, while being directed to a login screen or invoice that requests funds or sensitive information to be further misused.

Hackers have the potential to work around even the most advanced anti-phishing filters, using tactics such as reducing the triggering text to a font size of zero to avoid detection. Because of how the filters read the data, the message passes them while displaying apparently legitimate communications and requests to an organizational manager or employee.
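A mail filter can close this gap by scanning the text a reader actually sees instead of everything in the markup. The following is an added example, not from the original article: it separates zero-font-size text from visible text in an HTML message and reports watch-list terms that only appear once the hidden text is removed. The watch list and both sample messages are constructed.

```python
import re
from html.parser import HTMLParser

# Matches a font-size of exactly zero (0, 0px, 0.0em ...), not 0.8em or 10px.
ZERO_FONT = re.compile(
    r"font-size\s*:\s*(?:0+(?:\.0*)?|\.0+)(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class TextSplitter(HTMLParser):
    """Collects message text twice: as rendered, and as a naive filter reads it."""

    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hidden) for every open element
        self.visible = []      # text the reader sees
        self.everything = []   # all text nodes, hidden or not
        self.hidden_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # void elements never get an end tag, so do not track them
        style = (dict(attrs).get("style") or "").strip()
        hidden = self.stack[-1][1] if self.stack else False  # inherit from parent
        if "font-size" in style.lower():
            hidden = bool(ZERO_FONT.search(style))  # explicit size overrides
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close the nearest matching open element; tolerate sloppy nesting.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.everything.append(data)
        if self.stack and self.stack[-1][1]:
            self.hidden_chars += len(data.strip())
        else:
            self.visible.append(data)


def analyze(html, watch_terms):
    """Compare the rendered text with the raw text for split watch-list terms."""
    parser = TextSplitter()
    parser.feed(html)
    parser.close()
    visible = " ".join("".join(parser.visible).split())
    raw = " ".join("".join(parser.everything).split())
    # A term the reader sees but the raw text lacks was broken up by hidden filler.
    split_terms = [t for t in watch_terms
                   if t.lower() in visible.lower() and t.lower() not in raw.lower()]
    return {"visible": visible, "filter_view": raw,
            "hidden_chars": parser.hidden_chars,
            "split_terms": split_terms, "suspicious": bool(split_terms)}


WATCH_TERMS = ["microsoft", "password"]  # constructed watch list
# Constructed message using zero-size filler inside the trigger words.
SAMPLE_PHISH = ('<html><body><p>Your <span style="font-size:0px">xq7</span>Micro'
                '<span style="FONT-SIZE: 0">zz</span>soft 365 pass'
                '<span style="font-size:0">k</span>word expires today.</p></body></html>')
# Constructed benign message: small but non-zero font size.
SAMPLE_BENIGN = '<p style="font-size:0.9em">Microsoft invoice attached.<br>Thanks</p>'

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(body, WATCH_TERMS))
```

Zero-size text also appears in some legitimate marketing mail, so the hidden character count is reported as a signal while only split watch-list terms mark a message as suspicious.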

According to the Business Owner’s Guide to Technology, these instances have been common. The reporters cited two recent instances of tens of thousands of dollars being accidentally sent amid a phishing campaign. This campaign went beyond the fake login screen to record credentials in attempts to involve phony invoices as well. There have been cases where millions of dollars were lost through a similar approach.

Another major risk that organizations have, amid a false sense of security, is the size of their network in their maintained IoT. While it has become common for tablet devices, personal laptops, mobile phones, and other devices to be used within a business network for increased internet connectivity and email, it is also becoming more common for hackers to use their own devices to access information. This can potentially be done internally or externally, creating a demand for increased security or upgrading beyond vulnerabilities in the WPA2 security protocol. This issue follows along the lines of phishing potentials in terms of general security vulnerabilities that are the greatest threat to large businesses, small businesses, and individuals alike.

WPA2 hacking, in general, has become more effective, even as the protocol itself has been upgraded and developed; its security vulnerabilities were eventually recognized as demanding a completely new protocol, WPA3.

Inc. explained that hackers may very well have preferences for businesses, due to the probability that at least some bit of useable information can be recorded from the network. While managers and even network administrators may assume that the most recent mainstream releases of security software and protocol recommendations are enough to protect them, hackers continue to work against these, demanding that upgrades and software that have yet to become mainstream be implemented. This, therefore, demands ongoing research and dedication to optimizing network security.

What Other Specific Recommendations Are There For General Risks?

Beyond general best practices and the issues listed above, experts continue to make recommendations for the optimization of security. To optimize defenses against phishing, a combination of proactive awareness campaigns about recent threats and optimal use of available security features is all experts can recommend to avoid inadvertent user cooperation.

To optimize defenses against WPA2 hacking, if transfer to the now-available WPA3 is not possible or deemed sufficiently feasible, minimizing network accessibility to essential job functions or requirements only for all users, while maximizing all relevant security, is recommended. Multi-step user authentications can help against both phishing and hacking attempts.

Other issues are not as commonplace or severe, but are still regarded as important. Network owners are advised to watch out for privilege escalations, which hackers may use in an attempt to gain increasing access to information once they have breached the network to any extent. Maintaining control through rootkit detection is also recommended, as are methods to scan activities and ‘backdoors’ for forms of malware left by hackers who may have been able to remove their event logs before installing their own backdoor access.

As a final measure, taking extra steps to ensure that all employees are actually operating in compliance with security protocols is recommended, as many organizational managers may not even be aware of the extent of shortcuts or vulnerabilities they effectively allow for the sake of convenience. Purple Griffon is one online source that has compiled additional details regarding these potential threats and recommended protective actions.

What’s Most Important?

  • Ensuring compliance and best practices against phishing
  • Advanced anti-phishing protection (ATP) or related software
  • Network security optimization or WPA3 integration
  • Remaining current with news, research, and developments