Automation in Healthcare Requires Manual Override for security

Two incidents reported yesterday from two different hospitals highlight the risk in automating health care processes and the criticality of information security.

In one of the incidents, a virus infection left three hospitals in disarray, with all routine operations and outpatient appointments cancelled. (Read the Story Here)

The virus infection affected two hospitals of the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG). Because of shared services, a third hospital, belonging to United Lincolnshire Hospitals NHS Trust (ULHT), also had to cancel operations.

Hopefully this amounts to a “Denial of Medical Services” only; unless some of the cancelled operations were time critical, the damage may be contained to some inconvenience.

But the incident highlights how a routine information security incident turns “life threatening” in a health care scenario, making information security that much more of a critical care issue.

Another incident is also of concern; it shows why human intervention should always be on standby when automation is used in health care.

This incident (See Report here) occurred during a robotic surgery at Tokyo Medical University Hospital when a laser beam being used in the surgery started a fire. The cause of the fire was, unfortunately, the passing of gas (farting) by the patient during the surgery. The gas, being flammable, was ignited by the laser beam and caused severe burns to the 30 year old woman undergoing ovarian surgery.

This fire incident may not directly be called an “Information Security Incident”, but it must be recognized that the robotic surgery system was not equipped to stop the laser beam instantly when the surrounding environment changed due to an unforeseen event.

The incident is similar to the automatic brake system of a Google car failing when a crash is imminent. It must be attributed to a failure of the safety system in the automation of the health care process.

This could eventually be considered “Negligence” of the “System”; the company manufacturing the equipment and the user (the hospital) may be held negligent as “Intermediaries” and have to bear the liabilities.

When HDPSA is drafted, it will incorporate certain aspects of the “Telemedicine Act” that was once contemplated in India and later abandoned, which had elaborate provisions for medical equipment manufacturers to be registered and monitored.

Naavi

Posted in Cyber Law | Leave a comment

Proposed HDPSA and ITA 2008 need to manage collision

The Information Technology Act 2000, which was substantially amended in 2008 (ITA 2008) and is presently under another revision, was enacted as a “Special Act” applicable to “Electronic Documents”. In view of international obligations, only the IPR regulations such as the Copyright Act were kept as overriding provisions in case of any conflict. Otherwise, wherever an “electronic document” was the subject matter of a law, ITA 2008 was considered the final law to resolve any conflict.

ITA 2000/8 generously extended its provisions to every other law and negated none of them, since Section 4 simply stated that “Wherever any law requires a document to be in writing, it can be rendered in electronic form”. Similarly, Section 5 extended the validity of a “Signature” by stating that “Wherever any law requires a document to be signed, the requirement can be fulfilled in the form of a digital signature as defined under Section 3 (later extended to electronic signature as defined under Section 3A)”.

ITA 2008 made many provisions under “Data Protection” which indirectly provided protection to “Privacy”, though there was no other legislation providing privacy protection in India. There were civil and criminal remedies and Adjudication proceedings to render justice. By defining “Health Information” as “Sensitive Personal Information”, it also prescribed that there had to be “Reasonable Security Practices” to protect the Confidentiality, Integrity and Availability of such information when Body Corporates handled it. Under the concept of “Due Diligence” under Section 79, all the known best principles of privacy protection used in international practice were made part of ITA 2008.

Now, when HDPSA is enacted with specific provisions meant to protect the privacy and security of health information, there could be several overlapping provisions between HDPSA and ITA 2008.

Ensuring that the conflicts are avoided not only in the provisions but in enforcement would be one of the prime considerations of the new law makers who draft HDPSA.

For example, “Hospitals or Health Care Providers” under HDPSA may be considered “Body Corporates under Section 43A of ITA 2008” if they are companies. But if they are “Trusts”, or a medical practitioner who is not an “association of individuals”, there could be a debate on whether they fall under the explanation to Section 43A, which states:

“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”

On the other hand, whether any of the covered entities under HDPSA are considered “Intermediaries” would also be debated.

Another point of debate: while ITA 2000/8 is restricted to electronic documents, will HDPSA be available for protecting privacy when data is breached in non-electronic form?… Will the security cover physical security of privacy documents in paper or voice form?

There will also be a debate on remedies. When things go wrong, is there a remedy under HDPSA with its own adjudicator, or is the remedy under ITA 2000/8 with the adjudicators appointed under Section 46 of ITA 2000/8?

It is therefore necessary to understand the possible areas of conflict and steer clear of collision possibilities at the drafting stage itself.

Hope the ministries will take the necessary steps.

Naavi


Bug Bounty hunter trips... and lands himself in jail

A small mistake by a “Bug Bounty” hunter, who perhaps had no intention of committing a crime, has landed him in serious trouble with law enforcement in the USA.

Mr Meetkumar Hiteshbhai Desai, evidently of Indian origin and from Maricopa, Arizona (USA), is reported to have developed an exploit demonstrating a vulnerability in iOS, which could have earned him a reward under a bug bounty program.

See Report here

Unfortunately, when he wanted to share a benign version of the exploit with his friends, meant only to display a pop-up on their phones, he actually shared a version which automatically dialled the 911 number and hung up. This resulted in a DDoS attack on the 911 system, the public emergency service (the equivalent of 100 in India).

Mr Desai has now been charged with an offence equivalent to “Cyber Terrorism”, though he can plead “No Malicious Intention”. But his negligence and the harm he might have caused will probably result in some punishment, which should be a lesson to the many who dream of becoming “Ethical Hackers”.

I sincerely hope that the US police will understand the situation and limit the punishment to some public service. Hopefully he will be careful from now on and not indulge in such irresponsible activities in future.

Naavi


It's time the private sector contributed to the security of our prisons

In a shameful security lapse by the jail authorities, eight convicted SIMI terrorists have reportedly escaped from a Bhopal prison considered one of the most secure jails, after overpowering and killing a single guard. The guard was strangled in hand-to-hand combat, not with any sophisticated weapon, which indicates how primitive the jail's security was.

See the report here

There is no doubt that the escape was made possible by corruption in the system, and hopefully the corrupt persons will be brought to book.

In the meantime, it is important for serious professionals in the Law Enforcement System to completely revamp the security systems in our jails and make such escapes impossible.

There was a time when the private sector used to hire retired policemen for its security, thinking they were good at preventing thefts and burglaries on industrial premises. Later, when industry realized that its most precious asset was “Information” rather than physical assets, it started hiring “Electronic Security Experts” to manage security; today they have risen to the rank of “CISO” and occupy a coveted post.

Even in the information security scenario, physical security is an important component, and therefore either specialized physical security staff assist the CISO or the CISOs themselves are experts in physical security as well. Since most physical security gadgets today are in fact “Electronic Devices”, a lot of “Information Security Expertise” is required even to manage “Physical Security”.

Now that the private sector has developed expertise in preventing unauthorized persons from gaining entry to secure physical premises, it is time to use this expertise in reverse, to prevent the unauthorized exit of people from the so called “Jails”.

We therefore look forward to the LEA immediately reinforcing the security of jails by appointing an expert corporate CISO and installing the various physical security gadgets that can prevent the unauthorized escape of inmates.

The first and most important security measure for high security prisoners such as terrorists is to monitor them on a 24×7 basis through a GPS collar or an implanted device which cannot be removed without raising an alarm at multiple centres with multiple security levels. These devices should be monitored at all times, even when the prisoners are sleeping, and intelligence should be built in to identify any unusual patterns of movement.

Raising the perimeter wall, implanting electronic surveillance systems like “Mines on the Walls” to monitor any attempted scaling of the walls as well as CCTV cameras are normal security measures which should anyway be in place.

The security should be built with the “Defense in Depth” concept with multiple layers separated by mantraps, turnstiles and other similar devices which make it impossible for anybody to force their way out without raising alarm.

I wish the jail authorities would go through the prison security systems available worldwide (Check here) and incorporate them in our country too. (Also check this Report)

There is no doubt that even the best secured prisons will be broken some day. But it requires that much more expertise to break techno-physical security systems, and such attempts have to come from outside hackers, whom the prison's SOC can try to tackle.

Probably this should also create a lot more job opportunities for IS persons who want to serve the nation. Many of them may take up such assignments out of love for the nation if Mr Modi makes a call.

In the meantime, I urge some corporate security teams to offer their services to secure the local prisons on a voluntary basis under Corporate Social Responsibility..... Let's see if there is a political will.

Naavi


Why Corporation Bank may face a “Denial of Service” charge

A few months back, Corporation Bank suddenly changed its account numbering system and issued new account numbers to all its customers. While doing so, it was expected that the Bank would prepare its systems to manage the transition by accepting old account numbers for a certain period, so that if any remittance was received with an old account number, the amount would be automatically credited to the new account.

This could easily have been done by maintaining a mapping database linking each old number to its new number, and by initiating a check against that database whenever a credit failed and an error was logged. Manual intervention at that stage could also have been provided for, if required.

Unfortunately, the system engineers did not plan the transition properly, and hence NEFT remittances received with the new account numbers were rejected by the system. The old numbers are still being accepted, indicating that some systems have not yet been updated.

The branch does not seem to have a clue about this error and is unable to provide a solution. The staff seem to think there could be problems in interbank remittances but not in Corporation Bank to Corporation Bank remittances.

I would like to draw the attention of the Bank to this problem, which, besides being a customer service issue, could also be looked at as a “Denial of Service” issue. If remittances are not received, businesses may not be able to conduct their regular transactions, and the ripple effect would be felt by many of the Bank's customers as well as the business associates of those customers.

It is possible that the problem lies at the switch maintained by NPCI or IDRBT, where a cache of account particulars may be rejecting the transactions because of a mismatch between the new account number and the names associated with the old account numbers.
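The transition logic described above (a mapping table from old to new numbers, consulted when a credit does not match, with a manual-review path instead of a silent rejection) can be shown in code. The following is an added example written for this page; it is not Corporation Bank's, NPCI's or IDRBT's code, and the account numbers, holder names and NEFT messages in it are constructed. It also handles the name-mismatch case mentioned just above: a credit whose number resolves but whose beneficiary name does not match the account holder is held for manual review rather than rejected outright.

```python
"""Account-number transition: accept both old and new numbers on inbound credits.

Added example, not Corporation Bank's, NPCI's or IDRBT's code. All account
numbers, names and remittances below are constructed for illustration.
"""
import logging
from dataclasses import dataclass
from typing import Optional, Tuple

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("neft-credit")

# Constructed core-banking view: new account number -> account holder name.
ACCOUNTS = {
    "NEW-2001": "ABC Traders",
    "NEW-2002": "Sunita Rao",
}

# Constructed mapping table kept for the transition window: old number -> new number.
OLD_TO_NEW = {
    "OLD-0101": "NEW-2001",
    "OLD-0102": "NEW-2002",
}


@dataclass
class NeftCredit:
    reference: str         # remitter's transaction reference
    account_no: str        # beneficiary account number as sent by the remitter
    beneficiary_name: str  # beneficiary name as sent by the remitter
    amount: int            # in paise, to avoid floating-point money


def _normalise(name: str) -> str:
    """Case- and whitespace-insensitive comparison of holder names."""
    return " ".join(name.split()).casefold()


def resolve_account(account_no: str) -> Optional[Tuple[str, str]]:
    """Return (new_number, how) or None when the number is unknown under both schemes.

    'how' is 'direct' when the new number was supplied and 'mapped' when an old
    number was translated through the transition table.
    """
    if account_no in ACCOUNTS:
        return account_no, "direct"
    mapped = OLD_TO_NEW.get(account_no)
    if mapped is not None and mapped in ACCOUNTS:
        return mapped, "mapped"
    return None


def process_credit(credit: NeftCredit) -> Tuple[str, Optional[str]]:
    """Decide what to do with an inbound NEFT credit.

    Returns (decision, account) where decision is one of:
      'credited' - posted to the resolved new account
      'hold'     - number resolved but beneficiary name does not match the
                   holder; parked for manual review instead of being rejected
      'rejected' - number unknown under both the old and the new scheme
    """
    resolved = resolve_account(credit.account_no)
    if resolved is None:
        log.warning("%s: unknown account %s, rejecting", credit.reference, credit.account_no)
        return "rejected", None
    new_no, how = resolved
    if how == "mapped":
        log.info("%s: old number %s mapped to %s", credit.reference, credit.account_no, new_no)
    if _normalise(credit.beneficiary_name) != _normalise(ACCOUNTS[new_no]):
        log.warning("%s: name mismatch on %s (%r vs %r), holding for manual review",
                    credit.reference, new_no, credit.beneficiary_name, ACCOUNTS[new_no])
        return "hold", new_no
    log.info("%s: credited %d paise to %s", credit.reference, credit.amount, new_no)
    return "credited", new_no


if __name__ == "__main__":
    # Constructed sample remittances covering every outcome.
    samples = [
        NeftCredit("N1", "NEW-2001", "ABC Traders", 150000),  # new number: credited
        NeftCredit("N2", "OLD-0102", "sunita  rao", 25000),   # old number: mapped, then credited
        NeftCredit("N3", "OLD-0101", "XYZ Traders", 10000),   # mapped, but name mismatch: hold
        NeftCredit("N4", "OLD-9999", "Nobody", 500),          # unknown under both schemes: rejected
    ]
    for s in samples:
        print(s.reference, process_credit(s))
```

The point of the `hold` outcome is that a name mismatch during a numbering transition is exactly the situation the post describes at the switch: the number may be perfectly valid, so the safe failure mode is a human check, not a bounce back to the remitter.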

I hope that the IT personnel of the Bank will be alert to this note and set things right at the earliest.

Naavi


Has Star TV created a Cyber Risk for our cricketers?

Yesterday (29th October 2016), there was an ODI cricket match between India and New Zealand in which the Indian cricketers sported new T-shirts carrying the names of their mothers on the back. So Dhoni wore a jersey reading “Devaki” and Kohli wore a jersey showing “Saroj”. The other players also wore jerseys showing their respective mothers' names, except one which, as we understand, carried a “printing error”.

Women's rights activists might have hailed the Star TV initiative as a new found empowerment of women and recognition of mothers. Apparently it was so. But for those who are aware of “Cyber Risks”, the first thing that struck us was that what we were seeing was information very close to the “mother's maiden name”, a typical parameter used for the recovery of forgotten passwords on many websites. The dates of birth of all these cricketers are already public knowledge, and that forms another critical parameter in the recovery of forgotten passwords.

With two of the forgotten-password recovery keys now available to millions of viewers, the social media accounts, and maybe some e-mail and bank accounts, of our favourite cricketers might have been placed at risk of compromise.

So far, security architects assumed there was some confidentiality in the “Mother's Maiden Name” and used it as a security parameter. This has been destroyed by the Star TV campaign, perhaps without realizing the damage done to the system.

Now all companies using the “Mother's Maiden Name” as a security parameter should drop it and use something else, such as “What is your pet's name?” or “Who is your favourite actor?” (bearing in mind that any answer a viewer could find on social media carries the same weakness). This is therefore a Y2K moment for all such companies, which must spend money to erase the “Mother's Maiden Name” from their list of security questions.

I am not sure how much this massive exercise will cost the community, all caused by some hare-brained marketing person and/or advertising agency that thought of this campaign.

If any specific incident follows this in which a financial loss occurs to any of these cricketers, they should hold Star TV responsible for the loss and claim damages. At the same time, “Due Diligence” and “Reasonable” security practices require the security community to recognize this cyber risk and change processes wherever required to eliminate this “Known Risk”.
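To make the risk concrete, here is an added example written for this page (not code from the original post, nor from Star TV or any bank or website). It contrasts a recovery flow that unlocks an account on security-question answers alone with a hardened flow in which the answers only gate the sending of a single-use one-time code over a channel the attacker does not control, with a lockout after repeated wrong answers. The user record and the “publicly known” answers are constructed and fictional, not any real person's data; the `RecoveryService` class and its method names are this example's own.

```python
"""Password recovery: security questions alone vs. questions plus an out-of-band code.

Added example, not from the original post or any real service. The user record
and the 'public' facts are constructed and fictional.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAX_ATTEMPTS = 5


def _norm(answer: str) -> str:
    """Normalise answers so 'Kamala ' and 'kamala' compare equal."""
    return " ".join(answer.split()).casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy; a salted slow KDF stops precomputation but
    # cannot add entropy to an answer that was broadcast on television.
    return hashlib.pbkdf2_hmac("sha256", _norm(answer).encode(), salt, 50_000)


class RecoveryService:
    def __init__(self, answers: Dict[str, str]):
        self.salt = secrets.token_bytes(16)
        self.hashes = {q: hash_answer(a, self.salt) for q, a in answers.items()}
        self.attempts = 0
        self.pending_code: Optional[str] = None

    def _answers_match(self, given: Dict[str, str]) -> bool:
        ok = True
        for q, stored in self.hashes.items():
            # Evaluate every question and compare in constant time, so timing
            # does not reveal which answer was wrong.
            ok &= hmac.compare_digest(hash_answer(given.get(q, ""), self.salt), stored)
        return ok

    def recover_questions_only(self, given: Dict[str, str]) -> bool:
        """The weak flow: correct answers alone unlock the account."""
        return self._answers_match(given)

    def start_recovery(self, given: Dict[str, str]) -> Optional[str]:
        """Hardened step 1: answers only gate the sending of a one-time code.
        The code is returned here instead of being sent, so the example runs offline."""
        if self.attempts >= MAX_ATTEMPTS:
            return None  # locked out; requires an out-of-band reset
        self.attempts += 1
        if not self._answers_match(given):
            return None
        self.pending_code = f"{secrets.randbelow(10**6):06d}"
        return self.pending_code

    def finish_recovery(self, code: str) -> bool:
        """Hardened step 2: the code is single-use and compared in constant time."""
        if self.pending_code is None:
            return False
        ok = hmac.compare_digest(code, self.pending_code)
        self.pending_code = None  # single use, whether or not it matched
        if ok:
            self.attempts = 0
        return ok


def demo() -> Dict[str, bool]:
    """Run both flows against answers an attacker could learn from a broadcast."""
    # Constructed, fictional user record and the matching 'public' facts.
    svc = RecoveryService({"dob": "01-01-1990", "mothers_maiden_name": "Kamala"})
    public_facts = {"dob": "01-01-1990", "mothers_maiden_name": "kamala "}
    out: Dict[str, bool] = {}

    # 1. Question-only recovery is opened by the publicly known answers.
    out["weak_flow_opened_by_public_facts"] = svc.recover_questions_only(public_facts)

    # 2. Same answers pass the hardened gate, but the attacker must guess the code.
    code = svc.start_recovery(public_facts)
    wrong_guess = "000000" if code != "000000" else "000001"
    out["hardened_blocks_guessed_code"] = not svc.finish_recovery(wrong_guess)

    # 3. The code was consumed by the failed attempt; even the real one is dead now.
    out["code_is_single_use"] = not svc.finish_recovery(code)

    # 4. The legitimate owner, who actually receives the code, gets in.
    out["owner_recovers_with_real_code"] = svc.finish_recovery(svc.start_recovery(public_facts))

    # 5. Repeated wrong answers lock the gate even for later correct answers.
    for _ in range(MAX_ATTEMPTS):
        svc.start_recovery({"dob": "x", "mothers_maiden_name": "x"})
    out["locked_out_after_too_many_attempts"] = svc.start_recovery(public_facts) is None
    return out


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The lesson the example carries beyond the post: swapping one question for another does not fix the class of problem, because every static answer can eventually become public; what holds up is making the answers a gate only, and putting the real secret in a channel (registered phone or mailbox) that a television audience cannot read.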

Naavi
