Tag Archives: Cyber Insurance

The IoT brings down the Internet

29 October 2016

Last Friday, a large botnet of IoT devices infected with the Mirai malware caused a significant Internet outage in the United States. This headline in MOTHERBOARD sums it up: ‘Blame the Internet of Things for Destroying the Internet Today’.

IoT devices are inherently insecure.

  • IoT devices are, for instance, very often shipped with a default password that the user is not required to change during setup. And for ease of setup, WLAN is switched on by default.
  • A software life-cycle concept, e.g. patching of critical vulnerabilities, is in general not provided. As a result, the devices remain exploitable for their entire operating life once a new critical software bug is found.

A single compromised IoT device has no significant impact on the Internet. But if attackers exploit the vulnerabilities of millions of devices and join them into a botnet, it is very likely that this will have a major impact even on well-secured critical infrastructures.

We need to save the Internet from the IoT. Strict statutory guidelines are required to prevent the collapse of critical infrastructures. Some easy-to-implement technical rules are, for example:

  • WLAN is by default off.
  • WLAN can only be activated through an out-of-band connection.
  • WLAN is activated only after the default password has been changed.
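The three rules above amount to a small provisioning state machine in the device firmware. The following is an added example that is not part of the original post: it models a device whose WLAN is off by default and can only be switched on over an out-of-band channel (a USB console or a pairing button, modelled here as the constructed channel name "oob"), and only after the factory-default password has been replaced by one that is not on a small, constructed denylist of well-known defaults. The device class, the factory credentials and the denylist are assumptions for this illustration, not vendor code.

```python
"""Provisioning gate for an IoT device (added example, not from the post).

Rule 1: WLAN is off by default.
Rule 2: WLAN can only be activated over an out-of-band channel.
Rule 3: WLAN is activated only after the default password has been changed.
"""

# Constructed: factory credential as typically burned into consumer devices.
FACTORY_PASSWORD = "admin"

# Constructed: a few credentials a device must refuse to accept as a
# "changed" password, because botnets try exactly these first.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root"}

# Constructed channel names; only "oob" counts as out-of-band.
OUT_OF_BAND = "oob"
MIN_PASSWORD_LENGTH = 12


class ProvisioningError(Exception):
    """Raised when a provisioning step violates one of the three rules."""


class IoTDevice:
    """Minimal device state: WLAN stays off until the gate is passed."""

    def __init__(self, serial):
        self.serial = serial
        self.wlan_enabled = False            # rule 1: off by default
        self._password = FACTORY_PASSWORD
        self._password_changed = False

    @staticmethod
    def _is_weak(password):
        # Reject anything short or on the denylist (compared case-insensitively).
        return (len(password) < MIN_PASSWORD_LENGTH
                or password.lower() in KNOWN_DEFAULTS)

    def set_password(self, old, new, channel):
        """Replace the admin password; allowed only out-of-band (rule 2)."""
        if channel != OUT_OF_BAND:
            raise ProvisioningError("password changes only via out-of-band channel")
        if old != self._password:
            raise ProvisioningError("current password is wrong")
        if self._is_weak(new):
            raise ProvisioningError("new password is a known default or too short")
        self._password = new
        self._password_changed = True

    def enable_wlan(self, channel):
        """Switch WLAN on; out-of-band only (rule 2) and only after the
        factory password has been replaced (rule 3)."""
        if channel != OUT_OF_BAND:
            raise ProvisioningError("WLAN can only be activated out-of-band")
        if not self._password_changed:
            raise ProvisioningError("change the factory-default password first")
        self.wlan_enabled = True
        return self.wlan_enabled


def violates(action):
    """Return True if the callable trips the provisioning gate."""
    try:
        action()
    except ProvisioningError:
        return True
    return False


def provision(device, new_password, channel=OUT_OF_BAND):
    """Happy path: change the password, then enable WLAN. Returns WLAN state."""
    device.set_password(FACTORY_PASSWORD, new_password, channel)
    return device.enable_wlan(channel)


if __name__ == "__main__":
    dev = IoTDevice("SN-0001")
    print("WLAN at boot:", dev.wlan_enabled)
    print("enable before password change blocked:",
          violates(lambda: dev.enable_wlan(OUT_OF_BAND)))
    print("keeping 'admin' blocked:",
          violates(lambda: dev.set_password("admin", "admin", OUT_OF_BAND)))
    print("change over WLAN blocked:",
          violates(lambda: dev.set_password("admin", "correct horse battery", "wlan")))
    print("WLAN after provisioning:", provision(dev, "correct horse battery"))
```

The important edge case is the second check in `set_password`: accepting a "change" that sets the password back to a factory or dictionary value would satisfy rule 3 on paper while leaving the device exactly as exposed as before.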

A security label for IoT devices is required to support consumers. The European Commission already established the basis for a security label in the ‘Cybersecurity Strategy of the European Union’, published February 6, 2013:

‘Develop industry-led standards for companies’ performance on cybersecurity and improve the information available to the public by developing security labels or kite marks helping the consumer navigate the market.’

Devices which do not comply with the basic requirements should be labeled accordingly. In addition, the vendors of such devices should be obliged to take out cyber insurance to mitigate the impact posed by insecure devices.

In ‘We Need to Save the Internet from the Internet of Things’ published on October 6, 2016 in MOTHERBOARD, Bruce Schneier states:

The IoT will remain insecure unless government steps in and fixes the problem.

Let’s start!

Have a good weekend.

Patient privacy: Can past lessons prevent future failures?

7 May 2016

Niam Yaraghi’s post ‘Patient privacy: Can past lessons prevent future failures?’, published May 5, 2016 on the Brookings TechTank blog, is absolutely worth reading. The post is a summary of the research report ‘Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches’. In this report Niam Yaraghi provides a superb root cause analysis of the data breaches in the U.S. health care industry of recent years, and some recommendations for getting a grip on the problem.

A big issue is HIPAA itself. HIPAA was enacted in 1996 and therefore falls short of addressing modern cyber security challenges. The statements of a CIO on page 18 of the report make this impressively clear:

“HIPAA reflects how nerds thought about security 20 years ago.”

“HIPAA is in complete disconnect with the realities of today’s digital technology and we cannot expect a national standard to be agile enough and be in pace with cyber technology. For example, HIPAA has nothing about malware and ransomware, intrusion detection, specific cyber incident responses, or multifactor authentications.”

It is the same old story with standards. Without regular review and adaptation, the effectiveness of a standard decreases dramatically. For that reason, ISO 27001 requires an information security risk assessment and treatment process, for which ISO 27005 provides the guidance, and requires that the assessment be repeated at planned intervals and whenever significant changes occur. This ensures that changes in external conditions, e.g. new cyber security challenges, are considered during risk assessment even if internal conditions have not changed.

The report lays out some recommendations on how to mitigate the problem.

  • The health care sector should embrace cyber insurance

This is a really interesting idea. Cyber insurance has the potential to become a game-changer, because organizations will have a direct economic incentive to reduce their premiums by reducing their risk.

  • OCR should establish a universal HIPAA certification system

To me, this sounds like reinventing the wheel. HIPAA should be developed further to meet today’s cyber security challenges, but this need not lead to a new umbrella standard.

I would propose developing a lean HIPAA standard on top of an ISO 27001 ISMS. This has the big advantage that it can be quickly adapted to meet new cyber security challenges. In addition, health care businesses can start managing risks immediately by implementing an ISMS according to ISO 27001.

Have a good weekend.