
The Difference Between Anti-virus Software and Firewalls

Alix Postan


If you can take anything away from this post, it’s to implement both tools!

It’s a common misconception that anti-virus software and firewall software serve the same purpose; in fact, they are two different, complementary security applications that can be run simultaneously. What’s the difference?

Anti-virus software works at the “file level” – it scans files to prevent, detect and remove malware (malicious software) that is either already installed on your system or about to be installed on it. Updated anti-virus software can protect against browser hijackers, ransomware, keyloggers, backdoors, trojan horses, worms, spyware, adware and many other forms of malware. Depending on the product, it can quarantine or permanently remove files/applications, attempt to repair them, etc. It usually runs daily, weekly or ad hoc scans of the system and reports the threats found, the fixes applied, and the number of clean files scanned. Anti-virus software should be updated frequently so that it can detect new forms of malware.

Firewalls, on the other hand, act as a sieve – blocking specific data from entering or leaving a network. They are also security software, but they work at the network level or at the application level instead of the file level. Network firewalls screen traffic between two or more networks (e.g. an internal network and an external network, like the internet). Host-based firewalls provide a layer of software on a single host that controls that host’s incoming and outgoing network traffic.

Still not convinced? Check out the article 10 Signs You Should Invest in Security for more information.

For more information on ways to manage risk and vulnerabilities, check out Uzado’s Whitepaper: Risk-Based Approach to Vulnerability Remediation


Four Measures Your Organization Needs to Achieve HIPAA Compliance

David Millier


With revisions to federal legislation around the security and storage of health information in the US, many businesses are aware that they need to ensure compliance with standards mandated in the Health Insurance Portability and Accountability Act (HIPAA). But that's left many with a big question: how does my organization become HIPAA compliant?

What Is HIPAA?

HIPAA is federal legislation from 1996 that governs the security and storage of medical information in the United States. Sharing health information can be important, especially when doctors need to exchange records with hospitals or other practitioners. But this kind of information is also very sensitive, and the act is designed to keep patients and their medical records safe in the digital age.

What Does It Take to Be Compliant?

Businesses become HIPAA compliant when they follow the standards of practice set out in the law. With the passage of the Patient Protection and Affordable Care Act of 2010 and the subsequent rollout of changes to the US medical care program, there has been a renewed focus on HIPAA and its standards.

Any company that deals with protected health information must comply with HIPAA. To do so, the business must ensure that the following four kinds of measures are in place: physical security measures, network security measures, process security measures and “addressable” measures.

Physical Security Measures

Perhaps the simplest part of being HIPAA compliant is ensuring that physical security measures are in place and followed. These requirements focus on physical access to information and the workstations they're accessible from. To be compliant, you'll need to implement workstation security. This includes policies and procedures for workstation use that identify the work to be done and how it is to be done at that station, as well as protocols around the disposal of media and equipment that may have stored health information on it. Procedures addressing how to remove information from reusable media are also required.

Network Security Measures

There are five requirements in HIPAA that address networks and network access in order to provide more security for sensitive health information. To be HIPAA compliant, you must implement unique user identification to facilitate tracking, create an emergency access procedure, and implement audit controls to record and monitor the systems and workstations that collect and store electronic health information. You must also have an authentication process to ensure that someone requesting access to health information is the person they claim to be.

Process Security Measures

These administrative measures are probably the most difficult to implement—and the most important. To be compliant with HIPAA, your organization must perform risk analysis and risk management and have proper procedures in place. You must also designate HIPAA officers to monitor compliance. You must regularly audit and review use of workstations. Sanctions also need to be in place to discipline employees in breach of policy. If multiple organizations will have access to files or workstations, you need to ensure that only those who are authorized will have access to health information. You are also required to develop a contingency plan to protect sensitive health information in an emergency. You are required to evaluate your compliance and update it when necessary, and when you enter into an agreement with another business, you are responsible for ensuring that they will operate in compliance with HIPAA.

Addressable Measures

In addition to the required measures, there are also a number of items that HIPAA considers "addressable." While businesses aren't required to implement these measures to be HIPAA compliant, they provide added security for sensitive health information. These measures range from having a facility security plan to protecting your systems against malware. Businesses dealing with health information should address these items—not just to be compliant with the law, but to provide more security for patients.

To learn more on how Uzado can help your organization become HIPAA Compliant, click below to request a demo.


Cybersecurity and Health Care Don’t Mix… Said No One…

Alix Postan

1% of Health Care Organizations say they are not vulnerable to cyber-attacks.

The truth is, cybersecurity and health care should be much more intertwined. HealthCareCAN and the Canadian College of Health Leaders asked IPSOS to survey health care professionals in March 2017, after the WannaCry ransomware spread throughout 310 countries and shut down 16 hospitals in the UK. In the wake of that malware attack, Canadians wanted to know how secure their healthcare system is – hence the survey.

The United States has a protection act (the Health Insurance Portability and Accountability Act – HIPAA) which requires healthcare services to maintain a certain level of cybersecurity within their organizations. In Canada, we have PIPEDA (the Personal Information Protection and Electronic Documents Act), which applies to federally regulated organizations (i.e. banks and telecommunications companies) and private-sector organizations. According to McMillan, PIPEDA was amended in 2015 with regulations for responding to a breach or an attack; however, it still lacks preventative regulations.

According to the HealthCareCAN and the Canadian College of Health Leaders’ 2017 survey, 85% of hospital CEOs, department heads, medical directors and other senior health administrators say their organizations are vulnerable to cybersecurity attacks. 85%!! The survey found that 90% of these institutions were confident that they are prepared for natural disasters (floods, fires, ice storms, etc.) or man-made emergencies (terrorist attacks, infrastructure failures, etc.) – but not cybersecurity.

The poll also indicated that 32% of health leaders believe there’s an urgent need for the federal government to become more involved in “setting up standards, oversight and providing leadership to address cybersecurity.” That’s followed by “security monitoring/protection” (22%); “provide funding” (19%); “address IT/cybersecurity issues” (13%); “help with infrastructure” (12%); and “providing plans/strategies” (9%).

The statistics from this article are derived from GlobeNewswire.

For more information on becoming HIPAA Compliant, click here.


Can Smartphones get hacked?

Alix Postan


Simply put – yes. But… there are ways to protect against it.

**If this has happened to you, and you live in the United States, go to IdentityTheft.gov and file a report.  If you live in Canada, please go to http://www.rcmp-grc.gc.ca/scams-fraudes/id-theft-vol-eng.htm**

Some Preventative Actions for Protecting your Mobile Device:

  • Turn on Apple’s “Find My Phone” or Android’s “Find My Device”
  • Lock your phone – use at least a 6-digit passcode, fingerprint, or pattern lock
  • Use the LockBox app to protect your credit card information, passwords, PINs, etc.
  • Back up the data on your phone

By locking your phone AND using the LockBox app, you are enforcing a two-factor authentication, which makes it more difficult for hackers to gain access. The second authentication step adds an extra layer of security because it acts as an extra hurdle. A biometric password (a fingerprint, in this case), while unique to each user, is not a fail-proof password solution. Some organizations are unlikely to use biometric authentication, as storing this personal information comes at a high cost and under stricter regulations. On the other hand, hackers could still get into the system where the biometrics are stored, change them and add new ones, with the potential to gain even more access than if they were to compromise regular passwords. Fingerprints are not the only form of biometric authentication; others include voice identification (saying “Hey Siri” or “Ok, Google” to wake your virtual “personal assistant”), heartbeat monitoring and retina scans. For more information on biometric authentication, check out Madhumita Murgia’s article in The UK Telegraph.

Response Actions if You Think Your Device Has Been Breached:

  • Change the passwords for all accounts whose passwords were stored on the phone
  • Watch for notifications that a new device has attached itself to your email or accounts
  • Notify the carrier that the phone was lost or stolen, so that they can disable the SIM card (temporarily or permanently).

For more information on the Federal Trade Commission’s (FTC) guidelines for lost/stolen mobile devices, click here. The Government of Ontario also has some recommendations on how to prevent identity theft online and on mobile devices here.

Don’t forget to check out Uzado’s article on creating secure passwords here: Don’t make ‘Password’ your password.
