CCPL

The challenges faced by Canadian healthcare in protecting the confidentiality, integrity and availability of the health and personal data of Canadian patients is great. But so too is the job of ensuring that healthcare IT systems and other critical infrastructure remains available to treat patients in today's IT-centric health delivery model, where system outages possibly as the result of a cyber attack, can mean life or death for a patient.

This was the subject of a workshop today at the 2017 Canadian Conference on Physician Leadership in Vancouver, BC, where many of Canada's top Physicians and Chief Medical Officers met to discuss many of the challenges and concerns facing the industry.

Participants learned not just about some of the cyber threats and risks being faced by healthcare in Canada and world wide, but also about some of the successes of other health providers to put in place effective, holistic security controls to block attacks and to protect personal health information, clinical research and other intellectual property from compromise.

As the leader of these workshops, I would like to extend my sincere thanks to everyone who attended and contributed to the debate. Canadian healthcare took a giant step forward today in recognizing, not just how much the industry needs to catch up with the better funded banks and other financial institutions, but also in understanding that cybersecurity is a business risk in which clinicians play a critical and leading part in helping to secure vital IT systems from attack.

A copy of the deck presented today can be downloaded here.

A Slippery Slope?

Like many cybersecurity professionals, I was somewhat pleased to finally read about the sentencing of convicted Russian cybercriminal Roman Seleznev to 27 years imprisonment by a US court. While this sets a new precedent in the sentences handed out to cybercriminals, many of whom have cost banks and retailers billions of Dollars, Pounds and Euros in losses, and forced other businesses to close shop entirely, the case raises some interesting legal, moral and political questions.

Namely, should it be the role of the United States judiciary to police the Internet and prosecute perpetrators of cybercrime, many of whom, reside in parts of the world outside of accepted standards of functional law enforcement. And if so, what lengths should be considered internationally acceptable for US law enforcement to go to, in order to capture, or apprehend individuals for future prosecution, when those individuals are discovered in, or transiting through, other countries, with whom the United States has no extradition treaty?

This was plainly the case in the apprehension of Seleznev who was vacationing with his family in the Maldives – a country with no extradition treaty with the United States. Yet, he was detained, handed over to US law enforcement officials, who then took him against his will to Guam, and onto Washington State where he was charged under US law for his crimes in the United States having never (as far as we know) even visited the country. Essentially, this is a non-US citizen, kidnapped by US law enforcement officials, in a neutral third country, and forcibly extradited without warrant to the United States to face charges in that country.

Don’t get me wrong, I’m all for the arrest of cyber criminals and the imposition of long deterrent sentences to keep them off the cyber streets, as well as to send a message to other (young) wannabes that cybercrime doesn’t pay. My concern is one of the basic rule of international law and whether this could one day back-fire against the United States.

I’m no lawyer but if due process was ignored in the apprehension of this individual then he’ll be out of jail on a technicality very quickly when this goes to appeal. If the intent was to use Saleznev as a bargaining chip with the Russians, then that raises a whole different set of questions, and this entire case moves more towards a political abduction scenario.

While Seleznev, the son of an influential Russian politician, was plainly protected in Russia from prosecution by the country’s barely functioning legal system, by his father’s close friendship with Vladimir Putin and contacts at the FSB, does the United States have a moral, ethical or legal right to enforce its laws half the way around the globe in countries where it has no legal jurisdiction, and against citizens of other nations? Does the United States regard itself as the Internet judge, jury and executioner for electronic crimes?

Few would dispute the morality of the lengths undertaken to bring to justice a mass-murderer like Osama Bin Laden by the US military, but does this morality extend to perpetrators of financial crimes, and, if so, where do we draw the line?

Jeff Fridges raised some interesting questions in his comments to Brian Krebs story of the sentencing of Roman Seleznev and while Jeff’s comments might be considered somewhat unlikely by many, let's not forget that we have seen these kind of event-chains in the past. No one expected the Spanish Inquisition, and few predicted the rise of the Nazis, Kim Il Sung, Mao Tse Tung, or Stalin.

[quote]
I’m bothered that the US apparently feels it has jurisdiction over the entire Internet, and can arrest anyone ‘anywhere in the world’ who violates ‘US law’ online.

Sure, this guy was a crook … but what about the next guy?

Consider this scenario. Street violence by right-wing militias in the US gets worse over April and May. Early in June, someone caps Trump. Pence becomes President and at the same time the assassination spurs a huge mobilization of Trump’s right-wing base. By the time everyone’s heads have stopped spinning, it’s martial law, draconian new legislation is being passed by the Republican congress (dominated by Tea Party evangelicals) and rubber-stamped by Pence. A Supreme Court stacked with ultraconservative Christian judges (Gorsuch, et al) looks the other way as the Constitution is put to the torch. Trade unionists and Muslims are rounded up and “disappeared” or deported, after which a purge of Hispanics begins — later it will be the Jews, though until the new forces have cemented their power thoroughly they and their powerful lobby and bankster friends will be left alone or even, for a while, convinced that “this time won’t be like the last time” for them.

By December the US is a de-facto fundamentalist Christian theocracy. Free speech is outlawed. Non-Christian religions, the teaching of evolution or climate change, p0rn, etc. are all outlawed.

And the US continues to act as if its borders contain the entire Internet.

Now someone in Cambodia blogs about climate change, or a European scientist publishes online a paper about evolutionary biology. Plenty of websites exist for mosques, synagogues, Buddhist temples, etc., run out of various corners of the world. And of course the net is awash in p0rn.

Do the proprietors of all of these websites start getting rounded up and renditioned, “extradited”? After all, though they’re not inside US borders, what they are doing is illegal under US law and they are doing it online …

Now are you worried?
[end quote]

Regardless of who’s in the US White House (or Mar-a-Lago) and lets face it, Washington is a revolving door every few years, the questions that Jeff raises, and the scenario he paints, needs further discussion rather than simple dismissal as being radical or highly unlikely.

While the United States with its overwhelmingly superior military might, has been the global policeman for many years, is this a role that the US intends to formally expand to the policing of the Internet, and is this a conscious decision as agreed by elected leaders and set in policy and law, or one brought about by the independent actions of US law enforcement officials frustrated at the failure, or lack of functional legal systems in other parts of the world. Legal systems rife with corruption, where cyber criminals can “live big” and publicly boast about their activities, ... till now safe in the knowledge that the right people have been paid off, and that they are immune from prosecution?

Did the United States make a conscious decision to go to war and militarily occupy South Vietnam, or was it a political slippery slope driven by a succession of events and decisions from which it became increasingly difficult to turn back?

“Those who don't know history are doomed to repeat it.”
- Edmund Burke

Perhaps an examination of historical events is necessary to attempt to understand where this action could lead, and if it is the right type of action to address the policing of the Internet globally.


Securing Medical Devices - The Need for a Different Approach - Part 2



This is a two-part story. The first part can be read here.

I recently met with the CIO and CISO of a large US healthcare system to chat about how the system was going about securing its 350,000 network attached medical devices. They were busy assessing and profiling all of the disparate devices from a multitude of different vendors that the pre-merger, independent hospitals had purchased over the past twenty years or so. The Health System had multiple teams of third party vendors from many of the big names in bio-engineering, working with its own IT team to review configurations, firmware and OS/ application versions, and to make updates where necessary in order to improve the security posture of these devices.

The CIO however was greatly concerned by the number and churn in these devices – given warranty replacement units and new devices arriving at hospitals seemingly on a weekly basis. He was concerned whether they would ever be able to get in front of their hardening project, and whether reconfiguration and lock-down would ever really secure these network attached systems at the end of the day.

After listening carefully to his plan and all the activities he and his CISO had sanctioned, I suggested cautiously, that perhaps the health system was on the wrong path. My argument was that they would never be able to keep up with and manage 350,000 disparate biomedical devices, growing by twenty percent per annum, using a strategy essentially designed to manage PCs and workstations. One where domain level tools could be used to patch and configure the vast majority of endpoints. The manpower requirements alone I suggested, would consume his entire IT team’s bandwidth and budget at some point, if not very soon.

I suggested that he abandon entirely all thoughts of securing individual endpoints by locally hardening devices, and by disabling services like TFTP, FTP, TelNet and SSH, that many of his medical devices had left the factory with enabled, and instead look at other control points to secure those devices (compensating security controls) that would enable much higher levels of automation, and reduce the margin for human error that a manual process would inevitably lead to.

I suggested that he use his network as the control point rather than attempt to manage so many individual endpoints. By enabling TrustSec - a built-in access system in his newer Cisco switches and routers, he could lock down each endpoint device whether wired or wirelessly attached to the network, and control in a uniformed manner, which ports and protocols each device could communicate on, which users could administer each device, and which other devices each medical device could communicate with, i.e. specifically authorized canister, gateway or clinical information systems only…. and nothing else!

By employing ISE (Cisco Identity Services Engine) to set access policy, which would then be enforced by TrustSec, (something that was already being used to manage guest wireless access), the health system could create uniform enterprise policy implementation across all sites and locations, and avoid the need for possibly hundreds of firewall engineers to write and update access control lists in switches, routers, and firewalls. What’s more, rules written in ISE could be written in easy-to-understand business language, rather than complex access control syntax for direct entry into infrastructure devices by firewall and network engineers.

Furthermore ISE could be used to profile each of model of medical device, such that a profile could be developed and assigned once for each model, and applied globally across the entire enterprise of 350,000+ medical devices, thus automating security for the almost un-securable!

I continued, “What’s more, the same profile you assign to a medical device in one hospital, is used for a similar device in another hospital so long as its all part of the same ISE domain. Thus you can more effectively manage your medical device asset inventory across hospitals, by assigning medical devices when and where needed rather than to tie up money in unused assets in each location.”

“In other words” I explained, “Using ISE and TrustSec, you can provide your users with dynamic segmentation capabilities such that you can take a medical device (or truck load of medical devices) from one site to another site in need of those devices, (for perhaps local disaster management), and have those devices immediately recognized by the network and assigned the right access permissions as soon as they are plugged in or otherwise connected to the network. No need to engage a firewall or network engineer to add MAC addresses to an ACL (access control list) at 2am in the morning – just plug it in and it will work!”

Essentially you will have an enterprise-wide dynamic automated user and device access system, that is enterprise policy-driven in easy to understand language (versus firewall and switch syntax), that will actually save your biomed team money because they can run a minimal asset inventory across the entire health system. What’s more, in so doing, you are actually securing the un-securable and protecting medical devices from attack, as well as protecting the main hospital business network from being attacked from an easily compromised medical device.

A large number of leading US healthcare delivery organizations are already using ISE and TrustSec to secure their medical devices, research and intellectual property, PHI, PII and other confidential information, by security segmentation of their networks and IT systems. Many are working towards micro-segmentation at the individual device level. Many more are using the same segmentation approach and technology to isolate their PCI payment systems, their guest and contractor network access, and for network access quarantine to perform posture assessments on laptops and mobile devices re-attaching to the network after being used to treat patients in the community.

For more information on this approach, read Cisco’s Segmentation Framework and the Software-Defined Segmentation Design Guide.

For information about how Cisco’s Security Advisory Services can to assist you to design secure segmentation in your environment, please review Cisco's Security Segmentation Service or contact your Cisco sales team.


This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Securing Medical Devices - The Need for a Different Approach - Part 1



It’s hard not to notice a growing collection of medical devices whenever you visit a hospital or clinic. They surround today’s medical bed, almost like a warm scarf around a bare neck on a cold winter’s day. If they weren’t there you would wonder why. They provide all kinds of patient telemetry back to the nurses station: O2 sat levels, pulse rate, blood pressure, etc. They provide automatic and regular administration of medication via pumps and drips and oxygen dispensers. The medical bed itself tracks patient location across the hospital as the patient is wheeled to and from the OR, imaging or other specialties.

What is not recognized however, is that the number of medical devices employed in the delivery of care to patients is currently growing at almost twenty percent per annum globally. What's more, this growth rate is increasing. For the BioMed staff that has historically been responsible for managing them, it’s an almost impossible task. One that gets more difficult by the day as more and more devices are plugged in or wirelessly connected to the network.

The problem as far as risk is concerned, is not just the growth of these standalone devices and the difficulty managing so many, but the fact that these systems, many of which are critical to patient well-being, by and large have ALMOST NO BUILT-IN SECURITY CAPABILITY. Nor can they be secured by standard compute endpoint tools like anti-virus / anti-malware. They are a huge vulnerability, not only to themselves, but also to everything else attached to the network on one side of the device, and the patient on the other side.

Standalone medical devices are designed, built and FDA approved to perform a very narrow and specific function, and to do so reliably for long continuous periods of operation - unlike a Windows PC, which sometimes appears to have been designed to work for a month more than its manufacture warranty! Medical devices tend to stop working when subjected to things outside of their design parameters. Things like multicast network traffic caused by worms, viruses and other malware. Things like ICMP, NMAP and other network traffic used to illuminate, query, or profile devices perhaps by attackers. What’s more, medical devices are rarely retired and withdrawn from service, which means many hospitals are still using devices designed and built twenty years ago – at a time when Windows 95 had just been released and most of us weren’t even on the ‘World Wide Web’ as we called it then! How could they POSSIBLY be secured and prepared to defend against the types of cyber attack we see today?

Many standalone medical devices leave the manufacturing plant with all kinds of security vulnerabilities – many open TCP/UDP ports, and numerous by default enabled protocols like TFTP, FTP, Telnet, etc. - many of which are highly vulnerable to attack. Several popular medical pumps have been exposed in the past year for the ease at which they could be hacked and taken over by an attacker. If one of these pumps were employed to administer at a gradual and regular level, for example, pain medication such as morphine or perhaps insulin to a patient, what damage would be inflicted upon that patient if the pump was hacked and told to administer its entire medication all at once?

While older standalone medical devices were built to run on obscure, custom, often hardened UNIX operating systems, or even eProm, many of today’s mass-produced, quick-to-market commercial devices run on Windows 9 Embedded – nothing more than a cut-down version of the hugely vulnerable and highly insecure Windows XP operating system.

Windows Embedded is subject to many of the same vulnerabilities and freely available exploits as the regular Windows XP operating system. A targeted attack against modern medical devices is thus relatively easy given a mass of known and proven exploits. Yet we continue to attach insecure, unprotected pumps and all kinds of other devices with the potential to do damage to patients, knowing that at any time a nefarious hacker or almost innocent intruder could turn the device into an execution tool.

Just because it hasn’t happened yet, doesn’t mean to say that it won’t happen today… or perhaps tomorrow!

Part 2 of this blog will be published tomorrow.


This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Who’d want to be a CISO?


Lets face it, being a CISO (Chief Information Security Officer) is no bed of roses. The ultimate responsibility for protecting the organization against a rising tide of hackers and state sponsored cyber spies intent on breaking in and stealing information rests firmly on the CISO’s broad shoulders. Being the CISO in most companies today usually means being starved of resources for additional headcount, tools, and services, while you spend each and every day with your back against a wall! And did I say every day? Being a CISO is not a nine-to-five job. You need to keep your wits about you during the dark hours when your boss and most of the Executive Leadership Team (ELT) are out for dinner or sleeping soundly in their beds. The ‘witching hours’ are between 7pm and 7am and at weekends when cyber criminals know all too well that the fort is unmanned and they can usually get away with whatever they want – largely unnoticed.

7pm US Eastern Time, is breakfast time in Beijing and Shanghai where many of China’s best cyberspies work. The Peoples’ Republic of China (PRC) has invested in vast campuses full of specialized Peoples’ Liberation Army units, whose role is to attack foreign organizations and steal not just defense secrets, but also commercial secrets that may help Chinese companies to catch up with and surpass their western counterparts. Despite an agreement between President Xi and President Obama in 2015, the dashboards of western Security Operations Centers stay lit with the Chinese IP addresses of active attackers every day and every night. According to a former FBI Special Agent, “China's corporate cyber-espionage apparatus is too big and too effective to shut down". "The genie is out of the bottle" he concludes.

7pm US Eastern Time marks 2am in Moscow when club revelers call it a night and return to their flats amongst the sprawling public housing projects. While they have been out clubbing, their neighbors have been busy testing the cyber defenses of their latest targets. The Hackers here are more ‘freelancers for hire’ working on occasions for the government, the FSB or perhaps for a favor for someone well connected, but just as equally for themselves, paid by the job or paid by results. Entrepreneurial and opportunistic, these are the ‘shadow–dwellers’ who prey upon the weak and unprotected with phishing campaigns, malware, and much, much worse – anything that could generate them income, today, tomorrow, or next month.

The Russians and Chinese are not alone, they are just the largest adversaries by volume on the CISO’s situational threat board. It’s fair to say that in a global economy, the threats don’t just come out at night, it’s just that the attacks seem scarier when everyone else has gone home for the night and its dark outside!

The CISO has to be aware of not just the constant attacks against his or her network, or the spear phishing campaigns against users attempting to get them to unwittingly reveal secrets, or to click on a link that will deposit a dropper or other malware on their company computer. It’s a continuum of threats and risks that the CISO and his team have to defend and protect against. And when something goes wrong and some nefarious bot or person gets by the paper defenses? It’s the CISO who takes the fall, and takes responsibility for everything that went wrong leading to the breach – lax controls, inadequate staff for 24 by 7 operations coverage, no budget for user security awareness training, a mish-mash of out of date security products and applications, and the CIO or CFOs decision to select a proposal from a less-expensive implementation vendor who undercut the experts who actually knew what they were doing!

Decisions are often made by those above the CISO, safe in the knowledge that they have a ‘fall guy’. No wonder so many CISOs start updating their resumes, the day they start a new job! It’s a thankless job - a very, very stressful job, and if it were paid by the hour rather than salaried, CEOs might just begin to understand the level of expertise required and work involved to secure a company from dynamically changing cyber threats.

Despite the challenges of the job, the role of the CISO attracts some of today's brightest and the best corporate executives - those able to understand, protect and promote the success of the business, and able to negotiate the boardroom and ELT politics, yet at the same time understand the intricate complexities of risk, security, privacy and compliance and the associated technologies used to monitor, measure and protect the business from cyber attack.

It takes a unique and broad set of skills to be a successful CISO, but it also takes a certain kind of person, one that doesn't give up easily and can get back up after being knocked down. Vision, passion, dedication, perseverance and sheer tenacity are key traits that usually come to mind for the job. The role of CISO is changing however, from a deeply technical role implementing tools within IT, to an executive role managing and reporting enterprise security risks to the ELT and the Board.

Retaining top CISO talent in a highly competitive landscape where demand massively outstrips supply is becoming an increasing problem however. CISO salaries have risen sharply over the past two years and the trend is showing no signs of slowing down. In fact CISOs in the big US cities can make in excess of $350,000 to $420,000 based upon studies by SilverBull and by Healthcare IT News. CISOs are increasingly being asked to present directly to the board on an ongoing basis, and IDC predicts that “by 2018, fully 75% of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, rather than the CIO” which has been the norm till now.

With over one million open cybersecurity jobs, and average CISO salaries in sharp ascent, its clear that effective CISO’s are desperately needed and will continue to be a challenge to attract and retain.

SecurityCurrent Average CISO Salary Report, prnewswire.com

This blog is also published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Unsecured Endpoints in the Hospital Environment


Unsecured Endpoints in the Hospital Environment - Securing IOT and Medical Devices

Medical devices are growing by an estimated 20% per annum the world over, as are other IOT devices that control critical infrastructure in our hospitals. Yet, most cannot be secured by traditional endpoint computer means due to a combination of device limitation and regulation. Nor can most be patched and updated against known security vulnerabilities. At the same time, formerly isolated networks have converged to support digital transformation of healthcare, thus increasing risks exponentially for both the clinical business and biomedical networks used to treat patients.

How then do we go about "securing the un-securable" using the tools at our disposal to protect patients, their data and hospital systems from attack and ransom?

This is the subject of a recent presentation given to the HIMSS Healthcare Cybersecurity Community by Richard Staynings, (Cisco’s Cybersecurity Leader for the Healthcare Life Sciences Industry), and Craig Williams, Technical Outreach Leader at Cisco Talos.

In their presentation, Richard and Craig discuss what the future may hold for targeted attacks against hospital IOT and medical devices, and what healthcare technology and security leaders should consider doing to protect them.



Watch the recording here.

View the slides here.

BC Aware


The 'BC Aware Privacy and Security in Healthcare Conference' took place today at the Vancouver General Hospital in Vancouver, Canada. Richard Staynings, Cisco's Global Cybersecurity Leader for the Healthcare Industry kicked off the conference sharing trends and industry intelligence along with recent innovations to aid in securing hospitals, universities and standalone clinical research establishments.

Richard was joined by Drew McArthur, Information and Privacy Commissioner for British Columbia and by Oliver Gruter-Andrew, Chief Information Officer for Provincial Health Services Authority, Providence Health Care and Vancouver Coastal Health.


Presentations and discussion centered around the need for improved privacy and security across all aspects of healthcare, improved regulation and enforcement of privacy laws, and the need for holistic security, to include IoT and medical devices in hospitals and medical centers.

Oliver Gruter-Andrew and Richard Staynings conduct a Q&A at the BC Aware Privacy and Security Conference




2017 Annual Cybersecuritry Report


The 2017 Annual Security Report is released today. This is the tenth year of the report which delivers analysis on the evolving threats and trends from 2016, insights from a survey of more than 2,900 security professionals worldwide, as well as guidance on how to be more secure in 2017 and beyond.

The report investigates the impact a breach can have on businesses - operational disruption, lost customers, missed opportunity, a hit to brand reputation, and in some cases, declining revenue.

The report also highlights the fact that malicious actors are taking advantage of expanding attack surfaces and evolving tactics to keep their windows of opportunity open so as to maximize their attacks.

Read or download the full report:


David Ulevitch, head of Cisco’s Security Business Group, and John Stewart, Cisco's Chief Security and Trust Officer, share report highlights from the 2017 Cisco Annual Cybersecurity Report in this video.

Digital Value in the Healthcare Industry


With Effective Security, Healthcare Organizations Can Take Advantage of Opportunities to Enable Innovation and Growth with Greater Speed, Efficiency, and Agility

To address the global shortage of pediatric specialists in many rural areas and around the world, the Lucile Packard Children’s Hospital enables remote clinical interactions for pediatric care. Using high-quality video conferencing, network-connected medical devices, and a virtual patient network, clinical data, patients, doctors and specialists are now connecting to offer better care to children. The University of Virginia Center for Telehealth is also accelerating healthcare delivery, increasing access to specialty services, and providing training to physicians. From Spanish tele-interpretation services to video consultations and virtual meetings, the center is optimizing patient care while increasing productivity for UVA’s healthcare workers.

These are just a couple of examples of how the healthcare industry is embracing digital transformation. In fact, Forrester’s Global Business Technographics Business and Technology Services Survey, 2015 found that 53% of healthcare organization respondents are currently undergoing a digital transformation – more than any other sector – while 26% are exploring such an initiative. These organizations realize that while digitization is disruptive, it also provides enormous opportunity to drive value, including improving patient experience and reducing operational costs. Let’s take a closer look at five of the trends in healthcare that are motivating digital transformation.

1. Rising healthcare costs are driving digital transformation but leaving the healthcare industry struggling to keep pace with security risk. Recognizing this gap, bad actors increasingly set their sights on healthcare providers. For years healthcare has lagged other industries in security investments; in tools, technologies and specialized security staff making the industry an easy target. With demand for security professionals outstripping supply by a factor of 12 to 1, healthcare faces a daunting challenge to hire and retain the quality security talent it needs to defend against attacks. What’s more, healthcare information is extremely lucrative for hackers, fetching 10 times more than credit card information on the black market. Patient records can command such a return as they include not just financial information but personally identifiable information as well as insurance and prescription information. Medical records are also highly prized because that data is valid for life and compromises are more difficult to detect. Just to put this in context—in contrast, banks have sophisticated controls in place to identify unusual activity in bank accounts and to quickly detect and cancel stolen credit cards. The healthcare industry is well aware of the significant financial and reputational costs when patient records are breached. The industry is also waking up to the increased risk to patient safety; a DDoS or ransomware attack can restrict access to clinical information systems that are essential to render care.

2. Electronic health records are another driver of digital transformation. The meaningful use and exchange of information for more efficient and accurate diagnosis is requiring healthcare providers to digitize patient information and improve interoperability of digital health systems. Hospitals are being encouraged by the government to integrate discrete, standalone systems to enable the sharing of information between different providers and, ultimately, improve quality of care and patient outcomes.

3. Administrative operational systems and standalone clinical treatment systems must also talk to each other to help streamline operations and improve patient care, particularly as new reimbursement models emerge. Better collaboration and communication across the organization, improves workflow so clinicians and administrators can share data and gain efficiencies while maintaining quality care.

4. New service delivery models from telehealth and telemedicine to the emergence of robotic surgery are also driving digital transformation. Multi-gigabit, highly resilient medical-grade networks are required to support the next level of services that not only improve the patient experience and outcomes, but also offer more cost-effective and efficient care for patients in remote locations, or for those who are home-bound.

5. Medical devices are becoming more pervasive and essential for the reliable, affordable delivery of quality care. Spurred by innovation, an aging population, and extended life expectancies, the worldwide market for medical devices such as heart monitors, morphine and insulin pumps, to deliver care, and CT scanners, X-ray and MRI machines for diagnosis, is expected to grow 25% by 2020 according to the 2016 International Trade Association Medical Devices Top Markets Report.

The healthcare industry has a lot to gain by digital transformation. However it also has a lot to lose if it doesn’t start with security as a foundation. Instead of being bolted on as an afterthought and getting in the way of rendering care, it has to be built into processes and workflows making it seamless for clinicians, administrators, and patients. Without the appropriate security controls and expertise in place, healthcare organizations risk breaches that require directing funds to fines, restitution, and punitive damages that could put some institutions out of business, leading to further declines in patient care. Patient confidence and trust could also erode, leading some patients to not be honest with their caregivers or even avoid seeking treatment.

With effective security, the healthcare industry can take advantage of new opportunities to enable innovation and growth with greater speed, efficiency, and agility. Hospitals can reduce operational costs, adopt new service delivery models, improve the quality and efficiency of care, decrease inpatient volume, and shift to new reimbursement models. At the same time, patients and their families benefit from a better experience and better outcomes. By starting the journey with an approach that puts security first, the prognosis for digital value in the healthcare industry is extremely positive.


This article was co-authored with Ashley Arbuckle, VP of Security Services at Cisco and was also published by Security Week.

Australian Healthcare Highly at Risk


Just learned that my interview with Nick Whigham at Australia's www.news.co.au has gone viral. The interview which was published last week, talks about the general state of security surrounding the Australian Healthcare industry and is based upon two weeks of workshops and other meetings I ran across the country in November with Senior Healthcare Executives.

The full article can be found here


Turning Cybersecurity into a Strategic Advantage

Most C-suite leaders think about cybersecurity as a way to stop threats. But in today’s intensely competitive digital economy they should be thinking about cybersecurity as a strategic advantage that not only protects business value, but enables new business value.

The prevailing focus on threats to protect business value isn’t surprising. Modern digital businesses go beyond traditional walls and spawn new attack vectors in today’s dynamic threat landscape. Businesses face a cybercrime wave that is increasing in intensity and sophistication. According to a recent article in Forbes, “Corporate and home computers have been hit with an average of 4,000 ransomware attacks every day this year, a 300% increase over 2015,” citing United States Department of Justice sources.

While we must continue to work diligently to protect valuable data and assets, to achieve growth, the biggest opportunity comes when we make cybersecurity a foundational component of our digital strategies. One of the biggest downsides to cybersecurity weakness is how it inhibits innovation. In fact, 71% of respondents in a Cisco survey said cybersecurity risks and threats hinder innovation in their organization.

Organizations that have any doubt about their cybersecurity capabilities delay important digital initiatives and risk falling behind the competition tomorrow.

As Mike Dahn, head of data security and industry relations at Square, Inc., put it in this Cybersecurity as a Growth Advantage report, “I think it’s really important that we stop thinking about security as a defense-centric approach that is sold by fear, uncertainty, and doubt. We need to start thinking of it as an enabler that supports innovation … and helps the business go forward.”

You know your organization is well-positioned to move forward when:
  1. You recognize that cybersecurity concerns can hold back innovation and hinder growth. While cybersecurity concerns can hinder the development of new digital business models and driving innovation, smart organizations realize they must move forward, or be left behind by digital disruptors and other agile competitors.

  2. As a business leader, you are much more engaged in cybersecurity issues than your typical peers. Sixty-six percent of Boards do not believe they are properly secured against cyber-attacks. (Source: Cybersecurity in the Boardroom, Veracode 2015). And, the Board, the CEO, and other key stakeholders likely hold you responsible for cybersecurity issues, even if you don’t hold an IT or technical role. That’s because the success of digital programs that are shaping the future of the business, is predicated upon strong security practices. As business leaders develop digital initiatives they proactively collaborate with IT to ensure that security is included in plans from the earliest stages.

  3. You believe your organization is prepared to address cybersecurity challenges in three key digital capabilities – Big data/analytics, cloud computing, and the Internet of Things (IoT). These capabilities are critical to digital growth strategies that depend on connectivity. The level of confidence you have in incorporating these digital technologies into your business processes and offerings allows you to accelerate innovation and time-to-market and capture a greater share of digital value at stake.
The digital era is here. Those who embrace it will have a competitive edge, but not without a secure foundation that allows innovation with speed and confidence.

Take time during this year’s Cyber Security Awareness Month to evaluate how you can turn cybersecurity into a strategic advantage. If you are not sure where to start, our Security advisors can help. If you are already on your way to a digital transformation, we can help you assess your readiness and work with you to design and implement a secure digitization strategy.



Guest Blog - written by my colleague and good friend, Ashley Arbuckle.  Ashley is Vice President of Cisco Security Services.  This blog is also published here.

Insiders: The often forgotten threat


Insider threats are of particular concern to organisations, as the impact of a rogue insider can be catastrophic to the business. The 2016 Verizon Data Breach Investigations Report showed that 15% of data breaches were a direct result of insider deliberate or malicious behaviour. Given that it is not likely that all insider breaches are discovered and/or reported, this number may well be under represented in Verizon’s statistics. In addition, insiders often have legitimate access to very sensitive information, so it is no wonder that it is difficult to detect these breaches. Regardless, they can negatively impact the business in a big way, and must not be overlooked.

As I speak to a lot of customers about this, I see views of insider threats vary considerably by industry vertical. For example, financial services and gaming companies see financial objectives as the main motivator; manufacturing/high technology/biotech see intellectual property theft as their biggest concern; and personal services store and process large amounts of personally identifiable information, which they must protect from insider theft. The unique challenge faced is that insiders are often more difficult to identify behaving maliciously as they are often misusing their legitimate access for inappropriate objectives such as fraud or data theft.

Strong user access policies are a key building block to a good insider threat management strategy. Regular review of user access rights, along with job rotation, mandatory leave, separation of duties, and prompt removal of access rights for departing employees have been the core of managing insider risk for many years. Once you have these key components in place it's time to go to the next level.

As with everything in security there is no single answer, and frankly you should question anyone that tells you they can fix all of your security problems with one service. To reduce the risk of the insider threat, I would suggest the following strategy:

1. Classify your Sensitive Data.

This is the most critical step and often difficult as this requires the technology team and the business to align in order to classify what data is sensitive and to ensure there is consistency in the classification strategy. Remember to not boil the ocean; this step should focus solely on identifying sensitive data that could effect the business should it be stolen. Carnegie Mellon University has a good example that can be adapted to most organisations.

2. Implement a Protection Plan

a. Instrument the network....

so you can detect atypical accesses to your data. To validate if your instrumentation is setup correctly, you should be able to answer the following questions:

  • Have new users started accessing sensitive data?
  • Have your authorised users accessed more sensitive data than usual?
  • Have your authorised users accessed different groups of sensitive data more than before?
Many fraud management professionals would recognise these questions as lead indicators of possible fraudulent activity, and astute HR professionals would recognise these as possible lead indicators of an employee about to leave the business. Both of these scenarios are very typical lead indicators of insider data loss. You should try to make use of fraud management and HR personnel to assist you in determining what to look for and actions you can/should take when you detect a possible insider incident.

Data flow analytics may also assist from the technical side as well. Cisco Stealthwatch uses NetFlow to build profiles of expected behaviour for every host on the network. When activity falls significantly outside of expected thresholds, an alarm is triggered for suspicious behaviour. Data hording is one typical use case where data flow analytics detects anomalous behaviours. For example, if a user in marketing usually only accesses a few megabytes of network resources a day but suddenly starts collecting gigabytes of proprietary engineering data in a few hours, they could be hoarding data in preparation for exfiltration. Whether the activity is the result of compromised credentials or insider threat activity, the security team is now aware of the suspicious behaviour and can take steps to mitigate it before that data makes it out of the network. 

b. Data Loss Prevention software...

or DLP as it is more commonly known, is software that monitors data flows much like an IPS as well as monitoring data usage at the endpoint. Network DLP uses signatures like an IPS, but the signatures are typically keywords in documents or data patterns that can identify sensitive data. Endpoint DLP can be used to control data flow between applications, outside of the network and to physical devices. This becomes especially important if there are concerns about sending data to external data storage systems (Google Drive, Box, SkyDrive etc.) or to USB attached storage. DLP can control access to all of these systems, but it is a matter of policy and vigilance as new capabilities are released at the endpoint.

There is a lot of skill in effectively setting up DLP software and much of the complaints about the lack of effectiveness of DLP comes down to a lack of proper data classification and poor DLP software configuration. There is also an argument that network DLP is losing relevance with the increasing amount of encryption of network traffic. This is certainly true and enterprises need to have SSL interception properly configured to maximise the effectiveness of their DLP investment. Still not all traffic will be able to be decrypted and you must determine whether your risk appetite will allow for users having encrypted communications you cannot monitor. This is not exclusively an IT decision, but one that needs to be decided by a well-briefed executive.

c. Network segmentation....

is unfortunately something that is often not done well until after a security breach. One of the benefits of a properly segmented network is that a malicious insider keeps bumping into network choke points. If these choke points are properly instrumented then alerts flow to warn of potential inappropriate access attempts. This gives the defender more time to detect and respond to an attack before sensitive data leaves the network. For example, if your Security Operations Centre (SOC) observes a user in Finance trying to access an Engineering Intranet server then you should be raising an incident to address why this user is trying to access a server that most likely holds no relevance for their job function.

3. Honeypots

These are one of the more controversial strategies that may not be for everyone. The honeypot should be setup with decoy data and a similar look and feel to the production environment. The decoy data needs to look authentic and the knowledge of the existence of a honeypot needs to controlled on a need to know basis. The great advantage of a honeypot over other technical strategies is that all traffic that goes to the honeypot can be considered malicious and by its very nature as the honeypot has no business relevance. The honeypot is only there to trap those that could be looking for sensitive data inappropriately. I have found it useful in the past to use the same authentication store as the production environment so you can quickly see which user is acting inappropriately, or you may have an external attacker using the legitimate credentials of an insider to hunt for sensitive data. Either way, you need to act quickly and deliberately to head off possible data loss. Like every data loss scenario you need a robust process for managing these incidents types.

4. Use of non-core applications, especially social media applications

There has been an explosion of social media applications in recent years ranging from Skype, WhatsApp, QQ, WeChat, LINE, Viber and many others. Businesses are worried that their staff are using these applications to send sensitive data out of the business. These applications are often used for business purposes and depending on the sensitivity of the data this may be considered inappropriate behaviour. Our favoured strategy is to use some of the recommendations above, classify your data, and instrument the network to look for inappropriate use. But, from the user’s perspective, they are trying to perform their job in the most efficient manner and no one wants to discourage “good behaviour!” If there is a legitimate business use for a social media application, we recommend that a corporate social media application be deployed so staff can be efficient in their job. Security needs to enable users to get their job done and not hold up business progress and increase business complexity. Additionally, users must understand the ramifications of their actions and know what data can be sent externally and what cannot leave the organisation without appropriate protections. Education is the key to achieving an effective balance and reminders, like a “nag screen” that alerts the user that they are accessing sensitive data can reinforce the user’s training. Document watermarks and strongly worded document footers about the document sensitivity can also serve as another valuable reinforcement.

5. Hunt for caches of sensitive data

You need to have the ability to hunt for caches of sensitive data – one phenomena that that our security consultants see time and again is that people have the habit of creating a cache of sensitive data to steal before they send or take it out of the organisation. This is true not just for insiders, but often with external attackers that are preparing to exfiltrate data. Our consultants use endpoint tools to look for caches of documents in user directories, desktop and temp directories as the most common places to find document caches. Often the documents will be compressed into an archive such as a ZIP, RAR or GZ file for quicker data exfiltration and to avoid tripping the DLP keyword filters. Whatever tool you use to hunt for data caches it must be able to return the name and type of documents when it does its scans. You should select a tool that can hunt on the basis of a threshold of data volume and be able to dynamically tune the amount. Some of the more sophisticated DLP solutions can implement this functionality also.

Complexity is the arch nemesis of a good security program

Like every good superhero we have our arch nemesis, and this is often the complexity of our security environment and not the bad guys that are trying to compromise our networks. The 2016 Cisco Annual Security Report recently found the average number of Information Security vendors in enterprises was 46! A shocking number, but one which goes to show that there are a lot of point products in this industry. 

One of the constant comments from our customers is “can you make all of these products work together?” We hear you, and recommend that when you are devising your strategy to combat the insider threat that you also consider that the output from these controls is going to have to be acted upon, and you cannot continue to overburden the existing SOC team. We recommend that you review how the insider threat strategy will integrate with your existing threat management process and platform as a key consideration before you get involved in the “speeds and feeds” bake offs with products.

We hope this blog has given you some ideas about key strategies you can deploy to prevent, detect and respond to insider threats. If you would like to learn more about how to get started, Cisco Security Services can work with you to conduct an Intellectual Property Risk Assessment to get a full view of insider threats in your business and can assist with designing a custom strategy to address these threats.


Guest Blog - written by my colleague and good friend, Mark Goudie. Mark is Principal and Director of Security for APJC at Cisco.

The 'Senior Cyborgs' are Coming!

The Silver Tsunami of Baby Boomers hitting retirement by itself would be enough to worry the most well prepared healthcare system, however in the United States, rising healthcare delivery costs and little to no change in the number of professional caregivers is putting the system under never before seen pressures. Everyone is looking to provide more cost-effective ways to provide care and keep people independent, safe, happy and healthy at home, and that was the focus of a panel discussion at this week's Louisville Innovation Summit.
Senior Cyborgs & the Rise of Digital Health
The session discussed the evolution of disruptive digital health technology, a new force of digital caregivers and the entrepreneurs that are changing the way care is delivered. The audience learned about new technologies to deliver care to the elderly, to monitor and assess their condition, mood and well-being as indicators of onsetting medical conditions, and some of the technologies that will enable the elderly to stay in their homes rather than in much more expensive and often despised elderly residential care.

However with increased adoption of clinical alerting and other medical technologies being sent home with post-acute patients, combined with an ever-increasing number of across-the-shelf health monitoring and tracking systems filling homes, the bigger question, which unfortunately often goes unanswered, is how can this ever growing mass of medical devices be secured. The confidentiality, integrity and availability of medical systems and the protected health information that they produce needs to be secured in the home just as it would in a hospice or hospital. This lack of security confidence has in many cases slowed the adoption of technologies that enable patients to spend their twilight years in the comfort of their own homes. It appears then, that security is the primary key to unlocking the doors to what the elderly are asking for and what Medicare Administrators would prefer to fund.

One other key that appears to be required however, is the need to change healthcare payment models for both private and government funded programs such that providers can get paid for community-based care. The panel agreed that current payment and reimbursement models are hugely out of date and this is one of the reasons why the United States lags the rest of the developed world in its adoption of cheaper and more convenient telehealth and telemedicine.

Other areas of discussion focussed upon the need to improve the interoperability of digital health systems, such that meaningful data and meta-data can be better exchanged between providers with different EMRs, and other clinical information systems. We heard that the industry itself has made some strides towards this, but competitive business practices have failed to break down the proprietary data formats used by different HIT vendors. Government will probably need to take a bigger role in mandating common data formats so that meaningful use can be fully achieved.

Read more at TechRepublic and at grandCARE who also reported on the session.

Taiwan National Day

I was privileged to be invited to celebrate Taiwan National Day this year with an assembly of Ambassadors, Senators, Congressmen, State Representatives, Mayors, retired Generals and other US military personnel who served in the 1950s and 60's protecting the country at the height of the Cold War.

Economic, political and cultural relations with the Republic of China (Taiwan) have never been higher. Great to meet everyone and a very happy Taiwan National Day.

The Author pictured here with Zhang chu Zhang

Security in Healthcare: Bolstering Connectivity and Protecting Patients

http://pubs.cyberthoughts.org/2016-Security-in-Healthcare-Bolstering-Connectivity-and-Protecting-Patients.pdf

Connectivity and the Internet of Things (IoT) are pushing the boundaries of healthcare treatment. Medical professionals can access patient data and real-time health status in a way that can dramatically enhance their understanding of the progression of a disease and improve their response to patient health incidents. Medical equipment can automatically identify system failures and even generate maintenance tickets. Remote treatment allows doctors and patients to communicate no matter where they are.

But this connectivity comes at a price. More devices and more communication increase the opportunities for attackers to breach defenses. On the one hand, the healthcare industry has been resistant to changes because it fears that interfering with critical systems could harm patients. On the other hand, not investing in security may not only affect patient healthcare if systems are disrupted but also injure well-being if their private records are stolen............ (read more)

Cisco 2016 MCR


Cisco’s 2016 Midyear Cybersecurity Report is released this week presenting the latest research, insights and perspectives from Talos and the rest of Cisco Security. It updates security professionals on the trends covered in Cisco’s previous security report while also examining developments that may affect the security landscape later this year and beyond.

The report highlights recent developments from the dark net and within the shadow economy, that cybercriminals have become even more focused on generating revenue. Ransomware has become a particularly effective moneymaker, and evidence suggests that enterprise users appear to be the preferred target of some operators. The report dissects observed ransomware techniques and operational trends and goes some way to predict the next wave of ransomware development. Furthermore, it examines the many ways organizations can and should take action to start improving their defenses. This includes the following recommendations:

  1. Instituting and testing an incident response plan that will enable a swift return to normal business operations following a ransomware attack 
  2. Not blindly trusting HTTPS connections and SSL certificates 
  3. Moving quickly to patch published vulnerabilities in software and systems, including routers and switches that are the components of critical Internet infrastructure 
  4. Educating users about the threat of malicious browser infections 
  5. Understanding what actionable threat intelligence really is 
The sad fact is, that attackers currently enjoy unconstrained time to operate. Their campaigns, which often take advantage of known vulnerabilities that organizations and end users could / should have known about and addressed, can remain active and undetected for days, months, or even longer.

Defenders, meanwhile, struggle to gain visibility into threat activity and to reduce the time to detection (TTD) of both known and new threats. They are making clear strides but still have a long way to go to truly undermine adversaries’ ability to lay the foundation for attacks - and strike with high and profitable impact.

Read the full report here

Ransomware – a wake up call for effective security controls

“The digital canary in the digital coal mine”

A “canary in the coal mine” is an idiom that refers to an early warning sign for upcoming trouble.  This comes from the day when there was no technology to detect leaks from unseen pockets of toxic gas in the rock of a coal mine. Canaries are more sensitive to the toxic gas in the mines than humans so miners used to take poor canaries with them as an early warning sign of toxic gas. If the canary is on the bottom of the cage it’s time to get out of the mine FAST! So how does this relate to ransomware – bear with me for a while and I will explain how ransomware is the early warning sign that security threats have a free rein in your environment.

Ransomware is big business today. Ransomware miscreants encrypt a victim’s files and only provide the decryption keys after the victim pays the “ransom”—usually in the vicinity of $US300 to $US500. Unlike most other online crimes that target businesses exclusively, ransomware impacts end users directly. Ransomware campaigns are not discrete about their victims as this is a volume game and the bad guys will attempt to compromise tens of thousands of victims per day whether they be a grandparent at home looking at photos, or a corporate banker making billion dollar deals. The pay day for their efforts can be staggering. Cisco recently worked with Level 3 Threat Research Labs to disrupt an Angler exploit kit botnet which Cisco estimates to have be earning at least $US30M annually and I hope this disruption hurt the bad guys.

The effectiveness of Ransomware can be seen in a recent CERT Australia survey where 72% of companies reported malware incidents in 2015 which has more than quadrupled since 2013 (17%). 72% of respondents also stated that Ransomware “is the threat of most concern”.  These figures are staggering when the survey is targeting corporations and it’s not surprising as I have seen ransomware execute and encrypt data on ASX Top 200 companies' systems and Fortune 100 enterprise servers as well as our relatives' laptops.  Quite frankly, ransomware is everywhere and one of the key reasons why it’s a huge concern is that signature based anti-malware products such as anti-virus are mostly ineffective as ransomware is written and tested to avoid detection by AV products and the signatures can change hundreds of times in rapid succession.

Now let's get back to the “canary in the coal mine” analogy.  I believe that the most troubling aspect of ransomware is NOT its effect on the end user, but more that it is so incredibly effective in:
  • Penetrating corporate network perimeter defences
  • Able to execute as a new process on a victim machine
  • Call out to a server on the Internet to download an encryption key (refer to the update below)
  • Typically, the first time anyone detects the malware is because their work files (or cat videos) cannot be accessed because they are encrypted

I often get asked “can you restore my files?” Unfortunately, the answer most often is “No”. Ironically most ransomware uses strong and well implemented cryptography and it is not economically or technically viable for anyone to attempt decryption. The point here is that we need to move on from believing all attacks can be prevented; we also must realise that attacks must be detected quickly to prevent damage to the business. The fact that most attacks are not directly detected by the victim, but by the action of the external party (encrypting data) is what really troubles me as a security professional. Security controls should be preventing as close to 100% of attacks as possible, but there remains a fraction of successful attacks that we must detect and respond to before significant damage is done to our businesses.

I think we should be closely looking at the lessons we learn from ransomware to show us how effective our security preventative and detective controls are, and how they have failed. Every time ransomware is able to execute and encrypt data, our preventative controls have failed. We can use this incredibly destructive and annoying malware as a tool to learn about the shortcomings of our security program, or the digital canary in the digital coal mine (when the canary is dead it’s time to evacuate) so we can:

  1. Prevent and detect more ransomware and other malware incidents
  2. Be better able to defend our enterprises against more skilled and determined attackers such as organised crime and nation state funded actors
The point is that if ransomware can operate in your environment then there is little hope you have of being able to defend against the more skilled and determined attackers. The critical questions that must be answered is “how did the ransomware get through my perimeter controls?” and “how was it able to execute and encrypt data without being detected before a victim loses access to their critical business documents (and cat photos)?”

Detecting a threat in the environment is critical to minimising the damage malware does in the network, which is why we need multiple layers of controls to protect. We should not get too far into the preventative controls here, but like our mothers used to tell us “An ounce of prevention is worth a pound of cure” (my mother never went metric). There have been PLENTY of articles written about preventing ransomware and other malware so I do not want to rehash what has already been done. If you want to look for articles on prevention I suggest you have a read of the Cisco Talos blog “Ransomware: Past, Present, and Future”.

One last word on prevention, before we move on to what we are here for. There’s a simple to deploy technique that is being overlooked by most information security professionals – blocking DNS lookups of known malicious sites. Cisco acquired OpenDNS in 2015. One of OpenDNS’ main functions is to provide a safe DNS infrastructure for name resolution services. The differentiator with OpenDNS over many standard DNS services is it provides protection by blocking name resolution for known malicious domains. The reason blocking DNS lookups for ransomware is effective, is that most, if not all, ransomware uses a multi-stage attack where an email is typically used to deliver the payload and when the payload executes it calls crypto.evil.com (for example) to generate an encryption key. Yes, it is not perfect as we are playing catch up, and would be preferable to prevent the initial infection, but if you don't get your data encrypted we can call that a win!  More details of this functionality can be found here.

Now lets get to the crux of concept of the canary in the coal mine analogy. What I’m trying to say is that the presence of ransomware is an indicator of bigger problems. You can think of ransomware as the (unfortunately) dead canary on the bottom of the cage that has detected the gas leak. I believe that you should be looking for the root cause of the ransomware incident rather than concentrating on your canary problem. Root cause analysis will show how the ransomware got into the enterprise and when you can understand that, you can start to fix the problem. Please do not go and buy a shiny new security object to fix the security problem before it is properly understood. Without fully understanding the problem you may be fixing something that will not improve your security posture commensurately. We all have the shiny object syndrome, but choose your time to act and resist the pressure from your peers as much as possible.

Consider the points I made above about:
  1. Malware (typically) comes into the network through the corporate email system
  2. Unknown software (ransomware) being able to run without human intervention on one of your corporate systems inside the corporate boundary
  3. Then connects to the outside world through your corporate proxy server, IPS and firewall(s)
This is remarkably like the tactics used by nation state attackers when setting up their beachhead inside the corporate boundary before stealing your intellectual property.

Starting to smell rotten eggs now? This is the real reason why we are so concerned about where ransomware can run, because if ransomware can run, so can nation state attackers and they can do a far sight more damage to your business than encrypting a few files. The typical motivation of nation state attackers is to steal your intellectual property, pricing information, customer data et. al. for the financial benefit of their own country.

This brings into a stronger focus the benefits of doing a proper root cause analysis of the ransomware incident as it’s not just about the one, two or more systems that run the latest ransomware variant and cause the ensuing mayhem of trying to minimise the damage and recover the data.

If you have planned ahead and have decent backups of your critical data (kudos to you if you have), then you don't need to get too spun up about the effects of the ransomware and the recovery is pretty straight forward. Make sure you learn the lesson that the ransomware incident has taught you. Find out how the ransomware got inside your organisation, and put in better controls to stop it happening again, or at least minimise the chance of it happening again (there’s no panacea for all ransomware). Then work out what it did on the endpoint and build a strategy for stopping from that happening again.

Next is to look at the network communications and determine how you could have a) disconnected it (e.g. blocking DNS calls to known malicious domains); or b) detected it earlier to minimise the damage.

One of the key differences between nation state attackers and the cybercriminals behind ransomware is the end goal. Cybercriminals are after money and typically the faster the better, whereas nation state attackers are playing the long game and looking for the data of choice. They want to maintain access and stay in your network for the long term, whilst extracting the data that they are looking for. Nation state attackers move laterally, hopping from system to system, looking for the data that they have been tasked with finding, and acquiring the administrator credentials often necessary to get access to this data. All of these actions have signatures, or indicators of compromise that you can detect with the right tools.  If you have not looked for them, or had a skilled team working on your behalf, you might be shocked at what you discover.

The objective is to learn from the incident and make continuous improvements to your defences and detection capabilities. If ransomware can run in your environment, then so can the tools that nation state attackers use, and this is a cyber arms race against attackers, whether they be nation state, cybercriminals, or activists with a keyboard. So when you realise that the adversary is continuously improving their tools and techniques (as recently demonstrated by the cybercriminals and their ransomware campaigns), then you had better be doing the same to maintain your edge so your business can survive.

Remember that ransomware, whilst annoying and inconvenient, is just the canary in the coal mine. If your yellow bird is on the bottom of the cage, you’ve potentially got bigger problems.

Update: 20 July 2016

A new version of the Locky ransomware operates in offline mode so does not need to call back home to get encryption keys. Read the following PC World piece for more details.


Guest Blog - First published by my colleague and good friend Goma  and inspired by the Western Australia outback - not that there are many canaries there!

The Changing Face of the Healthcare Security Leader



If you worked with just about any hospital or healthcare provider a mere ten years ago you may have come across the Information Security Manager, Director of Security and Compliance, or someone who filled this role under another title. Their role was to lead ‘IT Security’ and manage a small staff of security administrators or analysts, whose role in turn, was to provision users to systems, and troubleshoot access problems. The team would also occasionally check firewall and other security logs when time permitted, amongst a myriad of other tasks and responsibilities, including vulnerability testing and HIPAA and PCI self-assessments.

Healthcare security teams usually were (and still are) smaller, less skilled and poorly paid compared to their peers in other industries. Their need to be generalists prevented the development of specialists with deep technical security skills. Security was often an afterthought in IT architecture or development conversations, and usually seen somewhat negatively as being an obstacle to the release of new systems or feature improvements to older ones.

The security leader, even if they had a ‘CISO’ title, often reported into IT, usually below the CIO, CTO, or someone even more detached from the Board. The conflict between IT’s mission to provide technology systems for users, versus security’s mission to protect the enterprise was very apparent. Security usually lost most battles with IT, and with end users. Rebellions were commonplace against improved user security controls, even for something like the implementation of complex passwords rotated every 90 days - things we take for granted today. A mere ten years ago healthcare was a living bastion of the past. A loud and vociferous user base dominated by Physicians happy to take their complaints directly to the Board, or to threaten to take their business elsewhere ensured that nothing was put in the way of patient care – even a password! Such was the power that Physicians wielded.

Security was usually funded with whatever was left over or could be spared from the IT budget. Consequently it was seen as a drain on new tools and improved functionality for users. Whatever security received, it was usually way too small to do much with.

Occasional vulnerability and penetration testing along with compliance assessments against HIPAA, PCI and security frameworks like ISO and NIST were duly reported to CIO, CTO, or the designated compliance officer, complete with a list of identified gaps. However remediation of gaps was usually given little priority compared to the IT mission to build and release new application functionality “required” by the business. That is, a business, run and largely controlled by clinicians and a business focused more or less solely on providing patient care.

It was doubtful that the hospital or healthcare Board of Directors was ever provided with specific details of any such security audits or assessments, merely informed that the Covered Entity was compliant with HIPAA, PCI and any other regulatory requirements (if the subject came up at all). The security leader had no direct access to the Board, and was considered too junior to address these chieftains in person. Even if offered the opportunity, the security leader would probably talk in a language that the Board wouldn’t understand. Security Leaders were largely kept in the shadows, their message relayed and filtered by the CIO or CTO.



Today’s Healthcare Security Leader

Move ahead ten years and the picture has begun to change. Larger healthcare providers have an executive level security leader, or even a Chief Information Security Officer (CISO) who, while they may still report to the Chief Information Officer or Chief Compliance Officer, will have a seat at the table for Quarterly Board Meetings and may now chair sub-committees on security, privacy and compliance.

Security is now recognized as one of the most important enterprise risks by healthcare Boards of Directors. Media fixation with security breaches at other provider or payer organizations, complete with news of fines, penalties and reciprocity to patients whose information may have been disclosed, has ensured this. So too has media attention to ransomware outbreaks at health providers and the encryption of hospital data and IT systems needed to treat patients. Such is the power of the media, and the impact to business revenues and reputation when security incidents occur.

This increased focus on security by the Board, is leading to demands for not only regular situation reporting on security, privacy and risks from the CISO, but also reporting from the CTO, COO, CFO and CEO on what is being done to address identified risks. In the course of ten years, Security Leadership reporting has gone from almost unnoticed to 'center stage'.

In fact, corporate boards are now in some cases directly appointing external highly experienced CISOs to lead security and to act as change agents across the organization. These 'Change Agent’ or 'Advisory' CISOs are often brought in from leading security organizations like Cisco or the Big 4 audit firms, and are deployed for a finite period of time in order to achieve rapid advancement in the security, risk, and compliance posture of the organization to satisfy its board.

Despite this recent focus, according the Cisco Security Capabilities Benchmark Study (PDF) healthcare organizations are still not implementing as full an array of strong security defenses as organizations in other industries. Furthermore, the report claims that healthcare organizations are more likely than those in other industries, to try to manage their security needs internally instead of outsourcing services such as monitoring, incident response, remediation, and auditing. This slowness to embrace expert services in key specialty areas, may account for the recent spike in healthcare breaches as hackers focus their attention on easy targets.

The same survey also indicated that CISOs tend to be more optimistic than their SecOps colleagues about their security protections. It could be that as security leadership gets further away from the hands-on defense of the realm, so too does their realization of the ability of healthcare, to respond to a threat landscape that changes almost daily. Healthcare is after all, under attack as widely reported in previous articles and publications!

Given the scarcity of security resources, and the ability of healthcare to attract and retain such professionals in a highly competitive market, this is hardly surprising. According to Cisco’s 2015 Mid Year Security Report there is now a 12x demand over supply for qualified or experienced security professionals, and despite limited success to hire or grow additional security resources, healthcare simply cannot onboard enough security staff to defend itself against current attacks.

The result is that many healthcare providers are now looking at ways to maximize the effectiveness of their limited security staffs, by consuming managed security services for much of their security operations threat detection (PDF) and incident response (PDF) in order to free up security team members for higher value tasks.

This change in focus was recently identified in the Cisco2016 Annual Security Report.

As security professionals become aware of threats, they may be seeking ways to improve their defenses for example, by outsourcing security tasks that can be managed more efficiently by consultants or vendors. In 2015, 47 percent of our surveyed companies outsourced security audits, an increase from 41 percent in 2014. Also in 2015, 42 percent outsourced incident response processes, compared with 35 percent in 2014. (See figure below)

In addition, more security leaders are outsourcing at least some security functions. In 2014, 21 percent of the survey respondents said they did not outsource any security services. In 2015, that number dropped significantly, to 12 percent. Fifty-three percent said they outsource services because doing so was more cost-efficient, while 49 percent said they outsource services to obtain unbiased insights.


While healthcare security leadership and better visibility has greatly improved the size breadth and expertise of security teams, it has by and large, made only limited advances to overall security, fueled in part by limitations on security budgets and the availability of additional or specialist security professionals. At the same time, the enormity of the threats leveled against healthcare payer, provider and pharmaceutical organizations has grown exponentially, creating further gaps in security. The need for security leaders to evaluate security needs holistically and to spend money wisely is perhaps more important now than ever before.

Information Security is also not immune to the ‘Do More With Less’ mantra that is affecting all areas of business, and must be creative in how it allocates its resources, and selective where it spends its money. Looking for opportunities to improve efficiencies while at the same time improving the probability of security outcomes, is now the new ‘modus operandi’ for security leaders.




Tomorrow’s Healthcare Security Leader

The security leader of tomorrow will be an executive in charge of his or her own budget, staff and the procurement where it makes sense, of vendor provided security functions that can be consumed as a service, often better, cheaper and faster than developing or running these from within. In the same way that the cloud has changed application development and the internal data center, so too will the consumption of security services.

Tomorrow’s security leader will also more than likely be titled ‘CISO’ or some other ‘C’ level derivative, fulfilling the role of information security leadership and governance. They will likely report outside of IT to the COO, CFO or directly to the CEO. They might even sit at the right hand of the CEO in Board meetings, and will be instrumental in helping to maintain the confidence of the CEO in the eyes of the Board.

During the dot-com bubble we used to talk of an ‘Internet Year’ being nothing more than a few months or weeks. Its not surprising then, that in the period of a mere ten solar years, the role of the healthcare security leader has evolved an ‘Internet millennium’.

Given the almost exponential change in cybersecurity, how many solar years will it take for the healthcare security leadership role to evolve another Internet millennium?

Perhaps just as important:

What cybersecurity event or series of events will accelerate this shift in paradigm – of not just security leadership and governance, but also healthcare security posture and spend?

Will it require a hospital system to be sued out of business following a massive breach of patient, financial or other critical healthcare information? Or will healthcare leadership pro-actively address its business-life-threatening risks before its too late?


This blog is also posted to http://blogs.cisco.com/security/the-changing-face-of-the-healthcare-security-leader