Who'd want to be a CISO?

Challenging job, but increasingly well paid

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

Ai & Automation in Healthcare Security

An increasing reliance upon healthcare IT and IoT including thousands of medical devices and wearables to deliver health services is changing the balance of risk across the industry

There was a fine balance between health technology services, risk and security before 2020. Some would say that this balance was nothing of the sort and that the entire healthcare life sciences industry has been accepting far too many cybersecurity risks for far too long as exemplified by all the ransomware attacks against hospitals going back 5 or more years. Or the massive theft by a nation-state of Anthem's entire health insurance customer database in 2015. Most pharmaceutical and clinical research organizations have also been targeted by cyber attack and intellectual property theft for at least a decade and most recently by a number of nation-states all in search of data on COVID-19 cures. No matter how you view the evidence, the healthcare industry out-gunned and out-manned has not fared well against a well funded and highly motivated cadre of cyber thieves and extortionists.

Now enter COVID-19 this year and the massive digital transformation forced upon HDOs in order to spin-up telehealth and telemedicine plans to diagnose and treat patients from their homes rather than on-prem, and at the same time support a non-clinical workforce all working remotely from home.

The threat surface more then doubled over night and risks exploded, all at a time that healthcare CEOs were focused upon pandemic disease management, treating COVID patients, and keeping HDOs financially afloat without their lucrative elective procedures - A throw-back and lasting legacy of the "pay per service" model of US healthcare.

With furloughs of IT and in some cases security staff too, in order to stop the hemorrhaging HDOs suddenly became massively at risk of cyber-attack at precisely the worst possible time. Perpetrators quickly recognized their opportunity and the cyber attacks of 2020 bear witness to the perfect storm impacting healthcare today.

With a steady stream of new technologies to support telehealth, and the replacement of nursing staff with medical devices to monitor and manage patients remotely as far as possible, how are hospital security leaders possibly going to protect healthcare IT and IoT systems from attack and keep patients safe?

With limited budgets and security headcount (or the availability of additional security resources), automation and increased use of artificial intelligence is a CISO's only recourse. This was the subject of my panel discussion recently at the Denver AI & Automation Security Forum where I was privileged to moderate a panel of experts in the field including: 

  • Dr. Benoit Desjardins, M.D., Ph.D, Associate Professor of Radiology and Medicine at the University of Pennsylvania, 
  • Michael Archuleta, CIO at Mount San Rafael Hospital 
  • Powell Hamilton, CISO at Centaura Health 
  • Esmond Kane, CISO at Steward Health 
  • Joe Searcy, CSO at Elemental Health


Watch the 30 minute video to hear what each of these experts had to say.



What Keeps Healthcare Security Leaders up at Night?


In these trying times of COVID-19, the cancellation of elective procedures and the general population "avoiding the Doctors Office like the Plague", it's no wonder that hospitals and other HDOs are furloughing staff and tightening their belts. But what does this mean for hospital cybersecurity programs?

The impact of COVID-19 on the healthcare industry has been perhaps been even more dramatic than the transportation and tourism industry, with airlines and hotels going bankrupt all over the world. Both industries have suffered a massive downturn in their traditional business and both have had to quickly pivot to the new reality of conducting business during a global pandemic. But unlike travel and tourism, healthcare has been in the forefront of a treating those infected with the SARS-CoV-2 and dealing with massive levels of disease control, while minimizing those on-site.

At the same time the delivery model for healthcare has drastically changed from on of principally elective procedures and screenings to a model where 90% of business, outside of ICU services for COVID-19 patients, is now conducted remotely via telehealth. In fact, healthcare is widely considered to have undergone the greatest single digital transformation of all time and all within the space of a few weeks, while most IT and security staff were forced to work off-site.

We are condemned to live in interesting times


Cyber-criminals know this too and have plied their craft without let-up since early March with a proliferation of spear phishing campaigns targeting often overworked healthcare staff, many of whom are now working alone from home.

But these are far from the only challenges facing the industry and those whose job it is to secure the systems, data and patient safety so vital to the delivery of healthcare services. Hear from four leaders in the healthcare security and technology space as they discuss the issues facing the sector and offer up some options and effective approaches

  • Richard Staynings, Chief Security Strategist at Cylera 
  • Christian AbouJaoude, CTO at USC Keck School of Medicine. 
  • Esmond Kane, CISO at Steward Health 
  • Brett Cattell, Director of Systems at Robin Healthcare




Healthcare Needs better Access Control

 

A rising tide of opportunistic ransomware and targeted nation state cyber attacks against medical research labs working on cures for COVID19 has made cybersecurity a turning point for most providers.


Last week in the Cylera blog I wrote about Zero Trust which is slowly growing in popularity across organizations like Google, but has so far, only limited deployment across the healthcare industry. Zero trust may prove to be nothing more than another panacea at the end of the day against a rising tide of cyberattacks, or, it may prove to be a vital cog in the wheel that finally redresses the balance between defenders and attackers by minimizing what can be attacked. I'm betting on the latter personally.

Zero Trust works on the basis of well-known, frequently voiced, but usually not fully implemented security principles of 'Least Privilege' and 'Trust But Verify'. Trust your staff but verify their activity and don't provide them more access than they need to do their jobs. The principles are not too dissimilar to military personnel, where access is granted on the basis of 'need to know' following 'mandatory access control' principles - based upon your role, rank and assignment.

In other words instead of being given access to everything when you join an organization, you should be provided access only to what you need in order to do your job. You get a key to this box and that box but no other boxes and what you access is monitored. Essentially you have segmented or compartmentalized access rather than carte blanche. As your role or assignment changes, so certain keys are revoked and new ones are provided.


One way of looking at this segmentation approach is to think about the story of a fox in the hen house. Rather than one large hen house and one large door, segmentation places each hen in its own hen house with its own locked door. A hungry fox can then only get to one hen with each breach rather than them all at once as is the case in most hen houses today. By limiting and containing a successful attack, the fox only gets to steal one hen which may not be worth the effort to break down its coup door. The loss of one hen won’t put the farmer out of business and alerts him to the fact that there is a fox in his midst and to get his shotgun.

Of course, in this example the fox is an outside threat, but malicious insider threats are a growing concern with rising levels of cyber espionage and theft of commercial trade secrets and intellectual property by staff. The recent story of Xiaolang Zhang is perhaps a good example. Zhang, had worked at Apple in the Bay Area for several years on its autonomous self-driving car project. He announced his intention to leave the company after returning from a trip to China, in order to join a competitor XMotors (aka Xiaopeng Motors) based in Guangzhou.

Before handing in his resignation however, he trolled the Apple network for data and copied over 40GB of trade secrets, and walked out the building with a Linux server, and circuit boards. He was arrested by the FBI at San Jose airport before boarding a plane out of the country. Zhang was caught because he had gone outside of the swim-lane required for his role and had raised suspicions. 'Trust but Verify' in this case landed Zhang in court when verification of his activities took place and were found to be illegitimate.


In healthcare, there is an implicit trust across staff to do the right thing and a common belief that everyone is mission-orientated to provide the best possible patient care. However, that may not always be the case. The value of healthcare data – PII, PHI, and IP such as clinical research into new drugs and treatments is rising in value, and a number of clinical researchers have been caught stealing intellectual property of the hospital or research facility they work for.

Last year a husband and wife team, Yu Zhou, 49, and Li Chen, 46, were charged with stealing intellectual property related to pediatric medical treatments they had worked on while employed at Nationwide Children's Hospital in order to launch their own pharmaceutical company in China. When they took this company public in China, it netted them millions of dollars based on the cutting edge research developed at Nationwide Children's.

Zhou and Chen are not alone however, and nor are they the only Chinese citizens involved in medical IP theft. The NIH and FBI are investigating 180 individual cases of alleged intellectual property theft of biomedical research funded by the U.S. government, primarily involving Chinese or Chinese American researchers, The New York Times reports.

While the principles of Zero Trust and Segmentation would probably not have averted all of these attacks, it is likely that many could have been contained to smaller thefts of data, and alerts raised earlier as verification of access took place, thus alerting security staff to suspicious access.

Zero Trust is a key ingredient in helping to solve healthcare security. Not only is it a very effective preventative control, restricting access by users and objects like applications or devices to data, but it's also a critical indicator of risk, letting your operations team know when anomalous access behavior is attempted.

A Career in Cybersecurity


Anyone who is considering their career choices will have noticed that there's a lot of job openings in the cybersecurity space. Every week someone, somewhere, is trying to hire a cybersecurity professional of some particular skill set or other. The job ads are full of openings and anyone with 'cybersecurity' on their Linkedin profile or online resume, is probably getting connection requests from recruiters like they just won a large sum of money and offered to give it all away.

According to the Cisco Annual Cybersecurity Report there has been a consistent 12x demand over supply for qualified, certified or experienced, security professionals for the past 5 years. That means that there's currently 12 open security jobs for every person able to fill that role. With statistics like that, cybersecurity professionals will never be out of a job for long.

But what does it take to get into the field of cybersecurity? How do you get a foot in the door? How do you gain the experience that everyone is asking for to get the job in the first place?

Sometimes it can be a bit of a Catch 22 - and that's a bit of an understatement. Just read some of job postings requiring 3-5 years experience for an entry level position plus a current CISSP certification. However, those who may have looked into sitting their 6 hour long CISSP exam will have noticed that you need 5 years of experience to get the certification that is required for the job in the first place! (Or 4 years and a Masters Degree in a related field).

The truth is that job postings are written by HR professionals, most of whom have very little understanding of what the actual job they are hiring for involves. Someone should make a movie about it and call it "Recruiters are from Mars" because they might as well be. A classic example of this was a job posting I saw last week that wanted someone with ten years experience of Kubernetes and a whole laundry list of other skills and experience. This was noticed by many others as well as myself, who quickly pointed out that Kubernetes is only five years old as a technology, so no one could have more than five. Not only did it make a mockery of the job posting and the reputable company that had posted it, but it highlighted the problem of unrealistic job posting requirements. 

Whether the problem ultimately lies with HR, recruiters or hiring managers, there is an unreal expectation in the cybersecurity space. This is a highly, highly, competitive space for scarce security resources so whether this comes down to company salary scales that are out of touch with market rates, and the need to use approved more senior job requirements to hire in junior staff at a rate they will consider, I don't know. But cybersecurity professionals are currently making 25 to 30 percent more than their peers in IT with the same experience and levels of qualifications.

Some of the job postings that demand all kinds of experience would probably command a salary package of at least a million dollars a year if someone had all of those skills, certifications and experience. While I would like to believe that security professionals in their 30s are making seven figure salary packages a year, that probably isn't the case for most. In other words, JOB REQUIREMENTS are nothing more than a WISH LIST.
Treat the 'JOB REQUIREMENTS' as 'DESIRED SKILLS' 
But it's not just experience, the same is true for security certifications and academic qualifications. 

Any recruiter claiming that 'x' security experience, plus 'y' certifications, plus 'z' masters or doctoral degrees is a MUST HAVE simply couldn't afford to hire the perfect candidate if he or she walked through the door today. 

In other words, you should apply anyway. It might not work all of the time but you only need it to work once to get your foot in the door. It is after all, getting more competitive each year as more and more companies attempt to hire the few security resources that might be looking. Increasingly, companies are having to re-think who they hire, at what level, and what skills are really necessary. They are taking what they can get and providing on-the-job training instead, in order to fill vacancies and get bums in seats. 

Companies looking for security certifications will usually pay for the training, the materials and the examination if they want you to obtain one. While the Catch22 nature of the CISSP might be out of reach for entry level candidates, get yourself certified in an easier credential such as the CompTIA Security+ or some of the SANS GIAC foundational courses. That combined with a desire to work towards a higher more widely recognized certification or qualification, might be enough to get you past a cert required in the job posting and on to the next level with a video interview.

The same is true with academic certificates and degrees. Most universities are now running courses on-line thanks to COVID and many have solid cybersecurity programs at the Associates, Bachelors and Masters level. There are many government grants, and university stipends available each year and companies will often pay for you to study for degree or certificate programs so take advantage of this. It may take you a couple of years of part time evening or weekend study but a degree will boost your career opportunities and salary expectations so is most definitely worth your time. It may also exempt you from having to keep up with professional certifications like the CISSP, and pay these commercial bodies annual membership fees which can be expensive. 

But you as a candidate need to start somewhere.

In the following 90 minute video, I outline:
  • What is cybersecurity and why is it front and center as we adopt increasing levels of automation and digitalization?
  • Who are the main perpetrators of cyber attacks and what are their motivations?
  • Why is cybersecurity so important today?
  • What are the security frameworks being used to secure organizations?
  • Why you should consider a career in cybersecurity
  • What are those opportunities?
  • How to develop a cybersecurity career strategy
  • What security certifications and qualifications should you consider?


A PDF of this presentation can be downloaded or viewed here:
http://pubs.cyberthoughts.org/A_Career_in_Cybersecurity.pdf

Ransomware and Increased Attacks against Healthcare



The number of attacks against healthcare and hospitals continues to rise as cyber criminals and pariah nation states take advantage of the current Coronavirus crisis where hospitals in many part of the United States and around the world are distracted by large numbers of infected patients and a workforce that by and large, is now entirely remote outside of clinical care.

This was the subject of discussion for a panel of healthcare security experts today at the Washington HIMSS Chapter Meet Up.




Tri-State MSSF

The challenges of securing healthcare don't get any easier over time. Rising digitalization, adoption of AI and ML, a massive growth in the number of medical and other HIoT devices, and an IT & IS workforce now largely working from home, all introduce additional challenges for CISOs and CIOs.

In the Tri-State area this is compounded by the competition for scarce security resources. Lured by the lucrative salaries and stock options of the New York financial services sector, the problem is becoming acute. How can security leaders attract and retain quality security staff and keep their skills sharp enough to defend against sophisticated attacks when budgetary pressures might otherwise suggest the formation of a team of security generalists?

This was the topic of my discussion panel today with Tim Buntz, Chief of Security at Virtua Health, Esmond Kane, CISO of Steward Health, and Michael Archuleta, CIO of Mt. San Rafael Hospital.





Cybersecurity in a Crisis


Livestream from the HMG Live! Denver CIO Virtual Summit.

The COVID-19 pandemic has required all of us no matter what industry we focus on to re-evaluate our cybersecurity posture and controls given that most staff at most companies now work from home. 

This panel of esteemed security leaders discusses the nuances of cybersecurity today and provides useful advice on what CISOs should consider in their security strategy and tactical controls. 

Do Healthcare Providers Need Help?

Photo: Frank Busch

In an escalating war of cybercrime, smaller healthcare providers are plainly losing more battles than they are winning. Is it time to try a different approach to security?


An increasing number of healthcare providers globally are succumbing to the overwhelming resources of sophisticated nation-state military espionage units and organized crime syndicates. Is it now time for some to consider throwing in the towel and transferring their cyber risks to specialist healthcare managed security services providers?

Covid-19 has transformed healthcare around the world. Many staff have been furloughed as non-emergency procedures are postponed, nearly all non-clinical employees now work from home, and telehealth has largely replaced doctor visits and consults. The attack surface has radically increased and attackers know it!

Many criminals are using this confusion and disruption to attack exposed healthcare systems. They do so for everything from simple criminal monetary gain, via ransomware attacks and other forms of extortion, to the attempted theft of clinical research, other IP, and non-public data, as we reported in our previous article.

Already outnumbered at least five to one, the odds of successfully defending a cyberattack for healthcare providers just got much worse. Would they be better, therefore passing the defensive torch to an outside team of cybersecurity experts?

This was a question I put to my panel of guests this week at the CTG Intelligence Cybersecurity Virtual Forum in Albuquerque, NM. Watch what they had to say below in this 32-minute video.


COVID-19 May Have Just Saved US Healthcare


There’s nothing like a good crisis to cause a re-evaluation of how we do things. While any epidemic is sure to stress the health system of just about any country, in the United States we needed to be jarred out of our comfort zone to re-think how we do things and how we more efficiently deliver healthcare services to the population.

While no one is doubting the dedication of our doctors and nurses or the many others involved in the delivery of health services, we have unfortunately inherited a broken legacy system from the post-war 1940s that has struggled to contain costs, and to provide healthcare services to all who need them. Unrealistic vertical demand for health services has combined with corruption and mass profit taking by certain parts of the system that has led to huge inefficiencies that divert scarce funds away from where they are needed. It has also highlighted the horrific imbalance of access to health services. One only has to look at the COVID death rates between rich and poor Americans to realize that something is very wrong. 
 
Medical malpractice insurance doubles the costs of a medical procedure, while an overly complex and bureaucratic medical billing and insurance system creams a good percentage off the top of available funds. Reimbursement delays from insurance and patients, neither of whom can figure this stuff out compound losses, however it is the exorbitant costs of pharmaceutical drugs in the US that sucks the life out of the system. It is actually cheaper for Americans to fly to the other side of the world to purchase their US and European manufactured drugs than it is to buy them with insurance at home. This is a subject I wrote about last year to much popular acclaim in a three part story on Medical Tourism.
 
But public health is a 'public good' to all of us. There is an economic, social, and moral utility for the person sat next to me on the subway or an aircraft to be healthy and disease free for my own benefit, and those I work and live with. Surely this is a lesson we should have learned in the 19th century with Typhoid and other communicable diseases. Yet our national approach to pandemic disease control, appears to be closer to a King in the Middles Ages trying to containing the Black Death, than to 21st century science-based pandemic disease control - even accounting for the fact that some of our elected representatives plainly flunked out of their middle school science classes. Lets face it, US healthcare is in serious trouble. The needless deaths of hundreds of thousands of Americans to the SARS-CoV-2 virus, is just a symptomatic expression of much bigger structural problems in our health system. 
 



 
In fact, COVID-19 may have just saved US Healthcare from its swan dive – and a spiraling decline of rising costs, and diminishing reimbursement rates, while much of the population is denied access. In the last decade hospitals have frantically engaged in massive cost-shifting between federal, state, IHS, and insurance systems to try and stay afloat. Many haven’t, and that has been devastating for the rural communities they once served. Let’s face it, the system has been broken for a quite a while, and we have done very little about fixing it. COVID-19 however, has changed that!

The truly massive growth in telehealth and telemedicine since February has been amazing. Doctors and nurses love it, patients love it, and it keeps the slightly sick away from those who may be highly contagious and in need of radical medical intervention. Both primary care and specialist physicians have commented how many more patients they can see per hour using video technology, but there are things that we need to fix.

This session looks at what the future of digital healthcare will be, post-COVID, using new tools, new approaches and improved broader access to health services. It will examine necessary changes to regulation, patient identity verification, cybersecurity and the rise of healthcare IoT including wearables.

Hear from two national experts as they share their thoughts for the future of US healthcare.


Hospitals Targeted by Cyber Attack During Covid Crisis



Cyber-criminals and pariah nation-states are taking advantage of the disruption caused by the pandemic to run amok. 

Few things elicit the question of ethics than a lawyer chasing an ambulance leaving a road traffic accident or a hacker targeting a hospital during a global crisis, but the latter is precisely what has been happening since February.
The public and government officials alike, are outraged that cyber criminals would target health systems during a time of global pandemic crisis.

Increase in Cyber Attacks Against Healthcare

As our brave doctors and nurses fight each day to save lives those infected with the coronavirus, hackers and pariah nation-states fight each day to break into our health systems and research centers working on a vaccine or a cure. Ironically, both the virus and many of those engaged in the theft of research into a vaccine appear to come from the same country.

Photo: H.Shaw
 
Between the months of February and May of this year, there have been 132 reported breaches of healthcare covered entities, according to the HHS. This is an almost 50% increase in reported breaches during the same time last year. Perpetrators appear to be taking advantage of a distracted often remote workforce easily susceptible to phishing and other scams, or gaining access to hospital networks through insecure medical devices and other healthcare IoT systems. "These systems are notoriously difficult to secure and are an acknowledged cybersecurity risk," claimed Tim Ozekcin, CEO of biomedical security company, Cylera.

In a letter this week signed by international political and business leaders, the International Committee of the Red Cross called for governments to take “immediate and decisive action” to punish cyber attackers.

“There are more and more cyberattacks...on the healthcare sector and unless there are really strong measures taken, they will continue,” said Cordula Droege, chief legal officer at the ICRC. “What we’re seeing at the moment are still indications of how devastating it could be.”

Also this week, NATO, issued a statement condemning the "destabilising and malicious cyber activities directed against those whose work is critical to the response against the pandemic, including healthcare services, hospitals and research institutes. These deplorable activities and attacks endanger the lives of our citizens at a time when these critical sectors are needed most, and jeopardise our ability to overcome the pandemic as quickly as possible."

Invoking its founding principle of Collective Defense and its’s more recent Cyber Defence Pledge, NATO confirmed that it is ready to take action against the perpetrators of these cyber attacks.

"Reaffirming NATO's defensive mandate, we are determined to employ the full range of capabilities, including cyber, to deter, defend against and counter the full spectrum of cyber threats," NATO said.

The World Health Organization has reported a 500% increase in cyberattacks on its systems during the spread of the Coronavirus pandemic through April compared with the same period last year, and has been dealing with a major email security breach at the same time while trying to deal with the largest pandemic to hit the world on over a century.

So far this year, the U.S. Department of Health and Human Services has investigated 177 data-breach incidents at medical organizations, nearly double the 91 under investigation in the same period in 2019.

Photo: Lianhao Qu

Opportunistic Rise in Cyber-Crime

Cyber-crime appears on the rise everywhere while most of us are out of our comfort zone working from home or otherwise disrupted. According to the FBI, the number of reported cybercrimes has quadrupled for the period of December - April compared to the same period last year. The FBI’s Internet Crime Complaint Center, known as the IC3, has been swamped with 3 to 4 times the usual number of calls each day as COVID-19 spread across the United States.

According to Tonya Ugoretz, Deputy Assistant Director of the FBI Cyber Division, "there was this brief shining moment when we hoped that, you know, 'gosh cyber criminals are human beings too,' and maybe they would think that targeting or taking advantage of this pandemic for personal profit might be beyond the pale. Sadly, that has not been the case," she reported.

The US FTC has reported that approximately $12 million has been lost due to Corona-virus-related scams since January. But it’s not just the US that has been targeted either. One man in Singapore tried to abscond with €6.64 million from a European pharmaceutical company after taking an order for surgical masks and hand sanitizer that he had no intention of delivering. Thanks to the quick actions of Interpol and Singapore authorities the money was returned and the man arrested.

“We’re very concerned now that we have these very sophisticated actors - nation-states, particularly China and Russia - targeting Covid-19 research, treatment protocols and vaccine development,” said John Riggi, Strategic Advisor for Cybersecurity and Risk at the American Hospital Association.

The message to watch out for potential theft of intellectual property has gone out right across the industry, especially by sophisticated nation-state actors according to officials at a number of leading academic medical centers. "Its like we're fighting two battles at the same time - the Covid-19 pandemic and defending against an escalation in cyber attacks against healthcare, " claimed Chad Wilson, CISO of Stanford Childrens' Hospital.

Hundreds of fake domains have been registered by criminals with names to entice the unsuspecting to click a link to a coronavirus news site, health and well-being site, to a charity site supporting everything from animal shelters for abandoned pets to food banks for the suddenly unemployed. At least one has even attempted to purport to be part of the Centers for Disease Control in Georgia otherwise known as the CDC. And there have been a whole range of scam sites setup to supply N95 masks, rubber gloves and other personal protective equipment (PPE) where users place an order never to see any goods – only fraudulent transactions on their credit cards. Many hospitals have also been defrauded in similar ways, receiving sub-par equipment from mainly Chinese manufacturers or none at all.

Intellectual property theft especially at hospitals and research institutes working on investigation of the virus or potential vaccines for COVID-19 has also been rife, especially from so-called international partners, some of whom may have been already compromised. Nation-state-actors are focused on gathering information about the response of US states to the ongoing pandemic and the progress of the research on vaccines with more than one nation-state appearing to be involved.

Photo: CDC

Healthcare & Medical Research Targeted

Most alarmingly though, is a spate of targeted ransomware attacks against hospitals. Last month a number of Czech hospitals and medical research centers were attacked, by as yet unknown perpetrators in what is thought to be a combined infiltration-theft and ransomware attack. The attack breached one of the major Czech COVID-19 testing laboratories at Brno University Hospital in the city of Brno in Moravia. According to Reuters,“The country’s NUKIB cybersecurity watchdog said the attacks, designed to damage or destroy victims’ computers by wiping the boot sector of hard drives.” The similarity with Russian FSB and GRU attacks against Ukrainian and other targets last year would tend to indicate nation-state involvement as would the boot sector wiping first attributed to the Russian GRU's 'Not Petya' attacks.




Colorado Medical Center Hit

But ransomware attacks against hospitals have hit closer to home. At least one US hospital has been hit in the past week by ransomware that encrypted its entire EMR system and its local backups. This was not a random broadcast attack but one carefully crafted against a known Pueblo, Colorado hospital with a un-patched perimeter. The hospital and many of its IT systems are still off-line at the time of writing this post and patient care is still being impacted by the attack. Its website came back up as we were about to post this article with the following message to the community.


This represents a daring escalation by cyber extortionists and risks a very real response by the United States. A mere two days before Parkview was hit, Mike Pompeo, US Secretary of State warned that there would be "zero tolerance" for such attacks.

"As the world battles the COVID-19 pandemic, malicious cyber activity that impairs the ability of hospitals and healthcare systems to deliver critical services could have deadly results," Pompeo said. "Anyone that engages in such an action should expect consequences," he added.


Drawing a Line in the Sand

Whether the pandemic cyber-attacks are just highly opportunistic criminals with no moral compass, or are a deliberate escalation of the hybrid warfare executed by a few pariah nation-states that have been pushing the boundaries of acceptability over the past few years, the perpetrators are treading on very dangerous ground.

Attacks against national critical infrastructure risk a very different kind of response from governments the world over. Just over a year ago, the Israeli Defense Forces dealt a very firm blow to nefarious cyber actors planning an attack on Israel with an air strike that wiped out HamasCyberHQ flattening the building and all inside.


HAMAS CyberHQ. Photo: Forbes

The US has also taken out a number of cybersecurity adversaries with drone launched hellfire missile attacks in Syria over the past few years. In fact, the US has reserved the right to retaliate against cyber-attacks with military force since 2011. The prospects therefore, for those cybercriminal elements that deliberately target US hospitals and medical research facilities obviously don't look too good.

Whether and how the US and other countries decide to respond to attacks against life-sustaining critical infrastructure like hospitals and healthcare research is a topic of hot debate. One issue is the problem of attribution. It's difficult to positively attribute an attack to an individual or a group especially when more sophisticated attackers are good at covering their tracks or leaving breadcrumbs that point to others. Its also time-consuming, meaning that many years can go by before the culprit of an attack can be finally identified and dealt with.

Once identified, however, there are a wide range of options open to governments, extradition being only one of them. The international rule of law is opaque at best and needs to meet different standards and evidentiary bars in each country and its respective legal system. Even then, some people are considered beyond the law due to their connections. Some countries, notably Russia and the communist block, lack extradition treaties with the rest of the world. Going after perpetrators via legal means in the Peoples Republic of China or North Korea is also senseless as they usually operate at the behest of the state, unlike Russia that employs freelance proxies in order to claim plausible deniability. Therefore, governments sometimes need to employ other methods, as Bobby Chesney the co-founder of the Lawfare blog and a very highly respected figure in US national security circles, explained during a recent podcast.

According to Chesney, there are many perfectly legal avenues for US government agencies to pursue in the apprehension of cybercriminals that dare go after critical US Infrastructure, especially at a time of declared national emergency. "There is an unpublished line in the sand that if crossed could mean significant consequences for those that do" he claims.

That includes a wide range of punitive measures including black ops, as Roman Seleznev the son of a close Putin ally who was widely regarded as being beyond the law in Russia found out in 2017. Renditioned to the USA, tried and convicted of cybercrimes in at least two different states, Seleznev has the next 27 years to look forward to as a guest of the US prison service.

Photo: NIST Cybersecurity Framework (CSF)

A Change of Focus

Recognizing that not all cyber attacks can be prevented, many CISOs are focusing more of their attention on the Detect, Response and Recover segments of the NIST CSF. Their focus is on limiting damage and restoring functionality as quickly as possible to minimize impact. "Every minute a critical hospital system is down could mean patient lives, so speedy restoration is critical," claimed Esmond Kane, CISO of Steward Health. "The fact that a breach occurred or a perpetrator was able to gain access to the network and HIT systems, is of secondary concern once systems are back up and running. We have to deal with that later" he adds.


Recovery from Attack

In order to turn the lights back on and restore systems following a cyberattack, a hospital must first eradicate all traces of the ransomware and other malware, then carefully restore data from off-site backup tapes or cloud storage. First, however, the malicious exploit and ransomware code must be identified, forensically preserved by law enforcement for later prosecution of perpetrators, and systems cleaned up and formatted. This can be very time consuming, taking many days and of course, will impact patient care and safety.

Perpetrators also know that thanks to better backup procedures following WannaCry, victims have comprehensive and disconnected backups of their data to avoid paying ransoms which would be illegal in many jurisdictions. Hence they are now executing combined infiltration-theft extortion attacks, as was seen in the Czech Republic. Non-Public data is exfiltrated as part of the attack and when the ransomware clock runs out without a payment being made, a perpetrator will release some protected data to the public internet with a second extortion payment demand threatening to release more regulated PII and PHI data. This is similar to a recent REvil Attack against a Los Angeles celebrity law firm that claimed to have masses of dirty laundry on Donald Trump as well as contracts and other documents for celebrity clients.


Cisco's ZeroTrust Micro Segmentation






Containment and Risk Mitigation

While adoption of a Zero-Trust security framework and the implementation of network segmentation will severely limit the lateral spread of malware across a hospital network, one of the greatest recovery problems is the identification of sleeper malware or extraneous communications by that malware to command and control severs. That's where Cylera’s MedCommand software comes into its element by quickly identifying suspicious network traffic, and tracing that traffic back to infected code that can then be eradicated from the network so that restoration of Health IT systems can commence.

Its just one more use of the Cylera MedCommand system in addition to its primary objective of identifying healthcare IoT (HIoT) connected assets, profiling and risk assessing them for security group tag allocation and for network micro-segmentation under Zero Trust. Its also in addition to a recent feature that was added to the software that allows those who are responsible for managing medical devices and other HIoT assets to observe device utilization for better allocation of patients to available devices - something that has become critical when medical devices are short on supply and stretched to capacity under a global pandemic.

Covid patient in hospital isolation room

More about Cylera MedCommand

Many healthcare IT and Security teams are yet to even gain a full understanding of which medical and IoT devices are connected to their network, much less an understanding of their level of risk and susceptibility to different forms of malware. Cylera’s MedCommand is an agent-less solution designed to fill this capability gap. MedCommand provides organizations with a complete, real-time inventory of all connected HIoT devices, an understanding of the vulnerabilities affecting them, information on their configurations and patch levels, and real-time threat detection tailored to each device. Teams can then make use of Cylera’s actionable recommendations and automated micro-segmentation policy generation to proactively protect HIoT devices and provide a missing layer of security to the devices that need it most.

To learn more about MedCommand and how it may help you identify suspicious traffic on your network contact us to request a demo.

This article was first published here.


Covid-19 kills off 'Suprise' or 'Balance Billing'


Surprise Billing is a major cause of bankruptcy each year

The despised practice by healthcare providers of ‘surprising billing’ where the gap between what your health insurance regards as a fair and equitable charge for services and what your medical provider actually charges for that service, has been essentially outlawed during the Coronavirus epidemic.

The Department of Health and Human Services which is providing emergency funding to providers during the crisis, has tied millions of dollars in payments to its terms. Those state: "For all care for a possible or actual case of COVID-19, the provider will not charge patients any more in out-of-pocket costs than they would have if the provider were in-network, or contracted with the patient's insurance company to provide care.”

The agreement is posted on the HHS.gov page.

"HHS broadly views every patient as a possible case of COVID-19," the guidance states. "The intent of the terms and conditions was to bar balance billing for actual or presumptive COVID-19," an HHS spokesperson said late Friday. "We are clarifying this in the terms and conditions."

Many states have for a long time outlawed the practice of balance billing but some states have failed to legislate this.

HHS might have done with fine print what Congress and the White House could not do — despite bipartisan support and public outrage at the practice.


Photo: Vladimir Solomyani

Surprise Billing

Surprise billing often occurs when a patient goes to an in-network hospital for a procedure, but an out of network physicians or anesthetist is involved in the operation attempts to bill the insurance a rate much higher than the agreed upon in-network rate for his or her services. Insurance declines anything over the agreed upon rate and the patient is left footing the bill. This places the patient who was unaware of and wasn’t asked to approve any out of network services, up the proverbial creek without a paddle.

Balance billing which can sometimes amount to hundreds of thousands of dollars, is financially devastating for patients and a major cause of bankruptcy in the United States. The practice is outlawed in many states but has yet to be outlawed nationally despite bi-partisan support in Congress, thanks in part to the immense corrupting power of the healthcare lobby.

According to patient advocacy groups, certain lobbying groups later revealed to be connected to physician staffing firms owned by profit-driven private equity companies, spent millions last summer to buy political ads that targeted members of Congress who were working on legislation to end surprise billing.

Whether the fault of balance billing lies with insurance companies paying too little to cover procedures, or with some healthcare providers charging more than what insurance calls ‘market rates’ for their services, has been the subject of intense debate for years. Law suits and several media expose’s have embarrassed greedy providers and stingy insurance companies into rectifying their wrongs, but most of the media’s ire has been directed at for-profit health systems that attempt to shift costs from a growing number of Medicare and Medicaid patients where reimbursements are fixed (take it or leave it) to those with insurance who are not protected by the government from predatory billing practices.

Given the trillions of dollars currently being spent by the government on healthcare through the current epidemic, and the need to invest heavily for future pandemics, federal public health spend is at an all-time high and probably will be for the future. Not since the Second World War has the federal government surpassed insurers and individuals in the funding of critical health services to the American people. Given the rising grey tide of retirees claiming Medicare, and popular support for a universal safety net of public health services among Millennials and others, COVID-19 may have brought about some fundamental changes in health coverage and national health policy.

This story was first published here



Business Continuity and Securing a Remote Workforce during a Pandemic Crisis

How to survive the transition from two office locations to 25,000 and still remain secure.


The COVID-19 pandemic has critically changed the traditional concept of work for a major part of the workforce, possibly forever, as office staff work from home, and traveling salesmen work opportunities by video conference with customers. But what are the implications of this change for corporate cybersecurity and how can CIOs and CISOs adapt their technology infrastructure and cybersecurity controls to this new reality? These are just some of the questions that my panel was asked to address in a recent virtual cybersecurity conference on the challenges of working through an epidemic.

With ‘Stay at Home’ orders in effect across most of the world, this of course means that many customer-facing businesses are suffering. It’s certainly not a good time to be in the airline, hotel, or restaurant business as nearly everyone stays at home. Similarly, companies that have not completed their migration to the cloud and cloud-based services may be experiencing additional difficulties necessitating that remote staff VPN into the corporate network in order to access legacy client-server systems and applications.

And of course, the COVID-19 Pandemic since its humble beginnings in Wuhan China and subsequent spread around the globe, has reaped massive emotional and economic distress, as well as the deaths of thousands, and the making of millions more sick. Whether the recent relaxation of lockdowns in China and elsewhere is a permanent condition or results in a second wave of infections remains to be seen, but the global pandemic will have lasting effects on globalization and supply chains for critical medical and other supplies. It may also permanently change the way many of us work.

Photo: William Manuel Son

The King is dead. Long live the king!

Is there really a need for companies to continue to rent expensive downtown city offices? Is it really necessary for your employees to sit in their cars each day for two hours commuting to their cube through noxious traffic pollution, or be confined to a cramped subway or train car with potentially lots of disease-carrying passengers? It took Spanish Flu 18 months to work itself out, so Trumpian notions of a full return to what was ‘normal’ in a few weeks, is unlikely even by the greatest optimists. The bigger question is do we really want to return to the way things were just for the sake of it? I would suggest not.

Now that the cat is out of the bag, and bosses have seen that their staff work just as well from home, if not more productively than from their office cubes, the argument to keep things the way they are today, suddenly has a lot more weight.

Photo: Mike Von

What Questions Should You Ask?

How should you go about securing tens of thousands of staff now working from their patios, dining room tables, or home offices, connecting to your applications and infrastructure via an over-taxed VPN back to the nearest corporate office?

How can you ensure that your staff’s home wireless internet connection is not being snooped upon if they are not encapsulating and sending everything over the VPN? Do you insist that your staff's home network is running WPA2?

Do you even know if split tunneling is enabled in your VPN and what happens when that employee needs to print something to their home printer and has to disconnect from the VPN?

Have you put in place policies for remote access such that staff are expected to update firmware on their $50 cable modem or DSL router and are they even required to change the default password on these devices?

Do you provide your staff with Integrated Services Routers (ISRs) to connection back to corporate and for VOIP calling?

Do you provide staff with a laptop running a locked-down application stack with your security tools installed? Taking home the office workstation may not be an option and trying to purchase laptops in times of mass demand is becoming almost impossible.

Do you allow your staff to use their own (BYOD) computers to access your applications and data, and if so, what do you require in the way of AV, patching and acceptable use on these machines?

These and other questions were put to my team of security subject matter experts who joined me on virtual stage for a special CTG Intelligence conference on remote business working during Covid-19. Their answers and shared insights may help you to prepare for the new ‘normal’ for as long as it lasts.


https://youtu.be/0ukVUYc4g4M

The panel includes:
Richard Staynings, Chief Security Strategist at Cylera, out of Boulder, CO, USA
Page Jeffrey, Cyber Security Consultant at Trace3, out of Colorado Springs, CO, USA.
Luke McOmie, CxO Advisor Offensive Security at Coalfire out of Westminster, CO, USA.
Steve Harrington, Managing Director at Masergy out of London, UK.
Tanya Walters, Independent Cyber Operations Advisor out of Phoenix, AZ, USA.
Anthony Dezilva, Dir. CxO Services out of Scottsdale, AZ, USA.


This story was first published here where comments can be posted on this blog article and the video presentation. 


The growing need for Artificial Intelligence in healthcare

Healthcare needs AI and ML.

The author and other experts, discuss the growing need for Artificial Intelligence in healthcare for everything from clinical decision support to administration / revenue cycle and cybersecurity. 

Machine learning algorithms are already transforming healthcare and security tools like Cylera MedCommand, but there’s an arms race with cyber-criminals where having the right tools to identify and block an attack is becoming critical.



See the full HIMSS AsiaPac Interview


See also The Impact of AI and HIoT Related Threats from the HIMSS Show Daily

See also AI Will Radically Change Healthcare Security my keynote from HIMSS AsiaPac19


HHS in Targeted Cyber Attack

A recent attack against U.S. Health and Human Services is a lesson to us all to better manage cyber risk in a healthcare environment

The U.S. Health and Human Services Department suffered a cyber-attack on Sunday night according to Bloomberg that appears to have been purposely intended to disrupt its computer systems, and thus an attempt to undermine HHS’s response to the coronavirus pandemic gripping the country. The attack which occurred just before midnight involved overloading HHS servers with millions of hits over several hours and may have been an attempted distributed denial of service attack (DDOS). Initial investigations appear to suggest that the attack may have been the work of a foreign actor. A number of news outlets are pointing the finger towards Russia, however it may take weeks or months for a full forensic investigation before the cyber attack can be accurately attributed.

The fact is that during a healthcare crisis and a huge influx of sick patients, the resiliency of hospital and clinic IT systems becomes even more important to ensure patient survivability. Recognizing this, and with an expected escalation of threats during a national crisis, HHS had recently implemented an expanded risk-based approach to cybersecurity assessment of threats, vulnerabilities and controls.

“HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities," said Caitlin Oakley, a spokeswoman for HHS.

While this ‘risk-based’ approach to cybersecurity worked in HHS’s favor to protect it from cyber attack and to keep critical services up and running, most health systems are not so lucky. Many are still following a ‘controls-based’ approach to security, ignorant of the actual cyber-risks in their hospitals and clinics from devices they may think are safe from attack, but which have never been tested or even profiled, let alone risk-assessed.

According to an investigation conducted by Cylera last year, more than 90% of US hospitals and clinics do not have a current and accurate inventory of all IT and IoT assets that connect to their networks. This includes not only workstations and servers, but also BYOD devices like personal phones and tablets, network connected building management systems that control elevators and air conditioning, and a rapidly growing number of medical devices, many of which are managed by third-party vendors and have never been patched.

"When your patients are relying upon you to provide medical services and to possibly keep them alive through a pandemic, five, six, or seven nines availability* is an absolute must." said Richard Staynings, Chief Security Strategist with Cylera and HIMSS and AEHIS Cybersecurity Expert. "The last thing you want is for one of your un-assessed healthcare IoT devices to take down an entire hospital building or even a floor of your clinic. The availability of health IT and IoT systems is critical to the way we treat patients in today’s digital healthcare service no matter where you live or where you go to seek treatment or to get help with breathing." he added.

Automated tools like Cylera MedCommand, make extensive use of AI and ML to thoroughly risk-assess medical and other devices so you can understand risks and implement compensating security controls before something bad happens.


MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology.

Cylera has partnered with leading healthcare providers, experts, and peers to develop one the most comprehensive and integrated HIoT security solutions available for healthcare.
Learn more about Cylera's innovative AI based approach to medical device and other HIoT endpoint management or contact us to schedule a conversation.



* Five nines availability indicates the expected uptime of a system i.e. 99.999% availability, (roughly 5 minutes per year). Similarly, seven nines would be 99.99999% uptime equating to 3.16 seconds downtime per year.

This story was first published here.  

Medical Wearables and HIoT

Patient Safety in the era of medical wearables and Healthcare IoT: Is new technology helping us to stay healthy or introducing risks?


“medical
Medical Wearables.



Most of us now wear some form of fitness tracker and many hospitals and insurers are utilizing this 'personal health data' to supplement 'provider data' in our overall healthcare management. The volumes of healthcare data on each of us is staggering and is critical for our health management and overall well-being as patients. But what happens when that data is compromised, changed or deleted?

Like it or not healthcare delivery is more reliant upon technology today than ever before to diagnose, treat, observe, manage and monitor patients. A basic systems outage is enough to bring an entire hospital or clinic to its knees. Just look at what happened in the UK when Ransomware took down much of the NHS.

But our technology reliance is not just focused on IT systems any longer, there are a multitude of different Healthcare Internet of Things (HIoT) devices that we use to improve patient outcomes. All kinds of medical devices, from IMDs, to network connected pumps and scanners, to patient and nurse call systems, all of which are critical in direct patient care. And let’s not forget, that we cannot do without HVAC systems, elevators, power, water and other hospital building management systems, nearly all of which are now ‘smart’ and ‘connected’, often managed by business partners from thousands of kilometers away via the Internet.

What happens when these simple devices are attacked by extortionists and cyber-criminals? Does anyone even know how many HIoT devices are connected at each location, let alone when they were last patched and what security risks they pose to patients and to hospital IT systems? Just because they may be connected to an isolated network or VLAN doesn’t mean they are enclaved or segmented as far as security is concerned.

How can we gain greater visibility into what’s happening in our hospitals and become better prepared to defend ourselves from the next inevitable attack?

This was the subject of a recent presentation by the author to the HIMSS Australia Digital Health Summit in Sydney, NSW attended by many of the top thought leaders from across Australia, New Zealand and much of Asia.

“Richard
The Author addresses the HIMSS Australia Digital Health Summit in Sydney. Photo: HIMSS


Medical wearables could prove to be a valuable asset in the fight to prevent on the onset of disease. Diseases that by and large, are very expensive to treat. Primary care physicians have been urging us all for years for better preventative care, yet in many countries there is still a financial disincentive to go see the doctor or a specialist. In the United States where High Deductible Health Insurance pushes patients away from seeing their care team till they have met their often massive deductible before receiving any benefits, and in the developing world where the choice is sometimes to see the doctor or feed the family for a week. A trip to the doctor is also considered as being inconvenient and time consuming by many - even when there is no charge. What better then, than to automate the monitoring and well-being of patients using simple ubiquitous tools like an Apple Watch, or a Fitbit, something that avoids having to go see the doctor and actively engages patients in their own well-being.

An Apple A Day Keeps the Doctor Away

An old adage claims “an apple a day keeps the doctor away”. It may originate from the days of scurvy and a general lack of fruits and vegetables in people's diet, but maybe there is some truth to the saying in today's hi-tech healthcare world.

Can an Apple on your wrist keep the doctor away?

A recent HIMSS survey claimed that 64% of surveyed patients might be more willing to wear an Apple Watch or a medical wearable if it means fewer trips to see the doctor.

A similar survey of hospital executives from HIMSS and AT&T found 47% of hospitals are providing wearables to patients with chronic diseases and are also conducting remote monitoring via in-home medical devices and smartphone apps.

Is this the future of regular health observation and maintenance? My Apple Watch already reminds me to get up and walk about several times a day when I have been busy sat typing or in meetings. Will future versions also tell me to cut down on my carbohydrate intake and to look for a less stressful job based upon my diet, activity levels, and heart rate?

The big question is, to what extent can consumer healthcare data be trusted as being accurate and not fudged to reduce health insurance premiums, and what should our health systems do to integrate that data into our medical record?

“My
Australia's My Health Record.


In Australia the existing My Health Record (MHR) initiative will see the roll-out of new functionality in 2020 for apps to connect into the MHR. Australians already have the ability to view their complete medical record (unlike most other countries) so the hope is that this should be the primary place where Aussies go to check their healthcare activity and well-being. Its precisely this type of public-private partnership that will lead to improved patient outcomes and reduced spending on chronic diseases, or so its authors claim with some justification.

Consumer wearables like Apple Watches and Fitbits are just some of a huge wave of Healthcare Internet of Things (HIoT) devices that are being used to monitor, manage, diagnose and treat patients. In all but the smallest critical access hospitals, HIoT devices already well-outnumber traditional IT computers and other systems. The challenge for the industry is how to manage and secure such a broad range of fairly dumb devices at a time when the healthcare industry is under an increasing number of cyber attacks.



How should Healthcare Executives go about securing their HIoT?

Managing traditional HIT assets like servers, laptops and workstations is a touch job in a healthcare environment because of a lack of standardization and the need to run so many different versions of operating systems and legacy applications. Trying to manage hundreds of thousands of discrete HIoT devices is near impossible without the right tools. The first problem is that most healthcare providers have no idea how many devices they own, rent, or have connected to their networks, nor the risks that each of them poses to patient safety or other network assets like the EMR, so this is where we need to start.

The following workflow may be useful as a guide:

  • Identify Assets – Most hospitals don’t know what they have!
  • Risk Assess those HIoT Assets to NIST 800-30 or similar standards for compliance
  •      Identify CVEs and Zero-Days, any known patches and apply
  •      Beat up vendors for patches – some are better than others. Some are outright negligent. 
  •      With hundreds of thousands of devices you will never be able to regularly patch them all!
  • Identify and Map Legitimate Traffic Patterns – Ports, Protocols, IPs, etc.
  • Construct a 'Zero Trust' white list of usual traffic patterns so that anomalous activities can be flagged and investigated or blocked
  • Implement Micro-Segmentation as a compensating security control to protect patients and networks against devices that cannot be secured. Employ the Zero Trust white list to construct your NAC's Security Group Tags (SGTs) to automate protection.


What tools should you consider?

The good news is that this exercise is no longer a daunting labor-intensive manual process. There are first and second generation tools now available that can do this for you with varying levels of automation. Second generation tools like Cylera MedCommand, make extensive use of AI and ML to more thoroughly risk assess devices and seamlessly integrate to your existing asset management, GRC, SIEM and NAC technologies. Through a combination of passive and active security controls you can safely monitor and log traffic till you feel confident to turn your NAC to '
'active' or 'blocking' mode without having to worry that you may inadvertently isolate a device.



“Cylera
Cylera MedCommand.



'MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology.

The solution is built on Cylera’s 'CyberClinical' technology platform, which incorporates machine learning, behavioral analytics, data analysis, and virtualization techniques. Cylera has partnered with leading healthcare providers, experts, and peers to develop one the most comprehensive and integrated HIoT security solutions available for healthcare.

Learn more about Cylera's innovative AI based approach to medical device and other HIoT endpoint management or contact Cylera to schedule a conversation.