Who'd want to be a CISO?

Challenging job, but increasingly well paid

Hong Kong Crisis Easing

Capacity improvement measures beginning to have an impact

Security and the Board Need to Speak the Same Language

How Security Leaders speak to thier C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

Hong Kong Hospital Crisis Easing

Patients left in hallways due to overcrowding at Queen Elizabeth Hospital. Photo: Sam Tsang.

A capacity crisis in Hong Kong's hospitals is beginning to ease thanks to money being made available by the Government for an expansion of healthcare services to meet growing demand. This was the message I received during meetings this week with senior health leaders in Hong Kong.

Earlier this year Chief Executive Leung Chun-Ying promised that public hospitals would get an additional 5,000 beds and 90 operating theatres in the next 10 years as part of a HK$200 billion bundle of development projects. Those funds are now finally making it to where the money is needed.

Saint Teresa's Hospital, Ma Tau Wai.

The investment includes new construction and expansion at all Hong Kong public hospitals and in particular large redevelopment projects at Tuen Mun Hospital, Prince of Wales Hospital and Princess Margaret Hospital. It will also provide an additional 90 operating theatres increasing capacity by 40% across the territory and a significant increase in the number of medical school places to grow the physician population.

Investment also includes Childrens' Hospital at the former Kai Tak Airport.

The capacity crisis in Hong Kong is not too dissimilar to issues being faced by mature public healthcare systems across the world. An aging population of baby boomers is consuming more healthcare services, and spikes in demand for services during the flu season, which spreads quickly amongst Hong Kong's tightly packed population is combining with population growth fueled by immigration from Mainland China to excerpt pressure on the system.

This year's flu season coincided with the Health Authority’s decision to send 30 frontline doctors to Beijing to attend a one-week national education class left hospitals severely understaffed for the unexpected surge. Accident and Emergency services were running at an average 110% capacity with some hospitals at 130%. Lines formed out the doors of hospitals into the street and patients had to wait hours to be see.

The situation got so bad that an appeal went out to private physicians across Hong Kong to help out at public hospitals, and several private hospitals made available free or low cost beds to help with the overflow at public facilities.

Long wait times for patients. Photo Sam Tsang.

In meetings this week with the Hong Kong Hospital Authority I was told that while some of the larger projects would take many years to complete, capacity has already been improved at many public hospitals, and new measures put in place to reschedule non-urgent procedures outside of peak demand, especially during flu season.

Improvements in healthcare security are also being made but are being funded from other sources outside of capacity improvement measures. Hong Kong continues to lag behind the UK, US and Australia in its cybersecurity maturity and this will likely be another area of targeted improvement over coming years. Compared to the capacity and modernisation initiatives, cybersecurity remains however, a fairly low priority for now I was told.



Australian Healthcare Highly at Risk


Just learned that my interview with Nick Whigham at Australia's www.news.co.au has gone viral. The interview which was published last week, talks about the general state of security surrounding the Australian Healthcare industry and is based upon two weeks of workshops and other meetings I ran across the country in November with Senior Healthcare Executives.

The full article can be found here


Aussie Healthcare Scrambles to Catch Up

Assessing the cybersecurity outlook for Australian Healthcare.   Photo: Paul Carmona, Sydney.

Australian Healthcare providers are scrambling to defend against increasingly well-armed and financially-motivated opponents in the battle between good and evil going on across cyberspace. After years of staying out of the spotlight, healthcare is now being targeted by cyber gangs looking to get rich quickly, and foreign nation states seeking leverage over individuals.

Fifteen to twenty years behind other industries like banking and financial services, Australian Healthcare is suffering from a case of 'Too Little, Too Late' in its build-out and investment in robust cyber defences and is now beginning to pay the price.

Well publicised attacks against flagship hospitals such as Royal Melbourne and others have finally alerted the Australian general public and health system leaders alike, to the looming threats facing the healthcare sector. Its not just the big city hospitals either; ransomware and other cyber attacks have been reported right the way across the country and even in small GP practices in remote rural communities.

Theft of lucrative personal information and personal health information, especially as medical records go digital, is a rising threat, as is attack by ransomware and other forms of extortion.

Surveys suggest that presently most Australians are not that worried if their medical records go up for sale on the web, though most have not really considered the possible impact of identity theft. What is more concerning to Australians, is a denial of service attack such as ransomware, that could take critical systems off-line when needed to treat someone or to save a life. Most Aussies simply haven't given that much thought to the security of their medical records or a possible attack on their doctors office or local hospital. Very few people surveyed were even aware of the growing number of network connected medical devices and the threat they pose to patient safety.

These and other cybersecurity concerns have been the subject of discussions this week at executive workshops led by the author in a series of meetings with healthcare leaders stretching from Brisbane through Sydney and Melbourne to Perth. From State healthcare systems through to private providers and payers of health services, the message is pretty much the same. "We have failed to invest in information security in the way we probably should have over the past five to ten years", said one State CIO. "That includes technology infrastructure and the skilled resources to manage our security program."

While government Ministers stress the importance of making improvements to healthcare security, additional capital and operational budgets have not yet been made available to hospitals to make changes claimed the leaders of several hospitals in a workshop in one major city.

In a meeting with the leaders of one of Australia's largest private healthcare providers, the CIO acknowledged the critical need for improvements to be made to the organisation's security program, adding that security investments would probably have to wait till next year as he already had a heap of even more critical needs in front of it.

A stormy outlook has caused Australian Healthcare to play catch-up. Photo: Kieren Andrews, Melbourne.

The need for improved security to protect hospitals, doctors and patients from cyber attack is finally being recognised across the country, though it remains to be seen just how much of a priority it will be to secure patient health information, and prevent cyber attacks that compromise critical clinical information systems needed to treat patients. "It may take another one or two Royal Melbourne Hospital sized incidents before security gets the kind of funding and support that is really needed" suggested one healthcare senior leader who asked not to be named.


Kiwicon X

Kiwicon X, Wellington, New Zealand
Part hacker conference, part cult event, part rock concert; Kiwicon X fully lived up to expectations this week. Attendees were treated to an almost constant barrage of live hacks, demonstrations, presentations and more live hacks in the southern hemisphere's answer to Black Hat without the tackiness and desert heat of Las Vegas.

That's not to say that attending Kiwicon is in any way safer then Black Hat - leave anything electronic a mile away from the conference, and if you do take a credit card then make sure you have a lead-lined wallet to prevent it being inadvertently scanned by someone.

Live hack demonstration

Oh, and did I mention the plutonium or uranium brought on stage to demonstrate how to break cryptography in a presentation entitled “Radiation-Induced Cryptographic Failures and How to Defend Against Them.” Maybe the attendees dressed up in silver radiation costumes weren't exactly wearing 'costumes' if you know what I mean!

Laser light show, Kiwicon X Hacker Conference, Wellington, New Zealand

If the radiation didn't fry you and the pyrotechnics didn't burn you, then the lasers almost certainly blinded you - albeit temporarily! What a show!

Fireproof conference attire advised for anyone in the first 5 rows

With an opening presentation that could easily have been incorporated into an episode of the X-Files TV series, and other presentations that included "Hacking the Red Star OS" - North Korea's only approved PC operating system, and “Defending the Gibson in the Age of Enlightenment” I was never quite sure whether the coffee I was drinking had been spiked or not.

“The Truth Is In Here” by Metlstorm opening presentation

Kiwicon X was informative and entertaining on SO many levels!

The house was packed for nearly every presentation 
Despite a major earthquake that shut down Wellington not long before the conference and multiple aftershocks during the conference, the show was a great success.

Kiwicon X, Wellington, New Zealand

It was great to meet and chat with so many utterly smart if slightly deranged people. I hope to drop in again for another Kiwicon at some point in the future.

More lasers at the Closing Presentation


Light at the end of the tunnel for New Zealand Healthcare

Te Whanganui-A-Hei Marine Reserve. Photo: David Sutton.

Despite continuing austerity measures across the country, there is light beginning to appear at the end of the tunnel for New Zealand Healthcare. This includes a number of measures underway to expand capacity to reduce waiting times. It also includes some long-needed improvements to cybersecurity and privacy. This was the message I received during meetings this week with the New Zealand Ministry of Health in Wellington.

The Ministry of Health oversees some 20 District Health Boards each of which is responsible for administering the delivery of health services in their designated area. While some of the DHBs have pooled their resources for shared IT and security services, there are little to no common IT or security solutions across the entire country. Each board is free to do it's own thing we were informed. The result is disparate clinical and health information technologies across a sparsley populated country of just over 4.6m people.

Some areas of New Zealand appear to be better served by IT and IS capabilities than others, though common areas of concern appear to exist across all DHBs. These include the need for improved identity and access management, threat intelligence and security operations center expertise to identity and respond quickly to cyber attacks.

The greatest challenges however appear to be political in nature, in getting the DHBs to agree to common systems and processes or shared cybersecurity expertise for threat intelligence, security operations and incident response. While at the Ministry level this need seems to be recognised, the DHBs appear to be fiercely protecting their turf - at least for now!




Turning Cybersecurity into a Strategic Advantage


Most C-suite leaders think about cybersecurity as a way to stop threats. But in today’s intensely competitive digital economy they should be thinking about cybersecurity as a strategic advantage that not only protects business value, but enables new business value.

The prevailing focus on threats to protect business value isn’t surprising. Modern digital businesses go beyond traditional walls and spawn new attack vectors in today’s dynamic threat landscape. Businesses face a cybercrime wave that is increasing in intensity and sophistication. According to a recent article in Forbes, “Corporate and home computers have been hit with an average of 4,000 ransomware attacks every day this year, a 300% increase over 2015,” citing United States Department of Justice sources.

While we must continue to work diligently to protect valuable data and assets, to achieve growth, the biggest opportunity comes when we make cybersecurity a foundational component of our digital strategies. One of the biggest downsides to cybersecurity weakness is how it inhibits innovation. In fact, 71% of respondents in a Cisco survey said cybersecurity risks and threats hinder innovation in their organization.

Organizations that have any doubt about their cybersecurity capabilities delay important digital initiatives and risk falling behind the competition tomorrow.

As Mike Dahn, head of data security and industry relations at Square, Inc., put it in this Cybersecurity as a Growth Advantage report, “I think it’s really important that we stop thinking about security as a defense-centric approach that is sold by fear, uncertainty, and doubt. We need to start thinking of it as an enabler that supports innovation … and helps the business go forward.”

You know your organization is well-positioned to move forward when:
  1. You recognize that cybersecurity concerns can hold back innovation and hinder growth. While cybersecurity concerns can hinder the development of new digital business models and driving innovation, smart organizations realize they must move forward, or be left behind by digital disruptors and other agile competitors.

  2. As a business leader, you are much more engaged in cybersecurity issues than your typical peers. Sixty-six percent of Boards do not believe they are properly secured against cyber-attacks. (Source: Cybersecurity in the Boardroom, Veracode 2015). And, the Board, the CEO, and other key stakeholders likely hold you responsible for cybersecurity issues, even if you don’t hold an IT or technical role. That’s because the success of digital programs that are shaping the future of the business, is predicated upon strong security practices. As business leaders develop digital initiatives they proactively collaborate with IT to ensure that security is included in plans from the earliest stages.

  3. You believe your organization is prepared to address cybersecurity challenges in three key digital capabilities – Big data/analytics, cloud computing, and the Internet of Things (IoT). These capabilities are critical to digital growth strategies that depend on connectivity. The level of confidence you have in incorporating these digital technologies into your business processes and offerings allows you to accelerate innovation and time-to-market and capture a greater share of digital value at stake.
The digital era is here. Those who embrace it will have a competitive edge, but not without a secure foundation that allows innovation with speed and confidence.

Take time during this year’s Cyber Security Awareness Month to evaluate how you can turn cybersecurity into a strategic advantage. If you are not sure where to start, our Security advisors can help. If you are already on your way to a digital transformation, we can help you assess your readiness and work with you to design and implement a secure digitization strategy.



Guest Blog - written by my colleague and good friend, Ashley Arbuckle.  Ashley is Vice President of Cisco Security Services.  This blog is also published here.

Insiders: The often forgotten threat


Insider threats are of particular concern to organisations, as the impact of a rogue insider can be catastrophic to the business. The 2016 Verizon Data Breach Investigations Report showed that 15% of data breaches were a direct result of insider deliberate or malicious behaviour. Given that it is not likely that all insider breaches are discovered and/or reported, this number may well be under represented in Verizon’s statistics. In addition, insiders often have legitimate access to very sensitive information, so it is no wonder that it is difficult to detect these breaches. Regardless, they can negatively impact the business in a big way, and must not be overlooked.

As I speak to a lot of customers about this, I see views of insider threats vary considerably by industry vertical. For example, financial services and gaming companies see financial objectives as the main motivator; manufacturing/high technology/biotech see intellectual property theft as their biggest concern; and personal services store and process large amounts of personally identifiable information, which they must protect from insider theft. The unique challenge faced is that insiders are often more difficult to identify behaving maliciously as they are often misusing their legitimate access for inappropriate objectives such as fraud or data theft.

Strong user access policies are a key building block to a good insider threat management strategy. Regular review of user access rights, along with job rotation, mandatory leave, separation of duties, and prompt removal of access rights for departing employees have been the core of managing insider risk for many years. Once you have these key components in place it's time to go to the next level.

As with everything in security there is no single answer, and frankly you should question anyone that tells you they can fix all of your security problems with one service. To reduce the risk of the insider threat, I would suggest the following strategy:

1. Classify your Sensitive Data.

This is the most critical step and often difficult as this requires the technology team and the business to align in order to classify what data is sensitive and to ensure there is consistency in the classification strategy. Remember to not boil the ocean; this step should focus solely on identifying sensitive data that could effect the business should it be stolen. Carnegie Mellon University has a good example that can be adapted to most organisations.

2. Implement a Protection Plan

a. Instrument the network....
so you can detect atypical accesses to your data. To validate if your instrumentation is setup correctly, you should be able to answer the following questions:

  • Have new users started accessing sensitive data?
  • Have your authorised users accessed more sensitive data than usual?
  • Have your authorised users accessed different groups of sensitive data more than before?
Many fraud management professionals would recognise these questions as lead indicators of possible fraudulent activity, and astute HR professionals would recognise these as possible lead indicators of an employee about to leave the business. Both of these scenarios are very typical lead indicators of insider data loss. You should try to make use of fraud management and HR personnel to assist you in determining what to look for and actions you can/should take when you detect a possible insider incident.

Data flow analytics may also assist from the technical side as well. Cisco Stealthwatch uses NetFlow to build profiles of expected behaviour for every host on the network. When activity falls significantly outside of expected thresholds, an alarm is triggered for suspicious behaviour. Data hording is one typical use case where data flow analytics detects anomalous behaviours. For example, if a user in marketing usually only accesses a few megabytes of network resources a day but suddenly starts collecting gigabytes of proprietary engineering data in a few hours, they could be hoarding data in preparation for exfiltration. Whether the activity is the result of compromised credentials or insider threat activity, the security team is now aware of the suspicious behaviour and can take steps to mitigate it before that data makes it out of the network.

b. Data Loss Prevention software...

or DLP as it is more commonly known, is software that monitors data flows much like an IPS as well as monitoring data usage at the endpoint. Network DLP uses signatures like an IPS, but the signatures are typically keywords in documents or data patterns that can identify sensitive data. Endpoint DLP can be used to control data flow between applications, outside of the network and to physical devices. This becomes especially important if there are concerns about sending data to external data storage systems (Google Drive, Box, SkyDrive etc.) or to USB attached storage. DLP can control access to all of these systems, but it is a matter of policy and vigilance as new capabilities are released at the endpoint.

There is a lot of skill in effectively setting up DLP software and much of the complaints about the lack of effectiveness of DLP comes down to a lack of proper data classification and poor DLP software configuration. There is also an argument that network DLP is losing relevance with the increasing amount of encryption of network traffic. This is certainly true and enterprises need to have SSL interception properly configured to maximise the effectiveness of their DLP investment. Still not all traffic will be able to be decrypted and you must determine whether your risk appetite will allow for users having encrypted communications you cannot monitor. This is not exclusively an IT decision, but one that needs to be decided by a well-briefed executive.

c. Network segmentation....

is unfortunately something that is often not done well until after a security breach. One of the benefits of a properly segmented network is that a malicious insider keeps bumping into network choke points. If these choke points are properly instrumented then alerts flow to warn of potential inappropriate access attempts. This gives the defender more time to detect and respond to an attack before sensitive data leaves the network. For example, if your Security Operations Centre (SOC) observes a user in Finance trying to access an Engineering Intranet server then you should be raising an incident to address why this user is trying to access a server that most likely holds no relevance for their job function.

3. Honeypots

These are one of the more controversial strategies that may not be for everyone. The honeypot should be setup with decoy data and a similar look and feel to the production environment. The decoy data needs to look authentic and the knowledge of the existence of a honeypot needs to controlled on a need to know basis. The great advantage of a honeypot over other technical strategies is that all traffic that goes to the honeypot can be considered malicious and by its very nature as the honeypot has no business relevance. The honeypot is only there to trap those that could be looking for sensitive data inappropriately. I have found it useful in the past to use the same authentication store as the production environment so you can quickly see which user is acting inappropriately, or you may have an external attacker using the legitimate credentials of an insider to hunt for sensitive data. Either way, you need to act quickly and deliberately to head off possible data loss. Like every data loss scenario you need a robust process for managing these incidents types.

4. Use of non-core applications, especially social media applications

There has been an explosion of social media applications in recent years ranging from Skype, WhatsApp, QQ, WeChat, LINE, Viber and many others. Businesses are worried that their staff are using these applications to send sensitive data out of the business. These applications are often used for business purposes and depending on the sensitivity of the data this may be considered inappropriate behaviour. Our favoured strategy is to use some of the recommendations above, classify your data, and instrument the network to look for inappropriate use. But, from the user’s perspective, they are trying to perform their job in the most efficient manner and no one wants to discourage “good behaviour!” If there is a legitimate business use for a social media application, we recommend that a corporate social media application be deployed so staff can be efficient in their job. Security needs to enable users to get their job done and not hold up business progress and increase business complexity. Additionally, users must understand the ramifications of their actions and know what data can be sent externally and what cannot leave the organisation without appropriate protections. Education is the key to achieving an effective balance and reminders, like a “nag screen” that alerts the user that they are accessing sensitive data can reinforce the user’s training. Document watermarks and strongly worded document footers about the document sensitivity can also serve as another valuable reinforcement.

5. Hunt for caches of sensitive data

You need to have the ability to hunt for caches of sensitive data – one phenomena that that our security consultants see time and again is that people have the habit of creating a cache of sensitive data to steal before they send or take it out of the organisation. This is true not just for insiders, but often with external attackers that are preparing to exfiltrate data. Our consultants use endpoint tools to look for caches of documents in user directories, desktop and temp directories as the most common places to find document caches. Often the documents will be compressed into an archive such as a ZIP, RAR or GZ file for quicker data exfiltration and to avoid tripping the DLP keyword filters. Whatever tool you use to hunt for data caches it must be able to return the name and type of documents when it does its scans. You should select a tool that can hunt on the basis of a threshold of data volume and be able to dynamically tune the amount. Some of the more sophisticated DLP solutions can implement this functionality also.
Complexity is the arch nemesis of a good security program

Like every good superhero we have our arch nemesis, and this is often the complexity of our security environment and not the bad guys that are trying to compromise our networks. The 2016 Cisco Annual Security Report recently found the average number of Information Security vendors in enterprises was 46! A shocking number, but one which goes to show that there are a lot of point products in this industry.

One of the constant comments from our customers is “can you make all of these products work together?” We hear you, and recommend that when you are devising your strategy to combat the insider threat that you also consider that the output from these controls is going to have to be acted upon, and you cannot continue to overburden the existing SOC team. We recommend that you review how the insider threat strategy will integrate with your existing threat management process and platform as a key consideration before you get involved in the “speeds and feeds” bake offs with products.

We hope this blog has given you some ideas about key strategies you can deploy to prevent, detect and respond to insider threats. If you would like to learn more about how to get started, Cisco Security Services can work with you to conduct an Intellectual Property Risk Assessment to get a full view of insider threats in your business and can assist with designing a custom strategy to address these threats.

Guest Blog - written by my colleague and good friend, Mark Goudie. Mark is Principal and Director of Security for APJC at Cisco.
 

The 'Senior Cyborgs' are Coming!

Richard Staynings and other panelists at the Louisville Innovation Summit

The Silver Tsunami of Baby Boomers hitting retirement by itself would be enough to worry the most well prepared healthcare system, however in the United States, rising healthcare delivery costs and little to no change in the number of professional caregivers is putting the system under never before seen pressures. Everyone is looking to provide more cost-effective ways to provide care and keep people independent, safe, happy and healthy at home, and that was the focus of a panel discussion at this week's Louisville Innovation Summit.
Senior Cyborgs & the Rise of Digital Health
The session discussed the evolution of disruptive digital health technology, a new force of digital caregivers and the entrepreneurs that are changing the way care is delivered. The audience learned about new technologies to deliver care to the elderly, to monitor and assess their condition, mood and well-being as indicators of onsetting medical conditions, and some of the technologies that will enable the elderly to stay in their homes rather than in much more expensive and often despised elderly residential care.

However with increased adoption of clinical alerting and other medical technologies being sent home with post-acute patients, combined with an ever-increasing number of across-the-shelf health monitoring and tracking systems filling homes, the bigger question, which unfortunately often goes unanswered, is how can this ever growing mass of medical devices be secured. The confidentiality, integrity and availability of medical systems and the protected health information that they produce needs to be secured in the home just as it would in a hospice or hospital. This lack of security confidence has in many cases slowed the adoption of technologies that enable patients to spend their twilight years in the comfort of their own homes. It appears then, that security is the primary key to unlocking the doors to what the elderly are asking for and what Medicare Administrators would prefer to fund.

One other key that appears to be required however, is the need to change healthcare payment models for both private and government funded programs such that providers can get paid for community-based care. The panel agreed that current payment and reimbursement models are hugely out of date and this is one of the reasons why the United States lags the rest of the developed world in its adoption of cheaper and more convenient telehealth and telemedicine.

Other areas of discussion focussed upon the need to improve the interoperability of digital health systems, such that meaningful data and meta-data can be better exchanged between providers with different EMRs, and other clinical information systems. We heard that the industry itself has made some strides towards this, but competitive business practices have failed to break down the proprietary data formats used by different HIT vendors. Government will probably need to take a bigger role in mandating common data formats so that meaningful use can be fully achieved.

Read more at TechRepublic and at grandCARE both of whom also reported on the session.

Taiwan National Day

Richard Staynings
The Author pictured here with Ambassador Zhang Chu Zhang

I was privileged to be invited to celebrate Taiwan National Day this year with an assembly of Ambassadors, Senators, Congressmen, State Representatives, Mayors, retired Generals and other US military personnel who served in the 1950s and 60's protecting the country at the height of the Cold War.

Economic, political and cultural relations with the Republic of China (Taiwan) have never been higher. Great to meet everyone and a very happy Taiwan National Day.

GA HIMSS 2016

Cybersecurity was the topic de jour at the GA HIMSS Annual Conference in Atalanta this week as the author co-hosted a session with Dmitry Kuchynski of Cisco on the cyber threats and possible mitigations impacting hospitals, clinics and primary care facilities.

Richard Staynings and Dmitry Kuchynski received a warm welcome @ GA HIMSS

In attendance were an assembly of healthcare CEOs, CIOs, CISOs and other executives all keen to learn about the latest cybersecurity trends and threat intelligence, along with any tips, tricks and help they could receive towards planning an approach to protect their institutions and patients from cyber attack.

Healthcare organizations are being actively targeted by cyber criminals for the wealth of easily stolen PII and PHI information, and the relative ease at which healthcare networks can be attacked and breached. Hospital networks were designed to facilitate universal access by clinicians and support staff with little to no network or user segmentation. The result is that once the perimeter is breached, hackers enjoy universal access to virtually all information systems.

Ransomware was a big concern of attendees

The recent epidemic of ransomware which has plagued many US and overseas organizations over recent months was a huge concern to most attendees who wanted to know what they could do to protect against a ransomware attack on their institution.

While there are claims that ransomware is being used to target a specific company, health system or industry, that fact is that most ransomware attacks are indiscriminate in who and what they attack so long as the attack could generate payment for the perpetrators.

According to Cisco research, the Angler ransomware campaign alone resulted in over 300 ransoms being paid each day until Cisco and international law enforcement took down the criminal gang responsible. The gang was netting over $34m USD per year, which goes to show just how lucrative ransomware can be....for a while at least!

So was converging biomedical networks

Converging biomedical networks and the rapid growth of network-connected medical devices was similarly a huge concern for attendees representing hospitals and clinics, where the number of biomedical devices is growing exponentially.

Medical devices are just one aspect of a growing number of IoT devices attached to hospital networks that cannot be managed by group policy and other common tools for securing endpoints. Each medical device is proprietary to its vendor and many single-vendor systems can be incredibly unique. Despite guidance from the FDA and other bodies, both vendors and hospitals have been slow to tackle the medical device challenge as a previous post has examined.

Cisco has been helping many of its healthcare customers to manage and contain threats to medical devices and other IoT network-attached devices like hospital and clinic building management systems, by use of network security segmentation. By locking down access to and from medical devices on a least-privileged / zero-trust basis, segmentation helps to control the who, what, why and where of access to these largely unprotected endpoints, as well as containing any malware outbreaks to affected subnets - thus preventing a full system outage as some hospital systems have suffered recently.

With attacks against healthcare organizations on the rise, the industry faces some tough challenges over the coming years to balance the need to treat patients with the increasing need to invest heavily in security to protect those patients, and at the same time that reimbursement rates for treatment is declining. Regardless of whether healthcare institutions are being targeted for cyber attack or not, the fact is, that they represent a treasure-tove of valuable information for theft or extortion, and most are largely unprotected today.

As cyber criminals turn their collective attention to the easy money of ransomware, payers, providers, research and pharmaceuticals will increasingly come under attack. Putting in place modern day defenses like security segmentation is not something that can be done overnight. Developing a strategy and approach to cope with the new realities of conducting business today, is something that requires expert help and planning, and most importantly some lead time. All the better then to start that process now, rather than when under cyber attack where risks to patient safety go through the roof.



Postscript: Medical device security has been examined extensively in this blog and the need for adopting a different approach to securing healthcare data, and devices discussed widely. IoT security was also the subject of a recent HIMSS Security Community webinar given by the author.


Security in Healthcare: Bolstering Connectivity and Protecting Patients

http://pubs.cyberthoughts.org/2016-Security-in-Healthcare-Bolstering-Connectivity-and-Protecting-Patients.pdf

Connectivity and the Internet of Things (IoT) are pushing the boundaries of healthcare treatment. Medical professionals can access patient data and real-time health status in a way that can dramatically enhance their understanding of the progression of a disease and improve their response to patient health incidents. Medical equipment can automatically identify system failures and even generate maintenance tickets. Remote treatment allows doctors and patients to communicate no matter where they are.

But this connectivity comes at a price. More devices and more communication increase the opportunities for attackers to breach defenses. On the one hand, the healthcare industry has been resistant to changes because it fears that interfering with critical systems could harm patients. On the other hand, not investing in security may not only affect patient healthcare if systems are disrupted but also injure well-being if their private records are stolen............ (read more)

Cisco 2016 MCR


Cisco’s 2016 Midyear Cybersecurity Report is released this week presenting the latest research, insights and perspectives from Talos and the rest of Cisco Security. It updates security professionals on the trends covered in Cisco’s previous security report while also examining developments that may affect the security landscape later this year and beyond.

The report highlights recent developments from the dark net and within the shadow economy, that cybercriminals have become even more focused on generating revenue. Ransomware has become a particularly effective moneymaker, and evidence suggests that enterprise users appear to be the preferred target of some operators. The report dissects observed ransomware techniques and operational trends and goes some way to predict the next wave of ransomware development. Furthermore, it examines the many ways organizations can and should take action to start improving their defenses. This includes the following recommendations:

  1. Instituting and testing an incident response plan that will enable a swift return to normal business operations following a ransomware attack 
  2. Not blindly trusting HTTPS connections and SSL certificates 
  3. Moving quickly to patch published vulnerabilities in software and systems, including routers and switches that are the components of critical Internet infrastructure 
  4. Educating users about the threat of malicious browser infections 
  5. Understanding what actionable threat intelligence really is 
The sad fact is, that attackers currently enjoy unconstrained time to operate. Their campaigns, which often take advantage of known vulnerabilities that organizations and end users could / should have known about and addressed, can remain active and undetected for days, months, or even longer.

Defenders, meanwhile, struggle to gain visibility into threat activity and to reduce the time to detection (TTD) of both known and new threats. They are making clear strides but still have a long way to go to truly undermine adversaries’ ability to lay the foundation for attacks - and strike with high and profitable impact.

Read the full report here

Ransomware – a wake up call for effective security controls

“The digital canary in the digital coal mine”

A “canary in the coal mine” is an idiom that refers to an early warning sign for upcoming trouble.  This comes from the day when there was no technology to detect leaks from unseen pockets of toxic gas in the rock of a coal mine. Canaries are more sensitive to the toxic gas in the mines than humans so miners used to take poor canaries with them as an early warning sign of toxic gas. If the canary is on the bottom of the cage it’s time to get out of the mine FAST! So how does this relate to ransomware – bear with me for a while and I will explain how ransomware is the early warning sign that security threats have a free rein in your environment.

Ransomware is big business today. Ransomware miscreants encrypt a victim’s files and only provide the decryption keys after the victim pays the “ransom”—usually in the vicinity of $US300 to $US500. Unlike most other online crimes that target businesses exclusively, ransomware impacts end users directly. Ransomware campaigns are not discrete about their victims as this is a volume game and the bad guys will attempt to compromise tens of thousands of victims per day whether they be a grandparent at home looking at photos, or a corporate banker making billion dollar deals. The pay day for their efforts can be staggering. Cisco recently worked with Level 3 Threat Research Labs to disrupt an Angler exploit kit botnet which Cisco estimates to have be earning at least $US30M annually and I hope this disruption hurt the bad guys.

The effectiveness of Ransomware can be seen in a recent CERT Australia survey where 72% of companies reported malware incidents in 2015 which has more than quadrupled since 2013 (17%). 72% of respondents also stated that Ransomware “is the threat of most concern”.  These figures are staggering when the survey is targeting corporations and it’s not surprising as I have seen ransomware execute and encrypt data on ASX Top 200 companies' systems and Fortune 100 enterprise servers as well as our relatives' laptops.  Quite frankly, ransomware is everywhere and one of the key reasons why it’s a huge concern is that signature based anti-malware products such as anti-virus are mostly ineffective as ransomware is written and tested to avoid detection by AV products and the signatures can change hundreds of times in rapid succession.

Now let's get back to the “canary in the coal mine” analogy.  I believe that the most troubling aspect of ransomware is NOT its effect on the end user, but more that it is so incredibly effective in:
  • Penetrating corporate network perimeter defences
  • Able to execute as a new process on a victim machine
  • Call out to a server on the Internet to download an encryption key (refer to the update below)
  • Typically, the first time anyone detects the malware is because their work files (or cat videos) cannot be accessed because they are encrypted

I often get asked “can you restore my files?” Unfortunately, the answer most often is “No”. Ironically most ransomware uses strong and well implemented cryptography and it is not economically or technically viable for anyone to attempt decryption. The point here is that we need to move on from believing all attacks can be prevented; we also must realise that attacks must be detected quickly to prevent damage to the business. The fact that most attacks are not directly detected by the victim, but by the action of the external party (encrypting data) is what really troubles me as a security professional. Security controls should be preventing as close to 100% of attacks as possible, but there remains a fraction of successful attacks that we must detect and respond to before significant damage is done to our businesses.

I think we should be closely looking at the lessons we learn from ransomware to show us how effective our security preventative and detective controls are, and how they have failed. Every time ransomware is able to execute and encrypt data, our preventative controls have failed. We can use this incredibly destructive and annoying malware as a tool to learn about the shortcomings of our security program, or the digital canary in the digital coal mine (when the canary is dead it’s time to evacuate) so we can:

  1. Prevent and detect more ransomware and other malware incidents
  2. Be better able to defend our enterprises against more skilled and determined attackers such as organised crime and nation state funded actors
The point is that if ransomware can operate in your environment then there is little hope you have of being able to defend against the more skilled and determined attackers. The critical questions that must be answered is “how did the ransomware get through my perimeter controls?” and “how was it able to execute and encrypt data without being detected before a victim loses access to their critical business documents (and cat photos)?”

Detecting a threat in the environment is critical to minimising the damage malware does in the network, which is why we need multiple layers of controls to protect. We should not get too far into the preventative controls here, but like our mothers used to tell us “An ounce of prevention is worth a pound of cure” (my mother never went metric). There have been PLENTY of articles written about preventing ransomware and other malware so I do not want to rehash what has already been done. If you want to look for articles on prevention I suggest you have a read of the Cisco Talos blog “Ransomware: Past, Present, and Future”.

One last word on prevention, before we move on to what we are here for. There’s a simple to deploy technique that is being overlooked by most information security professionals – blocking DNS lookups of known malicious sites. Cisco acquired OpenDNS in 2015. One of OpenDNS’ main functions is to provide a safe DNS infrastructure for name resolution services. The differentiator with OpenDNS over many standard DNS services is it provides protection by blocking name resolution for known malicious domains. The reason blocking DNS lookups for ransomware is effective, is that most, if not all, ransomware uses a multi-stage attack where an email is typically used to deliver the payload and when the payload executes it calls crypto.evil.com (for example) to generate an encryption key. Yes, it is not perfect as we are playing catch up, and would be preferable to prevent the initial infection, but if you don't get your data encrypted we can call that a win!  More details of this functionality can be found here.

Now lets get to the crux of concept of the canary in the coal mine analogy. What I’m trying to say is that the presence of ransomware is an indicator of bigger problems. You can think of ransomware as the (unfortunately) dead canary on the bottom of the cage that has detected the gas leak. I believe that you should be looking for the root cause of the ransomware incident rather than concentrating on your canary problem. Root cause analysis will show how the ransomware got into the enterprise and when you can understand that, you can start to fix the problem. Please do not go and buy a shiny new security object to fix the security problem before it is properly understood. Without fully understanding the problem you may be fixing something that will not improve your security posture commensurately. We all have the shiny object syndrome, but choose your time to act and resist the pressure from your peers as much as possible.

Consider the points I made above about:
  1. Malware (typically) comes into the network through the corporate email system
  2. Unknown software (ransomware) being able to run without human intervention on one of your corporate systems inside the corporate boundary
  3. Then connects to the outside world through your corporate proxy server, IPS and firewall(s)
This is remarkably like the tactics used by nation state attackers when setting up their beachhead inside the corporate boundary before stealing your intellectual property.

Starting to smell rotten eggs now? This is the real reason why we are so concerned about where ransomware can run, because if ransomware can run, so can nation state attackers and they can do a far sight more damage to your business than encrypting a few files. The typical motivation of nation state attackers is to steal your intellectual property, pricing information, customer data et. al. for the financial benefit of their own country.

This brings into a stronger focus the benefits of doing a proper root cause analysis of the ransomware incident as it’s not just about the one, two or more systems that run the latest ransomware variant and cause the ensuing mayhem of trying to minimise the damage and recover the data.

If you have planned ahead and have decent backups of your critical data (kudos to you if you have), then you don't need to get too spun up about the effects of the ransomware and the recovery is pretty straight forward. Make sure you learn the lesson that the ransomware incident has taught you. Find out how the ransomware got inside your organisation, and put in better controls to stop it happening again, or at least minimise the chance of it happening again (there’s no panacea for all ransomware). Then work out what it did on the endpoint and build a strategy for stopping from that happening again.

Next is to look at the network communications and determine how you could have a) disconnected it (e.g. blocking DNS calls to known malicious domains); or b) detected it earlier to minimise the damage.

One of the key differences between nation state attackers and the cybercriminals behind ransomware is the end goal. Cybercriminals are after money and typically the faster the better, whereas nation state attackers are playing the long game and looking for the data of choice. They want to maintain access and stay in your network for the long term, whilst extracting the data that they are looking for. Nation state attackers move laterally, hopping from system to system, looking for the data that they have been tasked with finding, and acquiring the administrator credentials often necessary to get access to this data. All of these actions have signatures, or indicators of compromise that you can detect with the right tools.  If you have not looked for them, or had a skilled team working on your behalf, you might be shocked at what you discover.

The objective is to learn from the incident and make continuous improvements to your defences and detection capabilities. If ransomware can run in your environment, then so can the tools that nation state attackers use, and this is a cyber arms race against attackers, whether they be nation state, cybercriminals, or activists with a keyboard. So when you realise that the adversary is continuously improving their tools and techniques (as recently demonstrated by the cybercriminals and their ransomware campaigns), then you had better be doing the same to maintain your edge so your business can survive.

Remember that ransomware, whilst annoying and inconvenient, is just the canary in the coal mine. If your yellow bird is on the bottom of the cage, you’ve potentially got bigger problems.

Update: 20 July 2016

A new version of the Locky ransomware operates in offline mode so does not need to call back home to get encryption keys. Read the following PC World piece for more details.


Guest Blog - First published by my colleague and good friend Goma  and inspired by the Western Australia outback - not that there are many canaries there!

The Changing Face of the Healthcare Security Leader




If you worked with just about any hospital or healthcare provider a mere ten years ago you may have come across the Information Security Manager, Director of Security and Compliance, or someone who filled this role under another title. Their role was to lead ‘IT Security’ and manage a small staff of security administrators or analysts, whose role in turn, was to provision users to systems, and troubleshoot access problems. The team would also occasionally check firewall and other security logs when time permitted, amongst a myriad of other tasks and responsibilities, including vulnerability testing and HIPAA and PCI self-assessments.

Healthcare security teams usually were (and still are) smaller, less skilled and poorly paid compared to their peers in other industries. Their need to be generalists prevented the development of specialists with deep technical security skills. Security was often an afterthought in IT architecture or development conversations, and usually seen somewhat negatively as being an obstacle to the release of new systems or feature improvements to older ones.

The security leader, even if they had a ‘CISO’ title, often reported into IT, usually below the CIO, CTO, or someone even more detached from the Board. The conflict between IT’s mission to provide technology systems for users, versus security’s mission to protect the enterprise was very apparent. Security usually lost most battles with IT, and with end users. Rebellions were commonplace against improved user security controls, even for something like the implementation of complex passwords rotated every 90 days - things we take for granted today. A mere ten years ago healthcare was a living bastion of the past. A loud and vociferous user base dominated by Physicians happy to take their complaints directly to the Board, or to threaten to take their business elsewhere ensured that nothing was put in the way of patient care – even a password! Such was the power that Physicians wielded.

Security was usually funded with whatever was left over or could be spared from the IT budget. Consequently it was seen as a drain on new tools and improved functionality for users. Whatever security received, it was usually way too small to do much with.

Occasional vulnerability and penetration testing along with compliance assessments against HIPAA, PCI and security frameworks like ISO and NIST were duly reported to CIO, CTO, or the designated compliance officer, complete with a list of identified gaps. However remediation of gaps was usually given little priority compared to the IT mission to build and release new application functionality “required” by the business. That is, a business, run and largely controlled by clinicians and a business focused more or less solely on providing patient care.

It was doubtful that the hospital or healthcare Board of Directors was ever provided with specific details of any such security audits or assessments, merely informed that the Covered Entity was compliant with HIPAA, PCI and any other regulatory requirements (if the subject came up at all). The security leader had no direct access to the Board, and was considered too junior to address these chieftains in person. Even if offered the opportunity, the security leader would probably talk in a language that the Board wouldn’t understand. Security Leaders were largely kept in the shadows, their message relayed and filtered by the CIO or CTO.





Today’s Healthcare Security Leader
Move ahead ten years and the picture has begun to change. Larger healthcare providers have an executive level security leader, or even a Chief Information Security Officer (CISO) who, while they may still report to the Chief Information Officer or Chief Compliance Officer, will have a seat at the table for Quarterly Board Meetings and may now chair sub-committees on security, privacy and compliance.

Security is now recognized as one of the most important enterprise risks by healthcare Boards of Directors. Media fixation with security breaches at other provider or payer organizations, complete with news of fines, penalties and reciprocity to patients whose information may have been disclosed, has ensured this. So too has media attention to ransomware outbreaks at health providers and the encryption of hospital data and IT systems needed to treat patients. Such is the power of the media, and the impact to business revenues and reputation when security incidents occur.

This increased focus on security by the Board, is leading to demands for not only regular situation reporting on security, privacy and risks from the CISO, but also reporting from the CTO, COO, CFO and CEO on what is being done to address identified risks. In the course of ten years, Security Leadership reporting has gone from almost unnoticed to 'center stage'.

In fact, corporate boards are now in some cases directly appointing external highly experienced CISOs to lead security and to act as change agents across the organization. These 'Change Agent’ or 'Advisory' CISOs are often brought in from leading security organizations like Cisco or the Big 4 audit firms, and are deployed for a finite period of time in order to achieve rapid advancement in the security, risk, and compliance posture of the organization to satisfy its board.

Despite this recent focus, according the Cisco Security Capabilities Benchmark Study (PDF) healthcare organizations are still not implementing as full an array of strong security defenses as organizations in other industries. Furthermore, the report claims that healthcare organizations are more likely than those in other industries, to try to manage their security needs internally instead of outsourcing services such as monitoring, incident response, remediation, and auditing. This slowness to embrace expert services in key specialty areas, may account for the recent spike in healthcare breaches as hackers focus their attention on easy targets.

The same survey also indicated that CISOs tend to be more optimistic than their SecOps colleagues about their security protections. It could be that as security leadership gets further away from the hands-on defense of the realm, so too does their realization of the ability of healthcare, to respond to a threat landscape that changes almost daily. Healthcare is after all, under attack as widely reported in previous articles and publications!

Given the scarcity of security resources, and the ability of healthcare to attract and retain such professionals in a highly competitive market, this is hardly surprising. According to Cisco’s 2015 Mid Year Security Report there is now a 12x demand over supply for qualified or experienced security professionals, and despite limited success to hire or grow additional security resources, healthcare simply cannot onboard enough security staff to defend itself against current attacks.

The result is that many healthcare providers are now looking at ways to maximize the effectiveness of their limited security staffs, by consuming managed security services for much of their security operations threat detection (PDF) and incident response (PDF) in order to free up security team members for higher value tasks.

This change in focus was recently identified in the Cisco2016 Annual Security Report.

As security professionals become aware of threats, they may be seeking ways to improve their defenses for example, by outsourcing security tasks that can be managed more efficiently by consultants or vendors. In 2015, 47 percent of our surveyed companies outsourced security audits, an increase from 41 percent in 2014. Also in 2015, 42 percent outsourced incident response processes, compared with 35 percent in 2014. (See figure below)

In addition, more security leaders are outsourcing at least some security functions. In 2014, 21 percent of the survey respondents said they did not outsource any security services. In 2015, that number dropped significantly, to 12 percent. Fifty-three percent said they outsource services because doing so was more cost-efficient, while 49 percent said they outsource services to obtain unbiased insights.




While healthcare security leadership and better visibility has greatly improved the size breadth and expertise of security teams, it has by and large, made only limited advances to overall security, fueled in part by limitations on security budgets and the availability of additional or specialist security professionals. At the same time, the enormity of the threats leveled against healthcare payer, provider and pharmaceutical organizations has grown exponentially, creating further gaps in security. The need for security leaders to evaluate security needs holistically and to spend money wisely is perhaps more important now than ever before.

Information Security is also not immune to the ‘Do More With Less’ mantra that is affecting all areas of business, and must be creative in how it allocates its resources, and selective where it spends its money. Looking for opportunities to improve efficiencies while at the same time improving the probability of security outcomes, is now the new ‘modus operandi’ for security leaders.





Tomorrow’s Healthcare Security Leader
The security leader of tomorrow will be an executive in charge of his or her own budget, staff and the procurement where it makes sense, of vendor provided security functions that can be consumed as a service, often better, cheaper and faster than developing or running these from within. In the same way that the cloud has changed application development and the internal data center, so too will the consumption of security services.

Tomorrow’s security leader will also more than likely be titled ‘CISO’ or some other ‘C’ level derivative, fulfilling the role of information security leadership and governance. They will likely report outside of IT to the COO, CFO or directly to the CEO. They might even sit at the right hand of the CEO in Board meetings, and will be instrumental in helping to maintain the confidence of the CEO in the eyes of the Board.

During the dot-com bubble we used to talk of an ‘Internet Year’ being nothing more than a few months or weeks. Its not surprising then, that in the period of a mere ten solar years, the role of the healthcare security leader has evolved an ‘Internet millennium’.

Given the almost exponential change in cybersecurity, how many solar years will it take for the healthcare security leadership role to evolve another Internet millennium?

What cybersecurity event or series of events will accelerate this shift in paradigm – of not just security leadership and governance, but also healthcare security posture and spend?

Will it require a hospital system to be sued out of business following a massive breach of patient, financial or other critical healthcare information? Or will healthcare leadership pro-actively address its business-life-threatening risks before its too late?




This blog is also posted to http://blogs.cisco.com/security/the-changing-face-of-the-healthcare-security-leader

OISC

Richard Staynings keynotes at the Ohio Information Security Conference
Richard Staynings keynotes the Ohio Information Security Conference

We need to get out of the reactive security operations mode that many organizations are stuck in. We need to get away from checking 'after-the-fact' logs of security events that tell us we were hacked over the weekend when no one was watching, and the perpetrators are now long gone. Oh, an incidentally, they got out with a whole heap of valuable information that is going cause the CEO to have to personally apologize to shareholders and to customers.

That was the message I gave to attendees during my keynote at the Ohio Information Security Conference yesterday in Dayton, Ohio.

We need to understand where our organization is from a operational security maturity and build a plan for the CEO to take us from a 're-active' posture to a 'pro-active' one using better tools than legacy SIEMs and log aggregators, to ones using big data, holistic monitors and threat intelligence. We need to get away from allocating a third of an FTE to managing the security operations of the organization to a 'round-the-clock' team of pro-active threat hunters or a managed service that can do that for us cheaper, better, faster using a leveraged resource cost model.

Just because additional budgets have not been assigned to improved security, doesn't mean that as technology or security leaders its not our jobs to assess, plan and design what is needed to protect the enterprise. Its our responsibility to make recommendations to the CEO so that the Board can make a well-informed decisions on risk - whether to accept, mitigate or transfer that risk. Regardless of whether our recommendations fall on deaf ears or not, and regardless of whether they result in improved security budgets, we have done our job as security leaders and covered our backsides. You can't do much more than that!

The 2016 OISC was help in Dayton Ohio this week















Thanks also to ‘TechnologyFirst’ for organizing the event, along with all the sponsors for making it such a success. I wasn’t able to attend all of the presentations, but those that I did, were top notch, well thought-out, very insightful, and highly educational - even for those of us who have been playing in the security sandbox for many years!

There was hardly an empty seat in the house! And that, despite the competition from Bill Clinton, who was presenting at a political event just down the street. I’m sure the entrance price for the OISC was considerably better value however, than the ‘donation’ required to get you in front of Bill!

For those who asked, I have made my presentation available for reference. You can either view the slides using the built in slide viewer or can download a PDF.

Just How Secure is Healthcare?

Richard Staynings Interview
HIMSS Interview with Richard Staynings

During HIMSS 2016 in Las Vegas I was interviewed by the press for my thoughts on the cybersecurity risks now facing the healthcare industry, and how effective healthcare boards were in managing down these growing risks to their business. While some of the content was broadcast, the following is an edited transcript of the full interview:


 Interviewer:
Welcome.  I'm here with Richard Staynings, Security Principal and global leader of cybersecurity for the Healthcare Industry at Cisco. Richard is a respected thought-leader in healthcare security and is here at HIMSS with us today.


Richard, I know that you're on a journey talking with healthcare executives and their boards about cybersecurity risks, threats and security best practices, but how receptive, and how aware is the industry to your message? What level of awareness and understanding are you finding when meeting with healthcare leaders?

Richard S.:
I think healthcare executive and Board understanding of cybersecurity has evolved quite radically from where it was, say as little a five years ago. Most of this evolution has occurred quite recently in fact.

I think there's been a late awakening amongst Boards of Directors of healthcare providers, payers, and pharmaceutical organizations; a realization of the cyber security threat, and the way that that impacts not only their current business, but also their future business. If we talk about intellectual property loss within the pharmaceutical industry for example, it's a huge concern. The next generation of genomics-based medications is already assumed to have been stolen, largely by foreign nation states, in order to bolster their own pharma sector. All this, largely because of ineffective security across the industry to protect its intellectual property.


At the same time, we're seeing a large amount of media attention generated with regard to cyber breaches of our healthcare systems - patient health information being stolen and exposed, or patient information being encrypted and held to ransom, as has been the case at several hospital systems over the past month. Or malware infestations on hospital networks that have resulted in the hospital having to revert to paper, or even worse, to unplug their network core so that they could deal with the outbreak.

Boards are now aware of some of these issues, many of them have a good understanding of the enterprise risk and potential impact to their business of cyber security, which I think is something that historically wasn't the case. Security and the Board to a large degree speak different languages and its taken a new breed of security leadership to bridge that gap and to translate. By and large, that language barrier caused some historic rifts, and didn't go far in engendering trust towards what security leaders were telling their Boards and executive leaders.


I think there's been a growing realization that in order to communicate to boards, you need to use appropriate language. You need to talk in terms that board members will understand: profit and loss, balance sheets, the cost of action versus the cost of inaction, for example. I think there's a greater risk in healthcare however, because it's not just a question of fines, penalties, restitution costs, or even loss of reputation, it's the fact that there could be physical damage caused to patients, where cyber attacks could compromise patient safety. Protecting patient safety has been the holy grail of healthcare risk management for as long as I have been working in the industry, and now we are seeing a convergence of cyber risks and patient safety concerns.

Cyber attacks can now be leveled against the actual delivery of care to patients in hospitals. Many medical devices are easily compromised to the extent that it's not inconceivable that patients could soon be assassinated in our hospitals. Its relatively easy to compromise the medical devices that patients are attached to, and which maybe keeping them alive, or surgical devices being used in an operating theater. This is something I think boards of directors are beginning to recognize, though from what I've seen, most have yet to fully comprehend the magnitude of the threat.


Interviewer:
Do you think that once they understand the risks, that leaders have the ability to react quickly? Is it something that they have to go back to their foundation to fix, or is it something that they could put a task force on it and get remediation fairly rapidly?

Richard S.:
The healthcare industry is a juggernaut. It's quite conservative. It takes a lot of effort to stop, and doesn't change direction quickly. Security has largely been an afterthought in the healthcare space. The focus has always been on patient care. Security across the healthcare industry has been massively underfunded and understaffed compared to other industries. Healthcare is probably 10 years behind financial services in most areas of security, and even more so in the formation of high caliber security teams for example. Healthcare is not seen as a glamorous destination for many security professionals. Most transfers into the industry recognize that they will be fighting an uphill battle just to play catch-up to where they were in their previous organizations.

With the right Board and executive sponsorship, reinforced by effective governance and security leadership, and of course funding, the security gap could be narrowed quickly, through more effective adoption of expert managed security services. This would allow the small number of experienced professionals that work in security to focus on higher value tasks.

More importantly, I think there are some more fundamental and structural problems in the way that security is viewed within most healthcare organizations today. Security needs to be elevated in terms of priority at the executive and board level. Security leaders need a seat at the table in Board meetings, so that Boards can effectively discuss, and be made aware of cyber risks and issues that may accompany new service offerings, new business ventures, mergers and acquisitions, etc. The Board needs to be fully informed to make the right decisions and that's not going to happen if the security message is being relayed through the CIO, or someone else with direct access to the Board.



Interviewer:
Given Board understanding of the risks, and the desire and funding to secure their organizations, what should security leaders focus on first?

Richard S.:
Healthcare security leaders would love an unlimited budget to go out and secure their environments. They have years of under-investment to catch up on, but we need to recognize that Rome wasn't built in a day, and healthcare doesn't have unlimited funds. If anything funds are getting tighter, which means dollars allocated to security need to come from elsewhere, IT, charitable patient care, etc.

Realistically, and to answer your question, I think that comes down to fully understanding the risks that are being born by the organization, and the potential impact to the organization's ability to function. That means understanding how the organization works, where there are opportunities to make significant improvements to the risk/reward balance, and to target scarce resources most effectively.

One of the most effective ways of understanding risk is to conduct a risk assessment but then to prioritize the remediation of risks and control gaps based upon the reduction in enterprise risk. What level of risk can I reduce with the least amount of money? Can I tackle remediation of these really big risks over the course of many years? (Because hospitals have very limited budgets and that situation is not getting any better.) There's an increasing squeeze on healthcare provider budgets especially, because of reduced reimbursement rates from insurance companies and government, and that is really compounding the difficulty for CISOs to block gaps in their overall infrastructure, through the implementation of new more effective security controls.


I think there's also been a historic problem with what I call the "shiny object effect."
"There's a new tool out there that looks to be a panacea to many of the security problems that I have. It's very expensive; the cost to implement is not really fully understood; the time to implement is not really fully understood, and it may be many years before the new tool is able to effectively reduce risk from the time its purchased."
There's been a temptation by CISOs to go after that shiny object, rather than to look at what is the most effective use of the scarce resources at their disposal. There are many opportunities for CISOs to reduce risks very quickly without the outlay of large sums of money, however these opportunities are often missed because security leaders fail to look at security through the conceptual lens of enterprise risk management and risk reduction.


One particular concern in healthcare has to do with the growing security resource shortage. The whole of security is suffering from a massive shortage of qualified, experienced, security professionals and this was reflected in the 2015 Cisco Mid-Year Security Report which found that there's a 12x demand over supply for security professionals. Healthcare doesn't pay as well as financial services and many other industries, and therefore, it's lower down the stack, in terms of its ability to attract and retain top cyber security talent; skilled resources needed to help defend against the attacks that are being leveled at the industry.

I think there's a growing recognition across the healthcare industry, of the need to look at optimizing the scarce security resources that it's able to attract and retain, and to focus the attention of those professionals, at the areas of greatest need in healthcare security. Areas like security architecture and security awareness training for example. Healthcare is a very labor-intensive industry, and users have largely disparate levels of computer literacy and security awareness. I think we do that by looking at what can we accomplish more effectively; by procuring services from service providers, that can provide expert services that we could never justify staffing ourselves; and to do that cheaper, better, faster, than if we were to build those capabilities internally.


Interviewer:
You've dealt with high-level executives and boards, can you compare and contrast the ones that 'get it' versus the ones that don't get it? What's contributing to that?

Richard S.:
I think there's been a change in the makeup of healthcare boards over the past few years. I've been presenting to boards of directors for probably 15 years or more. I think historically, healthcare boards were made up almost exclusively of clinicians or those sponsoring health services, - nuns for example in the Catholic Health System, retired and active physicians, line of business owners, as well as the CEO and his team of direct reports.

More recently I've seen a diversification of typical board membership, and the skills and backgrounds of members. This is a big differentiator to those boards that 'get it' and those that have a hard time understanding cybersecurity. It's not universal across all organizations by any means, but there is a growing trend towards diversification.

I'm seeing expertise brought in from other industries, from banking and finance, and some retired military. Also, some people from government and defense backgrounds, that are on the boards of larger healthcare organizations, and are able to bring experience of how other industries 'do security', and an understanding of the cyber risks that they've seen during their active career, or in their full time jobs. They're able to share those experiences and contribute to a much richer board decision-making process.



Interviewer:
I hear a lot of times that the biggest risk factor for security is just workforces themselves. How do you believe companies are dealing with that issue - that the workforce may be the weakest link in security?

Richard S.:
Well, your people are your greatest asset, and also your biggest risk. This is particularly so in healthcare. You have at one extreme, some of the brightest, smartest people on the planet - physicians. Very computer literate, many of these physicians are extremely capable at working their way around rudimentary security controls that IT may have put in place over the years. At the other end, you have scrub nurses, food services, and janitorial staff that may almost be computer illiterate. It creates an interesting challenge when it comes to the question of, "How do we take a security message out to our entire workforce?" Whether they're contractors – (most physicians for example), or whether they're employees – (nursing, admin and billing staff), or whether they're contract service providers for janitorial services, maintenance or food services.


How do we take a message out so that all of our people are working together towards a common goal of securing the network, securing the hospital, and protecting patients? I think we have to do that via a quite elaborate security awareness program, and it can't be a just one-off program where all users sit down in front of the same computer and answer a few questions at the end of a video. It also can't be something they do once a year, as part of a staff or contractor attestation that they will follow security and privacy policy.

It needs to be an ongoing process, and it needs to be differentiated and targeted to different types of users. Physicians should see one type of training program, executives see another type; those people who work in IT and may have elevated permissions see yet a different type of program, and those people that are on the cutting edge of delivery out at the nursing stations, should be provided a different type of awareness program that's more privacy focused, and more targeted towards the types of phishing attacks and social engineering that they may experience while fulfilling their jobs. They are in a very different situation to IT, admin or senior executives who, by and large, work most of their days behind closed doors, or at sites where they don't see the public at all.


On that note, where I've seen the most effective security awareness program is where there's a rich and diverse multimedia approach. Where there are a variety of web-based delivery systems, classroom based lectures, and brown-bag seminars / group lunch discussions, and where users are required to participate. Most importantly, where there are constant reminders to awareness themes throughout the workplace, so its not forgotten.

One particular health system I do a lot of work with, has little cartoon characters on their elevators and at doorways. It's to remind the staff subtlety not to talk about patients in public areas because they could be overheard. Most patients that walk through the hospital probably just think it's a cute little animal for the kids, and have no idea of the value it's also providing to staff privacy and security awareness. The value that these animals provide is immeasurable in terms of making the staff aware and making them think,  "Hey, I'm in a public area. I can't discuss patient issues here".


Interviewer:
Healthcare rightly or wrongly is seen as an increasingly highly regulated industry. Have you found that these governing organizations are helping to advance security?

Richard S.:
I think compliance in the healthcare space was the initial spark that really led towards improved security and privacy across the industry. I don't think it's necessarily as effective as it could be however.

In the United States, we have the HIPAA regulations. They were written in 1996 when most of us didn't even have modems attached to our home computers, and many of us were running Windows 95. We didn't have web 2.0 social media technologies. We didn't post to Facebook, Instagram, or SnapChat every 10 minutes, as my kids tend to. We didn't have instant message, or many of the technologies many of us live on today – especially the younger ones! 

Hospitals were largely paper-based back in 1996 when the HIPAA regulations were created. HIPAA was a political compromise in order to put something in place to protect the privacy, initially, and later security of healthcare. It's been enhanced with the HITECH Act and Omnibus changes, but it's still a high-level advisory type regulation, and is widely open to interpretation. It's not a prescriptive rule set in the way that we have in other industries, like PCI DSS that says, "You shall do this, this way, and this way only, and if you don't do it exactly as written, you're non-compliant."


HHS OCR, the Health and Human Services, Office of Civil Rights, has come in with its audit protocol and looked at HIPAA compliance from a very different paradigm. OCR looks at it from an audit compliance perspective, more so than the checkbox mentality that the healthcare industry itself has tended to follow. OCR assessors look for the effectiveness of controls in the same way that a financial auditor would, and they look for evidence that a control has been tested for its effectiveness and that this has been documented. That's beginning to change things across the industry.

In other jurisdictions, we have new regulations that are slowly being implemented or enhanced: Singapore Privacy Act, Caldicott, Australian Privacy Act, European Privacy Directive, etc. These tend to be more privacy focused, but increasingly cover many aspects of traditional security – cyber attack and breach notification for example, or use of patient data in research. And we've got other regulations in the process of being revised or expanded in other countries, as well.


I think compliance was the initial spark that led to awareness of the need for security in healthcare, but I think that's now minor compared to other risks, particularly around cyber attacks and breaches of PHI, which seem, almost every other week, to be all over the papers and TV news channels. We're seeing a growth in targeted attacks against healthcare; ransomware, for example, the encryption of medical records, and then holding them to ransom for tens of thousands or dollars, or even larger sums of money in some circumstances. That's just the beginning in my opinion. Where I see things going, is towards not so much the ransom of information, or the theft of PHI, but towards open extortion and ransoming of patient lives, where hackers may have gained control of entire parts of our hospitals and be able to inflict real life-threatening damage.


I don't think we are far-off before we're going to see ransom attempts leveled at hospitals to say, "If you don't pay a thousand BitCoin, I'm going to start killing babies in NICU" or, "I'm going to start assassinating people on life support in your ICU, or undergoing surgery in your operating theaters."

One massive attack vector that very few hospitals have considered is their ICS or Industrial Controls Systems. Systems that manage HVAC for example, which are critical in healthcare for disease control and for clean rooms like operating theaters. As a hacker, if I own your HVAC systems, I can mess with the airflow, temperature and humidity levels, and render whole parts of the hospital useless – and lock everyone else out of the system at the same time.

If I've gained control of your elevator systems, I can prevent you from transporting patients between floors – maybe on their way to or from the operating theater.

If I own your water management or electrical management systems, even for a short time, I can wreak havoc. Many of these ICS systems are totally automated in our hospitals today, and are remotely managed over the Internet by a service provider. 

All of these are very feasible attack vectors against healthcare, and most of the people running these attacks live tens of thousands of miles away, in other countries, out of the reach of law enforcement. There's recent evidence to suggest that many of the perpetrators of some of the recent ransomware attacks against healthcare, are in fact, employees of state cyber espionage units, moonlighting after hours.

I think some more forward thinking boards of directors are slowly becoming aware of the real risks to their organizations and patients, and are beginning to look at ways that stronger controls can be put in place, to manage the very broad range of threats that could be leveled against healthcare.


Interviewer:
That's amazing stuff. It's almost like a controlled outbreak ...

Richard S.:
You imagine a man made Hurricane Katrina. During Hurricane Katrina, the New Orleans hospitals were rendered useless because the water, sewer, power, air circulation, all eventually came to an end. Back up generators ran out of fuel. Fuel trucks couldn't get to those hospitals. Flooding rendered large parts of the hospitals inaccessible, and very quickly full of mold, such that patients could no longer stay inside for their own health and safety. Patients were carried out (where they could be carried out) and placed on flood debris in many cases, which was on dry ground to get them out of the hospitals that were filling up with airborne mold spores. Many patients were too heavy to carry down flights of stairs. Elevators didn't work because there was no power, so they died in their beds.


Imagine if I were a rogue nation state or a well-organized and skilled terrorist group conducting a cyber war against the United States. I would most likely first go after power generation and distribution systems, water management and other critical infrastructure to disable the domestic systems the military and modern Americans have come to rely upon – running water, regular power, etc.

After critical infrastructure, I would attack hospital systems, because that's where the weakest and most vulnerable people in American society would be found – those unable to look after themselves. I could tie up thousands of National Guard troops forcing them to care for, or rescue, the most needy in society, divert them from defending against other attacks, and weaken a speedy counter-attack by the military. These are all feasible, albeit unpleasant, scenarios and many people have written and published in this area.


Interviewer:
Wow!

Richard S.:
Oh, it's scary alright!


Interviewer:
What's the biggest leap forward that you've seen within the last year with regard to security?

Richard S.:
Security is always developing and there are a lot of cool new capabilities every few months so it seems. However, given the kinds of attacks we are seeing against healthcare, I would have to say Real Time Threat Analytics. Understanding where threats are coming from, and recognizing an attack almost immediately; the ability we have now, to identify anomalous user and system behavior, and to light up our networks so we can use the network as a sensor and as an enforcer of the security policy that the board approves, and is enforced by the CISO or security leader.

Recognizing when an attack is underway is incredibly valuable so we can block it, and thwart the attack before data is stolen or compromised. Historically, we've looked at things forensically and 'after-the-fact', when damage has already been done. We bring in forensics teams to investigate the integrity of file systems that may have been compromised; we bring in forensic investigators to work with law enforcement and to preserve evidence for prosecution. But in healthcare a breach is a breach and I'm already in a world of hurt!

In most hospitals we're not being active in terms of saying, 
"There's an attack coming in. There's some malware that's just been added to my network. I've got suspicious behavioral activities, and new communications out to the Internet, that are out of the ordinary. They don't fit the usual pattern of activity on my network. I'm under attack," 
and be able to pull the plug or to block that attack; to put defensive measures in place to thwart that attack before the damage is done; before my files are encrypted; before I need to notify patients that their records were compromised; before I need to contact the OCR and let them know that there's been a breach, and my reputation is tarnished, because I'm now on the HSS OCR 'Wall of Shame'.



Interviewer:
I like the predicative nature of that.  What do you think differentiates successful attacks on some healthcare providers from those that fail?

Richard S.:
Let me start by saying that across healthcare delivery, the vast majority of attacks go totally unnoticed. Healthcare simply doesn't have the resources to monitor what's happening on all of its systems, and its rapidly expanding network of partners, suppliers and HIEs. There's no single regulatory body to identify a common point of information disclosure for identity theft, or medical insurance fraud, etc. like there is in the payment card industry for example. And information stolen from healthcare, by and large doesn't expire, in the way that a credit card number does after a certain period of time. I can use or sell that stolen information whenever I like.

With the exception of the very largest providers, most organizations lack a security operations center, or have staff viewing event management systems 24 by 7. Those that have invested in a SIEM have a hard time getting usable, high-fidelity information from alerts. 'False-positives' keep security operations staff chasing their tails, rather than quickly being able to identify real attacks and risks, and to remediate them. SIEM alerts need to be validated before the truth is known. This can be very time-intensive, and will ultimately delay response to an attack.

The critical differentiator between successful attacks and unsuccessful attacks is the ability of the organization to quickly recognize when an attack in underway, such that the attack can be blocked before damage is done. Before PII, PHI or IP can be exfiltrated from the healthcare network. Speed is key today. Attackers are in and out in a matter of a few hours in most cases.

Once you're looking at things forensically and after-the-fact, then the damage has already been done. You've already lost patient information, your IP is gone, and it's out on the Internet. Once an attack is underway against a patient, then that patient could have already been harmed.



Interviewer:
Is healthcare under attack more than other industries do you think?

Richard S.:
Healthcare by and large provides easy pickings for cyber criminals. They've been after banks and credit card companies for a number of years and that water fountain is drying up. What I see is a concerted attacked against healthcare. Big payer breaches, big provider breaches, and pharma networks are largely owned by foreign states, and their well-funded cyber espionage units. This is not going to stop anytime soon. We need to put in place effective security controls wherever possible, wherever feasible, and to do it quickly before more damage can be done, and we suffer a widespread loss of confidence from patients. Before hospitals are forced to close, because they can't afford to pay the fines, penalties, identity theft monitoring, and other standard restitution expenses. Before they get hit with a billion dollar class action suit from patients, that is going to force them out of business!



Interviewer:
How has the digital era changed the way we're facing security?


Richard S.:
The digitalization of healthcare has brought around a large number of changes in healthcare delivery particularly. We now have the capability to provide all kinds of new services to patients, and most patients are very eager to consume those services, but they introduce new risks to our healthcare organizations. I refer particularly to the meaningful exchange of health information, to and from the proliferation of other service providers out there. 

I'm no longer tied to a single service provider and can shop around to get the best deal. I no longer need to go to the hospital to get my X-Ray, and pay $1,000 for that X-Ray. Most of us are now on High Deductible Health Plans, which means we now pay for service rather than insurance. I can go to a simple imaging center and pay $300 for the exact same thing, with probably half the wait.

I can go to a web portal that my provider has put up that allows me to communicate with my physician or my specialist. I can look at my images from my X-Ray or my cat scans, and I can read the diagnosis online, rather than have to book an appointment, drive across town, come into see a specialist, consume his time and my time, to basically reiterate something that's already been written down, that I could read myself. In order to provide these types of services, we need security around them however.


I'm seeing a growth in a large number of opportunities for increased Digitalization, Telehealth, Telemedicine, all types of new services that are more cost effective in the delivery of healthcare services to patients, but again, we need security in order to facilitate that. I need to be able to authenticate legitimate users, and to communicate with them securely, I need to be able to store information securely, and I need effective security controls so that I don't introduce new risks as a result of the new services I am providing to patients.


I think payers and providers are now recognizing the fact that Connected Care, and increased Digitalization, will provide opportunities for huge cost savings and new avenues for revenue generation, while simplifying and improving patient experience with their care team. However there's a huge cost to this if its not done right. You need to apply appropriate security controls, before you can provide these services to patients.



Interviewer:
How is healthcare going to cope with this new reality?  What trends are you seeing?

Richard S.:
I'm seeing a consolidation within the healthcare delivery industry, particularly in the US where we've had a multitude of different standalone small hospitals and health systems. Its driven by cost pressures and the need to spread meaningful use costs, and the need for improved security over a greater number of beds and patients. 

The same is true in the payer space. Organizations are coming together under one umbrella, and building shared services organizations to better leverage scarce resources, and this is saving healthcare money, and at the same time improving technology, security and other services.

I've seen a recent increase in the adoption of cloud-based services, and wider use of mobility as payers and providers become more comfortable with these things. This is all helping to drive growth. I've seen a syndication of technology services to smaller hospitals. Larger hospital systems that have the money to invest in new clinical technologies, in expensive, state of the art systems and applications, are able to recoup some of that investment by providing IT or application services for example, to smaller hospitals that can't afford the investment needed for those types of things. Of course wherever systems are being shared you need to segment and secure, to prevent a whole host of possible issues down the road. It's a decent revenue generator for a lot of health systems, and I see that trend continuing.



Interviewer:
Thank you very much Richard for your insights. I'm hoping that some of your predictions don't come true, but recognize that awareness across the industry may help to avert some of these security risks and threats.

Richard S.:
Lets hope so!