Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

The Rising Threat of Offensive AI

Can we trust what we see, hear and are told?

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Hong Kong Hospital Crisis Easing

Patients left in hallways due to overcrowding at Queen Elizabeth Hospital. Photo: Sam Tsang.
A capacity crisis in Hong Kong's hospitals is beginning to ease thanks to money being made available by the Government for an expansion of healthcare services to meet growing demand. This was the message I received during meetings this week with senior health leaders in Hong Kong.

Earlier this year Chief Executive Leung Chun-Ying promised that public hospitals would get an additional 5,000 beds and 90 operating theatres in the next 10 years as part of a HK$200 billion bundle of development projects. Those funds are now finally making it to where the money is needed.

Saint Teresa's Hospital, Ma Tau Wai.
The investment includes new construction and expansion at all Hong Kong public hospitals and in particular large redevelopment projects at Tuen Mun Hospital, Prince of Wales Hospital and Princess Margaret Hospital. It will also provide an additional 90 operating theatres increasing capacity by 40% across the territory and a significant increase in the number of medical school places to grow the physician population.

Investment also includes Childrens' Hospital at the former Kai Tak Airport.
The capacity crisis in Hong Kong is not too dissimilar to issues being faced by mature public healthcare systems across the world. An aging population of baby boomers is consuming more healthcare services, and spikes in demand for services during the flu season which spreads quickly amongst Hong Kong's tightly packed population, and is combining with population growth fueled by immigration from Mainland China to excerpt pressure on the system.

This year's flu season coincided with the Health Authority’s decision to send 30 frontline doctors to Beijing to attend a one-week national education class which left hospitals severely understaffed for the unexpected surge. Accident and Emergency services were running at an average 110% capacity with some hospitals at 130%. Lines formed out the doors of hospitals into the street and patients had to wait hours to be see.

The situation got so bad that an appeal went out to private physicians across Hong Kong to help out at public hospitals, and several private hospitals made available free or low cost beds to help with the overflow at public facilities.

Long wait times for patients. Photo Sam Tsang.
In meetings this week with the Hong Kong Hospital Authority I was told that while some of the larger projects would take many years to complete, capacity has already been improved at many public hospitals, and new measures put in place to reschedule non-urgent procedures outside of peak demand, especially during flu season.

Improvements in healthcare security are also being made but are being funded from other sources outside of capacity improvement measures. Hong Kong continues to lag behind the UK, US and Australia in its cybersecurity maturity and this will likely be another area of targeted improvement over coming years. Compared to the capacity and modernisation initiatives, cybersecurity remains however, a fairly low priority for now I was told.

Australian Healthcare Highly at Risk

Just learned that my interview with Nick Whigham at Australia's has gone viral. The interview which was published last week, talks about the general state of security surrounding the Australian Healthcare industry and is based upon two weeks of workshops and other meetings I ran across the country in November with Senior Healthcare Executives.

The full article can be found here

Aussie Healthcare Scrambles to Catch Up

Assessing the cybersecurity outlook for Australian Healthcare.   Photo: Paul Carmona, Sydney.
Australian Healthcare providers are scrambling to defend against increasingly well-armed and financially-motivated opponents in the battle between good and evil going on across cyberspace. After years of staying out of the spotlight, healthcare is now being targeted by cyber gangs looking to get rich quickly, and foreign nation states seeking leverage over individuals.

Fifteen to twenty years behind other industries like banking and financial services, Australian Healthcare is suffering from a case of 'Too Little, Too Late' in its build-out and investment in robust cyber defences and is now beginning to pay the price.

Well publicised attacks against flagship hospitals such as Royal Melbourne and others have finally alerted the Australian general public and health system leaders alike, to the looming threats facing the healthcare sector. Its not just the big city hospitals either; ransomware and other cyber attacks have been reported right the way across the country and even in small GP practices in remote rural communities.

Theft of lucrative personal information and personal health information, especially as medical records go digital, is a rising threat, as is attack by ransomware and other forms of extortion.

Surveys suggest that presently most Australians are not that worried if their medical records go up for sale on the web, though most have not really considered the possible impact of identity theft. What is more concerning to Australians, is a denial of service attack such as ransomware, that could take critical systems off-line when needed to treat someone or to save a life. Most Aussies simply haven't given that much thought to the security of their medical records or a possible attack on their doctors office or local hospital. Very few people surveyed were even aware of the growing number of network connected medical devices and the threat they pose to patient safety.

These and other cybersecurity concerns have been the subject of discussions this week at executive workshops led by the author in a series of meetings with healthcare leaders stretching from Brisbane through Sydney and Melbourne to Perth. From State healthcare systems through to private providers and payers of health services, the message is pretty much the same. "We have failed to invest in information security in the way we probably should have over the past five to ten years", said one State CIO. "That includes technology infrastructure and the skilled resources to manage our security program."

While government Ministers stress the importance of making improvements to healthcare security, additional capital and operational budgets have not yet been made available to hospitals to make changes claimed the leaders of several hospitals in a workshop in one major city.

In a recent meeting with the leaders of one of Australia's largest private healthcare providers, the CIO willingly acknowledged to me the critical need for improvements to be made to the organisation's security program, adding that security investments would probably have to wait till next year as he already had a heap of even more critical needs in front of it.

A stormy outlook has caused Australian Healthcare to play catch-up. Photo: Kieren Andrews, Melbourne.
The need for improved security to protect hospitals, doctors and patients from cyber attack is finally being recognised across the country, though it remains to be seen just how much of a priority it will be to secure patient health information, and prevent cyber attacks that compromise critical clinical information systems needed to treat patients. "It may take another one or two Royal Melbourne Hospital sized incidents before security gets the kind of funding and support that is really needed" suggested one healthcare senior leader who asked not to be named.

Kiwicon X

Kiwicon X, Wellington, New Zealand
Part hacker conference, part cult event, part rock concert; Kiwicon X fully lived up to expectations this week. Attendees were treated to an almost constant barrage of live hacks, demonstrations, presentations and more live hacks in the southern hemisphere's answer to Black Hat without the tackiness and desert heat of Las Vegas.

That's not to say that attending Kiwicon is in any way safer then Black Hat - leave anything electronic a mile away from the conference, and if you do take a credit card then make sure you have a lead-lined wallet to prevent it being inadvertently scanned by someone.

Live hack demonstration

Oh, and did I mention the plutonium or uranium brought on stage to demonstrate how to break cryptography in a presentation entitled “Radiation-Induced Cryptographic Failures and How to Defend Against Them.” Maybe the attendees dressed up in silver radiation costumes weren't exactly wearing 'costumes' if you know what I mean!

Laser light show, Kiwicon X Hacker Conference, Wellington, New Zealand

If the radiation didn't fry you and the pyrotechnics didn't burn you, then the lasers almost certainly blinded you - albeit temporarily! What a show!

Fireproof conference attire advised for anyone in the first 5 rows

With an opening presentation that could easily have been incorporated into an episode of the X-Files TV series, and other presentations that included "Hacking the Red Star OS" - North Korea's only approved PC operating system, and “Defending the Gibson in the Age of Enlightenment” I was never quite sure whether the coffee I was drinking had been spiked or not.

“The Truth Is In Here” by Metlstorm opening presentation

Kiwicon X was informative and entertaining on SO many levels!

The house was packed for nearly every presentation 
Despite a major earthquake that shut down Wellington not long before the conference and multiple aftershocks during the conference, the show was a great success.

Kiwicon X, Wellington, New Zealand

It was great to meet and chat with so many utterly smart if slightly deranged people. I hope to drop in again for another Kiwicon at some point in the future.

More lasers at the Closing Presentation

Light at the end of the tunnel for New Zealand Healthcare

Despite continuing austerity measures across the country, there is light beginning to appear at the end of the tunnel for New Zealand Healthcare. This includes a number of measures underway to expand capacity to reduce waiting times. It also includes some long-needed improvements to cybersecurity and privacy. This was the message I received during meetings this week with the New Zealand Ministry of Health in Wellington.

The Ministry of Health oversees some 20 District Health Boards each of which is responsible for administering the delivery of health services in their designated area. While some of the DHBs have pooled their resources for shared IT and security services, there are little to no common IT or security solutions across the entire country. Each board is free to do it's own thing we were informed. The result is disparate clinical and health information technologies across a sparsley populated country of just over 4.6m people.

Some areas of New Zealand appear to be better served by IT and IS capabilities than others, though common areas of concern appear to exist across all DHBs. These include the need for improved identity and access management, threat intelligence and security operations center expertise to identity and respond quickly to cyber attacks.

The greatest challenges however appear to be political in nature, in getting the DHBs to agree to common systems and processes or shared cybersecurity expertise for threat intelligence, security operations and incident response. While at the Ministry level this need seems to be recognised, the DHBs appear to be fiercely protecting their turf - at least for now!

Turning Cybersecurity into a Strategic Advantage

Most C-suite leaders think about cybersecurity as a way to stop threats. But in today’s intensely competitive digital economy they should be thinking about cybersecurity as a strategic advantage that not only protects business value, but enables new business value.

The prevailing focus on threats to protect business value isn’t surprising. Modern digital businesses go beyond traditional walls and spawn new attack vectors in today’s dynamic threat landscape. Businesses face a cybercrime wave that is increasing in intensity and sophistication. According to a recent article in Forbes, “Corporate and home computers have been hit with an average of 4,000 ransomware attacks every day this year, a 300% increase over 2015,” citing United States Department of Justice sources.

While we must continue to work diligently to protect valuable data and assets, to achieve growth, the biggest opportunity comes when we make cybersecurity a foundational component of our digital strategies. One of the biggest downsides to cybersecurity weakness is how it inhibits innovation. In fact, 71% of respondents in a Cisco survey said cybersecurity risks and threats hinder innovation in their organization.

Organizations that have any doubt about their cybersecurity capabilities delay important digital initiatives and risk falling behind the competition tomorrow.

As Mike Dahn, head of data security and industry relations at Square, Inc., put it in this Cybersecurity as a Growth Advantage report, “I think it’s really important that we stop thinking about security as a defense-centric approach that is sold by fear, uncertainty, and doubt. We need to start thinking of it as an enabler that supports innovation … and helps the business go forward.”

You know your organization is well-positioned to move forward when:
  1. You recognize that cybersecurity concerns can hold back innovation and hinder growth. While cybersecurity concerns can hinder the development of new digital business models and driving innovation, smart organizations realize they must move forward, or be left behind by digital disruptors and other agile competitors.

  2. As a business leader, you are much more engaged in cybersecurity issues than your typical peers. Sixty-six percent of Boards do not believe they are properly secured against cyber-attacks. (Source: Cybersecurity in the Boardroom, Veracode 2015). And, the Board, the CEO, and other key stakeholders likely hold you responsible for cybersecurity issues, even if you don’t hold an IT or technical role. That’s because the success of digital programs that are shaping the future of the business, is predicated upon strong security practices. As business leaders develop digital initiatives they proactively collaborate with IT to ensure that security is included in plans from the earliest stages.

  3. You believe your organization is prepared to address cybersecurity challenges in three key digital capabilities – Big data/analytics, cloud computing, and the Internet of Things (IoT). These capabilities are critical to digital growth strategies that depend on connectivity. The level of confidence you have in incorporating these digital technologies into your business processes and offerings allows you to accelerate innovation and time-to-market and capture a greater share of digital value at stake.
The digital era is here. Those who embrace it will have a competitive edge, but not without a secure foundation that allows innovation with speed and confidence.

Take time during this year’s Cyber Security Awareness Month to evaluate how you can turn cybersecurity into a strategic advantage. If you are not sure where to start, our Security advisors can help. If you are already on your way to a digital transformation, we can help you assess your readiness and work with you to design and implement a secure digitization strategy.

Guest Blog - written by my colleague and good friend, Ashley Arbuckle.  Ashley is Vice President of Cisco Security Services. This blog was originally published here.

Insiders: The often forgotten threat

Insider threats are of particular concern to organisations, as the impact of a rogue insider can be catastrophic to the business. The 2016 Verizon Data Breach Investigations Report showed that 15% of data breaches were a direct result of insider deliberate or malicious behaviour. Given that it is not likely that all insider breaches are discovered and/or reported, this number may well be under represented in Verizon’s statistics. In addition, insiders often have legitimate access to very sensitive information, so it is no wonder that it is difficult to detect these breaches. Regardless, they can negatively impact the business in a big way, and must not be overlooked.

As I speak to a lot of customers about this, I see views of insider threats vary considerably by industry vertical. For example, financial services and gaming companies see financial objectives as the main motivator; manufacturing/high technology/biotech see intellectual property theft as their biggest concern; and personal services store and process large amounts of personally identifiable information, which they must protect from insider theft. The unique challenge faced is that insiders are often more difficult to identify behaving maliciously as they are often misusing their legitimate access for inappropriate objectives such as fraud or data theft.

Strong user access policies are a key building block to a good insider threat management strategy. Regular review of user access rights, along with job rotation, mandatory leave, separation of duties, and prompt removal of access rights for departing employees have been the core of managing insider risk for many years. Once you have these key components in place it's time to go to the next level.

As with everything in security there is no single answer, and frankly you should question anyone that tells you they can fix all of your security problems with one service. To reduce the risk of the insider threat, I would suggest the following strategy:

1. Classify your Sensitive Data.

This is the most critical step and often difficult as this requires the technology team and the business to align in order to classify what data is sensitive and to ensure there is consistency in the classification strategy. Remember to not boil the ocean; this step should focus solely on identifying sensitive data that could effect the business should it be stolen. Carnegie Mellon University has a good example that can be adapted to most organisations.

2. Implement a Protection Plan

a. Instrument the network....
so you can detect atypical accesses to your data. To validate if your instrumentation is setup correctly, you should be able to answer the following questions:

  • Have new users started accessing sensitive data?
  • Have your authorised users accessed more sensitive data than usual?
  • Have your authorised users accessed different groups of sensitive data more than before?
Many fraud management professionals would recognise these questions as lead indicators of possible fraudulent activity, and astute HR professionals would recognise these as possible lead indicators of an employee about to leave the business. Both of these scenarios are very typical lead indicators of insider data loss. You should try to make use of fraud management and HR personnel to assist you in determining what to look for and actions you can/should take when you detect a possible insider incident.

Data flow analytics may also assist from the technical side as well. Cisco Stealthwatch uses NetFlow to build profiles of expected behaviour for every host on the network. When activity falls significantly outside of expected thresholds, an alarm is triggered for suspicious behaviour. Data hording is one typical use case where data flow analytics detects anomalous behaviours. For example, if a user in marketing usually only accesses a few megabytes of network resources a day but suddenly starts collecting gigabytes of proprietary engineering data in a few hours, they could be hoarding data in preparation for exfiltration. Whether the activity is the result of compromised credentials or insider threat activity, the security team is now aware of the suspicious behaviour and can take steps to mitigate it before that data makes it out of the network.

b. Data Loss Prevention software...

or DLP as it is more commonly known, is software that monitors data flows much like an IPS as well as monitoring data usage at the endpoint. Network DLP uses signatures like an IPS, but the signatures are typically keywords in documents or data patterns that can identify sensitive data. Endpoint DLP can be used to control data flow between applications, outside of the network and to physical devices. This becomes especially important if there are concerns about sending data to external data storage systems (Google Drive, Box, SkyDrive etc.) or to USB attached storage. DLP can control access to all of these systems, but it is a matter of policy and vigilance as new capabilities are released at the endpoint.

There is a lot of skill in effectively setting up DLP software and much of the complaints about the lack of effectiveness of DLP comes down to a lack of proper data classification and poor DLP software configuration. There is also an argument that network DLP is losing relevance with the increasing amount of encryption of network traffic. This is certainly true and enterprises need to have SSL interception properly configured to maximise the effectiveness of their DLP investment. Still not all traffic will be able to be decrypted and you must determine whether your risk appetite will allow for users having encrypted communications you cannot monitor. This is not exclusively an IT decision, but one that needs to be decided by a well-briefed executive.

c. Network segmentation....

is unfortunately something that is often not done well until after a security breach. One of the benefits of a properly segmented network is that a malicious insider keeps bumping into network choke points. If these choke points are properly instrumented then alerts flow to warn of potential inappropriate access attempts. This gives the defender more time to detect and respond to an attack before sensitive data leaves the network. For example, if your Security Operations Centre (SOC) observes a user in Finance trying to access an Engineering Intranet server then you should be raising an incident to address why this user is trying to access a server that most likely holds no relevance for their job function.

3. Honeypots

These are one of the more controversial strategies that may not be for everyone. The honeypot should be setup with decoy data and a similar look and feel to the production environment. The decoy data needs to look authentic and the knowledge of the existence of a honeypot needs to controlled on a need to know basis. The great advantage of a honeypot over other technical strategies is that all traffic that goes to the honeypot can be considered malicious and by its very nature as the honeypot has no business relevance. The honeypot is only there to trap those that could be looking for sensitive data inappropriately. I have found it useful in the past to use the same authentication store as the production environment so you can quickly see which user is acting inappropriately, or you may have an external attacker using the legitimate credentials of an insider to hunt for sensitive data. Either way, you need to act quickly and deliberately to head off possible data loss. Like every data loss scenario you need a robust process for managing these incidents types.

4. Use of non-core applications, especially social media applications

There has been an explosion of social media applications in recent years ranging from Skype, WhatsApp, QQ, WeChat, LINE, Viber and many others. Businesses are worried that their staff are using these applications to send sensitive data out of the business. These applications are often used for business purposes and depending on the sensitivity of the data this may be considered inappropriate behaviour. Our favoured strategy is to use some of the recommendations above, classify your data, and instrument the network to look for inappropriate use. But, from the user’s perspective, they are trying to perform their job in the most efficient manner and no one wants to discourage “good behaviour!” If there is a legitimate business use for a social media application, we recommend that a corporate social media application be deployed so staff can be efficient in their job. Security needs to enable users to get their job done and not hold up business progress and increase business complexity. Additionally, users must understand the ramifications of their actions and know what data can be sent externally and what cannot leave the organisation without appropriate protections. Education is the key to achieving an effective balance and reminders, like a “nag screen” that alerts the user that they are accessing sensitive data can reinforce the user’s training. Document watermarks and strongly worded document footers about the document sensitivity can also serve as another valuable reinforcement.

5. Hunt for caches of sensitive data

You need to have the ability to hunt for caches of sensitive data – one phenomena that that our security consultants see time and again is that people have the habit of creating a cache of sensitive data to steal before they send or take it out of the organisation. This is true not just for insiders, but often with external attackers that are preparing to exfiltrate data. Our consultants use endpoint tools to look for caches of documents in user directories, desktop and temp directories as the most common places to find document caches. Often the documents will be compressed into an archive such as a ZIP, RAR or GZ file for quicker data exfiltration and to avoid tripping the DLP keyword filters. Whatever tool you use to hunt for data caches it must be able to return the name and type of documents when it does its scans. You should select a tool that can hunt on the basis of a threshold of data volume and be able to dynamically tune the amount. Some of the more sophisticated DLP solutions can implement this functionality also.
Complexity is the arch nemesis of a good security program

Like every good superhero we have our arch nemesis, and this is often the complexity of our security environment and not the bad guys that are trying to compromise our networks. The 2016 Cisco Annual Security Report recently found the average number of Information Security vendors in enterprises was 46! A shocking number, but one which goes to show that there are a lot of point products in this industry.

One of the constant comments from our customers is “can you make all of these products work together?” We hear you, and recommend that when you are devising your strategy to combat the insider threat that you also consider that the output from these controls is going to have to be acted upon, and you cannot continue to overburden the existing SOC team. We recommend that you review how the insider threat strategy will integrate with your existing threat management process and platform as a key consideration before you get involved in the “speeds and feeds” bake offs with products.

We hope this blog has given you some ideas about key strategies you can deploy to prevent, detect and respond to insider threats. If you would like to learn more about how to get started, Cisco Security Services can work with you to conduct an Intellectual Property Risk Assessment to get a full view of insider threats in your business and can assist with designing a custom strategy to address these threats.

Guest Blog - written by my colleague and good friend, Mark Goudie. Mark is Principal and Director of Security for APJC at Cisco.

The 'Senior Cyborgs' are Coming!

Richard Staynings and other panelists at the Louisville Innovation Summit

The Silver Tsunami of Baby Boomers hitting retirement by itself would be enough to worry the most well prepared healthcare system, however in the United States, rising healthcare delivery costs and little to no change in the number of professional caregivers is putting the system under never before seen pressures. Everyone is looking to provide more cost-effective ways to provide care and keep people independent, safe, happy and healthy at home, and that was the focus of a panel discussion at this week's Louisville Innovation Summit.
Senior Cyborgs & the Rise of Digital Health
The session discussed the evolution of disruptive digital health technology, a new force of digital caregivers and the entrepreneurs that are changing the way care is delivered. The audience learned about new technologies to deliver care to the elderly, to monitor and assess their condition, mood and well-being as indicators of onsetting medical conditions, and some of the technologies that will enable the elderly to stay in their homes rather than in much more expensive and often despised elderly residential care.

However with increased adoption of clinical alerting and other medical technologies being sent home with post-acute patients, combined with an ever-increasing number of across-the-shelf health monitoring and tracking systems filling homes, the bigger question, which unfortunately often goes unanswered, is how can this ever growing mass of medical devices be secured. The confidentiality, integrity and availability of medical systems and the protected health information that they produce needs to be secured in the home just as it would in a hospice or hospital. This lack of security confidence has in many cases slowed the adoption of technologies that enable patients to spend their twilight years in the comfort of their own homes. It appears then, that security is the primary key to unlocking the doors to what the elderly are asking for and what Medicare Administrators would prefer to fund.

One other key that appears to be required however, is the need to change healthcare payment models for both private and government funded programs such that providers can get paid for community-based care. The panel agreed that current payment and reimbursement models are hugely out of date and this is one of the reasons why the United States lags the rest of the developed world in its adoption of cheaper and more convenient telehealth and telemedicine.

Other areas of discussion focussed upon the need to improve the interoperability of digital health systems, such that meaningful data and meta-data can be better exchanged between providers with different EMRs, and other clinical information systems. We heard that the industry itself has made some strides towards this, but competitive business practices have failed to break down the proprietary data formats used by different HIT vendors. Government will probably need to take a bigger role in mandating common data formats so that meaningful use can be fully achieved.

Read more at TechRepublic and at grandCARE both of whom also reported on the session.

Taiwan National Day

Richard Staynings
The Author pictured here with Ambassador Zhang Chu Zhang

I was privileged to be invited to celebrate Taiwan National Day this year with an assembly of Ambassadors, Senators, Congressmen, State Representatives, Mayors, retired Generals and other US military personnel who served in the 1950s and 60's protecting the country at the height of the Cold War.

Economic, political and cultural relations with the Republic of China (Taiwan) have never been higher. Great to meet everyone and a very happy Taiwan National Day.


Cybersecurity was the topic de jour at the GA HIMSS Annual Conference in Atalanta this week as the author co-hosted a session with Dmitry Kuchynski of Cisco on the cyber threats and possible mitigations impacting hospitals, clinics and primary care facilities.

Richard Staynings and Dmitry Kuchynski received a warm welcome @ GA HIMSS

In attendance were an assembly of healthcare CEOs, CIOs, CISOs and other executives all keen to learn about the latest cybersecurity trends and threat intelligence, along with any tips, tricks and help they could receive towards planning an approach to protect their institutions and patients from cyber attack.

Healthcare organizations are being actively targeted by cyber criminals for the wealth of easily stolen PII and PHI information, and the relative ease at which healthcare networks can be attacked and breached. Hospital networks were designed to facilitate universal access by clinicians and support staff with little to no network or user segmentation. The result is that once the perimeter is breached, hackers enjoy universal access to virtually all information systems.

Ransomware was a big concern of attendees

The recent epidemic of ransomware which has plagued many US and overseas organizations over recent months was a huge concern to most attendees who wanted to know what they could do to protect against a ransomware attack on their institution.

While there are claims that ransomware is being used to target a specific company, health system or industry, that fact is that most ransomware attacks are indiscriminate in who and what they attack so long as the attack could generate payment for the perpetrators.

According to Cisco research, the Angler ransomware campaign alone resulted in over 300 ransoms being paid each day until Cisco and international law enforcement took down the criminal gang responsible. The gang was netting over $34m USD per year, which goes to show just how lucrative ransomware can be....for a while at least!

So was converging biomedical networks

Converging biomedical networks and the rapid growth of network-connected medical devices was similarly a huge concern for attendees representing hospitals and clinics, where the number of biomedical devices is growing exponentially.

Medical devices are just one aspect of a growing number of IoT devices attached to hospital networks that cannot be managed by group policy and other common tools for securing endpoints. Each medical device is proprietary to its vendor and many single-vendor systems can be incredibly unique. Despite guidance from the FDA and other bodies, both vendors and hospitals have been slow to tackle the medical device challenge as a previous post has examined.

Cisco has been helping many of its healthcare customers to manage and contain threats to medical devices and other IoT network-attached devices like hospital and clinic building management systems, by use of network security segmentation. By locking down access to and from medical devices on a least-privileged / zero-trust basis, segmentation helps to control the who, what, why and where of access to these largely unprotected endpoints, as well as containing any malware outbreaks to affected subnets - thus preventing a full system outage as some hospital systems have suffered recently.

With attacks against healthcare organizations on the rise, the industry faces some tough challenges over the coming years to balance the need to treat patients with the increasing need to invest heavily in security to protect those patients, and at the same time that reimbursement rates for treatment is declining. Regardless of whether healthcare institutions are being targeted for cyber attack or not, the fact is, that they represent a treasure-tove of valuable information for theft or extortion, and most are largely unprotected today.

As cyber criminals turn their collective attention to the easy money of ransomware, payers, providers, research and pharmaceuticals will increasingly come under attack. Putting in place modern day defenses like security segmentation is not something that can be done overnight. Developing a strategy and approach to cope with the new realities of conducting business today, is something that requires expert help and planning, and most importantly some lead time. All the better then to start that process now, rather than when under cyber attack where risks to patient safety go through the roof.

Postscript: Medical device security has been examined extensively in this blog and the need for adopting a different approach to securing healthcare data, and devices discussed widely. IoT security was also the subject of a recent HIMSS Security Community webinar given by the author.

Security in Healthcare: Bolstering Connectivity and Protecting Patients

Connectivity and the Internet of Things (IoT) are pushing the boundaries of healthcare treatment. Medical professionals can access patient data and real-time health status in a way that can dramatically enhance their understanding of the progression of a disease and improve their response to patient health incidents. Medical equipment can automatically identify system failures and even generate maintenance tickets. Remote treatment allows doctors and patients to communicate no matter where they are.

But this connectivity comes at a price. More devices and more communication increase the opportunities for attackers to breach defenses. On the one hand, the healthcare industry has been resistant to changes because it fears that interfering with critical systems could harm patients. On the other hand, not investing in security may not only affect patient healthcare if systems are disrupted but also injure well-being if their private records are stolen............ (read more)

Cisco 2016 MCR

Cisco’s 2016 Midyear Cybersecurity Report is released this week presenting the latest research, insights and perspectives from Talos and the rest of Cisco Security. It updates security professionals on the trends covered in Cisco’s previous security report while also examining developments that may affect the security landscape later this year and beyond.

The report highlights recent developments from the dark net and within the shadow economy, that cybercriminals have become even more focused on generating revenue. Ransomware has become a particularly effective moneymaker, and evidence suggests that enterprise users appear to be the preferred target of some operators. The report dissects observed ransomware techniques and operational trends and goes some way to predict the next wave of ransomware development. Furthermore, it examines the many ways organizations can and should take action to start improving their defenses. This includes the following recommendations:

  1. Instituting and testing an incident response plan that will enable a swift return to normal business operations following a ransomware attack 
  2. Not blindly trusting HTTPS connections and SSL certificates 
  3. Moving quickly to patch published vulnerabilities in software and systems, including routers and switches that are the components of critical Internet infrastructure 
  4. Educating users about the threat of malicious browser infections 
  5. Understanding what actionable threat intelligence really is 
The sad fact is, that attackers currently enjoy unconstrained time to operate. Their campaigns, which often take advantage of known vulnerabilities that organizations and end users could / should have known about and addressed, can remain active and undetected for days, months, or even longer.

Defenders, meanwhile, struggle to gain visibility into threat activity and to reduce the time to detection (TTD) of both known and new threats. They are making clear strides but still have a long way to go to truly undermine adversaries’ ability to lay the foundation for attacks - and strike with high and profitable impact.

Read the full report here

Ransomware – a wake up call for effective security controls

“The digital canary in the digital coal mine”

A “canary in the coal mine” is an idiom that refers to an early warning sign for upcoming trouble.  This comes from the day when there was no technology to detect leaks from unseen pockets of toxic gas in the rock of a coal mine. Canaries are more sensitive to the toxic gas in the mines than humans so miners used to take poor canaries with them as an early warning sign of toxic gas. If the canary is on the bottom of the cage it’s time to get out of the mine FAST! So how does this relate to ransomware – bear with me for a while and I will explain how ransomware is the early warning sign that security threats have a free rein in your environment.

Ransomware is big business today. Ransomware miscreants encrypt a victim’s files and only provide the decryption keys after the victim pays the “ransom”—usually in the vicinity of $US300 to $US500. Unlike most other online crimes that target businesses exclusively, ransomware impacts end users directly. Ransomware campaigns are not discrete about their victims as this is a volume game and the bad guys will attempt to compromise tens of thousands of victims per day whether they be a grandparent at home looking at photos, or a corporate banker making billion dollar deals. The pay day for their efforts can be staggering. Cisco recently worked with Level 3 Threat Research Labs to disrupt an Angler exploit kit botnet which Cisco estimates to have be earning at least $US30M annually and I hope this disruption hurt the bad guys.

The effectiveness of Ransomware can be seen in a recent CERT Australia survey where 72% of companies reported malware incidents in 2015 which has more than quadrupled since 2013 (17%). 72% of respondents also stated that Ransomware “is the threat of most concern”.  These figures are staggering when the survey is targeting corporations and it’s not surprising as I have seen ransomware execute and encrypt data on ASX Top 200 companies' systems and Fortune 100 enterprise servers as well as our relatives' laptops.  Quite frankly, ransomware is everywhere and one of the key reasons why it’s a huge concern is that signature based anti-malware products such as anti-virus are mostly ineffective as ransomware is written and tested to avoid detection by AV products and the signatures can change hundreds of times in rapid succession.

Now let's get back to the “canary in the coal mine” analogy.  I believe that the most troubling aspect of ransomware is NOT its effect on the end user, but more that it is so incredibly effective in:
  • Penetrating corporate network perimeter defences
  • Able to execute as a new process on a victim machine
  • Call out to a server on the Internet to download an encryption key (refer to the update below)
  • Typically, the first time anyone detects the malware is because their work files (or cat videos) cannot be accessed because they are encrypted
I often get asked “can you restore my files?” Unfortunately, the answer most often is “No”. Ironically most ransomware uses strong and well implemented cryptography and it is not economically or technically viable for anyone to attempt decryption. The point here is that we need to move on from believing all attacks can be prevented; we also must realise that attacks must be detected quickly to prevent damage to the business. The fact that most attacks are not directly detected by the victim, but by the action of the external party (encrypting data) is what really troubles me as a security professional. Security controls should be preventing as close to 100% of attacks as possible, but there remains a fraction of successful attacks that we must detect and respond to before significant damage is done to our businesses.

I think we should be closely looking at the lessons we learn from ransomware to show us how effective our security preventative and detective controls are, and how they have failed. Every time ransomware is able to execute and encrypt data, our preventative controls have failed. We can use this incredibly destructive and annoying malware as a tool to learn about the shortcomings of our security program, or the digital canary in the digital coal mine (when the canary is dead it’s time to evacuate) so we can:

  1. Prevent and detect more ransomware and other malware incidents
  2. Be better able to defend our enterprises against more skilled and determined attackers such as organised crime and nation state funded actors

The point is that if ransomware can operate in your environment then there is little hope you have of being able to defend against the more skilled and determined attackers. The critical questions that must be answered is “how did the ransomware get through my perimeter controls?” and “how was it able to execute and encrypt data without being detected before a victim loses access to their critical business documents (and cat photos)?”

Detecting a threat in the environment is critical to minimising the damage malware does in the network, which is why we need multiple layers of controls to protect. We should not get too far into the preventative controls here, but like our mothers used to tell us “An ounce of prevention is worth a pound of cure” (my mother never went metric). There have been PLENTY of articles written about preventing ransomware and other malware so I do not want to rehash what has already been done. If you want to look for articles on prevention I suggest you have a read of the Cisco Talos blog “Ransomware: Past, Present, and Future”.

One last word on prevention, before we move on to what we are here for. There’s a simple to deploy technique that is being overlooked by most information security professionals – blocking DNS lookups of known malicious sites. Cisco acquired OpenDNS in 2015. One of OpenDNS’ main functions is to provide a safe DNS infrastructure for name resolution services. The differentiator with OpenDNS over many standard DNS services is it provides protection by blocking name resolution for known malicious domains. The reason blocking DNS lookups for ransomware is effective, is that most, if not all, ransomware uses a multi-stage attack where an email is typically used to deliver the payload and when the payload executes it calls (for example) to generate an encryption key. Yes, it is not perfect as we are playing catch up, and would be preferable to prevent the initial infection, but if you don't get your data encrypted we can call that a win!  More details of this functionality can be found here.

Now lets get to the crux of concept of the canary in the coal mine analogy. What I’m trying to say is that the presence of ransomware is an indicator of bigger problems. You can think of ransomware as the (unfortunately) dead canary on the bottom of the cage that has detected the gas leak. I believe that you should be looking for the root cause of the ransomware incident rather than concentrating on your canary problem. Root cause analysis will show how the ransomware got into the enterprise and when you can understand that, you can start to fix the problem. Please do not go and buy a shiny new security object to fix the security problem before it is properly understood. Without fully understanding the problem you may be fixing something that will not improve your security posture commensurately. We all have the shiny object syndrome, but choose your time to act and resist the pressure from your peers as much as possible.

Consider the points I made above about:
  1. Malware (typically) comes into the network through the corporate email system
  2. Unknown software (ransomware) being able to run without human intervention on one of your corporate systems inside the corporate boundary
  3. Then connects to the outside world through your corporate proxy server, IPS and firewall(s)
This is remarkably like the tactics used by nation state attackers when setting up their beachhead inside the corporate boundary before stealing your intellectual property.

Starting to smell rotten eggs now? This is the real reason why we are so concerned about where ransomware can run, because if ransomware can run, so can nation state attackers and they can do a far sight more damage to your business than encrypting a few files. The typical motivation of nation state attackers is to steal your intellectual property, pricing information, customer data et. al. for the financial benefit of their own country.

This brings into a stronger focus the benefits of doing a proper root cause analysis of the ransomware incident as it’s not just about the one, two or more systems that run the latest ransomware variant and cause the ensuing mayhem of trying to minimise the damage and recover the data.

If you have planned ahead and have decent backups of your critical data (kudos to you if you have), then you don't need to get too spun up about the effects of the ransomware and the recovery is pretty straight forward. Make sure you learn the lesson that the ransomware incident has taught you. Find out how the ransomware got inside your organisation, and put in better controls to stop it happening again, or at least minimise the chance of it happening again (there’s no panacea for all ransomware). Then work out what it did on the endpoint and build a strategy for stopping from that happening again.

Next is to look at the network communications and determine how you could have a) disconnected it (e.g. blocking DNS calls to known malicious domains); or b) detected it earlier to minimise the damage.

One of the key differences between nation state attackers and the cybercriminals behind ransomware is the end goal. Cybercriminals are after money and typically the faster the better, whereas nation state attackers are playing the long game and looking for the data of choice. They want to maintain access and stay in your network for the long term, whilst extracting the data that they are looking for. Nation state attackers move laterally, hopping from system to system, looking for the data that they have been tasked with finding, and acquiring the administrator credentials often necessary to get access to this data. All of these actions have signatures, or indicators of compromise that you can detect with the right tools.  If you have not looked for them, or had a skilled team working on your behalf, you might be shocked at what you discover.

The objective is to learn from the incident and make continuous improvements to your defences and detection capabilities. If ransomware can run in your environment, then so can the tools that nation state attackers use, and this is a cyber arms race against attackers, whether they be nation state, cybercriminals, or activists with a keyboard. So when you realise that the adversary is continuously improving their tools and techniques (as recently demonstrated by the cybercriminals and their ransomware campaigns), then you had better be doing the same to maintain your edge so your business can survive.

Remember that ransomware, whilst annoying and inconvenient, is just the canary in the coal mine. If your yellow bird is on the bottom of the cage, you’ve potentially got bigger problems.

Update: 20 July 2016

A new version of the Locky ransomware operates in offline mode so does not need to call back home to get encryption keys. Read the following PC World piece for more details.

Guest Blog - First published by my colleague and good friend Goma  and inspired by the Western Australia outback - not that there are many canaries there!

The Changing Face of the Healthcare Security Leader

Yesterday’s Healthcare Security Leader
A mere ten years ago, if you worked with just about any hospital or healthcare provider you may have come across the Information Security Manager, Director of Security and Compliance, or someone who filled this role under another title. Their role was to lead ‘IT Security’ and manage a small staff of security administrators or analysts, whose role in turn, was to provision users to systems, and troubleshoot access problems. The team would also occasionally check firewall and other security logs when time permitted, amongst a myriad of other tasks and responsibilities, including vulnerability testing and HIPAA and PCI self-assessments.

Healthcare security teams usually were (and still are) smaller, less skilled and poorly paid compared to their peers in other industries. Their need to be generalists prevented them from specializing in key areas like threat analysis and incident response, or the development of deep technical security skills. Security was often an afterthought in IT architecture or development conversations, and usually seen somewhat negatively as being an obstacle to the release of new systems or feature improvements to older ones.

The security leader, even if they had a ‘CISO’ title, often reported into IT, usually below the CIO, CTO, or someone even more detached from the board. The conflict of interests between IT’s mission to provide technology systems for users, versus security’s mission to protect the enterprise was very apparent. Security usually lost most battles with IT as well as with end users over new requirements. Rebellions were commonplace against improved user security controls, even for something like the implementation of complex passwords rotated every 90 days - things we take for granted today. A mere ten years ago healthcare was a living bastion of the past; a loud and vociferous user base dominated by Physicians happy to take their complaints directly to the board or to threaten to take their business elsewhere. This ensured that nothing was put in the way of patient care – even a password! Such was the power that Physicians wielded.

Security was usually funded with whatever was left over or could be spared from the IT budget. Consequently it was seen as a drain on new tools and improved functionality for users. Whatever security received, it was usually way too small to do much with.

Occasional vulnerability and penetration testing along with compliance assessments against HIPAA, PCI and security frameworks like ISO and NIST were duly reported to CIO, CTO, or the designated compliance officer, complete with a list of identified gaps. However remediation of gaps was usually given little priority compared to the IT mission to build and release new application functionality “required” by the business. That is, a business, run and largely controlled by clinicians and a business focused more or less solely on providing patient care.

It was doubtful that the hospital or healthcare board of directors was ever provided with specific details of any such security audits or assessments, merely informed that the covered entity was compliant with HIPAA, PCI and any other regulatory requirements (if the subject came up at all). The security leader had no direct access to the board, and was considered too junior to address these chieftains in person. Even if offered the opportunity, the security leader would probably talk in a language that the board wouldn’t understand. Security leaders were largely kept in the shadows, their message relayed and filtered by the CIO or CTO.

Today’s Healthcare Security Leader
Move ahead ten years and the picture has begun to change. Larger healthcare providers have an executive level security leader, or even a Chief Information Security Officer (CISO) who, while they may still report to the Chief Information Officer or Chief Compliance Officer, will have a seat at the table for quarterly board meetings and may now chair sub-committees on security, privacy and compliance.

Security is now recognized as one of the most important enterprise risks by healthcare boards of directors. Media fixation with security breaches at other provider or payer organizations, complete with news of fines, penalties and reciprocity to patients whose information may have been disclosed has ensured this. So too has media attention to ransomware outbreaks at health providers and the encryption of hospital data and IT systems needed to treat patients. Such is the power of the media and the impact to business revenues and reputation when security incidents occur.

This increased focus on security by the board is leading to demands for not only regular situation reporting on security, privacy and risks from the CISO, but also reporting from the CTO, COO, CFO and CEO on what is being done to address identified risks. In the course of ten years, Security Leadership reporting has gone from almost unnoticed to 'center stage'.

In fact, corporate boards are now in some cases directly appointing external highly experienced CISOs to lead security and to act as change agents across the organization. These 'Change Agent’ or 'Advisory' CISOs are often brought in from leading security organizations or from the Big 4 audit firms. They are deployed for a finite period of time in order to achieve rapid advancement in the security, risk, and compliance posture of the organization and to get up and going, a security program that can be taken over my a more junior full time replacement once the Interim leader has done his or her work.

Despite this recent focus, according the Cisco Security Capabilities Benchmark Study (PDF) healthcare organizations are still not implementing as full an array of strong security defenses as organizations in other industries. Furthermore, the report claims that healthcare organizations are more likely than those in other industries, to try to manage their security needs internally instead of outsourcing services such as monitoring, incident response, remediation, and auditing. This slowness to embrace expert services in key specialty areas, may account for the recent spike in healthcare breaches as hackers focus their attention on easy targets.

The same survey also indicated that CISOs tend to be more optimistic than their SecOps colleagues about their security protections. It could be that as security leadership gets further away from the hands-on defense of the realm, so too does their realization of the ability of healthcare, to respond to a threat landscape that changes almost daily. Healthcare is after all, under attack as widely reported in previous articles and publications!

Given the scarcity of security resources, and the ability of healthcare to attract and retain such professionals in a highly competitive market, this is hardly surprising. According to Cisco’s 2015 Mid Year Security Report there is now a 12x demand over supply for qualified or experienced security professionals, and despite limited success to hire or grow additional security resources, healthcare simply cannot onboard enough security staff to defend itself against current attacks.

The result is that many healthcare providers are now looking at ways to maximize the effectiveness of their limited security staffs, by consuming managed security services for much of their security operations threat detection (PDF) and incident response (PDF) in order to free up security team members for higher value tasks.

This change in focus was recently identified in the Cisco 2016 Annual Security Report.

As security professionals become aware of threats, they may be seeking ways to improve their defenses for example, by outsourcing security tasks that can be managed more efficiently by consultants or vendors. In 2015, 47 percent of our surveyed companies outsourced security audits, an increase from 41 percent in 2014. Also in 2015, 42 percent outsourced incident response processes, compared with 35 percent in 2014. (See figure below)

In addition, more security leaders are outsourcing at least some security functions. In 2014, 21 percent of the survey respondents said they did not outsource any security services. In 2015, that number dropped significantly, to 12 percent. Fifty-three percent said they outsource services because doing so was more cost-efficient, while 49 percent said they outsource services to obtain unbiased insights.

While healthcare security leadership and better visibility has greatly improved the size breadth and expertise of security teams, it has by and large, made only limited advances to overall security, fueled in part by limitations on security budgets and the availability of additional or specialist security professionals. At the same time, the enormity of the threats leveled against healthcare payer, provider and pharmaceutical organizations has grown exponentially, creating further gaps in security. The need for security leaders to evaluate security needs holistically and to spend money wisely is perhaps more important now than ever before.

Information Security is also not immune to the ‘Do More With Less’ mantra that is affecting all areas of business, and must be creative in how it allocates its resources, and selective where it spends its money. Looking for opportunities to improve efficiencies while at the same time improving the probability of security outcomes, is now the new ‘modus operandi’ for security leaders.

Tomorrow’s Healthcare Security Leader
The security leader of tomorrow will be an executive in charge of his or her own budget, staff and the procurement where it makes sense, of vendor provided security functions that can be consumed as a service, often better, cheaper and faster than developing or running these from within. In the same way that the cloud has changed application development and the internal data center, so too will the consumption of security services.

Tomorrow’s security leader will also more than likely be titled ‘CISO’, or 'CSO', fulfilling the role of information security leadership and governance. They will likely report outside of IT to the COO, CFO or directly to the CEO. They might even sit at the right hand of the CEO in board meetings, and will be instrumental in helping to maintain the confidence of the CEO in the eyes of the board.

During the dot-com bubble we used to talk of an ‘Internet Year’ being nothing more than a few months or weeks. Its not surprising then, that in the period of a mere ten solar years, the role of the healthcare security leader has evolved an ‘Internet millennium’.

Given the almost exponential change in cybersecurity, how many solar years will it take for the healthcare security leadership role to evolve another Internet millennium?

What cybersecurity event or series of events will accelerate this shift in paradigm – of not just security leadership and governance, but also healthcare security posture and spend?

Will it require a hospital system to be sued out of business following a massive breach of patient, financial or other critical healthcare information? Or will healthcare leadership pro-actively address its business-life-threatening risks before its too late?

This blog was originally published to