
Australian Healthcare Highly at Risk


Just learned that my interview with Nick Whigham at Australia's www.news.co.au has gone viral. The interview, which was published last week, talks about the general state of security surrounding the Australian Healthcare industry and is based upon two weeks of workshops and other meetings I ran across the country in November with Senior Healthcare Executives.

The full article can be found here


Aussie Healthcare Scrambles to Catch Up

Assessing the cybersecurity outlook for Australian Healthcare.   Photo: Paul Carmona, Sydney.

Australian Healthcare providers are scrambling to defend against increasingly well-armed and financially-motivated opponents in the battle between good and evil going on across cyberspace. After years of staying out of the spotlight, healthcare is now being targeted by cyber gangs looking to get rich quickly, and foreign nation states seeking leverage over individuals.

Fifteen to twenty years behind other industries like banking and financial services, Australian Healthcare is suffering from a case of 'Too Little, Too Late' in its build-out and investment in robust cyber defences and is now beginning to pay the price.

Well-publicised attacks against flagship hospitals such as Royal Melbourne and others have finally alerted the Australian general public and health system leaders alike to the looming threats facing the healthcare sector. It's not just the big city hospitals either; ransomware and other cyber attacks have been reported right the way across the country and even in small GP practices in remote rural communities.

Theft of lucrative personal information and personal health information, especially as medical records go digital, is a rising threat, as is attack by ransomware and other forms of extortion.

Surveys suggest that presently most Australians are not that worried if their medical records go up for sale on the web, though most have not really considered the possible impact of identity theft. What is more concerning to Australians is a denial of service attack such as ransomware, that could take critical systems off-line when needed to treat someone or to save a life. Most Aussies simply haven't given that much thought to the security of their medical records or a possible attack on their doctor's office or local hospital. Very few people surveyed were even aware of the growing number of network connected medical devices and the threat they pose to patient safety.

These and other cybersecurity concerns have been the subject of discussions this week at executive workshops led by the author in a series of meetings with healthcare leaders stretching from Brisbane through Sydney and Melbourne to Perth. From State healthcare systems through to private providers and payers of health services, the message is pretty much the same. "We have failed to invest in information security in the way we probably should have over the past five to ten years", said one State CIO. "That includes technology infrastructure and the skilled resources to manage our security program."

While government Ministers stress the importance of making improvements to healthcare security, additional capital and operational budgets have not yet been made available to hospitals to make changes, claimed the leaders of several hospitals in a workshop in one major city.

In a meeting with the leaders of one of Australia's largest private healthcare providers, the CIO acknowledged the critical need for improvements to be made to the organisation's security program, adding that security investments would probably have to wait till next year as he already had a heap of even more critical needs in front of him.

A stormy outlook has caused Australian Healthcare to play catch-up. Photo: Kieren Andrews, Melbourne.

The need for improved security to protect hospitals, doctors and patients from cyber attack is finally being recognised across the country, though it remains to be seen just how much of a priority it will be to secure patient health information, and prevent cyber attacks that compromise critical clinical information systems needed to treat patients. "It may take another one or two Royal Melbourne Hospital sized incidents before security gets the kind of funding and support that is really needed," suggested one healthcare senior leader who asked not to be named.


Kiwicon X

Kiwicon X, Wellington, New Zealand

Part hacker conference, part cult event, part rock concert; Kiwicon X fully lived up to expectations this week. Attendees were treated to an almost constant barrage of live hacks, demonstrations, presentations and more live hacks in the southern hemisphere's answer to Black Hat without the tackiness and desert heat of Las Vegas.

That's not to say that attending Kiwicon is in any way safer than Black Hat - leave anything electronic a mile away from the conference, and if you do take a credit card then make sure you have a lead-lined wallet to prevent it being inadvertently scanned by someone.

Live hack demonstration

Oh, and did I mention the plutonium or uranium brought on stage to demonstrate how to break cryptography in a presentation entitled “Radiation-Induced Cryptographic Failures and How to Defend Against Them”? Maybe the attendees dressed up in silver radiation costumes weren't exactly wearing 'costumes' if you know what I mean!

Laser light show, Kiwicon X Hacker Conference, Wellington, New Zealand

If the radiation didn't fry you and the pyrotechnics didn't burn you, then the lasers almost certainly blinded you - albeit temporarily! What a show!

Fireproof conference attire advised for anyone in the first 5 rows

With an opening presentation that could easily have been incorporated into an episode of the X-Files TV series, and other presentations that included "Hacking the Red Star OS" - North Korea's only approved PC operating system, and “Defending the Gibson in the Age of Enlightenment” I was never quite sure whether the coffee I was drinking had been spiked or not.

“The Truth Is In Here” by Metlstorm opening presentation

Kiwicon X was informative and entertaining on SO many levels!

The house was packed for nearly every presentation

Despite a major earthquake that shut down Wellington not long before the conference and multiple aftershocks during the conference, the show was a great success.

Kiwicon X, Wellington, New Zealand

It was great to meet and chat with so many utterly smart if slightly deranged people. I hope to drop in again for another Kiwicon at some point in the future.

More lasers at the Closing Presentation


Light at the end of the tunnel for New Zealand Healthcare

Te Whanganui-A-Hei Marine Reserve. Photo: David Sutton.

Despite continuing austerity measures across the country, there is light beginning to appear at the end of the tunnel for New Zealand Healthcare. This includes a number of measures underway to expand capacity to reduce waiting times. It also includes some long-needed improvements to cybersecurity and privacy. This was the message I received during meetings this week with the New Zealand Ministry of Health in Wellington.

The Ministry of Health oversees some 20 District Health Boards, each of which is responsible for administering the delivery of health services in its designated area. While some of the DHBs have pooled their resources for shared IT and security services, there are few to no common IT or security solutions across the entire country. Each board is free to do its own thing, we were informed. The result is disparate clinical and health information technologies across a sparsely populated country of just over 4.6m people.

Some areas of New Zealand appear to be better served by IT and IS capabilities than others, though common areas of concern appear to exist across all DHBs. These include the need for improved identity and access management, threat intelligence and security operations center expertise to identify and respond quickly to cyber attacks.

The greatest challenges, however, appear to be political in nature, in getting the DHBs to agree to common systems and processes or shared cybersecurity expertise for threat intelligence, security operations and incident response. While at the Ministry level this need seems to be recognised, the DHBs appear to be fiercely protecting their turf - at least for now!