Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

The Rising Threat of Offensive AI

Can we trust what we see, hear and are told?

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

2017: A Milestone Year for UAE

The American Hospital Dubai.
The American Hospital Dubai.
2017 was a watershed year for healthcare providers in the United Arab Emirates. Joint ventures with US, UK, European and other healthcare partners saw the start or completion of a number of large hospital construction projects, vastly expanding the number of beds and types of procedures that can be conducted throughout the emirate.

Partnerships with US-based Childrens' National Medical Center, The Cleveland Clinic, Johns Hopkins, MD Anderson, and the Mayo Clinic, have greatly helped improve care for UAE citizens, resident workers, and health tourists coming to the UAE for medical procedures.

Cleveland Clinic Abu Dhabi.
Cleveland Clinic Abu Dhabi.
In fact health tourism is a major area of growth for both Dubai and Abu Dhabi. During a recent visit to the emirate, I was told that health tourism is on track to seeing 500,000 overseas medical tourists by 2021. Judging by the prolific amount of hospital construction evidenced during my visit and the apparent brain-drain of top physicians and healthcare administrators being lured from the west, the UAE is on track to become a major medical tourism destination.

A number of successful organ transplants took place this year including the first full heart transplant at the Cleveland Clinic Abu Dhabi, the Basmah free cancer treatment initiative got underway and Dubai achieved mandatory health insurance for all its residents, as part of a UAE-wide initiative underway to health insure the entire country.

New Medcare Women and Children's Hospital in Dubai.
New Medcare Women and Children's Hospital in Dubai.
New hospital facilities ready to go.
UAE is a major Health Tourism destination.
UAE is a major Health Tourism destination.

Health Tourism. Cleveland Clinic Abu Dhabi.
Cleveland Clinic Abu Dhabi.
The deployment of UAE's electronic medical record system continues to help improve patient outcomes and some 1.4m Dubai residents now have ‘smart’ medical records. On top of all this, plans were agreed for 2,000 more nurses, midwives and allied health professionals to be recruited by the Department of Health, Abu Dhabi.

Saudi German Hospital, Dubai.
Saudi German Hospital, Dubai.
But all is not well in paradise. 2016 and 2017 were also watershed years for cyber crime in the United Arab Emirates. Studies suggest that compared to the rest of the world, UAE and its larger neighbour Saudi Arabia, are being targeted for attack and that this is beginning to impact both oil-rich nations.

A recent study by the Ponemon Institute shows that the average cost of a data breach in Saudi Arabia and the UAE in 2017 was $4.94 million (Dh18.1 million), up 6.9 per cent since 2016. These breaches on average cost organisations $154.70 per lost or stolen record on average. On top of that, Saudi Arabia and the UAE are amongst the top spenders ($1.43 million) on post-data breach response.

The 2017 Cost of Data Breach report also revealed that malicious or criminal attacks are the most frequent cause of data breach in Saudi Arabia and the UAE. Fifty-nine per cent of incidents involved data theft or criminal misuse. These types of incidents cost companies $171.70 per compromised record, compared to $130.70 and $128.50 per compromised record as a result of a breach caused by system glitch or employee negligence, respectively.

The average cost of a data breach in Saudi Arabia and the UAE in 2017 was $4.94 million (Dh18.1 million)
Average cost of a data breach in UAE in 2017 was $4.94 million (Dh18.1 million)
Top factors that contributed to the increased cost of a data breach in Saudi Arabia and the UAE include compliance failures and the extensive use of mobile platforms.

Scott Manson, cybersecurity leader for the Middle East and Turkey at Cisco, said: "Cybersecurity is finally becoming a top-of-mind business objective for many with many organisations making the board hold accountability, which makes sense considering a large security breach/incident doesn't only affect finances and productivity, but can severely damage customers' trust towards the brand."

According to the study, how quickly an organisation can contain data breach incidents has a direct impact on financial consequences. Globally, the cost of a data breach was nearly $1 million lower on average for organisations that were able to contain a data breach in less than 30 days compared to those that took longer than that. On average, organisations in Saudi Arabia and the UAE took 245 days to identify a breach, and 80 additional days to contain a breach once discovered.

Most of the large recent security breaches in UAE have targeted financial institutions, but as banks continue to invest rapidly and heavily in security, so other UAE industries are becoming the focus of cyber criminals. That includes healthcare. With patient safety directly impacted by cybersecurity and system availability of critical treatment systems, hospitals have much more to lose in the event of a successful cyber attack. While none of the hospitals I recently visited had knowledge of a security breach, many executives acknowledged that it was only a question of time before their institution could be hit. While investment in UAE hospitals and clinics has been huge, most of the money to date, has been targeted at the direct delivery of clinical services to patients. Security and privacy have yet to catch up.

Health Tourism. Cleveland Clinic Abu Dhabi.
Cleveland Clinic Abu Dhabi.
Health Tourism. Cleveland Clinic Abu Dhabi.

As the healthcare industry in the UAE continues to develop and expand to a global provider of services to international patients, the emirate needs to invest heavily in cybersecurity and privacy capabilities to protect patient information and critical clinical information technology from cyber attack. Otherwise the huge investments in buildings, equipment and highly-skilled medical staff will all be for nothing.

Once those investments in cybersecurity controls and staff are in place, UAE will surely be on the top of many people's lists for elective medical procedures. After-all, who wouldn't want to recuperate in a luxury desert oasis!

Beverly Hills Security Summit

What keeps your CEO up at night?
Beverly Hills Security Summit CISO Forum. Photo: Tina Kitchen.
  • What is it that keeps your CEO and Board up at night?

  • How do you communicate cybersecurity risk to the Executive Leadership Team and the board, and do you talk to enterprise risk or just technology security risk?

  • In planning to address ELT and board risk concerns, how are you going about the development of a security risk remediation plan?

  • Have you considered the development and maintenance of a multi-year enterprise Security Roadmap and do you have anyone to help you in its development?

  • What approaches work best at other healthcare entities and what can we all learn from one another?
Richard Staynings hosts the cybersecurity forum
Richard Staynings. Photo: Tina Kitchen.
These were just some of the discussion points between the assembled Chief Information Security Officers and other senior healthcare leaders during a Leadership Roundtable at the Beverly Hills Health IT Summit and Security Forum today.

The event was held at the Sofitel Los Angeles at Beverly Hills, and attracted several hundred CISOs, CIOs, COOs,  along with various Directors of Technology, Cybersecurity and Health Information Management.

The lunch was arranged and sponsored by Optum Security Solutions, part of Optum under the UnitedHealth Group umbrella, and was hosted by Optum's Tina Kitchen.

Mark Hagland, Editor and Chief at Healthcare Informatics, and Richard Staynings of the HIMSS Privacy and Security Committee led the discussion.

Institutional reputation remains one of the biggest concerns, particularly at high profile clinics attended by celebrities, but is the patient population becoming sufficiently jaded and numb to all of the breaches of health information to walk elsewhere? And if most other healthcare delivery outlets are impacted by security breaches then where do patients go? At the end of the day, law suits and restitution notwithstanding, we heard that patients want the best possible treatment they can afford, and will suffer through the diminished reputation of a clinic in order to receive that care and attention.

The complexity of large health systems, particularly as mergers and acquisitions drive even larger conglomerates, creates political and technological barriers to the implementation of enterprise-wide holistic security controls and causes duplication of effort and expense. Where management of these systems has not been consolidated and centralized, the Enterprise Chief Information Security Officer will have an especially hard time. Numerous divisional leaders including CIOs and COOs need to be consulted before new security controls can be implemented, and this task becomes even more daunting for the CISO in research or academic health where conflicting business drivers can seriously compound problems in access to PHI.

The frequency and magnitude of attacks against healthcare continues to climb, as well-funded and highly motivated attackers, be they nation states or criminal gangs, ply their craft at healthcare's expense. This is keeping all of us on our toes and stretching security in many hospitals to the limit. Understanding where threats are coming from and quickly identifying potential indicators of compromise is increasingly becoming a challenge and one where for healthcare, the need for help from specialist partners becomes increasingly evident.

Risk remediation needs to be targeted to the areas of greatest potential impact for each institution. Available resources simply don't allow for the remediation of all areas of weakness. The number of security resources available to security leaders is also a constraining factor and is leading to a dramatic increase in the consumption of managed security services from partners like Optum and others. This trend is set to continue as the availability of security resources becomes even more competitive and better-funded financial services organizations attract more and more healthcare security professionals.

Taking all these factors into account, we heard that the importance of an Enterprise Security Roadmap is becoming critical in not only security planning, but also for communication upwards of that plan to senior executives and the board. We also heard that Optum Security Solutions has had great success in helping healthcare customers to develop and maintain security roadmaps for a wide range of healthcare entities, and these have greatly helped reduce security risk and to stave off attacks.

Overall the lunchtime session resulted in a full and frank exchange of ideas from assembled guests along with a better understanding of what seems to work best in a healthcare environment, where compliance, institutional reputation and patient safety all play a critical role.

Attendees included:
  • Sriram Bharadwa, CISO, UC Irvine Health
  • Carl Cammarata, CISO, Northwestern University - Feinberg School of Medicine
  • Cris Ewel, CISO, UW Medicine
  • Mark Hagland, Editor and Chief, Healthcare Informatics
  • Norman Hibble, County of San Luis Obispo - Health Agency
  • Chris Joerg, CISO, Cedars-Sinai
  • Tina Kitchen, Sr. Solutions Executive, Optum
  • Surya Mishra, IT Director, Blue Cross Blue Shield Association
  • Olaf Neumann, CIO, Inland Behavioral and Health Services, Inc.
  • Casie Phillips, Regional Manager, Healthcare Informatics
  • Richard Staynings, HIMSS Privacy and Security Committee
Thanks to everyone for their participation and a great exchange of ideas.

Photo: Tina Kitchen.

Securing Health IT Value

Richard Staynings kicks off the VA HIMSS Annual Conference.
Richard Staynings kicks off the VA HIMSS Annual Conference.  Photo: David Stewart.
One of the fundamental conditions to deliver health IT value is security. Without it Health IT Systems cannot protect confidential data, validate the integrity of medical records, or ensure that clinicians can access IT systems in order to treat patients.

The recent WannaCry attack that took out part of the British NHS, and other ransomware attacks that have crippled hospitals all over the U.S. should be a wake-up call for healthcare leaders. Without security, health IT can be a liability rather than an asset. Furthermore, cybersecurity and patient safety are now inextricably joined at the hip.

Richard Staynings. Working the audience.
Richard Staynings works the audience. Photo: David Stewart.
Emerging and new technologies will help drive the efficiency and security of Health IT, but their adoption or readiness for widespread production use, may be 3 to 5 years away. New technologies require planning and forethought, and not all of them will be suitable for everyone. Given the pace of change and the inability of many healthcare payers and providers to attract and retain top cybersecurity talent, alternative approaches to the consumption of these new capabilities may be necessary.

Rather than hire, build and integrate, it may be faster and more cost effective to procure capabilities as a service. This is particularly so in security where fierce competition to attract and retain cyber resources places the healthcare industry at a disadvantage compared to other better paying employers.

Richard Staynings keynotes the VA HIMSS Annual Conference.
Keynoting VA HIMSS 17. Photo: David Stewart.
This was the theme of my keynote presentation today at the Virginia HIMSS Conference at the Kingsmill Resort in in Williamsburg, VA. attended by just under 400 of the Commonwealth’s healthcare technology leaders and those that help to keep them being successful.

Richard Staynings. Machines already outnumber Humans.
Machines already outnumber Humans. Photo: David Stewart.
My keynote was followed up later in the day with a second High Impact Ted style talk on the changing face of security and IoT in a healthcare environment. I think I had everyone's undivided attention!

My special thanks for the VA HIMSS Executive Team for making me feel so welcome and for an extremely well planned and organized event. And what an idyllic location for a day of charity golfing followed by two days of educational conference! I'll have to remember this place. Your hospitality was inspiring as were all of the speakers who presented.

Richard Staynings, Cisco
Richard Staynings, Cisco. Photo: Leigh Thomas Williams.
As promised, here are links to my decks. Feel free to leverage for your own graphically assisted conversations with your boards of directors / regents, and your executive leadership team.
Anyone needing CPE credits here's your link

HITSecurity Forum

Richard Staynings addresses the audience at the HIMSS Healthcare Security Forum 2017
Richard Staynings, HIMSS Privacy & Security Committee. Photo: Tina Kitchen.

‘Security is an industry where we are continually developing new solutions without understanding the problem we are trying to fix’.

This was the basis for a presentation I gave to the HIMSS Healthcare Security Forum today in Boston.

Richard Staynings addresses the audience at the HIMSS Healthcare Security Forum 2017
Richard Staynings presents new security technologies. Photo: Malissa O'Rourke Miot.
The session discussed the adoption of new and emerging tools and approaches to secure healthcare data and IT system availability. Tools like NGFW, Micro-Segmentation, Biometrics and MFA, Blockchain, Big Data Analytics, Machine Learning and AI. Tools that boost automation, protection, visibility, and intelligence, leading to improved threat detection, and containment of inevitable attacks.

Richard Staynings
Richard Staynings discusses new security tools. Photo: Tina Kitchen.
As with any new tool or approach, security leaders need to fully understand the costs, benefits and drawbacks before adoption, and how quickly, easily or difficult each tool can be integrated into the existing infrastructure. Furthermore, they need to be able to articulate and defend exactly what business risk gaps, each tool will address, what business benefits it will provide to the organization and what legacy tools it will retire.

As security leaders, we need to work smarter, not harder, and with an average 65 disparate security vendors in each US hospital, we need to consolidate to a smaller, leaner and more manageable toolbox.

Richard Staynings addresses the audience at the HIMSS Healthcare Security Forum 2017
Photo: Tina Kitchen.
Thanks to the attendees, sponsors and organizers of the HIMSS Media Healthcare Security Forum today in Boston.

Understanding Medical Device Security

The FDA recall of a medical device last week has caused a bit of a media storm as the general public scrambles to find out more. The fact that a medical device meant to help sustain life is insecure and could be hacked to kill a patient is alarming to all of us. More worrying is that the medical device subject to the recall, a cardiac rhythm management product, or “pacemaker” to the rest of us, is probably not an anomaly. Many other medical devices more than likely also lack adequate security.

To understand the risks, we first need to understand the problem. To be honest, this could require an extensive series of blog posts over weeks to fully examine and explain this properly, but here’s the 50,000-foot version.

Different types of medical devices and the risks they pose

First, there are the implantable medical devices (IMDs) like the medical pacemaker at the center of this story. This group of medical devices includes the implanted insulin pump that security researcher Barnaby Jack hacked live on stage at the Miami Hacker Halted Conference in 2011, reconfiguring the device to deliver a lethal drug dose. It also includes a pacemaker that was hacked, again by Jack, at the Melbourne BreakPoint Security Conference in 2012 to deliver a lethal 830 volt electric shock to a patient.

Second are the much wider range of network-attached medical devices used in healthcare delivery. These include:

  • Diagnostic imaging systems: ultrasound, MRI, PET, CT scanners, and X ray machines 
  • Treatment equipment: infusion pumps, medical lasers, and surgical machinery 
  • Life support: ventilators, anesthetic and dialysis machines 
  • Medical monitors for oxygen saturation, blood pressure, ECG and EEG, and many, many more. 

The greatest data-security risks for medical devices

Network-attached devices far outnumber implantable ones, but both have one thing in common—a very long life span! No one wants a pacemaker that needs to be replaced every couple of years, and hospitals simply can’t afford to rip and replace their multi-million-dollar investment in x-ray machines, and PET and CT scanners if they still work perfectly. Many current medical devices are 15 or 20 years old already, placed into service when the rest of us were deploying Windows 95 and dial-up modems.

The greatest risk to medical devices, however, is that many lack even the basic security protections that a $200 home PC has - things like antivirus software and a host firewall. The danger is that when a malware worm gets into a hospital and spreads its way laterally across the network to reach highly vulnerable medical devices, it either quickly infects them (many of the newer models run a form of Windows XP), or the malware multicast traffic storm causes the medical device to crash or just stop working. It’s not that someone hacked and changed a parameter - although that is a distinct possibility, but it’s more likely that its battery becomes quickly drained and powers off, or the system blue screens and ceases to provide life-sustaining care.

Understanding the Problem

You can't protect what you don't know about and most hospital systems have very little idea just how many medical devices they have on premise and how many attach to their wired or wireless network and therefore pose the highest risk. Or more importantly, how many of those devices contain PHI and are therefore subject to annual HIPAA Risk Assessment and OCR validation that a risk assessment has been conducted annually.

To manage a problem you first need to understand the problem. Performing an accurate and periodic or ongoing asset inventory is a first step. The difficulty is twofold however: medical devices do not just simply show up in a Windows Explorer or Finder view of the network, nor can they be actively scanned in many cases. Secondly, many devices are powered on as needed for patient care and powered off when not and returned to storage. So understanding exactly how many you have, what each does, and what versions of OS and software each is running, while at the same time trying to avoid double counting is not exactly easy.

What is needed is a way to passively monitor the network to identify typical medical device network traffic along with endpoint IP addresses, VLAN and physical location, and to perform some sort of profiling of devices including the identification and recording of unique device characteristics. Fortunately, there are tools and companies that do this now, so you don't need to reinvent the wheel.

Once an inventory is obtained you can identify potential weaknesses, known threats and vulnerabilities and evaluate probability and likelihood as you would for other IT devices subject to HIPAA Risk Analysis. Once you have identified your highest risk devices, you can set about patching or otherwise remediating risks, or implement compensating security controls till such time as a longer term solution can be implemented or the vulnerable assets retired and replaced. Unfortunately, most medical devices today exhibit some level of risk and older devices may prove to be more secure than newer ones thanks to obscure operating systems or firmware compared to today's COTS (commercial off the shelf) embedded OS versions.

How to reduce risk and protect devices

It’s going to take years to patch or replace the arsenal of insecure medical devices and billions of dollars that healthcare providers simply don’t have. So, we need to look at alternatives to secure them for the rest of their life-spans. This is best accomplished by the use compensating security controls, which doubles as an acceptable audit of risks as far as HIPAA and OCR are concerned.

By far the most effective approach is use of network access control (NAC) using microsegmentation, where medical devices are locked down and secured by the software defined network (SDN) they are attached to. (Attempting to manage 350,000 individual medical devices otherwise in a hospital is near impossible.)

Modern network infrastructure supports security technologies like Cisco TrustSec©, where each network port acts as a virtual firewall. Using security group tags (SGTs), and identity services engine (ISE), network traffic is controlled so that only specifically authorized users - biomedical equipment technicians (or BMETs, as they are known) - have access to reprogram devices, and these systems are only able to communicate with designated internal IP addresses using predetermined ports and protocols. The network will drop everything else, like malware traffic and any connection attempts from unauthorized users. Many of the more advanced healthcare providers have already adopted such an approach, and by employing compensating security controls like ISE and TrustSec have been able to secure their networked medical devices from attack at the click of a button.

This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above. 

FDA announces first-ever recall of a medical device due to cyber risk


This week, the FDA took the unprecedented step of recalling a medical device – a pacemaker – because it was found to be vulnerable to cyber threats. The recall arose from an investigation by the FDA in February that highlighted a number of areas of non-compliance. While there are no known reports of patient harm related to the implanted devices affected by the recall, the step was taken as a preventative measure. A firmware update has been developed (and approved by the FDA) that can be applied during a patient visit with their healthcare provider.

Medical device vulnerabilities have been on the FDA’s radar for some time. In July 2015, the FDA issued an Alert highlighting cyber risks related to infusion pumps. Then, at the end of 2016, it issued what it called “guidance” on the post-market management of cybersecurity for medical devices. But aside from market pressure, there was no enforcement mechanism for any of these alerts and statements. To make matters worse, a recent study revealed that only 51 percent of medical device manufacturers and 44 percent of healthcare organizations currently follow the FDA guidance to reduce or mitigate device security risks. Many thought leaders in the healthcare security space have been pushing for greater governance of medical devices as more and more security vulnerabilities and back doors to these devices have been discovered.

While “homicide by medical device” may seem like a far-fetched Hollywood-esque scenario right now, it’s not completely out of the realm of possibility. “The potential for immediate patient harm arising from hackers gaining control of a pacemaker is obvious, even if the ability to do so on a mass scale is theoretical,” Fussa pointed out. “For example, imagine a ransomware attack that threatens to turn off pacemakers unless a bitcoin ransom is paid. In this week’s recall alone, 465,000 devices are affected. An attack of this type would pose an immediate risk to all of these patients and would likely overwhelm the ability to respond.”

While it’s good news that the FDA is acting to protect patients from harm due to cyberattack, connected devices continue to pose a threat to both patients and facilities. There’s been no shortage of press on the subject, and most healthcare executives are keenly aware of the problem. However, very few have an effective or scalable solution.

Many hospital systems have in excess of 350,000 medical devices, before you even start to count the implantable ones that leave with patients. Most of these devices were never designed with security in mind, and many have multiple ways in which they can be compromised by a hacker. The fact that we are not aware of any reported patient deaths yet is a good thing, but the industry has a very short window to secure its medical device arsenal before hospitals and patients get held to ransom. Health systems need to be looking at segmentation as a compensating security control to prevent attacks, until the medical device industry catches up.

Do you have a plan in place to secure your facility’s medical devices? Are you able to segment and isolate traffic to them?

Do you have visibility into who and what is communicating with your biomed systems and do you have ransomware protection?

Having specific answers to these questions will be key to a strong, ongoing defense against attacks.

This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Threats and Response to Healthcare Cyber Attack

Nearly everything is now connected.
We live, work and treat patients today in a world of inter-connectivity; where almost every thing, business and person is connected more or less all of the time. A world where in 2008, the number of ‘things’ connected to the Internet surpassed the global human population. A world in which by 2020 there will be in excess of 30 billion smart 'connected' devices.

It should be no surprise then to any of us, that this interconnected world that we have built for ourselves, presents not only a shifted paradigm in health treatment practices, but one that presents unique new challenges to secure hospitals and other healthcare services.

The 'Internet of Everything': - connected hospitals, connected cities, connected cars, and other ‘things’, has changed the face of security. No longer can we build walls around our business and IT systems; today the security paradigm is one of controls without absolutes, without well-defined boundaries and perimeters; walls which were once easy to secure.

Attacks by opportunist cyber criminals, are increasing in size and scope as they search to maximize their impact. Thanks to greater reliance on technology in our hospitals, the impact of a cyber attack on a healthcare provider is now enormous. The lack of clinical systems availability to treat patients (because of a ransomware or denial of service attack), threatens the lives of patients in our hospitals and clinics. Healthcare is part of our critical infrastructure and as we add IoT devices inside and outside of the hospital, we need to be extremely vigilant in making sure that every precaution is taken to secure and protect critical health IT systems.

This includes addressing widespread problems in our hospitals, some of which have been responsible for the recent spate of ransomware attacks against health systems. These include  slow patching of IT systems with known critical vulnerabilities, retirement of old no-longer supported platforms and applications, daytime-only security operations, and lackluster poorly practiced security incident response procedures.

Ransomware is a current favorite among attackers, but this appears in its latest iterations to have evolved into DeOS or ‘destruction of service’ offering no return for those not equipped with full off-site and disconnected backups. Even then, the time to restore and rebuild for most organizations is prohibitive, certainly not if a patient's well being depends upon the availability of an IT system.

Improved visibility, comprehensive 'round the clock' security operations and effective security incident response has become key to business continuity and keeping hospitals open. The first step however, is understanding what you are up against, how both exploits and defenses work, and what tools and technologies are available to bolster your security people and processes.

This was the subject of an hour long webex presentation given last week to healthcare IT and security leaders across Canada by Sean Earhard and myself. To watch the recording, open the link below to the Webex player.

Watch the WebEx recording

Healthcare in Canada is just as vulnerable to IoT.  Photo: Kai Oberhauser.

2017 Midyear Cybersecurity Report

Cisco released its 2017 Mid Year Cybersecurity Report today, outlining security trends over the past six to twelve months, and providing valuable research into the antics of cyber criminal elements.As in previous Cisco annual or midyear security reports, threats and attack vectors continue to evolve, with bad actors adding new and ever-more sophisticated spins to their exploits.

The report identifies a new trend of what Cisco has coined 'DeOS' (destruction of service), where attackers destroy data under the auspices of thinly-veiled ransomware demands. This is accomplished in such a way that the attacks prevent defenders from ever restoring systems and data.

Perpetrators continue to employ new methods to evade detection by rapidly pivoting campaigns and changing attack vectors, the report states. This is accomplished using both new tools and exploit kits, while combining attack vectors with old favorites like business email compromise (BEC) and social engineering to by-pass sandbox defenses.

As expected, exploitation of IoT devices continues to grow as attackers defeat grossly inadequate security of these appliances. Compromised devices are then used in Botnet networks for IoT-driven DDoS attacks or “1-TBps DDoS” as Cisco describes them. If big enough these attacks can significantly disrupt almost the entire Internet. Furthermore, these large Botnets are increasingly being used to provide highly lucrative “DDOS-as-a-service” engagements by the hacker community.

Malware continues to develop in its sophistication and is evolving in ways that can help attackers with delivery, obfuscation, and evasion. Cisco also notes the growth of “ransomware-as-a-service” (RaaS) platforms that allow adversaries to quickly enter the lucrative ransomware market.

Overall, MttD (mean time to detection) is improving across Cisco security tools and services, down now to an average of 3.5 hours. Cisco security appliances and services are identifying known threats quickly such that attackers are under more pressure than ever to find new tactics to avoid detection.

The report also includes a new section. Cisco’s Security Capabilities Benchmark Study. This provides useful advice to customers in pinpointing how key verticals can reduce complexity in their IT environments and embrace automation.

The report concludes by highlighting the need for defenders to fully understand the risks in their environment, and to devote well-trained and practiced resources to swiftly respond to threats, in order to minimize the potential damage of an attack. Furthermore, it recommends that the community of defenders should share research and ideas across the industry so we’re not in the dark about successful security approaches.

Read or download the full report here.

NH-ISAC Spring Conference

Richard Staynings with Mike Freeman and Chad Speiers from Sentara Health at the NH-ISAC Spring Conference
Richard with Mike Freeman and Chad Spiers from Sentara Health

Thanks to everyone who attended the NH-ISAC Spring Conference in Orlando. Great to see such amazing thought leadership and lots of very useful information being shared. What a great place to network. Look forward to the next one.

Richard Staynings with David Anderson from Adventist Health at the NH-ISAC Spring Conference
Richard with David Anderson from Adventist Health

Paul Singleton from Cisco addresses the audience at the NH-ISAC Spring Conference
Grand Rounds Breakout Session led by Paul Singleton of the Cisco Umbrella Team


Richard Staynings
Richard Staynings presents at the Canadian Conference on Physician Leadership
The challenges faced by Canadian healthcare in protecting the confidentiality, integrity and availability of the health and personal data of Canadian patients is great. But so too is the job of ensuring that healthcare IT systems and other critical infrastructure remains available to treat patients in today's IT-centric health delivery model, where system outages possibly as the result of a cyber attack, can mean life or death for a patient.

This was the subject of a workshop today at the 2017 Canadian Conference on Physician Leadership in Vancouver, BC, where many of Canada's top Physicians and Chief Medical Officers met to discuss many of the challenges and concerns facing the industry.

Participants learned not just about some of the cyber threats and risks being faced by healthcare in Canada and world wide, but also about some of the successes of other health providers to put in place effective, holistic security controls to block attacks and to protect personal health information, clinical research and other intellectual property from compromise.

As the leader of these workshops, I would like to extend my sincere thanks to everyone who attended and contributed to the debate. Canadian healthcare took a giant step forward today in recognizing, not just how much the industry needs to catch up with the better funded banks and other financial institutions, but also in understanding that cybersecurity is a business risk in which clinicians play a critical and leading part in helping to secure vital IT systems from attack.

A copy of the deck presented today can be downloaded here.

A Slippery Slope?

Like many cybersecurity professionals, I was somewhat pleased to finally read about the sentencing of convicted Russian cybercriminal Roman Seleznev to 27 years imprisonment by a US court. While this sets a new precedent in the sentences handed out to cybercriminals, many of whom have cost banks and retailers billions of Dollars, Pounds and Euros in losses, and forced other businesses to close up shop entirely, the case raises some interesting legal, moral and political questions.

Should it be the role of the United States judiciary to police the Internet and prosecute perpetrators of cybercrime, many of whom, reside in parts of the world outside of accepted standards of functional law enforcement. And if so, what lengths should be considered internationally acceptable for US law enforcement to go to, in order to capture, or apprehend individuals for future prosecution, when those individuals are discovered in, or transiting through, other countries, with whom the United States has no extradition treaty?

This was plainly the case in the apprehension of Seleznev who was vacationing with his family in the Maldives – a country with no extradition treaty with the United States. Yet, he was detained, handed over to US law enforcement officials, who then took him against his will to Guam, and onto Washington State where he was charged under US law for his crimes in the United States having never (as far as we know) even visited the country. Essentially, this is a non-US citizen, kidnapped by US law enforcement officials, in a neutral third country, and forcibly extradited without warrant to the United States to face charges for crimes allegedly perpetrated in that country.

Don’t get me wrong, I’m all for the arrest of cyber criminals and the imposition of long deterrent sentences to keep them off the cyber streets. I'm also keen for this to send a message to other (young) wannabes that cybercrime doesn’t pay. My concern is one of the basic rule of international law and whether this could one day back-fire against the United States.

I’m no lawyer but if due process was ignored in the apprehension of this individual then he’ll be out of jail on a technicality very quickly when this goes to appeal. If the intent was to use Saleznev as a bargaining chip with the Russians, then that raises a whole different set of questions, and this entire case moves more towards a political abduction / ransom  scenario.

While Seleznev, the son of an influential Russian politician, was plainly protected in Russia from prosecution by the country’s barely functioning legal system, and by his father’s close friendship with Vladimir Putin and contacts at the FSB, does the United States have a moral, ethical or legal right to enforce its laws half the way around the globe in countries where it has no legal jurisdiction and against citizens of other nations? Does the United States regard itself as the Internet judge, jury and executioner for electronic crimes?

Few would dispute the morality of the lengths undertaken to bring to justice a mass-murderer like Osama Bin Laden by the US military, but does this morality extend to perpetrators of financial crimes, and, if so, where do we draw the line?

Jeff Fridges raised some interesting questions in his comments to Brian Krebs story of the sentencing of Roman Seleznev and while the scenario Jeff paints might be considered a little far fetched, let's not forget that we have seen these kind of event-chains in the past. No one expected the Spanish Inquisition, and few predicted the rise of the Nazis, Kim Il Sung, Mao Tse Tung, or Stalin.

I’m bothered that the US apparently feels it has jurisdiction over the entire Internet, and can arrest anyone ‘anywhere in the world’ who violates ‘US law’ online.

Sure, this guy was a crook … but what about the next guy?

Consider this scenario. Street violence by right-wing militias in the US gets worse over April and May. Early in June, someone caps Trump. Pence becomes President and at the same time the assassination spurs a huge mobilization of Trump’s right-wing base. By the time everyone’s heads have stopped spinning, it’s martial law, draconian new legislation is being passed by the Republican congress (dominated by Tea Party evangelicals) and rubber-stamped by Pence. A Supreme Court stacked with ultraconservative Christian judges (Gorsuch, et al) looks the other way as the Constitution is put to the torch. Trade unionists and Muslims are rounded up and “disappeared” or deported, after which a purge of Hispanics begins — later it will be the Jews, though until the new forces have cemented their power thoroughly they and their powerful lobby and bankster friends will be left alone or even, for a while, convinced that “this time won’t be like the last time” for them.

By December the US is a de-facto fundamentalist Christian theocracy. Free speech is outlawed. Non-Christian religions, the teaching of evolution or climate change, p0rn, etc. are all outlawed.

And the US continues to act as if its borders contain the entire Internet.

Now someone in Cambodia blogs about climate change, or a European scientist publishes online a paper about evolutionary biology. Plenty of websites exist for mosques, synagogues, Buddhist temples, etc., run out of various corners of the world. And of course the net is awash in p0rn.

Do the proprietors of all of these websites start getting rounded up and renditioned, “extradited” to the US? After all, though they’re not inside US borders, what they are doing is illegal under US law and they are doing it online …

Now are you worried?
[end quote]

Regardless of who’s in the US White House (or Mar-a-Lago) and lets face it, Washington is a revolving door every few years, the questions that Jeff raises, and the scenario he paints, needs further discussion rather than simple dismissal as being radical.

While the United States with its overwhelmingly superior military might, has been the global policeman for many years, is this a role that the US intends to formally expand to the policing of the Internet, and is this a conscious decision as agreed by elected leaders and set in policy and law, or one brought about by the independent actions of US law enforcement officials frustrated at the failure, or lack of functional legal systems in other parts of the world. Legal systems rife with corruption, where cyber criminals can “live big” and publicly boast about their activities as Seleznev did, (till now) safe in the knowledge that the right people have been paid off, and that they are immune from prosecution?

Did the United States make a conscious decision to go to war and militarily occupy South Vietnam, or was it a political slippery slope driven by a succession of events and decisions from which it became increasingly difficult to turn back?

“Those who don't know history are doomed to repeat it.”
- Edmund Burke

Perhaps an examination of historical events is necessary to attempt to understand where this action could lead, and if it is the right type of action to address the policing of the Internet globally.

Securing Medical Devices - The Need for a Different Approach - Part 2

This is a two-part story. The first part can be read here.

I recently met with the CIO and CISO of a large US healthcare system to chat about how the system was going about securing its 350,000 network attached medical devices. They were busy assessing and profiling all of the disparate devices from a multitude of different vendors that the pre-merger, independent hospitals had purchased over the past twenty years or so. The Health System had multiple teams of third party vendors from many of the big names in bio-engineering, working with its own IT team to review configurations, firmware and OS/ application versions, and to make updates where necessary in order to improve the security posture of these devices.

The CIO however was greatly concerned by the number and churn in these devices – given warranty replacement units and new devices arriving at hospitals seemingly on a weekly basis. He was concerned whether they would ever be able to get in front of their hardening project, and whether reconfiguration and lock-down would ever really secure these network attached systems at the end of the day.

After listening carefully to his plan and all the activities he and his CISO had sanctioned, I suggested cautiously, that perhaps the health system was on the wrong path. My argument was that they would never be able to keep up with and manage 350,000 disparate biomedical devices, growing by twenty percent per annum, using a strategy essentially designed to manage PCs and workstations. One where domain level tools could be used to patch and configure the vast majority of endpoints. The manpower requirements alone I suggested, would consume his entire IT team’s bandwidth and budget at some point, if not very soon.

I suggested that he abandon entirely all thoughts of securing individual endpoints by locally hardening devices, and by disabling services like TFTP, FTP, TelNet and SSH, that many of his medical devices had left the factory with enabled, and instead look at other control points to secure those devices (compensating security controls) that would enable much higher levels of automation, and reduce the margin for human error that a manual process would inevitably lead to.

I suggested that he use his network as the control point rather than attempt to manage so many individual endpoints. By enabling TrustSec - a built-in access system in his newer Cisco switches and routers, he could lock down each endpoint device whether wired or wirelessly attached to the network, and control in a uniformed manner, which ports and protocols each device could communicate on, which users could administer each device, and which other devices each medical device could communicate with, i.e. specifically authorized canister, gateway or clinical information systems only…. and nothing else!

By employing ISE (Cisco Identity Services Engine) to set access policy, which would then be enforced by TrustSec, (something that was already being used to manage guest wireless access), the health system could create uniform enterprise policy implementation across all sites and locations, and avoid the need for possibly hundreds of firewall engineers to write and update access control lists in switches, routers, and firewalls. What’s more, rules written in ISE could be written in easy-to-understand business language, rather than complex access control syntax for direct entry into infrastructure devices by firewall and network engineers.

Furthermore ISE could be used to profile each of model of medical device, such that a profile could be developed and assigned once for each model, and applied globally across the entire enterprise of 350,000+ medical devices, thus automating security for the almost un-securable!

I continued, “What’s more, the same profile you assign to a medical device in one hospital, is used for a similar device in another hospital so long as its all part of the same ISE domain. Thus you can more effectively manage your medical device asset inventory across hospitals, by assigning medical devices when and where needed rather than to tie up money in unused assets in each location.”

“In other words” I explained, “Using ISE and TrustSec, you can provide your users with dynamic segmentation capabilities such that you can take a medical device (or truck load of medical devices) from one site to another site in need of those devices, (for perhaps local disaster management), and have those devices immediately recognized by the network and assigned the right access permissions as soon as they are plugged in or otherwise connected to the network. No need to engage a firewall or network engineer to add MAC addresses to an ACL (access control list) at 2am in the morning – just plug it in and it will work!”

Essentially you will have an enterprise-wide dynamic automated user and device access system, that is enterprise policy-driven in easy to understand language (versus firewall and switch syntax), that will actually save your biomed team money because they can run a minimal asset inventory across the entire health system. What’s more, in so doing, you are actually securing the un-securable and protecting medical devices from attack, as well as protecting the main hospital business network from being attacked from an easily compromised medical device.

A large number of leading US healthcare delivery organizations are already using ISE and TrustSec to secure their medical devices, research and intellectual property, PHI, PII and other confidential information, by security segmentation of their networks and IT systems. Many are working towards micro-segmentation at the individual device level. Many more are using the same segmentation approach and technology to isolate their PCI payment systems, their guest and contractor network access, and for network access quarantine to perform posture assessments on laptops and mobile devices re-attaching to the network after being used to treat patients in the community.

For more information on this approach, read Cisco’s Segmentation Framework and the Software-Defined Segmentation Design Guide.

For information about how Cisco’s Security Advisory Services can to assist you to design secure segmentation in your environment, please review Cisco's Security Segmentation Service or contact your Cisco sales team.

This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Securing Medical Devices - The Need for a Different Approach - Part 1

It’s hard not to notice a growing collection of medical devices whenever you visit a hospital or clinic. They surround today’s medical bed, almost like a warm scarf around a bare neck on a cold winter’s day. If they weren’t there you would wonder why. They provide all kinds of patient telemetry back to the nurses station: O2 sat levels, pulse rate, blood pressure, etc. They provide automatic and regular administration of medication via pumps and drips and oxygen dispensers. The medical bed itself tracks patient location across the hospital as the patient is wheeled to and from the OR, imaging or other specialties.

What is not recognized however, is that the number of medical devices employed in the delivery of care to patients is currently growing at almost twenty percent per annum globally. What's more, this growth rate is increasing. For the BioMed staff that has historically been responsible for managing them, it’s an almost impossible task. One that gets more difficult by the day as more and more devices are plugged in or wirelessly connected to the network.

The problem as far as risk is concerned, is not just the growth of these standalone devices and the difficulty managing so many, but the fact that these systems, many of which are critical to patient well-being, by and large have ALMOST NO BUILT-IN SECURITY CAPABILITY. Nor can they be secured by standard compute endpoint tools like anti-virus / anti-malware. They are a huge vulnerability, not only to themselves, but also to everything else attached to the network on one side of the device, and the patient on the other side.

Standalone medical devices are designed, built and FDA approved to perform a very narrow and specific function, and to do so reliably for long continuous periods of operation - unlike a Windows PC, which sometimes appears to have been designed to work for a month more than its manufacture warranty! Medical devices tend to stop working when subjected to things outside of their design parameters. Things like multicast network traffic caused by worms, viruses and other malware. Things like ICMP, NMAP and other network traffic used to illuminate, query, or profile devices perhaps by attackers. What’s more, medical devices are rarely retired and withdrawn from service, which means many hospitals are still using devices designed and built twenty years ago – at a time when Windows 95 had just been released and most of us weren’t even on the ‘World Wide Web’ as we called it then! How could they POSSIBLY be secured and prepared to defend against the types of cyber attack we see today?

Many standalone medical devices leave the manufacturing plant with all kinds of security vulnerabilities – many open TCP/UDP ports, and numerous enabled protocols by default like TFTP, FTP, Telnet. Most of these are highly vulnerable to attack. In June 2013 DHS tested 300 medical devices and all of them failed basic security checks. In 2015 we had 'white-hats' demonstrating hacks of implantable medical devices (IMDs) live on stage at security conferences. Since this time several popular medical pumps have been very publicly exposed for the ease at which they could be compromised by an attacker. (Some manufactures have issued recalls and firmware upgrades but not all.) If one of these pumps were employed to administer at a gradual and regular level, for example, pain medication such as morphine or perhaps insulin to a patient, what damage would be inflicted upon that patient if the pump was hacked and told to administer its entire medication all at once?

While older standalone medical devices were built to run on obscure, custom, often hardened UNIX operating systems, or even eProm, many of today’s mass-produced, quick-to-market commercial devices run on Windows 9 Embedded – nothing more than a cut-down version of the hugely vulnerable and highly insecure Windows XP operating system.

Windows Embedded is subject to many of the same vulnerabilities and freely available exploits as the regular Windows XP operating system. A targeted attack against modern medical devices is thus relatively easy given a mass of known and proven exploits. Yet we continue to attach insecure, unprotected pumps and all kinds of other devices with the potential to do damage to patients, knowing that at any time a nefarious hacker or almost innocent intruder could turn the device into an execution tool.

Just because it hasn’t happened yet, doesn’t mean to say that it won’t happen today… or perhaps tomorrow!

Read Part 2 of this blog.

This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.