Who'd want to be a CISO?

Challenging job, but increasingly well paid

Hong Kong Crisis Easing

Capacity improvement measures beginning to have an impact

Security and the Board Need to Speak the Same Language

How security leaders speak to their C-suite and board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

HIMSS19

Jason Hawley & Richard Staynings co-present at HIMSS19 today in Orlando. Photo: Ty Greenhalgh.

Don’t Let Your IT and OT Systems Become Antiques.

The problem of out-of-date legacy hardware, operating systems and applications across the healthcare industry is endemic. This is especially so at small hospitals and clinics, where tiny IT and security staffs and highly constrained budgets prevent the upgrading of end-of-life and often vulnerable technologies. Aggressive sunsetting of Windows versions and near-constant patching requirements compound the pressure on small IT staffs to support and secure their health IT infrastructure. This introduces risk into the healthcare delivery environment, as IT systems continue to operate with unpatched CVEs and on unsupported hardware and software.

Poor coordination between HIT vendors and Microsoft leaves healthcare applications either broken if patched or vulnerable if unpatched. Lack of vendor support for current Windows operating systems means that new workstations and servers have to be downgraded in order to run the EMR or other HIT applications.

"Windows 10 comes with .NET version 3.5 built in; however, our EMR only supports .NET version 3.2, so when we upgraded our desktop OS from Windows 7 to Windows 10, we had to uninstall .NET and reinstall an old out-of-date version," claimed Jason Hawley, CIO of Yuma District Hospital and Clinics, a critical access system in rural Colorado. "We can no longer run automatic updates from Microsoft as patches break our EMR. HIT software developers are constantly behind the Microsoft development curve," he added.

Going to the CFO and asking for money to replace and upgrade systems just because they are end-of-life doesn't work, according to Hawley. "The money simply isn't available to upgrade or replace," he states. "We don't have the manpower and we can't justify the re-licensing costs."

Jason is not alone in this experience. Many security and technology leaders in similar-sized facilities make the same complaint: IT hardware is used until it breaks and software is run well beyond its vendor support.

So how can CIOs and CISOs of small or critical access facilities get away from having to support dangerous legacy hardware and software?

"The obvious solution is to move what you can to the cloud as soon as possible, but this presents challenges in itself," claims Richard Staynings of the HIMSS Cybersecurity Committee. Regulated data needs to be highly secured, especially if it is being moved off-site. Consequently, many CEOs are reluctant to take the leap of faith needed to support this change.

However, most cloud service providers probably do a better job of securing their customers' PHI than any critical access hospital is able to do, especially given small IT and security staffs, low levels of security expertise and limited budgets for upgrading. In fact, for most critical access facilities, migrating to the cloud is a major security improvement over the current state.

"Cloud providers have an added incentive to double-down on security as their reputation is highly dependent upon the security of their services," claims Staynings. "Educating the CEO and board to that fact is however a different issue and an often lengthy process that should probably be started sooner rather than later," he adds.

Moving the IT budget from a CapEx model of asset purchase and depreciation over a long period to an OpEx model of annualized services will likely take some persuasion and the support of the CFO. Once approved, however, it will enable small providers to finally retire out-of-date and end-of-life assets.

In the meantime, CIOs and CISOs have a duty to report the risks of legacy, no-longer-supported hardware and software in the organization's Risk Register. This should include OT devices such as hospital building management systems and medical devices, which have even longer lifespans than IT systems such as servers and workstations. Most of these OT devices have little to no built-in security and require compensating controls, such as network segmentation, to protect both themselves and the rest of the network from attack. But first you need to find these devices, which isn't easy. Fortunately, there are now some new tools to help with medical device asset inventory.

CEOs and their boards need to make well-informed risk management decisions to accept, transfer or remediate those risks. Ignoring or avoiding a risk should not be an option, yet unfortunately that is an all-too-common practice today in small, under-funded healthcare delivery facilities.
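To make the two preceding paragraphs concrete, here is an added example (not code from the article, from HIMSS, or from either presenter) of the simplest form of the process they describe: take an asset inventory, flag anything running an operating system that is past or approaching vendor end of support, draft a Risk Register entry for each with a proposed compensating control (segmentation for OT devices), and only let the risk owner close the entry with one of accept, transfer or remediate. The inventory, device names and segment names are constructed for the example; the end-of-support dates are the ones known to the author of this example for those Windows releases and should be checked against Microsoft's lifecycle documentation before being relied on.

```python
"""Flag end-of-life assets in an inventory and draft Risk Register entries.

Added example, not from the article. The inventory below is constructed;
the support table is illustrative and must be verified against the vendor's
lifecycle pages before use.
"""
from dataclasses import dataclass
from datetime import date

# Illustrative support table: OS name -> end of extended support (None = still supported).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": None,
}

# A risk owner may only close an entry with one of these; 'ignore' is not a decision.
VALID_DISPOSITIONS = {"accept", "transfer", "remediate"}


@dataclass
class Asset:
    name: str
    os: str
    kind: str      # "IT" (server/workstation) or "OT" (medical or building device)
    network: str   # VLAN / segment the device currently sits on


# Constructed sample inventory for a small facility (not real systems).
INVENTORY = [
    Asset("emr-app-01", "Windows Server 2008 R2", "IT", "clinical-servers"),
    Asset("reg-desk-07", "Windows 7", "IT", "general-users"),
    Asset("infusion-pump-12", "Windows XP", "OT", "general-users"),
    Asset("hvac-bms-01", "Windows 7", "OT", "facilities"),
    Asset("nurse-ws-03", "Windows 10", "IT", "general-users"),
]


def support_status(asset, as_of):
    """Classify an asset as supported, expiring (<= 365 days left), unsupported or unknown."""
    if asset.os not in END_OF_SUPPORT:
        return "unknown"          # not in the table: still needs a register entry
    eos = END_OF_SUPPORT[asset.os]
    if eos is None:
        return "supported"
    if as_of >= eos:
        return "unsupported"
    if (eos - as_of).days <= 365:
        return "expiring"
    return "supported"


def compensating_control(asset):
    """Propose the compensating control the article describes for legacy devices."""
    if asset.kind == "OT" and asset.network == "general-users":
        return "move to a dedicated segmented VLAN; restrict inbound to required services"
    if asset.kind == "OT":
        return "keep segmented; verify firewall rules and monitor segment traffic"
    return "isolate host, restrict remote access, plan upgrade or cloud migration"


def build_risk_register(inventory, as_of):
    """Return a draft register entry for every asset that is not plainly supported."""
    entries = []
    for asset in inventory:
        status = support_status(asset, as_of)
        if status == "supported":
            continue
        entries.append({
            "asset": asset.name,
            "os": asset.os,
            "kind": asset.kind,
            "status": status,
            "control": compensating_control(asset),
            "disposition": None,   # set later by the risk owner
        })
    return entries


def record_decision(entry, disposition, owner):
    """Record the board's decision; anything other than accept/transfer/remediate is rejected."""
    if disposition not in VALID_DISPOSITIONS:
        raise ValueError(f"disposition must be one of {sorted(VALID_DISPOSITIONS)}")
    entry["disposition"] = disposition
    entry["owner"] = owner
    return entry


if __name__ == "__main__":
    # 'As of' date constructed to match the HIMSS19 timeframe in the article.
    for e in build_risk_register(INVENTORY, date(2019, 2, 11)):
        print(f"{e['asset']:18} {e['os']:24} {e['status']:12} -> {e['control']}")
```

Run as-is it lists four entries (the Windows 10 workstation is skipped); an OS that is not in the support table is reported as "unknown" rather than silently dropped, because an inventory gap is itself a finding. Extending the table and the inventory loader to read from the output of a medical device discovery tool is the obvious next step.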

Jason Hawley is CIO, CSO and Biomed Director at Yuma Hospital and Clinics, a critical access system in rural Colorado. Richard Staynings is a Global Healthcare Security Strategist. Both currently serve as members of the HIMSS Cybersecurity Committee. Slides from their HIMSS presentation can be viewed or downloaded here.

Converging Paths

Patient safety has always been a major concern for healthcare providers, but never before has it been so inextricably linked with cybersecurity. This is a subject I have blogged about, lectured on to students of healthcare and cybersecurity, and spoken about to audiences of senior healthcare leaders at conferences and summits all over the world.

It's a convergence that we all need to become familiar with, as enterprise risks change across the industry and the threats to the business evolve while we increasingly digitize.

Today, I had the pleasure of sharing this message with the HIMSS Cybersecurity Community, a community of healthcare leaders, technologists and security professionals who do their best to make sure that your non-public information remains confidential, integral and available, and that the IT systems employed to diagnose, treat and monitor you as a patient do not become compromised by nefarious nation states or cybercriminal actors. The HIMSS Security Community does a great job of sharing information across thousands of providers globally, to help leaders protect their patients and their patient data.

We all know that the global healthcare industry has problems and needs all the help it can get at a time of aging populations, static budgets and increased cyber risk. What compounds these concerns is a long history of underfunding for the day-to-day security of hospitals and clinics, and for the longer-term maintenance and replacement of end-of-life IT systems.

This is a subject that I will be addressing in more detail with Jason Hawley, CIO and CISO at Yuma District Hospital, at the HIMSS Annual Conference this year in Orlando on Monday, February 11th. If you are planning to attend HIMSS19, please come along to the Security Forum and join us as we dig deeper into this subject.

For those able to attend my webinar today, many thanks and it was great to address many of your questions. For those unable to attend I have posted a link to the WebEx recording and to my presentation slides below.

Webinar Recording

Presentation