Who'd want to be a CISO?

Challenging job, but increasingly well paid

Hong Kong Crisis Easing

Capacity improvement measures beginning to have an impact

Security and the Board Need to Speak the Same Language

How Security Leaders speak to thier C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

Singapore eHealth - Innovative Technologies and Security

The Author addresses the Singapore eHealth Summit. Photo: Dean Koh
Singapore faces many of the same problems affecting patient care in Europe and North America; an aging population, rising demand and increasing costs. The need to implement more value-driven initiatives to increase efficiency and improve patient outcomes will become critical here in Singapore just as it is in other countries with declining populations or unsustainable rising healthcare costs. This includes the need for wider mainstream adoption of new and disruptive technologies like data analytics, machine learning and artificial intelligence, combined with highly innovative procedures to accurately identify, diagnose and treat patients.

The recent Singapore eHealth and Health 2.0 summit was unique in that it brought together some of the best minds and best ideas from all over the world under one roof, to showcase a plethora of quality treatment ideas and disruptive emerging technologies which promise to revolutionize the healthcare industry.

As with the adoption of any new technologies, there are risks which must first be evaluated before a technology can be introduced, and in healthcare, increasingly these risks focus upon cybersecurity.

In Singapore, which suffered its largest ever breach last year with the theft of 1.5m SingHealth patient identities along with the prescription records of its Prime Minister and other V.I.P.s, security is of particular concern. Several smaller healthcare breaches this year including publication of the personal details of over 800,000 blood donors, and the exposure of 14,200 HIV patient records has compounded the need for the industry to get security right.

Confidentiality, Integrity and Availability

The ASEAN region, according to CIO Magazine, with its dynamic position as one of the fastest growing digital economies in the world has become a prime target for cyber-attacks, accounting for 35.9% of all cyber attacks globally in 2017. The targeted attack against SingHealth is perhaps a wake-up call for the region to do a better job of securing Confidentiality, Integrity and Availability (CIA) its healthcare and other critical services.

But the risks impacting healthcare are way more nefarious than just the disclosure of confidential patient information. Far more worrying is the threat to the INTEGRITY of health records and other clinical data, and the AVAILABILITY of HIT systems needed to treat patients.

  • What happens when a patient's blood type, allergies or past treatment records are altered by a hacker?
  • What happens when a ransomware attack locks up all Health IT systems as it did to many hospitals in the British NHS with the WannaCry attack?
  • Patient Care suffers and Patient Safety is placed at risk
The growth of medical devices and other Healthcare IoT (HIoT) is prolific and already outnumbers traditional computing systems. Compound growth in medical devices has reached 20% per year by some estimates. Furthermore, most are connected now to hospital networks and talk directly to core HIT systems like the Electronic Health Record. Hackers know this and have used the fact that HIoT systems are by and large unprotected against cyber-attack to launch their infiltration campaigns.


Many legacy medical devices can only connect to hospital WiFi using insure WEP encryption, which means any teenager with the right tools could gain access to core systems in most unsegmented healthcare networks with little more than a SmartPhone from a hospital waiting room.

Medical devices and other HIoT systems now pose the single greatest risk to patient safety according to many in the industry because of their lack of inherent security, inability to be patched or secured with AV and host firewalls as even a Windows PC can be, and the fact that they are most often connected to patients.

On-stage demonstrations at security conferences like DefCon, Black Hat, and KiwiCon often feature the hacking of some sort of medical device that if connected to a real patient, would undoubtedly result in that patients death. Yet, the US FDA, Australia TGA, UK MHRA, and EU EMA, device manufacturers, and hospitals all downplay the risks, knowing that devices have a 15 to 20 year lifespan and few if any, are ever updated with security patches once sold.

The fact of the matter is that we have almost no idea if, and how many patients have died as a result of a medical device being hacked. No one currently is required to forensically investigate a failed medical device. Instead when is device is suspected of failing, all data is wiped to comply with HIPAA, SPA, and other privacy rules and the device is shipped back to the manufacturer to be re-imaged, tested and put back into circulation. This is a subject I have written about in the past and one perhaps best demonstrated by Doctors Christian Dameff, MD and Jeff Tully, MD from the University of California Health System, in their realistic yet alarming presentation at the RSA Conference last year.

The need to better understand and evaluate risk in this growing sector of healthcare has reached a tipping point, as OCR in the United States and the TGA in Australia, starts to ask questions about risk analysis of these devices many of which are covered under the HIPAA Security Rule and the APA. However healthcare IT and Security teams face several daunting challenges before they can mitigate security risks and chase compliance.

1. In most hospitals, medical devices are owned and managed by Bio-Medical or Clinical Engineering, while other groups also outside of IT, manage building management and other hospital IoT systems. Consequently, there is limited security visibility, if any at all!

2. An accurate inventory of what HIoT assets are connected to the network is almost impossible to accomplish manually as devices change all the time and manual spreadsheets and traditional IT asset management systems have proven inaccurate.

3. Evaluating the risks of medical devices is difficult since most are connected to patients and cannot be scanned with normal security tools. Larger equipment like X-Ray machines, MRI, CT and PET scanners are in use 24/7 and cannot usually be taken out of service for regular security scans.

4. Inherent weaknesses in some HIoT protocols like DICOM allows a malicious actor to embed weaponized malware into a legitimate image file without detection, as researchers at Cylera Labs discovered recently.

5. Lack of internal network security allows a hacker to intercept and change a PACS image with false information during transmission between a CT scanner and its PACS workstation, adding a tumor to an image or removing one as security researchers at Ben Gurion University recently discovered.



Fortunately, new AI security tools from Cylera, created especially with healthcare in mind, are able to automate the entire risk management process to identify, profile, assess, remediate and manage HIoT assets in line with NIST SP800-30 standards. Just as healthcare delivery is moving towards disruptive innovative technologies, so are the security risk management tools being used to support the adoption of new technologies and new procedures.

Cylera’s 'MedCommand' solution, empowers healthcare providers to protect the safety of their patients, assets, and clinical workflows from cyber-attacks. 'MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT,
and operational technology.


The 'MedCommand' solution is built on Cylera’s 'CyberClinical' technology platform, which incorporates machine learning, behavioral analytics, data analysis, and virtualization techniques. Cylera has partnered with leading healthcare providers, experts, and peers to develop the most comprehensive and integrated HIoT security solution for healthcare.

Learn more about Cylera's innovative AI based approach to medical device and other HIoT endpoint management or contact us to schedule a conversation.

This blog was originally published here.


When Cyber Attacks Go Too Far





News today that Israel has responded to a cyber-attack with a kinetic response is perhaps a first but, in many ways, to be expected, given a rising tide of global cyber-attacks by those who cause increasing levels of damage, yet hide from attribution by use of proxies or through anonymity.

According to Forbes:

The escalating global threat of cyber-attacks against nation-states took a turn yesterday when Israel's military announced that it had "thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work….HamasCyberHQ.exe has been removed," the tweet concluded.

Now that the precedent has been set, it should serve as a very real warning to cyber criminals everywhere that just because they reside in a state that turns a blind eye to international lawlessness, they are not immune from being brought to justice. In the case of the Hamas hackers planning an attack on Israel, when their building was flattened on top of them by the Israeli Defense Forces (IDF).

This may not be the first kinetic response to an act of cyber warfare but its certainly the first one mass-publicized. The US has reserved the right to retaliate against cyber-attacks with military force since 2011, and in 2015 it launched a hellfire missile attack from a drone to assassinate British born Islamic state hacker Junaid Hussain as he walked down a street in Raffa, Syria.

Many people have been expecting a kinetic response to a cyber attack for some time and talking about the advent of hybrid warfare, but can either of these bombings be seen as the turning point? The fact is that Hamas had launched over 600 missiles at Israel and Israel had conducted over 250 air strikes of Hamas targets in retaliation. In the case of Junaid Hussain, he was known to be actively planning terrorist attacks in the west. Both were thus legitimate targets in existing kinetic conflicts, and both appear to satisfy the UN Charter for 'National Collective Self Defense'. But will this latest attack be used to justify a kinetic response to a future cyber attack or the perceived threat of one by a credible adversary? Maybe!

Iran should certainly watch its back, where we are told, there has been a steady escalation in threats against the United States over recent months. The recently announced positioning of the USS Abraham Lincoln Strike Group to the Persian Gulf together with a Bomber Strike Group may be seen as a strong warning to Tehran. It may also be considered as positioning for future retaliatory kinetic attacks for recent wave of cyber and other attacks against the United States. This may mark the return of more aggressive US policies against terrorists and others who attack the west with assumed impunity. Just as Reagan’s bombing of Libya in 1986 signified a line drawn in the sand for Qaddafi’s support of terrorism against United States citizens, with hawks like John Bolton and Mike Pompeo advising Trump things could escalate very quickly.

But Iran is not alone on the 'Bad Boy' list of cyber-attacks going too far. According to the Center for Strategic and International Studies most of the world’s cyber-crime is originated in four countries – the Peoples Republic of China, the Russian Federation, the Democratic People's Republic of (north) Korea and the Islamic Republic of Iran, as the chart below shows:




The 2017 'WannaCry' ransomware attack that brought down hundreds of organizations worldwide including the effective closure of a large number of British hospitals and other critical facilities, has been attributed to the Shadow Brokers, an outfit that works in the PRC and PDK for the Kim regime of North Korea. According to an Op-Ed in the Wall Street Journal, Tom Bossert, then Homeland Security Advisor to President Donald Trump, firmly attributed the attacks to Kim Jong-Un who gave the order to launch the malware attack, he claimed. "We do not make this allegation lightly. It is based on evidence." Bossert stated. Canada, New Zealand, Japan, and the UK all agreed with the US attribution.

Right on the heals of WannaCry, the 'Not Petya' attacks of June 2017 were an act of cyber warfare instigated by the Russian GRU, according to a CIA analysis of the attack reported by the Washington Post. Not Petya or Nyetya as it was also named, was disguised as a new variant of ransomware, but with no way to recover information or the hard drives storing the data, it destroyed millions of dollars of computer equipment and cost businesses the world-over, somewhere between $4bn and $8bn according to Wired. Not Petya thus became known as a broadcast 'wiperware" and as a cyber weapon by many.

According to the CIA, Russia created NotPetya, in order to support its kinetic and cyber war against Ukraine that has been ongoing since popular revolution there ousted the pro-Russain former Ukrainian President and CCCP Communist Party Member Viktor Yanukovych. The attack which initially targeted Ukrainian accounting tax software company M.E.Doc, brought down virtually all of Ukraine’s government along with Ukrainian hospitals, power companies, airports, and banks. Since then there has been a steady stream of cyber attacks directed by Moscow against Ukrainian critical infrastructure and power utilities knocking them off-line, constant attacks against Ukrainian businesses, and various kinetic attacks including the military occupation and annexation of Crimea, the instigation of Russian nationalism, ethnic unrest and military support of separatists in Eastern Ukraine, that resulted in the death of 285 passengers and 15 crew aboard MH17 as it flew between Amsterdam and Kuala Lumpur in July 2014 when it was hit by a Russian surface to air missile.

The impact of Not Petya spread far beyond the borders of Ukraine and caused massive damage across the world. First investigated by the Ukrainian security agency, known as the SBU, it was quickly attributed to Russian security services, a fact reflected in other countries subsequent investigations into the cyber attack including all of the Five Eyes nations of the United States, UK, Canada, Australia and New Zealand. This was reflected by a White House statement issued February 15, 2018:

"In June 2017, the Russian military launched the most destructive and costly cyberattack in history, NotPetya "quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine, and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences."

Putin's Russia has continued to push the boundaries of acceptability with each new attack from the hacking of the US Democratic Party, former US Secretary of State and presidential candidate Hillary Clinton, to influencing of the US and German presidential elections and the Brexit referendum via its social media bots, to literally hundreds of attacks against think tanks and NGOs according to Microsoft, most of which have been attributed to a group called 'Strontium' - otherwise known as 'Fancy Bear' or 'APT28'.

Meanwhile in the east, The Peoples' Republic of China has kept up a relentless attack against businesses the world over, in its quest to steal the intellectual property and business secrets of the leading global companies. Despite agreements between US and Chinese presidents in 2015, to stop the wholesale cyber-theft of intellectual property, the attacks continue as China tries to surpass the rest of the world with its home-grown companies, using stolen patents and trade secrets invented by others.

The big question is, "how far is too far"? At what point does it become necessary to send a loud and clear message that cyber-attacks will be met with real consequences? Israel certainly deemed it necessary to deal with a group in Hamas that was responsible for cyber attacks against its country and citizens.

Countries may not readily invade one another today as they once did in the nineteenth and twentieth centuries leading to major global conflicts and massive loss of life. That is, perhaps with the recent exception of China's building of military islands off the coast of the Philippines and Vietnam in international waters in an apparent land grab of most of the South China Sea. But we know from history, that if you don't stand up to a bully at least once, then the bullying will continue. Hitler's occupation of the Rhineland in 1936 is perhaps a good example of what happens when you ignore a problem for too long.

Sometimes we forget that cyber warfare is after all just another form of warfare!

Now that the precedent has been set, those involved in cyber espionage, wholesale theft of IP, extortion, and cyber attacks against businesses and critical infrastructure of countries might want to consider a new profession, or be on the lookout for things falling from the sky!


CIA, Cyber Risk and Patient Safety

Most global healthcare compliance requirements focus upon protecting the CONFIDENTIALITY of PHI and PII, but security and in particular Patient Safety, are reliant upon securing the other 2 sides of the 'CIA' security triangle.

All this and more in my recent interview with Bruce Steinburg, MD and EVP of HIMSS International.

The Growth of Medical Tourism 3


This is a multi-part story over 3 days. Take me to the beginning.

Trends in Medical and Dental Tourism

Patients Beyond Borders, a publisher of guidebooks for "medical tourists" estimates that more than 20 million people will travel to another country for medical treatment this year, up 25% from 16 million last year. Meanwhile, a 2016 report by Visa estimated that the medical tourism industry was worth $50bn a year, and continuing to grow.

In fact according to Deloitte medical tourism has been growing at 10% per annum or greater for the past 15 years. BCC Research predicts that double digit growth is expected to continue for at least another five years with destinations like Mexico, Thailand, Malaysia, Taiwan and Costa Rica leading the popularity charts.

But it's not just a migration of US medical consumers to these locations. Its a global trend of Americans and Europeans looking to cut costs and avoid wait times on one side, and the super wealthy in developing nations like China and India in search of specialist treatments not available in their own countries going the other way.

Despite its free National Health System, many UK residents are avoiding long wait lists for consults and procedures and traveling overseas for medical and dental treatment for less than half of private treatment at home. This includes cosmetic surgery and other treatments not covered under the NHS.

Medigo, a German-based medical travel company says that queries from UK residents jumped 53% last year. Official figures from the UK's Office of National Statistics also show that a rising number of people are going abroad for treatment.

The trend is similar in the US where the number of American health tourists goes up every year. About 422,000 traveled outside of the country for medical and dental procedures in 2017 according to the US National Travel and Tourism Office. That is up from 295,383 in 2000.

As the number of uninsured Americans continues to climb, it seems more than likely that high deductibles and reductions in insurance coverage are pushing more Americans to search elsewhere for affordable medical and dental care. With more attacks underway against the US Patient Protection and Affordable Care Act, otherwise known as 'Obamacare', and employers increasingly shifting healthcare costs to employees, medical tourism looks to become a key facet of most people's future healthcare and dental care.

Read the entire story:

The Growth of Medical Tourism 2



This is a multi-part story that launched yesterday.

My employer-sponsored-health-plan provides me and my family with an annual physical with our primary care physician. This normally involves a 40 to 60-minute appointment where a nurse measures my height and weight, checks my vision, draws some blood and has me pee in a cup before my doctor gives me a physical examination. Thanks to Obamacare this little interaction is annual and free, meaning no co-pay, no-deductible or other disincentive to see someone. It also provides the opportunity to discuss with my primary care provider anything that concerns me but didn’t warrant me shelling out money to book a regular appointment with the him or her. Finally, it also allows me to unlock and renew my prescriptions for the medications I am supposed to be on for another 12 months - even though I have been on the exact same stuff for more years than I can remember.

Sure, my free annual physical is valuable but just how valuable is it someone like me? I am at early risk of coronary heart disease, to a stroke, cancer or some ailment that will one day take me surprise and whisk me off to an early death, or worse, a lingering and expensive demise that medically bankrupts my family when my employer sponsored health insurance runs out? Welcome to US healthcare!

Would my 40 minute interaction with my doctor once a year actually discover such a risk?
Highly unlikely I suspect.

Would my health insurance pay for me to undergo a battery of tests to find out?
Also highly unlikely!

The current US Payer-Provider preventative care system is nowhere near as good as politicians would have us believe, and nowhere near as good as physicians would advise or recommend.


I guess my concerns are shared by many people over 40 and that may be why many of us receive flyers in the mail advertising advanced cholesterol or cancer screening – the “Plus Version” of an annual physical if you like. One where you are made to run on a treadmill while connected to an ECG and put through a battery of other tests not covered by your “free annual physical". “Prevention is better and cheaper than cure” as the saying goes and I’m sure all of us would agree.

So my wife and I looked into the costs of a comprehensive health check at home and abroad, including travel. We also looked into the costs of a dental checkup cleaning and treatments since we didn’t elect dental insurance this year. We both look after our teeth and the costs of dental insurance just didn’t make economic sense. What we found surprised us.


We could fly all the way to Bangkok, Thailand, stay in a 5 star hotel, enjoy a highly comprehensive health check - including in my case a full workup, get our teeth cleaned and fixed (and take a short vacation) all for significantly less than what it would cost us in the US..... And do it all at top-notch hospitals and dental clinics.






Our Medical Health Check

We selected Bumrungrad International Hospital in the heart of Bangkok for our health check and City Dental Clinic just down the road from the hospital for our teeth cleaning and maintenance. Not only is Bumrungrad reportedly one of the top ten JCI accredited hospitals in the world, it has one of the best hospital workflows I have ever seen. They have the health check workflow down to an art. It truly was a pleasure to witness and observe.



From the pleasant greeting upon entry to the five-star service throughout including lunch catered by the nearby JW Marriott, everyone spoke excellent English as well as half a dozen other languages to cater to guests from Europe, Australasia, the Americas, the Middle East and Asia, including a number of local Thai and Burmese.

No "nickel and diming" either and no unexpected costs. You select exactly what you want in advance from a menu of different health check options when you book your appointment, so you know what you need to pay when you show up on the day. If you need to add extras after your health check, like a consult with a specialist, the hospital will do its best to schedule you in that evening or the following day - even over the weekend. And the costs of an additional specialist consult? About $22 in my wife’s case.

What makes it all the more convenient, is that you can charge it to your healthcare savings card and pay for your medical treatments with pre-tax US earnings.

Need a procedure like a biopsy? $100 to $200 often on the same day and certainly while you are in town. Now if only US healthcare could be as efficient! For that reason, it’s probably best to schedule your health check on day 2 or day 3 of your stay so you have time for any additional follow up.

The only thing to look out for is that the hospital pharmacy is quite a bit more expensive than pharmacies outside. That's generally the case everywhere, but you don't have to purchase your meds from the Bumrungrad hospital pharmacy if you don't want to. You can just ask your doctor to write them down and have the billing clerk remove them from your bill when its time to pay for any extras if they were added. No need for official prescriptions in Thailand either. Pharmacies abound on every street and every mall in Bangkok so you have your choice of drug suppliers. Most Pharmacists speak excellent English and are very well trained and qualified. Don't have what you are looking for? The Pharmacist will be able to recommend a different drug and dosage and discuss side effects or other concerns with you.

The other thing to beware of is that some doctors will only schedule office hours in Bumrungrad on a couple of days per week so if you want to see a certain named specialist, then its best to plan a little extra time. Of course you could always opt for someone else in the same specialty area as we did and still get excellent advice. Many doctors we found will schedule office hours from 5pm onwards or weekends only, which was a little unusual from our experience in the US. In actuality, this worked out well for us as we were busy during the normal business day anyway.


Our Dental Checkup


Our dental checkups were equally as pleasant at the City Dental Clinic across the street from the hospital. A young but very well qualified dentist checked my teeth and then sonically cleaned them all for about $20. My wife needed a couple of fillings for a chipped tooth and some depleted enamel. Her clean and procedure came to a whopping $195 – way less than most people's dental insurance co-pay for a single filling let alone 3, and not including the the bi-weekly or monthly premiums most people pay for dental insurance.

Why would anyone NOT take a trip to Thailand or other parts of the world for elective procedures and proactive health checks? Beats me - that’s all I can say! In fact, we are already planning our checkups and dental cleanings for next year.

Concerns about quality medical and dental staff? Bumrungrad International Hospital achieved Joint Commission status years ago and continues to be one of the top hospitals in the world. It serves over 400,000 medical tourists annually who by all accounts save between 50% and 75% on medical expenses they would have incurred for similar services in the US. The hospital's repeat international clientele is probably testament to its reputation and the quality of service patients receive.

Everyone we met was top notch – as good as you would find at home – just with lower hospital billing and insurance overheads, and significantly lower malpractice premiums to pay, thanks to the absence of both ambulance-chasing lawyers in Thailand and a legal system written by lawyers to encourage the use of ....... lawyers for every little disagreement.

Why the US is falling so far behind the developing world should be obvious to all of us who work in the industry, but no one seems interested in fixing a broken system, removing overheads and getting healthcare costs down. With so many vested parties needing to be involved all wanting to keep their cut, that may never happen here. And so, medical tourism is likely to continue to expand as consumers vote with their feet.

Continue on to the final chapter of this story

The Growth of Medical Tourism 1


Despite the United States having arguably some of the best healthcare in the world, it also has the singularly most expensive. We have all heard the story of the hundred-dollar Aspirin. Many of us have witnessed or been fleeced by the ridiculous markups some US hospitals attempt to profit from - sometimes in excess of 1,000% or 1,500%. The US spends twice as much on healthcare as most comparable nations, yet has highly unequal access to healthcare services, and quite frankly, terrible patient outcomes if you happen to be poor, or live in the wrong part of the country.

As the costs of US health services continues to spiral, consumers are facing ever-increasing healthcare charges. This includes massive annual deductibles which effectively render insurance useless for most until the end of the year when deductibles have been met, and increasingly high co-pays that cause many to forgo their prescription medications and doctor visits in order to pay rent or put a meal on the table for their family.

Just ask anyone who works in the profession how the advent of high-deductibles and other rising out of pocket costs is affecting their businesses. Designed to contain employer and employee healthcare costs, high deductibles have led to much higher out of pocket costs for consumers and quite seriously changed user consumption patterns. Many medical practices are empty at the beginning of the calendar year when a fresh deductible kicks in, for all but the most serious of emergencies. What's more, it stays that way for months till patients have met their deductible and are no longer dis-incentivized to visit their medical providers.

Most of us who have tried to purchase medications in the US that are not included in our medical insurance formulary list have experienced first-hand unregulated US pharmaceutical prices that gouge consumers for $200 or more for the exact same medication that sells outside of the US for $20. It’s no wonder that so many Americans stock up on their prescriptions when on vacation abroad, regardless of whether they have health insurance at home or not.

Yes - Your over-the-counter drug price in other countries is often cheaper than your insurance co-pay at home!

But what other aspects of their healthcare are Americans looking abroad for?

In this multi-part blog, I explore the rise of medical tourism and how it is often better and cheaper to get on a plane and fly across the world for treatment in a modern top-notch accredited hospital rather than subject yourself to the co-pays, high-deductibles, obscured billing practices, and unexpected / underhanded out-of-network surprise charges not covered by your US health plan.

Read Part 2 of this story

HIMSS19

Jason Hawley & Richard Staynings co-present at HIMSS19 today in Orlando.  Photo: Ty Greenhalgh.
Don’t Let Your IT and OT Systems Become Antiques.

The problem of out of date legacy hardware, operating systems and applications across the healthcare industry is endemic. This is especially so at small hospitals and clinics where tiny IT and security staffs and highly constrained budgets, prevent the upgrading of end-of-life and often vulnerable technologies. Aggressive sun-setting of Windows versions by Microsoft and near constant patching requirements compound the pressure on small IT staffs to support and secure their health IT infrastructure. This situation introduces risk into the healthcare delivery environment as IT systems continue to operate with unpatched CVEs and unsupported hardware and software.

Poor coordination between HIT vendors and Microsoft causes healthcare applications to break if patched or remain vulnerable if unpatched. Lack of support for current Windows operating systems means that new workstations and servers need to be downgraded in order to run EMR or other HIT applications.

"Windows 10 comes with .NET version 3.5 built in, however our EMR only supports .NET version 3.2, so when we upgraded our desktop OS from Windows 7 to Windows 10, we had to uninstall .NET and reinstall an old out-of-date version" claimed Jason Hawley, CIO of Yuma District Hospital and Clinics, a critical access system in rural Colorado. "We can no longer run automatic updates from Microsoft as patches break our EMR. HIT software developers are constantly behind the Microsoft development curve," he added.

Going to to the CFO and asking for money to replace and upgrade, just because systems are end-of-life doesn't work according to Hawley. "The money simply isn't available to upgrade or replace",  he states. "We don't have the man-power and we can't justify the re-licensing costs."

Jason is not alone in his experience. Many security and technology leaders in similar-sized facilities make the same complaint, where IT hardware is used till it breaks and software is run well beyond its vendor support.

So how can CIOs and CISOs of small or critical access facilities get away from having to support dangerous legacy hardware and software?

"The obvious solution is to move what you can to the cloud as soon as possible, but this presents challenges in itself," claims Richard Staynings with the HIMSS Cybersecurity Committee. Regulated data needs to be highly secured - especially if its being moved off-site. Consequently, many CEOs are reluctant to take the leap of faith needed to support this change.

However most cloud service providers probably do a better job of securing their customers' PII and PHI data than any critical access hospital is able to do anyway. Especially given small IT and security staffs, low levels of security expertise and limited budgets for upgrading. In fact for most critical access facilities migrating to the cloud is a major security improvement over the current state.

"Cloud providers have an added incentive to double-down on security as their reputation is highly dependent upon the security of their services," claims Staynings. "Educating the CEO and board to that fact is however a different issue and an often lengthy process that should probably be started sooner rather than later," he adds.

Moving the IT budget from a 'CapEx' model of asset purchase and depreciation over a long period of time to an 'OpEx' model of annualized services, will likely take some persuasion and the support of the CFO. However once approved will enable small providers to finally retire out-of-date and end-of-life assets.

"Cloud migration is not as straight forward as simply moving a VM from a data center hypervisor to a cloud one," claims Staynings. "There's a lot of planning and optimization that needs to take place to make sure that you don't get unexpected usage bills for running AV and other scans 24 by 7 on each of your systems. For that reason, if you've not done this before you should probably seek help"

In the mean time CIOs and CISOs have a duty to report the risks of legacy no-longer-supported hardware and software in the organization's Risk Register. This should include OT devices like hospital building management systems and medical devices which have even longer life-spans than IT systems like servers and workstations. Most of these OT devices have little to no built-in security and require compensating security controls such as network segmentation to protect themselves and the rest of the network from attack. But first you need to find these devices, which isn't easy. Fortunately there are some new tools from the likes of CyberMDX, ZingBox, ClearData and others entering the market to help you with your medical device asset inventory and initial threat assessment.


CEOs and their boards need to make well-informed risk management decisions to accept, transfer or remediate those risks. 'Ignoring' or 'avoiding' a risk should not be an option, which unfortunately is an all-too-common process being used today in small under-funded healthcare delivery facilities.


Jason Hawley is CIO, CSO and Biomed Director at Yuma Hospital and Clinics - a critical access system in rural Colorado. Richard Staynings is a Global Healthcare Security Strategist. Both currently serve as members of the HIMSS Cybersecurity Committee. Slides from their HIMSS presentation can be viewed or downloaded here.

Converging Paths



Patient safety has always been a major concern for healthcare providers but never before has it been so inextricably linked with cybersecurity. This is a subject I have blogged about, lectured to students of healthcare and cybersecurity, and spoken about to audiences of senior healthcare leaders at conferences and summits all over the world.

It's a convergence that we all need to become familiar with as enterprise risks change across the industry and the threats to the business evolve as we increasingly digitize.

Today, I had the pleasure of sharing this message with the HIMSS Cybersecurity Community. A community of healthcare leaders, technologists and security professionals that do their best to make sure that your non-public information remains confidential, integral and available, and that the IT systems employed to diagnose, treat, and monitor you as a patient, do not become compromised by nefarious nation states or cyber criminal actors. The HIMSS Security Community does a great job of sharing information across thousands of providers globally, to help leaders protect their patients and their patient data.

We all know that the global healthcare industry has problems and needs all the help in can get at a time of aging populations, static budgets and increased cyber risk. What compounds these concerns is a long history of under funding for the day-to-day security of hospitals and clinics, and  the longer term maintenance and replacement of end of life IT systems.

This is a subject that I will be addressing in more detail with Jason Hawley, CIO and CISO at Yuma District Hospital at the HIMSS Annual Conference this year in Orlando on Monday February 11th. If you are planning to attend HIMSS19, please come along to the Security Forum and join us as we dig deeper into this subject.

For those able to attend my webinar today, many thanks and it was great to address many of your questions. For those unable to attend I have posted a link to the WebEx recording and to my presentation slides below.




Webinar Recording

Presentation