Who'd want to be a CISO?

Challenging job, but increasingly well paid

Hong Kong Healthcare Crisis Easing

Capacity improvement measures beginning to have an impact

Security and the Board Need to Speak the Same Language

How Security Leaders speak to thier C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

The Evolution of Healthcare

The author presents to the HIMSS19 Eurasia Health IT Conference and Exhibition in Istanbul, Turkey

Healthcare has been transformed over the past century from a largely palliative care delivery model for the sick and dying to an advanced technology-infused and increasingly digitized integrated healthcare delivery model. Technology has fueled massive improvements in patient outcomes. It has enabled us to improve the human condition, to beat diseases that used to ravage families and communities, and to live longer and better than ever before. This was the subject of my presentation today at the HIMSS19 Eurasia Conference held in Istanbul, Turkey.

Increasing use of artificial intelligence and personalized genomic medicines will continue to push the boundaries of care forward in a highly positive way. But digitization comes at a cost, and that cost is in the form of new cybersecurity risks to the confidentiality, integrity, and availability of personal health data and the IT systems that are relied upon to provide care to patients. In fact, in today’s healthcare delivery model, clinicians would find it extremely difficult to maintain the current levels of patient care if health IT systems—and increasingly healthcare IoT—are not available to diagnose, treat, manage, and monitor patients.

The author between the Turkish Minister for Communications and the Deputy Minister for Healthcare
L->R: Ömer Fatih Sayan, Richard Staynings, Ömer Abdullah Karagözoğlu, Mette Harbo, Dr. Mehmet Bedii Kaya.

The number of connected IoT systems surpassed the global human population sometime around 2007-2008. Today, there are in excess of 20 billion IoT devices connected to the Internet, and most have little to no security designed into them at all! Estimates suggest that by 2050 there will be in excess of 1 trillion connected devices—many of them employed in healthcare.

With so many endpoints in our hospitals and clinics, how do we even go about tackling this expanded threat landscape? A good start is adopting a risk-based approach to healthcare security.

You can’t assess what you don’t know about, and with such a large number of medical devices and other HIoT systems used across healthcare, identifying even a basic inventory of IoT assets is an almost impossible manual task given the ever-changing number of connected devices.


That’s where tools like Cylera's MedCommand™ platform come in.

Cylera's MedCommand™ platform will identify HIoT assets, perform a full risk analysis of each device and device type, profile the legitimate traffic patterns of each device type for zero-trust security controls, alert on any anomalous traffic detected outside of legitimate traffic patterns, and even automatically remediate discovered risks with compensating security controls via a hospital’s existing network access control and/or firewall technology.

Cylera's Richard Staynings and Timur Ozekcin
Cylera is proud to be a sponsor of the HIMSS Eurasia 19 Conference

Presenting Cybersecurity to the Board

Don’t speak "geek" to the Board or you will receive a cool reception





At some point in our careers, many of us will be called upon to present to the board of directors. This could be to report the findings of an audit, compliance, or risk assessment. It could be to provide an annual or quarterly update on ‘the state of the union.’ It could be to report a recent incident. Or it could be to request support for a new initiative.

Whatever the case, presenting to the board is no straight-forward task—and newbies would be well advised to thoroughly prepare for this kind of appearance, which differs greatly from meetings with the C-Suite, peers, auditors, consultants, and technology professionals.

Board members are elected or appointed by a corporation’s shareholders to represent shareholder interests and to ensure that the company's management acts on their behalf. A board's mandate is to establish policies for corporate management and oversight, making decisions on major company issues. Every public company must have a board of directors, and in healthcare—regardless of whether that health system is "for-profit" or "not-for-profit"—boards almost always govern and provide oversight to the C-Suite.

Hospital board members are drawn from shareholders, investors, independent industry, and cross-industry experts, and often include academics and notable physicians. Overall, they are business people and know how to run a business. Most don’t understand or speak technology—they are from business/finance/physician backgrounds after all. And almost none will speak or comprehend "cybersecurity". In fact, some might even have a difficult time spelling it! They do, however, understand business enterprise risk, profit and loss, and cost of risk acceptance, transfer, and remediation.

When addressing the board, CISOs need to speak in the terms and language that board members understand, rather than the language used to report to the CIO or other members of the C-Suite. Failure to do so will result in the message being lost or largely unheard.

Most board members picked up what little they know of cybersecurity from articles they read in the Wall Street Journal and other periodicals. They lack the technology backgrounds and domain expertise to go deep to understand the technicalities of cybersecurity. So how do you establish a common language and communicate understandable metrics to the board? By translating cybersecurity risks and strategies into business risks and strategies in order to make it relevant to board members. You likely won’t get money for tools to tackle APTs, but you might get money to ensure the business stays up and running following an attack.

Richard Staynings presents to the VA HIMSS Annual Conference this week


This was the subject of a presentation I gave this week to the Virginia HIMSS Annual Conference in Williamsburg, VA, where 300 or so healthcare leaders from across the region gathered to learn and share best practices on healthcare management, technologies, security, risk, and compliance. And of course to raise money in a day of charity golfing at the beautiful Kingsmill Resort.


So what were some of the takeaways?


Make Cybersecurity Part of Broader Enterprise Risk Management:

Use similar language being used to describe other business risks for how you talk about cybersecurity. Senior executives and boards are very familiar with assessing the probability and negative impact of risks, establishing a risk tolerance level, and developing risk management plans. If you use the same approach and terminology, it will help them to understand the big picture and make more informed decisions about the actions you suggest.


Talk about Program Maturity:

Maturity models are embraced by senior management and the board because they are familiar with them from many other programs, like quality management. Use the same tactics and language to discuss cybersecurity.


People, Process, & Technology:

Help senior management understand that cybersecurity requires the orchestration of people, processes, and technology—and that they have a critical role in it. Security practitioners usually fail by myopically focusing on just technologies and tools.


Establish a Culture of Cybersecurity:

Get everyone on-board with the mission to secure the organization; from the Board and CEO all the way to Interns. Buy-in from department leaders is especially important in order to establish cross-functional support for security initiatives.


Standards and Frameworks:

Aligning the security program with a widely used security standard or framework allows you to benchmark the program against other companies and that standard. Inevitably, senior management is going to ask you, “how are we doing against other companies?” If your program can reference the NIST Cybersecurity Framework, ISO27001, or CIS CSC, you will be able to compare the maturity of your program with a broad, diverse group of companies.


Addressing the Board

  • First impressions count, so dress and act appropriately. That means business formal— better to be over-dressed than under-dressed.
  • Research every board member on LinkedIn or in the press.
  • Get coaching from a board member or the CEO to understand what the board is looking for from you.

Define your Purpose

  • What are you there for? Own it!
  • Be succinct, honest, and direct—Corporate Chieftains don’t suffer fools lightly.
  • Coach members on the basics but don’t treat them as fools—they don’t come from your world but they need to be educated on the basics in order to make informed decisions.
  • Avoid the weeds—focus on the big picture and on business benefits, not security details.


Be Prepared

  • If you are lucky you will get 5 to 8 minutes to make your case—plan and use the time wisely.
  • Talk to the CEO or other executives beforehand to ask for tips and advice.
  • Prepare a well written brief and have the CEO’s admin print and bind copies ready for the meeting.
  • Use maturity models and frameworks. This is what board members want to see. This is how they think!
  • Understand how the company compares to others. Saying that something is simply a "best practice" won’t win you support.
  • Anticipate questions—you’ll get lots. Be prepared with smoothly delivered confident answers.
  • Be prepared for politics! Boards have their feuds and sub-agendas - try and see through the fog.


Be Strategic

  • Boards are strategic, not tactical—so stay out of the details. That’s for the C-Suite to understand.
  • Find metrics that tie into your mission for compliance, patient safety, up-time/availability, etc.
  • Talk about reputation—it’s the board’s responsibility to protect it.

Avoid Surprises
  • Boards hate surprises, so provide a pre-brief before the meeting to help them adjust to new information—especially if its bad information.
  • Keep things high-level and strategic—and above all business-focused.
  • Avoid talking about specific technology, types of attacks, and especially acronyms.

End Result
At the end of the day, the board needs to feel confident that you as the CISO know what you are doing, and that the organization is in good hands. Presenting to the board is as much about you building your reputation with them, as it is about your program gaining the active support and sponsorship it needs in order to be successful in protecting the company.

This blog was originally published here
 

AI Will Radically Change Healthcare Security


Cyber-attacks are becoming a major global concern. Not just against nation-states but also for a myriad of critical infrastructure services including healthcare which is firmly in the cross-hairs of perpetrators. Healthcare presents an easy and lucrative target for cyber-attackers for the value of PII, PHI and IP but also and increasingly so for the extortion value of holding sick patients or their medical data to ransom.

It’s no longer just a case of opportunistic criminals and organized crime hiding in remote parts of the world that lack effective local law enforcement, and criminals safe in the knowledge that paid-off officials and a lack of international extradition treaties means that they can continue their pursuits at will. It’s now a case of nation-state cyber-military units attacking other countries for political and economic advantage pushing at the boundaries of cyber war, carefully calculating that their actions will not cause a kinetic or major economic response from those attacked or those shocked and appalled at their actions.

But cyber-attacks are increasingly becoming automated using AI to get past cyber defenses by removing the human constraint factor that causes an attacker to pause for consideration and to prevent an attack from going too far. ‘Offensive AI’ mutates itself as it learns about its environment to stealthily mimic humans to avoid detection. It is the new cyber offensive weapon of choice and will automate responses to defensive measures rather like playing chess with a computer – it learns as it goes!


The author presenting how AI will radically change healthcare security at the HIMSS AsiaPac19 
Annual Conference in Bangkok, Thailand.


We are all used to critically evaluating an image to look for the tale-tale signs of photoshopping or other image manipulation before believing what we see. The same is true for audio recordings – was that really the President saying that or was it an impersonator? What we are not used to is video manipulation – this is new territory for our brains to critically process and evaluate for truth and accuracy. AI is increasingly being used in sophisticated technology to create ‘deepfakes’ where a face is superimposed on someone else’s body or the entire video is computer generated.



But AI’s intent is not just to steal information but to change it in such a way that integrity checking will be difficult if not impossible. Did a physician really update a patient’s medical record or did ‘Offensive AI’? Can a doctor or nurse trust the validity of the electronic health information presented to them? Ransom of patient lives may not be too far away – especially at times of heightened global tensions.

But AI is already being used very effectively for cyber defense across healthcare and other industries. Advanced malware protection that inoculates the LAN and responds in nano-seconds to anomalous behavior patterns. Biomedical security tools that use AI to constantly manage and secure the rising number of healthcare IoT devices as they connect and disconnect from hospital networks. AI-powered attacks will outpace human response teams and outwit current legacy-based defenses. ‘Defensive AI’ is not merely a technological advantage in fighting cyber-attacks, but a vital ally on this new battlefield and the only way to protect patients from the cyber criminals of the future.