Who'd want to be a CISO?

Challenging job, but increasingly well paid

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Security and the Board Need to Speak the Same Language

How security leaders speak to their C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effective

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

Ethics and the Criminal Mind

Few things elicit the question of ethics more than a lawyer chasing an ambulance leaving a road traffic accident, or a hacker targeting a hospital during a global pandemic, but this is precisely what has been happening since February – attacks on hospitals, that is, rather than lawyers chasing ambulances.

The public and government officials alike are outraged that cyber criminals would target health systems during a global pandemic crisis.

Increase in Cyber Attacks
According to the FBI, the number of reported cyber crimes quadrupled in the period December to April compared to the same period last year. The FBI’s Internet Crime Complaint Center, known as the IC3, has been swamped with 3 to 4 times the usual number of calls each day as the COVID-19 pandemic spread across the United States.

Tonya Ugoretz, Deputy Assistant Director of the FBI Cyber Division, reported: "there was this brief shining moment when we hoped that, you know, 'gosh cyber criminals are human beings too,' and maybe they would think that targeting or taking advantage of this pandemic for personal profit might be beyond the pale. Sadly, that has not been the case."

The US FTC has reported that approximately $12 million has been lost to coronavirus-related scams since January. But it’s not just the US that has been targeted. One man in Singapore tried to abscond with €6.64 million from a European pharmaceutical company after taking an order for surgical masks and hand sanitizer that he had no intention of delivering. Thanks to the quick actions of Interpol and the Singapore authorities, the money was returned and the man arrested.

Hundreds of fake domains have been registered by criminals, with names designed to entice the unsuspecting to click a link to a coronavirus news site, a health and well-being site, or a charity site supporting everything from animal shelters for abandoned pets to food banks for the suddenly unemployed. At least one has even purported to be part of the Centers for Disease Control and Prevention (CDC) in Georgia. And there has been a whole range of scam sites set up to supply N95 masks, rubber gloves and other personal protective equipment (PPE), where users place an order never to see any goods, only fraudulent transactions on their credit cards. Many hospitals have also been defrauded in similar ways, receiving sub-par equipment from mainly Chinese manufacturers, or none at all.

Intellectual property theft, especially at hospitals and research institutes investigating the virus or potential vaccines for COVID-19, has also been rife, especially from so-called international partners, some of whom may already have been compromised. Nation-state actors are focused on gathering information about the response of US states to the ongoing pandemic and on the progress of vaccine research, with more than one nation state appearing to be involved.

Healthcare & Medical Research Targeted
Most alarming, though, is a spate of targeted ransomware attacks against hospitals. Last month a number of Czech hospitals and medical research centers were attacked by as yet unknown perpetrators in what is thought to be a combined infiltration-theft and ransomware attack. The attack breached one of the major Czech COVID-19 testing laboratories, at Brno University Hospital in the city of Brno in Moravia. According to Reuters, “The country’s NUKIB cybersecurity watchdog said the attacks, designed to damage or destroy victims’ computers by wiping the boot sector of hard drives.” The similarity with Russian FSB and GRU attacks against Ukrainian and other targets last year would tend to indicate nation-state involvement, as would the boot-sector wiping first attributed to the Russian GRU's 'NotPetya' attacks.

Colorado Medical Center Hit
But ransomware attacks against hospitals have hit closer to home. At least one US hospital has been hit in the past week by ransomware that encrypted its entire EMR system and its local backups. This was not a random broadcast attack but one carefully crafted against a known Pueblo, Colorado hospital with an unpatched perimeter. The hospital and many of its IT systems are still offline at the time of writing, and patient care is still being impacted by the attack.

This represents a daring escalation by cyber extortionists and risks a very real response by the United States. A mere two days before Parkview was hit, Mike Pompeo, the US Secretary of State, warned that there would be "zero tolerance" for such attacks.

"As the world battles the COVID-19 pandemic, malicious cyber activity that impairs the ability of hospitals and healthcare systems to deliver critical services could have deadly results," Pompeo said. "Anyone that engages in such an action should expect consequences," he added.

This marks yet another escalation in government response to cyber attacks against national critical infrastructure. Back in May 2019, the Israel Defense Forces dealt a very firm blow to a cyber gang planning an attack on Israel with an air strike that wiped out the Hamas cyber headquarters, flattening the building and all inside.

The US has also taken out a number of cyber security adversaries with drone-launched Hellfire missile attacks in Syria over the past few years. In fact, the US has reserved the right to retaliate against cyber-attacks with military force since 2011. The prospects, therefore, for those cyber criminal elements that deliberately target US hospitals and medical research facilities obviously don't look too good.

Recovery from Attack
In order to turn the lights back on and restore systems following a cyber attack, a hospital must first eradicate all traces of the ransomware and other malware, then carefully restore data from off-site backup tapes or cloud storage. Before that, however, the malicious exploit and ransomware code must be identified and forensically preserved by law enforcement for later prosecution of the perpetrators, and systems cleaned up and formatted. This can be very time consuming, taking many days, and will of course impact patient care and safety.

Perpetrators also know that, thanks to better backup procedures following WannaCry, victims have comprehensive and disconnected backups of their data and can avoid paying ransoms, which would be illegal in many jurisdictions. Hence they are now executing combined infiltration-theft extortion attacks, as was seen in the Czech Republic. Non-public data is exfiltrated as part of the attack, and when the ransomware clock runs out without a payment being made, the perpetrator releases some protected data to the public internet with a second extortion demand, threatening to release more regulated PII and PHI data. By further upping the stakes against the healthcare delivery systems of the United States and other countries, cyber criminals have perhaps unwittingly invited a kinetic military response for their actions, especially if they reside in parts of the world that lack effective law enforcement or means of extradition.

Containment and Risk Mitigation
While adoption of a Zero Trust security framework and the implementation of network segmentation will severely limit the lateral spread of malware across a hospital network, one of the greatest recovery problems is the identification of sleeper malware, or of extraneous communications by that malware to command-and-control servers. That's where Cylera’s MedCommand software comes into its own, by quickly identifying suspicious network traffic and tracing that traffic back to infected code that can then be eradicated from the network so that restoration of Health IT systems can commence.
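As an added illustration of the command-and-control traffic check described above (example code written for this page, not Cylera's or MedCommand's), the script below flags internal hosts that connect to an external address at suspiciously regular intervals, the beaconing pattern sleeper malware uses to reach its controller. The flow tuple layout, the 10.0.0.0/8 internal range and the thresholds are my assumptions, and the sample flows are constructed.

```python
"""Beacon detection over flow records (added example, not Cylera code).

Assumptions (mine, not from the post): flows are (timestamp_s, src, dst, dst_port)
tuples such as a NetFlow or Zeek conn export would give; 10.0.0.0/8 is the
hospital's internal range; a beacon is a (src, dst) pair with at least MIN_FLOWS
outbound connections whose inter-arrival times are nearly constant.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumed hospital address space
MIN_FLOWS = 6                         # enough samples to judge periodicity
MAX_CV = 0.15                         # coefficient-of-variation threshold (tunable)


def is_external(addr: str) -> bool:
    """True when the address lies outside the assumed internal range."""
    return ip_address(addr) not in INTERNAL


def beacon_candidates(flows, min_flows=MIN_FLOWS, max_cv=MAX_CV):
    """Return {(src, dst): (count, mean_interval_s, cv)} for internal->external
    pairs whose connection timing is regular enough to look like a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in flows:
        if not is_external(src) and is_external(dst):
            by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:            # duplicate timestamps; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg  # 0.0 means perfectly periodic
        if cv <= max_cv:
            hits[pair] = (len(stamps), round(avg, 1), round(cv, 3))
    return hits


# Constructed sample: an infusion pump (10.20.5.17) calling an external host
# every ~300 s with small jitter, a workstation browsing irregularly, and the
# same pump talking to an internal EMR server (ignored, internal destination).
SAMPLE_FLOWS = (
    [(1000 + 300 * i + j, "10.20.5.17", "203.0.113.9", 443)
     for i, j in enumerate([0, 2, -1, 3, 0, 1, -2, 2])]
    + [(t, "10.20.7.40", "198.51.100.20", 443)
       for t in (1005, 1010, 1400, 1405, 1407, 2900, 2950, 4000)]
    + [(1000 + 60 * i, "10.20.5.17", "10.20.1.5", 8443) for i in range(10)]
)

if __name__ == "__main__":
    for (src, dst), (n, avg, cv) in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"possible beacon: {src} -> {dst}  n={n} interval~{avg}s cv={cv}")
```

A hit is a lead for investigation, not a verdict: legitimate devices also poll vendors on a schedule, so the next step is to check the destination against the device's expected vendor endpoints and inspect the flagged host.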

It's just one more use of the Cylera MedCommand system, in addition to its primary objective of identifying healthcare IoT (HIoT) connected assets, profiling and risk-assessing them for security group tag allocation and for network micro-segmentation under Zero Trust. It's also in addition to a recently added feature that allows those responsible for managing medical devices and other HIoT assets to observe device utilization for better allocation of patients to available devices, something that has become critical when medical devices are in short supply and stretched to capacity under a global pandemic.

More about Cylera MedCommand
Many healthcare IT and Security teams are yet to even gain a full understanding of which medical and IoT devices are connected to their network, much less an understanding of their level of risk and susceptibility to different forms of malware. Cylera’s MedCommand is an agent-less solution designed to fill this capability gap. MedCommand provides organizations with a complete, real-time inventory of all connected HIoT devices, an understanding of the vulnerabilities affecting them, information on their configurations and patch levels, and real-time threat detection tailored to each device. Teams can then make use of Cylera’s actionable recommendations and automated micro-segmentation policy generation to proactively protect HIoT devices and provide a missing layer of security to the devices that need it most.


This article was first published here.

Covid-19 kills off 'Surprise' or 'Balance Billing'

Surprise Billing is a major cause of bankruptcy each year

The despised practice by healthcare providers of ‘surprise billing’, where the patient is billed for the gap between what their health insurer regards as a fair and equitable charge for a service and what the medical provider actually charges for it, has been essentially outlawed during the coronavirus epidemic.

The Department of Health and Human Services, which is providing emergency funding to providers during the crisis, has tied millions of dollars in payments to its terms. Those terms state: "For all care for a possible or actual case of COVID-19, the provider will not charge patients any more in out-of-pocket costs than they would have if the provider were in-network, or contracted with the patient's insurance company to provide care.”

The agreement is posted on the HHS.gov page.

"HHS broadly views every patient as a possible case of COVID-19," the guidance states. "The intent of the terms and conditions was to bar balance billing for actual or presumptive COVID-19," an HHS spokesperson said late Friday. "We are clarifying this in the terms and conditions."

Many states have long outlawed the practice of balance billing, but some states have failed to legislate against it.

HHS might have done with fine print what Congress and the White House could not do — despite bipartisan support and public outrage at the practice.


Surprise Billing

Surprise billing often occurs when a patient goes to an in-network hospital for a procedure, but an out-of-network physician or anesthetist involved in the operation attempts to bill the insurer a rate much higher than the agreed-upon in-network rate for his or her services. The insurer declines anything over the agreed-upon rate and the patient is left footing the bill. This leaves the patient, who was unaware of and was never asked to approve any out-of-network services, up the proverbial creek without a paddle.

Balance billing, which can sometimes amount to hundreds of thousands of dollars, is financially devastating for patients and a major cause of bankruptcy in the United States. The practice is outlawed in many states but has yet to be outlawed nationally despite bipartisan support in Congress, thanks in part to the immense corrupting power of the healthcare lobby.

According to patient advocacy groups, certain lobbying groups later revealed to be connected to physician staffing firms owned by profit-driven private equity companies, spent millions last summer to buy political ads that targeted members of Congress who were working on legislation to end surprise billing.

Whether the fault for balance billing lies with insurance companies paying too little to cover procedures, or with some healthcare providers charging more than what insurers call ‘market rates’ for their services, has been the subject of intense debate for years. Lawsuits and several media exposés have embarrassed greedy providers and stingy insurance companies into rectifying their wrongs, but most of the media’s ire has been directed at for-profit health systems that attempt to shift costs from a growing number of Medicare and Medicaid patients, where reimbursements are fixed (take it or leave it), to those with insurance who are not protected by the government from predatory billing practices.

Given the trillions of dollars currently being spent by the government on healthcare through the current epidemic, and the need to invest heavily for future pandemics, federal public health spend is at an all-time high and probably will be for the future. Not since the Second World War has the federal government surpassed insurers and individuals in the funding of critical health services to the American people. Given the rising grey tide of retirees claiming Medicare, and popular support for a universal safety net of public health services among Millennials and others, COVID-19 may have brought about some fundamental changes in health coverage and national health policy.

This story was first published here.

Business Continuity and Securing a Remote Workforce during a Pandemic Crisis

How to survive the transition from two office locations to 25,000 and still remain secure.

The COVID-19 pandemic has critically changed the traditional concept of work for a major part of the workforce, possibly forever, as office staff work from home, and traveling salesmen work opportunities by video conference with customers. But what are the implications of this change for corporate cybersecurity and how can CIOs and CISOs adapt their technology infrastructure and cybersecurity controls to this new reality? These are just some of the questions that my panel was asked to address in a recent virtual cybersecurity conference on the challenges of working through an epidemic.

With ‘Stay at Home’ orders in effect across most of the world, this of course means that many customer-facing businesses are suffering. It’s certainly not a good time to be in the airline, hotel, or restaurant business as nearly everyone stays at home. Similarly, companies that have not completed their migration to the cloud and cloud-based services may be experiencing additional difficulties necessitating that remote staff VPN into the corporate network in order to access legacy client-server systems and applications.

And of course, the COVID-19 pandemic, since its humble beginnings in Wuhan, China, and subsequent spread around the globe, has wreaked massive emotional and economic distress, caused the deaths of thousands and made millions more sick. Whether the recent relaxation of lockdowns in China and elsewhere is a permanent condition or results in a second wave of infections remains to be seen, but the global pandemic will have lasting effects on globalization and on supply chains for critical medical and other supplies. It may also permanently change the way many of us work.


The King is dead. Long live the king!

Is there really a need for companies to continue to rent expensive downtown city offices? Is it really necessary for your employees to sit in their cars for two hours each day commuting to their cube through noxious traffic pollution, or to be confined to a cramped subway or train car with potentially lots of disease-carrying passengers? It took the Spanish Flu 18 months to work itself out, so Trumpian notions of a full return to what was ‘normal’ in a few weeks are unlikely even by the reckoning of the greatest optimists. The bigger question is whether we really want to return to the way things were just for the sake of it. I would suggest not.

Now that the cat is out of the bag, and bosses have seen that their staff work just as well from home, if not more productively than from their office cubes, the argument to keep things the way they are today, suddenly has a lot more weight.


What Questions Should You Ask?

How should you go about securing tens of thousands of staff now working from their patios, dining room tables, or home offices, connecting to your applications and infrastructure via an over-taxed VPN back to the nearest corporate office?

How can you ensure that your staff’s home wireless internet connection is not being snooped upon if they are not encapsulating and sending everything over the VPN? Do you insist that your staff's home network is running WPA2?

Do you even know if split tunneling is enabled in your VPN and what happens when that employee needs to print something to their home printer and has to disconnect from the VPN?

Have you put in place policies for remote access such that staff are expected to update firmware on their $50 cable modem or DSL router and are they even required to change the default password on these devices?

Do you provide your staff with Integrated Services Routers (ISRs) to connect back to corporate and for VoIP calling?

Do you provide staff with a laptop running a locked-down application stack with your security tools installed? Taking home the office workstation may not be an option and trying to purchase laptops in times of mass demand is becoming almost impossible.

Do you allow your staff to use their own (BYOD) computers to access your applications and data, and if so, what do you require in the way of AV, patching and acceptable use on these machines?

These and other questions were put to my team of security subject matter experts who joined me on virtual stage for a special CTG Intelligence conference on remote business working during Covid-19. Their answers and shared insights may help you to prepare for the new ‘normal’ for as long as it lasts.


The panel includes:
Richard Staynings, Chief Security Strategist at Cylera, out of Boulder, CO, USA.
Page Jeffrey, Cyber Security Consultant at Trace3, out of Colorado Springs, CO, USA.
Luke McOmie, CxO Advisor Offensive Security at Coalfire, out of Westminster, CO, USA.
Steve Harrington, Managing Director at Masergy, out of London, UK.
Tanya Walters, Independent Cyber Operations Advisor, out of Phoenix, AZ, USA.
Anthony Dezilva, Dir. CxO Services, out of Scottsdale, AZ, USA.

This story was first published here where comments can be posted on this blog article and the video presentation. 

The growing need for Artificial Intelligence in healthcare

Healthcare needs AI and ML.

The author and other experts discuss the growing need for Artificial Intelligence in healthcare for everything from clinical decision support to administration and revenue cycle to cybersecurity.

Machine learning algorithms are already transforming healthcare and security tools like Cylera MedCommand, but there’s an arms race with cyber-criminals where having the right tools to identify and block an attack is becoming critical.

See the full HIMSS AsiaPac Interview

See also The Impact of AI and HIoT Related Threats from the HIMSS Show Daily

See also AI Will Radically Change Healthcare Security my keynote from HIMSS AsiaPac19

HHS in Targeted Cyber Attack

A recent attack against U.S. Health and Human Services is a lesson to us all to better manage cyber risk in a healthcare environment.

The U.S. Department of Health and Human Services suffered a cyber-attack on Sunday night, according to Bloomberg, that appears to have been purposely intended to disrupt its computer systems and thus undermine HHS’s response to the coronavirus pandemic gripping the country. The attack, which occurred just before midnight, involved overloading HHS servers with millions of hits over several hours and may have been an attempted distributed denial-of-service (DDoS) attack. Initial investigations suggest that the attack may have been the work of a foreign actor. A number of news outlets are pointing the finger at Russia; however, it may take weeks or months of forensic investigation before the attack can be accurately attributed.

The fact is that during a healthcare crisis and a huge influx of sick patients, the resiliency of hospital and clinic IT systems becomes even more important to ensure patient survivability. Recognizing this, and with an expected escalation of threats during a national crisis, HHS had recently implemented an expanded risk-based approach to cybersecurity assessment of threats, vulnerabilities and controls.

“HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities," said Caitlin Oakley, a spokeswoman for HHS.

While this ‘risk-based’ approach to cybersecurity worked in HHS’s favor to protect it from cyber attack and to keep critical services up and running, most health systems are not so lucky. Many are still following a ‘controls-based’ approach to security, ignorant of the actual cyber-risks in their hospitals and clinics from devices they may think are safe from attack, but which have never been tested or even profiled, let alone risk-assessed.

According to an investigation conducted by Cylera last year, more than 90% of US hospitals and clinics do not have a current and accurate inventory of all IT and IoT assets that connect to their networks. This includes not only workstations and servers, but also BYOD devices like personal phones and tablets, network connected building management systems that control elevators and air conditioning, and a rapidly growing number of medical devices, many of which are managed by third-party vendors and have never been patched.

"When your patients are relying upon you to provide medical services and to possibly keep them alive through a pandemic, five, six, or seven nines availability* is an absolute must," said Richard Staynings, Chief Security Strategist with Cylera and HIMSS and AEHIS Cybersecurity Expert. "The last thing you want is for one of your un-assessed healthcare IoT devices to take down an entire hospital building or even a floor of your clinic. The availability of health IT and IoT systems is critical to the way we treat patients in today’s digital healthcare service no matter where you live or where you go to seek treatment or to get help with breathing," he added.

Automated tools like Cylera MedCommand make extensive use of AI and ML to thoroughly risk-assess medical and other devices, so you can understand risks and implement compensating security controls before something bad happens.

MedCommand provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment, including medical devices, enterprise IoT, and operational technology.

Cylera has partnered with leading healthcare providers, experts, and peers to develop one of the most comprehensive and integrated HIoT security solutions available for healthcare.

* Five nines availability indicates the expected uptime of a system, i.e. 99.999% availability (roughly 5 minutes of downtime per year). Similarly, seven nines would be 99.99999% uptime, equating to 3.16 seconds of downtime per year.

This story was first published here.