Cybersecurity Archives | HealthTech Magazines
https://www.healthtechmagazines.com/category/cybersecurity/

Ransomware Preparedness for Healthcare: Enhancing Resilience Amid Growing Threats
https://www.healthtechmagazines.com/ransomware-preparedness-for-healthcare-enhancing-resilience-amid-growing-threats/
Fri, 13 Oct 2023 13:46:00 +0000

By Dilip Nath, AVP & Deputy CIO, SUNY Downstate Health Sciences University

Ransomware attacks have become a significant problem in the healthcare sector. These criminal operations have become a formidable foe that needs a concerted response from healthcare groups. The recent high-profile cyber-attacks on prominent healthcare institutions have highlighted the critical need to tighten cyber security in the healthcare business. Proactive efforts are required since ransomware attacks not only endanger patient data, but also considerably raise the risk to medical care.

Preparing for Ransomware Attacks

In view of the increasing threat of ransomware attacks, healthcare companies must take a proactive approach to preparation. Thorough risk assessments are a critical component of this planning. These evaluations provide the core of ransomware mitigation strategies. At this stage, organizations in the healthcare industry carefully identify system flaws and analyze the associated dangers. Organizations can build a plan for delivering successful mitigation measures by appropriately identifying potential vulnerabilities in their cyber security architecture.

Developing a robust response strategy is also critical to their ransomware preparedness. Healthcare institutions that use this strategy will be guided, as if by a compass, through the turbulent waters of a ransomware attack. In the event of an attack, it provides precise, logical steps that must be taken. This action plan includes procedures for isolating contaminated systems, an efficient reporting method for law enforcement, and an effective patient and staff communication approach. It is impossible to overstate the importance of having a well-organized reaction strategy since it ensures a coordinated and effective response when time is of the essence.

Furthermore, the value of the human aspect in cyber security cannot be overemphasized. Employee training initiatives are a key priority for healthcare firms to equip their first line of defense. These courses provide healthcare personnel with the knowledge and skills to recognize specific ransomware threats. Employees are trained on how to identify phishing emails, which are regularly used as entry points for ransomware attacks, and how to report any suspicious behavior immediately.

Last but not least, proactive security deployment is critical for mitigating ransomware attacks. For this, reliable technologies like firewalls, antivirus software, and intrusion detection systems must be used. These layers of defense increase detection and mitigation, making it more difficult for hackers to infiltrate the system.

Responding to Ransomware Attacks

In the unfortunate event of a ransomware attack, a rapid and well-planned response is critical to reducing damage and regaining control.

Isolating Infected Systems

The first line of defense is to isolate vulnerable systems as quickly as possible. This precaution is required to prevent ransomware from spreading throughout the network. By isolating the susceptible systems, healthcare institutions can limit the attack’s reach and prevent further data compromise. Isolation is the first step in regaining control of the situation.

Collaborating with Law Enforcement

Cooperation with law enforcement is critical when responding to ransomware attacks. Their knowledge and resources aid in the investigation, mitigation, and monitoring of cyber criminals, which helps the overall response and the pursuit of justice while also avoiding new attacks.

Effective Communication with Stakeholders

Managing the aftermath of a ransomware attack necessitates open communication and fast information sharing. Personnel and patients must be informed about the incident’s impact on data security and medical services as soon as possible. Maintaining confidence, managing expectations, and ensuring a coordinated response contribute to a lower overall effect.

Data Restoration from Backups

Reliable data backup and recovery are critical for mitigating the effects of ransomware. They enable data restoration in order to sustain care and minimize long-term impacts. Updated backups serve as a safety net, allowing for recovery without giving in to hackers’ demands and, eventually, resuming normal corporate operations.

Balancing Innovation and Security

While technologies such as generative AI and data modernization have immense potential, it is critical that cyber security is not jeopardized in the process. Given the rapid speed of technological advancement, the healthcare business cannot afford to remain complacent regarding security. Finding this balance is critical because it allows healthcare organizations to adopt developing technology while also ensuring the availability, confidentiality, and integrity of critical data and services.

In this day and age, healthcare must emphasize effective cyber security. This necessitates the deployment of cutting-edge technology, thorough risk analysis, and stringent standards. Leveraging innovation without accepting unnecessary risks is made feasible by improving cyber security while embracing technology. This harmony preserves patient information, maintains trust, and ensures the continuance of healthcare services.


Strategies for Ransomware Preparedness

A comprehensive strategy for ransomware preparation includes several critical tactics:

  • Rigorous Risk Assessment: Identifying vulnerabilities and threats via rigorous assessments is the cornerstone of resilience.
  • Effective Response Planning: Prepare for every ransomware event. Response strategies should be developed and maintained regularly.
  • Employee Education: Ongoing training programs enable employees to proactively spot and resolve hazards.
  • Robust Security Infrastructure: Investing in cutting-edge security practices and technology builds strong protection against cyber threats.
  • Patient-Centric Approach: Maintaining patient trust and resolving patient concerns about data security are crucial in the healthcare sector.
  • Continuous Improvement: Continuous improvement is made feasible by frequently reviewing protection, detection, reaction, and recovery capacities.

Healthcare facilities are becoming vulnerable to ransomware attacks, a major problem that must be addressed immediately. Proactive actions must be taken to build defenses against these dangers in order to protect patient care and the general public’s health. By conducting thorough risk assessments, developing specific response plans, educating employees, implementing advanced security measures, addressing patient concerns, and embracing technology while fortifying cyber security, healthcare organizations can successfully prepare for and respond to ransomware threats. These strategies are critical to ensuring that the healthcare business remains a reliable guardian of patients’ well-being in the face of evolving cyber threats.

Thoughts on Cyber Intelligence and Blockchain
https://www.healthtechmagazines.com/thoughts-on-cyber-intelligence-and-blockchain/
Thu, 26 May 2022 15:08:34 +0000

By Rishi Tripathi, Chief Information Security Officer, Mount Sinai Health System

Cyberattacks occur worldwide almost every day, yet it is challenging to learn the type and target of an attack in real time. A vast amount of cyber intelligence goes untapped; even if it could benefit everyone, companies do not want to share sensitive information broadly. By doing so, they may expose themselves to legal or regulatory scrutiny.

Companies certainly see the need for and benefit of sharing real-time cyber intelligence, if there were a way to share more information without revealing too much. Perhaps we should look at creating a Blockchain-based cyber intelligence platform in conjunction with:

  1. Zero-knowledge proof that separates data verification from the data itself. One party (the prover) can prove to another party (the verifier) the possession or existence of some information without revealing all the detailed information.

  2. Multi-party computation on data sets can reveal how many companies have been impacted by a similar attack without revealing the companies’ details. This method can allow multiple parties to make calculations using their combined data without revealing their input.

  3. Homomorphic encryption allows users to perform computations on encrypted data without first decrypting it, which protects the data and lets users run queries on it to gain insights.

This method may enable—privately and safely—shared, real-time attack metrics, which analytics can use to uncover trends in the attack’s location, type and sophistication. I would encourage further financial and technical studies of this method to ensure its effectiveness and efficiency. More people must collaborate to address this challenge.
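The multi-party computation idea in item 2, as an added example that is not part of the original article: a tally of how many organizations saw each attack type, computed with additive secret sharing so that no participant sees another's input. The company names, attack categories and the honest-but-curious assumption (every party follows the protocol and submits only 0 or 1) are constructed for illustration.

```python
# Added example: additive secret sharing, one simple form of multi-party
# computation. Names and categories are constructed, not from the article.
import secrets

PRIME = 2**61 - 1  # all arithmetic is modulo this prime; counts stay far below it
CATEGORIES = ["phishing", "ransomware", "credential-stuffing"]


def share(value, n_parties):
    """Split `value` into n random-looking shares that sum to it mod PRIME."""
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def secure_tally(private_inputs):
    """private_inputs: {company: {category: 0 or 1}} -> {category: count}.

    Each company only ever hands out shares of its bits, never the bits.
    """
    companies = list(private_inputs)
    n = len(companies)
    # Round 1: every company splits each of its bits and sends share j to
    # company j. inbox[c][k] holds the shares company c received for category k.
    inbox = {c: [[] for _ in CATEGORIES] for c in companies}
    for owner in companies:
        for k, cat in enumerate(CATEGORIES):
            pieces = share(private_inputs[owner][cat], n)
            for recipient, piece in zip(companies, pieces):
                inbox[recipient][k].append(piece)
    # Round 2: each company publishes only the per-category sum of the
    # shares it holds; a single published value reveals nothing by itself.
    published = {c: [sum(col) % PRIME for col in inbox[c]] for c in companies}
    # Anyone can add the published values to obtain the totals.
    return {
        cat: sum(published[c][k] for c in companies) % PRIME
        for k, cat in enumerate(CATEGORIES)
    }


SAMPLE = {  # constructed inputs: 1 means "we saw this attack type"
    "hospital-a": {"phishing": 1, "ransomware": 0, "credential-stuffing": 1},
    "hospital-b": {"phishing": 1, "ransomware": 1, "credential-stuffing": 0},
    "clinic-c": {"phishing": 0, "ransomware": 0, "credential-stuffing": 0},
    "payer-d": {"phishing": 1, "ransomware": 0, "credential-stuffing": 1},
}

if __name__ == "__main__":
    print(secure_tally(SAMPLE))
```

The totals are exact, but privacy holds only while fewer than all other participants pool their shares, and a participant that submits a value other than 0 or 1 can skew the count; a production design needs input validation on top of this.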

Companies worldwide may be able to share real-time data about cyberattacks, while using a key to protect details. Sharing the keys can also become a path to commercialization, where attack details are transmitted via smart contracts with agreed-upon customers, government agencies, and regulators. 

Currently, no major player is utilizing Blockchain to share intelligence and trends around cyberattacks. They still use legacy information-sharing methods—often outdated or inaccurate—utilizing data exchange or Application Programming Interface (API).

The establishment of this type of Blockchain could directly connect to a company’s cybersecurity defense infrastructure, which can ingest relevant pieces of information flowing through the Blockchain—protecting the company from new types of cyberattacks.

In cybersecurity, once you’re able to gather verifiable, accurate information about cyberattacks, it becomes extremely valuable to ingest that information into existing technologies deployed to protect the company. 

This method may crowdsource cyberattack defenses. Attacks seen in one part of the world on an individual computer could be transmitted almost in real time using Blockchain. This global communication could allow defensive measures to be set up in near real time. Global sharing can thwart the creation of new hacking groups, as their initial attacks will not succeed, and they will require more time to grow.

Exciting trends and new technologies are emerging to help address cybersecurity challenges, Blockchain being one of them. Several use cases come to my mind involving Blockchain and cybersecurity. For example, the above approach can also be utilized to safely share data with the third parties a company does business with; other combinations of Blockchain and Cryptography may provide unique use cases in cybersecurity.

The best solution may vary by person and organization. Instead, I encourage provoking conversation that, perhaps, inspires others to develop leading-edge solutions to solve cybersecurity issues that were once difficult and challenging years ago—well before the technological and innovative advances we are able to leverage today.

Nearly Free Cybersecurity Improvements
https://www.healthtechmagazines.com/nearly-free-cybersecurity-improvements/
Mon, 16 May 2022 14:03:06 +0000

By Steve Leblond, VP of IS Operations – COO – IS Division, Ochsner Health

Improving an organization’s cybersecurity posture often involves an investment of significant time and dollars. Whether it be a new tool to scan for threats or an off-network backup solution, the capital and operational expenditures often leave organizations struggling to invest in a comprehensive protection portfolio. So, while you are saving up for that next revolutionary cyber tool, here are five “nearly” free things your organization can do to better protect your technology and data assets.

The first thing you should do is move to at least 10-character passwords with complexity (12 would be even better). There are many charts that show how long it takes to crack eight-character passwords with complexity; the consensus is about eight hours. With more computing power becoming available regularly, that shortens every day. My experience with a hacking team I once hired proved the time to decipher an eight-character password from one of our users was 55 seconds. By comparison, a 10-character complex password currently takes four to five years to crack. More characters add exponential time to brute force cracking attempts. Remember, given enough time, all passwords can be brute forced. Your goal is to make that time impractical for your adversary. And eight-character passwords are so 2004. We are all going to end up with longer passwords eventually, so what are you waiting for?


Secondly, patch your systems. One of the largest components of every organization’s cybersecurity risk is unpatched systems. Research has shown that 60 percent of cybersecurity breaches involve a vulnerability for which a patch is available but not applied. Think about that for a moment—you have the solution in your hand, you just haven’t used it yet. The primary reason that patches don’t get installed in organizations is that the IS team needs to stop an application that your operational employees use to apply the fix, thereby disrupting operations. Creating a patch window for your IS team and telling your operations that there will be downtimes during that window can significantly increase your cyber posture. That window can be after hours if needed. Believe it or not, almost every IS professional will work off hours to do this as they know it is important work and they want to protect their organization. They just need the support and permission to do so.

Third, host an all-employee cybersecurity awareness webinar. It doesn’t have to be lengthy; 30 minutes will do. Employees need to know that they are the front line to protecting the organization. You can no longer think it won’t happen to you. In fact, you should be thinking it will happen to you (because it will). And most likely, it will be one of your employees that enabled it, whether through susceptibility to a phishing email or social engineering. You need employees to refrain from clicking any links from external emails. Also, they should not re-use passwords. Their work password should be distinct from any other password they use in their lives. Next, they should never give their password to anyone, even to their own IS personnel (we don’t need their passwords, ours work for what we need to do). Lastly, if they fall victim, they need to know they should notify their IS and Cybersecurity personnel. After your employees’ cybersecurity webinar, ensure your new employee onboarding process covers the same information. A knowledgeable workforce is an excellent prevention against cyberattacks.

Fourth, reduce your administrative accounts and privileged access. Both local and domain accounts allow users to install software. Some organizations allow all their employees to have these privileges, which is a very precarious position. In that instance, any one of your employees clicking a malicious link will allow ransomware to easily install on your environment. A properly controlled organization will have less than two percent of its employees with these accounts, primarily a subset of your IS personnel. Employees should work with those IS professionals when they need to install software; the extra step to accomplish that software install protects your organization. Also, your IS personnel should know what every one of those local and domain accounts is for and review them frequently to ensure no one creates an unknown malicious account and uses it against you. If they cannot explain every one of them, you are at risk.
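One way to run the recurring review described above, as an added example that is not from the article: compare the current list of privileged accounts with the previous review and with the documented inventory, and check the share of employees holding such accounts against the two percent figure. All account names, employee IDs and the headcount are constructed.

```python
# Added example: recurring review of privileged accounts. Data is constructed.

def review_privileged(current, previous, inventory, headcount, target=0.02):
    """current/previous: lists of {"account": str, "holder": employee id or None}.
    inventory: {account: documented purpose}. Returns the review findings."""
    cur = {a["account"] for a in current}
    prev = {a["account"] for a in previous}
    documented = set(inventory)
    # Distinct employees holding at least one privileged account
    # (service accounts have no holder and are not counted as employees).
    holders = {a["holder"] for a in current if a["holder"]}
    share = len(holders) / headcount
    return {
        # Accounts nobody has documented a purpose for: explain or remove.
        "unexplained": sorted(cur - documented),
        # Accounts that appeared since the last review.
        "new_since_last_review": sorted(cur - prev),
        # Inventory entries with no matching account: clean up the inventory.
        "documented_but_absent": sorted(documented - cur),
        "privileged_share": share,
        "within_target": share < target,
    }


PREVIOUS = [  # constructed snapshot from the last review
    {"account": "adm-jlee", "holder": "E1001"},
    {"account": "adm-mkhan", "holder": "E1002"},
    {"account": "adm-rortiz", "holder": "E1003"},
    {"account": "svc-backup", "holder": None},
]
CURRENT = [  # constructed snapshot from today
    {"account": "adm-jlee", "holder": "E1001"},
    {"account": "adm-mkhan", "holder": "E1002"},
    {"account": "svc-backup", "holder": None},
    {"account": "WS-0412/localadmin", "holder": "E2207"},
    {"account": "adm-temp01", "holder": None},
]
INVENTORY = {  # constructed documentation kept by the IS team
    "adm-jlee": "domain administration",
    "adm-mkhan": "server patching",
    "adm-rortiz": "database administration",
    "svc-backup": "backup agent service account",
}

if __name__ == "__main__":
    for key, value in review_privileged(CURRENT, PREVIOUS, INVENTORY, 400).items():
        print(key, value)
```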

Fifth, ensure your Employee Discipline and IS policies reference each other. Your employees need to know that repeated breaches of your IS policies will result in formal discipline. If we harken back a bit, we can all understand that an employee who consistently leaves an unlocked cash box on top of a desk after being told not to would eventually have their responsibilities changed or be disciplined. However, we tend to think that those that repeatedly click phishing emails or install malicious software on company computers are just victims of circumstance. In this day and age the latter creates far more risk to your organization than the former. And while I know disciplining employees for repeated, undesired behavior is never something we look forward to, sometimes you need to either reassign the employee or let them be successful at something else. Lack of addressing repeated poor cybersecurity behavior accepts a great deal of enterprise risk.

So, while clinking coins into your piggy bank for your next big leap forward in cybersecurity, remember these five “nearly” free cybersecurity improvements that you and your team can do to minimize the likelihood that you are the next victim. We all like flashy new tools, but good cybersecurity posture is often the result of good IS practices and good employee behavior.

The Need for Enhancing Cybersecurity Awareness Training Programs in Healthcare
https://www.healthtechmagazines.com/the-need-for-enhancing-cybersecurity-awareness-training-programs-in-healthcare/
Thu, 12 May 2022 13:52:26 +0000

By Dr. Mauricio Angée, CISO, University of Miami Health System

Healthcare organizations have been experiencing an uptick in the number of security breaches since the start of the COVID-19 pandemic. While pre-pandemic cybersecurity was mainly focused on fortifying the network perimeter defenses, the pandemic required Information Technology (IT) and cybersecurity teams to quickly adapt to the new normal, the remote workforce. Healthcare workers were also required to adapt, driving the need for them to rely more on technology, such as telehealth, to provide patient care while aiming to offer the same level of service. There is no doubt that the velocity with which healthcare organizations needed to provide solutions to the remote workforce was unprecedented. IT teams were front and center as business enablers in providing remote workers access to corporate networks expeditiously, while ensuring the security and availability of patient support systems was maintained in accordance with security policies.

The healthcare industry continues its transformation and innovation journey to provide high-quality patient-focused care and also to provide more efficient, faster and cost-effective healthcare services. However, new technologies cannot be deployed without considering the potential unknown cyber risks introduced to an organization. Some of the most recent security breaches in healthcare have been the result of targeted phishing email campaigns, which resulted in breaches of security exposing millions of patient records, and even opened the door for successful ransomware attacks. In 2017, HHS entered into a resolution agreement with a covered entity due to a violation of policy for the proper destruction of protected health information (PHI) records. In 2019, OCR launched an investigation against a GA ambulance company, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR discovered a failure to implement HIPAA Security Rule policies and procedures, and a lack of security awareness training programs. The HIPAA Security Rule, Sanction Policy 164.308(a)(1)(ii)(C), requires covered entities to apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.


The Challenges

Employees’ actions are often viewed as being a greater security risk in an organization. Recent security industry threat reports have concluded that one factor which has contributed to cybercriminals being able to penetrate corporate networks, which resulted in security breaches, was employees not following corporate security policies. Although the implementation of a security policy may improve the overall security posture of an organization, policies may not be effective if employees fail to comply. While I can agree with the fact that behavior adjustment is an essential part of any cybersecurity program, many technologies using AI are being developed to identify users’ misbehavior and take action to detect, protect and prevent security incidents. Security misbehavior can be broadly defined as the set of users who violate security policies, which leads to unauthorized access, security data breaches, or ransomware attacks. For over a decade, practitioners and researchers alike have emphasized the need to evaluate computer users’ security behaviors to develop and implement more secure information systems to mitigate risks. This problem has been looked at from many angles, including user awareness of security policies, security education, training, and awareness programs, computer monitoring, behavior intentions, users’ accountability, felt-responsibility, attitudes towards compliance with security policies, etc.; however, the problem still exists. A recent report found that healthcare workers are lacking cybersecurity training. Many healthcare workers don’t know or don’t understand the organization’s security policies, or they feel that cybersecurity policies may hinder their ability to provide patient care. This is a problem that poses a great risk to organizations, patient care, and patient safety.

Some organizations have invested in cybersecurity awareness solutions based on phishing simulation campaigns that help employees recognize dangerous phishing emails, aiming to educate and change users’ behaviors. The question is: are these solutions really working? Are we overloading our healthcare workers with training requirements that may not represent the real world?

The Balance

Security is a delicate balance between the risks and the security controls. If the controls are too lax, the risk is high. On the other hand, if the controls are too stringent, the risk is low, but this may lead users to circumvent security controls and put organizations at high risk. There will always be tension between security controls and computer users (“users”). While security is important to ensure the protection of information and maintain a patient safety environment, users often perceive security controls to be an impediment, which often leads to violation of the organization’s security policies, putting the organization at risk of potential security breaches. Some security researchers and IT professionals argue that cybersecurity is purely a technology issue. Others argue that cybersecurity management is a multifaceted domain that should be approached from many different directions, including technology strategy and human behavior.

Best Practices

The HIPAA Security Rule (Section 164.308 (a)(5)(i)) requires a covered entity or business associate to implement a security awareness and training program for all members of its workforce (including management). One size doesn’t fit all! Thus, cybersecurity awareness programs must be carefully planned, with an understanding of the audience, and developed as role-appropriate security awareness programs where individuals are cognizant of the consequences of their actions and how easily one click on an inappropriate link can compromise an entire network, which may ultimately lead to the compromise of patient records or, even worse, open their organizations to ransomware attacks. In addition, healthcare organizations must develop and implement targeted/tailored security awareness training programs that promote responsibility and accountability that will help employees adjust their attitudes towards cybersecurity policy compliance. After all, “security is everyone’s responsibility.”

Defense in Depth – A Strategy for Today
https://www.healthtechmagazines.com/defense-in-depth-a-strategy-for-today/
Tue, 10 May 2022 14:11:36 +0000

By Derek Sliger, Sr. Director Information Security, Children’s Health

Defense-in-Depth, a concept to employ technical security controls in a layered manner throughout an information system’s deployment, is not a new concept. The goal is simple. If a vulnerability is exploited, minimize the damage that may result. Many years ago, a traditional architecture was comprised of an internal network, a perimeter firewall with a demilitarized zone (DMZ) with an Internet connection. Today’s architecture includes on-prem, cloud, and 3rd party locations.

In today’s world, we have to incorporate non-technical components, such as Cyber Security Awareness and Training, into a complete defense-in-depth solution. What are the fundamentals? Every company has different architectural implementations. That said, there are principal architectures, technologies, and non-technical aspects that can be employed within a complete defense-in-depth environment.

Email Security

For many years, delivery of malicious payloads via email has been at the top of every Information Security professional’s most feared “what keeps me awake at night?” list. Knowing that email is the number one method of exploitation, the primary concentration to combat bad actors is to stop that at the front door. It is very important to implement an email protection program that detects and stops SPAM; quarantines or deletes detected malicious content in file attachments or hyperlinks; employs isolation services for hyperlinks in emails, and includes security awareness training. One of the most effective methods of protection related to email is awareness training for your employees. Implement white-hat phishing within your organization. 

Secure Architecture

At the root of secure architecture is the principle of least access. Only allow systems to communicate on what is necessary for operations. No matter where you are in the maturity of this principle, you must have a plan in place to achieve systems only communicating on the ports and protocols that are necessary. Today’s computing environments have many facets (internal network, DMZ, cloud, virtual environments, etc.), therefore the solution is very dynamic.

Many of the top vendors on the infrastructure and virtual sides offer micro-segmentation capabilities. Micro-segmentation must also be combined with other network access controls. From a priority perspective, start with your primary networking infrastructure; industrial controllers; shared application services such as email, DNS, NTP, etc.; systems providing public services; and then critical business applications. This will be a learning experience, and at times you may even have to back out configurations as you determine there were other necessary communications that you were not aware of. Incrementally, step-by-step, start provisioning micro-segmentation and access controls within your company to limit all lateral movement to only what is necessary.
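A dry run of a segmentation allowlist against observed traffic, as an added example that is not from the article, shows before enforcement which flows the policy would block, so that necessary communications nobody knew about surface without a rollback. The zone names, address ranges, allow rules and flow records are all constructed.

```python
# Added example: test a zone-to-zone allowlist against observed flows before
# enforcing it. Zones, rules and flows are constructed for illustration.
import ipaddress
from collections import Counter

ZONES = {
    ipaddress.ip_network(cidr): zone
    for cidr, zone in {
        "10.10.0.0/24": "shared-services",   # DNS, NTP, mail relay
        "10.20.0.0/16": "clinical-apps",
        "10.20.50.0/24": "medical-devices",  # more specific than clinical-apps
        "10.30.0.0/16": "workstations",
        "192.0.2.0/24": "dmz",
    }.items()
}

# Only these (source zone, destination zone, protocol, port) tuples are allowed.
ALLOW = {
    ("workstations", "shared-services", "udp", 53),
    ("workstations", "shared-services", "udp", 123),
    ("workstations", "clinical-apps", "tcp", 443),
    ("clinical-apps", "shared-services", "udp", 53),
    ("medical-devices", "clinical-apps", "tcp", 443),
    ("dmz", "clinical-apps", "tcp", 8443),
}


def zone_of(ip):
    """Map an address to its zone using the most specific matching range."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in ZONES if addr in net]
    if not matches:
        return "unknown"
    return ZONES[max(matches, key=lambda net: net.prefixlen)]


def dry_run(flows):
    """Return [(rule_key, hits)] for flows the allowlist would block,
    most frequent first. Each entry is either lateral movement to stop
    or a necessary communication the policy is still missing."""
    blocked = Counter()
    for src, dst, proto, port in flows:
        key = (zone_of(src), zone_of(dst), proto, port)
        if key not in ALLOW:
            blocked[key] += 1
    return sorted(blocked.items(), key=lambda kv: (-kv[1], kv[0]))


FLOWS = [  # constructed flow records: (source, destination, protocol, port)
    ("10.30.1.15", "10.10.0.5", "udp", 53),
    ("10.30.1.15", "10.20.4.8", "tcp", 443),
    ("10.30.1.15", "10.30.2.20", "tcp", 445),   # workstation to workstation
    ("10.30.7.9", "10.30.2.20", "tcp", 445),
    ("10.20.4.8", "10.10.0.6", "udp", 123),     # app server time sync, not yet allowed
    ("10.20.50.9", "10.20.4.8", "tcp", 443),
    ("192.0.2.10", "10.20.4.8", "tcp", 8443),
    ("192.0.2.10", "10.30.1.15", "tcp", 3389),  # DMZ reaching a workstation
    ("10.20.4.8", "198.51.100.7", "tcp", 443),  # destination outside known zones
]

if __name__ == "__main__":
    for key, hits in dry_run(FLOWS):
        print(hits, key)
```

In this constructed data the NTP flow from the application server is the kind of necessary communication the allowlist missed, while the workstation-to-workstation and DMZ-to-workstation flows are what the policy is meant to stop.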

Vulnerability Management

Another fundamental in-depth protection is to keep your systems up-to-date with operating system and application security patches. Work with your business and application owners to establish formal maintenance/downtime schedules. Keeping systems patched is a mandatory piece of a defense-in-depth program. Establishing known maintenance schedules builds assurance across the organization that we do have the ability to bring systems down. Place priority from a patching perspective in this order: public infrastructure, systems providing public services (content, application, and database), internal infrastructure, critical applications, and then secondary applications. For all systems that are publicly accessible or providing public services, remediate all vulnerabilities with priority on exploitable vulnerabilities. For internal systems, concentrate on exploitable vulnerabilities by risk.
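The patching order described above, turned into a remediation queue as an added example that is not from the article. The finding IDs, tier labels and risk scores are constructed, and two choices are assumptions of this example: exploitable findings are ranked first within each tier, and non-exploitable findings on internal systems go to a backlog rather than being dropped.

```python
# Added example: order scan findings by the article's patching priorities.
# Finding IDs, tiers and risk scores are constructed placeholders.

TIER_ORDER = [  # the order given in the article
    "public-infrastructure",
    "public-services",
    "internal-infrastructure",
    "critical-application",
    "secondary-application",
]
PUBLIC_TIERS = {"public-infrastructure", "public-services"}
RANK = {tier: i for i, tier in enumerate(TIER_ORDER)}


def remediation_plan(findings):
    """Return (queue, backlog) as lists of finding IDs.

    Public tiers: every finding is queued, exploitable ones first.
    Internal tiers: exploitable findings are queued by risk; the rest
    wait in the backlog (an assumption of this example).
    """
    queue, backlog = [], []
    for f in findings:
        if f["tier"] not in RANK:
            raise ValueError(f"unknown tier: {f['tier']}")
        if f["tier"] in PUBLIC_TIERS or f["exploitable"]:
            queue.append(f)
        else:
            backlog.append(f)

    def order(f):
        # Tier first, then exploitable before non-exploitable, then highest risk.
        return (RANK[f["tier"]], not f["exploitable"], -f["risk"], f["id"])

    return (
        [f["id"] for f in sorted(queue, key=order)],
        [f["id"] for f in sorted(backlog, key=order)],
    )


FINDINGS = [  # constructed scan output
    {"id": "F1", "tier": "secondary-application", "exploitable": True, "risk": 9.8},
    {"id": "F2", "tier": "public-services", "exploitable": False, "risk": 5.0},
    {"id": "F3", "tier": "public-infrastructure", "exploitable": False, "risk": 4.0},
    {"id": "F4", "tier": "internal-infrastructure", "exploitable": True, "risk": 7.5},
    {"id": "F5", "tier": "public-services", "exploitable": True, "risk": 8.1},
    {"id": "F6", "tier": "critical-application", "exploitable": False, "risk": 9.0},
    {"id": "F7", "tier": "internal-infrastructure", "exploitable": True, "risk": 9.1},
    {"id": "F8", "tier": "public-infrastructure", "exploitable": True, "risk": 6.5},
]

if __name__ == "__main__":
    queue, backlog = remediation_plan(FINDINGS)
    print("queue:", queue)
    print("backlog:", backlog)
```

Under this ordering the highest-scoring finding in the sample, F1 on a secondary application, is patched last, after lower-scoring findings on public systems, which is the consequence of ranking by exposure tier before raw score.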

Endpoint Security

In the past, anti-virus protection was based on known signatures. Today that is still necessary, but it is only a part of the overall endpoint security solution. As part of a defense-in-depth deployment, the fundamental components of an endpoint protection program are the following. The endpoint solution still includes protection against common known vulnerabilities. In addition, it includes protection against both application and browser-based exploits. Endpoint tools today also detect user behavior; this is referred to as User Based Analytics (UBA). UBA consists of monitoring a user’s behavior, establishing a baseline, and, when something happens outside that baseline, either stopping that behavior or alerting on it. Endpoint tools should also have the ability to import threat intelligence for known indicators of compromise (IOCs) and, when these are detected, to stop or alert on that detection. Endpoint controls should include host-based intrusion detection/prevention. Needless to say, the endpoints are where the average user is computing, where they are reading emails with files and hyperlinks, surfing the Internet, downloading files, etc. Therefore, implementing very dynamic endpoint controls is an absolute necessity.

Cyber Security Awareness and Training

Though this is not an architectural or direct security control, it is as important as either of these. All companies must train their employees on the behavior expected of them when handling company electronic information. This includes formal training on email protection; being aware of who senders of emails are; not opening files or links from senders they are not aware of or were not expecting; how to use isolation services; and how to report suspicious emails. Employees need to be trained on which company data stores are approved, how to use them, and to use only those approved data stores. A comprehensive program will include white-hat phishing testing, and additional training for those that fail phishing testing. Employees that routinely fail phishing testing should be assigned mandatory training and/or disciplinary actions.

In conclusion

Defense-in-depth incorporates three primary areas: architecture, technical controls, and non-technical processes. This article provides the fundamental principles, components, and some very quick areas to address. Information Security today is dynamic and will change tomorrow. Establish a security plan and adapt as new challenges arise. It is better to have a strategic goal and begin implementing items as you can. With slow wins, over time, you incrementally accomplish your goal.

Private Cyber Battlespace https://www.healthtechmagazines.com/private-cyber-battlespace/ Mon, 04 Apr 2022 12:16:28 +0000

By Christopher Baldwin, System Director, Information Security, Hartford HealthCare

My previous article on the Cyber Maginot Line explained how any cybersecurity strategy that does not realistically consider the possibility of compromise, however fortified and well-conceived, is dangerous. News media regularly report on a lack of adequate cybersecurity preparedness throughout the nation. Large and small companies must defend against cyber-attacks perpetrated by sophisticated threat actors (TA). According to the Global Threat Report 2022 by CrowdStrike, there was an 82% increase in ransomware-related data leaks last year. This article explores strategies for expanding layers of cyber safeguards that are now essential given today’s threat landscape.

Private Cyber Battlespace

Military strategy is an appropriate analog for cybersecurity. Foreign criminal enterprises and nation-states are perpetrating many of today’s sophisticated cyber-attacks. In modern warfare, the term ‘battlespace’ depicts a unified military strategy to integrate and combine armed forces in a military theatre of operation, combining air, information, land, sea, cyber and outer space to achieve military objectives.  

The concept of a private cyber battlespace is one way to conceptualize an effective cybersecurity strategy. This paradigm implies a broad array of safeguards to reduce the overall cyber-attack surface of an organization and thwart an advanced cyber-attack at any point along the pathway of the attack.

Defend in the Cloud

At the outermost perimeter, keep “the battle” away from the network(s) where the most sensitive assets are located. Tactics can be employed to expand the defensive perimeter so that cybersecurity workloads execute in the Cloud. Web browsing and links in email messages can be inspected, filtered and, if necessary, blocked in the Cloud with tools such as browser isolation and URL rewriting. Domain Name System (DNS) filtering allows for Cloud inspection and blocking of “known bad” websites. These techniques enable threats to be blocked without ever reaching a network firewall. Much like the defensive perimeter the Navy establishes with a battlegroup around an aircraft carrier, threats are kept distant from the most valuable assets.

Defend the perimeter

Defending the immediate network perimeter with a firewall is a basic cybersecurity safeguard. But building an effective perimeter strategy requires a thorough assessment of all means of ingress and egress to understand the vulnerabilities in network fortifications. There is no need to find a way through the firewall if a user’s personal computer can be hacked in their home through a virtual private network (VPN) connection. This is an acute concern given the current work-at-home paradigm. Contemporary standards for perimeter security now include next-generation firewalls, multifactor authentication (MFA), and mobile device management (MDM) software for cell phones and tablets. Zero trust is now a common term used to denote the concept that highly reliable authentication techniques must be established before “trust” is granted and access is allowed through any perimeter defense.

Detect and eradicate threats on the inside

What if the unthinkable happens? An advanced TA gains access to a private network and executes a “cyber kill chain” attack, a term coined by Lockheed Martin in 2011. The kill chain begins with penetration and access to a network-connected device. Command and control (C2) is established to the TA’s external C2 server on the Internet from which the attack can be directed. The TA conducts reconnaissance to locate the network’s most sensitive assets and proceeds to move laterally and escalate the level of privileged access using techniques such as “pass the hash” and remote desktop (RDP). Finally, the TA deploys ransomware, exfiltrates valuable data and gains control over sensitive technology assets.

Building an effective defense against this level of attack starts with a realistic assessment of vulnerabilities relative to the cyber-kill-chain scenario and with developing and deploying countermeasures. Preparedness starts with basic cybersecurity hygiene, including patch management, elimination of end-of-life technology, and education to foster a security culture. But today’s advanced TA leverages standard utilities – referred to as “living off the land” – that do not contain software flaws and necessitate more advanced defensive tactics. Network segmentation is an important network design concept that can minimize the TA’s movement once inside the network. Much like transverse bulkheads in ships that prevent the movement of water after a breach, network segmentation techniques quarantine and restrict lateral movement of the TA in the network. Advanced endpoint detection and response software uses artificial intelligence (AI) to detect and eradicate sophisticated malware. Of paramount importance is having an incident response apparatus that is capable of the critical response and recovery actions.
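To make the bulkhead analogy concrete, the following added example (not from the article) audits flow records against a default-deny segmentation policy and flags peer-to-peer remote-administration traffic inside a segment, the pattern lateral movement over RDP tends to produce. The subnets, segment names, allowed rules, and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment layout (assumption for illustration).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "clinical_servers": ipaddress.ip_network("10.20.0.0/16"),
    "admin_jump": ipaddress.ip_network("10.30.0.0/24"),
    "medical_devices": ipaddress.ip_network("10.40.0.0/16"),
}

# Default deny between segments: only these (source, destination, port)
# combinations are permitted. Rules are constructed for the example.
ALLOWED = {
    ("workstations", "clinical_servers", 443),
    ("admin_jump", "clinical_servers", 3389),
    ("admin_jump", "clinical_servers", 22),
    ("clinical_servers", "medical_devices", 2575),  # device interface port (constructed)
}

# Remote-administration ports that are suspicious between peers.
LATERAL_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}
# Segments whose members have no business administering each other.
PEER_WATCH = {"workstations", "medical_devices"}


def segment_of(ip):
    """Map an IP address to its segment name, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, network in SEGMENTS.items():
        if addr in network:
            return name
    return "unknown"


def audit_flows(flows):
    """Return (src, dst, port, reason) for each flow that breaks policy."""
    findings = []
    for src, dst, port in flows:
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if "unknown" in (src_seg, dst_seg):
            findings.append((src, dst, port, "unmapped_address"))
        elif src_seg != dst_seg:
            if (src_seg, dst_seg, port) not in ALLOWED:
                findings.append((src, dst, port, "segmentation_violation"))
        elif src_seg in PEER_WATCH and port in LATERAL_PORTS:
            findings.append((src, dst, port, "peer_lateral_" + LATERAL_PORTS[port]))
    return findings


# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.1.5", 443),    # workstation to EHR over HTTPS: allowed
    ("10.10.4.21", "10.10.7.88", 3389),  # workstation to workstation RDP
    ("10.10.7.88", "10.20.1.5", 445),    # workstation to server SMB: no rule
    ("10.30.0.9", "10.20.1.5", 3389),    # jump host to server RDP: allowed
    ("10.10.7.88", "10.40.2.2", 23),     # workstation to medical device: no rule
    ("10.10.4.21", "10.10.4.30", 443),   # same segment, not an admin port
    ("192.0.2.50", "10.20.1.5", 443),    # source outside every known segment
]

if __name__ == "__main__":
    for src, dst, port, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {reason}")
```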

Testing

Testing is critically important. Unless defenses are regularly tested, there could be unforeseen flaws stemming from misconfigurations or heretofore unknown vulnerabilities. Red and purple teams are “ethical hackers” that probe and test cyber defenses. These teams formulate attack strategies just like an actual TA. Given pre-established boundaries, they attack and attempt to penetrate. They provide invaluable learning for the cybersecurity team. In addition, they foster an improved understanding of how cyber defenses will stand up to a real-world attack.

Conclusion

This article describes a framework – a private cyber battlespace – to help understand what is needed to thwart advanced cyber threats. These cybersecurity challenges can seem overwhelming. An effective cybersecurity program starts with conceptualizing a strategy that includes a layered array of defenses at all points along the TA’s cyber kill chain and prioritizes investments in safeguards based upon an accurate assessment of an organization’s underlying cyber risk.

Healthcare Cybersecurity – “Building an IT Security & Awareness Culture” https://www.healthtechmagazines.com/healthcare-cybersecurity-building-an-it-security-awareness-culture/ Wed, 30 Mar 2022 14:55:01 +0000

By Brian A. Shea, CIO, MedOne Hospital Physicians

I have been in healthcare IT for over half of my almost 30 years in IT. Healthcare definitely has its uniqueness compared to other industries; however, it is not unique in the fact that everything can be broken down into three key areas: people, process and technology. Cybersecurity will always be a moving target for organizations, especially healthcare. I believe that the most important thing within any organization is building an IT security and awareness culture. I have stated throughout my career that security is not something that you can simply turn on/off—it needs to be a part of every individual and organization’s DNA.

The overall objectives in building an IT security and awareness culture in healthcare come down to three things:

1. Protecting patient, company and employee data
2. Continual risk mitigation
3. Regulatory compliance

Threats

Threats come from all sorts of directions, including everything from foreign countries, organized crime, employees, vendors, terrorists, etc. The majority of threats are primarily about financial gain or causing disruption or both. The unfortunate thing is that most threats are initiated through employees (people) who inadvertently open or click on something they shouldn’t have. People are your biggest weakness within any organization.

Technology

I’m not going to spend a lot of time on any specific IT security technology. It is critical that your organization is continually evaluating and implementing a solid IT Security Technology Stack. I believe it starts with developing a Security Scorecard against current IT security best practices. You can use the Scorecard to help build your plan of attack or strategy for continued risk mitigation. The Scorecard would include everything from Endpoint Protection and Multifactor Authentication (MFA), to Data Loss Prevention (DLP) and IT Security Awareness Training. There will always be new vulnerabilities that can be exploited, accompanied by new security software that provides various protections. From my experience, it has always been about layering and finding the balance of what is “good enough” without breaking the bank. Technology is critical in taking decision points out of individuals’ hands. Simply put, you need a solid IT Security Technology Stack that attempts to provide visibility or prevent the bad things from ever happening; and if something bad does happen, allows you to minimize the damage and ultimately recover from an incident.

Process & People

Technology is accessible compared to the process and people aspect of building an IT security awareness culture. As mentioned in the beginning, security needs to be a part of your organization’s DNA. What does that mean? It means that it has to become automatic or baked in. You want people to have an awareness and ask questions. If they are unsure of something, they need to err on the side of caution. It is important that an organization create an ongoing IT Security and Awareness Program. This includes providing tools and knowledge not only when employees start working for your organization, but over the entire relationship. This should again be a layered approach, i.e., security awareness emails and training videos, etc. The frequency can vary, but one approach I have seen work is having things that are weekly, monthly and annually. You need the content to be meaningful and not just noise that individuals gloss over or ignore. Leadership needs to champion the importance of IT security to all levels of the organization—no one is above or exempt from learning. Many security incidents occur because people are moving too fast. This can range from someone reviewing or opening an email message to a system administrator forgetting to patch or make the needed security configurations when implementing changes into production. I use this saying: “You need to slow down to move fast.” I know that sounds crazy, but it’s really about making sure that we are all being observant and making thoughtful choices and decisions no matter what we are working on.

Some key processes an organization needs to have in place, which I consider bricks-and-mortar-type things, include ensuring all systems are being patched/updated, ensuring all systems have end-point protection that is being updated, ensuring backups are being completed and tested, and enabling Multifactor Authentication (MFA). A lot of these will be identified on your IT Security Scorecard mentioned previously. In my opinion, if you are not doing the basics, then you are setting yourself up for failure.

In healthcare, there is a lot of regulatory compliance, which does provide organizations the needed push to implement formal processes and procedures when it comes to protecting things such as PHI/PII. It’s important to find a healthy balance between regulatory requirements and operating efficiencies. Sometimes the more you over-engineer something, the more risks are introduced. Again, you need to educate individuals that just because you can do something doesn’t mean you should do something.

It is important as part of the process to create an environment that is more educational than punitive. There is a difference between someone making a mistake and being reckless. Yes, if there is a trend of poor judgment, it needs to be addressed. Building this type of culture encourages individuals to ask more questions around security/risk without fear of embarrassment or retribution.

There is no perfect or one-size-fits-all approach when building an IT security and awareness culture within your organization. The important thing to remember is it’s something that does require ongoing focus and dedication from everyone.

Morphisec-A Proactive Defense in Healthcare Cybersecurity https://www.healthtechmagazines.com/morphisec-a-proactive-defense-in-healthcare-cybersecurity/ Thu, 24 Mar 2022 13:23:38 +0000

‘Proactive breach prevention made easy’ is perhaps the best way to describe Morphisec, a world-renowned provider of advanced security solutions from endpoint to the cloud. For years Morphisec has offered the best protection for all sizes of businesses with any level of resources. The company uses defense to disrupt the status quo of healthcare cybersecurity, stopping the most advanced threats that bypass next generation antivirus (NGAV) and endpoint detection and response (EDR) solutions.

With an exclusive focus on breach prevention as ‘a layer in defense in-depth’, the firm advocates proactive practices to avert attacks that happen on the go. Morphisec’s CTO and Head of Threat Intelligence, Michael Gorelik, shares his insights on the security domain and ever-evolving threat landscape. Along with Morphisec’s research team, Gorelik believes in pushing the envelope to understand and navigate complex cybersecurity challenges.

“We’ve been swamped in the last few years as the pandemic and remote work have dramatically increased the risk of damaging attacks. Morphisec was the first to report the CCleaner supply chain attack, the first to discover the Jupyter infostealer as well as several rare fileless and evasive techniques used by the developers of Phobos ransomware,” he says. “We’ve kept our ears close to the ground when it comes to the evolution of ransomware.”

Morphisec’s suite of cloud-based endpoint and server security solutions leverage zero trust at runtime to automatically pinpoint and block modern attacks. Unlike traditional security solutions based on human intervention or behavioral technologies, Morphisec delivers operationally simple, proactive prevention to protect businesses worldwide from the most dangerous and sophisticated cyberattacks.

The company’s most notable customer success stories include Freeman Health System, a three-hospital network in Newton County, Missouri that struggled with endpoint security and wanted to fortify its security stack. Morphisec’s endpoint security solution met their needs by working in the backend and enabling their staff to focus on patient care without sweating about ransomware.

Citizens Medical Center offers another example. A 238-bed hospital in Victoria, Texas with over a thousand employees, it offers critical care to the city and seven surrounding counties. Citizens Medical Center was unable to secure their environment with operational resources using traditional endpoint security solutions. Their IT infrastructure was a legacy combo of Windows 10 with a virtual desktop infrastructure (VDI) from VMware Horizon. Accessing patient data via VDI was critical to the medical staff.

After a year’s research, their IT Director chose Morphisec and Microsoft Defender AV to secure their VDI and physical endpoints. He replaced their legacy antivirus with Microsoft Defender AV and applied the savings to Morphisec’s breach prevention solution to create a layer of protection against unknown memory attacks.

This IT Director realized Morphisec instantly neutralized a live attack and addressed it without requiring staff to respond to alerts. It was a Trickbot attack trying to deliver Ryuk ransomware. In fact, Morphisec not only blocked the attack, it gave Citizens Medical Center deep visibility into the attack chain. They could identify the attack and its origin, and received specific remediation advice that would be impossible for the client to do alone. This saved the hospital time and money, and ensured patients continued to receive the life-saving care they needed.

“We’re privy to the newest developments in the cybersecurity industry, including the newest techniques and tactics that cybercriminals are deploying in the field. When cybercriminals adapt, we adapt as well,” says Gorelik. 

Morphisec’s leadership and team are well-versed in the diverse aspects of the cybersecurity industry. They have fought and successfully prevented bad actors around the globe so that CIOs, CISOs and those in charge of security enjoy peaceful sleep.

Morphisec’s solution guards critical systems with a lightweight, easy-to-install agent that doesn’t require updates to keep infrastructure secure. Their solution is deployed across more than 8.5 million endpoints and averts up to 30,000 advanced attacks per day. This solution seamlessly fits and elevates the native security features of Windows and other antivirus and endpoint solutions to proactively prevent breaches and reduce management burden. 

Morphisec Guard, the flagship offering, uses Morphisec’s patented moving target defense technology (MTD) to protect against in-memory, zero-day, and other advanced persistent threats (APTs) that target static defenses. It augments legacy next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to counter these threats.

Guard is compatible with virtually any endpoint security product, and integrates with Microsoft Defender to enhance native security controls for Windows. This means businesses don’t have to pay extra for security that comes in the package.

“When we set out to develop Morphisec Guard,” explains Gorelik, “we had two important goals in mind. The first was to prevent the breaches that bypass businesses’ NGAV and EDR tools, and the second was to make sure no one has to pay for security features that the operating system already provides.” This full-stack endpoint solution offers scope beyond antivirus or EDR to bring transparency, control, and anti-tampering to Windows native security. Morphisec also offers a free, Lite version of Guard that brings enterprise-wide security control and visibility to Microsoft Defender Antivirus to help organizations bolster their endpoint defense strategies and lower costs.

Morphisec Keep, a server protection solution, secures your most critical server assets, whether they run on Windows, Linux, on-premises, cloud, or hybrid. It’s the only proactive, prevention-first zero trust security protection solution for servers and cloud workloads which prevents the execution of evasive advanced persistent threats that other technologies miss. “The product protects your organization’s servers and workloads from all exploit-based, memory injection attacks in your applications such as browsers and productivity tools,” says Gorelik. “What’s really important for healthcare organizations is that it does all this in a deterministic manner, without generating alerts to be analyzed, via a lightweight, easy to install 3MB agent that requires no administration.”

Additionally, Morphisec offers a vulnerability prioritization and visibility product called Morphisec Scout. It identifies application, operating system, and other vulnerabilities that can lead to security breaches. Morphisec’s incident response services help resource-constrained teams assess their overall security posture and identify, contain, and report on security incidents in progress while also verifying the presence of a breach. If ransomware attacks a server, it can feasibly cost a company thousands or even millions of dollars by locking up or exposing critical data. It can also put patient lives in danger, which we know is a real threat based upon the past few years. Morphisec’s engineered zero-trust, proactive cloud workload protection solution effectively protects Linux and Windows servers. These are usually the servers that hold the most critical assets and are susceptible to the most evasive and advanced attacks. Morphisec does this with zero performance impact and no false positive alerts.

Most importantly, these solutions ensure a better patient experience, and give healthcare professionals peace of mind that their patient and HIPAA regulated information is safe. “We give them that vital, dedicated memory defense layer that prevents attacks from gaining a foothold without slowing down operations,” concludes Gorelik. In addition, Morphisec is advancing anti-ransomware, mitigation, and deception capabilities in the coming months, so businesses of all sizes can stay protected against these advanced persistent threats.

Application Rationalization in Healthcare: A Marathon, Not A Sprint https://www.healthtechmagazines.com/application-rationalization-in-healthcare-a-marathon-not-a-sprint/ Tue, 28 Dec 2021 13:03:15 +0000

By Jeff Gautney, VP & CIO, Rush University System for Health

Application rationalization is a term thrown around often by those in IT – and its application in health care is paramount to supporting continued efforts to keep up in an increasingly digital world.

Why your organization must invest time in application rationalization

Health systems are challenged today more than ever to find talented IT resources to support increasingly complex environments. The proliferation of software solutions to address health care challenges has grown while the pool of available talent has continued to shrink. As these trends continue through the next decade, the organizations that can manage this complexity and optimize systems to support and integrate will be most successful. 

Application rationalization defined

Simply put, application rationalization is reviewing current applications in use and reducing duplicate and old applications that no longer serve the organization.

Application rationalization requires a detailed look at workflows, applications, staffing and budgets, in addition to cybersecurity risks.

It requires the organization to not just stop using an application, but to archive and provide access to the data from the application, manage licensing and legal issues and migrate possibly reluctant users to new platforms. It’s challenging, but worth it — effective application rationalization is the key to moving towards a less analog and more digital industry.

Why is application rationalization important?

There are four reasons why application rationalization in health care is important:

  • Resiliency: Complex environments are harder to manage. Simplifying their environment allows health systems to be agile and resilient.

  • Talent: Good talent in IT is hard to find, and finding enough people to support complicated environments is challenging. A simpler environment means fewer people are needed to support it.

  • Cost: It’s expensive to pay multiple vendors for many applications. When you have a simpler environment, you pay less.

  • Cybersecurity: Having more applications gives bad actors more opportunities to commit ransomware or spyware attacks.

Rush University System for Health is a medium-sized health care system that is prioritizing digital transformation. Being medium-sized means that we need to stay agile and smart about our investments to stay ahead of the curve and prioritize our digital transformation work.

Bigger hospital systems may have more freedom with what they can afford to cut or not cut, but cost-cutting is an ever-present topic in healthcare that is applicable no matter the size of your health system. Ensuring robust licensing, support, security and talent can drain resources for any health system, so it’s important to be smart and not absorb cost implications for multiple applications that do the same thing.

Application rationalization may sound like you can just hire a consulting firm and be done with it — but it’s actually very complicated and requires a massive communications and change management effort to accomplish. For every system, you need to know what the application is, how it’s used within your organization, what you’ll do with its data, how to migrate to the new application, how to retire the old one and the terms and timing of contractual commitments that you have with the old and target application vendors.

Once you decide what is going to change, you need to communicate to end-users and implement the new enterprise solution. Most importantly, you can’t forget to de-commission old applications. You’ll be hard-pressed to get the benefits of application rationalization if you don’t do this.

Different approaches to application rationalization

There are two complementary approaches to application rationalization timing: you can let business needs drive it or you can let the expiration of support agreements drive it.

Letting business needs drive it may mean buying out of some existing agreements, while letting the expiration of agreements drive it may be a smarter financial move, but it may take longer.

Application rationalization doesn’t always move at the pace you wish it would, but it’s important to be realistic about what’s possible. Letting agreements expire may seem like the “less sexy” option, but it’s often a better option than buying out of an agreement.  

It’s important to have a plan, understand your opportunities and not miss windows where you can evaluate an application and its usefulness. As a CIO, it would be inefficient for me to unconsciously approve an extension of a contract and push out the opportunity for rationalization even further.

How application rationalization connects to digital transformation

As we work towards a more digital world and push forward digital transformation agendas, being agile is important, and so is having a reliable foundation on which to build digital relationships.

Even more important is the need to not have siloed solutions. Siloed solutions within a health care system can increase costs and decrease innovation as it relates to digital transformation.

One example of digital transformation work at Rush is our efforts to have a centralized CRM. We have multiple departments with CRM solutions, but they’re not always as integrated as we’d like, and do not provide a common view of our customers. We have a unique strength as a teaching hospital in that we are able to connect with clinical staff at the beginning of their journey — but to help people through a digital journey, it’s vital to have a universal understanding of their preferences and their digital experience. Rationalizing a CRM is one way to help that work along.

In that respect, it’s easy to see how it benefits us to have a common system of which everyone has deeper expertise than multiple systems where knowledge is spread across multiple departments.

We still have an urgent need to be efficient and effective in the applications we choose. We can’t get complacent and lose opportunities to rationalize and improve. The demand in complex health care settings is changing, and we need to change with it.

Cyberattacks Against Healthcare Can Be Prevented https://www.healthtechmagazines.com/cyberattacks-against-healthcare-can-be-prevented/ Thu, 13 May 2021 13:50:16 +0000

By Alexander Grijalva, CISO, VillageCare

Healthcare’s cybersecurity problem is a half-century old affliction that began with the first step towards digitization.

When hospitals introduced computerized systems in the late 1960s and 1970s, they also unwillingly exposed themselves to cyber threats. To cyber criminals, healthcare organizations were “no [longer] viewed as…sacrosanct institutions of mercy” and consequently not immune to computer crime, wrote Robert A. Hershbarger in 1977.

Some of the hospital information systems developed in the 1970s (such as the Dutch BAZIS system) incorporated high availability and strict access control requirements in their designs. The need to safeguard hospital information system software and hardware components—including the patient data stored in system databases—against unauthorized access and use (and computer crime) was understood.

Of course, the IT operational environment of the 21st-century healthcare industry is significantly larger, more complex, and interconnected.

In the United States, the use of information technology is ubiquitous in a healthcare industry comprised of over 119,000 entities:

  • Hospitals—6,090
  • Long-term care facilities—65,000
  • Independent pharmacies—22,000
  • Urgent care centers—9,600
  • Hospice care—4,300
  • Freestanding emergency rooms—566
  • Medical device companies—6,500
  • Registered health insurance companies—5,600

This doesn’t include the numerous private practices, independent radiology centers, and state health information exchanges (HIEs).

If we incorporate the number of U.S. physician office visits (883 million in 2016) and emergency department visits (130 million in 2018) into the equation, the impact of a cyberattack can be much more considerable and frightening than anything imagined in the early years of healthcare’s digital transformation.

And while the attack surface of health IT has significantly grown, the weapons of choice have not really evolved. Malware and phishing emails remain the most popular and successful means of breaching healthcare organizations:

  • Patient zero of Anthem’s 2015 data breach was the employee of a subsidiary who opened a phishing email with malicious content.

  • The 2017 global WannaCry attack exploited Windows XP and Windows 2003 computers that were missing a critical Microsoft Windows security patch that had been released months before the attack. The attack crippled 70% of the U.K.’s National Health Service.

  • New York’s Wyckoff Heights Medical Center and St. Lawrence Health System, and Pennsylvania-based Universal Health Services, Inc. (with over 400 acute hospitals across the United States) suffered crippling ransomware attacks in 2020. Security firm Mandiant told NPR that such attacks typically start as “corporate communications containing Google Docs and PDFs with malicious links.”

In response to the affliction of cyberattacks, numerous public and private partnerships between healthcare organizations and with government agencies have developed. There has never been a more cooperative and educational environment in health IT security.

Additionally, sophisticated security tools and services have come to the marketplace. However, these solutions—for example, endpoint detection and response (EDR) systems, cloud access security brokers (CASBs), user behavior analytics (UBA)—are beyond the means of a multitude of healthcare organizations. And integrating them into existing security portfolios isn’t seamless.

However, responding to cybersecurity threats does not necessarily require sophisticated or expensive solutions. Some studies have shown that practical cyber hygiene practices can stop 95% of cyberattacks.

Organizations like the Healthcare and Public Health Sector Coordinating Council Joint Cyber Security Working Group and the DHS Cybersecurity and Infrastructure Security Agency have promoted cyber hygiene in the healthcare industry. Their recommendations include:

  • Using strong passwords.
  • Employing anti-virus.
  • Backing up critical data.
  • Ensuring computer operating systems are regularly patched.
  • Employee training and awareness.

Add to this mix multi-factor authentication, offered for free to Microsoft 365 and Google G Suite customers.

Nevertheless, much like healthcare clinicians’ struggle with hand hygiene compliance, the adoption of basic cyber hygiene is seemingly poor in the industry.

The Ponemon Institute’s sixth annual study, “Privacy & Security of Healthcare Data,” found that many healthcare organizations and business associates didn’t have the financial or human resources to address cybersecurity threats, even those considered preventable mistakes.

The study, however, also found that many of the study participants were “negligent in the handling of patient information.” 50% of the participants said they weren’t attentive to ensuring partners and third parties safeguarded patient information.

There is a considerable risk of non-compliance with even basic cyber hygiene. Successful and disruptive cyberattacks may increase clinicians’ reported stress levels when using health IT systems, leading to underutilization or even the cessation of further technology investments. There are already public reports of clinicians lacking confidence in electronic health record systems, because of design flaws that have allegedly led to patient deaths and other adverse health outcomes.

The public’s confidence in health IT systems is also at risk. Taxpayer-funded incentives to use technology to efficiently manage patient care, reduce medical errors, produce better health outcomes, and effectuate cost savings could be questioned if health IT systems are unreliable and easily disrupted by cyberattacks.

Despite continuing and significant challenges with health IT interoperability, healthcare services are coordinated (perhaps sometimes haphazardly) using a web of interconnected IT systems and devices that involve explicit and implicit data sharing agreements. And often the contractual and technical relationships and data flows between parties aren’t clear. Consequently, the risks and security gaps of one can be shared by all. Sometimes unknowingly.

The specter of cyber threats is clearly not neoteric. It has been the monster in the closet and under our beds for over 50 years.

Obviously, cyber criminals have never hesitated to attack healthcare institutions. They have not cared that crippling a hospital—including safety net hospitals that serve the uninsured and low-income communities—may risk lives. They have not cared that stealing and selling the records of a breast cancer research project and registry can adversely affect the lives of hundreds of thousands of women.

Cyber criminals are a malady that targets all the organs of the healthcare system. No organization is immune. And successful cyberattacks can have residual effects with no effective treatment. But the industry has acquired the knowledge—painfully and traumatically—that can protect all tiers of the healthcare system, albeit not 100%.

We know that 95% of cyberattacks can be prevented if healthcare organizations—no matter their size or role—implement and adhere to basic cyber hygiene practices.

And we know that it is important that clinicians and the public have faith in the reliability and availability of the systems used to provide and manage care.

More importantly, we know that lives are literally at risk if we all don’t do a better job of safeguarding health IT systems.
