Healthcare Security Archives | HealthTech Magazines
https://www.healthtechmagazines.com/category/healthcare-security/
Transforming Healthcare Through Technology Insights
Thu, 08 Aug 2024 14:04:07 +0000

Ransomware Preparedness for Healthcare: Enhancing Resilience Amid Growing Threats
https://www.healthtechmagazines.com/ransomware-preparedness-for-healthcare-enhancing-resilience-amid-growing-threats/
Fri, 13 Oct 2023 13:46:00 +0000


By Dilip Nath, AVP & Deputy CIO, SUNY Downstate Health Sciences University

Ransomware attacks have become a significant problem in the healthcare sector. These criminal operations have become a formidable foe that needs a concerted response from healthcare groups. The recent high-profile cyber-attacks on prominent healthcare institutions have highlighted the critical need to tighten cyber security in the healthcare business. Proactive efforts are required since ransomware attacks not only endanger patient data, but also considerably raise the risk to medical care.

Preparing for Ransomware Attacks

In view of the increasing threat of ransomware attacks, healthcare companies must take a proactive approach to preparation. Thorough risk assessments are a critical component of this planning. These evaluations provide the core of ransomware mitigation strategies. At this stage, organizations in the healthcare industry carefully identify system flaws and analyze the associated dangers. By accurately identifying potential vulnerabilities in their cyber security architecture, organizations can build a plan for delivering successful mitigation measures.

Developing a robust response strategy is also critical to ransomware preparedness. Such a strategy guides healthcare institutions like a compass through the turbulent waters of a ransomware attack. It provides precise, logical procedures to follow in the event of an attack. This action plan includes procedures for isolating contaminated systems, an efficient reporting method for law enforcement, and an effective patient and staff communication approach. It is impossible to overstate the importance of a well-organized response strategy, since it ensures a coordinated and effective response when time is of the essence.

Furthermore, the value of the human aspect in cyber security cannot be overemphasized. Employee training initiatives are a key priority for healthcare firms to equip their first line of defense. These courses provide healthcare personnel with the knowledge and skills to recognize specific ransomware threats. Employees are trained on how to identify phishing emails, which are regularly used as entry points for ransomware attacks, and how to report any suspicious behavior immediately.

Last but not least, proactive security deployment is critical for mitigating ransomware attacks. For this, reliable technologies like firewalls, antivirus software, and intrusion detection systems must be used. These layers of defense increase detection and mitigation, making it more difficult for hackers to infiltrate the system.

Responding to Ransomware Attacks

In the unfortunate event of a ransomware attack, a rapid and well-planned response is critical to reducing damage and regaining control.

Isolating Infected Systems

The first line of defense is to isolate vulnerable systems as quickly as possible. This precaution is required to prevent ransomware from spreading throughout the network. By isolating the susceptible systems, healthcare institutions can limit the attack’s reach and prevent further data compromise. Isolation is the first step in regaining control of the situation.

Collaborating with Law Enforcement

Cooperation with law enforcement is critical when responding to ransomware attacks. Their knowledge and resources aid in investigating, mitigating, and monitoring cyber criminals, which helps the overall response and the pursuit of justice while also avoiding new attacks.

Effective Communication with Stakeholders

Managing the aftermath of a ransomware attack necessitates open communication and fast information sharing. Personnel and patients must be informed about the incident’s impact on data security and medical services as soon as possible. Maintaining confidence, managing expectations, and ensuring a coordinated response contribute to a lower overall effect.

Data Restoration from Backups

Reliable data backup and recovery are critical for mitigating the effects of ransomware. They enable data restoration in order to sustain care and minimize long-term impacts. Updated backups serve as a safety net, allowing for recovery without giving in to hackers’ demands and, eventually, resuming normal corporate operations.

Balancing Innovation and Security

While technologies such as generative AI and data modernization have immense potential, it is critical that cyber security is not jeopardized in the process. Given the rapid speed of technological advancement, the healthcare business cannot afford to remain complacent regarding security. Finding this balance is critical because it allows healthcare organizations to adopt developing technology while also ensuring the availability, confidentiality, and integrity of critical data and services.

In this day and age, healthcare must emphasize effective cyber security. This necessitates the deployment of cutting-edge technology, thorough risk analysis, and stringent standards. Leveraging innovation without accepting unnecessary risks is made feasible by improving cyber security while embracing technology. This harmony preserves patient information, maintains trust, and ensures the continuance of healthcare services.


Strategies for Ransomware Preparedness

A comprehensive strategy for ransomware preparation includes several critical tactics:

  • Rigorous Risk Assessment: Identifying vulnerabilities and threats via rigorous assessments is the cornerstone of resilience.
  • Effective Response Planning: Prepares for every ransomware event. Regular response strategies should be developed and maintained.
  • Employee Education: Ongoing training programs enable employees to proactively spot and resolve hazards.
  • Robust Security Infrastructure: Investing in cutting-edge security practices and technology builds strong protection against cyber threats.
  • Patient-Centric Approach: Maintaining patient trust and resolving patient concerns about data security are crucial in the healthcare sector.
  • Continuous Improvement: Continuous improvement is made feasible by frequently reviewing protection, detection, reaction, and recovery capacities.

Healthcare facilities are becoming vulnerable to ransomware attacks, a major problem that must be addressed immediately. Proactive actions must be taken to build defenses against these dangers in order to protect patient care and the general public’s health. By conducting thorough risk assessments, developing specific response plans, educating employees, implementing advanced security measures, addressing patient concerns, and embracing technology while fortifying cyber security, healthcare organizations can successfully prepare for and respond to ransomware threats. These strategies are critical to ensuring that the healthcare business remains a reliable guardian of patients’ well-being in the face of evolving cyber threats.

Thoughts on Cyber Intelligence and Blockchain
https://www.healthtechmagazines.com/thoughts-on-cyber-intelligence-and-blockchain/
Thu, 26 May 2022 15:08:34 +0000


By Rishi Tripathi, Chief Information Security Officer, Mount Sinai Health System

Cyberattacks occur worldwide almost every day, yet it is challenging to learn the type and target of an attack in real time. A vast amount of cyber intelligence goes untapped; even if it could benefit everyone, companies do not want to share sensitive information broadly. By doing so, they may expose themselves to legal or regulatory scrutiny.

Companies would certainly see the need for and benefit of sharing real-time cyber intelligence if there were a way to share more information without revealing too much. Perhaps we should look at creating a Blockchain-based cyber intelligence platform in conjunction with:

  1. Zero-knowledge proof that separates data verification from the data itself. One party (the prover) can prove to another party (the verifier) the possession or existence of some information without revealing all the detailed information.

  2. Multi-party computation on data sets can reveal how many companies have been impacted by a similar attack without revealing the companies’ details. This method can allow multiple parties to make calculations using their combined data without revealing their input.

  3. Homomorphic encryption allows users to perform computations on encrypted data without first decrypting it; it protects the data while letting users run queries on it to gain insights.

This method may enable, privately and safely, shared real-time attack metrics, which analytics can use to uncover trends in the attack’s location, type and sophistication. I would encourage further financial and technical studies of this method to ensure its effectiveness and efficiency. More people must collaborate to address this challenge.
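The multi-party computation idea in item 2, as an added example that is not part of the original article: additive secret sharing lets a group of companies learn how many of them saw a given attack while no company reveals its own answer. The party names, the modulus and the function names are assumptions made for illustration, and the parties are simulated in one process and assumed to follow the protocol without colluding.

```python
import secrets

# Public modulus for the shares (assumption: any prime larger than the
# number of participants works; 2**61 - 1 is a convenient Mersenne prime).
MODULUS = 2**61 - 1


def split_into_shares(value, n_parties):
    """Split value into n additive shares that sum to it modulo MODULUS.

    Any n-1 of the shares are uniformly random, so they reveal nothing
    about value on their own.
    """
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    last = (value - sum(shares)) % MODULUS
    return shares + [last]


def secure_count(private_bits):
    """Count how many parties hold a 1 without exposing any single input.

    private_bits maps party name -> 0 or 1 ("did we see this attack?").
    Round 1: every party splits its bit and sends share j to party j.
    Round 2: every party publishes only the sum of the shares it received.
    The published partial sums add up to the total count.
    """
    parties = sorted(private_bits)
    n = len(parties)
    if n < 3:
        # With two parties, the total minus your own bit is the other's bit.
        raise ValueError("need at least 3 parties for the count to hide inputs")
    for name, bit in private_bits.items():
        # In a real deployment each party checks its own input locally.
        if bit not in (0, 1):
            raise ValueError(f"{name}: input must be 0 or 1")

    # inbox[p] collects the shares addressed to party p.
    inbox = {p: [] for p in parties}
    for sender in parties:
        shares = split_into_shares(private_bits[sender], n)
        for receiver, share in zip(parties, shares):
            inbox[receiver].append(share)

    # Each party publishes one number: the sum of what it received.
    partial_sums = {p: sum(inbox[p]) % MODULUS for p in parties}
    total = sum(partial_sums.values()) % MODULUS
    return total, partial_sums


if __name__ == "__main__":
    # Constructed sample: which (fictional) hospitals saw the same phishing lure.
    observations = {"hospital_a": 1, "hospital_b": 0,
                    "hospital_c": 1, "hospital_d": 1}
    count, published = secure_count(observations)
    print("parties that saw the attack:", count)
    print("values each party published:", published)
```

The total itself still leaks information in the extreme cases: if the count equals zero or the number of parties, every input is known.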

Companies worldwide may be able to share real-time data about cyberattacks, while using a key to protect details. Sharing the keys can also become a path to commercialization, where attack details are transmitted via smart contracts with agreed-upon customers, government agencies, and regulators. 

Currently, no major player is utilizing Blockchain to share intelligence and trends around cyberattacks. They still use legacy, information sharing methods—often outdated or inaccurate—utilizing data exchange or Application Programming Interface (API). 

The establishment of this type of Blockchain could directly connect to a company’s cybersecurity defense infrastructure that can ingest relevant pieces of information flowing through the Blockchain, protecting the company from new types of cyberattacks.

In cybersecurity, once you’re able to gather verifiable, accurate information about cyberattacks, it becomes extremely valuable to ingest that information into existing technologies deployed to protect the company. 

This method may crowdsource cyberattack defenses. Attacks seen in one part of the world on an individual computer could be transmitted almost in real time using Blockchain. This global communication could allow defensive measures to be set up in near real time. Global sharing can thwart the creation of new hacking groups, as their initial attacks will not succeed, and they will require more time to grow.

Exciting trends and new technologies are emerging to help address cybersecurity challenges, Blockchain being one of them. Several use cases come to my mind involving Blockchain and cybersecurity. For example, the above approach can also be utilized to safely share data with the third parties a company does business with; other combinations of Blockchain and Cryptography may provide unique use cases in cybersecurity.

The best solution may vary by person and organization. Instead, I encourage provoking conversation that, perhaps, inspires others to develop leading-edge solutions to solve cybersecurity issues that were once difficult and challenging years ago—well before the technological and innovative advances we are able to leverage today.

Nearly Free Cybersecurity Improvements
https://www.healthtechmagazines.com/nearly-free-cybersecurity-improvements/
Mon, 16 May 2022 14:03:06 +0000


By Steve Leblond, VP of IS Operations – COO – IS Division, Ochsner Health

Improving an organization’s cybersecurity posture often involves an investment of significant time and dollars. Whether it be a new tool to scan for threats or an off-network backup solution, the capital and operational expenditures often leave organizations struggling to invest in a comprehensive protection portfolio. So, while you are saving up for that next revolutionary cyber tool, here are five “nearly” free things your organization can do to better protect your technology and data assets.

The first thing you should do is move to at least 10-character passwords with complexity (12 would be even better). There are many charts that show how long it takes to crack eight-character passwords with complexity; the consensus is about eight hours. With more computing power becoming available regularly, that shortens every day. My experience with a hacking team I once hired proved the time to decipher an eight-character password from one of our users was 55 seconds. By comparison, a 10-character complex password currently takes four to five years to crack. More characters add exponential time to brute force cracking attempts. Remember, given enough time, all passwords can be brute forced. Your goal is to make that time impractical for your adversary. And eight-character passwords are so 2004. We are all going to end up with longer passwords eventually, so what are you waiting for?


Secondly, patch your systems. One of the largest components of every organization’s cybersecurity risk is unpatched systems. Research has shown that 60 percent of cybersecurity breaches involve a vulnerability for which a patch is available but not applied. Think about that for a moment—you have the solution in your hand, you just haven’t used it yet. The primary reason that patches don’t get installed in organizations is that the IS team needs to stop an application that your operational employees use to apply the fix, thereby disrupting operations. Creating a patch window for your IS team and telling your operations that there will be downtimes during that window can significantly increase your cyber posture. That window can be after hours if needed. Believe it or not, almost every IS professional will work off hours to do this as they know it is important work and they want to protect their organization. They just need the support and permission to do so.

Third, host an all-employee cybersecurity awareness webinar. It doesn’t have to be lengthy; 30 minutes will do. Employees need to know that they are the front line to protecting the organization. You can no longer think it won’t happen to you. In fact, you should be thinking it will happen to you (because it will). And most likely, it will be one of your employees that enabled it, whether through susceptibility to a phishing email or social engineering. You need employees to refrain from clicking any links from external emails. Also, they should not re-use passwords. Their work password should be distinct from any other password they use in their lives. Next, they should never give their password to anyone, even to their own IS personnel (we don’t need their passwords, ours work for what we need to do). Lastly, if they fall victim, they need to know they should notify their IS and Cybersecurity personnel. After your employees’ cybersecurity webinar, ensure your new employee onboarding process covers the same information. A knowledgeable workforce is an excellent prevention against cyberattacks.

Fourth, reduce your administrative accounts and privileged access. Both local and domain accounts allow users to install software. Some organizations allow all their employees to have these privileges, which is a very precarious position. In that instance, any one of your employees clicking a malicious link will allow ransomware to easily install on your environment. A properly controlled organization will have less than two percent of its employees with these accounts, primarily a subset of your IS personnel. Employees should work with those IS professionals when they need to install software; the extra step to accomplish that software install protects your organization. Also, your IS personnel should know what every one of those local and domain accounts is for and review them frequently to ensure no one creates an unknown malicious account and uses it against you. If they cannot explain every one of them, you are at risk.
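One way to run the account review described above, as an added example that is not part of the original article: compare an export of privileged group membership against the inventory IS keeps, and flag accounts nobody can explain. The CSV layouts, account names, headcount and the 90-day review interval are assumptions; the two percent ceiling is the figure given in the text, applied here to accounts per employee as an approximation.

```python
import csv
import io
from datetime import date

# Constructed sample: export of privileged group membership (in practice
# produced by your directory or endpoint management tooling).
MEMBERSHIP_CSV = """account,scope,group
jsmith-adm,domain,Domain Admins
svc-backup,domain,Domain Admins
helpdesk1,local,Administrators
tmp-admin2,local,Administrators
mlee-adm,domain,Server Operators
"""

# Constructed sample: the inventory IS maintains for every privileged account.
INVENTORY_CSV = """account,owner,purpose,last_reviewed
jsmith-adm,J. Smith,Domain administration,2024-05-02
svc-backup,Backup team,Nightly backup service,2023-01-15
helpdesk1,Help desk,,2024-04-20
mlee-adm,M. Lee,Server patching,2024-06-01
"""


def _rows(text):
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_privileged_accounts(membership_csv, inventory_csv, headcount, today,
                              max_review_age_days=90, max_ratio=0.02):
    """Flag privileged accounts that IS cannot fully account for.

    unknown      - privileged accounts missing from the inventory
    no_purpose   - inventoried accounts with no documented purpose
    stale_review - accounts whose last review is older than the interval
    over_ratio   - True when privileged accounts reach max_ratio of headcount
    """
    members = {row["account"] for row in _rows(membership_csv)}
    inventory = {row["account"]: row for row in _rows(inventory_csv)}

    unknown = sorted(members - set(inventory))
    no_purpose, stale_review = [], []
    for account in sorted(members & set(inventory)):
        entry = inventory[account]
        if not entry["purpose"].strip():
            no_purpose.append(account)
        age_days = (today - date.fromisoformat(entry["last_reviewed"])).days
        if age_days > max_review_age_days:
            stale_review.append(account)

    ratio = len(members) / headcount
    return {
        "unknown": unknown,
        "no_purpose": no_purpose,
        "stale_review": stale_review,
        "ratio": ratio,
        "over_ratio": ratio >= max_ratio,
    }


if __name__ == "__main__":
    report = audit_privileged_accounts(MEMBERSHIP_CSV, INVENTORY_CSV,
                                       headcount=200, today=date(2024, 6, 30))
    for finding, value in report.items():
        print(f"{finding}: {value}")
```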

Fifth, ensure your Employee Discipline and IS policies reference each other. Your employees need to know that repeated breaches of your IS policies will result in formal discipline. If we harken back a bit, we can all understand that an employee who consistently leaves an unlocked cash box on top of a desk after being told not to would eventually have their responsibilities changed or be disciplined. However, we tend to think that those that repeatedly click phishing emails or install malicious software on company computers are just victims of circumstance. In this day and age, the latter creates far more risk to your organization than the former. And while I know disciplining employees for repeated, undesired behavior is never something we look forward to, sometimes you need to either reassign the employee or let them be successful at something else. Lack of addressing repeated poor cybersecurity behavior accepts a great deal of enterprise risk.

So, while clinking coins into your piggy bank for your next big leap forward in cybersecurity, remember these five “nearly” free cybersecurity improvements that you and your team can do to minimize the likelihood that you are the next victim. We all like flashy new tools, but good cybersecurity posture is often the result of good IS practices and good employee behavior.

The Need for Enhancing Cybersecurity Awareness Training Programs in Healthcare
https://www.healthtechmagazines.com/the-need-for-enhancing-cybersecurity-awareness-training-programs-in-healthcare/
Thu, 12 May 2022 13:52:26 +0000


By Dr. Mauricio Angée, CISO, University of Miami Health System

Healthcare organizations have been experiencing an uptick in the number of security breaches since the start of the COVID-19 pandemic. While pre-pandemic cybersecurity was mainly focused on fortifying the network perimeter defenses, the pandemic required Information Technology (IT) and cybersecurity teams to quickly adapt to the new normal, the remote workforce. Healthcare workers are also required to adapt, driving the need for them to rely more on technology, such as telehealth, to provide patient care aiming to offer the same level of service. There is no doubt that the velocity at which healthcare organizations needed to provide solutions to the remote workforce was unprecedented. IT teams were front and center as business enablers in providing remote workers access to corporate networks expeditiously, while ensuring the security and availability of patient support systems in accordance with security policies.

The healthcare industry continues its transformation and innovation journey to provide high-quality patient-focused care and also to provide more efficient, faster and cost-effective healthcare services. However, new technologies cannot be deployed without considering the potential unknown cyber risks introduced to an organization. Some of the most recent security breaches in healthcare have been the result of targeted phishing email campaigns, which resulted in breaches of security exposing millions of patient records, and even opening the door for successful ransomware attacks. In 2017, HHS entered into a resolution agreement with a covered entity due to a violation of policy for the proper destruction of protected health information (PHI) records. In 2019, OCR launched an investigation against a GA ambulance company, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR discovered a failure to implement HIPAA Security Rule policies and procedures, and a lack of security awareness training programs. The HIPAA Security Rule’s Sanction Policy, 164.308(a)(1)(ii)(C), requires covered entities to apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.


The Challenges

Employees’ actions are often viewed as being a greater security risk in an organization. Recent security industry threat reports have concluded that one factor which has contributed to cybercriminals being able to penetrate corporate networks, which resulted in security breaches, was employees not following corporate security policies. Although the implementation of a security policy may improve the overall security posture of an organization, policies may not be effective if employees fail to comply. While I can agree with the fact that behavior adjustment is an essential part of any cybersecurity program, many technologies using AI are being developed to identify users’ misbehavior and take action to detect, protect and prevent security incidents. Security misbehavior can be broadly defined as the set of user actions that violate security policies and lead to unauthorized access, security data breaches, or ransomware attacks. For over a decade, practitioners and researchers alike have emphasized the need to evaluate computer users’ security behaviors to develop and implement more secure information systems to mitigate risks. This problem has been looked at from many angles, including user awareness of security policies, security education, training, and awareness programs, computer monitoring, behavior intentions, users’ accountability, felt-responsibility, attitudes towards compliance with security policies, etc.; however, the problem still exists. A recent report found that healthcare workers are lacking cybersecurity training. Many healthcare workers don’t know or don’t understand the organization’s security policies, or they feel that cybersecurity policies may hinder their ability to provide patient care. This is a problem that poses a great risk to organizations, patient care, and patient safety.
Some organizations have invested in cybersecurity awareness solutions based on Phishing simulation campaigns, that help employees recognize dangerous phishing emails, aiming to educate and change users’ behaviors. The question is: are these solutions really working? Are we overloading our healthcare workers with training requirements that may not represent the real world?

The Balance

Security is a delicate balance between the risks and the security controls. If the controls are too lax, the risk is high. On the other hand, if the controls are too stringent, the risk is low, but this may lead users to circumvent security controls and put organizations at high risk. There will always be tension between security controls and computer users (“users”). While security is important to ensure the protection of information and maintain a patient safety environment, users often perceive security controls to be an impediment, which often leads to violation of the organization’s security policies, putting the organization at risk of potential security breaches. Some security researchers and IT professionals argue that cybersecurity is purely a technology issue. Others argue that cybersecurity management is a multifaceted domain that should be approached from many different directions, including technology strategy and human behavior.

Best Practices

The HIPAA Security Rule (Section 164.308 (a)(5)(i)) requires a covered entity or business associate to implement a security awareness and training program for all members of its workforce (including management). One size doesn’t fit all! Thus, cybersecurity awareness programs must be carefully planned with an understanding of the audience, and must be role-appropriate, so that individuals are cognizant of the consequences of their actions and of how easily one click on an inappropriate link can compromise an entire network, which may ultimately lead to the compromise of patient records or, even worse, open their organizations to ransomware attacks. In addition, healthcare organizations must develop and implement targeted/tailored security awareness training programs that promote responsibility and accountability and that help employees adjust their attitudes towards cybersecurity policy compliance. After all, “security is everyone’s responsibility.”

Defense in Depth – A Strategy for Today
https://www.healthtechmagazines.com/defense-in-depth-a-strategy-for-today/
Tue, 10 May 2022 14:11:36 +0000


By Derek Sliger, Sr. Director Information Security, Children’s Health

Defense-in-Depth, a concept to employ technical security controls in a layered manner throughout an information system’s deployment, is not a new concept. The goal is simple. If a vulnerability is exploited, minimize the damage that may result. Many years ago, a traditional architecture was comprised of an internal network, a perimeter firewall with a demilitarized zone (DMZ) with an Internet connection. Today’s architecture includes on-prem, cloud, and 3rd party locations.

In today’s world, we have to incorporate non-technical components, such as Cyber Security Awareness and Training, into a complete defense-in-depth solution. What are the fundamentals? Every company has different architectural implementations. That said, there are principal architectures, technologies, and non-technical aspects that can be employed within a complete defense-in-depth environment.


Email Security

For many years, delivery of malicious payloads via email has been at the top of every Information Security professional’s most feared “what keeps me awake at night?” list. Knowing that email is the number one method of exploitation, the primary concentration to combat bad actors is to stop that at the front door. It is very important to implement an email protection program that detects and stops SPAM; quarantines or deletes detected malicious content in file attachments or hyperlinks; employs isolation services for hyperlinks in emails, and includes security awareness training. One of the most effective methods of protection related to email is awareness training for your employees. Implement white-hat phishing within your organization. 

Secure Architecture

At the root of secure architecture is the principle of least access. Only allow systems to communicate on what is necessary for operations. No matter where you are in the maturity of this principle, you must have a plan in place to achieve systems only communicating on the ports and protocols that are necessary. Today’s computing environments have many facets (internal network, DMZ, cloud, virtual environments, etc.), therefore the solution is very dynamic.

Many of the top vendors on the infrastructure and virtual sides offer micro-segmentation capabilities. Micro-segmentation must also be combined with other network access controls. From a priority perspective, start with your primary networking infrastructure; industrial controllers; shared application services such as email, DNS, NTP, etc.; systems providing public services; and then critical business applications. This will be a learning experience, and at times you may even have to back out configurations as you determine there were other necessary communications that you were not aware of. Incrementally, step by step, start provisioning micro-segmentation and access controls within your company to limit all lateral movement to only what is necessary.
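One way to find those unknown necessary communications before enforcing a policy, as an added example that is not part of the original article: replay observed flow records against the proposed allow-list and report what would be blocked. The segment names, CIDR ranges, rules and flow records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: segment definitions (names and ranges are assumptions).
SEGMENTS = {
    "workstations": "10.10.0.0/16",
    "app_servers": "10.20.0.0/24",
    "db_servers": "10.20.1.0/24",
    "shared_services": "10.30.0.0/24",  # email, DNS, NTP
}

# Proposed allow-list: (source segment, destination segment, protocol, port).
ALLOW_RULES = {
    ("workstations", "app_servers", "tcp", 443),
    ("app_servers", "db_servers", "tcp", 5432),
    ("workstations", "shared_services", "udp", 53),
    ("app_servers", "shared_services", "udp", 53),
    ("workstations", "shared_services", "udp", 123),
}

# Constructed sample flow records: (src_ip, dst_ip, protocol, dst_port).
OBSERVED_FLOWS = [
    ("10.10.4.17", "10.20.0.5", "tcp", 443),
    ("10.20.0.5", "10.20.1.9", "tcp", 5432),
    ("10.10.4.17", "10.30.0.2", "udp", 53),
    ("10.20.0.5", "10.30.0.3", "udp", 123),    # app server NTP: no rule yet
    ("10.20.0.5", "10.30.0.3", "udp", 123),
    ("10.10.9.80", "10.20.1.9", "tcp", 5432),  # workstation straight to database
    ("10.10.4.17", "10.10.9.80", "tcp", 445),  # workstation to workstation
    ("192.168.7.7", "10.20.0.5", "tcp", 22),   # source outside every segment
]


def segment_of(ip, segments):
    """Return the name of the segment containing ip, or 'unmapped'."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in segments.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unmapped"


def dry_run(flows, segments, allow_rules):
    """Evaluate observed flows against the allow-list without enforcing it.

    Returns a Counter keyed by (src_segment, dst_segment, protocol, port)
    for every flow the policy would block, so each entry can be reviewed
    as either a missing rule or lateral movement that should stay blocked.
    """
    would_block = Counter()
    for src_ip, dst_ip, proto, port in flows:
        key = (segment_of(src_ip, segments),
               segment_of(dst_ip, segments), proto, port)
        if key not in allow_rules:
            would_block[key] += 1
    return would_block


if __name__ == "__main__":
    for (src, dst, proto, port), hits in dry_run(
            OBSERVED_FLOWS, SEGMENTS, ALLOW_RULES).most_common():
        print(f"{hits:3d}  {src} -> {dst}  {proto}/{port}")
```

In this sample the repeated NTP flow from the application server is a likely missing rule, while the workstation-to-workstation and workstation-to-database flows are the lateral movement the policy is meant to stop.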

Vulnerability Management

Another fundamental in-depth protection is to keep your systems up-to-date with operating system and application security patches. Work with your business and application owners to establish formal maintenance/downtime schedules. Keeping systems patched is a mandatory piece of a defense-in-depth program. Establishing known maintenance schedules builds assurance across the organization that we do have the ability to bring systems down. Place priority from a patching perspective in this order: public infrastructure, systems providing public services (content, application, and database), internal infrastructure, critical applications, and then secondary applications. For all systems that are publicly accessible or providing public services, remediate all vulnerabilities with priority on exploitable vulnerabilities. For internal systems, concentrate on exploitable vulnerabilities by risk.

Endpoint Security

In the past, anti-virus protection was based on known signatures. Today that is still necessary, but it is only a part of the overall endpoint security solution. As part of a defense-in-depth deployment, the fundamental components of an endpoint protection program today are the following. The endpoint solution still includes protection against common known vulnerabilities. In addition, capability includes protection against both application and browser-based exploits. Endpoint tools today detect user behavior; this is referred to as User Based Analytics (UBA). UBA consists of monitoring a user’s behavior, establishing a baseline, and, when something happens outside that baseline, either stopping that behavior or alerting on it. Endpoint tools should also have the ability to import threat intelligence for known indicators of compromise (IOCs), and when detected have the ability to stop or alert on that detection. Endpoint controls should include host-based intrusion detection/prevention. Needless to say, the endpoints are where the average user is computing, where they are reading emails with files and hyperlinks, surfing the Internet, downloading files, etc. Therefore, implementing very dynamic endpoint controls is an absolute necessity.

Cyber Security Awareness and Training

Though this is not an architectural or direct security control, it is as important as either of these. All companies must train their employees on the behavior expected of them when handling company electronic information. This includes formal training on email protection; being aware of who the senders of emails are; not opening files or links from senders they do not know or were not expecting; how to use isolation services; and how to report suspicious emails. Employees need to be trained on the approved company data stores, how to use them, and to use only approved data stores. A comprehensive program will include white-hat phishing testing, and additional training for those that fail phishing testing. Employees that routinely fail phishing testing should be assigned mandatory training and/or disciplinary actions.

In conclusion

Defense-in-depth incorporates three primary areas: architecture, technical controls, and non-technical processes. This article provides the fundamental principles, components, and some very quick areas to address. Information Security today is dynamic and will change tomorrow. Establish a security plan and adapt as new challenges arise. It is better to have a strategic goal and begin implementing items as you can. With slow wins, over time, you incrementally accomplish your goal.

The Challenge of Securing That Which Is Invisible

https://www.healthtechmagazines.com/the-challenge-of-securing-that-which-is-invisible/ | Thu, 21 Apr 2022 12:51:40 +0000

The post The Challenge of Securing That Which Is Invisible appeared first on HealthTech Magazines.

By Tomislav Mustac, Senior Director Cybersecurity, Mount Sinai Health System

Not that long ago, the cyber threat landscape of most health delivery organizations (HDOs) was much simpler than it is today. The general consensus on cybersecurity was that it was an IT issue and the core focus of our Biomedical Engineers was to keep our devices maintained and properly operating to the manufacturer’s specifications. However, there was a distinct organizational separation between the Biomedical team and the IT departments. There was a distinct view of what we refer to as “traditional IT devices” and biomedical devices. The interaction between our IT and Biomedical Departments was very siloed and transactional. Our IT security departments dealt with defending “computing assets” identified as IP addresses and VLANs from viruses and ransomware without much concern for what the devices were, with policies that were pretty promiscuous. In today’s rapidly evolving world, EVERYTHING is redefined. For the leadership of HDOs, these new challenges were enough to shake their foundations and keep them from a restful slumber.

We have learned, and many are still learning, that we must look at everything differently and challenge everything. It is incredible what you find when you shine the light on the darkest corners of your enterprise. Healthcare organizations are among the most complex operating environments in the world. Depending on the specialties at the organization, our technologists are learning that our organizations are among the most diverse on the planet from a technology mix perspective. As you gain visibility, you will find that you have gaming systems (Nintendos, PlayStations, Xboxes, etc.) and interactive exercise equipment (Peloton, NordicTrack, etc.). Further, our organizations were forced to find innovative approaches to operational efficiency in all areas. We adopted new approaches to physical security with broad networks of IP cameras and NVRs, card access systems, and a barrage of networked environmental sensors for occupancy, air, and water quality, etc. This is on top of the existing security systems, elevator/escalator controllers, HVAC, and plant equipment controllers.

Over the past couple of years, the exponential growth in cyberattacks has brought to light the fact that the number of unmanaged, nontraditional IT devices in most organizations dwarfs the number of managed devices by far. Additionally, the majority of these unmanaged IoT devices cannot host traditional IT controls such as virus scanners and vulnerability management agents. These combined facts should be enough for IT leadership to never sleep again. This newly found awareness has ushered in a lot of attention from cyber security companies driven by a sincere desire to protect the technology that is used by our organizations to save and improve lives every day. These new, rapidly evolving tools brought to the table new capabilities to identify and classify every device connected to our networks, whether it’s managed or not. These tools additionally evolved the capability to ingest MDS2 documents and vulnerability disclosure documents that can rapidly parse your equipment inventory and determine where your risks lie and where you should focus your attention.

While these new tools bring so much capability and greatly accelerate the time to remediate vulnerabilities, they are not without challenges. Like every new technology, there are challenges in adopting new tools and techniques. To properly address cyber risk, particularly with medical devices, you need to engage new stakeholders that IT security has not had to deal with in the past. One of the most important stakeholders is the device manufacturers. For the most part, device manufacturers continue to sit out of the cyber defense conversation and will not engage security teams beyond providing boilerplate responses and service documentation. However, a couple of key players have rolled up their sleeves and are actively participating in the conversation.

Another key stakeholder is the IT Security Department. Traditionally the extent of the IT department’s engagement was to provide a connection for the device and then allow the biomedical team and the device manufacturer to complete the configuration and set up of the device. This is no longer an acceptable approach to ensure the proper defense and management of our connected medical devices. Today the IT Security and Biomedical departments need to work hand in hand to ensure the cradle to grave management of the cyber posture of our connected medical devices. The IT department needs to be a gatekeeper that ensures that we adopt a whitelist approach where only the required IPs, domains, ports and protocols are enabled for devices. This can be a difficult task without deploying one of the new technologies for identifying the devices on your network such as Medigate, Ordr, Armis or the like. Unfortunately, traditional IT network management tools do not provide insight into what the device actually is and what it is doing on your network. You will also find that these tools will identify many new device types residing on your networks that your teams had no idea were there.
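The whitelist approach described above (only the required IPs, domains, ports and protocols per device) can be checked against observed traffic. The Python sketch below is an added example, not code from the article or from any of the named products: the device names, profiles, addresses and flows are constructed, and it assumes the destination domain has already been correlated from DNS logs. Devices with no profile at all are reported too, since those are the ones nobody knew were on the network.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str
    dst_ip: str
    dst_port: int
    protocol: str
    dst_domain: str = ""   # assumption: filled in from DNS logs when known


@dataclass
class Profile:
    networks: list   # allowed destination networks
    domains: set     # allowed destination domains (subdomains included)
    services: set    # allowed (protocol, port) pairs


def make_profile(cidrs, domains, services):
    return Profile(
        networks=[ipaddress.ip_network(c) for c in cidrs],
        domains={d.lower().rstrip(".") for d in domains},
        services={(proto.lower(), port) for proto, port in services},
    )


def domain_allowed(name, allowed):
    """Exact match or true subdomain; a bare suffix match is not enough."""
    name = name.lower().rstrip(".")
    if not name:
        return False
    return any(name == d or name.endswith("." + d) for d in allowed)


def check_flow(flow, profiles):
    """Return the reasons a flow violates its device profile ([] = allowed)."""
    profile = profiles.get(flow.device)
    if profile is None:
        return ["unprofiled device"]
    reasons = []
    ip = ipaddress.ip_address(flow.dst_ip)
    ip_ok = any(ip in net for net in profile.networks)
    if not (ip_ok or domain_allowed(flow.dst_domain, profile.domains)):
        reasons.append("destination not allowlisted")
    if (flow.protocol.lower(), flow.dst_port) not in profile.services:
        reasons.append("service not allowlisted")
    return reasons


def audit(flows, profiles):
    """Return (flow, reasons) for every flow that is not fully allowed."""
    findings = []
    for flow in flows:
        reasons = check_flow(flow, profiles)
        if reasons:
            findings.append((flow, reasons))
    return findings


# Constructed profiles and flows; addresses use private and documentation ranges.
SAMPLE_PROFILES = {
    "infusion-pump-12": make_profile(["10.20.30.5/32"], [], [("tcp", 443)]),
    "pacs-viewer-03": make_profile(
        ["10.20.40.0/28"], ["updates.vendor.example"],
        [("tcp", 104), ("tcp", 443)],   # 104 is the registered DICOM port
    ),
}

SAMPLE_FLOWS = [
    Flow("infusion-pump-12", "10.20.30.5", 443, "tcp"),
    Flow("infusion-pump-12", "203.0.113.9", 445, "tcp"),
    Flow("pacs-viewer-03", "198.51.100.7", 443, "tcp",
         "cdn.updates.vendor.example"),
    Flow("pacs-viewer-03", "10.20.40.3", 3389, "tcp"),
    Flow("unknown-cam-77", "192.0.2.50", 53, "udp"),
]

if __name__ == "__main__":
    for flow, reasons in audit(SAMPLE_FLOWS, SAMPLE_PROFILES):
        print(f"{flow.device} -> {flow.dst_ip}:{flow.dst_port}/{flow.protocol}: "
              + ", ".join(reasons))
```
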

One of the key challenges of introducing these new approaches and tools to managing your landscape is the resistance to change. The tools and techniques that our network defenders use are well established and they have progressively evolved to where they are today. The positive is that these teams share your frustration with the limitations and challenges that we all face with this diverse technological landscape. Another key challenge that most organizations face is that these technologies require significant financial investment and they need champions to usher them through the adoption phase. Once the commitment is made to introduce these new tools, you will quickly find that the new vision they provide is truly enlightening and empowering. You will be able to quickly assess where your biggest exposures are and you will be able to generate and implement network policies that will address them.

In conclusion, the bottom line is that you can no longer afford to ignore the new tools available for identifying and profiling the devices on your network. Failing to adopt these new tools is the equivalent of flying a plane blindfolded. You cannot defend what you cannot see, and continuing to hold the status quo will not end well.

The Importance of Creating a Culture of Security in Healthcare

https://www.healthtechmagazines.com/the-importance-of-creating-a-culture-of-security-in-healthcare/ | Wed, 06 Apr 2022 13:06:20 +0000

The post The Importance of Creating a Culture of Security in Healthcare appeared first on HealthTech Magazines.

By Kate Pierce, CIO/CISO, North Country Hospital

I’m sure you’ve heard the expression, “We’re all in this together.” Unfortunately, this sentiment has never been more accurate than when speaking about your healthcare organization’s information security. In today’s environment, having a culture of security within your organization is a must. 2021 was an historical year in both the increased use of technology in the healthcare setting, as well as the increased number of cyberattacks that have crippled organizations, and 2022 is along the same upward trajectory so far.

COVID-19 brought with it many new digital tools to help address a variety of needs that arose seemingly overnight: telehealth usage increased extensively, a large percentage of the workforce moved to remote settings, and reporting and dashboards became essential tools for providing up-to-the-minute insight. These were among some of the top technology expansions, although there were many more. Along with this technology boom, cyber attacks grew exponentially, negatively affecting patient care, consuming scarce organizational resources, and skyrocketing costs for affected organizations. These increased attacks were especially impactful during a period with unprecedented staffing shortages, increased hospitalization rates, and constantly changing requirements.

It is clearly evident that healthcare’s typical approach of ‘the responsibility for preventing these cyberattacks lies solely within organizational IT and security teams’ is no longer adequate. While these teams do have a large role in ensuring that everything ‘technically’ possible is being done to lower risk and mitigate adverse outcomes from cyber attacks, our employees remain our greatest risk. In fact, every single person in the organization has a role to play in the prevention of attacks, as well as the response.

It is also important to note that, while the cyber attacks have grown significantly over the past few years, there have been a wide variety of results from these attacks, with a marked difference in the amount of downtime, the overall costs, and the negative impact inflicted. For example, in 2020, a top healthcare organization had nearly six weeks of downtime, resulting in a reported $63 million in costs, while other organizations had minimal downtime, and little monetary impact. This highlights the difference seen between a well-prepared healthcare system experiencing an inevitable attack and an unprepared organization. An organization with a strong security culture responds quickly, decisively, and in a well-rehearsed, organized manner. In contrast, an unprepared organization can experience results that are absolutely devastating, sometimes even leading to closure.

While an organizational security culture takes time to build, you can start today by developing a strategy, building consistency across the organization, and being fully engaged with making security a system-wide priority.

The overall cost of a cyberattack goes beyond just the immediate financial loss, and includes the risk of reputational harm to the organization, the possible negative impact on patients’ lives, and even cost increases for cyber insurance policy premiums. With the sharp rise in attacks, cyber insurers are now evaluating organizational cyber posture, including technical controls, educational programs, and incident response training as key components to their renewals. Some insurers are even scanning organizations’ networks and providing reports to their customers to assist with improving their security posture.

In addition, with the marked escalation in cyber threats with the Russia–Ukraine war in recent weeks, it is even more imperative that healthcare organizations embrace a culture of security by sharing information with their staff regarding the constantly evolving threat landscape and how to identify potential threats. No longer is security a once-a-year, one-hour training session for staff. Instead, security now involves sharing continual insights and education to ensure that staff are aware, constantly vigilant, and fully understand how to respond when an attack occurs. 

While most facilities fall somewhere in the middle of the cyber preparedness spectrum, it is imperative that organizations change their approach to security by creating an organization-wide culture that recognizes the importance of information security, and embraces security controls. This is the key to keeping bad actors out of our networks, as well as controlling the spiraling costs of security. 

An organizational security culture takes time to build, but it can be achieved by developing a strategy, building consistency across the organization, and being fully engaged with making security a system-wide priority. Strong security training during onboarding for new staff, ongoing security education, incident response training, and active phishing testing are key components to creating the security culture. In addition, there must be active engagement in security protocols across the board, with every individual understanding their contribution to the overall security of the organization’s information.

The good news is that you don’t have to do this alone. There are a growing number of federal and state resources available for healthcare organizations to leverage, and most are free. For example, CISA has teams available to assist healthcare organizations in improving security. The FBI has trained regional cyber security experts for organizations to partner with on security enhancements, and there are state and local security organizations. In addition, there are a number of new grants available to healthcare organizations to help defray the cost of implementing a robust security program. While the threats are growing, so are the resources.

With today’s high-technology healthcare environment, it’s important that healthcare facilities begin adopting a culture of security across the entire organization now! While strong technical security controls are a necessity for every security program, building a culture of security must be at the center of the strategy. How your organization responds to the inevitable attack can be a matter of life and death for your patients, and your facility. Are you ready?

Application Rationalization Journey in a Large Complex Health System

https://www.healthtechmagazines.com/application-rationalization-journey-in-a-large-complex-health-system/ | Tue, 05 Apr 2022 13:45:13 +0000

The post Application Rationalization Journey in a Large Complex Health System appeared first on HealthTech Magazines.

By Tabitha Lieberman, SVP Clinical and Revenue Cycle Applications, Providence St. Joseph Health

When my daughter was young, she jumped on the beanie baby bandwagon and worked her way through the family governance structure to get a healthy capital investment so she could purchase every new beanie baby that hit the market. While the Peace bear was great last month, the only way to beat her goal this month was with Pounce the cat. I often compare our application collection to beanie babies because we collected them with the same level of enthusiasm and most have the same level of value today.

Providence is a large health system spanning seven states, 52 hospitals, 1000 clinics, 18 Home Health & Hospice agencies and more. Over the last decade, Providence has come together to operate as a single health system and along the way, has created affiliations and partnerships with many other health systems. While this has made for a stronger health system, it has given us a significant collection of applications totaling over 4000 unique instances or applications.

We have been on a journey not just to consolidate our applications but to ensure we are moving to modern platforms that can thrive in a cloud environment and meet the needs of an ever-evolving health system.

At a high level, this seems simple enough. Figure out your application portfolio, evaluate the best products, create transparent governance, select the future state products, implement and finally sunset the old applications. Rinse and repeat. The reality is each step in the process takes significant effort and discipline. Our rationalization was such a large endeavor we have named the core projects after Greek gods (Hercules, Titan & Zeus). 

Technology can be transformational, but it is critical to have modern platforms. This means working with our clinician and executive leadership to create a clear vision for our future offerings. From there, we must work with our vendors to ensure health care applications have all the best that technology has to offer in 2022, not 2000.

No one is going to engage patients with 20 separate experiences,

No one is going to implement best practices with 5 EHRs,

No one is going to save money by having 1000 different vendors,

No one is going to ensure a secure platform with outdated software and very few health systems have one-of-a-kind Princess bear applications that should be saved at all costs.

Providence has learned many lessons along the way, but I am happy to share we have seen significant progress, including over 1000 application instances moving to the cloud and 100M in cost savings due to both rationalization & sunsetting. Our tools and processes continue to mature and we are well on the way to delivering significant value with our core applications.

Now back to the beanie babies, I clearly need to update my sunset plan as my daughter has moved on to adulthood and I am still storing bins of cute stuffed animals in my attic, but that is not something I recommend for our health care applications.

If anyone is just starting out on this journey, we are always happy to share our learnings. Health care has come a long way, but we still have a lot of work to do to ensure our technology is truly meeting the needs of our caregivers and patients.

Private Cyber Battlespace

https://www.healthtechmagazines.com/private-cyber-battlespace/ | Mon, 04 Apr 2022 12:16:28 +0000

The post Private Cyber Battlespace appeared first on HealthTech Magazines.

By Christopher Baldwin, System Director, Information Security, Hartford HealthCare

My previous article on the Cyber Maginot Line explained how any cybersecurity strategy that does not realistically consider the possibility of compromise, however fortified and well-conceived, is dangerous. News media regularly report on a lack of adequate cybersecurity preparedness throughout the nation. Large and small companies must defend against cyber-attacks perpetrated by sophisticated threat actors (TA). According to the Global Threat Report 2022 by CrowdStrike, there was an 82% increase in ransomware-related data leaks last year. This article explores strategies for expanding layers of cyber safeguards that are now essential given today’s threat landscape.

Private Cyber Battlespace

Military strategy is an appropriate analog for cybersecurity. Foreign criminal enterprises and nation-states are perpetrating many of today’s sophisticated cyber-attacks. In modern warfare, the term ‘battlespace’ depicts a unified military strategy to integrate and combine armed forces in a military theatre of operation, combining air, information, land, sea, cyber and outer space to achieve military objectives.  

The concept of a private cyber battlespace is one way to conceptualize an effective cybersecurity strategy. This paradigm implies a broad array of safeguards to reduce the overall cyber-attack surface of an organization and thwart an advanced cyber-attack at any point along the pathway of the attack.

Defend in the Cloud

At the outermost perimeter, keep “the battle” away from the network(s) where the most sensitive assets are located. Tactics can be employed to expand the defensive perimeter so that cybersecurity workloads execute in the Cloud. Web browsing and links in email messages can be inspected, filtered and, if necessary, blocked in the Cloud with tools such as browser isolation and URL rewriting. Domain Name System (DNS) filtering allows for Cloud inspection and blocking of “known bad” websites. These techniques enable threats to be blocked without ever reaching a network firewall. Much like the defensive perimeter the Navy establishes with a battlegroup around an aircraft carrier, the threats are kept distant from the most valuable assets.

Defend the perimeter

Defending the immediate network perimeter with a firewall is a basic cybersecurity safeguard. But building an effective perimeter strategy requires a thorough assessment of all means of ingress and egress to understand the vulnerabilities in network fortifications. No need to find a way through the firewall if a user’s personal computer can be hacked in their home through a virtual private network (VPN) connection. This is an acute concern given the current work-at-home paradigm. Contemporary standards for perimeter security now include next-generation firewalls, multifactor authentication (MFA), and mobile device management (MDM) software for cell phones and tablets. Zero trust is now a common term used to denote the concept that highly reliable authentication techniques must be established before “trust” is granted and access is allowed through any perimeter defense.

Detect and eradicate threats on the inside

What if the unthinkable happens? An advanced TA gains access to a private network and executes a “cyber kill chain” attack, a term coined by Lockheed Martin in 2011. The kill chain begins with penetration and access to a network-connected device. Command and control (C2) is established to the TA’s external C2 server on the Internet from which the attack can be directed. The TA conducts reconnaissance to locate the network’s most sensitive assets and proceeds to move laterally and escalate the level of privileged access using techniques such as “pass the hash” and remote desktop (RDP). Finally, the TA deploys ransomware, exfiltrates valuable data and gains control over sensitive technology assets.

Building an effective defense against this level of attack starts with a realistic assessment of vulnerabilities relative to the cyber-kill-chain scenario and with developing and deploying countermeasures. Preparedness starts with basic cybersecurity hygiene, including patch management, elimination of end-of-life technology, and education to foster a security culture. But today’s advanced TA leverages standard utilities – referred to as “living off the land” – that do not contain software flaws and necessitate more advanced defensive tactics. Network segmentation is an important network design concept that can minimize the TA’s movement once inside the network. Much like transverse bulkheads in ships that prevent the movement of water after a breach, network segmentation techniques quarantine and restrict lateral movement of the TA in the network. Advanced endpoint detection and response software uses artificial intelligence (AI) to detect and eradicate sophisticated malware. Of paramount importance is having an incident response apparatus that is capable of the response and recovery actions that are critical.

Testing

Testing is critically important. Unless defenses are regularly tested, there could be unforeseen flaws stemming from misconfigurations or heretofore unknown vulnerabilities. Red and purple teams are “ethical hackers” that probe and test cyber defenses. These teams formulate attack strategies just like an actual TA. Given pre-established boundaries, they attack and attempt to penetrate. They provide invaluable learning for the cybersecurity team. In addition, they foster an improved understanding of how cyber defenses will stand up to a real-world attack.

Conclusion

This article describes a framework – a private cyber battlespace – to help understand what is needed to thwart advanced cyber threats. These cybersecurity challenges can seem overwhelming. An effective cybersecurity program starts with conceptualizing a strategy that includes a layered array of defenses at all points along the TA’s cyber kill chain and prioritizes investments in safeguards based upon an accurate assessment of an organization’s underlying cyber risk.

Healthcare Cybersecurity – “Building an IT Security & Awareness Culture”

https://www.healthtechmagazines.com/healthcare-cybersecurity-building-an-it-security-awareness-culture/ | Wed, 30 Mar 2022 14:55:01 +0000

The post Healthcare Cybersecurity – “Building an IT Security & Awareness Culture” appeared first on HealthTech Magazines.

By Brian A. Shea, CIO, MedOne Hospital Physicians

I have been in healthcare IT for over half of my almost 30 years in IT. Healthcare definitely has its uniqueness compared to other industries; however, it is not unique in the fact that everything can be broken down into three key areas: people, process and technology. Cybersecurity will always be a moving target for organizations, especially healthcare. I believe that the most important thing within any organization is building an IT security and awareness culture. I have stated throughout my career that security is not something that you can simply turn on/off—it needs to be a part of every individual and organization’s DNA.

The overall objectives in building an IT security and awareness culture in healthcare come down to three things:

1. Protecting patient, company and employee data
2. Continual risk mitigation
3. Regulatory compliance

Threats

Threats come from all sorts of directions, including everything from foreign countries, organized crime, employees, vendors, terrorists, etc. The majority of threats are primarily about financial gain or causing disruption or both. The unfortunate thing is that most threats are initiated through employees (people) who inadvertently open or click on something they shouldn’t have. People are your biggest weakness within any organization.

Technology

I’m not going to spend a lot of time on any specific IT security technology. It is critical that your organization is continually evaluating and implementing a solid IT Security Technology Stack. I believe it starts with developing a Security Scorecard against current IT security best practices. You can use the Scorecard to help build your plan of attack or strategy for continued risk mitigation. The Scorecard would include everything from Endpoint Protection and Multifactor Authentication (MFA), to Data Loss Prevention (DLP) and IT Security Awareness Training. There will always be new vulnerabilities that can be exploited, accompanied by new security software that provides various protection. From my experience, it has always been about layering and finding the balance of what is “good enough” without breaking the bank. Technology is critical in taking decision points out of individuals’ hands. Simply put, you need a solid IT Security Technology Stack that attempts to provide visibility or prevent the bad things from ever happening; and if something bad does happen, allows you to minimize the damage and ultimately recover from an incident.

Process & People

Technology is accessible compared to the process and people aspect of building an IT security awareness culture. As mentioned in the beginning, security needs to be a part of your organization’s DNA. What does that mean? It means that it has to become automatic or baked in. You want people to have an awareness and ask questions. If they are unsure of something, they need to err on the side of caution. It is important that an organization create an ongoing IT Security and Awareness Program. This includes not only providing the initial tools and knowledge when employees start working for your organization, but over the entire relationship. This should again be a layered approach, i.e., security awareness emails and training videos, etc. The frequency can vary, but one approach I have seen work is having things that are weekly, monthly and annually. You need the content to be meaningful and not just noise that individuals gloss over or ignore. Leadership needs to champion the importance of IT security to all levels of the organization—no one is above or exempt from learning. Many security incidents occur because people are moving too fast. This can be as simple as someone reviewing or opening an email message, or a system administrator forgetting to patch or make the needed security configurations when implementing changes into production. I use this saying: “You need to slow down to move fast.” I know that sounds crazy, but it’s really about making sure that we are all being observant and making thoughtful choices and decisions no matter what we are working on.

Some key processes an organization needs to have in place, the bricks-and-mortar-type things, include assuring all systems are being patched/updated, assuring all systems have end-point protection and are being updated, assuring backups are being completed and tested, and enabling Multifactor Authentication (MFA). A lot of these will be identified on your IT Security Scorecard mentioned previously. In my opinion, if you are not doing the basics, then you are setting yourself up for failure.

In healthcare, there is a lot of regulatory compliance, which does provide organizations the needed push to implement formal processes and procedures when it comes to protecting things such as PHI/PII. It’s important to find a healthy balance between regulatory requirements and operating efficiencies. Sometimes the more you over-engineer something, the more risks are introduced. Again, you need to educate individuals that just because you can do something doesn’t mean you should do something.

It is important as part of the process to create an environment that is more educational than punitive. There is a difference between someone making a mistake and being reckless. Yes, if there is a trend of poor judgment, it needs to be addressed. Building this type of culture encourages individuals to ask more questions around security/risk without fear of embarrassment or retribution.

There is no perfect or one-size-fits-all when building an IT security and awareness culture within your organization. The important thing to remember is it’s something that does require ongoing focus and dedication from everyone.
