CISO Archives | HealthTech Magazines https://www.healthtechmagazines.com/category/ciso/ Transforming Healthcare Through Technology Insights Fri, 04 Jun 2021 12:59:37 +0000

Cyberattacks Against Healthcare Can Be Prevented https://www.healthtechmagazines.com/cyberattacks-against-healthcare-can-be-prevented/ Thu, 13 May 2021 13:50:16 +0000

The post Cyberattacks Against Healthcare Can Be Prevented appeared first on HealthTech Magazines.

By Alexander Grijalva, CISO, VillageCare

Healthcare’s cybersecurity problem is a half-century-old affliction that began with the first step towards digitization.

When hospitals introduced computerized systems in the late 1960s and 1970s, they also unwillingly exposed themselves to cyber threats. To cyber criminals, healthcare organizations were “no [longer] viewed as…sacrosanct institutions of mercy” and consequently not immune to computer crime, wrote Robert A. Hershbarger in 1977.

Some of the hospital information systems developed in the 1970s (such as the Dutch BAZIS system) incorporated high availability and strict access control requirements in their designs. The need to safeguard hospital information system software and hardware components—including the patient data stored in system databases—against unauthorized access and use (and computer crime) was understood.

Of course, the IT operational environment of the 21st-century healthcare industry is significantly larger, more complex, and more interconnected.

In the United States, the use of information technology is ubiquitous in a healthcare industry comprised of over 119,000 entities:

  • Hospitals—6,090
  • Long-term care facilities—65,000
  • Independent pharmacies—22,000
  • Urgent care centers—9,600
  • Hospice care—4,300
  • Freestanding emergency rooms—566
  • Medical device companies—6,500
  • Registered health insurance companies—5,600

This doesn’t include the numerous private practices, independent radiology centers, and state health information exchanges (HIEs).

If we incorporate the number of U.S. physician office visits (883 million in 2016) and emergency department visits (130 million in 2018) into the equation, the impact of a cyberattack can be much more considerable and frightening than anything imagined in the early years of healthcare’s digital transformation.

And while the attack surface of health IT has significantly grown, the weapons of choice have not really evolved. Malware and phishing emails remain the most popular and successful means of breaching healthcare organizations:

  • Patient zero of Anthem’s 2015 data breach was the employee of a subsidiary who opened a phishing email with malicious content.

  • The 2017 global WannaCry attack exploited Windows XP and Windows 2003 computers that were missing a critical Microsoft Windows security patch that had been released months before the attack. The attack crippled 70% of the U.K.’s National Health Service.

  • New York’s Wyckoff Heights Medical Center and St. Lawrence Health System, and Pennsylvania-based Universal Health Services, Inc. (with over 400 acute hospitals across the United States), suffered crippling ransomware attacks in 2020. Security firm Mandiant told NPR that such attacks typically start as “corporate communications containing Google Docs and PDFs with malicious links.”

In response to the affliction of cyberattacks, numerous public and private partnerships between healthcare organizations and with government agencies have developed. There has never been a more cooperative and educational environment in health IT security.

Additionally, sophisticated security tools and services have come to the marketplace. However, these solutions—for example, endpoint detection and response (EDR) systems, cloud access security brokers (CASBs), and user behavior analytics (UBA)—are beyond the means of a multitude of healthcare organizations. And integrating them into existing security portfolios isn’t seamless.

However, responding to cybersecurity threats does not necessarily require sophisticated or expensive solutions. Some studies have shown that practical cyber hygiene practices can stop 95% of cyberattacks.

Organizations like the Healthcare and Public Health Sector Coordinating Council Joint Cyber Security Working Group and the DHS Cybersecurity and Infrastructure Security Agency have promoted cyber hygiene in the healthcare industry. Their recommendations include:

  • Using strong passwords.
  • Employing anti-virus.
  • Backing up critical data.
  • Ensuring computer operating systems are regularly patched.
  • Employee training and awareness.

Add to this mix multi-factor authentication, offered for free to Microsoft 365 and Google G-suite customers.

Nevertheless, much like healthcare clinicians’ struggle with hand hygiene compliance, the adoption of basic cyber hygiene is seemingly poor in the industry.

The Ponemon Institute’s sixth annual study, “Privacy & Security of Healthcare Data,” found that many healthcare organizations and business associates didn’t have the financial or human resources to address cybersecurity threats, even those considered preventable mistakes.

The study, however, also found that many of the study participants were “negligent in the handling of patient information.” 50% of the participants said they weren’t attentive to ensuring partners and third parties safeguarded patient information.

There is a considerable risk of non-compliance with even basic cyber hygiene. Successful and disruptive cyberattacks may increase clinicians’ reported stress levels when using health IT systems, leading to underutilization or even the cessation of further technology investments. There are already public reports of clinicians lacking confidence in electronic health record systems, because of design flaws that have allegedly led to patient deaths and other adverse health outcomes.

The public’s confidence in health IT systems is also at risk. Taxpayer-funded incentives to use technology to efficiently manage patient care, reduce medical errors, produce better health outcomes, and effectuate cost savings could be questioned if health IT systems are unreliable and easily disrupted by cyberattacks.

Despite continuing and significant challenges with health IT interoperability, healthcare services are coordinated (perhaps sometimes haphazardly) using a web of interconnected IT systems and devices that involve explicit and implicit data sharing agreements. And often the contractual and technical relationships and data flows between parties aren’t clear. Consequently, the risks and security gaps of one can be shared by all. Sometimes unknowingly.

The specter of cyber threats is clearly not neoteric. It has been the monster in the closet and under our beds for over 50 years.

Obviously, cyber criminals have never hesitated to attack healthcare institutions. They have not cared that crippling a hospital—including safety net hospitals that serve the uninsured and low-income communities—may risk lives. They have not cared that stealing and selling the records of a breast cancer research project and registry can adversely affect the lives of hundreds of thousands of women.

Cyber criminals are a malady that targets all the organs of the healthcare system. No organization is immune. And successful cyberattacks can have residual effects with no effective treatment. But the industry has acquired the knowledge—painfully and traumatically—that can protect all tiers of the healthcare system, albeit not 100%.

We know that 95% of cyberattacks can be prevented if healthcare organizations—no matter their size or role—implement and adhere to basic cyber hygiene practices.

And we know that it is important that clinicians and the public have faith in the reliability and availability of the systems used to provide and manage care.

More importantly, we know that lives are literally at risk if we all don’t do a better job of safeguarding health IT systems.

Tag line: Cyber Safety is Patient Safety https://www.healthtechmagazines.com/tag-line-cyber-safety-is-patient-safety/ Tue, 11 May 2021 12:52:21 +0000

The post Tag line: Cyber Safety is Patient Safety appeared first on HealthTech Magazines.

By Erik Decker, CISO & CPO, University of Chicago Medicine

When most people hear the term “Information Security,” they immediately think of “the protection of our data.” Our regulatory regimes back such observations, with the requirements of protecting health information (HIPAA/HITECH), personally identifiable information (PII, credit card data, banking data, etc.), and other sensitive data. Within healthcare, we have been training and educating our workforces to handle these sensitive data with the utmost care since at least 2005, when the HIPAA Security Rule became enforceable.

I posit that the Information Security profession has matured well beyond simple ‘data protection’ within healthcare. As threats to this space have gotten more sophisticated over time, the Information Security profession has matured toward cybersecurity resiliency. Our mission and goals? Protect the health and safety of our patients and our organizations. We have moved way beyond simply protecting data; the role of the cyber professional today is to protect their organization against active malicious actors who intend to harm. As was unfortunately demonstrated in Dusseldorf, Germany this last year, lives are at stake.

History of Disruptive Cyber Attacks

According to the 2020 Verizon Data Breach Investigations Report, of the 977 breaches evaluated in that report, 55% were conducted by Organized Crime. By October 2020, at least 59 publicly reported ransomware attacks had impacted more than 510 facilities (Frank Bajak 2020). According to cybersecurity firm Emsisoft, more than 2,300 government entities, healthcare organizations, and schools were impacted by ransomware in 2020 (Ryan Lovelace 2021). That is a staggering amount of damage. Data is one means to an end for these cybercriminals, but their real intention is financial.

Electronic extortion attacks (aka ransomware) are not new. The first documented ransomware attack occurred in 1989. The vector? A 5.25-inch floppy drive. This incredibly unsophisticated attack hid and changed the names of files and folders on the computer from the operator, with a note presented to the operator to pay $189 to a P.O. Box in Panama to recover their data. Over the decades, we saw more examples of this type of malware. Users unwittingly downloaded and installed malicious software that encrypted, changed, renamed, or otherwise destroyed data on local computers. As we moved into the 2010s, we started seeing this malware begin encrypting files on mapped drives and other file servers these computers were connected to. The first versions of ransomware were generally opportunistic attacks that required a user to instantiate the software. The damage would be restricted to the access that the computer itself had on the organizational networks.

This all changed with the rise in organized crime, the dark web, and the establishment of new ‘Cybercrime-as-a-Service’ economies (HHS HC3 2020). In today’s era, we face not just a single threat but an entire underground marketplace where buyers can rate the sellers of stolen data, promise a Return on Fraudulent Investment, and establish a malicious supply chain for buying and selling access to corporate organizations.

Cybercriminals are now weaponizing their stolen access with tools to cause vast damage inside of organizations. The adversary we face is no longer that opportunistic malware being downloaded onto a computer (don’t get me wrong, that still happens), but rather a wide-scale hacking effort that thoroughly penetrates your organizational networks and uses these ransomware tools as the last step in shutting down systems so they might extort your organization. Worse, since organizations have gotten better at backing up their critical files, the extorters are now destroying those backups and exfiltrating your data as part of their attack. In short, they are threatening to release the data publicly that they have stolen even if they were unsuccessful at shutting down your organizational systems.

The Solution

I know this all feels quite daunting, especially for those healthcare organizations that are very limited in their resources to protect themselves. Fortunately, there are solutions to these problems. In 2017, Health and Human Services convened a meeting of over 70 industry leaders charged with one singular purpose: how can we align and improve the cybersecurity posture across the industry to assist everyone from the small providers up to the large health systems? This meeting was the beginning of the 405(d) Task Group, a public-private partnership sponsored by the U.S. Department of Health and Human Services that has grown to over 250 participants across industry and government, with its authority granted under the Cybersecurity Act of 2015.

I am the industry leader of this Task Group, working in partnership with a government co-lead within HHS. Collectively, this Task Group produced its first 250-page cyber practices compendium at the end of December 2018. This publication, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP, pronounced ‘hiccup’), outlines five cyber threats that every healthcare provider faces and ten practices (and upwards of 89 sub-practices) that can mitigate them (Decker and Chua 2018). Think of this publication as your recipe book for fighting cybercrime. The volume is broken into multiple components: a main document for the masses, Technical Volume 1, which offers solutions for small practices, and Technical Volume 2, which offers solutions for medium and large-sized practices.

Just recently, on January 5th, congressional bill HR 7898 was signed into law (now referred to as Public Law 116-321). This law amends HITECH to offer regulatory relief for organizations that have adopted “recognized cybersecurity practices” and are subject to a cyber breach. This law specifically recognizes the 405(d) Task Group’s work products as a recognized cybersecurity practice. HICP will not only protect your patients’ livelihoods and data, but it will also protect your organization as well.

Our Task Group continues to produce more content, including an update to HICP and new materials forthcoming related to enterprise risk management. Keep an eye out for these updates.

“Just Internal” is No Longer the Case. What organizations need to do to protect themselves given the CURES Act. https://www.healthtechmagazines.com/just-internal-is-no-longer-the-case-what-organizations-need-to-do-to-protect-themselves-given-the-cures-act/ Fri, 30 Apr 2021 14:41:15 +0000

The post “Just Internal” is No Longer the Case. What organizations need to do to protect themselves given the CURES Act. appeared first on HealthTech Magazines.

By Mitch Parker, CISO, Indiana University Health

The CURES Act Final Rule’s provision requiring healthcare providers to give access to the health information in their electronic medical records without delay is coming on April 5. This means that patients will be able to use their application of choice to access their medical records and store them on their devices. This also means that providers will have to open secured Application Programming Interfaces (APIs) for the applications to access this data. There are security requirements around these APIs, mainly the use of OAuth2 authentication and Transport Layer Security (TLS) version 1.2 or greater. This can help ensure that the transfer of data to our patients is secured.

However, we also need to look internally to ensure that the provenance of patient data is protected from its point of origin to its ultimate destination on our patients’ devices. Most healthcare systems have been running numerous technologies since before HIPAA and the Security Rule were published as a Final Rule in 2003. The Security Rule was drafted long before encryption was pervasive. 45 CFR 164.312(e)(1), Standard: Transmission security, requires us to implement technical security measures to guard against unauthorized access to Electronic Protected Health Information (ePHI) that is being transmitted over an electronic communications network.

What this part of the rule means is that we must ensure the confidentiality, integrity, and availability (CIA) of ePHI as it is transmitted over a network. The implementation specifications for Transmission Security were marked as addressable. According to the Federal Register of February 20, 2003, addressable has three components:

  • If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must implement it.

  • If a given addressable implementation specification is determined to be an inappropriate and/or unreasonable security measure for the covered entity, the covered entity may implement an alternative measure that accomplishes the same end as the addressable implementation specification.

  • A covered entity may decide that a given implementation specification is simply not applicable and that the standard can be met without the implementation of an alternative measure in place of the addressable implementation specification.

If the measure cannot be implemented, the risk mitigation steps taken must be documented. When the Security Rule was written, the use of secure channels was novel. While e-commerce sites utilized them, they were expensive and prohibitive to set up. Malware that exfiltrated patient data was also not prevalent. It was not difficult to make the argument that implementing encryption was not reasonable and appropriate, and that keeping data on an internal network was feasible.

With the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act (ARRA) of 2009, there was an expansion of the HIPAA compliance requirement set. According to Entrust, this requires the disclosure of data breaches of “unprotected”, aka unencrypted, personal health records. This also includes those by business associates, vendors, and related entities. One of the interpretations of the HITECH Act has been that if the data could be seen by others between its source and destination, it could be considered breached. Another is that if the data is unprotected at rest using encryption and algorithms approved by NIST, then the data is also considered breached.

Also, given the time we are in, we have three alternatives. Microsoft and other vendors have made the use of secure channels pervasive, and only offer secure versions by default for their Application Programming Interfaces. The use of Secure Shell (SSH) is also now pervasive and is now a default in Windows 10. You can use it to “tunnel” insecure traffic over an encrypted channel. Virtual Private Networks are also now common, and can be easily configured, even within your own virtual environments.

The use of legacy file transfer mechanisms such as older Health Level 7 implementations, File Transfer Protocol (FTP), Server Message Block (SMB), Network File System (NFS), internal e-mail, or older versions of Secure Shell doesn’t work well to protect patient data. These protocols do not protect the confidentiality, integrity, or availability of data. They also often force organizations to run older applications and services that cannot be configured to support newer services such as FHIR. The old adage of “if it ain’t broke, don’t fix it” does not apply to the protection of patient data from threats to confidentiality, integrity, or availability. Upgrading these transfer mechanisms, applications, and services will put you in a better position to provide customers what they need as part of the CURES Act.

What you and your organizations need to do is to look at any unencrypted traffic you have with those legacy systems and find out how to encrypt it in transit using one of these three methods. Either you or your vendors need to address these for your applications. Given the environment that we are in, the consequences for having unencrypted info flying around due to HITECH, and the implicit encryption and security requirements in the CURES Act Final Rule, it’s time to revisit what’s unencrypted on our internal networks. Just Internal is just no longer the case.
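As an added example that is not part of Mitch Parker's article or any vendor's tooling, the script below walks a constructed inventory of internal integration points, flags each one that still moves ePHI in the clear (FTP, SMB, NFS, plaintext HL7 over MLLP, internal e-mail, SSH-1), and attaches one of the three remediations the article names: a TLS-native replacement, an SSH tunnel, or a VPN segment. It also builds a client TLS context that refuses anything below TLS 1.2, the floor the CURES Final Rule sets for patient-facing APIs. The interface names, hostnames, ports and the protocol-to-remediation mapping are this example's own assumptions.

```python
"""
Added example (not from the article): triage an inventory of internal
data-transfer interfaces, flag the ones that carry ePHI unencrypted, and map
each to a TLS replacement, an SSH tunnel, or a VPN. All inventory entries,
hostnames and ports are constructed for illustration.
"""
import ssl
from dataclasses import dataclass

# Plaintext protocol -> suggested remediation. This mapping is the example's
# own assumption about what usually fits, not a regulatory requirement.
PLAINTEXT_REMEDIATION = {
    "FTP": "replace with SFTP/FTPS, or tunnel over SSH",
    "HTTP": "move to HTTPS with TLS 1.2 or greater",
    "HL7-MLLP": "terminate MLLP inside TLS, or carry it over an SSH tunnel or VPN",
    "SMB": "confine to a VPN segment or migrate to an encrypted share",
    "NFS": "confine to a VPN segment or migrate to an encrypted share",
    "SMTP": "internal e-mail: require TLS, or stop sending ePHI by e-mail",
    "SSH-1": "upgrade to a current SSH release (SSH-2 only)",
}

# Protocols that encrypt in transit when run with current versions.
ENCRYPTED_PROTOCOLS = {"HTTPS", "SFTP", "FTPS", "SSH-2", "HL7-MLLP-TLS"}


@dataclass(frozen=True)
class Interface:
    name: str       # human label, e.g. "lab results feed"
    protocol: str   # one of the keys/sets above (case-insensitive)
    host: str
    port: int


@dataclass(frozen=True)
class Finding:
    interface: Interface
    encrypted: bool
    remediation: str


def triage(iface: Interface) -> Finding:
    """Classify one interface as encrypted or plaintext and attach advice."""
    proto = iface.protocol.upper()
    if proto in ENCRYPTED_PROTOCOLS:
        return Finding(iface, True, "none needed; confirm TLS 1.2+ or SSH-2 is enforced")
    if proto in PLAINTEXT_REMEDIATION:
        return Finding(iface, False, PLAINTEXT_REMEDIATION[proto])
    # Unknown protocols are treated as plaintext until the vendor proves otherwise.
    return Finding(iface, False, "unrecognised protocol; confirm encryption with the vendor")


def plaintext_findings(inventory):
    """Return only the interfaces that still carry data unencrypted."""
    return [f for f in map(triage, inventory) if not f.encrypted]


def cures_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 (the CURES floor)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed inventory for a fictional hospital's integration points.
SAMPLE_INVENTORY = [
    Interface("lab results feed", "HL7-MLLP", "labsys.internal.example", 2575),
    Interface("billing batch export", "FTP", "billing.internal.example", 21),
    Interface("radiology report share", "SMB", "rad-nas.internal.example", 445),
    Interface("patient API (FHIR)", "HTTPS", "api.example", 443),
    Interface("vendor file drop", "SFTP", "drop.example", 22),
]


def report(inventory=SAMPLE_INVENTORY) -> str:
    """One line per plaintext interface: what it is and what to do about it."""
    lines = []
    for f in plaintext_findings(inventory):
        i = f.interface
        lines.append(f"{i.name}: {i.protocol} to {i.host}:{i.port} -> {f.remediation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    print("client TLS floor:", cures_tls_context().minimum_version.name)
```

Run as-is, the script lists the three plaintext interfaces in the constructed inventory (the HL7 feed, the FTP export and the SMB share) with their suggested remediation, and leaves the HTTPS and SFTP endpoints alone; feeding it your own inventory is a matter of replacing SAMPLE_INVENTORY. The TLS context is the piece to reuse in any client code that talks to the new patient-facing APIs, so that a downgrade below TLS 1.2 fails rather than silently succeeding.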

Building a Strong Healthcare Cybersecurity Program is a MUST! https://www.healthtechmagazines.com/building-a-strong-healthcare-cybersecurity-program-is-a-must/ Mon, 26 Apr 2021 13:00:06 +0000

The post Building a Strong Healthcare Cybersecurity Program is a MUST! appeared first on HealthTech Magazines.

By Kate Pierce, CIO & CISO, North Country Hospital

In 2020, every healthcare organization was stretched to its limits by the worldwide pandemic. Throughout this historic year, IT was heavily relied upon as an essential component to solving a complex puzzle that changed daily. Instantly enabling and supporting telehealth platforms, moving employees off-site as part of the new remote workforce, and standing up COVID-19 dashboards were common themes of how IT departments responded to the evolving needs. However, interwoven into this complexity was another theme – the significant uptick in security events that threaten to bring healthcare facilities to their knees. During the early days of the pandemic, hackers vowed to give healthcare a free pass on ransomware attacks. However, this proved to be an empty promise, with attacks skyrocketing for the remainder of the year. In fact, the FBI’s Cyber Division reported that cybersecurity complaints quadrupled to over 4,000 incidents a day, and a recent Bitglass study reported a 55% jump in healthcare data breaches from 2019 to 2020. Why are hackers attacking healthcare? It’s simple – follow the money. Trustwave reported recently that healthcare records could bring more than $250 per record on the dark web, in comparison to $5.40 for the next highest valued record.

With the frequency of attacks on the rise, the healthcare environment is now universally dependent on electronic records. This has grown exponentially since 2011 (the Meaningful Use era), when healthcare once lagged other industries in moving to electronic systems. By 2017, Healthcare Innovation reported that 99% of hospitals had adopted Electronic Health Records (EHRs). And it’s difficult to secure given the complexity within hospital systems, including a large variety of medical devices, information systems, and computing requirements leading to a tangled web of networked devices that is ripe with opportunity for dark web trollers.

Sadly, healthcare now faces the fact that many organizations have also lagged in implementing information security programs. But today, a robust information security program is not an option for even the smallest healthcare facility. In fact, according to a 2018 hospital cybersecurity article, the entire national health system is only as strong as its weakest link – no matter the size.

Most larger organizations contribute more resources to cybersecurity as the full impact of these attacks has become apparent. But there are still several barriers for small, community-based organizations that prevent them from improving cybersecurity within their environments. The biggest barrier is simply the lack of financial resources, with many facing extremely thin operating margins with no room in the budget for security. Next, information security’s complex nature makes it difficult to find and retain security talent, especially in rural communities. Additionally, the attacks are a relentless, moving target. To guard against these attacks requires a culture shift that prioritizes security across the organization, not just within the IT department. Every staff member must understand and accept their part in reducing the risk, from the laundry worker who is checking email to the physician who now needs to enter MFA codes, to the senior administrators who must support security spending, and everyone in between.

How do these smaller organizations begin their journey to a strong cybersecurity program given all the challenges that exist? If an organization is unsure where to start, following these steps will help get the ball rolling.

  1. Select a Security Officer to lead the organization along the journey. Be sure this is someone who can build the relationships needed and understands how to build a security-centric culture.

  2. Decide on a security framework for the organization. Most smaller organizations select NIST because it is less complex, but you could also use HITRUST. NIST has a healthcare-specific program.

  3. Perform a Security Risk Assessment. If hiring an outside firm is too costly, a free self-assessment tool can be found at HealthIT.gov.

  4. Penetration testing is essential in locating the “holes” in your network that hackers can use to gain access. Make sure not to skip this step.

  5. Once the assessment and penetration testing are complete, don’t just put the reports on the shelf until next year and continue with the normal day-to-day business! Use these valuable tools to build organizational awareness and buy-in for addressing the identified critical and high-risk areas within your organization.

  6. Then develop and adopt a plan to address the identified issues, prioritized by the risk level.

If these steps are still too complex, many organizations have chosen to engage a managed security services firm to address their security needs. A growing number of firms offer these services, which can help eliminate the barriers and get the security program off the ground.

Also note that the government has committed to helping healthcare organizations in recent years and there are several free resources available. These are a great place to start:

  • The Cybersecurity Act of 2015, Section 405(d) provides resources and guidance for the Healthcare and Public Health (HPH) sector.

  • Health Information Sharing and Analysis Center (H-ISAC) has working groups and resources.

  • HealthIT.gov has several resources beyond the self-assessment tool.

  • The Cybersecurity & Infrastructure Security Agency (CISA) provides tools, training resources, alerts, and more.

  • The FBI Cyber Crime Division provides alerting, training, and support. Connect with your local FBI office to coordinate training for your staff.

  • The newly announced MITRE Resource Center for Hospitals and Health Systems has an amazing collection of links and references.

As Ben Franklin said, “Failing to plan is planning to fail,” so start now and take the first step. Having a strong program will not necessarily mean always avoiding an attack since it is just a matter of “when” not “if” an attack will occur. However, the ability to have a plan and react quickly will make a huge difference in the outcome for your organization and your patients.

Healthcare Cyber Security and the Challenges with the Diagnostic Vendor Space https://www.healthtechmagazines.com/healthcare-cyber-security-and-the-challenges-with-the-diagnostic-vendor-space/ Tue, 20 Apr 2021 14:29:22 +0000

The post Healthcare Cyber Security and the Challenges with the Diagnostic Vendor Space appeared first on HealthTech Magazines.

By Arthur F. Ream III, Senior Director of IT Applications & Integration | CISO, Cambridge Health Alliance

The U.S. FDA’s Center for Devices and Radiological Health (CDRH) has always remained committed to promoting and protecting public health, including the safe and effective use of medical devices and diagnostic devices that are connected to the Internet, hospital networks, and most any other medical devices.

The diagnostic industry, specifically laboratory and radiology instruments, has consistently been a lagging industry for cybersecurity and addressing the risks associated with their products. Why? It’s my opinion that the majority of this is due to over-regulation and the expenses for recertification coupled with manufacturers who tie their software and hardware performance to an ever-changing operating system industry.

Last year, the U.S. FDA issued warnings about Urgent 11 malware, which created vulnerabilities in medical devices.

We have a big gap between what is possible and what is probable. So, should hospitals and the healthcare industry be concerned?

The answer is “yes.” Ensuring lab devices remain secure from cyber threats is all about controlling access, and having a consistent, documented management process with your vendors is essential. In addition, access and connectivity to the network are paramount. Often you have devices in your diagnostic areas running a version of Windows, which is either at or near the end of life. Your institution is not about to replace instruments just because the vendor has failed to go back to recertify an up-to-date O.S. or has extended support from the O.S. vendor. Either way, you’re stuck making sure the connection is there in a form that is safe to the environment and provides timely results into your Electronic Health Record (EHR) for effective patient care – a true balancing act for any CISO and organization.

Labs are becoming automated more than ever, which increases the risk on unsecured connected devices. Someone can hack and use it to infiltrate the broader organization’s infrastructure. What is perhaps more likely is a vendor coming in to patch an extended support device and putting an infected USB drive in after using it at home and accidentally adding malicious software onto it.

Connecting a device to a network is like punching a tiny hole in that network, and you’re looking at potentially hundreds of interconnections.
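The two controls the preceding paragraphs call for, knowing which instruments are running an out-of-support OS and giving each one only the connectivity it needs (results out to the interface engine, maintenance in from the vendor), can be expressed as a small triage-and-policy script. The following is an added example, not code from the original article or its author; the device names, IP addresses, the interface-engine address, the MLLP port, the vendor jump hosts and the end-of-support dates are all constructed for illustration and should be replaced with your own inventory and verified lifecycle dates.

```python
# Added example, not code from the original article or its author.
# Triage of legacy lab instruments by OS support date, and a default-deny
# allow-list that keeps each instrument able to deliver HL7 results to the
# interface engine while cutting off everything else.
# Assumptions (all constructed for illustration): device names, IPs, support-end
# dates, the interface-engine address, the MLLP port and the vendor jump hosts.
from dataclasses import dataclass, field
from datetime import date

MLLP_PORT = 2575          # HL7 over MLLP; port the LIS/EHR interface engine listens on (assumed)
VENDOR_ADMIN_PORT = 3389  # remote maintenance path from the vendor jump host (assumed RDP)


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    os: str
    os_support_end: date   # illustrative dates; verify against the vendor's lifecycle page
    vendor_jump_host: str  # the only host allowed to reach the instrument for maintenance


@dataclass
class Policy:
    """Explicit allow-list of (src_ip, dst_ip, dst_port); anything absent is denied."""
    allowed: set = field(default_factory=set)

    def allow(self, src: str, dst: str, port: int) -> None:
        self.allowed.add((src, dst, port))

    def permits(self, src: str, dst: str, port: int) -> bool:
        return (src, dst, port) in self.allowed

    def to_nft(self, chain: str = "lab_instruments") -> list:
        """Render as nftables rules ending in a drop (default deny)."""
        rules = [f"ip saddr {s} ip daddr {d} tcp dport {p} accept" for s, d, p in sorted(self.allowed)]
        return [f"add rule inet filter {chain} {r}" for r in rules] + [f"add rule inet filter {chain} drop"]


def support_status(dev: Device, today: date, warn_days: int = 180) -> str:
    """'eol' if the OS is already out of support, 'near-eol' within warn_days, else 'supported'."""
    remaining = (dev.os_support_end - today).days
    if remaining < 0:
        return "eol"
    if remaining <= warn_days:
        return "near-eol"
    return "supported"


def triage(devices, today: date) -> dict:
    """Map each device name to its support status so EOL instruments get compensating controls first."""
    return {d.name: support_status(d, today) for d in devices}


def build_policy(devices, interface_engine_ip: str) -> Policy:
    """Least privilege for every instrument, EOL or not: results out to the interface engine
    on the MLLP port, maintenance in only from the vendor's jump host. Internet, Active
    Directory, file shares and other instruments are unreachable by omission."""
    pol = Policy()
    for d in devices:
        pol.allow(d.ip, interface_engine_ip, MLLP_PORT)
        pol.allow(d.vendor_jump_host, d.ip, VENDOR_ADMIN_PORT)
    return pol


# Constructed inventory (not a real site). The dates are the published end-of-support
# dates for these Windows releases but should be re-checked before relying on them.
INVENTORY = [
    Device("chem-analyzer-1", "10.20.5.11", "Windows 7 SP1", date(2020, 1, 14), "10.99.0.5"),
    Device("hematology-2", "10.20.5.12", "Windows 10 LTSC 2019", date(2029, 1, 9), "10.99.0.6"),
    Device("ct-console-1", "10.30.7.21", "Windows Server 2012 R2", date(2023, 10, 10), "10.99.0.7"),
]
INTERFACE_ENGINE = "10.10.1.50"
SAMPLE_DATE = date(2023, 6, 1)  # "today" for the illustration

if __name__ == "__main__":
    for name, status in triage(INVENTORY, SAMPLE_DATE).items():
        print(f"{name:18} {status}")
    print("\n".join(build_policy(INVENTORY, INTERFACE_ENGINE).to_nft()))
```

The policy is deliberately the same for supported and end-of-life instruments; the triage output only decides which ones you review first. Note what the allow-list leaves out: no rule lets an instrument reach the Internet, Active Directory, file shares or another instrument, so a compromised analyzer or an infected vendor USB drive has nowhere to go except the interface engine's MLLP port, which is where your monitoring should concentrate.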

Most manufacturers aren't doing much to protect their devices from threats. They see cyber threats as minimal risk, and they judge the expense of untangling their core diagnostic software from defunct operating systems to be too great.

From a manufacturer's perspective, resubmission of a 510(k) notification to the FDA is needed only when a software or firmware update significantly changes the device. The FDA's policy on device software functions and mobile medical apps does not require software developers to seek FDA re-evaluation for minor, iterative product changes, and according to the FDA's Guidance for Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, notifications are not required for cybersecurity patches. So users and manufacturers can install security patches without fear of triggering revalidation, as long as the patch does not alter the device's function or results.

So what is the problem? In my opinion, it has several fronts. Many vendors work with their OS suppliers to develop firmware patches, but we are still faced with:

1) The logistics of distributing and applying patches,
2) Manufacturers that do not push automatic patch installation,
3) Patches that may alter the device's operation.
My main point is that vendors need to stop tying the software that runs their instruments to a particular OS. They need to break that dependency and write better software that can run independently of the OS version.

Under the Healthcare Sector Coordinating Council, the FDA is co-leading the legacy device task group to better define current and future device management guidelines. The FDA is taking a tailored, risk-based approach that focuses on the software side of this equation. We all understand that software in the diagnostic industry spans a wide breadth: some software carries minimal risk, while software with operating-system dependencies that poses a greater risk to patients will require FDA review.

The immediate concern and focus should be on breaking the diagnostic software's dependency on any particular operating system. OS vendors cannot be expected to care about your software when they make changes, and patches arrive far too frequently for the industry to test each one. It is time to make instruments agnostic of OS version or update.

Resources: For a list of device software functions, manufacturers and developers can search the FDA's public database of existing classifications by type of software (for example, diagnostic). Approved/cleared device software functions are also listed in the FDA's 510(k) and PMA databases and in the FDA's Registration & Listing Database.

The post Healthcare Cyber Security and the Challenges with the Diagnostic Vendor Space appeared first on HealthTech Magazines.

Developing a Cloud Security Strategy https://www.healthtechmagazines.com/developing-a-cloud-security-strategy/ Mon, 19 Apr 2021 12:40:33 +0000

By Shefali Mookencherry, MPH, MSMIS, RHIA, CHPS, HCISPP, CISO, Edward-Elmhurst Health

The mitigation of security risks in cloud computing is a challenge to many healthcare organizations. As organizations move to the cloud more frequently, cloud security is a major concern for CIOs and CISOs.  

Most organizations fear a loss of control when moving to the cloud. The discussion of security risk in the cloud requires organizations to separate real risk from unease: they may worry about losing control of their data and fear the risks that come with this approach.

Organizations need to invest time to develop a cloud security strategy.

Cloud Security Strategy

What follows is a high-level cloud strategy for evaluating security risks and identifying what an organization should consider when mitigating those risks.

Review cloud risk implications
  • Review all areas of risk. Decision-makers contemplating cloud computing adoption face several challenges relating to policy, procedures, technology, guidance, security, and standards. In the cloud, data is entrusted to a third party and shares tenancy with other customers' data, which requires stringent access controls. Regulatory compliance might require visibility into where data is stored and who has access.

  • Discuss cloud risk implications and stakeholder concerns. Most cloud projects are driven by IT and focus on specific technologies. To deliver organizational value and minimize risk exposure, such initiatives should be aligned to the organization’s business strategies. The Board or risk management governance committees’ active engagement and oversight are essential prerequisites for the success of a cloud security program.
Mitigate cloud security and compliance threats
  • Identify key security threats in the cloud. Security risks of cloud computing may include compliance violations, identity theft, malware infections, data breaches, diminished customer trust, and potential revenue loss. 

  • Evaluate the role and limits of assurance. Identify and review data storage issues raised by multi-tenancy, such as how different clients’ assets are segregated and what assurances about separation can be provided to the data owners.

  • Review compliance requirements. Legal opinion should be sought to ensure that regulatory requirements are addressed for specific organizational needs related to HIPAA, PCI-DSS, and other security regulations.

  • Develop an action plan of steps to mitigate cloud security threats. Consider a single sign-on solution with multi-factor authentication, so that access is granted and revoked centrally, and encrypt data both in transit and at rest.
Address cloud availability and reliability challenges
  • Discuss availability and reliability challenges. Confirm that the cloud solution will be available and reliable; consider continuity planning and ensure that a defined set of processes is in place to manage and reclaim data should the service cease permanently.

  • Review current recovery capabilities and requirements. Confirm the organization has the required network connectivity, bandwidth, and technology to consume services from a cloud provider. For example, if the internal network or Internet link goes down or becomes unstable, employees cannot reach any applications hosted in the cloud, so connectivity itself becomes an availability dependency.

  • Assess mitigation tactics for availability and reliability risks. Organizations have to make sure that security is built into their cloud infrastructure – which includes selecting the right cloud deployment option from a supplier who can offer the right security measures.
Assess cloud integration challenges
  • Understand integration challenges in the cloud. Integration plays a vital role in the cloud as it ensures that applications, infrastructure, and data with interdependencies maintain their connections.

  • Review current integration processes and plans. Consider cloud service brokers, which provide an intermediate layer between multiple cloud vendors and users while offering services such as selection, aggregation, integration, performance management, and security. They should be able to unify legacy services and new multi-sourced cloud-based offerings into a common management platform and provision preconfigured applications as part of a service integration solution.

  • Outline application relationships and integration challenges. Review the list of applications that may potentially move to the cloud. Determine whether any applications should remain on-premises.
Identify the impact on internal infrastructure
  • Identify impacted infrastructure and data components. Put in place the right enterprise architecture framework, which contains the processes, products, tools, and techniques needed to create a complete IT system architecture for all infrastructure.

  • Determine cloud infrastructure requirements. A security architecture model may be useful during security architecture design. Conceptual security services can be grouped into high-level areas such as hosting, security governance, compliance, integrity, availability, cryptography, risk, and access management.
Identify required staff resources and costs
  • Understand the shift in IT responsibility. To effectively manage cloud service providers and appropriately staff the internal IT department, IT expertise and roles must be inventoried and appropriately resourced. Identify changes to existing staff resourcing.

  • Review Service Level Agreements (SLAs) and contract. The help desk team may need to contact vendors directly to log tickets or go through the IT vendor management team. SLAs should clearly set expectations with users about the time to resolve issues. If these expectations are realistic and based on vendor SLAs, end-users should remain satisfied. Some internal SLAs may need to change to accommodate new cloud vendor SLAs.

  • Evaluate Total Cost of Ownership (TCO) for cloud services. A TCO analysis involves creating a breakdown of expenses related to implementing cloud services. These costs are generally divided into four categories: ISP bills, staffing, hardware, and software. Vendors may provide calculators to help determine costs but consider the physical environment, application, process, and people. Keep in mind the different cloud deployment and support models, noting which models might be the best for you, as they affect the cost.

Although this list is only a high-level review of a cloud security strategy, organizations should also gain buy-in from senior leadership. Providing awareness training to senior leadership and the Board may improve the chances of cloud computing adoption. Cloud computing presents many security issues, and the organization should understand its own role and the security issues inherent in cloud computing.

The post Developing a Cloud Security Strategy appeared first on HealthTech Magazines.

]]>
Who is responsible for Cybersecurity? https://www.healthtechmagazines.com/who-is-responsible-for-cybersecurity/ Mon, 12 Apr 2021 13:31:04 +0000

By TJ Mann, Senior Director Cybersecurity & CISO, Children’s Mercy

Businesses are moving at the speed of a Ferrari, and the massive ongoing digital transformation is fueling it. Indeed, the COVID-19 pandemic has been the reason for many organizational digital transformations, but in reality this has been occurring long before COVID-19. Threat actors are improvising and are already a step ahead by tapping into disruptive technologies powered by AI and machine learning. In this fast-paced business environment, who is responsible for Cybersecurity?

  • Business Units – In most cases, cyber-criminals are shooting in the dark and hoping someone takes their bait. Some Business Units are high-value targets (e.g., Finance, HR) and favorites for threat actors to execute threats such as Business Email Compromise. When it comes to accounting, Cybersecurity is a cost center while the various Business Units generate revenue, so there is always a balancing act between robust cybersecurity and allowing the business to run and make money. However, Business Units can be the first line of defense in thwarting cyber attacks if they are equipped with relevant and good security awareness and training.
  • Compliance – Compliance is good for cybersecurity, but not the sole driver for cybersecurity. A well-built Cybersecurity Program should incorporate an organization’s compliance requirements, but a Compliance-based Cybersecurity Program is merely checking the boxes. Compliance plays a significant role in ensuring security controls are tested, audited, and meet all applicable regulatory compliance guidelines and highlights areas of improvement before a threat actor exploits vulnerabilities to access organizational assets.
  • Internal Audit – A solid Internal Audit Program is a saving grace in many situations. Internal Audit reviews organizational Programs and helps identify gaps from a security, regulatory, and internal-control performance perspective. It is critical for internal auditors to stay up to date on the current cybersecurity risk and threat landscape to bring an independent perspective on how to improve an organization's cybersecurity posture. On the flip side, too many audits can result in audit fatigue. It is imperative for cybersecurity leaders to build a good relationship with Internal Audit, share their input into the audit plans, and guide them to the areas of most importance based on risk.
  • Enterprise Risk Management – A well-defined Enterprise Risk Management Program exists to guide a CISO in developing and defining a Cybersecurity Risk Management Program for the organization. The Enterprise Risk management team helps a CISO validate cyber risks and define cyber risk tolerances within which a CISO is responsible to maintain the organization’s cyber risk posture. The Enterprise Risk Management Program helps liaise with the Board of Directors to ensure an organization manages cyber risk according to its risk appetite and advocates for funding and resources, as needed, to manage cyber risk within defined cyber risk tolerances.
  • Board of Directors – They are the ultimate body responsible for shaping an organization’s Cybersecurity Program. They have a fiduciary duty to reduce risk to the organization. It should come as no surprise that Cybersecurity is a top risk for any organization with a digital presence in today’s world. The Board approves an organization’s Cybersecurity Program and inputs on changes in cyber risk posture via periodic Cybersecurity Program reporting from the CISO. They are critical in approving resources and funding as needed to enhance an organization’s Cybersecurity Program and reduce cyber risk in line with organizational goals. It is the CISO’s responsibility to ensure the Board stays current in its understanding of the cyber risk posture of an organization, is well-aware and trained on the ever-changing cyber risk and threats landscape.
  • Information Technology (IT) – IT plays a vital role in maintaining and elevating any organization’s cybersecurity posture. You can’t have good security if you don’t have good IT. A good Cybersecurity Program starts with policies and standards which everyone in the organization should follow. Since IT owns system administration, endpoint management, network management, server-builds, and runs operations, it is critical for IT to follow the laid-out policies and be good advocates of Cybersecurity. IT’s primary focus is to keep the business up and running and contribute to digital transformation, innovation, and building new business solutions. In contrast, Cybersecurity is focused on reducing risk to the Business and safeguarding organizational assets, and because of these priorities, it is imperative to find a good balance between IT and Cybersecurity and both teams to be lock-step in every single strategy development and deployment.
  • Shadow IT Teams – Every organization has them: the small IT team within a Business Unit, or system administrators managing their individual systems outside of the organization's IT department. These Shadow IT teams were likely created to better serve the Business with all the right intentions, but they create a big challenge for Cybersecurity and IT teams: individualization and deviation from best practices, bypassing change control, and not involving the IT and Cyber teams are the most common problems. Best practice calls for consolidating the Shadow IT teams into the enterprise IT and Cyber teams, but it's not easy. A CISO can educate the Shadow IT teams on cybersecurity best practices, train them on security awareness, and extend the enterprise policies and standards to them. The Shadow IT teams share cybersecurity responsibility equally with the enterprise Cybersecurity team.
  • End-Users –
    • Standard Users – Depending on the industry vertical, end-users can be very tech-savvy or novice. In healthcare, most end-users are not technical and for good reasons – doctors, nurses, and clinicians are focused on improving well-being and providing care. Cybersecurity may not necessarily be on top of their mind and it’s the CISO’s job to increase their security awareness and train them to spot cyber threats. Ransomware and Phishing are top threats for many organizations and email is a top threat vector for such cyber threats. End-users are the first line of defense and can spot social engineering attacks if they are trained to do so and can contribute towards reducing cyber risk by following good security hygiene practices.

    • Privileged Users – Privileged users, such as system administrators, engineers, developers, and in some cases help desk staff, have more access than a standard end user, so their identities are more valuable to cybercriminals. Typically, once a cybercriminal gets a foot in the door (e.g., with a phishing email), they move on to steal privileged access credentials to continue with lateral or vertical movement within the network. This makes it critical for the Cybersecurity team to protect privileged identities and workstations, and for privileged users to follow the best practice of never using their privileged credentials for day-to-day tasks and to stay up to date on the latest cybersecurity threats.

    • C-Suite – Many C-Suite executives are cognizant of cybersecurity threats and typically on top of the target list of cybercriminals due to the authority, access privileges, and influence they hold in an organization. This makes it even more important for the C-Suite to be cyber-aware and report suspicious events to the Cybersecurity team. For this reason, there should be focused security awareness training for the C-Suite.
  • Vendors – Vendors are not directly responsible for an organization's cybersecurity, but they greatly affect its cybersecurity posture indirectly. Given the multitude of products vendors provide and the partnerships they hold with organizations to enhance their cybersecurity posture, vendors play an important role in ensuring their products are built securely, are free from security vulnerabilities, and receive patches when vulnerabilities are identified. There has been a recent increase in vendor-related security breaches and supply-chain attacks. A good Third-Party Risk Management Program can provide the governance needed to hold vendors accountable for following security best-practice controls within their own environment and for adequately securing and managing their products, client credentials, and client data.
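
The privileged-user point above ("never use privileged credentials for day-to-day tasks") is one a security operations team can check for rather than only ask for. The following is an added example, not code from the original article or its author: it flags successful interactive logons by privileged accounts on hosts that are not designated privileged-access workstations (PAWs), which is exactly what an admin working from a nurse station or an attacker with a stolen admin credential looks like. The account names, host names, PAW set and log records are constructed; the record layout mirrors a few Windows Security event 4624 fields but is not a real log export.

```python
# Added example, not code from the original article or its author.
# Detection logic for the privileged-user point above: privileged accounts
# should log on interactively only on hardened admin workstations; any other
# interactive logon is day-to-day use of admin credentials (or an attacker using
# stolen ones). Accounts, hosts and log lines are constructed; the record layout
# mirrors a few Windows Security event 4624 fields but is not a real export.
from dataclasses import dataclass

# Logon types that put credentials on the box: 2 = console, 10 = RemoteInteractive (RDP),
# 11 = cached interactive. Type 3 (network) is deliberately excluded: PAW-to-server
# network logons are the intended admin pattern and would drown the signal.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
PRIVILEGED_ACCOUNTS = {"adm.jsmith", "adm.dwu", "svc_backup"}  # constructed tier-0/1 identities
ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}                      # constructed hardened PAWs


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    account: str
    host: str
    logon_type: int
    src_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'Key=Value' record into a LogonEvent."""
    kv = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(int(kv["EventID"]), kv["Account"], kv["Host"],
                      int(kv["LogonType"]), kv.get("SrcIP", "-"))


def parse_events(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_privilege_misuse(events) -> list:
    """Successful (4624) interactive logons by privileged accounts on non-PAW hosts."""
    return [
        e for e in events
        if e.event_id == 4624
        and e.logon_type in INTERACTIVE_LOGON_TYPES
        and e.account.lower() in PRIVILEGED_ACCOUNTS
        and e.host not in ADMIN_WORKSTATIONS
    ]


def hosts_by_account(hits) -> dict:
    """Group findings so one admin habit shows up as one line item for follow-up."""
    out = {}
    for e in hits:
        out.setdefault(e.account, set()).add(e.host)
    return out


# Constructed sample records: a clean PAW logon, an admin RDP-ing into a nurse
# workstation, the same person's standard account, a service logon, a network
# logon to a domain controller, a failed logon, and a cached admin logon on a
# billing workstation.
SAMPLE_LOG = """\
EventID=4624 Account=adm.jsmith Host=PAW-01 LogonType=2 SrcIP=-
EventID=4624 Account=adm.jsmith Host=NURSE-WS-17 LogonType=10 SrcIP=10.5.3.44
EventID=4624 Account=jsmith Host=NURSE-WS-17 LogonType=2 SrcIP=-
EventID=4624 Account=svc_backup Host=FILE-SRV-02 LogonType=5 SrcIP=-
EventID=4624 Account=adm.dwu Host=DC-01 LogonType=3 SrcIP=10.99.0.11
EventID=4625 Account=adm.dwu Host=BILLING-WS-03 LogonType=2 SrcIP=-
EventID=4624 Account=adm.dwu Host=BILLING-WS-03 LogonType=11 SrcIP=-
"""

if __name__ == "__main__":
    for account, hosts in hosts_by_account(find_privilege_misuse(parse_events(SAMPLE_LOG))).items():
        print(f"{account}: interactive logon on non-PAW host(s) {sorted(hosts)}")
```

Two design choices matter here. Failed logons (4625) are left out because the question is where admin credentials were actually used, not where they were guessed. Network logons (type 3) are left out too, since an administrator on a PAW reaching a server over the network is the pattern you want; if you also want to catch admins connecting from unmanaged machines, add a second rule on type 3 events whose source address is outside the PAW address range.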

Bottom Line: Cybersecurity is a risk, not a task. No one entity or team can be solely responsible for Cybersecurity. Moreover, it's an enterprise risk, which means cyber threats do not target or disrupt only one team or Business Unit; they impact the entire organization. Therefore, the entire organization is responsible for reducing cyber risk by partnering with the Cybersecurity team to change the organization's cybersecurity culture, managing cyber risk in their individual Business Units and areas within the organization's risk tolerance levels, and advocating for cyber best practices.

The post Who is responsible for Cybersecurity? appeared first on HealthTech Magazines.

]]>
Examining the Impact of Reactive and Proactive Investments in Cybersecurity https://www.healthtechmagazines.com/examining-the-impact-of-reactive-and-proactive-investments-in-cybersecurity/ Thu, 08 Apr 2021 13:43:34 +0000

By Dr. Mauricio Angee, CISO, University of Miami Health System

Cybersecurity has become an essential and critical component of every organization. From retail corporations, financial institutions, healthcare organizations, and government agencies to small businesses, safeguarding information assets and maintaining compliance with laws and regulations has become a priority. As some organizations live in heavily regulated environments with significant regulatory oversight, compliance expectations influence senior management's and the Board of Directors' investments in cybersecurity. Thus, to ensure information assets are secured and protected, organizations must implement a cybersecurity program, develop a multi-year strategic plan, and ensure the proper investments are made to support both the security program and the strategic plan. This raises the following question: if a company is perceived to comply with laws, regulations, and standards, is it likely that its cybersecurity investments will decrease?

A significant amount of evidence shows that organizations in every industry experience a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches (Symantec, 2019; Verizon DBIR, 2019; Trend Micro, 2019). In an effort to prevent security breaches, organizations have invested heavily in technical controls for the protection of critical systems and sensitive information (SANS, 2014). Security breaches and their impact on organizations can be the consequence of weaknesses in technical and non-technical control implementations, and organizations have implemented technical and non-technical measures to mitigate these risks (Siponen et al., 2007). Considering the consequences of recent computer security breaches, industry security reports have pointed out that one factor contributing to this phenomenon was a lack of information security investment. Furthermore, substantial financial investments committed to technology-based security solutions have not resulted in decreased information security risks and threats (Öğütçü et al., 2016).

Cybersecurity programs serve to maintain a sound security posture beyond regulatory compliance. Information security managers should not base their information security program solely on the premise that compliance requirements should drive security, or that security investments are sufficient as long as regulatory requirements are met. In other words, organizational investments in cybersecurity should not be driven solely by regulatory compliance requirements.

Depending on the industry, organizations are subject to specific compliance regimes. For instance, financial and banking institutions are required to comply with the Gramm-Leach-Bliley Act (GLBA), healthcare organizations are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), educational organizations must comply with the Family Educational Rights and Privacy Act (FERPA), and so on. In healthcare organizations, the HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (ePHI). As a result, security managers may interpret this premise as "doing only the minimum to meet the requirements to comply" rather than focusing on a robust strategy beyond what is required. Research has been focusing on the premise that "compliance does not equal security."

Other factors that make it necessary to ensure cybersecurity programs are effective at putting the proper security controls in place to protect an organization's information assets include:

(1) Changes in cyber threats landscape (new and more sophisticated attacks),

(2) Changes in regulations (state, federal, and international),

(3) Challenges to adapt to the rapid changes in technology (innovations),

(4) Challenges to secure and adequately monitor legacy systems,

(5) Challenges to hire, train, and retain human capital.

For these reasons, two critical questions must be asked:

  1. What are the drivers that influence investments in information security?
  2. How should security managers prioritize investments to enhance an organization’s security posture?

An economics perspective naturally recognizes that while some investment in information security is good, more protection is not always worth the cost (Gordon, 2002). By leveraging a risk-based approach to security, progressive organizations can reduce risk, reduce costs, improve response readiness, and increase risk-posture visibility (ISACA Journal, 2013). Security practitioners have taken a more comprehensive approach to prioritizing investments that enhance their information security programs. Some of these approaches are based on risk management practices (proactive), some are driven by a security incident (reactive), and some follow regulatory guidelines (compliance-driven). However, the compliance-driven approach forms only part of a holistic approach to security (Anderson and Choobineh, 2008). Other issues may arise from external regulatory pressure that could affect information security investments.
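The "more protection is not always worth the cost" point can be made concrete. The following is an added worked example, not part of the original article; it assumes that the Gordon (2002) citation refers to the Gordon–Loeb model of security investment, in which the probability of a breach falls with spending according to a function S(z, v), the expected net benefit is the expected loss avoided minus the spend, and the spend that maximizes that benefit never exceeds 1/e of the expected loss. The breach-probability function, the productivity parameters alpha and beta, and the three assets are all constructed for illustration.

```python
# Added example, not code from the original article or its author. The paragraph
# cites Gordon (2002); this assumes that refers to the Gordon-Loeb model, which
# gives the "more protection is not always worth the cost" result a closed form.
# Parameter values and the asset list are constructed for illustration.
import math


def breach_probability(z: float, v: float, alpha: float, beta: float) -> float:
    """Gordon-Loeb class-I security breach probability function S(z, v) = v / (alpha*z + 1)**beta.
    v: probability of a breach with no investment; z: money spent on security;
    alpha, beta: productivity of security spending (assumed values below)."""
    return v / (alpha * z + 1) ** beta


def enbis(z: float, v: float, loss: float, alpha: float, beta: float) -> float:
    """Expected net benefit of information security: expected loss avoided minus the spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v: float, loss: float, alpha: float, beta: float) -> float:
    """Maximise enbis. First-order condition: alpha*beta*v*L / (alpha*z + 1)**(beta+1) = 1.
    If the left side is already below 1 at z = 0, no spend pays for itself, so z* = 0."""
    k = alpha * beta * v * loss
    if k <= 1:
        return 0.0
    return (k ** (1 / (beta + 1)) - 1) / alpha


def gordon_loeb_bound(v: float, loss: float) -> float:
    """Gordon and Loeb's headline result: z* never exceeds 1/e of the expected loss v*L."""
    return v * loss / math.e


def prioritize(assets, alpha: float, beta: float) -> list:
    """Rank assets (name, v, L) by net benefit at their optimal spend: (name, z*, enbis)."""
    ranked = []
    for name, v, loss in assets:
        z = optimal_investment(v, loss, alpha, beta)
        ranked.append((name, round(z), round(enbis(z, v, loss, alpha, beta))))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed assets: (name, breach probability with no investment, loss if breached in dollars)
ASSETS = [("EHR", 0.50, 1_000_000), ("billing", 0.30, 400_000), ("kiosk", 0.05, 100_000)]
ALPHA, BETA = 1e-5, 1.0  # assumed productivity parameters

if __name__ == "__main__":
    for name, z, benefit in prioritize(ASSETS, ALPHA, BETA):
        print(f"{name:8} spend ${z:>9,}  net benefit ${benefit:>9,}")
    z = optimal_investment(0.5, 1_000_000, ALPHA, BETA)
    print(f"EHR: z*={z:,.0f} <= vL/e={gordon_loeb_bound(0.5, 1_000_000):,.0f}; "
          f"doubling the spend cuts net benefit to {enbis(2 * z, 0.5, 1_000_000, ALPHA, BETA):,.0f}")
```

With these constructed numbers the EHR asset justifies roughly $124k of spend against a $500k expected loss, the billing system justifies a little under $10k, and the kiosk justifies nothing: its expected loss is so small that the first dollar of protection costs more than it saves. Doubling the EHR spend past the optimum still reduces breach probability, but the net benefit falls, which is the paragraph's point in numbers. The model is only as good as the v, L, alpha and beta estimates, so treat it as a way to compare assets consistently rather than as a budget.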

Previous research has not addressed why reactive information security investment fails. In recent years, ransomware attacks against healthcare organizations have increased significantly; according to Emsisoft data, 560 healthcare providers fell victim to ransomware attacks in 2020. After-action reports have uncovered severe weaknesses in healthcare organizations' cybersecurity programs and a lack of cybersecurity investment, and some security experts say that these organizations have a reactive security posture. When organizations take a reactive approach, addressing issues that arise from previous failures to invest in information security initiatives, they face the potential to spend more on remediation and mitigation efforts, not to mention regulatory fines. Thus, regulatory compliance and security breaches trigger investment in information security.

However, a proactive, holistic approach to information security may help organizations strengthen their cybersecurity programs. Several factors are likely to influence a proactive approach, including the need for managers to take a risk management posture that anticipates, adapts to, prevents, and effectively manages potential security incidents.

Drivers that influence investments in information security

According to Siponen et al. (2014), information security investments are not keeping pace with information technology investments, and investigating the drivers that influence investments in information security is essential to determining a cybersecurity program's efficacy and effectiveness. Looking at factors such as business processes, organizational climate, senior management engagement and support, technology innovation, risks, the threat landscape, and regulatory issues should help justify the investment in an organization's security program.

The importance of information security might be unclear within the management team. Important drivers for investing in information security are attributed to senior management support and their overall understanding (beliefs) of security issues beyond compliance (Barton et al., 2016).  In addition, senior management must have a strong commitment to ensuring that information security investments support the business objectives, are commensurate with the risks, and ensure regulatory compliance requirements.

Proactive   | Reactive         | Compliance based (check the box)
------------|------------------|----------------------------------
Strategy    | Lack of planning | Meet minimum security requirements
Assess      | Break-fix        |
Planning    | Narrow focus     |
Execution   | Poor execution   |
Re-assess   |                  |
Re-align    |                  |

The post Examining the Impact of Reactive and Proactive Investments in Cybersecurity appeared first on HealthTech Magazines.

]]>
Securing the Revenue Cycle Remote Workforce https://www.healthtechmagazines.com/securing-the-revenue-cycle-remote-workforce/ Mon, 05 Apr 2021 14:15:08 +0000

By Scott Dresen, SVP & CISO, Spectrum Health

The COVID-19 pandemic changed health care dramatically almost overnight. Across the country, the health care systems hit hard early were in crisis mode, trying to manage the overwhelming influx of patients, while those not yet affected watched with morbid anticipation of the impact they might face as the pandemic spread toward them. All health care systems have made difficult decisions about which services to continue delivering and which to suspend in order to reallocate resources toward COVID-19 preparation and response. The downstream financial impact of these changes has been significant and has created an existential threat to many systems already operating on razor-thin margins. Increased pressure to protect existing revenue streams, restart suspended services, and reduce unnecessary expenses amplified the focus on revenue cycle processes to ensure their stability and reliability. In addition to these risks, the transition of revenue cycle teams to a largely remote workforce has introduced a new set of cybersecurity-related risks that must be managed carefully to ensure the continuity of business operations.

Cyber attackers are looking to take advantage of the opportunity to prey on health care systems while our attention is diverted toward responding to this crisis. The need to be vigilant has never been more important. Those organizations that take the necessary measures to protect themselves will significantly reduce the likelihood of a successful attack.

Amongst all the competing priorities, five key areas of focus should be emphasized:

  1. Establish Clear Expectations of a Remote Workforce. The rapid transition to a remote workforce resulted in many organizations not being prepared with remote work policies and guidance for their new remote workforce. Setting clear expectations quickly with staff is essential. It’s critical to ensure that everyone understands their responsibility to conduct their work safely and securely given the sensitive nature of the systems and data they use.
  2. Security Technical Controls and Protections. The consequences of poor security controls for remote workers can have a significant impact. How an organization approaches security controls and device protection will depend on whether the remote workers use corporate-owned devices to conduct their work or use personally-owned devices. In either case, it’s essential that all devices connecting to your organization are patched appropriately, have current versions of anti-malware/anti-virus software installed with recent signature updates, are using a VPN to connect to your organization, and perhaps most importantly, require the use of multi-factor authentication to access organizational systems and data remotely. Also, consider the benefit of additional email protection services, which can enhance the ability to detect and prevent malicious email from being successfully delivered.
  3. Cyber Training and Awareness. Employees are often your first and last line of defense. Cybercriminals, like water, usually follow the path of least resistance, which is often your employees. To reduce the likelihood of this path being exploited, cybersecurity training and awareness of your employees can be one of the most effective ways to mitigate this risk. Phishing and other social engineering tactics are often the most frequently used mechanisms to compromise an organization. Why? Because they work. Consider increasing the amount and level of difficulty of phishing tests to provide employees with an improved ability to differentiate legitimate emails from a phishing message. Leverage cloud-based solutions to complement your email systems’ ability to proactively detect and address email-borne threats targeted at your users. There is a strong correlation between the quality and quantity of education and awareness with the ability to successfully detect attempts to compromise an organization using these types of social engineering tactics.
  4. Incident Response Preparedness. As the saying goes, you have either already been breached or you will be breached. The key to this likely inevitability is preparation for how you’ll respond. Hardening your incident response preparedness will force you to evaluate your security posture and identify weaknesses in your defenses that you need to harden. Organizations with mature incident response processes understand the layers of defense that protect them, how to monitor each layer for indicators of compromise, which might require action to investigate and respond, and how to test each layer to find weaknesses that could be exploited. Any opportunity to harden your environment will reduce the likelihood of a successful compromise by a cyber attacker.
  5. Workforce Management. As previously stated, your employees are often both your first and last line of defense. The health and well-being of your workforce can be a key differentiator leading to improved productivity, highly engaged employees, customer value, and mitigation of risk. The opposite can also be true. Stress, a non-productive working environment, distractions, and cultural erosion due to being disconnected can lead to lower productivity, a disengaged workforce, inefficiency, complacency, and increased risk. A remote workstyle requires different thinking about employee engagement, maintaining connectedness with peers and leadership, the physical impacts of increased screen time, as well as emotional health and wellness needs. Managed well, the benefits of a highly engaged workforce will contribute towards a reduction of cyber risk and a higher likelihood that staff will detect attempts to compromise the organization as a result of phishing or other attempted social engineering tactics. A happy, healthy workforce is a productive, more secure workforce.
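The technical controls in the second point (current patches, recent anti-malware signatures, VPN use, and multi-factor authentication) are the kind of thing a security team can check mechanically against its device inventory. The following Python posture check is an added example, not code from the article or from any product; the inventory fields, the thresholds (30 days for patching, 7 days for signatures), and the sample hosts are all assumptions constructed for illustration.

```python
"""Remote-endpoint posture check (added example, not from the article).

Evaluates constructed device inventory records against the controls the
article lists for remote workers and returns the failures per device.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy thresholds (illustrative; the article gives no numbers).
MAX_PATCH_AGE_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass
class Device:
    hostname: str
    owner: str                       # "corporate" or "personal" (BYOD)
    last_patched: date
    av_installed: bool
    av_signatures_updated: Optional[date]
    connects_via_vpn: bool
    mfa_enforced: bool


def evaluate_device(dev: Device, today: date) -> List[str]:
    """Return the list of control failures for one device (empty means compliant)."""
    findings: List[str] = []
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("patching overdue")
    if not dev.av_installed:
        findings.append("anti-malware missing")
    elif (dev.av_signatures_updated is None
          or (today - dev.av_signatures_updated).days > MAX_SIGNATURE_AGE_DAYS):
        findings.append("anti-malware signatures stale")
    if not dev.connects_via_vpn:
        findings.append("not using VPN")
    if not dev.mfa_enforced:
        findings.append("MFA not enforced")
    return findings


def evaluate_fleet(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map hostname -> findings for every device that fails at least one control."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        findings = evaluate_device(dev, today)
        if findings:
            report[dev.hostname] = findings
    return report


def compliance_summary(devices: List[Device], today: date) -> Dict[str, int]:
    """Count compliant vs. non-compliant devices, split by ownership model."""
    summary = {"corporate_ok": 0, "corporate_fail": 0,
               "personal_ok": 0, "personal_fail": 0}
    for dev in devices:
        status = "fail" if evaluate_device(dev, today) else "ok"
        summary[f"{dev.owner}_{status}"] += 1
    return summary


# Constructed sample inventory and assessment date (not real hosts).
AS_OF = date(2021, 5, 1)
SAMPLE_DEVICES = [
    Device("rc-laptop-01", "corporate", date(2021, 4, 20), True, date(2021, 4, 29), True, True),
    Device("home-pc-07", "personal", date(2021, 2, 15), True, date(2021, 4, 1), False, True),
    Device("rc-laptop-02", "corporate", date(2021, 4, 25), False, None, True, False),
]

if __name__ == "__main__":
    for host, findings in evaluate_fleet(SAMPLE_DEVICES, AS_OF).items():
        print(f"{host}: {', '.join(findings)}")
    print(compliance_summary(SAMPLE_DEVICES, AS_OF))
```

Run against a real inventory export, the report gives the operations team a concrete work list (which personal devices lack a VPN client, which corporate laptops have lapsed signatures) rather than a policy statement, and the ownership split shows whether BYOD or corporate devices are driving the failures.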

Cyber attackers are looking to take advantage of the opportunity to prey on health care systems while our attention is diverted toward responding to this crisis.

The world is continuing to change around us and our ability to adapt and flex with these changes is increasingly important. The lessons we’re learning as we transition to a more remote workstyle are important because when we finally emerge from this current pandemic crisis, we will find the new normal will be far different from life pre-COVID. If fortune favors the prepared, how will you guide your organization through these emerging challenges to be best prepared for the future?

The post Securing the Revenue Cycle Remote Workforce appeared first on HealthTech Magazines.

The Cyber Maginot Line
https://www.healthtechmagazines.com/the-cyber-maginot-line/
Mon, 22 Mar 2021 13:04:12 +0000

By Chris Baldwin, System Director (CISO), Hartford Healthcare

Maya Angelou, a noted civil rights activist, once said, “hope for the best, prepare for the worst, and be unsurprised by anything in between.” This is useful thinking in support of effective cybersecurity.

The French Maginot Line

On May 10, 1940, Germany began the invasion of France through the Ardennes Forest in southeast Belgium. The French believed an attack through this dense, rugged terrain was improbable. They had spent the past nine years and 3 billion francs constructing a 280-mile fortification called the Maginot Line. The French were aware the Maginot Line might be bypassed, but they did not seriously consider the Ardennes as a plausible alternative.

Many factors made the Ardennes attack successful, and they apply to cybersecurity: the blitzkrieg tank tactics, the excellent command and control and advanced radio communications in the Panzer tanks, and the scouting reports of German activity in the Ardennes that were dismissed by the French. But most importantly, the Germans had the intent, resources, and creativity to dominate in a new type of warfare. It took six weeks to defeat France, Belgium, Luxembourg, and the Netherlands. Once the German Army penetrated France, Allied forces’ morale quickly deteriorated and command and control broke down. The French were ill-prepared for the eventuality of a successful military penetration.

Maginot Thinking: What is cyber-Maginot thinking?

Many technical tools add great value to an effective cyber defense, including next-generation firewalls, advanced endpoint antivirus, and state-of-the-art email security platforms. But there is no one-and-done when it comes to cybersecurity. Any strategy predicated on building up defensive safeguards that support the “I am now secure” mindset is dangerous. This thinking assumes threat actors will not continue to adapt their tactics and try again even if they fail the first time. Federal and state security regulations are certainly extensive and important. The Health Insurance Portability and Accountability Act (HIPAA), being the most notable in healthcare, is a solid framework for driving compliance with baseline standards. But compliance is not the same as security, especially with the nefarious motivations and capability of international threat actors prevalent today.

Changing Threat Landscape

Today, it is possible for cyber-criminals and nation-state threat actors to construct effective offensive cyber capability with very modest resources. Building an effective cybersecurity defense program is more challenging. The National Institute of Standards and Technology (NIST) has done a good job in identifying and defining standards for the many elements of cybersecurity defense. The NIST Cyber Security Framework (CSF) is an excellent paradigm for thinking about a security architecture that starts with the right mindset. As defined in NIST CSF, there are five core functions to an effective defense: Identify, Protect, Detect, Respond, and Recover. The last three tacitly assume an attack will occur, and therefore: 1) the importance of early detection, 2) the need for a flexible and comprehensive incident response process, and 3) that response mitigation and recovery will eventually be needed.

In October 2020, the FBI began issuing warnings that international cybercriminals were targeting the US healthcare system. Within a few weeks, there were reports in the media of ransomware infections at hospitals and health systems around the country. In December 2020, some of the most stalwart security firms, including SolarWinds and FireEye, announced they had been compromised. These are firms corporate America relies upon to stay secure, and yet even they were vulnerable.

According to Mandiant (a division of FireEye), in their 2020 M-Trends report, the global median dwell time, defined as the duration between the start of a cyber-intrusion and it being identified, was 56 days. The more time a threat actor has inside a network, the more time they have to conduct reconnaissance, scan for vulnerabilities, seek to escalate privileges, and gain access to technical and corporate data that could represent an existential risk to almost any organization.

The requisite cyber defenses for every organization will, of course, vary depending upon all the unique characteristics of each entity’s digital footprint. Some may have moved extensive resources to the Cloud. This presents both risk and opportunity. Moving to the Cloud can improve an organization’s security posture because providers such as Amazon Web Services or Microsoft have vastly more resources to apply to cybersecurity. On the other hand, assessing the efficacy of Cloud services before making a move is critical. Not all Cloud providers are alike.

People, processes, and tools are all critically important for effective cybersecurity controls. New job roles, such as threat hunters, are becoming more commonplace. Rapid detection of an intrusion is essential in responding effectively and being able to recover with minimal impact. New skills are required for detection and other state-of-the-art security functions.

Continuous testing is also critical. When critical weaknesses are found, any patch or remediation should always be tested again to ensure efficacy. Nothing should be taken for granted. For this type of penetration testing, outsourcing may be a viable option, especially if the staff you would rely upon internally to conduct the testing are the same individuals responsible for implementing the technical controls.

Cyber Security Governance

Cybersecurity is highly technical and complex. For many companies, it represents a significant organizational risk. One of the most important safeguards is not technical. Governance and effective risk management are foundational to an effective cybersecurity program. Some important governance questions include: How are we balancing resources with other competing funding priorities? What levels of cyber liability insurance are appropriate for the organization?

Effective governance is fundamental to technology adoption in general. Cybersecurity governance is most effective when it supports well-crafted strategies and tactics supported with capital and operating funds over a sustained period of years, along with the mindset that supports flexibility and adaptability in an ever-changing and increasingly dangerous threat landscape.

Those with ill intent have shown they have the resources and creativity to be successful. In cybersecurity, Maginot thinking — a faulty reliance on strategies that do not realistically consider the possibility of compromise, however fortified and well-conceived — is dangerous.

The post The Cyber Maginot Line appeared first on HealthTech Magazines.
