The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Healthcare needs all the help it can get.

Understaffed, under-equipped, and under-funded, for security tools and services, the healthcare industry is being targeted by cyber criminals and pariah nation states for the value of its assets. This includes its extensive PHI, PII and valuable clinical trail data and research IP. 

The Russian Federation and the Peoples Republic of China have both this year, been caught red-handed attempting to steal clinical trial and research data surrounding COVID vaccines. And that says nothing of the wholesale theft of other IP from university and pharmaceutical labs, along with other research facilities going back for a decade or more in China's case. 

In fact, the Chinese Communist Party (CCP) has dedicated tens of thousands of PLA officers in its various cyber divisions, to the theft of western IP and commercial trade secrets, as previously reported by Fireeye-Mandiant and many others including this blog. These actions appear to be not only purposefully targetted but part of a centrally directed campaign by Chinese leaders to ensure the success of the the CCPs 'Made in China 2025' program when it plans to be totally self sufficient from the need for western goods and services.

It is however, the rise in extortion attacks that are most worrying. A recent uptick in the level of background chatter in cyber criminal hacker forums, was cause for the FBI, HHS and CISA to issue a threat briefing that healthcare was being actively targeted by Russian Trickbot-Ryuk ransomware gangs, and that healthcare IT and security staff should be on alert. This however was not before a massive ransomware attack had decimated one more US based international health system.

After decades of under-funding and de-prioritization, how can hospitals and other healthcare providers possibly build up their cybersecurity defenses to a level that is needed to protect against a rising wave of attacks and keep patients safe? This was the subject of the first ever Healthcare Managed Security Services Forum recently attracting over 150 attendees and more than 30 speakers and panelists drawn from the crème de la crème of healthcare. A full day virtual conference that heard from CEOs, CIOs, CISOs, CMIOs, Professors and Doctors of Medicine, and more than a few experts in the field of clinical engineering and biomedical / HIoT security. 

I was privileged to be asked to compère for the the all day event. Listen to the kick off below: 

The Cost of a Data Breach


According to the IBM / Ponemon 2020 Cost of a Data Breach Report, data breaches cost businesses an average of $3.86 million per incident. The report is based on 524 companies that experienced data breaches globally. Unsurprisingly, the U.S. continues to have the highest average cost per breach ($8.64 million), while Brazil has the lowest one ($1.12 million).

The cost of a data breach includes losses such as lost business, legal fees, and compensation & restitution to affected customers. Its also includes rising cyber investigation expenses and fines for compliance failures. According to the report, there are 4 main areas in that lead to this growing cost. These include:
  • Detection, escalation, and investigation, incident handling, etc.
  • Lost business with customers and partners
  • Notification of affected parties, partners, and regulatory authorities
  • Cleanup and response including the remediation of vulnerabilities that should, in retrospect, have been fixed long before the breach

These sums do not include the cost of the loss of reputation, nor do they include business lost forever as a result of loss of confidence by partners and customers, some of whom may have been significantly damaged as a result of the cybersecurity incident, or the failure of the attacked company to deliver according to contractual agreements during the incident.

Nor do these figures include the expanded costs of investigation and clean up of a distributed 'remote' workforce as has become common under COVID restrictions in 2020. In such cases this average cost rises to over $4 million US dollars the report concludes.

According to the study, the average time to identify and contain a breach is 280 days, 207 days to identify the problem and 73 days to contain it. This indicates that most organizations do not have effective 24/7 security operations monitoring or incident response capabilities, and that many incidents often go unnoticed till a regulator intercedes, by investigating a discovered breach of non-public data.

While cyber-forensic investigation is not cheap by any means, the greatest costs to businesses of a breach is lost business, the reports claims, which represents about 40% of the total average cost of a data breach. In other words, out of the average $3.86 million that a breach costs, around $1.5 million is linked to loss of revenue and customers.

Most importantly however, the report points out that security breaches directly affect the company's reputation, damaging the brand and impacting acquisition and retention of business. While some consumers may be extremely fickle chasing the best deal regardless, others may be lost forever.

Healthcare

While all industries are affected by data breaches, the costs of a healthcare breach far exceeds all other verticals. It is perhaps the combination of a rich and diverse source of data - PHI, PII and IP, found in hospitals and clinics, and the regulatory protections enforced under law that make healthcare a particularly expensive breach proposition. The healthcare industry’s breach life-cycle is also longer, averaging about 329 days compared to the overall average of 280 days. That leads to higher costs. At the same time, healthcare spends less on cybersecurity than most other industry verticals, and so is an easy target for cyber criminals and pariah nation states given its relative lack of preparedness.

“Healthcare is a highly regulated industry and faces a lot of regulatory burdens when it comes to remediation of a breach, and there are a lot of additional costs with medical records compared to other types of record.” claimed Charles Debeck, senior threat analyst at IBM X-Force IRIS.

While rising CEO Fraud or Business Email Compromise (BEC) accounted for 5% of malicious breaches, the average cost of a ransomware breach was a staggering $4.44 million. Though the average cost of a breach is relatively unchanged from 2019, IBM says the costs are getting smaller for prepared companies and much larger for those that don’t take any precautions.

"If you dig deeper into the data what we saw was an increasing divergence between organizations that took effective cybersecurity precautions versus organizations that didn't." claimed Debeck.

“This divergence has been increasing year over year; the organizations that are engaging in effective cybersecurity practices are seeing significantly reduced costs, the organizations that aren't engaging in these same practices are facing significantly higher costs” he added.

"Given the massive size of recent GDPR fines, OCR penalties, and state breach rules, most of which are not reported in time, it undoubtedly makes a lot more sense to invest in security up front, rather than to throw the dice and take a chance that it won't be you that gets hit with a cyber incident," claimed Richard Staynings, Chief Security Strategist with Cylera, a pioneer in the security of medical and HIoT devices. "The problem is, that in healthcare, most HIPAA Covered Entities have at best, only a partial appreciation of where their PHI data resides. Most don't consider the thousands of medical devices on their networks, or what data resides on each of those devices. Now that HIoT devices outnumber IT endpoints such as workstations, laptops and servers, healthcare IT and security teams are often looking in the wrong places for risks and vulnerabilities," he added.

Read the full Ponemon Report for details.

 

 

Tweens and Technology

Cybersecurity interns and entry level recruits aren't dropped off by the stork - they need to be nurtured!

I have written much about the need to better equip the children of today for the jobs of tomorrow, particularly when it comes to building a knowledgeable and capable cybersecurity workforce. The Cisco Annual Cybersecurity Reports and many other organizations with a vested interest in a ensuring a good pipeline of entry level recruits, have been highlighting the gap between available resources and cybersecurity job openings for many years now. Despite theirs, and many others, best efforts, the gap between demand for cybersecurity professionals and the available supply, appears to be getting larger each year. 

This is not that our cyber and technology-equipped school leavers aren't increasing numerically or in the depth of their skills, but that those numbers are not increasing fast enough to keep pace with demand. 

A lot of children are also being left behind, starting school with little to no exposure to math, sciences or technology. Many lack a computer at home or any form of access to the Internet till they get to school age, by which time they are well and truly left behind. Many children today learn the basics of computing and technology at 2 or 3, at or before Pre-School. They arrive in Kindergarten with the know-how to operate a computer, engage in educational games and other learning content and will be on their way to basic programing by second or third grade. Starting early appears to be critical to success in life, and with technology as perhaps the critical pillar for academic study, work, and success after school, who can blame parents for wanting their children to be provided every opportunity for development and future success. 

But many children are disadvantaged by poverty, unequal access to education and parent(s) working 3 jobs and therefore are not able to spend time with their off-spring at a critical stage of their development. This is where Tweens and Tech comes into play, providing educational technology-based summer camps and free computers to primary and middle school children in the Raleigh Durham area of North Carolina. But Tweens and Tech provides much more than that, so please read their words on their website rather than mine on this one - a great organization performing a worthy and noble cause, and one replicating quickly in other states across the country.

Today I was pleased to join a Fireside Chat with Dr. Anindya Kundu, a Senior Research Fellow at the City University of New York who has written extensively in early childhood development, Rob Martin from Cisco who helped start the Tweens and Tech organization with Derrick Thompson its founder, and two participants of the program - one a current student, the other a graduate of the program and now a teen volunteer.  
 
Watch the video recording of our discussions below: