The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Showing posts with label Compliance. Show all posts
Showing posts with label Compliance. Show all posts

Cyber Risk Insurance Won't Save Your Reputation

A myopic focus on healthcare compliance has resulted in checkbox mentality

A myopic focus on healthcare compliance has resulted in checkbox mentality, rather than a holistic risk-based approach to cybersecurity.

The financial and reputational costs associated with a security breach can be expensive and reputationally damaging. But in critical industries like healthcare, a cybersecurity attack could expose patients to some major safety risks that no amount of cyber breach insurance will likely fix.

Healthcare has historically had a myopic focus on privacy and protecting the confidentiality of patient information–largely caused by HIPAA, Caldicott, APA, PDPA, GDPR, and state breach rules. These have resulted in a skewed compliance-based approach to security by senior management and a 'checkbox mentality' of ‘have we done the minimum necessary’, rather than a holistic, risk-based approach to identify, protect, detect, respond, and recover from threats and vulnerabilities.

Risks change, and in healthcare those risks are changing quickly (as are legal liabilities and exposure to inadequate cybersecurity protection). CISOs, CROs, and GC/CLOs (General Council or Chief Legal Officers) are beginning to understand these changes and how cybersecurity posture and preparation are critical to protecting patient safety. Many of their bosses in the CEO seat are slowly beginning to understand not just their patient safety exposure in the age of digital inter-connectivity and cyber attacks, but also the potential impact on reputation.

“Cybersecurity is no longer a question of simple compliance,” said one hospital CEO at a recent US healthcare conference, “it’s about protecting the hospital’s reputation and ensuring patient safety while our systems are under attack and misbehaving."

"We purchased cyber risk insurance to cover all the un-budgeted costs associated with an attack. We keep our fingers crossed that we won’t need it.” he added.

But many insurers are now claiming that cyber attacks are an 'Act of War' and are therefore exempt from coverage under the terms of their policies, a fact that is currently being disputed in court by drug maker Merck and its insurers. So maybe the insurance, a company is counting on won't be there when really needed.

An OCR fine and the institution’s name being posted to the OCR 'Wall of Shame' is one thing, but patients being turned away or even held to ransom by cyber-attacks compromising medical devices are an entirely different order of magnitude!

Given our reliance today on HIT / HIoT systems to treat patients, there's a real risk that someone could die on us because critical systems are not available to diagnose and treat them following a cyber-attack. So too is the reputation hit when a hospital is forced to go on Full Divert following a cyber-attack as part of the British NHS had to when attacked by WannaCry in 2017. More recently, Campbell County Health in Wyoming, USA was forced to go on Full Divert following a similar cyber-attack.

“I would find it much more preferable to have HHS OCR camped out in my office examining all my papers following a breach, than the FBI walking the halls investigating a series of patient deaths at my hospital caused by a cyber-attack.” said a prominent San Francisco area CISO who preferred not to be named without clearing his statement with his employer. “One set of risks threatens executive jail time for wanton negligence, the other pretty much guarantees it,” he added.

“One set of risks threatens executive jail time for wanton negligence, the other pretty much guarantees it!”


Some years ago I did a walk-through of a hospital in Tasmania as part of its parent company’s risk assessment. The top floor was dedicated to a large and sprawling maternity department. Patient rooms with open doors and sleeping new moms and their infants lined either side of a wide corridor so nurses could come and go to check on both. Mothers and infants had similar plastic straps around their wrists with their name, D.O.B., and patient identifier. Neither were RFID-tagged. It would be very easy for someone to walk into a room, remove the sleeping child, and walk down the corridor to the elevator and take that straight to the underground parking complex. There was no physical security to stop them–only a few nurses moving in and out of rooms.


In our debrief, I asked the Obstetrician running the department what would happen if someone were to abduct a newborn. She protested at first to say that no one ever would, nor had anyone in the past – this was Tasmania - where there was a surplus of babies. But she did acknowledge that maybe this might be a problem in Sydney or Melbourne. After thinking about it for a minute, she announced, “In a small-knit community like ours, we would close! It would ruin our reputation and no one would come here to give birth again!”

The message here is that no amount of liability insurance is going to protect your reputation fully. It can cover costs for forensic investigation, breach notification, loss of business while down or recovering, and even for extortion payments if you are unable to recover critical data wiped out during a ransomware attack–but it can never cover what your customers think of you! Cyber risk insurance is valuable, but it’s no replacement for a well-functioning cybersecurity program.

Some of us continue to shop at Target following its massive breach of customer data some years ago, but most of us would never apply for a Target Card, nor would we ever consider using an email service provided by Yahoo for similar reasons!

“Once damaged, reputation is a big problem to fix” said the US hospital CEO. “It’s something that is becoming an increasing concern for all of us in healthcare. But how do you do that without spending a fortune on cybersecurity?”



Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment – Part 3


Is there a more challenging position anywhere in information security than that of a healthcare organization’s cyber risk management leader? If there is, I can’t think of what it would be. Whether your title is CISO, CSO, CTO, CIO or some variation thereof, the task is daunting.

As we mentioned in Part 1 of this series, healthcare as an industry has a huge target on its back. Cyber attackers focus on healthcare not only because patient information is valuable, but also because patient lives are at stake. That can make threats such as ransomware attacks more effective. Cyber attacks in other industries – banking, for example – can have devastating financial consequences, but people’s lives aren’t generally at risk, as they are in healthcare.

At the same time, healthcare IT environments are exceedingly complex, which makes managing information security that much more complicated. The healthcare IT ecosystem typically includes dozens – if not hundreds – of applications, including the electronic health record (EHR) system, administrative and operational applications (scheduling, patient tracking, billing, claims, insurance and payer systems and interfaces), clinical applications (patient monitoring systems, radiology information systems, lab results reporting, clinical decision support, patient portals, etc.) and others too numerous to mention.

On top of this, add the countless devices that connect to a healthcare organization’s network, from the desktop computer at the registration desk, to the tablet the physician or nurse uses, to the smart infusion pump at the patient’s bedside, to BYOD devices like the smartphone a patient uses to access lab results through a patient portal.

Enterprise-wide Cyber Risk Assessment

Because of this complexity, no single “shiny object” or new security tool will be sufficient to mitigate all of the critical information security risks in a healthcare environment. As we discussed in Part 2 of this series, the only way to approach cyber risk management in a complex healthcare organization is to begin with a comprehensive, OCR-quality, security risk assessment and analysis.

Healthcare organizations must conduct this type of analysis in order to be HIPAA-compliant. But just as important is the fact that healthcare organizations cannot begin to develop a meaningful and effective cyber risk management program without first gathering the information that a comprehensive risk analysis provides.

As mentioned in the previous post, a security risk analysis essentially boils down to three tasks:
  1. Identifying risk
  2. Rating risk
  3. Prioritizing risk
The HIPAA Security Rule, OCR Guidance, and resources developed by NIST provide plenty of details on how to properly conduct a risk assessment and complete these tasks. These resources are freely accessible on the internet. In theory, any healthcare organization could use these resources to conduct and complete an OCR-quality risk analysis without any outside support. However, that’s easier said than done.

Task 1: Identifying Risk

Risk identification begins with creating an information asset inventory that documents each asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI). This includes not just the obvious choices, such as laptops, servers, and enterprise applications, but also less obvious choices, including medical devices, backup media, and nonclinical, internet-connected assets such as building management applications and networks.

As noted in my previous post, creating an asset inventory is only the first step in risk identification. Risk has three components: an asset, a threat and a vulnerability. OCR guidance specifies that healthcare organizations must identify and document threats and vulnerabilities to each asset, in addition to creating an inventory of information assets.

Task 2: Rating Risk

Once you have exhaustively inventoried every aspect of risk – including every asset, and each of the threats and vulnerabilities associated with each asset – the HIPAA Security Rule and subsequent OCR guidance specifies that you must also estimate the likelihood (probability) and impact (magnitude of loss) of potential harm from each asset/threat/vulnerability combination. This is the risk rating.

NIST provides guidance for these tasks. NIST SP 800-30, Appendix G, includes several examples of assessment scales related to threat event likelihood. Appendix H, in the same publication, offers examples of scales for measuring impacts.

Task 3: Prioritizing Risk

After all information assets have been identified; after all potential threats and vulnerabilities have been documented; and after the likelihood and impact of each asset/threat/vulnerability combo has been calculated, each asset/threat/vulnerability combination will have an assigned risk rating.

As part of the cyber risk assessment/analysis process, every healthcare organization should establish a risk threshold. Establishing a risk threshold is part of the information security governance process. The risk threshold will be unique to the organization and will take into account the organization’s unique risks and resources. For example, using the 25-point scale, one organization might establish 15 as their threshold, meaning that any risk with a rating of 15 or below falls into the acceptable risk category, and will not be a priority with respect to mitigation.

A comprehensive information security risk analysis, combined with the organization’s established risk threshold, enables a healthcare organization to make informed, strategic decisions about which cyber security risks require urgent mitigation versus those that can be put on the “back burner” until more resources are available.

The Bottom Line

Conducting a comprehensive risk assessment is necessary for both HIPAA compliance and for establishing the foundation for a healthcare organization’s enterprise cyber risk management system (ECRMS). It is challenging, but not impossible, for a healthcare organization to conduct this analysis using only internal resources and guidance that is available on the internet.

Alternatively, healthcare organizations can use the specialized solutions and professional expertise to quickly and efficiently conduct a comprehensive cyber risk analysis. Because ultimately, completion of the analysis is only the first step. The sooner a comprehensive security risk analysis is completed, the sooner a healthcare organization can begin addressing vulnerabilities and mitigating high priority risks.  

Read more in this series:




Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment – Part 2


Healthcare CIOs, CISOs, and other information risk management leaders face daunting challenges when it comes to deciding where to apply their limited resources to make the biggest difference in their organization’s cyber risk posture. As I mentioned in my previous post, healthcare security leaders can be tempted by shiny new objects – i.e., new security tools – that promise to be the panacea to their most pressing security problems.

Cyber security leaders can also be distracted by Executive Board members and other stakeholders who prioritize the cyber threat of the day. They may respond to cyber attack headlines by button-holing the CISO and asking, “What are we doing about THIS???”


The solution to a scattershot, reactive approach to cyber security is to develop an enterprise cyber risk management system (ECRMS). And the first step in developing an ECRMS, is conducting a HIPAA-compliant risk assessment and analysis.

HIPAA Compliance and Risk Assessment

HIPAA’s Security, Privacy and Breach Notification Rules are designed to ensure the confidentiality, integrity and availability (CIA) of protected health information (PHI). HIPAA’s Security and Privacy Rules apply to any entity that “creates, receives, maintains or transmits protected health information” per 45 C.F.R. § 160.103. This means that whether you are a healthcare provider, a health plan, a healthcare clearinghouse or a business associate of any of this entities, HIPAA applies to you.

The HIPAA Security Rule actually defines three different types of assessments that organizations must conduct in order to be compliant. Those three types of assessments include:
  • HIPAA Security Non-Technical Evaluation, a.k.a. Compliance Gap Assessment
  • HIPAA Security Technical Evaluation, a.k.a. Technical Testing
  • HIPAA Security Risk Assessment/Analysis
The difference between these three types of assessments is a topic for another blog post. What’s important to understand for our purposes is that organizations must conduct all three types of security assessments in order to be HIPAA compliant. One type of assessment (for example, Technical Testing or Compliance Gap Assessment) cannot be substituted for another type of assessment (Risk Assessment/Risk Analysis).

The first step – the foundational step – in developing an enterprise cyber risk management system, is to conduct a security risk assessment and analysis as defined within the HIPAA Security Rule. Two other information sources help to provide a comprehensive and detailed definition of what a HIPAA-compliant risk assessment looks like: first, OCR guidance – including the results of OCR enforcement actions and audits – gives a clear picture of what a comprehensive risk analysis includes. Second, NIST standards around information security provide a model for how to properly conduct a risk assessment – and how to start developing a strategic framework once you have the assessment results.

What an OCR-Quality Risk Analysis Entails

At its most basic level, risk analysis includes three primary tasks:
  1. Identifying risk
  2. Rating risk
  3. Prioritizing risk
Identifying risk starts with identifying and documenting every information asset in your organization. Information assets include all electronic equipment, data systems, programs and applications that are controlled, administered, owned or shared by an organization and which contain, transmit or store ePHI. This includes traditional forms of assets, such as IT systems and applications (e.g., EHR systems, clinical information applications, lab applications, medical billing and claims processing applications, email applications, etc.).

Information assets also include biomedical assets, such as patient monitoring devices, implantable devices, and remote chronic disease management applications. Internet of Things (IoT) assets must also be included in your asset inventory. (Incidentally, a key challenge for hospitals and health systems in conducting a comprehensive information asset inventory has been their capability to identify and document electronic medical devices. New technology from IoMT / HIoT security companies identifies medical devices, device types, software versions and VLAN location via passive observation of biomedical network traffic without threatening a device.)

Risk analysis does not stop with a simple inventory of information assets, however. Risk has three components: an asset, a threat, and a vulnerability. Adequately identifying risk means addressing each of these components for each information asset. For example, an information asset might be a tablet computer used by staff or clinicians. One threat to that tablet could be theft. Vulnerabilities that create risk when that table is stolen include a lack of encryption, weak passwords, and a lack of data backup. In other words, each information asset can be compromised by many different types of threats. In turn, those threats become real due to the vulnerabilities associated with them.

A comprehensive, HIPAA-compliant risk assessment requires documentation of a considerable amount of detail. It’s easy to see how healthcare organizations who attempt to conduct an inventory of information assets, with their associated threats and vulnerabilities, are quickly overwhelmed with pages and pages of spreadsheets.

Rating and Prioritizing Risk

And yet there is more.

Because a bona fide, OCR-compliant risk analysis includes not only identifying information assets, threats and vulnerabilities, but also rating risk. This involves estimating the likelihood (probability) and impact (degree of harm or loss) on the organization of each possible asset/threat/vulnerability combination. Which makes our spreadsheet even more complex. 

After all information assets have been inventoried, all asset/threat/vulnerability combinations have been documented, and the likelihood and impact of each potential risk calculated, the result is a “risk rating” for each potential threat.

The beauty of the risk rating is that it allows each healthcare organization to identify, rate and prioritize the particular risks associated with that organization’s unique information asset inventory, threat/vulnerability combinations, and calculated risks.

Each organization is able to establish their own risk threshold. For example, an organization might specify a risk rating of “20” as their threshold. That means that information risk management strategic priorities would center on mitigating risks for those items that rated 20 or higher. In the example above, security leadership would be able to use this information to make a persuasive case for security tools that enabled encryption of ePHI contained on tablet computers, as the “25” risk rating indicates this risk is a high priority for this organization.

The Value of a Comprehensive Risk Analysis

Conducting an OCR-quality, security risk assessment and analysis has value for healthcare organizations beyond assuring compliance with HIPAA guidelines. As the example above illustrates, a comprehensive risk analysis helps security leaders not only identify, but also rate and prioritize enterprise-wide cyber security threats.

The information uncovered by the risk analysis can help security leaders develop relevant and meaningful cyber risk management systems by providing a framework for making decisions. With an accurate and updated security risk assessment in place, security leaders no longer have to make purchasing decisions based on the strength of a vendor’s demo, or in reaction to cyber threat headlines. With a security risk assessment and analysis in place, healthcare security leaders are empowered to make proactive and strategic decisions about the tools and strategies that will mitigate their highest priority risks.

In the third part of this 3-part series, Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment, I will explore some of the resources, solutions and services that can not only help security leaders efficiently conduct a security risk analysis, but also help healthcare security leaders leverage the completed security risk analysis to develop an enterprise cyber risk management system.
 

Check out the first blog in this series here: Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment–Part 1



Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment – Part 1



You’re the CISO of a healthcare organization and you just sat through an amazing sales presentation by one of your security vendors. You are considering cutting a PO to purchase that new security tool. You’ve been thinking for some time about purchasing tools to close security gaps that you’re aware of and this particular tool appears to address a critical area of weakness in your information security program.

At the same time, you’ve got limited resources for addressing your healthcare organization’s cybersecurity risk. You experience ongoing challenges around finding and retaining IT staff with expertise in information risk management. You know you’ll need staff resources to implement that new security tool, but your IT budget never stretches quite far enough to cover all of your organization’s technology needs, let alone managing cybersecurity risk.

Sound familiar?

Shiny Object Syndrome' in the security realm is often associated with a myopic focus on one critical area of weakness or vulnerability


Healthcare security leaders are often tempted to buy the “shiny new object” that promises to be the panacea to their most pressing security problems. Perhaps an audit or assessment highlighted the gap and executive management jumped all over it. Perhaps a breach or security incident became a compelling event, and the vendor’s new tool looks like a silver bullet. Vendors often encourage this line of thinking, being only too happy to make another sale.

Though new security tools can be tempting, their purchase is sometimes the result of a myopic focus on a single critical area of weakness or vulnerability. Yet the vast majority of healthcare organizations have many security gaps, spread over a wide range of areas. This is true regardless of the size of an organization’s dedicated IT staff or their information risk management budget.

When a shiny new security tool attracts your attention, how do you determine whether or not this is the best use of your resources? How do you make the case to your Board that purchasing this particular tool should be your organization’s number one priority?

The Changing Cyber Risk Landscape

All too often, healthcare security leaders are put in the position of simply reacting to the latest, headline-grabbing cyber security threats. A short time ago, cyber attackers seemed mostly intent on hacking into healthcare networks in order to steal patient data and sell it on the black market. The consequences of a data breach are far-reaching, including a loss of customer trust, penalties and settlement fees imposed by the Office for Civil Rights (OCR) for HIPAA violations, and the cost of remediation measures. A recent Ponemon Institute report estimates the average total cost of a data breach at $3.86 million. As a result, stakeholders including Board of Trustees members and consumers clamor for assurance that their healthcare providers have tools and strategies in place to prevent data breaches.

But even as data breaches continue to pose a real threat to healthcare organizations, new threats have emerged. Ransomware attacks on healthcare organizations have turned out to be just as lucrative for cyber criminals, if not more so, than selling healthcare records on the black market. The impacts of last year’s WannaCry ransomware attacks have continued to play out in healthcare organizations in the U.S. and in the U.K.

WannaCry compromised IT system availability in order to shake down healthcare providers for ransom money. But other types of emerging malware attacks – such as NotPetya – pretend to be ransomware while actually destroying critical systems and data. The increase in cyberattacks that target system availability have made IT system availability and resiliency the new cybersecurity mantra.

At the same time, new attack surfaces in healthcare organizations are attracting the attention of hackers. Network-attached medical devices – think Internet of Things (IoT) – are just as susceptible to malware and ransomware attacks as other, more traditional targets, such as the enterprise data center.

All this means that cyber risk management in a healthcare organization is a continually moving target. Cyber attackers’ motives, strategies and targets evolve quickly. By the time a new security tool comes on the market, a different threat has emerged, requiring a different approach to risk mitigation.

Given the constantly changing cyber security threat landscape, how is a CISO to respond? Is there a better way to protect your organization than being swayed by the latest, greatest vendor presentation? Is there a better way to protect your organization than yielding to Board pressure to respond to the cyber threat du jour currently making headlines?

The Big Picture: Enterprise Cyber Risk Assessment

The good news is that there actually is a better way.

And the better news is that this “better way” not only helps your organization meet HIPAA compliance requirements, it also helps your organization develop a strategic approach to enterprise-wide information risk management. It’s a deliberate and considered approach that can help guide your organization’s information risk management purchasing decisions and will strengthen your organization’s cybersecurity posture.

It begins with an enterprise-wide cyber risk assessment.

By an enterprise-wide cyber risk assessment, I’m not referring to marking off boxes on a controls checklist. I am also not referring to your latest technical testing, security gap assessment, or pen test. I’m talking about conducting a bona fide, enterprise-wide, HIPAA-compliant, security risk assessment and analysis.

What does a HIPAA-compliant security risk assessment look like?

Stay tuned. I will explore that topic in Part 2 of this three-part blog series: Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment.