The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Securing Medical Devices - The Need for a Different Approach - Part 2



This is a two-part story. The first part can be read here.

I recently met with the CIO and CISO of a large US healthcare system to chat about how the system was going about securing its 350,000 network attached medical devices. They were busy assessing and profiling all of the disparate devices from a multitude of different vendors that the pre-merger, independent hospitals had purchased over the past twenty years or so. The Health System had multiple teams of third party vendors from many of the big names in bio-engineering, working with its own IT team to review configurations, firmware and OS/ application versions, and to make updates where necessary in order to improve the security posture of these devices.

The CIO however was greatly concerned by the number and churn in these devices – given warranty replacement units and new devices arriving at hospitals seemingly on a weekly basis. He was concerned whether they would ever be able to get in front of their hardening project, and whether reconfiguration and lock-down would ever really secure these network attached systems at the end of the day.

After listening carefully to his plan and all the activities he and his CISO had sanctioned, I suggested cautiously, that perhaps the health system was on the wrong path. My argument was that they would never be able to keep up with and manage 350,000 disparate biomedical devices, growing by twenty percent per annum, using a strategy essentially designed to manage PCs and workstations. One where domain level tools could be used to patch and configure the vast majority of endpoints. The manpower requirements alone I suggested, would consume his entire IT team’s bandwidth and budget at some point, if not very soon.

I suggested that he abandon entirely all thoughts of securing individual endpoints by locally hardening devices, and by disabling services like TFTP, FTP, TelNet and SSH, that many of his medical devices had left the factory with enabled, and instead look at other control points to secure those devices (compensating security controls) that would enable much higher levels of automation, and reduce the margin for human error that a manual process would inevitably lead to.

I suggested that he use his network as the control point rather than attempt to manage so many individual endpoints. By enabling TrustSec - a built-in access system in his newer Cisco switches and routers, he could lock down each endpoint device whether wired or wirelessly attached to the network, and control in a uniformed manner, which ports and protocols each device could communicate on, which users could administer each device, and which other devices each medical device could communicate with, i.e. specifically authorized canister, gateway or clinical information systems only…. and nothing else!

By employing ISE (Cisco Identity Services Engine) to set access policy, which would then be enforced by TrustSec, (something that was already being used to manage guest wireless access), the health system could create uniform enterprise policy implementation across all sites and locations, and avoid the need for possibly hundreds of firewall engineers to write and update access control lists in switches, routers, and firewalls. What’s more, rules written in ISE could be written in easy-to-understand business language, rather than complex access control syntax for direct entry into infrastructure devices by firewall and network engineers.

Furthermore ISE could be used to profile each of model of medical device, such that a profile could be developed and assigned once for each model, and applied globally across the entire enterprise of 350,000+ medical devices, thus automating security for the almost un-securable!

I continued, “What’s more, the same profile you assign to a medical device in one hospital, is used for a similar device in another hospital so long as its all part of the same ISE domain. Thus you can more effectively manage your medical device asset inventory across hospitals, by assigning medical devices when and where needed rather than to tie up money in unused assets in each location.”

“In other words” I explained, “Using ISE and TrustSec, you can provide your users with dynamic segmentation capabilities such that you can take a medical device (or truck load of medical devices) from one site to another site in need of those devices, (for perhaps local disaster management), and have those devices immediately recognized by the network and assigned the right access permissions as soon as they are plugged in or otherwise connected to the network. No need to engage a firewall or network engineer to add MAC addresses to an ACL (access control list) at 2am in the morning – just plug it in and it will work!”

Essentially you will have an enterprise-wide dynamic automated user and device access system, that is enterprise policy-driven in easy to understand language (versus firewall and switch syntax), that will actually save your biomed team money because they can run a minimal asset inventory across the entire health system. What’s more, in so doing, you are actually securing the un-securable and protecting medical devices from attack, as well as protecting the main hospital business network from being attacked from an easily compromised medical device.

A large number of leading US healthcare delivery organizations are already using ISE and TrustSec to secure their medical devices, research and intellectual property, PHI, PII and other confidential information, by security segmentation of their networks and IT systems. Many are working towards micro-segmentation at the individual device level. Many more are using the same segmentation approach and technology to isolate their PCI payment systems, their guest and contractor network access, and for network access quarantine to perform posture assessments on laptops and mobile devices re-attaching to the network after being used to treat patients in the community.

For more information on this approach, read Cisco’s Segmentation Framework and the Software-Defined Segmentation Design Guide.

For information about how Cisco’s Security Advisory Services can to assist you to design secure segmentation in your environment, please review Cisco's Security Segmentation Service or contact your Cisco sales team.


This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Securing Medical Devices - The Need for a Different Approach - Part 1



It’s hard not to notice a growing collection of medical devices whenever you visit a hospital or clinic. They surround today’s medical bed, almost like a warm scarf around a bare neck on a cold winter’s day. If they weren’t there you would wonder why. They provide all kinds of patient telemetry back to the nurses station: O2 sat levels, pulse rate, blood pressure, etc. They provide automatic and regular administration of medication via pumps and drips and oxygen dispensers. The medical bed itself tracks patient location across the hospital as the patient is wheeled to and from the OR, imaging or other specialties.

What is not recognized however, is that the number of medical devices employed in the delivery of care to patients is currently growing at almost twenty percent per annum globally. What's more, this growth rate is increasing. For the BioMed staff that has historically been responsible for managing them, it’s an almost impossible task. One that gets more difficult by the day as more and more devices are plugged in or wirelessly connected to the network.

The problem as far as risk is concerned, is not just the growth of these standalone devices and the difficulty managing so many, but the fact that these systems, many of which are critical to patient well-being, by and large have ALMOST NO BUILT-IN SECURITY CAPABILITY. Nor can they be secured by standard compute endpoint tools like anti-virus / anti-malware. They are a huge vulnerability, not only to themselves, but also to everything else attached to the network on one side of the device, and the patient on the other side.

Standalone medical devices are designed, built and FDA approved to perform a very narrow and specific function, and to do so reliably for long continuous periods of operation - unlike a Windows PC, which sometimes appears to have been designed to work for a month more than its manufacture warranty! Medical devices tend to stop working when subjected to things outside of their design parameters. Things like multicast network traffic caused by worms, viruses and other malware. Things like ICMP, NMAP and other network traffic used to illuminate, query, or profile devices perhaps by attackers. What’s more, medical devices are rarely retired and withdrawn from service, which means many hospitals are still using devices designed and built twenty years ago – at a time when Windows 95 had just been released and most of us weren’t even on the ‘World Wide Web’ as we called it then! How could they POSSIBLY be secured and prepared to defend against the types of cyber attack we see today?

Many standalone medical devices leave the manufacturing plant with all kinds of security vulnerabilities – many open TCP/UDP ports, and numerous enabled protocols by default like TFTP, FTP, Telnet. Most of these are highly vulnerable to attack. In June 2013 DHS tested 300 medical devices and all of them failed basic security checks. In 2015 we had 'white-hats' demonstrating hacks of implantable medical devices (IMDs) live on stage at security conferences. Since this time several popular medical pumps have been very publicly exposed for the ease at which they could be compromised by an attacker. (Some manufactures have issued recalls and firmware upgrades but not all.) If one of these pumps were employed to administer at a gradual and regular level, for example, pain medication such as morphine or perhaps insulin to a patient, what damage would be inflicted upon that patient if the pump was hacked and told to administer its entire medication all at once?

While older standalone medical devices were built to run on obscure, custom, often hardened UNIX operating systems, or even eProm, many of today’s mass-produced, quick-to-market commercial devices run on Windows 9 Embedded – nothing more than a cut-down version of the hugely vulnerable and highly insecure Windows XP operating system.

Windows Embedded is subject to many of the same vulnerabilities and freely available exploits as the regular Windows XP operating system. A targeted attack against modern medical devices is thus relatively easy given a mass of known and proven exploits. Yet we continue to attach insecure, unprotected pumps and all kinds of other devices with the potential to do damage to patients, knowing that at any time a nefarious hacker or almost innocent intruder could turn the device into an execution tool.

Just because it hasn’t happened yet, doesn’t mean to say that it won’t happen today… or perhaps tomorrow!

Read Part 2 of this blog.


This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Who’d want to be a CISO?


Lets face it, being a CISO (Chief Information Security Officer) is no bed of roses. The ultimate responsibility for protecting the organization against a rising tide of hackers and state sponsored cyber spies intent on breaking in and stealing information rests firmly on the CISO’s broad shoulders. Being the CISO in most companies today usually means being starved of resources for additional headcount, tools, and services, while you spend each and every day with your back against a wall! And did I say every day?

Being a CISO is not a nine-to-five job. You also need to keep your wits about you during the dark hours when your boss and most of the Executive Leadership Team (ELT) are out for dinner or sleeping soundly in their beds. The ‘witching hours’ are between 7pm and 7am and at weekends when cyber criminals know all too well that the fort is unmanned and they can usually get away with whatever they want – largely unnoticed!

Photo: Evan Brockett







A Typical Threat Scenario

7pm in New York and Midnight in London, is breakfast time in Beijing and Shanghai where many of China’s best cyber-spies work. The Peoples’ Republic of China (PRC) has invested in vast campuses of Peoples’ Liberation Army Cyber Units, whose role is to attack foreign organizations and steal not just defense secrets, but also commercial secrets that may help Chinese companies to catch up with and surpass their western counterparts. Despite an agreement between President Xi and President Obama in 2015, the dashboards of western Security Operations Centers stay lit with the Chinese IP addresses of active attackers every day and every night. According to a former FBI Special Agent, “China's corporate cyber-espionage apparatus is too big and too effective to shut down". "The genie is out of the bottle" he concludes.

7pm in New York and Midnight in London, marks 2am in Moscow when club revelers call it a night and return to their flats amongst the sprawling public housing projects. While they have been out clubbing, many of their neighbors have been busy testing the cyber defenses of their latest targets. The Hackers here are more ‘freelancers for hire’ working on occasions for the government, the FSB, GRU, or perhaps for a favor for someone well connected, but just as equally for themselves, paid by the job or paid by results. Entrepreneurial and opportunistic, these are the ‘shadow–dwellers’ who prey upon the weak and unprotected with phishing campaigns, malware, and much, much worse – anything that could generate them income, today, tomorrow, or next month.

The Russians and Chinese are not alone, they are just the largest adversaries by volume on the CISO’s situational threat board. It’s fair to say that in a global economy, the threats don’t just come out at night, it’s just that the attacks seem scarier when everyone else has gone home for the night and its dark outside, and as CISO, you may be standing alone!


Photo: Lionello DelPiccolo









CISO Responsibilities

The CISO has to be aware of not just the constant attacks against his or her network, or the spear phishing campaigns against users in an attempt to deposit a malware dropper on their network attached computer. It’s a continuum of threats and risks that the CISO and his team have to defend and protect against. And when something goes wrong and some nefarious bot or person gets by the paper defenses? It’s the CISO who takes the fall, and takes responsibility for everything that went wrong leading to the breach – lax controls, inadequate staff for 24 by 7 operations coverage, no budget for user security awareness training, a mish-mash of out of date security products and applications, and the CIO or CFOs decision to select a proposal from a budget implementation vendor rather than the experts who actually knew what they were doing!

Decisions are often made by those above the CISO, safe in the knowledge that they have a ‘fall guy’. No wonder so many CISOs start updating their resumes, the day they start a new job! It’s a thankless job - a very, very stressful job, and if it were paid by the hour rather than salaried, CEOs might just begin to understand the level of effort and expertise required to secure a company from constantly changing cyber threats.



Why You Need an Exceptional Security Leader

Despite the challenges of the job, the role of the CISO attracts some of today's brightest and the best corporate executives - those able to understand, protect and promote the success of the business, and able to negotiate the boardroom and ELT politics, yet at the same time understand the intricate complexities of risk, security, privacy and compliance and the associated technologies used to monitor, measure and protect the business from cyber attack.

It takes a unique and broad set of skills to be a successful CISO, but it also takes a certain kind of person, one that doesn't give up easily and can get back up after being knocked down. Vision, passion, dedication, perseverance and sheer tenacity are key traits that usually come to mind for the job. The role of CISO is changing however, from a deeply technical role implementing tools within IT, to an executive role managing and directly reporting enterprise security risks to the ELT and the Board.

Vision, strategy and the implementation of a holistic enterprise-wide plan to minimize cyber risks and protect the CEO from having to step down following a headline breach is key. Gone are the days of simply promoting the "security guy" to a fancy new title to keep the board of directors happy. What is needed is much more. A proactive holistic approach to security that can be relied upon, rather than a reactive one to plug holes in the dyke. Advanced protection is always cheaper than remediation following a breach. Repairing a damaged reputation takes even more money, time and effort. After all, you cannot "un-ring the bell that has been rung!"

Finding a top quality cybersecurity talent is not easy when there's a 12x demand over supply for security professionals. Attracting a top-notch security leader is almost impossible as SecurityCurrent pointed out in 2015, and the problem is not getting any easier. In fact its getting worse.

Photo: Victoria Heath








What You Need to Pay to Attract and Retain Top Security Leadership Talent

CEOs are experiencing a tough time attracting and retaining top CISO talent in today's highly competitive landscape. And it should be a CEO concern - not something left to HR. As a CEO your job security depends on the ability of your CISO to protect your reputation and the assets and credibility of the company you're charged with running.

CISO salaries have risen sharply over the past two years and the trend is showing no signs of slowing down. In fact CISOs in the big US cities can make in excess of $350,000 to $420,000 based upon 2016 salary studies by Forbes, Healthcare IT News, and by SecurityCurrent. Its non uncommon for the very best CISO total compensation packages to approach or exceed seven figures today.

CISOs are increasingly being asked to present directly to the board on an ongoing basis, and IDC predicts that by the time you read this article, 75% of Chief Security Officers (CSO), and Chief Information Security Officers (CISOs) will report directly to the CEO, rather than the CIO which used to be the case.

Given the trend towards 'cloud' and 'just about everything-as-a-service', many Chief Information Officer and Chief Technology Officer roles are going away, to be replaced by a corporate Chief Innovation Officer. It may not be long before the Chief Innovation Officer reports to their CISO; and for one simple reason, when you no longer own and operate everything, you are inherently reliant upon your partners to provide secure and resilient services to your customers. The job of validating that, falls on the CISO to ensure that innovative cloud technologies do not introduce unmitigated risk to the business.

With over one million open cybersecurity jobs, and average CISO salaries in sharp ascent, its clear that effective CISO’s are desperately needed and will continue to be a challenge to attract and retain. Despite a recent surge in the availability of undergraduate and post graduate courses in cybersecurity related disciplines, it will be many years before graduates have enough experience to take over a CISO role. Until then, you need to REALLY look after your CISO.

SecurityCurrent Average CISO Salary Report, prnewswire.com

This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Unsecured Endpoints in the Hospital Environment



Unsecured Endpoints in the Hospital Environment - Securing IOT and Medical Devices

Medical devices are growing by an estimated 20% per annum the world over, as are other IOT devices that control critical infrastructure in our hospitals. Yet, most cannot be secured by traditional endpoint computer means due to a combination of device limitation and regulation. Nor can most be patched and updated against known security vulnerabilities. At the same time, formerly isolated networks have converged to support digital transformation of healthcare, thus increasing risks exponentially for both the clinical business and biomedical networks used to treat patients.

How then do we go about "securing the un-securable" using the tools at our disposal to protect patients, their data and hospital systems from attack and ransom?

Richard Staynings
Richard Staynings
Craig Williams
Craig Williams
















This is the subject of a recent presentation given to the HIMSS Healthcare Cybersecurity Community by Richard Staynings, Cisco’s Cybersecurity Leader for the Healthcare Life Sciences Industry, and Craig Williams, Technical Outreach Leader at Cisco Talos.

In their presentation, Richard and Craig discuss what the future may hold for targeted attacks against hospital IOT and medical devices, and what healthcare technology and security leaders should consider doing to protect them.




Watch the WebEx recording here.

View the slides here.



BC Aware

Richard Staynings
ISACA BC Aware Privacy and Security Conference. Photo: Justin Malczewski.
The 'BC Aware Privacy and Security in Healthcare Conference' took place today at the Vancouver General Hospital in Vancouver, Canada. Richard Staynings, Cisco's Global Cybersecurity Leader for the Healthcare Industry kicked off the conference sharing trends and industry intelligence along with recent innovations to aid in securing hospitals, universities and standalone clinical research establishments.

Richard was joined by Drew McArthur, Information and Privacy Commissioner for British Columbia, and by Oliver Gruter-Andrew, Chief Information Officer for Provincial Health Services Authority, Providence Health Care, and Vancouver Coastal Health.

Richard Staynings addresses the audience at BC Aware
Richard Staynings addresses the audience at BC Aware. Photo: Justin Malczewski.
Presentations and discussion centered around the need for improved privacy and security across all aspects of healthcare, improved regulation and enforcement of privacy laws, and the need for holistic security, to include IoT and medical devices in hospitals and medical centers.

Oliver Gruter-Andrew and Richard Staynings conduct a Q&A at the BC Aware Privacy and Security Conference
Oliver Gruter-Andrew and Richard Staynings conduct a Q&A with attendees. Photo: Justin Malczewski.




Many thanks to my fellow speakers for sharing their insights and for attendees for braving the snow. Thanks also to the Vancouver ISACA chapter for hosting such a well run event.

2017 Annual Cybersecuritry Report


The 2017 Annual Security Report is released today. This is the tenth year of the report which delivers analysis on the evolving threats and trends from 2016, insights from a survey of more than 2,900 security professionals worldwide, as well as guidance on how to be more secure in 2017 and beyond.

The report investigates the impact a breach can have on businesses - operational disruption, lost customers, missed opportunity, a hit to brand reputation, and in some cases, declining revenue.

The report also highlights the fact that malicious actors are taking advantage of expanding attack surfaces and evolving tactics to keep their windows of opportunity open so as to maximize their attacks.

Read or download the full report:


David Ulevitch, head of Cisco’s Security Business Group, and John Stewart, Cisco's Chief Security and Trust Officer, share report highlights from the 2017 Cisco Annual Cybersecurity Report in this video.

Digital Value in the Healthcare Industry


With Effective Security, Healthcare Organizations Can Take Advantage of Opportunities to Enable Innovation and Growth with Greater Speed, Efficiency, and Agility

To address the global shortage of pediatric specialists in many rural areas and around the world, the Lucile Packard Children’s Hospital enables remote clinical interactions for pediatric care. Using high-quality video conferencing, network-connected medical devices, and a virtual patient network, clinical data, patients, doctors and specialists are now connecting to offer better care to children. The University of Virginia Center for Telehealth is also accelerating healthcare delivery, increasing access to specialty services, and providing training to physicians. From Spanish tele-interpretation services to video consultations and virtual meetings, the center is optimizing patient care while increasing productivity for UVA’s healthcare workers.

These are just a couple of examples of how the healthcare industry is embracing digital transformation. In fact, Forrester’s Global Business Technographics Business and Technology Services Survey, 2015 found that 53% of healthcare organization respondents are currently undergoing a digital transformation – more than any other sector – while 26% are exploring such an initiative. These organizations realize that while digitization is disruptive, it also provides enormous opportunity to drive value, including improving patient experience and reducing operational costs. Let’s take a closer look at five of the trends in healthcare that are motivating digital transformation.

1. Rising healthcare costs are driving digital transformation but leaving the healthcare industry struggling to keep pace with security risk. Recognizing this gap, bad actors increasingly set their sights on healthcare providers. For years healthcare has lagged other industries in security investments; in tools, technologies and specialized security staff making the industry an easy target. With demand for security professionals outstripping supply by a factor of 12 to 1, healthcare faces a daunting challenge to hire and retain the quality security talent it needs to defend against attacks. What’s more, healthcare information is extremely lucrative for hackers, fetching 10 times more than credit card information on the black market. Patient records can command such a return as they include not just financial information but personally identifiable information as well as insurance and prescription information. Medical records are also highly prized because that data is valid for life and compromises are more difficult to detect. Just to put this in context—in contrast, banks have sophisticated controls in place to identify unusual activity in bank accounts and to quickly detect and cancel stolen credit cards. The healthcare industry is well aware of the significant financial and reputational costs when patient records are breached. The industry is also waking up to the increased risk to patient safety; a DDoS or ransomware attack can restrict access to clinical information systems that are essential to render care.

2. Electronic health records are another driver of digital transformation. The meaningful use and exchange of information for more efficient and accurate diagnosis is requiring healthcare providers to digitize patient information and improve interoperability of digital health systems. Hospitals are being encouraged by the government to integrate discrete, standalone systems to enable the sharing of information between different providers and, ultimately, improve quality of care and patient outcomes.

3. Administrative operational systems and standalone clinical treatment systems must also talk to each other to help streamline operations and improve patient care, particularly as new reimbursement models emerge. Better collaboration and communication across the organization, improves workflow so clinicians and administrators can share data and gain efficiencies while maintaining quality care.

4. New service delivery models from telehealth and telemedicine to the emergence of robotic surgery are also driving digital transformation. Multi-gigabit, highly resilient medical-grade networks are required to support the next level of services that not only improve the patient experience and outcomes, but also offer more cost-effective and efficient care for patients in remote locations, or for those who are home-bound.

5. Medical devices are becoming more pervasive and essential for the reliable, affordable delivery of quality care. Spurred by innovation, an aging population, and extended life expectancies, the worldwide market for medical devices such as heart monitors, morphine and insulin pumps, to deliver care, and CT scanners, X-ray and MRI machines for diagnosis, is expected to grow 25% by 2020 according to the 2016 International Trade Association Medical Devices Top Markets Report.

The healthcare industry has a lot to gain by digital transformation. However it also has a lot to lose if it doesn’t start with security as a foundation. Instead of being bolted on as an afterthought and getting in the way of rendering care, it has to be built into processes and workflows making it seamless for clinicians, administrators, and patients. Without the appropriate security controls and expertise in place, healthcare organizations risk breaches that require directing funds to fines, restitution, and punitive damages that could put some institutions out of business, leading to further declines in patient care. Patient confidence and trust could also erode, leading some patients to not be honest with their caregivers or even avoid seeking treatment.

With effective security, the healthcare industry can take advantage of new opportunities to enable innovation and growth with greater speed, efficiency, and agility. Hospitals can reduce operational costs, adopt new service delivery models, improve the quality and efficiency of care, decrease inpatient volume, and shift to new reimbursement models. At the same time, patients and their families benefit from a better experience and better outcomes. By starting the journey with an approach that puts security first, the prognosis for digital value in the healthcare industry is extremely positive.


This article was co-authored with Ashley Arbuckle, VP of Security Services at Cisco and was also published by Security Week.

Hong Kong Hospital Crisis Easing

Patients left in hallways due to overcrowding at Queen Elizabeth Hospital. Photo: Sam Tsang.
A capacity crisis in Hong Kong's hospitals is beginning to ease thanks to money being made available by the Government for an expansion of healthcare services to meet growing demand. This was the message I received during meetings this week with senior health leaders in Hong Kong.

Earlier this year Chief Executive Leung Chun-Ying promised that public hospitals would get an additional 5,000 beds and 90 operating theatres in the next 10 years as part of a HK$200 billion bundle of development projects. Those funds are now finally making it to where the money is needed.

Saint Teresa's Hospital, Ma Tau Wai.
The investment includes new construction and expansion at all Hong Kong public hospitals and in particular large redevelopment projects at Tuen Mun Hospital, Prince of Wales Hospital and Princess Margaret Hospital. It will also provide an additional 90 operating theatres increasing capacity by 40% across the territory and a significant increase in the number of medical school places to grow the physician population.

Investment also includes Childrens' Hospital at the former Kai Tak Airport.
The capacity crisis in Hong Kong is not too dissimilar to issues being faced by mature public healthcare systems across the world. An aging population of baby boomers is consuming more healthcare services, and spikes in demand for services during the flu season which spreads quickly amongst Hong Kong's tightly packed population, and is combining with population growth fueled by immigration from Mainland China to excerpt pressure on the system.

This year's flu season coincided with the Health Authority’s decision to send 30 frontline doctors to Beijing to attend a one-week national education class which left hospitals severely understaffed for the unexpected surge. Accident and Emergency services were running at an average 110% capacity with some hospitals at 130%. Lines formed out the doors of hospitals into the street and patients had to wait hours to be see.

The situation got so bad that an appeal went out to private physicians across Hong Kong to help out at public hospitals, and several private hospitals made available free or low cost beds to help with the overflow at public facilities.

Long wait times for patients. Photo Sam Tsang.
In meetings this week with the Hong Kong Hospital Authority I was told that while some of the larger projects would take many years to complete, capacity has already been improved at many public hospitals, and new measures put in place to reschedule non-urgent procedures outside of peak demand, especially during flu season.

Improvements in healthcare security are also being made but are being funded from other sources outside of capacity improvement measures. Hong Kong continues to lag behind the UK, US and Australia in its cybersecurity maturity and this will likely be another area of targeted improvement over coming years. Compared to the capacity and modernisation initiatives, cybersecurity remains however, a fairly low priority for now I was told.

Australian Healthcare Highly at Risk


Just learned that my interview with Nick Whigham at Australia's www.news.co.au has gone viral. The interview which was published last week, talks about the general state of security surrounding the Australian Healthcare industry and is based upon two weeks of workshops and other meetings I ran across the country in November with Senior Healthcare Executives.

The full article can be found here


Aussie Healthcare Scrambles to Catch Up

Assessing the cybersecurity outlook for Australian Healthcare.   Photo: Paul Carmona, Sydney.
Australian Healthcare providers are scrambling to defend against increasingly well-armed and financially-motivated opponents in the battle between good and evil going on across cyberspace. After years of staying out of the spotlight, healthcare is now being targeted by cyber gangs looking to get rich quickly, and foreign nation states seeking leverage over individuals.

Fifteen to twenty years behind other industries like banking and financial services, Australian Healthcare is suffering from a case of 'Too Little, Too Late' in its build-out and investment in robust cyber defences and is now beginning to pay the price.

Well publicised attacks against flagship hospitals such as Royal Melbourne and others have finally alerted the Australian general public and health system leaders alike, to the looming threats facing the healthcare sector. Its not just the big city hospitals either; ransomware and other cyber attacks have been reported right the way across the country and even in small GP practices in remote rural communities.

Theft of lucrative personal information and personal health information, especially as medical records go digital, is a rising threat, as is attack by ransomware and other forms of extortion.

Surveys suggest that presently most Australians are not that worried if their medical records go up for sale on the web, though most have not really considered the possible impact of identity theft. What is more concerning to Australians, is a denial of service attack such as ransomware, that could take critical systems off-line when needed to treat someone or to save a life. Most Aussies simply haven't given that much thought to the security of their medical records or a possible attack on their doctors office or local hospital. Very few people surveyed were even aware of the growing number of network connected medical devices and the threat they pose to patient safety.

These and other cybersecurity concerns have been the subject of discussions this week at executive workshops led by the author in a series of meetings with healthcare leaders stretching from Brisbane through Sydney and Melbourne to Perth. From State healthcare systems through to private providers and payers of health services, the message is pretty much the same. "We have failed to invest in information security in the way we probably should have over the past five to ten years", said one State CIO. "That includes technology infrastructure and the skilled resources to manage our security program."

While government Ministers stress the importance of making improvements to healthcare security, additional capital and operational budgets have not yet been made available to hospitals to make changes claimed the leaders of several hospitals in a workshop in one major city.

In a recent meeting with the leaders of one of Australia's largest private healthcare providers, the CIO willingly acknowledged to me the critical need for improvements to be made to the organisation's security program, adding that security investments would probably have to wait till next year as he already had a heap of even more critical needs in front of it.

A stormy outlook has caused Australian Healthcare to play catch-up. Photo: Kieren Andrews, Melbourne.
The need for improved security to protect hospitals, doctors and patients from cyber attack is finally being recognised across the country, though it remains to be seen just how much of a priority it will be to secure patient health information, and prevent cyber attacks that compromise critical clinical information systems needed to treat patients. "It may take another one or two Royal Melbourne Hospital sized incidents before security gets the kind of funding and support that is really needed" suggested one healthcare senior leader who asked not to be named.


Kiwicon X

Kiwicon X, Wellington, New Zealand
Part hacker conference, part cult event, part rock concert; Kiwicon X fully lived up to expectations this week. Attendees were treated to an almost constant barrage of live hacks, demonstrations, presentations and more live hacks in the southern hemisphere's answer to Black Hat without the tackiness and desert heat of Las Vegas.

That's not to say that attending Kiwicon is in any way safer then Black Hat - leave anything electronic a mile away from the conference, and if you do take a credit card then make sure you have a lead-lined wallet to prevent it being inadvertently scanned by someone.

Live hack demonstration

Oh, and did I mention the plutonium or uranium brought on stage to demonstrate how to break cryptography in a presentation entitled “Radiation-Induced Cryptographic Failures and How to Defend Against Them.” Maybe the attendees dressed up in silver radiation costumes weren't exactly wearing 'costumes' if you know what I mean!

Laser light show, Kiwicon X Hacker Conference, Wellington, New Zealand

If the radiation didn't fry you and the pyrotechnics didn't burn you, then the lasers almost certainly blinded you - albeit temporarily! What a show!

Fireproof conference attire advised for anyone in the first 5 rows

With an opening presentation that could easily have been incorporated into an episode of the X-Files TV series, and other presentations that included "Hacking the Red Star OS" - North Korea's only approved PC operating system, and “Defending the Gibson in the Age of Enlightenment” I was never quite sure whether the coffee I was drinking had been spiked or not.

“The Truth Is In Here” by Metlstorm opening presentation

Kiwicon X was informative and entertaining on SO many levels!

The house was packed for nearly every presentation 
Despite a major earthquake that shut down Wellington not long before the conference and multiple aftershocks during the conference, the show was a great success.

Kiwicon X, Wellington, New Zealand

It was great to meet and chat with so many utterly smart if slightly deranged people. I hope to drop in again for another Kiwicon at some point in the future.

More lasers at the Closing Presentation


Light at the end of the tunnel for New Zealand Healthcare


Despite continuing austerity measures across the country, there is light beginning to appear at the end of the tunnel for New Zealand Healthcare. This includes a number of measures underway to expand capacity to reduce waiting times. It also includes some long-needed improvements to cybersecurity and privacy. This was the message I received during meetings this week with the New Zealand Ministry of Health in Wellington.

The Ministry of Health oversees some 20 District Health Boards each of which is responsible for administering the delivery of health services in their designated area. While some of the DHBs have pooled their resources for shared IT and security services, there are little to no common IT or security solutions across the entire country. Each board is free to do it's own thing we were informed. The result is disparate clinical and health information technologies across a sparsley populated country of just over 4.6m people.

Some areas of New Zealand appear to be better served by IT and IS capabilities than others, though common areas of concern appear to exist across all DHBs. These include the need for improved identity and access management, threat intelligence and security operations center expertise to identity and respond quickly to cyber attacks.

The greatest challenges however appear to be political in nature, in getting the DHBs to agree to common systems and processes or shared cybersecurity expertise for threat intelligence, security operations and incident response. While at the Ministry level this need seems to be recognised, the DHBs appear to be fiercely protecting their turf - at least for now!





Turning Cybersecurity into a Strategic Advantage


Most C-suite leaders think about cybersecurity as a way to stop threats. But in today’s intensely competitive digital economy they should be thinking about cybersecurity as a strategic advantage that not only protects business value, but enables new business value.

The prevailing focus on threats to protect business value isn’t surprising. Modern digital businesses go beyond traditional walls and spawn new attack vectors in today’s dynamic threat landscape. Businesses face a cybercrime wave that is increasing in intensity and sophistication. According to a recent article in Forbes, “Corporate and home computers have been hit with an average of 4,000 ransomware attacks every day this year, a 300% increase over 2015,” citing United States Department of Justice sources.

While we must continue to work diligently to protect valuable data and assets, to achieve growth, the biggest opportunity comes when we make cybersecurity a foundational component of our digital strategies. One of the biggest downsides to cybersecurity weakness is how it inhibits innovation. In fact, 71% of respondents in a Cisco survey said cybersecurity risks and threats hinder innovation in their organization.

Organizations that have any doubt about their cybersecurity capabilities delay important digital initiatives and risk falling behind the competition tomorrow.

As Mike Dahn, head of data security and industry relations at Square, Inc., put it in this Cybersecurity as a Growth Advantage report, “I think it’s really important that we stop thinking about security as a defense-centric approach that is sold by fear, uncertainty, and doubt. We need to start thinking of it as an enabler that supports innovation … and helps the business go forward.”

You know your organization is well-positioned to move forward when:
  1. You recognize that cybersecurity concerns can hold back innovation and hinder growth. While cybersecurity concerns can hinder the development of new digital business models and driving innovation, smart organizations realize they must move forward, or be left behind by digital disruptors and other agile competitors.

  2. As a business leader, you are much more engaged in cybersecurity issues than your typical peers. Sixty-six percent of Boards do not believe they are properly secured against cyber-attacks. (Source: Cybersecurity in the Boardroom, Veracode 2015). And, the Board, the CEO, and other key stakeholders likely hold you responsible for cybersecurity issues, even if you don’t hold an IT or technical role. That’s because the success of digital programs that are shaping the future of the business, is predicated upon strong security practices. As business leaders develop digital initiatives they proactively collaborate with IT to ensure that security is included in plans from the earliest stages.

  3. You believe your organization is prepared to address cybersecurity challenges in three key digital capabilities – Big data/analytics, cloud computing, and the Internet of Things (IoT). These capabilities are critical to digital growth strategies that depend on connectivity. The level of confidence you have in incorporating these digital technologies into your business processes and offerings allows you to accelerate innovation and time-to-market and capture a greater share of digital value at stake.
The digital era is here. Those who embrace it will have a competitive edge, but not without a secure foundation that allows innovation with speed and confidence.

Take time during this year’s Cyber Security Awareness Month to evaluate how you can turn cybersecurity into a strategic advantage. If you are not sure where to start, our Security advisors can help. If you are already on your way to a digital transformation, we can help you assess your readiness and work with you to design and implement a secure digitization strategy.


Guest Blog - written by my colleague and good friend, Ashley Arbuckle.  Ashley is Vice President of Cisco Security Services. This blog was originally published here.

Insiders: The often forgotten threat


Insider threats are of particular concern to organisations, as the impact of a rogue insider can be catastrophic to the business. The 2016 Verizon Data Breach Investigations Report showed that 15% of data breaches were a direct result of insider deliberate or malicious behaviour. Given that it is not likely that all insider breaches are discovered and/or reported, this number may well be under represented in Verizon’s statistics. In addition, insiders often have legitimate access to very sensitive information, so it is no wonder that it is difficult to detect these breaches. Regardless, they can negatively impact the business in a big way, and must not be overlooked.

As I speak to a lot of customers about this, I see views of insider threats vary considerably by industry vertical. For example, financial services and gaming companies see financial objectives as the main motivator; manufacturing/high technology/biotech see intellectual property theft as their biggest concern; and personal services store and process large amounts of personally identifiable information, which they must protect from insider theft. The unique challenge faced is that insiders are often more difficult to identify behaving maliciously as they are often misusing their legitimate access for inappropriate objectives such as fraud or data theft.

Strong user access policies are a key building block to a good insider threat management strategy. Regular review of user access rights, along with job rotation, mandatory leave, separation of duties, and prompt removal of access rights for departing employees have been the core of managing insider risk for many years. Once you have these key components in place it's time to go to the next level.

As with everything in security there is no single answer, and frankly you should question anyone that tells you they can fix all of your security problems with one service. To reduce the risk of the insider threat, I would suggest the following strategy:

1. Classify your Sensitive Data.

This is the most critical step and often difficult as this requires the technology team and the business to align in order to classify what data is sensitive and to ensure there is consistency in the classification strategy. Remember to not boil the ocean; this step should focus solely on identifying sensitive data that could effect the business should it be stolen. Carnegie Mellon University has a good example that can be adapted to most organisations.

2. Implement a Protection Plan

a. Instrument the network....
so you can detect atypical accesses to your data. To validate if your instrumentation is setup correctly, you should be able to answer the following questions:

  • Have new users started accessing sensitive data?
  • Have your authorised users accessed more sensitive data than usual?
  • Have your authorised users accessed different groups of sensitive data more than before?
Many fraud management professionals would recognise these questions as lead indicators of possible fraudulent activity, and astute HR professionals would recognise these as possible lead indicators of an employee about to leave the business. Both of these scenarios are very typical lead indicators of insider data loss. You should try to make use of fraud management and HR personnel to assist you in determining what to look for and actions you can/should take when you detect a possible insider incident.

Data flow analytics may also assist from the technical side as well. Cisco Stealthwatch uses NetFlow to build profiles of expected behaviour for every host on the network. When activity falls significantly outside of expected thresholds, an alarm is triggered for suspicious behaviour. Data hording is one typical use case where data flow analytics detects anomalous behaviours. For example, if a user in marketing usually only accesses a few megabytes of network resources a day but suddenly starts collecting gigabytes of proprietary engineering data in a few hours, they could be hoarding data in preparation for exfiltration. Whether the activity is the result of compromised credentials or insider threat activity, the security team is now aware of the suspicious behaviour and can take steps to mitigate it before that data makes it out of the network.

b. Data Loss Prevention software...

or DLP as it is more commonly known, is software that monitors data flows much like an IPS as well as monitoring data usage at the endpoint. Network DLP uses signatures like an IPS, but the signatures are typically keywords in documents or data patterns that can identify sensitive data. Endpoint DLP can be used to control data flow between applications, outside of the network and to physical devices. This becomes especially important if there are concerns about sending data to external data storage systems (Google Drive, Box, SkyDrive etc.) or to USB attached storage. DLP can control access to all of these systems, but it is a matter of policy and vigilance as new capabilities are released at the endpoint.

There is a lot of skill in effectively setting up DLP software and much of the complaints about the lack of effectiveness of DLP comes down to a lack of proper data classification and poor DLP software configuration. There is also an argument that network DLP is losing relevance with the increasing amount of encryption of network traffic. This is certainly true and enterprises need to have SSL interception properly configured to maximise the effectiveness of their DLP investment. Still not all traffic will be able to be decrypted and you must determine whether your risk appetite will allow for users having encrypted communications you cannot monitor. This is not exclusively an IT decision, but one that needs to be decided by a well-briefed executive.

c. Network segmentation....

is unfortunately something that is often not done well until after a security breach. One of the benefits of a properly segmented network is that a malicious insider keeps bumping into network choke points. If these choke points are properly instrumented then alerts flow to warn of potential inappropriate access attempts. This gives the defender more time to detect and respond to an attack before sensitive data leaves the network. For example, if your Security Operations Centre (SOC) observes a user in Finance trying to access an Engineering Intranet server then you should be raising an incident to address why this user is trying to access a server that most likely holds no relevance for their job function.

3. Honeypots

These are one of the more controversial strategies that may not be for everyone. The honeypot should be setup with decoy data and a similar look and feel to the production environment. The decoy data needs to look authentic and the knowledge of the existence of a honeypot needs to controlled on a need to know basis. The great advantage of a honeypot over other technical strategies is that all traffic that goes to the honeypot can be considered malicious and by its very nature as the honeypot has no business relevance. The honeypot is only there to trap those that could be looking for sensitive data inappropriately. I have found it useful in the past to use the same authentication store as the production environment so you can quickly see which user is acting inappropriately, or you may have an external attacker using the legitimate credentials of an insider to hunt for sensitive data. Either way, you need to act quickly and deliberately to head off possible data loss. Like every data loss scenario you need a robust process for managing these incidents types.

4. Use of non-core applications, especially social media applications

There has been an explosion of social media applications in recent years ranging from Skype, WhatsApp, QQ, WeChat, LINE, Viber and many others. Businesses are worried that their staff are using these applications to send sensitive data out of the business. These applications are often used for business purposes and depending on the sensitivity of the data this may be considered inappropriate behaviour. Our favoured strategy is to use some of the recommendations above, classify your data, and instrument the network to look for inappropriate use. But, from the user’s perspective, they are trying to perform their job in the most efficient manner and no one wants to discourage “good behaviour!” If there is a legitimate business use for a social media application, we recommend that a corporate social media application be deployed so staff can be efficient in their job. Security needs to enable users to get their job done and not hold up business progress and increase business complexity. Additionally, users must understand the ramifications of their actions and know what data can be sent externally and what cannot leave the organisation without appropriate protections. Education is the key to achieving an effective balance and reminders, like a “nag screen” that alerts the user that they are accessing sensitive data can reinforce the user’s training. Document watermarks and strongly worded document footers about the document sensitivity can also serve as another valuable reinforcement.

5. Hunt for caches of sensitive data

You need to have the ability to hunt for caches of sensitive data – one phenomena that that our security consultants see time and again is that people have the habit of creating a cache of sensitive data to steal before they send or take it out of the organisation. This is true not just for insiders, but often with external attackers that are preparing to exfiltrate data. Our consultants use endpoint tools to look for caches of documents in user directories, desktop and temp directories as the most common places to find document caches. Often the documents will be compressed into an archive such as a ZIP, RAR or GZ file for quicker data exfiltration and to avoid tripping the DLP keyword filters. Whatever tool you use to hunt for data caches it must be able to return the name and type of documents when it does its scans. You should select a tool that can hunt on the basis of a threshold of data volume and be able to dynamically tune the amount. Some of the more sophisticated DLP solutions can implement this functionality also.
Complexity is the arch nemesis of a good security program

Like every good superhero we have our arch nemesis, and this is often the complexity of our security environment and not the bad guys that are trying to compromise our networks. The 2016 Cisco Annual Security Report recently found the average number of Information Security vendors in enterprises was 46! A shocking number, but one which goes to show that there are a lot of point products in this industry.

One of the constant comments from our customers is “can you make all of these products work together?” We hear you, and recommend that when you are devising your strategy to combat the insider threat that you also consider that the output from these controls is going to have to be acted upon, and you cannot continue to overburden the existing SOC team. We recommend that you review how the insider threat strategy will integrate with your existing threat management process and platform as a key consideration before you get involved in the “speeds and feeds” bake offs with products.

We hope this blog has given you some ideas about key strategies you can deploy to prevent, detect and respond to insider threats. If you would like to learn more about how to get started, Cisco Security Services can work with you to conduct an Intellectual Property Risk Assessment to get a full view of insider threats in your business and can assist with designing a custom strategy to address these threats.

Guest Blog - written by my colleague and good friend, Mark Goudie. Mark is Principal and Director of Security for APJC at Cisco.
 

The 'Senior Cyborgs' are Coming!

Richard Staynings and other panelists at the Louisville Innovation Summit

The Silver Tsunami of Baby Boomers hitting retirement by itself would be enough to worry the most well prepared healthcare system, however in the United States, rising healthcare delivery costs and little to no change in the number of professional caregivers is putting the system under never before seen pressures. Everyone is looking to provide more cost-effective ways to provide care and keep people independent, safe, happy and healthy at home, and that was the focus of a panel discussion at this week's Louisville Innovation Summit.
Senior Cyborgs & the Rise of Digital Health
The session discussed the evolution of disruptive digital health technology, a new force of digital caregivers and the entrepreneurs that are changing the way care is delivered. The audience learned about new technologies to deliver care to the elderly, to monitor and assess their condition, mood and well-being as indicators of onsetting medical conditions, and some of the technologies that will enable the elderly to stay in their homes rather than in much more expensive and often despised elderly residential care.

However with increased adoption of clinical alerting and other medical technologies being sent home with post-acute patients, combined with an ever-increasing number of across-the-shelf health monitoring and tracking systems filling homes, the bigger question, which unfortunately often goes unanswered, is how can this ever growing mass of medical devices be secured. The confidentiality, integrity and availability of medical systems and the protected health information that they produce needs to be secured in the home just as it would in a hospice or hospital. This lack of security confidence has in many cases slowed the adoption of technologies that enable patients to spend their twilight years in the comfort of their own homes. It appears then, that security is the primary key to unlocking the doors to what the elderly are asking for and what Medicare Administrators would prefer to fund.

One other key that appears to be required however, is the need to change healthcare payment models for both private and government funded programs such that providers can get paid for community-based care. The panel agreed that current payment and reimbursement models are hugely out of date and this is one of the reasons why the United States lags the rest of the developed world in its adoption of cheaper and more convenient telehealth and telemedicine.

Other areas of discussion focussed upon the need to improve the interoperability of digital health systems, such that meaningful data and meta-data can be better exchanged between providers with different EMRs, and other clinical information systems. We heard that the industry itself has made some strides towards this, but competitive business practices have failed to break down the proprietary data formats used by different HIT vendors. Government will probably need to take a bigger role in mandating common data formats so that meaningful use can be fully achieved.

Read more at TechRepublic and at grandCARE both of whom also reported on the session.

Taiwan National Day

Richard Staynings
The Author pictured here with Ambassador Zhang Chu Zhang

I was privileged to be invited to celebrate Taiwan National Day this year with an assembly of Ambassadors, Senators, Congressmen, State Representatives, Mayors, retired Generals and other US military personnel who served in the 1950s and 60's protecting the country at the height of the Cold War.

Economic, political and cultural relations with the Republic of China (Taiwan) have never been higher. Great to meet everyone and a very happy Taiwan National Day.