Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment – Part 1

You’re the CISO of a healthcare organization and you just sat through an amazing sales presentation by one of your security vendors. You are considering cutting a PO to purchase that new security tool. You’ve been thinking for some time about purchasing tools to close security gaps that you’re aware of and this particular tool appears to address a critical area of weakness in your information security program.

At the same time, you’ve got limited resources for addressing your healthcare organization’s cybersecurity risk. You experience ongoing challenges around finding and retaining IT staff with expertise in information risk management. You know you’ll need staff resources to implement that new security tool, but your IT budget never stretches quite far enough to cover all of your organization’s technology needs, let alone managing cybersecurity risk.

Sound familiar?

Shiny Object Syndrome' in the security realm is often associated with a myopic focus on one critical area of weakness or vulnerability

Healthcare security leaders are often tempted to buy the “shiny new object” that promises to be the panacea to their most pressing security problems. Perhaps an audit or assessment highlighted the gap and executive management jumped all over it. Perhaps a breach or security incident became a compelling event, and the vendor’s new tool looks like a silver bullet. Vendors often encourage this line of thinking, being only too happy to make another sale.

Though new security tools can be tempting, their purchase is sometimes the result of a myopic focus on a single critical area of weakness or vulnerability. Yet the vast majority of healthcare organizations have many security gaps, spread over a wide range of areas. This is true regardless of the size of an organization’s dedicated IT staff or their information risk management budget.

When a shiny new security tool attracts your attention, how do you determine whether or not this is the best use of your resources? How do you make the case to your Board that purchasing this particular tool should be your organization’s number one priority?

The Changing Cyber Risk Landscape

All too often, healthcare security leaders are put in the position of simply reacting to the latest, headline-grabbing cyber security threats. A short time ago, cyber attackers seemed mostly intent on hacking into healthcare networks in order to steal patient data and sell it on the black market. The consequences of a data breach are far-reaching, including a loss of customer trust, penalties and settlement fees imposed by the Office for Civil Rights (OCR) for HIPAA violations, and the cost of remediation measures. A recent Ponemon Institute report estimates the average total cost of a data breach at $3.86 million. As a result, stakeholders including Board of Trustees members and consumers clamor for assurance that their healthcare providers have tools and strategies in place to prevent data breaches.

But even as data breaches continue to pose a real threat to healthcare organizations, new threats have emerged. Ransomware attacks on healthcare organizations have turned out to be just as lucrative for cyber criminals, if not more so, than selling healthcare records on the black market. The impacts of last year’s WannaCry ransomware attacks have continued to play out in healthcare organizations in the U.S. and in the U.K.

WannaCry compromised IT system availability in order to shake down healthcare providers for ransom money. But other types of emerging malware attacks – such as NotPetya – pretend to be ransomware while actually destroying critical systems and data. The increase in cyberattacks that target system availability have made IT system availability and resiliency the new cybersecurity mantra.

At the same time, new attack surfaces in healthcare organizations are attracting the attention of hackers. Network-attached medical devices – think Internet of Things (IoT) – are just as susceptible to malware and ransomware attacks as other, more traditional targets, such as the enterprise data center.

All this means that cyber risk management in a healthcare organization is a continually moving target. Cyber attackers’ motives, strategies and targets evolve quickly. By the time a new security tool comes on the market, a different threat has emerged, requiring a different approach to risk mitigation.

Given the constantly changing cyber security threat landscape, how is a CISO to respond? Is there a better way to protect your organization than being swayed by the latest, greatest vendor presentation? Is there a better way to protect your organization than yielding to Board pressure to respond to the cyber threat du jour currently making headlines?

The Big Picture: Enterprise Cyber Risk Assessment

The good news is that there actually is a better way.

And the better news is that this “better way” not only helps your organization meet HIPAA compliance requirements, it also helps your organization develop a strategic approach to enterprise-wide information risk management. It’s a deliberate and considered approach that can help guide your organization’s information risk management purchasing decisions and will strengthen your organization’s cybersecurity posture.

It begins with an enterprise-wide cyber risk assessment.

By an enterprise-wide cyber risk assessment, I’m not referring to marking off boxes on a controls checklist. I am also not referring to your latest technical testing, security gap assessment, or pen test. I’m talking about conducting a bona fide, enterprise-wide, HIPAA-compliant, security risk assessment and analysis.

What does a HIPAA-compliant security risk assessment look like?

Stay tuned. I will explore that topic in Part 2 of this three-part blog series: Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment.

Read More

Security Tools and SaaS

With between 45 and 65 different security vendors' tools in the average hospital CISO's tool box, healthcare providers need to make sure that third-party tools work well together and do not create unwanted complexity or introduce their own vulnerabilities.

Smaller providers in particular should look to partner with service providers to procure and consume expert security services rather than continue to pour money into the management of in-house tools. Most simply can no longer afford to attract and retain the levels of cybersecurity staff needed to defend against sophisticated attacks or to maintain an adequate level of risk management and compliance.

Security-as-a-Service (SaaS) is helping to reset the imbalance between attacker and defender, and when healthcare security teams are outnumbered 5 to 1, they need all the help they can get!

This was the subject of my recent video interview with HIMSS.

Read More

Shiny Objects

Security leaders all too often succumb to the distraction of a new shiny object that promises to be the panacea to all their security problems. Vendors encourage this line of thinking happy to make another sale and to have a new customer. What makes things worse is that a focus on CapEx budgets at most organizations to buy and implement more tools encourages this behavior when really an annual service may be a far cheaper, better, and faster solution to meet organizational needs.

Shiny Object Syndrome' in the security realm is often associated with a myopic focus on one critical area of weakness or vulnerability

'Shiny Object Syndrome' in the security realm is often associated with a myopic focus on one critical area of weakness or vulnerability. Perhaps an audit or assessment highlighted the gap and Executive Management jumped all over it. Perhaps a barrage of vendors telling you that you must have something in a particular space wore the CISO down, but be assured that security gaps are usually many, and are usually spread across a wide range of areas even for the most well-staffed and best-funded security departments.

Understanding Risk

Before rushing to implement solutions and being distracted by shiny objects, first make sure you have a comprehensive and holistic understanding of Digital and Integrated Risk as part of the organization's overall business enterprise risk strategy. Think about new areas of digital risk such as IoT that may not have been included in your last security audit or compliance assessment. Think about new business offerings and the strategic IT plan and how that may introduce weaknesses to the cyber defenses you have already put in place. And remind yourself that compliance is just one side of the CIA triangle that CISOs are responsible for.

Attacks against the Availability of IT systems is on the rise - just look back to the recent WannaCry and Not Petya attacks. The damage was far greater monetarily and reputationally  than a fine or slap on the wrist for a confidentiality breach. With the rise in BotNet scale and sophistication and their increasing use by cyber criminals and state actors to distract or execute attacks, protecting the availability of data and systems will become far more important, if in fact it isn't already. Just ask Maersk or the British National Health Service!

First identify ALL assets. That includes IoT devices that are network attached, could be network attached but aren't currently, or contain sensitive data. This includes hospital medical devices and building management systems - even if they are on their own VLANs. Unless they are on air-gapped networks or are securely segmented using firewalls or Cisco ISE/TrustSec then they can be easily attacked and usually have little to no defenses. Just ask Cisco Talos which has been conducting extensive testing and hacking of building management systems over the past year. How embarrassing would it be to have to report to the CEO that an attack against the enterprise SAN was executed from a hacked office thermostat?

Use new discovery tools to identify IoT assets. New services from the likes of CyberMDX, CloudPost, ZingBox and others will identify medical devices, device types, software versions and VLAN location via passive observation of biomedical network traffic without threatening a device. Active and passive scanning of business networks will identify traditional assets. IRM tools like IRM|PRO from Clearwater Compliance and others can consume scan data and combine with other information to perform full Risk Analysis, as well as HIPAA security and privacy compliance or NIST framework assessment.

Risks need to have 3 components: An Asset, a Threat and a Vulnerability



Threats come in 4 categories according to NIST: Accidental, Adversarial, Structural or Environmental

Risk = Likelihood * Impact

Many if not most IRM tools use a 25 point scale to evaluate risk, such that a risk appetite can be agreed with the board of typically 15 (or lower for more mature or risk adverse organizations) and any identified risk above that threshold needs to be dealt with. Risks are typically dealt with via remediation, eradication, transfer, or by compensating controls. Once identified, risks should be prioritized and entered into a risk register and remediation plans drawn up.

Overall Risk
Impact	Disastrous (5)	Low	Medium	High	High	Critical
	Major (4)	Low	Medium	Medium	High	High
	Moderate (3)	Low	Low	Medium	Medium	High
	Minor (2)	Low	Low	Low	Medium	Medium
	Insignificant (1)	Low	Low	Low	Low	Low
		Rare (1)	Unlikely (2)	Moderate (3)	Likely (4)	Almost Certain (5)
	Likelihood

Clearwater uses a 25 point scale from zero to 25 as do many other leaders in the IRM space.

New Tools

Before investing in a new tool, figure out how long its going to take to put that tool into production and what level of effort it will take to get there. Till that tool goes live its nothing more than expensive shelf-ware and could become a thorn in your side if implementation proves to be longer than the board or executive team's patience.

Many security tools can require upwards of 2 years to fully implement and take their place in the defensive line up. According to CIO Magazine the average CISO tenure is now 17 months. Ponemon places it at 2.1 years. Either way, your 2 year project is unlikely to get from PO to production implementation before you move on to the next opportunity or challenge, so what does that say for the prospects of eventual completion under a different security leader? More importantly, how will your efforts been seen in hindsight - as a success or failure, especially if you aren't there to see it through?

SaaS - Would a Security Service be Better?

The nice thing about security-as-a-service is that if it begins to no longer meet your changing requirements or you fall out of love with it, then you simply part company at the end of the contract and fire-up an agreement with a competitor. It allows you to have the best protection you can afford each year and not get stuck with something out of date.

Procuring and implementing tools gets you locked into a multi-year marriage often with a spouse you have never met before. Depending on your depreciation schedules you could be stuck for 5 or 10 years. Whats-more, you will not be defended by the new tool till you have figured out how to use it and how to get it to production.

SaaS makes particular sense for smaller companies that may be resource-constrained by the number and caliber of security staff they can attract and retain in an increasingly highly competitive job market. It also makes great sense where a significant risk has been identified and where no compensating security controls can be leveraged to reduce risk exposure for the period it takes to procure, build, test and implement a new tool. When you absolutely have to have something now, a service will generally be a much more immediate fix.

More About Shiny Objects

Shiny objects may be OK when we are talking about a SaaS based service, but their shininess is very much dependent upon a thorough understanding of a solid and comprehensive risk analysis before the business can justify service procurement.

Most organizations have a hard enough time conducting a proper risk analysis let alone avoiding the distractions of shiny objects. No wonder then that so many fail.

To leave a comment, simply post it to the box below.

Read More

Hacking Healthcare Live: Bits and Bytes Meet Flesh and Blood

Possibly one of the BEST EVER demos at RSA of all time for anyone in the medical space. Watch a live simulated medical device hack as an unsuspecting ER doctor faces the reality of practice in a brave new world of insecure technologies and vulnerable patients.

Doctors Christian Dameff MD and Jeff Tully MD from the University of California Health System are joined by Josh Corman from I Am The Cavalry to demonstrate what can happen when a medical device attached to a an ER patient is hacked.

Healthcare cybersecurity is in critical condition. This session takes you to the front-line of efforts to save lives threatened by ransomware and runaway pacemakers.

Learning Objectives:
1: Understand how recent attacks and device vulnerabilities threaten patient lives.
2: Explore the recommendations of the Healthcare Industry Cybersecurity Task Force.
3: Witness a doctor undergo a live clinical simulation of a hacked medical device.

Speakers
Dr. Christian Dameff, Emergency Physician and Clinical Informatics Fellow, University of California San Diego
Dr. Jeff Tully, Anesthesiologist and Pediatrician, University of California Davis
Josh Corman, CSO/Founder, PTC / I am The Cavalry

Hacking Healthcare Live: Bits and Bytes Meet Flesh and Blood from the 2018 RSA Conference.

This video demonstration starts at 0:30 and runs for approximately 45 minutes.

Read More

2018 Annual Cybersecurity Report

Cisco today released it's 2018 Annual Cybersecurity Report providing a freshly updated view into the current techniques that adversaries use to elude defenses and evade detection, along with insights and recommendations designed to help organizations and users defend against attacks.

The report is based upon a study conducted by Cisco of 3600 Chief Information Security Officers (CISOs) and security industry leaders from 26 countries.

This year’s report findings show a maturing, more sophisticated tradecraft by attackers. Case in point: adversaries are increasingly embracing encryption – meant to enhance security – to conceal command-and-control activity. The Cisco Talos threat research team reports that 50 percent of global web traffic was encrypted as of October 2017, a 12 percent volume increase from November 2016. Cisco also observed a more than threefold increase in encrypted network communication used by inspected malware samples during that time. As the volume of encrypted global web traffic grows, adversaries are broadening their use of encryption as a way to mask command-and-control activity, providing them more time to operate and inflict damage sight-unseen.

The evolution of ransomware was another of the most significant threat developments in 2017. By introducing network-based ransomware worms, attackers have eliminated the need for human interaction in launching ransomware campaigns. They also changed the game from pursuing ransom to the outright destruction of systems, data and operations. We all saw these rapid-moving, network-based attacks with WannaCry and Nyetya, and Cisco expects more automated crypto-worm activity in the year ahead.

The report report spotlights how adversaries are evolving their approaches to exploit new technology security gaps, particularly in IoT devices which are often exposed because they were deployed improperly or left open intentionally for convenience. This includes the growing number of medical devices in hospitals and other healthcare delivery sites, which are often not patched or maintained once purchased.

See the full report for additional perspectives and what defenders can do to to set the security bar higher.

Read More

New Zealand Healthcare - Just Keeping its Head Above Water!

New Zealand Healthcare - Just keeping its head above water.  Photo: Hamish Clark.

Securing the delivery of healthcare services in New Zealand faces many of the same challenges as in other mixed public / private health systems. Chronic under-funding of the public health system by government austerity measures is putting pressure on a system already overloaded. Net immigration to New Zealand is combining with a rapidly aging population that is living longer, and contributing to increased patient numbers and demand for services. Hospital administrators have been forced to make tough decisions to prioritize what little resources are available to only the most critical of patients. The result is that many elective surgeries especially for the elderly are in decline and little funding remains to secure and defend hospitals from cyber attack.

As a result of the crisis in the public health system and waitlists approaching a year for patients requiring surgery, those who can afford it, are switching to private healthcare delivery and health insurance. The overall percentage of healthcare services delivered via the New Zealand public system has consequently dropped to roughly 75%. A growth in private care is picking up the rest.

Could New Zealand's Health System come crashing down?  Photo: Lindsey Costa.

New Zealand spends roughly a third of the per-capita expenditure on health compared with the United States. Despite this, healthcare in the country is comprehensive yet quite inefficient, and heavily reliant upon legacy models of care, including more expensive hospital treatment. A fragmented and decentralized system of twenty District Health Boards results in repetition and duplication with wasted spending on "unique solutions to common problems", disparate "stovepipe systems", and "widely different care paths for common conditions" according to a report by Deloitte.

A lack of national uniform IT and security strategy combines with moribund health IT computer systems across DHBs, and manual labour-intensive work practices by doctors and nurses to compound inefficiencies.

The reality is that much of the national health budget appears to be squandered on administrative overhead. In fact, according to the Deloitte study, "some OECD researchers have estimated that well over 2% of New Zealand’s GDP is wasted on administrative inefficiencies."

With budget deficits and almost no money to spend on security, an increasing number of people are concerned that the whole system could come crashing down. Cyber attacks on hospitals and primary care facilities in other countries have massively damaged already fragile health systems. Attacks have caused further delays to patients awaiting treatment and life sustaining operations. If nothing changes, then the same fate may befall New Zealand one day soon.

"Its not a matter of IF but WHEN a major cyber-attack will cause massive disruption to the country’s health sector" claims Scott Arrol, Chief Executive of NZ HealthIT (NZHIT).

But the security problem is not just one of sufficient funding, its also a one of prioritization and implementation of recommendations. The British National Health Service has many similarities to the New Zealand health model and is also chronically starved of resources. Out of date and out of support computer systems, combine with fragmented NHS Trusts to result in security vulnerabilities left unremediated, leaving much of the system open to attack when WannaCry struck in May last year.

According to the UK National Audit Office (NAO) more than a third of trusts in England were disrupted by the WannaCry ransomware, and at least 6,900 NHS appointments were cancelled as a result of the attack, 139 of which were considered urgent. NHS England data shows that at least 80 out of 236 trusts were affected – with 34 infected and locked out of devices. A further 603 primary care and other NHS organisations were infected by WannaCry, including 8 per cent of GP practices (595 out of 7,454).  No information has been published on the larger impact of the NHS outage including reduced patient outcomes or increased mortality, but one can only surmise that despite the best efforts of care givers, some patients were significantly impacted by the NHS's lack of security preparations.

The attack breached NHS Digital via open SMB holes in NHS firewalls and then spread quickly through thousands of unpatched Windows machines. Most infected systems ran Windows 7, but some 18% of systems were still running the no-longer supported Windows XP operating system, which went End of Life in April 2014, some 3 years earlier!

Securing healthcare delivery is not something that can be left on the side lines till next year, to a new budget, or a new administration. The potential impact on the population of a major cyber attack is too great. With the British NHS debacle as a recent example of what can happen if security is ignored, the New Zealand Ministry of Health needs to act now - before its too late!

New Zealand Healthcare steams forward with minimal security.  Photo: Stephen Crowley.

Read More

2017: A Milestone Year for UAE

The American Hospital Dubai.

2017 was a watershed year for healthcare providers in the United Arab Emirates. Joint ventures with US, UK, European and other healthcare partners saw the start or completion of a number of large hospital construction projects, vastly expanding the number of beds and types of procedures that can be conducted throughout the emirate.

Partnerships with US-based Childrens' National Medical Center, The Cleveland Clinic, Johns Hopkins, MD Anderson, and the Mayo Clinic, have greatly helped improve care for UAE citizens, resident workers, and health tourists coming to the UAE for medical procedures.

Cleveland Clinic Abu Dhabi.

In fact health tourism is a major area of growth for both Dubai and Abu Dhabi. During a recent visit to the emirate, I was told that health tourism is on track to seeing 500,000 overseas medical tourists by 2021. Judging by the prolific amount of hospital construction evidenced during my visit and the apparent brain-drain of top physicians and healthcare administrators being lured from the west, the UAE is on track to become a major medical tourism destination.

A number of successful organ transplants took place this year including the first full heart transplant at the Cleveland Clinic Abu Dhabi, the Basmah free cancer treatment initiative got underway and Dubai achieved mandatory health insurance for all its residents, as part of a UAE-wide initiative underway to health insure the entire country.

New Medcare Women and Children's Hospital in Dubai.

New hospital facilities ready to go.

UAE is a major Health Tourism destination.

Cleveland Clinic Abu Dhabi.

The deployment of UAE's electronic medical record system continues to help improve patient outcomes and some 1.4m Dubai residents now have ‘smart’ medical records. On top of all this, plans were agreed for 2,000 more nurses, midwives and allied health professionals to be recruited by the Department of Health, Abu Dhabi.

Saudi German Hospital, Dubai.

But all is not well in paradise. 2016 and 2017 were also watershed years for cyber crime in the United Arab Emirates. Studies suggest that compared to the rest of the world, UAE and its larger neighbour Saudi Arabia, are being targeted for attack and that this is beginning to impact both oil-rich nations.

A recent study by the Ponemon Institute shows that the average cost of a data breach in Saudi Arabia and the UAE in 2017 was $4.94 million (Dh18.1 million), up 6.9 per cent since 2016. These breaches on average cost organisations $154.70 per lost or stolen record on average. On top of that, Saudi Arabia and the UAE are amongst the top spenders ($1.43 million) on post-data breach response.

The 2017 Cost of Data Breach report also revealed that malicious or criminal attacks are the most frequent cause of data breach in Saudi Arabia and the UAE. Fifty-nine per cent of incidents involved data theft or criminal misuse. These types of incidents cost companies $171.70 per compromised record, compared to $130.70 and $128.50 per compromised record as a result of a breach caused by system glitch or employee negligence, respectively.

Average cost of a data breach in UAE in 2017 was $4.94 million (Dh18.1 million)

Top factors that contributed to the increased cost of a data breach in Saudi Arabia and the UAE include compliance failures and the extensive use of mobile platforms.

Scott Manson, cybersecurity leader for the Middle East and Turkey at Cisco, said: "Cybersecurity is finally becoming a top-of-mind business objective for many with many organisations making the board hold accountability, which makes sense considering a large security breach/incident doesn't only affect finances and productivity, but can severely damage customers' trust towards the brand."

According to the study, how quickly an organisation can contain data breach incidents has a direct impact on financial consequences. Globally, the cost of a data breach was nearly $1 million lower on average for organisations that were able to contain a data breach in less than 30 days compared to those that took longer than that. On average, organisations in Saudi Arabia and the UAE took 245 days to identify a breach, and 80 additional days to contain a breach once discovered.

Most of the large recent security breaches in UAE have targeted financial institutions, but as banks continue to invest rapidly and heavily in security, so other UAE industries are becoming the focus of cyber criminals. That includes healthcare. With patient safety directly impacted by cybersecurity and system availability of critical treatment systems, hospitals have much more to lose in the event of a successful cyber attack. While none of the hospitals I recently visited had knowledge of a security breach, many executives acknowledged that it was only a question of time before their institution could be hit. While investment in UAE hospitals and clinics has been huge, most of the money to date, has been targeted at the direct delivery of clinical services to patients. Security and privacy have yet to catch up.

Cleveland Clinic Abu Dhabi.

As the healthcare industry in the UAE continues to develop and expand to a global provider of services to international patients, the emirate needs to invest heavily in cybersecurity and privacy capabilities to protect patient information and critical clinical information technology from cyber attack. Otherwise the huge investments in buildings, equipment and highly-skilled medical staff will all be for nothing.

Once those investments in cybersecurity controls and staff are in place, UAE will surely be on the top of many people's lists for elective medical procedures. After-all, who wouldn't want to recuperate in a luxury desert oasis!

Read More

Beverly Hills Security Summit

Beverly Hills Security Summit CISO Forum. Photo: Tina Kitchen.

• What is it that keeps your CEO and Board up at night?


• How do you communicate cybersecurity risk to the Executive Leadership Team and the board, and do you talk to enterprise risk or just technology security risk?


• In planning to address ELT and board risk concerns, how are you going about the development of a security risk remediation plan?


• Have you considered the development and maintenance of a multi-year enterprise Security Roadmap and do you have anyone to help you in its development?


• What approaches work best at other healthcare entities and what can we all learn from one another?

Richard Staynings. Photo: Tina Kitchen.

These were just some of the discussion points between the assembled Chief Information Security Officers and other senior healthcare leaders during a Leadership Roundtable at the Beverly Hills Health IT Summit and Security Forum today.

The event was held at the Sofitel Los Angeles at Beverly Hills, and attracted several hundred CISOs, CIOs, COOs,  along with various Directors of Technology, Cybersecurity and Health Information Management.

The lunch was arranged and sponsored by Optum Security Solutions, part of Optum under the UnitedHealth Group umbrella, and was hosted by Optum's Tina Kitchen.

Mark Hagland, Editor and Chief at Healthcare Informatics, and Richard Staynings of the HIMSS Privacy and Security Committee led the discussion.

Institutional reputation remains one of the biggest concerns, particularly at high profile clinics attended by celebrities, but is the patient population becoming sufficiently jaded and numb to all of the breaches of health information to walk elsewhere? And if most other healthcare delivery outlets are impacted by security breaches then where do patients go? At the end of the day, law suits and restitution notwithstanding, we heard that patients want the best possible treatment they can afford, and will suffer through the diminished reputation of a clinic in order to receive that care and attention.

The complexity of large health systems, particularly as mergers and acquisitions drive even larger conglomerates, creates political and technological barriers to the implementation of enterprise-wide holistic security controls and causes duplication of effort and expense. Where management of these systems has not been consolidated and centralized, the Enterprise Chief Information Security Officer will have an especially hard time. Numerous divisional leaders including CIOs and COOs need to be consulted before new security controls can be implemented, and this task becomes even more daunting for the CISO in research or academic health where conflicting business drivers can seriously compound problems in access to PHI.

The frequency and magnitude of attacks against healthcare continues to climb, as well-funded and highly motivated attackers, be they nation states or criminal gangs, ply their craft at healthcare's expense. This is keeping all of us on our toes and stretching security in many hospitals to the limit. Understanding where threats are coming from and quickly identifying potential indicators of compromise is increasingly becoming a challenge and one where for healthcare, the need for help from specialist partners becomes increasingly evident.

Risk remediation needs to be targeted to the areas of greatest potential impact for each institution. Available resources simply don't allow for the remediation of all areas of weakness. The number of security resources available to security leaders is also a constraining factor and is leading to a dramatic increase in the consumption of managed security services from partners like Optum and others. This trend is set to continue as the availability of security resources becomes even more competitive and better-funded financial services organizations attract more and more healthcare security professionals.

Taking all these factors into account, we heard that the importance of an Enterprise Security Roadmap is becoming critical in not only security planning, but also for communication upwards of that plan to senior executives and the board. We also heard that Optum Security Solutions has had great success in helping healthcare customers to develop and maintain security roadmaps for a wide range of healthcare entities, and these have greatly helped reduce security risk and to stave off attacks.

• Read more about Optum Security, Privacy and Compliance


• Read more about Optum Managed Services

Overall the lunchtime session resulted in a full and frank exchange of ideas from assembled guests along with a better understanding of what seems to work best in a healthcare environment, where compliance, institutional reputation and patient safety all play a critical role.

Attendees included:

• Sriram Bharadwa, CISO, UC Irvine Health
• Carl Cammarata, CISO, Northwestern University - Feinberg School of Medicine
• Cris Ewel, CISO, UW Medicine
• Mark Hagland, Editor and Chief, Healthcare Informatics
• Norman Hibble, County of San Luis Obispo - Health Agency
• Chris Joerg, CISO, Cedars-Sinai
• Tina Kitchen, Sr. Solutions Executive, Optum
• Surya Mishra, IT Director, Blue Cross Blue Shield Association
• Olaf Neumann, CIO, Inland Behavioral and Health Services, Inc.
• Casie Phillips, Regional Manager, Healthcare Informatics
• Richard Staynings, HIMSS Privacy and Security Committee

Thanks to everyone for their participation and a great exchange of ideas.

Photo: Tina Kitchen.

Read More

Securing Health IT Value

Richard Staynings kicks off the VA HIMSS Annual Conference.  Photo: David Stewart.

One of the fundamental conditions to deliver health IT value is security. Without it Health IT Systems cannot protect confidential data, validate the integrity of medical records, or ensure that clinicians can access IT systems in order to treat patients.

The recent WannaCry attack that took out part of the British NHS, and other ransomware attacks that have crippled hospitals all over the U.S. should be a wake-up call for healthcare leaders. Without security, health IT can be a liability rather than an asset. Furthermore, cybersecurity and patient safety are now inextricably joined at the hip.

Richard Staynings works the audience. Photo: David Stewart.

Emerging and new technologies will help drive the efficiency and security of Health IT, but their adoption or readiness for widespread production use, may be 3 to 5 years away. New technologies require planning and forethought, and not all of them will be suitable for everyone. Given the pace of change and the inability of many healthcare payers and providers to attract and retain top cybersecurity talent, alternative approaches to the consumption of these new capabilities may be necessary.

Rather than hire, build and integrate, it may be faster and more cost effective to procure capabilities as a service. This is particularly so in security where fierce competition to attract and retain cyber resources places the healthcare industry at a disadvantage compared to other better paying employers.

Keynoting VA HIMSS 17. Photo: David Stewart.

This was the theme of my keynote presentation today at the Virginia HIMSS Conference at the Kingsmill Resort in in Williamsburg, VA. attended by just under 400 of the Commonwealth’s healthcare technology leaders and those that help to keep them being successful.

Machines already outnumber Humans. Photo: David Stewart.

My keynote was followed up later in the day with a second High Impact Ted style talk on the changing face of security and IoT in a healthcare environment. I think I had everyone's undivided attention!

My special thanks for the VA HIMSS Executive Team for making me feel so welcome and for an extremely well planned and organized event. And what an idyllic location for a day of charity golfing followed by two days of educational conference! I'll have to remember this place. Your hospitality was inspiring as were all of the speakers who presented.

Richard Staynings, Cisco. Photo: Leigh Thomas Williams.

As promised, here are links to my decks. Feel free to leverage for your own graphically assisted conversations with your boards of directors / regents, and your executive leadership team.

• KeyNote
• Topical Talk

Anyone needing CPE credits here's your link

Read More

HITSecurity Forum

Richard Staynings, HIMSS Privacy & Security Committee. Photo: Tina Kitchen.

‘Security is an industry where we are continually developing new solutions without understanding the problem we are trying to fix’.

This was the basis for a presentation I gave to the HIMSS Healthcare Security Forum today in Boston.

Richard Staynings presents new security technologies. Photo: Malissa O'Rourke Miot.

The session discussed the adoption of new and emerging tools and approaches to secure healthcare data and IT system availability. Tools like NGFW, Micro-Segmentation, Biometrics and MFA, Blockchain, Big Data Analytics, Machine Learning and AI. Tools that boost automation, protection, visibility, and intelligence, leading to improved threat detection, and containment of inevitable attacks.

Richard Staynings discusses new security tools. Photo: Tina Kitchen.

As with any new tool or approach, security leaders need to fully understand the costs, benefits and drawbacks before adoption, and how quickly, easily or difficult each tool can be integrated into the existing infrastructure. Furthermore, they need to be able to articulate and defend exactly what business risk gaps, each tool will address, what business benefits it will provide to the organization and what legacy tools it will retire.

As security leaders, we need to work smarter, not harder, and with an average 65 disparate security vendors in each US hospital, we need to consolidate to a smaller, leaner and more manageable toolbox.

Photo: Tina Kitchen.

Thanks to the attendees, sponsors and organizers of the HIMSS Media Healthcare Security Forum today in Boston.

Read More