Covid-19 kills off 'Suprise' or 'Balance Billing'

Surprise Billing is a major cause of bankruptcy each year

The despised practice by healthcare providers of ‘surprising billing’ where the gap between what your health insurance regards as a fair and equitable charge for services and what your medical provider actually charges for that service, has been essentially outlawed during the Coronavirus epidemic.

The Department of Health and Human Services which is providing emergency funding to providers during the crisis, has tied millions of dollars in payments to its terms. Those state: "For all care for a possible or actual case of COVID-19, the provider will not charge patients any more in out-of-pocket costs than they would have if the provider were in-network, or contracted with the patient's insurance company to provide care.”

The agreement is posted on the HHS.gov page.

"HHS broadly views every patient as a possible case of COVID-19," the guidance states. "The intent of the terms and conditions was to bar balance billing for actual or presumptive COVID-19," an HHS spokesperson said late Friday. "We are clarifying this in the terms and conditions."

Many states have for a long time outlawed the practice of balance billing but some states have failed to legislate this.

HHS might have done with fine print what Congress and the White House could not do — despite bipartisan support and public outrage at the practice.

Photo: Vladimir Solomyani

Surprise Billing

Surprise billing often occurs when a patient goes to an in-network hospital for a procedure, but an out of network physicians or anesthetist is involved in the operation attempts to bill the insurance a rate much higher than the agreed upon in-network rate for his or her services. Insurance declines anything over the agreed upon rate and the patient is left footing the bill. This places the patient who was unaware of and wasn’t asked to approve any out of network services, up the proverbial creek without a paddle.

Balance billing which can sometimes amount to hundreds of thousands of dollars, is financially devastating for patients and a major cause of bankruptcy in the United States. The practice is outlawed in many states but has yet to be outlawed nationally despite bi-partisan support in Congress, thanks in part to the immense corrupting power of the healthcare lobby.

According to patient advocacy groups, certain lobbying groups later revealed to be connected to physician staffing firms owned by profit-driven private equity companies, spent millions last summer to buy political ads that targeted members of Congress who were working on legislation to end surprise billing.

Whether the fault of balance billing lies with insurance companies paying too little to cover procedures, or with some healthcare providers charging more than what insurance calls ‘market rates’ for their services, has been the subject of intense debate for years. Law suits and several media expose’s have embarrassed greedy providers and stingy insurance companies into rectifying their wrongs, but most of the media’s ire has been directed at for-profit health systems that attempt to shift costs from a growing number of Medicare and Medicaid patients where reimbursements are fixed (take it or leave it) to those with insurance who are not protected by the government from predatory billing practices.

Given the trillions of dollars currently being spent by the government on healthcare through the current epidemic, and the need to invest heavily for future pandemics, federal public health spend is at an all-time high and probably will be for the future. Not since the Second World War has the federal government surpassed insurers and individuals in the funding of critical health services to the American people. Given the rising grey tide of retirees claiming Medicare, and popular support for a universal safety net of public health services among Millennials and others, COVID-19 may have brought about some fundamental changes in health coverage and national health policy.

Read More

Business Continuity and Securing a Remote Workforce during a Pandemic Crisis

How to survive the transition from two office locations to 25,000 and still remain secure.

The COVID-19 pandemic has critically changed the traditional concept of work for a major part of the workforce, possibly forever, as office staff work from home, and traveling salesmen work opportunities by video conference with customers. But what are the implications of this change for corporate cybersecurity and how can CIOs and CISOs adapt their technology infrastructure and cybersecurity controls to this new reality? These are just some of the questions that my panel was asked to address in a recent virtual cybersecurity conference on the challenges of working through an epidemic.

With ‘Stay at Home’ orders in effect across most of the world, this of course means that many customer-facing businesses are suffering. It’s certainly not a good time to be in the airline, hotel, or restaurant business as nearly everyone stays at home. Similarly, companies that have not completed their migration to the cloud and cloud-based services may be experiencing additional difficulties necessitating that remote staff VPN into the corporate network in order to access legacy client-server systems and applications.

And of course, the COVID-19 Pandemic since its humble beginnings in Wuhan China and subsequent spread around the globe, has reaped massive emotional and economic distress, as well as the deaths of thousands, and the making of millions more sick. Whether the recent relaxation of lockdowns in China and elsewhere is a permanent condition or results in a second wave of infections remains to be seen, but the global pandemic will have lasting effects on globalization and supply chains for critical medical and other supplies. It may also permanently change the way many of us work.

Photo: William Manuel Son

The King is dead. Long live the king!

Is there really a need for companies to continue to rent expensive downtown city offices? Is it really necessary for your employees to sit in their cars each day for two hours commuting to their cube through noxious traffic pollution, or be confined to a cramped subway or train car with potentially lots of disease-carrying passengers? It took Spanish Flu 18 months to work itself out, so Trumpian notions of a full return to what was ‘normal’ in a few weeks, is unlikely even by the greatest optimists. The bigger question is do we really want to return to the way things were just for the sake of it? I would suggest not.

Now that the cat is out of the bag, and bosses have seen that their staff work just as well from home, if not more productively than from their office cubes, the argument to keep things the way they are today, suddenly has a lot more weight.

Photo: Mike Von

What Questions Should You Ask?

How should you go about securing tens of thousands of staff now working from their patios, dining room tables, or home offices, connecting to your applications and infrastructure via an over-taxed VPN back to the nearest corporate office?

How can you ensure that your staff’s home wireless internet connection is not being snooped upon if they are not encapsulating and sending everything over the VPN? Do you insist that your staff's home network is running WPA2?

Do you even know if split tunneling is enabled in your VPN and what happens when that employee needs to print something to their home printer and has to disconnect from the VPN?

Have you put in place policies for remote access such that staff are expected to update firmware on their $50 cable modem or DSL router and are they even required to change the default password on these devices?

Do you provide your staff with Integrated Services Routers (ISRs) to connection back to corporate and for VOIP calling?

Do you provide staff with a laptop running a locked-down application stack with your security tools installed? Taking home the office workstation may not be an option and trying to purchase laptops in times of mass demand is becoming almost impossible.

Do you allow your staff to use their own (BYOD) computers to access your applications and data, and if so, what do you require in the way of AV, patching and acceptable use on these machines?

These and other questions were put to my team of security subject matter experts who joined me on virtual stage for a special CTG Intelligence conference on remote business working during Covid-19. Their answers and shared insights may help you to prepare for the new ‘normal’ for as long as it lasts.

https://youtu.be/0ukVUYc4g4M

The panel includes:

Richard Staynings, Chief Security Strategist at Cylera, out of Boulder, CO, USA
Page Jeffrey, Cyber Security Consultant at Trace3, out of Colorado Springs, CO, USA.
Luke McOmie, CxO Advisor Offensive Security at Coalfire out of Westminster, CO, USA.
Steve Harrington, Managing Director at Masergy out of London, UK.
Tanya Walters, Independent Cyber Operations Advisor out of Phoenix, AZ, USA.
Anthony Dezilva, Dir. CxO Services out of Scottsdale, AZ, USA.

Read More

The growing need for Artificial Intelligence in healthcare

Healthcare needs AI and ML.

The author and other experts, discuss the growing need for Artificial Intelligence in healthcare for everything from clinical decision support to administration / revenue cycle and cybersecurity. 

Machine learning algorithms are already transforming healthcare and security tools like Cylera MedCommand, but there’s an arms race with cyber-criminals where having the right tools to identify and block an attack is becoming critical.



See the full HIMSS AsiaPac Interview


See also The Impact of AI and HIoT Related Threats from the HIMSS Show Daily

See also AI Will Radically Change Healthcare Security my keynote from HIMSS AsiaPac19

Read More

HHS in Targeted Cyber Attack

A recent attack against U.S. Health and Human Services is a lesson to us all to better manage cyber risk in a healthcare environment

The U.S. Health and Human Services Department suffered a cyber-attack on Sunday night according to Bloomberg that appears to have been purposely intended to disrupt its computer systems, and thus an attempt to undermine HHS’s response to the coronavirus pandemic gripping the country. The attack which occurred just before midnight involved overloading HHS servers with millions of hits over several hours and may have been an attempted distributed denial of service attack (DDOS). Initial investigations appear to suggest that the attack may have been the work of a foreign actor. A number of news outlets are pointing the finger towards Russia, however it may take weeks or months for a full forensic investigation before the cyber attack can be accurately attributed.

The fact is that during a healthcare crisis and a huge influx of sick patients, the resiliency of hospital and clinic IT systems becomes even more important to ensure patient survivability. Recognizing this, and with an expected escalation of threats during a national crisis, HHS had recently implemented an expanded risk-based approach to cybersecurity assessment of threats, vulnerabilities and controls.

“HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities," said Caitlin Oakley, a spokeswoman for HHS.

While this ‘risk-based’ approach to cybersecurity worked in HHS’s favor to protect it from cyber attack and to keep critical services up and running, most health systems are not so lucky. Many are still following a ‘controls-based’ approach to security, ignorant of the actual cyber-risks in their hospitals and clinics from devices they may think are safe from attack, but which have never been tested or even profiled, let alone risk-assessed.

According to an investigation conducted by Cylera last year, more than 90% of US hospitals and clinics do not have a current and accurate inventory of all IT and IoT assets that connect to their networks. This includes not only workstations and servers, but also BYOD devices like personal phones and tablets, network connected building management systems that control elevators and air conditioning, and a rapidly growing number of medical devices, many of which are managed by third-party vendors and have never been patched.

"When your patients are relying upon you to provide medical services and to possibly keep them alive through a pandemic, five, six, or seven nines availability* is an absolute must." said Richard Staynings, Chief Security Strategist with Cylera and HIMSS and AEHIS Cybersecurity Expert. "The last thing you want is for one of your un-assessed healthcare IoT devices to take down an entire hospital building or even a floor of your clinic. The availability of health IT and IoT systems is critical to the way we treat patients in today’s digital healthcare service no matter where you live or where you go to seek treatment or to get help with breathing." he added.

Automated tools like Cylera MedCommand, make extensive use of AI and ML to thoroughly risk-assess medical and other devices so you can understand risks and implement compensating security controls before something bad happens.

MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology.

Cylera has partnered with leading healthcare providers, experts, and peers to develop one the most comprehensive and integrated HIoT security solutions available for healthcare.

Learn more about the company's innovative AI based approach to medical device and other HIoT endpoint management at https://www/cylera.com

* Five nines availability indicates the expected uptime of a system i.e. 99.999% availability, (roughly 5 minutes per year). Similarly, seven nines would be 99.99999% uptime equating to 3.16 seconds downtime per year.

Read More

Medical Wearables and HIoT

Patient Safety in the era of medical wearables and Healthcare IoT: Is new technology helping us to stay healthy or introducing risks?

Medical Wearables.

Most of us now wear some form of fitness tracker and many hospitals and insurers are utilizing this 'personal health data' to supplement 'provider data' in our overall healthcare management. The volumes of healthcare data on each of us is staggering and is critical for our health management and overall well-being as patients. But what happens when that data is compromised, changed or deleted?

Like it or not healthcare delivery is more reliant upon technology today than ever before to diagnose, treat, observe, manage and monitor patients. A basic systems outage is enough to bring an entire hospital or clinic to its knees. Just look at what happened in the UK when Ransomware took down much of the NHS.

But our technology reliance is not just focused on IT systems any longer, there are a multitude of different Healthcare Internet of Things (HIoT) devices that we use to improve patient outcomes. All kinds of medical devices, from IMDs, to network connected pumps and scanners, to patient and nurse call systems, all of which are critical in direct patient care. And let’s not forget, that we cannot do without HVAC systems, elevators, power, water and other hospital building management systems, nearly all of which are now ‘smart’ and ‘connected’, often managed by business partners from thousands of kilometers away via the Internet.

What happens when these simple devices are attacked by extortionists and cyber-criminals? Does anyone even know how many HIoT devices are connected at each location, let alone when they were last patched and what security risks they pose to patients and to hospital IT systems? Just because they may be connected to an isolated network or VLAN doesn’t mean they are enclaved or segmented as far as security is concerned.

How can we gain greater visibility into what’s happening in our hospitals and become better prepared to defend ourselves from the next inevitable attack?

This was the subject of a recent presentation by the author to the HIMSS Australia Digital Health Summit in Sydney, NSW attended by many of the top thought leaders from across Australia, New Zealand and much of Asia.

The Author addresses the HIMSS Australia Digital Health Summit in Sydney. Photo: HIMSS

Medical wearables could prove to be a valuable asset in the fight to prevent on the onset of disease. Diseases that by and large, are very expensive to treat. Primary care physicians have been urging us all for years for better preventative care, yet in many countries there is still a financial disincentive to go see the doctor or a specialist. In the United States where High Deductible Health Insurance pushes patients away from seeing their care team till they have met their often massive deductible before receiving any benefits, and in the developing world where the choice is sometimes to see the doctor or feed the family for a week. A trip to the doctor is also considered as being inconvenient and time consuming by many - even when there is no charge. What better then, than to automate the monitoring and well-being of patients using simple ubiquitous tools like an Apple Watch, or a Fitbit, something that avoids having to go see the doctor and actively engages patients in their own well-being.

An Apple A Day Keeps the Doctor Away

An old adage claims “an apple a day keeps the doctor away”. It may originate from the days of scurvy and a general lack of fruits and vegetables in people's diet, but maybe there is some truth to the saying in today's hi-tech healthcare world.

Can an Apple on your wrist keep the doctor away?

A recent HIMSS survey claimed that 64% of surveyed patients might be more willing to wear an Apple Watch or a medical wearable if it means fewer trips to see the doctor.

A similar survey of hospital executives from HIMSS and AT&T found 47% of hospitals are providing wearables to patients with chronic diseases and are also conducting remote monitoring via in-home medical devices and smartphone apps.

Is this the future of regular health observation and maintenance? My Apple Watch already reminds me to get up and walk about several times a day when I have been busy sat typing or in meetings. Will future versions also tell me to cut down on my carbohydrate intake and to look for a less stressful job based upon my diet, activity levels, and heart rate?

The big question is, to what extent can consumer healthcare data be trusted as being accurate and not fudged to reduce health insurance premiums, and what should our health systems do to integrate that data into our medical record?

Australia's My Health Record.

In Australia the existing My Health Record (MHR) initiative will see the roll-out of new functionality in 2020 for apps to connect into the MHR. Australians already have the ability to view their complete medical record (unlike most other countries) so the hope is that this should be the primary place where Aussies go to check their healthcare activity and well-being. Its precisely this type of public-private partnership that will lead to improved patient outcomes and reduced spending on chronic diseases, or so its authors claim with some justification.

Consumer wearables like Apple Watches and Fitbits are just some of a huge wave of Healthcare Internet of Things (HIoT) devices that are being used to monitor, manage, diagnose and treat patients. In all but the smallest critical access hospitals, HIoT devices already well-outnumber traditional IT computers and other systems. The challenge for the industry is how to manage and secure such a broad range of fairly dumb devices at a time when the healthcare industry is under an increasing number of cyber attacks.



How should Healthcare Executives go about securing their HIoT?

Managing traditional HIT assets like servers, laptops and workstations is a touch job in a healthcare environment because of a lack of standardization and the need to run so many different versions of operating systems and legacy applications. Trying to manage hundreds of thousands of discrete HIoT devices is near impossible without the right tools. The first problem is that most healthcare providers have no idea how many devices they own, rent, or have connected to their networks, nor the risks that each of them poses to patient safety or other network assets like the EMR, so this is where we need to start.

The following workflow may be useful as a guide:

• Identify Assets – Most hospitals don’t know what they have!

• Risk Assess those HIoT Assets to NIST 800-30 or similar standards for compliance

•      Identify CVEs and Zero-Days, any known patches and apply

•      Beat up vendors for patches – some are better than others. Some are outright negligent. 

•      With hundreds of thousands of devices you will never be able to regularly patch them all!

• Identify and Map Legitimate Traffic Patterns – Ports, Protocols, IPs, etc.

• Construct a 'Zero Trust' white list of usual traffic patterns so that anomalous activities can be flagged and investigated or blocked

• Implement Micro-Segmentation as a compensating security control to protect patients and networks against devices that cannot be secured. Employ the Zero Trust white list to construct your NAC's Security Group Tags (SGTs) to automate protection.

What tools should you consider?

The good news is that this exercise is no longer a daunting labor-intensive manual process. There are first and second generation tools now available that can do this for you with varying levels of automation. Second generation tools like Cylera MedCommand, make extensive use of AI and ML to more thoroughly risk assess devices and seamlessly integrate to your existing asset management, GRC, SIEM and NAC technologies. Through a combination of passive and active security controls you can safely monitor and log traffic till you feel confident to turn your NAC to '
'active' or 'blocking' mode without having to worry that you may inadvertently isolate a device.

Cylera MedCommand.

'MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology.

The solution is built on Cylera’s 'CyberClinical' technology platform, which incorporates machine learning, behavioral analytics, data analysis, and virtualization techniques. Cylera has partnered with leading healthcare providers, experts, and peers to develop one the most comprehensive and integrated HIoT security solutions available for healthcare.

Learn more about Cylera's innovative AI based approach to medical device and other HIoT endpoint management at https://www.cylera.com.

Read More

A Healthcare Security Mismatch

Healthcare has undergone a radical transformation to digitalization and interoperability but has yet to secure or staff its new delivery model.

Richard Staynings, Chief Security Strategist with Cylera kicks off the Southwest Executive Security Round-Table in Houston with a morning keynote on ‘Patient Safety in the Era of Healthcare IoT’. Photo: Stephen McCollum.

The evolution of healthcare over the past 100 years from providing palliative care for the sick and the dying to today’s technology-intensive preventative model of health interventions has vastly improved the human condition, enabling us to beat diseases that used to ravage families and communities and to live longer and better than ever before. But digitalization has come at a cost as electronic health records (PHI), PII, and medical research IP, is easily stolen by perpetrators from around the world.

Healthcare is under attack, principally from well-funded and highly motivated outlaw nation states and organized criminal gangs who outnumber cyber defenders 5 to 1. "Its a big change from the script kiddies and hacktivists that we used to have to defend against ten or fifteen years ago," claimed Richard Staynings, who opened the day's events in Houston. "These are extremely well funded and equipped adversaries with military precision, intent on the theft of everything from western cancer research and clinical trials of new pharmaceuticals and medical procedures, to the PII and medical records of key individuals like VIPs, Presidents, and Prime Ministers."

Dr. Leanne Field from The University of Texas at Austin who also presented at the event, went on to describe how there is now a major mismatch between supply and demand for healthcare cybersecurity staff. Most hospitals and other health delivery systems are scrambling to attract and retain top cybersecurity talent. The trouble is, that healthcare cannot afford to pay the sort of salaries, stock, and bonuses that other industries like financial services can, and so is at a competitive disadvantage. Protecting healthcare also requires a different skill set from other industries because it is highly regulated and because of the life-threatening patient safety implications of poor cybersecurity in hospitals.

Highlighting the 2019 HIMSS Cybersecurity Survey Dr. Field outlined the top barriers faced by hospitals to mitigate and remediate security incidents. These include too many emerging and new threats, a lack of personnel with the appropriate cybersecurity knowledge and expertise, and lack of financial resources. In fact, until very recently, cybersecurity was not a priority for healthcare delivery organizations and so there is huge gap between current capabilities and where the industry should be, with a lot of catch-up and investment needed to bring security up to par.

However, according to the the Frost and Sullivan and (ISC)2 2017 Global Information Security Workforce Study by 2022 there will be approximately 1.8m unfilled cybersecurity positions globally. This looks particularly challenging for healthcare which badly needs to boost its cybersecurity ranks. In fact, the US Senate Cybersecurity Caucus led by Sen. Mark Warner (D. VA) recently expressed deep concern over healthcare cybersecurity workforce resource and sills shortages in a letter to all US health leaders, according to Dr. Field.

Emerging education programs at The University of Texas at Austin that focus specifically on healthcare cybersecurity may eventually help to address the skills imbalance, but with a steady escalation of attacks against the industry, the current gap between defenders and attackers is getting wider each year.

Healthcare is at a crossroads. Photo: Vladislav Babienko

"We are at a crossroads today in healthcare," said Staynings, "between old and new models of care but have yet to adjust to the reality of our new digital-integrated health model and what that means for patient safety and cybersecurity." The pieces are slowly conning together but delays and difficulties in protecting our patients and healthcare institutions introduce massive levels of risk. Risks that the industry cannot afford to take.

More information can be found here on graduate level healthcare cybersecurity programs at The University of Texas at Austin, or Dr. Leanne Field can be contacted via LinkedIn for questions https://www.linkedin.com/in/dr-leanne-field-87783023 or via The University of Texas at Austin at https://www.utexas.edu/

Read More

Cyber Risk Insurance Won't Save Your Reputation

A myopic focus on healthcare compliance has resulted in checkbox mentality, rather than a holistic risk-based approach to cybersecurity.

The financial and reputational costs associated with a security breach can be expensive and reputationally damaging. But in critical industries like healthcare, a cybersecurity attack could expose patients to some major safety risks that no amount of cyber breach insurance will likely fix.

Healthcare has historically had a myopic focus on privacy and protecting the confidentiality of patient information–largely caused by HIPAA, Caldicott, APA, PDPA, GDPR, and state breach rules. These have resulted in a skewed compliance-based approach to security by senior management and a 'checkbox mentality' of ‘have we done the minimum necessary’, rather than a holistic, risk-based approach to identify, protect, detect, respond, and recover from threats and vulnerabilities.

Risks change, and in healthcare those risks are changing quickly (as are legal liabilities and exposure to inadequate cybersecurity protection). CISOs, CROs, and GC/CLOs (General Council or Chief Legal Officers) are beginning to understand these changes and how cybersecurity posture and preparation are critical to protecting patient safety. Many of their bosses in the CEO seat are slowly beginning to understand not just their patient safety exposure in the age of digital inter-connectivity and cyber attacks, but also the potential impact on reputation.

“Cybersecurity is no longer a question of simple compliance,” said one hospital CEO at a recent US healthcare conference, “it’s about protecting the hospital’s reputation and ensuring patient safety while our systems are under attack and misbehaving."

"We purchased cyber risk insurance to cover all the un-budgeted costs associated with an attack. We keep our fingers crossed that we won’t need it.” he added.

But many insurers are now claiming that cyber attacks are an 'Act of War' and are therefore exempt from coverage under the terms of their policies, a fact that is currently being disputed in court by drug maker Merck and its insurers. So maybe the insurance, a company is counting on won't be there when really needed.

An OCR fine and the institution’s name being posted to the OCR 'Wall of Shame' is one thing, but patients being turned away or even held to ransom by cyber-attacks compromising medical devices are an entirely different order of magnitude!

Given our reliance today on HIT / HIoT systems to treat patients, there's a real risk that someone could die on us because critical systems are not available to diagnose and treat them following a cyber-attack. So too is the reputation hit when a hospital is forced to go on Full Divert following a cyber-attack as part of the British NHS had to when attacked by WannaCry in 2017. More recently, Campbell County Health in Wyoming, USA was forced to go on Full Divert following a similar cyber-attack.

“I would find it much more preferable to have HHS OCR camped out in my office examining all my papers following a breach, than the FBI walking the halls investigating a series of patient deaths at my hospital caused by a cyber-attack.” said a prominent San Francisco area CISO who preferred not to be named without clearing his statement with his employer. “One set of risks threatens executive jail time for wanton negligence, the other pretty much guarantees it,” he added.

“One set of risks threatens executive jail time for wanton negligence, the other pretty much guarantees it!”

Some years ago I did a walk-through of a hospital in Tasmania as part of its parent company’s risk assessment. The top floor was dedicated to a large and sprawling maternity department. Patient rooms with open doors and sleeping new moms and their infants lined either side of a wide corridor so nurses could come and go to check on both. Mothers and infants had similar plastic straps around their wrists with their name, D.O.B., and patient identifier. Neither were RFID-tagged. It would be very easy for someone to walk into a room, remove the sleeping child, and walk down the corridor to the elevator and take that straight to the underground parking complex. There was no physical security to stop them–only a few nurses moving in and out of rooms.

In our debrief, I asked the Obstetrician running the department what would happen if someone were to abduct a newborn. She protested at first to say that no one ever would, nor had anyone in the past – this was Tasmania - where there was a surplus of babies. But she did acknowledge that maybe this might be a problem in Sydney or Melbourne. After thinking about it for a minute, she announced, “In a small-knit community like ours, we would close! It would ruin our reputation and no one would come here to give birth again!”

The message here is that no amount of liability insurance is going to protect your reputation fully. It can cover costs for forensic investigation, breach notification, loss of business while down or recovering, and even for extortion payments if you are unable to recover critical data wiped out during a ransomware attack–but it can never cover what your customers think of you! Cyber risk insurance is valuable, but it’s no replacement for a well-functioning cybersecurity program.

Some of us continue to shop at Target following its massive breach of customer data some years ago, but most of us would never apply for a Target Card, nor would we ever consider using an email service provided by Yahoo for similar reasons!

“Once damaged, reputation is a big problem to fix” said the US hospital CEO. “It’s something that is becoming an increasing concern for all of us in healthcare. But how do you do that without spending a fortune on cybersecurity?”

Read More

The Evolution of Healthcare

The author presents to the HIMSS19 Eurasia Health IT Conference and Exhibition in Istanbul, Turkey

Healthcare has been transformed over the past century from a largely palliative care delivery model for the sick and dying to an advanced technology-infused and increasingly digitized integrated healthcare delivery model. Technology has fueled massive improvements in patient outcomes. It has enabled us to improve the human condition, to beat diseases that used to ravage families and communities, and to live longer and better than ever before. This was the subject of my presentation today at the HIMSS19 Eurasia Conference held in Istanbul, Turkey.

Increasing use of artificial intelligence and personalized genomic medicines will continue to push the boundaries of care forward in a highly positive way. But digitization comes at a cost, and that cost is in the form of new cybersecurity risks to the confidentiality, integrity, and availability of personal health data and the IT systems that are relied upon to provide care to patients. In fact, in today’s healthcare delivery model, clinicians would find it extremely difficult to maintain the current levels of patient care if health IT systems—and increasingly healthcare IoT—are not available to diagnose, treat, manage, and monitor patients.

The author between the Turkish Minister for Communications and the Deputy Minister for Healthcare
L->R: Ömer Fatih Sayan, Richard Staynings, Ömer Abdullah Karagözoğlu, Mette Harbo, Dr. Mehmet Bedii Kaya.

The number of connected IoT systems surpassed the global human population sometime around 2007-2008. Today, there are in excess of 20 billion IoT devices connected to the Internet, and most have little to no security designed into them at all! Estimates suggest that by 2050 there will be in excess of 1 trillion connected devices—many of them employed in healthcare.

With so many endpoints in our hospitals and clinics, how do we even go about tackling this expanded threat landscape? A good start is adopting a risk-based approach to healthcare security.

You can’t assess what you don’t know about, and with such a large number of medical devices and other HIoT systems used across healthcare, identifying even a basic inventory of IoT assets is an almost impossible manual task given the ever-changing number of connected devices.


That’s where tools like Cylera's MedCommand™ platform come in.

Cylera's MedCommand™ platform will identify HIoT assets, perform a full risk analysis of each device and device type, profile the legitimate traffic patterns of each device type for zero-trust security controls, alert on any anomalous traffic detected outside of legitimate traffic patterns, and even automatically remediate discovered risks with compensating security controls via a hospital’s existing network access control and/or firewall technology.

Cylera's Richard Staynings and Timur Ozekcin

Cylera is proud to be a sponsor of the HIMSS Eurasia 19 Conference

Read More

Presenting Cybersecurity to the Board

Don’t speak "geek" to the Board or you will receive a cool reception

At some point in our careers, many of us will be called upon to present to the board of directors. This could be to report the findings of an audit, compliance, or risk assessment. It could be to provide an annual or quarterly update on ‘the state of the union.’ It could be to report a recent incident. Or it could be to request support for a new initiative.

Whatever the case, presenting to the board is no straight-forward task—and newbies would be well advised to thoroughly prepare for this kind of appearance, which differs greatly from meetings with the C-Suite, peers, auditors, consultants, and technology professionals.

Board members are elected or appointed by a corporation’s shareholders to represent shareholder interests and to ensure that the company's management acts on their behalf. A board's mandate is to establish policies for corporate management and oversight, making decisions on major company issues. Every public company must have a board of directors, and in healthcare—regardless of whether that health system is "for-profit" or "not-for-profit"—boards almost always govern and provide oversight to the C-Suite.

Hospital board members are drawn from shareholders, investors, independent industry, and cross-industry experts, and often include academics and notable physicians. Overall, they are business people and know how to run a business. Most don’t understand or speak technology—they are from business/finance/physician backgrounds after all. And almost none will speak or comprehend "cybersecurity". In fact, some might even have a difficult time spelling it! They do, however, understand business enterprise risk, profit and loss, and cost of risk acceptance, transfer, and remediation.

When addressing the board, CISOs need to speak in the terms and language that board members understand, rather than the language used to report to the CIO or other members of the C-Suite. Failure to do so will result in the message being lost or largely unheard.

Most board members picked up what little they know of cybersecurity from articles they read in the Wall Street Journal and other periodicals. They lack the technology backgrounds and domain expertise to go deep to understand the technicalities of cybersecurity. So how do you establish a common language and communicate understandable metrics to the board? By translating cybersecurity risks and strategies into business risks and strategies in order to make it relevant to board members. You likely won’t get money for tools to tackle APTs, but you might get money to ensure the business stays up and running following an attack.

Richard Staynings presents to the VA HIMSS Annual Conference this week

This was the subject of a presentation I gave this week to the Virginia HIMSS Annual Conference in Williamsburg, VA, where 300 or so healthcare leaders from across the region gathered to learn and share best practices on healthcare management, technologies, security, risk, and compliance. And of course to raise money in a day of charity golfing at the beautiful Kingsmill Resort.


So what were some of the takeaways?


Make Cybersecurity Part of Broader Enterprise Risk Management:
Use similar language being used to describe other business risks for how you talk about cybersecurity. Senior executives and boards are very familiar with assessing the probability and negative impact of risks, establishing a risk tolerance level, and developing risk management plans. If you use the same approach and terminology, it will help them to understand the big picture and make more informed decisions about the actions you suggest.


Talk about Program Maturity:
Maturity models are embraced by senior management and the board because they are familiar with them from many other programs, like quality management. Use the same tactics and language to discuss cybersecurity.


People, Process, & Technology:
Help senior management understand that cybersecurity requires the orchestration of people, processes, and technology—and that they have a critical role in it. Security practitioners usually fail by myopically focusing on just technologies and tools.


Establish a Culture of Cybersecurity:
Get everyone on-board with the mission to secure the organization; from the Board and CEO all the way to Interns. Buy-in from department leaders is especially important in order to establish cross-functional support for security initiatives.


Standards and Frameworks:
Aligning the security program with a widely used security standard or framework allows you to benchmark the program against other companies and that standard. Inevitably, senior management is going to ask you, “how are we doing against other companies?” If your program can reference the NIST Cybersecurity Framework, ISO27001, or CIS CSC, you will be able to compare the maturity of your program with a broad, diverse group of companies.


Addressing the Board

• First impressions count, so dress and act appropriately. That means business formal— better to be over-dressed than under-dressed.
• Research every board member on LinkedIn or in the press.
• Get coaching from a board member or the CEO to understand what the board is looking for from you.

Define your Purpose

• What are you there for? Own it!
• Be succinct, honest, and direct—Corporate Chieftains don’t suffer fools gladly.
• Coach members on the basics but don’t treat them as fools—they don’t come from your world but they need to be educated on the basics in order to make informed decisions.
• Avoid the weeds—focus on the big picture and on business benefits, not security details.

Be Prepared

• If you are lucky you will get 5 to 8 minutes to make your case—plan and use the time wisely.
• Talk to the CEO or other executives beforehand to ask for tips and advice.
• Understand the CEOs broader agenda so you don't accidentally scuttle the big boss and do yourself out of a job at the same time.
  
• Prepare a well written brief and have the CEO’s admin print and bind copies ready for the meeting.
• Use maturity models and frameworks. This is what board members want to see. This is how they think!
• Understand how the company compares to others. Saying that something is simply a "best practice" won’t win you support.
• Anticipate questions—you’ll get lots. Be prepared with smoothly delivered confident answers.
• Be prepared for politics! Boards have their feuds and sub-agendas - try and see through the fog of war.
  

Be Strategic

• Boards are strategic, not tactical—so stay out of the details. That’s for the C-Suite to understand.
• Find metrics that tie into your mission for compliance, patient safety, up-time/availability, etc.
• Talk about reputation—it’s the board’s responsibility to protect it.

Avoid Surprises

• Boards hate surprises, so provide a pre-brief before the meeting to help them adjust to new information—especially if its bad information.
• If you do need to report a breach, focus your time on what you are doing and will do to mitigate or clean up from the attack.
  
• Keep things high-level and strategic—and above all business-focused.
• Avoid talking about specific technology, types of attacks, and especially acronyms which board member won't remember or understand.

End Result
At the end of the day, the board needs to feel confident that you as the CISO know what you are doing, and that the organization is in good hands. Presenting to the board is as much about you building your reputation with them, as it is about your program gaining the active support and sponsorship it needs in order to be successful in protecting the company.

 

Read More

HIMSS AsiaPac19 Livestream

Livestream from HIMSS AsiaPac19

Offensive Artificial Intelligence (OAI) will radically change how healthcare needs to defend itself from cyber attack and require a new approach to defense using Defensive AI tools (Defensive AI). As an industry we need to start preparing for this. This and other warnings in a live-stream from HIMSS AsiaPac19.




See also The Impact of AI and HIoT Related Threats from the HIMSS Show Daily

See also AI Will Radically Change Healthcare Security my keynote from HIMSS AsiaPac19

Read More

AI Will Radically Change Healthcare Security

The massive recent growth in cyber-attacks has become a huge concern for just about everyone all around the world. This includes individuals, business, industry, and governments. Most alarmingly this also seems to include a myriad of critical infrastructure services like healthcare which is firmly in the cross-hairs of perpetrators. Healthcare presents an easy and lucrative target for cyber-attackers for the value of PII, PHI and IP but also, for the extortion value of holding sick patients or their medical data to ransom.

The criminal underworld that is behind many of the current cyberattacks is not just highly organized and specialized, its syndicated, heavily networked across geographic and political boundaries and now forms a giant cartel - a criminal underworld of cyber crime, where the buying and selling of exploits, stolen data, and the laundering of dirty money is as business-like as the 24/7 customer service these groups provide to victims.

 

Just as South American drug lords dominate the manufacture and supply of illegal narcotics sold in the United States, the Russian Mafia and its off-shoots dominate the cyber criminal theft and extortion racket that attacks the United States, Europe and Asia. Thanks to their location in the former USSR  which lacks extradition treaties with the rest of the world, most of these perpetrators are immune from prosecution in the countries where they inflict damage. Their locations also typically lack robust local or national law enforcement, and police officers can be easily paid off to look the other way. In other words cyber criminals can act and ply their trade with impunity unlikely ever to be brought to justice. 

 

Then there are the nation-state actors, who have vast units of military intelligence cyber operatives used to attack and weaken other countries for political and economic advantage. They often push up against the boundaries of acceptability and cyber war, carefully calculating that their actions will not cause a kinetic, or major economic or diplomatic response from those attacked and injured. China leads the ranks with hundreds of thousands of PLA cyber warriors, while the Russian GRU, and FSB, are not far behind. Not without mention are also Iranian state actors or groups operating out of China on behalf of the Kim dynastic regime of North Korea.

Together, these nation states, their proxies and plain and simple opportunistic criminal cartels present a formidable foe for anyone defending a government, a nation's critical infrastructure services or any business. But cyber-attacks are increasingly becoming automated using AI to get past cyber defenses by removing the human constraint factor that causes an attacker to pause for consideration. ‘Offensive AI’ mutates itself as it learns about its environment to stealthily mimic humans to avoid detection. It is the new cyber offensive weapon of choice and will automate responses to defensive measures rather like playing chess with a computer – it learns as it goes! Anyone who has seen the movie 'War Games' a 1983 American Cold War science fiction techno-thriller, will soon realize that this assumed intelligence can be dangerous, as computers lack human reasoning, empathy or broader understanding and could easily take an attack too far.

The author presenting how AI will radically change healthcare security at the HIMSS AsiaPac19 
Annual Conference in Bangkok, Thailand.

 

Deepfakes

We are all used to critically evaluating an image to look for the tale-tale signs of photoshopping or other image manipulation before believing what we see. The same is true for audio recordings – was that really the President saying that or was it an impersonator? What we are not used to is video manipulation – this is new territory for our brains to critically process and evaluate for truth and accuracy. AI is increasingly being used in sophisticated technology to create ‘deepfakes’ where a face is superimposed on someone else’s body or the entire video is computer generated.

Deepfakes

Data Integrity

AI’s intent is not just to steal information but to change it in such a way that integrity checking will be difficult if not impossible. Did a physician really update a patient’s medical record or did ‘Offensive AI’? Can a doctor or nurse trust the validity of the electronic health information presented to them? Ransom of patient lives may not be too far away – especially at times of heightened global tensions.

Defensive AI

But AI is already being used very effectively for cyber defense across healthcare and other industries. Advanced malware protection that inoculates the LAN and responds in nano-seconds to anomalous behavior patterns. Biomedical security tools that use AI to constantly manage and secure the rising number of healthcare IoT devices as they connect and disconnect from hospital networks. AI-powered attacks will outpace human response teams and outwit current legacy-based defenses. ‘Defensive AI’ is not merely a technological advantage in fighting cyber-attacks, but a vital ally on this new battlefield and the only way to protect patients from the cyber criminals of the future. 

More Resources

See also The Impact of AI and HIoT Related Threats from the HIMSS Show Daily

See also my LiveStream TV Interview from HIMSS AsiaPac19

Read More

The impact of AI & HIoT related threats and recommended approaches

An interview with Richard Staynings, Chief Security Strategist at Cylera at the HIMSS AsiaPac 19 conference in Bangkok, Thailand.

The following article first appeared in the Show Daily of the HIMSS AsiaPac19 conference

Currently leading healthcare security strategy at Cylera, a biomedical HIoT security startup, Richard Staynings has more than two decades of experience in both cybersecurity leadership and client consulting in healthcare. Last year, he served on the Committee of Inquiry into the SingHealth breach as an expert witness in Singapore. He recently spoke to Healthcare IT News on some of the current developments in healthcare cybersecurity.

Sections:

1. AI
2. IoT
3. Keeping Abreast
4. Resources

 

 

 Q. Artificial Intelligence (AI) applications in healthcare are all the rage now, and so are cybersecurity threats, given the frequency and intensity of healthcare-related incidents. In particular, some of the cyber-attacks have become more sophisticated through the use of AI to get past cyber defenses. On the medical devices front, AI is also being used to constantly manage and secure the rising number of healthcare IoT devices as they connect and disconnect from hospital networks. How do you think the application of AI in healthcare cybersecurity will be like in the next few years?

A. Healthcare is widely considered to be an easy and soft target because “who in their right mind would attack the weak and defenseless?” …. or so the thought goes! The fact is that healthcare presents a rich target for cyber criminals because of the value of the data hosted and processed. When you couple that with a chronic historic under-investment in the development of capable cybersecurity teams and tools across healthcare, you can see why perpetrators are so keen to break in. But it’s no longer the theft of medical records, or PII that concerns me, it’s the wholesale theft of intellectual property from research universities and pharmaceuticals by outlaw nation states, (one in particular) and the potential to hold both hospitals and their patients to ransom by just about anyone - that’s what really worries me most.

I believe we are on the cusp of an AI arms race. Attackers are busy designing new attack vectors and methods to get by cyber defenses that heavily leverage AI and ML (machine learning). Advanced persistent threats (APTs) that hide unnoticed on the network for years sometimes, while gathering vital information and gradually expanding their footprint till they own the entire network, just as the attack on SingHealth in 2017 demonstrated. AI that perfectly emulates the normal acceptable behavior of users and systems on the network and as such goes undetected by even the best cyber defenses. AI that knows when someone of significance is on vacation by their spouse’s Facebook or Instagram posts and can perfectly emulate the exact way that a CEO communicates, in order to seemingly instruct Finance to make payments to an overseas supplier from their yacht on the high seas, well out of cell phone range for any chance of voice verification.

‘Offensive AI’ mutates itself as it learns about its environment to stealthily mimic humans to avoid detection. It is the new cyber offensive weapon of choice and will automate responses to defensive measures rather like playing chess with a computer – it learns as it goes. But increasingly the intent of attacks is not just to steal information but to change it in such a way that integrity checking is impossible. Did a physician really update a patient’s medical record or did ‘Offensive AI’ do it? Can a doctor or nurse trust the validity of the electronic medical information presented to them? This is the new threat and it is best executed by AI.

Did a physician really update a patient’s medical record or did ‘Offensive AI’ do it?

Why would anyone do this? Well, I can think of at least three reasons: Cyber-war, monetary extortion, and as a distraction from even more nefarious attacks against military targets or defense secrets.

AI is already being used very effectively for cyber defense. Advanced malware protection that inoculates the LAN and responds in nano-seconds to anomalous behavior patterns. Biomedical security tools that use AI to constantly manage and secure the rising number of healthcare IoT devices as they connect and disconnect from hospital networks, (just as my company, Cylera makes). AI-powered attacks will outpace human response teams and outwit current legacy-based defenses. ‘Defensive AI’ is not merely a technological advantage in fighting cyber-attacks, but a vital ally on this new battlefield and the only way to protect us all from the cyber criminals of the future.

 

 

Q. You will be conducting a cybersecurity workshop titled “The rising threat of Internet of Things - Everything from Medical Devices to Hospital Management Systems” at the upcoming HIMSS AsiaPac19 conference from October 7-10 held in Bangkok Thailand. Could you give us a primer on some of the common IoT-related cybersecurity threats in healthcare?

A. So unlike IT devices, by and large IoT devices can’t be centrally managed, patched, updated, or secured. IoT devices are simple and functional. They open and close a set of elevator doors, and move the elevator car to the desired floor. That’s all they do. They do it well and they do it millions and millions of times during their life spans.

The same is true with medical devices that administer drugs to a patient at a certain flow rate based upon the drug library, report on vital patient statistics like BP, heart rate and O2 saturation, and scan patients for broken bones, tumors, and other ailments. Most were designed at a time long before sophisticated and well-funded nation state cyber criminals, and a time when devices were by and large not connected to the Internet. Now these devices are managed remotely from hundreds of miles away by third party vendors who can do the job better, faster and cheaper than having a number of FTEs on staff locally. Thanks to digitization and inter-connectivity, devices now communicate directly with HIT applications and the EMR – something most older systems were never designed to do. And they certainly were never designed to connect securely. By network-connecting these highly insure devices we have opened Pandora’s box, and the number of network-connected HIoT devices is growing at an exponential rate.

The big question is how do we understand what we have on our networks, assess and quantify their threats and vulnerabilities, and remediate those risks in such a way that patients are not placed at potential harm from attack by medical device. How do we identify when one of these devices is behaving abnormally so we can swap it out before attempting to treat a patient based upon inaccurate data or behaviour? How can we identify when a device has been compromised and is being used to attack the hospital? These are things that physicians, nurses, and biomedical technicians are not currently trained to look for!

The global WannaCry attack, attributed to North Korea, caused a large number of hospitals especially in the UK to have to turn away ambulances and cancel procedures. It was just the tip of the extortionist’s iceberg. Forget the de-encryption of medical records for a Bitcoin fee, just wait till patients in ICU or NICU are held to ransom - maybe by the medical devices attached to them and keeping them alive. Sound far fetched? So did putting a man on the moon in the 1950s!

Q. Cybersecurity is a constantly evolving field these days with the rapid advancement of technologies as well as the increased sophistication of cyber-criminals. How do cybersecurity professionals learn to stay ahead of the curve and keep abreast of the latest developments & training?

A. Many people who remember the 'dot com' era of the late 90s will remember the term 'Internet Year' to describe the rapid pace of change affecting IT at the time. A time where a year’s worth of development would be crammed into a few months. Well in cybersecurity, things change by the week. That includes threats, vulnerabilities, threat-actors, attack-vectors, new offensive and defensive technologies, and even a few advances on the procedural front as we discover better more efficient ways of doing things.

I can’t talk for everyone in my line of work, but I spend a lot of time reading blogs, tweets and other social media posts from experts in the field, as well as a lot of articles from the cybersecurity and industry trade press like Healthcare IT News. I also read more than my share of white papers and academic journals along with the odd book or two. My reading includes developments not just in cybersecurity but also healthcare and other industries which allows me to consider the implications of new non-security technologies and how they might impact cybersecurity and risk one day.

One thing that really concerns me right now is the exponential growth in IoT – everything from network-connected home thermostats, to internet connected refrigerators, connected vehicles, to connected cities where traffic lights are optimized to allow the free passage of emergency vehicles through rush hour traffic and everything else. This is an area I spend a lot of time researching. IoT devices already outnumber the human population of the planet, and by next year there will be in excess of 20 billion network connected devices. Now consider that even a small percentage of these devices might be out to attack you and you can see the magnitude of the problem. The growth of botnets, now far overshadows unpatched Windows machines that have been turned into zombie attack systems by their real owners – the hackers and nation state cyber forces that easily took advantage of weak security and now OWN their user’s online banking information and shady personal photographs. I sometimes think you should be required to pass some sort of drivers test before being allowed to purchase a home computer!

I also consider security and industry conferences to be a great source of vital information. I probably speak at 20+ conferences every year and attend quite a few more on top of that. I always learn something from the discoveries, war stories and experiences shared by other speakers and practitioners in the space. There’s also a lot to be learned by the way healthcare is delivered and secured in different countries even though I work in quite a few. HIMSS, CHIME, AEHIS, H-ISAC, RSA, BlackHat, and KiwiCon currently top my list, as do conferences and summits put on by various publications in the space. They are all good, and if you can spare the time and afford the admission then I find that I always come away with something new as a result.

 

Q. A constant challenge for healthcare organizations is the management of limited resources and budgets for cybersecurity measures, and cybersecurity can often become an after thought. What advice would you give to them in their approach to cybersecurity, particularly in light of their resource constraints?

A. In one sentence? Treat Cybersecurity risk in the same way you treat Patient Safety because the two are inextricably linked in today’s connected digital healthcare environment. Many hospital CEOs, Boards of Directors and Ministers of Health haven’t realized this yet. The sooner they do the better for all of us.

Another piece of free advice for healthcare boards is that healthcare compliance does not equal to security. The industry suffers from a myopic focus upon protecting the confidentiality of patient data, when in fact operational and reputational risks to data integrity and system availability are far more important and potentially damaging. No one is going to die because of a confidentiality breach, they could however easily die as the result of an integrity or availability cyber-attack. The healthcare industry needs to adopt a risk-based approach to security, based upon assets rather than controls or a compliance checklist. Only then, will healthcare boards begin to understand their level of exposure, and feel inclined to do something about it.

In essence we have several giant gaps currently. A gap between the ease of a perpetrator attacking a victim, making lots of money from that attack, then walking away scott-free, versus making cyber-attacks difficult and very costly for the perpetrator – whether that perpetrator is an individual, a criminal group, or a nation state. Its rather akin to the school playground where a bully is beating up and intimidating other kids stealing their lunch money, but the school rules have yet to catch up to outlaw bullying or place CCTV or a teacher in the playground to grab any bullies by the ear and drag them to the Headmaster’s office for punishment and a corrective action plan!

The other gap we have is in resourcing. According to the Cisco Annual Cybersecurity Report, there is a 12x demand over supply for security professionals. We need to train tens of thousands of security analysts, architects, threat analysts and security operations staff for the world of tomorrow. We also need to allocate much greater budgets towards securing the future of our businesses, whether that business is a profit-making enterprise or a public service. This is a simple legal question of negligence in my opinion. If those ultimately responsible choose to ignore or accept a critical risk against the advice of their security and risk executives, then they should be held liable. Especially in healthcare where patient lives are at stake.

Everyone likes to talk about the next great level of interoperability in health IT but they haven’t figured out yet that to get there, you need to invest in cybersecurity to prevent your patients from being attacked by cyber criminals and their PII and PHI stolen or altered.

Cybersecurity and protecting patients should be viewed as a “business enabler” of new more efficient, more profitable, digital health services and should be an initial design consideration not a last-minute ‘strap-on’ where you are going to spend a lot more time and money for a less secure system. “Security by design” is where we need to be.

“Security by design” is where we need to be.

A true senior security executive, is one that sits at the right hand of the CEO and frequently addresses the board on security matters. He or she directs a comprehensive holistic cybersecurity program staffed with a solid team of security professionals. Together, they facilitate a hospital expanding its range of services to patients for the delivery of more profitable services. Services like telehealth and telemedicine that improve patient satisfaction scores, and the adoption of new riskier technologies like artificial intelligence and machine learning that will ultimately improve patient outcomes by catching tumors earlier and reducing the high costs of intervention for patients with latter stage cancer or similar diseases.

No one expected the Spanish Inquisition but it came all the same

Cybersecurity will also facilitate the advance of personalized medicine by protecting highly confidential information like someone’s genome sequence. A patient can change their name, their address, even their health number following a breach of information. They can’t even attempt to change their genetic sequence. Human cloning may sound rather SciFi but it’s not that far off. China has reportedly already accomplished this. In the fifteenth century, no one expected the Spanish Inquisition but it came about all the same. We need to think outside of the box to prepare for the challenges to our business model in healthcare and the threats and risks that we face.

Click for the original Show Daily PDF

This blog was first published by HIMSS Media and Cylera


See also AI Will Radically Change Healthcare Security

See also my LiveStream TV Interview from AsiaPac HIMSS

Read More