Plainly COVID has changed the paradigm of global healthcare delivery. The industry was forced to pivot quickly to a new and alarming reality and make changes that were necessary but largely unplanned. The pandemic brought about the greatest change to Healthcare technology and working practices ever seen outside of war.
COVID forced us to quickly provide new forms of remote delivery of healthcare services to our patients via telehealth, telemedicine and other remotely delivered services. It forced non-clinical healthcare staff out of dangerous hospitals to their homes where they could work remotely. But all these changes greatly altered the risk posture of healthcare providers and expanded the threat surface to likely attacks.
While diligent security teams have been reassessing risk and security, and slowly implementing new controls to protect against new threats and vulnerabilities, there is still a concerns of what might have been missed.
Despite new controls, what do we need to consider to make sure that these COVID changes have not
exposed our HIT / HIoT systems to elevated risks or more importantly, our patients to new safety concerns?
Cybersecurity has been a secondary consideration for hospital CEOs and their boards for decades, permeated only by minor inconvenient changes to regulations like HIPAA,
Joint Commission and HITECH. But the reality is that the healthcare industry is now the target of attack by cyber criminals looking to monetize stolen PHI, PII and research IP, or to hold providers of health services to ransom.
Plainly, this places consumers of health services at increased risk of patient morbidity and mortality. Patient safety and cybersecurity are now the same thing, interchangeable terms to describe risks to providers and consumers of health services. Yet the reality has not fully sunken in for many. There is a higher chance of you as a patient (and we are all patients at some point in our lives) being negatively impacted by a cyberattack than at any time before. Its no longer a question of convenience, cyber attacks are a question of patient safety.
Listen the the following 38 minute Fireside Chat with Janette Wider, Managing Editor of Healthcare Innovation as Richard and Janette explore the new reality of securing healthcare in a post-pandemic world.
With thousands of new medical devices and healthcare applications being designed and developed each year it's no wonder that hospitals have such a hard time securing them against cyber attack.
With new innovative technologies that improve patient care and clinical outcomes there are many costs and concerns. Integration with other HIT and HIoT systems to accomplish true interoperability becomes increasingly difficult with legacy undocumented systems.
There are also sometimes risks that need to be considered, and in today's environment of near constant cyber attack against healthcare providers and other critical infrastructure industries. Often these attacks are launched by powerful and well equipped belligerent nation states and organised crime syndicates that operate with apparent impunity from behind the iron curtain.
But if only new HIT and HIoT systems were designed with security from the outset perhaps securing these technologies would be less difficult. This was the basis of discussion at a recent MedHealth Matchmaking Mixer where HIT / HIoT innovators and manufacturers came together with technology and security experts in the health IT space.
What are the biggest challenges facing healthcare security leaders today and how do leaders navigate the almost insurmountable obstacles placed in their way?
How can we overcome a long list of clinical, financial, operational, and technology risks to secure patient safety and ensure greater operational resiliency for healthcare services?
Join me for an in-depth panel discussion on the challenges and opportunities that healthcare cybersecurity leaders are presented with today.
Speakers:
Esmond Kane, CISO Steward Health Care
Richard Staynings, Chief Security Strategist, Cylera and Teaching Professor, University of Denver University College
Michael Katz, Security Sales Specialist, Infloblox
Moderated by Janette Wilder, Managing Editor, Healthcare Innovation
Panel hosted by Healthcare Innovation as part of the NorthEast Health IT Summit and Cybersecurity Forum.
Left-right: Richard Staynings, Chief Security Strategist, Cylera; Jonathan Bagnall, Ph.D., Cybersecurity Global Market
Leader, Philips; Andrew Pearce, Senior Digital Health Strategist, HIMSS Analytics (Moderator)
Healthcare is plainly a target of cyber criminal and offensive nation-state actors. Not a week goes by without at least one hospital or clinic somewhere being targeted by cyber extortionists or thieves. When COVID started to spread outside of China, university health systems, pharmaceutical companies, and biomedical labs were the target of state cyber actors, out to steal research and formulations into treatment programs, new drugs or vaccines.
Since the world partially shut down, hospitals and clinics have been the target of organized crime syndicates, plying their ransomware tools and other forms of extortion against overwhelmed and under-protected healthcare providers. This is as true for providers in Asia Pacific as it is in the Americas or Europe.
Healthcare was forced to pivot very quickly to remote services like telehealth and telemedicine for patient services, while non-clinical staff quickly found themselves working from home or on furlough, as hospitals scrambled to figure out how they were going to pay their bills, without the usual elective surgeries and other revenue-generating activities that forms the basis of a typical independent health provider's business model.
New technologies, in many cases rapidly implemented, without the usual security assessments and testing, exposed a highly distracted industry to risks. Risks that perpetrators quickly took advantage of and used to their advantage.
This is what we are beginning to describe as the 'Attackers Arbitrage'.
Watch the linked on-demand video of the subsequent panel discussion between Jonathan Bagnall, Cybersecurity Global Market Leader, with Philips Healthcare; Richard Staynings, Chief Security Strategist with Cylera; and Andrew Pearce, Senior Digital Health Strategist, Analytics, HIMSS
It seems that every year the negative impact of a cyber attack reaches dizzying new levels – overlapping regulatory fines, restitution and identity / credit monitoring, punitive damages, and of course incident handling and clean-up costs for fixing what should have been fixed in the first place, had the organization understood the risks and not chosen to ignore them.
But it’s not just as simple as writing off some vast sum of operating profit and having to explain that loss to shareholders or governing boards. Longer term damage to reputation can take years to recover from – if at all. I know of many firms and individuals that will never do business again with an entity that lost their data and caused them so much pain. Do executives and their governing boards even consider the long-term costs of the loss of their reputation?
And what happens when someone dies as a result of a cyber-attack as happened recently at University Hospital Düsseldorf where prosecutors opened a homicide case against the Russian perpetrators of a ransomware scheme? What will be the long-term impact to the university hospital’s funding, to its patient numbers, its standing in the academic and local communities, and how many medical students, doctors and other medical professionals will want to study or work there?
Medical malpractice suits already run to tens of millions of dollars in the US. What is going to be the financial and reputational costs to a healthcare provider when patients expire on the operating table, or while connected to a medical device that is hacked by cyber criminals? Criminals seeking extortion payments or simply trying to expand their foothold on healthcare networks, while inadvertently breaking critical life-sustaining medical devices?
At this point many executives might be accusing me of raising fear uncertainty and doubt or FUD as its also known. But am I? Doesn’t the German woman who died in Düsseldorf when hospital IT systems were attacked with ransomware make this very real? I would wager that the recent German case is not alone and that many other deaths caused by hackers or weak cybersecurity have simply been reported in a different way, conveniently covering up failures in IT and IoT equipment so as to absolve providers from potential legal liability from families and regulators.
Ethical hackers like Barnaby Jack were demonstrating how easy it is to hack a medical device nearly a decade ago. Ever since, security conferences have featured numerous hackathons of medical equipment, and on-stage demonstrations how to hack an infusion pump, XRay machine, or other piece of medical equipment.
Researchers at Ben-Gurion University of the Negev demonstrated last year how easy it was to intercept medical PACS images and change them to add or remove tumors fooling the majority of radiologists and AI software alike. While Cylera last year, discovered an attack vector that can change the content of a medical DICOM image to include malware that can be used to infiltrate the healthcare network, simply by sharing or viewing a PACS image, something that happens thousands of times a day in every hospital.
This is not science fiction or FUD. This stuff is out there in the public domain and working exploits are most definitely in the wild. Another hospital or an entire health system the size of UHS could be attacked tomorrow and rendered unable to treat patients by a cyber attack against vulnerable IT or IoT assets.
Healthcare providers the world over need to gain a better understanding of what assets they have connecting to their networks and what risks each of those assets represents not only to any patients which may be attached to the device, or being treated by such a system, but also to the broader healthcare network. Any endpoint asset could be used as an infiltration vector and foothold for expanding the attack. You don't need a wooden Trojan horse to get inside the perimeter of a hospital network, just access to an insecure endpoint device. Identifying and risk assessing all your assets is absolutely critical today, and preferably to NIST SP 800-30 standards, which after all is a requirement of the HIPAA Security Rule.
But it’s not just a risk analysis that is needed to protect patients, providers also need to ensure that they have put in place adequate protections and compensating security controls. This is where many HDOs come unstuck - they simply don't have the staff cycles to even evaluate the risks, let alone remediate potential life threatening problems, even though they may already have some of the tools in place to segment high risk devices from the rest of the network.
The Cylera MedCommand platform automates this entire security risk management workflow identifying and then adding assets to an asset management system, risks to GRC and risk management tools, identifying IOCs and creating alerts via an existing SIEM or MDR, while talking directly with an existing NAC to automatically isolate and quarantine any compromised endpoints before patients are put at risk. Learn more or request a demo to understand how Cylera has used artificial intelligence and machine learning to simplify and automate what would otherwise be a labor intensive and cumbersome task.
An uptick in the Russian language criminal underground in the run up to the 2020 US presidential election, suggested a massive coordinated campaign to disrupt the United States by destructive ransomware attacks against US hospitals and other healthcare delivery organizations. Whether this was party motivated by the Kremlin to weaken democratic resolve and confidence in the US election systems is so far unknown, as is any intended manipulation of results to favor one presidential candidate over another. What is known however, is that the United States government in coordination with Microsoft and other technology companies, managed to take down the majority of an extensive global Trickbot network a few weeks before this threat was first discovered, so this may have been an attempted retribution for cyber-criminals. Trickbot is used to infect computers with Ryuk and other malicious ransomware software.
The threat was considered so great, and so many prime US hospitals mentioned by name in criminal underground conversations, that the CISA, FBI and HHS held several joint briefings for hospital executives and those who support them. These briefings outlined the nature of the threat, and advised HDOs to be on the look out for anomalous activity that could be an indicator of compromise (IOC), while patching known attack vectors and other security vulnerabilities with all due haste.
The American College of Clinical Engineering in support of its members, requested that Cylera and its threat intelligence entity CyleraLabs based in Madrid, provide a deeper drive on the Ryuk ransomware family, and brief the ACCE membership on IOCs while providing advice to member hospitals how to prevent and recover from any such attack. The following briefing and panel discussion with MDs, security leaders and clinical engineers is the result of that request.
During the early months of the Covid-19 outbreak, healthcare professionals were overworked and under-supplied. Governments were in chaos and squabbling over even the simplest of safety measures. Frontline facilities overflowed with terrified patients.
A nurse adjusts a face mask she’s been wearing for days. The message “smile for me” that she scribbled on in marker, is now as faded and hollow in message, as she feels in her ability to help the sick. She leans against a wall and checks her phone, hoping for a message from her family. She’s too afraid to go home in case she spreads the disease to her children, so she sleeps in the staff break room, along with her colleagues. Text messages are the only tether she has to hope.
An email pops into her mailbox. The subject line reads: “ALL STAFF: CORONAVIRUS AWARENESS”. The message notifies all medical personnel of facility wide online seminars to discuss new treatment measures and safety requirements. Exhausted, she clicks the link and registers for a seminar and thinks nothing more of another pointless bureaucratic task completed.
In the hours that follow, criminals use her credentials to access patient record systems, medical imaging suites and even internet-connected patient telemetry and treatment devices. By morning, every system critical to patient care is locked down with ransomware. The hospital is rendered useless. As administrators work to relocate patients to equally overloaded hospitals, medical staff resort to 1950’s paper-and-pen communication methods, slowing patient care by minutes and even hours. Those lost ticks of the clock, cost the lives of several patients with pre-existing heart conditions. This has actually happened in a hospital shuttered after a coronavirus-themed attack.
Join Mark Sangster from eSentire and the author as they discuss the cybersecurity risks of Healthcare IoT on the CyberSec Decoded Podcast.
Understaffed, under-equipped, and under-funded, for security tools and services, the healthcare industry is being targeted by cyber criminals and pariah nation states for the value of its assets. This includes its extensive PHI, PII and valuable clinical trail data and research IP.
The Russian Federation and the Peoples Republic of China have both this year, been caught red-handed attempting to steal clinical trial and research data surrounding COVID vaccines. And that says nothing of the wholesale theft of other IP from university and pharmaceutical labs, along with other research facilities going back for a decade or more in China's case.
In fact, the Chinese Communist Party (CCP) has dedicated tens of thousands of PLA officers in its various cyber divisions, to the theft of western IP and commercial trade secrets, as previously reported by Fireeye-Mandiant and many others including this blog. These actions appear to be not only purposefully targetted but part of a centrally directed campaign by Chinese leaders to ensure the success of the the CCPs 'Made in China 2025' program when it plans to be totally self sufficient from the need for western goods and services.
It is however, the rise in extortion attacks that are most worrying. A recent uptick in the level of background chatter in cyber criminal hacker forums, was cause for the FBI, HHS and CISA to issue a threat briefing that healthcare was being actively targeted by Russian Trickbot-Ryuk ransomware gangs, and that healthcare IT and security staff should be on alert. This however was not before a massive ransomware attack had decimated one more US based international health system.
After decades of under-funding and de-prioritization, how can hospitals and other healthcare providers possibly build up their cybersecurity defenses to a level that is needed to protect against a rising wave of attacks and keep patients safe? This was the subject of the first ever Healthcare Managed Security Services Forum recently attracting over 150 attendees and more than 30 speakers and panelists drawn from the crème de la crème of healthcare. A full day virtual conference that heard from CEOs, CIOs, CISOs, CMIOs, Professors and Doctors of Medicine, and more than a few experts in the field of clinical engineering and biomedical / HIoT security.
I was privileged to be asked to compère for the the all day event. Listen to the kick off below:
According to the IBM / Ponemon 2020 Cost of a Data Breach Report, data breaches cost businesses an average of $3.86 million per incident. The report is based on 524 companies that experienced data breaches globally. Unsurprisingly, the U.S. continues to have the highest average cost per breach ($8.64 million), while Brazil has the lowest one ($1.12 million).
The cost of a data breach includes losses such as lost business, legal fees, and compensation & restitution to affected customers. Its also includes rising cyber investigation expenses and fines for compliance failures. According to the report, there are 4 main areas in that lead to this growing cost. These include:
Detection, escalation, and investigation, incident handling, etc.
Lost business with customers and partners
Notification of affected parties, partners, and regulatory authorities
Cleanup and response including the remediation of vulnerabilities that should, in retrospect, have been fixed long before the breach
These sums do not include the cost of the loss of reputation, nor do they include business lost forever as a result of loss of confidence by partners and customers, some of whom may have been significantly damaged as a result of the cybersecurity incident, or the failure of the attacked company to deliver according to contractual agreements during the incident.
Nor do these figures include the expanded costs of investigation and clean up of a distributed 'remote' workforce as has become common under COVID restrictions in 2020. In such cases this average cost rises to over $4 million US dollars the report concludes.
According to the study, the average time to identify and contain a breach is 280 days, 207 days to identify the problem and 73 days to contain it. This indicates that most organizations do not have effective 24/7 security operations monitoring or incident response capabilities, and that many incidents often go unnoticed till a regulator intercedes, by investigating a discovered breach of non-public data.
While cyber-forensic investigation is not cheap by any means, the greatest costs to businesses of a breach is lost business, the reports claims, which represents about 40% of the total average cost of a data breach. In other words, out of the average $3.86 million that a breach costs, around $1.5 million is linked to loss of revenue and customers.
Most importantly however, the report points out that security breaches directly affect the company's reputation, damaging the brand and impacting acquisition and retention of business. While some consumers may be extremely fickle chasing the best deal regardless, others may be lost forever.
Healthcare
While all industries are affected by data breaches, the costs of a healthcare breach far exceeds all other verticals. It is perhaps the combination of a rich and diverse source of data - PHI, PII and IP, found in hospitals and clinics, and the regulatory protections enforced under law that make healthcare a particularly expensive breach proposition. The healthcare industry’s breach life-cycle is also longer, averaging about 329 days compared to the overall average of 280 days. That leads to higher costs. At the same time, healthcare spends less on cybersecurity than most other industry verticals, and so is an easy target for cyber criminals and pariah nation states given its relative lack of preparedness.
“Healthcare is a highly regulated industry and faces a lot of regulatory burdens when it comes to remediation of a breach, and there are a lot of additional costs with medical records compared to other types of record.” claimed Charles Debeck, senior threat analyst at IBM X-Force IRIS.
While rising CEO Fraud or Business Email Compromise (BEC) accounted for 5% of malicious breaches, the average cost of a ransomware breach was a staggering $4.44 million. Though the average cost of a breach is relatively unchanged from 2019, IBM says the costs are getting smaller for prepared companies and much larger for those that don’t take any precautions.
"If you dig deeper into the data what we saw was an increasing divergence between organizations that took effective cybersecurity precautions versus organizations that didn't." claimed Debeck.
“This divergence has been increasing year over year; the organizations that are engaging in effective cybersecurity practices are seeing significantly reduced costs, the organizations that aren't engaging in these same practices are facing significantly higher costs” he added.
"Given the massive size of recent GDPR fines, OCR penalties, and state breach rules, most of which are not reported in time, it undoubtedly makes a lot more sense to invest in security up front, rather than to throw the dice and take a chance that it won't be you that gets hit with a cyber incident," claimed Richard Staynings, Chief Security Strategist with Cylera, a pioneer in the security of medical and HIoT devices. "The problem is, that in healthcare, most HIPAA Covered Entities have at best, only a partial appreciation of where their PHI data resides. Most don't consider the thousands of medical devices on their networks, or what data resides on each of those devices. Now that HIoT devices outnumber IT endpoints such as workstations, laptops and servers, healthcare IT and security teams are often looking in the wrong places for risks and vulnerabilities," he added.
Cybersecurity interns and entry level recruits aren't dropped off by the stork - they need to be nurtured!
I have written much about the need to better equip the children of today for the jobs of tomorrow, particularly when it comes to building a knowledgeable and capable cybersecurity workforce. The Cisco Annual Cybersecurity Reports and many other organizations with a vested interest in a ensuring a good pipeline of entry level recruits, have been highlighting the gap between available resources and cybersecurity job openings for many years now. Despite theirs, and many others, best efforts, the gap between demand for cybersecurity professionals and the available supply, appears to be getting larger each year.
This is not that our cyber and technology-equipped school leavers aren't increasing numerically or in the depth of their skills, but that those numbers are not increasing fast enough to keep pace with demand.
A lot of children are also being left behind, starting school with little to no exposure to math, sciences or technology. Many lack a computer at home or any form of access to the Internet till they get to school age, by which time they are well and truly left behind. Many children today learn the basics of computing and technology at 2 or 3, at or before Pre-School. They arrive in Kindergarten with the know-how to operate a computer, engage in educational games and other learning content and will be on their way to basic programing by second or third grade. Starting early appears to be critical to success in life, and with technology as perhaps the critical pillar for academic study, work, and success after school, who can blame parents for wanting their children to be provided every opportunity for development and future success.
But many children are disadvantaged by poverty, unequal access to education and parent(s) working 3 jobs and therefore are not able to spend time with their off-spring at a critical stage of their development. This is where Tweens and Tech comes into play, providing educational technology-based summer camps and free computers to primary and middle school children in the Raleigh Durham area of North Carolina. But Tweens and Tech provides much more than that, so please read their words on their website rather than mine on this one - a great organization performing a worthy and noble cause, and one replicating quickly in other states across the country.
Today I was pleased to join a Fireside Chat with Dr. Anindya Kundu, a Senior Research Fellow at the City University of New York who has written extensively in early childhood development, Rob Martin from Cisco who helped start the Tweens and Tech organization with Derrick Thompson its founder, and two participants of the program - one a current student, the other a graduate of the program and now a teen volunteer.
Watch the video recording of our discussions below:
With the COVID-19 pandemic forcing most undergraduate and postgraduate classes online, students face multiple challenges, not least of which is securing their work and study environment from increasing levels of cyber attack.
As we are all distracted by our isolation at home, many of us forced out of our comfort zone, and with few opportunities to share concerns with others, cyber criminals know they have weak and easy targets.
The following is a video recording of a panel discussion between various University College professors of cybersecurity at Denver University.
Artificial intelligence is becoming increasingly important in the defense of healthcare providers and patients, while the number and size of cyber attacks against the industry continues to rise to unprecedented levels. All this at a time when many of us are distracted by the current pandemic and in dire need of health services - perhaps now more than ever in our past, other than perhaps in times of kinetic military conflict.
Our outdated security tools and other controls simply cannot cope with sophisticated APTs - (advanced persistent threats) from pariah nation state military espionage units. Nor can it cope with a newly emboldened Eastern Mafia, where organized crime syndicates operate with impunity from behind the former Iron Curtain, seemingly immune from local law enforcement, prosecution, or deportation to the civilized world, where law and order still largely prevail.
Many of these attacks in fact, whether conducted by military officers or proxies, are nothing more than a form of cyber warfare in order to further the political and economic objectives of their host regimes. Destabilizing the more successful west has been an ambition of the USSR since the advent of the Cold War. Today cyber attacks and information warfare add a new dimension to achieve this lasting objective in the competition for global power. Indeed this cyber conflict has been carefully engineered to take advantage of the trickle technique, where on an ongoing trickle of seemingly innocuous minor attacks has been engineered to weaken the internals of other countries over time, careful not to cross a line in the sand that might cause a massive kinetic or other response from the nation being attacked.
Mainland China's objectives appear to be similar to that of the Russian Federation in its goals of world domination, only less focused on fermenting internal division and more on obtuse power conflict and long term theft of any advantages other nations, including the Russian Federation may possess.
The fact it that as cyber defenders we need better tools to defend and protect against attackers and higher levels of automation since we are out-gunned and out-manned at least 5 to 1 attackers to defenders.
In my presentation below I talk about the rising tide of sophisticated well funded cyber adversaries, the advent of deepfakes, CEO Fraud or Business Email Compromise (BEC) as its also known, and how AI is making these scams even more convincing and difficult to detect. I talk about the need for us to develop and implement AI-based cyber defensive tools to inoculate our networks against attacks. I discuss the need to protect healthcare providers, staff and patients from attack that could result in patient harm or even death. Increased automation and machine intelligence will permit us to respond quickly and thoroughly, and to thwart attacks before patient safety and HIT system availability are impacted.
In healthcare, we need to up our game on the security front. We need to understand what we have connected to our healthcare networks and what risks they pose. We need better threat intelligence and we need better defensive tools to protect against attack. We also need to remove the need and delay for humans to intervene against attacks in process.
As healthcare continues to digitize for improved interoperability and efficiency, cybersecurity needs to be front and center in design considerations and budget allocation if more deaths are to be avoided. Watch my 30 minute presentation below for more on this subject.
An increasing reliance upon healthcare IT and IoT including thousands of medical devices and wearables to deliver health services is changing the balance of risk across the industry
There was a fine balance between health technology services, risk and security before 2020. Some would say that this balance was nothing of the sort and that the entire healthcare life sciences industry has been accepting far too many cybersecurity risks for far too long as exemplified by all the ransomware attacks against hospitals going back 5 or more years. Or the massive theft by a nation-state of Anthem's entire health insurance customer database in 2015. Most pharmaceutical and clinical research organizations have also been targeted by cyber attack and intellectual property theft for at least a decade and most recently by a number of nation-states all in search of data on COVID-19 cures. No matter how you view the evidence, the healthcare industry out-gunned and out-manned has not fared well against a well funded and highly motivated cadre of cyber thieves and extortionists.
Now enter COVID-19 this year and the massive digital transformation forced upon HDOs in order to spin-up telehealth and telemedicine plans to diagnose and treat patients from their homes rather than on-prem, and at the same time support a non-clinical workforce all working remotely from home.
The threat surface more then doubled over night and risks exploded, all at a time that healthcare CEOs were focused upon pandemic disease management, treating COVID patients, and keeping HDOs financially afloat without their lucrative elective procedures - A throw-back and lasting legacy of the "pay per service" model of US healthcare.
With furloughs of IT and in some cases security staff too, in order to stop the hemorrhaging HDOs suddenly became massively at risk of cyber-attack at precisely the worst possible time. Perpetrators quickly recognized their opportunity and the cyber attacks of 2020 bear witness to the perfect storm impacting healthcare today.
With a steady stream of new technologies to support telehealth, and the replacement of nursing staff with medical devices to monitor and manage patients remotely as far as possible, how are hospital security leaders possibly going to protect healthcare IT and IoT systems from attack and keep patients safe?
With limited budgets and security headcount (or the availability of additional security resources), automation and increased use of artificial intelligence is a CISO's only recourse. This was the subject of my panel discussion recently at the Denver AI & Automation Security Forum where I was privileged to moderate a panel of experts in the field including:
Dr. Benoit Desjardins, M.D., Ph.D, Associate Professor of Radiology and Medicine at the University of Pennsylvania,
Michael Archuleta, CIO at Mount San Rafael Hospital
Powell Hamilton, CISO at Centaura Health
Esmond Kane, CISO at Steward Health
Joe Searcy, CSO at Elemental Health
Watch the 30 minute video to hear what each of these experts had to say.
In these trying times of COVID-19, the cancellation of elective procedures and the general population "avoiding the Doctors Office like the Plague", it's no wonder that hospitals and other HDOs are furloughing staff and tightening their belts. But what does this mean for hospital cybersecurity programs?
The impact of COVID-19 on the healthcare industry has been perhaps been even more dramatic than the transportation and tourism industry, with airlines and hotels going bankrupt all over the world. Both industries have suffered a massive downturn in their traditional business and both have had to quickly pivot to the new reality of conducting business during a global pandemic. But unlike travel and tourism, healthcare has been in the forefront of a treating those infected with the SARS-CoV-2 and dealing with massive levels of disease control, while minimizing those on-site.
At the same time the delivery model for healthcare has drastically changed from on of principally elective procedures and screenings to a model where 90% of business, outside of ICU services for COVID-19 patients, is now conducted remotely via telehealth. In fact, healthcare is widely considered to have undergone the greatest single digital transformation of all time and all within the space of a few weeks, while most IT and security staff were forced to work off-site.
We are condemned to live in interesting times
Cyber-criminals know this too and have plied their craft without let-up since early March with a proliferation of spear phishing campaigns targeting often overworked healthcare staff, many of whom are now working alone from home.
But these are far from the only challenges facing the industry and those whose job it is to secure the systems, data and patient safety so vital to the delivery of healthcare services. Hear from four leaders in the healthcare security and technology space as they discuss the issues facing the sector and offer up some options and effective approaches
Richard Staynings, Chief Security Strategist at Cylera
Christian AbouJaoude, CTO at USC Keck School of Medicine.
Esmond Kane, CISO at Steward Health
Brett Cattell, Director of Systems at Robin Healthcare
A rising tide of opportunistic ransomware and targeted nation state cyber attacks against medical research labs working on cures for COVID19 has made cybersecurity a turning point for most providers.
Last week in the Cylera blog I wrote about Zero Trust which is slowly growing in popularity across organizations like Google, but has so far, only limited deployment across the healthcare industry. Zero trust may prove to be nothing more than another panacea at the end of the day against a rising tide of cyberattacks, or, it may prove to be a vital cog in the wheel that finally redresses the balance between defenders and attackers by minimizing what can be attacked. I'm betting on the latter personally.
Zero Trust works on the basis of well-known, frequently voiced, but usually not fully implemented security principles of 'Least Privilege' and 'Trust But Verify'. Trust your staff but verify their activity and don't provide them more access than they need to do their jobs. The principles are not too dissimilar to military personnel, where access is granted on the basis of 'need to know' following 'mandatory access control' principles - based upon your role, rank and assignment.
In other words instead of being given access to everything when you join an organization, you should be provided access only to what you need in order to do your job. You get a key to this box and that box but no other boxes and what you access is monitored. Essentially you have segmented or compartmentalized access rather than carte blanche. As your role or assignment changes, so certain keys are revoked and new ones are provided.
One way of looking at this segmentation approach is to think about the story of a fox in the hen house. Rather than one large hen house and one large door, segmentation places each hen in its own hen house with its own locked door. A hungry fox can then only get to one hen with each breach rather than them all at once as is the case in most hen houses today. By limiting and containing a successful attack, the fox only gets to steal one hen which may not be worth the effort to break down its coup door. The loss of one hen won’t put the farmer out of business and alerts him to the fact that there is a fox in his midst and to get his shotgun.
Of course, in this example the fox is an outside threat, but malicious insider threats are a growing concern with rising levels of cyber espionage and theft of commercial trade secrets and intellectual property by staff. The recent story of Xiaolang Zhang is perhaps a good example. Zhang, had worked at Apple in the Bay Area for several years on its autonomous self-driving car project. He announced his intention to leave the company after returning from a trip to China, in order to join a competitor XMotors (aka Xiaopeng Motors) based in Guangzhou.
Before handing in his resignation however, he trolled the Apple network for data and copied over 40GB of trade secrets, and walked out the building with a Linux server, and circuit boards. He was arrested by the FBI at San Jose airport before boarding a plane out of the country. Zhang was caught because he had gone outside of the swim-lane required for his role and had raised suspicions. 'Trust but Verify' in this case landed Zhang in court when verification of his activities took place and were found to be illegitimate.
In healthcare, there is an implicit trust across staff to do the right thing and a common belief that everyone is mission-orientated to provide the best possible patient care. However, that may not always be the case. The value of healthcare data – PII, PHI, and IP such as clinical research into new drugs and treatments is rising in value, and a number of clinical researchers have been caught stealing intellectual property of the hospital or research facility they work for.
Last year a husband and wife team, Yu Zhou, 49, and Li Chen, 46, were charged with stealing intellectual property related to pediatric medical treatments they had worked on while employed at Nationwide Children's Hospital in order to launch their own pharmaceutical company in China. When they took this company public in China, it netted them millions of dollars based on the cutting edge research developed at Nationwide Children's.
Zhou and Chen are not alone however, and nor are they the only Chinese citizens involved in medical IP theft. The NIH and FBI are investigating 180 individual cases of alleged intellectual property theft of biomedical research funded by the U.S. government, primarily involving Chinese or Chinese American researchers, The New York Times reports.
While the principles of Zero Trust and Segmentation would probably not have averted all of these attacks, it is likely that many could have been contained to smaller thefts of data, and alerts raised earlier as verification of access took place, thus alerting security staff to suspicious access.
Zero Trust is a key ingredient in helping to solve healthcare security. Not only is it a very effective preventative control, restricting access by users and objects like applications or devices to data, but it's also a critical indicator of risk, letting your operations team know when anomalous access behavior is attempted.
Anyone who maybe considering their career choices will have noticed that there are a lot of job openings in the cybersecurity space. Every week someone, somewhere, is trying to hire a cybersecurity professional, or so it seems. The job ads are full of openings and anyone with 'cybersecurity' on their Linkedin profile or online resume is probably getting connection requests from recruiters like they just won a large sum of money and offered to give it all away.
According to the Cisco Annual Cybersecurity Report for the past 5 years in a row, there has been a consistent 12x demand over supply for qualified, certified or experienced, security professionals. That means that there's currently 12 open security jobs for every person able to fill that role. With statistics like that, cybersecurity professionals will never be out of a job for long.
About one million people work in cybersecurity in the U.S., but there are nearly 600,000 unfilled positions, data from CyberSeek shows. Of those, 560,000 are in the private sector. In the last 12 months, job openings have increased 29%, more than double the rate of growth between 2018 and 2019, according to Gartner TalentNeuron, which tracks labor market trends.
Over the past couple of years, demand for cybersecurity staff has literally gone through the roof as one attack follows after another and private and public sector organizations have woken up to the fact that they need more help. In fact, by 2025, it is estimated that there will be 3.5 million unfilled cybersecurity jobs in the USA alone.
The cyber worker shortage is a particular problem with smaller organizations, everything from municipalities and law firms to hospitals and businesses, that can’t offer high enough pay to attract high-skilled workers, according to the SANS Institute. In 2020, the annual mean wage for information security analysts was $107,580, almost double the mean for all U.S. occupations combined, according to data from the Bureau of Labor Statistics. But it's not enough to meet demand and organizations are having to get creative to attract cybersecurity staff.
The Department of Homeland Security recently rolled out a new system for hiring cybersecurity personnel in that would allow federal cybersecurity workers to make as much as $255,800, equivalent to the salary of Vice President Kamala Harris. The new pay scale system was created to help the DHS compete for talent, according to the DHS.
The real problem however, is that the United States and many other OECD countries aren't training enough people in high school, university or in technical / vocational colleges.
'Vocational' versus 'Professional'
With statistics like these it's a wonder that more people aren't running towards a career in cybersecurity, but there are barriers to entry. A clean criminal record is usually required unless you can explain yourself out of prior wrongdoings. Security staff usually have access to all kinds of elevated access permissions in order to do their jobs and no one wants a potential insider working against the team. The classic Catch-22 experience trap that I'll address in more detail later, and finally the professional versus vocational dilemma, all of which confuse successful entry.
A college degree is usually not needed for a vocational job, but it is often required for professional jobs. And in the cybersecurity space the prevailing thought is that security practitioners are professionals, thus the majority of advertised positions require a degree. A recent (ISC2) report indicates that 86% of the current cybersecurity workforce has a bachelor's degree or higher. Furthermore, a quick search on Indeed.com shows about 46,000 cybersecurity jobs, of which 33,000 (>70%) require a degree.
However, ask anyone working in the cybersecurity field whether a degree is really needed for many cybersecurity positions and they would probably tell you no. What is more important they will tell you is aptitude, ability and willingness to learn, and some security experience. By posting job postings that require a degree for lower level jobs, HR and hiring managers are actually disqualifying many deserving candidates perfectly able and willing to take on that role. And because these potential candidates don't have a degree, they are usually less expensive to hire.
Everything is negotiable
Don't have a college degree but keen to work in security? Tenacity and persistence usually pays off - especially in a tight labor market. If you can show sufficient enthusiasm, passion, and willingness to learn including self-study you have undertaken then chances are you can still get an opportunity to prove yourself. Security Hiring Managers would much rather have someone on their team who is keen, and ready and willing to learn, than someone who has countless degrees and believes that they don't have to prove anything to anyone and may believe they can just cruise through life. But experience is also a factor and there lies the classic Catch-22.
How do you get a foot in the door?
How do you gain the 'experience' that everyone is asking for to get the job in the first place? Well, sometimes it can be a bit of a Catch 22 - and that's a bit of an understatement. Just read some of job postings requiring 'n' years experience for an 'entry' level position plus a current CISA, CISM or CISSP certification, the latter of which seems to have become a common entry requirement.
For those who haven't yet come across the CISSP which stands for Certified Information Systems Security Professional, it's a grueling 6 hour long multiple choice exam where every answer is correct but one is more correct than the others. But in addition to passing the exam, in order to become a CISSP, you also need 5 years of experience, or 4 years experience plus a Masters Degree in cybersecurity or a related field.
Its the classic Catch-22 - you can't get the job without the CISSP and you can't get the CISSP without the job experience!
Its also difficult though not impossible to to pass the CISA or CISM certification without at least some experience.
The truth is that job postings are written by HR professionals, most of whom have very little understanding of what the actual job they are hiring for involves. Someone should make a Hollywood movie about it and call it "Recruiters are from Mars" because they might as well be.
A classic example of this was a job posting I saw last week that wanted someone with ten years experience of Kubernetes. However Kubernetes is only five years old as a technology, so no one could possibly have more than five years experience. This post of course was quickly noticed by the security community and the job posting became the center of ridicule for a few days before it was taken down. Not only did it make a mockery of the reputable company that had posted it, (I won't mention their name, but needless to say they should have known better), but it highlighted the problem of unrealistic job posting requirements.
Someone should make a Hollywood movie and call it "Recruiters are from Mars" because they might as well be.
Whether the problem ultimately lies with HR, recruiters or hiring managers, there is an unreal expectation in the cybersecurity space. This is a highly, highly, competitive space for scarce security resources and company salary scales are often totally out of touch with market rates. As an example cybersecurity professionals currently make at least 25 to 30 percent more than their peers in IT with the same years of experience and equivalent number of qualifications. Despite this, companies often use the same salary matrix for IT and cybersecurity staff given that security still reports into IT in many organization, often at the CIO level. The result is that to attract any candidates HR has to post more senior roles with higher salaries to find candidates willing to consider working for the company in the first place.
Some of the job postings that demand all kinds of experience would probably command a salary package of at least a million dollars a year if someone had all of those skills, certifications and experience. While I would like to believe that security professionals in their 30s and 40s are making seven figure salary packages, that probably isn't the case for most. In other words, JOB REQUIREMENTS are nothing more than a WISH LIST.
Treat the 'JOB REQUIREMENTS' as 'DESIRED SKILLS'
But it's not just experience, the same is true for security certifications and academic qualifications.
Any recruiter claiming that 'x' security experience, plus 'y' certifications, plus 'z' masters or doctoral degrees is a MUST HAVE, simply couldn't afford to hire that candidate if he or she walked through the door tomorrow. And don't think that working in cybersecurity is a 'boys club' and not open to other sexes either. There is a steadily and growing chorus of very capable women making their mark at every level of the profession - many as CISO.
In other words, you should apply anyway. It might not work all of the time but you only need it to work once to get your foot in the door. It is after all, getting more competitive each year as more and more companies attempt to hire the few security resources that might be looking. Increasingly, companies are having to re-think who they hire, at what level, and what skills are really necessary. They are taking what they can get and providing on-the-job training instead, in order to fill vacancies and get backsides in seats. If a security job has been posted for a long time it probably means that the company is having difficulty filling the position. That might spell 'opportunity' for some.
Companies looking for security certifications will usually pay for the training, the materials and the examination if they want you to obtain one. While the Catch-22 nature of the CISSP might be out of reach for entry level candidates, get yourself certified in an easier credential such as the CompTIA Security+ or some of the SANS GIAC foundational courses. I am also a fan of the ISACA certifications CISA, CRISC, CISM, etc, and cover much of the material for these certs in the masters courses I teach at University of Denver University College. CompTIA Security+ is also included in many of the Associates Degree programs at your local community college and there are usually educational grants and stipends available to cover your fees. You just need to put in the work and most courses now are available online so you can study at nights and weekend from your home after family dinner or putting kids to bed. So you can kill two birds with one stone if you plan your study well and come out with a degree and some certifications at the same time.
A basic security certification combined with a desire to work towards a higher more widely recognized certification or qualification, and an interest and aptitude in cybersecurity might be enough to get you past a CISSP 'required' in the HR job posting and on to the next level with a Zoom or WebEx interview with the security team.
The same is true with academic certificates and degrees. Most universities are now running courses on-line thanks to COVID and many have solid cybersecurity programs at the Associates, Bachelors and Masters level. That allows you to shop around for the best course from the best university at the best price from any reputable university in the world.
The US has way too many online cybersecurity degree programs to mention here, and the UK and Australia have pivoted most of their 'on-site' programs to 'on-line' as a result of COVID, especially at the masters level. Finally, don't be put off by degree programs in non-English speaking countries, many cybersecurity programs like Germany are taught in English, are incredibly high quality, and are way less expensive than elsewhere.
There are many government grants, and university stipends available for those willing to dig a bit. Companies will also often pay for you to study for degree or certificate.
These education benefits are sometimes capped at $5,000 to $10,000 a year so you may have to plan accordingly and space out your classes to have them fully covered. On a four quarter academic system, pay for Fall and Winter Quarters in one calendar year and expense those fees, then take a course every other Quarter till you are done and have that degree certificate in your hand, all paid for by your employer. This benefits you and may result in a pay raise. It also benefits your employer since you are better skilled and qualified now and they can do more with you - like promote you into a leadership position.
It may take you several years of part time evening or weekend study, but a degree will boost your career opportunities as well as salary expectations so is most definitely worth your time. It may also exempt you from having to keep up with professional certifications like the CISSP, and pay these commercial bodies annual membership fees which can be expensive and annoying.
But How Do I Get Past Automated HR Systems?
Before ubiquitous use of the internet applying for a job involved typing up your resume or CV, making photocopies, and handwriting a cover letter for each job you wanted to apply for and then mail that package into the company. There was a cost in time and materials and this forced people to target the jobs they REALLY wanted to apply to. In the final year of my undergraduate degree, I spent several weeks mailing out over 50 hand written cover letters and resumes to companies I wanted to join on obtaining by bachelors degree. None were successful. Many to this day, never bothered to acknowledge my application or politely decline my application. A broadcast approach to job search didn't work then just as it doesn't work now.
Step forward several decades and today a candidate can blast off thousands of job applications with the click of a button. Linkedin and a heap of other web sites and services will even match your skills and experience to posted job openings and apply automatically for you. Its doubtful many candidates will even remember the names of the companies that they have applied to via these tools, especially if it was weeks ago. The result is, that today employers receive tens of thousands of resumes from all directions for a single job posting.
To cope with this deluge, most companies, somewhat to their detriment, are using automated resume scanning systems to narrow down the thousands of applications they receive. According the Wall Street Journal and a recent Harvard Business School Study these systems are filtering out thousands of good candidates; candidates that would be a good fit for the job if only they could only get in front of the hiring manager.
You might like to review your resume and fill in any employment gaps with volunteer work or study you were involved in between paid jobs. Gaps for pregnancy, child rearing, travel or overseas postings as a military spouse also need to be filled. Neither computer systems or recruiters like to see gaps where you did nothing for 6 months or more. As for missing certifications, you might be able to get past that by adding to your resume that you are currently studying for the CISSP, the CISA or some other "required" certification.
You might also want to try the backdoor if the front door to a company is locked. Farm your contacts on Linkedin for connections you might have to someone who knows someone who might be able to make a call or shoot an email to the right person for you with an introduction. Its all about WHO you know, whether that's directly or not. I get hit up all the time - everyone from distant relatives, to old workmates and colleagues, to former students wanting to see if I can make a warm intro for them somewhere.
Finally, you could research who the hiring manager is, or his or her boss and try and connect with them yourself via Linkedin or some other means without a warm introduction. It shows initiative and persistence. Companies would much rather hire someone who REALLY wants to work for them than simply the best candidate on paper.
If a candidate can be found without cost i.e. direct via an internal recommendation rather than through a recruiter then this could be to your advantage. Head hunters typically charge between 20% and 35% of starting salary in fees to introduce screened candidates which can be expensive. Going direct may help you to negotiate a better base salary and sign-on bonus also, since there are no indirect costs to hire you.
But you as a candidate need to start somewhere.
In the following 90 minute video, I outline:
What is cybersecurity and why is it front and center as we adopt increasing levels of automation and digitalization?
Who are the main perpetrators of cyber attacks and what are their motivations?
Why is cybersecurity so important today?
What are the security frameworks being used to secure organizations?
Why you should consider a career in cybersecurity
What are those opportunities?
How to develop a cybersecurity career strategy
What security certifications and qualifications should you consider?
This post was updated 2021.09.05 with links to the Harvard Business School study above and again on 2021.09.21 with links the the CSO article on CRISC.
The number of attacks against healthcare and hospitals continues to rise as cyber criminals and pariah nation states take advantage of the current Coronavirus crisis where hospitals in many part of the United States and around the world are distracted by large numbers of infected patients and a workforce that by and large, is now entirely remote outside of clinical care.
This was the subject of discussion for a panel of healthcare security experts today at the Washington HIMSS Chapter Meet Up.
The challenges of securing healthcare don't get any easier over time. Rising digitalization, adoption of AI and ML, a massive growth in the number of medical and other HIoT devices, and an IT & IS workforce now largely working from home, all introduce additional challenges for CISOs and CIOs.
In the Tri-State area this is compounded by the competition for scarce security resources. Lured by the lucrative salaries and stock options of the New York financial services sector, the problem is becoming acute. How can security leaders attract and retain quality security staff and keep their skills sharp enough to defend against sophisticated attacks when budgetary pressures might otherwise suggest the formation of a team of security generalists?
This was the topic of my discussion panel today with Tim Buntz, Chief of Security at Virtua Health, Esmond Kane, CISO of Steward Health, and Michael Archuleta, CIO of Mt. San Rafael Hospital.
Livestream from the HMG Live! Denver CIO Virtual Summit.
The COVID-19 pandemic has required all of us no matter what industry we focus on to re-evaluate our cybersecurity posture and controls given that most staff at most companies now work from home.
This panel of esteemed security leaders discusses the nuances of cybersecurity today and provides useful advice on what CISOs should consider in their security strategy and tactical controls.
In an escalating war of cybercrime, smaller healthcare providers are plainly losing more battles than they are winning. Is it time to try a different approach to security?
An increasing number of healthcare providers globally are succumbing to the overwhelming resources of sophisticated nation-state military espionage units and organized crime syndicates. Is it now time for some to consider throwing in the towel and transferring their cyber risks to specialist healthcare managed security services providers?
Covid-19 has transformed healthcare around the world. Many staff have been furloughed as non-emergency procedures are postponed, nearly all non-clinical employees now work from home, and telehealth has largely replaced doctor visits and consults. The attack surface has radically increased and attackers know it!
Many criminals are using this confusion and disruption to attack exposed healthcare systems. They do so for everything from simple criminal monetary gain, via ransomware attacks and other forms of extortion, to the attempted theft of clinical research, other IP, and non-public data, as we reported in our previous article.
Already outnumbered at least five to one, the odds of successfully defending a cyberattack for healthcare providers just got much worse. Would they be better, therefore passing the defensive torch to an outside team of cybersecurity experts?
This was a question I put to my panel of guests this week at the CTG Intelligence Cybersecurity Virtual Forum in Albuquerque, NM. Watch what they had to say below in this 32-minute video.
There’s nothing like a good crisis to cause a re-evaluation of how we do things. While any epidemic is sure to stress the health system of just about any country, in the United States we needed to be jarred out of our comfort zone to re-think how we do things and how we more efficiently deliver healthcare services to the population.
While no one is doubting the dedication of our doctors and nurses or the many others involved in the delivery of health services, we have unfortunately inherited a broken legacy system from the post-war 1940s that has struggled to contain costs, and to provide healthcare services to all who need them.
Unrealistic vertical demand for health services has combined with corruption and mass profit taking by certain parts of the system that has led to huge inefficiencies that divert scarce funds away from where they are needed. It has also highlighted the horrific imbalance of access to health services. One only has to look at the COVID death rates between rich and poor Americans to realize that something is very wrong.
Medical malpractice insurance doubles the costs of a medical procedure, while an overly complex and bureaucratic medical billing and insurance system creams a good percentage off the top of available funds. Reimbursement delays from insurance and patients, neither of whom can figure this stuff out compound losses, however it is the exorbitant costs of pharmaceutical drugs in the US that sucks the life out of the system. It is actually cheaper for Americans to fly to the other side of the world to purchase their US and European manufactured drugs than it is to buy them with insurance at home. This is a subject I wrote about last year to much popular acclaim in a three part story on Medical Tourism.
But public health is a 'public good' to all of us. There is an economic, social, and moral utility for the person sat next to me on the subway or an aircraft to be healthy and disease free for my own benefit, and those I work and live with. Surely this is a lesson we should have learned in the 19th century with Typhoid and other communicable diseases. Yet our national approach to pandemic disease control, appears to be closer to a King in the Middles Ages trying to containing the Black Death, than to 21st century science-based pandemic disease control - even accounting for the fact that some of our elected representatives plainly flunked out of their middle school science classes. Lets face it, US healthcare is in serious trouble. The needless deaths of hundreds of thousands of Americans to the SARS-CoV-2 virus, is just a symptomatic expression of much bigger structural problems in our health system.
In fact, COVID-19 may have just saved US Healthcare from its swan dive – and a spiraling decline of rising costs, and diminishing reimbursement rates, while much of the population is denied access. In the last decade hospitals have frantically engaged in massive cost-shifting between federal, state, IHS, and insurance systems to try and stay afloat. Many haven’t, and that has been devastating for the rural communities they once served. Let’s face it, the system has been broken for a quite a while, and we have done very little about fixing it. COVID-19 however, has changed that!
The truly massive growth in telehealth and telemedicine since February has been amazing. Doctors and nurses love it, patients love it, and it keeps the slightly sick away from those who may be highly contagious and in need of radical medical intervention. Both primary care and specialist physicians have commented how many more patients they can see per hour using video technology, but there are things that we need to fix.
This session looks at what the future of digital healthcare will be, post-COVID, using new tools, new approaches and improved broader access to health services. It will examine necessary changes to regulation, patient identity verification, cybersecurity and the rise of healthcare IoT including wearables.
Hear from two national experts as they share their thoughts for the future of US healthcare.
Cyber Thoughts is dedicated to the disclosure and discussion of cybersecurity events, trends and concerns impacting the global healthcare and life sciences industry. If this is an area of interest for you, please feel free to subscribe to the email RSS feed below, so you don’t miss anything.
Cyber Thoughts welcomes the participation of readers via the comments section of articles and from qualified guest bloggers, healthcare practitioners and cybersecurity thought leaders.
Original stories and articles may be republished for free provided that attribution is provided to the source and author.
There is a danger that our appetite for new medical technology and digital maturity is allowed to outpace our adoption of cyber maturity leading to huge gaps in our security.
Anatomy of an Attack
Ever wondered how a hacker gets inside your network?
It's remarkably easy. Watch this carefully! (You might want to maximize the window so as not to miss anything).
Hacking IoT is easy!
Still think that your IoT isn’t a risk to your business network and applications.
It’s remarkably easy. Watch this carefully! (You might want to maximize the window so as not to miss anything).
Beekeeper Attack
Share this with elderly friends and relatives. This is how hackers steal all your money.
Translate
A Career in Cybersecurity
Considering your career options and interested in getting into a role in cybersecurity? This may be for you.
Featured Interview
Livestream interview from the HIMSS AsiaPac Conference in Bangkok, Thailand.
