Airway Oxygen reported the largest ransomware attack to date to OCR’s wall of shame on June 16th, 2017. It affected 500,000 individuals, making it the second largest breach so far in 2017. I believe there are several takeaways from this incident that the industry should know about.
2017 is here, and, like any new year, promises both opportunities and challenges. The question is, what will we do with it? Will it be a year of great progress, one of marking time, or worse yet one of falling further behind? Meeting the cybersecurity challenges of the future is a job for leaders. There should be no doubt that healthcare institutions are under attack on a regular basis now from external threats, while continuing to face the insidious abuse of insiders. As the old saying goes, “they have it coming and going.”
Based on recent news and the headline of this article, you are likely expecting this will be a discussion of the irresponsible actions of the MedSec and Muddy Waters organizations that outed St. Jude Medical by disclosing vulnerabilities in the medical devices they make. Certainly this is not something I condone or support as the right path to an acceptable end, as it raised fears in the people using those devices, gave the criminal element harmful information and quite possibly
Let’s look seriously and objectively at the dangers inherent in maintaining current systems of user privileging. Sam was just another network engineer assigned to the server team at the hospital. Each engineer had two sets of credentials, one with and one without elevated privileges, and they had all been told not to use the one with privileges when just accessing the network or routine services such as email. But Sam always liked to do things his own way, and saw
The modern healthcare ecosystem is all about data and what we can do with it, which is why Data Loss Prevention (DLP) tools should be on everyone’s list of priority solutions to implement. I used to say that DLP solutions paid for themselves based on their ability to control exfiltration, and therefore reduce the risk of breaches, but these solutions are becoming far more important than that. DLP tools have the ability to help users take control of information and
Last week, the Brookings Institute published a very well-written report that accurately illustrated the current threat environment and identified the specific issues that seem to continue to plague healthcare in its efforts to fight cyber incidents. The shame of it was there was no ‘new’ news. In fact, this week seemed like deja vu as Larry Ponemon published his sixth annual report on healthcare cybersecurity, which, unfortunately, reflected a lot of the same issues as last year’s, or even the last
Even before the days of high-profile, massive PHI breaches from Anthem and other health organizations, it was up to cyber insurance companies to pay for damages from data leaks. Since breaches typically cost millions in settlements, mitigation and crisis management, it made sense that health care systems lean on cyber insurance companies to foot the bill.
When I was a kid just about everyone had a sandbox, and if you didn’t, you wanted a friend who did. Sandboxes were great terrain to fight your toy soldiers on and for building off-road tracks for your Matchbox cars. That of course is not the sandbox I’m talking about today, but the analogy with respect to having one – or wanting one – could very well be one and the same.
I’ve not spoken to a single security professional, meaning someone who carries the experience, training and certifications to be called a CISO, who believes that they can adequately protect the healthcare organization they serve by simply being compliant with HIPAA. It’s time we let the air out of that balloon. The last couple of years, and in particular last year, showed everyone that data security in healthcare was no longer for the faint of heart. Securing healthcare today is the
The eBay security breach was announced on May 21, 2014, affecting 145 million users. The hacker(s) were able to gain access to eBay’s network through an employee’s login credentials and gain access to information such as usernames, passwords, physical addresses, phone numbers, and dates of birth. Passwords were also available to the hacker(s); however, the likelihood of them being compromised is low because the passwords were in an encrypted form.