Info Risk Today Podcast

It's crucial for healthcare sector organizations to vet their artificial intelligence tech vendors in the same robust way they scrutinize the privacy and security practices of all their other third-party suppliers, said attorney Linda Malek of the law firm Crowell & Moring.

Manufacturing enterprises have more identities than ever to manage - human and non - and face more attacks upon these identities. Manual lifecycle management can't keep pace. Trane Technologies' Aaron Havenar talks about automated identity security measures that don't compromise operational efficiency.

Healthcare organizations should rethink some of their approach to security, enhancing focus on insider threats, improving cyber awareness training and securing mobile applications and devices, said Ryan Witt, vice president of industry solutions at Proofpoint, discussing findings of a new study.

It's yet to be determined whether a handful of states or the federal government will lead the charge in adopting comprehensive regulations involving the use of artificial intelligence in healthcare, said regulatory attorney Betsy Hodge, a partner in law firm Akerman.

As threat actors continue to evolve their attacks to circumvent security measures, cyber insurers are raising the bar for prospective healthcare security clients. Underwriters are increasing their scrutiny and adding new coverage requirements, said Chris Henderson of cybersecurity company Huntress.

Recent mega data breaches involving third-party vendors - such as the Change Healthcare cyberattack - are intensifying the spotlight on critical security risk management and governance issues for business associates and other suppliers, said regulatory attorney Rachel Rose.

Preparing healthcare organizations to respond to and rebound from a disruptive ransomware attack is akin to implementing a "12-step program," said Dr. Eric Liederman, CEO of consultancy CyberSolutionsMD and recently retired long-serving director of medical informatics at Kaiser Permanente.

Authentication requiring stored credentials is not only vulnerable to phishing and other compromises, but using these credentials can also be cumbersome for busy clinicians, said Tina Srivastava, co-founder of Badge, a provider of deviceless, tokenless authentication technology.

Unifying fragmented network security technology under a single platform allows for consistent policy application across on-premises, cloud and hybrid environments, said Palo Alto Networks' Anand Oswal. Having a consistent policy framework simplifies management and improves security outcomes.

The interconnectedness of medical devices, which generate data that can be distributed to multiple systems that are often managed by different policies, presents privacy concerns that device manufacturers must address, said Adam Hesse, CEO of Full Spectrum.

Healthcare groups should consider several key points about a recent Texas federal court ruling and its impact on the use of online tracker technology on the healthcare websites of HIPAA-regulated organizations, said privacy attorney Iliana Peters of the law firm Polsinelli.

The deployment of an asset management platform is helping Main Line Health gain deeper visibility and better security over the 100,000-plus medical devices and IoT gear used throughout the group's multiple hospitals and medical facilities, said CISO Aaron Weismann, who discusses the implementation.

What kind of people do cybersecurity for a living? In the past, there was a formula potential practitioners followed, but today there are many ways to get into the field and having people from diverse backgrounds is valued. The Curry brothers discuss the cybersecurity profession.

Securing an organization often requires making fast decisions, said Tom Corn of Ontinue, and AI can gather information that you can use to answer the questions you have about how to handle a security problem. Corn discusses operationalizing an AI-first approach to security.

Implementing a zero trust security approach is critical to avoid the types of major IT disruptions and massive data compromises seen in recent cyberattacks that affected the healthcare, public health and government sectors, said Clinton McCarty, CISO at National Government Services.

Red teaming is not effective for evaluating the efficacy of preventative or detective security controls, said Jared Atkinson of Specter Ops, but purple teaming is. Purple teaming as "the evaluation of security control efficacy through atomic testing, using deliberately selected test cases."

Developers are using more and more open-source code because they "want to move fast," said Cycode's Lotem Guy. But the speed of development and the continuous deployment that follows means security teams have to catch up to the fast-moving development life cycle.

Acronis President Gaidar Magdanurov discusses the need for immutable backups in the current threat landscape and highlights the benefits of integrating security measures with backup systems to facilitate automated recovery from ransomware attacks and minimize downtime.

Payment fraud is the top risk to companies across the globe. Business email compromise is continually on the rise. Johnny Deutsch, co-founder and CEO of B2B payments protection company Creednz, discusses the need to integrate security into financial processes.

Artificial intelligence technologies offer tremendous promise in healthcare, but it's crucial for organizations to carefully assess the complex data privacy concerns involved with different types of AI products and deployments, said Karen Habercoss, chief privacy officer at UChicago Medicine.

The chaos experienced by thousands of healthcare organizations in the wake of the massive Change Healthcare cyberattack and IT outage in February is proof that most organizations are simply unprepared for such devastating incidents, said Bryan Chnowski, deputy CISO at Nuvance Health.

Many healthcare organizations have discovered major gaps in business operations preparedness - the ability to quickly rebound from major IT disruptions, such as those caused by the Change Healthcare cyberattack. Jigar Kadakia, CISO of Emory Healthcare, said it's time to come up with a Plan B.

Healthcare is increasingly complex and interconnected, and the push to exchange more digital patient information among providers adds to the threat of busy staff falling victim to phishing and other scams that can jeopardize data, said Krista Arndt, CISO of United Musculoskeletal Partners.

It's critical for CISOs to study what went wrong in major ransomware IT disruptions and breaches hitting the healthcare sector and to look closely within their own organizations for similar gaps or vulnerabilities, said Michael Prakhye, CISO of Adventist HealthCare.

A study investigating the impact of ransomware attacks on hospitals and the ripple effect on nearby facilities is a call to action for policymakers to seriously address how those assaults can be better handled in the health sector, said researchers Rahi Abouk and David Powell.

By decentralizing the ownership of cybersecurity and increasing security consciousness among everyone in the organization, businesses can improve their security posture, said Dom Lombardi, the vice president of security and trust at Kandji. He discussed the concept of collaborative security.

A recent White House memo on bolstering the security and resiliency of critical infrastructure sectors calls for comprehensive mapping and risk assessment of all critical components and interdependencies within the healthcare ecosystem, said Greg Garcia of the Healthcare Sector Coordinating Council.

Updating software as new vulnerabilities are discovered persistently remains a top medical device cybersecurity challenge, said David Brumley, a cybersecurity professor at Carnegie Mellon University and CEO of security firm ForAllSecure. Solving this requires a major mindset shift, he said.

Oomnitza co-founder and CEO Arthur Lozinski discusses enterprise technology management - a solution that brings software, hardware and infrastructure asset management together in a single database and uses automation to set and enforce policies for the enterprise as a whole.

Information Security Media group CTO and CISO Dan Grosu discusses the challenges of realistically implementing the directives in President Joe Biden's executive order on artificial intelligence. Hint: He thinks it's going to be "a madhouse" if enterprises don't get more educated about AI.

While fewer healthcare websites appear to be using online trackers now than a year ago, nearly 1 in 3 firms are still using Meta Pixel and similar tech tools despite warnings from regulators and a rise in class action litigation alleging privacy violations, said Ian Cohen, CEO of Lokker.

SecurityGate CEO Ted Gutierrez said the SEC's new cybersecurity mandates give "more teeth to the idea that cybersecurity is a business problem." He discussed the need for CISOs to link cyber risk and business outcomes and other ways in which the rules affect the field of cybersecurity.

While most healthcare sector organizations hit with ransomware attacks never imagine giving in to extortion demands, the pressures they face in dealing with the crisis often push about half of them to pay, said attorney Lynn Sessions of BakerHostetler, speaking about the firm's healthcare clients.

Medical device makers submitting products for premarket approval by the Food and Drug Administration often struggle the most with cybersecurity in three major areas - design controls, providing a software bill of materials and testing, according to Nastassia Tamari of the FDA.

In this episode of the "Cybersecurity Insights" podcast, Uptycs CEO Ganesh Pai discusses unifying XDR and CNAPP to improve visibility and explains the coming shift from behavioral detection to outlier or anomaly detection, which uses sophisticated ML and AI.

Healthcare sector organizations often still struggle to implement security frameworks effectively, often not fully understanding the requirements or failing to integrate them into their overall cybersecurity strategy, said Keith Forrester of security firm Optiv, who offers tips to help.

Robotic medical devices, such as surgical gear, offer great potential to improve patient care, but the cyber risks associated with these products must be carefully addressed, said Kevin Fu, director of the Archimedes Center for Health Care and Medical Device Cybersecurity at Northeastern University.

Besides not doing cyberthreat modeling at all, some the biggest mistakes medical device manufacturers can make are starting the modeling process too late in the development phase or using it simply as a "paper weight exercise," said threat modeling expert Adam Shostack of Shostack & Associates.

Healthcare entities can easily achieve many of the cyber performance goals set by regulators if they deploy technology solutions that provide robust security by default and create an organizational culture in which security-mindedness is ingrained, said Taylor Lehmann of Google Cloud.

The National Institute of Standards and Technology's updated Cybersecurity Framework 2.0 can help healthcare organizations better formalize their governance functions to enhance their cybersecurity posture and resilience, said Robert Booker, chief strategy officer at HITRUST.

AI is on the way to embedding itself in our daily lives. CISO Sam Curry and his brother, CMO Red Curry, discuss what generative AI means for copyrights and plagiarism, the "AI bubble," and whether governing AI-derived speech will wind up limiting free speech.

The many kinds of OT and IoT gear that are not regulated medical devices but are critical to run hospitals and other care facilities present a variety of cybersecurity and patient safety concerns, said Dr. Benoit Desjardins, professor of radiology at the University of Pennsylvania Medicine.

In the aftermath of a ransomware attack several years ago, Hackensack Meridian Health embarked on transforming its cybersecurity program with the support of top leadership and increased funding and staff and by implementing critical security tools and best practices, said CISO Mark Johnson.

Healthcare organizations and makers of medical devices need to think about how to safeguard their critical medical gear against future cyberthreats, including the looming dangers posed by quantum computing, said Mike Nelson, global vice president of digital trust at security firm DigiCert.

The U.S. healthcare sector needs to closely watch government regulatory and legislative developments involving artificial intelligence, including the European Union AI Act, said Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society.

It's critical for hospitals and other firms to not only prepare for how they will respond to a cyberattack but also to consider the regional impact if a neighboring provider of services needed in the community is disrupted by a serious cyber incident, said Margie Zuk of Mitre.

Healthcare sector organizations need to focus their attention on meeting the "voluntary" essential and enhanced cybersecurity performance goals set out by federal regulators before they become potential mandates, said Kate Pierce, virtual information security officer at Fortified Heath Security.

The vast healthcare ecosystem disruption caused by the recent attack on Change Healthcare, which affected more than 100 of the company's IT products and services, underscores the concentrated cyber risk when a major vendor suffers a serious cyber incident, said Keith Fricke, partner at tw-Security.

The healthcare sector needs a 911-style cyber civil defense system that can help all segments of the industry, including under-resourced groups, to more rapidly and effectively respond to cyberattacks and related incidents, said Erik Decker, CISO of Intermountain Health and a federal cyber adviser.

The Department of Health and Human Services is working on grant programs and other financial programs to help under-resourced healthcare organizations deal with the cybersecurity challenges they're facing, said La Monte Yarborough, CISO and acting deputy CIO at HHS.