Info Risk Today Podcast

3,490 episodes — Page 39 of 70

Using Predictive Analytics to Defend Against Emerging Threats

In light of the rapidly evolving cyber threat landscape, a top goal at University of Pittsburgh Medical Center is to identify and stop security incidents before the damage escalates, says John Houston, vice president, information security and privacy.

Mar 3, 2016

Cloud Computing: The Security Concerns

Attacks against the cloud, using the cloud for command and control of malware attacks, and securing endpoints are posing big worries for all industries, says Brian Kenyon of Blue Coat Systems.

Mar 3, 2016

Emerging ID Management Issues for 2016

Identity management is going to be a big issue in 2016, and emerging authentication tools, such as biometrics, could very well gain a more significant foothold, although not without posing new risks, says Steve Martino, CISO at Cisco Systems.

Mar 3, 2016

Testing Secure Texting for Healthcare

DirectTrust is beta testing a new version of its Direct protocol for secure email messaging that can support secure texting and "chats" involving health information on mobile devices, says David Kibbe, M.D., the association's president and CEO.

Mar 3, 2016

Will 2016 Be a Record Year for HIPAA Penalties?

This could be a record year for HIPAA enforcement actions by federal regulators, both in the number of resolution agreements and in the size of financial settlements resulting from breach investigations, predicts privacy attorney Adam Greene.

Mar 2, 2016

A 'Pledge' to Facilitate Secure Health Data Exchange

Lucia Savage, chief privacy officer at ONC, explains how a new "interoperability pledge" taken by dozens of large electronic health record vendors and healthcare organizations will advance secure health data exchange as well as help patients to securely share their own health information.

Mar 2, 2016

'Industrialization' of Cybercrime: Sizing Up the Impact

The "industrialization" of cybercrime, remote-access attacks and mobile-banking application and online-browser overlay attacks are trends the financial industry should monitor this year, says George Tubin of IBM Security Trusteer.

Mar 2, 2016

HIPAA Audits: A Progress Report

The HHS Office for Civil Rights is making progress toward launching the long-awaited next round of HIPAA compliance audits, which will consist mostly of desk audits. In a critical step, it plans to release its proposed new audit protocol in April, says Deven McGraw, OCR's deputy director of health information privacy.

Mar 2, 2016

Are We Approaching Security Wrong?

Too many companies that provide cybersecurity solutions are failing to focus on helping organizations control risk at a reasonable cost, argues Malcolm Harkins, CISO at Cylance.

Mar 1, 2016

Cutting Debit Fraud: Lessons from Canada

Debit fraud losses in Canada hit an all-time low in 2015, mainly because of the nearly complete migration to EMV and real-time settlement of debit payments, says Mark Sullivan, who heads fraud management for Interac, Canada's payment network. He offers important lessons for the U.S.

Mar 1, 2016

Why Bad Security Habits Are So Hard to Break

Despite the pervasiveness of data breaches, healthcare organizations are still playing catch-up on implementing strong, risk-based security programs, rather than focusing solely on HIPAA compliance, says David Finn of Symantec. He offers a preview of his session at the HIMSS 2016 Conference about a new survey.

Feb 29, 2016

DHS Eyes Malware Provenance to Identify Malicious Code

The Department of Homeland Security sees malware provenance - which identifies the attributes of malicious code - as a way to complement its signature-based Einstein intrusion detection and prevention systems to find malware that infects IT systems.

Feb 29, 2016

Adapting Cybersecurity Contests as a Recruitment Tool

Cybersecurity competitions are being adapted so employers can use them to vet the know-how of prospective employees, U.S. Cyber Challenge National Director Karen Evans says.

Feb 24, 2016

Cloud Security: It's Now an Enabler

It used to be that security was the one big barrier to organizations embracing the cloud. But Troy Kitch of Oracle says that not only is that barrier coming down, but now leaders are seeing cloud as a security enabler.

Feb 24, 2016

PCI DSS Update: What to Expect

The PCI Security Standards Council will soon release an update to its PCI Data Security Standard, requiring the use of multifactor authentication for administrators who have access to card data networks. In an interview, the council's Troy Leach explains the new requirements and compliance expectations.

Feb 24, 2016

Case Study: Practical Breach Prevention, Detection Steps

In an in-depth interview, CIO Ed Ricks of Beaufort Memorial Hospital in South Carolina offers insights on how the community hospital, with limited resources, is tackling breach prevention and detection. He'll be a featured speaker at the HIMSS 2016 Conference.

Feb 23, 2016

Creating Cybersecurity Rating Systems for Cars

Automobiles have crash ratings. Do they need ratings for cybersecurity, too? In this interview, security expert Jacob Olcott of BitSight Technologies previews a session he'll moderate at the RSA Conference 2016 that will address this question.

Feb 22, 2016

The Crypto Debate: Apple vs. the FBI

It's the perfect time to debate whether the government should compel Apple to help the FBI circumvent protections blocking access to the San Bernardino shooter's iPhone. Hear Apple CEO Tim Cook, FBI Director James Comey, Sen. Marco Rubio and cryptologist Bruce Schneier in this audio report.

Feb 19, 2016

Strategies for Advanced Endpoint Protection

In 2015 alone, 84 million new pieces of malware were created. How can organizations hope to keep pace with the new strains and tactics? Through advanced endpoint protection, says John Peterson of Comodo.

Feb 19, 2016

Inside the Cybercrime Investigator's Notebook

Jeff Shaffer, a former Secret Service agent, has investigated cybercrime for more than 25 years. Now a manager at PricewaterhouseCoopers, he discusses how organizations can protect their assets better by understanding their attackers' MO.

Feb 18, 2016

Is Dridex the Most Dangerous Banking Trojan?

Kevin Haley, a researcher at Symantec, says the moneymakers behind Dridex are successfully infecting thousands of users worldwide on a monthly basis, purely through spam - making Dridex the most dangerous banking Trojan on the market today.

Feb 17, 2016

Securing Medical Devices: Essential Steps for Healthcare Providers

When it comes to medical device security, healthcare organizations need to make some bold moves to improve the cybersecurity of devices used in their environments, says medical device cybersecurity expert Stephen Grimes. He'll be a featured speaker at the HIMSS 2016 Conference.

Feb 15, 2016

Network Security - Empower Your People

When it comes to responding to network security threats, it isn't just a matter of collecting and analyzing data. It's a question of how quickly you can put that data to work in your defenses, says Dan Holden of Arbor Networks.

Feb 12, 2016

Why CISOs Need a 'Separate Voice' from CIOs

Why should CISOs not report to CIOs? And why do CISOs need more direct lines of communication with CFOs? Chris Pierson, a cybersecurity attorney and CISO who'll be a speaker at RSA Conference 2016, provides answers.

Feb 10, 2016

Privacy Takes Center Stage at RSA Conference

Privacy looks to be one of the hottest topics at RSA Conference 2016. Cisco's Michelle Dennedy shares insights on encryption backdoors as well as the likely impact of newly revised EU privacy legislation.

Feb 10, 2016

RSA Conference Turns 25

It's the 25th anniversary of the RSA Conference. What's planned for this year's landmark security event? Britta Glade, senior content manager for the conference, and Informatica CISO Bill Burns offer a preview of the RSA Conference 2016 in San Francisco.

Feb 10, 2016

Security Profession Must Get Younger

Even as the demand for security professionals grows, the outflow of practitioners from the profession is greater than the influx of fresh blood, says (ISC)² CEO David Shearer. How can this trend be effectively addressed?

Feb 9, 2016

DHS Tries to Entice Businesses to Share Cyberthreat Data

In this audio report, hear Homeland Security Assistant Secretary Andy Ozment attempt to assuage concerns raised by some business leaders who fear revealing corporate secrets by participating in cyberthreat information sharing. Others also weigh in on the issues.

Feb 5, 2016

Internet of Things: New Cyber Worries for Healthcare Sector

While the healthcare sector is finally becoming aware of the cyberthreats and risks facing medical devices, new Internet of Things health devices are quickly creating new vectors for cyberattacks, warns cybersecurity expert Tyler Cohen Wood.

Feb 5, 2016

Be Secure and Comply in a Hybrid Cloud Environment

It's the ultimate challenge for government agencies: How can they be both secure and compliant - especially when operating in a hybrid cloud environment? Trend Micro's Ed Cabrera offers insight into the unique challenges and emerging solutions.

Feb 3, 2016

How Yahoo Hacks Itself

Chris Rohlf, Yahoo's penetration testing and red team leader, describes how he helps the company take a proactive security approach - and the skills required to get the job done.

Feb 3, 2016

Medical Device Cybersecurity Risks: Measuring the Impact

A new methodology for assessing whether a medical device cybersecurity issue is likely to pose a danger to patients should be available later this year, says cybersecurity researcher Billy Rios in this in-depth interview.

Feb 1, 2016

How Will GRC Take on Mobility, IoT?

Mobility and IoT are acknowledged by security practitioners to be a whole different beast when it comes to management. MetricStream's French Caldwell says that GRC likewise needs to change its paradigm to accommodate this disruption.

Feb 1, 2016

Are Retailers Improving Cybersecurity?

Retailers have been at the center of high-profile breaches and an ongoing debate with banking institutions. But Brian Engle of the Retail Cyber Intelligence Sharing Center says cross-industry collaboration is helping retailers improve cybersecurity.

Feb 1, 2016

Absolute Data & Device Security

When is a breach not a breach? When you can prove that sensitive data has not been accessed - even off a lost or stolen device. And the way to ensure that, says former prosecutor Stephen Treglia, is through Absolute Data & Device Security.

Jan 29, 2016

Fixing Broken Risk Assessments

Because cybercriminals are targeting the healthcare sector, organizations must regularly assess the security risks in all their applications, not just those containing protected health information, says risk management expert Angel Hoffman.

Jan 28, 2016

Tips on Overcoming Security 'Paralysis'

Despite their limited resources, smaller healthcare provider organizations must overcome "paralysis" and ramp up efforts to safeguard information systems or risk becoming potential gateways for breaches at larger organizations, says Michael Kaiser of the National Cyber Security Alliance.

Jan 27, 2016

Common Security Mistakes by Startups

A successful startup is fueled by passion, speed and innovation - all enabled by technology. Not securing this technology layer from day one can therefore have expensive consequences later. IEEE's Diogo Mónica shares security insight for startups.

Jan 27, 2016

Phishing: How to Counter Targeted Attacks

Sophisticated phishing campaigns, increasingly targeted because of social media, are fueling business email compromises - a growing wire fraud scheme that is attacking businesses worldwide, says Jim Hansen of PhishMe.

Jan 26, 2016

Intermountain CIO Describes Patient ID Challenges

Why is devising a reliable patient identifier such a critical issue? Because matching a patient to the wrong records creates serious safety risks as well as privacy problems, says CIO Marc Probst, who explains in an interview how he's tackling the issue at Intermountain Healthcare.

Jan 25, 2016

App Security in Healthcare: Avoiding Missteps

Healthcare organizations need to carefully scrutinize the security of electronic health records and other applications they use because encryption and other features often have shortcomings, says Chris Wysopal, CISO at the security firm Veracode.

Jan 22, 2016

EMV Update: The Rise of Mobile Payments

Because of the U.S. migration to EMV, 2016 is expected to be a watershed year for mobile payment adoption, says Randy Vanderhoof of the EMV Migration Forum. Now, he says, the industry should be more focused on new applications hitting the market than on the number of adopters.

Jan 22, 2016

The CISO's Role in Fighting Extortion

Extortion campaigns waged by cybercriminals are expected to become more damaging in 2016, putting additional pressure on CISOs to enhance protection of internal networks and educate employees about extortionists' techniques, says iSight Partners' John Miller.

Jan 21, 2016

Rivals Avoid Taking Stand on Backdoor

If presidential candidates don't have the technical know-how to take an educated stand on whether tech companies should provide the government with a backdoor to encryption, how can we judge if they'll make the right choice if they get elected?

Jan 19, 2016

Privacy Downside to Proposed HIPAA Changes

Proposed HIPAA Privacy Rule changes in pending federal legislation could lead to elimination of the requirement to de-identify patient data that's used for research purposes, raising questions about whether that data will be at a higher risk for breaches, warns data de-identification expert Khaled El Emam.

Jan 19, 2016

Special Report: Identifying Malicious Insiders

In this in-depth audio report, a panel of experts addresses the challenge of detecting insider threats and outlines the latest approaches, including "sentiment and linguistic" systems.

Jan 18, 2016

Malware: A Battle Plan for Smaller Organizations

One of the most dangerous myths about malware is that hackers aren't targeting smaller healthcare entities, says security researcher Lysa Myers, who offers mitigation insights for clinics and others.

Jan 14, 2016

2016 Health Data Privacy Regulatory Outlook

In 2016, the healthcare sector faces a variety of complex legislative and regulatory issues, especially those tied to patient privacy, says attorney Kirk Nahra. For example, new rules could emerge covering the use of patient data in research.

Jan 12, 2016

Where Will We Find Next Generation of Security Leaders?

As Art Gilliland, CEO of Skyport Systems, assesses cybersecurity in 2016, he sees distinct strengths, weaknesses and opportunities for the next generation of leaders. The question is: Where will we find these leaders?

Jan 12, 2016

Mitigating the Accidental Insider Threat

When it comes to threat detection, spotting malicious insiders is one thing. They often leave a trail. But how do you protect against the accidental insider threat? Mike Siegel, VP of Products at Forcepoint, shares strategy and solutions.

Jan 12, 2016