Info Risk Today Podcast

3,490 episodes — Page 4 of 70

Importance of Resilience in Mitigating Supply Chain Attacks

The Change Healthcare attack is already providing valuable lessons to healthcare firms - mostly about the importance of resilience, especially when it comes to the industry's supply chain and third parties, said Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency.

Mar 11, 2024

How NOT to Lead

Leaders in cybersecurity - and in any other business - need to keep a bank account filled with the trust and respect of their employees and make sure that account stays in the black, said Chase Cunningham, aka the Doctor of Zero Trust. He discussed his new book on how to be a good leader.

Mar 5, 2024

The Widespread Effect of the Change Healthcare Mega Hack

The Change Healthcare mega hack has taken nearly 120 of the company's IT products and services offline since Feb. 21, and that cyber disruption is having serious, widespread impact on the entire healthcare industry including major players, said attorney Sara Goldstein of the law firm BakerHostetler.

Mar 1, 2024

Your Supply Chain Is Your New Attack Surface

Your supply chain is your new attack surface, according to Galit Lubetzky Sharon, the co-founder and CEO of Wing Security. She discusses Wing's solution - Secure SaaS Posture Management, or SSPM - that helps organizations ensure that all of their SaaS apps are safe and compliant.

Feb 29, 2024

Why OT Security Keeps Some Healthcare Leaders Up at Night

It's not just medical device cybersecurity that's keeping some healthcare security leaders up at night - it's also the risks posed by other critical connected gear that patients and clinicians depend upon, said Ali Youssef, director of medical device and emerging tech security at Henry Ford Health System.

Feb 23, 2024

Cyberwar: What Is It Good For?

CISO Sam Curry and CMO Red Curry discuss the chaos and disruption of cyberwar and how attacks on critical infrastructure can tactically help attackers in combat, demoralize the general population and affect critical capabilities at just the right point in time.

Feb 16, 2024

Bolstering Healthcare Cybersecurity: The Regulatory Outlook

The Biden administration's strategy for bolstering health sector cybersecurity, which includes newly released voluntary cyber performance goals and plans to update the HIPAA Security Rule, is fueling uncertainty in some organizations, said privacy attorney Iliana Peters of law firm Polsinelli.

Feb 7, 2024

How to Win a Cyberwar: Use a Combined Intelligence Strategy

In times of conflict, such as the Israel-Hamas war, intelligence becomes even more important than it is in peacetime. Red Curry, chief marketing officer at Tautuk, and his brother, Sam Curry, CISO at Zscaler, discuss the need for a combined intelligence strategy and better resilience in wartime.

Feb 6, 2024

Pushing the Healthcare Sector to Improve Cybersecurity

Getting the health sector to vastly improve the state of its cybersecurity will take much more than the recent issuance of federal guidance outlining cyber performance goals for entities. It will also require new government incentives and mandates, said Steve Cagle, CEO of consultancy Clearwater.

Jan 31, 2024

Resilience: The New Priority for Your Security Model

Security leaders focus on protection and detection, but the new priority is resilience. A resilience strategy should "get the real 'ground truth' of what has happened" in the attack, said Brian Dye, CEO of Corelight, in this episode of "Cybersecurity Insights."

Jan 25, 2024

How a Novel Legal Maneuver Got a Hospital's Stolen Data Back

The ubiquity and anonymity of cryptocurrencies are fueling economic, legal and ethical challenges that put healthcare entities in the crosshairs of cybercriminals, said David Hoffman, general counsel of Claxton-Hepburn Medical Center, which recently filed a lawsuit against ransomware gang LockBit.

Jan 17, 2024

XDR and the Benefits of Managed Services

Extended Detection and Response (XDR) has evolved significantly over the past few years, becoming more critical than ever for organizations in need of enhanced capabilities. But so, too, have the accompanying managed services evolved. Port53 Technologies President Omar Zarabi explains.

Jan 16, 2024

How the Merck Case Shapes the Future of Cyber Insurance

Merck & Co.'s proposed settlement with insurers over a $1.4 billion claim related to the NotPetya attack will change the language the insurance industry uses to exclude acts of war in its policies, and organizations need to consider how those changes affect risk, said attorney Peter Halprin.

Jan 11, 2024

Large Language Models: Moving Past the Early Stage

AI, machine learning and large language models are not new, but they are coming to fruition with the mass adoption of generative AI. For cybersecurity professionals, these are "exciting times we live in," said Dan Grosu, CTO and CISO at Information Security Media Group.

Jan 3, 2024

Top Considerations for Complying With My Health My Data Act

It's time for companies dealing with non-HIPAA-regulated health information to plan their compliance with Washington state's My Health My Data Act, which goes into effect in the new year and affects organizations that are based in other states, said attorney James Hennessy of law firm Reed Smith.

Jan 1, 2024

How One University Is Beefing Up Cyber Defenses, Programs

Educational institutions are prime targets for ransomware and other cyberattacks due to their open nature and troves of sensitive data, requiring continuous investment in cyber defenses and strong security practices, said Steve Zuromski, CIO at Bridgewater State University in Massachusetts.

Dec 29, 2023

Fighting AI-Fueled Attacks With AI-Based Cyber Tools

Healthcare CISOs must recognize the real and imminent threat of AI-fueled cyberattacks and take proactive steps, including the deployment of AI-based security tools, to protect patient data and critical healthcare services, said Troy Hawes, managing director at consulting firm Moss Adams.

Dec 26, 2023

The Critical Need for Human Oversight in Healthcare AI

AI holds great promise for automating and improving many healthcare processes and tasks - including clinical decision support - but if some users become overly dependent on these systems, that could be potentially detrimental to patients, says attorney Lee Kim of HIMSS.

Dec 26, 2023

Domain Name Security Challenges

Protecting domain name systems finally has the attention of cybersecurity professionals - because every recent large data breach has involved a DNS vulnerability. But there is much work to be done. According to Ihab Shraim, chief technical officer at Corporation Services Company, just 1 in 100 security companies knows who their registrar is and where their domain name resides.

Dec 25, 2023

Buckling Down on Vendor Security Risk in Healthcare

With the surge in major cyber incidents involving third-party suppliers, it's critical for healthcare sector entities to raise their security expectations and tighten their requirements for vendors handling sensitive data, said Renee Broadbent, CIO of Southern New England Healthcare.

Dec 22, 2023

How a CEO Runs a Company in Wartime

Yossi Appleboum, CEO of Sepio Systems in Israel, discusses the international support for Israel in the Israel-Hamas war and what his employees are doing to support the war effort, how the war is affecting Sepio Systems' performance and how generative AI can be "not a tool but a member of your team."

Dec 8, 2023

Israel-Hamas War: 'We All Know Someone That Lost Someone'

After the latest Israel-Hamas war began, Kollender found herself trying to return to her homeland, but "no airline was flying to or from Israel," she said. In this episode of CyberEd.io's podcast series "Cybersecurity Insights," she discussed her personal views about the Israel-Hamas war.

Dec 7, 2023

Supporting CISA - The 'Focal Point of Our Defensive Efforts'

On Nov. 8, Tenable Chairman and CEO Amit Yoran wrote a letter to Congress in support of CISA. In this episode of "Cybersecurity Insights," Yoran calls the agency the "primary focal point of our defensive efforts" and discusses why the country needs to stay unified on defeating cyberthreats.

Dec 6, 2023

Mapping the Unseen Vulnerabilities of Zombie APIs

Zombie APIs are becoming more common, just because of the sheer number of APIs and third-party vendors that organizations rely on. Joshua Scott, head of information security and IT at API platform Postman, says businesses need to identify "what is critical to the business and map backward."

Dec 5, 2023

Good Governance: 'It's All Hygiene'

In the constant struggle to manage the other five pillars - identify, protect, detect, respond and recover - security leaders often do not have governance at top of mind, said Netography CEO Martin Roesch, but he added, "Good governance is the root of having good security."

Nov 30, 2023

Stopping Cloud Workload Attacks

In this episode of "Cybersecurity Insights," Eyal Fisher discussed Sweet Security's Cloud Runtime Security Suite, which helps CISOs and security teams defend against all stages of a cyberattack by gathering data, generating insights, baselining the normal environment and looking for deviations.

Nov 29, 2023

Mapping Access - and Attack - Paths in Active Directory

A directory service should be a "source of truth," said Justin Kohler, vice president of products at SpecterOps. But when users are overprivileged or misconfigurations occur, that creates attack hubs. Kohler discusses BloodHound, a solution he says is like Google Maps for Active Directory.

Nov 28, 2023

How Biden's AI Executive Order Will Affect Healthcare

President Joe Biden's recent executive order for artificial intelligence encourages investment in AI while setting a vision for a regulatory framework to address issues involving AI technology safety, bias and other concerns in healthcare, said attorney Wendell Bartnick of the law firm Reed Smith.

Nov 27, 2023

Getting a Tighter Grip on Vendor Security Risk in Healthcare

Despite the high frequency of major health data breaches involving vendors, many healthcare sector entities remain lax in their approach to manage and reduce third-party security risk, said Glen Braden, CIO and principal of compliance auditing firm Attest Health Care Advisors.

Nov 24, 2023

Why Hospitals Should Beware of Malicious AI Use

AI is being used "by everyone" these days, including by malicious nation-state actors, and that is raising the level of threats and risks facing hospitals and other healthcare entities, said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.

Nov 23, 2023

AI in Healthcare: The Growing Promise - and Potential Risks

Exciting advancements in medicine through the use of AI are already happening, and many more are in the pipeline. But they need to be approached carefully and vetted properly for risk, said Dr. Eric Liederman, medical informatics and national privacy and security leader at Kaiser Permanente.

Nov 22, 2023

How State Governments Can Regulate AI and Protect Privacy

Regulating AI is "like regulating Jell-O," said Massachusetts risk counsel Jenny Hedderman, but states are looking at regulating "areas of harm" rather than AI as a whole. In this episode of "Cybersecurity Insights," Hedderman discusses privacy, third-party vendor risk, and lawyers' use of AI.

Nov 16, 2023

Joe Sullivan on What CISOs Need to Know About the Uber Trial

In this episode of CyberEd.io's podcast series "Cybersecurity Insights," former Uber CSO Joe Sullivan discusses the Uber trial and offers guidance to future CISOs. Was the Uber case a data breach or not? Sullivan explained why making that distinction can be complicated.

Nov 13, 2023

How the Healthcare Sector Can Boost Credential Management

Stolen and compromised credentials continue to be the crux of major health data security incidents involving cloud environments. But stronger credential management practices and a focused approach to "least privilege engineering" would help, said Taylor Lehmann of Google Cloud.

Nov 3, 2023

Payment Fraud: What It Is and How to Fight It

In this episode of CyberEd.io's podcast series "Cybersecurity Unplugged," Alex Zeltcer of nSure.ai discusses how fraudsters access your payment information, how industrialized payment fraud attacks operate, and how nSure.ai uses discriminative AI to identify these attacks and cut their scale.

Oct 18, 2023

Cisco Cloud Protection: Driving Better Outcomes With a Holistic Approach to Security

Visibility, consistency and efficiency are goals every security leader strives to achieve across cloud environments, and achieving them remains one of the key digital transformation challenges. Cisco's Sean Baze talks about how to overcome this challenge and discover new efficiencies through a data-driven approach.

Oct 13, 2023

Unlocking the Platform Advantage in Security

Not so long ago, security organizations rallied behind best-of-breed security solutions. But now, as they try to reduce tech debt, rationalize tools and consolidate vendors, there is a push for the platform approach. Cisco's Amilcar Alfaro talks about how to tap into the platform advantage.

Oct 13, 2023

Could Middle Eastern Cyberwarfare Spill Into Health Sector?

The violent surprise attack on Israel by Hamas and the region's escalating war spotlight the critical importance of situational awareness, especially for healthcare organizations that rely on medical or tech products from Israeli technology firms, said Denise Anderson, president of the H-ISAC.

Oct 12, 2023

Supply Chain, Cloud Compromise Worries Growing in Healthcare

Cloud compromises and supply chain attacks are overshadowing ransomware as the top cyberthreats worrying healthcare sector organizations - but all such incidents are still viewed as significant risks to patient outcomes and safety, said Ryan Witt of Proofpoint, citing new research findings.

Oct 11, 2023

Why AI in Healthcare is Promising, But 'Not Magic'

The use of generative AI is being "highly explored" in healthcare and has great promise for a variety of applications, but it needs to be scrutinized closely, said Erik Decker, vice president and CISO of Intermountain Health and a cybersecurity adviser to the federal government.

Oct 7, 2023

User Protection: Removing the Security Burden From Users

Eric Eddy, principal technical marketing engineer at Cisco, discusses critical aspects of user-centric security. From alleviating the security burden on users to the role of zero trust in granting access, Eric provides actionable insights for achieving a seamless and robust security posture.

Oct 5, 2023

Inside Look: FDA's Cyber Review Process for Medical Devices

Medical device makers in their premarket submissions to the Food and Drug Administration under the agency's new "refuse to accept" policy for cybersecurity should pay close attention to details such as a product's software bill of materials and vulnerability management, said Jessica Wilkerson of FDA.

Sep 29, 2023

Generative AI: Embrace It, But Put Up Guardrails

In this episode of CyberEd.io's podcast series, "Cybersecurity Insights," Daniel DeSantis, director of CISO Advisory at Cisco, and Pam Lindemoen, CISO adviser at Cisco, discuss how generative AI will change and elevate the role of the CISO as well as what the future holds for network security.

Sep 19, 2023

Why Entities Should Review Their Online Tracker Use ASAP

Any healthcare organization that embeds tracking technologies in its website should carefully review whether it is inadvertently violating HIPAA or other federal regulations, said Nick Heesters, senior adviser for cybersecurity at the Department of Health and Human Services' Office for Civil Rights.

Sep 19, 2023

Critical Considerations for Generative AI Use in Healthcare

Generative AI holds great potential for many amazing applications in healthcare, but it's critical to establish a strong framework before deploying it, said Barbee Mooneyhan, vice president of security, IT and privacy of Woebot Health, a provider of AI-driven online mental health services.

Sep 15, 2023

The State of Security Leadership

In this episode of CyberEd.io's podcast series "Cybersecurity Insights," Censys CEO Brad Brooks discusses the stresses a CISO experiences in trying to prevent cyberattacks and in dealing with those that do occur. Topics include breach disclosure and cybersecurity marketing to CISOs.

Sep 12, 2023

Addressing Security Gaps and Risks Post-M&A in Healthcare

In the aftermath of mergers and acquisitions among healthcare entities - and the resulting IT integration and cost-cutting moves - gaps in technology and skills and other gaps often put organizations at higher risk for attacks and other security incidents, said Jack Danahy of NuHarbor Security.

Sep 8, 2023

Why Connected Devices Are Such a Risk to Outpatient Care

The number of connected devices used in healthcare is growing as manufacturers constantly introduce new types of IoT equipment. The ever-evolving threat landscape is making it harder for many entities, particularly outpatient care providers, to keep up, said Justin Foster, CTO of Forescout.

Sep 7, 2023

Threat Modeling Essentials for Generative AI in Healthcare

It's critical for healthcare sector entities considering - or already using - generative AI applications to create an extensive threat modeling infrastructure and understand all attack vectors, said Mervyn Chapman, principal consultant at consulting and managed services firm Ahead.

Sep 1, 2023

What's Behind Disturbing Breach Trends in Healthcare?

The number of major health data breaches is decreasing, but a recent disturbing trend reflects the vulnerability of critical vendors and the tenacity of cybercriminals, say John Delano, a vice president of Christus Health, and Mike Hamilton, CISO and co-founder of security firm Critical Insight.

Aug 30, 2023