
    The CyberPHIx: Meditology Services Podcast

    The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.
    Makala Barsolona, 100 Episodes

    Episodes (100)

    The CyberPHIx Roundup: Industry News & Trends, 6/30/22

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: 

    • Bombshell report of hospitals sharing PHI with Facebook
    • HIPAA compliance analysis for covered entities sending PHI to Facebook
    • Legal exposures for sending sensitive information to social media and other website tracking vendors
    • Recommendations for healthcare organizations to assess and respond to patient concerns about unauthorized PHI disclosures to Facebook
    • HHS issues new guidance for healthcare organizations to improve their cyber posture
    • New HIPAA Security Risk Analysis (SRA) tool from OCR
    • New OCR guidance and industry feedback related to “recognized security practices” for healthcare organizations (i.e. safe harbors for OCR enforcement) 
    • HHS issues warning to healthcare entities about dangerous Emotet malware proliferation
    • CISA is developing new guidance for helping organizations overcome supply chain risks
    • FBI prevents “despicable” Iranian cyber attack on Boston Children’s Hospital
    • DOJ shuts down SSNDOB dark web marketplace
    • Massive arrests and seizures of social engineering attack infrastructure across 76 countries
    • OCR issues guidance on the upcoming expiration of COVID-19 enforcement exemptions for telehealth HIPAA security mandates

    Securing Healthcare.gov & Tackling Fourth-Party Vendor Risks

    Join us for this episode of The CyberPHIx podcast where we hear from Bart Layton, VP of Product for CORL Technologies, who was also a leader on the team that overhauled and secured healthcare.gov. 

    In this two-part conversation, we discuss Bart’s insights into the deployment and security of healthcare.gov as well as his perspectives on third- and fourth-party cyber risks for healthcare organizations. 

    About Healthcare.gov 

    Healthcare.gov is the nation's federal exchange for health insurance coverage that was created from the passing of the Patient Protection and Affordable Care Act (ACA). The initial launch of the website was fraught with challenges and was ultimately "rescued" by a large team contracted to get the site operating in tip-top shape. 

    About Fourth-Party Vendor Risks 

    Cybercriminals and nation-states have also unleashed relentless cyber-attacks on the U.S. healthcare industry and its suppliers this year. Unfortunately, cyber risk exposures have not been limited to third-party vendors, and risks to sensitive data and systems often extend across the full supply chain, including fourth-party vendors and open-source products. 

    Topics covered in this session include:  

    • What is healthcare.gov? 
    • How and why was healthcare.gov overhauled in the early stages of its development? 
    • Security challenges and solutions for healthcare.gov that arose during implementation 
    • Cloud security considerations for hosted healthcare applications including healthcare.gov 
    • What is fourth-party vendor risk and how is it impacting healthcare organizations?
    • Examples and case studies of prominent fourth-party vendor breaches in healthcare
    • Emerging solutions and innovations in third- and fourth-party vendor risk management
    • New federal regulations and standards for managing supply chain risks 

    The CyberPHIx Roundup: Industry News & Trends, 5/26/22

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: 

    • Highlights from the US Senate HELP hearing discussing the threat of cyberattacks on the healthcare industry 
    • Healthcare and Public Health Sector Coordinating Council (HSCC) releases new incident response checklist 
    • Ransomware growth causes cyber liability insurance costs to skyrocket 
    • Cardiologist charged with designing and selling ransomware 
    • BakerHostetler data security incident response report highlights and analysis 
    • Vendor risk management trends and associated healthcare breaches
    • Solara Medical Supplies proposes a $5 million settlement to resolve class action data breach lawsuit
    • CISA Alert: Weak Security Controls and Practices Routinely Exploited for Initial Access
    • CISA alerts organizations not to install May security patches on Microsoft domain controllers
    • US Department of Health and Human Services (HHS) warning healthcare entities about the aggressive Hive ransomware group
    • A look back on the Conti ransomware group’s attacks on 200+ healthcare entities over the last two years
    • HHS information on Russian Advanced Persistent Threat (APT) groups and associated analysis 

    The Bleeding Edge: Healthcare Cyber Threats That Cut Deep

    Major shifts in the delivery of healthcare are introducing new and unforeseen cybersecurity and privacy risks. Cybersecurity and risk leaders in healthcare must rapidly adapt their programs and protection mechanisms to avoid adverse impacts from evolving cyber threats. 

    Any one of these emerging risk areas can cut deep and have material impacts to patient safety, financials, reputation, and more. In this session, we provide an overview of new cyber threats and solutions through the lens of Ron Belfont, Information Security Officer and Director of Security & Support Services for Bayhealth Medical Center, and his years of experience safeguarding patient information and systems. 

    Topics covered in this session include:  

    • Internet of Things (IoT) & Internet of Medical Things (IoMT) challenges and solutions 
    • Securing health apps and wearables
    • Emerging regulatory changes, including HIPAA 
    • Cybersecurity approaches for the remote workforce
    • Fourth-party vendor risks and securing the healthcare supply chain
    • Cyberwar and changes to the threat landscape

    The CyberPHIx Roundup: Industry News & Trends, 4/21/22

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: 

    • Healthcare Cybersecurity Act introduced in the U.S. Senate; details and analysis about the proposed regulation
    • HHS and OCR seek feedback on new HITECH safe harbors for the adoption of cybersecurity best practices including NIST and HITRUST
    • OCR requests feedback on how HIPAA civil monetary penalties should be shared with individuals that have been victims of breaches
    • University of Pittsburgh Medical Center is required to make payments to 66,000 employees that were victims of a 2014 cyber breach as part of legal settlement
    • Proposed PATCH Act that would see the FDA require cybersecurity measures for medical device manufacturers; details and analysis
    • New NIST standards for enterprise patching management including NIST SP 800-40 and NIST SP 1800-31
    • FDA releases updated guidance on medical device cybersecurity (in addition to the PATCH Act)
    • Lapsus$ cyber threat group alerts from the Health Sector Cybersecurity Coordination Center (HC3) as well as prominent arrests of the Lapsus$ gang’s teenage leader 
    • Arrest of ransomware leader responsible for 13 ransomware attacks; details of attacks and sentencing
    • Germany and the U.S. shut down the world’s largest illegal darknet marketplace
    • CISA warns of Uninterruptible Power Supply (UPS) device cyberattacks
    • Urgent security alert for Philips MRI monitoring software
    • A new zero-day vulnerability in the Spring Core Java framework called 'Spring4Shell'
    • U.S. State Department announces Bureau of Cyberspace and Digital Policy (CDP)

    Arming the Citizens: Awareness Strategies for Cyber War

    President Biden issued an alert recently that U.S. companies must ramp up their readiness to anticipate potential cyberattacks from Russia stemming from the conflict in Ukraine.  

    What role do end-users play in protecting healthcare organizations during this ongoing cyberwar? Is the workforce our best defense on the front lines of cyber combat? 

    Join us for this episode of the CyberPHIx podcast where we hear from Eric Bielski, Director of Information Security for Benefit Resource. 

    Eric provides insights into leading practices for cybersecurity awareness programs for healthcare entities.  

    Topics covered in this session include:  

    • How to make cybersecurity important for the average workforce member 
    • Effective deployment vehicles for awareness training 
    • Maintaining cybersecurity awareness for hybrid and remote workforce 
    • Free resources for security awareness and HIPAA compliance content 
    • Top messages for the workforce to combat cyberwar attacks 
    • Measuring effectiveness of awareness programs via KPIs 
    • Phishing testing and training best practices 

    The CyberPHIx Roundup: Industry News & Trends, 3/24/22

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    • President Biden’s cybersecurity warning about Russian cyberattacks on U.S. companies
    • New cybersecurity legislation signed that mandates breach reporting within 72 hours
    • SEC proposes new cybersecurity disclosure requirements
    • New FBI & CISA alert on Russian exploitation of multi-factor authentication and “PrintNightmare” vulnerability
    • Hacktivist attacks on Russian databases, TV broadcasts, weapons manufacturers, websites, and the Russian Roskomnadzor censorship agency
    • Russia’s creation of their own TLS Certificate Authority (CA) and implications for Internet accessibility in Russia
    • FBI alert and guidance on the new RagnarLocker ransomware and implications for healthcare entities
    • Details of the new Israel/US collaboration on cybersecurity
    • Analysis of the Access:7 vulnerabilities affecting medical devices and IoT systems
    • OCR / HHS publication and recommendations for healthcare organizations to improve cybersecurity defenses
    • Analysis of the new HIMSS Healthcare Cybersecurity Survey
    • New attacks emerge against Microsoft Teams

    Cyber Trust Falls: How Cybersecurity Enables Trust in Healthcare

    Who can be trusted to protect sensitive healthcare information and systems amidst a daily barrage of breach events?

    Healthcare cybersecurity and risk leaders must identify innovative ways to establish and maintain trust in the healthcare ecosystem through cybersecurity programs and functions. This includes being transparent about risk exposures, building relationships internally and externally, responding effectively to breaches, and adopting certification models like HITRUST and SOC 2.

    In this episode of The CyberPHIx, we hear from Ed Dame, Chief Information Security Officer for Dasher Services, Inc.

    Ed provides insights and wisdom from his years of experience as a CISO in building relationships and establishing trust. Questions covered in this session include:

    • Why is trust important in healthcare settings?
    • How can cybersecurity programs support and sustain trust?
    • What role does transparency play in building or eroding trust?
    • What are the boundaries of accountability for trust for healthcare CISOs including third- and fourth-party vendors?
    • What role do cybersecurity certifications like HITRUST play in establishing trust with the market?
    • What happens when trust is lost or damaged?
    • Is there a right and wrong way to respond to breaches that impacts trust?
    • What is the difference between reacting and responding to cybersecurity incidents?
    • What is the role of emerging “zero trust” models and terminology in healthcare?

    The CyberPHIx Roundup: Russia/Ukraine Cyberwar Special Edition

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    Healthcare organizations are scrambling to adjust their cybersecurity preparation and response capabilities in the wake of potential cyber-attacks stemming from the ongoing conflict between Russia and Ukraine. 

    Meditology has been monitoring the situation closely and advising our healthcare clients on the latest threat vectors and response approaches.  

    This special edition of the CyberPHIx podcast provides guidance for US-based healthcare entities for preparing and responding to cyberattacks and cyberwar tactics deployed as part of this ongoing conflict. We also cover a few other news items trending in healthcare cybersecurity and compliance. 

    In this episode, our host Brian Selfridge highlights the following topics: 

    • Russia-Ukraine cyberwar overview
    • Russia’s cyberwar capabilities & attack methods
    • Analysis of darknet cyberwar activity
    • Guidance from the CISA, FBI, & NSA on the Russia/Ukraine cyberattacks
    • Recommendations for healthcare cybersecurity leaders to prepare and respond to cyberwar activities
    • Upcoming deadline for HIPAA breach reporting to HHS
    • Details on a new bill introduced to modernize HIPAA
    • Analysis of the HHS report on securing Electronic Health Records (EHR)

    The CyberPHIx Roundup: Industry News & Trends, 2/11/22

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: 

    • Lessons learned from a ransomware attack that encrypted 80% of systems across a 54+ hospital health system 
    • HHS publishes a detailed report about ongoing Log4J exposure and recommendations for the healthcare industry
    • REvil ransomware gang shut down and arrested in Russia following US diplomatic pressure and Russian crackdown
    • Settlement reached in Excellus class action data breach lawsuit
    • Kaspersky publishes report on telehealth adoption and cyber risks escalation
    • Homeland Security launches cyber safety review board to combat supply chain risks
    • NIST releases automation-friendly security and privacy assessment procedures
    • NIST launches new international privacy resources website

    Much Ado About SOC 2: Best Practices for Healthcare SOC 2 Audits

    Cyberattacks against healthcare organizations and their business associate vendors have begun to threaten patient safety and fundamental business operations. As a result, SOC 2 audit reports have become one of the most common and cost-effective vehicles for healthcare organizations to demonstrate the adoption of controls relevant to security, availability, confidentiality, processing integrity, and privacy. 

    However, acquiring a SOC 2 audit report can be a challenge for many organizations and there are often questions that arise about how to achieve SOC 2 compliance with the least amount of cost, effort, and time.  

    Join us for this episode of The CyberPHIx where we hear from Paul Gray, Chief Information Security Officer for Meditology Services.  

    Paul provides insights from his decades of experience with SOC 2 best practices, including answers to some frequently asked questions:  

    • What is SOC 2 compliance?
    • What are the different types of SOC audits including SOC 1, SOC 2, and SOC 3?
    • Why do healthcare organizations obtain SOC 2 audit reports?
    • Are healthcare vendors required to obtain SOC 2 reports?
    • What are the AICPA Trust Criteria?
    • What other certifications are available for healthcare organizations?
    • What should healthcare organizations do to prepare for a SOC 2 audit?
    • What are critical success factors for a successful SOC 2 engagement?
    • What are some common pitfalls for healthcare organizations seeking to obtain a SOC 2 audit report?

    The CyberPHIx Roundup: Industry News & Trends, 1/13/22

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: 

    • Microsoft issues updates on the critical Apache Log4j vulnerability and active exploits 
    • HR and payroll giant Kronos experiences weeks-long ransomware outage 
    • EHR vendor QRS has been sued for insufficient cybersecurity protections in the wake of a major breach 
    • Healthcare provider settles for $425,000 cybersecurity enforcement from NJ state attorney general 
    • OCR issues guidance on Extreme Risk Protection Orders 
    • HIPAA Privacy Rule and OCR enforcement changes due to come into effect in 2022 
    • EHR giant Cerner is acquired by Oracle; implications for healthcare organizations 
    • NIST launches new international cybersecurity and privacy resources website 
    • Norton antivirus discovered to be pre-loaded with crypto mining software 

    Top 10 Healthcare Cybersecurity Predictions for 2022

    Meditology provides cybersecurity, privacy, and risk support for hundreds of healthcare entities across the country. We have been tracking macro trends in threats, risk exposures, regulations, enforcement, and best practices for healthcare cybersecurity and compliance programs. 

    We have compiled the top cyber risk exposures trends and predictions for 2022 to help you map out your defensive strategy heading into the new year.  

    Join us for this special episode of The CyberPHIx podcast where we discuss: 

    • A look back at prior healthcare cybersecurity predictions: did we get it right? 
    • Trends and predictions for healthcare threat actors, attacks, and methods
    • Healthcare-specific vulnerabilities and risk exposures
    • Regulatory predictions including HIPAA, OCR enforcement, and emerging federal and state laws 
    • Legal predictions including cyber liability and class action lawsuits 
    • Cybersecurity program investments and constraints including automation and talent shortages

    Healthcare Cybersecurity Rockstars: CISO Highlight Reel

    Meditology Services hosts the healthcare industry's leading podcast, The CyberPHIx, and has produced over 85 episodes to date. We have had the pleasure and honor of conversing with many of the nation’s leaders in healthcare cybersecurity, privacy, and compliance.

    Join us for this main stage event where we hear from over 20 CISOs and cybersecurity rock stars from the nation's premier healthcare organizations on some of the toughest challenges we face as an industry. Listen in as we hear practical guidance and seasoned insights from CISOs in their own words as they guide us through their thought process and lessons learned.

    This special CyberPHIx episode features a curated collection of highlights as we hear directly from the following industry leaders:

    • HCA Healthcare - Britton Burton, Director of Risk Management
    • Molina Healthcare - Mike Wilson, SVP & CISO
    • Sentara Healthcare - Dan Bowden, VP and CISO
    • Premise Health - Joey Johnson, CISO
    • Children's Healthcare of Atlanta - Stoddard Manikin, CISO
    • Horizon Blue Cross Blue Shield of NJ - Chris Golden, Director of Information Security
    • Children's Mercy Hospital - TJ Mann, CISO
    • Healthix - Nick VanDuyne, SVP/CIO
    • Solution Health – Andrew Seward, CISO
    • CORL Technologies - Devon Wijesinghe, Chief Transformation Officer
    • Risk Recon - Kelly White, CEO
    • Lehigh University - Eric Zematis, CISO
    • Imprivata - Wes Wright, CTO
    • Spiritus – Susan Ramonat, CEO
    • Health Partners Plans - Mark Eggleston, CISO
    • NYC Healthcare - John Jessop, Associate Director of Information Security Programs
    • NASCO - Lauret Howard, Chief Risk Officer
    • Meditology Services - Nadia Fahim-Koster, Partner & Bethany Page, Director

    This session covers the gamut of major cybersecurity and risk trends for healthcare including:

    • HIPAA Compliance and Risk Management
    • Ransomware & Incident Response
    • Third-Party Vendor Risk Management
    • Risk Reporting & Engaging with the Business
    • Cloud Security Risk Management
    • Medical Device & IoT Security
    • Security Certification Options in Healthcare (HITRUST, SOC 2, ISO)

    Grab your leather jacket and dial your headphones' volume up to ‘11’ - you won’t want to miss the opportunity to listen in to this many security rock stars in a single session.

    The CyberPHIx Roundup: Industry News & Trends, 12/2/21

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    • FTC Final Rule released: mandatory penetration testing, MFA, vendor risk management, risk assessments, and more implications for healthcare entities
    • New report on healthcare IoT security operations from CrowdStrike and Medigate
    • CHIME report on the state of cybersecurity for ambulatory and long-term care facilities
    • CISA issues a critical cybersecurity alert related to the holiday season
    • US warning of Iranian government-sponsored attacks underway leveraging Microsoft and Fortinet vulnerabilities
    • HHS issues alert and guidance on uptick of zero-day attacks for healthcare
    • 2022 trends in advanced persistent threats from Kaspersky

    The CyberPHIx Roundup: Industry News & Trends, 11/18/21

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: 

    • Details and analysis of the new CISA incident response and vulnerability response playbooks 
    • Cloud Security Alliance (CSA) and healthcare CISOs publish a detailed medical device security playbook
    • Medical device security best practices and program development
    • High-risk alert for Siemens medical device vulnerabilities impacting thousands of devices
    • Emerging trends on healthcare Application Programming Interface (API) adoption, attacks, and mitigation recommendations
    • Ohio hospital diverts ambulances and patients due to ransomware outage
    • International partnerships and agreements with the US, EU, France, and Israel are enacted to address cyberattacks and ransomware
    • US charges two major ransomware operators in continued takedown of REvil ransomware gang and other international prosecutions of cybercriminals 

    HITRUST Announces New Certification Model: Insights from HITRUST Leadership

    HITRUST provides a range of cybersecurity and privacy certification and accreditation solutions including their flagship HITRUST CSF certification, which is one of the most widely-adopted security frameworks for healthcare organizations.

    The demand for cybersecurity certifications and assurances like HITRUST is at an all-time high due to escalations in breaches at healthcare entities and their vendors in the supply chain. However, not all certifications are created equal, and the industry is outgrowing the one-size-fits-all certification model. 

    HITRUST has announced new security certification models including the new HITRUST i1 certification. The new HITRUST options are designed to provide more flexibility and speed for HITRUST certifications while reducing the cost and effort to achieve certification. 

    Join us for this episode of The CyberPHIx as we hear from Michael Parisi, Vice President of Adoption for HITRUST. We discuss hot-off-the-presses details of HITRUST’s new security certification and solutions including:

    • Market trends and demand for security certifications for healthcare entities 
    • The history and evolution of security certifications including the HITRUST CSF (now called HITRUST r2), SOC 2, ISO, and others 
    • Detailed overview of the new HITRUST i1 certification option 
    • HITRUST i1 security controls requirements including focus on implementation of controls 
    • HITRUST i1 certification requirements, timing, level of effort, release schedule, impact to HITRUST CSF (HITRUST r2) certified entities 
    • Breaking news on changes to the Cybersecurity Maturity Model Certification (CMMC) security certification program 
    • Details of the HITRUST Basic, Current State Assessment (bC) 
    • HITRUST privacy certification updates 
    • Details of HITRUST’s new Results Distribution System (RDS) 

    The CyberPHIx Roundup: Industry News & Trends, 10/27/21

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: 

    • Highlights of 25+ Cyber Breaches to Payers, Providers, & Healthcare Vendors in the Last Two Weeks 
    • UPMC Hacker Gets 7 Years in Prison 
    • HITRUST Deploys a New Certification Option 
    • Google Launches AI Pilot with NJ Healthcare Provider 
    • Microsoft Launches New Privacy Management Framework for Office365 
    • Tips for Managing Remote and Hybrid Security Teams 
    • Russians Continue Aggressive Attacks Despite US Sanctions and Intervention 
    • State Department’s Plans for New Cybersecurity Office 
    • Ransomware Disclosure Act Bill Introduced with 48-hour Reporting Timeframe 

    Calling in the Cavalry: A CISO's Perspective on New Federal Cybersecurity Guidance

    Breaches and ransomware infections are hitting healthcare hard alongside the critical supply chain that helps keep healthcare operations running. The federal government has been issuing a flurry of guidance, executive orders, draft regulations, diplomacy, and more to try to kickstart our national response to the cyber crisis. We are calling in the cavalry, but will it help? 

    In this episode of The CyberPHIx, we hear from Steve Dunkle, Chief Information Security Officer for Geisinger Health System. 

    Steve is one of the country's leading cybersecurity healthcare leaders and we get his perspective on some of these federal updates and proposed changes to see how they fare in terms of providing meaningful support and guidance for healthcare organizations. 

    We discuss new federal and standards guidance and related trends including: 

    • NIST’s “Bad Practices” cybersecurity guide for end-of-life devices, default passwords, and single-factor authentication 
    • Ransomware guidance from the NSA, FBI, and CISA on stopransomware.gov 
    • Third-party risk and supply chain risk guidance and pending regulations 
    • Strategies for CISO executive success, including a focus on customer service, strategic thinking and planning, networking, and continuous learning
    • Incident response and cyber-resilience guidance 
    • OCR enforcement focus areas and HIPAA Security Rule compliance 

    The CyberPHIx Roundup: Industry News & Trends, 10/13/21

    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry.

    In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    • Key takeaways from The Annual Cybersecurity Attitudes and Behaviors Report 2021
    • US Securities and Exchange Commission (SEC) fines for breaches and related news on the focus of third-party risk in stock exchange investments
    • Analysis of a new report from RiskRecon and Cyentia on measuring the ongoing impact of multi-party breaches
    • Discussion of Mandiant’s detailed report on the FIN12 criminal gang that is actively targeting the healthcare industry
    • The latest FBI and CISA alerts on the Conti ransomware attacks and recommendations for protecting healthcare organizations