The CyberPHIx: Meditology Services Podcast

Cyber hurricanes have been coming in fast and furious for healthcare organizations over the last several years. Their destructive force has left organizations with operational disruptions, financial loss, and reputational damage that may take years to clean up.

It is incumbent upon healthcare entities to take advantage of the tame periods between cyber incidents to make investments in preparation and response capabilities.

In this episode of The CyberPHIx, we tap into the extensive emergency management experience of Patrick Hinnant, Director of IT Operations, Facilities, and Emergency Management for Trillium Health Resources.

We discuss approaches for cyber emergency preparedness and several other topics including:

• Incident response and continuity from the ground level staff perspective all the way up to the executive level
• IT help desk and support best practices for incident response
• Common pitfalls and best practices for emergency response programs
• IT-specific challenges and approaches to emergency response including dealing with hybrid and cloud hosted infrastructures
• Grappling with cyber incidents and outages involving third-party vendors in the supply chain
• Evolving models of behavioral health and how to maintain these critical services during the pandemic
• External resources and guidance for cyber emergency management best practices and standards

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Details of 15+ breaches of business associate vendors servicing healthcare organizations that occurred in the last two weeks alone
• Evolving cybercrime business models and the emergence of Initial Access Brokers (IABs)
• Top cybersecurity and IT certifications that drive the highest salaries for security professionals in the industry
• Recent OCR enforcement activity and fines for HIPAA Privacy Rule violations
• Analysis of the cybersecurity “Bad Practices” catalog from the CISA and implications for healthcare entities

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Big tech firms including Google and Apple make major moves to exit the healthcare industry
• Amazon moves full steam ahead into healthcare, but is struggling to scale solutions due to IT and cyber staffing skill set shortages
• Cybersecurity staffing and talent shortage trends and new initiatives from the White House and CISA designed to build the cyber workforce
• Details of $30b+ cybersecurity investment commitments from President Biden’s summit with ADP, IBM, Apple, Google, Microsoft, Amazon, and other big tech firms
• New targeting of healthcare business associates and outpatient practices by cyber criminals
• California breach notification bulletin details from California’s Attorney General and implications for state regulatory enforcement across the country

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Suing the CISO: analysis of a lawsuit against SolarWinds CISO
• Details of Scripps Healthcare’s $113m reported revenue loss due to ransomware
• Cyber liability protection cost increases
• Analysis of a new report citing $47k per hour downtime costs for breaches
• Cyber security highlights from the HIMSS 2021 conference
• Newly updated guidance from NIST on developing cyber resilient systems
• CSO Magazine’s 15 top strategic priorities for CISOs
• Universal decryption key for Kaseya ransomware leaked in hacker forum
• Accenture’s breach of 6 terabytes of data and $50m ransom demand from hackers

New cybersecurity and privacy regulations have recently come into effect in the United Arab Emirates (UAE). These laws are coming at a time when the US, EU, and other countries are poised to introduce new regulations of their own designed to combat the global epidemic of cyber-attacks.

Listen in to this episode of The CyberPHIx as we speak with Mohammed Fadlalla, Co-Founder and Privacy Practice Leader for Archlight, the premier provider of healthcare cybersecurity and privacy consulting services in the UAE, Middle East and North Africa regions.

In this episode, we discuss details of the emerging cybersecurity regulations and risks in the UAE, as well as their impact to healthcare organizations locally and globally.

Highlights of the discussion include:

• Overview of the new UAE cybersecurity and privacy regulations
• Scope and reach of the regulations and enforcement models
• Comparison of UAE regulations to HIPAA requirements
• Details of the healthcare ecosystem in the UAE
• Implications for vendors, payers, and other players operating in the UAE
• Privacy expectations for patients in the UAE and healthcare tourism
• Guidance for getting started with compliance and prioritizing remediation efforts

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Analysis of IBM’s new 2021 Data Breach Report including:
• • Impacts to healthcare organizations
  • Healthcare’s breach costs and benchmarks against other industries
  • HIPAA compliance implications for breach costs
  • Cloud security breach trends
  • Top sources of breaches and highest risk security domains
  • Ways to reduce breach costs with targeted investments
• Nine critical vulnerabilities identified for the “Pwned Piper” medical device vulnerability issue and related recommendations
• Details of President Biden’s proposed $9.8b cybersecurity budget
• President Biden’s commentary on the likelihood of cyberwars leading to physical wars
• The new cybersecurity memorandum released by the White House this week
• Trends and predictions for new federal and state cybersecurity regulations targeting healthcare

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• The new DHS CIO speaks out on plans for supply chain risk management       
• PracticeFirst healthcare vendor breach impacting 1.2 million individuals
• U.S. government launches one-stop shop for ransomware guidance (StopRansomware.gov)
• CISA publishes cybersecurity guidance for managed services providers in the wake of the Kaseya breach
• Former NSA director’s preview of HIMSS21 presentation on ransomware and cyber risks
• China formerly accused by the EU, UK, US, and others of attacks against Microsoft Exchange
• New SolarWinds zero-day exploit being used by attackers (second SolarWinds incident)
• Urgent security warning for SonicWall supply chain solution and patching details
• HITRUST announces the timing for release of HITRUST CSF version 10
• Class action lawsuit updates against a PACs vendor, Kroger pharmacy, and Blackbaud

Another colossal cyber-attack on the global supply chain took place this month, which saw over 1,500 businesses infected with ransomware via a breach of a third-party vendor, Kaseya. The breach comes on the heels of other large-scale supply chain attacks against SolarWinds, Microsoft, and other major third-party vendors.

This brings critical questions to the forefront for our industry: who is accountable for supply chain breaches and who owns the risk?

In this CyberPHIx episode, we attempt to answer these questions during this engaging podcast interview with Eric Zematis, Chief Information Security Officer of Lehigh University.

Eric discusses approaches for managing liability for supply chain attacks including business accountability and communication, cyber liability insurance, third-party vendor obligations, and government intervention.

Highlights of the discussion include:

• Managing and communicating third party risk with the business
• Accountability for the business in oversight and management of vendor risk
• The history and evolution of cyber liability insurance
• Cyber liability policies and coverage considerations
• Supply chain vendor accountability before, during, and after breach events
• Government accountability and roles in combatting supply chain cyber attacks
• Standards organizations and resources for managing supply chain risks

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Largest ransomware attack on record impacts 1,500 businesses via third-party Kaseya supply chain breach over the holiday weekend
• Several large ransomware providers call it quits due to increased scrutiny and pressure
• Ransomware attack on Ireland health system exceeds $600m in costs and remains active six weeks into the attack
• Ukrainian police arrest members of CLOP ransomware gang
• NIST releases draft guidance for Ransomware Risk Management & CISA releases a ransomware self-assessment tool
• President Biden’s summit with Vladimir Putin and directive for a “no hack” list of US critical infrastructure
• DOJ charges network security executive with hacking a Georgia health system for personal gain
• One billion CVS records exposed in cloud configuration error breach
• Details of the Ponemon Institute’s new third-party cloud compromise report
• OIG and FDA updates on medical device security guidance and new GAO cybersecurity recommendations
• Bipartisan data breach notification bill drafted which includes a 24-hour breach notification requirement
• Meditology Services was ranked the #1 healthcare security and privacy consulting firm according to a new survey reported by Becker’s and Healthcare IT Security magazines

“Digital identity is the new control fabric,” says our CyberPHIx guest Wes Wright, CTO at Imprivata. Wes is one of the healthcare industry's most experienced technology leaders and has held prior roles as CTO for Sutter Health in California, CIO for Seattle Children's, Executive Director of Information Services for Scripps, and much more.

The healthcare industry is moving headlong into digital healthcare models that rely on one common factor: Identity Management.

In this episode, Wes shares his thoughts on industry challenges with patient identification and access control models as they relate to our rapid move into a digital healthcare model.  

We also discuss trends for processes, standards, and technology to address emerging patient and workforce identity challenges as well as the implications for patient privacy, identity fraud, enterprise security, and much more.

Highlights of the discussion include:

• Patient identification challenges and risk impacts
• 21st Century Cures Act implications for patient identification
• Updates to trends in national patient identification
• HIPAA and regulatory compliance drivers for digital identity management
• Technology and automation advances in identity and access management
• The evolution identity technology and current capabilities
• Identity and access control models for cloud-hosted and third-party solutions
• Practical operational guidance for identity management programs to address emerging digital health models

The CyberPHIx Roundup is your quick source for keeping up with the latest in cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Major shifts in cyber liability coverages and protections and results from a recently released U.S. Government Office of Accountability (GAO) report
• Scripps Health system network outage continues a month after initial cyberattack
• Russian SolarWinds attackers are back at it with a large spear phishing campaign following a compromise of USAID systems
• Security firm Rapid7 becomes a victim of a software supply chain breach targeting source code
• OCR’s latest settlement details and analysis on the resolution agreement with Peachstate Health Management
• OCR and HHS “wall of shame” aggregate reporting trends for 2021 and analysis of major reported breaches this past month
• U.S. House Committee on Homeland Security advances five new bills to improve cyber defenses

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this special episode, our host Brian Selfridge provides a rundown of the presidential executive order, Improving the Nation’s Cybersecurity, signed by President Biden in May. Also covered is the executive order, America's Supply Chains, signed in February of this year.

The executive order is the second and most comprehensive of two executive orders issued by President Biden on cybersecurity topics this year. Brian provides a summary of the orders and discusses implications for healthcare entities.

Analysis is provided for key topics from the executive order including:

• Enabling the sharing of threat intelligence and protection mechanisms
• Modernizing federal government cybersecurity
• Enhancing software supply chain security
• The establishment of a cyber safety review board
• Standardizing the federal government’s playbook for responding to cybersecurity incidents and vulnerabilities
• Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
• Improving the federal government's investigative and remediation capabilities
• National security systems requirements

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• National emergency declared for Colonial Pipeline ransomware attack; details and implications for healthcare entities
• Analysis of the Cloud Security Alliance Report titled The State of Cloud Security Concerns, Challenges, and Incidents
• CISA’s new guidance for managing supply chain risks, including lessons learned from a historical review of supply chain attacks for the past decade
• CISA/FBI alert on the “FiveHands” ransomware attackers
• A new GDPR EU directive and pending legislation requiring continuous due diligence of third-party vendors
• NIST soliciting comments for updating their guidance on implementation of the HIPAA Security Rule

Who is responsible for cybersecurity? It’s a simple question, but the answer may be more complex than you think.

Listen in to this episode of The CyberPHIx as we sit down with TJ Mann, Chief Information Security Officer at Children's Mercy Hospital in Kansas City.

TJ helps us understand why it takes a cyber village to protect healthcare organizations. We delve into the roles and responsibilities that various stakeholder groups need to play to support and deliver effective information security programs.

Highlights of the discussion include:

• Which specific roles and stakeholders have the greatest impact on cybersecurity program effectiveness
• Healthcare business units that carry the most risk for healthcare entities
• Managing accountability for third-party vendors and shadow IT groups
• The changing role of enterprise risk management in healthcare
• Busting the myth that there is only one kind of end user
• The tension and collaboration between security, internal audit, and compliance functions
• The impact of the remote workforce on security roles and expectations
• The evolution of security leadership and team roles and functions

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Analysis of Mandiant’s M-Trends 2021 Cyber Attacks and Trends Report and implications for healthcare
• Shifts in threat vectors due to remote work, ransomware focus, and adversary techniques. Teaser: phishing is no longer the top threat vector
• FBI / CISA Alert: Top 5 “favorite” attack methods of the Russian SVR ransomware group targeting healthcare (e.g. Citrix, VMWare, and other specific exploits)
• President Biden’s sanctions and diplomatic pressure on Russia for healthcare cyberattacks
• Breach update: the latest healthcare supply chain breaches and trends with high-risk vendor “categories” like revenue cycle management; CareFirst healthcare payer breach analysis
• $1.5m penalty for the New York DFS cybersecurity regulation and its impact for healthcare entities
• 21st Century Cures Act updates

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• President Biden’s executive order on supply chain risk that calls out healthcare specifically
• Analysis of a claims fraud case in Texas with a troubling scope including intentionally hastening patient deaths
• Highlights from a recent study on increased patient awareness and impact over ransomware and telemedicine breaches
• New UN standards for nation state online behavior and implications for enforcement and deterrents for cyberattacks targeting healthcare
• Macro trends on the momentum of cyberattacks, patient awareness, and countermeasures in national and global theaters

Obtaining enterprise cybersecurity certifications can be a daunting task for those embarking on the process for the first time as well as those that are managing repeat certifications.

Some critical questions emerge: Which certification is the best for my organization? How do I limit the cost, time, and requirements to achieve certification? Will obtaining a healthcare certification make us HIPAA compliant? What else do I need to know to get through the certification process?

Join us for this episode of The CyberPHIx podcast where we speak with Bethany Page Ishii, Director at Meditology Services. Bethany leads Meditology’s healthcare cybersecurity certifications and shares her insights in working to successfully certify countless healthcare entities for more than a decade.

Highlights of the discussion include:

• Overview and adoption levels for cybersecurity certifications in healthcare including SOC 2, HITRUST, ISO, and others
• Common pitfalls that can add time and cost to the certification process
• The role of certifications in addressing major breaches and supply chain risks
• The relationship between HIPAA compliance and security certifications
• How to handle security control gaps and still obtain certifications
• Review of security certifications for individuals and recommendations for healthcare professionals

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• Microsoft’s Exchange email critical exposure for healthcare entities
• New ransomware report cites $20b in losses for healthcare in 2020 alone; details and analysis are provided
• A major hack of over 150,000 security cameras allows external parties to view ICU rooms and other hospital locations
• HIPAA Privacy Rule comment period extensions
• COVID-19 vaccine registration websites getting hit by malware bots

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

• UHS announces $67m cost from recent ransomware attack
• OCR HIPAA enforcement rundown for 2021
• Accellion file transfer application supply chain breach and impacts on healthcare
• SolarWinds CEO testimony and analysis on the surprising position taken by the company
• Cyber warfare perspective and predictions for healthcare