Does Your Cybersecurity Program Have What It Takes?

At a time when the risks of hacking into our health data have never been higher, we catch up with Dan Dodson, President of Fortified Health Security – to give us his views on where the risk is – and what you can do about it. This is what Dan says:

Hackers have clearly placed a bullseye on healthcare organizations. Cybersecurity breaches continue to occur among healthcare providers so pervasively that their numbers exceed those of health plans and business associates combined. Steps must be taken to protect patients, whether from ransomware or from attacks on connected medical devices; the stakes are simply too high.

Any significant cybersecurity breach results in a big drop in patient confidence. Pressure from patients, as well as from inside organizations, is forcing healthcare providers to guard their reputations, develop strategies for better patient engagement and provide increased amounts of sensitive data to multiple interconnected devices.

It’s important for a healthcare organization to recognize the potential impacts of a breach on their organization before one occurs instead of only investing in cybersecurity after they have been negatively impacted by an incident. Yet, at that point, it may be too late for some patients. Reports suggest that nearly forty percent of consumers would abandon or hesitate to use a health organization if it is hacked. Fifty percent of consumers would avoid or be wary of using a medical device if a breach were reported, and thirty-eight percent would be wary of using a hospital associated with a previously hacked device.

The best prevention against any attack is understanding the fundamentals of a strong cybersecurity program. With proactive employee involvement, a clear process to identify and prevent cybersecurity threats, and understanding that technology is only part of the equation, healthcare providers can better serve and protect patients.

In my view, there are three simple steps that you can take.

Employee training is the first line of defense against hackers.

Your employees are your first line of defense to prevent successful attacks and/or breaches. Educating your employees/users on threats to your organization, safe web browsing practices, the hazards of clicking embedded links or opening attachments in unverified emails, and the need to scrutinize emails before opening them are just some of the basics.

In order to take your employees’ education to the next level, you should conduct simulated social engineering exercises and campaigns. This will give employees “real world” experience in dealing with such attacks. Social engineering is still the easiest and most effective way that malicious individuals are able to access sensitive information.

Have a process to identify and prevent cybersecurity threats.

Cybersecurity starts with people, but must be strengthened by processes for backups, incident reports, breach notifications, and disaster recovery. It is critical that organizations develop a multi-phased vulnerability management process that includes vulnerability scanning, risk acceptance, and remediation for security risks.

This process is critical to recognizing the potential impacts of a breach on your organization before one occurs so it is clear what steps your team will take to protect patient data. Far too often, healthcare organizations only start investing in a cybersecurity process after they have been negatively impacted by an incident, and at that point, it may be too late for some patients.

Cybersecurity is more than just technology.

Technology by itself is not the answer to protect an organization from a cybersecurity attack, but combined with dedicated people and a defined process, it completes the cybersecurity prevention trifecta.

Technologies such as Security Information and Event Management (SIEM), Data Loss Prevention or Intrusion Prevention Systems (IPS) can be leveraged to identify and even react to a ransomware attack as it is happening. Custom policy and rulesets can be utilized to alert in real time that there is something awry within the operating environment. Additionally, Network Access Control (NAC) platforms could make the isolation of infected devices quicker and easier.

Stakes are too high to put patients at risk.

Cybersecurity threats at their core are patient safety risks. The stakes are high and if you wait until after a breach or attack to take action, it’s too late. The best prevention against any attack is a proactive security strategy built around people, process and technology. Now that you know the fundamentals, lead your healthcare organization through a HIPAA Risk Analysis to see if your organization has what it takes. Remember, protecting your organization from a cybersecurity threat is a journey that requires constant attention and never stops.

About the Author

Dan L. Dodson serves as President of Fortified Health Security, where he helps healthcare organizations effectively develop the best path forward for their security program based on their unique situation. Dan currently serves on the Southern Methodist University Cyber Security Advisory Board. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.

Cyber Security in Healthcare.

It is commonly understood that the recent UK hacking situation in the NHS was via its connected machinery, rather than directly into the hospital servers. We focus on what’s up at the forthcoming conference in San Francisco, with this timely announcement from Tel Aviv-based company Cynerio, who today announced its mission to protect the future of healthcare by focusing on its weakest link – the connected medical device ecosystem.

What they say is, by building a tailor-made solution for healthcare providers, they deliver complete visibility into a healthcare organization’s medical device ecosystem, protecting it from cyber threats and helping the organization meet HIPAA regulatory requirements.

The company was founded by cybersecurity experts Leon Lerman, CEO, and Daniel Brodie, CTO, to deliver a cybersecurity solution specially designed for healthcare providers, based on the industry’s first technology that combines device behavior modeling with medical workflow analysis to provide full visibility into medical device behavior and activity on the network, accurately detect anomalies with deep understanding of the medical context and stop the threat to ensure patient safety and data protection.

“Connected medical devices are delivering a new level of patient care, but present new challenges of managing and securing the growing clinical ecosystem. For attackers, medical devices are easy targets, as the devices aren’t built with security in mind and healthcare security teams have limited ability to protect these devices with traditional IT security solutions that are more focused on standard platforms. Our technology offers a comprehensive solution, purposely built to protect the medical device ecosystem and their sensitive data,” explained Lerman.

A FANTASTIC BUZZ AT ENO’S LATEST “MARRIAGE OF FIGARO”!

We review the latest Figaro production at the London Coliseum

Mozart operas at ENO always have fantastic and clever beginnings. If the word “tangential” applies to probably every ENO production and approach, then last night’s Figaro did not disappoint.

The imagery of a bumble bee trapped inside a harpsichord, syncing into the rapid overture, sets the scene, and with a driving orchestra and some standout ensemble and solo performances, especially from Rhian Lois, making her role debut as Susanna, this was a performance that, whilst taking just a little time to really get going – absolutely left its audience spellbound. I have always said that, for newcomers to opera, make sure you go to an ENO Mozart performance – then this production (and it was the second time I have seen it) – came alive. You’ve got to go.

So why a difference? You could argue that Figaro, of all operas, is the easiest to get along with. Nobody does a bad Figaro. And that misses the point, because yes indeed you can do a boring Figaro. The real trick is to engage with the audience, and this takes subtlety, exquisite direction, timing of humour and of music and dramatic art – all of which this performance has in spades. And it plays to mature opera-goers as well as newbies; my colleagues alongside me were humming along to the melodies that everyone knows – but we all wanted to hear. The timing, particularly, of Lucy Crowe, debuting as the Countess, excelled in her “dove sono i bei momenti” aria.

What is there to love?

Sure, the visual complexity of the revolving stage creates the confusion and the rapid movement of players as the drama speeds along, compounds that – but the secret sauce of this production is the speed of the orchestra, that forces the pace.

This in turn forces the key protagonists, particularly in the close ensembles, to be rock solid in timing and harmony – and they belt out their parts. Each player has a point to make. Nobody takes any prisoners in this performance but surprisingly, the performance is actually funny! I found myself LOL at the absurdity of it all, and how many times have I seen this opera?

Whilst every singer/performer absolutely does justice to their respective roles – the standout performance that is the glue that links the others – has to be Rhian Lois who has nothing to fear in commanding the big Coliseum stage. Rhian is a Harewood Artist and she reminds me of Mary Bevan in her role in Cosi Fan Tutte.

The ENO bars were closed by the time the performance finished, which is a pity. I took a glass of wine at the adjacent St Martins Hotel hidden gin bar. At times like this, you need to raise your glass.

Cybersecurity again in the News…

We look briefly at two companies that have got in touch…

Fortified Health Security have recently partnered with Beacon Health System to strengthen the health system’s overarching cybersecurity program. Their Kristin Deuber writes to us to say:

“The program kicked off in April 2017, during the formation of Beacon, which required the health system to consolidate policies and to implement a more unified and centralized cybersecurity program. Fortified discovered through its baseline research that the health system had moderate cybersecurity system development with data loss prevention, and had deployed a SIEM solution on limited systems. In addition, like most healthcare organizations today, there was zero SIEM visibility into their medical device inventory, as well as the risks associated with those connected devices.” She attached some deeper info, which is available on demand from us here at ProfoMedia. And we have invited their President, Dan Dodson, to write a guest article – so watch this space.

Also out of the blue is the Proficio company, whose Tamara Yaravoy says that they have won some eleven Cybersecurity Excellence Awards. This is clearly better than my 200 metres swimming certificate when I was a kid. She goes on to explain in more detail:

“In the Cybersecurity Excellence Awards, Proficio won gold in the Best Managed Security Services and Cybersecurity Team of the Year – North America categories. The company was also recognized with a bronze award in the Best Cybersecurity Company category, where they had competed against forty other cybersecurity companies.

Proficio secured top honors in the Info Security PG’s Global Excellence Awards, placing in four different categories. The company won gold in the Cyber Security Vendor Achievement of the Year category for significantly expanding its operations in North America, EMEA, and APAC, silver for Best Security Company of the Year (Services), bronze in the Best Overall Security Company of the Year category, silver in the Managed Security Services category for its SOC-as-a-Service offering, and bronze in the Managed Security Services category for its Splunk Enterprise and Splunk Enterprise Security services. Proficio was the only cybersecurity company to be recognized with two awards in the Managed Security Services category.

In the Cloud Computing Excellence Awards, Proficio was recognized for excellence and innovation in their SOC-as-a-Service offering. Proficio was one of only nine companies selected for this award which honors vendors that have most effectively leveraged cloud computing in their efforts to bring new, differentiated offerings to market.

Proficio was once again awarded a placement on the Security 100 of CRN’s 2018 MSP 500 list as well as San Diego Business Journal’s Top Cybersecurity Organization List. The CRN Security 100 list is designed to help partners wade through the ever-expanding security market, from the long-standing legacy vendors to the niche players, and navigate the fast-growing security vendor market.”

Cyber security in healthcare is expected to be the target of choice for those malevolent actors trying to destabilise how our services work. Last year’s attacks on UK hospitals showed the issues of Windows XP reliance, and that was just a baseline start.

You can look back at our earlier pages on other cyber vendors. Do contact these and the above vendors as this topic will become more visible as the year goes on.

FUTURE OF FINANCE 2018 CONFERENCE

We take a look at the latest IQPC Conference formula and ask – does it work for us?

The man opens the inner door as I and my two colleagues from Portugal – whom I have never met before – enter from the outside courtyard.

He is dressed in a Polo shirt, and a bath towel. He has no trousers, and his hair is damp. He has some soft leather sneakers on.

“Are you lost?”

Yes of course we are. It is a ten-minute walk from the Putney Bridge tube station, past the security barrier and through the immaculate lawns of the Hurlingham Club, and the arborescence of pathways. We are trying to find the Conference.

“Then let me show you a shortcut”.

The man beckons us through, we enter a further courtyard, the man slides into a black 4×4 and we walk up the stone steps into a modern but eloquent glass atrium, which is indeed – where the Conference is.

The Hurlingham Club is as distant as it needs to be. This is no typical Conference mingling among the tourists who are checking out of whatever four star hotel they have found in the city. This is a venue for serious players. The 100 or so Delegates who have found their way here, a sort of crystal maze if you will – are all serious players. Large corporates do not send their key financial execs to this sort of Conference unless they can deliver, and can feel at home on this global stage of financial business decision makers.

The Future of Finance Conference is three days long. It is a Management Conference, not a Tech event. Sure, the topics discussed inevitably contain technology, but this is no GDPR Roadshow. Life has already moved on. The focus is as much about corporate vision as about AI and Robotics. Typically, the 40 minute sessions – and there are many and varied ones, and you pick and choose the ones that work for you – focus on Transformation – how to bring your team with you, establishing a culture of improvement – and inevitably, something about Brexit. I could go on. And in between, people mingle and chat in the frequent coffee breaks. Everybody shares anecdotes and business cards.

I had long gone by that time. But it establishes a central truth, that the value in IQPC Conferences is as much in the informal networking amongst peers, as in the more formalised presentations.

My colleagues from Portugal are taking a quick cigarette outside the exit as I make my own way back to the exit. They give a cheerful wave – “see you in Lisbon?” It turns out we both used to work for the same company. The next IQPC Conference will be in Lisbon, and I have been invited.

Will I come?

You bet!!

ENO SCORE ANOTHER HIT!

We look in wonderment at one of ENO’s best productions yet of this classic modern masterpiece.

Alexander Soddy strides into the orchestra pit, waves and encourages his team, and then there is silence for a full five seconds. And then we are off! And it’s a strange, curious beginning…

This is redolent of the performance of Wagner’s “The Mastersingers” a few years earlier; the feeling somehow that this will be the epic performance – when everything goes right. That night, at the end of five hours, all the orchestra hugged each other at the finale. And so it was last night. From whatever opera or music background you come from, this is a performance you have to see.

The secret sauce of this production is the fluidity, sensibility, and sheer forcefulness and continuation of the orchestra – which allows the drama to experiment, to be funny, aggressive, romantic, and convey sincere emotion – without ever losing sight of the fact that essentially, this opera is a dream.

The whole stage is one giant bed. The production relies on the singers/actors/actresses hopping from bed to stage, from awake to asleep, from fantasy to reality. The melodic lines of the music never give away anything you can hum along to, no nice chord progressions and cadences; there is this sense of being suspended somewhere and indeed the third act is precisely that – the three beds suspended in mid air.

And then there is the humour, which is less rather than more – subtle at its best. My standout performance was Eleanor Dennis as Helena, very similar to Mary Bevan some years earlier, also a former Harewood Artist.

But this is to be picky; all of the singing, the characterisation, the direction, was spot on, an integrated whole. Sometimes, particularly at the end of the second act, the drama and clever direction took your breath away.

The humour reached its peak at the finale. This was the nearest we got to traditional Shakespeare productions and slapstick humour. It reminded me of the last time I saw this, in Devon – just a couple of years ago.

The difference here – is that the music adds the extra dimension, at times searing, to force the drama.

And then Puck wraps it up… we are back to the original Shakespeare lines…

Was I dreaming? I have no idea. But I am still rubbing my eyes. I can’t believe it.

…They Put Up a Parking Lot

We interview Shaz Ahmad, Nextgate’s VP of Cloud Operations to find out why people don’t miss something until it’s gone.

It is 02.00am Pacific Time and this is the preferred hour of the day for Shaz Ahmad, in his T shirt, to handle an interview. He is a self confessed night owl, but I would’ve thought there were limits. For me, it is 10am GMT and there could be no worse time to make a constructive assessment of why Nextgate’s time has come. I have told my office to hold my calls.

But Shaz is as eloquent as I am even in mid-morning, and he needs to be. Nextgate identity management technology is the secret sauce that makes your hospital data work, seamlessly, that you do not realise you ever needed, until something goes wrong. It is the one line of code you never appreciated, but which makes your data work. As they say in the song, isn’t it the way it goes, you never realise what you’ve got – until it’s gone.

Except that with Nextgate – the thing that you don’t “get” – is the problem that you’ve got. As we move more and more into a connected and multiple data source environment, where patients not techies are driving that source of data, so (to paraphrase) hospitals increasingly cannot map or match the data that they have. In short, the HL7 data is neither clean from one source or another, nor do existing systems talk to each other. And whilst this is a technical issue, the problem is commercial. Putting it right takes man hours and costs money.

Except that it doesn’t. And it comes through the decision of starting again, and putting your data on a cloud. What that means is, a cloud-based solution that does identity management, allows hospitals and organisations to rapidly and accurately deliver a patient record at the point of care – with the flexibility and scalability you need in today’s evolving and digital environment.

Shaz does not talk about technology. He talks about Service Level Agreements. He talks about peace of mind. The idea that you as a Hospital (say) can access all of your data, 24/7, safely on a cloud, without the need for local expert support. Amongst all of the solutions that a hospital might have, Nextgate is the single line that makes not just a difference – it is THE difference.

It is the reason why Shaz left his job at Orion, where he was a user of Nextgate technology, to take up an offer with the company that created the stuff.

Nextgate competes with the big IBM and Corporate Players in data integration. But it is addressing a real market need. The Obama driven “spine” of data accessibility mirrors the attempts in the UK to formalise data accessibility. Nextgate has reference sites and projects that are pan-Atlantic.

Yet it is a hard sell – what Nextgate are saying is: don’t wait until you have an issue before talking to us about our Cloud benefits. As they say in the song – don’t lose sight of Paradise.