Secureworld Atlanta just finished up. Turns out cyber experts do agree about many of the same issues we discuss here. Two days of discussions amongst CISOs, ISOs, security techies, etc. about what to worry about and what to do for cyber protections. Yes, there was a lot of really nerdy discussions but the good news is the central themes do not require geek speak to share with you.
In this episode:
Cyber Experts Agree We Are Not Alone
Today’s Episode is brought to you by:
Where to meet us
- North GA Medical Management Association in Dalton, GA June 14
- 4medapproved Healthcare Cybersecurity Officer Live Webinar Workshop – June 20, 21, 27, 28, 2018
Next HIPAA Boot Camp
Live in Tucker, GA
July 19 and 20th
Want to be part of Help Me With HIPAA? Donate to the cause at www.HelpMeWithHIPAA.com/give
HMWH App now has more features. You can now access a PDF with the show notes ready for your HIPAA training documentation! Find it under the bonus feature in the app for both the Apple and Android versions. It is a little gift box on the app bar.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
Cyber Experts Agree We Are Not Alone
When you look at cybersecurity from the viewpoint of enterprises like AT&T, Macy’s, Home Depot, Rheem, Bank of America, IHG, etc our problems are are basically the same just on a smaller scale. The good news is we are much further down the road in healthcare. Maybe not as far as we should be but the requirements under HIPAA make it much easier to know where to start.
Many sessions on internal cyber issues made it clear that insiders are a key concern. Security awareness is a major issue that everyone is trying to figure out. How do you properly teach people to participate in the common goal of protecting the organization?
There were also discussions about getting the leadership onboard. How can you build a company culture around security if you don’t have any leadership support? Turns out this is also a topic that all types of organizations deal with over time. While healthcare organizations do have HIPAA to point to as an objective, most other companies don’t have to worry about it. Interestingly enough that GDPR has gotten a fire under them, apparently.
No matter what type of organization, the cyber experts at this conference all worried about ways you can teach people who are not technical why security matters. We all struggle with that issue. Phishing, spear phishing, and click bait for infected sites all fall under areas that we can only protect the company so far with technology. They are also the most common ways for hackers from the outside to get inside.
In healthcare, we have to worry more about the access to information such as PHI which takes us even further down the road for requiring internal controls and training.
Third party management
As more companies get serious about cybersecurity in their organizations they realize that third parties without security controls can make a major impact no matter their size. Target was hit by HVAC vendor failing to have proper security. There are numerous examples where vendors play a central role in creating or exasperating a cyber incident. Now, they refer to it as the supply chain risk but in healthcare, we will continue to know it as Business Associates. Even though there is other data that should be protected, we still worry about PHI.
According to some of the sessions and discussions, there are major issues with some of the vetting people are doing. As we discussed in the previous episode on vendor vetting, it is getting tough out there. For those of you not in healthcare or not business associates under HIPAA, your time is coming. Prepare now if you are a B2B business. All of your clients will soon be asking if not because of regulations because they need to protect themselves.
No matter what the questions, though, you will need to prove that you are doing these things. It is certainly no longer the simple paperwork world any longer. Even if you are only doing SANS 20 or CIS 20 best practices, document your program. NIST framework requires documentation also.
You can’t just say you do this and blow it off. Someone will call you on it at some point. Apparently, some of the questionnaires are now hundreds of questions. Organizations are scrambling to come to a consensus of what types of certifications meet acceptable criteria for trust. Regular SOC 2 doesn’t cut it. But, there is a new one that is specific for cybersecurity. It is designed for general use and may turn out to be very helpful. We are keeping an eye on it.
Cyber experts are all worried about IoT (Internet of
While I love the idea of the smart home that is fully automated and connected, the reality of it right now is like watching a horror flick. There are plenty of folks telling everyone not to worry about what is out there but that is so not possible if you do more than just trust them. The whole room reacted to IoT discussions with concern at various levels. As one person asked,
“How will we ever get the average person to handle securing these things?”.
When I was in a session about managing open source software the point was clear when they mentioned that 77% of IoT devices use open source software with an average of 677 vulnerabilities built into them.
Just like we discussed previously GDPR is expected to be a watershed moment for cybersecurity and privacy regulations. It is just a matter of time before more of those types of regulations will force most businesses to address formal programs for cyber protection and privacy.
When every discussion of malware included a mention of Russia being behind it. It will likely be brought about by matters of National Security.
Ransomware discussions were as we expected. I did bring up the fact that healthcare adds the breach issue which also includes the forensics requirements. Similar cases exist in financial markets. The room full of cyber experts agreed that if you pay a ransom you will almost certainly get hit again. Another area where cyber experts agree, ransomware isn’t going away any time soon.
One point that was interesting when everyone was talking about phishing tests one person pointed out how they got hit with a banner ad on a legit industry website. Another also mentioned RDP sessions are still open to the internet. How is that still a thing!
New ransomware concerns include not just hacking email accounts but doing that and then encrypting the emails and holding them for ransom. I am glad we have no email server to manage!
Some of the interesting conversations outside of sessions were how STUXNET was implanted and how Atlanta was hit by ransomware. Still, I found no scuttlebutt about Allscripts ransomware attack.
Yes, there was a lot of nerdy conversation at this conference but it is clear that all those security nerds are trying to figure out how to reach everyone else about security. If we don’t all get better the explosion of IoT, wearables, and other devices will be the telling point. Our current systems will not secure all of these things properly. It will take all of us to fight this cyber war and get through to the other side better for having won it.
Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!