Security & Privacy

  • Cisco unveils IoT security architecture for healthcare devices

    The new framework includes analytics, cloud security, malware protection and other services. Cisco on Thursday announced its IoT Threat Defense and said that among the first uses of the new architecture is securing services vital to medical care. The architecture and services combination can be used to segment […]

  • The ROI of Healthcare Cybersecurity

    Let’s accept the fact that we want to feel secure in some way, whether it is secure in our jobs, our relationships, or our personal safety and wellbeing.  We want the best for our families, our business endeavors or, as in healthcare, for the other people for whom we have some degree of responsibility.  But […]

  • The Right Skills for CISOs

    Welcome to Code Red, HIMSS’s new health IT cyber security podcast. Code Red focuses on cyber security challenges facing health care today & tomorrow, featuring the voices of the people on the front lines. The goal of the podcast is to explore the interplay between the people, processes & technologies that make up an organization’s […]

  • Medical Device Security in the Age of the “Internet of Things”

    On March 12, 2008, the New York Times reported about a team of computer security researchers from Beth Israel Deaconess Medical Center and the Universities of Washington and Massachusetts that was able to gain wireless access and reprogram a combination heart defibrillator and pacemaker to deliver potentially fatal jolts of electricity to a person with the […]

  • Tips to Help Prevent Privacy Breaches

    In celebration of Data Privacy Day, taking place each year on January 28th, members of the HIMSS Privacy and Security Committee talk about ways to help protect patient privacy. In part 1 of the series, Meredith Phillips, Chief Information Privacy and Security Officer for Henry Ford Health System, discusses several common scenarios involving breaches […]

  • Healthcare cybersecurity up by 13.6 percent annually as hospitals play catch-up

    With all the data breaches and threats popping up all over healthcare, expect the market for cybersecurity products and services in U.S. hospitals to grow by 13.6 percent annually between now and 2021.

    That estimate comes from a new, lengthy and pricey report by research firm Frost & Sullivan on the U.S. market for hospital cybersecurity. Frost isn’t releasing dollar figures of its forecast to the media, but the Mountain View, California-based company isn’t holding back in identifying culprits in this expected market growth.

    “There’s been a cultural naïveté about IT security in healthcare,” said lead author Nancy Fabozzi, Frost & Sullivan’s principal analyst for connected health.

    Fabozzi said that many healthcare organizations have wrongly assumed that meeting HIPAA security requirements is enough. But the fact that, according to Frost’s research, there have been 1,437 large breaches of health data, affecting more than 154 million patient records, since 2009 illustrates that their efforts have been sorely inadequate.

    More than 113 million of those records were breached in 2015 alone, so the threat appears to be growing. Of particular note, 98.1 percent of records breached last year were because of hacks or other malicious activity, according to Frost.

    “Hospitals are finally now realizing that health data is so valuable,” Fabozzi said. Unfortunately, she added, until very recently, technology vendors have not had to prove that their offerings are sophisticated enough to meet the threats posed by hackers.

    “In spite of a growing awareness of the problem of increased cyber threats, many healthcare organizations face considerable challenges as they gear up to do battle with cyber attackers. Hospitals’ lack of leadership, appropriately trained staff and adequate financial resources are critical concerns,” Frost explained in a PowerPoint presentation shared with MedCity News.

    But they are starting to get the message. “Hospitals are transitioning from a reactive, piecemeal, fragmented approach to protecting privacy and security that is highly dependent on HIPAA compliance to an approach that is proactive, holistic and coordinated, anchored by integrated solutions designed to protect multiple endpoints (computers and connected medical devices),” the presentation said.

    “The real opportunity here is for consultants — managed services and professional services,” Fabozzi explained.

    In 2015, about 80 percent of healthcare security spending was on software and other products, with just 20 percent dedicated to services, Frost reported. Expect that mix to shift to about 70/30 by 2021.

    With the HIPAA security rule now 13 years old — and based largely on a draft completed in 2000 — Fabozzi said that it’s likely there will be new legislation and regulation on healthcare cybersecurity in the near future, regardless of how the November presidential election plays out.

    “There’s a risk in healthcare that goes far beyond anything in other industries, and that’s hacking into a medical device and harming patients,” Fabozzi noted.

    The timing of this report couldn’t have been any better for Frost & Sullivan. The report — or at least the news release about it — hit the same week that Phoenix-based Banner Health disclosed a major breach of payment terminals and other computer systems and that Advocate Health Care Network in Illinois reached a record $5.55 million HIPAA settlement over allegedly lax security practices.

    Here’s an infographic from Frost highlighting themes in the report:


  • Is Cybersecurity Education Failing?


    There’s no doubt that tech pros with security expertise are highly sought after. Yet in the face of that demand, it seems that schools are having a hard time producing enough graduates to fill open security jobs.

    A new study of 121 university programs, conducted by an independent consultant contracted by cloud-based security provider CloudPassage, found that not one of the top ten U.S. computer-science programs (as ranked by U.S. News & World Report in 2015) requires a single cybersecurity course for graduation. In fact, only one of the top 36 U.S. computer-science programs demands such a course (for those keeping score at home, that’s the computer-science program at the University of Michigan).

    CloudPassage CEO Robert Thomas suggested that, when you consider how cyber-attacks are driven more by organized crime and hostile governments armed with sophisticated tools and lots of funding, the average IT organization is operating at a distinct disadvantage. “All you hear over and over again is how many open security positions there are… Frankly, it’s only going to get worse.”

    The U.S. government alone is looking to hire 1,000 IT security workers by the end of June. Not only are such professionals hard to find—the government isn’t generally competitive when it comes to salaries. As a result, some pundits doubt that federal agencies will achieve that hiring goal.

    Christopher Key, CEO of Verodin, a security start-up focused on automating the testing of security defenses, thinks it’s hard for IT security professionals to keep up with the latest trends, never mind universities and IT generalists. “We think organizations need to first think more about the effectiveness of the money they already spend on security,” he said. “They need to measure if they are actually getting better at providing IT security.”

    The bigger issue is to what degree IT security issues have dampened the willingness of organizations to launch new digital initiatives. While becoming a “digital business” is clearly all the rage these days, there’s a lot of security risk associated with such projects.

    Greg Richey, director of professional services for Ingram Micro, an IT distributor that provides support for thousands of small to midsize IT services providers, hasn’t seen a slowdown in the number of projects launched to deal with potential vulnerabilities. The issue isn’t the number of security professionals, he thinks; it’s the quality.

    “I can find plenty of IT security people,” he added. “Finding good IT security people is another matter.”

    In the absence of well-qualified IT security professionals, there’s a lot of interest in IT security automation. That means the use of machine learning algorithms and other forms of artificial intelligence; PatternEx, for example, uses A.I. to provide “virtual security analysts” that eliminate many of the lower-level tasks that human security analysts perform manually. But someone still needs to make sense of all those security reports to determine the true nature of a particular threat.

    In the meantime, any tech professional who wants to expand the scope of their IT security skillset must commit to continuous education. The threats that need to be addressed evolve on a weekly basis, both in sophistication and lethality. It’s not a job segment for the faint of heart.

    The post Is Cybersecurity Education Failing? appeared first on Dice Insights.

  • Enterprise Security in the Cloud

    This is a podcast featuring Eddie Potter, Sr. of Zscaler in a discussion about how you can secure your entire healthcare system enterprise. The unique challenges that hospital systems are facing today continue to become more complex. There were more than 113M individuals impacted by data breaches in 2015 with 109M of the 113M were […]