<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4945852896025945156</id><updated>2026-04-16T21:41:31.761+00:00</updated><category term="Medical Device Security"/><category term="CyberSecurity"/><category term="Healthcare"/><category term="AI"/><category term="Compliance"/><category term="Ransomware"/><category term="Risk Analysis"/><category term="FDA"/><category term="HIoT"/><category term="Health Tourism"/><category term="Healthcare Innovation"/><category term="Healthcare Security"/><category term="ML"/><category term="NHS"/><category term="Privacy"/><category term="Russia"/><category term="Webinar"/><category term="cyberattack"/><category term="Australian Healthcare"/><category term="BioMed"/><category term="CISO"/><category term="China"/><category term="Cisco Security"/><category term="Covid-19"/><category term="Cyberwar"/><category term="DU"/><category term="FBI"/><category term="HIPAA"/><category term="Heartbleed"/><category term="IRM &amp; SaaS"/><category term="Iran"/><category term="LockBit"/><category term="New Zealand Healthcare"/><category term="North Korea"/><category term="OCR"/><category term="OpenSSL"/><category term="Podcast"/><category term="Risk"/><category term="Russian cyber attacks"/><category term="Singapore"/><category term="Third Party Vendor Risk Management"/><category term="University College Denver University"/><category term="WannaCry"/><category term="cyber risk"/><category term="2017 Annual Cybersecurity Report"/><category term="2024"/><category term="A Career in Cybersecurity"/><category term="ACCE"/><category term="APAC HIMSS"/><category 
term="APT1"/><category term="Aging Populations"/><category term="Al Jazera"/><category term="AlArabyia"/><category term="Albuquerque"/><category term="Annual Cybersecurity Report"/><category term="Anthem Breach"/><category term="Audit Automation"/><category term="Automation"/><category term="BC AWARE"/><category term="Backups"/><category term="Beverly Hills Health IT Summit and Security Forum"/><category term="Biomedical Elephant in the Room"/><category term="Breakfast Show"/><category term="British Columbia"/><category term="Bumrungrad"/><category term="CBS"/><category term="CHIME"/><category term="CHIME Strategy Webinar"/><category term="CIA"/><category term="CII"/><category term="CIO Middle East"/><category term="CNI"/><category term="CNN"/><category term="CTGI"/><category term="California Healthcare Security Forum"/><category term="Canada Healthcare"/><category term="Canada Privacy &amp; Security"/><category term="Canadian Conference on Physician Leadership"/><category term="Change Healthcare"/><category term="China Cyber Espionage"/><category term="Chinese Cyber Espionage and IP theft"/><category term="Cisco"/><category term="Cisco 2016 Annual Security Report"/><category term="Cisco 2016 Midyear Cybersecurity Report"/><category term="Cisco ACR"/><category term="Cisco MCR"/><category term="Clinical Engineering"/><category term="Communicating Security and Risk to the Board"/><category term="Cotswold Radio"/><category term="Critical Infrastructure"/><category term="Cyber &amp; Kinetic war"/><category term="Cyber Terrorism"/><category term="Cyber Wagner"/><category term="Cyber attack &amp; security incident response"/><category term="Cyber-Breach Insurance"/><category term="Cyberattacks"/><category term="Cybercrime White Paper"/><category term="Cybersecurity Investment"/><category term="Cybersecurity Professionals"/><category term="Cybersecurity Risk"/><category term="Cybersecurity as a Strategic Advantage"/><category term="Cybersecurity in a crisis"/><category 
term="Cybersecurity skills shortage"/><category term="Cyberwarfare"/><category term="DPRK Lazarus Group Crypto Heist"/><category term="DefCon"/><category term="Denver"/><category term="Digital Canary in the Digital Coal Mine"/><category term="Digital Health Rewired 2022"/><category term="Disruptive Technologies"/><category term="Dr. Leanne Field"/><category term="Dubai"/><category term="Dubai &amp; Abu Dhabi Healthcare"/><category term="ER"/><category term="Eurasia HIMSS 19"/><category term="FBS"/><category term="Facebook"/><category term="GA HIMSS Annual Conference 2016"/><category term="GB News"/><category term="GCF"/><category term="GCF Panel"/><category term="GCF25"/><category term="GDPR"/><category term="GRU"/><category term="Gaming"/><category term="Globalization"/><category term="Guest Lecture"/><category term="HHS"/><category term="HHS Cyber Attack"/><category term="HIMSS"/><category term="HIMSS AsiaPac19 Conference"/><category term="HIMSS AsiaPac19 Livestream"/><category term="HIMSS Australia Digital Health  Summit 2019"/><category term="HIMSS Cybersecurity Community"/><category term="HIMSS Healthcare Cybersecurity Community"/><category term="HIMSS Interview"/><category term="HIMSS Security Interview"/><category term="HIMSS Singapore Interview with Bruce Steinberg"/><category term="HIMSS TV Interview"/><category term="HIMSS24 Interview"/><category term="HIMSS26"/><category term="HIPAA Security Rule"/><category term="HIT Summit"/><category term="HITRUST"/><category term="HITSecurity Forum Boston 2017"/><category term="HLTH"/><category term="Hacking"/><category term="Hamas"/><category term="Health IT Value"/><category term="Healthcare Policy"/><category term="Healthcare Security Leader."/><category term="Healthcare providers"/><category term="Hong Kong Healthcare"/><category term="Hong Kong Hospital Authority"/><category term="Hospitals."/><category term="Houston Southwest Security Roadtable"/><category term="IRM"/><category term="ISACA"/><category 
term="ISE"/><category term="ISO 27001"/><category term="Identity Services Engine"/><category term="Innovation"/><category term="Internet Access in China"/><category term="Its time that businesses remove their dependency on Internet Explorer for good"/><category term="Kiwicon X"/><category term="Legacy hardware and software"/><category term="London"/><category term="Louisville Innovation Summit"/><category term="MAD."/><category term="MGM"/><category term="MHG Live! Denver"/><category term="MSS Denver 2022"/><category term="MSSP"/><category term="Medical Device Failure"/><category term="Medical Device Secuity"/><category term="Medical Devices"/><category term="Medical Tourism"/><category term="Meta"/><category term="NCA"/><category term="NE HIMSS"/><category term="NH-ISAC"/><category term="NHS 111"/><category term="NIST"/><category term="National Cybersecurity Awareness Month"/><category term="Network Enclaving"/><category term="Network Segmentation"/><category term="New Facebook privacy snatch"/><category term="New Zealand"/><category term="New Zealand Ministry of Health"/><category term="Northeast Cybersecurity Forum"/><category term="Not Petya"/><category term="Ohio Information Security Conference"/><category term="Optum"/><category term="Orlando"/><category term="PLA Cyber Troops"/><category term="Panaceas"/><category term="Paris"/><category term="Parkview Medical Center"/><category term="Parlez-Vous Finance?"/><category term="Phillips"/><category term="Policing the Internet"/><category term="Public Health"/><category term="Pueblo Community College"/><category term="Qilin"/><category term="RSA 2018"/><category term="RaaS"/><category term="Ransomware Attack"/><category term="Resiliency"/><category term="Rising Healthcare Demand and Prices."/><category term="Risk Management"/><category term="Rural Health"/><category term="Rural Healthcare"/><category term="Russian"/><category term="Ryuk"/><category term="SOC 2"/><category term="SVR"/><category term="Safety 
Tips"/><category term="Saudi Arabiya"/><category term="Securing the Healthcare Sector amidst Technological Disruptions"/><category term="Security"/><category term="Security Awareness"/><category term="Security Leadership"/><category term="Security Segmentation"/><category term="Security Vendors"/><category term="Security World 2015"/><category term="Security-as-a-Service"/><category term="Segmentation"/><category term="Smart Health"/><category term="Social Engineering"/><category term="Speaking the same language"/><category term="State sponsored cyberattacks"/><category term="Stephen and Ellie"/><category term="Supply Chains"/><category term="Synnovis"/><category term="TPVRM"/><category term="TV Interview"/><category term="Takedown"/><category term="Tasmania"/><category term="Technology First"/><category term="The New Reality of Securing Healthcare"/><category term="The Segment: A Zero Trust Leadership Podcast"/><category term="Third Parties"/><category term="Third-Party Risk Assessment"/><category term="Threats"/><category term="Trickbot"/><category term="TrustSec"/><category term="UAE"/><category term="UAE Cyber Crime"/><category term="UCOL"/><category term="UHG"/><category term="UK Ambulance Service"/><category term="US healthcare"/><category term="US lags Europe on privacy practices"/><category term="UT Austin"/><category term="Ukraine"/><category term="Under-funding"/><category term="Urgent Care"/><category term="VA HIMSS 17"/><category term="VA HIMSS 18"/><category term="VA HIMSS19"/><category term="VIVE"/><category term="VPNs"/><category term="Vendors"/><category term="Vietnam"/><category term="Vishing"/><category term="Waitlists"/><category term="Wearables"/><category term="as-a service"/><category term="changing role of the CISO"/><category term="cloud"/><category term="cyberdefense"/><category term="eHealth"/><category term="insider threats"/><category term="online gambling"/><category term="patching"/><category term="patient safety"/><category 
term="security best practices"/><category term="third-party"/><title type='text'>Cyber Thoughts</title><subtitle type='html'>Cybersecurity and Privacy for the Healthcare Life Sciences industry</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.cyberthoughts.org/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default?redirect=false'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default?start-index=26&amp;max-results=25&amp;redirect=false'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>162</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-8079985079408219857</id><published>2026-03-17T00:48:00.007+00:00</published><updated>2026-03-27T17:26:22.761+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Audit Automation"/><category scheme="http://www.blogger.com/atom/ns#" term="Cyber-Breach Insurance"/><category scheme="http://www.blogger.com/atom/ns#" term="HIMSS26"/><category scheme="http://www.blogger.com/atom/ns#" term="HITRUST"/><category scheme="http://www.blogger.com/atom/ns#" term="ISO 27001"/><category scheme="http://www.blogger.com/atom/ns#" term="SOC 2"/><category scheme="http://www.blogger.com/atom/ns#" term="Third-Party Risk Assessment"/><title 
type='text'>Third-Party Risk Assessment </title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyBKYq1bS_hFBlgW32GQAbrYhMTBxEZEmhvwSFeI063QeBUHYN-nGcmqZQTA1rsAHq0LwGgXobyby3K3QjpUeJOPWCarCxYW_0fPDs4hEKstyAkp5cl_59tj66AhOM2_BMiZsxsqSmd-kUDSnH-tPV5pV_m0-2LqJWfmCxG7bxim7-Nb-mVpy-_RX-684U/s3421/Richard%20Sky%20Theatre.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;2304&quot; data-original-width=&quot;3421&quot; height=&quot;432&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyBKYq1bS_hFBlgW32GQAbrYhMTBxEZEmhvwSFeI063QeBUHYN-nGcmqZQTA1rsAHq0LwGgXobyby3K3QjpUeJOPWCarCxYW_0fPDs4hEKstyAkp5cl_59tj66AhOM2_BMiZsxsqSmd-kUDSnH-tPV5pV_m0-2LqJWfmCxG7bxim7-Nb-mVpy-_RX-684U/w640-h432/Richard%20Sky%20Theatre.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;Photo Credit: Michael Hiskey &lt;/span&gt;&lt;/div&gt; 

&lt;h3 style=&quot;text-align: left;&quot;&gt;&lt;i&gt;&#39;Healthcare needs a better third-party risk assessment approach&#39;&lt;/i&gt;&lt;/h3&gt;
This was the message I delivered to the HIMSS Global Conference in Las Vegas, held March 8th through 12th.

&lt;br /&gt;&lt;br /&gt;

Modern healthcare has become a &quot;whole village&quot; effort, involving a growing number of third-party vendors, suppliers and partners, each of which provides a specific but critical function somewhere in the delivery of care. When one of these third parties is attacked, the repercussions can spread across many providers at once and be devastating for patients and providers alike.

&lt;br /&gt;&lt;br /&gt;

Just look at the impact that the Synnovis and Change Healthcare attacks have had on patient morbidity and mortality, let alone the financial damage and disruption to providers of healthcare services. The 2024 ransomware attack by the Russian group Qilin against UK pathology provider Synnovis, a partnership with two of London&#39;s largest National Health Service (NHS) Trusts, resulted in the death of at least one patient, a measurable impact on many others, and over 120 cases of low-to-moderate harm, according to NHS data. The attack on UnitedHealth Group&#39;s (UHG) Change Healthcare by the Russian group ALPHV / BlackCat forced the cancellation of procedures when pre-authorizations failed, and left many people without their prescription medications for weeks - some of which were critical to their survival. The outage, which affected a third of US health systems, pushed many smaller providers to the financial edge, resulted in the closure of care providers and pharmacies, and had an immeasurable (and largely unreported) effect on patient morbidity and mortality.

&lt;br /&gt;&lt;br /&gt;

With such broad and devastating impact, critical third-party vendors have become an easy, high-impact target, whether the intention is to create leverage for a ransom payment or to disrupt a critical national industry of another nation. And according to the data, attacks against healthcare third parties are doubling every year.&lt;br /&gt;&lt;br /&gt;

This serious and now widely exploited weakness raises the question of how healthcare delivery organizations should more effectively assess, manage and plan for risk across their vendors, suppliers and partners. The number of third parties is often in the thousands for a single provider, so expecting each provider to risk-assess every one of them individually each year is a pipe dream given limited budgets and security resources.

&lt;br /&gt;&lt;br /&gt;We therefore need a different strategy in light of changing threats and risks: a more scalable approach to managing third-party cybersecurity risk in healthcare, built on standardized assessment frameworks and shared accountability. One that places more of the onus on the third parties themselves to be secure and compliant, and to provide evidence of the effectiveness of their security controls. This is especially important where the same third parties provide services to hundreds or thousands of different healthcare providers, and where the compliance and security control objectives are shared or very similar.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We need to agree as an industry on a common framework and a common set of audit questions, embodied in an agreed set of audit and assessment control objectives, to end the mass duplication of effort we currently deal with on both sides.&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Lack of Visibility&lt;/h3&gt;
Understanding the scope of the risk surface is the first problem. With distributed purchasing authority, especially in academic medical centers, and legacy auto-renewing contracts, just discovering how many vendor devices, applications and other systems have access to a hospital&#39;s medical network is half the battle.

&lt;br /&gt;&lt;br /&gt;

One recent audit of a provider, after a lengthy review of contracts and vendor legal agreements, found that the hospital&#39;s initial count was off by an order of magnitude. Not only was the provider paying each year for services it hadn&#39;t used in decades, but in some cases the person who had agreed to an auto-renewing contract had long since retired, or had even passed away. Vendors nobody could account for turned out to have legacy remote access to hospital networks for maintaining and managing leased systems, and rather than shut down unknown remote-access permissions, security had been told to leave these accounts up and running, despite the risks, out of uncertainty about cutting off something or someone important.
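As an added example (not code from the original post, and not any particular product), the reconciliation that audit describes can be scripted: join the remote-access account export to the contract register, then flag every account whose vendor has no current contract, whose contract owner has left, or that has gone dormant, recording each reason so the decision to disable is documented rather than deferred. The vendor names, field names and dates below are constructed for illustration.

```python
"""Reconcile vendor remote-access accounts against the vendor contract register.

Added example, not code from the original post. It flags each vendor account
that has no current contract behind it, whose contract owner has left, or that
has gone dormant, and records every reason so the decision to disable it is
documented rather than deferred.
All names, fields and dates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed contract register export (hypothetical fields).
# end=None means an open-ended or auto-renewing contract.
CONTRACTS = [
    {"vendor": "Acme PACS", "end": date(2027, 6, 30),
     "owner": "radiology.director", "owner_active": True},
    {"vendor": "Beta Lab Analyzers", "end": date(2019, 12, 31),
     "owner": "j.smith", "owner_active": False},
    {"vendor": "Gamma Billing", "end": None,
     "owner": "cfo.office", "owner_active": True},
]

# Constructed export of vendor remote-access (VPN / jump host) accounts.
# last_login=None means the account has never authenticated.
ACCOUNTS = [
    {"account": "svc-acme-pacs", "vendor": "Acme PACS", "last_login": date(2026, 3, 1)},
    {"account": "svc-beta-lab", "vendor": "Beta Lab Analyzers", "last_login": date(2020, 2, 14)},
    {"account": "svc-gamma-bill", "vendor": "Gamma Billing", "last_login": date(2025, 1, 5)},
    {"account": "vendor-legacy-07", "vendor": "Delta Imaging", "last_login": None},
]

# Fixed 'today' so the example is reproducible (constructed).
TODAY = date(2026, 3, 17)

# Reasons that justify disabling outright; anything else is a review item.
DISABLE_REASONS = ("no contract on register", "contract expired", "never logged in")


@dataclass
class Finding:
    account: str
    vendor: str
    reasons: list = field(default_factory=list)


def reconcile(accounts, contracts, today, dormant_days=90):
    """Return one Finding per account that needs attention, listing every reason."""
    by_vendor = {c["vendor"]: c for c in contracts}
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        reasons = []
        contract = by_vendor.get(acct["vendor"])
        if contract is None:
            reasons.append("no contract on register")
        else:
            end = contract["end"]
            if end is not None and today > end:
                reasons.append(f"contract expired {end.isoformat()}")
            if not contract["owner_active"]:
                reasons.append(f"contract owner {contract['owner']} has left")
        last = acct["last_login"]
        if last is None:
            reasons.append("never logged in")
        elif cutoff > last:
            reasons.append(f"dormant since {last.isoformat()}")
        if reasons:
            findings.append(Finding(acct["account"], acct["vendor"], reasons))
    return findings


def action(finding):
    """'disable' when any reason is on the disable list, otherwise 'review'."""
    for reason in finding.reasons:
        if reason.startswith(DISABLE_REASONS):
            return "disable"
    return "review"


if __name__ == "__main__":
    for f in reconcile(ACCOUNTS, CONTRACTS, TODAY):
        print(f"{action(f):8} {f.account:18} {f.vendor:20} {'; '.join(f.reasons)}")
```

The dormancy window is a parameter because a legitimate maintenance account may sit idle for months between vendor visits; the point is that every idle account ends up with a named owner and a recorded decision, not that it is cut off automatically.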

&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;A Common Risk Assessment&lt;/h3&gt;
In his presentation, Richard examined the need to better assess healthcare third parties, whether HIPAA Business Associates or simple business partners and suppliers.&amp;nbsp;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&quot;Right now,&quot; he claimed, &quot;we have things backwards with payers and providers expected to assess each of their vendors. This is not only impractical given the numbers, but also prohibitively expensive in time and resources. We need to squarely place the onus on vendors to prove that they meet or exceed payer and provider security policies and standards. Not the other way around.&quot;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&quot;We do this by having our vendors bring us proof that they meet OUR security requirements in the form of a SOC 2 Type II attestation from a reputable auditor, or an ISO 27001 or HITRUST certification, where the control objectives can be easily mapped to OUR risk and compliance requirements.&quot;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&quot;This requires third parties to get onboard with a set of standardized common security controls under a recognized audit framework to validate that common security compliance and risk control objectives have been met and have proven to be repeatable, rather than a one-off point-in-time validation. And repeatability is critical here,&quot; he added. &quot;Just look at some of the third party breaches and how they followed shortly after a recent point-in-time assessment.&quot;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Some vendors will be ISO 27001 certified, others may have shelled out for HITRUST, but neither is cheap. Some of these compliance requirements, however, may need to be cross-mapped to a payer or provider&#39;s specific risk assessment objectives. 
For others, an SSAE 18 SOC 2 Type II attestation may be easier and more feasible, while larger third parties like Microsoft or Cisco will readily have both ISO and SOC 2 reports available for their customers.&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Perhaps the biggest argument for a SOC 2 attestation over a certification is who pays. Cybersecurity certification costs usually need to come out of the security budget. A SOC 2 is often completed by the same firm that performs the organization&#39;s annual financial audit, and so is usually billed to accounting rather than security. That makes it especially attractive if you are a CISO with a tight budget. Whichever report a vendor supplies, someone on the receiving side still has to read it: check that the audit period is recent and contiguous with the previous one, that the systems and Trust Services Criteria in scope actually cover the service being bought, that any exceptions the auditor noted have been remediated, and whether subservice organizations, such as the vendor&#39;s own cloud hosting provider, have been carved out of the report.&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Separate Annual Assessments can be Expensive for Vendors&lt;/h3&gt;
Most healthcare providers draw from the same pool of third-party vendors for pathology, PACS, EMR, cardiology, billing and other clinical systems and services. They also share the same pool of business software vendors - Microsoft, CrowdStrike, Cisco, Oracle, AWS, GCP and so on. Each year the healthcare sector sends many of these vendors the exact same audit questions to assess and validate security risk and compliance. That can be a massive hit on any vendor that does not have a current SOC 2 report ready to send, with a mapping that demonstrates each of the control objectives requested.

&lt;br /&gt;&lt;br /&gt;

While some third parties have made the move to SOC 2, others have yet to do so. Plainly they need to review their options if maintaining staff sanity is a priority as audits and assessments ramp up.

&lt;br /&gt;&lt;br /&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfP4T41DKtObqF7QvHgwe_jOLaY1zVnqCWP_1DfF0OCak4W7khDsnmZGc6VCjREz3AyXIgz2L1V4GgE78vFPWve8OFP7I6QGIeBgiu5JwurXQW8l0aqWBEAynf_wh5JbA-fXOtXyml5oRjSgvRflIR9rJ9jpXhJyeNCFs9TB-iNsrEUN3gORrKx8cJTK9v/s2322/financial-audit-digital-interface.webp&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1290&quot; data-original-width=&quot;2322&quot; height=&quot;223&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfP4T41DKtObqF7QvHgwe_jOLaY1zVnqCWP_1DfF0OCak4W7khDsnmZGc6VCjREz3AyXIgz2L1V4GgE78vFPWve8OFP7I6QGIeBgiu5JwurXQW8l0aqWBEAynf_wh5JbA-fXOtXyml5oRjSgvRflIR9rJ9jpXhJyeNCFs9TB-iNsrEUN3gORrKx8cJTK9v/w400-h223/financial-audit-digital-interface.webp&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt; 
  
&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Assessment Automation&lt;/h3&gt;

Audits and assessments are expensive and very time consuming. With thousands of artifacts to assemble and match to control objectives, they need a complete project management structure to hit compliance dates or cyber risk insurance renewal deadlines. Most of this is still done manually today, against the better judgement of audit managers who see their workloads increase steadily year over year.

&lt;br /&gt;&lt;br /&gt;

With a growing number and complexity of third, fourth and fifth parties to assess each year, auditors face an uphill challenge. Whether assessments are conducted by a dedicated hospital security and compliance team or by a recognized AICPA / Big Four audit firm like PwC, KPMG, EY or Deloitte, incremental changes to manual, labor-intensive audit processes can never truly move the needle on cost and efficiency. That&#39;s why we need better automated audit tools that use AI to drive efficiency, but ones that don&#39;t depend on complicated or proprietary frameworks. It&#39;s also important that the known problems of AI-based applications, such as hallucination, are addressed by requiring human-in-the-loop (HITL) review, especially in audit systems used to calculate and evaluate risk.&lt;div&gt;&lt;div&gt;&lt;br /&gt;


&lt;h3 style=&quot;text-align: left;&quot;&gt;New Assessment Tools&lt;/h3&gt;

Fortunately, new tools are beginning to emerge that support:
&lt;br /&gt;&lt;br /&gt;

&lt;normal style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;•&amp;nbsp; Automated evidence collection which maps to cross-framework controls&lt;/span&gt;&lt;/normal&gt;&lt;/div&gt;&lt;div&gt;&lt;normal style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;/normal&gt;&lt;/div&gt;&lt;div&gt;&lt;normal style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;•&amp;nbsp; True contextual data evaluation that understands what submitted data means&lt;br /&gt;&lt;/span&gt;&lt;/normal&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;normal style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;•&amp;nbsp; AI validation that uploaded evidence meets each specific control &lt;br /&gt;&lt;/span&gt;&lt;/normal&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;normal style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;•&amp;nbsp; The full audit sign-off on the same platform that was used for readiness &lt;br /&gt;&lt;/span&gt;&lt;/normal&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;normal style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;•&amp;nbsp; AI enabled report generation – because who has time to write reports?&lt;br /&gt;&lt;/span&gt;&lt;/normal&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;normal style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 
0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;•&amp;nbsp; Full project management with task&amp;nbsp;dependencies&lt;br /&gt;&lt;/span&gt;&lt;/normal&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;&lt;br /&gt;&lt;/span&gt;&lt;normal style=&quot;border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;&quot;&gt;&lt;span style=&quot;font-family: inherit;&quot;&gt;•&amp;nbsp; SOC 2 AICPA standards for both readiness assessments and final audit&lt;/span&gt;&lt;/normal&gt;&lt;div&gt;


&lt;br /&gt;This new generation of tools simplifies and streamlines pre-assessment and audit activities. They reduce the amount of time needed for audits and assessments and streamline workflows while reducing cost and complexity. They are undoubtedly the future, but these improvements need to be paired with better visibility into what connects to medical networks and a focus upon third party vendors to provide a SOC 2 attestation or HITRUST certification of security controls. Only then will the growing morass of third party risks become more manageable for healthcare regulated entities. Only then will some semblance of normality, availability, and safety be restored to the patient community reliant upon their health services.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/8079985079408219857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/8079985079408219857'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2026/03/third-party-risk-assessment.html' title='Third-Party Risk Assessment '/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyBKYq1bS_hFBlgW32GQAbrYhMTBxEZEmhvwSFeI063QeBUHYN-nGcmqZQTA1rsAHq0LwGgXobyby3K3QjpUeJOPWCarCxYW_0fPDs4hEKstyAkp5cl_59tj66AhOM2_BMiZsxsqSmd-kUDSnH-tPV5pV_m0-2LqJWfmCxG7bxim7-Nb-mVpy-_RX-684U/s72-w640-h432-c/Richard%20Sky%20Theatre.jpg" height="72" 
width="72"/><georss:featurename>Las Vegas, NV, USA</georss:featurename><georss:point>36.171563 -115.1391009</georss:point><georss:box>7.8613291638211535 -150.29535090000002 64.481796836178845 -79.9828509</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-1372964247154162709</id><published>2026-02-12T10:04:00.032+00:00</published><updated>2026-02-19T19:48:53.802+00:00</updated><title type='text'>WHX Dubai</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifOQY0F2YTV0EsEpUbgpeUa-E7m-Kh_iS7HMu6ZAwc3iJO_ODXj920OvLswwDgqdZE6IwlBZgvT52cDWBWcjlm9aIVFEXHVoL1Wj4vJ78g0kL6WDZ25y1OUtRyvqNkREN88XTrIsSTGpQU6tbdwjXfMawUNUnEBvl7cq5kM7a1cjesyFKI_NldGKB9O0ki/s4000/Photos%20-266%20enhanced.jpg&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;2667&quot; data-original-width=&quot;4000&quot; height=&quot;399&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifOQY0F2YTV0EsEpUbgpeUa-E7m-Kh_iS7HMu6ZAwc3iJO_ODXj920OvLswwDgqdZE6IwlBZgvT52cDWBWcjlm9aIVFEXHVoL1Wj4vJ78g0kL6WDZ25y1OUtRyvqNkREN88XTrIsSTGpQU6tbdwjXfMawUNUnEBvl7cq5kM7a1cjesyFKI_NldGKB9O0ki/w640-h426/Photos%20-266%20enhanced.jpg&quot; width=&quot;600&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;

The digital healthcare evolution is producing more and more highly innovative medical technology that helps drive efficiency and improve patient outcomes. Machine learning has transformed clinical decision support, while digital transcription applications are saving physicians hours of &quot;pajama time&quot; each week on record keeping (and, at private hospitals, helping them get paid). AI has revolutionized medical imaging, allowing lower patient radiation doses to be used, and AI recognition of changes in cellular masses is vastly improving the early identification of cancer and other medical conditions.&lt;div&gt;

&lt;br /&gt;

&lt;div&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNco77Uw5SC8Sedo_oCby-RilLBQEyHSArrA-KsEQn-9eu_PlbHRMQrw2HtIqGo-jDkAkkbqrhVYqUx0GQhtYj7-eWpAHLbHrnqITn9KMtwstGKBSIkU-7RVkQ-9IL2gVrsj_9lO9xRvxxn8QWZfHFBccf212dby_cueDWYWpmxkc5j9TwNoriA7oPe4Pr/s6000/Photos%20-230.jpeg&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;6000&quot; data-original-width=&quot;4000&quot; height=&quot;440&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNco77Uw5SC8Sedo_oCby-RilLBQEyHSArrA-KsEQn-9eu_PlbHRMQrw2HtIqGo-jDkAkkbqrhVYqUx0GQhtYj7-eWpAHLbHrnqITn9KMtwstGKBSIkU-7RVkQ-9IL2gVrsj_9lO9xRvxxn8QWZfHFBccf212dby_cueDWYWpmxkc5j9TwNoriA7oPe4Pr/w294-h440/Photos%20-230.jpeg&quot; width=&quot;294&quot; /&gt;&lt;/a&gt;
  
BUT this technology also adds to and expands the cyber attack surface. A proliferation of AI-based medical applications and a tsunami of medical and other IoT devices are making security almost unmanageable across our hospitals. And that is before you consider the exponential growth of personal health sensors, interactive devices and mHealth initiatives, or the portalization of physician-patient secure messaging, appointment booking and the posting of lab results.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In 2026 you no longer need to make an appointment with your primary care physician (PCP) to have him or her share your latest test results. In many cases the data is posted to the patient portal long before the physician&#39;s office calls you with the results or books an appointment for your PCP to walk you through them. Patients can simply feed their lab results into Google or one of a growing host of AI medical assistants and receive instant medical advice - even if that advice tends towards the mean, as all AI systems do.&lt;br /&gt;&lt;br /&gt;
  
While this is a global healthcare concern, the Gulf is seeing perhaps one of the world&#39;s most accelerated and dramatic expansions and modernization of healthcare services with hundreds of new systems and applications connected to medical networks every week, and new hospitals and clinics sprouting up in almost every community. There is a revolution occurring here, but neither governments nor providers are prepared.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The pace of technology adoption has outpaced the implementation of security tools and controls needed to protect that new technology from growing cyberattacks and data breaches. Some of this is plainly the result of the frenetic pace of adoption of new innovative tech and inadequate time or resources for security teams to keep up. But an increasing aspect of this &lt;b&gt;&quot;maturity gap&quot; &lt;/b&gt;comes down to the out-of-date way in which technology and cybersecurity are perceived by executive healthcare leaders and government ministers. Rather than being seen as an integral part of the solution, an enabler of fantastic new medical services that will revolutionize patient care, they are seen as &quot;a cost of doing business&quot; or an &quot;overhead&quot; - a necessary evil to host these new AI systems and applications, and this is perhaps why the maturity gap exists between our adoption of new technologies and the security needed to safely deploy and use those technologies.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;BUT the stakes are getting higher. 
What used to be the hospital security team defending against cyber attacks by simple criminal perpetrators out to steal and monetize PHI has transformed into international terrorism and cyber extortion when hospitals are held to ransom - even though ransom payments are explicitly outlawed across an increasing number of countries for any critical national infrastructure (CNI) industry, many of which are owned and operated by national governments themselves.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The intent of at least some of these attacks, however, is not to monetize a foothold, but to inflict damage and disruption on a population, or to exact retribution against that country&#39;s government for its support for Ukraine and its defense of its land and people. Ransom and other extortionary attacks are increasingly being used as part of Putin&#39;s grey or hybrid warfare against other countries. Many of these attacks unfortunately target hospital systems, which are a soft target with high population impact. Just last week, the conference heard, Polish hospitals and municipal water treatment systems were targeted in new cyber attacks, ostensibly conducted by Russian criminal groups, frequently used as proxies by the Kremlin to inflict maximum damage and disruption. Indeed, Russia&#39;s vast array of organized crime groups is allowed to operate with near impunity from prosecution in return for &#39;favors&#39; to the government and a share of the spoils. The Kremlin is then able to claim &#39;plausible deniability&#39; for criminal acts that it has ordered against other countries as part of its hybrid warfare campaigns.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;While the odds were already stacked against hospital security defenders, the imbalance today is truly disproportionate. 
Whether highly organized and well-funded mafia crime syndicates, or state-funded, sponsored, and trained offensive cyber military units within the Russian GRU (Glavnoye Razvedyvatelnoye Upravlenie) - its military intelligence directorate; this is now a David versus Goliath problem. A well-equipped army of thousands of professional attackers against a minuscule group of hospital security defenders.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Hospitals typically have small generalist teams of cybersecurity personnel and often out-of-date technology tools with which to defend patients and health IT systems from attack. In fact, medical providers are often forced to use out-of-date and end-of-life IT equipment because of inadequate IT investment and the difficulty of upgrading or replacing health IT systems that are in constant use. This is not just a security problem for providers, but chiefly a technology problem of out-of-date systems and applications, many of which are rarely ever patched or updated.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This includes a huge and growing number of medical IoT devices that already make up 75% of connected IP assets across hospital networks. Many of these have a 15- or 20-year amortization schedule and many have underlying embedded operating systems based upon long out-of-support Microsoft operating systems, with a massive number of known and published exploits. While microsegmentation of these devices helps, many providers currently have little to no idea of what actually connects to hospital networks because of fragmented ownership, inadequate tools and poor visibility. Nor do they have an easy way to microsegment &#39;at-risk devices&#39;. 
At the same time, providers are adding medical and other IoT systems to their networks each and every month, compounding existing problems.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Providers of medical services therefore face a multi-dimensional threat scenario. A sprawling attack surface, out-of-date and end-of-life internal IT &amp;amp; IoT systems, inadequate visibility of their own networks, and highly capable and motivated adversaries that have them out-gunned and out-matched at every corner.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Plainly there is an increased need for national governments to become more actively involved in the cyber defense of CNIs, and especially healthcare providers, where attacks result in increased patient morbidity and mortality. Only governments have the resources and legal mandates to take on today&#39;s cyber perpetrators, and to do what it takes to defend their citizens from increasingly crippling hybrid warfare attacks from failing states. As yet, however, governments have by and large chosen to play a low-key role in the direct defense of their CNIs for fear of escalation. As the number of citizens killed in hybrid cyber attacks slowly increases, so that approach will likely be questioned.&lt;div&gt;&lt;br /&gt;
  
  &lt;div&gt;&lt;div style=&quot;text-align: right;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE1JpTFfHGG3lo3BFlw85O0hOpAavvgr_X8uK8RpNQIVj60AlorpkHFmN1tFsZ04oqJPNOhRgH_0UjWffUFs0jtOHO6fVOneItw0oWUQOP5XBfRFOZ6sOwf4dl5p3w869mJqHBtldI_isS3dd1ulV8zz4_m1Tu7cM-lcmF3CVWeoAgvcHKm8LBiOFKecl8/s4000/Photos%20-244.jpeg&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;2667&quot; data-original-width=&quot;4000&quot; height=&quot;306&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE1JpTFfHGG3lo3BFlw85O0hOpAavvgr_X8uK8RpNQIVj60AlorpkHFmN1tFsZ04oqJPNOhRgH_0UjWffUFs0jtOHO6fVOneItw0oWUQOP5XBfRFOZ6sOwf4dl5p3w869mJqHBtldI_isS3dd1ulV8zz4_m1Tu7cM-lcmF3CVWeoAgvcHKm8LBiOFKecl8/w460-h306/Photos%20-244.jpeg&quot; width=&quot;460&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
    
These were just some of the topics of discussion at this year&#39;s &lt;a href=&quot;https://www.linkedin.com/feed/#&quot;&gt;WHX Dubai&lt;/a&gt; conference where healthcare leaders from across the world gathered to put forward suggestions and recommendations for improving patient care, safety and outcomes through smart security.&lt;/div&gt;
  
  &lt;br /&gt;

&lt;div&gt;Joining me on stage at this prestigious event were Professor&amp;nbsp;&lt;a href=&quot;https://www.linkedin.com/feed/#&quot;&gt;Attila Hertelendy, Ph.D.&lt;/a&gt;,&amp;nbsp;&lt;a href=&quot;https://www.linkedin.com/feed/#&quot;&gt;Mike Fell&lt;/a&gt;,&amp;nbsp; &lt;a href=&quot;https://www.linkedin.com/feed/#&quot;&gt;Charles Aunger&lt;/a&gt; and &lt;a href=&quot;https://www.linkedin.com/feed/#&quot;&gt;Zekeriya Eskiocak&lt;/a&gt; to share their vast knowledge and experience.&lt;/div&gt;
  
&lt;br /&gt;&lt;br /&gt;




&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/1372964247154162709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/1372964247154162709'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2026/02/whx-dubai.html' title='WHX Dubai'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifOQY0F2YTV0EsEpUbgpeUa-E7m-Kh_iS7HMu6ZAwc3iJO_ODXj920OvLswwDgqdZE6IwlBZgvT52cDWBWcjlm9aIVFEXHVoL1Wj4vJ78g0kL6WDZ25y1OUtRyvqNkREN88XTrIsSTGpQU6tbdwjXfMawUNUnEBvl7cq5kM7a1cjesyFKI_NldGKB9O0ki/s72-w640-h426-c/Photos%20-266%20enhanced.jpg" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-7716754969599100486</id><published>2025-12-09T19:27:00.052+00:00</published><updated>2025-12-16T20:03:39.027+00:00</updated><title type='text'>Beware of Holiday Scams: How to spot Fake Links and avoid Phishing Attacks</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;

&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBeBWdV9fnFD3vrVlzWnydQ4Nr-ej5ubu-_G1He9EhpnMrXHpN2Ew8kNLWtifjQGy_B8YDKwlMqidqLiIPTAfK6GcEXTL0Fw7g8N8unu5IGRwQrIOrU3YTWPLEs9NOyoPRybMWPp12CZy72ybF0SuvmZe3B-BfDEVaWg30rhUpJXAJV3zDwY0AEfGmwQoo/s1920/shoper-slLo94wES2M-unsplash.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBeBWdV9fnFD3vrVlzWnydQ4Nr-ej5ubu-_G1He9EhpnMrXHpN2Ew8kNLWtifjQGy_B8YDKwlMqidqLiIPTAfK6GcEXTL0Fw7g8N8unu5IGRwQrIOrU3YTWPLEs9NOyoPRybMWPp12CZy72ybF0SuvmZe3B-BfDEVaWg30rhUpJXAJV3zDwY0AEfGmwQoo/w640-h426/shoper-slLo94wES2M-unsplash.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt; 

&lt;br /&gt;

‘Tis the season to be jolly’, and between pre-holiday shopping and all the amazing deals that will be posted online for Boxing Day – (that’s December 26th for American shoppers), many of us will be avoiding the snow and shopping from the comfort of our homes, or between meetings from the company laptop as things wind down for the holidays.

&lt;br /&gt;&lt;br /&gt;

But it’s important to remember that the season is not just about putting lights on the tree and stocking up on all kinds of drinks for expected, (and unexpected), guests, nor is it about wearing ugly Christmas sweaters and drinking mulled wine, cider, and hot toddies, it’s also ‘&lt;b&gt;the season to be wary&lt;/b&gt;’. Wary about online shopping scams and last-minute deals that look too good to be true – because they very well may be – untrue, that is! 

&lt;br /&gt;&lt;br /&gt;

Our guards are down as we relax a little and look forward to meeting friends, attending a few parties, and enjoying some well-deserved downtime. The trouble is, that scammers know this too and each year they make a bonanza out of unaware, perhaps slightly tipsy, online shoppers looking for presents. Last year during the 2024 holiday season, the FBI’s Internet Crime Complaint Center received thousands of complaints about phishing and spoofing scams which drained more than $70 million from victims. And each year the number of victims increases.&lt;br /&gt;&lt;br /&gt;

It&#39;s not just the charges on your credit card or the packages that never show up, it&#39;s identity theft and a heap of other dangers, including malware and even ransomware, getting on your computer - and by extension the company network if you shop from the office.&lt;br /&gt;&lt;br /&gt;

&lt;br /&gt;
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;

&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8CDR4wK3AU3C_FD6_3D9XIe-iCdUyuhlxy-1aICkIiKhY2KTG5fd-IpsMDk3f2zbE15WJET_40NNm6_ZZJSVpXWM2Z7eZX0C3HWVxh5NDkykLJYzXwbjNuzovUnRNCGjsWhVWhsrC_GvPBwmjmNUEV8yntw51kCu_n5eDUXCC2b7yYX5a83rQ5sNc27w3/s1430/Picture1.png&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;550&quot; data-original-width=&quot;1430&quot; height=&quot;230&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8CDR4wK3AU3C_FD6_3D9XIe-iCdUyuhlxy-1aICkIiKhY2KTG5fd-IpsMDk3f2zbE15WJET_40NNm6_ZZJSVpXWM2Z7eZX0C3HWVxh5NDkykLJYzXwbjNuzovUnRNCGjsWhVWhsrC_GvPBwmjmNUEV8yntw51kCu_n5eDUXCC2b7yYX5a83rQ5sNc27w3/w640-h246/Picture1.png&quot; width=&quot;600&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
  
  &lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Typo Squatting and Homograph Attacks&lt;/h3&gt;

While shopping online, scams are getting harder and harder to detect. Even a careful examination of the URL can be misleading as numbers and even Cyrillic characters are substituted for letters. While careful examination of goog1e.com will reveal a number ‘1’ substituted for the letter ‘l’, most people in a hurry might not notice. This is known as typo squatting and is surprisingly common: fake URLs closely mimic real ones, such as using “PayPa1” instead of “PayPal.” 

&lt;br /&gt;&lt;br /&gt;

Sadly, most people don’t even check the full URL of their online shopping cart, which may have been hijacked, before entering their credit card number and completing a transaction. On a phone or tablet, chances are that the full URL might not even be displayed. While Google has the money and foresight to purchase all domains that could appear close to its domain names, other online stores might not have the wherewithal or the resources to do so, especially when different Unicode character sets are used. Criminal perpetrators know this and are increasingly exploiting it. 

&lt;br /&gt;&lt;br /&gt;

These attacks are known as IDN Homograph Attacks, and trick users by substituting Latin letters with visually identical Cyrillic ones (like &#39;a&#39; for &#39;ɑ&#39;, &#39;o&#39; for &#39;о&#39;) to create fake sites (e.g., www.google.com vs. www.googlе.com where the &#39;e&#39; is Cyrillic &#39;е&#39;) that steal credentials; examples include using Cyrillic &#39;a&#39; (а), &#39;o&#39; (о), &#39;T&#39; (Т), &#39;P&#39; (Р) to mimic real domains for phishing shoppers. Apple: www.apple.com can be spoofed as www.аpple.com (Cyrillic &#39;а&#39;).&amp;nbsp;Microsoft: www.microsoft.com can become www.microsоft.com (Cyrillic &#39;о&#39;) and the list goes on and on. 

&lt;br /&gt;&lt;br /&gt;

To avoid these attacks it&#39;s best to type the URL directly into a browser, or use a well-established and trusted bookmark rather than a link from another web site. It’s also good to avoid URL shorteners when shopping or banking, and to hover over embedded URL links before clicking as the link might not be what it appears to be. 

&lt;br /&gt;&lt;br /&gt;

Social media and many web sites today are powered by syndicated ads where the main site may have very little control over the legitimacy of those rotating ads. Look for red flags such as an “@” symbol within the URL or two web addresses combined using a question mark, especially if the first part looks like a trusted site such as Google.com or Apple.com.

&lt;br /&gt;&lt;br /&gt;

Avoid unknown but familiar sounding domains. While &lt;a href=&quot;https://www.ebay.com/mye/myebay/watchlist&quot;&gt;https://www.ebay.com/mye/myebay/watchlist&lt;/a&gt; is legitimate, &lt;a href=&quot;https://www.ebay.mywatchlist.xy&quot;&gt;https://www.ebay.mywatchlist.xy&lt;/a&gt; is probably not legitimate. And watch out for social media messages that ‘appear’ to be from friends who you have not chatted with before. Never trust, always validate. Send a message to the sender asking a question that only your real friend will know the answer to, or call them and ask whether they sent you a message via Facebook, WhatsApp, or whatever. Scammers often hijack or impersonate social media accounts belonging to people you know, so this is a common attack vector. If a message from a relative or friend suddenly sounds aggressive, sales-driven or out of character, especially if it includes a link, verify by contacting them directly before clicking.
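
&lt;br /&gt;&lt;br /&gt;

The red flags above (digit-for-letter typosquats, Cyrillic look-alikes, a brand name parked as a subdomain, an “@” in the address, a second URL hidden after a “?”) can be turned into a checker that a help desk or a cautious shopper can run over links before clicking. This is an added example and not code from the post; the short trusted-host list and the “last two labels” domain rule are simplifying assumptions of the example.

```python
"""Heuristic red-flag checker for shopping and banking links.

Added example, not the blog's own code. Covers the patterns described in the
post: IDN homograph hosts, digit-for-letter typosquats, brand names used as a
subdomain of somebody else's domain, '@' in the address, and a second URL
hidden behind '?'. TRUSTED_HOSTS and the two-label domain rule are assumptions.
"""
import unicodedata
from urllib.parse import urlsplit, parse_qsl

# Constructed allowlist of brand hosts the reader is assumed to recognise.
TRUSTED_HOSTS = {"google.com", "apple.com", "microsoft.com", "paypal.com", "ebay.com"}
BRAND_LABELS = {h.split(".")[0] for h in TRUSTED_HOSTS}

# Digits commonly swapped for letters in typosquats ("goog1e", "paypa1").
LOOKALIKE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def script_of(ch):
    """Script family taken from the Unicode character name: LATIN, CYRILLIC, GREEK ..."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def registrable_domain(host):
    """Last two labels of a host; a deliberate simplification (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url):
    """Return a list of red-flag strings for url; an empty list means nothing was spotted."""
    flags = []
    parts = urlsplit(url if "://" in url else "http://" + url)

    # 1. '@' in the address: everything before it is a username, the real host follows it.
    if "@" in parts.netloc:
        real_host = parts.netloc.rsplit("@", 1)[1]
        flags.append(f"'@' in address: real host is {real_host!r}, not what precedes it")

    host = parts.hostname or ""
    labels = host.split(".")

    # 2. IDN homograph: a punycode label (what the browser sends on the wire for an
    #    internationalised name) or letters from any script other than Latin.
    scripts = {script_of(c) for c in host if c.isalpha()}
    if any(lbl.startswith("xn--") for lbl in labels):
        flags.append("punycode (xn--) label: host is an internationalised domain name")
    elif scripts - {"LATIN"}:
        flags.append(f"host mixes scripts {sorted(scripts)}: possible IDN homograph")

    # 3. Digit-for-letter typosquat: after mapping 1 to l, 0 to o, etc. it spells a trusted brand.
    dom = registrable_domain(host)
    unsquatted = dom.translate(LOOKALIKE_DIGITS)
    if dom not in TRUSTED_HOSTS and unsquatted in TRUSTED_HOSTS:
        flags.append(f"{dom!r} is a digit-substituted look-alike of {unsquatted!r}")

    # 4. Brand name parked as a subdomain of an unrelated domain (ebay.mywatchlist.xy).
    if dom not in TRUSTED_HOSTS and any(lbl in BRAND_LABELS for lbl in labels[:-2]):
        flags.append(f"brand label used as subdomain of unrelated domain {dom!r}")

    # 5. A second URL after '?': a trusted-looking outer host forwarding to another site.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.startswith(("http://", "https://")):
            inner = registrable_domain(urlsplit(value).hostname or "")
            if inner != dom:
                flags.append(f"embedded second URL: {dom!r} forwards to {inner!r}")
    return flags


if __name__ == "__main__":
    # Constructed sample links, including the ones discussed in the post.
    samples = (
        "https://www.ebay.com/mye/myebay/watchlist",
        "http://goog1e.com/",
        "https://www.\u0430pple.com/",            # Cyrillic 'а' in place of Latin 'a'
        "https://www.ebay.mywatchlist.xy",
        "https://www.apple.com@evil.example/",
        "https://www.google.com/url?q=https://evil.example/login",
    )
    for link in samples:
        print(link, ":", assess_url(link) or "no red flags")
```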

&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;

&lt;div class=&quot;separator&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitB3yJbliBZ3DEtu2RETlSXeljT_MGGdw87qk7tJ1Mg9qPC5QPDwzqW116aqW4ku_G2U5Xz0NJ77oRiy7jXV-OwV9Iy4O7SFc6VwvKyVqG01em4xdrkqunOVQnGZC0aAY3e7nXNUxb2dBU6SCz3jbeWPqmJD2sHBMzMXpA6jOgEn9gZL4u6G9GbCVSKGkU/s447/maliciouswebsite.png&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;280&quot; data-original-width=&quot;447&quot; height=&quot;363&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitB3yJbliBZ3DEtu2RETlSXeljT_MGGdw87qk7tJ1Mg9qPC5QPDwzqW116aqW4ku_G2U5Xz0NJ77oRiy7jXV-OwV9Iy4O7SFc6VwvKyVqG01em4xdrkqunOVQnGZC0aAY3e7nXNUxb2dBU6SCz3jbeWPqmJD2sHBMzMXpA6jOgEn9gZL4u6G9GbCVSKGkU/w640-h400/maliciouswebsite.png&quot; width=&quot;580&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;What to do if you already clicked a scam link?&lt;/h3&gt;

If you’ve clicked on a suspicious link, the outcome depends on your device’s security protections. Firewalls or antivirus software may block the threat automatically. Without protection, however, action may be needed.&lt;br /&gt;&lt;br /&gt;Make sure that your endpoint protection is up to date and watch for signs of malware like unusually slow performance. Reboot and test if you are concerned. Phones are not immune. If infected, avoid using financial apps, clear your browser cache, delete unfamiliar apps or perform a factory reset. Contact your device’s tech support if needed.&lt;br /&gt;&lt;br /&gt;Once you have validated that your device is running fine, check your bank and credit card accounts. This is especially important at this time of year. If you see a transaction you don’t recognize, immediately ask family members who may have access to your cards. Check the transaction date, as purchases may take a day or two to post and merchants may not have a credit card ‘merchant name’ that reflects their ‘doing business as’ name. It’s not uncommon for a major brand like a hotel chain to post your room charges under a merchant name you don’t recognize, as many hotel properties are franchises, for example. Dates and amounts usually help to sort this out, so check against your calendar. If the charge remains unidentified, contact the institution and ask for clarification or to report a fraudulent charge. The card company will invalidate your card and send you a new one, usually within 5 business days, or less if you ask. 

&lt;br /&gt;&lt;br /&gt;

Report the scam: If you lost money, report the incident to the Federal Trade Commission and your local police department. Reporting helps authorities warn others and reduce future victims. The FTC can also help you if your credit card or bank can’t, or won’t, process a credit to your account for a fraudulent transaction. You usually have a maximum of 60 days to report a fraudulent transaction, after which you will need the FTC’s help to reverse a charge, so don’t leave unknown charges to languish. Staying alert and informed is your best defense against holiday scams and the best way to keep the season joyful and secure. So be vigilant and check your transactions regularly. 

&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/7716754969599100486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/7716754969599100486'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/12/beware-of-holiday-scams.html' title='Beware of Holiday Scams: How to spot Fake Links and avoid Phishing Attacks'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBeBWdV9fnFD3vrVlzWnydQ4Nr-ej5ubu-_G1He9EhpnMrXHpN2Ew8kNLWtifjQGy_B8YDKwlMqidqLiIPTAfK6GcEXTL0Fw7g8N8unu5IGRwQrIOrU3YTWPLEs9NOyoPRybMWPp12CZy72ybF0SuvmZe3B-BfDEVaWg30rhUpJXAJV3zDwY0AEfGmwQoo/s72-w640-h426-c/shoper-slLo94wES2M-unsplash.jpg" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-4572472739771594232</id><published>2025-10-19T00:41:00.017+00:00</published><updated>2025-12-04T23:22:34.932+00:00</updated><title type='text'>Cyber Resilience for Global Health Systems</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;

&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnm23Nn6qFVfpupO6_1Sck3wFk4pcd4M6Ge50NNZDam2eU8S3i0IGIVFNq6LVqsPa7i-on5sv8Ls2HwrypbmBNMPivKwnas1lh5uvcvIf5qDkQ_Uf5aaWB9YhQ0nulzp5BGdOzNPGbdZxQoEs8qtFP1hoD8UMXV0Rf80-V3CAxSnUIB-WsM-ImOP2V0pFt/s2500/54669629793_308790ee07_o.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1667&quot; data-original-width=&quot;2500&quot; height=&quot;400&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnm23Nn6qFVfpupO6_1Sck3wFk4pcd4M6Ge50NNZDam2eU8S3i0IGIVFNq6LVqsPa7i-on5sv8Ls2HwrypbmBNMPivKwnas1lh5uvcvIf5qDkQ_Uf5aaWB9YhQ0nulzp5BGdOzNPGbdZxQoEs8qtFP1hoD8UMXV0Rf80-V3CAxSnUIB-WsM-ImOP2V0pFt/w640-h426/54669629793_308790ee07_o.jpg&quot; width=&quot;600&quot; /&gt;&lt;/a&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;&lt;/div&gt;&lt;p&gt;

&lt;br /&gt;

I recently returned from the Global Cybersecurity Forum Annual Meeting 2025, perhaps the most prestigious of cybersecurity conferences. This is an event populated by former and current Presidents, Prime Ministers, Sheiks, Sultans, Emirs, Princes, and delegates from the European Commission, United Nations, World Economic Forum, and countless other global bodies. And of course, it has all the pomp and grandeur one expects from a high-level event in the Kingdom of Saudi Arabia.

&lt;br /&gt;&lt;br /&gt;

This year’s focus was upon “Scaling Cohesive Advancement in Cyberspace” across the world. It was built upon the pillars of fostering better alignment, redefining cyber economics and economic cohesion, strengthening cyber inclusion, adopting a behavioral lens on cyberspace, and harnessing technological advancements to tackle fast-evolving challenges in Cyberspace.
  
&lt;br /&gt;&lt;br /&gt;

The invite-only two day event drew delegates from all over the world to hear more than one hundred experts and thought leaders present to attendees and engage in meaningful discussions. This was my second year attending the event as a presenter, and this year led a discussion panel with fellow healthcare security and AI evangelist, Professor Attila Hertelendy from FIU on “Cyber Immunity: Strengthening Cyber Resilience for Global Health Systems.”

&lt;br /&gt;&lt;br /&gt;

Much of the conference was focused upon the protection of critical national infrastructure industries like healthcare, an industry undergoing a dramatic digital transformation throughout the world and across much of the Gulf region, but especially so in the developing world. These healthcare technology-adopting nations need to embrace the lessons learned and avoid the mistakes made by Europe and America. An uptick in attacks against critical infrastructure is on the rise globally with a hugely disproportionate impact on populations when hospitals and other healthcare delivery facilities are targeted.

&lt;br /&gt;&lt;br /&gt;

When the power or water grid are attacked we can revert to flashlights, candles, and bottled drinking water until services are restored. When healthcare is attacked and hospital systems go dark, patients immediately begin to suffer, with modern diagnosis, treatment, patient monitoring and management systems unable to be used. The longer these systems remain dark, the greater the probability that patients will die or be harmed by delayed or inadequate treatment. Ransomware attacks are especially heinous and lead directly to patient morbidity and mortality as we have seen in an increasing number of recent cyber attacks.

&lt;br /&gt;&lt;br /&gt;
  
More in my early morning interview with the Saudi Press Agency below:

&lt;br /&gt;

&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;br /&gt;&lt;/div&gt;

&lt;iframe allow=&quot;accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture&quot; allowfullscreen=&quot;&quot; frameborder=&quot;0&quot; height=&quot;336&quot; src=&quot;https://video.cyberthoughts.org/2025.10.02-GCF_SPA_Video.mp4&quot; title=&quot;GCF 2025&quot; width=&quot;600&quot;&gt;&lt;/iframe&gt;

&lt;br /&gt;&lt;br /&gt;

&lt;p&gt;&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4572472739771594232'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4572472739771594232'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/10/cyber-resilience-for-global-health.html' title='Cyber Resilience for Global Health Systems'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnm23Nn6qFVfpupO6_1Sck3wFk4pcd4M6Ge50NNZDam2eU8S3i0IGIVFNq6LVqsPa7i-on5sv8Ls2HwrypbmBNMPivKwnas1lh5uvcvIf5qDkQ_Uf5aaWB9YhQ0nulzp5BGdOzNPGbdZxQoEs8qtFP1hoD8UMXV0Rf80-V3CAxSnUIB-WsM-ImOP2V0pFt/s72-w640-h426-c/54669629793_308790ee07_o.jpg" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-2532263976536206536</id><published>2025-10-03T06:00:00.152+00:00</published><updated>2026-03-26T03:29:11.727+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Gaming"/><category scheme="http://www.blogger.com/atom/ns#" term="GCF25"/><category scheme="http://www.blogger.com/atom/ns#" term="online gambling"/><title type='text'>Online Gambling</title><content type='html'>&lt;div style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo3pA2PwVJii7IAfUZIjCOOj0CdabyRLoaDPdG7yEM4FOnUoiOuTOALRyC8vIqfzibNo-CI_jHAJRDBVOkhDI5pFCqIGWcP2prfEL3UPs-ug5soWFFjXFhMyq7buclUpVoC4YXBehf-cbJVLot2BvEVAJZwA-o4lE5aCdbymA-nJ9-GFgoPI_HvyJ0E7rt/s720/newsCover_2025_10_3_1759500447234-0xel4g.jpeg&quot;&gt;&lt;img 
border=&quot;0&quot; height=&quot;320&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo3pA2PwVJii7IAfUZIjCOOj0CdabyRLoaDPdG7yEM4FOnUoiOuTOALRyC8vIqfzibNo-CI_jHAJRDBVOkhDI5pFCqIGWcP2prfEL3UPs-ug5soWFFjXFhMyq7buclUpVoC4YXBehf-cbJVLot2BvEVAJZwA-o4lE5aCdbymA-nJ9-GFgoPI_HvyJ0E7rt/w640-h320/newsCover_2025_10_3_1759500447234-0xel4g.jpeg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;

&lt;span style=&quot;font-size: medium;&quot;&gt;Amidst the rapid digital transformation sweeping Indonesia, a new threat is emerging: online gambling. This phenomenon is not just an online game, but part of a global criminal network with billions of rupiah in daily turnover.&lt;/span&gt;

&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;

&lt;div style=&quot;text-align: left;&quot;&gt;&lt;i&gt;English Translation of Live Broadcast Transcription &lt;a href=&quot;http://Merdeka.com&quot;&gt;Merdeka.com&lt;/a&gt; 03 Oct 2025. Illustration of a Bansos (social assistance) recipient (Istimewa) (© 2025 Liputan6.com). &lt;/i&gt;&lt;/div&gt;
  
  &lt;h2 style=&quot;text-align: left;&quot;&gt;Online Gambling: A Global Criminal Business Amidst Indonesia&#39;s Digital Transformation&lt;/h2&gt;
  
  &lt;span style=&quot;font-size: medium;&quot;&gt; Many online gambling cases in Indonesia target vulnerable low- and middle-income groups. &lt;/span&gt;
  
  &lt;br /&gt;&lt;br /&gt;
  
  &lt;a href=&quot;http://Merdeka.com&quot; style=&quot;font-size: small;&quot;&gt;Merdeka.com&lt;/a&gt;&lt;span style=&quot;font-size: small;&quot;&gt;&amp;nbsp;03 Oct 2025&lt;/span&gt;
  
  &lt;br /&gt;&lt;br /&gt;
  
At the Global Cybersecurity Forum 2025, held on October 1-2 in Riyadh, Saudi Arabia, Richard Staynings, Professor of Cybersecurity – ITC &amp;amp; Healthcare Informatics at the University of Denver, explained that online gambling has long been a favorite tool for cybercriminal groups.

 
&lt;br /&gt;  &lt;br /&gt;

&quot;The internet completely disregards national boundaries, and that&#39;s allowed online gambling to flourish. It&#39;s used not only for gaming but also for money laundering from various criminal activities,&quot; he told merdeka.com.
    
&lt;br /&gt;&lt;br /&gt;
    
In Indonesia, online gambling platforms often target low- to middle-income individuals. Offers of initial bonuses, illusory wins, and the lure of &quot;getting rich quick&quot; are enticing entry points. However, behind the scenes, the mechanisms are designed to ensure players&#39; money is never returned.

&lt;br /&gt;&lt;br /&gt;

&quot;They deliberately target the gullibility of people with limited knowledge of cyber risks. Players are lured in with free gambling credits and given the impression they&#39;ve won, then directed to deposit their own money to increase their winnings. Ultimately, the funds are withheld and never paid out,&quot; Staynings explained.
    
&lt;br /&gt;&lt;br /&gt;
    
This pattern isn&#39;t unique to Indonesia. He believes global syndicates deliberately target the most vulnerable groups. This phenomenon reveals a new facet of cybercrime: it&#39;s not just about technology, but also about manipulating social psychology.

&lt;br /&gt;&lt;br /&gt;
  
&lt;div&gt;  &lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgczDuc720aMaSfCFvDVP4tl7DJsancypPUZeX1rPs_1wb1funCJXqYkbrrI0zLfCg10-zNdrYlCAtE2u-iWQ6Gz0GLwMaQ7uOjj6CZFF1UmO-EM_f_3MNNhgL8i6LARSXDOUENCK8HsjLkpMS458f3Sf1nq0NEVPCKKBuaeEH4GgcOVV3ZY20kUfr6IKyv/s720/feedImage_2025_10_3_1759500087530-g4ruy.jpeg&quot; style=&quot;clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;417&quot; data-original-width=&quot;720&quot; height=&quot;370&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgczDuc720aMaSfCFvDVP4tl7DJsancypPUZeX1rPs_1wb1funCJXqYkbrrI0zLfCg10-zNdrYlCAtE2u-iWQ6Gz0GLwMaQ7uOjj6CZFF1UmO-EM_f_3MNNhgL8i6LARSXDOUENCK8HsjLkpMS458f3Sf1nq0NEVPCKKBuaeEH4GgcOVV3ZY20kUfr6IKyv/w640-h370/feedImage_2025_10_3_1759500087530-g4ruy.jpeg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;
  
  &lt;br /&gt;
  &lt;div style=&quot;text-align: center;&quot;&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;Richard Staynings merdeka.com&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;
  
&lt;h3 style=&quot;text-align: left;&quot;&gt;Regulatory and Educational Challenges&lt;/h3&gt;
  
Indonesia is currently at a crossroads. On the one hand, digitalization is driving the economy; on the other, expanding internet access is opening up opportunities for transnational criminals.
  
&lt;br /&gt;&lt;br /&gt;
  
“The rapid growth of Indonesia&#39;s digital population must be balanced with higher cyber awareness. The government&#39;s job is to ensure the public understands the risks and how to protect themselves,” said Staynings.
  
&lt;br /&gt;&lt;br /&gt;
  
He cited the example of several countries in Asia that have successfully suppressed online gambling through massive education campaigns. Digital literacy has proven more effective than simply blocking sites as new ones spring up the next day and it quickly becomes a game of whack-a-mole.&lt;br /&gt;&lt;br /&gt;“We need to educate the public about the dangers of online crime. Gambling is just one facet of a broader cyber threat,” he added.
  
&lt;br /&gt;&lt;br /&gt;
  
&lt;h3 style=&quot;text-align: left;&quot;&gt;Ransomware and Mobile Apps: The Next Threat&lt;/h3&gt;
  
Besides online gambling, another increasingly prominent threat is ransomware targeting mobile apps. With Indonesia&#39;s population increasingly reliant on smartphones, these attacks pose a significant challenge.
  
&lt;br /&gt;&lt;br /&gt;
  
&quot;Small phone screens make users more easily distracted. They respond to instant messages without thinking, and that&#39;s what cybercriminals exploit,&quot; Staynings explained.
  
&lt;br /&gt;&lt;br /&gt;
  
Even more worrying, one recently reported analysis found that around 98% of Android apps on the Play Store contained security vulnerabilities. He believes the responsibility lies with both platform providers and app developers to ensure user security and privacy.

&lt;blockquote&gt;&lt;span style=&quot;font-size: large;&quot;&gt;The Coordinating Ministry for Political, Legal, and Security Affairs is seriously strengthening digital literacy to prevent online gambling in the Riau Islands, given that thousands of residents are suspected of being involved. Learn about the government&#39;s efforts to address this serious threat! Merdeka.com&lt;/span&gt;&lt;/blockquote&gt;

&lt;br /&gt;&lt;br /&gt;

&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCh7wQ0cxZhaNAYqCR-2AdfEWgw9hgYo0uYoEaU5VGew_aZKOJopBGcH1GCqDmUjILzx14CepPbkE6GqzgRMeuJuulIKzsVacHguRhsXoTCVZo4e4SGGWxcExLZf2NvBf0YOfxkVGe2R4ToW9tnaafO7z0o5EeooVm0AtVu68lSXw36rGHBOpsF5xFlq0p/s720/feedImage_2025_10_3_1759500157014-b1exc.jpeg&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;510&quot; data-original-width=&quot;720&quot; height=&quot;454&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCh7wQ0cxZhaNAYqCR-2AdfEWgw9hgYo0uYoEaU5VGew_aZKOJopBGcH1GCqDmUjILzx14CepPbkE6GqzgRMeuJuulIKzsVacHguRhsXoTCVZo4e4SGGWxcExLZf2NvBf0YOfxkVGe2R4ToW9tnaafO7z0o5EeooVm0AtVu68lSXw36rGHBOpsF5xFlq0p/w640-h454/feedImage_2025_10_3_1759500157014-b1exc.jpeg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;

&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;The Long Road Ahead&lt;/h3&gt;

Fighting online gambling and other cyber crimes is not an overnight task. It requires synergy between regulation, technology, and society.

&lt;br /&gt;&lt;br /&gt;

For Indonesia, which is pursuing digital transformation, this challenge demands a holistic approach: public education, strong regulations, and collaboration between the government and the private sector. As Staynings emphasized, &quot;Cybersecurity is not just about technology, but also about public awareness and preparedness.&quot;&lt;br /&gt;&lt;br /&gt;

Indonesia, with more than 220 million internet users, is one of the largest markets and a fertile breeding ground for global criminal syndicates.

&lt;br /&gt;&lt;br /&gt;

&quot;This is not just a national legal issue, but a global issue. Indonesia has a huge opportunity to strengthen its cyber resilience, provided it can learn from other countries that have already faced this problem,&quot; Staynings concluded.

&lt;br /&gt;&lt;br /&gt;

Digital transformation opens many doors of opportunity, but also pitfalls. Without adequate awareness and protection, the public will become victims in a larger game orchestrated by cross-border cybercriminals.

&lt;br /&gt;&lt;br /&gt;

[Ends]

&lt;br /&gt;&lt;br /&gt;

&lt;span style=&quot;font-size: x-small;&quot;&gt;Original Story published in Bahasa at&amp;nbsp;&lt;a href=&quot;https://www.merdeka.com/dunia/judi-online-bisnis-kriminal-global-di-tengah-transformasi-digital-indonesia-476391-mvk.html&quot; target=&quot;_blank&quot;&gt;https://www.merdeka.com/dunia/judi-online-bisnis-kriminal-global-di-tengah-transformasi-digital-indonesia-476391-mvk.html&amp;nbsp;&lt;/a&gt;&lt;/span&gt;

&lt;br /&gt;&lt;br /&gt;

&lt;span style=&quot;font-size: x-small;&quot;&gt;Copyright © 2025 merdeka.com KLY KapanLagi Youniverse All Rights Reserved.&lt;/span&gt;

&lt;br /&gt;&lt;br /&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/2532263976536206536'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/2532263976536206536'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/10/online-gaming.html' title='Online Gambling'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo3pA2PwVJii7IAfUZIjCOOj0CdabyRLoaDPdG7yEM4FOnUoiOuTOALRyC8vIqfzibNo-CI_jHAJRDBVOkhDI5pFCqIGWcP2prfEL3UPs-ug5soWFFjXFhMyq7buclUpVoC4YXBehf-cbJVLot2BvEVAJZwA-o4lE5aCdbymA-nJ9-GFgoPI_HvyJ0E7rt/s72-w640-h320-c/newsCover_2025_10_3_1759500447234-0xel4g.jpeg" height="72" width="72"/><georss:featurename>Jakarta, Indonesia</georss:featurename><georss:point>-6.1944491 106.8229198</georss:point><georss:box>-34.504682936178845 71.6666698 22.115784736178846 141.9791698</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-4452374383224681742</id><published>2025-09-12T19:05:00.005+00:00</published><updated>2025-12-04T23:36:02.758+00:00</updated><title type='text'>Can American Cybersecurity Technology Still Be Trusted?</title><content type='html'>&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLiqiAnvXDhveAxumm98WGq2VXSrIX96zkVMKOtZ2ZwrZqiaSAPyadNoLEzaCsP-J1jDS_47BgrkvfBDVr2ndbT9qinSyFJI_jFCAxEN2qmog57WrjtBQRseBT2qaxK3FGS_tZC6hxkOLozqOXyaTleP5mH3mnPd5BSm49PICLV-xhPcOG6b7GL_9yytb0/s1200/A-Sobering-Snapshot-of-Distrust-in-America.jpg&quot;&gt;&lt;img border=&quot;0&quot; 
src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLiqiAnvXDhveAxumm98WGq2VXSrIX96zkVMKOtZ2ZwrZqiaSAPyadNoLEzaCsP-J1jDS_47BgrkvfBDVr2ndbT9qinSyFJI_jFCAxEN2qmog57WrjtBQRseBT2qaxK3FGS_tZC6hxkOLozqOXyaTleP5mH3mnPd5BSm49PICLV-xhPcOG6b7GL_9yytb0/w640-h328/A-Sobering-Snapshot-of-Distrust-in-America.jpg&quot; /&gt;&lt;/a&gt; 

&lt;br /&gt;&lt;br /&gt;

&lt;div&gt;The radical political transformation of the United States over the past few months has not gone unnoticed by the tech and cybersecurity sector – internally within the country or externally by that sector’s customers. While many see some of these changes as innocuous and hope that any storms will blow over, others see these changes as a fundamental shift with far more nefarious implications. 
  
&lt;br /&gt;&lt;br /&gt;
  
The decimation of scientific research agencies and of the Cybersecurity and Infrastructure Security Agency (CISA), and the attempted firing of thousands of federal government employees across nearly every agency and department, are one thing. The removal of impartial senior military and intelligence commanders who cannot be relied upon to be unquestionably loyal to the new commander-in-chief is another thing entirely. Loyalty is everything to Donald Trump, and like any mafia boss, when absolute loyalty is not demonstrated it is to be punished publicly. “Kill the chicken to scare the monkey”, as the Chinese idiom states.
  
&lt;br /&gt;&lt;br /&gt;
  
Just look at Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security, who led CISA through the 2020 election and refused to support the MAGA lie that the election had been stolen when their cult leader lost. He was not only fired in the final months of Trump’s first presidency, but he and his subsequent employer SentinelOne were very recently, openly and &lt;a href=&quot;https://www.csoonline.com/article/3973542/cybersecurity-leaders-decry-political-persecution-of-chris-krebs-in-a-letter-to-the-president.html&quot;&gt;publicly persecuted&lt;/a&gt; by Trump in his second term, a full four years later. For Trump this was personal payback and, in his narcissistic mind, totally justified by the lack of kowtowing to the wannabe king.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
  
&lt;div style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9z6YaWjiPTmpbBtoUyoD9p7Y2HUBdp6Re5es1POJWCZDkjXpj2QcvHRxIyJaLMCJ2pRAMapW8P7oEBQIQ0sr1uGRhDDs5QjKjPiXyETzYpUcecEynK74sPbnRnGYL6u8m8h9FY5goSXAABQR68bG-tI0edfOoVf2syM3vdp3-MntCdRGyGEIi3PUFb0lr/s2048/Krebs.jpg&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9z6YaWjiPTmpbBtoUyoD9p7Y2HUBdp6Re5es1POJWCZDkjXpj2QcvHRxIyJaLMCJ2pRAMapW8P7oEBQIQ0sr1uGRhDDs5QjKjPiXyETzYpUcecEynK74sPbnRnGYL6u8m8h9FY5goSXAABQR68bG-tI0edfOoVf2syM3vdp3-MntCdRGyGEIi3PUFb0lr/w233-h155/Krebs.jpg&quot; /&gt;&lt;/a&gt;&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi0-TIz8rmyKSJm5zy4b8pzCqPLfeTYW3fgW7MRxSTrwug4tsYzXwyk59UGrj8_XwM6fY7x0EgW4C-Nka0TmzAnlmguw8CXaBO8ftZjOcIbnM7fDl4ELIgHtwx8ZkjMoJmhLZnq2y9th3P2Ry6YjL3LwvIQDhzrIXh_1f4Z09AI8z_k4l4mlE0oaGXgiDy/s410/bolton.jpg&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi0-TIz8rmyKSJm5zy4b8pzCqPLfeTYW3fgW7MRxSTrwug4tsYzXwyk59UGrj8_XwM6fY7x0EgW4C-Nka0TmzAnlmguw8CXaBO8ftZjOcIbnM7fDl4ELIgHtwx8ZkjMoJmhLZnq2y9th3P2Ry6YjL3LwvIQDhzrIXh_1f4Z09AI8z_k4l4mlE0oaGXgiDy/w275-h155/bolton.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
  
&lt;br /&gt;
  
Look at John Bolton, former US Ambassador to the United Nations under George W Bush, and US National Security Advisor in Trump&#39;s first term. Bolton has since become an outspoken critic of Trump’s mental decline and his errant foreign policy and has been a frequent guest on both right- and left-wing TV shows. His family home was raided in the middle of the night by the FBI, an agency now controlled by Trump sycophant Kash Patel. The raid was plainly designed to &lt;a href=&quot;https://www.thebulwark.com/p/john-bolton-raid-search-fbi-trump-national-security-classified-information-intimidation-kash-patel&quot;&gt;send a message&lt;/a&gt; to anyone else who may dare to question the ‘Dear Leader’ in the White House. This is not just domestic politics and a retribution presidency; it’s a seismic shift in the America that everyone trusts, and the world is watching.
  
&lt;br /&gt;&lt;br /&gt;
  
The fact is that the unshakable confidence in America that has persisted since World War II has been broken, and that break in confidence extends to American industry and its thriving technology sector. But for how much longer? This should be very concerning to anyone who works in the technology and cybersecurity sector.
  
&lt;br /&gt;&lt;br /&gt;
&lt;h3 style=&quot;text-align: left;&quot;&gt;So let me explain my concerns.&lt;/h3&gt;
  
I have just spent the last ten days visiting security and technology leaders in Asia. I have worked internationally for nearly two decades with big American technology brands including Cisco, CSC, and now Cylera. I visit Asia several times a year to present at various cybersecurity conferences, to visit customers, or just for a beach vacation in the depths of winter back home. This time, however, was different. Those who travel internationally will recognize that the reception of Americans outside of the country can be very different from the way other nationalities are welcomed. Fly to Europe or further afield and the comments about American politics and leaders can be quite surprising and sometimes openly hostile. Often this hostility is accompanied by derisory comments about the intelligence of the American electorate and the arrogance of its elected representatives. Foreigners will also quite vociferously question American foreign policy, including the Gulf Wars, Afghanistan, Kosovo, and Bosnia, all of which stir up hot discussion even amongst American allies. But that’s not all I discovered during this visit.&lt;br /&gt;&lt;br /&gt;I was out for drinks one evening with a number of CIOs and CISOs and the question arose: can American technology be trusted? A CIO was considering whether to simply replace and upgrade his American wireless and cellular repeater technology or to consider a replacement strategy based upon cheaper Chinese technology. Putting aside historical issues of &lt;a href=&quot;https://www.wsj.com/articles/SB10485560675556000?gaa_at=eafs&amp;amp;gaa_n=ASWzDAj9Dfa1geawDNv6rmiudiV7yAIUJhByYy_KGp4bZJLiVbPtqvbFkv1I&amp;amp;gaa_ts=68c06f90&amp;amp;gaa_sig=rCLUEylzFDZUjLl22P1zcraF2zG8pbrGUYfWWP0DsWIIpoShxSPAsFiQy8uSEuKZoY3gePRClhUHQ_pSXqI6dw%3D%3D&quot;&gt;stolen American router source code&lt;/a&gt; and other “illegally acquired” technology IP, he argued, Chinese tech today is highly innovative, feature rich, and often half the price. And he was right. It’s cheaper and often better, but at &lt;a href=&quot;https://aragonresearch.com/cyber-war-flashback-the-huawei-hacks-of-cisco-and-nortel/&quot;&gt;what price when it comes to security&lt;/a&gt;?
  
&lt;br /&gt;&lt;br /&gt;
  
The table erupted as other security and technology leaders expressed their concerns about well-publicized and prolific &lt;a href=&quot;https://www.politico.com/news/2025/07/22/microsoft-sharepoint-hack-china-federal-agencies-00467254&quot;&gt;state-sponsored hacking&lt;/a&gt;, and especially about the various Chinese &lt;a href=&quot;https://www.politico.com/news/2024/12/03/chinese-hack-global-telecom-ongoing-00192410&quot;&gt;Typhoon&lt;/a&gt; campaigns against telco systems. This included concerns about backdoors and other vulnerabilities in &lt;a href=&quot;https://www.darkreading.com/threat-intelligence/millions-of-lenovo-laptops-contain-firmware-level-vulnerabilities&quot;&gt;Chinese manufactured technology systems&lt;/a&gt;, and the view that China cannot be trusted with anything that touches critical infrastructure of any kind. This came from a mixed group of Asian and European leaders, all living and working in Asia today, and all responsible for protecting their employers from an increasing tsunami of cyberattacks.
  
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;
  
&lt;div style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggBYMHtsNb1I9ZQ__T5OJK0ZIOHCq3G7A8mmr-CAR7QlureRHiKW8f1Ax97VTyUVqjM2UW6CJyM9vJcZpDStpsX2KFKEvjHfYB6NEIRSJDTkqfAVe3PXXRnTiEBROJxc5nu_kFImE0RhfcwSJd6Ll2POp0MwdKAii9Jihlj2NW9RC33oIeM39rojNUisX0/s275/CCTV.jpg&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggBYMHtsNb1I9ZQ__T5OJK0ZIOHCq3G7A8mmr-CAR7QlureRHiKW8f1Ax97VTyUVqjM2UW6CJyM9vJcZpDStpsX2KFKEvjHfYB6NEIRSJDTkqfAVe3PXXRnTiEBROJxc5nu_kFImE0RhfcwSJd6Ll2POp0MwdKAii9Jihlj2NW9RC33oIeM39rojNUisX0/w244-h162/CCTV.jpg&quot; /&gt;&lt;/a&gt;&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzjMI3K-olhv_COX1Z2Gpqu17tLt2gtsB28Qea7Ud_A2WssHmbi-r7pE5TrBLPAkdcgqgVqFnKIxHAOYNe-WK6W6-NI6eVzdwXHsrpp9DYm74k7TGY_kb5ucFgMuRjjF-ia8ahp9hTap0CIW2o5Pc7JOEFlBiMz-mpGtmxANGZ86x-HPCNdFch5W4Uoxt8/s650/facial%20recognition.jpg&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzjMI3K-olhv_COX1Z2Gpqu17tLt2gtsB28Qea7Ud_A2WssHmbi-r7pE5TrBLPAkdcgqgVqFnKIxHAOYNe-WK6W6-NI6eVzdwXHsrpp9DYm74k7TGY_kb5ucFgMuRjjF-ia8ahp9hTap0CIW2o5Pc7JOEFlBiMz-mpGtmxANGZ86x-HPCNdFch5W4Uoxt8/w263-h162/facial%20recognition.jpg&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;h3 style=&quot;text-align: left;&quot;&gt;Not to be trusted&lt;/h3&gt;
  
China certainly has a long history of spying on its own people and &lt;a href=&quot;https://asia.nikkei.com/static/vdata/infographics/china-spends-more-on-controlling-its-1-dot-4bn-people-than-on-defense/&quot;&gt;spends nearly twice as much on internal security as it does on external security&lt;/a&gt;. It has the world’s most intensive &lt;a href=&quot;https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/chinese-surveillance-ecosystem-and-the-global-spread-of-its-tools/&quot;&gt;surveillance network&lt;/a&gt; of CCTV cameras in every city, town, and village street. It has pioneered the use of AI facial recognition software to identify and track each of its nearly 1.4 billion residents. The Ministry of State Security (MSS) has listening posts across cities and in public spaces, and is reported to intercept conversations and phone calls and to decrypt nominally secure IP-based communications, while access to the Internet is restricted via the legendary &lt;a href=&quot;https://cs.stanford.edu/people/eroberts/cs181/projects/2010-11/FreeExpressionVsSocialCohesion/china_policy.html&quot;&gt;Great Firewall of China&lt;/a&gt; that blocks news coming into China and prevents Chinese citizens from communicating outside. The PRC has become the Big Brother state envisioned in George Orwell&#39;s novel &quot;1984&quot;, which of course is banned in China. Only North Korea could aspire to greater levels of surveillance. I say &#39;aspire&#39;, because in the DPRK the supply of electricity is intermittent at best outside of Pyongyang, and surveillance technology requires power.&amp;nbsp;&lt;br /&gt;&lt;br /&gt;
  
The ruling, &lt;a href=&quot;https://www.scmp.com/news/china/politics/article/3268723/chinas-communist-party-track-100-million-members-years-end&quot;&gt;100.27 million&lt;/a&gt; strong Chinese Communist Party (CCP) has for many years been accused of suffering from a well-founded paranoia that China’s 1.4 billion citizens will rise up in a counter-revolution against the corruption of the country’s communist ruling elite. Perhaps that’s a real risk, as rising living standards can no longer be assured to buy off the population, but this concern builds upon fears dating from the comparatively minor 1989 Tiananmen Square student protests requesting more freedoms from the party, a protest that saw party hardliners send in the tanks against their own citizens for daring to challenge the party. A popular uprising against the party elite is undoubtedly one of Xi’s greatest concerns today. Rising disparities of income, declining job opportunities especially among China&#39;s millions of annual graduates, and a growing recognition that the &#39;social contract&#39; that has allowed the CCP to remain in power has expired all feed that concern.&amp;nbsp;&lt;br /&gt;&lt;br /&gt;
  
While some of the security failings of Chinese tech can simply be attributed to sloppy coding and poor quality assurance, a problem that China has faced for decades across every industry, the fact is that few trust the technology, or the ability of those running those companies to manufacture quality product free from interference by Chinese state or military agencies. Xi Jinping has made it law across China for every company and citizen to work for the communist state’s interests, and few would risk all to refuse a “request” by the Ministry of State Security to work on its behalf at any given time. That is likely how, according to a 2018 Bloomberg report that Supermicro, Apple, and Amazon all publicly disputed, China was able to insert tiny hidden chips into top-end &lt;a href=&quot;https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies&quot;&gt;Supermicro motherboards&lt;/a&gt; being fabricated in Chinese factories. Motherboards that were reportedly later found to be calling home to China from the US Congress, from Google and Apple data centers, and from other sensitive locations.
  
&lt;br /&gt;&lt;br /&gt;
  
But America spies on other countries too and has infiltrated sensitive networks all over the world. WikiLeaks published documents appearing to reveal &lt;a href=&quot;https://www.france24.com/en/20150623-us-spied-last-three-french-presidents-wikileaks-sarkozy-hollande-chirac&quot;&gt;NSA phone intercepts&lt;/a&gt; on French Presidents Jacques Chirac, Nicolas Sarkozy, and François Hollande from 2006 to 2012. The NSA also reportedly hacked the Iraqi military command and control network long before the second Gulf War and had been listening in on Iraqi communications for years. When the action started, it was able to effectively shut down Iraqi military and other communications, making the alliance military’s job that much easier. Iran’s uranium enrichment plant at Natanz was partially destroyed by the Stuxnet worm in a cyber-physical attack thought to have been developed by the NSA and delivered by Mossad. Malware that enabled the US and Israel to slow down Iran’s quest to develop nuclear weapons, weapons that would likely be used against Iran’s enemies, including Israel and perhaps even the USA.
  
&lt;br /&gt;&lt;br /&gt;
  
&lt;h3 style=&quot;text-align: left;&quot;&gt;Can the US be trusted by its allies and non-aligned countries?&lt;/h3&gt;
  
The Trump Administration has threatened the future of NATO, Five Eyes, and the overall western alliance. It has imposed debilitating tariffs against its principal trading partners, which is isolating the United States and threatening globalization. US attempts to annex Greenland and Panama and to absorb Canada against its will as the fifty-first state have all shattered whatever trust the US held with the rest of the world. The recent discovery of US agents trying to stir up a Greenland insurgency against rule from Copenhagen has hugely angered European allies. As has America’s apparent switching of sides against NATO and the EU to align with Putinist Russia over a Ukrainian land annexation in return for a cessation of hostilities. A ploy most likely rooted in lucrative mineral contracts for the Trump family crime syndicate. It has also sent a very strong and alarming message to the rest of the world that America can no longer be relied upon, even for the alliances it leads.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The recent raid of a multi-million dollar Hyundai battery plant under construction in the US state of Georgia by masked and armed ICE agents, and the arrest, chaining in shackles, and temporary disappearance of 475 mostly Korean workers, has sent a very powerful message worldwide that the US is no longer to be trusted, nor is it safe to visit or work in.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The arrest and deportation of European tourists arriving in the USA for minor ESTA infractions have caused Canada, the UK, and several European nations to issue travel advisories for their citizens due to concerns about new immigration policies and potential arbitrary detentions. The result is a significant decline in visitors, an empty DisneyWorld this summer, and lots of availability on US international flights and in many hotels.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Does that political distrust extend to American technology? &lt;/h3&gt;
  
The short answer is yes. American technology companies – Google, Apple, Microsoft, Oracle, Amazon, and others – are all &#39;tarred by the same brush&#39;, along with thousands of other highly innovative US-based tech companies. Nor have they done a good job of distancing themselves from the chaos of the White House. Quite the contrary in fact, as the leaders of many of these companies have openly become Trump sycophants. The recent Oligarch’s Dinner at the White House, where each tech billionaire leader took turns to sickeningly pay homage on camera to the ‘Dear Leader’, is proof enough. This removed any plausible distancing between American Big Tech and Trumpism. But paying homage to Trump can have a huge cost, as Elon Musk discovered when Tesla sales plummeted worldwide, damage that appears to be permanent.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
  
When trust in America vanishes, so does trust in its technology companies and its technology products and services. For cybersecurity companies, that eradication of trust could be devastating just as Kaspersky found itself in near ruin thanks to its Russian ties.
  
&lt;br /&gt;&lt;br /&gt;
  
The big question is what can the American technology sector do to distance itself from the chaos going on in Washington DC and can its reputation be saved before it’s too late, or does the whole sector go the way that Tesla went?
  
&lt;br /&gt;&lt;br /&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4452374383224681742'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4452374383224681742'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/09/can-american-cybersecurity-technology.html' title='Can American Cybersecurity Technology Still Be Trusted?'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLiqiAnvXDhveAxumm98WGq2VXSrIX96zkVMKOtZ2ZwrZqiaSAPyadNoLEzaCsP-J1jDS_47BgrkvfBDVr2ndbT9qinSyFJI_jFCAxEN2qmog57WrjtBQRseBT2qaxK3FGS_tZC6hxkOLozqOXyaTleP5mH3mnPd5BSm49PICLV-xhPcOG6b7GL_9yytb0/s72-w640-h328-c/A-Sobering-Snapshot-of-Distrust-in-America.jpg" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-5219321574482655976</id><published>2025-06-07T18:02:00.000+00:00</published><updated>2025-07-13T18:02:09.927+00:00</updated><title type='text'>Stalled spending on healthcare cybersecurity has impact</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhooELRJC-vjaMeqJWQ3gNQ5yPTAbRQooW7GO9NoNAflhB8oR54V8eeDA04XHlHYdLotqZsf33JjuIwAw8XciEBkwWQFZxUjkwPG5NuYT57RChVFJq2AkwYQv8Lmn2_dj9HFVJS8AQ5wJLyQAAixSr4LPrvtMhTxEPa9LSkSGWvDp8qXOZxy-oMj8gHSnDQ/s500/healthcare.png&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhooELRJC-vjaMeqJWQ3gNQ5yPTAbRQooW7GO9NoNAflhB8oR54V8eeDA04XHlHYdLotqZsf33JjuIwAw8XciEBkwWQFZxUjkwPG5NuYT57RChVFJq2AkwYQv8Lmn2_dj9HFVJS8AQ5wJLyQAAixSr4LPrvtMhTxEPa9LSkSGWvDp8qXOZxy-oMj8gHSnDQ/w640-h426/healthcare.png&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
  
&lt;br /&gt;
  
A recent report by application security company&amp;nbsp;&lt;a href=&quot;https://www.indusface.com/&quot;&gt;Indusface&lt;/a&gt; gave the US healthcare industry its worst privacy and security report card yet. The report detailed a staggering 1,200 security and privacy breaches over the past 24 months, 83% of which exposed protected health information (PHI). This marks a new milestone for the industry and once again raises alarm bells about the lack of investment in healthcare IT and the low prioritization of cybersecurity to offset rising attacks and escalating concerns about patient safety. 
  
&lt;br /&gt;&lt;br /&gt;
  
Texas topped the charts with 66 data breaches exposing the data of over 14 million Texans, 4 million of them attributed to a single breach at &lt;a href=&quot;https://www.concentra.com/about-us/notice-of-data-security-event/&quot;&gt;Concentra Health Services&lt;/a&gt; in January 2024. California came in second with over 9 million patient records exposed, approximately half attributed to &lt;a href=&quot;https://www.healthcaredive.com/news/blue-shield-california-data-breach-4-7-million-google/746280/&quot;&gt;Blue Shield of California&lt;/a&gt;’s disclosure that a misconfigured Google Analytics integration had shared member data with Google Ads for advertising purposes. 
  
&lt;br /&gt;&lt;br /&gt;
  
“The healthcare sector is vulnerable to these breaches due to both the vast amount of sensitive patient data, which is often sold to third parties for a high price, and weak or outdated software and systems,” said Venky Sundar, founder and president of Indusface.&amp;nbsp;
  
&lt;br /&gt;&lt;br /&gt;
  
Many of these alarming trends were backed by data in the recently published &lt;a href=&quot;https://www.verizon.com/business/resources/reports/dbir/&quot;&gt;2025 Verizon DBIR&lt;/a&gt;. The report confirmed that exploitation of vulnerabilities has now overtaken phishing as a leading cause of data breaches. Not only is the healthcare industry running on old, often out-of-date and end-of-life, highly vulnerable software, but the application of patches, even when these are available, is slower than in just about any other industry. The report listed an average lag time of over 200 days between the announcement of vulnerabilities and the patching of vulnerable systems. Unlike in other industries, however, many of these critical systems are responsible for keeping patients alive or for maintaining the confidentiality, integrity, and availability (CIA) of their personal health and identity data. 
  
&lt;br /&gt;&lt;br /&gt;
  
“If we compare healthcare to other industries, we can see a big difference in the investment in and prioritization of cybersecurity,” claimed Richard Staynings, Chief Security Strategist with New York based healthcare cyber security company &lt;a href=&quot;https://cylera.com/&quot;&gt;Cylera&lt;/a&gt;. “The financial services industry reinvests a good chunk of its operating profits in modern IT and well-equipped cybersecurity teams and tools. Healthcare, because much of the industry is set up to be ‘not for profit’, tends to downplay both its operating margins and the percentage of operating profits allocated to cyber security. Putting aside the massive difference in the size of profits between industries, or the way operating margins are calculated, healthcare providers currently spend less than one tenth of what financial services spends - even though lives are at stake in hospitals, clinics, and other care facilities. Healthcare payers, on the other hand, have much bigger revenues with profits in the &lt;a href=&quot;https://www.forbes.com/sites/brucejapsen/2025/01/16/unitedhealth-group-2024-profits-hit-14-billion-despite-cyberattack-rising-costs/&quot;&gt;tens of billions&lt;/a&gt; of dollars annually, yet have still suffered some &lt;a href=&quot;https://www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/change-healthcare-cyberattack-costs-to-reach-2-87b/&quot;&gt;massive cyber attacks&lt;/a&gt;. 
  
&lt;br /&gt;&lt;br /&gt;
  
The difference may be attributable to how boards and senior executives perceive and quantify both enterprise risk and cybersecurity return on investment (ROI) in one industry compared to the other. Risk is calculated by multiplying probability of loss by potential impact of loss. When this risk involves money, any high risk identified by a bank of potentially losing a million dollars in assets, or not being able to conduct business with customers for several hours (resulting in billions of dollars of lost revenue), will create a very compelling ROI for cybersecurity spend to quickly remediate that risk. In this case, the costs of &#39;action&#39; are often tiny compared to the possible or probable costs of &#39;inaction&#39;.” 
  
&lt;br /&gt;&lt;br /&gt;
  
Healthcare doesn’t quantify risk in the same way. Risks are usually perceived in different terms, as clinical or operational risk. What is the risk of a 90-year-old patient undergoing anesthesia for a procedure? What is the probability of a negative outcome for a particular patient undergoing surgery compared to not being given that surgery? Business risks like operating profit typically come second, while cybersecurity risks often don’t even make it onto the board room agenda for discussion. 
  
&lt;br /&gt;&lt;br /&gt;
  
Of course, some operational risks are becoming increasingly important, as evidenced by health systems declaring bankruptcy or going out of business entirely following a cyber attack. The recent &lt;a href=&quot;https://www.aha.org/change-healthcare-cyberattack-underscores-urgent-need-strengthen-cyber-preparedness-individual-health-care-organizations-and&quot;&gt;UHG Change Healthcare&lt;/a&gt; attack exposed the PHI of over 190 million Americans. More alarmingly, it also caused a national outage that left thousands of providers unable to bill for millions of services for weeks on end, or to receive pre-authorization for scheduled procedures or prescription medications. This caused major cash-flow problems, forcing expensive emergency bank loans to cover staff and other overheads, while hundreds of revenue-earning procedures were delayed as surgical staff sat idle for weeks or had to be furloughed. &lt;br /&gt;&lt;br /&gt;Operational risks are not limited to outages of critical third parties; core hospital systems are hit directly when a denial-of-service (DoS) attack or a ransomware attack is launched against a payer or provider. Both are ‘&lt;a href=&quot;https://www.sciencedirect.com/topics/computer-science/availability-attack&quot;&gt;availability attacks&lt;/a&gt;’: they render critical systems unavailable for use, stopping most business activity in its tracks. DoS attacks don’t generally last long, usually a few hours or a day or so before the attacker’s traffic is blocked and service is restored. A &lt;a href=&quot;https://ncua.gov/newsroom/ncua-report/2016/ransomware-serious-and-growing-threat&quot;&gt;ransomware attack&lt;/a&gt;, however, encrypts vital systems and data, shutting them down until a ransom is paid, or until the victim is able to rebuild and restore critical data and systems from backups. The result is often a partial or full hospital outage lasting many weeks or sometimes several months. 
  
&lt;br /&gt;&lt;br /&gt;
  
Any outage will have an impact on financial operations, but it may also create &lt;a href=&quot;https://www.ibm.com/think/insights/when-ransomware-kills-attacks-on-healthcare-facilities&quot;&gt;clinical or safety risk&lt;/a&gt; for patients by worsening morbidity and mortality, and therefore legal liability for providers. So too will any cyberattack that reaches patient data, unless forensic investigation can irrefutably prove that regulated data was not touched or accessed by the attackers. The HIPAA regulation terms this a ‘breach’, while security professionals would describe it as an attack on the ‘confidentiality’ of protected data. Thus regulatory risk, clinical risk, and liability risk are all far more significant in healthcare when it is attacked. Despite this, investment in healthcare cybersecurity significantly lags behind other industries like financial services, even though lives may be at stake. 
  
&lt;br /&gt;&lt;br /&gt;
  
Until such time as the industry gives greater priority to protecting the information systems that power modern digital healthcare, the sector will continue to be recognized as an easy target by criminals. While growing regulatory fines, restitution, and punitive damages awarded in class action lawsuits are slowly changing the equation between ‘the costs of action versus inaction’, much of the US healthcare delivery industry stands on the edge of bankruptcy, despite the huge sums spent on health insurance each year. With basic concerns of survivability, healthcare cybersecurity will more than likely continue to be underfunded until meaningful structural healthcare reform is enacted.&amp;nbsp;&lt;/p&gt;&lt;p&gt;These risks exist before the Trump Administration&#39;s plans to decimate public healthcare funding under Medicaid and Medicare by removing 18 million patients from eligibility. These changes will disproportionately impact rural healthcare providers, whose patient populations rely heavily upon publicly funded healthcare programs. Even though 20% of rural patients typically have employer-based private health insurance, this will not be enough to keep rural hospitals open, especially on top of the UHG Change Healthcare losses. Some rural populations could find themselves isolated from critical health services, potentially a four- or five-hour drive from the nearest trauma or stroke center, a journey many patients would be unlikely to survive.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The impacts of policy changes and unmitigated cybersecurity risks will therefore lead to significant changes in patient morbidity and mortality.
  
&lt;br /&gt;&lt;br /&gt;
  
In the absence of countries legislating to outright ban the payment of ransoms and other forms of extortion payments to cyber terrorists, ransomware is likely to continue to plague the health sector given how critical the industry is to national infrastructure. It is therefore probable that healthcare cyber attacks will continue to grow in both size and scope for the foreseeable future and, as a result, that access to critical healthcare services can no longer be guaranteed.
  
&lt;br /&gt;&lt;br /&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5219321574482655976'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5219321574482655976'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/07/stalled-spending-on-healthcare.html' title='Stalled spending on healthcare cybersecurity has impact'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhooELRJC-vjaMeqJWQ3gNQ5yPTAbRQooW7GO9NoNAflhB8oR54V8eeDA04XHlHYdLotqZsf33JjuIwAw8XciEBkwWQFZxUjkwPG5NuYT57RChVFJq2AkwYQv8Lmn2_dj9HFVJS8AQ5wJLyQAAixSr4LPrvtMhTxEPa9LSkSGWvDp8qXOZxy-oMj8gHSnDQ/s72-w640-h426-c/healthcare.png" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-8789420261808259765</id><published>2025-04-16T22:21:00.013+00:00</published><updated>2025-09-23T20:59:02.035+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Chinese Cyber Espionage and IP theft"/><title type='text'>What is Cyber Espionage and why is it so concerning?</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj11vLQ9SQrqY9FsUjlx2_TTYzynzktfVbGLZ5KeKD8yimtI75ytHVZLi1zP75LDYClRM6rOSaF8RgktZgAk6XWjFbwQTvdyRp5pyIC45vfZ9u1q6X4hbEAiEghwB7I6-6W0pvDwtSqhyOZnKc0t9sO6LeZhj0X1RMbZI5EasP3D_U4K2R_ah8lUgtAA-7H/s1280/China.jpg&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 
1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;720&quot; data-original-width=&quot;1280&quot; height=&quot;337&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj11vLQ9SQrqY9FsUjlx2_TTYzynzktfVbGLZ5KeKD8yimtI75ytHVZLi1zP75LDYClRM6rOSaF8RgktZgAk6XWjFbwQTvdyRp5pyIC45vfZ9u1q6X4hbEAiEghwB7I6-6W0pvDwtSqhyOZnKc0t9sO6LeZhj0X1RMbZI5EasP3D_U4K2R_ah8lUgtAA-7H/w640-h360/China.jpg&quot; width=&quot;600&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;
  
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;&lt;/div&gt; 

It&#39;s often said that there are two types of healthcare organizations, those that know they have been hacked and those that are still ignorant of the fact. In other words, just about everyone has already been hacked at least once by now. And that includes healthcare payers, providers, bio-pharma and the proliferation of healthcare vendors and suppliers.

&lt;br /&gt;
&lt;br /&gt; 

But while cyberattacks against the availability of IT systems and data - principally Denial of Service (DoS) and ransomware extortion attacks - seem to make the headlines almost every week, other, stealthier attacks take place in the background almost constantly. These involve the exfiltration of non-public data. Sometimes this is used for extortion in secondary and tertiary ransomware demands, often via a threat to release confidential non-public data unless an additional ransom is paid to the criminal perpetrators. 

&lt;br /&gt;&lt;br /&gt;

Other times, it is for the sale and monetization of data - patient identities, their prescriptions which can be filled and sold on the street, or other PHI or PII data - employee banking information for example. And sometimes perpetrators deliberately search for high value intellectual property data. This last category is usually referred to as &#39;cyber espionage&#39;, and only occasionally makes the front page of the press, usually then only when some government official makes a stink about the sheer levels of cyber espionage and intellectual property theft taking place.

&lt;br /&gt;
&lt;br /&gt; 

&lt;h3&gt;The Art of Espionage&lt;/h3&gt;

&#39;Espionage&#39; according to the Oxford Dictionary is the practice of spying or of using spies, typically by governments to obtain political and military information.

&lt;br /&gt;&lt;br /&gt;

So &#39;cyber espionage&#39; is chiefly about obtaining political and military information, not by the use of spies like 007 James Bond, but by means of cyber attacks and infiltration of non-public information systems. 

&lt;br /&gt;&lt;br /&gt;

The advent of the internet and the connection of government and health systems to it has made cyber espionage that much easier. You no longer need someone on-site or in-country - an insider threat, spy or double agent - to obtain valuable information. Cold War and post-Cold War spies like Rudolf Abel, Kim Philby, Oleg Gordievsky, Aldrich Ames, and Anna Chapman are a thing of the past in this age of hyper-connectivity.

&lt;br /&gt;&lt;br /&gt;

Today all governments spy on one another - even between friends and allies. The US NSA was accused of hacking and listening into the &lt;a href=&quot;https://www.bbc.com/news/33248484&quot; target=&quot;_blank&quot;&gt;French President&lt;/a&gt;’s cell phone some years ago according to Wikileaks, and at that time at least, before the tariff war, France and the USA were friends and allies. 

&lt;br /&gt;&lt;br /&gt;

The USA spies on Iran to ascertain the level of uranium enrichment it has achieved since Trump in his first term pulled out of the Iran Nuclear Deal thinking he could negotiate a better deal and failed. The USA also spies on China, North Korea and Russia about each of these nation&#39;s military capabilities and a wide variety of other useful data points.

&lt;br /&gt;&lt;br /&gt;

&lt;h3&gt;The Art of Cyber Espionage and IP Theft&lt;/h3&gt;

But countries also occasionally spy on other forms of data. Enter the Peoples Republic of China and the huge revelation exposed by the &lt;a href=&quot;https://services.google.com/fh/files/misc/mandiant-apt1-report.pdf&quot;&gt;Mandiant APT1 Report&lt;/a&gt;&amp;nbsp;in 2013. If you have not yet read this, or a summary of this report, you really should do. It changed the game and our understanding of cyber espionage against commercial businesses. 

&lt;br /&gt;&lt;br /&gt;

APT1 is otherwise known as PLA Unit 61398 (61398部队), a unit of the People&#39;s Liberation Army, the armed wing of the Chinese Communist Party. These aren’t criminal hackers; they are employees of the Chinese state. They are paid to hack, and not just for government or military secrets: in this case, for intellectual property and commercial trade secrets from businesses in other countries.

&lt;br /&gt;&lt;br /&gt;

China is famous for its &lt;a href=&quot;https://en.wikipedia.org/wiki/Great_Leap_Forward&quot;&gt;Great Leap Forward&lt;/a&gt;,&amp;nbsp;Mao’s attempt between 1958 and 1962 to take China from a feudal agrarian society to an industrial powerhouse. It failed, and by some estimates resulted in the deaths of 45 million people, most of whom starved under Mao’s ill-conceived and badly run collective agriculture and industry policy. For perspective on how big a human calamity this was, that is roughly double the total number of soldiers who died during WWII across all theaters.

&lt;br /&gt;&lt;br /&gt;

After decades of isolation from the rest of the world, China has since the 1990s, once again been attempting another Great Leap Forward through rapid modernization and industrialization becoming the factory of the world for consumer goods. This time around however, China largely succeeded and has taken millions of its people out of abject poverty, through industrialization, urbanization and education.

&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Ownership of the Means of Production&lt;/h3&gt;

But in China the &#39;means of production&#39; are owned almost entirely by the state. CCP state-owned industries dominate, and even hold a majority share in joint ventures with global firms, which are only allowed to own a 49% stake.
  
  &lt;br /&gt;&lt;br /&gt;

The ruling CCP also puts together 5 year plans. These ambitious documents usually discuss how China will be the global leader in EVs, or the largest manufacturer of pharmaceutical drugs, or the global leader in aeronautical engineering, etc. 

&lt;br /&gt;&lt;br /&gt;

But to reach these lofty goals, to make up for the lost years of communist isolationism and stagnation under Mao, and to compensate for a lack of history, knowledge, and experience, China has had to obtain technologies, manufacturing capabilities, and a heap of other proprietary commercial trade secrets from industry leaders outside the PRC, by whatever means at its disposal. Mostly this means &#39;cyber espionage&#39;, supplemented by process and procedure skills brought back by the Chinese diaspora working overseas.

&lt;br /&gt;
&lt;br /&gt;

According to a 2022 report by &lt;a href=&quot;https://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation&quot; target=&quot;_blank&quot;&gt;Cybereason&lt;/a&gt;, one China state actor alone, APT41, has siphoned off trillions of US dollars in intellectual property from approximately 30 multinational companies within the manufacturing, energy and pharmaceutical sectors. The Cybereason investigation, entitled &#39;Operation CuckooBees&#39;, was shared with the FBI, and found APT41 actively engaged in &#39;stealing the IP of drugs around diabetes, obesity, depression.&#39; The attackers were focused on obtaining blueprints for cutting-edge technologies, the majority of which were not yet patented, the report stated.

&lt;br /&gt;&lt;br /&gt;

Chinese IP theft&amp;nbsp;has included the theft of pharmaceutical drug formulations, clinical trial methodologies and practices, manufacturing IP and much, much else. It has short-cut 50-plus years of IP development by global pharmaceutical companies, sometimes including experimental drugs developed over a decade or more at a cost of hundreds of millions of dollars, pounds and euros in R&amp;amp;D. China has even patented some of these stolen experimental drugs and attempted to sell them back to the global markets that invented them and financed their research.

&lt;br /&gt;
&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Levels of Cyber Espionage and IP Theft&lt;/h3&gt;&lt;div&gt;Between 2018 and 2019, Bayer and Roche were both targeted by nation-state APT cyber attacks, aimed at &lt;a href=&quot;https://assureallc.com/the-silver-lining-cybersecurity-breaches-in-pharma-and-biotech-drive-innovation-and-resilience/&quot; target=&quot;_blank&quot;&gt;industrial espionage&lt;/a&gt;, and attempting to steal valuable intellectual property. Both companies claimed to have contained the breaches without significant data or intellectual property loss, but other biotech and pharmaceutical organizations have fared less well.
  
  &lt;br /&gt;&lt;br /&gt;
  
During COVID-19, China, and to a lesser extent Russia, Iran, and the DPRK, were discovered attacking US, UK, German and other hospitals and bio-labs in an attempt to steal cutting-edge research into &lt;a href=&quot;https://www.theguardian.com/world/2020/nov/22/hackers-try-to-steal-covid-vaccine-secrets-in-intellectual-property-war&quot; target=&quot;_blank&quot;&gt;vaccine development and treatment regimens&lt;/a&gt;. This resulted in&amp;nbsp;&lt;a href=&quot;https://www.cnn.com/2020/05/13/politics/us-china-hacking-coronavirus-warning/index.html&quot; target=&quot;_blank&quot;&gt;CISA&lt;/a&gt;, the US Cybersecurity and Infrastructure Security Agency, having to issue a warning about cyberattacks by China and others.
  
  &lt;br /&gt;&lt;br /&gt;
  
Intellectual property theft through cyber espionage for the Peoples Republic of China is strategic, state directed and financed, and seen as being critical for national development. Commercial trade secrets are stolen by the Chinese army and passed directly to army-run state-owned industries. These industries then leverage stolen research, or copy IP for incorporation in new pharmaceutical drugs and other products, which can then be sold on domestic or even overseas markets.

&lt;br /&gt;&lt;br /&gt;
  
According to the&amp;nbsp;&lt;a href=&quot;https://selectcommitteeontheccp.house.gov/media/press-releases/gallagher-williams-seek-answers-doj-chinese-ip-theft&quot;&gt;US Select Committee on the Chinese Communist Party&lt;/a&gt;, Chinese intellectual property theft was in 2023 estimated to cost the US economy $600 billion per year. This is why &#39;cyber espionage&#39; is considered so important today, both for China, which is acquiring IP this way, and for the rest of the world, which is losing it. 
  
  &lt;br /&gt;&lt;br /&gt;
  
China, though, is not engaged only in IP theft. Many of its cyber espionage attacks have been aimed at gaining leverage in state negotiations. The 2018 cyberattack against Singapore&#39;s &lt;a href=&quot;https://graphics.straitstimes.com/STI/STIMEDIA/Interactives/2018/07/sg-cyber-breach/index.html&quot;&gt;SingHealth&lt;/a&gt; resulted in the theft not only of medical records but also of prescription records for the Prime Minister and his entire cabinet. Again, this was a PRC state advanced persistent threat (APT) attack, carried out not to sell the exfiltrated data but to use it as leverage in Sino-Singapore trade negotiations.
  
&lt;br /&gt;&lt;br /&gt;
&lt;h3 style=&quot;text-align: left;&quot;&gt;The Global Impact of Cyber Espionage&lt;/h3&gt;
  
Cyber espionage is one of the most significant and underreported threats to global security, economic stability, and technological innovation. As the digital frontier expands, so does the ease with which nation-states, particularly China, can infiltrate systems, steal intellectual property, and exploit sensitive data for strategic gain. Unlike conventional cyberattacks aimed at disruption or ransom, cyber espionage is systematic, state-sponsored, and deeply embedded in long-term national development strategies. With hundreds of billions lost annually to IP theft and growing evidence of espionage-driven leverage in geopolitical negotiations, the global community must recognize cyber espionage not just as a cybersecurity issue, but as a critical challenge to sovereignty, economic fairness, and the future of innovation.
  
&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/8789420261808259765'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/8789420261808259765'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/04/what-is-cyber-espionage-and-why-is-it.html' title='What is Cyber Espionage and why is it so concerning?'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj11vLQ9SQrqY9FsUjlx2_TTYzynzktfVbGLZ5KeKD8yimtI75ytHVZLi1zP75LDYClRM6rOSaF8RgktZgAk6XWjFbwQTvdyRp5pyIC45vfZ9u1q6X4hbEAiEghwB7I6-6W0pvDwtSqhyOZnKc0t9sO6LeZhj0X1RMbZI5EasP3D_U4K2R_ah8lUgtAA-7H/s72-w640-h360-c/China.jpg" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-1600227797218316935</id><published>2025-03-18T01:28:00.213+00:00</published><updated>2025-03-28T03:36:25.270+00:00</updated><title type='text'>The Change Healthcare Breach &amp; the Need to Secure Third Party Vendors</title><content type='html'>&lt;div style=&quot;text-align: left;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMuAMl7TatLZmOMo7EPDCaLf4uYBaUpimhws3ju1DuieT27k73B2PkifQijt-xzSonkG-uVUq6A8wdPdLQyv8RH2Usui6Rvot1pEmSvKBpr9iFSAVTETz0_bhEMK8DQuFI_V7LeaUTQpiGohluT8QiVIpgU-eKGIKT5Ff7cv3d7yw3kQdo5KzJ1EYh_2c3/s960/UHG.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;540&quot; data-original-width=&quot;960&quot; 
height=&quot;309&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMuAMl7TatLZmOMo7EPDCaLf4uYBaUpimhws3ju1DuieT27k73B2PkifQijt-xzSonkG-uVUq6A8wdPdLQyv8RH2Usui6Rvot1pEmSvKBpr9iFSAVTETz0_bhEMK8DQuFI_V7LeaUTQpiGohluT8QiVIpgU-eKGIKT5Ff7cv3d7yw3kQdo5KzJ1EYh_2c3/w400-h225/UHG.jpg&quot; width=&quot;550&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;

The &lt;a href=&quot;https://www.changehealthcare.com/&quot;&gt;Change Healthcare&lt;/a&gt; cyberattack, which exposed data of an estimated 190 million people, cost &lt;a href=&quot;https://www.unitedhealthgroup.com/&quot;&gt;UnitedHealth Group&lt;/a&gt; (UHG) around $2.87 billion in 2024, including $1.7 billion in direct response costs. Final costs after all the regulatory and punitive fines, damages, and restitution could be much higher, as with any healthcare breach.

&lt;br /&gt;&lt;br /&gt;

This was obviously a watershed attack - bigger and more impactful than any other healthcare cyberattack anywhere in the world. This attack by the Russian&amp;nbsp;group ALPHV completely overshadowed the Chinese theft of 78.8 million medical records during a 2015 cyberattack against &lt;a href=&quot;https://www.anthem.com/&quot;&gt;Anthem,&lt;/a&gt; now &lt;a href=&quot;https://www.elevancehealth.com/&quot;&gt;Elevance Health&lt;/a&gt; – at the time the largest healthcare data breach in history. 

&lt;br /&gt;&lt;br /&gt;

While any cyber-attack against a critical national infrastructure industry like healthcare is huge, the impact of the Change breach impacted the &lt;b&gt;&lt;span style=&quot;font-size: medium;&quot;&gt;Availability&lt;/span&gt;&lt;/b&gt; of healthcare services for a significant percentage of Americans who were unable to receive approval for medical procedures or even to pick up their pharmaceutical prescriptions. Yet our healthcare regulations which date from 1996 are myopically focused on the protection of &lt;b&gt;&lt;span style=&quot;font-size: medium;&quot;&gt;Confidentiality&lt;/span&gt;&lt;/b&gt; – something that is already lost to the vast majority of Americans thanks to countless overlapping cyber attacks.

&lt;br /&gt;&lt;br /&gt;

When all is said and done and the dust finally clears after the Change attack, a number of smaller hospitals, clinics and other healthcare providers will have gone out of business, depriving entire communities of local healthcare, while patient morbidity and mortality figures will have spiked as a result of denied medical procedures or life-extending prescription medications. This may have appeared to be a simple ransomware attack, but the national security implications are significant.

&lt;br /&gt;&lt;br /&gt;

&lt;b&gt;&lt;span style=&quot;font-size: large;&quot;&gt;You can bet that the Russians and Chinese watched what happened with the Change failure and took extensive notes. &lt;/span&gt;&lt;/b&gt;
  
&lt;br /&gt;&lt;br /&gt;
  
Above all there is a very concerning danger that a similar or even bigger more impactful cyber attack could be executed against US healthcare through UHG or another dominant third party vendor that controls much of the US healthcare industry. As consolidation and vertical integration of US healthcare continues unabated, the emergence of single points of critical failure is inevitable and nothing is &#39;too big to fail&#39;. Especially in times of &#39;hybrid&#39; or &#39;grey warfare&#39; between nation states.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMAkFkiOcnIL8oSG6xHZcuo2MU8EczES_NISXys53wU0KIArgq6QIn13rLE0OjYAQ2c6ZT7QXos4g2FckH4K_M0j_jTl6oyPAcx94V7hOYn87lNnDokeMMro8NOpPvy35VVKJwDKM6LMFpSNamrLvf6SfdvDMQ0WQ2UJP3QR4olGCh9plSMUgeCGYCxL0-/s3493/IMG_2490_cropped.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1317&quot; data-original-width=&quot;3493&quot; height=&quot;151&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMAkFkiOcnIL8oSG6xHZcuo2MU8EczES_NISXys53wU0KIArgq6QIn13rLE0OjYAQ2c6ZT7QXos4g2FckH4K_M0j_jTl6oyPAcx94V7hOYn87lNnDokeMMro8NOpPvy35VVKJwDKM6LMFpSNamrLvf6SfdvDMQ0WQ2UJP3QR4olGCh9plSMUgeCGYCxL0-/w400-h151/IMG_2490_cropped.jpg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;h3 style=&quot;text-align: left;&quot;&gt;CHIMSS&lt;/h3&gt;
  

This was the subject of a cybersecurity panel discussion this week at the &lt;a href=&quot;https://colorado.himss.org/events/advocacy-day-and-cxo-breakfast&quot;&gt;Colorado HIMSS CxO Advocacy Breakfast Summit&lt;/a&gt;, where over 200 local Colorado healthcare leaders gathered with &lt;a href=&quot;https://gkc.himss.org/speaker-hal-wolf&quot;&gt;Hal Wolf&lt;/a&gt;, President and CEO of &lt;a href=&quot;https://www.himss.org/&quot;&gt;HIMSS&lt;/a&gt; to discuss the state of the healthcare industry in Colorado.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;With ransom attacks soaring in both the number of hospitals being hit and the extortion amount demanded, ransomware has become an existential threat to the survival of many healthcare delivery providers. According to the FBI, the healthcare industry is the top recipient of ransomware attacks because of its fragility, the need to restore patient services quickly, and its intolerance for downtime.&lt;br /&gt;&lt;br /&gt;

The Change cyberattack raised many concerns about the security of third-party vendors and single points of critical failure in a highly complex and intertwined healthcare ecosystem.

&lt;br /&gt;&lt;br /&gt;

Huge single points of failure like Optum Health, which owns Change Healthcare under UnitedHealth Group, dramatically increase risk impact when that organization is attacked. This is especially concerning where “providers cannot quickly pivot to other healthcare clearing houses and service providers”, claimed &lt;a href=&quot;https://www.linkedin.com/in/howardhailedenver/&quot; target=&quot;_blank&quot;&gt;Howard Haile&lt;/a&gt;, CTO at &lt;a href=&quot;https://intermountainhealthcare.org/&quot; target=&quot;_blank&quot;&gt;Intermountain Health&lt;/a&gt;. “Very few were able to do this, and very few are set up to make such a switch quickly” he exclaimed.&lt;/div&gt;&lt;br /&gt;“It taught us that third-party assessments for risk aren’t very effective,” Haile added. “This wasn’t just a vendor going down. You suddenly can’t bill or receive payment; your entire revenue cycle grinds to a halt. It’s not the same as losing access to a few patient records, it’s an existential threat to your operations.”&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;Another concern raised by &lt;a href=&quot;https://www.linkedin.com/in/rick-b-51735a3/&quot; target=&quot;_blank&quot;&gt;Rick Bohm&lt;/a&gt;, CISO at &lt;a href=&quot;https://pointsolutionsus.com/&quot; target=&quot;_blank&quot;&gt;Point Solutions Group&lt;/a&gt; is that the industry doesn’t properly assess risks of third-party vendors. “We are not testing third party systems to find vulnerabilities until it’s too late. I can guarantee that I can find similar vulnerabilities in the vast majority of vendor systems that healthcare relies upon every day” he claimed.

&lt;br /&gt;&lt;br /&gt;

With literally thousands of third-party vendors, suppliers and outsourced service providers, it is impossible for a Regulated Entity (RE) to audit each of its third parties or to collect and validate SOC 2 attestations of security compliance for all of them.

&lt;br /&gt;&lt;br /&gt;
  
&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC9Q1MBTa7PpN_FSrr5bB3Wle2F_v3HpgLeUHRHqsHTFxrpg0L0g2Gta2IJ9Z-RdCVxsNSnvmsp5eiG8JmeR8gCqZK5Dkr_Iy1fKzX-z0w87FMwOyJu-5qXQDOn90JILBhZ19FqLltSh93rVRZrozIgyud9_V8V0Jcwpy7uVZLIi4EYJA4DDS-oOkZJkwI/s4032/IMG_2492.jpg&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;4032&quot; data-original-width=&quot;3024&quot; height=&quot;320&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC9Q1MBTa7PpN_FSrr5bB3Wle2F_v3HpgLeUHRHqsHTFxrpg0L0g2Gta2IJ9Z-RdCVxsNSnvmsp5eiG8JmeR8gCqZK5Dkr_Iy1fKzX-z0w87FMwOyJu-5qXQDOn90JILBhZ19FqLltSh93rVRZrozIgyud9_V8V0Jcwpy7uVZLIi4EYJA4DDS-oOkZJkwI/s320/IMG_2492.jpg&quot; width=&quot;240&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

“Furthermore, we don’t know what connects to our medical networks” added &lt;a href=&quot;https://www.linkedin.com/in/richardstaynings/&quot; target=&quot;_blank&quot;&gt;Richard Staynings&lt;/a&gt;, Chief Security Strategist with &lt;a href=&quot;https://cylera.com/&quot; target=&quot;_blank&quot;&gt;Cylera&lt;/a&gt;. “75% of connected assets – network endpoints – are &lt;a href=&quot;https://www.hpnonline.com/sourcing-logistics/article/53095125/cyber-expert-shares-wisdom-on-medical-devices&quot; target=&quot;_blank&quot;&gt;not managed by IT&lt;/a&gt; and at most providers, security teams currently have very limited visibility into these IoT systems. Many don&#39;t even have an accurate count of what connects to their networks.&lt;br /&gt;&lt;br /&gt;

“Many of the medical devices on our networks are 20+ years old, written in EPROM, a programming language from the 1980s – and they are the secure ones! The newer devices run on Windows Embedded, in many cases using the same generation of code as Windows 95 or Windows XP and we all know how secure each of those are today. No one in this room would conduct their Internet banking on a Windows 95 or XP machine, yet we keep patients alive using similar era technology,” Staynings concluded.

&lt;br /&gt;&lt;br /&gt;

Yet identifying assets and assessing the risk of IoT devices can be very time consuming and resource intensive. This is where AI comes into its element, automating the process, because hospital CISOs cannot hire and retain enough staff to do it by any other means.

&lt;br /&gt;&lt;br /&gt;

“Used correctly, AI can be very powerful and very time saving. At Cylera we use Machine Learning (ML) to run passive protocol analysis engines that tell us what systems are communicating over the medical network and from that, can easily identify and risk assess devices unmanaged by IT,” Staynings stated. “That helps healthcare providers build ‘Zero Trust’ across their networks through segmentation and isolation of at-risk devices and other medical systems.&quot;
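The passive protocol analysis Staynings describes, as an added example that is neither Cylera's engine nor code from the original post: it fingerprints each observed flow by destination port plus the first payload bytes (DICOM association request, HL7 v2 over MLLP, SMB1 versus SMB2, HTTP), records both peers of each flow, and flags endpoints that speak clinical or legacy protocols and are missing from the IT-managed asset list. The flow records, IP addresses and managed-asset list are constructed for the example, and the three risk tiers are the example's own simplification, not a Cylera scoring model. A real deployment would feed this from a SPAN port or network tap rather than an in-memory list.

```python
"""Passive protocol-based inventory of devices on a medical network.

Added example (not Cylera's engine and not code from the original post).
Each flow is labelled by a protocol fingerprint taken from the destination
port plus the first payload bytes, every endpoint that took part in a flow
is recorded, and endpoints absent from the IT-managed asset list are flagged.
All flow records and the managed-asset list are constructed for the example,
and the risk tiers are a deliberate simplification.
"""
from collections import defaultdict

# Constructed stand-in for a CMDB export: the endpoints IT knows it manages.
MANAGED_ASSETS = {"10.1.0.5", "10.1.0.6", "10.1.0.9"}

# Protocols that carry patient data, and protocols that betray a legacy stack.
CLINICAL_PROTOCOLS = {"dicom", "hl7-mllp"}
LEGACY_PROTOCOLS = {"smb1"}


def classify_flow(flow):
    """Fingerprint one flow from its port and first payload bytes.

    Port numbers alone are a weak signal on hospital networks (DICOM is
    often moved off 104), so each rule also checks the wire format.
    """
    port = flow["dst_port"]
    payload = flow["payload"]
    # DICOM A-ASSOCIATE-RQ: PDU type 0x01 followed by a reserved 0x00 byte.
    if payload.startswith(b"\x01\x00") and port in (104, 11112):
        return "dicom"
    # HL7 v2 over MLLP: start block 0x0b followed by the MSH segment header.
    if payload.startswith(b"\x0bMSH|"):
        return "hl7-mllp"
    # SMB on TCP 445: 4-byte NetBIOS length, then 0xFF 'SMB' (SMB1) or 0xFE 'SMB' (SMB2/3).
    if port == 445 and payload[4:8] == b"\xffSMB":
        return "smb1"
    if port == 445 and payload[4:8] == b"\xfeSMB":
        return "smb2"
    if payload.startswith(b"GET ") or payload.startswith(b"POST "):
        return "http"
    return "unknown"


def assess(protocols, managed):
    """Map what an endpoint speaks, and whether IT manages it, to a risk tier."""
    if protocols.intersection(LEGACY_PROTOCOLS):
        return "high"      # SMB1 on either side means an unpatched or legacy Windows stack
    if protocols.intersection(CLINICAL_PROTOCOLS) and not managed:
        return "high"      # a device handling patient data that nobody is patching
    if not managed:
        return "medium"    # unknown to IT, but nothing clinical or legacy observed yet
    return "low"


def build_inventory(flows, managed=MANAGED_ASSETS):
    """Group flows by endpoint and risk-rate each one.

    Both peers of a flow are recorded: the initiator as a client of the
    protocol, the responder as a server, since a PACS or HL7 receiver is
    as interesting as the modality or monitor that calls it.
    """
    roles = defaultdict(set)
    for flow in flows:
        label = classify_flow(flow)
        roles[flow["src_ip"]].add(label + ":client")
        roles[flow["dst_ip"]].add(label + ":server")
    inventory = {}
    for ip, seen in roles.items():
        protocols = {role.split(":")[0] for role in seen}
        is_managed = ip in managed
        inventory[ip] = {
            "protocols": sorted(protocols),
            "roles": sorted(seen),
            "managed": is_managed,
            "risk": assess(protocols, is_managed),
        }
    return inventory


def high_risk_unmanaged(inventory):
    """The list a security team would hand to clinical engineering first."""
    return sorted(ip for ip, entry in inventory.items()
                  if entry["risk"] == "high" and not entry["managed"])


# Constructed first-packet flow records; in practice these come from a SPAN
# port or tap feeding a passive collector.
SAMPLE_FLOWS = [
    # CT modality, unmanaged, opening a DICOM association to the PACS (called AE title PACS_SCP)
    {"src_ip": "10.2.0.31", "dst_ip": "10.1.0.5", "dst_port": 104,
     "payload": b"\x01\x00\x00\x00\x00\xcd\x00\x01\x00\x00PACS_SCP        CT_SCU          "},
    # Patient monitor, unmanaged, sending an HL7 ORU message to the interface engine
    {"src_ip": "10.2.0.40", "dst_ip": "10.1.0.6", "dst_port": 2575,
     "payload": b"\x0bMSH|^~\\\x26|MON1|ICU|ENGINE|HOSP|20250301120000||ORU^R01|1|P|2.3\r"},
    # Legacy workstation, unmanaged, negotiating SMB1 with a managed file server
    {"src_ip": "10.2.0.77", "dst_ip": "10.1.0.9", "dst_port": 445,
     "payload": b"\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00\x18\x53\xc8"},
    # Unknown device, unmanaged, fetching a status page from the interface engine
    {"src_ip": "10.2.0.90", "dst_ip": "10.1.0.6", "dst_port": 80,
     "payload": b"GET /status HTTP/1.1\r\nHost: engine\r\n\r\n"},
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    rank = {"high": 0, "medium": 1, "low": 2}
    for ip in sorted(inventory, key=lambda ip: (rank[inventory[ip]["risk"]], ip)):
        entry = inventory[ip]
        print(f"{ip:12} {entry['risk']:6} managed={entry['managed']!s:5} {', '.join(entry['roles'])}")
    print("hand to clinical engineering first:", high_risk_unmanaged(inventory))
```

Running it prints the inventory sorted by risk. Note that the managed file server is rated high because it still accepts SMB1, a finding an asset list on its own would never surface; that is the point of looking at what devices actually say on the wire rather than what the CMDB says about them.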

&lt;br /&gt;&lt;br /&gt;

There are certainly many good uses of AI across healthcare to help drive improvements in accuracy and efficiency, as other panels at the CHIMSS event discussed. The concern is when an AI model's algorithms or training data are poisoned with mis-labeled or deliberately inaccurate data. “We need to be on the lookout for adversarial machine learning and data poisoning,” agreed both Staynings and Bohm. 

&lt;br /&gt;&lt;br /&gt;

The recent supply chain attack via a compromised GitHub Action, and attacks on other third parties, are a growing concern; in healthcare we use hundreds, if not thousands, of third-party vendors, suppliers, and outsourcers. Knowing that your vendors and their systems are secure and meet or exceed your security standards is now absolutely critical for an industry like healthcare.

&lt;br /&gt;&lt;br /&gt;
&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/1600227797218316935'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/1600227797218316935'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/03/the-change-healthcare-breach-need-to.html' title='The Change Healthcare Breach &amp; the Need to Secure Third Party Vendors'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMuAMl7TatLZmOMo7EPDCaLf4uYBaUpimhws3ju1DuieT27k73B2PkifQijt-xzSonkG-uVUq6A8wdPdLQyv8RH2Usui6Rvot1pEmSvKBpr9iFSAVTETz0_bhEMK8DQuFI_V7LeaUTQpiGohluT8QiVIpgU-eKGIKT5Ff7cv3d7yw3kQdo5KzJ1EYh_2c3/s72-w400-h225-c/UHG.jpg" height="72" width="72"/><georss:featurename>Denver, CO, USA</georss:featurename><georss:point>39.7392358 -104.990251</georss:point><georss:box>11.429001963821158 -140.146501 68.049469636178856 -69.834001</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-4107482736478478538</id><published>2025-02-25T13:54:00.080+00:00</published><updated>2025-02-26T14:16:20.128+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="DPRK Lazarus Group Crypto Heist"/><title type='text'>North Korea pulls off largest-ever theft in digital asset history</title><content type='html'>&lt;div align=&quot;center&quot; class=&quot;separator&quot;&gt;&lt;a 
href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjWg7WT1kPv0pmRNADbIwmyDMTW-Im4p6wYt4yu2uu1oGUAmIyCU_1Ff8wO0aNtI-QRXxA6G1l8puBOaSvAXpv2h9Fwm1rT3vwMgsKi5IfE_tHk6bCDL6S8nguc4ZcLcVc387YNBi6K-_Xo4XIfqvKKzCWAIhmj5uqaXgewyL6hSXUzReZl8Piw9iYCkRf/s2880/Ethereum.webp&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;427&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjWg7WT1kPv0pmRNADbIwmyDMTW-Im4p6wYt4yu2uu1oGUAmIyCU_1Ff8wO0aNtI-QRXxA6G1l8puBOaSvAXpv2h9Fwm1rT3vwMgsKi5IfE_tHk6bCDL6S8nguc4ZcLcVc387YNBi6K-_Xo4XIfqvKKzCWAIhmj5uqaXgewyL6hSXUzReZl8Piw9iYCkRf/w640-h427/Ethereum.webp&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;

The 21 February heist of Bybit, a Dubai-based cryptocurrency exchange, drained a staggering $1.46 billion in crypto assets according to initial reports. This incident is likely the biggest known financial theft of all time. Bybit is the world’s second-largest cryptocurrency exchange by trading volume, with over 50 million registered users worldwide as of a &lt;a href=&quot;https://www.prnewswire.com/in/news-releases/bybit-surges-to-50-million-users-in-40-days-leading-web3-and-global-compliance-302259397.html?utm_source=chatgpt.com&quot; target=&quot;_blank&quot;&gt; September 2024 report&lt;/a&gt;.

&lt;br /&gt;&lt;br /&gt;

Bybit disclosed that over 400,000 ETH and staked ETH were stolen during the heist. The funds were held in a multisig cold wallet; a routine transfer from that wallet to a warm wallet was manipulated, and the funds were instead siphoned into wallets controlled by the attackers.

&lt;br /&gt;&lt;br /&gt;

&quot;The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic,&quot; &lt;a href=&quot;https://x.com/Bybit_Official/status/1892965292931702929&quot; target=&quot;_blank&quot;&gt;Bybit explained&lt;/a&gt;.

&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;&lt;b&gt;Investigation&lt;/b&gt;&lt;/h3&gt;

According to crypto fraud investigator ZachXBT, the exploiter has already &lt;a href=&quot;https://t.me/investigations/217&quot; target=&quot;_blank&quot;&gt;split&lt;/a&gt; 10,000 ETH out of the &lt;a href=&quot;http://etherscan.io/tx/0xb61413c495fdad6114a7aa863a00b2e3c28945979a10885b12b30316ea9f072c&quot; target=&quot;_blank&quot;&gt;roughly 401,346 ETH stolen in the attack&lt;/a&gt; across 48 addresses.

&lt;br /&gt;&lt;br /&gt;

An independent investigation has revealed connections to the infamous &lt;a href=&quot;https://en.wikipedia.org/wiki/Lazarus_Group&quot; target=&quot;_blank&quot;&gt;Lazarus Group&lt;/a&gt;. A day after the attack was disclosed by Bybit, blockchain investigator ZachXBT shared findings connecting the hack to the DPRK-backed hacking group. ZachXBT submitted a detailed analysis of test transactions and connected wallets used just before the exploit, along with multiple graphs and timing analysis, which were published in an &lt;a href=&quot;https://x.com/arkham/status/1893033424224411885&quot; target=&quot;_blank&quot;&gt;X post&lt;/a&gt;.

&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;
&lt;h3 style=&quot;text-align: left;&quot;&gt;&lt;b&gt;DPRK Crime State&lt;/b&gt;&lt;/h3&gt;

The United States, South Korea, and Japan said in January that North Korean state-backed hacking groups &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/us-govt-says-north-korea-stole-over-659-million-in-crypto-last-year/&quot; target=&quot;_blank&quot;&gt;stole over $659 million worth of cryptocurrency&lt;/a&gt; last year. Indeed, crypto and other financial theft is the primary avenue through which the heavily sanctioned Hermit Kingdom obtains the hard currency it needs to trade in illicit goods for its nuclear weapons and rocket programs.&amp;nbsp;&lt;br /&gt;&lt;br /&gt;

However, a month earlier, blockchain analysis company Chainalysis had painted a more dire picture, reporting that North Korean hackers &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/north-korean-hackers-stole-13-billion-worth-of-crypto-this-year/&quot; target=&quot;_blank&quot;&gt;stole $1.34 billion in cryptocurrency across 47 cyberattacks&lt;/a&gt; during 2024, breaking their previous record of $1.1 billion set in 2022.
&lt;br /&gt;

&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4107482736478478538'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4107482736478478538'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/02/north-korea-pulls-off-largest-ever.html' title='North Korea pulls off largest-ever theft in digital asset history'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjWg7WT1kPv0pmRNADbIwmyDMTW-Im4p6wYt4yu2uu1oGUAmIyCU_1Ff8wO0aNtI-QRXxA6G1l8puBOaSvAXpv2h9Fwm1rT3vwMgsKi5IfE_tHk6bCDL6S8nguc4ZcLcVc387YNBi6K-_Xo4XIfqvKKzCWAIhmj5uqaXgewyL6hSXUzReZl8Piw9iYCkRf/s72-w640-h427-c/Ethereum.webp" height="72" width="72"/><georss:featurename>Pyongyang, North Korea</georss:featurename><georss:point>39.0392193 125.7625241</georss:point><georss:box>10.728985463821154 90.6062741 67.349453136178852 160.9187741</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-3142170128746910746</id><published>2025-01-27T00:37:00.005+00:00</published><updated>2025-01-27T00:38:45.068+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="HIPAA Security Rule"/><title type='text'>2025 Proposed HIPAA Security Rule Changes</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;
  
&lt;br /&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJuuRPYS4Bgu1S5-Wj382RKbsJFBZS4oqcFz98q37eZnx3ZMnzfpPISw67zVALBy-g19RciyWY39-0cNsTVSLfxluINin9tLe-02w4c4xMJOFNB86sRdeGriUSNV-dx1CXk0cNd1hzkhAbJsKXqVKjGmF-BZn2M7u7i7Vnt9EirDpMJZ_93qLp27BrnK8h/s2560/doctor-hands-holding-HIPAA-sign-scaled-2560x1280.jpeg&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1280&quot; data-original-width=&quot;2560&quot; height=&quot;320&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJuuRPYS4Bgu1S5-Wj382RKbsJFBZS4oqcFz98q37eZnx3ZMnzfpPISw67zVALBy-g19RciyWY39-0cNsTVSLfxluINin9tLe-02w4c4xMJOFNB86sRdeGriUSNV-dx1CXk0cNd1hzkhAbJsKXqVKjGmF-BZn2M7u7i7Vnt9EirDpMJZ_93qLp27BrnK8h/w640-h320/doctor-hands-holding-HIPAA-sign-scaled-2560x1280.jpeg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Much Needed Update to HIPAA coming in 2025.&lt;/h3&gt;

A long overdue update to the HIPAA Security Rule, last updated in 2013, is currently being drafted. Much has changed in digital healthcare since the rule’s last update, and today the healthcare industry is almost wholly reliant upon technology for the delivery of services to patients. This includes a rapid expansion of medical devices and other IoT systems, and the widespread use of AI, in particular Machine Learning (ML), to mine the vast data lakes of medical information now being generated by the industry. The updated rule also takes account of the widespread use of cloud and virtual technologies and includes provision for even newer technologies, including virtual reality and quantum computing.

&lt;br /&gt;&lt;br /&gt;

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, at a time when few hospitals or health insurance groups had made the transition to digital records and most users considered a 28.8 kbps internet connection fast. WiFi, mobile devices, and 5G cellular were still distant dreams, as was the meaningful exchange of information in digital format between all those involved in treating patients. The HIPAA Security Rule in particular was considered out of date the moment it was published, although the act’s Privacy Rule has fared better. In 2009 the HITECH Act updated the security requirements for HIPAA Covered Entities (CEs) and Business Associates (BAs) to take account of changes in technology and some major ambiguities in the language of the original rule. A further Omnibus update took place in 2013 for similar reasons.

&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIvld4MyYKDVo5MLTHvunmCpgMLqRG2PYEhML0UIt7ONPypena6pmfX1FzNwiHzRGjbPdP79brQrHuEDySP_yl5iNr-DH9O9xCbwMxQOou3zw_kDo256rM3qR4c61qrdltkWTYqpUVEXDdKh0kRNNFMjig9oE_zNldFt6f86IEOi1vyYN8ZtxCRWmIFsUO/s730/HHS%20OCR%20back%20with%20random%20HIPAA%20audits.webp&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;614&quot; data-original-width=&quot;730&quot; height=&quot;252&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIvld4MyYKDVo5MLTHvunmCpgMLqRG2PYEhML0UIt7ONPypena6pmfX1FzNwiHzRGjbPdP79brQrHuEDySP_yl5iNr-DH9O9xCbwMxQOou3zw_kDo256rM3qR4c61qrdltkWTYqpUVEXDdKh0kRNNFMjig9oE_zNldFt6f86IEOi1vyYN8ZtxCRWmIFsUO/w400-h336/HHS%20OCR%20back%20with%20random%20HIPAA%20audits.webp&quot; width=&quot;300&quot; /&gt;&lt;/a&gt;
  
What is Happening?&lt;/h3&gt;

On December 27, 2024, HHS OCR announced a Notice of Proposed Rulemaking (&lt;a href=&quot;https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html&quot;&gt;NPRM&lt;/a&gt;) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI).

  
The rule “seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.”

&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;What is Changing?&lt;/h3&gt;

The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:

&lt;br /&gt;&lt;br /&gt;

&lt;ul style=&quot;text-align: left;&quot;&gt;
&lt;li&gt;Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require written documentation of all Security Rule policies, procedures, plans, and analyses.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Update definitions and revise implementation specifications to reflect changes in technology and terminology.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Add specific compliance time periods for many existing requirements.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
&lt;ul&gt;&lt;li&gt;A review of the technology asset inventory and network map.&lt;/li&gt;
&lt;li&gt;Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.&lt;/li&gt;
&lt;li&gt;Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.&lt;/li&gt;
&lt;li&gt;An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
&lt;ul&gt;&lt;li&gt;Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.&lt;/li&gt;
&lt;li&gt;Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.&lt;/li&gt;
&lt;li&gt;Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.&lt;/li&gt;
&lt;li&gt;Implement written procedures for testing and revising written security incident response plans.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI, through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require encryption of ePHI at rest and in transit, with limited exceptions.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
&lt;ul&gt;&lt;li&gt;Deploying anti-malware protection.&lt;/li&gt;
&lt;li&gt;Removing extraneous software from relevant electronic information systems.&lt;/li&gt;
&lt;li&gt;Disabling network ports in accordance with the regulated entity’s risk analysis.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require the use of multi-factor authentication, with limited exceptions.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require network segmentation.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.&lt;/li&gt;&lt;/ul&gt;
HHS OCR has requested that feedback on the proposed rule changes be received from REs by March 7, 2025, after which the final rule will be drafted and enacted, likely some six months after that.&lt;br /&gt;&lt;br /&gt; 
  
Most of these proposed requirements are already being followed by larger and better-funded HIPAA CEs, though not, it seems, by all BAs. The proposed rules spell out, in a more granular format, each of the ‘required’ and ‘addressable’ rules that CEs and BAs should already be following. What was considered ‘addressable’ is, however, now ‘required’ under the proposed rule changes.
  
&lt;br /&gt;&lt;br /&gt;
  
&lt;div style=&quot;text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAR2p2Nd53qfPXHcPOtHnp4s5etGpiE31mEoJnX9e7rh5r07Ke735Dy4YBCu0puvCxFyW9zdOxEfJ0bQUkrRBLxtsntrVGwbD-RyrEJq_X77kh4k4RqX1NyDVFroxSL9_oaWa4tDyn6m6bxykdU1x6-CLWeJR-emvBgdZ8y7ZwD_u-kGlaoRePVjI_FKyK/s325/rules.jpg&quot; style=&quot;clear: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;155&quot; data-original-width=&quot;325&quot; height=&quot;191&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAR2p2Nd53qfPXHcPOtHnp4s5etGpiE31mEoJnX9e7rh5r07Ke735Dy4YBCu0puvCxFyW9zdOxEfJ0bQUkrRBLxtsntrVGwbD-RyrEJq_X77kh4k4RqX1NyDVFroxSL9_oaWa4tDyn6m6bxykdU1x6-CLWeJR-emvBgdZ8y7ZwD_u-kGlaoRePVjI_FKyK/w400-h191/rules.jpg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
  
&lt;h3 style=&quot;text-align: left;&quot;&gt;Of Specific Interest:&lt;/h3&gt;
  
&lt;ul style=&quot;text-align: left;&quot;&gt;
&lt;li&gt;The language of the proposed rule removes the distinction between ‘Covered Entity’ (CE) and ‘Business Associate’ (BA) and instead employs the term ‘Regulated Entity’ (RE).&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Removes the distinction between ‘required’ and ‘addressable’. All specifications are now requirements and must be implemented. Time limits are added to meet requirements and to become compliant.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Changes various terms in the HIPAA Security Rule, such as ‘electronic media’, to take account of the wider use of VoIP technologies, telehealth, digital messaging, cloud, and AI.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;A complete asset inventory of all network-connected assets is now required, along with a network map that illustrates the movement of ePHI throughout the RE network. This needs to be updated at least every 12 months or when new assets are joined to the network.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Each RE needs to know where all of its PHI resides on its network and in which systems, whether owned and operated by the RE or some other entity.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Makes network segmentation between operational and IT networks a requirement.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Requires improved regular testing and security risk analysis that includes:
&lt;ul&gt;&lt;li&gt;a technology asset inventory and network map;&lt;/li&gt;
&lt;li&gt;improved identification of threats, vulnerabilities, and risks to the confidentiality, integrity, and availability (CIA) of PHI.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Requires improved auditing of user access to PHI.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Requires improved business continuity, contingency planning, and security incident response capabilities.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Requires the use of multi-factor authentication.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li&gt;Sets a 24-hour notification deadline (no later than 24 hours after a contingency plan is activated). This applies to BAs notifying CEs, and to subcontractors notifying BAs.&lt;/li&gt;&lt;/ul&gt;
&lt;br /&gt;&lt;h3 style=&quot;text-align: left;&quot;&gt;What is Impacted?&lt;/h3&gt;
If a Regulated Entity (RE) is fully compliant with the HIPAA Security Rule (as updated by HITECH and Omnibus) then very little changes. However, this is unlikely. The proposed Security Rule itself states that while auditing regulated entities against the current Security Rule, OCR found that “94 percent failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”&lt;br /&gt;&lt;br /&gt;
This means that most REs have some work to do in order to catch up with existing Security Rule requirements, let alone the additional effort that will be required to come up to speed with the updated requirements. It also means that more effective risk assessment and analysis is required moving forward.&lt;br /&gt;&lt;br /&gt;
The intent of this proposed rule change is to remove inconsistent application of the Security Rule across REs. In so doing, it removes the option to weigh ‘reasonableness and appropriateness’ against the cost of security controls, along with the ‘addressable’ implementation specifications that were often misinterpreted to mean ‘optional’. These are now ‘required’ and mandatory.&lt;br /&gt;&lt;br /&gt;
Furthermore, the rule changes introduce the need to evaluate the ‘effectiveness’ of security controls in supporting the resiliency of the regulated entity. ‘Resiliency’ refers to the entity’s ability to withstand and recover from adverse events. In this regard the changes appear to recognize the vulnerability of REs to denial of service (DoS) and ransomware attacks, and the need to protect against these ‘availability’ attacks through increased resiliency.&lt;br /&gt;&lt;br /&gt;
This implies the need for much improved business continuity, disaster recovery, and security incident response capabilities so that REs can be back up and running quickly following an incident or attack. It also implies the need for more resilient technology architectures, using N+1 or N+2 redundancy in which a second or third copy of an application can be switched into production quickly in times of need. The protracted healthcare downtimes that have hit the industry recently have largely been caused by single points of failure: an encrypted EMR or other core system with no hot or warm standby, for example, or the ransoming of a critical third party such as Change Healthcare.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;
&lt;h3 style=&quot;text-align: left;&quot;&gt;In Conclusion.&lt;/h3&gt;
This long-awaited update to healthcare industry security requirements will help to address the chronic imbalance between a growing number of attackers and a largely weak and ill-prepared cyber defense across payers and providers. It is intended to lead to massive improvements in security risk assessment and analysis, and the speedy remediation of identified security vulnerabilities. As such, the new rules should reduce the number of successful cyber-attacks, and thus help to ensure that hospitals and other delivery partners are available in times of medical need to patients and the communities that they serve. Furthermore, these changes will help to reduce growing patient safety concerns, including increased morbidity and mortality when hospitals are under attack. 
&lt;br /&gt;&lt;br /&gt;The need to identify and keep track of connected assets, to know where data resides and moves across medical networks, and to segment operational and IT networks under the proposed rules will be a real deal changer for security. This is well known as the weakest link and is often referred to as the ‘open back door to healthcare security.’ Medical networks and IT / IoT have changed greatly over recent years, as has our reliance upon technologies to diagnose, monitor, treat, and manage patients in our largely digital healthcare system. It&#39;s therefore vital that our security controls keep pace with these and other changes.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/3142170128746910746'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/3142170128746910746'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/01/2025-proposed-hipaa-security-rule.html' title='2025 Proposed HIPAA Security Rule Changes'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJuuRPYS4Bgu1S5-Wj382RKbsJFBZS4oqcFz98q37eZnx3ZMnzfpPISw67zVALBy-g19RciyWY39-0cNsTVSLfxluINin9tLe-02w4c4xMJOFNB86sRdeGriUSNV-dx1CXk0cNd1hzkhAbJsKXqVKjGmF-BZn2M7u7i7Vnt9EirDpMJZ_93qLp27BrnK8h/s72-w640-h320-c/doctor-hands-holding-HIPAA-sign-scaled-2560x1280.jpeg" height="72" 
width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-3650823503243170236</id><published>2025-01-02T22:59:00.130+00:00</published><updated>2025-01-07T18:16:25.760+00:00</updated><title type='text'>2025 Healthcare Cybersecurity Predictions</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgde7Jik4vsTFfq3TjgVaFkvcVtQLmwTb_EGz29J-4CUYFDB1n7D-GchvWR9WGsZuOxmxKXeWd696Hxo7xgCGgvDugSa027tp4ttfZjSkAIGDJY354YIbb1KfZb-kG5bp6nFapHvjfheR79pq9CoprugnlO4Xzxlp-osY4blAtj_DtAtPbk0PGigf5AJ309/s1280/2025.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;720&quot; data-original-width=&quot;1280&quot; height=&quot;337&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgde7Jik4vsTFfq3TjgVaFkvcVtQLmwTb_EGz29J-4CUYFDB1n7D-GchvWR9WGsZuOxmxKXeWd696Hxo7xgCGgvDugSa027tp4ttfZjSkAIGDJY354YIbb1KfZb-kG5bp6nFapHvjfheR79pq9CoprugnlO4Xzxlp-osY4blAtj_DtAtPbk0PGigf5AJ309/s320/2025.jpg&quot; width=&quot;600&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;
  
&lt;h3 style=&quot;text-align: left;&quot;&gt;Twenty Twenty-Five&lt;/h3&gt;

As someone who has been evangelizing the need for improved healthcare cybersecurity for decades, every year I am hopeful that the new year will be better for healthcare security - that there will be fewer breaches, fewer supply chain attacks, fewer denial-of-service attempts, and fewer ransomware attacks. However, statistics don’t lie, nor do trends, so it’s unlikely that I will get my wish in 2025.&lt;/div&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;&lt;/div&gt;

&lt;br /&gt;
  
&lt;h3&gt;The Global Cybersecurity Landscape&lt;/h3&gt;


Each year, more and more &lt;a href=&quot;https://www.thelancet.com/journals/lancet/article/PIIS0140-6736(24)01074-2/fulltext&quot; target=&quot;_blank&quot;&gt;healthcare&lt;/a&gt; payers, providers, and life sciences organizations are hit with devastating and costly cyber-attacks. Increasingly these cyber-attacks can impact entire communities. We saw this in West Texas in September and October of 2024 when both &lt;a href=&quot;https://www.infosecurity-magazine.com/news/ransomware-forces-umc-divert/&quot; target=&quot;_blank&quot;&gt;UMC&lt;/a&gt; and &lt;a href=&quot;https://www.infosecurity-magazine.com/news/texas-tech-university-breach/&quot; target=&quot;_blank&quot;&gt;Texas Tech University Health Sciences Center&lt;/a&gt; were hit with separate ransomware attacks. This essentially &lt;a href=&quot;https://eu.lubbockonline.com/story/news/healthcare/2024/10/17/umc-texas-tech-hsc-hits-third-week-impacted-by-cybersecurity-ransomware-attacks-it-outage/75687779007/&quot; target=&quot;_blank&quot;&gt;denied Level 1 trauma care&lt;/a&gt; to multiple communities impacting an area greater than 250 miles in diameter. It’s likely that we could see more of these high impact overlapping attacks in 2025, for various reasons, as I shall explain shortly.

&lt;br /&gt;&lt;br /&gt;

&lt;a href=&quot;https://www.aha.org/news/aha-cyber-intel/2024-10-07-look-2024s-health-care-cybersecurity-challenges&quot; target=&quot;_blank&quot;&gt;Healthcare is in the crosshairs&lt;/a&gt; and is both an easy and a soft target for a growing number of opportunistic perpetrators. It has a large and sprawling supply chain which, when attacked, can have &lt;a href=&quot;https://jamanetwork.com/journals/jama-health-forum/fullarticle/2823757&quot; target=&quot;_blank&quot;&gt;sweeping implications&lt;/a&gt; for industry players themselves. On top of that, as a critical national infrastructure industry, and in times of geopolitical conflict and cyber warfare, the industry is also a strategic political target. It is being hit from all sides - from organized crime syndicates to state actors, with a rising body of evidence to suggest &lt;a href=&quot;https://www.skopenow.com/news/the-rising-threat-of-state-sponsored-organized-crime&quot; target=&quot;_blank&quot;&gt;collaboration and coordination&lt;/a&gt; between the two groups.

&lt;br /&gt;&lt;br /&gt;

As a &lt;a href=&quot;https://www.weforum.org/stories/2024/04/cybercrime-target-sectors-cybersecurity-news/&quot; target=&quot;_blank&quot;&gt;critical national infrastructure industry&lt;/a&gt;, healthcare will, I believe, be the recipient of increasing levels of direct and indirect government cyber assistance in 2025. Expecting small, independent, or even state-run healthcare providers to defend themselves against the might of the highly organized Russian Mafia crime syndicate, or against the offensive instruments of a pariah state’s military and intelligence organizations, makes absolutely no sense. Thus, government will need to &lt;a href=&quot;https://www.theguardian.com/society/article/2024/jun/21/uk-national-crime-agency-russian-ransomware-hackers-qilin-nhs-patient-records&quot; target=&quot;_blank&quot;&gt;step in&lt;/a&gt;. We are seeing this already in the UK, EU, and Australia, with much higher levels of direct involvement and intelligence sharing by government agencies. The US is expected to follow suit in 2025. However, very few governments are at present ready and prepared to directly protect their healthcare systems.

&lt;br /&gt;&lt;br /&gt;

2025 will likely see even more ransomware attacks against healthcare providers. This will no doubt continue until such time as ransom payments and other forms of cyber extortion demand are finally and fully &lt;a href=&quot;https://www.bbc.com/news/technology-57173096&quot; target=&quot;_blank&quot;&gt;made illegal&lt;/a&gt;. Ransomware is a very lucrative industry whose growth is being fueled by larger and larger payments from victims. The lack of resiliency across the healthcare industry, combined with the critical need for operational availability, makes healthcare a prime target for such attacks. As such, expect many more.
  
&lt;br /&gt;
&lt;br /&gt;

Supply chain attacks against the thousands of third-party vendors, suppliers, and service providers will continue to be the open back door into an otherwise secure healthcare industry. Software supply chain attacks and strikes against critical &lt;a href=&quot;https://www.theatlantic.com/ideas/archive/2024/03/change-healthcare-alphv-blackcat-hackers/677650/&quot; target=&quot;_blank&quot;&gt;single points of failure&lt;/a&gt; across the array of healthcare infrastructure will likely continue for as long as the war with Russia does. This means that payers, providers, and life sciences organizations need to develop much stronger risk management processes around their multitude of third-party vendors. This should include a full inventory and risk analysis of all organizations that have direct or indirect access to medical networks, including through third-party applications and devices. Cyber-attacks against Synnovis, Change Healthcare, Microsoft, SolarWinds, and others have &lt;a href=&quot;https://www.securitymagazine.com/articles/100447-third-party-attack-vectors-are-responsible-for-29-of-breaches&quot; target=&quot;_blank&quot;&gt;wreaked havoc&lt;/a&gt; across hundreds of organizations through the compromise of a single third party. The return on investment for perpetrators is therefore huge. Expect many more in 2025.

&lt;br /&gt;&lt;br /&gt;

2025 will also see the rise of nation-state attacks. The recent &lt;a href=&quot;https://foreignpolicy.com/2024/12/19/salt-typhoon-hack-explained-us-china-cyberattack/&quot; target=&quot;_blank&quot;&gt;Salt Typhoon&lt;/a&gt; attack against critical infrastructure telecommunications providers by the People’s Republic of China, and a dozen other Chinese Typhoon attacks, are an indication of growing geopolitical tensions as China, Russia, Iran, and the DPRK face off against the western world in what is being termed the ‘Axis of Resistance’. With Russia and Iran already engaged in &lt;a href=&quot;https://www.nato.int/docu/review/articles/2024/04/26/russias-hybrid-war-against-the-west/index.html&quot; target=&quot;_blank&quot;&gt;hybrid and proxy wars&lt;/a&gt;, cyber is increasingly viewed as a convenient weapon of choice, one that inflicts damage and retribution without crossing a line that would result in a kinetic response from the attacked nation. All critical national infrastructure industries could be targets of increased attention by Axis powers and will need to prepare accordingly. Nation-state cyber-attacks will be 2025’s biggest single threat.

&lt;br /&gt;&lt;br /&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxZOKOJcSXSN_vuQ05egvzy50LrI3TMzC945apwM9X2vn6craTd0omv7SC7ZUbuwubPnRuOJ2Z62YhTWSAv5jkFi0fZ22IgGyagmg8cJJ_KKpHfUlFfbhI05PZyznzXZRq6gnZrn80g9OZK_CrZdZWEoZpOleLz4MyrtgdYe6nQGFmfppo_yKArXk5LpSl/s1520/typhoon.webp&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1000&quot; data-original-width=&quot;1520&quot; height=&quot;264&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxZOKOJcSXSN_vuQ05egvzy50LrI3TMzC945apwM9X2vn6craTd0omv7SC7ZUbuwubPnRuOJ2Z62YhTWSAv5jkFi0fZ22IgGyagmg8cJJ_KKpHfUlFfbhI05PZyznzXZRq6gnZrn80g9OZK_CrZdZWEoZpOleLz4MyrtgdYe6nQGFmfppo_yKArXk5LpSl/w400-h264/typhoon.webp&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;
&lt;h3&gt;Regulatory Changes&lt;/h3&gt;

2025 will likely see major changes to US healthcare regulation with the passage (sometime during the year) of the Health Infrastructure Security and Accountability Act (&lt;a href=&quot;https://djholtlaw.com/healthcare-cybersecurity-how-the-health-infrastructure-security-and-accountability-act-hisaa-can-protect-your-practice/&quot; target=&quot;_blank&quot;&gt;HISAA&lt;/a&gt;). This is the long-awaited update to, or replacement of, the ailing and out-of-date 1996 HIPAA security rule which has governed the US healthcare industry for over two decades now. HISAA aims to transform healthcare cybersecurity by setting minimum standards and throwing much-needed financial support to healthcare providers. HISAA is still in the drafting stage at present, but will likely impose stricter cybersecurity standards, require audits and stress tests, and implement serious consequences for non-compliance, while providing financial support to healthcare organizations that need help to enhance and improve their cybersecurity capabilities.

&lt;br /&gt;&lt;br /&gt;

HISAA will no doubt help to move the cybersecurity needle, just as &lt;a href=&quot;https://nis2directive.eu/health/&quot; target=&quot;_blank&quot;&gt;NIS2&lt;/a&gt; in Europe and &lt;a href=&quot;https://www.ncsc.gov.uk/collection/cyber-assessment-framework/introduction-caf-collection&quot; target=&quot;_blank&quot;&gt;CAF&lt;/a&gt; in the UK are already beginning to do. But ‘compliant’ &lt;a href=&quot;https://c2risk.com/why-being-compliant-isnt-the-same-as-being-secure/&quot; target=&quot;_blank&quot;&gt;does not mean&lt;/a&gt; ‘secure’, and most regulations are out of date the day they are enacted. It’s therefore important for healthcare entities to adopt a risk-based approach to security rather than a compliance-based one. That means understanding what, and who, connects to hospital networks; assessing people, processes, and technologies; and conducting a full risk analysis to identify, track, and remediate security vulnerabilities on an ongoing basis. This will become ever more important as new, innovative technology is added to medical networks.&lt;/div&gt;
  
&lt;div&gt;&lt;br /&gt;&lt;/div&gt;

&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW5XTNNrBysjXQGKg1zG_xG6NWf9WpDqog28STL6AUKXU5otOC3Bl3t-ck4ufMgQFu9z9LKzEhvIpC_5PcBYiAwl_RMUXwQc3ijxi3D0JQebk-33Bds5U9KtF46ZUPxPeXZYXuoavjmLgPiv13pgYLczmQ69NKV5zovNQSvZ_1c4ExfplE4sF9uRSvpd0r/s640/nasa-Q1p7bh3SHj8-unsplash.jpg&quot; style=&quot;clear: right; float: right; margin-bottom: 1em; margin-left: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;426&quot; data-original-width=&quot;640&quot; height=&quot;213&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW5XTNNrBysjXQGKg1zG_xG6NWf9WpDqog28STL6AUKXU5otOC3Bl3t-ck4ufMgQFu9z9LKzEhvIpC_5PcBYiAwl_RMUXwQc3ijxi3D0JQebk-33Bds5U9KtF46ZUPxPeXZYXuoavjmLgPiv13pgYLczmQ69NKV5zovNQSvZ_1c4ExfplE4sF9uRSvpd0r/w320-h213/nasa-Q1p7bh3SHj8-unsplash.jpg&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;
  


&lt;h3&gt;New Technology&lt;/h3&gt;&lt;p style=&quot;text-align: left;&quot;&gt;The healthcare industry creates more data than any other industry. To say that there are now healthcare &lt;a href=&quot;https://www.inovalon.com/blog/data-lakes-in-healthcare-use-cases-for-large-datasets/&quot; target=&quot;_blank&quot;&gt;data lakes&lt;/a&gt; would be an understatement. Each patient that is seen, diagnosed, and treated, creates vast amounts of useful medical data. This data can then be mined by healthcare data scientists and used to train artificial intelligence (AI) algorithms for machine-learning-based applications used for clinical decision support, and many other areas of medicine.&lt;/p&gt;&lt;br /&gt;

2025 will see these data lakes become even larger and, combined with improvements in AI training, enhance the tools available to clinicians. But just like all data repositories, this highly valuable data needs to be encrypted and protected. The &lt;a href=&quot;https://www.rsna.org/annual-meeting&quot; target=&quot;_blank&quot;&gt;RSNA Conference&lt;/a&gt; in November highlighted once again the need for better encryption while revealing new advancements in radiological and medical imaging, thanks in part to improvements in AI. This is leading to earlier diagnosis and earlier opportunities to intervene medically in patient care, thus improving outcomes while reducing cost. 2025 will see continued growth in the capabilities of medical AI, including advances in precision medicine which one day will totally change the entire paradigm of medical care and treatment of patients.

&lt;br /&gt;&lt;br /&gt;

But AI is also a new technology, and one that introduces new risks. Its data, its algorithms, and its applications all need to be secured against new types of cyberattack, including data poisoning and adversarial machine learning. AI is also being used to weaponize existing malware strains, making that malware stealthy, almost impossible to detect, and deadly when its payloads are deployed on unsuspecting networks. 2025 will likely see the continued development of offensive AI attack tools by hackers. At the same time, security software companies will be engaged in an &lt;a href=&quot;https://www.healthcareitnews.com/news/how-ai-transforming-cybersecurity-defense-and-offense&quot; target=&quot;_blank&quot;&gt;arms race&lt;/a&gt; to quickly develop defensive AI capabilities in their NDR, XDR, and other security applications. &lt;a href=&quot;https://cylera.com/&quot; target=&quot;_blank&quot;&gt;Cylera&lt;/a&gt;, as an example, and as a next-generation IoT security platform, has invested heavily in AI since the company’s founding. It continues to build and deploy new and enhanced AI capabilities that help to automate the orchestration of improved cybersecurity for customers.
We will see a lot more AI in 2025, along with better automated security tools and platforms that offer much faster-than-human response times and need less human intervention.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;h3&gt;Cybersecurity Resource Shortage&lt;/h3&gt;&lt;div&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3nE6lumR_YrCqcSWJseb57CDQH1Rz5urC110hZCpLxx1c4hKrYzrLl3s0gQvSOhHyEsRcFUV_KrJFCPCqvg_IYZZP3TDgOdx7lGyivkN4ig6hHcQ8PWLmTN5Qyir79OtCxmZKv2hDyKATWrHCIV63KkAzLhWafXGGsf263T7jhqkF0Y3sQ_QSz-u5fFzs/s1920/phyo-min-VBCHfGtH79s-unsplash.jpg&quot; imageanchor=&quot;1&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;961&quot; data-original-width=&quot;1920&quot; height=&quot;320&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3nE6lumR_YrCqcSWJseb57CDQH1Rz5urC110hZCpLxx1c4hKrYzrLl3s0gQvSOhHyEsRcFUV_KrJFCPCqvg_IYZZP3TDgOdx7lGyivkN4ig6hHcQ8PWLmTN5Qyir79OtCxmZKv2hDyKATWrHCIV63KkAzLhWafXGGsf263T7jhqkF0Y3sQ_QSz-u5fFzs/w640-h320/phyo-min-VBCHfGtH79s-unsplash.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;The shortage of security professionals reached &lt;a href=&quot;https://www.bankinfosecurity.com/how-are-we-going-to-fill-48-million-cybersecurity-jobs-a-26431&quot; target=&quot;_blank&quot;&gt;4.8 million&lt;/a&gt; in 2024, a growth of 19% over 2023. There simply aren’t enough soldiers to defend the fort against a rising number of attacks. In fact, according to the &lt;a href=&quot;https://www.weforum.org/stories/2024/04/cybersecurity-industry-talent-shortage-new-report/&quot; target=&quot;_blank&quot;&gt;World Economic Forum&lt;/a&gt;, the global talent shortage could reach 85 million workers by 2030.
While universities and training academies have stepped up their education offerings in cybersecurity, it will take many years before this shortage is addressed – if ever, given rising needs. 

&lt;br /&gt;&lt;br /&gt;

Burn-out and retention of cybersecurity professionals are growing problems as the job of defending an organization, sometimes against truly overwhelming odds, becomes even tougher. The ‘buck’ really does stop at the CISO’s desk, yet CISOs remain relatively unempowered to make decisions around enterprise security risk. Many security leaders still lack direct access to the board to properly relay cyber-risk, despite years of industry groups telling CEOs that they need to provide it. That is slowly changing, and 2025 will likely see an evolution in the partnership between CISOs and their boards.

&lt;br /&gt;&lt;br /&gt;

While job satisfaction and not feeling ignored remain critical for retention, so too does work-life balance for security teams and their leaders. ‘Return to the Office’, for many, has done little to offset the practice of working around the clock, something that started during the COVID pandemic when teams were covering for sick colleagues and dealing with a huge uptick in security needs. It’s important that security teams and their leaders feel needed and respected, and that senior management empowers them not to work every weekend. Achieving better work-life balance will be a major objective for many security leaders in 2025.
  
&lt;br /&gt;&lt;br /&gt;

&lt;h3&gt;In Conclusion&lt;/h3&gt;

2025 will be an evolution of what we saw in 2024 rather than any sort of revolutionary change in January. Domestic and international politics may have a significant role to play in both attack and defense, as both sides re-arrange their players and adjust their cyber strategies. The healthcare security threat surface will continue to expand as more and more devices and applications connect to medical networks and interoperability between healthcare systems continues to advance. Diligence will be critical, as will visibility and understanding of risk. Automation of security tools will become ever more important, as the shortage of people to watch screens becomes critical, and various forms of AI will likely play an increasing role in both healthcare applications and security.
  
&lt;br /&gt;

&lt;br /&gt;
  
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;This blog was first posted at the &lt;a href=&quot;https://cylera.com/2025-healthcare-iot-cybersecurity-predictions/&quot; target=&quot;_blank&quot;&gt;following location&lt;/a&gt;. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/3650823503243170236'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/3650823503243170236'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2025/01/2025-healthcare-cybersecurity.html' title='2025 Healthcare Cybersecurity Predictions'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgde7Jik4vsTFfq3TjgVaFkvcVtQLmwTb_EGz29J-4CUYFDB1n7D-GchvWR9WGsZuOxmxKXeWd696Hxo7xgCGgvDugSa027tp4ttfZjSkAIGDJY354YIbb1KfZb-kG5bp6nFapHvjfheR79pq9CoprugnlO4Xzxlp-osY4blAtj_DtAtPbk0PGigf5AJ309/s72-c/2025.jpg" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-4754398145823666731</id><published>2024-12-14T22:30:00.038+00:00</published><updated>2024-12-29T00:10:46.653+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="2024"/><category scheme="http://www.blogger.com/atom/ns#" term="Change Healthcare"/><category scheme="http://www.blogger.com/atom/ns#" term="Synnovis"/><category scheme="http://www.blogger.com/atom/ns#" term="third-party"/><category 
scheme="http://www.blogger.com/atom/ns#" term="UHG"/><title type='text'>Healthcare Cybersecurity Year in Review</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;text-align: center;&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS4Wym4UlBe7wK1VI70nEc4fljpUQtzcJeGeHv0M92FF7fWL9JDxgueFagrFzgqdjwDVK6MiU9Mz8o8Gq6lGSw7GuihES1bf_-1u-21_MbbuiOni0GqG5uAxFJ-ga9OWGZrxbh9MqQr2xARz98E06KCtG8IYAXwqPK0qBiqp_O9BTrEvh0ZipB13DIbjt4/s380/2024onblack.jpg&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;144&quot; data-original-width=&quot;380&quot; height=&quot;242&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS4Wym4UlBe7wK1VI70nEc4fljpUQtzcJeGeHv0M92FF7fWL9JDxgueFagrFzgqdjwDVK6MiU9Mz8o8Gq6lGSw7GuihES1bf_-1u-21_MbbuiOni0GqG5uAxFJ-ga9OWGZrxbh9MqQr2xARz98E06KCtG8IYAXwqPK0qBiqp_O9BTrEvh0ZipB13DIbjt4/w640-h242/2024onblack.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;Twenty Twenty-Four will go down in history as another watershed year in healthcare cybersecurity. 
With 386 reported healthcare cyberattacks by the beginning of October, this year is &lt;a href=&quot;https://www.aha.org/news/aha-cyber-intel/2024-10-07-look-2024s-health-care-cybersecurity-challenges&quot; target=&quot;_blank&quot;&gt;on target&lt;/a&gt; to surpass even 2023, which was in itself an especially bad year for healthcare cybersecurity attacks and breaches.&lt;br /&gt;&lt;br /&gt;These projections are supported by the &lt;a href=&quot;https://www.proofpoint.com/us/resources/threat-reports/ponemon-healthcare-cybersecurity-report&quot; target=&quot;_blank&quot;&gt;2024 Ponemon Healthcare Cybersecurity Report&lt;/a&gt;, which found that 92% of organizations experienced a cyberattack in the past 12 months, up from 88% in 2023, and that the cost of a healthcare data breach topped $4.7 million in 2024, making healthcare the single most expensive industry for ransomware and other cyber-attack clean-up costs. &lt;br /&gt;&lt;br /&gt;The &lt;a href=&quot;https://www.ic3.gov/&quot; target=&quot;_blank&quot;&gt;FBI&lt;/a&gt;, via its Internet Crime Complaint Center (IC3), states that healthcare is now the primary industry target for ransomware gangs, while &lt;a href=&quot;https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf&quot; target=&quot;_blank&quot;&gt;HHS OCR&lt;/a&gt; acknowledges that ransomware attacks against the industry are up a staggering 278% since 2020.

&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Two Landmark Attacks&lt;/h3&gt;

&lt;p class=&quot;p1&quot; style=&quot;font-family: &amp;quot;Times New Roman&amp;quot;; font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-size: 12px; font-stretch: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-emoji: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;&quot;&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/p&gt;&lt;p class=&quot;p1&quot; style=&quot;font-family: &amp;quot;Times New Roman&amp;quot;; font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-size: 12px; font-stretch: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-emoji: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;&quot;&gt;&lt;b&gt;&lt;/b&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnbVypQOmqLhyBYGTLWzVoM_qz47If041B2LJt-SWYxPXpK9-_W2S2eCWdIj823M6Jejn0FL7rpaDZ7kF0gYOonoAXX9pMuEVOyY6EDpG_d-LeiAtV6C_Hwzt606IXZ2_ISCApNWWmmI3Nauk9nbHk4AhTu0mizA-5n9RL4NXGartgAKqcowUsofJB4ZQV/s1085/unsplash_06012ac6af.webp&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;186&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnbVypQOmqLhyBYGTLWzVoM_qz47If041B2LJt-SWYxPXpK9-_W2S2eCWdIj823M6Jejn0FL7rpaDZ7kF0gYOonoAXX9pMuEVOyY6EDpG_d-LeiAtV6C_Hwzt606IXZ2_ISCApNWWmmI3Nauk9nbHk4AhTu0mizA-5n9RL4NXGartgAKqcowUsofJB4ZQV/w320-h186/unsplash_06012ac6af.webp&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;p&gt;&lt;/p&gt;&lt;p class=&quot;p1&quot; style=&quot;font-feature-settings: normal; font-kerning: auto; 
font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-emoji: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;&quot;&gt;Twenty Twenty-Four will also go down in history as the year of the single biggest, most disruptive, and most expensive healthcare cyberattack to date, when in February &lt;a href=&quot;https://www.unitedhealthgroup.com/&quot; target=&quot;_blank&quot;&gt;UnitedHealth Group’s&lt;/a&gt; (UHG) Change Healthcare was attacked and breached by the Russian-speaking ransomware group ALPHV/BlackCat, impacting nearly every American and exposing the PHI of at least 150 million individuals. &lt;br /&gt;&lt;br /&gt;While the &lt;a href=&quot;https://www.beckershospitalreview.com/cybersecurity/the-change-healthcare-cyberattack-a-timeline.html&quot; target=&quot;_blank&quot;&gt;Change Healthcare&lt;/a&gt; attack becomes the new record holder, it effectively doubled the breach numbers of the prior holder of the title - Anthem Health, which in 2014 exposed the PHI of 78.8 million individuals in a landmark case. &lt;br /&gt;&lt;br /&gt;Despite paying the criminals a staggering $22 million ransom, UHG was unable to retrieve its data and was then hit with a second extortion demand to not publish the stolen PHI the perpetrators had exfiltrated. This was according to UHG CEO &lt;a href=&quot;https://www.cnbc.com/2024/05/01/unitedhealth-ceo-says-company-paid-hackers-22-million-ransom.html&quot; target=&quot;_blank&quot;&gt;Andrew Witty&lt;/a&gt;&amp;nbsp;when on May 1st this year he was hauled in front of &lt;a href=&quot;https://thehill.com/homenews/4635480-unitedhealth-ceo-heat-cyberattack-senate/&quot; target=&quot;_blank&quot;&gt;Congress&lt;/a&gt;&amp;nbsp;to explain the breach that had paralyzed much of US healthcare and what UHG was doing about the mess.
At the hearings, lawmakers described the UHG Change Healthcare attack as ‘the most significant and consequential cyberattack on the U.S. health care system in American history’.&lt;/p&gt;&lt;p class=&quot;p1&quot; style=&quot;font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-emoji: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;&quot;&gt;&lt;br /&gt;The Change Healthcare attack severely &lt;a href=&quot;https://www.aha.org/news/news/2024-03-15-aha-survey-change-healthcare-cyberattack-having-significant-disruptions-patient-care-hospitals-finances&quot; target=&quot;_blank&quot;&gt;disrupted&lt;/a&gt; healthcare billing and payment operations for months, creating a huge backlog of unpaid claims, including problems with insurance approvals and Medicare reimbursements. It caused unprecedented financial and operational chaos for hundreds of medical facilities, physicians, and pharmacies, as well as for patients unable to gain approval for scheduled procedures or to pick up their medications.
It has placed hundreds of small and rural providers of healthcare at risk of closure, potentially depriving entire communities of tertiary health services.&lt;/p&gt;&lt;p class=&quot;p1&quot; style=&quot;font-feature-settings: normal; font-kerning: auto; font-optical-sizing: auto; font-size-adjust: none; font-stretch: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-emoji: normal; font-variant-numeric: normal; font-variant-position: normal; font-variation-settings: normal; line-height: normal; margin: 0px;&quot;&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ-2RUBcF9bwUPY03aCjsPRtjEdV2uuBU_W1iYmFOvlSVTaDQomSD37jnP-nyFCJHZYsvn6yYohxXFd9njSln6MvhAwP-k6zacAVZME3nVd_ux_IxwNoicIJ0WrmmtyEM9syBv82qhMLHFOwILlBo9AnjgY7xMlFB-I0aPyzJM8Gv6RDkrqzS01EAhQ_-o/s1200/synnovis-logo.webp&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; height=&quot;168&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ-2RUBcF9bwUPY03aCjsPRtjEdV2uuBU_W1iYmFOvlSVTaDQomSD37jnP-nyFCJHZYsvn6yYohxXFd9njSln6MvhAwP-k6zacAVZME3nVd_ux_IxwNoicIJ0WrmmtyEM9syBv82qhMLHFOwILlBo9AnjgY7xMlFB-I0aPyzJM8Gv6RDkrqzS01EAhQ_-o/w320-h168/synnovis-logo.webp&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;Another highly disruptive cyberattack took place in the United Kingdom when in July this year&amp;nbsp;&lt;a href=&quot;https://www.england.nhs.uk/london/synnovis-ransomware-cyber-attack/&quot; target=&quot;_blank&quot;&gt;Synnovis&lt;/a&gt;, a joint venture pathology partnership between SYNLAB, Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, was hit by a cyber-attack. 
The ransomware attack impacted most NHS providers across South London and caused 800 life-saving operations to be cancelled and over a thousand other appointments to be forcibly rescheduled. It also led to hospitals being placed on divert, with emergency ambulances redirected to the other side of London or to the home counties.&lt;br /&gt;&lt;br /&gt;The cyberattack has been attributed to Qilin, a Russian ransomware-as-a-service (RaaS) crime gang, this time, so it seems, with dual motivations. Qilin demanded $50 million in extortion, which was not paid, in accordance with UK government policy, which prohibits making extortion payments to terrorists. The attack paralyzed services at London hospitals for many weeks. According to a recent report by &lt;a href=&quot;https://www.bloomberg.com/news/articles/2024-06-18/uk-hospital-hackers-say-they-ve-demanded-50-million-in-ransom&quot; target=&quot;_blank&quot;&gt;Bloomberg&lt;/a&gt;, while responding to questions about the breach through a messaging account long associated with the gang, a representative for the hackers said that they were very sorry for the people who suffered but refused to accept responsibility for the human cost. They suggested &#39;the attack was justified because it was in retaliation for the British government’s involvement in unspecified wars&#39;.&lt;br /&gt;&lt;br /&gt;In the first half of 2024, ransomware victims paid an astonishing &lt;a href=&quot;https://blackcloak.io/ransomware-payments-surge-to-record-highs-in-2024-a-call-for-vigilance/&quot; target=&quot;_blank&quot;&gt;$459.8 million&lt;/a&gt; to cybercriminals, setting the stage for a potentially record-breaking year.
These extortion payments are also fueling the growth of the ransomware industry, so attacks are only likely to get worse in future years so long as ransoms are paid.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Alarmingly, much of this illicit money ends up in Russia via a global money laundering network involving the Chinese triads and other organized crime groups. It thus acts as a very useful form of hard currency for a country which is under massive trade and financial sanctions as a result of its war with Ukraine. It&#39;s no wonder, then, that the Kremlin provides safe harbor and tacit protection for transnational crime groups operating out of the Russian motherland.&amp;nbsp;&lt;br /&gt;&lt;br /&gt;&lt;h3 style=&quot;text-align: left;&quot;&gt;A Common Thread&lt;/h3&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFcwhTC8sROYQARcgtLkBk8tVhyBGbgYqsxa_uqkG29m1cYXEIpz-ptGidwYmw7U7TwTtO_ifNRtIRB-cmQk3odIicvygqQzb-7bGjjwLO_ItS7ZEn7k8So8UeYBM2uLJNgrypT7MHT0tXw6k-1i0CJqsfrNwITzgqgatfWEipvH5F_2zbA3EvG-vFu1U2/w320-h179/thirdparty.jpeg&quot; /&gt;&lt;/div&gt;&lt;br /&gt;Both the Change Healthcare and Synnovis cyberattacks are indicative of a broader trend in healthcare: attacks are targeting the third parties, or business associates (BAs), of healthcare providers. According to John Riggi of the American Hospital Association (AHA), &lt;a href=&quot;https://www.aha.org/news/aha-cyber-intel/2024-08-05-third-party-cyber-risk-impacts-health-care-sector-most-heres-how-prepare&quot; target=&quot;_blank&quot;&gt;fifty-eight percent&lt;/a&gt; of the 77.3 million individuals affected by data breaches in 2023 were affected by an attack on a health care business associate - a 287% increase compared to 2022.
Based upon the sheer size and impact of both Change Healthcare and Synnovis, it is highly likely that once the data is in for the year, 2024 will drive this percentage even higher. In other words, it’s no longer just healthcare payers and providers being attacked; their business associates are now being actively targeted. &lt;br /&gt;&lt;br /&gt;Hospitals and other providers have done a great job over recent years of improving their security posture with better risk analysis, risk remediation and implementation of security controls, yet overall healthcare attacks continue to increase. This is largely because cyber criminals and pariah nation states are focusing on the weakest link, in this case the huge number of third parties now involved in modern healthcare delivery. &lt;br /&gt;&lt;br /&gt;According to &lt;a href=&quot;https://www.aha.org/news/aha-cyber-intel/2024-08-05-third-party-cyber-risk-impacts-health-care-sector-most-heres-how-prepare&quot; target=&quot;_blank&quot;&gt;Riggi&lt;/a&gt;, &quot;simply put, the &#39;&lt;i&gt;bad guys&lt;/i&gt;&#39; - foreign ransomware groups, primarily Russian speaking - have mapped the health care sector and identified key strategic nodes to attack that would provide the most disruptive impact and access across the health care sector. These &quot;strategic nodes&quot; translate to ubiquitous third-party technology and service providers. The more widespread and critical the impact, the higher the ransom payment demand and the higher the likelihood that the victim will succumb to making the payment&quot;. 
Why hack or attack 1,000 hospitals when they can target the one common business associate and get all the data, or disrupt all the hospitals that depend on that single mission-critical third-party provider?&lt;br /&gt;&lt;br /&gt;In fact, healthcare cyber attacks are all about maximizing disruption, not only to maximize payment pressure for the perpetrators, but also to cause damage and mayhem to critical national infrastructure in countries opposed to Russia’s expansive foreign policy stance, or to gain political advantage in the case of China or Iran. Together, these three adversaries of western liberal democracy are behind, or support and protect, the criminal actors involved in the majority of healthcare cyberattacks worldwide. &lt;br /&gt;&lt;br /&gt;So how is it that third parties are now the weak link in healthcare security? The fact is that modern healthcare relies upon literally thousands of different vendors, suppliers, service providers and IT and business processing outsourcers. These range from core EMR / EPR systems like Epic and Cerner-Oracle, to the hundreds of different medical device manufacturers and third-party management companies that now adorn our modern digital care centers, and from insurance, billing, and collections to the lengthy supply chains for medical equipment and supplies, whose vendors often have remote access to hospital networks. The list is almost endless, and many providers don’t even have a good understanding or an accurate inventory of who or what has access to their medical networks, let alone the risks each group, device or system may introduce. 
IoT is a particular problem, and many unpatched and insecure medical devices are easily compromised by criminals.&lt;br /&gt;&lt;br /&gt;The Change Healthcare attack was the result of the vendor, &lt;a href=&quot;https://www.optum.com/en/about-us/optum-health.html&quot; target=&quot;_blank&quot;&gt;Optum&lt;/a&gt; (part of UHG), failing to use multi-factor authentication (MFA) or privileged access management (PAM) on a legacy jump server used by systems administrators to administer the Change environment. It is thought that Optum did not own software licensing for the jump server, which ran an out-of-date operating system it inherited as part of the Change Healthcare acquisition. And since the whole Change Healthcare environment was in the process of being replaced with new applications built to Optum standards, the short-term risks were considered acceptable rather than spending the time and money to build a new temporary jump server accessible only to a small number of trusted internal staff. However, one of the authorized users of this system had reused a password on another account which had previously been compromised. With a little research, hackers were able to put two and two together and gain access to the complete Change Healthcare environment. &lt;br /&gt;&lt;br /&gt;By contrast, the Synnovis attack appears to have leveraged credentials from one of two prior attacks by a different Russian group, Black Basta, against its parent company, Synlab. Those credentials, including VPN and MFA passwords, evidently were never reset, nor was the Synlab environment adequately secured against common malware and other attacks. What was more alarming was that Synlab-Synnovis had very poor business continuity, disaster recovery and security incident response plans (BCP/DR/SIR), resulting in weeks lost restoring systems. 
This is totally unacceptable in an ‘operations-critical’ industry like healthcare, where even short outages can lead to dramatic increases in patient morbidity and mortality. &lt;br /&gt;&lt;br /&gt;&lt;h3 style=&quot;text-align: left;&quot;&gt;Lessons Learned and Tougher Regulations&lt;/h3&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw61Blo2E3sX0zDqr6jog7SVwnxdp7Atf7IX4TPWNfd4YZuplQS0vpIMKeHVFXA1PnRcgl0roqzfWVMh6jNwvW0_DjZnQ5HSb0zkZRPZhEC6LIQr7clOg0AX9ZBr482L8MqWsM96buO176wondu3QSJriqsqXE80CUVlNLKHN0GK5w1GVQhjZrfXajHCWv/s1600/Regulation.jpeg&quot; /&gt;&lt;/div&gt;&lt;br /&gt;Plainly, the lesson here is that providers of healthcare services (in the US, &lt;a href=&quot;https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html&quot; target=&quot;_blank&quot;&gt;HIPAA&lt;/a&gt; ‘covered entities’ [CEs]) need to mandate that every one of their hundreds of third parties adheres to the same security standards, capabilities, and controls that hospitals themselves are required to meet. That means more regular and thorough security audits of all third parties. This is especially important where the vendor is not big enough to provide evidence of ISO 27001 certification, or a SOC 2 attestation that it meets the key control objectives of the CE in question. 
[The&amp;nbsp;&lt;a href=&quot;https://cylera.com/&quot; target=&quot;_blank&quot;&gt;Cylera&lt;/a&gt;&amp;nbsp;platform, used by many providers across the world, is ISO 27001 security certified, as an example.]&lt;br /&gt;&lt;br /&gt;In Europe that means compliance with &lt;a href=&quot;https://www.nis-2-directive.com/&quot; target=&quot;_blank&quot;&gt;NIS2 standards&lt;/a&gt;, which in the UK translates to adoption of the National Cyber Security Centre’s &lt;a href=&quot;https://www.ncsc.gov.uk/collection/cyber-assessment-framework/introduction-to-caf&quot; target=&quot;_blank&quot;&gt;Cyber Assessment Framework (CAF)&lt;/a&gt; supported by regular &lt;a href=&quot;https://www.dsptoolkit.nhs.uk/&quot; target=&quot;_blank&quot;&gt;Data Security and Protection Toolkit (DSPT)&lt;/a&gt; reporting. [CAF and DSPT reporting are built into the Cylera platform, which secures many UK NHS Trusts.]&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The &lt;a href=&quot;https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=COM:2020:595:FIN&amp;amp;rid=1&quot; target=&quot;_blank&quot;&gt;Digital Operational Resilience Act (DORA)&lt;/a&gt;, which goes into effect on 17 January 2025, does not currently apply to healthcare providers, though it may have some impact on insurers. DORA is designed to “consolidate and upgrade ICT [information and communications technology] risk requirements” for the financial services industry and, interestingly, has a major focus on third parties and the impact of third-party risk. 
Whether some of its provisions will be incorporated into NIS2, CAF and HISAA remains to be seen, but its emphasis on building resiliency, incident reporting and threat sharing is already having an impact across Europe.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;2025 will likely see new US healthcare regulations with the Health Infrastructure Security and Accountability Act (&lt;a href=&quot;https://djholtlaw.com/healthcare-cybersecurity-how-the-health-infrastructure-security-and-accountability-act-hisaa-can-protect-your-practice/&quot; target=&quot;_blank&quot;&gt;HISAA&lt;/a&gt;). This aims to transform healthcare cybersecurity by setting minimum standards and throwing much-needed financial support to healthcare providers. HISAA is still in the drafting stage at present, but will likely impose stricter cybersecurity standards, require audits and stress tests, and implement serious consequences for non-compliance, while providing financial support to healthcare organizations that need help to enhance and improve their cybersecurity capabilities. &lt;br /&gt;&lt;br /&gt;HISAA will no doubt help to continue to move the needle, just as NIS2 and CAF are already beginning to do, but the threats from criminal and pariah state actors are unlikely to be reduced, at least in the immediate term. With an ever-expanding attack surface as new healthcare technologies including AI, mHealth, consumer medical wearables, and more and more medical devices are adopted and deployed, securing healthcare has become a game of cat-and-mouse or whack-a-mole. 
It is a seemingly never-ending cycle of identify, protect, detect, respond, and recover, as new risks and vulnerabilities are discovered and addressed through remediation or the implementation of compensating security controls.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;While compliance helps focus senior management attention and much-needed resources on security, the principal security driver will always be risk and the need for improved visibility. But if you can&#39;t see &#39;what&#39; and &#39;who&#39; connects to your medical network, how can you be expected to risk-assess an operations-critical, rapidly expanding healthcare threat surface to keep your patients and key health systems protected?&lt;br /&gt;&lt;br /&gt;&lt;span style=&quot;font-size: x-small;&quot;&gt;This blog was first posted at the &lt;a href=&quot;https://cylera.com/2024-healthcare-cybersecurity-year-in-review&quot; target=&quot;_blank&quot;&gt;following location&lt;/a&gt;.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4754398145823666731'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4754398145823666731'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/12/healthcare-cybersecurity-year-in-review.html' title='Healthcare Cybersecurity Year in Review'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS4Wym4UlBe7wK1VI70nEc4fljpUQtzcJeGeHv0M92FF7fWL9JDxgueFagrFzgqdjwDVK6MiU9Mz8o8Gq6lGSw7GuihES1bf_-1u-21_MbbuiOni0GqG5uAxFJ-ga9OWGZrxbh9MqQr2xARz98E06KCtG8IYAXwqPK0qBiqp_O9BTrEvh0ZipB13DIbjt4/s72-w640-h242-c/2024onblack.jpg" height="72" 
width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-7496588048080766714</id><published>2024-10-17T19:38:00.073+00:00</published><updated>2024-12-31T03:16:38.026+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Al Jazera"/><category scheme="http://www.blogger.com/atom/ns#" term="AlArabyia"/><category scheme="http://www.blogger.com/atom/ns#" term="CNN"/><category scheme="http://www.blogger.com/atom/ns#" term="GCF"/><category scheme="http://www.blogger.com/atom/ns#" term="Saudi Arabiya"/><category scheme="http://www.blogger.com/atom/ns#" term="TV Interview"/><title type='text'>Experts address AI, global security threats, &amp; solutions to cybercrimes</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ6EGYyN5KyTcJhUnzJqzWuRbCmvXXpSQgOR5mhCq5CsN44buGV-T91WqfQi7hO81h8UWYpBLQcohS2SoOyiyFgTN5rJl4aOclU6BY-9_BK4r5B4P5vQ8VOywXaV3XFfR6i1pSd4hAspibxh65Njh_tYu9kGy_fvSEGAGoHGXkWzDtfpcRKq8lloXQT8BI/s1549/ChrisRizRichard.png&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;696&quot; data-original-width=&quot;1549&quot; height=&quot;144&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ6EGYyN5KyTcJhUnzJqzWuRbCmvXXpSQgOR5mhCq5CsN44buGV-T91WqfQi7hO81h8UWYpBLQcohS2SoOyiyFgTN5rJl4aOclU6BY-9_BK4r5B4P5vQ8VOywXaV3XFfR6i1pSd4hAspibxh65Njh_tYu9kGy_fvSEGAGoHGXkWzDtfpcRKq8lloXQT8BI/w320-h144/ChrisRizRichard.png&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;

The annual cost of cybercrime is expected to reach $10 trillion next year. To put that figure into context, in terms of GDP it would be the third biggest economy in the world after the US and China.

&lt;br /&gt;&lt;br /&gt;

From deep-fakes and disinformation to hacks and attacks on infrastructure, healthcare and security networks, cybercrime is becoming the number one challenge for law enforcement and intelligence agencies. And artificial intelligence is already changing the rules of the game.

&lt;br /&gt;&lt;br /&gt;

Our increasingly connected digital world makes us all more vulnerable to criminal gangs and state-sponsored hackers who can access our data and devices. Imagine handing over control of your bank account, your electric vehicle, even your pacemaker.

&lt;br /&gt;&lt;br /&gt;

So how is the international community responding? To gain insights into the scale and nature of the problem, Al Arabiya News’ Riz Khan met leading experts at the Global Cybersecurity Forum in the Saudi capital Riyadh.

&lt;br /&gt;&lt;br /&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;
&lt;div&gt;&lt;iframe allowfullscreen=&quot;&quot; height=&quot;330&quot; src=&quot;https://video.cyberthoughts.org/2024.10.17_Experts_address_AI_global_security_threats_solutions_to_cybercrimes.mp4?start=5&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot; width=&quot;580&quot;&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;

&lt;br /&gt; &lt;br /&gt; &lt;br /&gt; &lt;br /&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/7496588048080766714'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/7496588048080766714'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/10/experts-address-ai-global-security.html' title='Experts address AI, global security threats, &amp; solutions to cybercrimes'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ6EGYyN5KyTcJhUnzJqzWuRbCmvXXpSQgOR5mhCq5CsN44buGV-T91WqfQi7hO81h8UWYpBLQcohS2SoOyiyFgTN5rJl4aOclU6BY-9_BK4r5B4P5vQ8VOywXaV3XFfR6i1pSd4hAspibxh65Njh_tYu9kGy_fvSEGAGoHGXkWzDtfpcRKq8lloXQT8BI/s72-w320-h144-c/ChrisRizRichard.png" height="72" width="72"/><georss:featurename>Riyadh Saudi Arabia</georss:featurename><georss:point>24.7135517 46.6752957</georss:point><georss:box>-3.5966821361788455 11.5190457 53.023785536178849 81.831545699999992</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-6735618477961395755</id><published>2024-10-11T19:57:00.008+00:00</published><updated>2024-12-28T21:45:19.656+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CII"/><category scheme="http://www.blogger.com/atom/ns#" term="CNI"/><category scheme="http://www.blogger.com/atom/ns#" term="Critical Infrastructure"/><category scheme="http://www.blogger.com/atom/ns#" term="Cyber Wagner"/><category scheme="http://www.blogger.com/atom/ns#" term="cyberattack"/><category scheme="http://www.blogger.com/atom/ns#" 
term="FBS"/><category scheme="http://www.blogger.com/atom/ns#" term="GRU"/><category scheme="http://www.blogger.com/atom/ns#" term="NHS"/><category scheme="http://www.blogger.com/atom/ns#" term="Qilin"/><category scheme="http://www.blogger.com/atom/ns#" term="Russian"/><category scheme="http://www.blogger.com/atom/ns#" term="SVR"/><category scheme="http://www.blogger.com/atom/ns#" term="UK Ambulance Service"/><title type='text'>UK Ambulance Service</title><content type='html'>&lt;p&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivdcdD9lrDzJg-unPtQWTi7cwd0Ca0IUjI-y-o3gcZsfqkVwMRRKHf7JPWmff_mP777ZtKXhNLNtbZWfCYQ-0jpBpy0NPbIsVpZgImvy_K0dZSGpF_9AjsUEvs3NbfosnkS4yY6_E9Y688JR_8Ab1H1x4nBe832nTkejwRgkese5giJbZlFQha6RzOfaQA/s1400/Ambulance%201500x500.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;467&quot; data-original-width=&quot;1400&quot; height=&quot;214&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivdcdD9lrDzJg-unPtQWTi7cwd0Ca0IUjI-y-o3gcZsfqkVwMRRKHf7JPWmff_mP777ZtKXhNLNtbZWfCYQ-0jpBpy0NPbIsVpZgImvy_K0dZSGpF_9AjsUEvs3NbfosnkS4yY6_E9Y688JR_8Ab1H1x4nBe832nTkejwRgkese5giJbZlFQha6RzOfaQA/w640-h214/Ambulance%201500x500.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The UK Ambulance Service is the latest target of Russian hackers according to a recent report.&lt;br /&gt;&lt;br /&gt;Like much of the NHS and other critical infrastructure service providers across the country, Russian FSB, SVR, and GRU spies along with criminal proxies have been engaged in a coordinated campaign to infiltrate and reconnoiter large parts of the UK’s critical infrastructure services. 
This includes the Civil Service, the Ministry of Defence, and many of their contractors.&lt;br /&gt;&lt;br /&gt;One of the targets of these cyber-attacks has been key suppliers to the UK Ambulance Service. Here, individuals working on the Ambulance Radio Program have been targeted from multiple directions by hackers in a credentials-harvesting campaign that could potentially crash the entire communications system. This would leave ambulance command centres unable to communicate with drivers and the police or fire services, or prevent them from receiving vital location information. &lt;br /&gt;&lt;br /&gt;The incident is believed to form part of a new Russian cyber warfare campaign dubbed “Cyber Wagner” by UK intelligence sources, in reference to the hardline Russian mercenary group run by the late Yevgeny Prigozhin.&lt;br /&gt;&lt;br /&gt;“This is the new front in Russia’s aggression against the West,” a western intelligence source monitoring the activity reported. “We need to prepare Western states for more aggression and hybrid warfare from Moscow.”&lt;br /&gt;&lt;br /&gt;This week, MI5 director Ken McCallum announced that Russia is on a “&lt;a href=&quot;https://www.bbc.com/news/articles/cp8e15yr1gwo&quot;&gt;sustained mission&lt;/a&gt;” to create “mayhem” across Britain and Europe. The UK&#39;s &quot;leading role&quot; in supporting Ukraine means &quot;we loom large in the fevered imagination of Putin&#39;s regime&quot; and further acts of aggression on UK soil should be expected, he warned. Russian GRU agents have carried out &quot;arson, sabotage and more dangerous actions conducted with increasing recklessness&quot; since the UK backed Ukraine in its war with Russia, he added.&lt;br /&gt;&lt;br /&gt;This would not be the first time that critical UK systems have been besieged by cyber adversaries. The revelations come just months after the hackers behind a catastrophic NHS cyber-attack in the summer were identified as part of a &lt;a href=&quot;https://inews.co.uk/news/russians-hacked-nhs-systems-kremlin-protected-cyber-army-3131435?ico=in-line_link&quot;&gt;wider cyber army working under the Kremlin’s protection trying to destabilise the UK.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In June, healthcare services were disrupted across London after a major cyber-attack targeted &lt;a href=&quot;https://www.england.nhs.uk/london/synnovis-ransomware-cyber-attack/&quot;&gt;Synnovis&lt;/a&gt;, a pathology testing organisation, severely affecting services. This led to the &lt;a href=&quot;https://www.standard.co.uk/news/health/london-nhs-russian-b1175503.html&quot;&gt;cancellation&lt;/a&gt; of 8,349 acute outpatient appointments and 1,608 elective procedures across much of South London at King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trusts and their associated hospitals and clinics. &lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;https://www.theguardian.com/technology/article/2024/jun/05/who-are-qilin-the-cybercriminals-thought-behind-the-london-hospitals-hack&quot;&gt;Qilin&lt;/a&gt;, which was held responsible for the assault, is merely one arm of a wider web of hacking affiliates using servers based in Russia to carry out attacks on UK critical infrastructure. The hackers said the incident was in response to “unspecified wars”. 
The attack on the NHS was a “major escalation” of the Kremlin’s use of cyber warfare through criminal proxies.&lt;br /&gt;&lt;br /&gt;As tensions continue to escalate, these attacks become less about the opportunity for criminal profit and more about the desire to inflict damage on the critical infrastructure of another country. The fact that the Kremlin appears to be enlisting the support of criminal groups is not exactly a surprising development for many. It is widely acknowledged that, for many years,&amp;nbsp;the Russian State has been providing safe harbour to Russian organised crime syndicate members accused of crimes in other countries by refusing arrest or extradition requests. So long as perpetrators direct their criminal business to organisations outside of the Russian Federation, they are allowed to operate with near impunity.&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;div&gt;Although no definitive connection has been proven between the Russian State, criminal gangs, or the Russian Mafia, a close working arrangement has been evident for quite some time, according to &lt;a href=&quot;https://ecfr.eu/publication/crimintern_how_the_kremlin_uses_russias_criminal_networks_in_europe/&quot;&gt;cybersecurity experts&lt;/a&gt;. 
Despite this, certain state and non-state actors within Russia appear intent on, if not on the cusp of, launching a cyberwar with the UK, Europe and North America.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/6735618477961395755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/6735618477961395755'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/10/uk-ambulance-service.html' title='UK Ambulance Service'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivdcdD9lrDzJg-unPtQWTi7cwd0Ca0IUjI-y-o3gcZsfqkVwMRRKHf7JPWmff_mP777ZtKXhNLNtbZWfCYQ-0jpBpy0NPbIsVpZgImvy_K0dZSGpF_9AjsUEvs3NbfosnkS4yY6_E9Y688JR_8Ab1H1x4nBe832nTkejwRgkese5giJbZlFQha6RzOfaQA/s72-w640-h214-c/Ambulance%201500x500.jpg" height="72" width="72"/><georss:featurename>London, UK</georss:featurename><georss:point>51.5072178 -0.1275862</georss:point><georss:box>23.196983963821154 -35.2838362 79.817451636178845 35.0286638</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-5553535395906273442</id><published>2024-10-03T19:11:00.040+00:00</published><updated>2024-12-28T22:08:40.830+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="GCF Panel"/><category scheme="http://www.blogger.com/atom/ns#" term="Securing the Healthcare Sector amidst Technological Disruptions"/><title type='text'>The Pulse of Security</title><content type='html'>&lt;p&gt;&lt;a 
href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh9dGlBeVXG-BJJ5frOLOmeLhS5s0H0cKHNUYRoy1bWZyM4K815cr7AehQBh7beGOvUV3lJ3tioX8iZvQTTypeMmU-pGTIG0Nhm1Nwehuf7DiSvDUZxjoR-1EeslHPXcNlEFWETzGdu7ly-ovOPkn1lMDAqCtZmhx5egUegyltZIpjCvswFK5yvU-AIAbf/s800/ThePulse%20of%20Security%20Panel-brightened.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;600&quot; data-original-width=&quot;800&quot; height=&quot;480&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh9dGlBeVXG-BJJ5frOLOmeLhS5s0H0cKHNUYRoy1bWZyM4K815cr7AehQBh7beGOvUV3lJ3tioX8iZvQTTypeMmU-pGTIG0Nhm1Nwehuf7DiSvDUZxjoR-1EeslHPXcNlEFWETzGdu7ly-ovOPkn1lMDAqCtZmhx5egUegyltZIpjCvswFK5yvU-AIAbf/w640-h480/ThePulse%20of%20Security%20Panel-brightened.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

“Healthcare is increasingly reliant upon technology, whether interconnected systems or online platforms to deliver vital services, but with that reliance comes growing cyber threats. In fact, recent research from Check Point Software shows that the Healthcare Sector experienced an average of around 2,000 cyber-attacks per week in the second quarter of this year, increasing by 15 percent compared to last year. That puts healthcare in third place just behind education and military as one of the most targeted sectors.

&lt;br /&gt;&lt;br /&gt;

“Hackers target hospitals not just because they are a gold mine of data but because many facilities are easy targets operating on outdated systems and devices. Needless to say, this is a very serious issue. Cyber-attacks are not just about accessing health insurance information and medical records; they can force hospitals to shut down critical systems, putting patient care and even lives at risk.

&lt;br /&gt;&lt;br /&gt;

“So how do we navigate this, how can we protect our systems while still embracing innovation in healthcare? 

&lt;br /&gt;&lt;br /&gt;

&lt;div style=&quot;text-align: right;&quot;&gt;&lt;b&gt;Lara Habib, Senior Presenter, Alarabiya News Channel&lt;/b&gt;&lt;/div&gt;

&lt;br /&gt;&lt;br /&gt;

Listen to Richard Staynings, Junaid Nabi, and Mike Fell as they explore the challenges facing healthcare and suggest ways in which the industry can better protect itself from a growing wave of cyber-attacks in this 30-minute panel discussion at the Global Cybersecurity Forum 2024 in Riyadh, Saudi Arabia today.

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div&gt;&lt;iframe allowfullscreen=&quot;&quot; height=&quot;330&quot; src=&quot;https://video.cyberthoughts.org/The-Pulse-of-Security-GCF-Annual-Meeting-2024-Day-Two-YouTube.mp4&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot; width=&quot;580&quot;&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5553535395906273442'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5553535395906273442'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/10/the-pulse-of-security.html' title='The Pulse of Security'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh9dGlBeVXG-BJJ5frOLOmeLhS5s0H0cKHNUYRoy1bWZyM4K815cr7AehQBh7beGOvUV3lJ3tioX8iZvQTTypeMmU-pGTIG0Nhm1Nwehuf7DiSvDUZxjoR-1EeslHPXcNlEFWETzGdu7ly-ovOPkn1lMDAqCtZmhx5egUegyltZIpjCvswFK5yvU-AIAbf/s72-w640-h480-c/ThePulse%20of%20Security%20Panel-brightened.jpg" height="72" width="72"/><georss:featurename>Riyadh Saudi Arabia</georss:featurename><georss:point>24.7135517 46.6752957</georss:point><georss:box>-3.5966821361788455 11.5190457 53.023785536178849 81.831545699999992</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-4810893544992008225</id><published>2024-09-30T17:08:00.074+00:00</published><updated>2024-12-30T21:30:31.734+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="Hospitals."/><category scheme="http://www.blogger.com/atom/ns#" term="Rural Healthcare"/><title type='text'>Rural Healthcare and the Catch22 of Cybersecurity</title><content type='html'>&lt;div align=&quot;center&quot; class=&quot;separator&quot;&gt;&lt;a 
href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2D5W87Pfxm9FS-SbFJpV-NL41tGs7wr_WRxnV7xvLjoKEtw0pUW-x5xXhUJ7NbvF7JnNdx9YnWleubHVN2FdSFZMonxG0HYOTYGK7dwWzTMNnccK5kTdo_4EBvqifEQuFkQQyfDxREnO394QfBW8JF8YCN-9Ew69JGxOXZc_n865aa5gqK85D0-AvG7QV/s640/hush-naidoo-jade-photography-ZCO_5Y29s8k-unsplash.jpg&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;427&quot; data-original-width=&quot;640&quot; height=&quot;402&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2D5W87Pfxm9FS-SbFJpV-NL41tGs7wr_WRxnV7xvLjoKEtw0pUW-x5xXhUJ7NbvF7JnNdx9YnWleubHVN2FdSFZMonxG0HYOTYGK7dwWzTMNnccK5kTdo_4EBvqifEQuFkQQyfDxREnO394QfBW8JF8YCN-9Ew69JGxOXZc_n865aa5gqK85D0-AvG7QV/w640-h429/hush-naidoo-jade-photography-ZCO_5Y29s8k-unsplash.jpg&quot; width=&quot;600&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;

&lt;div align=&quot;left&quot; class=&quot;separator&quot;&gt;&lt;/div&gt;
  
Rural America and Urban America can seem like two different worlds. Just look at the political map, or the disparity in wealth between ‘country folks’ and ‘city slickers’. Perhaps the most alarming difference, however, is the availability of basic healthcare services. &lt;br /&gt;&lt;br /&gt;If you live in rural America, you could be a 2- or 3-hour drive away from the closest renal dialysis center, or radiotherapy and chemotherapy clinic. You may also be several hours away from the nearest stroke or trauma center, which in an emergency could mean the difference between life and death. &lt;br /&gt;&lt;br /&gt;

As for many other medical services, rural Americans must make do with what is available in their community - a local midwife rather than a maternity hospital or ‘new life center’ staffed with neonatal experts and incubators in case they are needed. Go into labor early or present as a high-risk pregnancy and be prepared to be ambulanced or, worse, air-ambulanced at huge expense to a city hospital where you and your infant can be properly cared for. Today, anything other than basic medical services usually means a long drive to the nearest city.

&lt;br /&gt;&lt;br /&gt;

The trouble is that what remains of rural health services is rapidly declining. Rural hospitals and entire rural health systems are closing, and those that remain open are continuously reducing their specialist services, which may not be used enough to remain profitable or even to cover costs.

&lt;br /&gt;&lt;br /&gt;

A new &lt;a href=&quot;https://www.aha.org/2022-09-07-rural-hospital-closures-threaten-access&quot; target=&quot;_blank&quot;&gt;report&lt;/a&gt; from the American Hospital Association (AHA) states that 136 rural hospital closures occurred between 2010 and 2021, with a record 19 closures in 2020 alone. Beckers, in a recent &lt;a href=&quot;https://www.beckershospitalreview.com/finance/20-states-with-most-rural-hospital-closures.html&quot; target=&quot;_blank&quot;&gt;article&lt;/a&gt;, reviewed a longer period and claims that nearly 200 rural hospitals have closed since 2005. What’s even more alarming is that the pace of closure is accelerating: eight rural hospitals closed in 2023, as many as in 2022 and 2021 combined, according to the &lt;a href=&quot;https://ruralhospitals.chqpr.org/&quot; target=&quot;_blank&quot;&gt;Center for Healthcare Quality and Payment Reform&lt;/a&gt;&#39;s latest report. 2024 could be even worse, given the financial brinkmanship caused by the &lt;a href=&quot;https://www.hklaw.com/en/insights/publications/2024/06/change-healthcare-cybersecurity-incident-financial-impact&quot; target=&quot;_blank&quot;&gt;UHG Change Healthcare cyberattack&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;

Just last month, the Eastern Plains Healthcare Consortium (EPHC) stated during its &lt;a href=&quot;https://www.easternplainshealth.org/2024-annual-meeting&quot; target=&quot;_blank&quot;&gt;annual conference&lt;/a&gt; that 20% of rural hospitals in Colorado are at risk of closing. They require a 4% operating margin to replace equipment and maintain existing services; however, nearly all are currently running in the red, some by as much as -17%. EPHC estimates that some 30 rural Colorado hospitals will be forced to convert to emergency-only services as Emergency Rural Health Hospitals to avoid closing altogether.

&lt;br /&gt;&lt;br /&gt;

Some of these hospital closures are the result of cyberattacks. In particular, one recent Illinois &lt;a href=&quot;https://www.nbcnews.com/tech/security/illinois-hospital-links-closure-ransomware-attack-rcna85983&quot; target=&quot;_blank&quot;&gt;hospital closure&lt;/a&gt; is blamed on a 2021 ransomware attack that prevented the hospital from submitting claims to payers for months, killing its cashflow and financial viability. Another small hospital had its entire payroll stolen in a cyberattack, preventing it from paying any of its staff and placing it in financial peril.

&lt;br /&gt;&lt;br /&gt;

The Change Healthcare cyberattack earlier this year has exacerbated the plight of small providers, and in particular rural clinics and physician practices. Many physicians are &lt;a href=&quot;https://www.ama-assn.org/practice-management/sustainability/change-healthcare-cyberattack&quot; target=&quot;_blank&quot;&gt;struggling&lt;/a&gt; to keep their practices afloat, according to the American Medical Association (AMA). Even though UHG, the owner of Change Healthcare, has publicly said it will provide relief in the form of &lt;a href=&quot;https://www.aha.org/lettercomment/2024-03-04-aha-expresses-concerns-uhg-program-response-cyberattack-change-healthcare&quot; target=&quot;_blank&quot;&gt;Temporary Funding Assistance&lt;/a&gt; to impacted providers, this assistance is very selective, one-sided and fraught with caveats, according to Richard Pollack of the AHA in a letter to UHG.&lt;div&gt;&lt;br /&gt;&lt;h3 style=&quot;text-align: left;&quot;&gt;Challenges for Rural Healthcare Providers&lt;/h3&gt;&lt;div&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_fTXMofrnolfvmhaFopdP-jRY2gTEhVS480zPMvlwmLqr1h8vvdiwAoFIa_kABoikz4OU6oyQ8V-GwHHDmTH2mxuNyX3H0-dxWNYNYrq3r6s1Y9lJZf7FFisOCL49FGQ16655zW1uM9WjSNCUvbSFwulwNklr-bxCy_GBHMwgpTGcFh03g-uJvRqmZaA7/s480/There-is-an-approach-that-could-play-a-role-in-supplying-rural-areas-with-easier-access-to-health-care-Telemedicine_2029_40159611_0_14137210_500-224km30.jpg&quot; imageanchor=&quot;1&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;371&quot; data-original-width=&quot;480&quot; height=&quot;247&quot; 
src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_fTXMofrnolfvmhaFopdP-jRY2gTEhVS480zPMvlwmLqr1h8vvdiwAoFIa_kABoikz4OU6oyQ8V-GwHHDmTH2mxuNyX3H0-dxWNYNYrq3r6s1Y9lJZf7FFisOCL49FGQ16655zW1uM9WjSNCUvbSFwulwNklr-bxCy_GBHMwgpTGcFh03g-uJvRqmZaA7/s320/There-is-an-approach-that-could-play-a-role-in-supplying-rural-areas-with-easier-access-to-health-care-Telemedicine_2029_40159611_0_14137210_500-224km30.jpg&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

Rural providers face many challenges: finances, strained by rural depopulation and a disproportionate number of rural patients on Medicare and Medicaid; general resource constraints; and huge difficulty attracting and retaining nursing, physician, and other staff. Most notable of these is the lack of trained and experienced cybersecurity staff to protect rural providers from an increasing volume of cyberattacks. 

&lt;br /&gt;&lt;br /&gt;

These hospitals run on a small number of IT generalists and often find it difficult to patch systems in a timely manner, let alone obtain the budget or expertise to implement leading security practices or the latest security tools and services. Many operate on end-of-life computer hardware and medical devices no longer supported by vendors. Compared to urban providers, these hospitals are an easy target for criminals and are frequent victims of PHI breaches, ransomware, and other attacks. 

&lt;br /&gt;&lt;br /&gt;

Like their urban cousins, rural hospitals are undergoing a digital transformation to new clinical and IT systems. This involves the addition of more medical and other IoT systems, including connected building management systems for HVAC, elevators, proximity door locks, CCTV cameras, and Pyxis drug cabinets. These systems dramatically expand the cyber threat surface and, unless secured and maintained, can significantly elevate the risk of attack. But rural providers often lack the specialist skills to safely manage these systems. That is perhaps why many are turning to a combination of Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) to effectively outsource security and much of IT.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
  
&lt;div align=&quot;center&quot; class=&quot;separator&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4oPfpjG6o9NsQey32S9ALvL8lq9TghnTUeqirud84BA9XRZaVdIKd9ubjo6r0FH6mF70BDkKWtTEPmqC1u775c-iGxoXQpwTnZBvR5vMCJjGMSoUGn7ZP9xFrCwhwvWPG6D4aCD3qfl0vkc2FEvbMT8arjkRdXBIbe1-6iK29ylmDh73Dszi_92vNhit7/s900/rural-hospital-closings.webp&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;400&quot; data-original-width=&quot;900&quot; height=&quot;178&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4oPfpjG6o9NsQey32S9ALvL8lq9TghnTUeqirud84BA9XRZaVdIKd9ubjo6r0FH6mF70BDkKWtTEPmqC1u775c-iGxoXQpwTnZBvR5vMCJjGMSoUGn7ZP9xFrCwhwvWPG6D4aCD3qfl0vkc2FEvbMT8arjkRdXBIbe1-6iK29ylmDh73Dszi_92vNhit7/w400-h178/rural-hospital-closings.webp&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
  
&lt;h3 style=&quot;text-align: left;&quot;&gt;Rural Healthcare Needs Help&lt;/h3&gt;MSPs and MSSPs manage a large number of hospitals at the same time, and through a leveraged model can provide point expertise as needed in more or less any technology or vendor system. They can also implement advanced SaaS tools from &lt;a href=&quot;https://cylera.com/&quot; target=&quot;_blank&quot;&gt;Cylera&lt;/a&gt; and others to identify the growing number of connected assets and to evaluate and prioritize risk remediation. Indeed, the incorporation of SaaS services is rapidly helping to drive improvements in rural provider cybersecurity, especially in medical device security, a growing problem for all healthcare providers.

&lt;br /&gt;&lt;br /&gt;

The advent of managed services has become particularly important given a new &lt;a href=&quot;https://www.aha.org/2024-06-10-aha-helps-secure-new-cybersecurity-resources-microsoft-and-google-assist-rural-hospitals&quot; target=&quot;_blank&quot;&gt;assistance program&lt;/a&gt; for rural hospitals orchestrated by the White House and the AHA in June of this year. Microsoft and Oracle have agreed to provide free and heavily discounted cybersecurity resources, giving rural hospitals access to many of their security tools and technologies. However, according to the White House this week, relatively few rural hospitals are so far &lt;a href=&quot;https://www.nextgov.com/cybersecurity/2024/09/under-quarter-rural-hospitals-are-using-white-houses-free-cyber-resource-program-official-says/399251/&quot; target=&quot;_blank&quot;&gt;taking advantage&lt;/a&gt; of a free program designed to thwart ransomware attacks: only 350 of the 1,800 small and rural US hospitals are currently leveraging this assistance program. 

&lt;br /&gt;&lt;br /&gt;

It appears that without MSP or MSSP help, many rural providers are simply unable to accept or implement these discounted tools, or to utilize the free security assessments, because they don’t have the staff bandwidth to do so. This is the Catch22 of providing security assistance to rural health providers. Thankfully, for some, the MSP/MSSP buffer is helping to facilitate this today. 

&lt;br /&gt;&lt;br /&gt;

While near-term improvements to rural hospital cybersecurity will be of great assistance in helping to reduce cyberattacks, there are still long-term structural problems in maintaining the continued presence of rural providers and access to healthcare services for rural communities. The healthcare industry faces many problems, not least of which is unmitigated cybersecurity risk. While urban providers can rely upon numbers to maintain services, and on a plentiful supply of cybersecurity talent nearby to avoid the worst of the attacks, rural providers face almost insurmountable challenges. This is undoubtedly a larger political question of healthcare reform that the next administration will need to prioritize.

&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;

&lt;span style=&quot;font-size: x-small;&quot;&gt;A version of this blog was initially published&amp;nbsp;&lt;a href=&quot;https://cylera.com/the-rural-healthcare-crisis-how-cybersecurity-threats-are-fueling-hospital-closures/&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt;&lt;/span&gt;

&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4810893544992008225'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4810893544992008225'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/09/rural-healthcare-and-catch22-of.html' title='Rural Healthcare and the Catch22 of Cybersecurity'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2D5W87Pfxm9FS-SbFJpV-NL41tGs7wr_WRxnV7xvLjoKEtw0pUW-x5xXhUJ7NbvF7JnNdx9YnWleubHVN2FdSFZMonxG0HYOTYGK7dwWzTMNnccK5kTdo_4EBvqifEQuFkQQyfDxREnO394QfBW8JF8YCN-9Ew69JGxOXZc_n865aa5gqK85D0-AvG7QV/s72-w640-h429-c/hush-naidoo-jade-photography-ZCO_5Y29s8k-unsplash.jpg" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-5544297656471053928</id><published>2024-09-03T22:15:00.032+00:00</published><updated>2024-09-06T23:24:55.151+00:00</updated><title type='text'>Isn&#39;t it about time we secured BGP?</title><content type='html'>&lt;p&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgen1lajilkZYAw4WRb9iqfEgMUBkD_6mJlkNrWVJJI9Sp81uSVcIlPJmZhIB7a1KaiTyiHFor6syV3BO62Xt0Kqp9IZjfuBo529e0wUzadRsr5-hyPRPrSP9rndxRG_O5oMlSbQaccEi9OANfP-QVVS22Ho0kKzUEgG_MXy0qXHDUk8jc5nHY5V9QEywPu/s1920/matias-contreras-kQ4tZUEqyPw-unsplash.jpg&quot;&gt;&lt;img border=&quot;0&quot; 
src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgen1lajilkZYAw4WRb9iqfEgMUBkD_6mJlkNrWVJJI9Sp81uSVcIlPJmZhIB7a1KaiTyiHFor6syV3BO62Xt0Kqp9IZjfuBo529e0wUzadRsr5-hyPRPrSP9rndxRG_O5oMlSbQaccEi9OANfP-QVVS22Ho0kKzUEgG_MXy0qXHDUk8jc5nHY5V9QEywPu/w640-h426/matias-contreras-kQ4tZUEqyPw-unsplash.jpg&quot; /&gt;&lt;/a&gt;&lt;br /&gt; &lt;br /&gt;Border Gateway Protocol, or ‘BGP’ as it is more often referred to, has been a staple of internet routing since the heady days of 1989, when TCP was finally getting into its stride and the internet as we know it was in its infancy. &lt;/p&gt;&lt;p&gt;BGP enables routers to determine the most efficient paths for data to travel across networks, providing the scalability and efficiency the internet depends on. The protocol allows network backbone providers to announce routes across networks and is the primary routing protocol used to exchange routing information between the different autonomous systems that make up the internet. The trouble is that, like many things to do with the internet, it was never really designed to be secure: a router has no built-in way to verify that a neighbour is actually authorized to announce the routes it advertises, and this leads to all kinds of problems, as we shall see. &lt;br /&gt;&lt;br /&gt;BGP has been abused multiple times since Al Gore claims to have invented the Internet. Joking aside - it was actually Vint Cerf and Bob Kahn who are credited with the accomplishment - BGP has suffered some pretty high-profile attacks that have caused outages or, even more alarmingly, routed traffic through a specific country – one known for its prolific cyber espionage practices. &lt;br /&gt;&lt;br /&gt;In 2008, a Pakistani ISP wanted to block access to YouTube within Pakistan but accidentally announced a BGP route that led to all of YouTube’s global traffic being redirected through Pakistan. This caused a worldwide outage of YouTube for several hours, although YouTube has probably never been faster in Pakistan before or since. 
&lt;br /&gt;&lt;br /&gt;Then in 2010, China Telecom “accidentally” advertised incorrect BGP routes that caused a significant amount of global internet traffic, including that of U.S. government and military sites, to be routed through China. Naturally, neither the US government nor the Department of Defense was very happy about that little so-called “error”, especially considering that at the time not all government network traffic was being encrypted. &lt;br /&gt;&lt;br /&gt;More recently, in 2018, cybercriminals hijacked BGP routes for Amazon’s Route 53 DNS service to redirect traffic intended for MyEtherWallet, a popular cryptocurrency wallet service, to a malicious server owned by the perpetrators. The attackers then stole users&#39; cryptocurrency by tricking them into entering their credentials on the fake site. &lt;br /&gt;&lt;br /&gt;The White House naturally has been considering options to replace or upgrade BGP with an improved authentication scheme to remove opportunities for abuse and cybercrime, including any cyber espionage that nation states may be considering. Its proposed solution is the Resource Public Key Infrastructure (RPKI) - a security framework designed to enhance the security of BGP by providing a way to cryptographically verify the ownership of IP address blocks and the authorization of networks to announce specific routes. &lt;br /&gt;&lt;br /&gt;To that end, the &lt;a href=&quot;https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/press-release-white-house-office-of-the-national-cyber-director-releases-roadmap-to-enhance-internet-routing-security/&quot;&gt;White House&lt;/a&gt; has released a guidance document on ways of improving upon BGP, in a proposed roadmap to enhance internet routing security. This includes the adoption of new technologies, including RPKI. 
As a government press release stated today, “these recommendations are of particular importance to the networks used by critical infrastructure owners and operators, state and local governments, and any organization dependent on internet access for purposes that the entity considers to be of high value.” &lt;br /&gt;&lt;br /&gt;The press release went on to say that “by the end of the year, it is expected that over 60% of the Federal government’s advertised IP space will be covered by Registration Service Agreements (RSA), paving the way to establish Route Origin Authorizations (ROA) for Federal networks.” &lt;br /&gt;&lt;br /&gt;The White House is obviously taking the risks of major BGP attacks very seriously and is looking to protect against these apparent threats immediately. &lt;br /&gt;&lt;br /&gt;“Internet security is too important to ignore which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” said White House National Cyber Director Harry Coker, Jr. “ONCD, along with our public and private sector partners, are guiding a risk-informed path forward towards our communal objective. We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans.” &lt;br /&gt;&lt;br /&gt;The full roadmap can be read or downloaded in PDF &lt;a href=&quot;https://www.whitehouse.gov/wp-content/uploads/2024/09/Roadmap-to-Enhancing-Internet-Routing-Security.pdf&quot;&gt;here&lt;/a&gt;. 
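&lt;br /&gt;&lt;br /&gt;To make the RPKI mechanism the roadmap relies on a little more concrete, here is a small route origin validation (ROV) check written for this post as an added example. It is not code from the White House roadmap, from ONCD, or from any router vendor. It follows the three outcomes RFC 6811 defines for a BGP announcement checked against a set of Route Origin Authorizations (ROAs): valid, invalid and not-found. The ROA class, the function names, and the ROA table and announcements (which use documentation prefixes and private AS numbers) are all constructed for the illustration and describe no real network.

```python
"""Route origin validation (ROV) per RFC 6811, written as an added
illustration for this post. It is not code from the White House roadmap or
from any router vendor; the ROA table and the announcements below are
constructed sample data using documentation prefixes and private ASNs."""
import ipaddress
from dataclasses import dataclass

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` authorises `asn` to
    originate it, and any more-specific prefix up to `max_length` bits long."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROA set: RFC 5737 documentation prefixes and RFC 5398 private
# AS numbers. Nothing here describes a real network or registry entry.
SAMPLE_ROAS = (
    ROA("203.0.113.0/24", 24, 64496),   # exactly the /24 may be announced
    ROA("198.51.100.0/24", 26, 64497),  # /24 down to /26 may be announced
)


def covering_roas(announced, roas):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    ann = ipaddress.ip_network(announced, strict=False)
    found = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of raises on mixed IPv4/IPv6, so compare versions first.
        if ann.version == net.version and ann.subnet_of(net):
            found.append(roa)
    return found


def validate_origin(announced, origin_asn, roas):
    """Classify one announcement (prefix, origin AS) against the ROA set.

    not-found: no ROA covers the prefix, so RPKI says nothing about it.
    valid:     a covering ROA names this origin AS and the announced prefix
               length lies between the ROA prefix length and its maxLength.
    invalid:   ROAs cover the prefix but none matches origin and length;
               this is the shape of the mis-announcements the post describes.
    """
    ann = ipaddress.ip_network(announced, strict=False)
    covering = covering_roas(announced, roas)
    if not covering:
        return NOT_FOUND
    for roa in covering:
        roa_len = ipaddress.ip_network(roa.prefix, strict=False).prefixlen
        # range() keeps the comparison inclusive on both ends.
        length_ok = ann.prefixlen in range(roa_len, roa.max_length + 1)
        if roa.asn == origin_asn and length_ok:
            return VALID
    return INVALID


def accept(state):
    """Common ROV deployment policy: drop invalid, accept valid and not-found."""
    return state != INVALID


def triage(announcements, roas):
    """Run every (prefix, origin AS) pair through validation and return rows
    of (prefix, origin AS, state, accepted) suitable for logging or review."""
    rows = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        rows.append((prefix, asn, state, accept(state)))
    return rows


if __name__ == "__main__":
    # Constructed announcements, one per outcome the validator can produce.
    demo = [
        ("203.0.113.0/24", 64496),   # legitimate origin
        ("203.0.113.0/24", 64511),   # wrong origin AS
        ("198.51.100.0/25", 64497),  # more-specific within maxLength
        ("198.51.100.0/27", 64497),  # more-specific beyond maxLength
        ("192.0.2.0/24", 64496),     # no ROA covers it
    ]
    for row in triage(demo, SAMPLE_ROAS):
        print(row)
```

The not-found state is what every prefix returned before its holder published a ROA, which is why the roadmap’s push to get Federal address space covered by ROAs matters: an announcement can only be rejected as invalid for prefixes whose holders have published one. Deployments that act on the result typically drop invalid routes and accept valid and not-found ones, which is the policy the accept helper encodes.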
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5544297656471053928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5544297656471053928'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/09/isnt-it-about-time-we-secured-bgp.html' title='Isn&#39;t it about time we secured BGP?'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgen1lajilkZYAw4WRb9iqfEgMUBkD_6mJlkNrWVJJI9Sp81uSVcIlPJmZhIB7a1KaiTyiHFor6syV3BO62Xt0Kqp9IZjfuBo529e0wUzadRsr5-hyPRPrSP9rndxRG_O5oMlSbQaccEi9OANfP-QVVS22Ho0kKzUEgG_MXy0qXHDUk8jc5nHY5V9QEywPu/s72-w640-h426-c/matias-contreras-kQ4tZUEqyPw-unsplash.jpg" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-3156122306252861780</id><published>2024-08-30T14:00:00.066+00:00</published><updated>2024-09-19T22:24:07.154+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="CyberSecurity"/><category scheme="http://www.blogger.com/atom/ns#" term="Healthcare Policy"/><category scheme="http://www.blogger.com/atom/ns#" term="Rural Health"/><title type='text'>The Growing Rural Healthcare Cybersecurity Crisis</title><content type='html'>&lt;div class=&quot;separator&quot;&gt;&lt;a 
href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc3vTiBqSilJxEZlGNwFcxDMXh2GAR8Vw9l_gag0AzAzj1l2WjXAsKCZGxfbHeQJ6uWtqNfNE-YOfd16omBR5RwJDkcfrytejRJe3q5y-6u1nkdI6OeFlrfJOQLsPMueBJI9azR8sCMtb6BcTwbhOHVlzXkcfxC3bKJB0sPDWKrjtEsyXn-nB1q5D0dd6U/s640/online-marketing-hIgeoQjS_iE-unsplash.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;360&quot; data-original-width=&quot;640&quot; height=&quot;360&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc3vTiBqSilJxEZlGNwFcxDMXh2GAR8Vw9l_gag0AzAzj1l2WjXAsKCZGxfbHeQJ6uWtqNfNE-YOfd16omBR5RwJDkcfrytejRJe3q5y-6u1nkdI6OeFlrfJOQLsPMueBJI9azR8sCMtb6BcTwbhOHVlzXkcfxC3bKJB0sPDWKrjtEsyXn-nB1q5D0dd6U/w640-h360/online-marketing-hIgeoQjS_iE-unsplash.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;
&lt;div class=&quot;separator&quot;&gt;&lt;/div&gt;

Rural America and Urban America can seem like two different worlds. Just look at the political map, or the disparity in wealth between ‘country folks’ and ‘city slickers’. Perhaps the most alarming difference, however, is the availability of basic healthcare services. 

&lt;br /&gt;&lt;br /&gt;

If you live in rural America, you could be a 2- or 3-hour drive away from the closest renal dialysis center, or radiotherapy and chemotherapy clinic. You may also be several hours away from the nearest stroke or trauma center, which in an emergency could mean the difference between life and death. 

&lt;br /&gt;&lt;br /&gt;

As for many other medical services, rural Americans must make do with what is available in their community - a local midwife rather than a maternity hospital or ‘new life center’ staffed with neonatal experts and incubators in case they are needed. Go into labor early or present as a high-risk pregnancy and be prepared to be ambulanced or, worse, air-ambulanced at huge expense to a city hospital where you and your infant can be cared for. Today, anything other than basic medical services usually means a long drive to the nearest city. 

&lt;br /&gt;&lt;br /&gt;

The trouble is that what remains of rural health services is rapidly declining. Rural hospitals and entire rural health systems are closing, and those that remain open are continuously reducing their specialist services, which may not be used enough to remain profitable or cover costs. 

&lt;br /&gt;&lt;br /&gt;

A new &lt;a href=&quot;https://www.aha.org/2022-09-07-rural-hospital-closures-threaten-access&quot;&gt;report&lt;/a&gt; from the American Hospital Association (AHA) states that 136 rural hospital closures occurred between 2010 and 2021, with a record 19 closures in 2020 alone. Beckers, in a recent &lt;a href=&quot;https://www.beckershospitalreview.com/finance/20-states-with-most-rural-hospital-closures.html&quot;&gt;article&lt;/a&gt;, reviewed a longer period and claims that nearly 200 rural hospitals have closed since 2005. What’s even more alarming is that the pace of closure is accelerating: eight rural hospitals closed in 2023, as many as in 2022 and 2021 combined, according to the &lt;a href=&quot;https://ruralhospitals.chqpr.org/&quot;&gt;Center for Healthcare Quality and Payment Reform&lt;/a&gt;&#39;s latest report. 

&lt;br /&gt;&lt;br /&gt;

As recently as this month, the Eastern Plains Healthcare Consortium (EPHC) stated during its &lt;a href=&quot;https://www.easternplainshealth.org/2024-annual-meeting&quot;&gt;annual conference&lt;/a&gt; that 20% of rural hospitals in Colorado are at risk of closing. They require a 4% operating margin to replace equipment and maintain existing services; however, nearly all are currently running in the red, some by as much as -17%. EPHC estimates that some 30 rural Colorado hospitals will be forced to convert to emergency-only services as Emergency Rural Health Hospitals to avoid closing altogether. 

&lt;br /&gt;&lt;br /&gt;

Some of these hospital closures are the result of cyberattacks. In particular, one recent Illinois &lt;a href=&quot;https://www.nbcnews.com/tech/security/illinois-hospital-links-closure-ransomware-attack-rcna85983&quot;&gt;hospital closure&lt;/a&gt; is blamed on a 2021 ransomware attack that prevented the hospital from submitting claims to payers for months, killing its cashflow and financial viability. Another small hospital had its entire payroll stolen in a cyberattack, preventing it from paying any of its staff and placing it in financial peril. 

&lt;br /&gt;&lt;br /&gt;

The &lt;a href=&quot;https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack&quot;&gt;Change Healthcare cyberattack&lt;/a&gt; earlier this year has exacerbated the plight of small providers, and in particular rural clinics and physician practices. Many physicians are &lt;a href=&quot;https://www.ama-assn.org/practice-management/sustainability/change-healthcare-cyberattack&quot;&gt;struggling&lt;/a&gt; to keep their practices afloat, according to the American Medical Association (AMA). Even though UHG, the owner of Change Healthcare, has publicly said it will provide relief in the form of &lt;a href=&quot;https://www.aha.org/lettercomment/2024-03-04-aha-expresses-concerns-uhg-program-response-cyberattack-change-healthcare&quot;&gt;Temporary Funding Assistance&lt;/a&gt; to impacted providers, this assistance is very selective, one-sided and fraught with caveats, according to Richard Pollack of the AHA in a letter to UHG. 

&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Challenges for Rural Healthcare Providers&lt;/h3&gt;

Rural providers face many challenges: finances, strained by rural depopulation and a disproportionate number of rural patients on Medicare and Medicaid; general resource constraints; and huge difficulty attracting and retaining nursing, physician, and other staff. Most notable of these is the lack of trained and experienced cybersecurity staff to protect rural providers from an increasing volume of cyberattacks. 

&lt;br /&gt;&lt;br /&gt;

These hospitals run on a small number of IT generalists and often find it difficult to patch systems in a timely manner, let alone obtain the budget or expertise to implement the latest security tools and services. Many operate on end-of-life computer hardware and medical devices no longer supported by vendors. Compared to urban providers, these hospitals are an easy target for criminals and are frequent victims of PHI breaches, ransomware, and other attacks. 

&lt;br /&gt;&lt;br /&gt;

Like their urban cousins, rural hospitals are undergoing a digital transformation to new clinical and IT systems. This involves the addition of more medical and other IoT systems, including connected building management systems for HVAC, elevators, proximity door locks, CCTV cameras, and Pyxis drug cabinets. These systems dramatically expand the cyber threat surface and, unless secured and maintained, can significantly elevate the risk of attack. But rural providers often lack the specialist skills to safely manage these systems. That is perhaps why many are turning to a combination of Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) to effectively outsource security and much of IT. 

&lt;br /&gt;&lt;br /&gt;

MSPs and MSSPs manage a large number of hospitals at the same time, and through a leveraged model can provide point expertise as needed in more or less any technology or vendor system. They can also implement advanced SaaS tools from &lt;a href=&quot;https://cylera.com/&quot;&gt;Cylera&lt;/a&gt; and others to identify the growing number of connected assets and to evaluate and prioritize risk remediation. Indeed, the incorporation of SaaS services is rapidly helping to drive improvements in rural provider cybersecurity, especially in medical device security, a growing problem for all healthcare providers. 

&lt;br /&gt;&lt;br /&gt;

The advent of managed services has become particularly important given a new &lt;a href=&quot;https://www.aha.org/2024-06-10-aha-helps-secure-new-cybersecurity-resources-microsoft-and-google-assist-rural-hospitals&quot;&gt;assistance program&lt;/a&gt; for rural hospitals orchestrated by the White House and the AHA in June of this year. Microsoft and Oracle have agreed to provide free and heavily discounted cybersecurity resources, giving rural hospitals access to many of their security tools and technologies. However, according to the White House this week, relatively few rural hospitals are so far &lt;a href=&quot;https://www.nextgov.com/cybersecurity/2024/09/under-quarter-rural-hospitals-are-using-white-houses-free-cyber-resource-program-official-says/399251/&quot;&gt;taking advantage&lt;/a&gt; of a free program designed to thwart ransomware attacks: only 350 of the 1,800 small and rural US hospitals are currently leveraging this assistance program. 

&lt;br /&gt;&lt;br /&gt;

It appears that without MSP or MSSP help, many rural providers are simply unable to accept or implement these discounted tools, or to utilize the free security assessments, because they don’t have the staff bandwidth to do so. This is the Catch22 of providing security assistance to rural health providers. Thankfully, for some, the MSP/MSSP buffer is helping to facilitate this today. 

&lt;br /&gt;&lt;br /&gt;

While near-term improvements to rural hospital cybersecurity will be of great assistance in helping to reduce cyberattacks, there are still long-term structural problems in maintaining the continued presence of rural providers and access to healthcare services for rural communities. The healthcare industry faces many problems, not least of which is unmitigated cybersecurity risk. While urban providers can rely upon numbers to maintain services, and on a plentiful supply of cybersecurity talent nearby to avoid the worst of the attacks, rural providers face almost insurmountable challenges. This is undoubtedly a larger political question of healthcare reform that the next administration will need to prioritize. 

&lt;br /&gt;
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/3156122306252861780'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/3156122306252861780'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/08/the-growing-rural-healthcare.html' title='The Growing Rural Healthcare Cybersecurity Crisis'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc3vTiBqSilJxEZlGNwFcxDMXh2GAR8Vw9l_gag0AzAzj1l2WjXAsKCZGxfbHeQJ6uWtqNfNE-YOfd16omBR5RwJDkcfrytejRJe3q5y-6u1nkdI6OeFlrfJOQLsPMueBJI9azR8sCMtb6BcTwbhOHVlzXkcfxC3bKJB0sPDWKrjtEsyXn-nB1q5D0dd6U/s72-w640-h360-c/online-marketing-hIgeoQjS_iE-unsplash.jpg" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-4595859525409396521</id><published>2024-06-04T23:04:00.031+00:00</published><updated>2025-10-16T05:39:32.455+00:00</updated><title type='text'>When is Enough, Enough?</title><content type='html'>&lt;p&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQR78GQx46UnpWankQV9fA4UHaj8lt7IwqPRhfGL55XVqhZ7orn1-glefclKkkn5l_yCDRVt2EEhUvxOxEA3tJlsBwg7i79jNTTLyEW0C92DLlhba9eZbE-pGL3PBz4tjhheKKvixg4GkVzfQkIkwNMZha7-yvrh-1JwP8Exin4vim1Sn-OeHf11TS6eE1/s1370/Guy_s-and-St-Thomas_-NHS-Foundation-Trust.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;520&quot; 
data-original-width=&quot;1370&quot; height=&quot;242&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQR78GQx46UnpWankQV9fA4UHaj8lt7IwqPRhfGL55XVqhZ7orn1-glefclKkkn5l_yCDRVt2EEhUvxOxEA3tJlsBwg7i79jNTTLyEW0C92DLlhba9eZbE-pGL3PBz4tjhheKKvixg4GkVzfQkIkwNMZha7-yvrh-1JwP8Exin4vim1Sn-OeHf11TS6eE1/w640-h242/Guy_s-and-St-Thomas_-NHS-Foundation-Trust.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;

&lt;br /&gt;This week marks yet another dark moment for healthcare with yet another Russian cyber-attack against a supplier of critical services for two major London hospital trusts, where over 200 life-saving operations and hundreds of other appointments have had to be cancelled, while ambulances have been placed on divert.&lt;br /&gt;&lt;br /&gt;Impacted are King’s College Hospital, Guy’s and St Thomas’ - including the Royal Brompton and the Evelina London Children’s Hospital - along with their associated primary care services. This includes GP services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs. All have had to revert to paper for blood tests and transfusions thanks to a ransomware attack against Synnovis, a provider of pathology services.&lt;br /&gt;&lt;br /&gt;“This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families,” said an NHS spokesperson in a statement.&lt;br /&gt;&lt;br /&gt;Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics. On Monday it was hit with a cyber extortion attack, evidently the work of a Russian criminal group known as Qilin, which has demanded a $50 million ransom payment to be made within 120 hours. As a result, an emergency was declared, the National Cyber Security Centre notified, and the Cyber Operations Team called in for assistance. All of Synnovis&#39;s IT systems are believed to be affected.&lt;br /&gt;&lt;br /&gt;The incident follows a separate case at Synlab Italia, which in April involved a different Russian group known as Black Basta forcing the company&#39;s services offline. 
The group has been linked to the Conti ransomware group, an even more infamous Russian organized crime syndicate. Following this attack, it took the provider nearly a month to restore the majority of its systems. It appears Synlab Italia didn&#39;t pay whatever ransom was demanded of it, as Black Basta claims it has Synlab&#39;s data available for download on its blog. Black Basta is also thought to have been responsible for the attack last month against US healthcare provider Ascension Health. &lt;br /&gt;&lt;br /&gt;The attack this week against Synnovis, however, appears to be the work of yet another Russian crime group known as Qilin. This ‘Ransomware for rent’ group has targeted IT firms, medical organisations, courts, the &#39;Big Issue&#39;, and appears to operate with Vladimir Putin’s blessing. &#39;Qilin&#39;, also known as &#39;Agenda&#39;, has hacked hundreds of victims over the two years it has been operating under its known identities. Qilin’s 112 known victims span 30 different countries, with Russia and the Commonwealth of Independent States (ex-Soviet satellite countries) being the notable exceptions. No need to wonder why!&lt;/p&gt;&lt;p&gt;According to a recent report by &lt;a href=&quot;https://www.bloomberg.com/news/articles/2024-06-18/uk-hospital-hackers-say-they-ve-demanded-50-million-in-ransom&quot; target=&quot;_blank&quot;&gt;Bloomberg&lt;/a&gt;, while responding to questions about the breach through a messaging account 
long associated with the gang, a representative for the hackers said 
that they were very sorry for the people who suffered, but refused to 
accept responsibility for the human cost. They suggested &#39;the attack was 
justified because it was in retaliation for the British government’s 
involvement in unspecified wars&#39;.&lt;br /&gt;&lt;br /&gt;The Guy’s and St Thomas’ and the King’s College Hospital NHS Foundation Trust attacks are not unique events. In fact, it&#39;s the third such attack in the past 12 months against NHS trusts. In June of last year, a Russian cybercrime gang called BlackCat &lt;a href=&quot;https://www.bloomberg.com/news/articles/2023-06-30/hacking-gang-says-it-stole-data-trove-from-uk-hospital-group&quot;&gt;hacked&lt;/a&gt; the Barts Health NHS Trust. Then, earlier this year, yet another Russian gang, INC Ransom, attacked NHS Dumfries and Galloway, stealing 3 TB of protected health data.&lt;br /&gt;&lt;br /&gt;The Russians have certainly cornered the cyber-extortion market, a criminal industry worth &lt;a href=&quot;https://www.searchlogistics.com/learn/statistics/ransomware-statistics/&quot;&gt;$14 billion as of 2022&lt;/a&gt; and one growing rapidly at 73% according to &lt;a href=&quot;https://www.sans.org/blog/ransomware-cases-increased-greatly-in-2023/&quot;&gt;SANS&lt;/a&gt;. Indeed, the growth of this industry appears to be directly linked to the number of ransoms being paid by victims, which in the first half of 2023 were estimated to have been more than &lt;a href=&quot;https://www.theverge.com/2021/10/15/22728765/us-treasury-ransomware-payout-numbers-reports-2021-first-half-cybercrime&quot;&gt;$590 million&lt;/a&gt;. Cyber-extortion is, according to the NCA and FBI, a form of cyber-terrorism. So, in effect, those who pay extortion payments could be breaking the law by giving money to wanted terrorists, yet many still do so, and few of those who are directly financing this trade have been arrested or prosecuted thus far.&lt;/p&gt;&lt;div&gt;$590 million is also a valuable source of income and hard currency for Russia given all the trade sanctions the country is under following its partial invasion and ongoing war with Ukraine. 
What’s also apparent is that no one in a criminal oligarchy like the Russian State is going to make $20 million a pop in ransom payments without sharing at least some of that new-found wealth with others all the way to the Mafia Don at the top, i.e. one Vladimir&amp;nbsp;Vladimirovich Putin, reportedly the &lt;a href=&quot;https://www.news.com.au/finance/work/leaders/how-russian-president-vladimir-putin-secretly-became-the-worlds-richest-person/news-story/302a422aca6502c7346cc26435ab2e75&quot;&gt;richest man&lt;/a&gt; in the world today. &lt;br /&gt;&lt;br /&gt;But the costs of a ransom attack are far greater than merely the ransom payment (if payment is made), or the costs of forensic investigation, incident response, fines, lawsuits, and punitive damages. The costs when healthcare is attacked are measured in lives. How many patients die as a result of not receiving timely intervention and treatment (mortality), how many will die earlier than expected or are made to suffer for longer periods of time (morbidity), and how many patients are placed at risk thanks to critical IT and IoT systems being down and whose safety may be compromised as a result? &lt;br /&gt;&lt;br /&gt;Attacks against healthcare are not only an attack by a foreign adversary against a critical national infrastructure industry of a nation state, but also an attack that threatens the lives and wellbeing of its citizens. Attackers therefore run the risk that the full power of the state they attack might be used against them, kinetically, when all legal avenues fail to bring them to justice, or to stop their attacks. Russia does not regard cyber-attacks against other countries as a crime, nor does it honour extradition treaties with the rest of the world. Even if it did, its criminal justice system is irrevocably compromised and corrupted by money, power, and influence. 
&lt;br /&gt;&lt;br /&gt;It is unknown to what extent the Kremlin is behind cyber-attacks against foreign critical national infrastructure, but Russia certainly turns a blind eye to it at the very least, by offering safe harbour to those engaged in this criminal activity. What is for sure is that the criminal activities of some Russians are helping to weaken and degrade many of Russia’s foreign adversaries. At the very least, the use of criminal proxies rather than official state assets provides the Kremlin with some level of plausible deniability, no matter just how implausible that is now becoming, or how insincere Putin’s claims of denial are today. &lt;br /&gt;&lt;br /&gt;Until such time as Russia finally fails as a state, and a new Russia adopts a real legal-judicial system - one uncorrupted by others, so that criminals can eventually be held to account - the NHS and other providers of healthcare services, including third parties, will need to seriously improve the cybersecurity and operational resiliency of key systems needed by patients. The UK will also need to critically evaluate any single points of failure in applications or underlying infrastructure, just as the US needs to following the recent UHG-Optum Change Healthcare attack. Relying on a single vendor or single application for critical parts of medical workflow can no longer be supported. The ability to switch out failed components of a modular architecture is already crucially needed, yet few healthcare providers have reached that level of resiliency today.&lt;br /&gt;&lt;br /&gt;Out of all industries, health-care providers were the most targeted by ransomware gangs last year, according to a &lt;a href=&quot;https://blog.talosintelligence.com/content/files/2023/12/2023_Talos_Year_In_Review.pdf&quot;&gt;report&lt;/a&gt; by Cisco&#39;s Talos threat intelligence division. 
Cisco attributed the targeting to health-care organizations generally having “underfunded budgets for cybersecurity and low downtime tolerance.” &lt;br /&gt;&lt;br /&gt;Given the criticality of IT and IoT in today’s digital health system and continuously rising cyber threats by adversaries, we need to devote a lot more time, effort, and money to building healthcare services able to withstand all but the most destructive of attacks.&lt;/div&gt;&lt;br /&gt; &lt;br /&gt;&lt;h3 style=&quot;text-align: left;&quot;&gt;Post Script&lt;/h3&gt;Post-incident investigation has determined that &lt;a href=&quot;https://www.bbc.com/news/articles/cp3ly4v2kp2o&quot; target=&quot;_blank&quot;&gt;one patient died&lt;/a&gt; as a result of the attack and a further 14 were injured among 10,000 patient appointments that were cancelled. This marks the third patient to be&amp;nbsp;publicly and openly acknowledged to have been killed by a ransomware attack.&amp;nbsp;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;An American newborn and an elderly German woman were also killed during separate ransomware attacks, though physicians privately believe the number of victims globally could be in the hundreds.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Hospitals are not required to report separate patient morbidity and mortality figures that are caused, at least in part, by cyber attacks. Death certificates state only the medical cause of death, not the causal factors behind that death. Liability and damage to reputation notwithstanding, governments have so far been reluctant to require accurate reporting on the impact of cyber attacks against healthcare providers. 
In other words, the numbers are likely much, much higher than the public is aware of.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;Each of these cyber attacks was conducted by Russian-language gangs where attacks were orchestrated from within the Russian Federation - a country that evidence suggests allows cyber criminals to operate freely and with impunity so long as attacks are not against Russian assets or individuals.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Indeed, cyber attacks against critical industry sectors such as healthcare are increasingly being used as a form of hybrid warfare against western democratic nations. Given their continuing poor cybersecurity, and rising global tensions, one can expect a large jump in the number of victims over coming months and years.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4595859525409396521'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/4595859525409396521'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/06/when-is-enough-enough.html' title='When is Enough, Enough?'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQR78GQx46UnpWankQV9fA4UHaj8lt7IwqPRhfGL55XVqhZ7orn1-glefclKkkn5l_yCDRVt2EEhUvxOxEA3tJlsBwg7i79jNTTLyEW0C92DLlhba9eZbE-pGL3PBz4tjhheKKvixg4GkVzfQkIkwNMZha7-yvrh-1JwP8Exin4vim1Sn-OeHf11TS6eE1/s72-w640-h242-c/Guy_s-and-St-Thomas_-NHS-Foundation-Trust.jpg" height="72" width="72"/><georss:featurename>London, UK</georss:featurename><georss:point>51.5072178 -0.1275862</georss:point><georss:box>23.196983963821154 -35.2838362 79.817451636178845 35.0286638</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-2566303056929894159</id><published>2024-03-11T02:00:00.026+00:00</published><updated>2024-05-30T14:48:43.623+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="HIMSS24 Interview"/><category scheme="http://www.blogger.com/atom/ns#" term="Orlando"/><title type='text'>Mitigating Medical Device Vulnerabilities</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKXSbi3djskw6cisPH8N24oKs9PXKPBUWQnb2nAuwLwlAUx2YbdMVmgTlekpsK3fM5Ldp-8YSe4TXG80pThDRljn7RmQoF-tKrsGRuDYgTGMoPmO0u57HFNNzD1hQ2S_b4SuvxtsY0XZeT9XvYKykyY3YKyclkGKi-oMrOwLnHtypRkyUusRshF0cib_z5/s1228/2024.03.10-HIMSS-Interview.png&quot; style=&quot;margin-left: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;630&quot; data-original-width=&quot;1228&quot; height=&quot;205&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKXSbi3djskw6cisPH8N24oKs9PXKPBUWQnb2nAuwLwlAUx2YbdMVmgTlekpsK3fM5Ldp-8YSe4TXG80pThDRljn7RmQoF-tKrsGRuDYgTGMoPmO0u57HFNNzD1hQ2S_b4SuvxtsY0XZeT9XvYKykyY3YKyclkGKi-oMrOwLnHtypRkyUusRshF0cib_z5/w400-h205/2024.03.10-HIMSS-Interview.png&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;How can health systems secure smart medical devices if manufacturers 
don&#39;t patch them regularly? Richard Staynings, chief security strategist at Cylera, discusses how organizations can mitigate that risk using their existing tools and technologies at HIMSS24 in Orlando, Florida.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;





&lt;div style=&quot;text-align: left;&quot;&gt;
&lt;iframe allowfullscreen=&quot;&quot; frameborder=&quot;0&quot; height=&quot;366&quot; src=&quot;//players.brightcove.net/1824526989001/default_default/index.html?videoId=6350219795112&quot; width=&quot;550&quot;&gt;&lt;/iframe&gt;
&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/2566303056929894159'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/2566303056929894159'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/03/mitigating-medical-device.html' title='Mitigating Medical Device Vulnerabilities'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKXSbi3djskw6cisPH8N24oKs9PXKPBUWQnb2nAuwLwlAUx2YbdMVmgTlekpsK3fM5Ldp-8YSe4TXG80pThDRljn7RmQoF-tKrsGRuDYgTGMoPmO0u57HFNNzD1hQ2S_b4SuvxtsY0XZeT9XvYKykyY3YKyclkGKi-oMrOwLnHtypRkyUusRshF0cib_z5/s72-w400-h205-c/2024.03.10-HIMSS-Interview.png" height="72" width="72"/><georss:featurename>Orlando, FL, USA</georss:featurename><georss:point>28.5383832 -81.3789269</georss:point><georss:box>0.22814936382115292 -116.5351769 56.848617036178844 -46.222676899999996</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-8962699698080921959</id><published>2024-02-20T13:31:00.084+00:00</published><updated>2024-05-30T14:50:12.489+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="FBI"/><category scheme="http://www.blogger.com/atom/ns#" term="LockBit"/><category scheme="http://www.blogger.com/atom/ns#" term="NCA"/><category scheme="http://www.blogger.com/atom/ns#" term="RaaS"/><category scheme="http://www.blogger.com/atom/ns#" term="Takedown"/><title type='text'>Lockbit Take-Down</title><content type='html'>&lt;div class=&quot;separator&quot;&gt;&lt;a 
href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOhBlzf2cd8KX0pJSlulBFHGjl60K3uGdnTvx-esRaDgx9bXzvLuC50rnJBQy5UkD-fQd9vmpTe-oG1QmXq7WkNu8HRqREA87a8W7TQRLgSO8xO1rcr-KLYW6vvVJPWWmcqRPlI2x-F5K-2Iblw3vpatKuRr0W4WkH_ARHxLMrtlHf5SdNn-E3PdFJVXzF/s1200/NCA.webp&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;720&quot; data-original-width=&quot;1200&quot; height=&quot;370&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOhBlzf2cd8KX0pJSlulBFHGjl60K3uGdnTvx-esRaDgx9bXzvLuC50rnJBQy5UkD-fQd9vmpTe-oG1QmXq7WkNu8HRqREA87a8W7TQRLgSO8xO1rcr-KLYW6vvVJPWWmcqRPlI2x-F5K-2Iblw3vpatKuRr0W4WkH_ARHxLMrtlHf5SdNn-E3PdFJVXzF/w640-h384/NCA.webp&quot; width=&quot;570&quot; /&gt;&lt;/a&gt;&lt;/div&gt;
  
&lt;br /&gt;
&lt;div class=&quot;separator&quot;&gt;&lt;/div&gt;
  
Many of us in the cybersecurity community woke this morning to very welcome news that the infamous Lockbit Ransomware as a Service (RaaS) crime syndicate was hit with a take-down action of much of its infrastructure. This was apparently led by the UK’s National Crime Agency (NCA), and the FBI, as part of an international law enforcement task force known as ‘Operation Cronos’.

&lt;br /&gt;&lt;br /&gt;
Lockbit was one of the most prolific and destructive Russian Ransomware-as-a-Service (RaaS) groups, claiming over 2,000 victims worldwide and extorting over $120 million in ransom payments. It was, to put it mildly, ruthless, launching secondary and tertiary attacks against victims who refused to negotiate with the extortionists or to pay their extortion demands.

&lt;br /&gt;&lt;br /&gt;

As part of its initial seeding of compromised networks with ransomware, it exfiltrated confidential information and threatened to publish this on its websites if payments were not made by the organization. When demanded ransoms were not received, the group contacted individuals whose information it had stolen, and demanded they pressure the victim organization to pay the ransom, or sometimes offered to exclude their information from a release if a payment was received.&lt;div&gt;&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;div class=&quot;separator&quot;&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img alt=&quot;Richard Staynings, Cylera&quot; border=&quot;0&quot; caption=&quot;Richard Staynings, Cylera&quot; data-original-height=&quot;3000&quot; data-original-width=&quot;2400&quot; height=&quot;320&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7pIFNpdPJ4VBvUdwZ5LtBSeK4cqfcEhfN_2MOqScFDY-KaOQuO7lKuyOvFzbmjj2TpQp4eo1o4LfSqpINYCBsXm6VNnj4QAF78S-v3b9vs0zfXkDJtKZXmLtSQHRzn-0Z9lLygJ-5bCKs8SUZaKQVPO1qQ7cWQO26ZR3GmnWEP8_LrOEJ6dc0DMfYvKPu/w256-h320/Richard.jpg&quot; title=&quot;Richard Staynings, Cylera&quot; width=&quot;256&quot; /&gt;&lt;figcaption&gt;&lt;i&gt;Richard Staynings, Cylera&lt;/i&gt;&lt;/figcaption&gt;&lt;/div&gt;
  


“Many times, corporate and individual victims paid the gang only to see their information posted publicly anyway,” claimed Richard Staynings, Chief Security Strategist with Cheltenham-based cybersecurity firm Cylera. “There is, after all, no trust in thieves,” he added.
  
&lt;br /&gt;&lt;br /&gt;
  
The group was also known to publicly taunt victims on its web site with a countdown clock when the information would be published unless payment was made.
  
&lt;br /&gt;&lt;br /&gt;
  
Operation Cronos appears to have finally brought this criminal RaaS business to a halt, or at the very least slowed it down and ruined its reputation. Whether it stops the affiliates who use the RaaS to execute their attacks remains to be seen, as it&#39;s likely that many of the Lockbit tools are still out there and affiliates are likely to have copies of these.&amp;nbsp;&lt;/div&gt;&lt;div class=&quot;separator&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot;&gt;It’s also quite likely that many of the un-indicted perpetrators involved in Lockbit will simply pick up and move into new crime groups to continue to ply their crafts as part of other cybercrime services. This has happened in the past when law enforcement took down other crime syndicates. It is also possible that a new Lockbit rises from the ashes and starts over again, perhaps even under the same name with some of the same people.
  
&lt;br /&gt;&lt;br /&gt;Some of these crime syndicates are thought to be associated with the Russian Mafia and many in the past have worked closely with the Kremlin, FSB and GRU for espionage purposes, or to punish other nations, while Mother Russia can claim plausible deniability.&lt;/div&gt;&lt;div class=&quot;separator&quot;&gt;&lt;br /&gt;
  
Many of the cybercriminals who engage in ransomware and other forms of cyber extortion are of Russian origin and are able to attack victims from within Russia and other former Soviet states with near impunity. This is largely thanks to a lack of extradition treaties between these countries and the rest of the world, combined with a legal system that is easily corrupted by those with power, influence or money.&lt;/div&gt;&lt;div class=&quot;separator&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot;&gt;The FBI has accused Russia of harboring cybercriminals for years: as long as the perpetrators of cyber crime direct their craft against victims outside of Russia, the Russian state will conveniently turn a blind eye. This makes it particularly difficult to bring criminals to justice so long as they don&#39;t leave the former Soviet bloc of countries.&lt;/div&gt;&lt;div class=&quot;separator&quot;&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class=&quot;separator&quot;&gt;Of course, some wanted criminals, used to considering themselves above the law, have traveled outside of the former Soviet states and have been arrested or renditioned back to the United States for trial and punishment. One of the more notable of these was Roman Seleznev, the son of a close Putin confidant and a member of the Duma lower house of parliament, Valery Seleznev, &lt;a href=&quot;https://www.cyberthoughts.org/2017/04/a-slippery-slope.html&quot; target=&quot;_blank&quot;&gt;as reported some time ago by this site&lt;/a&gt;.&amp;nbsp;&lt;/div&gt;&lt;div class=&quot;separator&quot;&gt;&lt;br /&gt;
  
Lockbit was the largest RaaS and worked by selling its criminal services, acting as a one-stop shop to customers known as affiliates. These affiliates then identified and attacked victims using the Lockbit framework of tools and services. Based upon volume, the affiliates then received back from Lockbit between 60% and 80% of the ransom payments they were able to extort. The Lockbit network consisted of hundreds of so-called ‘bulletproof’ servers located all over the world. These have now been taken over by law enforcement as part of the Europol action. Copies of the Lockbit code, however, remain on PCs and servers in Russia and other countries where international law enforcement was unable to seize assets, since the crime of ransomware is not recognized in many of these countries.
  
&lt;br /&gt;&lt;br /&gt;
  
It was perhaps inevitable that the NCA would lead this takedown effort following a &lt;a href=&quot;https://techspark.co/blog/2023/01/13/royal-mail-russian-linked-randsomware/&quot;&gt;January 2023 ransomware attack&lt;/a&gt; against part of the UK Royal Mail in which packages could not be mailed overseas for many weeks. The attack was identified as using Lockbit, so the group must have been in the sights of the NCA ever since. The Royal Mail is a critical infrastructure industry (CII) of the UK, so any attack against a CII would have garnered attention at the highest levels, just as Lockbit attacks against the NHS have done in the past.
  
&lt;br /&gt;&lt;br /&gt;
  
“While not all cyber crimes can be fully investigated, I am sure that Lockbit and its affiliates were prioritized by the NCA and the UK government following the Royal Mail attack,” said Staynings. “Lockbit ransomware attacks against NHS trusts were already sure to get the NCA’s attention, so the Royal Mail attack may have been the nail in the coffin for the group.”
  
&lt;br /&gt;&lt;br /&gt;
  
“Gangs would be well advised to stay clear of national infrastructure industries if they want to avoid unnecessary attention. That goes not just for the UK, but for any law-abiding western power,” Staynings added.
  
&lt;br /&gt;
&lt;br /&gt;
  
While the Lockbit infrastructure was taken offline and decryption advice and keys posted on its servers, law enforcement reportedly obtained access quite some time ago. It&#39;s highly likely that they have been digging around and gaining intelligence on affiliates and those involved in building and maintaining the Lockbit service. It is also likely that they were mapping out the entire infrastructure so as to capture as much of it as possible in one go with a single legal seizure action.

&lt;br /&gt;&lt;br /&gt;
  
This has resulted in the identification, indictment, and arrest of many of the gang’s generals. But it has also shed light on a much greater number of victims than has been reported, many of whom appear to have paid ransoms against the advice of law enforcement and national laws in their respective countries that forbid extortion payments to terrorists. Ransom and extortion are, after all, forms of terrorism.
  
&lt;br /&gt;&lt;br /&gt;
  
“The cat is now out of the bag, and we could see legal actions against business leaders and their legal counsel, who made ransom payments against national laws and hid a cyberattack from shareholders, and the SEC, FCA, and others,” claimed Staynings.
  
&lt;br /&gt;&lt;br /&gt;
  
&lt;div class=&quot;separator&quot;&gt;&lt;div style=&quot;clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;&quot;&gt;&lt;img alt=&quot;Graeme Biggar, NCA&quot; border=&quot;0&quot; data-original-height=&quot;450&quot; data-original-width=&quot;760&quot; height=&quot;189&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1_RpaoL1x4gNDGyODapSaszj6dlpEgaMeBkB6HGLNYSksO50-4HlaL8Ybsxpc0wZ3aSkxTH0vlGWpRSOygB3raprFEFY_8BMi0ARqO-1u26275HsKzYD5dufivlqYfojw0I09qZ_c3RLV3DL4XUr8tUMHM2yhMIQoi-7v5c097vUM5eJWQzkZNBennEzo/w320-h189/Graeme_380x225.jpg&quot; title=&quot;Graeme Biggar, NCA&quot; width=&quot;320&quot; /&gt;&lt;figcaption&gt;&lt;i&gt;Graeme Biggar, NCA&lt;/i&gt;&lt;/figcaption&gt;&lt;/div&gt;

  
The NCA’s Graeme Biggar said it assessed that the group was responsible for 25% of ransomware attacks in the last year, including 200 known of in the UK, though he added that there may have been many more. Indeed, total losses and damages from Lockbit and its affiliates could be in the billions of dollars. Whether this surpassed losses from ‘&lt;a href=&quot;https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/&quot;&gt;NotPetya&lt;/a&gt;’, another Russian cyberattack, attributed to Russia’s military GRU, remains to be seen.
  
&lt;br /&gt;&lt;br /&gt;
  
NotPetya is thought to have caused between $10 and $12 billion in damages to global organizations attacked, including Maersk, Mondelez, Merck, WPP, Reckitt Benckiser, Saint-Gobain and TNT Express.&amp;nbsp;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;Maersk alone lost &lt;a href=&quot;https://economictimes.indiatimes.com/tech/newsletters/ettech-unwrapped/notpetya-the-cyberattack-that-shook-the-world/articleshow/89997076.cms&quot;&gt;$250 million&lt;/a&gt; and suffered a further $300 million in damages. The 2017 cyberattack currently stands as the single most damaging and costly attack of all time. Its attack code was designed to attack Ukraine, but the malware unintentionally spread right the way across the world, impacting Russian businesses as well.
  
&lt;br /&gt;&lt;br /&gt;
  
As part of the seizures, more than 200 cryptocurrency accounts believed to be linked to Lockbit have been frozen, so it seems likely that once the investigation is complete, at least a few victims may receive some of their ransom payments returned, as has been the case in other confiscations.
  
&lt;br /&gt;&lt;br /&gt;
  
“It’s great to see the home team win a game finally, but there’s a long way to the finals,” claimed Staynings. “The trouble is that with cybercrime it takes many months or years to properly attribute actions. That includes victims, criminal actors, and all those involved in a cyberattack.”
  
&lt;br /&gt;&lt;br /&gt;
  
“Undoubtedly, law enforcement needs to do things properly in order for prosecutions to stick and to identify all those involved in a criminal act. This was one of the better days, that’s for sure!” he concluded.
  
&lt;br /&gt;&lt;br /&gt;
  &lt;/p&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/8962699698080921959'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/8962699698080921959'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2024/02/lockbit-take-down.html' title='Lockbit Take-Down'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOhBlzf2cd8KX0pJSlulBFHGjl60K3uGdnTvx-esRaDgx9bXzvLuC50rnJBQy5UkD-fQd9vmpTe-oG1QmXq7WkNu8HRqREA87a8W7TQRLgSO8xO1rcr-KLYW6vvVJPWWmcqRPlI2x-F5K-2Iblw3vpatKuRr0W4WkH_ARHxLMrtlHf5SdNn-E3PdFJVXzF/s72-w640-h384-c/NCA.webp" height="72" width="72"/><georss:featurename>London, UK</georss:featurename><georss:point>51.5072178 -0.1275862</georss:point><georss:box>23.196983963821154 -35.2838362 79.817451636178845 35.0286638</georss:box></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-3020736666895385741</id><published>2023-12-21T20:27:00.028+00:00</published><updated>2024-05-30T14:53:58.888+00:00</updated><title type='text'>Building AI-based cybersecurity solutions</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnUhSlkSkr-PS01rBSyCStA9CeB0u-JCIM9vltGCUZwCd3R20Uw2lBKEM5lbRbldXe85h14T43sqmOwH6U8Qy5sOkVvVFld1Q1BACon2n_BanuVqLMR6SODi3qX5jm17Uoskvk0aLqwfaoFT-snh99k8XIPKO_ZZOUxLz6I881yYLr0vcjUDLj2jNPA7_U/s664/Richard%20Staynings%20HIMSS%20AI.png&quot; style=&quot;margin-left: 1em; 
margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;334&quot; data-original-width=&quot;664&quot; height=&quot;161&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnUhSlkSkr-PS01rBSyCStA9CeB0u-JCIM9vltGCUZwCd3R20Uw2lBKEM5lbRbldXe85h14T43sqmOwH6U8Qy5sOkVvVFld1Q1BACon2n_BanuVqLMR6SODi3qX5jm17Uoskvk0aLqwfaoFT-snh99k8XIPKO_ZZOUxLz6I881yYLr0vcjUDLj2jNPA7_U/s320/Richard%20Staynings%20HIMSS%20AI.png&quot; width=&quot;320&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;p&gt;Richard Staynings, chief security strategist at Cylera, discusses the difficulties involved in being a cybersecurity professional, tackling bad actors and how AI can both improve and hinder strategies to ensure healthcare system security. (7m 14s).&lt;/p&gt;

&lt;br /&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: left;&quot;&gt;
  &lt;link href=&quot;https://cf-images.us-east-1.prod.boltdns.net/v1/static/1824526989001/0e3c1921-4891-4138-821e-db3208f2bb64/bac940f7-8268-4fd2-beb8-e8df98d183b3/1280x720/match/image.jpg&quot; rel=&quot;image_src&quot;&gt;&lt;/link&gt;
  
  &lt;iframe allowfullscreen=&quot;&quot; frameborder=&quot;0&quot; height=&quot;366&quot; src=&quot;//players.brightcove.net/1824526989001/dbb65d86-1f3c-4e39-9d7f-94bac3abcd9b_default/index.html?videoId=6343585838112&quot; width=&quot;550&quot;&gt;&lt;/iframe&gt;
  

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/3020736666895385741'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/3020736666895385741'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2023/12/building-ai-based-cybersecurity.html' title='Building AI-based cybersecurity solutions'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnUhSlkSkr-PS01rBSyCStA9CeB0u-JCIM9vltGCUZwCd3R20Uw2lBKEM5lbRbldXe85h14T43sqmOwH6U8Qy5sOkVvVFld1Q1BACon2n_BanuVqLMR6SODi3qX5jm17Uoskvk0aLqwfaoFT-snh99k8XIPKO_ZZOUxLz6I881yYLr0vcjUDLj2jNPA7_U/s72-c/Richard%20Staynings%20HIMSS%20AI.png" height="72" width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-5773481166724135992</id><published>2023-12-13T20:59:00.059+00:00</published><updated>2023-12-21T21:08:26.734+00:00</updated><title type='text'>ResonanceFM PassWord - The Security of IoT</title><content type='html'>&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://www.futureintelligence.co.uk/fis-password-radio-show/&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1424&quot; data-original-width=&quot;2136&quot; height=&quot;266&quot; 
src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvWZ7GMH0PhSZMeRxLRrh2x7X2CLNFwhzI-wLFUhYlwGAlMSQJUWDV8x10CWH05UYBYAOC0GLY_c76Rm3ePHxlnHPY5nq0cqVZUyhZrRHUaGtN3EoZ6MD3V_3My1NREpBlX2-oGEcFEpkHLPYx5_3ml7iXFa-f66P25_Hnbnquerk_ukeSbK6l35NHFyK9/w400-h266/Peter-Warren.jpg&quot; width=&quot;400&quot; /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;i&gt;Peter Warren, host of &lt;a href=&quot;https://www.futureintelligence.co.uk/fis-password-radio-show/&quot; target=&quot;_blank&quot;&gt;&#39;PassW0rd&#39;&lt;/a&gt;, part of Future Intelligence (Fi).&amp;nbsp;&lt;/i&gt;&lt;/div&gt;


&lt;p&gt;Join Richard Staynings and Peter Warren, host of &#39;PassW0rd&#39; as they discuss the growing problem of the cybersecurity of IoT - the internet of things.&lt;/p&gt;&lt;p&gt;Future Intelligence (Fi) produces PassW0rd, its monthly hour long radio programme from London and Leipzig for broadcast on &lt;a href=&quot;https://www.resonancefm.com/&quot; target=&quot;_blank&quot;&gt;Resonance FM&lt;/a&gt;, London’s oldest independent radio station.&lt;br /&gt;&lt;/p&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;iframe allowfullscreen=&quot;&quot; class=&quot;BLOG_video_class&quot; height=&quot;488&quot; src=&quot;https://audio.cyberthoughts.org/2023.12.13-ResonanceTV.mp4&quot; width=&quot;300&quot;&gt;&lt;/iframe&gt;&lt;/div&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5773481166724135992'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5773481166724135992'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2023/12/resonancefm-password-security-of-iot.html' title='ResonanceFM PassWord - The Security of IoT'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvWZ7GMH0PhSZMeRxLRrh2x7X2CLNFwhzI-wLFUhYlwGAlMSQJUWDV8x10CWH05UYBYAOC0GLY_c76Rm3ePHxlnHPY5nq0cqVZUyhZrRHUaGtN3EoZ6MD3V_3My1NREpBlX2-oGEcFEpkHLPYx5_3ml7iXFa-f66P25_Hnbnquerk_ukeSbK6l35NHFyK9/s72-w400-h266-c/Peter-Warren.jpg" height="72" 
width="72"/></entry><entry><id>tag:blogger.com,1999:blog-4945852896025945156.post-5905700787962283233</id><published>2023-10-19T16:36:00.006+00:00</published><updated>2023-10-19T17:00:34.485+00:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="DefCon"/><category scheme="http://www.blogger.com/atom/ns#" term="MGM"/><category scheme="http://www.blogger.com/atom/ns#" term="Security Awareness"/><category scheme="http://www.blogger.com/atom/ns#" term="Social Engineering"/><category scheme="http://www.blogger.com/atom/ns#" term="Vishing"/><title type='text'>Been Vished Lately?</title><content type='html'>&lt;h5 style=&quot;text-align: left;&quot;&gt;&lt;b&gt;&lt;div class=&quot;separator&quot; style=&quot;clear: both; text-align: center;&quot;&gt;&lt;a href=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqy4ThulKQlgHJBfzEnSN4eXmqsfM-cZMBVTZfsr-TqwZokyvAMRR6GA5DENKSBhcLwUDWZMLejtq3uXt_G4SRee77Dv93bh-cu_P2awvOjw4t6xCRFapDzrbTdO-c_vKxugTRU7oxTHqhbdlG-DCg3umxc96CjN9kEQ7q_m3z7v0WWTu1oWkDDaUy43VD/s1920/berkeley-communications-WEDDt-u3q3o-unsplash.jpg&quot; style=&quot;margin-left: 1em; margin-right: 1em;&quot;&gt;&lt;img border=&quot;0&quot; data-original-height=&quot;1280&quot; data-original-width=&quot;1920&quot; height=&quot;426&quot; src=&quot;https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqy4ThulKQlgHJBfzEnSN4eXmqsfM-cZMBVTZfsr-TqwZokyvAMRR6GA5DENKSBhcLwUDWZMLejtq3uXt_G4SRee77Dv93bh-cu_P2awvOjw4t6xCRFapDzrbTdO-c_vKxugTRU7oxTHqhbdlG-DCg3umxc96CjN9kEQ7q_m3z7v0WWTu1oWkDDaUy43VD/w640-h426/berkeley-communications-WEDDt-u3q3o-unsplash.jpg&quot; width=&quot;640&quot; /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/b&gt;&lt;b&gt;&lt;i&gt;&lt;br /&gt;By Jon Taylor&lt;br /&gt;&lt;/i&gt;&lt;/b&gt;&lt;b&gt;&lt;i&gt;Director and Principal of Security, &lt;a href=&quot;https://versa-networks.com/&quot; target=&quot;_blank&quot;&gt;Versa Networks&lt;/a&gt;&lt;/i&gt;&lt;/b&gt;&lt;/h5&gt;
&lt;br /&gt;

A lot of vendors lately have been talking about how they can help companies be “less hackable” through advanced technology, attack surface reduction, and so on. One thing you don’t hear security vendors talking much about is how companies can implement some basic security awareness policies that also drastically reduce the chances of being compromised, or at least make it harder for bad actors to gain access to the network.&lt;br /&gt;&lt;br /&gt;One example worth discussing in detail is an event at the &lt;a href=&quot;https://www.se.community/&quot; target=&quot;_blank&quot;&gt;Defcon Social Engineering Village&lt;/a&gt; this year, where that point was thoroughly demonstrated, although I honestly couldn’t believe my eyes (and ears!). On Day One they held a vishing (voice phishing) competition: teams were placed in a sound booth with a phone dialing system and cold-called different businesses to probe for sensitive information about how those companies secured their environments. Now, one might say that there’s no way someone doing this would really gather anything useful, but the results will absolutely surprise you, as they did me.

&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Vishing meets supply chain &lt;/h3&gt;
Now, these vishers weren’t calling the IT departments of major companies to gather information; instead they were calling franchisees of large companies that we know (and love!). The competing teams were tasked with gathering some key pieces of information, and to do so they called individual franchises while posing as the parent company’s IT department, franchise relations, or even another franchisee. What’s notable is that this information would have given the vishers the ability to backdoor and compromise not just the franchise but the corporate system as well. The information they were gathering ultimately centered on the franchise-accessed resources provided by the parent company, such as VPN/ZTNA services and secure websites published to the internet. Some of the resources they were probing for were corporate ordering, timecard/revenue entry, and other types of inventory control. They would also ask about the type of antivirus/anti-malware being used on the machines, especially the point-of-sale terminals.

&lt;br /&gt;&lt;br /&gt;

If the above sounds bad, it was actually worse. During the exercise, at some point they would have the “mark” browse to a mocked-up website from a point-of-sale (POS) terminal, where a piece of malware would self-install and give them access to the computer. Now imagine what would happen if this POS terminal were compromised. The credit card data alone would be incredibly valuable if sold on the dark web. And if the terminal had any kind of access to the parent network, the payload could let the malicious actor into the parent corporate system to do anything from planting ransomware to exfiltrating sensitive data. During one call, an employee even offered to share her computer screen, showed the visher how they logged into each system over the VPN service, and handed over usernames and passwords. Had this been a real malicious actor gathering the information, the result would have been disastrous for both the parent company and the franchise: the incident response, public disclosure, and loss of reputation could cost millions.

&lt;br /&gt;&lt;br /&gt;

Now, one might say that this is an example of a small business being targeted, so of course there isn’t going to be security awareness training, and as long as the parent company has the right security tools it will not be breached. Well, the latest counterexample is the MGM incident. The exact same thing happened to a major corporate brand: someone carried out a &lt;a href=&quot;https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware&quot;&gt;vishing&lt;/a&gt; attack against the company and ultimately gained access to the corporate environment.

&lt;br /&gt;&lt;br /&gt;

&lt;h3 style=&quot;text-align: left;&quot;&gt;Make people aware&lt;/h3&gt;
So, what kind of “low-hanging fruit” items should any organization be doing? First off, there should be policies in place for any employee within the company to be able to accurately identify any other employees from the company. There should also be mandatory security awareness trainings for all employees including IT, and it should be renewed within one year of the initial training. In the case of a franchise model and because of the supply chain risk, the franchise parent company should implement these mandatory security awareness trainings as part of their franchise agreement. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5905700787962283233'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4945852896025945156/posts/default/5905700787962283233'/><link rel='alternate' type='text/html' href='http://www.cyberthoughts.org/2023/10/been-vished-lately.html' title='Been Vished Lately?'/><author><name>Richard Staynings</name><uri>http://www.blogger.com/profile/12046362539750930309</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqy4ThulKQlgHJBfzEnSN4eXmqsfM-cZMBVTZfsr-TqwZokyvAMRR6GA5DENKSBhcLwUDWZMLejtq3uXt_G4SRee77Dv93bh-cu_P2awvOjw4t6xCRFapDzrbTdO-c_vKxugTRU7oxTHqhbdlG-DCg3umxc96CjN9kEQ7q_m3z7v0WWTu1oWkDDaUy43VD/s72-w640-h426-c/berkeley-communications-WEDDt-u3q3o-unsplash.jpg" height="72" width="72"/></entry></feed>