In 2017, six of the top ten HIPAA breaches reported to the U.S. Department of Health and Human Services (HHS) stemmed from ransomware.[1] In a typical ransomware attack, important data is encrypted and “held for ransom” until the victim pays a designated amount in exchange for gaining access to the keys to decrypt the data once again. In addition, the cyber-criminal might steal important data before encrypting it and deleting potential backups.

Threats due to ransomware and other types of malware have become commonplace as cyber-criminals become stealthier, more skilled, and zealous in their desire to breach corporate security defenses. The healthcare industry is a prime target for ransomware attacks because organizations with health data, including third parties, often have less mature security postures compared with other companies such as financial firms. What’s more, the enduring data of people’s health records tends to be more valuable than transient data like credit card numbers.

Ransomware attacks of medical facilities are particularly onerous. When critical patient records and imaging files like x-rays and MRIs are unavailable, lives can be at stake, so restoring access to data at all costs is paramount.

Following ransomware attacks in 2017, some hospitals were forced to cancel planned patient procedures due to vital information being unavailable. For any industry – not just healthcare – the aftermath of a single attack can be enormous, including the loss of sensitive data, clients, brand and reputation, intellectual property, trade secrets, and finances.

Here are just a few examples of the many significant breaches involving ransomware/malware reported to HHS in 2017.

500,000 individuals affected – Airway Oxygen, Inc, learned that unidentified criminal(s) had gained access to their technical infrastructure and installed ransomware in order to deny Purity Cylinder and Airway Oxygen, two affiliated companies, access to their own data. The types of protected health information that were involved in the breach include some or all of the following data regarding their customer/end users and payment sources: full name, home address, birth date, telephone number, diagnosis, the type of service being provided, and health insurance policy numbers.

300,000 individuals affected – Women’s Health Care Group of PA discovered a virus/ransomware was installed on a server/workstation, preventing the hospital from accessing patient data. The types of data exposed – and potentially stolen – included names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers.

279,663 individuals affected – Urology Austin was the victim of a ransomware attack that encrypted the data stored on their servers. The investigation indicated that personal information may have been impacted by the ransomware, including name, address, date of birth, Social Security number, and medical information.

There are many steps that a CISO can take to minimize the likelihood/impact of a malware/ransomware breach.

• Ensure anti-virus/anti-malware software is installed and up to date across all endpoints within the business.
• Backup the data and store it off your network. Create the backups as frequently as you can afford and test to ensure that a full restore can be done using the backups.
• Use Group Policy Objects (GPO) restrictions.
• Patch your systems and keep them as current as you can.
• Restrict administrative rights on endpoints.
  • Remember that reducing privileges will reduce the attack surface.
  • Use the local user account as your primary account.
• Use a Secure Internet Gateway on and off the company network.
• Block users from install anything themselves.
  • Go through a helpdesk system (with change control) and have a system administrator only install software that is on the approval list.
• Use a Data Loss Prevention solution and actively monitor it for incidents.
• Use Endpoint Protection and actively monitor it.
• Invest in your Information Security program.
  • Tools are great but it takes a team to properly manage and monitor them.
• Establish security awareness campaigns.
  • Stress the avoidance of clicking on unknown or unexpected links and attachments in email messages.
  • Train often and in a variety of methods (e.g., in person, emails, newsletter, training classes, posters, swag, brown bag lunches, etc.).

Ransomware attacks have caused serious damage worldwide. All organizations should take steps now to avoid becoming the next victim company. Don’t let your company become part of the statistics!

About the author

Named 2017 Cybersecurity Professional of the Year – Cybersecurity Excellence Awards, SC Magazine Chief Privacy Officer 2017 Award, and Global Privacy & Security by Design (GPSbyDesign) – International Council Member – Rebecca Wynn is a “big picture” thinker who brings nearly 20 years of experience in Information Security, Assurance & Technology. Now with Matrix Medical Network as the Head of Information Security, she works with the talented and passionate team to take the company to the next level of excellence. https://www.linkedin.com/in/rebeccawynncissp/

[1] Section 13402(e)(4) of the HITECH Act states that the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

The post Healthcare Ransomware Attacks – Don’t Be Part of the Statistics appeared first on Security Current.

There are many skilled and intelligent people who aspire to become a Chief Information Security Officer (CISO). I have some career advice for them: Don’t aspire to be a CISO. Instead, seek to be the best professional at each step in your career.

Those of us who do become CISOs do so because we have a solid 10+ years leading Information Security programs. We have strong and proven legal, compliance, risk management, project management, strategic thinking, and technical expertise, along with business knowledge and the ability to see the corporate “big picture” in all of our decisions. You do not obtain that knowledge and expertise from taking a class or having a certification, even though those can assist you in a better understanding of the CISO role. (I have NEVER hired anyone in my career solely because they had a degree or a certification.).

What’s more, it takes a lot of personal hours beyond the normal work day to be a successful CISO. You can expect to put in consistent 55-60 hour work weeks, and depending on the company you work for, there could be extensive travel involved, too.

There are other personal considerations as well:

• If you are not a “big picture” thinker, then this is not the position for you.
• If you do not accept the fact that you may be the first person fired if there is a data breach, then this is not the position for you.
• If you want to be with one company forever, then this is not the position for you.

It wasn’t so long ago that the CISO role was primarily technical, with a focus on tasks such as fixing firewalls and patching vulnerabilities. In recent years, however, the CISO role has evolved significantly to a more business-oriented focus, especially in large organizations and heavily regulated industries. Today’s security chiefs are charged with juggling the day-to-day operations of their security team, and with meeting board expectations while also staying abreast of an ever-evolving threat landscape and a daunting regulatory environment.

One might argue that today’s CISOs have a Sisyphean task in that they are responsible for something they can never provide 100 percent assurance on, that being “securing the enterprise.” All it takes is one missed vulnerability, one careless or malicious insider, or one accidental “insecure” process. The average job can last 18 months or less because a CISO can be dismissed for any number of things, from a breach or a missed vulnerability to failing to align security operations with the board’s business goals. In short, CISOs have an incredibly difficult job.

A CISO needs to have a conscientious combination of hard and soft skills, such as:

Hard Skills

• Extensive knowledge about regulatory compliance rules and security frameworks and guidelines, including HIPAA, SOX, PCI, GDPR, NIST, CSF and others
• Extensive knowledge about third party auditing methodologies
• Strong knowledge in enterprise and security architecture, authentication, VPN, DNS, routing, etc.
• Programming languages such as .Net, Java, JSON, C, C++, C# and PHP and secure coding practices are an asset
• Extensive knowledge of prevention protocols around firewall intrusion and detection
• Strong knowledge of databases, APIs, web applications
• Strong knowledge and understanding of the Internet 4.0

Soft Skills

• Excellent communication skills
• Organization
• Interpersonal skills
• Negotiation
• Collaborative
• Leadership
• Strategic planning
• Public Speaking

The key to getting projects successfully completed on time and on budget is PARTNERSHIP. You have to be able to quickly sync with the C-Suite and other top leaders in the company. Personally, I’ve done all the “geeky” things, so naturally, I want to fix things. However, executives have strong business and strategic backgrounds; they’re committed to excellence. You have to speak their language.

One of the key pillars to successful partnership within an organization and leadership for those in your charge is communication. Here’s how I see that all-important business-critical function.

My communication framework:

• Communicate regularly, and in person when possible
• Be respectful of each position and its responsibilities
• Be ingrained in the business
• Avoid spreading fear without solutions
• Be immersed with the new technology
• Know the ever-changing threat landscape
• Learn to accept and embrace manageable risk
• Learn to protect data while enabling the business to run
• Know your scope, and your boundaries
• Be clear on the priorities

My recommendation is to do what you love and if you are in an enterprise setting, work for a company that appreciates you and will let you grow your talents. Talents are naturally developed when they are nurtured. Living a life with core values and supporting the things which are important for us will give us the possibility to feel our aptitudes in a more effective way. When we are true to ourselves, we discover more than we expect. Don’t settle for not being the best you can be. I don’t.

Named 2017 Cybersecurity Professional of the Year – Cybersecurity Excellence Awards, SC Magazine Chief Privacy Officer 2017 Award, and Global Privacy & Security by Design (GPSbyDesign) – International Council Member – Dr. Rebecca Wynn is a “big picture” thinker who brings nearly 20 years of experience in Information Security, Assurance & Technology. Recently she led the information security, privacy, and compliance pre-acquisition, acquisition, and post-acquisition of LearnVest, Inc. to Northwestern Mutual Life Insurance Company – a Fortune 100 company. She is well known for being a gifted polymath, having deep understanding of current cyber security challenges and privacy issues. Now with Matrix Medical Network as the Head of Information Security, she works with the talented and passionate team to take the company to the next level of excellence.

The post Advice for Aspiring CISOs appeared first on Security Current.