The Software Report is pleased to announce the Top 25 Women Leaders in Cybersecurity of 2019. Hundreds of exceptional women were nominated in this year’s process. We evaluated each nominee based on a series of questions on the candidate’s professional capabilities. The Software Report also conducted candidate evaluation based on research of qualified information sources and publicly available information. We looked for demonstrated cybersecurity expertise, longevity in the industry, career progression and current position among other factors.
The digitalization of healthcare communication has greatly impacted how healthcare professionals use medical devices, perform patient care, and conduct internal operations. Electronic health record (EHR) mandates and widespread adoption of mobile devices has accelerated at such a rapid pace, healthcare cybersecurity companies are making mistakes that are inviting malicious hackers inside. Unfortunately, the healthcare industry has developed a negative reputation due to frequent data breaches, ransomware attacks, and security threats. It is time to revive the industry and get it on a path to a healthy recovery.
Healthcare Cybersecurity Statistics
- More than 300 reported data breaches
- More than 16 million Americans impacted
- 62% of healthcare organizations have experienced a breach in past 12 months
Causes for these attacks like unencrypted, lost and stolen devices, outdated systems, and sheer lack of cyber professional personnel contribute to the health care industry’s demise. It allows cybercriminals to steal financial and billing information from hospitals, patient records, and even bank account numbers.
The following organizations have fallen victim to attacks. Their suffering gives us a glimpse into the severity of healthcare cybersecurity threats. It also sheds light on how healthcare cybersecurity spending can be re-directed to support cyber teams so they can better prevent an attack of their own.
- SSM Health in St. Louis: A former call center employee accessed 29,000 patient records including demographics and clinical information. The former employee did not have access to financial information, according to the statement.
- 21st Century Oncology of Fort Myers, FL: An unauthorized third party gained access to a company database, putting 2.2 million individuals at risk. Data stolen may have included patient names, social security numbers, physician names, diagnosis and treatment information, and insurance information.
- UNC Dermatology and Skin Cancer Center: A stolen computer contained roughly 24,000 patients with records detailing names, addresses, phone numbers, birthdates, Social Security numbers, employment status, and employer names.
- Sinai Health System in Chicago: A phishing scam affected approximately 11,350 people of the seven-member hospital system. The investigation reported no financial information was compromised but patient information may have been compromised.
- Henry Ford in Michigan: A cybercriminal accessed email credentials from a group of employees to view and steal the data of 18,470 patients. While the email accounts were password protected and encrypted, the hacker accessed patient names, dates of birth, medical record numbers, provider names, dates of service, health insurer, medical conditions and locations.
There is good news, however. These threats can be mitigated with the right “medicine.” How?
Stopping Healthcare Cybersecurity Threats
Cybersecurity starts and ends with humans. It is the people controlling the use and deployment of technologies who have the ultimate power to create a secure cyber environment. Therefore, we advocate for a “data privacy first” mentality that places people at the center of cybersecurity in the healthcare industry.
Cyber teams can engage in persistent learning and skill-building opportunities to learn how best to protect patients and minimize security risk and identity theft. Protected health information and patient security is of utmost importance to healthcare cybersecurity so if cyber professionals and non-cyber professionals like understand how to improve data security, patients and the facilities that house them will be better protected.
To learn more about preventative ways to stop healthcare cybersecurity threats and upskill your cyber team, download our infographic: “Cybersecurity in Healthcare.”
Bradley Wolfenden, Director of Cyber Academic Partnerships at Circadence will begin his tenure as the new co-chair for the National Initiative for Cybersecurity Education (NICE) Competitions Subgroup in April, 2019.
WHAT ARE CYBER RANGES?
Cyber ranges were initially developed for government entities looking to better train their workforce with new skills and techniques. Cyber range providers like us deliver representations of actual networks, systems, and tools for novice and seasoned cyber professionals to safely train in virtual, secure environments without compromising the safety of their own network infrastructure. Today, cyber ranges are used in the cybersecurity industry to effectively train the cyber workforce across companies and organizations for stronger cyber defense against cyber attacks. As technology advances, cyber range training advances in scope and potential.
To learn more about Circadence’s cyber range offering, visit https://www.circadence.com/solutions/topic/cyber-ranges/.
The National Initiative for Cybersecurity Education reports cyber ranges provide:
- Performance-based learning and assessment
- A simulated environment where teams can work together to improve teamwork and team capabilities
- Real-time feedback
- Simulate on-the-job experience
- An environment where new ideas can be tested and teams and work to solve complex cyber problems
In order to upskill cybersecurity professionals, commercial, academic, and government institutions have to gracefully fuse the technicalities of the field with the strategic thinking and problem-solving “soft skills” required to defeat sophisticated attacks.
Currently, cyber ranges come in two forms: Bare environments without pre-programmed content; or prescriptive content that may or may not be relevant to a user’s industry. Either cyber range type limits the learner’s ability to develop many skill sets, not just what their work role requires.
UNDERSTANDING CYBER RANGES IN A BOX (OR CYRAAS, as we call it.)
Cyber ranges in a box is a collection of virtual machines hosted on an on-premise or cloud-based environment. Now, don’t let the name “in a box” fool you, at Circadence, you can’t purchase our cyber range solution on its own. To your cyber learning benefit, Circadence offers a cyber-range-as-a-service [CyRaas] solution embedded within the Project Ares cyber learning platform for optimized training and skill building at scale. When you purchase Project Ares, CyRaaS is included. It provides all-encompassing tools and technologies to help professionals achieve the best cybersecurity training available. Our service offers industry-relevant content to help trainees practice offense and defense activities in emulated networks. Cyber ranges also allow learners to use their own tools within emulated network traffic to reflect the real-world feeling of an actual cyberattack. In “training as you would fight,” learners will have a better understanding of how to address cyber threats when the real-life scenario hits.
With advances in Artificial Intelligence (AI), we know cyber ranges can now support such technology. In the case of our own Project Ares, we are able to leverage AI and machine learning to gather user data and activity happening in the platform. As more users play Project Ares, patterns in the data reveal commonalities and anomalies of how missions are completed with minimal human intervention. Those patterns are used to inform the recommendations of an in-game advisor with chat bot functionality so players can receive help on certain cyber range training activities or levels. Further, layering AI and machine learning gives security professionals better predictive capabilities and, according to Microsoft, even “improve the efficacy of cybersecurity, the detection of hackers, and even prevent attacks before they occur.”
To learn how cyber ranges are being used to improve cyber learning for students (and how it can be applied to your organization or company,
DOWNLOAD OUR “LEARN BY DOING ON CYBER RANGES” INFOGRAPHIC.
GAMIFIED CYBER RANGES
With many studies touting the benefits of gamification in learning, it only makes sense that cyber ranges come equipped with a gamified element. Project Ares has a series of mini-games, battle rooms, and missions that help engage users in task completion—all while learning new techniques and strategies for defeating modern-day attacks. The mini-games help explain cyber technical and/or operational fundamentals with the goal of providing fun and instructional ways to learn a new concept or stay current on perishable skills. The battle rooms are environments used for training and assessing an individual on a set of specific tasks based on current offensive and defensive tactics, techniques and procedures. The missions are used for training and assessing an individual or team on their practical application of knowledge, skills and abilities in order to solve a given cybersecurity problem set, each with its own unique set of mission orders, rules of engagement and objectives.
CYBER RANGE SECURITY
There is a lot of sensitive data that can be housed in a cyber range, so system security is the final piece to comprising a cyber range. The cloud is quickly recognized as one of the most secure spaces to house network components (and physical infrastructure). To ensure the cyber ranges are operating quickly with the latest updates and to increase visibility of how users are engaging in the cyber ranges across the company, information security in the cloud is the latest and greatest approach for users training in test environments.
We are proud to have pioneered such a state-of-the-art cyber range in many of our platforms including (as mentioned above), Project Ares®, and CyRaaSTM. We hope this post helped you understand the true potential of cyber ranges and how they are evolving today to automate and augment the cyber workforce.
ITSPmagazine’s John Dasher chats with Keenan Skelly, Circadence VP of Global Partnerships & Security Evangelist, for a fascinating conversation on cybersecurity learning, training and assessment through their Ares and Orion products.
One of the top innovators in the training space is Circadence®. The Boulder, CO-based company got its start in the mid-1990s as a pioneer of massive multi-player video games. It then took its expertise in moving massive amounts of gaming data and applied it first to training military cyber warfare specialists, and, next, to training security analysts in the enterprise, government and academic communities.
As our world becomes increasingly dependent on the internet, more safeguards must be put in place in order to keep our information and services we rely on secure. In the last few years, we have seen an increase in regulations and legislation passed to uphold these safeguards, but it is unclear how much this has helped in thwarting attacks. Not only are we as consumers and individuals vulnerable to data breaches and cyberattacks, but our governments are at risk for cyberwarfare and potentially crippling assaults on resources and infrastructure.
Governments around the world are implementing new cybersecurity legislation, such as the NIS Directive in the EU and the Cybersecurity Act of 2015 in the US to provide more structure and protocol to cybersecurity management. Many studies have been conducted to ascertain the level of sophistication in cybersecurity that different territories around the world possess, such as the Asia-Pacific Cybersecurity Dashboard. These studies consider legislation a basic indicator of the security landscape in these territories and helps cyber legislators identify strengths and opportunities for safety improvements.
The number of laws relating to the scope of cybersecurity shows the importance of implementing regulatory frameworks that protect us from a personal and business perspective. These frameworks help us to understand how to implement policy, as businesses generally don’t think much about cybersecurity unless they have to due to regulations. They also contribute to the reduction of security incidents and prevention of IT crime.
CYBERSECURITY LEGISLATION OBSTACLES
There are various obstacles in the way across territories that make the actual establishment and implementation of “global cyber legislation” no easy task. Here are just a few ways that legislation can be blocked, delayed, or become obsolete:
- Laws surrounding cybersecurity can easily fall behind in time and context, considering that technology is advancing at such a rapid rate.
- Technical and legal specification in varying countries make it difficult to respond to and rule on cybersecurity incidents for the industry as a whole.
- Considering that the internet is free and has no physical borders, constitutional or legal conflicts can arise concerning the meaning and conceptions of privacy and freedom of expression.
- There are limitations to the scope of application of some laws, most notably between public and private sectors that each face challenges of information access for use in investigations with security implications, privacy rights, and commercial interests. One such example is the well-known case between the FBI and Apple, in which a U.S. judge requested the cooperation of Apple in order to unlock the phone of a terrorist involved in an attack. However, due to user privacy rights, Apple did not condone unlocking that information.
- There can be delays in the enactment of laws brought on by political upheaval, issues affecting local initiatives, or adherence to international agreements.
- Attribution is always a challenge when it comes to cyberattacks. It can be extremely difficult to find out who did it or to prove who did it, which can make legislation ineffective.
- The global nature of cybercrime makes it incredibly difficult to prosecute those involved, as it all depends on what laws the perpetrators are governed under.
Despite these obstacles, the frequency of cyber laws continues to rise as the number and severity of cyberattack incidents recorded worldwide does as well. Therefore, the aim is to have legal measures in place to require protection within various territories, and in a variety of industry sectors. With this goal in mind, legislators have started to consider the requirements necessary for security in their own countries first, including assessing the capacity to respond to large-scale incidents, the protection of critical infrastructure, and ability to collaborate with other countries.
ENSURING CYBERSECURITY LEGISLATION KEEPS US SAFE
While obstacles may be prevalent, there are actions we can take regardless of territory or region to ensure these laws keep us safe on the ground floor.
- Businesses need to frequently revisit their own cyber protocols and policies to ensure they align with state and federal laws in place, while also protecting their key cyber terrain.
- Leaders need to keep tabs on new legislative efforts to understand how new rules and laws impact them personally and professionally at their business. One of the largest costs of a cyber breach are legal expenses, which can be reduced by staying ahead of the game and mitigating risks.
- The C-Suite must ensure the organization is abiding by new cyber laws, and that disaster recovery involving cyber threats are practiced at least annually.
Staying in tune with cyber legislation can mitigate your company’s risks before, during, and after a potential attack. There remains much to be done in this field, and as both technology and cybercrime continue to evolve, so will the legal landscape surrounding these incidences.
The internet has changed rapidly since its inception in 1983. The way we communicate, consume news and media, shop, and collect data are just a few examples of the way the internet has changed the world. A term you may have heard crop up in recent years is IoT, or The Internet of Things. IoT is about extending the purpose of the internet from use in day to day devices like smartphones and computers to use as a host of connected “things.”
So why would we want to do that? When something is connected to the internet and able to send and receive information, it makes the device smart. The more smart devices we have, the more connected and controllable our environment will become. IoT provides important insights to businesses and people that allow them to be more connected to the world and to do more meaningful, high-level work.
While the Internet of Things holds incredible potential for the world, it also means opening up more avenues of vulnerability for hackers to tap into our infrastructure, our homes, and our businesses. On a large scale, the development of “smart cities” are cropping up, promising better usage of resources and more insights from data among other things. On the other hand, this could allow hackers higher access to critical infrastructure leading to potentially crippling instances of national and industrial espionage. On a smaller scale, things like parking meters can be hacked in order to cheat the system for free parking.
The rise in IoT security must match the explosive growth rates for these devices, which means that a new era of cybersecurity is being ushered in. Nearly half of U.S. companies using an IoT network have been hit by a recent security breach, and spending on IoT security will reach more than $6 billion globally by the year 2023.
Where does this leave us in a world with a seemingly bright technological future that holds such dark potential? As IoT continues to grow and evolve, it’s hard to say what specifics need to be put in place in order to keep it secure. However, there are some good general practices that can mitigate your personal and professional risk of being a victim of a breach.
- Do your research before you buy. Smart devices collect a lot of personal data. Understand what’s being collected, how it’s being stored and protected, and the manufacturer’s policies regarding data breaches.
- It seems obvious, but use strong and unique passwords for your device accounts, Wi-Fi networks, and connected devices (and update them often).
- Use caution when utilizing social sharing features that can expose your location information and could let people know when you’re not at home. This can lead to cyberstalking and other real-world dangers.
- Install reputable security software on your devices and use a VPN to secure data transmitted on your home or public Wi-Fi.
Eventually, there is hope that the IoT industry is able to revolutionize cybersecurity for itself, as compliance and regulation never seem to catch up to the pace required by cyber defense technologies. Since this is still such a new industry and constantly evolving, utilizing the aforementioned tips and tricks will help you stay safe while IoT security gets its footing. There is a lot to look forward to as IoT continues to revolutionize the way the world works, it’s just a matter of time before cyber teams are ready to take on this new wave of security needs.
I had the pleasure of interviewing Keenan Skelly. Skelly has more than 20 years of experience providing security and management solutions across a wide array of platforms to include personnel, physical, and cybersecurity.
Security predictions and directions for 2019 from Laura Lee, EVP of Rapid Prototyping.