The Software Report is pleased to announce the Top 25 Women Leaders in Cybersecurity of 2019. Hundreds of exceptional women were nominated in this year’s process. We evaluated each nominee based on a series of questions on the candidate’s professional capabilities. The Software Report also conducted candidate evaluation based on research of qualified information sources and publicly available information. We looked for demonstrated cybersecurity expertise, longevity in the industry, career progression and current position among other factors.
The digitalization of healthcare communication has greatly impacted how healthcare professionals use medical devices, perform patient care, and conduct internal operations. Electronic health record (EHR) mandates and widespread adoption of mobile devices have accelerated at such a rapid pace that healthcare cybersecurity companies are making mistakes that invite malicious hackers inside. Unfortunately, the healthcare industry has developed a negative reputation due to frequent data breaches, ransomware attacks, and security threats. It is time to revive the industry and get it on a path to a healthy recovery.
Healthcare Cybersecurity Statistics
- More than 300 reported data breaches
- More than 16 million Americans impacted
- 62% of healthcare organizations have experienced a breach in past 12 months
Causes of these attacks, such as unencrypted, lost, or stolen devices, outdated systems, and a sheer lack of cybersecurity personnel, contribute to the healthcare industry’s demise. They allow cybercriminals to steal financial and billing information from hospitals, patient records, and even bank account numbers.
The following organizations have fallen victim to attacks. Their suffering gives us a glimpse into the severity of healthcare cybersecurity threats. It also sheds light on how healthcare cybersecurity spending can be re-directed to support cyber teams so they can better prevent an attack of their own.
- SSM Health in St. Louis: A former call center employee accessed 29,000 patient records including demographics and clinical information. The former employee did not have access to financial information, according to the statement.
- 21st Century Oncology of Fort Myers, FL: An unauthorized third party gained access to a company database, putting 2.2 million individuals at risk. Data stolen may have included patient names, social security numbers, physician names, diagnosis and treatment information, and insurance information.
- UNC Dermatology and Skin Cancer Center: A stolen computer contained records for roughly 24,000 patients, detailing names, addresses, phone numbers, birthdates, Social Security numbers, employment status, and employer names.
- Sinai Health System in Chicago: A phishing scam affected approximately 11,350 people of the seven-member hospital system. The investigation reported no financial information was compromised but patient information may have been compromised.
- Henry Ford in Michigan: A cybercriminal accessed email credentials from a group of employees to view and steal the data of 18,470 patients. While the email accounts were password protected and encrypted, the hacker accessed patient names, dates of birth, medical record numbers, provider names, dates of service, health insurer, medical conditions and locations.
There is good news, however. These threats can be mitigated with the right “medicine.” How?
Stopping Healthcare Cybersecurity Threats
Cybersecurity starts and ends with humans. It is the people controlling the use and deployment of technologies who have the ultimate power to create a secure cyber environment. Therefore, we advocate for a “data privacy first” mentality that places people at the center of cybersecurity in the healthcare industry.
Cyber teams can engage in persistent learning and skill-building opportunities to learn how best to protect patients and minimize security risk and identity theft. Protected health information and patient security are of utmost importance to healthcare cybersecurity, so if cyber professionals and non-cyber professionals alike understand how to improve data security, patients and the facilities that house them will be better protected.
To learn more about preventative ways to stop healthcare cybersecurity threats and upskill your cyber team, download our infographic: “Cybersecurity in Healthcare.”
Bradley Wolfenden, Director of Cyber Academic Partnerships at Circadence will begin his tenure as the new co-chair for the National Initiative for Cybersecurity Education (NICE) Competitions Subgroup in April, 2019.
ITSPmagazine’s John Dasher chats with Keenan Skelly, Circadence VP of Global Partnerships & Security Evangelist, for a fascinating conversation on cybersecurity learning, training and assessment through their Ares and Orion products.
One of the top innovators in the training space is Circadence®. The Boulder, CO-based company got its start in the mid-1990s as a pioneer of massive multi-player video games. It then took its expertise in moving massive amounts of gaming data and applied it first to training military cyber warfare specialists, and, next, to training security analysts in the enterprise, government and academic communities.
As our world becomes increasingly dependent on the internet, more safeguards must be put in place in order to keep our information and the services we rely on secure. In the last few years, we have seen an increase in regulations and legislation passed to uphold these safeguards, but it is unclear how much this has helped in thwarting attacks. Not only are we as consumers and individuals vulnerable to data breaches and cyberattacks, but our governments are at risk of cyberwarfare and potentially crippling assaults on resources and infrastructure.
Governments around the world are implementing new cybersecurity legislation, such as the NIS Directive in the EU and the Cybersecurity Act of 2015 in the US, to provide more structure and protocol to cybersecurity management. Many studies have been conducted to ascertain the level of cybersecurity sophistication that different territories around the world possess, such as the Asia-Pacific Cybersecurity Dashboard. These studies consider legislation a basic indicator of the security landscape in these territories and help cyber legislators identify strengths and opportunities for safety improvements.
The number of new cyber laws shows the importance of implementing regulatory frameworks that protect us from a personal and business perspective. These frameworks help us to understand how to implement policy, as businesses generally don’t think much about cybersecurity unless they have to due to regulations. They also contribute to the reduction of security incidents and prevention of IT crime.
CYBERSECURITY LEGISLATION OBSTACLES
There are various cybersecurity technology obstacles in the way across territories that make the actual establishment and implementation of “global cyber legislation” no easy task. Here are just a few ways that legislation can be blocked, delayed, or become obsolete:
- Laws surrounding cybersecurity can easily fall behind in time and context, considering that technology is advancing at such a rapid rate.
- Differing technical and legal specifications across countries make it difficult to respond to and rule on cybersecurity incidents for the industry as a whole.
- Considering that the internet is free and has no physical borders, constitutional or legal conflicts can arise concerning the meaning and conceptions of privacy and freedom of expression.
- There are limitations to the scope of application of some laws, most notably between the public and private sectors, each of which faces challenges around information access for use in investigations with security implications, privacy rights, and commercial interests. One such example is the well-known case between the FBI and Apple, in which a U.S. judge requested Apple’s cooperation in order to unlock the phone of a terrorist involved in an attack. However, citing user privacy rights, Apple declined to unlock that information.
- There can be delays in the enactment of laws brought on by political upheaval, issues affecting local initiatives, or adherence to international agreements.
- Attribution is always a challenge when it comes to cyberattacks. It can be extremely difficult to find out who did it or to prove who did it, which can make legislation ineffective.
- The global nature of cybercrime makes it incredibly difficult to prosecute those involved, as it all depends on what laws the perpetrators are governed under.
Despite these obstacles, the number of cybersecurity laws around the world continues to rise, as does the number and severity of cyberattack incidents recorded worldwide. Therefore, the aim is to have legal measures in place to require protection within various territories and in a variety of industry sectors. With this goal in mind, legislators have started to consider the requirements necessary for security in their own countries first, including assessing the capacity to respond to large-scale incidents, the protection of critical infrastructure, and the ability to collaborate with other countries.
ENSURING CYBERSECURITY LEGISLATION KEEPS US SAFE
While obstacles may be prevalent, there are actions we can take regardless of territory or region to ensure these laws keep us safe on the ground floor.
- Businesses need to frequently revisit their own cyber protocols and policies to ensure they align with state and federal laws in place, while also protecting their key cyber terrain.
- Leaders need to keep tabs on new legislative efforts to understand how new rules and laws impact them personally and professionally at their business. One of the largest costs of a cyber breach is legal expenses, which can be reduced by staying ahead of the game and mitigating risks.
- The C-Suite must ensure the organization is abiding by new cyber laws, and that disaster recovery for cyber threats is practiced at least annually.
Staying in tune with cyber legislation can mitigate your company’s risks before, during, and after a potential attack. There remains much to be done in this field, and as both technology and cybercrime continue to evolve, so will the legal landscape surrounding these incidents.
The internet has changed rapidly since its inception in 1983. The way we communicate, consume news and media, shop, and collect data are just a few examples of how the internet has changed the world. A term you may have heard crop up in recent years is IoT, or the Internet of Things. IoT is about extending the purpose of the internet from use in day-to-day devices like smartphones and computers to use in a host of connected “things.”
So why would we want to do that? When something is connected to the internet and able to send and receive information, it makes the device smart. The more smart devices we have, the more connected and controllable our environment will become. IoT provides important insights to businesses and people that allow them to be more connected to the world and to do more meaningful, high-level work.
While the Internet of Things holds incredible potential for the world, it also means opening up more avenues of vulnerability for hackers to tap into our infrastructure, our homes, and our businesses. On a large scale, “smart cities” are cropping up, promising better usage of resources and more insights from data, among other things. On the other hand, this could allow hackers greater access to critical infrastructure, leading to potentially crippling instances of national and industrial espionage. On a smaller scale, things like parking meters can be hacked in order to cheat the system for free parking.
The rise in IoT security must match the explosive growth rates for these devices, which means that a new era of cybersecurity is being ushered in. Nearly half of U.S. companies using an IoT network have been hit by a recent security breach, and spending on IoT security will reach more than $6 billion globally by the year 2023.
Where does this leave us in a world with a seemingly bright technological future that holds such dark potential? As IoT continues to grow and evolve, it’s hard to say what specifics need to be put in place in order to keep it secure. However, there are some good general practices that can mitigate your personal and professional risk of being a victim of a breach.
- Do your research before you buy. Smart devices collect a lot of personal data. Understand what’s being collected, how it’s being stored and protected, and the manufacturer’s policies regarding data breaches.
- It seems obvious, but use strong and unique passwords for your device accounts, Wi-Fi networks, and connected devices (and update them often).
- Use caution when utilizing social sharing features that can expose your location information and could let people know when you’re not at home. This can lead to cyberstalking and other real-world dangers.
- Install reputable security software on your devices and use a VPN to secure data transmitted on your home or public Wi-Fi.
Eventually, there is hope that the IoT industry will be able to revolutionize cybersecurity for itself, as compliance and regulation never seem to catch up to the pace required by cyber defense technologies. Since this is still such a new and constantly evolving industry, following the tips above will help you stay safe while IoT security gets its footing. There is a lot to look forward to as IoT continues to revolutionize the way the world works; it’s just a matter of time before cyber teams are ready to take on this new wave of security needs.
I had the pleasure of interviewing Keenan Skelly. Skelly has more than 20 years of experience providing security and management solutions across a wide array of platforms, including personnel, physical, and cybersecurity.
Security predictions and directions for 2019 from Laura Lee, EVP of Rapid Prototyping.
What if someone told you that there was a new way to commute to work in the morning? A way that was more efficient than taking the highways or backroads to avoid traffic – a way that would allow you to save time, headaches and the dangers of driving altogether…you’d be interested, right? Maybe a little skeptical, certainly, but interested. So would we! Changing the way we think about a process or an act does not happen at the flip of a switch. We know that. However, the speed at which technology advances and new products and services hit the market with attempts to make our daily lives easier, faster, better requires us to be open to new ways of thinking about traditional approaches. In this blog, it’s about changing how we think about “cybersecurity training.”
While we can’t help you teleport to your office or lend you a flying car, the concept behind the “better way to commute” scenario is exactly what we at Circadence are advocating for—A new way to think about cybersecurity training and skills development. Now, we realize that might not be as “cool” as teleportation but hear us out.
When it comes to cybersecurity, we believe wholeheartedly that there is a better way to train cyber professionals on the latest tactics and techniques. Why? Current ways of developing professionals with “one-and-done” trainings in classroom settings aren’t working. How do we know this? Because businesses are still getting hacked every day. In 2018 alone, we saw a 350% increase in ransomware attacks and a 250% increase in spoofing or business email compromise. If lecture-based, classroom-setting, PowerPoint-driven training courses were working, we wouldn’t still be reading about breaches in our local and national news. Something new, something different has to be done.
Talk to your teams
People develop, use and control the technologies we have available to us. People are the mechanisms by which we execute certain security methods and procedures. People are the reason there are actual tools to help us stop threats. Talking to your team can help gain perspective on how they are feeling with their current workloads and where they want to improve professionally.
Without well-trained individuals who persistently learn new skills and find better (more efficient) ways to operationalize cyber processes and techniques, our businesses and our personal information will be exploited—it’s only a matter of time. If you’re thinking “I send my team to an off-site course and they learn new stuff every time,” then great! We invite you to take the next step and talk to those teams about how they’re using what they’ve learned in everyday cyber practice. Sometimes the first step in adopting a new way of thinking about a process (in this case, cyber training) is to talk to the people who actually experienced it (those with boots on the ground).
Talk to your teams about:
- their experience on-site at the training
- what their main takeaways were
- how they are applying learned concepts to daily tasks
- where they see gaps or “opportunities for improvement”
Listening to teams and asking objective questions like this can shed light on what’s working in your cyber readiness strategy and what’s not.
Reframe negative thoughts
Things that are new and different are disruptive and that can be scary for leaders looking for concrete ROI to tie to cyber readiness solutions. Forbes suggests reframing negative thoughts as well. In thinking about a new way to do cyber training, instead of “gamified cyber learning will never work,” come from a place of inquiry and curiosity instead. Reflect on what feelings or experiences are causing you to think negatively about a new way of doing something.
Ask objective questions like:
- What is gamification in the first place?
- What are the pros and cons of gamified learning?
- How could my team even adopt a gamified learning approach?
Understanding how something works or could work for your specific situation is the foundation for evaluating the merit of any new process or approach presented to you.
Know Today’s Cyber Training Options
How cyber training is conducted hasn’t changed much in the past several years. Participation in courses requires professionals to travel off-site to facilities/classrooms where they gather together to listen to lectures, view PowerPoint presentations and videos, and maybe engage in some online lab work to “bring concepts to life.”
Travel costs are incurred, time away from the frontlines is lost, and learners often disengage from material that is passively delivered to them (only 5% of information is retained with passive-learning delivery).
One of the biggest gaps in cyber training is that there isn’t a way to effectively measure cyber competencies in this traditional method. The proof is in the performance when professionals return to their desks and attempt to identify incoming threats and stop them. That absolute, black-and-white way of measuring performance is too risky for businesses to stake their reputation and assets on.
Leaders who send their teams to these trainings need to know the following:
1) what new skills cyber teams have acquired
2) how their performance compares to their colleagues
3) what current skills they have improved
4) what cyber activities they have completed to demonstrate improvement/progression
Today’s off-site trainings don’t answer those questions until it’s too late and a threat has taken over a network. Professionals can “see” really quickly when a learned skill doesn’t translate to real life.
Embrace the journey of learning
There is a better way to train professionals and it can happen with gamification. But don’t let us be your only source of truth. Talk to people. Listen to their experiences training traditionally and hear firsthand what they want out of a skill building opportunity. Read the latest research on gamification in the corporate workplace. Then, make connections based on the intel you’ve gathered to evaluate if gamification is right for your organization’s professional development approach.
We’ll be here when you’re ready to dive deeper into specific solutions.