Recent updates from the FDA on securing network-connected medical devices show that there is growing concern for security surrounding the medical industry. Hospital networks, medical devices, and other critical infrastructure are all at risk. An article from Threatpost.com last week covered the Kaspersky Lab Security Analyst summit, in which a researcher from Kaspersky Lab was able to breach a Moscow hospital network. What did he find? According to the article, “…a shocking array of open doors on the network and weaknesses in medical devices and applications crucial not only to the privacy of patients, but also their physical well-being.”
You may have heard about the recent breach involving payment card data from cards used onsite at certain Hyatt-managed locations. According to Dark Reading, the "at-risk window" may have existed as early as July 30, 2015, with identified fraud being documented from August 13, 2015 to December 8, 2015. The malware responsible captured cardholder data while it was being transferred from the onsite processing location to the compromised system.
Post breach, Chuck Floyd, global president of operations for Hyatt, said "...we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future.” While we can't know for sure whether that statement implies that operational security controls were enhanced as a result of the breach, the question is, beyond the routine PCI-DSS assessments, were operational controls proactively reviewed and strengthened?
Modern Healthcare recently reported that "Health insurer Centene Corp. is hunting for six computer hard drives containing the personally identifiable health records of about 950,000 individuals..." While this potential data loss doesn't come close to the monumental data breaches suffered by Anthem, Blue Cross and Blue Shield and others in 2015, it highlights 5 actions that companies of any size in the healthcare space should be taking now to optimize security.
The FDA recently issued a draft guidance entitled "Postmarket Management of Cybersecurity in Medical Devices," and once again NIST is setting the standard as a recommended framework, specifically the NIST "Framework for Improving Critical Infrastructure Cybersecurity." The draft guidance issuance date is January 22, 2016. CyberSheath has expanded on what this guidance means for medical device manufacturers in a recent blog post; below you can review the FDA press release and draft guidance.
“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” – Ernest Hemingway
When planning for a security maturity assessment by an independent third party, many organizations often ask if their results can be compared to other companies in their specific industry. On the surface this “benchmarking” seems to be a reasonable request. CIOs want to spend as much on security as their peers; CISOs want to be “as secure” as their competitors. Nobody wants to devote wildly more or less resources to the effort than those in their industry. However, the request to see your company’s security maturity “score” stacked side-by-side with other companies is not attainable for two reasons.
Let’s be clear – POS is an ill-termed acronym for Point of Sale. As the collective giggles fade, it’s time to think about security in the retail industry. With Black Friday fast approaching, stores preparing for the mad rush of shoppers should ensure their POS systems are secure. Cardholder data has been a lucrative draw for the cybercriminals seeking to make some serious money selling your stolen credit card data. Along with cardholder data comes your customers’ personally identifiable information that is now floating around the Internet and could potentially fall into the wrong hands.
Point of sale system is the catchall term to describe the consumer’s relationship to the store and how the consumer exchanges money for goods and/or services. A point of sale system has many different facets operating at different levels. For the purpose of this blog post, I am only referring to the information technology assets that retailers have control over. Payment gateways and bank systems are beyond the scope of this post.
The breaches of Home Depot, Target, and Neiman Marcus are prime examples of major retail organizations that attested to PCI compliance, yet were still breached. While PCI compliance is important and ensures your organization has its ducks in a row, it doesn’t necessarily make your POS system more secure. There are additional steps every organization should take to become proactive about securing its POS, arguably the lifeblood of the store.
Recently the New York Stock Exchange (NYSE) released a cybersecurity guide for public companies and succinctly captured 5 questions CEOs should ask to improve security. I have reposted the questions here along with some thoughts and context as to the “so what” behind the answers to these questions.
The Five Questions CEOs Should Ask To Improve Security
1: What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
Risk is hard to quantify, but you have to try. The effort spent measuring risk can often reveal decisions narrowly made through the filter of budget pressures without the business explicitly accepting the risk resulting from those decisions. We’ve worked with organizations obsessed with management by headcount – don’t go over X number – without understanding the consequences of that broadly applied guidance.
CEOs should explore and push their teams to quantify the maturity of processes and the number of people in place to support tool investments. More often than not, organizations have more tools than can be effectively deployed and supported with the existing staff. The risk discussion has to go beyond tools and delve into the effectiveness of those tools in addressing risk.
Ironically, this is no different than the rest of the business. Your Enterprise Resource Planning system, for example, doesn’t do anything without the people and processes to make it run effectively. Don’t let the security risk discussion start and stop with the products you have purchased.
Topics: Security Assessment
The Wall Street Journal recently published a consolidated set of highlights from recent surveys and reports dealing with risk and compliance issues. The results will hardly be surprising to security professionals, but they are an abysmal reminder of just how much work still needs to be done before boardrooms are really engaged on the issue of cybersecurity. One report by AT&T found, “75% of companies don’t involve their full boards in cybersecurity oversight, saying it is an IT issue and not a core business concern.” That aligns with my experience, the exception being companies that have suffered a significant breach; not so surprisingly, post-breach companies see a substantial increase in board involvement.
How to Engage Your Board in the Conversation
Change has to come from both inside and out. Security leaders inside of companies have to continue advocating for board engagement and navigating corporate politics to effect change. This work is made harder by the lack of agreed-upon metrics and success criteria in cybersecurity, leaving leaders wondering where to start the conversation with their boards.
Throughout my time as a security practitioner I’ve had the pleasure of working with security-conscious customers stretching across almost every vertical market segment. Something I see time and again is small, medium, and large businesses struggling to implement the fundamental basics of cybersecurity. The greatest source I attribute to this problem is that businesses often believe they are implementing the appropriate protective measures that will effectively manage risk when, in fact, they are not.
It’s January, so lists and predictions abound, and most of them are just fun, with prognosticators having no real stake in the accuracy of their predictions. One trend that caught my eye was the prevalence of lists in the security space that were focused on product vendors and “hot” product companies. Dark Reading’s list of “20 Startups To Watch In 2015” and CRN’s list of “Top 10 Security Vendors To Watch In 2015” were both dominated by product companies. The focus on products implies that CIOs and CISOs are yearning for even more tools to spread across an already thin staff, and that’s not been my experience at all.