Massive SolarWinds Breach Exposes Supply Chain Risks

A groundbreaking cyberattack against the Texas-based IT network solutions provider SolarWinds has resulted in unauthorized access to a wide range of government and private sector organizations. The extent, scale, and impact of the attack are still being assessed; however, initial indications are that the attack will have lasting security impacts for months and possibly years to come for organizations including healthcare entities.

Buckle Up for Big Regulatory Shifts for HIPAA, HITECH, OCR, & CMS

The era of highly digitized healthcare is upon us. However, there remain multiple obstacles on the patient information superhighway that have been preventing health information transmission from reaching top speeds. That is all about to change due to a fleet of new regulations introduced for HIPAA, HITECH, OCR, and CMS that are scheduled to go into effect in 2021. Recent regulatory updates have been announced that are designed to sidestep and remove several obstacles that have been impeding the sharing of patient information across the continuum of care.

Internet of Things Cybersecurity Improvement Act of 2020

Congress passed the Internet of Things Cybersecurity Improvement Act of 2020 on November 17, 2020. The new law is several years in the making and provides a welcome and much needed step forward for securing the growing network of unmanaged endpoint devices employed by healthcare and other industries. After passing the House, the bill promptly cleared the Senate by unanimous consent. The President signed the bill into law on December 4, 2020.

The FDA’s New Medical Device Development Tools (MDDT) Program

The US Food and Drug Administration (FDA) announced a new Medical Device Development Tools (MDDT) program on October 20, 2020. The MDDT includes information security evaluation criteria for assigning risk ratings to medical device security vulnerabilities. This blog post provides a summary of the FDA’s MDDT program and its applicability for supporting medical device security programs at healthcare delivery organizations.

NIST SP 800-53 Rev 5: Sizing Up the New Security Standard in Town

The National Institute of Standards and Technology (NIST) has announced an updated version of its flagship security controls framework, NIST Special Publication (SP) 800-53. The new version, Revision 5 or “Rev 5”, is the first overhaul of the NIST SP 800-53 framework in over seven years and represents critical updates that reflect the modern cyber threat landscape. This blog post provides insight into the new controls framework version, its differences from prior iterations and other related standards, and its applicability for healthcare organizations.

The Pandemic of Poor Passwords

In almost 20 years of penetration testing and compliance, there is one theme that I have seen that has consistently led to unauthorized access to sensitive information and systems: BAD PASSWORDS. Bad passwords are a disease that has affected most healthcare organizations domestically and globally. The stats from recent breach reports and regulatory bodies indicate that this outbreak is having a material financial and operational impact on our industry.

Provocative PCI DSS v4.0 | New Requirements and Timing Updates

The PCI Security Standards Council has fielded an unprecedented amount of feedback in 2019 and 2020 related to the much-anticipated release of PCI DSS v4.0, due out early next year. Several provisions are proving controversial and generating a healthy debate about effective security controls to stem the torrent of payment card breaches. This blog post provides an overview of some of the more controversial changes proposed in the new PCI standard set for release in 2021.

Navigating the Library of Medical Device Security Standards

Multiple government and industry entities provide regulations and standards for securing medical devices. To date, the relevant regulations and standards have not carried meaningful incentives or disincentives for providers to invest time, resources, and energy to tackle this problem. Private industry consortia provide more prescriptive guidance, but there is no clear, concise framework or standard that is comprehensive and prescriptive enough to tackle the challenge. The result is a hodge-podge of guidance, frameworks, and tools that lacks cohesion. However, each standard and regulatory reference can be a valuable input to a medical device security program if applied in the appropriate areas.