The CyberPHIx Roundup: Industry News & Trends, 5/8/23

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry.

In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:

  • The changes to the HHS 405(d) HICP publication on the top 5 threats and top 10 security practices for healthcare
  • The NIST Cyber Security Framework 2.0 Discussion Draft
  • The riskiest connected medical devices and IoT (including nurse call, infusion pumps, and IP cameras)
  • Some free security awareness resources for clinicians from the Health Sector Coordinating Council
  • Moody’s report on healthcare lagging behind other industries in implementing cybersecurity practices
  • OCR regulatory focus on pixel tracking technologies on HIPAA-Covered-Entity websites
  • Some fascinating numbers on the increase in lawsuits after breaches and ransomware payment averages
  • A new ally for security leaders in the Chief Supply Chain Officer (CSCO)
  • And Apple’s new Rapid Security Response updates for iOS, iPadOS, and macOS

PODCAST TRANSCRIPT

Britton: [00:00:15] Hello and welcome to The CyberPHIx Healthcare Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry-leading practices, specifically for the healthcare industry. I'm your host, Britton Burton. In addition to this roundup, be sure to check out our resource center on MeditologyServices.com, which includes our CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational stuff. We have a full agenda to cover today, so let's dive into it. Hello loyal listeners, and welcome back to The CyberPHIx. I appreciate you bearing with me as we had a little bit of a gap in producing a podcast here recently. I had some day job things with our new CORL Cleared product and a little bit of work travel that was taking my time away, and I just couldn't get around to producing an episode. But we are back in the saddle. Don't worry, we are not going away. We just couldn't get one out here in the last few weeks. But there are a ton of topics to cover today and we are ready to dive deep, because a lot has happened since the last time we talked. So let's get going. Our first big topic: the HHS 405(d) program, which of course produced the original HICP, or Health Industry Cybersecurity Practices, back in 2019, has released a new version of the technical volumes, along with two other helpful resources.

Britton: [00:01:43] So let's review what these three new items entail. As you may recall, the HICP publication, some people do call it HICP. I should mention that we have a debate internally at the office whether or not it's hiccup or hiccup. I'm a hiccup guy. You can be a hiccup guy or gal, it's up to you. But for me, you may recall the HICP publication consists of three core documents. There's the main document that outlines the top five threats facing the healthcare sector and instructions on how to use the publication. Then there's Technical Volume One, which provides the top ten cybersecurity practices and the many, many sub-practices underneath that mitigate those five threats for small entities. And then there's Technical Volume Two, which provides the same top ten cybersecurity practices and many more sub-practices for medium and large entities that can be implemented to combat the five threats. So that's the basic makeup: the core document that explains the top five threats, why, how they assembled that data, etcetera. And then two versions of the ten cybersecurity practices, one for small, which has many fewer sub-practices because less resources, less budget, and then one for medium and large, which has many more sub-practices, but all oriented towards combating and mitigating the top five threats. So the working group that produces HICP has always stated that it would be a living document that evolves as the industry and threat landscape changes. And this 2023 change is a reflection of that.

Britton: [00:03:06] This is the first big change. Maybe any change, at least as far as I can remember. But certainly a big change since the original production in 2019. So I wanted to walk through a summary of those changes. You've heard us talk a lot about HICP on this podcast and about recognized security practices and the fact that it's probably going to need to be more widely adopted by a lot of organizations as part of your assessment processes, your risk management processes, your ability to prove compliance processes. And so I wanted to go through it with you today and make sure you're, number one, aware that it's out there, but then also try to walk through the big changes at a high level with you so that you can kind of have the primer that you may need to avoid a little bit of your own research that you have to do. All right. So let's start with a summary of the top five threats. They largely stayed the same, except that the former number one was titled email phishing in the original version. And that has now been changed to social engineering, basically to encompass the expansion of that threat beyond traditional email phishing. So it now includes smishing, whaling, business email compromise and a few other things, along with, again, the mitigation guidance for all of them. The top five in order actually did not change; slight wording changes to a couple that are pretty non-material, but this one changing from email phishing to social engineering as the more broad topic was the biggest change in the five threats.

Britton: [00:04:32] Now, the group that produced it did say that nearly every practice and sub-practice received some kind of updated wording, a better example to go along with the wording of what the sub-practice means, for example. But there are a few highlights of big changes that I'll mention here that the group highlighted as well. So starting with two major updates to practices. So remember, within HICP as a document, there are practices, which are the top ten things, these big, big picture things, big picture kind of control families almost, if you will, and then sub-practices underneath, which are more kind of at the control level and actually mapped to NIST 800-53 controls. So at the practice level, the ten major practices, there were two practice updates. First of all, cybersecurity practice number nine on network-connected medical devices received a full update with several new sub-practices. Cybersecurity practice number ten has been updated from what used to be called cybersecurity policies to now it's called cybersecurity oversight and governance. So it now includes governance and oversight structures that it recommends for each organization to have in place for an effective cybersecurity program. At the sub-practice level, again, wording changes and so on to several of them, but three were actually added as, I guess, net new to the document.

Britton: [00:05:55] Number one, attack simulation was added as a sub-practice under practice number seven for vulnerability management. This guides entities on the importance of performing attack simulations and outlines what to include in your own simulations. The second sub-practice addition, cybersecurity insurance, was added under practice number ten, which again is cybersecurity oversight and governance. And this one provides entities new information on, number one, why cyber insurance is important. And then number two, probably most importantly, what your cybersecurity insurance policy should cover. Obviously a topic again that we cover a lot on this podcast and one that is rife with confusion and uncertainty for a lot. So good to see that. Then the third sub-practice that was added, cybersecurity risk assessment and management, was also added to practice number ten. Again, practice number ten being cybersecurity oversight and governance. This, obviously you could probably tell from the title, provides entities information on how to perform risk assessments and some free federal tools you can utilize to perform your own risk assessment. I got to say, I'm surprised. I don't remember risk assessment and management not being in the original. That seems like a bit of an oversight not to include that, because that's the number one thing that basically every framework starts with for security. So a little bit odd that that wasn't in there, but hey, it's in there now.

Britton: [00:07:14] So that's certainly good. So when it's all said and done, you still have the top five threats and you have the top ten practices to mitigate those threats. And I'm going to run through those real quick in case it's maybe been a while since you've seen this. It's kind of good to just sanity check: if you had to name the top five threats and top ten security practices, what would they be? And see how many of those land on your list. For the top five threats: number one, social engineering. Number two, ransomware. Number three, loss or theft of equipment or data. Number four, insider accidental or malicious data loss. And then number five, attacks against network-connected medical devices. For the top ten practices: number one, email protection systems. Number two, endpoint protection systems. Number three, access management. Number four, data protection and loss prevention. Number five, asset management. Number six, network management. Number seven, vulnerability management. Number eight, incident response. Number nine, network-connected medical device security. And then number ten, cybersecurity oversight and governance. A lot of similarities to the top 20 there. Obviously some different ordering and not as many, but I'm sure there was some standing on the shoulders of giants with this top ten that probably benefited from the top 20. The document itself contains mapping of every practice and sub-practice to the threats it mitigates, as we've discussed, as well as implementation guidance that is, especially within the security landscape of the types of things we're used to reading, actually very practical and understandable.

Britton: [00:08:41] Really, it's a really interesting read in comparison to some of the other documents, without naming names, that you run across in this space that try to give you implementation guidance. This truly is practical and understandable. It also contains links to more in-depth resources for almost every practice, meaning if there are tools out there that can help you accomplish these practices or sub-practices. And maybe one of the coolest things of all, with each practice, each of the top ten practices, it has a whole section within each one of suggested metrics for measuring those practices or controls that you implement. Metrics, I know, is one of those things that most security programs struggle with. Even just coming up with a relatively good metric that gives you value is hard enough. But then, taking that next step and going, can we actually source data for that metric in an efficient way, hopefully automated, not super manual? If it is manual, is it simple to do? That part alone is hard. So just seeing sort of a library of metrics that are relevant to these top ten practices, I think, is just a really good thing for security professionals who don't have time to sit around all day and dream up the metrics they wish they could report on or measure themselves against. So as we've said many times, this is an outstanding resource to use.

Britton: [00:10:02] If you don't really know where to start with conducting a risk assessment of the most relevant threats to your organization, and with HHS announcing that HICP is a recognized security practice late in 2022, you can expect relief from the Office of Civil Rights in case of an investigation due to a complaint or breach. So a lot of reasons that this may make sense to look at, to at the very least incorporate into your SRA process, or if you're still struggling with, don't even really know where to begin with an SRA process, to maybe just have this be your first pass. And I say this alone is not enough. You've got to, you know, apply likelihood and impact ratings. You've got to have a vulnerability component to the threat and control component that exists in HICP. But, man, this gets you like two-thirds of the way there, if not more, in terms of the elements you have to meet to satisfy OCR's expectations for SRA. Great document there. Obviously, one we'll all need to update into whatever frameworks or SRA approaches you're using. We'll certainly be doing that on the Meditology side to help our clients out. But that's not all from HHS 405(d). They've been a very busy group, and this next one is, I think, a welcome option for any health systems that need a little help.

Britton: [00:11:15] Maybe on the security awareness front. They also have produced five cybersecurity trainings that they call Knowledge on Demand, and they of course align with those top five cybersecurity threats outlined in the HICP 2023 publication. So again, that's social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss, and then attacks against network-connected medical devices. So each of these five topics has its own dedicated awareness video, and each one of them includes a job aid, the interactive video itself, a PowerPoint version with presenter notes if you'd prefer to do an in-person version of that training, or, you know, basically don't watch a video, but like, you know, present to your company, even if it's over WebEx or whatever. And then I think, coolest of all, a zip file with all the content packaged up in a way that you can import into your own system if you want to publish there and track compliance, which is actually an obligation under HIPAA and under meeting the recognized security practices, to demonstrate evidence that you're doing security awareness and training. So that's a really cool thing that they did that, too. And I got to say, I watched a couple of them. You know, they're well done. They're each around ten minutes, or less than ten minutes long in several cases. They include knowledge checks, and multiple knowledge checks throughout. And most importantly, in today's modern world of listening to podcasts and watching videos, the ability to set your playback speed so we don't have to sit there and watch it at 1x speed.

Britton: [00:12:49] We can go 1.25, 1.5, 1.75, and 2x. And that is really important, because no one watches in normal speed anymore, when you can watch a ten-minute video in half the time if you can just bump up the speed. Always, always hate it when you don't have that option. So I thought that was cool to see. So a really great resource. Obviously, if you need to do security awareness and training and you either don't have the budget, you don't have the person, the time to produce your own content, this is a great way to cross that item off your list, because it's produced well, it's produced by a group that obviously recognizes and would accept it. The last resource, maybe a little bit less immediately useful for most of you, but if you're a research type, would certainly be of interest. They released what they call the Hospital Cybersecurity Resiliency Landscape Analysis. And according to the release that they produced with this, the landscape analysis conducted a deeper investigative study into both the methods that cyber adversaries are using to compromise US hospitals, disrupt operations and extort for financial gain. It then benchmarked these results to specific practices of the Health Industry Cybersecurity Practices, HICP, in order to outline the most meaningful protections to these specific threats.

Britton: [00:14:05] Those were their words directly from the release. Really, what I'm reading this as is basically it was the updated version of the in-depth study that went into defining the top five threats and then the top ten practices to mitigate. And they're basically just sharing those results with the public in sort of a curated white paper, if you will, about what we learned about the resiliency landscape. There are a lot of interesting sections in there about how they chose the top five threats, what ransomware and disruptions to operations is doing in real, you know, in the real world to hospital systems and the healthcare industry. So lots of interesting stuff in there. One really interesting section is where they basically categorize the ten practices, the ten security practices that make up HICP, into buckets that describe how the healthcare industry as a whole is doing. And those four buckets are: significant progress made; urgent need for improvement, which, unfortunately, is the largest bucket; need for additional research and follow-up; and then further attention is recommended but is not urgent. Kind of an interesting way to bucketize that, maybe worth looking at if you wonder, you know, we're kind of struggling with network management or vulnerability management, where do they put that? There's only one with significant progress made, and that was email protection systems. So that's good. There are five of the ten in urgent need for improvement, and then three in the need for additional research, and then only one in which further attention is recommended but not super urgent, that one being data protection and loss prevention.

Britton: [00:15:36] This overall is really cool to see. Our HHS 405(d) working group, I don't ever really know what to call them, it's not itself an organization. I guess it's HHS 405(d) Working Group. It's really cool to see them continue to evolve and be a value-add resource to the healthcare community. We read articles every day, I know you do, about how cash-strapped and just behind the healthcare industry is. And so things like this are playing a really critical role, especially for the smaller systems, the rural systems, the nonprofit systems, whatever it might be, that just can't invest in the way that some other industries or larger organizations can. You can go a really long way in building a solid security program just based on these resources, the first two obviously, especially if you feel overwhelmed by the NISTs and the ISOs of the world. And then, of course, the good news is that there is NIST control mapping with every single one of the practices and sub-practices. So you can still advance towards those larger frameworks, in the NIST case especially. But it's also very easy to find mappings from ISO to NIST, so you can still advance towards those larger frameworks without duplicating effort.

Britton: [00:16:46] And if you just kind of have the "I don't know where to start, what's a reasonable place?" The fact that this gives you top five threats, gives you ten control areas of urgent need, you know, gives you sub-practices, and also gives you the benefit of, you can prove to OCR that you're meeting recognized security practices. It's tough to argue with putting HICP somewhere in your program. Okay. Speaking of NIST, I want to make sure that you're all aware of the discussion draft for NIST Cybersecurity Framework 2.0 that was published at the end of April. So this is the preliminary early draft of changes that will be ultimately made into CSF 2.0. It's open for comment now, and those comments will be incorporated into the changes that make their way into the completed 2.0 draft. So basically, this is kind of the draft before the draft, if that makes sense at all. Previously, updates to the NIST Cybersecurity Framework were only minor adjustments that occurred every 3 to 5 years. The previous version, or the version that's actually currently published right now, CSF 1.1, was released in 2018. But NIST has said, given the rapid changes happening in cybersecurity, they recognize that there's a need for a significant overhaul of the framework. So this update to 2.0, this sort of pre-draft update, incorporates newer resources on security and privacy while also addressing emerging risks such as supply chain security, a hot topic obviously, as well as some changes in technology.

Britton: [00:18:19] In the latest update to the NIST CSF, several changes have been made to the five core functions of the framework. In fact, there are now six core functions, and we'll talk about that. The new version places a much greater emphasis on, as we mentioned, supply chain risk management. It also talks about threat intelligence a lot more, talks about self-assessment of cybersecurity risk a lot more, and vulnerability disclosure, which is an interesting one that I don't believe was really covered in the previous one. Most notably, there is a proposed sixth top-level function called Govern, that breaks out the organizational context, risk management strategy, roles and responsibilities, and policies and procedures into a section that's fully focused on governance rather than covering those concepts in part or wholly in Identify, which is what the previous version did. So that means we'll need to get used to saying govern, identify, protect, detect, respond, recover. Now I've gotten pretty good at saying identify, protect, detect, respond, and recover. However you say it, I will have to add the G, governance, to the front of that. And also, just interesting to note from the HICP topic that we just covered, they added a governance section as well, and the CSF is in the midst of doing that. I think that speaks to probably what a lot of us have experienced. If you do have a relatively mature security program, still the hardest part can be actually getting the other people in the organization, business owners and, you know, decision-makers that matter beyond technical, beyond cyber, beyond IT, to the table, involved in managing risk, making decisions about risk, cybersecurity risk specifically.

Britton: [00:20:01] So really interesting to see. Obviously there must be an outcry in the industry for two of these major, major publications to be adding it like they are. There's also a new concept called informative examples or implementation examples. I've seen both of those phrases used by NIST, so I'm not really sure what it will actually be called at the end of the day. But either way, basically, they serve as a resource for organizations to understand how to implement the framework in practice. So very important, I just talked about that with HICP and there's some really good practical stuff in there. NIST, I would say, is not always the best with that part. I think maybe this is their effort to try to bridge that gap a little bit. And so basically, it will be a column down the control set, if you will, that provides specific use cases and scenarios that organizations can use as a reference point to align their cybersecurity activities with those core framework functions, offering concrete examples of how the framework can be applied in different situations or how it actually works in practice. So the informative examples column can help organizations tailor their cybersecurity efforts to their unique needs and challenges.

Britton: [00:21:10] That's kind of a word salad from NIST about what they're supposed to be, but here are a few examples. I thought that was the easiest way to kind of bring it home in terms of what these informative examples or implementation examples look like. In the subcategory for identifying vulnerabilities in first-party and third-party assets, one example is: vulnerability scans are performed to identify unpatched and misconfigured software. Okay, that makes sense. Another example is: the authenticity and cybersecurity of critical technology products and services is assessed prior to acquisition and use. And then another one is: facilities housing critical computing assets are assessed for physical vulnerabilities. So there are a few examples. Another couple of examples for you, for the subcategory on monitoring hardware and software for adverse cybersecurity events. One example is: operating systems allow only authorized and integrity-verified software and software updates to be installed. And then another example is: authentication attempts are monitored to identify attacks against credentials and unauthorized credential reuse. So there are only a few of these examples in the discussion draft. They have not written all of those. That's an example, I guess, of what's different between a pre-draft and a draft draft. But if those are received well by, you know, in the comment period by the public who reviews this and comments on it, it sounds like the entirety of the framework would include those.

Britton: [00:22:36] Those were okay, I guess, is how I'd say it. There's some good stuff there. Maybe some room for improvement. I don't know. But anything that, you know, steps towards practical implementation tips with anything in a NIST document, I think is a good step forward. Even if they're not perfect when 2.0 comes out, it's a starting point that can be built upon and can be made more real, more practical in future versions. And maybe they'll just knock it out of the park, and they'll be great the first time out.

Britton: [00:23:05] So the last thing I want to cover here is just the timing. 

Britton: [00:23:07] There's still a ways to go. If you check out the NIST CSF website, you'll find their timeline. It's published at the top of one of the links. They anticipate moving this discussion draft to the final draft in the summer of 2023, leading up to a fall virtual workshop. They've actually had two of those before this to kind of help get to this point. There's one more in the fall, date TBD as of now. And then, after that fall workshop, they'll open up another comment period with what would be called the final draft document. Essentially, that then moves to, all they said is, early 2024. So, number one, I don't think we know exactly what that means. It probably doesn't mean January, but it probably doesn't mean, you know, May, either. And that is their target for publishing the final 2.0 document. So there's your NIST CSF update. Obviously, a lot of us are basing our programs on it at this point. Any changes like this, while we celebrate maybe on one hand that, hey, that's good, they're keeping up with the trends and the threats and that, you know, we've got to adapt to the modern landscape. It's also the groan of, oh no, what does this mean for my GRC and my SRE and my all the things? Right. So you've got to keep your eye on this if it's a core of how you're building your program, and make sure you're on top of it. Moving on, an interesting study conducted by Armis attempted to identify the riskiest medical and IoT devices in a healthcare setting, using vulnerability data from the platform of more than 3 billion assets that they track through their technology.

Britton: [00:24:40] The analysis revealed that nurse call systems are the riskiest connected medical devices, with 39% of them having unpatched critical vulnerabilities and 48% having other unpatched vulnerabilities. Infusion pumps came in as second riskiest, with 27% having at least one unpatched critical vulnerability and 30% having other unpatched. And then third, medication dispensing systems had 4% of devices containing unpatched critical flaws and a little bit of a surprising 86% of other unpatched vulnerabilities. Maybe it's interesting that actually kind of those numbers tell me there's a risk management approach in the industry to those. Those are not the kind of devices you want to be touching a lot, in my experience. Usually, the vendor themselves had to do the patching on them. They wouldn't let the local IT teams do it. And so it kind of tells me they're actually doing pretty good with critical if they're only at 4%, but they just kind of leave the other stuff alone. So that's interesting in and of itself. The analysis also revealed that 32% of those analyzed medication dispensing systems were running on unsupported versions of Windows. So maybe my risk management comment was a little too early there. Across all connected medical devices, 19% were running on unsupported operating systems. I don't think that's probably a shock to most of you. Maybe it's a shock that the number is only 19%. But it's still good data to see. Armis also monitors

Britton: [00:26:09] IP cameras, and found that 56% of those have unpatched critical vulns and 59% had other unpatched vulnerabilities, which makes IP cameras the riskiest IoT devices. Second and third in the IoT space were printers, second with 37% critical unpatched, and VoIP devices with 53% on critical, but only 2% non-critical unpatched. So I brought these up. I know I just threw a ton of numbers at you. I brought these up because I just kind of thought it was a good nugget to consider these kinds of devices for, you know, segmentation or higher scrutiny in your vulnerability management approach, whatever it might be. Because I think all of us kind of, we know the IoT and the IoMT world are problem areas, and we know they're sort of avenues for larger compromise, you know, get into the environment through those vulns, pivot and do damage. But it's such an overwhelming problem, because there are so many IoT devices and medical devices connected now. You kind of go like, well, I can't segment every single IoT or every single medical device, can I? And so maybe just hearing some data like this that's, you know, backed by some real data, the volume of data that you need to actually make some claims like this, and to go, well, maybe if I just start with nurse call systems, infusion pumps, and medication dispensing systems, those on the medical side, and, you know, IP cameras, printers and VoIP devices on the IoT side. At least that's a starting point for what appear to be some of the worst offenders in terms of being vulnerable and being at risk, to do your segmentation, your, you know, your enhanced EDR endpoint protection type things, your enhanced vulnerability monitoring and vulnerability management with those if you can.

Britton: [00:27:58] Of course, the problem with a lot of these is that they're difficult to vulnerability manage. You may not be able to patch them, and that's probably why they're winding up on this list. But I think just seeing the discrete, like these three in IoT, these three in IoMT, was just a really interesting nugget as you think through how to problem solve some of that. The Health Sector Coordinating Council, or the HSCC Cybersecurity Working Group, is working to bridge the gap between the haves and have-nots in healthcare when it comes to cyber. So you may have seen the NIST Cybersecurity Framework implementation guide they released, but I'm actually more interested in covering the eight-part video series they produced. It's called Cybersecurity for the Clinician. So the series consists of eight short videos, each lasting around 5 to 6 minutes, and provides valuable training and awareness information to obvious organizations in healthcare. Videos cover essential cybersecurity topics such as ransomware and medical device security in a way that is intended to be easy to understand and can be integrated into an organization's existing security training programs. The series is actually hosted by a person named Dr. Christian DeMuth. He's an emergency room physician who just sort of dabbles, apparently, in hacking. He's a self-taught hacker, according to the release. So Dr. DeMuth offers actionable tips for clinicians who may find themselves struggling to access medical records or critical devices amid a cyber event, making this series particularly useful for those healthcare professionals who may not have that extensive background in cybersecurity.

Britton: [00:29:30] Personally, I love that it's a doctor doing it. I think there are probably plenty of doctors and other types of clinicians who have heard people like me, their security guy, saying, you know, here's the problem, here's what we need you to do. And, you know, it's easy to tune us out. We can be the boy who cried wolf all too often. But maybe if you hear one of your brethren, you know, speaking on it, it carries a little more weight. 

Britton: [00:29:53] So it's available on YouTube and can be used by private clinical practices or academic institutions. Any type of health care provider of any size really can use this. 

Britton: [00:30:04] They can also be used to obtain CME credit, which is great because, you know, obviously, medical professionals constantly have to get those. The fact that this can be used in that way can drive some attention to it, drive the actual, you know, watching of them. And it also meets documentation requirements for various regulatory bodies, such as the CMS Emergency Preparedness Rule, the National Fire Protection Association, and the Joint Commission for Facility Hazard Vulnerability Analysis and Risk Analysis. So lots of really good sort of boxes you can check, where people who don't live the cybersecurity life every day like us may perk up when they go, hey, wait, we can check a box for this audit we have coming up. Let's do it. And we can get a CE credit for it too. 

Britton: [00:30:50] Let's do it. 

Britton: [00:30:51] The eight topics that are covered are: Cyber Safety is Patient Safety; Healthcare is Critical Infrastructure; Impacts and Consequences of a Cyber Attack; How They Do It (meaning, I assume, how attackers do it); Medical Device Cybersecurity; Tips for Protection; After an Attack; and then a conclusion video. 

Britton: [00:31:11] So, another great resource that's free for any of you who need help with your awareness programs. That's two today. So no more excuses if you're struggling with the awareness program. 

Britton: [00:31:21] Okay. An April report from Moody's confirms what most of us already know. But given that it's from Moody's, I wanted to mention it, because this is not just another cybersecurity firm saying things like this with, really, at the end of the day, simply the goal of driving revenue. This is an independent organization that we trust to report on things like this, and I thought it was fairly important to cover. 

Britton: [00:31:45] So the report is based on healthcare organizations lagging behind other industries in implementing cybersecurity practices. And there were four main takeaways from the report. So I'll just kind of walk through those real quick with you. 

Britton: [00:31:57] First, healthcare organizations have an abundance of data and digital technologies that makes them vulnerable to hackers who could disrupt medical operations and steal sensitive patient data. And that, of course, would result in regulatory consequences and reputational damage. We all know that, right? Here's the key: the health care 

Britton: [00:32:13] industry is lagging behind other industries when it comes to implementing better cybersecurity practices. Particularly, not-for-profit health care organizations are at very high risk, while corporate health care organizations are at high risk of cyber attacks. 

Britton: [00:32:27] Number three, investing in better cybersecurity practices is becoming harder for hospitals and health systems as they face financial strain. Moreover, cyber insurance is increasing, making it more expensive for healthcare organizations to invest in cybersecurity. And then, number four, hospitals and health systems must be transparent in reporting cybersecurity breaches to their stakeholders to develop solutions for dealing with an attack. This transparency can lead to less reputational damage for the organization. So those are the main takeaways. I don't think there's anything there that you don't already know inherently or you haven't heard, but just the fact that it was Moody's and not, you know, Tim's Cybersecurity Consulting Organization, I thought was worth mentioning. 

Britton: [00:33:07] In a story we've covered several times from several angles, the director of the HHS Office for Civil Rights, Melanie Fontes Rainer, confirmed in an interview with ISMG recently that tracking pixels on HIPAA-covered entity websites, and compliance with the HIPAA rules around those pixels, is now an enforcement priority for OCR. She stated that the department is actively looking into noncompliance by HIPAA-covered entities, and that HIPAA-regulated entities that use those tracking technologies to disclose to third parties without authorizations or BAAs should expect enforcement actions to be taken against them very soon. So really strong language there, obviously. Got to have our eyes on this. At this point, this isn't a surprise to anyone. This story has been around for a while. But when the OCR director publicly says it that plainly in an interview, we must mention it here. So if you have not checked your own website footprint for these pixels and assessed what information is flowing, please, please do so immediately. This is an urgent thing that you need to raise the flag on within your organization if you haven't already done so. I think you also have to consider putting contract terms in place with your third parties to make sure they are not using those pixel trackers on data that you might be sending to their websites. That area will probably be the next chain in this event of higher scrutiny on this. 

Britton: [00:34:31] As she said, you can use those technologies if you have a BAA in place or if you obtain that authorization from visitors to your website prior to collection of their PHI. But both of those can be very, very difficult. So I've listened to a few interviews with people much smarter than me, our friends in the legal community, recently, and basically their prevailing guidance is just to turn them off if you can. It's just kind of not worth it, and you've got to have a really good reason to have them running at this point. So please, please ask your marketing folks, your website folks, to do a scan, or contract someone to help you figure out if you're using these, and see if you can turn them off or at the very least minimize the data points that are flowing through them. All right. I read a recent article. This one's going to be kind of metrics and data-point-heavy. I know those can gloss you over when you're listening, but there were some really good ones in here that I thought, you know, when you're building presentations and you need those couple of bullet points on the threat landscape or why the risk is high, these are the kinds of data points that really stand out. So several good ones in here about regulatory and lawsuit pressure. 

Britton: [00:35:37] For example, data breaches of 10,000 to 500,000 records now see an average of 12 to 13 lawsuits filed, but lawsuits are being filed even for smaller data breaches. And the example they give there is that breaches of less than a thousand records typically see four lawsuits filed, according to this. I should have mentioned, 

Britton: [00:36:00] BakerHostetler is the law firm that put this together. And BakerHostetler also said lawsuits have doubled since last year, and we're now at the stage where basically legal action is just almost a certainty following a data breach. That's a topic that Brian Selfridge before me covered frequently, and that I've covered as well, that it's just kind of becoming a part of the deal, maybe more so than ever. And seeing these numbers, you know, 12 to 13 for the 10,000 to 500,000 records, and even with what we would consider a small breach by today's standards, less than a thousand, seeing four lawsuits filed, you've just got to count on that in your risk management modeling and certainly in partnering with your legal teams to know how you're going to respond. Shifting gears a little bit, but in the same report, the average ransom demand and payment increased in six out of the eight industries tracked in 2022 by this BakerHostetler report. 

Britton: [00:36:56] Health care had an average ransom demand of, I'll just say $3.2 million without going to the cents, and the median was $1.475 million in 2022. The average payment increased 78% to about $1.5 million, the median being $500,000. And then paid ransoms just across all industry sectors increased by 15% to $600,000 as an average. And then one more interesting one: in 2022, they say the cost of cyber attacks has risen considerably due to an increase in forensic investigation expenses of 20% from last year.  

Britton: [00:37:35] Some of the other reasons they cited for this 20% increase, other than forensic investigation expenses, were the cost of business disruption, data reviews, notification, and then the indemnity claims that come along with it. Some good news from the same report: companies have improved in detecting and containing cybersecurity incidents. 

Britton: [00:37:56] Dwell time decreased from an average of 66 days in 2021 to 39 days in 2022. So that's good. The time taken for containment fell from four days to three days, and investigation time decreased from 41 days in 2021 to 36 days in 2022. 

Britton: [00:38:13] So, some good news there to end it out. But some interesting numbers. If the numbers bore you, wake back up now, and let's finish the podcast.

Britton: [00:38:22] In the third-party risk realm, according to a recent report by Gartner, Chief Supply Chain Officers, or CSCOs, that was a new acronym for me, so I had to introduce it. If I hadn't heard it, I wouldn't have known what that is. But Chief Supply Chain Officers are feeling increasing pressure and ownership over supply chain cybersecurity. So this is apparently driven by a shift in customer expectations, with cybersecurity risk now becoming a primary buying consideration for these CSCOs when they choose suppliers. Super interesting point, right? The report states that organizations are being held accountable for the security of their suppliers. We certainly know that. And they are now expected to conduct due diligence to ensure that those suppliers are adequately protected against cyber attacks. So this places an increased focus on cybersecurity for these CSCOs and their teams, where maybe it wasn't something top of mind for them before, with the other sorts of costs and pressures they feel when building their supply chains. In addition to the changing expectations of customers, regulatory compliance is a key driver for these CSCOs to prioritize cybersecurity. Basically, these folks are becoming aware that failure to comply with regulations can result in financial penalties and reputational damage, and so on, all the things we're aware of. But they feel that the ball is more in their court because of the supply chain risk trend that is kind of enveloping the industry. So, as a result, those CSCOs are increasingly taking some ownership of supply chain cybersecurity to ensure that their organization and its suppliers are compliant with regulations and, of course, adequately protected against cyber threats. 

Britton: [00:40:00] The report actually mentions that these CSCOs need to collaborate closely with other departments in the business, such as IT, cybersecurity and legal, to manage this supply chain security risk effectively. And this includes implementing risk management strategies for cyber, you know, not just their typical risk management, where I think they think of things like diversification of suppliers. 

Britton: [00:40:22] And, you know, cost management and things like that. That's their traditional lens on risk management, but now including cyber into that and then developing incident response plans and also conducting regular audits and assessments of their suppliers and vendors. 

Britton: [00:40:36] So I thought this was really, really interesting to hear for our heads of cybersecurity out there who listen to this. I know when I was in the role, I always looked for any kind of ally I could find that's more on the business side than you are when you're in security or in IT, because any kind of ally I could find to help with my message was just a massive multiplier of my effectiveness, you know. And those allies usually came from people who had some skin in the game when it came to dealing with the fallout of a cyber security incident. You know, I found, I don't know if you're like this or not, I found that CIOs tended to be my greater allies than the CFOs and CEOs, who were maybe a little less excited to talk to me, because 

Britton: [00:41:24] those CIOs felt so much more of the pain from the disruption that cybersecurity can cause. 

Britton: [00:41:29] So maybe these chief supply chain officers or, you know, other supply chain leaders, if you don't have a chief level, maybe they can be that next ally for you, because they do feel some of that pain, that duty that this is on me to manage risk even though it's got a cyber angle to it. 

Britton: [00:41:48] And the final story for today is a cool one to cover, I think, maybe from a personal standpoint, but also, you know, if you manage MDM for your company. It comes from Apple. If you didn't see this, they're releasing what they call Rapid Security Responses, which is a new software release type for iOS, iPadOS and macOS. Basically, the idea here is to just deliver important security updates in a timely way between the major software updates they release, rather than waiting for 

Britton: [00:42:16] those bigger update packages. Apple states they may be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported 

Britton: [00:42:24] to exist in the wild. So there are some steps an individual user has to take in settings on their device to enable them. I did it. It's very simple. If you Google the term "Rapid Security Responses" for Apple, I think you'll find it very simple to do on your own. And then for Macs as well, if you're in the position of managing your MDM solution or managing patch management for your Macs, I think you probably want to take a look at enabling this en masse 

Britton: [00:42:52] across your organization. Obviously, you have to weigh the risk of whatever possibility of breaking anything if you allow these to happen in some sort of out-of-band way from your typical patching cycles. But I'd say it's at least worth a look when you consider that Apple looks at it through the lens of, you know, things that are actively exploited or reported to exist 

Britton: [00:43:13] in the wild. I think this is a great, really neat thing that they're doing. That's all for this session of The CyberPHIx Health Care Security Roundup. We hope this was informative for you, and we'd love to hear from you if you want to talk about any of this. 

Britton: [00:43:33] Please just reach out to us at [email protected]. That's all for this week. So long, and thanks for everything you do to keep our healthcare organizations safe.