The CyberPHIx Roundup: Industry News & Trends, 9/2/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Big tech firms including Google and Apple make major moves to exit the healthcare industry
  • Amazon moves full steam ahead into healthcare, but is struggling to scale solutions due to IT and cyber staffing skill set shortages
  • Cybersecurity staffing and talent shortage trends and new initiatives from the White House and CISA designed to build the cyber workforce
  • Details of $30b+ cybersecurity investment commitments from President Biden’s summit with ADP, IBM, Apple, Google, Microsoft, Amazon, and other big tech firms
  • New targeting of healthcare business associates and outpatient practices by cyber criminals
  • California breach notification bulletin details from California’s Attorney General and implications for state regulatory enforcement across the country


Brian Selfridge: [00:00:12] Good day and welcome to the CyberPHIx Health Care Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for health care. I'm your host, Brian Selfridge. In addition to this Roundup, be sure to check out our Resource Center on, which includes our CyberPHIx interviews with leading health care security and privacy compliance leaders, as well as blogs, webinars, articles and lots of other educational material. We have some great updates to cover today, so let's dive into it.

Brian Selfridge: [00:00:49] The first big update this week is around a few major moves by big tech firms in the cybersecurity and health care space specifically. Google is reportedly in the process of getting out of the health care business. In 2018, Google's health care initiatives were starting to resemble the health care industry as a whole, with sprawling services and capabilities that really lacked cohesion and integration. At the time, Google hired an industry leader, David Feinberg, to reincarnate the whole Google health model and ecosystem and consolidate their fragmented health care tech. It looks like that last-ditch effort in 2018 is dissolving or has dissolved, as Mr. Feinberg left Google to join Cerner as their CEO this past week. At the same time, Forbes and other news outlets are reporting that an internal memo went out from Google that indicates that they'll be officially shutting down an initiative to consolidate health care endeavors at Google Health. So I think this appears to be a larger trend versus just a single individual shifting around roles.

Brian Selfridge: [00:01:48] Google is reportedly still going to continue to manage their existing health care projects around health records, search platforms, artificial intelligence, the personal health record platform that they've been developing, and other niche solutions that they've worked on. It should be noted, though, that Google also shut down their health vault project in 2019. So it looks like Google Health may go the way of the dodo and become extinct. You know, health care is a wildly complex industry, as you all know that are listening. And the barrier to entry into providing tech and services for the industry has long been known to be pretty formidable. But it's fascinating that a behemoth innovation engine like Google couldn't solve this riddle. Now, as you may recall, Google also had its bouts with the regulated nature of health care when privacy concerns were raised, when they partnered with Ascension Health a couple of years back and started amassing large volumes of patient data; that information, just as a traditional business associate there, wasn't sort of disclosed as anything larger than that. And this was at the same time when Facebook and other tech giants were having some pretty bad PR issues with getting outed for violating privacy norms as well during that time. So health care might just be too complex an animal or too hot to handle for new entrants into the market, even those as big as Google that have been in the market for almost a decade or so, trying to create new solutions.

Brian Selfridge: [00:03:07] So a very interesting trend now. And it's not an isolated situation, because in related news, the tech giant Apple, or just Apple, I'm sure you know who they are, also announced that they're scaling back a strategic health care project called Health Habit, which was targeted to patients to manage their fitness, their hypertension, and communicate with health care providers. And they had rolled this out to their employee base initially as a pilot, and then were looking to scale it out beyond that. But we'll see if this portends a larger trend at Apple as well, you know, that whole run for the hills with health care, with Google sort of moving out, Apple sort of rolling back their projects as well. And I wonder, you know, what will these moves mean for organizations like Amazon, who has a fledgling health care initiative and programs going on as well? They seem to actually be putting more chips on the table into health care rather than walking away or taking steps away the way that these other organizations have, as Amazon has recently launched Amazon Care, and reports have come out that, out of the gate, Amazon is actually struggling to scale the Amazon Care program because it relies pretty heavily on the ability to hire a large volume of health care IT and cyber talent. And we all know here on the CyberPHIx, as you've been listeners and actively following this, that there's been a critical shortage for several years and counting on staffing in these key areas.

Brian Selfridge: [00:04:28] So if that's what Amazon's banking on, hiring up, that's going to be harder than they think. But it's interesting that some organizations like Amazon are still looking at the big financial powerhouse that health care is and still trying to find ways to get inroads into the industry and try to deliver more tech to us. And so it'll be interesting to see how this plays out, and we'll, of course, keep you posted on how it does. Now, on the related theme of sort of staffing shortages, I want to dive into that a little bit deeper, because there's several other items this week that are really kind of highlighting this issue. I can't tell you how many open jailbreaks there are in health care and cybersecurity right now. It's from CISO level, director level, all the way down to entry level roles. There just seems to be a deluge of open positions. And many of our clients here at Meditology are struggling to fill key positions. And the volume of LinkedIn posts that I see, gosh, it's almost like every third post is an open position. Come join us. We have a great team. And these positions are lingering and are having trouble finding the right fit. There's also a significant increase in turnover, partly having to do with sort of the mass resignation of folks following the pandemic and people wanting a change, coupled with just the tight skill set market that we have for cybersecurity.

Brian Selfridge: [00:05:43] So we've also noticed here at Meditology that we've seen a big uptick in placing our virtual CISO and CISO as a Service type of resources that are in high demand, as well as our staff augmentation resources that have, you know, staff level folks and managers that we can deploy out to clients who are really struggling to find, place and train talent, especially with the growing attention, with all of the budgets coming down and the attention from the board funneling into security programs. There's a lot of attention and fortunately a lot of fiscal support for that. But a lot of that requires hiring and placing talent. And it's coming at a time where it's becoming increasingly more difficult to do that. And the breaches and ransomware and everything else are mounting at the same time. So a tricky problem for us all to manage. And the availability of specialized skills like cloud security and cloud architecture roles in particular is extremely limited right now. And the market seems to be clamoring for more help here. So this is a good place for a quick plug and a shout out to the Meditology health care cloud security team. They're just an incredible group of folks, rapidly training the next generation of cloud security experts and creating new services. But we all have a long way to go in this industry toward meeting the overall demand, not only for cloud security stuff, but just overall cybersecurity skills, and to highlight this further:

Brian Selfridge: [00:07:00] President Biden also acknowledged this talent shortfall this week in a cyber summit that he had, where he announced the publication of the US government's cyber talent management system, or CTMS, which is designed to help fill the gap of what they estimate is over 500,000 unfilled cyber jobs for this year, 2021. The Biden administration also raised the top salary figure for cyber officials in the US government to two hundred fifty five thousand dollars to help even start to compete with the industry and private industry demand and pay for top cyber leaders. So that's a step in the right direction as well, to try to get the talent to the government, as well as private sector organizations. Also, the new head of CISA, Jen Easterly, also made comments this week about how they plan to tackle the talent shortage. CISA now aims to hire people who can reverse engineer malware, run analytics on hacks, as well as they want to find recruits who aren't technical by training, but are versatile enough to be assets in other ways. So they're starting to get creative. And I think that's the same thing the private industry has been doing for a while, trying to find talent in other places and help groom and train them to become the leaders that we need them to be and the resources that we need them to be. Same thing that we're doing here in the consulting space for sure.

Brian Selfridge: [00:08:15] Now, stepping back to our tech giant friends for a moment, it's not all doom and gloom with these folks. Some may be taking some steps away from health care, but there are others that are diving in headfirst into cybersecurity investments overall as a response to a recent summit at the White House on this same topic. So let's talk about that a little bit. So as I mentioned earlier, President Biden held a summit of big tech leaders this week to work together to combat the escalating cyber attacks on the U.S. critical infrastructure. As a result, the CEOs from ADP, IBM, Microsoft, Amazon, Apple and some of the major banks and a bunch of other tech firms announced this week that they are pledging over thirty billion dollars over the next several years to invest in cybersecurity protections of critical infrastructure and response capabilities. In fact, a group of CEOs created a list of pledged investments in a wide range of areas. I'm going to summarize them here for you, actually run through them in some detail, but you can check out the full list in the fact sheet that the White House released this week on the same topic. So let me give you a rundown of what was in this commitment letter from the CEOs.

Brian Selfridge: [00:09:26] So they announced, first off, that the National Institute of Standards and Technology, or NIST, will collaborate with the industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain. So that is very much not a surprise. Supply chain was number one on the list. We've been talking about that for months. We know that the federal government is paying a lot of attention to this, as we all are. So this includes putting efforts around security for open source software, as well as organizations like Microsoft, Google, IBM, Travelers Insurance and others who will be involved in that NIST led initiative. So that's great stuff. They also announced in this summit the formal expansion of the industrial control system cybersecurity initiative to a second major sector, natural gas pipelines. So we see more. It's going to sort of roll out. We started with the Colonial Pipeline and we're looking at health care as a critical sector. So that's going to continue to roll our way.

Brian Selfridge: [00:10:22] Apple also announced, even though they're stepping back on some things, they announced they'll establish a new program to drive continuous security improvements throughout the technology supply chain. So once again, see that word supply chain coming back up. As part of the program, Apple's looking to work with its suppliers of more than 9000 organizations in the U.S. to drive the mass adoption of multifactor authentication. That's a big theme we're seeing across the board, and I definitely expect to see regulation around multifactor authentication requirements in the near term, in my view. That's my take on it, just from the trends that we're seeing. But they're also looking to drive adoption of security training, vulnerability remediation, event logging and incident response as well.

Brian Selfridge: [00:11:02] And Google put up a big chip onto the table and announced it will invest 10 billion dollars over the next five years to expand their zero trust, identity and access management programs to help secure the software supply chain. Again, supply chain, big theme. And they announced that it will help 100,000 Americans earn an industry-recognized digital skills certificate that provides the knowledge that can lead to high paying jobs and growth. So keep an eye on that, if you're a staff member out there, if you can get connected into Google's program to help get certified, you might be able to get some subsidization there.

Brian Selfridge: [00:11:34] IBM announced it will train a hundred and fifty thousand people in cybersecurity skills over the next three years and will partner with more than 20 historically black colleges and universities to establish cybersecurity leadership centers and grow a more diverse cybersecurity workforce. So that's very, very useful and helpful.

Brian Selfridge: [00:11:50] Microsoft, not to be outdone, announced it will invest twenty billion dollars. By my count, that's the largest commitment so far of all these groups, over the next five years, to accelerate efforts to integrate cybersecurity by design and deliver advanced security solutions. They said they will make available one hundred and fifty million dollars in technical services to help federal, state and local governments in updating their protections and will expand partnerships with community colleges and nonprofits for cybersecurity training.

Brian Selfridge: [00:12:18] So that's great news. Amazon, who we mentioned earlier is getting more into the health care space, announced it will make available to the public at no charge the same security awareness training that it offers to its employees. And they'll also make available to all Amazon Web Services account holders, at no cost, a multifactor authentication device to protect against cybersecurity threats like phishing and password theft. So that's interesting. They'll send you a device. You know, it's a departure from sort of the phone based multifactor, which is pretty, pretty interesting.

Brian Selfridge: [00:12:47] There were several other organizations, a company called Resilience, a cyber insurance provider, that's saying it's going to help with some conditional coverage and help more organizations get coverage. Although, you know, that's with a grain of salt, as we're seeing the cyber liability insurance providers sort of move the other direction and increase costs for premiums, as well as limit who they're providing coverage to. So that's the macro sort of trend. This Resilience organization sounds like they're making some commitments in the other direction for now. We'll see how that goes. Another organization, Coalition, another cyber insurance provider, is saying similar things. They're going to make their cyber risk assessment and monitoring program available to all organizations. So there's several other organizations that made some commitments. Girls Who Code announced it will provide a credentialing program. The University of Texas health system, or University of Texas system, I should say, more broadly, announced it will be expanding and developing short-term credentials in cyber related fields to strengthen the cybersecurity workforce and will make that available to reskill over one million workers in the U.S.

Brian Selfridge: [00:13:53] So that's pretty cool stuff. And there are some other community colleges that were noted as well. So quite a few. That's obviously a lot of updates for you. But I think those specific commitments are really important to understand where investments are going over the next three to five years with some pretty big money coming out of not only the federal government, but the private sector as well. More coordination across those sectors and very, very interesting updates there.

Brian Selfridge: [00:14:18] In other news this week, a new report was released by a firm called Critical Insight, titled The 2021 Health Care Data Breach Report. There are admittedly not a ton of new insights here that our loyal CyberPHIx audience isn't already aware of, but there are a few data points in the report that I found intriguing and will share with you here and see if you agree. One of them was that they looked at the HHS reported breach data, which is really the primary source for their report; it was a review of the wall of shame, so to speak. And they noted that breaches are increasing in 2021 in particular, specifically for outpatient organizations and third party business associate organizations versus hospital breaches. So that's kind of interesting. And my analysis here is that, you know, the attackers have always followed the path of least resistance to get paid.

Brian Selfridge: [00:15:07] Right. And the least resistant path, you know, right now is using third party business associates in the supply chain, as well as smaller health care organizations like outpatient facilities and specialty practices that have less sophisticated IT and cyber capabilities. Now, this doesn't mean that hospitals are off the hook. They're still seeing strong numbers around that. But there seems to be a bit of a catch-up, almost coming even with the volume of breaches for health systems and hospitals versus these ancillary third party business associates and other providers, kind of 50/50 between the two groups. And part of this trend, I think, is due to the efficiency and effectiveness of new ransomware attack methods that are better and faster than ever at exploiting unpatched systems. Attackers used to focus primarily on human intervention like phishing and social engineering to gain their initial footholds into health care systems and other organizations that they're looking to breach. They're very much still doing that. So their phishing attacks are still getting in that way. But as we've noted in prior CyberPHIx interviews and overviews, things are shifting now to where there's more of a technically focused attack, network based attack, IoT based attacks, as the health care workforce moves remotely and the sprawl of our systems and applications is increasing and adding more vulnerabilities to manage and patch every day. So the bad guys are aware of that and they are taking advantage and doing more technical exploits.

Brian Selfridge: [00:16:33] And I think that's part of the reason why the business associates and smaller organizations are just outmatched, if they're not patching. Where they may have flown under the radar before, they're now just getting beaten up by the fact that they have missing patches that are sort of more automated and exploited by the malicious actors.

Brian Selfridge: [00:16:52] Now for our last update today, and switching gears here a bit, let's move off of some of the federal and macro trends and talk about a story this week out of California around breach notification. Apparently, some California based organizations have been reporting breaches of more than 500 records to HHS, but have failed to report those same breaches to the state of California as required by the state law. California Attorney General Rob Bonta recently issued a bulletin reminding all entities that have the confidential health related information of California residents of their data breach reporting responsibilities under California law, Civil Code section 1798.82. I'm sure you've all memorized that, but he reminded us of that. And whenever there has been a breach of the health data of 500 California residents, a breach report must be submitted to the office of the attorney general, as he reminds everybody. So basically, don't forget about your state laws, folks, right. There are many of them. And they apply to both organizations based in the state where the laws are enacted, as well as any states or organizations that serve patients from those states.

Brian Selfridge: [00:17:59] Very often they're kind of written that way. Massachusetts, California, others are all about following the data of the residents, similar to GDPR in the EU. So keep an eye on your neighboring state regulations as well as your own to understand if you have patients that may be sort of traversing borders. And once you report any breaches to HHS, make sure that those state breach reporting requirements are also taken into consideration so you don't get these attorneys general knocking on your door and enforcing their own penalties in addition to whatever HHS and OCR will desire to do to penalize folks with big breaches.

Brian Selfridge: [00:18:38] So that's all for our session of the CyberPHIx Health Care Security Roundup today. We hope this has been informative for you and we'd love to hear from you if you want to talk about any of this. Just reach out to us at [email protected]. And so long. And thank you for everything you do to keep our health care systems and organizations safe.