Healthcare Best Practices for Securing Email

From training / testing staff to implementing DMARC

Special thanks to Justin Armstrong, CISSP, MEDITECH Product Security, for sharing this article in the spirit of helping other H-ISAC member organizations implement DMARC. MEDITECH has been doing DMARC in reject mode for some time.

Email continues to be a major vector of attack. Frequently InfoSec professionals use the analogy that an organization and its defenses are like a castle. It has multiple walls, and perhaps a moat, and this represents the various defenses that are in place. Defense in depth — multiple layers of defenses which overlap — is an important approach to security since security controls can fail, and individual security controls do not protect against every attack. read more…

Information Sharing as a Mitigation Strategy

How Health Sector Organizations Share Cybersecurity

With the growing amount of data that organizations must process on a daily basis, cybersecurity has become a top concern. Current cyber threats are becoming more sophisticated, complex, and widespread. In particular, organizations in the health sector are faced with a larger volume of attempted cybersecurity breaches. This is due to the high value of healthcare information as compared to other types of data under threat and also the necessity for operations to remain up and running for patient safety.

Achieving optimum cyber resiliency is an ongoing and comprehensive process that involves a certain level of information sharing. Sharing of information across organizations is an easy, cost effective way to understand the threats that are present and provide situational awareness to stakeholders on current tactics, techniques and procedures that are being used by threat actors against the industry.

read more…

Tactical Tips for CISO Reporting to the Board

Healthcare Cybersecurity Posture

Just a few years ago, the thought of a Chief Information Security Officer (CISO) having an audience with the board sounded more like a dream come true than reality. Indeed, cybersecurity was not a top priority for most management teams, until the true damage of security breaches started being revealed. Threats such as Spectra made management teams put more focus on healthcare cybersecurity in order to prevent themselves from becoming vulnerable to threats that can cause millions of dollars in damages.

Nowadays, CISOs are having an opportunity to make presentations to the board, whether annually, bi-annually, or quarterly. These presentations are an excellent opportunity for CISOs to advance their agenda within the organization and to strengthen their overall efforts. However, for such a presentation to be successful, CISOs need to be adequately prepared. Many people tend to struggle with the structure of how such a presentation should be conducted and what information should be included. read more…

H-ISAC Collaboration and the MITRE ATT&CK Model

Using Analytics for Proactive Cyber Defense

As the various ISAC’s continue to rally their defenses against the growing number of cyber threats, MITRE has revolutionized the tracking of cyber threat intelligence. The MITRE ATT&CK Model has become the globally recognized knowledgebase for adversarial tactics used by today’s high tech cyber criminals.

While this framework is an excellent start to collecting cyber threat intelligence, it is by no means complete. Because cyber criminals are constantly developing new tactics. The future of this framework and its value to the various Information Sharing and Analysis Centers (ISAC) is fully dependent on a collaborative approach to continuous improvement. As William Barnes, Director of Security Solutions for Pfizer stated recently, “We’re all in this together.” read more…

Significance of Healthcare Delivery Organization & Medical Device Manufacturer Collaboration

Special thanks to the H-ISAC member, a Senior Principal Cyber Security Engineer, R&D, who wrote this article
and in the spirit of information sharing, agreed to let us post it in our Finger on the Pulse blog. 

The number of companies that comprise the current healthcare system is staggering. They range in size from quite small to immensely large and they all are interconnected in one way or another. Their collaborative efforts stretch across the entire continuum of healthcare practices and are immensely efficient. One of the most notable of these efforts is the partnership between health delivery organizations (HDOs) and medical device manufacturers. Together, they provide their patients with the best of the best medical care in the world at a truly affordable cost. According to Senior Principal Cyber Security Engineer, Bill Hagestad, a noted expert on the subject, “the taxonomy of competitiveness has developed into a true collegial cyber cooperative. MDMs now share immense amounts of information with each other about the latest cybersecurity issues.” read more…

The Challenge of Data Security in a Large Enterprise Network – TLP White

The Challenge of Data Security in a Large Enterprise Network

Globally, hundreds of thousands of companies employ “big data” in one way or another. With millions of devices connected to their respective enterprise servers, threat analysis and cyber security become a major challenge. In fact, most major companies have a team dedicated to the threat intelligence process. Here are a few insights into how these computer experts in some instances more formally known as data scientists do what they do with cyber threat intelligence.

Intelligence gathering Identifying the risks associated with an enterprise level asset is the first step in a structured threat intelligence process. On a strategic level, this means producing a long-term overview of the enterprise’s cyber threat landscape. Secondly, on an operational level, it means proactively assessing potential threats associated with ongoing events, incidents and other activity. Lastly, on a tactical level, it means responding to specific real-time events associated with malware, phishing campaigns and other malicious activities. A simple example is the investigation of suspicious emails and the determination of what specific information the sender is seeking.

read more…

Third Party Risk Governance

Third Party Risk Governance
Over the past decade, the number and range of affiliate companies serving the healthcare industry has risen dramatically and become significantly more diverse. In addition, these companies find themselves so interconnected that there are essentially no parties in this industry sector that do not outsource at least some of their data management process. While there are significant benefits to this arrangement, it also poses a problem.
Third party vendors – as well as their own subcontractors – are subject to a variety of disruptive events such as cyber attacks, natural disasters and other data breaches. In fact, in many cases, the subcontractors are actually a more attractive target than the host company. For this single reason, it is essential that a healthcare company develop a Third Party Risk Governance (TPRG) strategy that addresses this specific problem. This article has been compiled from an interview with Maria Spano, Information Security Advisor at Aetna. Here are a few things to consider before implementing a strategy:

read more…