The CyberPHIx: Meditology Services Podcast


The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover

Brian Selfridge: Healthcare IT Thought Leader


    • Jul 31, 2023 LATEST EPISODE
    • monthly NEW EPISODES
    • 30m AVG DURATION
    • 115 EPISODES



    Latest episodes from The CyberPHIx: Meditology Services Podcast

    Artificial Intelligence: Use Cases and Cybersecurity & Privacy Implications in Healthcare

    Jul 31, 2023 | 56:38


    Join us for this episode of The CyberPHIx podcast, where we hear from Morgan Hague. Morgan is the manager of IT Risk Management at Meditology Services and has been in the industry for nearly a decade. He has worked with hundreds of organizations in an advisory capacity, helping to assess or audit security functions to drive program maturity. He also leads Meditology's strategic risk management consulting service line and is a subject matter expert in threat mitigation and risk program development.

    Topics covered in this session include:

    • A deep dive into the emerging use cases for AI in the healthcare setting
    • The risks related to AI that defenders need to be aware of, and how real and relevant those risks are in the current state
    • Data poisoning, input manipulation, membership inference, and model inversion
    • AI-driven attacks and human security risks
    • Privacy concerns with the use of AI
    • New regulations coming online that directly affect the use of AI
    • Controls we should be considering for AI
    • Frameworks that already exist to help us understand the control options
    • Some practical tips on where to get started

    The CyberPHIx Roundup: Industry News & Trends, 5/8/23

    May 9, 2023 | 43:58


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:

    • The changes to the HHS 405(d) HICP publication on the top 5 threats and top 10 security practices for healthcare
    • The NIST Cybersecurity Framework 2.0 discussion draft
    • The riskiest connected medical devices and IoT (including nurse call, infusion pumps, and IP cameras)
    • Some free security awareness resources for clinicians from the Health Sector Coordinating Council
    • Moody's report on healthcare lagging behind other industries in implementing cybersecurity practices
    • OCR regulatory focus on pixel tracking technologies on HIPAA Covered Entity websites
    • Some fascinating numbers on the increase in lawsuits after breaches and on ransomware payment averages
    • A new ally for security leaders in the Chief Supply Chain Officer (CSCO)
    • Apple's new Rapid Security Response updates for iOS, iPadOS, and macOS

    HITRUST v11 and Third-Party Risk: Insights from HITRUST Leadership

    Apr 10, 2023 | 46:03


    Join us for this episode of The CyberPHIx podcast, where we hear from Ryan Patrick, Vice President of Adoption at HITRUST. Ryan works with clients to understand and implement the HITRUST-validated assessments that best suit their organization's risk profile. Prior to this role, he spent many years as a security practitioner and IT lead in a wide range of organizations, from the US Army to Covered Entities to healthcare cybersecurity consulting firms. He has a wealth of practical security experience that informs every discussion about security or HITRUST.

    Topics covered in this session include:

    • The new HITRUST v11 and what it means for organizations considering the HITRUST journey
    • HITRUST's traversable levels of assurance, from e1 to i1 to r2
    • The newly created threat-adaptive control selection process HITRUST uses
    • How broken and unsustainable third-party risk management (TPRM) is today
    • How HITRUST services fit into the third-party risk landscape
    • A discussion of the new Health Third Party Trust (H3PT) council and what that group is trying to do to solve TPRM
    • An invitation to meet either of us in person at HIMSS in Chicago, April 17 – 21
    • A cool update on HITRUST's Results Distribution System (RDS) and the automation opportunities it will provide

    The CyberPHIx Roundup: National Cybersecurity Strategy, 3/22/23

    Mar 22, 2023 | 37:21


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. Our host Britton Burton spends this entire episode reviewing and analyzing the recently released National Cybersecurity Strategy, including:

    • Summarizing, and in some cases quoting, the key points from the document that are most relevant to healthcare security pros who may have time to listen but not read
    • Analyzing how those key points will affect the healthcare industry in the coming months and years
    • Explaining how (and when) the rulemaking process might play out
    • The impact this could have on cloud and third-party risk
    • Implications of incident reporting and the positive side of the emphasis on it
    • An interesting wrinkle in the cyber insurance space
    • Increased scrutiny on IoT manufacturers
    • How the technology and software industry is similar to the automotive industry 50 years ago
    • And much more!

    The CyberPHIx Roundup: Industry News & Trends, 3/1/23

    Mar 1, 2023 | 42:35


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:

    • The Federal Trade Commission's (FTC) first Health Breach Notification Rule enforcement action, against GoodRx
    • An unsurprising report from OCR on the Security Rule compliance areas where HIPAA-regulated entities need improvement, plus the most common remediation actions taken by breached entities
    • Semi-definitive information about the date and final rule content of the SEC's looming rule for publicly traded companies on cybersecurity disclosures and risk management
    • NIST's announcement of a new lightweight cryptography algorithm that can be used by IoT and medical devices
    • The disheartening cyber attack on the 988 suicide and mental health helpline
    • Interesting new trend data on the lower volume of healthcare breaches but higher count of individuals affected by those breaches
    • A recent surge in wiper malware attacks, thanks in large part to the Russia/Ukraine war
    • A fascinating narrative on cyber insurance involving the exclusion of nation-state attack vectors from policies, a sharper focus on TPRM programs, and a ransomware gang's unusual request to its victims

    The CyberPHIx Roundup: Industry News & Trends, 2/7/23

    Feb 7, 2023 | 37:14


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:

    • A new National Cybersecurity Strategy coming from the Biden administration in the next few weeks
    • Healthcare cybersecurity legislation with mandatory requirements coming from Senator Mark Warner by the end of 1Q
    • More ChatGPT analysis, on malware writing and on why it is NOT suitable for use in a HIPAA Privacy compliant manner
    • A small hospital in Illinois closes due to COVID expenses and a cyber attack that shut down billing
    • The new Rural Emergency Hospital rule for struggling critical access and rural facilities
    • The impact of travel nursing on cybersecurity
    • FBI and Hive ransomware, plus why the FBI wants more victims to call them
    • Microsoft OneDrive takes first place for cloud app malware distribution
    • A new DDoS threat from KillNet against healthcare and what to do about it
    • An interesting update from the Russia/Ukraine war
    • A call for community help on the evolution of NIST CSF and CSA CCM

    The CyberPHIx Roundup: Industry News & Trends, 1/16/22

    Jan 16, 2023 | 36:37


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:

    • New FDA authority granted by December's omnibus bill is a big step towards better medical device security
    • HITRUST teases their new CSF v11 release
    • CommonSpirit Health class action lawsuit
    • The fallout from the LastPass follow-on breach
    • The possibly similar situation that might be occurring at Okta
    • JAMA Health Forum's outstanding metrics study on ransomware attacks in healthcare from 2016 – 2021
    • The nefarious use cases of OpenAI's ChatGPT
    • Clop ransomware group's tactics for taking advantage of telehealth appointments to deploy malware
    • An apology from the LockBit ransomware group for an attack on a children's hospital (really!)
    • Healthcare CISOs collaborating through Healthe3PT to solve the third-party risk problem
    • A major precedent-setting breach settlement order from the FTC against Drizly and its CEO

    Top 10 Cyber Risk Exposure Trends and Predictions for 2023

    Dec 28, 2022 | 29:55


    The CyberPHIx is your source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights some bold, and some not so bold, predictions for healthcare cybersecurity in 2023. Topics covered include:

    • Continued escalation and evolution of ransomware attacks
    • Our growing dependency on cloud platforms and vendor solutions shifting the attacker's focus and changing breach trends
    • New baseline expectations for critical infrastructure cybersecurity that could lead to increased federal or state level rulemaking
    • Remote work and Zero Trust
    • Medical devices, IoT, OT, & IoMT (oh my!)
    • The rise of the class action lawsuit
    • The continued expansion of, and cool solution ideas for, 3rd and 4th party risk
    • The importance of security assurances and validated assessments / certifications
    • The curious case of cyber liability insurance
    • A new emphasis from the board on cyber resilience and TPRM

    The CyberPHIx Roundup: Industry News & Trends, 12/15/22

    Dec 15, 2022 | 35:20


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this week:

    • OCR releases more detail on their Recognized Security Practices (RSPs) and what they mean for Covered Entities
    • A cool new tool from the FTC for mobile health app developers to quickly determine which security and privacy regulations are in scope for their app
    • Trends in the consumerization of healthcare, with some interesting technology announcements from Amazon and Epic
    • The next step in the Meta Pixel story, including some interesting guidance from OCR on how Covered Entities need to handle these tracking technologies
    • A new Medical Device Security Playbook from a MITRE and FDA collaboration
    • A Moody's report on how inflation is hindering health systems' ability to bolster cybersecurity
    • An interesting impact you may not have expected in the CommonSpirit ransomware story
    • A landmark decision in the realm of cybersecurity insurance in the T-Mobile / Zurich American Insurance case
    • A report from Senator Mark Warner that gives us a glimpse into some regulatory activity we might see in 2023

    Who's the new guy??

    Nov 29, 2022 | 64:20


    Change is on the horizon for The CyberPHIx! Join us as your new host, Britton Burton, interviews your favorite host, Brian Selfridge, to discuss it. This episode is a little different flavor than normal, as your beloved host takes some time to explain what's next for him and to reflect on some really interesting experiences he's enjoyed in his cybersecurity career.

    Topics covered in this session include:

    • The transition of the podcast hosting duties from Brian to Britton
    • What it actually means to be an OCR HIPAA expert witness
    • What interesting trends Brian has seen and knowledge he's gained serving in that role
    • Awesome advice and lessons he's learned from a multi-faceted cybersecurity career journey

    The Game Changer: Envisioning & Delivering Innovations in Healthcare Cyber Risk

    Nov 16, 2022 | 48:16


    Healthcare cybersecurity has seen major game-changing risk management models and companies emerge in the last several decades. These include the introduction of the HITRUST Common Security Framework (CSF) and certification model and the emergence of companies like Meditology Services and CORL Technologies that are dedicated to solving big, complex challenges facing the healthcare industry.

    At the center of these innovative models and new paradigms is one leader in particular: Cliff Baker. Cliff has a long list of accomplishments envisioning and delivering game-changing solutions for healthcare cybersecurity. He began his notable career with PricewaterhouseCoopers (PwC), where he led the organization's national healthcare security practice. Cliff later went on to architect the HITRUST CSF and certification model and founded two industry-leading cybersecurity companies, Meditology Services and CORL Technologies.

    Join us for this episode of the CyberPHIx podcast, where we hear from Cliff Baker, CEO for Meditology Services and CORL Technologies.

    Topics covered in this session include:

    • Leading practices and new models for measuring and reporting cyber risks
    • How to measure the effectiveness of healthcare cybersecurity programs
    • Insights into the inception of the HITRUST certification model and the HITRUST CSF
    • The current state of HITRUST adoption and use cases for the industry
    • Perspectives on the role that HITRUST will play in the next decade for healthcare cybersecurity and third-party vendor risk management (TPRM)
    • The process for envisioning, designing, and implementing game-changing cybersecurity models and companies
    • Solutions and innovations that Cliff is cooking up in the lab to solve the next wave of large, complex challenges facing healthcare cybersecurity
    • How leaders can move from idea to reality for delivering game-changing solutions and companies

    The CyberPHIx Roundup: Industry News & Trends, 11/7/22

    Nov 7, 2022 | 45:07


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    • Deep dive into the new CISA Cybersecurity Performance Goals (CPGs) for healthcare and critical infrastructure
    • NSA releases a new "hacker's playbook" for operational technology (OT) cyberattacks
    • American Hospital Association (AHA) endorses the Healthcare Cybersecurity Act draft bill
    • Gramm-Leach-Bliley Act (GLBA) amendments become effective this December that may bring healthcare into scope for GLBA security requirements and enforcement
    • Massive ransomware outage for CommonSpirit Health impacting over 142 hospitals and the Epic MyChart EHR platform
    • Advances in quantum computing for encryption and the potential for "Q-day" events that could expose all encrypted data to unauthorized decryption
    • HHS warns of common security and system administration tools that are being abused by attackers
    • CISA alert about the Daixin Team ransomware gang targeting healthcare PACS environments via VPN and RDP attacks
    • New stats and guidance on public cloud security trends and recommendations

    Horror Stories: Why Third-Party Vendor Risk Management is So Scary

    Oct 19, 2022 | 44:39


    Over the last few years, third-party vendor risk management (TPRM) has transitioned from a relatively minor part of security and compliance programs for healthcare entities into a massive undertaking with potentially dire consequences if not managed properly. This is one of those topics that seems to really have CISOs shaking in their boots. What makes third-party vendor risk so scary? Why are security leaders having nightmares?

    Join us for this episode of the CyberPHIx podcast, where we hear from James Ballou, Chief Information Security Officer for North American Partners of Anesthesia. James shares insights from his extensive experience managing security teams and third-party risk management programs for leading healthcare organizations.

    Topics covered in this session include:

    • What makes third-party vendor risk management so scary for healthcare cybersecurity and risk professionals?
    • Regulatory requirements related to third-party vendor risk management, including HIPAA and state laws
    • OCR enforcement of third-party business associate compliance mandates
    • Third-party vendor risk governance best practices and models
    • The implications for vendors that acquire certifications including HITRUST, SOC 2, and ISO
    • The limitations of questionnaire-based vendor assessment models
    • Best practices for strategic and operational management of third-party vendor risk management programs in healthcare
    • The future of third-party vendor risk management

    The CyberPHIx Roundup: Industry News & Trends, 10/5/22

    Oct 5, 2022 | 25:31


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    • New Ponemon study that links increased mortality rates and poorer patient outcomes to cyber attacks
    • Massive third-party breach cripples Britain's National Health Service (NHS) via a ransomware attack that takes down 111 services (akin to 911 services in the US)
    • FBI warning and increased reporting of financial processing attacks against healthcare providers via phishing and social engineering
    • Ambry Genetics settles class action lawsuit for $12.5m following 2020 breach of over 230,000 patient records
    • OCR announces $300k settlement related to improper disposal of specimen containers with PHI on labels
    • New FBI report on medical device security vulnerabilities and recommendations for healthcare organizations
    • Updates on cyberwarfare trends stemming from the Russia/Ukraine conflict; Ukraine issues warning to allies of potential new cyberattacks from Russia
    • President Biden signs new cybersecurity guidelines following CISA recommendations
    • New federal cybersecurity requirements from the Office of Management and Budget (OMB) and NIST accreditation for third-party vendor risk management
    • Healthcare sector leads all industries in fixing software security flaws; report highlights and analysis

    CISO's Guide to Making Friends: How to Engage IT for Cybersecurity Initiatives

    Sep 21, 2022 | 47:26


    Engaging IT and other technical stakeholders to support cybersecurity initiatives can be a daunting task for security professionals. We are often the bearers of bad news, or can be perceived as adding to the workloads of already overburdened IT teams. In short, it can be hard to make friends.

    Join us for this episode of the CyberPHIx podcast, where we hear from David Jones, Director of Information Security for RxBenefits, Inc. David has held leadership roles in security, infrastructure, engineering, and networking for a variety of organizations inside and outside of healthcare. He has lived through security program implementations and learned how to work across IT functional groups to break down barriers and achieve mutual objectives. David provides practical insights and guidance for making friends with various IT groups and teams to reduce cybersecurity risks while advancing IT objectives.

    Topics covered in this session include:

    • Explanation of the different technical stakeholder groups that security most commonly needs to engage in support of delivering security programs
    • How to prevent and resolve tension between security teams and server admins, network engineers, help desk, development teams, and more
    • Best practices for engaging server admins and engineers through common security functions such as patching and configuration management
    • Network administrator touchpoints with security and ways to communicate effectively
    • Strategies for embedding security resources with infrastructure teams, and vice versa, to improve collaboration
    • Leading practices for engaging software development, DevOps, and help desk teams
    • How to manage audit fatigue and coordinate efficient audits with IT groups
    • Industry resources, including conferences and training sources, for emerging security and IT personnel

    The CyberPHIx Roundup: Industry News & Trends, 9/8/22

    Sep 8, 2022 | 56:13


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    • Historic breach levels reached for healthcare between 2020 and 2022; trends and analysis
    • Attackers shifting focus to target small hospitals, clinics, and vendors
    • Cisco breach and related impacts on healthcare organization networks
    • Stats from SecureLink's new report on third-party data breaches and analysis of healthcare-specific takeaways
    • LastPass source code breach and potential exposures for individuals and centrally managed healthcare organization passwords
    • Cyber liability trends and the criteria required to obtain and maintain coverage
    • NIST CSF 2.0 workshop highlights and industry feedback
    • TEFCA selects HITRUST's r2 certification for Qualified Health Information Network organizations to prove compliance with security practices
    • Health ISAC (H-ISAC) guidance on zero trust implementation for healthcare entities
    • Guidance from federal agencies on emerging cloud security threats and recommended practices
    • FBI warns of a new sophisticated scam targeting the healthcare workforce
    • New federal advisory related to attacks from "Evil Corp" on the healthcare industry

    Securing the Software Development Lifecycle (SDLC) in Healthcare

    Aug 22, 2022 | 48:43


    Breaches continue to balloon for healthcare applications as the industry drives innovations in virtual care, personalized medicine, and digital healthcare. Organizations that deploy robust application development security programs create the opportunity to identify and correct security weaknesses before products hit the market. Software Development Lifecycle (SDLC) security programs provide the tools, processes, and training required to design products with security in mind and reduce the likelihood of breaches of sensitive information.

    Join us for this episode of the CyberPHIx podcast, where we hear from Ed Adams, CEO for Security Innovation. Security Innovation provides application security services, training, testing, and consulting to healthcare and other industries.

    Topics covered in this session include:

    • Application development security trends
    • The latest threats and vulnerabilities impacting healthcare application development
    • Best practices for securing AppDev, DevOps, and DevSecOps teams and processes
    • Common development misconceptions and missteps that lead to security exposures
    • Security training approaches for healthcare app developers
    • Frameworks and external resources for SDLC security, including OWASP and others
    • Healthcare-specific vulnerabilities and risk exposures identified during application development
    • Third-party and fourth-party risks, including open-source code and IoT devices
    • Budget priorities for SDLC security investments

    The CyberPHIx Roundup: Industry News & Trends, 8/11/22

    Aug 11, 2022 | 35:25


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    • IBM's and Ponemon's annual Cost of a Data Breach Report: summary, analysis, and implications for healthcare
    • Updated NIST guidance on HIPAA compliance approaches and expected practices
    • Facebook (Meta) and healthcare providers targeted with multiple lawsuits over health data privacy practices
    • GAO report warns of catastrophic financial loss due to cyber insurers backing out of covering damages from cyberattacks
    • $100m cost reported for Tenet Healthcare's 2022 cyberattack
    • Major breaches at healthcare vendors OneTouchPoint and Avamere impacting more than 1.5m people
    • Cloud Security Alliance weighs in on third-party risk management in healthcare
    • Large-scale cyberattack campaign targeting over 10,000 organizations in a phishing and financial fraud scheme
    • HHS Health Sector Cybersecurity Coordination Center alert about an increase in web application attacks on the healthcare sector
    • New Ransomware Task Force report targeting government interventions to disrupt ransomware attacks
    • OCR issues 11 new financial penalties over HIPAA Right of Access failures

    Certification Symposium: HITRUST & SOC 2 Leading Practices

    Jul 15, 2022 | 62:52


    Healthcare organizations are ramping up the adoption of enterprise security certifications to provide assurance of their security program and control effectiveness to their customers and partners. Some of the most common security certifications and attestations in healthcare include HITRUST and SOC 2 Type II.

    Join us for our 100TH EPISODE of The CyberPHIx as we hear perspectives from healthcare security leaders on best practices for selecting and acquiring enterprise security certifications. This special symposium is a collection of interviews with stakeholders on all sides of the certification, including healthcare CISOs, assessor and certification specialists, healthcare vendors, healthcare delivery organizations, and certification bodies.

    The Certification Symposium includes highlights from the following healthcare cybersecurity leaders:

    • Michael Parisi - Vice President of Adoption, HITRUST
    • Ed Dame - CISO, Dasher Services
    • Angela Fitzpatrick - Managing Director, Meditology Services
    • Paul Gray - CISO, Meditology Services
    • Bethany Ishii - Director, Meditology Services
    • Deana Fuller - Senior Manager, Meditology Services
    • Ryan Freeman-Jones - Leader, Meditology Services
    • Brandon Weidemann - Manager, Meditology Services
    • Jonathan Elmer - Manager, Meditology Services
    • Derek Vorpahl - Director of Information Security and Risk Management, Davis Vision

    Topics covered in this session include:

    • What are HITRUST and SOC 2 Type II certifications?
    • Business drivers for healthcare organizations to acquire HITRUST & SOC 2 certifications
    • Which certification should we adopt? Comparing and contrasting certification options including HITRUST bC, HITRUST i1, HITRUST r2, SOC 2 Type II, and ISO
    • Common pitfalls for HITRUST certifications
    • Common challenges and pitfalls for SOC 2 Type II examinations
    • Debunking certification myths and misunderstandings
    • Accelerators and best practices for achieving HITRUST and SOC 2 certifications in a timely and cost-effective manner
    • The role that certifications play in supporting HIPAA and OCR compliance
    • Tips for selecting an assessor organization for HITRUST and SOC 2 certifications

    The CyberPHIx Roundup: Industry News & Trends, 6/30/22

    Jun 30, 2022 | 49:33


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    • Bombshell report of hospitals sharing PHI with Facebook
    • HIPAA compliance analysis for covered entities sending PHI to Facebook
    • Legal exposures for sending sensitive information to social media and other website tracking vendors
    • Recommendations for healthcare organizations to assess and respond to patient concerns about unauthorized PHI disclosures to Facebook
    • HHS issues new guidance for healthcare organizations to improve their cyber posture
    • New HIPAA Security Risk Analysis (SRA) tool from OCR
    • New OCR guidance and industry feedback related to "recognized security practices" for healthcare organizations (i.e. safe harbors for OCR enforcement)
    • HHS issues warning to healthcare entities about dangerous Emotet malware proliferation
    • CISA is developing new guidance for helping organizations overcome supply chain risks
    • FBI prevents "despicable" Iranian cyber attack on Boston Children's Hospital
    • DOJ shuts down SSNDOB dark web marketplace
    • Massive arrests and seizures of social engineering attack infrastructure across 76 countries
    • OCR issues guidance on the upcoming expiration of COVID-19 enforcement exemptions for telehealth HIPAA security mandates

    Securing Healthcare.gov & Tackling Fourth-Party Vendor Risks

    Jun 15, 2022 | 38:46


    Join us for this episode of The CyberPHIx podcast, where we hear from Bart Layton, VP of Product for CORL Technologies, who was also a leader on the team that overhauled and secured healthcare.gov. In this two-part conversation, we discuss Bart's insights into the deployment and security of healthcare.gov as well as his perspectives on third- and fourth-party cyber risks for healthcare organizations.

    About Healthcare.gov

    Healthcare.gov is the nation's federal exchange for health insurance coverage that was created from the passing of the Patient Protection and Affordable Care Act (ACA). The initial launch of the website was fraught with challenges and was ultimately "rescued" by a large team contracted to get the site operating in tip-top shape.

    About Fourth-Party Vendor Risks

    Cybercriminals and nation-states have also unleashed relentless cyber-attacks on the U.S. healthcare industry and its suppliers this year. Unfortunately, cyber risk exposures have not been limited to third-party vendors, and risks to sensitive data and systems often extend across the full supply chain, including fourth-party vendors and open-sourced products.

    Topics covered in this session include:

    • What is healthcare.gov?
    • How and why was healthcare.gov overhauled in the early stages of its development?
    • Security challenges and solutions for healthcare.gov that arose during implementation
    • Cloud security considerations for hosted healthcare applications, including healthcare.gov
    • What is fourth-party vendor risk and how is it impacting healthcare organizations?
    • Examples and case studies of prominent fourth-party vendor breaches in healthcare
    • Emerging solutions and innovations in third- and fourth-party vendor risk management
    • New federal regulations and standards for managing supply chain risks

    The CyberPHIx Roundup: Industry News & Trends, 5/26/22

    Play Episode Listen Later May 26, 2022 45:01


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Highlights from the US Senate HELP hearing discussing the threat of cyberattacks on the healthcare industry
    - Healthcare and Public Health Sector Coordinating Council (HSCC) releases new incident response checklist
    - Ransomware growth causes cyber liability insurance costs to skyrocket
    - Cardiologist charged with designing and selling ransomware
    - BakerHostetler data security incident response report highlights and analysis
    - Vendor risk management trends and associated healthcare breaches
    - Solara Medical Supplies proposes a $5 million settlement to resolve class action data breach lawsuit
    - CISA Alert: Weak Security Controls and Practices Routinely Exploited for Initial Access
    - CISA alerts organizations not to install May security patches on Microsoft domain controllers
    - US Department of Health and Human Services (HHS) warning healthcare entities about the aggressive Hive ransomware group
    - A look back on the Conti ransomware group's attacks on 200+ healthcare entities over the last two years
    - HHS information on Russian Advanced Persistent Threat (APT) groups and associated analysis

    The Bleeding Edge: Healthcare Cyber Threats That Cut Deep

    Play Episode Listen Later May 19, 2022 51:01


    Major shifts in the delivery of healthcare are introducing new and unforeseen cybersecurity and privacy risks. Cybersecurity and risk leaders in healthcare must rapidly adapt their programs and protection mechanisms to avoid adverse impacts from evolving cyber threats. Any one of these emerging risk areas can cut deep and have material impacts to patient safety, financials, reputation, and more. In this session, we provide an overview of new cyber threats and solutions through the lens of Ron Belfont, Information Security Officer and Director of Security & Support Services for Bayhealth Medical Center, and his years of experience safeguarding patient information and systems.

    Topics covered in this session include:

    - Internet of Things (IoT) & Internet of Medical Things (IoMT) challenges and solutions
    - Securing health apps and wearables
    - Emerging regulatory changes including HIPAA
    - Cybersecurity approaches for the remote workforce
    - Fourth-party vendor risks and securing the healthcare supply chain
    - Cyberwar and changes to the threat landscape

    The CyberPHIx Roundup: Industry News & Trends, 4/21/22

    Play Episode Listen Later Apr 21, 2022 35:33


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Healthcare Cybersecurity Act introduced in the U.S. Senate; details and analysis of the proposed legislation
    - HHS and OCR seek feedback on new HITECH safe harbors for the adoption of cybersecurity best practices including NIST and HITRUST
    - OCR requests feedback on how HIPAA civil monetary penalties should be shared with individuals that have been victims of breaches
    - University of Pittsburgh Medical Center is required to make payments to 66,000 employees that were victims of a 2014 cyber breach as part of a legal settlement
    - Proposed PATCH Act that would see the FDA require cybersecurity measures for medical device manufacturers; details and analysis
    - New NIST standards for enterprise patch management including NIST SP 800-40 and NIST SP 1800-31
    - FDA releases updated guidance on medical device cybersecurity (in addition to the PATCH Act)
    - Lapsus$ cyber threat group alerts from the Health Sector Cybersecurity Coordination Center (HC3) as well as prominent arrests of the Lapsus$ gang's teenage leader
    - Arrest of ransomware leader responsible for 13 ransomware attacks; details of attacks and sentencing
    - Germany and the U.S. shut down the world's largest illegal darknet marketplace
    - CISA warns of Uninterruptible Power Supply (UPS) device cyberattacks
    - Urgent security alert for Philips MRI monitoring software
    - A new zero-day vulnerability in the Spring Core Java framework called 'Spring4Shell'
    - US State Department announces Bureau of Cyberspace and Digital Policy (CDP)

    Arming the Citizens: Awareness Strategies for Cyber War

    Play Episode Listen Later Apr 13, 2022 28:57


    President Biden issued an alert recently that U.S. companies must ramp up their readiness to anticipate potential cyberattacks from Russia stemming from the conflict in Ukraine. What role do end-users play in protecting healthcare organizations during this ongoing cyberwar? Is the workforce our best defense on the front lines of cyber combat? Join us for this episode of the CyberPHIx podcast where we hear from Eric Bielski, Director of Information Security for Benefit Resource. Eric provides insights into leading practices for cybersecurity awareness programs for healthcare entities.

    Topics covered in this session include:

    - How to make cybersecurity important for the average workforce member
    - Effective deployment vehicles for awareness training
    - Maintaining cybersecurity awareness for hybrid and remote workforces
    - Free resources for security awareness and HIPAA compliance content
    - Top messages for the workforce to combat cyberwar attacks
    - Measuring effectiveness of awareness programs via KPIs
    - Phishing testing and training best practices

    The CyberPHIx Roundup: Industry News & Trends, 3/24/22

    Play Episode Listen Later Mar 24, 2022 42:30


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - President Biden's cybersecurity warning about Russian cyberattacks on U.S. companies
    - New cybersecurity legislation signed that mandates breach reporting within 72 hours
    - SEC proposes new cybersecurity disclosure requirements
    - New FBI & CISA alert on Russian exploitation of multi-factor authentication and the “PrintNightmare” vulnerability
    - Hacktivist attacks on Russian databases, TV broadcasts, weapons manufacturers, websites, and the Russian Roskomnadzor censorship agency
    - Russia's creation of its own TLS Certificate Authority (CA) and implications for Internet accessibility in Russia
    - FBI alert and guidance on the new RagnarLocker ransomware and implications for healthcare entities
    - Details of the new Israel/US collaboration on cybersecurity
    - Analysis of the Access:7 vulnerabilities affecting medical devices and IoT systems
    - OCR / HHS publication and recommendations for healthcare organizations to improve cybersecurity defenses
    - Analysis of the new HIMSS Healthcare Cybersecurity Survey
    - New attacks emerge against Microsoft Teams

    Cyber Trust Falls: How Cybersecurity Enables Trust in Healthcare

    Play Episode Listen Later Mar 15, 2022 40:55


    Who can be trusted to protect sensitive healthcare information and systems amidst a daily barrage of breach events? Healthcare cybersecurity and risk leaders must identify innovative ways to establish and maintain trust in the healthcare ecosystem through cybersecurity programs and functions. This includes being transparent about risk exposures, building relationships internally and externally, responding effectively to breaches, and adopting certification models like HITRUST and SOC 2. In this episode of The CyberPHIx, we hear from Ed Dame, Chief Information Security Officer for Dasher Services, Inc. Ed provides insights and wisdom from his years of experience as a CISO in building relationships and establishing trust.

    Questions covered in this session include:

    - Why is trust important in healthcare settings?
    - How can cybersecurity programs support and sustain trust?
    - What role does transparency play in building or eroding trust?
    - What are the boundaries of accountability for trust for healthcare CISOs, including third- and fourth-party vendors?
    - What role do cybersecurity certifications like HITRUST play in establishing trust with the market?
    - What happens when trust is lost or damaged?
    - Is there a right and wrong way to respond to breaches that impacts trust?
    - What is the difference between reacting and responding to cybersecurity incidents?
    - What is the role of emerging “zero trust” models and terminology in healthcare?

    The CyberPHIx Roundup: Russia/Ukraine Cyberwar Special Edition

    Play Episode Listen Later Mar 3, 2022 36:55


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. Healthcare organizations are scrambling to adjust their cybersecurity preparation and response capabilities in the wake of potential cyber-attacks stemming from the ongoing conflict between Russia and Ukraine. Meditology has been monitoring the situation closely and advising our healthcare clients on the latest threat vectors and response approaches. This special edition of the CyberPHIx podcast provides guidance for US-based healthcare entities on preparing for and responding to cyberattacks and cyberwar tactics deployed as part of this ongoing conflict. We also cover a few other news items trending in healthcare cybersecurity and compliance.

    In this episode, our host Brian Selfridge highlights the following topics:

    - Russia-Ukraine cyberwar overview
    - Russia's cyberwar capabilities & attack methods
    - Analysis of darknet cyberwar activity
    - Guidance from CISA, the FBI, & the NSA on the Russia/Ukraine cyberattacks
    - Recommendations for healthcare cybersecurity leaders to prepare for and respond to cyberwar activities
    - Upcoming deadline for HIPAA breach reporting to HHS
    - Details on a new bill introduced to modernize HIPAA
    - Analysis of the HHS report on securing Electronic Health Records (EHR)

    The CyberPHIx Roundup: Industry News & Trends, 2/11/22

    Play Episode Listen Later Feb 11, 2022 30:34


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Lessons learned from a ransomware attack that encrypted 80% of systems across a 54+ hospital health system
    - HHS publishes a detailed report about ongoing Log4j exposure and recommendations for the healthcare industry
    - REvil ransomware gang shut down and arrested in Russia following US diplomatic pressure and a Russian crackdown
    - Settlement reached in Excellus class action data breach lawsuit
    - Kaspersky publishes report on telehealth adoption and cyber risk escalation
    - Homeland Security launches cyber safety review board to combat supply chain risks
    - NIST releases automation-friendly security and privacy assessment procedures
    - NIST launches new international privacy resources website

    Much Ado About SOC 2: Best Practices for Healthcare SOC 2 Audits

    Play Episode Listen Later Jan 31, 2022 46:17


    Cyberattacks against healthcare organizations and their business associate vendors have begun to threaten patient safety and fundamental business operations. As a result, SOC 2 audit reports have become one of the most common and cost-effective vehicles for healthcare organizations to demonstrate the adoption of controls relevant to security, availability, confidentiality, processing integrity, and privacy. However, acquiring a SOC 2 audit report can be a challenge for many organizations, and questions often arise about how to achieve SOC 2 compliance with the least amount of cost, effort, and time.

    Join us for this episode of The CyberPHIx where we hear from Paul Gray, Chief Information Security Officer for Meditology Services. Paul provides insights from his decades of experience with SOC 2 best practices, including answers to frequently asked questions such as:

    - What is SOC 2 compliance?
    - What are the different types of SOC audits, including SOC 1, SOC 2, and SOC 3?
    - Why do healthcare organizations obtain SOC 2 audit reports?
    - Are healthcare vendors required to obtain SOC 2 reports?
    - What are the AICPA Trust Services Criteria?
    - What other certifications are available for healthcare organizations?
    - What should healthcare organizations do to prepare for a SOC 2 audit?
    - What are critical success factors for a successful SOC 2 engagement?
    - What are some common pitfalls for healthcare organizations seeking to obtain a SOC 2 audit report?

    The CyberPHIx Roundup: Industry News & Trends, 1/13/22

    Play Episode Listen Later Jan 13, 2022 19:16


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Microsoft issues updates on the critical Apache Log4j vulnerability and active exploits
    - HR and payroll giant Kronos experiences weeks-long ransomware outage
    - EHR vendor QRS has been sued for insufficient cybersecurity protections in the wake of a major breach
    - Healthcare provider settles for $425,000 cybersecurity enforcement from NJ state attorney general
    - OCR issues guidance on Extreme Risk Protection Orders
    - HIPAA Privacy Rule and OCR enforcement changes due to come into effect in 2022
    - EHR giant Cerner is acquired by Oracle; implications for healthcare organizations
    - NIST launches new international cybersecurity and privacy resources website
    - Norton antivirus discovered to be pre-loaded with crypto mining software

    Top 10 Healthcare Cybersecurity Predictions for 2022

    Play Episode Listen Later Dec 23, 2021 46:49


    Meditology provides cybersecurity, privacy, and risk support for hundreds of healthcare entities across the country. We have been tracking macro trends in threats, risk exposures, regulations, enforcement, and best practices for healthcare cybersecurity and compliance programs. We have compiled the top cyber risk exposure trends and predictions for 2022 to help you map out your defensive strategy heading into the new year.

    Join us for this special episode of The CyberPHIx podcast where we discuss:

    - A look back at prior healthcare cybersecurity predictions: did we get it right?
    - Trends and predictions for healthcare threat actors, attacks, and methods
    - Healthcare-specific vulnerabilities and risk exposures
    - Regulatory predictions including HIPAA, OCR enforcement, and emerging federal and state laws
    - Legal predictions including cyber liability and class action lawsuits
    - Cybersecurity program investments and constraints including automation and talent shortages

    Healthcare Cybersecurity Rockstars: CISO Highlight Reel

    Play Episode Listen Later Dec 9, 2021 51:49


    Meditology Services hosts the healthcare industry's leading podcast, The CyberPHIx, and has produced over 85 episodes to date. We have had the pleasure and honor of conversing with many of the nation's leaders in healthcare cybersecurity, privacy, and compliance. Join us for this main stage event where we hear from over 20 CISOs and cybersecurity rock stars from the nation's premier healthcare organizations on some of the toughest challenges we face as an industry. Listen in as we hear practical guidance and seasoned insights from CISOs in their own words as they guide us through their thought process and lessons learned.

    This special CyberPHIx episode features a curated collection of highlights as we hear directly from the following industry leaders:

    - HCA Healthcare - Britton Burton, Director of Risk Management
    - Molina Healthcare - Mike Wilson, SVP & CISO
    - Sentara Healthcare - Dan Bowden, VP and CISO
    - Premise Health - Joey Johnson, CISO
    - Children's Healthcare of Atlanta - Stoddard Manikin, CISO
    - Horizon Blue Cross Blue Shield of NJ - Chris Golden, Director of Information Security
    - Children's Mercy Hospital - TJ Mann, CISO
    - Healthix - Nick VanDuyne, SVP/CIO
    - Solution Health - Andrew Seward, CISO
    - CORL Technologies - Devon Wijesinghe, Chief Transformation Officer
    - RiskRecon - Kelly White, CEO
    - Lehigh University - Eric Zematis, CISO
    - Imprivata - Wes Wright, CTO
    - Spiritus - Susan Ramonat, CEO
    - Health Partners Plans - Mark Eggleston, CISO
    - NYC Healthcare - John Jessop, Associate Director of Information Security Programs
    - NASCO - Lauret Howard, Chief Risk Officer
    - Meditology Services - Nadia Fahim-Koster, Partner & Bethany Page, Director

    This session covers the gamut of major cybersecurity and risk trends for healthcare including:

    - HIPAA Compliance and Risk Management
    - Ransomware & Incident Response
    - Third-Party Vendor Risk Management
    - Risk Reporting & Engaging with the Business
    - Cloud Security Risk Management
    - Medical Device & IoT Security
    - Security Certification Options in Healthcare (HITRUST, SOC 2, ISO)

    Grab your leather jacket and dial your headphones' volume up to ‘11’ - you won't want to miss the opportunity to listen in to this many security rock stars in a single session.

    The CyberPHIx Roundup: Industry News & Trends, 12/2/21

    Play Episode Listen Later Dec 2, 2021 23:23


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - FTC Final Rule released: mandatory penetration testing, MFA, vendor risk management, risk assessments, and more; implications for healthcare entities
    - New report on healthcare IoT security operations from CrowdStrike and Medigate
    - CHIME report on the state of cybersecurity for ambulatory and long-term care facilities
    - CISA issues a critical cybersecurity alert related to the holiday season
    - US warning of Iranian government-sponsored attacks underway leveraging Microsoft and Fortinet vulnerabilities
    - HHS issues alert and guidance on the uptick of zero-day attacks on healthcare
    - 2022 trends in advanced persistent threats from Kaspersky

    The CyberPHIx Roundup: Industry News & Trends, 11/18/21

    Play Episode Listen Later Nov 18, 2021 26:22


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Details and analysis of the new CISA incident response and vulnerability response playbooks
    - Cloud Security Alliance (CSA) and healthcare CISOs publish a detailed medical device security playbook
    - Medical device security best practices and program development
    - High-risk alert for Siemens medical device vulnerabilities impacting thousands of devices
    - Emerging trends in healthcare Application Programming Interface (API) adoption, attacks, and mitigation recommendations
    - Ohio hospital diverts ambulances and patients due to ransomware outage
    - International partnerships and agreements with the US, EU, France, and Israel are enacted to address cyberattacks and ransomware
    - US charges two major ransomware operators in continued takedown of the REvil ransomware gang, and other international prosecutions of cybercriminals

    HITRUST Announces New Certification Model: Insights from HITRUST Leadership

    Play Episode Listen Later Nov 9, 2021 55:29


    HITRUST provides a range of cybersecurity and privacy certification and accreditation solutions including their flagship HITRUST CSF certification, which is one of the most widely adopted security frameworks for healthcare organizations. The demand for cybersecurity certifications and assurances like HITRUST is at an all-time high due to escalations in breaches at healthcare entities and their vendors in the supply chain. However, not all certifications are created equal, and the industry is outgrowing the one-size-fits-all certification model. HITRUST has announced new security certification models including the new HITRUST i1 certification. The new HITRUST options are designed to provide more flexibility and speed for HITRUST certifications while reducing the cost and effort to achieve certification.

    Join us for this episode of The CyberPHIx as we hear from Michael Parisi, Vice President of Adoption for HITRUST. We discuss hot-off-the-presses details of HITRUST's new security certification and solutions including:

    - Market trends and demand for security certifications for healthcare entities
    - The history and evolution of security certifications including the HITRUST CSF (now called HITRUST r2), SOC 2, ISO, and others
    - Detailed overview of the new HITRUST i1 certification option
    - HITRUST i1 security control requirements, including the focus on implementation of controls
    - HITRUST i1 certification requirements, timing, level of effort, release schedule, and impact on HITRUST CSF (HITRUST r2) certified entities
    - Breaking news on changes to the Cybersecurity Maturity Model Certification (CMMC) security certification program
    - Details of the HITRUST Basic, Current State Assessment (bC)
    - HITRUST privacy certification updates
    - Details of HITRUST's new Results Distribution System (RDS)

    The CyberPHIx Roundup: Industry News & Trends, 10/27/21

    Play Episode Listen Later Oct 27, 2021 20:30


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Highlights of 25+ Cyber Breaches to Payers, Providers, & Healthcare Vendors in the Last Two Weeks
    - UPMC Hacker Gets 7 Years in Prison
    - HITRUST Deploys a New Certification Option
    - Google Launches AI Pilot with NJ Healthcare Provider
    - Microsoft Launches New Privacy Management Framework for Office 365
    - Tips for Managing Remote and Hybrid Security Teams
    - Russians Continue Aggressive Attacks Despite US Sanctions and Intervention
    - State Department's Plans for New Cybersecurity Office
    - Ransomware Disclosure Act Bill Introduced with 48-hour Reporting Timeframe

    Calling in the Cavalry: A CISO's Perspective on New Federal Cybersecurity Guidance

    Play Episode Listen Later Oct 19, 2021 37:51


    Breaches and ransomware infections are hitting healthcare hard, alongside the critical supply chain that helps keep healthcare operations running. The federal government has been issuing a flurry of guidance, executive orders, draft regulations, diplomacy, and more to try to kickstart our national response to the cyber crisis. We are calling in the cavalry, but will it help? In this episode of The CyberPHIx, we hear from Steve Dunkle, Chief Information Security Officer for Geisinger Health System. Steve is one of the country's leading healthcare cybersecurity leaders, and we get his perspective on some of these federal updates and proposed changes to see how they fare in terms of providing meaningful support and guidance for healthcare organizations.

    We discuss new federal and standards guidance and related trends including:

    - CISA's “Bad Practices” cybersecurity catalog covering end-of-life devices, default passwords, and single-factor authentication
    - Ransomware guidance from the NSA, FBI, and CISA on stopransomware.gov
    - Third-party risk and supply chain risk guidance and pending regulations
    - Strategies for CISO executive success, including a focus on customer service, strategic thinking and planning, networking, and continuous learning
    - Incident response and cyber-resilience guidance
    - OCR enforcement focus areas and HIPAA Security Rule compliance

    The CyberPHIx Roundup: Industry News & Trends, 10/13/21

    Play Episode Listen Later Oct 13, 2021 20:50


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Key takeaways from The Annual Cybersecurity Attitudes and Behaviors Report 2021
    - US Securities and Exchange Commission (SEC) fines for breaches and related news on the focus on third-party risk in stock exchange investments
    - Analysis of a new report from RiskRecon and Cyentia on measuring the ongoing impact of multi-party breaches
    - Discussion of Mandiant's detailed report on the FIN12 criminal gang that is actively targeting the healthcare industry
    - The latest FBI and CISA alerts on the Conti ransomware attacks and recommendations for protecting healthcare organizations

    The CyberPHIx Roundup: Industry News & Trends, 9/29/21

    Play Episode Listen Later Sep 29, 2021 14:58


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - OCR's announcement of new director, Lisa J. Pino
    - FTC expands the Health Breach Notification Rule; implications for healthcare entities and enforcement
    - Healthcare breach highlights including Apple HealthKit, Fitbit, Google Fit, Walgreens, Fortinet, and more
    - Details on the “irrecoverable” EHR ransomware event for an Arizona-based healthcare provider
    - Summary of new Cloud Security Alliance guidance on ransomware protections
    - U.S. Treasury takes action against cryptocurrency in a counter-ransomware initiative

    In the Eye of the Cyber Hurricane: Business Continuity & Emergency Preparedness

    Play Episode Listen Later Sep 23, 2021 27:56


    Cyber hurricanes have been coming in fast and furious for healthcare organizations over the last several years. Their destructive force has left organizations with operational disruptions, financial loss, and reputational damage that may take years to clean up. It is incumbent upon healthcare entities to take advantage of the tame periods between cyber incidents to make investments in preparation and response capabilities. In this episode of The CyberPHIx, we tap into the extensive emergency management experience of Patrick Hinnant, Director of IT Operations, Facilities, and Emergency Management for Trillium Health Resources.

    We discuss approaches for cyber emergency preparedness and several other topics including:

    - Incident response and continuity from the ground-level staff perspective all the way up to the executive level
    - IT help desk and support best practices for incident response
    - Common pitfalls and best practices for emergency response programs
    - IT-specific challenges and approaches to emergency response, including dealing with hybrid and cloud-hosted infrastructures
    - Grappling with cyber incidents and outages involving third-party vendors in the supply chain
    - Evolving models of behavioral health and how to maintain these critical services during the pandemic
    - External resources and guidance for cyber emergency management best practices and standards

    The CyberPHIx Roundup: Industry News & Trends, 9/16/21

    Play Episode Listen Later Sep 16, 2021 20:15


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Details of 15+ breaches of business associate vendors servicing healthcare organizations that occurred in the last two weeks alone
    - Evolving cybercrime business models and the emergence of Initial Access Brokers (IABs)
    - Top cybersecurity and IT certifications that drive the highest salaries for security professionals in the industry
    - Recent OCR enforcement activity and fines for HIPAA Privacy Rule violations
    - Analysis of the cybersecurity “Bad Practices” catalog from CISA and implications for healthcare entities

    The CyberPHIx Roundup: Industry News & Trends, 9/2/21

    Play Episode Listen Later Sep 2, 2021 19:06


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Big tech firms including Google and Apple make major moves to exit the healthcare industry
    - Amazon moves full steam ahead into healthcare, but is struggling to scale solutions due to IT and cyber staffing skill set shortages
    - Cybersecurity staffing and talent shortage trends and new initiatives from the White House and CISA designed to build the cyber workforce
    - Details of $30b+ cybersecurity investment commitments from President Biden's summit with ADP, IBM, Apple, Google, Microsoft, Amazon, and other big tech firms
    - New targeting of healthcare business associates and outpatient practices by cyber criminals
    - California breach notification bulletin details from California's Attorney General and implications for state regulatory enforcement across the country

    The CyberPHIx Roundup: Industry News & Trends, 8/19/21

    Play Episode Listen Later Aug 19, 2021 20:24


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

    - Suing the CISO: analysis of a lawsuit against the SolarWinds CISO
    - Details of Scripps Healthcare's $113m reported revenue loss due to ransomware
    - Cyber liability protection cost increases
    - Analysis of a new report citing $47k per hour downtime costs for breaches
    - Cybersecurity highlights from the HIMSS 2021 conference
    - Newly updated guidance from NIST on developing cyber resilient systems
    - CSO Magazine's 15 top strategic priorities for CISOs
    - Universal decryption key for Kaseya ransomware leaked in hacker forum
    - Accenture's breach of 6 terabytes of data and $50m ransom demand from hackers

    Exploring the UAE's New Healthcare Cyber Regulations

    Play Episode Listen Later Aug 9, 2021 28:59


    New cybersecurity and privacy regulations have recently come into effect in the United Arab Emirates (UAE). These laws are coming at a time when the US, EU, and other countries are poised to introduce new regulations of their own designed to combat the global epidemic of cyber-attacks. Listen in to this episode of The CyberPHIx as we speak with Mohammed Fadlalla, Co-Founder and Privacy Practice Leader for Archlight, the premier provider of healthcare cybersecurity and privacy consulting services in the UAE, Middle East and North Africa regions. In this episode, we discuss details of the emerging cybersecurity regulations and risks in the UAE, as well as their impact on healthcare organizations locally and globally.

    Highlights of the discussion include:

    - Overview of the new UAE cybersecurity and privacy regulations
    - Scope and reach of the regulations and enforcement models
    - Comparison of UAE regulations to HIPAA requirements
    - Details of the healthcare ecosystem in the UAE
    - Implications for vendors, payers, and other players operating in the UAE
    - Privacy expectations for patients in the UAE and healthcare tourism
    - Guidance for getting started with compliance and prioritizing remediation efforts

    The CyberPHIx Roundup: Industry News & Trends, 8/4/21

    Aug 4, 2021 · 19:03


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
    • Analysis of IBM's new 2021 Data Breach Report, including:
        • Impacts on healthcare organizations
        • Healthcare's breach costs and benchmarks against other industries
        • HIPAA compliance implications for breach costs
        • Cloud security breach trends
        • Top sources of breaches and highest risk security domains
        • Ways to reduce breach costs with targeted investments
    • Nine critical vulnerabilities identified for the “Pwned Piper” medical device vulnerability issue and related recommendations
    • Details of President Biden's proposed $9.8b cybersecurity budget
    • President Biden's commentary on the likelihood of cyberwars leading to physical wars
    • The new cybersecurity memorandum released by the White House this week
    • Trends and predictions for new federal and state cybersecurity regulations targeting healthcare

    The CyberPHIx Roundup: Industry News & Trends, 7/21/21

    Jul 21, 2021 · 20:30


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
    • The new DHS CIO speaks out on plans for supply chain risk management
    • PracticeFirst healthcare vendor breach impacting 1.2 million individuals
    • U.S. government launches one-stop shop for ransomware guidance (StopRansomware.gov)
    • CISA publishes cybersecurity guidance for managed services providers in the wake of the Kaseya breach
    • Former NSA director's preview of HIMSS21 presentation on ransomware and cyber risks
    • China formally accused by the EU, UK, US, and others of attacks against Microsoft Exchange
    • New SolarWinds zero-day exploit being used by attackers (second SolarWinds incident)
    • Urgent security warning for SonicWall supply chain solution and patching details
    • HITRUST announces the timing for release of HITRUST CSF version 10
    • Class action lawsuit updates against a PACS vendor, Kroger pharmacy, and Blackbaud

    Who is Responsible for Securing the Supply Chain? Managing Liability for Supply Chain Attacks

    Jul 15, 2021 · 45:49


    Another colossal cyber-attack on the global supply chain took place this month, which saw over 1,500 businesses infected with ransomware via a breach of a third-party vendor, Kaseya. The breach comes on the heels of other large-scale supply chain attacks against SolarWinds, Microsoft, and other major third-party vendors. This brings critical questions to the forefront for our industry: who is accountable for supply chain breaches, and who owns the risk? In this CyberPHIx episode, we attempt to answer these questions in an interview with Eric Zematis, Chief Information Security Officer of Lehigh University. Eric discusses approaches for managing liability for supply chain attacks, including business accountability and communication, cyber liability insurance, third-party vendor obligations, and government intervention. Highlights of the discussion include:
    • Managing and communicating third-party risk with the business
    • Accountability for the business in oversight and management of vendor risk
    • The history and evolution of cyber liability insurance
    • Cyber liability policies and coverage considerations
    • Supply chain vendor accountability before, during, and after breach events
    • Government accountability and roles in combatting supply chain cyber attacks
    • Standards organizations and resources for managing supply chain risks

    The CyberPHIx Roundup: Industry News & Trends, 7/6/21

    Jul 6, 2021 · 34:56


    The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
    • Largest ransomware attack on record impacts 1,500 businesses via third-party Kaseya supply chain breach over the holiday weekend
    • Several large ransomware providers call it quits due to increased scrutiny and pressure
    • Ransomware attack on Ireland health system exceeds $600m in costs and remains active six weeks into the attack
    • Ukrainian police arrest members of CLOP ransomware gang
    • NIST releases draft guidance for Ransomware Risk Management & CISA releases a ransomware self-assessment tool
    • President Biden's summit with Vladimir Putin and directive for a “no hack” list of US critical infrastructure
    • DOJ charges network security executive with hacking a Georgia health system for personal gain
    • One billion CVS records exposed in cloud configuration error breach
    • Details of the Ponemon Institute's new third-party cloud compromise report
    • OIG and FDA updates on medical device security guidance and new GAO cybersecurity recommendations
    • Bipartisan data breach notification bill drafted which includes a 24-hour breach notification requirement
    • Meditology Services was ranked the #1 healthcare security and privacy consulting firm according to a new survey reported by Becker's and Healthcare IT Security magazines

    Healthcare's Secret Identity Problem: Identity & Access Models in a Digital Ecosystem

    Jun 15, 2021 · 36:01


    “Digital identity is the new control fabric,” says our CyberPHIx guest Wes Wright, CTO at Imprivata. Wes is one of the healthcare industry's most experienced technology leaders and has held prior roles as CTO for Sutter Health in California, CIO for Seattle Children's, Executive Director of Information Services for Scripps, and much more. The healthcare industry is moving headlong into digital healthcare models that rely on one common factor: Identity Management. In this episode, Wes shares his thoughts on industry challenges with patient identification and access control models as they relate to our rapid move into a digital healthcare model. We also discuss trends for processes, standards, and technology to address emerging patient and workforce identity challenges, as well as the implications for patient privacy, identity fraud, enterprise security, and much more. Highlights of the discussion include:
    • Patient identification challenges and risk impacts
    • 21st Century Cures Act implications for patient identification
    • Updates to trends in national patient identification
    • HIPAA and regulatory compliance drivers for digital identity management
    • Technology and automation advances in identity and access management
    • The evolution of identity technology and current capabilities
    • Identity and access control models for cloud-hosted and third-party solutions
    • Practical operational guidance for identity management programs to address emerging digital health models

    The CyberPHIx Roundup: Industry News & Trends, 6/7/21

    Jun 7, 2021 · 20:25


    The CyberPHIx Roundup is your quick source for keeping up with the latest in cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
    • Major shifts in cyber liability coverages and protections and results from a recently released U.S. Government Office of Accountability (GAO) report
    • Scripps Health system network outage continues a month after initial cyberattack
    • Russian SolarWinds attackers are back at it with a large spear phishing campaign following a compromise of USAID systems
    • Security firm Rapid7 becomes a victim of a software supply chain breach targeting source code
    • OCR's latest settlement details and analysis on the resolution agreement with Peachstate Health Management
    • OCR and HHS “wall of shame” aggregate reporting trends for 2021 and analysis of major reported breaches this past month
    • U.S. House Committee on Homeland Security advances five new bills to improve cyber defenses
