The CyberPHIx: Meditology Services Podcast

Technology Podcasts

The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Location:

United States

Twitter:

@Meditology

Language:

English

Contact:

404.382.7591


Episodes
Artificial Intelligence: Use Cases and Cybersecurity & Privacy Implications in Healthcare

7/31/2023
Join us for this episode of The CyberPHIx podcast, where we hear from Morgan Hague. Morgan is the manager of IT Risk Management at Meditology Services and has been in the industry for nearly a decade. He has worked with hundreds of organizations in an advisory capacity, helping to assess or audit security functions to drive program maturity. He also leads Meditology's strategic risk management consulting service line and is a subject matter expert in threat mitigation and risk program development.

Topics covered in this session include:

- A deep dive into the emerging use cases for AI in the healthcare setting
- The risks related to AI that defenders need to be aware of, and how real and relevant those risks are in the current state
- Data poisoning, input manipulation, membership inference, and model inversion
- AI-driven attacks and human security risks
- Privacy concerns with the use of AI
- New regulations coming online that directly affect the use of AI
- Controls we should be considering for AI
- Frameworks that already exist to help us understand the control options
- And some practical tips on where to get started

Duration: 00:56:38

The CyberPHIx Roundup: Industry News & Trends, 5/8/23

5/9/2023
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:

- The changes to the HHS 405(d) HICP publication on the top 5 threats and top 10 security practices for healthcare
- The NIST Cyber Security Framework 2.0 Discussion Draft
- The riskiest connected medical devices and IoT (including nurse call, infusion pumps, and IP cameras)
- Some free security awareness resources for clinicians from the Health Sector Coordinating Council
- Moody's report on healthcare lagging behind other industries in implementing cybersecurity practices
- OCR regulatory focus on pixel tracking technologies on HIPAA-covered-entity websites
- Some fascinating numbers on the increase in lawsuits after breaches and on ransomware payment averages
- A new ally for security leaders in the Chief Supply Chain Officer (CSCO)
- And Apple's new Rapid Security Response updates for iOS, iPadOS, and macOS

Duration: 00:43:58

HITRUST v11 and Third-Party Risk: Insights from HITRUST Leadership

4/10/2023
Join us for this episode of The CyberPHIx podcast where we hear from Ryan Patrick, Vice President of Adoption at HITRUST. Ryan works with clients to understand and implement the HITRUST-validated assessments that best suit their organization's risk profile. Prior to this role, he spent many years as a security practitioner and IT lead in a wide range of organizations, from the US Army to Covered Entities to healthcare cybersecurity consulting firms. He has a wealth of practical security experience that informs every discussion about security or HITRUST.

Topics covered in this session include:

- The new HITRUST v11 and what it means for organizations who are considering the HITRUST journey
- HITRUST's traversable levels of assurance, from e1 to i1 to r2
- A newly created threat-adaptive control selection process they use
- How broken and unsustainable TPRM (Third Party Risk Management) is today
- How HITRUST services fit into the third-party risk landscape
- A discussion about the new Health Third Party Trust (H3PT) council and what that group is trying to do to solve TPRM
- An invitation to meet either of us in person at HIMSS in Chicago, April 17 – 21
- And a cool update on HITRUST's Results Distribution System (RDS) and the automation opportunities it will provide

Duration: 00:46:03

The CyberPHIx Roundup: National Cybersecurity Strategy, 3/22/23

3/22/2023
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. Our host Britton Burton spends this entire episode reviewing and analyzing the recently released National Cybersecurity Strategy, including:

- Summarizing, and in some cases quoting, the key points from the document that are most relevant to healthcare security pros who may have time to listen but not read
- Analyzing how those key points will affect the healthcare industry in the coming months and years
- Explaining how (and when) the rulemaking process might play out
- The impact this could have on cloud and third-party risk
- Implications of incident reporting and the positive side of the emphasis on it
- An interesting wrinkle in the cyber insurance space
- Increased scrutiny on IoT manufacturers
- How the technology and software industry is similar to the automotive industry 50 years ago
- And much more!

Duration: 00:37:21

The CyberPHIx Roundup: Industry News & Trends, 3/1/23

3/1/2023
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:

- The Federal Trade Commission's (FTC) first Health Breach Notification Rule enforcement action, against GoodRx
- An unsurprising report from OCR on the Security Rule compliance areas where HIPAA-regulated entities need improvement, plus the most common remediation actions taken by breached entities
- Semi-definitive information about the date and final rule content of the SEC's looming rule for publicly traded companies on cybersecurity disclosures and risk management
- NIST's announcement of a new lightweight cryptography algorithm that can be used by IoT and medical devices
- The disheartening cyber attack on the 988 suicide and mental health helpline
- Interesting new trend data on the lower volume of healthcare breaches but higher count of individuals affected by those breaches
- A recent surge in wiper malware attacks, thanks in large part to the Russia/Ukraine war
- A fascinating narrative on cyber insurance involving the exclusion of nation-state attack vectors from policies, a sharper focus on TPRM programs, and a ransomware gang's unusual request to its victims

Duration: 00:42:35

The CyberPHIx Roundup: Industry News & Trends, 2/7/23

2/7/2023
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:

- A new National Cybersecurity Strategy coming from the Biden administration in the next few weeks
- Healthcare cybersecurity legislation with mandatory requirements coming from Senator Mark Warner by the end of 1Q
- More ChatGPT analysis on malware writing, and why it is NOT suitable for use in a HIPAA Privacy compliant manner
- A small hospital in Illinois closes due to COVID expenses and a cyber attack that shut down billing
- The new Rural Emergency Hospital rule for struggling critical access and rural facilities
- The impact of travel nursing on cybersecurity
- FBI and Hive ransomware, and why the FBI wants more victims to call them
- Microsoft OneDrive takes first place for cloud app malware distribution
- A new DDoS threat from KillNet against healthcare and what to do about it
- An interesting update from the Russia/Ukraine war
- A call for community help on the evolution of NIST CSF and CSA CCM

Duration: 00:37:14

The CyberPHIx Roundup: Industry News & Trends, 1/16/22

1/16/2023
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:

- New FDA authority granted by December's omnibus bill is a big step towards better medical device security
- HITRUST teases their new CSF v11 release
- CommonSpirit Health class action lawsuit
- The fallout from the LastPass follow-on breach
- The possibly similar situation that might be occurring at Okta
- JAMA Health Forum's outstanding metrics study on ransomware attacks in healthcare from 2016 – 2021
- The nefarious use cases of OpenAI's ChatGPT
- Clop ransomware group's tactics for taking advantage of telehealth appointments to deploy malware
- An apology from the LockBit ransomware group for an attack on a children's hospital (really!)
- Healthcare CISOs collaborating through Health3PT to solve the third-party risk problem
- A major precedent-setting breach settlement order from the FTC against Drizly and its CEO

Duration: 00:36:36

Top 10 Cyber Risk Exposure Trends and Predictions for 2023

12/28/2022
The CyberPHIx is your source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights some bold, and some not so bold, predictions for healthcare cybersecurity in 2023. Topics covered include:

- Continued escalation and evolution of ransomware attacks
- Our growing dependency on cloud platforms and vendor solutions shifting the attacker's focus and changing breach trends
- New baseline expectations for critical infrastructure cybersecurity that could lead to increased federal or state level rule making
- Remote work and Zero Trust
- Medical devices, IoT, OT, & IoMT (oh my!)
- The rise of the class action lawsuit
- The continued expansion and cool solution ideas for 3rd and 4th party risk
- The importance of security assurances and validated assessments / certifications
- The curious case of cyber liability insurance
- A new emphasis from the board on cyber resilience and TPRM

Duration: 00:29:53

The CyberPHIx Roundup: Industry News & Trends, 12/15/22

12/15/2022
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this week:

- OCR releases more detail on their Recognized Security Practices (RSPs) and what they mean for Covered Entities
- A cool new tool from the FTC for mobile health app developers to quickly determine which security and privacy regulations are in scope for their app
- Trends in the consumerization of healthcare, with some interesting technology announcements from Amazon and Epic
- The next step in the Meta Pixel story, including some interesting guidance from OCR on how Covered Entities need to handle these tracking technologies
- A new Medical Device Security Playbook from a MITRE and FDA collaboration
- A Moody's report on how inflation is hindering health systems' ability to bolster cybersecurity
- An interesting impact you may not have expected in the CommonSpirit ransomware story
- A landmark decision in the realm of cybersecurity insurance in the T-Mobile / Zurich American Insurance case
- A report from Senator Mark Warner that gives us a glimpse into some regulatory activity we might see in 2023

Duration: 00:35:20

The CyberPHIx Roundup: Industry News & Trends, 12/15/22

12/15/2022
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this week:

- OCR releases more detail on their Recognized Security Practices (RSPs) and what they mean for Covered Entities
- A cool new tool from the FTC for mobile health app developers to quickly determine...

Duration: 00:34:02

Who’s the new guy??

11/29/2022
Change is on the horizon for The CyberPHIx! Join us as your new host, Britton Burton, interviews your favorite host, Brian Selfridge, to discuss it. This episode is a little different flavor than normal, as your beloved host takes some time to explain what's next for him and to reflect on some really interesting experiences he's enjoyed in his cybersecurity career.

Topics covered in this session include:

- The transition of the podcast hosting duties from Brian to Britton
- What it actually means to be an OCR HIPAA expert witness
- What interesting trends Brian has seen and knowledge he's gained serving in that role
- Awesome advice and lessons he's learned from a multi-faceted cybersecurity career journey

Duration: 01:04:19

The Game Changer: Envisioning & Delivering Innovations in Healthcare Cyber Risk

11/16/2022
Healthcare cybersecurity has seen major game-changing risk management models and companies emerge in the last several decades. These include the introduction of the HITRUST Common Security Framework (CSF) and certification model and the emergence of companies like Meditology Services and CORL Technologies that are dedicated to solving big, complex challenges facing the healthcare industry.

At the center of these innovative models and new paradigms is one leader in particular: Cliff Baker. Cliff has a long list of accomplishments envisioning and delivering game-changing solutions for healthcare cybersecurity. He began his notable career with PricewaterhouseCoopers (PwC), where he led the organization's national healthcare security practice. Cliff later went on to architect the HITRUST CSF and certification model and founded two industry-leading cybersecurity companies, Meditology Services and CORL Technologies.

Join us for this episode of the CyberPHIx podcast where we hear from Cliff Baker, CEO for Meditology Services and CORL Technologies. Topics covered in this session include:

- Leading practices and new models for measuring and reporting cyber risks
- How to measure the effectiveness of healthcare cybersecurity programs
- Insights into the inception of the HITRUST certification model and the HITRUST CSF
- The current state of HITRUST adoption and use cases for the industry
- Perspectives on the role that HITRUST will play in the next decade for healthcare cybersecurity and third-party vendor risk management (TPRM)
- The process for envisioning, designing, and implementing game-changing cybersecurity models and companies
- Solutions and innovations that Cliff is cooking up in the lab to solve the next wave of large, complex challenges facing healthcare cybersecurity
- How leaders can move from idea to reality for delivering game-changing solutions and companies

Duration: 00:48:15

The CyberPHIx Roundup: Industry News & Trends, 11/7/22

11/7/2022
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

- Deep dive into the new CISA Cybersecurity Performance Goals (CPGs) for healthcare and critical infrastructure
- NSA releases a new "hacker's playbook" for operational technology (OT) cyberattacks
- American Hospital Association (AHA) endorses the Healthcare Cybersecurity Act draft bill
- Gramm-Leach-Bliley Act (GLBA) amendments become effective this December that may bring healthcare into scope for GLBA security requirements and enforcement
- Massive ransomware outage for CommonSpirit Health impacting over 142 hospitals and the Epic MyChart EHR platform
- Advances in quantum computing for encryption and the potential for "Q-day" events that could expose all encrypted data to unauthorized decryption
- HHS warns of common security and system administration tools that are being abused by attackers
- CISA alert about the Daixin Team ransomware gang targeting healthcare PACS environments via VPN and RDP attacks
- New stats and guidance on public cloud security trends and recommendations

Duration: 00:45:07

Horror Stories: Why Third-Party Vendor Risk Management is So Scary

10/19/2022
Over the last few years, third-party vendor risk management (TPRM) has transitioned from being a relatively minor part of security and compliance programs for healthcare entities into a massive undertaking with potentially dire consequences if not managed properly. This is one of those topics that seems to really have CISOs shaking in their boots. What makes third-party vendor risk so scary? Why are security leaders having nightmares?

Join us for this episode of the CyberPHIx podcast where we hear from James Ballou, Chief Information Security Officer for North American Partners of Anesthesia. James shares insights from his extensive experience managing security teams and third-party risk management programs for leading healthcare organizations.

Topics covered in this session include:

- What makes third-party vendor risk management so scary for healthcare cybersecurity and risk professionals?
- Regulatory requirements related to third-party vendor risk management, including HIPAA and state laws
- OCR enforcement of third-party business associate compliance mandates
- Third-party vendor risk governance best practices and models
- The implications for vendors that acquire certifications, including HITRUST, SOC 2, and ISO
- The limitations of questionnaire-based vendor assessment models
- Best practices for strategic and operational management of third-party vendor risk management programs in healthcare
- The future of third-party vendor risk management

Duration: 00:44:39

The CyberPHIx Roundup: Industry News & Trends, 10/5/22

10/5/2022
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

- New Ponemon study that links increased mortality rates and poorer patient outcomes following cyber attacks
- Massive third-party breach cripples Britain's National Health Service (NHS) via a ransomware breach that takes down 111 services (akin to 911 services in the US)
- FBI warning and increased reporting of financial processing attacks against healthcare providers via phishing and social engineering
- Ambry Genetics settles class action lawsuit for $12.5m following 2020 breach of over 230,000 patient records
- OCR announces $300k settlement related to improper disposal of specimen containers with PHI on labels
- New FBI report on medical device security vulnerabilities and recommendations for healthcare organizations
- Updates on cyberwarfare trends stemming from the Russia/Ukraine conflict; Ukraine issues warning to allies of potential new cyberattacks from Russia
- President Biden signs new cybersecurity guidelines following CISA recommendations
- New federal cybersecurity requirements from the Office of Management and Budget (OMB) and NIST accreditation for third-party vendor risk management
- Healthcare sector leads all industries in fixing software security flaws; report highlights and analysis

Duration: 00:25:29

CISO's Guide to Making Friends: How to Engage IT for Cybersecurity Initiatives

9/21/2022
Engaging IT and other technical stakeholders to support cybersecurity initiatives can be a daunting task for security professionals. We are often the bearers of bad news or can be perceived as adding to the workloads of already overburdened IT teams. In short, it can be hard to make friends.

Join us for this episode of the CyberPHIx podcast where we hear from David Jones, Director of Information Security for RxBenefits, Inc. David has held leadership roles in security, infrastructure, engineering, and networking for a variety of organizations inside and outside of healthcare. He has lived through security program implementations and learned how to work across IT functional groups to break down barriers and achieve mutual objectives. David provides practical insights and guidance for making friends with various IT groups and teams to reduce cybersecurity risks while advancing IT objectives.

Topics covered in this session include:

- Explanation of the different technical stakeholder groups that security most commonly needs to engage in support of the delivery of security programs
- How to prevent and resolve tension between security teams and server admins, network engineers, help desk, development teams, and more
- Best practices for engaging server admins and engineers through common security functions such as patching and configuration management
- Network administrator touchpoints with security and ways to communicate effectively
- Strategies for embedding security resources with infrastructure teams and vice versa to improve collaboration
- Leading practices for engaging software development, DevOps, and helpdesk teams
- How to manage audit fatigue and coordinate efficient audits with IT groups
- Industry resources including conferences and training sources for emerging security and IT personnel

Duration: 00:47:24

The CyberPHIx Roundup: Industry News & Trends, 9/8/22

9/8/2022
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

- Historic breach levels reached for healthcare between 2020-2022; trends and analysis
- Attackers shifting focus to target small hospitals, clinics, and vendors
- Cisco breach and related impacts on healthcare organization networks
- Stats from SecureLink's new report on third-party data breaches and analysis of healthcare-specific takeaways
- LastPass source code breach and potential exposures to individuals and centrally-managed healthcare organization passwords
- Cyberliability trends and criteria required to obtain and maintain coverage
- NIST CSF 2.0 workshop highlights and industry feedback
- TEFCA selects HITRUST's r2 certification for Qualified Health Information Network organizations to prove compliance with security practices
- Health ISAC (H-ISAC) guidance on zero trust implementation for healthcare entities
- Guidance from federal agencies on emerging cloud security threats and recommended practices
- FBI warns of a new sophisticated scam targeting the healthcare workforce
- New federal advisory related to attacks from "Evil Corp" on the healthcare industry

Duration: 00:54:34

Securing the Software Development Lifecycle (SDLC) in Healthcare

8/22/2022
Breaches continue to balloon for healthcare applications as the industry continues to drive innovations in virtual care, personalized medicine, and digital healthcare. Organizations that deploy robust application development security programs create the opportunity to identify and correct security weaknesses before products hit the market. Software Development Lifecycle (SDLC) security programs provide the tools, processes, and training required to design products with security in mind and reduce the likelihood of breaches of sensitive information.

Join us for this episode of the CyberPHIx podcast where we hear from Ed Adams, CEO for Security Innovation. Security Innovation provides application security services, training, testing, and consulting to healthcare and other industries.

Topics covered in this session include:

- Application development security trends
- The latest threats and vulnerabilities impacting healthcare application development
- Best practices for securing AppDev, DevOps, and DevSecOps teams and processes
- Common development misconceptions and missteps that lead to security exposures
- Security training approaches for healthcare app developers
- Frameworks and external resources for SDLC security, including OWASP and others
- Healthcare-specific vulnerabilities and risk exposures identified during application development
- Third-party and fourth-party risks, including open-source code and IoT devices
- Budget priorities for SDLC security investments

Duration: 00:47:56

The CyberPHIx Roundup: Industry News & Trends, 8/11/22

8/11/2022
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

- Cost of a Data Breach Report summary, analysis, and implications for healthcare
- Updated NIST guidance on HIPAA compliance approaches and expected practices
- Facebook (Meta) and healthcare providers targeted with multiple lawsuits over health data privacy practices
- GAO report warns of catastrophic financial loss due to cyber insurers backing out of covering damages from cyberattacks
- $100m cost reported for Tenet Healthcare's 2022 cyberattack
- Major breaches at healthcare vendors OneTouchPoint and Avamere impacting more than 1.5m people
- Cloud Security Alliance weighs in on third-party risk management in healthcare
- Large-scale cyberattack campaign targeting over 10,000 organizations in a phishing and financial fraud scheme
- HHS Health Sector Cybersecurity Coordination Center alert about an increase in web application attacks on the healthcare sector
- New ransomware task force report targeting government interventions to disrupt ransomware attacks
- OCR issues 11 new financial penalties over HIPAA Right of Access failures

Duration: 00:34:41

Certification Symposium: HITRUST & SOC 2 Leading Practices

7/15/2022
Healthcare organizations are ramping up the adoption of enterprise security certifications to provide assurance of their security program and control effectiveness to their customers and partners. Some of the most common security certifications and attestations in healthcare include HITRUST and SOC 2 Type II.

Join us for our 100th episode of The CyberPHIx as we hear perspectives from healthcare security leaders on best practices for selecting and acquiring enterprise security certifications. This special symposium is a collection of interviews with stakeholders on all sides of the certification process, including healthcare CISOs, assessor and certification specialists, healthcare vendors, healthcare delivery organizations, and certification bodies.

The Certification Symposium includes highlights from the following healthcare cybersecurity leaders:

- Michael Parisi - Vice President of Adoption, HITRUST
- Ed Dame - CISO, Dasher Services
- Angela Fitzpatrick - Managing Director, Meditology Services
- Paul Gray - CISO, Meditology Services
- Bethany Ishii - Director, Meditology Services
- Deana Fuller - Senior Manager, Meditology Services
- Ryan Freeman-Jones - Leader, Meditology Services
- Brandon Weidemann - Manager, Meditology Services
- Jonathan Elmer - Manager, Meditology Services
- Derek Vorpahl - Director of Information Security and Risk Management, Davis Vision

Topics covered in this session include:

- What are HITRUST and SOC 2 Type II certifications?
- Business drivers for healthcare organizations to acquire HITRUST & SOC 2 certifications
- Which certification should we adopt? Comparing and contrasting certification options including HITRUST bC, HITRUST i1, HITRUST r2, SOC 2 Type II, and ISO
- Common pitfalls for HITRUST certifications
- Common challenges and pitfalls for SOC 2 Type II examinations
- Debunking certification myths and misunderstandings
- Accelerators and best practices for achieving HITRUST and SOC 2 certifications in a timely and cost-effective manner
- The role that certifications play in supporting HIPAA and OCR compliance
- Tips for selecting an assessor organization for HITRUST and SOC 2 certifications

Duration: 01:02:14