The CyberPHIx: Meditology Services Podcast
The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.
info_outline
Artificial Intelligence: Use Cases and Cybersecurity & Privacy Implications in Healthcare
07/31/2023
Artificial Intelligence: Use Cases and Cybersecurity & Privacy Implications in Healthcare
Join us for this episode of The CyberPHIx podcast, where we hear from Morgan Hague. Morgan is the manager of IT Risk Management at Meditology Services and has been in the industry for nearly a decade. He has worked with hundreds of organizations in an advisory capacity helping to assess or audit security functions to drive program maturity. He also leads Meditology’s strategic risk management consulting service line and is a subject matter expert in threat mitigation and risk program development. Topics covered in this session include: A deep dive into the emerging use cases for AI in the healthcare setting The risks related to AI that defenders need to be aware of and how real and relevant those risks are in the current state Data Poisoning, Input Manipulation, Membership Reference & Model Inversion AI-driven attacks and human security risks Privacy concerns with the use of AI New regulations coming online that directly affect the use of AI Controls we should be considering for AI Frameworks that already exist to help us understand the control options And some practical tips on where to get started
/episode/index/show/cyberphix/id/27613377
info_outline
The CyberPHIx Roundup: Industry News & Trends, 5/8/23
05/09/2023
The CyberPHIx Roundup: Industry News & Trends, 5/8/23
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month: The Changes to HHS 405(d) HICP publication on the top 5 threats and top 10 security practices for healthcare The NIST Cyber Security Framework 2.0 Discussion Draft The riskiest connected medical devices and IoT (including nurse call, infusion pumps, and IP cameras) Some free security awareness resources for clinicians from Health Sector Coordinating Moody’s report on healthcare lagging behind other industries in implementing cybersecurity practices OCR regulatory focus on pixel tracking technologies on HIPAA-Covered-Entity websites Some fascinating numbers on the increase in lawsuits after breaches and ransomware payment averages A new ally for security leaders in the Chief Supply Chain Officer (CSCO) And Apple’s new Rapid Security Response updates for iOS, iPadOS, and macOS
/episode/index/show/cyberphix/id/26780049
info_outline
HITRUST v11 and Third-Party Risk: Insights from HITRUST Leadership
04/10/2023
HITRUST v11 and Third-Party Risk: Insights from HITRUST Leadership
Join us for this episode of The CyberPHIx podcast where we hear from Ryan Patrick, Vice President of Adoption at HITRUST. Ryan works with clients to understand and implement the HITRUST-validated assessments that best suit their organization’s risk profile. Prior to this role, he spent many years as a security practitioner and IT lead in a wide range of organizations from the US Army to Covered Entities to healthcare cybersecurity consulting firms. He has a wealth of practical security experience that informs every discussion about security or HITRUST. Topics covered in this session include: The new HITRUST v11 and what it means for organizations who are considering the HITRUST journey HITRUST’s traversable levels of assurance from e1 to i1 to r2 A newly created threat adaptive control selection process they use How broken and unsustainable TPRM (Third Party Risk Management) is today How HITRUST services fit into the third-party risk landscape A discussion about the new Health Third Party Trust (H3PT) council and what that group is trying to do to solve TPRM An invitation to meet either of us in person at HIMSS in Chicago April 17 – 21 And a cool update on HITRUST’s Results Distribution System (RDS) and the automation opportunities it will provide
/episode/index/show/cyberphix/id/26496051
info_outline
The CyberPHIx Roundup: National Cybersecurity Strategy, 3/22/23
03/22/2023
The CyberPHIx Roundup: National Cybersecurity Strategy, 3/22/23
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. Our host Britton Burton spends this entire episode reviewing and analyzing the recently released National Cybersecurity Strategy, including: Summarizing, and in some cases quoting, the key points from the document that are most relevant to healthcare security pros who may have time to listen but not read Analyzing how those key points will affect the healthcare industry in the coming months and years Explaining how (and when) the rulemaking process might play out The impact this could have on cloud and third-party risk Implications of incident reporting and the positive side of the emphasis on it An interesting wrinkle in the cyber insurance space Increased scrutiny on IoT manufacturers How the technology and software industry is similar to the automotive industry 50 years ago And much more!
/episode/index/show/cyberphix/id/26297589
info_outline
THE CYBERPHIX ROUNDUP: INDUSTRY NEWS & TRENDS, 2/7/23
03/01/2023
THE CYBERPHIX ROUNDUP: INDUSTRY NEWS & TRENDS, 2/7/23
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this month: The Federal Trade Commission’s (FTC) first Health Breach Notification Rule Enforcement action against GoodRx An unsurprising report from OCR on security rule compliance areas that HIPAA-regulated entities need improvement plus the most common remediation actions taken by breached entities Semi-definitive information about the date and final rule content of the SEC’s looming rule for publicly traded companies on Cybersecurity disclosures and risk management NIST’s announcement on a new lightweight cryptography algorithm that can be used by IoT and Medical Devices The disheartening cyber attack on the 988 suicide and mental health helpline Interesting new trend data on the lower volume of healthcare breaches but higher count of individuals affected by those breaches A recent surge in Wiper malware attacks, thanks in large part to the Russia/Ukraine war A fascinating narrative on cyber insurance involving exclusion of nation-state attack vectors from policies, sharper focus on TPRM programs, and a ransomware gang’s unusual request to its victims
/episode/index/show/cyberphix/id/26087004
info_outline
THE CYBERPHIX ROUNDUP: INDUSTRY NEWS & TRENDS, 3/1/23
03/01/2023
THE CYBERPHIX ROUNDUP: INDUSTRY NEWS & TRENDS, 3/1/23
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this month: The Federal Trade Commission’s (FTC) first Health Breach Notification Rule Enforcement action against GoodRx An unsurprising report from OCR on security rule compliance areas that HIPAA-regulated entities need improvement plus the most common remediation actions taken by breached entities Semi-definitive information about the date and final rule content of the SEC’s looming rule for publicly traded companies on Cybersecurity disclosures and risk management NIST’s announcement on a new lightweight cryptography algorithm that can be used by IoT and Medical Devices The disheartening cyber attack on the 988 suicide and mental health helpline Interesting new trend data on the lower volume of healthcare breaches but higher count of individuals affected by those breaches A recent surge in Wiper malware attacks, thanks in large part to the Russia/Ukraine war A fascinating narrative on cyber insurance involving exclusion of nation-state attack vectors from policies, sharper focus on TPRM programs, and a ransomware gang’s unusual request to its victims
/episode/index/show/cyberphix/id/26087007
info_outline
The CyberPHIx Roundup: Industry News & Trends, 2/7/23
02/07/2023
The CyberPHIx Roundup: Industry News & Trends, 2/7/23
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this month: A new National Cybersecurity Strategy coming from the Biden administration in the next few weeks Healthcare cybersecurity legislation with mandatory requirements coming from Senator Mark Warner by the end of 1Q More ChatGPT analysis on malware writing and that it is NOT suitable for use in a HIPAA Privacy compliant manner A small hospital in Illinois closes due to COVID expenses and a cyber attack that shut down billing The new Rural Emergency Hospital rule for struggling critical access and rural facilities The impact of travel nursing on cybersecurity FBI and Hive ransomware + why FBI wants more victims to call them Microsoft OneDrive takes first place for cloud app malware distribution A new DDoS threat from KillNet against healthcare and what to do about it An interesting update from the Russian/Ukraine war A call for community help on the evolution of NIST CSF and CSA CCM
/episode/index/show/cyberphix/id/25848384
info_outline
The CyberPHIx Roundup: Industry News & Trends, 1/16/22
01/16/2023
The CyberPHIx Roundup: Industry News & Trends, 1/16/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this month: New FDA authority granted by December’s omnibus bill is a big step towards better medical device security HITRUST teases their new CSF v11 release CommonSpirit Health class action lawsuit The fallout from the LastPass follow-on breach The possibly similar situation that might be occurring at Okta JAMA Health Forum’s outstanding metrics study on ransomware attacks in healthcare from 2016 – 2021 The nefarious use cases of OpenAI’s ChatGPT Clop ransomware group’s tactics for taking advantage of Telehealth appointments to deploy malware An apology from LockBit ransomware group for an attack on a children’s hospital (really!) Healthcare CISOs collaborating thru Healthe3PT to solve the third-party risk problem A major precedent-setting breach settlement order from FTC against Drizly and its CEO
/episode/index/show/cyberphix/id/25621110
info_outline
Top 10 Cyber Risk Exposure Trends and Predictions for 2023
12/28/2022
Top 10 Cyber Risk Exposure Trends and Predictions for 2023
The CyberPHIx is your source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. In this episode, our host highlights some bold, and some not so bold, predictions for healthcare cybersecurity in 2023. Topics covered include: Continued escalation and evolution of ransomware attacks Our growing dependency on cloud platforms and vendor solutions shifting the attacker’s focus and changing breach trends New baseline expectations for critical infrastructure cybersecurity that could lead to increased federal or state level rule making Remote work and Zero Trust Medical devices, IoT, OT, & IoMT (oh my!) The rise of the class action lawsuit The continued expansion and cool solution ideas for 3rd and 4th party risk The importance of security assurances and validated assessments / certifications The curios case of cyber liability insurance A new emphasis from the board on cyber resilience and TPRM
/episode/index/show/cyberphix/id/25449882
info_outline
The CyberPHIx Roundup: Industry News & Trends, 12/15/22
12/15/2022
The CyberPHIx Roundup: Industry News & Trends, 12/15/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this week: OCR releases more detail on their Recognized Security Practices (RSPs) and what they mean for Covered Entities A cool new tool from the FTC for mobile health app developers to quickly determine which security and privacy regulations are in scope for their app Trends in the consumerization of healthcare with some interesting technology announcements from Amazon and Epic The next step in the Meta Pixel story, including some interesting guidance from OCR in how Covered Entities need to handle these tracking technologies A new Medical Device Security Playbook from a MITRE and FDA collaboration A Moody’s report on how inflation is hindering health systems' ability to bolster cybersecurity An interesting impact you may not have expected in the CommonSpirit ransomware story A landmark decision in the realm of cybersecurity insurance in the T-Mobile / Zurich American Insurance case A report from Senator Mark Warner that gives us a glimpse into some regulatory activity we might see in 2023
/episode/index/show/cyberphix/id/25340496
info_outline
Who’s the new guy??
11/29/2022
Who’s the new guy??
Change is on the horizon for The CyberPHIx! Join us as your new host, Britton Burton, interviews your favorite host, Brian Selfridge to discuss it. This episode is a little different flavor than normal as your beloved host takes some time to explain what’s next for him and to reflect on some really interesting experiences he’s enjoyed in his cybersecurity career. Topics covered in this session include: The transition of the podcast hosting duties from Brian to Britton What it actually means to be an OCR HIPAA expert witness What interesting trends Brian has seen and knowledge he’s gained serving in that role Awesome advice and lessons he’s learned from a multi-faceted cybersecurity career journey
/episode/index/show/cyberphix/id/25152816
info_outline
The Game Changer: Envisioning & Delivering Innovations in Healthcare Cyber Risk
11/16/2022
The Game Changer: Envisioning & Delivering Innovations in Healthcare Cyber Risk
Healthcare cybersecurity has seen major game-changing risk management models and companies emerge in the last several decades. These include the introduction of the HITRUST Common Security Framework (CSF) and certification model and the emergence of companies like Meditology Services and CORL Technologies that are dedicated to solving big, complex challenges facing the healthcare industry. At the center of these innovative models and new paradigms is one leader in particular: Cliff Baker. Cliff has a long list of accomplishments envisioning and delivering game-changing solutions for healthcare cybersecurity. He began his notable career with PricewaterhouseCoopers (PwC), where he led the organization’s national healthcare security practice. Cliff later went on to architect the HITRUST CSF and certification model and founded two industry-leading cybersecurity companies, and . Join us for this episode of the CyberPHIx podcast where we hear from Cliff Baker, CEO for Meditology Services and CORL Technologies. Topics covered in this session include: Leading practices and new models for measuring and reporting cyber risks How to measure the effectiveness of healthcare cybersecurity programs Insights into the inception of the HITRUST certification model and the HITRUST CSF The current state of HITRUST adoption and use cases for the industry Perspectives on the role that HITRUST will play in the next decade for healthcare cybersecurity and third-party vendor risk management (TPRM) The process for envisioning, designing, and implementing game-changing cybersecurity models and companies Solutions and innovations that Cliff is cooking up in the lab to solve the next wave of large, complex challenges facing healthcare cybersecurity How leaders can move from idea to reality for delivering game-changing solutions and companies
/episode/index/show/cyberphix/id/25025085
info_outline
The CyberPHIx Roundup: Industry News & Trends, 11/7/22
11/07/2022
The CyberPHIx Roundup: Industry News & Trends, 11/7/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this week: Deep dive into new CISA Cybersecurity Performance Goals (CPGs) for healthcare and critical infrastructure NSA releases new “hacker’s playbook” for operational technology (OT) cyberattacks American Hospital Association (AHA) endorses the Healthcare Cybersecurity Act draft bill Gramm-Leach-Bliley Act (GLBA) amendments become effective this December that may bring healthcare into scope for GLBA security requirements and enforcement Massive ransomware outage for CommonSpirit Health impacting over 142 hospitals and the Epic MyChart EHR platform Advances in quantum computing for encryption and the potential for “Q-day” events that could expose all encrypted data to unauthorized decryption HHS warns of abuse of common security and system administration tools that are being abused by attackers CISA alert about Daixin Team ransomware gang targeting healthcare PACS environments via VPN and RDP attacks New stats and guidance on public cloud security trends and recommendations
/episode/index/show/cyberphix/id/24928461
info_outline
Horror Stories: Why Third-Party Vendor Risk Management is So Scary
10/19/2022
Horror Stories: Why Third-Party Vendor Risk Management is So Scary
The last few years third-party vendor risk management (TPRM) has transitioned from being a relatively minor part of security and compliance programs for healthcare entities into a massive undertaking with potentially dire consequences if not managed properly. This is one of those topics that seems to really have CISOs shaking in their boots. What makes third party vendor risk so scary? Why are security leaders having nightmares? Join us for this episode of the CyberPHIx podcast where we hear from , Chief Information Security Officer for . James shares insights from his extensive experience managing security teams and third-party risk management programs for leading healthcare organizations. Topics covered in this session include: What makes third-party vendor risk management so scary for healthcare cybersecurity and risk professionals? Regulatory requirements related to third-party vendor risk management including HIPAA and state laws OCR enforcement of third-party business associate compliance mandates Third-party vendor risk governance best practices and models The implications for vendors that acquire certifications including HITRUST, SOC 2, and ISO The limitations of questionnaire-based vendor assessment models Best practices for strategic and operational management of third-party vendor risk management programs in healthcare The future of third-party vendor risk management
/episode/index/show/cyberphix/id/24710778
info_outline
The CyberPHIx Roundup: Industry News & Trends, 10/5/22
10/05/2022
The CyberPHIx Roundup: Industry News & Trends, 10/5/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this week: New Ponemon study that links increased mortality rates and poorer patient outcomes following cyber attacks Massive third-party breach cripples Britain’s National Health Service (NHS) via ransomware breach that takes down 111 services (akin to 911 services in the US) FBI warning and increased reporting of financial processing attacks against healthcare providers via phishing and social engineering Ambry Genetics settles class action lawsuit for $12.5m following 2020 breach of over 230,000 patient records OCR announces $300k settlement related to improper disposal of specimen containers with PHI on labels New FBI report on medical device security vulnerabilities and recommendations for healthcare organizations Updates on cyberwarfare trends stemming from the Russia/Ukraine conflict; Ukraine issues warning to allies of potential new cyberattacks from Russia President Biden signs new cybersecurity guidelines following CISA recommendations New federal cybersecurity requirements from the Office of Management and Budget (OMB) and NIST accreditation for third-party vendor risk management Healthcare sector leads all industries in fixing software security flaws; report highlights and analysis
/episode/index/show/cyberphix/id/24583419
info_outline
CISO's Guide to Making Friends: How to Engage IT for Cybersecurity Initiatives
09/21/2022
CISO's Guide to Making Friends: How to Engage IT for Cybersecurity Initiatives
Engaging IT and other technical stakeholders to support cybersecurity initiatives can be a daunting task for security professionals. We are often the bearers of bad news or can be perceived as adding to the workloads of already overburdened IT teams. In short, it can be hard to make friends. Join us for this episode of the CyberPHIx podcast where we hear from , Director of Information Security for . David has held leadership roles in security, infrastructure, engineering, and networking for a variety of organizations inside and outside of healthcare. He has lived through security program implementations and learned how to work across IT functional groups to break down barriers and achieve mutual objectives. David provides practical insights and guidance for making friends with various IT groups and teams to reduce cybersecurity risks while advancing IT objectives. Topics covered in this session include: Explanation of the different technical stakeholder groups that security most commonly needs to engage in support of the delivery of security programs How to prevent and resolve tension between security teams and server admins, network engineers, help desk, development teams, and more Best practices for engaging server admins and engineers through common security functions such as patching and configuration management Network administrator touchpoints with security and ways to communicate effectively Strategies for embedding security resources with infrastructure teams and vice versa to improve collaboration Leading practices for engaging software development, DevOps, and helpdesk teams How to manage audit fatigue and coordinate efficient audits with IT groups Industry resources including conferences and training sources for emerging security and IT personnel
/episode/index/show/cyberphix/id/24434772
info_outline
The CyberPHIx Roundup: Industry News & Trends, 9/8/22
09/08/2022
The CyberPHIx Roundup: Industry News & Trends, 9/8/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this week: Historic breach levels reached for healthcare between 2020-2022; trends and analysis Attackers shifting focus to target small hospitals, clinics, and vendors Cisco breach and related impacts on healthcare organization networks Stats from SecureLink’s new report on third-party data breaches and analysis of healthcare-specific takeaways LastPass source code breach and potential exposures to individuals and centrally-managed healthcare organization passwords Cyberliability trends and criteria required to obtain and maintain coverage NIST CSF 2.0 workshop highlights and industry feedback TEFCA selects HITRUST’s r2 certification for Qualified Health Information Network organizations to prove compliance with security practices Health ISAC (H-ISAC) guidance on zero trust implementation for healthcare entities Guidance from federal agencies on emerging cloud security threats and recommended practices FBI warns of new sophisticated scam targeting the healthcare workforce New federal advisory related to attacks from “Evil Corp” on the healthcare industry
/episode/index/show/cyberphix/id/24310461
info_outline
Securing the Software Development Lifecycle (SDLC) in Healthcare
08/22/2022
Securing the Software Development Lifecycle (SDLC) in Healthcare
Breaches continue to balloon for healthcare applications as the industry continues to drive innovations in virtual care, personalized medicine, and digital healthcare. Organizations that deploy robust application development security programs create the opportunity to identify and correct security weaknesses before products hit the market. Software Development Lifecycle (SDLC) security programs provide the tools, processes, and training required to design products with security in mind to reduce the likelihood of breaches of sensitive information. Join us for this episode of the CyberPHIx podcast where we hear from , CEO for . Security Innovation provides application security services, training, testing, and consulting to healthcare and other industries. Topics covered in this session include: Application development security trends The latest threats and vulnerabilities impacting healthcare application development Best practices for securing AppDev, DevOps, and DevSecOps teams and processes Common development misconceptions and missteps that lead to security exposures Security training approaches for healthcare app developers Frameworks and external resources for SDLC security including OWASP and others Healthcare-specific vulnerabilities and risk exposures identified during application development Third-party and fourth-party risks including open-sourced code and IoT devices Budget priorities for SDLC security investments
/episode/index/show/cyberphix/id/24075030
info_outline
The CyberPHIx Roundup: Industry News & Trends, 8/11/22
08/11/2022
The CyberPHIx Roundup: Industry News & Trends, 8/11/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this week: IBM’s and Ponemon’s annual Cost of a Data Breach Report summary, analysis, and implications for healthcare Updated NIST guidance on HIPAA compliance approaches and expected practices Facebook (Meta) and healthcare providers targeted with multiple lawsuits over health data privacy practices GAO report warns of catastrophic financial loss due to cyber insurers backing out of covering damages from cyberattacks $100m cost reported for Tenet Healthcare’s 2022 cyberattack Major breaches with healthcare vendors OneTouchPoint and Avamere impacting more than 1.5m people Cloud Security Alliance weighs in on third-party risk management in healthcare Large-scale cyberattack campaign targeting over 10,000 organizations in phishing and financial fraud scheme HHS Health Sector Cybersecurity Coordination Center alert about an increase in web application attacks on the healthcare sector New ransomware task force report targeting government interventions to disrupt ransomware attacks OCR issues 11 new financial penalties over HIPAA Right of Access failures
/episode/index/show/cyberphix/id/24020238
info_outline
Certification Symposium: HITRUST & SOC 2 Leading Practices
07/15/2022
Certification Symposium: HITRUST & SOC 2 Leading Practices
Healthcare organizations are ramping up the adoption of enterprise security certifications to provide assurance of their security program and control effectiveness to their customers and partners. Some of the most common security certifications and attestations in healthcare include HITRUST and SOC 2 Type II. Join us for our 100TH EPISODE of The CyberPHIx as we hear perspectives from healthcare security leaders on best practices for selecting and acquiring enterprise security certifications. This special symposium is a collection of interviews with stakeholders on all sides of the certification including healthcare CISOs, assessor and certification specialists, healthcare vendors, healthcare delivery organizations, and certification bodies. The Certification Symposium includes highlights from the following healthcare cybersecurity leaders: Michael Parisi - Vice President of Adoption, HITRUST Ed Dame - CISO, Dasher Services Angela Fitzpatrick - Managing Director, Meditology Services Paul Gray - CISO, Meditology Services Bethany Ishii - Director, Meditology Services Deana Fuller - Senior Manager, Meditology Services Ryan Freeman-Jones - Leader, Meditology Services Brandon Weidemann - Manager, Meditology Services Jonathan Elmer - Manager, Meditology Services Derek Vorpahl - Director of Information Security and Risk Management, Davis Vision Topics covered in this session include: What are HITRUST and SOC 2 Type II certifications? Business drivers for healthcare organizations to acquire HITRUST & SOC 2 certifications Which certification should we adopt? Comparing and contrasting certification options including HITRUST bC, HITRUST i1, HITRUST r2, SOC 2 Type II, and ISO Common pitfalls for HITRUST certifications Common challenges and pitfalls for SOC 2 Type II examinations Debunking certification myths and misunderstandings Accelerators and best practices for achieving HITRUST and SOC 2 certifications in a timely and cost-effective manner The role that certifications play in supporting HIPAA and OCR compliance Tips for selecting an assessor organization for HITRUST and SOC 2 certifications
/episode/index/show/cyberphix/id/23746403
info_outline
The CyberPHIx Roundup: Industry News & Trends, 6/30/22
06/30/2022
The CyberPHIx Roundup: Industry News & Trends, 6/30/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this week: Bombshell report of hospitals sharing PHI with Facebook HIPAA compliance analysis for covered entities sending PHI to Facebook Legal exposures for sending sensitive information to social media and other website tracking vendors Recommendations for healthcare organizations to assess and respond to patient concerns about unauthorized PHI disclosures to Facebook HHS issues new guidance for healthcare organizations to improve their cyber posture New HIPAA Security Risk Analysis (SRA) tool from OCR New OCR guidance and industry feedback related to “recognized security practices” for healthcare organizations (i.e. safe harbors for OCR enforcement) HHS issues warning to healthcare entities about dangerous Emotet malware proliferation CISA is developing new guidance for helping organizations overcome supply chain risks FBI prevents “despicable” Iranian cyber attack on Boston Children’s Hospital DOJ shuts down SSNDOB dark web marketplace Massive arrests and seizures of social engineering attack infrastructure across 76 countries OCR issues guidance on the upcoming expiration of COVID-19 enforcement exemptions for telehealth HIPAA security mandates
/episode/index/show/cyberphix/id/23579213
info_outline
Securing Healthcare.gov & Tackling Fourth-Party Vendor Risks
06/15/2022
Securing Healthcare.gov & Tackling Fourth-Party Vendor Risks
Join us for this episode of The CyberPHIx podcast where we hear from , VP of Product for CORL Technologies, who was also a leader on the team that overhauled and secured healthcare.gov. In this two-part conversation, we discuss Bart’s insights into the deployment and security of healthcare.gov as well as his perspectives on third- and fourth-party cyber risks for healthcare organizations. About Healthcare.gov Healthcare.gov is the nation's federal exchange for health insurance coverage that was created from the passing of the Patient Protection and Affordable Care Act (ACA). The initial launch of the website was fraught with challenges and was ultimately "rescued" by a large team contracted to get the site operating in tip-top shape. About Fourth-Party Vendor Risks Cybercriminals and nation-states have also unleashed relentless cyber-attacks on the U.S. healthcare industry and its suppliers this year. Unfortunately, cyber risk exposures have not been limited to third-party vendors, and risks to sensitive data and systems often extend across the full supply chain including fourth-party vendors and open-sourced products. Topics covered in this session include: What is healthcare.gov? How and why was healthcare.gov overhauled in the early stages of its development? Security challenges and solutions for healthcare.gov that arose during implementation Cloud security considerations for hosted healthcare applications including healthcare.gov What is fourth-party vendor risk and how is it impacting healthcare organizations? Examples and case studies of prominent fourth-party vendor breaches in healthcare Emerging solutions and innovations in third- and fourth-party vendor risk management New federal regulations and standards for managing supply chain risks
/episode/index/show/cyberphix/id/23425937
info_outline
The CyberPHIx Roundup: Industry News & Trends, 5/26/22
05/26/2022
The CyberPHIx Roundup: Industry News & Trends, 5/26/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this week: Highlights from the US Senate HELP hearing discussing the threat of cyberattacks on the healthcare industry Healthcare and Public Health Sector Coordinating Council (HSCC) releases new incident response checklist Ransomware growth causes cyber liability insurance costs to skyrocket Cardiologist charged with designing and selling ransomware BakerHostetler data security incident response report highlights and analysis Vendor risk management trends and associated healthcare breaches Solara Medical Supplies proposes a $5 million settlement to resolve class action data breach lawsuit CISA Alert: Weak Security Controls and Practices Routinely Exploited for Initial Access CISA alerts organizations not to install May security patches on Microsoft domain controllers US Department of Health and Human Services (HHS) warning healthcare entities about the aggressive Hive ransomware group A look back on the Conti ransomware group’s attacks on 200+ healthcare entities over the last two years HHS information on Russian Advanced Persistent Threat (APT) groups and associated analysis
/episode/index/show/cyberphix/id/23225852
info_outline
The Bleeding Edge: Healthcare Cyber Threats That Cut Deep
05/19/2022
The Bleeding Edge: Healthcare Cyber Threats That Cut Deep
Major shifts in the delivery of healthcare are introducing new and unforeseen cybersecurity and privacy risks. Cybersecurity and risk leaders in healthcare must rapidly adapt their programs and protection mechanisms to avoid adverse impacts from evolving cyber threats. Any one of these emerging risk areas can cut deep and have material impacts to patient safety, financials, reputation, and more. In this session, we provide an overview of new cyber threats and solutions through the lens of , Information Security Officer and Director of Security & Support Services for Bayhealth Medical Center, and his years of experience safeguarding patient information and systems. Topics covered in this session include: Internet of Things (IoT) & Internet of Medical Things (IoMT) challenges and solutions Securing health apps and wearables Emerging regulatory changings including HIPAA Cybersecurity approaches for the remote workforce Fourth-party vendor risks and securing the healthcare supply chain Cyberwar and changes to the threat landscape
/episode/index/show/cyberphix/id/23156975
info_outline
The CyberPHIx Roundup: Industry News & Trends, 4/21/22
04/21/2022
The CyberPHIx Roundup: Industry News & Trends, 4/21/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this week: Healthcare Cybersecurity Act introduced in the U.S. Senate; details and analysis about the proposed regulation HHS and OCR seek feedback on new HITECH safe harbors for the adoption of cybersecurity best practices including NIST and HITRUST OCR requests feedback on how HIPAA civil monetary penalties should be shared with individuals that have been victims of breaches University of Pittsburgh Medical Center is required to make payments to 66,000 employees that were victims of a 2014 cyber breach as part of legal settlement Proposed PATCH Act that would see the FDA require cybersecurity measures for medical device manufacturers; details and analysis New NIST standards for enterprise patching management including NIST SP 800-40 and NIST SP 1800-31 FDA releases updated guidance on medical device cybersecurity (in addition to the PATCH Act) Lapsus$ cyber threat group alerts from the Health Sector Cybersecurity Coordination Center (HC3) as well as prominent arrests of the Lapsus$ gang’s teenage leader Arrest of ransomware leader responsible for 13 ransomware attacks; details of attacks and sentencing Germany and the U.S. shut down the world’s largest illegal darknet marketplace CISA warns of Uninterruptible Power Supply (UPS) device cyberattacks Urgent security alert for Philips MRI monitoring software A new zero-day vulnerability in the Spring Core Java framework called 'Spring4Shell' S State Department announces Bureau of Cyberspace and Digital Policy (CDP)
/episode/index/show/cyberphix/id/22854647
info_outline
Arming the Citizens: Awareness Strategies for Cyber War
04/13/2022
Arming the Citizens: Awareness Strategies for Cyber War
President Biden issued an alert recently that U.S. companies must ramp up their readiness to anticipate potential cyberattacks from Russia stemming from the conflict in Ukraine. What role do end-users play in protecting healthcare organizations during this ongoing cyberwar? Is the workforce our best defense on the front lines of cyber combat? Join us for this episode of the CyberPHIx podcast where we hear from , Director of Information Security for Benefit Resource. Eric provides insights into leading practices for cybersecurity awareness programs for healthcare entities. Topics covered in this session include: How to make cybersecurity important for the average workforce member Effective deployment vehicles for awareness training Maintaining cybersecurity awareness for hybrid and remote workforce Free resources for security awareness and HIPAA compliance content Top messages for the workforce to combat cyberwar attacks Measuring effectiveness of awareness programs via KPIs Phishing testing and training best practices
/episode/index/show/cyberphix/id/22765289
info_outline
The CyberPHIx Roundup: Industry News & Trends, 3/24/22
03/24/2022
The CyberPHIx Roundup: Industry News & Trends, 3/24/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this week: President Biden’s cybersecurity warning about Russian cyberattacks on U.S. companies New cybersecurity legislation signed that mandates breach reporting within 72 hours SEC proposes new cybersecurity disclosure requirements New FBI & CISA alert on Russian exploitation of multi-factor authentication and “PrintNightmare” vulnerability Hactivists attacks on Russia databases, TV broadcasts, weapons manufacturers, websites, and the Russian Roskomnadzor censorship agency Russia’s creation of their own TLS Certificate Authority (CA) and implications for Internet accessibility in Russia FBI alert and guidance on the new RagnarLocker ransomware and implications for healthcare entities Details of the new Israel/US collaboration on cybersecurity Analysis of the Access:7 vulnerabilities affecting medical devices and IoT systems OCR / HHS publication and recommendations for healthcare organizations to improve cybersecurity defenses Analysis of the new HIMSS Healthcare Cybersecurity Survey New attacks emerge against Microsoft Teams
/episode/index/show/cyberphix/id/22544645
info_outline
Cyber Trust Falls: How Cybersecurity Enables Trust in Healthcare
03/15/2022
Cyber Trust Falls: How Cybersecurity Enables Trust in Healthcare
Who can be trusted to protect sensitive healthcare information and systems amidst a daily barrage of breach events? Healthcare cybersecurity and risk leaders must identify innovative ways to establish and maintain trust in the healthcare ecosystem through cybersecurity programs and functions. This includes being transparent about risk exposures, building relationships internally and externally, responding effectively to breaches, and adopting certification models like HITRUST and SOC 2. In this episode of The CyberPHIx, we hear from , Chief Information Security Officer for Dasher Services, Inc. Ed provides insights and wisdom from his years of experience as a CISO in building relationships and establishing trust. Questions covered in this session include: Why is trust important in healthcare settings? How can cybersecurity programs support and sustain trust? What role does transparency play in building or eroding trust? What are the boundaries of accountability for trust for healthcare CISOs including third- and fourth-party vendors? What role do cybersecurity certifications like HITRUST play in establishing trust with the market? What happens when trust is lost or damaged? Is there a right and wrong way to respond to breaches that impacts trust? What is the different between reacting and responding to cybersecurity incidents? What is the role of emerging “zero trust” models and terminology in healthcare?
/episode/index/show/cyberphix/id/22442687
info_outline
The CyberPHIx Roundup: Russia/Ukraine Cyberwar Special Edition
03/03/2022
The CyberPHIx Roundup: Russia/Ukraine Cyberwar Special Edition
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. Healthcare organizations are scrambling to adjust their cybersecurity preparation and response capabilities in the wake of potential cyber-attacks stemming from the ongoing conflict between Russia and Ukraine. Meditology has been monitoring the situation closely and advising our healthcare clients on the latest threat vectors and response approaches. This special edition of the CyberPHIx podcast provides guidance for US-based healthcare entities for preparing and responding to cyberattacks and cyberwar tactics deployed as part of this ongoing conflict. We also cover a few other news items trending in healthcare cybersecurity and compliance. In this episode, our host highlights the following topics: Russia-Ukraine cyberwar overview Russia’s cyberwar capabilities & attack methods Analysis of darknet cyberwar activity Guidance from the CISA, FBI, & NSA on the Russia/Ukraine cyberattacks Recommendations for healthcare cybersecurity leaders to prepare and respond to cyberwar activities Upcoming deadline for HIPAA breach reporting to HHS Details on a new bill introduced to modernize HIPAA Analysis of the HHS report on securing Electronic Health Records (EHR)
/episode/index/show/cyberphix/id/22315187
info_outline
The CyberPHIx Roundup: Industry News & Trends, 2/11/22
02/11/2022
The CyberPHIx Roundup: Industry News & Trends, 2/11/22
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host highlights the following topics trending in healthcare cybersecurity this week: Lessons learned from a ransomware attack that encrypted 80% of systems across a 54+ hospital health system HHS publishes a detailed report about ongoing Log4J exposure and recommendations for the healthcare industry REvil ransomware gang shut down and arrested in Russia following US diplomatic pressure and Russian crackdown Settlement reached in Excellus class action data breach lawsuit Kaspersky publishes report on telehealth adoption and cyber risks escalation Homeland Security launches cyber safety review board to combat supply chain risks NIST releases automation-friendly security and privacy assessment procedures NIST launches new international privacy resources website
/episode/index/show/cyberphix/id/22092509