
Post Topic: Media Mention

EU Commission Calls for Health Sector ‘Cyber Action Plan’

Initiative Aims to Bolster Security of EU Member Hospitals, Healthcare Providers

Errol Weiss, chief security officer of the Health-ISAC in the U.S., said the EU commission’s action plan comes at a time when healthcare organizations still struggle to obtain enough funding to defend their networks properly.

“The problem is seen in the EU, the U.S. and globally. Healthcare organizations need resources – not only the technology needed to protect those networks but also the experienced infosec professionals to run those systems,” he said. “I’m glad the commission recognizes the value that ISACs bring to protecting organizations and improving security through information sharing and collaboration.”

Those charged with protecting their digital infrastructures understand that by sharing information, they are not only protecting themselves but also strengthening the security of the entire digital ecosystem, Weiss said.

In 2023, the Health-ISAC partnered with the European Health ISAC to leverage “the global strength” of Health-ISAC’s membership through the visibility of threats in over 140 countries with the European Health ISAC’s strength of community and local perspectives, he said.

“We need to unite and stay vigilant against cyberthreats,” he said. “With Health-ISAC and European Health ISAC operating together in the EU, we can create a safer community where healthcare organizations benefit from improved visibility of threats and vulnerabilities, plus they benefit from sharing of best practices and other key insights that ultimately improve patient safety.”

Read the full article in Data Breach Today.

How to Manage Cyber Risk of Medical Devices – for Life

Experts Offer Advice for Managing Growing Inventories, Resources for Providers

The HSCC’s “Health Industry Cybersecurity – Managing Legacy Technology Security” – or HIC-MaLTS – guidance offers organizations best practices that can be used to manage cyber risks of legacy medical technologies, said Phil Englert, vice president of medical device security at the Health Information Sharing and Analysis Center.

HIC-MaLTS takes on common healthcare cybersecurity challenges. For example, “many different types of medical devices and the diverse locations in which they are used possess unique risk profiles and include diagnostic, therapeutic, wearable, implantable and software-as-a-medical device features, among others, that can be used in hospitals, clinics, and other non-clinical and home healthcare settings,” he said.

Also in this article:

  • four life cycle phases of medical devices
  • “system-view” inventories combined with segmentation and network access controls
  • HSCC’s Model Contract-Language for Medtech Cybersecurity 

Read the article in Healthcare Infosecurity.

Securing Health Data in 2025: The Rising Cybersecurity Challenges

Understanding two U.S. bills introduced aimed at modernizing protections for sensitive health data.

Read the full article in Information Security Buzz.

Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has been the cornerstone of patient privacy. The act established standards for how healthcare organizations handle and share patient data, creating a framework for ensuring confidentiality. 

But the healthcare landscape has transformed dramatically, and with it, the risks have multiplied. Emerging cyber threats and complex vulnerabilities have exposed critical gaps in HIPAA’s protections. In response, lawmakers are advancing new legislation aimed at fortifying healthcare organizations against the escalating tide of cyberattacks.

Last year, lawmakers introduced two bills – the Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024 (HISAA) – aimed at modernizing protections for sensitive health data. While these measures represent an important step forward, they remain stalled in the legislative process and have yet to become law. 

And, even if they are enacted, the limited scope and enforcement mechanisms outlined in these bills may fall short of addressing the escalating cyber threats plaguing our increasingly digital healthcare system. Without a more comprehensive and aggressive approach, these initiatives risk being seen as symbolic gestures in a fight that demands urgent and decisive action.

Read further to gain a full understanding of both bills, including:

  • Protecting non-traditional health data
  • Addressing the challenges
  • Strengthening leadership
  • HIPAA updates on the horizon
  • A future of resilience


Software Supply Chains and ISACs – The Inevitability Curve Podcast EP14

January 15, 2025


Phil Englert and our host Chris Blask have been co-chairing a CISA working group on software bill of materials (SBOM) sharing. The working group has developed a process to help ISACs and similar organizations determine the control architecture necessary to manage the distribution of SBOMs among their members.

Listen to the Inevitability Curve podcast EP14.

New HIPAA Cybersecurity Rules Pull No Punches

Healthcare organizations of all shapes and sizes will be held to a stricter standard of cybersecurity starting in 2025 with new proposed rules, but not all have the budget for it.

Since its inception, HIPAA has been the best, yet insufficient, regulation dictating cybersecurity for the healthcare industry.

“[There’s] a history of the focus being in the wrong place because of the way HIPAA was laid out in the mid-1990s,” says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). “At the time, there was this big push to transfer medical and health records to the electronic medium. And with the advent of the HIPAA regulations, it was all about protecting patient privacy but not necessarily securing those records.”

HIPAA’s focus on privacy limited its ability to address more diverse cybersecurity threats in the 2010s, particularly ransomware. Meanwhile, instead of using it as a baseline for developing a robust security posture, organizations tended to treat HIPAA more as a set of boxes to check. “It ended up driving budgets toward compliance and not necessarily security. And in the past five or six years, we’ve seen what happens in an environment that’s not properly secured, not properly tied down, not properly backed up, when they’re hit by ransomware,” Weiss says.

“Even if they’re already following all the NIST controls,” Dispersive’s Pingree estimates, implementing the new HIPAA security rules “could cost as low as $100,000 for a small doctor’s office, or it could be many millions if you’re a big medical group.”

One possible way stretched healthcare organizations might navigate all these new rules and their associated costs is with an outsourced, virtual chief information security officer (vCISO), according to Weiss. Because “it’s not just about buying the technology. It’s also about recruiting and retaining the cybersecurity expertise that you need to run,” he says.

“These organizations don’t know where to start,” he continues. “The cybersecurity market is very confusing. There are a lot of players. There are a lot of solutions. So if you have $100 to spend on cybersecurity, where do you spend that? They need help to be able to figure all of that out. And I think something like a virtual CISO can help implement a strategy, and then be around on a virtual basis — to check in, to be a resource for that organization when they have questions and they need some help. It seems like a decent model for these small rural hospitals that could not necessarily justify or hire a full-time CISO.”

Read the full article in Dark Reading.

What’s in HHS’ Proposed HIPAA Security Rule Overhaul?

Experts: New Mandates Could Be Difficult, Costly for Many Entities

A proposed overhaul of federal cybersecurity regulations for the healthcare industry could mean difficult and expensive heavy lifting for many organizations, said experts.

“The costs to fulfill these provisions will be enormous,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center. “Where is the money coming from to pay for all this? It can’t be from future savings from avoided breach penalties. Financially strained healthcare providers, especially small rural hospitals, don’t have the resources to support these new proposals,” he said.

Any regulatory requirements like this will need to come with funding assistance so that healthcare providers can acquire the proper technology and, more importantly, recruit and retain experienced cybersecurity professionals to adequately protect their networks, Weiss said.

Read the full article in Bank InfoSecurity.

Google’s rural healthcare cybersecurity initiative

Google is partnering with Health-ISAC to deliver innovative training programs, cybersecurity intelligence programs, and other resources for rural health systems.

Cyberattacks on healthcare organizations disrupt their ability to operate and jeopardize patient care. Rural healthcare systems in the US serve 60 million people and are at the heart of countless communities. The safety of everybody in a community is threatened when critical healthcare information systems are unavailable due to cyber incidents.  

Google is committed to helping vulnerable health systems strengthen their resilience to cyberattacks. We are partnering with government and industry to offer our services, support, and technologies, enabling systems to focus on patient care.


A tailored initiative to improve security

Designed for rural hospitals

Rural health systems and hospitals reflect the uniqueness of the communities they serve, and so does our offer. It delivers a growing set of secure-by-design Google technology for access and collaboration, consulting and support services, and security training resources at a discount or no cost. The solution is adapted to the needs of each rural health entity. The health facility should be located in a county or region designated as rural by the Health Resources and Services Administration (HRSA).


Leveraging the power of industry collaboration

Effective collaboration to defend against and respond to cyber attacks is vital to securing healthcare. Google is an ambassador partner to the Health Information Sharing and Analysis Center (Health-ISAC). Health-ISAC’s mission is to empower trusted relationships in the global healthcare industry to help prevent, detect, and respond to cybersecurity and physical security events so that members can focus on improving health and saving lives. Google is partnering with Health-ISAC to deliver innovative training programs, cybersecurity intelligence programs, and other resources for rural health systems.

Program offerings

Most of these will be offered at no cost or with significant discounts, acknowledging the financial constraints faced by many rural healthcare systems. Additionally, we will provide implementation services and support to eligible organizations. These offerings are only available in the US at this time.


Left to Our Own Devices Podcast #71: Errol Weiss

From Banking to Healthcare Cybersecurity


We sat down with Health-ISAC Chief Security Officer Errol Weiss to discuss his 25-year career spanning banking, government, and healthcare and identify the biggest cybersecurity threats and trends impacting the healthcare industry in 2025 and beyond.

Listen to episode #71 of Left to Our Own Devices.

Unique Challenges in Healthcare Cybersecurity

Weiss described the unique challenges faced by healthcare organizations compared to financial services. Healthcare systems often manage complex infrastructures, including modern cloud-based systems, legacy devices (like MRI machines with outdated operating systems), and diverse medical device ecosystems. This complexity is compounded by a longstanding underinvestment in cybersecurity, with resources historically allocated toward privacy and compliance (e.g., HIPAA regulations) rather than robust security measures.

He stressed that underfunding and a lack of dedicated Chief Information Security Officers (CISOs) in healthcare make it challenging to protect these environments effectively. However, incidents such as ransomware attacks have driven increased awareness and investment in healthcare cybersecurity over the past decade.

In the New Year, Can Legislation Protect Patient Data?

By Errol Weiss, chief security officer, Health-ISAC.

Healthcare data breaches are reaching unprecedented levels, with attacks that target the industry surging in both frequency and sophistication. Cybercriminals are zeroing in on vulnerabilities across healthcare systems, exploiting outdated and unpatched systems to steal and manipulate sensitive patient data.

From medical histories to genomic information, this data has immense value, making it a lucrative target for ransomware, phishing schemes, and insider threats. As healthcare organizations scramble to shore up defenses, the risks extend beyond financial losses to jeopardize patient safety and trust.

The urgency is exemplified by two landmark pieces of legislation—the Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024 (HISAA). These laws aim to confront the mounting threats, but they also raise critical questions: Can they outpace the rapidly evolving tactics of cybercriminals? Are they enough to close the gaps left by outdated regulations like HIPAA?

Topics covered in this article include:

  • Limitations of existing legislation
  • A new era of protection
  • Future opportunities
  • Final thoughts

Read the article in Electronic Health Reporter.

The Year Ahead: What Can We Expect Within the Cybersecurity Landscape?

Cybersecurity experts predict cybersecurity attacks will continue to happen with more sophistication

2024 was a year that saw several blows to the healthcare industry when it came to cybersecurity. Data breaches and ransomware attacks caused major disruptions in the daily operations of healthcare organizations with significant monetary implications.

Read the full article in Healthcare Innovation.


Errol Weiss, chief security officer at Health-ISAC, confirms that a higher number of cybersecurity events were observed this year than the year prior. What’s happening now, he says, is that not only hospitals but also patients are victims of ransomware attacks: criminals threaten to release private patient data if the ransom is not paid. The ransomware group BlackCat attacked Lehigh Valley Health, for example, and threatened to release nude pictures of its cancer patients. The resulting class action suit was settled for $65 million. Weiss expects to see more of these types of attacks in the year ahead. “They will go after whatever they can,” Weiss says about the cybercriminals.

To the question of whether he thinks federal legislation on cybersecurity measures within healthcare will be helpful, Weiss responds, “Hospitals are operating on razor-thin margins as it is, and it is very difficult for them to invest in things that aren’t directly related to patient care. If we’re going to talk about any kind of legislation moving forward, especially in the new administration, it needs to come with the adequate resources to make sure that that happens.”

Weiss doesn’t believe in throwing money at the problem. He advocates getting the right people into organizations to address issues, and believes a virtual CISO program is one way to bring in additional help. Weiss notes there are a lot of cybersecurity vendors and point solutions. “The market is very confusing…. So if you had $100 to spend on cyber security, where would you spend that?”

As to what to expect in 2025, Weiss points to attacks on the supply chain, where the level of sophistication is increasing. In this area, Weiss says, the attacks don’t seem as random as typical malware campaigns, “where many of these malware attacks, the ransomware gang will send out millions of malicious emails and hope that they get somebody somewhere to click on something and install the ransomware.” The attacks this past year seem to be more targeted.

Weiss anticipates artificial intelligence (AI) will also be part of more attacks. “We’ve already seen the talk about malicious actors leveraging AI to develop zero-day attacks, which is absolutely mind-boggling because you leverage AI to help develop some new attack technique.” Weiss adds, “If the bad guys can use AI to develop a new zero-day, I think we’ve got to also be proactive, finding out those zero-days, and then defending against those.”

HHS Urges Health Sector to Beef Up OT, IoMT Security

Feds Warn That Connected Devices Are Prey for Cyberattackers

HHS is urging healthcare entities to enhance the security of OT, IoMT and other devices used in their environments.

The security of medical devices has been getting most of the attention from regulators in recent years, but other devices that make up the medical internet of things and operational technology systems are also vulnerable to cyberattacks, federal authorities warned in a new advisory.

Recent analysis by Health Information Sharing and Analysis Center (Health-ISAC) found that 12 medical devices from five different manufacturers had vulnerabilities that were top targets of exploitation by malicious cyber actors, said Errol Weiss, chief security officer at Health-ISAC.

“What strikes me is that we now know that attackers are actively exploiting known vulnerabilities that also exist in medical devices – if anything that should raise the priority to patch these devices before they are compromised,” he said.


Defending Healthcare Facilities Against Ransomware Attacks

As ransomware attacks and tactics evolve, healthcare facilities must be aware of what threats exist and how to stay secure.

Cybersecurity in the healthcare space is a prominent topic as cyberattacks continue to assault healthcare organizations daily. Worse, cybercriminals are constantly changing how they operate and execute their attacks, making adapting to their methods difficult.  

The biggest change in their tactics is the increasing use of ransomware, according to Errol Weiss, chief security officer at Health-ISAC. Not only that, but Weiss says healthcare organizations are also becoming more vulnerable to cyberattacks due to a lack of investment in cybersecurity and IT in general.  

“I think there’s a perfect storm in healthcare where we’ve got an already cyber vulnerable population out there because of the lack of cybersecurity investment,” says Weiss. 

Read the full article in Healthcare Facilities Today.
