Resources tagged with:
Errol Weiss

Healthcare organizations of all shapes and sizes will be held to a stricter standard of cybersecurity starting in 2025 with new proposed rules, but not all have the budget for it.

Since the beginning, HIPAA has always been the best, yet insufficient, regulation dictating cybersecurity for the healthcare industry.

“[There’s] a history of the focus being in the wrong place because of the way HIPAA was laid out in the mid-1990s,” says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). “At the time, there was this big push to transfer medical and health records to the electronic medium. And with the advent of the HIPAA regulations, it was all about protecting patient privacy but not necessarily securing those records.”

HIPAA’s focus on privacy limited its ability to address more diverse cybersecurity threats in the 2010s, particularly ransomware. Meanwhile, instead of using it as a baseline for developing a robust security posture, organizations tended to treat HIPAA more as a set of boxes to check. “It ended up driving budgets toward compliance and not necessarily security. And in the past five or six years, we’ve seen what happens in an environment that’s not properly secured, not properly tied down, not properly backed up, when they’re hit by ransomware,” Weiss says.

“Even if they’re already following all the NIST controls,” Dispersive’s Pingree estimates, implementing the new HIPAA security rules “could cost as low as $100,000 for a small doctor’s office, or it could be many millions if you’re a big medical group.”

One possible way stretched healthcare organizations might navigate all these new rules and their associated costs is with an outsourced, virtual chief information security officer (vCISO), according to Weiss. Because “it’s not just about buying the technology. It’s also about recruiting and retaining the cybersecurity expertise that you need to run,” he says.

“These organizations don’t know where to start,” he continues. “The cybersecurity market is very confusing. There are a lot of players. There are a lot of solutions. So if you have $100 to spend on cybersecurity, where do you spend that? They need help to be able to figure all of that out. And I think something like a virtual CISO can help implement a strategy, and then be around on a virtual basis — to check in, to be a resource for that organization when they have questions and they need some help. It seems like a decent model for these small rural hospitals that could not necessarily justify or hire a full-time CISO.”

Read the full article in Dark Reading. Click Here

Experts: New Mandates Could Be Difficult, Costly for Many Entities

A proposed overhaul of federal cybersecurity regulations for the healthcare industry could mean difficult and expensive heavy lifting for many organizations, said experts.

“The costs to fulfill these provisions will be enormous,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center. “Where is the money coming from to pay for all this? It can’t be from future savings from avoided breach penalties. Financially strained healthcare providers, especially small rural hospitals, don’t have the resources to support these new proposals,” he said.

Any regulatory requirements like this will need to come with funding assistance so that healthcare providers can acquire the proper technology and, more importantly, recruit and retain experienced cybersecurity professionals to adequately protect their networks, Weiss said.

Read the full article in Bank InfoSecurity. Click Here

Completing the Global Cybersecurity Puzzle through international cooperation

In the digital age, where information flows across borders with the speed of light, cyber threats are no longer confined to a single nation. Cyber attacks and data breaches transcend geopolitical boundaries and negatively impact nearly everyone, regardless of nation, political views, or economic position. Recognizing this reality, a powerful force emerged: the private sector’s drive to share cyber threat information. Information Sharing & Analysis Centers (ISACs), a concept that started in the 1990s and now operating globally, are a proven forum for collaboration driven by the self-interest of organizations to protect their networks and the shared concerns across the communities they serve.  Over the past 25 years, information sharing has grown on its own merits and the hard work put in by thousands of committed individuals and organizations working together to protect critical infrastructure.  Voluntary information sharing is a more potent force than any government mandate when it comes to sharing cyber threat intelligence, incident details and best practices.

Organizations understand that by sharing information, they are not only protecting themselves but also strengthening the overall security of the digital ecosystem. A shared sense of responsibility, collaboration and learning leads to the formation of information-sharing trust communities, where organizations across industries and country borders can securely and reliably share threat intelligence.

Read the full blog on LinkedIn: Click Here

Topics covered include:

• Cyber threats have global impacts

• The cavalry is not coming to help

• Information sharing and collaboration is a team sport

A new wave of cybercriminals, dubbed “advanced persistent teenagers,”^[1] is putting healthcare organizations in their crosshairs. Armed with social engineering tactics and a hunger for data—and ransom—they’re breaching systems, disrupting care, and leaving lasting damage.

Read the article in MDLinx  Click Here

Health-ISAC pulled quote:

Errol Weiss, chief security officer for the Health Information Sharing and Analysis Center (Health-ISAC), tells MDLinx that while there’s certainly some truth to fears about the growing base of younger hackers motivated by the thrill of the attack, “I do ultimately feel that, largely, there’s a monetary goal that they’re really after.”

Weiss agrees that “there could be very negative consequences to human life” with cyberattacks, especially if patients end up forgoing needed care due to the issue. “People may sit at home and say, well, I’ll just deal with this later and get care at some other time,” he says. “And we all know delaying needed medical care could be a contributing factor for further complications later.”

From Banking to Healthcare Cybersecurity

We sat down with Health-ISAC Chief Security Officer Errol Weiss to discuss his 25-year career spanning banking, government, and healthcare and identify the biggest cybersecurity threats and trends impacting the healthcare industry in 2025 and beyond.

Listen to episode #71 here: Listen Here

Unique Challenges in Healthcare Cybersecurity

Weiss described the unique challenges faced by healthcare organizations compared to financial services. Healthcare systems often manage complex infrastructures, including modern cloud-based systems, legacy devices (like MRI machines with outdated operating systems), and diverse medical device ecosystems. This complexity is compounded by a longstanding underinvestment in cybersecurity, with resources historically allocated toward privacy and compliance (e.g., HIPAA regulations) rather than robust security measures.

He stressed that underfunding and a lack of dedicated Chief Information Security Officers (CISOs) in healthcare make it challenging to protect these environments effectively. However, incidents such as ransomware attacks have driven increased awareness and investment in healthcare cybersecurity over the past decade.

Cybersecurity experts predict cybersecurity attacks will continue to happen with more sophistication

Read the full article in Healthcare Innovation Click Here

As ransomware attacks and tactics evolve, healthcare facilities must be aware of what threats exist and how to stay secure.

The biggest change in their tactics is the increasing use of ransomware, according to Errol Weiss, chief security officer at Health-ISAC. Not only that, but Weiss says healthcare organizations are also becoming more vulnerable to cyberattacks due to a lack of investment in cybersecurity and IT in general.  

“I think there’s a perfect storm in healthcare where we’ve got an already cyber vulnerable population out there because of the lack of cybersecurity investment,” says Weiss.

Read the full article in Healthcare Facilities Today. Click Here

Feds Warn That Connected Devices Are Prey for Cyberattackers

HHS is urging healthcare entities to enhance security of OT, IoMT and other devices used in their environments

The security of medical devices has been getting most of the attention from regulators in recent years, but other devices that make up the medical internet of things and operational technology systems are also vulnerable to cyberattacks, federal authorities warned in a new advisory.

Recent analysis by Health Information Sharing and Analysis Center (Health-ISAC) found that 12 medical devices from five different manufacturers had vulnerabilities that were top targets of exploitation by malicious cyber actors, said Errol Weiss, chief security officer at Health-ISAC.

“What strikes me is that we now know that attackers are actively exploiting known vulnerabilities that also exist in medical devices – if anything that should raise the priority to patch these devices before they are compromised,” he said.

Click Here

Bulletin Comes in Wake of Recent Attacks Disrupting Blood Collection, Supplies

The Food and Drug Administration is urging blood suppliers to bolster their cybersecurity practices to prevent and mitigate cyber incidents that could affect the supply and safety of critical blood and blood components used for transfusions and other patient care.

“The trio of ransomware attacks starting in April 2024 on OneBlood, Synnovis, and Octapharma Plasma by Russian cybercrime ransomware gangs caused disruption to blood and plasma supplies in regions across the U.S. and U.K., ultimately causing major impacts to patient care,” said Errol Weiss, chief security officer at Health-ISAC.

Read the full article in Healthcare Infosecurity Click Here

As Health-ISAC and AHA warned in August, the attacks on those three critical third-party suppliers significantly affected healthcare delivery, Weiss said. “It should serve as a wake-up call across the industry to address supply chain resilience. It’s not just about ensuring IT systems are secure, but also making sure critical hospital operations can continue to function in the face of widespread IT system outages,” Weiss said.

A focus on cyber resilience is essential for mitigating the risk of healthcare supply chain attacks, which have the potential to cause widespread disruptions.

Read the full article in TechTarget Extelligent Healthcare here:

Click Here

Healthcare supply chain attacks have the potential to disrupt care and operations across the healthcare system through just one successful infiltration. The single points of failure that exist across the sector make the risk of supply chain attacks even greater.

“The bad guys have figured out that if they can hit this small supplier who’s a single-source supplier in a particular region, they could cause a lot of impact to the healthcare sector more broadly and maximize their payoffs downstream,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (Health-ISAC).”It’s definitely different from what we were seeing before.”

Experts on Potential Data Security and HIPAA Privacy Changes in Trump’s Second Term

With Donald J. Trump set to return to the White House in January to serve another four-year term as U.S. president, what might the healthcare sector expect to see when it comes to his next administration’s cybersecurity priorities and HIPAA regulations and enforcement?

Excerpt from the November 6th article in BankInfo Security

“Any cybersecurity mandates for hospitals need to be accompanied by funding to support those programs,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center.

“Historically, hospitals have been underfunded in cybersecurity, leaving organizations without the technology, and more importantly, the experienced cybersecurity people to properly protect those networks,” he said.

Read the full article here.

Click Here