Resources tagged with:
H-ISAC Media mention

Healthcare organizations of all shapes and sizes will be held to a stricter standard of cybersecurity starting in 2025 with new proposed rules, but not all have the budget for it.

Since the beginning, HIPAA has always been the best, yet insufficient, regulation dictating cybersecurity for the healthcare industry.

“[There’s] a history of the focus being in the wrong place because of the way HIPAA was laid out in the mid-1990s,” says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). “At the time, there was this big push to transfer medical and health records to the electronic medium. And with the advent of the HIPAA regulations, it was all about protecting patient privacy but not necessarily securing those records.”

HIPAA’s focus on privacy limited its ability to address more diverse cybersecurity threats in the 2010s, particularly ransomware. Meanwhile, instead of using it as a baseline for developing a robust security posture, organizations tended to treat HIPAA more as a set of boxes to check. “It ended up driving budgets toward compliance and not necessarily security. And in the past five or six years, we’ve seen what happens in an environment that’s not properly secured, not properly tied down, not properly backed up, when they’re hit by ransomware,” Weiss says.

“Even if they’re already following all the NIST controls,” Dispersive’s Pingree estimates, implementing the new HIPAA security rules “could cost as low as $100,000 for a small doctor’s office, or it could be many millions if you’re a big medical group.”

One possible way stretched healthcare organizations might navigate all these new rules and their associated costs is with an outsourced, virtual chief information security officer (vCISO), according to Weiss. Because “it’s not just about buying the technology. It’s also about recruiting and retaining the cybersecurity expertise that you need to run,” he says.

“These organizations don’t know where to start,” he continues. “The cybersecurity market is very confusing. There are a lot of players. There are a lot of solutions. So if you have $100 to spend on cybersecurity, where do you spend that? They need help to be able to figure all of that out. And I think something like a virtual CISO can help implement a strategy, and then be around on a virtual basis — to check in, to be a resource for that organization when they have questions and they need some help. It seems like a decent model for these small rural hospitals that could not necessarily justify or hire a full-time CISO.”

Read the full article in Dark Reading. Click Here

Experts: New Mandates Could Be Difficult, Costly for Many Entities

A proposed overhaul of federal cybersecurity regulations for the healthcare industry could mean difficult and expensive heavy lifting for many organizations, said experts.

“The costs to fulfill these provisions will be enormous,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center. “Where is the money coming from to pay for all this? It can’t be from future savings from avoided breach penalties. Financially strained healthcare providers, especially small rural hospitals, don’t have the resources to support these new proposals,” he said.

Any regulatory requirements like this will need to come with funding assistance so that healthcare providers can acquire the proper technology and, more importantly, recruit and retain experienced cybersecurity professionals to adequately protect their networks, Weiss said.

Read the full article in Bank InfoSecurity. Click Here

A new wave of cybercriminals, dubbed “advanced persistent teenagers,”^[1] is putting healthcare organizations in their crosshairs. Armed with social engineering tactics and a hunger for data—and ransom—they’re breaching systems, disrupting care, and leaving lasting damage.

Read the article in MDLinx  Click Here

Health-ISAC pulled quote:

Errol Weiss, chief security officer for the Health Information Sharing and Analysis Center (Health-ISAC), tells MDLinx that while there’s certainly some truth to fears about the growing base of younger hackers motivated by the thrill of the attack, “I do ultimately feel that, largely, there’s a monetary goal that they’re really after.”

Weiss agrees that “there could be very negative consequences to human life” with cyberattacks, especially if patients end up forgoing needed care due to the issue. “People may sit at home and say, well, I’ll just deal with this later and get care at some other time,” he says. “And we all know delaying needed medical care could be a contributing factor for further complications later.”

From Banking to Healthcare Cybersecurity

We sat down with Health-ISAC Chief Security Officer Errol Weiss to discuss his 25-year career spanning banking, government, and healthcare and identify the biggest cybersecurity threats and trends impacting the healthcare industry in 2025 and beyond.

Listen to episode #71 here: Listen Here

Unique Challenges in Healthcare Cybersecurity

Weiss described the unique challenges faced by healthcare organizations compared to financial services. Healthcare systems often manage complex infrastructures, including modern cloud-based systems, legacy devices (like MRI machines with outdated operating systems), and diverse medical device ecosystems. This complexity is compounded by a longstanding underinvestment in cybersecurity, with resources historically allocated toward privacy and compliance (e.g., HIPAA regulations) rather than robust security measures.

He stressed that underfunding and a lack of dedicated Chief Information Security Officers (CISOs) in healthcare make it challenging to protect these environments effectively. However, incidents such as ransomware attacks have driven increased awareness and investment in healthcare cybersecurity over the past decade.

Cybersecurity experts predict cybersecurity attacks will continue to happen with more sophistication

Read the full article in Healthcare Innovation Click Here

As ransomware attacks and tactics evolve, healthcare facilities must be aware of what threats exist and how to stay secure.

The biggest change in their tactics is the increasing use of ransomware, according to Errol Weiss, chief security officer at Health-ISAC. Not only that, but Weiss says healthcare organizations are also becoming more vulnerable to cyberattacks due to a lack of investment in cybersecurity and IT in general.  

“I think there’s a perfect storm in healthcare where we’ve got an already cyber vulnerable population out there because of the lack of cybersecurity investment,” says Weiss.

Read the full article in Healthcare Facilities Today. Click Here

Feds Warn That Connected Devices Are Prey for Cyberattackers

HHS is urging healthcare entities to enhance security of OT, IoMT and other devices used in their environments

The security of medical devices has been getting most of the attention from regulators in recent years, but other devices that make up the medical internet of things and operational technology systems are also vulnerable to cyberattacks, federal authorities warned in a new advisory.

Recent analysis by Health Information Sharing and Analysis Center (Health-ISAC) found that 12 medical devices from five different manufacturers had vulnerabilities that were top targets of exploitation by malicious cyber actors, said Errol Weiss, chief security officer at Health-ISAC.

“What strikes me is that we now know that attackers are actively exploiting known vulnerabilities that also exist in medical devices – if anything that should raise the priority to patch these devices before they are compromised,” he said.

Click Here

Collecting Cyber Vulnerability Metrics is Critical, But Communicating Them to Stakeholders in a Clear & Compelling Way is Key, Says H-ISAC Report

As the healthcare industry becomes more reliant on interconnected digital systems the importance of robust vulnerability management has never been more pronounced. A recent report by Health-ISAC, Vulnerability Metrics and Reporting, sheds light on best practices and strategies to strengthen cybersecurity in health systems.

Read the full article in HealthSystemCIO.com Click Here

Bulletin Comes in Wake of Recent Attacks Disrupting Blood Collection, Supplies

The Food and Drug Administration is urging blood suppliers to bolster their cybersecurity practices to prevent and mitigate cyber incidents that could affect the supply and safety of critical blood and blood components used for transfusions and other patient care.

“The trio of ransomware attacks starting in April 2024 on OneBlood, Synnovis, and Octapharma Plasma by Russian cybercrime ransomware gangs caused disruption to blood and plasma supplies in regions across the U.S. and U.K., ultimately causing major impacts to patient care,” said Errol Weiss, chief security officer at Health-ISAC.

Read the full article in Healthcare Infosecurity Click Here

As Health-ISAC and AHA warned in August, the attacks on those three critical third-party suppliers significantly affected healthcare delivery, Weiss said. “It should serve as a wake-up call across the industry to address supply chain resilience. It’s not just about ensuring IT systems are secure, but also making sure critical hospital operations can continue to function in the face of widespread IT system outages,” Weiss said.

Rachel James received the cybersecurity threat sharing award

ORMOND BEACH, Fla., Dec. 10, 2024 (GLOBE NEWSWIRE) — Health Information Sharing and Analysis Center (Health-ISAC), the non-profit world-class, industry-led sharing organization that provides the global health sector with a trusted community for sharing cyber and physical security threats, has announced the 2024 recipient of the Steve Katz Hero Award.

Since 2021, Health-ISAC annually recognizes one individual who has gone above and beyond on behalf of the membership community and the greater health sector. This year, in honor of Steve Katz, the world’s first CISO, and his valuable contributions to the health security community, Health-ISAC has renamed the annual Hero Award to the Steve Katz Hero Award.

At the recent Fall Americas Summit, Health-ISAC awarded Rachel James, Principal AI ML Threat Intelligence Engineer at AbbVie, the prestigious Steve Katz Hero Award, recognizing her unwavering commitment to cybersecurity excellence, education, and collaborative leadership across the health sector and cybersecurity communities. Rachel has many years of experience in health sector security and is currently serving as the Lead for the Prompt Injection entry for the OWASP Top 10 for Large Language Model Applications and Generative AI.

Known for her dedication to elevating the field and creating educational opportunities, Rachel embodies the spirit of this award through her exceptional contributions, exemplified by her active chair roles in multiple Health-ISAC working groups. Notably, Rachel led the development of the CTI in a Box whitepaper for the Cyber Threat Intelligence Program Development (CTIPD) Working Group, a resource designed to assist organizations in developing and enhancing cyber threat intelligence capabilities. She also led a workshop for the Artificial Intelligence Working Group (AIWG), offering valuable insights and practical guidance to attendees at the Fall Americas Summit on the evolving role of AI in cybersecurity.

“Rachel is always willing to help, educate, and inspire others in the cybersecurity field. Her leadership and commitment to our mission make her an exemplary Steve Katz Hero Award recipient, and we are grateful for her continued service,” says Denise Anderson, Health-ISAC President and CEO.

Rachel has dedicated her time to raising awareness about cyber threats and building resilience in the healthcare sector, reinforcing her reputation as a trusted resource and a guiding force within Health-ISAC and cybersecurity communities. She exemplifies the values of the Steve Katz Hero Award, making her a fitting honoree.

Privileged Access Management a Critical Tool in CISO Arsenal, Health-ISAC Report Says

In a healthcare ecosystem where data protection and access control are paramount, Privileged Access Management (PAM) emerges as a critical line of defense. According to the Health-ISAC report, “Privileged Access Management: A Guide for Healthcare CISOs,” PAM isn’t just another identity management tool; it’s the “bank vault” safeguarding an organization’s most sensitive information.

Read the full article in HealthSystemCIO.com. Click Here