Wednesday, February 14, 2024

Cybersecurity Costs

 

I have consulted with a company recently. They were reviewing the ISO 27001:2022 certification. This, depending on the circumstances, could be a heavy lift or not too bad; it is entirely dependent on the environment. After the initial review and recommendation, the first comment was that the business didn't have the budget for the tools, staffing, or anything else. This left me a bit confused, as the certification process is not inexpensive.

This reminded me of the budget process. The C-level and senior management at times don't understand security's role. They instead think like accountants and try to arrive at an ROI (return on investment) for it. This tends to be very difficult; when you try to commoditize security, there are problems.

When I hear this, my thoughts run to how much a network compromise would cost, with ransomware thrown in for good measure, even with cybersecurity insurance. How much would it cost for your connected medical devices to be breached and malicious code put in the firmware, with three or four patients feeling the effects?

There are the direct costs, of course, but also the indirect cost of reputational risk. These are a few things to think through. 

Services 

Enterprise and Embedded System Cybersecurity Engineering & Architecture


Red Team Pentesting   |   HW & SW BoMs  |   CBoM  | 

Vulnerability Management   |   Tabletop Exercises (TTX)   | 

Embedded Systems Architecture   |   Threat Intelligence   | 

TARA (Threat Assessment and Remediation Analysis) 


 charles.parker@mielcybersecurity.net 810-701-5511



Security by Obscurity

 

During the budgeting cycle, departments may ask for increases in their respective budgets, either padding them or to accommodate capital purchases. When senior management does not recognize the importance of security, the thought may float through their minds: what if we do nothing? After all, nothing has happened.

Well, nothing has happened…yet. The healthcare industry is targeted for many reasons, and there are many options as to the individual targets, methods of attack, and other facets. A breach in this environment is horrific operationally, with systems shut down for days or weeks, ERs closed, patient data exfiltrated, and so on. There is also the potential for patient mortality being directly attributable to the breach. Financially this can be a nightmare, as the healthcare provider has to quickly address the issues and contract with a forensic firm to review the breach, what was accessed, and everything else involved. This is not cheap.

By ignoring cybersecurity and thinking you can get through the next cycle without adequately addressing it, the healthcare provider is doing everything it can to set itself up for failure on the business, functional, and patient care sides.





Targeted Hospitals

 


Hospitals hold a prolific amount of data. This isn't one type of data; it covers the patient's visit and includes all of their insurance and diagnosis information. It is collected every single day. This mountain of data in the warehouse is coveted by attackers, and by hospital peers, because of its value.

The data’s value has drawn numerous attacks over the years, most of them thankfully unsuccessful. The successful attacks have proven to be somewhat disastrous, affecting already stretched finances and patient care. To support cybersecurity in hospitals, and by extension decrease the number of compromises and breaches, the Biden administration has a new plan. This would force the hospitals to put more effort and resources into cybersecurity. Within the next few months, they plan on pushing a proposal requiring hospitals to put in place basic cybersecurity defenses. Without these in place, the hospitals would not receive federal funding.

One area not detailed is the definition of basic digital security defenses. There is an idea in play now for this. One would think these would already be in place, especially given the present federal statutes. It will be interesting to see what the final definition of the cybersecurity tasks and their implementation will be. This assuredly won’t be cheap.





We Certainly Live in Interesting Times


The only constant in this industry is change. There are constantly new tools and methods available for offensive and defensive teams. One technology that has been used and is growing in popularity in social media and the industry is AI. The use of AI will only continue to increase, both in total and across different applications.

AI has many uses and applications, and it is perfectly adept at cybersecurity. Leveraging AI and its processing power brings these applications to new levels. AI may be used to assist with phishing awareness testing, managing the phishing tests and the reporting. With the available processing capabilities, this could show the weak points among the staff in a much clearer and quicker way.

Likewise, this could be used for ransomware testing. Ransomware, on the attack side, has proven to be devastating. Using AI to simulate a ransomware attack through the various channels would indicate vulnerabilities. This would also clearly show whether the internal tools designed to detect and protect the systems from ransomware worked or not.

Supply chains offer a whole new way to compromise a system. Defending against this has proven to be a chore, much like defending against internal threats. AI is well suited to providing a thorough simulation of this attack. This would show whether the company is vulnerable to it. If so, the company can plan a project to correct it.

There are other tests that can leverage AI as well. It is a valuable tool to use.





SBoMs

 

An SBoM (Software Bill of Materials) is an inventory of the software in a product or service. It lists the software packages, their versions, and other data. It is a useful tool in that you have a current list of software components. This can be used to check for vulnerabilities and new attacks, and to answer client questions. When new attacks have surfaced, vendors have called to verify whether the affected components are included in the product or service purchased.

In addition, the FDA has published its new mandate requiring medical device manufacturers to provide an SBoM. The FDA mandate is clear and allows manufacturers to produce it. The new standard for the data presentation is ready and clear.
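The "is the affected component in our product?" check described above, as an added example that is not from the original post or any vendor's tooling. It assumes a constructed CycloneDX-style SBoM JSON and hypothetical advisories with an introduced/fixed version range; no real product inventory or CVE is referenced.

```python
import json

# Constructed sample SBoM in CycloneDX-style JSON (hypothetical device, not a real inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "infusion-pump-firmware", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
  ]
}
"""

def version_key(version):
    """Split '1.2.11' or '1.1.1k' into comparable parts: (number, letter suffix) per dot segment."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        suffix = piece[len(digits):]
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)

def load_components(sbom_json):
    """Return the (name, version) pairs listed in the SBoM's components array."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]

def affected_components(sbom_json, advisory):
    """Return (name, version) pairs whose version falls in the advisory's affected range.
    advisory = {"name": ..., "introduced": ..., "fixed": ...}; the fixed version itself is not affected."""
    hits = []
    for name, version in load_components(sbom_json):
        if name != advisory["name"]:
            continue
        v = version_key(version)
        if version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"]):
            hits.append((name, version))
    return hits

if __name__ == "__main__":
    # Hypothetical advisory: openssl 1.1.1 up to (not including) 1.1.1l is affected.
    print(affected_components(SBOM_JSON, {"name": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"}))
```

The range check treats the fixed version as the first clean release, so a component already at the fixed version is reported as not affected.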





Human Cost in Healthcare Increases Criticality

 

The healthcare industry is interesting. It appears relatively straightforward, with patient care staff and patient interactions. When you think through the full operation, though, there is much more involved. Each step is diverse and not mainstream within the operations. With all these attack points, healthcare CISOs have their work cut out for them every day. The threats include all the usual suspects (e.g., ransomware, phishing, supply chain compromises, data breaches, and social engineering).

One area gaining more traction and attention is IoMT. We’ve heard of IoT, especially with refrigerators, coffee makers, thermostats, and light bulbs. IoMT (the Internet of Medical Things) is differentiated from these in that its focus is medical devices. These may include medical operational technology (OT) such as wearable blood pressure devices, insulin pumps, ingestible sensors, remote patient care devices, and other monitoring devices.

Security has gotten better with these devices thanks to various technological improvements, e.g., BLE versus classic Bluetooth. This is a product of security starting to be built into the product sooner rather than later. There are still issues with misconfigurations, web app code the Dev Team thought was removed, and other problems.

As these devices interact more with patients, the risks increase substantially. Any security issue is amplified by the potential loss of life. This amplifies the need for security to be implemented early on with the Dev Team and applied to the current version, not two or three versions down the line. A concentrated, thorough application of security to the software and hardware will significantly reduce the potential for incidents, which will allow your CISO to get a better night’s sleep.

