IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

How Serious is the Cybersecurity Talent Shortage? 


Across all industries worldwide, cybersecurity has become a top priority. Hackers keep pumping out new types of malware, and data breaches keep occurring. As of April 8, there were already 281 breaches exposing nearly 6 million records in 2019 so far, according to the Identity Theft Resource Center. Businesses can’t afford to sit back and wait until they’re attacked to defend themselves against cybercriminals.

 

With the average cost of a data breach globally totaling $3.86 million according to IBM and the Ponemon Institute, the wisest course of action is to proactively protect your organization with a comprehensive cybersecurity strategy.

 

However, everyone looking to effectively combat IT security threats faces a significant obstacle: a cybersecurity talent shortage. If you’re a business leader seeking to minimize your data breach risk, consider the following information on the extent of this issue and what you can do to overcome it.

 

The Cybersecurity Workforce Gap by the Numbers

(ISC)² – an international, nonprofit association for information security professionals – released a report on the cybersecurity workforce gap in 2018. The report draws on a survey of nearly 1,500 cybersecurity pros and IT pros who spend at least 25 percent of their time on cybersecurity tasks.

 

Here are a few key statistics from the report that illustrate the extent of the talent shortage:

●  The global shortage of cybersecurity professionals is approximately 2.93 million.
●  63 percent of survey respondents said their organizations have a shortage of IT staff focused on cybersecurity.
●  59 percent also say their organizations have a moderate or extreme cyberattack risk level because they lack sufficient cybersecurity talent.

“Awareness of the cybersecurity skills shortage has been growing worldwide,” the report’s introduction states. “Nevertheless, that workforce gap continues to grow, putting organizations at risk. Despite increases in tech spending, this imbalance between supply and demand of skilled professionals continues to leave companies vulnerable.”

What’s Behind the Cybersecurity Talent Gap?

 

The increasing popularity of e-commerce and the rise of new technologies like mobile devices and the Internet of Things have created more opportunities for cybercrime. In the past few years in particular, the demand for cybersecurity talent has surged, according to Verizon. Basically, the supply hasn’t had time to catch up to the skyrocketing demand. Universities and training programs need time to develop the right courses so that job candidates have the cybersecurity skills companies are searching for, Verizon explains.

 

However, it will take a while for college students to complete the new coursework and find their way into the workforce. Another, faster answer to the talent shortage is for workers to learn through on-the-job training.

 

What Can Businesses that Need IT Security Expertise Do to Overcome the Talent Gap?

There are several ideas out there already concerning how to remedy the growing and highly concerning cybersecurity skills shortage.

 

Here are a few notable proposals:

●  Form an industry-wide alliance: If large enterprises in the IT world (e.g., Dell, Cisco, Microsoft, Google and so on) join forces, they could put cybersecurity training programs in motion to address the talent shortage, according to the CSO opinion piece “The cybersecurity skills shortage is getting worse” by Jon Oltsik, a principal analyst at Enterprise Strategy Group.
●  Broaden the job search to include candidates with the potential to learn. Companies shouldn’t necessarily rule out professionals who don’t have the ideal qualifications in terms of degrees, certifications, and experience, Arctic Wolf Networks CEO Brian NeSmith advises in the Forbes article “The Cybersecurity Talent Gap Is An Industry Crisis.” Be open-minded and consider that intelligent candidates with great problem-solving skills might do well in the role, even if they don’t have all the prerequisites.
●  Turn to a third-party provider for assistance. A managed security services provider like Stratosphere Networks can help you gain access to high-level cybersecurity expertise while still containing costs. Services such as virtual CISO and CSO can give you all the benefits of having a security pro on staff without drawbacks like the price of training and hiring an in-house executive.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Ransomware: How we can climb out of this mess


Computer malware seriously disrupted the continuity of clinical operations when WannaCry struck. The Department of Homeland Security began issuing warnings of ransomware vulnerabilities affecting dozens of medical products ranging from radiation oncology and mobile x-rays to ultrasound and anesthesia. Saved by a curious 22-year-old who spent $11 to register a domain name that accidentally disabled the spread of the buggy malware (not a joke), the world can rest briefly until the next attack, which could happen again without warning.

Ransomware itself is not the cause of our problems. Ransomware is symptomatic of design flaws baked into the fabric of our healthcare infrastructure. The root cause is a fragile infrastructure filled with legacy medical device software.

When we know about a disease, do we read about it and hope never to get it? No, we vaccinate, avoid risky areas, wash our hands, and seek immediate help after coming in contact with a carrier. In short, we plan ahead for risk management.

So, what's an effective strategy to mitigate the medical device security risks that can disrupt clinical operations?

Simply deploying new technology is not the answer. Replacing old unmaintainable computers with new unmaintainable computers is not the answer either. An effective approach must address five core parts of the healthcare delivery supply chain: manufacturing, procurement, regulation, training and governance.

First, medical device manufacturers must design medical devices to remain safe and effective despite cybersecurity risks. The U.S. Food and Drug Administration already recognizes community standards and best practices such as the AAMI TIR57 for building security into the design of medical devices. Microsoft warned manufacturers from day one of the scheduled obsolescence of Windows XP. The operating system “end of road” hazard signs were unambiguous and forewarned years before reaching the cliff. While manufacturers may have sold the unmaintainable products, hospitals made the mistake of buying them. Hospitals accumulate legacy devices for decades without a financial model to sunset unsecurable products.

With procurement practices such as the cybersecurity “vendor book” from the Mayo Clinic, hospitals should factor meaningful cybersecurity into purchasing decisions. Medical devices should come with a bill of software materials to enable risk-based purchasing decisions. Hospitals need to buy and maintain better equipment with better service contracts, and they need to keep track of their inventory down to the port numbers, Ethernet MAC addresses, and software versions so they can better manage risk. Manufacturers should give providers a database that maps medical device serial numbers to MAC addresses to make network-based inventory tracking feasible.

Governments should consider construction of a test hospital for national cyber crashworthiness trials of healthcare infrastructure. The automotive manufacturing community performs crashworthiness testing so consumers can know the risk. Although patients prescribed a medical device are far safer with the device than without, patients and hospitals deserve to know what risks they are accepting when receiving or purchasing a medical device.

Regulators must take into account the geographic problem that malware does not respect international boundaries. The same core cybersecurity problems exist everywhere, and healthcare IT cultures in different countries suffer from surprisingly similar computing problems. Medical device regulators such as FDA, MHRA in the UK, and CFDA in China need informed authority and legislative remit to ensure that medical devices remain safe and effective despite cybersecurity threats.

Who is liable for problems? Who feels any economic incentive to fix things? Unfortunately, not the entities with the most capability to address the causes, as the recent ransomware fiasco illustrates. Governments could mandate a phasing out of unsecurable devices and operating systems with penalties assessed by the HHS Office for Civil Rights, for the case of the U.S.

Fighting international criminals with considerable economic incentive will remain a continually losing battle without a coherent and fair regulatory strategy. For instance, the Criminal Justice Act in the UK assumes that information technology makes no security mistakes. Such poorly designed laws open the door to misguided prosecution of well-intentioned doctors and nurses for shortcomings in the medical systems and devices themselves. Legislation ought to incentivize cybersecurity and safety for manufacturing medical devices rather than penalize innocent healthcare delivery professionals and patients who make fair and reasonable attempts to report problems to manufacturers or regulators.

Workforce shortfalls remain a great barrier to cybersecurity. Few of our computer science students choose to work in healthcare. We need to focus attention on the great opportunity for computer science students to help improve healthcare. Double major in biomedical engineering! Manufacturers and governments should offer prestigious graduate fellowships to attract the best students to the field so that manufacturers, hospitals, and regulators can fill their open cybersecurity positions.

Finally, hospitals need an effective governance structure for controlling software safety risks in medical devices. A hospital should designate a top-level executive with the authority, responsibility, accountability, and budget for cybersecurity in the pursuit of healthcare safety that covers both the biomedical engineering and IT departments.

No medical device is perfectly secure, but a hospital should gracefully recover from cyberattacks rather than suffer system-wide outages for days. Patients should never be forced to doubt the availability and integrity of healthcare delivery. Security is a means to an end, and that end goal is safe and effective delivery of healthcare.

The recent global outbreak of ransomware is just the symptom du jour, and it’s time to act on recommendations to improve cybersecurity in manufacturing, procurement, regulation, training, and governance. Until cybersecurity becomes as second nature as hand washing, we should expect the cybersecurity problems to increase in frequency and consequence.

If there’s any silver lining, perhaps manufacturers, healthcare delivery organizations, and governments will begin to think more strategically rather than reactively about improving healthcare cybersecurity.


Cybersecurity: How can it be improved in health care?


It has become increasingly clear that cybersecurity is a risk factor in health care data. Data breaches cost the health care industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.

 

In a whitepaper entitled The Rampant Growth of Cybercrime in Healthcare, health IT advisor organization Workgroup for Electronic Data Interchange (WEDI) reported that these attacks are becoming increasingly difficult to identify, prevent and mitigate.

“Chronic underinvestment in cybersecurity has left many so exposed that they are unable to even detect cyberattacks when they occur,” the report stressed. “While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.”

As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in health care is on the rise.

Cybersecurity challenges in health care

The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Verizon’s 2016 Data Breach Investigations Report found that most breaches are about money and attackers usually take the easiest route to obtain the information they need. Consequently, many common threats continue to be problematic in health care, including:

●  Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded to reverse the encryption.
●  Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of health care organizations.
●  Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
●  Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from users.
●  Encryption blind spots: While encryption is critical for protecting health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
●  Employee error: Employees can leave health care organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.

Another growing threat in health care security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems. To ensure patient safety, the U.S. Food & Drug Administration recommended that both the manufacturer that creates the device and the health care facility that implants it take preventive security measures.

Strategies for improving cybersecurity

Due to the significant financial impact of data breaches in health care, health informatics and other professionals are playing an important role in ensuring that medical organizations remain secure.
According to HealthIT.gov, individual health care organizations can improve their cyber security by implementing the following practices:

1. Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.

2. Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.

3. Maintain good computer habits: New employee onboarding should include training on best practices for computer use, including software and operating system maintenance.

4. Use a firewall: Anything connected to the internet should have a firewall.

5. Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.

6. Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations should consider storing this backed-up information away from the main system if possible.

7. Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.

8. Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Health care employees should not only use strong passwords, but ensure they are changed regularly.

9. Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.

10. Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

In addition to these recommendations, health data professionals are continually developing new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.

Working in health care cybersecurity

To improve cybersecurity in health care, organizations need to hire informatics professionals who can not only collect, manage and leverage data, but protect it as well. If you are interested in contributing to this field through a career in health informatics, consider taking the next step in your health informatics (HI) career by pursuing a master’s in Health Informatics. In UIC’s online program you will complete courses in health care information systems that can help you manage the sensitive patient data at risk from cyberattack.


President Signs Executive Order for Unity in Cybersecurity


Executive Order to Promote Cyberthreat Info Sharing

Key Takeaway: President Obama, last Friday, signed an executive order to promote more information sharing about cyberthreats – both within the private sector and between the government and private sector.

Why it Matters: This is the latest in a series of steps taken by the Obama administration to focus on cybersecurity, going back to February 2013. When viewed alongside congressional efforts, there appears to be consensus on a number of items, including the need to bolster information sharing organizations and develop information sharing protocols.

Last week, President Obama signed an executive order (EO) promoting private sector cybersecurity information sharing during the first White House summit on Cybersecurity and Consumer Protection at Stanford University.  According to the EO, “The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.”

The main provisions of the EO direct the Department of Homeland Security to encourage development and formation of private-sector or non-profit sector Information Sharing and Analysis Organizations (ISAOs) and task the National Cybersecurity and Communications Integration Center (NCCIC) with coordinating ISAOs. A second provision of the EO tasks the Secretary of Homeland Security with entering into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization which “shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order.” The Standards Organization is tasked to develop:

  • Standards to further robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs and to foster development and adoption of automated mechanisms for information sharing;
  • Baseline standards that ISAOs should possess and be able to demonstrate;
  • The standards will also touch on contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization, for ISAO operation and ISAO member participation.

