Matthew Smith
Seattle, Washington, United States
735 followers
500+ connections
About
I live, sleep, eat, and breath cybersecurity risk management. As a vCISO I provide my…
Services
Articles by Matthew
-
NIST Releases Cybersecurity Framework DRAFT V1.1
NIST Releases Cybersecurity Framework DRAFT V1.1
As part of my daily job, I work with the NIST Cybersecurity Framework team. It is my pleasure to share with you that…
1 Comment -
Threat Informed Risk Management
Threat Informed Risk Management
Over the last few years, I've been working with the G2 Commercial team and NIST to understand applications of the NIST…
-
NIST Releases Guidance for Public Comment on Cyber Incident Recovery
NIST Releases Guidance for Public Comment on Cyber Incident Recovery
In October 2015, after applying lessons learned from the 30-day Cyber Sprint, President Obama released the…
1 Comment
Activity
-
Big week for cybersecurity workforce development at the National Institute of Standards and Technology (NIST)! We've got: 📝 Updates to the NICE…
Big week for cybersecurity workforce development at the National Institute of Standards and Technology (NIST)! We've got: 📝 Updates to the NICE…
Liked by Matthew Smith
-
What goes through my head when writing an email.
What goes through my head when writing an email.
Liked by Matthew Smith
-
NICE is excited to announce the release of Version 2.0.0 of the #NICEFramework Components. This update adds a new Work Role focused on Operational…
NICE is excited to announce the release of Version 2.0.0 of the #NICEFramework Components. This update adds a new Work Role focused on Operational…
Liked by Matthew Smith
Experience
-
Seemless Transition LLC
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Education
-
-
-
Activities and Societies: Founder and 1st President of the Nano and Emerging Technology Club (NExT), UPC Greeter Glee Club Member, Intra Mural Sports Participant
Publications
-
ISO/IEC 27110 - Cybersecurity framework development guidelines
International Standards Organization
See publicationThis document specifies guidelines for developing a cybersecurity framework. It is applicable to cybersecurity framework creators regardless of their organizations' type, size or nature.
-
NIST SP 181r1 - Workforce Framework for Cybersecurity (NICE Framework)
National Institute of Standards and Technology
This publication from the National Initiative for Cybersecurity Education (NICE) describes the Workforce Framework for Cybersecurity (NICE Framework), a fundamental reference for describing and sharing information about cybersecurity work. It expresses that work as Task statements and describes Knowledge and Skill statements that provide a foundation for learners including students, job seekers, and employees. The use of these statements helps students to develop skills, job seekers to…
This publication from the National Initiative for Cybersecurity Education (NICE) describes the Workforce Framework for Cybersecurity (NICE Framework), a fundamental reference for describing and sharing information about cybersecurity work. It expresses that work as Task statements and describes Knowledge and Skill statements that provide a foundation for learners including students, job seekers, and employees. The use of these statements helps students to develop skills, job seekers to demonstrate competencies, and employees to accomplish tasks. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NICE Framework improves communication about how to identify, recruit, develop, and retain cybersecurity talent. The NICE Framework is a reference source from which organizations or sectors can develop additional publications or tools that meet their needs to define or provide guidance on different aspects of cybersecurity education, training, and workforce development.
Other authors -
-
NISTIR 8278 National Cybersecurity Online Informative References (OLIR) Program: Guidelines for OLIR Users and Developers
National Institute of Standards and Technology
In a general sense, an informative reference indicates how one document relates to another document. The National Cybersecurity Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts defining standardized online informative references (OLIRs) between elements of their documents and elements of other documents like the NIST Cybersecurity Framework. The OLIR Program provides a standard format for expressing OLIRs and a centralized location for hosting…
In a general sense, an informative reference indicates how one document relates to another document. The National Cybersecurity Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts defining standardized online informative references (OLIRs) between elements of their documents and elements of other documents like the NIST Cybersecurity Framework. The OLIR Program provides a standard format for expressing OLIRs and a centralized location for hosting them. This report describes the OLIR Program, focusing on explaining what OLIRs are and what benefits they provide, how anyone can search and access OLIRs, and how subject matter experts can contribute OLIRs.
Other authors -
-
NISTIR 8259 Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline
National Institute of Standards and Technology
Internet of Things (IoT) devices often lack device cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving how securable the IoT devices they make are, meaning the devices provide functionality that their customers need to secure them within their systems and environments, and manufacturers can also help their customers by providing them with the cybersecurity-related…
Internet of Things (IoT) devices often lack device cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving how securable the IoT devices they make are, meaning the devices provide functionality that their customers need to secure them within their systems and environments, and manufacturers can also help their customers by providing them with the cybersecurity-related information they need. This publication describes voluntary, recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These activities can help manufacturers lessen the cybersecurity-related efforts needed by IoT device customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices.
Other authors -
-
NISTIR 8204 Cybersecurity Framework Online Informative References (OLIR) Submissions Specification for Completing the OLIR Template
National Institute of Standards and Technology
See publicationThis document provides instructions and definitions for completing the Cybersecurity Framework (CSF) Online Informative References (OLIR) spreadsheet template available for download at https://www.nist.gov/cyberframework/informative-references. This document is intended to assist developers of References as they complete the spreadsheet template. Definitions are provided for column and row headings in addition to a discussion of expected values.
-
Using the NIST Cybersecurity Framework in an International Setting
CISO Compass
See publicationMatthew is a featured author among the top 75 CISOs and cybersecurity leaders. The article highlights how companies, national governments, and international bodies use and leverage the NIST Cybersecurity Framework to organize and communicate cybersecurity activities.
-
SP 800-184 Guide for Cybersecurity Event Recovery
National Institute of Standards and Technology
In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios. This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents. Additionally, continually improving recovery planning…
In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios. This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents. Additionally, continually improving recovery planning by learning lessons from past events, including those of other organizations, helps to ensure the continuity of important mission functions. This publication provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning. It also provides an example scenario that demonstrates guidance and informative metrics that may be helpful for improving resilience of information systems.
Other authors -
-
A Brief Look into the Cybersecurity Framework
AFCEA Signal Magazine Online
See publicationAn overview of the Cybersecurity Framework as well as a look towards implementation.
More activity by Matthew
-
On Tuesday, March 4th, the Right to Repair (HB 1483) was successfully voted out of Washington’s House of Representatives by a near-unanimous vote of…
On Tuesday, March 4th, the Right to Repair (HB 1483) was successfully voted out of Washington’s House of Representatives by a near-unanimous vote of…
Liked by Matthew Smith
-
DDoS attacks almost always originate from hacked devices. The country/countries that the traffic originates from has never been an indicator of who's…
DDoS attacks almost always originate from hacked devices. The country/countries that the traffic originates from has never been an indicator of who's…
Liked by Matthew Smith
-
As an introvert in the design industry, self-doubt can be a constant companion. Even with two decades of experience, questions like "Am I good…
As an introvert in the design industry, self-doubt can be a constant companion. Even with two decades of experience, questions like "Am I good…
Liked by Matthew Smith
-
I wondered if this would be possible and it turns out it is! 1. Downloaded 360GB of elevation data from NASA Earth Data, utilizing the ASTER…
I wondered if this would be possible and it turns out it is! 1. Downloaded 360GB of elevation data from NASA Earth Data, utilizing the ASTER…
Liked by Matthew Smith
-
I suspect the reason a lot of people support DOGE is due to the flawed logic of trying to approach government as if it were a business. When a…
I suspect the reason a lot of people support DOGE is due to the flawed logic of trying to approach government as if it were a business. When a…
Liked by Matthew Smith
-
Anybody interested in Cybersecurity Risk Management? In #NIST's latest blog post celebrating 1-year of #CSF 2.0, they highlighted updates to their…
Anybody interested in Cybersecurity Risk Management? In #NIST's latest blog post celebrating 1-year of #CSF 2.0, they highlighted updates to their…
Liked by Matthew Smith
-
Huge congratulations, Reva! This kind of approach is needed more than ever!
Huge congratulations, Reva! This kind of approach is needed more than ever!
Liked by Matthew Smith
-
I’m so delighted to see that one of the last publications I worked on at NIST – SP 800-226, Guidelines for Evaluating Differential Privacy Guarantees…
I’m so delighted to see that one of the last publications I worked on at NIST – SP 800-226, Guidelines for Evaluating Differential Privacy Guarantees…
Liked by Matthew Smith
Other similar profiles
Explore more posts
-
Michael Tchuindjang
The Cybersecurity and Infrastructure Security Agency (CISA) called for companies and organizations in the healthcare sector to report cyberattacks within 72 hours and ransoms paid within 24 hours. The proposed rule that would require the nation's most critical industries to more quickly report cyberattacks is raising the ire of the health care industry, which claims the new directives could actually hinder its response in a crisis. CISA says the agency isn't learning about many cyberattacks in a timely way, making it difficult to not only quickly help victims but also spot trends and warn other companies about known vulnerabilities. Cyberattacks have sent shockwaves across the health care industry, but regulators and providers don't agree on how to get a handle on the problem. Groups also raised particular concerns about the proposed enforcement mechanism included in the proposal to penalize organizations that don't comply with the law in a timely fashion... #informationsecurity #cybersecurity #security #healthcare #cisa #regulations #hipaa #healthcare #ransomware
5 Comments -
John Telyea
The Power of Boring: The Unseen Virtue of Cybersecurity In the ever-evolving world of technology, where cutting-edge innovations and flashy new gadgets capture headlines, cybersecurity often appears to be the quiet, unnoticed sibling. Yet, for an industry that's increasingly critical in protecting our digital lives, "boring" is a badge of honor it should wear proudly. The Allure of the Mundane The notion that cybersecurity should be boring might seem counterintuitive. After all, cybersecurity incidents often make for sensational news—data breaches, ransomware attacks, and high-profile hacking scandals. These events capture public attention precisely because they are dramatic and disruptive. However, the ideal state for cybersecurity is one of calm, predictability, and uneventful operations. In a well-secured environment, there should be nothing exciting to report. Systems should run smoothly, data should be securely stored and transmitted, and breaches should be a rare occurrence, swiftly dealt with before they can cause damage. The goal is a seamless experience for users, where security measures are effective yet unobtrusive. Routine as the Backbone of Security The backbone of effective cybersecurity lies in routine. Regular software updates, consistent monitoring, frequent security audits, and meticulous patch management are the cornerstones of a robust security posture. These tasks, while repetitive and often seen as mundane, are crucial in maintaining the integrity and security of systems. The Quiet Success of Prevention One of the most overlooked aspects of cybersecurity is that success often goes unnoticed. If a security team is doing its job well, users and stakeholders should see nothing out of the ordinary. No news is good news. The absence of security incidents or breaches is a testament to the effectiveness of the preventive measures in place. Preventive cybersecurity measures, such as multi-factor authentication, encryption, and network segmentation, are not glamorous. They don’t make headlines, but they create a formidable barrier against would-be attackers. These measures quietly work in the background, ensuring that systems are secure and data is protected. Conclusion In the world of cybersecurity, boring is not a pejorative term. It signifies stability, reliability, and a proactive approach to security. While the excitement of thwarting a high-profile attack might appeal to some, the true measure of success is a quiet, uneventful landscape where systems are secure, data is protected, and users are safe. The next time you find yourself yawning at the routine tasks of cybersecurity, take a moment to appreciate the underlying significance. Embrace the boring. It's a sign that everything is working as it should.
-
Vatsal Desai
The disconnect between security and tech teams has become increasingly evident, hindering progress toward agility, meaningful metrics, and Zero Trust goals. With a shift in reporting lines and strained relationships, it's clear that understanding each other's challenges is crucial. By breaking down these silos and fostering open communication, we can bridge the gap, enhance collaboration, and drive effective solutions together. It’s time to recognize that we’re on the same side—let’s work towards a stronger, unified approach to security and technology. #Uniclan #Uniclanhealthcare #Uniclanhealthcarepvtltd #DomsWopwer #CyberSecurity #ZeroTrust #TechCollaboration #AgileSecurity #BreakingSilos #SecurityLeadership #UnifiedApproach #TechInnovation #CollaborationMatters #StrongerTogether #SecurityAndTech #EffectiveSolutions #DigitalTransformation #OpenCommunication #TeamworkForSuccess https://lnkd.in/g9YmmSCJ
-
Bob Monroe
Move on over HIPAA, there is a new bill working its way through the Washington red tape machine called "Health Infrastructure Security and Accountability Act". Since pretty much all of our health and personal data has already been leaked by inadequate data collectors, some lawmakers decided it was time to act. They are 20 years too late but it's election season so they need to pull out all the stops. HISAA (sounds 'gangsta' doesn't it) has civil penalties for all those health data grabbers out there who don't comply (and get caught) with HISAA requirements. These include: No knowledge – Minimum of $500 Reasonable cause – Minimum of $5,000 Willful neglect (Corrected) – Minimum of $50,000 Willful neglect (Uncorrected) – Minimum of $250,000 Yes, one "reasonable cause" will cost them a month's mortgage payment (4 bedroom, 2 bath, detached garage), which will be passed down to you, the patient, in one form or another. You can compare this bill to the ole SOX Act but for health care. The bill includes checklists, audits, stress test (pen test sorta) and someplace where the CEO has to sign off on the compliance thingy. Health care organizations have 3 years to figure out ways around the bill before they need to worry, once this bill is passed (if it is passed). $800 million of taxpayer cash will be given to Medicare safe providers to help them figure out how data security works. Then there is another $500 million of TaxO'Cash to " incentivize all hospitals" to adopt data security. I've attached a two page summary of HISAA so you too can gasp in horror at how our government thinks. Happy Halloween https://lnkd.in/gmyyCxhe
1 Comment -
John Telyea
Before I became a cybersecurity expert, I thought that hackers only went after "big companies," yet this is not the case. Seattle's Public Library was just the victim of a ransomware attack which shut down multiple services and potentially leaked highly personal information. All companies are protentional targets if they don't have the correct system in place for data management. All companies are different so working with a cybersecurity professional that can tailor a security plan to your needs is extremely important. If your company is looking for an experienced cybersecurity analyst, then let’s connect! I bring a plethora of transferable tools (crisis management, data analytics, communication, collaborating with diverse teams and people) as well as a solid foundation of technical cybersecurity skills (SQL, SIEM, Linux). #cyberattacks #cybersecuritytips #cybersecuritythreats #employeeengagement
-
Chad Holmes
👿👨🏫 The Dark Side of Brilliance👨🏫👿 How Hackers are Exploiting Real Estate Transactions and Small Businesses One of my perverse cybersecurity joys is appreciating the evil genius of hackers. Many of their attacks are so effective. So patient. So financially rewarding. It’s hard to not see the brilliance in their simplicity. In the last month I’ve stumbled upon a new favorite that goes something like this: ***The Scheme*** 🎯 Breach: Hackers infiltrate a network processing large financial transfers (think mortgages or business deals). 🕶 Lurk in the Shadows: They spend months studying the system, communication styles, and payment methods. Basically, they become silent observers. ❗ Strike Time: They identify high-value, time-sensitive transfers - every minute counts for them. 👩🏫 Fake Customer Service: These cyber-cons then impersonate real customer service, mimicking communication styles down to a tee. They "verify" details like service, name, and payment dates. 💸 Wire Fraud: The unsuspecting victim, trusting the "verification," sends the money (often around $100k) straight to the fraudster's account. 🤦♀️ Confusion Reigns: The real vendor starts asking for the actual transfer, and guess what? The fake vendor does the same! This double request creates chaos, leading to even more misplaced funds. 💔 Fallout: Home sales fall through, businesses are crippled, and hackers walk away with millions - all thanks to a simple hack, patience, and some basic social engineering. Here's the Shocker: This happens THOUSANDS of times a month, and most go unresolved! **How to Fight Back? ** ✅ Never Trust, Always Verify: Don't respond to calls or emails claiming to "verify" transfers. Reach out directly to your authorized contact using previously established methods. 📂 Old School is Cool: Paper checks are a pain, but way harder to hack than wire transfers. Consider them for extra security (yes, it might take longer). 🏦 Think Local: Whenever possible, work with local sales reps or lenders. Building a face-to-face relationship can be a powerful defense. By staying vigilant and implementing these simple steps, you can protect yourself from falling victim to these elaborate scams. Let's outsmart the cybercriminals together! #cybersecurity #realestatescam #informationsecurity #staysafe Check out this article for a deeper dive into this specific scam. https://lnkd.in/gRmTPWKM
-
Wade Baker, Ph.D.
I often hear the question "Where/What are our biggest security exposures?" Cyentia Institute recently had the opportunity to explore this question using data from hundreds of thousands of attack path assessments conducted through the XM Cyber Continuous Exposure Management (CEM) platform. The attached figure gives a categorical breakdown of what we observed based on all entities (digital assets), total security exposures, and exposures affecting critical assets. . The left-most chart represents the attack surface based on broad categories of digital entities discovered during attack path assessments. Active Directory constitutes just over half of entities identified across all environments. On-premises IT and network devices account for another 31% of entities and cloud environments house the remaining 17%. Not all entities, however, are exposed via attack paths. If we change the scope of the attack surface to include only vetted exposures (entities susceptible to attack techniques), things look different. The middle chart captures this perspective and Active Directory exposures dominate the attack surface. But not all of those exposures affect critical assets. To be truly effective, Exposure Management must encompass all environments and account for where critical assets are most at risk. If we once again rescope the attack surface to focus on exposures to critical assets, a very different picture emerges, which is captured in the rightmost chart. Cloud environments now encompass over half of all critical asset exposures, followed by AD at 33% and IT/Network devices at 11%. Does this sync with exposures across your attack surface? Which perspective/view/chart is your primary guide for managing exposures? The full report contains tons of additional insights on exposure management. Download here: https://lnkd.in/dPfqXG7y #cybersecurity #exposuremanagement #cyberrisk
8 Comments -
Jennifer Clark
As most of these threats do, they aim to trick targets into running malicious code. It is crucial to train all employees and provide refresher training. These types of exploits catch us when we multitask and do not pay attention. If you need help with Security, Risk, or Compliance, SEI can help. Please reach out if you would like to brainstorm ideas.
-
Sheikh Ahmad
An ID #verification service that works with #TikTok and #X left its credentials wide open for a year 😱 This means that hackers could potentially have accessed sensitive data, like driver’s licenses 😬. An ID verification company that works on behalf of TikTok, Twitter, and Uber, among others, has left a set of administrative credentials #exposed for more than a year, as reported by 404 Media 📰. The Israel-based AU10TIX verifies the identity of users by using pictures of their faces and driver’s licenses, potentially opening up both to #hackers 🕵️♂️. The set of admin credentials that were left #exposed led right to a logging platform, which in turn included links to identity documents 🔗. There’s even some reason to suspect that bad actors got ahold of these credentials and used them 🕶️. They appear to have been #scooped up by #malware in December 2022 and placed on a Telegram Messenger channel in March 2023, according to timestamps and messages acquired by 404 Media 🕵️♀️. The news organization downloaded the credentials and found a wealth of passwords and #authentication tokens linked to someone who lists their role on LinkedIn as a #Network_Operations_Center_Manager at AU10TIX 🔑. If hackers got ahold of customer data, it would include a user’s name, date of birth, nationality, ID number and images of uploaded documents 🆔. It’s pretty much all an internet #Gollum would need to steal an identity 🏴☠️. All they would have to do is snatch up the credentials, log in, and start wreaking havoc 🔓. Yikes 😱. AU10TIX has issued a statement on the matter, writing that the “data was potentially accessible” but that it sees “no evidence that such data has been exploited” 📝. The company said that impacted customers have been notified and that it’s decommissioning the current operating system in favor of a new one that focuses more on #security 🔒. Some of its #partners switched #verification companies before this issue popped up. A spokesperson for Upwork said that it has “been working with a different service provider for some time now” 🤝. Twitter, however, just signed up with AU10TIX back in September and it uses government-issued IDs to verify premium users 🆔. Others, like Fiverr and Coinbase, have said they aren’t aware of any data exposure, though they still work with AU10TIX 💼. Dumping customer data on Telegram Messenger or the #dark_web has become the most popular way for hackers to do their thing 📲. Back in late March, over 73 million AT&T passwords were leaked onto the dark web 🕵️♂️. LoanDepot experienced a similar issue this year, as did the US Department of Defense 🏛️.
-
Bob Chaput
UnitedHealth Group, Optum, and Change Healthcare...just a thought... I'm pretty sure a comprehensive, enterprise-wide risk analysis (required at 45 CFR §164.308(a)(1)(ii)(A)) followed by the development and execution of good old-fashioned risk management (required at 45 CFR §164.308(a)(1)(ii)(B)) would have come in less than $2.5B. Obviously, the controls checklist approach didn't work... https://lnkd.in/ehsRAdKs
5 Comments -
Michael Montecillo
Last night I spent some time talking to a few dear friends calming them down, helping them to sanity check, and navigate evacuating the fires in SOCAL. Though they don't work in our industry, several of you have met these friends over the years. It reminded me of the principles that I keep in working incident response. I leaned on: 1. Being the most calm. 2. Being empathetic. It's ok for people to feel negative emotions, especially during events, I lean on understanding and channeling those emotions. 3. Assist in making action-oriented decisions smaller and more numerous. People, including you, make mistakes in responding to events, making decisions smaller and incremental gives people the opportunity to make smaller mistakes. In this case this meant asking questions about their driving, their speed, their gas situation, their fog lights, etc. Each of these are small decisions that can help people calm down and focus, as well as keep them safe. 4. Helping them avoid pitfalls. 5. Being honest. If I didn't know things I told them. If I knew things, I told them why (experience, news article, whatever). I also follow a mantra of: 1. Manage safety first. 2. Manage convenience second. 3. Manage emotions third. Getting folks to a safe spot is obvious, managing convenience to reduce the immediate challenges is important, but people often confuse this for the first priority. Knowing that it comes second enhances the first priority. Having emotions come last allows people to feel but also let's them know that their feelings don't influence what keeps them safe and what is most convenient. Always remember to communicate, even over communicate, your thoughts and focus on a mantra, your underlying focus is on their long-term well-being. Be flexible for people, but stringent on your principles. I remind folks that this is what I do. For 20+ years now, helping folks in situations, at it's core, is what I do. In professional terms since Blaster and MyDoom. Over that time, it became ingrained in who I am. Let them know that you're honored you could be on the other end of the phone in that situation with them. You're there for it. And lastly, maybe the most important. When everything is all said and done, whether it's a week, a month, whatever. Ask if they're ok. Over the years I've played virtually every role in industry in events (interim CISO, response commander, responder, SME, whatever), as I reflect on that, I recognize that these principles and steps have helped from all of those angles. My heart goes out to everyone affected by the fires in SOCAL. Be safe and take care of each other.
-
Richard Staynings
"Something Better Change" in the words of 70s New Wave band 'The Stranglers' and plainly today something had better change to the cybersecurity of healthcare across the USA, which has become a near constant victim of rising cybercrime. The healthcare industry simply wasn't designed to be a secure industry like banking or defense - it was designed to save lives and treat patients. It lacks so many things to be secure, including the resources to become so, and that's why new proposed US government regulations are a mixed bag. Tying Medicaid or Medicare reimbursements to new security requirements under a federal rule due to be proposed in the coming weeks may sound like a good thing, but without direct assistance from government (other than some minimalist security training), its not going to move the needle. While many healthcare organizations especially the payers and payviders are raking in billions in profit like UHG ($22 bn in 2023) others, especially small and rural healthcare providers, are being drowned by high costs, staff shortages and declining reimbursement rates. Small hospitals also lack cybersecurity capabilities and teams. Meanwhile out of control medical bills, cost-shifting to the insured, and static insurance limits, place more medical costs on patients who cannot afford them, don't pay, or decline services even with insurance. US healthcare is inextricably broken, and moving the needle on healthcare cybersecurity requires so much more than tweaking the regulations and expecting a different outcome. It requires a whole system approach to reform - one that is politically risky for politicians when lobbyists have so much power and who want to keep things just they way they are - broken but lucrative for their clients. Keeping patients and their medical data safe and secure should be a core mission of healthcare providers, as should the availability of healthcare systems to provider care when under attack. Yes, resiliency to cyberattack is entirely missing in this industry. Lack of segmentation means a single compromised system can take down an entire hospital, or in Change Healthcare's case nearly half of the country! Governments should be fostering and paying for highly resilient healthcare shared infrastructure that is secured to military standards. Healthcare is after all part of Critical National Infrastructure (CNI). In times of rising geopolitical tensions CNIs are coming under increasing levels of attacks from adversaries and their criminal proxies and it is the constitutional duty of the federal government to protect its citizens from harm, especially in times of war. And if you look out there, we are most definitely in a hybrid cyber war. While sticks are required to convince some healthcare CEOs and boards to make cybersecurity a priority and a core mission, so too are meaningful and substantial carrots that encourage cyber-safe behavior and investments in cybersecurity people, process and technologies. .
7 Comments -
David (Dave) Hawkins🎖
👉🏽 The FBI suggests four actions “to protect yourself from putting yourself at risk: ✔ Regularly clear your cookies from your Internet browser. ✔ Recognize the risks of clicking the ‘Remember Me’ checkbox when logging into a website. ✔ Do not click on suspicious links or websites. Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission. ✔ Periodically monitor the recent device login history from your account settings.” “Cybercriminals are gaining access to email accounts,” the FBI warned this week, even when accounts are protected by multifactor authentication (MFA). Attacks begin when users are lured into “visiting suspicious websites or click on phishing links that download malicious software onto their computer.” Email access itself comes by way of cookie theft. Not the devilish tracking cookies that we read so much about, and which caused havoc when Google reversed its promise to eradicate them from Chrome. These are session cookies or security cookies or “remember me” cookies. They store credentials to stop you having to log in every time you visit a website or access one of your accounts. The threat affects all email platforms providing web logins, albeit Gmail, Outlook, Yahoo and AOL are by far the largest. The same threat clearly impacts other accounts as well, including shopping sites and financial platforms, albeit there are now often additional protections in place, especially with financial accounts. MFA is not usually stored in the same way, and criminals use other means to steal live codes. “Many users across the web are victimized by cookie theft malware,” Google has warned, “giving attackers access to their web accounts.” While “fundamental to the modern web... due to their powerful utility,” Google describes security cookies as “a lucrative target for attackers,” and that problem is getting worse. #fbi #cookies #hackers #malware #mfa
1 Comment -
Bob Chaput
Cyber threats are increasing—especially in the healthcare sector. Risks to patient safety are rising exponentially, yet most healthcare organizations are underprepared to deal with these threats. Safeguarding today’s patients and your organization is not just an IT problem—it's a critical priority for everyone involved. With comprehensive strategies and proactive measures, we can protect patient data and ensure the continuity of care. Order the book here: https://lnkd.in/eYaHdGAw #Cybersecurity #DataProtection #RiskManagement #PatientCare
-
Hanno Ekdahl
For many hospital and health system leaders, moving data from old systems often feels like a tick-the-box exercise—transfer the data in any way possible and let it gather dust until it's required for compliance, regulation, billing, clinical reports, or information release requests. This approach severely limits the potential of that data. However, forward-thinking executives see the hidden value in their software systems. When done correctly, archiving can unlock and normalize legacy data, enabling workflows that are easily accessible through today's advanced and secure interoperability channels. With the rise of industry standards and AI, there's newfound hope that data from over a decade ago can be just as valuable now as it was when first created.
-
Chenxi Wang, Ph.D.
Impactful cyber news today -- An important step in the direction that CISOs are treated more like a CFO, with the right level of accountability, transparency, as well as protection. Senator Wyden and Warner just proposed a new healthcare cybersecurity bill. This bill might be a watershed moment for the cybersecurity industry, an important step in codifying the practice of cyber security. It aims to regulate and document the official responsibilities of Cybersecurity leadership for a healthcare entity. This bill might do for the CISO what Sarbanes-Oxley did for the role of the CFO. If this bill passes, other industries may follow suit. The bill specifically calls out the - Establishment of a minimum cybersecurity standard for the health care industry - Public certification of compliance (The CISO must certify) - Annual security audit and stress test of incident recovery - No Cap in Health and Human Services fine authority - Provides financial help to small and safety net hospitals Press release: https://lnkd.in/gqRS_ZMD One page summary: https://lnkd.in/gQpszBrm For public companies today, the CFO and the CEO must certify the company's financial statements every quarter. This bill would have the CISO (and presumably the CEO) publicly certify its cybersecurity compliance annually. This step will allow the CISO to gain appropriate resources, take on proper accountability, and also receive much-needed protection for his/her job. Thank you to Joe Sullivan who brought this to my attention. Jim Higgins, Vitaly Gudanets, Kirsten Davies, Lakshmi Hanspal, Ariel Litvin, Confidence Staveley, Catherine A. Allen, Karissa A. Breen (KB), Jackie Bow, Gary Hayslip, Rinki Sethi, Matthew Rosenquist, Stephanie M. Shorter, PhD, Ross Haleliuk, Stephanie Domas, Heather Hinton, Chris Hughes, Tal Mozes
10 Comments
Explore collaborative articles
We’re unlocking community knowledge in a new way. Experts add insights directly into each article, started with the help of AI.
Explore MoreOthers named Matthew Smith in United States
-
Matthew Smith
-
Matthew Smith
-
Matthew Smith
Vice President of Forest Operations at Finite Carbon
-
Matthew Smith
-
Matthew Smith
9602 others named Matthew Smith in United States are on LinkedIn
See others named Matthew Smith