Ransomware targets endpoints creating new healthcare cybersecurity challenges

If the idea of ransomware only conjures up thoughts of email or malicious websites, a new wave of attacks might grab your attention—especially in light of ransomware’s role in healthcare cybersecurity.

According to Anomali, eCh0raix—a new strain of file-locking malware—reared its head in June 2019 and is standing out for one reason in particular: it’s targeting endpoints, specifically, QNAP network-attached storage (NAS) devices. The brute-force attacks on NAS devices have been a particularly attractive method for cybercriminals, because the storage devices house critical data and backups but often aren’t outfitted with proper security software.

What does all this mean? Mostly, that healthcare needs to evolve its malware prevention, and quickly.

Healthcare cybersecurity’s sordid past with ransomware

When you look at healthcare’s history with ransomware, the speed at which attacks are escalating is even more striking. Healthcare News IT reports that, before 2016, healthcare organizations weren’t a primary ransomware target. But that all changed with the Hollywood Presbyterian attack and subsequent media coverage. Now, ransomware is ranked as a “major information security threat” to the industry, as Healthcare News IT notes.

For example, in 2018, the attack on the medical billing company Wolverine Solutions Group left thousands of patients being warned that sensitive medical information had been breached, as TripWire reports. There were also the SamSam attacks that, according to Healthcare Dive, hit 67 organizations in 2018, with almost a quarter being in the healthcare vertical.

These are just two of the prolific examples that demonstrate a challenging new reality in healthcare. In 2018 alone, ransomware attacks tripled, with healthcare shouldering the brunt of the increase. The previous year’s Cylance Threat Report highlighted not only the rapid growth but also the ease of deployment of malware, especially for legacy security solutions that depend on signatures for detecting attacks and shortening their lifespan.

Endpoint protection at the center of malware prevention

If you breathed a sigh of relief earlier because you don’t deal with QNAP devices, you might be relaxing a little too early. This shift in threat vectors means that healthcare cybersecurity professionals need to expand the scope of their concerns.

Healthcare CMOs and their teams should want to know everything, including the security of endpoints such as NAS devices, printers, IoT devices, and your imaging suite.

While ransomware is commonly associated with emails disguised as trustworthy files, things have changed. To adapt to next-generation ransomware, you’ll need to take a new approach—one that’s mindful of endpoint protection. Keep these four tips in mind when you build your plan to tackle this new breed of threats:

1. Accept that healthcare is vulnerable.

Ransomware is a big business, and healthcare organizations make ideal targets. Estimates from the Beazley 2018 Breach Briefing show that 45 percent of ransomware attacks are aimed at healthcare organizations. Attackers know that lives are at stake and most organizations are likely to pay the ransom just to avoid any issues, especially if the amount is relatively low. All this adds up to a situation in which prevention is the best posture.

2. Segment networks.

Compartmentalize systems and data wherever you can do so without interrupting operations. By segmenting your networks, you’ll make it more difficult for ransomware to spread between systems. This is a basic step, but it can go a long way to improve your security posture.

3. Keep up with patches.

Make sure you’re patching known vulnerabilities in your applications and operating systems as soon as they’re discovered. In light of the new focus on endpoints, pay special attention to keeping endpoint anti-malware software updated. Advanced endpoints, such as smart, secure printers, offer automatic updates and self-monitoring, which makes this job easier.

4. Don’t forget backups.

If you haven’t revisited your backup regimen, now might be the time. Keeping multiple copies of patient and critical business data in diverse locations (offsite, in the cloud, and locally) increases your ability to restore systems post-incident. As an added bonus, this step also aids in supporting a HIPAA Security Rule–compliant contingency plan.

Stay alert and keep up with the times. Endpoint security awareness is becoming ever more important in the modern cybersecurity environment, so make a habit of checking in on tech news and developments as they emerge—it may just save your skin.

Staying secure as healthcare compliance risks rise

Some healthcare entities are breathing a slight sigh of relief at the DHHS decision to reduce the annual limit on civil penalties for HIPAA violations, but the cost of violating healthcare compliance has always been about more than fees. Hospitals spend 64 percent more on marketing and image repair after a data breach, and in some cases, the damage done to the organization’s reputation is irreparable.

Patients care about the security track records of their hospitals, and as consumers, they’re becoming much savvier, just as healthcare’s reliance on online platforms is exploding. An online world that was once limited to portals and email now includes smartphone apps, wearables, consumer data platforms, and the Internet of Medical Things (IoMT).

This shift may cause disruptions, but it also poses an opportunity for healthcare IT professionals, who are now positioned to be champions of PHI security and innovators who identify services and solutions to enhance patient relationships.

The new scope of PHI

Formally, under HIPAA, PHI includes any identifiable information connected to the health status of an individual in the past, present, or future that is handled by a HIPAA-covered entity in the course of healthcare services, payment for services, or use in operations.

The formal list of protected identifiers is almost twenty items long and includes names, geographical identifiers smaller than the state, non-year dates related directly to the individual, biometric identifiers, device identifiers, serial numbers, and email addresses.

This information is covered at the federal level under the HIPAA Privacy Rule, but for many organizations, this is just the beginning of their healthcare compliance concerns. Multiple states have enacted laws and policies that govern patient consent for the exchange of PHI and standards for the disclosure of mental health information. This interactive application from HIT.gov allows you to view a map that displays Health Information Exchange (HIE) consent policies, state-sponsored HIE consent policies, and additional laws by location.

New measures for modern healthcare compliance

We’re transitioning into an age of healthcare compliance where HIT professionals are tasked with managing the complexities of changes like HIEs, increased patient creation of and access to PHI, and growing cybersecurity threats. Rising to these challenges will require a new perspective on security and organizational protection.

Start with holistic frameworks that balance risk

PHI security is now a big-picture problem. This means that piecemeal approaches will leave your organization—and your patients—subject to unnecessary risk.

Organizations like The Health Information Trust Alliance (HITRUST) have created a framework designed to meet your organizational needs, allowing leaders to manage both risk and security. Perhaps most importantly, it joins multiple requirements and standards from the payment card industry, HIPAA, and the International Organization for Standardization (ISO) in an effort to improve organizational cybersecurity considerably.

Talk to your employees

A holistic framework is just the start. Your people are going to be major players in your efforts to maintain healthcare compliance and keep PHI safe.

The vast majority of healthcare breaches come from inside healthcare organizations, with insider attacks being responsible for 50 percent of 2018 breaches, a statistic that’s unique to healthcare, according to a Verizon analysis of more than 20 industries.

But it’s not just about internal malefactors. Phishing has become a preferred method for hackers. Last year’s Verizon report revealed that phishing and financial pretexting represented 93 percent of all breaches, and email was the main entry point, being involved in 96 percent of investigated incidents. If you haven’t already, consider launching a threat awareness campaign across your organization to account for this.

Customize your security strategy

Healthcare is finally picking up momentum in line with the transition into the digital era, but it still relies heavily on analog processes. For example, a full 90 percent of providers rely on paper and manual processes for collections.

While this might be a comfortable or even preferred method for your patients, it requires a secure, well-managed approach that enables your staff to secure the devices they use and focus on innovating within the scope of your organization’s core service to provide care that ensures the satisfaction and wellbeing of all patients. For example, consider partnering with a Managed Print Services (MPS) provider to offload some of the IT burden of printer maintenance, uptime, and security.

As healthcare compliance standards continue evolving to meet emerging risks and opportunities across the industry, smart healthcare IT professionals will stay on top of security management trends as a core element of their professional growth.

What we can learn from controversial government security practices

Government security is pretty serious business. And that’s really how it should be when it comes to protecting an entire nation from relentless terrors at home and abroad. However, things get a bit less cut and dried when the discussion turns to the digital realm. In the current climate, the topics of internet blacklisting and the line between protective tactics and harmful censorship remain contentious.

What’s internet blacklisting? It’s a bit like the parental restrictions you place on your Netflix account: You put those in place to protect your kids from content you deem unfit. Internet blacklisting is simply a government doing the same thing for its country’s citizens. But who’s to say what internet content is fit for adults who could otherwise make that decision for themselves? Therein lies the conflict between IT security and censorship.

Is there such a thing as too much security?

Blacklisting can seem like a good idea on its face, but its use has also opened the door to ethical debates. Forbes recently described the realities of this kind of government security and the greater implications it can have. The article uses as an example the case of New Zealand’s government blacklisting graphic video and sensitive details related to the Christchurch mosque shootings.

Despite the unquestionable horror of the attacks, citizens are divided on whether the blocking of such material is appropriate. Many have based their stances on the need for increased awareness around violence and hatred, immediate security concerns, respect for the victims, and fear of spreading what could become extremist propaganda.

There’s no doubt that some web content belongs on a blacklist—nobody should have access to dangerous sites that enable terrorist activity or facilitate the trafficking of drugs, weapons, and humans. But where do we draw the line? This is a tough question that should be distilled down into a few more approachable ones:

  • How can we ensure that bad actors don’t get unwarranted publicity?
  • How can we keep society appropriately informed?
  • How can we make sure that the government isn’t hiding its own corruption?

These questions are certainly worth considering, and while they don’t yield easy answers, they can inspire some insightful discussions if they are applied to your own IT environments.

What blacklisting arguments can teach us

Have you ever considered how government security issues like blacklisting could apply to your own organization? If you’ve ever had users visit dangerous or inappropriate websites and spread malware or cause a disruptive workplace scandal, you probably already have a pretty good understanding of why blacklisting is taking off.

You may be thinking, “But wait! Content filtering and blacklisting are two very different things.” In one practice, the government removes access to information it deems unsuitable for its citizens, and in the other, users are blocked from known malicious or inappropriate content—or even benign, time-wasting sites like social media.

Look closely, however, and you may find that they really aren’t that different. Both are instances of governing bodies attempting to protect their assets by limiting access. With that in mind, how can you keep your device security measures from crossing the line into oppression?

Step 1: Consider your motives

As an IT decision maker, your sensibilities are among the most critical checks and balances in this case. Every security decision you make should not only be run through the usual gauntlet of budget and integration considerations, but also a healthy degree of introspection.

“Why?” is the first question you should ask before you deploy any security measure. If you find that the answer boils down to anything outside your core mission values, you might be in danger of inhibiting the creative and productive freedom of your users.

Step 2: Seek outside perspective

The above advice is a great way to think about your IT security decisions during implementation, but what if your internal compass has gradually drifted off course? What you need is a team of people to provide outside perspectives on difficult security decisions.

Ideally, this team would be mostly comprised of folks with relatively little technical aptitude. The reasoning behind this is that your viewpoint as an IT professional is likely focused on the technology first. You need to balance this with viewpoints that center on how humans will actually interact with technology rather than how tech should work or what it can do for us. A panel sourced from all departments and levels of the company could grant some valuable insight into what access employees need to stay safe, productive, creative, and happy.

The emergence of internet blacklisting as a government security measure presents an opportunity to examine our own security practices and improve. To that end, strive to insulate your environment from short-sighted and potentially detrimental security decisions while still seeking to encourage and preserve a healthy workplace culture.

Patching Medical Device Cybersecurity Cracks at Private Practices

Medical device cybersecurity isn’t just a concern for massive hospital systems.

According to Becker’s Hospital Review, healthcare data breaches cost an alarming $6.2 billion annually—but the financial stakes for your own practice can be hard to perceive on that scale.

A low-level hacker weaseling their way into your reasonably-defended systems could easily end up costing over $100 in HIPAA fines per violated record. Even smaller practices stand to lose big, as breaches that affect over 500 patients within a given jurisdiction must be reported to the U.S. Department of Health and Human Services (HHS), the individuals affected, and even the media.

In terms of fines, you’ll be on the hook for anywhere from $25,000 up to $1.5 million, according to Healthcare Dive, depending on how neglectful HHS deems your conduct to be—and these figures don’t even factor in the cost of notifying state authorities or the damage to your reputation.

But what does all that have to do with electronic medical device security? Well, devices are prime launching points for attacks, and the new generation of entrepreneurial hackers is catching on. Why should they fight with heavily protected servers and laptops when connected medical devices are sitting right there, out in the open?

Devices such as glucose monitors or handheld ultrasounds are often connected directly to the same networks that house and process your most sensitive PHI, with many of them automatically collecting data and boosting the value of targeted files. This growing level of risk means that it’s time for healthcare to catch up, and for practice leaders to take action by patching unnecessary security gaps and vulnerabilities.

The current state of medical device protections

It’s no revelation that healthcare is years behind other industries in terms of cybersecurity protections, with some experts claiming as much as ten to fifteen years, according to The Telegraph. Still, that doesn’t mean that nothing is being done.

In response to the industry seeing more devices being shut down and causing major disruptions and treatment delays at hospitals, the Medical Device Cybersecurity Act of 2017 was created. This act aims to tackle the safety of confidential medical information of patients requiring medical devices and zeroes in on making the devices more resistant to hacking. It provides clear standards for medical device manufacturers to uphold in order to better counter these threats that, as HIPAA Journal predicts, are only going to become more common.

At the end of 2018, the FDA also announced a proposal to update cybersecurity recommendations for device manufacturers in light of this growing threat. The draft guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, provides recommendations on device design, labeling, and documentation to be included in premarket submissions for devices that carry cybersecurity risks.

Strengthening your medical device cybersecurity posture

Even with the FDA taking action on the front end, individual practices and healthcare IT professionals need to be ready with a device security strategy that keeps up with growing threats.

Assess vulnerabilities

Every practice has vulnerabilities around medical device cybersecurity, and they’re all unique. As the HHS notes, make sure you’re implementing recommended vulnerability management practices, including:

  • Scheduling and conducting vulnerability scans on servers and systems

  • Remediating flaws based on the severity of each identified vulnerability

  • Conducting web app scanning of internet-facing web servers

  • Conducting routine patching of security flaws in servers, third-party software, and applications (including web applications)

Be sure to include a focus on endpoints including laptops, tablets, and printers, which also offer opportunities for creative hackers. Most importantly, make sure you’re working with healthcare IT partners that can help you best secure your devices and networks.

Assemble your resources

Getting your strategy up to date doesn’t have to be daunting. Even in considering the relatively emergent field of medical device security, healthcare IT professionals have quite a few resources at their disposal, including the HHS Health Industry Cybersecurity Practices, which establishes best practices for the industry and can be a useful foundation for your own efforts.

The “Where do I fit?” section of this resource is especially useful as a starting point. It includes advice on selecting the best size tier for your organization based on factors such as HIE relationships, cybersecurity investment, and complexity. The process might seem straightforward, but multiple factors can influence where you fall.

Talk to manufacturers and vendors

Even with growing awareness and protections, no medical device manufacturer—which tends to have one highly focused core competency—is going to completely understand the role its product plays in creating or exacerbating security gaps at your organization.

Still, manufacturers and vendors should be open about device security and be able to address any questions you may have, such as those around FDA guidance, how their products will work in your environment, and their role if there’s a cybersecurity emergency.

Ultimately, you’re working toward building a healthy and resilient security posture that keeps your practice humming along with minimal risk. Closing security gaps today will pay off exponentially in the long term.

Next top model: why HP DaaS is turning IT heads industry-wide

From banking to health care, HP’s innovative new Device as a Service model is revolutionizing how enterprises deploy and manage hardware—saving money, streamlining and simplifying.

Empowering IT teams across industries

No IT team faces the exact same challenges, especially those in different industries. But what does unite them are concerns around security and device management.

According to Spiceworks’ 2019 State of IT Report, the need to upgrade outdated IT infrastructure is the biggest driver of budget increases in 2019. When they deconstructed hardware budgets, desktops, laptops, servers, and power and climate hardware topped the list. In fact, according to their recent study on the lifetime of tech in the workplace, desktops are the primary computing device in 68 percent of organizations, compared to only 29 percent of organizations using laptops and 1 percent using tablets as the primary device for employees.

This is where Device as a Service (DaaS) comes in. Choosing a partner like HP for DaaS gives you a one-stop solution to all your hardware and lifecycle services. By offloading the time-consuming tasks of device support, security, and lifecycle management, your team is freed up to focus on other priority projects that benefit your bottom line. On top of this, one price per device brings cost predictability and optimized cash flow, and fleet flexibility enables you to scale up or down to meet changing workforce needs.

DaaS has far-reaching benefits across all industries, simplifying IT and maximizing resources. Here we take a look at how it could optimize operations in the finance, health care and retail industries.

Supports banking and finance industry priorities

Facing the two-headed challenge of increased security demands from consumers and a call for more convenient products and services, a new approach to IT banking leadership is all but mandatory.

In EY’s “Global Banking Outlook 2018: Pivoting Toward an Innovation-Led Strategy,” 85 percent of banks named implementation of a digital transformation program a top priority. But financial institutions face legacy hurdles in transforming their internal processes. The EY report then goes on to identify the successful mix of elements required for internal transformation. “Leading organizations will seek internal simplification aggressively and increase their use of external utilities, platforms and managed services where possible.”

DaaS helps address these challenges by giving banking organizations room to boost their efficiency and free up IT resources to work on initiatives that benefit their customers. Opting for standardized devices also makes managing multiple operating systems easier and more secure. This way, banking organizations—from corporate to retail locations—can operate at their full potential without worrying about unmanaged devices or unsecured endpoints.

HP DaaS, in particular, aligns with the finance industry’s best practices for institutions in today’s security-conscious environment, including customizability, a customer-oriented focus, and the 24-hour, 7-days-a-week, 365-days-a-year availability that will be a requirement as the vertical continues to evolve. Specifically, HP DaaS can provide:

  • Predictable monthly costs and optimized cash flow – thanks to one price per device
  • Business continuity and asset protection
  • Visibility at the device level through proactive endpoint management services and actionable analytics, allowing IT to address device health concerns before they become larger issues
  • Greater IT support for remote and branch offices, without needing an IT person on-site at all times
  • Automation of software downloads and updates across devices from a single control unit, which can improve internal productivity and end user experience
  • Flexibility through simple adjustable plans that scale up or down to meet your changing IT environment and workforce

Assists with health care regulatory requirements

Of all the DaaS industries, health care might face the most unique challenges. Its leadership is on an eternal quest to lessen the impact on IT and optimize infrastructure, even as demands for quality patient outcomes and technology grow. This leaves IT staff facing device-based challenges that directly impact patient well-being, data security, and finance. The recent Legacy Applications: A Healthcare Cybersecurity Nightmare report states that health care is now the new frontier of cybercrime. The report reveals that, due to legacy devices, 90% of hospitals currently have to keep old applications running to preserve data when an application is replaced or retired, leaving them open to exploits and attacks.

Health care organizations clearly require enterprise-class, multi-layered security solutions – but it’s not an easy problem to solve. They have to avoid overspending on device management while controlling an increasingly complex device infrastructure that comprises clinical devices, IoT technology, and expanding geographic locations owing to telemedicine innovation.

With its proactive endpoint management services and analytics—as well as enterprise-class security that covers everything from malware protection to policy violation—DaaS offers the flexible security solutions the health care industry needs. This is on top of simplified budgeting, predictable expenses, and infrastructure solutions that can be customized for any facility or organization’s demands.

Health care IT teams can move on to more strategic priorities by handling management of security policies and enforcement while taking advantage of automatic parts replacement and remote help.

HP also provides a more efficient way to manage and monitor health care device fleets, so end users can enjoy more uptime—and more reliable access to the devices and information they need to help care for patients. For instance, DaaS can support the mobile devices needed to check in patients, verify forms, and update patient information. And if your hospital systems merge together with another organization’s fleet, DaaS can flex up or down according to your new device needs.

Releases the pressure on retail IT leaders

Consumer demand is probably the highest in retail. According to ZDNet, digital transformation is affecting all aspects of our lives, but the retail sector is experiencing particularly severe turbulence at the moment. Today’s retail associates are often expected to be high-tech hubs, with immediate access to the latest information, ranging from consumer buying preferences to recent purchases and online shopping histories. Between these demands and the need for a seamless mobile payment user experience, the pressure on retail IT leaders is rising to keep both devices and infrastructure up to date while also giving associates and staff the options to optimize their effectiveness and consumer interaction.

For instance, consider when your point-of-sale system goes down in the world of retail: money immediately starts going with it. DaaS helps retail IT leadership stay on top by ensuring the right devices for every job and also delivers the uptime and scalability that today’s agile retail organization needs. Specifically, a solution like HP DaaS can offer retail:

  • Quick deployment with easy transition from old systems to new, updated solutions
  • Maximum system uptime supported by HP’s 60,000 installation locations, which enable simple and immediate on-site attention for repairs and replacement
  • Round-the-clock access to HP Service Agents
  • Proactive endpoint management services and analytics that identify issues before they occur
  • Better device lifecycle management that releases your IT department from the “wait until it breaks” mentality

Whatever the industry, HP has broad standard service capabilities across the globe that align to organizations with large geographic footprints. This presence upholds a support model based on your location and end user site population, so troubleshooting is efficient, effective, and easy for you and your staff. Across all industries, SLAs are tailored to your vertical’s best practices, bringing you smart, simplified computing that supports a forward-thinking IT strategy.

As the number of devices to manage continues to rise, the workforce becomes more mobile and cybercrime grows more sophisticated, there has never been a better time to offload your device management and jump on board with DaaS. Whatever your organization, whatever your industry, you and your enterprise could reap some truly transformative rewards.

For more information on how HP DaaS can make your organization more efficient, save you money, improve the employee experience and free up IT resources—whatever your industry—watch this video or get in touch with us today.

Practical tips for building an IT strategy from the ground up

The modern CIO or CTO role is evolving quickly, and it is now more crucial than ever to create an IT strategy that enables your team to keep up with the breakneck pace of digital transformation—and starting out is often the hardest part. Whether you’re a new CIO looking to get your house in order or a seasoned vet whose organization has recently outgrown your ability to forge an IT path as you go, you may find value in these practical tips for CIOs on building an IT strategy from the ground up.

1. Set goals for your IT strategy

Every IT strategy begins with a vision. Depending on your organization’s level of digital maturity, the industry in which it operates, and the unique business model it is pursuing, you will want to prioritize specific goals in the near and long term. Doing so can enhance the effectiveness of your IT strategy and help to ensure its alignment with the outcome you aim to achieve. With this in mind, consider creating a combination of short and long-term goals and tracking your progress against the goals over time.

For example, do you want to create greater agility within your team through IT automation? Then you may want to define this as a strategic goal and then outline ways of achieving that goal. One method could be to use AI-powered solutions to button up print security and other commonly overlooked aspects of endpoint security. If you’re concerned about the IT skills crunch affecting your IT team’s ability to deliver on its priorities, then you’ll want to set a goal related to overcoming that obstacle with effective professional development and recruitment strategies to match.

2. Conduct an IT audit

You must also conduct a comprehensive assessment of your environment before you can begin to build an IT strategy in earnest. With that in mind, it’s wise to perform a full IT audit of your current IT environment that spans everything from on-premises infrastructure to cloud services. An IT audit is admittedly not the most glamorous of tasks, but you will absolutely need one to confirm that you’re correctly prioritizing your IT initiatives.

An IT audit can highlight security vulnerabilities lurking in legacy systems like unpatched printers that hackers could exploit to gain entry into your network, potentially opening the door to a devastating data breach. Depending on your industry, you may be required to adopt a specific security framework, such as ISO 27001, that involves a regular security audit for purposes of demonstrating compliance. Even businesses that are not required to obtain certification will find that doing so can give them a competitive advantage over companies that have not, as it can increase customer confidence substantially.

Once you have completed an IT audit, you can create an action plan that identifies the chief security gaps in your environment and maps out a series of steps for addressing them on a reasonable timeline. With this plan established, you can focus on more exciting IT priorities like digital transformation initiatives.

3. Tap the power of IT analytics

Just as an IT audit can give you a better handle on what’s going on in your environment, IT analytics can point the way toward optimizing it. You can use analytics to manage aspects of the IT environment better, from power consumption to bandwidth tracking to software version control. If you’ve been frustrated because your team has been stuck firefighting unplanned system downtime when it could be making serious progress on innovative advancements for the company, then you may want to take advantage of predictive analytics that can forecast outages and help you plan for future infrastructure investments.

CIOs may enjoy a rare win-win with analytics insights, as they can enable greater capacity within the IT team to take on higher-level strategic priorities and develop a data-backed, numbers-driven IT strategy. As CIO Magazine notes, businesses are already using predictive analytics for everything from enhancing the customer experience to fraud prevention. Some intrepid IT leaders are even fighting back against hackers using predictive analytics—and there is no better time for IT to develop internal proficiency in this mission-critical capability.

The CIO role is only growing more complex, and building an IT strategy is becoming steadily more essential to success. With these tips for CIOs in hand, you can successfully kick off the big picture strategic planning that meaningfully advances your IT priorities.

How Hospitals Are Crushing Healthcare Sustainability

Healthcare isn’t exactly known to be the most environmentally conscious industry, but some hospitals are taking the healthcare sustainability game to a new level.

Take Ohio’s Miami Valley hospital for example, which recently earned the EPA’s ENERGY STAR certification for superior energy performance. To win this distinction, certified buildings have to perform in the top 25 percent of buildings nationwide.

Building a sustainable brand

In the age of healthcare consumerism, certifications like these are more than just awards—especially for hospitals and health systems looking for new ways to win over challenging demographics and increase patient lifetime value. Just take a look at these statistics:

  • 68% of millennials have purchased a product with a social or environmental benefit in 2018

  • 87% of consumers have a more positive image of a company that supports social or environmental issues

  • 88% of those same consumers will be more loyal to a company that supports social or environmental issues

  • 92% will be more likely to trust a company that supports social or environmental causes

Healthcare sustainability initiatives can be powerful tools in building a brand that keeps up with patient values and solves pressing challenges. Still, branding is just the tip of the iceberg.

Hospitals struggling to get the most out of every dollar stand to see real benefits from investing in healthcare sustainability. Electric Energy Online has stated that a modest 50-bed, 200,000-square-foot medical facility spends nearly $700,000 per year on energy costs alone, and even small changes have the potential to make a significant impact on an organization’s bottom line.

Getting in front of the healthcare sustainability wave

Ensuring progress toward real healthcare and office sustainability requires a plan that will help you optimize your investments in sustainability initiatives and technology. The U.S. Department of Energy’s Better Buildings Initiative offers useful resources to help you along a more sustainable path. Such resources may be helpful as you take on the following tasks:

  • Assessing the current energy performance of your facilities and creating savings goals

  • Developing energy-saving solutions tailored to your organization’s needs

  • Constructing a business case to help win executive buy-in

Practical tips

In many ways, sustainability looks the same in healthcare as it does in other industries, but there are a few particular pieces of advice to keep in mind as you develop your initiatives.

Reduce heat gain

Focusing on lowering heat gain can lead to lower cooling costs, which constitute a significant expense for hospitals, especially those located in warmer climates. This initiative may involve enacting common office sustainability measures like lighting evaluations, supplemental load reductions, upgrades to your air handling system, and retro-commissioning your operations.

Look for complex energy waste

Cooling and heating your facility to account for weather can be a big expense, and sneaky factors like body heat, running computers, and other technology can strain air conditioning systems as well, especially in buildings like hospitals where temperature control is a matter of health and safety.

Keep things current

Environmentally conscious manufacturers are mindful of sustainable impact and are continually producing equipment models that can enhance your progress toward sustainability. For example, newer models of power-intensive devices like MRI and CT scanners use far less energy and operate with greater speed than older models. Small, portable solutions like handheld ultrasound machines can provide portability and accuracy and produce very little heat compared to traditional models.

Keep up with the green hospital movement

Modern hospitals are incorporating sustainability concepts from the ground up. Their designers are building the infrastructure to operate efficiently and sustainably, even with limited budgetary resources. Many are pushing sustainability standards to new levels. Kaiser Permanente, for example, has a target of becoming carbon neutral by 2020 and ‘carbon net positive’ by 2025. Even if you aren’t launching any new building projects, keeping pace with the direction of green hospitals can be a source of ongoing inspiration.

For most hospitals, sustainable IT and operations require shifts in perspective, purchasing practices, and even workplace culture. Ensure that you connect with resources like ENERGY STAR Score for Hospitals and the Better Buildings Alliance to give your sustainability initiatives the best chance for success.

Keeping your IT career out of jeopardy through digital upskilling

When it comes to the IT world, the meaning of the term “security” can vary. On one hand, you’ve got the most obvious sense: technology security—the management of which has quickly become one of the most important aspects of being a CIO or IT manager. On the other hand, there’s job security.

In a fluctuating tech market, new threats to your value as an employee are springing up every day. If you’ve ever felt a sense that you should take up some professional development opportunities, read on for a few tips on digital upskilling that will help you stay a step ahead of the competition in a field where continuous learning and adapting are essential.

What’s putting your job at risk?

Assuming you don’t make a habit of showing up to work in your pajamas at 11 AM, threats to your job as an IT professional can be classified into one of two types: internal and external.

Internal threats are probably the easier of the two to spot. These could come in the form of fresh talent—that hot-shot new hire with a shiny new, ultra-specific tech degree that didn’t even exist back when you were in college. Perhaps you’ve already seen a changing of the guard taking place in your office. If you haven’t, it’s only a matter of time.

External threats to your career are likely coming from less organic sources—think new technology with the ability to do certain aspects of your job with inhuman speed and efficiency. Automation ring a bell? Maybe IoT? Sure, these fancy configurations of silicon might never be able to single-handedly do your job, but you’re probably already watching them erode it one task at a time.

Don’t feel down, though. The simple fact of the matter is that there will always be someone or something younger and newer than you waiting in the wings. And you know what? That’s okay, because everyone is either in the same boat or will be in a few short years.

Staying valuable

What you need to prevent a pink slip is the opportunity to remind your employer why they hired you in the first place. Chances are good that it had something to do with intelligence, personality, and discipline. The great thing about those qualities is that no amount of new grads or trendy silicon can take them away. Here’s how you can put these traits to use:

Flex your industry knowledge and stay hungry for more

When it comes to knowledge, you may be at a slight disadvantage compared to those who are fresh out of a formal CISO education. With that said, you’ve got one distinct advantage: industry experience. You’ve already got your finger on the proverbial pulse of your industry, and all that’s needed is a little sharpening of the sword, so to speak.

Combine your industry knowledge with digital upskilling initiatives within your organization to continue innovating and proving your exceptional worth. Turn the tide on impending job takeover from new technologies by leveraging that tech in creative ways. Spearheading the deployment of new connected tech like smart lights and thermostats, secure printers, or other devices with embedded security can impress and free up your time to pursue new areas of education.

Stay personable and approachable

The personality side of this is easy. Keep being the flexible, approachable, and humble person that first interested your hiring team. Everyone loves to have a friend in IT who can ward off their tech gremlins, so beware the “us versus them” mentality when it comes to the non-technical people at your office. They really do appreciate your assistance.

Be ready to impart your years of experience and knowledge to those who are open to receiving it—hot-shot new hires included. Extending an olive branch can foster an environment of continuous learning, and you may even pick up a thing or two from them. A little kindness can go a long way in today’s business world; just ask Mark Cuban.

Focus on business needs

Finally, be disciplined in your professional approach to tech in business. It’s easy to become distracted if you try to “keep up with the Joneses,” but you know the areas in which you excel and the ones in which you face difficulties. Don’t be afraid to reach out to experts who offer device as a service (DaaS) assistance when you need a little extra help. You might even be applauded for streamlining document workflow throughout your organization.

Keep in mind, too, that despite the edge others might have on you when it comes to the newest innovations, you know the people, culture, successes, and failures of the company, so try to make yourself as much of a business consultant as a tech consultant to those above and around you. Consider letting the new guy handle the buttons and switches while you make your digital upskilling efforts manifest by stepping into a more managerial role and determining the mission and strategy of IT at a higher level. Keep your focus on tasks within your wheelhouse; you’ll be adding more with your continuous learning anyway!

Remember that in this industry, complacency kills. Stay on your toes and put these tips for staying relevant in an ever-changing IT landscape to good use.

An IT Manager’s Guide: Cryptojacking, the Threat to Business and How to Protect the Network

While Bitcoin took a bit of a beating in August 2018, it did little to dampen interest in the obviously volatile cryptocurrency market. Bitcoin lost 20 percent of its value in just two weeks in August, according to some reports, and yet there appears to be substantial optimism in the currency. According to one report, there were 96 new crypto hedge funds launched in the first seven months of 2018 and when the Turkish Lira plummeted 20 percent in August 2018, there was a surge in Bitcoin trading. Cryptocurrency is clearly here to stay and while that may whet the appetite of brave investors, it’s also a magnet for crime.

Unsurprisingly perhaps, hackers are targeting cryptocurrency exchanges but what many businesses and individuals may not realize is that there is serious money to be made in actually performing admin functions for the currencies themselves. Called cryptomining, it can be big business. Some reports have suggested that profits from mining have hit over $4 billion between 2017 and 2018. It is an industry in itself that has spawned a range of applications dedicated to the process.

What is cryptojacking?

Cryptojacking is a form of cyberattack in which a hacker hijacks a target’s processing power in order to mine cryptocurrency. Anyone who mines successfully receives cryptocurrency as a reward. The current reward is 12.5 bitcoins, which has an approximate value of $100,000 and can be used to buy flights and hotels through Expedia and games and apps through Microsoft, download music and even buy gold.

Not everyone who tries to mine cryptocurrency will actually get this reward, however, because not everyone can successfully mine bitcoin. Mining is essentially verifying bitcoin transactions, such as a bitcoin trade or where someone has used bitcoin to purchase a product or service. Every transaction needs verifying and writing to the blockchain. How this is achieved is complex but in simple terms, it’s a guessing game.

Mining software ‘reads’ the transaction on the network and then guesses the number required to write it to the block. A multitude of cryptominers will be trying to achieve this at the same time. The more computing power, memory and storage you have, the more likely you are to succeed. This need for computing power can be expensive, but by infecting popular web sites and computers, hackers can essentially bypass this problem and mine cryptocurrency for free. The effects of this can range from minor nuisances, such as a slower internet browsing experience, to grinding networks to a halt.

Essentially this means pretty much anyone can do it and get rewarded with cryptocurrency for their efforts. For serious money making, it’s a volume game but that would demand considerable resources too. You need computing power and that comes at a cost and then there is the electricity. If you are running servers 24/7 those bills are going to be big.

“Computing power is expensive and also uses a lot of electricity which in turn ends up costing a miner a chunk of their profits, so how can an attacker make money and not have to pay any fees?” asked Alex Archondakis, a member of the BCS Internet Specialist Group. “The answer is cryptojacking, which involves embedding malware into popular sites that get thousands of visitors per day. The infected computers of those browsing the sites will silently mine cryptocurrencies without the user’s knowledge and deposit the earnings into the attacker controlled, anonymous wallet. No costs for hardware, no costs for electricity and the malware can often go undetected for long periods of time.”

In April 2018 the UK’s National Cyber Security Centre reported that cryptojacking is one of the biggest cyber threats facing businesses today. Just a few weeks earlier, the UK’s Information Commissioner’s Office (ICO), Manchester City Council, the US Government Courts website and some UK NHS sites were all hit with a compromised version of the Texthelp plugin Browsealoud. Reports revealed that the plugin was actually injecting Coinhive’s cryptominer onto the sites, using JavaScript code to steal computing power for creating the cryptocurrency Monero.

It’s far from an isolated incident. In May 2018, a study by The Conversation in the US found 212 websites involved in cryptojacking. Ads it seems are the most common point of entry. According to Trend Micro, the company saw a 108 percent increase in unique web miner detections from March 24 to 25 (2018) – “a significant jump that showed the effectiveness of the compromised advertising platform,” it said.

And the boom shows no signs of slowing down. Cryptomining malware soared by 4000% in 2018, McAfee found, while Symantec reported having blocked almost 5 million coin mining events in July 2018 alone.

It’s not just websites that are being hacked either. There are instances of more intrusive mining. “Cryptojacking is a rising threat to cyber and personal security,” said Mike Fey, president and COO, Symantec in a statement in March 2018. “The massive profit incentive puts people, devices and organizations at risk of unauthorized coin miners siphoning resources from their systems, further motivating criminals to infiltrate everything from home PCs to giant data centers.”

Fey was alluding to the growing trend of hijacking cloud-based networks in particular and he has a point. In February 2018, hackers used Tesla’s public cloud network to mine cryptocurrency and in March 2018, GitHub was used to host cryptocurrency mining malware. In fact, 25 percent of organizations have experienced cryptojacking activity within their cloud environments in 2018, according to a recent RedLock report.

What is the risk to business?

There are some fundamental risks to cryptojacking. Think of it in the same terms as botnets. For one, it forces victims to waste energy. Digiconomist reports that the electricity consumed for a single bitcoin transaction could power 15 US households for a day. If you multiply this by the number of machines in a business or a data center, you can start to get an idea of how much energy is being used and how much this could cost a business in electricity alone. In fact, according to research at PwC, bitcoin miners consumed as much energy in 2018 as Hungary.

There is also the additional issue of network performance impairment. Cryptojacking is basically stealing your processing power, leading to spikes in load. Inevitably, this means that everything else on the network will run slowly or not at all. For most businesses, this is a disastrous scenario. As Mursch pointed out in his blog, “cybercriminals look to enslave as many devices as possible to maximize their profits. This is why you need operational awareness on how your resources are being consumed.”

According to Fabian Libeau, EMEA VP at RiskIQ, “it’s the soft underbelly, the forgotten assets that attackers are looking for,” he said in a report in July 2018. “We found a global bank with two or three [obscure] servers in the Netherlands that nobody really looked into, but they were mining in the background.”

This indicates that cryptojacking is in fact highlighting site and network vulnerabilities to other attacks. Libeau went on to say that it’s a privacy issue but also shows a lack of visibility of business networks and resources. “There’s a whole bunch of stuff that people internally never see because it’s not sitting on the site, it’s called dynamically from third-party servers,” he said. “The world looks like a different place when we take the attacker’s point of view and look in from the outside.”

Securing devices

What can companies do about it?

Awareness of the issue is essential. As with most security threats, an understanding of how it operates will help determine next steps. Here we have outlined seven key actions to help prevent cryptojackers taking over your network.

1) Implement the basics – keep software up to date with the latest operating system and hardware patches. Keep security applications up to date and measure usage across the organization. It’s about prevention as much as detection.

2) Make training a priority – add cryptojacking to security awareness training and policies – this should help with ensuring any bring your own device (BYOD) policies do not lead to intentional or inadvertent ‘infection’ of the company network resources. Awareness is everything.

3) Use an adblocker – the NCSC recommends using an adblocker, or anti-virus program with the capacity to block browser mining. Adblockers offer the most accessible and cost-effective solutions to businesses. Users of ad blockers can also employ features to block cryptomining scripts that reside on certain websites (and aren’t embedded in ads).

4) Block destructive domains – insider threats are a potential problem, particularly given the ability to make money. Security researcher Troy Mursch recommends “blocking known domains and IP addresses tied to illicit cryptomining. A frequently updated list of these domains is available via the open source CoinBlockerLists.”

5) Manage your devices – ensure the business has the latest devices with up-to-date software and state-of-the-art device-level protection. This can include hardware-enforced self-healing, fingerprint readers, features that only allow the viewer to read the screen and fully containerized browsing. Asset management is essential to keep track of the complete hardware inventory.

6) Assess third-party code – “Make a risk-based decision on including third-party JavaScript in your site,” says the NCSC. This will vary depending on the size of the website you manage and who is supplying the code. Consider whether the code you are including could compromise your users, and balance this against the risk of this happening for your site.

7) Host JavaScript locally – the NCSC also says if it’s practical to do so, consider hosting the JavaScript locally on your own server rather than linking to code hosted elsewhere. This means changes to the libraries require access to your server, although this will mean you will need to install security patches yourself.
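As an added illustration of actions 4, 6 and 7 (not code from the NCSC, CoinBlockerLists or the original article), the Python example below inventories the scripts a page loads, separates locally hosted code from third-party code, and flags script hosts that appear on a mining-domain blocklist. The page markup, the blocklist entries and every `.example` host name are constructed, and the hosts-file layout of the list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data (reserved .example names, not real indicators).
SAMPLE_BLOCKLIST = """\
# hosts-file style entries
0.0.0.0 miner.example
0.0.0.0 cdn.coin-pool.example
# plain-domain style entry
pool.mining.example
"""

SAMPLE_PAGE = """\
<html><head>
<script src="/static/app.js"></script>
<script src="https://www.hospital.example/js/forms.js"></script>
<script src="//widgets.accessibility.example/reader.js"></script>
<script src="https://WS.Miner.Example/lib/m.min.js"></script>
<script>console.log("inline script, no src");</script>
</head><body></body></html>
"""


def parse_blocklist(text):
    """Return a set of lower-cased domains from hosts-style or plain-domain lines."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # hosts format is "<ip> <domain>"; plain format is just "<domain>".
        domains.add(line.split()[-1].lower().rstrip("."))
    return domains


def is_blocked(host, blocklist):
    """True if the host, or any parent domain of it, is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> element that has one."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def audit_page(html, page_url, blocklist):
    """Classify each external script as 'local', 'third-party' or 'blocked'."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host URLs
        host = urlsplit(absolute).hostname or ""  # hostname is lower-cased
        if is_blocked(host, blocklist):
            status = "blocked"
        elif host == page_host:
            status = "local"
        else:
            status = "third-party"
        findings.append((status, host, absolute))
    return findings


if __name__ == "__main__":
    blocklist = parse_blocklist(SAMPLE_BLOCKLIST)
    page_url = "https://www.hospital.example/patients/index.html"  # hypothetical
    for status, host, url in audit_page(SAMPLE_PAGE, page_url, blocklist):
        print(f"{status:12} {host:32} {url}")
```

Every "third-party" row is a script whose content someone outside your organization can change, which is the risk-based decision action 6 asks for; a "blocked" row warrants immediate investigation of how the tag got onto the page.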

For most people, just browsing away from infected websites may be enough to stop the cryptojacking process but IT managers need to be aware of all the possibilities. We are still at the start of the curve on this, and as the reports have all suggested, cryptojacking is a growing problem.

Staying one step ahead will always be a better policy than reacting to infection. Proactive measures across all security threats are increasingly essential and cryptojacking is no different. This is not going to go away either. As long as there are significant rewards for mining cryptocurrency, the hackers will find clever ways to get around the security measures. If IT managers and users recognize the tell-tale signs, at least the problem is less likely to go undetected.

As more business networks shift towards the cloud, cryptojacking could become an even greater threat to network and device stability. It’s essential that IT managers act now to put measures in place to secure devices and educate organizations of the growing threat.

As Stan Gibson, technical writer at security firm Symantec pointed out in a blog, cryptojacking is here to stay. “Annoyance or Crime? It’s both but either way, don’t expect the phenomenon to disappear quietly into the night.”

Managing your devices can help deter jackers

HP Device as a Service (DaaS) delivers a modern service model that simplifies how organizations source, support, and manage IT with insightful analytics and reports from HP TechPulse. With DaaS, HP partners with customers to increase user productivity, operational efficiency, and cost predictability. The model is transformative in nature, enabling increased and centralized security that’s much easier to keep up to date. As regulations change or threats increase, devices can be easily kept current with patch management, to meet requirements.

While helping to manage volatility and fast-changing business needs, HP Proactive Security Service enhances secure management capabilities with real-time malware protection through isolation technology, security and threat analytics and specialized expertise. With support from Service Experts, security positions are strengthened, and attacks are anticipated – preventing a negative impact on business.* **

Plus, HP Service Experts can enforce security policies for your Windows, Android or Apple devices. With HP TechPulse, Service Experts can implement these policies and help protect data if devices are lost or stolen, as well as getting a holistic view of device protection status and detailed findings on attempted and blocked attacks. For further device protection, consider HP Elite products, the world’s most secure and manageable PCs.*

It’s about being proactive to identify and mitigate issues, optimizing and securing your multi-OS devices before they are subjected to threats.

*System requirements for HP DaaS Proactive Security are: multi-vendor client devices running Windows 10 1703 or later with a minimum of 8 GB memory and 6 GB of free hard disk space to install the software client. HP DaaS Proactive Security requires HP TechPulse, which is included in any HP DaaS or HP DaaS Proactive Management plan. The HP DaaS Proactive Security Enhanced plan requires customers to be enrolled in an Enhanced or Premium HP DaaS or HP DaaS Proactive Management plan.
**HP Sure Click Advanced technology is included with HP DaaS Proactive Security and requires Windows 10. Microsoft Internet Explorer, Google Chrome™, and Chromium™ are supported. Supported attachments include Microsoft Office (Word, Excel, PowerPoint) and PDF files, when Microsoft Office or Adobe® Acrobat are installed.

***Based on HP’s unique and comprehensive security capabilities at no additional cost and HP Manageability Integration Kit’s management of every aspect of a PC including hardware, BIOS and software management using Microsoft System Center Configuration Manager among vendors with >1M unit annual sales as of November 2016 on HP Elite PCs with 7th Gen and higher Intel® Core® Processors, Intel® integrated graphics, and Intel® WLAN, and on HP Workstations with 7th Gen and higher Intel® Core™ Processors as of January 2017.

The 10 biggest hacking trends of 2019 so far may surprise you

2019 is shaping up to be the most challenging year ever for cybersecurity.

There were 1,903 publicly disclosed breaches and 1.9 billion exposed records in Q1 alone, according to RiskBased Security. A company’s chances of getting hacked are greater than ever, and the wolves are constantly reinventing. Fortunately, digging into the latest research on 2019 data breaches can reveal some surprising—and some not-so-surprising—patterns of cybersecurity risks.

10 hacking trends dominating 2019

1. Hackers love misconfigurations

Misconfigurations were linked to 43 percent of data breaches analyzed by X-Force. That’s 990 million records lost via human error, resulting in unsecured cloud databases, open device ports, and exposed backups.

2. We’re still talking about phishing

29 percent of cybersecurity attacks used phishing, according to X-Force. Nearly half of the latest phishing attacks involve hackers compromising business emails or engaging in whaling scams.

3. Coin-mining malware matures

Cryptojacking attacks grew a staggering 450 percent last year, according to Proofpoint. Professionals should be concerned about infected devices because the risks associated with crypto-malware go beyond the theft of computing resources—when threat actors infect a PC or mobile device, they could gain access to your network and mine Bitcoin or other cryptocurrencies on your devices.

4. Extortion is the new ransomware

Ransomware comprised just 1 percent of malicious emails in Q4 2018, per Proofpoint. This tactic has been replaced by credential theft, downloaders, and infected attachments. There has also been a remarkable increase in direct attempts to blackmail executives.

5. Passwords are going missing

Nearly three-quarters of the records lost in Q1 2019 included email addresses and passwords, per RiskBased Security. 10 percent contained credit card or social security numbers. Stolen passwords can also be used in extortion attempts, so think twice about sharing and reusing your credentials in 2019.

6. Everyone has endpoint device security vulnerabilities

Two massive computer chip hardware vulnerabilities called Meltdown and Spectre were discovered in late 2018. This discovery revealed that virtually every computer chip manufactured since 2000 was vulnerable to side-channel attack. It’s officially time to do an endpoint device security assessment, patch your hardware, and update your office equipment vendors if necessary.

7. Malicious domains proliferate

An average of 10 million DNS requests to malicious sites are blocked each day, according to X-Force. A significant percentage of blocked domains attempt to distribute malware via DNS request, and hackers generally solicit the necessary clicks via spam email.

8. RATs are everywhere

Remote Access Trojans are having a moment of prominence. In Q4 2018, RATs comprised 8 percent of the malicious payloads analyzed by ProofPoint. From a hacker’s perspective, RATs are a versatile way to get almost anything done, including gaining total control over endpoints and exfiltrating all your data.

9. Smishing leads to malware

Android malware called TimpDoor soared to prominence in early 2019. When an attack commences, users are generally prompted to download a malicious app via SMS phishing, or “smishing,” according to McAfee. These apps install a nearly invisible backdoor that gives hackers covert access to corporate and home networks.

10. Most incidents are tiny

72 percent of security incidents in Q1 2019 involved the loss of just 1-10,000 records, RiskBased Security notes. Instances where physical devices are tampered with or emails are compromised are most often linked to smaller breaches.

What to do now

Before looking forward, let’s take a second to review some action items to help address 2019 hacking:

  • Patch or upgrade your hardware for endpoint device security
  • Consider your passwords leaked; it’s time to explore smarter authentication
  • Network segregation and detection can help you trap RATs and cryptojackers
  • It’s officially time to assess your network configurations and endpoint vulnerabilities

What’s next?

Hacking trends are tricky to predict, as evidenced by the rapid death of ransomware last year. With that said, there are a few ways you can innovate faster than hackers and respond to emerging threats in 2019 and beyond.

Endpoint protection starts now

Hardware vulnerabilities are everywhere, your attack surface is expanding, and recent regulations have made securing your systems even harder. Organizations that are subject to the GDPR are required to seek work council approval for endpoint protection tools after a breach, which means hackers can keep harvesting data in the meantime. Regardless of your compliance obligations, the time to address device vulnerabilities is before data loss.

Assume human error

Hackers know that people can be vulnerable, and they’re going to continue targeting the weakest link in your network. You can expect sophisticated social engineering and whaling attacks as well as less-sophisticated blackmail attempts. Some of your users may click on spammy attachments, even after tons of training. You should keep promoting awareness, but you also need to go further. Invest in smarter spam filters and devices that can quarantine and eliminate threats before they infect your network.

Visibility is a security advantage

The number of misconfigured endpoints is on the rise, and hackers love it when you make their job easy with an unsecured cloud database or printers protected with a password like “admin.” The solution here is increasing your visibility around your systems with management tools that enable you to understand risks across multiple cloud environments and multi-vendor printers.