The CyberPHIx: Meditology Services Podcast

Join us for this episode of The CyberPHIx podcast, where we hear from Morgan Hague.  

Morgan is the manager of IT Risk Management at Meditology Services and has been in the industry for nearly a decade. He has worked with hundreds of organizations in an advisory capacity helping to assess or audit security functions to drive program maturity. He also leads Meditology’s strategic risk management consulting service line and is a subject matter expert in threat mitigation and risk program development. 

Topics covered in this session include:  

• A deep dive into the emerging use cases for AI in the healthcare setting
• The risks related to AI that defenders need to be aware of and how real and relevant those risks are in the current state
• Data Poisoning, Input Manipulation, Membership Reference & Model Inversion
• AI-driven attacks and human security risks
• Privacy concerns with the use of AI
• New regulations coming online that directly affect the use of AI
• Controls we should be considering for AI
• Frameworks that already exist to help us understand the control options
• And some practical tips on where to get started 

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month: 

• The Changes to HHS 405(d) HICP publication on the top 5 threats and top 10 security practices for healthcare 

• The NIST Cyber Security Framework 2.0 Discussion Draft  

• The riskiest connected medical devices and IoT (including nurse call, infusion pumps, and IP cameras) 

• Some free security awareness resources for clinicians from Health Sector Coordinating  

• Moody’s report on healthcare lagging behind other industries in implementing cybersecurity practices 

• OCR regulatory focus on pixel tracking technologies on HIPAA-Covered-Entity websites 

• Some fascinating numbers on the increase in lawsuits after breaches and ransomware payment averages 

• A new ally for security leaders in the Chief Supply Chain Officer (CSCO) 

• And Apple’s new Rapid Security Response updates for iOS, iPadOS, and macOS 

Join us for this episode of The CyberPHIx podcast where we hear from Ryan Patrick, Vice President of Adoption at HITRUST.  

Ryan works with clients to understand and implement the HITRUST-validated assessments that best suit their organization’s risk profile. Prior to this role, he spent many years as a security practitioner and IT lead in a wide range of organizations from the US Army to Covered Entities to healthcare cybersecurity consulting firms. He has a wealth of practical security experience that informs every discussion about security or HITRUST.  

Topics covered in this session include:  

• The new HITRUST v11 and what it means for organizations who are considering the HITRUST journey
• HITRUST’s traversable levels of assurance from e1 to i1 to r2
• A newly created threat adaptive control selection process they use
• How broken and unsustainable TPRM (Third Party Risk Management) is today
• How HITRUST services fit into the third-party risk landscape
• A discussion about the new Health Third Party Trust (H3PT) council and what that group is trying to do to solve TPRM
• An invitation to meet either of us in person at HIMSS in Chicago April 17 – 21
• And a cool update on HITRUST’s Results Distribution System (RDS) and the automation opportunities it will provide 

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

Our host Britton Burton spends this entire episode reviewing and analyzing the recently released National Cybersecurity Strategy, including: 

• Summarizing, and in some cases quoting, the key points from the document that are most relevant to healthcare security pros who may have time to listen but not read 

• Analyzing how those key points will affect the healthcare industry in the coming months and years 

• Explaining how (and when) the rulemaking process might play out 

• The impact this could have on cloud and third-party risk 

• Implications of incident reporting and the positive side of the emphasis on it 

• An interesting wrinkle in the cyber insurance space 

• Increased scrutiny on IoT manufacturers 

• How the technology and software industry is similar to the automotive industry 50 years ago 

• And much more! 

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month: 

• The Federal Trade Commission’s (FTC) first Health Breach Notification Rule Enforcement action against GoodRx 
• An unsurprising report from OCR on security rule compliance areas that HIPAA-regulated entities need improvement plus the most common remediation actions taken by breached entities 
• Semi-definitive information about the date and final rule content of the SEC’s looming rule for publicly traded companies on Cybersecurity disclosures and risk management 
• NIST’s announcement on a new lightweight cryptography algorithm that can be used by IoT and Medical Devices 
• The disheartening cyber attack on the 988 suicide and mental health helpline 
• Interesting new trend data on the lower volume of healthcare breaches but higher count of individuals affected by those breaches 
• A recent surge in Wiper malware attacks, thanks in large part to the Russia/Ukraine war 
• A fascinating narrative on cyber insurance involving exclusion of nation-state attack vectors from policies, sharper focus on TPRM programs, and a ransomware gang’s unusual request to its victims

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month: 

• A new National Cybersecurity Strategy coming from the Biden administration in the next few weeks 
• Healthcare cybersecurity legislation with mandatory requirements coming from Senator Mark Warner by the end of 1Q 
• More ChatGPT analysis on malware writing and that it is NOT suitable for use in a HIPAA Privacy compliant manner 
• A small hospital in Illinois closes due to COVID expenses and a cyber attack that shut down billing 
• The new Rural Emergency Hospital rule for struggling critical access and rural facilities 
• The impact of travel nursing on cybersecurity 
• FBI and Hive ransomware + why FBI wants more victims to call them 
• Microsoft OneDrive takes first place for cloud app malware distribution 
• A new DDoS threat from KillNet against healthcare and what to do about it 
• An interesting update from the Russian/Ukraine war 
• A call for community help on the evolution of NIST CSF and CSA CCM 

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. 

In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month: 

• New FDA authority granted by December’s omnibus bill is a big step towards better medical device security 
• HITRUST teases their new CSF v11 release 
• CommonSpirit Health class action lawsuit 
• The fallout from the LastPass follow-on breach 
• The possibly similar situation that might be occurring at Okta  
• JAMA Health Forum’s outstanding metrics study on ransomware attacks in healthcare from 2016 – 2021 
• The nefarious use cases of OpenAI’s ChatGPT 
• Clop ransomware group’s tactics for taking advantage of Telehealth appointments to deploy malware 
• An apology from LockBit ransomware group for an attack on a children’s hospital (really!) 
• Healthcare CISOs collaborating thru Healthe3PT to solve the third-party risk problem 
• A major precedent-setting breach settlement order from FTC against Drizly and its CEO 

The CyberPHIx is your source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry. 

In this episode, our host Britton Burton highlights some bold, and some not so bold, predictions for healthcare cybersecurity in 2023. Topics covered include: 

• Continued escalation and evolution of ransomware attacks 
• Our growing dependency on cloud platforms and vendor solutions shifting the attacker’s focus and changing breach trends 
• New baseline expectations for critical infrastructure cybersecurity that could lead to increased federal or state level rule making 
• Remote work and Zero Trust 
• Medical devices, IoT, OT, & IoMT (oh my!) 
• The rise of the class action lawsuit 
• The continued expansion and cool solution ideas for 3rd and 4th party risk 
• The importance of security assurances and validated assessments / certifications 
• The curios case of cyber liability insurance 
• A new emphasis from the board on cyber resilience and TPRM 

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices, specifically for the healthcare industry. 

In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this week: 

• OCR releases more detail on their Recognized Security Practices (RSPs) and what they mean for Covered Entities 
• A cool new tool from the FTC for mobile health app developers to quickly determine which security and privacy regulations are in scope for their app 
• Trends in the consumerization of healthcare with some interesting technology announcements from Amazon and Epic 
• The next step in the Meta Pixel story, including some interesting guidance from OCR in how Covered Entities need to handle these tracking technologies 
• A new Medical Device Security Playbook from a MITRE and FDA collaboration 
• A Moody’s report on how inflation is hindering health systems' ability to bolster cybersecurity 
• An interesting impact you may not have expected in the CommonSpirit ransomware story 
• A landmark decision in the realm of cybersecurity insurance in the T-Mobile / Zurich American Insurance case 
• A report from Senator Mark Warner that gives us a glimpse into some regulatory activity we might see in 2023 

Change is on the horizon for The CyberPHIx! Join us as your new host, Britton Burton, interviews your favorite host, Brian Selfridge to discuss it.  

This episode is a little different flavor than normal as your beloved host takes some time to explain what’s next for him and to reflect on some really interesting experiences he’s enjoyed in his cybersecurity career. 

Topics covered in this session include:  

• The transition of the podcast hosting duties from Brian to Britton  
• What it actually means to be an OCR HIPAA expert witness 
• What interesting trends Brian has seen and knowledge he’s gained serving in that role 
• Awesome advice and lessons he’s learned from a multi-faceted cybersecurity career journey