[Figure: Compromised Health Records Due to Hacking Attacks (%)]
Cybersecurity impacts business risk, patient safety, & privacy
Virtual Cyber Security Office (vCSO)
Clients receive a fixed number of consulting hours per month with seasoned executives and technical specialists to help assess, prioritize, plan, and/or execute their security program.
Managed DeceptionGrid
Instead of sifting through mountains of data and numerous false positives to detect cyber intruders within your enterprise, our ethical hackers, who understand their methods and tactics, deploy and monitor a grid of virtual traps, effectively making the intruders unknowingly reveal themselves so we can help you contain and root them out.
Threat Emulation
Professional ethical hackers lead customers through “War Games” that cover likely enterprise cyber incident scenarios. This two- to three-day program begins with training, follows the next day with realistic field simulations, and wraps up with an assessment of the customer’s operations regarding the simulations.
Secure Product Testing
Ethical hackers from Tangible Security determine what harm can be done to your business interests when cyber criminals, hacktivists, and/or nation-state actors target your new or existing product. We provide you a prioritized, detailed findings report with recommendations.
SDLC Services
We help clients overcome the challenges of implementing secure development lifecycle (SDLC) best practices, and we provide professional services that supplement your development teams with hard-to-find special skills and third-party independent reviews.
PCI Services
A certified QSA and cyber security engineers help small and large retailers navigate the complexities of PCI, find the most cost-effective means to achieve and maintain PCI compliance, and secure their earnings and reputation.
SIEM
From the team that wrote the first major book on Security Information and Event Management (SIEM) systems, our engineers help clients with selection, integration, tuning, and operation of a SIEM best suited to their needs.
Cyber crime & digital complexities elevate patient safety & privacy issues to ever higher risk levels
Patient electronic health records are worth ten times more than credit card numbers
Ransomware extortionists are targeting healthcare providers
IT & Operational Security
Complexity, scale, and constant change amplify cyber risks for interconnected healthcare systems.
Skilled and experienced cybersecurity personnel are scarce and costly
Healthcare cybersecurity programs are complex
Seemingly avoidable data breach causes continue to plague the industry
Mobility in healthcare increases attack surface
Identification, containment, & response to incidents must be rapid and decisive
Patient safety, privacy, & data security are often at odds
Ongoing infrastructure tests to identify vulnerabilities almost always find something
IoT & ICS Security
Network-connected medical devices deployed in clinical environments greatly increase the attack surface.
Medical device manufacturers need to add security testing to their development lifecycle
Hospitals need to identify vulnerabilities of connected devices
Responsibility falls on both the device manufacturer and the healthcare providers
Hospitals are subject to ICS and SCADA mandates
Providers must ensure security throughout their supply chain
Regulatory Requirements and Mandates
Regulations as well as legal and financial penalties never seem to stop evolving.
HIPAA mandates that providers maintain adequate and up-to-date risk assessments
The entire supply chain of business associates & suppliers falls under the Omnibus Rule
The HITECH Act mandates timely reporting of protected health information (PHI) breaches of 500 records or more
Compliance does not equate to security
Failure to comply with HIPAA and PCI requirements results in fines, legal entanglements, loss of patient trust, & more
The FDA views cybersecurity risks just as seriously as defective product risks
The Threats and Consequences are Real
Anthem — February 4, 2015 — 78.8 million records — Unauthorized database access; the attacks may be linked to a state-sponsored actor out of China
Anchorage Community Mental Health Services (ACMHS) — December 2014 — 2,743 records — $150,000 fine — Malware compromised the security of its information technology resources; the organization failed to regularly implement available patches and ran outdated, unsupported software
New York Presbyterian Hospital and Columbia University — May 2014 — 6,800 records — $4.8 million fine — Due to a lack of technical safeguards, a server deactivation resulted in ePHI being accessible on Google
Premera — January 29, 2015 — 11 million records — The attacks may be linked to a state-sponsored actor out of China
Parkview Health System, Inc. — June 2014 — 5,000 to 8,000 records — $800,000 fine — Cardboard boxes of medical records were left unattended on the driveway of a physician’s home
Concentra Health Services — April 2014 — 870 records — $1.73 million fine — Failed to manage encryption policies, identify which assets needed to be encrypted, and document why encryption was not reasonable in certain cases