Stepping up security with speed during the Covid-19 crisis

We are witnessing unprecedented times. Times that test our aptitude, abilities, and resilience. It’s during these critical times that organizations need to lean on cybersecurity innovation to help them confidently navigate uncharted waters. And they need a partner they can rely on to help them do that quickly and efficiently.

At Merlin, we bring best-in-class cybersecurity brands together with emerging technologies to deliver groundbreaking solutions purpose-built to help you tackle your most vexing cybersecurity challenges. Whether you need to secure remote workers or gain greater visibility and control across your enterprise, we are here to help you get it done. We are fortunate to work with amazing partners who are pitching in during this time of crisis to support your security needs with speed and flexibility. Here is an overview of just a few of our partners and how we can help you quickly meet cybersecurity needs:


Time is essential. If you need to ensure the security of remote collaboration in light of mandatory work-from-home requirements, Wickr’s end-to-end encrypted enterprise collaboration platform helps you create and manage secure networks in hours.

Wickr is designed from the ground up to act as the foundational secure collaboration platform for security operations. Wickr has taken battle-tested secure communications and collaboration and built deep integrations with productivity and security tooling. The result is a communications and collaboration platform which allows network defenders and mission owners to ensure that they are able to securely carry through with their communication and response processes during incidents.

Protecting credentials is essential to maintaining a solid security posture. CyberArk’s Privileged Access Management (PAM) solution does just that.

CyberArk is the global leader in privileged access management, a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. CyberArk delivers the industry’s most complete solution to reduce the risk created by privileged credentials and secrets.


As employees work remotely, now is the time to implement and modernize your identity and access management with Zero Trust — an essential security control during this COVID-19 crisis.

The Okta Identity Cloud is a secure, reliable and scalable platform that provides comprehensive identity management, enabling customers to secure their users and connect them to technology and applications, anywhere, anytime and from any device.


Remote workers need a VPN or a smart, secure alternative. Netskope Private Access can be implemented very quickly to help ensure users are securely accessing essential apps and other resources.

Netskope Security Cloud enables enterprises to extend their data security and threat protection policies to users and data, wherever they may be. Including approved and unapproved cloud apps, public cloud infrastructures, websites, and private apps in data centers or in the cloud.

Eliminate the Strain

Fundamental health hygiene is more important now than ever before. The same holds true for cyber hygiene – this is your foundation for proactive cyber defense. We’re already seeing cyber criminals, as well as nation state sponsors, taking advantage of the COVID-19 situation by attacking hospitals, corporate enterprises, supply chains, as well as senior executives with a variety of phishing scams, malware deployments, and attacks designed to penetrate vulnerabilities in the network.

The strain being put on your remote employees to access your network is immense. In order to ensure the security of your enterprise infrastructure and to step up to ensure business continuity, you need to understand and maintain pristine cyber hygiene on your existing network VPN, firewalls, endpoints as well as remote access.

Implementing a cyber hygiene monitoring tool like Cyber Observer enables you to track and score cybersecurity in near real time. By continuously measuring the status of your security environment with Critical Security Controls from relevant security tools, Cyber Observer empowers you to make insightful decisions to help you ensure the security you have in place is doing what it is intended to do while equipping you with the data and knowledge you need to make the right risk-based decisions. The platform provides a comprehensive view of enterprise Cyber Readiness to improve your ability to prevent and detect cyber-attacks.

As important as it is to assess personal health, now is the time to also assess your cybersecurity health. Doing so with Cyber Observer gives your security team confidence and control, and enables them to concentrate their time on mission- and business-critical priorities.

Contact us to learn more about our special offer.

The Key to Reducing Cybersecurity Risk

During the first three months of 2019 there were 1,903 total breaches, 85% were the result of unauthorized access into services or systems (i.e. hacking). It’s not that companies aren’t safe guarding their data, the opposite is actually true. We’ve seen a trend in increasing cybersecurity across all industries (mo money, mo [cyber] problems), but hackers are still finding ways to gain access to “secure” systems. Reviewing more recent articles on data breaches the cause gets sited as vulnerabilities or misconfigurations of specific cybersecurity tools. It’s not that something was missing, it just wasn’t working. Even if your tools are installed perfectly constant changes to your systems and tool updates or patches can expose you to threats you’re not even aware of.  A recent Ponemon Study found that 53 percent of IT leaders have no idea how well the tools and software implemented in corporate networks are performing. A cybersecurity tool is only as effective as your process for keeping it in good working order, also known as Cyber Hygiene.

The key to reducing cybersecurity risk is awareness and visibility. However, gaining this insight through the complexity of your security is no small task. Organizations need to unite the silos of their security teams, processes and technologies all in one place. After referencing security complexity as a major pain point it may seem counterintuitive to add another tool on your already complex security system but automating your monitoring is the most effective route to continuous awareness and visibility. While hiring additional security staff continues to be an industry crisis leaning into solutions that can automate the process will deliver rapid and actionable information so proactive steps can be taken remediate issues. To learn more about Cyber Hygiene monitoring check out Cyber Observer and it’s four layers of cybersecurity.

Mo Money, Mo [cyber] Problems

Stop spending, use cyber hygiene…

Gartner reports that average annual cybersecurity spend per employee has doubled, from $584 in 2012 to $1,178 in 2018. With increased spend you might infer that companies have newer more effective cybersecurity tools and are therefore safer, but we aren’t seeing that increased spend necessarily equals increased safety. Large scale data beaches are still happening, and the stakes are high with fines for these breaches costing some over half a billion. Simply throwing money (i.e. more cyber security tools) at the problem won’t solve it. Companies have created a fog of too many tools and a challenge of how they manage those tools to ensure they are configured and running properly. That’s where Cyber Hygiene can help.

The term Cyber Hygiene was first used by Vint Cerf in 2000, he referenced it as the “steps we know can be taken to improve security and resilience.” More recently the Center for Internet Security (CIS) and Council on CyberSecurity (CCS) launched a Cyber Hygiene Campaignand broke down those steps into the “5 top priorities.”

  1. Count: Know what’s on your systems and what you need to protect
  2. Configure: Continuously manage systems using “known good” configurations
  3. Control: Know and limit who has administrative privileges of security settings
  4. Patch: Keep software and hardware up-to-date to protect against known vulnerabilities
  5. Repeat: Cybersecurity is an iterative process with no finality

A great place to get started is prioritizing what you are trying to protect and deciding how you will measure your success. Aligning to an industry recognized framework (such as NISTor CIS Critical Security Controls) will help guide you during both implementation and assessment. Once critical security controls have been implemented, which is no small task, adherence to your chosen framework(s) through Cyber Hygiene will ensure the health and effectiveness of your cybersecurity ecosystem. If you’re looking for ways to measure your success doing an audit assessment or penetration test will be helpful in showing the state of your environment at that given time. If you’re interested in continuous metrics and measuring, implementing a Cyber Hygiene monitoring tool, like Cyber Observer, will enable you to track your improvement and score cybersecurity in near real time.

Comfort, not Chaos: How to Reduce the Cyber Risk of Healthcare Operational Technology (OT) Solutions

In a hospital at night, a patient wants to read a book, so she turns up the lights through her room’s dimmer switch. When she’s finished, she prepares for bed by turning off the lights, and closing the window blinds. Shortly after, she feels too warm, so she lowers the temperature on the thermostat.

What’s more, she’s able to do all of this from the comfort of her bed, by using a hospital-supplied remote-control device. Elsewhere, patients do the same using apps on their phones.

This illustrates how healthcare organizations are investing into what’s called Operational Technology (OT) – solutions which monitor or alter physical systems – to improve the patient experience and run their buildings. Whether the solutions control lighting, thermostats, security cameras, elevators, power management or additional systems via wired or wireless configurations, the healthcare industry is increasingly dependent upon them. And this dependence is helping drive worldwide demand for OT, which is expected to grow to a $40.42 billion market by 2022, up from $27.2 billion two years ago, according to a forecast from MarketsandMarkets.

However, as is the case with biomedical devices, security has emerged as a concern. Internet of Things (IoT) innovation supports a great deal of OT solutions, which, of course, creates issues: Nearly nine of ten healthcare organizations have experienced an IoT-related security breach, and one-half have encountered malware within IoT-connected systems, according to research from Hewlett Packard Enterprise’s Aruba Networks. The healthcare and life science sectors now account for 6 percent of all global OT incidents– up from zero percent three years ago, according to the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

In the modern era of cyber threats, hospital CIOs cannot prevent 100 percent of OT-linked attacks. But they can significantly reduce their risk exposure by taking the following steps:

Inventory every endpoint.

As indicated, certain OT products are wired in, and others are wireless. Either way, CIOs must gain total visibility of where they are, and what they do.

Beyond the pure volume of endpoints here, the various parties which implement OT solutions will introduce complications. CIOs don’t order lights and thermostats, after all. Building maintenance supervisors do. In addition, those supervisors may hire a third-party contractor to install, say, an OT-enabled speaker system without the CIO knowing about it. (Or knowing whether the contractors evaluate the security features of the products they offer.) Still, once these products connect to the IT network, their continued connectivity becomes IT’s responsibility. Thus, it’s essential for CIOs and their teams to conduct a complete inventory – and take at least partial ownership – of their organization’s OT “threatscape”.

Segment the environment.

The best way to keep OT-triggered threats from damaging or disrupting the network is to, well, remove them from the main network. That’s what segmentation does, by creating an entirely separated IT environment for OT products. With this, if bad guys exploit an OT vulnerability, they can only cause a limited amount of chaos, because OT is no longer part of the core network.

Even better, IT teams can more effectively monitor OT performance within a segmented environment, because everything is clustered within the same place. So when those in-room lights fail to dim, the teams will see this, and take corrective action to keep patients (and hospital supervisors) happy.

Set standards.

OT doesn’t work like other technologies and, subsequently, can’t be “fixed” like other technologies. (You can’t patch that thermostat, can you?) Given this, CIOs must get with building managers and anyone else who acquires these solutions to develop cybersecurity standards for OT vendors. If the vendors fail to comply with the standards, then they don’t get the hospital’s business.

Like any other developing technology, OT will usher in a new wave of risks. Therefore, as with all cyber systems, IT should apply optimal visibility, accountability, oversight and action from implementation to monitoring to – if needed – mitigation. That’s how to, ahem, “keep the lights on” and otherwise ensure a pleasant patient experience while still protecting the network.

Risky Business: How Enterprise Mobility is Transforming the Government – and Introducing New Cyber Threats

White House Chief of Staff John Kelly had a problem with his smartphone in the summer of 2017. It wasn’t working or updating software properly for months, so he turned the device into White House tech support.

The support team learned, however, that Kelly’s phone was compromised – as early as December 2016 – with the suspected breach possibly launched by hackers or even operatives from a foreign government seeking access to Kelly’s data while he served at his prior post as the Secretary of Homeland Security.

As mobile devices emerge as ubiquitous in government today, the incident illustrates how security vulnerabilities leave these devices – and, in turn, federal agencies – exposed.

In terms of adoption, there certainly appears to be no turning back, as enterprise mobility – which empowers people to do their jobs from anywhere using a variety of devices and applications – is driving digital transformation in government. Whether deployed by a FEMA response team assessing a disaster scene, an Education Department supervisor writing a report from home or military/Intelligence Community operatives pursuing missions, agencies now depend upon mobile technology to perform duties and achieve objectives. To cite two real-life examples: The Navy’s Sea Warrior Program (PMW 240) offers 70+ apps in its Navy App Locker, with thousands of downloads a month. The Navy has successfully created a framework that accelerates acquisition, development and deployment of mobile solutions across the Navy. VA Mobile from the U.S. Department of Veterans Affairs allows military veterans to access their electronic health records (EHRs), schedule appointments and connect with care providers from their devices from the comfort of their homes.

In fact, 86 percent of federal decision-makers believe mobile devices play a critical role in their jobs and nearly all use these devices to check email during the workday, according to research from Market Connections. By 2021, the U.S. government will spend $20.7 billion on these solutions, up from $14.1 billion two years ago, according to a forecast from IDC Government Insights. In addition, Bring Your Own Device (BYOD) is further expanding mobile adoption, as one-half of federal employees rely upon personal smartphones to do their jobs and three-quarters use personal tablets for work purposes, according to research from FedScoop.

Yet, beyond the practical uses and bigger picture benefits, few agencies truly understand the inherent and growing risks that these devices bring.

Mobility now spans government IT, from end users accessing applications in on-premise data centers to software as a service in public clouds. In the process, attack vectors are proliferating as more and more endpoints access the network, resulting in agencies often struggling to defend people, devices and data, whether on-premise or in the cloud. According to the FedScoop research, three of five federal IT/security officials are concerned about the protection of government-issued devices – as well as the potential for mobile usage to trigger a network attack. When asked to name their top mobile security priorities for the next 12 to 18 months, 64 percent of these professionals said they are primarily focused on preventing breaches caused by endpoint connectivity, and 46 percent cited the need to more quickly identify mobile security incidents, and recover from them.

However, despite their employees’ widespread use of personal devices for work, less than three of ten agencies support secure mobile access for functions such as email, collaboration/chat, document management, business systems and agency-specific mission systems.

The lack of protection could create major privacy issues, as devices “represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions, (systems that) hold tremendous amounts of personally identifiable information (PII) that could potentially be used to compromise citizen financial wellbeing, privacy, or identity,” according to last year’s “Study on Mobile Device Security” from the Department of Homeland Security (DHS) and National Institute of Standards and Technology (NIST).

In response, as part of its Mobile Device Security for Enterprises (MDSE) project, NIST is developing repeatable reference architectures to build in security for mobility programs. The project includes guidance about protecting device configurations, the cloud and enterprise systems.

Such guidance proves essential in the modern era, because enterprise mobility has disrupted the entire concept of cyber defense: Agencies that once relied on perimeter-based security, IT-provisioned/controlled standardized devices with a handful of on-premise applications, now need to support largely user-centric and (because of BYOD) user-determined environment defined by heterogeneous endpoints and thousands of applications in public clouds.

To secure all of this, agencies must implement a strategy that incorporates a holistic view of the enterprise. To find out how, please look for Part II of this blog in this space in the near future.

IGA Tools Ensure that Healthcare Employees Get the Job Done While “Staying in Their Lane”

It takes a wide variety of employees accomplishing a vast range of tasks to make a healthcare organization work. But, today, these organizations face challenges in ensuring their staffers “stay in their lane” by not overstepping the boundaries of their roles.

Research nurses, for example, can write up orders for blood tests, but they’re not authorized to release the orders. That is the physician’s job.

A billing administrator may write up charges for a patient’s visit, but cannot actually receive the payment. Otherwise, the administrator could conceivably commit financial fraud by falsifying charges and pocketing the money.
For IT managers and teams overseeing electronic medical record (EMR) and other systems, enforcing the limitations of authorized activity for these and countless additional roles creates confusion and frustration. It amounts to monitoring in piecemeal fashion one siloed system after another, without a cohesive, unified way to “see” everything and respond accordingly.

The constant threat of cyber attacks linked to the employees’ behaviors – whether they intend to cause a hacking incident or not – makes the situation all the more foreboding. In the absence of an entirely integrated “eye” over all activity that is acceptable and that which is not, the healthcare enterprise remains highly vulnerable.

This is where Identity Governance and Administration (IGA) can step in to help. As defined by Gartner, IGA tools manage digital identity and access rights throughout multiple systems by aggregating, correlating and distributing related data to better control user access. Areas of focus include identity lifecycle/ entitlements management, access requests/certification, workflow orchestration and reporting.

Overall, the global IGA market is expected to increase to $5.8 billion in 2021, up from $3.2 billion last year, according to projections from IHS Markit. Clearly, significant concerns expressed by healthcare security and IT professionals make a strong case for across-the-board industry adoption, with the rising risk of employee-linked cyber attacks keeping them up at night: More than three of five healthcare organization IT and IT security practitioners rank malicious insiders as a top security threat, and 64 percent say the same about employee negligence or error, according to survey research conducted by the Ponemon Institute and sponsored by Merlin International.

In attempting to respond, organizations are most challenged by a lack of tools to monitor employees and other insiders (as cited by 27 percent of healthcare IT leaders), according to additional survey research from Imperva. Other challenges include inadequate staffing to analyze permissions data when employees seek to call up files, information, systems, etc. (as cited by 25 percent of survey respondents); the growing number of employees, contractors and business partners connecting to the network (24 percent); and the abundance of company assets stored within the network or in the cloud (24 percent).

IGA products tackle these issues head-on, allowing IT teams to “see” in real-time who is accessing what data and critical workloads – and whether that person’s job function is cleared for such privileges. IGA helps the teams flag behaviors on the part of users who may unintentionally invite risks, in addition to alerting them to when a malicious insider could be stealing or destroying data. It provides access control and audit log management, as well as privacy- and breach-management maps to satisfy security requirements of the Health Insurance Portability and Accountability Act (HIPAA) Audit Protocol. In fact, identity management/authentication is considered among healthcare IT and IT security practitioners as the most effective step in achieving security objectives, as cited by 71 percent of respondents in the Ponemon/Merlin International survey.

Beyond enhanced cybersecurity monitoring and mitigation, IGA solutions empower organizations to address the following, key needs:

Segregation of Duty (SoD) rules

This refers to the previously described scenarios involving the nurses, billing administrators and everyone else on staff who must “stay in their lane.” For starters, it’s simply the best way to run a healthcare organization. What’s more, HIPAA and other regulations require the enforcement of SoD.

Fortunately, with IGA-level visibility in place, leadership and IT teams acquire a “single pane of glass” perspective of their entire infrastructure access ecosystem (including cloud environments like Amazon Web Services and Microsoft Azure), file sharing/collaboration activity (such as the usage of Dropbox and SharePoint), EMR usage and enterprise resource planning (ERP)/business functions (Salesforce, PeopleSoft, etc.) Thus, when the annual audit comes around, IT won’t have to gather endless records from many siloes to demonstrate appropriate role/access authorizations and controls. Instead, it will collect the information from a single source.

Provisioning automation

Too many healthcare organizations are still saddled with traditional, time-consuming manual processes when bringing in new employees (or contractors) and configuring their user access authorizations. In this case, HR typically sends a notice to various managers about who’s coming in, and what they’re allowed to do, and IT manually sets up provisioning. If the users’ roles change, then the authorizations require (manual) updating. If they leave the company, then their access rights must be removed (again, manually).

IGA eliminates these tedious inefficiencies by automating all provisioning – from onboarding-stage authorizations to promotions/role expansions to the end of a user’s association with the organization. The solutions do this for temporary hires too: If a contractor is only supposed to work on-site for three months, IGA will automatically grant allowable access for those three months, and shut it off when the job is done.

Ultimately, that’s what IGA is about – users getting their jobs done, without going beyond any authorized activity. Managers and IT teams are no longer stretched from silo to silo attempting to track who’s doing what, nor do they spin into a mad scramble come compliance-time to prove that they’re in good standing. Everything is “all there … in one place.” As a result, healthcare organizations boost efficiencies and save on operating costs while focusing more on what they do best: improving the lives of their patients.

Electronic Health Records: It’s the Data. Not the App.

Organizations get locked into vendors’ apps

In seeking ways to gather and analyze – and hopefully act upon – electronic health records (EHRs), organizations are following a familiar path: They assess their needs, and then hire a vendor to support them. At this point, they’re locked into the selected vendor’s app, in terms of how they input, review and analyze data.

However, we now exist in an age in which data is delivering endless possibilities; when we pursue information discovery and seek to make good decisions from the resulting, newly acquired knowledge, we’re really only limited by our imaginations. Which is why traditional, vendor-centric approaches are no longer relevant.

In other words, it’s about the data. Not the app. Given that the EHR market is expected to grow to $33.41 billion in value by 2025, according to a forecast from Grand View Research, the stakes are too high to cling to antiquated models.

The limitations of vendors’ apps

Let’s illustrate with a realistic scenario: A patient encounters blood pressure issues, even though he’s already taking medication for his condition, so a hospital doctor writes up a new prescription. Because it’s new, the doctor wants the patient to take daily blood pressure readings with an at home monitor and report back. Steady information over a stretch of time, after all, provides more value than that observed during occasional office visits.

The data isn’t difficult to collect. The patient can do it on his own, and call it into the doctor’s office. But what if the existing vendor tool doesn’t allow for the inputting of daily blood pressure readings? What if it caps this inputting to, for instance, four readings a year? In this case, both the doctor and patient are stuck with what the vendor has to offer. Sure, the doctor can work through higher-ups at the hospital to see if the vendor would upgrade the app so it’s configured for daily blood pressure readings. But the vendor may have other upgrades they need to address first, putting new requests on the back burner for months or longer.

You can apply the same sort of scenario to a patient’s weight, heart rate, blood-sugar level, cigarette/alcohol usage or any one of a number of other components which lend insights into someone’s state of health. The information is ready and available. But if the solution isn’t configured to incorporate it into a data capture/analysis program, the information will end up in limbo.

Tailoring apps to organizations’ needs

So what’s the solution?

Again, it’s about the data. Or, more precisely, thinking “data first” and then app.

Organizations should initially consider what exactly they want to capture, whether it’s blood pressure readings, cancer screenings, cholesterol checks, smoking cessation success rates, etc. Then they can figure out what kind of app will work best. Tech innovation is driving swifter and greater adoption of agile practices. IT departments are now positioned to more readily and easily develop (or pay to have developed) mini-apps to perform specialized functions – further rendering obsolete the monolithic, rigid, “our way or no way” mega-vendor tools.

All that’s required is a secured, indexable database. With this, organizations and users input whatever they wish into the database, and then build mini-apps accordingly so teams create chart visualizations, analytics tools, treatment plans, etc.

Problems with the traditional model

To cite another scenario, let’s say that same hospital doctor from before would like to know if her patients were picking up their prescriptions in a timely manner. Obviously, her local drug stores would have to compile and report this information to her. They could even work together to set up an alert notification system should patients fail to pick up their prescriptions within two weeks. Sounds simple, right?

Not if we’re still talking about the traditional model: The doctor might tell the vendor what she plans to do, and the vendor could respond that their product isn’t configured for data related to prescription pickups. Further complicating things, the app may need to be work with multiple reporting systems used by the various drugstore companies with no way to determine if compatibility. Setting up a workable solution might take a year – or longer.

The modern approach

But through a modern, agile approach, the doctor simply comes up with a data collection/notification alert plan with the drug stores, has IT construct a secure, indexable database, and then design (or, again, hire someone to design) a mini-app to monitor prescription transactions, send alerts for late pickups and otherwise enable the doctor and her team to analyze various patterns within.

Or take another example: two or more unrelated entities (like a pharmacy and a diagnostics lab and a hospital) are all trying to get data into the same EHR, but if they don’t share the same EHR for the same patient (and they don’t) then they can’t do it directly. With a standard data-based health model they could throw transactions into the same pot to be discovered by relevant applications later.

A data-first strategy

The upshot: For too many years, organizations dependent upon EHRs have resigned themselves to an “If we build it, you will come” arrangement with their vendors, i.e., the vendor builds the tool, and organizations buy in and adjust to its quirks and limitations. And being that other hands-on health care priorities often take precedence, who could blame them?

But today, those same organizations can advocate for a “Let the data come first, and then we’ll build it …” strategy. By determining the intent of their discovery initiatives and data models, they necessitate COTS vendors and Open Source developers to build functionality around them. Subsequently, the market ultimately provides a better solution and HCOs end up with information that is more comprehensive, immediate, insightful and actionable – empowering them as more effective healthcare practitioners and better “custodians” of EHRs.

What Healthcare Organizations Should Consider Before Migrating to the Cloud

Limited cloud adoption

On the surface, findings from a Healthcare Information and Management Systems Society (HIMSS) research convey a sense that healthcare organizations are universally embracing the cloud. According to the study, an estimated 84 percent currently use cloud services.

But dig a little deeper and you discover that adoption is limited, especially for critical functions related to electronic medical records (EMRs) and enterprise resource planning (ERP). Only 34 percent of healthcare organizations have migrated clinical applications and data to the cloud, and just 32 percent use the cloud for archived data and Health Information Exchange needs. In addition, less than one-quarter are turning to the cloud for back office apps and data.

Key considerations before migrating

In my interactions with industry executives, many say they’re testing the waters, with email, file storage and the like. Even so, they’re reluctant to wholly replace in-house data centers with public cloud versions. Use of EMR, ERP and analytics vendor hosting is popular, however. But this should generally be considered as private cloud hosting in a geographically separate data center.

Yet, given the vast and often-reported benefits of the cloud – including the improvement of workflows through greater flexibility, collaboration, efficiency, rapid scalability, and productivity – many of these same executives are seeing advantages in an increased presence. In determining whether the cloud is right for an organization, I stress four key considerations:

1. Security remains the greatest concern

Indeed, security ranked #1 among adoption barriers in the HIMSS study, as cited by 54 percent of study participants. While the sentiment is understandable, I believe the issue is somewhat overblown. Cloud vendors have more security measures in place, with more infrastructure and power. If breaches do occur, they’re usually the result of employees not adopting proper guidelines and security best practices. In my experience, following a reputable cloud vendor’s rules will keep you as or even more protected than would keeping everything on-premise.

2. Network reliability can be uncertain

If you use a private host for your network, you likely have strong datacenter redundancy for maximum uptime. But if you’re running your network on a public cloud, you’re entirely dependent upon the internet. If your connection to the Internet goes down, you will lose access to business-critical resources until connectivity is restored. That’s a big gamble. You could reduce risk by paying for two or three regional internet services– but this may prove too costly for some organizations. And for those in rural areas, it’s not even feasible.

3. Speaking of costs…

If you’re planning to store massive volumes of data in the cloud, you’re looking at a hefty monthly bill – one that will typically exceed what you’d pay with an on-premise datacenter. That said, if you have a large amount of infrastructure which has to be replaced, it could make sense. You eliminate the “short-term pain” of a huge capital investment by rolling it into a monthly, operational expense. For some organizations, this approach may be more fiscally realistic.

4. “So what if we simply ‘dip our toes’ into the waters with a hybrid model?”

This comes up in my conversations all the time. Healthcare executives want to put “safe” data assets in the public cloud, and keep more sensitive/mission-critical ones closer at hand. However, hybrid models elevate the complexities of ID management. If you extend the network over a combination of on-premise, private hosted, private cloud and/or public cloud options, you create ID management issues which could result in operations disruptions and potential employee backlash over the inability to access the data, files and apps that they need to do their jobs. HIPAA data access logging and auditing become a larger and more diverse challenge.

Currently, there are few tools available which would help IT teams resolve these problems. We have experience at Merlin with a very powerful tool that provides a single “pane of glass” to manage identities across all environments and many key applications regardless of where they are hosted.

Weighing the pros and cons

As you can see, deciding whether to migrate significant IT functions to the cloud isn’t a “one size fits all” proposition. You must measure the pros and cons based upon your organization’s size, location, industry niche and other relevant factors, while also assessing the various comfort levels with any changes the cloud may bring. Finally, calculate expected ROI comparing it against the financial impact of not making the switch.

In other words, cloud migration is as much a business proposition as it is a “tech thing.” Proceed accordingly.

How Healthcare Organizations Can Reduce the Cybersecurity Risks of IoT

The increasing adoption of IoT

If you walk through the corridors of a hospital today, you will inevitably be surrounded by the Internet of Things (IoT). From X-ray machines to heart monitors to even HVAC units and refrigerators, healthcare organizations are turning to connected devices and machines to provide not only better care but an improved “patient experience.”

Because of this, the IoT’s presence within the industry is expected to increase rapidly for the immediate future: The IoT healthcare market is growing 30.8 percent every year and is projected to reach just over $158 billion by 2022, up from $41.22 billion this year, according to research from MarketsandMarkets.

By 2018, 87 percent of healthcare organizations will have adopted IoT technologies, as three-quarters of executives believe IoT will transform the industry, according to research from Hewlett Packard Enterprise’s Aruba Networks. Patient monitors have emerged as the most common use of IoT (currently present within 64 percent of organizations) followed by energy meters (56 percent) and X-ray/imaging devices (33 percent). Four of five executives expect IoT to encourage more innovation, while about three-quarters anticipate that it will expand organization-wide visibility and boost cost-savings.

Proactive steps to prevent security breaches

Yet, there are concerns about the technology, as 89 percent of healthcare organizations have suffered from an IoT-related breach, according to the Aruba research. Hackers are well aware, of course, that IoT brings new vulnerabilities, and they are eager to exploit them. In April, testimony from a top Merck & Company cybersecurity executive before the House Committee on Energy and Commerce’s Oversight and Investigations Subcommittee validated the concerns.

“In just the last few years … we’ve seen more than a hundred million health records of American citizens (compromised or threatened) in a couple of well-publicized incidents,” said Terry Rice, vice president of IT risk management and chief information security officer (CISO) at Merck. “We have seen how software vulnerabilities in insulin pumps and pacemakers can be exploited to cause potentially lethal attacks. And we have witnessed entire hospitals in the United States and the U.K. shutting down for multiple days to combat ransomware infections in critical systems. Unfortunately, I believe these incidents underrepresent the risk we are facing.”

Given the developments, healthcare CISOs and their teams should consider the following proactive steps to prevent horror movie-like “Attack of the Connected, Wild Things” scenarios – steps that respond to both the technological and human-focused elements of this emerging technology:

Segment everything

You should create a dedicated, separate network for IoT. With a segmented architecture entirely fortified by its own firewalls, you ensure that IoT devices will never interact with the rest of your enterprise network environment – including patients’ personal information, fiscal reports, HR records, etc. Connected devices and machines will strictly communicate with the servers which support them, and the ports and destinations they serve. Thus, if attackers compromise them, there’s only so much damage they can do, because their activity and malware is sealed off from everything else.

Establish controls over implementation

Frankly, organizations are taking an “anything goes” approach with IoT – one that undermines their ability to properly oversee and control it. A facilities manager, for example, could decide to install a connected alarm system in the elevators. An anesthesiologist may plug in a new product to see how it works. Hospitals win research grants all the time, and these grants often arrive with IoT-enabled technologies to assess.

In too many cases, however, all of this takes place without bringing in the CISO. Non-IT executives approve of an acquisition, and their staffers simply “plug in” without thinking of whether they’re introducing new vulnerabilities. So, clearly, CISOs must work with C-suite leaders to come up with policies which will require the involvement of security teams with any IoT initiative, large or small, with threat vigilance always incorporated into the process.

Expanding visibility

The CISO’s mantra, “You can’t protect what you can’t see,” is more relevant than ever. It’s difficult to protect the enterprise, after all, if you don’t know who is plugging in what, and where. Through the effective, organization-wide visibility of all systems activity, you will receive notifications every time new IP addresses show up. When they do, you can verify whether they are properly sealed off within your segmented, IoT network. If they aren’t, you can shut them down until IT can locate them and redirect them to the segmented network.

Maximizing the benefits of IoT

As always, hospital executives, doctors, nurses and additional staffers are dedicated to delivering the best care available for their patients. More than ever, they’re discovering that IoT is making this possible. But to maximize the benefits of these innovations without placing the network, systems, and data at risk, IT must collaborate closely with operations/business units so IoT is sufficiently segmented, and nothing is introduced which can harm anything outside of its own, contained ecosystem. In other words, you can take advantage of many “good things” through these devices without unleashing an army of “wild things.”