Here’s a conversation I had with Cylance’s Matt Stephenson on the widely-followed Threat Vector InSecurity podcast.

Matt’s a high-energy and colorful interviewer. He took our conversation off in several directions - the hidden life of connected devices, basics of DLT/blockchain, and what Spiritus is doing to improve medical device safety at the point of care.

A recent Garner survey of 500 companies determined over 85% of those with plans to implement blockchain have targeted IoT integration as a near-term goal.

63% indicated that the top benefit of their combined IoT/blockchain projects is increased security and trust in shared multiparty transactions and data. 56% said the top benefit is an increase in business efficiency and lower costs. 

Research and commentaries about AI ethics in healthcare are everywhere. This recent article by Oxford University researchers stands out for its quality, relevance and applicability.

The researchers provide a well-designed framework for analyzing and acting on the legal, ethical and compliance issues raised by AI. The framework establishes three categories of issues (e.g. epistemic, normative and overarching) and closely examines AI’s legal and ethical implications across six domains: individual, interpersonal, group, institutional, sectoral, and societal.

If you’re interested, set it aside for reading and reflection.

Add New Jersey’s largest health system to the list of healthcare providers hit by ransomware attacks in 2019 - Hackensack Meridian, which operates 17 acute care and specialty hospitals, nursing homes, outpatient centers, and a psychiatric facility.

Over 90 US healthcare facilities have been hit so far this year, making business continuity planning and routine resilience exercises a must for providers.

What’s alarming about the attack on Hackensack Meridian is the size of the target and what such attacks forebode for 2020 and beyond:

(1) Attackers could begin demanding substantially higher payouts;

(2) As in other sectors, attackers could threaten to publish protected and other sensitive data to gain more negotiating leverage, making good on those threats should their demands not be met;

(3) Attacker could stage coordinated attacks against neighboring hospitals, first responders and law enforcement agencies, greatly complicating attempts to divert patients and services, particularly for emergency surgery and ICU-based interventions; and

(4) Commercial insurers could (a) insist on evidence of stronger cybersecurity controls and operational resilience planning, (b) tighten their underwriting practices more generally, and (c ) raise premiums for coverage, while also carving out key provisions.

Last week’s HIMSS Healthcare Security Forum in Boston highlighted the lack of third-party cybersecurity standards for hospital-vendor partnerships.

This interview with a St. Luke’s Health System executive brought to mind the Standardized Information Gathering (SIG) assessments widely used by financial services firms. Paired with vendor ratings like those offered by BitSight and others, standardization could significantly streamline due diligence and ongoing monitoring of third parties by healthcare providers.

Year’s end is a time for respite and reflection. As in many years past, I’m drawn to Robert Frost’s “The Trial by Existence”:

‘Tis of the essence of life here,

Though we choose greatly, still to lack

The lasting memory at all clear,

That life has for us on the wrack

Nothing but what we somehow chose.

Blessings to you and yours,

Susan

@susan_ramonat

P.S. - If you like what you read, please forward to a friend so they can sign up.