Do No Harm

Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation...

Matthew Webster

$49.95

Paperback

English
John Wiley & Sons Inc
25 June 2021
Discover the security risks that accompany the widespread adoption of new medical devices and how to mitigate them

In Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States, cybersecurity expert Matthew Webster delivers an insightful synthesis of the health benefits of the Internet of Medical Things (IoMT), the evolution of security risks that have accompanied the growth of those devices, and practical steps we can take to protect ourselves, our data, and our hospitals from harm.

You'll learn how the high barriers to entry for innovation in the field of healthcare are impeding necessary change and how innovation accessibility must be balanced against regulatory compliance and privacy to ensure safety.

In this important book, the author describes:

The increasing expansion of medical devices and the dark side of the high demand for medical devices
The medical device regulatory landscape and the dilemmas hospitals find themselves in with respect to medical devices
Practical steps that individuals and businesses can take to encourage the adoption of safe and helpful medical devices or mitigate the risk of having insecure medical devices
How to help individuals determine the difference between protected health information and the information from health devices—and protecting your data
How to protect your health information from cell phones and applications that may push the boundaries of personal privacy
Why cybercriminals can act with relative impunity against hospitals and other organizations

Perfect for healthcare professionals, system administrators, and medical device researchers and developers, Do No Harm is an indispensable resource for anyone interested in the intersection of patient privacy, cybersecurity, and the world of Internet of Medical Things.

By:  
Imprint:   John Wiley & Sons Inc
Country of Publication:   United States
Dimensions:   Height: 229mm,  Width: 152mm,  Spine: 20mm
Weight:   522g
ISBN:   9781119794028
ISBN 10:   1119794021
Pages:   400
Publication Date:  
Audience:   Professional and scholarly ,  Undergraduate
Format:   Paperback
Publisher's Status:   Active
Table of Contents

Preface
Introduction

Part I Defining the Challenge
Chapter 1 The Darker Side of High Demand: Connected Medical Device Risks; Ransomware; Risks to Data; Escalating Demand; Types of Internet-Connected Medical Devices; COVID-19 Trending Influences; By the Numbers; Telehealth; Home Healthcare; Remote Patient Monitoring; The Road to High Risk; Innovate or Die; In Summary
Chapter 2 The Internet of Medical Things in Depth: What Are Medical Things?; Telemedicine; Data Analytics; Historical IoMT Challenges; IoMT Technology; Electronic Boards; Operating Systems; Software Development; Wireless; Wired Connections; The Cloud; Mobile Devices and Applications; Clinal Monitors; Websites; Putting the Pieces Together; Current IoMT Challenges; In Summary
Chapter 3 It is a Data-Centric World: The Volume of Health Data; Data is That Important; This is Data Aggregation?; Non-HIPAA Health Data?; Data Brokers; Big Data; Data Mining Automation; In Summary
Chapter 4 IoMT and Health Regulation: Health Regulation Basics; FDA to the Rescue?; The Veterans Affairs and UL 2900; In Summary
Chapter 5 Once More into the Breach: Grim Statistics; Breach Anatomy; Phishing, Pharming, Vishing, and Smishing; Web Browsing; Black-Hat Hacking; IoMT Hacking; Breach Locations; In Summary
Chapter 6 Say Nothing of Privacy: Why Privacy Matters; Privacy History in the United States; The 1990s Turning Point; HIPAA Privacy Rules; HIPAA and Pandemic Privacy; Contact Tracing; Corporate Temperature Screenings; A Step Backward; The New Breed of Privacy Regulations; California Consumer Privacy Act; CCPA, AB-713, and HIPAA; New York SHIELD Act; Nevada Senate Bill 220; Maine: An Act to Protect the Privacy of Online Consumer Information; States Striving for Privacy; International Privacy Regulations; Technical and Operational Privacy Considerations; Non-IT Considerations; Impact Assessments; Privacy, Technology, and Security; Privacy Challenges; Common Technologies; The Manufacturer’s Quandary; Bad Behavior; In Summary
Chapter 7 The Short Arm of the Law: Legal Issues with Hacking; White-Hat Hackers; Gray-Hat Hackers; Black-Hat Hackers; Computer Fraud and Abuse Act; The Electronic Communications Privacy Act; Cybercrime Enforcement; Results of Legal Shortcomings; In Summary
Chapter 8 Threat Actors and Their Arsenal: The Threat Actors; Amateur Hackers; Insiders; Hacktivists; Advanced Persistent Threats; Organized Crime; Nation-States; Nation-States’ Legal Posture; The Deep, Dark Internet; Tools of the Trade; Types of Malware; Malware Evolution; Too Many Strains; Malware Construction Kits; In Summary

Part II Contextual Challenges and Solutions
Chapter 9 Enter Cybersecurity: What is Cybersecurity?; Cybersecurity Basics; Cybersecurity Evolution; Key Disciplines in Cybersecurity; Compliance; Patching; Antivirus; Network Architecture; Application Architecture; Threat and Vulnerability; Identity and Access Management; Monitoring; Incident Response; Digital Forensics; Configuration Management; Training; Risk Management; In Summary
Chapter 10 Network Infrastructure and IoMT: In the Beginning; Networking Basics: The OSI Model; Mistake: The Flat Network; Resolving the Flat Network Mistake; Alternate Network Defensive Strategies; Network Address Translation; Virtual Private Networks; Network Intrusion Detection Protection Tools; Deep Packet Inspection; Web Filters; Threat Intelligence Gateways; Operating System Firewalls; Wireless Woes; In Summary
Chapter 11 Internet Services Challenges: Internet Services; Network Services; Websites; IoMT Services; Other Operating System Services; Open-Source Tools Are Safe, Right?; Cloud Services; Internet-Related Services Challenges; Domain Name Services; Deprecated Services; Internal Server as an Internet Servers; The Evolving Enterprise; In Summary
Chapter 12 IT Hygiene and Cybersecurity: The IoMT Blues; IoMT and IT Hygiene; Past Their Prime; Selecting IoMT; IoMT as Workstations; Mixing IoMT with IoT; The Drudgery of Patching; Mature Patching Process; IoMT Patching; Windows Patching; Linux Patching; Mobile Device Patching; Final Patching Thoughts; Antivirus is Enough, Right?; Antivirus Evolution; Solution Interconnectivity; Antivirus in Nooks and Crannies; Alternate Solutions; IoMT and Antivirus; The Future of Antivirus; Antivirus Summary; Misconfigurations Galore; The Process for Making Changes; Have a Configuration Strategy; IoMT Configurations; Windows System Configurations; Linux Configurations; Application Configurations; Firewall Configurations; Mobile Device Misconfigurations; Database Configurations; Configuration Drift; Configuration Tools; Exception Management; Enterprise Considerations; In Summary
Chapter 13 Identity and Access Management: Minimal Identity Practices; Local Accounts; Domain/Directory Accounts; Service Accounts; IoMT Accounts; Physical Access Accounts; Cloud Accounts; Consultants, Contractors, and Vendor Accounts; Identity Governance; Authentication; Password Pain; Multi-factor Authentication; Hard Tokens; Soft Tokens; Authenticator Applications; Short Message Service; QR Codes; Other Authentication Considerations; Dealing with Password Pain; MFA Applicability; Aging Systems; Privileged Access Management; Roles; Password Rotation; MFA Access; Adding Network Security; Other I&AM Technologies; Identity Centralization; Identity Management; Identity Governance Tools; Password Tools; In Summary
Chapter 14 Threat and Vulnerability: Vulnerability Management; Traditional Infrastructure Vulnerability Scans; Traditional Application Vulnerability Scans; IoMT Vulnerability Challenges; Rating Vulnerabilities; Vulnerability Management Strategies; Asset Exposure; Importance; Compensating Controls; Zero-Day Vulnerabilities; Less-Documented Vulnerabilities; Putting It All Together; Additional Vulnerability Management Uses; Penetration Testing; What Color Box?; What Color Team?; Penetration Testing Phases; Scope; Reconnaissance; Vulnerability Assessments; The Actual Penetration Test; Reporting; Penetration Testing Strategies; Cloud Considerations; New Tools of an Old Trade; MITRE ATT&CK Framework; Breach and Attack Simulation; Crowd Source Penetration Testing; Calculating Threats; In Summary
Chapter 15 Data Protection: Data Governance; Data Governance: Ownership; Data Governance: Lifecycle; Data Governance: Encryption; Data Governance: Data Access; Closing Thoughts; Data Loss Prevention; Fragmented DLP Solutions; DLP Challenges; Enterprise Encryption; File Encryption; Encryption Gateways; Data Tokenization; In Summary
Chapter 16 Incident Response and Forensics: Defining the Context; Logs; Alerts; SIEM Alternatives; Incidents; Breaches; Incident Response; Evidence Handling; Forensic Tools; Automation; EDR and MDR; IoMT Challenges; Lessons Learned; In Summary
Chapter 17 A Matter of Life, Death, and Data: Organizational Structure; Board of Directors; Chief Executive Officer; Chief Information Officer; General Counsel; Chief Technology Officer; Chief Medical Technology Officer; Chief Information Security Officer; Chief Compliance Officer; Chief Privacy Officer; Reporting Structures; Committees; Risk Management; Risk Frameworks; Determining Risk; Third-Party Risk; Risk Register; Enterprise Risk Management; Final Thoughts on Risk Management; Mindset Challenges; The Compliance-Only Mindset; Cost Centers; Us Versus Them; The Shiny Object Syndrome; Never Disrupt the Business; It’s Just an IT Problem; Tools over People; We Are Not a Target; The Bottom Line; Final Mindset Challenges; Decision-Making; A Measured View; Communication is Key; Enterprise Risk Management; Writing and Sign-Off; Data Protection Considerations; In Summary

Part III Looking Forward
Chapter 18 Seeds of Change: The Shifting Legal Landscape; Attention on Data Brokers; Data Protection Agency; IoT Legislation; Privacy Legislation; A Ray of Legal Light; International Agreements; Public-Private Partnerships; Better National Coordination; International Cooperation; Technology Innovation; Threat Intelligence; Machine Learning Revisited; Zero Trust; Final Technology Thoughts; Leadership Shakeups; Blended Approaches; In Summary
Chapter 19 Doing Less Harm: What IoMT Manufacturers Can Do; Cybersecurity as Differentiator; What Covered Entities Can Do; Cybersecurity Decision Making; Compliance Anyone?; The Tangled Web of Privacy; Aggregation of Influence; Cybersecurity Innovators; Industrial Control Systems Overlap; What You Can Do; Personal Cybersecurity; Politics; In Summary
Chapter 20 Changes We Need: International Cooperation; Covered Entities; Questions a Board Should Ask; More IoMT Security Assurances; Active Directory Integration; Software Development; Independent Measures; In Summary

Glossary
Index

MATTHEW WEBSTER is a Chief Information Security Officer with 25 years of IT and information security experience. During that time, he has worked with many sizes and sectors of organizations including Fortune 100. Matthew has built several security programs from the ground up, significantly reduced risk, and helped companies pass multiple types of security audits.
