
Tag: Cybersecurity

Google Hopes Nobody Beats This Wiz

By KIM BELLARD

When I saw the Wall Street Journal article about Alphabet being in “advanced talks” to buy cybersecurity firm Wiz for an eye-popping $23b, I must confess that – never having previously heard of the company – my thoughts flashed back to the Seinfeld episode (“The Junk Mail”) where Elaine dates a man whose job turns out to be an outlandish mascot for electronics store The Wiz, whose motto he gleefully repeats: “Nobody beats The Wiz!”  That firm is long gone but this Wiz is alive and well, enough so that the acquisition would be Alphabet’s largest ever.

Wiz was founded only in 2020, by four former Israeli military officers (they reportedly all originally worked together at Israel’s equivalent of the NSA). They had previously founded cloud cybersecurity firm Adallom in 2012, which they sold to Microsoft in 2015 for its Azure cloud computing business. Wiz also specializes in cloud cybersecurity, and, according to WSJ, its customers include 40% of the Fortune 500, including Barclays, Mars, Morgan Stanley, and Slack. Other notable customers include BMW, DocuSign, EA, and Salesforce.

Pretty impressive for a four-year-old start-up.

Alphabet’s cloud business – Google Cloud Platform (GCP) – badly trails leaders AWS (Amazon) and Azure (Microsoft), although last year GCP’s revenue rose 26% and it recorded its first operating profit. Its Q1 2024 revenue was up 28%. By the way, Wiz lists both AWS and Azure as partners, along with GCP, Oracle Cloud Infrastructure, VMware, and Alibaba Cloud.

Alphabet bought security company Mandiant two years ago for $5.4b, as well as Siemplify, another Israeli cloud cybersecurity company, that same year, and evidently sees these acquisitions as a way to bolster its cloud business.

For some perspective, just this past May Wiz raised $1b in a funding round that gave it a $12b valuation. Its annual recurring revenues are estimated at $500 million, so Alphabet’s offer is a multiple of 46. By contrast, WSJ notes that competitor CrowdStrike has a market capitalization that is 25 times annual recurring revenues. “This could be one of the largest and fastest returns ever for a private security company in tech history,” Alex Clayton, a general partner at Meritech Capital, told WSJ.

“There are two advantages of Google acquiring Wiz,” Ray Wang, principal analyst and founder of Constellation Research, told CSO. “One, cloud security is hot and allows Google to cut into AWS and Azure clients, and two, having Wiz would give them some consistently large workloads to monetize.”

If you’re wondering why cloud security is hot, I need only mention AT&T, which recently disclosed that the records of “nearly all” of its cellular customers had been breached. Well, those records came from its cloud provider Snowflake, and that was not the first time Snowflake has been attacked and possibly breached. Azure has also suffered some serious breaches, and has been accused of a “repeated pattern of negligent cybersecurity practices.” AWS has had its share of data breaches as well.

So, yeah, a cloud service better have good cybersecurity.


What We Can Learn From the Change Healthcare Hack

By ZACHARY AMOS

The health care sector is no stranger to cyberattacks. Still, large incidents like the February 2024 ransomware attack on Change Healthcare are enough to shake up the industry. In the wake of such a massive breach, medical organizations of all types and sizes should take the opportunity to review their security postures.

What Happened in the Change Healthcare Cyberattack

On February 21, Change Healthcare — the largest medical clearinghouse in the U.S. — suffered a ransomware attack, forcing it to take more than 100 systems offline. Many of its electronic services remained down for weeks, with full restoration taking until early April.

A week after the attack, the infamous ransomware-as-a-service gang BlackCat claimed responsibility. BlackCat was also responsible for 2021’s Colonial Pipeline shutdown and several attacks on health care organizations throughout 2023. This latest act against Change Healthcare, however, stands as one of its most disruptive yet.

Because Change and its parent company — UnitedHealth Group (UHG) — are such central industry players, the hack had industry-wide ripple effects. A staggering 94% of U.S. hospitals suffered financial consequences from the incident and 74% experienced a direct impact on patient care. Change’s services affect one in every three patient records, so the massive outage created a snowball effect of disruptions, delays and losses.

Most of Change’s pharmacy and electronic payment services came back online by March 15. As of early April, nearly everything is running again, but the financial fallout continues for many enterprises reliant on UHG, thanks to substantial backlogs.

What It Means for the Broader Health Care Sector

Considering the Change Healthcare cyberattack affected almost the entire medical sector, it has significant implications. Even the few medical groups untouched by the hack should consider what it means for the future of health care security.

1. No Organization Is an Island

It’s difficult to ignore that an attack on a single entity impacted almost all hospitals in the U.S. This massive ripple effect highlights how no business in this industry is a self-contained unit. Third-party vulnerabilities affect everyone, so due diligence and thoughtful access restrictions are essential.

While the Change Healthcare hack is an extreme example, it’s not the first time the medical sector has seen large third-party breaches. In 2021, the Red Cross experienced a breach of over 515,000 patient records when attackers targeted its data storage partner.

Health care enterprises rely on multiple external services and each of these connections represents another vulnerability the company has little control over. In light of that risk, it must be more selective about who it does business with. Even with trusted partners like UHG, brands must restrict data access privileges as much as possible and demand high security standards.

2. Centralization Makes the Industry Vulnerable

Relatedly, this attack reveals how centralized the industry has become. Not only are third-party dependencies common, but many organizations depend on the same third parties. That centralization makes these vulnerabilities exponentially more dangerous, as one attack can affect the whole sector.

The health care industry must move past these single points of failure. Some external dependencies are inevitable, but medical groups should avoid them wherever possible. Splitting tasks between multiple vendors may be necessary to reduce the impact of a single breach.

Regulatory changes may support this shift. During a Congressional hearing on the incident, some lawmakers expressed concerns over consolidation in the health care industry and the cyber risks it poses. This growing sentiment could lead to a sector-wide reorganization, but in the meantime, private companies should take the initiative to move away from large centralized dependencies where they can.


Your Water, or Your Life

By KIM BELLARD

Matthew Holt, publisher of The Health Care Blog, thinks I worry too much about too many things. He’s probably right. But here’s one worry I’d be remiss in not alerting people to: your water supply is not as safe – not nearly as safe – as you probably assume it is.

I’m not talking about the danger of lead pipes. I’m not even talking about the danger of microplastics in your water. I’ve warned about both of those before (and I’m still worried about them). No, I’m worried we’re not taking the danger of cyberattacks against our water systems seriously enough.

A week ago the EPA issued an enforcement alert about cybersecurity vulnerabilities and threats to community drinking water systems. This was a day after EPA head Michael Regan and National Security Advisor Jake Sullivan sent a letter to all U.S. governors warning them of “disabling cyberattacks” on water and wastewater systems and urging them to cooperate in safeguarding those infrastructures.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” the letter warned. It specifically cited known state-sponsored attacks from Iran and China.

The enforcement alert elaborated:

Cyberattacks against CWSs are increasing in frequency and severity across the country. Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.

NextGov/FCW paints a grim picture of how vulnerable our water systems are:

Multiple nation-state adversaries have been able to breach water infrastructure around the country. China has been deploying its extensive and pervasive Volt Typhoon hacking collective, burrowing into vast critical infrastructure segments and positioning along compromised internet routing equipment to stage further attacks, national security officials have previously said.

In November, IRGC-backed cyber operatives broke into industrial water treatment controls and targeted programmable logic controllers made by Israeli firm Unitronics. Most recently, Russia-linked hackers were confirmed to have breached a slew of rural U.S. water systems, at times posing physical safety threats.

We shouldn’t be surprised by these attacks. We’ve come to learn that China, Iran, North Korea, and Russia have highly sophisticated cyber teams, but, when it comes to water systems, it turns out the attacks don’t have to be all that sophisticated. The EPA noted that over 70% of water systems it inspected did not fully comply with security standards, including basic protections such as not allowing default passwords.

NextGov/FCW pointed out that last October the EPA was forced to rescind requirements that water agencies at least evaluate their cyber defenses, due to legal challenges from several (red) states and the American Water Works Association. Take that in. I’ll bet China, Iran, and others are evaluating them.

“In an ideal world … we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that,” Alan Roberson, executive director of the Association of State Drinking Water Administrators, told AP. “But that’s a long ways away.”

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, told Security Magazine: “The safety of the U.S. water supply is in jeopardy. Rogue nation states are frequently targeting these critical infrastructures, and soon we will experience a life-threatening event.” That doesn’t sound like a long ways away.


Where’s Our National Health Tech Academy

By KIM BELLARD

It has been said that if your company has a Chief Innovation Officer or an Innovation Department, it’s probably not a very innovative company. To be successful, innovation has to be part of a company’s culture, embraced widely, and practiced constantly.  

Similarly, if your company has a Chief Digital Officer, chances are “digital” is still seen as a novelty, an adjunct to the “real” work of the company. E.g., “digital health” isn’t going to have much effect on the healthcare system, or on the health of those using it, until it’s a seamless part of that system and their lives.

What got me thinking about this, oddly enough, was a report from the U.S. Government Accountability Office (GAO) as to the advisability of a Federal Academy – “similar to the military academies” – to develop digital expertise for government agencies.  As the GAO noted: “A talented and diverse cadre of digital-ready, tech-savvy federal employees is critical to a modern, efficient government.”

Boy, howdy; you could say that about employees in a “modern, efficient” healthcare system too. 


You Need a Cyber Team

By KIM BELLARD

Maybe you, like me, are an Olympics fan (in my case: Summer Games, track & field). Most Americans look forward eagerly to the Super Bowl, while the rest of the world (and, increasingly, many in the U.S.) are waiting for the World Cup. But too few of us are aware that next summer will be the inaugural International Cyber Security Challenge, an esports event that pits teams from multiple countries against each other in cybersecurity skills. The U.S. is sending a 25-person team.

So what, you might say?  Well, if you work in healthcare (or any industry, for that matter), or use any kind of digital device, you should care.  Ransomware attacks on healthcare organizations continue to proliferate. The Colonial Pipeline cyberattack this past spring illustrated the weakness of other parts of our critical infrastructure, and we’ve all almost certainly had some of our personal data exposed in data breaches.    

We’re in a war, but it’s not clear that we have the right army, with the right weapons, ready to fight it. Thus the U.S. Cyber Games.


The Year of the Hacker

2015 was the year health care got serious about cyber security.

Hackers gave the industry no other choice.

The year started with a massive data breach at Indianapolis-based Anthem Inc., which the health insurer revealed on Feb. 4. Hackers roamed around in Anthem’s computers for six weeks and stole personal and financial information of 78.8 million customers, as well as the information of 8.8 million customers at Blue Cross and Blue Shield plans not owned by Anthem.

There have been 269 data breaches at health care organizations this year, according to statistics collected through Dec. 22 by the Identity Theft Resource Center. That’s actually down from 2014, when health care organizations suffered 333 breaches.

But the number of records stolen has soared to 121.6 million, up from less than 8.4 million records in 2014. Even without the Anthem breach, there were still 34 million records stolen this year from health organizations.

The health care industry accounted for one out of every three breaches recorded by the Identity Theft Resource Center.

“They can and are trying to break into everything,” Doug Leonard, president of the Indiana Hospital Association, said of hackers. He added, “It’s really on everybody’s radar screen in the health care industry.”

In a survey released in August by consulting firm KPMG, 81 percent of health care executives said their organization had suffered a cyber attack in the previous two years and 13 percent said they were being attacked daily.
