The Power of Community – What CIOs Can Do to Improve Security Through Collaboration

One of the only collections that has moved with me through the years has been a number of old 5.25” floppy disks and several floppy drives.  For those of you who have not used these, they are bigger than the disk the Save icon is modeled after, which is 3.5”.  Even though the bulk of what I use on my Commodore 64 now sits on SD cards, there are still some old files I want to convert and use again.  I also want to free up some space in my now-packed home office.

To convert my old personal collection, I found a device called a Kryoflux, which is a USB device that plugs between a computer and one or two floppy disk drives.  It allows you to read these disks and convert them into formats that emulators of older computers can use.  It also allows you to write them out to actual floppy disks if you want to use them on real hardware.  It is only available from Germany.

I ordered this device online, paid the shipping, and waited 2-3 weeks for this device to arrive at my house.  It did not arrive.  However, an email from a former CISO who lived in my neighborhood did, complete with a picture of the package.  For some reason, the package arrived at his house instead.  He drove it over later that day and dropped it off.  We talked for a few minutes about his new job and what city he and his family will be living in next.

He did not need to do this.  He could have done any number of things that would have led to the package disappearing into the Dead Letter Office, never to be seen again.  I am thankful for him doing so.

It is times like this that I value the security community and the great people in it.  While much has been said about its divisiveness, there is not enough said about the quiet collaboration that happens daily.

One of the highlights of the past year has been the work within the security community to collaborate, identify, and address threats.  Healthcare has not been known for this.  However, over the past year, through the efforts of many, we are changing this.  Today’s article is for the CIOs that have not fully embraced this yet.  We will cover several tips you can use to improve your organization.

Encourage Social Media Use by Your CISO and CIO:  I know this sounds like the diametric opposite of security; however, it is not.  We have been contacted by security researchers over Twitter and LinkedIn.  It is also one of the only ways that we can reach out to contact organizations when we find information.  A significant amount of traffic on the Healthcare Information Sharing and Advisory Center (H-ISAC) and Research, Education, and Networking Information Sharing and Advisory Center (REN-ISAC) mailing lists is about how to contact organizations that have been affected by attacks and may not be aware.  I have had to resort to contacting non-security team members on social media to find security contacts to address threats.  In one case, this involved contacting a doctor I worked for at a previous employer on Facebook.  It does not matter if you have a large security team if no one can reach them over emergent threats.

Send Your Team To Conferences:  There are many security conferences out there that provide excellent content.  Invest in sending your team members to DEFCON, Black Hat, and smaller conferences like BSides.  The information they will learn and relationships they will build are worth it.

Take Advantage of the American Hospital Association’s Guidance and Resources:  In a short time, John Riggi, who is the Senior Advisor for Cybersecurity and Risk for the American Hospital Association (AHA), has put together significant cybersecurity resources for hospitals and healthcare systems of all sizes.  The guidance they put out is timely, valuable, and provides useful information for C-suites to use to make critical decisions regarding security.  As most hospitals are AHA members, it is a benefit that you cannot pass up.  Their conferences and publications also now have cybersecurity components, and can help you educate everyone from the board down to your individual contributors.  In addition, if you need to reach someone regarding an issue, it helps to have their credibility behind you in trying to make contact.

Join H-ISAC and/or REN-ISAC:  These organizations provide incredibly valuable advice to organizations.  This includes significant information on emerging threats.  They also have valuable discussions and collaborations through their mailing lists, conferences, and webinars.  Both groups provide valuable information we utilize in organizational and leadership communication.  They are excellent resources.

Leverage HIMSS Resources:  HIMSS has a bi-annual Security Forum and a Cybersecurity Forum that is held the day before the main annual conference.  They also provide numerous webinars and publications available throughout the year.  Their leadership emphasizes security.  They have consistently provided excellent cybersecurity resources for the community.  Their forums provide excellent networking opportunities to meet peers and exchange information.  We have also used them to share security information with our peers.

Leverage CHIME/AEHIS Resources:  CHIME, the College of Healthcare Information Management Executives, provides networking and numerous events for CIOs.  Their events, which are held throughout the year, provide excellent resources for networking and collaborating on cybersecurity.  They also have a focus on addressing the numerous management challenges faced by CIOs, especially with the numerous emergent threats.

AEHIS, their organization for CISOs, is relatively new.  However, many organizations that do not participate in HIMSS do participate in this one.  I have used the membership lists to find CISOs and CIOs for organizations that I need to contact.  CHIME and AEHIS also provide excellent programming for their members.  The membership fee is completely worth it.

Given the threat ransomware posed five years ago, this is a grave statement.  This is also something that CIOs need to put front and center, especially with COVID-19 increasing the use of Internet of Things, remote work, and telemedicine.  We have more and newer risks, and proportionally less resources to address them if we don’t collaborate.

Join Infragard if you Haven’t Already:  Infragard, the non-profit partnership between the FBI and members of the private sector for the protection of critical US infrastructure, has a significant number of healthcare members.  Their portal and mailing lists provide ways to collaborate between organizations, as well as information you can use.  The opportunities to participate in tabletop exercises, conferences, and forums between members are of significant benefit.

Make it Easy to Contact Information Security:  You don’t need to go as far as publishing contact info on the web site, even though that would be very nice.  Even just having workflows in your Help Desk system for addressing external security issues is of greater benefit than having to explain to a very confused Service Desk associate why someone from another organization is calling.  The number of times I have had to call service desks directly to warn them that team members have had compromised accounts or have had compromised machines attacking networks bears witness to this.

Conclusion:

The only reason why I was able to make backup copies of disks that still work is because someone I knew from the security community had my info from previous collaborations and drove that package over to me.  Extrapolating this to our organizations, the only way we can protect ourselves against numerous emergent threats is also through collaboration.  We can prevent information about threats from going to the Dead Letter Office, bit bucket, if you like Linux or UNIX, /dev/null, or if you’re like me with old Commodore systems, NIL:.  With the continued and increasing existential threats to our business, we need to open up to protect ourselves.  The old method of standing isolated just doesn’t work anymore for us.  Before, the CIO was the only person who really interfaced outside the organization.  In the words of the GZA from the Wu-Tang Clan, we need to form like Voltron to build depth and collaborate together, and include Security.

About the author

Mitch Parker, CISO

Mitchell Parker, MBA, CISSP, is the CISO at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.
