
The Economics of Cybersecurity


52 Horizons Fall 2017

Commentary

The world is facing a growing prevalence of increasingly sophisticated, targeted, and malicious cyberattacks. This new reality forces us to continually evolve our understanding of our cyberenvironment and to re-evaluate and update our security posture in ways that minimize the growing cyberrisks to ourselves, our infrastructure, and our businesses. In doing so, we must recognize that any comprehensive cybersecurity strategy includes more than just technical elements. It must also include aspects of leadership, societal, and corporate culture and encompass larger economic and even sociopolitical elements (e.g., national security).

The annual global spend on cybersecurity is approaching $100 billion while global losses to businesses due to cyberincidents are nearing $1 trillion [1]. We are clearly underspending on security, but do we need to spend $1 trillion to avoid the loss of $1 trillion? The truth probably lies somewhere in between, and the right approach may not be to just spend more, but also to spend smarter.

This opens up the larger question of "cybersecurity economics," which in turn breaks down into three main themes and their associated questions:

1. The underground economy. What does today's underground marketplace look like, and how do financially motivated cybercriminals actually make money? How does the hacker economy work and what are the goods, tools, and services being traded? Who are the actors and what are their motivations and interests? Who do they include besides nation-states, cyberactivists, hackers-for-hire, and individuals of varying motivation and interests?

2. Cybersecurity impact. How do cybercompromises affect our businesses and society? How much are we investing in cybersecurity, and relative to that, what are the resulting losses (or risks of loss) to businesses, communities, and individuals? How do we quantify and estimate the actual and potential financial consequences of a cyberincident?

3. Leadership and business decision making. How does an executive leader make sure they are investing enough in cybersecurity? How do they know how much risk reduction or transfer is appropriate to protect their business from losses due to a cyberincident? What is the right level of budgeting, technology, staffing, and insurance? And how do they justify an investment in cybersecurity when the costs are hard but it is difficult to demonstrate the resulting soft benefits?

This article will provide the reader with a deeper understanding of their security and business risks relative to the ever-changing threat landscape. Understanding how the underground economy operates, the potential financial implications of a cyberincident, and the role of executive leadership is critical to addressing cyberrisks and minimizing any potential harm. The healthcare industry must be especially vigilant due to the high value of protected health information (PHI), the relative vulnerability of its systems, and the need to maintain clinical operations and ensure care delivery and patient safety.

Today's Underground Economy

To understand the sheer size of the underground economy, we can look at the very basic metrics of malware production. In 2008, more than 1 million new viruses were produced in a year. That number grew to more than 1 million every day by 2016 [2]. Malware production is now run as a business that includes tools to build, test, obfuscate, deliver, and manage malware.

About the Author

Axel Wirth, CPHIMS, CISSP, HCISPP, is distinguished technical architect at Symantec in Cambridge, MA.

Email: [email protected]

© Copyright AAMI 2017. Single user license only. Copying, networking, and distribution prohibited.

The sheer volume of malware presents a challenge, as does the increase in sophistication and the ability to target unique applications at specific organizations to reach very specific goals. Even though Windows and Android are the most common operating systems and take much of the heat, any other operating system, database software, application, runtime environment, or website platform is a potential target.

In addition to malware, the underground economy includes a market for everything of value: information (e.g., stolen identities, intellectual property), hacking tools and services, vulnerabilities (especially the highly prized and highly priced "zero-day" vulnerabilities [3]), attack hosting services, distributed denial-of-service attacks, and services provided by hackers-for-hire (i.e., cybercrime as a service [CaaS] [4]). CaaS has fundamentally changed the underground economy and cybercrime. Today, anybody with money and malicious intent, no matter what the motivation, can hire a "smart guy" or rent the tools to get the deed done.

Reports published over the past few years indicate that stolen health records sell for 10 to 20 times the value of a credit card number [5]. In reality, underground market pricing is a bit more complex than that. Recently, stolen Australian Medicare card details were priced at 0.0089 bitcoin per patient, or about $22 [6]. But mass patient data dumps have also been offered at discounted prices as low as $1 to $2 per record [7], and we have even seen free data dumps used to support extortion schemes [8]. In summary, medical record pricing varies widely based on the intent of the seller and the type of data available. Supply and demand apply to the underground economy all the same.

Table 1 demonstrates additional complexity in this underground economy. Simple credit card numbers may indeed be priced below $1, but more complete card information (i.e., full cardholder details, magnetic stripe track data, and the personal identification number) may price up to $100.


Medical data are generally recognized as having a higher value than other types of data because they are typically:

• Very comprehensive. Medical data may include the victim's name, address, date of birth, payment and financial account data, health insurance data, medical history, and sometimes even next of kin or photos.

• Long-lived. Unlike credit card numbers, medical records and insurance numbers are more difficult to change and often have a lifetime value.

• Monetizable in a variety of ways. Medical records can be used for traditional identity theft, medical insurance theft, fraud, drug abuse, blackmail, and extortion [9].

• Valuable for political espionage. Combining vaccination information with government employment data may indicate upcoming foreign travel, or state actors may identify government employees with high medical bills who could be open to compromise.

Attractive data held by healthcare organizations are not limited to PHI. They also include personally identifiable information, human resource data (e.g., contracts and salaries), financial and business information, research and intellectual property, and network and system credentials.

The value of medical data is generally believed to be high. However, it can be difficult to benefit from that value. The complexity and effort required to monetize medical data may discourage hackers as many of them tend to be opportunistic.

Ransomware provides a useful example of the evolution of cybercrime trends and how opportunity drives the market. Ransomware is following several trends [10]:

• Attacks are moving from being largely indiscriminate to more targeted.

• Hackers are using advanced attack techniques similar to those used in cyberespionage attacks.

• The size of ransom demands is increasing. The average ransom demand is now $1,077, up from $294 in 2015.

• More ransomware programs are being released. A record high of 98 new ransomware families were discovered in 2016, up from 30 in previous years.

• The advent of CaaS-based ransomware means that a larger number of cybercriminals will participate, including those with relatively low levels of expertise.

• Cryptoransomware software is becoming more advanced.

• Hackers are developing new models (e.g., encrypting over already ransomed files, fake ransomware that hides a more destructive cyberattack) [11].

Ransomware attacks have affected the healthcare industry in particular due to its fairly low security posture, the prevalence of legacy or unpatched systems, the relatively high value of data to the organization, and the pressure to restore interrupted operations.

Beyond the confidentiality of health data (e.g., a breach) and its availability (e.g., ransomware), we must also consider its integrity (i.e., accuracy of data). Falsified data could be used to harm a patient, ruin the reputation of a healthcare provider, or reach certain political goals (e.g., the publication of falsified medical records of 2016 presidential candidate Hillary Clinton [12]). The tricky part about data integrity is that an attacker may not have to actually manipulate the data. To create uncertainty and even disruption, they just need to create doubt in the accuracy of the information.

Table 1. Common underground market pricing as observed in 2016. Source: reference 2.

Type of data                                                    Price ($)
Single credit card                                              0.5–30
Single credit card with full details ("fullz")                  20–60
Magnetic stripe track data and personal identification number   60–100
Banking trojan (with support)                                   100
Password trojan                                                 25–100
Android banking trojan                                          200
Malware crypter service                                         20–40
Ransomware kit                                                  10–1,800
Media streaming service                                         0.10–10
Hotel award program (100,000 points)                            10–20
Frequent flyer program (10,000 miles)                           5–35
Denial-of-service attack (<1 hour)                              5–20
Denial-of-service attack (>24 hours)                            10–1,000
Bank accounts                                                   0.5–10% of balance
Cloud service account                                           6–10
Identity (name, social security number, date of birth)          0.1–1.50
Scanned documents (passport, utility bill)                      1–3

The Financial Impact of Cyberincidents

In the past, the main cybersecurity items of concern were workstations and servers. Our understanding has evolved: we now focus on the business value of the data itself (due to ransomware threats) and are starting to consider more complex risk scenarios such as cyber-physical systems (e.g., medical devices, building systems), business operations (i.e., in healthcare, the ability to deliver care), and supply chains (e.g., the Petya ransomware attack on shipping giant A.P. Moller-Maersk [13]). Global cybersecurity events have greatly affected businesses (e.g., FedEx's TNT unit may never fully recover from a June 2017 cyberattack, and the revenue lost could materially affect financial results [14]).

The Ponemon Institute is a leader in the in-depth study of the costs of cybersecurity incidents and breaches. Summarizing an editorial by Larry Ponemon [15], organizations need to realize that:

• Data breaches are now a cost of doing business, and that cost needs to be incorporated into an organization's data protection strategies.

• The biggest financial consequence of a data breach is lost business.

• Most data breaches are now caused by crimi-nal and malicious attacks. These breaches also take the most time to detect and contain.

• The longer it takes to detect and contain a breach, the more costly it becomes.

• Highly regulated industries such as healthcare and financial services have the most costly data breaches.

• Improvements in data governance and incident response plans will reduce the cost of a breach.

• Investments in certain security technologies are important for preventing and reducing the cost of data breaches.

The Ponemon Institute's 2017 Cost of Data Breach Study (United States) summarizes the financial effects of cybercrime [16]:

• The average cost of a breach has reached an all-time high of $225 per record.

• Healthcare organizations had the highest cost, at $380 per record (increased from previous years).

• Healthcare has the third-highest churn rate (abnormal customer loss) after a breach (5.5%).

• Across all industries, malicious attacks (as compared with a system glitch or human error):

– Remain the largest category of breaches (52%).

– Have the highest cost ($244 per record).

– Take the longest to identify (235 days, on average) and to contain (68 days).

Table 2 details the costs that need to be considered when estimating the effects of a breach [17].

Assessing how a cyberincident affects an organization's finances is complex, and the incident can be costly to many facets of an organization. In addition to actual hard costs (e.g., information technology [IT] remediation efforts), there are legal and regulatory costs (e.g., fines, lawsuits) and indirect costs resulting from loss of business and effects on reputation.

Studies of the costs related to a security incident examine cyberinsurance claims [18] and demonstrate the major financial risk of a security incident (Table 3). Other helpful online tools are available to estimate the likelihood and/or financial effects of a security incident [19–21].

Table 2. Potential effects of a protected health information breach. Source: reference 17.

Reputational: loss of patients, customers, partners, and/or staff.
Financial: recovery, remediation, communication, insurance, changing vendors, business distractions.
Legal/regulatory: federal fines and penalties, state fines and penalties, lawsuits, accreditation.
Operational: new hires, recruiting and training, reorganization.
Clinical: claims processing, lost billing, delayed or inaccurate diagnosis, impact on research.
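The estimation question raised in the introduction (how to quantify the actual and potential financial consequences of a cyberincident) and the accept/mitigate/transfer decision that the cost figures above feed into can be worked through with a small Monte Carlo loss model of the kind the FAIR approach (reference 1) popularized. The Python below is an added example and is not part of the article or of any of the cited calculators. Every input except the $380 per-record healthcare cost quoted above is an assumption (annual breach probability, median number of records exposed and its spread, control cost, premium, retention, and limit), and the `Scenario`, `retained_loss`, `draw_trials`, `simulate`, `summarize`, and `cheapest` names are the example's own.

```python
"""Monte Carlo breach-loss model: accept vs. mitigate vs. transfer.

Added example, not from the article. All inputs except the $380 per-record
healthcare figure (Ponemon 2017, quoted in the text) are assumptions.
"""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One way of treating the same breach risk."""
    name: str
    breach_probability: float  # assumed annual probability of a breach
    annual_cost: float         # what the option itself costs per year
    deductible: float = 0.0    # insurance retention (with limit 0: no policy)
    limit: float = 0.0         # insurance limit stacked above the deductible


def retained_loss(loss: float, deductible: float, limit: float) -> float:
    """Loss the organization keeps after the insurer pays its layer.

    The policy pays the slice between `deductible` and `deductible + limit`;
    the insured keeps everything below the deductible and above the limit.
    """
    if limit <= 0:
        return loss
    kept_below = min(loss, deductible)
    kept_above = max(0.0, loss - deductible - limit)
    return kept_below + kept_above


def draw_trials(n: int, seed: int, median_records: float, sigma: float,
                cost_per_record: float) -> list[tuple[float, float]]:
    """Pre-draw (u, gross_loss) pairs that every scenario reuses.

    u is a uniform draw each scenario compares against its own breach
    probability; gross_loss is an assumed lognormal record count times the
    per-record cost. Sharing the draws keeps the comparison apples-to-apples:
    lowering the probability can only turn breach years into quiet years.
    """
    rng = random.Random(seed)
    trials = []
    for _ in range(n):
        u = rng.random()
        records = rng.lognormvariate(math.log(median_records), sigma)
        trials.append((u, records * cost_per_record))
    return trials


def simulate(scenario: Scenario, trials: list[tuple[float, float]]) -> list[float]:
    """Retained loss for each simulated year under one scenario."""
    return [
        retained_loss(gross, scenario.deductible, scenario.limit)
        if u < scenario.breach_probability else 0.0
        for u, gross in trials
    ]


def summarize(scenario: Scenario, trials: list[tuple[float, float]]) -> dict[str, float]:
    """Expected loss, 95th-percentile loss, and total expected annual cost."""
    losses = sorted(simulate(scenario, trials))
    expected = statistics.fmean(losses)
    p95 = losses[int(0.95 * (len(losses) - 1))]
    return {
        "expected_loss": expected,
        "p95_loss": p95,
        "total_expected_cost": expected + scenario.annual_cost,
    }


def cheapest(scenarios: list[Scenario], trials: list[tuple[float, float]]) -> str:
    """Name of the option with the lowest expected annual cost (loss plus spend)."""
    return min(scenarios, key=lambda s: summarize(s, trials)["total_expected_cost"]).name


if __name__ == "__main__":
    # Constructed inputs: 25% annual breach probability, median 5,000 records
    # exposed with a wide spread (sigma 1.0), $380 per record.
    trials = draw_trials(n=20_000, seed=2017, median_records=5_000,
                         sigma=1.0, cost_per_record=380.0)
    options = [
        Scenario("accept (do nothing)", 0.25, annual_cost=0.0),
        Scenario("mitigate (control cuts probability to 15%)", 0.15, annual_cost=150_000.0),
        Scenario("transfer ($50k retention, $5M limit)", 0.25, annual_cost=120_000.0,
                 deductible=50_000.0, limit=5_000_000.0),
    ]
    for option in options:
        s = summarize(option, trials)
        print(f"{option.name:48s} E[loss]={s['expected_loss']:>12,.0f} "
              f"P95={s['p95_loss']:>12,.0f} total={s['total_expected_cost']:>12,.0f}")
    print("lowest expected annual cost:", cheapest(options, trials))
```

Because all three options are scored against the same pre-drawn breach years, the control can only lower the loss in years where a breach would have occurred, and the policy can only reduce the retained share; the comparison therefore isolates the economics of each treatment rather than simulation noise. Replace the constructed inputs with the organization's own breach history, record counts, control costs, and quoted premium before drawing any conclusion about what to budget, mitigate, or insure.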


Leadership and Business Decision Making

Cybersecurity awareness has not fully reached the executive and board level of the majority of businesses. Many remain stuck in "denial" or "worry" phases. Or, even worse, they may take on a position of false confidence [22]. Many may not perceive cybersecurity as a value-add component to their business [23]. Cybersecurity requires hard costs but yields soft benefits. This makes it difficult to demonstrate a cybersecurity-related return on investment. Considering those cybersecurity-related investments requires sound judgment in the absence of hard data [24].

Yet many executives are at least aware of the problem. A recent study by the A.T. Kearney Global Business Policy Council [25] examined business executives' views of developments that could affect the global business operating environment. Their number-one concern was that cyberattacks will become more frequent and costly, with 85% believing it to be a likely disrupter over the next 12 months (ahead of concerns around Brexit, political populism, economic and financial volatility, or global commodity pricing). Furthermore, executives rated cybersecurity risks as their leading operational challenge, well ahead of concerns about innovation, business efficiency, and technology adoption. Clearly, cyberrisks are becoming an executive and boardroom concern. But is the appropriate action being taken?

The effects of a large cybersecurity incident can reflect a failure of board members to uphold their fiduciary duties. Although techni-cal details about security architecture and day-to-day security decisions should not be a board’s concern, enabling a strong cybersecurity posture and being informed about an organiza-tion’s current state should be. Similarly, technical security leadership (e.g., a chief information officer or chief information security officer) bears the responsibility for communicating cybersecurity issues in the context of what is relevant to the board.

A study by the Health Information and Management Systems Society and Symantec26 from March 2017 revealed that healthcare security budgets are trending up, with 25% now spending 7% to 10% of their IT budgets on security (up from 10% in 2015). Still, 65% of organizations are spending 6% or less. Although the distribution of employees allocated to IT security also increased in 2016 (with 13% of organizations now reporting 6–10 employees and 11% reporting 11–20) budget and staffing were still ranked as the biggest barriers to higher levels of confidence in respondents’ security programs (Figure 1).

Cybersecurity Resources for Board Members

The Department of Justice provides guidelines to improve the cybersecurity awareness of organizations [27]. The guidance includes understanding how a business could be affected by a security incident, establishing a plan for emergency decision making (technical and nontechnical), and assessing the potential legal, regulatory, and compliance impacts of an incident [27]. The Information Systems Audit and Control Association provides further cybersecurity guidance for board members [28], and the National Association of Corporate Directors lays out five key cybersecurity principles [29]:

1. Understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.

2. Understand the legal implications of cyberrisks as they relate to the company's specific circumstances.

3. Boards should have adequate access to cybersecurity expertise, and discussions about cyberrisk management should be given regular and adequate time on the board meeting agenda.

4. Directors should set the expectation that management will establish an enterprisewide cyberrisk management framework with adequate staffing and budget.

5. Board-management discussion of cyberrisk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Table 3. Example costs due to security incidents in a 2016 NetDiligence study. Source: reference 18.

Category                     Subcategory                    Mean cost ($)   No. of claims
Crisis service costs         Forensics                            179,091   106
                             Notification                         168,729    53
                             Credit/identity monitoring           280,529    57
                             Legal guidance/breach coach          101,029   109
                             Public relations/other                54,218    34
Legal damages                Legal defense                        129,515    17
                             Legal settlement                     814,700     9
Regulatory action            Defense                            2,908,082     2
Payment card industry fines  Payment card industry                461,661     8


Figure 1. Information technology (IT) security budgets as part of total IT budget

The Challenges of Healthcare Cybersecurity

Compliance and cybersecurity are two related yet separate objectives, and everyone involved must understand the difference. For too long, we have equated compliance with cybersecurity. Too many organizations were perfectly compliant yet still incurred breaches (e.g., Target and Heartland Payment Systems, which were both PCI [payment card industry] compliant [30]).

In healthcare, we have more than a decade of Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance behind us. Yet the annual number of breach events stays fairly constant [31]. The hard truth is that "compliance" only works if your enemy is the compliance auditor [32]. In the real world of security, it is a different battle against a highly skilled, unforgiving, and mostly unknown enemy.

One common conflict is between the need to share security information and best practices (potentially even with competitors) and the perceived business and legal conflicts. The Cybersecurity Information Sharing Act of 2015 protects and encourages such information sharing [33]. Information sharing is a vital resource for critical infrastructure security and resilience, and it is essential to the protection of critical infrastructure (e.g., healthcare) [34]. For the healthcare industry, the nonprofit National Health Information Sharing and Analysis Center (NH-ISAC) was established in 2010 to share information and intelligence on cyberthreats and vulnerabilities [35].

Although technology is the foundation of any good security program, cybersecurity professionals should not fool themselves into thinking that they can win an arms race between attack and defense tools. What is much more important is assembling the right teams, establishing processes that are nimble and adaptable, and developing and implementing a tested incident response plan. Note that incident response is not only a technical process. It also includes business decision making around regulatory reporting, public statements, operations, and care delivery decisions.

Business cybersecurity risks represent both a problem for individual organizations and a concern for our national and global economies. According to a recent study by Lloyd's of London, a major global cyberattack could cause $53 billion in economic losses, comparable to a catastrophic natural disaster such as Superstorm Sandy in 2012 [36]. The effects of the major global cyberevents seen so far (e.g., WannaCry, estimated cost $8 billion; Petya, estimated cost $850 million) are relatively small compared with such a potential catastrophic global event.


A hospital executive, board member, or other business decision maker, together with his or her peers on the IT and technology side, needs to think about cybersecurity in business risk terms, not just technical terms. He or she must be willing to accept cybersecurity responsibility by defining the business's risk tolerance, establishing governance, determining the appropriate risk metrics and the right processes, and enabling the technical teams to do their jobs through empowerment, budgeting, and staffing, as well as education and workforce development. Most importantly, decision makers in all organizations must establish a culture that values and practices cybersecurity.

References1. FAIR Institute Blog. Cyber Economics: Smarter

(vs. More Expensive) Cybersecurity, May 30, 2017.

Available at: www.fairinstitute.org/blog/

cyber-economics-smarter-vs-more-expensive-

cybersecurity. Accessed July 14, 2017.

2. Symantec Corp. 2017 Internet Security Threat

Report. Available at: www.symantec.com/

security-center/threat-report. Accessed July 14, 2017.

3. PC Tools. What is a Zero-Day Vulnerability?

Available at: www.pctools.com/security-news/

zero-day-vulnerability. Accessed Sept. 15, 2017.

4. Khandelwal S. Two New Platforms Found Offering

Cybercrime-as-a-Service to ‘Wannabe Hackers’,

July 14, 2017. Available at: http://thehackernews.

com/2017/07/cybercrime-as-as-service.html.

Accessed July 17, 2017.

5. Humer C, Finkle J. Your Medical record Is Worth

more to Hackers Than Your Credit Card. Available

at: www.reuters.com/article/us-cybersecurity-

hospitals-idUSKCN0HJ21I20140924. Accessed

July 14, 2017.

6. Farrell P. The Medicare Machine: Patient Details

of ‘Any Australian’ for sale on Darknet. Available at:

www.theguardian.com/australia-news/2017/jul/04/

the-medicare-machine-patient-details-of-any-

australian-for-sale-on-darknet. Accessed July 14, 2017.

7. Doe D. 655,000 Patient Records for Sale on The

Dark Net after Hacking Victims Refuse Extortion

Demands. Available at: www.dailydot.com/

layer8/655000-patient-records-dark-net. Accessed

July 14, 2017.

8. DataBreaches.net. TheDarkOverlord Dumps

180,000 Patients’ Records from 3 Hacks. Available

at: www.databreaches.net/thedarkoverlord-

dumps-180000-patients-records-from-3-hacks.

Accessed July 14, 2017.

9. Cerniauskas S. Lithuania: Cybercriminals Blackmail


A hospital executive, board member, or other business decision maker and his or her peers on the IT and technology side need to think about cybersecurity in business risk terms, not just technical terms.

© Copyright AAMI 2017. Single user license only. Copying, networking, and distribution prohibited.


