That’s all I can say after last week’s very successful (in the eye of the writer), very crowded (50,000 in a construction zone?), and sometimes overwhelming (parties?) RSA. Anyone in attendance would agree that the intensity, the depth of conversation, and even the innovation was a step up from previous years.  But so was the angst.  Read on!

At Cavirin, we introduced CyberPosture Intelligence to the world, along with an accompanying survey on hybrid cloud security that speaks to the necessity and timeliness of our approach.  As a reminder, CyberPosture Intelligence:

  • Provides actionable intelligence for the CISO and stakeholders to take control by delivering continuous risk, cybersecurity, and compliance management across hybrid environments.
  • Offers continuous compliance for the hybrid cloud and eliminates the gaps and risks inherent with current approaches.
  • Secures both the public cloud control plane as well as target hybrid cloud workloads (servers), on-premise, within the public cloud, and within containers.

This last point is especially important, given the need to protect critical workloads in the cloud. Having a solution that only looks at the servers, or the cloud account itself, leaves you half-blind, half-protected. You need real ‘situational awareness’ where you’re immediately made aware of any drift from your ‘golden posture’ and, from there, can take appropriate action. 

At the same time, you need a simple deployment based on a technology-agnostic solution that delivers as close to single click scoring as practical, contrasting with multiple stove-piped tools, manual processes, and point-in-time assessments.  An approach that cuts through the noise to offer real, actionable guidance to protect the hybrid cloud, 24x7.

Similarly, a well-developed GDPR plan should be put in place for implementation. On May 25, the GDPR regulation will officially take effect in the EU, inevitably impacting companies beyond those borders.  According to a recent survey released by Cloud Security Alliance at RSA “31 percent of companies have well-defined plans for meeting GDPR compliance, 85 percent have something in place, and 73 percent have begun executing that plan.”

Ultimately, we want the CISO to achieve business outcomes that reverse a disturbing trend: additional security investments don’t necessarily make things better. This is the reality that had Cisco’s SVP of security, John Stewart, lamenting that 3.5 million security jobs will go unfilled in the coming years.  He concluded with the statement ‘we are completely screwed.’   Well, let us help un-screw things!

Check here for some of the great coverage we’ve received on our CyberPosture strategy and how it fits into current security conversations across different verticals and geos.


Healthcare IT Blog Series - 2 of 6

(This is the second post in a Blog series - Moving Healthcare to the Cloud.  The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)

As we presented in the opening message in our ‘Moving Healthcare to the Cloud’ blog series, healthcare IT is in a crisis. The good news is, help is available to address the issues healthcare organizations, and their third-party vendors face—and it comes in the form of cloud computing. From the perspective of enhancing patient services as well as internal and patient communications, the future of healthcare is definitely in the cloud.

Nemi George, the Senior Director of Information Security & IT Governance for Pacific Dental Services, provides one specific example: “A key area in which we see the cloud helping us is with our medical imaging,” says George. “Today, a local server is used to capture images and then synchronizes nightly to the data center. Using a cloud service for imaging significantly reduces the cost and the speed to retrieve image files while also allowing access across multiple platforms without the dependency on location.”

As your organization begins its journey to the cloud, the planning should first involve a close look at the top-level ROI. It’s important to know why it makes sense to move to the cloud.

“In line with our risk methodology and cloud strategy, we are comfortable moving applications to the cloud,” George says. “Our focus is on applications that require a high level of resilience and also general business apps that we seek to mobilize, such as Workday and Box, that offer a mobile experience without the dependency of a VPN.”

Cloud Value Goes Beyond Reduced Cost

Most think of the cost savings first, but that’s not the top benefit of the cloud. Other returns will prove to be much more valuable:

  • Improved system and app availability—allowing doctors, nurses and support staff to work more efficiently so they can spend more time focused on patient care.
  • Enhanced ability to manage risk—with system protections that secure sensitive medical records and personal patient data.
  • Increased ability to employ compensating controls and governance—to ensure compliance with regulations and to avoid costly fines.

After considering the top-level benefits, the next things to consider for moving to the cloud are the tactical measures. Here, the objective is to reduce the number of on-premises data center systems required to run the organization.

Not all healthcare apps are ready to be moved to the cloud. You will likely decide to keep one or two on-premises. Perhaps it will make sense to set up an integrated hybrid IT infrastructure with a mix of cloud apps and on-premises apps.

“There are a number of applications such as our core practice management and finance applications that will remain on premises for a number of reasons,” George points out. “These include our legacy application architecture and applications already billed for decommissioning as well as applications that rely on a VPN or sit behind a corporate firewall for security reasons.”

Most Apps Now Safe to Run in the Cloud

For years, availability, privacy and security were cited by healthcare organizations as the reasons for delaying or jettisoning the idea of moving their apps to the cloud. But AWS, Microsoft, Google, IBM and other cloud providers are all proving this premise wrong. In 99% of the cases, apps can and should run in the cloud!

As we saw in our first post, the inability to hire sufficient technical resources is a critical factor in healthcare organizations deciding to move to the public cloud. Hiring internal technical resources with the expertise to design, deploy and support an on-premises infrastructure is costly, and keeping them on-board is difficult. They need constant training to keep up with the latest technologies, and those that are really good will likely grow bored working on just one infrastructure.

It’s also important to note that the rate of innovation in the public cloud is unmatched. For instance, AWS ECS (Elastic Container Service) and AWS Lambda, its function-as-a-service offering, both became generally available in 2015. These lightweight, yet powerful services are proving to be a big ally for organizations seeking to increase IT agility and decrease IT costs.

Here are two recent examples:

  • The Centers for Medicare & Medicaid Services created a cloud-based analytics platform that eliminated $5M in underutilized infrastructure spending, according to Jessica Kahn, the director of the data and systems group at CMS.
  • Children's Mercy in Kansas City uses Microsoft's Azure cloud services to host an app and data that save lives of at-risk pediatric patients by tracking them after they leave the hospital, according to Richard Stroup, Children's Mercy director of informatics.  

The success of the cloud for these two organizations echoes the success of George and Pacific Dental Services. “The cloud in itself will not impair our security or our compliance,” says George. “And if managed appropriately with the right level of monitoring, oversight, and governance, migrating to the cloud should reduce our costs.”

With results like this, it’s time for other healthcare organizations to dive in!

In our next ‘Moving Healthcare to the Cloud’ blog, we will examine how to define a cloud migration project. This includes identifying who needs to be involved, what applications should make the short list to move to the cloud, and where’s the best place in the cloud for your organization.

Read about how Cavirin can protect your ePHI.


Healthcare IT Blog Series - 1 of 6 

(This is the introduction post in a Blog series - Moving Healthcare to the Cloud.  The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)

One of the key themes of the recent HIMSS18 conference in Las Vegas is that healthcare IT leaders need to embrace the power of change to transform how doctors, nurses, staff and patients consume IT. This approach may be more important than ever, given that the industry is in the midst of an IT crisis.

Threats are coming in from several fronts. Here are a few reasons why many CIOs and CTOs are finding it hard to get a good night’s sleep:

The fallacy of thinking compliance = a strong security posture

Some organizations think that abiding by regulations such as HIPAA makes them safe, but this has been proven to be incorrect. Let’s take a real public example. In February 2015, Anthem disclosed that criminal hackers had broken into its servers and had potentially stolen more than 37.5 million records that contained personally identifiable information. 20 days later, Anthem raised the number to 78.8 million records. According to Anthem, the data breach extended into multiple brands that Anthem uses to market its healthcare plans, including Anthem Blue Cross and Blue Shield, Amerigroup, Caremore, and UniCare. The security breach occurred even though Anthem was HIPAA compliant.

Vulnerable legacy equipment

For decades, manufacturers like Siemens, Bosch, Honeywell and others have built embedded systems that run on operating systems from the Stone Age: unpatched, insecure and vulnerable. One example is Siemens medical scanners. Attackers can exploit trivial flaws in the network-connected devices to run arbitrary malicious code on the equipment. These remotely-accessible vulnerabilities lurked in all Siemens positron emission tomography and computed tomography scanners running Microsoft Windows 7.

Too many compliance mandates

It’s hard to keep up with changing mandates because healthcare organizations have patient data dispersed in many databases across the cloud, the network, and a multitude of endpoints. Sometimes they rely on paper as well. This makes it difficult to comply with the stringent regulatory requirements of HIPAA and HITECH and to safeguard PHI, PII and EHR. In addition, medical teams need to access this information quickly in order to meet the demands of timely care. Security teams are thus challenged to find a balance between patient data security and providing easy access to the information.

Modern-day attacks

Ransomware continued to make the news in 2017 and the healthcare industry was not immune; in fact, it was a leading victim. Hollywood Presbyterian declared a state of emergency over a ransomware attack in February 2016. The hospital never said exactly when it paid the ransom, but it appears to have waited at least a week to end the file-hostage situation. The hospital said the payment was 40 Bitcoin, worth around $17K at the time. An unnamed doctor told the press that the systems responsible for CT scans, documentation, lab work, pharmacy functions and electronic communications were out of commission. With email down, the staff relied on pencil and paper. It was also reported that radiation and oncology were temporarily shut down.

Severe shortage of IT security personnel

According to Cybersecurity Ventures, there will be 3.5 million unfilled cybersecurity jobs by 2021. And for qualified security personnel, healthcare IT is not the preferred destination: Facebook, Google, AWS and other high-tech innovators are more attractive.

New age disruptors

Healthcare organizations have to manage insanely large data sets to make their training algorithms better and more robust. But an even bigger and more disturbing challenge is that non-health entities can now play ‘doctor.’ Findings of the research conducted by the Computational Story Lab, a group led by Chris Danforth and Peter Sheridan Dodds of the University of Vermont, show that Instagram knows if you’re depressed, Twitter can indicate PTSD, and Facebook posts can describe a region’s relative public health.

Identifying the Right Steps to Take in the Cloud Journey

So, with all these developments as a backdrop, and as healthcare organizations look to the cloud as a panacea for everything, there needs to be a reality check on how to look at the cloud in the context of the current state and where healthcare is headed. To help organizations take on this challenge, this blog series will walk readers through the why, the what, and the how of ‘Cloud and Healthcare.’

The series will show how to identify what steps to take in the cloud journey. It starts with the next blog, which will focus on the why—Making the Business Case for the Cloud. The following chapter will delve into understanding what systems are ready for this journey, and frankly, which aren’t. We’ll also look at how you can make that distinction without bias.

The next blog will address the issue of how to assess the appropriate levels of risk for all the assets you are moving (or will be moving) to the cloud to ensure confidentiality, integrity, and availability. The fifth installment will focus on how to operationalize security. This includes the policy controls to put in place beforehand, how to monitor security, and how to react to any indications of breaches or potential breaches. It’s a team effort, so make sure you know who the players are and get your team ready!

Finally, we will look at the advent of artificial intelligence and machine learning, and how there is going to be an opportunity to gather more and do more with patient data, research, and analysis. But all of this should be backdropped with a clear ‘Code of Ethics.’ If you fail in the ethics arena, the fallout could be cataclysmic.

The Need to Embrace Education

The cloud provides an amazing path for your healthcare organization to take a leap forward. You can not only address the security sins of the past in a comprehensive manner, but also set yourself up for success in this new age of healthcare IT that includes the Internet of Things, artificial intelligence and predictive medicine.

But, to use the cloud effectively, securely and consistently, and to truly understand what the cloud can do for your organization and your patients while setting your organization up competitively, requires you to embrace the need for education without bias. Hopefully, this blog series will do just that!

Read about how Cavirin can protect your ePHI.



Today we’re announcing the next phase in Cavirin’s evolution, with an approach and product offerings that will truly provide organizations with the visibility and control they require across their hybrid infrastructures, an approach that provides the CISO with actionable insights to minimize the attack surface while meeting the reporting requirements of his or her board.  We call this ‘CyberPosture Intelligence for the Hybrid Cloud.’  Read on!

The hybrid cloud is real, and in fact, 81% of enterprises are adopting a multi-cloud architecture, spanning on-premise and one or more public cloud providers.  And this won’t go away anytime soon, with about 1/3 of workloads remaining on-premise in 2025, sometimes the most critical.  But there is a problem.  A good 77% of IT personnel identify security as still a barrier to adoption, and almost the same number, 75% lack visibility across their hybrid cloud.

So what is CyberPosture, a word that you’ll be seeing more of in the future?  It is verifying that your slice of the public cloud is secure, be it IaaS, PaaS, SaaS, or even FaaS.  It is confirming that your workloads (servers) in the cloud are secure as well, be they VMs or containers.  It is ensuring that sensitive data, if in the cloud, is secured; being able to pass your periodic security audits; and securing not only your own infrastructure but also those of your critical suppliers and partners.  Finally, it is an architecture to help you truly understand the risks and deficiencies that are part of any hybrid cloud infrastructure, one that permits you to effectively balance your risk tolerance with skills and budgets.

CyberPosture is closely aligned with the rise of DevSecOps, the automation of security within DevOps to ensure a more secure cloud infrastructure and to offer more automated remediation when issues are discovered.  In a break from the past, SecOps will no longer be held as a barrier to agile development.  They will regain their place at the table as an enabler.  Who manages this?  The ‘Cloud Security Architect’ runs point, bringing together skillsets from across the organization in a ‘Cloud Center of Excellence.’ 

How do you achieve CyberPosture?  As with any type of posture, it doesn’t just come to you.  You actively set off to achieve it.  We help you instrument your public cloud accounts, your cloud security posture.  We offer the tools to enable continuous compliance across regulations that include GDPR, PCI, HIPAA, SOC, ISO, CIS, and others.  We help you apply these tools across critical verticals and use cases, such as cyber-insurance risk assessment or supply chain risk management.  We integrate these tools with your agile development processes. And, we package up this intelligence in the form of a ‘CISO Dashboard’ or as reports for your audit committee, providing you with a consolidated ‘Cavirin Risk Score’ that combines elements of security and compliance, for your cloud, and for your workloads.

The next step?  Visit us at RSA to learn more about Cavirin’s CyberPosture Intelligence, and while there challenge your existing cybersecurity partner on how to solve this hybrid cloud security and visibility challenge.  Then drop by booth N4439 and share your thoughts with us!


A Catch-up Plan for Technical Controls

In under 60 days, the GDPR regulation officially takes effect in the EU, and will impact companies well beyond Europe’s borders.  As a reminder, on May 25 the GDPR will replace the EU’s existing privacy regulation, and in a nutshell, data protection is now by design and by default.  And, data includes both personal and professional information.  A major point is the ‘right to be forgotten,’ and some of the controversies around Google and Facebook are a result of this intent.

By now, organizations should have a well-developed plan in place for implementation, including the assignment of a Data Protection Officer and coordination across all impacted business functions.  An issue is that this planning is not universal, and in fact, many US companies don’t realize their exposure.  In a recent study, fewer than 25% of US firms consider themselves to be GDPR-ready.   Not a good place to be in, given that a just-released ESG survey shows GDPR-subject data as the most widely deployed in the cloud.


Digging further, GDPR compliance is commonly broken down into three elements – people, process, and technology.   Cavirin can’t directly address the first two, but we can help with plugging holes in the third.  In a four-phase process that includes discover, manage, protect, and report, the third – protect – closely aligns with Cavirin’s capabilities.  We’ve created a policy framework that helps to automate the following across cloud providers and operating systems: 

  • Auditing Personal Data Processing Systems: Ensure that all user and admin activities in personal data processing systems are traceable at all times.
  • Monitoring Personal Data Processing Systems: Ensure they are safe from software vulnerabilities.
  • Personal Data Access Controls: Ensure that access to systems storing or processing personal data is restricted to only the users or programs that need it.
  • Personal Data Security Controls: Monitor configuration settings for systems storing or processing personal data to prevent breaches and disclosure.
  • Personal Data Transfer Security: Monitor usage of encryption and network configuration to detect and/or prevent unauthorized transfers of personal data.

So how to get started?  In under 30 minutes (really), you can deploy the solution on-premise or within your public cloud provider.  The deep discovery of the critical workloads, you identified in the steps above, then commences, and in a short amount of time, you’ll have actionable reports that identify your top risks.  The assessment delivers remediation guidance, and even for the largest of infrastructures, you’ll have plenty of time to take action before the deadline.  But don’t stop there!  Configure the platform for continuous assessment, so if the configuration of any of your servers changes, or new ones are added, you’ll be immediately notified and can then take action.
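As an added illustration (not Cavirin’s code and not part of the original post), here is a minimal version of the idea behind the five policy areas above and the continuous-assessment step just described, as well as the ‘drift from your golden posture’ notion from the CyberPosture post: a small control catalogue is evaluated against a flattened configuration snapshot to produce a score with remediation hints, and a second snapshot is diffed against the golden baseline to flag drift. The setting keys, control ids, weights and the sample snapshot are assumptions for the example; a real collector would parse sshd_config, auditd state, package metadata and cloud storage policies to produce the snapshot.

```python
"""Added illustration: score a configuration snapshot against a small
control set and flag drift from a 'golden' baseline.  Not Cavirin's code;
the keys, control ids, weights and sample data are assumptions."""
import hashlib
import json
from typing import Callable, Dict, List, Tuple

Snapshot = Dict[str, str]

# Constructed golden baseline: flattened settings a collector might harvest
# from sshd_config, auditd, package metadata and a cloud storage policy.
GOLDEN: Snapshot = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
    "pkg.days_since_last_patch": "12",
    "storage.bucket_public": "no",
    "tls.min_version": "1.2",
}

# Control catalogue, one control per policy area:
# (id, area, predicate over the snapshot, remediation hint, weight)
CONTROLS: List[Tuple[str, str, Callable[[Snapshot], bool], str, int]] = [
    ("AUD-1", "Auditing",
     lambda s: s.get("auditd.enabled") == "yes",
     "Enable auditd so user/admin actions are traceable", 20),
    ("VUL-1", "Monitoring",
     lambda s: int(s.get("pkg.days_since_last_patch", "999")) <= 30,
     "Apply pending OS patches; host is more than 30 days behind", 20),
    ("ACC-1", "Access control",
     lambda s: s.get("sshd.PermitRootLogin") == "no"
     and s.get("sshd.PasswordAuthentication") == "no",
     "Disable root SSH login and password authentication", 20),
    ("SEC-1", "Security configuration",
     lambda s: s.get("storage.bucket_public") == "no",
     "Remove public access from the storage bucket", 25),
    ("XFR-1", "Transfer security",
     lambda s: float(s.get("tls.min_version", "0")) >= 1.2,
     "Require TLS 1.2 or newer for data in transit", 15),
]


def assess(snapshot: Snapshot) -> Tuple[int, List[dict]]:
    """Return (score 0-100, findings).  The score is the weighted share of
    controls that pass; each failing control carries its remediation hint."""
    total = sum(w for *_, w in CONTROLS)
    earned = 0
    findings = []
    for cid, area, check, fix, weight in CONTROLS:
        try:
            ok = check(snapshot)
        except ValueError:  # a malformed value is treated as a failure
            ok = False
        if ok:
            earned += weight
        else:
            findings.append({"id": cid, "area": area, "remediation": fix})
    return round(100 * earned / total), findings


def fingerprint(snapshot: Snapshot) -> str:
    """Stable hash of a snapshot: a cheap 'did anything change' test."""
    canon = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def drift(golden: Snapshot, current: Snapshot) -> Dict[str, Tuple[str, str]]:
    """Settings whose value differs from the golden posture, including ones
    that disappeared ('<missing>') or appeared since the baseline."""
    changes = {}
    for key in sorted(set(golden) | set(current)):
        old = golden.get(key, "<missing>")
        new = current.get(key, "<missing>")
        if old != new:
            changes[key] = (old, new)
    return changes


if __name__ == "__main__":
    # Constructed 'current' snapshot with three settings drifted from golden.
    current = dict(GOLDEN, **{"sshd.PermitRootLogin": "yes",
                              "storage.bucket_public": "yes",
                              "pkg.days_since_last_patch": "45"})
    score, findings = assess(current)
    print(f"score={score}")
    for f in findings:
        print(f"  FAIL {f['id']} [{f['area']}]: {f['remediation']}")
    if fingerprint(current) != fingerprint(GOLDEN):
        for key, (old, new) in drift(GOLDEN, current).items():
            print(f"  DRIFT {key}: {old} -> {new}")
```

Run on a schedule (or on each configuration-management push), the fingerprint comparison is what makes the check continuous: an unchanged hash means no re-assessment is needed, while any change triggers the drift report and a fresh score. Treating an unparsable value as a failure rather than skipping the control matters in practice, because a collector that silently returns garbage would otherwise mask a regression.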

Download the linked infographic for more on the above!  And listen to the on-demand webinar for further information on putting your own plan in place for GDPR enforcement day, May 25th, 2018.




This last week, the US Centers for Medicare & Medicaid Services (CMS) announced MyHealthEData, a federal initiative that for the first time will provide patients with full and secure control over their healthcare data, no longer locking it to a single healthcare system or provider.

When announcing the program, CMS Administrator Verma related an experience where her husband was in the hospital for a week due to heart failure. Upon discharge, Verma asked for her husband’s records, and was presented with a CD-ROM, itself incomplete. This brought up memories of my wife’s experience in Taos where she came down with a bad case of pneumonia and upon discharge was presented with a large folder containing X-Rays. Very useful. Verma then went on to question the $30 billion spent to-date by the US government on EHR implementation, and whether the patient experience has improved.

Key stakeholders in MyHealthEData include the White House, HHS, the VA, and the NIH. The intent is to completely revamp the way patients interact with the healthcare system, making them the center of control and permitting them to better compare providers based on cost and capabilities. Other impacts of greater data sharing should be better diagnosis and less duplication of care, outcomes that will hopefully drive down the cost and raise the quality of care for everyone.

Note that the data ‘ownership’ aspect of MyHealthEData is much like the intent of GDPR within the EU, placing people and privacy first. It reflects a growing trend given the pervasiveness of personal data hosted across the Internet and especially within healthcare. And paralleling the EU, we’ll see the rise of the Data Protection Officer (DPO) within US enterprises and other organizations, a role integral to privacy.

But with portability comes additional requirements for security. No longer confined to the network of a single provider, records will be ‘borderless,’ accessible by almost every healthcare provider and across multiple devices including smartphones. To encourage security, MyHealthEData will leverage the Merit-based Incentive Payment System (MIPS) which includes penalties for security breaches. This is where Cavirin can help.

With data spread across a much larger and more interconnected attack surface, there are many more chances for breach, both malicious and accidental. The workload and cloud account protection provided by Cavirin will be even more critical, and since security is only as strong as its weakest link, the ease of implementation and automation we provide will permit the adoption of best practices by anyone within the healthcare value chain.

Cavirin as a company is not new to healthcare, with customer use cases spanning the OS hardening of servers used in medical device manufacturing, HIPAA compliance on-premise and within AWS, including the application of the AWS HIPAA Quickstart, and use of our open APIs to connect to other security platforms within a genomic research environment.  We also have multiple deployments within the largest dental benefits provider in the United States.  Learn more at


© 2018 Cavirin Systems, Inc. All rights reserved.