
Security Management

<h3>Hide. Hide. Hide.</h3><p>When Michael D’Angelo, CPP, was tasked with creating an active shooter response plan for six Miami-area hospitals, he turned to the U.S. Department of Homeland Security’s (DHS) “Run. Hide. Fight.” training. At the time, D’Angelo was the manager of emergency preparedness and security for Baptist Health South Florida, which has hospital facilities in three counties. But when D’Angelo and a team of stakeholders looked at the verbiage of the DHS active shooter response program, they realized it didn’t suit the hospital environment.</p><p>The “Run. Hide. Fight.” training instructs people who find themselves in an active shooter scenario to flee the threat if possible. If not, they should take cover. As a last resort, they should be prepared to fight the gunman. “Most of the hospitals around the country are writing their active shooter policies based on the DHS guidelines, which have been out for three or four years now, but the problem is those are very cookie cutter,” explains D’Angelo, who is now the director of security at one of Baptist Health’s hospitals. “They give it to school systems, healthcare systems, everybody. It’s kind of that one-size-fits-all response plan to an active shooter.”</p><p>The recommendation to flee the shooter isn’t logical in Baptist Health’s multistory hospitals, D’Angelo notes. Complicated layouts combined with areas designed to provide clear line-of-sight create a dangerous environment for those attempting to flee a shooter.</p><p>Likewise, D’Angelo and his team agreed that telling hospital staff to fight an active shooter was too much of a risk. 
“Even though it’s prescribed as a last resort, we had that feeling that by talking about it, you almost plant this subconscious belief in the staff that they have some kind of obligation to end the incident, which is a difficult thing when it comes to clinical caregivers, because they’re taught to put the patient first for everything. So now you’re going to empower them with this belief that they are going to have to stop the shooter to protect the patient. And this is the one scenario where they have to put their own life before the life of their patient.”</p><p>In fact, D’Angelo says convincing staff to put themselves first in an active shooter scenario has been one of the most challenging aspects of creating a response plan. Staff can’t help patients if they themselves are injured, and taking the time to hide slow-moving patients imperils everyone.</p><p>Ultimately, D’Angelo and his team agreed that the only applicable aspect of DHS’s recommendation was to instruct the staff to lock the doors, turn off lights and any unnecessary machines, and shelter in place until police arrive. They call it the “Cease to Exist” approach, and it has received buy-in from local law enforcement.</p><p>Baptist Health’s six hospitals sit in five different police jurisdictions, so D’Angelo and his team had to meet with each police department to make sure the plan fit in with each department’s active shooter response strategy.</p><p>“From law enforcement’s perspective, our plan seems to fit because their point of view is, we need you and your staff to be out of the way, not in the hallway, not running and distracting us, so we have as empty and clear a path to getting to the shooters as fast as we possibly can,” D’Angelo explains. 
“If anything, our response program speeds up their plan and effectiveness of ending the incident as quickly as possible.”</p><p>D’Angelo notes that local law enforcement has changed its active shooter response to provide more immediate assistance to shooting victims. In the past, fire rescue and paramedics would not enter the area until police had cleared the entire building, but the wasted time turned casualties into fatalities. Now, emergency response is coordinated so that fire rescue and paramedics follow behind police as they move from room to room, so that the police can focus on finding the shooter while rescue teams can safely attend to casualties.</p><p>“We’re doing our best to get that point across to our staff that fire rescue is going to come onto the scene with law enforcement as soon as possible,” D’Angelo explains.</p><p>The discussion about having a proactive versus passive response to an active shooter goes hand-in-hand with the debate over whether hospital staff or security officers should be armed, D’Angelo notes. Baptist Health does not arm its security staff based on data: 50 percent of emergency room shootings in the U.S. involved a police or security officer’s firearm, which was either stolen to shoot victims or used by security to fire at an assailant, according to a Johns Hopkins report. “If I can guarantee a 50 percent less chance of a shooting taking place in my ER by not arming my security staff, then why would I do it? Based on raw data, I can’t see how having armed security forces is going to be the answer,” D’Angelo says.</p><p>Within the hospitals, there has been mixed response to the “Cease to Exist” approach. Some departments want to see more in the way of training and education, because they feel the staff should take a more proactive approach to a potential active shooter. D’Angelo reiterates that staff should help protect patients only if they can simultaneously protect themselves. 
“I guess nobody wants to address that real gray area of saying we leave the patients on their own, because some of them can’t help themselves, but you do the best you can to protect both of you if it’s realistic to do so,” he says.</p><p>But for nurses with three or four patients, running from room to room and concealing each of them may be counterproductive.</p><p>There has been significant dialogue between Baptist Health leaders and staff about the “Cease to Exist” response, but D’Angelo says that Baptist Health prohibits active shooter drills. He describes one “disastrous” active shooter exercise a few years ago where, instead of causing chaos throughout the hospital, the code elicited almost zero response from the staff.</p><p>“We quickly learned that the staff is alarm fatigued,” D’Angelo says. Infant abduction drills, fire drills, and [other mandated exercises] mean that every code is a drill until proven otherwise. “With something as significant as an active shooter, we absolutely couldn’t have that attitude. There’s only one way to guarantee that when staff hear that code, they will know that someone is actually shooting—and that is to prohibit exercising the code.”</p><p>D’Angelo acknowledges that Baptist Health is taking an unusual approach by not following DHS’s “Run. Hide. Fight.” program, but he notes that even DHS says it’s not a one-size-fits-all policy. “We took the time to look at it,” he explains. “If you automatically adopt the DHS policy and turn that into your in-house policy, you may be prescribing something to your staff that may be doing more harm than good.”</p>
<h3>ASIS News July 2016</h3><h4>Active Shooter White Paper Released</h4><p>The ASIS International School Safety and Security Council has released a highly anticipated white paper, Active Shooter. 
The 60-page document consists of 13 chapters written by members of the council who hold security and safety positions at colleges, universities, and elementary and secondary schools, or are consultants to these institutions.</p><p>Each author addresses a different proactive approach to preventing and responding to active shooter situations. After an introduction to active shooter programs, the following topics are among those covered in subsequent chapters: the six phases of an attack; pre-attack indicators; on-site training programs; behavioral threat assessment teams; hardening the target; primary and secondary schools as soft targets; and lessons learned.</p><p>The last chapter, “To Arm or Not to Arm…Teachers,” examines both sides of this heated debate and offers advice on teacher training and the consequences of each strategy. The author concludes, however, “that both sides have the same goal, which is to keep our schools, students, and teachers safe.”</p><p>Active Shooter ends with five appendices, which include articles from Security Management, “A Guide to Safe Schools” from the U.S. Department of Education, and conclusions from the ASIS Workplace Violence Prevention and Response Guidelines.</p><p>The white paper is available to download for ASIS members at <a href=""></a>.</p><h4>Executive Protection Council Launched</h4><p>The ASIS International Executive Protection Council, the newest addition to the ASIS International roster of 34 councils, has been approved by the ASIS Board of Directors.</p><p>Members of the council work in executive protection (EP) full time, oversee EP departments, or advise clients on EP concerns, according to the council’s chair, Robert Oatman, CPP. 
Senior managers from Fortune 500 companies as well as from privately held companies that provide EP services to the private and government sectors serve on the council.</p><p>Impetus to form the council began in 2013, when ASIS offered a Certificate in Executive Protection. While Oatman had been teaching a two-day program for ASIS on executive protection since 1998, growing interest in the course and the certificate led to the formation of an ad hoc council in 2014.</p><p>With its formal status now secured, council members will focus in earnest on their mission and goals, which include providing education and resources on professional executive protection and establishing EP as a business enabler to keep protectees safe and productive. In the short term, the council will foster its active leadership, add new members, enhance content on the council’s website, and present a webinar. Longer term, the council hopes to develop an executive protection standard, and has formed a subcommittee to look into that possibility.</p><p>International interest in EP is evident from the diverse backgrounds of the students who attend the ASIS EP programs. Many are currently working in the field, but all want to learn more about the art of executive protection. In addition, says Oatman, corporations have realized the value of EP services. As a result, EP has become a viable career path for individuals transitioning from law enforcement or government positions.</p><p>To learn more about the council and its programs, visit the council’s website, <a href=""></a>.</p><h4>ASIS 2015 Earns Spot on Top Trade Show List</h4><p>The ASIS International 61st Annual Seminar and Exhibits (ASIS 2015), which took place September 28 to October 1, 2015 at the Anaheim Convention Center in Anaheim, California, has placed 100th on the 2015 Trade Show News Network’s Top 250 U.S. Trade Shows list. 
The Trade Show News Network (TSNN) has been the world’s leading online resource for the trade show, exhibition, and event industry since 1996. TSNN began its list of top U.S. trade shows in 2010 based on net square footage.</p><p>“Our Annual Seminar and Exhibits is the premier education and networking event for those charged with the protection of life, property, and information in our world today,” says ASIS President David C. Davis, CPP. “It is a critical time for our industry, which is reflected in the size and scope of our conference and exhibition. We are honored to be recognized by Trade Show News Network.”</p><p>ASIS’s Annual Seminars and Exhibits draw approximately 20,000 security professionals from around the globe each year. The event presents more than 250 educational sessions and typically features more than 225,000 net square feet of the latest security technology and innovations in traditional and logical security, providing a showcase for more than 500 companies demonstrating cutting-edge solutions.</p><p>The 62nd Annual Seminar and Exhibits will take place September 12 to 15 at the Orange County Convention Center in Orlando, Florida. For the sixth consecutive year, (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, will colocate its Annual Security Congress with the ASIS Annual Seminar and Exhibits. Registrants of either event may gain access to each event’s education sessions and the exhibit hall. 
Both organizations also will offer review courses for their respective certifications, as well as separate, members-only activities.</p><p>For complete event, registration, and housing information, visit</p>
<h3>A Failure to Communicate</h3><p>“More than 10 years after the bipartisan 9/11 Commission reported that improvements to interoperable communications at all levels of the government need to be addressed, the National Capital Region continues to face challenges in achieving emergency communications interoperability within and among federal, state, and local agencies, despite substantial investment by the federal government to improve interoperability,” the U.S. Government Accountability Office (GAO) found in a recent report, Emergency Communications: Actions Needed to Better Coordinate Federal Efforts in the National Capital Region.</p><p>Crisis response experts say it is critical for first responders and officials to have emergency communications interoperability, or the ability to communicate across agencies and jurisdictions. The lack of interoperability can hamper mission operations and put first responders and the public at risk during a response.</p><p>The 9/11 Commission, in its report issued in 2004, examined the communications failures first responders experienced after the 9-11 attacks. The commission recommended allocating radio spectrum to public safety to create an interoperable public safety communications network.</p><p>However, the effort to create such a network did not begin in earnest until 2012, when Congress created the First Responder Network Authority (FirstNet) to provide the first nationwide public safety broadband network for public safety entities. 
</p><p>Earlier this year, FirstNet issued a Request for Proposals (RFP) for the deployment of this public safety broadband network. In April, FirstNet officials indicated that interest was high, and so it extended the deadline for proposals through May.  </p><p>“Our decision to extend the deadline for final proposals was driven by both the volume and nature of the capability statements, as well as requests for extensions we’ve received from interested parties,” FirstNet CEO Mike Poth said in a statement. “We remain on track to award by November 1.”</p><p>In addition, the FirstNet Board of Directors has updated its strategic roadmap, which sets out a timetable for the establishment of the new network. The updated roadmap sets an August 2018 goal for the network to have its initial markets installed, and to be ready for live testing and activation of power sourcing equipment devices on the network. </p><p>And for some, August 2018 can’t come soon enough. Several major crisis situations that have occurred since 9-11 have demonstrated the pressing need for such a network, especially in light of the communications problems experienced by responders. </p><p>For example, the response to Hurricane Katrina in 2005 was hampered by “a complete breakdown in communications that paralyzed command and control and made situational awareness murky at best,” according to A Failure of Initiative, a bipartisan report on the disaster issued by the U.S. House of Representatives. During that response, agencies could not communicate with each other due to equipment failures and a lack of system interoperability, the report found. </p><p>Given the failings of the Katrina response, Congress went on to establish the Office of Emergency Communications (OEC) in the Post Katrina Emergency Management Reform Act. The OEC is designed to coordinate federal interoperable communication programs and conduct outreach to and support for emergency response providers. 
In 2008, the OEC issued the first National Emergency Communications Plan, which included goals for improving communications capabilities at the state and local levels.</p><p>Then, in September 2013, communication problems hindered the response to the Navy Yard shooting, which resulted in 13 fatalities. In an after-action report on the shooting issued in July 2014, the Washington, D.C., Metropolitan Police Department identified interoperability communication problems among first responders.</p><p>The report found that some federal responders experienced communication problems that hindered interoperability during the response. It also found that interoperability would have been enhanced if all responders had access to the same designated radio channel.</p><p>Moreover, another report on the Navy Yard response, issued by the U.S. Department of the Navy, found that the Navy responders did not have interoperable communication with other agencies because of a lack of understanding of equipment capabilities and incorrectly programmed radios. The reports attracted critical feedback from Congress.</p><p>“Interoperable communications continues to be a challenge during disaster response, as evidenced during the response to Hurricane Sandy and the Navy Yard shooting,” U.S. Rep. Susan W. Brooks (R-IN) said at a recent Capitol Hill hearing. “We must continue to work to ensure first responders have the tools they need to communicate.”</p><p>Besides unsuccessful interoperability, inadequate interagency coordination is another issue that has hindered federal emergency communication, the GAO’s Emergency Communications report found.</p><p>In the Homeland Security Act of 2002, Congress created the Office of National Capital Region Coordination (ONCRC) to coordinate homeland security activities in the National Capital Region. But ONCRC does not currently have a formal mechanism in place to coordinate such activities, according to the GAO. 
Previously, the Joint Federal Committee (JFC) was the means ONCRC used to coordinate with federal agencies. But the JFC has not convened since 2014, and the ONCRC plans to restructure it.</p><p>“Officials explained that the JFC was not efficient and effective as a coordinating body and that they plan to strengthen its coordination capabilities. However, written plans were not available,” the GAO wrote.</p><p>As a result, GAO recommended that when ONCRC restructures the JFC, it clearly specify in a written agreement how agencies will work together, and what their roles and responsibilities will be.</p><p>“ONCRC concurred with the recommendation,” the GAO wrote. “No timeline for the restructuring was offered, however.”</p>
<h3>Eyes on Minneapolis</h3><p>The annual Saint Patrick’s Day Parade in downtown Minneapolis, Minnesota, draws large crowds every year, consistently numbering in the tens of thousands. So when a disruptive group of teenagers caused problems at last year’s event, the police department was glad to have critical video evidence to help apprehend the suspects.</p><p>“We were able to reach out to a number of businesses and get information that led us to help identify some of the individuals that were causing problems in the downtown area,” says Commander Scott Gerlicher of the Minneapolis Police Department.</p><p>What started as rabble-rousing, intentionally blocking traffic, and getting into fights eventually turned into an all-out brawl. Two people were injured and six arrests were made.</p><p>With the help of Securonet’s Virtual Safety Network, a cloud-based tool that allows law enforcement to communicate with the business community, police were able to identify which cameras would likely show footage of the brawl and contact the owners of those devices. 
They ultimately leveraged resources from 32 cameras. </p><p>“Securonet has allowed us to enhance some of that collaboration with the business community that was already going on,” Gerlicher says. “We have many security cameras and police public safety cameras in downtown Minneapolis and throughout other areas of our city, but what we haven’t been able to do is tap into all those privately held cameras.” </p><p>While the relationship between the business community and law enforcement in Minneapolis is long-established, the initiative for a public safety camera network began with the Major League Baseball All-Star Game in 2014, hosted at Target Field. </p><p>Securonet’s founder, Justin Williams, had a working relationship with both the police department and the Minneapolis Downtown Improvement District (MDID) and approached both entities about the Virtual Safety Network when security plans for the game were underway. </p><p>“We looked at models, and looked at what other cities were doing” as far as camera programs, says Shane Zahn, director of safety initiatives with MDID. “There weren’t a lot of other cities doing this, so that’s when we partnered with Securonet to see if they could custom build us something here that we were looking for.” </p><p>Leading up to the game, MDID created a website that allowed business users to register their cameras on Securonet. In addition to the police’s monitoring station, MDID has a fusion center located within the city’s First Precinct where a team of police and private security monitor the cameras. </p><p>After the All-Star game, the law enforcement community wanted to expand the camera initiative throughout the rest of the city. In early 2015, the city began opening up the registration to businesses located outside the downtown area.</p><p>Securonet is hosted on a Web-based portal where businesses can register cameras that may capture incidents of interest to law enforcement. 
These cameras usually face public areas, or are mounted on building exteriors. </p><p>Authorized police officers can log in to the portal and view these cameras on a map to see which devices may be related to what they’re investigating. </p><p>“We have a team of intelligence analysts at a central location, and there’s about 15 of us up here that have access to the Securonet portal,” notes Gerlicher, referring to the Minneapolis Police Department’s Strategic Information Center. There are additional analysts at the MDID fusion center. If they so choose, businesses can also publish the live feed of certain cameras on the portal so law enforcement has a real-time view. </p><p>The cameras are geo-located on a live map view of existing cameras. A security official or law enforcement officer then simply types in an address, and all the cameras on the site surrounding the area of interest appear. </p><p>Law enforcement can then send a message over the portal that lets the camera owner know exactly when the incident occurred and what it’s looking for. As of mid-2015, there were approximately 400 cameras registered to the system. </p><p>Police or operators can also send out a mass message to several affected camera owners at once. </p><p>“We can query the people who have signed up through Securonet,” Gerlicher explains, “and send out a mass notification saying, ‘We had this incident take place…and the suspect was seen wearing a red top and black jeans, at this date and time. Let us know if you have anything on video.’” </p><p>The business can reply affirming that a suspect does, in fact, appear on the video, or that the suspect does not. In the past, law enforcement would have someone go knock on the door of that company to inquire about the footage, a time-consuming process that kept police tied up. </p><p>Investigators then go to the business and pick up a digital copy of the footage. 
“Once businesses turn it over to us, they understand it will be part of the case file,” he says. </p><p>Businesses appreciate the fact that it’s an e-mail-based tool, notes Zahn, and that the communication with law enforcement is in a familiar, unobtrusive format. “What the businesses are saying is, one, it’s easy to register; and two, they are getting more specific communications than just a general e-mail blast.” </p><p>He adds that the city tries to limit its communication with business owners on issues unrelated to investigations to about once a week, so that they aren’t oversaturated with e-mails. The city also strives to keep communications to a simple format that is consistent throughout each message. </p><p>“You get familiar with the requesters and vice-versa,” Zahn says. “You build a relationship—this virtual relationship—through the tool.” </p><p>Evidence obtained via Securonet often helps the First Precinct solve property crimes, Gerlicher adds, and the technology also helps rule out any frivolous or erroneous leads in an investigation. “If we don’t see the suspect in that footage, we can determine, ‘well he must not have gone that way.’” </p><p>And the business community has kept up its end of the bargain. Gerlicher says law enforcement has experienced a 100 percent response rate of camera owners replying when there is an inquiry. </p><p>Securonet is developing another application called Helplink (911), which will allow businesses to turn on access to cameras both outside and inside a building during an emergency. Minneapolis is currently testing the technology, and Gerlicher says the city hopes to roll it out soon. 
</p><p>“That would give incredible situational awareness to those officers responding or a SWAT team so they can see exactly what’s happening and they are not going into that building blind,” notes Gerlicher.</p><p>For more information: Greg Boosalis, <a href="">greg@securo</a>, <a href=""></a>, 612/930-4632</p>
<h3>Patient Zero</h3><p>It was like going back in time. Instead of using an electronic records system to access patient data and update charts, MedStar Health staff did medical rounds using good, old-fashioned paper and pencil.</p><p>The reason? Ransomware had compromised the $5 billion health-care provider that operates 10 hospitals and more than 250 outpatient facilities in the Washington, D.C., region, serving thousands of patients and employing more than 30,000.</p><p>While exact details were not released before Security Management’s press time, attackers hit MedStar on the morning of March 28, launching an attack that prevented certain users from logging in to its systems.</p><p>“MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization,” MedStar spokesperson Ann Nickels said in a statement. “We are working with our IT and cybersecurity partners to fully assess and address the situation. Currently, all of our clinical facilities remain open and functioning.”</p><p>MedStar also reassured stakeholders that it believed no patient data had been compromised, and that it was working with its cybersecurity partner—Symantec—and the FBI to find out exactly how attackers gained access to its systems. 
</p><p>Through this effort, MedStar was able to keep its doors open and bring its systems back up “in what can only be viewed as a very rapid recovery led by dedicated MedStar and external IT expert partners,” it said in a statement.</p><p>The ransomware attack on MedStar is just one of a string of recent attacks on the healthcare industry. In March, attackers took the computers of Hollywood Presbyterian Medical Center in Los Angeles hostage for more than a week until officials paid the ransom, approximately $17,000 in Bitcoin.</p><p>“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said Hollywood Presbyterian President Allen Stefanek in a statement. “In the best interest of restoring normal operations, we did this.”</p><p>Ransomware is a form of malware that attackers use to infect a computer or network, encrypt its data, and then demand payment—the ransom—from victims to decrypt the data. If victims don’t pay up, the data will remain encrypted or may be deleted.</p><p>Attackers have been using it to compromise healthcare systems in the United States, Germany, Canada, and France, according to research by Security Management. This raises the question: Why are hospitals such lucrative targets for ransomware?</p><p>James Carder, CISO of LogRhythm and former director of security information for the Mayo Clinic, says he thinks it’s because healthcare is “so far behind the times” when it comes to cybersecurity. </p><p>“If you just think about the core business of what a hospital does, they are there to treat sick people—treat patients,” he explains. “They think of security from a physical security perspective…the cybersecurity world is nothing that they’ve actually planned for. 
If you look at their IT infrastructure, they’re all built around supporting patient care and they have never made that connection with cybersecurity being directly connected to patient care.”</p><p>Instead, an emphasis is placed on making patient data available at all times and on remaining compliant with the Health Insurance Portability and Accountability Act (HIPAA). “The focus is on patient care and having access and availability of records, more so than securing the records,” Carder adds.</p><p>Couple this attitude towards cybersecurity with the large amounts of data that healthcare institutions use on a daily basis and the large resources most hospitals have, and you have a prime target for a ransomware attack, says Dan Holden, director of Arbor’s Security Engineering and Response Team (ASERT).</p><p>For attackers, “the great part about these commercial entities is they can get so much more,” Holden explains. “Rather than carrying on a campaign for $25, if you go through the investment to find serious targets in hospitals…the likelihood that you’re going to get paid is likely to be higher.”</p><p>This incentivizes hackers to go after hospitals because they are “the soft underbelly in terms of market,” Holden explains, giving them a high return on investment (ROI) for their efforts. And it doesn’t matter if the hospital is in the United States or in Europe, because all of them depend on having access to their data to serve their patients.</p><p>“The financial state of the country doesn’t necessarily matter,” Holden says. “You know they are going to have to depend on that data. 
From an ROI standpoint, it’s a good investment.”</p><p>Ransomware itself is also becoming more sophisticated, allowing it to infect a victim’s network more easily than in the past, according to Craig Williams, senior technical leader and security outreach manager for Talos, a threat intelligence organization owned by Cisco.</p><p>“Earlier ransomware required a human to spread,” he explains. “They had to have someone go to the website, see a malicious ad, or get an e-mail and click on it and run the e-mail attachment; they all required user interaction.”</p><p>SamSam, a new type of ransomware, however, does not. Instead, it combines network-based vulnerabilities with a ransomware payload. This means that the ransomware can target and penetrate a network when no one’s there.</p><p>SamSam works by exploiting well-known vulnerabilities—some up to nine years old—on unpatched systems. During the initial compromise, attackers conduct manual reconnaissance to locate systems they’d like to target with ransomware. They program what they would like the malware to perform, and it works without requiring an active command and control.</p><p>In plain English, “the way you can think of ransomware operating previously is they needed someone to unlock the door,” Williams says. “SamSam is the first piece of ransomware that can open the door for itself.”</p><p>SamSam first came on the scene in December 2015 when it was used in a gaming industry campaign. Williams says he thinks this was a trial run to make sure it was an effective form of ransomware. </p><p>However, it wasn’t until mid-February 2016 that Talos began seeing significant growth of the use of SamSam, with an “explosive growth period” in April. And Talos is continuing to see those high numbers, Williams adds.</p><p>“Talos did a small scan of the Internet, and, based on our preliminary findings, it appears that there are around 2.1 million vulnerable servers on the Internet right now,” he explains. 
“That’s a bad number.”</p><p>The FBI has also acknowledged the rise of SamSam, sending out a confidential “Flash” advisory on March 25, obtained by Reuters, requesting help from businesses and software security experts in investigating the new form of ransomware. </p><p>“Friday’s FBI alert was focused on ransomware known as [SamSam] that the agency said seeks to encrypt data on entire networks, an alarming change because typically, ransomware has sought to encrypt data one computer at a time,” Reuters reports.</p><p>Security Management reached out to the FBI to discuss the advisory, but the Bureau declined to be interviewed for this article.</p><p>And while the healthcare industry is on high alert and beefing up its cybersecurity due to the string of recent ransomware attacks, Williams says he’s concerned that the attacks aren’t going away anytime soon. This is because attackers have built SamSam to make use of several different vulnerabilities that require companies to complete a variety of patches on their systems.</p><p>“The reality is, once people do start applying these patches the attackers will simply rotate in a new vulnerability to exploit,” Williams says. </p><p>Also aiding the attackers is that they are implementing best practices in customer service to make sure their victims pay the ransom, instead of just using a back-up or losing their data.</p><p>With SamSam, attackers are offering bulk discounts to decrypt data. In a case documented on Talos’s blog, a ransomware victim bought one key to decrypt his data and then came back and bought a second key for a lower price. 
The victim did this because the ransomware encrypted multiple machines, requiring separate decryption keys for each machine to decrypt the data.</p><p>“What’s really interesting about this is that the attackers apologized for delaying posting the key, which goes back to the problem these ransomware authors have of gaining victims’ trust,” Williams explains.</p><p>Also unique to the recent rise of SamSam is that attackers appear to be continuously upping the amount that they are charging victims to get their data back. </p><p>“We don’t see that normally,” Williams says. “What that tells me is they don’t fully understand the value of their data, and they’re trying to experiment to see exactly how much people will pay them.”</p><p>This presents a problem for customers because the more people who pay the ransom, the higher the ransom will go until the attackers reach a period of diminishing returns, he adds. </p><p>Additionally, Williams says he’s concerned when he hears reports of businesses paying the ransom—as Hollywood Presbyterian did—because there’s no way to know if their data’s integrity is intact.</p><p>“There’s no reason an attacker couldn’t have tampered with medical records or engineering design documents, or other things that could have a very significant impact to the world when they release the files to you,” he explains. “Without the ability to verify your data’s integrity, users need to be very cautious when trusting that data.”</p><p>Despite the bleak outlook for the healthcare industry, the best ways to prevent a ransomware attack continue to be patching systems regularly to keep them up to date, creating cybersecurity awareness training for employees, and having reliable back-ups that are tested, says Lysa Meyers, security researcher at ESET.</p><p>“You test it and make sure that it’s actually functioning,” she explains. 
“If you have a back-up and it’s not functional, that’s not a good back-up…this trend of ransomware could disappear in a short period of time if more businesses started doing back-ups.”</p><p>And having a good back-up system is something hospitals tend to do well, Carder says, because of their crisis management planning. </p><p>“Hospitals do things around: what if a core infrastructure goes down, how would you actually respond?” he says. For MedStar, it responded by using paper and pencil instead of its electronic systems to provide service. </p><p>“It kind of takes it back a number of years, but the good news is—at least for MedStar—that they had some type of plan that they could go to if the IT infrastructure went down,” Carder explains. “They could revert back to that, if needed, to treat patients.”</p> It Takes Teamwork <p>Leading effective teams is a perpetual challenge for leaders such as CSOs, CISOs, and all types of security managers. In some ways, building an effective team is similar to conducting a risk, threat, and vulnerability assessment: the essential task is to gather and join together all the appropriate skill sets—often spread out over several departments within the organization—to ensure that every business risk is addressed, so that the organization’s bottom-line objectives can ultimately be achieved. </p><p>But to build and lead an effective team, leaders must first understand the immediate environment in which the organization is trying to accomplish its objectives. 
Often, this immediate environment, which is usually the specific market that the company operates in, exists within a larger complex ecosystem of regulatory requirements, standards, economic pressures, ongoing business processes, customer-vendor interactions, and security threats and vulnerabilities, with all components interacting via a throng of technologies.</p><p>This complex ecosystem can be difficult to navigate, so for a team to succeed, the different levels of the organization must be on the same page. Executive management must be willing to listen and participate in the process. Team members must be willing to adopt a different approach to achieving success. And all stakeholders must realize that, while not every effort will be prosperous, setbacks provide a valuable opportunity for learning and improvement.  </p><p>Throughout my career, I have been fortunate enough to manage and direct diverse teams in both the private and public sectors. In the federal government, I led teams with the U.S. Secret Service and the National Nuclear Security Administration (NNSA), a semi-autonomous agency within the U.S. Department of Energy (DOE) that is responsible for enhancing national security. In the corporate world, I led teams at two multinational professional service firms, Deloitte and CACI International, and also served as CSO of a telecommunications company. </p><p>The concept and practice of leading teams can be broken down in several ways. First, there are the cornerstone principles that underlie many, if not most, effective teams. Second, there are specific elements to focus on when putting those principles into practice. Third, there are processes that are critical to building a team, from identifying needs to developing roles to measuring effectiveness. Fourth, there are the individual components of the process that leaders can focus on during the team’s operations, to maximize the chances of success.  
</p><p>This article will elucidate these principles and practical components of team building and team leading. It will also use real-life examples to sketch out some best practices that illustrate how key principles often come into play.​</p><h4>THE CORNERSTONES</h4><p>A leader who wants to build an effective team can learn from leaders who have already done so. Mentorships, therefore, were key to my success. When I met with challenges in trying to build a successful team and a security program, I turned to trusted peers such as Mike Howard at Microsoft; Peter Dowling at AXA Equitable; Tim Janes, CPP, at PayPal; and Brian Allen, CPP, at Time Warner Cable. These leaders divulged that three factors form the cornerstones of successful teams—leadership, communication, and collaboration.</p><p>Lead. These accomplished professionals all had established track records in building effective teams. And they also demonstrated through example that the key driver of team building is leadership. Effective teams have great leaders. What makes these leaders great is their ability to craft and hone a vision, express that vision and own it enthusiastically at all times, and continuously drive it to complete realization.</p><p>Even more important, these individuals cultivate support for their mission by maintaining an open leadership style that touches on every function within their organizations. In this way, they ensure a culture of empowerment, in which others are encouraged to use their talents to contribute to the effort. In addition to vision and an empowering leadership style, these leaders possess another key asset: a facility for masterful communication.  </p><p>Communicate. The link between superior communication and superior business results is a well-established one. 
For example, in Towers Watson’s 2010 communication ROI study, Capitalizing on Effective Communication, researchers found that firms considered the most effective communicators had total shareholder returns over a five-year span that were 47 percent greater than firms considered the least effective communicators. “Companies that communicate with courage, innovation, and discipline, especially during times of economic challenge and change, are more effective at engaging employees and achieving desired business results,” the study found.  </p><p>Communication is crucial in building teams because it fosters team chemistry. The act of successful communication builds connections between teammates by building trust and respect. Communication is about more than just trading knowledge—it’s about appreciating the emotion and intentions behind the information. In essence, effective communication is the glue that connects all members of a team. It promotes interdependencies among team members, which leads to a tighter-knit and more efficient working group. This facilitates decision making and allows for better problem solving. </p><p>However, effective communication is difficult. It is always a work in progress, takes constant effort, and requires more than simply listening and sending clear messages. For example, when I was CSO of a telecommunications company, communication was initially a struggle; the biggest obstacle was understanding the varying viewpoints among employees. </p><p>This was evident, for example, when we launched our crisis management operation. The project was challenged by various groups within the organization. Security won over naysayers by effectively talking through all the operational challenges. While not every discussion was smooth, we did manage as a team to come to a level of understanding and put together a comprehensive and effective crisis management plan.</p><p>Collaborate. 
Another quality on the list of attributes of a successful team leader is collaboration. Security leaders and their respective teams are frequently unaware of the business component of their efforts, and how the work that their team accomplishes advances the overarching objectives of the organization. Fortunately, this is becoming less common in the current business climate. The notion of security as a cost center has begun to change in light of two continuing developments: the emergence of the CSO as an influential player in the C-suite, and the growing understanding and acceptance that security touches every aspect of organizational operations.</p><p>In this context, collaboration is essential for security to be perceived as an integral part of an organization’s business objectives. Through collaboration, the team can effectively share relevant safety and security information throughout the organization. But for this collaboration to take place, team members must understand the obstacles that are blocking, or may potentially block, any channels of communication involving stakeholders. </p><p>For instance, while on an assignment with the federal government, certain officials failed to pass along the correct information needed for successful implementation of some programs. I approached the officials in question and diplomatically discussed who needed information in a timely manner, including the short- and long-term political and budgetary benefits. This collaborative approach succeeded in establishing rapport and bridging a communication gap. It also cemented a clear understanding that nothing would be compromised in implementing the program.​</p><h4>PRINCIPLES INTO PRACTICE</h4><p>A leader can build and expand upon these cornerstone principles in assembling and leading teams. In practice, I have found it imperative to ensure that my teams focus on four key elements: communication, listening, motivation, and reason-based conflict resolution. 
</p><p>The importance of these elements was highlighted when I led a team with the NNSA in the DOE’s Office of Defense Nuclear Security. Our team included engineers from different laboratories, and we were charged with completing a complex project that would assist in the protection of certain national assets. In practice, this meant an intense four days of dialogue and problem solving. </p><p>During this process, the team measured threats, initiated mitigation plans, recognized risk acceptance practices, managed incidents, and directed risk owners in developing their own remediation efforts. The other directors and I were able to play to the strengths of each member of our team to overcome any obstacles, eventually leading to solutions that benefited the agency. </p><p>When the project was concluded, the leaders held a “lessons learned” debriefing in which we considered the success of the project and the attributes of the team, so that we could evaluate and pass along what we learned from the experience and enhance our teamwork in future projects. Key to the success of the project, we found, was the diversity of the team and the varying experiences and subject matter expertise that members brought forth. Another crucial factor was the desire and motivation among team members to do something that at that time had never been done before. We learned that this resolve and type of project could be replicated.</p><p>Effective communication and listening were also essential to the project’s flow and focus, especially given the condensed time frame. Furthermore, in an effort to resolve conflict efficiently, we concentrated on leaving emotion out of the discussion, even though passion for the success of the project was high.</p><h4>BUILDING A TEAM</h4><p>Following cornerstone principles and focusing on key practice areas usually results in effective teams. 
Diving in deeper, I would also like to discuss the process that can be thought of as the roots of team leadership—assembling and establishing a team, in the context of a common professional goal of developing an effective team within 180 days. </p><p>In accomplishing the 180-day goal, I have found that the process of building a team can be broken down into eight components. They are sketched out below. </p><p><strong>1. Identifying needs. </strong>This starts the entire process: identifying that a certain situation in your organization can be best addressed or resolved by a team, rather than an individual leader or a consultant, and that effective work by such a team will facilitate the success of the organization.</p><p><strong>2. Framing the drivers.</strong> Setting expectations and parameters is crucial. Teams may specialize in day-to-day problem solving such as working through complications, overcoming challenges, and discovering solutions. Keep in mind that more fundamental issues—where to begin, what systems to use, what exactly will constitute success—may also be problems in need of solving. These may call for strategic decisions that require a deep understanding of your organization’s competencies and weaknesses.</p><p><strong>3. Developing roles and responsibilities.</strong> Understand that your team needs both leaders and doers. Some members may focus on developing strategy, others on raising awareness of the team’s efforts, others on cultivating trusted partnerships and ensuring that security has a seat at the table in all areas of the organization.</p><p><strong>4. Gaining executive management acceptance.</strong> Executive management must be willing to listen, and then commit to the team’s mission and goals. Given this, attention must be paid to how the effort can be framed and presented to senior management, so that it is clear how it will add value to the organization.</p><p><strong>5. 
Identifying ideal candidates.</strong> Composing the team is one of the hardest challenges because of all the qualifications that might be factored in, including general knowledge, expertise and experience, ability to learn, willingness, and drive. Sometimes, what works best is not selecting the most experienced or knowledgeable people available, but choosing those with the greatest capacity to collaborate and work together to accomplish a greater good. </p><p><strong>6. Developing and delivering training. </strong>Critical to a team’s success is its collective knowledge, which is supported by continuous training. A leader must ensure that team members have good technical and process knowledge, and are receiving enough training to keep it current.</p><p><strong>7. Measuring effectiveness. </strong>As the saying goes, you can’t manage what you don’t measure. Metrics should be developed and progress recorded.</p><p><strong>8. Cultivation and growth.</strong> Once metrics are measured, they should be evaluated so that they point toward ways in which the team can be more effective and efficient. This is the basis for further development and growth.   </p><p>These components come into play in assignments where the focus is on establishing and formulating security design, integration, and maintenance for commercial, industrial, and government high-security facilities, through the use of state-of-the-art hardware and software. These assignments require a team with members who have the ability to be cross-functional—strong in their particular area of expertise, but also able to jump in and cover other aspects of the project if necessary. </p><p>By emphasizing the key elements and principles of effective teamwork, security managers can build teams that are committed to achieving a common goal and mission. These successful teams will work together and share responsibilities, holding each member accountable for attaining the desired results. </p><p>--</p><p><em>J. Kelly Stewart is Managing Director & CEO of Newcastle Consulting, LLC, an enterprise risk and information management consultancy.</em></p>