Preface xviiiIntroduction xxiPart I Defining the Challenge 1Chapter 1 The Darker Side of High Demand 3Connected Medical Device Risks 4Ransomware 4Risks to Data 7Escalating Demand 10Types of Internet-Connected Medical Devices 11COVID-19 Trending Influences 12By the Numbers 13Telehealth 15Home Healthcare 15Remote Patient Monitoring 16The Road to High Risk 16Innovate or Die 19In Summary 26Chapter 2 The Internet of Medical Things in Depth 27What Are Medical Things? 28Telemedicine 29Data Analytics 30Historical IoMT Challenges 31IoMT Technology 36Electronic Boards 36Operating Systems 37Software Development 38Wireless 39Wired Connections 43The Cloud 43Mobile Devices and Applications 46Clinal Monitors 47Websites 48Putting the Pieces Together 48Current IoMT Challenges 48In Summary 50Chapter 3 It is a Data-Centric World 53The Volume of Health Data 53Data is That Important 55This is Data Aggregation? 57Non-HIPAA Health Data? 59Data Brokers 60Big Data 63Data Mining Automation 68In Summary 70Chapter 4 IoMT and Health Regulation 73Health Regulation Basics 73FDA to the Rescue? 77The Veterans Affairs and UL 2900 81In Summary 83Chapter 5 Once More into the Breach 85Grim Statistics 86Breach Anatomy 89Phishing, Pharming, Vishing, and Smishing 90Web Browsing 92Black-Hat Hacking 93IoMT Hacking 94Breach Locations 95In Summary 95Chapter 6 Say Nothing of Privacy 97Why Privacy Matters 98Privacy History in the United States 101The 1990s Turning Point 103HIPAA Privacy Rules 104HIPAA and Pandemic Privacy 104Contact Tracing 106Corporate Temperature Screenings 107A Step Backward 107The New Breed of Privacy Regulations 108California Consumer Privacy Act 108CCPA, AB-713, and HIPAA 109New York SHIELD Act 111Nevada Senate Bill 220 111Maine: An Act to Protect the Privacy of Online Consumer Information 112States Striving for Privacy 112International Privacy Regulations 113Technical and Operational Privacy Considerations 114Non-IT Considerations 115Impact Assessments 115Privacy, Technology, and Security 115Privacy Challenges 117Common Technologies 118The Manufacturer's Quandary 119Bad Behavior 121In Summary 122Chapter 7 The Short Arm of the Law 123Legal Issues with Hacking 124White-Hat Hackers 125Gray-Hat Hackers 125Black-Hat Hackers 127Computer Fraud and Abuse Act 127The Electronic Communications Privacy Act 128Cybercrime Enforcement 128Results of Legal Shortcomings 131In Summary 132Chapter 8 Threat Actors and Their Arsenal 135The Threat Actors 136Amateur Hackers 136Insiders 136Hacktivists 137Advanced Persistent Threats 138Organized Crime 138Nation-States 139Nation-States' Legal Posture 140The Deep, Dark Internet 141Tools of the Trade 143Types of Malware 144Malware Evolution 146Too Many Strains 147Malware Construction Kits 148In Summary 148Part II Contextual Challenges and Solutions 151Chapter 9 Enter Cybersecurity 153What is Cybersecurity? 154Cybersecurity Basics 154Cybersecurity Evolution 156Key Disciplines in Cybersecurity 158Compliance 158Patching 160Antivirus 161Network Architecture 161Application Architecture 162Threat and Vulnerability 162Identity and Access Management 163Monitoring 164Incident Response 165Digital Forensics 166Configuration Management 166Training 168Risk Management 168In Summary 169Chapter 10 Network Infrastructure and IoMT 171In the Beginning 172Networking Basics: The OSI Model 173Mistake: The Flat Network 175Resolving the Flat Network Mistake 177Alternate Network Defensive Strategies 178Network Address Translation 178Virtual Private Networks 179Network Intrusion Detection Protection Tools 179Deep Packet Inspection 179Web Filters 180Threat Intelligence Gateways 180Operating System Firewalls 181Wireless Woes 181In Summary 182Chapter 11 Internet Services Challenges 185Internet Services 186Network Services 186Websites 187IoMT Services 189Other Operating System Services 189Open-Source Tools Are Safe, Right? 190Cloud Services 193Internet-Related Services Challenges 194Domain Name Services 195Deprecated Services 197Internal Server as an Internet Servers 197The Evolving Enterprise 198In Summary 199Chapter 12 IT Hygiene and Cybersecurity 201The IoMT Blues 202IoMT and IT Hygiene 202Past Their Prime 203Selecting IoMT 203IoMT as Workstations 204Mixing IoMT with IoT 204The Drudgery of Patching 206Mature Patching Process 207IoMT Patching 208Windows Patching 208Linux Patching 209Mobile Device Patching 209Final Patching Thoughts 210Antivirus is Enough, Right? 210Antivirus Evolution 211Solution Interconnectivity 211Antivirus in Nooks and Crannies 212Alternate Solutions 213IoMT and Antivirus 214The Future of Antivirus 215Antivirus Summary 215Misconfigurations Galore 215The Process for Making Changes 216Have a Configuration Strategy 217IoMT Configurations 218Windows System Configurations 218Linux Configurations 219Application Configurations 219Firewall Configurations 220Mobile Device Misconfigurations 220Database Configurations 221Configuration Drift 222Configuration Tools 222Exception Management 223Enterprise Considerations 224In Summary 224Chapter 13 Identity and Access Management 227Minimal Identity Practices 228Local Accounts 229Domain/Directory Accounts 229Service Accounts 230IoMT Accounts 230Physical Access Accounts 231Cloud Accounts 231Consultants, Contractors, and Vendor Accounts 232Identity Governance 232Authentication 233Password Pain 233Multi-factor Authentication 236Hard Tokens 236Soft Tokens 237Authenticator Applications 238Short Message Service 238QR Codes 238Other Authentication Considerations 239Dealing with Password Pain 239MFA Applicability 240Aging Systems 240Privileged Access Management 240Roles 241Password Rotation 242MFA Access 242Adding Network Security 242Other I&AM Technologies 243Identity Centralization 243Identity Management 244Identity Governance Tools 244Password Tools 244In Summary 245Chapter 14 Threat and Vulnerability 247Vulnerability Management 248Traditional Infrastructure Vulnerability Scans 248Traditional Application Vulnerability Scans 249IoMT Vulnerability Challenges 249Rating Vulnerabilities 250Vulnerability Management Strategies 251Asset Exposure 251Importance 252Compensating Controls 252Zero-Day Vulnerabilities 252Less-Documented Vulnerabilities 253Putting It All Together 253Additional Vulnerability Management Uses 254Penetration Testing 254What Color Box? 255What Color Team? 255Penetration Testing Phases 256Scope 256Reconnaissance 256Vulnerability Assessments 257The Actual Penetration Test 257Reporting 258Penetration Testing Strategies 258Cloud Considerations 258New Tools of an Old Trade 259MITRE ATT&CK Framework 259Breach and Attack Simulation 259Crowd Source Penetration Testing 260Calculating Threats 260In Summary 261Chapter 15 Data Protection 263Data Governance 264Data Governance: Ownership 264Data Governance: Lifecycle 265Data Governance: Encryption 265Data Governance: Data Access 267Closing Thoughts 268Data Loss Prevention 268Fragmented DLP Solutions 269DLP Challenges 270Enterprise Encryption 270File Encryption 271Encryption Gateways 271Data Tokenization 272In Summary 273Chapter 16 Incident Response and Forensics 275Defining the Context 276Logs 277Alerts 278SIEM Alternatives 279Incidents 280Breaches 281Incident Response 281Evidence Handling 282Forensic Tools 283Automation 283EDR and MDR 284IoMT Challenges 284Lessons Learned 285In Summary 285Chapter 17 A Matter of Life, Death, and Data 287Organizational Structure 288Board of Directors 288Chief Executive Officer 289Chief Information Officer 289General Counsel 290Chief Technology Officer 290Chief Medical Technology Officer 290Chief Information Security Officer 291Chief Compliance Officer 291Chief Privacy Officer 291Reporting Structures 292Committees 293Risk Management 294Risk Frameworks 294Determining Risk 295Third-Party Risk 296Risk Register 297Enterprise Risk Management 297Final Thoughts on Risk Management 298Mindset Challenges 298The Compliance-Only Mindset 298Cost Centers 299Us Versus Them 300The Shiny Object Syndrome 300Never Disrupt the Business 301It's Just an IT Problem 301Tools over People 303We Are Not a Target 303The Bottom Line 304Final Mindset Challenges 304Decision-Making 304A Measured View 305Communication is Key 306Enterprise Risk Management 307Writing and Sign-Off 308Data Protection Considerations 308In Summary 309Part III Looking Forward 311Chapter 18 Seeds of Change 313The Shifting Legal Landscape 314Attention on Data Brokers 314Data Protection Agency 316IoT Legislation 317Privacy Legislation 318A Ray of Legal Light 318International Agreements 319Public-Private Partnerships 319Better National Coordination 320International Cooperation 322Technology Innovation 323Threat Intelligence 323Machine Learning Revisited 323Zero Trust 324Final Technology Thoughts 325Leadership Shakeups 325Blended Approaches 326In Summary 327Chapter 19 Doing Less Harm 329What IoMT Manufacturers Can Do 330Cybersecurity as Differentiator 332What Covered Entities Can Do 332Cybersecurity Decision Making 333Compliance Anyone? 334The Tangled Web of Privacy 335Aggregation of Influence 335Cybersecurity Innovators 337Industrial Control Systems Overlap 338What You Can Do 339Personal Cybersecurity 339Politics 341In Summary 342Chapter 20 Changes We Need 343International Cooperation 344Covered Entities 344Questions a Board Should Ask 345More IoMT Security Assurances 346Active Directory Integration 347Software Development 347Independent Measures 348In Summary 348Glossary 351Index 367

MATTHEW WEBSTER is a Chief Information Security Officer with 25 years of IT and information security experience. During that time, he has worked with many sizes and sectors of organizations including Fortune 100. Matthew has built several security programs from the ground up, significantly reduced risk, and helped companies pass multiple types of security audits.