
Learning Organization

By Randy Rose, Director of Cybersecurity, Tasman Global

To keep pace with the rapid change of technology, particularly the threats that face us, we must become learning organizations. Staying ahead of the curve involves a culture shift toward focusing efforts on adapting for the future. This is a lot easier said than done, especially for larger organizations.

Adaptation is innately human, but that doesn’t mean it’s easy, especially when we consider that other human characteristics are in stiff competition with adaptation. We humans are inherently lazy, and I don’t mean that in a negative way. We’re meant to conserve energy, not expend it on things that do not put food into our bellies.

Our ancestors evolved in an environment where resources weren’t always easy to come by. They hunted, foraged, and scavenged for millennia before inventing agriculture. It is during this time that so much of our brain development occurred, and many of those biological mechanisms that drove our ancestors continue to exist today.

A non-technical example is dieting. It is extremely challenging to change our diets to eat healthier, especially with so much junk food surrounding us and being constantly thrust into our faces on TV, in web ads, and even in the checkout aisles at our local grocery store. But what makes it even harder to say no to sweets is that sugar equals calories, which equals energy, and somewhere deep in our psyche is a hungry paleolithic person scrounging for every sweet bit of energy available.

So, how do we convince ourselves that spending seemingly precious resources on building a culture of learning is the way to go? Well, we have to look beyond the windshield. Americans are especially good at focusing on the windshield. But if we are to match or exceed the pace of technological growth, as the world races rapidly toward the singularity, we must be future-focused, and willing to take chances.

What are some things you can do today to help set yourself up for success? Only your organization will know exactly what works for you, but here are some things that have worked for others:

  • Develop learning plans for the organization, teams, and individuals;

  • Many organizations, including Starbucks and Google, offer employees tuition reimbursement;

  • Strategically allocate a percentage of your budget for learning and professional development;

  • Relax traditional views of the work environment; many employees, particularly in tech fields, are more productive when allowed to work remotely;

  • Pilot programs to encourage outside-of-the-box creativity, such as allowing employees 10% or more of their time for innovation, allowing some teams to have a Results-Oriented Working Environment (ROWE), and building makerspaces or other creativity-boosting environments; and

  • Make your organization a place where people want to come to work, because it is rewarding and fulfilling.

Sometimes the change needs to happen at the top and trickle down. In this case, it is important for those leading the organization to know that there is a very specific difference between learning and training. Training is about instruction. Learning is about wisdom.

A true learning organization does not make the same mistakes over and over. A learning organization doesn’t punish failure, but rather encourages failing in the right way, and failing better every time. A learning organization promotes collaboration, innovation, experimentation, risk taking, and information sharing. A learning organization withstands the test of time. 

Contact Tasman Global if you would like to turn your organization into a learning organization.

“The illiterate of the 21st Century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.” ― Herbert Gerjuoy, psychologist



Greg Jenkins, one of our advisors working in the Netherlands, is celebrating his two-year anniversary here at Tasman. We felt that this was a great opportunity to talk to him about his experience at Tasman and working abroad. Without hesitation, Greg took the time to discuss his time with us.

Where are you from?

Laconia, New Hampshire, United States

Is this your first experience working abroad?

No - I worked in London for two years prior. 

What is the most enjoyable thing about being in the Netherlands?

I’ve cycled everywhere my entire life. It’s extremely nice to live in an area where this is so integrated into the culture. Additionally, being in Amsterdam, there’s always a lot going on in terms of music, food, festivals and activities. 

Where have you found your biggest challenge?

Learning to speak Dutch certainly takes a lot of work and practice. It’s coming along fairly well though. 

How would you compare the Dutch work culture to that of the United States?

More personal. There’s less direct management involvement in structuring your day to day routine. It feels more like a family than a company. 

Can you describe a quintessential Dutch moment you’ve had?

I ate guacamole mixed with mayonnaise the other day. I wouldn’t recommend it, but adding mayo to everything is pretty Dutch.

If you could put into words the intangibles of being here, what would they be?

There’s a really nice vibe to the cities here. I feel completely comfortable and at ease in Amsterdam and have since I arrived.

Have you traveled much since being here? Where have you gone?

I’ve traveled extensively over western and central Europe. I met my girlfriend here and had the opportunity to go down to South Africa with her to visit her friends and family.

How would you like to describe your experience to future Tasman advisors?

It has been wonderful. Working with a small company you have a personal relationship with everyone in it. You feel genuinely heard.

What advice would you give to future Tasman advisors?

Working and living in another culture is great. It will help you realize how little most changes matter. You can succeed anywhere as long as you embrace it. 

Who would you recommend this experience to?

I’d recommend it to anyone considering it. It’s one of the better decisions that I’ve ever made.


If you’re interested in learning more about the opportunities available at Tasman, do not hesitate to reach out or send along your resume. We are always looking for individuals who are ready to make the move into international consulting.



By Adrienne Flatland, Managing Director, Tasman Global

Welcome to the first in a series of posts focusing on how to better handle the complexity of international implementations. In this article, we look deeper at the first of those areas: how you can produce workflows and build that focus on the core goals of your implementation.

Designing and driving an implementation towards success is always a challenge. International implementations are no exception. However, we often see that methodologies and what constitutes success can differ dramatically between countries. This makes defining the requirements, the expectations of the system, and the goals of the implementation much more critical. Handling this process well can make your implementation straightforward and a success.

Let us look at a few things you can do during the scope definition phase that will set you up for success.


Workflow Definition:

Today, your organization likely has workflows that your staff knows well and are comfortable following.  Often, there is temptation to simply replicate these workflows in your new system - resist the temptation to copy what’s been done before outright.

Take a moment to reflect and ask the following questions:

  • What is the desired outcome?
  • What are the necessary steps to achieve that outcome?
  • Are some steps redundant or unnecessary?

By establishing the core requirements of a workflow, you can design new workflows that are more efficient and manageable.


Information Documentation:

Core requirement documentation extends beyond workflows to individual pieces of information.   Often, there are multiple ways to handle pieces of information in the system. Some are very intensive for the user, but highly accurate.  Sometimes there is an option that is automated but may have limitations. Which will serve your users and patients better?

Some items to consider when determining why information needs to be available or how it should be stored:

  • What benefit are you trying to get from the system by including a particular piece of data in your processes?
  • What is the reporting need for this piece of data?
  • Who needs to be able to access this later?
  • Does a user need to document this information, or could the system calculate it for them?
  • Does this information need to be present for regulatory reasons?
  • If we decide to include this now, is it still going to be necessary in the future?


Engage End Users:

The project team often knows there are multiple ways to handle certain processes; however, it’s often hard for stakeholders to know what the project team could build.  Keep these individuals engaged in the conversation with the project team. Ensuring the users of the software are comfortable with redesigning what is required for them in the system is critical.  Making sure everyone feels comfortable concentrating on the core requirements will lead to a workflow that helps supplement the user’s documentation process, rather than one that requires more work.

Finally, make sure you start this process early.  The sooner you concentrate on the core requirements, the easier it will be in the future.  Start as soon as your team is certified. So much information is collected during the Discovery Phase and validated only a month or two later.  This validation ultimately is the template of the final product for go-live. Making sure you have all the information required, and only the information required, early can save you from having to re-do validation sessions and build. It will make the months of build and testing go much smoother, saving you time and money.

Need help clearly defining your scope?  Want to have experienced implementation advisors come alongside your teams to help them through this process?  We’re ready to help with skilled application managers who know what questions to ask and what common pitfalls to watch out for.  We’ll audit your scope decisions and workflows to make sure your scope is sufficiently defined up front, making you more likely to hit your build milestones and have satisfied end users.



By Randy Rose, Director of Cybersecurity, Tasman Global

The world is a complex thing. When you break it down, it’s a seemingly infinite and complex system of systems. There are personal relationships, business environments, traffic laws, advancements in communications platforms, weather patterns, social structures, and on and on. We, as individuals existing in these systems, must figure out how to navigate them each and every day.

The realms of Information Technology and Cybersecurity are no different than other systems. They just have their own language. And it is incumbent on each of us, as business leaders, technical professionals, and providers of healthcare services for millions of people around the world to know how to speak this language.

And for this reason, it’s important to understand the power of the metaphor.

I was in a leadership class recently focused on navigating change during turbulent times. I was well familiar with most of the content, but what struck me as unique and interesting was a section focused on using metaphors as a conscious element in leadership communication. As a fan of metaphor in my writing and daily communication, I see a lot of value in the idea of training others to use metaphors more deliberately, especially in such a complex and technical field as IT.

Metaphor, simply put, is the direct comparison of two unlike things that encourages the understanding of more complex ideas through connection with familiar concepts. Metaphor is quite similar to simile, but not as explicit. Simile requires the use of the words “like” or “as” when drawing a comparison, which is great for description, but does not drive connection in the same way.

“It’s as if we all wear masks from time to time,” versus “We all wear masks from time to time.”

The former is a simile; the latter a metaphor. While they both essentially say the same thing, the first has a layer of separation to it. It is not as personal.

And we see this in creative writing quite frequently. “All the world’s a stage, and all the men and women merely players. They have their exits and their entrances.”1 “All our words are but crumbs that fall down from the feast of the mind.”2 “I shall be telling this with a sigh/Somewhere ages and ages hence: Two roads diverged in a wood, and I—I took the one less traveled by, And that has made all the difference.”3 “Out of the frying-pan, into the fire.”4

I find that I use both simile and metaphor every day as I translate technical concepts to non-technical audiences. “We are in the early days of aviation, still figuring out how to fly these things.” “Routers are airplanes; switches are city buses. You wouldn’t fly a 747 to get across town.” “Russian cyber actors are stealthy and fast, attacking like ninjas under the cover of darkness, taking what they want, and covering their tracks. If they want to steal your beach, they show up one night and take as much as they can and you never see them again. Chinese cyber actors are much different; they get your beach one grain of sand at a time over a period of 30 years. You don’t even notice they’ve stolen it until your exact beach is on their coastline.” “Cyber is a neighborhood: there are good and bad people living there, many just want to be left alone, and almost everyone thinks no one is looking in their windows.”

I was recently explaining a polymorphic malware sample my team had been analyzing to some military leaders and found myself saying something to the effect of, “You’re looking at a bad guy who can change his DNA after every crime he commits using information he collects from the scene of the crime. It’s going to be tough to catch this guy. But, luckily for us, bad guys order pizza, too. We just need to adjust what we’re looking at, and we’ll get him.”

I could have launched into a 20-minute dissertation on the specifics of the code we analyzed, the precise host values the malware uses to modify its code as it replicates and spreads, and how looking at a signature for the malware would likely lead us down the wrong path, so we should rather look at specific memory locations or application hooks for suspicious activity. But that would likely not have had the same impact on the audience, as most of the language I would have had to use would have been confusing. I might as well have spoken in tongues.

Through the use of metaphor, I can connect in a meaningful way to audience members across a wide range of technical skills. Each of us shares so many experiences on a daily basis that there is no shortage of examples for comparison.

If you’re a technical leader or expert, I challenge you to speak in metaphors as you communicate up and out. Gauge the difference in impact it has.

If you’re an executive, I leave you to ponder what lexicon your technical staff or your vendors are using on you. Challenge others to use metaphors to ensure everyone is speaking the same language.

Lastly, if you think you’re being bombarded with technical mumbo-jumbo, contact us at Tasman Cybersecurity. We can help de-fog the dark cloud of technical jargon.

“I can see clearly now, the rain is gone.” ― Johnny Nash

1 - William Shakespeare, As You Like It

2 - Khalil Gibran, Sand and Foam

3 - Robert Frost, The Road Not Taken

4 - J.R.R. Tolkien, The Hobbit



By Steve Lewis, Account Management, Tasman Global

Last week, a few of us at Tasman were able to attend the European UGM at UMCG in Groningen. It was a fantastic opportunity to see the Epic transformation happening across Europe. Being able to connect with such a diverse group of healthcare organizations was a great experience. Everyone was united in their goal to create safer, healthier, and happier patients with Epic. So much experience exists across these organizations. Forums like this exist as a valuable tool to share stories and lessons learned – to the benefit of all.

A number of amazing topics were presented. Organizations shared valuable lessons learned like how to make an ongoing training program successful (Spaarne Gasthuis), how to harness SmartTools for efficient nuclear medicine reporting (UMCG), and how physician builders can help shape a better system (MCL). The great part about each of these initiatives is how many options are out there to better your own system. Taking even one of these examples can make a huge difference at your organization.

Additionally, three hospitals shared their journey and the value they saw in achieving HIMSS stage 7. The most important part these presentations highlighted was how the goals of HIMSS align with their hospitals' overall safety and quality goals. Stage 7 became another lens through which to review their processes and was good value for minimal investment.

One of the great developments this year was how this forum became all-European. While there was still a dominant Dutch feel, the group was able to appreciate and learn from the differences that each country and culture brought to the table. One particularly interesting presentation was from Apotti (Finland), which is the first organization to support a population's wellbeing using Epic for both health care and social care. While some of these learnings may not be immediately relevant in all countries, as the newer implementations go-live and mature, the learning and sharing opportunities will grow significantly.



By Randy Rose, Director of Cybersecurity, Tasman Global

It’s critical to your business to think critically. You must especially think critically about risk and what it means to your mission.

Cybersecurity risk is no different. Yet most vendors would have you think otherwise. The business of cybersecurity, like every other business, is driven by profit, and few things result in bigger profits than fear. Nearly every vendor today uses fearmongering tactics to increase the chances that gullible customers will fork over loads of money toward their “state-of-the-art” solution. They use spooky language like ransomware, advanced persistent threats, privilege escalation, lateral movement, data exfiltration, and cybergeddon.

In fact, some friends of mine (who shall remain nameless) from another cybersecurity organization (which shall also remain nameless), went through tremendous effort to call attention to this in the most beautiful way: they set up a booth at this year’s RSA Conference masquerading as old-timey snake-oil salesmen, offering old fashioned tinctures, salves, and liniments for the “good people of the world wide web [to save them] from cyber outlaws, APT bandits, virtual pirates, malware hoodlums, and the sort.”

F.A.K.E. Security1 did more than just poke fun at other vendors and rattle some feathers2. They highlighted a significant problem in this industry: customers do not know what they need and do not have the requisite knowledge to apply key critical thinking to the data being thrown their way. This results in vendors using flashy displays, fancy language, and scare tactics to convince customers they need to buy, buy, buy!

Fortunately for all of you, a little bit of critical thinking can go a long way.

Critical thinking is broadly defined as “the objective analysis and evaluation of an issue in order to form a judgment.” The Foundation for Critical Thinking offers a more specific definition: “Critical thinking is the intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning, or communication, as a guide to belief and action. In its exemplary form, it is based on universal intellectual values that transcend subject matter divisions: clarity, accuracy, precision, consistency, relevance, sound evidence, good reasons, depth, breadth, and fairness.”

Whoa. What a mouthful.

You may ask yourself how someone can think critically when they don’t have the right information to think about. Luckily for everyone, the one thing we have in great abundance today is information. We have loads of information; we’re just missing the piece where we turn that information into knowledge (and, in turn, knowledge into wisdom).

Of course, there are tools for that. But we don’t necessarily need tools to think critically about the data. What we need is simply to ask the right questions.

Indeed, this is the basis for data science! Data science provides the means to make precise, reliable, and quantitative arguments about any set of observations. Those means often come in the form of statistical queries, which you can almost certainly do today with the tools you already have in place. But often, those kinds of queries don’t even require tools; they require imagination and resolve.

What kinds of questions are you asking your data?

Let’s assume you’re the CIO or CISO of a hospital. What kinds of data do you have? Certainly you should have network and host data, user access logs, email header data, and, perhaps, logs from boundary devices (e.g., firewalls). You have data related to your mission, vision, and values, your strategic plan, your internal policies, your budget, and your work culture.

Questions you can, and should, be asking are:

  • What are my users doing?
  • What risk(s) does that present?
  • What other internal risks am I accepting?
  • What are the external risks to my organization (threats × exposures/vulnerabilities)?
  • What mitigations/controls/countermeasures am I currently employing?
  • Am I meeting the requirements (i.e., legal/regulatory, internal, accepted best practice, etc.) of my organization? And how?
  • Am I collecting the right data to answer tough questions if and when I need to respond to an incident?
  • Is anyone reviewing the data we’re currently collecting?

Nearly every decision you make as a leader in your organization can and should be done in the context of the organization’s mission, vision, values, and strategic plan. When you keep these in your pocket at all times, it’s easy to see through the nonsense.

When a vendor tries to sell you some fancy, whiz-bang cure-all in a box, immediately ask yourself the following:

  • Who benefits from this interaction?
  • Who can provide a second opinion (particularly an impartial or even opposing one)?3
  • What is the alternative (especially a non-tool-specific alternative) to this solution?
  • What problem does this solution solve and is it truly a problem for me?
  • Where else has this product been deployed (and is that comparable to my organization)?
  • When would it be most beneficial/practical to deploy a solution such as this?
  • When might it be problematic?
  • Why is this relevant to me?
  • Why would I need this today?
  • How is this different than what I currently have in place?
  • How does this make my organization better?
  • How is this disruptive (if at all)?

Always be mindful of anyone trying to tell you their solution is the solution. No solution is the solution. Like the old adage says, “If it sounds too good to be true, it is.”

And if you feel like you’re in over your head, give us a call. We don’t sell any products and we certainly are not in the process of selling snake oil. We do provide consulting services, but the critical thinking is free of charge.

“No problem can withstand the assault of sustained thinking.” ― Voltaire

1 - You can see their amazing videos and read about their “company,” named for their founder Francis Archibald Keyes, Esquire, at https://www.fakesecurity.com/

2 - And, believe me, they did rattle some feathers. It turns out that fearmongering, overpromising, and under-delivering vendors do not like being called out for their misleading representations of their own products and capabilities, even when it’s in jest.

3 - Abraham Lincoln chose his Cabinet members specifically from those who opposed him politically because he separated his personal convictions from what he knew was necessary for the country at the time. He compared his selectees’ strengths and weaknesses against his own, and chose four individuals who would challenge each other while at the same time complementing each other’s capabilities. This is not only a great representation of critical thinking applied practically, but it also says incredible things about President Lincoln’s emotional intelligence and psychological fortitude.



By Randy Rose, Director of Cybersecurity, Tasman Global

The European Union General Data Protection Regulation (GDPR) took effect last Friday, and it has been a long time coming. Many organizations in Europe (and beyond) feel ill-prepared to meet the requirements of a regulation which, 2 years after approval1, is now officially enforced.

We’ve prepared a quick snapshot of the basic facts you need to know to be “smart” on GDPR.

What is GDPR?

GDPR is a new comprehensive data protection law that requires businesses (not just healthcare providers2) to protect the personal data and privacy of citizens for transactions that occur within EU member states. Personal data, in the context of GDPR, is any information relating to an identifiable person3 who can be directly or indirectly identified by reference to an identifier. An individual is referred to as a data subject within the construct of the regulation.

What was the impetus for GDPR’s creation?

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. Historically (at least, in the context of the last few decades), European governments have been much more concerned over the privacy rights of individuals than their American counterparts. Europe has had more stringent rules over the use of personal data by governments and private companies compared to economies elsewhere in the world. GDPR updates the EU’s Data Protection Directive, which went into effect in 1995 and which, as you are aware, predates widespread use of the Internet and therefore does not address many of the ways in which customer data is collected, stored, transmitted, used, and shared today.

Does GDPR only apply to EU member states?

No; GDPR applies to all organizations that sell goods or services to, or monitor the behavior of, EU data subjects. This means U.K., U.S., and other non-EU companies that partner with and/or provide services for organizations within EU member states where there is any data sharing are likely required to comply with GDPR. Many healthcare and technology companies fall into this category. GDPR applies to all companies processing, transmitting, and holding personal data related to any data subjects residing in the European Union, regardless of the company’s location.

What are the key concepts of GDPR?

GDPR applies to privacy data that includes standard personally identifiable data such as name, address, and national ID numbers, as well as web data (location, IP address, web cookies, RFID tags), health data, genetic data, biometric data, sexual identity data, and even political affiliations.

Companies required to comply are those that have a presence in an EU country or that process personal data of EU citizens despite not being located in the EU. Additionally, companies with 250 or more employees must comply. Companies with fewer than 250 employees that process specific types of personal data, or that perform data processing on data subjects on more than an occasional basis, must also comply.

GDPR defines several roles responsible for ensuring compliance:

  • Data controller—defines how personal data will be or is processed within an organization and the purposes for which it is processed
  • Data processor—groups that maintain and process personal data records (which can include outsourced firms, such as cloud service providers)
  • Data protection officer—designated by the data controller and the data processor to oversee GDPR compliance

Of note, GDPR holds data processors responsible for breaches as well as for non-compliance concerns.

What are the Penalties associated with non-compliance?

Your organization may face fines as high as the greater of 4% of annual global turnover or 20 Million Euros. Granted, a fine this steep is reserved for the most egregious infringements, which include violations of customer consent to process data and violations of the core Privacy by Design4 concepts. GDPR favors a tiered approach to fines: an organization can be fined for violations across a wide range of actions, including direct violations of data subject data and problems with notification, as well as policy and records management violations.

What else do I need to know?


Many have raised concerns with the vagueness of the new regulations, including language that requires organizations to provide a “reasonable” level of protection without defining what constitutes “reasonable.”

One of the more interesting components of GDPR is the Data Subject’s Right to be Forgotten. Captured in the law as Data Erasure, this provides data subjects with the right to request, under certain conditions5, that the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data, with which the data controller must comply or face penalties.

Others have raised concerns with the costs believed to be required to comply with the law. Many companies believe it will cost them between $1M and $10M USD to get their organization into compliance. Approximately 9% of US-based companies surveyed by the firm PriceWaterhouseCoopers claimed it would cost them more than $10M USD.

The numbers can be scary and that’s where we can help.

Tasman Cybersecurity can keep you well within GDPR requirements all while providing the best possible security mechanisms at the lowest cost to your organization. We use a unique risk buy-down approach to help you eliminate the most risk using the least resources so you can provide the services that best meet your unique mission and vision.

For more information on GDPR, visit https://www.eugdpr.org/

Contact us for more information about how Tasman can help you.

1 - GDPR was formally approved by EU Parliament on 14 April 2016

2 - GDPR extends to any and all organizations that operate in Europe

3 - Sometimes described as a “natural person”

4 - Privacy by design requires the inclusion of data protection from the earliest stages of the systems design lifecycle, rather than being added later. 

5 - The conditions are outlined in article 17 and include the data no longer being relevant to original purposes for processing as well as a withdrawal of consent by the data subject.



By Randy Rose, Director of Cybersecurity, Tasman Global

“Time flies like an arrow; fruit flies like a banana.” This stunning example of both antanaclasis1 and double entendre2 is a good scene setter. The first part will be obvious in the next sentence; the second is just a testament to how my own brain works: bananas are delicious, and they’re also good for health, and, naturally, “health” reminds me of healthcare. Thus, we arrive at the point of this post: it has been a year since the large-scale, multinational ransomware attack that crippled the UK’s National Health System (NHS); what have we learned?

Let’s start with what we know of the attack:

  • The principal ransomware was dubbed WannaCry by the security community;
  • WannaCry is a worm that spread rapidly across interconnected computer systems worldwide, estimated to have impacted over 200,000 systems in 150 countries;
  • Ransomware is a specific type of malicious file that encrypts files on a system and/or connected storage locations and holds them for ransom;
  • Ransomware ransom is typically paid in cryptocurrency;
  • WannaCry has been attributed to actors in North Korea (Lazarus Group), believed to be sponsored by the nation-state itself;3
  • WannaCry exploited a Windows vulnerability that is suspected to have been discovered by the United States National Security Agency;
  • The vulnerability that was exploited lies in the Windows implementation of the Server Message Block (SMB) protocol, which is used for network communication on a Windows domain;
  • The NSA is believed to have discovered this vulnerability and to have developed an exploit called EternalBlue, which was in turn stolen and released to the public by the hacking firm Shadow Brokers;
  • Microsoft had also discovered this same vulnerability over a month earlier and released a patch for it, yet many systems remained unpatched at the time of the attack;
  • WannaCry is comprised of multiple components that include a dropper file, an encryptor/decryptor, files containing encryption/decryption keys, and a copy of the Onion Router;4
  • The program code was not obfuscated, thus it was easy for experts to analyze;
  • Analysis led to the discovery of a kill switch domain hard-coded into WannaCry that ultimately led to thwarting the attack (after British researcher Marcus Hutchins registered the domain and created a site);
  • The four most affected countries were Russia, Ukraine, India, and Taiwan; and
  • One of the largest single victims was the UK NHS; more than one-third of health trusts in England were affected by the attack with upwards of 70,000 devices, including computers, MRI scanners, and blood-storage refrigerators, impacted
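As an added example (not code from the original post or from any of the parties it describes): a small probe that asks a host whether it still accepts an SMBv1 Negotiate Protocol request, the protocol version EternalBlue targets. Any host that answers "yes" belongs at the top of the MS17-010 patch list and should have SMBv1 disabled regardless. The packet layout follows the public MS-CIFS specification; the server reply used in the self-check is constructed locally, and no real hosts are contacted unless you name them on the command line.

```python
"""Probe for SMBv1 support on TCP/445 (added example, not the post's own code)."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"   # the SMB1 dialect EternalBlue abuses


def _smb1_header(flags: int) -> bytes:
    """32-byte SMB1 header (MS-CIFS 2.2.3.1): magic, command, NTSTATUS, Flags,
    Flags2, PIDHigh, SecurityFeatures(8), Reserved, TID, PIDLow, UID, MID."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, flags,
        0xC853,          # Flags2: Unicode, NT status codes, extended security, long names
        0, b"\x00" * 8, 0,
        0,               # TID: no tree connected yet
        0xFEFF,          # PIDLow: arbitrary
        0,               # UID: not authenticated
        0,               # MID
    )


def build_negotiate_request() -> bytes:
    """NetBIOS-framed SMB1 Negotiate Protocol request offering only NT LM 0.12.

    Offering just the SMB1 dialect means an SMB2/3-only server cannot select a
    newer dialect; it will refuse the request or drop the connection.
    """
    dialects = b"\x02" + DIALECT_NT_LM_012 + b"\x00"          # BufferFormat, name, NUL
    body = struct.pack("<BH", 0, len(dialects)) + dialects     # WordCount=0, ByteCount
    smb = _smb1_header(0x18) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb         # NetBIOS session message


def parse_negotiate_response(data: bytes) -> bool:
    """True only if the reply is an SMB1 Negotiate response that selected a dialect.

    Negative cases: too short, SMB2 magic (0xFE 'SMB'), non-zero NTSTATUS, no
    parameter words, or DialectIndex 0xFFFF (server refused every dialect).
    """
    if len(data) < 4 + 32 + 3:
        return False
    smb = data[4:]                                   # strip the NetBIOS header
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return False
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return False
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return dialect_index != 0xFFFF


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> bool:
    """Send one negotiate request and report whether the host accepted SMB1."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(1024)
    except OSError:
        return False   # closed port, timeout, or reset (typical when SMB1 is disabled)
    return parse_negotiate_response(data)


def constructed_negotiate_response(dialect_index: int) -> bytes:
    """A server reply built locally for the self-check (constructed, not captured)."""
    words = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32   # WordCount=17 for NT LM 0.12
    smb = _smb1_header(0x98) + words + struct.pack("<H", 0)        # reply flag set, ByteCount=0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for target in sys.argv[1:]:
        verdict = "accepts SMBv1 (patch and disable)" if probe_smb1(target) else "no SMBv1 reply"
        print(f"{target}: {verdict}")
```

Run it as `python3 smb1_probe.py host1 host2 ...` against your own inventory. A "no SMBv1 reply" result means the host refused the SMB1 dialect or is not listening on 445; it does not prove the host is patched, so treat the probe as a triage filter ahead of proper patch verification.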

These bullets represent different observations, but to progress, we must turn those observations into lessons learned. In other words, we must turn data into knowledge into wisdom. So, what have we actually learned from all of this?

You may have noted the bullet in the middle stating that Microsoft had patched the vulnerability before the attack. Indeed, Microsoft released Security Bulletin MS17-010 on 14 March 2017, nearly two months before the attack crippled systems around the world. Microsoft rated the bulletin Critical, yet administrators the world over failed to deploy the patch.

Of note, the initial patch was only available for supported operating systems, which by then no longer included Windows XP. However, since many networks still ran XP devices, particularly within the UK’s NHS, Microsoft made an out-of-band SMB patch available for those systems within days of the outbreak.5

So, that’s it. We just need to keep systems patched and updated.

Not so fast. Yes, patching and updating is critical. But this is part of a bigger problem with the cybersecurity culture across the board. And nowhere is it more critical than in healthcare.

At this point, the UK has failed to solidify a real action plan. Think about that for a minute. It has been a year since a malware infection—one that did not impact other critical sectors, such as US DoD or UK Defence systems—and the UK still has no solid plan to fix the culture. Indeed, every single one of the 200 NHS trusts in the UK audited for cyber security purposes has failed their on-site assessment6, yet not a single one has agreed to an action plan.

Yes, NHS has signed a £150M agreement with Microsoft to upgrade all systems to Windows 10 (whose automatic updates help ensure systems are not left unpatched). Yes, this new agreement is supposed to bring new threat intelligence capabilities to the NHS. But it still does not address the basic culture.

The UK’s National Audit Office reported that the attack, which they consider unsophisticated, could have been easily prevented if NHS followed basic security best practices.7

Ransomware is small potatoes. The looming threat of truly sophisticated, nation-state sponsored8, or advanced criminal attacks, or even unwitting internal mistakes9 requires a lot more than regular patches and backups. It requires a culture change.

We at Tasman Global are poised and ready to lead that change. Our mission is to enhance the cybersecurity landscape for all patients around the world through customized, risk-based, and strategic solutions. Regardless of where you are on your journey, we can help you navigate. Let Tasman Global be your compass for changing the cyber culture.

“Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day.”  ― Frances Hesselbein

1 - A rhetorical device in which a phrase or word is repeatedly used, though the meaning of the word changes in each case.

2 - A word or phrase open to two interpretations, one of which is usually risqué or indecent.

3 - Kaspersky Labs and Symantec both performed code analysis and have identified similarities with earlier identified Lazarus Group code; Microsoft, UK National Cyber Security Centre, and the US Government (with concurrence from Canada, New Zealand, and Japan) all assess the attack originated in North Korea

4 - The Onion Router is a free software that enables anonymous communication through complex routing across a network of systems and relays using the service.

5 - Later analysis found that the great majority (~98%) of affected systems were running Windows 7, which is currently supported by Microsoft.

6 - https://www.theregister.co.uk/2018/02/06/200_hospitals_failed_cyber_security_assessment/

7 - https://www.independent.co.uk/news/uk/home-news/health-department-it-security-wannacry-nhs-hack-report-jeremy-hunt-funding-national-audit-office-nao-a8021881.html

8 - https://www.independent.co.uk/news/uk/home-news/russian-hackers-target-millions-devices-cyber-attacks-us-uk-intelligence-warn-a8307696.html

9 - https://www.theregister.co.uk/2018/05/02/computer_algorithm_blamed_for_450k_women_failing_to_receive_breast_screening_invite/



By Adrienne Flatland, Managing Director, Tasman Global

European UGM is coming up this Friday and we at Tasman are getting excited. Conferences like this are the best way to spread knowledge across the broader Epic community. So many conversations start here and they can have a huge impact on you and your organization’s Epic journey. In celebration of that learning, we have put together some ways to make this a great event:

1. Meet other Epic customers who are similar to you.

It’s important to develop a network within the Epic customer community. EU UGM is the perfect place to meet people from other European hospitals - who face similar challenges, have similar questions and similar opportunities. Unlike UGM in the states, there is no need to sort through 100s of customers in a massive conference hall. EU UGM is smaller and more personal, which means you can actually meet the people you can learn from most.

Academics will likely seek out other academics and nationalized healthcare organizations will look for other nationalized healthcare groups - but have you also thought of looking for organizations who have similar goals? What about finding one that has handled one of your pain points very well?

2. Continue the conversation after UGM.

The opportunities for collaboration only start at EU UGM. Maintaining communication with the organizations you meet allows you to continue to benefit from what they have learned, while sharing what you have learned. Everyone attending is within similar time zones - you don’t need to cross an ocean to visit each other. This means you can easily arrange a call or site visit after the conference to follow up on a topic that sparked your interest. You can also become friends on the UserWeb, share content, and negotiate for Epic development together.

3. Learn from others so you don’t waste your time trying to do it the hard way.

We all know someone who spent weeks trying to figure out how to address a problem only to hear later that another Epic customer put together a solution 6 months ago. Don’t be that guy. Save time and agony by learning from those around you before you start. Both in presentations and discussions, you’ll get to hear what others are doing to address your challenges. Then you can take that newfound knowledge back to the office on Monday and impress your team.

4. See what others are doing so you stay fresh.

Technology moves quickly. How do you keep your environments in sync? Do you use spreadsheets or are you utilizing Content Management? How do you track your build? In spreadsheets or the new Orion? Have you kept your system up to date with the latest functionality?

If you aren’t staying ahead, it’s easy to fall behind. Stay informed by learning from others who are either a few steps ahead of you or newer to the Epic journey. Oftentimes the veterans fall behind because they don’t know what’s new or that recommendations have changed. New customers tend to have more, and newer, functionality turned on at go-live. They’ll be able to teach you about the functionality or tools they used to make it all happen. Picking up some of the new functionality and tools could bring big benefits to your team!

5. It’s only one day - making it more efficient than other Epic-related conferences you could attend.

No need to fly for 12 hours and waste two days with travel for XGM in the states. European UGM is one day so you don’t miss out on a week’s worth of meetings and emails and it’ll be easier to get approval from your manager. As an added bonus, you won’t be jet lagged and exhausted from a week’s worth of sessions. It’s a 12-hour jump-start. After EU UGM you’ll be re-energized and ready to tackle those emails and build tasks on Monday morning.

6. You have many opportunities to present the cool things you do.

Sure, you can present at XGM or UGM in the States, but then your presentation needs to appeal to a global audience and pass review by Epic application committees. Not to mention you’re competing with 100s of other Epic customers for a chance at the podium. European UGM is your chance to share regional or EU-specific workflow solutions that really matter but get less focus in the States. It’s also a great way to test out a presentation you want to share next year at UGM in Verona, but don’t feel quite ready for yet.

7. Meet experts who have done it before who can help you achieve your goals.

Come talk with us. Are you looking to see who has implemented certain functionality before? Are you thinking about implementing a new module, and want to talk to someone who has done it? There will be plenty of people with previous Epic expertise, including some of our very own Tasman advisors.

Discussing your challenges and opportunities with a range of people who have implemented Epic before gives you a broader sense of your options. People with implementation expertise across a number of organizations, like our Tasman advisors, often can tell you the impacts of some of your most difficult problems. We’re happy to share our lessons learned or connect you with the people who have the answers you need.



By Randy Rose, Director of Cybersecurity, Tasman Global

Happy Spring! It’s hard to believe it’s already Spring and already a quarter of the way through the New Year. Tasman Cybersecurity has already had a productive year creating new partnerships, scoping mission areas for customers, and designing new eLearning solutions for healthcare providers focused on improving cybersecurity at all levels within their organizations.

In early March, we attended HIMSS ’18 in Las Vegas. It was my first time at a HIMSS conference and I was amazed—and even quite overwhelmed—at the breadth, size, and sheer amount of technology solutions marketed at the event. It was too much for me, and having been in the fields of Information Technology and Cybersecurity for nearly 20 years—I can’t imagine what impact the same spectacle had on those who are new to the field!

But more than the gigantic banners filled with tech buzzwords, interactive displays, and free vendor swag, I was most surprised by the content of most of the cybersecurity presentations. Unfortunately, it was not a pleasant surprise.

As I mentioned above, I have been in this sector for a long time, and it shocked me that the bulk of the presentations were about topics that we, as a community, were discussing at similar conferences 15 or more years ago. I was left thinking: Has so little changed in 2 decades? How are healthcare providers still operating without basic understanding of cyber risks? How can they function without solid business continuity plans, asset inventories, and established security policies, not to mention coverage over the more fringe areas like workforce development, identity management, and data loss prevention?

At one point, a presenter mentioned the significance of conducting regular audits to determine whether your organization is maintaining compliance, meeting regulatory requirements, and ensuring the effectiveness of established controls, and at least a half dozen different people seated around me turned to a colleague and asked if their organization conducts audits. Most healthcare representatives I spoke with did not even know if their organizations had a chief executive responsible for cybersecurity, such as a Chief Information Security Officer!

It’s not all bad, of course. There were several presenters from within the community that shared their lessons learned from their own experiences building security in their organizations. Some of the lessons learned included items close to my own heart, such as leading through trust and delegation rather than micromanagement, focusing on people over technology, and capitalizing on crisis.

We’re the most targeted and most breached sector. We experience higher customer turnover related to information breaches compared to all other sectors. The average cost of breaches of health information is growing. Millions of patient records are compromised every year. And our data is amongst the most valuable on the black market. And yet, I have hope for this sector. Executive leaders in healthcare recognize that cybersecurity is a priority. We’re going to see rapid change in the right direction in a very short span of time. And we’re going to become leaders in information protection in ways that we cannot even fathom today.

We at Tasman Global are ready to help lead that change. Our mission is to enhance the cybersecurity landscape for all patients around the world through customized, risk-based, and strategic solutions. Regardless of where you are on your journey, we can help you navigate. Let Tasman Global be your compass.

“It takes 20 years to build a reputation and few minutes of cyber incident to ruin it.” ― Stephane Nappo



By Randy Rose, Director of Cybersecurity

A multitude of news stories within the last several months have revealed numerous businesses and products that are not as trustworthy as we, collectively, had previously thought. The first is CCleaner, a computer utility used to remove unneeded and potentially unwanted files, such as temporary Internet files, which is, according to developer Piriform, “trusted by millions” for its “award-winning PC optimization1.”

So what’s the problem? In August, attackers compromised Piriform’s build environment and inserted a backdoor into the official, digitally signed CCleaner installer, so users who downloaded from Piriform’s own distribution channel received the malicious build. According to Reuters, more than 2 million users downloaded a malicious version of CCleaner (CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191) and may have exposed their computers and attached networks to a wide variety of threats, including ransomware 2. While Piriform states that law enforcement helped proactively mitigate infections, the fact remains that a trusted organization had its supply chain compromised by a capable cyber adversary, and that a valid code-signing signature on its own did nothing to protect users.

It was also recently revealed that another trusted software vendor, Hewlett Packard Enterprise (HPE), allowed a Russian company associated with Russian defense services and at least one Russian intelligence service access to the source code for ArcSight3. ArcSight is a security information and event management (SIEM) tool used to correlate event logs and other alerts for cyber threat detection, analysis, and triage, as well as to monitor system compliance and similar basic security functions. The United States Department of Defense, many other government agencies in the U.S. and Europe, and an alarming number of Fortune 500 companies run ArcSight on their networks.

Okay, okay – what’s the big deal with showing them the source code? The problem is two-fold. First, a program’s source code is the secret sauce that makes the program work. Source code is the human-readable form of the program, containing every instruction the software gives to the computer on which it runs. Revealing a program’s source code makes it far easier for a reviewer to find a vulnerability, or flaw, in the code and to leverage it for their own purposes (a reviewer with source can find in days what black-box testing might take months to uncover, if it finds it at all). And those purposes are usually not in the name of the public good, which brings us to the second problem: the Russian intelligence service that may have been granted access to the code, or to vulnerabilities discovered within it, is the Russian Federal Security Service, more widely known as the FSB.

The FSB was born of the ashes of the KGB and has two principal focuses: internal security and counterintelligence 4. Several threat intelligence firms have loosely attributed malicious cyber activity against commercial and government organizations around the world to the FSB. The group most often discussed in this context is tracked as Advanced Persistent Threat (APT) 29, Cozy Bear, CozyCar, and Office Monkeys, and is associated with a family of malware whose names contain “Duke” (e.g., CozyDuke, CosmicDuke, OnionDuke). One caveat: which Russian service runs APT29 was contested at the time, and Western governments have since formally attributed the group to Russia’s Foreign Intelligence Service (SVR) rather than the FSB. FireEye assesses Cozy Bear to be behind the HAMMERTOSS malware, which hides its command-and-control traffic inside ordinary-looking activity on commonly used websites such as Twitter and GitHub 5. In other words, it is well within the realm of possibility that the most sensitive inner workings of a major security tool used by healthcare organizations the world over have been studied by a very capable cyber adversary, one that could use what it learned to find exploitable flaws or to shape its attacks so that the tool never flags them.

It was also recently revealed that the 2013 breach of 1 billion Yahoo! email accounts, which was the largest records breach of all-time, was not reported properly. In reality the number of records breached was 3 times as high at 3 billion 6! While most healthcare organizations shy away from using personal email services for business, they typically allow employees to access their personal mail from business networks which could well have exposed those networks to compromise. This risk is significantly increased when coupled with other poor security practices such as giving users local administrator privileges, lack of network segmentation, and not enforcing multi-factor authentication.

While ransomware remains a top threat facing health systems worldwide 7, it is important to remember that cybersecurity must address risk at all levels. Good cybersecurity requires a whole-of-business approach. When you lose faith in the applications and services you have trusted for years, it’s easy to feel frustrated and to wrestle with the next decision. Tasman Global can help you design a security program that reduces the most risk without depleting your IT budget because it’s tailored just for you.

If you are interested in learning more about cybersecurity mitigation and custom solutions please drop us a line because we’d love to chat!



By Randy Rose, Director of Cybersecurity, Tasman Global

Being connected to the Internet is a tremendous thing: it provides global communication opportunities, access to seemingly endless resources, and allows companies and individuals to extend their influence and impact in ways humanity couldn’t have dreamed of even 30 years ago. But being connected to the Internet also comes with a lot of risk, especially for business owners.

Most organizations have an Acceptable Use Policy (AUP) which stipulates general guidelines and rules that employees must abide by when using corporate network information technology assets, particularly those that access the Internet. Once an employee signs such an agreement, the organization’s leadership, from the employee’s direct supervisor up to the Senior Executives, assumes the employee will abide by the policy. Most policies provide for incidental use of corporate assets for personal use as long as they are not used for illegal, immoral, or other questionable activity (to include personal business).

Unfortunately, due to the unregulated nature of the Internet, even employees who operate within the bounds of an AUP can unwittingly expose corporate networks to danger. A common example is ransomware. Many ransomware campaigns leverage exploit kits: pre-packaged sets of exploits, paired with code that fingerprints a visitor’s browser and plug-ins to pick the exploit most likely to succeed against an unpatched component, delivered through ordinary web advertisements. This attack vector is commonly referred to as malvertising, cybersecurity slang for malicious advertising. Because of the business model for web adverts, many advertising firms sell ad space to buyers who resell it several layers down. Sometimes bad dudes buy up that ad space and serve up some unpleasant code.

Ransomware can hit you from any site that hosts ad banners. Employees checking the news, weather, or recent sports scores could potentially introduce malicious code, unwittingly, that could take down your entire network.

And that’s the well-meaning employees.

On February 15, 1995, Kevin Mitnick was arrested in Raleigh, North Carolina. He was a fugitive computer hacker—arguably the most famous hacker in the world—who was being indicted on 23 counts of computer fraud wherein he stole private company data worth more than $1 million (about $1.6 million adjusted to 2017). I know Kevin Mitnick and he’s a very interesting man who is well-respected in the cybersecurity community today. Yet few, including me, doubt that what he did in his younger days was wrong.

Several years ago, a co-worker and I wrote a white paper for the US Navy called Pretending Our Network is a Weapons System. This paper, and subsequent briefs, focused on the problem of end users not treating Navy networks with the proper care they deserved, the associated risks introduced by users, and the overall costs from such behavior. What we found in our research was that the Navy spent over $160 million per year cleaning up incidents on Navy networks, with nearly half being the result of negligent security practices by trusted users. We also found that over half of all Navy network browsing data was associated with non-mission use for a total cost of nearly $60 million dollars per year ensuring sailor and civilians were well-entertained while at work.

The paper also introduced a solution we dubbed Transfer Risk Off Network, or T.R.O.N.

It is the essence of T.R.O.N. that I ask you to think about today. What are you doing to transfer risk off your network?

A long-held belief is that the best way to mitigate cyber-related risk is to limit users’ exposure to it. Yet, in many cases, fully mitigating risk is unobtainable or impractical. There are several alternatives, and the most useful of them is risk transference.

Most folks are familiar with transferring risk without realizing it. Risk transference is the basis for the insurance industry. In cybersecurity, insurance may help. But a technical solution will also help.

Transferring all non-mission web traffic through a third-party service provider over a secured virtual private network connection, and allowlisting all other outbound network traffic, lets an organization operate with a sharply reduced attack surface: the only Internet exposure left is the allowlisted mission destinations and the provider link itself. That remaining exposure is real, so the provider’s own security, and the integrity of what it returns to your users, become part of your risk picture rather than disappearing from it.
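As an added example (not the Navy paper’s or this post’s code), here is the decision logic behind that model in Python, run over a handful of constructed proxy log lines: allowlisted mission domains go direct, known ad-serving hosts (the usual malvertising carrier) are blocked, and everything else is routed to the off-network isolation provider. The domain lists, the provider hostname and the log lines are hypothetical placeholders. The matching helper also shows the one bug that routinely undermines allowlists, a suffix check that lets `evil-example-hospital.org` pass as `example-hospital.org`.

```python
"""Egress classifier for the T.R.O.N. model (added example, not the paper's or the post's code)."""
from collections import Counter
from urllib.parse import urlsplit

# All names below are hypothetical placeholders for the example.
MISSION_DOMAINS = {"example-hospital.org", "userweb.epic.com"}
AD_DOMAINS = {"ads.example-adnetwork.net", "example-tracker.io"}
ISOLATION_GATEWAY = "isolation.example-provider.net"   # the third-party service behind the VPN

DIRECT, ISOLATE, BLOCK = "direct", "isolate", "block"


def domain_matches(host: str, domains: set) -> bool:
    """Exact match or proper subdomain only. A bare endswith() check would let
    evil-example-hospital.org masquerade as example-hospital.org."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def route(url: str) -> str:
    """Decide how one outbound request leaves the network."""
    host = urlsplit(url).hostname or ""
    if not host:
        return BLOCK            # unparsable destination: fail closed
    if domain_matches(host, AD_DOMAINS):
        return BLOCK            # ad networks are where malvertising arrives
    if domain_matches(host, MISSION_DOMAINS):
        return DIRECT           # allowlisted business destinations only
    return ISOLATE              # all other browsing goes to the off-network provider


def next_hop(decision: str, host: str):
    """Where the proxy actually connects for a given decision (None = drop)."""
    return {DIRECT: host, ISOLATE: ISOLATION_GATEWAY}.get(decision)


def summarize(log_lines):
    """Count decisions and bytes over proxy log lines: '<client_ip> <url> <bytes>'."""
    requests, byte_totals = Counter(), Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue            # skip malformed lines rather than guessing
        _client, url, size = fields
        decision = route(url)
        requests[decision] += 1
        byte_totals[decision] += int(size)
    return requests, byte_totals


def non_mission_share(byte_totals) -> float:
    """Fraction of bytes that would leave via isolation or be blocked."""
    total = sum(byte_totals.values())
    return 0.0 if total == 0 else (byte_totals[ISOLATE] + byte_totals[BLOCK]) / total


# Constructed sample log, in the shape summarize() expects.
SAMPLE_LOG = [
    "10.0.0.5 https://ehr.example-hospital.org/patient/123 4000",
    "10.0.0.5 https://news.example.com/front 9000",
    "10.0.0.7 http://ads.example-adnetwork.net/banner.js 500",
    "10.0.0.9 https://userweb.epic.com/ 2000",
    "10.0.0.9 https://video.example.net/stream 20000",
    "10.0.0.9 https://evil-example-hospital.org/login 100",
]

if __name__ == "__main__":
    counts, sizes = summarize(SAMPLE_LOG)
    for decision in (DIRECT, ISOLATE, BLOCK):
        print(f"{decision:8} requests={counts[decision]} bytes={sizes[decision]}")
    print(f"non-mission share of bytes: {non_mission_share(sizes):.0%}")
```

Feeding a day of real proxy logs through `summarize()` gives you the same number the Navy paper used to make its case, the share of traffic that has nothing to do with the mission, and therefore the share of risk you can move off the network by policy rather than by buying more controls.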

Tasman has close relationships with some of the best in the business at providing such a service and can help you reduce your attack surface overnight. Ransomware and other threats need not be threats anymore.

If you are interested in knowing more about how you can set this up at your organization, please send us a message. We'd be happy to talk .



By Randy Rose, Director of Cybersecurity, Tasman Global

In June 2017, Alex Blau of ideas42, a behavioral science research firm, wrote a compelling piece for Harvard Business Review on the behavioral economics behind the continued underinvestment in cybersecurity by business executives1. His article sums up four principal findings of a year-long research project conducted by his team, and recommends the following strategies for information security officers and teams to overcome them: appeal to the emotions of financial decision makers; replace your CEO’s mental model with new success metrics; survey your peers to curb overconfidence; and focus on breaking into your own system.

Interestingly, these four recommendations are precisely in line with the philosophy of Tasman Global’s Cybersecurity Division. Alex’s team spent a year gathering data and identified direct connections between the lack of serious investment in cybersecurity and commonly identified patterns of human behavior as studied by psychologists. Our team is comprised of industry experts who have been gathering similar metrics over the course of many, many years while honing their skills in mission-critical defense and intelligence environments. While digesting Alex’s article, we recognized that the same general findings were pervasive across all sectors, including government, military, and healthcare, when it came to investing in highly technical areas, especially cybersecurity. Executives make decisions based on risk, not on technical data tucked away in a network packet or the changes made to a system registry following an upgrade. Therefore, our team specializes in translating technical detail into business risk, tailored to your organization’s specific strategic objectives, buying down overall risk using the tools and people that are already on your team.

Much like ideas42, we have interviewed executives, engineers, IT and network administrators, security staff, end users, and even patients to gather their perceptions of the state of cybersecurity in healthcare systems. We identified the following cultural concerns that impact an organization’s security posture:

  • Key leaders are not educated in the basics of cybersecurity;
  • Key leaders are uninformed about cybersecurity processes, procedures, and technology within their own organizations;
  • Data supporting key decision making is often too verbose, laden with jargon, and does not connect the issues to operational impact;
  • There is a lack of understanding in what is important (i.e., if everything is a priority, nothing is a priority);
  • There is a lack of clarity in how the technical data ties to actual risk;
  • Key leaders overestimate their security posture;
  • Cybersecurity is seen as the IT Department’s problem (i.e., the CISO works for the CIO rather than at the same level as the CIO);
  • There is a lack of understanding of cyber threats and their impact;
  • Cybersecurity is not recognized as a continuous process;
  • Executive leadership has difficulty justifying the provision of funds for such an intangible phenomenon; and
  • Cybersecurity is viewed as a technology problem, when, in reality, it is much more.

Chances are your organization suffers from one or more of these problems. In many cases, even organizations that recognize they have a problem are unable or unwilling to invest in fixing it. Indeed, the 2016 HIMSS Cybersecurity Survey revealed that respondents ranked the importance of an organizational cybersecurity strategy as high, while only 23% of healthcare organizations have an ongoing, consistent risk-management program.

We believe in a holistic approach to cybersecurity that accounts for the misconceptions of executives and the many others who have an impact on the plethora of factors behind a good cybersecurity strategy. Our solutions are tailored to each organization, based on a business risk analysis, unique budget constraints, pre-existing information and security technology and processes, personnel, and organizational priorities. Cybersecurity is not a technology problem; it’s a multi-disciplinary one.


Happy New Year! I’m excited to be a part of the Tasman team, joining the best Epic consultants in the world in providing you ever increasing services. The entire team at Tasman has worked diligently to earn the reputation we currently hold, and the Cybersecurity team will be no different. I guarantee you’ll be amazed at the technical knowledge, subject matter expertise, and professionalism we can bring to your organization to help you navigate the stormy seas of the cyber world.

Our Mission at Tasman Cybersecurity is to enhance the cybersecurity landscape of healthcare systems worldwide through the delivery of personalized, strategic, and risk-focused solutions.

And we take this mission seriously. We are not interested in reselling technology from vendors. And we’re not interested in giving you the same service we gave any other client. You’re not any other client; you have your own strategic priorities, critical assets, and unique risks. This is where we differ from other firms: we want to tailor a sustainable security solution for you and you only.

Our Vision is that no patient experiences a breach of their private health or other sensitive information on our watch.

We do that through three principal service offerings:

  • Executive Consulting
  • Protect & Defend Services
  • Workforce Development/E-Learning

I will be using this blog to personally help demystify scary concepts related to the technical aspects of cybersecurity. I will also use it as a means to communicate future trends, growth of services, and other critical information to Tasman clients. Stay tuned for weekly updates on a wide array of cyber-related topics.

I will leave you with an overview of our stated Values and a quote from President John Quincy Adams that summarizes our leadership philosophy. I look forward to working with each one of you in the coming months.

We value PARTNERSHIPS, AUTONOMY, and PURPOSE. We focus on POSITIVE, CREATIVE OUTCOMES and strive for SIGNIFICANT, SUSTAINABLE IMPACT. We take RESPONSIBILITY and embrace ACCOUNTABILITY. We RECOGNIZE the accomplishments of our teammates. We aim for personal MASTERY and provide MENTORSHIP to others. We take RESPONSIBLE RISKS. We INNOVATE and ENCOURAGE others to do the same. We are PROACTIVE, take INITIATIVE, and FOCUS on EFFECTIVENESS.

“If your actions inspire others to dream more, learn more, do more, and become more, you are a leader.” – John Quincy Adams



Happy New Year, everyone! Welcome to the first installment of the Tasman blog. This year we are launching new services for our healthcare partners and we want a forum where we can share some of our expertise on different healthcare IT topics; this is that place. It is always our intention to share knowledge and spur discussion, so please feel free to jump right in with us.

Here are some things we are looking forward to in this next year:

International Epic Installs

Epic continues to expand internationally, and the outcome of these installs vary wildly. It has always been our contention that you can have a successful Go-Live without breaking the bank, but you need experienced Epic operators on your team to help lead the way. Tasman’s Epic consultants have the most experience on the international market and this year they’ll be sharing some of that experience right here at the Tasman Group blog.


It is no secret that cybersecurity is the hot topic in today’s IT world and that certainly applies to healthcare IT. While over 90% of hospital CEOs intend to invest heavily in cybersecurity this year1, the main question they have is, “Where do we find people who actually know what they are talking about”. Well, we are applying our EMR philosophy to cybersecurity and are bringing in the best minds and talent to provide their experience to our healthcare partners.

Leading our Cybersecurity Group is Randy Rose, a 15-year veteran of the cybersecurity industry, most recently as the Deputy Intelligence Officer for the US Navy Cyber Defense Operations Command (NCDOC). In this space, he will be highlighting ways in which healthcare organizations, both large and small, can manage and mitigate their security risks without the need to blow up their budgets with expensive “one-size-fits-all” solutions.

Big data. Too much data?

One of the valuable by-products of having a world-class EMR is all that beautiful data at your fingertips. However, it is very easy to succumb to data overload. We will be exploring different strategies and tools which our healthcare partners can use to leverage all that data to improve care and maximize budgets.

2017 was a wonderful year for our industry and we hope you’ll join us in helping to make 2018 even better. See you next time!