June 16, 2021: Email is the number one cyber attack vector within healthcare. And these days it’s also a patient safety issue. Does your healthcare system have a sound email cybersecurity plan in place? Here to discuss the problem and of course the solution is Julie Hubbard, VP, Enterprise IT & Information Security at AMN Healthcare and Ryan Witt, Managing Director and Resident CISO at Proofpoint. The threat actors are getting more sophisticated. What is the evolution of the threat landscape? Why is the supply chain such a ripe target for these hackers? How far can health systems get on training alone? How has the Proofpoint solution evolved to meet the current threats? How do they use AI and analytics to deter these multi-staged attacks?
Addressing Supply Chain Cybersecurity Risk and Patient Safety with Proofpoint
Episode 415: Transcript – June 16, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Thanks for joining us on This Week in Health IT. This is a Solution Showcase. My name is Bill Russell, former healthcare CIO for a 16 hospital system and the creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.
[00:00:20] Today we are joined by Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare, and Ryan Witt, Managing Director and Resident CISO, Healthcare Industry Practice at Proofpoint. If you want to be a part of our mission, you can become a show sponsor as well. The first step is to send an email to [email protected]
[00:00:41] Just a quick note before we get to our show: we launched a new podcast, Today in Health IT. We look at one story every weekday morning and we break it down from a health IT perspective. You can subscribe wherever you listen to podcasts: Apple, Google, Spotify, Stitcher, Overcast. You name it, we’re out there. You can also go to todayinhealthit.com. And now onto today’s show.
[00:01:05] Today we are joined by Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare, and Ryan Witt, Managing Director and Resident CISO, Healthcare Industry Practice at Proofpoint. Good morning, you guys, and welcome to the show. I’m looking forward to this.
[00:01:26] Ryan Witt: Thank you. Great to be here.
[00:01:28] Bill Russell: Yeah. So we’re going to... this is probably going to be one of the most abrupt openings I’ve ever done on one of these shows. But I was thinking about this. We had a conversation earlier and I was thinking about this, and email is clearly the number one attack vector in healthcare. We see it in all the surveys. It comes up over and over again. It has been since the advent of email, really in 1971, I believe. Now in fairness, it didn’t affect healthcare all that much prior to meaningful use, and that would be in around the nineties. But if you take that date, it’s been about 20 years where email has been the number one attack vector within healthcare.
[00:02:07] So I want to start with this question. Does every healthcare system in the country have a sound email cybersecurity plan or foundation in place? And I guess, Ryan, we’ll start with you, and Julie, I’d love to hear you comment on it after we hear from Ryan.
[00:02:22] Ryan Witt: God, we’re going to go right away. We’re going to go right to the key point, aren’t we? I would think, unfortunately, that’s not the case. That not every health system in the country does have this level of resilience built into their defenses. In fact, HIMSS put out their survey, their most recent survey, in December. And they asked that very question: to what degree various security categories had adoption within healthcare.
[00:02:49] And it’s survey data, so you have to take that always with a little bit of a grain of salt, but there was a significant number of healthcare organizations who didn’t have what we would consider to be rudimentary security controls in place. When I say rudimentary, like they didn’t even have antivirus protection, they didn’t have a firewall.
[00:03:08] There’s like 10% of those surveyed who didn’t have a firewall or certainly had no knowledge about a firewall. So yeah, and I’m sure those are the smaller institutions. Maybe the practices that needs potential practices, et cetera, but it just highlights the challenge, just from a basic technology investment, that is lacking in healthcare in terms of why is this industry so under attack and why do we have so many problems with regards to protecting patient data, protecting our health systems and really, as we’re now seeing, protecting patients, because there is now a linkage between cybersecurity and an institution’s ability to actually protect patients.
[00:03:50] Bill Russell: Yeah. Julie, I mean, VP of Enterprise IT, I would think this would be the starting point. Like it has been the number one attack vector for the last 20 to 30 years. This is where you would start. Why are we struggling to get this in place across the board?
[00:04:05] Julie Hubbard: Right. You’re absolutely right. You would think that would be where folks would start. And I have some insight from participating in some local and some national CISO groups that are focused on healthcare, and we’ve seen all ranges, right? Some of the biggest healthcare companies are part of these forums, as well as some newer, I would say smaller, companies.
[00:04:28] And we’re often finding ourselves as a community trying to help the new ones that are clearly asking questions about where do I start with this? So I think probably they just haven’t had the right investment and visibility on security and the right resources to know and understand, right,
[00:04:47] that this is the number one threat vector. And then how do you go about protecting that? So a simple investment with a peer group that can help you, and/or calling in a security firm, would most certainly point this out as being one of the number one areas that they should protect.
[00:05:04] Bill Russell: Again, I’d like to hear from both of you. I mean, are we at an inflection point? You had the attacks in the fall on healthcare, and now you have the Scripps attack, which took them really offline for the better part of three and a half to four weeks.
[00:05:18] Has the conversation shifted in all the other industries, for that matter? We had the meat industry this past week. We had the pipeline as well. Is the conversation shifting? Is this an inflection point where this is finally going to get on the CEO’s table, and they’re going to demand a plan and say, look, we can’t afford to be shut down, or boards saying we can’t afford to be shut down? Are we feeling that kind of inflection point happening here?
[00:05:46] Julie Hubbard: Well, I think with the new rules that have come down from the Biden administration, that certainly cascaded into the healthcare and all the communities, but certainly that’s transition there. So that will spark some conversation.
[00:05:59] But I also have seen a change, particularly in healthcare in the last year or so, where, because of some of these attacks, maybe even starting back with WannaCry in 2017 that did such damage to the NHS, I’m now seeing a change where people are starting to talk about security and patient safety in the same conversation, patient care.
[00:06:19] Right. And they’re now realizing they have to go hand in glove. And all of the investment used to just go towards medical things that were pertaining to patient care. So I do think things are changing a bit, and something like the recent gas one was something that really, I think, everybody can relate to a little bit more, maybe, than some of these where they heard another hospital has been attacked or another bank. But when it starts to be the west coast or the east coast all of a sudden can’t get back and forth to work or get critical equipment transported to their place of business, simply because we can’t get gas, it brings it closer to home.
[00:07:01] Ryan Witt: Gosh. I like to think we’re at that inflection point, but I guess the cynic in me says we probably aren’t. I mean, WannaCry should have been an inflection point. I mean, it was a tremendously significant ransomware attack. It’s the ransomware attack that took down hospitals.
[00:07:18] Okay, albeit in the UK, but you know, they had to stop surgical procedures kind of mid-operation, right. They had to close down EDs and ship people to other hospitals. I mean, this was, up to that point, kind of like the poster child of what could go wrong in a health system from a ransomware sort of attack.
[00:07:40] And we didn’t heed that warning then. So I guess the cynic in me says, well, what happened to Scripps is very noteworthy because it’s a significant institution that had this attack. I hope healthcare learns from it. I suspect maybe we have to go through this cycle a couple more times before we truly get it.
[00:08:04] And the pipeline incident, and I guess the supply chain with regards to the food supply chain earlier this week, are noteworthy. But I think more, if those are deemed to be nation-state attacks, and they might be, then maybe health systems still kind of have these blinders on that say, you know what, I’m not the subject of nation-state sort of activities.
[00:08:28] So it won’t happen to me. Now I would caution them to not think that way. And I would say, particularly if you have any sort of research component to your institution, you definitely will be a possible target for that nature of activity, because that’s a lot of data, a lot of IP that is very desirable to those bad actors.
[00:08:49] Bill Russell: Yeah. And just to be clear, we don’t really know much about Scripps at this point. We know that it was ransomware because the president and CEO came out and said that it was a ransomware attack, but we don’t have a lot of details per se. And so we don’t want to speculate, but we do know that they were on diversion.
[00:09:05] I mean, they were diverting patients for the better part of three weeks, the EHR took three and a half weeks to come back online, and the portal as well. Those are significant incidents.
[00:09:14] Ryan Witt: That’s an important point that we should emphasize, right? Because the amount of information about that event is very scarce. So we don’t want to draw any conclusions, but we do know the things we’ve already highlighted and we do know the promise of that institution. So it’s something that we should all be concerned about in terms of what could happen or what will likely happen again in the near future in this industry.
[00:09:41] Bill Russell: Yeah. All right. So Ryan, I’d like for you to walk us through a little bit the innovation that’s happening on the attack side. And I was looking at some of the slides that were sent over to me. I’m one of those guys who reads the slides and then finds this little one point that I sort of glom on to, and it was interesting to me to find that the slide showed that 53.7% of malicious URLs originate from legitimate file shares from Microsoft, meaning that people have already gotten into your network. They somehow put file shares or files on your SharePoint site or on your Microsoft Teams site or wherever they happen to be. And that’s where people are actually downloading the malicious code from.
[00:10:25] Have the attackers gotten that sophisticated that they can even be attacking us from within?
[00:10:32] Ryan Witt: 100%. They have. I think the way to look at this is, think about how attacks occurred in yesteryear. In yesteryear, and that might be five years ago or whatever, there was a significant focus on network architecture, network engineering. And these bad actors had people who were steeped in security knowledge, and they went and tried to discover whether it was vulnerabilities in a network design, or whether patches that should have been deployed were deployed, or they found zero-day attacks. That was a very detailed investigative sort of approach they had to take to discover those vulnerabilities. They take the same sort of methodology, okay, but now they apply that to social engineering. Now they apply that to trying to understand your institution, trying to understand your hierarchy, trying to understand your mission, your location, your geography, your email addresses, how the job functions work.
[00:11:35] And now they can deploy not just a small number of people, because finding resources who have deep security knowledge is pretty hard. Finding resources who can go mine LinkedIn or Google is pretty straightforward, and they will use these profiles to go build very, very compelling emails and lures that are pretty hard to spot from a user sort of standpoint. And so once they finally break in and they get into one of your file shares, like Teams or whatever, as you mentioned, they will then park and stay there and find a way to navigate your network, navigate your organization, to try to figure out how they best want to attack you.
[00:12:21] And Tony Mon brings up some of the very important data on this point. Essentially, those bad actors are in your network for up to about six months before they get discovered. So they’re hanging out on one of your file shares for six months. They’re observing your activity. They’re observing your organization before they decide they want to strike.
[00:12:43] Bill Russell: That’s amazing. On average, it’s about six months that they are in your network, all undetected. All the while they’re in your network, they’re looking at the social media accounts of major players in your network, and that’s where we’re going to go with this conversation. We’re going to talk about why supply chain has specifically become a significant threat vector in healthcare. But they’re looking at all those things: who are you, what information is publicly available about your health system, who are you doing business with, are you doing new buildings, are your people sharing information about your successes as a health system and those kinds of things, are you sharing personally about your vacation and those kinds of things. All that kind of stuff sort of comes together and creates a perfect storm here.
[00:13:25] Ryan Witt: It does. And if all of a sudden you now receive an email and it comes from what appears to be, or actually is, a legitimate email source because it’s within your organization, and they talk about your project or your current business plan, your operation, your organization, you would not really deem that to be a threatening email.
[00:13:48] So you’re more inclined to respond and you’re more inclined to give over information. And they’re not so absurd as to say, okay, now I’m in, can you tell me your password? They’re not asking those sorts of ridiculous questions, but they are asking questions that will start to unlock the kingdom or give them jigsaw puzzle pieces that they can, over time, assemble into a picture of what they’re trying to attack.
[00:14:20] And I think that’s how we need to think about that these days.
[00:14:24] Bill Russell: So, Julie, why is supply chain such a ripe target for hackers?
[00:14:30] Julie Hubbard: Right. I think, particularly in healthcare, but it certainly applies to all industries, it’s bigger bang for the buck. Right? You can go after a hundred different hospital systems one at a time, or you can go after the Epic system hack that you know happened, or, I mean, SolarWinds isn’t obviously specific to healthcare, but think about the foothold that SolarWinds was actually able to get by compromising one vendor. Right. Which led to many, many, many of us that used that. So I think part of it is definitely the bigger bang for the buck. I think also that supplier risk management is probably one of the areas that is most neglected. It probably has maybe baseline controls, if you were lucky. Even over the last four or five years, I’ve seen the types of questionnaires that we’re getting from companies that we’re doing business with; they are maturing, but in many cases I’m very surprised, right, at the low level of information that they’re asking for about how we’re protecting our systems. So I think that’s an area that needs a lot of investment.
[00:15:49] Ryan Witt: If I could add one point. I think the other factor to bear in mind here is successful attacks, phishing attacks of this nature, imposter-style attacks, are very reliant on sending emails that don’t appear to be suspicious.
[00:16:06] Okay. And if you have an email which purports to come from your supply chain, they, okay, they don’t have the status of being an internal employee, but they have much better status than an email coming from outside the organization from an unknown source. And so you can’t penetrate your actual health system, but you could penetrate one of your business associates or one of your partners and pretend to have that sort of business relationship. The guard just goes down a little bit. Right. And that’s all they need. And, as the old saying goes, they just need to be right one time; the defender has to be right every single time. Where that guard goes down, they have an ability to attack more aggressively.
[00:16:49] And that’s why supply chain, in addition to the points that Julie already mentioned, is a huge threat factor.
[00:16:56] Bill Russell: How do they get me to send them a check? Right? So somehow I’m the one who’s sending out checks, or I’m the one who has some sort of asset that’s worth going after. How are they going to get me to do that?
[00:17:08] I mean, they would have to know a lot about me in order to get me to do that.
[00:17:11] Ryan Witt: Sure. And it happens in multiple ways. I can give you a couple of examples. So they would befriend you over time. Okay. So they would build up a relationship with you over time on email. They might even build up a phone call relationship with you.
[00:17:29] So at the point in time when they’re going to essentially attack, and that attack could be, yeah, send me a check or whatever. By the time that they ask you that question, which would be, hey, by the way, I know you’re about to send out the checks for these projects we’ve been working on, the construction example,
[00:17:51] if you want to use that one, just before you do so, I wanted to alert you that we’ve changed banks. So can you actually do the wire transfer to this bank instead? Now I probably forgot to mention that to you. Just wanted to give you kind of a heads up, right. And that befriending process.
[00:18:10] And by the time that sort of email or that request comes through, it appears to be natural because the person you’re talking to, you think, works with the supplier you’re working with. And it appears to be a very natural sort of requested conversation. So in many cases you just don’t think anything of it and you just do it. Now, of course, we’re wising up over time and we’re thinking, okay, you know what? I’m just going to call the organization and I’m going to double check. But they capture a lot that way. The second way is just spinning up lookalike domains. I mean, unfortunately, there was a pretty heinous activity over the holidays where we saw an example of a health system’s foundation; there was a lookalike domain who purported to be their foundation, their charitable fundraising sort of function. And they were soliciting donations from their local citizen base. And that citizen base is like, I’m doing the good thing for the holidays.
[00:19:09] I’m going to give money to this needy cause, and you’re giving money and you think it looks like their website, all the verbiage sounds like their website, the logos are all right, but you just unwittingly gave money to a bad actor. So there are lots of sort of techniques that they could use to dupe people.
[00:19:28] Bill Russell: Wow. Are they in far enough to be reading my email or somebody else’s? They’re clearly in far enough to be impersonating a valid email address.
[00:19:36] Ryan Witt: If they have the credentials, they can read your email. This is why they’re so patient and why they are able to go undetected for up to six months, because they know that once they are in, that’s a very, very valuable foothold.
[00:19:49] And so yes, they could immediately go explore your calendar and explore your contact base, read your email, but that would be wasting this sort of foothold. So they would much rather go dormant, go dark, observe and figure out where they want to attack. I think just to emphasize the point, because sometimes it’s good to use an analogy here from a physical security sort of standpoint.
[00:20:11] If somebody is in your network undetected for six months, this is essentially the equivalent of them living in the closet of your spare bedroom for six months and observing your family, how they operate, what they do, when they go out, when they... I know that’s really creepy, but that, from a cyber standpoint, is essentially what is happening.
[00:20:34] Right. And you could imagine the impact that would have on your household. Well, there’s a similar impact happening to your institution.
[00:20:42] Bill Russell: All right. Talk about the Proofpoint solution, because I assume that the best way to make sure that this doesn’t happen is I never even see those emails, or they have no way of getting those emails in front of me. That would be the first line of defense. Second would be a set of controls, I, again, would assume. And then training, obviously, is part of that as well. So I’d like to talk about all three of those. Let’s start with the technology. Talk to me about Proofpoint and how the Proofpoint solutions have evolved around this.
[00:21:10] Ryan Witt: Sure. I mean, there are lots of starting points. I would argue the starting point would be your email gateway. I mean, people are essentially being attacked, they’re largely being attacked, almost always on email or other sort of messaging channels.
[00:21:24] So you need to have the sophisticated sort of gateway that blocks whatever, 90 up to 95% of the email that comes your way. So you’re keeping almost all of the bad email away from your user immediately. So you’re not forcing them to make a judgment call at all. That would be kind of like your step number one.
[00:21:45] Number two would be to introduce some sort of DMARC capabilities, so you can authenticate who is sending you an email. So if this person purports to come from your business associate, you can actually unmask that to say, are they actually coming from my business associates? So that’s DMARC, sort of a technology to guard against sort of fraud, defense.
[00:22:08] Those would be important sort of security components. Then you kind of get into things like isolation. So if you have a portion of your organization who, just by the nature of their job, work in a vulnerable way. So they’re in a department like bigger supply chain, where they have to download documents. They have to click on links. They have to go on to third-party cloud applications. You can put isolation technology in so they can have all those interactions in a containerized sort of environment. So you kind of de-risk it. You can use DLP, so if you do get breached, you can at least prevent the exfiltration of some of that data.
[00:22:48] And I think I’m going to borrow Julie’s line here, and I’m sorry, Julie, but I think it’s important to note that the technology is an important part of the component. Training’s also important, but you can’t train your way out of this. I think your best sort of safeguard here is to make sure that as much of this traffic as possible does not get through to users. So you’re not forcing them to make a judgment call.
[00:23:12] Bill Russell: Yeah. And Julie, I want to come back to you on the other two, controls and training. Let’s start with controls. I would assume that organizations can put a set of controls in here so that even if you are compromised and they’re trying to do this, you’re going to keep the money from being transferred, or whatever the event is going to be. Give us an idea of what are some of the controls that people put in place.
[00:23:37] Julie Hubbard: Yeah. Well, a couple of things we did specific to finance. That was really kind of the top area for us that we were being attacked on, looking for whether or not they were targeting the CFO directly. What we really saw was that they were attacking people that worked within his organization and asking for wire transfers.
[00:23:57] And we came close one time to something happening, and we put a new control in place that basically said that no wire transfer would ever be approved in email, right. It had to be verbal approval from him. And we’ve had several attempts since then, and that has worked very well for us.
[00:24:16] We’ve had a legitimate need, right, that we’d need to send something. We also have the scenario that Ryan spoke about, where it was actually our bank that had initially been compromised at one point. And we thought we were communicating with somebody that we had always been communicating with, and it turned out that there was kind of a bad actor behind there.
[00:24:36] And it was that scenario of, oh, by the way, we’ve changed the bank routing information. So we put controls in place that any time there’s ever a request from a supplier to change or set up new banking information, it doesn’t happen over email. It’s a phone call that we actually generate to them, so that we make sure, right, that we’re calling the contacts that we’ve always worked with to validate that the information that we’ve received is actually legitimate. So we’ve taken it out of the digital communications and literally picked up the phone.
[00:25:12] Bill Russell: Interesting. You can’t train your way out of this. That’s an interesting phrase to me, because I talk to a lot of CISOs. I talk to a lot of different people in organizations, and one of the first areas they go to is training, because their thought is we’re going to train all 15,000, 20,000, whatever. In healthcare, it can be some fairly large organizations.
[00:25:35] Well, we’re going to train all these people because we want them to be aware of what they’re looking at. Clearly, that’s good. What do you mean by you can’t train your way out of it? Does that mean you just can’t get to a hundred percent?
[00:25:45] Julie Hubbard: Right. You can’t get to a hundred percent on that. As Ryan said, it only takes one.
[00:25:49] So I’ve seen various numbers. I’ve worked in various companies and industries, and the goals, right, to get below a certain amount, even on phishing campaigns. Even if your goal was to get to that five or 8%, which is probably a bit elusive these days, think about, right, based on the size of your company, right,
[00:26:08] what that risk is. Companies also have turnover, so it’s kind of constant. So I’m not here to say that it’s not table stakes; you have to do it, and it will absolutely reduce your risk. One of the things that Proofpoint brings to the table is that it gives us more intelligence on kind of who’s being attacked in our company and kind of how they’re being attacked.
[00:26:30] And then we can customize training for those individuals. That certainly provides a lot of value and reduces risk. In addition to that, there are certain subsets of users in all industries, and healthcare is no exception, that you should probably do additional training for anyway: anybody in IT with administrative rights, right.
[00:26:53] You’re definitely going to want to have more controls and training around those folks, people that are developing software for your company, right, that might be used at outside organizations. And so there’s a couple of teams, I would say, or job functions where that should just be an automatic, that you would do training. But don’t underestimate the power of what a Proofpoint can bring to the table, which was very helpful to us about people that we would not have thought would have been targets in our company. And they are, so now we’re putting extra training in place to protect those individuals.
[00:27:31] Bill Russell: So if Proofpoint is telling you that essentially this group within the financial organization, or this group within IT, or this group, these are getting more hits and more targets. Is that,
[00:27:44] do you have an idea of why they’re targeting those groups? Is it because that’s where they can get to the money? I assume.
[00:27:49] Julie Hubbard: Well, I mean, I think you’d go after IT people because they tend to have credentials that could lead into multiple systems. But finance, obviously, follow the money. I think they’ve been a top target for years and years, with no exception. But other departments in the organization where we might have gotten surprised, like our recruiting teams, right, happened to be a top target. We also do a lot of credentialing, right. We employ clinicians.
[00:28:17] So we do a lot of credentialing. So if you think about the information that would be gained there. What I also like about the visibility that comes from Proofpoint is that I can also see how they’re being attacked, right, the types of emails that they’re sending in.
[00:28:31] And sometimes it’s the casual email that Ryan mentioned where they’re just trying to strike up a simple conversation. It doesn’t look like anything nefarious. And then other times it’s the plain old things we see every day about click here and find something in Dropbox, or whatever, for example. So that extra intelligence has been really valuable to us.
[00:28:52] Bill Russell: [00:28:52] Well, and that’s the thing that I think is more sophisticated than it used to be. It used to be that they’d attach a PDF with some sort of code in it [00:29:00] and they’d send it out to a million users and just law of averages, somebody would click up, click on it and the way, away they went.
[00:29:06] Now it seems like and I come back to this conversation where I would trust them. And it starts with, Hey bill, welcome back from vacation. It’s great to have you back because they were looking at my Facebook account or my family’s Facebook account. And they saw that we were on vacation. They knew we were coming back next week.
[00:29:23] Hey, the building project is moving along and the building products are moving along as planned because [00:29:30] they they’re looking at our press releases on our website, which says, Hey, we started building projects. And they’re reading updates and things. Cause there’s a lot of information out there.
[00:29:39] So they’re just patient. They’re getting more sophisticated in how they interact with us. It just feels so natural. I think people are wondering, how could I possibly get duped in this way? But it’s probably not all that hard to get duped in this way when they have that much information about you.
[00:29:58] Julie Hubbard: [00:29:58] We’ve definitely seen that. [00:30:00] And I also think in the era of social media, there are people that go to bed with their phone. I mean, they are so addicted in their personal lives, right. They’re much more casual about that.
[00:30:10] Right? So if you’re doing that 20 hours a day, staying very in touch with social media, which is much more collaborative and natural, it’s hard, when you come into work, to wear a different hat and keep all things security in mind.
[00:30:24] So we’ve definitely seen that, and even correlated, I almost hate to say this, but have correlated [00:30:30] it a little bit into age groups, right? Where we can see that there might be a little higher risk, and it might be with those that are much more comfortable with mobile social technology.
[00:30:40] Ryan Witt: [00:30:40] Right. I’m almost loath to bring up this example because it’s just so heinous, but it illustrates the challenge that we’re facing in the industry. So yes, there’s really strong insight and research into very precisely who is [00:31:00] being attacked, down to the person level or down to the departmental level. We think the departmental level is a really good way, because you can put controls against a department.
[00:31:09] And this example also illustrates how closely the bad actors follow the news cycle. We were watching how COVID, the early stages of COVID, was impacting the threat vector, and whether there was a change in who [00:31:30] was being attacked or whether there were geographical differences in who was being attacked.
[00:31:34] And if you cast your mind back to the March, April timeframe of last year, ground zero for COVID was the New York Metro, right. They were seeing just a huge impact. And those hospitals were really, really struggling to cope with what was happening.
[00:31:54] We found that in that April sort of timeframe, one of [00:32:00] the most attacked departments in the New York Metro was the Hafez organization. I mean, we don’t talk to cyber criminals. We don’t know why they were doing that. We’ve spoken with some health systems and we got their sort of point of view about why that might be the case.
[00:32:19] But you know, we were able to alert these institutions to say, Hey, we think there is a real pronounced shift toward attacks on you, so they were able to [00:32:30] then decide what controls they wanted to put in place accordingly. So whether that’s training, or whether there are other sorts of procedures that can be put in place to try to mitigate against that attack. But I guess the lure of access to controlled substances, or maybe being able to get access to patient data, was so compelling they decided to attack that. But having that insight is a great way for health systems to figure out where they want to put their defenses. And I’m a realist here. [00:33:00] We’re not going to achieve the gold standard of cybersecurity for all parts of your organization. That’s just not practical from a budget standpoint or from a resources standpoint. But if you can figure out what 10% of your organization is more vulnerable because of their job functions, then you can layer in extra controls and have a much more reasonable approach from a budgetary and resources standpoint.
[00:33:26] Okay. I’m going to defend these particular places.
[00:33:30] Bill Russell: [00:33:30] Yeah. You were talking about going after hospitals and I was reminded of some of the conversations we had last year. It was like the attacks started in one place, and then with each new cycle they shifted. Right. It went to vaccinations, it went to tax reimbursement checks, it went to … so they’re definitely up on current events, and that’s how they stay current and go after those places. All right. So we’ve established this is where they’re going to come in. This has been where they’ve been coming in for a significant period of time.
[00:34:00] So where do we start? Which one of you wants to take this? Where are we going to start to really put in the things that we need to do, to put the foundation in to protect from an entry through our email and through that attack vector?
[00:34:18] Ryan Witt: [00:34:18] Julie, you live this day in, day out. I’m gonna let you start. Okay.
[00:34:22] Julie Hubbard: [00:34:22] I was going to start with a technology like yours. I do think that if companies aren’t sure what to do, right, the one thing that I would say is work [00:34:30] with a cybersecurity vendor that can help with this. Because it sounds overwhelming. But the reality is that Ryan detailed just some simple things that you need to do, but if you don’t have the right resources working in your company, if you’ve got an outsourced IT team, let alone a security team, it could feel pretty overwhelming. So that would be the first thing that I would tell folks to do. But then it is to find the right partner that is going to protect the email. [00:35:00] One of the things that I think is a value prop for Proofpoint, and I didn’t really come on here to necessarily be a big showcase for Proofpoint, but one of the things that I really like about being able to partner with someone like that is that slowly but surely they’re building out their product line also. So now it’s actually easier for me, because I have a lot of capabilities within one vendor. Not only do I have my email being protected right before it’s even getting to my users.
[00:35:28] I have the insight on [00:35:30] what those targets were that were deflected, the ones that actually made it through. I have training that’s actually built into the program. And I have phishing campaign management. Right. And there are other tools that we don’t even have yet that, as we start to mature, you can add in, with one vendor, right, that builds this ecosystem around all things that are associated with email, because they cascade into other parts of the company. So I would definitely start by making [00:36:00] sure that you were partnered up with the leading provider in this area. This wouldn’t be where, if I was given the gold, silver, bronze, I wouldn’t choose the bronze, if I had,
[00:36:13] Bill Russell: [00:36:13] But look, we saved a bunch of money. There are certain things you want to make sure are right. I actually talked to a Proofpoint client this morning, who happens to be one of my coaching clients. I asked him about this solution, and his comment was that this [00:36:30] solution particularly was not as hard to implement as what they thought it was going to be.
[00:36:34] So yeah, it is probably daunting if you’re starting from scratch, but if you have some knowledge in house and you have some things in place, we’re familiar with gateways, we’re familiar with thresholds, and we’re familiar with setting controls and those kinds of things.
[00:36:50] It sounded to me like it was a pretty logical solution to put in place for them, from my understanding of it.
[00:36:59] Julie Hubbard: [00:36:59] I guess one thing I would add to that also is that I think companies sometimes fall short in that they’ll actually do the training, but it’s a compliance checkbox training, right? It’s the annual training that’s maybe 20 minutes a year, and companies definitely have to evolve past that. So if you partner with the right vendor, there’s all sorts of training that not only meets the annual training requirement that most companies probably have, but there’s just all this more robust training for targeted [00:37:30] users. So I think that’s an important piece to highlight.
[00:37:34] Bill Russell: [00:37:34] Well, to close this out, I’d like to hear from the two of you on this one question, which is: take us out five years in this area. What would the best case scenario be, what would the solution look like? What would the best case scenario be from a security standpoint, specifically around the attack vector of the supply chain through email and those kinds of things? What would it look like? What [00:38:00] would we have in place across all of healthcare within five years?
[00:38:03] Ryan Witt: [00:38:03] Right. I’ll start by saying the best case scenario is we’re not having this conversation anymore. Right. And it’s achievable, right? If you think about, again, where we used to have dialogue, it was around network vulnerability. We don’t really have firewall conversations anymore. I mean, we don’t talk about zero day attacks anymore. They occur occasionally, [00:38:30] but we really don’t hear talk about those.
[00:38:33] And we don’t, because the investment has been made, and we need to make that similar sort of investment in email, but it’s achievable. It’s not like other industries where we’re waiting for roadmap developments to bring next-generation solutions to the marketplace. What healthcare needs to acquire is readily available today.
[00:38:52] So I think that would be our best case scenario. And then I can turn to where we’re going to be going. I mean, it’s more and more moving to [00:39:00] the cloud, so we’re going to need to make sure we’re putting in the right sort of defenses in that sort of arena, because that will undoubtedly be, if not the next sort of attack area, one that we have to be mindful of.
[00:39:14] And of course medical devices. I think they’re a lot harder not only to attack but to monetize. It’s why we don’t see as much activity there, but that’s a looming challenge, because we know they’re vulnerable. Yeah. So I think that’s kind of [00:39:30] the near-term future.
[00:39:31] Hopefully we’re not talking about that anymore because we’ve solved that problem. But we need to think about cloud and medical devices.
[00:39:37] Bill Russell: [00:39:37] Yeah that makes sense, Julie, any last words?
[00:39:40] Julie Hubbard: [00:39:40] I basically agree with the comments there. I think the one challenge will be that if we are successful, through technology, process, people altogether, in really defending this front, where are they going to move to? Right. There’s going to be a new avenue, there’s going to be a new foothold. And that’s always the challenge of [00:40:00] sitting in this chair also, is that they’re not just coming at you from one angle. And even though that’s the number one angle, you’ve gotta keep your eyes on the ball and on all of that.
[00:40:09] And I wouldn’t underestimate the comments on cloud, right? I think healthcare has been slow to come to the cloud. And then when it sort of happened, it started happening so fast that I’m fairly certain that, for many companies, they didn’t have the opportunity to get the controls in place that they would’ve liked to.
[00:40:27] Bill Russell: [00:40:27] Yeah, absolutely. I think one of you [00:40:30] mentioned in the earlier conversation that for those listening who are in college, if you want a job coming out of college, get a degree in IT and technology. But if you want a career, get a degree in cybersecurity, because this is going to keep evolving.
[00:40:47] That’s what I heard from you guys. Yeah, we’re going to plug this hole and we’re going to get it across the board, but you know, then something else is going to pop up, and it’s going to keep going for as long as we can envision. So there’s always going [00:41:00] to be the need to stay ahead of this. So, Hey, thank you. Thanks again for your time. I really appreciate it. Great topic and great conversation.
[00:41:09] Ryan Witt: [00:41:09] Thank you.
[00:41:11] Bill Russell: [00:41:11] What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It’s conference level value every week. They can subscribe on our website [00:41:30] thisweekhealth.com or they can go wherever you listen to podcasts: Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We’re out there. They can find us. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. Thanks for listening. That’s all for now. [00:42:00]