October 1, 2021: Cyberattacks are getting more sophisticated. It’s no longer a matter of WILL they get in but WHEN? Ryan Witt, Industries Solutions and Strategy Leader at Proofpoint and Gary Gooden, Chief Technology and Security Officer at Seattle Children’s run us through scenarios to watch out for. Did you know that 81% of emails are being identified as malicious and getting blocked at this point? And Proofpoint stops roughly 450 million threats of all types on a daily basis. When it comes to people, process and technology, where do you allocate your resources and time? Have you embarked on a zero trust journey? Is your endpoint detection service 24/7 365? And what is isolation technology?
Building a Security Framework for 2022 and Beyond with Seattle Children’s and Proofpoint
Episode 448: Transcript – October 1, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Today on This Week in Health IT.
[00:00:01] Ryan Witt: Day in, day out we see focus on fraud, on phishing attacks, to the point now where it feels like credentials is the nirvana state of any sort of would be actor or cyber criminal organization. They get your credentials. They have incredible ability to decide what sort of exploit they want to launch against your institution.
[00:00:29] Bill Russell: This is a [00:00:30] solution showcase. My name is Bill Russell, former healthcare CIO for a 16 hospital system and creator of This Week in Health IT. A channel dedicated to keeping health IT staff current and engaged.
[00:00:40] If you want to be a part of our mission, you can become a show sponsor as well. The first step is to send an email to [email protected]
[00:00:47] I want to take a quick minute to remind everyone of our social media presence. We have a lot of stuff going on. You can follow me personally Bill J Russell on LinkedIn. I engage almost every day in a conversation with the community around some health [00:01:00] IT topic. You can also follow the show at This Week in Health IT on LinkedIn. You can follow us on Twitter Bill Russell HIT. You can follow the show This Week in HIT on Twitter as well.
[00:01:14] Each one of those channels has different content that’s coming out through it. We don’t do the same thing across all of our channels. We don’t blanket posts. We’re actually pretty active and trying to really take a conversation in a direction that’s appropriate for those specific channels. We really [00:01:30] want to engage with you guys through this. We are trying to build a more broad community. So invite your friends to follow us as well. We want to make this a dynamic conversation between us so that we can move and advance healthcare forward.
[00:01:43] Today we have a great presentation that was done at HIMSS. Protecting people, addressing healthcare, human factors. We have Ryan Witt, Managing Director in Healthcare, CISO at Proofpoint and Gary Gooden, Chief Technology and Security Officer at Seattle Children’s. Gentlemen, welcome to the show. I appreciate you coming on.
[00:01:59] Ryan Witt: [00:02:00] Thank you.
[00:02:01] Bill Russell: All right. We’re going to jump right into this. I love your presentation. What we’ve been doing is looking at the presentations that went on at HIMSS. I pulled a couple of them out and invited some people on. So Ryan and Gary, you guys had the opportunity to talk about what’s going on with regard to cybersecurity in the industry.
[00:02:17] So let’s start with the challenges facing the industry and some statistics of what’s going on, Ryan. We’ll start with you. Who’s attacking healthcare?
[00:02:26] Ryan Witt: Yeah, I think I probably this conversation has to start with ransomware. [00:02:30] What’s certainly top of mind with almost everybody that we speak with presentations like HIMSS, there’s a lot of attention and focus on ransomware but I think that’s really born out of a couple of noteworthy events within the industry, both around the fall of last year on an east coast institution. And then in the early part of, or mid part of this year from a west coast institution who essentially had, these are both noteworthy institutions who had their ability to provide patient care [00:03:00] fairly compromised for the best part of a month.
[00:03:02] So those have, those become kitchen table sort of conversations with regards to what’s happening in the industry. The reality is at least what we see from a data standpoint is ransomware though hugely impactful when it hits in the way it has, is something to focus on. Day in, day out we see a lot more focus on fraud, on phishing attacks, to the point now where it feels like credentials is the [00:03:30] nirvana state of any sort of would be actor or cyber criminal organization. They get your credentials. They have incredible ability to decide what sort of reconnaissance they want to have against your institution and then what sort of exploit they want to launch against your institution. What would make the best form of attack. But the starting point for all that is the ability to get your credentials, which is normally around email and around some sort of phishing type thing.
[00:03:58] Bill Russell: Yeah. Gary, perhaps [00:04:00] you can add to this. One of the things we saw with Sky Lakes which is the one that we’ve looked at pretty closely, and we were having a webinar with this Sky Lakes CIO and the Asante CIO to talk through that event in detail. But it started with just a basic email that went out with a bunch of links that, that compromise the system. Is that what you’re seeing at Seattle Children’s. Is that the primary attack?
[00:04:24] Gary Gooden: Yeah, well the primary attack vector as Ryan stated is email. And [00:04:30] specifically in the form of phishing campaign of one form or another. That has been the threat since the pandemic, before the pandemic where recurrent said today, and what I see in the foreseeable future.
[00:04:47] Bill Russell: Well, that’s been a threat since the dawn of email for the most part. It would seem to me that this would be the area we would start to really establish our security boundary. Obviously with [00:05:00] identity. Identity being key. But also around email. Emails still seems to be the way that people are attempting to to get in, to disrupt supply chains and other things.
[00:05:10] They’re just coming straight through through that basic email and really counting on the fact that at least a handful of people are going to click on those emails.
[00:05:20] Gary Gooden: That is correct. What I will say is that I mean, since June of 2020, 2019, rather till now we have [00:05:30] literally received just from corporate email, 114 million emails of which 81% has been blocked, has been some sort of malicious variation there. And about 40% of that would be business email compromise types of emails.
[00:05:50] Bill Russell: So 80, 80% of emails are getting blocked there. They’re getting identified as malicious and getting blocked at this point.
[00:05:58] Gary Gooden: Yeah. I mean, on average, it’s [00:06:00] usually about an a month to basis is about 85%. But for that year plus duration, it’s roughly 81%.
[00:06:06] Bill Russell: Wow. Ryan, some specifics here. Who are they going after? Are they just going after anyone? Are they going after clinicians? They’re going after administrators. Who are they targeting with these email campaigns?
[00:06:18] Ryan Witt: Yeah, I’ll address that in a second, but I kind of first want to use an analogy going back to the, what we were saying a little bit here. We just started a football season and this is like email based attacks is [00:06:30] like the equivalent of running the ball.
[00:06:32] They’re going to keep running the ball until you stop the run right to use until you force them to do something differently. Healthcare hasn’t stopped the run game unfortunately for many years now. And so it is easiest way to move the ball down the field from football team. And it’s the easiest way for a bad actor to engage with a health institution.
[00:06:54] So to your question and your point, why what are they doing? And the emails were [00:07:00] becoming far more sophisticated. So yes the type of blocking that Gary’s talking about, the 80%, those are the ones that. Sophisticated gateways will capture for all sorts of reasons. I have malicious links in there.
[00:07:16] They have reputational, they come from questionable IP addresses, et cetera. So there’s lots of techniques that, that sift out those sort of emails, but what we’re seeing more and more as a very, very targeted sort of campaign. So yes, you’re [00:07:30] hitting someone very specifically within the institution.
[00:07:32] You’re hitting them on a topic that is very akin to what their job function is. So the level of research and due diligence is being taken by the cyber criminal gangs organization so that they know how to write an email that will get through the common filters, that will engage you in a conversation, that that conversation over time will lead to pieces of the puzzle being dropped [00:08:00] into their sort of research or Intel gathering on you.
[00:08:04] So you might not be handing over anything that appears to be that important. Cause like, they’re not asking you, Hey, what’s your, what’s your login credentials, right? They’re not asking you that but they’re asking you pieces of information that they can help go build a profile. And, and over time the can ask that pivotal question in a way that allows them to go extract something really important that [00:08:30] makes that kind of like a big leap forward. And they do gain a password or access into a system that, that they wouldn’t be able to gain if they didn’t have some form of trust established. And that established, that trust was established because they maintain this sort of conversation with you on email over time.
[00:08:50] And they fraudulently have convinced you, they are somebody that they’re, that they’re not but that has been compelling enough to make you want to keep [00:09:00] engaging with them.
[00:09:00] Bill Russell: It’s interesting. When I was a CIO, we had a firm come in from the outside and we essentially what we were trying to do is broadly have them attack our system from a lot of different vectors and give us feedback.
[00:09:14] And they went through the report and how they got in and kind of thing. And they were like, look, we stood up this website. We had 15 credentials within the first 24 to 48 hours. With those credentials. We were able to go here, here, here, and here. Is that still what they’re [00:09:30] looking for as credentials? Or can they compromise even without credentials at this point?
[00:09:34] Gary Gooden: I mean, I think it’s a smorgasbord right. So to kind of read off of what Ryan said a while ago, recently we did a targeted phishing campaign against our population. And we specifically targeted them using a tool that you’re accustomed to using. That specific tool in this case was DocuSign. And roughly 34% over end-user population within that meant. Now we were secretly [00:10:00] training, awareness training all the time, but the way in which that had that particular phishing campaign was orchestrated by us kind of proves the point that Ryan is making about the sophistication of how emails are constructed in such a way that made them look extremely legitimate.
[00:10:19] So for the 81% that we’ve blocked, for the 85% that we block, I would say maybe 3 to 5% of those emails probably have some [00:10:30] sort of malicious nature that will get through. So you expect to have a situation like that. And then what do you need to do after that is it puts in your layer of defense structure.
[00:10:41] But that, that being said, almost roughly 45% of what we see is around business email compromised. Where they’re trying to redirect it to change of payment information so you can route funds differently. So that’s that one bit. Yes credentials skimming and credential gathering is a big [00:11:00] deal, but it’s just the general nature of throwing the spaghetti on the wall and seeing what sticks.
[00:11:06] Right. So you’ll have the situation where, oh, we dropped the payload in this device and it’s not much diversity in Burlington encrypted. So what I’m seeing is that they’re coming at us with multiple types of campaigns from various advanced, persistent threat groups. And it’s really more about, in many cases, a shotgun approach and in some cases, especially with the BEC stuff, [00:11:30] very specific. That said, on a daily basis, we stop roughly 450 million threats per day of all types. Email, drive by, brute force attempts. Everything in between.
[00:11:46] Bill Russell: Let’s talk about ransomware for a minute. So we look at defense systems and if I just rewind a couple of years, we were talking a lot about education putting the right tools in place, educating our people. And we were going to be able to [00:12:00] address a significant portion through that. Now when I hear people talk about ransomware, they’re talking about it’s not if they’re going to get in, but when and they’re saying, all right, so if that’s the case, we have to really focus in on the recovery aspect. I’m hearing a lot of different things. I’d love for the two of you to sort of lay out what a good plan for building a defense posture against ransomware might look like. Ryan, do you want to, do you want to start with that one?
[00:12:26] Ryan Witt: Sure. I think maybe one thing, at one place, I was hard as a [00:12:30] recommendation that they will do the level of due diligence to understand who within your organization has a job function that means I have to go download files or they have to click on links. So based on the job role you have within the organization, we work in more vulnerable ways.
[00:12:51] Entirely legitimate with regards to what our job function requires of us but you know, we have to go interact with third-party suppliers. We have [00:13:00] to take in and resumes for would be candidates. We have to go review and download invoices. We have to go interact with third party apps or whatever but
[00:13:11] Bill Russell: You’re also defining clinicians at this point too right? They’re they’re moving images around. They’re downloading files from patients potentially through email as well.
[00:13:21] Ryan Witt: Right? Exactly. So they’re understanding exactly the type of work that people are doing. That means that have to click that link, [00:13:30] download that file, et cetera. So they know your job, they know your, who you are within your organization. They know what your job title requires you to do. They know the type of work you’re working on, and then they’re going to send you a link or a file that’s aligned to that. So that’s the challenge. I think the first part of the equation I’ll let Gary build from here is understanding who is more likely to be attacked within your organization for these sorts of exploits, because I think [00:14:00] most healthcare institutions are resource constraint, they’re budget constraint. They can’t put the gold standard of security right across their organization. And it wouldn’t even make sense necessarily to do that. So they have to go, as I say kind of place your security bets. And you got to go figure out, okay, where am I more likely to see this sort of activity and then what are the, what are my control options I can put in place to mitigate against that?
[00:14:23] Bill Russell: Interesting. So Gary we’ve identified the people and the roles. And as you guys say, the attacks [00:14:30] are getting more sophisticated. So the emails are literally to the clinicians will address something clinical and to the HR representative, something around HR and to, I mean, we’re not just seeing a single email go out 10,000 users. We’re seeing very specific emails to very specific people that are I mean, they’re lures. So they they’re literally designed to get them to click or download something. What do we do next? So we’ve identified those [00:15:00] people. What’s the next layer of security that we’re putting in place if we’re specifically worried about ransomware?
[00:15:06] Gary Gooden: So in our environment we’re not just a clinical environment, we’re a research environment. We’re one of the largest pediatric research institutions in the country. So yes, the lures are getting more sophisticated. About a year ago, we embarked on a zero trust journey.
[00:15:25] So we’re a zero trust shop in terms of concept and philosophy. We [00:15:30] converged for a security program with our infrastructure program. So I lead both. So security is actually used as what I refer to as the tip of the spirit, the innovation and not security for the sake of creating friction.
[00:15:47] Right. If I can’t secure it in ground then clinicians can do their jobs faster. Researchers can find cures faster. It’s very much tied to the mission but just from a zero trust perspective [00:16:00] it’s all about the layering of the fence. It’s all about identity and entitlements in terms of who you are and what you’re entitled to do.
[00:16:08] It’s also about the whole notion of automation of provision. It’s also about the separation of your credentials from your elevated rights as it were. It’s also about the removal of local administrative controls and an end point. Using that same profile. So let’s say you abstracted [00:16:30] and you apply the admin credentials to a service, not the entity.
[00:16:34] And then if for any reason, all that fails, then you have to look at anomaly detection for east-west traffic to look up to that stuff. Then you also have to ensure that your endpoint detection service is 24/7 365. If you do those things and continue to up armor that way, because it’s really an arms race, then you’ll stay ahead of the curve.
[00:16:56] Obviously the whole idea of the data center is the center of the [00:17:00] universe has gone. With the pivots as a lead student what happened in COVID-19 last year remote work is here to stay. In our environment today, we have a hybridized model. We also have a permanent remote model and then will have a permanent on-prem model because we’re clinical research.
[00:17:17] So we have all three different types of knowledge workers and they are either a hundred percent remote they’re hybridized, meaning on-prem off-prem or their on-prem based on your job roles. And [00:17:30] in addition to which, our data can be almost anywhere. So from a route, from a edge perspective, the home route is a new edge from a where the data lives perspective because we’re distributed in driving or data is everywhere.
[00:17:44] So for us attestation or efficacy as relates to get into the data is as important as where the data lives itself. So if, for example you use email vectors as a way to compromise our infrastructure then the leering of the defense [00:18:00] will prohibit you from ending up in a situation where you have an encrypted set of infrastructures and they have a problem.
[00:18:05] If we’re talking about credential skimming for example, credential compromise, then anomalous behavior technology, which is what you need to have in place is your essentially canary in the coal mine, if you do those things. And if you do things like security in the cloud, which is what we do remotely for anybody connecting in, it’s literally a secure web gateway to technology to do security at the station of you as an entity, [00:18:30] your entitlement, the health of your device and then based on those entitlements, we IP tunnel you to where you need to go. So those things have to be in my mind incorporated as a wrap up. From a funding perspective, it’s interesting. I just came out to a meeting with a subset that were boarded our executive suite. You’ll typically get the question if you need additional funding just come to us.
[00:18:55] And my response is it’s not really about that. Funding is not an [00:19:00] issue in our specific environment. It’s the speed at which you can implement an immature processes around the technology and then mature the people side of the business, whether it’s internal resources or managed services providing these services. So hopefully that provides some context.
[00:19:17] Bill Russell: No, that’s phenomenal. And I want to tear that apart a little bit. The thing we’ve been using in these products for a long time. People, process, technology. Give us an idea of, so from a security standpoint, you’re looking at [00:19:30] this. How much effort is, is put into each?
[00:19:32] Cause it would seem to me when we’re talking security you don’t have unlimited people to monitor all the alerts and things that are coming through. So you have to put in some technology, you have to have some automation. The processes have to be sound so that the, that the handouts are happening and the right things are happening at the right time.
[00:19:53] But we’re struggling to find really good cybersecurity people to keep all this, all this functioning. [00:20:00] So give us an idea of what the breakdown is in terms of how you think about where you really allocate your resources and your time based on those three areas.
[00:20:09] Gary Gooden: So for us we don’t manage a SOC at all. To your point, that to me is a loss leader in terms of having the wherewithal to extend services like an accordion. Alright. So we don’t want to do that. So we have a managed service for, for a SOC or same and our soar technology. [00:20:30] We use machine learning to help automate the speed at which we can do event correlation.
[00:20:35] We have 24 by 7, 365 end-point management and oversight, which again is a service because I can scale for that. The speed at which we need to attend to potential threats whether it email back those are brute force, it’s all down to machine speed. So what I spend my time doing is ensuring that we have the right level of engineers in place, which we do, [00:21:00] to help to not just interpret cause the river don’t, but more to ensure that they handle exceptions, even when exceptions occur. And for the most part, they take and tying of the daily operations and the speed at which directed. These are all managed services.
[00:21:17] If I were to try to build out the people piece of this to compliment that, given where we are in terms of to your point, the difficulty in acquiring the right level of technical, skilled workers, it would [00:21:30] simply not work. It would fall on its face. And then the anvil to that to me is really more of a process maturity that really comes from you having implemented the right technology stack.
[00:21:41] So if I implement a bunch of technology stacks, which I would have done, mature the process, but then don’t reinvest in the technology stack then yes, I will have mature processes but then went to have steel technology. Unfortunately it’s an arms race today. And then there [00:22:00] is a, there is a tight interlinkage with infrastructure as well. So I see core infrastructure pieces are adjuncts to the security program, which would also then include our cyber physical stack ’cause you can’t forget the send cyber physical stack.
[00:22:15] Ryan Witt: I wanted to build a bond, something that Gary said a little bit earlier and just give you one impression of what we see from a sophistication sort of standpoint.
[00:22:24] So we were analyzing, we were working with a teaching hospital. And this [00:22:30] particular teaching hospital had significant research sort of reputation they had about how they had five main institutes within their research function. And at first plan to, it’s not surprising to us that research was one of the most heavily attacked function within their hospitals, but actually what we realized was one of their institutes made up of about 55% of the overall attacks. So although they had multiple research strands, it was really [00:23:00] just one institution that was getting the lion’s share of those attacks. And then you dug a little bit deeper and there was actually one department within that institution that was getting about 40% of those attacks.
[00:23:12] So you have this very large teaching hospital 30,000 plus email addresses and then really you boil it all down and like a significant portion of the malicious traffic and very sophisticated traffic going to a very small number of individuals. And all I can really [00:23:30] say from how do they figure this out is this particular institution was, I mean, they, they were very noteworthy about this particular level of research. And so anybody who was a casual observer, even if you had a very sophisticated, very technical level of research, but anybody who just browsed that institution and dug a little bit deeper on what they were about to figure out, that’s probably where the money is because there’s always a monetization angle of these attacks. But it got down to like, they were very, very [00:24:00] pointed into these small number of people because that’s where the perception was, where the crown jewels were. A monetization angle.
[00:24:07] From a technology standpoint, I wanted to also bring into the equation is, and it’s not like it’s new technology, but it’s isolation capability.
[00:24:16] And I mentioned isolation because it’s readily available. It’s mature technology, but it’s not that well deployed within healthcare. And what isolation technology does is essentially containerize your sort of email traffic for whoever [00:24:30] has that capability rolled out against their sort of email address.
[00:24:33] And that then allows people basically to interact with their email traffic in a kind of a safe environment. Because it’s containerized the ability for them to exfiltrate data beyond that or them to send anything that’s going to bring data into that container is much, much more limited.
[00:24:52] So if you have somebody who has that vulnerable sort of way of working, or as you would call like a habit, they’re happy clickers. [00:25:00] Cause they just tend to click on lots of things. There are lots of use cases where that containerization technology or isolation technology I think would, would be really useful, particularly when very precisely as an example I just cited, like who is being attacked?
[00:25:14] Bill Russell: Yeah. One of the things we did is, and all of our clinical workstations were virtual. It’s a form of containerization. If you will, it’s a form of breaking it down because you can tear down those sessions and rebuild them back up and potentially [00:25:30] isolate any incidents you’re going to have within that environment. That’s one way to address the endpoint. But what I wanted to do is I wanted to go back to, so we’re sort of looking at this people process technology. We got to this level. I want to go one step further and to just give it more color, talk about phishing.
[00:25:46] So we have people, process, technology. So getting to this operating at machine speed and being able to have the right processes in place. I want to take it down to just this one aspect of the [00:26:00] protection layer and talk through it, just to give people an idea of where you’re spending your time. What does it look like to operate at machine speed with regard to phishing attacks, having the right processes and having the right people in place to address that?
[00:26:12] Gary Gooden: A loaded question. Let me take it. So we employ a lot of technology from a particular company.
[00:26:24] And one of the things that Ryan made mention of is something that we also utilize as well, [00:26:30] relative to isolation. What we also do is that we look at what we refer to as a very attack people profile. So those are individuals who based under a job role. And you alluded to that earlier, the job type, they see the preponderance, they’re in our top 10 in terms of individuals who get phishing attacks based specifically on them.
[00:26:56] And again, roughly 85% of whatever comes [00:27:00] comes in from a corporate you know prospective is filtered out. And of the 15% that’s led through I would say again, between 3 to 5% would still be malicious in some way, shape or form. It just wasn’t obvious. But that being said, we spend quite a fair bit of time specifically with our analyst looking at the 3 to 5%.
[00:27:25] The 3 to 5% is also looked at [00:27:30] by our managed service. Why? Because if something looks anomalous on the end it’s detected immediately. Why? Because we use machine algorithms or EDR end points. We use machine algorithms relative to our managed SIM environment and those services. So from an analytics perspective, we utilize your analyst on a look at the exceptions.
[00:27:55] Some things already quarantine. Then we go and figure out, well what happened? So it’s [00:28:00] not as if this is the end point is compromised because of the phishing campaign, because they clicked on some malicious link. They drop the payload and the payload was able to call back, come in and detonate. None of that’s occurrence because our firewalls have URL filters on them.
[00:28:14] So you cannot even call back home. So let’s say for example, we didn’t have to call back home and it was a self detonating package, it still wouldn’t work on the big EDR technology and end point is already isolating it. So a lot of the time we do spend on the [00:28:30] analysis of what happened as opposed to stopping the event, because event is already stopped.
[00:28:35] Now I think of, I think of this, as you would say, for example, an IED where you have an IED charge and you have a truck and it would get blown up when we kept up armory. So everything I said just said, trying to build a better mouse trap. At some point something will get through. It’s a question of not if but when. Which is [00:29:00] why the east-west traffic or deep packet inspection technology is so critical for us.
[00:29:05] Because that allows us to look at anything anomalous moving east west. That also has looked at 24 by 7. If anything we see is a as anomalous, that’s also shut. So that’s how we look at the, we do our own phishing, but it really comes down to how we use the different technologies to stop things from getting to where we considered to be our crown jewels whether it’s our data centers or, [00:29:30] or EMR that’s hosted somewhere else.
[00:29:33] Bill Russell: Ryan you work with a lot of different clients on this kind of stuff. What are you seeing across the industry. By the way, Gary, thank you for sharing those things. I’m learning a ton here, so I really appreciate you going in depth with me. Ryan what, what are you seeing as you look across the industry in terms of, and again, we’re focusing on people, process, technology around phishing specifically.
[00:29:53] Ryan Witt: I think one of the noteworthy trends that we’ve seen is the amount of [00:30:00] phishing attacks that point people to legitimate fileshares. So now more than 50% of the files or the links the people are being phisher act are asked to interact with, are actually a legitimate fileshare. Being a SharePoint account, a Box account, Dropbox account, et cetera. So it’s no longer pointing you to some nefarious server in the middle of [00:30:30] Central Europe or whatever it’s pointing you to a legitimate file share that you would expect to go to. And I think that’s a big, a big step change. It’s makes it more difficult for the technology to filter those things out because they’re coming from these legitimate file share sources and it makes it harder for the clicker to not want to interact with that sort of phishing exploit because it like looks even more legitimate because on the surface of it, the source of it is, [00:31:00] is legitimate. So that’s a significant change that we have seen in addition to what we talked about a little bit earlier, which is a much more targeted nature of those attacks and the language that’s being used to interact with those facts.
[00:31:12] The other point I would say, and I think Gary touched on this a little bit, is there is always this monetization angle. So yes, anybody who deals with money: your accounts payable team, your people who are dealing with your business associates, anybody who has a role directly or indirectly with approving [00:31:30] invoices or redirecting payments or changing bank account details.
[00:31:35] Those people are going to be very heavily targeted, and those are just natural candidates, always, for additional layers of security controls.
[00:31:46] Bill Russell: We know how they're monetizing ransomware. They shut you down and they ask for ransom. Some of these others are a little bit more sophisticated. They are essentially inserting themselves somehow in the [00:32:00] middle of a process and extracting money in what would appear to be a pretty straightforward way, right? The promise of goods for services: hey, you'll get this PPE, transfer this money. Or even changing an employee's information, and then money goes that way, or a vendor's information, and it goes that way. What are some of the other ways that they are trying to monetize this?
[00:32:25] Ryan Witt: I mean, we've seen examples where, at points in time, pharmacy [00:32:30] functions were heavily hit. We don't have coffee with the bad actors, so we don't necessarily know what their motivations are, but it would seem to me like they know that controlled substances have value on the black market. So they're trying to redirect those controlled substances. One of the more heinous things we saw at a point in time, an elongated point in time, was the hospice organization within a large, well, several large institutions were heavily targeted. Again, we don't know why. The [00:33:00] working theory there was that they're preying upon the good nature of the people who do those roles, and those people are so obsessed with the comfort of that patient, and they tend to have access, again, to controlled substances.
[00:33:16] They have access to the patient record, and maybe they're not as well protected as other parts of the institution. So not as many controls in place, and so the combination of fewer controls and a very caring, [00:33:30] giving sort of nature means that they can more easily fall prey to an attack.
[00:33:34] I mean, that's just a theory we kind of worked out without knowing exactly why they were being targeted. But yeah, the point being, whether it is controlled substances, whether it is the value of patient data. And then if you ever see nation-state sort of actors, they generally are focused on IP theft. It's valuable for them to be able to bring that intellectual property back into their countries. So there are multiple monetization angles beyond just [00:34:00] payment, sort of redirecting payment.
[00:34:02] Bill Russell: So, as Gary was talking about, as a research institution they would be targeted for their intellectual property. Gary, is there anything you have to do specifically around IP to try to protect it?
[00:34:13] Gary Gooden: You know, we make reference to people, process, technology, right? So, you know, we're speaking more specifically about phishing emails and what have you. But as it relates to IP, there's also the social engineering side of it.
[00:34:26] There is a situation that occurred, where it's [00:34:30] been occurring, not necessarily at Children's, but generally within the research industry, where the way this plays out is having researchers slash PIs invited to conferences, wined and dined, and lots of researchers are very proud of what they do. And so they will talk. And just by virtue of talking, they're literally compromising them. Because this has happened over and over and over again in different [00:35:00] institutions. We have seen the threat in our institution as well. And so there is the people side of it, right, above and beyond just the normal security readiness training that you do.
[00:35:13] There is social engineering training that has nothing to do with technology specifically. And also, if you're looking at, say for example, business email compromise, we have a manual process in place to ensure that no ACH or payment information is changed unless it's verified [00:35:30] manually, human to human. So it literally sits outside of the technology process. It's a manualized process to ensure that that technology request is actually legitimate. So there are two different things to do in social engineering, relative to intellectual property and also on accounts payable.
[00:35:50] Bill Russell: So I'm going to ask you guys, in the next five years, what do you want to get in front of? But I will share this story again. As CIO, our internal auditor said, hey, we're going to do a social [00:36:00] audit of our executives. And they came back to me with my social audit. They had almost my entire family tree. Cousins. I mean, just because I connected here with this person: oh, that's your mother. My mother had a Facebook account. Pictures, kids. I mean, they literally had the whole family tree, and then they had information about each one of those people. And they're showing me this thing, and they're going, that's how much information is available about you.
[00:36:27] And I'm fairly [00:36:30] savvy and fairly cognizant of what I'm putting out on the internet. But just those one or two connections gave them access to people who are in my family, who are sharing an awful lot. And that information does create some holes, I guess, is what they were trying to communicate to me with this social engineering.
[00:36:50] So let me ask you this, and give you a little time to think about it. Next five years: what do we want to get in front of? I don't want to say 10 years, because then we have quantum computing and who knows what's going to be going on [00:37:00] in 10 years. Five years even seems kind of long in this industry, doesn't it? I mean, it is long to think about, so maybe let's look at three years. What do we want to get in front of and stay in front of?
[00:37:11] Ryan Witt: I would like to give you some sort of very profound, prophetic sort of answer, but I think really, in healthcare, we are still talking about basic blocking and tackling. The HIMSS cybersecurity survey came out at the back end of last year, and it's the most recent cybersecurity survey that HIMSS has put out. The data [00:37:30] in that survey was pretty remarkable, because they went through a number of security categories and asked, what was the level of implementation of these technologies right across the healthcare industry?
[00:37:42] And they went pretty basic. Do you have a firewall in place? Do you have multifactor in place? Et cetera. It went to about, I don't know, 15 to 20 categories, and even if HIMSS data is inaccurate because it's survey data, so we have to take it with a little bit of a pinch of salt, it was pretty [00:38:00] remarkable.
[00:38:00] So all the things that we're talking about that we would consider to be, I think, relatively standard sorts of capability technology are still just not deployed in healthcare. So multifactor is still below 50% utilization. Even firewalls, HIMSS reported at only 90% utilization. Now, I'm sure it's the much smaller institutions that are the ones who don't have those things in place.
[00:38:25] Bill Russell: Right. Well, that's what I was going to ask you. [00:38:30] I talk to a lot of health systems. And at one of them the CIO was saying to me, look, what can I do around security? Because I have outsourced the operations center or whatnot, but I have two headcount. I have a policy person and I have an engineer, a security engineer. And then I have this. It's not a small hospital. It's not a huge hospital, but how do you secure it with two people and an operations center?
[00:38:56] Gary Gooden: You don’t.
[00:38:57] Ryan Witt: It's not a direct answer to the question, but one of the answers to that question [00:39:00] is you point them to the two most recent ransomware events in healthcare, and you say to them, there's a direct correlation between one's ability to have the right sorts of security posture in place and the institution's ability to meet its mission. And if you don't have the right sorts of security posture in place, you cannot, in many cases, provide patient care.
[00:39:21] You cannot adhere to your patient safety sort of mission statements if you have a compromise. Like, you are essentially, if you have that sort [00:39:30] of an event, out of business for a month or whatever. And this is no longer a compliance discussion. It's not a brand discussion. It's not a fine discussion. Yes, those are all part of the equation. It's a patient safety discussion. I think if you need to get access to resources or funds, trying to frame it that way with your board might move the needle a little bit.
[00:39:51] Bill Russell: Alright, Gary, I'm going to put you in that spot. I just promoted you. You're CIO. Well, it might be a promotion, it might not be a promotion, but I just made you a CIO. It's a [00:40:00] $750 million hospital. Right now you're looking at, you have an outsourced SOC and you have an engineer and you have a policy person. What are you going to do when you go in there?
[00:40:11] Gary Gooden: So I was going to respond to what Ryan was saying with the comment that I find it to be a little more nuanced. Okay, so let's say, for example, you look at the operating expense. And so I'm now this new CIO, I go and present to the board and to [00:40:30] the C-suite, and they get it. But from an operational expense perspective, they cannot afford to implement the technology stack required to run their operation, because there was never a security risk assessment done in terms of what we can actually bear to suffer in the event of. And you talk about future-state threats and things that you need to get ahead of in the next three years.
[00:40:55] One of the biggest problems you have today is that we don't treat cyber threats [00:41:00] as a national emergency issue. National. So let's say, for example, that the state of Washington or the state of California had a disaster, earthquake, fire, whatever it is, and you declare that as a disaster within the state; the federal government would then declare a national disaster for that specific area.
[00:41:17] And then you would get a FEMA response. A FEMA response then brings on a whole slew of additional things: resources, funding, et cetera, et cetera. What is really required is something very similar on [00:41:30] the cybersecurity side, and that does not exist today. Because you have all kinds of different healthcare providers with different levels of sophistication, and their ability to have what I consider to be the baseline level of security controls, which cost money, is something that some of them simply cannot afford. Even if they were to factor in the risk of being compromised, it's almost easier for them to be compromised, take a hit, and then go and pay, because they just can't afford it. So that, to me, [00:42:00] is a big issue that obviously falls outside of our control.
[00:42:03] But to your point, the issue of the healthcare organization in San Diego, who shall remain nameless: their security stack, basically. It is obvious from how that threat occurred that that security stack was not at a level where it should have been, which speaks to a situation where either the C-suite or board did not understand the threat landscape, or it was a matter of them not caring or not acting on it when [00:42:30] it was presented to them, or they didn't have the right way to present an information threat. Either way, they were probably in a situation where they could have funded that and accelerated their progress to not be as compromised as they probably were. And back to what Ryan is saying, this is probably down to basic blocking and tackling, which is not that sophisticated, but they at least had to have the basics, what I consider to be the starter kit, implemented.
[00:42:59] So [00:43:00] that's also another part of the issue. Then you have the problem that I am worried about, where there's no public-private partnership between government and private enterprise on the cyber threat landscape. And I'm saying three years because these things are emerging. And the other thing that really concerns me, well, there are two other things, is there's no global currency, which is still their form of legal tender for said bad actors. And the fourth thing that really is concerning to [00:43:30] me is the rise of 5G and how we are going to have to adapt to 5G. That's unclear to me as well, but it's just something, I mean, talking about three years. Because we didn't want to talk about five years, because it's highly speculative, and three years is still grand, but it's still somewhat of a bit of a crystal ball.
[00:43:48] Bill Russell: It'll be interesting, 5G, with the bandwidth that's going to be available through 5G in three years. You sort of look at that and go, well, a lot of our traffic could come in through 5G [00:44:00] in three years. That is not really possible over 4G LTE today. That could create some, clearly not there today, but a place like Seattle could be there in three years for sure. It would be very interesting.
[00:44:13] Well, gentlemen, I appreciate you coming on and talking about this presentation. I will say this: the next time you come on, I'm going to throw out any agenda and we're just going to start right where we left off. And we're going to just attack what can we do. I'll probably just give you a couple of [00:44:30] scenarios and say small health system, big health system, midsize health system, academic medical center.
[00:44:35] And we'll just tear it apart and see where it goes. Because I learned a ton in this conversation, and I appreciate you sharing for the benefit of our community. Thanks again for coming on.
[00:44:45] What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this [00:45:00] show. It’s conference level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We’re out there. They can find us. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. [00:45:30] Thanks for listening. That’s all for now.