December 1, 2021: Cyber attacks are more sophisticated, more frequent and the potential outcomes are far more devastating. What technology tools can help us detect the presence of those malicious threats within our environment, both in the cloud and on-prem? Jim Brady, VP, Information Security & Infrastructure/Operations and CISO at Fairview Health Services and Ryan Witt, Industries Solutions and Strategy Leader at Proofpoint share crucial security strategies to survive phishing, imposter threats, ransomware, and supply chain attacks. What areas should CIOs focus on to deter risk? How can they address cyber with their Board? And what would you say to those who say “it won’t happen to us”?
00:00:00 – Introduction
00:05:40 – Credentials are the Nirvana state for cybercriminals
00:06:50 – A strong number of attacks are being launched from well-known established data repository sites like Microsoft Office 365 and SharePoint.
00:08:12 – Every email that’s coming in is technically eligible to be a bad email
00:22:35 – Research shows that bad actors are in your environment for up to 6 months before being detected
How Can Healthcare Reduce Cyber Risk and Maintain Patient Safety with Proofpoint & Fairview Health,:
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.Bill Russell: [:o when they need my care and [:
Bill Russell: This is a solution showcase. My name is Bill Russell, former healthcare CIO for a 16 hospital system and creator of This Week in Health IT. A channel dedicated to keeping health IT staff current and engaged.eek in Health IT. Starting in:
We're excited about where the community will take this channel. The Academy is about training. It's about training the next generation of health leaders. Here's where we're going to be launching our new show. It's called Insights and the show will actually take highlights from our last five years and break them into 10 minute episodes for your team and perhaps people who are new to health IT to come up to speed.el, the one you're listening [:n subscribe visit us at this [:room with everybody to have [:
Jim Brady: Yeah. It was a bit surreal thinking wow, we're finally back. And these are all the folks that we've been seeing year in and year out. It's good to see everybody in person and to hear kind of what's going on. It was awesome.
Ryan Witt: Was great to re-engage and it's a really good indication of we're all products of our environment. Right? So the attitude towards, how do you engage in these sorts of conferences? What the right sort of COVID protocols ought to be were very much colored by where you traveled from.Right? And [:to me. There was really very [:
Jim Brady: You'll have to go up to Northern California Bill. Southern California. We're a little bit relaxed.
Ryan Witt: I'm based in Silicon valley and we are essentially, we are mask central. Masks are everywhere. So when I went to CHIME it was complete opposite sort of experience.Bill Russell: It was [:hat's top of mind right now, [:y. But if you just go beyond [:
Bill Russell: It's interesting we're getting close to Christmas time and I started getting these emails, Hey, you've ordered this and blah, blah, blah. And I got three of them this week and I looked at it and they're getting more sophisticated.e sophistication of what the [:
And I assume if I start clicking on those things or calling that phone number, it's not long before they're asking me for information they're going to use against me. Is that essentially, how is it working the same way within healthcare?SharePoint. Those are things [:efforts. And, that's kind of [:your health institutions are [:s in a legitimate file share [:de this far more complicated [:, then it sends out a signal [:need additional support and [:y on prem, but also into the [:
So I want to go about this in two directions. One is Jim, I'm going to ask you about how we quantify the risk and where we get the money to do some of these things. And Ryan, I want to start with you on the, if the tools are getting more sophisticated, the attacks are getting more sophisticated.on education. I used to hear [:ee in terms of technology to [:this technology is tried and [:D mark [:
And when an institution can make a direct correlation to, I need to invest in my cyber security defenses so that I can meet my institution's mission of patient care, patient safety. I can adhere to the Hippocratic oath of do no harm. How do I do that if I cannot protect someone's data?at? If I cannot safeguard my [:
Jim Brady: So I think we need a combination of, we need the technology, but as everybody knows, technology is not the answer, just technology alone.to shut their hospital down [:ren't experienced one of the [:think it's, just helping the [:
And so just being aware of that. It's just kind of like having the neighborhood watch, in your neighborhood somebody can break in, maybe you live in a safe neighborhood, but it's possible. And so it's just being aware of it. I've already seen an increase in reported malicious activity.ot that we need to do on the [:, [:k about firewalls and packet [:e state of your organization [:? A [:
They'll be able to relate to that because they are seeing in the news that there's health systems that can't collect revenue because their businesses impact.million in loss for [:
You sorta look at that and you go, okay. They're roughly a $3 billion health system, 30 day outage, roughly a diversion and whatnot. That's $110 million. It's that kind of quantification, isn't it?
Jim Brady: Yeah. So if you have the ability to engage a firm that can help you get those numbers. Either add up all of the individual ones to come up with a big number or just, maybe take the top five and say, Hey, we want to do these top five.u can also just take a rough [:he leadership the tools, the [:
And that's good, so there, there is Monte Carlo simulations, there's Bayesians and Alice's model. So we're not getting into all the details. I'm not a statistics person, but insurance companies have this down. They do this, they've been doing this for many years. So it is possible to engage, to get that level.
And I think if we could start, just approaching in that direction, I think we would have a lot more support, and we get more business bylike in cybersecurity is in [:ight. If you're fighting the [:
Okay. I mean, Punymon has some data around this saying that bad actors in your environment or in your network for up to six months before being detected. Let's say, Punymon data's wrong. Let's say they're wrong by 50%. Let's say it's only three months, but they're still in your network for three months, right?That's [:ple out of your environment, [:So. [:ntication and is that enough [:m and they never changed the [:focusing on maybe the cloud [:ll, you've lived in Southern [:said, they're going to sneak [:
They could probably get a high elevated domain access if they're, if you're not using that privileged access management. So, so anyway, lots of things you can do, but I think just those two things kind of popped up.the board for health care, I [:nment, maybe you're in an IT [:icated and far more targeted [:
And I would think that's the kind of usable sort of action that somebody could take away from this sort of conversation and say, yeah. Okay. I can, I can work with that.nt to, to really focus in on [:nology in place where we can [:
And so, having the CFO see that, understand it, and then we realized that, that, Hey, there's some things on the process side that the business needs to look at to also participate in a secure things and reduce the risk. So in other words, what's the process to change a routing number and bank account, et cetera.hat. So what they've done on [:tions, they've changed their [:ntually you're going to have [:But then we have the much [:dozen or so sort of research [:
I don't want to go into the detail, but they were world renowned in one of these areas of study. So once you actually looked at the detail and who was being attacked, sure the resource organization was particularly being attacked by bad actors, but this one Institute, one of their six had like five times more attacks than all the other research institutions combined.And it [:ust about say research sure. [:
But in this example, there was actually one particular Institute that was getting exponentially way more activity. So when you have that level of insight about what is the threat landscape for your institution, it helps you a lot to go place your controls.and whatnot, but focusing on [:
Ryan Witt: Not to be in a really provocative at the end of the conversation but I'm, I'm glad the meaningful use era from a cyber standpoint is consigned to the dustbin because they pointed us in the wrong direction from a compliancy standpoint. And we didn't allow us to go tackle the security. problem.ow ransomware events while I [:contained. It was contained [:the lights on. And we don't [:
How many of us can say that we have all of the security systems that we spend a lot of money on that they're running at a hundred percent or 95%. So there's so many basic things. All, I think that that we are not there, we could just look internally and not spend another dime and just get what we've got fully utilized.their bidding. They buy the [:
They're focused, they're targeted, as Ryan mentioned, they're doing their research, but we're not, we're not in healthcare you know we're underfunded in many cases. We're not doing any research. We're not even using what we've got. So I think looking at a, there's a thing called the MITRE kill chain, there's concepts called the red team blue team purple team.of your security team. This [:So I [:p correctly because you are, [:
Bill Russell: It's interesting. I Interviewed a CIO for a health system that did go through a ransomware event. And he said in order to get reconnected to his community connect partner and whatnot, he had to get a hundred percent patched. He had to verify he was a hundred percent patched. He said, it's the first time as a CIO for the health system, that he thinks that they were a hundred percent patched.ple of months away. He goes, [:
And I guess is there, let me ask you this way. We always talk about people, process and technology. It's the age old where should I, if I gave you, I dunno, a million dollars. What percentage am I spending on people? Process and technology. I mean, is it, is it 30, 30, 30? Is it 30, 20 10? So people, process, technology.gger team. I know we need to [:rates for, let's say a cyber [:
So I would say it's about over 50% for sure on the staffing component. This is from an operational, like all of the money that you spend, operationally, of course.
Those of you guys that are in health systems that have to go through the CapEx optics dance. There may be some technologies that you have to put in that will bump up and exceed your staffing.u'd want to reserve for that [:
If somebody slips through one tool, then you should be able to catch them with another. But if you don't have time to be looking detecting in your you're busy, just fighting fires, and most likely you're going to, get hit and chances are you maybe like I listened to the Sky Lakes YouTube video.y can go after your backups. [:
So there's things that, there's things that we just have to be spending a little bit of time on to protect. We can't assume that we can just go to backups because there isn't a way to get around those. So, yeah. So that's my thoughts.
Bill Russell: Wow. Ryan, people, process, technology. Where are you investing the million dollars I just gave you?you can't get people at all. [:
Bill Russell: There's a lot of truth to that.ink you're absolutely right. [:
So I'm not trying to say it's all about technology, but there are some easy wins out there. A multi-factor is still not as broadly deployed as we like it to see it be. Micro-segmentation which is something I think maybe you referenced a little bit earlier, bill about they were able to containerize that ransomware event.ably use that. I don't know. [:I just want to, [:as, was just right after the [:
Ryan Witt: You know, I've heard a few, a few CIOs say to me very recently, like we're seriously considering self-insurance right now because of the the level of work we have to do to, just to adhere to the, to the policy sort of questionnaire.sed to be like a, an hour or [:, they read their policy and [:or insurance, if you did all [:
Anyway, because they're talking about doing all the things that Jim and I had been talking on this call, like making sure you have your investments in your, in your technology and your processes, you have the people in place. And if you did all that stuff, you probably, I'm not saying you don't need cyber insurance, but it goes a long, you would have solved a lot of your problems anyway. Cyber insurance would kind of there to address.just had this conversation. [:
Ryan Witt: I think don't let up. I mean we are at a long sort of runway of unprecedented level of cyber attacks that just not going to dissipate until we as industry find a way to keep the bad actors that day. For the most part, they are attacking your people, your people, your most vulnerable sort of asset in your environment.They have the [:
Not because it's good for your brand. Not because OCR says you have to, you don't want to be on their wall of shame but because it helps you deliver against your mission.
Bill Russell: Absolutely. Jim, you get the last word.ngs, topics, people, process [:ve it some focus from a risk [:
So I think that's key to doing it from the bottom up. This is going to be really difficult or we'll s ruggle and so I think, the best way is to get, get that top level buy-in. Second thing, we didn't talk about a ransomware readiness assessment. So those are things that you can do to say, Hey, I I've done my risk analysis.I've done my HIPAA risk [:n, like the case of that one [:
That's called mayhem. And, we can be prepared. So it's just doing a little bit of emergency preparedness. So I think that's important. We didn't talk much about third party risk management. A large percentage of our breaches, et cetera compromises do come from our, our business associates.rge or medium sized, complex [:
They're using our systems, et cetera. So it really looking at those entities and assessing the risk and then making an intelligent decision I think would be helpful. So there's a lot of organizations I think that, that are like that. That could, that could stand to get that improved.topic for a future podcast, [:
Jim Brady: To your point though, there, in addition to M and A's many organizations are constantly adding new organizations or they're selling or doing various things. So I think it's, there's the big mergers. And then there's the small, the spring of this home health organization lets get rid of half of them whatever. And so I think that, but I think those are areas we can focus on also.and sharing your experience. [:
Jim Brady: Thanks Bill. Appreciate it.t. We're out there. They can [: