UnHack the News: The Ascension Breach and Vendor Accountability with Wes Wright
Episode 105 • 3rd June 2024 • This Week Health: Newsroom • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on Unhack the News. (Intro)

If there's anything that's emblematic of how healthcare doesn't get security, I think this may be it.

We want to put rules in place so your hospital associates, the people that are members of your club, are more safe. We don't want you to do that. Why?


Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories.

We want to thank our Unhack the News partners, CrowdStrike, Fortified Health, Enterprise Health, Island, and ordr for their support. And now, this episode of Unhack the News.

(Main)

Hey, I'm Drex, and this is a brand new show, Unhack the News. Bill Russell's original version of this was Newsday. It's still running, of course. We both have done Newsday. We've done Newsday together. This is sort of the cybersecurity version of Newsday. We're calling it Unhack the News, and my guest today is Wes Wright, Chief Health Officer.

Do you call yourself Chief Healthcare Officer?

That's correct. Completely made-up title by moi, but I just wanted to let ordr customers and ordr potential customers know there is somebody at ordr that does nothing but focus on the healthcare community. So that's why I went that way and didn't want to be like Chief Health Officer, because then people would have thought I was like an MD or something like that.

So I didn't want to do that. They're already confused. They think I'm an OR doctor.

That's always a good time too. You don't want to be on an airplane with that jacket on and then, no, is there a doctor on board? There's an OR doctor back there. I just saw one.

Yeah. Oh, man. There's a lot of stuff happening in the news when it comes to cybersecurity and privacy and ransomware and everything else.

You actually posted a really interesting story, especially given the amount of legacy stuff that we have in healthcare. You want to talk about that? The XP story?

Yeah, I was just trolling around doing my regular newsfeed kind of stuff, and this thing pops up in my newsfeeds.

Hey, we put XP on the network for 10 minutes and things didn't go well. I can just imagine. All they did was put it on the network, didn't have it go connect to anything like that, just put it on the network. Exposed to the internet. Always.

To me, the mental picture that came in was, when you throw the chum and the sharks come in. You were throwing some XP chum there and every one of those hacker sharks came in there and tried to hit that sucker. Shoot, if you want to set up a honeypot and distract people at your healthcare, just put an XP out there on the box.

Don't connect it to your network. Connect it to somebody else's network and let it get hacked.

It's interesting, because the perspective on that is that anything you have on your network that faces the internet, and all the security folks know this, but for everyone else, anything that you have that faces the internet is being scanned constantly.

So when there's one of these new zero-days or a new patch has been released for something, until it gets patched, it can be attacked. The bad guys immediately put that in their inventory and they start scanning every box that's on the internet to see, do they have this application, or do they have this particular protocol or this thing that's open, and then they attack it, and they do it literally within a few seconds of these announcements being made.

That's your old gig at CrowdStrike. That's what's so important about attack surface management. It's everywhere, but man, everything that faces the internet has just got to be locked and loaded and ready to roll, if you're facing the internet, man.

Not for the faint of heart.

Oh. Scary.

Yeah. Hey, nice Spider-Man cup, by the way.

I'm a big fan.

Let's see, what else can we talk about? The Ascension breach is ongoing, and I'm imagining that you probably can't talk a lot about that specifically, because most people just don't want to talk about that stuff specifically. But the non-specific part of it is that the lawsuits are already underway.

Another great reason not to get involved in something like this.

Exactly. And I have to clear something up. My company, ordr, posted an interview I did with somebody, I can't remember who, but in the paragraph they said, come hear Wes describe exactly what happened at Ascension.

And I went, wait a second, time out, guys. I reposted it and just said, hey, see Wes guess and assume a lot of stuff. Thankfully, I got them to change that really quick, 'cause there's no way we know. I don't know for a hundred percent sure. Have they said that it's actually Black Bomba that took them down?

Black Basta, yeah. I think they're making Bombas better. I think there's been some attribution made, but this is another one of those things that takes a long time, once you start to take the logs, pull everything apart, understand how they were attacked and what the progressions were.

And then you start to match those fingerprints to adversaries and how they work and what they do. That's when attribution starts to be made. And sometimes, obviously, the adversary will just come right out to you too, as part of a ransomware event, because they want to be paid. And so they tell you who they were.

But I was talking to JD Whitlock, a friend of ours, ex-Air Force pal as well.

He's a CIO at Dayton Children's. I was talking to him this last week, and I told him, and I might be wrong, but at the time I thought it was right, otherwise I wouldn't have said it, I said, I think the Ascension hack is going to be more impactful from a regional perspective than the Change Healthcare hack was.

And I think that's true from a regional eye. Like, the person Wes Wright could be affected pretty bad if I'm on the Ascension plan and stuff like that. It's not going to get the national news coverage that Change Healthcare got, but I think it's going to be even more disruptive than the Change one.

And I guess that's why people are filing lawsuits. I think that's ridiculous slash about time, kinda? I think if we would have had people filing lawsuits... actually, we did. Didn't some California place, the board was sued by somebody?

Huh.

But I think if we would have had lawsuits five, ten years ago popping up on these hacks, we probably would have got a lot tighter than we are right now.

Yeah, and obviously there's still a lot of work to do for a lot of places, but even the places that are tight, this gets into another whole conversation that you see starting to open up now. Are health systems victims, or are health systems somehow accountable for not locking the doors?

It's the, if you get robbed, is it your fault? And I'm not big on victim blaming, but at the same time, I understand there should be a certain base level of standards that kind of have to be in place, so that you don't get... where you've got to lock the front door when you leave, that kind of stuff.

Yeah. Somebody stole my car. I left the keys in it and it was running. Somebody stole it. Come on. Yeah, I can be a victim blamer at that point. And in some of these cases, especially the vendor ones, being a vendor, we are in existence to do what we're doing.

The healthcare IT people, there's just millions of things that they have to concentrate on and do. So if I'm going to blame the victim, it won't be an Ascension. It would be a Change Healthcare. It would be a Kronos. It would be a Dragon NaturallySpeaking.

That was your only job, to provide that service and provide it securely, and you failed at that. I'm going to victim blame the vendors. Maybe not the health systems.

The third-party part of this is obviously an incredibly high-profile attack surface now too, because instead of attacking a hundred health systems, you only have to get into one Change Healthcare to get all of that data.

So the bad guys have figured that out too. And they are really targeting third parties now. And of course, as health systems, we're trusting those organizations to protect us. Just like patients are expecting health systems to protect them. Yeah.

I think I just read that Australia has their own Change Healthcare situation going right now.

Oh, really?

Yep, that's almost the exact same scenario. So I think whoever attacked Change went up and said, is there anybody else that does this centralized scripting thing? Oh, Australia. Yeah, let's go attack them. That's going on right now.

Yeah. So, sort of speaking of all of this too, Anne Neuberger, who's the Deputy National Security Advisor for Cyber, has at RSA and in some other places...

I know we're going to hear more about this next week, because one of our chairs for the Philly 229 City Tour dinner next week is going to actually be speaking to her directly. I think she talks to her this week or maybe the beginning of next week. So she's going to come to dinner and be able to sort of talk about this.

Yeah. But Anne Neuberger's been talking about the backlash that they feel now over regulations that they're talking about issuing for healthcare organizations to get to this kind of base, you-have-to-be-this-tall-to-ride-the-ride kind of security.

You sent me that.

I hadn't seen that before, so thanks for sending that to me. And that's what the 229 community is good for, actually. Hey, here's some news. And thanks for your two-minute drills.

Yeah, sure. Loving sponsoring those. Yeah.

Thank you for being the exclusive sponsor of the Two-Minute Drill.

I'm really blown away. I started doing that on a whim.

Yeah, and right when I first started, because it was like, I have to get some material out, and it's turned out to work out pretty okay. A lot of people are following. So thanks for sponsoring. I really appreciate that.

Oh, absolutely.

Absolutely. Hopefully a long and prosperous relationship. That'd be great.

For both of us. But yeah, you sent that to me and I saw at the bottom, it said the AHA is pissed about this. And I'm going, why the hell would the AHA be angry about somebody enforcing some minimum security standards? If there's anything that's emblematic of how healthcare doesn't get security, I think this may be it.

We want to put rules in place so your hospital associates, the people that are members of your club, are more safe. We don't want you to do that. Why? Yeah, I didn't read the rationale. I would think it's something like, our healthcare systems have enough mandates right now, and we don't need to pile more mandates on them.

Even, turns out, it looks like it's going to be a funded mandate for some people, unlike the unfunded mandates that we've had to deal with. Yeah, so I'm not understanding why there's any pushback at all.

No, I think you've hit it on the head, right? The position that they're taking is, if there aren't resources to go along with these mandates, then this isn't going to work. The challenge with resources is multi-pronged here. There's a lot of states that are doing work individually now. New York offers, yeah, some incentives to some organizations to do some of these security things.

Others are going to mandate that some of these security standards are just, you have to do them, and they're coming with unfunded mandates. I think there's a lot of conversation now about how does it get tied to Medicare or Medicaid reimbursements, if you're not this tall to ride the ride.

How is this going to interact with the HHS strategic plan? Remember, that laid out also that there's going to be a minimum bar, and we're going to find some way to fund this for small... the CPGs.

Yeah. Are those tied together? Are the CPGs what she's talking about?

Yes, in many ways these things are tied together. It's also, I think, a little bit of the confusion. This is a bit discombobulated right now, right? When we have stuff like this happen over and over again, ransomware, all of the stuff that's been happening in healthcare, the government loves to help.

Yeah. But the help sometimes is not completely well coordinated, and it varies from state to state. The federal government gets involved, sometimes different departments of the federal government get involved. And so I think part of what everyone is asking for too is just, give us a coordinated effort, and in the coordinated effort, ideally give us some resources to be able to make that work. Because a lot of rural health systems, a lot of health systems, have to make hard decisions about, do we repair the roof over the emergency department, which is leaking?

Or do we make investments in cybersecurity? And these are not easy decisions that a lot of those folks are dealing with.

I agree. Yeah. The Health Sector Coordinating Council, hopefully that can help. You're a member, for sure.

Actually, so am I now. You are? That's great. Yeah. I had my conversation with Greg, and now I can discuss the CPGs from an internal perspective, because as we've talked about, I'm in, I wouldn't say vehement disagreement, but strong, fervent disagreement with what's been tagged expanded and what's essential.

Yeah, you and I have talked about it, and it was... it's okay to not like something and complain about it. It's a whole different thing to be in the inside baseball and say, oh, I see why this decision was made or that decision was made.

I've talked to you, I've talked to several people on the HSCC.

And I think what really happened, and why the things that I think should be on essentials got on expanded, was at the time that these were getting put together... Yeah. Full asset inventory. We didn't have the technology. We just released CAASM, which can do a full inventory in an hour, or not an hour, if you had everything set up right it could do it in an hour, but you can get a full inventory in a day and not have to send out armies and stuff like that. When these documents were being made, it was not in existence.

The thing, it said medium impact on doing this, which I disagree with, I think it's high. But also, effort was high, and I went, ah, that's probably why it went to the expanded versus the essentials. Because, pick your low-hanging fruit as fast as possible is what they're trying to say with the MFA.

Okay. Not sure I still agree with it, but I can understand the logic of it now.

And I think the reality of it is too, is that as tech advances... Yeah. And as the bad guys continue to change tactics and do things differently, the plan and the priorities have to be agile and change. Yes. And I'm glad you're on the inside now, because you'll help drive some of that.

Looking forward to it. I know quite a few of the folks on the HSCC. If nothing else, it'll be great conversation with some great people.

Yeah. Yeah, for sure. Okay. We're going to wrap up, but there's a few things I want to talk about. We were in Nashville last week.

And we had the very first inaugural 229 City Tour dinner. What do you think? How'd it go? Thanks for sponsoring that too, by the way.

Oh, for sure. Of course. Where 229 is, ordr is too. Not true, but it sounds like a great slogan. I thought it was great. Again, Steve Ramirez, CTO at Renown.

Thank you for hosting us out there in Nashville. But what it is, it's take the cool, fun part of the conferences that you go to, and that's what a 229 dinner is. A 229 supper club, that's what I call it. I know you've got an official title for it, but I call it supper.

I like supper club. I think supper is still a word that people use, but...

But you take, when I'm at CHIME or HIMSS or ViVE or something like that, yeah, you get through the day's grind through the show and meetings and stuff like that. What you really look forward to is, hey, are you going to have drinks?

Where are you going for dinner? And you go there and you talk about what's going on. And that's what the 229 Supper Club is.

It is a mix of a sort of misery loves company and, oh, you guys are doing that? Can I talk to you later about that? It is a great place to sort of make those connections.

Yeah. Yeah. So I thought it was great. I'm really looking forward to the one that you referenced earlier, next week in Philly.

a Santiago is moderating, hosting I guess is the right word, next week.

It's always good to see her. There's a lot going on in Philadelphia and that market. And so that'll be a really good one to hang out and see folks there.

Actually good to see a few friends from the past come to that too. I haven't seen some of these folks in probably two or three years, personally. So really looking forward to it.

And my job at these is just to sit there and listen, sponsor, of course, but it's just fascinating for me to listen to what the issues are that CISOs and CIOs, depending on which 229 event, are experiencing. And it's a little depressing to hear those issues and realize, I was sitting around a table somewhere 20 years ago, and half of these issues were the same issues then too.

And it's the normal business stuff. It's budget and resource and op tempo. And it's the same thing. It's just, like gravity, maybe there's some constants in health IT.

I think, for me, the great thing is when somebody like you is there, with a lot of real-world operations experience as a CIO and a CTO yourself for years and years.

Yes. Healthcare too. You have a lot of perspective. You're seasoned, as we say. I'm seasoned.

Thank you, Drex. Not old seasoned. Much of the time when they are having those discussions, I have to hold myself back from jumping in there. Nope. Just listen to what they have to say.

Yeah. Yeah. Hey, thanks for being on the show today. Unhack the News. How about that?

Unhack the News.

I'll see you around the Philly campus next week. That's right. See you around the Philly campus, Drex. All right. Thanks.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com/news. Thanks to our Unhack the News partners CrowdStrike, Fortified Health, Enterprise Health, Island, and ordr. You can learn more about these great partners at thisweekhealth.com/partners. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.
