The Incident Responder’s Guide to Defending Health Systems from Cyberattacks
Episode 513 • 1st June 2022 • This Week Health: Conference • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

We have so many threat analysts and investigators who spend their days and nights and weekends on the dark web. And because we do so many incident response engagements and look at the forensics after the fact, we know that it takes an adversary about an hour and 38 minutes from the time they're on the first machine till they move to the next machine. And once they've moved to that second machine and the third machine and the fourth machine, along the way they're picking up new credentials and new passwords and new capabilities.

This is a Solution Showcase. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. You can subscribe wherever you listen to podcasts: Apple, Google, Spotify, Stitcher, Overcast. You name it, we are there. You can also go to thisweekhealth.com and subscribe there as well. And now onto our show.

All right. Today, we have a solution showcase. I'm really excited about this. These three gentlemen got together on a panel recently at an event I was at and they talked about how CIOs can keep their jobs. And I thought it was relevant for our community to listen to this.

It's really about incident response, recovery and those kinds of things. And I wrote an article a while back, and I said there's a handful of things that are really fun at the CIO job. You get to innovate, you get to do digital, you get to do all those things. But at the end of the day, if you can't keep your data center running and you lose that connectivity and all those things to the endpoint devices, it's not long before... That's the basic blocking and tackling of the job. And you've got to make sure that you do that. And this is about making sure that those systems are available. Today we have Marty Momdjian with Sirius Healthcare, part of their healthcare strategy.

Now a CDW company. We have Mickey Bresman, who is the CEO of Semperis, and we're excited to have him here, and Drex DeFord, who everyone's familiar with, executive strategist with CrowdStrike. Mickey, big day for Semperis, by the way; we've got to start there. You guys just announced a significant fundraise for Semperis.

So congratulations. You want to give a couple of comments on that? You've been talking about it all day to the press. So, well, give your 2 cents here on this before we get going.

Sure. And I just wanted to say that from the introductions, was I the only one who felt the need to say everybody loves Drex?

He's one of the most likable guys in healthcare. It's true.

I could not agree more. Yeah. So we have announced today our round C, a 200-plus million round that was led by KKR, which is one of the leading cyber investors. And not only are they a huge entity, as you guys probably know, they're also joined by several other leading cybersecurity companies like Ten Eleven, and

t growing sector in the last.:

Yeah, that's exciting. It's great to have a strategic investor, right? Not only are they putting the money in, but they're also utilizing the product, and that means a lot. Marty, you're going to tie all this together. CrowdStrike's here. Semperis is here. Why are these two companies here together? And what are you doing with them with regard to... it's Sirius.

Yeah. So this all started about two and a half years ago with the whole ransomware threat, all the looming advanced persistent threats, the bad actors.

Really, every time we had a breach, it's a cause for chaos, right? It's healthcare. It's not like in the IT industry; you're taking care of patients. And every time we had a major incident and the customer called us and said, Hey, help, we need extra hands, we need extra minds, we just need support to keep clinical systems online.

Usually our first two phone calls were CrowdStrike and Semperis, right off the bat. After about 10 times of doing incident response, we kind of sat down and said, Hey, what are the commonalities? What do we need to do to keep clinical systems online, so caregivers, clinicians, bedside staff can do what they do best and take care of the patients?

And we just came back to: let's call the experts, right? Let's call CrowdStrike to do remote incident response and protect the endpoint systems or protect the data center. Let's call Semperis to protect Active Directory, because that's a key component of everything identity related, so we can keep clinical systems online.

Yeah. So that's essentially the foundation there, right? You can't do anything if directory's gone. You're out of the water, because so many of our systems are tied to Active Directory, and then we need to have those endpoint devices working from the get-go, plus the incident response services that CrowdStrike offers going in. Drex, you and I have talked about this, how critical it is to address these things quickly, because there's sort of a timeline that we've seen over the last couple of years for these ransomware attacks. And it's like, once this happens, then this happens, then this happens. And if you can somehow get in the middle there, you can protect some things from going down.

But if you wait too long, then you have to go into that recovery phase. Talk a little bit about that timeline. Yeah, sure.

I mean, we know, just because we have so many threat analysts and investigators who spend kind of their days and nights and weekends on the dark web, and because we do so many incident response engagements and look at the forensics after the fact, we know that it takes an adversary about an hour and 38 minutes from the time they're on the first machine till they move to the next machine. We call it breakout time.

Or you may sometimes hear that referred to as lateral moves. That within an hour and 38 minutes, they're moving to the next machine. And once they've moved to that second machine and the third machine and the fourth machine, along the way they're picking up new credentials and new passwords and new capabilities.

And so once they have that first breakout time, your odds of getting ransomware or having data exfiltrated really go up astronomically. So the goal in all of this has to be to be able to find the bad guy and kill them off within an hour and 38 minutes. And so the strategy that we use at CrowdStrike is something called 1-10-60. Within a minute,

we can get an alert on that endpoint that something nefarious may be going on. And within about 10 minutes, we can confirm that. And then, at that point, we're so far ahead of the bad guy, we can actually kill them off. And in many cases, with a service we call Falcon Complete, we can actually recover that machine and put it back in service.

So it gives you a lot of resiliency, right? To end users, it feels like nothing ever happened. And that, kind of, if you get ahead of the game, you can do that. When it comes time to come in for an incident response, if you're not a CrowdStrike customer, the incident response part of that uses exactly the same sensor deployed to endpoints.

But it's a little bit more of a challenge then, obviously, because you've already got a problem on your hands, and we're coming in with really, really smart people to help you recover those endpoints, get them back in service and get back in the game.

But if they get to Active Directory and policy manager, I mean, this thing is the crown jewels, isn't it? I mean, we can unlock an awful lot if we get to Active Directory, can't we? Yeah, for sure.

I was asked about it not that long ago. And my general thinking is that in the last several years, cyber criminals have actually discovered Active Directory before the IT world really was paying attention.

ld say going back at least to:

In terms of how we approach it, our incident response services are only focused on the Active Directory and Azure AD; those are the two systems that we are covering. And we have kind of the same as in the CrowdStrike story, but focusing on the identity side: we have the biggest number of identity experts worldwide,

which allows us to come in with a lot of experience in terms of how to go about recovering the AD environment, how you go about recovering the Azure AD environment, and how you get the organization back to the point they're up and running and they can trust their environments again.

And then of course, everything that we learn out of those incident response engagements goes back into the product to make the next engagement even better, and to help the customers to be able to do those things in as automated a way as possible. That's kind of how we look at it. And from my perspective, and I know that this is also how many of our partners, like Marty for instance, are thinking about it:

when it comes to the recovery stage of a ransomware attack, there will be two things that you will need to recover. First, you will have to get control over the AD; you will need to have it up and running. You will then need to go ahead and recover the critical applications and the endpoints. And only then you can have the experts like Marty coming in and helping you with the critical applications that you have, if it's the Epic and similar.

Yeah. So Marty, bring this all together. Is this really about incident response? I mean, cause we've talked to Matt Sickles, we've talked to others. In fact, I just talked to Sirius and Semperis together and we were talking about early days, when you get those phone calls. It was actually a fun conversation that we had.

But those are dark days in some cases. I mean, where all you have left is a command line to a terminal, and you're trying to do some things and figure out what's going on. That's the worst case they were sort of sharing. Is this an incident response or recovery play? Or when you get that phone call from a health system, what is Sirius to...

It's all of it, right? Our engagement methodology: we engaged with our really closest customers and any customers in general and said, Hey, let's tie incident response, major IT incident management and emergency management together. Because at the end of the day, it is a business partner that should keep clinicals online at all times.

So the way that we have our engagement methodology built out now is, that's bringing the experts, bringing CrowdStrike, bringing Semperis, bringing our incident response team and bringing our clinical support teams, and saying, what does your healthcare system need? And what does clinical need to continue taking care of patients?

And the way that we've structured things is, let's take all the lessons that we've learned and provide you a retainer that you need for CrowdStrike to come in and do A, B and C on remote incident response, provide your retainer to have Semperis come in and make sure that you have a secure and fully backed up and resilient copy of Active Directory.

And if you do have an incident now, when you make the call, we engage with all three parties and say, you know what, let CrowdStrike do what they're best at, let Semperis do what they're best at, because they are... I don't like the term market leader, but they are very good at what they do, which is why we rely on them.

And we can now focus on keeping clinical systems online, getting ADT online, getting census up and available, getting the beds satisfied, and just getting patient registration online, while our security partners focus on detection, isolation, eradication. And that's really the approach that we took: every time we had a major incident, we rely on these guys to do what they do best, but anybody else.

So when the chaos sets in, it's one phone call. You just call Sirius, you coordinate the activities, bring everybody to the table and help in the response. But I like part of that that you were talking about, because there's both.

CrowdStrike and Semperis have preventative things that help the restore go so much easier. Mickey, we'll start with you. I mean, if they have Semperis actually installed, and the various aspects of the Semperis tool installed, it does make that response and that restore a lot easier.

For sure. And one of the things that we will have discussion with customers about, if it's ahead of time, is what we refer to as the breach preparedness and response. So this is the side of it. And one of the things that we encourage customers to think about, if you think about BCP, is to take the cyber-first approach to BCP, which basically means... I have to... 10 years ago, when we were thinking BCP, we were thinking flood.

We were thinking fire. We were thinking energy or power outage or something like that. This still potentially can happen, but the frequency of the cyber attacks and the damage that they cause is very... It's not thinking about one of the four data centers that I have is now down or unavailable; it's all of them, including the workstations.

And so on, that are touched. All of it is being encrypted in a matter of minutes. And I'm sure that Drex and Marty have seen the same thing over and over again: in the matter of an hour, that's it, there is nothing else to work with. And if you are lucky, then you have a backup copy of your AD environment somewhere.

And being lucky is definitely not the strategy, but then you're also going to have the concern of, what if this backup has been infected? What if there is already a malware inside of the... Because the standard backup and recovery solutions are all relying on methods like system state or bare metal recovery, which basically includes the malware in the backup.

And then the thing with the AD, it also takes a while to understand, because of the nature of the Active Directory being disabled. The fact that you have a backup and the orchestration of the recovery are very different things. And then it takes a while to truly understand what the recovery process is going to look like.

So those are the things that we would love to have a chat with the customer about before they actually need to deal with the incident response, and not during, when everything is on fire and everybody's running around. Things that sometimes sound obvious, but you'll be surprised. What is your offline offsite policy?

How do you store backups? Another question can be, who is the authority that you need to go to in order to get an approval to start the recovery process? If you are a globally distributed company and you have... which is a relatively common scenario, but you have some AD in the US, as an example, and some of it is in the UK, who has the ability to say, okay, we are good to go?

All of those things need to be thought of ahead of time. And especially when it comes to Active Directory, because it's so much in the heart of everything, you want to make sure that the different pieces that are involved in the recovery process are not part of your recovery plan. So if your storage device is authenticated to the...

it can only be part of your recovery process. If your network device is authenticating against Active Directory, it cannot be part of your recovery process. All those things, it's way better if you think of those ahead of time. Otherwise you end up with people trying to get in from a window into a data center, because the door is also authenticated against Active Directory. And I'm not kidding. That's a real story.

So my point there is, as much preparation as you do ahead of time, the less painful it's going to be. And then instead of wasting days or weeks on the recovery process, try to get to a point where you can contain the whole thing in a matter of a few hours. It's a very different type of, still unpleasant, experience, but it's definitely very different.

Yeah. And your tools have a lot of detect capabilities as well, that you can detect things as they're happening, roll them back within Active Directory, so if there's malicious activity and whatnot. Which, Drex, that's what I want to get to you on. You guys have a lot of those kinds of tools as well, that are going to detect things as they're happening and say, yeah, that doesn't look...

Yeah, there's a lot of similarity, I think, in thinking between Mickey's company and CrowdStrike, right? This idea that there's almost like a back button or an undo button that you have access to, to be able to move back to before the bad event happened, so that you can kind of then continue on from there.

The thing I love about the trio that we have here is, what's the saying? Like the first best time to plant a tree was 40 years ago, and the second best time to plant a tree is today. There's this situation, I think, here of: if you don't do anything else, do an incident response retainer with Marty and the guys at Sirius, right?

That will be the incident response retainer that will also include CrowdStrike and Semperis. That's the best situation that you can have. If you don't have an incident response retainer today, or if you have an incident, you can get to us right away. But the best situation actually is to have these conversations now.

Run the exercises, let Sirius come in and understand how your systems work and what systems you have and what's dependent on what. Let Mickey and the Semperis guys come in and do the same thing around Active Directory. Let us come in and make sure that we can look at the whole network, look at all the endpoints, and that we understand where they're at and what they're doing today.

In those cases, when you've done that, when an incident starts to happen, we just cut it off at the pass. It's almost like it never even happened. And that's the resiliency that you need today in healthcare, if you're going to provide better, cheaper, faster, safer care for patients and families.

We just can't take that risk anymore. Patients need those systems to be up; doctors and nurses, in many cases today... I did a presentation in New Orleans a couple of weeks ago. And when I asked how many people had trained in medical school when they didn't have access to an electronic health record, there were only a few hands, right?

Everyone there, their training has been done with IT systems; it's the only way they know how to provide good, safe care. So we just can't let them go down. We have to protect them.

Let me hit the proverbial soft spot right now for health system leaders, and that is cyber insurance and whatnot. And this is an interesting retainer and it's an interesting concept. One of the challenges we're having is we're doing these things at rates that... they don't make fiscal sense anymore to renew these things. And even if you want to renew them fiscally, they come in with this arduous process and then they dictate in the contract,

Hey, here's who you're going to deal with. Are you guys talking to... and I guess, Marty, I'll come to you. Are you talking to clients about how they're thinking about their cyber liability moving forward and how they can, I don't know, work to make it more manageable from a financial standpoint?

We are. I think one of the hottest topics has been some healthcare systems are looking at it and saying, let's go self-insured right through the board, which you need a big bucket of money sitting somewhere to make sure that you have some kind of guarantee if there is a financial impact. But it's also very, very, very complex.

And what I... having a conversation with CSOs and CIOs and CTOs is, why am I spending that kind of money on cyber liability insurance when I can spend that to hire staff, when I could go get CrowdStrike and go get Semperis and go get incident response teams and protect my systems? I think it's a lot more complex than that, because there is no vendor that's going to show up and say, I'm going to reduce your costs.

And this is something we learned, I learned from Drex, right, after a lot of conversations: there is no right or wrong. And how do we lose sight? Which is about a lot of executives from the technical point of view and security point of view are saying, why am I spending this type of money when I can invest this money in solutions and partners and hiring staff and get a much better result than relying on cyber insurance?

We've seen this with health insurance companies that have the wherewithal; they'll say, we're going to self-insure. We need an entity over here to do the processing and the insurance cards and all that other stuff. But at the end of the day, we're going to self-insure, cause the cost of healthcare has gotten to be ridiculous, and it becomes even more... Are the two of you, Drex and Mickey, are you guys hearing this same kind of thing in the industry?

I think that one interesting aspect, not related to us, but just in general, they have been publishing about the cost of cyber insurance to the insurers, to the insurance companies, basically. And while the cost of cyber insurance constantly goes up, they keep on losing.

And the thing, if you think about what it actually means, is that the cost of downtime for most of those organizations is so high that the fact that you are insured... if you stay down for a long period of time, that potentially might mean even going out of business, and then no insurance is going to help you with that.

Yes, you will be paid something, but it's kind of, I have a life insurance, it's okay to jump from the window. Probably not the best idea. So yes, I think that we are seeing more and more companies thinking in terms of, can I use the same... in order to be able to better protect myself, to prevent the incident,

and then, if the incident does happen, to be able to bounce back. I even had discussion with some of the cyber insurance companies, and I'm sure that Drex and his company have the same story there, but they are now actively looking at what can they do to reduce the downtime of their customers, so that the cyber insurance cost will not be going completely out of whack.

Yeah. So Marty, you should be talking to those guys. And going in, Drex, we talked about this, I think on the Newsday show. The Scripps cost was pretty public, because they came out and just said, Hey, here's our financials. And I think it was a hundred... If I remember correctly, it's somewhere around 120 million, give or take.

And that's just the downtime. I mean, if there's an actual breach of information, then you have the penalties coming after the fact. I don't know that there was in this case, but the downtime alone was pretty harsh. Are you finding that health systems now are starting to have the conversation, taking it more seriously?

We had those other incidents. We had WannaCry. We had all those things. But still I heard CISOs saying, yeah, it's still hard to get people's attention of how serious this is and what can happen. But now we've had big systems come offline and we have numbers to back it up and we have stories to back it up.

Is this now a board level... We're having the conversation that they're ready to make these investments.

Yeah, I think we're closer to that now than ever before. I think there's still a lot of focus and convincing that may need to be done in some places. Back to the cyber liability insurance

comment: the idea that health systems now more than ever... as I have conversations, I have in the last year... I've never heard somebody, healthcare organizations, say that they're going to build their own captive and they're going to self-insure and they're going to sort of create these programs to take care of themselves.

And like you said, it's because the rates have gone up, the deductibles have gone up, and the limitations of liability coverage have really, really narrowed. We're on the panel for probably 95% of the cyber liability insurance carriers, which means that if you have an incident and you call CrowdStrike and we come in and help you with it, your cyber liability insurance carrier will cover that.

But in:

Sounds like great profit margins in healthcare, but it's not a program that works for insurance companies. So we saw a lot of cyber liability insurance companies pull out and just say, we're not going to do that kind of insurance anymore. And we saw others, as you said, who continued to stay involved with cyber liability insurance,

do all those other things, generate a huge list of questions, and really want to be involved in how your program works and what tools you're using. And the bottom line, and that ultimately came down to, or has come down to today: there's no good driver discount. You just have to have a good program, or you're not going to get insurance. Or if you don't have a good program, you're not going to get insurance.

And now what are your options? It's a tough landscape out there. I think boards are definitely more involved than ever before. Executive leaders are involved more than ever before, but it's still a tough conversation in a lot of places. Yep.

One thing I will add to that, Bill, is when we've been engaging with customers, helping build an incident response plan, emergency management plan, major incident management,

a couple of years ago, the conversation was always patient safety, right? And I'll be the one to say it. When we get engaged at the board level, there is somebody a lot smarter than us that is in charge of patient safety and knows what to do when clinical systems are not available. We've learned that over and over and over. Now it's coming down to the CIO, the CTO, CMIO, or especially the CFO saying:

We got patient safety; we will handle downtimes; hospitals know what to do. They have the HICS process. We take EMR downtimes. Now you, the incident response team, IT applications teams, you're responsible to get revenue cycle online, get charge capture online, get billing online, keep clinicals online, because that is very important

for their downtime process and for the healthcare system managing revenue cycle. Because at the end of the day, how does a CSO go through a cyber insurer to make a claim and have that conversation of how complex healthcare is and justify the cost of downtime, whether it's one day or 30 days, right? Most cyber insurers,

when we do the after action report in a post..., they look at us like we have 10 eyes when somebody in clinical revenue cycle is walking them through the process of what it actually costs for the healthcare system to be offline, because of how complex it is. Yeah.

It's amazing how interconnected it is now. We did a webinar with a company that went through a ransomware attack and they were there talking: Yeah, we lost our EHR and your... Every health system is trained to go without the EHR for a day, maybe even two to three and four. And it gets to, how do we schedule these people again? And Drex, you made the point that they're all trained on electronic systems now, and some have never done paper. You have to train them how to use paper. And sometimes when they're tied up with Active Directory, your imaging systems stop working and some other things stop, where your Pyxis system stops working, or pharmacy equipment.

And now you're, like, to a whole new level. I want to thank the three of you for working together on this. It's such a great problem. This Week Health has 24 sponsors. You are three of them: CrowdStrike, Semperis and Sirius Healthcare, a CDW company. And people often ask me, how do you come up with the 24 companies? And I said, for the most part, they're handpicked; they're companies that I respect, companies that do great work, and I really appreciate having the opportunity to highlight some of the work that you guys are doing together. So thank you again for your time and thank you again for sharing your expertise with the community. Really appreciate it.

Thanks, Bill. Thank you.

What a great discussion we want to thank our sponsors for today, Sirius Healthcare who are investing in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.
