UnHack (the News): Remote North Korean Scam Bust and Smishing Scam Hero with Christian Boucher
Episode 164 • 26th August 2024 • This Week Health: Newsroom • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

This episode is brought to you by Island.

Today's healthcare staff needs safe, convenient, and dependable access to patient data across various applications. Island, the enterprise browser, simplifies and secures healthcare data access. It's a new take on the most common application we use every day, the web browser, tailored for the unique demands of healthcare.

Clinicians can safely log in from any device to interact with health system applications and PHI. Built-in last-mile controls keep data where it belongs, so access is simple, data is safe, and patient care is smooth. Visit ThisWeekHealth.com slash Island to see Island for yourself.

Today on Unhack the News. (Intro)

Christian Boucher: What is the worst possible thing that could go wrong in this scenario, whether it's delivering an app, or delivering services, or something that could impact our clinicians, and then you can move back down the line. So you're almost working backwards from the problem to the solution.

Drex DeFord: Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non-technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News.

(Main) Hey, everyone. Welcome to Unhack the News. I'm Drex, and with me today from Island is Christian Boucher.

Welcome to the show.

Christian Boucher: Thank you very much, Drex, for having me.

Drex DeFord: How's it going?

Christian Boucher: Can't complain. Another beautiful day up here in New England.

Drex DeFord: Oh, that's awesome. Tell me a little bit about yourself. Introduce yourself to the folks who are listening.

Christian Boucher: Absolutely. So I'm, like Drex said, I'm Christian Boucher, a new member of Island. Been here about a month, where I'm responsible for overall healthcare solution architecture and strategy. I've been working here for several weeks just trying to get my feet on the ground, meeting all the new teams, and my role spans across multiple facets of the organization: product, engineering, go-to-market with some of our sales teams, but also just trying to bring my two decades of experience in the healthcare arena to Island and help them build out more specific practices that are focused on the needs of healthcare.

Drex DeFord: Yeah. And we'll get to the news here in a minute. Tell me a little bit about your background because you actually have a really interesting background.

Christian Boucher: About a little over 20 years ago, I joined a healthcare organization in New England, where I started out as an engineer and kind of moved into architecture, then gradually moved into the leadership team to oversee these large projects.

Whether it was bringing in new infrastructure, moving off of mainframe systems into Windows-based solutions, gradually into security, into workspace, and how that all combined, finally working out of the office of the CIO, focusing on large-scale initiatives, and being that conduit between our clinical leadership and IT, being that solutions architecture well before that term was, you know, defined.

I was there for quite a few years matriculating through leadership. And then maybe about 10 years ago, I jumped to the dark side and moved over to Citrix for about 9 years, overseeing a lot of there. A lot of the same things I'm doing here in Island. So I was the lead strategist for them on the healthcare side, doing everything from product integrations and trying to better understand the customer demand on how they were utilizing both our products, on the dark side, but also all of our partners and how we can better integrate our solutions to solve larger problems.

Drex DeFord: Yeah. I love that background because you have the real-life healthcare operator experience, and then you also have the real-life working for a partner and all of the challenges, new experiences that come from doing that too. So again, thanks for being on the show.

Okay. We're going to hit a couple of news stories, a few news stories for you and I talked about in advance. One of them comes from BleepingComputer and it's about the U.S. dismantles a laptop farm used by undercover North Korean IT workers. And it's an interesting story about a guy in Nashville who gets jobs with companies in the United States, and they ship that guy a laptop, and then he loads some remote desktop kinds of software on those computers so that North Koreans then can do the work and make the money and also get access to files and material and other stuff from those companies that those laptops are attached to.

And from the company's perspective, it looks like somebody in Nashville is working on that computer, so they don't think anything about it. I don't even know what to say. It's just one of those things. And there's more and more of this kind of stuff apparently happening, because, you... let me find the part of the article.

The National Security Division of the FBI Cyber and Counterintelligence Divisions have launched the Domestic Enabler Initiative specifically to fight this kind of crime. I knew this was going on, but it seems like it's a way bigger deal than I ever imagined.

Christian Boucher: Yeah, I agree, and it definitely takes the concept of multitasking to a whole new level, so hats off to him for coming up with this creative way.

Yeah. Get more stuff done. But I think it's one of those things that as industry itself and not specifically just healthcare, but, remote work has become almost a necessity, being able to cast a larger net for talent. We know the challenges that healthcare systems have with just, recruiting and retaining talent.

So how does, when something like this happens, does it put the brakes on some of that hiring process? Or are there opportunities for technology providers to bring in solutions? Enterprise browser side of the house, there are a lot of capabilities that are built into some products that kind of can allow you to control some of that, disabling the ability for your enterprise applications to be shared via RDP or via Zoom for a matter of fact.

So you can put some, I don't want to say roadblocks, but you could put some gates in place to allow a little bit more granular control on how that happens. And we've seen some of that just in clinical workflows in the hospital, never mind the remote stuff. But if I'm on a Zoom with you and I wanted to pop up a screen to show you something, you can actually put controls in the way, these specific applications or these screens within applications are considered, very sensitive data be on them.

So we could actually block those screens are actually showing, but also give you the ability to gate it, where it's, I need to show this for a tech support section, because I'm having trouble navigating through the screen. As we start looking at some of these newer breach opportunities for these threat actors, I think it's great to start looking at the industry to see if there are ways to help control some of that stuff.

Drex DeFord: So as I read that story, and obviously I've done some digging on Island too, but this idea of the model of we've hired a new worker and we're going to send that worker a laptop. Is that kind of like an old school model now? Is it, I know a lot of organizations still do that and there's probably great reasons to do it, but I think with, I just wonder, do we have to do that anymore?

Christian Boucher: I think there's no one right answer for any use case, because I think sometimes there may be some additional requirements or maybe they're leveraging, we'll call it legacy architecture that kind of requires that type of access, but with the emergence of enterprise browsers, that gives them another opportunity to look at ways to deliver things, especially critical apps, in a different way, which can layer on additional security, can improve user experience, can allow a lot more granular control of how things are, data, for instance, is matriculating in and out of these browsers.

So I think, as we start seeing these stories, hit the news, there's going to be opportunities for executives across industries to start looking at, do we have other options in order to deploy or deliver solutions and, it gets into some of the other pieces where, we'll probably get into it into one of the other stories, but.

What do we do if something like CrowdStrike takes out all of our PCs in our organization, what is our mechanism to continue operations moving down the line?

Are you ready to get insider access to the latest health IT innovations? I'm Drex DeFord, and I want to personally invite you to one of our upcoming webinars, Fireside Chat, Cutting Edge Conversations with Top CMIOs, sponsored by Dr. First. This is your chance to hear directly from some of the brightest minds in health IT as they share groundbreaking insights from one of our 229 executive summits. We'll cover the transformative power of AI, strategies for optimizing healthcare operations, tackling physician burnout, and the latest in population health management. Don't miss this opportunity to stay ahead of the curve and bring these cutting edge ideas back to your organization.

Register now at ThisWeekHealth.com slash Fireside Chat. That's Fireside dash chat. ThisWeekHealth.com slash Fireside dash chat. Thanks. See you there.

Drex DeFord: That is the next story I wanted to talk about. There's a story in Chief Healthcare Executive.

r podcasts, but it feels like:

And then at some point, there's just a box that says something happens, but it's the details in the box that turns out to be the really important part of the business continuity plan. They just not really necessarily thought that deeply through the process. So in Chief Healthcare Executive, there's a story that is tech outage, fallout, hospitals need a strong response plan when systems go down.

And a lot of that is around business continuity, but obviously disaster recovery too. So I would just say, keep going. You are on a roll. Talking about dealing with business continuity and disaster recovery when you lose those systems. What are you seeing out there as you talk to customers and partners?

Christian Boucher: I think, I've been lucky enough to have some great mentors and leaders throughout my careers. And one of the things I picked up very early on from a friend of mine, who's not a longtime friend, but was former CIO, was like this inversion thinking process. It's what is the worst possible thing that could go wrong in this scenario, whether it's delivering an app, or delivering services, or something that could impact our clinicians on the floor and work your way back and start ticking off boxes.

First of all, how do we stop this from happening? And then you can move back down the line. So you're almost working backwards from the problem to the solution. So that's how I've thought about it. And that's how I've always taught my teams to think about, how do we stop these bad things from happening?

And sometimes it's technology, sometimes it's process, and sometimes it's people in training. So how do we get those things in front and center? But I think technology-wise we've always had, and I don't want to call out any specific EHR, but there are certain platforms where you have to plan for these things and they give you a run book on how they require certain technologies to be built in a secure enclave.

For instance, for DR, so you have these opportunities, but I think as we see newer technologies like enterprise browser come in, I think there's opportunity to even go a step further. Read-only environments, say like you do have a major, whether it's a weather emergency or it's a security emergency, or it could be a patch like we saw in the last few weeks where something takes out of your systems. How can we segment our solutions to remove as many factors as possible? Like in read-only environments where if something really bad happens, you don't have to worry about normal operating procedures.

You are there just to make sure that you can get to this data. Now, in many scenarios we've seen VDI take that place of deploying solutions to end users.

But what happens if it's a Microsoft patch that takes something down, or it's a VDI solution that could do the same thing? Now, if you have that production environment replicated in your DR environment, unless you have very, kind of, canary-in-the-coal-mine deployment solutions as far as Windows patches, security patches, all those things where you're staging it, it can turn into that same amount and you could be affecting your DR.

Drex DeFord: Except the DR system too, yeah, good point.

Christian Boucher: So how do you start thinking about, if I know what we need to do, in if this scenario would happen? How do I remove as many variables as possible? I think there's opportunities for, again, browser based access into these environments where you're essentially subtracting as many common denominators as you can across those environments.

There's a lot of different ways to think about it, but I think you start looking at your stack, it's important to understand that if you have one common link across your DR strategies, that could be the weak link. So how do you separate as many of those common links as possible in those environments?

Also allows you to be able to say our production PCs across our organization are affected. How can I that same environment to non-production, like non-enterprise-owned devices. Being able to log into BYO programs or your own personal workstation and get the same access that you require.

Maybe you ramp down the permissions a bit because they're untrusted, but enterprise browser gives you a lot of that flexibility as well, where you could just send the end user an email. They download the enterprise browser and all of a sudden all those apps that are in your enterprise in your data centers or your DEI data centers are now fully accessible and you don't have to worry about the endpoint as being that common link that breaks.

Drex DeFord: This whole last few months has definitely, I think, caused a lot of people to think and rethink the whole process behind disaster recovery. How are they more resilient? How to recover more quickly? And certainly the whole business continuity part of the how do you operate when the machines are down, how are we going to continue to provide great care to patients and families?

The last story, maybe the last story, we'll see. The last story I wanted to talk about, this one's kind of fun. I don't know if it's fun. It's different and interesting. It's from Wired and it talks about a U.S. Postal Service text scammer who, we all get those texts, the texts that say, hey, by the way, you've got a package.

We've had a really hard time delivering it. Can you click this link? We need to get some more information from you. If you click the link, I'm just telling you right now, don't click the link when you get those text messages. But if you click the link, it may ask you for a lot of information, personal information.

It may ask you for a credit card number, those kinds of things. In this particular case, there was a guy, Grant Smith, whose wife clicked the link and put information into that browser, and then immediately regretted it and told her husband. And as it turned out, Grant was a red team guy.

He was actually a cybersecurity guy. And so the story just goes on from there. I think you've read it too. What do you think about how this all plays out?

Christian Boucher: It's amazing because I just had this conversation with my kids are all, teens now and they're getting constantly spammed with text messages, with phone calls, emails.

And we had this conversation maybe about a month ago about some of this, because my son came up to me regarding an Amazon Prime account. Texting had gotten. And it's amazing how, even in those scenarios, because we had this conversation before, my oldest son and actually both now are going into, my first son's a sophomore, my second son's a freshman in college for cybersecurity.

Drex DeFord: So

Christian Boucher: they've got some history. They've sat with me and had conversations about some of the classes that they're taking and some of the technologies behind it. But it's a make, and we're so busy, all of a sudden you get this email or you get this text message or you get a link pop up in Slack, for instance, especially if you have a public Slack, and you just, out of habit, start running through, you think it's a challenge.

On the consumer side it's very difficult. I've had an elderly family member fall into this where they thought it was a, actually a request from a nephew.

Drex DeFord: Yeah. They're so well written. They're so well done now. And ChatGPT and other things help with that.

English as a second language, make it sound like somebody that they actually know. It's incredible. It's incredible. It

Christian Boucher: is, and I think we know, on the consumer side, I think it's a bit more challenging, but even, one thing that's really interesting about the enterprise browsers is even if I use IoT, In enterprise browser in these situations, there's actually, again, you can gate what goes in and out of that.

Even if I'm clicking on a link from my email, if I start typing in, and again, it's all dependent upon how you as an organization want to deliver security. But if I start typing in a social security number or a credit card number, you can actually put in gates again to say, this website doesn't look like it's on the up and up or it, this data that you're actually typing into this is pretty, pretty sensitive.

Are you sure that you want to do this?

Drex DeFord: And that

Christian Boucher: goes along lines, the same thing. If you click on a link and it goes to a site that may not have checks and balances. Or if there seems to be some, if you're using any type of web filtering, you could tie that into it.

So things that look off. And I think that's one of the other things is you click on these links and it could be USPS with a little dash in there or using, what do you call it, a different language U for it, so it looks a little bit different. So those sites, I've been surprised at some of the stuff that I've seen where the site looks totally legit and you look at the actual link in it and it's just that letter is using a Cyrillic O or something.

Yes, exactly. So it's diligence. And I think one thing that we can share is that most of these sites, and I would say all of them, legitimate sites, should not be asking for that information. So if you ever get one of those, please make sure that you think twice, because most vendors should not be asking you for that stuff.

Drex DeFord: This is good education for patients and families too and your own family and your own aunts and uncles and grandma and grandpa. This is a thing that I know you hear about it here and we talk about it mostly in the context of work, but it is the kind of thing that we know sometimes when adversaries are attacking an organization, they have a particular person that they want to try to distract from resolving that problem, that they actually will do these kinds of things to them and their family to get them off track from whatever, saving the ship.

And so it's just good education in general to tell your family and tell others about the challenges that come with these kind of smishing attacks.

Christian Boucher: It used to be the old, some would call your landline and say that from the, it's just become now another avenue for bad actors to leverage a medium. What we see more and more is that they, again, they're getting much more complex where they're embedding these links or changing the way sites look, but the important thing is to, again, continue to have those conversations because technology is a part of pretty much everyone's life now.

Everyone's got a cell phone. Everyone's got an email address. Everyone gets text messages for the most part. become, again, a gateway to, opportunities for bad actors.

Drex DeFord: Yeah, it's so easy to make a mistake too. And the other lesson in all of this is be like Grant's wife, right?

The red team guy here who wound up hacking the Chinese organization that was behind that smishing attack that his wife took part in. Be like Grant's wife because as soon as she realized that she had done something wrong, she told her husband that she thought maybe she had done something wrong.

The same thing should apply in your organization, right? That if you think you clicked on something and you shouldn't have and you've made a mistake, you should tell somebody like right away, immediately, because it doesn't take long for that one mistake to turn into somebody owning the whole domain.

Christian Boucher: Absolutely. And I think, again, it gets back into just overall, what is your educational program around cybersecurity looks like, and we actually did this, when I was back in, , we would create our own fake addresses and send emails and even spoof tech support.

And we would, actively, so besides just the general training that we all do once a year, we know we just click through it and watch the videos, but now you need to take an active role in how you are engaging with your end users on a regular basis to make sure that either the training you're doing is working or maybe there's some slight adjustments you need to make to fully protect your organization.

Drex DeFord: Hey, Christian, thanks for being on the show today. I really appreciate it. It was a lot of fun talking to you and going through the news. We have not met in person, but I hope our paths cross sometime soon in person.

Christian Boucher: I hope so, too. It's been a while since we've spoken and I think there will be some opportunities forthcoming that we'll be able to finally get to meet in person.

Drex DeFord: Sounds good. All right. Thanks for being on.

Christian Boucher: Thank you,

Drex DeFord: sir.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com slash news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.
