This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack Rewind '25
We saw outages that shut down critical services.
Deepfakes so realistic you couldn’t trust your eyes.
And attackers who behaved more like businesses than criminals.
But we also saw something else, something stronger:
People. Teams. Leaders.
Showing up for each other.
Learning, adapting, building resilience one decision at a time.
This is UnHack Rewind: Because in the end, cyber-safety is patient-safety.
Let’s get into it.
We start where so many of this year’s stories began, with outages.
Not abstract ones.
Not hypothetical tabletop scenarios.
Real outages.
Real clinics.
Real patients waiting for scans, treatments, appointments.
When systems go dark, the
Heather Costa: Disaster recovery has historically been about physical disruption. It's been an all-or-nothing approach. The problem is that more traditional approach to disaster recovery doesn't serve us in the new threat landscape. So, within a, I'd say, a month or 2 of being with Mayo, I rebranded, so we went from being disaster recovery operations to being technology resilience operations.
So it's no longer this all or nothing approach.
Drex DeFord (2): When the culture is right, your people shift gears.
Shawna Hofer: Culture is huge. The idea of cybersecurity as a shared responsibility is something we've always said for years, right?
They started this concept of a cyber minute video. They're one minute videos from people in the health system.
acts my job, right? So these
Drex DeFord (2): And it’s not just big health systems on the front lines.
Rural communities feel these disruptions in a completely different way.
Aaron Heath: We've got quite a few clinics, freestanding emergency departments, some rural hospitals that, they do not have the greatest network connectivity in the world. And so we're working on a project to look at different things like satellite connectivity, to be able to maintain connectivity if they have an outage, somebody digs up a fiber cable or something like that, because there's generally not much infrastructure out there that can run out to them. And with how dependent we are on all of our technology today.
And in:
educate your workforce. A phone call or a video meeting isn't necessarily proof of identity anymore. And for healthcare, the risk isn't just dollars, it's also patient safety.
Drex DeFord (2): Even MFA — the thing we all thought was “good enough” — got outmaneuvered.
Drex DeFord: The crooks just learned how to trick it. They build fake websites that look identical to the real login page so that when you type in your info and approve that pop-up, you're giving them everything they need.
They just reuse your login session before it expires. So even that extra MFA security step doesn't really save you.
Drex DeFord (2): The takeaway of lesson one?
Cyber incidents aren’t IT problems.
They’re clinical problems.
Operational problems.
Community problems.
And when things break, your people, not your tech, determine how the story ends.
Act 2
Drex DeFord (2): So if people are at the center of the impact…
they’re also at the center of the solution.
This year’s conversations made one thing crystal clear:
Users aren’t the “weak link.”
They’re the
Chase Franzen: Inevitably they go, oh, you guys are the ones that send me the phishing emails. Right. And I think all too long we've kind of, we've laughed about that as, you know, as cyber practitioners, but that's not what they should be saying, right? That's one like itty bitty tiny piece of what we do.
Cyber education should be way bigger than phishing campaigns and teaching folks not to click bad links. So it should be fun. It should be year round. And it should be attention getting.
Drex DeFord (2): Security isn’t a blockade.
It’s a partnership.
Jim Bowie: One thing I wanted to focus on, to rebuild the image of the cybersecurity team where we're at and there were great people is add a little more empathy into the situation. Add a little more, Hey, we're here for you.
We're not just here to tell you can't do things. We're here to help you be better at home, be better here, and just be safer all around.
tch. The tools don't replace
if your cyber awareness strategy still looks like a once a year slide deck and some gotcha phishing, you're maybe not really building resilience, you're just checking a compliance box. So start small, go continuous, make it personal.
Drex DeFord (2): If we want to build resilient organizations, we need resilient people.
And that means empowering them — not scaring them.
Act 3
Drex DeFord (2): This year, one theme rose above the rest:
Identity is the new perimeter.
o identity as our perimeter.
That's the first thing that we look at in our research environments to make sure we do have things secure.
Drex DeFord (2): And the attackers?
They aren’t hobbyists in a basement.
They behave like coordinated, well-funded organizations.
Sahan Fernando: A threat actor actually wrote, this is how I hacked into a spyware company. And they walked through kind of a multi-week approach of, well, they started with something very esoteric where they put in a zero day on the external router. But then from there it was, well, here's where I looked at first from a reconnaissance standpoint. And then I found identities that I could compromise.
Drex DeFord (2): Modern compromise doesn’t look like someone smashing a window.
It looks like someone quietly adjusting your access behind the scenes.
Sahan Fernando: I think we really embrace the idea of we need to secure identity when we read forensics reports.
l all identity based attacks
Drex DeFord (2): And sometimes, they just sit in your collaboration tools…
listening.
Once you're in the middle of a cyber incident, organizations often take to Slack or Teams or conference calls to help manage that incident, but in this case, Scattered Spider creates new identities in those apps so they can participate in those calls.
They're quietly listening to your remediation activities so they can figure out how to sidestep your actions.
ble that you've onboarded an
Drex DeFord (2): Identity is fragile.
Trust is fragile.
And this year reminded us that without strong identity controls, nothing else matters.
Act 4
Drex DeFord (2): And now we reach the part of the story where everything gets weird.
Because in:you couldn’t trust your own senses.
We live in this world now where anyone from a bored teenager to a nation state can spin up hyperrealistic video content in just minutes. No studio, no camera, just a prompt like "Hospital CEO addresses staff about a cyber incident," and then boom, a fake video message that looks real enough to fool most people.
Drex DeFord (2): And AI hallucinations?
They weren’t glitches.
They were the model doing exactly what it was built to do.
the way that you and I know
They've been trained to predict the next word in a sentence based on patterns from billions of words on the internet. So it's like the world's most advanced autocomplete. And if the training data didn't have the right information, or if the prompt leads into a corner, it will usually still generate something, and that something might be totally fabricated.
The problem is that with these new browsers, we're basically training digital interns to do work for us, and we're giving them the keys to the kingdom, and we're not giving them a lot of supervision.
The top white hat hacker in the world is, for the first time ever, an AI bot from a company called XBOW. XBOW is a fully autonomous, AI-driven pen testing system.
The winning stats from HackerOne are pretty crazy. XBOW submitted over a thousand vulnerabilities. 54 of those were classified as critical. 242 were high. All of them, virtually all of them were actually accepted.
You
unless you rethink everything.
Act 5
Drex DeFord (2): And that brings us to the part of the story a lot of people miss:
Why we do this work.
Because for everyone in healthcare cybersecurity,
this isn’t just a job.
It’s a mission.
Mary Dickerson: It's neat to serve your community, and there are an awful lot of parallels between incident response that we do on an emergency management side and incident response that we do on a cyber side. So it's been fun to see the crossover between those two disciplines. They each have their adventures.
Drex DeFord (2): Leadership matters.
The tone comes from the top. But the community matters too —
Sahan Fernando: That idea of information sharing, the community aspect, is so, so critical in our sector, right? And we don't, we're not competitors. At the end of the day, we are all in this together for our patients.
sport. It's a business risk,
Drex DeFord (2): And finally, a moment that captured the feeling of 2025:
Drex DeFord: One of the things about Health-ISAC and obviously the 229 project too is this concept of community and that we're all stronger if we work together, and so the importance of those kinds of alliances and partnerships, those friendships really, like this whole fraternity, sorority, whatever we've got going on here, that you've got somebody that you can call in and lean on and learn from and work with when times are rough.
Drex DeFord (2): Yeah… sometimes it feels like we’re on our own.
But the truth is, we’re not.
We get through this by leaning on each other — by learning, sharing, and staying connected.
Because at the end of the day…
Cybersecurity is patient safety.
And the work you do every single day?
It saves lives.
Outro
ning to this year’s UnHack
And as always —
Take care of yourselves.
Take care of each other.
Drex DeFord (2): And stay safe out there.