Today: Hackers Target Healthcare Zoom Meetings
Episode 187 • 27th September 2024 • This Week Health: Newsroom • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today in Health IT, we are discussing hackers Zoom bombing and printing political propaganda at a hospital. Today's episode is brought to you by Omnisa, the first AI-driven platform enabling seamless, secure, personalized work experiences. Discover more at thisweekhealth.com backslash Omnisa. My name is Sarah Richardson. I'm a former CIO for several healthcare systems, most notably within HC and Optum, and now president of the This Week Health 229 Executive Development Community, where we host a set of channels and events dedicated to transforming healthcare one connection at a time. We have once again partnered with Alex's Lemonade Stand, and we've raised over $172,000 from our community in the fight against childhood cancer. Join us by visiting our website, and in the top right-hand corner, you will see the logo for our lemonade stand. Click on that and give today. For $500, you can join the exclusive Yellow Hat Club, which has over 80 members and is growing. Remember to share this podcast with a friend or a colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and the industry. They can subscribe wherever you listen to podcasts.

Okay, today, once again, we are discussing hackers Zoom bombing and printing political propaganda at a hospital. I'm joined by Drex DeFord, president of our 229 Cyber and Risk Community. Drex, happy Friday, welcome to the show. It's always so much fun, and I listened to you talk about Alex's Lemonade Stand and the Yellow Hat Club. For those of you who don't know, and this is funny, there was a bet that was placed, actually, we won't necessarily talk about why or what the bet was. We'll leave that as a mystery, and you'll be able to ask Sarah about that when you see her, but there was a bet that was placed, and it was said, "If you do that, I'll buy a yellow hat." And you already had a yellow hat. I have a yellow hat, but you bought a yellow hat for somebody else as part of that bet. It was a terrible bet. It wasn't an appropriate bet. This wasn't like midnight shenanigans around the White House when we were in DC, it was a moment. I'm like, "If I'm going to do wagers, I really need to consult Drex before I do that."

Or security lines. Maybe that wasn’t your best choice. However, the win was that somebody has a hat, and the lemonade stand has another $500. Our community is so incredibly generous. It's been an amazing thing to see. We just went to the St. Louis city dinner, the St. Louis city tour dinner, and then you did the Atlanta city tour dinner last night. And then, of course, the summit over the weekend. The amount our community has donated is just super generous. I'm blown away by how willing they are to be a part of this with us, and the great things that are happening with those donations to support research in childhood cancer.

I agree, and it's nice to have something so positive to talk about, especially when the news is less than fun, like hackers Zoom bombing your organization. This is not an old phenomenon. This is actually something that has been happening in organizations, and it’s getting press again. Organizations are increasingly reliant on digital platforms for community engagement. But a recent Zoom bombing at a hospital underscored the significant vulnerabilities that online communications introduce. It was a virtual health event, and hackers infiltrated the meeting, projecting offensive political propaganda instead of facilitating the discussion. The hospital administration condemned the attack and initiated enhanced cybersecurity measures to secure their platforms. What was interesting was the hackers also hacked into their printers and started printing political propaganda.

How do organizations keep up with the constant need to adapt their cybersecurity measures? Wow, that is like the most amazing question ever. It is difficult to keep up because part of the challenge is that the bad guys have an army of people working overtime. They’re highly motivated, usually financially, and there's a lot of money for them to make. On the downside, they're not necessarily held accountable for any of the bad work they do, so it’s a great ROI for them. We often find out after the fact, as investigations unfold, that some folks involved with ransomware organizations are perfectly nice individuals. They might have regular jobs, maybe even as cybersecurity professionals, and they have this side hustle. They're being paid in fractional Bitcoin, and they don’t ask too many questions. It turns out that the work they’re doing, like building some of the encryption code, is actually contributing to a ransomware product.

When it comes to Zoom bombing, this is a phenomenon that really kicked off during the pandemic. It’s an annoyance, and it's embarrassing. Some basic things to avoid Zoom bombing are using passwords and ensuring folks log in securely. Sometimes, it’s just about having someone with their finger on the button, ready to end the meeting or kick out the offending individual. This is often done just to disrupt and annoy. I don’t know if you’ve ever watched The Simpsons, but remember when Bart would call Moe’s bar and ask for names like "Seymour Butts?" This is like the Zoom version of that, although it can get bad quickly.

Here’s what’s so interesting about your reference to Bart Simpson and the prank calls. In conversations I’ve had over the last few weeks during these intensive events, often when doing cybersecurity readiness or incident response exercises, we tend to think of the most extreme scenarios. But maybe organizations should prepare for simpler scenarios, like a Zoom bomb of Bart Simpson asking for a prank name. That way, people can get comfortable with handling these smaller issues and build up their muscle memory for incident response. Most of the organization isn’t thinking about this all the time, so it’s a fun way to introduce training and protocols.

Odds are, it’s someone in marketing or communications dealing with it, not cybersecurity professionals. They’re probably not consulted before setting up these events. A lot of organizations put public announcements for community events on their Facebook page, inviting anyone to join with a link. Being more thoughtful about the process for public events is key. Helping individuals learn and practice better security at home will translate into better security practices at work. When people secure their own privacy and machines, it becomes second nature to notice potential threats at work too.

Exactly, and it’s also about managing the organization’s reputation. Helping your team strengthen vendor contracts and review protocols regularly, so they are prepared when real action is needed, is crucial. Staying a little paranoid can be healthy, as long as it's done with the right lens. It’s always good to go to folks outside your immediate team and ask, “What are we missing here? What’s the worst-case scenario?” That kind of preparation is just smart planning. It’s something I learned in my military days—bringing in people from the outside to point out what could go wrong is invaluable. Sometimes things went wrong, often they didn’t, but either way, you were more prepared.

Absolutely. Thank you, as always, for joining the show. You’re heading into the weekend with a 2-0 record for the Seahawks, which I wouldn’t have guessed. Unbelievable! I would’ve never guessed that we’d be leading the NFC West right now. Just remember, it’s only week two, but I’ll take it. This isn't going to go on forever, so let me enjoy it while it lasts.

Don’t forget to share this podcast with a friend or colleague. Thanks for listening. That’s all for now.
