How Can Healthcare Reduce Cyber Risk and Maintain Patient Safety with Proofpoint & Fairview Health

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Ryan Witt: When an institution can make a direct correlation to, I need to invest in my cyber security defenses so that I can meet my institution's mission of patient care, patient safety. I can adhere to the Hippocratic oath of do no harm. How do I do that if I cannot protect someone's data? How do I do that if I cannot safeguard my systems so when they need my care and [00:00:30] attention, they're there and available and ready to access.

Bill Russell: This is a solution showcase. My name is Bill Russell, former healthcare CIO for a 16 hospital system and creator of This Week in Health IT. A channel dedicated to keeping health IT staff current and engaged.

We're excited about where the community will take this channel. The Academy is about training. It's about training the next generation of health leaders. Here's where we're going to be launching our new show. It's called Insights and the show will actually take highlights from our last five years and break them into 10 minute episodes for your team and perhaps people who are new to health IT to come up to speed.

And we will be augmenting that with Solution Showcases and briefing campaigns that introduce exciting solutions in more detail. For more information on our other channels and where you can subscribe visit us at this [00:02:30] weekhealth.com/shows - S H O W S. Now onto the show.

Jim Brady: Yeah. It was a bit surreal thinking wow, we're finally back. And these are all the folks that we've been seeing year in and year out. It's good to see everybody in person and to hear kind of what's going on. It was awesome.

Ryan Witt: Was great to re-engage and it's a really good indication of we're all products of our environment. Right? So the attitude towards, how do you engage in these sorts of conferences? What the right sort of COVID protocols ought to be were very much colored by where you traveled from.

Bill Russell: I went from Boston to Philadelphia, to Florida, to San Diego and then up to Montana. So I think I did pretty much the entire cross section and it's interesting how vastly different we're still treating the pandemic across the country. I mean, even California was kind of surprising to me. There was really very [00:04:00] little in the way of mask wearing. Now everybody had to show proof of vaccination and whatnot but I, I expected California to be a little bit more like Boston. Boston was very a lot of mask wearing a lot of a lot of safety protocols still in place in the Boston market. So, very fascinating.

Jim Brady: You'll have to go up to Northern California Bill. Southern California. We're a little bit relaxed.

Ryan Witt: I'm based in Silicon valley and we are essentially, we are mask central. Masks are everywhere. So when I went to CHIME it was complete opposite sort of experience.

Ryan Witt: Yeah, I want to say it to your things hunky dory, and we have it licked, but it is the exact opposite of that. This is, I think maybe if I want to use an analogy, I'll use a sporting analogy and maybe you can reference, football as that is the sport that's top of mind right now, [00:05:00] given the season. Cyber criminals are essentially running the ball right now and they're going to keep running the ball until healthcare institutions can stop the run.

Bill Russell: It's interesting we're getting close to Christmas time and I started getting these emails, Hey, you've ordered this and blah, blah, blah. And I got three of them this week and I looked at it and they're getting more sophisticated.

And I assume if I start clicking on those things or calling that phone number, it's not long before they're asking me for information they're going to use against me. Is that essentially, how is it working the same way within healthcare?

Obviously there's a lot coming from Microsoft, some of the Microsoft exchange sites that are on at Dasher. So I think that the attackers are getting more sophisticated. One thing I do want to put a plug in for us, if an organization is not considered email isolation technology, I think that's really helpful because I know in my organization, you know, we're trying to get our users to not click as much on our simulated phishing efforts. And, that's kind of [00:07:30] like a never-ending battle. Cause they're, they're really busy. I mean, at this point, right now, we're in the middle of a mini surge so all hands on deck. We're in command center mode. And so, isolation technology, what it does is it allows you to open up any link or attachment in a incoming external email. If you can have that routed when the user clicks on it. So maybe it's a bad link. Like you're just talking about Bill, it'll open up container. So if it does get weaponized or something of that nature, it doesn't spread through the organization. I [00:08:00] think things like that are going to really help us out because we need to keep working on security awareness, but it's so difficult. There's so many emails, there's so much going on. It's really challenging to get people to realize that, hey, every email that's coming in is technically eligible to be a bad email. And so, people just are not thinking like that. So I think that's, something that we need to just be more aware of.

And that's a marked change from where we were just a couple of years ago, where for the large part, those were coming from spirious kind of URLs that were out in the wild are being generated by bots. And that still happens of course, but when you're being pointed to an exploit that lives in a legitimate file share [00:09:00] it's a lot more difficult for a couple of things. One is for your, your email gateway to make the determination that says this is a bad, malicious sort of, activity. Number two, it makes it much more difficult for your users to spot it's a malicious activity. So that is a way that the bad actors have compromised these fileshares into something that should be significantly concerning for us. And back to your point, Bill, when you think about what is the level of sophistication to the emails are coming in with. So, think [00:09:30] about what you received. Think about that in a business context. Think about that now, coming from a trusted partner, maybe a business associate, somebody you're used to dealing with thinking about the quality of that email being reflective of what you would normally have in your conversation with that partner.

Jim Brady: Yeah. And it's kinda subposition that it's almost impossible for a human that's doing regular work to, to be held responsible, to not click on a potentially malicious link because it's just, they're very sophisticated and to add to it many links and attachments will pass through the email filters because they have not been weaponized yet. So when they do come in and you click on that link, then it sends out a signal [00:10:30] to what's called a command and control. And then it downloads the malicious payload. So, how can you stop that? So I think that's where the isolation technology might be really helpful, but it's very difficult. We're doing phishing simulation testing. If I wanted to fool 90% of the users with a very sophisticated email, I can do it easily. So we're doing like basic obvious phishing efforts that are pretty easy give aways just to get people to start kind of at the foundational levels.

Bill Russell: So the tools on the one side are getting more sophisticated. Let's talk about the tools on the other side. And that is kind of a scary concept that I get an email with a link to our Office 365 fileshare. Which is valid, right? It's within our technically it's within our four walls cause it's within our cloud environment. And so now I need tools that are going to be able to look at not only on prem, but also into the [00:11:30] cloud, protect me from things that normally are trusted locations trusted in the cloud, trusted internally, trusted fileshares internally, and those kinds of things.

So I want to go about this in two directions. One is Jim, I'm going to ask you about how we quantify the risk and where we get the money to do some of these things. And Ryan, I want to start with you on the, if the tools are getting more sophisticated, the attacks are getting more sophisticated.

Some of these things are not going to be identifiable. So we need the technology. What are we starting to see in terms of technology to [00:12:30] detect the presence of those malicious threats within our environment, both in the cloud and on-prem?

D mark [00:13:30] protocols, et cetera. So the solutions are available. And I don't want to make this only about technology sort of solution, but technology is a big part of the step forward, because I think you just can't train your way out of this, or you can't put enough processes in place to get yourself out of this? The technologies are available. Healthcare has got to make much more focus on putting those technologies and in place. And I know you're going to go on to where do you get that money? How do you get that funding? And I think Jim's got a [00:14:00] point of view here that I want to get to, but where we see their success from that.

And when an institution can make a direct correlation to, I need to invest in my cyber security defenses so that I can meet my institution's mission of patient care, patient safety. I can adhere to the Hippocratic oath of do no harm. How do I do that if I cannot protect someone's data?

Jim Brady: So I think we need a combination of, we need the technology, but as everybody knows, technology is not the answer, just technology alone.

So now we're seeing major health systems down for a month or three weeks or something and millions of dollars daily being lost, that's sitting in the bottom line. So, so I think it's really important that, that the top down from the leadership, the board, the executives, that there's ownership, that this is a problem. It needs to be imperative. And so my organizations aren't experienced one of the [00:15:30]strategic imperatives that's woven in there.

And so just being aware of that. It's just kind of like having the neighborhood watch, in your neighborhood somebody can break in, maybe you live in a safe neighborhood, but it's possible. And so it's just being aware of it. I've already seen an increase in reported malicious activity.

Bill Russell: So, so Jim it's interesting being at CHIME and hearing the number of stories. So we, we heard the big brief stories we hear about. They're the news they're written about. And I think that has breached the board. It's reached the CEOs. And as you, as you mentioned, I mean, shutting down the health system is something that catches everybody's attention for 30, [00:17:00] 60 days, ish when these kinds of ransomware attacks happen. How do you, if you're going into the board, let's say next week, how do you quantify the cyber risk in order for them to understand it, get their arms around it, maybe even quantify for your team so they can get their arms around it so that you can, you can ask for the right amount of funds to do the things that you need to do.

So, it all starts in my opinion with getting that risk assessment. That's going to give you your foundation, your baseline, w so we're using the NIST cybersecurity framework. They have a, they have a maturity scale on one to five. And so, if you don't know the state of your organization [00:18:00] from that perspective, and that looks at people, process technology, then you really just, you're going to be talking to hot air so you want to make sure you have that assessment. And then it is possible to look at the high priority gaps that you're going to find. And then what's the likelihood of them occurring. What's the impact? What's the all that financial volatility that if that does happen from an actuarial perspective, like what the insurance companies do.

They'll be able to relate to that because they are seeing in the news that there's health systems that can't collect revenue because their businesses impact.

You sorta look at that and you go, okay. They're roughly a $3 billion health system, 30 day outage, roughly a diversion and whatnot. That's $110 million. It's that kind of quantification, isn't it?

Jim Brady: Yeah. So if you have the ability to engage a firm that can help you get those numbers. Either add up all of the individual ones to come up with a big number or just, maybe take the top five and say, Hey, we want to do these top five.

Then there is money. Otherwise we're not going to be able to cap labs are going to have to stop a lot of the things that are going to generate revenue. So it said balance. But I think it's just given. The board and the leadership the tools, the [00:21:00] details so that they can make the right decision on how much should we invest in cybersecurity to address a potential loss versus not knowing it and all you give them it's like, well, we're a 2.5 on a one to five scale that, that doesn't necessarily resonate with them. And then I often get asked at every board meeting Jim what percentage of risk are you reducing each quarter? So, how do you, as a leader, come to your senior management and be able to quantify that, [00:21:30] Hey, we've just reduced it 10%.

And that's good, so there, there is Monte Carlo simulations, there's Bayesians and Alice's model. So we're not getting into all the details. I'm not a statistics person, but insurance companies have this down. They do this, they've been doing this for many years. So it is possible to engage, to get that level.

And I think if we could start, just approaching in that direction, I think we would have a lot more support, and we get more business by

Ryan Witt: I f you want to use your phrasiology, if you're fighting the ransomware battle, you're fighting the wrong battle. Okay. All right. If you're fighting the [00:22:30] ransomware battle, the likelihood of, of a bad actor being in your network, having an understanding of your environment setting up some sort of command control sort of environment is, is pretty high.

Okay. I mean, Punymon has some data around this saying that bad actors in your environment or in your network for up to six months before being detected. Let's say, Punymon data's wrong. Let's say they're wrong by 50%. Let's say it's only three months, but they're still in your network for three months, right?

Or in this case, your network. So you need to work, my argument would be, you need to work in very, very strongly to keep people out of your environment, [00:23:30] to keep people away from getting credentials. User credentials is the Nirvana state. It's what everybody is trying to get to. And they's so valuable because it offers, it unlocks parts of your sort of network and your environment, your kingdom, that they do not use that data lightly. They want to make sure they are able to exploit it when it's most beneficial for them to exploit it. So when they can maximize their ROI.

Bill Russell: Jim, are you finding that a majority of people have dual factor authentication and is that enough [00:24:30] protection or is it, do we need more than that at this point?

That's very high priority. So I think I think we're okay in it but I don't think we're anywhere near, like our internal applications cause many of them are legacy. They don't support MFA. A lot of us do not have MFA on all of our applications. We're just, we're kind of focusing on maybe the cloud [00:25:30]based ones like Office 365 or you know G suite etc. So I think that's a big area of opportunity, there's a, I'm trying to think of the animal, but let's say a turtle. I'm not sure if a turtle has a soft underbelly, but you know, it we want to make it difficult for people to not get in, but it's like ants in my house.

We can't just think that we can just block everybody from coming in because they're, as Ryan said, they're going to sneak [00:26:30] in. And then once they get in, if they're allowed to have stayed for a couple of months, they have the ability, I guarantee you at most organizations to go undetected, get with a regular account.

They could probably get a high elevated domain access if they're, if you're not using that privileged access management. So, so anyway, lots of things you can do, but I think just those two things kind of popped up.

But like if you have any sort of connection to your credential and environment, maybe you're in an IT [00:27:30] support function likely to have you being attacked. That's been exponentially higher. If you at all work in your supply chain, if you're working with your business associates, you have access to, to funds or you could approve funds, or you can help authorize who gets funds. You're being attacked.

And I would think that's the kind of usable sort of action that somebody could take away from this sort of conversation and say, yeah. Okay. I can, I can work with that.

Jim Brady: Yeah, and actually that's what happened to my organization. We had meetings with the CFO because of some of our third party portals, that there were attempts to phish and get their credentials or just use social engineering. We even had an attempt to call the help desk, see if they could change our multi-factor authentication number so somebody could get in. So, we're definitely. We're definitely seeing the attacks so just sharing that, sharing the attempts that we we do have some technology in place where we can [00:29:30] proactively look for fraud.

And so, having the CFO see that, understand it, and then we realized that, that, Hey, there's some things on the process side that the business needs to look at to also participate in a secure things and reduce the risk. So in other words, what's the process to change a routing number and bank account, et cetera.

And so those are things because, you know, you're, you're subject to losing thousands, if not millions of dollars, because it's really easy to just click a button, but we can't trust, it's a little bit like the zero trust. You really have to not trust everything and not trust, but verify. I think some folks have said. So anyway, so we're having those conversations, they've changed their [00:30:30] processes so that so that we can be more secure and have more gates in place to check to make sure that things don't happen.

But then we have the much [00:31:30] smaller health systems which have to protect against those same areas. Maybe not research, but they have to definitely protect supply chain and the security credentials, and they can be shut down just like a large health system actually, as we've seen over the last year.

I don't want to go into the detail, but they were world renowned in one of these areas of study. So once you actually looked at the detail and who was being attacked, sure the resource organization was particularly being attacked by bad actors, but this one Institute, one of their six had like five times more attacks than all the other research institutions combined.

And like that's where their attacks were. We see this time and time again. It's not a coincidence, right. They understand where the monetizeable activity is and they're putting their efforts there. And so that's, it's not only just about say research sure. [00:33:00] That's one of your four houses would be the research.

But in this example, there was actually one particular Institute that was getting exponentially way more activity. So when you have that level of insight about what is the threat landscape for your institution, it helps you a lot to go place your controls.

Ryan Witt: Not to be in a really provocative at the end of the conversation but I'm, I'm glad the meaningful use era from a cyber standpoint is consigned to the dustbin because they pointed us in the wrong direction from a compliancy standpoint. And we didn't allow us to go tackle the security. problem.

So human error, human error but they're getting in, but their architecture was such that the the incident was contained. It was contained [00:34:30] within a, within a spot. And so the two things I'd love to hear you comment on is how do we minimize the human error potential? And then the second is how big of a role does architecture play to minimizing our exposure to a full-blown ransomware attack?

How many of us can say that we have all of the security systems that we spend a lot of money on that they're running at a hundred percent or 95%. So there's so many basic things. All, I think that that we are not there, we could just look internally and not spend another dime and just get what we've got fully utilized.

They're focused, they're targeted, as Ryan mentioned, they're doing their research, but we're not, we're not in healthcare you know we're underfunded in many cases. We're not doing any research. We're not even using what we've got. So I think looking at a, there's a thing called the MITRE kill chain, there's concepts called the red team blue team purple team.

So I [00:37:00] think it's being smarter, looking at those basic requests that we have to do. And then taking the team that you do have left and then making them a little bit more like the attackers where you have the red team you're hunting, you're looking every day for anomalies, where you've got the blue team, that's looking at making sure all the systems are up and running.

Bill Russell: It's interesting. I Interviewed a CIO for a health system that did go through a ransomware event. And he said in order to get reconnected to his community connect partner and whatnot, he had to get a hundred percent patched. He had to verify he was a hundred percent patched. He said, it's the first time as a CIO for the health system, that he thinks that they were a hundred percent patched.

And I guess is there, let me ask you this way. We always talk about people, process and technology. It's the age old where should I, if I gave you, I dunno, a million dollars. What percentage am I spending on people? Process and technology. I mean, is it, is it 30, 30, 30? Is it 30, 20 10? So people, process, technology.

Jim Brady: We're going over our budget now anyways, so timely question. So I'm just thinking of our numbers that staffing with FTEs, it's a little expensive if you're going to, you want to keep the higher end people on your staff and manage services and particularly if you're looking at outsourcing or strategic sourcing. That actually is very valuable. You can get lower rates for, let's say a cyber [00:39:30] security operations center where they're kind of looking at everything.

So I would say it's about over 50% for sure on the staffing component. This is from an operational, like all of the money that you spend, operationally, of course.

Those of you guys that are in health systems that have to go through the CapEx optics dance. There may be some technologies that you have to put in that will bump up and exceed your staffing.

If somebody slips through one tool, then you should be able to catch them with another. But if you don't have time to be looking detecting in your you're busy, just fighting fires, and most likely you're going to, get hit and chances are you maybe like I listened to the Sky Lakes YouTube video.

So there's things that, there's things that we just have to be spending a little bit of time on to protect. We can't assume that we can just go to backups because there isn't a way to get around those. So, yeah. So that's my thoughts.

Bill Russell: Wow. Ryan, people, process, technology. Where are you investing the million dollars I just gave you?

Bill Russell: There's a lot of truth to that.

So I'm not trying to say it's all about technology, but there are some easy wins out there. A multi-factor is still not as broadly deployed as we like it to see it be. Micro-segmentation which is something I think maybe you referenced a little bit earlier, bill about they were able to containerize that ransomware event.

I just want to, [00:43:00] maybe we need to rethink our expectations, our attitudes towards the whole way we look at our, our IT architectures with the idea of getting much closer to that hundred percent sort of patching.

Ryan Witt: You know, I've heard a few, a few CIOs say to me very recently, like we're seriously considering self-insurance right now because of the the level of work we have to do to, just to adhere to the, to the policy sort of questionnaire.

Bill Russell: And that, that makes sense. I mean, one of the people told me when the event happened, they read their policy and [00:44:30] the insurance company came in and essentially, put the tape around the site and said, do not disturb touch their systems for I think it was 48 hours while everybody's sort of descended, looked at the environment and determined all the things that they were going to do. So they, I mean, just flat out we're down for 48 hours before they could do anything.

Anyway, because they're talking about doing all the things that Jim and I had been talking on this call, like making sure you have your investments in your, in your technology and your processes, you have the people in place. And if you did all that stuff, you probably, I'm not saying you don't need cyber insurance, but it goes a long, you would have solved a lot of your problems anyway. Cyber insurance would kind of there to address.

Ryan Witt: I think don't let up. I mean we are at a long sort of runway of unprecedented level of cyber attacks that just not going to dissipate until we as industry find a way to keep the bad actors that day. For the most part, they are attacking your people, your people, your most vulnerable sort of asset in your environment.

Not because it's good for your brand. Not because OCR says you have to, you don't want to be on their wall of shame but because it helps you deliver against your mission.

Bill Russell: Absolutely. Jim, you get the last word.

I think we're kind of having to go back to that. So I think we can because now cybersecurity is an organizational risk. It should be an imperative. I think we need to give it some focus from a risk [00:47:00] management perspective. You know, it talked about if you can quantify it, that's great where there's we've got to get the board and the senior leaders to buy in to own the success or failure of risk management.

So I think that's key to doing it from the bottom up. This is going to be really difficult or we'll s ruggle and so I think, the best way is to get, get that top level buy-in. Second thing, we didn't talk about a ransomware readiness assessment. So those are things that you can do to say, Hey, I I've done my risk analysis.

They need to know what they're supposed to do. What does the CEO is supposed to do in the first 24 hours. Or about the next 48 hours. So you have to have a run book. Many organizations have not gotten this far, so if something catastrophic was going to happen, like the case of that one [00:48:00]organization that all they had were cell phones and Cisco WebEx, I think that was all they had to communicate.

That's called mayhem. And, we can be prepared. So it's just doing a little bit of emergency preparedness. So I think that's important. We didn't talk much about third party risk management. A large percentage of our breaches, et cetera compromises do come from our, our business associates.

They're using our systems, et cetera. So it really looking at those entities and assessing the risk and then making an intelligent decision I think would be helpful. So there's a lot of organizations I think that, that are like that. That could, that could stand to get that improved.

Jim Brady: To your point though, there, in addition to M and A's many organizations are constantly adding new organizations or they're selling or doing various things. So I think it's, there's the big mergers. And then there's the small, the spring of this home health organization lets get rid of half of them whatever. And so I think that, but I think those are areas we can focus on also.

Jim Brady: Thanks Bill. Appreciate it.