Prevent Email Attacks and Gain Visibility into Threats Targeting Your Healthcare Organization
Episode 523 • 3rd August 2022 • This Week Health: Conference • This Week Health
Duration: 00:36:15

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health: I think that we are uniquely positioned in healthcare to just see a wide variety of attacks. PHI is among the highest, if not the highest, valued record on the dark web. Healthcare is a virtual treasure trove. It attracts the full gamut of attackers. And we certainly see that every day.

Welcome to a solution showcase. We're gonna have a cybersecurity conversation today with Sharp Healthcare and Proofpoint, and we're gonna be talking about the increasing sophistication of these attacks and how personal and pointed they are getting. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged.

You can subscribe wherever you listen to podcasts: Apple, Google, Spotify, Stitcher, Overcast, you name it. We are there. You could also go to this and subscribe there as well. And now on our show.

All right, here we are today. We're gonna do a solution showcase and I'm excited. We're gonna talk cybersecurity, and specifically about some of the challenges that are facing health systems. And to go in depth with that, we have Chase Fran, CSO for Sharp Healthcare, and Ryan Witt, Proofpoint healthcare strategist and all-around cybersecurity expert. Gentlemen, welcome to the show.

Hello. Thanks. Feel free to be

I'm looking forward to this conversation and we will get into the topic, don't worry. But Chase, I do want to come back to something we talked about just prior to the show. I was looking up some information on you and saw that you're an avid pilot. I assume that backdrop we're looking at, you've already flown over that backdrop, probably a handful of times.

ent airplanes, but I've got a:

Yes. So cybersecurity and flying, they go together, or?

I think they kind of go together. I will say that flying is an art and a science together, right? The intersection of the art and science is kind of what I think is really fascinating. So cybersecurity, I think to the extent that we can boil it down to a science, it's prudent to do so. And flying, there's a piece you just can't get to science. It's all about feel, especially in the older airplanes that I like to fly, the kind of wartime airplanes.

And so I think there's a lot of similarities, but I think it's also a really cool respite from the super busy, crazy, zany, stressful cybersecurity world. You get up in the air and nobody can really bother you up there.

One of the similarities I saw: you're a flight instructor. So I saw one of your videos and it was a tabletop exercise, essentially. You had set up the whole cockpit right there and it was like, all right, we're climbing, and what are you gonna do? And it's, I'm gonna do this, I'm gonna do this. And it was essentially a tabletop exercise.

You're gonna lose altitude, this engine went out, what are you gonna do? That kind of stuff. So I can see the similarities. I can see how it comes together. I just wanted to talk about that, 'cause it's just fascinating to me. Ryan, I'm gonna start with you. We've talked about this, you and I have been on the show a couple times, and it's hard to imagine a more complex and dense information ecosystem than healthcare.

At this point, petabytes of data flying around. We have many, many applications, we're moving to the cloud, we have a regulatory environment, sometimes vague in its definition of things, we have an M&A environment. We have so many things going on. What would you say are the key vulnerabilities in a large healthcare system?

I mean, I think a couple of things here. One is the fact that it is so complex is not lost on us. It's not lost on the people who are on this call, but unfortunately it's not lost on the cyber criminal community either, right? So they're used to operating in this environment and they maximize that or exploit that to their advantage.

And this is where we really see a lot of social engineering come to the fore. So by the time you or your team, or somebody on this call or their team, receives those sort of phishing-type emails, there's a lot of reconnaissance and investigation and due diligence that has gone on behind the scenes, making sure that they know the right type of email to send to make you interact with their exploit.

And I don't mean to jump too quickly to email being the threat vector, but the reality is credentials is kind of the Nirvana state. If you can get somebody's credentials, you have a foothold into the health system. You have, in most cases, a strong amount of discipline from the cyber criminal community to say, okay, I now have this foothold, I'm gonna be patient.

I'm gonna make sure I understand the lay of the land, and I wanna understand how to best maximize or optimize these credentials. And so they will do their best to go figure out where this person sits in the hierarchy, how they can move laterally to get into other systems, what types of systems might be most vulnerable to attack, what types of attacks or exploits should be sent their way. And so, boiling all that up and going back to the question, the most vulnerable part are people. People are being attacked, and generally the motivation is to get credentials into the environment. That is kind of the number one focus of most cyber criminal organizations.

I was kinda surprised. I have an eight-person company. These people aren't lazy. The cyber criminals are not lazy, and we shouldn't put 'em in that category of some slacker sitting in whatever. They're well funded. They're extremely smart. Eight-person company, and we had a series of emails across a two-day period of time to each one of my employees. It was a different email targeting different aspects. Some were looking for credentials, some were looking for them to transfer money, and they all originated, they spoofed my email address, right?

It didn't actually come from me, but my staff saw it as if it came from me, and they are getting much more sophisticated. Chase, as we look at this, are you seeing a growing level of sophistication, or are you seeing the same attacks still coming that we saw a couple years ago?

So I think it's both, actually. I'll preface kind of this whole conversation with a little bit of context that I think is important. This is the only healthcare job I've ever had. So I came from mostly a banking and finance background, and I think that's kind of an interesting perspective to have coming into healthcare. It is not a trade secret to talk about the fact that healthcare is behind other industries in the world of cybersecurity. In many places, far, far behind.

So I think that we see both types of threat actors. We see the ones that are growing in sophistication, that research the heck out of our organization, that know exactly who they're going to target, who they're gonna attack, how they're gonna attack, who this person is in the organization hierarchy, to Ryan's point.

They do more reconnaissance and research than our HR department does on hiring somebody. But then we also see the spray-and-pray attacks, I think primarily because, again, healthcare historically just has a fairly low sophistication with fighting cyber activity.

So I think that we are uniquely positioned in healthcare to just see a wide variety of attacks. PHI is among the highest, if not the highest, valued record on the dark web. So we see hackers that try to take advantage of that. We have PHI, we have PCI, we have lots of disparate legacy systems. Healthcare is just a virtual treasure trove. And so I think it attracts the full gamut of attackers. And we certainly see that every day.

Plus they're billion-dollar companies as well, right? So there's money flowing in and out from business associates and whatnot. As I think about this, the attacks are getting more personal. I guess we're calling it people-centric, but they're getting more personal. It's like, hey Chase, just saw you got back from vacation, and this is coming from a hacker. So what do you think? Hey, this is somebody who knows I was on vacation.

Now, they just did their research. They called your phone, got your out-of-office email, or that kind of stuff. And now they're coming back with a much more personal email and addressing things. Or, hey, I saw you at a conference, because they're reading those articles where you speak at a conference and those kinds of things.

And that's happening across the board, isn't it? Are we seeing certain departments more targeted with these kinds of things, or is it broadly applied?

I mean, from my perspective, yeah, heck yeah. We are seeing the obvious departments get targeted. So the accounts payable department, HR, other areas in finance. And I think, Bill, to your point, I have seen attacks in the last month where it's not just reading LinkedIn and seeing that you were at RSA or seeing that you were at CHIME or whatever. But, you know, the attackers are going to Twitter, going to Instagram, going to social media, going, not unlike you did:

Hey, Chase, you're a flight instructor. I saw this posting that you did on this social network. So certainly I think the attackers are getting not only more sophisticated but, I agree, more personal, and are using all available means that they can to appeal to kind of those, I don't know if you call 'em heartstrings, but the personal side of interaction. And yeah, absolutely, to the extent that they can figure out that certain areas in our organization hold certain keys to the kingdom, absolutely those groups are targeted.

So, Ryan, I wanna come back to you and say, what are the key data threats? What are the key threats right now to patient data today? Where are they coming from?

I think I look at a couple of things. One is we've moved into a realm where these are, for the most part, cyber criminal organizations who are launching the attacks. And so they, for the most part, are financially oriented.

So they want to focus their attacks and their efforts on anything that can be monetized. Okay, that doesn't mean there's not hacktivists out there, people with an agenda or whatever, disgruntled employees or whatever, but for the most part, the lion's share of the energy is about something that could be monetized.

And then, building on Chase's point a little bit here, we definitely see various job functions or various departments being much more heavily attacked. And I think the attributes I would point to, to look out for, if someone's maybe listening to this webinar and saying, okay, how can I apply it to my organization: if you have somebody in your organization that has a high-profile nature to their job, either they're on your board, they're active on LinkedIn, they're a noteworthy oncologist, surgeon, whatever their discipline might be, anything that puts 'em in a public profile, that means that person is probably much more heavily attacked. Even if that thing is maybe somewhat obscure, like a CISO who also is a flight instructor, right? That's not necessarily a connection you would make, but that job or that hobby puts them, in this instance, more broadly in the public spectrum. So that's number one. If you're in the public profile, you're gonna be more attacked. Number two is if it's deemed that you work in a vulnerable way. So just the nature of your job means you have to go download files, or you have to interact with third-party suppliers.

You have to interact with the cloud. You have to authorize payments, download resumes, whatever it is in your job that means you have to go interact with the web, you're going to be more heavily attacked. And then lastly, if you're somebody who is deemed to have access to valuable resources. You have access to passwords, network credentials, network systems, banking codes, banking authorization, bank accounts, et cetera. If you have any of those things in the makeup of your employee, of your department, you're more heavily attacked. If you have more than one of those, then you are definitely much more heavily attacked.

And Chase, I'll come back to you and say, how can you protect your organization when the attacks are focused on specific people? I was at an event, I think it was a CHIME event, and a bunch of security officers were up front and they leaned really heavily on education.

And I remember leaning over to my sister, who was sitting next to me, and I'm like, if that's their only strategy, we're in trouble, because people are flawed and we make mistakes all the time. So I mean, how do you protect your organization?

Yeah. I mean, it might seem a little bit obvious, but defense in depth. I mean, I think education is super important. It always has been, it always will be. But to your point, Bill, I think if you run a phenomenal education, training, and awareness department, and you can reduce the amount of inappropriate activity, measured by maybe clicks on a phishing email simulation, from 20% to 5%, right?

That'd be phenomenal, but 5% is still a crap ton, right? That's a lot of clicking. So you've gotta have a defense-in-depth strategy. It's people, it's process, it's tools. There are certainly tools out there, like Proofpoint, that do a phenomenal job of culling the amount of junk that people see.

And I agree with Ryan's point that he made earlier: email is our number one threat vector. That is no secret. So if we think about email specifically, a product, a tool like Proofpoint does a phenomenal job of reducing the inbound email attack surface. And then if something gets through, it's a great incident response department, right? It's being able to pick up on anomalous activity. It's relying on users. Maybe you still have that 5% click rate where you've still got users that, whatever, they're busy or they're not trained well, or they inadvertently click.

Well, if somebody recognizes a bad email, for instance, and reports that, well, that is a metric that we care more about than somebody clicking on a bad email, because the more people that report a bad email, the better telemetry we have, and the quicker that we in our security operations center can respond, look at the threat, and remove it from everybody else's inbox, hopefully before somebody clicks on it.

Again, back to kind of Proofpoint, or tools like Proofpoint, being able to sandbox threats or potential threats, come back and say, hey, that actually was deemed malicious. Oops, we missed it. By the way, these folks had the message delivered, these folks clicked on it, go do something about it. So I think it's perhaps obvious, but this is a problem that we obviously need to solve with not only training, not only tools.

Right. It's also incumbent upon us to have really, really good playbooks that we can execute on in our incident response program to very, very quickly triage events and hopefully mitigate these things before it becomes an eviction process.

So Ryan, how is a people-centric approach to cybersecurity different from existing approaches today?

The big difference is having the knowledge and the understanding, very precisely, of who is being attacked. So having some data or a tool, Chase alluded to this already a little bit, that gives you insight that very clearly understands who within your environment, who within your departments, are more heavily attacked.

Most healthcare institutions I engage with cannot plug all their security holes. They would love to. But as Chase kind of already alluded to, healthcare is way far behind; again, not a trade secret, I think you referred to it as. So you have to go, there are some trade-offs.

You have to place your security bets. I would argue that one of the places that you should very much focus on is understanding where the attackers are attacking. There's a lot of sporting analogies here. We just concluded the NBA playoffs, and the Warriors are really good at the three-point shot.

So if you wanna beat the Warriors, you gotta defend against the three-point shot. If you wanna defeat cyber criminals, you have to defend against where they're attacking. So if you have insight about where they're attacking, say the attacks are going into, let's say you have a strong research component to your institution and the nation-state actors want that sort of IP,

and those people are being attacked. That's where you need to layer in your defenses, and you need to put in things like sandboxing, or what we call TRAP, threat auto-pull, so recognizing that a malicious email was delivered but pulling that back out, or isolation technology that says, you know what, we're gonna containerize everyone's email or web engagement within this isolation or containerized environment.

So there is no sort of risk of seepage at all. Nothing can link out. Or we need to put together a data loss prevention sort of strategy for these people, because we know that they're much more vulnerable to attack. So you probably can't do that for all your institution. It probably would make sense to do that for everybody,

but you probably don't have the budget or the resources to do that for everybody. But you can make those layers much more pronounced, but you have to understand who's being attacked. And I think that goes back to your question of how's people-centric different: it's having that knowledge and understanding of very precisely where the cyber criminals are active.

In healthcare, we keep talking about personalizing healthcare, delivering based on genomics and that kind of stuff, but you're almost giving us the DNA of the attacks. So we're able to go, hey, you know what, for research, we're gonna do this education. What we used to do is we used to just have this broad-level computer-based training for cybersecurity, and there's level one, level two, level three, and we would just push it out across the entire organization.

But now we can get very specific with the education and the tools that we're going to layer into different departments. So we don't necessarily have to buy an enterprise tool for everything. We can actually be more targeted. Am I getting close? Am I understanding this?

I think so. Yeah. And I'll let Chase play in here, but yeah, if you're a CISO like Chase, you have this whole menu of options available to you, from what are the right layers. And so you have to make that selection about what is the right layer versus what the attack is that's facing somebody. I mean, Proofpoint would prefer Proofpoint menu items are chosen, but you have to make the ones the best options for that environment in question. So I think that kind of personalized healthcare, or personalized cybersecurity defense, is maybe not a bad analogy.

I totally agree. I mean, we've already said it here, but, you know, we have an incredibly limited budget that we get to play with. I unfortunately can't go out and purchase the best point tools across the entire ecosystem and an army of engineers and analysts to support it, and the architects to put it all together.

I wish we could. But the reality is we just don't have that capability. So like anything else, we have to analyze our environment, our business, our departments, our people to figure out where we have vulnerability, where the attackers are going after, and then we plug those holes in the dike and have that be part of our kind of broader information security program maturity.

So as a specific for instance, back to kind of departments: attackers aren't stupid. They're gonna go after, right, our accounts payable departments. We know that attackers are gonna go find people with specific job titles on LinkedIn or ZoomInfo or whatever.

And they'll go after those folks. Again, I agree with Ryan that these are usually financially motivated attackers, but they're gonna go after them via a lot of business email compromise types of attacks. Like you talked about, Bill, an attacker that'll come in, figure out maybe some of the supplier relationships that Sharp has, because, by the way, that's not hard to find either. You can go look at some of our philanthropic partners, some of the foundation events that we've had, and see who and what companies, what suppliers, are donating to.

Just go to the, yeah, the golf tournament and look at

That's right. Go to the golf tournament, and all of a sudden, as an attacker, you've got a hundred different targets that do business with us that you can go after and try to masquerade as, or find a vulnerability in their system.

And then come in via a third-party compromise or a business email compromise attack, and change one letter in the email and masquerade as the president of this company. And, oh, by the way, could you cut that $25,000 invoice that you owe us? So totally agree that we have to use our dollars in the best kind of highest-use position that we possibly can.

And I agree. I mean, it starts with understanding our attack surface from a people perspective and applying our investments at that level.

All right. So one of the questions I talk about is exfiltration. So Ryan, I'll come back to you. At some point they're actually taking some aspect of data or some information that's gonna help them to either get money, ransom, you name it, whatever their attack happens to be. How are they exfiltrating the data, and how can we protect against that?

I mean, it kind of depends on what their motivation might be. If they're trying to go steal IP, that's one form of exfiltration. If they're just trying to redirect payments, trying to intercept the payment, that's a different form of exfiltration. If they're trying to go steal PHI, I'm not sure that's the motivation these days as much as it used to be. But you have to kind of, there's a situation that it will depend on. Then I think you look at what are the tools you could put in place to mitigate against that.

And then data loss prevention technology is the one that we would favor a lot here for exfiltration, because it can start looking at behaviors that are not normally associated with that person in that job role, or can look for keywords, key phrases, key numbers, et cetera. A whole range of triggers that can set off an alarm or a policy, and that policy then can do something.

That do something can be monitor. That do something can be stop and block. That policy could remove that piece of data, that file, from the email, et cetera. But the point being is having that ability to survey the environment, draw some conclusions about what might be happening, and then have those policies in place that essentially stop that behavior.

It's interesting to me. I mean, we talked about the sophistication of the attacks and how they're getting personalized. But the attacks are getting different in their approach. And we used to measure the attacks by how many records were lost and that kind of stuff.

But the attacks can be measured in a lot of different ways now. And we have these tools that we think are essentially for us and our teams to function, SharePoint being one of those, right? So you have SharePoint sites and you're sharing information amongst the team and whatnot. But if they get credentials, they get into those SharePoint sites, and that's sometimes where information is being stored to facilitate transactions and facilitate communication in certain workflows.

It's weird, but it's even worse than that, actually. I hate to interrupt, but it's even worse than that. That becomes a place where they launch attacks.

They can launch attacks from, like, the centralized portal.

Yeah. And those are the ones that tend to be pretty impactful. I mean, Chase, correct me if I'm wrong here, but if you are an employee of a given health institution and you see some sort of communication coming from your legitimate, let's just pick on your SharePoint here for a second, SharePoint instance, and it's asking you to do something or asking you for credentials or sending you a document with these malicious links out of it, you're much more inclined to interact with that document because it came from your official SharePoint portal. So yeah, that's where it really starts to have a huge adverse impact on an institution.

shared a file with you. The:

Let's close this out by looking into the future. And the future could be six months to a year away in the cybersecurity world, 'cause things... Ryan, you and I had a conversation during, well, it's still during, the Ukraine conflict and war, as we would call it. Man, the escalation, the things that were happening early on in that event, in and around Ukraine, but then eventually into the US, were pretty significant. So I'm not discounting that things could change within the next week or two weeks. But when you look out, what are you most concerned about that's next from a cybersecurity perspective, and what do you think the approach might be to dealing with those threats?

I've got some thoughts.

We'll start with you, Chase.

Yeah, so I mean, I think that on the horizon for me, the attacks are only gonna become more and more sophisticated. As healthcare has been a follower with the move to complete kind of cloud enablement, cloud first, as we move as an industry to more and more cloud, to more and more kind of platform plays, I think, to the point that we just made, it gives attackers a platform to operate from. They're only gonna become more and more sophisticated.

So I think there are some obvious things. We keep talking about attackers getting credentials and then it being game over. Well, that shouldn't be possible. There should not be anything that is accessible to the internet without multifactor authentication. But then, speaking of authentication, this idea of zero trust and the security truly being at the identity of an individual: we've got to get our IAM correct. We've got to get identity correct. So I'm thinking right now about what is the future of passwordless. How do we get passwords out of the hands of users? Passwords are just crap. I mean, nobody likes them.

It's kind of archaic. It goes back so far. You would think it would've been replaced by now.

Yeah. So how do we enable a beautiful, elegant solution for our users, for our employees, for our customers, that doesn't depend on passwords, that is easier to use, that is more secure, so we can ensure that as somebody joins our ecosystem, they are kind of who they say they are. And then, as a person is inside of our ecosystem, we need to ensure that their posture doesn't change ever. So if the user gets in and all of a sudden starts doing weird things that they've never done before: they come to work at the same time, same place every day,

same IP, open up their email and then Google Chrome and go to these three websites. And all of a sudden they come in and they open up SharePoint and download gigs of data. Well, that's weird. We gotta be able to pick up on that and do something about it very, very quickly. So I think that, to bring it back to the concept that we opened with, the attackers are only becoming more patient. I think what we've been seeing is very, very financially motivated attackers that want their payday immediately or very, very quickly. So a lot of times they have a propensity to screw up and give us telltales, because they wanna operate quickly.

They want their payday quickly. I think we're seeing that change to a lot more patient attackers that might go get some creds from the dark web or a phishing attack, and then may try to figure out what MFA systems do you have, where do you not have MFA deployed, try to get a foothold and be very, very patient.

And I think that's where I see the future of healthcare cybersecurity: we're never gonna patch all the holes. We just aren't. And if you think about healthcare, our job is to have open doors to the public to come in and be served. So we've got holes. We can't just have a castle-and-moat strategy. So we've got to be able to detect threat actors anywhere in our ecosystem via things like anomalies, and being able to pick up, to Ryan's point, somebody doing something that they've never done before. So those are really the areas that I would lean in on. I'm not a fan of zero trust, the word. I don't like that flashy kind of consulting buzzword, but, you know, the principles of it, identity being really the future of security, I think we've got to embrace that completely.

Fantastic. Ryan, how about you? I'll give you the last word.

Yeah, I would agree with what Chase just said. We're probably not gonna see a whole lot of new threat vectors being explored until we plug the current threat vectors, right? So I mean, phishing is as old as cybersecurity is, for the most part, and still is the most effective tool used against health systems. So until we plug that, I don't know that we're gonna see a lot of difference.

I am concerned about collaboration tools. We talked about that a little bit already, but we're seeing more and more, let's just pick on Teams here for a second, Teams is more and more being used as an email engine. Like, a lot of email-style engagements happening on Teams.

But the one difference between Teams and, say, Office 365 or other email environments is that email environments traditionally do have some protection and layers and depth in place. Teams and other collaboration tools don't really yet. So you're using those systems in a way that maybe they weren't a hundred percent intended to be used. They're convenient, and a lot of the employees like using those tools for all sorts of understandable reasons, but they don't have the controls in place. And so I'm concerned about that being a significant area of seepage going forward.

Ryan, Chase, I wanna thank you for sharing your wisdom and experience with the community. This is fantastic. The good news on this one is, usually when I leave a cybersecurity discussion, I wanna log off my computer and I never want to, I just never wanna bank online again or anything. At least with this, I feel hope that we are looking at these things, that we're looking at the future, that we are layering technology, and we're making progress and getting ahead of some of these people-centric attacks. So I wanna thank you again for your time.



What a great conversation with Chase and with Ryan. I love getting their perspective. They spend so much time on the front lines where things are happening, and to be able to capture and share that wisdom and experience, as I said, with the community is so valuable, and I really appreciate them being able to do that for you. We wanna thank our sponsor Proofpoint for this episode. They are investing in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.


