Building a Security Framework for 2022 and Beyond with Seattle Children’s and Proofpoint
Episode 4481st October 2021 • This Week Health: Conference • This Week Health
00:00:00 00:45:36

Share Episode

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Today, on this week in health it, day in, day out, we see a focus on fraud, um, phishing attacks. To the point now where it feels like credentials is the nirvana state of any sort of, would-be actor or cyber criminal organization. They get your credentials. They have incredible ability to decide. What sort of exploit they wanna launch against your institution.

This is a solution showcase. My name is Bill Russell, former Healthcare CIO for a 16 hospital system and creator of this week Health IT at Channel, dedicated to Keeping Health IT staff current and engaged. If you wanna be a part of our mission, you can become a show sponsor as well. The first step is to send an email to partner at this week in health it.com.

I wanna take a quick minute to remind everyone of our social media presence. We have a lot of stuff going on. You can follow me personally, bill j Russell, on LinkedIn. I engage almost every day in a conversation with the community around some health IT topic. You can also follow the show at this week in health IT on LinkedIn.

You can follow us on Twitter, bill Russell, HIT. You can follow the show this week in HIT on Twitter as well. Each one of those channels has different content that's coming out through it. We don't do the same thing across all of our channels. We don't blanket posts. We're actually pretty active in trying to really take a conversation in a direction that's appropriate for those specific channels.

We really want to engage with you guys through this. We are trying to build a more broad community, so invite your friends to follow us as well. We want to make this a dynamic conversation between us so that we can move and advance healthcare forward. Today we have a great presentation that was done to himss protecting people, addressing healthcare human factors.

We have Ryan Whitt, managing Director in healthcare, CISO at Proofpoint and Gary Gooden, chief Technology and Security Officer at Seattle Children's. Gentlemen, welcome to the show. I appreciate you coming on. Having, having us. Alright, we're gonna jump right into this. I, I love your presentation. What we've been doing is looking at the presentations that went on at hims.

I pulled a couple of 'em out and invited some people on. So Ryan and Gary, you guys had the opportunity to talk about what's going on with regard to cybersecurity in the industry. So let's start with the challenges facing the industry in some statistics of what's going on. Ryan, we'll start with you.

Who's attacking healthcare? Yeah, I think probably this conversation has to start with ransomware. What's certainly top of mind with almost everybody that we speak with. Presentations like hims, there's a lot of attention, a focus on ransomware, but I think it's really borne out of a couple of noteworthy events within the industry, both around the fall of last year on a east coast institution.

Then in, uh. Early part of, or mid part of this year from a, a West coast institution who essentially had, these are both noteworthy institutions who had their ability to provide patient care fairly compromised for the best part of a month. So those have those become kitchen table sort of conversations with regards to what's happening in, in the industry.

The reality is, at least what we see from a data standpoint is ransomware, though hugely impactful when it hits in the way it. Is is something to focus on day in, day out we see a lot more focus on fraud, um, phishing attacks to the point now where it feels like credentials is the nirvana state of any sort of, would-be actor or cyber criminal organization.

They get your credentials. They have incredible ability to decide. What sort of reconnaissance they wanna have against your institution, and then what sort of exploit they wanna launch against your institution, what would make the best form of attack. But the, the, the starting point for all that is the ability to get your credentials, which is normally around email and around some sort of phishing type attack.

Uh, and Gary, perhaps you can add to this one. One of the things we saw with Sky Lakes, which is the one that we've looked at pretty closely, and we we're having a webinar with the Sky Lakes, CIO and, and the Asante CIO to talk through that event in, in detail, but it started with just a basic email that went out with a bunch of links that, that compromise the system.

Is, is that what you're seeing at Seattle Children's? Is that the primary attack? Yeah, well, the premier type vector, as Ryan stated, is email, and specifically in the form phishing campaigns of one former another. that has been the threat since the pandemic before the pandemic where we currently sit today, and what I see in the foresee foresee of the future, well, that's been the threat since the dawn of email.

For the most part. It would seem to me that this would be the area we would start to really establish our security boundary. Obviously with identity, identity being key, but . But also around email. Email still seems to be the way that people are attempting to, to get in to disrupt supply chains and other things.

They're just coming straight through through that basic email and really counting on the fact that at least a handful of people are, are gonna click on those emails. That is correct. What I will say is that, I mean, since, was it June of 20 20, 20 19 rather. Now we have literally received just from corporate email, 140 million email, of which 81% has been blocked, has been of some sort of malicious variation there on.

Wow. And about 40% of that would be business, email and compromise types of emails. So 80, 80% of emails. Are getting blocked, they're They're getting identified as malicious and getting blocked at this point? Yeah, I mean, on average it's usually about, on a monthly basis, about 85%, but for that year plus duration, it's roughly 81%.

Wow. Ryan, some specifics here, who are they going after? Are they just going after anyone? Are they going after clinicians? They going after administrators? Who are they targeting with these email campaigns? Yeah, I, I'll, I'll address that in a second, but I kind of first want to use an analogy going back to the, what we were saying a little bit here.

We just started football season and this is like email based attacks is like the equivalent of running the ball. They're gonna keep running the ball until you stop the run, right? To use till you force them to do something differently. Healthcare hasn't stopped the run Game U unfortunately, for many years now, and so it is the easiest

Way to move the ball down the field from football team. And it's the easiest way for a bad actor to engage with a health institution. So to your question and to your point, why, what are they doing? And the emails are becoming far more sophisticated. So yes, the type of blocking that Gary's talking about, the 80%.

Those are the ones that, you know, sophisticated gateways will capture for all sorts of reasons. They have malicious links in there, they have reputational, they come from questionable IP addresses, et cetera. So there's lots of techniques that that sift out those sort of emails. But what we're seeing more and more is a very, very target sort of campaign.

So yes, you are hitting someone very specifically within the institution. You're hitting them on a topic that is very. Akin to what their job function is. So the level of research and due diligence is being taken by the Cybercriminal Act gangs or organizations so that they know how to write an email that will get through the common filters that will engage you in a conversation.

That conversation over time will lead to pieces of the puzzle being dropped into. They're sort of research ortel intel gathering on you. So you might not be handing over anything that appears to be that important 'cause, like they're not asking you, Hey, what's your, what's your login credentials? Right?

They're not, they're not asking you that, but they are asking you pieces of information that they can help go build the profile and, and over time they can ask that pivotal question away. That allows them to go extract something really important that makes that kind of like that big leap forward. And they do gain a password or access into a system that you, that they wouldn't be able to gain if they didn't have some form of trust established.

And that established that trust was established because they maintained this sort of conversation with you on email over time. And they fraudulently have convinced you they are somebody that they're, that they're not. That has been compelling enough to make you want to keep engaging with them? It's interesting.

When I was ACIO, we had a firm come in from the outside and we essentially, what we were trying to do is broadly have them attack our system from a lot of different vectors and give us feedback. And they went through the report and how they got in and I think, and they were like, look, we stood up this website.

We had 15 credentials within the first 24 to 48 hours with those credentials, we were able to go here, here, here, and here. Is that still what they're looking for as credentials or can they compromise even without credentials at this point? I mean, I think it's a SSM board. So to kinda read off of what Ran said a while ago, recently we did a targeted phishing campaign against our population and we specifically, um, targeted them using a tool that you're accustomed to using.

And that specific tool in this case was DocuSign and roughly 34%. End user population clicked on that link. Now we do secretive training, awareness training all the time, but the way in which that that particular phishing campaign was orchestrated by us kinda proves that the point that Ryan is making about the sophistication of how emails are constructed in such a way that make them look extremely legitimate.

So for the 81% that we block. Or the 85% that we block, I would say maybe three to 5% of those emails are probably of some sort of malicious nature that will get through. So you expect to have a situation like that and then what you need to do after that is in put in your layer defense structure. But that, that being said, almost roughly 45% of what we see is around business email compromise.

Where they're trying to redirect it to change your payment information so you can route funds differently. So that's that one bit. Yes. Credentials, skimming and, and, and credential gathering is a big deal, but it's just the general nature of throwing the spaghetti on the wall and seeing what sticks. So you'll have the situation where, oh, we dropped the payload on this device and it's now gonna traverse or encryption.

So what I'm seeing is that they're coming at us with multiple types of campaigns from various advanced persistent threat groups. And it's really more about a, in, in many cases, a shotgun approach and in some cases, especially with the BEC stuff, very specific. That said, on a daily basis, we stop roughly 450 million threats per day of all types.

Email drive by brute force attempts, everything in between. Let's talk about ransomware for a minute. So we look at defense systems, and if I just rewind a couple years, we, we were talking a lot about education, putting the right tools in place, educating our people, and, and we were gonna be able to address a significant portion through that.

Now, when I hear people talk about ransomware, they're talking about . It's not if they're going to get in, but when, and they're saying, all right. So if that's the case, we have to really focus in on the recovery aspect. I, I'm hearing a lot of different things. I, I'd love for the two of you to sort of lay out what a good plan for building a, a defense posture against ransomware might look like.

Uh, Ryan, do you want to, do you wanna start with that one? Sure. I, I think maybe one thing at one place I would start is a recognition that. They will do the level of due diligence to understand who within your organization has a job function. That means they have to go download files or they have to click on links.

So based on the job role you have within the organization, we work in more vulnerable ways, entirely legitimate with regards to what our job function requires of us. But you know, we have to go interact with third party suppliers. We have to. Take in resumes for would be candidates. We have to go review and download invoices.

We have to go interact with third party apps or whatever. But you're, you're also defining clinicians at this point too, right? They're exactly, they're, they're moving images around. They're downloading files from patients potentially through email as well. Right, exactly. So they're understanding exactly the type of work that people are doing.

That means that have to click that link, download that file, et cetera. So they know your job, they know your who you are within your organization. They know what your job title requires you to do. They know the type of work you're working on, and then they're gonna send you a link or a file that's aligned to that.

So that's the challenge. I think the first part of, of the equation, I'll let Gary build from here is understanding who is more likely to be attacked within, within your organization for these sorts of exploits. Because I think most healthcare institutions are resource constraint. Their budget constraint, they can't put the gold standard of security.

Right across their organization. It wouldn't even make sense necessarily to do that. So they have to go, as I say, kind of place your security betts and you gotta go figure out, okay, where am I more likely to see this sort of activity? And then what are the, what are my control options I can put in place to mitigate against that?

Interesting. So Gary, we've identified the people and, and the roles, and as you guys say, the attacks are getting more sophisticated, so the emails are literally. To the clinicians, we'll address something clinical and to the HR representatives, something around HR and to, I mean, we're not just seeing a single email go out to 10,000 users.

We're seeing very specific emails to very specific people that are, I mean, they're lures. So they, they're literally designed to get them to click or download something. What do we do next? So we've identified those people. What's the next layer of security that we're putting in, in place if we're specifically worried about ransomware?

So in our environment, we are not just a clinical environment, we're research environment. We're one of the largest pediatric research institutions in the country. So yes, the doors are getting more sophisticated. , about a year ago, we embarked on a zero trust journey. So we're a zero trust shop in terms of concept and philosophy.

We converged or a security program with our infrastructure program, so I lead both. So security is actually used as what I refer to the tip of the spear for innovation and not security for the sake of, of creating friction, right? If I can't secure Ingram in. Then clinicians can't do their jobs faster.

Researchers can't find cures faster. It's very much tied to the mission, but just from a zero trust perspective, it's all about the layering of defense. It's all about identity and entitlements in terms of who you are and what you're entitled to do. It's also about the whole notion of automation, of provisioning.

It's also about the separation of your credentials from your elevated rights, as it were. It's also about the removal of local administrative controls and an endpoint using that same profile. So let's say you abstract it and you apply the admin credentials to a service, not to the entity. Then if for any reason all that fails, then you have to look at anomaly detection for EastWest traffic to look after that stuff.

Then you also have to ensure that your endpoint detection service is 24 7, 365. If you do those things and continue to up arm that way because it's really an arm's wrist, then you'll stay ahead of the curve. Obviously, the whole idea of the data center, the center of the universe, is gone. As it relates to what happened in Covid last year, remote work is here to stay in our environment.

Today we have a hybridized model. We also have a permanent remote model, and then we have a permanent on-prem model because we're clinical and research, so we have all three different types of knowledge workers, and they are either a hundred percent remote, they're hybridized, meaning on-prem, off-prem, or they're on-Prem based on their job roles.

And in addition to which our data can be almost anywhere. So from a route, from a edge perspective, the home route is a new edge. From a weird data lives perspective, because we're distributed environment or data is everywhere, so for us, attestation or efficacy as relates to getting to the data. Is as important as where the data lives itself.

So if, for example, you use email vectors as a way to compromise or infrastructure, then the layering of the defense will prohibit you from ending up in a situation where you have an encrypted set of infrastructures and then you have a problem. If we're talking about credentials, skimming, for example, credential compromise.

Then anomalous behavior technology, which is what you need to have in place, is you're essentially in the coal mine. If you do those things, and if you do things like security in the cloud, which is what we do remotely for anybody connecting in. It's literally, um, secure web gateway technology to do security at, at the station of you as an entity, your entitlement, the health of your device, and then based on those entitlements, we IP tunnel you to where you need to go.

So those things have to be, in my mind, incorporated as a wrap up from a funding perspective. It's interesting. I just came out to a meeting with a subset of a board in our executive suite, you'll typically get the question. If you need additional funding does come to us and, and my response is, it's not really about that.

Funding is not an issue in our specific environment. It's the speed at which you can implement. And then mature processes around the technology and then mature the people side of the business, whether it's internal resources or managed services providing these services. So hopefully that provides some context.

No, that's, that, that's phenomenal. And I wanna tear that apart a little bit. The thing we've been using in, in, in these projects for a long time, people process technology. Give us an idea of, so from a security standpoint, you're looking at this, how much effort is, is put into each 'cause. It would seem to me, when we're talking security, you don't have unlimited people to monitor all the alerts and things that are coming through.

So you have to put in some technology, you have to have some automation. The processes have to be sound so that the, the, the handoffs are happening and the right things are happening at the right time. But we're struggling to find really good cybersecurity people to keep all this, all, all this functioning.

So give us an idea of what the breakdown is in terms of how you think about where you really allocate your resources and your time based on those three areas. So for us, we don't manage a soc at all. To your point, that to me is a lost leader. In terms of having the wherewithal to extend services like an accordion.

All right, so we don't do that. So we have a managed service for or SOC, or sim and our SOAR technology, we use machine learning to help automate the speed at which we can do event correlation. We have 24 by by 7 365 endpoint. Management and oversight, which again is a service because I can't scale for that.

The speed at which we need to at attend to potential threats, whether it's email vectors or brute force, is all down to machine speed. So what I spend my time doing is ensuring that we have. The right level of engineer is in place, which we do to help to not just interpret 'cause they really don't, but more to ensure that they handle exceptions if and when exceptions occur.

And for the most part, the ticking and time of the daily operations and the speed at which the reactor, these are all managed services. If I were to try to build out the people piece of this to compliment that. Given where we are in terms of, to your point, the difficulty in acquiring the right level of technical skilled workers, it would simply not work.

It would fall in its face. And then the anil to that to me, is really more about the process maturity that really comes from you having implemented the right technology stack. So if I implement a bunch of technology stacks, which I would've done mature the process. But then don't reinvest in the technology stack.

Then yes, I will have material processes, but I'm going to have stale technology. Unfortunately, it's a arms race today, right? And then there is a, there is a tight interlinkage with infrastructure as well. So I see core infrastructure pieces are adjuncts to the security program. Which would also then include our cyber physical stack.

'cause you cannot forget the cyber physical stack. I, I wanted to build upon something that, uh, Gary said a little bit earlier and just give you, um, one impression of what we see from a sophistication sort of standpoint. So we were analyzing, we were working with a, a, a teaching hospital. And this particular teaching hospital had significant research, sort of, um, reputation they had about, uh, had, they had five main institutes within their research function.

And at first glance, it was not surprising to us that research was one of the most heavily attacked function within their hospitals. But actually what we realized was. One of their institutes made up of about 55% of the overall attack. So although they had multiple research strands, it was really just one institution that was getting the lion's share of, of those attacks.

And then you dug a little bit deeper and there was actually one department within that institution that was getting about 40% of those attacks. So you have this very large. Teaching hospital 30,000 plus email addresses, and then really you boil it all down and like a significant portion of the malicious traffic and very sophisticated traffic going to a very small number of individuals.

And all I could really say from how did they figure this out is this particular institution was, I mean they, they were very noteworthy about this particular level of research. And so anybody who was a casual observer, even if you had, it's very sophisticated. A very technical level of research, but anybody who just browsed that institution and dug a little bit deeper on what they were about could figure out, like that's probably where the money is.

'cause there's always a monetization angle of these attacks. But it got down to like, they were very, very pointed into these small number of people. 'cause that's where the perception was, where the crown jewels were our a monetization angle from a technology standpoint. I wanted to also bring into the equation.

Is, and it's not like it's new technology, but it's isolation capability. And I mention isolation because it's readily available. It's mature technology, but it's not that well deployed within healthcare. And what isolation technology does is essentially containerize your sort of email traffic for whoever has that capability rolled out against their sort of email address.

And it then allows. People basically to interact with their email traffic in a kind of a safe environment because it's containerized. The ability for them to exfiltrate data beyond that or them to send anything that's going to bring data into that container is much, much more limited. So if you have somebody who has that vulnerable sort of way of working, or as you call like you have, they're happy clickers.

Are lots of use cases where that containerization technology or isolation technology. Would be really useful, particularly when, very precisely as an example I just cited, like who is being attacked. Yeah. One of the things we did is in all of our clinical workstations, were virtual. It's a form of containerization, if you will.

It's a form of breaking it down because you can tear down those sessions and rebuild them back up and, and potentially . Isolate any incidents you're gonna have within that environment. That's one way to address the, the endpoint. But what I wanted to do is I wanted to go back to, so we're sort of looking at this people process, technology, we got to this level.

I wanna go one step further and to just give it more color. Talk about phishing. So we have people process technology. So getting to this operating at machine speed and being able to have the right processes in place, I wanna take it down to just this one aspect of the protection layer and talk through it just to give people an idea of where you're spending your time.

What does it look like to operate at machine speed with regard to phishing attacks? Having the right processes and having the right people in place to address that. Loaded question loaded. Lemme take it. So we employ a lot of technology from a particular company. And one of the things that Ryan made mention of is something that we also utilize as well, uh, relative to isolation.

What we also do is that we look at what we refer to as a very attacked people profile. So those are individuals who . Based on their job role, and you alluded to that earlier, the job type, they see the preponderance. They're not top 10 in terms of individuals who get phishing attacks based specifically on them.

And again. Roughly 85% of whatever comes, comes in from a corporate email perspective is filtered out. And of the 15% that's led through, I would say again, between three to 5% would still be malicious in some way, shape, or form. It just wasn't obvious. But that being said, we spend quite a fair bit, a bit of time specific with our analysts looking at the three to 5%.

Three to 5% is also looked at by a managed service. Why? Because if something looks anomalous on the end point. It's detected immediately. Why? Because we use machine algorithms and our EDR endpoints, we use machine algorithms relative to our managed sim environment and those services. So from an analyst perspective, we utilize your analyst to only look at the exception somethings already quarantined.

Then you go and figure out, well, what happened? So it's not as if to say. The endpoint is compromised because of the phishing campaign, because they clicked into some maliciously, they dropped the payload, and the payload was able to call back home and then detonate. None of that occurs because our firewalls have Euro filters on them, so you cannot even call back home.

So let's say for example, you didn't have to call back home and it was a self detonating package, it still wouldn't work only because the EDR technology and endpoint is already isolating it. So a lot of the time we do, we spend on the analysis of what happened as opposed to stopping the event 'cause the event is already stopped now.

I think of, I think of this as you would say, for example, an IED where you'd have an IED charge and you'd have a a truck and it would get blown up and be kept up armoring. So everything, as I just said, try to build this better mouse trap. At some point, something will get through. It's a question of not if, but when, which is why the east west traffic or deep packet inspection technology is so critical for us.

because that allows us to look at anything anomalous moving east west. That also is looked at 24 by seven. So if anything we see as a, as anomalous, that's also sh So that's how we look at, we do our own phishing, but it, it really comes down to how we use the different technologies. To stop things from getting to where we consider to be our crown jewels, whether it's our data centers or our EMR that's hosted somewhere else.

Ryan, you work with a lot of different clients on, on this kind of stuff. What are you seeing across the industry? By the way, Gary, thank you for sharing those. I'm learning a ton here, so I really appreciate you going in depth with me. Ryan, what, what are you seeing as you look across the industry? . In terms of, and then again, we're focusing in people, process technology around phishing specifically.

I think one of the noteworthy trends that we've seen is the amount of phishing attacks that point people to legitimate file shares. Now more than 50% of the files or the links to people who are being Fisher Act are asked to interact with are actually a legitimate file share being a SharePoint account, a box account, Dropbox account, et cetera.

So it's no longer pointing you to some nefarious server in the middle of. Central Europe or whatever, it's pointing you to a legitimate file share that you would expect to go to. And I think that's a big, a big step change. It makes it more, more difficult for the technology to filter those things out because they're coming from these legitimate file share sources and it makes it harder for the, the clicker to not want to interact with that.

It looks even more legitimate 'cause it it, on the surface of it, the source of it is, is legitimate. So that's a significant change that we have seen in addition to what we talked about a little bit earlier, which is a much more targeted nature of those attacks and the language that's being used to interact with those facts.

The other point I would say, and I think Garrett touched on this a little bit, is there is always this monetization angle. So yes, if anybody who deals with money. Your accounts payable team, your people who are dealing with your business associates, anybody who has a role directly or indirectly with approving invoices or redirecting payments or changing bank account details, those people are going to be very heavily targeted and, and those are just a natural candidate.

Always for additional layers of security controls. We know how they're, they're monetizing ransomware. They, they shut you down and they ask for ransom. Some of these others are a little bit more sophisticated. They are, uh, essentially inserting themselves somehow in the middle of a process and, and extracting money in what would appear to be a pretty straightforward way.

Right, the promise of goods for services. Hey, you'll get this PPE transfer this money, or even changing an employee's information, and then money goes that way, or a vendor's information that goes that way. What are some of the other ways that they're trying to monetize this? I mean, we've seen examples where at points in time pharmacy functions were heavily hit.

So we don't have coffee with the bad actors. We don't necessarily know what their motivations are, but it would seem to me like they know that controlled substances have value in the black market. So they're trying to redirect those controlled substances. One of the more heinous things we saw, um, at a point in time, elongated point in time was the hospice.

Organization within a large, well, several large institutions were heavily targeted. Again, we don't know why. The working theory where there was that you, they're preying upon the good nature of the people who do those roles. And the people you know. Those are people who are so obsessed with, with the comfort of that patient that they tend to have access again to controlled substances.

They have access to the patient record and maybe they're not as well protected as other parts of the institution, so there's not as many controls in place. And so the combination of fewer controls and a very caring, giving sort of nature means that they can eat more easily, fall prey to an attack. I mean, that's just a theory we kind of worked out without knowing exactly why they were being targeted.

But yeah. Uh, the point being is whether it is controlled substances, whether it is the value of patient data. And then if you ever see nation state sort of actors, they generally are focused on IP theft. That's valuable for them to be able to bring that intellectual property back into their country. So there are multiple monetization angles beyond just payment.

Redirecting payment. So as Gary was talking about as a research institution, they would be targeted for their intellectual property. Gary, is there anything you have to do specifically around IP to try to protect it? You know, we make reference to people processing technology. So, and I know we're speaking more specifically about phishing emails and what have you, but as it relates to ip, there's also the social engineering side of it.

There is a situation that occurred where it's been occurring, not necessarily at Children's, but there's generally with the research industry where they, the lowering this particular case is having researchers slash PIs be invited to conferences. Wind and dined, and lots of researchers are very proud of what they do, and so they will talk and just by virtue of talking, they're literally compromising their, this has happened over and over and over again.

Different. Institutions, we have seen the threat in our institution as well. And so there's the people side of it, right Above and beyond just the normal security awareness training that you do. There's a social engineering training that have nothing to do with technology specific, and also if you're looking at, say for example, business email compromises, we have a manual process in place to ensure that no ACH or payment information is changed unless it's

Verified manually, human to human. So it it, it literally sits outside of the technology process. It's a manualized process to ensure that the technology request is actually legitimate. So there are two different things to do with social engineering relative to intellectual property and also on, um, accounts payable.

So I'm gonna ask you guys what the next five years, what do you want to get in front of? But I will share this story again as CIO, our internal auditor said, Hey, we're gonna do a social audit of our executives, and they came back to me with my social audit. They had almost my entire family tree cousins. I mean, just because I connected here with this person.

Oh, that's your mother. My mother had a Facebook account, pictures kids. I mean, they literally had the whole family tree. And then they had just information about each one of the things, and they're, they're showing me this thing. They're going, that's how much information's available about you. And you're fairly, and I, I'm fairly savvy and fairly cognizant of what I'm putting out on the internet.

Just those one or two connections gave them access to people who are in my family who are sharing an awful lot, and that information does. Create some holes, I guess is what they were trying to communicate to me with this, with this social engineering. Uh, so let, let me ask you this, give you a little time to think about this next five years.

What do we want to get in front of? I don't wanna say 10 years. 'cause then we have quantum computing and who knows what's gonna be going on in 10 years, five years even. Seems kind of long in this industry, doesn't it? I mean, five years is, is long to think. Let's, so maybe let's, let's look at three years.

What do we want to get in front of and, and stay in front of? I would like to give you some sort of. Very profound prophetic sort of answer, but I, I think really in healthcare, we are still talking about basic blocking, the HIMSS cybersecurity survey, which came out at the back end of last year, and it's the most recent cybersecurity survey that HIMSS have, have put out.

The data on that survey was pretty remarkable 'cause they served the amount of, they went through a number of security categories that say what was the level of implementation of these technologies right across the healthcare industry? And they went pretty basic. Do you have a firewall in place? Do you have multifactor in place, et cetera.

It went about, I don't know, 15 to 20 categories. Even if HIMS data is inaccurate, 'cause it's survey data, so it's surveys, you have to take a little bit of the pinch of salt, but it was pretty remarkable. So all the things that we're talking about that we would consider to be, I think relatively standard sort of capability technology is just not still deployed in healthcare.

So multifactor is still below 50% utilization. Even firewalls. Hims reported that only at 90% utilization. Now I'm sure it's a much smaller institutions that don't, are the ones who don't have those things in place. Right. But even, you know, Well, that's, well, that's what I was gonna ask you. I talked to a lot of health systems and one of, one of the ones, the CIO was saying to me, look, what, what can I do around security?

Because I, I have outsourced the, the operation center and whatnot, but I have two headcount. I have a policy person and I have a. Engineer, a security engineer, and then I have this and and it's not a small hospital. It's not a huge hospital, but how do you secure it with two people in an operation center?

You don't, this is not a direct answer to the question, but one of the answers to that question is you point them to the two most recent ransomware events in healthcare and you say to them, there's a direct correlation. One's ability to have the right source of security posture in place and the institutionals ability to meet its mission.

And if you don't have the right source of security posture in place, you cannot, in many cases provide patient care. You cannot adhere to your patient safety sort of mission statements if you have a compromise. You are essentially, if you have the ran or right, that sort of an event, you're out of business for a month or whatever and it's, this is no longer a co compliancy discussion.

It's not a brand discussion. It's not a fine discussion. Yes, those are all part of the equations. It's a patient safety discussion. I think if you need to get access to resources or funds, trying to frame it that way with your board might move the needle a little bit. Gary, I'm gonna put you in that spot.

I just promoted you. You're ACIO. Well, it might be a promotion. It might not be a promotion, but I just made you ACIO. It's a $750 million hospital right now. You're looking at, you have an outsourced soc and you have an engineer, and you have a policy person. What are you gonna do when you go in there? So I was gonna respond to what Brian was saying with the comment.

I find it's a little more. So let's say for example, you look at the operating expense and. So I'm not this new CIOI go and present to the board and to the C-suite and they get it. But from an operation expense perspective, they cannot afford to implement a technology stack required to run their operation because they're not just done as a security risk assessment in terms of what can we actually bear to suffer in the event of, and you talk about future state threats and things that you need to get ahead of in the next three years.

One of the biggest problems we have today is that we don't treat cyber threat as a national emergency issue nationally. So let's say for example, the state of Washington, the state of California, had a disaster, earthquake, fire, whatever it is you declare in that you declare a disaster within the state.

The federal government would then declare a national disaster to a specific area, and then you would get a FEMA response. FEMA response then brings on a whole slew of additional things, resources, funding, et cetera, et cetera. What is really required is something very similar on the cybersecurity side that does not exist today because you have all kinds of different healthcare providers of different levels of sophistication and their ability to have what I consider to be the baseline level of security controls, which cost money.

Is something that some of them simply cannot afford to do. Even if they were to factor in the risk of being compromised, it's almost easier for them to be compromised, take the hit, and then go and pay because can't afford it. So that to me is a big issue that obviously falls outside of our control. But to your point, the issue of the healthcare organization in San Diego who should remain nameless their physical security stack, it is obvious from how that threat occurred that that security stack was not at the level where it should have been, which speaks to a situation where either their c-suite or board did not understand the threat landscape.

Or by virtue of them not caring or not understanding it was presented to them or didn't have the right leader presenting information threat, either way, they were, they were probably in a situation where they could have funded that and accelerated their progress. To not be as compromised as they probably were.

And to back to what Ryan is saying, this is probably down to basic ticketing and time, which is not that sophisticated, but they at least had to have the basic, what I consider to be the starter kit implemented. So that's also another part of the issue. Then you have the problem that I'm worried about where there's no public private partnerships between government and private enterprise.

On the cyber threat landscape. And I'm saying three years because these things are emerging. And the other thing that really concerns me, well there are two other things, is if there's no global consensus on how to deal with, on how to regulate digital currency, which is still their form of legal tender for said bad actors, and the fourth thing that really is concerning to me is a rise of five G and how we're going to have to adapt to five G.

That, that's unclear to me as well, but it's just something, and I said, and we talk about three years because he didn't want to talk about five euro because it's highly speculative. And three years is, to Brian's point, it's still somewhat a bit of a crystal ball. It, it'll be interesting five G with the bandwidth that's gonna be available through five G in three years.

You, you sort of look at that and go, well, a lot of our traffic could come in. Through five G in three years. That is, is not really possible over four GLTE today. That could create some, clearly not there today, but a place like Seattle could be there in three years for sure. Yes, would be very interesting.

Well, gentlemen, I appreciate you coming on to talk about this presentation. I will say this the next time you come on, I'm gonna throw out any agenda and we're just gonna start right where we left off. And, uh, we're gonna , we're gonna just a attack. What can we do? I'll just probably just give you a couple scenarios and say small health system, big health system, mid-size, health system, academic medical center.

And we'll just tear it apart and, and see where it goes. 'cause. I, I learned a ton in this conversation, and I, I appreciate you sharing for the, uh, benefit of our community. Thanks again for coming on. A pleasure. What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff.

I know if I were ACIO today, I would have every one of my team members listening to this show. It's . It's conference level value every week. They can subscribe on our website this week, health.com, or they can go wherever you listen to podcasts. Apple, Google, overcast, which is what I use, uh, Spotify, Stitcher, you name it.

We're out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware Hillrom, Starbridge advisors, Aruba and McAfee.

Thanks for listening. That's all for now.

Chapters

Video

More from YouTube