December 1, 2021: Cyber attacks are more sophisticated, more frequent and the potential outcomes are far more devastating. What technology tools can help us detect the presence of those malicious threats within our environment, both in the cloud and on-prem? Jim Brady, VP, Information Security & Infrastructure/Operations and CISO at Fairview Health Services and Ryan Witt, Industries Solutions and Strategy Leader at Proofpoint share crucial security strategies to survive phishing, imposter threats, ransomware, and supply chain attacks. What areas should CIOs focus on to deter risk? How can they address cyber with their Board? And what would you say to those who say "it won't happen to us"?
00:00:00 - Introduction
00:05:40 - Credentials are the Nirvana state for cybercriminals
00:06:50 - A strong number of attacks are being launched from well-known established data repository sites like Microsoft Office 365 and SharePoint.
00:08:12 - Every email that's coming in is technically eligible to be a bad email
00:22:35 - Research shows that bad actors are in your environment for up to 6 months before being detected
How Can Healthcare Reduce Cyber Risk and Maintain Patient Safety with Proofpoint & Fairview Health
Episode 467: Transcript - December 1, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Bill Russell: [00:00:00] Today on This Week in Health IT.
Ryan Witt: When an institution can make a direct correlation to, I need to invest in my cyber security defenses so that I can meet my institution's mission of patient care, patient safety. I can adhere to the Hippocratic oath of do no harm. How do I do that if I cannot protect someone's data? How do I do that if I cannot safeguard my systems so when they need my care and [00:00:30] attention, they're there and available and ready to access.
Bill Russell: This is a solution showcase. My name is Bill Russell, former healthcare CIO for a 16 hospital system and creator of This Week in Health IT. A channel dedicated to keeping health IT staff current and engaged.
Before we begin. I want to share an exciting announcement for This Week in Health IT. Starting in 2022, we're going to have four channels to bring our community more specialized content for [00:01:00] your specific needs. The four channels are News, Community, Conference and The Academy. The News channel we'll have our Today and Newsday shows where we explore the news that is going to impact health IT. The Community channel is just that. A place where we come together and collaborate. One of the distinctions of this channel is that we will have guest hosts from the industry and people that they invite to talk about the topics that we wrestle with every day. [00:01:30]Things like clinical informatics, data security and the like.
We're excited about where the community will take this channel. The Academy is about training. It's about training the next generation of health leaders. Here's where we're going to be launching our new show. It's called Insights and the show will actually take highlights from our last five years and break them into 10 minute episodes for your team and perhaps people who are new to health IT to come up to speed.
Finally, this channel, the one you're listening [00:02:00] to right now will become our Conference channel. The same great content you travel across the country to receive. We're going to be bringing to you right on this channel. This show will become Keynote, where we do our long form 50 minute interviews with industry leaders.
And we will be augmenting that with Solution Showcases and briefing campaigns that introduce exciting solutions in more detail. For more information on our other channels and where you can subscribe visit us at [00:02:30] thisweekhealth.com/shows - S H O W S. Now onto the show.
Today, we have a conversation about cybersecurity, cyber risk and maintaining patient safety. We have Jim Brady, VP of Information Security and Infrastructure operations, and CISO at Fairview Health Services and Ryan Witt the Industry Solutions and Strategy Leader for Proofpoint. It was good to see you guys down at the CHIME conference. It was just fun to be in the same room with everybody to have [00:03:00] conversations.
Jim Brady: Yeah. It was a bit surreal thinking wow, we're finally back. And these are all the folks that we've been seeing year in and year out. It's good to see everybody in person and to hear kind of what's going on. It was awesome.
Ryan Witt: Was great to re-engage and it's a really good indication of we're all products of our environment. Right? So the attitude towards, how do you engage in these sorts of conferences? What the right sort of COVID protocols ought to be were very much colored by where you traveled from.
Right? And [00:03:30] so we saw of course CHIME being a national conference, you've got a nice cross-fertilization of experiences. So it kind of is interesting to see how that all culminated at CHIME.
Bill Russell: I went from Boston to Philadelphia, to Florida, to San Diego and then up to Montana. So I think I did pretty much the entire cross section and it's interesting how vastly different we're still treating the pandemic across the country. I mean, even California was kind of surprising to me. There was really very [00:04:00] little in the way of mask wearing. Now everybody had to show proof of vaccination and whatnot but I, I expected California to be a little bit more like Boston. Boston was very a lot of mask wearing a lot of a lot of safety protocols still in place in the Boston market. So, very fascinating.
Jim Brady: You'll have to go up to Northern California Bill. Southern California. We're a little bit relaxed.
Ryan Witt: I'm based in Silicon valley and we are essentially, we are mask central. Masks are everywhere. So when I went to CHIME it was complete opposite sort of experience.
Bill Russell: It was [00:04:30] interesting. So we got together with a bunch of people at CHIME. What are you hearing with regard to cybersecurity at this point? Do we have this thing licked? There's not really much else for us to do or are we still in the early stages of figuring out who's on first and what's on second?
Ryan Witt: Yeah, I want to say it to your things hunky dory, and we have it licked, but it is the exact opposite of that. This is, I think maybe if I want to use an analogy, I'll use a sporting analogy and maybe you can reference, football as that is the sport that's top of mind right now, [00:05:00] given the season. Cyber criminals are essentially running the ball right now and they're going to keep running the ball until healthcare institutions can stop the run.
And right now, healthcare institutions are not stopping the run. Now we're seeing that play out most topically in the form of ransomware. Okay. That is the top of mind sort of cyber event that certainly was talked about a lot of CHIME and it gets a lot of sort of play just broadly. But if you just go beyond [00:05:30] ransomware, you see email fraud or any sort of fraudulent base attacks are very prevalent. There's more money actually lost to fraud than there is to ransomware. And truly the reality, the real issue is, is around credentials. I mean, credentials are quickly becoming the Nirvana state for cybercriminals. Once they have your credentials, once they have access into the network, they have lots of ability to do all sorts of wonderfully devious things. And so, no, we aren't, we are nowhere near having this licked.[00:06:00]
Bill Russell: It's interesting we're getting close to Christmas time and I started getting these emails, Hey, you've ordered this and blah, blah, blah. And I got three of them this week and I looked at it and they're getting more sophisticated.
Like I have to literally look at it really closely, then look at the email address that came from, it's, Hey, your apple computer, blah, blah, blah. But it's from a Gmail email address. I mean, that's not that sophisticated, but generally speaking, we're seeing an uptick in terms of the sophistication of what the [00:06:30] emails look like.
And I assume if I start clicking on those things or calling that phone number, it's not long before they're asking me for information they're going to use against me. Is that essentially, how is it working the same way within healthcare?
Jim Brady: So I think that and Ryan has a lot of data from his research arm of the organization, but you know, definitely there are a lot of attackers that are launching attacks from well-known established data repository sites, like Office 365, SharePoint. Those are things [00:07:00] that if you get a SharePoint link, you thinking it's okay to click on it.
Obviously there's a lot coming from Microsoft, some of the Microsoft Exchange sites that are on Azure. So I think that the attackers are getting more sophisticated. One thing I do want to put a plug in for us, if an organization has not considered email isolation technology, I think that's really helpful because I know in my organization, you know, we're trying to get our users to not click as much on our simulated phishing efforts. And, that's kind of [00:07:30] like a never-ending battle. Cause they're, they're really busy. I mean, at this point, right now, we're in the middle of a mini surge so all hands on deck. We're in command center mode. And so, isolation technology, what it does is it allows you to open up any link or attachment in an incoming external email. If you can have that routed when the user clicks on it. So maybe it's a bad link. Like you're just talking about Bill, it'll open up in a container. So if it does get weaponized or something of that nature, it doesn't spread through the organization. I [00:08:00] think things like that are going to really help us out because we need to keep working on security awareness, but it's so difficult. There's so many emails, there's so much going on. It's really challenging to get people to realize that, hey, every email that's coming in is technically eligible to be a bad email. And so, people just are not thinking like that. So I think that's, something that we need to just be more aware of.
Ryan Witt: Jim made a really, really good point that needs to be emphasized. A strong number of the exploits that your health institutions are [00:08:30] receiving these days are coming from, they're housed in legitimate file shares. Okay. So they're housed in your SharePoint environment, your Box environment, your Office 365 environment.
And that's a marked change from where we were just a couple of years ago, where for the large part, those were coming from spurious kind of URLs that were out in the wild or being generated by bots. And that still happens of course, but when you're being pointed to an exploit that lives in a legitimate file share [00:09:00] it's a lot more difficult for a couple of things. One is for your, your email gateway to make the determination that says this is a bad, malicious sort of, activity. Number two, it makes it much more difficult for your users to spot it's a malicious activity. So that is a way that the bad actors have compromised these fileshares into something that should be significantly concerning for us. And back to your point, Bill, when you think about what is the level of sophistication to the emails that are coming in. So, think [00:09:30] about what you received. Think about that in a business context. Think about that now, coming from a trusted partner, maybe a business associate, somebody you're used to dealing with, thinking about the quality of that email being reflective of what you would normally have in your conversation with that partner.
And then it's pointing you to a place that you would recognize it's a place to go to for more information. Now all of a sudden you've exponentially made this far more complicated [00:10:00] for your end user now to determine like should I, should it not engage with that sort of confrontation?
Jim Brady: Yeah. And it's kinda a supposition that it's almost impossible for a human that's doing regular work to, to be held responsible, to not click on a potentially malicious link because it's just, they're very sophisticated and to add to it many links and attachments will pass through the email filters because they have not been weaponized yet. So when they do come in and you click on that link, then it sends out a signal [00:10:30] to what's called a command and control. And then it downloads the malicious payload. So, how can you stop that? So I think that's where the isolation technology might be really helpful, but it's very difficult. We're doing phishing simulation testing. If I wanted to fool 90% of the users with a very sophisticated email, I can do it easily. So we're doing like basic obvious phishing efforts that are pretty easy giveaways just to get people to start kind of at the foundational levels.
So I think we, do need additional support and [00:11:00] technology to help us with this because it's this becoming, you know, really difficult.
Bill Russell: So the tools on the one side are getting more sophisticated. Let's talk about the tools on the other side. And that is kind of a scary concept that I get an email with a link to our Office 365 fileshare. Which is valid, right? It's within our technically it's within our four walls cause it's within our cloud environment. And so now I need tools that are going to be able to look at not only on prem, but also into the [00:11:30] cloud, protect me from things that normally are trusted locations trusted in the cloud, trusted internally, trusted fileshares internally, and those kinds of things.
So I want to go about this in two directions. One is Jim, I'm going to ask you about how we quantify the risk and where we get the money to do some of these things. And Ryan, I want to start with you on the, if the tools are getting more sophisticated, the attacks are getting more sophisticated.
We used to rely very heavily on education. I used to hear [00:12:00] CISOs all the time saying we've got a great education program and I understand the value of that education program. But to Jim's point, it's getting to the point now where the sophistication is high enough, and these people are moving fast enough in, in healthcare, just in general, that it's hard to say, Hey, we're going to educate them to the point where they're going to be able to identify these things.
Some of these things are not going to be identifiable. So we need the technology. What are we starting to see in terms of technology to [00:12:30] detect the presence of those malicious threats within our environment, both in the cloud and on-prem?
Ryan Witt: Sure, and this is kind of a good news, bad news side of cybersecurity in healthcare, right. On the good news is we're not waiting for a new technology to be developed. We're not waiting for a company to accelerate their roadmap, to bring out feature functions that are needed to tackle some of the problems. The bad news side of the equation is this technology is tried and [00:13:00] tested. It's on the shelf. It's has been readily deployed and in use for many years now, in some cases and other industries, it's just prevalent in healthcare yet. And so there are a lots of remedies. Jim mentioned one around isolation technology. There's a lot of cloud security capability out there. There's a lot of capability around verifying authenticity of an email. So is the email coming from who it purports to come from?
DMARC [00:13:30] protocols, et cetera. So the solutions are available. And I don't want to make this only about technology sort of solution, but technology is a big part of the step forward, because I think you just can't train your way out of this, or you can't put enough processes in place to get yourself out of this. The technologies are available. Healthcare has got to put much more focus on putting those technologies in place. And I know you're going to go on to where do you get that money? How do you get that funding? And I think Jim's got a [00:14:00] point of view here that I want to get to, but where we see their success from that.
And when an institution can make a direct correlation to, I need to invest in my cyber security defenses so that I can meet my institution's mission of patient care, patient safety. I can adhere to the Hippocratic oath of do no harm. How do I do that if I cannot protect someone's data?
How do I do that? If I cannot safeguard my [00:14:30] systems so when they need my care and attention, they're there and available and ready to access.
Jim Brady: So I think we need a combination of, we need the technology, but as everybody knows, technology is not the answer, just technology alone.
It's really a lot about process and how we think. And so I think that. In health care, we've only really had to deal with data breaches and fines, just recently, maybe 10 or 15 years ago. It's just the fines started. I don't think that people actually felt that they'd have to shut their hospital down [00:15:00]and they, they would have what's called business disruption or that it really hasn't come into the foray until the last year or two.
So now we're seeing major health systems down for a month or three weeks or something and millions of dollars daily being lost, that's sitting in the bottom line. So, so I think it's really important that, that the top down from the leadership, the board, the executives, that there's ownership, that this is a problem. It needs to be imperative. And so my organizations aren't experienced one of the [00:15:30]strategic imperatives that's woven in there.
It's a topic that the board, every time I go to present. So I think, I think it's getting people to aware of it and because there's many things that I'm seeing in my organization where people will think twice before clicking if anything looks suspicious, you know, cause we've had attempts to try to redirect our paid accounts, payables you know, we've seen where payer portals are getting compromised, just you know, are out there. And so I think it's, just helping the [00:16:00] business understand that even though we're in peace time in the US we're not actually fighting a world war you know, every individual is a potential victim.
And so just being aware of that. It's just kind of like having the neighborhood watch, in your neighborhood somebody can break in, maybe you live in a safe neighborhood, but it's possible. And so it's just being aware of it. I've already seen an increase in reported malicious activity.
We have a button that we we put on our, in our email client where you can just report it. We do respond to that. So I think that there's a lot that we need to do on the [00:16:30] process side. Getting people engaged, getting them, thinking that this is a problem and not just relying on technology.
Bill Russell: So, so Jim it's interesting being at CHIME and hearing the number of stories. So we, we heard the big brief stories we hear about. They're the news they're written about. And I think that has breached the board. It's reached the CEOs. And as you, as you mentioned, I mean, shutting down the health system is something that catches everybody's attention for 30, [00:17:00] 60 days, ish when these kinds of ransomware attacks happen. How do you, if you're going into the board, let's say next week, how do you quantify the cyber risk in order for them to understand it, get their arms around it, maybe even quantify for your team so they can get their arms around it so that you can, you can ask for the right amount of funds to do the things that you need to do.
Jim Brady: Yeah. So going to the board with a 50 page deck about firewalls and packet [00:17:30]encryption and stuff is like, that's a sleeper, okay. You're not going to get much. So any high level presentation of cyber security really needs to be focused on risk and it needs to be dollars. And that's ultimately what you want to get to.
So, it all starts in my opinion with getting that risk assessment. That's going to give you your foundation, your baseline, w so we're using the NIST cybersecurity framework. They have a, they have a maturity scale on one to five. And so, if you don't know the state of your organization [00:18:00] from that perspective, and that looks at people, process technology, then you really just, you're going to be talking to hot air so you want to make sure you have that assessment. And then it is possible to look at the high priority gaps that you're going to find. And then what's the likelihood of them occurring. What's the impact? What's the all that financial volatility that if that does happen from an actuarial perspective, like what the insurance companies do.
In other words, is it a one in 25 event? Is it a one in 50? A [00:18:30] hundred? One in 500? And what are the costs for that? You can look at the industry. There's a couple of models that can be used. Obviously you'd have to engage your insurance company or a broker or some companies that are doing this, but you can actually quantify the probability in what would be the expected loss on average for, some of these gaps and if you add them all up, you might have a $4 million loss likelihood in 2022, and maybe it's a 75%. And so, [00:19:00] coming to the board and, and sharing those numbers and then attaching them to the lines of business. It's like understanding how the health system makes its money. Is it specialty pharmacy? Is it by growth, et cetera? Is it by acquisitions and being able to talk in business terms with financial numbers and saying, Hey, if we do, if we do $2 million worth of stock closing some of these security gaps, we're going to address the probability of having, [00:19:30]we'll minimize by 50%, a $20 million loss. So I think it's just coming and having that conversation that definitely we'll get those members of the board talking.
They'll be able to relate to that because they are seeing in the news that there's health systems that can't collect revenue because their businesses impact.
Bill Russell: Yeah, I think the most prominent being the Scripps breach and I think their financials, they showed 110 to 115 million in loss for [00:20:00] the quarter that the breach happened.
You sorta look at that and you go, okay. They're roughly a $3 billion health system, 30 day outage, roughly a diversion and whatnot. That's $110 million. It's that kind of quantification, isn't it?
Jim Brady: Yeah. So if you have the ability to engage a firm that can help you get those numbers. Either add up all of the individual ones to come up with a big number or just, maybe take the top five and say, Hey, we want to do these top five.
We have to start somewhere. That'll be helpful. You can also just take a rough [00:20:30] guess. Just a high order of magnitude based on what other health systems are paying. So it isn't like you have to be a very large organization or have a lot of money. Because right now the problem is there's way too many security holes to, to address, to stop, ransomware and all that from happening.
Then there is money. Otherwise we're not going to be able to cap labs are going to have to stop a lot of the things that are going to generate revenue. So it said balance. But I think it's just given. The board and the leadership the tools, the [00:21:00] details so that they can make the right decision on how much should we invest in cybersecurity to address a potential loss versus not knowing it and all you give them it's like, well, we're a 2.5 on a one to five scale that, that doesn't necessarily resonate with them. And then I often get asked at every board meeting Jim what percentage of risk are you reducing each quarter? So, how do you, as a leader, come to your senior management and be able to quantify that, [00:21:30] Hey, we've just reduced it 10%.
And that's good, so there, there is Monte Carlo simulations, there's Bayesians and Alice's model. So we're not getting into all the details. I'm not a statistics person, but insurance companies have this down. They do this, they've been doing this for many years. So it is possible to engage, to get that level.
And I think if we could start, just approaching in that direction, I think we would have a lot more support, and we get more business by
Bill Russell: At the risk of, one of the things I feel like in cybersecurity is in [00:22:00] healthcare, we're always fighting the last battle. We're not fighting the next battle. We're fighting the last one. Right. But I'm going to talk about ransomware anyway, because I feel like it is the last battle, but it's still going on. And I'd like to hear from both of you on this. You know, which areas do you recommend CIOs focus on right now to minimize the ransomware risks. Ryan, we'll start with you.
Ryan Witt: If you want to use your phraseology, if you're fighting the ransomware battle, you're fighting the wrong battle. Okay. All right. If you're fighting the [00:22:30] ransomware battle, the likelihood of, of a bad actor being in your network, having an understanding of your environment, setting up some sort of command and control sort of environment is, is pretty high.
Okay. I mean, Ponemon has some data around this saying that bad actors are in your environment or in your network for up to six months before being detected. Let's say, Ponemon data's wrong. Let's say they're wrong by 50%. Let's say it's only three months, but they're still in your network for three months, right?
That's [00:23:00] like the equivalent in a physical security standpoint, if somebody's living in the closet of your spare bedroom for three months, figuring out your operations of how you run your family and then making some sort of determination based on that reconnaissance about what is the best level of exploit to launch against your, your environment. Your family.
Or in this case, your network. So you need to work, my argument would be, you need to work in very, very strongly to keep people out of your environment, [00:23:30] to keep people away from getting credentials. User credentials is the Nirvana state. It's what everybody is trying to get to. And they're so valuable because it offers, it unlocks parts of your sort of network and your environment, your kingdom, that they do not use that data lightly. They want to make sure they are able to exploit it when it's most beneficial for them to exploit it. So when they can maximize their ROI.
So. [00:24:00] I would work really, really hard on making sure that if you had any sort of external facing systems pointed to the web, that you lock them down, especially your can, I know that's hard or secondarily or in parallel, I would make sure you work really, really hard to make sure you preserve credentials as a primary focus of your cyber activity.
Bill Russell: Jim, are you finding that a majority of people have dual factor authentication and is that enough [00:24:30] protection or is it, do we need more than that at this point?
Jim Brady: Yeah. So I know all the organizations that I've been at, of course, it's, number of years when we've been progressing but no, we have our cyber insurance companies that are now confirming that you be MFA. You need privileged access management for where you, where are you have MFA and you're not just giving hundreds, if not thousands of domain or other high elevated, privileged access accounts and people just have them and they never changed the [00:25:00] passwords and their service accounts, which kind of run computers. So I think that they're saying that's tough with them. I mean, for the, for those that have come through the, the joy of the survey turned into a long inquisition where you have to you know answer a lot of questions.
That's very high priority. So I think I think we're okay in it but I don't think we're anywhere near, like our internal applications cause many of them are legacy. They don't support MFA. A lot of us do not have MFA on all of our applications. We're just, we're kind of focusing on maybe the cloud [00:25:30]based ones like Office 365 or you know G suite etc. So I think that's a big area of opportunity, there's a, I'm trying to think of the animal, but let's say a turtle. I'm not sure if a turtle has a soft underbelly, but you know, it we want to make it difficult for people to not get in, but it's like ants in my house.
It's like where did they come from? You know how did they get in? And so I think we spend a lot of time on trying to prevent people from coming in, but not enough time detecting, are they in? So just in a, Bill, you've lived in Southern [00:26:00] California, we have these little things called earthquakes and fires, but with fires you can't always prevent a fire. But what the fire department, they do focus on quickly responding to put that out as soon as possible. And I think, being able to respond, more effort in detection. So there's threat intelligence, there's technologies you can bring in where you're looking for anomalies. I think that's important. And we need to be able to, have that as part of our arsenal.
We can't just think that we can just block everybody from coming in because they're, as Ryan said, they're going to sneak [00:26:30] in. And then once they get in, if they're allowed to have stayed for a couple of months, they have the ability, I guarantee you at most organizations to go undetected, get with a regular account.
They could probably get a high elevated domain access if they're, if you're not using that privileged access management. So, so anyway, lots of things you can do, but I think just those two things kind of popped up.
Ryan Witt: I'm a realist, right? I mean, as much as I think there needs to be more investment in cybersecurity across the board for health care, I [00:27:00] understand. And there are a lot of factors that play here from a budget sort of standpoint, resources. There's a lot of constraints here. But I think one of the remedies here is understanding who is being attacked in your environment, because there is a lot of data. There's a lot of research about where bad actors are focusing their time and their energy. And Proofpoint certainly talks about this and others do as well.
But like if you have any sort of connection to your credential and environment, maybe you're in an IT [00:27:30] support function likely to have you being attacked. That's been exponentially higher. If you at all work in your supply chain, if you're working with your business associates, you have access to, to funds or you could approve funds, or you can help authorize who gets funds. You're being attacked.
If you have a research environment, you are most likely going to be subject to not only attack, probably attacked by nature and state actors. The people who are far more sophisticated and far more targeted [00:28:00] point being is you could probably look at a standard organization and say 10% of my user force, my workforce are much, much more targeted than the broad industry or the broad organization as a whole. That's a 10% where you want to double down on your security investments. You want to double down on your layering. You want to make sure they have access to your controls. And so it's one of the mitigating factors and say, okay, I can't do everything from a budget standpoint, but there [00:28:30] are 10% of my workforce I can actually make a difference with.
And I would think that's the kind of usable sort of action that somebody could take away from this sort of conversation and say, yeah. Okay. I can, I can work with that.
Bill Russell: So Jim, armed with that information, I mean, you just heard those three, three areas, I heard supply chain, I T, finance I heard research. Armed with that information how would you approach it as a CIO? I mean, does that information help you a fair amount to, to really focus in on [00:29:00] what you want to do?
Jim Brady: Yeah, and actually that's what happened to my organization. We had meetings with the CFO because of some of our third party portals, that there were attempts to phish and get their credentials or just use social engineering. We even had an attempt to call the help desk, see if they could change our multi-factor authentication number so somebody could get in. So, we're definitely. We're definitely seeing the attacks so just sharing that, sharing the attempts that we we do have some technology in place where we can [00:29:30] proactively look for fraud.
And so, having the CFO see that, understand it, and then we realized that, that, Hey, there's some things on the process side that the business needs to look at to also participate in a secure things and reduce the risk. So in other words, what's the process to change a routing number and bank account, et cetera.
Is it just, you got an email and it said to do it so you just click on it or do you have to actually go in and a human has to approve that. So what they've done on [00:30:00] the supply chain. And the finance side is, there's certain things now that a human must look at it, have a conversation, maybe check and it can't just be automated.
And so those are things because, you know, you're, you're subject to losing thousands, if not millions of dollars, because it's really easy to just click a button, but we can't trust, it's a little bit like the zero trust. You really have to not trust everything and not trust, but verify. I think some folks have said. So anyway, so we're having those conversations, they've changed their [00:30:30] processes so that so that we can be more secure and have more gates in place to check to make sure that things don't happen.
Bill Russell: I would think that's incredibly powerful, right? If I look in my neighborhood and you tell me, Hey, it's those four houses over there that have the highest risk, I could focus all my energy, not all my energy, but I could focus a significant amount of my budget on, on process controls on education, on technology, on layering, the technologies, as you talked about around those, those four houses. Now, eventually you're going to have [00:31:00] to take care of the whole neighborhood, but that's I think that's a really pragmatic approach to stretching your budget instead of trying to protect the whole thing with the same level across the board, because it's so expensive. And sometimes we talk about healthcare. Like it's one big thing. Like everything's an academic medical center and they're not. There's, you have the academic medical centers, which probably have the budgets and the money and the need if they're having nation state attacks.
But then we have the much [00:31:30] smaller health systems which have to protect against those same areas. Maybe not research, but they have to definitely protect supply chain and the security credentials, and they can be shut down just like a large health system actually, as we've seen over the last year.
Ryan Witt: But it, to illustrate the point. And you mentioned academic research center. We did some work. Proofpoint did some work with an academic healthcare institution, very prominent institution. They had, I don't know, a half dozen or so sort of research [00:32:00] institutes. Okay. But there was one of their institutes who had a particular area of study, which they were world renowned in.
I don't want to go into the detail, but they were world renowned in one of these areas of study. So once you actually looked at the detail and who was being attacked, sure the resource organization was particularly being attacked by bad actors, but this one Institute, one of their six had like five times more attacks than all the other research institutions combined.
And it [00:32:30] was a very specific level of research that, I mean, I can't, I never heard it before, but you know, that's doesn't matter, but they had a world renowned sort of position on and the bad actors, they go through the level of social engineering to understand that.
And like that's where their attacks were. We see this time and time again. It's not a coincidence, right. They understand where the monetizable activity is and they're putting their efforts there. And so that's, it's not only just about say research sure. [00:33:00] That's one of your four houses would be the research.
But in this example, there was actually one particular Institute that was getting exponentially way more activity. So when you have that level of insight about what is the threat landscape for your institution, it helps you a lot to go place your controls.
Bill Russell: You know one of the things you, said, Ryan, that really resonated with me is the technology's out there. We just have to get it implemented correctly and the training and whatnot, but focusing on [00:33:30] the technology again. And I hate to do that because I understand the mistake we make. A lot of just saying, well, we'll put this technology in and it'll solve the problem. It doesn't solve the problem in and of itself, but
Ryan Witt: Not to be in a really provocative at the end of the conversation but I'm, I'm glad the meaningful use era from a cyber standpoint is consigned to the dustbin because they pointed us in the wrong direction from a compliancy standpoint. And we didn't allow us to go tackle the security problem.
Bill Russell: But you know, one of the things that I heard two ransomware events while I [00:34:00] was on my travels over the last four weeks, and one of them was misconfigured. I mean, they got in through however, they got in through email, as you would imagine. But it was a misconfigured set of devices that gave them the lateral movement across the entire network, which gave them the ability to really shut down the system. The other one got in through again, a configuration error, essentially.
So human error, human error but they're getting in, but their architecture was such that the the incident was contained. It was contained [00:34:30] within a, within a spot. And so the two things I'd love to hear you comment on is how do we minimize the human error potential? And then the second is how big of a role does architecture play to minimizing our exposure to a full-blown ransomware attack?
Jim Brady: Okay. So I'll take a stab at that. I would, sadly many health systems, we are running around putting out fires answering re requests, keeping the lights on. And we don't [00:35:00] have the time to actually look back at our systems, security systems configurations and say, Hey, are we utilizing the system that we spend a million dollars on? And then is it up to date? We could be utilizing it, but is it even up to date? Are we keeping up with things? Such basic things is patching. Okay. Patching is not, as I mentioned earlier, is not sexy, but how many of us know for sure that all of our systems, particularly the external systems have the patches applied and how fast does [00:35:30] it take us to do that?
How many of us can say that we have all of the security systems that we spend a lot of money on that they're running at a hundred percent or 95%. So there's so many basic things. All, I think that that we are not there, we could just look internally and not spend another dime and just get what we've got fully utilized.
I think it's also important to realize that because hackers or attackers, that's the large ransomware gangs, and then they have a slew of ransomware affiliates that go in and do their bidding. They buy the [00:36:00] ransomware as a service in there, and then they go ahead and attack the clients and the customers. They're a lot more sophisticated.
They're focused, they're targeted, as Ryan mentioned, they're doing their research, but we're not, we're not in healthcare you know we're underfunded in many cases. We're not doing any research. We're not even using what we've got. So I think looking at a, there's a thing called the MITRE kill chain, there's concepts called the red team blue team purple team.
These are, this is where you change the structure of your security team. This [00:36:30] is you know what can you do from a security team perspective instead of it just being a what's called level one level two level three, where you just have that kind of very linear approach where you consider either using managed services or maybe some outsourcing, but get the level when it to get some automation, get some, get that so that you can actually look at the alerts because in many cases, the alerts are coming in by the hundreds and thousands, but we are not looking at those alerts because we're busy trying to you know satisfy a request or, we just are understaffed.
So I [00:37:00] think it's being smarter, looking at those basic requests that we have to do. And then taking the team that you do have left and then making them a little bit more like the attackers where you have the red team you're hunting, you're looking every day for anomalies, where you've got the blue team, that's looking at making sure all the systems are up and running.
And you're doing simulated insider threat. You know, you're, you're active. You're looking, you're checking, but right now I don't think that we're set up correctly because you are, [00:37:30] as I mentioned, underfunded, and we need to reshape ourselves to better address the level of attack that we're getting.
Bill Russell: It's interesting. I interviewed a CIO for a health system that did go through a ransomware event. And he said in order to get reconnected to his community connect partner and whatnot, he had to get a hundred percent patched. He had to verify he was a hundred percent patched. He said, it's the first time as a CIO for the health system, that he thinks that they were a hundred percent patched.
And here we were a couple of months away. He goes, [00:38:00] and my guess is probably not a hundred percent patched now. And it's, it's interesting to me, cause I remember back, I don't have the exact numbers, but it's roughly this. I mean, when I first came in as CIO we were mid to upper 80% patched. And I'm like, all right, well that means 10% of our systems aren't patched. That's, that's a problem. And there's reasons for some of them not being patched. And I get that. There's timing for it and what not to, you have to take into account. And I think that we drove that up, but again, I don't think we were ever a [00:38:30] hundred percent patched across the board.
And I guess is there, let me ask you this way. We always talk about people, process and technology. It's the age old where should I, if I gave you, I dunno, a million dollars. What percentage am I spending on people? Process and technology. I mean, is it, is it 30, 30, 30? Is it 30, 20 10? So people, process, technology.
Cause I know we need a bigger team. I know we need to [00:39:00] educate people and get better processes. And I know we need better technology, but what do you think their percentage is just roughly?
Jim Brady: We're going over our budget now anyways, so timely question. So I'm just thinking of our numbers that staffing with FTEs, it's a little expensive if you're going to, you want to keep the higher end people on your staff and manage services and particularly if you're looking at outsourcing or strategic sourcing. That actually is very valuable. You can get lower rates for, let's say a cyber [00:39:30] security operations center where they're kind of looking at everything.
So I would say it's about over 50% for sure on the staffing component. This is from an operational, like all of the money that you spend, operationally, of course.
Those of you guys that are in health systems that have to go through the CapEx OpEx dance. There may be some technologies that you have to put in that will bump up and exceed your staffing.
But those are just kind of one-time implementation types of things, but, so I would say at least 50% you'd want to reserve for that [00:40:00] because that's where you're, I think in general, we have a lot of tools that I mentioned. We're just not simply using. And then we need multiple layers too.
If somebody slips through one tool, then you should be able to catch them with another. But if you don't have time to be looking detecting in your you're busy, just fighting fires, and most likely you're going to, get hit and chances are you maybe like I listened to the Sky Lakes YouTube video.
That was pretty insightful. And thankfully they had backups. No attackers actually can go after your backups. [00:40:30] Even if they're what's called immutable where they, they're read only and they can't be changed, there is a way to hack into them so that you can change their expiration dates so that they get deleted.
So there's things that, there's things that we just have to be spending a little bit of time on to protect. We can't assume that we can just go to backups because there isn't a way to get around those. So, yeah. So that's my thoughts.
Bill Russell: Wow. Ryan, people, process, technology. Where are you investing the million dollars I just gave you?
Ryan Witt: Well, I was going to jokingly say you can't get people at all. [00:41:00] So it is true.
Bill Russell: There's a lot of truth to that.
Ryan Witt: Right? So maybe we'd like to invest 50%, but that's probably not achievable. So I think it probably is a little bit situation more dependent. I guess I'm the example of the, of the carpenter only has a hammer. So I think I look at technology as, as one of the solutions and I don't see technology readily deployed. I mean, Jim started off this conversation talking about the wonders of isolation technology, and I think you're absolutely right. [00:41:30] But I think the last data I saw it, and this one is isolation tech capability was maybe deployed at 15 to 20% of healthcare institutions.
So I'm not trying to say it's all about technology, but there are some easy wins out there. A multi-factor is still not as broadly deployed as we like it to see it be. Micro-segmentation which is something I think maybe you referenced a little bit earlier, Bill, about they were able to containerize that ransomware event.
I'm guessing they probably use that. I don't know. [00:42:00] But so my point is there are, there are some easier wins if you haven't made those initial investments. There are some easy wins out there that can pay, I think, exponentially higher dividends initially. If you're already down that path, then I think processes investment, seeing where you fit on some of the frameworks that come from NIST or MITRE or others, there's a good sort of benchmarking and guideline. But I think technology is a really worthwhile investment. And I was a little bit [00:42:30] struck by your statement earlier about patches being deployed. And I understand that I don't, I have not walked in that sort of role. So I don't, I don't mean what I'm going to say at any sort of way to be disrespectful but I also wonder if maybe we need to rethink our whole attitudes towards this in the same way that athletes used to roll up to spring training. Oh I need spring training to get in shape for the season. No no no. You should be rolling up to spring training in shape and fine tune for the season.
I just want to, [00:43:00] maybe we need to rethink our expectations, our attitudes towards the whole way we look at our, our IT architectures with the idea of getting much closer to that hundred percent sort of patching.
Bill Russell: Yep. I agree. Ryan. I want you to get to comment on cyber insurance and then I want to come back to both of you with key takeaways. With regard to cyber insurance, interesting conversations with CIOs, who've gone through ransomware events that the first time they read their cyber insurance policy was, was just right after the [00:43:30] event happened. And then they were surprised by what was in it and how prescriptive it was and other things that were in it. But what would your coaching be, with besides read it, to CIOs about the cyber insurance policy?
Ryan Witt: You know, I've heard a few, a few CIOs say to me very recently, like we're seriously considering self-insurance right now because of the the level of work we have to do to, just to adhere to the, to the policy sort of questionnaire.
They used to be like a, an hour or [00:44:00] two sort of work. Now it's a tens of hours. Try just to fill out the questionnaire. And then the level of sort of caveats in place just means that they don't have confidence that could, they actually really utilize the cyber insurance if they have that sort of event. So I'm seeing a lot more interest in, should we use cyber? Should we self-insure or.
Bill Russell: And that, that makes sense. I mean, one of the people told me when the event happened, they read their policy and [00:44:30] the insurance company came in and essentially, put the tape around the site and said, do not disturb touch their systems for I think it was 48 hours while everybody's sort of descended, looked at the environment and determined all the things that they were going to do. So they, I mean, just flat out we're down for 48 hours before they could do anything.
Ryan Witt: Right. And I think if you look at now, all the caveats that have they've put in place in terms of what must you have in, kind of installed to make sure you qualify for insurance, if you did all [00:45:00] those things, you're likely to having a cyber event is extremely low.
Anyway, because they're talking about doing all the things that Jim and I had been talking on this call, like making sure you have your investments in your, in your technology and your processes, you have the people in place. And if you did all that stuff, you probably, I'm not saying you don't need cyber insurance, but it goes a long, you would have solved a lot of your problems anyway. Cyber insurance would kind of there to address.
Bill Russell: Yep. All right. Let's close on this. Key takeaways. So you've been at CHIME. We've just had this conversation. [00:45:30] What are key takeaways? If I'm a CIO or a CISO for a health system today? What do you want me to walk away from this conversation with? Ryan, we'll start with you.
Ryan Witt: I think don't let up. I mean we are at a long sort of runway of unprecedented level of cyber attacks that just not going to dissipate until we as industry find a way to keep the bad actors that day. For the most part, they are attacking your people, your people, your most vulnerable sort of asset in your environment.
They have the [00:46:00] access to the information and the monetizable activity that your bad actors want. So making sure that you understand that that sort of threat vector, and you're doing everything you can to keep your key people in your institutions protected. Not because it's the right thing to do.
Not because it's good for your brand. Not because OCR says you have to, you don't want to be on their wall of shame but because it helps you deliver against your mission.
Bill Russell: Absolutely. Jim, you get the last word.
Jim Brady: Well, we talked about a lot of different things, topics, people, process [00:46:30] technology. So I think just like maybe just a couple of things in closing is as we did in the beginning of COVID, we realized that we could laser focus, you know, stop doing a lot of the things that, the many pots on the stove and successfully do a few things exceptionally well. I think we've all experienced that with the recent surge.
I think we're kind of having to go back to that. So I think we can because now cybersecurity is an organizational risk. It should be an imperative. I think we need to give it some focus from a risk [00:47:00] management perspective. You know, it talked about if you can quantify it, that's great where there's we've got to get the board and the senior leaders to buy in to own the success or failure of risk management.
So I think that's key to doing it from the bottom up. This is going to be really difficult or we'll struggle and so I think, the best way is to get, get that top level buy-in. Second thing, we didn't talk about a ransomware readiness assessment. So those are things that you can do to say, Hey, I I've done my risk analysis.
I've done my HIPAA risk [00:47:30] assessment, et cetera. Now you can actually bring in a somebody to take a look and say, are you ready for a ransomware event? Do you have the communications? I mean, if something is going to have a really impactful effect on your organization. Everybody needs to be involved.
They need to know what they're supposed to do. What does the CEO is supposed to do in the first 24 hours. Or about the next 48 hours. So you have to have a run book. Many organizations have not gotten this far, so if something catastrophic was going to happen, like the case of that one [00:48:00] organization that all they had were cell phones and Cisco WebEx, I think that was all they had to communicate.
That's called mayhem. And, we can be prepared. So it's just doing a little bit of emergency preparedness. So I think that's important. We didn't talk much about third party risk management. A large percentage of our breaches, et cetera compromises do come from our, our business associates.
So getting kind of better managing that. And then lastly, I would like to just add that, large or medium sized, complex [00:48:30] academic health systems, or maybe not academic, we have but mergers acquisitions and we bring in different entities but we don't want manage their risk. We don't manage their IT but they're connected to our networks.
They're using our systems, et cetera. So it really looking at those entities and assessing the risk and then making an intelligent decision I think would be helpful. So there's a lot of organizations I think that, that are like that. That could, that could stand to get that improved.
Bill Russell: You know, Jim, you bring up a great topic for a future podcast, [00:49:00] which would be cybersecurity practices through M and A. Because when two companies come together, I think some things sort of get lax and you think that they would get more than the other direction, but sometimes they get lax cause somebody is getting acquired. And so they are worried about their jobs and they want to be good people and be deemed easier to work with and all that stuff. There's just a hole. And then just the whole practices. M and A is not something you go through all the time. It's something that you go through maybe once or [00:49:30] twice in your career, if you're lucky. But there's just a whole set of practices around that.
Jim Brady: To your point though, there, in addition to M and A's many organizations are constantly adding new organizations or they're selling or doing various things. So I think it's, there's the big mergers. And then there's the small, the spring of this home health organization let's get rid of half of them whatever. And so I think that, but I think those are areas we can focus on also.
Bill Russell: Absolutely. Gentlemen, thank you for your time and sharing your experience. [00:50:00] I really appreciate it.
Jim Brady: Thanks Bill. Appreciate it.
Bill Russell: What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It's conference level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We're out there. They can [00:50:30] find us. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. Thanks for listening. That's all for now.