This Week Health


October 25: Today on TownHall Aubrey King, Solutions Architect for F5 has a conversation with Brian McHenry, Vice President of BIG-IP and NGINX Security at F5 about the threat of ransomware, and the measures you can take to make sure you don’t end up in a ransomware event in the first place. What does he see as the most pressing threats to the healthcare industry today? What does he see as the best first line of defense against ransomware? What other devices within the healthcare environment specifically could be prone to infection that we aren't currently looking at?

Sign up for our webinar: Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care - Thursday November 3 2022: 1pm ET / 10am PT. https://thisweekhealth.com/cyber-insecurity-in-healthcare-the-cost-and-impact-on-patient-safety-and-care_cybersecurity/

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

Sometimes they're so incompetent that even if they give you the keys, the crypto keys to unlock the data that they've locked up or the systems that they've locked up, it might not.

Because they're, it's not like anybody's QAing the ransomware software to make sure it works the way it's supposed to. So, paying the ransom isn't even a guarantee. There's other things we can do to make sure we don't get to that position in the first place.

Welcome to This Week Health Community. This is TownHall a show hosted by leaders on the front lines with interviews of people making things happen in healthcare with technology. My name is Bill Russell, the creator of This Week Health, a set of channels designed to amplify great thinking to propel healthcare forward. We want to thank our show sponsors Olive, Rubrik, Trellix, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. Now onto our show.

Hello, welcome. I'm Aubrey King from DevCentral at F5, and today I'm joined by Brian McHenry, who is our Vice President of BIG-IP and NGINX Security. Brian, how are you today?

I'm great, Aubrey. Good to be spending time with you once again.

Agreed. Agreed. A little bit of a different format. Used to be out in the field and now here we are behind cameras

all grown up.

That's right. That's. And so today I think we're gonna be talking a little bit about how the healthcare industry is impacted by modern security threats today. And specifically you were going to talk about how that impacts the C-suite. That's correct, yes.

Yeah. I really want to talk about the CISO or chief security officer perspective on how to manage risks and maybe some perspectives on what these threats are and what kind of risks they expose and certain key areas to focus on to help, you know, mitigate and reduce the risk.

Well, with your position, I think it seems fairly clear that you must have a pretty big bird's eye view of the industry as a whole.

So what do you see as the most pressing threats to the healthcare industry?

Well, in my role at F5, I'm responsible for leading our security strategy on those BIG-IP and NGINX security solutions for our deployable products. And we spend a lot of time thinking about everything our customers face with regard to new and emerging threats or even old ones that need new types of mitigations or countermeasures. And, you know, I stay rooted even though I'm on the product side now. I really stay rooted in my customer background and my technical sales background where I was a fierce customer advocate, or at least I like to think I was fierce. And as I look at and talk to CISOs, we recently had a customer advisory board with a group of CISOs.

We're about to have another. One of the things I hear about is ransomware. And obviously this is high profile, it's in the news a lot, but in particular, healthcare providers are being targeted. Hospitals in particular are being held ransom. It's become a truly life or death situation in many cases where, you know, admin, hospital administrators might be locked out of their workstations and be unable to properly monitor the health of patients.

Or, something even worse when it comes to medical device security, where someone's life may actually be on the line. So I can't imagine a much more stressful position than CSO in many cases. But CSO of a healthcare institution has gotta be, you know, sort of the peak stress level position.

So the more information we can put in the hands of our valued customers and our stakeholders in the healthcare industry as far as mitigating threats, the better.

Boy, I would imagine that the ransoms could get fairly sizeable for some of. Hospital systems. I mean, if you're, if you're let's say a bad actor that has had an opportunity to infect an entire hospital system or a good chunk of it boy that, that would be, as you said, very difficult for a CSO to be able to deal with.

Yeah, absolutely. So there have been documented cases where tens or even hundreds of thousands of dollars been demanded in. And the trouble with ransomware is even if you pay the money, there's no guarantee that they'll unlock your systems or release your data. In fact, sometimes they're so incompetent that even if they give you the keys, the crypto keys to unlock the data that they've locked up or the systems that they've locked up, it might not.

Because they're, it's not like anybody's QAing the ransomware software to make sure it works the way it's supposed to. So, paying the ransom isn't even a guarantee. And so there's a lot of good advice out there in terms of making sure you're backed up, making sure you can recover your data and you don't need to pay the ransom.

But there's other things we can do to make sure we don't get to that position in the first place. Right. So it's good to have the insurance plan in terms. Make sure if I have been infected, I have a way to recover. And you should always have that in place. But there's some other things you should do as far as, you know, ransomware is just a very particular type of malware, so important that you realize, when you're making your plans, that ransomware isn't something special that needs, it's a new class of malware really. So you really just gotta, you know, bone up your malware prevention activities. And there's a wide range of things that should be done to lessen the risk of malware infection in any given environment, but especially healthcare environments.

So with ransomware, have we found that, or, or are you seeing that it may be more effective to deal with ransomware, say at the systems level, at the edge level out in the cloud or a combination of, of all three?

It's always defense in depth and, in fact, the first place to deal with ransomware and malware, the first layer of defense in my view, and in some people's views may be the weakest link, is actually at the human interface level.

There's a lot of varying opinions on security awareness training. But I think a lot of those opinions that tend toward the negative really might be from people who don't realize that not everybody is tech savvy. And we have a lot of valuable workers in all our organizations who contribute in a variety of ways.

But most pervasively have access to computers and the internet. So the first line of defense: educate your users and educate them on a regular basis. It's not a one and done type of thing. It's not a new employee onboarding activity. It's a quarterly activity or a monthly activity where you roll out consumable, bite-sized awareness training that can enable, you know, even the average non-technical or non-tech savvy user to identify when they've been targeted and when something might be unsafe. And so get everybody thinking in that sort of security mindset and putting, you know, owning their part of keeping the organization secure. So that's the first line of defense for sure.

We'll return to our show in just a moment. I wanted to take a second to share our upcoming webinar, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. Cyber criminals have shut down clinical trials and treatment studies, cut off hospitals' access to patient records, demanding multimillion dollar ransoms for their return. Our webinar will discuss IT budgeting, project priority, and in distress communication amongst other things, to serve our patients affected by cyber criminals. Join us on November 3rd for this critical conversation. You can register on our website, thisweekhealth.com. Click on the upcoming webinar section in the top right hand corner. I look forward to seeing you there.

So what about beyond awareness training? What other kinds of things are proving to be fairly effective?

So the number one thing in any kind of security program, no matter what you're trying to fight, malware or otherwise, is to track the data paths. How does data get in and out of your infrastructure? So if you have edge layer security through a content delivery network or something of that nature, certainly look into what you have.

Make sure you know you've got inspection tools in your DMZ that are able to inspect encrypted traffic. HTTPS is 80 plus percent of the internet now. So even if you're blocking all the usual ports, but you're letting HTTPS in and/or out of your network, that's an encrypted tunnel.

Make sure you have visibility tools in place so that, you know, your next gen firewall, your IPS, intrusion prevention systems, your malware detection systems, make sure that they have visibility to the traffic that's encrypted. And then also look at some lesser known or lesser considered paths.

So one of the big paths in and out of a network that goes overlooked, and we're getting better at looking at it, is DNS. I highly recommend that you look at what are you doing to inspect DNS traffic. Ensure that it is DNS traffic flowing over port 53. Sometimes it's actually HTTPS traffic flowing if you're not at least validating the protocol.

Even if it is DNS, sometimes they can be smuggling data out in the payload of a DNS packet. And so these are usually unfettered paths out of your network infrastructure that the malware that gets loaded on a machine is looking for that path out. Some of the more advanced, more sophisticated pieces of malware are probing for these paths out, not just looking out HTTP ports, but also looking out over paths for things like DNS, which are usually maybe less inspected, and this is gonna be even more important as things like DoH, DNS over HTTPS, or DNS over TLS, DoT, oblivious DNS. There's all these new security, more secure ways of transmitting DNS traffic that make it harder to inspect.

So the sooner you get DNS inspection tools and, and protocols in place the more prepared you'll be for the coming change and flip to more encrypted DNS traffic. So definitely just inspect data paths. Like how does data get to and from either hosts on your network, whether those are systems and servers or, desktops and laptops that are, workstations for your employees.

So are there other portions of the environment besides kind of your usual infected bits like servers and desktops in the environment? What else is specific to healthcare that we're maybe not looking at?

Well, that's, you know, healthcare is, really interesting, right?

And I mentioned before that sometimes the devices that are targeted are not your standard laptop, desktop, server. They're life and death pieces of technology that are internet or otherwise network connected. So we're talking about things, everything from a heart monitor to a pacemaker, which can be Bluetooth or wifi connected, believe it or not.

These are things like insulin pumps, other types of, an MRI machine. All these things are network connected, whether it's to transmit images out or data out about a given patient's status or what have you. So if these things get hacked or otherwise compromised, someone can die. Someone's information sent, very sensitive medical information, can be transmitted to someplace it should not be.

So the doubling that problem is that these fall under the category of IoT, Internet of Things, right? And one of the pervasive problems with Internet of Things is that typically these are things that don't have large amounts of storage. So they tend to have embedded firmware. They're not necessarily running a standard operating system where we can put standard controls in place, like antivirus and device management. They often are subject to things like default password usage, default administrative password.

So anybody actually walking through a hospital ward could actually, if they knew what to target, scan for something listening and brute force some passwords to compromise a device. So this stuff is very serious and it's important that you at a very minimum audit the use of default passwords on these devices and turn off any connectivity that's not necessary.

So if you've got a machine that can listen on Bluetooth, turn that mechanism off on that device and keep it safe. Disconnected is often the safest way to make sure something doesn't get infected. So whether it's making sure there's no default passwords in use or making sure that things that don't need to be connected are not connected and are not enabled to do so.

That's really the key for me when I think about medical device security. And if you want to take it a step further, think about all the things I just talked about in terms of data paths. What are the data paths to and from those pieces of equipment? Make sure that you're inspecting the data that's transiting in and out so that you're aware of at least what's being attempted, and make sure there's nothing abnormal, and you can do some anomaly detection and at least forensics if something were to happen.

Nice. It's funny, having worked on an IoT project with a former customer that was actually for pacemakers. It always sort of makes me cringe when I see people laugh. IoT hacks with refrigerators and, mm-hmm, and microwaves and things like that. It really, and as we're talking about today, for a CISO in the healthcare industry, that creates some truly unique and scary situations.

Yeah, I mean, we need to look no further back than maybe a few years ago when we had the Mirai and then the Persirai thingbots that infections were whole legions of self-replicating IoT devices, whether they were home routers, security cameras, that were co-opted all over the internet, you basically, the use of default passwords and these things were, you know, it was a little less serious because we're not talking about life or death situations, but these things were compromised and then they kind of laid in wait, and then were used for some of the largest scale DDoS attacks we've ever seen.

And so, you know, there's all different types of risks, but the stakes, as I've mentioned numerous times now, the stakes in the medical and healthcare community and healthcare industry are much. And in particularly, when we're talking about hospitals and places where there are beds and people who are under active medical care.

So that is a fairly stark view of the industry. But definitely highlights some of the challenges that are out there. Brian, thank you so much for your time today. It's always great to talk to you about some of the latest challenges that we're seeing out. And this time for the healthcare industry.

Aubrey, always happy to share what I know. Sometimes I'm not sure if I know much of use, but hopefully a few people in the audience today learn something new or find a new avenue to investigate and help make their environment a little bit more secure.

All right, well, once again, I'm Aubrey King with DevCentral at F5, and have a great day.

I really love this show. I love hearing from people on the front lines. I love hearing from these leaders and we want to thank our hosts who continue to support the community by developing this great content. We also want to thank our show sponsors, Olive, Rubrik, Trellix, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders.

If you wanna support the show, let someone know about our shows. They all start with This Week Health and you can find them wherever you listen to podcasts. There's Keynote, TownHall and Newsroom. Check them out today. And thanks for listening. That's all for now.

Amplify great thinking to propel healthcare forward and raise up the next generation of health leaders.

© Copyright 2022 Health Lyrics All rights reserved