September 21, 2022: Now more than ever, healthcare organizations must give patients easier access to their health data and focus on reducing friction. The challenge comes with balancing the need for improved user experience with the importance of adopting appropriate security measures to guard sensitive data. During this solution showcase with Lane Williams, Director of Solutions Engineering at F5, and Jason LaValle, Senior Solutions Architect at Sirius Healthcare (a CDW company), we cover:
• Attack evolution – Discover how attackers evolve their online schemes to take advantage of inherent vulnerabilities on web and mobile applications.
• Countermeasure efficacy – Address the whole spectrum of automated application attacks and digital fraud abuse by abandoning traditional point solutions.
• Identity and access management – Understand how healthcare organizations can protect PHI and their brand without compromising user experience or patient access to personal information.
What kind of attacks are coming for healthcare? What are the inherent vulnerabilities that they're going after? Are we seeing a difference between web attacks and mobile attacks? Are there different types of attacks for different types of devices? How do you create a framework that addresses all of the different attacks? Having dual factor is critical, but no longer good enough; you also need protection on the edge. What opportunities do we have to identify fraud within our medical devices? Is there an architecture we should consider having in place?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
That's where a web application firewall product is very important, because now I can look at what exactly is the user doing? Are they acting like a user? And then bot protection comes into play as well. With artificial intelligence in the field, now these attackers are getting more sophisticated, where they're writing AI programs basically to duplicate the effect.
All right. Welcome to a solution showcase. Today I have the privilege of talking with Lane Williams with F5 and Jason LaValle, who is with Sirius Healthcare, a CDW company, and a solutions architect. We talk about how to protect your applications. Quite frankly, the world is changing; you could see 500 to a thousand attacks coming per second as they try to get in.
Only a small portion of those have to be correct in order for them to gain access to your health system. And so what does it look like to identify the behaviors that are appropriate or inappropriate in those cases, and start to block those behaviors? We have that conversation and more today on the show. My name's Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. You can subscribe wherever you listen to podcasts: Apple, Google, Spotify, Stitcher, Overcast. We try to be everywhere so you can find us. And if you can't find us there, just go over to thisweekhealth.com and subscribe there as well. And now onto today's show.
All right, today we have a great discussion. We're gonna talk about fraud platforms and how it pertains to healthcare. And we're gonna be talking to some people who are on the front lines working on some of this stuff. We have Lane Williams, director of solution engineering at F5 Networks, and Jason LaValle, senior solutions architect, network security at Sirius, a CDW company. Gentlemen, welcome to the show.
Look forward to the conversation. Hey, good morning, morning. So we have a lot of things going on in healthcare. One is 21st Century Cures. We have a lot of things that we have to make available. We have to be able to share data pretty readily and we have to reduce the friction in that whole process. And the challenge is really balancing the need for the improved user experience and the shareability of that data, and really the importance of adopting the appropriate security measures to guard that sensitive data. That's a pretty complex puzzle. I mean, that's a pretty significant Rubik's cube to solve, isn't it?
Yeah, without question. And it was, I think, compounded by COVID times, where you had a lot more telehealth and providers moving more towards online than inpatient visits because of some of the constraints that we saw there. So how do you make it easier for a large demographic, some who are better online than not? And how do you reduce the friction of that as well as make it secure? Because there is a lot of very, very sensitive information in the healthcare space.
So whenever we're talking about protection and security, I like to step on the other side for a minute and talk about the evolution of the attacks and what's coming at us. What is coming at us? Jason, what kind of attacks are we seeing come at us, and what are the inherent vulnerabilities that they're going after within healthcare?
Attacks have, to your point, evolved over the years. Many years ago it was simply a TCP or UDP port attack or a DDoS. At this point now, attackers are acting like real users.
So now I have to get intelligence to look at the application itself and do more profiling, where I might look at an example: someone might be trying to log in a hundred times a second or something along those lines, whereas a user is not gonna actually do that. So a lot of the attacks that we're seeing are geared more towards web applications on the edge, say, for example, MyChart. That's a common one that a lot of people use from an EMR standpoint. And a lot of the attacks are based around web attacks and getting that information.
So they will look like me, act like me, appear to be me when they get into the system. So essentially the system will say, hey, this is Bill, I'm gonna give you access to Bill's stuff.
Yes, correct. And that's where a web application firewall product is very important, because now I can look at what exactly is the user doing? Are they acting like a user? And then bot protection comes into play as well. With artificial intelligence in the field, now these attackers are getting more sophisticated, where they're writing AI programs basically to duplicate the effect.
Interesting. Are we seeing a difference between web attacks and mobile attacks, or has the technology sort of morphed so much that a webpage and a mobile application are similar? Are there different types of attacks for different types of devices?
They're very similar. With Android and iPhone, there's different vulnerabilities with some of these phones, and that's why it's important to keep your phone up to date as well. But from a web application standpoint, from what I see, it's very similar in the attack vector group: very similar profiling, very similar type attacks.
Lane, I wanna come back to you. So we're hearing these attacks. They look like me, they act like me. In some cases they probably are me, and I just, the first couple times I logged in, I forgot my password and screwed up. But you know, how do you create a framework that addresses all the different things that are coming at healthcare systems today?
Yeah. And it's funny, you hit the nail on the head, because sometimes it really is you that is logging in. And so you have a situation where on the attacker side there is a value chain, right? So when you hear about these data breaches that happen where usernames and passwords are lost, the attackers will take that and run these credential stuffing attacks, where they'll take millions of username and password combinations and just set them against the application and see which ones work. Right. And even if you have a half percent success rate, that's still very good, cuz it's just a law of big numbers. And so because of that, they can take over your account. And once they're in, there's a lot of valuable information, whether it's your protected health information, your financial information, maybe even prescription information. Jason mentioned MyChart earlier, so there's a lot of information that's available there to those attackers to either go ahead and make money off of it there, or use that in other situations, right?
Because once they have all of your PII and your PHI, they can pretty much create an account for most anything for you on other systems. And so it's really important to understand that automated aspect of it, because those credential stuffing attacks only work well at scale, right? If you sat in front of your computer, it would take you a long time to do all of that.
And so the automation is a very, very important part of that. The one thing I will mention is that because there is a lot of value that you can extract from healthcare, the attackers will always kind of keep on upping their attacks. As long as that cost benefit analysis, from their perspective, says they can still make money, and in healthcare you can still make a lot of money, they'll continue to ramp up the attacks and make them more complex.
I know there's gonna be some users sitting here going, hey, we did dual factor authentication, we're good. Right? Don't you think we would hear that if we were sitting in front of a group of people? Somebody would say, yeah, we do dual factor, we're good. Is that not the case?
No. I mean, it's definitely a step in the right direction. It's very critical to have dual factor, but it's no longer good enough, because these attackers have become so sophisticated. A lot of companies, they're on the edge and they don't even know it.
They've been infected with something. If you even Google it, there's a lot of information out on how sophisticated these attackers are. There's forums and there's groups of hackers that are behind the scenes. So they collaborate and they work together and things of that nature. So dual factor is definitely a step in the right direction and critical, but it's not good enough. You need protection on the edge.
Now you're just scaring me. If they can get around dual factor authentication, which, I would assume, somehow you have to hijack that second factor and get that information in order to get through if you're coming through the front door. And if those things are possible, what kind of tools and what kind of things can we set up in order to protect our health systems?
Yeah. With that, you have different options, and Jason makes a very good point where you have to make it more difficult for them, because if not, they will just have the lowest cost attack and they will just continue to kind of get through. And so really, let's look at automation first, right, because that's where they're gonna have the lowest cost, and that's where they're gonna start. And so from an automation standpoint, you have the ability to really actively interrogate the request coming in and try to understand who's making that request.
What's the device look like? What's the mobile device? What's the web browser, depending on what the application is? And if you're an attacker, you have to rent a botnet, and you can make that a North American only botnet, it can be global, but you don't get your choice over the device and the web browser.
And so you have to write a script on top of that that says, I am this device and I am this web browser. And then I have to go ahead and programmatically set it up where either I need to answer a CAPTCHA through an API, cuz there are third party CAPTCHA answering services, or where my usernames and passwords are coming from, my mouse movements and all that.
And so you have to script all of that. And when you start to do that at scale, it becomes very apparent that this is automation, because you would've checked the browser to say, well, hold on a second. You say you're this version of Firefox, but I did a check on your browser. You're actually this other version of Chrome, right?
Or this other device. And so you can kind of peer through. And I like to think of it as layer eight information, right, on the OSI stack. It's really that client side information where you're not really collecting any kind of PII, but just determining, are you really who you say you are from a device and a browser perspective, from the standpoint of looking at automated fraud.
Over time, you're examining what is normal activity on our network? What's normal access activity? What's normal access activity by this user? Are you storing all that information so that you can say, hey, look, this user doesn't usually log in this way, doesn't usually look this way?
They don't usually come in from an Android device. In fact, the last 50 times they logged in, they came in from an iOS device. I mean, that's the kind of stuff that, is that enough to keep somebody from coming in, or is that just enough to sort of trigger an alert of some kind?
Yeah. Well, you bring up an interesting point, right? If I'm automated, we can determine, right, actively interrogate to figure out, are you lying or are you not, on the device and the web browser and all these kinds of factors that we look at. And so we can filter out that automation so that you just have people coming in.
And so, Bill, to your point, is this the same person, or is this actually Bill Russell? Right? That's kind of the big question, because once you start to mitigate the automation, there'll start to be manual fraud, where you have people and click farms with lists of usernames and passwords that are trying to log in as you, right?
And so once you get to that point, there's a couple different things that you can look at. So one, their behavior, right, and some of this biometric information. So is this same device trying to log into many, many different accounts, right? Is this person coming in from a VPN? What's the local time on the machine versus what's being advertised in the HTTP request?
And there are a lot of factors that you can look at that may determine whether that is fraudulent or not. And to your point, many fraudsters, once they get into your application, behave differently. So from the F5 perspective, we're trying to really look for fraud as opposed to establishing this is Bill Russell. Right? So instead of looking for known good, we're looking for known bad.
Interesting. What about things that aren't users, devices that are logging in? Right? So we have a ton of medical devices that log into our Active Directory every day. What opportunity do we have to identify fraud that's taking place through those channels?
Yeah. And so in those situations, it's a little more difficult to kind of interrogate those requests, but that's where the WAF comes in, to be able to help understand that, and some of the API protection, because most of those devices are just accessing APIs.
And so using your WAF as well as implementing zero trust policies are gonna help secure that request coming in from those devices.
So we're getting to a point where some of the traditional things, dual factor authentication, CAPTCHA we've talked about, I mean, essentially all the really cool tools we're using in healthcare to automate things, this robotic process automation that we keep talking about and how awesome it is that we can process claims and whatnot on these older systems, because it can learn our keystrokes. It can learn even mouse movements and all that other stuff. So we can process claims faster than we ever have before.
Those same things are being used against us, essentially, at this point. And they can mimic any kind of activity that we normally do. Where are we seeing this in use in healthcare, where health systems are starting to really analyze the behavior of the actors on the network?
Jason, we'll come back to you. Where are we seeing healthcare start to really look at this, at the behavior of a device, the behavior of an actor on the other end of the device?
And I think it's important to touch on the medical device piece that we just mentioned. There are solutions out there that identify medical devices on the network. And I think the biggest thing I see with a lot of the clients is they don't know what's on their network today. And if you don't know what's on your network, you don't know what to protect yourself from. Without saying any product names, there are some solutions that give you visibility into those medical devices.
To where now I can understand I have an infusion pump, I have a CT scan, I have a pacemaker machine, whatever it might be. Getting that visibility is the first step. And that's where I'm seeing a lot of the companies go to now; they're putting in solutions to identify those medical devices. So back to your point, Bill, about where companies are going internally on the network, it's really hard, because a lot of applications are kick. I will say in healthcare, some are running DOS. Some are still running Windows, older versions of Windows. So a lot of these bad actors, if you will, find these vulnerabilities on these systems, and that's where it goes back to what Lane was saying: a lot of these vendors need external access to remote in and work on these systems. So now as an actor, I can pretend I'm a vendor coming in to work on maybe an infusion pump or a device of some kind. So that's where a lot of these organizations are today.
Yeah. And then we have to worry about lateral movement once they get through. It's not just, hey, why would they wanna get to that device? Well, if they get to that device, that's a gateway to other parts of the network. It's interesting as we look at this. MyChart was mentioned earlier, but as we're developing new applications and whatnot to go out onto our network, is there an architecture that we should be thinking about?
Let's assume my health system was gonna start writing some mobile applications and whatnot. Is there an architecture we should consider having in place in order to protect that new mobile application? Lane, we'll come back to you.
Yeah. I mean, you hear more and more about zero trust, and it's not really a one stop thing, right? It's more of a journey, and it's a continual kind of evolution, because to your point, being able to stop any kind of lateral movement, right. The way I think about it is, when the event happens, it's usually not gonna be an if it happens, but when it happens, how can I control the blast radius?
Right. And how can I control and minimize the impact to my network? And so whether it's vendors coming in and bad actors taking advantage of some of those polls you leave for some of your vendors, those are all ways that I think zero trust can be a big help and minimize the impact that an event's gonna have on your customers and your network.
Start throwing some of the acronyms at me, though. I mean, what are some of the things I need to have in place to ensure that we are protected? You talked about firewalls and that kind of stuff, but the next generation, what kind of devices, what kind of technologies do we need to have in place?
I'll talk about the external, right? So external facing, and then I'll let Jason talk about some of the more internal facing aspects. But you have the situation where you have authorized and unauthorized people coming into your network, right? So for the unauthorized, right, you've got your web application firewalls that are required, because you're protecting against any type of flaws in the application itself.
And then you need a bot management solution, right, to stop that automation. And then you also need a way to understand the biometrics, so you can take that information and put it into your SIEM or some other tool of choice to really understand, what are the alerts that I need to set up to make sure that I don't have some of these manual bad actors coming in the door? And that could even be an aggregator, so that once they come in, right, cuz maybe they're allowed in by some member or something like that, but maybe they start scraping EOB, or sorry, explanation of benefit information.
Right. And that's something that maybe the provider doesn't want. Right. So being able to understand that biometric information. But there are a lot of technologies that, again, once they're in, how do you kind of control that?
Yeah. And that comes to you, Jason. What are we looking at internally? What kind of technologies?
An IoMT device tracker, for starters. And we've all heard of IoT; now there's IoMT, Internet of Medical Things. Definitely you need visibility into your medical devices to understand what's on your network. Lane mentioned WAF. I've seen some clients put WAF internally as well.
Some companies access MyChart internally for their employees and such, to your point, Bill, about that lateral movement. Once I'm in, now I can go anywhere. Zero trust is another big thing a lot of clients are going to, but it's really a very complicated architecture. You really have to understand the flows of your applications and put that technology in.
So I would say IoMT. DDoS is another big thing on the edge to protect against that attack as well. Those are the big things that I feel internally on the network, and of course tying that into your SIEM so you have visibility into that information is critical as well.
It used to be, we had to program all these scenarios. So is this a true learning kind of environment that we're talking about, that it's constantly learning, or is this the kind of thing where we have to anticipate? And I mean, for lack of a better term, put in the controls, almost coding the thing to make sure that we're staying ahead of it?
Yeah. I mean, I think it's very important to have some sort of machine learning models or some AI in place to help you sort through all the data, because it's not as though healthcare providers don't have enough data, right? They probably have too much data. And so how do you go through that data in a reasonable amount of time?
And then have alerts pop up. Right. So I would see a situation where you'd have some really unsupervised machine learning looking at this data coming in that's gonna generate alerts, and then you'd have a person look at that alert and go, yes, is this something that we should be concerned about or not?
Right. Or, if it is, maybe that then goes into a supervised machine learning model. Right. So that it's not necessarily something automatic that happens based off of an untrained model, because that can sometimes get you into hot water pretty quick. So having a combination, I think, makes the most sense to be able to go through all that data, because to your point, there are gonna be a lot of these unknown vulnerabilities that you have.
You don't know about it until suddenly something pops up. You're like, oh wait, we got a problem. And so how do you minimize that as much as possible? And I think having that unsupervised machine learning is gonna help generate some of those alerts for things you may not see.
If you just rewind, it might be a decade now, might be a little less than that, but we used to have all these systems generating all these alerts, and it just completely overwhelmed the NOC. Are we getting better at taking individual discrete data elements and data streams and turning them into information, and even processing that to say, hey, this is level one, level two, level three kinda stuff?
Cuz I hear this all the time, and you even alluded to it earlier: we get hundreds of attacks per second. At this point, if even 1% of those need to be looked at, you're gonna overwhelm the NOC. So are we getting better at, I don't know, processing that data and that information?
I'd like to say yes. Right? I mean, I think in general it's better, but one is we have a lot more data than we did 10 years ago. Understanding what are the right questions to ask, right? What are the right alerts to set, and what are the right thresholds for that? Because we see it a lot of times on our side: when a customer first comes on our platform, we have very high thresholds because there's a lot of automation, but once you start to mitigate it, the attacks get smaller, but they get a lot smarter.
Right. So you need to start to adjust the thresholds down. So it's not just set it and forget it. You need to constantly look at it and start trying to ask the right questions of the data coming in. So it's very easy to have a lot of noise coming from your alerts that really doesn't benefit you. Right?
So what are the right indicators of that fraud? And when you start to look at some of these manual fraud models, the indicators for one company or one provider might be different from another, right? So when we talked about things like a request coming in from a VPN, what's the local language on the machine?
What's the time on the machine? Are they pasting information into fields in the web application? Right. One might be a strong indicator of fraud for one healthcare provider, but maybe it's not for the other. And so it's a matter of going through and taking fraud that you've seen internally. Right.
And kind of ground truth: this is fraud. And tying that with an event that you've seen in your SIEM to try to correlate the two. And that's not always easy, right? And so you have to do that, but it's gonna help you understand what are my indicators to say, maybe I do need to step up the authentication on this request, or maybe I do need to mitigate the request, right?
So there are different ways that you can go about it, but really trying to understand what really is fraud and what are the indicators in my business, cuz that's not always the same across the board.
The cybersecurity world's really changed. And this can be our out question, I believe, which is a lot of boards have recognized cybersecurity's critical to protect the ongoing operation, protect patient care, to protect the brand of the organization. And so they've started allocating money over the last year, it feels like, a little bit more liberally than they have in the past.
And so I guess my question is, are you still seeing these projects where people go, yeah, we need to become more sophisticated? Are they usually started out of a response to a certain type of attack or a hack to their system? Or are you starting to see more proactive type work? And what do these projects look like? That's a three part question. I'll let you both answer that. And Jason, we'll start with you. What are you seeing health systems do? And is it in response to an attack, or is it being more proactive at this point?
Unfortunately, it's still, I'm seeing a little bit of both. Prior to Sirius, I worked for a healthcare organization as a lead architect. Back in those days, we used to relate security to buying a missile defense system to defend a meteor from hitting the earth. So it was a nice to have; it was more response based. What I'm seeing now is more proactive measures being put in place due to the nature of what's been on the news in the last five years, not necessarily healthcare organizations getting attacked, but you know, manufacturing, whatever it might be.
And so I'm seeing a lot of the clients move more towards a proactive approach: buying solutions like a WAF, putting in DDoS protection and trying to do zero trust, doing web application firewalls, things of that nature. But unfortunately there's still some reactive approach to it as well, based on an attack, based on the information leak, whatever it might be. So I guess in a nutshell, I've seen a little bit of both, but it's gotten a lot better over the last 10 years.
And what do the projects look like? Is it come in and do an assessment, or is it come in and, hey, there are certain gaps we know we have, and we'd like to fill those with some of the technologies we know?
So, yeah, some of it is just basically coming in and doing an assessment of the network to see what vulnerabilities or patch levels are on systems, things of that nature. The other thing might be a penetration test from the edge, seeing what are we vulnerable to. I see all kinds of different flavors, if you will, of security assessments.
Organizations, especially healthcare, are doing that, but I think a lot of it is based around, some of it is also based around if they had an event that happened. For example, PCI is a big one in healthcare: now we're taking credit card payments within MyChart, so now we have to segment the network off and we have to do the PCI standards for that. So it kind of depends on the project, but I will say that it's gotten a lot better from previous years.
So Lane, you get the last word on this. What's driving these projects, and what do the projects look like from your perspective?
Yeah, I think Jason's spot on where it's better, but security is many times a cost center. And so you don't really get the money always until there's a problem. And I think it's also human nature, right? Ah, we'll be fine. It's not gonna happen to us. Right. And then it does happen to you. And so many times the architects at the company will have done the research and have a solution ready.
They just need funding for it. Right. And so whether that's through an RFI that they've done previously, or just research that they've done with different vendors, many times they might have a solution kind of in mind already to roll out when the event occurs. Now, we have definitely seen situations from healthcare providers where they've been a lot more proactive.
And many of these healthcare providers are so large, they might have a smaller division have an issue that suddenly wakes up the whole company. Right. And so in that case you have something that's adopted very kinda by a small group internally, and then it starts to kind of branch out after that.
Fantastic. I was gonna give you the last word, but here's a question I've been throwing out at the end of these just to make sure I don't miss anything. Is there any question I didn't ask, any area you want to talk about, or you're like, I'm surprised you didn't ask this question?
Yeah, I'll go now, I'll start. And maybe not surprised, but I think really what we're starting to see is you've always had these two camps of security and fraud, right? Security was a cost center; fraud was there kind of helping reclaim money and reduce some of this impact. And we're starting to see those teams kind of overlap a little bit, or in a lot of these companies we're starting to see more communication, cuz before they were silos.
And they had a very different view of the world. And so one of the things we're starting to see is the security team, before, they just kind of wanted the pain to go away. They needed a solution. They needed automation to go away and free up their systems, where fraud, they want all this data so that they can make a decision, because they have much better visibility into their members than you do, because you only have a slice or a single view. And so what's interesting is we're starting to see them share and be a little bit more friendly, right? So you start to hear all the acronyms, right? So maybe it's SecFraud, right?
Or FraudSec or whatever it's gonna be now, instead of like DevOps and things like that. But I think you're starting to see a lot more in that regard, because they're starting to rely on some of the same information, and specifically that kind of layer eight information that gives them better visibility into what's happening.
Both outside and inside the network, as we heard earlier. Gentlemen, I wanna thank you for your time. As always, a phenomenal conversation. And I really, really appreciate you sharing your experience and wisdom with the community. Thank you very much.
Thank you. Thank you.
What a great conversation with Lane and Jason. I learned a ton, and I'm starting to realize how much things are changing in the cybersecurity landscape, and we have to be vigilant and we have to stay current with the technologies that are coming down the pike, because quite frankly, the attacks are morphing and they're getting more sophisticated every day.
So we wanna thank F5. We wanna thank Sirius Healthcare, a CDW company, for this episode and making it possible. They're investing in our mission to develop the next generation of health leaders, and we thank them for that. Thanks for listening. That's all for now.