How does our approach to security change if we assume they are already on the network?
Today in Health IT. We now know the Ascension Healthcare hack was traced to an employee downloading a malicious file. We're going to take a look at the different approaches to cybersecurity, proactive measures versus a detection-and-response focus, and what makes the most sense. That's what we're going to talk about as we look at this story. My name is Bill Russell.
I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels and events dedicated to transforming healthcare, one connection at a time. We want to thank our show sponsors who are investing in developing the next generation of health leaders: Notable, ServiceNow, Enterprise Health, Parlance, Certified Health and Panda Health.
Check them out at thisweekhealth.com/today. This news story and all the news stories we cover on the show you can find at thisweekhealth.com/news. Check it out today. Finally, share this podcast with a friend or colleague; use it as the foundation for mentoring, just have conversations with them about the subject.
It's not important if you agree or disagree with me. The important thing is that you're having the conversations and training up the next generation of leaders. They can subscribe wherever you listen to podcasts. All right, here's the story. Got this from PC Magazine, June, I don't know, June 14th, looks like June 15th: Ascension healthcare hack traced to employee downloading malicious file.
The ransomware attack on Ascension, a major US healthcare provider, was traced to a malicious file downloaded accidentally by an employee, likely through a phishing email. Spear phishing, likely. The hacker group Black Basta is suspected to be behind the attack, utilizing spear phishing techniques to deliver the malware.
Although the breach led to the theft of files from seven servers, Ascension reports that no sensitive patient records within their electronic health record and other clinical systems were compromised. The hospital system is offering free credit monitoring and identity theft protection to potentially affected individuals while continuing to investigate the full scope of the data breach. So phishing remains the easiest way for attackers to get into the system. And then the question becomes, can they move laterally around the network to find other things and get into other things? So with that in mind, I thought I would take a look at the different ways that we try to defend against these things.
So we have email security: spam filters, email authentication. We have tools that essentially mark emails as external, "be careful," and all that other stuff. We have user training. Obviously we do tests of our people through simulated phishing attacks. Obviously we have access controls, endpoint protection. Network security is there as well. Let's see, assessments.
We do assessments, regular assessments, vulnerability assessments, security audits, those kinds of things. In some cases we have some advanced tools, AI and ML tools that are looking at behaviors and understanding when a threat is actually happening. Those are the basics.
If you're looking at proactive kinds of measures, the kind of measures that would prevent a phishing attack or prevent the phishing attack from having a significant impact, that's where you would start. The thing about that is a lot of that is focused on the external: how do we secure the perimeter? As I've said on the show before, one of the biggest aha moments for me was after a white hat engagement. We had hired a firm to essentially do penetration testing and some other things, but we gave them a lot of latitude on our system and they were able to break in. And in the summary findings and the discussion we had later, they said that we should take a much different approach.
Now this was way back in the day. This was 2015. And the approach that she gave us that day was essentially: assume they're on your network. And that was a turning point for me. I don't know why it was a turning point. It seems so obvious now that I should have thought about it then. But I remember when she said it, I thought, yes, that's right. Assume they're on the network.
Assume they're already in. You're not going to be able to build a high enough wall, a wide enough wall, to keep them out. And then the whole approach and focus starts to be about detection and response. So how quickly can we find out? Can we see them doing what they're doing, so we avoid this "oh, they've been in our network for months"? Because remember, back in 2015 the average time on network before being identified was being measured in months. Now I think we're down to weeks, and hopefully in some cases we're down to hours. But that's what it's going to take: detection and response.
So we're trying to find them as quickly as possible and then respond as quickly as possible. So that is: section off the area, essentially contain the blast radius. So you identify where they're operating and you shut that down as quickly as possible. Some of the areas of focus in this kind of strategy are, obviously, continuous monitoring.
You have that monitoring that's going on at all times around the entire network, so that when something becomes an anomaly, it gets flagged, looked at, and potentially shut down very rapidly. I remember talking to one security officer who said they assume... what was his terminology?
I forgot what the terminology was, but when they see what looks like a bad actor, they shut it down. And then they will do the analysis and determine whether it is or is not a bad actor. Now in healthcare, I thought that was pretty aggressive, because you have so many systems that are important to the process of caregiving. But their rationale was that it's better one system than all the systems. So anyway, I'm just giving you that as a thought process. I'd have to think about that more and really delve into what systems we would shut down and which ones we wouldn't based on that kind of criteria. Again, I do still think it seems aggressive, but I understand where it's coming from. So: continuous monitoring, a zero trust architecture, least privilege access.
Micro-segmentation, all those things that are associated with zero trust architecture. I would still be using the AI and ML that we mentioned earlier, looking for behavioral detection. Is that machine, or whatever endpoint or wherever it's coming from, accessing data the way that it should? Is it accessing the data that it normally does?
So looking at that behavioral analytics, and then advanced CDR, isolation, automated response and those kinds of things, as we talked about earlier. Let's see. If you're going to limit the amount of time they're doing things, then things like encryption, data loss prevention, data protection strategies make a lot more sense.
If you don't give them much time, it's hard for them to do anything with it. If you're tracking the data loss, if you're tracking the paths of exfiltration, then you're going to be able to shut that down a lot quicker. But again, it's incident response, it's visibility, it's all those things.
It's assuming they're on the network already. Patch management, the most basic, but it's making sure that once they're on the network, they can do very little, you identify them very quickly and you shut that down. I know this sounds very basic, but it's interesting, in the conversation and in reading the articles, how much of it is focused on securing the perimeter.
Let's train the users. Let's make sure they don't click on the email. I would say, assume they're going to click on the email. Okay, now let's operate from that perspective. They're going to click on the email. They're going to make a bad decision. And once they make that bad decision, let's move forward with our detection and response strategies.
Not that we rely on it solely, but that we spend a lot more time there and it's much more robust, because we assume that they're going to get in. It's interesting. I heard a presentation, and at some point I'll have this person on to talk about this, especially after they get it done, but essentially they're taking a new hospital completely to Apple devices. And it was really fascinating to listen to.
And again, I will bring this person on and do an interview at a later date, once they get this implemented. But one of the key points of that was security: that Unix systems are harder to hack than Windows systems. And that was just one of the many rationales for moving to an Apple-based hospital system. And you're going to say, oh, how do you get the EHR to work? Well, they're getting the EHR to work on a Mac device.
It's interesting to have a security conversation where somebody is pushing the boundary that much, that they're saying, hey, we're using insecure devices and we need to look in a different direction. Anyway, just some of the things I'm thinking about, some of the things I'm looking at as I'm reading these stories about Ascension as more and more unfolds, is: what is our approach?
How are we thinking about it proactively? Yes, we need to protect the perimeter, but let's assume they're already in and build out our detection and response strategy. All right, that's all for today. Don't forget, share this podcast with a friend or colleague, have a conversation with them and use it as a foundation for mentoring.
We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: Notable, ServiceNow, Enterprise Health, Parlance, Certified Health and Panda Health. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.
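As an added illustration of the behavioral analytics point made in the episode (an account or endpoint touching data it does not normally touch, from a host it does not normally use, or in unusual volume, and the "shut it down first, analyze second" posture the security officer described), here is example code written for this page. It is not from the podcast, from Ascension, or from any vendor product. The event schema (user, host, dataset, records), the sample events, the five-times volume factor and the two-signals-to-isolate rule are all constructed assumptions that a real deployment would replace with its own telemetry and tuning.

```python
"""Baseline-and-deviation check over constructed access events.

Assumed (constructed for this example): each event is a dict with
user, host, dataset and records fields. Nothing here comes from
the podcast or from a real product.
"""
from collections import defaultdict
from statistics import mean

# Constructed history of ordinary activity from prior weeks: the baseline.
BASELINE_EVENTS = [
    {"user": "alice", "host": "WS-101", "dataset": "billing", "records": 40},
    {"user": "alice", "host": "WS-101", "dataset": "billing", "records": 55},
    {"user": "alice", "host": "WS-102", "dataset": "scheduling", "records": 20},
    {"user": "bob", "host": "WS-200", "dataset": "pharmacy", "records": 100},
    {"user": "bob", "host": "WS-200", "dataset": "pharmacy", "records": 120},
]

# Constructed events from today, to be scored against that baseline.
TODAY_EVENTS = [
    {"user": "alice", "host": "WS-101", "dataset": "billing", "records": 50},
    {"user": "alice", "host": "SRV-DB-7", "dataset": "ehr_export", "records": 9000},
    {"user": "bob", "host": "WS-200", "dataset": "pharmacy", "records": 700},
    {"user": "carol", "host": "WS-300", "dataset": "billing", "records": 10},
]


def build_profiles(events):
    """Per-user profile: hosts and datasets seen before, plus record volumes."""
    profiles = defaultdict(lambda: {"hosts": set(), "datasets": set(), "volumes": []})
    for e in events:
        p = profiles[e["user"]]
        p["hosts"].add(e["host"])
        p["datasets"].add(e["dataset"])
        p["volumes"].append(e["records"])
    return profiles


def score_event(event, profiles, volume_factor=5):
    """Return the list of ways this event departs from the user's baseline.

    volume_factor is an assumed threshold: records above volume_factor
    times the user's mean historical volume count as a spike.
    """
    p = profiles.get(event["user"])  # .get does not create a default entry
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if event["host"] not in p["hosts"]:
        reasons.append("new host")
    if event["dataset"] not in p["datasets"]:
        reasons.append("new dataset")
    if event["records"] > volume_factor * mean(p["volumes"]):
        reasons.append("volume spike")
    return reasons


def triage(reasons):
    """Map signals to an action.

    'isolate' mirrors the shut-down-first posture described in the episode;
    a single weak signal gets analyst review rather than automatic action.
    The two-signal cutoff is an assumption, not a recommendation.
    """
    if not reasons:
        return "allow"
    return "isolate" if len(reasons) >= 2 else "review"


def flag_anomalies(events, baseline):
    """Score every event against the baseline; return only the deviations."""
    profiles = build_profiles(baseline)
    findings = []
    for e in events:
        reasons = score_event(e, profiles)
        if reasons:
            findings.append((e["user"], e["host"], triage(reasons), reasons))
    return findings


if __name__ == "__main__":
    for user, host, action, reasons in flag_anomalies(TODAY_EVENTS, BASELINE_EVENTS):
        print(f"{user}@{host}: {action} ({', '.join(reasons)})")
```

Run as-is, the routine lets alice's ordinary billing access through, isolates her session on the unfamiliar server pulling an unfamiliar dataset at high volume, and queues bob's volume-only spike and carol's never-seen-before account for review. The interesting design choice is the triage step: a strict baseline check will fire on legitimate change (a new hire, a new workstation), so the "one signal means review, several mean isolate" rule is where the aggressiveness the episode debates actually gets dialed in.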