This Week Health
UnHack (the News): Insurance Challenges and Third-Party Vulnerabilities with Russell Teague


July 15, 2024: Russell Teague, CISO at Fortified Health Security joins Drex for the news. They explore how ransomware is not only increasing in frequency but also inflating cyber insurance costs, raising questions about the future of coverage and premiums. How do health organizations balance the need for cyber insurance with the rising cost and risk of breaches? They also discuss the pervasive issue of third-party data breaches and the extended risk to fourth and fifth parties. How can health systems manage and mitigate these multi-layered risks effectively? The conversation touches on the responsibilities of service providers like Snowflake in enforcing security measures such as MFA, prompting us to consider where the accountability should lie. How should organizations prioritize their security measures in an environment where the threat landscape is continuously evolving? 

Key Points:

  • 00:00 Welcome to Unhack (the News)
  • 01:35 Ransomware and Cyber Insurance Challenges
  • 07:51 Third Party Data Breaches in Healthcare
  • 13:22 Snowflake Breach and MFA Responsibilities
  • 21:08 Conclusion and Final Thoughts


Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong. 

A special thanks goes out to our partner Fortified Health Security. Discover how Central Command can help simplify the management of your Fortified cybersecurity services. Check out thisweekhealth.com/fortified for all the details. Okay. Today on Unhack the News. (Intro)

Third party risk now has to go beyond just third party. It needs to be also considered, fourth and fifth party as well,

Hi, I'm Drex DeFord, a recovering healthcare CIO and longtime cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non-technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News.

(Main) Hi, this is Drex and welcome to Unhack the News. I'm with my good friend, Russell Teague from Fortified Health Security.

Thanks for being here.

I think it's going to be exciting to be able to talk about some of the news articles that we have today.

Yeah, we did a little collaborating ahead of time. So we know the articles we're going to talk about and we both dug into them a little bit.

And the hardest part sometimes of these episodes is that when I first get Russell on or anyone on, and we've done this pre work is that we start talking about the articles right away, because sometimes they're really interesting. And I'm always like, stop, don't talk about it. Let's save it for the show.

So, so here we are. The first one is an article from Healthcare Brew. It's "Ransomware is ravaging healthcare organizations and making it harder for them to get cybersecurity insurance." And of course, I think we all know that this has been a thing that has been going on for a while, but I felt like maybe we'd hit a little plateau, but I'm not so sure that's the case.

What are you getting from your side?

Yeah, I think so as well, right? We obviously because we do so much of the IR response side of the house with cyber insurance, we do get a sense that the cyber insurance organizations are struggling with the amount of breach and therefore the amount of risk and the amount of payouts that come with that.

Back in '23, the cost of cyber breaches for healthcare exceeded 10 million and that continues to go up. I think, based upon what we've seen in the first half of '24, there's a good chance we're going to see an increase, both in premiums and total cost of breaches, simply because of the magnitude of what we're continuing to see.

I don't believe we've hit the tipping point associated with the peak of this. I think, based upon what we're still seeing, more and more organizations are being breached on a regular basis, the speed continues to pick up, and cyber insurance is really dealing with the brunt of it, because for many years, health organizations have elected to go after cyber insurance as a way to partner and manage that cyber risk, that liability associated with it.

I think the insurance companies, too, over time have gotten wise to that, right? I think for a long time they could do cyber liability insurance. It was a pretty good profit. There wasn't a lot of information to help them set those tables to figure out how much they should charge and how much they could make.

But what we've seen in the last few years is a lot of information that's helped all the cyber liability insurance companies who have all those hardcore math folks in the background working all those tables. They have a lot more information to figure out what they should charge and the things they should be asking too, right?

That turns out to be a really big deal for cyber liability insurance.

It's a very good point, Drex. When you think about it, let's not lose sight of the fact that cyber insurance coverage is a business itself. They're managing a portfolio of coverages across multiple sectors. And if you think about when banking, finance, retail was the number one targeted sector, they backed away from coverages there and put coverages in other sectors to balance out their risk profile across their portfolio.

Now that healthcare has moved into and has been in the number one spot for a number of years, we're starting to see cyber insurance draw back, because the healthcare sector is a more risky play. Now, there is some good lining in this. We have seen some of the smaller cyber insurance firms step forward to healthcare and really begin to tackle it from a different perspective, whereas we've seen some of the larger, more pronounced cyber insurance providers back away from them, right?

So, share that with the community to make sure that you do shop around. You engage with your brokers and think about the different coverages and the different providers. Don't just keep going back to your same provider year over year.

What about some of the questions that they ask?

Because I know, a few years ago, the question sets that they asked were really just a few, and the questions were just things like, do you have antivirus? And yeah, really simple things. And now, you and I are both out there. We talk to a lot of CISOs and a lot of CIOs and general counsels and others.

Those question sets are no kidding now.

Yeah, you're exactly right. If you roll the time back, the annual risk evaluation of your renewal cycle was a single page, 10, 15 questions, all on a single page. Pretty basic stuff. Now I've seen them exceed 50 pages.

So they're almost doing a full risk analysis to really determine the efficacy of your program, right? Overall, right? And they are following more of the major themes of the attacks that we're seeing. When multi-factor started really surfacing as a primary attack vector, we almost instantly saw it start showing up on the risk analysis that is being done by your providers, to a point that says either you do have or you don't have, and then the cost of your premiums and your coverage limits is directly impacted by whether you did or did not have some of the critical security functionality, so.

It's interesting too, some of those questions are written like, do you have this, or don't you have this? And even if you do, now the questions have follow-up questions about, tell me specifically exactly where you have MFA coverage or where you don't have MFA coverage. Like they really dive in deep, right?

They do. They really do. And they're trying to get to a point where they can determine the level of completeness that you have within the environment. And we have seen an increase of the cyber insurance, post event, when it goes through all the event, the coverages, all the urgency has calmed down.

We've seen an increase of the cyber insurance clawing back claims. Based upon your last annual review and the questionnaire you filled out, you indicated that you did have, for example, multi-factor. In this breach, exposure was now identified as a multi-factor entry point. Thank you. And so they're beginning to question whether they cover those and whether they actually make those payments, and so, the accuracy of how you fill out those surveys, I would highly encourage you, make sure that your security teams are engaged and being open and honest about it and not playing in the gray spaces, because they're now being used when it really matters most, when you do get breached and you need the coverage that you're paying for.

Okay. Yeah,

Absolutely. We could talk about cyber liability insurance like all day, but yeah, I'm going to move on. There's another story about third party data breaches and how they continue to disproportionately affect healthcare. This survey from SecurityScorecard said that more than a third, this is a little confusing because we use the word third here twice, but more than a third of third party breaches last year affected healthcare organizations.

And you and I see that all the time, but man, there's a lot going on with third parties and a lot of work to try to manage that, right?

Yeah, no, absolutely, and I think it is almost probably better stated as: of your supply channel or your supply chain, which is predominantly third party entities, more than a third have suffered breaches that directly impact or directly affect healthcare organizations, right?

So we clearly have seen the threat actors shift to that attack vector, right? And you can understand why if you think about the value from their perspective. If they breach a third party, that third party generally has hundreds, if not thousands, of connections to other health organizations, right? It's not, it's, so you breach one to access many.

And so your potential of really hitting a payday is much higher, right? And you think about the impacts of some of the most recent third party breaches and how they've had sector-wide implications. I think it's proven.

Yeah, absolutely. Two different versions of risk there, right?

One of them is that if you hit a third party and you can get into that third party, they may very well have network connections to your health system. So they become a relay into your network. And the other version of it is, I think as we went through the pandemic, we saw more and more folks sign up for software as a service and other kinds of, I don't want to run it here.

I don't need to run it here. Some of that was because I didn't bring people into the office or into the data center anymore. So we began relying a lot more on those third parties. That means a lot of data from a lot of healthcare organizations is also in those databases, and that can be great exposure.

We've seen that.

Yeah, no, you're spot on. Network-based connectivity from a third party, or data sharing or data exchange with that third party, right? Both of them have severe implications for the health organization, because ultimately you can outsource that responsibility or grant that responsibility.

Access to that data for business purposes, but ultimately you still own the accountability and protection of that data, even if it's at a third party or fourth or fifth party, as we've discovered, right? Through obviously Change Healthcare and others, where organizations looked at who they paid and, Change wasn't on my third party vendor list, but they were fourth or fifth party, underlying another partner or another connectivity, right?

And so, third party risk now has to go beyond just third party. It needs to be also considered fourth and fifth party as well, right?

Hi everyone, I'm Sarah Richardson, president of the 229 Executive Development Community at This Week Health. I'm thrilled to share some exciting news with you. I'm launching a new show on our conference channel called Flourish. In Flourish, we dive into captivating career origin stories, offering insights and inspiration to help you thrive in your own career journey.

Whether you're a health system employee in IT or a partner looking to understand the healthcare landscape better, Flourish has something valuable for you. It's all about gaining perspectives and finding motivation to flourish in your career.

You can tune in on ThisWeekHealth.com or wherever you listen to podcasts. Stay curious, stay inspired, and keep flourishing. I can't wait for you to join us on this journey.

It's interesting too. I had a conversation with somebody, actually it was this weekend, and they're a vendor partner, and they were saying that one of the other surprising effects that I had not thought a lot about was, as another partner that had nothing to do with this, their ability to get paid by the health system was affected by that because of the cash flow crunch that came from that event.

So, there's all kinds of other cascading consequences from some of these breaches besides the things that we just think of normally.

No, absolutely. If you think, Change Healthcare, an example, which was a cyber event for Change, right? But then became a revenue recognition and service delivery problem for the entire health ecosystem.

One in every three Americans had data going through some process associated with that, and it was impacted. Whether it be through pharmacy and getting those transactions processed and paid, or whether it just be access to critical things, because to protect themselves, they disconnected everything, and that had a huge ripple effect on people's ability to deliver service.

But to your point, the revenue recognition side of the house created secondary and tertiary problems around cash flow issues for most of those organizations. I know Change did a wonderful job at reacting quickly and providing a lot of funding sources to get everybody back up, but as we all know, that took some time.

Yeah, all those, all the claims flow. Yeah,

for the federal government too. I think that program is just ending now; they were allowing some exceptions to the rules around how they were paying too. But yeah, it's really interesting to think about all the rest of the cascading events that happened because of that.

I'm going to move to the third story. And I'm just, I'm not going to call out one particular story. There are several things on thisweekhealth.com/news. As this Snowflake breach continues to expand, there are more and more stories written about it. The way it's played out now is that Snowflake itself continues to claim that it's not been breached, but some of the customers have had their data breached, and some of those reasons are attributable to, back to our favorite topic, not having MFA.

And so there's this consternation now between who should be responsible for making sure that a company has MFA. Like if you're using a third party provider or, as a service, like Snowflake, should they compel everyone to use MFA, or is it still the company's responsibility to do the right thing?

My ultimate thoughts are, at the end of the day, it is the company's decision on whether they want to enable it, should enable it, so long as an organization like Snowflake, which is providing a service, has the capability to enable it, right? Microsoft is another example where they have the ability to enable it, but you have to go in and turn it on.

And so, I think the standard practice in today's technology is making sure that the technology does have the capability to leverage it, enable it, and turn it on. But when you buy a service, you get paid, configurable settings, and whether you enable it and force all personnel that want to use that service through that multi-factor authentication.

Given today's times though, I think it's prudent for organizations like Snowflake to really highlight the importance of it, the education of it, and almost, they could start it out by default being on and forcing the customer to turn it off. And if you turn it off, at least you have an audit log saying, look, it was on by default, and you've elected to downgrade your security, right?

But that's really a company-by-company decision to be made in terms of the set configuration they want to

I agree with you. I think somehow this has become a story about Snowflake and I'm not sure that's necessarily where the story belongs. You do a lot of work with health systems across the country. Most are using MFA. Is there still a lot of challenges around MFA? Why are there still challenges around MFA from what you're seeing?

Identity as a whole, if you think IAM and using multi-factor and then privileged access management, PAM, being overall identity access management.

It's complex. It's difficult. And it's not only a healthcare thing. It's every industry, right? In my almost now 30 years of experience, identity and access management, and watching the progression of multi-factor, two-factor and many other privileged access management technologies. It's complex because it starts with overall infrastructure and the technology you're using to enable it.

And healthcare has some very unique challenges associated, whether you're a university, whether you're a research facility, whether you're a health plan. When you've got some

Or a contractor or a physician that may not work for the health system. Yeah, it is a complex environment.

Traveling nurses, right?

Traveling physicians, right? Most physicians in a local community work at multiple hospitals, health organizations. And so, when do you turn down those services? When do you turn them up? Do you force the doctor or the nurse to have multi-factor authentication to each environment?

The answer in today's threat world is yes. We need it. It is a critical attack vector. We all know now, after the fact, that missing it on Change is what led to the inbound breach that ensued. It is a complex problem for health organizations. It is one that they definitely should focus on.

If you think about the top critical risks for all healthcare, multi-factor authentication is clearly in the top five, only preceded by the employee risk with education and awareness. Misconfiguration, which, you know, multi-factor could be considered part of misconfiguration if you think you have it deployed everywhere in the enterprise and all your points and you find one that doesn't.

Misconfiguration sits right there as item number two.

Is a lot of this, we kind of string some of these things together, the third party risk management story. A lot of that sort of boils down to, do you know who all your third parties are? And do you know what all your apps are?

And do you know who you're exchanging data with and what data you're exchanging? That very basic awareness level, which sounds like it should be simple, but again is super complicated for a lot of reasons in healthcare. This whole MFA thing and the IAM and identity and all of that also really boils down to, do you know all the people

who are in your network and what they're doing and the access that they should have? And which is, again, as we alluded to, really complicated for a bunch of reasons in healthcare. It's that basic stuff that I think in a lot of ways we're still working on cleaning up to make the environment less complicated and more secure.

Yeah, no, absolutely. I try to bullet it down when I speak with boards and senior executives around where to focus, where to spend the time, the dollars, and the effort, because we all have limited resources, limited time, and limited dollars to address this challenge, but understanding where your data is and how that data is protected, how it's accessed, and by your existing staff or third party, right?

Understanding the data, because after all, the threat actors are going after one thing. It's the data. The data is the true gold in the organization that they're going after. And let's take a few successes from other industries like banking and finance and retail, where they were the number one breached, tied to payment card data.

And again, data, right? Payment data. Now let's replace payment card data with patient data, right? And if we begin to think about where that data lives, where it moves through our IT infrastructure, who has access to it, how's it protected, either encrypted or not, we can begin to basically reduce some of these risks in.

Security incidents are going to always happen. It's something that we have to live with. They will never go away, right? There's too much money that they're able to monetize from their attacks. So we need to understand that security incidents and security investigations will always be something that we deal with, but our ability to identify early, meaning identify, detect, and then take appropriate actions to protect that data,

stops the breach or stops the incident before it becomes a disclosable event, right? So, those three steps should be normal actions. We should track them, report on them, obviously, within our organizations, but that should not be the anomaly, right? That should be the normal course of action. You either have a cyber operations center or you have a partner that brings you that cyber operations center that can do proactive analysis, response, and recovery before it becomes a disclosable event.

It all starts with which systems touch and interact with the data, and which third parties touch and interact with the data, because, as we said earlier, the third party attack vector is a major attack vector that they're exploiting today.

Yeah, hey, wow, we're out of time. I really appreciate your time.

I'm glad you're here today. Thanks for the insight that you provide and the work that you're doing.

Absolutely. Keep up doing what you're doing. You're doing a great job. Thanks for connecting the industry and allowing us to share our thoughts and opinions with the larger ecosystem here.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.


© Copyright 2024 Health Lyrics All rights reserved