Drex DeFord, MSHI, MPA is healthcare strategist for CI Security of Bremerton, WA.
Tell me about yourself and the company.
I’m a recovering CIO. I have been a healthcare executive for most of the last 30 years and an independent consultant for the past four or five years. I serve as the healthcare strategist for CI Security. CI Security is a group of world-class security professionals who provide managed detection and response and cyber consulting services, with a mission to secure critical systems. We specialize in healthcare, but also cover other critical infrastructure.
What are the takeaways from University of Vermont Health Network’s month-long downtime from a cybersecurity incident?
This is one of those situations where the breach occurred long ago. The bad actor was in the system for a long time before they ultimately wound up revealing themselves. That’s part of the challenge today.
Historically, we have worked hard to build high castle walls to keep the bad guys out. But what we’ve realized, at least in the last few years since ransomware became prevalent, is that all of your frontline employees are now frontline cybersecurity people, too. One wrong click going to the wrong website and you’ve been breached.
You feel like you have to meet this challenge of building a tall castle wall, but the real opportunity is to find those bad guys as soon as they’re behind the castle walls, catch them, and throw them out. That’s a lot of what managed detection and response is about. Whether you’re in a big place or a small place, rethinking the strategy around security is critically important.
Is it true that human hackers aren’t involved until sometime after the technology back door has been discovered or opened via mass Internet probing?
This is another way that cybersecurity and attacks have evolved over time. You can certainly have nation state attacks, but now there’s ransomware as a service. We often find that health systems or other organizations are hit by ransomware as an accident. They are just collateral damage. Somebody was trying to make a quick buck, punched out a bunch of ransomware, and somebody in the health system clicked on it. It wasn’t directed, it wasn’t intentional, and it wasn’t focused on that health system. It’s just one of those things that the organization found themselves wrapped up in.
As the types of ransom market and attacks evolve, we will see more and more and more of that, where it’s not really aimed at a health system or hospital, but the cybersecurity posture of many health systems leaves them vulnerable to these collateral damage attacks.
How can CIOs convey that threat to board members who might see it as theoretically possible but so unlikely that it doesn’t warrant funding and focus?
A lot of this is keeping your board informed and helping them see the negative results on competitors or other organizations. Boards and other executives are very involved in this now, from what I see as I talk to CIOs across the country. Every time there’s a SolarWinds attack or something like that, board members start sending questions about, are we covered? How are we doing? Is everything OK?
You are right that it’s hard to prove a negative. If you’ve been doing a good job in your cybersecurity posture and you haven’t been breached, there’s still plenty of story to tell about the number of taps you’ve forwarded and the number of ransomware emails that don’t get through. A lot of those things are still happening to you, but you’ve been doing a good job of catching them. Those are the stories you should be telling.
Is healthcare more at risk because the many hospitals that are outside of big cities won’t have a lot of local cybersecurity expertise available and might not have the money to develop it?
That’s a real challenge in most places, especially with small and medium-sized health systems. The talent problem is real. It’s tough enough to try to hire the people and get them to move to these areas. But once you get them there and you start teaching them some of these cybersecurity tools, you’re apt to lose them quickly, too. Retaining good talent is tough.
The other challenge I see over and over is that lots of vendors have silver bullet products that they would like to sell to organizations. The organizations get them, install them, and run them, but then quickly start to realize that it’s going to take more than a fractional FTE to actually get value out of that product. After they have accumulated a whole plate full of these products, they realize they have created a situation where they are more exposed. They know about these things, but they can’t do anything about them, or they don’t have the talent to actually run those products.
Being able to bring somebody in and let them do managed detection and response for you, 24/7/365, is the other big gap that we see. But being able to do it 24/7/365 — and having wraparound professional services that can help you get started through things like security, risk assessments, and penetration tests and all the other things that can be combined into a single package — makes a big difference to small and medium-sized health systems. They just don’t have the people to handle the challenges that face them. It’s not a core business skill that they would normally have.
Have recent incidents raised an awareness that cybersecurity breaches aren’t just an IT annoyance but in fact could put a hospital out of business?
There’s a cybersecurity and risk continuum that ranges from not very mature health systems to mature ones. There’s an understanding, or lack of understanding, that it’s not just about being hacked. It’s about the impact to the business. Short term, you have to get the systems back up and running and help get patients back in. But long term, there’s the reputational impact. Especially for not-for-profits that have fundraising arms, being able to instill confidence in your donors that you’re a good place to donate money to because you take good care of patients and families and you never let them down. That’s how cybersecurity is tied to everything else, because it really isn’t standalone.
A simpler, relatively modern infrastructure is way easier to secure than one that has been built haphazardly over a number of years. That includes even infrastructure projects, upgrading switches, and upgrading end-user devices. It doesn’t have to be bleeding edge, but that maturity and understanding makes the difference between mature organizations and relatively immature organizations.
Attacks in the past were usually focused on widely present misconfiguration vulnerabilities in JBoss servers or Windows Remote Desktop, where if an organization was paying even modest attention it could protect itself. Have attack methods broadened, and how do healthcare organizations share information about their experience and actions?
Trying to protect yourself against yesterday’s attack is a good thing to do, but lots of new types of attacks happen every day. It also comes back to doing simple, straightforward things. If you’re a CIO, you need to make sure that your network, server, and application teams have the time to apply patches to reduce your vulnerability. Cybersecurity is connected to everything else, including operations. Healthcare has gotten a lot better at sharing information through organizations such as CHIME.
H-ISAC — the global, non-profit Health Information Sharing and Analysis Center that crowdsources cybersecurity — has become a critical component in the sharing of cybersecurity information. You do preparatory work, such as doing tabletop and full-blown exercises where you connect to the organizations that you may need help from. You want to have your connections — such as state police, the FBI, or other healthcare organizations in your area — in place and on speed dial so that you are ready to connect. That’s not something you want to figure out after you’ve been breached. More connections and more collaboration puts you in a better position from a cybersecurity perspective.
ISACs exist for different industries and healthcare has a great team there who are always looking and working closely with the FBI, HHS, ONC, and others. They log, catalog, make recommendations, and share information about the kinds of breaches that are occurring.
It’s another reason to think about managed detection and response, because if you’re a standalone medium-sized hospital, you’re working off only the connections that you’ve been able to make as a small shop without a lot of time. A professional service organization like ours has lots of connections, not only in healthcare, but in other industries. This is what we do every day, so we are more likely to be looking for problems or openings for the bad guys that you may not have even heard about yet.
What are the security risks involved with vendors and providers making initial moves to the cloud?
A cybersecurity professional company can help you navigate these waters. We have seen health systems, time after time, assume that software as a service means that if I don’t run this on my premises, and instead have it run by a company who does it for a lot of other people, I should be more secure. Generally speaking, that’s probably true, as long as you’re doing all your due diligence with that third party to make sure that they’re doing all the things that they should do to be secure.
When it comes to the cloud, the true cloud, this is another one of those situations where there are opportunities to make mistakes. You’re probably going to be more secure than you are. If you try to do it yourself — especially if you’re a small or medium-sized health system — engage a professional to look at the vulnerabilities and make sure you’re covered for what you’re trying to do.
Do you have any final thoughts?
CI Security is happy that 2021 has arrived and 2020 is in the rearview mirror. Cybersecurity is in front of boards and healthcare leaders. We look forward to supporting the need for critical healthcare infrastructure with easy to understand, easy to consume cybersecurity services and managed detection and response that is packaged up to be delivered in a better, faster, cheaper way.