HIStalk Interviews Dan Dodson, CEO, Fortified Health Security
Dan Dodson, MBA, is CEO of Fortified Health Security.
Tell me about yourself and the company.
I have been in cybersecurity since about 2014, and in healthcare IT for 20 years. Fortified Health Security is a cybersecurity company that is focused exclusively on healthcare. We provide two kinds of services, advisory services and our managed security service provider business, or MSSP, for 24×7 monitoring and management of cyber technologies.
How does a healthcare-focused cybersecurity firm work differently than a more generalized company?
The attacks, adversaries, and the vectors they use are similar to other industries. The difference is how you respond to those threats and adversaries and risk reduction.
We believe strongly in having a knowledge base and an understanding of how healthcare organizations work, not only from a governance and regulatory perspective, but regarding infrastructure, legacy applications, mixed environments, EHRs, and medical devices. We build our playbooks and recommendations to take those elements into consideration. Our clients get more actionable intelligence so their teams can respond and take actions faster with the intelligence that is infused into our recommendations.
The top things organizations are trying to work through are AI, third-party risk, and training and awareness. Those three things are what organizations are talking mostly about with us.
What findings have surprised you in performing security risk assessments?
One surprise that we see is that everybody is at a different spot, and the weaknesses and the opportunities to improve are pretty vast. We’ve seen a lot of organizations make investments in different areas, some of which are reducing the risks that they set out to do. Sometimes they have opportunities for improvement. But as they’ve built their program over years, some areas tend to have significant gaps.
Third-party risk is a big area where organizations are struggling to tackle those challenges. Obviously with the rise of AI, we are in the early innings of understanding that from a risk perspective at the client side.
A lot of conversations are happening around end-user training and development. It’s a big challenge to actually drive better utilization of the tools to combat phishing, et cetera.
Are easily guessed or shared passwords still a big problem?
That certainly is still a challenge. The vast majority of compromises that could lead to a breach of data involve the end-user clicking on an email and giving up their credentials into a phishing email. Then the adversary comes in, moves laterally across the environment, and ultimately causes havoc. That’s still the number one entry point, so organizations are focused on combating that.
It seems like tools should have gotten sophisticated enough to block the clicking of suspicious links.
Tools are out there, and not having a tool would certainly increase your exposure. But this is an area where the adversaries are good. They are able to navigate around those tools and ultimately end in the inbox.
We see organizations thinking about how to reduce that attack surface. Do I have employees within the healthcare organization that maybe don’t need external email to execute their job? That’s a little bit of a culture challenge, because in the US, people associate their employment with having email. No one really talks about that. It’s the norm.
We are seeing some creative designs around that to make sure that we are limiting the attack surface. There are actually some cost benefits as well, such as fewer licenses for whichever email that you may use.
The other approach is training end users. A recent development is that most people are familiar with someone who was compromised personally for some type of phishing attack. Or, they have been impacted by breaches at Target or Nordstrom’s. One part of training is whether to focus more on the personal side and helping users understand how to protect themselves at the individual level. That would ultimately increase the level of protection for the organization.
What about users logging into their company email from personal devices?
That is still an issue. BYOD is prevalent. We have a lot of contract labor. If you live in a metro area, physicians have multiple privileges at multiple facilities.
Who is winning the AI war between hackers and organizations?
I think the data would tell us that the adversaries are being more successful. Breaches are continuing to occur. If you look at the Office for Civil Rights, the number of breaches year over year is stabilizing, but the impacts are getting larger. So I would say that, unfortunately, the adversaries are probably winning that fight. The adversaries are also using AI to launch more sophisticated attacks, both via email and help desk voice impersonations. They are definitely leveraging AI to hit us on all fronts.
How is the government’s role in healthcare cybersecurity changing?
Our view is that we are in a little bit of a standstill. There was a lot of energy at the end of the Biden administration. Senator Warner was leading that charge. Frameworks were put in place for programs that would provide clear expectations, along with some monetary support in a carrot-and-stick model to adopt said frameworks.
But a lot of that has stalled. The current view is that we may see tweaks to frameworks and expectations, but monetary support coming alongside that is probably off the table, at least in the near term.
Hackers have threatened to report their breach to HHS or have contacted individual health system executives, board members, media outlets, and even patients to threaten to expose breach information in hopes of getting a ransom payment. How do you address that dynamic, especially knowing that you wouldn’t be paying the most honorable of people, with no recourse if they don’t deliver?
That’s the biggest challenge if you have a ransomware event or active breach that ends up in some type of negotiation. Thinking about adversarial intent, bad actors come after us to begin with because it’s monetary. They will pull all the strings that they can to create as much leverage against that organization to increase the likelihood of payment.
Also driving that behavior is class action lawsuits. Attorneys who used to chase car wrecks and malpractice cases have turned their eyes to cyberattack class action lawsuits. The adversaries know that, so they will weaponize that against the victim that is under attack. They will pull the strings on anything they can do to increase the likelihood of payment.
What are the advantages of organizations moving from point tools that are monitored by understaffed internal security groups to a more centralized approach?
In most healthcare delivery organizations, teams are quite small. A lot of those individuals have been at that healthcare organization for a number of years and have made their way to the cybersecurity team. Health systems in general are not the best at training and having dollars available to train resources.
How do we make those individuals who have institutional knowledge about the networks, environment, and culture of the organization as effective as cyber warriors as possible? We partner with those organizations to bring high-fidelity, actionable information to that team so that they can take quick and swift action.
As far as which service or what opportunity, I would just tell you that every healthcare organization is at a different point in their cybersecurity journey. They have made prior investments. Can our organization plug in, leverage existing investments, and operationalize that in a more efficient way to ultimately drive down risk?
One of your reports about downtime preparation quoted a chief nursing officer whose hospital experienced an unanticipated problem because young nurses couldn’t read the cursive handwriting that doctors used to write paper orders. Is it common to find problems during downtime that weren’t anticipated in the plan?
Almost every time. Organizations do their best to prepare for downtimes that are short in duration. Hospitals go on diversion a lot for various reasons that have nothing to do with cybersecurity. They have downtime when they have to patch a system, implement a system, or upgrade a machine. We are relatively good at doing that for a short period of time. The challenge arises when you are down for a long duration and you don’t really know how to manage through days or weeks of not having access to the systems.
That’s driven by a couple of things. One, we are heavily reliant on systems when delivering care, whether that’s the EHR or the hundreds of other applications that power these health systems. So when they are down to some degree, the clinicians are frozen in their normal work habits. Anxiety and nervousness set in because they want to take care of the patients, but they don’t have the technical controls in place to ensure that they provide swift, quality care. It slows down the care delivery model significantly.
Calculating is another issue we see. How am I calculating if I’m making an order for a particular medication? Med reconciliation is another thing that drives a lot of nervousness, making sure that I’m giving the right meds at the right dose to the right patient. Most of that at scale is done electronically, and that becomes an issue.
Communication is also another big challenge that we see. How are we communicating as a team if we’re using some type of a pager system or a walkie-talkie system like Vocera and it’s down? That’s how we are used to communicating.
Lastly, a lot of the younger physicians have never operated in a world where they haven’t had technology. They were trained on an EHR at med school and they’ve been delivering care for years while being guided by electronic systems.
How do you advise organizations to deploy resources to protect their ever-increasing reliance on external technology vendors?
Step one is understanding how you interact with those third parties technically, so that if they have an event, you can take quick action to sever ties to limit the disruption to your organization from an adversarial perspective. But then comes the challenge that you need that system to deliver it, but the reality is that for the hundreds of systems that are in these healthcare delivery organizations, there’s not enough dollars to have backup systems for every single one of them. It’s unrealistic, both monetarily and operationally. That would also double your attack surface, so it’s not necessarily recommended. The first step is getting your arms around all of your third parties.
Step two is determining what the interaction is between your organization and those third parties.
Step three is putting in some contractual language and some compensating controls on your side to try to limit the downtime.
Step four is that as you think about the disaster recovery plan, work with your clinical teams to understand how they would operate with certain critical systems down. Start with the ones that are most useful clinically and are most widespread so that you have some type of backup plan in place in the unlikely event that it’s unavailable.
What is the company’s strategy over the next few years?
Our strategy is to continue to work with healthcare organizations to increase their cybersecurity posture. We believe very strongly that a coordinated, programmatic approach through various elements of their cyber program can help minimize that risk. We are going to invest in our central command platform, which is our service delivery platform that provides actionable information and drives results across their entire organization to reduce risk.