While it’s clearly positive that hospitals are using the internet of things and an increasing number of advanced medical devices to help patients, they are simultaneously enlarging their organizations’ attack surface, says Michael Erickson, chief information security officer (CISO) for Baptist Health System of Kentucky and Indiana. In this interview, Anthony Guerra, editor-in-chief and founder of healthsystemCIO, interviews Erickson about the cyber-landscape for large health systems. Erickson says he is looking at vulnerabilities associated with the shrinking of devices (used for both good and evil) from the perspective of protecting an organization with 400 clinical locations.
LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE.
… when you think of the next generation of attacks, as things get smaller and more sophisticated in technology for all of the good reasons that we’re doing things with medical devices and IoT, attack tools are getting more sophisticated and smaller.
… we need to focus a lot of energy on the traditional stack. But we also need to think about the next generation of attacks. I think you cannot turn your back on this problem.
… a lot of people outside of our field think of security as needing some sort of technology as the secret to it, but really it’s your people and the amount of time you have. Those are the precious resources.
Guerra: Michael, thanks for joining me.
Erickson: Thanks for having me. Good morning.
Guerra: I like to start these interviews off by asking about your career journey. Now, I see for you, it’s a little unusual in that you’ve been at Baptist for 26 years. We don’t see too much of that. Tell me about your career journey and how you wound up, specifically, in health information security.
Erickson: I spent the first half of my career doing administration: endpoint, servers. I specifically wanted to be in healthcare right out of school. I was interested in healthcare technology. My career started with traditional IT operations and support. In 2005-6, I made the switch to management and had that responsibility for security. During my time doing system administration, I was writing a lot of scripts. I was writing a lot of automation and doing things that I was very interested in. I realized I could use those things to manipulate computers – and a lot of computers at the same time – and it was something that started to be interesting to me; the unintended uses of technology. I got used to security through that. Then in 2016 we formalized the role of chief information security officer. And I was grateful to have the opportunity to lead the organization in a new way and to establish a distinct security program.
Guerra: Fascinating. You said you were always interested in healthcare. Were you ever interested in the clinical side? If you were interested in technology from the beginning, what drew you to healthcare?
Erickson: I thought that technology would be a differentiator in healthcare. I was never interested in being a clinical person, but I could see the value of applying technology to clinical outcomes and the advancement in clinical care both on the data management side and on the proliferation of medical devices.
Guerra: We’ve seen a lot of folks come from the infrastructure side. Some say that’s because there wasn’t a focused security discipline 20 years ago. It sort of evolved naturally from the infrastructure network. Does that make sense?
Erickson: It does. I think security has been part of our jobs in the infrastructure world for a long time, too. I think it’s a natural fit.
Guerra: The genesis of this interview was a release that you’re doing work with a company called Sepio. We’ll get into that. I want to build a framework around what you’re doing with them and the larger issue. It’s very interesting to me. Here are some of the phrases in the release: hardware security-related risk, physical layered vulnerabilities, weaknesses in physical security controls. This is a very specific type of security we’re talking about. We’ve talked a lot about medical device security. But this sounds like the larger umbrella issue we’re talking about, of which medical device security is a component. Is that correct?
Erickson: It is.
Guerra: Ok. Explain this issue to me at a high level. This larger umbrella issue again.
Erickson: Well, let’s start with two of the main risks we have in the industry right now. Social engineering is still a big risk we’re managing, and vulnerability management or configuration management. It really ties into those themes. We’ve been doing quite a bit with phishing and education and awareness and trying to help people understand those types of threats.
And on the technical side, we’ve been spending a lot of time with asset management, inventory, vulnerability management, patching—all of those things, to try and make sure that all of those opportunities are closed. But when you think of the next generation of attacks, as things get smaller and more sophisticated in technology for all of the good reasons that we’re doing things with medical devices and IoT, attack tools are getting more sophisticated and smaller. And those tools can be a mechanism to launch an intrusion in a company, just like a phishing message can. So, in this case with Sepio, we were looking for a product or a service that could help us identify things before they take any action. We were looking at this problem from our perspective of being an organization with 400 clinical locations. It’s a public institution for taking care of our patients. What if one of those devices wandered into our organization, accidentally or on purpose. In a lot of things, in our field, we’re monitoring the activity of things connected to our network.
But if you have an attack tool that’s designed to actually look like, or simulate or impersonate something that’s relatively benign, and it’s in your environment and it’s not doing anything, it’s pretty difficult to know that it’s there. Sepio has this technology that’s actually fingerprinting down to the peripheral device; mice, keyboards, everything. And they’re able to understand if that device has anything embedded in it, or an extra chip set that may not be what it poses to be or what it’s designed to do.
Guerra: The fascinating thing here is we’re talking about physical devices. Things you can hold in your hand. When I’ve been talking with people about medical device security, we’re talking about the securing of the medical devices that the hospital has actually purchased. These are actual legit hospital devices that we’re trying to protect from malware, correct? That’s one area. That’s one bucket. Now you’re talking about bad actors getting physically—how close? In the hospital, in the physician practice? Is that what we’re talking about? They’re inside with the physical device?
Erickson: That’s the opportunity that we’re trying to close. Think about it as, anything within proximity to a medical device or any other connected device in an organization. It doesn’t have to be a hospital. It could be a wireless device or a physical wired device that’s maybe got a key logger built into it, or it’s got some sort of keystroke injection mechanism — anything that could be physically touching a device or in close proximity to those devices.
Guerra: Because we’re talking about physical things, do we wind up as a CISO having more conversations with the people in charge of the physical security of the organization?
Erickson: We do. At our enterprise, we have a very robust risk management function. And cybersecurity is a part of that function. Physical security is a natural fit there.
Guerra: Can you tell me about some of their functions, some of those interactions. Who’s the key person. What’s their title? Not the name, but the title. Just so people understand. If you could give any advice about those conversations CISOs should be having.
Erickson: Think about it as a team of people. It’s not any one individual title. This is also a theme in organizations: cybersecurity is a team sport. You have to have conversations with procurement, finance, physical security, the business leaders that are responsible for those different business units. It requires that level of understanding of these types of problems – so that everyone understands the particular challenge you’re trying to face.
Guerra: All right. I want to read you another sentence from the release that you can go into a little bit. “Organizations may also fall prey to supply chain attacks where criminals target organizations with rogue hardware brought into their facilities either deliberately or by supply chain manipulation.” Can you explain that to me a little more?
Erickson: Sure. Think about this part of the supply chain as something that’s not happening in the manufacturing of the device, but what we’re thinking of is the last mile. When you think about the delivery of a piece of equipment, are we able to be sure that the equipment that was delivered is actually what was designed by the manufacturer. It ties back to our social engineering conversation. This isn’t about a prevalence of attack paths that we’ve seen. This is about shutting down an opportunity and being aware of these opportunities. If someone accidentally has a package substituted in delivery, or someone is unwittingly moving a device into our organization because they think it’s legitimate – that’s one attack path that we’re trying to address here. It’s possible that someone is purposely trying to do that and wants to implant a device. But it’s much more likely that someone is accidentally taking possession of something.
Guerra: This is probably hard to answer, but do you think that most CISOs are focused elsewhere and not on physical devices getting into or near the facilities and that so much of the focus is on what we call the traditional areas of IT security, and this is something that people had better start thinking about more?
Erickson: Our thought is we need to focus a lot of energy on the traditional stack. But we also need to think about the next generation of attacks. I think you cannot turn your back on this problem. I think you need to stay focused and make sure those traditional tools are still functioning, robust and continue to innovate in those spaces. For us, we were looking for another way to innovate in our threat management platforms and this seemed to be a natural progression for us. It’s not necessarily focusing on what’s prevalent, we’re focusing on reducing opportunity for these types of things.
Guerra: Do you think there are state actors behind the physical device type of attacks, where you’re getting that proximity? You can’t be talking about someone sitting in Russia. If there’s a device coming near your property. Are we thinking this is a different group of actors?
Erickson: I don’t know. I think that’s probably a better question for Sepio because I’m not in tune with the nation state threat actors. What I’m looking for is something you’ve probably seen quite a bit in the news, even something as simple as the credit card skimmers – when you go to the gas pump and your credit card is stolen. Those aren’t nation state threat actors, those are criminals just trying to steal money. Imagine that the criminals now find a way to pivot that strategy, and find a way to extort money, and do something malicious in an organization. I think it’s much more complex that just a nation state threat actor conversation. I think it’s thinking through the way organized crime might use this technology, as well.
Guerra: You’ve obviously thought a lot about this issue. It came into your world through your sources of threat intelligence. What can you tell me about the ways you stay current so that you say, “Hey, there’s something going on over here, and we have to start looking over here.” How do you do that?
Erickson: The simple way is to stay in tune with the innovations in advanced penetration testing tools and talking to people who are certified ethical hackers and do that for a living. There’s quite a bit of advancement. Even commercially available tools are becoming cheaper and easier to obtain, to use these proximity devices to help companies understand their vulnerabilities. Just like we’ve seen with software tools and social engineering, some of those tools end up in the hands of criminals and can be useful to them.
Guerra: Right. One of the other things mentioned was, the tool you were using with Sepio integrates fairly easily into security controls. That’s an important thing as a CISO, right? You can’t have one-off solutions all over the place that don’t work together. Tell me about that concept and your thoughts as you go into the marketplace and look for different holes to plug in your stack, so to speak, to make sure it comes together?
Erickson: I think a lot of people outside of our field think of security as needing some sort of technology as the secret to it, but really it’s your people and the amount of time you have. Those are the precious resources. Whenever you’re buying a tool, you have to take those things into consideration. How long is it until we see value in the tool? And how many people is it going to take to maintain and support and manage the tool? If we try and maximize those things; it’s a factor in business decisions, and Sepio happened to be something that was very lightweight and something very simple to install. And we saw value from it very quickly, without adding staff.
Guerra: What’s your process – and I imagine everybody’s got a different buying process? You’re not going to just sit there and let salespeople tell you how great everything is. What do you want to see? What proof do you want? Do you just say, “Show me?”
Erickson: And a lot of it comes from customer feedback, so talking to other customers who have already implemented the product. Sometimes it comes before a proof of concept, or a “try before you buy.” That’s not always what we do, because that can sometimes be a sales tactic as well. People come in and say, “Here, I’m going to show you where all your risk is, and then you’re sort of motivated to buy from that. For us, it was more of us looking at other industries, especially financial services, and some other areas that were early adopters of Sepio. That helped us with that decision.
Guerra: Security around third-party vendors is a huge issue now. I just had the not-so-stunning thought that even security vendors are third-party vendors. I’ve talked to different people, and people have programs in place. They may be somewhat automated, or they may be more manual. Some people have a program where, “Going forward, we’re getting really good with third-party vetting, but we’ve just got way too many vendors to go back and check everybody.” What are your thoughts around third-party security?
Erickson: I think it’s critically important because those third parties have access to our systems. They have access to our data, to some extent on a limited basis. I think it’s important for us to have quite a bit of scrutiny on those vendors, and it’s a risk-based approach, so the more data they have access to or the more likely that they’ll need remote access, to us, that pushes them up to criticality list. And then we spend more time scrutinizing those people. I think it’s also helpful to think about them as an extension of your organization. Their security has an impact on your security. I think in the future you’ll see more people adding that as a decision point – one of the more important decision points for an organization selecting a vendor.
Guerra: I’ve heard CISOs express some frustration with the level of security at some of these vendors who want to work with them. Have you been surprised at what you’ve seen?
Erickson: No, it doesn’t surprise me. It’s something that’s hard to manage and measure. There’s not a defined framework just yet. It’s getting better. But it’s difficult to say, “What is mature and who is secure.” Those third parties may have the intent; they may be working very diligently on these things; but they don’t pass certain peoples’ expectations. I think it’s an industry problem. I think we have to collectively get better at understanding what is the assessment framework. How do you assess what is safe and secure?
Guerra: And if you have hundreds of third parties that you are working with, and you do an assessment, that’s a snapshot in time. So, one year from now, that needs to be renewed and reviewed. There could have been a change in leadership where focus is lost and what was secure is no longer. So that makes it even more complex, right?
Erickson: It does. And I think there are some commercial products looking into continuous monitoring and trying to innovate in that space. There’s some work to be done there. For us, we do periodically go back to the venders, and we are also using managed services, so if they’re working with another client, and they see an issue that we haven’t assessed in the last couple of months pop up on another client, we get an alert on that. I think you have to have a team of people focused on this, and you have to be pretty diligent about these things.
Guerra: Let’s talk a little bit about zero trust. Usually when I ask CISOs about zero trust, they like it. They’re interested in it, but they’re a little intimidated by it. They’ll say they are working towards it, but it’s very aspirational at this point. It may be a year, or two years, or three years. What are your thoughts around zero trust?
Erickson: As a concept, I think it’s wonderful. It has to be applied at different layers of the organization, though. It’s not one thing, and it’s not one particular solution. The only criticism I have about it is some people want it to be simple and linear. It’s not. It’s really about authenticating people and things and making sure you know what is intended to be used on your environment network-wise. With the proliferations of impersonations and peoples’ attack paths that use an existing person’s authentication, or use an authenticated device, zero trust is a big challenge. But it’s a combination of things: network authentication, two-factor authentication, different layers of controls. Sepio’s part of our zero-trust platform. I think it’s something that has to be plugged in at all layers of the organization.
Guerra: One of the other areas that can be challenging for large organizations like yours is shadow IT, gray IT, purchasing that happens without the traditional controls. It doesn’t come through you. I know a lot of people are trying different ways to make sure that doesn’t happen. Through financing, purchasing, contracting—all stopgaps where things get flagged for sign-off from the CISO or from security. Most people, again, make it sound like this is a work in progress, and not a lot feel that they’ve got this totally locked down. What are your thoughts?
Erickson: I think that’s another value proposition for us, working with a hardware access control like Sepio because let’s say you’ve got a person who’s new to the organization and they are cost conscious. They want to buy something that saves the company money. They may look to a refurbished piece of equipment, or they might want to use something that’s a lower-cost option or buy something from an unauthorized vendor. And they think they’re doing the right thing. Or maybe you’ve got somebody who’s trying to reuse an old piece of equipment. Their intentions are pure. But they may not understand the risk of that decision. Being able to monitor the existence of things and understand when that’s happening is really important. Not just on the software side. I think it’s really important on the hardware side, as well.
Guerra: Many people say you need an employee base with a good security culture. If people don’t care, all the tools you put in place don’t matter. It’s not going to help. You’re going to have problems. Is that almost another part of your job? There’s the technical side, and then there’s, “How do I work with HR? How do I work with my peers? How do I get people to care and educate them to understand that there’s a patient care element to this?” There are patient safety risks if you click on the wrong thing, and we wind up having to go on paper for a month. What are your thoughts around that and making that part of what you do?
Erickson: I think cyber-hygiene is an organizational change-management problem. I’m grateful that at our organization we have this collaborative spirit. No one’s expecting the security team to solve these problems. It’s something where we talk about behaviors and education as a team. An important thing for organizations to do is to start thinking about it as a business risk, not as a technical risk. And really think about it in every process that you implement. Making sure that people understand how to safely proceed with their business process.
Guerra: How are you seeing the talent market? Are you able to fill the roles you have open? Are you able to maintain people? Do you see either a current or coming shortage where you can’t fill positions despite paying a pretty good rate? What are your thoughts around the IT security talent market out there?
Erickson: I think it’s a perfect time to get into the IT security market. I would encourage everybody to explore it as a field because we need more people. I’m actually optimistic about it. I’ve got relationships with lots of colleges and universities, and I just see so much interest in this field. And people are asking how to get in and how to add value. And I think it’s a good time for the industry to embrace that and find ways to bring new people into the field instead of looking for people who have a high level of credentials or some level of experience. I think it’s a perfect time to bring in people without that experience, help train them and inspire them, and I think we’ll be surprised at how big this population of candidates will become.
Guerra: Are there any key traits you’re looking for in someone at that level who doesn’t have the experience? What do you want to see from them?
Erickson: We want people who care about the organization’s mission and what we’re doing. That’s very important to us. We also want them to be inquisitive. We want them to think about and understand the intended uses of technology and also understand the unintended uses of that technology. We look for the marriage of those two skill sets.
Guerra: As a CISO, what would you say to our CIO readers about what CISOs need to be successful?
Erickson: First of all, I’d say thank you to all the CIOs because it’s not possible to function as a security team without having that strong relationship with the IT teams. It’s a journey that we’re on together. I would say to CIOs, “We are partners in this.” They can focus more of their energy on intended uses of equipment, assets and technology. And CISOs can step in, and help be responsible for managing the unintended uses of that technology.
Guerra: Do you have any advice for your CISO colleagues who haven’t been as focused on the core issue that we talked about today?
Erickson: Stay open to new ideas. Continue to be inquisitive yourself. It’s difficult to decide what to do and when to do it in this business, but I would just say stay inspired, stay focused and embrace your business partnerships because those are going to be your best allies in this fight.
Guerra: All right, Michael. Thank you so much for your time today. I really appreciate it.
Erickson: It’s great to spend time with you, Anthony. Thank you.