Healthcare is abuzz with talk of artificial intelligence. And when it comes to cybersecurity, that buzz is about both how the bad guys are going to use it and how the good guys can apply it to defense. But Ryan Witt, VP, Industry Solutions, Healthcare, Proofpoint, warns that today, the time of small- to mid-sized health systems is better spent on basic blocking and tackling, especially around the major threat vector of email. Amazingly, he adds, some of the foundational steps for email security are still not in place. In this Live @ ViVE interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Witt covers these issues, the Health Sector Coordinating Council’s efforts to consolidate and simplify guidance, and whether mandatory cyber guidance should eventually become a reality.
Podcast duration: 18:32 (12.7MB)
Bold Statements
If I had to guide anybody in terms of, where would you focus your time and effort, we’re really blessed in healthcare with the 405D program and the document they produced that’s called HICP. They also put out very strong, very worthwhile, guidance all around cybersecurity preparedness.
It feels like we still haven’t shaken away from the Meaningful Use era when we were all focused on the patient record. We were all focused on the things that gave us funding for the patient record, and not those conditions that were security related, which were actually much more regulatory-related, compliance-related, and so we made investments in that direction. We did not make enough investments in security, and I don’t think healthcare has ever really caught up.
… there’s now a strong understanding that cyber events are related to patient outcomes. We’re no longer just doing these things because it makes good sense financially, or because there’s some compliance measure we’re trying to meet, or because we care about our reputation or whatever.
Anthony: Welcome to healthsystemCIO’s Live @ ViVE Interview with Ryan Witt, VP of Industry Solutions at Healthcare, Proofpoint. Ryan, thanks for joining me.
Ryan: It’s great to be here, Anthony. Live at ViVE. I mean, it feels like I’m live at HIMSS, my goodness.
Anthony: Well, we’ll be there in two weeks.
Ryan: Right, right.
Anthony: Let’s start off with a little bit of a background on Proofpoint, a little bit about your organization and role.
Ryan: Proofpoint is all about human-centric security. There’s this acknowledgment now that the bad actors are really focusing their efforts on attacking humans and how they work. Proofpoint tries to help organizations mitigate against that; so protecting humans and then ultimately defending what’s often the ultimate target – data. So we defend data, defend people how they work, and try to prevent data exfiltration.
Then, from my standpoint, I focus on creating that aperture really around healthcare, so that we are building out solutions and strategies to go make sure that healthcare industry customers have a great experience working with Proofpoint.
Anthony: Very good. We’re here at the show, and every year there seems to be a different buzzword; blockchain was one that was huge a few years ago. Obviously, the pandemic stuff in the middle and now we have AI everywhere, in every conversation, what’s going on with AI, what are people doing with AI, and they want to know what their vendors are doing with AI, what the bad guys are doing with AI, all kinds of stuff. I’m sure you get asked all the time by customers and prospects about what you’re doing with AI. Your thoughts?
Ryan: You’re absolutely right. I think, unlike blockchain where that might have been a moment in time – I don’t want to diminish blockchain, but it might have been a moment-in-time topic – I think AI is not going away. I don’t think it’s a moment in time, it’s going to ultimately revolutionize how we all interact with technology going forward.
But I think it’s also important to temper it a little bit. Every customer wants to understand what their vendors are doing with AI. There’s an expectation that there’s significant investment in AI, and that’s conversations I have on a very regular basis, and we are certainly making significant investments in AI and had been for many years.
At the same time, if you look at everything from every hack or cyber event that has occurred for the last week, months, year, or two years, it really is still a lot of all the old-school attacks. Phishing is still a very prominent way people are attacked. The desire to obtain credentials is essentially still the nirvana state, so I don’t know if you’ll see a significant need to go to sophisticated AI-enhanced attacks when, clearly, you just look at the news cycle in the last 40 hours in healthcare, the old-school attacks are still prevalent and are still working.
That being said, we’ll still be in an arms race. Vendors will be investing in AI and attackers will be as well. The one caveat I would give to all these comments is that something like two-thirds of the country and the world are going through a significant election cycle in 2024. So I do think you’ll see a prominent uptick in deep fakes and AI-style attacks raising the overall temperature on cyber events.
Anthony: It sounds like you’re saying there may be some exotic attacks but they may be the outliers.
Ryan: I’d be really much more interested in doing your basic blocking and tackling first. Like almost every healthcare institution we talk to, they have got to make trade-offs when it comes to their investments, put investments in people, in technology, in processes, in training; so I’d be really layering my investments, layering in my security controls, to block the more basic, old-school attacks before I worry about blocking AI-style, deep-fake attacks.
Anthony: Right. We don’t really know anything about the Change Healthcare thing? Do we know about the entry point?
Ryan: Probably not a lot we can say right now.
Anthony: That’s what everybody is talking about.
Ryan: Yes. It’s absolutely what everyone is talking about in the conference. But it goes back to what we’re talking about – healthcare is still significantly under attack, will remain under attack for the foreseeable future, and so making sure you have all your controls in place to mitigate against the attacks.
Anthony: Right. It’s under attack, some people say, because it’s got a lot of juicy stuff, so to speak, for cyber criminals, the healthcare personal data, clinical data, it’s got all the social security numbers and, sometimes, the credit card stuff too. But you also could be heavily attacked because you’re the weakest point, right, you’re the weakest link? I guess if you combine those two, you’re super ripe for attack.
Ryan: We have a lot of reasons why healthcare still gets attacked. I mean, for all the reasons you just stated, many healthcare institutions are a rich source of research data. They’re a rich source of access to controlled substances. ID theft, they are a strong platform for stealing someone’s ID. There’s still a strong monetization angle at healthcare. So healthcare has so many different reasons to get attacked, and they’re so much more attractive to the threat actors for all those reasons.
Anthony: Your organization, you work to help people around email. One of the things that’s been discussed recently in cybersecurity in general has been an excessive amount of guidance information, frameworks, a lot of stuff coming at CISOs, and for organizations that don’t have a strong CISO, it can be a lot coming at you from a lot of areas that are all trying to help you, but it could be difficult to figure out which way to move forward.
HICP came out of 405D, which is supposedly a pretty good document to move forward. Now you have these HPH-CPGs coming out. They’re voluntary right now, they may be mandatory at some point. They’re supposed to line up with HICP and NIST and all that stuff is supposed to work together.
My question to you is two-fold. What do you think about this concept that we see of a desire or an attempt to simplify guidance and coordinate guidance coming at security professionals? And then in the area that you deal in, what are they calling for and requiring that health systems do around email?
Ryan: Those are two great questions. I do agree, yes, there’s a plethora of framework certifications, guidance and lots to get your head around. If I had to guide anybody in terms of, where would you focus your time and effort, we’re really blessed in healthcare with the 405D program and the document they produced that’s called HICP. They also put out very strong, very worthwhile, guidance all around cybersecurity preparedness.
A lot of that maps back to NIST. If you have to pick in healthcare, if you’re going to go pick one area to focus on, I would really look at the work that the 405D team has done. It’s often been said we won’t know until we get there. By the way, we may not get there, but if there is legislative appetite to go bring in new regulations, to bring in new fines, to bring in grant money to go invest in cybersecurity, it’s highly likely that they will put requirements in place that map back to 405D guidance.
It’s a public-private partnership. I think it’s generally very well received, and I think the guidance is granular enough that it’s applicable to multiple sizes of organizations. I think it is the bellwether going forward for cybersecurity frameworks in healthcare. If I had to map the one thing, that’s what I would map to.
Anthony: Yes.
Ryan: In terms of the best practices that they would talk about as it pertains to email, you have at the basics – you want to make sure you have a strong advanced email security gateway installed in your institution, make sure you have the right firewall, make sure you have the right antivirus installed. That might sound overly basic, and I would understand if it did, but I’m harking back to HIMSS research data which showed there’s still around 10% of organizations who don’t have a firewall installed, 15% of organizations don’t have anti-virus installed. It’s important to remind everybody that they need to have those basics in place.
Going beyond that, I would say you need to have a strong focus on authentication. We are seeing that fraudulent-type attacks, fraudulent email attacks, impostor email attacks, work. Using authentication to absolutely verify that the recipient or the sender of those emails is who they say they are, is really, really important to helping plug a very porous security hole right now. I haven’t seen recent numbers on it, but I think it’s something like only around 25% of healthcare institutions have say, DMARC, for example, deployed. So there’s a long way to go for other healthcare institutions to make that investment.
Anthony: Does it shock you that those numbers are so low?
Ryan: Yes. Yes and no. I talk to healthcare teams regularly so I understand the challenges, and I understand all the security holes they have to go address. It feels like we still haven’t shaken away from the Meaningful Use era when we were all focused on the patient record. We were all focused on the things that gave us funding for the patient record, and not those conditions that were security related, which were actually much more regulatory-related, compliance-related, and so we made investments in that direction. We did not make enough investments in security, and I don’t think healthcare has ever really caught up.
Anthony: To your point that you make all the time, email is the number one vector that your attacks are coming in. You mentioned a few things, authentication, DMARC, the basics. There is a finite number of things that are doable, right. These things are doable.
Ryan: They’re doable.
Anthony: It’s not an endless list. You don’t need to read a 300-page paper to understand it. If it’s the number-one vector and there’s a few basic technology-focused things. I know education is another part. But it’s just like: you’ve got to check this box and get it done, right?
Ryan: You do. We work very closely with other industries as well. For example, financial services, where they place a tremendous amount of importance on speed of transaction. They’re always waiting for the new chip that will make them a nanosecond quicker. Healthcare isn’t waiting for anything. Everything healthcare needs to solve all these problems is readily available technology.
Anthony: That’s interesting. That’s a very good point. Let’s talk a little bit more about what could be coming out. So as I said the HPH-CPGs are voluntary, are you in favor of some minimum requirements? Do you think that would help the industry?
Ryan: Healthcare is historically a compliance industry. If a higher authority, a government authority or a state authority says, ‘thou shall do, dot, dot’, healthcare has shown in the past, they will adhere to the legislation or regulations. Things that are suggestive, they don’t seem to work. Should these things be mandatory? Yes. Do you therefore want to have a carrot or stick approach? That’s a different tone of conversation. Maybe you do a little bit of both, right?
Anthony: Right.
Ryan: I think healthcare definitely gravitates towards that government behavior and they’re used to that. To me, that would make sense for the industry.
Anthony: Well, everyone says that small and rural health organizations will need some help on the resources side if there are mandatory cyber requirements. Are you sympathetic to that argument?
Ryan: Right. I’m very sympathetic, which is why I think sometimes there has to be a carrot. If you want us to embrace and adopt these capabilities, the government will fund it to whatever extent. I don’t know how that’ll work. But I don’t think it has to be punitive. In other words, they can’t be like, ‘you were told what to do, you didn’t do it, therefore, we’re going to fine you.’ I don’t think that works – that’s not the right solution.
Anthony: Right.
Ryan: Certainly not for them.
Anthony: Anything else interesting that you’ve seen at the show here that people are asking you questions about, or any final thoughts?
Ryan: I think it’s a really interesting time for cybersecurity. I think the two things that I’m really encouraged by is the strong guidance coming out of HHS in the form of 405D, how there does appear to be a pathway to that becoming legislation. Now, we’re in an election year, is there a legislative appetite? I don’t know. We’ll see. But there seems to be a path there.
Then, secondly, there’s now a strong understanding that cyber events are related to patient outcomes. We’re no longer just doing these things because it makes good sense financially, or because there’s some compliance measure we’re trying to meet, or because we care about our reputation or whatever. Yes, those are obviously drivers, but we’re doing it more and more because we recognized that we can’t meet the vision of the institution. I think that mindset change is really valuable in terms of getting boards and executive teams to put the right level of investment to go solve some of the cyber challenges that we still have.
Anthony: Very good, Ryan. I want to thank you so much for your time today. I really enjoyed it.
Ryan: Likewise, good to see you.