Published February 2021
Cybercriminals still have their sights trained on healthcare organizations, but their efforts are becoming more sophisticated and focused. Current attacks rely on email, with criminals researching potential targets using publicly available information on Google, LinkedIn and Facebook, and studying the inner workings of healthcare organizations to find vulnerable targets with certain levels of responsibility and reporting relationships. The COVID pandemic has complicated security efforts because healthcare organizations are interacting with many more partners, primarily through virtual means. Now more than ever, provider organizations need to up their sophistication in training staff and supplying them with the right technology, says Ryan Witt, managing director of healthcare at Proofpoint. In this Partner Perspective interview with Anthony Guerra, Founder and Editor of healthsystemCIO, Witt lays out commonsense next steps for security staff at the nation’s healthcare organizations.
Guerra: Ryan, thanks for joining me today.
Witt: It’s great to be here today. Thank you for the time.
Guerra: Tell me a little bit about your organization and your role.
Witt: Proofpoint is focused on protecting people and how they work from cybercriminals. Cybercriminals these days really focus their attacks on people and focus their attacks on leveraging their style of work, their interactions, and cracking those to unwittingly co-opt them into their crime. I’m the chair of the healthcare customer advisory board, and I also run the healthcare industry practice. My emphasis is squarely focused on making sure that we deeply understand the healthcare industry use cases and that we’re solving for those use cases so we can better protect the healthcare institutions and those in the industry.
Guerra: So you mentioned the email attacks. Would you say that’s the main threat facing hospitals?
Witt: I think people are being attacked. If we had this conversation a few years ago, there would be talk about network-based attacks; there would be talk about zero-day attacks; there would be talk about patches that weren’t being deployed. And then the cybercriminals were basically exploiting each one of those areas to try and launch malware against an institution. These days, almost all of their activity is focused on attacking people, and almost always, they’re doing that by email.
HIMSS released its 2020 cybersecurity survey in December, and it said 89 percent of all attacks come by email as the initial point of compromise. So if you had to solve one thing and one thing only, that would be the area, at least according to HIMSS, that should get your attention.
Guerra: So we have to assume that criminals are not stupid. So if they’ve changed their tactics from what you were talking about before – exploiting the technical holes – to this targeting people through email, they have found this to be the easier, more fruitful line of attack.
Witt: They have. I think what they realize is it’s a lot easier to understand your health system, your environment, the various job functions within your health system, the hierarchy of how your organization works. They can do a lot of this work on Google; they can do it on LinkedIn. They can social engineer their attacks to you; they can craft very compelling, very relevant, very timely lures in the form of an email and some form of call to action to compel you to interact with them. That’s easier to do than deeply studying network security or becoming a network administrator and trying to understand where there might be a little vulnerability in someone’s environment. So yes, they absolutely do that.
We’ve seen several examples, just through COVID for example, of how the COVID story line has evolved. We’ve seen several examples where they’ve changed their lures, they changed their emails, they changed their form of attack on email. So early on, their lures might have been around frequently asked questions: Hey, you’re trying to understand about coronavirus and COVID and what it means, and here’s an email purported to come from WHO or the CDC. As the pandemic has increased, they were then using the lack of PPE supplies as a lure; they were then using the CARES Act as a lure – learn more about the CARES Act, get your stimulus funding. They were using the need to go spin up telehealth and portals. So as the story line has evolved, they have changed their lures.
Guerra: Social engineering has been around for a while, but there’s more information out there. Is that a big difference from the past?
Witt: I think it’s a huge difference for a couple reasons. The barrier to entry is much lower, so if you are a cybercriminal gang – and almost always these days, they are some form of organized cybercriminal gang attacking health institutions, at least at scale – it’s much easier to go train your team to go surf LinkedIn, what to look for on LinkedIn, how to use Google. That’s a lot easier than it is to go read a technical manual on network architecture. Not only is the barrier to entry a lot lower, but to your point, there’s a lot more information out there, and if I take a little bit of time, I can understand deeply any individual that I want to target. I can understand who they are, where they live, what their work-life is like, who they report to, if they’re on vacation or they’re away on business.
So building up a picture of an individual is pretty straightforward, unfortunately, and they can then learn how a health institution generally works, what does this job title mean, what does this job title typically report into. So they can go figure out where the vulnerabilities are within your health system, and therefore, who are the right people to attack. And make no mistake, they are targeting in that way because they want to find a monetizable event.
Guerra: A lot more information, a lot more sophistication and a lot more thought being put into this, it’s no longer the typical attack about inheriting money from a prince in some far-off country. We’ve come a long way from that.
Witt: But if you think how long that lure lasted, it lasted so long because it was impactful. That was the forefather of this kind of attack.
Guerra: Let’s talk more about the supply chain; so that’s around COVID. At a high level, it’s all about being super-targeted. COVID has opened up a lot of communications with new parties, and that’s provided an opening, because now it’s not strange (to get unexpected communications). We’ve talked before about this, and they find out what’s going on, either from a macro, industrywide level, or from a micro level, what’s going on in a health system. They spend a lot of time thinking about what the pitch is, and who the pitch has to go to.
Witt: I think the way they’re impactful here is they need the receiver of this email to interact with their lure. The type of email they’re sending these days, for the most part, doesn’t have a link embedded in it, doesn’t have a file to download – so they’re not being caught by the traditional filtering technology that keeps malware from the recipients. So what they’re doing is they’re asking for information to cultivate a relationship, to try and extract information from you. If you’re a bad actor trying to penetrate a health institution, it’s a lot easier to do so by purporting to come from one of your already identified partners, whether one of your business associates or a medical device supplier, or in the use case you identified, a contractor who is building out a wing or doing some work for the hospital.
So if you are able to mimic or send an imposter email purporting to come from these institutions, right away the red flags are not raised, because they’ve done the homework to find that “John Doe expects to receive an email from this individual.” It’s not out of character to receive that email, because you’ve done the research. And then they craft an email that John Doe would expect to receive because topically it makes sense; it’s aligned to his job function. And so those have a lot more success in terms of getting clicks or getting information. So the supply chain, we have found more and more, is a huge area of focus for bad actors, and we think it’s a trend that will definitely continue.
Guerra: So you’re saying a lot of these emails are just text, and there’s no link because people have gotten pretty good about not clicking on links. Do you see them trying to turn that first email into a phone call or even a video call as sort of the next level, or do they want to handle all this through email, the scam?
Witt: I think it’s a really good point. I don’t think we should underestimate how patient cybercriminals are these days. They’re not looking to hit a home run with the first email; they don’t need you, like exploits of yesteryear, to click this link, boom, I’ve got you. They’re very happy to walk you through the process, and the process will be befriending you, cultivating the relationship. And then, three or four emails in, they’re going to ask you for something; they’re going to say, “Hey, can we have a phone call?” Or can we interact in some other way? And that’s when they’re going to say something like, “Oh, by the way, we have changed our bank, so can you now send all future payments to this new bank account.” I’ve never even asked you for any information as a bad actor; I’ve just provided you, because now we have this relationship and you trust me, I’m just asking you to redirect future payments to a new bank account. So that sort of a cyberattack very much relies on the individual taking time to build a relationship with a cybercriminal – unwittingly, of course. They were unfortunately being duped into this exercise.
Guerra: When you talk about building the relationship, it’s like a good salesperson – you build relationships. But then at some point, the pitch comes, the close comes. I want to get your thoughts around at what point is this not cybercrime. It’s an email, but it seems like a regular old scam.
Witt: I think it is cybercrime. Where the term crime becomes difficult is because the typical legislation that we tend to default to with regard to this area didn’t really contemplate this sort of activity. So it may not run afoul of HIPAA regulations, for example, but there is a crime being committed, there is harm being done.
Guerra: Oh no doubt, I’m with you on the crime. The word cyber, that’s what I question, I wonder if it’s just regular crime. Your tools help you detect the malicious links; what kind of services do you have to help protect organizations when there aren’t phony links?
Witt: There are things you can do. The first area is I would definitely incorporate education into your overall cybersecurity culture and cybersecurity defenses. So regular training, simulating attacks, and penetration tests are great ways to teach your users about how to spot a possible attack and how to spot potential cybercriminal activities. So using common lures in the marketplace that are very crafted for healthcare, exposing those lures by training your staff and your teams is very important. Furthermore, recognizing through threat insight, through data, who within your organization is more likely to be attacked is also really key.
So, I mentioned to you previously that they are looking for a monetizable event. Each health institution is a little bit different, but there are definitely functions within your health institution that are more valuable to a cybercriminal than others. So for example, if you have any sort of clinical research component in your institution, it’s quite likely they will be attacked, and typically by nation-state actors, by which we mean the higher end or the more sophisticated end of the spectrum – those who are looking to steal intellectual property and therefore have much more sophisticated tools and techniques to penetrate that. So if you know that, it can be an area of further training and developing capabilities or controls that you can put in place to protect that environment.
Back to your supply chain example, if you are a team that deals with the supply chain, you’re someone who has to deal with invoicing or issue payments, those people are being much more highly attacked, so they are definitely candidates for not only advanced training but advanced controls. One of the controls I would definitely look at is putting in solutions around how do you basically unmask imposter emails. Imposter emails are really hard to detect through conventional security tools because there’s no link, there’s no document to download, so they tend to get through a lot of the conventional email tools.
But if you could deploy domain-based or message authentication tools like DMARC – DMARC is a standard that allows email authentication to help stop spoofed emails before they basically defraud your employees or your clinical team or others. So DMARC is a capability that says, “Is this email really coming from who it purports to come from?” There are protocols in place with DMARC, which is an industrywide standard, which allow you to understand very clearly who this email is coming from; even if it’s masked in the header and it appears to come from a trusted source, DMARC can do that under-the-covers authentication. That would be one very important capability I would look at.
Another capability that is really important is recognizing within your environment who potentially is, as we would call them, a “happy clicker,” more prone to click links when they appear, or has the job function or job role where they just have to interact with those third-party apps, and have to click links and have to download stuff. It’s just the nature of their job function – they’re not doing anything wrong; it’s just because of the way they work, it puts them at more risk. So there is something called isolation technology where you can go and isolate some of that traffic so you can essentially allow that user to go do their job, but click the link in a containerized environment so that there is no exposure to the broader health system network from interacting with that link or downloading that document.
So maybe your supply chain team, you offer that, or maybe if you have a large number of third-party consultants who have legitimate reasons to go look at third-party webmail tools or other sort of cloud applications that are not authorized by your systems, you can allow them to have that sort of engagement and work with those tools in a containerized, isolated environment.
Guerra: So that’s not something that you would want to roll out to everyone? It doesn’t make sense or it’s too expensive or it doesn’t scale? You want to target that to people who are at high risk?
Witt: It’s not a scale issue, but it’s looking at who is the most vulnerable part of your environment. You could offer everybody the Cadillac or the gold standard. If you can offer everybody that gold standard, it’s not a bad thing, but it’s probably not appropriate for most institutions, and it’s probably going to be overkill for a lot of job functions. But if you could identify who is more vulnerable – who does work in a way that makes them have to click those links and download those documents – you can offer those technologies or things like multi-factor authentication. Maybe not all 50,000 of your staff need to have multi-factor authentication, but some do. In the same way, some may need advanced security awareness training, some might need isolation technology. I think it’s more about trying to make sure and understand who is being attacked and, therefore, trying to figure out what controls are best for their workflow.
Guerra: Let’s talk about CIOs and CISOs. You’ve probably seen all kinds of setups. Is it as simple as if an organization is large enough, they have a CISO who is in charge of security. If it’s not big enough, then you have a CIO who is in charge of security. What are your thoughts around that and different reporting structures? Have you seen any kind of reporting structure that’s been problematic in your experience?
Witt: I don’t know if I’ve seen one reporting structure more problematic than the other. I’ve heard some respected CISOs in the community, in conversations like this or in other webinars and panel discussions, opine that at some stage maybe the CISO will ultimately report into the CMO or CMIO and that cybersecurity will more and more be seen as a component of patient safety. And as those are the stewards of patient safety, we have to maybe roll that function into those job areas. The thinking is if you have a cyberattack against you as an individual, if your identity is breached, to your well-being that is as impactful as having the flu or a more clinical challenge, and so when we treat patient safety, we should include cybersecurity and good, strong data hygiene in the overall patient safety umbrella.
And certainly, where I do see structures that work more effectively, at least in my experience, is those CIOs and CISOs who can make a connection to building out a cybersecurity posture that’s akin to building out capability to better serve our patients and protect our patients. It’s not just like an insurance play – we hope never to use this technology, we buy it because we have to. No, it’s that you have to adapt to your patients in other areas, because you want to protect your patients, and by the way, you invest in cybersecurity technology because you want to protect your patients.
Guerra: To me, the last 15 years, the degree to which cybersecurity has been elevated is unbelievable. To me, any forward-thinking organization, the security role has to be right up there in the C-suite. People know it has to be built in from the beginning. You can’t treat security as an afterthought or as an annoyance. I think CISOs have gotten much better at being enablers rather than being seen as impediments.
Witt: I agree with all that – I think (CISOs) are a lot better at that. What’s also interesting is that we’re seeing more transformation of roles, those people who are rolling out these digital transformations recognize that the sanctity of the patient-doctor relationship is still really important – it’s probably the most important professional relationship that anybody is ever going to have, and the vulnerability of that relationship is much higher if you have a virtual sort of engagement. So therefore, to safeguard that relationship – to make sure we are able to preserve the importance of that relationship – it behooves any institution that’s on a digital health journey to make sure that they’re building in all the important security safeguards to preserve that relationship along the way. Because if you fumble the ball virtually, and you don’t have that eyeball-to-eyeball long-term relationship to fall back on, how likely is that patient to say, “You know what? I’m going to go to another institution that can treat my data more securely.” I think it’s easier to leave your health institution if everything is only digital. I think recognizing that and trying to build out a security posture accordingly is critical.
Guerra: How long have you been in security?
Witt: I know I look very young, but all of this century, I want to say.
Guerra: Do you see some common elements in people who are drawn to this?
Witt: I guess I will answer the question a little bit differently. I was drawn to healthcare first because I see a commonality about people who choose to work in healthcare. Now I don’t directly work in healthcare; I’m not in the savings lives business and I don’t want to overstate my importance. But, I am a technologist who works in cybersecurity. I actively choose to work in healthcare and have for many years because I feel better about this mission, the nobility of this industry, the importance of this industry, and doing my best within my very modest ways to help this industry out. So I find a commonality of people who choose to work in healthcare.
With regard to cybersecurity, there is also a commonality. There is a law enforcement overarching theme to people who gravitate toward cybersecurity. A lot of people who are ex-military gravitate toward cybersecurity roles. A lot of the language, a lot of the techniques are borrowed from military history and military strategy, albeit all done in a virtual cyber sort of format.
Guerra: You’ve got to want to stop bad guys.
Witt: It’s like catching bad guys. It’s a big motivator.
Guerra: Any other thoughts you have? I don’t know if you want to talk about security talent. I know hospitals are always trying to find talent.
Witt: A couple of things. One is there is perpetually going to be a challenge finding cybersecurity talent, it’s a challenge in healthcare more broadly. Healthcare doesn’t quite pay the way other industries do, so healthcare is always going to have that risk. To me, it’s about finding people who want to work in this industry, and often if you just get exposed to this industry, it’s easy to fall in love with it – it’s easy to be really touched by the magnificent work these people do and want to be part of that.
I think health institutions should make broader investments in cybersecurity, and I think that will help their ability to pull talent. One of the things that was very concerning in the recently released HIMSS Cybersecurity Survey was that the amount of what I think we consider to be standard cybersecurity technology currently deployed in hospitals vs. other industries is very poor. Things like encryption or data loss prevention or isolation technology, just to pull out three or four. When you talk about adoption rates in healthcare, if the HIMSS data is accurate, it’s a 30 to 40 percent adoption rate, where those technologies elsewhere would be in the 70 to 80 percent range.
One way to improve your overall cybersecurity posture is to make those investments, automate as much as you possibly can, and also show that you are serious about addressing that problem, and then task someone by saying, “We’re going to invest in your ability to be successful in this role, and we’re going to tap into your knowledge about how you’ve done this and allow you to build it out here.” That commitment to that investment might be a way to attract new cybersecurity talent into healthcare.
Guerra: I have to ask you the question about what keeps you up at night.
Witt: I feel a lot better about what I’m going to say than I did a couple years ago. I think during what I call the Meaningful Use era there was a lot of money on the table to build out EMRs, and so healthcare institutions were very focused on getting that grant money, implementing the EMR. Unfortunately from a cybersecurity standpoint, there was way too much emphasis and focus on checking the box and meeting compliance standards, and knowing pretty well that they weren’t being secure, and we put people’s lives at risk. And there are a couple of reported cases overseas where cybercriminal attacks have directly caused people to lose their lives or have absolutely interrupted surgical procedures. There are a couple of hallmark examples in the Northeast where oncology departments couldn’t deliver services for up to six weeks.
What concerns me more and more is whether the cybercriminals have this plan in place; they’re nefarious and heinous, and they just don’t care how their activities can cause real harm, physical harm to patients. We, as an industry, need to be cognizant of that and make sure we’re doing all we can to make sure that it doesn’t happen.
Guerra: When you mentioned meaningful use, we know security and interoperability didn’t come along for the ride.
Witt: They did not. Neither one of those came along for the ride. They’re both big challenges facing the industry because we didn’t really tackle those issues.
Guerra: So now everybody’s working to try and catch up. So we’re on a mission; the CISOs, like yourself, are mission-driven, so I think they really appreciate the messaging today, and you’ve given them some solutions and some things to think about. Thank you so much for your time today.
Witt: Thanks Anthony, I really appreciate it.