Published December 2019
Proofpoint’s managing director of healthcare says the data not only reveals people are being targeted, but which people.
There is no doubt security is top of mind with just about every healthcare IT executive. But according to Ryan Witt, managing director of healthcare with Proofpoint, many of those executives are making their security investments in the wrong places. That’s because while focusing on the network is still the defense of choice, cybercriminals have changed tactics, and are now actively leveraging social media and other public information to profile and target select individuals at health systems. The good news is that their favorite targets have been identified by the good guys and can thus be better protected. In this interview, Witt discusses the new reality of healthcare IT security and how professionals can best respond.
Podcast duration: 22:30 (18.0 MB)
Guerra: Hi Ryan, thanks for joining me today. I’m looking forward to chatting with you about the state of security in the healthcare industry.
Witt: Thank you for making time. Looking forward to it.
Guerra: Very good. Why don’t you start off by telling me about your organization and your role there?
Witt: Sure. I work for Proofpoint. Proofpoint was founded 17 years ago and we really do have our heritage and our DNA around email security. We’ve evolved quite significantly since then, and we are now a leading cybersecurity key player in all aspects of protecting what in healthcare is the most vulnerable attack vector – which is the people.
We have a comprehensive range of solutions around targeted attacks, safeguarding data, training people to mitigate against those attacks, et cetera.
My role within the organization is the managing director of the healthcare industry practice. I have a tunnel vision on healthcare. My job is to make sure we’re doing the right activities and the right initiatives so we’re focusing adequately on healthcare as an industry segment.
Guerra: Based on the way the company is set up – you’re the head of healthcare and Proofpoint covers other industries as well – I would imagine you get together with your other managing directors in the company and talk about what everybody is seeing in different industries. That probably gives you some unique insights.
Witt: Yes. We have a significant threat intel research team as well. We are able to have a pretty good lens and insight into the key attack vectors, not only across the company but within various segments.
Also, because of the investments we’ve made in healthcare, we can be very granular in terms of our understanding of where the attacks are happening and how they differentiate. For example, we can go look at small, medium or large health systems based on bed count. We can look at pediatric care institutions. We can look at ambulatory clinics. We can look at teaching hospitals and we get even that level of insight in terms of what’s happening in the landscape.
Guerra: And so you might notice attacks differ by size and type of institution?
Witt: Yes and no. At the broad-scale, yes. The similar types of attacks are happening for all industries and all industry segments. More granularly though, it absolutely depends on the nature of someone’s work or the profile of their institution, or the part of healthcare they are focusing on – that does raise their overall profile with cyber-criminals and does mean they are more predisposed to being attacked in certain instances. We can capture that from an intel and research standpoint.
Guerra: You mentioned that cybercriminals are now targeting specific individuals they have profiled. Can you talk about how and why someone becomes a target?
Witt: I think it’s an interesting dichotomy in terms of how the cybersecurity marketplace is working today. If you look at where the investment is occurring on the healthcare side, you still see a lot of investment in protecting the infrastructure, the architecture, the network, and we say that’s where the defenders are placing their bets. If you look at where the attackers are attacking, they’re very much attacking people, and they’re largely attacking people based on either their profile within their organization, their access to important data or based on how they work.
They might work in a vulnerable way, so to speak. That’s where the attacks are coming in. They’re largely coming in by email and cybercriminals have worked out that actually trying to understand who within a health institution is a worthy attack – a recipient for their malware, for their ransomware, for their phishing attack and social engineering. Then they go put together a very compelling email to try to dupe somebody into taking an action, not that the target will do it maliciously, but they wind up taking an action that is really beneficial for the cybercriminal. You’ll see those attacks very much now oriented on people, and not on infrastructure.
Guerra: It’s interesting, it sounds like they’ve almost made a science out of this, right?
Witt: I think that’s a great way of looking at it. I mean the science yesteryear was around network architecture and understanding network security, understanding where the network was vulnerable, understanding where patches were not likely to be deployed, understanding where a zero-day attack might be impactful. It’s completely reversed now.
The science is on social engineering. It’s understanding who within a health system hierarchy is vulnerable to attacks, who has a high profile focus or job function that puts them in the public eye, who works in a vulnerable way. Maybe they’re working with your business associates and, by the nature of their job, they have to go download files or interact with cloud apps, maybe there are pharmacists within their health institution and they’re dealing with opioids or Oxycontin or other pharmaceuticals which have street value that can be monetized. Maybe they’re in a nursing function where they are touching the EMR on a more regular basis and often in a frenetic way. They’re vulnerable in how they work.
The science now is figuring that out, not figuring out the networking. They are using the tools that are most obvious – like Google, LinkedIn, and Facebook – to build a profile of those individuals and trying to understand their work pattern, how they operate, who they’re likely to report to, what their function is within the health system and putting together impactful emails that compel them or make them want to take an action in the cybercriminals’ best interest.
Guerra: Is it possible to tell if an email is coming from someone other than who it appears to be coming from, or can it be masked so the recipient is totally fooled?
Witt: That’s a great question. So let me answer in two parts. The first part is your readers should not underestimate the level of sophistication that these emails come in at these days. It is very hard to determine what we would call an imposter email or a business email compromise sort of attack where somebody is purporting to be, or impersonating, a trusted person in your organization who appears to be asking you to take an action. It is very hard to determine when that’s happening because the level of sophistication is so high and the level of research is so profound. That’s part 1.
Part 2 is there are capabilities, there are technologies, there are controls that could be put in place to help people, to help institutions, to help security teams mitigate against those sort of attacks. There are training capabilities in terms of how do you educate your users, or there are capabilities like DMARC which is a protocol within email security for how you can determine when this email – which looks wholly legitimate on the surface – actually is not coming from the source it says it’s coming from.
Guerra: Could you ever see a scenario in which email becomes almost unusable because we cannot trust what we’re seeing?
Witt: No, I think actually quite the opposite. There are multiple tools, technologies, capabilities, training materials in place to protect users and protect people in terms of how they should be working with email. Email remains one of the most important collaboration tools. Certainly within healthcare, we see collaboration becoming a more profound part of the care continuum where you’re bringing in expertise from various parts of the world, in some cases, to go help with a patient-care scenario, and email or other messaging tools are a very predominant way that people are going to communicate with each other.
The key is not to stop using email, the key is to make sure you’re using email in a safe way and to put the controls in place to make sure you’re not going to run afoul of these attacks and to significantly reduce your risk.
Guerra: Very good. You had mentioned earlier that healthcare security spending is not lining up with the current attack threats. Can you tell me more about that?
Witt: Sure. If you just look at the prevalent analysts who measure this aspect of the marketplace, they will say that a very large percentage of security expenditures, like over 90%, still goes to the network, it goes on the Web, to Web applications, it goes on endpoints, and only around 7% or so actually is going on email.
Yet, if you actually look at where the initial point of compromise within a health institution occurred, it’s almost always two things. One is a phishing attack or similar related malware attack on email or, secondly, somebody within that health institution is doing something – often on the email – that they shouldn’t be doing, not in a malicious way, but they’re just being duped, they’re being tricked, they’re being compelled to take an action that’s not in their best interest.
Yes, there’s a complete dichotomy here in terms of where the expenditure is going versus where the attacks are happening.
Guerra: What’s your advice for CIOs and CISOs about some things that they can do based on the current situation?
Witt: First off, they have to understand how they’re being attacked. I think that the data very much shows that they’re being attacked largely on email. That would be the headline in terms of the first guidepost, if you will.
Secondly, I would try to understand who within my organization is being attacked and why are they being attacked. We released some research recently, and I kind of alluded to this a little bit earlier, where we have found that clinical researchers (if that’s a component of your health institution) are heavily targeted. Why? Because they have access to IP, they have access to information, data and research that’s very valuable in the marketplace.
Also targeted is the pharmacy community, the pharmacist. That whole function, they have access to monetizable pharmaceuticals that have a strong ROI and a quick ROI in the marketplace. And the nursing function – they have regular access to the EMR. We know that area is being targeted heavily.
If you have a foundation within your hospital, within your health institution, if you’re raising funds in a charitable way to support your health institution, we see evidence of those people being attacked. It’s not what you would necessarily expect it to be, sure the CEO and CFO are targets, but cybercriminals have become far more sophisticated, and they’re actually looking at who within the organization has access to information, who has access to data, who can unlock credentials, et cetera.
Just imagine the scenario when we’re in the holiday season – imagine the scenario right now where you have a foundation actively trying to raise charitable donations as part of a holiday drive. Somebody feels compelled to give because they want to support the cause and then they learn in hindsight that actually the money is being funneled into a cybercriminal’s account because it’s been a whole imposter campaign trying to impersonate that foundation. It’s hugely traumatic, not only for the hospital and the foundation but those people who are choosing to donate in that way.
Guerra: So should IT executives focus on education, tools, a combination of both?
Witt: I think we have to look at what are the right controls to put in place. What is the solution for you? If you’re able to determine that 10% of your workforce, of your clinical teams, are your most targeted, then what do you do?
There are a lot of controls you can put in place. I would definitely start with training. I mean, training is your best form of defense because those people are on your front line, so to speak, but there are also technologies and capabilities I think about as well.
I mentioned this protocol called DMARC which is how you’re able to determine whether somebody is impersonating you on email or impersonating your domains. That sort of capability should be looked at. If you’re moving a lot of data around in your job function because that’s just part of your job, there are things like encryption and DLP that can be put in place.
There’s a vast email protection capability as well – you can isolate someone’s email traffic. You can make sure that they’re operating in a safe way, so to speak, to prevent harm until you’re able to validate that email, that website, or until that email traffic passes the protocols or the test you put in place.
The learning point here is take the time to understand that your people are being attacked, understand who is being attacked within your institution and consider what controls you want to put in place from among the multiple controls I alluded to.
Guerra: Maintaining usability is always an issue when implementing security measures. Are clinicians more accepting of their impact now that they see how much damage outages can do to patient care?
Witt: You asked a really good question and it’s something I’m actually encouraged by. There was some very recent data that came out from the American Medical Association that said doctors and physicians are concerned about cybercriminal activity impacting their ability to provide patient care. They’re concerned about how a cyber attack will impact their ability to access the patient record, provide a meaningful diagnosis and remedy or course of treatment. This is a tremendously positive change.
Yes, there might have been some resistance historically around any sort of controls in place that impact clinical workflow, but I think we’ve seen a complete change in that thought process. I think the clinical community now wants to embrace better controls because they know it actually helps them provide better overall patient care.
Guerra: Do you ever have conversations with health systems about the profiles of their employees and how they should or should not use social media so as not to become a target?
Witt: We do our best to educate the healthcare industry about the vulnerabilities of the attack vector and the fact that people are being attacked in multiple ways. Yes, one of those ways is through social media channels. Of course there’s a lot of really, really good reasons for health institutions to be active on social media. That’s where their patients are. That’s how their patients want to consume information. I understand wholeheartedly why they’re using those channels. But really, I think the learning point here is to make sure you have the safeguards in place so you don’t expose your institution unduly in those channels.
Guerra: We hear over and over that healthcare is behind when it comes to the use of technology. I assume that applies to security as well. Are those observations or comparisons ever helpful?
Witt: I have these discussions all the time in terms of how does healthcare, as an industry, compare to financial services or another industry segment, and it does help to a degree. Understanding how others are approaching the problem is certainly a learning point there, but I think it’s probably more relevant to understand what’s happening within healthcare.
So certainly the discussion we have more regularly is, ‘Explain to me what my peers are doing,’ explain to me what my birds of a feather are doing, give me a like-for-like sort of comparison within my industry, which is why we now offer this very granular threat intel. If you are a children’s hospital, we could give insight into what is the threat activity within the pediatric care segment. You understand how your peers are being impacted and their threat level of activity. We find that level of granularity is probably more relevant for healthcare.
Guerra: Also, we see a lot of ransomware going on. Is healthcare a uniquely vulnerable target to that type of thing?
Witt: I don’t think so. I think ransomware plays to the current mindset of cybercriminals generally. Ransomware is a monetizable activity and that’s what cybercriminals are looking for. It’s impacting every industry segment, institutions, large and small. It will dissipate at times but it never really goes away and yes, healthcare is vulnerable, but it’s not unduly vulnerable because every industry segment is vulnerable to ransomware type attacks.
Guerra: Very good, Ryan. Those were my main questions today. Is there anything else you want to add? Any final words of advice for our listeners today about dealing with the new reality we described?
Witt: I think to sum up, I would like to just reiterate or stress the point that the data is very clear, people within health institutions are under attack and they’re under attack through email and similar messaging channels. First, understand that top-level point and then, more importantly, understand who within your health institution is being attacked. With that now in mind, what would you do differently? How would you change your controls to make sure you’re protecting the most vulnerable part of your health system?
Guerra: All right, Ryan, that’s great. I really appreciate your time today. I think this is going to be very valuable to our listeners and readers.
Witt: I enjoyed it. Thank you very much.