Published June 2021
Ryan Witt, Managing Director of Healthcare at Proofpoint, talks with healthsystemCIO Editor-in-Chief Anthony Guerra about the most recent cyberattacks against healthcare organizations, and how studying those attacks can help IT professionals avoid becoming the next victim.
Podcast (Duration: 34:15, 23.5MB)
Bold Statements
Never underestimate a couple of things. One is the lengths the bad actors will go to understand an environment, to explore, to use Facebook, to use LinkedIn, to examine your environment and then to figure out how to launch a compelling lure.
The conversation now really is: am I impacting patient safety? Is my lack of security posture having a direct impact on the mission of my institution because we can no longer provide care because we’re locked out of our EHR or our systems or we can’t see patients.
To know that I’m doing work that even remotely moves the needle to help this industry be a little bit better makes me feel a lot better about the work I do and the career path I’ve chosen.
There are about 10% or so of your employees whose job functions are far more heavily targeted, and that’s where you can make a difference – there’s research available that tells you who those people are.
Anthony: Ryan, thanks for joining me today.
Ryan: Anthony, great to be here.
Anthony: Can you start off by giving us a little bit about your organization and your role there?
Ryan: Sure, I work for Proofpoint. Proofpoint is a cyber security company wholly focused on protecting people, how they work, and their organizations. It’s no surprise these days that the focus of cyber criminal activity is now on attacking people as opposed to attacking networks, machines, or devices. Not that those attacks don’t happen, but really the focus is on people.
We have a whole range of technology and solutions around trying to make sure people are safeguarded from that activity. My role within Proofpoint is to focus on the healthcare industry segment. We have a deliberate investment in a small number of industries, healthcare being one of those. My role is to make sure that we are bringing the best possible experience to the market for our healthcare industry customers.
Anthony: Very good. Recently, we’ve seen a lot of attacks. It seems like the severity and the pace is picking up. What are you seeing?
Ryan: I would agree with that. I mean, I think we have to probably make a little bit of a distinction between cybercriminal attacks and nation-state attacks. We don’t necessarily know which falls into which camp, but I think there’s speculation that some of the activities that we’re seeing, the more headline-focused activity, is nation-state activity.
That’s a different type of endeavor and something that we have to certainly be concerned about. But I think for those reading this, unless you have something about your institution which makes you a target for nation-states – and if you have research within your institution, then you definitely could be a target for nation-state bad actors – they aren’t going to target you.
But the most probable challenge likely to be encountered by most people who are going to be reading this conversation would be cybercriminal activity. I think the one that I would really draw attention to, and that I think is very noteworthy, is what happened at Scripps down in San Diego.
This is a very prominent health system, certainly one of the linchpins of their community, an organization invested quite heavily in the broad spectrum of digital transformation for healthcare. They had a pretty significant ransomware attack which took their system down for quite some time. It’s not that we haven’t seen that elsewhere because we certainly have, and we’ve certainly seen other health systems be impacted, but this is probably the most prominent health system that I can recall having this severe of an attack against their systems.
Anthony: Do you know anything about that attack specifically to discuss it? I mean, we want to use these events as learning experiences. We don’t want to pick on anybody.
Ryan: Absolutely not.
Anthony: Because every CISO will tell you it’s going to happen to them at some point but we do want to use these as learning opportunities. Do you know enough yet about that to be able to discuss it on that level?
Ryan: Yeah, and I want to echo your point. The point of mentioning them is as a learning point. It’s not to name them in a derogatory way at all.
Anthony: Right.
Ryan: I think the broader point is that every institution is vulnerable and this idea that I’m going to be out of the crosshairs because of whatever reason is just erroneous and so we should learn from these experiences. I don’t think there’s enough information in the public domain right now to discuss Scripps in any sort of meaningful way.
What we are seeing more broadly, though, with regards to ransomware, is the attacks frequently starting on email. It’s not necessarily a traditional ransomware attack where there is a ransomware exploit attached to some sort of email that gets launched against the environment. I mean those absolutely do happen but most of your email gateways out there are going to catch those or, if they’re launched against your system or your network, your firewalls are going to catch a lot of those.
What we are seeing, however, is a much more sophisticated type of attack, where the purpose really is to phish the individual in the network. It starts off as a credential-phishing sort of exercise, and they will eventually launch that exploit or that malware later on, when they’ve penetrated the system, when they’ve befriended somebody, when they’ve been able to obtain credentials and get into an environment. Then they will launch that malware much, much later.
They have the ability to skirt past the defenses that are catching the commodity-based malware because they have credentials into the environment now. I think that is probably one of the trends we need to be very aware of: how sophisticated the attacks are these days, and the fact that they are multi-stage sort of endeavors. It’s not just launched, send you some ransomware, hope you click and there you go. It’s a multi-stage sort of campaign, and I think one of the points I would really want to make sure we understand is: never underestimate a couple of things. One is the lengths the bad actors will go to understand an environment, to explore, to use Facebook, to use LinkedIn, to examine your environment and then to figure out how to launch a compelling lure.
Then number 2, how patient they will be. Once the doors are a little bit open, they will be very, very, very patient before they actually launch their exploit.
Anthony: Creepy, right? You mentioned research. If you have research, they’re going to target your organization. They might want the research, but they don’t necessarily need to attack people doing research, right? They could find an easier way in with the people that are doing supply chain or dealing with a lot of vendors, come that way, then get to the research, correct?
Ryan: Absolutely, 100%. I think the thing that I would say on this point is if you were somebody thinking about where your system might be vulnerable, look at it from an attacker’s eyes and think about what do we have that can be monetized, whether that’s controlled substances, whether that’s data, whether that’s invoices within your supply chain, business associates, whether that’s research, if you have something that could be monetized, the likelihood of that person or that department being attacked is exponentially higher. That’s number one.
Number two is if you are known for something, if your institution is known for prowess and expertise in a particular area, the bad actors are aware of that and they are aware of the potential value associated with that, and they’re probably going to put their attacking efforts against what you’re known for because that’s what’s most valuable.
I have a little vignette for you, if you’re interested.
Anthony: Sure.
Ryan: I was looking at a teaching hospital who had a strong academic research sort of component to their institution and they had about gosh, a dozen sort of research institutes attached to this institution, but there was one particular thing that they were really, really known for.
When we did some analysis on that institution, research was exponentially more attacked, but there was actually just one of their institutes that was most heavily attacked. It was just, from a layman’s sort of perspective, it’s really obscure research, I’m like – who would even have heard of this? But the bad actors figured out that this institution is known for that level of research. It was around genomics and they wanted to attack them for it.
They do due diligence, they do discovery to say this is what this institution has that is valuable, and that’s what I’m going to go after. I think we saw also during COVID how quickly they pivoted in the news cycle, like they’re following this stuff really, really, really intensely. They will know what you have in terms of what’s monetizable and what’s desirable on the black market.
Anthony: Ransomware works against anyone, right? I mean, you don’t have to have cutting-edge research for it to work. They shut down your systems and you’re going to want them back up, right?
Ryan: It doesn’t matter at all. You’re absolutely right and, in fact, in some ways it almost makes you more vulnerable. A couple of things I would say – one is these are equal-opportunity hackers. They don’t discriminate between big and small, rural and urban. They want to go after whoever they believe can give them a monetizable return on their investment, number 1.
Number 2 is in many instances, at least previously, we have seen the smaller institutions – be they school districts or be they community hospitals – be prime targets for ransomware, for a couple of reasons.
One is they tend not to have as many defenses in place, so they’re easier to penetrate. Two, they’re more likely to pay a ransom because they just need to have their systems unlocked. And three, actually, if you go for a lower dollar value in terms of what you’re trying to extract, the propensity for it to be paid is much higher. It’s one of those things. Everyone wants to hit the home run and get the big multi-million-dollar ransom, but the bread and butter of going for smaller payouts pays the bills.
Anthony: So this can happen to anyone. And people should know that it scales. Hackers can have a lot of lines in the water.
Ryan: They can have a lot of lines in the water. Ponemon led research in this area about how long a hacker is in your environment before you realize it and, with healthcare, it’s generally 6 months.
Anthony: Wow.
Ryan: They are in your system for 6 months before you even recognize that they’re there. If you think about that from a physical security sort of example, that’s like the equivalent of somebody living in the closet of your spare bedroom for 6 months, watching your activity. The opportunity to launch a scaled attack against that institution is quite pronounced because, they’re there, they have the ability and exposure to go do that.
Anthony: What should CIOs and CISOs be doing to protect their organizations?
Ryan: I think it’s a good question. I think when you think about the answer to that question, we should also note that the marketplace has changed, right? Ten years ago when we would have this dialogue, maybe 8 years ago, the concern would be around: am I going to have a HIPAA violation?
Five years ago if we had this sort of conversation, it was like, okay, what do I have to make an investment in to make sure I qualify for Meaningful Use – the cyber components that will allow me to unlock those dollars. The conversation now really is: am I impacting patient safety? Is my lack of security posture having a direct impact on the mission of my institution because we can no longer provide care because we’re locked out of our EHR or our systems or we can’t see patients? That, I think, has got to be the true north that we think about in terms of how you answer this question.
The attack surface is almost always email. I think the HIMSS report that came out in December said that for 89% of all attacks the initial point of compromise is email. If you could do just one thing, stop email-based attacks, because almost always that’s where they’re happening, if you want to believe the HIMSS data. By the way, Verizon and the others would all corroborate this. They’re all saying the same thing.
You need to have a strong training program that allows people to identify what a malicious email looks like. You need to have authentication tools that allow your institution to identify spoofed emails. What sort of tools can we use there to prevent fraud? Do we have the right sort of filtration capabilities? If someone gets into our system, we don’t allow them to extract information from the system. I think these are some of the basics that I would expect to be in place.
Then you can go a little bit further around things like isolation technology. If you’re working with your supply chain or you’re working with people who have to click on links, download documents as a core component of their job, you can isolate their email traffic so there’s no vulnerability to the overall environment.
These are some basic technologies that can certainly be put in place. We probably all bank with organizations where, the moment a suspect credit card transaction happens on our account, we’re getting a text almost in real time asking, hey, is this you? That’s just an investment in technology, an investment in analytics, an investment in automation which that industry has made and healthcare hasn’t made yet.
Anthony: Right. So what you’re saying is that the attacks are coming in through email, and they require some cooperation on the part of the employee to be successful.
Ryan: That’s what we’re talking about, and ultimately in many cases, it’s a multi-embedded sort of program. Someone may not hand over their credentials, but they might hand over pieces of the jigsaw puzzle, and then your colleague, a couple of cubicles down, hands over a piece of the jigsaw puzzle, and then before you know it, they’re able to assemble the puzzle.
Anthony: We’ve talked a number of times and I’d characterize you as a true-believer. Your heart is in this. Why are you so passionate?
Ryan: There is something about the industry – I just kind of caught the bug. I didn’t catch the bug enough to actually become part of the clinical side, but I wanted to work with the industry. I actively sought out roles where I could focus wholly on healthcare and I think it was the nature of the industry.
I am not in the saving-lives business. I know that. But to know that I’m doing work that even remotely moves the needle to help this industry be a little bit better makes me feel a lot better about the work I do and the career path I’ve chosen.
I often say whether you’re an accountant, whether you’re a researcher, whether you’re a clinician, there are a lot easier ways to make a living than working in healthcare, but you choose healthcare because you have something in your makeup that wants to help humanity, and I kind of feel like, although I’m on the supplier side, I kind of feel akin to that. I mean, there are probably other industries I could work for, but this is the one I want to work in.
Anthony: We’re almost out of time. I just want to know if you had a final thought for our CIO and CISO listeners.
Ryan: Yeah, the final thought is – I’m a realist. I understand that the resources in healthcare are different than other industries. There’s a reason why financial services can send you that text immediately and healthcare can’t. I get all that. It would be impractical, unreasonable to say the gold standard for cybersecurity should be in place throughout your organization, but there are pockets within your institution where you need to make that investment.
There are about 10% or so of your employees whose job functions are far more heavily targeted, and that’s where you can make a difference – there’s research available that tells you who those people are. You can either avail yourself of that research or you can just think about what’s monetizable in your institution and that’s where you can make incremental investments and move the needle in a way that’s more cost reasonable within your institution.
Not everybody needs a gold standard, but maybe 10% need the gold standard. Figure out who those 10% are, and I think that variable of knowing who’s being attacked should be a strong guide point to where you make your investments, whether the investment is in technology or processes or whatever. I think that’s where you should keep your focus.
Anthony: All right. Thanks so very much. It was a great, great conversation.
Ryan: I really appreciate it, enjoyed talking to you.
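As an added worked illustration of two points raised in the interview (that roughly 10% of mailboxes receive the bulk of targeted mail and are where incremental investment pays off, and that authentication tools should flag mail spoofing your own domain), the following script is example code written for this page; it is not from the podcast, from Proofpoint, or from any product. The log format, field names, category weights, the spoof heuristic and the sample verdict lines are all constructed assumptions chosen for illustration.

```python
"""Rank the most-targeted mailboxes from mail-gateway verdict logs.

Added example, not from the podcast or any vendor: the log format, field
names, weights and the spoof heuristic are assumptions made for illustration.
"""
import csv
import io
import math
from collections import defaultdict

ORG_DOMAIN = "example-health.org"   # assumed organisation domain

# Constructed sample of gateway verdicts (not real traffic). Fields:
# recipient, claimed sender domain, auth result (DMARC-style pass/fail),
# and the gateway's threat category for the message.
SAMPLE_LOG = """\
timestamp,recipient,sender_domain,auth,threat
2021-05-03T08:12:00Z,r.patel@example-health.org,example-health.org,fail,cred_phish
2021-05-03T09:40:00Z,r.patel@example-health.org,files-share.example,pass,malware
2021-05-04T07:55:00Z,r.patel@example-health.org,grant-portal.example,pass,cred_phish
2021-05-04T10:02:00Z,m.chen@example-health.org,vendor-billing.example,pass,bec
2021-05-05T11:30:00Z,m.chen@example-health.org,vendor-billing.example,pass,bec
2021-05-05T12:10:00Z,j.doe@example-health.org,promo.example,pass,spam
2021-05-05T13:45:00Z,j.doe@example-health.org,hr-docs.example,pass,cred_phish
2021-05-06T08:20:00Z,l.ortiz@example-health.org,invoice-scan.example,fail,malware
2021-05-06T09:05:00Z,s.kim@example-health.org,promo.example,pass,spam
2021-05-06T15:30:00Z,a.ng@example-health.org,files-share.example,pass,malware
2021-05-07T08:00:00Z,m.chen@example-health.org,example-health.org,fail,cred_phish
"""

# Assumed weights: credential phishing and business email compromise score
# highest because the multi-stage campaigns described in the interview start
# by harvesting credentials rather than by dropping malware directly.
THREAT_WEIGHT = {"cred_phish": 3, "bec": 3, "malware": 2, "spam": 0}
SPOOF_BONUS = 2   # message claims to be from our own domain but fails auth


def parse_log(text: str) -> list[dict]:
    """Parse CSV verdict lines into dicts; rows without a recipient are skipped."""
    return [row for row in csv.DictReader(io.StringIO(text)) if row.get("recipient")]


def record_score(rec: dict) -> int:
    """Score one delivery attempt; spam contributes nothing."""
    score = THREAT_WEIGHT.get(rec["threat"], 1)   # unknown categories count as 1
    if score == 0:
        return 0
    if rec["sender_domain"].lower() == ORG_DOMAIN and rec["auth"] == "fail":
        score += SPOOF_BONUS   # look-alike of our own domain: weight it up
    return score


def score_recipients(records: list[dict]) -> dict[str, int]:
    """Sum per-recipient scores; zero-score records still register the mailbox
    so that every recipient seen in the log appears in the ranking."""
    scores: dict[str, int] = defaultdict(int)
    for rec in records:
        scores[rec["recipient"]] += record_score(rec)
    return dict(scores)


def most_targeted(records: list[dict], fraction: float = 0.10) -> list[tuple[str, int]]:
    """Return the top `fraction` of mailboxes (at least one) by attack score,
    ties broken alphabetically so the output is deterministic."""
    scores = score_recipients(records)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    n = max(1, math.ceil(len(ranked) * fraction))
    return ranked[:n]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for mailbox, score in most_targeted(recs, fraction=0.34):
        print(f"{score:3d}  {mailbox}")
```

Run against a real gateway export, the ranked list is the short list of mailboxes that warrant the stronger controls the interview argues for (isolation, tighter filtering, targeted training). The weights are deliberately simple; the point is to rank by who is being aimed at, not by raw message volume, which is why spam is weighted at zero and a spoof of the organisation's own domain is weighted up.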