Published March 2023 –
Threat actors are very sophisticated these days, requiring CISOs to match their “elegance” in devising countermeasures, according to Ryan Witt, managing director of healthcare at Proofpoint. In this episode of healthsystemCIO’s Partner Perspective Interview Series, Anthony Guerra, founder and editor-in-chief, talks with Witt about how identity is the new perimeter, and emails are still one of the key ways attacks will come. That’s why you need to know what threat actors are after. They want to monetize healthcare data, and particular institutions and certain people are of more interest than others. Research units and fundraising departments are major targets, as are the people who work in these areas. Witt says to step up security and layer it for these folks, because “healthcare data is still really, really valuable,” and very much part of a cyber-criminal’s business plan.
Podcast: Play in new window | Download (Duration: 41:43 — 28.6MB)
We should treat this as a sophisticated line of business in a cyber-criminal organization that’s akin to drug trafficking, racketeering, etc. It is a line of business. And they will look holistically at what is the best way for them to monetize their activity within that line of business, in the same way they would do more traditional sorts of criminal activities.
… it’s easier to launch an exploit against somebody who’s downloading a lot of files, for example. So if you’re a clinical researcher, you’re very interesting from an identity standpoint. If you work in the fundraising arm of that health institution, you have an interesting identity. So definitely any access is interesting, but there are certain access points that are way more valuable.
… it’s about understanding that there is a direct connection, or there can be a direct connection, from a cyber event to some form of adverse patient outcome.
Guerra: Ryan, thanks for joining me.
Witt: Great to be here. I always enjoy these calls.
Guerra: Very good, Ryan. Looking forward to it. Let’s start off with the basics here. You want to tell me a little bit about your organization and your role?
Witt: Sure. I work for Proofpoint. Proofpoint is all about protecting people and defending data. I think we’ve talked about it a number of times on these calls. And I think it’s pretty well known within the industry, people are now at threat of cyber-attacks. We have a lot of technological capability around protecting people from cyber events, because identity is the new perimeter. They are attacking identity with the idea of trying to exfiltrate something that can be monetized. So it comes down to the defending data part of the equation. I am the managing director of healthcare. That means I run solutions strategy for the healthcare industry practice. I’ve been doing this for about seven years now. And I also chair the company’s healthcare customer advisory board. It’s the only advisory board we have dedicated to an industry.
Guerra: Very good. So you mentioned identity, which is interesting, because for the last few years I’ve been hearing when I talk to security professionals that as you said, identity is the new perimeter or there is no perimeter, and it’s all about identity. And of course, the fatal perhaps weakness in that is if someone gets a hold of an identity, right? Because if we’ve made everything about identity with the zero trust type thing, somebody gets a hold of your identity, they’re you, all that protection – not all of it – but a lot of it is gone. Right?
Witt: Once you have the identity, there are lots of things you can do. We know a lot of nefarious things you can do to monetize that activity. So yes, getting a hold of identities is the goal and the key, right now, for most threat actors.
Guerra: So if someone gets a hold of your identity, can that be detected by software which looks to see if people are doing things outside of their normal pattern of work, just like what’s being done with some device monitoring software?
Witt: Yes, but maybe let’s go back a second. I think one thing that’s a unique characteristic of the healthcare industry is how valuable the data still is. So just the exfiltration of data – old school stuff, I’m going to try to steal your data – there’s still value for that in the black market, particularly when it comes to ID theft or trying to establish a new ID, etc. There are a lot of monetizable assets within data. So you have all the financial characteristics of data that permeate all industries, so that permeates healthcare as well. But healthcare has a lot of intellectual property, particularly if you’re in clinical research, or if you have the ability to potentially get access to controlled substances; get access to the supply chain. There are many aspects of activity that are interesting to threat actors. And we haven’t even mentioned ransomware – the ability to get an identity and then get access to some key clinical systems and then launch a ransomware attack. And maybe one of the things that have changed in how threat actors behave is there’s no longer this situation where a threat actor would be tied to their key exploit. There are so many sophisticated exploits available on the dark Web.
A threat actor’s real goal is just getting the identity, getting access to the network, doing their reconnaissance, doing their due diligence, and then trying to figure out what is the best exploit to launch against that institution. Maybe it’s a fraud attack, maybe it’s a ransomware attack, maybe it’s a data exfiltration exercise, maybe it’s a combination thereof. So I think it’s important to understand that it starts with the identity, because that’s your keys to the kingdom. And then you can move around the kingdom. And you can figure out what is the best thing for me to focus on from a monetization standpoint. And let’s not forget that monetization is almost always the main focus for threat actors.
Guerra: And when you say “what’s in it for me,” it may not even be the individual who’s stolen that identity and doing that reconnaissance who will launch the exploit; they may be looking for vulnerabilities and then sell it to someone else who specializes in that type of exploit.
Witt: 100%. Absolutely. We should treat this as a sophisticated line of business in a cyber-criminal organization that’s akin to drug trafficking, racketeering, etc. It is a line of business. And they will look holistically at what is the best way for them to monetize their activity within that line of business, in the same way they would do more traditional sorts of criminal activities. Absolutely, they’re going to look at the best way to execute their plan.
Guerra: So they know the roles they want to target, then they research those folks on social media and launch a sophisticated phishing campaign. Is that correct?
Witt: I mean, yes, I would say any access to the network is valuable. So any penetration of identity is valuable. And to illustrate that with a very well-known example, I think it goes back to 2014, or whatever it was, when Target had their whole system compromised over Thanksgiving. Somebody penetrated the phone system of their HVAC. So, okay, that’s not happening so much these days, those sorts of holes are being plugged. But it does illustrate that once you have access, you can then move laterally.
But to be sure, and I think the emphasis of your question, and the key point here, is not all roles or identities are created equally, not at all. There are certain attributes about an identity that are way more powerful and way more attractive to threat actors. So if you have a persona that’s publicly known, you’re going to be more attractive to a threat actor. If you have a job function, or you work in a department that is perceived to have access to systems throughout your health institution, you’re going to be attractive. If you have a persona or identity who works in a vulnerable way, not because you’re doing anything untoward, but you work in a way that means you put yourself in harm’s way – you’re downloading a lot of files, you’re interacting with people outside the organization, those files could be transcriptions, they could be invoices, they could be bills, payables, you could be somebody who is doing remote work and you’re downloading files, you could be clicking on links all the time, you could be HR downloading resumes, so you just work in a way that’s vulnerable.
So those access points are interesting, because it’s easier to launch an exploit against somebody who’s downloading a lot of files, for example. So if you’re a clinical researcher, you’re very interesting from an identity standpoint. If you work in the fundraising arm of that health institution, you have an interesting identity. So definitely any access is interesting, but there are certain access points that are way more valuable.
Guerra: Right and so the bad guys know that, and most of the good guys know that. I wonder what you think. What percentage of CISOs are taking a tailored approach to rolling out their security program in that they are doing extra protections and extra education towards those “very attacked people”? Do you think that’s prevalent? Do you think that everyone’s doing that, or do you think there are some that are just taking a blanket, ‘everybody gets covered the same way’ approach?
Witt: You know, I think the industry is finally shaking off what I call the Meaningful Use era. So the Meaningful Use era was all around, I have to check boxes, cybersecurity boxes, to qualify for funds to go roll out my EMR. And that exercise gave a lot of executives the perception, and maybe the comfort, to think, “We’ve done our due diligence,” from a security standpoint.
I think the more savvy security executives knew that the box-checking exercise wasn’t always going to result in a secure and robust security posture. And we paid the price as an industry for that. I think we’ve moved a long way forward since then. And I think we have situations now where they do recognize threat vectors are extremely different. And threat activity is very different. And you do need to tailor your activity accordingly, you do need to layer in your security controls to make sure that the right parts of the organization, those who are more attacked, those who are what we would call the “very attacked people,” do have the right protection which reflects their true threat and vulnerability status in the marketplace.
Guerra: All right. So we understand that different constituencies are attacked at different levels. Let’s get a little more into specifics. Can you address what CISOs need to do in the areas of tools/technologies and education?
Witt: Yes, I think it’s a great question and one that is worthy of discussion. I think, at the VIP level, the very important people, I think institutions know that those people require layers of security, they’re going to be attacked. So I think the industry has done a pretty good job of making sure that the CEO, the CFO, etc., are not clicking on things. There’s enough safeguards in place so that the malware and various nefarious emails are not getting to them.
At the very attack people (VAP)-level, it’s a little bit different. I recall this incident or this instance in an academic healthcare institution noted for its research, noted for its genomic research. And it was almost a case study on how important it is to make sure you protect who’s being attacked, and a case study in to what degree the threat actors will use their social engineering and due diligence to try to understand that institution.
So briefly, this institution had six public facing research arms or research units, and it was pretty easy to determine that. They were overt about that on their website. But one of those units was known for this particular area of study. And that’s really what put the institution on the map, and we were working with them. We did an analysis of their threat research. This is a very large institution with 50,000-plus email addresses, to give you a little bit of size and scale. Sixty percent of all of their nefarious attack emails were going into their research units. And within those six different units, 90% of that 60% were coming to this one research unit.
And within that one research unit, there were about a dozen or so individuals who were receiving 50% of the of the attacks. So it got super granular. It got down from this broad-based organization, to they were focusing on research, and then to they are focusing on this one research unit, and then to they are really focusing on a few departments within that research unit. That’s the level of social engineering that the bad actors will go to, to make sure they’re attacking what they believe to be the most valuable portion of that institution.
And so I think that’s why we do need to think about and use the prevalent research available today from threat research organizations like Proofpoint that says, “Yes, we can make a determination where you are likely to receive the most threat activity and, therefore, what are those sorts of controls that need to be put in place to make sure that those particular individuals, or those particular departments within a health system, are being adequately protected?
Guerra: So that’s obviously very valuable information to have. I assume that in order to do that an organization needs to engage a company like Proofpoint to get to that level of detail. If you’re a CISO, and you say, I want to know where the attacks are going, I want to know where the email attacks are going. And I want that data so I can react accordingly. So there’s the general information that you said is available online for anyone on your site with the information about the attack constituencies, but if you want that granular information about your specific institution down to the email-address level, that’s something that you need to engage someone like Proofpoint to get?
Witt: You would. And I think then it goes back to looking at how you protect those people. How do you put the right layered controls in place, whether it’s things like isolation technology, or data loss prevention. The level of telemetry that looks at threats, who’s likely to be attacked, I think is so important, and how you deploy those sorts of tools. A lot of DLP technology uses behavior awareness, in terms of is this person doing things that are outside of their normal activity. Or is this person working with content that’s valuable? Those are more common attributes of these sorts of tools.
Guerra: Yes, in all our conversations you have consistently said that security starts with knowing who is being attacked.
Witt: I think it’s essential. It’s essential for a lot of reasons. One, I think that’s how you provide the best layer of defense for where the attacks are occurring. Number two is it’d be great to think we could roll out the gold or platinum standard to everybody in the institution, but that’s not pragmatic, it’s not possible, you don’t have the resources, you don’t have the budgets, you can’t respond to that many alerts. I mean, it’s just not pragmatic.
And then I think it also really gets down to focusing on what is core for your organization, core to your being, core to your mission. And thinking about how you can safeguard those people or those departments that are core to you delivering your mission. And I think one of the things that distinguishes the executive teams and the cybersecurity teams and CISOs who do a really good job here is they understand, at the core, what the mission of the institution is, and they do a great job of articulating that risk back to the executive teams, back to their board about, “Hey, this is not only a financial harm possibility, or regulatory harm, or brand harm, but if we don’t do something about this, it actually fundamentally cuts into who we are, as an institution, why we’re here, why we exist.”
When you can make that connection back to the mission, that’s when you get hospital executives, hospital boards to really sit up and take note and say, “We have a responsibility to meet the goals of our mission,” which is a much different way of thinking about things.
Guerra: Right, so if you’re trying to protect everyone the same, you’re not spending wisely. You may be throwing money away in areas that don’t warrant it?
Witt: I would totally agree that there’s an elegance and sophistication to layer your controls to where you think you need that level of protection. Not everybody needs that. So recognizing this is when you think about, for example, going back to my discussion a little bit earlier about thinking about who in your organization just works in a vulnerable way. They might be a consultant who is more affiliated with a different organization, or different institutions, but they consult for you a little bit. So therefore, they’re using messaging tools that you don’t have control over, they might be on your network, and it’s harder to secure them.
They might need access to your systems, but they don’t belong to your health system, so they may not have the same level of controls institutionally put in place. So you might think for that type of person, “I’m going to layer my controls in,” versus the employed person doing similar work, but just by nature of their employment, they get better controls already.
Guerra: I liked your use of the words elegance and sophistication for an approach that can be taken to rolling out cybersecurity. You work with a lot of health system CISOs. Do the good ones use elegance and sophistication?
Witt: I think the elegance allocation is finding the right tool, or the right level of protection or the right level of training (it’s not always about tools) and deploying them in the right way. But also, I think the ones who really impress me are those who can use the right language to explain the need for that protection to the right audience. And so I think about two primary stakeholders often in this discussion, one is the clinicians and physicians. And so if you can equate this to a patient safety discussion, that resonates greatly with that community.
“So we’re doing this, we’re putting these controls in place, to help you provide patient care, or to make sure that you’re not hampered or hindered from providing patient care. We want to ensure that the system or the EMR or this modality – which is so vital to your patient care process – is available to you,” or they have the right level of ability to then translate that message maybe to the hospital board, or communicate the risk.
Boards are always about managing risk. And so if you could talk in terms of explaining the cybersecurity needs or postures and investment in terms of mitigating risks, or understanding risk, and, “This is why you mitigate against that risk,” that’s the language that, again, resonates greatly with that community.
I think the ability for the CISO to talk about what they’re doing, raise up the language and the way they’re going to go tell the story, that narrative, so it’s relevant to the audience, is very critical. And I think that’s what, to me, distinguishes elite CISOs from those who are still struggling.
Guerra: So you’ve got more general, market-level threat intelligence, and then you can have analyses done to determined exactly how your organization is being attacked. Taken in conjunction, I think those two would be very powerful. Does that make sense?
Witt: I think it makes a lot of sense. Proofpoint makes, at a macro level, our findings available to the marketplace. So we’ve talked about a lot. For example, if you have any clinical research within your organization, the likelihood of it being attacked is exponentially higher.
And also if you have, as most health systems do, any foundation or fundraising component, those are two departments that tend to face far greater levels of threat activity. And so will we make that data available. So if you want to look at threat intel, more broadly, that comes from, I don’t know, Health-ISAC, for example, as one institution that works very broadly about their threat alerts, or more granularly, about someone like Proofpoint, we’ll talk about what we think is happening in a healthcare context and what we think health institutions should be thinking about. If we publish research that says the foundation or the research departments within these healthcare institutions are being attacked, you can assume it applies to you as well.
Guerra: What are CISOs doing to get education and information to the people who are being heavily attacked?
Witt: I’ve seen a big shift there and a meaningful, noteworthy shift. A lot of education historically was around making sure they were on the right side of regulatory issues. Again, not that that’s not important, of course, it’s important. But more and more education these days is trying to explain to the user that it’s a patient safety or patient care issue. We’ve seen that with many high-profile ransomware events where the health system is essentially knee-capped for a month, six, eight weeks. And they’re basically relegated to reconstructing the patient record on paper, trying to either move patients to a neighboring health system, etc. So it’s about understanding that there is a direct connection, or there can be a direct connection, from a cyber event to some form of adverse patient outcome. I think that makes it far more real, from an education, security awareness training standpoint. I think that resonates more greatly with those users, as opposed to some code somewhere, some regulation stating they can’t do something.
Guerra: Yes, it makes total sense. I always find it odd when an organization that has to go back to paper says patient care hasn’t been at all compromised.
Witt: I would respectfully say that’s not accurate. If you lose access to your EMR, if you lose access to other critical systems, it has got to impact patient care.
Guerra: I want to shift gears for a minute. A lot of folks have moved, or are moving, their email to the cloud, such as to Google. Does that change their security posture or requirements?
Witt: I mean, not focusing on Google, per se, but focusing on cloud. Fundamentally, it’s a huge change. And it doesn’t improve your security posture necessarily. In fact, it makes it in some ways a lot more precarious.Compromising those cloud environments can happen because, due to the importance of these systems, they are less likely to stop access after three or four failed attempts or whatever. So you can run a lot more programs against that, trying to penetrate those systems.
And then, unfortunately, when you get into those environments, let’s say you get into a OneDrive or SharePoint – again, I’m trying to pick on any vendor or any capability – but once you’re deemed to be in the system, you’re in the castle. And so when you start launching exploits from those environments, it’s deemed to be much more credible, because it’s coming from my internal source.
We have found people are still being attacked largely on email. HIMSS would say that emails are almost the primary initial point of compromise. And the fact that it’s done in the cloud has not changed that; it’s made it more vulnerable. People are still trying to attack that environment. And it has not improved the security of it at all.
Guerra: So let’s make this your final question. You mentioned that things haven’t changed much, but security folks always say they love that the job is always changing. How do you reconcile that. Talk to me a little bit about that and your final piece of advice for our listeners.
Witt: I would say the areas of attack haven’t changed too much. I mean, it’s still about phishing; it’s still about ransomware. We didn’t see fraud attacks 10 years ago. And, quite possibly, a few years from now, we’ll be talking about deep fake technology or whatever, but the point is, they’re still trying to do the same thing. They’re trying to penetrate the system, they’re trying to compromise an identity, they’re just using different tactics to do so. Social engineering didn’t exist 10 years ago. Social engineering is a core component now of an attacker’s arsenal. And so it’s the tactics and all that that have made noteworthy changes. So I think that’s what keeps the role particularly interesting. And the ability to penetrate the system. And the things that we talked about 10 years ago are happening, but some of them, it’s interesting, some of them have not evolved in the way I thought they would evolve.
So I think it was at Black Hat 2008 where Barnaby Jack, one of the notorious white hat hackers, got on stage and demonstrated how he could basically compromise an pump. Everyone said, “Okay, medical devices are going to be the newest attack vector.” Fifteen years later, we don’t see too many examples of infusion pumps being attacked. And it’s not because the security of those have improved over time, they haven’t really improved much at all. In fact, many of them are still very vulnerable. What’s changed, however, is how valuable old school attacks still are. So it’s still attackers, cyber-criminal organizations, just doing phishing attacks, penetrating identities, ransomware style attacks. And so, the new style attacks, like attacking in a network of devices or medical devices are coming, but they’re not really here yet.
Guerra: You’ve said that before. It’s a lot easier to write an email than to hack an infusion pump.
Witt: You could teach somebody within a couple of days how to go on to various social media websites and start building a profile. You can think about chatGPT these days, telling it: “Write an email as if I were a physician looking for a new IT system.” I mean, there are a lot of tools to help you with that. There aren’t so many tools to tell you how to go penetrate a security diagram of an infusion pump. And what are the radio transmission frequencies, all that thing; you don’t really run into that so much.
Guerra: Right. Any final advice?
Witt: I think my final advice would be to recognize that healthcare, unfortunately, is still at the forefront of activity for cyber-criminals. They see a lot of valuable data in this industry. And they’re trying to compromise, penetrate identities – and not all identities are treated equally. So figuring out who’s more likely to be attacked, based on their job function, based on their access to systems, based on the way they work, I think that’s a significant clue about how you should go layering your security controls.
Guerra: Ryan, thanks so much for your time today. A real pleasure. I really appreciate it.
Witt: I appreciate it too. It’s been a good conversation.