Cracking The Code Ep. 20: Dissecting the Worst Cyberattack in Healthcare History

In the latest episode of Cracking the Code, Chris Bowen, Founder and Chief Information Security Officer, sits down with Ryan Boyer, VP of Solutions Architecture, to tackle one of the most pressing issues in the healthcare sector today: cybersecurity threats.

This episode dives into the most impactful and far-reaching healthcare cyberattack in American history: the ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group. This breach in particular could have implications for, and result in significant changes to, the industry for decades to come.

Bowen and Boyer walk through the causes and consequences of this breach, and offer real-world, actionable advice on how to fortify cloud defenses and how to prevent cybersecurity lapses.

Transcript

0:06
Hello everybody.

0:07
Welcome to the next episode of Cracking the Code.

0:09
Episode #20, Healthcare is in the middle of a digital revolution.

0:14
The benefits are immense, but so are the risks.

0:17
Recent cyber attacks like the Change Healthcare breach have shown us how real and immediate these dangers are.

0:23
Here today to discuss the recent breach and how your organization can protect itself.

0:27
I have Chris Bowen, ClearData’s CISO and founder, and Ryan Boyer, our VP of Solutions Architecture.

0:33
So I’ll go ahead and remove myself from camera and let them discuss.

0:38
Thanks, Natalie.

0:39
And we are on location in Upstate New York today and it’s a little cold, Ryan.

0:45
I gotta be on snowy.

0:46
So both of us are from the South.

0:47
Yeah, you don’t exactly get this much.

0:49
Yeah, for sure.

0:50
So let’s set the stage.

0:52
We’ve got healthcare middle of a digital revolution.

0:55
We’ve got data that is sprawling everywhere.

1:00
And in fact most data is generated by healthcare throughout the world.

1:05
We’ve got breaches that have been perpetuating and promulgating across the landscape, if you will.

1:14
Ransomware is a big part of that.

1:16
We’re going to talk a little bit about that today.

1:19
We’re going to talk about the recent Change Healthcare incident.

1:22
I would call it a catastrophe if you think about the impact and the breadth of how this has affected people.

1:32
And we’re going to talk about how it happened and what we can do about it.

1:36
We might even get into some of our thoughts about some HHS opinions, urgings, whatever we want to call them, and we’ll get into some of that.

1:47
So.

1:48
So Ryan, thanks for being here.

1:51
It’s fun to be in the same room.

1:52
I know this day and age we don’t get to do this very often.

1:55
So.

1:55
Yeah, sorry.

1:56
So what’s your take?

1:57
What’s your take on this whole calamity?

1:59
Well, I mean, when you look at what happened, as you said, it’s the impact. It’s not just that Change Healthcare felt the impact; it was such a huge dependency for so many providers and pharmacies that at the end of the day we’re seeing a disruption to the healthcare system like we’ve never seen before.

2:17
The good news is people have gone out there and they’ve worked through it, and, you know, Change has made those commitments to ensuring, you know, loans and things like that that will get us through.

2:26
But, you know, we’re three weeks into this and we’re not at the end.

2:30
I think I read an update last night that said they’re at the final test of the last system, and this is the unfortunate case of ransomware.

2:38
I know the city of Atlanta a few years ago had something happen like this and it was out for a month.

2:43
I got out of a parking ticket because it happened during that time frame.

2:48
They had to recover from a three month old database.

2:51
So it’s just, when you start thinking about what is going on, and Change

2:55
Healthcare has been a very big part of the healthcare story in public cloud for a long time.

3:04
It’s really amazing to see that they were the target of this.

3:07
And I know when we start going through this and we see what happened with ransomware, and we know some of it, we know it was a third-party application that had over-permissive permissions to what it could do.

3:20
That’s how they got in.

3:22
And when we start thinking about this, if Change Healthcare is having that problem, who else is susceptible to this?

3:28
And I think that’s what we really have to start asking ourselves, is it.

3:32
It’s no longer if this will happen.

3:34
We see the data every day from the threat actors trying to hit our customers.

3:37
It’s immense, because every healthcare system is under attack constantly.

3:42
It’s constant.

3:43
It’s crazy. Let’s just humanize the impact of this a little bit.

3:49
Grandma has some challenges, needs to go to the doctor’s, get some medicine.

3:53
She can’t get her medicine because Change Healthcare adjudicates and helps validate the prescriptions and such.

4:02
She can’t get it.

4:03
Eventually she gets it, but she has to pay cash.

4:06
Maybe it’s her entire amount of money she has to live for that month.

4:12
Immense impact.

4:14
Really, really frustrating that this happened. ConnectWise, you know, has this vulnerability, it’s been taken advantage of by, you know, BlackCat, and just terrifying consequences.

4:30
No.

4:30
Absolutely.

4:31
And crazy, yeah, just, yeah.

4:33
I mean, the humanizing aspect of this is, you know, it’s not just the, hey, I’m struggling to pay my bill for this, but then you think of the mental health impacts, which are going to perpetuate care issues down the road with stress and the challenges that come from it.

4:48
So this will have a serious impact on how we look at healthcare and, you know, the trust in the system of the consumer. I think that’s a key point.

4:57
It’s the trust in the system. At this point we can, you know, throw darts at those who click on the link in the basement.

5:06
We can, you know, criticize Bob who decides to, you know, do something stupid on a website.

5:13
But this is a systematic thing that nobody saw coming.

5:17
We should have seen it coming.

5:18
When we have a dependency on one system that does all of these things, I’ve got to think that the regulators have got to step in and say we can’t allow this part of our critical infrastructure to be like this, to be this tinderbox of what could happen, right.

5:34
It’s single-threaded, and, you know, the amazing thing is you see all these companies popping up now with Change Healthcare compatible APIs over the last month trying to move people over.

5:45
But even then, it’s not just that easy, compatible APIs.

5:48
It’s a major process flow and change, and you can’t just replace it in one month, and it’s going to force, you know, we in IT,

5:56
We’ve talked about these concepts forever, disaster recovery.

5:59
I don’t know if the FinServ world does it the same way, and they look at it, it’s like, oh, we need DR

6:03
for payment processing.

6:05
We need DR

6:06
for our vendors this way.

6:08
But we’ve always looked at this from a disaster recovery perspective of how do we get there to support these things. And I think that’s what we’re gonna start seeing, is that it’s not just we’re gonna have one vendor anymore, we’re gonna have a whole bunch.

6:21
We’re gonna have diversified vendors, and I think what you’re going to see is providers and payers and all the different healthcare entities that depended on Change are going to put in stricter vendor mandates.

6:32
There are going to be things like, they will request HITRUST compliance and certification.

6:36
Not just HIPAA compliance, they’ll also look for things like SOC 2, NIST, more international, broadly defined standards.

6:43
The bar is going to be raised.

6:44
Well, let’s hope so.

6:45
Yes, that’s we.

6:47
We very much hope so.

6:48
I mean, come on, I have opinions, Ryan, I know, on some of this. I’ve been critical of some of the output that has come out from HHS around voluntary standards.

7:03
Let’s be honest: if they’re not doing, kind of, you know, what they’re supposed to be doing in their own infrastructure from a voluntary perspective

7:11
now, they’re not going to. Voluntary never works in this type of scenario.

7:15
It’s just not enough. It’s, hey, yeah, we can, and we hope the free market will push everybody there.

7:21
But at the end of the day, if there’s an investment that needs to be made and it doesn’t drive revenue, it only takes away from profit.

7:27
It’s a really hard sell for organizations to say yes.

7:29
Well, when you’re trying to defend against what hasn’t happened exactly, then you’ve got to make it a huge business case, that you would think would be easy to make.

7:39
Given the hundreds of millions of patients that have been impacted by breaches before.

7:45
You’d think that that would be a driver of some kind of economic business case.

7:49
Well, especially if you’re an insurance company that understands the risk, the cost of doing nothing and the potential impacts, which is the ironic part about this with everything.

7:59
These are the business models, but it is really hard from, like, a CISO’s point of view, and I’m always curious about your take on this.

8:05
How do you define the value of reducing risk in an environment?

8:08
It’s hard to say, hey, there’s $100 million worth of risk out there.

8:13
What’s that worth to me?

8:15
Everybody thinks that they’ve got a handle on what’s going on, and I think there’s some level of arrogance in the industry that says it’s not going to happen to me.

8:26
If it does happen to me, you know, we’ve got insurance, we’ll hold our vendors accountable.

8:33
Well, now we’re going to have a bunch more vendors, which is a good thing, but now, to your point, we’ve got to really do a lot of vetting on these vendors ourselves, as our customers require of us.

8:46
I think for one customer I did six different questionnaires, and I actually had to give some blood, right.

8:53
Oh wow, some blood on that, that’s pretty vendor diligent.

8:57
I’m kidding about the blood part. Anyway, so we have a managed detection and response team within our company, and, you know, we have this report that we put out in December.

9:13
Guess what? We warned against ransomware, specifically BlackCat, right.

9:18
I do remember reading it, and I remember when they announced it, I think you and I were together in LA and you said, wow, you know, prophetic. Those who don’t read these kinds of reports need to start doing that, because what we’re seeing, and again, we have this contributory network of hundreds of customers in healthcare only, and we’re seeing what’s happening over here and we’re defending with countermeasures all across the fleet.

9:49
And so when we put something out like that, it’s not because we just think it’s cool, it is cool, but it is.

9:55
It is in some cases life saving.

9:58
It’s saying, hey, guys, you know, you think about, like, when there’s turmoil in a foreign country and the State Department puts out the, hey, you should probably leave this country right now because there’s something going on.

10:07
It’s equivalent of that in many ways of us saying this is what you need to be prepared for.

10:12
This is what’s coming down.

10:13
This is what you should be investing in.

10:15
And I think, you know, for us this was something that our team saw back in December, the rise of increased ransomware through BlackCat and what patterns were there.

10:25
And, you know, when you think about what you need to do, ransomware isn’t scary until ransomware spreads, right.

10:33
Like, ransomware doesn’t usually get to your core database right away.

10:37
It usually has to go and find its way through the network, go from an end-client machine, hop around, find somebody with admin access.

10:45
So when you look at, like, that first boundary of just identity and access management, like how you allow people to access your critical infrastructure, that becomes a huge area, and that’s not that hard to manage.

10:59
But at a scale, you have to manage it.

11:02
You have to manage it.

11:03
But then once something, like, loads into a critical piece of infrastructure, you have to know that right away.

11:08
And what is your scenario for how you respond to that as an organization?

11:13
Hey, we just detected the BlackCat/ALPHV ransomware.

11:17
Or we just detect and move it?

11:19
Great.

11:20
We need to quarantine that as soon as possible and understand where it’s spread and we need to quarantine.

11:25
But at the same time, from an operational perspective, DR,

11:27
backups, what?

11:29
Where ransomware gets really tricky is it hides for X percentage of time hoping to outrun your backup.

11:37
So it’s not easy to recover from. But for something to spread like this, it means there was likely a systematic failure of networking permissions, IAM permissions, monitoring.

11:48
All these things should be captured through some sort of EDR/MDR-type security solution.

11:53
We should have seen traffic patterns going out to Russia, Ukraine, North Korea.

11:57
We should have seen all these things.

11:59
We know, that’s how we identified it.

12:02
So many things had to fail to get to this point, where a critical database of this network infrastructure, for this motion, so many things had to fail at that level that should have been caught right away.

12:16
And just like getting a virus on your computer: quarantine it, remove it, take it out of production, replace it.

12:22
One hour of downtime instead of four weeks.

12:24
You know, we talk about IAM, that’s a subject that’s near and dear to us.

12:29
We’re talking to customers all the time about, you know, rotating your keys, getting people who have not logged in for a year or two, you know, MFA, come on, MFA, MFA, MFA, I almost swore there, sorry, but there’s some other things that we thought about in the wake of this Change

12:50
Healthcare incident. One was IAM, obviously, that’s front lines, you know, you can’t protect your house if you take the door off, right.

12:56
It’s just not going to happen.

12:59
So.

12:59
So we talked about having strong and well-manicured

13:04
IAM, if you will.

13:06
We talked about some other areas of focus for preventing this going forward.

13:12
Can you remember some of those?

13:13
Well, yeah, I think a lot of what we talked about is looking at this from, there’s a couple of ways. We discussed, you know, better architectural patterns to prevent spread.

13:23
So one of the things in the cloud mindset of development was networking became an afterthought for a very long time.

13:29
I was at AWS for five years.

13:31
I remember people saying networking is dead, you don’t need network engineers anymore.

13:36
The reality is we are starting to see, because of the security challenges that have arisen with bringing certain applications into the cloud,

13:44
we need to go back to having things like centralized inspection of east-west traffic at the network layer.

13:50
Like, we can’t allow traffic to flow freely between subnets and VPCs, from database subnets to app subnets.

13:58
We have to have stricter monitoring and IPS there.

14:03
That’s, like, one area.

14:04
I see a lot.

14:05
The other thing is, you know, vulnerability scanning.

14:08
I don’t know how many people don’t do vulnerability scanning, but I can tell you, in my time at AWS, they were like, oh, the cloud provider takes… Oh no, they will tell you when you’re infected and when it’s spreading, but it’s too late.

14:20
When they call you. You need to have regular vulnerability scanning, and there’s tools in the cloud provided, you know, we provide customers with this capability off the bat because we know it’s that important.

14:31
But if you’re not addressing the vulnerability scanning and actually looking at the reporting and seeing what those patterns are, you’re not addressing anything well.

14:38
And here’s a bonus: if you’re doing vulnerability scanning, you can actually pick up your assets along the way and actually understand your fleet, right.

14:47
And then you might even be able to say, oh, OK, well, maybe there’s a CVSS score of a 10 on maybe a ConnectWise issue, right.

14:55
Why don’t we go fix that?

14:56
Maybe that’s the first question you ask when you get in in the morning.

15:00
Are we using this?

15:01
In fact, I remember asking that question are we using this?

15:05
And the answer was, we used to, a long time ago. And I’m like, are you damn sure that it hasn’t popped up somewhere?

15:13
It’s not in that random developer account where somebody left that access key open to the public?

15:20
Yeah.

15:20
And I think, yeah, you know, MFA I think is the other one I just look at.

15:24
It’s just, like, it’s such a no-brainer in this day and age and it’s so easy to implement in every cloud provider.

15:31
And if you’re not doing something like SSO in a cloud provider, which you should, you should have your identity provider tied to your core Active Directory or to your HR system.

15:41
So that, like, if somebody leaves, it’s not a ticket to the cloud team to take them out of access to a system where they have critical access.

15:49
It’s an automated process that flows through from the HR policy to the employee being shut off to taking that out.

15:56
And I think that’s one of the critical things that I know we’ve seen with customers as we’ve helped them out with their IAM: if they didn’t have MFA keys, they had users that were manually created.

16:07
These were things that just sat around because people were too scared to delete.

16:10
It’s the old data center.

16:11
What’s that server do in that rack there?

16:12
I don’t know, but don’t touch it.

16:13
We don’t want to break anything.

16:14
So, you know, everybody has that challenge.

16:18
We take the opposite approach, as you know: if you don’t speak up, that server’s dead.

16:23
Exactly.

16:24
I have had things blown away here because of that, and it upset me.

16:28
So following, like, those standard processes that are in there for, like, tagging and understanding ownership of these things.

16:35
It’s just what needs to happen.

16:37
And again, I am of the mindset now that an hour of downtime now is so much more important to me to have than a mistake that’s going to cause a day, a week, a month of downtime, which before this I don’t think anybody thought would happen in the healthcare industry.

16:53
We would see a month outage of a critical provider, and this is what we have to deal with now.

17:00
So reframing our thought around the cloud of being 100% uptime and ensuring that, we have to start shifting back towards security-first mindsets, where if we have to take something offline for a maintenance window because we see something that is scary, or even potentially scary, we should do it.

17:19
I remember doing that early in the days of ClearData. We saw an impact about to happen, and it was in a hospital system, and I had to make that call.

17:31
I couldn’t get a hold of their CISO, whatever.

17:33
So I just gave the command to shut off the server, save the hospital.

17:40
It saved literally.

17:41
They were really mad.

17:43
But then they realized after what we did. Now, again, we could enhance our communications.

17:49
But there’s, you know, a lot more to unpack on this.

17:53
Maybe we have another version of this. Endpoint

17:57
detection and response is critical, critical, absolutely important.

18:01
It’s not expensive anymore.

18:02
There’s vendors out there that make it, like, there’s open-source tools, there’s, you know, the tools everybody knows, and there’s our team as well.

18:11
Our team does it so well, so well.

18:14
Employee training and awareness.

18:16
I mean, if you see something, say something, do something.

18:21
But if you don’t know what it is that you’re looking at, yeah, then you’re in trouble.

18:25
Exactly.

18:25
And I remember, so I was at Amazon for five years and I probably sat through one of those every three months on the things, and it used…

18:31
You never really think about it until it comes up and you get that phishing e-mail and you’re like, that’s weird.

18:38
But at the end of the day, those things, that’s frontline protection.

18:43
How about rehearsing an incident? Huge, tabletop exercises.

18:48
I don’t know about you, but when I’m playing the Super Bowl, I like to run that play.

18:51
I just want to see how it’s going to go. Exactly.

18:55
And you identify your gaps in process that way.

18:57
If you’re not doing, like, incident response simulations and tabletop exercises, how do you know what your gaps are?

19:03
Like?

19:04
Literally sit in a room.

19:05
It’s like, OK, this happened.

19:06
Our software detects this.

19:07
It goes to John’s team.

19:09
Oh, my team’s not 24/7.

19:11
So if we get it at 3:00 AM, you’re not going to respond to it.

19:14
Yeah, we’ll get it at 7:00 AM. OK, we have a gap.

19:17
We’ve already found it.

19:18
And that’s the way you actually, like, in a security mindset.

19:20
It’s not just tooling and process.

19:22
It’s about people, process and tooling, all coming together.

19:26
And it is a complex situation if you’re doing it on your own.

19:30
I think our team does a really good job of helping our customers bridge that gap, especially if they don’t have that expertise in house.

19:36
You know, it’s hard to get that in house.

19:38
It’s expensive too.

19:39
It’s expensive.

19:40
It’s hard to find the talent.

19:42
I think we need to wrap up here, but give us a call, let us help you figure out where you might be resilient.

19:50
One of the things that very few people remember these days: security risk assessment, figuring out where your gaps are, a cloud Well-Architected Framework review that you guys do.

20:04
Let us at the very least say, hey, you know, like, I’ve been called a nitpicker before, let us at least nitpick your stuff so you can say, well, that’s a good point, or maybe, maybe this is why we do this kind of thing. But get a second set of eyes, give us a call.

20:20
Yeah, absolutely.

20:21
We’d love to talk.

20:23
All right.

20:24
Well, thank you again for tuning in.

20:26
And we might get some cups next time.

20:29
Yeah, Cracking the Code cups.

20:30
I like that idea.

20:31
All right.

20:32
Take care everybody.