
Hey everybody, it's Guy McDoudfella, one of the co-chairs of the BSides Las Vegas Proving Ground track. Our next talk is titled "Do You Understand the Words That Are Coming Out of My Mouth?" by Shea Jackson, who was mentored by Anna Skelton.

Good morning, ladies and gentlemen. My name is Shea Jackson, and today we will discuss the top vulnerabilities to the healthcare industry during the rise of COVID-19.

First I would like to talk about the business impacts, not only to the industry but also to our organization. That includes disruption to operations, and also financial loss: on average, the recovery from a ransomware attack costs businesses $1.85 million. Also there are negative effects to patient care and unauthorized access to sensitive data, not to mention the loss of trust by our clients due to a data leak, and also our reputation.

Let's talk about our first vulnerability: employees. Whether it's them not having any education at all about information security and how they can protect data, or there not being a strategic plan in place to help them with what measures they can take in order to protect data and also critical infrastructure. As you see by the headlines, there was an increase of 220 percent in phishing attacks during COVID-19. Insider threats continue to be a risk for employers, and also, with as many people working from home, there was concern about there being potential access to sensitive data.

Let's talk about some of the risks to the business. First, we mentioned phishing email. Have you ever got an email, or heard about someone getting an email, from HR or IT support, and they asked them to click on the link? As soon as they clicked on the link, there was malware that was able to go out through the systems, or be able to have unauthorized access to data. That's a phishing email. Or what about if one of the employees is checking their personal email on their company laptop: there's a sale, 50% discount, you have to click the coupon right now in order to get it. But once they click it, it leaves the company open to an attack. Look at the data: 3.4 billion phishing emails are sent every day worldwide.

Next, insider threats. This is a threat where an employee, a third-party vendor or business associate in the healthcare industry, or a contractor has authorized access to systems and also data, but intentionally or unintentionally they share the information or give access to people who may cause harm to the organization. Again, let's look at the numbers: 60% of data breaches are caused by insider threats. And remember, it's not always intentional; there's unintentional as well, and that is due to a lack of education of the employees.

Lastly, let's talk about ransomware attacks. We've heard about it in the news, from Colonial Pipeline and also the JBS meat industry, and the critical, massive harm done. However, a misconception for some small and medium-sized practices is, "Oh, that would never happen to me; hackers are focused on large organizations." And that is totally not true. What the actual situation is: small and medium-sized businesses are considered low-hanging fruit, because threat actors believe that they may not have the security measures in place or safeguards needed in order to protect their critical infrastructure and also data. Ransomware attacks will occur every 11 seconds in 2021. That means, wow, 11 seconds; billions and trillions, it seems like, over the year. We need to learn how to protect our organization from this type of risk.

What are some possible solutions? One big one is having cyber awareness training. Employees are a first line of defense when it comes to protecting the organization, but they may not know how. So being able to educate them, and also train them on what a phishing email looks like and what they can do in order to safeguard the data, is a critical step, but also a simple one that we can implement in our organization. Another solution is limiting employee access using least-privileged access, which means a receptionist should not have the same level of permissions and also authorities that IT support would have. All they need to access is the information in order to complete their responsibilities and tasks for their positions.

Next, let's talk about cloud computing. With a 630% increase in cloud service attacks during COVID-19, there was a rush, obviously, which, if we look at the other headline, could potentially cause a cyber pandemic. Let's look at the risk when using a public cloud. One is having system misconfigurations, and also there being flaws in the firewall application. What can this mean? This could mean that we are not abiding by the HIPAA Security Rule when it comes to risk management: taking the time to do a risk analysis to see what the gaps are, whether it's making sure that something that is public and the parameters are private, to ensure that there is not unauthorized access to information for all personnel, only key people.

Once they're in the cloud, why not have a system attack? This goes back to what we talked about with ransomware. When there's unauthorized access in the cloud, they're able to not only encrypt the data but also hack systems. Think about the risk that is involved, and also the impact, if a patient is on the way to the hospital, however the data cannot be accessed. It can be a matter of minutes or seconds, but we have to divert them to another hospital or medical practice because we can't access their information. These are some of the things that can potentially happen when cloud computing is not secure and security measures are not used to ensure that our operating systems and also the data are a focus, to make sure that threat actors do not or cannot have access.

What are some possible solutions? Cloud security is a huge one. Again, going back to the HIPAA Security Rule, that's being out of compliance if the standards are not met when it comes to having safety measures, having protection, and also making sure that whatever layers of defense that can be used in order to protect the patient's protected health information and also the systems from cyber attacks are implemented. Also, another solution is using multi-factor authentication. "Well, what does that mean, Shea?" That means not only are we going to ask them to put in their user ID and password, we're going to use another form of authentication, maybe sending a code to their phone for them to type in the number, so that we can for sure, absolutely for sure, guarantee that that person is who they say they are.

Lastly, let's talk about connected medical devices. Now, this has been a great revolution and an explosion when it comes to connected medical devices, whether it's insulin pumps, dealing with high blood pressure, or not only external medical devices but also those that are implanted inside of a patient to get readings. It seems to have improved patient care, but with that improvement there also are challenges and risks as well. One risk that I would like to discuss is an information security professional being able to hack into his insulin pump. Wow. Now yes, he was an information security professional, and in your mind you may think, "That'll never happen." However, we never thought that a Colonial Pipeline ransomware attack would happen, right? So just because it seems out of the realm of belief or reality, that doesn't mean it can't happen. Again, making sure that our patients' welfare and security should be our number one priority, even when it comes to medical devices.

Let's look at the numbers: there are 5,200 attacks that have occurred with connected devices. Now, in the news we haven't heard about a patient expiring or there being any type of massive critical issues when it comes to medical devices, whether it has to do with the patient inside of a medical practice or a hospital. However, the possibility is there for a threat actor to have access not only to the patient's information, but, let's go back again, like I talked about the insulin pump: who says that the dosage can't be changed? A dosage change could be the difference between the life and the death of a patient.

Another risk is a hacker having access to protected health information. 268,189,693 healthcare records. Let's just take a moment and think about that. Wow. Between 2009 and 2020, that's the number of records that was reported as being exposed. However, that's just the tip of the iceberg, because again, that was for reports where there were 400 or more records affected. Think about smaller practices or smaller healthcare delivery organizations that had an exploit and their data was leaked as well. So this number that I just mentioned, the 268,189,693 records that were exposed, is actually greater than that, probably approximately 4 million. That's a lot. That's a lot. And who wants to have their information exposed? And we talked before about the reputation of the organization and also the loss of trust by a client, not just when it comes to maybe their personally identifiable information, like their name, their address, maybe their Social Security number or their credit card information, but what about the medical records? What about critical information that a patient would not want to have shared or exposed on the internet? Ladies and gentlemen, this is how serious this matter is.

What are some possible solutions? Inventory management is a key one. You can't protect what you don't know is on your network. It goes back to what I talked about before concerning the HIPAA Security Rule. The HIPAA Security Rule and the standards say that you have to do inventory management, so that you'll know, not just to have a list, but let's dig a little deeper: understanding if there are possible updates or patches that come about that can apply more security to those different devices, but also, what if there is an operating system that is no longer supported? That is something that our staff needs to know, so that we can set up parameters in order to protect not only our patients, not only the data, but also the systems as well. Security defenses is another solution. That means defense in depth, or layered defenses. For instance, we talked about multi-factor authentication, and on top of that we can add intrusion detection and prevention systems as well. It's just looking at what, of all the tools, the resources, we can apply, and it doesn't always mean more money. It can be simply changing something in an application. We have to heighten the security, so taking a step back, looking to see not only what applications we have but also what we can apply that may be simple or easy to do, an easy fix or easy implementation, and also those that take the minimal amount of effort; that is massive, that can be taking a proactive stance to apply safeguards to our organizations.

I want to again reiterate the business impacts these top three vulnerabilities have had on the healthcare industry: disruption to services and operations; financial loss (I want to tell you the number again: it takes $1.85 million to recover from a ransomware attack); the negative effects it has on patient care; unauthorized access to sensitive data; and potential lawsuits as well, when a patient finds out that their data was exposed due to the organization or company not having or addressing the safeguards they needed to for potential threats for that particular practice.

Thank you, ladies and gentlemen. That's it for my presentation. Thank you for being on the front row and listening to a meeting. What did I do in this presentation? I talked about top healthcare vulnerabilities. Now, just because, like I mentioned before, my specialty is healthcare security, you can apply these same things, or these same points that I did in my presentation, to yours as well. I talked about and outlined the risks that came along with these vulnerabilities. I discussed potential impacts to the business, and possible solutions that we can implement. I also used non-technical terminology, and when I did use technical jargon, I took a moment to explain what it meant and also give an example. One thing that I would also like to say, to make your presentation more effective and impactful during the meeting: find out what the business objectives are, because when talking to stakeholders and all upper management and key personnel, that is what is at the front of their mind. So if you're able to align what vulnerabilities there are, what risks, what safeguards can be used, and apply it to the business objectives, I guarantee you, you won't get the glassy eyes there, but they will listen more, because that's what's important to them: not just the bottom line, but whatever objectives and goals the business is trying to accomplish. Thank you so much. My name is Shea Jackson. Do you understand the words coming out of my mouth? Thank you.

Moderator: Hi everybody, I'm here with Shea. That was a fantastic presentation, and very timely given the current issues we're seeing with ransomware and healthcare providers. So our first question is from Alan: any guidance on thinking about the medical devices versus the traditional IT side of the healthcare environment? And then he follows up with: any thoughts on how or whether to treat them separately for things like scanning and management?

Shea Jackson: Yes, good question. I think that they should be seen as separate, especially because with medical devices being hooked to patients, and the dangers that can come along with that, being able to implement maybe network segmentation as a safeguard, but also making sure that the healthcare provider or the health delivery organization knows all of the devices on their network. Not only that, but what is the support? Are there any patches that need to be done? Those are some of the, I'll say, perils that go along with the vulnerabilities when it comes to connected medical devices. Not that IoT devices aren't important, like, say for instance, a camera or something like that, but patient safety should be number one, because connected devices, medical devices, are aligned with patients; they should be seen as different. Thank you for your question.

Moderator: Oh, sure. You know, it's really interesting to me. You know, we've had the same basic mitigations, and they're very powerful ones: VLANs, right, network segmentation. That's been around for 20-plus years, right?

Shea Jackson: Yes, yes.

Moderator: And yet there's so much low-hanging fruit, which I suppose brings me to another question. So when you speak with upper management, especially in a healthcare organization, why does there seem to be such a disconnect between what's happening in the news and the reports of all the ransomware attacks, and getting the organization leadership to actually implement a cogent security plan in their organization? Why do you think that is?

Shea Jackson: Several reasons. Great question. Again, there are a lot of reasons. Number one, obviously, there is a talent gap when it comes to being able to address those risks and even being able to mitigate them. Another one is being able to talk in their language, where upper management understands, and that's why in my talk I talked about understanding the business objectives, making it quantitative, so that it's in their language. Because sometimes it's easy, because in our mind we think that even if it's in the news, or their words being spoken, that everyone should know that. However, we should not have that mindset. Whenever talking to upper management or stakeholders, take the mindset of "you're speaking to someone that's in middle school," and I know that may seem like "what?", but honestly, if you're able to just break it down in layman's terms, and also connect it to the business objectives and also how it can affect the bottom line, I believe it would be more effective, and a strategic plan can be in place in order to protect the critical infrastructure.

Moderator: Sure. And so do you suppose, with regards to strategic planning, do you see any differences between large healthcare organizations, these large hospital chains, versus rural clinics or community health centers, you know, that might have one or two offices? What sort of differences do you see there?

Shea Jackson: Kind of the same strategic plan, and I'll talk a little bit about the HIPAA Security Rule, because no matter how large or small the health delivery organization, everyone has to abide by the HIPAA Security and Privacy Rule, right? However, there are some things that, when, and I'll use the NIST Cybersecurity Framework as something that they could use to kind of map the different standards that they have to meet, there are some things that, yes, a large organization may need to address that a solopreneur or a small or even rural medical practice does not have to. So being able to lay everything out, see what you should apply, and also what things you'll say, you know. And it also comes down to their risk appetite and their risk tolerance as well. So again, the HIPAA Security Rule is the standard for everyone; it's just knowing what safeguards, what tools, need to be implemented in order to mitigate risk.

Moderator: You know, that's an interesting concept. I hadn't, I mean, when I think about HIPAA and HITECH, I don't tend to think of it in terms of there being a lot of room for risk appetite and risk profiles. Yeah, I tend to think of it more as "thus saith the Lord, you shall see these things," right?

Shea Jackson: Right, right, right. And a lot of people do.

Moderator: Can you give us an example of what kind of room is in there? Like, what kind of differing profile do you have?

Shea Jackson: Yes, great question. So for instance, let's take phishing. So let's say, for instance, for a large organization, yes, you would want to have phishing tests, phishing security services, in place; let's say 50 to 100, even lower than that. But for a solopreneur or a smaller office, let's be honest, if there's a phishing attack, I mean if there's phishing testing going on, if it's five people, pretty soon the employees will be able to talk to each other and tell each other, "Hey, I got this email, watch out for it." So in this instance, are phishing security services important when it comes to a large or even a medium healthcare delivery organization? Absolutely, because once they click, then we can implement a video or training to help them understand why they shouldn't have clicked. For a smaller office, they may think in their mind, "Well, you know, I really don't need this service." However, not doing the phishing test, but being able to educate them about phishing, about, I mean, about social engineering and things of that nature; it wouldn't cost the same amount of money for a small organization as it would a medium, I would say medical-side medium, or large organization. Still very important; however, they look at it differently. Also when it comes to least privilege as well: you're looking at a large organization, there are many different employees. Yes, we do need to make sure that a receptionist, like I mentioned, doesn't have to have the same permissions as someone in IT. But for a smaller office, if it's just a doctor and an assistant, or maybe a receptionist as well, you definitely still need to have that security in place, but it wouldn't take as much time, or, as far as the rules are concerned, be as in-depth as it would for a medium or large delivery organization.

Moderator: Sure, sure, sure. So you talked about PHI and medical records. I know that, I mean, one of the things that has happened in the last 10 to 15 years is the digitization of medical records, and I used to live in Madison, Wisconsin, which is home to Epic, which is one of the larger companies that provides PHI and digital health records.

Shea Jackson: Yes.

Moderator: Do you see any gaps in what those companies are providing, especially with their managed products?

Shea Jackson: Yes, I do, and it's difficult, I think, because when you think of applications, it's always, as technology advances, we want more consumers, and you address the consumers; however, sometimes that security DevOps is not implemented. So those gaps are there. But one thing as far as the organization is concerned: just because, like you mentioned, Epic, they may say that they're HIPAA-compliant, there are things that the organization needs to do to ensure that their patients are protected. And that's something that, as we talked about before, there's a disconnect, because it's "Oh, I have this application, I'm great, they have HIPAA compliance, they have some security rules in place, then I'm fine." But that's not true. But again, it comes to: who's going to do that? Whose role is it? Do we have someone, even the HIPAA security or privacy officer, which sometimes is the same person depending on the size of the practice? Who's responsible for that? Who can do it? Who has the bandwidth to do it? So as we see more exploits, as we see more ransomware attacks, that's great that we're saying, yes, we need a solution, but we also know that we need to start training and gearing up more professionals that can help meet those needs.

Moderator: Yeah, that's interesting, and that's very true with most of the other cloud and hybrid stuff that we've seen right now. It's not just enough to pay the invoice; you also have to verify that they're doing the job.

Shea Jackson: Absolutely.

Moderator: Right. Well, I think we've got a couple seconds left. Is there anything you'd like to close with, any words you'd like to leave with the audience?

Shea Jackson: I do. One thing that I want to say, as far as, and we talked about the size of the practice: small and medium medical practices are considered low-hanging fruit, because they believe that "Oh, we're not a Baylor Scott & White," which is a large hospital in Texas, "or one of the larger organizations, so no one will be really looking at us, and we don't have to really have as many safeguards," which isn't true, because you are the low-hanging fruit, and because you're connected to the network, you're the easy way in. So when it comes to thinking about implementing security practices, don't always think what you hear in the news is about the larger organizations. Small and medium-sized businesses are a prime victim as well, and unfortunately, whenever they are attacked, they're not able to, because of how much money it costs in order to, I want to say come back, but I'll say recover, most of them, a lot of businesses, within six months. That's unfortunate.

Moderator: Well, thank you very much. I think that's our time, so thank you for the fantastic talk, and just a reminder to our viewers: you can keep asking questions in the Discord channel all day.

Shea Jackson: Thank you, thank you so much. Have a great day.