
Protecting Healthcare: Unveiling the Cybersecurity Imperative

A Conversation with Dan Dodson

Editor’s Note: We hope you enjoy the video above. If you’d rather just listen to the podcast, click the button below to go to Apple Podcasts: The Common Bridge. It is also available on all other podcast platforms. We have included the transcript of this program below. We offer this program in its entirety to our paid subscribers, and welcome all to subscribe below.

You can also help the show by contributing in any of these methods:

Shop. https://thecommonbridge.com/subscribe-shop/

Zelle. rich@richardhelppie.com 

You can also send an email to Editor@TheCommonBridge.com

Thanks!


Richard Helppie  

Hello, welcome to The Common Bridge. I'm your host Rich Helppie. Today we're going to talk about a serious topic that affects everybody because ultimately, we're all patients in the healthcare system and the healthcare system is ever dependent on computers and on interconnectivity. There have been some big events in the news lately about cyber criminals attacking healthcare. With us today is the chief executive officer of Fortified Health Security; we welcome back to The Common Bridge, my friend Dan Dodson. Dan, it's really good to see you.

Dan Dodson  

Hey, Rich, great to see you. And thanks for having me back, really appreciate it.

Richard Helppie  

In full disclosure, at one time I was affiliated with the Fortified Health Security group, and have not been since 2020, so we're bringing you straight-up news reporting. Dan is the best expert I know about cybersecurity in the healthcare space. So Dan, for the listeners, readers, viewers of The Common Bridge, why are the cyber criminals going after health systems? I mean, it sounds obscene to me. What's behind their motivation?

Dan Dodson  

Yeah, excellent question, Rich, and something that we talk about often, obviously. You've got to think about what we call adversarial intent. What's the intent of the bad guys? Why do they target certain industries or certain people or certain organizations? At the end of the day, it comes down to money. These very complex, very sophisticated adversaries are trying to monetize the work that they're putting in so they're going to try to attack organizations and segments that have the fastest path to revenue for them which is primarily the likelihood to pay ransoms. Unfortunately, Rich, you mentioned a little bit in the opening the interconnectivity, the number of applications, some of the nuances we have in healthcare which make them susceptible to attacks so that's one of the reasons why they're targeted. The second reason is the data is so valuable. I mean, think about it, when you get hacked in your Target account and you've got to replace your credit card, well, you can easily do that. It's a pain in the neck and nobody wants to do it but you can do it. In a health record, it's very hard to kind of reset. It's got your social, it's got your medical history, it's in disparate systems, it's in a bunch of different places, you can't just reset it. What that leads to is a very valuable data set because the bad guys can monetize it for a longer period of time and in more than one way. So those are the two primary reasons why we see them attacking healthcare.

Richard Helppie  

The threat, if I'm understanding it, is they can take all that rich personal data, they can threaten to put it up on the dark web, which is problematic. They can tell people you can't have that. They're going to say, wait a minute, I was counting on that healthcare portal to let me understand my longitudinal history. I think a point you inferred there, a health system is 24 hours a day and when an order for something goes in, you need it right now. It's not like, well, we're going to be down for a few days. So the ransomware, if they seize the system there's huge motivation to accommodate them to get your data and your systems back up. Is that right?

Dan Dodson  

That's exactly right. I mean, if you think about it, healthcare organizations exist to deliver care in the communities that they serve. Whenever there's an outage - whether it's cyber or any outage to that matter - they have to work very quickly to get systems back online so that they can execute their mission, which is take care of patients and their communities. There's that forcing function that really puts a lot of pressure on the organization to rectify any situation, including cyber, if it's going to impact patient care. That's not present in a bunch of other industries as much as it is in healthcare.

Richard Helppie  

In a modern health system, where you've got interconnected hospitals, physicians, diagnostic sites, and inpatient portals, is there a backup plan? Most of the people that are working in the health systems today grew up in the age of automation and digitization. If they don't have a computer system can they do diagnostics and treatment?

Dan Dodson  

It becomes very difficult Rich, I mean, you think about anything that's complex, it typically relies heavily on diagnostics - to your point - laboratory tests, radiology tests, etc. And those systems are all driven by computers at the end of the day to simplify it so if the computers aren't working, the doctors and nurses and clinicians can't deliver care. You'll hear in some of these events that have gone public things like downtime procedures or executing care on paper. There are procedures that they can go to but the effectiveness, efficiency, and their ability to deliver care is drastically impacted without this technology online.

Richard Helppie  

Now with ransomware, which we've talked about on the show before, the bad actors infiltrate a system, they infiltrate the back-ups; have they gotten to the point where they're infiltrating, let's say, the main administrative system and then they get into the laboratory system and the radiology system and the pharmacy system and the dietary system before they demand the ransom? They're everywhere? What's going on? If you want to cite some of these case studies we've seen lately, like Change Healthcare and Ascension, I know people are really interested in that.

Dan Dodson  

Let's take a look at both of those Rich, because a lot of people are talking about them. And from a cyber perspective they're both a little bit different. Let's explain a little bit about what happened. As backdrop, Change Healthcare basically helps facilitate administrative functions in healthcare. Think of them as like an octopus, whereas their heart or heartbeat, that's the technology, and then the tentacles reach out into so many different facets of hospitals and physician groups, etc. One of the hearts of the octopus was attacked at Change Healthcare. The action that they took was they cut off all the tentacles, all of the interconnectivity. What ended up happening at the endpoint where patients actually engage is they couldn't get care, they couldn't get bills, they couldn't get prior authorizations, because they were cut off. Now, let's look at what that means. If they hadn't cut off the connectivity, if Change hadn't done that, then at the end of each of those tentacles there could have been a cyber event. But in fact, there wasn't because the virus didn't spread through the tentacles because they cut them off. However, what happened was massive disruption to care because they couldn't do the administrative functions required to administer care. So although not a cyber event at the end of the tentacles, it was certainly massively impactful to health care. There are a lot of arguments about things that could have been done better in that situation; there are always lessons that can be learned. But ultimately, the way they were attacked was that somebody's credentials got harvested and they did not have the proper security controls - MFA, Multi-Factor Authentication - and that's how they ended up getting attacked. So one little attack impacted basically a third of US patients because of that.

Richard Helppie  

When you say someone's credentials got harvested, that would be that if I was an authorized user, the criminals lifted my password and my sign-on or I sold it to them and that's how they access the system.

Dan Dodson  

Yes, generally speaking, yes. We don't know specifically about the exact vector in here, what we do know is that the device that was compromised did not have multi-factor authentication on it and it was used with credentials. How they got it, I think we'll learn over time. But yes, in theory, that's what happens.

Richard Helppie  

Multi-factor authentication for people not familiar with that term - we've recommended that when we had the leadership from SenCy on [the show] - that's where when you try to sign-on to something using a username and a password it sends a text to your phone and says here's a special code, put this in before you go further. It's one of the things you can do, as well as never use the same ID and password ever for two different sign-ons because the bad guys have those things.

Dan Dodson  

That's exactly right. Rich, and I would strongly recommend it. You'll see this in all your consumer facing apps; your banking apps, even your social media stuff has that, and to your point, please don't use the same password for your social media that you use for banking, that you use for other things. Make sure you have a diversity in your passwords and always use multi-factor authentication. It's annoying but it does provide a lot of protections for individuals.

Richard Helppie  

With the Change Healthcare, it sounds like a compromised sign-on versus a phishing link that got clicked. And ultimately, the chief executive of United Healthcare said, pay the $22 million in ransom because it's going to cost us more than that to unravel this. Do we know yet how things are at Change Healthcare? Did they get their systems back and has there been ongoing damage?

Dan Dodson  

It was a slow recovery, Rich. From what I can tell today, the majority of the systems have come back online, there was some pretty devastating financial impacts, especially to small provider organizations. They've tried to put some loan programs in place, etc. to help it out. From a healthcare perspective, it was largely an administrative and [revenue] cycle and cash flow problem to the physicians and clinicians. I'm not downplaying it, it was impactful for sure. Then as recently as this week, they started to come out with what type of information was extracted and it turns out that there was a lot of sensitive information that has been stolen from the systems, unfortunately.

Richard Helppie  

When these cyber criminals get in there - at my healthcare provider they've got, of course, our insurance information which is monetizable, they have credit card for the private pay which is monetizable, they have every detail about the family's health care, who all the providers are. For some people that would make a big difference because they want to keep certain things more private, the threat is real. That data, I can see, is very, very valuable. What do we know about the attack on the Ascension Healthcare? What happened there? Do we know where that stands today?

Dan Dodson  

That was a bit different. You mentioned a phishing email, from my understanding it was a phishing email; somebody clicked the link. So this is a very interesting use case to think through, Rich, because you have one person click an email that launched the payload that ended up holding the organization hostage. Look, I mean, multiple states, hundreds of facilities impacted by one email clicked. That just goes to show that these adversaries are very impactful with their tactics. That's what started [it]. They've begun to bring systems online. From what we can tell, as you mentioned earlier, backups were probably impacted, which is what's taking so long for the systems to come back online. But ultimately, this will be a massive, massive impact to that organization but also to the patients that they serve.

Richard Helppie  

We know that a lot of these cyber criminal organizations are in hostile countries - China, Russia, Iran, to be specific - so that using some kind of enforcement, international criminal prosecution, is really difficult. It seems that if you are a victim of ransomware, basically you should be insured for it and pay the ransom. But what about companies like Fortified? What are you doing to stand between the cyber attacks and the cyber criminals and that precious healthcare system that we all depend on? What do you guys do and how does it work?

Dan Dodson  

Excellent question, Rich. I think one of the things is that if you think about just building a defense-in-depth strategy against these adversaries, you've got to look at - as I mentioned earlier - healthcare, their mission is to take care of patients so they're not equipped to handle the cyber pressures of today's environment. There are opportunities to partner with organizations like Fortified where we can come in and put in state of the art technology monitored 24/7 for them, and make sure that in the event that somebody attacks their organization, limit the radius, the impact to that organization because every organization is being attacked all the time. How do we build a strategy that puts you in the best position to limit the likelihood and then the impact if an event happens, that's really what Fortified does. Healthcare does not have the resources that other organizations have of similar size and scale and they certainly don't have the expertise from a cyber perspective. So creating partnerships with MSSPs like Fortified just makes a ton of sense, rather than trying to do it on your own.

Richard Helppie  

What is an MSSP?

Dan Dodson  

A managed security services provider, sorry. It's a third party managed services company focused in cybersecurity.

Richard Helppie  

When you think about the layers - remember that the listenership, readership, and viewership of The Common Bridge is a lay audience and highly interested in what to do with this - it seems to me that there's a level of surveillance, and there's a level of protection. I would imagine that you're gathering known threats and preventing them from spreading, and then also a set of remediation. Take me through, if I'm a health system executive and I need to protect my organization; what's the difference between no coverage, training on my own, or going to Fortified? Why would I want to use another company to protect this very valuable information?

Dan Dodson  

First of all, I think that the main reason why is you just bring expertise that the healthcare organization doesn't have inside. The process that we take clients through, it starts with the risk analysis, Rich, this is where do I have cybersecurity risks? Once I know that, then I can put up a game plan to mitigate, minimize that risk to a certain level. Based on the size and scope of the organization, what remediation against that risk analysis can I do; it's different for every organization, we work with them on that. Then ultimately, we provide the eyes and ears to monitor their environments to make sure that we put them in the best position to be as defensible as possible.

Richard Helppie  

I've been in your security operations center, it's been a long time, but one thing I was impressed with is that you actually could see the threats coming from Eastern Europe, from South and Central America and from elsewhere. I would imagine that is something that your average healthcare provider couldn't do on their own.

Dan Dodson  

That's exactly right. I think there are two things. One is that we need visibility inside the four walls of the organization, as well as visibility to the threats. And then most importantly, we have to put in how do we respond to those threats. Because of the attack landscape, what do I need to be doing differently? That is a constantly evolving situation. How do we make sure that we're not chasing the shiny red dot, that's not going to actually lower risk and making sure that we're prioritizing it within the constraints that we have as an organization. It's very complex; it takes a village to be able to understand where to put the resources that we do have.

Richard Helppie  

How often have you seen it in your practice where despite the surveillance and despite the barriers that you put up, that a cyber threat does penetrate? What does it take to fix it given that my understanding is the cyber criminals now are putting their malware inside the back-up systems too; you can't just stop and recover and go on because they've already planted it there for weeks or months?

Dan Dodson  

I think that the biggest thing to think about, Rich, is how have I deployed the technologies in my environment to provide the protections. Look, you mentioned earlier the CEO of United, they had a policy to put multi-factor authentication on there, they didn't have it on there. That would have prevented it, or was more likely to prevent it, I should probably say. Part of what you have to do is make sure that you're putting the right level of technology all the way through your environment. Look, we've all been in projects, whether you're in IT or not, you get to the last 20% and it's like the next project pops up. Well, that's where your risk lies. Those are the things that you've got to make sure are really thought through and executed throughout the entire organization. And the larger you are, the more complex it becomes.

Richard Helppie  

I've heard that - you'll have to help me with the term - an air gap or air link that basically disconnects some of your systems and feeds them a different way. What's that about?

Dan Dodson  

It's like an air gap, air gap back-up, basically. Think about it as your backup is not connected all the time. If the left side, so to speak, gets attacked and compromised there's a gap between it and the right side so it doesn't get compromised. There are ways to put in those types of controls for sure.

Richard Helppie  

Probably like a lot of Americans, I really like having my personal health record on My Chart, this is the dominant application in the industry. It would seem to me that safety would say, let's put that outside of the hospital and physician processes, let's go ahead and feed it, but we're not going to take anything back from it, just keep it isolated. It might be a little bit out of date but it seems like that'd be a good way to close the door to our people thinking about things like this.

Dan Dodson  

I think people are thinking about that. I think the challenge, Rich, is that if you think about a My Chart patient portal, you're going to have various different data sources. Most of the time, you don't consume all of your healthcare in the same spot every time so you may have a specialty physician or you may have an outpatient surgery, or you may have two hospitals because you need a specialist; they all have to feed it. It becomes very complex to be able to put actionable information in the hands of the patient, in the hands of the caregiver, without having a bunch of interconnectivity. So it is a challenge that is difficult to solve. Then, for another podcast someday, it's like, well, who owns the data? And if it's all moving there and it's moved out of my system and it's in My Chart it becomes a very complex situation.

Richard Helppie  

My take on it, it's the patient's data and that other people get to use it. But that battle, I'll just say we fought to a draw at one point. But the other thing too, there's more healthcare moving into apps; blood pressure monitors, glucose monitors, etc, it's on your phone and guess what? Your physician wants to see that. How do they want it? Just fire it to me in the portal. Untold millions of connections, all of them that could be carrying malware that can meet up and put that health system into a very difficult position. Jumping back to Ascension, do we know, did they pay a ransom? Or are they trying to just forge ahead, absent paying ransom?

Dan Dodson  

As it sits today, I have not had confirmation either way on that, I do know that they're in the recovery stages, and they have begun to bring some of the facilities online. I do know that one of the things that I think your viewership should realize is that when these organizations get impacted, most of the time if they're in an urban setting, the impact is also on the other care sites that may not be affiliated. Because their emergency departments get overrun or their [providers] get overrun. There are second and third level impacts in the urban area on other organizations. Then in the rural areas there may not be other options for patients. That's where it's really devastating because you won't be able to get care, in some instances, for hundreds of miles. We don't know specifically if they paid the ransom or not, we do know that they're on the road to recovery and that they have brought some facilities back.

Richard Helppie  

On the rural side to that, oftentimes, the radiologists doing the read of a particular image isn't in the geography, they might be offshore. If your systems are down, that means nobody can read your ultrasound, nobody can read your MRI, no one can read your X-ray, obviously just fundamental diagnostic tests. Dan, as you look at this industry...before I go there I'm going to just try to imagine myself as the chief executive of let's just say a mid-size three billion dollar health system. I go to my board and I say we are victims of a ransomware attack and the ransomware criminal wants $50 million or they're not going to give us the keys to turn our systems back on. I'm imagining standing in front of that board - having been on those boards - the first question that would be asked is how would you let this happen? What would be a good answer for a CEO? Here's what I did and it still happened versus what would be a bad answer to that question?

Dan Dodson  

I think the good answer would be you should have been educating your board well in advance of this situation, number one. I think that the decision on how to manage this risk needs to be one that is agreed upon and governed by the board and the leadership team together. I think that's what I would say; what the starting point would be if that hadn't happened yet. I think most of the time, the calculus probably moves pretty quickly to what are our options. As we think about the decision making process, key tenets to that calculus; our impact to patient care, impact to revenue, we have to generate revenue in the US to deliver care. It's part of our system. How fast can we get the systems back online? Are we more likely going to be able to get them online faster if we pay the ransom? If we don't, I think that's the discussion that ends up happening really quickly more so than how did this happen? I'm sure people feel that and that's like the knee jerk reaction, but we see it quickly move into like, okay, what are our actual realistic options that we can do to get back online.

Richard Helppie  

One of those might be we prepared for this and we're insured? Well, let me phrase it a different way other than how did this happen. It would be anytime you have an adverse event, you want to get together and go, okay, how can we prevent this from happening again? What would be a good answer from a chief executive to their board at that time? Like, yeah, all right, they got in this time, it hit our insurance carrier or it hit us for a big payday but we're back up. The next question would be, what are we doing to prevent it from happening again?

Dan Dodson  

Typically what we see, Rich, is a significant increase in cybersecurity spending post event (Rich Helppie: After it's already happened.) After it's already happened. It's a situation I wish wasn't present but if you think about it, prior to the event, every dollar that's put into a non-revenue generating or non-clinical care environment is heavily scrutinized. These organizations are running on grocery store margin budgets. If you take your three billion dollar example of revenue, net patient revenue, versus a three billion dollar business that's not in healthcare, the amount of money that they spend on cybersecurity and the amount of individuals that they have on the team is drastically different. In some instances, it's like ten percent of what you would see, so they're just clearly not putting the right level of capital by it. The other thing that I would say is that healthcare deploys capital based on three things: patient care, revenue, and regulation. Think about how star ratings and quality metrics have moved the needle in various different aspects of healthcare; we could argue if they moved it the right way, but it moved. There is no minimal standard required of these organizations. And I will tell you, if you were to ask me what's the biggest thing happening right now in healthcare, there's a massive, massive move to create a minimal standard, with a carrot and a stick. The Biden administration...this actually started during the Trump administration, the Biden administration carried it forward and there's a lot of thought that regardless of what happens in November, it's going to continue to be there. There has to be some requirements and some funding to support those requirements for organizations. I think that'll be the biggest outcome of the two events that we talked about today.

Richard Helppie  

That's really good to hear because sometimes that's what it takes; if people won't do the sensible thing they have to be regulated into doing it. Dan, to that end, is the responsibility going to lie with the health systems or is it going to be with the technology providers like Epic Systems, Oracle - now Cerner - or any of the other technology providers? Do they have a regulation requirement that they need to meet and to help their customers avoid a cyber attack?

Dan Dodson  

I think it's a shared responsibility, Rich, and I will actually tell you that I think the number one push-back, especially coming out of the AHA relative to the conversations happening about the regulatory landscape, is...only 50% of the equation is the health care providers, what about all these other third parties? You mentioned some of them, but there are hundreds of them big and small. What's their role in this? Then you add another dynamic with the medical device manufacturers. There are so many different aspects and areas within the healthcare ecosystem that could be impacted by a cyber event. It's really a shared responsibility, I think, across the board. There's going to be a lot of work to be done to try to get that right and get the balance but it can't fall only on the health systems for sure.

Richard Helppie  

I might have already heard your answer to this question. In your practice and in your business, what is your greatest frustration and what is your greatest satisfaction in terms of your role in preventing cyber attacks or remediating them?

Dan Dodson  

Great question, I actually think the biggest frustration across the board would be that there are a lot of really good people in healthcare cybersecurity at these healthcare organizations that know what to do and I think they've struggled to have a seat at the table in the C-suite to get the attention of the board. Both of those things are changing, primarily because of the events we're talking about, but they know what to do, they need the funding and the support to be able to do that. One of the things that makes me very happy is when we're able to partner with those individuals to help them further their cybersecurity program by giving them the intelligence and the information that they need about the landscape so that they can better educate the C-suite and the board and get more funding so that they can protect the patients in the communities that they serve. When we're able to do that, it's really special, we appreciate it and are honored to be able to do that.

Richard Helppie  

They're leveraging your investment instead of trying to do a one off, roll your own and they're creating something for their health system, riding on the backs of the investments that you make and continue to make.

Dan Dodson  

That's exactly right. I think we try to help organizations think through...when you talk about educating C-suite and boards, you need to put out this information in the same way that they're used to receiving information. I mean, look, they know how to manage risk, they do that all the time - clinical risk, do I open a facility risk, financial risk, like all these things - we've just got to couch it in the same way that they are used to receiving information and ultimately making decisions. We try to help them do that so that they can gain the appropriate funding and support they need to, again, protect the patients.

Richard Helppie  

Dan, I would imagine some place on your desk there, there's a crystal ball that you can gaze into the future. If not, I'm going to ask you to use your imagination a little bit. I think about 5G, the Internet of Things, artificial intelligence growing, is there ever going to be a day where we're not constantly facing cybersecurity threats and particularly ransomware? Is there a way to defeat this thing?

Dan Dodson  

I wish I could tell you that there was a way to defeat it. I think that this is something that's going to persist for a long period of time. I think the threats will evolve and change. I mean, think about it this way; years ago, we used to laugh when we got the email that there was a prince or princess that wanted to give you a million dollars - you didn't fall for that. Now, that same attack vector is impersonating your CEO, or your CFO or your chief nursing officer; you can't tell the difference. That's the same attack vector but, boy, look how it's matured over time, if you will. I think the adversaries are going to continue to do that, unfortunately. Again, I think that the whole notion of understanding where the risk lies and minimizing it to an acceptable level is going to be a game that we're going to be playing for a really long time.

Richard Helppie  

It's going to get more sophisticated with the fake imagery and video that can be made. We both have experienced situations where it looked like the chief operating officer was saying, hey, I need to get a report run with everybody's social security numbers and ready to pay. It looks just like that but there's one little letter off someplace, and people are busy, and they send out that data. I guess maybe one of the watchwords is slow down, be skeptical, be cynical, pick up the phone to make that call to ask is this you? I've seen some pretty clever things; just trying to pay a lawn care person, someone had intercepted their files and was spoofing all of their invoices. It just didn't look right. I picked up the phone and called, yeah, their customer files had been breached.

Dan Dodson  

I think that makes a ton of sense. It's like, if something doesn't feel right or look right or look normal - normal being how you're typically engaged - be skeptical, to your point, pick up the phone. With the newest generation of employees and associates, they're even less likely to pick up the phone, I mean, they grew up in the age of cell phones and texting and the internet. Sometimes you've got to go old school and just confirm what's going on, so that's a great recommendation, Rich.

Richard Helppie  

Dan, as we come to our close today, as an expert in the field of cybersecurity and an expert in cybersecurity for healthcare, waging a war against some very sophisticated bad actors, what message do you want the listeners, readers, and viewers of The Common Bridge to hear?

Dan Dodson  

I would say that first and foremost, the vast majority of people in healthcare cybersecurity are trying to do the right things to protect the patients in the communities. There is massive devastation and disappointment and frustration when any of these events happen. Obviously, there are some dynamics that make it more difficult sometimes to do what they want to do. But by and large, these folks are trying to do the best that they can and are bought in. I think that the viewers should understand that and recognize that it's a very, very challenging environment out there. Then second is I would recommend that everybody be really thoughtful about how they're using technology today and try to protect themselves. Personally, I think that's really important and that certainly bleeds into healthcare as it relates to patient portals and stuff like that. But use that MFA (multi-factor authentication) as we talked about and just be skeptical when things don't necessarily seem right.

Richard Helppie  

We've been talking today with Dan Dodson. Dan is the chief executive of Fortified Health Security. I believe their website is FortifiedHealthSecurity.com where you can look up their case studies. They also put out an annual report called The Horizon Report which talks about the latest and greatest in cybersecurity. We all have an interest in this because ultimately, we're all patients someday. With our guest, Dan Dodson, this is your host, Rich Helppie, signing off on The Common Bridge.


The Common Bridge
Richard Helppie's Common Bridge
The Common Bridge is a fiercely non-partisan policy and politics discussion platform that seeks to find solutions while rejecting extremism.