
Webinar Replay: Cyber Resilience in Healthcare

Cyber Resilience in Healthcare: Prescribing a Stronger Defense

Explore the latest cybersecurity trends, challenges, and solutions tailored to the healthcare industry as security experts from Omega Systems and Morphisec share insights and strategies to strengthen your healthcare IT defenses. What you’ll learn:

  • Unique cybersecurity challenges facing healthcare organizations today
  • How advanced security technology can mitigate threats & protect data
  • Best practices for building a resilient IT & security stack while ensuring regulatory compliance

VIDEO TRANSCRIPT

Kaleigh Alessandro (KA): Good afternoon, everyone, and welcome.

My name is Kaleigh Alessandro. I’m the Director of Marketing for Omega Systems and I will be your host and moderator for today’s webinar.

I’m going to let our esteemed speakers introduce themselves in just a minute, but first, on behalf of both Omega and our partners at Morphisec, I want to thank everyone for joining.

We’re looking forward to shining some light today on the growing cybersecurity threat landscape for healthcare organizations, as well as offering some practical advice and strategic guidance for those of you operating in that sector to take home with you as you think about the future of your business’s security strategy.

If this is your first time here with us or you are not familiar with Omega and Morphisec, let me just start with a quick primer.

Omega Systems is a managed service provider as well as a managed security service provider.

We work primarily with customers operating in highly regulated industries such as healthcare, financial services, and other regulated industries, among others, and help them achieve greater efficiencies, security, and compliance for their businesses.

Morphisec is one of Omega’s strategic technology partners, and they are leading the way in a next-generation technology called Automated Moving Target Defense, or AMTD.

It’s proven to thwart the increasingly sophisticated and undetectable ransomware and zero-day attacks that conventional endpoint security tools cannot.

We’ll talk a little bit more about advanced security tools later in our presentation, but let’s go ahead and introduce our speakers for today’s discussion.

I’m joined by representatives of both Omega and Morphisec: my colleague, Rick Mutzel, Omega’s Manager of Technology, as well as Brad LaPorte, CMO at Morphisec and a veteran of Gartner, both of whom boast a wealth of security industry knowledge.

Gentlemen, why don’t you each take a quick minute to share a little bit of your background. Brad, let’s start with you.

Brad LaPorte (BL): Yep, so along with being a veteran at Gartner, also a veteran at Dell and IBM, I really pioneered a lot of markets, not only in cybersecurity, but in healthcare.

So, over 20 years of experience in that industry and also a military veteran as well, which is where I got my start.

Thanks for having me here today.

KA: Glad to have you here and thank you for your service. Rick, want to tell us a little bit about yourself?

Rick Mutzel (RM): Sure. So, Rick Mutzel, I am the manager of technology here at Omega Systems.

I get to review and look at all the technology that we provide from a managed services and managed security perspective.

I’ve been with the company for 12 years, and prior to here at Omega, I was the IT director for local government for behavioral health and intellectual disability.

So, keenly aware of healthcare, HIPAA, PHI, all that kind of good stuff.

KA: Awesome. Love that you both have direct healthcare experience we can feed off of.

So, looking forward to a good discussion.

Before we dive in here, I’ll do a quick reminder for our attendees on how things work.

We’ve prepared a lively discussion that we anticipate will fall sometime in the 30 to 45 minute range, after which we expect to have time to take any questions that you might have.

So, you can feel free to submit those questions using the Q&A function on your GoToWebinar dashboard and feel free to do that at any point during the course of the presentation.

For those who are going to ask, yes, we are recording, so if you want to revisit any of our discussion topics today, share them with a colleague, you’ll get a link tomorrow afternoon with that recorded version, which is usually right about 24 hours from now.

And then I figure just because it’ll be fun, one last thing before we get into healthcare cybersecurity, of course, today is April 1st.

So, most important question of the day, what’s the best April Fool’s Day prank you have either performed or seen performed?

Anyone have a good story?

BL: Yeah, so it’s kind of interesting. I have a good friend of mine, he’s in the IT industry and he does a lot of the onboarding of net new devices in a hospital.

It’s actually where he met his wife. And although it didn’t land exactly on April Fool’s Day, he did kind of play a prank on her when he first was trying to ask her to go out.

And as his nurse was basically onboarding new systems, as you all know, sometimes they will scan QR codes. What he did was create his own QR code, and basically it was an invitation to dinner.

I thought that was really interesting and really kind of a cute way to have a prank-like thing to really get interested in somebody.

But even though it exposes a lot of vulnerabilities into their system, which we’ll talk about today, I thought that was just an interesting story.

KA: A fun little meet-cute.

RM: I was going to say, Brad, don’t ever scan a QR code.

BL: Not in any hospitals I’ll be running, but yeah, I wouldn’t say it was the best security practice, but here we are.

KA: Fair enough. All right.

Well, do you have a good one, Rick?

RM: I don’t.

KA: I don’t have an IT related one, but the one that sticks out in my mind is that I was a teenager and I have a younger brother and he thought it would be wise, he was probably 10 or 11 at the time, he thought a great prank to play on our parents was to super glue the freezer shut.

And so needless to say, it didn’t go over particularly well.

I have just very vivid memories of my parents using a knife to pry open the freezer.

So, word to the wise for all those parents out there, don’t keep super glue in the house or tuck it away somewhere where your kids can’t access it. It doesn’t end well.

Well, on that note, you know, funny as it sounds, pranks are a good segue into the topic of cybersecurity.

I think it would be helpful if we kind of set the stage by talking about where we see the cyber threat landscape as it stands today.

Brad, you know, it seems like we’re constantly seeing healthcare related breaches in the news and our social media feeds everywhere we turn, but maybe let’s distill for everyone listening in today, some of the common threat trends that we see permeating the industry right now and maybe one or two examples that kind of demonstrate why these threats are so serious.

What are you seeing out there today?

BL: Yeah, absolutely. The health care industry certainly introduces a lot of challenges that are very unique to that industry.

Basically, if I look back at 2024, there were on record about 650, almost 700, major healthcare breaches that took place, impacting hundreds of millions of people, almost 200 million people, which is two-thirds of the United States.

I mean, just focusing on the United States for a second.

So, you can imagine what that number is globally, where they don’t necessarily track a lot of these different numbers.

In the total number of breaches, you would look at it at its surface and be like, well, this is actually the last year over a year, what’s the problem?

Well, the volume of the compromised records have surged by over 276 million, I think is the number, and that’s more than double the previous year.

It’s getting worse and worse, and you have some of these major events.

I mean, just in the past day, we’ve had an announcement that the FBI is now investigating Oracle. There are compromised computer systems and install healthcare patient data.

So, if you’re leveraging that back-end system, you’re leveraging that, you know, that effectively becomes a supply chain attack and a third-party attack, introducing those vulnerabilities into your system, into your healthcare systems, into your hospitals that are leveraging those technologies.

We had some other really big attacks that have occurred. So, you know, the past year we saw Ascension Healthcare with the Black Basta Ransomware which caused system outages.

It delayed surgeries, it delayed and caused the diversion of ambulances, and providing critical care.

Change Healthcare, how can we not, I’d be remiss if I didn’t mention them?

Obviously, impact, major issue across the board, impacting almost every organization outside of Veterans Affairs in terms of payment processing and disrupting millions of patients unable to pay for their treatments, delaying it weeks and in some cases months.

And then even on the other end of the spectrum with veterans, we, and this was near and dear to my heart, but the TRICARE data breach was also a major issue as well.

And that impacting, you know, that finally coming to a settlement and resolving that.

So, a lot of things that have happened over the course of the past couple of months and really the evolution of this.

KA: Rick, other, not necessarily examples, I think you’re familiar with all those too, but trends that you’re seeing in this space? Are the same types of threats that we see permeate other industries also kind of occurring in the healthcare space as well?

RM: I think the healthcare space a lot of times has a lot of unique issues.

A lot of the machinery, the diagnostic machines, things along those lines, are very costly. It kind of aligns with the manufacturing industry where, you know, MRI machines, diagnostic machines, along those lines, are very, very expensive and oftentimes run on old and antiquated control systems. Those are ultimately connected to the network in some way, shape, or form.

So it kind of all goes back to IoT and items related to that, where it’s not really cost efficient to replace all those systems, and so those are oftentimes very vulnerable and used by threat actors as pivot points or for lateral movement to gain persistence.

So, we’re seeing that a lot in trends in the healthcare space.

KA: That makes a lot of sense.

You obviously have a unique viewpoint, as you mentioned earlier, in addition to developing technology solutions for Omega’s customers, but also previously as the IT director for a behavioral health department within local government.

So, as someone who understands the sensitivity of healthcare data and PHI, are there other unique risks outside of legacy systems and applications that you’re seeing that are making the healthcare industry a little bit more vulnerable than potentially other sectors right now?

RM: Yeah, I think it’s important to kind of take a step back and think about these healthcare providers, whether, you know, what services they’re providing, the line level staff, they’re doing this because they genuinely love to provide services.

From an IT perspective, we have to keep in mind, we are providing services and the tools that they need to give care to the consumers of those services.

And so IT is not top of mind for your line level workers.

What we have to really keep in mind from an IT perspective, especially around security, is trying to make it as transparent as possible, and making the tools that we use efficient in giving them the ability to do the job that they’re trying to perform for the consumers of their services, as transparent and secure as possible.

So, there’s a really good balance that has to happen and those discussions kind of happen from the top down.

KA: Sure, yeah.

We’ll get into that a little bit more as well.

BL: Yeah, if I could just add in about the data sprawl. I mean, this is becoming more and more of a systemic issue, especially as more and more organizations look to add automation.

They’re adding artificial intelligence and more applications than ever.

It’s the business at the speed of now.

We have a lot of patients that have been added.

A lot of people have been added to the health care system.

We have an aging population with baby boomers.

We have more and more people that have come to the United States, as well as a lot of people that are entering into other countries as well. This is a problem.

We have this issue where organizations don’t even know what’s on their network. Forget about just traditional endpoints. I mean, with health care, it goes even beyond that.

Start getting to medical devices, and IoT, and all of the different connected devices that you have, and pretty much everything is connected to the internet now. So, we’ve gone over into that spectrum of, it’s no longer just air gapped or standalone or just off the network. Now we’re introducing a much larger, more complex attack surface, and being able to manage all of that, especially since the people managing it, they’re managing the MRI system and they’re being forced to handle the IT and to some degree a security element or at least some kind of monitoring element to bring in the centralized security team depending on their role and function.

So, this is becoming more and more complex. It’s becoming more and more challenging and we don’t really have an easy way to programmatically combat this.

And, you know, it’s definitely a big driver for managed services and then having better technology that can get ahead of this and preemptively mitigate that attack surface and making it easier for these managers and people that are running these technologies to operate and do their job.

RM: That’s actually a really good point, Brad.

We see a lot of this through mergers and acquisitions, especially on the healthcare side of things with offices. As they get acquired by a larger entity, there’s typically a data migration that occurs from one system into the other, and not all the time is the data cleaned up from the previous system, or it’s not integrated fully, and so they need to keep those old systems around for legacy healthcare information.

And it’s kind of not updated. There’s no care and feeding put into it. It just kind of like sits around there.

I think it’s also another point to point out that while in the United States, we have HIPAA and HITECH, which kind of gives breach disclosure requirements, not all countries have that.

So, a lot of the numbers that you see are specific to the United States. Worldwide, the number is much, much higher. There’s just no regulation where they have to disclose it.

I think we just saw something similar to that very recently in some other countries where we only found out about disclosure of health information because somebody figured it out and kind of disclosed it themselves. It was more of a legal back and forth in that fashion.

So we’re a little different in the United States with some of the protected health information and the disclosure statements.

BL: Yeah, data privacy is becoming more of an issue, managing of that data, data sovereignty and privacy.

Going back to your statement about basically some acquisitions and migrations, I’m struggling to think of an example or a person that works in the healthcare industry that’s not going through some kind of ERP project or enterprise resource planning.

And switching ERP platforms, migrating them, or they’re having to work swivel seat between multiple different systems. So I’m in Epic, I’m in Oracle, I’m in this, I’m in SAP, all these different disparate systems and varying levels of legacy versus net new, upgrading to new versions, consolidating, all that good stuff.

It’s really challenging, and my heart goes out to these people that are dealing with this day in and day out while dealing with IT challenges and cybersecurity attacks.

KA: Yeah, it’s a complex workload, and a good segue, you both touched on it, into the regulatory compliance aspect, where obviously here in the US we do have some frameworks in HIPAA and HITECH and others that are giving healthcare organizations parameters and setting expectations for certain controls.

And obviously, we could spend hours upon hours talking about HIPAA but we don’t have that kind of time today, but I do want to touch on it at a high level.

Starting with you, Brad, and maybe just give us some broader context of why these regulatory requirements are so essential and what they signal to healthcare organizations in the context of data privacy.

BL: Yeah, it’s a mandate, not a recommendation, it’s not a best practice, it’s not a suggestion. It’s something you have to do in order to operate business. And if you don’t do it, the fines are incredibly high.

I mean, for non-compliance, for just HIPAA, the Health Insurance Portability and Accountability Act requires the safeguarding of PHI, whether you want to or not. It mandates those breach notifications and data compromises within a certain timeframe.

But the fines can range anywhere from $100 for a record or up to $50,000 for a violation and beyond depending on the scope of it. And that’s not even getting into the lawsuits.

You have things like HITECH, which is Health Information Technology for Economic and Clinical Health Act.

But with that, that goes one step further, enhancing HIPAA by incentivizing the adoption of secure health IT systems and introducing more restrictive reporting requirements. It’s a higher certification level and kind of regulatory component that you need to adhere to.

We’re seeing more and more of this as well as adoption of best practices and frameworks like NIST, even more cutting edge hospitals are starting to look at post-quantum cryptography standards. What do we do if AES gets broken and what is the impact of that?

I actually just did a webinar on this exact subject, where it could potentially be a major issue where threat actors would be able to look at health records and personal data and get a treasure trove of information on the dark web. Getting access to this data, the motivator behind this, is that healthcare data is good money.

It’s basically the most expensive or highest return on investment on the dark web when you’re selling this information. So that’s why these regulations are in place.

I mean, people didn’t use a seatbelt until the lawmakers made it mandatory to have a seatbelt and the manufacturer started implementing it. These regulations are basically providing the seat belt, providing the safety so we do at least the bare minimum to implement this.

And I don’t see this slowing down, especially given all the data breaches that have occurred really in the past, I’d say 12, 24 months and I expect this to only increase in the scrutiny of this to increase moving forward.

KA: Yeah, that’s a good point too, because now they’ve got to constantly evolve their requirements to keep up with this complex and ever evolving landscape and how sophisticated threats are getting.

So, Rick, I know that there are active proposed changes to the HIPAA security rule that were proposed at the end of last year and obviously we’re still waiting to see how things shake out, but at a high level, I want to pick your brain on maybe what your biggest takeaways are from the proposal.

Let’s assume they decide to move forward with enacting the changes. Where can we expect healthcare organizations are going to need to focus their security efforts?

RM: HIPAA is finally catching up with all the rest of the frameworks. We’ve seen major changes come through from the other regulatory bodies within the United States. So, it’s logical that HIPAA is in line to bring them current.

So, a lot of the changes kind of seem normal to most people in the security industry. I think the big change is they’re changing the distinction between required and addressable as far as the implementation specifications go. They’re making all of the implementation specifications required and noting very specific limited exceptions. So those things like multi-factor authentication, that’s a given these days. Everything should have multi-factor authentication on it.

Some of the harder to implement items that we’re seeing in the new recommendations are like network segmentation, so those kinds of projects are typically hardware related. So, you may have switches that don’t support VLANs in the entire hospital, right? So, there is going to be some hardware changes, some network implementations. Maybe you don’t have a networking team to implement that going over to all your devices and re-IPing things, right? So, from a technical level, that’s going to be one of the more difficult ones. Not that it shouldn’t be done, but I really see that being a stumbling block for some of the providers, smaller providers especially.

Having written documentation of all of your security policies, procedures, and plans sounds like a given but we don’t always see that implemented and people are aware of what those policies and procedures are, how to enact them, and keeping them current, right? And so that’s an easier one, that’s a zero dollar one for the most part, but getting those in place.

I think one of the other items that is often missed is going to be vulnerability scanning, internal vulnerability scanning, and addressing those in a timely fashion. So having a policy and a procedure in place to do internal vulnerability scans and then following that up with adequate remediation. Just accepting a risk technically can be a remediation, but you don’t want to see that and you don’t want to be, you know, on that list. Specifically, like we mentioned, the TRICARE data breach. That was literally because there were known vulnerabilities that weren’t patched, so that could have been prevented.

That’s really where the impetus behind this is going, is to bring a lot of these controls back up front, more modern, and kind of reducing the risk level of an environment, not saying there won’t be a breach, but you’re less likely to have a breach or you’re at least aware of where your exposure points are so that you can put mitigating controls in place.

BL: Absolutely. I just want to add on that.

It’s really nice to see it evolve over time. I had to look this up. So basically it’s the data restoration timeline that’s changing. So right now there’s no specific timeframe for it to be restored, and that was a major issue that we had with MOVEit, with Change Healthcare and all that. It’s like, okay, well, when is this going to get fixed? Because it impacted everybody differently; it was a sliding scale, whether it was a day or months. And now it’s, you know, you must restore critical systems and data within 72 hours of data loss incidents, so that requires people to look at their business continuity plans, their disaster recovery plans, and increase not only their overall resilience as an organization, but also the cyber element of this, because there are multiple elements that are added to this.

It also requires them to look at it from an application and kind of software inventory perspective as well, because it’s not just vulnerability patching. In order to patch something, you need to know what’s there, right? Unfortunately, this is something that a lot of healthcare organizations just, they’re not really up to speed on compared to, say, the financial industry or, you know, something that’s more forward leaning in terms of maturity level as a whole as an industry. Being able to look at the individual assets, what level they’re on in terms of operating system and patches, and maintaining that in a continuous fashion and identifying, OK, misconfigurations, hybrid software, all the nasty stuff that could be in that environment, especially given how increased that attack surface is.

So great points by Rick, I definitely agree.

KA: Yeah, no, that’s great insight.

I think regardless of whether these new requirements are published by HIPAA or not, there are certainly a host of security best practices and existing requirements applicable to this audience.

And again, we can’t get into every single nuance today, but we definitely want to lay the groundwork for some critical areas where we believe healthcare organizations should focus their cybersecurity efforts.

I think if we think, what are widely considered kind of the key tenets of security, people, process, technology, maybe we can start to talk through some of the must haves within those pillars.

Rick, I want to start with technology and put you on the spot. I’m going to ask you to give us three IT security controls no healthcare organization should go without. I know there are about 25 running through your head right now. But we don’t have time to talk about 25, so give me your three must-have controls in 2025 for healthcare.

RM: So three with three letter acronyms. How about that?

So multi-factor authentication (MFA), managed detection and response (MDR), endpoint detection and response (EDR). Those are the three.

BL: Great, great list, look at that list.

RM: So these are all things that should be implemented and are used, one, to secure the environment. MFA is going to give you identity protection. So giving that second factor, whatever that is; it’s very common in healthcare, like hospitals, to use a badge, or something you know, something you have, right? So, issuing fobs or badges, security tokens, what have you.

Having multi-factor on authentication sources, especially external.

MDR for actually being able to respond to a security incident, being able to have your SOC team or outsourced providers actually go through logs when there is an incident. Being able, like Brad was saying, with 72 hours to respond, I kind of laugh at that because we’ve gone through IR events with customers. Like at the 72-hour mark, nobody’s talking about restoration. You’re still trying to figure out how they got in and capturing the evidence for the lawyers and the incident response team. It’s kind of funny in all the regulatory spaces where they’re really making these low response times for notifications or restorations. They’re not really thinking that it takes more time than that just to figure out the who, what, where, when, and why.

You can’t restore, or why would you restore to an environment that’s not secure? And so it takes time to get through that process. That’s where MDR comes into play, where you have something that can stop the executions, isolate systems, provide automated responses in the event it’s detecting things, but also having the logs so that forensics and analysis can happen now versus manually collecting items. Threat actors delete the logs, they’re covering their tracks, right? They don’t want to be found. Having those items for the SOC team to perform that analysis faster gives a faster response and gets you to the restoration steps faster.

And the last thing is EDR, right? Having something that ties into your MDR platform that can feed it and stop a threat actor on your endpoints. I’ll kind of hand off to Brad since that’s your wheelhouse on the EDR side, but having those tools already deployed, because if an incident is occurring, that’s not the time to be deploying an EDR solution, it’s too late, right? So having that in place to stop executions on endpoints is paramount before an incident happens.

BL: Yeah, thanks.

KA: Maybe you can even take us back and kind of talk through the evolution of EDR, because clearly there’s been, you know, we started with kind of traditional antivirus and it’s really revitalized itself and taken on a whole new form these days. Maybe you can kind of talk about, in the broader context, how we got to where we are today with EDR.

BL: Yeah, let’s go on that time machine. I’ll start off by kind of giving a simple analogy for everybody.

And you know, what we have here with MFA is really like, if you think about your hospital or your house that you’re in, and MFA is basically the locks on that house, you know, locks on the door, locks on the window, and preventing people from getting in. But those locks can be picked.

With credentials being stolen, access brokers, criminals now have the ability to basically bypass MFA, get access to credentials, have account takeovers, and walk right in the front door.

EDR acts as kind of that security camera where, OK, you’ve walked in the door, you’ve tripped these wires, you’ve gone through the laser beam or now I’m tracking everything that’s happening in your environment, tracking all the keystrokes, tracking all of the network connections, all the downloads and all the executions, right? I’m able to build out that story so I can implement and stop down from happening and then effectively hopefully restore it and get it back to that standpoint.

Now that requires a global forensics team to do. It gets more and more complicated as you start layering in those different detection mechanisms because a lot of this traditionally was done through signatures. This has kind of evolved over the past 11 years now.

EDR really came on stage in 2011 and kind of hit a tipping point in 2014, specifically after the December 2013 Target Corporation breach, where their point-of-sale systems were compromised and really kind of woke up everybody that, oh, I need to have something that protects me above and beyond just my laptop and protects all of the different assets that I have, whether it be a point-of-sale system or an EHR system or anything, maintaining client data, servers, workstations, IoT, medical devices, etc., and having visibility across all of that, because you need to have a security camera in every single hallway.

With that, it’s really evolved in terms of adding, we switched from traditional antivirus, having traditional signature-based, rule-based, I see something bad, I want to stop and block it, to basically the more next-generation components, and combining next-generation AV, which looks at behavioral analytics, looks at heuristics, looks at anomaly detection, looks at indicators of compromise and things that are kind of in that gray area, there are unknown threats, and being able to proactively stop that. But it’s primarily rule-based, and what happens when there’s a zero day or basically something that bypasses those tools, or basically bypasses that security camera?

Now we’re hitting a point of diminishing returns as an industry because it’s 11-year-old technology, arguably it’s 14 years old. We’re seeing a shift where now we’re needing to become more preemptive. We want to mitigate the blast radius that occurs when someone enters into your house. They bypass those traditional controls, they bypass MFA, or maybe you didn’t have MFA on one device or you didn’t have EDR on another device, and we want to basically stop that persistence and how many steps that criminal, or that person breaking into your house or into your hospital, can take going in and wreaking havoc, and the damage that they’re going to do, moving laterally from room to room.

Where MDR comes in is they provide that white glove, that red carpet, effectively that SWAT team or that security team that’s going to help you every step of the way before they even walk onto your yard or in your driveway all the way through and through and getting them eradicated and out of your environment in a full life cycle of that.

Getting you as close to that 72-hour response time that Rick was so concerned about, it’s that mean time to detect and respond, and getting that down to as efficient a process as possible, that breakout time, and doing it in a more efficient way. We’re seeing a major shift, and I’ve written about this extensively and I’ve done a couple of podcasts on this, where we’re now seeing this shift towards preemptive, where we need to programmatically and in a hands-off manner be able to reduce that attack surface and almost have it be a moving target.

Technology that we call automated moving target defense is basically identifying or reducing that attack surface in an automated fashion: identifying misconfigurations, identifying different security controls, are they operating correctly and at the level that they need to, looking at these different vulnerabilities that Rick was talking about, identifying where they are on the risk component and how do I prioritize them, because there’s only a finite amount of time, and really prioritizing, getting surgical around being able to mitigate this as much as possible, or mitigating those exposures to mitigate that blast radius.

In the event that there is that impact, where someone has infiltrated, they’ve gotten past those initial controls, mitigating that as much as possible, disrupting it in flight, so they’re basically not able to move. That actually works out to the defender’s benefit because that time is money, and the harder of a target that you make it, the more network segmentation that you can implement, the harder the attack surface that you have, the more security controls that you have, the stronger your resilience and posture is, the longer and harder it’s going to be for the threat actor, and that’s going to drive up their costs. They’re going to get frustrated, they’re going to move on to a weaker target, which thankfully is not going to be you. And basically preventing that from happening in the first place.

It’s really interesting to watch this evolve and we’re really getting into this kind of adaptive exposure management type space and getting into kind of what’s being called preemptive cyber defense and bolting that onto EDR and seeing a diversion now, just like traditional AV and exploration AV kind of bisected about 10 years ago and now, traditional AV is obsolete. It’s been replaced by endpoint protection platforms and EDR.

Now we’re seeing EDR split. All you have to do is look at the MITRE results and how that kind of bisected between the different vendors.

You know, we’re seeing more and more innovations come out of the leaders and less and less innovations out of the laggards.

What ends up happening is, really, we hit a point of diminishing returns; you can only have so many security cameras. You can really only have one EDR tool; adding another EDR tool doesn’t make you two times more secure. You have to diversify, you have to get more proactive with your endpoint security. That’s really the shift that we’re experiencing and now the evolution of this kind of approach.

KA: Do you have any real-world examples or case studies to share, and kind of how this more modern anti-ransomware technology in particular is preventing the likes of today’s zero-day attacks?

RM: I do.

BL: Oh, yeah, yeah. Go, go, go.

KA: I’m sure you all do.

RM: A great timing example. We responded to a healthcare provider: you know, we’re down, we’re watching our servers drop. Got engaged, did not have EDR, so we deployed EDR. It’s kind of like the first step, get something in there so we have some visibility and we can figure out what’s going on. EDR found several indicators for behavior that was occurring on the servers.

I personally was observing this. I was helping with the IR response, but still noticing the threat actors in the systems, running process executions.

So, we put Morphisec, shameless plug, on the machines as well, and it stopped it right away. Threat actor responses were ended and we were able to move on to kind of the next triage steps in the IR event. However, that ended up being a nation-state actor, a previously never-before-seen pivot.

So, nation-state group, Black Hat, they pivoted to a new tactic that they were using with new executables, and Morphisec, again, being file-less, doing the AMTD process, was able to just kill it right away in execution. And so, that was a great example of how these newer technologies are able to not need those signatures. Again, never before seen, it still did the job and allowed our SOC team to move on and to, you know, move through the steps on the IR event. It was a great example of what you’re looking for, actually.

KA: Yeah, absolutely. Brad, any others that come to mind on your side?

BL: Yeah, the favorite stories I have are the ones that don’t make the front page of the newspaper. We’re stopping 30,000 different attacks and threats a day at Morphisec, so it’s a lot and the stories that we kind of pride ourselves on are the ones that don’t make the front page of the newspaper and there’s a lot of them.

A lot of our customers and clients that we have, you know, they’re really finding a lot of value. You can’t really, sure you can put a cost or a price on, you know, preventing a ransomware attack and a data breach, it’s, you know, $4 million, etc., but really it’s priceless because of the long-standing reputational impact.

I mean, if your hospital is down for a day, even an hour, let alone a day or a week or a month, what kind of impact does that have on life and limb? That’s something that you just don’t get back, right? That’s not something you put a dollar amount to.

But there’s a lot of those real stories that are happening on a daily basis across the healthcare industry, across healthcare insurance, and across hospitals and we’re very proud of the work that we do.

KA: That’s great. Great to hear the real-world examples.

Well, we could talk about the technology aspect all day, but I do want to touch on process and people as well, kind of to round out, you know, the holistic cybersecurity risk management program.

Rick, to that end, the controls are critical, but they’re only effective insofar as they’re documented, reviewed, and governed through formal security processes and procedures. So at the process level, what should healthcare IT executives be thinking about?

RM: Making sure you have those policies and procedures, if you haven’t gone through them. Step one, get your policies and procedures.

You know, if you haven’t reviewed them, go through with an outside assessor, making sure that you have the appropriate policies, that they actually have the required components to them, and that they are reviewed at least annually.

And then making sure that those policies and procedures are disseminated so that staff actually know what the policy is. So nobody should ever ask you, what is my security policy? They should be signing off on that every year to acknowledge that they understand what that is, and they should be updated. Technology changes, the threat landscape changes, and the implementation that you have within your systems changes on a frequent basis.

At any major change to a system, whether it’s an acquisition, a data migration, or putting a new ERP system in place, right? All of that should trigger a review of your policies and procedures to make sure that they don’t need something adjusted or their verbiage changed. If you’re so specific that you’re citing vendors in your policies or procedures, that means you have to update those as well. Keeping them up to date, like I said, at least on a yearly basis.

You should have a risk committee within your organization that should meet quarterly, semi-annually, and that’s a great place to review those as risks come in. They’re reviewed, they’re balanced up against your policies, and then you can adjust them at that time as well.

KA: Yeah, I think those inflection points are a really good reminder when you’re adding new applications, acquiring companies, etc.

Good reminder.

Brad, of course, the final layer is people. Again, controls and policies are only going to be as effective as they are maintained and used by the individuals working within the organization. So, there’s a constant need to educate and train employees in the healthcare space on what threats to look for, as well as how to prevent and report them.

And as we talked about at the top of this presentation, that tug of war is constant between security and compliance on one side of the rope and operational efficiency, productivity, simplicity on the other side.

So how would you coach health care companies today to strike the right balance between efficiency and security?

BL: Yeah, so maybe just advance the slide a second.

I would definitely acknowledge that tug of war and acknowledge that the human firewall is kind of that first line of defense. I think that’s overlooked. People expect technology to do it all, and unfortunately that’s not the case, especially as we introduce things like AI. Really ask yourself: what is your organization doing to prevent a nurse or a doctor from uploading records to, say, ChatGPT in a browser setting or whatever, on either a personal or corporate device in your environment? What kind of protections are in place to prevent that from happening? And backwards plan from there.

But it goes above and beyond that.

Part of it is protecting sensitive patient data and having that balance of seamless, efficient operations, while not putting a burden on workflows or preventing them from doing and delivering the cure that they need to for their patients and their customers.

And part of it is that resilience aspect of it. Part of it is the technology to make it as easy as possible. So if someone clicks on something that they’re not supposed to click on, or sends something that they’re not supposed to send, there are technical controls in place that prevent that catastrophic event from occurring. But also having there be not only an education process, but a re-education process when those factors are happening.

You always want to have gamification. So having simulations and real-world scenarios and phishing exercises, etc., but taking it one step further so it’s less of a check-the-box type scenario.

We’re actually, there is learning that’s occurring. There’s a difference between training and learning, right?

We want people to actually capture those values and identify, okay, these are the things that are going to ultimately make our business more viable, our organization more viable in terms of execution.

Anything that really can be automated should be automated, I will say. Certain things like reporting and compliance and those technical controls, as much as can be automated, should be.

Having multi-factor authentication combined with single sign-on, certainly when implemented correctly, can streamline a lot of different things, so people don’t have the post-it note, so to speak, of like, oh, here are all my passwords right here, in terms of, you know, one, two, three, four, five. It’s not only the password to my luggage, but it’s the password to my medical records at the same time.

Yeah, you laugh, but you know, anyone that’s ever been a doctor or a nurse that’s kind of old school, you’d be surprised some of the things that you see.

But, you know, you want to have that positive security culture; they want to see it as a savior and not a burden. And obviously optimizing those workflows and trying to have that safety net in case things go wrong.

KA: Yeah, that’s a great point.

So Rick, obviously the tone internally really needs to be set at the top of the org chart. When you work with customers to develop policies, design new controls, roll out training programs, how do you help them communicate the value of security at the board level?

RM: I mean, usually the first thing that has to happen at the board or the C level is introducing somebody that actually knows something about technology into the board or the C-suite.

Usually there’s a lack of visibility there, so it’s glazed over.

These are business-critical functions, right? These days you can’t... we go into hospitals all the time and speak to doctors, and they say, I can still write a prescription on paper, this doesn’t impact me. If the computer’s not working, it’s fine. I can still do whatever I need to do.

Until that system goes down, and then, you know, everything’s on fire and I need my computer back up right away.

That mentality of I can still do things in a paper chart: there are no more paper charts, right? Everything’s in the computer system. And so that is a huge part of your business.

Bringing that up a level, getting acknowledgement and representation in the C-suite or at the board is the first step. Then once that person is there, making sure that that person is empowered to effect change. So if they’re making recommendations, if they’re bringing policies and procedures and needing... it all comes down to funding at the end of the day, right?

And so making sure that those recommendations are prioritized in the budget, going back to your risk mitigation strategies, your vulnerability remediation strategies, and getting funding behind that so that you’re not in the news and a breach doesn’t occur.

Then the rest kind of naturally aligns behind that. Once you kind of get those placeholders at the higher level and people are acknowledging and routinely reviewing these things that they may or may not be doing right now, you present a vulnerability report to a board, and vulnerability reports are always like these 100-page-long things where everything is red and green and blue and nobody knows what any of this stuff means.

Having somebody there that can actually decipher that to a board or a C-suite and convey what needs to happen and put a dollar amount behind that, that’s key.

Finding the people that can do that or if you have somebody, empowering that person to be able to make that recommendation to the board is super important.

KA: Absolutely.

BL: Great points.

KA: All right, looking at the time here, we’ve got a few minutes left to hopefully take a couple of questions and then round out with some key takeaways.

If you have a question, if you’re listening in and you have a question for Rick or Brad, please feel free to submit that into the questions box in your GoToWebinar dashboard and we will try to answer a few here before we get to the top of the hour.

I have one or two here that I see that I will start with.

Rick, you talked about vulnerability scanning earlier. What is your recommended cadence for risk assessments and vulnerability scans?

RM: My recommendation, it’s always interesting, because it generates a lot of work for remediation efforts.

Finding that happy balance is going to depend on how large the environment is. For a smaller environment, monthly may make sense; it’s going to give you a much stronger environment. For larger mid-size environments, once you get into the enterprise, quarterly is probably going to be the best that you’re going to be able to do.

I wouldn’t go anything less than quarterly. But again, depending on what the vulnerabilities are, you may just accept that risk. Make a note, accept it, but you’re going to accept it every quarter. Don’t just whitelist everything and kind of brush it under the rug.

So, I would say quarterly is probably where you’re going to end up landing if you’re right around that mid to larger size.

KA: Another question.

BL: I’ll add to that and give maybe a different view, or expand on the view. I think if you ask 10 different people you get 10 different answers on the subject, and I think, just to hone in on that, it really is tailored to the business and your unique requirements, your budget, your resources, your risk tolerance, your strategic alignment between security and your financial goals, and being able to do that and do the best that you can.

I totally agree with Rick’s cadence. I’ll also add in there: after any major changes. So we did talk about subsidiaries and acquisitions, all of that. Don’t forget the risk assessments and the vulnerability assessments. While you’re going through those major changes, you’re going through an ERP project, whatever, through those major milestones, you have to account for variable change. I think that’s the number one thing that people miss, and they have these gaping holes and it’s like, well, how did we end up with xyz or this breach or whatever, and it’s because they missed it, they didn’t patch the thing that they forgot about, or they implemented, they chose, that new risk.

RM: Pro tip – use vulnerability scanning in your merger and acquisition development strategy. That can drive the cost down.

BL: That’s another webinar right there.

KA: One other question here about third-party risk.

We work with a lot of different vendors and service providers. How should we be assessing third-party risk and accounting for potential supply chain risks?

I know that’s another hour in and of itself too, but maybe at a high level, either of you have a good recommendation there?

RM: You should have a vendor risk management policy to align with that. Specifically, if we’re talking healthcare and HIPAA, right, you should have at least business associate agreements in place with those third parties.

What I usually like to see, my personal preference, is a SOC 2 report, and to review the controls.

It’s not always the best because that’s kind of a CPA doing it, but it usually meets my minimum requirements to at least peek under the covers and see what something is and how they’re doing it.

And then have your own kind of insights into that. Have your own vendor due diligence requirements.

Don’t do them once. You know, obviously that should occur with any new vendor or system you’re looking to onboard; it should go through your vendor due diligence process and meet your procedure, but that should also occur on an ongoing basis as well.

Like the financial industry, they have this down pat; they’ve been doing this stuff for years.

That’s why you don’t see a lot of that kind of stuff with third parties there, and you see it more proliferated in other industries. Vendor due diligence is near and dear to my heart. I do it for us at Omega; people do not like me, vendors do not like me.

KA: Yes, a lot of questions.

RM: Yeah, of every 10 vendors that get thrown my way, nine of them, right out of the gate, I won’t even talk to because they don’t meet my minimum security requirements. I’m not gonna give my data or access to my systems or my customers to somebody that I don’t trust, right? And the same goes for the medical industry as well, even more so based on the sensitivity of the information that you contain.

So go through, develop good vendor due diligence, a vendor management policy, and at least yearly have it gone through and redone. There are a lot of systems out there to automate that process that can automatically send reminders out to your core vendors and have them review. Anytime somebody has access to your environment or your data, or your data sits in somebody else’s system outside of your control, there should absolutely be a yearly vendor due diligence performed on them.

BL: Yeah.

KA: Absolutely.

BL: If you wouldn’t invite them into your house, then maybe don’t invite them over to be your partner. So, yeah, there are some rules to live by.

KA: That’s good. All right, I’ll give you each 30 seconds here. If there’s a key takeaway or one thing you want this healthcare audience to take away from the conversation today, Brad, I’ll put you on the spot first.

BL: Yeah, continuous improvement, right? Assess where you are today and assess where you want to be tomorrow. That’s your gap analysis. That’s your project plan. Those are the basics. As long as you continuously improve, those micro reactions will compound over time.

KA: Very good.

Rick, key takeaway?

RM: Yeah, just try to get out ahead of the front of the upcoming changes. They are coming. And while we understand it’s yet another federal mandate that is unfunded, as HIPAA usually is, you know, traditionally, OCR and CMNCR are going to fund themselves traditionally through regulatory fines, and so they’ll find a way to fund themselves when funding gets cut by the administration.

So, changes are coming, and fines are probably going to be coming as well behind that, for teeth behind HIPAA.

My crystal ball says get prepared now so that you’re not caught next budget year having to put everything out there to meet those requirements, so start early and get your house in order.

KA: Awesome. All right.

Great questions, great conversation today. I want to quickly remind everyone that they will receive a link to the full recording of today’s discussion as well as the transcript, so you can easily revisit all of this great content we covered today. Those materials will be delivered to inboxes around 1pm Eastern tomorrow afternoon.

Huge thank you to Brad LaPorte and Rick Mutzel for joining me today and sharing all of your security perspectives with us.

And of course, final thanks to all of our attendees for listening in. We hope you will do so again soon.

With that, I will say goodbye to everyone and hope you all enjoy the remainder of your day.

Thanks, everybody.

BL: All right. Thank you.

RM: Thank you.
