2021 Healthcare Security Predictions from the Experts at Scope
Dig into the trends, topics, and top risks facing the healthcare security sector with the Scope Security team.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
In today’s episode, host Mike Murray is joined by two members of the Scope team—Jeremy Richards and John Daniele—to look at 2021 and where they see the world going.
Mike opens the conversation by reflecting on the attack against the SolarWinds infrastructure and on the attackers of 2020. What do these events presage going into 2021? John picks up the discussion of the SolarWinds hack and its fallout. Not only should more attacks against service providers be expected, but these providers are serving as conduits to the real victims and targets. Find out more about the phishing campaign against organizations involved in the distribution of the COVID vaccine and how supply chain attacks are on the rise. John says the full impact of this fallout has not yet been felt, but we are soon going to learn what a compromised supply chain looks like.
Learn about the FireEye hack and how FireEye released detection signatures for its own red-team tools so quickly after finding that they were compromised. We are inheriting a mess that will need to be cleaned up, but Jeremy and John point out that so far we have only seen the impacts of the “noisy” side of things.
The conversation shifts to ransomware gangs and how cyber criminal gangs are escalating the pressure against their targets. With these gangs finding new ways to pressure victims, Mike asks how we can disincentivize them from such criminal activity. Find out more about the government’s role and why organizations should collaborate more with law enforcement.
Mike shifts direction to discuss the themes to expect in 2021 around technology and digital enablement in the medical field. Jeremy and John talk about cloud-native EHRs, EMR-focused phishing, and how attackers are recognizing the crucial importance of the records database. API security demands additional tooling, telemetry and observability pipelines, and many organizations have been slow to develop exactly those capabilities. While the API security challenge has not been fully recognized, healthcare is inherently becoming more API-driven. They also touch on the importance of guarding the availability and accessibility of detection models, so as not to give attackers the information they need to gain the upper hand.
This episode draws to a close with one last prediction—business model shifts. What are the cybersecurity ramifications of this shift in the current landscape? Budget is still being put into security, and there is a demand for consolidating tools and using what you have, but what is the importance of the overall digital transformation? With a lack of data and telemetry to build good detection models, how can we bolster the ability to gather the data needed to build good detection for future threats? If hospitals focus on this digital transformation, the available data may grow enough to drive cybersecurity with the necessary tools. Find out why, even if devices are designed securely, monitoring and operating them securely is the real challenge. Mike reminds us that these are simply predictions, and we’ve all learned how quickly realities can shift beneath us. Next year, we’ll see just how off these predictions for 2021 were!
Don’t forget to share, like, and subscribe to this podcast!
– Host Mike Murray introduces the show.
– Guests Jeremy Richards and John Daniele are welcomed on.
– Attack against SolarWinds infrastructure.
– What is presaged going into 2021?
– FireEye hack.
– Ransomware gangs.
– Role of government and law enforcement.
– Themes to be expected in 2021.
– API focused.
– Availability and accessibility concerns.
– Business model shifts.
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.0 Mike Murray: And hello and welcome back to another episode of In Scope, The Healthcare Security Podcast. As always, I’m Mike Murray. And again, this episode, I’m really lucky to be joined by two members of the Scope Team, Jeremy Richards and John Daniele. In our last episode, we talked a lot about Year in Review for 2020. In this episode, it’s time to talk a little more about 2021 and where we see the world going, and amazingly, between the recording of the last episode and the recording of this episode, we have had some major things happen out in the world that I think will probably impact the conversation around 2021. Specifically the attack against the SolarWinds infrastructure by… Who everyone seems to be attributing to, the Russians, although I don’t know how solid that attribution will turn out to be, but guys, maybe we just jump right in and start talking about attackers in 2021, how does… What’s happening with the SolarWinds stuff, with FireEye compromised, what does that precede going into 2021? And John, I’m gonna throw this directly at you first, and then maybe we’ll just see where we end up, but I feel like these are some big events in December that might have some big impacts next year.
0:01:35.3 John Daniele: Absolutely, I think the biggest one is the SolarWinds hack and related fallout. This was a pretty eventful occurrence that I think the full scope and scale of that attack still hasn’t been properly evaluated, but at first blush, it appears that tens of thousands of organizations, victims, targets may have been affected by this breach. So it certainly precedes more attacks in 2021 against managed services providers, and not simply because of any information that they necessarily have, but because they’re a conduit to their victims, which are the actual targets of attack. We’ve already seen, with respect to the COVID-19 vaccine distribution plans, IBM have reported a phishing campaign that was detected against organizations involved in the cold chain or cold storage supply chain for the distribution of the COVID vaccine. So we’ve already seen evidence that supply chain attacks are on the rise, and certainly in the years leading up to 2020, they’ve been on the rise, but I think that the full impact of those supply chain attacks have not really been felt. I think leading into 2021 we’re gonna feel the full impact of what it means to have a compromised supply chain across a wide variety of different industries.
0:03:16.3 MM: It’s interesting, people have been talking about this for years, and people have been saying supply chain, supply chain, supply chain, I mean I had this conversation with so many people. And yet this is the first time that I think everyone’s really waking up to the reckoning there can be an attack on the supply chain. And especially if you think about healthcare, so many of those medical device manufacturers in the supply chain could potentially be compromised and have some of this same sort of thing. It doesn’t have to be a technology company like SolarWinds, it could be an EMR company, or a medical device manufacturer, or someone who provides those services, and we’re gonna see a lot in 2021 about the insecurity of all of those vendors. A friend of mine who worked for me at GE used to talk about inheriting other people’s failures, and I think that that’s a world that we’re starting to wake up to… What do you guys think?
0:04:13.4 Jeremy Richards: So just to take this back for a second to the supply chain issue, I think… So there’s no surprise that FireEye was kind of first to the table or first to detect that they’ve been compromised, and a lot of respect for how they handled it. I think it was pretty classy act to have such a timely release of detection signatures. So for listeners that don’t know, FireEye has a red team and they have a collection of tons of tools to do intrusions, and they released detection signatures for their own tools very, very quickly after they were compromised. I think with whatever attribution you want to do, we’ve got an actor that has shown that they’re proficient in attacking supply chain and laying low, so I don’t think we’ve even begun to see what the impact is, and that 2021, sure we’re going to find out some of the noisy stuff, but I doubt we’ll ever know the true extent of the compromise. In terms of inheriting problems, that unfortunately seems to be the CSO or the CISO cycle, where there is a breach and then there’s change in leadership, and that’s exactly what happens. There is inheriting a mess that needs to be cleaned up.
0:05:37.4 MM: Alright, let me take this in a different direction because… How many times have we talked about ransomware on here? It feels remiss to not talk about ransomware gangs going into 2021; we’ve seen some really interesting ransomware things over the course of this year, obviously, we three have talked about it on a couple of podcasts. But with that, where do you two see it going? Where’s… What’s the next thing in the world of ransomware?
0:06:01.0 JR: Well, the FBI just had a statement today, so there is a recent article saying that the DoppelPaymer ransom gang is now routinely harassing victims who refuse to pay. So they’re actually calling them on the phone and harassing them. So there is that that’s new and emergent. I’m guessing that the… A friend of ransomware is urgency, so definitely ransomware around the supply chain of an upcoming COVID vaccine, so looking at industries that are going to be involved in that global effort of distribution being high value targets.
0:06:43.1 JD: I think it’s an interesting trend that you’ve got cyber criminal gangs now escalating their actions and activities against their targets. It may be an indication that targets are perhaps paying ransoms less frequently, and so the gangs need to up the pressure in order to continue to receive those payments. Now, this is their business model, after all, they will hold the data at ransom and the victims need access to that data and will agree to pay, and the ransomware gangs promise to provide the keys in a very reliable way, and after all, they’ve built out their own supply chain network to provide reliable access to keys, and they’ve got a great help desk and support.
0:07:32.4 JD: So there’s that, but perhaps there’s an increasing trend in not paying because if the data is going to be breached and publicized anyway, which is something that ransomware gangs had done, perhaps that in itself was a strategic blunder because if everyone knows that, well, they have the data and they could release it at any given point in time, then what’s the point of paying the ransom ’cause I could never truly trust that that data is never going to hit some underground market. So I kind of think that what happened in the latter end of 2021 when ransomware gangs declared that they were going to escalate and publish data, I think that was a strategic blunder to their business model, and clearly it’s having an effect because they’re scrambling to find ways of pressuring victims and resorting to street-level tactics is I think an indication of weakness.
0:08:34.1 JR: And DDoS as well. They’ve started to… You don’t pay your ransom and you end up getting DDoSed as well.
0:08:41.4 MM: I told you guys both this, and I wanna bring it into this conversation. I think what I’m hearing you both say, and we’ve heard it from some of the folks we were talking to on the customers side as well, is people are preparing for ransomware authors to become more creative. I was talking to a healthcare CISO recently who was talking about a scenario that they were preparing for where ransomware authors moved towards extortion in new and interesting ways. Like Jeremy, you were talking about DDoS as an example, but a situation where suppose I as a ransomware author, could find a vulnerability in a common infusion pump and go to healthcare organizations that I’ve compromised and say, “Unless you pay me X Bitcoin,” in the same sort of ransomware world, “I’m going to randomly shut off half of your infusion pumps tomorrow at noon.” And more creative than just simple encryption-based schemes, the thought is that ransomware authors will start to move, especially as hospitals and as targets do a better job of having a solid backup strategy and testing those backups and being able to restore business continuity relatively quickly, are there other ways that we think that these folks will get more creative?
0:09:58.4 JD: And by creative you mean evil?
0:10:00.9 MM: Yes, yes, exactly.
0:10:03.2 JD: Because the idea of just shutting off critical clinical technology, unless payment is made in 24 hours, I mean, what does a hospital do if some of that equipment is on a patient right now, if some of it is being used on a surgical floor, how do you just simply swap those components out? In some cases, they may have to stay in place until it can be properly contained, so that just seems like an absolute nightmare scenario to me, and just an indication of just sheer evil at the end of the day. It’s a bit unconscionable to think that human beings will treat other human beings in this manner.
0:10:41.8 MM: It’s true, but I think if 25 years in security has taught me anything, it is that my level of ability to anticipate how evil some humans will be to others is dwarfed by the actual reality of the situation. As much as that makes me sad at times, and it’s true, the bad guys are bad people in a lot of situations.
0:11:03.7 JD: Yes, so we definitely need to find ways of disincentivizing criminal gangs from the profit-driven activities that they’re engaged in. So I think government also needs to take a look at different ways that you can go after the proceeds of those funds, track the process of those funds, in some cases, perhaps sanctions, if it’s a foreign government entity that is performing these activities. So if it’s a group that’s associated with a known national agency, and this is underscoring the reason why I think, moving into 2021, organizations need to coordinate with law enforcement more frequently, particularly as it pertains to these ransomware payments. Now, recently, there’s been a notice from the Office of Foreign Assets Control regarding ransomware payments that if victims pay to individuals that are on the SDN list or a sanctions list, that they themselves will be open to prosecution and liability. And I think that just behooves organizations to work with law enforcement, especially if they are considering a coordinated payment to a ransomware gang. It’s a critically important thing to think about. It also underscores the fact that now your cybersecurity strategy also has to include risk-based sanctions compliance programs to cover ransomware payments, so that is an entirely new thing that’s emerged within cyber security. We’ve never had to think about it.
0:12:44.9 MM: And especially in healthcare, right… If you’re a government CISO, maybe you’ve thought about some of those things traditionally, but the CISO for some hospital in middle America or middle Canada has probably never had to even consider some of these really international problems that have started to come up and… So I wanna take us in a different direction because we could talk about attackers and bad guys all day and depress ourselves, but I think 2020 has seen something that I’m curious to see what you guys think about where we’re gonna go. If we had been sitting here 12 months ago and having this same conversation, we would have never been able to predict the amount of remote and outside the four walls of the hospital, changes that have happened during the COVID pandemic, right?
0:13:32.9 MM: The hospitals that we talked to, going from everybody inside the building to everybody at home over the course of a weekend, going from… I heard a statistic at the HIMSS conference a couple of weeks ago, they were talking… I don’t remember which hospital CISO it was that was talking, and they said that they were seeing a few hundred telemed patients a week before COVID started, and now they’re in the tens of thousands of remote telehealth patients a week. Obviously, that genie’s not going back in the bottle. But what else do you guys see? We’ve talked about the move to the cloud and a lot of infrastructure, what do you guys think the themes of 2021 are gonna be in terms of technology, especially, and that sort of digital enablement of healthcare?
0:14:20.2 JR: So I think we’ve already been seeing EHR moving to the cloud in conversations that I’ve had with several individuals. We’ve seen projects for getting cloud-native EHRs, with all of this remote work, I think there’s a high chance of having EMR-focused phishing.
0:14:41.4 MM: I think one of the interesting things there is how many of our healthcare CISO friends don’t think of EHR as a primary attack surface for them, and traditionally the EMR has been the realm of the privacy team and the compliance team, and I think more and more… I completely agree with you there, Jeremy. I think 2021 is gonna see attackers start to really understand the value of the EMR in the modern healthcare system. And by extension, to your point, as soon as you move that to the cloud, suddenly I can start phishing creds for your Epic instance or your Cerner instance without having to compromise the network. If it’s not behind a firewall anymore, like the world has changed. And I think we’re gonna see… My prediction, I’m letting you guys be the predictors on this one, but my prediction that I’m gonna throw in for 2021 is, I think more and more the healthcare CISO community is going to start to realize that the EMR is not just a database of records, but is an incredibly important operating system for the modern hospital, and I think the attackers are gonna realize that as well. With that, what else do you guys think 2021’s gonna bring?
0:15:57.0 JD: Well, one of the things that I was going to mention with respect to EMRs, EHRs is I think it underscores the fact that API security is gonna be something that we’re gonna have to think about in 2021. This is something that most organizations have really been ignoring, it’s a bit tricky to handle, it requires additional tooling to get visibility on your API calls in order to do proper threat detection, gaining telemetry in a near real-time sort of scenario, requires a DevOps pipeline, visibility and observability pipeline. So these are things that a lot of organizations I find have been lagging in developing those capabilities, and I also find that there’s a lag among security companies to make use of DevOps tooling and observability pipelines. So both sides of the coin need to get together and discuss more closely what can be done, and especially hospitals as they’re moving towards cloud-native EMRs, EHRs, API security will definitely be something that we have to talk about.
0:17:03.8 MM: I completely agree on that. And so my experience with API security comes from time at tech startups, because it’s the DevSecOps community that have really started to understand that API Protection piece. I think if you’re in a world where you’re not doing development and you haven’t got those jobs because that’s just not part of your business model or your threat model, I think you’re right, John, I don’t think very many people have really started to get their heads around the API challenges that are gonna be present, especially as healthcare becomes more API-driven. Inherent in I think what you’re saying, and tell me what you think about this, but inherent in what you’re saying to me is the idea that healthcare is becoming more API-driven with things like the CARES Act driving data interoperability with the new updates to the HIPAA rules that are driving patient control of their own data and patients being able to come to their provider and say, “Here, I have this app on my phone, please take all my protected health information and send it to this app.” That’s not a use case that really existed five years ago, and that’s where I think you start to really… As the healthcare industry becomes more about sharing data and moving data from point to point, I think APIs become the primary mechanism for doing that and then become a primary threat surface because of it.
0:18:25.9 JD: I think you’ve really highlighted a new future trend, deep integration in healthcare is a thing now, once again, as you say, you never had to think about that before, but as we have sort of larger and larger networks of hospitals as well, deep integration across the clinical technology environment with medical OT IoT, and the need to gather telemetry and share it broadly and also mix in other relevant sources for diagnostics, I think is something that definitely is an upward trend as we move to the new year.
0:19:03.0 JR: So speaking of APIs, I’m really expecting attackers to start pushing on models that we’re developing in the security space. So malware authors have been doing it for a long time, they’ll look for strings that people or that models are hitting on by slowly taking them out and continuously hitting an API, the VirusTotal API, they’ll selectively take out strings until they’re able to bypass detection. So this is an example of how they’re attacking these models via an API, they’re basically doing blind SQL injection or a… They’re enumerating or doing principal component analysis on the model, they’re trying to find out what pieces of the binary end up triggering the model. I’m expecting us to see a lot more of that from an attacker’s perspective, they’re already doing things that try to get out of log windows. If they know that logs are rotated on a two-week basis and your SIEM isn’t able to query back past two, three or four weeks to correlate events, they’ll actually spread events over long periods of time. So I expect, as attackers begin to learn how these anomaly detection models work in SIEMs, that they’re going to attack those directly.
0:20:31.5 JD: Well, one of the things that you had brought up in an earlier conversation is the availability of a lot of the models that modern security technology are using in order to drive that outlier and anomaly detection. And having those models available and accessible widely across the research community, is also a bit of a concern because from an adversarial perspective, if I can run that model on my own neural net that I’ve trained, I can find out peculiar ways of evading that model for that kind of detection. So maybe you can talk a little bit more about that ’cause that was a fascinating conversation that we had a day or two ago…
0:21:13.0 MM: Actually, John, that was me, it was me that was bringing that up because I was talking about an old friend of ours that… Named Kevin Mahaffey, who was one of the founders of a company called Lookout, where I used to be the Chief Security Officer, and Jeremy used to work as well. The idea of adversarial machine learning and the attackers getting access to models is one of the reasons that we’ve been so protective of our models and keeping them in the cloud and keeping them in places that only we have access to, because as soon as the adversary can control both inputs and outputs to that model, you start being in a situation where the adversary has the advantage.
0:21:50.2 MM: And with that, I know Jeremy spent more time thinking about this than me, but I stole that one entirely from someone smarter than me in this case, Kevin. So with that, I wanted to talk about one last thing in terms of prediction, because I think it’s an important one. This year has changed the business models of a lot of our customers, especially during the COVID times, folks have gone, had to cancel electives, and had to do a lot of things that really impact revenue. And unfortunately, healthcare is largely something that you can never go back and make it up, right, if you didn’t do any surgery in March, you can do that knee surgery in June, but it’s not like you have more doctors and more time on the operating room, the operating room’s booked full every week. If you lose a week of bookings, you just lose that revenue, how do you guys see the security implications of some of that business change, especially moving into 2021 with another wave of COVID and many more months of potentially having challenges with ICUs and the thing… And the like, what do you guys see in terms of cyber security and in terms of that landscape?
0:23:05.8 JR: So maybe this is naive for me to think, but I do definitely feel that the healthcare industry understands that security is a priority and there will be budget for it. Security is still going to be top of mind. I think though, what’s going to happen is there’s going to be more expectation out of that budget, and there will be trimming the fat and there will be consolidation in tools and probably also consolidation in the healthcare delivery organizations as a whole, but I just see a demand for consolidating tools and making use of what you have in place.
0:23:48.5 JD: Here’s something that I’m thinking about as well, perhaps digital transformation becomes more important right now, because if you think about cyber security in healthcare, there is a lack of telemetry, there is a lack of data and information that can be used to build out good detection models and things of that sort. And the reason for that is because we don’t have the ability to gather the data and information required to build really, really good detection, and that’s the problem that Scope Security is specifically tackling; how do we build detection specifically for things and threats that we see within the healthcare environment? If hospitals focus on digital transformation, then building out that telemetry network to be able to gather good data from all the different kinds of technology within the healthcare environment may then drive additional cyber security tooling to do a better job within the healthcare environment. So I think perhaps when we’re talking about budgets and where money should be spent, I think more increased funding in digital transformation for healthcare is required, and without that, it’s holding back what we can do from a cyber security and threat detection perspective. So digital transformation becomes really important.
0:25:09.6 MM: I think there’s another piece that you just brought up that’s really interesting, John, and this is a conversation that I’ve had with a bunch of folks in the regulatory side, is that this is hopefully maybe 2021, we’ll see some change in this way, but exactly what you were just saying about that telemetry thing. FDA released pre-market guidance for cyber security for medical devices in 2014, they released post-market guidance in 2016, and that really speaks to how you design and build the medical devices from a secure perspective, as well as how you… Effectively, for lack of a better term, how you issue patches and how you make sure that when a vulnerability is found it doesn’t linger in the environment. The one thing neither of those standards talks about is exactly what you were saying, which is how you monitor those things for security operationally, there are no standards for that. And I think the medical device manufacturers themselves don’t have that answer from my experience and in my time at GE, and knowing a lot of folks in that space. It’s not like there’s been a proposal for, “This is how medical devices should log and should report on security incidents against themselves yet.” And so even if you have all those devices and they’re designed securely, monitoring them and operating them securely is a real challenge, and hopefully that digital transformation effort can move us that way.
0:26:33.2 MM: Guys, with that, I’m gonna wrap us up, but we were way longer in our predictions for 2021 than we were in our review of 2020, but… Thank you both as always. You guys know this is my favorite time to record a podcast is just hanging out with the two of you. And so to all of our listeners, I hope you had a happy 2020. It’s been a very odd and strange year. I’m sure 2021 will have lots of surprises for us, and hopefully we’re gonna play this back in early December of next year, and the three of us are gonna laugh at ourselves and… Have a glass of wine or a cocktail while we listen to how ridiculously wrong we’ve all been in all of our predictions. If we had done that last… If we had done this podcast last year, I’m sure our predictions for 2020 would have looked ridiculous in light of how 2020 worked out, and this podcast will probably end up the same. But thanks again, guys, for dropping in and doing this, and hopefully our listeners got a kick out of it.
0:27:30.9 JR: Thanks for having me.
0:27:31.0 JD: Same here.
0:27:32.7 MM: Happy Holidays, everybody.
0:27:35.5 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUESTS
Jeremy Richards has spent the last two decades becoming an expert in exploitation, detection, and AI technologies. Most recently, he was a Principal Security Intelligence Engineer at Lookout, where he created the machine learning models behind Lookout’s PhishingAI and assisted in discovering APT threats on mobile globally.
Previously, he was a senior security research engineer at Saint, Digital Defense, and nCircle. Jeremy is passionate about AI and machine learning, feature engineering for anti-malware and anomaly detection.
John Daniele has over 20 years’ experience working in the security and defense community in Canada and abroad. He has extensive experience developing threat hunting and detection, digital forensics analysis capabilities, and investigating cybercrime.
John has also led offensive red team assessments, engaged in vulnerability research and exploit development activities, and has provided related training to the Department of National Defense and other security agencies across Canada.
He is an alumnus of both KPMG and EY, where he served as a national practice leader in cyber forensics, and most recently as vice president of cybersecurity operations for CGI. John has previously served as a civilian forensics analyst at Ontario Provincial Police (Anti-Rackets), the Ontario Ministry of Finance, and as an investigator with Ontario’s Correctional Investigation and Security Unit.
Today, John serves as head of Threat Intelligence for Scope Security, a cybersecurity start-up co-founded by Thrive Capital that is developing a healthcare-native SIEM providing holistic visibility into threats targeting clinical technology environments and electronic medical records systems.