A Conversation with CISO Frank Attilio: Low Budgets, High Stakes
The former CISO of CarePoint Health and industry veteran Frank Attilio shares a few tales from the trenches and his thoughts on ‘getting back to the basics’ of healthcare security.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
In today’s episode of In Scope, host Mike Murray is joined by Frank Attilio, to discuss being a CISO and making budget cuts. The conversation begins with Mike asking what C Level executives should be focused on during this time. Frank says you have to focus on the new and old things. It’s the small things that get you, so Frank encourages a strong focus on education, especially around phishing. Frank now has employees take a short test on cybersecurity and receive a certification. This certification also helps the company save money on cybersecurity insurance. Hackers are looking for the easy way in, so making it harder and more complicated for them to get your data is the best way to ensure they go some place else.
There is a big concern in health care that there isn’t money for cybersecurity. Frank says you have to be creative and innovate new low cost solutions to security problems. When you have no budget, good relationships can get you a long way. Frank stresses that treating his vendors well is an essential part of his business because vendors are critical to the business. Years ago the hospital was contained, that is not the way it is now. We’re using VPN, BYOD and NAM. These are helping secure medical devices, and prevent data from being hacked.
Not only does Frank work to innovate creative solutions when budgets don’t allow him to invest money in cybersecurity, but he also barters with vendors. Working with them to improve product and promote their brand awareness allows him to develop vendor relations and accomplish a lot with a little. Mike chimes in here, agreeing that from a vendor perspective, clients like Frank are ideal. They serve as collaborators who help make their products even better. Frank finishes by giving a piece of advice to all CISOs and healthcare C Levels. He encourages them not to write passwords down, or make them so complicated that they need to be written down somewhere.
The episode ends with an installment of Vital Signs, a segment on updates in the healthcare security community. One of the main reasons healthcare security can be so difficult is because it exists in three separate domains, each with their own set of challenges. The first is the traditional IT environment that exists within every modern corporation, they deal with phishing, malware, and vulnerabilities just like everyone else. The second environment is clinical technology and medical devices. The third environment is the center of healthcare security—Electronic Medical Records (EMR). EMR holds all of the patient data from personal information, to financial records, to medication and every interaction with hospital staff. A breach of the EMR is a breach of the entire hospital, but it isn’t enough to secure one environment. You have to be able to secure all environments and be able to track hackers across environments. That is the difficulty of securing healthcare.
– Mike introduces today’s guest, Frank Attilio
– What should C Level executives, especially those in health care be aware of right now?
– How do you handle old medical technology, low budgers, and cybersecurity?
– Franks talks about building relationships with vendors.
– Frank explains his philosophy, “think stupid and get the answer.”
– Mike and Frank discuss bartering with vendors to improve systems.
– Franks final piece of advice about passwords.
– Vital Signs—healthcare security update.
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.8 Mike Murray: Welcome. With us today we have Frank Attilio. Frank’s been around for a long time. I mean, I think there’s a lot about a bunch of old guys sitting around talking about security, but Frank’s been doing this for over 20 years across a whole bunch of things. One of his more recent roles was as the CISO of CarePoint Health, but Frank has done all kinds of different things in his career. And the conversation today that we really wanted to focus on is what it’s like to be a CISO when you’re struggling with budget, when you’re struggling with the organization that you’re with, and just when you’re dealing with all these things. Frank advises tons of companies and is on the Rutgers Advisory Board as well, and is just a really smart guy about security that I’ve gotten to know over the last little while, thought we would have a chat today. So Frank, welcome. It’s good to have you here.
0:01:10.2 Frank Attilio: Thank you. Thank you for having me.
0:01:12.0 MM: So, really interesting background you have. You’ve done everything from super technical to C-level executive. As a place to start, what do you think the really important stuff, if you’re sitting in the C-level suite, especially in healthcare ’cause we’re obviously… We’re talking about health care a lot. If you’re sitting in a C-level suite, what are you focusing on these days, especially with the world being as weird as it is?
0:01:34.0 FA: The way I see it right now is it focuses… If you look at the old way they used to hack, and there’s new ways to hack, and you’ve gotta address both.
0:01:43.4 MM: When you say the old ways, which ones are you specifically thinking?
0:01:46.5 FA: Phishing is a big one right now, because right now phishing, I constantly do phishing attacks within my network to validate that everybody is cooperating, and I gotta understand every time I do it, I get 99% people clicking on it. And the phishing, the old way, has been migrated and mutated from just clicking on a URL. Now, if you just hover over the URL, the malware comes in, and they also did where they do documents that are attached for malware. So you can get a legitimate document from another person in your firm, but that was… In some way, it got compromised with malware, so as soon as you open it… And you don’t see any of this going. It’s in the background. Those are the biggest concerns we have right now.
0:02:34.9 MM: So it really is like the old days, right? It’s really like going back 20 years to some of the simple stuff. A good friend of mine, Cliff Neve, who runs MAD Security used to say, it’s the dumb stuff that we don’t like doing, but those are the most important things to do. What are your thoughts on that? How do you solve this, especially right now?
0:02:54.1 FA: It’s true. And I’ll tell you, I had a mentor, he’s no longer here, his expression, and this is way back when I was starting as a technician in the help desk, he said, “Listen, Frank. I don’t care what you put on, but you’ve gotta look it’s got a frame, four wheels, an engine, transmission. Everything else is just static. So just concentrate on the basics. If you can get the basics down, and I’ve lived my career by doing the basics, everything else will fall in place.” And it has. You’re right phishing and… Education is a big thing. We don’t educate our employees enough. And what I did institute was, when you now come into the company, CarePoint, you now have to take a test. It’s not a big test, but you take a test on competency of knowing about security, cyber security, and how to utilize a PC, then you get a certificate. That certificate actually helps you with reducing your cost on cyber security insurance, ’cause now you’ve proven that there was a test and you passed it.
0:04:04.4 FA: The problem is keeping up with that, because once they do it, as mine is a C-level, I have a problem with constantly having refresher courses. They don’t wanna show up, so I now know, get them into a town hall, where I now have the CMOs reach one of the hospitals, mandate it. So they come and I give them the class and you update it, refresher course. And it helps a lot. Those are my biggest concerns on the old ways. I mean, there’s other old ways too like I was a network expert also before I became a security expert. The fault I see with CTOs today is they turn around and leave the default admin, username, and passwords in. And when you do a pen test, you find that constantly. Well, that’s an easy way in and the problem with leaving that, if then if they leave it in voice systems, data systems, any border guards or firewalls, that’s an easy way in. And hackers don’t want complicated situations. The easy way in, they’re gonna do it. If it’s hard, they’re gonna go some place else and get that data. So that’s something to keep in mind.
0:05:16.4 MM: So you said the username and passwords, when I first went to GE Healthcare we had this practice of hard coding our root usernames and passwords and then printing the hardcoded password in the manual. I imagine medical devices in healthcare IoT, I mean, especially a lot of the stuff that is designed, especially the big iron, stays in the hospital for 20 or 25 years. How do you handle that when you’ve got all this old medical stuff that’s all basically in the same situation, you know?
0:05:46.0 FA: That’s a good question. And here’s what I did. I turned around, and I know my staff got annoyed with me, but hey, listen, I made them delete all local username, admin passwords, and elevated public passwords and user IDs. I only use domain, and they could only log on… Everybody that’s on the IT staff has two log ons. One is a normal Joe Smo, everybody else has, and then there’s an elevated one. The only way they can log on with the domain admin is if they have to do work, they log on, they log back off, they deactivate that account, not delete it, but deactivate it, and they log on in normal so they can do their normal routine. That I find without elevated privileges, I’ve seen malware come in that couldn’t execute. It’s a simple fix. And I had to tell you, without having a budget, which is the biggest concern of healthcare, you have to find ways to do things that are creative.
0:06:42.5 FA: I tested this in New Jersey Rock, and we found out that it’s true, nothing can elevate. Now, the only draw back on that is, ’cause I instituted it in the government as well, is if you forget your password, you go through 10 times, you’re gonna have to go in, plug in to the network in order to recoup it. But look at to what you’re gaining. You’re not spending money, you’re gaining security, and the only thing you gain is inconvenience if they don’t know the password and they lock their system out, they gotta come to the site to plug in. I think that’s well worth mitigating the risks that are out there.
0:07:17.0 MM: Yeah, it might be a bit more of a challenge in the COVID times with everybody having to work from home, but it’s… To your point, I think healthcare is… We all know health care security struggles with budgets. You’re one of the people that I know that have done the most with the least. Probably the best that I’ve ever seen at it. Maybe share with the audience how you think about doing this with no budget, ’cause I’m sure there’s a lot of other CISOs in that chair right now.
0:07:45.2 FA: Yeah, that’s correct. And you know, budget is a big thing with healthcare. When you go to the board member and ask for a budget, they basically will show you the door. They want you to make sure that you don’t get breached with no money. So what I did was I was creative. My VaRs, I spent millions of dollars at other locations and other positions I had. I was able to because I treated them very well. I became very friendly with them. So at this point, they were concerned that I left the government, went to healthcare, and I had no budget. So then we talked six months later, I had no budget. So they said to me, “Listen Frank, I’ll do your favor. Let’s do proof of concept, I’ll give you this stuff for six months for free. And we’ll keep on changing it out so you can get your ability to protect your identity and protect your company and not risk losing your job because of a breach”.
0:08:40.7 FA: So what I did was, and this is, I didn’t mention this to you before and I mention it now is… I would do a VaR, they would lend me this software for six months to a year, I do proof of concept. Then I would be able to keep it as well, because what I did then said, “I’ll write, I’ll evaluate your… I’ll fine tune any of your systems. If you give you me an ability to keep it, I’ll write your IPRs. I’ll follow through your IPRs. I’ll make sure that it gets rectified and then you’ll get top of the line”. And mean while I did that. So, what I did was it took a lot of time. I got the software installed, it was installed on my network. I was utilizing it, and then I would write the IPR. I seen something I didn’t like, and would need improvement, I would send that IPR to the company and I would follow up with them until they get resolved and re-tested.
0:09:36.2 FA: So I kind of like did a barter system and then, people are probably gonna laugh, but that is the only way you could do things in healthcare without a budget. And being a CISO, I’ve seen so many the healthcares getting breached. That was the way to do it. You write an IPR, get the software, help them find-tune to become the top notch. That’s what they did and it would work very well. Then I would write reports as well, and also reference letters for them to other CISOs. And if they were looking to get into company A and company B, I would send a reference letter over to company A, B, if I knew them personally. If I didn’t, I would still write the letter and they would then hand deliver it, and when they try to get a meeting.
0:10:19.3 MM: It’s funny, man. I think most of the CISO community tends to really complain about vendors and to avoid creating the relationships that you’re talking about. What I hear you saying is that, especially if you have no budget, good relationships can get you a long way.
0:10:33.6 FA: Absolutely, you gotta treat the vendors… I don’t beat on my vendors, I’m sorry, but I find that way back when I was at Paine Weber I was a young executive at the age of 21, I learned that you don’t beat on your vendors. One of my mentors, Tom Polando, a fantastic guy. He kinda took me under his wing back then at Paine Weber. One of the things he always told me, “Vendors are critical”. Now, it’s true and I’m seeing this and I’m mentoring the people that I have under me, explaining to them vendors is gonna help you some day. And now they see firsthand. And the excitement they get seen what happens with me, now they know that we ain’t wrong, they can actually do the same thing.
0:11:14.4 FA: Budgetary issues are critical. And not having the proper equipment, applications, or structure, or infrastructure and security, or network security, or network itself, infrastructure, really fogs, puts a big hole in risk. The other thing that I’ll let you know that CISOs should know. I disagree, CISOs used to report right to the CEO, and now they report to the CIO. And in my experience in the past, which is just a recent one I was at in healthcare, you can do whatever you want as a CISO to document every risk, mitigate, write relegations, write remediation plans, it’s never gonna get above the CIO because you have to hand it to him. So now it’s the fox managing the hen house, so eventually it’s gonna come to light. So the CISO that, I’m sorry, the CIO that I reported to ended up losing his job because they came in, the board decided to kick off a third party assessment. The assessment had everything that I documented, but never reached the board. So when they came in they had said, “Listen, I haven’t seen security, or network security have any improvement. It’s getting worse year by year.” So my head would have been chopped off the block being the security expert here. But because I documented very well and kept that documentation, even though I submitted it to CIO, it came to save my job.
0:12:46.6 FA: But seriously, you really gotta understand there’s newfangled ways of doing things too. And we went with the old way, and I told you about the old way of doing it with phishing. That’s one thing. The other thing is, I had an incident that happened. And we have used QuickBooks, and one of the things that they did, which was really funny, they called up the user, maybe they were a field engineer for QuickBooks, said they had a problem. The person left the VPN in and they went to RDP and what happened was, they breached by getting all your documented records. I was able to cut it off, but point was, these are new, old ways of RDP, old ways of calling, these old ways are so effective. The new ways, they get in too.
0:13:36.3 FA: So we talked about phishing, we talked about calling and posing as somebody in RDP to get into the network. We talked about getting admin username passwords from default. Now I’m gonna go new ways. New way is, people do not do VLANs anymore, VLANs and network. And that’s a big problem. VLANs are a way of securing a network. And it was an old way of doing things back in the 80s and 90s. What happened was, I was in a conference with the FBI and some self care. And the guy decided that his boss was away, he was gonna plug the refrigerators on the network. And he did, and it was University Hospital of Utah. They plugged them in and they got breached right away, because most of your chipsets come from China. Most your malware comes from China, it’s already infected and the government doesn’t regulate any chipsets. So you’re coming already with malware embedded and there’s no way to test it.
0:14:39.4 FA: So therefore, they plugged it in. If they would have VLAN. I VLAN my whole network. So, any system can only talk to a control, cannot exit the network, cannot enter the network, it only could talk within it’s only VLAN. I did it to every one of the systems, EMR systems. If you needed to do bridge the gap between the two networks, I was able to do that and I did that too. The problem is, the VLANs, people aren’t used to using VLANs and thinking, “Well, my network is secure.” It’s not. The VLANs helped me considerably and Utah… I actually helped the University of Utah talking to conference, I was in Chicago, told them the VLAN, and I actually went in and helped them VLAN it. And the guy thanked me for it. And it was an easy fix and easy fix it cost no money. Then CISOs out there, you’re gonna laugh but things stupid and you get the answer. Like I said before, in a previous statement of Mike, a car has four wheels, a frame, an engine and transmission. Whatever you put on a Cadillac, whatever with a Chevrolet, Ford, it doesn’t matter, it still has the basics. So learn the basis, get the basics covered. And if you wanna add things, sure, but CISOs are shooting themselves on the foot too, Mike, and I will tell you why.
0:16:01.3 FA: CISOs aren’t understanding. They come up the ladder, they do all these book knowledge. And they don’t have OJT. The problem is they’re gonna throw money at everything, like I’ve seen every place that I went, they have like five different end points. They have a lot of threat intelligence. So many that one of the things that I noticed and I’ve seen, and Mike and this happened with me, I had Cylance in my network and I went to Sentinel One. The CTO didn’t wanna take it out proper, just decide he was gonna do it without my advise. Well, what happened was the agents were still on, so we had Sentinel One going crazy because Cylance was still there, Cylance was catching things, Sentinel was catching network, Cylance was doing it thinking it was malware. [chuckle] Be clean, do you things the right way and you won’t have problems.
0:16:52.2 MM: Yeah, multiple endpoint softwares running at the same time can definitely…
0:16:56.2 FA: Absolutely. [laughter]
0:16:56.9 MM: That can be a fun nightmare.
0:17:00.7 FA: Absolutely.
0:17:01.5 MM: So quick one on the VLAN thing, I agree with you, as you were talking about that I was flashing back to my CCNA that I got early in my career. But I think it’s really interesting. I think the VLAN thing has been harder for healthcare than for most other places. If you go to a financial services firm, they’ve still got strong VLANing. But I feel like in healthcare, it’s the idea of risk-aversion around, if I have these two devices that have never spoken before, and maybe on separate VLANs and suddenly they need to talk when a patient is bleeding out on the table. The answer for a lot of healthcare has just been, “Okay, take out the VLANs, take out the internal firewalls, let’s make sure they’re all on a flat network, so they can always talk to each other.” But it lends to the problem that you’re talking about, like how do you see across the healthcare environment? How do your peers handle that? ‘Cause it seems like we’ve been very risk-averse for a very long time around non cyber issues but now obviously you have to consider that too.
0:17:58.1 FA: I did consider it and what happened was, I had a switch. So say they need to talk based on… That’s why I announced Cardigan at 9 AM. What happens is, based on your role, you have access, so you may be able to get between two VLANs. Say somebody underneath you doesn’t need it, cannot do it. It’s automated. So if you know that, okay, you’re a doctor and you pretty much know you’ve got to close VLANs, because we put you in Cardigan, being you’re a doctor, being a doctor of A, B and C, you know you gotta go to VLAN A, B and C to get to the systems. Because of your title and who you are, you automatically get routed along them. Now, I haven’t had a problem setting it up that way, with an IEM and automated configurations and I use the AD and the LDAP to make sure it gets done properly. I haven’t had a problem. I honestly, with the hospitals, with everything that is going on, I didn’t have a problem.
0:18:57.0 MM: You’re gonna get a whole bunch of phone calls from people after this goes live, because everybody’s gonna be like, “Hey Frank, how do I do this in my environment?” Because I mean I think that you just described… I’ve heard people say repeatedly, identity is the new parameter, and tying your network access to your identity is sort of the holy grail of Google’s BeyondCorp idea and some of the new zero trust architectures you’re talking about. If you don’t have a good identity, zero trust doesn’t work very well, but what you’re describing is really like… Is effectively the beginning of a wonderful zero trust framework that doesn’t cost you a whole lot of money. You don’t have to go to a zero trust vendor to set up what you’re talking about.
0:19:35.6 FA: Absolutely, and the other thing you said, federated trusts, you make it system to system, because if you use system to system ports, nobody could break in. I’m starting to do that now because now I realize I need to do federated trust. I did a lot of federated trust with my contractors that needed to do filling or something like that, but they still get all their data over an SFTP. So federated trust set up and I don’t have to worry about it. So these are the old ways that you really have to pay attention to. One of the things I never did, I’m gonna talk to you about the new ways. And this is funny because CTOs don’t figure it, CISOs are trying to get the CTOs know it, the CIO don’t wanna hear it and the problem is… Let me give you an example, I wanna give you an example of each one and I’ll go through my story.
0:20:23.9 FA: Medical devices, they’re considered an IOT, but they’re really medical devices. Every one of these things have been in this hospital for ages and they update the firmware, they don’t. I have firmware that’s 20 years old, their idea is if it works, it’s not broken, don’t touch it. My problem is, you still have a way to get in because those devices have a CPU that needs to get out of the internet, and when you’re going on to the internet, people have mobile units now, it’s not like years ago, the hospital was contained. It’s not contained. Now you’ve got mobile going out there and they gotta connect back to the hospital. You have doctor offices, you don’t use private lines anymore, you use VPN, it’s a lot more budgetary friendly compared to the expense of doing a private line.
0:21:14.0 FA: So therefore, you have to make sure you’re secured all the way around. These things are IoTs that work and I’ll give you an instance. We did have a hack, we had a hack that came in on a pacemaker that came back and they violated the pacemaker and a patient died, so now we got sued. I had to prove that we had all the security in place, we did not. The board then gave me money, it was 75 grand, to do… I got Medigate in and I did the IoTs and fantastic, beautiful piece of equipment. EHRs wasn’t mature enough, the other competitor. And honestly, that’s one piece medical devices. Now you’ve got people will be… Here’s my biggest thing, ready, “Don’t got no budget Frank.” I said, I don’t let BYODs on my network. Well, the chairman of the board decides that he wanted his phone on there. Everybody can have BYODs now.
0:22:10.1 FA: So now I said to them, I need an MDM, but really, I really don’t need an MDM. I don’t need an MAM, I need an NAM. He goes, “What’s that?” I said, network access management. I need to put things on people’s phones that are company-owned, that I can erase if they go away. Now, you can’t have a budget, so right now for BYODs, I’m trying to run through my NAC. I have a NAC called Forescout, and I’m actually bastardizing that network to work as an NAM and it’s working, but it’s creative things like that when you don’t have money that you have to work with. And the NAM was bought by the CTO, but I was able to put my security spin on it, which helped out.
0:22:51.4 FA: So that’s now medical devices, that’s now BYODs, here’s two killers for you. Voice systems, they’re not voice like the old kind, when you got an operator plugging a wire, so you have to take… It’s data. Every phone system out there’s VoIP or IP-based phones. That’s data. It’s easy to hack data. Guess what? People don’t realize you gotta BLAN them out as well, so I did that, I work with them to BLAN them, set them up, that was taken care of. And the first thing I got, I had people hacking into the real… We had Medigate working with the forms because that doesn’t interfere, it’s like a passive way. We had people from all over the world hacking into our… And I showed the board, okay, you got that. Now, we didn’t pay for it. So what I had, I got one year free, I’ve been working IPRs with them, I’ve been doing like what we’re doing now, I’m helping them out, and that’s how we’ve been paying for it, and that’s helping me out because that is a big one.
0:23:49.0 MM: I’ll tell you just a quick one, as a CEO of a very new vendor, customers like you are gold to us. You always wanna be able to show the top line and the revenue and all of that kind of stuff, but a customer who will engage and who will tell us when we’re not good at what we’re doing, and will give us advice on, “Hey, I need this feature, I need that feature, I need this report, need this dashboard.” Man, people like you are gold to people like us. And so what I’ve seen is, it’s funny, I think most CSOs don’t ever ask their vendors like, “Hey, can I barter?” Right? I don’t have budget this year, but maybe I could deploy you anyway and I’ll be a reference for you, and I’ll work with you and I’ll give you advice and you can use me as a guinea pig. And I think that that’s so rare we do that in this industry, and I think you’re nailing it.
0:24:41.3 FA: You know it’s funny. Were you in my office? ’cause that’s exactly my spiel to the heart. You know, I hope you get better and you give me the system, let me work through your IPRs and I’ll help you fix them. I’ll help you become the top of the line, we’ll barter. And seems to be what I’ve been doing since healthcare. I did it in the government, but we’re not allowed to do it, so I used to get my hand slapped a lot. But when I came to healthcare, and I realized I was at risk of being getting a bad name, I went to barter out and like I said, the vendors, they’re willing to work with you, they wanna improve their system, they want their name out to, “Hey, well, hey, how come you didn’t get breached? Well, I’m using Medigate. Hey, I’m using Sentinel One. I’m using Forescout and then I’m top of the line.”
0:25:24.1 FA: “Well, is there any problems, Frank?” “No, but only eight drives talk to one, and I use… ” Here’s my kicker, I even use my NAC as a SIM, I don’t have a true SIM. I built my Forescout to act as a NAC, to take all the Syslogs in, sort them out and give me… Get rid of all the false positives and I fine tuned it. So now my NAC is now a SIM as well, even though it was never a SIM, now they market it, Forescout, that you could use my NAC as a SIM and it works.
0:25:51.8 MM: That’s hilarious.
0:25:52.8 FA: So it really helps out. I mean, you get the bang of two for the buck, but I get the bang of having that system in at a comparable… Now, I couldn’t get that one for free, we did pay it, but I think I got about 25% of the cost based on me going and doing everything I need to do to help them out.
0:26:08.9 MM: Yeah, it’s a great way to do it. So as a CISO, your job is don’t get breached. They don’t always tell you how you have to accomplish that, right?
0:26:19.1 FA: Yes.
0:26:20.4 MM: And especially when they say, “Don’t get breached. By the way, you have no dollars.” You get to be creative, you gotta come up with some neat ideas. With that, I know we’re running up on time. I just wanted to thank you. And an important question, where can people find you if they wanna get in touch with you? If they wanna ask you more about how to do this on no budget and how to navigate this and how to be creative?
0:26:43.0 FA: If you go on LinkedIn and you look on my profile, Frank Attilio, I have… My son’s Frank Attilio on there as well. I’m Frank P. Attilio, but also Mike, one more last one.
0:26:53.7 MM: Yeah, throw it in.
0:26:54.7 FA: Besides the… Make sure that when you guys, when you do passwords, make sure… This is really a simple, very simple, this is going back to the basics. When you instruct your staff, please make sure that they don’t write their passwords down and don’t instruct them that it has to be so complicated, they have to write it down. One of the biggest breaches I’ve seen in the government is everybody writes their password under the keyboard. Well, anybody could get… So what happened one day. Short story. One day somebody came in, flipped over the keyboard, signed in, sent a nasty Telegram email, and he got fired ’cause he couldn’t prove he wasn’t at the desk. So make sure that nobody writes it. I had that at the hospital. We had somebody jump over the desk, steal somebody’s pocket book, got their first name, last name, and they were able to log on and send information that they shouldn’t have. So keep that in mind. Simple, basic ways are key. And you’re right, anything you can do to barter. I tried like, let me see, Logarithmic, I use their freeware honeypot, I use their network monitoring. These are freeware. Freeware is a little dangerous because you don’t know what the back end is, but when you have no budget, you’ve gotta try to keep it under control. I log on every day, every darn console, and I look at every system, I follow everything up, even the CISO, my staff does too, we don’t trust anybody.
0:28:17.5 MM: To me, that’s the way you gotta do it. You gotta put in the effort, you gotta put in the work and you gotta do that. Frank, thank you again for being a guest today. Very informative, and I’m sure the audience has learned a ton. I’m sure people will reach out to you and ask a bunch of questions as well. Thanks again for the time today.
0:28:33.8 FA: No, you’re welcome, Mike, anytime.
0:28:37.0 MM: Up next is the latest installment of Vital Signs, where the Scope Security team shares their insights and advice on issues we think the healthcare security community should know about.
0:28:48.3 MM: We talk a lot about the difficulty of healthcare security, but I don’t think most security folks that aren’t in healthcare understand why it’s so difficult. One of the main reasons is that healthcare often exists as three separate security domains, each with its own set of challenges. The first domain within the modern healthcare environment is the traditional IT environment. It’s the laptops, the desktops, the switches, the routers, the firewalls, etcetera, that exist in literally every modern corporation. Healthcare is no different than your average financial institution or technical company in this way, the healthcare security team has to worry about phishing their users and exploitation of vulnerabilities in servers, malware, just like everybody else.
0:29:29.1 MM: The second environment is one that you hear a lot about, and we talk about it a lot, clinical technology, and the short hand is often to talk about medical devices. And as you know, we talk a lot about the challenges of this environment, out-of-date operating systems, systems that don’t have patches available or can’t be brought into your modern security environment, that you can’t deploy security technology on. In a lot of ways, this environment is akin to the operational technology or OT or IoT environment that you hear a lot when you talk about those who have to secure factories and other industrial control systems.
0:30:05.3 MM: The third environment though, is the center of the healthcare ecosystem, the Electronic Medical Record system or EMR. The EMR forms the beating heart of the modern hospital technology environment and also holds all of the patient data, not only the patient’s PII, like their address and their birthdate, but also their financial data, records of every interaction between the patient and the doctor, medications that the doctor prescribes, literally every activity that happens in the entire health system. A breach of the EMR is the ultimate breach of the hospital in that all of the key data is stored there. As a healthcare security leader, it’s not enough to simply secure one of the three environments. To build a modern healthcare security program, you have to have a strategy for securing all three. Most importantly, you need to have security controls that allow you to track an attacker as they move from one environment to the other. The modern breach scenario is an attacker who phishes a laptop and then uses that laptop to compromise a medical device, and then uses the medical device to access the EMR and steal the data, that’s the nightmare scenario that every healthcare CISO has to live with, and that’s the difficulty of securing healthcare.
0:31:12.8 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]