Looking Back at 2021: Ransomware Attacks and More
In this bonus episode, Mike shares updates about the exciting developments coming from Scope Security and looks back at the recurring cybersecurity topics of this past year, both on our podcast and out in the world! Of course, it wouldn’t be an end-of-year episode without 2022 predictions. Thank you for tuning in this year! We’re excited to bring you more exciting topics and conversations in the coming year.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
In this episode of In Scope, Mike Murray looks back on a year filled with an equal measure of hardship and opportunity, and how 2021 ultimately turned out to be a fantastic year for Scope.
Over the last 12 months, Scope was truly able to scale, now serving a plethora of customers from small, innovative healthtech companies all the way to traditional hospitals. “We’ve delivered on the promise this year,” says Mike. “We’ve been finding attacks across clinical devices, across clinical information systems, […] and finding misuse and insider threat through the EHRs; as well as seeing behaviors in those clinical devices through the EHR.”
Mike then speaks on the growth of the podcast and what has clearly emerged as the “theme of the year”: ransomware. Virtually every guest, no matter their role in the world of healthcare, has touched on ransomware on some level. And as ransomware is effectively the tip of the iceberg with regard to healthcare cybersecurity, Mike unpacks what he considers the “three technology environments” in this space: traditional IT, clinical systems, and EHR.
Mike attributes the persistent and universal issue of ransomware to the fact that it is a topic that has never been particularly “interesting” and that it is only when an oil pipeline shuts down that ransomware finally catches the attention of the average Joe. To bring even more perspective, Mike cites the alarming statistic that 25% of the hospitals in the United States have been shut down at least once in the last three years by a ransomware attack. If the same happened with banks, this would be a national emergency. Yet, why do we barely notice when it comes to our hospitals?
This question was answered by our previous guests Christian Dameff and Jeffrey Tully. The two MDs explained that if a hospital is shut down, that is a regional problem, not a national one. And so, the reason ransomware is attracting more attention this year is that hackers have been hitting targets that have a more national influence.
Finally, Mike gives his end-of-year predictions, including ever-increasing investments in new technologies to drive patient engagement such as telehealth solutions. He adds the warning: “With innovative products come new vulnerabilities and new opportunities to be attacked. As these health systems create more threat space, as they create more attack surface, we’re going to see more attacks.”
“Ransomware will not disappear. It will change. The really interesting question is: How?”
– Scope’s fascinating 2021.
– The In Scope podcast’s “theme of the year”: ransomware.
– Mike explains the three technology environments.
– Ransomware is not a new problem… but it’s never been “interesting”.
– Mike’s end-of-year predictions.
– Making ransomware less profitable.
– The goal of every cybercriminal.
– The episode wraps up, and Mike addresses what is to come in 2022!
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.5 Mike Murray: Hello. And welcome to this week’s episode of In Scope, The Healthcare Security Podcast. This is gonna be a different episode. It’s the end of the year and I wanna start by saying, Happy Holidays to everyone. It’s that time of year and when our podcast producer, Phil, and I were talking about not having any guests, ’cause everyone’s on holiday, we decided that we would just take a page out of Mike Florio’s book. Mike Florio does the Playmakers Podcast, and he’s usually one of these guys that always has guests on his podcast, and he has these podcast episodes where he just gets on and talks, and so we decided that I’m just gonna get on and talk and we’re gonna see where we end up. So at first, let’s just say Happy Holidays again, because 2021 has been quite a year. And it’s been quite a year for all of us, and I think everyone is in that point for looking forward to a well-deserved holiday. And 2021 has been a huge year for me personally and for the folks at Scope. We don’t talk about Scope Security much on this podcast because most of the time I’m so fascinated by our guests, I just wanna let them talk. And I just wanna hear all these really smart and interesting and brilliant folks tell us about everything that they’ve had to say over the course of the last couple of years. But it’s been a fantastic year for Scope, this has been the year where we really started to scale the business.
0:01:36.4 MM: We really started to serve a whole bunch of different customers, everybody from small health tech companies that are doing innovative things in healthcare and needed our help with cyber security for their way of care delivery, all the way to traditional health systems and hospitals. And we’ve delivered on the promise this year. We’ve been finding attacks across clinical devices, across clinical information systems, across EHRs, and finding misuse and insider threat through the EHR, as well as seeing behaviors in those clinical devices through the EHR. It’s been a fascinating year. And looking forward to next year, we’ll have some updates on Scope sometime in Q1 that will probably be interesting for the audience. But I’m not going to steal our thunder by sharing that now. Consider this Shakespearean foreshadowing. So that’s been Scope this year, but let’s talk about the podcast a little bit. We started this in the middle of the early part of COVID, mostly just as a way to get out there and talk to all the people that I would normally go have these conversations at a conference or at a meeting or something. And getting to share them with an audience has been a really cool and interesting process. We brought on the most amazing podcast producer this year. Their name’s Phil, and you’ve heard me mention Phil before.
0:02:49.0 MM: Phil’s been incredible and helped us out so much. And we’ve just had these incredible guests from folks that are living it on the health system side, to privacy lawyers, to just everybody across the ecosystem. But it’s interesting. When we think back to it, I think about a bunch of themes, and it’s hard not to have ransomware be the theme of the year. Regardless of who you talk to in healthcare, it’s a conversation about ransomware at some level. I don’t necessarily believe that that should be what we’re talking about all the time. I think ransomware is the top of a very large iceberg beneath it that really speaks to the challenges of detection and response in the modern healthcare environment. But it’s hard to escape, and so what I think has been really interesting is whether we were talking to Kai Bernardini about how ransomware groups exist, or whether we’re talking to a Christian and Jeff from the MedSec perspective, and they were talking about what it’s like to live through a ransomware attack internally, it’s been such a fascinating conversation about why healthcare is so special from a ransomware perspective. And I talk about that a lot, specifically that the healthcare environment is actually not one technology environment, but it’s three. It’s traditional IT stuff, and IT stuff we have good security for.
0:04:05.3 MM: I love to say that CrowdStrike works on a laptop in a hospital, just like it works on a laptop in a bank. The interesting thing from the healthcare perspective is that IT stuff is really only 30%-40% of their network. Then you’ve got the clinical systems, the medical devices, the PACS and the RIS, and the lab systems, and all the stuff that makes up the actual technology that we use to deliver care. And for that, there’s really less cybersecurity capability. Those devices aren’t necessarily designed well. A lot of them are old. We wrote a whole paper in 2020 about all the challenges around clinical technology and why that’s so hard. There are starting to be solutions for those products. There’s the Medigates and the Ordrs and the Armises, and there’s so many, Cyleras, Cynerio, that have evolved that are effectively firewalls for those devices. And those solutions are great. We’re big fans of a lot of those companies. Medigate got purchased a while ago by the folks at Claroty. And it’s such an interesting space, but I’ve always said, if the only thing you have is a firewall, that’s not really a cyber security strategy, right? You need more than that. You need more visibility than a firewall can give you. So they’re an important part of the ecosystem, but then there’s the third technology environment, and that third technology environment is the EHR, the Electronic Health Record System.
0:05:23.9 MM: And not just Epic and Cerner. Everybody thinks that Epic and Cerner, when I say EHR, that’s where their brain goes. But it’s not just that. It’s the patient portal. It’s the FHIR APIs that we talk to John Markey and Alissa Knight about earlier this year. It’s the interface engines and all the old HL7 stuff, and it’s rev cycle, and literally anything involved in moving health records around the hospital and the health system. Anything involved in moving the patient’s records is part of that EHR system, and for that, there’s almost nothing to help secure it. You can put EDR on the servers, and you have network controls, but those network controls don’t understand HL7 and they don’t understand FHIR and they don’t understand any of those products. And almost nothing is there to actually give you visibility into what’s happening in the application space. And so if you think about what a health system has to deal with and why ransomware runs wild, it’s really because if you go into a Bank of America or some financial services firm and you look at their Splunk dashboard, Splunk has visibility into 90% of the things on their network. You walk into a health system and they have Splunk or LogRhythm or IBM QRadar, whatever their SIEM is, it has visibility into 40% or 50% of what’s on their network. And that’s really the difference. That’s why we see healthcare shut down so much more than traditional IT-based businesses.
0:06:49.1 MM: And the funny thing about this is, ransomware has been the scourge of health systems for four or five years now. I was having a conversation recently online with Nina, who y’all will remember that Nina runs the Biohacking Village, and we’re big fans of her work and everything that happens over at Biohacking Village. And she was mentioning that she’s been talking about this problem since 2014. It’s not that ransomware for healthcare is really a 2020 and 2021 problem. This has been a problem going all the way back, but the interesting thing has been, it’s kind of uninteresting. There was never a 60 Minutes story on ransomware until an oil pipeline got shut down. Colonial Pipeline earlier this year, right? Then ransomware is interesting to the average person. Then the government decides to get involved. But all of our health systems… I quote a statistic a lot that I saw in Becker’s, and I don’t know the origin of the statistic beyond that, but that 25% of the hospitals in the United States have been shut down at least once in the last three years by a ransomware attack. And you imagine if 25% of the banks in this country had been robbed or 25% of the oil pipelines in this country had been shut down, what would the response be, what would the media response be?
0:08:04.4 MM: Whereas when that happens to hospitals, we barely notice, and it was really Christian and Jeff that actually mentioned why this is the case. And this is why I love this podcast, that everybody’s so smart to come on and talk. And we were talking to them, and if you go back and listen to their episode, they were talking about how health systems are a local emergency. If you shut down a hospital, that is a regional problem. It’s not a national problem. And far too often, even when UHS was shut down, and UHS is a huge health system that affects many, many communities, it was still pretty regionally contained. And so it doesn’t become national news. It doesn’t affect every single person when it happens, and because of that, we seem to miss it. And the security of health systems has been for the last five, six, seven years, a real challenge. But that challenge is local and it spreads locally. If one hospital in a city is shut down, it impacts all the other hospitals in that city, but it doesn’t impact people on the other side of the country. And so it seems that ransomware has gotten a lot of attention this year, much more because the attackers have started to hit targets that are more nationally-based. And so suddenly you have federal government involvement and you have sanctions against various attackers and arrest warrants and all that sort of thing.
0:09:27.8 MM: So everybody loves to do end-of-year predictions. I tend to really not be a huge fan of the end-of-year prediction episodes, but I’m gonna get sucked into it because I just talked all about what the themes of 2021 were. Let’s talk about what I think 2022 is going to bring. And by the way, the first one’s pretty easy. It’s pretty easy for me to sit here and say healthcare’s gonna get attacked more. I don’t think that the bad guys are going to be retiring any time soon, and I think health systems have been so vulnerable over the last few years. And health systems, in the last couple of years, have really been investing in all kinds of new technology. We talk to Alissa about FHIR and the challenges with that one piece of new technology. But if you walk into a modern health system and talk to them about what they’re doing. They’re fighting for patient volume. They’re fighting to work on driving more patients into the health system. And so they’re building all of these digital strategies. The phrase you hear a lot is Omnichannel digital front door. And you understand that health systems are investing in all this new technology to drive patient engagement. They’re driving telehealth. They’re driving the ability to send medical devices home and monitor the patient at home, called remote patient monitoring. They’re driving all of this innovation.
0:10:48.6 MM: Well, with innovation and with innovative products come new vulnerabilities and come new opportunities to be attacked. And I think that we’re going to see, as these health systems create more threat space, as they create more attack surface, we’re gonna see more attacks. And we’re gonna see new attacks and different ones. And unfortunately, because it’s all new technology, most of that’s not easy to monitor. If you have Splunk, good luck getting the logs out of your new cloud-based chemotherapy product into Splunk in a way that will be able to be detected. And I’m not picking on Splunk, by the way. They’re just the big market SIEM and they’re like the biggest name. Same thing goes for QRadar and LogRhythm and all of the others. That’s not their world. Their world isn’t figuring out how to be a SIEM for innovative healthcare products, it’s being the best SIEM for everybody. And so those new technologies are gonna be hard to monitor. And we already saw earlier this year, I said innovative chemotherapy, cloud-based chemotherapy product, there was one of those that got breached earlier this year. And so I think we’ll see more and more of that kind of thing, more and more new and interesting attacks, because there’s just more new and interesting technology being deployed within health systems.
0:12:04.4 MM: I think the other one is that ransomware authors have been targeted by the US government in the last six months, and because of that, I’ve already seen people start to talk about how the ransomware authors are looking for new business models. Maybe that’s not attacking the United States. Maybe that’s attacking in different ways. There’s a rise in new types of attack. I’ve seen that phrase kill-ware thrown around over and over again in the last couple of months. I don’t know if I like the FUD behind that, but the idea that as we make ransomware less profitable or more fraught with risk… Five years ago being a ransomware author was probably a pretty cushy life. You collected lots of money and you didn’t have a whole lot of risk. Suddenly Interpol is out to get you if you get on a plane. Okay, well, if ransomware becomes more difficult and ransomware becomes a more fraught activity, a more risky activity, well, I like to make jokes about things, but obviously this is not a thing to make a joke about ’cause it’s not really funny, but it’s true. It’s not like those guys are gonna go get day jobs. The ransomware authors aren’t suddenly gonna be like, Oh, I’m gonna go be a software engineer at Scope instead of doing ransomware because that’s not profitable. But they’re just gonna find new ways to be cyber criminals.
0:13:20.8 MM: I’ve been in security for getting close to 25 years, and in the entire time I’ve been here, the attackers have never quit and decided that crime doesn’t pay, and we’re gonna go be upstanding citizens. It’s just shifted, right? It has shifted from stealing credit cards to stealing identities, to selling botnet to now ransomware. It’s not going to disappear. It will change, and the really interesting question is how? I used to teach courses on security and I used to say that the hardest thing for a cyber criminal is figuring out how to turn an information asset into dollars. And that has always been the challenge, right? And that’s always been the goal. The goal of a cyber criminal is to take the information that they can gather illicitly, or the access that they can gather illicitly, and figure out how to get paid for that. And ultimately, ransomware’s been a very efficient way to do that. I can get access to your information, I can lock that information down, and I can get you to pay me money for it. Well, if that starts to be less profitable or more difficult, there will be a new way that bad guys figure out how to turn information and access into dollars.
0:14:34.7 MM: We just don’t know what that is yet. And so, my prediction for ’22 is that we’re going to start to see new business models. There will be a new model for what bad people do. With that cheery thought, with that cheery happy note from me, I’m gonna close this out. And I’m going to say Happy Holidays again. And for all of you that are in security and health systems or want to be, I wish you a very restful holiday season because you’ve had a very long year and you had a very long year last year. And I hate to tell you, but it’s gonna be a long year for us next year. It’s gonna be a long year for us at Scope. We every day fight this battle on behalf of our customers, and it’s gonna be like that next year and there’s gonna be more customers, and there’s gonna be more battles, and there’s gonna be more attackers to stop. And that’s really what ’22 is gonna be about. It’s gonna be about new and interesting encounters with our cyber enemies for all intents and purposes. That was a cheesy metaphor, but we’ll keep it.
0:15:42.3 MM: With that, I wanna say Happy Holidays. I wanna thank again, Phil. You are absolutely the most incredible producer anyone could ever ask for. My team at Scope, every single one of you from our leadership team, Roy Ross, Jeremy Creck, Mike Myers, who runs our SOC, all of the people that have joined the team over the last year, everybody who’s been involved in our incredible team of investors. Everybody from Kareem at Thrive, who’s my thought leader and thought partner and favorite person to talk about healthcare security with, all the way to everybody that’s ever talked to us, and every single one of our customers and partners out there in the world. I wish you all the happiest of holidays and a very restful time and looking forward to continuing it with you in 2022. To you who’s listening, if you listened to this whole episode, wow, I just talked straight for 20 minutes and apologies for me droning on this long. But thank you again for listening. We do this so that hopefully we’re entertaining and hopefully we teach you something. And look forward to doing a lot more episodes in the New Year. And with that, Happy Holidays, one more time, regardless of which holiday you’re celebrating this season, and I look forward to seeing you next year.
0:17:02.4 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, pop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUEST
Mike Murray is the founder and CEO of Scope Security, the healthcare security company. At Scope, Murray builds on his nearly two decades of experience leading teams of highly skilled security professionals to solve critical security problems in healthcare.
Throughout his career, Murray has helped discover some of the world’s most notorious breaches and nation state threats, and is sought out by industry, media and security teams for insights on today’s most pressing issues in cybersecurity.
Prior to founding Scope, Murray served as the Chief Security Officer at Lookout, where he presided over the protection of nearly 200m mobile users and their data. Previously, he led Product Development Security at GE Healthcare, where he built a global team that secured all of GE Healthcare’s portfolio of pre-market medical devices and services. Murray also co-founded The Hacker Academy and MAD Security, and has held leadership positions at companies including Lookout, nCircle Network Security, Liberty Mutual Insurance and Neohapsis.