Ransomware Roundtable with the Scope Security Team


In the wake of a number of devastating ransomware attacks against hospitals, our experienced threat hunters discuss why ransomware is on the rise, and how health systems can protect themselves.


Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.

Today’s episode of In Scope is a unique one: host Mike Murray interviews a couple of members of the Scope Security team rather than an external expert in the healthcare security field. Mike speaks with the Head of Threat Intelligence, John Daniele, and the Chief Architect, Jeremy Richards, about what they’re seeing today in terms of ransomware and threat intelligence in the healthcare space. This conversation is particularly relevant in light of recent attacks and the news that has circulated about them.

As the conversation gets underway, Mike asks John to describe and provide his thoughts on the landscape of healthcare security as he’s observed it in the news over the past few months. John specifically shares about the recent UHS attack, which may have involved Ryuk ransomware, and explains both how he’s found he didn’t know as much about Ryuk as he thought he did and how the interconnectedness inherent to a healthcare system makes a Ryuk attack potentially devastating. John goes on to talk about the ability of live threat actors to maneuver through an environment as a necessary factor to incorporate into threat assessment.

Jeremy continues this line of thought, sharing about the evolution of intelligent ransomware. A major difference between the attacks of today and those of a few years prior is that it now feels like things are becoming specifically targeted. And there have been plenty of attack samples to consider, as recent weeks have seen a string of attacks. Further, attack evolution has brought with it the development of double extortion. As Jeremy explains, attacks often involve three different aspects working together: first, an initial infection employs something like Emotet. Next, Trickbot may be used to move laterally across a network and perform data exfiltration. Then, ransomware such as Ryuk is deployed and a ransom note sent.

Attacks have grown in their complexity, which makes protecting against them more complicated. With modular and extensible platforms now available to attackers, and with the increasingly polymorphic nature of ransomware, there is a need for more evolved tactics and techniques from a blue team perspective. There is already a playbook for recognizing and dealing with compromised machines, and healthcare leaders need to make maintaining visibility into their environments a high priority.

Looking ahead, John explains that he expects we are on the cusp of an increase in campaigns; he’s concerned that attackers are seeing room to extract significant revenue from hospitals, which have a high incentive to deal with ransomware attacks quickly in order to get back online. Unfortunately for hospitals, they are also unable to recoup time lost in the same way as other businesses. Mike wonders what he and Jeremy would suggest to a CISO looking to prepare for a possible attack, and they touch on such necessary priorities as detailed forensics, asset discovery, inventory management, and passive vulnerability scanning. Overall, the two recommend visibility of all three healthcare environments.

As the conversation moves toward a close, Mike asks his guests to look ahead five years and predict how things will play out on the stage of healthcare security. Jeremy and John have mixed opinions; Jeremy thinks things are trending in a favorable direction. However, John has concerns about what will come in the future—concerns rooted in such issues as a perceived deficiency in CISO succession plans. Listeners may not know what will come, but they are left with much insight to work now for a secure healthcare space.


– Mike introduces the episode and his guests.

– What is John seeing out there and what does he think about it?

– Jeremy comments on the evolution of ransomware and how different elements of an attack work together.

– There is increasing complexity within attack platforms, and this calls for new methods of protection.

– There is a playbook to follow, as well as a need for visibility.

– What will happen in the months ahead?

– John and Jeremy provide ideas for how a CISO can prepare for possible attack.

– What will things look like five years from now?

0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.

0:00:20.2 Mike Murray: Welcome to this week’s edition of In Scope. I’m Mike Murray, as always… This week, we have a bit of a different episode. As we usually have all of our external experts, this week, I’m joined by a couple of members of the Scope Security team. Because with all the stuff that’s going on right now around ransomware, we wanted to talk a little bit about what we are seeing and a little bit about threat intelligence, a little bit about how to detect the ransomware if you’re a health system or up against it.

0:00:49.6 MM: And so, I’m really lucky to be joined this week by our head of threat intelligence, John Daniele, and our head of AI and all things security AI, Jeremy Richards. And we’re gonna talk about the things we’re seeing at UHS, the things that have been in the news and probably what’s behind it. Some information about the threat actors themselves and about the tools, and why this has been such a challenge for healthcare.

0:01:14.7 MM: Just a quick note, if you haven’t checked it out already, we also released a white paper on the ransomware challenge the healthcare folks face. So check it out on our LinkedIn and on our website. But with that, there’s a lot of healthcare news around ransomware and attacks and breaches and the like. John, I’m gonna throw it to you first, and maybe you can tell us a little bit about what we’re seeing out there and what you think about it.

0:01:42.9 John Daniele: Well, it’s been a pretty exciting few months in cyber security in healthcare, with the attack against UHS occupying the news cycle lately, with rumors that the Ryuk malware was used at UHS. So that’s quite interesting. I had spent a couple of years looking at Ryuk and dealing with the Ryuk threat actors. I felt that I had a keen understanding of how the malware campaigns work and the different components. But after taking a look at what people are saying about UHS and Ryuk, I feel as if I know nothing about Ryuk all over again. There are so many new additions, different kinds of features that have been added. It seems like the same lateral movement techniques, still using SMB and RDP to laterally move, but definitely the inclusion of some additional techniques that I don’t remember seeing before in previous Ryuk infections.

0:02:45.2 JD: And given the connected nature of hospital environments, I could only imagine how quickly Ryuk would move through an interconnected UHS environment. When you have the enterprise IT environment so intrinsically connected with the Clinical Technology Environment and EMR systems… When you factor all that together, it sounds like a really devastating kind of impact for a hospital to experience something like Ryuk. And the one thing that I don’t think most people are keenly understanding when it comes to threat actors like Ryuk, more advanced ones, like EMOTET and the folks that are using these kinds of campaigns, you’re ostensibly dealing with a live threat actor behind that platform.

0:03:35.7 JD: So although there’s automation that’s used in some of the initial stages of that attack, the attacker is also evaluating what they’re getting from that system in that environment, and they’re modifying their techniques accordingly. If they wanted to pivot to a particular machine, they can download some additional module updates and pivot to those machines if they wanted to use particular credentials, they have the ability to do that. It’s fairly extensible as an overall platform.

0:04:02.2 JD: And that’s something that I don’t think most victims of ransomware keenly understand. And certainly, I’ve been in the room where threat assessments are being done to try to figure out what is the real risk to the organization. Because perhaps we’re not aware of any sensitive information that’s been touched. Where our crown jewels are, that hasn’t been encrypted. But what’s not being factored into risk assessments is the ability for the threat actors to use something like Ryuk to pivot and maneuver at will.

0:04:35.0 JD: And I don’t think that that’s keenly being factored into the equation. But I’ve seen ransomware authors leverage that platform and maneuver through an environment. Not in an automated fashion, but really making some key discernments in terms of where they go next. What’s that next hop? What is it they’re trying to exfiltrate from that machine? What are they looking for? You can clearly see the telltale signs of some intelligence behind some of those maneuvers, especially days into the attack.

0:05:14.4 MM: And that intelligence is really a new evolution. In the early days of ransomware, obviously it was a lot less intelligent. Jeremy, you have a lot of insight on to how this has sort of evolved, maybe you wanna jump in and tell us a little bit about where did Ryuk come from? Where is this intelligence evolving from?

0:05:33.3 Jeremy Richards: Yeah, sure. So hospitals and healthcare networks being compromised and shut down isn’t brand new. Possibly one of the most notable is back in the WannaCry days, back in 2017, 2018, when the British healthcare system… It wreaked havoc. So there is that problem. NotPetya hit some US health systems in 2017, 2018, but it never felt kind of targeted. It kind of always felt like they were swept up in the whole scanning.

0:06:10.6 JR: But recently it feels like things are becoming targeted. So 2019… I’ve just read a stat to prepare for this… But 2019, it was 764 healthcare providers were hit by ransomware in 2019. That’s insane. I don’t have numbers for 2020, but I’m sure it’s going to be higher. Last year was a record year… 2020’s been pretty insane across the board. So I’m sure that things haven’t gotten better in the ransomware game. And we’ve seen that, right? So we talked about putting this podcast together because of the last four weeks. There is September 15th, University Hospital of New Jersey, hit with TrickBot and SunCrypt. And then five days later… What was it? The… Universal Health Services… September 18th was the University Hospital in Dusseldorf, Germany.

0:07:03.9 JR: So it’s been rapid succession. There’s been four or five of them in a row, just in the last month. And I’ve been kind of trying to figure out what tools that they’re using. What’s the most popular in the health care sector. And it’s definitely looking like, Ryuk for ransomware, TrickBot still for going laterally across a network, and EMOTET, still is very popular.

0:07:30.6 JR: One of the evolutions though, that I found really interesting was the Conti evolution. And what we saw with the university hospital in New Jersey, where they’re exfilling data… They’re actually stealing the data before they encrypt. And it’s like a double extortion, it’s a double whammy. And so they’ve actually leaked records. It’s concerning that that… That’s going to be a trend that develops.

0:07:57.7 MM: And so you mentioned… And either of you can jump in on this. I’m not gonna pick who talks. But you mentioned EMOTET, TrickBot, and Ryuk. And those are names you hear a lot about. And they’re usually… You hear a lot about them together. Maybe explain to the audience, and whoever wants to take it… Explain to the audience, what is that relationship? Why are those things always heard together? And how do they play when you think about an infection?

0:08:26.0 JR: Rock, paper, scissors? [chuckle] I’m happy to start. So to compromise or to get the ransom campaign started, there needs to be some kind of initial compromise. So either you’re gonna go in phishing, which is the EMOTET. Or you’re going to compromise something external. So the recent attack in Germany, it was a Citrix vulnerability. And then after you’ve got… After you’ve compromised a single host, you’re looking to move laterally. So you need some additional tooling around that. And that’s typically going to be something like a TrickBot. They’ll install TrickBot, and they’ll search the network. They’ll look for the keys to the kingdom. They’ll look at what’s operationally going to hurt if it comes grinding to a halt. And now, apparently, there’s another step of data exfiltration, where what’s going to hurt if we leak?

0:09:19.9 JR: So they take their time, I imagine, to find this data, exfil the data, and then when they’re ready… When they know that they’ve found the systems that are going to hurt, that’s when they deploy the ransomware. That’s when they deploy Ryuk. And Ryuk’s all about taking care of encryption, making sure that files can’t be recovered. And then they drop their ransom note.

0:09:44.6 JR: Interestingly, actually, the attack in Germany, it was a university hospital that was compromised and shut down, but the ransom note was to the University. They had no idea that they had hit a hospital somehow, and when they were contacted by the German police during the ransom negotiations… When they found out… They actually gave up the encryption keys on the spot when they found out it was a hospital. So I thought that was kind of interesting, but the ransom letter was addressed to the university and not to the hospital.

0:10:18.0 MM: Nice that the criminals had a conscience there. John, with that, and combining that with what you said about the intelligence behind it… And when you think back to the olden days of NotPetya, and that sort of ransomware where it was all one step… Does the complexity of multi-stages and the intelligence behind it make it harder to detect?

0:10:39.1 JD: I think certainly it makes the attacks more sophisticated. It ensures that the attackers can be much more resilient, as well. So at the end of the day, you might be able to detect an infection in one portion of the network environment and you’ve isolated those infected hosts. But because of the different components that go along with more advanced versions, more modern versions of malware, they can change what they’re doing on the fly. So as a result, you might have found one technique that they’re using and you swat that down, but then you missed perhaps one machine somewhere in the network, and all of a sudden you have a new infection being spawned with a completely different attack technique that’s being leveraged.

0:11:29.3 JD: So I think that’s the danger. And the way to think about this, in terms of TrickBot… It’s really… It’s a module-based crimeware platform. So it’s very extensible, and it allows different kinds of updates to be downloaded and run. So different kinds of modules. EMOTET, essentially was a module that was downloaded through the TrickBot trojan. And EMOTET, Ryuk, are essentially those module updates that were so related to TrickBot in the initial stages of that threat group essentially leveraging the platform.

0:12:07.5 JD: But these platforms, as I said, they’re modular, they’re very extensible, they can download different features and functionality. If they want to be able to gather certain credentials using a particular technique, they can signal essentially to those infected endpoints and say, “We’ve got another update. Download this. Execute it. Run it.” If they wanted to get a more interactive shell on a box… These are all things that can be leveraged through the toolkit.

0:12:36.9 JD: Now, not every victim is necessarily going to witness some of these advanced features and functionality. Sometimes it’s just the basic features that you’ll see in an attack. But certainly in previous infections outside of healthcare, I’ve watched Ryuk threat actors move through an environment laterally. And there seemed to be much more intelligence behind their actions rather than just simply an automated set of actions that were being performed just according to a particular script.

0:13:10.8 MM: Well, and now we’re seeing them evolve even further, right? You were mentioning that potentially, we might even be seeing them evolve their tool chains beyond EMOTET, and TrickBot, to include other sorts of tools. And the interesting… The interesting thing from where I sit is if you have human intelligence behind it and they can continually be modular, it becomes… It’s not like you’re looking for a specific signature or a specific behavior pattern, but each attack could potentially be different, right?

0:13:42.9 JD: Well, certainly, if you take a look at modern ransomware infections, there’s increasingly a polymorphic aspect to it. Which means that the initial dropper files that are downloaded and executed will have a completely different file signature each time it runs. Or the malware components will have randomly generated attributes that can’t be easily captured using a static detection rule.

0:14:07.5 JD: So for example, crimeware dropper kits such as TrickBot or Q-Bot, which commonly spawn second stage malware payloads like Ryuk or EMOTET, that have been implicated in a number of the healthcare-targeted breaches that we’ve seen today will have polymorphic features that completely evade simple rules-based detection or signature-based detection.

0:14:31.6 JD: This means that you can’t just get rid of it from your environment by looking for these static signatures related to those malware components that you’ve found, because these components could also be wrapped in a polymorphic container with a completely different file signature associated with it. So the next thing you know you have infections across another segment of your environment because you failed to identify these polymorphic variants of the ransomware you’re dealing with. So what this means is, at the end of the day, organizations that face off against modern ransomware need to move away from static detection towards more dynamic approaches. They need to be focusing much more on the behaviors that the malware exhibits rather than focusing on, “Let’s find this particular file signature.”

0:15:19.9 JD: And that’s essentially where we need to evolve our tactics and techniques from a Blue team perspective. We need to look for the behaviors that the malware exhibits live, and we’ll have a better chance to detect that kind of threat activity. At some point the malware needs to make certain library calls or modify registry keys in order to maintain persistence. So we need to look for these things and assess them and ask ourselves, “Is this indicative of a threat?” And at the same time, we need security operators that know how to sift through data with a fine-toothed comb, inspect it with a magnifying glass. These are the kinds of approaches that modern Blue team-ers need to start using in order to catch up to and disrupt the activities of the modern bad guy.

0:16:06.7 JD: At the end of the day, organizations that are faced with modern ransomware, they need to move away from static detection and move much closer towards a dynamic approach. They need to be focusing much more on the behaviors that this malware exhibits rather than focusing on, “Let’s find this particular malware component because it has a certain signature.”

0:16:31.9 JD: That’s where we need to evolve our tactics and techniques from a Blue team perspective. We need to look for the things, the behaviors, the signs, the symptoms that the malware exhibits live, and we’ll have a better chance of being able to detect that activity. So an unauthorized change to a registry key. If you know that you’re not doing any significant update on a machine and there shouldn’t be massive numbers of registry keys changing or at least 10 different locations at a condensed period of time, those are the things that you might be able to look for to say, “Hey, we’ve got a machine where some new registry keys were created.”

0:17:15.2 JD: “We need to assess that. We need to look at that.” Is this indicative of a threat. Those are the kinds of questions that we need to begin to ask ourselves. And look at things more with a magnifying glass and a fine-toothed comb, essentially at the end of the day. Those are the tools that modern Blue team-ers need to use in order to catch up and disrupt the activities of the modern bad guys.

0:17:41.8 JR: There’s no doubt that a compromised workstation is acting differently on a network, right? Like this host is searching for other hosts. That’s not normal activity. With net flow, with being able to look at the traffic… It’s a very different traffic from usual. And yes, there are different components that can be loaded, but there’s a kind of a playbook for doing this recon.

0:18:13.2 JR: After you’ve compromised a machine, dump all the browser passwords. That’s lateral movement. Dump browser passwords and dump local accounts. Look at all of the current connections. So you look at all the file shares that you’re currently connected to and then start scanning for more. So if you’re looking at the right logs the right way, that kind of lateral exploration is… It… If you look at it the right way, it definitely filters to the top.

0:18:45.0 MM: So one of the challenges I think that healthcare has that other environments don’t have, and we talk a lot about this inside of Scope, is visibility onto the environment. You both just said something really interesting. You talked about, “I’m looking for behaviors on a host.” Well, how does that play when you’re talking about a medical device or a part of the EMR infrastructure where you’re not looking at the behaviors on the host? Is there any way to contain this kind of infection, if you’re only looking at the IT environment?

0:19:17.0 JR: No, because it’s not just the IT environment that’s impacted, right?

0:19:20.4 MM: So what do you do?

0:19:21.8 JR: They still emit logs, they still emit behavioral characteristics, and they’re still attached to IT devices. So you get telemetry from them that you build behavior baseline analytics on, and you go from there and you do the same thing that you would do with your traditional IT. You pull the logs from them as well, so that you can have that whole picture of what’s happening.

0:19:49.1 MM: So let me flip this to a different direction. What do you guys think is gonna happen in the next couple of months, in the next three to six months? How is this gonna evolve, how’s this going to increase, especially during the time of Covid? People are talking about Covid coming back for the fall and the winter. Are healthcare organizations going to be resilient to this, or do you pull out your… The first part of your crystal ball, ’cause I’m gonna ask you more in a second. But what do you guys see in the next six months? Is this better or worse, the same? Maybe… John, I’m looking at you, you get to be predicting first.

0:20:24.7 JD: I think we’re at the cusp of an increase in campaigns. Certainly we’ve already seen that within the last several weeks that we’re up to, at least a number of hospitals that have been compromised in a condensed period of time. UHS is an example of a nationwide campaign. We haven’t really seen that before within healthcare, even though there have been some large-scale attacks against healthcare institutions, so I think that… I think the trend is definitely an upward trend. I think that as new threat actor groups realize that there’s a possibility of extracting value and money from organizations that are focused on healthcare, because they’re special organizations in the sense that the infrastructure that they manage is connected to clinical environments, and you’ve got blood monitors, and PACS workstations, and MRIs, and all the sort of tools, these tools and technologies that need to be online, need to be available, and if they are not online and not available for any length of time, that’s a pretty critical situation to be in for a hospital.

0:21:43.1 JD: So a lot of hospitals have an incentive to just get back operational as quickly as possible, and I think what we’re seeing right now is hospitals starting to pay those ransoms out. And I think that is gonna create a bit of a dangerous situation, because at the end of the day, the hospitals don’t have much of a choice, they need to be back up and running ASAP. And the bad guys are starting to realize, “Hey, this is a reliable source of income, because there is such a high threat environment.” And I’m a little bit fearful as to where this trend ends up. Do hospitals continue to pay, or do they find other ways of recovering their businesses? And can those businesses even survive? It’s not as if you can recoup the amount of income during a certain period of time in which surgeries are rescheduled and ambulances are diverted away from the hospitals that are being affected by these ransomware attacks.

0:22:48.2 JD: In that sense, there’s a loss of revenue that’s never gonna be recouped. So the impacts of these attacks are very different than what you would see with the financial institution that can always try to make up their numbers in the next quarter. It’s not something that hospitals can do. And so as a result, the ransomware attack against the hospital, of a certain magnitude, could spell the end of that hospital, particularly in the United States.

0:23:16.1 MM: We saw that exact pattern in Covid when hospitals had to cancel elective surgeries, it’s not like if I cancel a knee surgery this week, that next week, the doctor can do two at a time. So you never get to come back from that, and I think a lot of people don’t think about that when it comes to the hospital’s operating model for its business, that everything is so time-based that if you… You’re right, John, if you miss out on something, you don’t get to make it up, and so there’s such an urgency to be back online, to be back available. And there’s a perverse incentive, as you pointed out, if everyone pays the ransom, the ransomware actors make more money and then they do more of it because it’s successful. If you don’t pay the ransom as an individual hospital, however, you’re holding out, your patients suffer, and your business suffers. So how do we balance this global versus local problem? Where globally, if we pay the ransoms, it’s bad, but locally, if we don’t pay the ransoms, it’s bad. It’s a really interesting challenge for the hospital administrative staff and for the security leaders.

0:24:27.7 MM: So let me ask you guys a question, let me flip this into a different direction. I just deputized both of you as the CISO of a health system. What do you do about it, guys? Jeremy, you wanna start?

0:24:39.3 JR: Okay, well, so is the situation, I’m a CISO, I’ve been compromised, and I’m deciding whether or not I’m going to pay?

0:24:47.1 MM: No, no, I’m actually giving you the… Suppose you haven’t been compromised yet, you get to go prepare. What steps do you take? Or if you’re one of our listeners, one of the healthcare security folks that’s tuned in listening today, you put yourself in their position, how do you go prepare for this?

0:25:03.9 JR: So you’ve got a million point solutions to try and keep you safe. All that need to be monitored. Most of them probably aren’t. So with most of these hospitals that are compromised, there’s forensics work that’s done, and they’re able to kind of track some of the things about what happened, but that’s too late. So what I do is ongoing full-time forensics, all the time on all of the logs that the forensics people would look at.

0:25:41.5 MM: That’s a lot of work.

0:25:43.5 JR: Right. So I just go out and hire 500 SOC analysts to go through my one terabyte day-to-day, easy. Right? No.

0:25:55.0 JR: I know that’s not easy, but I guess that’s it. To prioritize the existing information that’s in our environment to get early warnings, to find them, maybe in that lateral move phase, so that we reduce it to a workstation that needs to be re-imaged rather than paying a massive ransom.

0:26:16.8 MM: John, what about you? Got any thoughts?

0:26:19.6 JD: Certainly pre-preparation and planning. At the end of the day, time and attention needs to be invested in things like asset discovery and inventory management. Know where your devices are, where they’re deployed, understand what operating system and what patch revision you’re on for any given device. These are things that are crucial bits and pieces of information to know about when an attack happens. Because at the end of the day, if you’re involved in an incident response and you’re dealing with an infected clinical workstation, you need to make a judgment call as an incident responder in terms of what are the potential impacts here? What could be affected, and knowing how that system is connected in with other systems? What servers that workstation has access to? What credentials can be leveraged off that workstation to pivot elsewhere? This is all information that’s really vital during an incident response, a live attack type scenario.

0:27:22.6 JD: And the more quickly the incident responders that are trying to help you as a hospital recover from that breach can get to that information, the better that they can decide on courses of action that are appropriate for that given ransomware campaign or cyber security incident that you’re dealing with. So understanding your systems, understanding the dependencies between systems, the patch revision numbers that they’re at, this is all information that you can gather ahead of time and you can manage it.

0:27:54.7 JD: Vulnerability scanning also factors in. In a healthcare setting, this is a little bit tricky as well, because unless your clinical technology vendor has said, “Hey, it’s safe to run an Nmap scan against this device,” you don’t wanna do something that might actually cause that device to crash. And when it comes to OT, IoT and clinical technology, certainly we’ve come across a number of instances where even doing soft probes of a piece of equipment can cause that equipment to fail, so understanding which devices can be scanned and how they can be scanned is important.

0:28:36.5 JD: One of the other techniques that I employ within sensitive environments, like critical infrastructure environments, and hospitals most certainly are critical infrastructure environments, is passive vulnerability scanning. So if I can create a SPAN port on a switch and start passively listening to the traffic that’s going across a healthcare environment, I can get a sense for what operating systems are on that network segment. I can get perhaps a sense of even what patches have been implemented or not implemented. I can get a sense of what ports might be accessible and open, what services are being transmitted across that network environment, what kinds of clients are being used, and this is all information that’s useful at the time of an incident to decide on what’s the best approach here? Can I isolate this clinical workstation that has been attacked with some kind of malware dropper? Is it okay for me to do that? Is this device currently in use? Is it connected to a patient? Can I isolate that device, or if I isolate that device, do we not get any more telemetry from that device, and then all of a sudden we’ve got a patient care issue? Those are the kinds of considerations that have to be made when doing incident response engagements in healthcare that are not the same kinds of decisions that you would have to make elsewhere.

0:30:05.2 MM: What I hear you saying… Let me just see if I got this right, but specifically in healthcare, we talk a lot about there being three environments, and what I hear you guys saying is you need visibility, you need to be able to see all the stuff that’s in your traditional IT environment as well as the OT stuff, the clinical technology, the medical devices, the PACS, the diagnostic equipment, all of those things, as well as… If we’re talking about… Especially and, Jeremy, you mentioned this earlier, where people are now working on exfiltration before encryption that brings your EMR environment into play in a way that perhaps you’ve managed to avoid before, and I think that that’s… Those three environments are all often in the same room in a hospital, it’s not like a traditional IT/OT environment where if you were BP, you would have your IT environment at headquarters and your oil rig, that is your OT environment in healthcare, you could have one room with a doctor’s laptop, a medical device, and the connection back to your EMR, with an EMR workstation, all in the same spot, and I think that that is something that we don’t think about enough.

0:31:23.9 MM: Alright, I end every interview of all the people with the same question, and I’m gonna put it out to both of you guys. Fast-forward five years from now, and you can go pessimistic, you can go optimistic, you can go whichever way you want. How does this play out down the road? What is the future of attacks against healthcare? What’s the future of ransomware? What’s the future of hospitals becoming resilient to it? How do you see it? And Jeremy, you get to… I keep making you go first, but I’m gonna make you go first on this one, fast-forward down the road, where do we end?

0:32:00.9 JR: Okay Mike, we work together. You could have prepped me and told me that you were going to… Alright.

0:32:10.9 MM: I ask the hard questions, man.

0:32:12.9 JR: I don’t know if I see it getting… What was the time frame, five years?

0:32:17.4 MM: Five years, five years. I’m pushing it way out, and I know it’s hard to predict sometimes that far ahead, but you’re probably one of the best to make that prediction, let our audience know what you think.

0:32:29.4 JR: I think things are moving in the right direction. I think that just like SCADA environments that kind of lagged a little bit because of the criticality of their networks. “My network’s different, I can’t do that on my network,” is kind of the common thing that you’ll always get out of them. Like John mentioned, you Nmap this box and it crashes. So I see in five years, and I know it’s happening now, I know that the FDA is working on getting devices to a point where they’re regulated and can be updated, device manufacturers are getting better at that. So I’m gonna put on my optimism hat and say that in five years things will have improved, that these environments over continued attacks will become more hardened. So that’s what I’m going with. That’s what I hope.

0:33:30.7 MM: John, what about you?

0:33:32.3 JD: Sadly, I think of the eternal pessimist, when I look at this environment, I see an initial lift and shift of EMR systems into a cloud environment without native integration, and I think that is a cause for some concern. I think we’re gonna see logs and other vital information stored on S3 buckets as EMR manufacturers or software designers start to move their infrastructure to the cloud. I think that credentials and tokens that are not being refreshed often enough are gonna become a big issue with those EMR systems, if they’re not already with some of the few cloud EMRs that have been deployed in hospitals today.

0:34:21.8 JD: And I think there’s also going to be an interesting challenge as CISOs retire, and the institutional knowledge that a CISO has about that given hospital institution disappears, unless they did a really, really good job in transferring knowledge and grooming the next CISO that takes a step up. I think there’s gonna be a period of time where we may see a repeat of old vulnerabilities in new modern environments, just simply because the next person who has assumed the position in a healthcare institution doesn’t have the same institutional knowledge and is making risk decisions that are incorrect risk decisions for that hospital or for that institution. So I think that’s also going to factor into play, I think we’re gonna see the quality of risk decisions within these organizations falter in the years ahead, and then hopefully we’ll see it get back on track.

0:35:23.5 JD: But I do worry about certain CISOs that have been in the position for a long time in some of the largest hospitals, when they retire, I worry about how well the next iteration of security leaders in healthcare are gonna do. Because I see a lot of hospitals that hire a CISO, make an investment, they’re there for three or five years, but there’s no succession planning, and I think that is the number one reason why hospitals are failing at security today. There’s no continuation of that security strategy from one leader to the next.

0:36:05.4 MM: And I think just to add a little color on that, and we could talk for… That’s a whole other conversation we could talk about. But that far too often, we bring in CISOs from outside of healthcare, and it takes them a long time to come up, so when those folks that have learned those hard-won lessons over those five, six, seven years retire, and you go bring in the CISO of a tech company or a financial services firm into healthcare, they have to spend a lot of time and… We’ve all done this, we didn’t all start in healthcare. You have to learn a lot about healthcare to be good at this, for healthcare, and I think there’s definitely a big gap there.

0:36:46.6 MM: Guys, I really wanna thank you for this, this is a really cool opportunity to do it with… To do these interviews with folks on the team, and I know we’re gonna do some of these every once in a while, ’cause it’s a blast, and you guys are both brilliant. Thank you so much. To the audience, you can find all of us on LinkedIn, hit Scope Security up on LinkedIn, hit Scope Security up on Twitter. We’re Scope Security with an underscore on Twitter. And you can find Jeremy and John on Twitter and on LinkedIn and all the various normal places. So please continue the conversation, ask us questions, and one more time, we recently put out a paper on this, so please download the paper if you’re interested in this topic, and… Thanks again.

0:37:29.8 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]


About Jeremy Richards

Jeremy Richards has spent the last two decades becoming an expert in exploitation, detection, and AI technologies. Most recently, he was a Principal Security Intelligence Engineer at Lookout, where he created the machine learning models behind Lookout’s PhishingAI and assisted in discovering APT threats on mobile globally.

Previously, he was a senior security research engineer at Saint, Digital Defense, and nCircle. Jeremy is passionate about AI and machine learning, feature engineering for anti-malware and anomaly detection.

About John Daniele

John Daniele has over 20 years’ experience working in the security and defense community in Canada and abroad. He has extensive experience developing threat hunting and detection, digital forensics analysis capabilities, and investigating cybercrime.

John has also led offensive red team assessments, engaged in vulnerability research and exploit development activities, and has provided related training to the Department of National Defense and other security agencies across Canada.

He is an alumnus of both KPMG and EY, where he served as a national practice leader in cyber forensics and most recently as vice president of cybersecurity operations for CGI. John has previously served as a civilian forensics analyst at Ontario Provincial Police (Anti-Rackets), the Ontario Ministry of Finance, and as an investigator with Ontario’s Correctional Investigation and Security Unit.

Today, John serves as Head of Threat Intelligence for Scope Security, a cybersecurity start-up co-founded by Thrive Capital that is developing a healthcare-native SIEM providing holistic visibility into threats targeting clinical technology environments and electronic medical records systems.
