Each day, it seems that we hear of another healthcare organization being compromised by a cyber attack. It is clear that the healthcare industry is the new favorite target amongst cybercriminals. Fortunately, vigorous efforts are available to combat these threats. We recently spoke to Errol Weiss, Chief Security Officer at Health-ISAC. Errol spearheads the information sharing and analysis center, helping to make the healthcare sector better informed and more resilient.
Tell us about how you became involved in the cybersecurity profession.
I got interested in cybersecurity as a teen, reading about various computer heists and hacking. When I started my career with the National Security Agency, we tested systems at military bases and command posts all over the world. The last job I had there was performing penetration testing on government systems. Some of my colleagues had left and worked for consulting companies, and although I wasn't actively looking for a new job, they convinced me to join them.
I spent time working with some government contractors who were offering commercial security consulting. We were working with banks, insurance companies, and manufacturing companies at a time when the internet was just becoming popular and online banking was starting to develop. It was a matter of great timing for me to take the skills that I learned in the government and translate those into practical consulting services. Eventually, that rolled into an opportunity to work on the InfoSec team at Citibank. While I was there, they were looking to create a cyber threat intelligence function inside the bank, which was a fairly innovative concept at the time. This was back in 2008 when there weren't many commercial threat intelligence teams in existence. I helped create that function when I was at Citi and then headed that operation. By the time I left, we had 40 people working for that team in six different countries all around the globe. We had a 24x7 "follow the sun operation" built up from that.
The experience I gained at Citi helped to roll ahead to my current position with the Health Information Sharing and Analysis Center (Health-ISAC). I have been here for five years. I was recruited to help create the member-to-member sharing and threat intelligence functions that an ISAC offers. When you look at the basic functions of an information sharing and analysis center, it centers on the member-to-member sharing. I helped create the online systems that we use to foster that collaboration.
All of the ISACs are different. This becomes evident when you look at the services that each one does. For example, some of what I learned while in the banking and finance sector and the Financial Services ISAC was that they had a pretty robust internal team that was producing original threat intelligence. We wanted to replicate that in the health sector because we have a lot of organizations that can consume intelligence but don't really understand how to do it, nor do they have the resources to purchase those kinds of commercial intelligence feeds. So, threat intelligence is a great basic function that we can provide for the industry. Health-ISAC's Threat Operations Center is headquartered in Orlando, Florida. In the past year, we've also hired two people in Europe, so we're starting to expand this team globally as well. The creation and expansion of that team was a big part of my job originally. Since the team has expanded, we've also hired an expert in medical device security.
A lot of what we do inside Health-ISAC is also paying attention to what the medical device manufacturers are doing, looking at the issues, vulnerabilities, and threats in that space. We also hold regional events and workshops that we host for our members, including tabletop exercises. Health-ISAC provides all the technical expertise and background for running those kinds of events. There are a lot of great activities taking place to benefit the healthcare community.
This year has been particularly busy, especially with the developments in the Change Healthcare incident back in February, and then the Ascension Hospital ransomware event in early May. We have been supporting our members with intelligence, practical advice, recommendations and other information that we can provide in terms of what we know about the incident, how it might've happened, and helping our members to protect themselves from those kinds of threats.
What are some of the biggest challenges when it comes to communicating with your members when there's been a breach?
In an ideal world, when an incident happens, we would hope that our members can take the information from that incident to prevent an attack from occurring in their environments. Indicators of compromise, the Tactics, Techniques, and Procedures (TTPs), or the ways that the malicious actor may have gotten into those systems, and what weaknesses they take advantage of in order to perpetrate that attack are all valuable to building better security and resilience.
The ability to take all of that information and share it with the ISAC matters because once it gets into the community, all of the other members can look at that information and ask themselves the questions: Are we vulnerable to this kind of attack? Have we seen this kind of attack? And what do we need to do to protect ourselves? The other benefit of the ISAC is that we can take that information from the victim organization – we can even anonymize it – and share it with the rest of the members.
As a member and as somebody who's participated in a network like this, when I was at Citibank, for example, I would look at the information that came from the ISAC, and we would use that information to make sure that we were not vulnerable to the same attack. In a perfect world, that is what should happen. Unfortunately, because we live in such a litigious society, what happens a lot of times is that an incident occurs, and internal counsel finds out about it as part of the response, and they immediately clamp down on everybody, restricting any information from being shared. They need to protect against any notification of an incident because, ultimately, they are concerned about that information getting out in the public domain and, in turn, being used against them.
Too many times, we learn about a cyber-incident in the media – and I will say very openly – I have a form letter that we send out that basically says, we're sorry to hear about what happened. Is there anything we can do to help? Can you share the indicators with us? That's what I'm really after. Usually what happens is I either don't hear from them, or they reply back and say that they can't share anything. A third option is to anonymously share information. We can get it out to the community so that everybody can learn and hopefully not become a victim.
The reciprocal effect of sharing is that the victimized organization may learn from what other members of the community have seen and what they experienced. They may get some mitigation recommendations or support from others in the network that could help shorten the downtime. There's definitely some value in sharing, and they could learn from others as well. In my experience, probably one third of the respondents to our inquiry are able to share incident information with a strict understanding of anonymity.
Is there anything more healthcare-specific that is being done to reduce liability in breach reporting?
There are federal liability protections on sharing the type of information we're talking about. However, information sharing is ultimately treated as a legal risk decision by organizations. What we're trying to do at Health-ISAC is to make this more of a business-based risk decision. The corporate legal team can give their advice, but we want the CISOs, the CIO, and the CEO to offer their insights as well. We are planning to provide workshops about this starting this summer. We want the legal advisers to understand that there is a low risk to sharing but great upside benefit by participating in this sharing network. We hope to change that risk conversation a bit.
From a public perception standpoint, we have recent examples where if the CEO had been able to state what happened, adding that they shared openly and actively with Health-ISAC and all the other sharing communities to try to make sure that our partners, our customers, and everybody else were protected, they would have had a much better story to tell. People may be more sympathetic to what's going on instead of what I'm reading about now, which is that the company is being negatively criticized for its lack of a meaningful response.
What are the three most important things every organization should be thinking about when it comes to security?
First, you must use multifactor authentication on all remote access and privileged user accounts.
Second, you must stay up to date on patches. We're still seeing organizations getting beat up and getting attacked because of years-old vulnerabilities. Third, the organization must practice good data backup techniques, and you've got to make sure that those backups actually work. One way to test that is to pretend everything's broken, everything's down. Go build a new system and start from scratch. The questions to be answered in the after-action report would include: Can we restore the systems? How long is that going to take? What's the downtime as a result of that? Is your staff equipped to operate on paper for that amount of time?
Unfortunately, there are countless examples of impact like that, from ransomware especially. In 2022, Health-ISAC was a part of the ZLoader botnet disruption, and in 2023, we participated in the Cobalt Strike botnet disruption. Health-ISAC provided testimony and statistics about how much disruption the botnet caused: hospital revenue losses and patient impacts, ambulances being diverted to other hospitals because they couldn't take in emergency room patients, and oncology appointments having to be canceled or rescheduled. It caused seriously horrific and very real human impacts.
What is your view of the balance between risk acceptance and risk avoidance, especially when patching is involved?
There is a two-pronged answer to that. On the one hand, there is the lack of resources that these healthcare organizations are struggling with when it comes to proper protection and defense. From a cybersecurity standpoint, many are running on skinny profit margins as it is. Some are losing money and struggling for additional budgets for cybersecurity and subsequent resources.
On the other hand, particularly when it comes to patching, an organization can use many of the free resources to approach vulnerability and patch prioritization. For example, CISA's Known Exploited Vulnerabilities (KEV) catalog is freely available. If an organization can check the vulnerabilities that are on that list, it becomes easier to prioritize patch management.
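As an added example, not from the interview or from Health-ISAC, one way to act on that catalog: read the KEV feed's JSON (field names as CISA publishes them) and move any scan finding that appears in it, ransomware-linked entries first, to the top of the patch queue. The catalog entries, CVE ids and scan findings below are constructed placeholders.

```python
"""Prioritize vulnerability-scan findings against CISA's Known Exploited Vulnerabilities (KEV) feed."""
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. Field names follow CISA's published
# schema; the entries and CVE ids are placeholders, not real catalog data. In practice the
# live feed is downloaded from CISA's site and passed to load_kev() instead.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Mail Server",
         "dateAdded": "2024-03-05", "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export: (asset, CVE id, CVSS base score).
SCAN_FINDINGS = [
    ("vpn-edge-01", "CVE-0000-00001", 7.2),
    ("mail-01", "CVE-0000-00002", 6.5),
    ("intranet-web", "CVE-0000-00003", 9.8),   # highest CVSS, but no known exploitation
]

def load_kev(feed_json):
    """Index the KEV feed by CVE id so each lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Return (asset, cve, reason, days_to_due) in patch order.

    Tier 0: in KEV and tied to ransomware campaigns; tier 1: other KEV entries;
    both ordered by CISA due date (overdue first). Tier 2: not in KEV, by CVSS.
    """
    ranked = []
    for asset, cve, cvss in findings:
        entry = kev.get(cve)
        if entry is None:
            ranked.append((2, -cvss, asset, cve, "not in KEV; rank by CVSS", None))
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        tier = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
        reason = "KEV + known ransomware use" if tier == 0 else "KEV"
        ranked.append((tier, days_left, asset, cve, reason, days_left))
    ranked.sort(key=lambda r: (r[0], r[1]))
    return [(a, c, reason, dl) for _, _, a, c, reason, dl in ranked]

def run_example(today=date(2024, 3, 20)):
    """Rank the constructed findings as of a fixed date so the result is reproducible."""
    return prioritize(SCAN_FINDINGS, load_kev(KEV_SAMPLE), today)

if __name__ == "__main__":
    for asset, cve, reason, days in run_example():
        print(f"{asset:14} {cve:15} {reason:28} due in {days} days" if days is not None else f"{asset:14} {cve:15} {reason}")
```

Note that the CVSS 9.8 finding lands last: a lower-scored vulnerability with confirmed exploitation, especially by ransomware crews, is the one to patch first.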
How do vendors fit into the work that Health-ISAC performs?
Coming from the finance sector to the health sector, and now at Health-ISAC, it is interesting to discover what kinds of organizations are in our membership. It's not just hospitals. We also have medical device manufacturers, insurance companies, pharmaceutical manufacturing companies, and health IT organizations. Some of our members are also creating electronic health record software systems. The whole idea here is that because all of these systems are dealing with sensitive patient information, we want to make sure that they're doing what they can to be secure and that they understand the threat environment that we're dealing with every day.
We have different levels of partnerships with vendor organizations. We host four summits a year around the globe, and vendors and partners participate in those events as well. We also try to make a conscious effort to provide a variety of vendor organizations there. It's not just the same vendors that you see coming to those summits. We're also trying to explore new innovators, maybe even venture capital and early-stage startups. We try to include a good mix of organizations to offer our members a good view of what's coming, what's stable, who the long-term players in this space are, and some new innovators to take a look at.
What are the most prominent cyber attacks that are occurring in the healthcare industry?
Ransomware is definitely at the top of my mind for the CISOs that I have spoken with. It's not just their organization, but it's also the partners and suppliers that they use as well that they're concerned about. Healthcare is such an interconnected, complex system, and if any one of your partners' suppliers gets breached, it could reflect back onto your organization as well. Working together and making sure that security is being considered all throughout the whole ecosystem is vital. It's truly a team sport.
Third-party partner breaches are a high concern, as are phishing and social engineering. We are starting to see sophisticated phishing and scams happening that are defeating multifactor authentication, such as "MFA fatigue." AI is also becoming a threat as a result of large dollar scams, like the heist that happened at a Hong Kong firm from a deep fake that tricked a CFO into sending 25 million out of the company as a result.
Cyber attacks against healthcare organizations affect everyone. That's why Errol and his organization stand out as champions in the effort to help the healthcare sector become aware of cyber threats and how to protect against them.