CISO Talk: Healthcare and Cyber in a COVID-19 World

When we hear the words “cybercrime” or “cyber attack” we usually think of financial gains and personally identifiable information. Today, cyber threats are no longer just an inconvenience, but a matter of life and death.

In episode five of CISO Talk, Miranda Ritchie of IBM joins Mat Newfield and Mitch Ashley to discuss healthcare and cyber in a COVID-19 world.

The video of the conversation is below, followed by the transcript. Enjoy!

Transcript

Alan Shimel: Hey, everyone. I’m Alan Shimel, and welcome to another episode of CISO Talk. I am joined by my co-host, Matt Newfield. Mathew is the CISO over at Unisys. Matt, welcome. 

Mathew Newfield: It’s a pleasure to be here. It’s good to talk to you again.

Shimel: And Matt and I are joined by our usual sidekick playing Ed McMahon this week, Mitch Ashley. [Laughs] 

Mitchell Ashley: Can I introduce you…

Shimel: Yes. [Laughs] Mitch is, of course, CEO and founder of Accelerated Strategies Group. And our guest for his episode is Miranda Ritchie of IBM. Miranda, welcome and thanks for joining us.

Miranda Ritchie: Okay. Thank you for having me. My name is Miranda Ritchie, and I’m a global delivery leader at IBM’s Managed Security Services.

Shimel: Excellent. And thank you. So, guys, the theme for this week’s show is cybersecurity and healthcare. You know, and we were talking a little bit in the green room – well, I’m in the green room. But we were talking a little bit before turning on the recording about, you know, the unique – just the uniqueness of cybersecurity and healthcare where we’re not necessarily talking about financial gain or stealing money. We’re not even really, at this point, talking about personally identifiable information and HIPAA information at this point. We’re talking about the life and death nature that cyber threats can pose to individuals, you know, as a result of being within the healthcare industry. So with that as a backdrop, Matt, I’m going to ask you to kind of kick us off today and get us started.

Newfield: Yeah. Absolutely, Alan. You know, a few years ago it was all the rage in the cybersecurity world to talk about how we had broached over or moved over from being in this virtual world to where the cybersecurity code, attack code, could actually impact physical things. And you can remember some stories about refinement machines being destroyed via bits and bytes. And that was a real eye-opener for a lot of people when it came to infrastructure and critical infrastructure and time.

Now we’re starting to really see in the news a lot lately about how these cybersecurity attacks – these adversarial attacks – can impact much more than what we’re used to reading about. We read about dollars, as you said. We read about our data, personally identifiable information. And we think it really stops there. Maybe it goes to reputation. Maybe it goes to me losing my checking account. But there’s a lot of talk right now, and healthcare being the main area, about how it can impact life. And we’ve heard stories before, but this has been one of the real big ones. And whether or not you believe that this poor individual in Germany actually died because of the ransomware attack against the Dusseldorf University Clinic is almost irrelevant. It’s open to conversation.

And as we were discussing in the green room, it expands beyond to a much greater level of, “How is it we are going to, as a community of cybersecurity professionals, help to protect an infrastructure and help secure and lock down an infrastructure when you really look at that environment as something that has never really been locked down before and is run and utilized by a group of people where seconds do matter? Take away ransomware, seconds matter. And if you put too many gates in place, your cybersecurity could impact life. And it just opens up a very interesting conversation that I’m very excited to have with you, Alan, Miranda and Mitch today.

Shimel: Absolutely. So, Miranda, with you as the new person here I’m going to – don’t wait for us to call your name. Feel free to jump in and comment and, you know, take the conversation where you want it to go. But you’re right, Matt. It’s life and death. And for some of our audience… may not be familiar with the Dusseldorf case of this person who might have died. Does anybody want to just kind of give a quick brief on the facts pattern there? Does anybody know the fact pattern there?

Newfield: I do. 

Shimel: Okay.

Newfield: So there was a 70-year-old woman who was experiencing cardiac arrest. She was picked up by an ambulance. The ambulance, through a ransomware attack on the hospital, was rerouted to a hospital that was much further away than the one she should’ve gone to. So when the ambulance crew arrived, they picked this poor woman who was experiencing a significant medical emergency. And instead of going to the closest hospital, this system routed to a hospital further away, and it was blamed on a ransomware attack. And again. There is no evidence today – and people comment… we’re not here saying that cause her death. There’s no evidence to say if they had cut five, 10 minutes off of that trip she would’ve survived. But again. It opens that relevant point. Let’s say there had been another medical emergency where five minutes would’ve mattered. You can-

Shimel: Well, yeah. No. In medical emergencies, minutes and seconds count. And anything – whether it’s cybersecurity-related or any other related… if it’s shaving minutes, you know – costing you minutes and seconds, people’s lives are at risk.

Newfield: Right. And, Miranda, you and I were talking a little while ago about this, extension – we could go to that extreme of, “You know, what’s going on in a hospital with ransomware? And what’s going on with the heart monitors?” But you had a really interesting perspective in conversation around PPE and that supply chain. I think that could be really interesting conversation as well.

Ritchie: Yeah. Yeah. So earlier this year, IBM reported on a campaign targeting a task force that was, you know – the sole purpose was to supply… you know, act as a supply chain for personal protective equipment. This was in Europe. And so, you know, even though they’re targeting – through phishing, they’re targeting over 100 individuals at that task force probably to steal information, it’s not necessarily to encrypt their data – it’s just part of the race for a vaccine, race for the cure. Right? But as a byproduct of that or collateral damage of that, if you’re restricting people’s access to PPE in an already tight-crunch situation where there’s not enough to go around, you’re still putting people’s lives at risk if they’re having to reuse, you know, old equipment.

Shimel: I think, too, Miranda, of the whole supply chain integrity problem. Right?

Ritchie: Right.

Shimel: It’s that kind of an attack, or is this truly valid PPE or whatever that is, drug we’re delivering, vaccine? Or has it been compromised? Is it falsified, and you have to maintain that chain of control in your supply chain? And you lose that – there could be lives at the other end that immediately are at stake.

Ritchie: Right. Right. If the PPE is tainted or testing equipment is faulty and it’s returning at a different false-positive, right, than it necessary should be, that’s definitely something to consider.

Newfield: Yeah. I mean, you can take that to an interesting extreme to say, if – let’s say a bad actor was able to breach one of these suppliers. Think of… in healthcare, again, the people who are making a vaccine and they beat them to market with a vaccine that may not work or may have implications later, you could go to an extreme to say, “There could be that the human factor of, ‘I get really sick from the vaccine, or the vaccine doesn’t’ help me,’” But you said something a second ago that really stuck in my head; which is that false-positive. “What if I think I’m cured? What if myself and my thousand closest friends think we’re cured, and then we go to that stadium and infect other people?” And you end up with potentially another strain of this virus. Or you-

Shimel: Super spreader event.

Newfield: You end up with a super-spreader event. Because, again, you’re finding a cheaper alternative that sounds like it’s the same thing when it’s not.

Shimel: Black Sunday 2 or something like that. Be another good movie. But, you know, guys. When I hear you talking about these things, in my mind there’s two camps. One camp is the ransomware attack, the supply chain attack that Miranda mentioned and the cost to human healthcare or the cost to humans who, as a result of healthcare, is almost collateral damage. “I didn’t ransomware the hospital because I meant that lady to die, or I didn’t do something to the supply chain because I wanted that nurse not to have an N-95 mask. I did it, you know – I did it because I’m a scorpion, and that’s what I do. Right?

“So I killed the frog halfway across the river.” But then there’s another type of attack altogether. And that is the, “On purpose, I’m trying to kill someone,” attack. Right? And that is more kind of what we – when you talk about we’ve seen, “Can we control someone’s pacemaker? Can we hack into someone’s pacemaker or insulin pump or something like that?” You know? And now, you’re starting to get into state-sponsored… not even espionage but murder; assassination.

Ashley: Yeah. Well, we do that to – Russian does that supposedly through poisons today. We hear about all the…

Shimel: I don’t think you have to say supposedly anymore. It’s pretty well documented.

Ashley: Trying to be PC hero.

Shimel: Yeah. Unless people apply neurotoxins to themselves. But yeah.

Ashley: You know, you’re talking about frogs and scorpions. So, you know.

Shimel: Yeah. Well, I was trying to – what’s the word there? An East side…

Ashley: Analog, right?

Shimel: Yeah. But no. I mean – so I think as cybersecurity professionals, we have to worry about both of these scenarios. Right? The inadvertent collateral damage of individuals’ healthcare as a result of cyber activity. And then, the on-purpose downright murder of individuals using cyber methods. Right? Terrorism. Can you imagine – and I don’t even want to say it out loud. I’m afraid someone will get an idea. But a tainted virus. A tainted vaccine.

Ashley: Tainted vaccine. Yeah.

Shimel: Right?

Newfield: You know, you can take it to the murder word where someone shuts that pacemaker off; you know, someone turns that MRI machine on when someone’s in there doing work and the magnet turns on and rips the pacemaker out of your chest. But you can go that extreme – you can also think of ransomware in a new variant. Right now, ransomware is about, “Give me dollars and cents or I’m going to steal or sell your data You know, the other variant I’m hearing from you – and, Miranda, I don’t ‘know if you’ve seen this in the wild or hear any chatter on this. But I could also hold your hospital short-term ransom. “You’ve got 20 minutes to pay Bitcoin or I will not turn your neonatal intensive care unit systems back on.”

Shimel: Can you imagine?

Ritchie: Yeah. And we’re also seeing kind of an uptick in these blended ransomware attacks similar to May’s. Right? Where they’re not just encrypting your data but they’re taking it first and then playing a sort of name-and-shame game. Right? Where they’ve got this wall of fame, and they’re going to publicly out you. I mean, imagine if that happened to a pharmaceutical company who did have, you know, a cure or a vaccine. That’s the keys to opening up the economy. There is a huge financial incentive for taking that data and exposing it publicly.

Newfield: Yeah. Absolutely. Or not exposing it and just trying to replicate it yourself, to Alan’s point of nation state actors. And this is really what’s scares people in this profession, is – so, “Okay. What do you do? How do you convince doctors and nurses and practitioners in these environments whose entire lives have been focused on a singular mission – to save human live, a very noble mission?” But when you add that securely to the end, that is a new realm.

That’s a new realm for some of the pharmaceutical companies. That is a new realm for hospitals and a lot of doctors and nurses. And, you know, some of us may come across and go, “Come on. You know, you got to do this stuff. You have to take cybersecurity seriously.” But I get it. If you’re a doctor and your sole focus is to go in and do brain surgery or, in the neonatal units, to make sure those children live, how do we as cyber professionals broach that gap and that divide to say, “But we want to make sure this potential thing that that doctor probably has never experienced in their life, a ransomware attack, a virus” – something that you read about but may not…how do you bridge that gap? And that, I think – Mitch, I don’t know if you thought through this. But how do you bridge that gap?

Ashley: It’s interesting you ask that because both Alan and I have some experience selling security solutions into medical environments into hospitals. And every environment has its own kind of unique personality. And I think maybe the personalities of doctors is kind of infamous of what it’s like to work in that kind of environment. And I know exactly what you’re talking about. It’s that thing that gets in the way for me not just doing my job– saving a live, taking care of this patient, my oath…right? To do no harm.

So you’re talking about a whole other level of it. I wonder if there are places where we can replace things like tokens and passwords with something you wear where proximity will enable to use a piece of equipment, Log onto something instead of fat-fingering your password for the third time or have, “I forgot my card.” Right? But something that you can wear as part of your – the things that make the environment, as you enter, open up and give you the secure access; those kinds of approaches rather than the typical things we think of in a corporate environment like passwords and token cards, things like that. 

Ritchie: I think that makes sense. We also have to kind of go back to the basics and look at how these threat actors are doing what they do. And it’s not sexy. It’s not cool. But spam and phishing accounts for such a huge percentage of day-to-day attacks – including the one I mentioned earlier about the attack on the PPE supply chain. When we talk about ransomware – whether it’s the plain-old encryption variety or the information-stealing, name and shame variety, a lot of it is still coming in through E-mail. And a lot of attackers are playing off people’s fear to get them to open an E-mail. You know, fi you get an E-mail that says, “Urgent,” you know, COVID vaccine-related, you’re more likely to Click on it than if you think it’s a Nigerian prince.

Ashley: Well, and there’s a lot of publicly available information about what’s happening with COVID specifically; where the hotspots are; where the increases are, the testing rates. You know, the positive rates of that. and I think many of us, most of us, expect there’ll be all kinds of phishing to say, “In this location in Iowa, if it’s a hotspot go blanket those folks. You can get the vaccine today. We will overnight it to you tomorrow. And get you on the program now. Enter your credit card,” or whatever. I mean, you know that’ stuff’s going to happen if it’s not already happening.

Newfield: Oh, yeah, it is. And, you know, we’ve had other shows, Alan, where we talk about like get-back-to-basics. And you and I have been bantering that around. But it is very true. It gets to the point here of, “Maybe the angle that we need to take in industry is to help not overly secure an environment but help them get back to basics so that the threat landscape…doesn’t goes to 0, but it gets to a much smaller number.” Which is key. And, Alan, if you’re okay with this, one variant of the conversation – Mitch brought up, “How do you change authentication mechanisms?”

And we’re starting to see – at least I’m starting to see in a lot of my conversations – companies try to deal with biometrics; facial recognition, for example, and having that become an acceptable way inside of an organization – let’s not say corporation, just an organization – to have it be your authentication and your continual 0-trust authentication mechanism as you’re walking around. And there’s still, I think, a problem with perception of what you can do with that information or, “What is it watching? Did it see me scratch the side of my face? Did it see me messing with my hair? Or if I’m wearing a toupee, I don’t want people to know as I’m shifting it around walking down the hallway” – kind of private information. But has anybody heard if there’s going to be better acceptance because…?

Shimel: Well, no. I don’t think there will be better… to the contrary, Matt. And correct me if I’m wrong. Maybe you guys – I think the problem with a lot of the facial recognition is inherent races. [Laughs] Right? It has a very hard time distinguishing black faces. And so, a lot of people are shying away from using that now. Right? Because you’re going to have a problem with people of color; it being effective or not. And if that – and I don’t know if that’s the case or not ’cause I don’t’ know enough about the technology to know right from wrong, truth from fact or life. But that’s what I’m hearing.

So if that’s out there, how the heck can we use it? I think your basics come and is dead on, Matt. Mitchell, I’d love to live in a world where magic abracadabra, they know it’s Alan and the door opens for me. But that’s a world of magic abracadabra. And we’re not going to get to abracadabra so quickly. You know? Call me, you know, a stick in the mud. But I’m done chasing those magic bullets. I’ve spent 20 years in security looking for my next magic bullet. I don’t think it’s there. I think if it comes, great. But in the meantime, what can we do today?

We can get back to basics. We can try to cut down the phishing. You know, 85 percent of breaches are coming from known exploits, not some super-duper 0-day cooked up in a lab in Beijing or Wuhan or wherever. Right? They’re coming from known VE’s that we didn’t patch. They’re coming from, “People just didn’t have good hygiene in their E-mail.” Can we work on that while we leave the CIA to come up with the next magic bullet abracadabra or M6 or whoever works on these things?

Newfield: But that, you have – it’s a very valid point. There have been a lot of articles I’ve read even as recently as this morning that there’s a lot of homeland security; and United States is highly recommending you patch, you have to patch. And when you look at the date you say you have to patch by, it was a week-and-a-half ago. Right? You know, and they’re worried because people could be six months or a year away. Miranda, we’ve talked about the upticks we’ve seen in WannaCry.

Ritchie: Oh yeah.

Shimel: Right. Oh, you mean that new threat, WannaCry. Yeah.

Newfield: Miranda, are you still seeing that where you are?

Shimel: We’re still seeing, you know, companies not patched for EternalBlue. [Laugh]s Yeah.

Newfield: I mean…

Shimel: Yeah. So I think for anybody watching this thing, “Well, what can we do? I’m in healthcare, and I’m worried. You know, you scared me with that ransomware thing,” or, “I’m worried about the pacemaker hack.” It really starts with back-to-basics. Right? “Can we patch what we already know is out there?” Right? I think back. You know, Mitchell and I, we co-founded StillSecure along with our friend Raj. And we had a vulnerability assessment management tool. Was it 2003, Mitchell? 

Ashley: Yeah.

Shimel: 2002. And, you know, back then the idea of patching… I don’t even think Microsoft had Patch Tuesday’s at this point.

Ashley: They were just coming out with Patch Tuesday.

Shimel: Right? There was a company called Citadel. Hercules was the product. That was sort of automated patching, “This’ll put a lot of money into it for the federal government.” People weren’t doing it then. If you would’ve told me – if I could, you know, back to the future to 2002 and say, “I’m sitting here on a Zoom video in the middle of a worldwide pandemic that no one can go out of their house, and in 2020 and we’re still not patching in a timely manner,” I would’ve said, “What happened? Did we all get stupid?” Right? “Why haven’t we solved that basic problem?” And now, it manifests itself into something as important as healthcare.

Newfield: But who’s problem is it, Alan? Here’s my concern. If we rely on patching and healthcare – which I think is different than a lot of industry…

Shimel: It is.

Newfield: It’s a lot of embedded operating systems.

Shimel: Yeah.

Newfield: These operating systems where you cannot patch. I mean, we’ve – you know, in my history I’ve helped companies that are still running Windows MT environments because the amount of money it would take to get them off of these old systems is beyond their budgets. It’s beyond their capabilities. They can put controls in place to limit access to it. But, you know, Miranda. You were covering the phishing and the vishing and those kinds of attacks. The back-to-basics on top of patching, Alan, to me is education and done in a way where you’re not insulting someone as we were joking earlier that May believed they’re better than others or smarter than others; which mostly likely they are.

I promise you I would be a doctor if I could pass all those tests, and I didn’t – if I liked the sight of blood. But, you know, how do you help convince people….and it’s a real psychology problem as well, the get-back-to-basics. Because again. If you weren’t used to an environment that – if I’m getting my E-mail on my corporate device, this thig right here…I’m. getting my E-mail on it and the hospital is required or I believe the hospital is protecting me, so I should only get valid stuff on here, how do you educate them?

Ritchie: Do you introduce the concept of targeted training? Right? Most companies do user education at least annually. But how many have you seen that are doing a targeted training for medical professionals or healthcare professionals related to COVID? How many companies do you see in the lead up to a special event like the upcoming elections training their employees specifically to look for potential attempts to exploit concerns or worries or whatever about the election? Not to take us off-topic. But, you know, the problem exists. Targeted training. Right? 

Newfield: Targeted – but there’s two other things. I mean, something as basic as banners. The amount of pushback I’ve seen at companies where you’d be flagged – any E-mail that doesn’t originate from your own corporate environment is flagged with external banner would cut down on a lot of people failing phishing tests, not realizing that, “I, the CISO of this corporation did not just Send you an E-mail from some other URL asking you to blank. If it says external and has my name, it’s probably not me.

Shimel: You mean you didn’t lose your wallet in Nairobi, and that you need me to wire you money right away?

Newfield: And I couldn’t get access to corporate-

Shimel: Yeah. You couldn’t get access to your corporate account. [Laughs]

Newfield: But, you know, these kinds of things – and I know we’re sticking in healthcare, but a lot of the message can go beyond. But in healthcare, these are the things that I think you have to start focusing on, is education. And if you can help – And, Alan, I get your point around facial recognition. And I’m not a facial recognition expert.

Shimel: Neither am I.

Newfield: I’m not a phone print recognition expert. I’m also not a voice recognition expert. But I’ve seen plenty of technologies, especially as people adopt Zero Trust concepts; where you can start thinking differently. And I think, Miranda and Mitch, your points were you can stick with the legacy – that’s stuff we did in 2000, 2002, ’99 – let’s be honest – and hope for the best, or you can try to push for better and more optimal ways. And sometimes, they’re not – to your point – brain surgery or rocket science. You know, one of the things that I’ve seen that I’m a big fan of lately is adaptive phishing training. “Alan, if you get a phishing test in your organization and you pass, we’re not going to bother you for 60 days. Mitch, you failed. We put seven indicators of a phish in that E-mail. You’re going to get another one tomorrow with six. You better not fail it.”

Shimel: Talk about wall of shame.

Newfield: Then five. And we’re going to tie it to your HR record.

Shimel: You know, Matt, I think there’s another part of this back to the basics. And we’re talking largely about things that – with end users. Right? That are accessing the systems. So part of my background is running a company that provides a digital certificate to device manufacturers; Wi-Fi, energy, medical, network. And we don’t all realize it if you’re not in the manufacturing world. But the authenticity of devices and the amount of kind of fakery, if you will, of people that take a device and then make one look exactly like it…the digital certificates are used to really – before something can connect, right, even talk on a network could ask to go through that handshake.

And I think that’s also part of that supply chain discussion. But fundamental to that is an infrastructure that we’re doing the basics in. If you’re not renewing certificates – a simple thing like that – you may shut off access to the network. I’ve gotten calls from customers saying, “What happened, and why is this? I didn’t even know there’s a digital certificate in there, and now I can’t get anybody on my network. How do I get a new certificate out there?” Those are basics that, within the infrastructure, we also have to take care of. Because we can be just as impactful to not be able to get your job done, deliver a service, do some medical procedure if we do that. 

Newfield: That’s very true. You know, another get-back-to-basics that I’d be curious about…you know, we’re not victim-shaming here. But, you know, we tend to talk about what the end organization should be doing to fix the problems here. And one of the things we did broach in this conversation I think really does impact and focus on healthcare is the fact that a lot of these environments cannot be upgraded. Right? They’re either locked by the manufacturer, they’re owned by the manufacturer, they’re, “Oh, you don’t want to be on that Windows 98 system anymore. Give us another $10 million, and we’re going to get you on Windows 10. And you better hope that it doesn’t EOL in four years because it’s another $10 million, and it’s a life-saving device.” Have we ever thought about going back and phishing the manufacturers to change their protocols?

Shimel: So I think, Matt, you’re onto something. Ultimately, I think it is the manufacturer’s responsibility to manufacture devices that can be upgraded; you know, lock down better that are future-proofed to a certain extent. I had this – again, back in my StillSecure days, I remember going…we went to a bunch of hospitals. This was around NAC was first rolling out – Network Access Control. And we don’t think about what has an IP on a network in a hospital. But, you know, if you’ve ever had IV in a hospital – right, you have that IV pump – well, that IV pump has telemetry that’s showing back in the nurse’s station how much fluids you’re getting and so forth. That has an IP address.” Can that IV pump be updated?”

Right? “And if it can’t be and I got to replace all the IV pumps in the hospital, think about it. Each one of those IV pumps” – I forgot what the number was, But back then, it was like a $25 or $35 K a pop. Because they all have to transmit telemetry. Forget pacemakers for a second. Just your basic EKG monitor – the wires they put on you; the six wires. And it reports in. It very rarely – those stations that used to be over your bed, and you could see the – you always see it on TV. Do-doop, do-doop, do-doop. Each one of those stations can be $100 K a pop.

And then, they still also have to report back to the central nurse’s station. So they’re wired for the Internet. If those machines weren’t designed to be upgradable, patchable, poor, poor design by the manufacturer. And it should be their responsibility. And if you’re in a healthcare field, forget being a cyber person even right now. But you’re responsible for, you know, choosing these kinds of IOT devices. Right? ‘Cause that’s kind of that they are.

And you’re not picking devices that were designed with an upgraded pass in place, you’re as responsible for that 89-year-old lady as someone – as the…well, maybe not as much as the hacker. But, you know, you bear responsibility for that let alone, Matt, the MRI machines and the $2 and $3-million pieces of equipment. You know, I will tell you personally I had an oblation procedure about a year-and-a-half ago for A-fib. And before they put me on it, I was able to be in the Cath lab watching all these high-tech monitors of – and they had my heart up on the monitor and everything. And I was – it was like Stark Trek in the way…I mean, thank God the doctors did an amazing job.

And I haven’t had a problem since. But this equipment, that was the new – that’s the equipment that I would expect. And I spoke to a lady who actually ran the main machine that does…the doctor works the catheter. But this catheter tests the nerves around your heart and decides which ones need to be isolated. This lady, she said, “I’m a dinosaur ’cause I was a nurse before I got into this and got trained. I’m the only one I know who actually has a medical background operating these machines. Most of the people operating the machines are engineers.” 

Ashley: A lot of times, they’re from the manufacturer of-

Shimel: They are from the…because the manufacturer is the only one who trains them. But those machines were designed with the Internet in mind. They were designed to be upgraded. They were designed to be better secured as time goes on. I think overall, we’ve gotten better at that. Far from perfect.

Newfield: But you still had – it’s still expensive. And if you’re an old-

Shimel: But that’s part of it. Well, everything about healthcare is expensive.

Newfield: Yeah. But you got to get the money. We bail out – governments bail out a lot of companies. Maybe it’s time to not…again. I’m not trying to be inflammatory in this. But maybe it’s time to bail out some hospitals to give them that upgrade. And I agree. You know, I think…and again. I’m not going to call any medical company out. But let’s be honest. A lot of companies design non-future-proof equipment on purpose.

Shimel: Absolutely. It’s a gravy train. If you’re –

Shimel: So I’m going to throw something out there. I’m going to throw it out for my cybersecurity friends who are watching this. If we gave as much of a crap about making our medical equipment upgradable as we care about having personally identifiable information be locked down in HIPAA, we’d have a hell of a lot more better equipment now than we do right now. and I think, “Have we put the wrong emphasis in here on worrying about PII as much as we do when we’re losing sight of the real life and death of, ‘We need these machines to be upgradable’?”

Ashley: Well, and they need to be current. And, I mean, the technology needs to be – as you said, have some future path to whether it’s a new product or an upgrade of it. And it also has to be reliable. I mean, that’s part of it too. Right? Of course, you know, in security is making sure that things are available. I just had a family member who had a mammogram. And the system crashed in the middle of it. Now, not a life-saving situation. But can you imagine sitting there and some computer crashes that you’re like, ‘What the hell? What’s that thing doing? And am I – is my heart going to stop, or what’s going on?” 

Newfield: To your point, Alan, fi you’d look up at the Screen and saw blue screen of death, how would you have felt?”

Shimel: Pretty dead. Pretty dead. [Laughs] I mean, but it was amazing. But you know what? Hey. I went to see the Rolling stones in Miami last year, and I saw Mick Jagger running around that screen. He had a heart valve transplant or heart replacement two or three months before via a catheter. We’re doing amazing things in medical. No doubt about it. Why can’t we get it right about improving the security pathways for our medical devices?

Newfield: So hopefully, as people start to see – you know, to make this full circle, as people start to see that the infrastructure inside of hospitals that they’ve been stuck dealing with, how susceptible…in a lot of cases in a lot of countries in a lot of regions of non-third-world countries how legacy and antiquated it is; how old it is. Like I said. It is not uncommon and does not – I don’t even bat an eyebrow to see a Windows NT environment, to see Windows 98. To see these legacy systems. The only one that causes me consternation these days is when I see Windows MT. ‘Cause at what point did you install that? Why would you have installed that?

Ashley: Or Vista.

Newfield: Or Vista. But it is the fact that over and over and over again, what I hear is we cannot upgrade even if I wanted to; even if I bought Windows 10 today, it will not work on that device. That device has never been patched; ever, ever, ever. And hopefully, people e can start seeing that we can go at them and, say, patch when they can. We can go at them and say, “Hey. You need to do a digital transformation.” You can’t. Moving it to the Cloud doesn’t fix the fact that the systems on PRIM in that hospital are susceptible. And most hospitals that I don’t talk to don’t have hundreds of millions of dollars of liquid cash sitting around to do those upgrades. And if they have to decide between upgrading something that works…it works. Something that also works that is new but maybe more secure or expanding a wing, adding more neonatal units, hiring more doctors, more nurses, you know which one they’re going to go because that’s what they’ve been doing for the last 30 years.

Ritchie: To your point, Matt, what do you tell a client like that? Where do you spend what limited resources they may have? One thing that we see a lot of is, ‘Okay. we can’t patch the system. It’s legacy. The manufacturer doesn’t even exist anymore, maybe. You can still guarantee you have visibility. Right? And we’re seeing a big uptick in demand for IOT monitoring, agentless monitoring, IOMT – medical things monitoring – and just making sure that, at the very least, you can see what’s going on because I think a large number of healthcare companies, they may have a lot of these devices in their network, and they can’t fix it. They can’t patch it. But they also can’t see it. 

Shimel: So, Miranda, are you talking about like augmenting these devices with some sort of visibility module, even if it’s like a physical thing you put on there? ‘Cause I’ve seen this in manufacturing now as well.

Ritchie: I mean, in MSS we work a lot with agentless partners. So you don’t even need to actually install something on the device itself. But it still allows cybersecurity professionals to gain visibility into what those devices are doing.

Ashley: They have a fingerprint or a footprint that you can recognize with the…yeah.

Newfield: And you baseline. Right? So you baseline, and you verify that that’s a good known set of traffic, and any deviation from that baseline is investigated.

Ashley: I was just thinking about the patching when I was in the device security world. They were just starting to think about doing updating of IOT and other devices. Right? Now you can buy routers that’ll auto or set to auto-update. But how many cameras are out there? How many, “Let me monitor my blood pressure”? There’s a lot of legacy stuff there that isn’t even upgradable, more or less set to upgrade its own software or users who would know or want to do that. It’s a lot of legacy stuff there.

Newfield: It’s the legacy mindset. And, Alan, you said something a little while ago that I really agree with. It’s a mindset change. And the manufacturers have got to start thinking that way and putting cybersecurity, putting upgrade, putting monitoring in and taking this seriously. You know, we could have a whole conversation on cameras and how most cameras out there that you can buy off the Internet are all running the same operating system, all have the same default password, all have the same protocols and all have the same bugs. Because the manufacturer wasn’t interested in security. What they were interested is, “How cheap can I make this device and still differentiate it in the market so I can sell a bunch of them?”

Ashley: Well, I think take it one more step, Matt. I agree with what you’re saying, Matt. Take it one more step. My observation was, the fundamental change next is changing the business model. Because those manufacturers make those devices, sell them, we’re done; we’re onto designing the next edition for next world whatever…next year for whatever the mode’s going to be. They were not in the past set up to even do patching to software or-

Shimel: No. There was no upgrade path.

Ashley: Now that’s part of the model. That’s part of the business. You’ve got to do that. 

Newfield: Yep.

Shimel: So I think the onus –- instead of being placed on these hospitals, the individuals hospitals, needs to be passed to the manufacturer. And it has to be that way. Hey, guys. We’re – yeah, we’re ridiculously over time, actually. But [laughs] yeah. But that’s okay. That’s okay. It’s okay. You know, I got-

Ashley: Who’s turn was it to watch the clock?

Shimel: It wasn’t me. But I got to be honest with you. I am so thrilled that we had a discussion on cybersecurity and healthcare, and it wasn’t focused on HIPAA. Kudos to all three of you. You know?

Newfield: That was the word of the day, Alan. No HIPAA.

Shimel: No HIPAA. I’m going to – I think that’s what we’re going to title this one. Cybersecurity, healthcare, no HIPAA.

Ashley: I got the e-mail. Didn’t you all get that e-mail, no HIPAA on…?

Shimel: No. I must’ve missed that one. But what a great show. What a great show. Miranda, will you come back and visit us again and add in here to the chorus?

Ritchie: Sure. Thank you, guys, for having me. Thanks for thinking about me, Matt.

Newfield: Absolutely.

Shimel: Thank you. Thank you, Miranda. Mitchell, as always, thank you very much. Matt, what can I say? I’m sorry it took us so long to get our next episode done. But we’ve got another one coming up really soon. We’re going to discuss – I think we’re going to discuss why every tech vendor should have a CISO and the mysterious case of the Uber CISO. 

Newfield: Absolutely.

Shimel: What’s happening there. So it’s going to be our next one. But for now, hey. We’re going to wrap this CSO Talk episode up. Miranda Ritchie, IMB. Thank you for joining us. Mitchell, Matt, thank you. This is Alan Shimel. Catch us on our next CISO Talk show. But for now, we’re out.

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now … Read More