CSO Perspectives (Pro) 4.26.21
Ep 44 | 4.26.21

Security in different verticals: Healthcare.


Rick Howard: In our last episode, we talked about the difference between cybersecurity strategy and tactics in the financial sector. To refresh, strategies are concepts about how to accomplish some goal.

Rick Howard: For example in World War II, the Allies' goal, or mission for you military- types, was to defeat the Axis powers. Their strategies for doing that were to defeat Germany first, and at the same time, hold off Japan as much as possible. In other words, concentrate on Germany first. For you, historians out there, I know I am greatly simplifying this, just bear with me.

Rick Howard: In cyberspace, our first principle goal is to reduce the probability of material impact due to a cyber event. In this podcast series, we have outlined four first principles strategies to do that: zero trust, intrusion kill chain prevention, resilience, and risk forecasting.

Rick Howard: So that's strategy. Tactics are the operational tasks, the actual things we do to pursue each strategy. In World War II, the Allies launched D-Day and slow-rolled Japan in a series of Island hopping operations. In cyberspace, CSOs might deploy a software defined perimeter or SDP in order to pursue their zero trust strategy.

Rick Howard: The question I'm trying to answer this season is whether or not our first principle cybersecurity strategies are universal across all verticals. In other words, are they really first principles? Do I need to change my strategies to defend my digital environments depending if my boss runs a bank or a hospital or a power plant?

Rick Howard: In the last episode, we invited financial sector experts to the Hash Table to see what they had to say. All three of them thought that the strategies were universal across all sectors, but that the tactics deployed would be wildly divergent based on the vertical you were in. For this week, we brought in some hundred pound brains from the healthcare sector to see if they agreed with their financial peers.

Rick Howard: My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

Rick Howard: Before we get into the healthcare strategy, I have a special treat for you. Two of our Hash Table guests today are from the Health- ISAC. Denise Anderson is the President and CEO and Errol Weiss is her CSO. I have known these two forever. We first met many years ago when we were all working for the FS-ISAC or the Financial Services Information Sharing and Analysis Center. I ran a team that the FS-ISAC contracted with to run their security operation center back in 2006. But Errol was one of the original founding bank member volunteers and Denise was employee number two when the FS-ISAC was first formed. What we have here sitting at the Hash Table is ISAC royalty.

Rick Howard: For those that don't know in the U.S., President Clinton officially created these information sharing organizations with a Presidential Directive in 1999, designed to facilitate cooperation and intelligence sharing between competing businesses that worked for the country's critical infrastructures, like finance, healthcare, energy, 16 in all.

Rick Howard: It was a nationwide realization that even though members competed in business against each other, it made total sense to cooperate against these external cyber threats because that activity hurt the entire industry and the country at large. In the early days, the people working for the FS-ISAC took the lead compared to the other ISACs in terms of progress made. The leadership of the member financial institutions threw a lot of money at it for it to be successful and they donated some of their best people like Errol to help run it. 

Rick Howard: When the members of the Health-ISAC decided to step up their game in 2015, they reached out to Denise to run it, which was a brilliant move. She was instrumental in making the FS-ISAC successful after all. And one of her first moves was to convince Errol to come help her do it. 

Rick Howard: While I was working on this show, I discovered an interview that Errol did on the most excellent podcast called Security Weekly a couple of weeks ago where Errol describes the history of the ISACs. The hosts of the Security Weekly were gracious enough to let me play a bit of that here. Here's Errol: 

Errol Weiss: The whole concept started, I would say probably in the early to mid 1990s. When the U.S. federal government realized that  85% of the critical infrastructure was owned and operated by the private sector. And looking at how to try to protect that critical infrastructure, knowing what catastrophic events could follow, they came up with the idea of the ISAC to encourage the private sector to take an active role in protecting the security of the infrastructure that  these private sector organizations were running. 

Errol Weiss: It really started out, with the Financial Services ISAC being the first one out of the gate in October of 1999. It really started out as being a way to share cyber threat information with each other in a secure forum. 

Errol Weiss: Roll ahead to September 11, 2001, where resilience really started to become an issue. When they were planning backup sites in New York, nobody was thinking that the entirety of lower Manhattan could become a problem site. 

Errol Weiss: So not just sharing incident information, but even sharing best practices today. When the government defined critical infrastructure, there are 16 different critical infrastructures. Everything from transportation, banking, finance, healthcare,  energy, water,  et cetera, et cetera, you can go look them all up. One of the very unique things with healthcare,  is a lot of healthcare in countries outside the U.S. is run by the government. There are  state sponsored healthcare plans. Government organizations who are members or pieces of those government organizations that are members, because ultimately they're the ones that are delivering the healthcare. They're also delivering the IT behind it.

Errol Weiss: We publish  tactical information on a daily basis. We've published strategic reporting as well. And I know many of the other ISACs do that as well. And then,  there are vehicles to share,  automated threat indicators as well. But  there's other things. There's conferences, summits, regional meetings. There are special interest groups, work groups, committees that are set up,  typical birds of a feather. Getting people together that are dealing with a common problem and sharing best practices. So there's a lot of different services that fall under the ISAC today.

Errol Weiss: If you've seen one ISAC, you've seen one ISAC. They are very different from each other. The  principals change from one to another. 

Errol Weiss: From the Financial Services ISAC standpoint, where I spent many years, probably in  2007, -8, -9, -10, somewhere in that timeframe,  the rules did change to allow government organizations  to have some membership entitlements.  They weren't  seeing all the sensitive member sharing information. The  real spirit of what was going on there was to allow the people that were protecting their networks.

Errol Weiss: So just as an example, maybe the SOC at U.S. Treasury could belong. But the idea was just making sure that the regulators did not have access to that same information.  The whole idea was that you want a member of  that can confidently share sensitive information, especially when they're dealing with an incident. They want to be able to share that with their peers, but they don't want it going through a regulator who's going to potentially use that against them in an examination.

Rick Howard: For Denise, she's the closest personification the security community has to an international information and intelligence sharing ambassador. And you know that I'm all about the information sharing. We have talked many times on this show about the Cyber Threat Alliance, an ISAC for our security vendors or more accurately an ISAO for Information Sharing and Analysis Organizations that are not part of the U.S. government's official critical infrastructure designation, and famous for their dedication to automating intelligence sharing with members. But Denise is arguably the automated information sharing bannerman for the security community. 

Denise Anderson: I consider it myself an evangelist for global information sharing and information sharing is so simple.

Denise Anderson: It's such a key piece of situational awareness and understanding the threats that are out there and sharing best practices within the sector, helping each other out all the time. We see this constantly within the ISACs and in particular in the Health-ISAC. 

Denise Anderson: Doing simple things like information sharing, getting support and buy-in from the top of the organization to do those kinds of things, especially when an incident happens so that everyone could learn from it and protect themselves as a result, is absolutely something easy that can be done and something that we should be doing. And, shame on us if we don't because the bad guys do.

Denise Anderson: Health-ISAC is actually on the forefront of automation.  They were one of the first ISACs to adopt automated sharing, and we're doing some amazing things in that realm. 

Rick Howard: Our third guest at the Hash Table today is Rick Dotan, the Carolina Complete Health CISO, and he is the perfect guy to help demonstrate the complexity in the healthcare vertical. 

Rick Howard: His company Carolina Complete Health provides services to the healthcare community, but they are also a nationwide insurance company. In other words, a giant financial company too. Here's Rick Doten.

Rick Doten: When we're looking at the Healthcare-ISAC, the things we talk about are probably 90% the same: What ransomware is out there. Hey, has anyone  seen this? Who has advice on that?   

Rick Doten: We're also tracking our adversaries and they are doing the same and maybe some of their adversaries are different or maybe more,  but fundamentally we're doing the same thing. If we want to go back in history, ISACs were developed because it was where the critical infrastructure is and you fit in a critical infrastructure. 

Rick Doten: From a size standpoint, there's a lot of big financial institutions.  And even in the FS-ISAC, they have their own little club of  the big Wall Street boys.  In the Healthcare-ISAC, it is mostly,  providers and labs and  different hospitals systems and things like that. And we are  one of four very large healthcare providers that  are a part of it. There's not a lot of us at that level. 

Rick Doten: We are actually looking at the Financial Services-ISAC because there are more at our level as far as,  size. And I think that's more of a contributor to how we do things.

Rick Doten: I was on a round table yesterday and I said, Yeah, I represent a very, very large company who has silos of individuals in every single, role you can imagine. And I know that I am not,  like others on this call.  My viewpoint's very, very different

Rick Howard: If you surveyed a bunch of security executives across all verticals and had them rank stack each vertical in terms of cybersecurity maturity, my guess is that most would put the financial vertical somewhere near the top and the medical vertical somewhere in the lower third.

Rick Howard: It's no secret that healthcare leadership spends whatever cash they have left over, after paying the bills, on improving patient care as well they should. But it's also not a secret that healthcare IT and security operations are not subjects that the healthcare boards spend a lot of time on either. Denise says that healthcare tech people joke that the IT staff doubles as the janitor staff in order to save some money. 

Rick Howard: I've always assumed that the healthcare boards have assessed the cyber risk and have decided that they can just eat it, you know, accept it compared to the hundreds, if not thousands of other risks that may be more impactful. What is clear is that healthcare security executives are not getting nearly enough time in front of board members to talk about cybersecurity risk and CISOs are buried down in the leadership chain.

Rick Howard: Here's Denise.

Denise Anderson: A lot of them  report to maybe the CIO or someone else,  that then reports to the C-suite or may have another layer or two layers between them. In healthcare,  I would say the reality is that the CISO is not having the conversation with the board. Some companies  are,  the larger ones obviously,  the ones that get it, but I would say in general,  that is the case. I wouldn't say that they assess the risk and are willing to eat it. I would say that they don't understand how important cybersecurity is to their organization. 

Denise Anderson: One of the things I think is it's  starting to happen, but I think it needs to happen a little bit more is board level conversations in healthcare organizations so that the board understands and supports cybersecurity efforts within the organization. Too many times in the past, when there was a dollar to be spent, it was spent on patient care. Something that went to help the patient without realizing that now with cybersecurity and its disruption that it can cause so that people can't be treated,  could be just as important a factor as just the patient care dollar.

Rick Howard: Rick Doten agrees with  Denise about ICSO placement in typical healthcare leadership chains, but also points out that in prioritizing the four first principles strategies, resiliency is the one that should take precedence over the other three. 

Rick Doten: Healthcare certainly is way behind financial, as far as the importance of cybersecurity. Even the position of the CISO  all the big banks, our size,  reports to a board or,  some other things outside of IT, and all the big insurance companies, all the CISOs report to the CIO.   

Rick Doten: 15 years ago,  I was talking to a hospital system in Long Island. The CISO is, like what's the biggest risk to my hospital, you know, confidentiality, integrity, availability. And I knew the answer to this question and like it's availability. I said yes, there is HIPAA. Yes. You need to protect patient data. But if your doctors can't access data to make  lifesaving decisions, and people start dying, you're going to go of business a lot faster than if you have to pay a fine for a HIPAA violation.

Rick Doten: Resiliency is like a big thing for us is to make sure that,  the payments are getting paid to the doctors because particularly  in our kind of business,  we want to make sure that we are a good team member and we're paying  our providers timely and accurately. And, from a medical management standpoint, that the data is always available and accurate, so they can make   better decisions for health outcomes. 

Rick Doten: Yes, it needs to be protected and yes, it needs to be HIPAA certified and yes, all that kind of stuff. From a risk perspective, it's just making sure that everything is up and everything is working and yes, of course, it's gotta be secure. 

Rick Howard: Errol has a slightly different take. He points out that healthcare is a giant set of diverse activity and some of those subsets do quite well, like the ones that are similar to the financial sector, but others need some attention.

Errol Weiss: Healthcare, yeah, definitely.  There's plenty of room to grow from an investment standpoint. Some of the different sub-sectors that we see within healthcare, big pharma, insurance, payment,  very similar investment infrastructure that I've seen in financial services. They have phenomenal security teams and they're spending plenty on security.  They're doing a really great job there. 

Errol Weiss: There is plenty of room to go on the other end of the spectrum when we started looking at  health delivery organizations, hospitals, there are plenty of hospitals that have incredible security teams and  they've got money that they're spending on security, but we're reading about plenty of other hospitals in the news today that are getting bit by ransomware and other problems and leaking  sensitive patient information. 

Errol Weiss: You  spend five minutes, perusing, HHS's, I call it, the wall of shame.  It's public information. And you can see all of the data breaches that have happened in the health sector within then the last, I think, 10 years worth of data that's there.

Errol Weiss: We know that there is not enough security spending generally across the health sector. 

Rick Howard: Which brings us full circle to the question at hand, listening to those hundred pound brains about the difficulty of cybersecurity in the healthcare sector, you can certainly see that security executives have some distinct challenges, but do those challenges require different strategies? I asked Rick Doten if he thought that just the compliance complexities alone mandated a different set of strategies. He said that once you've identified the risk for each organization, the strategies for reducing those risks look very similar to the first principle security wall we've been talking about for this entire podcast series.

Rick Doten: We're looking  compliance as a risk. If we're not compliant, we can be fined or we can not  conduct business in a certain venue or state or whatever. The compliance might be more of  a standard, like an ISO compliant might give you access to bid on different projects or,  make it easier for you  to get customers or something like that. And so that may be a big impact  in a service industry or something. This  patchwork of different compliance and laws and regulations that different industries have, once you have it all down, the risk register all looks the same which is like your foundation wall there.

Rick Howard: Errol says that many of the strategies that he learned in the finance sector, back in the day, apply here as well in the healthcare sector. He points out that the threatscape is a bit different and maybe the attack surfaces too. But the strategies for tackling them are the same, regardless of what sector you work in. And Denise puts it succinctly. 

Denise Anderson: Basic cybersecurity, basic enterprise risk management strategies are the same. 

Rick Howard: In the last two episodes, we have talked to six experts in the finance and healthcare verticals. All of them concur that there is such a thing as a set of universal first principle cybersecurity strategies. They are also in violent agreement though that the tactics each vertical uses to prosecute those strategies are wildly unique and the priorities for which strategies get resources first differ based on the organizational culture and potential impact of different risk factors.

Rick Howard: And that's a wrap we aren't done with this conversation though. Next week, we've invited thought leaders from the energy sector to weigh in on this discussion so you don't want to miss that. And as always, if you agree or disagree with anything I've said or anything our guests have said, hit me up on LinkedIn or Twitter and we can continue the conversation there.

Rick Howard: CSO Perspectives is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And I am Rick Howard. Thanks for listening.