The Security Detail Download: Cyber Threats to the Healthcare Sector

Note: This is an auto-generated transcript, which may contain errors.

Zach Nelson: Long story short, eventually from cutting my teeth in IT, I always wanted to do cybersecurity when I was in the military. I did physical security as a military policeman. I injured myself, figured I can't fight bad guys in the streets, so I'd fight them on the Internet. And eventually found myself in cybersecurity, did some SIEM work, SOAR, incident response. I was always pretty enamored with intelligence. And so I went back to school, got a master's degree from University of South Florida and cyber threat intellige nce, and then also took the SANS certification, GCTI. Was looking to build out a cyber threat intelligence program for the mid-sized central Florida hospital system that I worked for (a Healthcare delivery organization) and through that, I think we became members of Health ISAC. I had an opportunity; I saw the job requisition and I said, it's time for me to grow, it's time for me to move to the next step. So I came into Health ISAC as the team lead of the Threat Operations Center. It's not something that they had before and something that they were looking to build out. To me, it's really not even about helping the members. It's about helping who the members are lo oking to protect. And that's essentially your family members, my family members, and protecting their data and making sure that when they go to the hospital that there's no downtime and that their services are not impacted in a negative way. And so if I can do that at a larger scale by augmenting the healthcare sector and being a part of that, that's really what drove me to be a part of Health ISAC in this position. 

Audra Streetman: And in your time at H-ISAC, how has the threat landscape evolved? Are there any new trends that you’re seeing in terms of cyberattacks targeting healthcare organizations?

Zach Nelson: Within the last three and a half years, as it's varied, you've seen some, some trajectory to where it's up and to where it's down. And it seems like the trajectory is still upward as you know a lot of the different ransomware groups are definitely seeing healthcare as a go-to source for where they might find some vulnerabilities that they can exploit. We do have a variety of intelligence partners, whether it be government or paid for, or people that understand the premise of protecting the healthcare sector and what that means. They provide us telemetry data that we send out in the form of a targeted alert to make sure that the healthcare sector stays resilient against those ransomware attacks.   
Audra Streetman: So, How important would you say information sharing is within this industry in particular? And how does H-ISAC help to facilitate that?

Zach Nelson: I can't encourage anybody enough to be part of an information sharing and analysis center. There's one for each bit of critical infrastructure, whether it be healthcare, finance, water. You have aviation, you have a whole variety of ISACs that fall under the National Council of ISACs, but due to the presidential directive back in ‘98, it provides somewhat of a system that's not subject to FOIA requests or anything along those lines.

It's tailored to just about anybody, whether you want to be a fly on the wall and just get the information that you need, or if you're looking to really show off what you're capable of, or if you're looking for best practices, to share cyber threat intelligence. Sometimes those targeted alerts that I mentioned before do come from other members that are looking at that content. 

Our purpose is really just to be that clearinghouse as the Health ISAC Threat Operations Center to help the members as a whole. But again, what we do as a Threat Operations Center is just a small piece of the pie of what a ISAC can do, especially Health IS AC. There's a whole variety of different workshops, road shows, different things where our members get together and share best practices and you can learn from others. So it's really an extension of your team per se, cause there's a lot of cash strapped organizations, especially within healthcare where there's a limited budget. So it's definitely helpful to have others that you can lean on, rely on and get the information shared to you when you need it and have others looking out for your organization.  

Audra Streetman: H-ISAC recently released a report with Booz Allen Hamilton about the cyber threat landscape for healthcare organizations. Ransomware was named a top threat to the industry, not only due to the financial impact, but also patient safety. How can downtime from a ransomware attack potentially endanger patients?

Zach Nelson: Ultimately, if a hospital shuts down and somebody needs to be rerouted and they're having a heart attack, that could potentially be a life threatening event. I'm not saying that that's necessarily occurred or if you are currently in the hospital and they have to go to downtime being part of a healthcare delivery organization at one point, we were always concerned about downtime and making sure that those downtime computers were up. And that's where I think your tabletop exercises come into play to make sure that everybody is aware of what l should occur should that event happen within your facility. That way business can continue to keep moving on as it should and you continue to protect those patients because you continually still want to have access to their data to make sure that you're giving them the appropriate care that they need and deserve.

Audra Streetman: And, HIVE Ransomware is one group known to target healthcare organizations and the FBI recently announced an operation that took down HIVE infrastructure. Do you think that's an effective way to fight back against these attacks?

Zach Nelson: Absolutely. I mean, it's very important that we do everything we can to deny, degrade, disrupt whatever the adversary is attempting to do against any organization. I actually had the pleasure as part of the InfraGuard group that I'm part of here in central Florida to have heard a great presentation regarding what happened with HIVE that I can't get deeply into. But what I can say out of this is, it definitely take advantage of those opportunities to be part of your local InfraGard groups, your IC2 groups, and whoever might bring in those types of speakers. So you'll have more of a pulse check as to what's going on with those organizations.  

Audra Streetman: Yeah, I thought it was interesting that when the FBI gained access to HIVE infrastructure, investigators determined that only about 20% of HIVE victims reached out to law enforcement. So, what’s your recommendation to healthcare organizations if they fall victim to a ransomware attack. Should they contact the FBI, and what’s your stance on paying the ransom?

Zach Nelson: I think we need to remember that the FBI is not a regulatory organization. They're not looking to come and get you. They're looking to help you in any way that they can. Definitely reach out to them. Based on what I heard in the Hive situation, I'm sure a lot of those organizations are glad that they did and for a very specific reason. But again, go to those InfraGard meetings to have a deeper and better understanding as to why. And then kind of going back on to what my stance on paying ransom and there's a bit of a loaded question and I know it's a common question that's asked. As long as we continue to keep pushing money into this ransomware ecosystem, they're gonna continue to go to it until that well runs dry. However, my only caveat to that is when it starts to impact in healthcare and it starts to impact patient safety and somebody can't get the appropriate medication that they deserve or they can't make it to the hospital because they have to be diverted and that's a potential obstacle to their well-being and staying alive. That's where I kind of have a gray area when it comes to stop paying the ransom. It's very important to me that human life is preserved, being in the healthcare sector. 

Audra Streetman: Absolutely, it’s a difficult decision when you add in the potential impact to patient care. In terms of initial access for ransomware attacks, phishing and social engineering are common adversary tactics. What do you recommend healthcare providers do in order to better l defend against these attacks?

Zach Nelson: Ultimately security awareness goes a long way. You know, I've had the joy of establishing through Cali Linux SET, our social engineer toolkit, the capability of phishing our own environment when I was at the healthcare delivery organization, and then we went over to a paid-for service. I think it's very important, again, going back to the tabletop exercises and also people don't know what they're up against until they know what they're up against. And if you don't train them, then you can't be mad at them for clicking on those links, clicking on those attachments. Now I think it's also very important that you have your secure email gateway tuned properly and go and get the appropriate vendors that are doing a better job of stopping these inbound attacks from occurring. And I think that's also a point of collection for a lot of organizations as they can start to look at that data and look past the indicators of compromise and begin to realize why attribution is very difficult. They can start modeling and predicting what may occur in the future that will help them  better reduce their attack surface.

Audra Streetman: I wanted to ask you about generative AI. There’s a lot of talk about how large language models like ChatGPT could lead to more sophisticated phishing emails. Are you concerned about that potential use case… and do you see generative AI as a tool that could be used for network defense?

Zach Nelson: I think that's a two-pronged approach.  You know, when I first began in cybersecurity, a lot of that was analyzing those incoming attacks through phishing. And, you know, we'd identify what those phishing attacks were, and then we'd reach out to the exchange team and have them rip out those emails out of the box. And that was commonly a telltale sign… how the email was crafted, you could pretty much tell what was a phishing email and what wasn't once you got very well versed in what you were doing. Now going into the AI aspect of that, I think this helps the adversary, especially if the language in which they're attacking in, is anybody can go into the ChatGPT and create just about anything in any language. The other day I wrote a Python script and... in a foreign language just to create a calculator, just to see if it would do it. And I found that to be very interesting. I think we need to embrace ChatGPT. I think we need to embrace AI because if the adversaries are gonna use it to attack us, we need to figure out how to embed it into our day-to-day lives to fight against it. So... Just as much as it can be bad, it can also be good to help us quickly identify what it is that they as adversaries are looking to attack us with and what we can do to leverage the same tool to defend against it. So I think we need to embrace it, create policy around it, appropriate policy within our organization so it's not abused, so it doesn't create data leakage within your organization of intellectual property or potentially PII or PHI or health records for that matter. S o definitely embrace it within reason.

Audra Streetman: The H-ISAC and Booz Allen Hamilton report I mentioned earlier included observations of advanced persistent threats targeting healthcare organizations. For example, North Korean state-sponsored threat actors are using Maui malware to target hospitals for financial gain. Is nation-state activity a significant concern for H-ISAC members?

Zach Nelson: I mean, I think that really boils down to the member and their field of view and who is after them. So you speak a lot about espionage or potentially intellectual property. So you have a lot of the different groups from a nation state perspective that are being sanctioned and they have nuclear aspirations in my mind. And so how do they continue to keep gaining the funds that they need to... move forward with their aspirations of protecting what they think is protecting themselves against other nation states from a nuclear perspective. And I think this is the way in which that they do it, is to gain money either via embedding mining malware on machines or endpoints for that matter, or even going as far as to establish ransomware within an environment to gain those funds. And you know, continue with t  heir nuclear ambitions.

Audra Streetman: I wanted to ask you about a new law allowing the US Food and Drug Administration to reject new medical devices if they don't meet cybersecurity standards. Essentially, under this law, medical device manufacturers have to release updates and patches after a product goes to market and they’re also required to provide a Software Bill of Materials. So, are you encouraged by the healthcare industry becoming one of the first to require SBOMs and do you think that will help reduce the attack surface for providers?

Zach Nelson: Absolutely, I do believe so. That was a common point of some level of contentiousness in the past. But I think it's very important to know what is in a medical device, what firmware updates, or if there is vulnerabilities within those systems, what needs to be updated, and that is definitely done through the Software Bill of Materials. I'm very encouraged with that. I think I went to DEFCON, what year was it? 2017 or 2018 and I remember they had a panel with the FDA up there and some other government agencies and everybody was kind of a little bit up in arms about, you know, when is there going to be some form of regulation within that realm of healthcare when it comes to medical devices. So, I'm very encouraged to see that they are kind of putting the hammer to the nails and making sure that those vulnerabilities are being shut down. And I know that there's some great vendors out there that are getting into that space and determining how you do a scan of a medical device to make sure that those aspects of firmware are updated. So it's not an attack vector that the adversary can leverage and taking their actions on objectives.

Audra Streetman: My last question has to do with budgeting and setting priorities. Oftentimes healthcare organizations are very limited in terms of their IT and security teams and the resources available to them. Where should these organizations focus their efforts to essentially get the most bang for their buck?

Zach Nelson: I mean, here's a shameless plug. Become part of your ISAC, It's probably the most bang for your buck, the amount of, you know, the amount of resources that are going to be at your fingertips consistently, the amount of other analysts, managers, directors, chief information security officers from a multitude of organizations from small, medium to big that you can bounce ideas off of. And in our case, I mean, if you go to our website, h-isac, I-S-A-C dot O-R-G, you'll be able to find the cost for the different tiers and... It's definitely affordable and it's probably the least amount that you're going to pay for anything, but you're going to probably get the most out of it.