In this episode, Jason Nadal and Eric Englebretson, leaders from BESLER’s IT team, provide a 2024 healthcare cybersecurity refresher for Cybersecurity Awareness Month.
Highlights of this episode include:
- What is the state of the healthcare industry regarding security and trends
- A review of the largest 2024 cybersecurity incidents
- What some of the biggest risk points in organizations’ technology are
- What we can do
- Some specific technologies that can help with your security posture
Kelly Wisness: Hi, this is Kelly Wisness. Welcome back to the award-winning Hospital Finance Podcast. We’re pleased to welcome Jason Nadal and Eric Englebretson, leaders from BESLER’s IT team. October is Cybersecurity Awareness Month. In order to gain more awareness of cybersecurity, our IT leaders will provide a 2024 healthcare cybersecurity refresher during this episode. Welcome and thank you for joining us, Jason and Eric.
Jason Nadal: Great to be here.
Kelly: Wonderful. Well, let’s go ahead and jump in today. So where do you feel like we are in terms of the state of the healthcare industry regarding security and trends?
Jason: 2024 has been a really challenging year, more than other years. There have been large efforts specifically seeking out healthcare and financial data. So, healthcare in general has had a significant loss of privacy for patient records in the past year and in a lot of prior years. But I think most would agree, by the scale of the exposed information, that 2024 has been the most damaging single year for private data in our sector. So, some of the most recent examples of successful attacks each have some lessons that we can learn and apply to our own organizations. I’m seeing a lot of articles that are sensationalizing the data and numbers and basically just going for click views for the articles. But it’s helpful to revisit the reporting of the breaches a month or two later and kind of assess what the root cause of the breaches was. This is really where we can get most of our lessons and action items for what we can take back to our organizations. So here I’m going to go through the three most impactful breaches from this year. So UnitedHealthcare’s Change Healthcare subsidiary had a $22 million ransom paid to a ransomware group, the Russian-affiliated BlackCat, through a third-party intermediary who then released the stolen records anyway. So, one of the lessons we can learn from here is that even if you do pay a ransom for ransomware, there’s no guarantee that the malicious actors will do what they say that they’re going to do and not release your data. Or if they’re working with another party to launder the bitcoin to make the financial records harder to track, there’s no guarantee that there’s any honor among thieves, so to speak, that they won’t release your data.
So, the stolen records in that breach were more than 6 terabytes, or roughly 6,000 gigabytes of data, a huge amount of data. Some portion of this was just sensitive medical records. We don’t know specifically how many records or what specific data was in there. But since UnitedHealthcare processes 15 billion transactions a year, even patients that aren’t customers of United might have been affected. So, some articles and research say that it could be up to 45% of the entire U.S. population. So far, this has been a $900 million cost to UnitedHealth, and that’s still going. So, it’s been dubbed the most damaging cyberattack in the healthcare sector in US history. Looking back at what the root cause of this breach was, there was a single server that they identified that didn’t have multi-factor authentication. So even if the rest of the organization had plenty of checks and balances in, they found one server that had low security on it. They found a compromised password, likely somewhere else. This was probably credential stuffing. So what credential stuffing is, is the practice of using a password in multiple places. One other site that you use it in gets breached, that password’s out there, and then a bad actor can take that password and use it in your organization if they secure their stuff with that same password. So once it’s stolen from one site, it can be tried in another. And that attack led to an outage of so many services across the nation, such as the verification and processing of pharmacy prescriptions, and the ability for doctors to bill insurers or even to look at patients’ medical histories, for a substantial amount of time.
A second major breach, this one not specific to healthcare records but to financial records and private information, was National Public Data. This one was interesting because it was a third party that not a lot of people even knew their data was in. So, credit bureaus, TransUnion, Experian, would go to National Public Data to get information about people that had credit. So, what National Public Data did, they had such lax security that they published a file of plain-text usernames and passwords, not encrypted, just plain usernames and passwords out there in a zip file on their public website, which, for the amount of data it was, is a huge red flag as to what their security practices are. So, in that data set, there were Social Security numbers, addresses, and phone numbers that were made available by exploiting the mistake. And the net result of that is the risk of credit fraud for hundreds of millions of Americans. So, one thing to keep in mind here is some lessons about where to keep confidential data, how your usernames and passwords are stored, and just that constant reminder of always keeping your most sensitive information encrypted.
Thirdly, I’d like to talk about a more recent breach. This was a hospital group who I won’t name here. They settled a case where a breach involved photos of nude cancer patients posted online. So, this was the largest data breach settlement per capita in US history. They settled for $65 million for 134,000 records. So, what this means is there are different categories in this settlement, depending on whether your photo was released or whether it was a photo containing nudity or it was just personal information about you or your procedures that had been done to you. The cause of the breach was, again, the same Russian-affiliated ransomware group known as BlackCat, who targeted a single physician practice. So, what happened here was likely spear phishing, which we’ll get into a little later. But the lesson here is that ancillary access to your networks can be a soft target if those access points aren’t hardened and monitored in the same way that your overall internal network access is. It only takes one weak link in that chain to exploit and to pivot into your other systems. So given the high volume of people affected by the breaches we just touched on, in addition to the actionable items of looking for similar weaknesses in your own infrastructure or opportunities for greater education on the methods of attack, what should you tell employees or acquaintances about action items?
For financial information or private data, such as Social Security numbers, dates of birth, etc., credit monitoring and credit freezes are highly recommended. Most of us have received at least one breach notice, many of us from multiple breaches, and these usually include trials for credit monitoring services. So, you can try out several of these and have multiple services monitor your credit. And what you should do is sign up for those, have your credit monitored, and see which one provides the information that helps you best. Maybe with one service you get more constant notifications, or notifications by text or email in a way that’s better for you to monitor. Try them out, see which one works best for you. So, this financial data can be used to pivot onto other systems not under our direct control. So, maintaining a credit freeze and keeping a close eye on your accounts and on checks being made to your credit under your name can help protect you from the effects of your data being stolen. Further, use a password manager. Don’t use the same password on multiple sites. So, if you use a password in one place, generate another one for every other site that you use. And ensure that you enable multi-factor authentication, whether you’re on a website, whether you’re using an application on your phone, on your company network, or even a medical device if it allows you to do so.
Kelly: Wow, those were some significant security issues that we had this year. It has been a crazy year, that’s for sure. What about the malware or ransomware you mentioned for the hospital group? How did that get on the physician’s network in the first place?
Jason: As I said, that was likely targeted spear phishing as an entry point. Note that some of the physician data is actually public knowledge. So, it could either be directly published on a website affiliated with a physician group or with your hospital. And that usually has a small bio, giving a bad actor even more information to seem convincing on a phone call. There are public data sets also available, such as the list of all NPIs, or even the state licensure databases, which give information about what the doctor’s specialty is, where they’re practicing out of, and how they were licensed. From there, a bad actor can craft a story. They could represent a figure of authority. Similar to how, if you’re at home, you might get an email pretending to be from the IRS, they try to represent organizations that might be common in your daily work life. So here we’ve seen plenty of examples where we’ve gotten phishing emails pretending to be from Microsoft or Amazon, UPS, anything postal is a common target. And people are even pretending to be the Department of Justice, saying that they’ll send police to your home if you don’t send money quickly enough. So, the approach from the bad actor in this case is to be convincing enough to get you to perform an action, whether it’s clicking a link, going to a website that they tell you about on a phone call, or even clicking a link in a text message to install an application. Typically, then it’ll go on to something that looks like a credential entry screen. It usually will be fake. It’ll look pretty legitimate. But if you enter your username and password there, then they’ll have that. And if it doesn’t work due to multi-factor authentication, they can take that stolen username and password and try it on other sites. And if you’re reusing passwords, it could work somewhere else.
Kelly: Yeah, these bad actors have gotten very smart, for lack of a better term, about all this. And I know I get several emails a day pretending to be people, and I know they’re not legit, but I know it’s really difficult to determine what’s legit these days and what isn’t.
Jason: Exactly.
Kelly: Yeah. So, what are some of the biggest risk points in organizations’ technology?
Eric Englebretson: So, for this one, man, it feels a lot of times like there are just so many that we’re never going to get on top of them. Some days it feels like you push the security boulder up to the top of the hill and then it comes back down to the bottom because there’s a new risk or a new threat vector. Cybersecurity, honestly, is the number one thing that keeps me up at night. I don’t really worry about the servers or the databases as much as I used to. Dealing with a database outage is really almost cake compared to something like a breach. And again, healthcare data makes identity theft a breeze. So, we all know the bad guys want to get into your network to get at it. And we’ve got to get it right 100% of the time. The attackers only have to get lucky once. And so, we’re already at a disadvantage. And so, I want to mention some things that maybe most people may not think about. One of those things, we’re all familiar with the Internet of Things. You’ve got devices like garage door openers, refrigerators, thermostats that you put on your network, you give them an internet connection so that you can control them remotely, all useful, great stuff. But we’ve also got the internet of medical things as well. We’ve got things like ultrasound machines, blood glucose meters, infusion pumps, just different things like that, to name a few.
And so often, a big problem with these devices, and not just medical, but the standard internet of things as well as the internet of medical things, is that security is often an afterthought, if it was thought of at all. And what’s worse is that we place these devices onto a trusted network. Obviously, we’re not taking medical devices home to plug into our home network, but that garage door opener, how often does it get updated? Things like that. Ultimately, if you’ve got these devices on a trusted network, they make great targets for malicious entities trying to get a foothold into the network and then jump over to a device or workstation or server that has the data that they’re after. Some of our other risk points are things like, let’s say, an MRI machine. Well, the MRI machine has got to be controlled by something, and that can often be a Windows machine running something like Windows XP or Windows 7. Operating systems well out of support and no longer patchable. Just because Microsoft or the MRI manufacturer has stopped support, that doesn’t mean the bad guys have stopped looking for the vulnerabilities. Legacy devices like that are a huge area of vulnerability. And in many cases, the out-of-support or unpatched devices can allow an attacker a foothold where it basically almost looks like they’re asleep. Like they’re not really there, because what they’re doing is they will observe.
They’ll look at what they might be able to get to. They will see where the important systems are, and then they’ll jump. They’ll basically wake up, jump over to those systems once they’ve discovered vulnerabilities there, and then they’ll exfiltrate the data. That could be years – well, maybe not years, but in some cases we’ve seen that. But days, weeks, or months of observation and reconnaissance are far more common. And it’s a hard thing. You’re not going to toss out a perfectly functional device when its replacement is like a quarter to a half a million dollars. Hospitals are already squeezed tight from all sides and stretched thin, so it’s a really hard line to walk. And it could be, and I would actually argue that it is, that the reputational loss due to a hack is really going to far outweigh the capital expenditure costs for a new device. But if we put our security hat on for a second and we think about things like air gapping, which is physically cutting off network access for some of these more sensitive devices, or putting in some additional protections, firewalling them off from the servers or the workstations, we can eke out a few more years, but you really have to listen to your security people. I know that these security decisions aren’t easy, and I will say that Jason will tell you I’m often the guy advocating to make our users’ lives a little easier. But when push comes to shove, security often has to trump convenience. Yeah, the staff might be a little put out, but it’s going to end up being much, much worse if a ransomware attack, again, like that Russian BlackCat group, takes down key systems and everyone has to go to paper, if you can even do that at all.
Kelly: Wow, I mean, that paints a pretty bleak picture, Eric. So, what can we do as boots on the ground?
Eric: I know it does, and I hate that, I really hate that I’m painting that bleak of a picture, but I think ultimately the answer is constant vigilance and education. And I’m going to unfortunately delve into the area, I’m going to make it even worse so that I can make it better here a bit. Jason already alluded to this and covered it a bit, but I want to cover it again because I think it’s just that important. He mentioned both phishing and spear phishing, and that I think is really an incredibly significant threat to the cybersecurity landscape for most of us. I mean, like you alluded to, you’re getting multiple emails a day purporting to be from Microsoft or whoever. And I’m going to argue that that’s one of the most prevalent scams or schemes out there right now, just simply because of the payoff. Most people are familiar with phishing. You get a fraudulent email or text message that appears to come from Microsoft or Amazon or whoever, and they’re trying to steal sensitive information like usernames, passwords, credit card details. We’ve all seen the well-crafted emails that come from “Microsoft,” but if you look at the address, it’s something like joesmith@microsoft.supertech.ru, .ru being the Russian top-level domain. But not as many people might be familiar with what Jason mentioned, which is called spear phishing.
Spear phishing is a more targeted form of phishing where the attackers customize their messages to a specific individual or organization, and it makes them more convincing and harder to detect. This is what is really kind of a self-own here sometimes. Attackers will often gather the information from publicly available sources such as LinkedIn and Facebook. I’d argue nobody should be using Facebook, but I know not everybody agrees with me. But we’re all familiar with it, which is why I use it as an example. LinkedIn and Facebook get used by these attackers to pull data and craft personalized messages that can trick recipients, just us day to day, into divulging confidential information or performing actions like clicking on malicious links or downloading malware. And again, what makes it so dangerous is that we ourselves give the attacker most of the information. It’s only natural, right? When you get a new job, you want to share that, be that on Facebook, be that on LinkedIn or any other social media site. And due to the public nature of those sites, it’s easy to overshare. You go on vacation, you get your new job, and you post all the details about that. That lets attackers craft those messages, and they’ll spoof them so that it looks like they come from other people in your company, but they’ve got very convincing details. And that right there is kind of the big problem.
“Oh, this must be this person that they say that they are.” Maybe my coworker in accounting or whatnot because they’ve mentioned these details that I shared with everybody in the company. Once your guard is down, you may not notice that the site you just clicked on is actually MirrorSoft instead of Microsoft, and you’re entering your login credentials into a very convincing clone of a Microsoft login. And so, I think one of the things that helps here is to limit what you share on social media sites. You don’t give the attackers information they can use to disarm you by making their emails personable and mentioning personal details like, “Oh, how cute your new puppy is that I saw you posted on Facebook.” How gorgeous that beach looked from your recent vacation photos. “Oh, I’m such and such from the company that you just got hired on to.” Those little details are what, again, kind of disarm us a little bit and will kind of allow them to get a foothold into that email or whatnot and make us not pay so much attention. So, try not to give those little pieces of your personal life to them, I think is a really big thing. The other thing that I’m going to mention is to keep on the alert when you’re dealing with email messages you weren’t expecting. I used to say trust but verify, but now when I get an email, it’s almost always verify first and foremost. If I get an email and it is something that is out of the blue from a client, from a vendor, it’s like, if I didn’t ask for this, I do not trust this email. And I think that’s really one of the best ways. I don’t want to get everybody paranoid, but I do want everybody to pay extra attention. Constant vigilance, I think, is a huge thing here.
And Jason mentioned this as well. It’s really best, any place you can get multi-factor authentication turned on, wherever possible, do it. I think that’s a huge deal, just simply because, okay, let’s say you did accidentally put your username and password into a site that was crafted by an attacker. If they don’t have that multi-factor authentication, if they aren’t able to get that six-digit code or that message that comes to you that says, “Hey, here’s your code that you need to enter in,” it protects you even if you’ve managed to give away some of those keys. The multi-factor authentication really helps to protect. I think at the end of the day, education and vigilance are really the big thing. Teach your people how to identify phishing emails, phishing phone calls, texts, things like that. A simple thing organizations can do is to flag external emails, but definitely don’t rely on those alone. I mean, simply because your customers, your vendors, they’re still going to come in with that external flag. And so, you don’t want to just rely simply on that. It could have, again, the same external identifier as the legitimate source such as Microsoft. And so you’ve got to educate people: when you’re looking at an email, hover your mouse over the link, and things like Outlook and other email clients will tell you what that link actually resolves to, because it’s easy to say, “Oh yes, this goes to www.microsoft.com,” but in reality it goes to – I’m just going to make something up here – hackersite.ru. So, if you mouse over that, it’ll give you where it’s going to go and you can pay attention, or you can at least avoid something that might look like it’s safe but really isn’t. And pay attention to the actual email address. Why does Joe from Microsoft have an email address like joesmith@microsoft.supertech.ru, or an email address with random numbers and letters?
And finally, I think one of the other key things, Microsoft, if you’re a Microsoft shop, will do this: you can turn on link checking so that it will validate ahead of time if a link is valid or not.
Jason: Thanks, Eric. That was pretty detailed. I think there are a lot of signs that we could look for. And I love that constant vigilance phrase. It’s important to foster that culture within organizations. But I think in addition to looking for signs that things are right in the email, we also need to verify that it is the person that we’re talking to. So, one of the things that has been going on, it’s probably about two years old now, is a big trend of people asking for gift cards from the CEO, or on behalf of the CEO, when it seems pretty out of character. They try to foster that sense of urgency, like, “Don’t ask questions about this. We’ll talk about it later. I just need you to get me these gift cards now.” So, within that constant vigilance, try to verify who you’re talking to. Does this seem out of character for the person that you work with to do something like this? How do you verify that the person is who they say they are? So, you could call them back on a known phone number. But what about the cases where they’re calling you from a hotel room and maybe their cell phone’s dead and they can’t talk to you via your normal method of communication? So, in these cases, you could either wait, or you could talk to somebody else in the company to see if they’ve also gotten a similar request and if they’ve verified it properly.
One of the things that I like to suggest establishing for key communications with your stakeholders is a one-to-one passphrase that only you and that person know. So, this is something that you’re never going to say in a podcast like this. You’re never going to say it in a corporate briefing that you might post online. You’re never going to put this in writing out there in a public forum or on a company memo. So, I could look out the window and I could see a red bird and I could see a yellow flag. Maybe that combination is my passphrase with my direct manager, so that in the case of an emergency we have this code that we can use to verify who each other are. So, this technique, or other techniques, is especially important going forward because of artificial intelligence. Especially for people who are more vocal or on videos or give presentations more often, the more material that’s out there in public, similar to what Eric was talking about with Facebook before, is training information that people could use to make deepfakes of either the voice or video of that person. These are pretty convincing now. You could gather information about this, spin up a demonstration of this in a day or less, and have something that can be reasonably convincing to a person if you’re not too concerned with the speed of responses, or maybe the person just tends to be a bit more thoughtful and slower and more deliberate in what they’re saying to you. So having that code that’s not part of any AI training data should stick out like a sore thumb, as in, “Okay, this person can’t verify the challenge that I gave them.”
So additionally, several signs aren’t always true indicators of malware or a phishing attempt, but they are signs to look for. And you should promote an attitude where it’s safe to question anomalies. This is part of that constant vigilance. So, is there a change in speed for your online resources? Well, that may or may not be an indicator that something’s going bad, but it is something that you should be concerned about. And maybe you do bring it up to your IT department, maybe you check around with others in your department to see if they’re seeing similar effects. It could be a sign that something bad is going on with your workstation or your employee’s workstation. Is there an address bar in a browser that’s just shuffling through links, and you see things flashing up there where there shouldn’t be? That could be a sign of malware. It could be a sign that somebody’s trying to exploit a vulnerability in your web browser. But there’s a word of caution there, like with anything else. It might not always indicate an attack, especially if you use things like single sign-on. So that makes it a lot of fun to go through these things where you see things that may or may not indicate something bad, but your organization should have an environment where it’s safe to question these things.
Kelly: We really appreciate all those tips. There were some really great ones there. I know I can attest to all the great education that you all provide for us here at BESLER. Even in my personal life, I’ll just give a quick example. I received an email supposedly from my State Farm rep, and it was very odd. It was oddly worded. And it did not seem legit. It basically said that my payment didn’t go through even though it’s on autopay. And so, I thought about some of the lessons that you all have provided to us. And I thought, you know what? This seems a little fishy. I’m going to call State Farm. And so, I did. And she did verify that it was from her, but she was also very thankful that I thought to call and verify before I did something kind of crazy and foolish with sharing information with someone I shouldn’t. So, kudos to you guys, because sometimes these things are legit, but sometimes they’re not, and I would much rather call and verify and have it be correct than not. So I just want to give you guys a little shout-out there. Yeah, so what steps should you take to prepare for a security incident or event?
Jason: So, this is a complicated one. So, you should first and foremost have plans in place for incidents. You hope they never happen, but the best thing that you could do is plan ahead while you’re in a calm state of mind and not rushing about trying to deal with something that looks like a real incident. That’s the worst time to make calm, reasonable, and rational decisions. So having cookbooks, having communication lines set up in advance, having plans to preserve your evidence, that’s a really, really important one. You don’t want to jump to fixing the problem at the risk of destroying the evidence. A, it’s really bad for you in retrospect because it makes it look like you might be trying to cover stuff up. But B, more importantly, it could actually hinder your ability to fully clean up at the end, because maybe logs are missing of where an attacker pivoted to. Don’t immediately jump to restoring backups before you understand what the incident was, before you’ve reported it to the appropriate agencies. They might want to look in to determine if they could provide additional assistance in how to determine what happened and what to do next. So you also want to control messaging and be sure that information is shared.
This is a big one from the outside, where we’ve seen a lot of other places have breaches, where a lot of other places have had outages, where they’ve had to take their systems down while they determine what the scope of the breach is, what to do about their systems. And we’d be sitting here in the dark wondering, “What’s going on? Does this involve my data? Does this involve our clients? Does this involve our systems? Does this involve my personal data? Or is this just a couple of people unrelated to us?” Having no messaging at all is a really bad look. It makes your clients very nervous. It’s more important to be sure that you’re sharing some information about what you can share, but let them know that you’re on this, you’re doing things appropriately, you’re going to notify them as soon as you’re able to, and just have that communication to give an indication that you’re on top of this incident. So the other important thing is that in a lot of these situations, where there’s ransomware especially, one of the first things that you do is shut everything down. Turn off the ability for them to either encrypt more data in such a way that you can’t access it, or worse, to exfiltrate the data to their own systems.
So, shutting down those lines of access from the bad actor is important. However, in a lot of cases, there are networks where companies have stored their cookbooks, have stored their business continuity plans. You want to make sure that your key stakeholders on your business continuity teams have access to copies of those plans in a place that is distinct from your systems so that in an emergency, they’re still able to get to them, even if your systems are shut down. The other thing that’s important here, kind of preparation-wise, is have a plan for how you’re going to use these plans and try it out. Run through simulated attacks. Ideally, you want to have a situation that you’ve accounted for in your plans so that you can try out how those plans work. Ensure that you follow what’s in those plans during those simulations so that you’re used to going through and saying, “Oh, I need to go to this document for business continuity. I need to go to this procedure for how to restore backups. I need to go to this procedure to investigate how to search through emails for data exfiltration.” But once you’re done with that simulation, do a post-mortem, “What did work out of my plans? What didn’t? Oh, we didn’t have this vendor in there and they’re critical. We don’t know how to contact them quickly.” That’s something that you can improve on. Or, “We hadn’t accounted for this critical system. We don’t know how to restore it from backups.” So, you want to improve your plans, as I said, when you’re not under a real threat or an actual breach or outage. It’s the worst time to make changes.
So, one other thing you want to do is try to simulate a scenario that you haven’t considered in your plans. This will enhance your cookbook. It’ll provide another scenario that you’ve thought of. You’ll also want to challenge your employees to improve those plans and to think outside the box of the typical scenarios you’ve already thought of.
Eric: And I’m going to jump in here for just a second. I cannot stress how critical it is to do the post-mortem. I mean, there have been a number of things where we have done simulated exercises, and it wasn’t until the post-mortem that we hit upon something that we had overlooked. I mean, so, running these simulations and doing the post-mortems is such a great piece of advice.
Kelly: It was all great information, guys. Thank you. Are there some specific technologies that can help with your security posture?
Eric: There are definitely a few for sure. You’ve got some simple things like, again, if you’re a Microsoft shop, Microsoft Defender doing link scanning for Teams and Outlook on the local workstations or laptops or devices. You’ve got DNS and URL filtering, which I don’t want to get too technical. But those can be done by things like Cisco’s Umbrella or Zscaler or Netskope, and that is definitely not an exhaustive list. Those are just some that are top of mind for me at the moment. And those normally work by preventing your computer or device from resolving a website address so that your computer can’t connect to a malicious link like www.malicioushackersite.ru or whatever it is because it’s effectively denied the ability to look up that underlying server address. You can use those to disallow whole categories of sites that people shouldn’t be going to. The most important of which are those like the malicious sites, and these companies that I mentioned, they have teams dedicated to figuring out what sites are malicious and then they update those definitions kind of like antivirus on a constant basis so that if somebody does try to go to a malicious site, you’ve got one level of protection that’ll just simply even keep you from going there at all. You’ve got newer defenses too. The big buzzword is, of course, AI or artificial intelligence. We could probably do a whole other podcast on this, but I’ll cover it real brief. Everybody’s probably right now because the big buzzword is an LLM.
LLM is a large language model. It’s a type of artificial intelligence that’s really designed to understand and generate human language. Again, we could probably do a whole podcast on this, so I’m just going to– I’m not really going to cover the LLM because I don’t really think that that’s really where it’s going to be at on the security side. There’s a broader category of AI called machine learning. At its core, machine learning is a subset of artificial intelligence and it uses algorithms trained on data to perform complex tasks. That sounds like a whole bunch of gibberish, but ultimately what you can think of just very, very simply, and this is a 10,000-foot overview, pattern recognition is one of those things that it does really well. In IT, we generate an absolute metric ton of data from workstations, servers, medical devices, network gear, cameras. I mean, the list goes on and on and on. Human beings simply cannot sift through it all. But if you use something like machine learning, a security scanner can see patterns. Let’s say you’ve got a user, we’re going to call it Bob, that normally uploads data to a client at various times throughout the week. A security scanner will see those patterns develop. And more importantly, for our purposes, it’s going to notice inconsistencies. If Bob, and maybe this is a malicious actor that’s trying to fool your security scanner, suddenly starts uploading data outside of the established norms, like let’s say it’s still an upload at 4:00 PM just like Bob normally does. But this time it’s to North Korea instead of the normal 4:00 PM to North Carolina. A human might not even notice just because of all the data it has to sift through, but a security scanner that’s designed to look for these things can ingest that data and then within a few seconds go, “Hey, wait a second, this isn’t right.”
And when well-tuned, it can go ahead and shut those things down. And I think that’s going to be one of the biggest boons to us in IT healthcare and security is really machine learning when properly tuned because it can be reactive to those abnormalities, again, within seconds, rather than weeks or months that it might take a human if a human even noticed it all. And machine learning, I think, again, is going to be really huge in transforming a number of industries by providing those sorts of insights, not just security, but again, we’re focused on security here and that is one place that it can really help.
Jason: So, another thing that can help security posture, again, with this constant vigilance theme is reinforcement throughout the year via education. And we’re talking about technologies. There are platforms out there that do a lot more repeated and small-dosed security messages. I’m not going to mention specific vendors here, but the idea is to focus on what’s more recent in trends. For example, there’s a focus in security on pig butchering, which is a practice of playing on the emotion of a victim’s loneliness in order to achieve a goal. So, the hope is that they’ll find a soft target that maybe doesn’t have a spouse or somebody that they’re with and play on their emotions to be friendly with them, lead them on, and then maybe pivot towards information about their business, things that they could use to pivot to get more access into your organization. So just like with spear phishing and phishing in general, the thought is to get that little foot in the door and just widen it up with more information and more systems that you could pivot to an attack. So, keeping your employees and people educated on what to look for, what’s new out there, what new techniques are these attackers trying, helps you stay ahead of it, at least be aware of what to look for. So, it can also help to have a periodic digest that you share with your organization of some of these large-scale, successful attacks so that your employees can see what can be improved in your posture.
Here at BESLER especially, it’s not a one-person job. No one person can handle all the security. And I’ll say for us, no two people, me and Eric, are not the only people here involved in this. Every employee we have has to be trained on this and kind of know what to look for to help us. Because as Eric said before, it only takes one mistake when they could do as many attacks as they can. There could be several groups. They could be doing things in off hours when we have to sleep and eat and spend time with our families. So, you can see through these attacks that have been successful, “How did it happen? Would we have succumbed to that same attack at our organization?” Some of these simulations for phishing can open up people’s eyes to falling for an attack. I do like running phishing simulations, and that’s kind of the practice of sending out fake phishing emails to your own employees. But I would strongly recommend not making this personal like, “Oh, I see, you failed this phishing attempt. How bad of you was that? You really need to do better.” Don’t make it personal. Don’t make it punitive. We’re trying to make our organization better. Help your people understand how this helps us. It helps them know what to look for. And sometimes, myself included, it helps seeing what you did wrong to not make that same mistake again. It’s better that it’s your people than the malicious actors. So help your organization to see this as an aggregate. “How are we doing as a company? Did we all succeed at not dealing with this phishing simulation in a manner that wasn’t safe? Or do we need some more work on this, some more education?” So that’s something that we can learn about there.
Kelly: Yeah, that education is certainly key. Well, thank you both so much for joining us today, Jason and Eric, for sharing your tips and your insights on healthcare cybersecurity. We really appreciate it.
Jason: Sure, I guess I’ll close out by saying a couple things here. This year has been a rough one for attacks, certainly. But the most important things you can do are be on the lookout for the weak links in your security infrastructure, because you can rest assured that the bad actors are trying to find those soft targets. Keep pushing the education. Keep pushing that culture of being on the lookout for risks. And I could say as the person who the reporting goes to, I’m never upset with the report that winds up amounting to nothing. It just shows that our people are on the lookout and kind of helping to protect our company and our clients.
Eric: And yeah, everyone’s busy. It’s really easy to let security slip off to the side. And like Jason, I really want to stress the constant vigilance. Again, educate your users on remaining vigilant in the face of all of these threats that we’ve talked about, but don’t beat them down. The short little trainings are, I think, perfect. Find that balance. You want your users to partner with the security team. At the end of the day, we all want to turn in our best work and help our patients or our organizations. We all support the best outcomes for us all. And security does not have to come at the expense of that. In the face of a lot of these real and prevalent threats, we can work towards a more secure environment that’s still incredibly functional. Like Jason mentioned, I think 2024 has been a rough one. And the Change Healthcare incident can really be a watershed, or that coupled with 2024 as a whole could really be a watershed year for us to reevaluate our security setups and just make them better for all of us.
Kelly: Agree. There’s a lot to learn this year. Well, if a listener wants to learn more or contact you to discuss this topic further, how best can they do that?
Jason: There’s a contact form on www.besler.com that anyone can go there and fill out your name and contact info and whatever question or content that you want more information about, and we’ll reach out to you and try and help you out as best we can.
Kelly: Wonderful. Thank you for that. And thank you all for joining us for this episode of The Hospital Finance Podcast. Until next time…
[music] This concludes today’s episode of The Hospital Finance Podcast. For show notes and additional resources to help you protect and enhance revenue at your hospital, visit besler.com/podcasts. The Hospital Finance Podcast is a production of BESLER | SMART ABOUT REVENUE, TENACIOUS ABOUT RESULTS.
If you have a topic that you’d like us to discuss on the Hospital Finance podcast or if you’d like to be a guest, drop us a line at update@besler.com.