Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode #32 - Healthcare Cybersecurity

This week, the guys discuss considerations in cybersecurity for healthcare organizations. Despite some people thinking that healthcare organizations have a completely different set of circumstances than other organizations, they must meet HIPPA Cybersecurity Compliance. However, that is not the case for the most part. They discuss despite some different nuances, it's still vital for Healthcare organizations to be equipped in cybersecurity and protection, and the same rules and protocols for HIPPA Digital Security can still apply.


Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Audi and Volkswagen Involved in a Massive Data Breach

Ransomware: Russia Told to Tackle Cyber Criminals Operating From Within Its Borders

Colonial Pipeline Cyberattack Proves a Single Password Isn't Enough

Unpatched Bugs Found Lurking in Provisioning Platform Used with Cisco UC

Critical Entities Targeted in Suspected Chinese Cyber Spying

Microsoft Gets Second Shot at Banning hiQ from Scraping LinkedIn User Data

Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire

Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping

The First Step: Initial Access Leads to Ransomware

Will “Data Poisoning” Be a Particularly Dangerous Type of Computer-Made Misinformation?


welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber criminals  and now here's your hosts mike rotondo  
zach fuller and lauro chavez hello  and welcome to the cyber rants podcast  
this is your co-host zach fuller joined  by mike rotondo and lauro chavez and today  
we are talking about health care and hipaa  compliance and all the important things  
that health care organizations should consider not  all of them because we only have uh limited time  
but we're going to get through as much as we can  today but before we do that mike why don't you  
kick us off with the news and you know strangely  think zach there's no health care hack news this  
week didn't find any but we're going to kick  off with audi and volkswagen involved in a  
massive data breach that's right if you've the  volkswagen declared that 3.3 million customers  
had their information exposed to the massive data  briefs that happened after one of its vendors left  
a cache of customer data unsecured on the internet  uh so if you bought a volkswagen between or audi  
between 2014 and 2019 or 2019 and 2021 you have  potential for a data breach and all i can say  
potential for a data breach and an oil leak  for sure exactly yes and that may or may not  
be environmentally safe so uh ransomware  russia ransomware uh russia told to tackle  
cyber criminals operating from within its borders  so the united states and g7 i think you've all  
heard there there you know met and talked and  came out with other fancy policy statements  
and then they made a statement to russia  basically saying or western china basically  
warning countries that allow ransomware groups to  operate from the borders don't make any efforts to  
deter their actions they will be held accountable  for their lack of action warning comes from the  
g7 and a joint statement published following g7  sub summit specifically calls out to russia to  
do more when it comes to stopping cyber attacks  and to identify disrupt and hold to account those  
within its borders who conduct grants ware  tax abuse virtual currency to launder ransom  
and other crimes president biden also went so far  as to give a list of 16 industries not to target  
which i believe putin will see as a target list  or basically say okay well we'll not hack these  
16 will hack the other ones so basically it's the  equivalent of stop or i'll say stop again russia  
and china are shaking in their boots right now  they're terrified i'm sure yeah it's successor  
you know i mean if they're letting them operate on  their borders i mean it's well it's cyber warfare  
right yeah i mean it's it's really something we  could unpack in a whole podcast episode but it  
yeah i just it just it just seems fabulous to me  but that's that's just me colonial pipeline cyber  
attack proves a single password isn't enough and  i've been saying this for a long time but darkseid  
gang was able to acquire the password to a vpn  account that was no longer in use yet remained  
active the single factor authentication method  granted the attackers access colonial's it network  
and in turn its sensitive data this incident  highlights several mistakes that are critical for  
enterprises in order to avoid falling victim to  similar attacks basically put into factor yeah put  
it in and here's the thing is that there's not a  framework out there right now that doesn't require  
it at least for all administrative level technical  controls right i mean so exactly and how about um  
when someone leaves the company you actually  deactivate their account including their password  
novel idea i think like something i think  you're onto something yeah bottle that up ict  
enterprise insights did a survey 2021 that 60 of  manufacturing companies are planning to increase  
investment in cyber security which is promising  however that still leaves another 40 percent that  
haven't figured it out yet we call them victims  yeah exactly maybe putin will reach out to them  
in a special way unpatched bugs found working  in provision platform used with the cisco uc  
the acadian provisioning manager which is used  as a third-party provisioning tool within cisco  
unified communications environments has three  high severity security vulnerabilities that  
can be chained together to enable remote  code execution with elevated privilege  
privileges they are cve 2021-31579 cbe  2021-31580 and cve 2021-31581 and 82.  
so look into that if you're using that critical  entities targeted and suspected chinese cyber  
were spying cyber estimates campaign blamed on  china was more sweeping than previously known  
uh respected suspected state-backed hackers  exploiting a device meant to boost internet  
security to penetrate the computers of critical  us entities that's the hack of the pulse connect  
secure networking devices it came up in april but  its scope is only now starting to become clear  
according to the associated press they have  learned that hackers target telecommunication  
telecommunications giant verizon the country's  largest water agency in the new york subway system  
among others so basically make sure that you're  patching all of your stuff microsoft gets second  
shot at banning high iq from scraping linked  in user data this is an interesting thing and  
it goes past the federal high q is basically a  competitor to linkedin and i didn't know that  
linkedin was owned by microsoft so but long story  short the u.s supreme court has granted linkedin  
another legal option to try to prevent high q  labs from scraping public information from its  
users profiles they've been fighting this for a  while but it appears what this really is is that  
it goes against the cfa computer fraud and abuse  act and the the issue here that the supreme court  
looked at is the ability for one person to do it  versus bots to do it because there's a concern  
about bot versus human and good bot versus bad  bot for this type of activity so stay tuned for  
that and we'll see if microsoft can crush someone  else hackers flood the web with hundred thousand  
malicious pages promising professionals free  business forms but delivering malware reports this  
isn't really interesting because we all and i t  have at some point googled or safari or duck.goat  
or whatever you want to use uh some kind of form  that we need some kind of template for a policy  
or a procedure or something of that nature well  what's happening is these business professionals  
are currently being lured to hacker-controlled  websites hosted on google sites an inver  
inadvertently installing a known emerging rat  or remote access trojan the attack starts with a  
potential victim performing a search for business  forms such as invoices questionnaires and receipts  
upon attempting to download the alleged  document template users are redirected  
unknowingly to a malicious website where the rat  malware is hosted so basically you're downloading  
your own by looking for forms that are already  done so make your own forms yeah i use like i use  
lycoses that's okay still yeah sure you know ask  jeeves they're they're all good i ask you if i can  
search lycos yeah there you go critical through  tech flaw opens millions of connected cameras  
to eavesdropping this is a fun one sis on tuesday  issued an advisory regarding a critical software  
supply chain flaw impacting through tech's  software development kit that could be abused by  
an adversary to gain improper access to audio and  video streams like zoom successfully exploitation  
successful exploitation of this vulnerability  can permit unauthorized access to sensitive  
information such as camera and audio video  feeds through feeds through text point-to-point  
ptp sdk is widely used by iot devices and  with video surveillance or audio and video  
transmissions capabilities such as ip cameras baby  and pet monitoring cameras smart home appliances  
and sensors to provide remote access  to media content over the internet  
they still have never one understood why someone  needs to have an intelligent washer and dryer or  
refrigerator but anyway that's beyond me if they  would get the clothes and like put it in there  
i would consider that intelligent and then and  then fold them and put them back or hang them up  
that would be awesome put creases in my in  my shirts exactly and get the ironing done  
properly that would be phenomenal but uh you  know surfing the web off my washer and dryer  
not a priority first step initial access leads to  ransomware surprise surprise ransomware attacks  
still use email but not in the way you might  think ransomware operators often buy access  
from independent cyber criminals groups who  infiltrate major targets and then sell access  
to ransomware actors for a slice of the ill-gotten  gains that's kind of what our evil does uh cyber  
criminal threat groups already distributing  banking male where other trojans may also become  
part of a ransomware affiliate network the result  is a robust and lucrative criminal ecosystem in  
which different individuals and organizations  increasingly specialize it specialize to the  
tune of greater profits for all except of course  victims this is a really good one to read out of  
proof point i highly recommend that you look at  the website and and take a look at this last one  
is that will data poisoning be a particularly  dangerous type of computer-made misinformation  
we all heard the screams of fake news fake  news misinformation and that sort of thing  
uh turns out that they're actually experimenting  um with different kind of tools of creating  
fake information to mislead cyber security  professionals that they may make so they  
would make changes based on the data provided  to them um and sort of trick them to allow  
hackers to get a leg up um this is kind of  interesting kind of a little bit dangerous so  
um be really careful where you're taking your  guidance from um and that's it for the headlines  
laurel awesome mike thanks for that so this week  with exploitation really only have one good one  
to talk about but it um it involves a piece  of software solution company called unified  
total connect and they're essentially  a small business unified office as a  
small business solutions provider they you know  claim to do stuff for restaurant services dental  
hospitality healthcare business auto service and  agricultural and they have got a pretty nasty sql  
injection um to the unified office of weight  business solution that was put out on the on  
the downloadable sites so if you've got unified  office total connect and you're still on 1.0 make  
sure you go back to the vendor and get an upgrade  to that and um yeah if it's not exploitable is  
it really vulnerable i don't know it's a good  question zach what are we talking about today  
well we're going to talk about healthcare but  before we do we're going to take a quick break  
and be right back want even more cyber rants  be sure to subscribe to the cyber rants podcast  
get your copy of our best-selling book cyber  rants on amazon today this podcast is brought to  
you by silent sector a firm dedicated to building  world-class cyber security programs for mid-market  
and emerging companies across the us silent sector  also provides industry-leading penetration tests  
and cyber risk assessments visit  and contact us today and we're back let's talk  
about healthcare so this is a big topic to unpack  but i want to start by saying and we'll see where  
the conversation goes i do want to start by  saying there are a lot of people out there  
that say that healthcare cybersecurity is  completely different and unique and it's a  
different animal and all that i wanted to start  by saying it's not right okay the fundamentals  
still apply you still need to follow a framework  you still need to get risk assessments and pen  
testing understand your environment right there  are compliance requirements so the fundamentals  
still exist but there are some nuances to it right  so it's not it's not that you're in a completely  
different boat if you're in the health care  industry not the case at all but cyber security  
is critical right because uh with all this  stuff going on um things like covid for example  
cyber criminals are taking advantage of  that and they're seeing the health care  
industry as a critical piece of our uh  of our nation's backbone which it is  
and they're exploiting it as much as possible you  know they know these organizations are strapped  
thin they got a lot going on especially in today's  environment so um they are taking full advantage  
and ransomware is prevalent in healthcare um  and uh organizations are really starting to  
wake up i think and realize that hey we got to  do everything we can to keep operations going so  
from there it dives into well what do or you know  it starts with what do healthcare organizations  
need to do you know i mean the fundamentals  everything we talk about on this podcast and  
various episodes but you know i for us it's always  well you have to start with risk assessment and  
testing understand where you are um and you have  to do that before you know to know how to improve  
right so i mean in my mind that's always step  number one um do you have any other thoughts  
well i think i think some of the nuances that you  you talked about that kind of separate the health  
care industry from from other industries  are i see i see kind of two places where  
that that's you know factual in one place is  that they get a lot of pre-engineered devices  
so a lot of the equipment that's being used for  lab work and for you know on-prem medical work  
are devices that are created by companies that'll  put a you know it's a you know a pump or whatever  
it is right that it does but it's controlled by an  operating system that you know can link to other  
other types of things and so those are kind of  embedded and pre-engineered and then delivered and  
so a lot of them aren't connected to the networks  right they're kind of a standalone device that  
you know someone would use in a room or someone  who's in a lab and so that's one of the nuances  
i i believe that you know kind of separates that  industry and then the other one is really they're  
they're maintaining a lot of vital information  on humans in regards to like bio weaponry  
and stuff like that genetic data and that type of  information right i think they have a lot of that  
and then of course you know i think just um in  general being that the industry that it is right  
i mean it's a it's a it's a critical industry and  as we saw in code like you said zach when when the  
hospital's taking advantage of you know the people  that are sick and the people that need that care  
they feel that even worse right um there's  actually a hacker group out there and i think  
it is our evil that says that you cannot use our  software to attack a health care agency that's i  
mean it's an interesting point because at least  they're trying to pretend to have a soul when  
it comes to stuff like that this is a complete  inside to what lauro was saying but i mean there  
is a lot of stuff out there and the other one is  prosthesis there was a large uh research company  
out here that was doing a lot of prosthesis work  that just got torn apart by chinese hackers so  
there's a lot of concerns out there um but there's  one important safety tip i want to give to all  
healthcare organizations that might be learning  that if the people presenting you with a proposal  
for working with you can't spell hipaa correctly  walk away that's great it's like eight p's it's  
like eight ps and four a's right is that what it  is three eyes yeah excellent point it does happen  
yeah that's what we we see a lot of you  know hipaa compliance a lot of organizations  
regardless of what they are from medical  laboratories to facilities to um med medtech  
like software as a service type companies  uh when they reach out you know of course  
hipaa compliance is important so you have  your phi right protected health information  
that's critical and that's generally the number  one concern but i think you're right when you say  
that you know there's uh like genetic data um  different types of biological information that  
are much higher demand even than phi especially  from nation state threat actors um some of them  
of which or some of which were earlier uh are  mentioned earlier in the podcast you know so  
those types of data that's that's a  whole nother level of security but  
i think most organizations are are primarily  concerned with phi and so they're looking at hipaa  
compliance they're considering requirements like  high trust and that sort of thing but i think it  
goes back to the fundamentals because of the  iot devices and the devices within a healthcare  
environment a lot of which are deprecated  right because they can't well a lot of them
yeah they're i mean it's it's um it's it's  unfortunate but there's just no way to keep  
keep a lot of those systems um current right so  there's good there that's i think that's always  
going to be the case so understanding  how to segment the environment and and  
um remove those from the basically from  public access is one thing but i think  
there's a whole other realm and the um and just  the sheer number of people that are accessing  
especially in healthcare facilities that  are accessing devices that's a whole other  
can of worms so to speak when it comes to policies  procedures standards staff awareness training  
all of that so you know i guess when if if we  start with looking at you know how does a health  
care organization know where they stand um there  are you know a variety of considerations there are  
risk assessments pen testing uh physical intrusion  testing right understanding the physical layer  
um of your uh environment or physical  security of your environment i should say  
and yeah because i think just yeah not not to jump  in here but with that with that physical intrusion  
piece if you're you know that's a good note if you  know if you're out there and you're listening to  
this and you're asking yourself how do i know if i  need you know a physical assessment as part of my  
you know annual hipaa penetration tests and other  things that you might do if you're holding genetic  
data or you have laboratory work i think it's a  it's a very important thing uh because you know  
like you know exactly my talk about those those  devices that they're they're they're certified  
right so from a vendor manufacturer is going to  maintain a x-ray device whatever it is it's going  
to be the software is going to run on a certain  version of windows usually right or something  
else right ubuntu or whatever and they're going  to certify that software to that version they're  
going to package that up and it's you know cool  little equipment with its buttons and all that  
kind of stuff and they're going to roll it out  to to the shops and this is going to be like okay  
you know this this widget that runs on this  version of software and you know all you need  
to do is plug it in and so there's a lot  of those are like that and how do you care  
and feed for that and like you said how do you  how do you properly segment those so that they  
if if they're susceptible to physical intrusion  because a lot of those thumb drives and you know  
a lot of the bluetooth and those types of  capabilities are still active on a lot of  
that system um and so it's super important that  that's a segmentation but yeah please continue i  
think you're right with the whole you have to do  everything you do for any other framework right
yeah you know we've we've actually heard  it's kind of scary because when you know  
medical devices are incredibly expensive  uh the organizations rely on them for  
their operations and patients lives in a lot  of cases and security seems to be the the last  
thing on a lot of people's minds when it comes  to that now we've actually heard the ceo of a  
prominent medical device company that has devices  in hospitals and facilities all over the world  
flat out say oh i don't care what happens with  these once they're delivered our job is to get  
them out the door and into the facilities yeah  that was horrible that was horrible i don't know  
when we say yeah this is this so this stuff's not  made up this is the reality is these devices they  
are going to be um decorated so i think you know  getting putting a lot of emphasis on um ongoing  
penetration testing like we talked about physical  intrusion testing that's going to be critical  
because you have to keep constant a constant eye  on the environment and on those vulnerabilities  
that exist um through all these types of devices  so it's it's a it's a big load to carry but it's  
one of those things that um especially medical  facilities that have you know more complex  
infrastructure than most businesses uh just  need to do i don't i don't see a way required  
yeah there's there's not a way around it and i  think that most hospitals and medical facilities  
tend to run really lean on it because they  don't see that as a requirement they see it as  
making sure the computers are running so you  can run notes and you can do that kind of stuff  
they forget or don't figure out a way to properly  provision the devices that need to be provisioned  
um do you put these devices in active directory  that are running x-ray machines or do you do how  
do you how do you actually deal with them and i  think they're overlooked a lot of time because  
it's all the vendors managing it vendor isn't  always managing it properly and it certainly  
can be deprecated we've seen that many times it  always it usually always is and you know there's a  
there's an interesting evolution that happens  with technology systems and businesses right  
you know they start out you know this this  thing that you know needs to be done and then  
you know people come and go and make changes and  leadership has different um you know ideas of what  
needs to be done so you have this kind of evolving  thing that has had lots of hands on it i call it  
like an ongoing painting you know everybody gets  a gets a chance to to paint something on the  
on the canvas and so what you end up with was  you know a leader that comes in that typically  
has a keen eye and an understanding of you know  the need for cyber security but he's inherited  
he or she's inherited a you know kind of  a again you know kind of a a put together  
a put together evolved sort of painting and how  do you finish it how do you make it you know it's  
supposed to be a castle or it's supposed to be a  sunset or supposed to be you know birds in a tree  
how do you make it that from the scribbles and  scratches that have been there before and that  
i think that's really part of the magic of you  know you know using these frameworks and and and  
leveraging your your capability in the business  to to kind of see that transformation happen  
um so you know you you have to you kind of  have to you can see that perspective that  
they're kind of stuck right i mean they have  these systems that and like you said mike we've  
we've dealt directly with vendors we've tried  to help them and they've shut us down because  
they don't they literally didn't care it's  a terrible thing to think about right that's  
going into our health care systems but um you know  that physical intrusion piece is you know i think  
necessary and real quick um but back me up where  did that happen mike where that um those those  
um vagrants were breaking into the hospital and  stealing equipment they put like on they put on  
like scrubs and they went in there and just stole  a whole bunch of equipment and tried to pawn it  
oh yeah there was california somewhere but yeah i  know i know what you're talking about but i can't  
think of the exact location but yeah i think  it was california somewhere yeah better reason  
for physical pin testing to you know test your  guard staff reaction and all that kind of stuff  
well yeah i mean you think about anybody  that that has you know enough that can  
walk into confidently into a building carrying a  clipboard or wearing a brown uniform carrying a  
you know brown box or uh you know scrubs with  a you know stethoscope and can walk into one  
of these buildings if they do it confidently  enough and most people aren't going to question  
it's the scary part that physical peace is very  critical so i mean you really need to have that  
and it's it's an important piece of something that  we do and it's something that we need to be doing  
more people need to be doing a lot you know  rather than going lean people need to be you  
know fattening up their i.t staffs and really  taking a look and i would love one day to walk  
in and see a new cio go we're going to strip  everything down and go to green fields we're  
going to build a parallel environment it's going  to be secure i realize we can't take everything  
down now but we're going to move everything to  this new environment once it's built properly  
and i don't think it'll ever happen but it's  a little dream of mine i think it is well get  
a physical pen test i mean you know it's a lot  easier for you know one of us to walk in um in a  
confidence you know kind of manner and you know  plug in a thumb drive to one of your computers  
even even most times more often than not your your  computers and your man trap are available to to us  
um or to attackers right um typically anywhere you  go yeah absolutely we leverage wireless as well  
um to lure to lure people away right um you  know there's a there's a difference between  
using your wireless infrastructure to actually  ingress your infrastructure and and get you know  
you know get get activities there versus luring  personnel away from your authorized architecture  
on ours to snoop right so there's there's a  different method of attack that you can use  
for that for that type of um you know technology  if you're if you're using wireless you're in your  
hospital so i certainly we certainly recommend  that right i mean we certainly see the benefit  
and we've demon we've been able to demonstrate  i think the benefit to all of those those types  
of activities but um it's so much easier to carry  a physical thumb drive right into an organization  
and just plug it in knowing that most systems  are in their network and you know if you've got  
a rubber ducky or a bash bunny or anything else  you've got some basic python skills you can do  
some really really really bodacious things with  um yeah i said that i was watching bill and ted's  
excellent adventure it's a good word good word  hey mike you do a lot of work in the hipaa  
compliance realm what what's your advice to  companies to ensure they're hipaa compliant  
and they're ensure they're operationalizing  it to maintain that compliance continuously  
i would say hire silence sector to help you out  with that well of course that's that's insane  
honestly i mean it you do needs to operationalize  it and then you need to integrate it and you  
start with building or starting we'll start really  find a framework right so hip is going to be a  
piece of your framework but hipaa is a derivative  in this so start with nist and start hardening  
the system from there and then integrate that into  bring your people online uh to work on this stuff  
you can find multiple crosswalks where you can  see where the critical hipaa pieces marry up to  
the missed pieces but really a lot of times what  we see is it kind of sounds a staff right i mean  
you got two it people supporting 500 users and  they're trying to be compliant and they're trying  
to be you know secure in the system and priorities  fall we see a lot of people just writing the paper  
so they can say i've got all these hipaa  policies and then you ask them and they say i  
have no idea what it says but we've got a hipaa  policy so um yes definitely operationalize it  
start gathering evidence prove it's done and  just truly be committed to actually doing it  
and stop you know chasing the next flashy thing  that comes along um build your foundation which is  
going to be hit by a mist and then go from there  i think it's like we say over and over a lot of  
a lot of organizations will chase one compliance  requirement to the next rather than starting with  
a foundational framework like miss cia miss  csf or 853 or something like that to build  
a more robust holistic program and then go from  there but yeah again those so those fundamentals  
remain the same in healthcare and you know hipaa  compliance again is focused on protected health  
information it's not a holistic framework by any  means um high trust gets some notability in the um  
in the healthcare world it is a pay to play game  i you know for most people that if they don't have  
customers demanding high trust compliance and  and audits and such uh nist csf and hipaa are  
going to be great and just you know stick with  those run with them and if you're in the med tech  
space software as a service system integrator  for healthcare or something like that of course  
the hipaa compliance all of that's going to likely  apply to you as well so make sure that you're  
you're speaking their language and and following  a good framework getting your pen tests all the  
fundamental activities that need to occur and with  that any final words of wisdom before we jump off  
here don't don't limit scope make sure that you  do the whole thing buy it all off right you may  
not be able to do it all at once can't shoot all  at once but you can certainly start because if  
you focus on a certain amount um the rest all the  security possibly their wings and it's still going  
to cost you risk so scope it all out just make  sure that your security vendor can spell hippo
wells three piece four a's 3b that's right that's  right well thank you for joining us everyone  
uh if you'd like the podcast subscribe  let us know reach out let us know what you  
want us to talk about topics of interest linkedin  or on our website are great places and by the way  
the news articles the links to those articles are  on the website and you go to the  
podcast page and you can find the episodes and  such there so thanks for joining us and we will  
see you next week