Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez. What are you guys having for lunch today?

Security. I'm having fish tacos and a couple of nice Gusto blondes. The beer, not the... those of you in Massachusetts or wherever, you know, it's not... not cannibals here. Yeah, it's made by us, yeah, you can check it out.

I've got pen testing work for lunch with a couple double shots, you know, to drink. And I mean the coffee, no... professional, with some koalas on the side. Yeah, a little clawless to get your mouth wet. Delicious.

Well hey, let's dive into it. Today we are talking about the wonderful topic of healthcare cybersecurity. Healthcare cybersecurity and HIPAA compliance are critical things, obviously. If you're in that industry, you know that, and if you're not in that industry, this is still a good episode, because a lot of these compliance principles, a lot of the things that we're talking about, probably filter over to your compliance requirements as well. It's all the same, just in different wrappers, really: talking about PHI, PII, all kinds of data requirements, a tremendous amount of overlap. So that being said, I've done enough talking so far to start this episode out. Mike, why don't you take off here with the news.

49% of all small medical practices don't have a cyber attack response plan. Cyber attacks are crippling healthcare providers by posing a threat to core functions and patient privacy, according to Software Advice. Survey findings reveal 22% of small practices have experienced a ransomware attack, 45% of large practices have experienced a ransomware attack, 23% of small practices have experienced a data breach, 46% of these breaches were caused by avoidable human error, and 42% of small practices and 25% of large practices spent no more than two hours on IT security and data privacy training in 2021. That's scary in and of itself. Small practices risk more significant losses in the event of a cyber attack, often due to lack of training, adequate security technology, and support staff.

It says 46% of breaches were caused by avoidable human error. Couldn't we argue that 100% of the breaches were caused by avoidable human error?

I mean, I would concur with that statement, but you'd have a big fight with a bunch of software developers.

Right. Yeah, I'd go high 90s just to be safe. But yeah, okay.

Okay, yeah, that way everybody can put themselves in the two, three percent.

Right, yeah, it's okay, we're all... you know, what was it? Back to 50 percent of people think they're geniuses, or whatever it was.

Yeah, they think they're... 50 or 90 percent of people think they're above average intelligence.

Yeah, and we know that ain't true.

Security flaw is found in 82 percent of public sector software applications. Veracode has released new findings that show the public sector, basically the government, has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors. Analysis of data collected from 20 million scans across half a million applications revealed these public-sector-specific findings, like sixty percent of flaws in third-party libraries are unfixed after two years, which is double that of other sectors. The public sector has the highest proportion of applications with security flaws at 82%. Everybody that's surprised the government's behind the times, raise your hand. That's all of you, I think, three million. All three million.

I did not raise my hand.

All right, so two million and less Lauro.

So three million less plural.

NSA employee indicted on sending classified data outside the agency. A National Security Agency employee is accused of sharing top secret national security information with an unauthorized individual in the private sector. The employee was arrested and the indictment unsealed on March 31st. The DOJ indictment alleges the NSA employee shared classified information related to national defense on 13 occasions from February 2018 to June 2020. The NSA employee was aware that the person was not entitled to receive the information and that the information could be used to the injury of the United States or to the advantage of any foreign government. The NSA employee allegedly sent materials while using his personal email address, because a personal email address is not considered an authorized storage location for classified information. The NSA employee faces 13 counts of willful retention of national defense information on top of 13 counts of willful transmission. Each charge carries a maximum of 10 years in federal prison.

Didn't read the acceptable use policy, exactly.
Palo Alto Networks' firewalls and VPNs vulnerable to OpenSSL bug. There's two stories on this, one by TechRadar, one by Bleeping Computer. A variety of VPN and firewall products from Palo Alto Networks have been found to suffer from a high severity vulnerability, the company has warned. According to Bleeping Computer, PAN-OS, the GlobalProtect app, and Cortex XDR agent software are running on a vulnerable version of the OpenSSL library. The vulnerability, tracked as CVE-2022-0778, was discovered three weeks ago and if abused can enable a denial of service attack or remotely crash the vulnerable endpoint.

Nearly 40% of Macs left exposed to two zero-day exploits. Between 35 and 40 percent of all supported Macs might be at heightened risk of compromise from two zero-day vulnerabilities that Apple has said are being exploited in the wild, but for which the company has not yet issued a patch. I don't know why. Apple disclosed the two vulnerabilities, CVE-2022-22675 and CVE-2022-22674, last week and described them as impacting devices running its macOS, iOS, and iPadOS operating systems. The company released updated versions of its software that addressed the issue for users of Apple's latest macOS Monterey, iOS 15, and iPadOS 15. However, in a break from its usual practice, Apple appears, so far at least, not to have released a corresponding fix for the flaws in the two immediately preceding versions of macOS, Big Sur and Catalina. So it's only fixed in Monterey.

VMware addresses several critical vulnerabilities in multiple products. VMware has addressed critical remote code vulnerabilities in multiple products including VMware Workspace ONE Access, VMware Identity Manager, vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products. The virtualization giant urges its customers to address the critical vulnerability immediately to prevent its exploitation. The good news is that the company is not aware of attacks in the wild being exploited, and users that cannot immediately fix these issues can apply the workaround instructions provided by the company. That's all in the article.

There's a couple of headlines that are interesting: Mailchimp is breached, intruders conducting phishing attacks against crypto customers. Germany shut down the Hydra darknet market. Identity fraud skyrockets, hackers stick to pre-pandemic techniques. And American Express got shut down for a while; their users report login and payment issues. So with that,
Lauro, what do we got?

Well, exploits. Thanks for the news, Mike, some good headlines there. Make sure you guys check that out on the site where we post all that info. A little bit more this week about Spring4Shell. I just wanted to let everybody know, if you haven't heard, a CVE is not yet to be assigned; however, as of Thursday a release of Spring Boot has landed, so you do have the ability to upgrade your Spring Frameworks off of 5.3.18 and 5.2.20, the vulnerable versions. So make sure you look into that. Also another exploit for this week: if you're using PostgreSQL, you should know there is a remote code execution with a really, really, really nice Python PoC to make this happen, and this payload is downloadable for everybody. So if you're using PostgreSQL 9.3 to 11.7, make sure you're updating that or adding in some sort of deny lists for some of the patterns. 14.2 is the current version for PostgreSQL, so if you're not on 14.2, what are you doing? What are you doing? That's all I've got for this week.

I would guess they're probably in the public sector then, because they're probably way behind, based on the news anyways.

Yeah. Well, outstanding. Let's dive into healthcare cybersecurity, but first we're going to take a quick commercial break and we'll be right back.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cybersecurity programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.

We're back. More talk about HIPAA compliance, healthcare cybersecurity, all the good stuff. And with that, I want to preface this conversation with the fact that a lot of organizations... I think this is a problem, we need to talk about it... a lot of organizations in the healthcare space think of HIPAA as being their only requirement, right, or being their requirement, and the reason why they secure their organization: for HIPAA compliance. But I would argue there's a lot more to think about than just typical compliance. Yes, it's a necessary thing that we need to do in the healthcare space, but there's a lot more to a holistic cybersecurity program. So I want to remind everybody of that to start with. But first I wanted to ask you guys: do you guys have any particular stories, tips, pointers, anything that you see going on today regularly in the healthcare field that needs to be addressed?

Well, I would say first, for the consultants out there that are trying to get into the medical space, make sure you spell HIPAA correctly. Two I's.

It's two I's, four P's, and four A's, exactly. Just like Mississippi. That's a key thing.

Okay, so I have one that I think is a problem, and that is the medical devices that are in some of the rooms and the operating places and things like that, where they've been purchased from a medical manufacturer that may manufacture this certain X-ray machine or whatever the case may be, and it comes with a predefined, pre-engineered, pre-configured version of Windows 98 with the app that's built in DOS in order for you to use the X-ray machine. And you cannot update it, but it has USB drives all over it. It's got like 14 USB drives and FireWire and a network port, but they don't want you updating it or modifying the software. The vendor of this medical device, right. I think that's a huge problem for health organizations right now, because like you said, Zach, it kind of has to be a blend of your healthcare information, right, because the healthcare industry wants you to... they have the oversight to say you need to secure your healthcare information. That doesn't give you the excuse to de-scope all the rest of your technology. Right, and so a lot of health organizations are kind of blending that HIPAA with NIST and other things, and so as they work to secure the technologies in the organization, they run into this problem a lot, of all these devices that have been purchased, and they're technology devices, but how do you manage those things, you know what I mean, if the vendor's saying don't touch it?

Yeah, and then a lot of them put it all on a flat network, so once you get hold of one of those you're just free, you have free rein, right.
Let's dig into that a little bit. Let's talk about, for those organizations, those leaders and companies right now in healthcare, whether it be facilities or laboratories or anything like that in the healthcare space: what can they do when they face the fact that, hey, we're going to have to run this equipment that was built many, many, many years ago, it's deprecated, we can't upgrade it, but it still has to exist in our environment? What would your recommendations be to them to secure the organization that's faced with that?

Well, the simplest thing is to not connect it to the network if it doesn't need to be, right. But if you're going to connect this to the network... a lot of these actually need AD to work. And if you have to connect it to the network, you put it in a separate VLAN and it's curviline.

Yeah, absolutely. I mean, I'd even go one step further and say they should somewhat be air-gapped. If they require Active Directory, they should be on their own air-gapped infrastructure with their own AD. That way, in case there's a ransomware incident, you don't lose your vital machines that are providing things like life support and stuff like that, right. So certainly a bad idea to keep them all on a flat network with the rest of your technologies that support the hospital or the healthcare system that you're running.

Yeah, and then, you know, they don't need to connect directly to the internet. There can be an intermediary, some kind of jump server that allows you to get to them, that kind of thing. Or jump box, I should say. So yeah, there are ways around it, and we can't be really specific because we don't know the specific requirements of every device out there, right. But we have dealt with companies before... I just remember one where we wound up meeting with the CEO, Zach and I did, and the guy came in and said, nope, I don't believe this is real, there's no way it can get hacked, even though it's on the internet. And the security... I think he quit like two weeks later.

So yeah, weird stuff happens, right. Certainly nothing is impervious to cyber attacks, right. Any electronic, over time, is gonna be compromised; time and pressure, right, that's all you really need. But to your point, yeah, there's a lot of different devices out there that the medical industry has to deal with. A lot of it requires some form of a beacon home, yeah, you've got to plug it into the network and it's got to call out to an API out there with the vendor, or it requires Active Directory. Hopefully you've got some of the devices that don't require any network connectivity at all; they just simply require a power cord, right. And in those cases I think it's important to make sure that even if they have network connectivity, if they don't need to be on your network, don't let them be, because the deprecated software is going to cause you problems. It's going to come up in a vulnerability scan, it's going to come up in an audit. If you can justify keeping those things disconnected from the network, I think you're going to be better off, both in the HIPAA audits and then any other type of technology audit or governance audit that you're doing, like NIST or anything else, because you can definitively say that they're air-gapped, right; they require no network connectivity. So it's a vendor-managed, third-party, pre-engineered device that you purchased, doesn't require network connectivity, but if anybody gets on it, looks, it's running... usually they're running a deprecated operating system, right, or a deprecated patch level, because they build them and they do an accreditation and a certification for the device functionality based on the operating system that is being leveraged at the time that they're built, right. And so they get this very stabilized build for this medical device, and then they reproduce it over and over and over again, and so it works as it came pre-engineered. If you start throwing patches and other stuff on there, it might not work, and if it's providing breathing or other types of emergency services to patients, there's a reason why you don't want these things being updated. But it causes that sort of break between a compliance posture and a security posture that you're supposed to be maintaining as an organization. And I think that's... I don't know, I mean... you guys driving, don't raise your hand while you've got your hands on the wheel, but I imagine that there's a lot of healthcare professionals out there that are kind of feeling the burn on this particular issue here.

Well, there's been a lot of healthcare hacks lately too, and I have to believe that some of it is tied to the devices out there. But one of the things we also have to keep in mind is, unlike a computer that gets recycled every three to five years, some of these devices (a) are highly expensive and (b) will be around for 20 years. They're not going to be replaced every three or four or five years, and that causes problems for the manufacturer, because when they built the device originally, Windows XP was supported. Well, now Windows XP is what, five operating systems ago, or four operating systems ago, from Microsoft. So there has to be a better way of doing this. And you know, with everything out there there's gonna be someone trying to break into it, right; someone's gonna try and break it one way or another. Medical records, for whatever reason, are the key piece that is like the holy grail for a lot of cyber criminals, simply because that's what they're going for and what they can mine, because there's a whole lot of data in there. But also, the other thing that we've seen is that there's a lot of foreign espionage on a lot of the high-end research that we're doing, like at the Mayo Clinic and other places like that, on cancer and limbs, artificial limbs, a lot of that biogenic stuff. So they're trying to hack our research and find out what we know and give themselves a jump ahead. So it's even more critical to keep those types of systems even further locked down, air-gapped if possible.

Yeah, there's certainly something to be said about the genome research that we're doing here in the United States, and that a lot of the big health organizations are maintaining a lot of that DNA, genetic information on Americans and health patients, and so it is good loot, right. And where I think the biggest struggle, from an attack vector, that hospitals and healthcare organizations have is the physical security. A lot of times, if you go visit somebody in the hospital, I guarantee you'll see that the nurse's station is really a card table pushed up against the wall with two computers and a monitor up there, and those computers are hooked up to the network and they have USB ports exposed. And that's the question: do you have the circumvention for a criminal that comes in with an ARM-driven or a mini Linux-driven USB that can then dump ransomware or yank out files or deploy some sort of remote access toolkit like nano cortex or anything like that? Do you have USB protection, where you've disabled the USB or you've whitelisted a specific type of USB drive? I think that's probably one of the largest concerns for the attack vector, because everybody goes to the hospital, and a lot of times those computers that the staff are using are right there, accessible to everybody who's walking through the hospital.
Yeah, and I think the argument is, you know, I got a patient crashing, I can't remember my 14-character password. So they have the usability problem.

Yeah, that's true, they do.

Yeah, that's an excellent point, the physical security aspect, which we just talked about in the previous episode. But I think there's a misconception out there that this cyber crime happens from criminals overseas, the Chinese and the Russians and stuff. Yeah, absolutely it does, but people forget that on the dark web, people want to make a quick buck, right. They can go on, they can get these jobs on dark web forums and post scenes and all that, and that job might be, hey, go plug this thumb drive in, or load this malware on your thumb drive and go plug it into some healthcare facilities around town, right, we'll pay in Bitcoin, that sort of thing. So that absolutely does exist and does happen. There are criminals right here in the United States, and it could even be a college kid just trying to make an extra buck.

Well, everybody can look up the story... to your point, Zach, sorry to jump in here, but everybody can look up the story that just happened in Memphis, Tennessee, where a man essentially wearing scrubs walked into Saint Francis and stole a bunch of equipment. And this is just a homeless person that happened to be at like a Goodwill or a St. Vincent de Paul and was able to find some old scrubs and threw them on and walked right into the hospital and walked right out with a bunch of stuff. So you're absolutely right, it doesn't have to be the Iranian drinking Mountain Dew in the basement of his hut or whatever, you know what I mean. It certainly can very easily be an American that is just down and out, or anybody else here who's, you know, wanna-be militia.

Yeah, definitely concur. Let's talk about everybody's favorite subject for a few minutes here, HIPAA compliance, and we happen to have an absolute compliance wizard on the line today, Mr. Mike Rotondo.

[Music]

What are you seeing? I mean, where are some of the big fails in HIPAA compliance, and how can organizations better understand whether or not they are in alignment with the requirements?

That's a big one. The biggest fail I see, and the most consistent one I see, is that someone will say, we have to be HIPAA compliant, we need all this documentation, so we'll go buy a documentation set, and then never look at it, never read it. So when they come to an audit... I've actually had this happen. All right, so are you doing XYZ function? I don't know what that is. And that's from the HIPAA compliance officer. So there's a lot of people, they're just trying to check the box so they can say they're compliant. So that's the biggest, that's the one that always sticks in my mind. Documentation needs to be personalized. You go through this, you need to verify what is important, what is being done. And then the other thing that I have is that usability factor that we always talk about, that balance. Small companies that are growing into larger companies always have the "well, we've always done it this way" attitude, which is not necessarily compliant with HIPAA, nor is it compliant with a security framework. And I think what's missed is a lot of these companies are like, well, I'm doing these HIPAA checkboxes, but that does not make you secure. So you have to couple HIPAA with NIST or CIS or something, just to ensure that you are actually secure while being compliant. And the best customers out there are the ones that understand that and are doing both. So that's my 30,000-foot-level view of HIPAA, without clouding, without outing anybody.

Mike is the I in HIPPA. Yeah, yeah.
Well, outstanding. The other thing, too, that healthcare organizations face, that's more prevalent than in some other types of companies, maybe tech companies, even brick-and-mortar, manufacturing, stuff like that, is, just like we mentioned before, the volume of people that go through the facility and the fact that you have to have access all over the place. So I think it's important for healthcare organizations, and we certainly do a lot of this, and some organizations are being more proactive than others, but remember to get your testing done, get your technical testing. By that I mean penetration testing, right. So get your internal and external network pen testing, your wireless penetration testing, even social engineering tests, right, physical intrusion tests.

Exactly. Get the actual testing done as it makes sense for the organization, as you can do that. Start with pen testing, because you can do everything right on the governance side and a misconfiguration or something could leave you open. So I recommend that. I mean, that goes for anybody, but I think healthcare organizations tend to have a broader attack surface because of what they have to... how they have to operate and how they have to serve their clientele.

So, well, they're a higher-profile target too.

Yeah, yeah, they've got super valuable data, and they're open to the public, essentially. So it's a very difficult attack surface to close effectively, and just being HIPAA compliant won't cut it, unfortunately. You'll have to blend that with NIST or CIS or something else that adds that more complete, holistic view, and not try to just protect the medical data, because you'll cause yourself problems by doing that.

You know, one of the other problems I was thinking of is the social engineering aspect of it. Not going at the medical establishment, but going at regular people, right. So if I call you and say, hey, Mr. Chavez, I'm calling to follow up on your surgery you had three weeks ago, how's everything going? Well, most people in their mind are gonna say, all right, well, he's obviously involved with my medical practice; how else would you know I had surgery?

So they forgot to get a safe post tagging the hospital. Yeah, my room number, yeah, yeah.

Doctor, I've been fighting like a goat and I can't stop ever since you worked on me. What happened?

So here's what my point is: the social engineering factor goes the other way. So these companies go... when they hack the healthcare provider, then they can go ahead and hack just a regular person, because they've got all this information: oh, can you verify your birthday, can you verify your address, can you give me a credit card, can you do this? And because most people, I would say most older people, I don't know if it still translates down to younger people, will trust a doctor implicitly without any question, or someone who comes across with medical permission.

Yeah, and there's been some fraud too, where some bogus collections agencies have been trying to falsely settle medical debt. So yeah, I think that's a big thing too, right. A lot of insurance is not going to cover a whole bunch of the costs of procedures, and so especially with COVID happening, you might have some extra costs at the hospital; you now owe the hospital, and if the data is siphoned, these fraudsters were essentially saying, hey, we can settle your $25,000 hospital debt for 500 bucks today, or something ridiculous. And it was actually a viable scheme that certainly brought them some money. So be leery of those things out there, right. But that unfortunately is... you're right, that social engineering aspect, there's a certain trust, right, that comes with the doctor-patient confidentiality thing. So that just puts it more incumbent upon the healthcare providers to be that much more secure, because it's not just "your data got breached"; all of a sudden the repercussions of your data breach expand far and away beyond what you see immediately. It's every patient.

Yeah, and if you look at previous cyber attacks, you'll notice that probably one of the most common ways that cyber criminals get leverage is that they're abusing trust. They're abusing things you trust. SolarWinds, great example, you know what I mean. That's why it's best not to trust anything or anybody ever again. Or trust but verify, you know what I mean, whatever.

Yeah, but yeah, exactly. Zero trust.

No trust. Yeah, it's negative, like negative a million trust. Yeah, just pessimism. And just, yeah, I think that's... it's not about the glass is half full or the glass is half empty, or the glass is holding half of its required contents. The glass might be a cyber criminal trying to take your data.

That's right. I got a voicemail the other day from someone pretending to be from a healthcare provider, saying, you know, we wanted to contact you, your employer contacted us and wanted to follow up with you on your healthcare. I was just like, all right, my employer? No, I'm an employer. [Laughter] And I do our benefits, and I haven't contacted anybody. But yeah, there's a lot of stuff out there. So yeah, but nice try.

Well, don't be social engineering Mike. He'll... I'll get you.
Yeah, but I do think that physical security penetration testing is super important for medical industries, because I think a lot of focus is put on the electronic controls, and they do a pretty good job. Obviously everybody's going to have those devices from the vendor that you don't even know what to do with; it's just like the horror show of the hospital, right. But I think a lot of laxness has been put into the physical security aspect of it, and there'll be a day, today is probably not the day, but there'll be a day where I get to tell a very generic version of a story where I got into a medical healthcare organization's data center. Yeah, and that really happened. That's not like, oh, I get to tell this fake story; no, it really did. I have two witnesses right here on the podcast with me.

So I know nothing, you know nothing, we'll talk about nothing. Anyways, but things like that do happen, and I think it's important that the healthcare organizations take a harder look at physical security, because the adversaries, again, they're going to abuse that trust. "Well, everybody coming into the hospital needs to be here." Not necessarily true, you know what I mean; you can see that from news stories and previous problems.

One key factor when you're doing physical penetration testing is to ensure that the people that know about it are working the day you do the test, because otherwise it can go really bad.

Yeah, yeah, definitely. Well, we had it... I mean, you might... yeah, or tased. Yeah, you're certainly going to be held at taser point or gunpoint if you're pulling these off, right. But like you said, Mike, it's important. Exactly, our process is that executive leadership is aware and they sign our little get-out-of-jail-free card, so to speak, that we're carrying around. But yeah, make sure the people that know are there.

Well, as we wrap up today, back to your first article that you listed, Mike, in the news: 49% of small medical practices don't have a cyber attack response plan. I would call it an incident response plan, but cyber attack response plan is good too. And then 45% of large practices have experienced a ransom attack, 22% of small practices have experienced a ransom attack. So really it's not a matter of if but when this stuff happens. So if you're in the healthcare industry, be prepared out there, and also be prepared for an eventual HIPAA audit as well, and follow a major framework. I don't want to beat a dead horse with that, because I think we tell people that on just about every episode, but it's got to be done. So that said, any final words of wisdom before we wrap up?

Following a framework is a very good prescriptive daily routine that I think all organizations that leverage technology for any part of their business have to be doing. So yeah, you certainly need to follow a framework and do your best to align to that. I think you're going to do yourself, as a security professional or security leader or a business leader, you're going to do the most justice to the people that entrust you with their data, and your employees and everybody else who utilizes your service, you're going to do them the best justice by following some form of framework for your operational processes.

Yeah, keep in mind: compliant is not secure.

Nope. We say that a lot, but it's true. I mean, it's... I'm tired of saying it, but I'm still shocked by how much I hear that people think being compliant is security.

Yeah, well, repetition is key to success in a lot of areas of life, and the fundamentals are too, right. So before you go out shopping for the latest, fanciest technology you can find and get your hands on, that you saw at Black Hat or whatever, make sure you get the fundamentals in place, and that's gonna help you manage risk a lot better. So that being said, thank you for listening to the Cyber Rants podcast. Check it out, cyberrantspodcast.com, where you'll see the news articles, and there's a web form you can reach out with topics you'd like us to cover. Reach out there or LinkedIn; I don't really use any other social media, but we are accessible. And I hope you enjoy this. Please subscribe, rate it, share it if you like this episode. If you know people that can benefit from us, it helps us get the word out, and news and everything else that we think people should know to protect their organizations. So have a great rest of your day and we'll see you on the next episode.