
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Healthcare Ransomware: When Cyberattacks Turn Deadly
When ransomware hits a hospital, it's not just data that's at stake—patients are dying. Ed Gaudet, CEO of Censinet, reveals the shocking research proving what healthcare security professionals feared: cyberattacks on hospitals directly increase mortality rates and disrupt life-saving care.
But Ed's biggest concern? The eerie quiet before what he believes could be the next wave of coordinated attacks across multiple critical infrastructures. Plus, why Microsoft's approach to AI integration is making cybersecurity professionals lose sleep.
Key Topics Covered:
- Why ransomware attacks on hospitals increase patient mortality rates
- The research behind healthcare cybersecurity's deadly consequences
- How the healthcare industry's digital transformation created new vulnerabilities
- Microsoft's problematic approach to forced AI integration
- The evolution from individual hackers to organized cybercrime syndicates
- Why Ed's "Spidey senses" are warning of coordinated infrastructure attacks
Don't wait until your organization becomes the next healthcare headline. Subscribe for more critical cybersecurity insights that could save more than just your data.
#healthcarecybersecurity #ransomware #patientsafety #cybersecurity #infosec #healthcare
Speaker 1: You're listening to The Audit, presented by IT Audit Labs. My name is Joshua Schmidt, your co-host and producer, and today we're joined by the usual suspects, Eric Brown and Nick Mellum of IT Audit Labs. Today we're also joined by Ed Gaudet from Censinet, so we're going to be talking about ransomware and how that's affecting patient health. Um, I know you've done a lot of work with that, Ed, and so, more specifically, when ransomware attacks hit a hospital, most people think it's mostly about stolen data, but patients are actually being impacted by these attacks. So we're going to get into that today and, without further ado, I'm going to turn it over to Ed. Can you give us a little background on yourself, Ed, and what you've been working on?
Speaker 2: Yeah, thanks, Joshua. Thanks, folks, for joining the podcast today. I'm Ed Gaudet, I'm the CEO and founder of Censinet, and I guess you'd call me the serial entrepreneur, although I hate that label. People are so much more than the labels, right? But I've been at tech and solving problems with tech since I graduated college, so it's been a long, strange trip, as they like to say in the wonderful world of the Grateful Dead, Joshua. I thought I'd throw that in there.
Speaker 1: A little shout out to the song. We talked a little bit about that earlier. Yeah. Speaking about connections, Eric just joined you on your podcast Risk Never Sleeps, which you aptly named after the Rust Never Sleeps Neil Young record, I believe.
Speaker 2: I did. Yeah, I did. You know, I was thinking about a way to personify risk, and especially in healthcare. It's 24/7, right? It's not a bank, it doesn't close right after five. Patients are coming in at all hours. Care is being delivered at all hours, so risk is always there, it's always on, it's always present. And when you think about the personification of risk, you know, people, we eat, we sleep, we work, we play. This notion of sleep was really interesting and pertinent, because risk never sleeps. It's always there, it's always on.
Speaker 1: Well, I'll start out here with a little statistic, then I'll turn it over to Eric and Nick a little bit here. You shared with me: from 425 incidents impacting 27 million people in 2020 to 592 incidents affecting 250 million in 2024. What's driving this explosive growth in healthcare-targeted attacks?
Speaker 2: Well, I think the bad guys are following the money, right? It's the old adage, you know, bank robbers steal from banks because that's where the money is, right? So it went from data theft which, again, you know, is problematic, especially as finance has figured out a way to make people whole if they lost their identity. But in healthcare it's a little different. If your data's out, your data's out. It's hard to get that genie back in the bottle. And that was all good and well until right around '15, '16, when we started to see this thing called ransomware occur, and it was the ability of the attackers to actually shut down the operations based on the data, so locking up the data in a way that was unusable. So therefore you couldn't operate. And today everything, most everything, is digital when it comes to patient care, and this notion of locking out doctors and nurses and clinicians and administrators from delivering care becomes a real problem, especially if you're 24/7, 365 days a year. You've got people that are getting ready, maybe for surgery next week or the next day or in a couple of hours, or somebody is coming in via ambulance and they can't get into the health system, and maybe that health system is in a burgeoning city, so the next one is maybe a mile away or two miles away. But if you're somewhere out in the country and the next available hospital is two and a half hours away, that's a problem, especially if you're the one in the ambulance having the heart attack, right? Minutes mean muscle and muscle means lives. So we started to look at it and we started to, again, anecdotally, believe that ransomware and these attacks and these incidents, events, were causing patient harm. But no one really could point to any research, qualitative or quantitative or otherwise. So we, back in...
Speaker 2: I think it was actually during COVID, we approached the Ponemon Institute. You may know them, Larry Ponemon does a lot of research on the cost of a data breach and the cost of a data record stolen. And I had this thesis that, hey, there's more happening within the healthcare environment than we know. It's not just the data theft, it's actually impacting care. So let's qualitatively study that. And so we built out a research study that literally showed if a hospital had a ransomware attack, they were getting some increase in mortality, or they were getting diversion of care coming into an ambulance, or they were canceling labs or other procedures.
Speaker 2: We were seeing this data and realizing, holy cow, qualitatively or otherwise directionally, something is happening here. And then, I think we published that on a Wednesday, I got a call from Josh Corman over at CISA and he's like, what's your methodology? I shared it with him. He said, we're publishing a study in two days which is quantitative. It'll back up what you're finding. So that's when we realized, okay, we've got a big problem here. Right then we realized this is more than just data. It's about lives, saving people's lives. And it became personal, because everyone has been a patient or they have a family or a friend or a mother or an aunt, you know, sister, brother or friend hooked up to a life-saving device, and you definitely don't want a ransomware attack on that hospital or that device.
Speaker 3: How do you, in your point of view, how is healthcare industry cybersecurity different from outside healthcare, whether it's OT or private organizations, a school district per se? Is there a big difference between those two areas?
Speaker 2: Well, I think, if you compare it to traditional industries, and again, having been through creating products for many different companies and focusing on many different industries, I've always looked at healthcare as late adopters of technology. They used to be five years, you know, behind everybody else prior to 2009. And then in 2009, the Obama administration passed the HITECH and the ARRA legislation, which provided really a forklift upgrade of the technology infrastructure for these healthcare organizations, and they were able to really digitize all paper-based processes, right? Care delivery, which was on a paper chart, went to an electronic medical record or an EHR, an electronic health record, and everything else around that that supports the electronic medical record was also digitized, right? And so now you went from not having to worry so much about downtime of servers or your network or your infrastructure to, wow, if it goes down, we can't deliver care.
Speaker 2: And it was in a very short period of time, 2009 to, I'd say, 2019. Really, that 10 years was a very transformative period for healthcare. Whereas it took, you know, everybody else sort of at the pace of the technology, right, healthcare had to catch up. So you had sort of that compression of that infrastructure update, the transformation of all those processes now onto electronic systems, and then you throw on top of it the introduction of ransomware. It's the perfect storm.
Speaker 4: And Ed, I spent some time in healthcare over the years doing some of those transformations of systems, going from paper to tools like Epic, and the ICD, or the International Classification of Diseases, was that ICD-10? I think ICD-10 is the current version of that, and I'm interested in your take on this, but what I learned about that was largely this transition from paper to this electronic health system. Yes, it benefits the patient, it makes data portability easier, but also it is really to the benefit of insurance, and these ICD codes are billing codes that insurance uses. And there's, you know, you can search on the internet, there's some pretty funny ones out there, like "encounter with a duck" or, I think, there's like "initial bite from a pig" or something, just these different codes. And, you know, there's thousands of codes, so that essentially care is provided, and then the care that the person receives is codified, and then that helps insurance.
Speaker 2: With reimbursements. Exactly, you're spot on, Eric.
Speaker 4: You know, as you think about it, it is absolutely wonderful that as a patient I can log into a portal and I can get information about the care that I just received, I can see the doctor's summary and all of those things. I think insurance has driven a lot of the technology advancements, but with those advancements, as you say, in the healthcare space, it introduces a ton of risk, and we've seen over the years millions of records exposed in ways that they really shouldn't have been if they had been protected with due diligence.
Speaker 2: Yeah, that's right. And, you know, I feel in some ways, you know, we made such progress on the threats around ransomware, and now we've got a new threat which has exponentially opened up the attack surface, called AI. I'm sure you guys have heard that. Yeah, so, you know, on one hand, we wouldn't be able to realize all the workflows into those use cases to deliver better care outcomes. We always talk about that and applying technology to do that, but for the most part, I would say over the last decade or two, we've really been, you know, paying our dues, if you will. It's been more painful than it has been a process of healing. I feel like we're starting to go through that now. But with AI, there's a huge promise around the advancement of technology. The problem is that it exists within the context of all of the products and services that we currently use, that are in inventory, right? And some of them we know about, but most of them we don't know about.
Speaker 2: I remember when Adobe, you know, turned, I don't know if you guys went through this, but all of a sudden Adobe's got AI in the product, and I'm like, what the hell? I'm trying to turn it off. I can't find the actual X. There's no X to turn it off or disable it or anything. So I go on Reddit and Reddit's like blown up, it's all red, right? It's all about, they're just slamming Adobe for putting this in and not letting you turn it off. They eventually recanted and they made it optional, but man, it was brutal. I literally had to uninstall it, because we're a security company. I couldn't risk having Adobe do whatever it was doing. I had no idea what it was doing.
Speaker 2: That was the point, right? And so I immediately took it off my system and then I monitored it, and then, shortly thereafter, they did the right thing, which is good. But Microsoft's doing the same thing. Shame on you, Microsoft. Like, you're doing the same. I turned you off, and then you turned yourself back on.
Speaker 3: What the hell?
Speaker 2: Why are you doing that? What is wrong with you? Right, it's a big, it's a huge issue. What are they doing? Why are they doing that? Do they not learn? But sure enough, they don't learn, right? So you imagine that's just on our own laptops, right? Imagine you're a health system and you have to manage thousands of nodes and endpoints and laptops and devices, both personal and professional, and they're turning it on and turning it off and all hell's breaking loose. That's what the CISO and the CIO are dealing with today, on a daily basis.
Speaker 3: I think the issue that we had, if I remember this correctly, it was at a client, and they're obviously a Microsoft shop, and Microsoft's migrating MFA, and I don't have all the details in front of me right now, but we had the text option turned off at the client so you couldn't receive the code through the text, and you had to tell us the time to migrate. We had all that in place. The migration was basically done, but it hadn't been turned on yet, right? Because we weren't quite to the point. Microsoft, on their own, turns back on the text messaging option, and somebody did do it with a phishing email. They used that login to get into the personal Gmail on a company computer, received an invitation for a luncheon, and they clicked it, went through, so we had an issue there. It could be worse, it could be worse.
Speaker 2: Nick, we could be at a Coldplay concert with our HR director. I had to do it, guys, I'm sorry.
Speaker 1: Too soon.
Speaker 4: Too soon.
Speaker 1: No, perfect timing.
Speaker 3: The power of the internet, right?
Speaker 4: Ed, you talk about Microsoft turning on and turning off things. I just recently ran through this with a customer where they went a different direction than the Defender product suite, which Microsoft is trying to cram into everything, and that thing is like a virus. They went with the Palo Alto solution. Yeah, it's a real problem.
Speaker 2: I mean, you know, if you're going to be secure by default and secure by design, right, then by default... And this is, we learned this lesson. We obviously, like everybody else, took a look at AI when it came out. I mean, it's been around forever, right? We've used it in certain areas of the product, but never like generative AI or like agentic AI today.
Speaker 2: So we looked at that when it came out a couple years ago and said, okay, this is a game changer, but we have to figure out how we build it in, because we're not like everybody else. We have a fiduciary responsibility to our customers to not just force them to adopt AI, like I went through with Adobe. So how are we going to do it? So we built it in, we partnered with AWS, we did a self-contained approach to the infrastructure and to the architecture, and then we enabled customers on demand: by default it was turned off. If they wanted one, or they wanted all, or they wanted some combination, they could turn on those capabilities when they were ready, based on their ability to consume that. And that's really what customers should be getting, and that's what vendors should be delivering to customers, not forcing these on by default, which is disastrous, right?
Speaker 4: And that Defender, like, you've got Defender for Office, you've got Defender for SQL, you've got just all the Defender for 365. They just throw Defender in front of it and then, like a virus, are turning it on behind the scenes, making it really hard to disable. And it was like, well, if they made a good product, hey, we'd love to turn it on, you know, and use it. But it's just not a great product, and it's unfortunate that Microsoft has stepped so far away from the ecosystem of the office suite and email management into all of these derivatives where they are certainly not the best in class, and it's really frustrating, like you say.
Speaker 2: No, and they're using their customer base as a lab, right? They're turning it on to make it better, because eventually, you know, they'll figure it out, right? And they must do. You know, they're smart guys. I've been out to Redmond, I'm out to Bellevue a lot. They're really smart, right? So someone's running a model. Talk about, you know, an actuarial model, like the insurance company. Someone's running models that say, you know what, we're going to benefit better. We know it's a problem. We know people are going to complain about it, but guess what? The benefit's greater than the pain we're going to cause. So we're going to just do that. Although I can't understand why they're doing it. They're Microsoft, they don't need to do this.
Speaker 4: It's a brilliant model, though, because if their software wasn't so shitty to begin with, we wouldn't have to patch it constantly. I mean, look at the amount of patching that comes out for their nonsense month over month. So I got to buy your crap to begin with, and then I got to pay you to secure it as well, which is just ridiculous, right? So, no, I'm not going to buy the Defender product. You're not going to just force feed me a truckload of your stuff.
Speaker 2: That's right, but, you know, on the other hand, there are worse vendors, so, Microsoft, I am a happy user, so please don't make my world...
Speaker 4: Please don't make my world a hell, please.
Speaker 1: You both already have a ca AIca. I know exactly.
Speaker 2: You already have a ca AI ca. I know exactly. The future is these agents. I feel like I'm in the Matrix. It's going to come and open up my pod and rip me out.
Speaker 3: I'm like slamming down, I'm not going to say a word.
Speaker 2: Yeah, so, you know, I noticed you guys are moving around. Am I supposed to?
Speaker 1: Is it okay if I just stick you a little here? You can do whatever you want, okay. So, speaking, yeah, bringing it back to, you know, kind of this risk around AI and some of these user interfaces, you know, ChatGPT and other AI technological advancements, what are some of the risks that you've seen crop up that our listeners might not be aware of?
Speaker 2: Yeah, I mean, there's risk to data. The data quality is a big issue. The data could be biased, right? So parts of the population that you're serving could get different types of care. You could get different types of diagnosis and results from the actual analysis based on bias. You could also have hallucinations of the data, where it just is not in sync with the context of what you're trying to accomplish. You know, you could lose the data because you're sharing it for training purposes.
Speaker 2: So let's say you're working with a tool that's helping you, you know, through the analysis and implementation of better care through data, but the data then is going outside, and maybe it's going outside into an LLM that's not well protected or to a site that's not well protected. So you're sort of at the behest of the controls that are in place with the third party. I mean, there's a million different challenges with AI, and especially the model change over change, right? So I had this model, I tested and I verified it. Maybe we trained against it, but these updates are coming so quickly. How do you verify that the new model that you take isn't going to blow away all of the imperfections that you sort of, you know, wrung out over the last, you know, four months or whatever, three months or two weeks, right?
Speaker 2: So there's that, and there's the thing I've been worrying about. I'll share it with you guys. You're hearing it for the first time. All right, okay, here we go. This is the thing that bothers me the most. It's the fact that we haven't seen more stuff happen in a bad way to the industry, in a systemic way, right? The fact that we're not seeing something really big, or we haven't heard about some really big coordinated attack yet. And the reason I worry about that is because it feels like over the last six months, things have actually been pretty quiet. Yeah, you get your data breach here, you get your event there, you get some ransom or whatever.
Speaker 4: Are we becoming numb to it, Ed?
Speaker 2: No, no, no, no, we're not numb to it. Come on, Eric, come on, man. No, we're not numb to it. That's why my spidey senses are going. Like, what are they doing right now? Like, what's going on? You know, it's sort of that, you know, it's that silence before the big assault. It's the Tet Offensive, right? Oh, everyone's off celebrating Tet, right?
Speaker 3: No, they're just preparing, right? And with that spidey sense, what's coming down the pipe? What are the spidey senses telling Ed?
Speaker 2: I just feel like this major coordinated attack across more than one critical infrastructure. I think it's that level where, if you think about the evolution of these attacks, right, they were individual, right? And oftentimes they were, you know, some kid trying to figure out some new toolkit, right? They weren't coordinated. And then, about five years ago, six, seven years ago, they started to become more organized, right? We all know organized crime, right? But organized crime as we know it never looked like this.
Speaker 2: Now, all of a sudden, they're having these microservices, this concept of microservices, they're applying to actually the process of ransomware, right? Somebody collects the money, somebody creates the virus, somebody sends it out, right? Everyone has a different job versus one person doing everything. So that was the first thing that was like, whoa, okay, they're leveraging technology now in an organized way. That's scary. And we saw the big spike in ransomware, and now I feel like it's kind of leveled off a little, gotten quiet, and yet we have this unbelievable tool called AI. What are they doing? What are they doing now? We're still seeing stuff. It's not like everything has gone quiet, but it's just eerily quiet for me. So if I think about exponential step function attacks, which is what we've seen, what would be a step function? A step function would be organized in a way that takes out multiple critical infrastructures at once.
Speaker 4: That would be bad. Going back to Josh's question, when he was asking, really, what are they going after, and this is a conversation internally we've had quite a bit with our customers too, of the threat actors, wherever they are from, whoever they are, there's really only three things that they could be going after, you know. One would be some form of hacktivism. Another would be some form of money, right? They're going after a way to get money, ransomware, what have you, right? There's a monetary motivator there. And then the third and final is the nation state, where they're really looking, you know, nation state also does financial, but also to disrupt critical infrastructure. So if you break it down to those three things and then you figure out where your organization is in that, right, if you're making shoes, well, they're probably not going to go after you to disrupt critical infrastructure, but there could certainly be a ransomware or a monetary component to it.
Speaker 4: Follow that tree back to where you were saying of, like, what is next? I've been kind of thinking around in the financial space, particularly in the crypto space, and how actively crypto is trading now, especially with the Bitcoin boom, where, you know, what is it? In the last 90 days, Bitcoin has, you know, just about doubled. So when we look at that, if you're going to go after, you've got to spend money, time and resources if you're a threat actor to target an individual or an organization. You know, it's just not going to happen by osmosis. You've got to put energy into it to get through their systems, their people, what have you. Are they going to be going after systems that they could ransom, or are they going to be spending that time and effort trying to get into somebody's Bitcoin wallet, because the cash reward there may be more short-term advantageous?
Speaker 2: I actually was thinking, I've been thinking about this this week. It's kind of weird that you're talking about Bitcoin. But you asked the question, Joshua, about why healthcare, and I gave you one answer. The other answer is it's easy, right? It was an easy target, right? And I think Bitcoin is not so easy. So I think there are people that are testing it. But here's what's happening. It's more physical assault, right? They're finding out who's a holder of Bitcoin and then they're actually kidnapping, and that's real and that's scary. A coordinated attack on Bitcoin, it's distributed. That would be really hard. They'd have to, I don't know how, I guess they'd have to hit some of the major servers, but then they only take out sort of that area and not so much everything else. And, you know, that's an interesting attack vector to consider. Mathematically it's been more through, like, Binance or Coinbase, or just directly with users, or engineering.
Speaker 1: Yeah, yeah, I had to do some moving around of some crypto, and it asks you if you're going to view your, you know, your passcode. It asks you, like, are you OK, you know? Are you being ransomed right now?
Speaker 4: Yeah, no, it's true. What's your coin? What's your wallet address, Josh?
Speaker 1: Yeah. To tie this all in together: so risk never sleeps, right? We're at kind of a 24/7 model. I'm curious how, you know, healthcare industries are approaching that 24/7 security model, and maybe what other industries could learn from that. I know Eric and Nick have joked about stories of, you know, 3am or help desk jobs, you know, being on call at night, you know, some of our more junior members, you know, cutting their teeth on that on-call kind of status. So what does the approach look like compared to maybe what it did in the past, when we're operating on a 24/7 model?
Speaker 2: Great question. I think, you know, up until probably about three years ago, it was all in the identify, detect, protect part of NIST CSF, if I can take the framework and just sort of decouple it to answer your question, right? Everyone was focusing on identifying the risks, detecting them and then ultimately protecting against them, not doing much in the form of respond or recover. The other area is Govern now, which is part of the new update to the NIST CSF. And I think we as vendors have always known you can't have 100% security. It's not possible, right? Your facility would be unusable if it was 100% secure. Your house would be unusable if it was 100% secure, right? You would never get Uber Eats to the door. You'd never be able to get your food from the... Thank you, Nick, thanks for that.
Speaker 2: So if you don't have 100% security, you know you're going to get hit. It's not a matter of if, it's a matter of when, which I don't like to use, right? Then you have to reduce the aperture, though. You've got to reduce the aperture of the when as much as you can. So you do what you can, and then you put as much investment in respond and recover, and I think that was the shift that's happened recently. People are now putting more and more investment on the response and recovery side. Because if you get hit and it's a critical function and you have to be up in hours, then make sure you're up in hours, and start to think about it that way.
Speaker 2: Not all products, not all vendors, not all applications or devices are created the same, so tier them accordingly into critical functions that you need to operate your organization, whether it's a hospital or a bank or an ice cream stand or whatever it is, right? Think about those applications that are critical, tier them, do as much assessment around those, and then go to the next level of high. Do maybe a little less, but still have that discipline and rigor. And then, when you get to the mediums and the lows, you can be a little looser, right? But make no mistake, a low vendor can still cause you pain if they get through, if there's an attack, right?
Speaker 2: So I'm not saying don't assess and don't look at any vendor or all vendors. I'm saying use a tiered approach, because you don't have infinite time, you don't have infinite resources or money. Make sure you cover the first two buckets, right? And if you do that, and you have corresponding continuity and disaster recovery plans, and you've tested them, you've tested your RTOs and your RPOs, then if it goes down, you know you're going to recover, so you can manage the downtime accordingly. You can manage the impact you have on patient care. You can manage a number of things better than you could a decade ago.
Speaker 1: I think that's a great spot to leave it. Thanks so much for joining us today, Ed. It's been a really stimulating conversation speaking with Ed Gaudet from Censinet and the usual suspects, Nick Mellom and Eric Brown from IT Audit Labs. My name is Joshua Schmidt, your co-host and producer. Thanks for listening to The Audit. Please like, share and subscribe, and leave us a review on Apple Podcasts if you get a chance. We also have video now on Spotify as well. We'll catch you in the next one.
Speaker 4: You have been listening to The Audit, presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J. Schmidt, and our audio/video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and subscribing to this podcast on Apple, Spotify or wherever you source your security content.