The Monica Talks Cyber Show

Code Red: The Cyber Health of Healthcare

July 27, 2022 Monica Verma Season 2 Episode 11
The Monica Talks Cyber Show
Code Red: The Cyber Health of Healthcare
Show Notes Transcript

How has the cyber health of healthcare evolved and what challenges lie ahead of us?

In this episode Monica Verma, CEO | CISO, and Joseph Davis, Chief Security Advisor, Microsoft, talk about cyber threats, trends, risks and recommendations connected to healthcare services, medical devices, brownfield environment, and their interconnection and convergence with IoT, cloud and more.

Looking to become an influential and effective security leader? Don't know where to start or how to go about it? Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career. Subscribe to The 10x Circle newsletter at https://www.monicatalkscyber.com.

Monica Verma  0:00  
How has the cyberattacks and cybercrime evolved towards healthcare? And especially with regards to interconnection with medical devices and IoT devices? Where does the onus of cybersecurity lie in terms of medical devices and IoT devices? What's up guys, welcome back to my YouTube channel, Monica Talks Cyber and a fantastic new episode of We Talk Cyber with Monica.

Monica Verma  0:29  
If you wish to hack your career, grow personally and learn about tech, cybersecurity and leadership than hit the subscribe button right away. You could also tune into we talk cyber in your favorite podcast app and also on my YouTube channel, Monica Talks Cyber. In today's episode, we'll be talking to an industry expert, and a Chief Security Adviser from Microsoft. We'll be talking to Joseph Davis on how has the digital landscape on the one hand, versus risk and threat landscape, on the other hand changed in the last year, especially within healthcare? How to really understand and implement the zero trust concept in cloud? With migration to cloud on one hand, and regulations such as HIPAA, GDPR, and other health care laws, and as well as national security, what are some of the key challenges with moving healthcare data to cloud? What are some of the recommendations there? How to store process and manage healthcare data securely within cloud? So before we hop right in the episode, make sure you subscribe to my YouTube channel, Monica Talks Cyber, hit the subscribe button, click on the notifications bell. And let's meet our guests right away. This is Monica Talks Cyber. Hi, Joseph. How you doing? Welcome to the podcast show.

Joseph Davis  1:35  
Hi, I'm doing well and you, Monica?

Monica Verma  1:37  
Doing fantastic. Thank you so much. So it's lovely to have you on the show today, Joseph. Would you like to just say some few words about yourself to the audience and maybe share a fun fact?

Joseph Davis  1:50  
Sure, yeah. I've been in cybersecurity, arguably, probably over 27 years. And I'd say arguably because I took a moment to kind of switch my focus into medicine for I don't know, maybe seven years out of my life. But I was I was in cybersecurity and interested in telecommunications, networks since I was a kid. Fun fact about me is I'm really into music, especially alternative music from the 70s to the 90s coming out of Manchester, England, specifically or, you know, northern Northern England in general. Yeah. Big time into the into the journalism of it all.

Monica Verma  2:30  
Awesome. Yeah. My favorite is also alternative but more alternative rock. But that's fantastic. Fantastic, amazing. Yeah, it's really beautiful to have like these kinds of fun things that we do outside of work that make us as whole professionals that we are. So that's really amazing. So let's get into the episode right away. You are obviously a Chief Security Adviser, you have worked a lot with CISOs with the C-suite. And you obviously have a lot of experience with healthcare. So today, our focus will be cyber risk, cybercrime, and especially healthcare and the digitalization that's happening there. So let's hop right into it. Um, the first thing that maybe let's start with what are some of the biggest challenges that you're seeing with regard to cybersecurity, and some of the trends that you're seeing, especially with regards to healthcare?

Joseph Davis  3:20  
Oh, well, the biggest trend across the industries, but especially around healthcare is trying to implement a perimeter, less computing environment, focus mainly on zero trust, conditional access. The issue that we've had for the last 20/30 years in IT and cybersecurity, from a technical perspective, and even that of a process and a people perspective is that many of these areas of protection defense have been siloed. What we're seeing now is kind of going back to a more centralized integrated model of understanding what's happening across the kill chain when a threat actor comes in, either from an internal perspective or an external perspective, right? Is it an insider? Or is it an external threat? Or is it an external threat in being an imposter, right, acting as if they're an insider? So right now, we've got companies scrambling customers scrambling to adopt integrated solutions, not just point solutions anymore, and really come up with a great zero trust conditional access experience for their users and those that they collaborate with outside of the organization.

Monica Verma  4:36  
It's lovely that you say that already about zero trust. Because talking about that, let's just maybe talk a bit about how do you see the digital landscape on one hand versus the risk and the threat landscape on the other hand changing and have evolved in the last few years, because I mean, zero trust is definitely one of the controls that we are seeing that we are going forward with more and more as we see that the perimeter, the four walls don't work anymore. But how have you seen the digital landscape versus the risk of the threat landscape evolved over the last years? 

Joseph Davis  5:08  
Well, we've been able to reduce risk mainly with the scalability of the cloud. And let me explain a little bit more about why I say that. So you think about these, years ago, we used to protect our environment with server based applications and appliances, and really examining packets, but nothing could really keep up with the live threats that were occurring, especially the identity based threats. It was very, very difficult too because identity based threats, use a combination of social engineering in order to get someone to hand over something really critical, like a username and password, where it's, you know, you had these appliances, that we're mostly looking at things like open ports, close ports, you know, scanning for vulnerabilities, all those things are important, but we really want to understand what's going on at the user level. And it became even more intense and important to do that, as we moved to remote work. Many of us had been doing remote work for ages. But this is, you know, the pandemic forced us to work remotely in a serious way, and even meet and collaborate remotely. So, how do we do that without a perimeter? Right? So the approach is to take the risk of the device and the risk of the identity, kind of combine them and make decisions based on what they can, you know, based on their risk level, what they can access. Now, how do you do that at scale, you have to use the cloud, you have to use these large datasets that can only exist in the cloud, because it's petabytes, if not more than that of data. And then you use these really refined machine learning models, to help understand what good looks like and what bad looks like, right and offer the user helpful tips around, especially with a phishing attack, hey, it looks like you don't usually receive email from this sender. Right. So that's kind of a tip off. The other tip off would be to put the word external in a subject line, something like that. And this is what you know, in order to keep track of what kind of emails a user receives, we're talking about millions upon millions of users, and to be able to be nuanced around the behavior of a single user experience that really takes the scalability of the cloud to understand you know, within context, is this something that's normal, or something that's abnormal? And if it's abnormal, how do we inform the user that this looks abnormal before they are duped by a phishing attack?

Monica Verma  7:39  
Absolutely, and one of the things that you mentioned that is key is the behavorial analytics. So you need to understand the behavior and be able to distinguish between the good versus the bad, at least to a certain degree of percentage of certainty, if not 100%, because you can never be accurate 100%. But this is very interesting, because we need to obviously move more and more in this direction, because we know from experience, just putting in preventive controls will not help us if you're not able to detect the good from the bad if you're not able to detect on time. And these kinds of preventive controls need to be in place to help us with the detection, right? For an organization that's going into the cloud and finds this like very difficult, they've never done that they don't have this petabytes of data. And they're trying for the first time. What are the three things or a couple of things that you would recommend to these organizations? Where should they start? Because everything really is evolving around identity, behavior, and really, as you say, so where do they start? So, it doesn't seem very daunting.

Joseph Davis  8:45  
Yeah, there was there's two places really taking an integrated approach to cybersecurity rather than point solutions best of breed, I think is super important. 10 years ago, five years ago, even we were forced to and even further beyond, we were forced to take a best of breed siloed approach to cyber defense and basically response if you will, right, where I would have to have one product from a different vendor, managing my identity system and a different product from a different vendor, managing my email hygiene and secure email gateway type technologies, and anti malware, anti virus on the endpoint. These are all different things. They don't necessarily, out of the box, they're not able to talk to each other so you don't get from a cybersecurity defense point of view and incident response point of view, you don't really see the full story right? If you're an email administrator, you see the amount of malware or phishing attempts that come in. If you're an anti virus administrator, you're gonna see the number of you know, incidents of potential malware on endpoints, but those two combined it becomes very, very powerful because then you can identify the activities of an identity or of a device throughout the kill chain lifecycle. And when I talk about the kill chain, I'm talking about the the process that threat actors typically use in order to get access to sensitive information and exfiltrate it, right, action on objective.

Monica Verma  10:17  
Absolutely. So, because what you are trying to say here is it's not enough to just integrate security into your business, but also integrate the different aspects of security, so you can learn from each other and you can see the full picture. Because that's what we're seeing in a lot of organizations. And I gave a talk a keynote last year about from risk to recovery, because that's where the whole thing starts. And what I see from experience as well is that a lot of organizations, they are trying, obviously, we have talked a lot about the situation on a silo and it should be integrated. But what is often missed is the different aspects of the entire security chain from risk to recovery, that people have not or the organizations have not really integrated. So what are your experiences with that, and what do you recommend, in terms of that lack of visibility of the whole picture?

Joseph Davis  11:03  
Well, not only do organizations have to get out of their silos, right, within my customer environments, but your technologies have to get out of their silos. You have to walk through scenarios that say, alright, what are we discovering after the fact right? So anytime there's a suspected breach or a suspected threat actor in someone's network, typically what the organization will do is they'll call in the experts, the incident response experts to find out like, basically put the crime together and try and figure out how it started, how it you know, how it evolved, and then exactly what data was taken. And that last one is usually the most important question to be able to answer, especially for the regulators and those in charge. But you right now, if you're looking across that kill chain, in an integrated way, in an end to end way, you're able to determine a couple of things, you're able to determine the behavior of the user, not only from a "has this user's credential been compromised, so somebody else can authenticate", to "has this user been behaving in a way such that it looks like they're attempting lateral movement in a network", right, whereas they're usually say, an accountant, and they wouldn't typically perform the commands that that identity is performing down to what has this identity done with respect to data, has this identity copied, you know, terabytes of data onto a USB drive, has this identity copied terabytes of data up to a cloud storage provider, on and on those those types of things, that you're not going to get that full picture that full vision, without selecting technologies that are fully integrated, that are talking to each other. And without working together, kind of like in a fusion center. And with a common mission. Right, I just, I want to prevent the front end of a phishing attack, it's I want to, I want to try and prevent the front end of a phishing attack. But also understand if one is successful, because it's quite nuanced, and it relies more on social engineering. I want to be able to pick it up quickly before you know it, maybe maybe I pick it up during lateral movement, maybe it's already too late, maybe the user has already given up their credential somehow, right? They're not using multi factor authentication, or they were bribed in giving up their multi factor authentication or something to that effect. And now I'm seeing lateral movement in my in my, it doesn't even have to be my network, I will say in my estate, because remember, an on premise network, and in a cloud service provider, they're kind of one in the same to the end user at this point, especially when they're working from home. And they're one in the same to a threat actor to typically what we've been seeing at Microsoft is that threat actors will infiltrate an on premise data center, infiltrate an on premise infrastructure, and then move outside and use that as a as a way to leverage their movement into that organization's cloud, right? So when they cultivate their privilege, they assume the identity of these privileged accounts that have access not only to sensitive data on prem, but also have access to sensitive systems and data up in the cloud, regardless of what the cloud is AWS, GCP or whatever.

Joseph Davis  11:30  
And you said, one of the things that is interesting, you said something about, to get the visibility of the whole picture, it's very difficult unless these technologies talk to each other. Right? Would you also say that it's correct for people in different roles to talk to each other, and also processes to talk to each other? Right? I mean, we're seeing this. And I feel more and more that we talk a lot about again, which I said before as well, that security should be integrated in business, but how security overall is integrated with each other with regards to technology, people and process. That's something that's very lacking in the organizations as well. Would you say that that's equally important? 

Joseph Davis  14:44  
And my thought process was: wouldn't it be fantastic if we can just knock down these few walls here and in IT and we can all like the the DBAs will be working with the front end people, and you know, and the application people, and so on and so forth. And I believe it's the same thing we need to see the same thing in cybersecurity defense and prevention, as well as investigation.

Monica Verma  15:22  
Absolutely 100%. And you said something fantastic that you're experienced with medical devices, let's let's switch a bit and talk about medical devices. In the healthcare, now we have to seen, especially because of the pandemic but in general as well to have better health care across the world, better systems, there's absolutely been a digitalization that's happening that has skyrocketed in the last years in health care. And then obviously, there is medical devices, there is IoT, there is convergence that's happening between IoT and IT. What kind of cybersecurity threats and trends are you seeing, especially not only just towards healthcare, but because of this digitalization and convergence that's happening?

Joseph Davis  16:02  
Once in a while, we'll see, you know, an announcement in the trade journals about you know, like yesterday, I think I posted something about a robotic surgical device has a flaw where it can be accessed remotely. I mean, we see these things up here now and again. I would suspect that some of these things aren't being reported. I would also suspect that it's hard to really call anything a trend if we don't know, the cause of the malfunction. Right. So when a medical device malfunctions, you know, a lot of investigation needs to go into determining whether there was a vulnerability in some sort of communication protocol stack, or, you know, to make that that medical device either break or do something that wasn't supposed to do. Right. So that's why I think the reporting is a little skewed. My, my concern, really, and I think it's the concern in the industry is this, what I've been heard called the Brownfield environment, right. So connected medical devices, that started to come out in droves around the, you know, release of the early release of the iPhone, because back then marketing teams for medical device companies wanted doctors to be able to connect to these medical devices with their iPhone and an app etc. And we see it today, right, I have a humidifier in my apartment that I can control my iPhone, I have a pulse oximeter that I can control, like the data gets uploaded to my iPhone. Right. With that rush to market, there wasn't a lot of secure software development lifecycle or product development lifecycle. So now we have maybe a decade's worth or more of medical devices in the wild that could be susceptible to all kinds of attack. Right? And the big question, and I don't have an answer to it is what to do with the Brownfield? Right? It's not like these medical device manufacturers and developers are going to recall all these brownfield devices or even spend any R&D money on them whatsoever, because they're moving on to the next thing. So I think it has to be a coalition between the med device folks, the the researchers who are finding flaws in these devices. And the cybersecurity companies that make products like, you know, like Microsoft has defender for IoT, we're making these products to really defend against attacks against IoT, right? So it's got to be kind of that three way working group where, you know, we there's so many avenues to report back a vulnerability and that vulnerability somehow gets patched. But we have to be also pragmatic in understanding that some of the early connected medical devices can't be upgraded, right. It'd either have to be replaced, or there has to be other mitigations applied, other controls applied to prevent them from being exploited in the first place.

Monica Verma  18:55  
Let's just say that, obviously, it has to be a collaborative effort from both the providers and the cybersecurity companies that are providing such kind of defender and other kind of scanning tools for IoT, and detection tools and so on. Where does the accountability of cybersecurity with medical devices really lie? Who has the onus of that? Because that's a really challenging question, is it? And I mean, I understand that it's a challenging question, but I still want to hear your thoughts on it. 

Joseph Davis  19:25  
Yeah, so I'm gonna I'm gonna take the example of who has the accountability when a plane goes down, right or who has the accountability when a vehicle malfunctions, right. So, it I think it depends on the product of the investigation, right. If it can be proven that there was a vulnerability in a particular connected medical device that was known about but was unpatched, then you know, the accountability goes back to the manufacturer or someone who designed the device. But if it was you know, if the if the device wasn't used appropriately, you know, the accountability could be with the patient or it could be with the healthcare provider. So it's, it's a big, it depends, right? It really, you know, we saw we saw with Boeing and MCAS on their 737 Max series, that Boeing didn't do a fantastic job of explaining to the pilots, that MCAS was actually in the control, right? So in the, in the system, right. So, you know, when the rudders would do a certain thing, the pilots would react in such a way that would, you know, MCAS would fight them on it. Now, if they had realized that MCAS was there, one could argue they could have recovered from the situation. Right. So it's almost like, does the health care provider, does the patient know, is their informed consent around all the potential risks that you know, to this device? So that's my take on it, there is no silver bullet answer to this problem.

Monica Verma  21:02  
That rarely is in cybersecurity. That's, that's very true. So and you said also, one of the things that was very interesting about the integrity of data, especially health data, right. And we talked a bit about cloud, and everything is just being digitalized. We're moving to cloud. We're putting a lot of data in cloud. And slowly the questions that the organizations are asking are, can we put the health data in the cloud? What about the confidentiality? What about privacy? What about integrity of data? What controls should be in place? There is one thing from a cybersecurity perspective. But then there is obviously HIPAA and GDPR. And all the other laws, I mean, for HIPAA doesn't really prevent your go to cloud. But a lot of these laws and GDPR is obviously a big one, then you have the national security, because some of the data will be relevant for national security, espionage, there's so much to take into what do the organizations really do? How can you really - So what are the risks on one hand? And two, what would be a recommendation in terms of under what circumstances or what controls should be in place, if you do decide to move health data into cloud?

Joseph Davis  22:08  
Yeah, now you're moving into the realm of the the responsibility matrix, right? Where the customer is responsible for certain aspects of their deployment of services and data in the cloud, and whether the cloud service providers responsible for it. But I want to say upfront, before we start getting into this, that I'll take data integrity over data confidentiality, with respect to health care any day of the week. And here's, here's the reason. Yeah, if someone gets a hold of my medical records, it might be a little embarrassing, and might restrict, you know, who I could work for, etc, based on, you know, some physical malady that I have. But if my data integrity is wrong, and I go in for a procedure, maybe they're operating on the wrong arm, maybe, maybe they're operating on the wrong organ, you know, and that is that could be potentially life threatening, right? So I'll take I'll take data integrity any day about data confidentiality, but we want to ensure both but not at the same level. Okay, so let's go back to the original thing. There's, you know, as service providers, and you know, payers and all the rest, they start to move their workloads into the cloud, they are still even though they can do it, they're still governed by HIPAA best practices, regulatory requirements, etc, not just with reporting, but how data is handled up there, right? My assertion is that the cloud is actually more secure than an on prem implementation, one would think that position is nine tenths of the law, right? So the cloud is running in somebody else's data center. And now I don't have access to my data. And it's really the contrary, right all the way up from infrastructure as a service through platform as a service, and ultimately, software as a service. What the customer is always going to be responsible for is data, identity and device. So I would argue that it's actually there's more available for you to be compliant when you move to the cloud, right? You don't have to go out and buy all these other tools. You know, it's as easy as either signing up to a subscription to something, or it's already there, right? Like, your score is pretty much already there. When when you keep your money in a you know, in a mattress, all the risk is yours. When you keep your sensitive data in your data center on premises, all the risk is yours. It's really a business decision to say, do we want to trust these cloud service providers who will their entire business model is based on the integrity of the you know, maintaining integrity of the data that that is beholden to them, maintaining the confidentiality of the data, or do we want to, you know, really kind of trust ourselves with it.

Monica Verma  24:57  
I think we had really amazing conversations today. Before we close the episode, would you like to maybe say or share a key message to the audience today?

Joseph Davis  25:06  
Think about, please don't think about zero trust as being one of two things, either a product, it's not a product. Zero Trust is a framework. And please don't think of it as a marketing term. I think it's a really great way to impart the idea of understanding the risk of the entities that are accessing your sensitive data.

Monica Verma  25:30  
Fantastic. Thank you for your wise words, and very lovely that you came on the show today. Thank you so much for that.

Joseph Davis  25:37  
Thanks, Monica. Thanks for having me.

Monica Verma  25:39  
That was today's episode of We Talk Cyber with Monica. Make sure you subscribe to my YouTube channel, Monica Talks Cyber and tune into We Talk Cyber both on my YouTube channel or in your favorite podcast app. So today we talk with Joseph Davis from Microsoft. It was fantastic conversations. I hope you really enjoyed the show. So continue tuning in. I'll be back with more amazing guests and amazing conversations. This is Monica Talks Cyber.