RR2: Cyber RX

0:00:13 Chris: Hey guys, welcome back to another episode of Barcode Risk Radar. If you’re new to the series, we focus on trending cybersecurity threats facing small to medium sized businesses. And for those that aren’t familiar with barcode security, we are a cybersecurity firm that helps SMB organizations become more secure and to address a lot of the risks that you’re going to actually hear about on this program. So barcodesecurity.com is the website you can read up on our services, and you can also catch risk radar episodes on demand there as well. So throughout the live broadcast, if you have any questions at all for the guest, please feel free to throw them into the chat and we’ll try to get to them.

0:01:04 Chris: And with that being said, I’d like to introduce our episode number two guest, Krista Arndt. Krista is the CISO at UMP United Musculoskeletal partners.

0:01:13 Krista: I hope I said that properly, better than I can. And I’ve worked there a year and a half.

0:01:18 Chris: I usually just say. And Krista oversees the security program’s day to day operations there. So welcome, Krista. Thanks for joining me.

0:01:28 Krista: Hey, likewise. Thanks for having me.

0:01:30 Chris: Absolutely. So let’s just jump right into know there’s no surprise that healthcare organizations are underfunded, especially in the SMB market. Yet they are significantly targeted. It’s a stat that we see over and over again. I don’t care what white paper you pull, what research firm you talk to, I can almost bet that healthcare is at the top of that list. And mid sized healthcare organizations struggle with understanding where to prioritize their defense mechanisms.

0:02:07 Chris: As we all know, health or attackers don’t discriminate. They hit small, medium and large organizations. So in your opinion, what are some of the best practices that healthcare SMBs can implement? And then also, what should they prioritize first?

0:02:27 Krista: Yeah, I answer this, it’s tough, right? Because you have to think fiscally or financially conscious. A lot of the costs that we allocate to security obviously get kicked back to the cost of running a practice, especially if it’s physician owned, for example. So I’m going to say they’re not like catch alls, right? Or else we would all be winning some sort of Nobel Peace Prize by now for serving the world cybersecurity issues, but multifactor. And I’m not just saying, I know we have issues with push MFA and user fatigue. I know you guys have probably read a lot about that, but introducing folks to the numbers matching multifactor, if you have Microsoft, for example, because a lot of healthcare runs on Microsoft on the back office and getting the license to support that. And basic Microsoft security tools is relatively cost effective. Right? So why don’t you get the authenticator, do the numbers matching? And although it is currently being socially engineered in certain capacities, yeah, it’s a lot more difficult just because you don’t have that user fatigue, although you still have the issue of the users kind of not paying attention to who’s socially engineering them on the other end asking for that code.

0:03:43 Krista: So there’s always that awareness end. You’re already on board, right. As a security practitioner at the organization, so you really want to focus on awareness. We send out little reminders and campaigns. I’ll tell you that one of the coolest things that is caught on for celebrating data privacy week is getting a form together on Microsoft forms. Because again, it’s a free tool that you guys should have access to through your licensure for the practice and having people fill out a form so you can send little security like valentines out to folks to thank them for something cool that they’ve done for data privacy or security or being conscious and show people that they’re getting. Thanks for thinking of the little things that turn into big wins for your organization.

0:04:28 Krista: And really the two primary attack vectors haven’t changed a lot. So you’re looking at still organizations being breached through their third party providers. So I think in healthcare there’s a huge swing towards bolstering your third party assessment programs. You don’t need to spend money. I can tell you when I’ve stud up third party risk assessment programs. As long as you understand the methodology and take it baby steps, right? It doesn’t have to be perfect or the most mature process at first. Get some eyes on their security program.

0:04:58 Krista: Make a document. You don’t need a GRC tool up front because they can be really expensive. But note those security risks and work with the organizations to see how you can partner to mitigate if it’s a vendor that your really wants to use because they’re cost effective for them. And then you’re looking at the typical DDoS campaigns to try to take down or deface the websites. So getting a WAF in front of that, I mean Microsoft has a WAF, Google has a WAF, they all have their own wafs. If you don’t want to pay for another provider for your web application firewall and then email security, one of the best and most impactful solutions that we have paid for as an organization and that I’ve implemented over the years is going to be a robust email security tool because what is one of the primary attack vectors of any sector now, whether it be to laterally move to compromise accounts and compromise other systems, just ask for ransoms or impersonate somebody’s email. Like lay low and slow, impersonate an email and then try to get money off of them and then leave like standing up a website and impersonating website.

0:06:09 Krista: It’s email security. And if you do a really good provider and invest there and then figure out from a maturation standpoint where you want to invest and mature incrementally, you will be in a really good place to thwart a lot of the stuff that has caused you headaches. And then on the other end, always review and do your own tabletop exercises if you can’t. Outsourcing is phenomenal for tabletops. It is like a totally different arena when you outsource and have someone come in to run them.

0:06:37 Krista: But if you can’t do that and you don’t have the money in your program, run one for your executives. I did a choose your own adventure that was really well received because people don’t have to sit in a room and do it where it plays out over Microsoft forms, depending on the feedback that your executive leadership team decides to give you. And then you can tune your scenario that way. So you have to think outside the box when it comes to solutioning, to prepare your organization, because it really is all about preparedness. You can have incident response documentation until the cows come home, but if you’re in that situation, you rarely are. Like, hey, let me look at my playbook and see what I do.

0:07:17 Krista: You want to respond immediately and you want to make sure that attack is cut off and that you are doing the best you can. So practice makes better. It doesn’t make perfect, but it makes better.

0:07:30 Chris: Yeah, you made a great point about email as well, because when you look at number one attack vectors, 99% of the time it’s coming through email. So if you look at that and can address that, that’s an easy win, I think. And like you said, it doesn’t need to be overcomplicated to help get that in a position where you’re more secure than you are today. How about the standard leading frameworks that we see today, or trusted organizations, CISA or CIS, NIST, any of those type of frameworks as well? Is there any free tooling out there that organizations can trust in helping them strengthen their high level defenses?

0:08:16 Krista: Well, Chris, I’m glad you asked, because as a nerd, I feel like that. To run or lead a security program or lead a team in a security practice, you’re only doing your organization justice. If you parse through everything that you know of and source that type of information from other folks who have been there, done that, and know of these things like crowdsourcing it to try to reduce the cost to your practice. Right? Like, let’s just say you get allocated a set amount of money, then you can allocate money elsewhere for something you really do need instead of allocating it for tools that you could have found for free. So like a nerd, I have put together a list and I’ll read off some of them.

0:08:57 Krista: Did you know? And these are all through awesome sources and people who are way smarter than I am. And it’s almost like threat intelligence. I have feeds that I source this stuff from and keep lists of because it helps me in every scenario. So business continuity. The ACSC and CISA have released a business continuity in the box. So it’s located at cyber gov AU vulnerability Management. Try Showdan. I know it’s a really cool threat intelligence tool, but have you ever thought to do external vulnerability scans through Showdan? You don’t even have to get a license for it. And if you do want their license around Christmas time, it’s like $5 and you have a lifetime license to Showdan. Security awareness.

0:09:41 Krista: I have a couple things for this, but to feed threat intelligence alerts, feeding them through slack or teams or intranet alerts on your intranet page so people can keep up to the latest and greatest on what they should be looking for in their personal lives and how they’re being attacked. So there are ways that most threat intelligence feeds can be configured to go to an email box of yours, a central security box, whatever you want from sources like hi sac dark reading Krebs and security.

0:10:15 Krista: There are so many publications now that have amazing information before some of these other paid organizations do. And when it comes to security awareness and training, I’m going to harp on 405 D, the healthcare and public health, the HPH 405 D program. The folks who run that and the folks on the board are the smartest folks in healthcare. I learn a lot from them every day and they have a whole page of resources, videos, posters, training stuff. The hiccup framework that you mentioned.

0:10:48 Krista: Frameworks. If you don’t want to get into CIS. If you don’t want to get into NIST, even though it’s like a recognized framework under HIPAA. Hiccup will cover everything that you need as a small medium sized business to feel like you have made strides to not only be compliant, but be secure, which means go above compliance in the areas that make sense for your business. Cisa I’m glad you mentioned Cisa. They have a whole page at Cisa Gov of cybersecurity, information like awareness and some tools that you can use. And here’s some of the cool stuff that I didn’t even realize that they had that I just found by revisiting their site.

0:11:23 Krista: So I got my incident response templating not the whole template but the rating system off of there because it’s easy to defend when you want to deal with incidents, your timeliness and updates and stuff like that about severities. But they have a vulnerability scanning tool that you can sign up for the Kev catalog. They have something called get your stuff off search, where you can actually search your digital footprint and it’ll help you figure out how to reduce your digital footprint to keep yourself safer and not as much of a target, especially for us as small medium sized companies. As you start to grow, you are going to be on someone’s shit list and you are going to get on someone’s radar. So you want to make sure that you manage your digital footprint.

0:12:05 Krista: Digital footprint management tools can be horrendously expensive to get people to do it for you, and it may not be in the cards until a couple of years coming for you. So let’s use a tool like that. One of the really cool things I wanted to call out is going to be have I been poned for password management. So if you don’t have the capability to feed some sort of source in of commonly compromised passwords or known compromised passwords, you can actually configure have I been poned to feed into your log sourcing or your environment to give you that type of feed so you know what has been compromised and if someone tries to use a compromised password, you can, based off of that regularly updated database and for pretty much free.

0:12:52 Krista: The Stigs. I don’t know if you haven’t worked in the government sector, you might not be familiar with the security technical implementation guides. It’s almost as bad as saying UMP, but yeah, the Stigs will help guide you from a technical capacity on how to implement a control, for example. And you know, this is tried and true. The government has paid to figure these things out. A lot of people, let’s use it. And then CIS has policy templates, core controls, hardening guides there that are tried and true again.

0:13:25 Krista: And I would be remiss if I didn’t call out. It’s not free, but it is nearly free. ISACA’s audit and compliance assessment programs that you can download for like $25. As a member, I’m going to give props to someone on his ISAC’s board for mentioning that because I completely forgot about it and it saved me a ton of time over the last couple of weeks in putting together an audit and compliance spreadsheet. So I know this a lot and we can probably certainly put this list out to you through barcode.

0:13:53 Krista: But yeah, I mean, those are some of the things that I’ve leveraged and I still leverage. It doesn’t matter how big my budget is or how big my team is. These are all awesome tried and true resources.

0:14:03 Chris: No, that’s great to know. Thank you for running down that list, and we’ll definitely get those documented and posted. There’s a lot of great information there and very cost effective solutions as well. And I’ve used many of them being in the healthcare sector at one point myself. So definitely thank you for running that list down. You mentioned this earlier, so we talked about supply chain. So when you look at supply chain, you look at also medical devices, both sides of that, the threats are continuing to grow.

0:14:38 Chris: What pragmatic, straightforward steps can healthcare organizations at the SMB level take to inventory, monitor and patch those devices, and then also doing the same to try to keep an eye on their third parties and supply chain vendors?

0:14:58 Krista: Yeah, I can tell you that as healthcare organizations, even small and mid size, they have a pretty good amount of assets to monitor, whether it be medical devices or otherwise. So really we try to monitor them through the same systems like patching. We like to create partnerships with our medical device manufacturers because of how strict it. So you guys have to remember, if you don’t have a lot of experience with medical devices, because some small businesses, they may have an MRI machine or an x ray machine, you have to be very cautious. And a lot of these folks won’t let you deploy agents, for example, on a machine because of how critical it can be to patients. And the manufacturers have to attest that they’re hardened. Right? So work with your manufacturers and see what is available from them and leverage their resources in order to maintain security around your medical devices and also leverage segmentation. Right.

0:16:00 Krista: If you have providers who virtually manage your MRM machine, x ray machine, et cetera, if there are issues because it’s more cost effective to the practice, make sure they do something a best practice, like using a fido token, for example, to access the machine. Right. It’s not fish proof, but it’s practically not fishable. For example, Fido tokens are a great way to ensure security. So to your point, how do we remain secure other than implementing technical controls?

0:16:32 Krista: Do validations on your vendors third party risk? It’s not a catch all, but you have to have a layered approach to your security. I know we all talk about that, that it’ll catch some of the most critical things. And then as you go to implement and monitor these solutions or these medical know, it’ll kind of get the outliers. And also me and my security engineer, he’s one of the smartest people I know in our organization, talk a lot about how DICOM is being exploited and kind of locking that down a little bit more. So understanding the threats. So just because you have medical devices, just don’t throw all of your resources at them, right. You want to make sure that you understand the risks and the threats to those and kind of try to take a proactive approach.

0:17:21 Chris: So what about when we look at tooling for this? I mean, is there tooling for this? And people are going to hate me for saying this, but Excel, is Excel really a reliable resource for at least just tracking what you have? I mean, it’s better than nothing, right?

0:17:37 Krista: It certainly is. Right? So there are misconceptions that you have to have tools to secure or to solution certain things. And where do you think startup companies start? They don’t have the money to spend millions on security tooling and they have very limited teams. So start a risk register on an excel spreadsheet. I know organizations who do that for years before they get a GRC tool because they don’t have people to manage it.

0:18:01 Krista: As far as an asset management tool, use your endpoint. If you have like XDR or something like that, then do a poll and see what it’s doing there. Use landsweeper. Landsweeper is really cheap, right? And then go into your endpoint management software and just pull a list from there. Just because policies prescribe what they call a CMDB, it doesn’t mean you have to go and spend on a CMDB. A CMDB is what you say it is. It is. Hey, if I say prescriptively that my CMDB is pulling from A, B and C, and I know I can defend because I do checks and balances on scanning in different sources as far as assets that suffices, right? It’s meeting an objective, not everybody has the capacity for the same controls.

0:18:49 Chris: Yeah, 100%. I want to talk about telehealth. Telehealth is something that you’re starting to see, especially with what, within the past five years, sort of advancing as well as other data sharing advancements in the field. Can you sort of pinpoint any optimal yet economical solutions or ways to implement security trolls here in this space specifically? And we talked about IAM or other data security or data encryption type of mechanisms and what variables should be considered when an organization is looking at implementing these things that may be specific more towards the healthcare industry.

0:19:36 Krista: Are you talking about telehealth specifically? Like video? I mean, even text, right? That’s a really common thing.

0:19:45 Chris: Yeah. Across the board, more of these data sharing type platforms. I’m thinking telehealth because that’s the first thing that comes to my mind.

0:19:53 Krista: Yeah, you hit one of the nails on the head. Identity access management is huge, but conditional access don’t. I think a lot of people just rely on MFA, but don’t use the conditional access controls to know impossible travel, identifying devices that typically log in and setting those alerts in your sim and doing those types of things to make sure only the people who are accessing it need to access it. And you have other identifiers besides this person because you can have authenticated MFA, it can be from a bad actor who is able to socially engineer someone.

0:20:30 Krista: It could be coming from a legitimate account. But is it from a different device? Is it from a different location? Geofencing is huge. If you can do it, it’s an ongoing problem. Right? Like you can geofence Okonis countries, but they’ll just divert to us based ip addresses. But it at least limits your attack surface and then makes it more manageable. So it’s not a catch all, but then it makes again. So it’s like chipping away incrementally.

0:21:02 Krista: So the end to end encryption, right? That’s huge. And then also data storage. So let’s talk about text message. A lot of folks, like in small practices may say, hey, if we use iPhones, it’s encrypted end to end, right? But what happens from a liability perspective once it gets to that secondary device, if it’s a BYOD, you can’t manage, especially if you’re sending it to folks in other companies who maybe want to see a calendar or something like that, you don’t know. And you have no control over that data and what they do with it once it hits that other device. So if you can containerize through mobile application management.

0:21:41 Krista: Leverage Microsoft Teams if you don’t want another application to do text messaging if your EHR doesn’t support. And like, kudos to our security engineer, he actually came up with this idea. You know, talk to different other organizations through teams because you will know that you can spend the resources to make sure your Microsoft environment is HIPAA compliant and is secure and you can ensure that all of that data stays in the same place.

0:22:10 Krista: So you can do things like that. But yeah, it’s sad to say how much we rely on encryption, especially with like, I won’t nerd out too much, but with quantum on the forefront and experimenting with quantum cryptography algorithms too, it’s like it is only going to be a solution for so long, and it is until it’s not. And I know that seems like a cop out way of putting it, but you’re literally secure until you’re not. Everything is working until it doesn’t.

0:22:40 Chris: Yeah. What about the data security or the data sharing side? From the patient clinician standpoint, at larger organizations, you tend to see these patient portals set up for that type of communication. Is that something that would be difficult for a smaller organization to stand up?

0:23:02 Krista: It can be costly. I can tell you that. The biggest thing about patient communications is you want to make it easy for both the physicians and providers and clinicians to talk to folks and you want to make it easy for folks to talk to them. They might use ten different provider brands, right? And the whole idea of high tech is making sure stuff talks to each other and doing it securely. But we are still in that realm of folks trying to get up to speed. So they do have solutions that you can implement where your other practices can request digital images, for example, through this. If you guys are all on the same, I’m not trying to drop names of software here, but they enable that.

0:23:54 Krista: There’s still some coming up to speed that they have to do on security controls there, but it’s relatively safe. It’s better than telling a patient to email from their email and then the patient’s email has like password, one exclamation on it and it gets compromised and they get all of their medical history. I can tell you one of the best ways that we solution information sharing for our consumers and banking was standing up some sort of portal. You can leverage SharePoint if you have it by locking again, identity access management and access control by locking it down appropriately.

0:24:26 Krista: It is a cost effective way to have them drop files where you can provision it to only one person, but you have to have those mature internal processes on your end to make sure you are then moving that to a location it needs to be through, like your EHR or wherever you’re storing that data. So there are solutions that you don’t have to pay for from other providers if you understand how to leverage Microsoft tools appropriate until you get to that point where you want to invest in one of those solutions where you can wholly control what happens to the data that’s dropped in there.

0:25:01 Krista: For the love of God, I’m not trying to be this Debbie downer, but even don’t box enterprise and Dropbox Enterprise, please don’t. If you love your patients and you love your practice, try not to.

0:25:17 Chris: Don’t go Dropbox or box enterprise. You’re would be your. What would be your solution there? I think initially external file sharing.

0:25:30 Krista: Yeah, I mean for external file sharing, if you don’t want a patient to drop stuff from, email it directly to you, which is still commonly used, it’s not a bad thing because TLS still meets the mark. It’s like compliant but not secure. Coming into your practice, I would honestly come up with a system to leverage sharepoint for patients in a manner where you can temporarily provision a folder only to the patient who needs to drop information.

0:25:57 Krista: And I don’t know how manageable, I haven’t played around with it, but we do it pretty easily internally for sharing temporarily sensitive stuff back and forth. And when you get into a rhythm, it’s a really great solution, comparatively speaking, versus the risk that you pose to the patients because they kind of know, but they don’t know, right? Like you can’t expect them to be technology experts and they do really rely on us very heavily to do the right thing.

0:26:24 Krista: So that’s something. I mean, a lot of these EHRs have, you have the remote deposit check capture when you deposit a check and you’re banking. A lot of them now have those where they can take photos of certain patient information and put it right into the HR. It’ll never touch the device, it’s continually improving. I don’t have all the answers, but those are at least some things to think about.

0:26:49 Chris: Yeah, absolutely. And if you’re an office 365 shop, we can get into how licensing is split up, but there are so many native controls that you can leverage that if you’re not, you should look into and you should tune them to be able to take advantage of your current investments as well. Like you said before, you need to invest in the tools. Some of those controls may be accessible to you now. All right, well, we’re coming up on time.

0:27:17 Chris: Chris, I wanted to give you an opportunity to let our listeners know where they can find and connect with you online. And if you have anything coming up soon that you want to mention, any keynotes that you’re giving or anything like.

0:27:36 Krista: That, feel free to reading something. Yeah, I just want to say, if you guys want to connect on LinkedIn, I mean, I learned from everybody and what they asked, too, because it makes me think of different things when we converse back and forth. It is how we all continue to learn. You can hit me up on LinkedIn. I think it’s k e, aren’t K-E-A-R-N-D-T-I feel like I should know that by now. I will be doing a couple of keynotes. So at the end of March, secure world in Boston.

0:28:05 Krista: Never been to secure world there. I’ve been to Boston once, and I hear it’s phenomenal. So I’ll be doing my keynote there. I’ll be doing Philly keynote. And actually, I’m really, really excited for the Philly secure world in April to do the Barcode podcast with you and the visit Philadelphia Ciso Keith and then the Penn entertainment ciso Dave. It usually turns into a CisO comedy hour. Although there are some really good actionable info being passed from experience, they have way more experience than I do. So I just sit there and high five them. I’m like, the guy.

0:28:41 Krista: So, yeah, if you guys ever want to please come out, because I learn from human interaction. That sounds, like, really bad. I don’t get out of my house much.

0:28:51 Chris: You and me both. And I think the chemistry that you three have is unlike none other. And it’s always a good time, and I’m really looking forward to that. I’m stoked for that event. And following that event, we’ll get that published as well. So for those that can’t make it to Philly on site, we’ll be able to have that for you.

0:29:11 Krista: I see a question. Do we have time to answer a question?

0:29:14 Chris: Yeah. Do you see it? Because I don’t see it.

0:29:16 Krista: Yes. The potential for security coming from AI. Oh, my goodness. So using data for learning, poisoning the language model. So if you are training, making sure that you’re vetting inputs. I actually just went through this, so this is like, top of mind. Oh, thank you. I can’t wait to see you at secure world. But, yeah, so those are some of the things bombarding where it’s hosted. It’s going to be similar to, like, DDoS attacks, but the one that I read about early, they actually coined the term sponge attacks for it, but it’s essentially feeding it false information.

0:29:52 Krista: So I know falsification of information is out there a lot, even on social media, et cetera. We talk about it a lot, especially in healthcare. So think about that, right? If an AI training model is breached, if the code may be affected, or even if there’s a question, it could definitely poison. Like, if it’s giving recommendations for coding, recommendations for treatment, recommendations for documentation, it can certainly poison the records that get fit into your EHR and cause a huge problem there. Not only regulatory, with the coding and the regulators are going to be like, what gives? Like, you’re trying to charge for all this shit and it doesn’t make sense to what you have documented, but also falsify records in your EHR and really hurt the human being that we’re trying to treat.

0:30:37 Krista: Because then if you prescribe something, for example, and the record was falsified, and three months later you’re prescribing something can actually be detrimental to them. So you really have to have a system of checks and balances out there. Someone was asking about, was it Secureworld IO? I think has all of them listed?

0:30:56 Chris: Has the events listed?

0:30:57 Krista: Yeah.

0:30:58 Chris: Yes. Securityworld IO, yeah.

0:31:01 Krista: So Secureworld IO. And they’ll have all the events out. Um, I might do New York and I might also do Dallas and Denver again, so if any of you guys are from those areas, Dallas and Denver were so much fun. So I’m excited to get and at least see Philly is my are. We are definitely an interesting crew out here and I absolutely love it. So thank you.

0:31:23 Chris: And if you can come in, it’s definitely worth, it’s worth taking days off. And we’re rolling right from the day one closing keynote into happy hour, so just another reason to make it there. But Chris, I want to thank you so much for stopping by, sharing your knowledge with us and thanks everyone for tuning in. I’ll see you on the next 1 February 13, so take care. Be safe, everyone. Bye.