Episode Transcript
(00:01):
Hey there, Leader. Today, today in Security on Tap, we're going to talk about
the Change Healthcare incident.
What happened, what it means, and how it impacts you.
So, Randy, like we do, since you know and you're in full disclosure,
Randy's current position is in the healthcare space.
So, he's a little bit closer to this issue than I am.
(00:25):
So, Randy, if you wouldn't mind, take us through what happened at our friends at Change Healthcare.
Yeah, so apparently on February 21st, they experienced a network incident.
That's how it always starts. Always starts. It always starts as a network incident,
which quickly evolved into a cybersecurity incident.
And now, as most of you know, through what's publicly available out there,
(00:49):
Change Healthcare was compromised by BlackCat slash ALPHV, a ransomware as
a service operator, which you got to love that.
That criminals are very industrious, you know, just as you have containers as
a service and software as a service. Well, I mean, it's like having,
it's like building a house, right?
You got the architect and you got to get your tradesmen, you got to get your
(01:10):
drywall guy, you got to get your ransom guy. That's right.
And they operate ransomware as a service. And using that platform,
a nefarious fellow compromised a privileged account at Change Healthcare.
And we know this because ALPHV BlackCat is a fairly well-known actor in the
space and social engineering and then getting in and then compromising and escalating
(01:35):
your privileges is how they do this.
Yes. And they're well-known as well because this is their new name.
Before they were ALPHV, they were Dark Light or Dark something.
That was when they took down Colonial Pipeline. Oh, yeah.
So if you remember the Colonial Pipeline incident, exact same thing happened
where they came in, they infiltrated, they compromised, and then the FBI promptly shut them down.
(02:02):
And they just went somewhere else and named themselves something else.
And all the people that speak Russian, because they all speak Russian fluently, started a new group.
That source code is transportable. I mean, one ransomware group will stand itself
up. It'll create a ransomware package.
They'll, you know, they'll, they'll work on the code. And then when they decide
(02:22):
to get out, they put it up for sale or they hand it off to some other affiliate
and then they start it up.
And there's probably anywhere from a 20 to 80% overlap in staff.
Yeah. Yeah. And the people that do this stuff.
Yeah. Yeah. And Change Healthcare, unfortunately, as an M&A of Optum slash UnitedHealthcare,
found itself losing about six terabytes worth of PHI and also found themselves
(02:47):
with ransomware across most of their infrastructure.
So a brief aside there, one of the things that Randy just said,
he said those letters, M and A. Yeah.
Mergers and acquisitions. Well, it's never M. It's always A.
You never do the M, which is part of the problem, right? You never fully merge the unit.
And that in turn, Optum Healthcare, you know, I was on one of the public calls.
(03:09):
Again, all this public information.
I was on one of the public calls with the parent company.
They had to establish a fund to help small and medium-sized businesses stay
in business because their revenue cycle was abruptly interrupted.
Well, let's talk about that in a second.
First of all, as a brief side note, mergers and acquisitions,
dear security leader, I would say probably 60 to 75% of the incidents that I've
(03:35):
worked in my career have been part of an acquisition, right?
And here's the thing is that when a company is going to get acquired,
they operationally cut.
And security is one of those things that you cut in the short term and it won't
show effects until after you've been bought. Yeah.
So stand your ground, bang on the table and say, we need to do a deep dive and
we need to have money in the acquisition budget to fix what's wrong.
(03:57):
Yeah. There needs to be money in the budget to assess the acquired company and to actually fix things.
You yourself have found that as well when you found yourself not only reverse
engineering software in a previous role. We're not going to talk about that. Yeah.
But then also you found yourselves in charge of facilities along with it.
So you got to do everything. Good times.
(04:21):
You were in charge of toilets and DevOps. What a wonderful place to be.
Really nice guy who used to empty the garbage cans.
So anyway, so we get past that. So one of the things you found though,
and this is one of the things I really wanted to drive home because I believe
that the chief information security officer should have either own or have a
(04:41):
strong hand in disaster recovery and business continuity.
Which failed, by the way, at change. Well, and I, yes. And I want to hear more of that from you.
Every process, the way we have solidified and centralized services,
change healthcare, what did they say?
One in three medical transactions, financial transactions? One in three medical records, yeah.
(05:04):
Yeah, that's 33.3% of transactions going through the United States on medical
went through one place. There's nothing wrong with that.
Right. But you as a customer of that organization need to be able to have a
plan in place to deal with it.
They go bye-bye. Yeah, you need an alternative.
(05:25):
If you're solely reliant on a company for your medical claims processing,
as an example, what happens if that medical claims processor or revenue cycle
processor goes down, which is exactly what happened.
Yeah, it's right up there with having the fuel company for your data center,
you know, diesel fuel for the generator.
You should have had another changement power, another transaction processor just on retainer.
(05:49):
The problem is- It's worth the five grand or 10 grand just to be the next in line.
Yeah, the problem with white collar jobs, right, is you don't necessarily think
about supply chain management, right?
You think of manufacturing, we're not getting the steel. What if we don't get our rivets?
But here it's the same thing, right? Sorry.
Are you a Bugs Bunny cartoon? Yeah, sorry. Well, but, you know,
(06:11):
we don't get our widgets, you know, from company X.
Well, the same thing here. If you're relying on a third-party service for the
core functionality of your business, that's supply chain risk. Yep.
And people don't necessarily treat it that way. And that's one of the things
that is really uncovered.
I mean, and I've read this is all publicly available, but pharmacies were in
danger of running out of medicine.
(06:32):
Yeah. Right? Right. Because the transaction system completely failed and they had no recourse. Right.
And there was no way, you know, because logistics relied on the computer system
to tell them how many were left, how many are in stock, et cetera.
They quickly ran out. A lot of local or remote pharmacies that happened with,
I had someone that works where I work now, go to the pharmacy,
(06:56):
you know, in the last week of February, and they literally were on paper handwriting
things down. There was no computer records.
And, you know, when you're handwriting things down, one, that creates a huge
surge of stuff that has to be entered in later, right? Right.
But then also user error, transcription error. Transcription error.
(07:17):
The litigation that's going to come out of this in the next 12 to 18 months
is going to be significant.
It's going to be what lawyers like to call productive.
Yeah, yeah. It's definitely going to produce quite a bit.
It's going to send some kids to college, some lawyers' children to college.
It's going to keep your third-party risk analysts quite busy,
too, as you look at where are we vulnerable, right?
And immediately, too, anybody that's in this space starts asking the same questions.
(07:41):
So, competitors to change, for example, would ask.
Right.
Even the Federation used to go and secure other sources of dilithium.
Yeah, that's true. Never, you know, even just in case the Klingons got a little
frisky, you got to make sure you got another place to get it.
You have to have an alternative place, which creates opportunity as well.
(08:03):
Because if you operate in the space, you then can be the backup.
Maybe only 80% of the volume goes through, you know, vendor A and the other
20% goes through vendor B to make sure that, you know, we have the capacity
to, an ability to flip over.
But the revenue cycle generation on this, it wasn't just on the front end where
(08:23):
people couldn't get their prescriptions,
but then smaller SMB healthcare institutions weren't getting paid.
Yeah. All the way on it, and it affected Medicare as well.
So all the way down to the guy who has a retail store that sells walkers and
canes and other medical, small medical equipment, found themselves in dire straits
(08:43):
because the money dried up. Well, and by the way, here we are,
it's today is March 17th, right? Or no, March, whatever.
18th. Yeah. And still down, right? So they couldn't do BCP/DR, they're rebuilding.
And meanwhile, these companies out there aren't getting their money.
They're not getting paid.
So what does the parent company have to do? They got to establish a fund to
(09:06):
fund these companies. So they're just giving credit.
Yeah. And what is the cost to that? You know, we've had four.
It's very, it's very rainy. Well, we've had 14 incidents with clients since
I've been where I've been.
Unnamed clients. I'll cut that out. Okay. Well, we've had a few things happen.
And what's consistent about them is when you do an anatomy of post-mortem of
(09:31):
what happens to companies, two of those 14 gone out of business.
They no longer exist. Actually, Mayo Clinic had to step in and operate because
one of them has 17 hospitals, right?
Randy, we're going to have to cut this. You can't say Mayo Clinic.
Okay, why not? Because you're, I mean, if I was from your company and listening
to this, you're basically identifying companies.
(09:52):
I don't have a relationship with Mayo Clinic.
Oh, okay. All right, whatever. Yeah, well, now we do have to cut it.
Yeah, but somebody could figure out who you're talking about.
Okay. It's up to you, but I'm just trying to protect you. I get it. I get it.
Everything, nothing I'm saying is not publicly available. So anyway,
where do we want to start? Well, no.
What I want to say is we've talked a little bit about supply chain side,
(10:14):
but I want to get back to the control side.
So I have been hearing from some of the larger organizations that we work with
and some that we don't, some that we're just friends with, FIDO2 compliant,
I am here authentication assurance is where we're going. Sure.
If you're not getting a YubiKey or a FIDO2 compliant or a fingerprint reader
(10:36):
or something built into the laptop that shows the person doing the authentication
is tied to the device doing it, you're going to have to do that soon or you're going to be the target.
Yeah. And it's going to be the zombie apocalypse, right? I don't need to run
faster than the zombies. I just need to run faster than you.
So the guys without it are the ones that are going to get hit.
Yeah. Yeah. Yeah. The onus will be put on proving you are who you say you are
(10:58):
in a huge, in a huge fashion.
You know, the impact of this to you as, as a security and risk practitioner is exactly that.
You know, while it might just be in the healthcare industry today,
this is something that's going to drive behaviors throughout all industries.
You know, and I'm trying not to get mad, right? I'm getting a little angry.
(11:20):
Like, apparently, BlackCat ALPHV had a prohibition against hitting health care.
That was off limits. And then after they got taken down in 2020 in December
by the FBI, they sort of lifted the restriction, went and got their big payout,
and now they've shut down.
Apparently, they've just said, you know, they've double tapped and I'm out.
(11:43):
We're going to take our 22 million and retire to a non-extradition country.
I hear North Korea is lovely. Yeah. Yeah. No, wherever they're going,
they speak Russian. That's for sure. Wherever they're going, they speak Russian.
But, but taking them offline is good because the quality of really good pen
testers like that is just not readily available. I mean, it's really.
(12:03):
Untapped pool of professional services. Yeah. Yeah. Well, then that's another thing too.
You know, there's lots of talks here recently about the white hat folks,
you dear security and risk professional. You need some cash.
So what do you do? Well, that's, that's where you, you, you see folks going
over the dark side and doing things they should not do.
Don't do that, by the way. Yeah. We generally frown upon. It's not worth it.
(12:26):
I mean, there's the line from office space, right? You go to federal,
pound me in the prison. Yeah.
There's no stay camp prison. Yeah. I do want to touch on a little bit from the control side.
So we talked a little bit about FIDO2 compliant, the escalation of privileges.
So they got in there, and I'm saying this just because I know this is how this group works.
(12:50):
They gain access, and they escalate, and they move, right? Stick and move, stick and move.
What should our dear listeners be doing to detect that?
Well, not all companies are rightly using, well,
They're not leveraging PAM at all in some places.
(13:10):
Right. So let's just start there. So let's push that.
So if you're not using something like CyberArk or Lieberman or BeyondTrust.
Yeah, BeyondTrust, whatever.
Whatever you got. Yeah. I mean, that is a critical thing. And plus,
and if you're using the right authentication, so they've cracked their way in
through social engineering to the VPN or to whatever you've got your VDI.
(13:30):
But when they try to escalate and they hit the privileged access manager,
they've got to socially engineer again the two-factor, unless you're using FIDO2
compliant or something like that.
It's another layer of protection, and it also protects you while it makes your
job harder as a SysOps/DevOps because you got to go check out the admin account,
which, you know, you check it out, you use it for what you need to use, you check it back in.
(13:53):
It's only assigned to you. That administrative burden of the check-in,
check-out, everybody says slows you down.
Right. But it also, if you think about it, dear administrator,
it removes the risk from you because if you checked it back in,
that account gets popped.
It wasn't you and you can prove it wasn't you.
Here's something that's important, I think, along those same lines,
(14:14):
which is we spend a lot of money doing things like DLP, which I have an opinion
on and I'm going to reserve it for maybe another later episode.
We do things like DLP and we run around in circles for other stuff.
And then organizations like ALPHV, Scattered Spider, and others,
they consistently take us down through social engineering.
Yeah. And then through escalating or accessing accounts that shouldn't be where
(14:39):
they are, right? Or they shouldn't have access to.
Yeah. And so it really comes down to stupid user tricks. Yeah.
Stupid user tricks. It's behind the keyboard.
And they're not evil. Nope. There's not an evil person. As a matter of fact,
one of the most intelligent people.
And my company fell for one, right? Well, one of the key things.
(14:59):
Nothing happened, but they, you know, they were tricked and were like,
I thought this was legit.
Everybody rolls their eyes when you say this, but it's absolutely true.
Education and awareness, training those folks on what's going on and exposing
them to what's going on because people are click happy.
The sad part is, is this hits healthcare so much because you've got doctors
(15:22):
and nurses and administrators that are tired.
They're working hard. A doctor, not a security admin. Exactly.
No, but they're working long hours, you know, and they're spent.
And a lot of it too, the social engineering on the front end, don't click on it.
But then also, you know, they fall for the clickbait, but you also have to just
(15:42):
have good common sense practice around managing your accounts.
And when you see something suspicious, say something.
Say something. Well, the beautiful thing since I'll tell you,
since Change happened at my, I've had numerous people come to me out of the
blue and say, Randy, I saw this.
Randy, this happened. Is this normal? Randy, look at this. And a lot of them
turned out to be nothing, right?
You're like, oh, that's probably big red and angry. You should get that looked
(16:05):
at right there on your neck. Oh God.
This rash looks like a QR code. What should I do with it?
I'm healthcare Jason. I'm not actually healthcare. I can't help you.
No, but what's beautiful about that is, again, never letting a good incident go to waste.
You take those folks that are doing the right thing, you highlight that to senior
your leadership and say, hey, these people are doing the right thing so that
(16:27):
they know what good looks like. Yeah.
Because all too often, something happens, nobody says anything,
and that's how the bad guys get in and they sit and wait for the right person to come along.
The thing is, is that, you know, and Malcolm Gladwell does Blink and there's
another one. I can't remember the name of the author, but they,
it talks about your cognitive mind. I read that one. It's a good book.
(16:50):
Get from a friend. Yeah. Cognitive mind versus your lizard brain,
right? The one that makes shortcuts.
We're always going to fall for the shortcut, right? There's always going to
be a percentage of users in security awareness, phishing testing, whatever.
They're going to just fall for it. They just are. Not because they're dumb.
It'll always be different people.
There'll be repeat offenders. Yeah. Well, but humans are humans.
They always take the path of least resistance. And the good news is,
(17:12):
is the bad guys are that way too.
The bad guys and girls have limited bandwidth.
Yeah. They want to make money with as little amount of work as possible.
They want to go after the softest target with the biggest gain.
And sadly, right now, it's U.S. healthcare is where we're the softest right now. It is.
It's a little bit stunning to me, and I'm going to get off topic here,
(17:33):
but it's a little bit stunning to me that healthcare should be more like financial services.
Financial services, you know, I remember it was a Chase or Citibank declared
that their information security budget was unlimited,
however much they need, right?
And because they took it that seriously, you're not getting in, we're drawing the line.
Healthcare needs to start adopting that same very rigid stance about risk management
(17:58):
and not doing the expedient thing.
The sad part is- I say that for all of you who are in healthcare listening to
this, I'm saying that from the cheap seats. I'm not in healthcare.
No, but the sad part is you've got the regional hospital and let's just make
something up. Assistant to the regional manager?
Yeah, exactly. Let's just make it up. Iowa and Southern Wisconsin,
(18:19):
let's just make up a place, right?
It's your regional hospital chain in that area. You don't even have a CISO.
You've got a VP of infrastructure and security. Congratulations.
Right? You simply don't have the resources to thwart something like that.
And that's the sad thing. And the problem is, is that's where the crooks tend to go.
(18:42):
Yeah. And the other thing too, because it's low dollar, or the FBI doesn't pay much attention.
I mean, it is true. They'll go for whatever opportunity they can get.
Change Healthcare, MGM, Caesars, these are not small organizations.
They're getting in there and they're learning how to adjust.
Based on the hard lesson learned. Yeah, but some of those are attention grabbers,
(19:03):
you know, screen grabbers, if you will, headline grabbers. Yeah, yeah.
Because if you're going to make the money, here's how I make my money.
I'm going to hit Iowa and Southern Wisconsin.
And if your cyber insurance is
$2 million, I'm going to say I need $1.5 million by the end of the month.
I've got a good friend, and I'll give him a shout out here.
(19:24):
His name is Scott Ferber. He has started his own, or he is part of a firm that
does incident response and electronic funds tracking. Real good.
He's extremely experienced. But when we, he and I talk about it, right?
Like if you steal $2 million or 20 bucks, nobody cares. You steal 20 million, they will find you.
So if you beat up on these little guys enough, nobody really cares, right?
(19:47):
You know, Dubuque, Iowa PD is going to go, well, they're in Russia.
I don't know what to do. Yeah. Yeah. Yeah. You shouldn't have paid them, you know. Yeah.
What were you thinking? It was only $300,000. You guys will be fine.
Well, and what we don't talk a lot too, as you know, being a fraud expert that
you are, since you get Fraud Magazine and I get it at my house and I don't read it.
(20:08):
I read it sometimes. You should read it. It's a good magazine. Yeah, yeah.
Since you're a certified fraud. For those who are members of the ACFE,
he's talking about the Fraud Magazine that comes with your certified fraud examiner.
As you push your glasses up on your- That five bucks will get me some salsa, right? Yeah.
But there are acceptable levels
of fraud where if it's not above a certain threshold, you write it off.
(20:33):
And all businesses have that somewhere. Yes, they do.
They have to. I mean, I hate to say it, and you and I have talked about this
in the past, it's sort of that value set adjustment where you say-
The Pinto value set is cheaper to pay the lawsuits than it is to fix it.
So you as a leader also have to say, is this the kind of organization I want to be in?
(20:56):
Because do they understand this risk? Have I said it well enough?
And if I have and they're not listening, should I remain here?
I used to know who the CISO of Change Healthcare was.
I don't know who it was during your incident. It was the same person I used
to know. I interviewed there several years ago, by the way. Oh, did you?
Wow. And I don't know who it is.
(21:18):
And my heart goes out to it because you're working in an organization that's
trying to maximize profits and you're trying to reduce risk, which costs money.
And you're tugging, you know, tug of war, being outspoken, being plain spoken,
finding a way to turn it into dollars rather than just, this is scary.
These are some of the key components that you need to do. Yeah.
(21:39):
And you, as a security and risk practitioner, you know what's broken.
You can see it pretty plainly, right? Yeah. How are you articulating that risk
to senior leadership in a way that at least gets their attention long enough
to appropriately disposition it?
Yeah. And appropriately disposition doesn't necessarily mean you agree with it.
No, no. But as long as they've taken on that risk and not you.
(22:03):
Yeah. You know, you will always have to have that decision as a security leader,
as a CISO or anything else. Do I want to be a part of that?
If this is what they're willing to do, are these the values that I have?
And I'm not saying every single CISO should bail, but that job is increasingly
more dangerous and more risky.
(22:23):
Riskier, sorry, more risky. I went to a state school.
One of the things I'll touch on too, I read a lot about this recently,
you know, all the insider threat and all this other stuff that goes on and we
get so hyper-focused on insider threat, we ignore the actual external threats.
But one of the things that, what I appreciate about the Marine Corps,
(22:44):
and again, I'm an Army vet, so it's hard for me to say this.
As an Army vet, I will. The Marines are very much about character development.
And we don't talk enough about that in the corporate level. We do the right
thing, be honest and act with integrity, is something that we really do mean,
(23:04):
instead of just being transactional in who we are.
Yeah, and that's actually probably, you know what, Randy?
Let's do this. We'll do a little advertisement here. Let's put a pin in that.
We're going to do a special event. Oh, I know what you're doing.
Let's do a leadership lost and found episode on that.
So that's something else. So here in security on tap, we started this,
(23:25):
you know, 18 months ago and we left leadership lost and found and pivoted over
here to security on tap to do specific cybersecurity leadership.
But one thing's for sure, leadership lost found has been quite busy.
People are still interested over there. So we will pivot and we will produce
some material for that dusty podcast over there. What?
(23:47):
Will you break eye contact? It's really creepy. Yeah, sorry.
We'll produce some material for that. And maybe that's what we'll talk about.
Character development. Character development.
Because it is corporate character development, right? Nobody talks about that.
How do I ensure that we stay at a level of value and integrity that we need to be at?
(24:08):
And how do you teach someone to resist?
Yeah. Right? Resist the temptation. All this, just this once. Yeah.
Well, dear leader, we're at the end of our time together here in Security on Tap.
And by the way, everything mentioned here is publicly available somewhere on the internet.
So no one is at risk. Except for Randy's social security number, 375-129987.
(24:31):
8675-309, baby. Yeah. Call Jenny. Tommy Two-Tone is my product manager. What?
Two-Tone. Tommy Two-Tone. He's your product manager?
That is the band that... Some, I know who they are, but how's he your product manager?
Goodness, it was a joke. All right, so I'm gonna cut that. You should... We'll
(24:52):
fix this in post. Yes. And that being said, I'm Randy Fields. I'm Jim Desmond. And you guys, can you believe.
Music.