This week I am talking to Daniel Brodie (@db_doskey), CTO and Co-Founder of Cynerio (@cynerio), a company working to improve healthcare security one incremental step at a time. Daniel entered the healthcare world a little surprised by the state of security and infrastructure that he found in facilities, and set about finding ways to develop solutions.
We discuss the details of the cyberattack on the Colonial Pipeline company, which focused the spotlight of the nation on cyberattacks and ransomware and the havoc they can bring to our world. It is interesting to note that the point of entry and the actual disruption were in a sub-system of the company, yet the attack still brought chaos to our fuel supplies.
Death by Ransomware
We discuss the payment of ransoms and the non-payment of ransoms, as Scripps University did, leading to downtime of 4 weeks or more, and review the ever-increasing number of hacks and attacks on the healthcare industry. Healthcare saw an increase of 123% in attacks last year, and given the lucrative nature of medical records, attacks are likely to continue increasing. These attacks can have dire consequences for hospitals, not just on their revenue; worse, they can be life-threatening, and we have now seen the tragic case of an alleged death caused by ransomware at Alabama-based Springhill Medical Center.
Listen in to hear why healthcare remains high on the target list, what institutions can and should be doing about it, what regulatory steps are being taken, and what the future looks like in protecting our all-important healthcare system. We also cover the important perspective that perhaps the “Wall of Shame” is not helpful in our ongoing fight for better healthcare security.
Listen live at 4:00 AM, 12:00 Noon or 8:00 PM ET, Monday through Friday for the next week at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.
Listen along on HealthcareNowRadio or on SoundCloud
Raw Transcript
Nick van Terheyden
Today, I’m delighted to be joined by Daniel Brodie. He is the chief technology officer and co-founder of Cynerio. Daniel, thanks for joining me today.
Daniel Brodie
Thank you for having me.
Nick van Terheyden
So, for the benefit of the listeners, tell them a little bit about your background, how you arrived at this, how you ended up founding the company.
Daniel Brodie
So I’ve been in cybersecurity for more than two decades, doing quite a bit of research and development at quite a few cybersecurity companies. A large stint was at mobile cybersecurity companies, where we researched mobile web malware and were trying to work to protect mobile devices from mobile malware, especially for Bring Your Own Device in organizations. And in the previous startup that I was at before I founded Cynerio with my co-founder Leon, that’s actually where I met him. We were doing a cybersecurity product for exfiltration from organizations, and we were really struck by, okay, we’re doing again the cybersecurity work, the cybersecurity product, and this gap between figuring out how we actually provide value to customers, and how it’s not just all that FUD, fear, uncertainty and doubt, which exists and is very common in the cybersecurity world, where you kind of scare the customer: oh, there might be an attack and you don’t know what’s going to happen, and you really need the cybersecurity product. And we kind of left the company; we didn’t feel that we were succeeding in doing that. Now, my dad was a deputy CIO at our healthcare system, and my co-founder Leon Lerman, who’s also been in cybersecurity for many years, from the sales side of things, we kind of talked to a few people that we knew from that healthcare world. And when we learned about the state of healthcare IoT, we were pretty shocked at the state of how things were. We’re talking about devices that are running 20-year-old OSes, some of them OSes from companies that went bankrupt; they don’t have any antivirus on them. FDA doesn’t allow them to install antivirus or any kind of security software on them. Vendor support is minimal to non-existent for these old devices. And there’s this huge black hole in how healthcare organizations work.
And as we were talking with the CISOs, and getting more and more information, we were just like, okay, we really, really want to get into this. We also were maybe a bit naive; we didn’t believe the situation was so bad, until we actually founded the company and we discovered the situation was worse. So that’s kind of what we saw here: it’s an opportunity to really be able to provide real value. This is not just cybersecurity from, oh, you don’t know when China or Russia will attack your organization, or North Korea or whatever. This is providing real value that can really help the organizations we want to give or sell our product to, and even potentially save lives. And that was very, very motivating for us, to kind of do cybersecurity that was interesting, that helped us sleep better at night.
Nick van Terheyden
You know, people can’t visually see us. But yeah, I’m shaking my head as I’m listening to you, because I know all of the things that you said are entirely true. And they’re not just true about security; they’re true about many aspects of healthcare. And I think the subtext that you didn’t mention, but I know is also true, is not only are those devices all old, and not updated, not supported, but some of them are not just adjunct devices, but in some cases implanted in people, as medical devices in our bodies that we use. And you know, so there is an absolutely enormous problem in healthcare. It’s not confined to healthcare; you’ve obviously got experience outside. Before we get into the healthcare side of it, tell us a little bit about some of the cyber attacks that we see. You know, obviously, there’s a little bit of grandstanding on the part of the media. You know, we saw the Colonial Pipeline, we saw the Florida what, you know, you name it, we’ve seen these things, and, you know, there’s a lot of attention drawn to it. Is it as bad as it sounds to us through the media?
Daniel Brodie
So I think ransomware has become a huge issue across different verticals, but I think there is also a bit of clickbait in terms of the news stories, some of these stories. So if we take, for example, the Colonial Pipeline attack, the attack was able to come in through the office building system. And that’s pretty much the main effect that it had: how Colonial Pipeline would bill people for giving them gas. And then they took down their gas pipeline, not so much because of the ransomware, but because they weren’t able to bill people for the gas. So this became a big news story, because it was very attractive; you know, you have people waiting in gas stations, it’s very newsworthy, you can do a lot of pictures on it, a lot of discussion on it. But the effects of the damages that there were: they had to pay $4.4 million in ransomware, which was actually 75 bitcoins in terms of how to do the ransom. The US Department of Justice recovered some of that; it came out to only 2.3 million, because of the fluctuations in how Bitcoin happened till they got there, the recovered amount from the Department of Justice. So they got some of that money recovered, and they were able to raise the prices of gas for a little while to kind of recover their costs. So even though it was a big news story, at the end of the day, it wasn’t this really huge cybersecurity attack. And the effects were relatively limited.
Nick van Terheyden
You know, and it’s interesting, you sort of detail that; that emphasizes the point around security. It can be in a small, I don’t want to say unimportant, obviously billing is extremely important, but it’s one of those: multiple potential edges, or facets, or entry points exist in every organization, no more so than in healthcare, which has wide sort of access points in different places, some of which are very public facing. We’ve seen a number of attacks in healthcare. Tell us a little bit about what you’ve seen in that, and the entry points and the challenges that we see in the healthcare world and cybersecurity.
Daniel Brodie
So an example of a popular attack that happened at around the same time as the Colonial Pipeline was at Scripps Health in SoCal. It’s about 15 hospitals big, now has 19 facilities, about 700,000 annual patients. So it’s not a small health system; not a huge one, but not a small one. And what happened was that, well, we don’t really know much about the root cause of the attack; we know that it really shut down how the organization happened. And unlike Colonial, they did not pay ransom. They had four weeks of recovery time until they were able to bring back their operation. And they lost in damages more than $100 million in terms of lost revenue, to kind of fix the issues that they had, and so on and so forth. They were able to return back to normal, but the damage was done, both in terms of the financial aspect of it and also in terms of what happened to patient care during these four weeks. So there was an uptick of patient care in hospitals surrounding them; they had to delay or cancel care for some of their patients. And that kind of connects to the fact that with these ransomware attacks on healthcare organizations, the effect isn’t as widely seen. You’re not going to see the effect of delaying care for a critical patient by four weeks. Some things could come up years down the line. There was a Ponemon study that talked about this, where they looked at healthcare organizations that had ransomware attacks on them during the COVID time, covering an 18-month period. And they saw that more than a third of hospitals that had ransomware attacks on them had an increase of patients that had complications in care, and more than one in five an increase in mortality rates.
Nick van Terheyden
Yeah, I think there’s, you know, good proxies for this. We see it with the instances of the marathons, the Boston Marathon, where there’s a shutdown to the hospital systems; there’s actually a well-established paper that demonstrates a rise in morbidity and mortality as a direct consequence of that. That’s not ransomware; it’s the diversion of ambulances as a result of that. So I think, you know, there’s clearly a reliance between the impact of this on people’s individual lives. We’ve even seen that in the case of Springhill, an instance where, you know, there’s attributable death in this case. Do you want to share a little bit about that?
Daniel Brodie
Yeah, that’s a very unfortunate situation where a hospital was shut down. So this happened in 2019, where a hospital was shut down for quite a while due to a ransomware attack, and we have a unique situation where, due to the litigation that is happening, we’re getting a lot of visibility into what actually happened there. So the ransomware shut down a lot of the network, a lot of the devices and their connectivity. And this is kind of where the negative aspects of connected healthcare showed up, right? The positive side is hospitals can finally provide much better care, can handle a much larger load of patients with less infrastructure and with less personnel. And that’s kind of become the norm for these healthcare organizations. That’s how they all operate. Now they’re dependent on these connected devices. And then you have a ransomware attack shutting this down. And suddenly, the healthcare organization, the healthcare professionals, don’t necessarily know how to operate; they’re going back 30, 40 years or so, and you need to provide care manually using pen and paper. And so, you know, you might have these people with 30, 40 years of experience, nurses or doctors, and they remember how to provide care and what these procedures look like, right? How do you go and measure vitals every 10 minutes to make sure that vitals don’t fluctuate or put a patient at risk. And you have the younger, less, just, I don’t know, just newer personnel, and they don’t have that experience, they don’t have that training. Then you have the veterans needing to kind of train these newer healthcare professionals on the fly while the hospital is suffering a ransomware attack, and there’s an increase in stress and in the amount of patients and how you need to care about them. That’s putting a tremendous amount of stress on the healthcare professionals. And that’s pretty much what happened.
The neonatal monitors would not alert in the central station for nurses when something bad was happening to one of the patients, and so they wheeled the patients near to the nurses’ central station, so they’d be able to hear the monitors beeping, and they ramped up the volume as much as possible. But they very sadly missed one of the infants, whose heart rate went down, and that caused the unfortunate situation of him passing. And now it is under litigation for malpractice with the hospital. There are some other interesting quotes that came out from that situation as well, as part of the lawsuit: an anesthesiologist saying how they don’t have access to the patient records, and they have to just go by best practices in terms of how much to give the patient to kind of put them under, not being able to see the actual amount that they need to give to the patient. So there was just best practices and guesses, and that’s not the situation to be in.
Nick van Terheyden
Right. So for those of you just joining, I’m Dr. Nick, the Incrementalist, and today I’m talking to Daniel Brodie. He is the CTO and co-founder of Cynerio. We were just talking about the tragic incident at the Springhill hospital, the neonate that died as a result of a ransomware attack, obviously a great tragedy. You know, currently undergoing litigation. I guess the positive side effect of that is the revelation of the details behind it. One of the things that we miss in cybersecurity is what actually happened; people are very reluctant to share information, in part because of the negative publicity. That’s obviously one of the consequences. Healthcare seems to be front and center, and I’ve covered this in, you know, blog posts and with other guests. Why is that? Why do we have to take this on? Or maybe we’re not; is it not just healthcare and, you know, Colonial Pipeline was just another hack that would be as important, or is healthcare really front and center?
Daniel Brodie
I think healthcare has been significantly targeted over the past two years, especially. We’re seeing that with 92 attacks in 2020, hurting over 600 different healthcare providers. And we’re seeing quite a ramp-up in 2021 as well. So if in 2020 we’re talking about eight million PHI records being exposed, 2021 isn’t over yet, and we already know it’s more than 40 million PHI records. So the reason is, I think, it’s just lower-hanging fruit. Healthcare organizations have less available personnel, they have less resources, they’re already overwhelmed by the COVID pandemic, their resources are already stretched thin. They’ve historically had difficulties in implementing cybersecurity programs. People know that they have these old outdated devices and other healthcare IoT devices on their network. And that just makes them a very ripe target for being able to attack them. And the other side of that is, at the end of the day, they’re somewhat of a critical infrastructure, right? A healthcare organization will a lot of times end up paying the ransomware, just so that they can continue to provide care, even though a lot of them don’t, but some of them do. And that’s because they just don’t have room for error in terms of how they provide care; the effect of ransomware on a healthcare organization could be devastating for the patients that go through there, as we saw at Springhill.
Nick van Terheyden
Well, so we painted a pretty bleak picture. Let’s be clear, it doesn’t sound very positive; it’s getting worse. You know, clearly not just healthcare, but healthcare has this big target for all the reasons that you describe. What do we do about it? How do we approach this, given that, you know, in the words of the game show, you are the weakest link? And I mean that as the individual, the human being. How can we protect against this, because people don’t set out to cause a breach or make these errors? That’s clearly not the activity. There is some small subset, but how do we approach this?
Daniel Brodie
So, first, great question. And I think that we need to look at this in the same way that connected healthcare went and allowed healthcare organizations to automate a lot of the processes of providing care to patients, and allowed them to use less resources and provide more care. Hospitals are coming to the realization that they have to go through a similar process around their security, especially healthcare IoT security, but in general around security. So if, five years ago, the inventory for medical devices was handled manually, health organizations are coming to the realization that they need something that will help them automate detection of inventory in their house, in their health system and on their network. And that’s part of the work that we do with our solution as well. We come to a healthcare organization, and they use us, and they can map that out to their real inventory. And we even saw instances of devices that were considered lost, that the hospital didn’t even know were still connected on their network and used on patients. Which is pretty scary. And that’s just for inventory, right? At the end of the day, you need to be able to reduce the risk that you have in your organization, again, instead of doing that manually and with a complicated process of clinical engineering, networking, IT security. Hospitals need to kind of implement, and they’ve been doing that and they’re moving more and more towards, a more automated process of how they can know what the critical risks in the organization are, connecting that to what the impact on the organization will be, whether it’s patient safety, patient confidentiality, or service availability, and figuring out what tools they need to use to actually lower that risk. And a lot of healthcare organizations have quite a few IT security solutions in place. They just can’t really use them for this healthcare-specific stuff, because they’re not built for that.
Nick van Terheyden
You know, I gotta say, I wish I was in the room at the point that that inventory showed up. Devices that they thought they’d lost, but that not only hadn’t been lost, but were in use. I really wanted to see the faces on the individuals, whether it was, wow, that’s a relief, we thought we’d lost it; or, oh, that’s terrible, we lost it and it’s in use. Really not sure. But anyway, joking aside, I mean, obviously, understanding the spectrum of opportunity where those attacks can come from, being able to reconcile that with, you know, where those devices are, gets you to the point of saying, now we can do something about it. But that feels like halfway there. There must be more that has to take place that, you know, can turn this tide. We’re in a circumstance where it feels like this onslaught continues. You know, Scripps was relatively recent, but it just continues, and, as you described, is expanding. Do we need additional action? Is it regulation? What’s missing in this? It seems like we’ve been talking about this for a long time. And it just gets worse and worse, and it feels like it’s a nuclear arms race.
Daniel Brodie
Yeah, so let me answer the regulatory side first. I think the regulation side of things has been pushing, as you mentioned earlier, healthcare organizations to not share, to keep things to themselves, and to work in a way that’s very individualistic. I think there are regulatory changes that could happen that will motivate less of a stick, right, less of fines and less of trying to keep things under wraps. And the Hall of Shame, I’m not sure if you’re aware of it, the Hall of Shame, which shows the cyber attacks or any other PHI, basically any HIPAA violation, for a health organization. And that’s not positive or conducive for sharing and for being open about what’s happening with these attacks. And the Springhill situation is unique in that regard: finally, there’s a very open discussion about it, but it’s for the wrong reasons, for litigation. And regulatory bodies can help by using more of a carrot and helping organizations figure out how they can work together. After all, they all invest together, to improve, to understand what the processes need to be, to share their experiences. So if one organization goes through an attack, they can take that experience and share that with another organization. That’s also part of the work we’ve been doing. And we’ve seen it being very fruitful. So we are working with hospitals that are on very different parts of the spectrum in terms of where they are with their cybersecurity journey. And we can work with hospitals that are later in the stages, that already have budget, they have the personnel, they know what the project needs to look like. And we’re working with them. And then we can take that experience as we’re working with healthcare organizations that are earlier on in their journey. They might not even have budgeted the personnel for it. And we can share that experience with them and help them to understand where they need to get to and how they need to get there. And I think the government can help do that as well.
Nick van Terheyden
So I think you bring up a good point: the Wall of Shame is not a positive reinforcer. I will say in its defense, prior to that, there was nothing, and essentially everything was kept quiet. And at least at the time, it felt like a step in the right direction, because there was no stick. And, you know, it was the shaming of organizations that started to change behavior. So I think there has to be some public exposure, but perhaps not with the accompanying shame, shame, shame activity that goes with it. As you think about the future, what gives you hope for, you know, our securing of healthcare and our healthcare records and the healthcare services that we’re delivering?
Daniel Brodie
So that’s very interesting. And we saw that from when the company was founded, and we were talking with healthcare organizations, and really, back then they were mostly focused on the inventory aspect and utilization understanding, really things that were very bare bones in terms of cybersecurity. And we’re seeing nowadays that healthcare organizations are really moving towards much more of a risk reduction discussion. That’s what they’re interested in. That’s what they’re focused on. We’re seeing interest in one of the things that we’ve pushed out recently from our product, something called ADR, which allows us to help organizations actually detect and respond to attacks that happen on their networks. And we’re seeing that organizations, even though they’ve been going through a beating the past couple of years, they’re coming out stronger on the other side. They’re realizing what needs to be done. They’re focused on doing it, and they’re motivated to get that work done. It’s still going to be difficult, not going to be easy, but the motivation is there. And that brings a lot of hope that we’ll be in a better place in the near future.
Nick van Terheyden
I agree. I think healthcare security is an investment. It’s not a cost. People have to change their mindset. Unfortunately, as usual, we’ve run out of time. It just remains for me to thank you for joining me on the show, Daniel. It’s been a great pleasure. Thanks for coming on the show.
Daniel Brodie
And thank you very much for having me. It was a pleasure being here.