Cybercriminals Know Your Vulnerabilities: How to Fight Back?

2024 has seen a sharp uptick in ruthless tactics by cybercriminals, who are now directly threatening patients with release of sensitive information, photos and medical records. In one instance, cybercriminals went as far as submitting a phony incident report to local police, triggering a harrowing visit from a SWAT Team. In this conversation, John Riggi, national advisor for cybersecurity and risk at the AHA, talks with two experts about the rise in these tactics, and what’s needed to fight back and prepare against these threat-to-life crimes.

For more information on cybersecurity and ways to protect your organization, please visit www.aha.org/cybersecurity.

00;00;00;19 - 00;00;22;29
Tom Haederle
Imagine getting an email or a phone call from a total stranger with this message: "I have your medical information and I know that you had surgery on this date." Pretty scary stuff. We've seen a sharp uptick this year in the brutal tactics of cybercriminals, who are now directly contacting and threatening patients during ransomware attacks, pushing the boundaries as never before.

00;00;23;01 - 00;00;48;26
Tom Haederle
As always, the bad guys demand payment and if a victim resists, they may threaten to publish sensitive photos online, take advantage of stolen patient records, or even send phony incident reports to the local police to trigger a harrowing visit from a SWAT team. Yes, that's happened too.

00;00;50;06 - 00;01;20;19
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA Communications. John Riggi, AHA's national advisor for cybersecurity and risk, talks with two experts about how this latest despicable tactic in the arsenal of cybercriminals should be managed, starting with updating incident response plans. As John notes, if there were ever any question that the intent of these gangs was to harm patients, it is now clear that is their fundamental intent.

00;01;20;22 - 00;01;45;21
John Riggi
Hello everyone, and thanks for joining today. I'm John Riggi, your national advisor for cybersecurity and risk at the American Hospital Association. Today we'll discuss a new cybersecurity trend. Cybersecurity criminals are contacting and threatening patients during ransomware attacks. And there is a need to update incident response plans to adjust for the uptick in this despicable criminal behavior.

00;01;45;24 - 00;02;31;11
John Riggi
Unfortunately, last year was the worst year on record for data theft attacks and ransomware attacks. Foreign-based bad guys, primarily Russian ransomware gangs, are continuing to evolve their despicable tactics to increase the likelihood of payment by victims, including calling victims directly based on information in their stolen health care records, demanding payments from them directly, and/or conducting swatting attacks, dispatching local police to fake armed incidents at the homes of patients, which is very, very dangerous for the patients and responding law enforcement, and also threatening to publish very sensitive photos of patients online.

00;02;31;13 - 00;02;56;11
John Riggi
So, as you can see, they are pushing the boundaries, directly threatening patients. If there was ever any question that the intent of these gangs was to harm patients, it is clear now that is their fundamental intent. Today I'm joined by Jake Milstein, chief marketing officer at Critical Insight, and Johnathen Inskeep, who was the former CIO at Caribou Medical Center.

00;02;56;13 - 00;02;59;12
John Riggi
Jake and Johnathen, thanks for joining the podcast.

00;02;59;15 - 00;03;00;14
Jake Milstein
Thanks for having us, John.

00;03;00;14 - 00;03;01;21
Johnathen Inskeep
Yeah, thank you.

00;03;01;23 - 00;03;12;00
John Riggi
Jake and Johnathen, let's jump right in. Can you help our listeners understand what cybercriminals are doing during ransomware attacks and how they affect patients?

00;03;12;00 - 00;03;38;09
Jake Milstein
I think you, you know, you hit on some of the attacks that just occurred, but I want to go back actually a couple of years here, and recognize that this has been a criminal tactic in sort of a spotty way. You know, you go back 3 or 4 years and there was an attack on a school district in Texas, and that attack on the school district in Texas, the school district, I don't know, they either didn't pay quickly or decided not to pay.

00;03;38;11 - 00;04;02;20
Jake Milstein
And the criminals started calling parents and emailing parents and saying, oh, I know your son's name. I know your daughter's name. And of course, the parents started calling the school district. We saw it in health care a couple of years ago, but it was kind of spotty. The big change here is at the end of 2023, we saw it several times.

00;04;02;20 - 00;04;27;10
Jake Milstein
We didn't just see it one time. We saw it at a health care organization in Oklahoma, and then we saw it at Fred Hutch Cancer Care Center, which you talked about, which is in Seattle. And in the Fred Hutch case, the criminals went so far as to threaten these swatting attacks. The swatting attacks are when the criminals would, you know, they threatened to call 911 and say, you know, this person has kidnapped me and I'm in the basement.

00;04;27;10 - 00;04;48;27
Jake Milstein
Send the SWAT team, right? So the SWAT team would come. And you know, how might it affect patients? I mean, wow, can you imagine getting an email as a patient? You know nothing about cybercrime. And all of a sudden, you know, somebody emails you and says, I have your medical information and I know that you had surgery on this date.

00;04;48;29 - 00;04;52;05
Jake Milstein
You know, I mean, that's pretty scary stuff, right, Johnathen?

00;04;52;07 - 00;05;11;17
Johnathen Inskeep
Oh, absolutely. I just try to put myself in the shoes of, like the patient. If you're receiving those phone calls, you start to wonder. It's like, is this really happening to me? And then you start like, how did you get my information? And, you know, they point back to the hospital and you immediately lose trust and value in the health care service provider that you were going to.

00;05;11;18 - 00;05;21;13
Johnathen Inskeep
It's just devastating. And then a lot of people, it's like, I don't really have any problems, but I don't want any problems that I've had shared with anybody. So it really just leaves you vulnerable.

00;05;21;15 - 00;05;42;15
John Riggi
Just think about it from the patient perspective. As you said, you're getting these calls. And of course, the first thing that patients are going to do is call the hospital. Now the CEO is getting calls. . . . word that these patients are being directly extorted. Imagine again the pressure on the hospitals. Nobody wants to pay ransom. And again, of course, we at the AHA strongly discourage the payment of ransom.

00;05;42;15 - 00;06;06;07
John Riggi
It will only encourage these groups to continue to conduct these attacks and fund them for perhaps other, more serious crimes as well. But you know what I was confused about, I should say, wondering about in this latest, highly publicized case when they were contacting patients directly for demanding a ransom payment from them, they were only asking $50 each.

00;06;06;10 - 00;06;08;13
John Riggi
I don't get that. That's a lot of work.

00;06;08;14 - 00;06;28;01
Jake Milstein
You know, it's super interesting. It's super interesting. And, you know, I've seen a debate and actually been part of a debate on this. So folks know what this is. And I might have the exact figures wrong here, but basically what the criminals said was pay us $3 and we'll let you know if we have your records. You can see your record for $3.

00;06;28;01 - 00;06;50;23
Jake Milstein
And if you want us not to expose your record publicly, then it's $50. And so some people have said that really this is just a pressure tactic that I personally think that that is more advanced than a pressure tactic. And I actually think that the bad guy - this is just a new revenue stream for that. It is the what is the triple extortion?

00;06;50;23 - 00;07;09;13
Jake Milstein
The quadruple extortion. I think you know, this is the you know, we're going to tier your payments. I actually think it's a revenue stream because, you know, you know, criminals are you know, they're good at math. We know this. You know, let's say you have what, 100,000 patients and everyone pays you $50,000. I mean, you know, it's real money.

00;07;09;15 - 00;07;33;00
John Riggi
Right? And, you know, as I'm thinking this through, ransomware as a service has proliferated dramatically the past couple of years. And people are assuming, wow, if they're demanding millions from the hospital victim, why would they go after patients for $50? Well, maybe this is a separate department within the ransomware as a service. Said, you guys can have the patient aspect of this.

00;07;33;03 - 00;07;54;12
John Riggi
There's others we know that are making money off stolen credentials. So we have the initial access brokers. This is truly a very efficient underground economy all around ransomware where there are multiple components making money off different aspects of the attack. So this is my theory only there's probably some groups said, hey, whatever you can collect from the patients you keep.

00;07;54;15 - 00;07;58;11
John Riggi
And that helps apply pressure to the victim organization as well.

00;07;58;16 - 00;08;32;17
Jake Milstein
Yeah. I mean, rewinding back to that Texas attack on the school district. There was no demand for money from the parents. That was strictly a hey, call the school district and, you know, get them to give us $5 million or whatever the ransom was. This new thing is different. Now, I will also say there's another case in, I believe, the Los Angeles area - plastic surgeon, bad guys got the pictures and both extorted the plastic surgery clinic and demanded $500 per patient from the patients.

00;08;32;19 - 00;08;47;01
Jake Milstein
Now, I will say that is an actual moneymaking scheme. And, John, if you're right, you know, what we're looking at here is these criminal enterprises, and they are enterprises, are now developing a B2B wing and a B2C wing. Like this is ridiculous. But that's what we're starting to see here.

00;08;47;03 - 00;09;07;26
Johnathen Inskeep
Yeah. The other thing I would say, too, is when you have a victim called like that, what are they preying upon? The reaction of the victim, right? So as the victim...oh my gosh, they have my information. I'm going to pay the $3. Well, that's a great way for that victim to be victimized again, because you put in through their paywall your information to be able to pay that.

00;09;07;26 - 00;09;22;05
Johnathen Inskeep
Now they have your financial information to take advantage of your debit card, right? So a great way to snag the person once again, unfortunately, it's just a great way to prey upon a person, which is just unthinkable.

00;09;22;08 - 00;09;25;01
Jake Milstein
Are you saying the criminals don't accept cash, Johnathen?

00;09;25;04 - 00;09;29;10
Johnathen Inskeep
I've never got one to accept cash. I would try to get him to do Monopoly money once, but he told me no.

00;09;29;12 - 00;09;30;05
Jake Milstein

00;09;30;08 - 00;09;58;00
John Riggi
Wire transfers? No, that's no good. Digital currency? I recently made a provocative comment on social media, in a sense. And I said that digital currency is the root of all cybercrime. And ultimately, if it wasn't for crypto digital currency, it would be much more difficult for bad guys to conceal, transfer, anonymize the proceeds of crime and certainly would take a massive reduction.

00;09;58;00 - 00;10;04;12
Jake Milstein
Yeah. I mean, I think that that is definitely true. I'm not sure I agree that it's the root of it.

00;10;04;12 - 00;10;05;07
John Riggi
They're meant to be thought-provoking.

00;10;05;07 - 00;10;25;20
Jake Milstein
I understand. You know what, I don't know if it's the root of it, but I do think that it brings up an interesting question for folks like it is. I understand deeply that the AHA tells people not to pay a ransom. I don't think people should pay a ransom. Some organizations make the business decision to pay the ransom.

00;10;25;23 - 00;10;47;14
Jake Milstein
And one of the things that folks need to do in building an incident response plan is to come up with, are we going to pay the ransom? Under what duress would we pay the ransom? Would we never pay the ransom? And I will say, if you come to the possibility that you might pay the ransom, think about how you're going to do that before you're in this situation.

00;10;47;17 - 00;11;02;23
Jake Milstein
If you're going to have to buy Bitcoin, how are you going to do that? If you're going to use a firm, how are you going to do that? Again, I do not think anybody should pay the ransom. But this is all part of it. I will tell folks, I was in a fascinating tabletop with this guy, John Riggi, who's joining me on this podcast.

00;11;02;25 - 00;11;18;12
Jake Milstein
There was a hospital exec and the hospital exec said, I'm never going to pay the ransom. I'm never going to pay the ransom. John, I don't know if you remember this. And John got to, you know, all your systems are shut down. No, I'm not going to pay the ransom. You're on divert. I'm not going to pay the ransom.

00;11;18;16 - 00;11;26;08
Jake Milstein
And then John said, the criminals have started calling your patients. And this hospital exec said, okay, I'm paying the ransom.

00;11;26;10 - 00;11;46;04
John Riggi
Exactly right. There is a boundary. They know what the pressure limits are to extort these payments. These are the equivalent of violent crime extortions. So you know my background, 30 years in the FBI - dealt with a lot of bad guys, including Russian organized crime bad guys, and terrorists as well. They know what the pressure points are, apply pressure to get whatever their objective is.

00;11;46;04 - 00;12;08;10
John Riggi
They claim these are financially motivated crimes, the bad guys, but really financially motivated, under threat of harm to patients, under threat of harm to patients again is why we always say these are threat to life crimes. There is a whole network now. Again, I said a whole industry around how do we creatively find ways to extort money out of the victims?

00;12;08;10 - 00;12;37;03
John Riggi
We extort the patients. We also have data leak sites that if the organization, the victim organization has not reported the attack publicly, the ransomware guys publicize it on their public web leak sites, notifying the government. So they have all types of issues there. Again, trying to maximize pressure on the victim to pay. Again, we discourage payment. We know that ultimately, even the FBI says this is a business decision.

00;12;37;06 - 00;13;01;11
John Riggi
And if patient safety is at risk, that is a consideration of whether to pay or not. Now, the best way is you talked about being prepared. Cyber insurance companies now actually generally come with their cyber policy methodology is to pay the ransom in digital currency. They actually have ransomware negotiators. There's a whole industry on the good side that's developed around ransomware.

00;13;01;14 - 00;13;22;12
John Riggi
So all these things have to be thought out. But ultimately we say, look, just don't get yourself into that position if at all possible. Offline secure backups that are immutable, that you can use to restore, know where your data is. But ultimately, if your data is encrypted, the bad guys can't use it. Even if they get to it, they can't use it.

00;13;22;14 - 00;13;48;28
John Riggi
Quite frankly, I think that there is not enough attention being focused on data mapping and encrypting the data. All these layers of technologies, millions and millions we spend are around protecting data, ultimately to protect patients. So let's start at the bullseye. Let's encrypt the data at rest and in transit. Even the government says if the bad guys get to your data and it's not readable, you don't even have to report it.

00;13;49;00 - 00;14;10;15
John Riggi
So again, let's start with some of the fundamentals and the basics. So speaking of vulnerabilities right? Which lead to these attacks for both of you. So are there common vulnerabilities in hospital systems that you see that cybercriminals, especially ransomware groups, are most frequently exploiting? Maybe Johnathen, you could take that.

00;14;10;18 - 00;14;31;04
Johnathen Inskeep
I think they take advantage of obviously the patient care aspect, right? But what they're finding is a lot of these real hospitals and stuff like that, maybe lack a little bit of direction and don't have the securities in place to be able to handle those type of attacks. And then what happens is that can either come in through a third party.

00;14;31;06 - 00;14;46;09
Johnathen Inskeep
There's a lot of risks that's there. There's a lot on the plate for the hospital, and it just puts them as a prime target, right? They've got all the medical record information there on the patient. They know they can hit a bunch of people all at once. And so it's actually kind of a scary scenario. You're just you were talking about targets.

00;14;46;09 - 00;15;00;25
Johnathen Inskeep
Hospitals are the prime target. And so to try and find a way to curb that, I agree with the encryption process. I also think that you should be following a security framework to help narrow that gap, to be able to identify risk. Yeah. Ultimately you're always going to be a target for the bad guys to hit.

00;15;00;28 - 00;15;23;21
Jake Milstein
And I think there's a basic unfairness here. There's a basic unfairness in that you can do everything that you should do to build up your defenses, and yet the bad guys only need to be able to get in one way. And when you look at that and you look at how they're getting in, it used to be the number one way bad guys got into hospitals was through email.

00;15;23;23 - 00;15;58;01
Jake Milstein
That's no longer the case. So when you look at the HHS data, you know, the number one way that they're getting in is through vulnerabilities and through third parties. What's a vulnerability? So a vulnerability is every time Chrome tells you to update or your iPhone tells you to update or whatever, because there's a vulnerability. If you look at all of the devices, if you look at all of the software a hospital is using, all of them, there are vulnerabilities that need to be patched, and those patches need to be treated as urgent incidents so that bad guys can't get in.

00;15;58;03 - 00;16;21;13
Johnathen Inskeep
And I would add to that, the other thing that really makes it difficult is you patch your home computer pretty easy-peasy, right? For some of these hospital systems, for them to be able to implement a patch, whether it's an EHR patch or even just a simple Microsoft patch, it takes a lot of coordination to make sure that that patch doesn't have a profound effect on other operating systems, right?

00;16;21;13 - 00;16;39;13
Johnathen Inskeep
So there's a lot of times that those patching processes take proper planning, like how do we have time to be able to have downtime for the network to be able to restart and implement the patch, do a little bit of testing. And so when they drop, unfortunately, we can't just immediately go run and patch it and come up all good, right?

00;16;39;20 - 00;16;44;11
Johnathen Inskeep
There's a little pre-planning that has to take place which leaves you exposed.

00;16;44;13 - 00;17;16;09
Jake Milstein
And you know we mentioned third party. So I want to break third party vulnerabilities into two buckets. Bucket number one is third party is holding patient data or employee data. And bad guys get it by getting into a third party system. And that's the data theft. The other is the third party has a door into the hospital network, and then the bad guy uses that door to get into the hospital network, and then is able to launch a ransomware attack on the hospital network.

00;17;16;09 - 00;17;22;02
Jake Milstein
Those are two different kinds of third party vulnerabilities, and both are getting bigger and bigger.

00;17;22;03 - 00;17;52;21
John Riggi
Yeah, I agree, and there are actually even a couple more. So not only do they hold the data or they are the electronic pathway in, because how does all that data move through electronic transmission, but also the third party themselves may become victim of a ransomware attack, which then disrupts hospital operations. You have some mission critical or, as I often say, life critical third party that immediate patient care depends on - it is then struck with ransomware.

00;17;52;21 - 00;18;14;21
John Riggi
And the bad guys are strategic and intentional. They know if we hit this particular third party, it will disrupt care in 100 health systems, placing massive pressure on that third party to pay tens of millions of dollars in ransom, tens of millions of dollars in ransom. So and then there's the other third party risk of their technology risk, third party technology that has vulnerabilities in it.

00;18;14;21 - 00;18;21;19
John Riggi
Right? We don't write our own operating system code very often I would assume. We don't build our own medical devices. We rely on third parties.

00;18;21;21 - 00;18;41;05
Johnathen Inskeep
Yeah, absolutely. I can't remember the last time I broke down the code to build something, right? So we have all these dependencies. And I think one of the biggest things centered around that is proper risk identification, right? If you take a third party on for operational purposes, how much do you know about either of that product? Where was that product made, manufactured?

00;18;41;05 - 00;19;01;02
Johnathen Inskeep
What's the risk of it coming into your environment and third parties you work with? Like what's the obligation? How strong is your business associate agreement with that third party vendor? Did you identify things that are related to risk in your environment that you're talking about in your business associate agreement? Because I tell you, if you don't have it listed, they're not going to be held accountable for it.

00;19;01;05 - 00;19;23;02
John Riggi
Quite frankly, you know, we don't want to alarm folks too much here, but really it's third party risk management and fourth party. So, who are the subcontractors for those third parties? That should be part of the evaluation. Where are they based? Are they based in the United States or overseas? China's offering a lot of good deals these days to get into our health care sector.

00;19;23;09 - 00;19;26;26
John Riggi
Unbelievably good deals, related to the Chinese government.

00;19;26;26 - 00;19;28;24
Jake Milstein
We're saying that deals are too good?

00;19;28;27 - 00;19;53;23
John Riggi
They're too good to be true, right? As we always say. So take a close look at that. What type of technology are they using? Is that technology vulnerable? Third and fourth party risks? Some of it you can control, some of it you can't. But that's where we have to be ready with that incident response plan that not only takes into account if you are the direct victim, but what about if our mission critical third parties are attacked?

00;19;53;28 - 00;20;05;14
John Riggi
How does that disrupt our operations, disrupt and delay patient care, risking patient safety. And the IT department has no control. Right, Johnathen, your third party gets hit. What do you what can you do about that?

00;20;05;21 - 00;20;23;26
Johnathen Inskeep
No control, because you have to function. I think one of the most interesting things was this, like our EMR vendor that we had - American company, right? However, when we went to do updates at night with the HR vendor, they were people from India that we worked with. And what was interesting to us is we had a geo block on India.

00;20;23;29 - 00;20;41;28
Johnathen Inskeep
So they had to call me and say, hey, we can't connect to your system. Can you make an allowance on your firewall? And that wasn't a risk that we thought we would run into because we're working with the American company that's here in America, and they outsourced their technical deployment out to India. And it was just this astonishing.

00;20;41;28 - 00;20;47;26
Johnathen Inskeep
Like we didn't factor that in when we committed to the HR program. And it's things that in hindsight we should have looked at.

00;20;47;27 - 00;20;53;03
John Riggi
Right. And of course, the time you discover that is in the midst of a crisis.

00;20;53;05 - 00;20;54;05
Johnathen Inskeep
Absolutely.

00;20;54;07 - 00;21;26;15
John Riggi
You know, I do a lot of media. Talk to a lot of reporters. I explain to them in these terms: hey, these are foreign bad guys being sheltered by hostile nation-states, attacking us, putting us at risk. They're very sympathetic. They understand and generally do want to help by promoting good, accurate information. So just as when we faced the threat of terrorism, the media was very helpful to distribute alerts to really show what the impact of these threats is and help folks prevent attacks.

00;21;26;17 - 00;21;54;17
John Riggi
Thank you both, Johnathen and Jake, for sharing your thoughts and insights and joining this podcast with us today. For AHA members, for our listeners, if you would like to learn more about AHA's cybersecurity programs, please visit aha.org/cybersecurity. This has been John Riggi, your national advisor for Cybersecurity and Risk.

00;21;54;20 - 00;21;57;23
John Riggi
Stay safe.

00;21;57;25 - 00;22;06;07
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.