Podcast Bonus Season: Cybersecurity in the Age of COVID-19 Featuring Chris Roberts, Mary Beth Borgwing and Ed Bassett
With the recently reported hack attempt on HHS systems, we gather with some of the leading experts in cybersecurity.
Welcome to NeoCast. Join our experts each week as we discuss strategies and solutions for your businesses and manage IT, cyber security, government contracting and much, much more. Sharing is caring and we’ve got top shelf advice to help you navigate today’s biggest challenges. Let’s get to it.
Well, hello everybody and thank you for joining us for this bonus episode of the NeoCast podcast. We’re trying to cover some topics that are top of mind for most cybersecurity professionals right now and frankly concerned Americans about what’s happening alongside of this COVID-19 crisis.
Today on the show we are going to have Chris Roberts, a researcher and expert in cyber security across the gamut. We have Ed Bassett, you all know him well, our CISO with NeoSystems, and we have Mary Beth Borgwing, with the Cyber Clan. She is the chief strategy officer with the Cyber Clan as well as the founder of the Cyber Guild and United Women in Cybersecurity.
Thank you all for being here.
Thanks for having us. Appreciate it.
Today, in this first episode, we really briefly wanted to talk about what’s happening in our healthcare systems. It’s been front of mind since it was mentioned in one of the White House briefings that the HHS had a cyberattack attempted on them. There’ve been lots of conversations around loosening any kind of restrictions or regulations around HIPAA. On the other side, there’s lots of people who are very interested in getting data quickly, so that they can come together and find vaccines and cures and so on and so forth, to really tackle this issue, which, of course, for most people in your field starts opening up your brains to, Oh my gosh, what can our industry do? What do we need to be thinking about? And what are the real dangers for losing any of these restrictions?
Also, what can organizations, agencies and contractors do to keep an eye out on the safety of everyone’s data and their systems?
To start off, Chris, would you maybe just outline for us, given that this is going to be a critical time for everyone, which we’ll go into a little bit deeper in another episode, but can you just outline for us what do we need to be thinking about? What’s going on right now? What are we doing right? What are we doing wrong in thinking about healthcare?
To your point, it’s a fairly critical time at the moment. There’s a huge pull in several different directions. Obviously, what we have been trying to do with healthcare is to protect the data, which for good or for bad means locking it down a little more effectively. Obviously given the current situation with the virus, we need to reverse that to some degree and open the data channels up more effectively, so people can collaborate and corroborate more effectively and more rapidly.
What we’re seeing is hospitals, healthcare facilities and research labs wanting to get access to data much quicker than we’ve been able to put in place before. We’re relaxing the HIPAA rules to allow that to happen. The upside on that one is we get more rapid response. Downside on that one is we from the security side have to figure out how to more offensively do cyber hygiene and make sure that we can communicate more effectively with the various teams holding onto the data, and obviously, still do the best we can to protect the facilities and the data itself.
Absolutely. Makes a lot of sense. Of course, that means though that through this process we’ll be opening ourselves up to a lot of incidents that we need to be thinking about.
Mary Beth, your organization, Cyber Clan, this is a particular area of expertise here. How would you advise agencies, contractors, and the like to be thinking through incidents and how to respond to them and how they can jump quickly into action to stem any kind of issues from these types of attacks?
Mary Beth Borgwing:
Yeah, thank you. I would like to be able to say that we all have to be vigilant about our identities and our PII data and who and when and how we give it to people. I think that will help because there’s a lot of healthcare workers that don’t even understand some of the HIPAA rules because they’re just in parts of the job. What we’re seeing and what we’ve come in to do is to help when there’s an incident that’s been escalated. Sometimes they don’t even know when there’s an incident happening.
There’s a lot of learning that has to go on in this time of crisis. Pushing information out to these organizations quickly, I think, is something that could really, really help with the education piece and educating the workers. Also, when there is an incident, they have to say something. If they see something suspicious, they have to say something. It’s about communication.
As Chris said, it’s about collaboration. Without that you’re kind of dead in the water because it’s this human side is the weakest link to an incident. We are seeing an uptick in even doctor’s office, and if you think about the doctor’s office, they communicate with the hospitals. There’s a supply chain of information that can be stolen and used improperly. It really starts at the worker who’s taking in those cards. It also is reliant upon the patients. We have to have a supply chain of vigilance.
That makes a lot of sense.
Given that I’m going in for a procedure tomorrow, I’m already thinking through which boxes I’m going to tick and to be thinking around my own health information that I’m sharing.
Ed, given that a lot of the organizations that your NeoSystems works with are government contractors and, therefore, may be impacting some of these issues in the sense that they are providing services to HHS or other government agencies.
Have you seen an uptick in response from your end… Of people asking you to help them bolster their security or what are you hearing on your end?
It’s not so much bolstering security as it is sort of thinking about what kind of security they need given the changes. As a security officer, this is not the time for anyone to be beating the drum to become more secure. It’s really more about in the time of disruption settling for not doing anything stupid. Making sure that we’re doing the smart things. We need to prioritize health, safety to human lives over security certainly. We’re going to take some chances. We’re going to take risks we might not take. You’ve seen that CDC and others have put out some relaxed protocols for things like use of masks, which were in short supply. We’ve seen some licensing rules that have been relaxed for telemedicine. People who maybe weren’t licensed to operate remotely in terms of delivering healthcare services are now being allowed to do so.
These are all things where you take a little more risk because you have a sense of need. I think this applies on the security side too.
It may be even beyond healthcare. It’s not just the healthcare industry that’s disrupted by this. Other industries are having to have everyone work remote with new technology and new techniques. We’re going to take some chances. Security folks need to make sure that those chances are well informed. That we’re making smart risk trade-offs, right? If we need to be expeditious, we need to do something fast and a little looser than we might otherwise do, let’s make sure that we’re doing security where it makes sense and relaxing where it makes sense.
What have you all seen out in the market? You’re much closer to this issue than most anyone. As the public starts to look at these things, they’re going to look more and more towards cybersecurity experts, like all of you for clues on, should we be freaking out? Are there other things in place already? The protection, is it there and we just don’t know about it? How would you put people at ease?
I think for me it really doesn’t change anything that we’ve been talking about for a while, which are the basics. It’s the simple things. It’s how do we educate the population to think a little bit more, ask more questions. You’re never going to stop somebody from clicking on something, but how do you arm them more effectively to think about what they are clicking on? We’ve obviously extended the network way beyond the office now to our homes. How do we help people be safer in their homes and what choices they make on their end points on the networks.
The whole concepts of VPNs and architecture and then, quite honestly, helping them understand when something goes wrong, how to more effectively recover. That’s obviously Mary Beth’s side. There’s the basic stuff we’ve been teaching them, it’s quite honestly, I’d say we don’t change that messaging, we just try to increase it and we say, look, we’re here to help and here’s how we want to help.
Mary Beth Borgwing:
I think one of the worst things that people can do is to not focus on their customers right now, but focus on reaching their customers safely. Everyone I’ve talked to is working remotely and I think that their security veil is a little bit weak. I’ve had a lot of IT professionals reach out over the last two weeks trying to figure out how to have their whole workforce work remotely, which is a huge issue from a security perspective. From manning up on the IT perspective, because not everybody has a laptop. There’s a shortage of laptops right now.
I think companies have to get… First, think of security and safety and then they have to think about the workflow, right? How do they create protocols and work arounds, so that they don’t create a security issue because going to a home computer and losing data on a home computer and having caught client data on social media is probably one of the worst traumatic things that I’ve seen happen to Fortune 10 and Fortune 20 companies.
Also, I think the secure use of apps like Slack and protocols around that. It’s a time for IT and security to come together and really do security protocols with their workforces.
When there is something that goes wrong, don’t hesitate. Call a professional. Get someone in there that understands an incident. Usually those of us in the industry, we are up and running on an incident within 15 minutes. That’s a good amount of time. The bad guys already have a jump start on us, but if there’s something going on in your network or your laptop or whatever, raise your hand! Make sure you have an 800 hotline number to call because they’re all available. Those of us in the industry all have them and they do work. We do pride ourselves in being vigilant about getting up and running because that’s the key to reduction of an incident.
Erin, you brought up the fact that we’re probably going to be relaxing some rules in a lot of places, maybe taking more chances than we used to. The question then is, are we going to see more incidents? Are we going to see more criminal activity because of it? So far, we’ve seen that the criminals are not taking a holiday because there’s a crisis going on globally. Right? They’re not feeling the humanitarian spirit. Criminals are criminals. We’ve seen a lot of scams that are taking advantage. They’re using coronavirus issues in their ruse, trying to trick people in a traditional phishing sense, using that in their story. You mentioned the announcement this morning of a break-in at HHS. Was that something targeted? Was it routine? There’s still some discussion going on about whether that was intentional, state sponsored type attack or something more like random noise of the internet. The reality is that the world is potentially a better target now and criminals are definitely taking advantage of that.
I think we can expect to see an uptick in attacks at a time when it’s… As I mentioned earlier, it’s not really possible to have a scaling up of our security. We’re going to have more incidents. We are going to have more things to deal with.
Before we end our episode on healthcare specifically and then move into providing the audience with fuller view of what we need to be thinking about period, across the board in cybersecurity.
It’s not lost on me that when computers are infected, they are called viruses. I’m just curious from your perspective in this field, is there advice or ways of thinking that you would think are analogous to the situation that we’re facing in the health crisis? Are there ways that the professionals trying to hack quote unquote this disease could be thinking about it the same way that you all think about cyberattacks?
Mary Beth Borgwing:
There is no vaccine in cyber. Right now, there is an education that’s needed. That’s the vaccine. We don’t have enough educated people in the cyber ecosystem because we’re all connected. That is something that we’re working really hard on, so every supplier to a hospital, maybe it’s a very small company, maybe it’s two or three people, they have to be educated on how they are using cyber hygiene and protocols. It’s that education piece that I would say is the most important thing.
I couldn’t have said it any better. Perfect. Great.
Great. I appreciate you all tuning us in to what you’re thinking about as far as how this relates to healthcare in specific.
I hope everyone will join us for the next episode where we’re going to discuss a little bit more broadly what we need to be thinking about as all of us go to remote workforces.
Thank you Ed, Mary Beth, and Chris.
Thanks for having us.
Mary Beth Borgwing: