The healthcare industry has undergone a major digital transformation since HIPAA was introduced in 1996. With technology rapidly outpacing regulations, keeping patient data safe and hospitals up and running has become more challenging than ever. Mike Murray, CEO of Scope Security and former Lookout CISO, sits down with host Hank Schless to assess what healthcare looks like in the age of 5G and our work-from-anywhere world.
Hank Schless 00:08
Hi, everybody, and welcome to Endpoint Enigma. I'm your host, Hank Schless. And today we're going to be taking a look into the future a bit by discussing what a couple of aspects of healthcare will look like in the age of 5G. Today, we're very happy to be joined by Mike Murray, who is the CEO at Scope Security and actually former CSO of Lookout. So it's great to have you back, Mike. Great to be reconnected and really excited to have this conversation with you. Well, welcome to the show.
Mike Murray 00:33
It's great to be here, man. It's so cool to be able to come back on the Lookout podcasts and contribute to a prior life and still be part of the family.
Hank Schless 00:42
So look, before we dive in here, I just want to give you the opportunity to tell people a little bit about what Scope does and, you know, what your mission is there, what's going on.
Mike Murray 00:49
Sure. So it's the funny thing, I got really good advice when I was very young that you should spend the first half of your career learning your craft and then the second half of your career trying to use the skills that you've learned to give back. That's one of the reasons that I ended up at Lookout in the first place. The opportunity to help protect hundreds of millions of phones at a time was a driver to come aboard and to chase actors like Pegasus and Dark Caracal and all the folks that you guys have chased over the years. It was a wonderful time. But then as I got to a certain point, the problems in healthcare became so evident, and they were evident to me when I started Scope about a year and a half ago. But 2020 has borne it out –– right? –– with the huge ransomware attacks against organizations like UHS. We've seen the increase in threat actors around COVID. We’ve seen the Russians and the North Koreans trying to attack our COVID supply chains. This is as strange a year as it's been for healthcare customers, and especially healthcare cybersecurity leaders. This is the year that people understand how important it is that we solve our healthcare problems. And so it's really exciting to be working in that space. I don't think most people think about it that often. But your healthcare organization has almost all the same financial information that your bank has about you. Plus, they have all of your health information that can be incredibly damaging. And tell us about someone who wanted to blackmail you a ton about your life. Plus, you're in a situation where you were in those machines that might be being broken into by Russian hackers. And nobody that I've ever talked to wants to be in the middle of one of those MRI tubes, while the Russians or the Chinese or some major APT group is messing with the settings on that magnet. And so, you know, healthcare to me is the biggest problem that we as an industry need to solve. And so it was a hard decision to leave. 
Lookout, you guys have one of the best missions, and I really, I love everybody there. And you guys are continuing to do all the great work that you always did. But solving the healthcare problem is so important that I had to chase it down. So that's what we've been doing.
Hank Schless 02:46
Yeah, absolutely. Sometimes you just get that calling and feel the need to follow along with it. And I respect the hell out of that. So… And this, also, this isn't your first time in healthcare security, right? Didn't you work for a company before Lookout and you are now back in that world?
Mike Murray 03:00
Yeah, it's funny. I always tell people that I'm a security person first and I came to healthcare later, after the last company I started, after we exited that company, which was a training and consulting company. There’s a big part of it still running, actually; it's called Mad Security. And my former team is running that. I ended up at GE HealthCare through a whole bunch of serendipity, where I spent the first, you know, six months there learning that security people know nothing about healthcare, and all the things we think are true about security, they have a different bent in healthcare. And I had to learn that and the more I learned, the more I realized that nobody was really solving this problem. As a security industry, we have traditionally built all of our products for financial services first, government second. And in some organizations, it's government first and financial services second, but everyone else is a distant 14. And so that works for most places, right? When I was CSO of Lookout, the tools that work for a bank customer work largely in a technical organization –– right? –– like the company that you guys are. There's nothing that looks less like a bank than a hospital. And that's true of technology. That's true of politics. That's true of staffing levels. There are multibillion dollar health systems that I work with that have security teams between five and eight people. I had that many people on my security team at Lookout when we were a 300 person company. And so all the things you expect of healthcare. And my favorite example, Bank of America, has about 5000 people on their security team. I know because I asked the recruiters. We've done back of the napkin calculations based on what we know. I'm pretty sure there's not 5000 people at all the healthcare systems in the United States combined. Their security team is not one bank. And so the challenges you have in those environments are just completely different. 
And if we're walking in and saying, well, it works for Bank of America, it will work for you, that's the most ridiculous statement. And so we went out to build a company that's focused on healthcare. Now the funny thing is the two worlds are kind of converging. And so my knowledge that I gained from Lookout, which you wouldn't think is necessarily going to be healthcare relevant, has been incredibly healthcare relevant over the last couple of years. So it's been a really interesting journey.
Hank Schless 05:13
Yeah, for sure. I mean, then, you're right. You want to think that a solution –– you can say the work for a place as a team of 5000 people… make sure at least has the capabilities to be able to kind of convert for those smaller teams, with all the conversation around like the short staffing of security teams globally. I mean, it's the stat that everybody in security has heard over the last, what, like three to five years of the massive, you know, understaffing, blah, blah, blah. You never really think to break that out by vertical. And then when you think about –– to your point, you think, like, oh, you know, banks have massive security teams, that's fine. You know, the federal government has a lot of security people, that's probably fine. But then when you really start to get into things like, you know, like healthcare and, specifically, like hospital systems and all that, you're absolutely right, it's pretty crazy. So, you brought up something earlier, which I do want to get into a little bit, which is the idea of, you know, I mean, we've obviously seen all these healthcare systems coming under siege, basically, for lack of a better term, especially this year with the pandemic, you know, it all kind of… it sort of makes sense that that would happen. But outside of the pandemic, any other particular reasons you can think of that you see that the hospital and healthcare system are getting so heavily targeted these days?
Mike Murray 06:23
Oh, yeah, absolutely. And the reason that we built Scope, the way we built it, we're fundamentally a detection and response platform. And we're not EDR. We're overarching detection and response. And the reason for that is really simple. You look across the security spectrum of all the activities starting from, like, governance and compliance, you know, through threat surface reduction, through security operations and detection and response, all the way to, like, incident response, cleanup and defer. There are companies that do most of those things. Well –– right? –– doing vulnerability management or endpoint software on a laptop in a hospital is very similar to doing endpoint software on that at Lookout or at a bank or whatever –– right? –– laptops are laptops. And frankly, the EDR products that are in those markets work pretty well, even in healthcare. The really interesting challenge about healthcare is it's not one environment, it's three. And people aren't thinking about that. The first environment is the traditional IT stuff, you know, the stuff. We're just talking about laptops and desktops, switches and routers, firewalls, all the stuff that already exists. And there's tools for that that work relatively well. Then you have the OT stuff –– right? –– the thing we love to talk about in security, operational technology. And in healthcare, that's the clinical technology. It's the medical devices. And medical devices look a lot like what you see in a factory or an oil rig, right? It's old legacy operating systems that don't get updated very often. It's devices that have incredibly long life cycles, like the average useful life of a CT scanner is between 20 and 25 years in most organizations. And so you realize you have these devices in these hospitals were designed and built in 2003, and with all the security state of the art that was 2003. 
And they're pretty much the same device today with a couple of patches, but good luck even getting security patches for something that was built that long ago. You have this clinical technology problem. Now, OT is really interesting in the traditional way. And if you think about that, I'm going to make up a customer, right? Exxon, if you go to Exxon's headquarters, that building is almost all IT stuff. If you go to Exxon’s oil refinery, that building is all OT stuff. You go to a hospital, every room you're in is IT stuff and OT stuff. And then there's a third environment that layers on top of that, which is the modern EHR, the electronic health record system that holds what most people in security think of as a database, right? It's just a big database of patient records. Not what an EMR is these days. That system is now the modern operating system for a hospital; you can't do anything in a hospital without a doctor or a nurse or someone keying something into the EMR. It controls who moves where and all of those sorts of things. You have all three of these environments layered together, where you got some good security stuff for your IT stuff. There's starting to be a couple of firewall companies that do OT things for the OT stuff and almost nothing for the EMR. And there's certainly no way to see across all of it. My favorite game to play with healthcare security leaders: Is it simple things? Okay, you have a doctor who's on a compromised laptop and that doctor accesses a bunch of records in the EMR. Do you believe that's a risk? Everyone says that's a risk, right? –– that that's a problem. Okay, how do you find out when that happened? And the answer always involves phone calls, people manually reviewing logs, and weeks of time. That's modern healthcare incident response because they can't see all three environments. They can see their IT stuff. They might have a little bit of idea on their clinical stuff. 
They have no idea on their EMR and so that’s the idea of, like, how do you do incident response when you only see a third of your systems? Well, now you understand just from that one thing why attacks spread through healthcare and environments are way more easy than everywhere else. That's a sign. And I always make the joke that ransomware is the only attack that detects itself. If what you're worried about is ransomware. What that says is our detection environment is telling us so little that the only time it warns us is when the attack wants to be found. You've been in this space for a while. What about all those bad guys that are sitting there quietly? That means you're never going to find those folks. It's sort of like when I came to Lookout. When I came to Lookout, I walked in the door. And I remember the conversation like it was yesterday. And Kevin Mahaffey was in complete agreement with me, and I love that. I said, “Look, this is a platform where we've never done good detection and response that tells me there are APT actors, there are bad guys that we've never seen in the world, because they're only on the mobile platform. And we've just never found those folks.” And within 12 months of me being at Lookout, we had discovered Pegasus and the NSO Group. We had discovered some actors out of China. We were at the beginning of the Dark Caracal investigation for the folks out of Beirut. And all of a sudden, there's this world of, “Oh, wow, now that we got better at detection and response, there really are sophisticated attackers in this space.” Healthcare is gonna see the same thing. It's especially in that clinical. One of the things that I saw is bad guys will phish to get into the environment. And then they know you're not watching. You don't have any EDR on a CT scanner, because FDA regulations say you can't, right now. Medical devices are a challenge in the building. 
If you read all the stuff about healthcare and where it's going, the hospital of the future anticipates the idea that we're going to start sending medical devices home to people. So now your home network is going to have that same medical device on it. And without any of the firewalls or the perimeter. We talked a lot in past years about, how do you do as medical device manufacturers move to the phone? How do you do more interesting security on those devices, because most people still have this idea that it's on the iPhone, it's by definition “secure.” It's by definition “privacy enhancing.” I mean, Apple's done such a good job with their marketing around that, that people just believe it. And so you have these medical folks that are out there, like, “Here, I'll sell you a probe that sticks into the headphone jack on your cell phone, and now your cell phone’s an ultrasound machine.” That's great for a doctor's convenience. But what if that doctor's kid takes that device over the weekend and goes and installs a bunch of random cracked Fortnite from some Chinese malware site? And suddenly that medical device is now reporting all of its data back to China? And what did you put on that medical device to protect it? I guarantee you that device is not running Lookout. And suddenly an attack against one of those protocols becomes compromising for an entire healthcare organization in a way that no one has thought about. Right? And people are like, “Oh, 5G is gonna be amazing.” You see those AT&T commercials where they're like, look, we can do remote robotic surgery, you know, hundreds of miles away over 5G. Great, as long as that’s secure, right?
Hank Schless 13:00
It's the conversation that always comes up whenever there's new revolutionary technology that's gonna be great, that’s gonna be widely accessible. Now, to your point, with so much of it basically having a front end on an iOS or Android device… I mean, even to kind of use a home example that people would be able to look at: Like, I'm sitting in a second bedroom, our back office, with a Peloton right next to me. And that runs on Android, like everything now is running on a mobile OS. Because it's simplified, it's easy to manage, it's, you know –– you can connect from anywhere. And with 5G, a lot of that will start to tie into it. So, one thing that's interesting to me is that when we talk to people a lot, now, obviously, the conversations that you're gonna have with another CEO of a healthcare system might be a little bit different. But in terms of compliance, where does that change? How does 5G? How do you think it will change?
Mike Murray 13:47
Let's separate out the two main parts, at least, for healthcare delivery organizations compliance. One is HIPAA. And that is what the delivery organization has to comply with. But you have to remember when HIPAA was written. HIPAA was written in 1996. Think about the technological environment in 1996, as compared to the technological environment today, and you have a really wonderful example of laws not keeping up with the modern world. But there's been some talk that I've heard about potentially fixing HIPAA at some point and doing like a HIPAA 2.0 kind of thing here in the next few years. What's particularly interesting, though, is there is no regulation that says, “This is how you enable health systems to monitor those devices, the log standards, what comes out of those devices” that allows you as a hospital CSO to say, “I have a sense that that device just got compromised.” None of that exists in regulation. I think the regulatory environment really has to evolve over the next five years to keep up.
Hank Schless 14:48
Yeah, that's the case with everything that the human hardware has not evolved at the rate at which the device software has. I mean, literally, like, we haven't evolved that much in the last 10 or 15 years. Really, when all this has really exploded, and you look at how much the devices themselves and even the ones that are lagging by a few years from their kind of conception to release, like, yeah. It's just the way we are. It's just the way this whole ecosystem acts.
Mike Murray 15:14
Yeah, completely. And actually, that's one of my favorite topics –– social engineering. And I think it's exactly that problem. You grew up in a world where a cell phone was a phone, and I grew up in a world where a phone was a thing on a wall with a rotary dial and a long cord to get across the room. One of the real challenges that people have getting their heads around in mobile security is if you're anything older than about 40, your concept of what a phone's risk profile is, it goes back to that rotary dial thing, and even the cell phones that you had up until about 2010. So if you're 40, you know, in 2010, you've spent 40 years of your life where, if someone had your phone, all they could do was dial a number on that phone for themselves. And all of a sudden, we get to this point in 2010 where now what we call a phone is no longer a phone. It's a computer that has connections to the entire world and to everything. How do you make that mental shift? It's really hard to update the concepts you grew up with. We are bad at updating our brain, right? Absolutely. Yeah,
Hank Schless 16:22
For sure. So we've just got a couple minutes left here. Just the last thing I want to do is, look, you are a security professional in your healthcare profession, you're wearing 100 different headsets at Scope. One thing I'd love to hear is just, like, two or three key pieces of guidance you would give someone in healthcare, maybe not. But when it comes to security and what you think really is key to focus in on as people look into 2021 and beyond.
Mike Murray 16:49
Yeah, so, good question. If I think about it, one of the hardest things, especially as a business executive, is to update our threat model with respect to new technology. And I watched our healthcare friends go through that this year. I was talking to a healthcare leader recently, who said that in February, they were licensed to have 300 concurrent users working remotely from home. And over the course of a weekend in early March, they went from 300 concurrent users to 6000 concurrent users. I heard another healthcare CSO talk at a conference I was at last week. And they said, in the same timeframe, right in February, they had, I think he said, 3000 Teladoc visits. And in March, they had 60,000 Teladoc visits. And updating your threat model is really hard, right? You built this whole security program. You've got a plan. You know what's going to happen. And then when that happens, suddenly, you're talking about a completely different world. And you have to figure out how to update that quickly, right? Because, same problem that you have with mobile: Like, I have had a security strategy for the endpoints in my organization for 15 years and then all of a sudden, the smartphone proliferates. And now that mobile device is a threat vector, not only to your organization, but to yourself, to your financial well being, to your privacy. So the advice, and this is like philosophical advice –– right? –– is question your own assumptions, question your own view of all of the concepts. That's something that especially security folks need to be doing constantly, because that's what the attackers are doing. The attackers are saying, “Hey, suddenly, everybody carries a supercomputer in my pocket, how do I exploit that? How do I take advantage of that?” And if you're not thinking that same way, like how can I protect that new thing that might be a threat vector that I've never considered, you're gonna fall behind. 
Look at the stuff that happened with the SolarWinds attack, with the FireEye attack. These are modern attackers thinking in modern ways. And if you're not willing to go along for that same journey, you need to be a modern defender thinking in modern ways, or you're gonna lose, right?
Hank Schless 18:53
Absolutely. So look, Mike, this has been awesome. I'm really, really happy to get this all lined up. Before we go, you mentioned you guys have a podcast for Scope. Give me a quick rundown of that. What people could expect there?
Mike Murray 19:03
Sure. So it's called In Scope, the Healthcare Security Podcast. What the aim of it is, I try to mix it up between guests that reflect our customers’ and prospects’ worlds. You know, healthcare CISOs, healthcare folks that are dealing with this problem on a day to day basis, and people who would be interesting. So we've had some security researchers on to talk about ransomware. I had a former State Department bioinformaticist talk about how security's affected his world. We try and just do anything that would be interesting if you're fighting the same fight we're fighting –– right? So obviously, we're gonna have some folks from Lookout on to sort of reflect this as well. I really want to talk about that medical challenge. As we move more and more medical devices to mobile, there's so many things we can do and there's so many things that people I don't think are doing.
Hank Schless 19:53
I'll definitely be tuning in a bunch. I hope that our listeners will as well. Probably find it on Spotify and iTunes and all the places everywhere you get your podcasts.
Mike Murray 20:02
You bet. It's everywhere you get your podcasts, as they like to say, as the kids say these days.
Hank Schless 20:05
Well, look, I think that's a wrap for us today. But Mike, thank you again. This has been awesome. It's been great to be connected again. Look forward to, hopefully, episode two. So that's it for us. Thank you, everybody, for listening. Don't forget to check out blog.lookout.com. For more educational security content, check out Scope Security. Mike's got some great stuff he's writing about on LinkedIn and only sharing good stuff. He's a great, great resource in the security world. And yeah, I think that's it for today. So thanks for taking the time to listen to Endpoint Enigma. Mike, thank you again, and stay safe everybody.