Exploited: The Cyber Truth,  a podcast by RunSafe Security. 

[Paul Ducklin] (00:14)

Welcome back, everybody, to Exploited: The Cyber Truth. I am Paul Ducklin, joined as usual by Joe Saunders, CEO and zfounder of RunSafe Security. Hello, Joe.

[Joe Saunders] (00:26)

Greetings, Paul. Great to be here as always.

[Paul Ducklin] (00:29)

Yes, thanks for joining us. I know you are on the road once again. Now we have a super special guest today, and that is Greg Garcia. And our topic for today, it’s quite a dramatic sounding title, but a very important one. The next cyber crisis might not be one hospital, it could be the entire health system. So why don’t we kick off by you, Greg, telling us what you do now, where you come from, and what your aim is for cybersecurity in general and for healthcare in particular.

[Greg Garcia] (01:05)

Glad to thank you, Paul and Joe. Glad to be here. I’ll keep my title simple. I am the Executive Director of an Industry Coalition called the Cybersecurity Working Group of the Health Sector Council. The Sector Coordinating Council is an industry-organized, industry-managed advisory council to the government and to ourselves about critical infrastructure protection. Healthcare is considered critical infrastructure, just like electricity, telecommunications, financial services. 

Before this, I actually ran the same kind of sector coordinating council for financial services. Before that, I was the nation’s first assistant secretary for cybersecurity for President Bush, where I had visibility across the entire spectrum of critical infrastructure, because we are also interdependent. I can’t do healthcare without water. I can’t do healthcare without electricity or telecommunications. It’s been a long and a rich career that has enabled me to make those connections across business, technology, national security, and government policy.

[Paul Ducklin] (02:15)

Now, Greg, one thing that I’ve noticed, certainly in my visits either as a patient or visiting other people to hospitals in the UK, they are an astonishing mix of IT and OT. When you’re in a modern hospital, you’ve got all these fancy gadgets that are electronically controlled. Plus, you’ve got doctors and nurses running around with laptops, connecting via Wi-Fi to the regular IT system. And the two interoperate in a way that may not be the case in almost any other industry. Would you agree with that?

[Greg Garcia] (02:50)

I would, although coming from the financial services sector and a major global bank, a bank is really a technology company that happens to move money around. Not just a company that buys technology, but they’re so big and sprawling and specialized that they roll their own. It’s not quite as sophisticated as that in the healthcare system. But yes, the modern hospital is a technology organization.

[Paul Ducklin] (02:59)

Yes, okay.

[Greg Garcia] (03:17)

That happens to do patient care. And that technology is being used to run medical devices, to run payment systems, patient data and scheduling systems, diagnostics, and imaging.

[Paul Ducklin] (03:28)

They’re also understandably very strictly regulated because if a machine goes wrong, might not be that it doesn’t complete your loan application in time, it might actually kill you.

[Greg Garcia] (03:41)

That’s exactly right. The American hospital system has a number of regulatory requirements. Most prominent is HIPAA, the Health Insurance Portability and Accountability Act, and it has the HIPAA security rule. That requires hospitals to employ various security measures, and it requires that they practice downtime procedures, incident response capabilities. Much of the healthcare industry consists of smaller, under-resourced health systems whose margins are zero to negative. When you have regulatory requirements that sometimes involve significant costs, and when you’re a hospital administrator, you’ve got your choice. Do I hire another nurse? Do I upgrade my MRI machine? Or do I invest in cyber? I’m sorry, I have patients to take care of.

[Paul Ducklin] (04:16)

Absolutely. It really does focus your mind very differently, doesn’t it?

[Greg Garcia] (04:43)

Right.

For the cyber person, the harsh thing to say is, look, doc, hope is not a strategy. Hoping that you won’t get hacked is not a good risk management strategy. We have a ground truth in the cyber working group that cyber safety is patient safety. One of my members, CISO’s chief information security officer, told me a story. It was somebody very senior in the hospital system who was a doctor, said, look, I can’t be bothered with cybersecurity right now. Look, I’ve got 20 patients a day to take care of, to which the CISO responded, 20 patients. You know what? I have every patient in this hospital system to worry about. Because if I am not securing our network and the patient data, if I’m not securing our medical devices and all of the other OT operational technology like refrigeration, HVAC, elevator,

[Paul Ducklin] (05:41)

Yes, it’s not just the CT scanners, is it? It’s very much the things that make those work.

[Greg Garcia] (05:48)

So I’m responsible as a, so for every patient in the hospital, let’s look at it that way. And I think that was persuasive to the physician that cybersecurity is everybody’s responsibility at different levels of complexity.

[Joe Saunders] (06:02)

And within that, of course, just given the scale of the healthcare system, when you talk about all the patients that one hospital serves, when you talk about all the technology that’s involved and all the suppliers of technology into each hospital system, but you look at healthcare in general, it’s just under one-fifth of U.S. economic activity. And if you add up all those hospital systems across the country and all that technology and all those suppliers that supply that technology and all those medical devices that get deployed, you can see with good reason why this industry is part of the critical infrastructure and so vital to our own economic activity in the US, also just the safety and the health of Americans. It’s a massive challenge to think about security across an entire country that does so much healthcare activity.

[Greg Garcia] (06:52)

You know, we talked earlier that the healthcare industry is regulated. There are a lot of critical infrastructure industries that are regulated, and regulation can be setting minimum standards is good. Sometimes the government gets a little bit too ambitious and they start saying how you should do things and starting to micromanage that can actually be counterproductive. 

But one of the things that the health system, particularly the health providers, have been calling for is greater accountability among those third-party technology and service providers, many of them in the high-tech industry, that are not regulated. We argue, and I have testified before the Congress when they ask, well, what should we do to be helpful? Well, Mr. Chairman, we have a healthcare industry that is heavily regulated, yet the technology that they must buy, the services that they must buy, is not regulated; often that technology and those services are not adequately secured against cyber threats, yet they can continue to sell to us. 

Well, shouldn’t it be a fair policy of the United States that any third-party technology and service providers serving any critical infrastructure, you ought to be held to a higher standard of cybersecurity because cyber threats aren’t going away. And if you are the vector, through which an attack is successful against a hospital system that disrupts operations and harms patients, you need to figure out how to better serve your customers.

[Paul Ducklin] (08:28)

This is really a special case of managing the supply chain, isn’t it? Yes. Now, Joe, we’ve talked several times on this podcast before about the automotive industry, where even traditionally, before everything was software defined, you have to account for at least four levels deep in the supply chain. It’s not just enough to say, I bought this from X, who I think is okay. You have to know that what X bought from Y is okay as well and what Y bought from Z and so on. Do you think we need regulations of that sort in the healthcare industry? And can we get those regulations without damping down innovation?

[Greg Garcia] (09:10)

This is a great question. We have a tool for that. You can go to our website at healthsectorcouncil.org, type in SMART, Sector Mapping and Risk Toolkit. Much of the US healthcare system is very well aware now of this company called Change Healthcare. I’m not going to throw anybody under the bus, but Change Healthcare is one of those critical services and utilities that healthcare depends upon. What does that mean?

I’m a patient. Walk into the doctor. The doctor gives me a prescription. The prescription needs to go for prior authorization by the insurance company. I go to the pharmacy to pick up my prescription. I pay a lower cost because the insurance covers the other cost and the insurance company then pays the doctor. Change Healthcare handles that prior authorization communication and it handles the reimbursement. What happened? Change Healthcare got hacked in February of 2024.

It went dark. Change Healthcare serves one-third of the healthcare system.

[Paul Ducklin] (10:09)

Dear.  Was that a ransomware attack, Greg?

[Greg Garcia] (10:16)

There was a ransomware attack. Millions of Americans could not get their prescriptions because the pharmacy never received the prescription. Hospitals and doctors did not get paid because Change Healthcare could not execute that transaction. Small rural hospitals, many of them went out of business because they had daily expenses of, you know, a million and a half, just a small rural hospital, yet no money was coming in. Can we map out all these essential healthcare workflows, retail pharmacy, I just described that to you, medical imaging, blood supply and distribution, pharmaceutical and medical device manufacturing. It’s like a board game. To complete a workflow from beginning to end, it takes a number of hops. And so if you’re a hospital system or a pharmaceutical manufacturer, you look at this map and you ask yourself, who’s doing this reimbursement service for us?

Who’s doing this imaging diagnostic service for us? And what is their relative importance? What is their material risk to the successful completion of this workflow? Like Change Healthcare, there’s only about three organizations that do what they do. That means you don’t have any alternatives.

[Paul Ducklin] (11:34)

So that essentially makes a private commercial company part of the critical infrastructure simply because there’s nobody to take over in an emergency.

[Greg Garcia] (11:44)

That’s right. Exactly. So we’re trying to map that out. We have 17 workflows. If you go look at the toolkit, there are 17 workflows that any healthcare organization can look at and see where do we fit in or where do our suppliers and technology providers fit in. And then we can build a risk profile. 

Now the government looks at these maps. Just as you said, Paul, there is this large community of technology and service providers that are not regulated, but nevertheless serve critical infrastructure, are therefore part of the critical infrastructure. How do we hold them accountable? What kind of monitoring can we do of this global supply chain system? When somebody starts arguing for regulation in this country, with this administration, you’re probably not going to be very successful.

[Joe Saunders] (12:33)

Yeah, I guess we could all react to the politics, but we have to look across the ecosystem and look at the risk and do what we can. A really good example thus far. So in 2015, the FDA started regulating and requiring Software Bill of Materials. Also, before you release your medical device to market, you need to demonstrate your mitigation strategy against all the vulnerabilities. And that gets to sort of the supply chain question, at least for the medical device manufacturers.

They have their own suppliers, and have the open source software they incorporate. They have third-party components that they get from other software vendors, and they themselves manufacture portions of the system they produce, at least from the software perspective. And so that process works really well because everybody knows that they need to generate and understand all the software components that are in their system. They need to share that Software Bill of Materials with the healthcare providers themselves so they know what they’re receiving and they can diagnose things should an event occur. And they need to do an ongoing continuous assessment of the vulnerabilities inherent in those medical devices and take mitigation actions. Without that, I’m not sure all these organizations would necessarily do it. We do think that that would naturally be considered good business for a medical device maker. We did a survey last year at RunSafe.

And I see this as an encouraging statistic, but it’s also, you can look at it slightly differently. The Medical Device Cybersecurity Index we did last year, interviewed hospital systems and medical device makers and related folks and had specific questions around cybersecurity. And one of them is that 46% of hospital systems declined to purchase a medical device due to the cybersecurity concern. So I do think there are some market forces there.

But I also think there is a regulatory role. If we just left it to market forces, the other 54% wouldn’t care. And so I think 46% is a great statistic that encourages the change. And if the major manufacturers of medical devices are taking actions, then that’s doing great wonders for the resilience of our healthcare system. 

But we still have a ways to go, especially in light of the fact that 22% of healthcare organizations experience cyber attacks on medical devices, also from our cybersecurity index. The need is high to address cybersecurity. I think if we leave it to market forces alone, we won’t get there. You know, we’ll be 54% short. One good thing that is happening from the EU Cyber Resilience Act is global manufacturers of medical devices are building in security protections into their device and are being held accountable if there is in fact a vulnerability that they did not address.

[Joe Saunders] (15:21)

And those global manufacturers who are working feverishly now to catch up to those regulations and make sure they’re on point are doing that for all their devices, not just the ones they ship in the EU.

[Greg Garcia] (15:31)

Yeah.

[Paul Ducklin] (15:31)

Joe, it’s interesting that 54-46, they’re pretty much half and half, which kind of suggests that there is an equal role for, as we like to say on the podcast, the stick and the carrot. Market forces are really helping. Hospitals are saying, you know what, if you’re not up to scratch, we won’t actually buy your product, we’ll prefer your competitor. And then we have things like the liability regulations, notably in the EU Cyber Resilience Act, that say if you don’t do the right thing, then you can’t sweep it under the carpet. There will be some liability so think about it well in advance.

[Joe Saunders] (16:11)

Then across the product manufacturers, there’s kind of five criteria for when cybersecurity controls get adopted. The first one is industry requirements. The second one is corporate governance. The third one is if there’s advanced persistent threat that is providing some form of existential threat or real risk to their devices themselves, a hacker group targeting those devices. They have to react to that. The fourth one is customer requests. So that’s fourth on the list, is what drives security adoption. It’s after industry requirements, internal governance, and APTs. Fourth on the list is customer requests. And then fifth is differentiation. So that shows the mindset in which a manufacturer who’s making these products goes through in considering what are my priorities from a cybersecurity perspective.

[Greg Garcia] (16:59)

The customer request issue is an interesting one because you could say that there’s a large number of health systems that would not request cybersecurity in medical devices if it costs more. The cost needs to be built in as well, which is why in the cyber working group, one of the values of what we provide is that we serve as the forum for those customers and providers to come to the table together. 

One of our flagship products, is called the Medical Device Joint Security Plan, first published in 2019 and again in 2023 as an update. Major hospital systems sitting down with major medical device manufacturers and considering how do you design and build and test cybersecurity into medical devices from the ground up as a product lifecycle enterprise? 

When I came into this in 2017, I saw a lot of circular finger-pointing where the hospitals would say, quit selling us junk to the medical device manufacturers and the medical device manufacturers say, we are building the security that you demand from us and that is required of us from FDA. And there’s a lot of other parts to this that we don’t have control over. But by the way, hospital fix your crappy architecture. Stop using password as your default password. It just went around and around. And so we bring them together and say, okay, let’s do some myth busting here.

And let’s learn from each other’s business models. Why do hospitals have the problem they have? Why do medical device manufacturers have the problem that they have? And it’s not as simple as the other side thinks.

[Paul Ducklin] (18:38)

Greg, can I just ask at this point a question about something that is effectively the elephant in the room, if you like, in healthcare perhaps, that we’ve already touched upon, and something that can actually cause massive healthcare disruption, and that is the terrible problem of ransomware, something like a hospital, is in the least position to deal with an outage, and therefore gets targeted by cyber criminals who, for all we can see, are in it for the money, whether they’re in it for their own aggrandizement or whether they’re in it for money for a regime that is otherwise sanctioned. So where do you think we’re going with ransomware in the healthcare industry? You already mentioned that case of Change Health. They got ransomware, and that had a knock-on effect to pharmacies, to hospitals, to GP clinics, to patients, to everybody.

Where next with ransomware?

[Greg Garcia] (19:38)

It remains the gift that keeps on giving for the hackers, particularly for healthcare. Yes. Do you want to continue to serve your patients? Okay, then it’s only going to cost you a million and a half dollars. You don’t want to pay the million and a half dollars. Well, then you’ve made the decision that your hospital is possibly going to go out of business and patients will be harmed. Take your choice. So as long as that calculus remains, it is a business model that works for the criminal groups. They even have call centers, you don’t know how to use Bitcoin. Well, we have assistance over here standing by ready to help you deposit your Bitcoin.

[Paul Ducklin] (20:15)

And they even come up with special names for their work. yeah.

[Greg Garcia] (20:19)

Absolutely, special names for their groups.

[Paul Ducklin] (20:21)

Post-paid penetration testers as though their work is entirely legitimate.

[Greg Garcia] (20:28)

That’s particularly for hospitals, for any enterprise, many cyber attacks, most cyber attacks are successful, not because they’re doing sophisticated medical device hacking. Medical devices are really not that targeted. Usually, a ransomware attack is successful because of social engineering. I get an email, it looks legitimate. The boss has told me to open up this attachment. Here’s your performance appraisal.

And that’s not my performance appraisal. It’s loaded with malware and that is the access point. Training and practicing and training again and exercising, building muscle memory against these at the user level might be the most effective defense. And then I think another common attack is your supply chain. Supply chain meaning, you get a software update where the software provider had been hacked.

That software update, infected software update, is going out to your 10,000 customers. One mouse click, you’ve just infected 10,000 organizations.

[Paul Ducklin] (21:31)

Given that many hospitals and clinics really struggle for budget and nevertheless they need to have high uptime, they’re kind of fighting this battle between operational continuity and being at the cutting edge in terms of software and hardware and user training. How do you reconcile those problems? And you may consider it a terrible risk to try and change too much at the same time in case the safety and the patient care aspects fall apart anyway.

[Greg Garcia] (22:06)

Yeah, that’s an existential issue. You may have heard of this artificial intelligence agent called Mythos, which is made by Anthropic.

[Paul Ducklin] (22:17)

Yes, every third news story has that word in it because it’s great for clickbait even if you aren’t interested in AI.

[Greg Garcia] (22:26)

And it is scary for not just the small hospitals, but for the maybe even more so for the larger ones. In very simple terms, Mythos can find vulnerabilities in software that no software engineers have. And out of that vulnerability discovery comes the need for patches. Now, imagine if you’re the CISO for mid-sized or small hospital in rural Ohio, you are getting bombarded with patches. You better install them.

And often with a patch, means at some point you’re going to have to reboot your equipment. That medical device is attached to a human being. How do you deal with that? On the one hand, it’s great because they’re finding vulnerabilities. On the other hand, it’s resulting in a flood of patch requirements. Eventually, those vulnerabilities are going to get out into the wild, and they may be exploited before I have a chance to patch that phone.

[Joe Saunders] (23:22)

I think we’ve actually reached a point of no return on that. We cannot keep up with patches in a manual fashion, patch by patch at AI speed. And if AI is identifying vulnerabilities and writing exploits faster than we can patch, we have to rethink the process. And it comes back to the software development process. It comes back to what you put into it. And quite frankly, we need a silver bullet here that eliminates entire classes of vulnerabilities, as opposed to the cat and mouse game trying to keep up with AI, which humans will lose.

[Greg Garcia] (23:56)

Maybe that silver bullet is AI. I mean, AI, software developer, right? So then it becomes machine versus machine. AI versus AI is what we’re going to be facing.

[Joe Saunders] (24:06)

At RunSafe, we have a different opinion. We take off entire classes of vulnerabilities from cyberattacks, even if a patch is not available. And that’s a deterministic thing that can pass those safety measures across these industries, including the safety measures in medical arena. I do think AI is helpful, but it’s almost like a digital cold war at that point. And no one will ever keep up and will always be one step behind the latest release of the AI engine. And so I think we have to rethink the model altogether.

And that’s in part why RunSafe exists. We think these medical devices should run safe regardless of whether a patch is available or not.

[Paul Ducklin] (24:42)

Whether it’s AI versus AI or human versus AI or whatever combination, if you’re continually having to deal with threats by making changes to your network and to your devices all the time, if we get to the point that even things like drug infusion pumps are getting patched seven times a day like your favourite web app, then we’re running a great risk that no matter how good those patches are, we’re going to affect that operational continuity and we’re going to start having great security but maybe poorer safety. That’s right. Just patching faster is not good enough on its own.

[Joe Saunders] (25:23)

In part because you have to test every patch still. Yes. And you have to deploy it, like you say. So can the hospital systems afford the downtime to apply all these patches? No. And with an exponential increase in vulnerabilities, it’s an impossible task and it puts the sector at risk.

[Greg Garcia] (25:40)

We have a five-year cybersecurity strategic plan. The strategic plan boils down to 12 implementing objectives. I believe it’s objective number 12 that calls for an environment, a culture of mutual aid, mutual assistance. You have healthcare systems in a region, in a state, large and small. Is there a way that they can better pool resources? And where does the government play in this for those small rural hospitals? What kind of grant money can they apply? And to have it as a culture that it’s not siloed and we’re in this alone. None of us is as smart or effective individually as all of us are collectively.

[Paul Ducklin] (26:29)

Greg, I’m conscious of time and I think you’ve brought us to a great point by talking about culture, by talking about working together. Once again, this just reinforces that idea that cybersecurity really is a team sport, it’s not an individual game. And so it’s almost a sense of ask not what healthcare can do for you, but what you can do for healthcare. 

[Greg Garcia] (26:57)

That is really the motivating factor behind the cybersecurity working group. We have today 10 task groups bringing together the experts and their senior management to consider some of these problems. They know that if they can do anything to reduce risk in the broader ecosystem, because we’re so interconnected, they are reducing risk to themselves. The former NSA director, Chris Inglis, said it best when he spoke to us about this mutual aid. He said, in order to beat one of us, you have to beat all of us.

[Paul Ducklin] (27:34)

So Greg, before we finish, just give us the URL that people can visit, for example, if they want to learn more about smart.

[Greg Garcia] (27:41)

Go to healthsectorcouncil.org. Go through the publications tab and all of our publications are there. They are free to use. If you’re interested in joining the Sector Coordinating Council, it does not cost anything. The cost is sweat equity.

[Paul Ducklin] (27:58)

Excellent. Greg, Joe, thank you so much for your time and your passion and your thoughtfulness and that idea that this is a question of all for one and one for all. That is a wrap for this episode of Exploited: The Cyber Truth. If you enjoy this podcast and find it useful, please subscribe so you know when each new episode drops. Please like and share us on social media, and if you listen via a podcast feed. 

Please write us a nice review. That really helps us get the message out to everybody. As you’ve heard, this is not a sales spiel podcast, it is a community engagement podcast. So thanks to everybody who tuned in and listened. And remember, stay ahead of the threat. See you next time.