Webcast Transcript: Keeping Healthcare Secure During a Global Crisis
Special Guest Melina Scotto, GDIT’s Federal Health Chief Information Security Officer
Nov 5 2020 | 30 mins
Description: Cyber criminals have responded to the COVID-19 pandemic with a wave of attacks against the healthcare sector. Their goal is to steal private data, shut down systems with ransomware and exploit the crisis for financial gain. Even before the pandemic, many healthcare organizations struggled to maintain adequate cybersecurity. Recent research reveals that 83% of healthcare providers are running outdated software. More than 56% of medical devices are still running Windows 7, which Microsoft stopped supporting in January 2020, and the FBI recently warned that "continuing to use Windows 7 within an enterprise may provide cybercriminals access into computer systems."
Melina Scotto, GDIT’s Federal Health Chief Information Security Officer, joins Virsec to outline best practices for maintaining security in today’s extraordinary times. She will detail how healthcare organizations can deploy cybersecurity solutions that automate protection and make critical applications and devices self-defending, without requiring painful software and platform upgrades. She will also discuss how to overcome the challenge of enabling remote patient and provider access without compromising security.
Melina Scotto, GDIT’s Federal Health Chief Information Security Officer
Willy Leichter, Vice President of Marketing
Willy: Hello, everyone, and thanks for joining us again today. This is part of our ongoing series of webinars on security from the inside. We're very honored today to have a special guest joining us to share her expertise. Melina Scotto is joining us. She is a true industry expert in both the government and healthcare fields of cyber security. She has been a DC IT veteran for over 20 years in cybersecurity operations. She has CISSP, CCSP for cloud security, CISA and CEH certifications. She has a background in transportation IT and has worked in global health for the last decade and more. She is an expert on implementing HIPAA and HITECH security rules. She has worked for the National Institutes of Health, the Center for Information Technology and Access Control, and now she is currently CISO for GDIT's federal healthcare practice. Welcome, Melina. Thanks for joining us. Did I get all that right?
Melina: That was perfect, such a great intro to kind of the areas of my concentration. Our team at GDIT spans over 150 contracts, and a $2 billion health data portfolio, if you count in all of the CMS state and locals. My concentration is in federal, international, domestic health, protecting data and privacy, as well as just general FISMA requirements. I say that not so much from the audit side of the house; I come from network engineering, so I'm a big advocate of building cybersecurity layers into the traditional silos of engineering, operations, app dev, so that's me. Thank you so much for having me.
Willy: Thank you, Melina. You're more than welcome, and your combination of expertise in both healthcare and cybersecurity I think is really interesting. I like to say that we're in a perfect storm now. If you think about the global, unprecedented healthcare crisis, along with this ongoing global cybersecurity crisis, I think it's really a challenging time. Why don't we jump into this and maybe you can talk about the cyber side first. What are the top cyber challenges that your customers are facing?
Melina: Absolutely. I heard recently that cybersecurity challenges are just business challenges. I think that there was a time where we kind of considered them separate, but I don't think you can seriously talk about business risk without talking about cyber risk these days. What we see in our division is certainly an increase in threat activity. Manual processes, incident investigations haven't really been sustainable given the number of attacks.
Because we are federal health, there are a lot of medical devices and Internet of things type devices that are on our networks. That's certainly a challenge, and that's everything from maybe a refrigerator that's holding samples in a lab, to radiology equipment, which can often have a database built into it, to some very sophisticated ophthalmology equipment, everything now has an IP address, sits on our network, and can be both an area where data can leak and an area where a malicious actor could target, successfully infiltrate, and pivot to other things. That's certainly something that we look at.
Then, misunderstandings and intricacies around cloud security, cloud environments, hybrid clouds. That's a topic that we've been speaking on quite a bit lately. The toolsets change when you're in the cloud. The requirements don't change, so you still need a SIEM, you still need vulnerability scanning, all of those great things. You have the added responsibility of securing your hypervisor because the platform itself can be a target for a malicious actor that would want to spin off their own servers and so forth for their own Bitcoin miner or whatever it is that they're doing out there in the Netherlands. It's been a real challenging year, year and a half, and I would say that COVID didn't help things.
Willy: That's a good segue. Let's look at another slide here. I know certainly COVID hasn't helped things, and I think it's probably raised a whole new layer of cybersecurity challenges. Can you give us a little bit of view of what some of those challenges are?
Melina: Sure. We in federal health have seen an increase of attack vectors based on VPN, based on applications, as organizations use VPN more for telework. The numbers that we're seeing, because we're a very in-person kind of agency with HHS and so forth: you went from maybe a 15 percent telework community to maybe a 90 percent telework community, and so more vulnerabilities are being found and targeted by malicious actors using VPN and applications. There are also kind of some other nuances there. If VPNs are going 24/7, your network teams or security teams, or whoever is shoring this up for you, may be less likely to keep them updated with the most recent security patches, because you went from not being 24/7 to being 24/7. Then ‒
Willy: It seems like a remarkable series of events we've been through. You mentioned that remote access went from 30 percent to over 90 percent in just a couple of weeks, and access 24/7. This must have introduced a whole new range of challenges and security concerns. Can you talk to those?
Melina: It absolutely has, and we add to that that we had to shoot more resources into that available zone because, obviously, folks were pretty used to logging in and getting their e-mail and so forth, and running applications like Zoom and BrightTALK and things like that. They weren't used to doing it on such a massive basis, and you often found that your intranet offerings weren't accessible in that zone. We've had to caution many of our federal customers not to start just opening up any zone that a VPN user might need for mission critical activities without multifactor authentication, because it's just too easy to drop a keylogger in a laptop, or pivot from a local, maybe successful phishing attack to a VPN if you're only looking at passwords to protect you. You've got to have that multifactor authentication.
Willy: Also, I would imagine with all this increased remote access, there is increased exposure to legacy apps. We all know there are many legacy apps that have been used for years and still will continue to be, but has this changed? Has this raised security concerns now that these apps that used to be considered isolated out of necessity we're having to access them remotely?
Melina: Absolutely. It's so hard. Many of the legacy bits that we see at HHS, NIH, FDA, CDC were built 20 years ago. Because it was a highly-waivered environment, whether it was technically secure or not was not as important to the organization as what it did for the mission. Just as recently as this week, we observed a new business application incident at the VA, where over 45,000 PII records were compromised from an old kind of business application. You can see it in the news, you can kind of theorize about how those things happen, particularly across applications that were never really intended, perhaps, to be on the wire 20 years or more. So, we're really looking for solutions that will help those applications in the new environment rather than going back and spending all of the money to re-engineer them.
Willy: Melina, you also mentioned medical devices. I imagine that's a whole other layer of concern. Certainly, most people would not be able to, or allowed to, say, update the Windows server running an MRI machine because of the certification and other requirements. Can you talk about that as a concern?
Melina: Definitely. Medical devices are often built on these kind of squishy Linux or Debian operating systems. They weren't using CIS benchmarks, for instance, when they were rolled out. Oftentimes, again, they're in this kind of segmented area, so instead of actually securing them, we just kind of pushed them off into this VLAN, you know, only assumed dirty devices would sit in. That's not really security, right? I mean, you're not encrypting it, you're not reducing the risk on it, you're not performing any regular vulnerability management on it, so it's just a real dicey place to keep data. Medical devices historically have been a challenge, and NIST is getting really much better at documenting those types of things. There was a draft that came out, an SP 800 series, just in June-ish. Don't quote me on that.
Sometime over the summer, where they're really going to vendors and saying, "This is what you need to do to make sure that your devices will stand up to the current audits." Current audits for OIG and HHS, and I think across every agency is just getting more detailed. GAO in particular is really showing the light for HHS devices. We've got to really consider their impact on the whole organization, not just that little VLAN that they might have been kind of riding dirty in, and how can that pivot back to the rest of your network and really cause some issues for people.
Willy: I can imagine, and I'm going to share one more slide here that I think is very topical, just in the news, recent US-CERT advisories, and these are probably piling on with the VPN concerns with Iranian hackers.
Melina: Iranian-based threats were yesterday, and then the day before was the Chinese malicious cyber attacks. We've had confirmed exploits from Russia, of course for the election, as well as medical issues. Particularly right now, HHS has had the worst. This was in the news back in March, but a direct attack on our ability to respond quickly to COVID. They attacked the HHS. These US-CERT advisories, those of us who have been watching them for years and years, have really had to jump up our visibility. Very much like the news cycle, the US-CERT cycle has just gotten faster and faster and faster. You might have had one alert a week or one advisory a week, and now you're getting multiples every week, so certainly the attack vectors are plentiful, and the actors are plentiful. The nation states have been proven over and over, so it's just a fascinating time to be in cybersecurity right now. I mean, it's so fun right now to be in this and to really be helping our customers with solutions that will be meaningful for them and keep them out of the front pages.
Willy: Right. Now, Melina, you're an expert and you can probably get your head around these daily certs, but what do you advise your customers? Should they be looking at these every day? How do you keep up with these?
Melina: I try to put it, even for our own team, there are over 120 cybersecurity professionals in our federal health programs, so we do a weekly cyber sync to kind of give a roundup, "Things you need to know this week. Things your customers might shoot your way. Things that are in the news." Certainly anything that is a "Zero day, you better patch this now," kind of event, and then we review things like the new NIST language or new US-CERT advisories, we'll do a deep dive into that. What we really try to do is pare down what the advisory is saying, because that can be so dry, and it can get scary, and then you kind of do have a tendency not to pay attention to it anymore. I focus on, "How can I turn that into a toolset solution?" For instance, in that advisory, when you click down a few levels, they have indicators of compromise, "What are the indicators of compromise that tell you that this has happened to your system?"
We would break that up into what the host would be doing, what you would see, and then what your network would be doing. I tend to focus on the network side because that's just my area, and we have a lot of that work. But, for the hosting side, as well, "What are those indicators of compromise? How can I pull that into a Splunk, for instance, report so that I know whether I have it, or my customer knows whether I have these things or not?" Even better, if I have some automated way to fix it, they show you a few CVEs in there, so this would be running some sort of vulnerability scanner that aligns with some vulnerability that you may have in your environment. "How can we get that patched really quickly? Can I just make a little fix, for this instance?" They fix and then shoot that over, so in an automated way, after I test of course and do a few use cases. I don't want to break anything.
But, if we want to get kind of like a high-yield, low-risk way to automate some of these remediations and keep us kind of protected, that's what I try to do. US-CERT advisories, they can come at you pretty fast. I look at it daily and I give folks kind of a daily digest on what's going on, and particularly watch what's going on in terms of, "Do our systems have that?" You know, the bigs, right? Our systems have a ton of Cisco in them, a ton of Palo Alto in them, a lot of JIRA in some cases, certainly a lot of Oracle, so anything showing up as a vulnerability that's under active attack, you want to bring those to the surface right away.
Willy: Melina, here is one of your slides, a diagram of really a framework for thinking about defense from GDIT. Virsec is partnering with GDIT, and we'll talk about how we fit into this, as well. But maybe, Melina, you can give us a little bit of the lay of land, or lay of the cloud, I guess, in this case. How should we use this framework?
Melina: Right. I like to focus on cloud because so often I hear this misunderstanding that security in the cloud is the same as security in traditional data centers, that 800-53 is the 800-53 wherever you are, and that's not wholly true. You've got to secure your hypervisors. You have a different set of threats that are happening in your cloud environment, and for a different set of goals. Individual actors, of course you wouldn't have any inside actors here, per se, in the cloud but you certainly would in your internal data center. You've got terrorist organizations, nation states, the state-sponsored ones, opportunistic groups. We used to get that at NIH all the time, you know, good folks, who you know, the animal rights activists, and things like this, so that's understandable. But, these things happen, and you can just kind of plug in for whatever your organization is doing.
There is always going to be some sort of activist that's in there, so that's kind of the outer realm of this picture. Then, you kind of get into some of the ways that they attack in that kind of darker gray circle, right? You're going to have social engineering, you're going to have tech changes, you're going to have a dynamic attack surface, and so forth. Malware, that is the number one thing that people I think have trouble wrapping around. "How do I know it's malware? What is my indicator of compromise? How can I quickly remove the noise from these reports?" Then, we have kind of in the green all the good stuff that we're doing at GDIT and elsewhere. We've got DevSecOps, we've got continuous monitoring, we've got patching. It all starts with governance, of course, "What are our policies?" and so forth, "How can we automate cyber? What is an ISAC?" for instance. "How are we using intelligence to drive security operations?"
It's just, again, wonderful stuff right now. Then, the very inside, all those things that we are trying to protect ‒ the integrity, availability, and confidentiality. In my world, it's all about integrity. I mean, that's really how I get my researchers to understand what we're doing. I don't want to make life difficult for you, and I don't think that innovation needs to be at odds with cybersecurity. It's all about the integrity. This is your life's work. Why wouldn't we want to ensure that all of the data is valid, that it hasn't been obfuscated in any way, that certainly it hasn't been augmented in any way, or had any other hands touch it other than the folks who are working in that particular study, and so forth. So, integrity is the name of the game for federal health. If I were NSA or if I were DOD, I'm sure confidentiality is, but even for our commercial friends, availability is a big thing. Whatever it is, you want to keep your data clean and available for all of your customers, and that's in a kind of circle. I guess that's what I like about Virsec so much. You keep the security very close together.
Willy: Sure, and I'll talk just briefly here about how Virsec fits in, and why we're partnering with GDIT.
All of the external layers you talked about are certainly important and need to be maintained, but I think we can all assume that things will get through. There may be medical devices we talked about that can't be patched, or other critical systems, so it's also important to look at them from the inside. Virsec's technology, at the heart, is about mapping what an application is allowed to do and making sure it only does that. It's essentially a positive security model, which complements all of the external rings and all of the other layers of defense that GDIT and others provide.
All right, let me ask one other question. We've heard from a lot of security professionals during this crisis, which now has been going on for six months and it still feels like it's new, that in some cases there was so much urgency around allowing remote access and keeping businesses running that security projects were sometimes put on hold or paused. That's obviously an area of concern given that the attackers don't appear to be pausing. What are your thoughts on that, Melina?
Melina: There have been a few phases that I've seen in federal health, so I can certainly speak to that. In the beginning, March and the beginning part of April, it was all about, "Let's uptick our VPN, and let's ensure that there is MFA in our VPN, even for partners or ancillary staff." So that was kind of the first wave. In a sense, those are cybersecurity deliverables, but perhaps not the ones that they started off the year looking at. When I work with our growth team and so forth, many of the contracts that they expected to come out for cybersecurity have been pushed to the right a little bit. As a contracting company that can both work to your benefit and not, for a re-compete, it might mean that you get an extension, and so that really can be a nice thing, particularly if it's in jeopardy.
For the new work, it's actually positive. It gives you more time to really solidify your blue teams, your cybersecurity solutions, and things like this, and get more thinkers in the room, and certainly add COVID-19 to your solution, what it's going to mean for now and in the future. So I've seen it go both ways. Now I think we're leveling out, and we're starting to see a breakthrough in that jam. And many more of those cyber opportunities are coming down the pike.
Willy: That's reassuring to hear. I certainly don't envy IT professionals on the front lines these days. I think when COVID hit, probably a couple years' worth of digital transformation happened within maybe a few days, so it's probably remarkable what we've accomplished. Are there some particular use cases, Melina, that you can talk to that might be of interest here?
Melina: I think I can. What we saw ‒ well, we like to talk about people and process and technology. What we saw was a real uptick in technology early on, both from the Department of Education and NIH. They had so many people to get onto this 24/7 ability to work from home. Each of them used different toolsets to amp up their VPN, but they were able to do it. In the case of the National Institutes of Health, over a week period. In the case of the Department of Education, in a weekend, which was just crazy. But, they had a little bit different architecture in place and were able to do that, so I would say we partnered really closely with the vendors in order to ramp up what we were doing in VPN.
We also did a lot of kind of penetration testing for both customers to ensure that this would all work in a safe way, and didn't increase cyber risks across their organization, because that's the last thing you want to do. I mean, of course you want to get people working, but you don't want to do it at the cost of your cyber scorecard or your cybersecurity posture, because that's not going to help. There was a real sense in the beginning, "We don't know how long this is going to go on," kind of thing. But now I think they've pretty much baked it in, certainly those two customers, into what they're doing every day. There were also a bunch of kind of Splunk innovations that went along with that so that we could directly program stats into our VPN. All of our customers have some sort of monthly or quarterly reporting on VPN, but it went to daily for NIH.
They really wanted to make sure that none of the research would suffer, particularly at NIAID, Dr. Fauci's group, to make sure that every single researcher who would be working on studying the virus and coming up with information for a potential vaccine, had the access that they needed to get everything done. So, we went to daily reporting on the VPN, and that was through some API work that we did with Splunk, so it was just great. Everybody came together, and it was a real testament to what you can do when you weave some of the strengths of multiple toolsets together.
Willy: Thanks for sharing those, Melina. Really interesting stuff. We could talk a lot more but, before we run out of time, maybe we can wrap it up a little bit and if you could talk a little bit about some of the best practices. I know you're dealing with massive organizations that have shown remarkable agility and nimbleness in the face of this crisis, but what recommendations do you make for organizations that are still in the middle of trying to grapple with this new reality?
Melina: Well, I was recently at Billington, which is the cybersecurity conference for federal needs, and Maria Roat, who is just amazing, over at the Office of Management and Budget, said something that really resonated with me. That the days of hard shell and mushy internal controls are gone. You've got to look at those internal controls. Five years ago, we used to say, "Oh, that's not public-facing. We don't have to worry about that application that's doing whatever it's doing." But, we've got to build cybersecurity into everything we're doing. The government is moving toward a DevSecOps model, in some places quicker than others. But the budget has to be there, from her perspective, to support building cyber into everything, including zero trust, cloud capabilities, application security.
That's where our federal government is going. I would say internal controls are everything, multifactor authentication and encryption, those things that we put off that we have waivered. In my little part of the world, we can no longer afford to waiver them anymore. We have got to, unfortunately, put our money on the barrel and really make sure that we have those basic tenets of cyber risk shut down.
Willy: Thank you, Melina, for sharing all of that. Really fascinating stuff. Also, thank you for the important work you're doing, really, on the front line here of trying to really solve important issues for our society and keep things functioning as always.
Melina: It's a pleasure. Bring me your daughters. We need many more young women in cybersecurity.
Willy: Yes, I agree with that. Having a daughter of my own, I certainly encourage daughters and all kids in the sciences. And thank you to the audience for joining us. As you know, this is a series of webinars that we put on almost weekly. There is a lot more information on our site about Virsec's solutions. And continue to watch our BrightTALK channel for upcoming events on a range of topics, demos, technical discussions, and other panel discussions. Thank you all, and thanks again, Melina, for joining us.
Melina: Thank you, Virsec. I appreciate it.