44. Jared Vinson: "It started with a phishing attack, but It ended with a whole mess of other things."

Episode 44 of the HIPAA Critical podcast includes an interview with Jared Vinson, director of cyber security at Hill Country Tech Guys.

Rather read?

Sierra Langston: Can you please provide some background on the Hill Country Tech Guys? Who you guys are, who you serve, would be great. 

Jared Vision: Hill Country Tech Guys was founded as medical computing solutions in 2006. Whit Erich is our current CEO. We are a managed service provider and managed security provider, providing IT and cybersecurity services for organizations throughout Texas. Our primary verticals are healthcare and finance. 

Sierra: Can you provide some additional background on yourself and your focus specifically?

Jared: I'm the director of cybersecurity. I've been with Hill Country for about seven years or so. I'm part of our leadership team, my background is in IT and IT security, three college degrees, my MBA is a cybersecurity focus as well.

A little bit about what I do on a day-to-day basis; I've helped build and develop our cybersecurity program offering and I also walk side by side with our clients and their security journeys, compliance, implementing policies, procedures, you name it, that is a lot of what I do on a day to day basis.

Sierra: Can you give us some examples of phishing scams that you've been seeing and any advice on how to avoid being a victim to these scams?

Jared: Now, that's a big question. So phishing attacks, they've been around for a long time. We have seen an uptick, I wouldn't even say in the last few years, but specifically over the last year. I'm seeing these attacks, and ideally, they're not successful, but some of them are almost on a daily basis. And they're getting more and more sophisticated. 

They're doing the reconnaissance, they're doing their due diligence. You could say [they are getting] research from their targets. Some attacks I've seen lately, we had an organization reach out to us trying to figure out where they had an incident and trying to figure out where it started from. Typically, what we'll do is we'll go in and do forensic analysis and check things out. But this organization had, at some point in 2020, received a phishing email. 

So a phishing email came through to a high-level individual to change their office 365 password or something like that. So they were in a hurry, it was like a payroll day or something like that, which is pretty common, when people click on things they are typically in a hurry and just need to slow down a little bit. But they entered their credentials. At that point, it took them to a broken link. In their mind, they just thought, okay, the website's down, let me get back to what I've got to do. I've got a deadline. 

But really, what was happening on the back end of that is, those credentials were sent to wherever in the world, wherever the attack originated from, or whatnot. At that point, the attacker went to this specific organization that had Office 365 with webmail, which is very common for most organizations. The attackers were able to log in and essentially start doing some reconnaissance in this person's email. They're looking at communication going back and forth. They were looking at vendors that the organization worked with, and, and at some point, they pick their attack at that point. 

So they found a vendor specifically that this organization did a lot of business with and they found an invoice. They downloaded that invoice, altered the payment information on the invoice of where the money would be sent to. Then they went out at that point and registered a domain that was very similar to this vendor. It was just a little bit off, and they created an email address. 

Then the attacker started sending invoices to the organization, to the finance person, which they received a lot of invoices. Again, this isn’t a client of ours, but an organization that reached out to us. 

So at that point, they started paying, and they didn't stop for about five months. About a quarter-million dollars later, somehow they piece it together that the two connected, right. And they saw what was happening. 

That’s a high-level example of a very expensive example of some of the types of attacks we're seeing.

Sierra: No, that's extremely complicated. It’s something that I personally would never think would have happened. I'm so glad you brought up that specific case study. 

I'm going to, for sure, let our finance person know, as I'm sure some of our listeners will, about some of these scams. Finance is a huge target. Our finance director has been targeted on the same day that I was targeted and impersonating our CEO asking for items. 

Can you tell our listeners how, when, and why you were brought in after a HIPAA breach to help your clients?

Jared: Yes. There are different scenarios. Even if you take HIPAA out of it, just think of an incident or a breach, or something. In my other example, it started with a phishing attack, but it ended with a whole mess of other things. 

But we've, we've been brought in before and asked to give advice and guidance on a variety of situations. Something recently involving ransomware, where a large organization was targeted. It also started through a phishing email, very similar to how it works. At this point, they were able to successfully exploit a user workstation. They moved across the network laterally to be able to eventually install ransomware; which ransomware encrypts everything. And basically, they ransom your data. 

So this was a big, big one. What happened in this case, is they not only encrypted everything but the backups were misconfigured. Backups are huge. Backups are King. Well, the backups were misconfigured. The organization was able to get in the backups and destroy the [misconfigured] backups. At that point, they're down for days, weeks. There's not a lot they can do, at the end of the day, with that type of scenario. 

Sierra: What cost is associated with some of these breaches in the one that you've talked about, specifically?

Jared: I can't tie numbers directly to that. But you'd be surprised. 

Depending on the size of the breach, the amount of data, and the data records that are exposed, hundreds, thousands, millions. It's really crazy. Then, depending on the type of the industry, like with healthcare, you're looking at patient records and information being exposed. Costs can go from thousands to millions.

Sierra: How do email encryption and email encryption for your clients factor into your overall approach to HIPAA compliance and IT security?

Jared: One thing that we've done at Hill Country is within our security department and team, we approach security as a layered approach. If you think of a pyramid and the different layers that go into security, you have your basics. Your foundation, which I would consider your backups, your firewall, your email encryption, your antivirus, the list goes on. 

But that is all really your foundation because, at the end of the day, when you're sending encrypted email, it's going to prevent things like what they call a “man in the middle attack.” Think of it as I'm sending you a message and in the middle, there's someone that intercepts that message, reads it, and then changes information and be in that middle point and go back and forth. So when you're encrypting things that's a big one. 

Sierra: All right, great. What information technology and cybersecurity infrastructure best practices or advice do you have for our healthcare listeners?

Jared: What I always say when I go into organizations is, let's go back to the basics. Let's pull out your policies. Let's pull out your procedures. Let's start there. 

Then let's also evaluate your infrastructure and see how much of it maps back, how much of its accurate, how much has it been reviewed in the last five years. Ideally, you're reviewing that stuff annually and making sure everything maps out. Security assessments, vulnerability management, I could go on and on, talking about the different things from a recommendation standpoint. But really, the biggest is to go back to your foundation. 

Are your basics covered? Conduct a risk assessment. That's huge as required by HIPAA. It's a no-brainer. And then what are you doing with that risk assessment? Are you conducting it because it's a compliance requirement? And then it goes in the closet? Or do you have a plan to mitigate the risk and then move on from there?

Sierra: How do you keep up with the industry trends and best practices? Are there any podcasts you listen to? Any books you've been reading? 

Jared: The security field changes pretty rapidly. Technology does in general. Being in security and cybersecurity, it changes at an even faster pace. Being able to keep up with that sometimes can present a challenge. But being members of organizations helps. There's a number of different ones like AI, or SSA. Those are all information security organizations. Keeping in touch with those. They have membership meetings; before COVID they used to be in person and whatnot. 

Of course, continuing education is key, getting certification, CISSP. I've done a variety of that, as well as continuing my education by going back to school and getting several degrees. That’s one thing that I enjoy.

Keeping up with IT, following podcasts, following various security sites, being on an email list that you receive when a vulnerability comes out. 

In early March, there's this huge Microsoft email vulnerability that comes out. That was a zero-day vulnerability. That affected all Exchange servers. There are thousands of cases where that [vulnerability] had already been attacked. Without going too much into that, you get notified from being members of intelligence feeds and stuff like that. You're getting those types of notifications.

Sierra: That concludes the questions for the podcast. I really appreciate you being on today. 

Jared: Thank you for having me.