Episode 51 of HIPAA Critical includes an interview with Dr. Eric Cole, a former CIA hacker and founder of Secure Anchor.
Hannah Trum: I'm Hannah Trum and this is HIPAA Critical, a podcast where we discuss security, technology, and compliance news with healthcare industry leaders. In today’s world, you don’t have to look very far to see why cybersecurity is a hot topic and a hot industry. In fact, the global cybersecurity market size was valued at over 167 billion USD in 2020. So if the threat of bad actors isn’t going away, why are so many organizations slow to update their security practices? How do we force an industry, but especially healthcare, to quote get with the times in the digital world? That’s exactly what today’s guest and I discuss. Dr. Eric Cole has over 30 years of experience in the world of cybersecurity. As a former hacker for the CIA, Cole understands the need for robust cybersecurity efforts at an organizational and individual level. Hi, Dr. Cole, thank you so much for joining the HIPAA Critical podcast today. I'm really excited to pick your brain about cybersecurity.
Dr. Eric Cole: Oh, it's my pleasure. Thank you for having me.
Hannah: Of course. Okay, so my first question is kind of an interesting one. What is the biggest lie that we're told about cybersecurity?
Dr. Cole: To me, probably the biggest lie is that these adversaries are unstoppable. What we're hearing a lot now is that when you hear the ransomware or the Colonial [Pipeline] or all these different breaches out there, that is this big, bad adversary, and they're super sophisticated, super-advanced, Mission Impossible-style attack vectors that you can't protect against.
And to me, at least what we're seeing is that is the biggest lie.
Because right now, if organizations follow two simple rules, any systems accessible from the internet are fully patched and do not contain critical data. I studied this. Of all of the major attacks over the last three years, 93% of them would not have happened.
So to me, yes, the adversary could do advanced capabilities. But right now we're leaving the front door unlocked, and they're just walking right in. And we're blaming them.
Hannah: Definitely. We say that human error is at the forefront of every single problem that there is in cybersecurity because people don't know what they don't know. And they think just like you said, it's super easy, but then you get an email, you click on a wrong link, and all of your information is compromised. Do you think that individuals and businesses should approach their cybersecurity efforts the same way?
Dr. Cole: Yes and no. So at a high level, in terms of understanding that it doesn't matter who you are, or what you do, that you are a target and that cybersecurity is your responsibility. I believe that those are the same.
Now when it comes to individuals, to me, the big thing is, a lot of the applications and components we’re using, from online banking, e-commerce to others, there's a lot of security built-in that we're just not turning on.
For individuals, if you go into your banking application, turn on two-factor authentication, turn on account notification. So, whenever somebody is logging in or trying to access your account, you get notified. You can take action that's going to go a long way to protect you.
The problem with most personal individual attacks is they just don't have the visibility. They just don't know what's happening until it's too late.
When we look at corporations, what a lot of it comes down to is making sure you're putting the critical things at 100%. What we were talking about earlier, I call it the law of 90%.
If we look at any of these organizations that got breached, we can honestly believe that they have no patching policy, believe they have no data protection, they have no asset inventory, that that would be silly.
However, what I realized is when you look at these big companies, 90% of their assets they're aware of, 90% of their servers are patched. 90% of their data is protected. Now if we're in school, and we're taking Physics or Calc 3, 90% is good.
But in cybersecurity, if you have 100 servers, and you’re only protecting 90%, that's 10 that are still vulnerable, and 10 that are still exposed.
With companies, they're not getting the fundamentals correct: the foundational items like asset inventory, configuration management and patching. If they focused on that 100%, that starts to solve a lot of those problems.
Hannah: I agree. They are not aware of the attack surface that they have. I think it was the Equifax breach where they didn't even know about the vulnerability that they had. That's all it takes, just one tiny little crack. A cybersecurity attack gets in and that's it for your organization.
Dr. Cole: No, it's funny, you bring that out because to me, if you look at Equifax and Target, if we learned those lessons, we wouldn't be having the problems today.
SolarWinds is Target all over again. The Colonial Pipeline is Equifax. It's the same fundamental problem: we're not learning our lessons and keep repeating them over and over again.
Hannah: Look at what LinkedIn repeated twice in like six months, they had 400 [million] people get breached, and then 500 [million] people get breached. What did you not learn in this six-month period of time between breach one and breach two? Like 98% of LinkedIn users' information has been leaked, depending on what kind of information they put out there. You would think that LinkedIn would have learned their lesson by now.
Dr. Cole: Yes. But it goes back to the companies that don't think they're a target. They don't think it's their responsibility.
If I add a third piece to it: they're not focused on the detection. They think that “oh, we have firewalls and some IPS, and we can prevent all attacks.” When the name of the game of cybersecurity is: prevention is ideal, but detection is a must.
Hannah: Yes. You have to be proactive. What do you think is the first step that businesses should take when updating their cybersecurity?
Dr. Cole: To me, the first step today that they should take is to assume they're compromised.
If you look at all the data, it's scary because the number keeps going up. [It] used to be most companies were compromised for 19 months, before they detected, then it was 23, then it was 27.
The latest numbers that just came out are 31 months, most companies are compromised.
So especially after COVID, where companies basically did anything for survivability and ignored security for 6, 9 or 12 months, the probability that you are compromised right now and don't realize it is very, very high.
So the first thing I would do is you need to do some threat hunting. You need to go in and see what's happening, what's occurring. The next thing I would do is it's all about critical data. If somebody breaks in, and they don't access, steal, or encrypt critical data, then it's pretty much a minor breach. So, understand what is your critical data? Where is it located?
While a lot of security professionals in the past didn't like the cloud, to me, the lesson is: the cloud is a much safer place than a data center because that's what [the cloud] business is. So really get that data controlled and managed.
Then the third thing I would say is, look at the endpoint, especially what happened with COVID. But even before that, look at laptops that people are carrying around. The average hard drive is four terabytes and most people have them at 95% full.
Hannah: That's a lot of information.
Dr. Cole: That's a lot of gold you're keeping in your house without a lot of security in place. I'm always a big fan of minimizing endpoints. The data can be better controlled and managed in a single spot.
Hannah: Yes. I would say data control is really big in healthcare. Paubox is a healthcare security solution, and PHI is so valuable on the dark web. Something so many people don't realize. So, you're right; it's about making sure that your information, all of the information, from your CEO down to your admin, all of their information is encrypted, or you're just opening yourself up for a breach or a violation.
Dr. Cole: The key to encryption is making sure that the key that you're encrypting is stored on a separate server.
What I see in healthcare all the time is these attackers get in and within minutes, steal all the information. I talk to the executives or head doctors and they're like, “but Eric, it was encrypted, how could they have done that.”
And the only option is the keys are stored with the data. So they basically break in. It's like putting the key under your floor mat. It's not fooling anybody.
I would also say encryption doesn't work if you don't protect, control and manage the keys. That's where a lot of healthcare organizations fail on the security spectrum.
Hannah: I agree. A lot of cybersecurity options for healthcare require so many extra steps. You have to type “encrypted” in the subject line. You have to sign in to a portal. All of these things. And that's why I love working for Paubox because it installs on the back end of your inbox and you just send encrypted [automatically]. I don't even trust myself to remember to encrypt an email. And that's why I love Paubox because I just send [the email] and it's gone. It's so easy.
Dr. Cole: You hit the key spot. It’s important when you're talking about hospitals and healthcare [to remember], doctors are the kings and queens of their kingdom. A solution, if it's cumbersome, if it requires them to do an extra step, it's not getting done.
That's why I love what you keep saying about it being transparent. It's better. Solutions that work in all areas, but especially healthcare, are transparent solutions that you're not even aware of and that keep you safe.
That's what we need more of. As opposed to these super cumbersome, really heavy, user-based solutions that nobody's going to follow. Nobody's gonna do this.
Hannah: Humans are… we're dumb. We're dumb creatures. We make mistakes. As millennials take over every industry, we're more tech-savvy. Which I also think makes us dumb, because we think we know everything. And then the next hack comes and [the hackers are] just so much better than what we already know. You mentioned this a little earlier. When we were talking about employees working from home, large companies like Twitter and Facebook are going to let a lot of their employees continue to work from home. What do you think is a good step for people to take, other than securing their endpoints, that businesses could take with this changing threat landscape?
Dr. Cole: To me, one of the big ones is recognizing that the two most dangerous applications on planet earth are email and web clients. That's pretty much the source if you're looking at ransomware, phishing, all those different attacks.
My approach to security is, you have to give them solutions that adapt to how they do business. Not telling people not to do things.
Don't get me wrong. I love awareness. I think awareness is great. But awareness isn't going to get the job done. I've seen it all the time where you tell people don't do it, don't do it. Don't do it. And it's like putting candy in front of a three-year-old.
We put way too much pressure on them. I had one client say “Eric, I don't understand why we get breached all the time. If our users just checked email, didn't click the link, didn't do this, they actually looked at this, they verify.” And I'm like, really? You're expecting [your employees] to do that?
So, that was one of the simple things we do for our clients.
In my office, because we get targeted all the time, I have my Windows computer that I do my work. I write my reports, I do my analysis. And then I have an iPad that I only use for checking email and surfing the web. So I fired up or weeded them out.
Now as you know, it's not that Windows is more vulnerable. It's that it's a ‘90% install base’. Most attackers are going after Windows. So, the probability of there being an iPad-based exploit is very, very small. Even if it did, I just reimage my iPad. There's no data, there's no information. I just have those two applications on it.
To me, it's coming up with those types of technical solutions, where they can get trained to do it, but not expecting them just to analyze and trace back every email address to make sure it came from a legitimate source.
Hannah: Yes, that is not a good cybersecurity rule to just say employees can't do anything on email, except to read it. I read a little bit that you recommend cybersecurity and risk management checks for all of your readers and for the companies that you work with. What is a basic cybersecurity hygiene routine that our listeners could get into? How often do you think individuals should be checking their cybersecurity versus organizations?
Dr. Cole: I'll just throw it out there. Unless you wear bell-bottoms and like listening to the Bee Gees, give up passwords. We need to give up passwords. Passwords don't work.
People use the same password all over. Two-factor authentication is built into just about anything. If you're using a personal app or a third-party app, trust me, it's there. You just don't have it turned on.
To me, the first hygiene factor is you’ve got to make sure that authentication is robust. You have to use two-factor authentication. Get away from passwords, get away from those areas.
Next is to stay away from free. When you look at your phone, computer, all the free apps and free this and free that most people don't realize free is not free. Free means they're accessing your device.
If you don't believe me, take any of your devices and go under the security advanced and look at the location tracking, camera, microphone and look at all the apps. I do that weekly. I'm always amazed. This Sunday I did it. And I'm like, “why is this application accessing my camera and my microphone? That's a little weird”
So I turned it off. That's the other thing: know what's on your system. My general rule is anything on my devices I pay for. I would rather pay $9.99 and control my data than have a free app that doesn't. So that would be the second piece.
And then the third piece of good cyber hygiene is just awareness. Like I said, turn on alerts.
It drives my wife crazy. Like this morning, she uses Venmo, which I don't like. But after 26 years, I realize you can't say no. So she's gonna do it. But, I get an alert that says, “hey, there was a $200 Venmo charge on it.”
And I checked with her. And she was like, “yep, that was me.” And she was like, “so I’m being spied on?” I'm like, “No, we're checking and protecting.”
It's a little annoying when you use a credit card or Venmo to get that alert. But here's the question I always have. I said, “Honey, there are two options. One is I texted you to verify and it took us 30 seconds, and it's legit, or it was fraudulent. I assumed it was you. And then our bank account was wiped out.” And she's like, I like option one. I'm like, that's what I thought. So you have to have a little inconvenience, in order to protect, secure and react to these things that are happening.
Hannah: I totally agree. Everyone always thought that I was nuts for turning all of that on. Years ago, I started turning it on. I don't want anyone to have access to my data. I work in Marketing. I know how these social media platforms are collecting data. I've always told these people, go through their phone apps. [Apps] want to have access to everything, because that's how they learn information about you. Turn it all off. It's annoying, take the one hour to do it and make sure it's off. Because like you said, they can either get an annoying text from their husband that says, “hey, was this you” or you can have no money in your bank account and go through that whole headache. Do you have any last-minute words of wisdom or cybersecurity tips for our listeners?
Dr. Cole: The only thing I would say is it doesn't matter what business you're in, if it's large or small or individual, you need to recognize it, you're a target. These attacks are happening all the time.
We didn't really get a lot into the ransomware, but I always find it fascinating where I get on these interviews. They say “Eric, so what's the cause of the increase in recent ransomware?” And I'm like, “What are you talking about?” And they're like, “well, it's only been in the last couple of months that ransomware attacks.” And I'm like no. I said the worry of 2020 small [business] and individuals being hit with ransomware. Now the ransom payment for individuals was $200. And for companies, it was $15,000. But it was still out there.
So I think the media, sometimes only covering the big stories gives individuals or companies this illusion that only the government and billion dollar companies and billionaires are targeted. But in reality, everybody is targeted.
And in a lot of cases, it's the smaller individual that gets hit a lot more, because it's easier, simple. And they have their guard down. So just always remember, you are a target and cybersecurity is your responsibility.
Hannah: Yes, our CEO says the same thing. You can't look at what's in the news for what's really happening. It's why we started ZeroTrust Email because there's so much ransomware out there. People are complaining about it. But it's always been there. Cybersecurity actors are just being smarter about getting through your encryption. You have to be proactive, because like you said everyone's a target. And you are going to fall into that trap. You said that passwords are over. I totally agree. Do you think that people should adopt more passphrases? So saying something like “MyDogsNameIsBingo” instead of the password being “Hello5678”? What do you think about passphrases versus passwords?
Dr. Cole: So if you can't do two-factor, and it's just not an option, you can't do it, then yeah, I'm absolutely a huge fan of a passphrase. The only trick that I do is use a passphrase, but use it to create a random string. So for example, if you say, “my first dog, Fido was born December”, you would go in and pick the first letter of each word and create a phrase.
So now when you're typing in, it's uppercase m, lowercase F, etc., and it looks like this random string that nobody could guess. But it's very easy and simple for you to remember. Then it's one of those things where now you can have different passwords for each of your different accounts.
The joke I always had is I used to use my kids, like my first son, my second. I told my wife, I'm like, “Listen, I need more passwords. We have to have more kids” and she was like, “come up with a different ski. Right?” That, that's not gonna happen there. So, it's picking things that are easy to remember but hard for somebody else to guess.
Hannah: Yes. My mom does all of her children or some variation of our birthdays that are all her passwords. And I'm like “mom, like this isn't really that safe. We should probably think about updating these but it's okay. I don't think anyone's gonna steal your stuff.” Thank you so much, Dr. Cole, for being on here. I really appreciate it. You have been really helpful, and as I said earlier, I have been eager to pick your brain about cybersecurity.
Dr. Cole: It is my pleasure. Thank you for having me.
Hannah: For resources on HIPAA compliance, healthcare cybersecurity, or how to prevent a data breach, please visit paubox.com/blog. Looking to network within the industry? Join our next social mixer on August 26. It’s 100% virtual. If you’re interested in attending, please send an email to firstname.lastname@example.org. The 4th annual Paubox SECURE is in Las Vegas on September 29th and 30th. Head to pauboxsecure.com for more information, to register, and book your hotel. If you’re looking to sponsor or speak, please email email@example.com. As a reminder, you can listen to every episode of the HIPAA Critical podcast on paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, Amazon Music or wherever you listen. Thanks for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.