Episode 62 of HIPAA Critical features an interview with Hector Rodriguez, Principal Industry Specialist, Healthcare & Life Sciences – AWS.
Hannah Trum: I’m Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders.
Everything about healthcare feels complex — the technology, the compliance rules, the cybersecurity threats. Every organization has to be on the constant defense to keep bad actors at bay. How does an industry that relies on antiquated fax machines and complicated portal-based email encryption begin to tackle the real infosec issues the industry faces?
To start, if your organization relies on the cloud, start assessing what assets you move over more often. If you’re not using the cloud, why not? Consumers are already using it in their everyday lives; why wouldn’t we want to meet them where they are?
Exploring these topics with me today is Hector Rodriguez. He has over 25+ years of experience focused on security, compliance, and privacy. Hector is currently the principal industry specialist with AWS’s healthcare and life sciences.
Hi, Hector; thank you so much for joining me on HIPAA Critical today. I want to go ahead and jump right in.
Can you explain in layman’s terms what an intrusion framework is, how it works and why an organization should have one?
Hector Rodriguez: The basic premise or structure of an intrusion framework is to illustrate the process and the set of activities that attackers or intruders employ to intrude upon an organization.
One of the things to know is that it also can be physically entering a building, or digitally gaining access, or a combination of both, which we do see in some sophisticated attacks, where an intruder starts with a reconnaissance activity. That reconnaissance could be done digitally.
They could also do it by going into someone’s office and gathering data.
One of the traditional examples of an intrusion process is based on Lockheed Martin’s research called The [Cyber] Kill Chain. A more recent one was presented by the Cloud Security Alliance, and they just simply call it the ransomware attack stages.
Hannah: Which is very helpful, especially in today’s age with ransomware everywhere.
I’d like to go back to the [intrusion framework] that is based on the Lockheed Martin one you sent me. It’s great reading. Does that classic framework fit in with modern cybersecurity needs these days in 2021?
Hector: The thing about classic frameworks is that they are classic. They tend to be a little bit dated, which is fine. But like an old classic record that you listen to, you listen to it; you love it, you embrace it.
And that’s what we have to do with these classic intrusion analysis frameworks: learn from their core and their purpose, why they were designed and what they were meant to do. But then they need to be updated.
We need to ensure that they embrace the cloud, that they embrace the hybrid cloud because that’s the way healthcare works. And that they embrace multi-cloud architectures so this isn’t a single vendor industry. Unfortunately, even classic frameworks were sometimes developed with that single thought in mind.
One of the things I’ll say is the world works differently today. It will continue to do that in the future.
One of the challenges that we have in cybersecurity is that, again, those frameworks, those solutions, need to keep up with modern technology. The pace of change is so dramatic. It’s so accelerated. So start with the classic but don’t stay in the classic world.
Hannah: How does the AWS framework differ from a classic one?
Hector: Well, the AWS approach [is] more of an approach leveraging the learnings from the classic intrusion analysis frameworks, but then has been modified for a cloud approach. It embraces those capabilities I spoke about earlier: the fact that we are living in a modern world, we all live in the cloud.
Then one of the things that I appreciate about the framework and the work that was done there is it’s combined with an updated set of what are called courses of actions and courses of activities that you would employ at each phase of the intrusion process to thwart the attacker or thwart that intruder to stop them in their tracks as early as possible.
That’s the goal. The goal is to slow down, isolate and remove or destroy the intruder earlier in the intrusion process to reduce the impact significantly.
Hannah: When I was reading the file that you sent over to me, I noticed that there were more steps or preventative measures in the AWS framework than in the classic framework.
I’d like to talk about the cloud a little bit because you’ve mentioned it a few times. Why do you think it is so hard for organizations to transition to the cloud? Because well, I think it’s safer for healthcare organizations to keep their information there.
Hector: It’s funny, we make these big statements, “the cloud is safer [than] on-premise.” It all depends on what you read, what people are writing that day, and what’s happened.
The reality is that you have to focus on what problem you’re trying to solve. I’ve been in cloud computing for a long time now. In my career, I started when the cloud started to take off.
But we started with security, privacy and compliance. We ensured that the cloud services offered would enable an organization to meet or exceed its compliance requirements. And that’s critical. That is foundational.
The other thing about cloud computing that I love, particularly as a developer and even as a solution architect and strategist, is I have the opportunity to fail fast. I can iterate through different attempts to solve a problem. But because I’m failing fast, it means I’m learning fast. I’m succeeding more quickly and at a lower cost. I’ve got this highly scalable, this highly agile infrastructure.
The one thing I want to stress about cloud computing and the reason to move to this more modern world of cloud is, we all live there already. All of us carry smartphones. We’re all connected to the cloud. Think of the cloud as a fabric that enables an ecosystem of services and solutions to come together.
Now you can work in your industry. You can work across the industry. You can share data. You can share all these solutions. You can crowdsource. It’s just an accelerant to everything we do. It’s a phenomenal opportunity.
I challenge everyone to make sure you know why you’re doing what you do, what problem you’re trying to solve, and how the cloud becomes part of your solution and not part of your problem.
Hannah: For data security or technology employees that are looking to convince their management, someone at your level, to go to the cloud, how would you suggest that they show these positives? That “hey, this can help us, this will be better for us.” Would that be by saying, “Hey, this is a problem, and this is how the cloud can fix it?” Or what would that look like?
Hector: One thing I love about this question is the use of the word[s] “am I trying to convince you.” We went through that a lot when the cloud first started. It was a, “we’re going to convince you to go to the cloud.”
The reality is that healthcare and other industries don’t have a cloud problem. They have other problems. In healthcare, we have the challenges of cybersecurity, disaster recovery, and recovery strategies for ransomware mitigation.
We also have the bigger problem of healthcare, which is how do we better serve our patients? How do we better serve the community? How do we make sure to develop new therapies, like the COVID vaccination, as quickly as possible at a lower cost?
This is where cloud computing comes in as an accelerant, as this highly supercharged platform with these capabilities, not just of technology, but of knowledge of data.
So when I look at this, when I’m speaking to an organization, I will always work backward from what that organization is trying to do. What problem are they trying to solve? How quickly do they need to get there? What types of resources do they have? How can they leverage the work of others? How can they get the best out of everything that’s been put in front of them to get there?
And sometimes, the cloud isn’t the answer.
We do see that 85% of most healthcare organizations are leveraging the cloud in some way, shape, or form. And it’s not just now for email. It is for mission-critical solutions. They’re putting their electronic medical records in the cloud. They’re putting their telehealth solutions in the cloud. But we will live in a hybrid world forever in healthcare because of bedside systems and things like that.
But it goes back to what you said. What I’m saying is make sure you know what problem you’re trying to solve. Make sure you understand how the cloud does help get you there. And then where you’re going to go in the future, how you’re going to scale, and how you’ll be more agile.
Hannah: You mentioned that many healthcare people are in some way, shape or form using the cloud.
How often should organizations be assessing [information]? “We have 30% of this information in the cloud, but the 70% we have elsewhere.” How often do you think organizations should be deciding when to move stuff over to the cloud when it is safer for them?
Hector: It really should be a process for continuous innovation, continuous assessment, and a drive towards operational excellence.
Traditionally we’ve done this. We set up our budgets once a year. We set up our project plans, and we reassess every six months or every 12 months. We’ve got to break those old norms, those old work habits, and we’ve got to ask ourselves the questions you just asked on a more timely basis.
I know every day is difficult, but every week, every month, how do we better improve? Because we, as healthcare consumers, we’re demanding more, we’re using the apps.
Even healthcare employees are bringing the apps to the doors with them on their smartphones. And that’s what they’re using. They do that because they realize it is more accessible, it is more efficient and effective.
But it’s not secure. It’s not compliant. So we have to find that right balance. But the conversation can’t be something that you do once a year, then put away, and say, “yes, these are the three projects we’re going to work on. This is how we’re going to do them.”
It’s continuous improvement.
Hannah: Yes, cybersecurity is continuous, as are ransomware attacks. This brings me to my next question. Are there any ransomware attacks you’ve seen that have really caught your attention over the last year or even the last six months?
Hector: I think the last year has been fraught with these ransomware attacks [in] healthcare. We read it all the time. [Healthcare] is one of the most expensive industries.
When recovery is required from a ransomware attack, attackers are smart. They know that healthcare is vulnerable. [Attackers] know that’s not [a provider’s] job. They’re focused on providing care.
But the recent attacks on both small and large hospital systems have locked down the electronic medical record where clinicians have said to us, “we can’t get to the data. We can’t schedule appointments. We can’t see our patients.”
The delays in care and then the cost when you have to reschedule surgeries, the lost revenue to a hospital, all of that highly affects a hospital’s ability, even a health plan’s or life sciences organization’s ability, to do their best work.
Now what we’re seeing are hospitals being sued for the recent story where an infant’s life was lost.
Hannah: In Alabama.
Hector: Yes, so that one. Just talking about it makes me nervous. It makes you emotional. It just resonates for me. It sticks in my head.
People need to understand that this is not just a ransomware attack where we’re paying a few $100 or a few $1,000 or a few million. It is a patient safety issue. People’s lives are at risk, and people are dying.
Hannah: Their lives are at risk. Their health is at risk. Hospitals are at risk. With a giant ransomware attack, people won’t trust you anymore. It goes back to your reputation.
How do y’all handle ransomware training or phishing training at AWS?
Hector: One of the things that I really appreciate about AWS and being a modern cloud organization and provider of services is that at AWS, we use the phrase “security is job zero.” That really means that security is our top priority.
While we say it’s a shared responsibility between ourselves, our customers and our partners, it also is everybody’s responsibility. It’s your responsibility to understand how ransomware affects your role and then how it affects the other organizations of the other people you work with.
There’s a lot of talk about the human element of ransomware attacks. Historically, and unfortunately, it’s always been very negative where we hear humans are your biggest risk. Even recent research says 85% of all ransomware attacks started with a human error.
The reality is also that we as humans are our number one line of defense. But that defense has to be built up, that muscle has to be trained so that we understand what phishing attacks look like. What [do] these web or social engineering attacks look like? And we start to avoid them.
But also, as individuals, we have to ask and challenge everybody who walks through our door if it’s a partner, bringing in a solution. If it’s another person coming in having a look around. We do have to be cybersecurity aware and [be] cybersecurity challengers. Actually, what I call cyber defenders.
Hannah: That leads me right into my next question.
Why do you think healthcare organizations have such a big gap between cybersecurity best practices and what employees are actually doing? Why are there still 85% of these attacks that have a beginning human error point?
Hector: It really is about time. It’s about people. It’s about resources. Cybersecurity has gotten expensive. It does need more investments from the healthcare industry. And we do see that happening.
Also, the healthcare industry is a complex industry. Healthcare is complex. We are complex beings. Biology is complex. We have to learn from each other.
Historically, organizations took on this workload on their own. Nowadays, we’re seeing more crowdsourcing. We’re seeing more anti-phishing scenarios being used in training that is being leveraged across industries—being leveraged through data-driven approaches. So we have adaptive learning. We have psychological learning to really train these behaviors.
The other thing that we need to do more of is, people need to be trained constantly. You said it earlier. Cybersecurity is always on. Attackers are always on. We, as cybersecurity defenders, have to always be on. We have to continue to evolve.
And so security awareness training has to be part of the way we work, it has to be. What I say is operationalized IT. No longer is it a once-a-year exercise where you say, “I went through training. I am now HIPAA compliant. I am now security-aware.” It does not work that way.
Hannah: It does.
My previous guest, Brian Fritton, said that cybersecurity should be part of your company culture. It should be something that you ingrain in people. “Hey, we have these 401k benefits. We have all these other benefits. And then we also have the cybersecurity training for work, but then also home.” Because if they’re practicing at work and practicing at home, they’ll only get better.
Hector: That’s a great statement. When I was thinking about this, one of the notes that I made was that we have to do security awareness training and always-on, continuous evolution. We have to develop a cybersecurity-aware culture.
And actually, that’s what AWS has done. We are all cybersecurity aware. It is job zero. We take it very seriously. And particularly in the work that I do, but I don’t walk into any AWS conversation where someone doesn’t bring up the security discussion.
Hannah: It makes me think when I was in school, we learned how to type on a computer, [so] I wonder now if we should be teaching children, on a basic level, in school [about] cybersecurity one on one.
Because the kids today will be on the internet forever. They won’t know a world without the internet or a smartphone. So it makes me think, is that something that we should take as an industry, the initiative to teach children at the level that they’re at about cybersecurity?
Hector: We do. We have to do more of that. You’re absolutely right, we have to start early with children as they’re using smartphones, or laptops, whatever.
Then we also have to continue to teach it in medical schools. Cybersecurity should be part of the way we all work. It’s no longer just seeing patients or talking to the members of your health plan, or running a clinical trial.
You have to think, how do I run this clinical trial securely? How do I share the electronic medical record with this patient and their lab results securely? How do I enroll my members in a way that they want to? An easy way for them?
Hector: Yep, absolutely. That experience matters.
Hannah: Yes, it definitely 100% matters because if someone doesn’t have a good experience, they’ll go find another provider.
Do you have any last-minute tips or cybersecurity moments you’d like to share with our listeners today?
Hector: What I think about more than anything is: keep asking the questions. Keep challenging yourself to be a cyber defender. Learn good habits.
Learn how to be an anti-phishing advocate. Use multi-factor authentication, even if it’s SMS. Everybody likes authenticator apps. I use those myself, but build your own defense. Everyone should have their own personal cybersecurity plan and continue to evolve that.
Hannah: You just said SMS versus authenticator… do you think one is better than the other? Or do you just think blanket two-factor authentication is the way to go no matter what?
Hector: I think a blanket two-factor authentication is the way to go.
There is a move away from SMS because it can be hacked. I use authenticator apps. I use a YubiKey. That’s what we do at AWS. We have three factors, at least.
Hannah: I was gonna say, you’ll have way more than I have!
Hector: We will continue to evolve that, and it does help. But multi-factor authentication. Everyone should have that on everything that they do online. Right away.
Hannah: I totally agree. Well, thank you so much for joining me today, Hector. I really appreciate it.
Hector: Thank you, Hannah.
Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.