
45. Greg Reber: "This is the biggest information breach that we've ever seen."

Written by Hannah Trum | Jun 2, 2021 7:00:00 AM
Hannah Trum: I'm Hannah Trum, and this is the HIPAA Critical Podcast. Cybersecurity protocols and practices will never be a one-size-fits-all solution. Different industries have different requirements for compliance. Healthcare has vague but vast security rules to follow under HIPAA. So how do organizations stay ahead of the cybersecurity curve? Peer collaboration and information sharing are important for mitigating risk. Still, until a company ends up on the HHS Wall of Shame, most are reluctant to share embarrassing breach information or cybersecurity flubs. So what can healthcare providers learn from past data breaches or HIPAA violations? How can healthcare, an industry known for its outdated technology like the fax machine, use this knowledge to keep protected health information safe? Greg Reber, Founder and CEO of AsTech Consulting, is with us on today's episode. He and Sierra Langston discuss the changes and challenges in cybersecurity, including implementing solutions that meet regulatory standards, the evolving threat landscape, and how information sharing is a key to the future of cybersecurity. Let's take a listen.

Sierra Langston: Greg, I know that you were on the future of AI and machine learning in healthcare security panel at our Paubox SECURE conference a few years ago with Anya Schiess of Healthy Ventures and Brent Newhouse of Qventus.

I'm very, very happy to have you on and have your expertise back with us. 

Greg Reber: It's great to be here, Sierra.

Sierra: Greg, can you provide our listeners with some background on AsTech Consulting, you know, what you guys do? How many locations you have and who you serve would be great.

Greg: Sure. I started AsTech in 1997. Our focus has always been to advise companies in areas of information security and help them get things done to continuously improve security awareness and posture, just like a lot of security consultants. 

I'm a big fan of what's called the OODA loop: observe, orient, decide and act. What we do is essentially based on these four areas. The first is to observe and orient. We do a situation analysis, looking at people, processes, and technology, and then make recommendations based on the industry.

We've been based in the San Francisco Bay Area for more than 20 years and most recently opened the Dallas office.

Sierra: You briefly mentioned a little bit about why you founded AsTech, but is there any other information about the background of the company that you would like to provide?

Greg: Ah, well, we've been in this a long time. 

In 1995, I was consulting for a California-based regional bank that has since become the fourth largest in the country, working very closely with one of the greatest minds at the time on security-related issues.

Dr. Martin Carmichael went on to become chief security officer at both TD Ameritrade and McAfee. He very enthusiastically changed how security is done at the bank when the internet was relatively new. The vision that Dr. Carmichael had was groundbreaking. And working very closely with him, I saw that every company needed what we were doing at the bank. 

So, I started AsTech. And I've been having a great time working with a fantastic team since. Dr. Carmichael’s still active, and he's one of my mentors. I still talk to him regularly. 

There are a lot of people like me in any job who get up in the mornings and say, “why am I doing what I do?” And it is a very easy question to answer for us and for our team. 

Sierra: You have to have a passion and reason for what you're doing in every single space.

Greg: Yes, and it's a great motivational force. We've really done some great work over the past 20 years or so.

Sierra: Greg, is there any other information on your background? You gave a little bit of background on AsTech. Is there anything else about your background or yourself that you would like to share with our listeners?

Greg: Well, probably a lot, but I'm not sure how interesting it is. 

After I graduated from the University of Maryland with a degree in aerospace engineering, I worked in defense for defense contractors for a while and realized that wasn't for me. After that, I lived in Eastern Europe, Czechoslovakia, when it was still a country, which was a spectacular experience, with which I could probably fill a different podcast. 

Returning to the US, I got into IT. A couple of years after that, I found a professional home, so to speak, when I met Dr. Carmichael, and we did a lot of security work together.

When I started the company, our basic tenet was watching companies, and the [security] awareness has ticked up over the past few years. Especially while people are really taking stock of their security, what's their part in it, and not outsourcing security so much as they used to.

It's one of the reasons Paubox is recommended so much: because it solves multiple security issues within email encryption, data loss prevention, and email archiving, which are mandated by most regulatory frameworks. That's the kind of solution you look at and say, "what's the biggest bang for the buck?" and those types of solutions are actually moving the needle. Paubox is at the top of the heap there.

Sierra: Well, we appreciate that kind of feedback. 

Greg: It's an observation, not just an ego thing. 

Sierra: We appreciate it. There are a lot of things that companies can do to secure themselves from breaches. What do you advocate for a company that implements basic recommended security measures? Are they ahead of the curve?

Greg: Well, threats evolve every day, becoming more and more sophisticated. What we're trying to do with our team is looking at connecting the dots to see what's coming before it becomes a threat. 

It's a great start to implement what we call “basic security measures, basic blocking, and tackling.” Sometimes, companies need a reminder of the importance of doing the basics to secure their companies. Some companies’ main role is to serve as a warning to others to do the right thing.

Sierra: Yes. The HHS Wall of Shame! 

Greg: So, we have a lot of examples. I don't want to go into all of them that come to mind.

After the Target stores breach in 2013, every company looked at their networks for having appropriate segmentation. Or they should have, because that was an HVAC vendor that was hacked by bad guys. Then the bad guys were able to use that connection into Target's network.

Sierra: Okay, that's bad. 

Greg: Then Target's network was flat, so to speak; there wasn't any segmentation, so [the bad actors] could get everywhere. That drove a lot of regulatory visibility into "you will segment your network from different things."

In 2019, and at times since then, ransomware targeting unpatched Windows machines brought some companies and municipalities to a standstill. Then they spent 20 to 50 million fixing that problem, which underscored the importance of patching. Everybody knows we have to patch, we have to stay on top of things, but not everybody is doing it. That kind of an example drives that behavior more, currently.

This is top of mind for a lot of security people, and it should be for everyone. The SolarWinds hack of late last year may be the most sophisticated attack that's ever been made public. Software companies, especially security-related ones, will be changing their threat modeling practices to include supply chain hacks and attacks.

Because that's what happened with SolarWinds: it was a software supply chain hack that went undetected, for we don't know how long yet. Now, threat modeling will include that type of attack.

Sierra: Companies don't know what they don't know. I have Google alerts for every single ransomware or phishing attack on the internet. That way, I can stay abreast of the threat actors and how they're getting more conniving on the internet. That way, we can talk about it on the podcast and use that as a predictive way to implement better security practices. 

Greg: Awareness is key. 

Sierra: Right. Innovation is changing daily, weekly. Everyone in the healthcare industry, IT, and security must stay abreast of what's going on.

Greg: When companies are saying, “we're doing everything right here as far as the basic security measures,” that's the right thing to do. 

But as with the OODA loop, you have to keep revisiting that in light of more recent threats, more reason to act, what's going on, and being able to kind of look over the horizon for what's in store for an individual company or entity. 

There is another old adage that militaries of today are always fighting the last war. They're built to fight the last war, staying as current as possible, which will bring that last event horizon much closer to the present.

Sierra: You mentioned previously that we need to connect dots and see what's coming and get more predictive if you will. Do you have any more examples of how companies can start predictive behavior?

Greg: If you start looking at what's going on, and the big hacks of the last five, seven years, then [you’ll know] in the near future, [we will live] in a world where there are no more secrets. 

If you think about this, some of the stats: the SolarWinds hack affected 425 of the Fortune 500 companies, including all of the top 10 US telecommunications companies, not to mention hundreds of universities.

So here we are. Let's go with what the ICT, the intelligence community says, this was a Russian government hack. The Russian government has information on all of the entities now that I mentioned. What are they going to do with the information? They're going to go through it and say, “what information will we keep for ourselves?” Mostly, the military and State Department stuff. Then it’s “we will sell the rest of it to whoever gives us money for it.” 

This is the biggest information breach that we've ever seen. I don't want to say that we've ever experienced because there might be bigger ones that are public, but we don't know. 

So all that information is out there, essentially for the highest bidder, except for what whoever perpetrated this, most likely Russia, wants to keep for themselves and gain an advantage over every other country in the world, political and military.

The Equifax hack in 2017 exposed the personal information needed to apply for credit of 150 million (plus) Americans, more than half the adult population. All that information is out there. And it's not retrievable. You can't undo this.

Now, more recently, video and photography editing technology has evolved to the point where the so-called “deep fake” videos are everywhere. Anyone can manipulate digital video to make it look like anyone is doing and saying anything. 

In fact, a mom of a cheerleader in Pennsylvania created videos of her daughter's rivals for the cheerleading squad and posted them trying to smear their reputations and get the school to not consider them. Now imagine that this is an adult doing things against a teenager. If we look at something and know it’s not right, now we can name it immediately. 

If it seems out of whack, even something like this might not seem out of whack, it will be taken as truth. This trend is getting worse, not better.

Sierra: Yeah, that's absolutely terrifying.

Greg: We could be heading into a future where there really aren't any more secrets. 

What do you do in a world where all your information is out there for anyone to buy? When we talk about what's coming, we have to take these things into account. What do we do? All your info is out there for anyone to buy. Are there fake videos of anyone? Can nothing be trusted?

Sierra: I feel like that's how it was with the election. Everybody was reading things on the internet. Nobody knew what was true and what wasn't true. I agree that we're starting to progress that way. And it's extremely scary.

What do the protections look like? What can companies and individuals do to minimize their risk?

Greg: I love these questions. These are questions that get to the heart of the psychology of security, right? What makes people feel secure? What risks are we going to protect against? That’s the bigger question.

In today's world and environment, for government entities, companies, and academic institutions, information sharing is key. These are the entities that have information that needs to be secured. We expect it to be in today's environment. It's to their advantage to keep it secure because of breach notification laws, their reputational loss, all sorts of things.

When a company is targeted with a new attack that's not been seen before, letting others know can help the whole infrastructure prepare a defense. The SolarWinds hack is a perfect example.

Most likely, government entities were asking, "when did they become aware of this," and the answers are not forthcoming. As soon as they knew about it, they released the info. So sharing information among these kinds of entities is key to being able to short this kind of attack or minimize the dangers.

For individuals, taking more control over their own destiny is the way to go. Understanding risks and how they work on the internet is only going to help people make better decisions when it comes to what they do online.

Adding to that, as you mentioned before, this healthy increase in critical thinking is going to go a long way in not being taken in by misinformation campaigns. Questioning what you see, even if it falls within your frame of belief, and not just talking about what we believe: we really need to question everything we see and read now.

Sierra: For individuals, an example of minimizing risk: as we switched to remote working because of COVID, we did an entire podcast on the vulnerabilities of home networks.

While I was doing the podcast and doing the research, I just thought to myself, “Oh my gosh, I didn't know this information. I need to implement this stuff for myself.” Then a lot of times when I ask folks on the podcast, “how do they stay abreast of the latest IT security information?” Most say collaboration with peers, peer groups, making sure they're in groups so that they can communicate what's happening at their company. 

Then they can learn what's happening at other people's companies to do the same thing that you're saying just to help with the predictive behavior of what folks, individuals, and companies can do to minimize risk.

Greg: Sharing that information is key, too, because we're all part of the infrastructure, right? The individuals aren't in a competitive environment. Sometimes the companies are and of course, the government wants to keep things secret. But we have to break down some of that knee-jerk reaction of, “I'm not going to tell anybody what just happened to me.” We have to break that down a bit. 

Sierra: I agree. I think companies, especially on the HHS Wall of Shame, it's when you're on the wall of shame that it is detrimental to your reputation. The embarrassment, too, is a lot of reason why people don't communicate that information because they're embarrassed that they weren't prepared for that breach.

Greg: I worked with an entity called the Identity Theft Assistance Center. About 10 years ago, there was a consortium of banks for information sharing for these purposes. It didn't really get off the ground, because the financial institutions held things close. "We may have had a breach here, but we're not telling." So even the anonymization of the data and information didn't help.

One really cool thing that's happening now is the push for more privacy controls so there just isn't as much data out there. Everything we were just talking about is in the short term: here's what we do, information sharing.

If we're moving to that kind of a future where nothing is secret, behaviors will change on a deeper level. For example, after the Equifax hack, if you know that your social security number, name, address, driver's license number, and credit history are all publicly available, that can be used to apply for credit in your name.

You'll pay closer attention to your own financial footprint. That's the behavioral change that people started paying for, the credit monitoring, and Equifax gave it up for free for two years. New industries are springing up to give this kind of visibility into your own stuff. 

Is that making things easier? It also increased awareness. How many more conversations started to question “why do we even have these credit reporting industry leads that are making money off my information” and “[why are they] making my life somewhat difficult when there's no law that says we have to have them.” 

I remember having those kinds of conversations. The mindset is evolving with the staggering amount of data now that's supposed to be non-public but is now public or publicly accessible.

Sierra: Thank you so much for being on the podcast today. I learned a lot and I absolutely loved discussing all of this with you. I appreciate you being on the podcast.

Greg: Sierra, I love doing this, if you can't tell, so anytime.

Hannah: For more about Paubox and our HIPAA compliant email solutions, please visit paubox.com or paubox.com/blog to find resources and information on how to keep your organization safe. Paubox SECURE is back in person this year! Join us in Las Vegas on September 29th and 30th for our fourth annual cybersecurity and innovation conference. During this two-day event, you'll hear from industry experts, like Kelvin Coleman of the National Cyber Security Alliance, discuss healthcare, compliance, and mitigating risk. Attendees will have ample opportunities to mingle and network with our speakers and their peers during this event. If you're interested in sponsoring or speaking at Paubox SECURE, please reach out to me at hannah@paubox.com. For additional information about Paubox SECURE, head to www.pauboxsecure.com. Are you looking to expand your professional network or meet with industry professionals to discuss cybersecurity or innovation trends? Join our next June Social Mixer for just that. Each month, Paubox customers and non-customers connect to share tips, tricks, and best practices from their own careers and professional lives. Each attendee receives a beverage of their choice delivered to their doorstep on the day of the mixer. Attendance is completely free and if you'd like to attend, email me at hannah@paubox.com. Don't forget, you can listen to every episode of the HIPAA Critical podcast on paubox.com or you can subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, or Amazon Music. Thanks for tuning in to another episode of the HIPAA Critical Podcast. I'm your host, Hannah Trum, signing off.