Episode 58 of HIPAA Critical includes an interview with Matt Cooper, Cybersecurity & Data Privacy Principal at Vanta.
Matt Cooper: Well, sure. Great question.
So first off, I would say that proactivity is a critical approach to cybersecurity, specifically, education. So I'm gonna dust off an old Ben Franklin, “An ounce of tears worth a pound of prevention.” Definitely applicable in information security.
It's better to be prepared. Do the things in advance to prevent that big breach, so you're not spending time on that painful incident response in the middle of the night. And huddling with your team on short notice on the Fourth of July.
Hannah: Yes, no one wants a 2 am phone call on a holiday. That's for sure. What do you think are some qualities that attract cybersecurity threats, obvious and nonobvious ones?
Matt: Well, the obvious one is, do you have valuable and interesting data?
Let's get back to that: everyone's data is valuable and interesting to them in their own business space. But do you have data that's interesting from a criminal perspective? That's kind of the obvious one.
Another one that's sort of obvious is just complexity in your current environment.
Do you have a highly complex environment? Do you have a highly complex supply chain or network of other companies? Do you have a lot of guests and visitors? Something like a hospital.
It's inherently super complex. When you have that level of complexity, it's going to be easier to have certain vulnerabilities.
The less obvious one, but I would say folks should consider, is what is your role in the supply chain and who are your customers or clients. Even if you don't provide technical service, you could still be a threat to them.
Hannah: Those are great tips. I don't think a lot of people think about that. They think about their own personal information but not the information of a company as a whole. By now our listeners know that we just talked about this: being proactive in infosec is really the only thing that you can do at work and at home. What is the number one tip that you bring home with you?
Matt: So number one, “don't click it.” This is the opposite of Nike. It's not “just do it.” It's “just don't.”
If you don't know what you are receiving, or responding to it seems weird, just don't be tempted. Don't go there. Make them email you a few times and say “Hey, why aren’t you opening my email?” Don't be that person that clicks on the thing. So that's number one.
Password reuse, don't do it. That's bad. Don't use your Facebook password for your bank account, your corporate email, you know, etc. Again, basic but it's hard to do. Passwords are a pain.
Another one that I'm guilty of is saving passwords in a browser. It's so convenient.
One thing I do is, even though you're not supposed to reuse passwords, I have kind of like a garbage password that I do reuse for low-impact sites.
It's just not my bank account, my email, things I care about. Those are hardened. Those are all unique. If I'm going to download something, make me put it in my email and a password management system.
Hannah: Exactly. I have a lot of Millennial friends who do that. And I think it is also very popular with Gen Z to have a junk email just to sign up for stuff. So, there's not that threat there. It's just going to an inbox that you don't monitor.
Matt: Exactly. Yeah, that's my main one.
The last kind of basic one: don't go, or let your kid go, to sketchy websites from your laptop computer. My kid is really into Minecraft. The places he has to go to download his mods etc. I do not want those sites on my computer.
Hannah: Part of your position as the cybersecurity and data privacy guru at Vanta is to work with and vet audit organizations to help improve experiences for all of your customers. What have you found are some green flags and some red flags when choosing an audit partner?
Matt: Yeah, this is a really interesting question. I think sometimes people come to this with the idea that like, “hey this auditor is good and this auditor is bad.”
So I want to recontextualize that a little bit and say, first off, companies need to decide what is important to them. That's not always the same depending on who you are. Maybe you're head of compliance, maybe you're the CEO, maybe you're head of operations or a sysadmin.
You might have different interests.
One person might want to make sure this audit is really going to uplevel their security. If they go into an audit, let's make sure it has internal value for us; gives us better assurance. Another person might just say, I want to lubricate the sales process. I don't necessarily care about getting pushed by my auditor, and so on, and so forth.
So align internally on what matters to you.
And then make sure you communicate that with the auditor when you're doing that interview. Feel good about their responses.
Because we put a lot of folks through SOC2, Company A can work with Auditor A, have a lovely experience, and Company B works with the same auditor, and they have a terrible experience. It's not because the audit really changed. But the company's goals and objectives were not necessarily aligned. So that's one thing.
Another thing, just kind of basics, but communication. Communication is huge and expectation setting. So just make sure you feel good about it. Is this person responsive to you? Are they telling you what you need to know? Are they setting expectations for you for the process? And then beyond... Do you like this person? Can you work with them? Are they annoying to you?
Hannah: What do you think is an essential question that any organization should ask any auditor that they're trying to work with?
Matt: One thing that I encourage folks to do upfront is, show the auditor the controls that [you’re] planning to go for SOC2 with. And ask “do you have any issue with the control design” upfront. Because the auditor should be able to effectively answer that.
That way, when you get into your audit, there's not going to be questions around what controls you are doing. What does your control language look like? You will just be simply auditing the effectiveness of the controls. So I would put that up there upfront, to minimize the possibility that something like that comes back to you.
And then again, the things you care about. What's my timeline? That can be a big one. When am I going to get this deliverable? Who needs to be involved from our side? What is your process methodology? What am I going to be expected to show the auditor? That really sets expectations for you and lays out what you should be planning for during the audit.
When those are aligned, things go well.
Hannah: That's great advice. All audits are basically the same, you know, you want to have achieved total compliance, no matter what that is, but exposing and fixing security vulnerabilities are just another part of an audit, things that you can fix. You and I both know that HIPAA is completely different. Vanta recently launched a HIPAA compliance automation solution. Can you give us a little bit of background about how this solution came to be?
Matt: We grew up in the SOC2 space. We've been doing that pretty effectively.
And we really looked to the market and to our customer to say, What do you need? What do you want? Where is the market need?
And for HIPAA in particular, it's challenging because there is no HIPAA certification. And so I think technology companies know how to develop their product. They don't want to go be a HIPAA compliance expert, and they don't necessarily want to hire a HIPAA compliance expert for, you know, $275 an hour.
They just want to know: What do I need to do? And they want that punch list. They want that assurance that they've done all the things, and so looking to a third-party expert really can give them some comfort. Then at the end to know, “Hey, I did all these things, everything is green, my tests are passing, I am HIPAA compliant, and now I can go forward.” And I can say that to customers with confidence. And I can have confidence internally.
So I think that was a huge piece of it. Every compliance framework is a good fit for automated monitoring when you're giving a higher level of assurance, checking things all the time. So, I think those were kind of some of the main things behind why we chose to work on it.
Hannah: I think it's a great idea to automate these kinds of things. Because human error is so prevalent, and the more things you can automate, the less chance there is for an employee to mess something up or you to mess something up. So what have you found is the biggest challenge when completing a HIPAA audit versus an ISO audit?
Matt: HIPAA audits and ISO audits are actually pretty similar. There are a certain handful of HIPAA controls which are over and above what you have to do for SOC2. Which are more onerous to folks that have gone through it.
But you know, if I was going to highlight a couple of specific things: logging and monitoring. Logging and monitoring around PHI, you have to do it.
And probably you have to do it at a level over and above what you're doing for your normal business logging and monitoring. So just a very prescriptive thing.
Another potential challenge for cloud companies is the retention of the record. Specifically the ill-defined requirements. You have to retain six years of required documentation.
The whole question of “Oh, is that my logs? Well, which logs? Does it... Wait, I'm a cloud company, I have terabytes and terabytes of logs? Do I really have to put those into storage for six years?” Coming to a defensible position can be a challenge.
And then the last thing I would say would be backups and availability are in scope for HIPAA.
Hannah: Would you agree that it is just smart for any company, specifically one who has to deal with HIPAA, to just move to the cloud? Because it's easier to keep those six years of data in the cloud versus in a storage room?
Matt: I'm gonna build upon that. Every company is a unique snowflake. So while like, in general, maybe yes, but you know, everyone's unique. So you really need to determine it for yourself, your own environment. Maybe you own six warehouses and storing favorites, no big deal. So great. Keep doing it.
Hannah: My hidden agenda is to get everyone who has to be HIPAA compliant on the cloud.
Matt: Okay, okay, good to align with your agenda here. That's my hidden agenda.
Hannah: So after a HIPAA breach, I usually assume that was a network server or an email breach. Because I do our HIPAA breach report every month, I know that those are the two most common attack vectors. When you look at statements released by companies who have been breached, it's so vague, there's never really any real information. Why do you think that healthcare organizations are so [vague] about breaches when their breaches affect so many people?
Matt: They're embarrassed. It is painful. No one wants to expose what they actually did or didn't do that caused a breach. Like, “oh, we didn't patch a nine-month-old vulnerability on a public facing server and we got breached,” not something you want to put out there.
So I really think that's a big part of it.
The other thing is, as you know, you can be breached in certain conditions where it's not a real breach. In fairness to these companies, all their consultants are telling them, “hey, when something happens, don't go out there, telling everyone about it, we need to really do due diligence, we need to make sure legal looks at this, we need to eliminate every possibility that this wasn't a breach before we're going to go out there and say that it was.”
Obviously, there's all the ramifications that come with those other things you have to do. And so you know, it's a painful, time-consuming, expensive process to deal with the breach. So I can see why they're not super forthcoming.
Hannah: How would you suggest the CISO, security officer, or a CEO create an environment of “controlled transparency”, where customers have information, but it's not so generic that they're confused, but we're not giving them too much information at the same time?
Matt: Honestly, I think the answer here is, again, the prevention side is planning for it.
So are you doing your tabletop exercise? Are you assuming you're going to get breached? And just from a business perspective, if this happened, what are you going to do? What are you going to communicate to the customer and what are you going to do to mitigate their risks?
That's a big part of it. The regulator's going to look, so have all that stuff lined up, dialed in. Have all of your partners pre-planned so that once you've determined that a breach has happened, you already know and you've already thought through how we can make the most effective communication to the customer. That, to your point, is material but not alarmist, and then also tell them, this is how we're going to help you. At the same time plan, plan, plan. That's what I would advise.
Hannah: And I think it would be helpful to go back and look at previous companies like SolarWinds, or Equifax or Kaseya, and see what they put out and the confusion around it from there and see how you can improve. That's my thought at least.
Matt: Only a fool learns from his own mistakes.
Hannah: Yes, only a fool. Okay, so the last 18 months have been insane. There has been so much change across the world, especially with ransomware. Ransomware has always been around, but it is very prevalent lately. And human error continues to be the top entryway for bad actors. What do you think we can learn from the past 18 months that we can bring with us into the next 18 months?
Matt: The first answer is the more things change, the more things stay the same. You just said it, humans are the eternal vulnerability. The eternal weakness is your human and that's going to continue forever.
And so what are we doing around that human control? Are we doing one hour of a security awareness video each year? Probably not enough, right? And so just, you know, focusing on that education piece and that awareness piece forever.
The other thing I think we can, you know, think about when we're talking about the future is humans are madly rushing to put every single possible piece of equipment, you know, what have you, online and networked.
So we are just massively expanding our attack surface at the same time, and we have to expect new vulnerabilities. These things aren't secure, they're new things to hack, you know, etc. And it's only going to increase, it only makes sense. As we put more new and novel devices online, you're gonna have more attacks.
Hannah: I read something that said at-home Wi-Fi networks used to have two or three connected devices, and now they have like 60 devices. So you're right, we're only increasing our attack surface, at home and in the office. What are some of the biggest threats that you've seen over the last year? And how have those threats changed how you approach your position at Vanta?
Matt: So you mentioned ransomware. Ransomware has been very painful this year. I've seen it in the real world with customers. As those actors gain sophistication, folks really need to look at what our vulnerability to ransomware is and how we are going to respond to that. What's the status of our backups and all the various controls that you can put around that?
The other one that I saw that really, like, makes me physically sick is the SIM swapping attacks. Specifically I've seen these in the crypto space. Folks have an account and have 2FA, which is such a great control. Then your provider essentially gets social engineered. They switch out your phone, they switch up your 2FA, now you have an account takeover attack.
I don't know if you've seen these, but people are having these crypto wallets drained of literally millions of dollars. They're contacting the company and they're like, “hey, not our problem. Your account got taken over, like our controls are good. And sorry, you lost $20 million.” Like I just can't even imagine, so that to me is a super scary one.
And it's painful because 2FA is such a good control, to now see that kind of the easiest, simplest, most dominant implementation of that, via SMS, is now at risk.
Hannah: Would you suggest then that people move from 2FA authentication via a text message to like a Google Authenticator or an authenticator app?
Matt: 100%. Yeah. 100%.
Hannah: Do you think it's better for just everything? Like I have two-factor authentication on my Facebook. Should it be the same thing there, like anything should move to like an authenticator versus a text?
Matt: I think it's how much you care about that thing. Your bank account? Yep, probably. Your Facebook? How much do you care? If it's your professional reputation or your influencer side? Then yeah. If it's just for fun and pictures and you can deal with being locked out for a couple of months, then you know, okay, okay, what's appropriate to the risk?
Hannah: Okay, so that leads us to my last and final question. Like I said, it's cybersecurity month. Do you have any final tips for our listeners today?
Matt: Well, this is more toward the business side of things. I want to see phishing testing become the norm.
I have some friends and customers who do extremely sophisticated phishing testing on the regular. Every month there's the [HHS] Wall of Shame.
This is a very sophisticated organization, just to show people these things can be extremely sophisticated, like literally anyone can fall for it if you're just not paying attention or get caught at the wrong moment.
And so that folks know in the organization they will be phished, if only by their own company, to just give them that heightened level of awareness and pay attention.
Beyond that, it's the basics. I hope everyone on Mac and iPhone installed the latest updates. I put it on my Slack yesterday.
If you will, [go] back to basics. Every layer of the security onion, pay attention to it, assess your risk. Understand, both personally, where do you sit in the chain? And from an organizational standpoint, where do you sit in the chain?
And if you're managing your security well, you know what your problems are. So if you don't think you have any problems or any weaknesses, or you don't know what they are, then you have a problem right there, because you probably do.
Hannah: There's always a vulnerability. There's always a patch, there's always some way that you can be more proactive. And if you don't think you can, you're probably already breached. Not to scare you, but that's probably what it is. I mean, it's a high chance you're probably already breached if you think your cybersecurity is perfect. Well, Matt, thank you again so much for joining me today. I've had an absolute pleasure talking to you and we'll speak soon.
Matt: Great, thanks so much.
Hannah: Head to paubox.com/blog for all the cybersecurity and HIPAA compliance tips you need. Are you registered to attend our next free social mixer? Join us on October 28, and we’ll send a complimentary beverage to your door that day. During this event, you’ll be able to ask questions about anything infosec-related while you network with others in the industry. At our most recent event, attendees discussed how to sell a robust cybersecurity stack to the C-suite and how Paubox is “just like insurance” when it comes to email encryption. Please email me at hannah@paubox.com to register and submit any topics for the event. Don’t forget to add Paubox SECURE to your 2022 calendar. This event takes place on March 23 and 24 at the Park MGM in Las Vegas. Head to pauboxsecure.com for more information. You can listen to every episode of HIPAA Critical on paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, Amazon Music or wherever you listen. Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.