This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack (the News): Summer Breach’s Surge and Hidden Security Lessons with Josh Howell

[00:00:00] This episode is brought to you by Rubrik. Rubrik works with you to better understand your data and workflow so they can help you build up a better security solution that's just for you.

A solution that not only secures your data, but puts you in the best possible position to recover faster from a ransomware attack. So. Reduce complexity and make sure your data is protected no matter what cloud provider you're using or how bad the cyber landscape looks. Find out more on how Rubrik can help you elevate your cybersecurity game.

Check it out at thisweekhealth.com/rubrik. That's R-U-B-R-I-K, thisweekhealth.com/rubrik. Today on Unhack the News.

Josh Howell: the faster we cross pollinate, the faster we as vendors, customers, providers, practitioners, lawyers, you know, whatever can come to this is how to solve this problem.

Drex DeFord: Hi, I'm Drex DeFord, a recovering healthcare CIO and [00:01:00] long time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News. Hey everyone, it's Drex.

Welcome to UnHack the News. I have Josh with me today. Hey, Josh.

Josh Howell: It's nice to be with you. Drex. Good to see you again.

Drex DeFord: I'm glad you're here. You know, this is, I think, the first time that we've had you or Rubrik on UnHack the News. So why don't you gimme a little bit about your background. We were talking before we started the show.

It's really interesting. Tell me a little bit about your background. Tell me a little bit about the work you're doing now with Rubrik.

Josh Howell: A little bit about my background. I've worked in IT since I was 15. A couple different countries, came back to the US. My parents worked for nonprofits overseas and went to college.

Joined the Army. [00:02:00] Army sent me to Washington. Turns out you and I live pretty close to each other in terms of the geography of the US, and I worked for a bunch of different organizations before jumping over to the dark side and helping vendors sell stuff. And so today I try and be helpful to like all of our healthcare customers, so a lot of different organizations across the country, and I spend a lot of time talking with them about cyber resilience, understanding what's happening at some of their sister organizations and the emerging body of knowledge about how

industry and practitioners are coming together to try and address the scourge that's racking IT these days. So I feel like I have a wonderful job in that. I just get paid to go and have interesting conversations and meet interesting people. Tony Lakin at UTSW and Brad Busick at MultiCare and all these interesting folks that it's fun to hang out with.

So I feel really fortunate.

Drex DeFord: I feel like that you and I have the same [00:03:00] text buddies. Yeah, it's, I mean, we are, we're super lucky, right? To be able to work in healthcare. It's a great mission, patients and families, all the good things.

Josh is super humble. If you get a chance to sit down with Josh and have a conversation, he's not somebody who's gonna run you over but ask you a lot of good questions and share a lot of stuff that he knows, and I know that you won't say that, so I'll say it for you. I always have a great time every time we sit down and have a chat.

I always come away smarter. So

Josh Howell: yeah, the discussions about hair advice. If nothing else, I've been trying to implement some of your tips.

Drex DeFord: We do what we can. Thanks for sharing some stories for us to hit on today. One of them is from BleepingComputer. The heat wasn't just on the outside. Cyber attacks spiked in the summer of 2025, and there's a bunch of bad guys that they cover in here, a few anyway. They talk about Qilin, they talk about Scattered Spider and Rhysida and Interlock.

I mean, the point of this whole story is really just about the way that the [00:04:00] bad guys are just continuing to be relentless on healthcare. Tell me what you guys are seeing as you talk to health systems across the country.

Josh Howell: It's difficult because we want to have empathy for the organizations we talk to.

And we know that, the fear is already there. Nobody needs to be convinced that this is a problem to take seriously and deal with. And every organization was already dealing with tight margins, budgetary cuts. And at the same time that we've seen cuts to rates and reimbursement, we're also seeing this just proliferation of threats.

And there's a number of reasons for it. As one, they're increasingly targeting places where we can't live without that service. So healthcare, it's critically important. Downtime can be measured in lives and there is a massive litigation risk if data's breached. So there's a lot of organizations that we've talked to.

We run this immersive ransomware experience that's a departure from, the usual month in, month out, tabletop thing. And we often get this [00:05:00] debate about whether you're obligated to pay a ransom. Because does it set you up for litigation risk later if you don't, if you can't prove that you've done everything you can.

And yet we know that every time an organization pays a ransom there is an increased odds. They get hit again really quickly. I really feel for CISOs, CIOs and security practitioners who are caught in this perfect storm of haves and have nots of like, if you've got everything and you're all set you're in a much better shape.

And if you're trying to justify cybersecurity investments at this point that's tough, right? So, like, there's a few trends. Dwell times seems to be decreasing, so it's gone from, a high number of days to weeks to, in some cases a day or less.

Drex DeFord: I've seen some of the reports coming outta some of the organizations saying sometimes it's even just minutes.

Depending on how the bad guy's set up and how they get in they crack open the safe and start exfiltrating data within just minutes.

Josh Howell: Yeah. And then just the sheer creativity of how [00:06:00] some of this is happening. And I was reading an article about how they're targeting hypervisors and the control servers and using those to execute attacks against like virtualized domain controllers and exfiltrating the VMDKs or the VHD files so that then they can take their time brute forcing every single password to use to reestablish access after the recovery has been done.

And. It's just highlighting again, how identity, if you were privileged enough to hear Eric Decker speak at HIMSS this past time. I sat there and just kind of put my head in my hands at some of what he was sharing, and we had a chance to talk again in Chicago and he's an interesting guy.

I think I'm supposed to talk to him this coming week about some stuff, but the announcements that we've made around Active Directory protection and identity resilience of like, how can we help spot some of these, privilege escalation or if people are changing, like the Kerberos ticket granting token time to live, things like that, that are emerging indicators of [00:07:00] an attack in progress.

But unless you have the right tooling and telemetry to spot those things happening, in my previous career when I was last responsible for Active Directory I would've never noticed those things. I had so many other things to do, so. It's kind of mind boggling.

And there's always this tendency to think that the things that we have are the most important. And then I'm always coaching our sellers to like try and put themselves in the shoes of their customer and think about how what we do is one small part of the vast number of things that organization has to worry about.

Think about that CISO, CIO, VP of Infrastructure has on their plate in any given moment just as a way of understanding how to approach them or be a good partner. So it's what's the curse? May you live in interesting times, right? We do.

Drex DeFord: And interestingly, I think that's a Chinese curse, if I'm not mistaken.

Josh Howell: It's been so repeated that I don't know.

Drex DeFord: Well, so, the other thing I think as I hear you talk about that, that I realize from time to time when I [00:08:00] talk to leaders in healthcare, it is that sometimes there are members of the staff who have done things the way that they are doing them today.

They've done them that way for a number of years. And so for them, that's what good looks like.

And of course they know the world is changing and the bad guys are, getting better and faster and smarter and using AI and doing all of the things. But they keep looking at their same tool sets as this is how we're gonna solve the problem by buying more of that, or turning up the volume on it or something like that.

Instead of really sort of taking a step back. And I think this is a. I dunno if it's a culture thing. I think it might be a little bit of an ego thing that they can't take a step back and say, if I could empty out the entire shoebox, what would I really put in here now? It's hard for people to sort of put that aside.

You see the same thing sometimes when you're talking to customers or when you're hearing from folks at many conferences that you go to.

Josh Howell: I'm actually really glad you asked that [00:09:00] question. It wasn't something you and I talked about discussing, but I have this like massive frustration and I understand the value of RFPs.

I understand why we do them. But boy, does it frustrate me when we get an RFP that feels like it was written in the late 1990s. Yeah. It's just all about data protection, like the traditional classical, can you restore an individual file? And I'm like, everybody should be able to do that by now.

And it doesn't ask any of the questions about the new set of capabilities. Yes. I mean, that's human nature, right? So like we still call these things phones, even though. That may be the thing that we spend the least time doing on them. But that was the mental box that we had. So we replaced the phone with this thing and now it has all these new capabilities, but we still think of it as a phone.

Right, right,

Speaker 3: right.

Josh Howell: And so, we'll get these massive RFPs that have like a week and a half turnaround time that require all of this work to put together. That aren't really even answering good [00:10:00] questions, right? And so sometimes I just offer people, I'm like, look, I have a list of the new required capabilities.

They're not in Rubrik terms, like use it or don't, whatever. But yeah, there, there is a new set of tooling and it's actually something I'm kind of fascinated with is there's. The things we are talking to organizations about, the importance of having downtime procedures, of identifying the minimum viable hospital of critical applications, of understanding that DR measures won't save you.

Because what you're really struggling with is this loss of trust. So if you want to get back online in a reasonable amount of time while the forensic investigation and remediation is happening to regain trust, then you're going to need an isolated recovery environment. And once you arrive at that, then the needs that you have around data protection and the tooling are completely different.

Well, not completely, but when it comes to recovering from these attacks, what you don't restore is [00:11:00] as important as restoring. Important data and that if you contaminate that and introduce malware, you get to start all over again.

And so,

Drex DeFord: and you see that's why sometimes these things take 30, 40, 50, a hundred days for people to recover from because they keep Yeah.

Shooting themselves in the foot as they go through this restoration process. And they have to go back to the beginning and clean up and restore. So have an IRE having understanding I have this clean environment to start kind of a huge deal.

Josh Howell: It is, and the, This is what I'm fascinated with is like how we as a vertical, an industry, a sector as a society, we come to develop this body of knowledge together in that, a health system that gets hit, they responded to their attack, but it was very specific to them.

So how do we take the lessons from that? Get them out from behind the lawyers who don't want to talk about what happened, share them broadly. So, Ardent Health, their leadership, Annika and Lonnie, the CIO and CISO. I think [00:12:00] I'm supposed to talk to Lonnie tomorrow. They got up at CHIME Fall Forum and were very transparent, not Rubrik customer.

I'm just so grateful to them for having the courage and for having worked with their legal team to get permission to share broadly. This is what happened. This is what it looked like. Here's what we dealt with. Here's what we were unprepared for. These are the takeaways. If you do a few things, do these well.

Right? I've heard other CIOs behind closed doors say, don't quote me. I don't want my name attached to this, but here's what I would want to have everybody know. And so I really admired them for sharing the Ardent Health folks. So we take that knowledge and then we try and build it into products.

Right. And then we try and convince everybody that's the right way to do it. And sometimes we're wrong and we have to go back to the drawing board. But there is this emerging body of knowledge. Like organizations like HealthLink Advisors when I talk with them about their blackout blueprint and how they define downtime processes and build this set of minimum viable hospital [00:13:00] applications.

And then we talk with Mandiant and others is like, we're slowly kind of arriving at here's how you address this. In a practical, repeatable, tested way. Right. So that's just. Something that I spend a lot of time thinking about is like, how is we as an industry can do more knowledge sharing in the wake of what's a very sensitive event?

Drex DeFord: I mean, not to toot our own horn, but it's a big part of what we do with the 229 project and the CISO summits is that when you get those people in the room, they will talk plainly and clearly to each other even though they will from time to time say. This is just between us, right? but that's the whole point is that you can get it off your chest.

You're not alone. You can get feedback from others in the room. And for the partners who are in the room, there's a lot of great sort of insights about. How the whole situation came about and where they made mistakes going through the process to recover and getting back on their feet.

There's nothing else like it. That's why I'm kind of involved with this, but there's nothing else like it. I [00:14:00] love the way that these guys and ladies will just kind of unload on each other. Because it's okay to be vulnerable and that isn't the rest of the world that we live in.

Like you said, everybody lawyers up the instant that it smells at all, like maybe there's a breach going on minutes later there's a class action lawsuit that's been filed. All those things that happen that are counterproductive in a lot of ways, it keeps everybody's mouth shut when they should be talking to each other.

Yeah. Other great organizations through the healthcare ISAC, Health Sector Coordinating Council, all about trying to help folks share information and do better, especially in the heat of the battle when something's going on.

Josh Howell: Yeah. I like the Chatham House rules format that you guys have.

And in fact, as an example of this, I first heard about attestation at one of your events. One of your CIOs shared and said this was a huge problem and I furiously jotted it down and went [00:15:00] back to our product team and we talked about is there a way we could help? And then later we heard Ardent Health when they presented, talk about the same problem.

So we actually took a lap with a couple vendors who we don't compete. And so we started thinking about like, how could we give the lawyers. Better grounds on which to write those attestation letters much earlier in the process. And restore some of those services that have been cut off, out of an abundance of caution.

Sure. So it's interesting the faster we cross pollinate, the faster we as vendors, customers, providers, practitioners, lawyers, you know, whatever can come to this is how to solve this problem. Right? Yeah.

Drex DeFord: And get systems back up and running for patients and families. Right. That's ultimately what resilience is all about.

Josh Howell: Yeah. Drex, I, you said earlier, I wouldn't toot my own horn, but I'm going to now. Okay, good.

My team and I think we know more about quantifying the financial impacts of ransomware attacks and data breaches in healthcare than [00:16:00] anything else I've seen. So we have consumed. Every study we can, and built the most detailed model that I know of.

And it's really fascinating when you start to apply facts like you're looking at a 20 to 40% decline in patient volumes the first week after the encryption event.

Speaker 3: And

Josh Howell: that's just top line, right? There's going to be increased rev cycle leakage for the patients that you do treat and the care that you do provide will be less

thorough. You're gonna order fewer tests, order less labs, et cetera, because the increased friction of that,

Drex DeFord: they're gonna be less well documented. Right. So you're not gonna paid as much for them. Yep.

Josh Howell: And then the coding will happen later on insufficient notes that were taken by hand, and then the billing may be, or, late, so reimbursement and denials Yeah.

Will be affected and so forth. And the chain of events keeps propagating. According to Deloitte, they wrote this really prescient white paper beneath the surface of a ransomware attack. And it was a number of years ago. I wish I had a hand in it [00:17:00] 'cause it's really well done. But it talks about these 14 categories of costs that every ransomware and data breach have.

And. The work that we've done in this model we've built isn't trying to convince anybody of a number, but when you go through and you put some number in every category, you quickly start to realize like this is a board level discussion. This is an existential threat to a number of organizations. So I know, and it's public and it's been for a while, so we can talk about it, but like there was an article, SMP Health.

Publicly said that ransomware attack was the nail in the coffin.

Speaker 3: We

Josh Howell: couldn't bill for three months.

Speaker 3: Mm-hmm.

Josh Howell: Shut down. And so there's all of these facts and statistics, like there's a 30% increase in medical errors. Mortality takes a quote, slight but significant increase from three in a hundred to four in a hundred patients, which you could look at as small or you could say that's a 28% increase, plus I'm the one.

Yeah. And I, the 28% came from a different study that math doesn't math, but when you start to apply these things and you [00:18:00] think, okay, then that is a 30% increase in the rate of settlements that we'll pay. Over business as usual. And then you get to like the tertiary downstream effects of, increased cost to raise capital, brand evaluation, on and on.

One of the things that always people ask me about when I walk them through the math line by line is that the notification costs can dwarf the actual class action settlement. Right. And people think like they think in terms of the large numbers that are attached to the settlement, right?

But they don't think about how in the immediate wake of an incident, the lawyers are asking who was affected, how many records, who do we have to notify? And if you get that part wrong and later you have to go back and well, you've already spent $3 per person minimum to notify them. And that can be. Two to three times what you spend in the class action settlement.

Right. And the

Drex DeFord: reality too, For the notification process. I think most organizations are probably, they work that conservatively, so their [00:19:00] tendency is to over notify. So right out of the gate, they're probably spending more money than they need to, 'cause they don't really know what happened in many cases.

Josh Howell: Right. Yeah. And not to talk about us, but like, that's one of the things that we're saying, like if you can determine not the sensitive records that were on that server now, but what was on there 30 days ago. When this happened. What changed right around that time? Anything you can do to constrain that list and be as accurate as possible, rapidly starts to constrain the overall costs of the data breach, the litigation, the eventual class action, settlement, et cetera.

Actually, I'm gonna put out an appeal, if it's okay with you, if there's anybody who works in FP&A or a CFO for IT who is willing to answer some questions. We're constantly working to improve our model, to flesh out other categories around like cyber insurance. We know things like.

There's a 67% increase in marketing and public relations costs in the wake of a ransomware incident and data breach.

Well, [00:20:00] that's an interesting factoid, but when I have no idea what that cost looks like for normal business, I can't estimate it. Right. So we have been on a tear for a while now, trying to give the organizations we work with the best

look at this is the risk number, right? Because any investment in cybersecurity, whether it's something related to Rubrik or it's perimeter security, or IDS, IPS, MFA, what have you, right? Managed SOC. You have to start with what is the risk that we're mitigating? Is this warranted? Right? And the white paper from Deloitte, their whole point was that these costs and impacts are being systematically underestimated.

We are drawn naturally to the headlines, which are usually about the ransom, the data breach, whatever. But that there's actually these factors that play out over a decade. That it takes a decade for the financial impacts to all settle out. And when you aggregate those, it's an eye watering number.

So, anybody who's willing to just answer some questions off the [00:21:00] record, I'd be so grateful.

Drex DeFord: Would love to do that. If you send me the link to the Deloitte paper, I'll make sure we also put it in the notes. And I'm sitting here thinking, I feel like we should do another show somewhere down the road where we actually maybe walk through some of the math that you guys do.

'Cause I, you don't have to be a Rubrik customer to walk through that math with you, right? You'll help anybody kind of think through that process.

Josh Howell: Yeah gimme a call. We'll get on a Zoom and I'll punch in some numbers and you can help me fill in some others and I'll share the results with you.

So, again, like I've been on all sides of the table. I've been a customer, I've ran a channel partner, I've been at a vendor a number of times, and I think, you develop empathy for those other roles and you just want to be a good partner and give something of value back to the organizations you call them.

So happy to do it.

Drex DeFord: I think it's a great idea. The reality is what you're doing is helping cyber leaders build the business plan to support their argument, to spend money for [00:22:00] cybersecurity and resilience. Mm-hmm. And that's hard math. But it's math. You just have to figure out what numbers you want to stand on.

And some of it is just, I think, getting started. So it's cool that you're doing that.

Josh Howell: Well, it's a fun job. Like I said, I think I have the best, coolest job in the world. So, no,

Drex DeFord: I got the coolest job in the world. But everybody, you're close. I can, Hey, thanks for being on today. I really appreciate it.

Sometimes we really get into the news and sometimes we go down a side path, and I love the side path today. So thanks for taking me on the trip.

Josh Howell: Yeah, of course. Thanks for having me. And apologies for going off on a weird tangent, but if we can help in some way, we'd love to, and maybe this is one of those ways.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT [00:23:00] news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.