This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24/7 threat defense services or advisory services delivered through Central Command, a first-of-its-kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.
Learn more at fortifiedhealthsecurity.com today on Unhack the News.
(Intro) If you think about doctors and nurses, they're people that want to help. Right? And urgency matters, because seconds matter in those lives. So when you're sending somebody, "Hey, I need you to click this thing real quick, I need some help," there's probably a reason that healthcare higher, right? It's a natural tendency to want to help and to be helpful.
But it also leads to maybe getting tricked sometimes.
Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative [00:01:00] cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories.
And now, this episode of Unhack the News.
(Main) Hey, I'm Drex DeFord, a long-time recovering healthcare exec and now the cyber guy at This Week Health, and this is Unhack the News, a podcast where I sit down virtually with some really smart folks who really know this business. Together we get to pick through some news stories and talk about some challenges in healthcare cybersecurity, and today I have Preston Duran, Vice President of Threat Defense at Fortified Health Security.
Preston, welcome to the show.
Hey, glad to be here. I'm really excited to get to talk about some of the recent things in the news and have a great conversation.
Nice. I was looking into your background a little bit. Because I have a tendency sometimes to creep on some of the guests that are going to be on the show.
[00:02:00] You've been at Fortified for a while. Can you just real quickly tell me about that journey? You've done so much stuff, and I'm sure you've been to so many sites and seen so many CISOs and teams and learned so much. It's why I love to have people like you on the show, because clearly you're grounded in tons of experience.
Thanks.
So I've been at Fortified about five years. Pre-Fortified, I spent most of my career in healthcare cybersecurity in very large environments, and I was ready to make a change. The opportunity at Fortified came up, and so I was like, hey, this is right up my wheelhouse, right?
It's cybersecurity, healthcare, it's all the things that feel like home to me. I started as kind of a vCSO, so the virtual CSO, and pretty quickly on there was an opportunity to run the threat defense center. I'm technical by nature, and so it made a lot of sense for that transition, and I've loved it ever since.
We built a really good program up, and I get to live in a little bit of the ones and zeros, and maybe a little bit of code, and the things that really keep me energized and keep me passionate [00:03:00] about this.
Yeah, love it. So Threat Defense. Now you're the Vice President of Threat Defense. What's that mean?
What are you focused on?
Yeah, so if you think about defending against threats, right? Not to restate the title, but it's defending against threats. Think technology-enabled services, really cybersecurity operations: SIEM, XDR, ConnectedMed, Managed EDR, those kinds of things, the 24/7 services. So that all falls under me, and then the implementation of those services as well.
Nice, nice. Let's get into a couple of the stories and see what's going on here. So one of the stories is around Microsoft unveiling resiliency and security enhancements following the July global IT outage. By July global IT outage, we of course mean the CrowdStrike July 19th event, which took a bunch of computers down.
took a look at the story. What's your initial impression of what they're doing?
I really like what they're doing, and I'm not surprised this came out. This year at Fal.Con, right, CrowdStrike's user conference, the first thing in the first-day keynote, right?
The president gets up there and he hits it head on. He doesn't shy away from it. His whole talk track, or a lot of his talk track, was around resiliency, and we're hearing that more in the industry. I think they did a really good job, and the special guest speaker in that was the CEO of Microsoft, right?
Publicly, we all saw the back and forth from maybe different people, so it was really good to see a lot of that, and the CEO of Microsoft talked about some of these things as well. Alright, so not surprised to see this come out. To me, there's a lot of parts to it, but you can break it down into two primary focus areas:
what is Microsoft doing internally? And then how are they essentially enabling either IT or partners? Let's get into that a little bit. For the IT involvement, if they had rolled this out on July 18th, this part would have been great. But IT admins can modify Windows Update settings and stuff, and really repair unbootable systems, even if [00:05:00] they're in a state that can't boot.
That is really interesting, and without physical access. So if you think about... And that was really the situation after the July 19th CrowdStrike update: machines were blue-screened, and you had to physically go visit the machine and start over from scratch.
Absolutely. And for this one top point, the one part of the article, the two main things it references are unbootable, and without physical access, doing it remotely. That is a really good example of taking a situation and then really hyper-focusing on how do we remediate this or prevent this in the future. So I love to see that that's available, because that goes into a lot of different things, which is the second point with how they are helping IT admins: the hot patch in Windows.
I don't know what they're gonna call it. I think that's what they're calling it, but essentially it allows you to apply patches without rebooting, and that's a big thing, because in healthcare, and you come from healthcare like I do, it's very difficult to patch in healthcare, and [00:06:00] it's not out of laziness.
It's never a good time to take down your EMR; there's never a good time that you're not treating patients. When we think about the CIA triad, confidentiality, integrity, and availability, which is one of the interview questions I'll always ask people, which one do you think is most important in healthcare?
Almost everybody says confidentiality, unless they've worked in healthcare and they know it's availability. Now, obviously, it's situational, right? But this seems to be up to treat patients. So this kind of speaks to that. So if I'm thinking about this, it's okay, you can push patches without having to reboot.
And if something happens, you can recover without being physically there. Those things are going to allow us at IT, cybersecurity and the IT side of that in healthcare, to feel more comfortable getting these patches a little bit sooner and having a more regular schedule.
Especially we're so spread out, right? That's the other thing. When I talk to CIOs and CISOs around the country and you do all the time too, but this situation of there's a bunch of folks. Maybe who are working [00:07:00] remotely from home, from the IT department, or even if they come together, they usually come together mostly in a centralized building or a centralized department.
And sometimes you have... I've worked for a health system that had clinics in Washington, Alaska, Montana, and Idaho. There were not IT people in all of those locations. And that seems to be more and more of the situation. So being able to do this capability remotely is pretty cool.
If they can execute anywhere close to what it looks like, which I'm sure they will be able to, then this is gonna be huge, the hot patch thing, being able to reboot four times a year instead of twelve for those Windows updates. It doesn't speak to third-party stuff, but it's a good start.
It will allow them to feel more comfortable making progress without sacrificing the business operations, right? So we've got to talk about two pieces. There's the what are they doing to help make it easier for us? And then what are they doing on their side? And I think on their side, the main one is the talk about transitioning from C to [00:08:00] Rust.
There were a lot of very similar conversations for the Linux kernel and a lot of, funny to follow, high-school drama associated with that in some of that community, right? But when you get into these kinds of safer programming languages, you should start seeing a little bit fewer things like memory issues and stuff like that.
That one is an aside, just an FYI. I think there's not really any action for us. The other one, and the Microsoft CEO spoke about this at the Fal.Con conference, is the transitioning out of kernel mode to user mode for things like antiviruses, right? So it minimizes the damage that can happen if there's misconfigurations and things like that.
There's a lot of folks, third-party wise for Microsoft, that have access to the kernel as part of the... here we go down the hole. They have access to the kernel, which, when I was at CrowdStrike, we referred to as the beachfront property of the whole operating system. And if you make a mistake, then obviously it's not great for the whole [00:09:00] machine.
I think there's so many benefits, because right now, again, the managed EDR stuff falls under me and so do the implementations. And what we run into is when you're doing a rip and replace of some legacy thing, or just two antiviruses, you can't have them both and protect them all at the same time, because they fight over the kernel and it'll cause blue screens.
So you have to accept some level of risk for a certain period of time while you're making that transition and doing that tuning. And so hopefully this will minimize some of those risks, because again, when we're doing these things, a lot of our efforts are focusing on the availability of the data in the systems.
Yeah. Hey, thanks for taking that apart for us. It's actually super helpful. There's a lot in that article, and it's a very compressed kind of package of information. Hopefully the audience gets a lot more out of it because of this conversation. I want to do one other article.
And this is one that you and I talked about before we started. There's an article that came out of UC San Diego, it's called [00:10:00] Understanding the Efficacy of Phishing Training in Practice. And they get into, okay, there's sort of the security awareness training that we do on an annual basis.
Then we do the sort of ongoing phishing training. And they have a lot of findings in the paper; some of it's a little surprising. What did you think as you got into it and read it, and what are your thoughts about what's going on?
Yeah, so I found the article, found the paper, and it was like 76 pages, and I was like, oh man. I was just going to summarize, browse, and I ended up reading almost the whole thing.
It's very interesting. It goes into a lot of detail, and a lot of the paper is them essentially explaining their methodologies, improving the numbers, which really adds a lot of credibility. So the summary of the overall paper is essentially that there's no significant reduction in phish failure rates, whether you've taken training or not.
They had control groups, they had groups that weren't given any training, they had groups that were given static training, [00:11:00] right? It was like, read this thing. Or they had the embedded training slash interactive training. And there was, especially with the static stuff, not only does it not help, the math in their training viewpoint shows that it hurts. I think it was like a 14 or 15,000 user healthcare environment.
19,500 people that were in the pool studied. Yeah.
I was shaking when I read this. I'm like, this goes against my assumptions.
So how did you feel about it?
Yeah, no, that was, I think, my initial reaction to it too. At one point in my life, I was the CIO of a research institute too. And so my first reaction when I read the abstract, and then I, like you, was like, let me scroll through this. There's something in here I'm not getting.
And then, once I got to about page 70, my initial reaction was somebody else needs to replicate this study. These studies are great, to put something out there and say, we [00:12:00] did a study and here's what we found. Basically, if you do this kind of training, it really almost makes no difference as to whether or not employees will click on phishing emails.
And in some cases, like you said, maybe you're doing something that might actually make it more likely that they'll do the wrong thing. So I'd love to see someone else or four or five someone else's do this same kind of study. Like you said, they've done a great job documenting all the stuff that's in there.
How they did the study, what their assumptions were, all those kinds of things. I think if some others would do that same kind of study, it might be interesting to see, do they have the same result? Do they have a different result? Because it definitely goes against our thoughts of yeah, if you train people, they will do better.
And maybe not.
It also goes against the experience that I've had in healthcare with this stuff. And just for those listeners that haven't or don't plan on reading it, some of the statistics: 56 percent of the people failed one of the simulations, and then the eye-opening statement is, out of these [00:13:00] training groups, it only showed like a 1.7 percent absolute reduction, whether you've been trained or not trained. And when you think about the time, energy, and dollars we spend on this topic, that's a little bit concerning, right? I jotted some notes for myself on a couple of things, some definitions, embedded versus static.
Right? Embedded is, a lot of times we've done this with KnowBe4 and Cofense, different phishing things where you click on a phishing email and it makes you take the training right then, right? Hey, you should have spotted this. And so one thing it pointed out is that may look like continuous training, but it's actually not, because unless you actually fail, you're not getting trained, right? Which was like, that's a great point, right? And then they captured the time on page for when they did that, and on average, users spent less than 10 seconds on that, right? But what they found is some users spent 90 seconds, and the users [00:14:00] that spent 90 seconds did have a reduction, right?
What that kind of tells me is everybody's busy, but if some users, when they get that training, they're not really paying attention to it. Which means they're also not really paying attention to the content in the email, which caused them to then click and get the failure. Yeah, so like that was really interesting.
And then like what they found with the once a year training was that really didn't do a whole lot. And other than if they were trained and then immediately took a quiz, it did help them pass the test. Yeah, it didn't help them with not clicking on phishing emails, but it did help them pass the five question quiz or whatever we all have to take as we do those things.
And the other part of this is, and you alluded to it, this is all done, as much as they can, trying to just isolate this particular situation, but it doesn't take into account, like, are people really busy? They have a hundred things going on and they're distracted.
And so they're more likely to click on the phishing email, maybe because of [00:15:00] that, but they've isolated it, linked it to the training. There's so many other things too that I know you and I have seen in the field around phishing. One of my favorite tricks that somebody told me about a couple of years ago was that they tied a tiny portion of all managers' bonus program to the phishing click rates of their employees. And that turned into, in every daily huddle and in every management staff meeting, there was the, "Okay, and before we close the meeting today, don't click on phishing emails," right? It became part of the culture of the conversation.
There's all those other things that can have an influence on this.
Totally agree. And again, just reading through a lot of this stuff, the interactive stuff seemed to do better than the non-interactive stuff. But if we think about the challenges specifically in healthcare, right?
I think one, not everybody has a dedicated system. An accountant is going to have a dedicated [00:16:00] system, right? A lot of nurses and doctors don't. So what media are they actually taking that training on, right? If you click something and a little video pops up, you have to do it.
Depending on where it is, if it's on a floor or something like that, then you're not really going to be able to have sound and things like that. And the other thing is, if you think about doctors and nurses, and from a psychology perspective who healthcare workers are, they're people that want to help.
Right? And urgency matters, because seconds matter in those lives. So when you're sending somebody, "Hey, I need you to click this thing real quick, I need some help," there's probably a reason that healthcare higher, right? It's a natural tendency to want to help and to be helpful.
But it also leads to maybe getting tricked sometimes.
Yeah, that is such great insight. We talk about that regularly, how folks who work in our business are pre-programmed to be firemen, to be helpful. And yeah, that's a great point. Hey, I really appreciate you being on the show today.
You've really helped us unravel a couple of these stories, dive in a little bit deeper. Thanks for taking time and [00:17:00] thanks for being on. I really appreciate it, Preston.
Thank you for having me. I had a great time. I really enjoyed the conversation.
Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.
Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.