Rachael Lyon:
Hello, everyone. Welcome to this week's episode of the To the Point podcast. I'm Rachael Lyon, here with my co-host, John Knepher. Hi, John.

Jonathan Knepher:
Hi, Rachael.

Rachael Lyon:
Hi. So what are you doing this weekend? You have any fun plans? Anything going on in San Diego?

Jonathan Knepher:
Let's see, this weekend we're packing the kids up to go off to college in another couple of weeks, so.

Rachael Lyon:
Ooh, big one, big one. That'll be fun. I, oddly enough, I am not cool at all, but I got invited to a fashion show, so yes, that sounds.

Russell Teague:
Like a lot more fun.

Rachael Lyon:
Know, I think it'll be really awkward for me because I am not, I am not fashion forward. I wear black tops, black pants, and there we go. We're good to go. So anyway, without further ado though, I would love to jump into this week's guest. Please welcome to the podcast, Russell Teague. He is CSO at Fortified Health Security. He's more than three decades in the information security world spanning sectors such as healthcare, pharma, financial services, technology, among many others. Eddie's contributed his expertise to the White House National Cybersecurity Healthcare Strategy, among many others as well.

Rachael Lyon:
Welcome, Russell.

Russell Teague:
Thank you, Rachael and John. Well, look, many of our colleagues are also sending their children off to college. Mine are a little bit older now at 36, 29 and 25, so.

Rachael Lyon:
Oh, nice. Okay. Are any of them living at home? We were talking about that earlier that a lot of boomerangs after college.

Russell Teague:
My youngest did come back after college. He was a music major playing saxophone and he did come back, but he's engaged and, and soon we'll be moving out on his own again. So.

Russell Teague:
Yeah.

Jonathan Knepher:
Congratulations.

Rachael Lyon:
That's wonderful.

Russell Teague:
At that point, we'll be empty nesters for the second time around. But we've got one beautiful two year old granddaughter. Just amazing, right? And so because we, we, we had three boys and didn't have the young girl and so my, my wife is over the moon.

Russell Teague:
Right?

Russell Teague:
Just absolutely over the moon. Bank account's hurting from it, I'm sure.

Rachael Lyon:
Oh, that's fantastic. I would move back home, Russell. I'm just saying, I don't think you're ever too old to move back home. Putting that out there.

Russell Teague:
Well, and it's just so difficult. Today's economics.

Russell Teague:
Right.

Russell Teague:
I mean price of that price. Even rental homes and everything else are just through the roof. So it's, it's difficult for the, for young, young career, young young adults in, in the early st. Career. It's just challenging for them.

Rachael Lyon:
So yeah, it's. When I lived in New York last, last little sidebar here. I lived in New York for about 15 years and worked on at some agencies. And so there are always a lot of, you know, right out of school folks joining and they would have like five or six roommates in a one bedroom apartment and you know, someone sleeping in the vestibule, someone sleeping in the bathroom and. But that was the only way they could afford to live in New York City. It was bananas and it's, that's just crazy to me. I couldn't do that myself. Yeah, yeah.

Rachael Lyon:
All right, John, do you want to kick us off and like, let's get to the real conversation.

[03:43] Top Cybersecurity Threats in Healthcare Today

Jonathan Knepher:
Yeah, Russell. So let's just dig right in here. What are the top cybersecurity threats in health care today?

Russell Teague:
What, where do we start? Right. And so, but I think if I was to kind of pick maybe the top three to five here, ransomware, and probably most specifically ransomware as a service.

Russell Teague:
Right.

Russell Teague:
Because we're seeing more and more where sophisticated, advanced persistent threat groups or hackers are creating ransomware as a service and enabling much less sophisticated organizations to go after it. And healthcare still has the largest data trove available.

Russell Teague:
Right.

Russell Teague:
If you think about identity theft and there's so many undocumented people here in the country, identity theft is a major issue as well as targeting revenue cycles and payment redirections and things like that. That ties right into third party.

Russell Teague:
Right.

Russell Teague:
Third party risk would kind of be my number two in terms of third party compromise because the threat actors see the opportunity to breach one entity but get access to many. So it's a one to many situation for them because most of these third parties are interconnected with so many significant organizations. Change Healthcare and move it is two great examples of where third party risk is really starting to be on the rise in terms of the overall threats. AI. No conversation in cybersecurity can be had without AI nor healthcare. AI is everywhere. It's not a fad. Let's be clear, everyone, it's here to stay.

Russell Teague:
It will change our lives and the way we operate, as many wonderful disruptive technologies do. But when I think about AI and AI threats, there's kind of three domains. One is the enablement part, and I'll speak from healthcare perspective. The added advantages that the doctor gets not only in just recordings, but also access to information to compile therapies and the efficacy of therapies. So, you know, if you need services, you want the service that's going to give you 100% outcome, right? I want to know that, you know, my disease or whatever I'm dealing with can be solved. I don't want to try. Well, well, maybe it sort of worked over here and this doctor knows that, and it might work over here, this doctor knows that one. But over in the Europe they've got a, you know, 100% efficacy, right.

Russell Teague:
And so I want the one in Europe, right. I mean, so. So AI is giving access to all that information and bringing us better therapies that have better outcomes. So that's saving lives. Two kind of stools to the legs to the stool in terms of AI is the offensive and defensive side, right? Offensively, right. Threat actors are using it to be better at what they do as well as even evolve those, right. We're seeing malware that self evolves associated with AI intelligence. And then you see in my world, being a managed security service provider with fortified health security, the defensive side, right? Ability to rapidly process massive amounts of data, draw conclusions, look for unique behavioral changes both in system and network traffic.

Russell Teague:
So AI is definitely there. And then I'll end with hack the human, right? It's still the most number one prevalent way that threat actors get access into our environments. Humans just by nature, we want to be helpful, we want to hold the door open, we want to, you know, let me show you where that's at. And you know, we like to click on the funny things, the morning news and things like that and HR and people's payroll. And so it's still the most common way to get someone to either social engineer them or send them an email or browser link and get them to click.

Russell Teague:
Right.

Russell Teague:
So end user training is essential and.

[07:48] How Does Russell Teague Prioritize Threats for his Clients?

Rachael Lyon:
AI has been helping that aspect along quite handily. So thank you for that. So it's an incredibly broad landscape and I think for something like health care or. I know, right. The stakes are incredibly high. Russell, we were talking about that a little bit before we started. I mean, we're talking. Lives are impacted at stake.

Rachael Lyon:
And you know, in all your work with clients, how do you, with a vast threat landscape like this, with such high stakes, how do you counsel them, how do they prioritize? Particularly when we know a lot of these organizations are just financially strapped, razor thin, but budgets, you know, doing all they can to kind of shuffle things around to Work day to day. I'd be curious, how do you even kind of go forward in that landscape?

Russell Teague:
One of the things that I think we advise our clients on the most is, you know, think about the threats that are targeting your organization. Every organization has a unique set of threats based upon their size, their rural location, the communities they serve, how integrated with those communities they are. And so they all have a bit of different challenges. But most importantly, when you think about what you need to do, have foundational components in your program around operational resiliency, around sustainability. Cyber attacks are always going to be there, right. It's just part of the, what we do as cyber leaders and healthcare is the number one targeted sector currently. And so operational resiliency, maintain patient care, the ability to deliver patient care and build in mechanisms to do that. Incident readiness I think is another really key item is, you know, train and be prepared to fight the fight.

Russell Teague:
The, you know, fight the fight.

Russell Teague:
Right.

Russell Teague:
Old military term, you know, always trained to be ready. And so, so incident readiness, you know, tabletop exercises, solid instant response plans, business continuity, disaster recovery plans are all critical elements to that. But, but you have to balance it, have a balanced approach, have both capability to have visibility into your environment. So you know, when things go awry or go different than what's expected. And then when you understand those, understand the business impact that it might have. Control your blast radius, we like to call it through network segmentation and limiting the blast radius or impact and then vulnerabilities and exploit abilities.

Russell Teague:
Right.

Russell Teague:
Know your vulnerabilities in your system. We all deal with legacy devices, so understand those vulnerabilities, but then understand what you're actually being exploited in the wild and prioritize getting those fixed up front. Healthcare can't protect everything, right? At least not equally. But with the right visibility, process discipline and a well formulated response plan, we can prevent disruptive attacks from becoming major crises.

Jonathan Knepher:
So Russell, you kind of touched on a little bit of the disparity of the sizes of the healthcare organizations and what you were saying there. And you know, when we've talked to people in the past on the show here, right. There's always this, you know, how do the smaller guys play and protect themselves?

Russell Teague:
Yeah.

Jonathan Knepher:
Here on Healthcare, like what does that look like? You know, how do the smaller or say more rural or different health care organizations manage to, to do what's appropriate, Right?

Russell Teague:
Yeah.

Russell Teague:
John, you're 100% correct, right. I mean there's about 1900 rural and community hospitals throughout the U.S. unfortunately, the state of their business affairs probably Puts more than half either at or near bankruptcy. We're seeing large, large consolidation. Right. Where mid enterprise or full enterprise health organizations, health systems are buying up the small rural ones, spreading their market and their brand, which is great because they need the help. But the bottom line is the, you know, call it the fairness across the board is not the same.

Russell Teague:
Right.

Russell Teague:
You've got rural, you know, rural facilities that are, you know, 25 beds, 30 beds. You know, they're serving a critical need. This is where federal government's got to step in.

Russell Teague:
Right.

Russell Teague:
They've got to bring assistance and capability. I know there's some challenges associated with the big beautiful bill from the current administration around Medicare Medicaid funding and reimbursements. There's been multiple movements. Senator Cassidy, Senator Warner, many others on the Hill are working in the right direction to try to move legislation forward that leverages Medicare Medicaid reimbursements, but gives you the benefit if you don't do comply. If you divert funds and do invest in cyber as a critical element and you can achieve or demonstrate that, well, then you get better reimbursement. So there's a bit of an incentive and then there's going to be a bit of a stick.

Russell Teague:
Right.

Russell Teague:
But that stick has to have a long enough run rate for people to actually achieve it.

Russell Teague:
Right.

Russell Teague:
Healthcare in general, I feel is running, at least in the rural space, could be running as much as 20 years behind.

Russell Teague:
Right.

Russell Teague:
So they're missing some of the foundational elements I talked about.

Russell Teague:
Right.

Russell Teague:
You know, at Fortified, I advise my, my clients, right. The top five things I would focus on, on a, on a robust health care cyber program, annual risk analysis, vulnerability threat management.

Russell Teague:
Right.

Russell Teague:
Penetration testing, annually incident response readiness and then have technology enablement through both EDR endpoint detection and response. In your simulation.

Russell Teague:
Right.

Russell Teague:
Log management, bring that together so you can have predictive and be proactive in your response. Those five things are critical. There's another five to round out the top 10, but I won't really go through those. But I think that's the element. There is a disparity between the enterprise ones that are well funded, supporting major metropolitan cities, right. With lots of patients and lots of, of access. But some of these rural communities where, you know, the, the average mean income is, you know, well below $80,000.

Russell Teague:
Right.

Russell Teague:
These services, a lot of time that they're, they're filling their communities is not covering the cost to run the service and so we need government subsidy to.

[14:34] Cybersecurity Training Recommendations

Rachael Lyon:
Take care of that, are there, I know there are small business resources, for example, And I think rural healthcare facilities are in some ways so small businesses as well. Is there, from your perspective, is there training or things that they can kind of do on their own? Because I suspect like a small business, they have a IT guy who's covering a lot of grounds in addition to cybersecurity. And are there kind of certifications or trainings or things that you might recommend for folks just to kind of arm themselves with a little more knowledge and capability?

Russell Teague:
Yeah, there are some great informational sites and access to services. CISA is a perfect example.

Russell Teague:
Right.

Russell Teague:
That and they're part of obviously the HHS and CMS world, but they offer free, free services. They'll do free tabletops, they'll do some risk analysis. All organizations, I highly encourage them as part of their incident readiness plans to know who their local CISA rep is, engage with them in those services.

Russell Teague:
Right.

Russell Teague:
They can help augment your cyber program at no cost. They offer those services free. You may have to wait a little bit to get in the queue and get scheduled. But there's also opportunity to participate in regional events.

Russell Teague:
Right.

Russell Teague:
That they offer at no cost as well. And I've been part of and led a few of those as well. They're wonderful events because if you participate in one of those, you can have your team present, walk through the same exercise and actually declare it as a tabletop, you know, a virtual tabletop that you've done for your organization. You're just playing it on the national stage where we do have some of those situations. But the cyber readiness divide requires the rural and community hospitals to do things differently.

Russell Teague:
Right.

Russell Teague:
Because the funding is not there. Acre HSCC Health Sector Coordinating Council. It's headed up by Greg Garcia. Eric Decker used to be one of the leads, is now, but he's moved on, still heavily part of the effort. But Greg Garcia has amassed a significant set of resources to really help training and educate the users. There's stuff on AI, there's stuff on cyber resiliency, vulnerability management, you know, how to operate in down economic times. There's just so much information. I participate.

Russell Teague:
I think there's 13 or 18 working groups that are going on every single week. I participate in a number of them like the White House and many other in terms of what is the right implementation plan for health care. So that's a great source, right? Health Sector Coordinating Council.

Russell Teague:
Yeah.

[17:32] Data Minimization Options in the Healthcare Industry

Jonathan Knepher:
So Russell, this question might be a little bit from left field, but you know, we often talk about like data minimization in a lot of other fields.

Russell Teague:
Right.

Jonathan Knepher:
Like protect the data by simply not ever collecting it in the first place. And you know, when I think about like years past in healthcare stuff was on paper, right? Is there any minimization or offline options for the healthcare industry anymore? Or is that, is that a boat that sailed, like it's all going to be in the cloud?

Russell Teague:
John. It's a great, it's a great topic and a great question. I don't know that was ever on the table, right. If you think about healthcare, healthcare has always been about research, been about, you know, historics in terms of, you know, how many people have this and looking at, you know, efficacies across large population basis. And we learned from that statistical data, those trials and if we don't record those and keep them available, then we can't obviously refer back to them. And so with electronic enablement, access to that data has gotten faster, obviously more easy. With large language models and AI machine learning, we're able to crunch big data set, I mean massive data sets now in a blink of an eye because the computing power has gotten there and you know, with supercomputers and everything else that's coming in the near, it's actually near term we're even going to seek access to that. So people want to put more and more data online.

Russell Teague:
But the root of this is data management, data access, right? It's an interesting stat. Over 97% of today's breaches that we're seeing do not involve the emr, the electronic medical record system, right, where we store sensitive data. And in healthcare, data is the gold in your organization. It's what everyone is going after. They're trying to redirect payments, but that's still data, right? They're trying to get identity theft information, that's data. Trying to get financial records data. They're trying to get research and new, you know, farm and farmers, they're trying to get new drug releases and trials, they're trying to get access to that information. It's all data, right? And so if 90, if less than 3% of attacks involve an EMR, then we can reasonably assume that is a safe place to keep it.

Russell Teague:
The problem is, is 97% of those attacks find data unprotected, unstructured. It's like when you walk in the house and you lay your keys next to the front door, right? Throw your wallet there, your keys, your credit cards, you go upstairs, go to sleep, someone kicks in your front door. Thank you. It's right here. I'm glad you left it available for me. You didn't Take it upstairs and put it in the safe. You didn't put it in a locked room. You didn't even take it upstairs to another room.

Russell Teague:
You left it laying right by the front door. Because that's where I'm gonna exit in the morning and I'm gonna go right to it. It also allows those thieves to come with the little receivers, pick up your transmitter. Transmitter that's probably next to your front door. Your car's in the driveway, right? And they start your car and drive off with it. Right? Because they can transmit that in a reasonable distance. But if that key was on the opposite side, right, they wouldn't be able to do that. And so it's very similar mechanisms that we see repeat itself over and over again.

Russell Teague:
And data management, or we call it data exposure, it's one of the top, you know, 60 elements of a cybersecurity program. And I think it's probably one of the more critical ones. It is one of the largest, one of the hardest things for healthcare to do, right?

Rachael Lyon:
So you need to wrap that data in tinfoil so they can't.

Russell Teague:
Well, it needs to be encrypted, right? But, you know, supercomputing is, you know, the theory right now is our current encryption mechanisms can be broken. And obviously as the computing power becomes faster and faster and more available, those algorithms to actually break those cryptographic algorithms are going to happen. And right now the assumption is, well, you can't break it in 50 years. Well, what happens when that comes down to five minutes? And it will come down. And so we'll have to come up with new ways to encrypt or. John, to your point, stop storing it or store it differently, right? Make it non usable, right? Hash it, encrypt it, so you can still get the analytical value without having the risk of repercussions when it does get breached. Credit card did it through tokenization, right? But the time to live on a credit card is days now, right? And call it, and call it and have it canceled almost immediately. My app just says, shut it off.

Russell Teague:
Right?

Russell Teague:
I can't do that to my Social Security number. I can't change my name that fast. You know, I can't change my medical conditions, right? And so all of those are being used to exploit the human and extort the human. Now, not only are they going after corporations, but then they take the individual users, find out information about them, and then they go extort the individual. Oh, I heard, you know, you've been recently diagnosed with Parkinson's disease. Well, I bet you don't want people to know that, you know, pay me a thousand dollars and I won't release it.

Rachael Lyon:
It's like the 23andMe, I think, right when they shut down and there was a lot of discussion on who are they selling that data to, which is very informative of, you know, potentially future illnesses or things. I mean, there's a lot of precious data in there that somebody could truly exploit against millions and millions of people. It's frightening.

Russell Teague:
Yeah, absolutely.

Rachael Lyon:
And I hate to do this, everyone, but we're going to pause today's discussion right here and pick back up next week. Thanks for joining us this week. And as always, don't forget to smash that subscription button and we'll see you next week. Until next time, stay safe.

About Our Guest

Russell Teague, CISO at Fortified Health Security

Russell Teague, CISO at Fortified Health Security, is an innovative cybersecurity leader who shields healthcare organizations from digital threats. Experience spans three decades in information security, covering the Healthcare, Pharmaceutical, Financial, Retail, and Technology sectors.

A distinguished U.S. Army Intelligence veteran with extensive leadership experience. Served as Chief Security Officer (CSO), Chief Technology Officer (CTO), and a founder and board member for multiple leading cybersecurity companies.

Sought-after cybersecurity expertise, which led to consult with the White House on the National Cybersecurity Healthcare Strategy, Health and Human Services (HHS), and actively participate with the Health Sector Coordination Council (HSCC).

Often contributes thought leadership to numerous publications and has presented at leading industry conferences, including CHIME, VIVE, MUSE, HIMSS, Healthcare IT Institute, Health Connect Partners, Oracle Health Conference, RSA, and Blackhat.