Podcast S3 E1
Last updated: Jan 10, 2024

Cyber Security Trends: Third-Party Security Assurances


Introduction

Transcript

Preparation and a vigilant organizational mindset are critical to reducing the financial and reputational risk of cybersecurity incidents. Join CISO Hans Guilbeaux for an in-depth discussion of ways health plans can ensure their vendors have implemented industry best practices and are prepared for incident response with detailed disaster recovery and business continuity processes.

Guest Speaker

Hans Guilbeaux

UST HealthProof CISO

Hans Guilbeaux is the UST HealthProof CISO and has over 25 years of experience in network and infrastructure engineering, security systems administration, network penetration, vulnerability assessment, IT auditing, incident response, and forensics investigation. Hans is a Certified Information Systems Security Professional (CISSP), and a Certified CSF Professional (CCSFP).

References

HITRUST (n.d.). 5 Reasons Why You Should Trust HITRUST. hitrustalliance.net. Retrieved April 16, 2024, from https://hitrustalliance.net/blog/5-reasons-why-you-should-trust-hitrust

IBM (n.d.). Cost of a Data Breach Report 2023. www.ibm.com. Retrieved June 10, 2024, from https://www.ibm.com/reports/data-breach

Host: Today we’re talking about Cyber Security Trends & Third-Party Assurances with Chief Information and Security Officer, Hans Guilbeaux. Hans has over 25 years of experience in network and infrastructure engineering, security systems administration, network penetration, vulnerability assessment, IT auditing, incident response, and forensics investigation. Hans is a Certified Information Systems Security Professional (CISSP), and a Certified CSF Professional (CCSFP). Welcome, Hans.

Hans: Hey. I’m excited about our topic today and, really, this whole month, as you know, it’s Cybersecurity Awareness month.

Host: 100%. It’s an important topic that has far-reaching implications from industries all the way down to individual consumers. According to IBM’s Cost of a Data Breach report, the healthcare industry is one of the top five industries most impacted by cyber incidents.

Hans: Yes, the healthcare industry is extremely lucrative for cybercriminals. It has the highest payouts. If cybercriminals were a nation-state, they would be the third largest nation in the world from a gross domestic product standpoint. Third, after the United States and China.  

Host: Wow. That’s a scary figure.  

Hans: Yes, the bad actors are ahead right now. And, every company needs to have the mindset that it’s not a matter of if, it’s a matter of when you’re going to get hit with a cybersecurity incident. Not necessarily ransomware, but some kind of cyber incident.  

Host: That sounds like it could be a controversial statement.  

Hans: Most definitely. But let me explain why it’s an important view to adopt. It means not only having defense systems in place, but also it means having a comprehensive response plan ready to go.  

Host: This makes sense. It’s preparing for the worst and hoping for the best.  

Hans: Exactly. If a company ends up in a cybersecurity incident, there’s financial risk that comes from different directions. Beyond, let’s say, the traditional idea of paying a ransom, you have to consider the trickle-down effect on a company’s reputation and potential loss of business, either in the form of new business or current business. The concept of preparing for ‘when’ it happens means that the company has thought through all of the different possible scenarios and ways to respond—from a cyber perspective all the way down to public relations and communication plans.

Host: Is there a way for health plans to verify that their vendors have these security processes in place and are prepared for cybersecurity incidents?

Hans: Yes, so there are industry certifications like HITRUST. HITRUST is an external cybersecurity audit for healthcare companies. It evaluates security frameworks for systems that house and manage PHI, and it incorporates compliance regulations from a variety of sources like HIPAA, GDPR, and others. So, going back to what I was saying earlier about being ready with a plan of action for how your company is going to handle a cyber incident, HITRUST helps to protect against an incident, and to detect, respond, and recover from an event. It’s comprehensive and takes about 9-10 months to complete the certification. It’s no small task. There are also external auditor-completed assessments by the AICPA, called SOC 1 Type II and SOC 2 Type II. SOC stands for System and Organization Controls. SOC 1 Type II focuses on the controls around the financial systems and both the business and technical processes. And then, SOC 2 Type II focuses on privacy, security, availability, and some business processes.

Host: Is it possible for a company to have all these certifications and still encounter a cybersecurity incident?  

Hans: Yes, so the certifications are great. The HITRUST 2024 Report states that less than 1% of organizations with their certification have reported a cybersecurity breach in the past two years. That’s a great number and an indication of proper controls and processes. But still, it’s not fool-proof. Cyber incidents can happen to any organization, sans certification.  

In addition to certifications, there has to be continual verification to support it. For example, we do tabletop ransomware exercises regularly just to ensure our controls, processes, and documentation are up to speed so if, or more likely, when it happens, A. We know what process and documentation to go for, and B. We know the steps we have to take to mitigate the risk. We also do incident response tabletops. One of the things I’ve had teams do in the past: don’t try to make up some crazy incident that no one has experience with. Instead, go grab a past incident that we’ve dealt with, either internally or with a client, make that the tabletop, and run that exercise internally so we can make sure our processes and documentation are sound. It’s one thing to talk to an auditor and show them all the right evidence, but it’s another thing to test it. You don’t want to be testing it in a real-life situation.

From a risk mitigation perspective, organizations have to look at people, processes, and technology. The process, if it doesn’t work, can introduce a vulnerability. From a technology breakdown perspective, incidents typically occur because a new entry point has been discovered and the vendor wasn’t fast enough to fix it. Cybercriminals can exploit the hole very quickly. We call this a zero-day vulnerability. It’s a vulnerability that is known to exist, it’s known that it can be exploited, but there’s no patch or technical fix for it. There are mitigating processes or things you can do, but that hole exists in your environment, and bad actors are actively going after it.  

Then you have people. The human factor is probably your biggest risk in any organization. Here’s the thing: you can patch systems, applications, and software all day, but you can’t patch people. If someone is going to click on something, I can’t stop them. But what I can do is have controls in place to mitigate that activity. An employee holds the door open for someone instead of making them swipe their badge, or leaves their laptop open at a coffee shop: there are a thousand scenarios where people are the weak link. So, we put processes and technology in place to set boundaries for people. Ongoing education for employees is critical, so security is always top-of-mind, and as the cyber landscape evolves, employees are kept up to date. Some of the phishing emails have become quite sophisticated. It used to be fairly easy to identify a nefarious email, but now, with AI, honestly, it’s hard to tell. They’re getting pretty slick.

If you remember the MGM/Caesar’s hack that happened not too long ago, here’s what happened: a member of the tech team that was being used to support their servers had a LinkedIn account that had information about where they worked and what level they were, and then they had Facebook and social media accounts with personal information. The threat actors identified this individual as having highly privileged access to the MGM environment. They leveraged the information they gathered on the social media accounts to call the help desk and impersonate this tech team member. They got the help desk to reset the authentication credentials. So, the help desk was socially engineered based on too much information provided by the employee online.

Host: This brings me to a subject I’m pretty passionate about—online privacy. I’ve read all the Kevin Mitnick books and it’s really scary that as a society we’re providing all of this personal information to the world. We’re just putting it out there—pictures in front of our house with our street address, the name of our kids and pets, schools we attend. We post on our birthdays and our kid’s birthdays, and memorialize every special event online. We connect ourselves to people who tag us. It’s just not that hard to be a hacker in 2024 when we’re just giving the information away. As a company, we want our employees to support the company’s digital growth by proudly identifying themselves as part of the company, participating in employee of the month campaigns on LinkedIn, and reposting important company events. But, we also want to protect the company. What advice would you give to companies and employees about posting on LinkedIn?

Hans: That’s a good question. How much is too much? From a professional social media standpoint on LinkedIn, don’t list all the things you do. For example, my LinkedIn profile identifies me as the CISO, but it doesn’t list all of my duties. Your summary should be just that. I know some people use LinkedIn as their resume, but I advise against it. It’s okay to list your title and a high-level summary, but you don’t want to list everything you’ve ever worked on and are currently working on.

Host: Okay, that sounds like a sensical approach. Let’s jump back to the health plan vendor relationship. If you are a health plan vetting vendors, what would be a good line of questioning to ensure they have good security practices?  

Hans: Yeah, this is important. If I were a health plan in discussion with a vendor, I would ask: What type of incident exercises can you perform? What type of threat modeling do you utilize, and how do you come up with these exercises? Some will follow current industry trends or current notifications from the Center for Information Security Administration from the federal government.

How often do you run these exercises? What’s the basis for the exercises? Are they pie in the sky made up, or are they founded on real-life examples you’ve experienced in the past?  

What is your media plan for an incident? Are you ready? Have you identified who the spokespeople in the company are? Who can talk to the media? Probably, this is going to be a team composed of public relations, legal, and a security subject matter expert.  

What does the disaster recovery and business continuity process look like? If a vendor encounters an incident and has to temporarily shut down, who is the backup vendor? For the same process, there needs to be an A, B, and C alternative. It seems redundant, but it’s a failsafe. That’s the business continuity piece. Then there’s the IT piece for disaster recovery. You know, people think business continuity and disaster recovery are the same; they’re not.

Host: In the health plan environment, what would that look like?  

Hans: Let’s say the claims processing vendor A goes down and we need to switch to vendor B. That’s change management. From an IT perspective, we would change the systems, the servers, and applications to stop communicating and transmitting data from Vendor A and point them to Vendor B.

Years ago, I worked in security for a motor company. Twice a year, they would conduct a drill where they would literally shut the entire operation down from the primary location, and shift it to a totally different location. They moved their people to different offices, and brought up a totally different data center, and ran on it for 36 hours. Dealerships were still selling cars, financing vehicles, and plants were still receiving orders to build vehicles—and none of them knew we had completely changed locations. Everything was business as usual. We called it Switch Over, Switch Back. Whether it’s healthcare, a motor company, or Amazon, every business should have those processes and testing in place. Move the people, processes, and technology with minimal downtime and disruption to the business. That’s the holistic view, protect people, process, and technology.  

Host: Hans, it’s been great having you on the podcast today. This conversation is a great contribution to the industry for Cybersecurity Awareness Month.  

Hans: You bet. I’ve enjoyed it. And again, being part of Cybersecurity Awareness Month, there are multiple places you can go for that.

Host: Thanks to our listeners. If you liked this episode, share it with your colleagues on LinkedIn, and follow on Apple and Spotify to be the first to know when new episodes drop.
