People

Meet the CSO helping warn hospitals about cyberthreats right now

Errol Weiss, CSO of the Health Information Sharing and Analysis Center, has had a busy few weeks.

The emergency room entrance at NYU Langone Health Center

As coronavirus cases rise, protecting hospitals from cyber threats is critical.

Photo: Angela Weiss/Getty Images

As the coronavirus outbreak escalates, hospitals across the U.S. are bracing for a surge in sick patients. So, too, are the cybersecurity workers at these organizations, who are preparing to fend off ransomware attacks and other threats that could disrupt patient treatment.


Get what matters in tech, in your inbox every morning. Sign up for Source Code.


One organization that will play a crucial role in that effort is the Health Information Sharing and Analysis Center, an industry consortium that provides health care organizations of all kinds — including hospitals, insurance providers, medical device manufacturers, pharmaceutical companies and laboratories — with information on the latest threats and vulnerabilities targeting the industry. If one health care organization sees indications of a new attack, H-ISAC gives them a confidential way to share that information with peers.

Errol Weiss, the organization's chief security officer, said the next few weeks will be especially difficult for health care cybersecurity workers, as many of them shift to working remotely and take care of kids — and potentially become sick. The challenges will be especially hard for small hospitals, which lack the budget and staff to stay on top of cybersecurity issues.

Weiss, who held top cybersecurity roles at Bank of America and Citigroup prior to joining H-ISAC about a year ago, talked to Protocol about ransomware attacks on hospitals, hackers pledging to not target health care organizations during the coronavirus outbreak, and what the government's role is in fending off attackers.

This interview has been edited and condensed for clarity.

Errol Weiss Smaller health care organizations may not have the resources necessary to protect their computer systems, says Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center.Photo: Courtesy of Health Information Sharing and Analysis Center

What emerging cybersecurity threats have health care organizations been dealing with in recent weeks?

We've been pushing out quite a number of threat intelligence and vulnerability reports over the past few weeks — there have been a lot of COVID-19 issues that have come up. A lot of phishing emails that are taking advantage of the situation, stealing username and password credentials, placing ransomware on victim computers.

There's been talk about vulnerable VPNs for the past several months that we've been notifying our members about, and that concerns me now that so many people are working from home. Malicious actors can take advantage of the VPN vulnerabilities to bypass authentication and essentially log into an enterprise infrastructure as a legitimate user. Some cybersecurity companies are sharing the IP addresses with us that tie back to health care companies, so we've been notifying those organizations that they have a vulnerable Pulse or Citrix VPN server or whatever else it may be, and provide them all of the updated information we have on that. We provide that information whether they're a member or not because one of our basic tenants is that the security of all health care organizations impacts the security of the entire system, so we're trying to raise the bar.

One of the evil ones we've seen is there have been a bunch of fake coronavirus-tracking maps and websites, using data from organizations like Johns Hopkins University to lure people into clicking on malicious attachments. We're sharing indicators about those things with our members and have gotten updates from Johns Hopkins directly and are working with them to find ways to help slow down the fakes.

How can you slow that down?

When I was doing threat intelligence for banks, we would actively monitor the internet for brand infringement; we would find websites and social media posts that used the brand name to try to dupe people into downloading something or going to a fake site. Johns Hopkins could actively monitor for those kinds of things — that may be one of the things that the government could help out with.

Over the last year, hospital systems in Alabama, New Jersey and many other states were hit by ransomware attacks. Are you concerned that these types of attacks could disrupt hospitals while they're dealing with the coronavirus response?

Ransomware attacks are happening all over and way too often. The key to this is going to be about raising awareness of the threat and making sure hospitals are taking the minimum steps to avoid it or recover quickly from it if it does happen. That's a lot of the guidance we've been putting out recently. Some security researchers have found default keys to unlock computers if organizations do get infected. But some of the attacks are using very good encryption, so they're getting harder to beat. So the real answer is avoiding the attack in the first place and being better prepared.

If a hospital does suffer a ransomware attack in the coming weeks, do you think the U.S. government should pay the ransom so it doesn't disrupt treatment?

Before I got to the health care sector, my stance was we shouldn't pay ransoms because we would be encouraging more of these attacks. But here we're talking potentially about patient lives. It's a tough question. I can't answer it. I'd much rather be advocating for organizations to spend the money on better preparedness and recovery.

What ways do you think the government can help?

I'd like to see the U.S. work on a policy to ensure foreign nations are actively prosecuting and punishing cybercriminals when they're caught, and that would be a better deterrent than what we have today. We don't have a great policy in place that's being taken seriously. A lot of countries who are trade partners of ours are ignoring cybercriminals and allowing them to operate in their country as long as they know what they're up to.

Are there signs that hackers are targeting hospitals more now that they're dealing with coronavirus?

I saw a hospital in the Czech Republic was recently hit by a cyberattack. But I also saw a report that ransomware gangs are saying they would stop their attacks against health care organizations. Supposedly the operators of Maze, DoppelPaymer, Ryuk [and other ransomware strains] put out an edict to their subscribers saying don't go after hospitals at this time. We'll see if they live up to their promise or not.

Besides cyberattacks, what has been top-of-mind for health care tech leaders?

We have a large amount of information sharing and collaboration in online chat channels. One of those channels that has been very active is about telework issues: providing equipment, ergonomic tools, reimbursement policies for internet service, how that works. There have been a ton of posts in there about how health care organizations are handling it, and you can imagine how complex and quick things are moving there. One post was from a company that had employees in 160 countries globally that they were quickly moving out of offices.

Are health care IT staff able to work from home?

The big challenge we have from a brick-and-mortar standpoint is we have sick patients coming into our facilities that could affect staff trying to keep the facilities running. I've been seeing a large number of hospital infosec staff working from home, but there are some core groups that have to show up on site. I hope their offices are located elsewhere, that there's separation or isolation, but the smaller hospitals probably don't have that.

Are health care organizations prepared for cyberthreats?

One challenge is that some of the smaller health care organizations may not have the resources that are needed to properly secure their environment. Their budgets are tight, and it's a complex and very difficult job. When I was in finance, we had an army of people working on cybersecurity for the banks, and from my experience I haven't seen the number of people in hospitals properly needed to secure those environments. There's a lot of talented people in the infosec departments in these health care orgs, but we need more help.


Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.


Are any cybersecurity organizations offering free help to health providers?

I've been really busy over the last couple days talking to the leading threat intelligence providers and popular third-party risk-scoring tools — we've been talking with them about offering some level of free service for health organizations. With the risk-scoring tools, members can look at their own score to understand their own posture and then look at their main third parties to understand their top risks. Some smaller hospitals could find tremendous use from this, because they've had limited resources to focus on cyber and can get a free and useful snapshot of what their strengths and weaknesses are.

Climate

New Jersey could become an ocean energy hub

A first-in-the-nation bill would support wave and tidal energy as a way to meet the Garden State's climate goals.

Technological challenges mean wave and tidal power remain generally more expensive than their other renewable counterparts. But government support could help spur more innovation that brings down cost.

Photo: Jeremy Bishop via Unsplash

Move over, solar and wind. There’s a new kid on the renewable energy block: waves and tides.

Harnessing the ocean’s power is still in its early stages, but the industry is poised for a big legislative boost, with the potential for real investment down the line.

Keep Reading Show less
Lisa Martine Jenkins

Lisa Martine Jenkins is a senior reporter at Protocol covering climate. Lisa previously wrote for Morning Consult, Chemical Watch and the Associated Press. Lisa is currently based in Brooklyn, and is originally from the Bay Area. Find her on Twitter ( @l_m_j_) or reach out via email (ljenkins@protocol.com).

Every day, millions of us press the “order” button on our favorite coffee store's mobile application: Our chosen brew will be on the counter when we arrive. It’s a personalized, seamless experience that we have all come to expect. What we don’t know is what’s happening behind the scenes. The mobile application is sourcing data from a database that stores information about each customer and what their favorite coffee drinks are. It is also leveraging event-streaming data in real time to ensure the ingredients for your personal coffee are in supply at your local store.

Applications like this power our daily lives, and if they can’t access massive amounts of data stored in a database as well as stream data “in motion” instantaneously, you — and millions of customers — won’t have these in-the-moment experiences.

Keep Reading Show less
Jennifer Goforth Gregory
Jennifer Goforth Gregory has worked in the B2B technology industry for over 20 years. As a freelance writer she writes for top technology brands, including IBM, HPE, Adobe, AT&T, Verizon, Epson, Oracle, Intel and Square. She specializes in a wide range of technology, such as AI, IoT, cloud, cybersecurity, and CX. Jennifer also wrote a bestselling book The Freelance Content Marketing Writer to help other writers launch a high earning freelance business.
Entertainment

Watch 'Stranger Things,' play Neon White and more weekend recs

Don’t know what to do this weekend? We’ve got you covered.

Here are our picks for your long weekend.

Image: Annapurna Interactive; Wizard of the Coast; Netflix

Kick off your long weekend with an extra-long two-part “Stranger Things” finale; a deep dive into the deckbuilding games like Magic: The Gathering; and Neon White, which mashes up several genres, including a dating sim.

Keep Reading Show less
Nick Statt

Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.

Fintech

Debt fueled crypto mining’s boom — and now, its bust

Leverage helped mining operations expand as they borrowed against their hardware or the crypto it generated.

Dropping crypto prices have upended the economics of mining.

Photo: Lars Hagberg/AFP via Getty Images

As bitcoin boomed, crypto mining seemed almost like printing money. But in reality, miners have always had to juggle the cost of hardware, electricity and operations against the tokens their work yielded. Often miners held onto their crypto, betting it would appreciate, or borrowed against it to buy more mining rigs. Now all those bills are coming due: The industry has accumulated as much as $4 billion in debt, according to some estimates.

The crypto boom encouraged excess. “The approach was get rich quick, build it big, build it fast, use leverage. Do it now,” said Andrew Webber, founder and CEO at crypto mining service provider Digital Power Optimization.

Keep Reading Show less
Tomio Geron

Tomio Geron ( @tomiogeron) is a San Francisco-based reporter covering fintech. He was previously a reporter and editor at The Wall Street Journal, covering venture capital and startups. Before that, he worked as a staff writer at Forbes, covering social media and venture capital, and also edited the Midas List of top tech investors. He has also worked at newspapers covering crime, courts, health and other topics. He can be reached at tgeron@protocol.com or tgeron@protonmail.com.

Policy

How lax social media policies help fuel a prescription drug boom

Prescription drug ads are all over TikTok, Facebook and Instagram. As the potential harms become clear, why haven’t the companies updated their advertising policies?

Even as providers like Cerebral draw federal attention, Meta’s and TikTok’s advertising policies still allow telehealth providers to turbocharge their marketing efforts.

Illustration: Overearth/iStock/Getty Images Plus

In the United States, prescription drug advertisements are as commonplace as drive-thru lanes and Pete Davidson relationship updates. We’re told every day — often multiple times a day — to ask our doctor if some new medication is right for us. Saturday Night Live has for decades parodied the breathless parade of side effect warnings tacked onto drug commercials. Here in New York, even our subway swipes are subsidized by advertisements that deliver the good news: We can last longer in bed and keep our hair, if only we turn to the latest VC-backed telehealth service.

The U.S. is almost alone in embracing direct-to-consumer prescription drug advertisements. Nations as disparate as Saudi Arabia, France and China all find common ground in banning such ads. In fact, of all developed nations, only New Zealand joins the U.S. in giving pharmaceutical companies a direct line to consumers.

Keep Reading Show less
Hirsh Chitkara

Hirsh Chitkara ( @HirshChitkara) is a reporter at Protocol focused on the intersection of politics, technology and society. Before joining Protocol, he helped write a daily newsletter at Insider that covered all things Big Tech. He's based in New York and can be reached at hchitkara@protocol.com.

Latest Stories
Bulletins