People

Meet the CSO helping warn hospitals about cyberthreats right now

Errol Weiss, CSO of the Health Information Sharing and Analysis Center, has had a busy few weeks.

The emergency room entrance at NYU Langone Health Center

As coronavirus cases rise, protecting hospitals from cyber threats is critical.

Photo: Angela Weiss/Getty Images

As the coronavirus outbreak escalates, hospitals across the U.S. are bracing for a surge in sick patients. So, too, are the cybersecurity workers at these organizations, who are preparing to fend off ransomware attacks and other threats that could disrupt patient treatment.


Get what matters in tech, in your inbox every morning. Sign up for Source Code.


One organization that will play a crucial role in that effort is the Health Information Sharing and Analysis Center, an industry consortium that provides health care organizations of all kinds — including hospitals, insurance providers, medical device manufacturers, pharmaceutical companies and laboratories — with information on the latest threats and vulnerabilities targeting the industry. If one health care organization sees indications of a new attack, H-ISAC gives them a confidential way to share that information with peers.

Errol Weiss, the organization's chief security officer, said the next few weeks will be especially difficult for health care cybersecurity workers, as many of them shift to working remotely and take care of kids — and potentially become sick. The challenges will be especially hard for small hospitals, which lack the budget and staff to stay on top of cybersecurity issues.

Weiss, who held top cybersecurity roles at Bank of America and Citigroup prior to joining H-ISAC about a year ago, talked to Protocol about ransomware attacks on hospitals, hackers pledging to not target health care organizations during the coronavirus outbreak, and what the government's role is in fending off attackers.

This interview has been edited and condensed for clarity.

Errol WeissSmaller health care organizations may not have the resources necessary to protect their computer systems, says Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center.Photo: Courtesy of Health Information Sharing and Analysis Center

What emerging cybersecurity threats have health care organizations been dealing with in recent weeks?

We've been pushing out quite a number of threat intelligence and vulnerability reports over the past few weeks — there have been a lot of COVID-19 issues that have come up. A lot of phishing emails that are taking advantage of the situation, stealing username and password credentials, placing ransomware on victim computers.

There's been talk about vulnerable VPNs for the past several months that we've been notifying our members about, and that concerns me now that so many people are working from home. Malicious actors can take advantage of the VPN vulnerabilities to bypass authentication and essentially log into an enterprise infrastructure as a legitimate user. Some cybersecurity companies are sharing the IP addresses with us that tie back to health care companies, so we've been notifying those organizations that they have a vulnerable Pulse or Citrix VPN server or whatever else it may be, and provide them all of the updated information we have on that. We provide that information whether they're a member or not because one of our basic tenants is that the security of all health care organizations impacts the security of the entire system, so we're trying to raise the bar.

One of the evil ones we've seen is there have been a bunch of fake coronavirus-tracking maps and websites, using data from organizations like Johns Hopkins University to lure people into clicking on malicious attachments. We're sharing indicators about those things with our members and have gotten updates from Johns Hopkins directly and are working with them to find ways to help slow down the fakes.

How can you slow that down?

When I was doing threat intelligence for banks, we would actively monitor the internet for brand infringement; we would find websites and social media posts that used the brand name to try to dupe people into downloading something or going to a fake site. Johns Hopkins could actively monitor for those kinds of things — that may be one of the things that the government could help out with.

Over the last year, hospital systems in Alabama, New Jersey and many other states were hit by ransomware attacks. Are you concerned that these types of attacks could disrupt hospitals while they're dealing with the coronavirus response?

Ransomware attacks are happening all over and way too often. The key to this is going to be about raising awareness of the threat and making sure hospitals are taking the minimum steps to avoid it or recover quickly from it if it does happen. That's a lot of the guidance we've been putting out recently. Some security researchers have found default keys to unlock computers if organizations do get infected. But some of the attacks are using very good encryption, so they're getting harder to beat. So the real answer is avoiding the attack in the first place and being better prepared.

If a hospital does suffer a ransomware attack in the coming weeks, do you think the U.S. government should pay the ransom so it doesn't disrupt treatment?

Before I got to the health care sector, my stance was we shouldn't pay ransoms because we would be encouraging more of these attacks. But here we're talking potentially about patient lives. It's a tough question. I can't answer it. I'd much rather be advocating for organizations to spend the money on better preparedness and recovery.

What ways do you think the government can help?

I'd like to see the U.S. work on a policy to ensure foreign nations are actively prosecuting and punishing cybercriminals when they're caught, and that would be a better deterrent than what we have today. We don't have a great policy in place that's being taken seriously. A lot of countries who are trade partners of ours are ignoring cybercriminals and allowing them to operate in their country as long as they know what they're up to.

Are there signs that hackers are targeting hospitals more now that they're dealing with coronavirus?

I saw a hospital in the Czech Republic was recently hit by a cyberattack. But I also saw a report that ransomware gangs are saying they would stop their attacks against health care organizations. Supposedly the operators of Maze, DoppelPaymer, Ryuk [and other ransomware strains] put out an edict to their subscribers saying don't go after hospitals at this time. We'll see if they live up to their promise or not.

Besides cyberattacks, what has been top-of-mind for health care tech leaders?

We have a large amount of information sharing and collaboration in online chat channels. One of those channels that has been very active is about telework issues: providing equipment, ergonomic tools, reimbursement policies for internet service, how that works. There have been a ton of posts in there about how health care organizations are handling it, and you can imagine how complex and quick things are moving there. One post was from a company that had employees in 160 countries globally that they were quickly moving out of offices.

Are health care IT staff able to work from home?

The big challenge we have from a brick-and-mortar standpoint is we have sick patients coming into our facilities that could affect staff trying to keep the facilities running. I've been seeing a large number of hospital infosec staff working from home, but there are some core groups that have to show up on site. I hope their offices are located elsewhere, that there's separation or isolation, but the smaller hospitals probably don't have that.

Are health care organizations prepared for cyberthreats?

One challenge is that some of the smaller health care organizations may not have the resources that are needed to properly secure their environment. Their budgets are tight, and it's a complex and very difficult job. When I was in finance, we had an army of people working on cybersecurity for the banks, and from my experience I haven't seen the number of people in hospitals properly needed to secure those environments. There's a lot of talented people in the infosec departments in these health care orgs, but we need more help.


Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.


Are any cybersecurity organizations offering free help to health providers?

I've been really busy over the last couple days talking to the leading threat intelligence providers and popular third-party risk-scoring tools — we've been talking with them about offering some level of free service for health organizations. With the risk-scoring tools, members can look at their own score to understand their own posture and then look at their main third parties to understand their top risks. Some smaller hospitals could find tremendous use from this, because they've had limited resources to focus on cyber and can get a free and useful snapshot of what their strengths and weaknesses are.

Fintech

Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
FTA
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.
Enterprise

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.

Enterprise

Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories
Bulletins