
Meet the CSO helping warn hospitals about cyberthreats right now

Errol Weiss, CSO of the Health Information Sharing and Analysis Center, has had a busy few weeks.

The emergency room entrance at NYU Langone Health Center

As coronavirus cases rise, protecting hospitals from cyber threats is critical.

Photo: Angela Weiss/Getty Images

As the coronavirus outbreak escalates, hospitals across the U.S. are bracing for a surge in sick patients. So, too, are the cybersecurity workers at these organizations, who are preparing to fend off ransomware attacks and other threats that could disrupt patient treatment.




One organization that will play a crucial role in that effort is the Health Information Sharing and Analysis Center, an industry consortium that provides health care organizations of all kinds — including hospitals, insurance providers, medical device manufacturers, pharmaceutical companies and laboratories — with information on the latest threats and vulnerabilities targeting the industry. If one health care organization sees indications of a new attack, H-ISAC gives them a confidential way to share that information with peers.

Errol Weiss, the organization's chief security officer, said the next few weeks will be especially difficult for health care cybersecurity workers, as many of them shift to working remotely and take care of kids — and potentially become sick. The challenges will be especially hard for small hospitals, which lack the budget and staff to stay on top of cybersecurity issues.

Weiss, who held top cybersecurity roles at Bank of America and Citigroup prior to joining H-ISAC about a year ago, talked to Protocol about ransomware attacks on hospitals, hackers pledging to not target health care organizations during the coronavirus outbreak, and what the government's role is in fending off attackers.

This interview has been edited and condensed for clarity.

Smaller health care organizations may not have the resources necessary to protect their computer systems, says Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center. Photo: Courtesy of Health Information Sharing and Analysis Center

What emerging cybersecurity threats have health care organizations been dealing with in recent weeks?

We've been pushing out quite a number of threat intelligence and vulnerability reports over the past few weeks — there have been a lot of COVID-19 issues that have come up. A lot of phishing emails that are taking advantage of the situation, stealing username and password credentials, placing ransomware on victim computers.

There's been talk about vulnerable VPNs for the past several months that we've been notifying our members about, and that concerns me now that so many people are working from home. Malicious actors can take advantage of the VPN vulnerabilities to bypass authentication and essentially log into an enterprise infrastructure as a legitimate user. Some cybersecurity companies are sharing the IP addresses with us that tie back to health care companies, so we've been notifying those organizations that they have a vulnerable Pulse or Citrix VPN server or whatever else it may be, and provide them all of the updated information we have on that. We provide that information whether they're a member or not because one of our basic tenets is that the security of all health care organizations impacts the security of the entire system, so we're trying to raise the bar.

One of the evil ones we've seen is there have been a bunch of fake coronavirus-tracking maps and websites, using data from organizations like Johns Hopkins University to lure people into clicking on malicious attachments. We're sharing indicators about those things with our members and have gotten updates from Johns Hopkins directly and are working with them to find ways to help slow down the fakes.

How can you slow that down?

When I was doing threat intelligence for banks, we would actively monitor the internet for brand infringement; we would find websites and social media posts that used the brand name to try to dupe people into downloading something or going to a fake site. Johns Hopkins could actively monitor for those kinds of things — that may be one of the things that the government could help out with.

Over the last year, hospital systems in Alabama, New Jersey and many other states were hit by ransomware attacks. Are you concerned that these types of attacks could disrupt hospitals while they're dealing with the coronavirus response?

Ransomware attacks are happening all over and way too often. The key to this is going to be about raising awareness of the threat and making sure hospitals are taking the minimum steps to avoid it or recover quickly from it if it does happen. That's a lot of the guidance we've been putting out recently. Some security researchers have found default keys to unlock computers if organizations do get infected. But some of the attacks are using very good encryption, so they're getting harder to beat. So the real answer is avoiding the attack in the first place and being better prepared.

If a hospital does suffer a ransomware attack in the coming weeks, do you think the U.S. government should pay the ransom so it doesn't disrupt treatment?

Before I got to the health care sector, my stance was we shouldn't pay ransoms because we would be encouraging more of these attacks. But here we're talking potentially about patient lives. It's a tough question. I can't answer it. I'd much rather be advocating for organizations to spend the money on better preparedness and recovery.

What ways do you think the government can help?

I'd like to see the U.S. work on a policy to ensure foreign nations are actively prosecuting and punishing cybercriminals when they're caught, and that would be a better deterrent than what we have today. We don't have a great policy in place that's being taken seriously. A lot of countries who are trade partners of ours are ignoring cybercriminals and allowing them to operate in their country as long as they know what they're up to.

Are there signs that hackers are targeting hospitals more now that they're dealing with coronavirus?

I saw a hospital in the Czech Republic was recently hit by a cyberattack. But I also saw a report that ransomware gangs are saying they would stop their attacks against health care organizations. Supposedly the operators of Maze, DoppelPaymer, Ryuk [and other ransomware strains] put out an edict to their subscribers saying don't go after hospitals at this time. We'll see if they live up to their promise or not.

Besides cyberattacks, what has been top-of-mind for health care tech leaders?

We have a large amount of information sharing and collaboration in online chat channels. One of those channels that has been very active is about telework issues: providing equipment, ergonomic tools, reimbursement policies for internet service, how that works. There have been a ton of posts in there about how health care organizations are handling it, and you can imagine how complex and quick things are moving there. One post was from a company that had employees in 160 countries globally that they were quickly moving out of offices.

Are health care IT staff able to work from home?

The big challenge we have from a brick-and-mortar standpoint is we have sick patients coming into our facilities that could affect staff trying to keep the facilities running. I've been seeing a large number of hospital infosec staff working from home, but there are some core groups that have to show up on site. I hope their offices are located elsewhere, that there's separation or isolation, but the smaller hospitals probably don't have that.

Are health care organizations prepared for cyberthreats?

One challenge is that some of the smaller health care organizations may not have the resources that are needed to properly secure their environment. Their budgets are tight, and it's a complex and very difficult job. When I was in finance, we had an army of people working on cybersecurity for the banks, and from my experience I haven't seen the number of people in hospitals properly needed to secure those environments. There's a lot of talented people in the infosec departments in these health care orgs, but we need more help.




Are any cybersecurity organizations offering free help to health providers?

I've been really busy over the last couple days talking to the leading threat intelligence providers and popular third-party risk-scoring tools — we've been talking with them about offering some level of free service for health organizations. With the risk-scoring tools, members can look at their own score to understand their own posture and then look at their main third parties to understand their top risks. Some smaller hospitals could find tremendous use from this, because they've had limited resources to focus on cyber and can get a free and useful snapshot of what their strengths and weaknesses are.
