Executive Conversations: Proactive Cybersecurity in Healthcare with Shawn Henry, President of CrowdStrike Services
Shawn Henry, President of CrowdStrike Services and Chief Security Officer of CrowdStrike, joins Phoebe Yang, General Manager of Public Sector Healthcare at Amazon Web Services (AWS) to discuss the past, present, and future of cybersecurity in the healthcare industry and society at large, with a focus on how cloud technology can help organizations preempt attacks. CrowdStrike, an Austin-based cybersecurity technology company, offers cloud-native security solutions, threat intelligence, and cyberattack response services to organizations in healthcare and other industries.
This Executive Conversation is one in a series of discussions held with thought leaders in healthcare, life sciences, and genomics, where we seek to learn more about the impact of technological innovation and cloud computing on their industries.
Phoebe Yang: The U.S. healthcare system has been the subject of a lot of attacks, particularly in the last couple of years, especially with the rise of COVID-19. Many of these attacks have been high-profile, but many more were never heard about, for lots of reasons. How could those incidents have been prevented? At a minimum, could there have been measures put in place to strengthen and expedite the response to those incidents?
Shawn Henry: At CrowdStrike, we respond to thousands of incidents and have more than sixteen thousand customers around the world; as a result, we have a lot of visibility into adversary tactics, techniques, and procedures. Healthcare organizations are being targeted because of the value of their data as well as the potentially devastating impact of disruptive attacks. Certain actors have attacked the healthcare sector from a nation-state perspective, while organized crime groups are targeting that same sector for financial gain. The value of personally identifiable information (PII) taken out of those data environments is incredibly high. Many criminal organizations are also engaged in the deployment of ransomware aimed at disrupting healthcare operations.
Healthcare organizations need to start with awareness and build proactive programs. Historically, the financial services sector has been the best-protected sector. They invested the most in security early on because they saw a strong ROI. In contrast, healthcare was one of the least-protected sectors 10 years ago—organizations were less focused on security and more focused on providing care and treatment. But I think that as we’ve moved forward in the last 10 years, particularly in the last two or three years, the targeting has increased, and healthcare organizations have become more aware of the need to invest in security. It’s important to be proactive, have the right technology and people in place, and have a strong security posture where people understand their requirements.
Everybody in the organization is part of the security solution: users are being trained not to click on phishing emails, and administrators are learning how to store and save data—what needs to be saved and what doesn’t. There’s a whole host of things organizations can do to minimize their target space and better protect their environment, and they need to do that on the front side.
Phoebe Yang: The term “zero trust” gets thrown out a lot and it’s been around for many years, but the idea of never trusting/always verifying seems to be more important now than ever. Can you explain why zero trust is essential to a modern security strategy?
Shawn Henry: When we think of zero trust, there’s no perimeter anymore. The overwhelming majority of what folks are doing is in the cloud. This concept of the perimeter has really kind of evaporated, and we see adversaries taking over user identities, gaining credentials, elevating their privileges, and moving laterally through the environment. It’s incredibly difficult to identify that type of activity when somebody takes those actions, and the threat risk for a company increases dramatically.
The principle of zero trust is about increasing rigor in the system by ensuring that individuals are authenticating. It should be seamless and transparent in many ways. You don’t want to add a lot of friction to the user. You don’t want to impact efficiency in the environment. There’s always going to be a bit of a balance between security and friction. But I think it’s a necessary step for organizations to take right now to keep their environment safe because the risk is just too high.
Phoebe Yang: Within healthcare, we are seeing a proliferation of devices, both collecting and disseminating data, in many settings, both clinical and beyond. In light of this rapid rise of the Internet of Things (IoT), including critical medical equipment, what are the implications for security across the board?
Shawn Henry: Introducing new devices into the environment adds vulnerabilities and targets. Medical equipment, heart monitors, and a whole host of IP-enabled diagnostic devices are part of IoT—each one is vulnerable, and each represents a potential ingress that could allow an adversary to jump into the broader IT environment. However, security is too often an afterthought. Companies need to understand that as a target space gets bigger, they need to have a wider aperture and a broader lens so they can see what’s happening in the environment.
The first thing is making sure the devices you’re putting onto the network are protected with secure, unique passwords. Many are shipped with common passwords right out of the box, or pre-assigned passwords are hard coded in and need to be updated. It’s also important to think about the healthcare supply chain. Agencies are partnering together, acquisitions are being made—every single organization you’re connected to or doing business with is a potential ingress into your environment. Organizations have to ask themselves questions about vendors and patients who have access to certain parts of the environment. How are they controlled? What is the nature of each individual’s access? What is the visibility into those types of access? You can’t just rely on the security of your proper network; you have to consider everybody who’s connected to that network.
Phoebe Yang: Attacks can come through completely unexpected avenues. Is the necessary kind of protection really possible in an on-premises environment, especially with a complex supply chain and a high number of devices connected?
Shawn Henry: I think that with the movement to the cloud, there are some folks who have concerns about the cloud from a security perspective. I see it the opposite way. I think that the cloud provides flexibility and visibility. It provides access for security teams to have a better understanding of what the environment looks like to have better control over their environment. And when you’ve got devices that are moving; such as people taking heart monitors to use at home, you’ve got diagnostic equipment that’s moving. It’s not necessarily on the corporate security stack. And because it’s not on the security stack, you lose visibility. However, in a cloud-enabled environment, you’ve got much more visibility because using the cloud from a security perspective provides the opportunity to see devices regardless of where they may be. As long as they’re connected to the internet, you’ve got visibility. And if you’ve got visibility, you’ve got an opportunity to protect those devices. So I think cloud technology is an especially important component of any security program in this space.
Phoebe Yang: Have you observed significant operational differences between organizations that have moved to the cloud and those that have not?
Shawn Henry: Generally, when we see this digital transformation and the movement to the cloud, organizations see great value in the beginning. They recognize that they’ve got visibility into spaces they previously didn’t and that it provides more functionality. From a security perspective, a cloud environment makes it possible to be much more responsive and proactive. On-premises legacy devices simply aren’t conducive to the way we do business now. We’re in a new phase of life. And this digital expansion is not going to slow down. It’s going to continue to get bigger and much broader. I think those that have embraced cloud technology find that their business is more effective and more efficient. And then again, from a security perspective, I think you’re in a much stronger position to maintain the integrity of the data and the environment. It’s still the early days of cloud, even though it’s been around for a long time. But, I think I say early days because the adoption is growing and with what we’re seeing as organizations move, I think that they’ll only see a positive ROI and their experiences are going to be overwhelmingly positive as we go forward.
Phoebe Yang: I’ve heard you speak about the importance of the convergence of information technology (IT) and operational technology (OT) and targeting the gap between the two. Why is that important, and how does it translate into situations we face today?
Shawn Henry: IT has typically been considered part of the corporate enclave, whereas OT is most prominent in the manufacturing sector. In some organizations, we’ve seen the two separate groups have almost an adversarial relationship; there’s not a lot of collaboration there. They certainly are very different types of technology; however, I think organizations are missing an opportunity if they’re not examining both IT and OT from a holistic security perspective.
Adversaries who are targeting IT are going to target OT. The two business units should be talking to each other, sharing intelligence, understanding who the actors are that might be targeting them, and sharing best practices. There has been some movement towards that as some OT environments have been hit with ransomware attacks, causing companies to lose the ability to manufacture their products. Both IT and OT environments are required for a given organization to meet the needs of their customers. If you’re not looking at both of those environments in a comprehensive way, you’re missing opportunities and leaving yourself vulnerable.
Phoebe Yang: OK, here’s the million-dollar question. If you’re the subject of a ransomware attack, do you pay the ransom?
Shawn Henry: That’s a nuanced question. I would say it depends. I don’t support terrorists, criminal groups, or organizations that are destroying the fabric of our lives. When you look at ransomware attacks that have hit municipalities and shut down cities for weeks, it’s destroying the fabric of what we are. So I don’t subscribe to supporting and funding those organizations. That being said, I’m aware that there are some multi-billion-dollar organizations that would have been out of business if they had not paid the ransom. The attack constituted an existential threat to their entire organization. All of their data was encrypted. They had no way to recover it. They didn’t have backups or they couldn’t recover the backups.
What I encourage people to do—as we’ve already discussed—is invest on the front side. We know the actors are out there with nefarious intent, capability, and capacity. They are not slowing down, so you need to prepare for it and protect yourselves proactively. You can identify attacks by hunting in your environment and looking for unusual behavior. You need to have the right technology, the right posture, and the right people in place to mitigate the attacks by disrupting them and limiting the consequences. That’s the best outcome. The attacks are going to come, so your preparation and your response are what will determine your success and survival.
I don’t want anybody to ever be in the position of paying a ransom. But if you’re stuck in the position where you have to pay it, you’re in a precarious spot. It could be illegal to pay the ransom. The government has actually put protocols in place that make it a criminal act for organizations to pay ransoms to certain groups, such as certain terrorist organizations. In the last six months, the Treasury Department instituted processes that identified some of the groups that are launching ransomware. In light of those federal penalties, it’s even more worthwhile to invest on the front side. Don’t nickel and dime this—the risk is too high. If you’re strategic and thoughtful and you’ve got the right personnel in place, you can successfully avoid these types of attacks and ensure the safety and integrity of your environment.
You can now read part two of this executive conversation, in which we explore how to position cybersecurity to board members and executives. Also, to learn more about how AWS is helping Healthcare organizations, visit: https://aws.amazon.com/health/.
Shawn Henry serves as President of CrowdStrike Services and Chief Security Officer of CrowdStrike, leading a world-class team of cybersecurity professionals in investigating and mitigating targeted attacks on corporate and government networks globally. Under his leadership, CrowdStrike engages in significant proactive and incident response operations across every major commercial sector and critical infrastructure, protecting organizations’ and governments’ sensitive data and networks around the world. Henry’s work includes educating boards of directors and executives of key companies on critical proactive security measures, governance, and corporate readiness in the event of a breach. He also oversees all security aspects of global CrowdStrike facilities, personnel, executive protection, and corporate events.