Episodes

  • Fortifying Healthcare Data: Proactive Defense Strategies
    Jun 25 2024

    The recent breach of the Change Healthcare platform is a strong reminder that the healthcare sector remains extremely vulnerable to many types of attack. In late February, the ransomware gang known as ALPHV/BlackCat claimed responsibility for hacking Change Healthcare, a subsidiary of UnitedHealth Group. The intruders disrupted operations and stole up to four terabytes of data, including personal information, payment details, insurance records, and other sensitive information. A ransom payment of $22 million is also reported to have been made. Even more concerning, Change Healthcare is now being extorted again by a second ransomware group. Incidents such as this jeopardize the survival of countless healthcare providers nationwide through delays in patient care and in reimbursements. The hack sent massive economic and legal shockwaves across the US healthcare industry, from major industry players to small-town, rural physician practices. In this episode, Amer Deeba, CEO and Co-founder at Normalyze, joins me to review the state of cybersecurity maturity in the healthcare industry and to talk about proactive defense strategies for fortifying sensitive healthcare data.

    Action Items

    • Quantify the value of sensitive data assets and identify the highest risk areas.
    • Implement continuous monitoring and controls where sensitive data resides.
    • Connect data security priorities to organizational mission and goals to gain leadership buy-in.
    • Innovate solutions focused on data visibility, classification, access controls, and continuous auditing.

    Time Stamps

    

    00:02 -- Introduction

    03:18 -- Guest's Professional Highlights

    04:19 -- State of Cybersecurity Maturity in the Healthcare Industry

    09:01 -- Consequences of healthcare data leak

    10:54 -- Challenges of securing healthcare data

    12:03 -- Practical strategies for securing healthcare data

    18:07 -- A proactive approach to securing healthcare data

    21:55 -- Best practices

    29:21 -- Making the business case

    32:46 -- Closing Thoughts


    Memorable Amer Deeba Quotes/Statements

    "We're expecting that by 2026, about 175 zettabytes of data will be available across multiple types of cloud environments."

    "It all starts by understanding where are your most important and critical assets, where are your crown jewels, and whether you are able to understand at any point in time where this information is, who has access to that information, how can they access that information? Do you have the right controls and mechanisms in place in order to secure it, to understand the value of it for your organization and make sure that it's fortified from such attacks."

    "With data exploding and moving everywhere, between environments and between cloud and SaaS applications and on-prem, this is the new frontier for attackers."

    "You're not boiling the ocean; you are prioritizing based on where your most sensitive information is, and you are making sure there are no attack paths to this data."

    Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

    Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

    Connect with Dr. Chatterjee on these platforms:

    LinkedIn: https://www.linkedin.com/in/dchatte/

    Website: https://dchatte.com/

    Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

    37 m
  • Quantum Computing and Cybersecurity – Examining Trends and Implications
    Jun 5 2024

    The fast-evolving field of quantum computing represents a paradigm shift in how computers process data. Because it can simulate physical systems and solve certain classes of complex problems at speeds classical machines cannot match, quantum computing holds great promise for new material discovery, portfolio optimization in finance, and more. It also poses a significant threat to cybersecurity, requiring a change in how we encrypt our data. Even though today's quantum computers cannot yet break the public-key encryption in common use, we need to stay ahead of the threat and deploy quantum-resistant solutions now: data harvested today can be decrypted once a sufficiently powerful quantum computer exists, and if we wait until that point, it will be too late. I had the pleasure of discussing the quantum computing phenomenon and its cybersecurity implications with Duncan Jones, Head of Cybersecurity at Quantinuum. We discussed the potential threats and opportunities of quantum computing for cybersecurity, as well as its potential to revolutionize various industries. We recognized the need for new algorithms that resist quantum attack, staying ahead of technological innovations, investing in cybersecurity measures, and prioritizing the migration of sensitive data to quantum-resistant algorithms.

    Action Items

    1. Assess organizational risk exposure to quantum computing threats such as "store now, decrypt later" attacks, in which encrypted traffic is captured today for decryption later.
    2. Prioritize migration of sensitive, long-lived data to quantum-safe encryption.
    3. Speak to vendors about their roadmaps for quantum-safe migration.
    4. Explore available quantum random number generators and other quantum cybersecurity technologies through pilot programs and starter kits.
    5. Choose credible service providers who partner with reputable organizations and can prove their claims.
    6. Raise awareness of quantum computing implications among leadership and get buy-in for piloting relevant quantum cybersecurity technologies.
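    Action items 1 and 2 ask for an exposure assessment and a migration priority order. One practical way to produce both is Mosca's inequality (a technique from the PQC literature, not something the episode itself describes): for each data asset, if the years the data must stay confidential (x) plus the years the migration will take (y) exceed the estimated years until a cryptographically relevant quantum computer exists (z), that data is already exposed to "store now, decrypt later" harvesting. The script below is an added example, not code from the episode, Quantinuum or the host; the asset inventory, the algorithm names, the lifetimes and the ten-year z estimate are all constructed assumptions.

```python
"""Prioritizing data for quantum-safe migration with Mosca's inequality.

For each asset: x = years the data must stay confidential, y = years the
migration will take, z = estimated years until a cryptographically relevant
quantum computer (CRQC) exists. If x + y > z the data is already exposed to
"store now, decrypt later" harvesting and belongs at the top of the list.
All assets, lifetimes and the z estimate below are constructed examples.
"""
from __future__ import annotations
from dataclasses import dataclass

# Public-key schemes a CRQC running Shor's algorithm breaks outright.
# Symmetric ciphers and hashes are not listed: they lose margin (Grover)
# but do not break, and ML-KEM/ML-DSA are already quantum-resistant.
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-4096", "ECDSA-P256", "ECDH-P256", "X25519", "DH-2048"}


@dataclass(frozen=True)
class Asset:
    name: str
    key_exchange: str          # scheme protecting the data's key or transport
    shelf_life_years: float    # x
    migration_years: float     # y


@dataclass(frozen=True)
class Finding:
    name: str
    exposed: bool
    margin_years: float        # z - (x + y); negative means already too late


def assess(asset: Asset, z_years: float) -> Finding:
    """Apply x + y > z to a single asset."""
    if asset.key_exchange not in QUANTUM_VULNERABLE:
        return Finding(asset.name, False, float("inf"))
    margin = z_years - (asset.shelf_life_years + asset.migration_years)
    return Finding(asset.name, margin < 0, margin)


def prioritize(assets: list[Asset], z_years: float) -> list[Finding]:
    """Order findings most urgent first (smallest margin)."""
    return sorted((assess(a, z_years) for a in assets), key=lambda f: f.margin_years)


# Constructed inventory; z = 10 years is an assumption, not a forecast.
Z_YEARS = 10.0
SAMPLE_ASSETS = [
    Asset("patient-records-archive", "RSA-2048", shelf_life_years=25, migration_years=3),
    Asset("session-tokens", "X25519", shelf_life_years=0.1, migration_years=1),
    Asset("board-minutes-backup", "ECDH-P256", shelf_life_years=7, migration_years=2),
    Asset("site-to-site-vpn", "ML-KEM-768", shelf_life_years=10, migration_years=0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_ASSETS, Z_YEARS):
        flag = "MIGRATE NOW" if f.exposed else "schedule"
        print(f"{flag:12} {f.name:26} margin={f.margin_years:+.1f}y")
```

    The point of the margin column is that the ranking changes with z: the board-minutes backup is safe at z = 10 but exposed at z = 5, so the inventory should be re-run whenever the CRQC estimate is revised rather than treated as a one-off assessment.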


    Time Stamps

    

    00:02 -- Introduction

    01:59 -- Guest's Professional Highlights

    06:19 -- Overview of Quantum Computing

    08:19 -- Commercially Leveraging Quantum Computing

    10:51 -- Evolution of Quantum Computing and Cyber Attacks

    12:55 -- Recommendations on Leveraging Quantum Computing Benefits and Securing Data from Quantum Computing Enabled Cyber Attacks

    17:49 -- Roadmap for Proactive Safeguards

    23:34 -- Can quantum computing enabled encryption ensure that even if a human is a victim of a phishing attack, it will be hard to get into systems? Is that a fair aspiration?

    26:38 -- What recommendations would you make for organizations who are trying to explore and adopt quantum computing?

    29:19 -- Cybersecurity Challenges and Hurdles

    32:52 -- Challenges of Quantum-Safe Migration

    34:09 -- Cryptographic debt

    37:32 -- Final Thoughts


    Memorable Duncan Jones Quotes/Statements

    "I think of my career as a series of very fortunate accidents, rather than some very carefully planned out thing."

    "Quantum computing as a different form of computation, as opposed to necessarily always a better form of computation."

    "Leading companies are now starting to engage with quantum computing because they know they have to build the skill sets, they have to develop the intellectual property that will begin to deliver value in the not too distant future."

    "Quantum computers are becoming more and more powerful every year."

    "We'll actually see quantum as a big benefit for cybersecurity, but we've got some headaches to get through...

    40 m
  • Creating a Security-Minded Culture
    May 22 2024

    In this podcast, I enjoyed talking with Chirag Shah, Model N's Global Information Security Officer and Data Privacy Officer, about creating a security-minded culture. Infusing a security culture within organizations starts with leadership buy-in and support. Chirag highlighted the need for interactive and engaging training programs tailored to specific departments, involving real-world examples and practical scenarios. He stressed the significance of fostering a security mindset among employees through daily reminders and reinforcement and leveraging free or low-cost resources to implement effective security awareness programs. Chirag also emphasized the need for a strategic approach to security and a security-minded culture where employees are empowered and responsible for maintaining a strong security posture.

    Action Items

    • Develop an interactive program that delivers bite-sized security awareness content, quizzes, and scores performance.
    • Organize escape room and security hackathon events as hands-on learning initiatives.
    • Contextualize training for specific employee roles and responsibilities.
    • Incorporate security into employees' goals and recognize adherence to policies.
    • Lead by example and make security part of the company's vision and operations.

    

    Time Stamps

    

    00:02 -- Introduction

    02:38 -- Guest's Professional Highlights

    04:14 -- Why do you emphasize the importance of infusing a culture of security?

    06:35 -- How do you create a security-minded culture?

    09:42 -- How do organizations create engaging and effective cybersecurity awareness training to develop security-minded cultures and cyber hygiene habits among employees?

    15:49 -- Personalizing security

    19:49 -- Dealing with common challenges and hurdles associated with creating security-minded cultures.

    27:53 -- How do you get top management buy-in?

    29:05 -- Creating a culture of accountability

    36:35 -- Treating cybersecurity as a strategic enabler

    37:57 -- Final Thoughts


    Memorable Chirag Shah Quotes/Statements

    "Security belongs to everyone, not just the security team. It's about embedding security awareness and responsibilities into the vision, mission, and day-to-day operations of all departments and employees."

    "Security should become part of the daily goals for the execution of the business."

    "Focus on security awareness training that is engaging, fun, and rewarding for employees, and move beyond annual compliance training to create a continuous security learning culture."

    "When anyone asks, how big is your security team, I say about 1300 some people, right, because that's what my company is. All of them are our security team, and they are the security champions, and they helped me manage and drive the security program to the next level."

    "What you want to do is implement a phased approach to security awareness training, starting with basic concepts and gradually increasing the complexity of those concepts."

    "90% of the employees in US companies use laptops to conduct personal transactions, whether they're paying the credit card bill or they're booking travel tickets, they're all doing it online, and using a company laptop."

    "Appoint security champions within different departments to assist in training and awareness."

    "The message has to be very simple and to the point, so employees can understand and have an open dialogue."

    "Implement pre-and post-training assessments and measure changes in employee knowledge."

    "Leaders and managers should lead by...

    40 m
  • Securing the Future: Inside Student-Led Cybersecurity Clinics
    May 5 2024

    Student-led cybersecurity clinics are increasingly playing an essential role in strengthening the digital defenses of nonprofits, hospitals, municipalities, small businesses, and other under-resourced organizations in our communities, while also developing a talent pipeline for cyber-civil defense. Sarah Powazek, Program Director - Public Interest Cybersecurity at the University of California, Berkeley Center for Long-Term Cybersecurity (CLTC), sheds light on this important development. One of the highlights of the discussion was the recognition that the cybersecurity field is a melting pot of different skill sets. In Sarah's words, "it's actually one of the biggest advantages we have; threats are changing every day. If we don't have folks from different backgrounds and different life experiences, we're really not going to be prepared; we're not going to be able to adapt."

    Time Stamps

    00:02 -- Introduction

    01:46 -- Guest's Professional Highlights

    04:35 -- Center for Long-Term Cybersecurity (CLTC) Initiatives

    06:13 -- Training students

    07:20 -- How do the cybersecurity clinics benefit students?

    09:11 -- Resources for Non-Profits and Under-Privileged Organizations

    11:01 -- Types of Clients for Student-Run Cybersecurity Clinics

    11:42 -- Guidance to universities who want to create student-led cybersecurity clinics

    14:29 -- Consortium of Cybersecurity Clinics

    17:20 -- Non-technical roles in cybersecurity

    18:46 -- Cybersecurity field is a melting pot of different skill sets

    21:12 -- Different Cybersecurity Roles

    23:32 -- Final Thoughts


    Memorable Sarah Powazek Quotes/Statements

    "Cybersecurity clinics are modeled after medical and law school clinics."

    "We're running programs where students will learn how to provide a cybersecurity maturity assessment. We accept students from all different majors, at least at UC Berkeley, it's very interdisciplinary. They spend the first part of the course learning all about cybersecurity and about the basics, basic cyber hygiene, multi-factor authentication, regular patching schedules, incident response plans, etc."

    "There isn't a real clear academic pathway into cybersecurity."

    "One of the big student-run clinics is the University of Nevada, Las Vegas. They operate as a student club; the students train each other, create programming, and engage with the clients, and they operate year-round. They've got a really interesting model for clinics where they're working with clients, but the students are really the ones taking on that responsibility. And the faculty advises them."

    "We have a toolkit on the Consortium's website that actually has step-by-step instructions on how to design a clinic. How do you pick out the curriculum?"

    "There's a couple of things that we really encourage folks to have, if they want to start up a clinic program, the first is a faculty champion."

    "So we've really switched the focus and formed the consortium a number of years ago around centralizing resources, making it easier for folks around the country to start up programs, making the programs even better and more effective at both training students and providing real value to clients. And we have a goal of having a clinic in every state by 2030."

    "I think that there are many people worldwide who care about the mission and protecting their communities but haven't gotten some of those skills yet. And anyone can learn. Anyone can learn cybersecurity. I truly believe that, I think people from all backgrounds provide something really valuable to the field."

    "Cybersecurity is really a trade. It's something that anyone can learn."

    "I'm starting to meet a lot of...

    28 m
  • Developing Resilient and Secure Mission Critical Facilities (Data Centers)
    Apr 24 2024

    Developing and maintaining resilient and secure data centers is a huge part of cybersecurity readiness. Spiros Liolis, Chief Technologist and Managing Consultant, EYP Mission Critical Facilities, Part of Ramboll, joins me to discuss the challenges and best practices of creating and maintaining state-of-the-art data centers. Topics covered include a) elements and attributes of resilient data centers, b) creating and maintaining a resilient and adaptive data center, and c) the different types of risks – geological, meteorological, and human – that must be considered when building and maintaining the data centers.

    Time Stamps

    00:02 -- Introduction

    00:49 -- Setting the Stage and Context for the Discussion

    01:54 -- Guest's Professional Highlights

    02:56 -- Overview of Data Center Resiliency

    05:41 -- Criticality of Data Centers

    07:53 -- Key Elements of a Resilient Data Center

    12:06 -- Build Your Own or Co-locate

    15:00 -- Assessing the Effectiveness of a Data Center

    19:32 -- Significance of Simulated Exercises/Tabletop Exercises

    21:46 -- Importance of On-Site Visits

    23:56 -- Technical, Commercial and Operational Due Diligence

    26:17 -- Adaptive Design

    28:32 -- Data Center Facility Locations

    30:15 -- Best Practices & Final Thoughts


    Memorable Spiros Liolis Quotes/Statements

    "Everything we do today, as professionals and as consumers, relies heavily on data centers."

    "There's a cloud of course, but nothing up there, 35,000 feet above the ground, is hosting servers. The cloud is practically data centers on Earth, right."

    "What do we mean by secure and resilient data centers? We refer to the ability of essential data center infrastructure to withstand and recover from disruptions and ensure their continued operations."

    "When we talk about potential threats, we need to think of them in terms of geological, meteorological, accidental, or even intentional risks. These are primarily the risk types we talk about when it comes to data center resiliency."

    "The moment you power up a data center, you practically cannot shut it down."

    "So the resiliency of a data center must consider how to build enough redundancy by design and by implementation into these data centers."

    "So our methodology is to look at the different risk factors that may have an impact on the facility itself, whether it is your own, or whether it is being hosted; you need to evaluate, and measure the impact of different risks and these are geological risks, meteorological risks and human risks, whether accidental or unintentional."

    "Nothing beats an on-site visit to check a data center's resiliency."

    "So the hybrid design is really all about building the necessary critical infrastructure that capitalizes on multiple sources of energy."

    "Education awareness is absolutely paramount. And that is probably one of our faults as well, data centers today are considered to be the naughty neighbors. I mean, they say, Oh, they're energy consuming, they take our water, they take our power; we as an industry need to educate our communities, we need to tell them what is it that we do. And of course, we need to make sure that we build them in a sustainable way, we'll use renewables, we will become community friendly. All of that must happen."


    34 m
  • Securing Application Programming Interfaces (APIs)
    Apr 10 2024

    Application Programming Interfaces (APIs) play a vital role in modern software development, enabling the integration of services and facilitating the exchange of information. The ubiquity of APIs is a testament to their success in supporting many functions. However, their prominence has also made APIs a target for cyberattacks. Jeremy Snyder, Founder & CEO of Firetail.io, joins me in discussing how to secure APIs effectively. Our discussion revolves around the following questions:

    What do we need APIs for? Why do we need API security? What are the consequences of lax API security?

    What are the risks of APIs today? How can we remedy current API security issues?


    Time Stamps

    

    00:02 -- Introduction

    00:49 -- Setting the Stage and Context for the Discussion

    02:26 -- Guest's Professional Highlights

    04:37 -- Overview of APIs

    09:12 -- Common API Security Risks and Vulnerabilities

    12:29 -- Design with security in mind

    13:23 -- Securing APIs

    13:36 -- Integrating Security into the Development Process

    13:52 -- Different Ways of Security Testing APIs

    17:08 -- Vulnerability Monitoring and Promptly Acting on Alerts

    19:22 -- Role of Humans in Acting on Vulnerability Alerts

    21:33 -- Staying on the Right Side of the Law

    23:37 -- Significance of Maintaining Logs

    25:36 -- Selecting Robust APIs

    27:59 -- Key Takeaways

    28:57 -- API Governance

    30:25 -- Zero Trust Approach

    32:10 -- Use of APIs in Leveraging Large Language Models (AI)

    33:41 -- API Governance and Taking Ownership

    36:12 -- Final Thoughts


    Memorable Jeremy Snyder Quotes/Statements

    "Application Programming Interface (API) -- It's basically the way two pieces of software talk to each other, that can be to send data from system A to system B, or that can be for system A to request system B to process something for it."

    "We've got sensitive data crossing the wires over an API, but we've also got critical business functions like processing credit card transactions over an API."

    "APIs are pretty much happening behind the scenes; they enable a huge volume of interactions and transactions every day."

    "So we've been cataloging the API data breaches for the last couple of years, these breaches go back about a decade or started about a decade ago, or let me say started to be recognized about a decade ago. And as we've catalogued them, we've kind of categorized them as well, to try to understand in each of these breach scenarios, what was the primary error or breach vector? How was the API breached? And if there's a secondary cause, or things like that, we look at that as well. Two of the main things that we see are really authentication and authorization."

    "Authorization turns out to be the number one root cause of data breaches around APIs. And this has been true for many years now."

    "Proactive security is always much cheaper than reactive security."

    "From the proactive standpoint, the number one thing that any provider of an API can do is actually just check the APIs before they go live."

    "You should actually pen test your APIs before they go live."

    "Very often, we find that APIs get shipped into production environments without going through either the static code analysis, or the pre-launch testing."

    "The average time that a vulnerability existed in a production environment before being patched and updated, was around 180 days."

    "The best practice that we recommend to customers about reacting to the logs or the alerts or the suspicious conditions that you're seeing in your logs
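    The authorization failure Jeremy describes as the leading root cause of API breaches is usually an endpoint that authenticates the caller and then trusts whatever object id they supply. The snippet below is an added example, not code from the episode, Firetail or the host: a minimal in-process stand-in for an API route (no web framework, so it runs offline) showing the vulnerable handler beside the hardened one. The users, bearer tokens, invoices and the `authz_denied` log line are all constructed assumptions; the hardened handler returns the same 404 for "missing" and "not yours" so that an id-enumerating caller learns nothing, and logs the denial so the suspicious condition is visible in the logs the episode goes on to discuss.

```python
"""Object-level authorization on an API endpoint: the bug and the fix.

A minimal in-process "API" that returns invoices by id. get_invoice_vulnerable
authenticates the caller but never checks that the invoice belongs to them,
so any logged-in user can read any invoice by guessing ids. get_invoice adds
the ownership check and logs every denial so the attempt is visible in the
logs. Users, tokens and invoices are constructed sample data.
"""
from __future__ import annotations
import logging
from dataclasses import dataclass
from typing import Callable, Optional

log = logging.getLogger("api")


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


# Constructed stores: bearer token -> user id, invoice id -> invoice.
TOKENS = {"tok-alice": 1, "tok-bob": 2}
INVOICES = {
    100: Invoice(100, owner_id=1, amount_cents=12_000),
    101: Invoice(101, owner_id=2, amount_cents=999_900),
}


def authenticate(token: Optional[str]) -> int:
    """Resolve a bearer token to a user id, or fail with 401."""
    if token is None or token not in TOKENS:
        raise ApiError(401, "unauthenticated")
    return TOKENS[token]


def get_invoice_vulnerable(token: Optional[str], invoice_id: int) -> Invoice:
    """Authentication only: a valid user can fetch ANY invoice id."""
    authenticate(token)
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise ApiError(404, "not found")
    return invoice


def get_invoice(token: Optional[str], invoice_id: int) -> Invoice:
    """Authentication plus an object-level ownership check."""
    user_id = authenticate(token)
    invoice = INVOICES.get(invoice_id)
    # Same 404 for "missing" and "not yours", so the endpoint does not
    # confirm which ids exist to a caller that is enumerating them.
    if invoice is None or invoice.owner_id != user_id:
        log.warning("authz_denied user=%s invoice=%s", user_id, invoice_id)
        raise ApiError(404, "not found")
    return invoice


def status_of(handler: Callable[[Optional[str], int], Invoice],
              token: Optional[str], invoice_id: int) -> int:
    """Run a handler and report the HTTP status it would have returned."""
    try:
        handler(token, invoice_id)
        return 200
    except ApiError as e:
        return e.status


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Bob (user 2) asks for Alice's invoice 100 through both handlers.
    print("vulnerable:", status_of(get_invoice_vulnerable, "tok-bob", 100))  # 200
    print("hardened:  ", status_of(get_invoice, "tok-bob", 100))             # 404
```

    The fix is one comparison, which is why this class of bug survives code review: the static analysis and pre-launch pen test Jeremy recommends should include an authenticated user requesting another user's object ids, since nothing about the vulnerable handler looks wrong in isolation.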

    39 m
  • The Last Line of Defense Against a Ransomware Attack
    Mar 27 2024

    Attackers are increasingly targeting victims' backups to prevent organizations from restoring their data. Veeam's "2023 Ransomware Trends Report" found that 93% of ransomware attacks specifically targeted backup data. My discussion with Gabe Gambill, VP of Product and Technical Operations at Quorum, revolves around the following questions:

    • What vulnerabilities of data backups do ransomware attackers exploit?

    • What are the common mistakes and barriers when recovering from a ransomware attack?

    • How do you successfully recover from a ransomware attack?

    Time Stamps

    

    00:02 -- Introduction

    00:49 -- Setting the Stage and Context for the Discussion

    01:41 -- Guest's Professional Highlights

    02:16 -- Revisiting Ransomware Attacks

    03:24 -- Phishing, the Primary Delivery Method for Ransomware

    04:33 -- Ransomware Attack Statistics

    05:34 -- Payment of Ransom

    06:51 -- Protecting and Defending from Ransomware Attacks

    08:07 -- Franchising Ransomware

    08:51 -- Last Line of Defense against a Ransomware Attack

    10:23 -- Data Backups and Prioritization

    11:33 -- Data Recovery Best Practices

    13:31 -- Holistic Approach to Tabletop Exercises

    14:40 -- Significance of Practicing the Data Recovery Process

    14:48 -- Common Mistakes and Barriers when Recovering from a Ransomware Attack

    18:47 -- Being Appropriately Prepared For Disaster Recovery

    20:38 -- Vulnerability Management

    21:37 -- Reasons for Not Being Proactive

    24:48 -- CISO Empowerment

    25:54 -- Cross-Functional Involvement and Ownership

    26:56 -- CISO as a Scapegoat

    28:43 -- Multi-factor Authentication

    29:47 -- Best Practices to Recover from Ransomware Attacks

    31:26 -- Final Thoughts


    Memorable Gabriel Gambill Quotes/Statements

    "The next logical step was ransomware, where they're taking your data, and they're literally encrypting it right from under your nose and holding you accountable, so that they can get money out of you to give you back your own data."

    "More people are paying and not talking about it, which is the worst thing you can do in that situation."

    "80% of people that are hit with ransomware are hit again. So if I'm the ransomware person, who am I going to attack? I'm going to attack Caesars Palace (hotel in Las Vegas) again, I know they're going to pay. So there's the trade off there between the right thing to do and the hard thing to do."

    "The last line of defense are your backups. So it's like an onion, you're gonna have multiple layers of defense, you're gonna have security layers on your perimeter, you're gonna have antivirus, you're gonna have endpoint protection, you're gonna have things such as network scans. There's all kinds of things you can do to provide layers of protection into your environment."

    "The ransomware attack is not through vulnerabilities as much as through phishing. And because of that, people are the weakest link in your security plan, inevitably, it's going to happen to everybody."

    "The most common thing that I've found is when they recover from ransomware, they don't contact their insurance first. And the bad part about that, whether you're going to pay whether you're not going to pay, if you didn't contact your insurance first, chances are, they're not going to pay you back."

    "The other big mistake I see is people rushing the recovery to get back online versus getting back online safely."

    "On the technical side, the mistakes that I often see people make is they want everything to be integrated and simple. And there is a level for that in your production environment that is...
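    If backups are the last line of defense and attackers deliberately go after them, a restore has to start by proving the backup set is what was written, not what an intruder left behind. The script below is an added example, not code from the episode, Quorum or the host, of one way to do that: at backup time, hash every file into a manifest and authenticate the manifest with an HMAC key that lives only on an offline or immutable system, so an attacker who encrypts, drops or adds files on the backup host cannot produce a matching manifest. The file contents, paths and key are constructed assumptions; `verify()` returns a list of problems and an empty list only when the set is intact, which is the check to run before any "get back online fast" restore.

```python
"""Verify a backup set against a keyed manifest before restoring it.

At backup time: hash every file, write the hashes into a manifest and HMAC
the manifest with a key that is kept off the backup host (offline or on an
immutable store). Before a restore: recompute the HMAC, then compare every
file hash. Tampering with the files, or forging a manifest without the key,
fails verification. Paths, contents and the key are constructed sample data.
"""
from __future__ import annotations
import hashlib
import hmac
import json


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict[str, str]) -> bytes:
    """Stable serialization so the HMAC is over identical bytes both times."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict[str, bytes], key: bytes) -> bytes:
    """Return JSON {"entries": {path: sha256}, "hmac": tag} as bytes."""
    entries = {path: file_digest(data) for path, data in sorted(files.items())}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}).encode()


def verify(files: dict[str, bytes], manifest: bytes, key: bytes) -> list[str]:
    """Return problems found; an empty list means the backup set is intact."""
    doc = json.loads(manifest)
    entries = doc["entries"]
    expected = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    # Check the manifest itself first: if it was forged, the file hashes in
    # it are attacker-controlled and comparing against them proves nothing.
    if not hmac.compare_digest(expected, doc["hmac"]):
        return ["manifest HMAC mismatch (manifest forged or wrong key)"]
    problems = []
    for path, digest in entries.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif file_digest(files[path]) != digest:
            problems.append(f"modified: {path}")
    for path in files:
        if path not in entries:
            problems.append(f"unexpected: {path}")
    return problems


# Constructed backup set. The key must NOT be stored alongside the backups.
MANIFEST_KEY = b"offline-manifest-key-example"
GOOD_SET = {
    "db/2024-03-01.dump": b"CREATE TABLE patients (id INT, name TEXT);",
    "config/app.yaml": b"db: prod\n",
}
MANIFEST = build_manifest(GOOD_SET, MANIFEST_KEY)


def ransomware_hit(files: dict[str, bytes]) -> dict[str, bytes]:
    """Constructed tampering: one file encrypted in place, one deleted, one added."""
    tampered = dict(files)
    tampered["db/2024-03-01.dump"] = b"\x8f\x13\xa2\x77\x00\xde\xad\xbe\xef"
    del tampered["config/app.yaml"]
    tampered["README_TO_DECRYPT.txt"] = b"your files are encrypted"
    return tampered


if __name__ == "__main__":
    print("clean set:   ", verify(GOOD_SET, MANIFEST, MANIFEST_KEY))
    print("after attack:", verify(ransomware_hit(GOOD_SET), MANIFEST, MANIFEST_KEY))
```

    The same manifest also gives the rehearsal Gabe recommends something to measure: a restore drill that ends with `verify()` returning an empty list has proven both that the backup is readable and that nothing on the backup host was altered since it was written.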

    35 m
  • Overcoming the Stale Nature of Tabletop Exercises
    Mar 13 2024

    While tabletop exercises (TTX) are considered a proven tool for finding gaps in an organization's security posture, they can be painstaking to plan and implement effectively. At a time when information security teams are understaffed and overworked, are TTX still worth the time and resources? Or are there other ways of ensuring incident response readiness? Navroop Mitter, CEO of ArmorText, a mobile security and privacy startup, sheds light on the various aspects of tabletop exercises and their effectiveness as a preparedness tool.


    Time Stamps

    

    00:02 -- Introduction

    00:49 -- Setting the Stage and Compelling Stats

    02:48 -- Guest's Professional Highlights

    05:12 -- Overview of Tabletop Exercises

    07:15 -- Comparing Tabletop Exercises to Simulation

    11:12 -- Benefits of Running a Tabletop Exercise

    12:36 -- Tabletop Exercise Resources

    15:18 -- Legal Representation in Tabletop Exercises

    17:07 -- Doing Tabletop Exercises Right

    23:20 -- Mistakes To Be Avoided

    29:14 -- Building Resilient Communication Capabilities

    34:28 -- Final Thoughts


    Memorable Navroop Mitter Quotes/Statements

    "A tabletop is a tool for organizations seeking to enhance their cyber resilience and readiness. It helps you develop muscle memory and identify gaps in your existing plans or other opportunities for enhancement."

    "Unfortunately, too often, tabletops are seen as something the cyber folks do alone in their dungeons. But they're just as essential for C-suite senior leadership and the board."

    "When we're helping organizations think through tabletops, or the simulations they're going to run, whether it's a very quick, lightweight discussion around the table, or a much more nuanced, immersive simulation, we're asking them to assemble stakeholders like senior leadership board members, IT and security teams, public relations, communications teams, legal counsel, human resources and finance together. This is not about the technologist. It's not just about security. This is about operational resilience. And that means the entire organization."

    "When you test your IR plan, even without having a formal team in place, just testing the IR plan alone was nearly as effective; you still had 48 days saved just by having rehearsed and tested your plan, just by having run the playbook before, and understanding what it was to be in that scenario, or something similar to it."

    "I think the need of the hour is increased executive and senior leadership involvement."

    "Done right, tabletops are actually there to help you prepare for managing regulatory litigation and reputational concerns that often follow these events."


    39 m