A Game of Cat and Mouse: How the FBI is Confronting The Rise of Cyberattacks in Health Care

Hackers and cybercriminals are targeting hospitals and health systems at alarming rates, disrupting operations and threatening direct patient care. In this conversation, Bryan Smith, recently retired section chief of the Cyber Criminal Operations Section with the FBI, discusses how the Bureau tackles the huge challenge of protecting the nation's caregivers from these attacks, and how partnerships are crucial in prevailing against cybercriminals.


 

 

00:00:00:29 - 00:00:28:12
Tom Haederle
If the steady rise in hospital ransomware attacks has taught us anything, it's that cybercriminals never take a day off. Life saving technology, CT scanners, MRIs and heart monitors can all be - and are - targets for cybercriminals every minute of every day, disrupting hospital operations and threatening patient care until a ransom is paid. That means that the good guys, the defenders against these threat to life crimes, can never take a day off either.

00:00:28:15 - 00:00:42:09
Tom Haederle
Well, they don't. And their constant vigilance is making a difference.

00:00:42:11 - 00:01:08:25
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I’m Tom Haederle with AHA Communications. Hackers are targeting hospitals and health care companies at alarming rates. It’s a continual cat-and-mouse game. When a cybercrime ring is arrested or shut down, new ones quickly pop up in their place. In many ways, the FBI is the tip of the federal spear pushing back against cyber criminals and their ceaseless assaults on the health care sector.

00:01:08:28 - 00:01:33:16
Tom Haederle
In this podcast, hosted by John Riggi, the AHA’s National Advisor for Cybersecurity and Risk, we hear from Bryan Smith, recently retired section chief of the FBI's Cybercriminal Operations section, on how the Bureau tackles the huge challenge of protecting our caregivers from ransomware attacks and how critical it is to partner with the private sector to prevail in the long game against cyber criminals.

00:01:33:18 - 00:02:03:17
John Riggi
Thank you, Tom, and thanks for everybody tuning in today. We've got another great special episode on cybersecurity issues. I'm really pleased and privileged to be joined today by my good friend and former colleague Bryan Smith. Bryan is the section chief of the criminal section of the FBI's Cyber Division, and he's been in the FBI since 2002. So just over 20 years, tremendous change in cyber and all types of investigations in the FBI since that time.

00:02:03:24 - 00:02:07:10
John Riggi
Bryan, welcome. If you could, tell us a little bit about your background.

00:02:07:17 - 00:02:36:03
Bryan Smith
Great. Thanks, John. I really appreciate being here. And it's always good to have a conversation with you and looking forward to this talk today. Like you said, I've been in the Bureau for over 21 years. Prior to the Bureau, I did consulting work for Deloitte and Accenture, and then within the Bureau, I spent most of my time working white collar financial crime dealing with cryptocurrency and then probably for the last ten years, getting back to what I did before the Bureau, which was cyber.

00:02:36:06 - 00:02:52:11
Bryan Smith
Cyber is what white collar was 25, 30 years ago, and that cyber is just the new method by which folks are doing the same things that they've done since antiquity. They're stealing secrets, they're stealing money, they're trying to gain a competitive advantage. And so it's a really interesting space to work.

00:02:52:14 - 00:03:25:27
John Riggi
In as we realize the bad guys are evolving, just as technology is evolving, it's another way to steal money, much more effective and efficient way to steal money, steal secrets and commit crimes against the United States and our good citizens. But of course, the thing that we're most concerned about are these high impact ransomware attacks, which shut down medical technology in hospitals and health systems and really result in the very serious disruption and delay to health care delivery, ultimately risking patient safety.

00:03:25:29 - 00:03:53:13
John Riggi
Now, on the plus side, I can't have it all doom and gloom. On the plus side is that we as a field, as a hospital field, as a health care field, have come together just as we did during the pandemic, to exchange threat information and best practices and work with the government and very closely with the FBI in particular for the common defense, in the common good of the health care field and the nation, and most importantly, the nation.

00:03:53:15 - 00:04:05:06
John Riggi
Bryan, given your role as national leader for all FBI cyber criminal investigations, what do you see as the most significant cyber threat that is impacting health care today?

00:04:05:09 - 00:04:29:08
Bryan Smith
You know what I'd say is probably the biggest cyber threat that we're facing right now are I think the health care is facing right now is probably ransomware because it's immediate and it impacts hospitals' or medical facilities' ability to operate on any given day, which obviously has significant impacts on revenue, certainly has a significant impact on expenses as to we've got to still operate.

00:04:29:08 - 00:05:12:01
Bryan Smith
We can't bring money in because we don't have services that we can perform here. But as we've seen in a number of instances, it has a real life impact on individuals. And that the care that these individuals are needing, they are not able to get because of the ransomware attack. And so we've had some instances where, you know, you know better than I and people in this industry know better than I that the precision by which we get our medical care and the medications that we get are so precise in certain instances, be it chemotherapy or other specific ailments that we have, that if we don't have those records in front of us, we can harm

00:05:12:01 - 00:05:33:25
Bryan Smith
the patient. And so when an entity gets hit with ransomware and they're in a position where they cannot in good conscience deliver the care that the person needs because they can't tell what that amount and the dosage should be, that has a real life impact and can impact lives. And so it's critically important that we are all focused on that ransomware threat.

00:05:33:27 - 00:05:50:11
Bryan Smith
Yeah. And then on the economic side, there's the aspect of thinking about the long term intellectual property that's being stolen by foreign adversaries from our medical institutions that they're leveraging to create their own in direct competition with us.

00:05:50:13 - 00:06:32:23
John Riggi
Thanks for all that, Bryan. When a ransomware attack strikes a hospital and the encryption disables every piece of medical technology, shuts down our internal networks and our Internet connections, we have seen, unfortunately, time and again, a serious disruption and delay of health care delivery. So what does that mean? That means when there is a stroke patient en route to the nearest available emergency department and that hospital is under a ransomware attack, they're going to have to divert that ambulance because they won't have the necessary CT scanners perhaps available to diagnose that stroke case.

00:06:32:25 - 00:07:06:03
John Riggi
Really very serious consequences. That's why we say and I know the FBI Director Wray has publicly proclaimed that we believe and the FBI believes that ransomware attacks against hospitals are truly threat to life crimes. Given your role, national view, what do you believe are the most common vulnerabilities and methods being used by our cybercriminal adversaries to take advantage, to penetrate our networks, to steal our data and execute these highly disruptive ransomware attacks against U.S. health care?

00:07:06:06 - 00:07:29:23
Bryan Smith
Yeah. So by and large, the things that we see is the things that we've been seeing for the last 15 years, which is spear phishing or phishing emails, by which then they're able to gain access to somebody's system. Then they move laterally, escalate privileges, gain additional insight into the system, and then figure out what it is that they want to do while they're in there and what they can take advantage of.

00:07:29:25 - 00:08:11:03
Bryan Smith
We have seen some zero day exploits over this past year, and that gets into some of those scenarios where there actually were patches and some vulnerabilities that were identified that could have been mitigated had people been updating their systems. And so there's a huge learning curve on the user engagement and users owning the problem here. But there's also some really simple things, some fundamentals that can be done by organizations and by individuals to make sure that they're doing the rudimentary, fundamental activities that keep each of us safe on our own systems.

00:08:11:05 - 00:08:36:03
John Riggi
So as I always say, the bad guys simply hack before we patch. And in health care, sometimes it takes a while because we can't just patch a medical device quickly without testing it and understanding what the ramifications for patient safety are. Now, I'm going to get on my soapbox a little bit here and say, look, yes, we've got to do a better job of patching, but the technology providers have to give us more secure technology.

00:08:36:06 - 00:09:01:26
John Riggi
And I know the White House has promoted the concept of secure by design and secure by default. So kind of shift that responsibility back to the technology developers versus the end user. Shared responsibility: You know, my belief is we've got to get the technology providers to give us better secured technology. Now, with that, we certainly understand that no organization, including the federal government, is 100% immune from cyber attacks.

00:09:01:28 - 00:09:13:04
John Riggi
Bryan, what do you believe are the top three, 3 to 5 best practices to help mitigate the risk of a successful cyber attack against health care or any organization?

00:09:13:06 - 00:09:48:16
Bryan Smith
Well, I guess the first one is doing the fundamentals. I love baseball and I love baseball is that if you do the fundamentals right, you do the little things right, then big things will happen for you. And you do that over time. And I think that's appropriate within the cybersecurity arena. Is that if you're patching, if you're running antivirus, if you have engaged personnel who are looking at this stuff, not on a quarterly basis, but this is every day activity and you do that well, you're going to catch a lot of the activity and or you're just going to make it harder for the adversary to get in there.

00:09:48:16 - 00:10:10:11
Bryan Smith
And they may decide that they're going to give up and move on. The other thing is that we want people to think functionally. And when I say functionally, I go back to my earlier comments about what cyber being used for, and it's everything that people have been doing since antiquity. We want people to think of if someone gets into my network, what is it they can do here?

00:10:10:14 - 00:10:35:18
Bryan Smith
What can they take advantage of? How would they monetize it? Because that's what you're talking about here. At least with the cybercriminal actors, they are financially motivated and so if you can figure out how they make money based off the information that they have within your department, your division, your group unit or your work unit, and protect against that, you make it a lot harder for them to then monetize that type of information.

00:10:35:21 - 00:10:56:23
Bryan Smith
And that goes along with treating this like a business problem. I think far too often we've treated as an IT situation, so the business lines need to take some ownership of, Hey, I'm part of this, I need to be doing due diligence and making sure that what I'm doing on my network and what I'm doing with our systems is not going to put the organization at risk.

00:10:56:26 - 00:11:15:25
Bryan Smith
And until we do that, it's going to be an arms war for the IT folks. So we've got to get that pulled together. And then the last thing I think is be prepared. Recognize that no matter what you do, you are likely going to be a victim of some sort of cyber attack. And are you prepared for what that means?

00:11:15:27 - 00:11:33:21
Bryan Smith
And that means do you have the partnerships laid out ahead of time so that you know who to call, what that's going to look like? Do you have a plan when there's an incident and let's say it's ransomware of do you have a policy of whether you pay or don't pay? Who's going to be helping you with the negotiations on it?

00:11:33:23 - 00:11:45:27
Bryan Smith
You want the game to slow down when you're in this event, which means that you're prepared for and you've already thought through what that's going to look like. And now it's just a matter of executing it and you're not having to think on the fly.

00:11:45:29 - 00:12:24:15
John Riggi
So gaming it, train like you fight, right, as we would say. So that will help reduce the stress level and make those decisions much easier. So, Bryan, as we've been chatting, I've been thinking, as I heard you talk about defensive measures, the basics, but we know that defensive measures can only go so far in reducing the risk of a cyber attack. And I believe, you know, based upon my experience in FBI cyber and counterterrorism, that's extremely difficult for the FBI to conduct law enforcement operations overseas, including arresting bad guys that are being sheltered by hostile nation states like Russia, China, North Korea and Iran.

00:12:24:18 - 00:12:47:05
John Riggi
So just like in terrorism matters, we may not be able to arrest our way out of the cyber threat. But I also believe there must be a whole of government approach to this, and that would include leveraging all the capabilities of the U.S. government to conduct offensive cyber operations to disrupt and dismantle these foreign bad guys before they attack us over here.

00:12:47:12 - 00:12:58:25
John Riggi
So, Bryan, can you tell us about how the FBI is going on the offense against these foreign cybercriminal organizations? And I know you've had some successes recently, so can you tell us about that?

00:12:58:27 - 00:13:19:12
Bryan Smith
We've broken that down in a couple of different areas, and then we target all of those areas, not just one of them, not just the finances, not just the infrastructure, not just the malware and the marketplaces and forums by which they communicate, but all of them, and that it really becomes a targeting of the ecosystem. I would call this an ecosystem problem.

00:13:19:12 - 00:13:43:01
Bryan Smith
It's not a ransomware problem. Ransomware is a symptom of a larger disease. And what we're trying to do is eradicate the disease. In the process we may take care of the symptom, but we've got to go after that ecosystem. As we've moved forward with our strategy, we've also recognized that this is not going to be some sort of one knockout blow that's going to stop them from engaging this activity.

00:13:43:04 - 00:14:15:16
Bryan Smith
Just like any business, businesses don't go bankrupt overnight. They go bankrupt over time because they make bad decisions, they make bad investments, their expenses get too high over time. And eventually it gets to the point where they can no longer be a going concern. And that's what we're trying to do with the cyber adversary, is increase the expenses for them to engage in this conduct and expenses can be the risks of you might be going to jail, expenses can be it costs more because we're tearing down your infrastructure.

00:14:15:18 - 00:14:40:12
Bryan Smith
It costs more for you to get into the network. So that goes back to the defense side of this and that if you're prepped and you make it harder for them, that's raising the business costs on their end. And now what you're seeing across the board is that when we take actions, it's not just the FBI, it's the FBI with a multinational partnership with a number of different entities to include sometimes civil and regulatory entities.

00:14:40:13 - 00:14:54:18
Bryan Smith
Again, with the objective of there's not going to be a knockout punch, but we can deliver body blow after body blow over time that will get us into a position where I think we can clean up the ecosystem in a much more comprehensive way.

00:14:54:20 - 00:15:24:10
John Riggi
Truly appreciate your comments, Bryan. And I was thinking back again to my counterterrorism days, and it's the same problem. We knew there would not be one knockout blow, but you know, this continuous effort of what I call the enterprise theory of investigation: Go after the leadership, the communications, the finances, operational activity, the entire infrastructure that they might be using to ultimately increase risk and consequences for the bad guys as the deterrent and hopefully disrupt them.

00:15:24:12 - 00:15:51:26
John Riggi
So Bryan, victims of ransomware attacks or other cyber attacks are often reluctant to work with the federal government, often upon advice of outside counsel, because they're concerned that the information provided to the FBI to further the investigation may ultimately be used against the victim in some future regulatory or civil liability matter. Bryan, can you tell us how the FBI works with cyber victims to maintain confidentiality?

00:15:51:28 - 00:15:56:23
John Riggi
And also, does the FBI share information with regulatory authorities?

00:15:56:25 - 00:16:22:25
Bryan Smith
Yeah. So one of the issues that we have across the board is a reluctance by victims to report. And so we really need to change that reporting mechanism. Now, we don't say what companies got hit with it, but over time we develop that. We can't do that if people don't report to us. And so it's critically important for now and in the future that if you want to prevent these things to tell us what's going on, it begs the question of why not?

00:16:22:25 - 00:16:41:12
Bryan Smith
And I think some of it is that people don't know what to expect. What I'll tell you, we will not be showing up in the blue raid jackets with the yellow letters on the back. We're not going to make a scene at your office building. You call us. We will handle this in a very discreet fashion. If it's important for us to be out there, then we will do that in a discreet way.

00:16:41:15 - 00:17:01:29
Bryan Smith
We are not looking to revictimize folks. The other part is that there's got to be a value proposition for the victim of, Well, what do I get out of this? Well, one, you can help protect the ecosystem and which I talked about before as far as the intelligence that we can share. Just like us, criminals make mistakes. So we make mistakes and we let them into their network.

00:17:02:02 - 00:17:25:15
Bryan Smith
They will make mistakes. And the more victim data that we have that we can then identify instances where, you know, their VPN dropped or they reused a wallet ID or something that we can then latch on to make connections and then we can actually identify. And then once we identify, then we have a much better shot at doing something about the actor.

00:17:25:17 - 00:17:47:08
John Riggi
Thanks, Bryan. So obviously there's not only a benefit potentially for the victim to contact the FBI. You may be able to assist and guide them through the incident. Just as you said, you've got the experts, but also it's good for the nation. It's good for the nation and the rest of the sector. A victim cooperate and can help prevent future attacks against other hospitals or other entities.

00:17:47:11 - 00:17:56:19
John Riggi
Bryan, I just want to clarify in terms of sharing information with the regulatory authority, is investigative information shared with regulators for their purposes?

00:17:56:21 - 00:18:11:05
Bryan Smith
We are not regulators. And so when you give information to us, it is going to be held by the FBI. And we take the sensitivity of that information. We understand it. We're going to use it in the investigative capacity, but it's not going to be used for any sort of civil regulatory action against you.

00:18:11:07 - 00:18:42:19
John Riggi
And also, I'd like to point our listeners to a very helpful statute. It's called the Cybersecurity Sharing Act of 2015. I'm not a lawyer, but it does provide lots of robust regulatory and civil liability protections in that statute for victims and private entities to share information with the federal government. So have your outside counsels take a look at that statute, and I think you'll find that there are protections for sharing information with the federal government, cyber threat information sharing.

00:18:42:21 - 00:19:03:13
John Riggi
Right. So speaking about contacting the FBI, at what point during a cyber attack should a victim, hospital or health system actually reach out to the FBI? And what's the best way to contact the FBI? And let's say in an urgent ransomware situation, we've got ambulances on diversion with stroke and heart attack patients, who do we call in that situation?

00:19:03:16 - 00:19:36:13
Bryan Smith
So my advice is be prepared. And being prepared is to have the local FBI contact, the supervisory special agent in your area that you can call and say this is what's going on here, that that's not the first time that you've had a conversation with them, that there's a relationship there. And so they can then help and walk you through. You know, let's say you haven't done that. The earlier you call the local FBI office in the incident, the better, because we're going to provide you with the help that we can. We will provide that to you and try and help out on it.

00:19:36:17 - 00:19:53:14
Bryan Smith
That includes whether or not we are aware of decryption capabilities. Sometimes those are ones that we have. There may be also ones that we know that maybe a private sector entity has. And so we will share that type of information with you to help you kind of deal with that incident as it's happening in the moment.

00:19:53:16 - 00:20:04:12
John Riggi
What can a victim organization realistically expect if they contact the FBI for assistance during a cyber attack? Does the FBI always have the magic decryption key?

00:20:04:15 - 00:20:30:14
Bryan Smith
Unfortunately, we don't. I wish we had it every single instance. But if we did and this wouldn't be such a lucrative business for the adversary to be in. So if we have it, we'll provide it to you. But what you can't expect is that we're going to have any indicators of compromise about the group. Unless it's a new group, we will share what we know about how that group operates, our experience with them in the negotiations, what you can expect on the back side of it.

00:20:30:17 - 00:20:44:13
Bryan Smith
And so that just that kind of insight of this is what and how they do this is really helpful for you to understand what you can expect and then you can make decisions based off information, not based off what you think might be happening.

00:20:44:15 - 00:20:56:28
John Riggi
So could you describe to us a little further on what your role is at the FBI and how you work with CISA, HHS and the intelligence community, even state and local agencies on cyber issues?

00:20:57:00 - 00:21:17:14
Bryan Smith
Yeah, I think if I could sum this up in kind of one phrase is that we're all in this together. And that is government, that's private sector, that's international partners. I'm really proud to work at the FBI. We have some incredible people here. But as good as we are, we can't do this alone. And so we need partnerships.

00:21:17:14 - 00:21:49:00
Bryan Smith
And that's why we have engaged with HHS and CISA and the IC community and Secret Service and foreign partners. If you look at any of the operations that we've had, there's a good 12 to 14 different flags on there, and that doesn't even count then the fact that there may be three or four different agencies within each of those countries that are working on these things together, so that we can have the maximum impact in a bunch of different areas against the adversary.

00:21:49:03 - 00:22:03:13
John Riggi
It's just great to hear that. Again, that same philosophy, one team, one fight force multiplier is being leveraged in this fight against these cyber adversaries as well. So, Bryan, as we close out here, any final thoughts for our listeners?

00:22:03:16 - 00:22:27:18
Bryan Smith
Yeah, just a couple of things. There's not going to be, as we've talked about before, one knockout punch on this. But if we can deliver body blow after body blow, then that will have an impact. One of the lessons that we've learned is that we're all in this together. And so one of the best practices that I've seen across a variety of industries is partnerships between related entities.

00:22:27:18 - 00:22:42:07
Bryan Smith
And whether this is in the financial services or in other industries, is that when we share information and we collaborate with each other, we are making it harder for the adversary to attack any of us.

00:22:42:09 - 00:23:00:09
John Riggi
Thank you very much, Bryan. Thanks for all your thoughts and for being here with us today. Thank you and your team for what you're doing to help defend the nation against cyber threats. And thanks to all the men and women in the FBI for what you all do every day to defend the nation against cyber and physical threats.

00:23:00:11 - 00:23:13:10
John Riggi
And special thanks to all our frontline health care heroes for what you do every day to care for our patients and serve our communities. This has been John Riggi, your national advisor for Cybersecurity and Risk. Stay safe, everyone.