In a recent podcast interview with Cybercrime Magazine host David Braue, Scott Schober, cyber expert, author of "Hacked Again," and CEO of Berkeley Varitronics Systems, discusses the proposed rules from HHS that aim to combat rising ransomware attacks and data breaches in healthcare organizations across the US.
Welcome to the Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing forensic information on all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can learn more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
David: Joining us today is Scott Schober, cyber expert, CEO of Berkeley Varitronics Systems, and author of the popular books Hacked Again and Senior Cyber. Scott, thanks for joining me today.
Scott: Yeah. Wonderful to be here with you, David.
David: So we are very interested to see recently the discussion about healthcare providers. There's been a lot of discussion about how to protect healthcare firms better, how to make sure that hospitals stop getting hacked and shut down by cyber criminals. It has become a real problem. And now the Department of Health and Human Services is working on ways to try and set some standards, get some stuff that would really help improve the security of healthcare organizations. What's going on?
Scott: Yeah, it's a mess out there. And we kind of see year-over-year increases in cyber breaches and hacks. Every time we think it's going to get better, we only hear of another breach. Some interesting stats, one I came across, I thought was kind of telling, I guess you could say. And this was from The HIPAA Journal, which mentioned that in 2023 there was a 239% increase in hacking-related data breaches in the healthcare sector compared to 2018. So you're talking 5 years. And you see that staggering increase in healthcare breaches. When I think about it, the part I kind of back up and just meditate for a minute and say is, we're spending a lot more time educating people, employees, policies, procedures, people are making changes, they're understanding the human weakness of it. Yet we still see increases, be it in ransomware, be it in phishing attacks and success, and major data breaches and compromising this valuable healthcare information. And I think that just sends off the alarms to me. We're making one step forward and perhaps 2 steps backwards, when I look at some of the stats.
David: The stats are definitely scary. I was looking around as well, and apparently, last year, in 2024, there were 13 data breaches of healthcare organizations, each involving over a million healthcare records. There were 703 total breaches last year, each involving more than 500 records, and 180 million people were affected by healthcare security breaches just last year. I mean, these numbers are actually staggering.
Scott: Oh, yeah, it is.
David: Is this just a function of healthcare being such a large thing that it, you know, any time that it gets compromised, it's a bigger impact?
Scott: Yeah, that's a really good point. I think that is part of the factor. But I think also a lot of healthcare-related things haven't changed. They've gotten a little bit complacent. They hear about it, and they go, "Yeah, yeah, yeah," and they don't do it. I'll give you a case in point. Fairly recently, my wife had to go to the hospital, kind of as an outpatient, for a procedure, and I went there just to, you know, be the moral support and help with the paperwork and the insurance, and so on and so forth. And one of the first things they were drilling her for is, they said, "Well, we need your full Social Security number," and I thought it was interesting. She knows me, and I'm always harping on don't give away personal information and be cautious. She stopped, and her head snapped, and she looked over at me. And then the person collecting all the data for the hospital that does the billing, basically, they stopped and they looked at me. And I was like, I just shook my head. I said no; I said we're not providing Social Security numbers, and the woman said, "Well, I'm required by hospital policy to ask; let's continue on. And that's okay. You don't have to provide it." And I sat there and I said, "What? Why do they keep doing this?" Everybody pushes to get as much information as they can to fill out their forms, and again, it all has to do with the fact they can put you through collections if you default and don't pay your bill. So they're trying to cover their butts, I guess, and make sure that people pay, because there's a lot of people that are delinquent and don't pay their hospital bills, or they don't have proper insurance. So it's kind of a cat-and-mouse game back and forth. But my biggest concern is when they have personal information like that, that they're just writing down on a piece of paper. Where does that go? Where is that stored? Is somebody, a database clerk, entering that in later at night? And where's that being stored, and redundancy?
And so on and so forth. So those practices really haven't changed fully. And that's part of the problem, I think. There's a lot of other problems, too. But that's just one of them standing out in my mind.
David: Well, that is often cited as one of the issues in healthcare. There's still a lot of paper in healthcare. There's a lot of manual processes. There's a lot of stuff that hasn't changed in a long time, and because healthcare is managed at so many different levels in so many different ways. It's hard to even speak about it as one industry, because there's so many different ways to skin this cat, so to speak. You know, in terms of the social security number, I'm sure what she was actually thinking is, "Don't worry. We'll just go on the dark web and look it up."
Scott: There you go. Yep, which is true, and they could get it pretty easily for a minor fee. It's not that big a deal if somebody's going to get it. And I guess, in defense of the Federal Government, the Social Security number was never really designed to be a metric for authentication to verify it's me, but it kind of morphed into that. And people think of it that way, and it does kind of work that way, inefficiently. So it's got to be fixed, though; it's just a mistake.
David: Well, it is an interesting example of the way that something that wasn't really intended for this has become the linchpin, I suppose, in terms of personal privacy. And so, you know, when they get compromised that gives people access to more than probably should in a paper record system. I guess this is seen as something that can be at least a little bit confidential, and it's taken that primacy.
Scott: Now, I can say there is a silver lining. I recently had to go to an ear, nose, and throat specialist, as I do every once in a while, and before going in there I had to digitally file all my paperwork, which was kind of different for me, and create an account, and I was happy to see that they did require me to set up multi-factor authentication as a requirement before they took all my personal information, such as my license and other personal information about my background and health. It gave me a sense of, okay, some places are getting it now. Some people in some health-related organizations understand it, because this was an interesting stat I read earlier. The source was from Scoop Market; as of January 2025, it mentioned approximately 56% of healthcare organizations have implemented multi-factor authentication to enhance data security. So a little more than half. That's not good. That's not good at all. Here we are in January 2025, and you have a little more than half the people doing what they should be doing as a bare minimum. So I think that's why it's great we're talking about topics like this. At the same time, it's good that HHS is mandating some of these things as a requirement, as well as encryption of patient data and things of that sort, to prevent future data breaches.
David: Well, this is so important. I mean, MFA is available. It's certainly a realistic option for these organizations to use. But you have to have the political weight and the investment in the technology and the commitment to it, I guess, to make sure that people are using it on a regular basis. So that's definitely one of the key measures that's been discussed. Encryption of patient data. What would, I guess, be involved in making this into reality? HHS has been really trying to set some standards that people could apply, and that healthcare organizations could really aim for.
Scott: Yeah, I think they have to keep the push up. And I guess what's probably a positive thing is that they've got some proposals out now, and they've got this window of about 60 days for the public comment period. So industry players, healthcare firms, and others can provide feedback to say, "Hey, this will work. This won't work. This is practical." But I guess the negative side is that some are cited as saying this is going to be really expensive. It's going to cost, I think they mentioned, in the first year somewhere upwards of about $9 billion, and in subsequent years about $6 billion following. And that's a lot of money to be spent to get some of this worked out and implemented. But it is important, and I think it's important always to compare industries versus other industries. So if we look at the healthcare sector, they've been pounded. They've had to do these things for years, and it's been falling on deaf ears.
And, as we mentioned, for MFA, for example, only 56% of the healthcare organizations have implemented that. Now contrast that with other sectors, such as technology. Technology's got an 87% adoption rate of MFA and a much higher percentage, again, with encryption of things. So technology companies and organizations get it, because they probably look at it and say, "Hey, we're more vulnerable," even though they're a little more savvy. They know what it takes, and they tend to spend the money. They spend the money on training, and they implement proper encryption. They implement MFA and the training that needs to be taken on, especially with remote employees and things of that sort. So it can be done. It just has to take an effort, and you don't want to say an act of God, but in this case, maybe an act of HHS to really push it and mandate it through so they could make it happen. And I think we're going to see some positive results in the years to come.
We'll be right back after a quick word from our sponsor.
And now back to the podcast.
David: Well, it definitely would be good if they could get some momentum behind this technology. It seems like a pretty common-sense request to get people using this a lot more. Of course, the thing that really created the impetus for this change is the attack last year on Change Healthcare, which was, I mean, massive even by healthcare standards. Over a hundred million people were apparently affected by this, and they were talking about it being way more than that recently, as they kind of go through the rubble. I mean, that's a huge percentage of the population of the country. This is not a small thing, and they were all compromised. The services that were being delivered using this information were also affected, so people couldn't fill their prescriptions for a while. This kind of breach can just have really far-reaching implications once it happens.
Scott: Yeah, you mentioned a brilliant point there, because when you look at the aftermath of it, and kind of looking back now, we could see a lot clearer the damage that happened and is happening from something with a breach that big. And in part, I think what's telling is, look at the value of the personal data associated with the healthcare sector. If you take my credit card and it's compromised anywhere, I can go on the dark web, and it'll be sold for $3 to $5, typically.
Now, if you have healthcare, personal information for somebody, especially if it's put together with the proper codes, and enough personal information that is associated with me, that will sell for hundreds, if not thousands, of dollars, because of medical fraud and other things that you could do and get away with it very quickly. So it becomes a dollars and cents thing. If you see the value of the data, you see part of the problem. So that tells me they really need to intensify protecting valuable healthcare data. Because now, as we know, the breaches keep happening. And they happen so wide it's only going to get worse. So they got to really tighten the reins and start implementing this stuff immediately, or it will be an uproar with people being very upset and having some significant damages as a result.
David: It's ironic because HIPAA requirements put pretty onerous expectations on healthcare organizations and the way that they manage this private data and this very sensitive data. But in terms of securing it, it really hasn't been there. The whole reason that the Change Healthcare thing happened was that the attackers were able to use credentials that they'd gotten from somewhere else and basically just plug those into a remote access portal running Citrix and they got straight into the company systems, and from there they could get everything. I mean. It just seems ridiculous that this is still possible and that, despite the supposed attention on security and privacy, these large healthcare organizations are still allowing this sort of thing. It's a really concerning problem. Do you think that the imposition of guidelines and this sort of top-down approach that they're taking will make a difference?
Scott: I do, and I kind of have a similar kind of gut feeling. It's kind of pathetic what's happened and is happening now. I'm always glad to see when they're willing to try something new, willing to implement something, as long as there's not too much overreach, because that causes other types of problems. But there are no checks and balances right now. It's like the Wild West, I feel like, in the healthcare sector. Everybody I talk to has had problems and data compromise and is frustrated and annoyed with it. On top of that, throughout the US, if you have to go to a doctor, you have to go to a hospital, you're already paying a lot for your healthcare coverage, and now you're paying a lot out of pocket. And I often hear this, probably more so with prescriptions and things like that: you can go to other countries, and it's rather affordable. But specifically in the United States, it's so expensive. And a lot of times they circle back and will say, well, part of the problem is the cost of a data breach, and the cost of having all this information compromised drives up the insurance costs, which drives up the cost of prescriptions and healthcare. So it's kind of this circular excuse that you're hearing. But they're not focusing on the problem and making it safer and protecting the data, as we're talking about here.
So to your point - Yeah, it's good that we're going to start seeing some of these things implemented. And yes, I think it'll start to make some improvements. It's not going to solve the problems we know. But baby steps are okay. You have to make some forward progress, I think, toward keeping people's data protected in this valuable healthcare sector.
David: We definitely have to do something. So basically, what you're saying is that they can't protect our data properly, which causes data to be stolen and lost, which causes insurance to become more expensive, which then causes them, in the traditional way of things, to have to raise their prices to cover the cost of their increased premiums, which then makes the data more valuable, which then increases the incentive for people to steal it and sell it, which then creates... I see where this is going.
Scott: Yes, it almost could make you a little bit dizzy, as they say, because you follow the circle of money, and that usually helps you find where the problem really is and hopefully directs you toward how you could solve it. So yeah, some of these things need to be implemented immediately, and then some of these organizations need to back up and then assess it and say, "Okay, here's where we were. Now, here's where we are. How much more secure are we? How much better is this valuable healthcare data protected? Okay, now, going forward, how do we protect it even more?" So if they have the right mindset and everybody gets on board. I think a lot of positive things can happen.
David: Well, certainly that checking of how we're going is very important as well. You can't just implement something and then say, "Oh, we're secure." You've got to be checking in all the time, monitoring your exposure. You're trying to get a sense of where your vulnerabilities are and actually doing something about them. I mean, you mentioned the cost being around $9 billion in the first year, and about $6 billion per year after that. That seems like, I mean, it's a large amount of money. But for this particular industry, it's probably small change for the potential benefits that it could deliver.
Scott: Yeah, I think you're right there. Those are peanuts in comparison to the big picture, so the potential savings could be much more than that. I also try to weigh in and ask myself, what are we hearing a lot about in the healthcare sector? One of the most driving areas for change and innovation is artificial intelligence. So I think that's something else that we need to keep in mind. How is that going to have an effect?
David: Scott, thanks again for your time.
February 11, 2025