Beyond SaaS: What Cybersecurity Looks Like in Healthcare and Banking
Jara Rowe: Gather around as we spill The Tea on Cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Welcome back to The Tea on Cybersecurity. We're talking about going beyond SaaS to understand what cybersecurity looks like in other sectors like healthcare and banking. As we know, I am not the expert, but I have my favorite cybersecurity expert with me on this episode, Jim Goldman. Hi, Jim.
Jim Goldman: Hey, Jara. It's great to be here.
Jara Rowe: Yes, I'm so excited. So, let's go ahead and dive right on in. So, how does cybersecurity strategy differ across industries, like healthcare and banking, when we consider their unique challenges and regulatory requirements?
Jim Goldman: The truth is we do spend the bulk of our time, the majority of our customers are software as a service companies, but we have a variety of customers in banking and finance, healthcare, manufacturing, et cetera. And what they all have in common is they all have cybersecurity concerns and privacy concerns. And those are distinct. And so, each of them has to implement controls. They have to implement security controls and privacy controls. I think the big differences come in on the compliance side. And as we always said, there's a big difference between security and compliance. And I think the place where people sometimes get themselves in trouble is confusing, well, what's the dog and what's the tail? And sometimes the tail ends up wagging the dog. In my opinion, security is the dog and compliance is the tail. But if people are only interested in compliance, do you know what I mean? They can be compliant with some standards, some certification or another, but potentially overlook a control that's vitally important to their particular environment. With several industries that actually have been regulated for a fairly long time outside of the cybersecurity and privacy realm. So, let's take finance, for example. Finance has been heavily regulated for a long time. Why? Because we wanted to prevent fraud. We wanted to prevent money laundering. We wanted to make sure loans were being issued in an equitable and fair manner, that kind of thing. So, these are what we would call really heavily regulated industries. They just haven't necessarily been regulated all that long or longer than any other industry in terms of cybersecurity and privacy.
Jara Rowe: Let's hone in on healthcare for a moment. What are the most pressing cybersecurity threats facing healthcare organizations today, and how do they impact patient safety and privacy?
Jim Goldman: People say healthcare and they think hospitals. So, they think hospitals and doctors' offices. Well, what happens is the healthcare industry is this incredible kind of spider web network of all sorts of different supporting organizations, claims processing companies, pharmacies, you name it. It's almost like an infinite number of concentric circles of different health-related organizations delivering this incredibly complex system that ends up being patient delivery, but it's almost like an infinite number of companies interacting. Now, the HIPAA regulation, which has been around for a long time, hit the nail on the head when they created it. Because what they said, well, there are these entities that really are the health care providers, but then they depend on other businesses who would have some level of access or another to patient records in order for them to deliver the services. And so, they set up this thing called business associates, and they set up something called a business associate agreement, which kind of says, "That's our patient data, but we're going to share it for a specific purpose with you. We're going to ask you to do this. And oh, by the way, you're going to agree to protect it up to these standards, under these circumstances, etc., etc." So, that was very forward-looking. The problem comes with anybody's willing to sign a piece of paper to get a contract, but what are they really doing in terms of legitimate cybersecurity controls and protecting privacy? What's interesting is to start out with the real purpose of HIPAA was protecting patient privacy. Again, it almost flips the script in that the goal was protecting patient privacy. In order to properly do that, you had to put in certain cybersecurity controls.
You also had to put in a lot of non-technical processes to assure, for instance, that hospital workers and so forth could only gain access to the records of patients that they had a legitimate need to see, that kind of thing. But that's also why every time you or I go to a doctor, we're having to sign another HIPAA permission form and write down who can see our information, that kind of thing.
Jara Rowe: The way technology is changing, a lot of our health records are becoming digitized. And the rise of ransomware attacks targeting hospitals and clinics, how are healthcare institutions adapting their cybersecurity to ensure data integrity and make sure that all of our info is safe?
Jim Goldman: It's quite unbelievable, very recently. So, a company named Change Healthcare, which is a UnitedHealthcare subsidiary, suffered a cyber attack. And to date, it's cost UnitedHealthcare 870 million, and that's just in Q1 of 2024. And it cost them about another 600 million to restore systems, and response efforts, and so forth and so on. The costs are expected to reach 1.6 billion. It's not just about the pay. I mean, I know people personally that go to their pharmacy and their pharmacy can't process the drugs they need, or it's all on paper now. Because remember I talked about the network of all the interrelated entities working together to deliver patient services? So, if anywhere in that myriad of interrelated services Change Healthcare was anywhere in there, there's going to be a disruption. And so, it's not just the dollar figure, but it's how do you put a cost on patient frustration, potentially surgeries that couldn't get scheduled, that kind of thing. Insurance claims that couldn't get processed properly. They're tied to 67,000 pharmacies, 131 million patients. The sad part is that the root cause was that Change Healthcare was not using multifactor authentication. When we first started talking about ransomware, we said, what's the single thing that anyone can do to prevent ransomware? Multifactor authentication. So, I looked up how many employees Change Healthcare had, 14,000 employees. And I looked up, what's multifactor authentication cost per employee? And I estimated that it would cost them no more than $1.68 million to have multifactor authentication for all of their employees. So, compare that. They bypassed a $1.68 million cost and now have incurred a 1.6 billion cost as a result of the breach. And I think that's small. I think it's going to go way beyond that.
Jara Rowe: All the listeners, make sure you flip on MFA on your accounts that you're able to.
Jim Goldman: And the excuses that people continue, sometimes it's, "That's more money than we want to spend." But then I also hear excuses about, "Oh, that's so inconvenient. People don't want to do that. Our sales people will revolt."
Jara Rowe: I mean, it's like 30 extra seconds.
Jim Goldman: You bet. There are several sections in the HIPAA regulation, with security being one of them. And as I said, it's both the security and the privacy. So, there's people controls, there's process controls, there's policy controls, and then there's more technical controls, which are the security controls. Now, the thing about HIPAA is HIPAA says what needs to be done, but it doesn't say how to do it.
Jara Rowe: So, let's go ahead and dive more into banking and finance. What are the key cybersecurity risks specifically related to the banking and finance sectors, and how are organizations mitigating these risks?
Jim Goldman: Banking and finance are probably the first industry to see the correlation between good cybersecurity and good finance security. In other words, as I said at the beginning, banking and finance has always been about security. In other words, going back to the Old West, that's why we had banks, because it wasn't safe to carry the cash on you. It wasn't safe to bury it under your mattress. That's why we had banks. If you think about it, they've always been in the security business. Now, what's happened over the years is banking has become cyber-dependent, cyber-related, that type of thing. And so, cybersecurity has had to evolve. How do I want to say this? The idea of the need for cybersecurity, in my opinion, is not a new concept to finance and banking. They've always had a security-related frame of reference. They've always had security as a top priority. So, it only made sense when they started depending on cyber, that they would be very cybersecurity-focused. There are many aspects of banking and finance, and it's like each of those aspects has their own set of regulations. So, the one that initially comes to mind, just because it's really so much on the consumer side, most people have several credit cards. Well, how does credit card information get protected and what are the standards around that? But that's called PCI, payment card industry, the PCI regulations. And so, it's not just banks, but any entity that processes and stores credit card information has to be PCI compliant. So, that's a whole set of regulations. That's the more specific nature of the financial institution we're talking about, so banks and so forth. You've got the Gramm-Leach-Bliley Act, GLBA, that requires financial institutions to protect sensitive data and explain their information practices, information sharing practices, that type of thing. And what's happened is GLBA has become a blanket for protecting financial information.
Not just in banks, but in other entities, institutions of higher education and so forth, that offer financial aid, gather financial information. Those institutes of higher ed now need to be GLBA compliant in terms of how they handle and protect that financial information. And then there's something called the Bank Secrecy Act, that prevents financial institutions from laundering money. And then Sarbanes-Oxley is more about protecting investors from financial fraud. So, depending on which aspect of the banking or financial industry you are in, there's a whole variety of them. Some are specific to states. New York State has their own cybersecurity regulation. Now, remember that I said a lot of this comes down to not just security, but privacy. And so, GDPR, which is the European Union standard for privacy, comes into play here. So, you say, "Well, if it's a US bank, why do they need to be GDPR compliant?" Well, if they have any personal information on any European citizen, that's why they have to be GDPR compliant.
Jara Rowe: Can you explain what GDPR is for maybe a new listener?
Jim Goldman: You bet. So, unlike the United States, which does not have a federal privacy policy or regulation or whatever, we have several different state ones. The most notable and probably the first being CCPA, the California Consumer Protection Act, which in many ways has served as the model for other states. So, some time ago, the European Union passed GDPR, General Data Protection Requirements. What it does is, in my opinion at least, it really establishes first and foremost who owns the data. And what GDPR very clearly did was say, "The consumer whose data this describes, if you will, they are fully in control of that data." So, they have a right to review it. They have a right to have it corrected. They have a right to have it deleted, that type of thing. And in order to be GDPR compliant, you have to have the processes in place, the technology in place. And you have to be able to prove that you can not only protect private data, but also have the means to assure that all of those rights, and there's like eight or nine of them, all of those rights of the data owner can be respected and can be executed.
Jara Rowe: Another acronym I want to clear up a little bit. You were already talking about PCI and what that stood for, but what about PCI DSS?
Jim Goldman: Yeah. So, that's just payment card industry data security standards.
Jara Rowe: What does that mean?
Jim Goldman: Fortunately, that's one that gets updated periodically as it needs to, changing landscape, changing threats, changing technologies. So, the PCI Council has done a good job of keeping those standards up to date, updating them and saying, "Okay, here's really what needs to be done to protect that payment card information."
Jara Rowe: How do banks and financial firms prioritize cybersecurity initiatives to maintain regulatory compliance while safeguarding against cyber threats?
Jim Goldman: If you think about our typical customers, like our SaaS customers, they show compliance by hiring an external auditor to come in, make sure they're doing everything right, and then they get a certificate. The banking industry, again, because they've had non-cyber regulations for so long, they have been federally inspected for a very long time about things totally unrelated to cyber. Does that make sense? In other words, they have federal regulators, is what they're called, coming in and inspecting them nearly on a constant basis. And so, what happens is they don't have to do this whole separate thing. It's just part of their ongoing federal regulatory inspection cycle.
Jara Rowe: All right, Jim, this has been great. So, what advice would you give to our listeners to empower them to take proactive steps if they are in these sectors, to improve their cybersecurity?
Jim Goldman: Multifactor authentication, you better get it today, later today. Don't wait until tomorrow.
Jara Rowe: Yeah, don't wait until tomorrow, everyone. It's so easy to do. Well, Jim, I appreciate you taking your time to go over some of the industries we haven't talked about yet on the podcast. It's been super helpful.
Jim Goldman: It's my pleasure, Jara.
Jara Rowe: Now that we've spilled the tea on the healthcare and financing industries, it's time to go over the receipts. It was nice to talk to Jim about other cybersecurity and privacy concerns, other than what I am most familiar with at this point, which is our SaaS companies. So, I learned a lot from my brief conversation with Jim on healthcare and banking. The first thing that I learned is that healthcare and banking are heavily regulated industries, simply based on the type of information and data they have on everyone. So, when I asked Jim about how these industries differ in cybersecurity and compliance, he actually started by telling me what they have in common, which is that they all have security and privacy concerns or data that they need to protect. But they differ based on the different compliance and regulations set by those specific industries. Another receipt I have from Jim is about how healthcare is honestly a web. Healthcare goes beyond just doctors, like we have our claims and insurance to pharmacies. So, when we think about our information and how it's passed through, it is touching a lot of hands and things like that, which is why HIPAA is very important. So, when it comes to banking, banks are subject to many cybersecurity regulations because of the customer data, and to prevent money laundering, and to protect investors as well. And because of that, banking and financing was one of the first industries that needed to be regulated and implemented data privacy standards and things like that, to keep our money and information safe. Another receipt that I have on banking and financing in particular is the regulations and how they happen on a consistent basis. So far when we think about compliance and regulations, we've talked about SOC 2 and ISO 27001, and we know that it is always continuing, but we typically do it yearly or when something big happens.
But when it comes to banking and financing, these regulations and standards are looked at more consistently, which totally makes sense when our money and information is involved. And the final receipt I have, which is something that we've probably talked about in every single episode of The Tea on Cybersecurity, is the importance of MFA. Jim gave a great example of how MFA would have helped a company save a lot of money. And again, it's just that extra simple thing to do to keep our information a little harder to get into. I hope you learned as much about these industries as I did. I will see you on the next and final episode of season three on The Tea on Cybersecurity, as I give the ultimate receipt of everything we have gone over. See you there. And that's The Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
"Multi-factor authentication? You better get it today. Don't wait till tomorrow." – Jim Goldman
We talk a lot about SaaS companies on this show, but today, we're bringing you something a little different. Jim Goldman, CEO of Trava and one of our favorite cybersecurity experts, joins host Jara Rowe to discuss the complexities of cybersecurity across healthcare and banking, including their unique challenges and regulatory requirements.
Jim discusses how healthcare organizations navigate a web of medical providers, claims processors, and pharmacies while adhering to the stringent HIPAA regulations. He also discusses how the banking and finance sectors have long led the way in cybersecurity, thanks to rigorous compliance standards meant to protect both consumer data and financial integrity. He offers compelling analyses and real-world examples, like how a simple multi-factor authentication (MFA) oversight can lead to billion-dollar repercussions.
In this episode, you'll learn:
- How the banking and healthcare industries keep our sensitive information safe and how it all comes back to those pesky (yet essential!) regulations
- The importance of regulations like HIPAA and how they help guard this vast data network and ensure your health information stays secure
- Yet another reason why Multi-Factor Authentication (MFA) is a cybersecurity must-have
Jump into the conversation:
[00:00 - 00:46] Introduction to cybersecurity beyond SaaS and Jim Goldman
[00:47 - 02:58] How cybersecurity differs in Healthcare and Banking vs. SaaS
[02:58 - 05:41] The most pressing cybersecurity threats facing healthcare organizations today
[05:41 - 08:25] How healthcare institutions are adapting their cybersecurity to ensure data integrity
[09:17 - 13:00] Key cybersecurity risks in banking and finance and how they are mitigating these risks
[13:01 - 14:33] What is GDPR?
[14:34 - 15:11] What is PCI DSS?
[15:11 - 16:11] How financial institutions prioritize cybersecurity initiatives to maintain compliance
[16:45 - 19:48] Jara's receipts
Connect with Trava:
Website www.travasecurity.com
Blog www.travasecurity.com/blog
LinkedIn @travasecurity
YouTube @travasecurity
Today's Host: Jara Rowe
Today's Guest: Jim Goldman