
Things That Make You Go Hmm – Ep 514 

 June 20, 2025

By  Donna Grindle

This week on “Things That Make You Go Hmm,” we’re serving up a digital cocktail featuring disappearing network routes, dark web AI tools with a flair for phishing, and Microsoft’s bold new idea to let Copilot tinker with your system settings—what could possibly go wrong? In this episode, we dissect digital disasters and marvel at how event planners might just be outdoing some organizations when it comes to risk assessments. It’s equal parts facepalm and fascinating.


In this episode:

Things That Make You Go Hmm – Ep 514

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

When you see a couple of numbers on the left side of the text below click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


Things That Make You Go Hmm

[00:32]

Official Root Cause Analysis (RCA) for SentinelOne Global Service Interruption – May 29, 2025

The outage affected not the endpoints themselves but the security team’s ability to reach them. SentinelOne said it was a “software flaw in an infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform.”

Sounds a bit like the CrowdStrike issue without the endpoint damage. One lost control of the cars and the other lost control of the road. Either way, it caused backups and crashes for operations. It also brings up the importance of understanding how a single point of failure can affect not just your business but your security.

[06:20]

Unleashed AI: Hackers Embrace Unrestricted Chatbot, Venice.ai | Certo Software

For less than a Netflix subscription you too can own a phishing factory! For just $18 a month you can create uncensored private tools alongside the criminals on Venice[dot]ai.

According to their article, Certo testers confirmed it can already produce things like phishing emails and malicious code. We know how these things learn as they go, which means it will only get better as criminals find it successful. The testers were concerned with how convincingly the emails it crafted sounded and looked like the real thing.

This is a web-based tool with nothing to load or code. No skills required, just a desire to make some money in a scam.

They mentioned another article, from SlashNext, that tested one of the AI tools on the criminal forums, and it had a more chilling statement about the results:

In one experiment, we instructed WormGPT to generate an email intended to pressure an unsuspecting account manager into paying a fraudulent invoice.

The results were unsettling. WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.

The fact that they were unsettled makes me very unsettled. Not sure what to call that, but it is certainly not a confident moment.

[12:35]

Speaking of feeling uncomfortable about AI, this one is another we will have to keep an eye on, just like Recall. I think I stopped breathing when I read the title.

Microsoft unveils new AI agents that can modify Windows settings

The concept is that you can just tell Copilot to change setting X to ABC and it will do it, so you don’t have to find the setting yourself. AWESOME! Sometimes it is important that people can’t find them on their own!

Think about this as a simple formula: physical access + voice/keyboard access = a level of admin control, if this isn’t locked down properly. What if someone comes by a workstation that wasn’t signed out because the owner was just running down the hall for a second? I hear about it all the time. They can have the assistant change a setting much faster than going to find it themselves, even if they know where it is.

There are so many reasons this makes me nervous. If you can simply type out the instructions, we are opening up a huge opportunity for an attacker to send instructions without much skill at all.

[16:59]

Clinicians can ‘chat’ with medical records through new AI software, ChatEHR

So exciting, right? WRONG! It is a bit exciting until you think about how often we already argue with AI agents about the data they have been given. I have had it happen where I know something is stated in the article I just gave it to evaluate, and it tells me it isn’t there and refuses to acknowledge it. We all know it also just makes things up sometimes.

Add that stubbornness to the fact that so much of a medical record can come from legacy systems, and notes come from different clinicians who may use different terms, and it is a disaster waiting to happen.

One of the featured quotes was “Making the electronic medical record more user friendly means physicians can spend less time scouring every nook and cranny of it for the information they need.” So what happens when it says the information isn’t in the record, but it didn’t actually look in every nook and cranny the way a human might? Technically, you should confirm what it tells you, which is complicated when what you have to confirm is a negative.

Patient safety could certainly be impacted with this tool in a multitude of ways!

[24:09]

Risk assessments should be part of all important business processes, not just cybersecurity. This blog post got my attention because it demonstrates that perfectly. Our boot camp session on the SRA starts with a discussion about how we do risk analysis all the time for a lot of reasons, and this really brings that point home.

Event Risk Management: A Straight-Forward Guide

It is from The Events Calendar, a company that makes event management software. We use part of it for scheduling in the Kardon Club, which is why it landed in my inbox. It is a great way to explain what an SRA process looks like in a more relatable manner. It shows that SRAs aren’t just an IT checkbox; they’re a business survival tool.

I am sure we could connect this to some event people understand, whether it is a concert, a family reunion, a business conference or a wedding. All of them have to have these issues considered. Imagine if we took them down the path of planning an event and doing the RA for it, then pointed out that they just planned more thoroughly for their wedding than for their cybersecurity program. Is that something you should think about here?

Here is the opening to the list that really makes the point:

Essential risk categories every event planner must address

Every event comes with its own set of risks, but there are a few common areas that all planners should pay attention to, no matter the size or type of event. Identifying these early can help you avoid problems, protect your team and attendees, and keep your event running smoothly.

The categories could easily be equated to what we have to do in our world.

  • Loss of crowd control
  • Medical emergencies
  • Unpredictable weather
  • Transport and traffic management
  • Food safety
  • Staff and volunteer safety
  • Technological breakdowns

For each one they reviewed potential issues and suggested best practices to mitigate those risks. Then, as the cherry on top, they include a list of key steps you should take to build your risk management plan. Here are the steps and a specific quote about each one.

  1. Assess all potential risks at your venue
    • Consider high-probability risks (like delayed vendors) and high-impact risks (like a medical emergency or fire). Cover every angle so there are no surprises on event day.
  2. Create a risk management team
    • Hold a few planning sessions before the event so everyone is aligned. Each team member should be trained in basic emergency response protocols and know how to escalate issues quickly if needed.
  3. Categorize and prioritize risks according to likelihood and severity
    • Once you’ve listed all potential risks, the next step is to organize them based on how likely they are to happen and how severe the impact would be if they did.
    • Use a risk assessment matrix to classify each risk.
  4. Prepare a contingency plan for risk mitigation
    • A contingency plan is your safety net. It lays out what to do if something doesn’t go according to plan, and how to minimize the impact on your event.
  5. Post-event analysis of risk management strategies
    • Your job doesn’t end when the event does. After everything wraps up, take the time to review how your risk management plan worked in practice.
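The likelihood-by-severity matrix from steps 3 and 4, as an added Python example that is not from the guide or from this site: it scores a constructed register pairing the guide’s event risks with the cyber equivalents discussed in this episode, and it keeps rare-but-catastrophic items from sinking to the bottom, which a plain likelihood × severity product would hide. The band thresholds and ratings are assumptions for illustration.

```python
from dataclasses import dataclass

# 5x5 likelihood x severity matrix; the band thresholds are an assumption.
BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (1, "low"))
RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

def band_for(score: int, severity: int) -> str:
    """Map a 1..25 matrix score to a band. Rare-but-catastrophic risks (the
    guide's fire or medical emergency) never sink below "high"."""
    label = next(lbl for floor, lbl in BANDS if score >= floor)
    return "high" if severity == 5 and RANK[label] < RANK["high"] else label

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    severity: int    # 1 = negligible ... 5 = catastrophic

    def __post_init__(self):
        for rating in (self.likelihood, self.severity):
            if not 1 <= rating <= 5:
                raise ValueError(f"{self.name}: ratings must be 1..5, got {rating}")

    def score(self) -> int:
        return self.likelihood * self.severity

    def band(self) -> str:
        return band_for(self.score(), self.severity)

def prioritize(risks):
    """Step 3: order the register by band, then score, then severity."""
    return sorted(risks, key=lambda r: (RANK[r.band()], r.score(), r.severity), reverse=True)

def needs_contingency(risk: Risk) -> bool:
    """Step 4: high and critical risks get a written contingency plan."""
    return RANK[risk.band()] >= RANK["high"]

# Constructed register pairing the guide's event examples with cyber
# equivalents from this episode; the ratings are illustrative only.
REGISTER = [
    Risk("Delayed vendors (event)", 4, 2),
    Risk("Medical emergency (event)", 1, 5),
    Risk("Single vendor outage cuts access to the security console", 2, 5),
    Risk("AI-written phishing email reaches finance staff", 5, 4),
    Risk("Unlocked, unattended workstation used to change settings", 3, 3),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():2d} {r.band():8s} {r.name}", "<- plan" if needs_contingency(r) else "")
```

Run it and the rare medical emergency lands in the “high” band above two more frequent medium risks, which is the guide’s point about high-impact risks that a frequency-only view misses.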

They did a great recap at the end and it sounded very much like what we would say for cybersecurity:

Here’s your quick checklist for a risk-ready event:

Risk assessment conducted? ✅

Crowd management plan in place? ✅

Emergency medical services coordinated? ✅

Contingency plan established? ✅

Staff and volunteers trained? ✅

Communication strategy ready? ✅

Insurance coverage secured? ✅

[38:43]

HHS Announces Paula M. Stannard as Director of the Office for Civil Rights

The newly appointed HHS OCR Director is Paula Stannard. Now we have to wait and see how things change concerning enforcement of the HIPAA rules, and the discussions about making changes to the Security Rule will likely start back up again. It is worth noting that her background includes public policy and health law, which might signal renewed regulatory activity coming our way. But these days, no idea whatsoever!

Well, if today’s episode taught us anything, it’s that the dark web has a customer service model, Microsoft’s AI has access to your settings, and wedding planners might deserve a seat at your next security meeting. The digital landscape keeps throwing curveballs, but with a little skepticism and a lot of prep, you can stay a step ahead instead of scrambling to catch up.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
