This episode is the continuation of our Cybersecurity Tales Part 1 from last week. We get into more discussions with Gary Salman about real world cases involving cyber attacks where the team at Black Talon have been called in to assist with data breach response. This part is where David really started getting scared!

In this episode:

Cybersecurity Tales with Gary Salman Part 2 – Ep 271

[02:31]MSPs have the keys to the kingdom, to all of our clients. You owe it to your clients to make sure that your own stuff is rock solid. Don’t complain if your clients don’t take security seriously if you’re not doing your own homework.

Let’s get into part two of the interview with Gary Salman from Black Talon Security!

Cybersecurity Tales with Gary Salman Part 2

[04:13] We’ve talked about the IT providers, and it’s something that we’re well aware of. What we talk about often is making sure they spend the time to learn.

We actually had a couple of folks in our last Boot Camp that are coming to us to learn. We’re thrilled! But I tell David we’ve got to do more because we kick them all the time, but then we don’t offer more solutions. But it’s also a problem of “I got a guy” because I don’t want to pay, I want to pay as needed for break-fix service because I think I can still function like I did in 2003.

Can you share some cases where they have just kind of said, let me blow it off, I don’t need to do HIPAA, I don’t need to do this security stuff and then realize how it could have saved their business?

[05:44] I can tell you that in 90% of the breaches, no one’s had anything for HIPAA. OK, wait, you know what? They did have that sign hanging on the wall and a piece of paper that the patient signs.

So you look at the smaller health care providers, a couple offices, maybe even a single office. They have basically nothing in place for HIPAA. They have nothing in place for security.

[06:46] We did a breach in the Midwest recently where the practitioners were notified by their malpractice carrier that they need to step up their game. Literally, they were told you need to start implementing advanced cybersecurity because there’s so many health care providers being hit.

So they called the executive of their IT company and sat him down like, hey, here’s the letter. Right? We want something done here. What do you recommend?

And his exact words were, “I’m a computer engineer. This is what I do. You’re fine.”

Fast forward two weeks later they got taken out. The MSP got taken out and all of their clients were going crazy. You know, they’re like we actually tried to do the right thing. We’re just surgeons. We ask the right questions. We were basing our decision off what we were told.

The amount of underreporting of breaches is off the charts.

[10:57] I think the “I have a guy” concept is probably more prevalent than most people realize. It’s a friend, it’s a colleague, it’s a son, a daughter, someone that works for a big Fortune 500 company in IT. They show up once a month. They have no insurance. They have basic computer skills at best.

[17:15] When you interview the owners of the business or the physicians or dentists, they’ll say, “you know what, our plan was to call our managed service provider or IT company if something goes wrong. They were going to help us, but they’re obviously not available because they’re a victim of the attack too.”

Since January, we’ve done six major breaches where the managed service provider (MSP) was hit. One hundred or more of their clients were impacted. We have smaller ones with fewer than 100, but six have been more than that just this year.

[23:06] There’s a specific threat group out of Russia. Their entire business model is targeting MSPs. They make hundreds of millions of dollars in targeting the MSPs and then targeting their clients.

They launch a single attack and literally take out thousands of computers at once. Even if you look at these smaller attacks, if you’re an MSP and you have one hundred clients and you service the smaller market, let’s just say on average, you probably have about 12 computers and maybe a server for a small business. You take out 100 of those small clients and you’ve just destroyed over 1,200 devices.

We dealt with an MSP out in the Midwest the end of last year. The Russian group hit every single device the MSP supported. We worked with about a dozen of those victims in that one attack out there. We only found one computer, out of all those businesses, that wasn’t hit. And we couldn’t really figure out why the machine wasn’t hit.

[29:30] We worked on a breach about nine months ago where when we asked for some of their HIPAA security documentation, they said “Here’s my report from my IT vendor. We passed.”

I think most of us understand that’s not really HIPAA. That’s just a little piece of software running some tests that often have incorrect information.

They came back and said, “Big Boss says 10 more Bitcoin.”

[38:59] If you look at a lot of these health care providers that don’t have insurance and the attackers want one hundred grand, how many people have one hundred thousand dollars liquid cash sitting around?

[45:08] When we look at these issues and say we’re using this piece of technology to protect me, like your VPN, we have a problem. The second you bet your entire livelihood on one piece of technology, you’re going to have a problem. That’s the reality of it. And I think that the big takeaway from this presentation is there is so much money being made by the criminals right now. They’re spending an unbelievable amount of money and leaving no stone unturned to try and figure out how to get on these networks because they know the value of the data.

What worked today is probably not going to be working tomorrow because people are actively trying to figure out ways around everything you’re doing today to protect yourself.

There is a lot of information in these episodes. We are definitely going to bring Gary back in for a chat about what we all think you should be doing to prepare or prevent these attacks.

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.