Looking At New Tech And True Threats To Healthcare

Biggest risk is still the user inadvertently clicking something


Esther Shein

The Chief Information Security Officer (CISO) Exchange is a flagship event bringing together the most innovative and insightful technology leaders across industries for in-depth discussions and exchanges of experience and ideas to address the emerging landscape of digital business in a digital economy.

This year's event took place March 24-26 at the InterContinental in San Diego, California, with the theme “Empowering A Circle of Trust: Consistent and Collaborative Security from Inception.”

Here, Cyber Security Hub caught up with Banner Health's Sam Buhrow to find out about what's on his mind, insider threats and his thoughts on the conference.

Sam Buhrow
Director of Cyber Incident Management and Forensics
Banner Health

Buhrow is a Certified Information Systems Security Professional (CISSP) with over 18 years of experience in cyber security strategy, architecture, implementation, incident response, malware analysis, computer forensics, E-Discovery, data security, disaster recovery, and SIEM implementation and configuration.

He has extensive experience in cyber security management; identifying and mitigating risk, training and development of Information Security resources on and off-shore, and creating new processes, procedures, and techniques to solve clients’ needs with novel approaches. He has created numerous business process improvements, coded or guided software solutions, and saved his principals millions.

CS Hub: As a security professional, what keeps you up at night?

BUHROW: Two things: unpatched systems, and the other is an unaddressed alert — not so much someone didn’t notice it, but maybe there was high CPU utilization and later on [a security professional] says storage is getting utilized too much and if you put it together you’d see a place where bad guys are putting data together or they’ve encrypted it or it’s part of a DDoS attack. My concern is because of different sensors in the organization there’s not that mosaic view of the organization that it’s a targeted attack.

CS Hub: What’s your take on CISO Exchange West?

BUHROW: I like the targeted speakers and it’s fascinating to talk to vendors who are not on [Gartner’s] Magic Quadrant yet and who I haven’t heard of. [I’m focused on] incident response, and I love finding one thing I don’t know about so I can incorporate it into my [toolset].

I used to be a virtual CISO and I’m more of a change agent now where I’ll find a piece of technology and tell [security] ‘This is a tool you should look at,’ that weren’t known but the vendors are in the final proof of concept. The risk scoring technology I saw here; to have something be able to tell you where all your crown jewels of data are and calculate in real time that this particular server isn’t patched and could cause this much exposure — that’s a lot of work someone has to do — and if you can automate that it would be fascinating.

We subscribe to NIST and our SOC team is all about detect and protect. We’re about respond and recover.

CS Hub: Are insider threats a big concern?

BUHROW: It’s obviously a concern for us and … it’s something the industry’s definitely been focused on the past few years. My team does cyber incident response and e-discovery. We haven’t seen a large uptick in [insider threats] in healthcare; I don’t know why. With all the data we have … that’s not as big an issue as ‘Don’t click that [potentially malicious] link.’ If you see something, say something, but the biggest risk is still the user inadvertently clicking something.

Phishing is still [a] pretty large [problem] in our medical group. A good portion of our effort is put into educating the employees and doing phishing campaigns to make them aware of what’s out there. My belief is the bad guys are getting so good, in healthcare in particular, but overall, too. We’re about 100,000 [employees] and about 40-50% are clinicians so they don’t have the same exposure [to malware] but they’re dealing with all these emails and what’s happening is it’s one more thing for someone to have to remember and deal with. So there’s a lot of cross between training fatigue and phishing fatigue. We’ll see a positive impact from training, but you’ll still see … a high click rate when we self-phish them.

CS Hub: What initiatives are on your plate this year?

BUHROW: The biggest one is tabletops … which is when a facilitator comes in to the SOC and different groups and they’ll say, ‘Here’s this scenario: you’ve got an alert and at what point does the incident response team come in?’ What it’s more designed to do is make sure there are no gaps in communication and decision making and from the beginning to the end you have a cohesive plan to address what this threat is. Last year we did two of them … this year [the goal is] 15 to 16 tabletops.

In the healthcare industry you’ll see a lot of ransomware, so we’ll give scenarios about that or insider threats. It’s up to our third party to develop them but they’re usually [done on] things you’ve seen in the news and how you’d deal with them. We find they’re an area that doesn’t get the light shined on it as much as it should. Once you have them, you’ll see how the tabletop gets addressed with the C-suite.
