In this episode, host Dr. Aaron Fritts interviews Jason Newton - an attorney with 14 years of private practice defense experience and current General Counsel at Curi - about cybersecurity in medicine and healthcare.

---

SHOW NOTES

Jason begins by introducing how he became an expert in cybersecurity law. Dr. Fritts and Jason then segue to the present day threats of ransomware in healthcare, beginning with a birds eye view and progressively getting more granular. They cover the topics of staffing shortage, how threat-actors are akin to present-day pirates, and the chief risk of ransomware.

We learn that healthcare is the most common target of ransomware from threat-actors and how “big fish” are not only the main targets, meaning many smaller health entities are also under real threat. Jason explains well documented reports which detail the intense interest in health information of several US targets such as government leaders, military personnel, celebrities, and popular athletes.

Dr. Fritts and Jason underscore how money is the central driving force behind ransomware attacks on healthcare. Jason also takes a deep dive into how threat-actors engage in social engineering to ensure their success. Troubling enough, Jason also shares how threat-actors (on average) have already infiltrated health systems 66 days prior to the day the breach has been discovered. Essentially health systems will only see threat-actors when these hackers want to be seen and demand ransom.

ChatGPT, AI, and deep-fake technology is also discussed and how it can be used by threat-actors to bolster their ransomware attacks on healthcare. Jason also mentions the need for health systems to invest in cybersecurity insurance and the inverse relation between “secure” and “easy”. Health systems’ responsibility to secure their data is paramount to mitigating and avoiding ransomware.

Jason highlights the necessity of training, the fact that people can be the weakest link in security, and how it is critical for everyone to approach their email inbox with a “no-trust” policy. Anti-phishing software can also be a very helpful addition to health systems looking to bolster their cybersecurity. Mr. Newton supplies some helpful training, consultation, and investigation resources from the Cybersecurity and Infrastructure Security Agency.

While we hope this discussion may be helpful, there are no guarantees that the information and resources shared will prevent and/or mitigate bad outcomes, and no guarantees or endorsements are made. Although Jason is an attorney, he cannot and does not offer legal advice to external parties and an attorney-client relationship is not established with listeners of this podcast. Please contact your personal or corporate attorney if you require legal advice.

---

RESOURCES

Cybersecurity and Infrastructure Security Agency website:

https://www.cisa.gov/resources-tools