Artificial Intelligence & Machine Learning , Leadership & Executive Communication , Next-Generation Technologies & Secure Development
ISMG Editors: Our Pledge to You in a New Era of Journalism
Also: Palo Alto Networks' Strategy Pivot; Massive Change Healthcare Cyberattack Anna Delaney (annamadeline) • March 8, 2024In the latest weekly update, Information Security Media Group editors discussed the cyberattack at Change Healthcare that's sending shock waves through the U.S. healthcare sector, Palo Alto's strategic pivot and its far-reaching implications for the industry, and new developments in tech and journalism at ISMG.
See Also: 2024 CISO Insights: Navigating the Cybersecurity Maelstrom
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Michael Novinson, managing editor, business; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discussed:
- How ISMG is tapping into artificial intelligence technology but also doubling down on insights and perspectives to help our readers see beyond the headlines;
- How the BlackCat ransomware attack on Change Healthcare, confirmed by UnitedHealth Group, has disrupted U.S. healthcare systems, with ongoing investigations and efforts to restore services amid claims of a mega data breach;
- Palo Alto Networks' strategy to provide complimentary products to new platform users and the subsequent reaction from the market.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Feb. 23 edition on the "new frontier" of AI and identity security and the Mar. 1 edition on OpenAI's response to The New York Times case.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello, and welcome to the ISMG Editors' Panel. I'm Anna Delaney, and amongst our discussions this week, we're delving into the cyberattack sending shockwaves through the healthcare sector. And we'll be discussing Palo Alto strategic pivot and exploring its far-reaching implications for the industry. The brilliant panelists today include Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity, and Michael Novinson, managing editor for ISMG business. Very good to see you all.
Tom Field: Thanks for having us all, as always.
Michael Novinson: Good to see you.
Delaney: Tom, what is your topic today, I believe it's ISMG - one close to home.
Field: I do. This is something we don't talk about nearly enough. And I think it's time that we talk about how we editors, that Information Security Media Group go about approaching our business, I'm going to start with a little bit of background, I came to ISMG, almost 17 years ago. At that time I worked for a print publication that didn't quite get the memo about online. To them, the web presence was where you put sidebars and pieces that didn't fit into the magazine. The notion of using the web to lead with your information as your main conduit to your readers was lost on the editors at the time. And that was one of the things that attracted me to ISMG - an opportunity to come someplace where security was the focus because you can see that security was going to be a big deal. And where online wasn't just part of the strategy. It was the only strategy. And so I gladly made that move. And it's panned out in so many ways, look at the organization and the team that we have today. And ever since that time, we've focused on what's important and why it's important. We've done that in banking, in government, in healthcare, we've brought in from the U.S. to the world. We've added recent topics such as AI and certainly broadened into events and to programming. So it's a far different world. When you look around at the media landscape in 2024, the print publication I came from, is gone. Most print publications have gone away and are left with their online presence. When I came over, to be in the publishing business required a significant investment in infrastructure. There's no barrier to entry today, you can be on social media and you can declare yourself an influencer. And as long as somebody supports you, you're an influencer. And the what and the when, the things that we as news people built our foundations on, they are commodities now. Anybody can be a source of news. And with the use of gen AI in particular can put news together in a way that anybody can give you the what and the when. There's nothing unique about that. And so that's forced Information Security Media Group, to rethink how we do things. The focus is not just on what happened and when did it happen. Why does this matter? What can you, our audience members, do about these issues that we're putting in front of you? How do experts in the industry feel about this? And what advice can you take from them? And it's the way we've shifted the way of how we focus on producing the content that we do. Now you see it in different ways. You see it in your own programming, Anna. This panel right here, where we bring together our internal experts to talk about what we see what we're hearing, and what we're participating in, occasionally bringing in guests such as Troy Leach from the Cloud Security Alliance a couple of weeks back, and Jeremy Grant, not long ago, either, the recent programming that you and I have done in the Proof of Concept series, talking about election security, and talking about the use of AI. We've seen it in our coverage. Over the past week or so, the couple of weeks, the LockBit shutdown and aftermath has been something where we have focused not on just each individual event that's happened. But what does this mean? How does this impact your role? Marianne's going to talk about UnitedHealthcare today, and this huge healthcare breach story, her coverage has been much the same, not focusing on every little item that happens. And the who, what, when, and why. But what matters here, is what can you - our audience members - do with this information. We had a meeting yesterday, where I thought Marianne and Matt summed things up well, is when taking in all this information. You pay attention to what are the key questions we have to focus on. And that is our mission, to focus on the right questions for an audience of over 1.3 million security and technology leaders globally. Now, the objective for us, it's not to be first, this isn't a medium anymore, we're being first to get your points, and we've got to be best. And best means to be comprehensive, to make sure you're focusing on the topics that matter, to be analytical, make sure you're diving in and exploring why this news matters to our audience, and to present a view, to give them something that's unique that they aren't going to get somewhere else. And certainly, they are going to have served up by gen AI, focusing on the topics that count. And today that can be AI, it can be OT, it can be the further evolution of SASE or identity, ransomware. And it's going to be programming that engages where we get together and discuss what we know, we bring our guests in to share who we know. And we make sure that we're answering the right questions. So in a lot of ways, it's a brave new world. It was a brave new world when I came here in 2007. And we made the shift from print to online, we're making the shift now from online to exclusive to stand out. And at a time when you see giants in the industry, and I've spoken about this before, we've seen the venerated magazine Sports Illustrated shutdown. We've seen the Los Angeles Times, pare down its newsroom by 20%. I don't want to be in those numbers. I want to make sure that we know that people know who we are, that we're here that we're not forgotten, and that we stand out. And I thought it was just time to take a few minutes to talk about who we are at ISMG - what we stand for, and our pledge to you as our audience members too. When you come here and you share your time and attention with us, we're going to make it worth your while and give you information. It's going to help you understand what's happening in our world, and how you can apply that in your own enterprise. So there you go.
Delaney: Very well said! So Tom, as journalists, we need not fear AI, but use it to our advantage and get those creative juices buzzing.
Field: Oh, there's so much to be done with AI that helps us in our own personal productivity and helps us analyze information. It helps to automate some of the manual things that we do now. I like it. I've said this again before, I hate to do it because it shows how old I am every time I say this, but when I first started newspapers, I was given a choice between did I want a typewriter or did I want to use a computer, which at that time, by the way, was a RadioShack Tandy computer. I chose the computer because I wanted to be part of the emergent technology, I wanted the ability to be able to write and cut and paste and edit and do things you couldn't do with a typewriter. We are at a similar inflection point now. And gen AI is going to open so many doors for us and help us evolve our roles in ways that we can't imagine. It is something to run to, run with, not run from.
Delaney: Very well said. Marianne, so for the past few days, you've been reporting on what's been called the most significant cyberattack on the healthcare sector in U.S. history. And I know there are a few twists and turns here, but maybe just bring us up to speed with the story and its implications for the healthcare sector.
McGee: Sure. Every day it just seems like the fallout from the February 21st cyberattack on Change Healthcare gets worse. And as you said, some groups including the American Hospital Association are calling the Change Healthcare incident the most significant cyberattack in the U.S. healthcare system to date. And I have to agree with that assessment based on everything that I've seen so far. And all the zillions of other breaches and attacks that I've been covering over the years in the healthcare sector. The impact is being felt like no other cyberattack in the healthcare sector today. What happened is that Change Healthcare for those people who are not familiar with it, is an IT services firm that was acquired a couple of years ago by Optum for $7.8 billion. Optum is a unit of UnitedHealth Group, which is one of the largest health insurers in the U.S. Change Healthcare says it handles about 15 billion transactions per year, touching about one in three U.S. patients in some way. Now Change Healthcare provides IT services for more than 100 different critical functions that keep the U.S. health system running from claims processing, pharmacy benefits, clinical information exchange, and pre-authorization for patient care. However, since the attack on February 21, most of these it functions have been unavailable because Optum took Change's IT systems offline as the company responded to the attack, and to keep the damage from spreading to other parts of Optum and UnitedHealth Group's IT environments. In the meantime, the American Hospital Association which represents thousands of U.S. hospitals, says that as a result of the ongoing change in healthcare IT outage, patients are struggling to get timely access to care and their prescriptions. Billions of dollars have stopped flowing to providers. And this is all threatening the financial viability of hospitals, health systems, physician offices, and other medical care providers. Meanwhile, the American Medical Association, which is a professional organization that represents physicians, also contends that the Change Healthcare outage is threatening the viability of many medical practices, especially the smaller ones that operate on tiny margins and are already under tremendous financial pressures. The AHA and AMA and others also say that the many manual workaround processes that Optum has been recommending for affected entities to implement while the outage persists are ineffective and impractical. Meanwhile, UnitedHealth Group took the highly unusual move the other day of announcing a financial assistance program to help some of the entities that were affected by the Change Healthcare IT outage. That assistance includes short-term financing to help with cash flows that are being disrupted. But the American Hospital Association was highly critical of the program, saying it was too onerous and exceedingly limited in terms of who can take advantage of the financing. Since then, the U.S. Department of Health and Human Services has also stepped in with some regulatory maneuvers aimed at helping affected healthcare organizations with their cash flow problems. That includes, for instance, some moves that are meant to help facilitate faster payments to Medicare and Medicaid health care providers as they trudge through this outage. Now, last week, BlackCat took credit for the attack claiming to have stolen about six terabytes of data pertaining to all Change Healthcare clients. To add insult to injury and all this now, it's being reported that UnitedHealth Group paid a $22 million ransom to a BlackCat affiliate for the decrypter key and for the destruction of the stolen data. Now, the BlackCat affiliate who claimed to be behind the attack now says that BlackCat administrators kept the entirety of the Optum payment, and did not share any of that with the affiliate. And so it appears that Change Healthcare might have gotten a decrypter key for the ransom, but that its stolen data is still being held hostage by the BlackCat affiliate. Optum has not commented on the reports that the company paid a ransom. In the meantime, our colleague Mat Schwartz has also reported this week that BlackCat's Tor-based data leak site has a message posted on it saying that the FBI ceased the sight as part of a coordinated law enforcement action, taking down BlackCat. Now, last December, law enforcement did indeed cease BlackCat's infrastructure, but it only temporarily disrupted that group. And now security researchers are saying that this is sort of a ruse that BlackCat has put up this notice to make it seem like oh, no, we're out of business. But it's just some sort of exit scam. And the DOJ right now is denying that it took BlackCat down for a second time. In any case, the situation is just growing worse, as this outage lasts, and it just keeps persisting, we're not sure when it's going to be over. And we've seen many ransomware attacks in the healthcare sector. But this has been so disruptive by for so many in the ecosystem that it will surely negatively impact the bottom lines of many change healthcare clients and their affiliates. Now, on top of that, with all this disruption, it's only a matter of time before Optum determines the extent of the data compromise that most likely occurred and probably affects not only scores of the company's clients but millions of their patients. So we'll have to wait and see what happens next. But this whole thing is just a lesson in what you don't want to happen. And it's happened. It's sort of like the nightmare scenario.
Delaney: Huge story. Marianne, what about the vulnerabilities exploited here? How are researchers and experts analyzing the cyberattack and its underlying vulnerabilities?
McGee: I guess it, sometimes this thing seems to be rolling into months. But it's only been a couple of weeks. I think it was last week, that the U.S. government had put out a publication of indicators of compromise for BlackCat, in general. Optum has said that it's also shared the indicators of compromise that they've found so far in their investigation. And it looks like it was like a multi-vector sort of thing. there's their suspicion that there was social engineering involved early on in this attack, they were suspecting that connect-wise, the screen connects, and product vulnerabilities might have been exploited. Maybe that's the case. But that was not the main way this happened. It seems to be a multifaceted sort of thing and then I was listening to a webinar just yesterday with some pundits speaking about this. And it seems like it was like an enterprise-wide sort of attack. So it wasn't just one way in; it was well planned, and a multiple sort of strategy involved with the attack, which again, it's a frightening scenario for the healthcare sector, because, again this is a lot of financial transactions that are being impacted and patient safety is always a concern as well.
Field: Good time to host a HIMSS conference now.
McGee: Yeah. This should be probably, I would say, top on the agenda of what's discussed there. Good timing for HIMSS.
Delaney: This won't be the last of it. But thank you so much, Marianne. Michael, there's a big industry story of the past few weeks, and that is Palo Alto Networks' decision to offer free products to new platform customers. So tell us about the strategy and the market's response.
Novinson: Palo Alto Networks had their earnings. And they did announce exactly what you described there. And it came as a surprise to industry observers, to competitors to customers. And that is essentially the problem, as they described it is that they're seeing prospects out there who use Palo Alto for certain pieces of their technology stack. But then they're interested in growing their other footprint with Palo Alto Networks. But it's too expensive because they're locked into an existing sim product or an existing endpoint security product, an existing firewall, existing cloud security tool. And they simply can't afford to pay for two different tools that do the exact same thing from two different companies at the same time. So Palo Alto Networks was thinking is, hey, how can we make it easier for customers to transition onto our platform and use our technology in multiple different areas of security? So what they came out and said is that if you agree to use our platform, and the question is going to be how that's defined, we will for up to six months, pick up the cost of the Palo Alto Network security tool, while your contract with your existing vendor runs out. So essentially, it's just trying to lower the barriers to entry for people to expand their footprint. And with Palo Alto Networks, this is not something that we've seen established big security vendors do. Security vendors historically have been very clear that they compete on quality, they don't compete on price. They're not trying to be the cheapest, they're trying to be the best. So it's an unusual move. The folks who have seen this move of bundling free technology is Microsoft and Microsoft has grown their security business very quickly doing this in particular, what Microsoft does is they have what's called an E5 license, it's a type of enterprise software license, which where if you pay for Office 365 and they've been just essentially throwing in Defender for several months at no cost. The idea is, that once people try it out, they'll realize how good it is, and then they'll be willing to pay for it. Okay, that's an unusual tactic in security. And it has a lot of people who are surprised and people trying to figure out what it means. So in terms of legacy vendors, the question is, and we've already seen in places like endpoint security, that the market is consolidating around Palo Alto Network, Microsoft, CrowdStrike, and SentinelOne before. Companies who are growing endpoint security faster than the market as a whole? Does this just accelerate that if they're making it easier for us to make it easier for customers to leave a legacy antivirus standard? We see that in the same space where you certainly have a lot of legacy SIM players. Do we see it in cloud security, where we have companies who are doing kind of small pieces of cloud security, CCIE and CSP? And but not the whole thing? Do we see more customers leaving if they're not locked into an existing vendor? So that's going to be interesting to watch, there's been a lot of talk about this, I think one piece, in my opinion, that's been missed in there's been a lot of talk about platform association, which is a term Palo Alto Networks came up with, or this idea of consolidation. And I think with Palo Alto Networks, because they play in so many different spaces, there are two different questions. There's consolidation within a security technology, and then consolidation across different security technologies. And I think they've been very successful in the former if you look at cloud security, that they've done a fantastic job of getting customers to move away from standalone CASB and CSPM and CIEM vendors and to embrace this vision of CNAP and all in one cloud security. And they've all gotten customers to leave their existing vendors and adopt Prisma cloud, what's been more challenging is to get customers to adopt each of the different technology stacks that Palo Alto has to adopt their cloud security technology and their security operations technology and their network security technology. And part of this is just how it was built that Palo Alto Networks was born in the firewall, but everything else that they've done has been built off of acquisitions. And certainly, they've added value they've integrated, they've enhanced upon it, but the foundational elements of every other space they play in this acquisition. So in that way, it's the company has three different platforms for each of its technology areas, rather than a single platform. So they're trying to get more loyal customers to use them more in across different areas of security technology, which is a bit of an uphill climb, especially for large enterprises, who often have different buyers and each of these security technology areas. So now in terms of how others are responding, we've gotten to hear from a couple of executives, during their earnings calls. We heard from heard from Jay Chaudhry the CEO of Zscaler. Last week, we heard on Tuesday from George Kurtz, the CEO of CrowdStrike. In short, they're essentially spinning this as a desperation move from Palo Alto Networks where they have a lot of business and sales tied up in firewall hardware. And that this is essentially a way to cover for that to make sure that they're not losing customers in legacy technology by essentially just throwing it in no cost for some period of time, and from the standpoint of Zscaler, that the markets just kind of moving away from how Palo Alto Networks does things that it's moving toward zero trust, that it's moving towards a different model that doesn't rely on network hardware, in the case of CrowdStrike and this message I've heard from them because they've gone up against Microsoft, who does bundling for years now, is that there's a difference between price and cost that yes, Palo Alto Networks may cost, or the price may be lower if they're offering it to you for free for several months. But the total cost of operating CrowdStrike is lower in the long run. Because the architecture is unified. It's a single agent, it's a single console, and in terms of personnel and manpower they are using even if you have to pay more upfront to get CrowdStrike as the years go on them so much cheaper platform to operate because it is requires less resources and it requires less of a technology so I'm curious given how they use AI. So it's going to be interesting to see how it plays out. Will anybody else match Palo Alto Networks in doing this type of in terms of doing some type of freebie for people who adopt the platform? it's something that takes several months to build out. So nobody's going to come out and say, yes, we're doing it right now, like Palo Alto Networks doubling with customers for a while. So I think at some level, the question is going to be 3-6-9 months from now, what are we hearing from Fortinet, Zscaler, CrowdStrike? Are they still sticking to that discounting and bundling doesn't work in cybersecurity, or do you see them doing their own test versions of what Palo Alto Networks is doing now?
Delaney: That was a great explainer. So what do you think, Michael, Do you think, do you believe Palo Alto strategy will ultimately succeed in consolidating its position as a leader in the cybersecurity market? And why or why not?
Novinson: It's a good question, and they certainly are entitled to the benefit of the doubt. they've made some bold moves over the past half-decade. And people only said that platforms don't work. Then people saw what happened to Symantec and McAfee, that you have to be best of breed, and you need to focus on doing one thing well, and the cash threw that out the window and made lots and lots of acquisitions and lots of different security areas, and certainly, not every acquisition is worth. But in general, they've worked and they've been able to build a cloud security offering and market-leading cloud security offering purely through acquisitions and subsequent organic investment. So I think they deserve the benefit of the doubt. And I think people are realizing the impact that Microsoft is having under space, and that if you're going to have to compete with Microsoft with Palo Alto Networks, increasingly, as Microsoft rolled out their own security Service Edge technology, which is a space Palo Alto Networks is big. And so they're going head to head there, Palo Alto Networks, who has grown endpoint security and XDR space where Microsoft's haven't begun in a while. So historically Microsoft did email and Microsoft did endpoint, Microsoft did Active Directory Identity which was different than what Palo Alto Networks did because Palo Alto Networks did firewalls and network security, which isn't a space Microsoft does much in. But they have to go head to head where I think Palo Alto Networks realized that we have to have a way of competing with Microsoft on the price that if they're just going to throw in stuff for customers and no cost, that it's not reasonable to ask small organizations where resource-constrained organizations to pay significantly more for our stuff that people, especially in the current economic climate, just can't afford to do that. So I think they're trying to find a way to match Microsoft. But yeah, it's not a move that's typically worked well for pure-play security vendors that probably have won out over price. I think what's the proof is going to be as are all of Palo Alto Networks, competitors, saying the same thing that this is a fool's errand six months, 12 months from now? Or do you see them testing and trying to do the same thing that Palo Alto Networks does, but yeah, it's an unprecedented move in this space, and it's going to be a very interesting one to watch.
Delaney: Completely. Thank you so much, Michael. Finally and just for fun, if you were to design a ride for a cybersecurity theme park, what would you name it? Tom, you've got yours?
Field: I do have an idea. I call it the Ransomwhere Rollercoaster. Where does it take you? It takes you from launch to infection through lateral movement to detection through response to containment and the question isn't to pay or not to pay because you'll pay.
Delaney: It's a bumpy ride.
Field: Indeed, buckle in.
Delaney: Marianne, go ahead.
McGee: Mine is a Dark Web Whirl - it takes place in the dark and it stops and if you pay a fee, you can have someone help you off the ride and out the door otherwise you're on your own.
Delaney: Spooky. Michael, bring some color to this.
Novinson: I was thinking of the Ransom-Go-Round kind of merging the two that merry-go-round ransomware style - you experienced the vertigo, you experienced the nausea, that security practitioners feel after an incident like this. And when does the right stop? Nobody knows for sure.
Delaney: I'm going for a Phishing Pond, like the chocolate lake from Charlie and the Chocolate Factory. But watch out there Trump's some tricky emails and phishing scams hidden in the midst and if you fall for them, you might be taken down some unexpected turns however, you don't there are some treats in waiting for you at the end of the lake. This is a lot of fun, and informative as always. Thank you so much all of you, appreciate it, and thanks so much for watching. Until next time!