A
Welcome to Advancing Health. In this second of a two-part podcast, FBI leaders share details of a new national effort involving everyone to help defend against the latest malicious cyber threats that continue to plague all sectors of society.
B
Hello everyone, this is John Riggi, your national advisor for Cybersecurity and Risk at the American Hospital Association. Welcome back for part two of our conversation with FBI Cyber Division Assistant Director Brett Leatherman and FBI Office of Private Sector Assistant Director Gretchen Burrier to discuss all things cyber information sharing and AI. So Brett, back to our discussion. We talked a little bit about the nation state threats of criminal groups, but some of the groups that are actually being used as proxies and being directed by nation states. Can you tell us a little bit more about that connection?
C
Yeah, we're really focused, John, on the blended threat right now. And that is how nation states are leveraging criminal groups and/or industry in their country to help facilitate their cyber network operations directed at the United States. And so we talked a little bit earlier about the PRC and this whole-of-society approach that they take. We have named companies in China who have helped procure access to US networks as a result of their hacking campaigns. Flax Typhoon is an example of that, where they leveraged Integrity Technology Group, a company within China, to provide access to networks here in the United States. Salt Typhoon, one of the most consequential, the most consequential cyber espionage campaign launched against the United States was facilitated by multiple companies in China. And so we continue to see this blended threat where nation states use these companies to facilitate that access, but they also work within the criminal ecosystem as well. DPRK is a great example of that, where they continue to do cryptocurrency thefts or place IT workers in networks here in the United States. Remote IT workers, these groups are very aligned with criminal groups to understand tactics, techniques and procedures and how they can advance their geopolitical ambitions.
B
And we know firsthand of the North Korean remote IT worker threat almost weekly. I received some report from a hospital or health system that they identified a suspicious remote IT worker and have limited their access, actually ended their access. And of course we're concerned the fact they have access. They're raising funds for their programs back in North Korea, potentially even nuclear weapons programs. But the fact that you have that access to steal data and/or deliver malware. Can you talk to us a little bit about threat hunting? What do you think some of the best practices are to identify the threats as well in case they're already in our networks, both from the criminal hacker perspective and from the nation state perspective? Yeah.
C
Well, first and foremost, we should be looking at the indicators of compromise that the FBI and our partners put out on a regular basis to identify where those emerging cyber threats are. So it's incredibly important to look at those joint cybersecurity advisories that we put out there that help you understand both the technical information and the contextual information to hunt through your environment and try to detect an adversary or to block at your perimeter some of the things that we see. But you know, no podcast in today's day and age is complete without talking a little bit about artificial intelligence. We saw in November of this past year, Anthropic put out an advisory about the PRC's use of Claude, their artificial intelligence platform, to target industry. And what Anthropic put out was that 80 to 90% of the kill chain activity that happened there, from reconnaissance to identification of targeting to lateral movement, privilege escalation, was done agentically through AI. And we've got to start employing similar capabilities defensively to look at deviations in behavior. And that's where we have to move. And I know that no organization in health care is likely ready to apply artificial intelligence to the totality of its infrastructure. It's just too, too soon to do that. But there are ways that we can start surrounding key user accounts that have privileged access, key network devices or key data stores within our environments. And we can start to pull the logs off of those environments, run them through approved artificial intelligence devices to try to find those anomalies in behavior. And so behavior-based detection is kind of the wave of the future. We're doing it now, but we have to do it much more efficiently through artificial intelligence. And we can start with baby steps doing that.
B
There isn't a presentation, a discussion I have with leaders in the health care field where AI does not enter into the conversation. We talk about how the bad guys are very nimble and absolutely very quick to adopt. AI takes us more time, obviously we have to test it. We have to ensure that it does not corrupt our data or expose us to security and privacy issues for that data. But I've always said, and I 100% agree with you, Brett, AI is fueling the next generation of the cyber arms race. We are not just at the beginning, we are, I think, beyond that. And we've got to make sure we are using AI in our defensive measures, just as the bad guys, as you said in the Anthropic report which we published, are already using it to conduct these attacks. Gretchen, the American Hospital Association and I have had this tremendous opportunity to work together with the FBI for the last several years. I've heard you describe our ongoing information exchange as the gold standard for private sector relationships. From your and the FBI's point of view, could you tell us why you believe that and what you believe the successes of our relationship have been?
D
Yeah, absolutely, John. You know, I do describe our relationship with the American Hospital Association as the gold standard because it reflects exactly what effective public-private partnerships should look like. And I do talk about it all the time. I even brought it up at the SAC conference recently. But first, it is built on consistency and trust, right? We're not only meeting when there's a crisis and it is not transactional. We have an established cadence of engagement that allows for real dialogue with hospital CEOs and our FBI senior leaders. And to me, that continuity builds confidence on both sides. And second, right, it's genuinely two-way. Hospitals are on the front lines of cyber threats, ransomware, foreign adversary activity. What they share with us helps the FBI see trends earlier and warn others before the damage spreads. And in turn, the FBI has an ongoing dialogue with them to ensure they're tracking various threats. What I see is the real roll up your sleeves, get to work action on challenges impacting this country's national security and most importantly, John, the life of patients. I can't thank AHA and our nation's hospitals enough for the work that they do and for the willingness to lean in and work with us in the FBI. I really think it's the combination of trust, continuity and real world impact where we're collaborating together on reports or other real time threats. That's why I consider it the gold standard.
B
Thank you, Gretchen. And to your point, we look not only to just meet and exchange information, but we've developed these ongoing projects. What will we do, what will we produce? And we will measure our impact on helping defend the healthcare sector. So again, thank you and your team so much for that. Now, we have a great relationship at the national level, which benefits the entire field, but there's over 5,000 plus hospitals out there. How can hospitals on a local and regional level establish productive relationships with the FBI?
D
Sure. Look, hospitals can establish a relationship with the FBI by reaching out to their local FBI field office and asking for the private sector corporate coordinator. And of course, John, you're a great resource as well from your time in the Bureau. And I know that if any hospital reached out to you, I know you would assist them with an introduction as well. And of course, at the end of the day, the Office of Private Sector. We also will get everyone connected with who they need to be connected with for whatever reason.
B
And again, we can't emphasize that enough. The FBI is always predisposed to help. And one thing I do want to point out, by contacting the FBI does not somehow place you at risk of regulatory exposure. The FBI is not a regulatory agency. Their job is to help you all recover from the attacks, to try to discover attribution, and really to provide you assistance during an attack. Brett and Gretchen, what do you think the best way for the field, the hospital field, healthcare field, is to contact the FBI in a true cyber emergency, like a ransomware attack, which is causing ambulance diversions?
C
I know Gretchen mentioned reaching out to your local field office, and that is the best way to reach out. Now, we prefer to talk to you before a crisis happens. So I encourage everybody to reach out and get to know your private sector coordinator, like Gretchen mentioned, as well as your cyber supervisor in your local field office. We take a victim-centric approach in everything we do. Our job in FBI Cyber Division is to impose cost on state and criminal adversaries, but an equal mission is to provide significant support and assistance to victims of cybercrime. And we can do that best when we have an established relationship with you, and that is through the private sector coordinator and your local cyber squad in your local field office. So I would reach out in advance to have those conversations. But even if you don't have that relationship and you do suffer a cyber incident, reach out, have that conversation. There is value in bringing the FBI in. We protect information when it comes in. It's protected under law enforcement investigations. We don't share information that we get pursuant to those investigations with regulators. We don't make that information available publicly. We are bound by the Victims Rights Act and we treat victims like victims. That has always been a part of our DNA and will always be a part of our DNA. The other thing that that does though, is it allows an organization to reach out. Say this is what we're seeing. We have this particular ransomware attack in our environment. These are the IOCs, the indicators of compromise we see. And in the FBI, we can run that through our law enforcement holdings. We can check with our intelligence community partners. We have 22 cyber assistant legal attaches globally who sit with foreign partners. We can run those things through foreign partner vis and we can come back and we can provide additional information that helps with threat hunt, containment and eradication activity.
So as much as we want to pivot upstream against the actors, we also want to help organizations in containing the threat and getting back on their feet to help patients, which is the core mission of the hospitals. So really that is part of the value that we bring to reaching out. Every one of our 56 field offices have a cyber task force that is comprised of federal, state and local law enforcement partners, and they're there to help.
B
Such key points, Brett, and again, I think one of the key points that you made was the fact that by contacting your local FBI office doesn't mean that you'll just get the resources of that local office, perhaps in a remote area. It unlocks the resources of the entire US Federal government and allied partners. All the agencies, all the intelligence communities will be notified of the attack and then their resources information will be brought to bear to assist your hospital, whether you're a multi-state, multi-billion dollar system covering millions of lives or you're a 10-bed critical access in a very remote area where the next nearest available hospital is 100 miles away. Gretchen, anything else to add on how our hospitals should contact the FBI during a cyber emergency?
D
You know, I think Brett said it perfectly. I would just again encourage you to reach out if you don't have that relationship and start building it today. Because if a cyber incident hasn't happened, it probably will, unfortunately. And this way you've got a contact and hopefully that individual's contact information is in your cell phone. You can call them immediately. So no time is lost because time is critical in an incident. Yeah.
C
John, I would just add to what Gretchen was saying there, that it starts with a conversation and think about it that way, because the FBI teams at the private sector coordinator level, the cyber level, even the special agents in charge and the assistant special agents in charge, we're happy to have a conversation. And there's no commitment beyond that. You don't have to feel like you're now committed to providing very sensitive information to the FBI. We're never going to ask for patient information or sensitive information. What we ask for is fully aligned with threat pursuit and victim response. And that is, you know, anonymized indicators of compromise, not PHI or anything like that. And so I would encourage folks, if you have questions, reach out, have that conversation to start with. And it's as easy as that.
B
Totally agreed, Brett. And during those conversations, folks will come to see the FBI are human, they're good folks, they want to help, such as your. And it'll help allay some of those fears. Perhaps legal folks might need to be involved to just assure them that you don't collect PHI, you don't need that, you don't need access to the service. And you would never tell a hospital not to restore because it's pending your criminal investigation. So in a sense, the rules of engagement can kind of be worked out ahead of time. You don't want to have those questions during an emergency.
C
To your point, like you brought up legal counsel, that is incredibly important in today's environment. It is often outside counsel in coordination with inside counsel who kind of control the flow of data and information. And so the earlier you as a chief information security officer or network defender can have those conversations with your counsel and encourage them to engage the FBI in advance, the more ready you will be to share and receive intelligence on day one should there be a breach. And so incredibly important point is that counsel plays a very important role in the bilateral sharing of information and so bring them into those conversations early.
B
Absolutely. Agreed. And again, sensitizing them and helping them become comfortable to the relationship to the information sharing can certainly expedite recovery, quite frankly, with the assistance of the FBI and the federal government. Brett and Gretchen want to thank you again for being here today, sharing your very important and salient points with us today for the benefit of the entire field, our patients and the nation. And thank you both for what you do and all the men and women of the FBI every day to protect the nation and to our health care providers. Thank you for what you do every day to defend networks and care for our patients and serve our communities. This has been John Riggi, your national advisor for Cybersecurity and Risk at the American Hospital Association. Stay safe everyone.
A
Thanks for listening to Advancing Health. Please subscribe and rate us 5 stars on Apple Podcasts, Spotify or wherever you get your podcasts.
Episode: Operation Winter Shield: The FBI's Campaign Against Cyberthreats Part 2
Date: February 11, 2026
Host: American Hospital Association
Guests:
This episode delves into the ongoing collaboration between the FBI and the American Hospital Association to confront escalating cyber threats targeting the U.S. health care sector. The discussion highlights how nation-state actors leverage criminal groups, the evolving role of artificial intelligence in both attacks and defenses, the importance of deep public-private partnerships, and practical guidance for hospitals on engaging with the FBI before and during cyber incidents.
"We continue to see this blended threat where nation states use these companies to facilitate that access, but they also work within the criminal ecosystem as well."
— Brett Leatherman (01:45)
"Behavior-based detection is kind of the wave of the future. We're doing it now, but we have to do it much more efficiently through artificial intelligence..."
— Brett Leatherman (04:54)
"AI is fueling the next generation of the cyber arms race. We are not just at the beginning, we are, I think, beyond that."
— John Riggi (05:25)
"It is built on consistency and trust...it is not transactional. We have an established cadence of engagement that allows for real dialogue...and that continuity builds confidence on both sides."
— Gretchen Burrier (06:26)
"It unlocks the resources of the entire US Federal government and allied partners...whether you're a multi-state, multi-billion dollar system...or a 10-bed critical access in a very remote area..."
— John Riggi (12:00)
On the necessity of partnerships:
"What I see is the real roll up your sleeves, get to work action on challenges impacting this country's national security and most importantly…the life of patients."
— Gretchen Burrier (07:09)
On AI adoption in healthcare defense:
"There are ways that we can start surrounding key user accounts...pull the logs off...run them through approved artificial intelligence devices to try to find those anomalies in behavior."
— Brett Leatherman (04:34)
On the FBI's confidentiality and support:
"We are bound by the Victims Rights Act and we treat victims like victims. That has always been a part of our DNA and will always be a part of our DNA."
— Brett Leatherman (11:11)
The podcast emphasizes collective resilience: strong, ongoing relationships between health care leaders, the FBI, and trusted partners are vital to defending against and recovering from cyber threats, ensuring patient safety and national security remain uncompromised.