Transcript
This transcript has been edited and refined for clarity.
Marianne McGee: I'm Marianne Kolbasuk McGee, executive editor at Information Security Media Group. Today, I'm speaking with Clinton McCarty, who is director of enterprise security and CISO at National Government Services. So Clinton, for starters, please tell us a little bit about National Government Services and briefly about the type of work that you do as director of enterprise security and CISO at the company. For instance, are you responsible for enterprise security within NGS's own IT department? Or do you also help clients with their security needs?
Clinton McCarty: I have been with National Government Services for about 15 years. We are part of the larger Elevance Health organization. NGS builds digital health solutions and processes Medicare claims for the Centers for Medicare & Medicaid Services. We're a legacy Medicare claims processor and systems integrator. We build digital solutions and secure and protect data and data systems on behalf of the U.S. government and leverage our expertise as SIs, architects, system assessors and subject matter experts to deploy solutions that ensure the stability of our nation's federal health programs. Some of the agencies that we support include the Centers for Medicare and Medicaid Services, the Department of Health and Human Services at large, the Defense Health Agency, and the National Institute of Health. In my role, my teams work to protect major applications, federal data systems and also our home office applications. So in my role, I have oversight of asset management, access management or security operations team, security governance team, system security officers that build and assess system security profiles around federal systems, and our enterprise data center, to name a few. It's quite a broad swath supporting the home office and federal systems.
McGee: What are some of the latest cybersecurity threats that are targeting the public health sector that are most disturbing to you? And what about the threats facing government healthcare agencies?
McCarty: They are typically one and the same. It's malware and ransomware attacks from malicious actors who are motivated by either financial gain or motivated to do harm to the U.S. federal government. The attack surfaces are often very similar in the public and private sectors, but the motivation of potential malicious actors may be slightly different. The threat of ransomware has upticked significantly year-over-year. In the past five years, many statistics point to an over 256% increase in large breaches that have been reported involving hacking and a 264% increase in the number of reported ransomware attacks - that is a cost across both the public and private sectors. The work that we're doing to protect our home office dovetails nicely with the work that we do to protect federal data systems.
McGee: Based on the major disruption that we saw across the healthcare ecosystem with the Change Healthcare attack, how should government agencies that deal with healthcare and public health organizations be better prepared to deal with such a disruptive attack? What about potential attacks in the future that also involve key healthcare sector players? How does this all kind of shake out?
McCarty: In the case of the recent high-profile cyberattack, the malicious actors were able to carry out a ransomware attack by compromising credentials. Fundamentally, it's reducing the attack surface - those public-facing hosts and sites, ensuring that they're up to date with latest patches and vulnerabilities are managed, ensuring multi-factor authentication is in place on the perimeter to support critical assets. Management of IDs involves blocking and tackling or protecting critical assets, whether federal or private sector. The need to respond quickly is the second tier. Having assets scanned regularly, detecting threats, understanding that early detection limits the nature of breaches and continuous diagnostics and mitigation programs that have been in place at the federal level are a good start by reporting vulnerabilities at agency levels and reporting log data. The movement toward a zero trust architecture and doing recursive validation of individuals that are accessing our systems and networks moves us a long way toward further early detection and prevention. The other element here that I would highlight is the processes that we navigate, from an audit and compliance standpoint, mitigate risk and confirm our adherence to security control standards. But, agencies and public groups alike need to ensure that those audits and assessments aren't destinations but they're milestones to recursively validate that all of the controls that we put into place are effective.
McGee: In the case of Change Healthcare, the UnitedHealth Group CEO testified before Congress, and one of the things that was brought up was that when UnitedHealth Group acquired Change Healthcare, the system that wound up getting compromised - the portal that got compromised, which did not have multi-factor authentication, was a legacy system. There are several legacy systems in healthcare, and there are several legacy systems within government. Can you share any tips on how organizations can get a faster and more accurate grip of legacy systems in their organizations that might be vulnerable to such incidents that could potentially cause this sort of impact?
McCarty: We can't secure and protect what we're not aware of. The blocking and tackling element here is knowing what our assets are, having a true CMDB that's accurate and updated through continuous reporting and monitoring and scanning of our environments, endpoint detection, having software whitelisting and blacklisting in our environment. Once we have an accurate inventory of the assets in our environment, we have to continuously scan and monitor them. And it's one thing to conduct vulnerability scans. It's a completely different thing to prioritize and make risk-based assessments around those legacy systems. Tech refresh budgets in supporting federal systems have a great deal of oversight and a long lead time. Supply chain concerns come in when we talk about moving forward with tech refresh. It's important that we have road maps beyond just the initial term of a given federal contract and see into the future and plan for the maturation and modernization of federal systems. I would say the other element here is ensuring that we're leveraging some of the collaborative nature of vulnerability monitoring. The Cybersecurity Infrastructure Security Agency, CISA, promotes monitoring of known exploited vulnerabilities. I would recommend organizations add context to their vulnerability scans and legacy system risk profiles by reviewing what vulnerabilities have been exploited and what are identified as the highest risk by that agency as well.
McGee: When it comes to cyberthreat intelligence sharing between public health data systems and healthcare data systems in the government sector, how might that be improved to help the overall health ecosystem better respond and perhaps prevent attacks in the threats that we see in real time?
McCarty: I'll point back to CISA as a proponent of building resilience and real-time collaboration and sharing. I would point any cybersecurity professionals to their "Stop Ransomware" guide, which is a fundamental guide that outlines some of the very same controls that are NIST embedded or other agency security control frameworks embedded. But, the encouragement across the community of sharing early to get our arms wrapped around the attack surfaces and the attack points that malicious actors are leveraging, building a culture of collaboration to fully understand that it's "not if, but when" these types of breaches occur, will lead to better alignment across agencies, and with that comes better standardization and protection.
McGee: Going back to your role as a CISO, in terms of being a healthcare industry CISO these days, what are the biggest challenges and how do you think the role of CISO is evolving within the healthcare ecosystem?
McCarty: We're having to support at a much faster pace. The risks that exist to our data systems emerge at any moment in time. We see malicious actors targeting on holidays frequently. We'll see zero-day vulnerabilities come out at times when staff are typically dialed down in conventional IT organizations. We have to monitor our assets 24/7. Those who wish to do us harm and wish to negatively impact our federal assets are working around the clock to find vulnerabilities and attack vectors. We have to work diligently around the clock to prevent those risk points and eliminate them. We need to be thoughtful about prioritizing diversity across our communities, upskill our existing staff, prioritize maturation and process, and I'll point back to leaning toward a zero trust framework. It's going to take millions and millions of dollars of investment across federal agencies to move that paradigm shift forward. But, the more we talk about ZTA and the way we can validate the access points, data classification and the various pillars of a zero trust architecture, the more secure our assets will be.
McGee: Thank you so much, Clinton. I've been speaking with Clinton McCarty. I'm Marianne Kolbasuk McGee of Information Security Media Group. Thanks for joining us.