Stopping Snake Oil with Smaller Healthcare Providers: Addressing Security with Actionable Plans and Maximum Value

Conference: BlackHat USA 2020



The presentation discusses the importance of trust relationships in cybersecurity and the need for effective communication and training to maintain them. The speaker emphasizes the need for relevant and concise training that ties directly to employees' jobs and the importance of being available and responsive to customer requests.
  • Context information on the use of questionnaires and certifications in the healthcare industry
  • Importance of a callback policy to prevent account compromise
  • The need for relevant and concise training that ties directly to employees' jobs
  • The importance of being available and responsive to customer requests
  • An anecdote about the effectiveness of a callback policy in reducing business email compromise (BEC) incidents
  • Acknowledgment of individuals working to improve cybersecurity in the healthcare industry
The speaker shares an anecdote about a warning from a federal agency that was four pages long and did not provide clear instructions on what people needed to do. The speaker and their team condensed the warning into 85 words and provided relevant action steps in 200 words, resulting in numerous people being able to protect their accounts against SIM swapping.


Healthcare has been the industry most affected by ransomware, data breaches, and hacks. Every week there is news of yet another provider that has been hacked. In multiple cases, this has led to practices shutting down and patients not even being able to get their medical records. The guidance provided to many providers has not specifically addressed what organizations need to do to protect their patients and themselves. There has not been a specific list and toolset they can use to protect themselves.

In addition, there have been many snake oil companies out there that have only provided risk assessments, costing smaller providers tens of thousands of dollars while not delivering anything of value. We want to change that and provide maximum value and immediate returns.

We want people to take what we've developed and released here and use it as guidance for developing their own information security programs at small practices, without wasting money on information they will not use. Our families and friends use these providers and give them their most personal information. We want to make sure that we give back. If we stop at least one attack and protect the information of those patients with this information, it's worth it.

Instead of a toolkit that is meant to demonstrate exploits, or a framework that takes a long time to implement, we're giving something that anyone can use to help their local providers secure the information their patients entrust them with.