We recently sat down with Errol Weiss, Chief Security Officer (CSO) at Health-ISAC, to better understand the challenges, opportunities, and concerns facing executive-level security leaders, in healthcare and across the board.
We discussed subjects including preventing burnout during incidents, the largely untapped value in sharing threat intelligence, and closing the security loop so CISOs can sleep at night.
Tell us about your journey into cybersecurity.
I remember being interested in the field since high school or college. It was all about detecting “computer intrusions” at the time; I had my subscription to 2600 Magazine, and it just seemed like the most exciting thing around.
After college, I joined the NSA and began working on various projects until a position in penetration testing became available. After spending a few years in that role, numerous other opportunities arose, and I began the path that led me here at Health-ISAC.
Tell us about your work at Health-ISAC. We’d love to hear more about your recent work with Microsoft & Fortra specifically.
Health-ISAC: Leaps and Bounds
Sure. At Health-ISAC, I had just come from the world of banking and finance, and many things were glaringly different. For example, I became their first CSO: they didn’t have one before, and I found that wasn’t exactly rare at the time for healthcare organizations. Many lacked a CSO, CISO, or similar leadership, which helped me understand the industry's cyber maturity level and some of the challenges they faced.
Since joining in 2019, we’ve been able to significantly evolve the program. When I arrived, there was no dedicated threat intelligence team; instead, analysts had to do this work on the side as part-time assignments. We had to create our own internal threat intelligence capabilities from scratch, which my previous experience in threat intelligence and the finance sector helped prepare me for.
Today, we have a fully functioning Threat Operations Center in Florida that delivers threat intelligence to our over 1,400 members regularly. Health-ISAC's membership spans the globe, so in the past few years we’ve even been able to expand our analyst base internationally. We have people in Europe, APAC, and scattered across a follow-the-sun model, so our members are supported worldwide.
As that has grown, I’ve been able to expand the service delivery we provide to those members. We now have a medical device security organization, for example, providing alerts, advice, and guidance to hospitals and medical device manufacturers. The evolution from pre-2020 to the present has been truly exciting.
Microsoft: Proving Cybercriminal Fallout
Back in 2012 when I was with Citibank, I had the opportunity to work with Microsoft and the Digital Crimes Unit (DCU) at a time when banking fraud was making big waves. That experience proved educational for what I would do later at Health-ISAC, especially when working with Fortra.
Microsoft significantly changed the landscape when it came to targeting cyber-criminal organizations. They would leverage this civil litigation strategy, which would draw in other affected victims as evidence to bolster the case in court, demonstrating that what these groups did didn’t just affect Microsoft and its copyrights, but potentially thousands of people worldwide.
This was the case when we were dealing with the Zeus banking trojan: Citibank could be liable for hundreds of millions of dollars in fraud losses due to this issue. Then, Microsoft would take the case to court to strengthen its argument, demonstrating how these attacks were affecting things on a global scale and garnering support to pursue these groups.
Fortra: Disrupting Attacks on Hospitals
Fast-forward to Fortra, and we’re essentially working with them on something very similar. Following the cyberattack on the Irish Health Service Executive (HSE) back in 2021, Microsoft’s DCU threw its weight behind a crackdown on cracked versions of Cobalt Strike, something Fortra was already on top of.
The two joined forces officially in 2023 when Fortra entered the case as a co-plaintiff. They were able to provide watermarks for unauthorized versions of the tool, which ultimately became key pieces of evidence in court.
We (Health-ISAC) joined as co-plaintiffs as well, and together alongside Microsoft and Fortra were able to link these cracked versions to 68 separate ransomware attacks on healthcare organizations across nearly 20 countries.
It was a great experience to demonstrate that we could disrupt these malicious botnets and cause some pain to the bad actors, making these networks a safer place.
What are the essential skills for a modern CISO?
That’s a great question, and I’ve noticed how the answer has changed over the years. I think initially, the role required someone with vast technical expertise to steer the ship, which was primarily a threat-busting one. It’s not that way anymore.
CISOs today are responsible for safeguarding business risk and aligning security strategies to achieve this goal. They need business acumen, leadership capabilities, and problem-solving skills. They need to know how to collaborate and communicate effectively to get things done, and we see people from various career paths filling these positions.
Organizations today are clamoring for a single, ultimate cybersecurity leader, a CISO, if you will, to spearhead these initiatives and take control. I think a lot of the job involves working with different lines of business and understanding their needs. Downstream, that’s customers. Upstream, that’s your senior-level leadership and your board of directors.
CISOs have an incredible amount of sway in both directions, and companies need a dynamic leader that can see the big-picture problem and solve it in practical, business-friendly ways. And if you’ve had experience running other parts of a business, even better. You need to understand all the elements of a cybersecurity program, of course, but gone are the days when CISOs are primarily hand-plucked from IT with no diversified experience.
What are some of the biggest cyber threats facing healthcare right now?
There are two big ones: ransomware, and a super dependence on third parties.
Ransomware
Ransomware hits especially hard on healthcare systems that are still lagging in security, making networks less secure than they should be. The problem extends if the organization is behind on backups. Restoring everything becomes a nightmare, and in many cases isn’t entirely possible, making these incidents even more devastating for hospitals and medical groups.
Ransomware attacks have crippled healthcare organizations in the past because budgets are still strained, and security measures are not as robust as they should be. Backups are often behind as well, making each hit a devastating event as these systems can’t get back online. This displaces patients, and has the potential to inflict some real human impact.
Third Parties
Another challenge is that healthcare organizations often focus on doing one thing right – healthcare – and outsource many other critical functions to third parties. In some cases, there are not many vendors providing these services (such as IT, SaaS, and even blood supply), so when one of them is affected, it causes a ripple effect throughout the sector.
Like we saw with Change Healthcare back in 2024, one third-party attack caused the most significant healthcare breach the sector has ever known. Patients couldn’t access their prescriptions, hospitals faced cashflow issues as they couldn’t bill insurance providers, and even blood supply (OneBlood in Florida) was interrupted.
What can CISOs do to prevent burnout, especially during security incidents?
As CISOs, we have a responsibility to lead by example. Burnout can occur both slowly and steadily, from constantly working in a strained healthcare SOC, for instance, and suddenly, when an incident strikes.
When we’re dealing with day-to-day burnout, it’s good to lead by example and let your team see you taking breaks. Head to the gym, take a walk around the building, or go for a bike ride. Whether it’s in the middle of the workday or when you get off, they’ll see you taking time for yourself before it’s too late. Take that mental health day and create a work environment where it’s acceptable to do so: this is a stressful line of work.
It becomes even more stressful when a cyber-attack happens. I recall working for someone who was incredibly prescriptive during these times and truly prioritized people. If someone had been there for more than ten or twelve hours, he’d send them home and bring in the second shift.
In an incident, it’s very exciting, and people want to work, and everybody wants to help out. This is great, but it can also backfire: on your people and on the mission. Besides burnout, people working tired and unfocused can not only cease to be productive but can also cause costly mistakes. And when you're dealing with a potential breach, that’s the last thing you want.
It’s tough: there’s more to do than time in a day, but overworking your teams won’t make up the difference. More likely than not, it will only exacerbate the situation. As CISOs, those are the kind of judgement calls that we’re hired to make.
If you had to create a security program from scratch, where would you start?
I’m a firm believer in involving leadership from the ground up so they can gain a clear understanding of the situation, then building out from there, rather than growing organically and transitioning someone out of IT to handle the task. It takes more than hardcore technical chops, and here’s why.
If you had a greenfield program and were starting from scratch, prioritize leadership. Get someone in (a CISO) who can help build a strategy, build the budget, find the people you need, and map out a plan over time, whether that be one year or five years. This is the most critical hour: you need someone there to establish what that program looks like at the start.
Otherwise, you’re scrambling and spending money haphazardly, and your security program will grow askew, typically with a lot of waste, shelfware, and turnover. There are so many vendors and products out there – AI and otherwise – that you really need a plan.
What is the biggest challenge you face as a CISO in healthcare?
The healthcare sector faces a unique set of challenges when it comes to cybersecurity. First, they are perennially resource-strapped in the security department. The budget is moving in the right direction, but it’s slow.
You can trace the problem back about 30 years, to when digital records were first introduced in the mid-90s. The HIPAA Rule was also introduced around that time, and I think organizations were so intent on complying with the new regulations that security often took a back seat, as it usually does.
We’ve been paying for those mistakes ever since, but things have been changing over the years. Ironically, it’s been cyber-criminals who have been showing industry leaders the need for increased defenses, one major healthcare breach at a time.
We’re at a time now where most everyone is on board, and eager to bridge those gaps.
Explain the culture of threat intelligence sharing within the healthcare industry.
It's a generous one. Despite still not having access to all the necessary security resources, the people I speak with at our member organizations genuinely care about their overall mission. They care about helping people, about improving lives, about saving lives. That translates into a desire to help, collaborate, and work together.
That’s why you’ll see more cyber threat intelligence (CTI) sharing in healthcare than in other industries, as a general rule, and a same-team mentality. It would be great if this caught fire in other sectors.
Even if you’re not doing it for altruistic reasons, there’s still a lot to be gained from engaging in CTI sharing across the board.
What do organizations stand to gain from sharing threat intelligence within the community?
While the old wisdom was to keep your security cards close to the chest, we’re entering a new era where it’s becoming more beneficial to share, even when the cards are down.
Most organizations today are aware of threat intelligence sharing and appreciate the concept. You’ll see them share CTI in steady state, when nothing is going wrong, and that’s a start.
However, the real value lies in what you can learn during times of crisis. This is typically the time when most teams clam up, no doubt due to legal counsel that wants to handle the issue internally without exposing too much to the public. However, this is precisely the time when organizations can benefit from community help the most.
At Health-ISAC, we allow members to inquire and share anonymously. Members experiencing a particular incident and seeking remediation guidance can contact us, and we can discreetly connect them with another member who has faced a similar issue.
Whether anonymously or openly, this type of community-level threat intelligence sharing helps teams learn from one another. Maybe there was an organization that faced the same ransomware attack and was able to restore quicker, smarter, and better.
As part of the threat sharing community, you have access to that tribal wisdom.
What keeps CISOs up at night?
The fear that some obvious security task was left undone. Insider threats, in particular, are a big one. Are people crawling around maliciously, and do we have the proper controls in place? Are people causing trouble mistakenly, accessing things they shouldn’t access or clicking stuff they shouldn’t? Are the systems in place to prevent such behavior?
And lastly, what about the exceptions? Have we closed the security loop? For instance, when an admin forgot their 2FA token, and we granted them temporary access, did we retire that access? Or is it left hanging open?
As much as CISOs are in charge of worrying about the big things, you can’t shake your security roots; you’re constantly worrying about the little things as well. I guess it comes with the territory.
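The exception the answer ends on, a temporary access grant that nobody retired, is the kind of thing a register with a hard expiry and a recurring check catches. What follows is an added example, not from the interview, Health-ISAC, or any IAM product: it reads a constructed JSON-lines register of access exceptions (the field names and format are assumptions for illustration), derives each grant's expiry from its TTL, and reports grants that are past expiry and still not revoked, as well as grants that were revoked late, since those show the process rather than just one grant needs fixing.

```python
"""Check that time-bound access exceptions were actually retired.

Added example, not from the interview or Health-ISAC. The register
format (one JSON object per line) and its field names are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample register: four exceptions, two never closed, one closed late.
SAMPLE_REGISTER = """\
{"id": "EXC-1", "subject": "admin.jane", "reason": "lost 2FA token", "granted_at": "2024-05-01T09:00:00Z", "ttl_hours": 8, "revoked_at": "2024-05-01T16:30:00Z"}
{"id": "EXC-2", "subject": "admin.raj", "reason": "lost 2FA token", "granted_at": "2024-05-02T13:00:00Z", "ttl_hours": 8, "revoked_at": null}
{"id": "EXC-3", "subject": "svc.backup", "reason": "vendor maintenance window", "granted_at": "2024-05-03T22:00:00Z", "ttl_hours": 4, "revoked_at": null}
{"id": "EXC-4", "subject": "admin.lee", "reason": "lost 2FA token", "granted_at": "2024-05-01T08:00:00Z", "ttl_hours": 8, "revoked_at": "2024-05-02T08:00:00Z"}
"""


@dataclass(frozen=True)
class AccessException:
    id: str
    subject: str
    reason: str
    granted_at: datetime
    expires_at: datetime          # granted_at + ttl, computed on load
    revoked_at: Optional[datetime]


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; a naive value is treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def load_register(text: str) -> List[AccessException]:
    """Parse the JSON-lines register, skipping blank lines."""
    out: List[AccessException] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        granted = parse_ts(rec["granted_at"])
        revoked = parse_ts(rec["revoked_at"]) if rec.get("revoked_at") else None
        out.append(AccessException(
            id=rec["id"],
            subject=rec["subject"],
            reason=rec["reason"],
            granted_at=granted,
            expires_at=granted + timedelta(hours=int(rec["ttl_hours"])),
            revoked_at=revoked,
        ))
    return out


def audit_register(text: str, now: datetime) -> Dict[str, List[str]]:
    """Bucket every exception by whether the loop was closed, and when.

    overdue_open:    past expiry and never revoked (the "left hanging open" case)
    open_within_ttl: not revoked yet, but still inside its TTL
    revoked_late:    revoked, but after its expiry (the process slipped)
    closed_on_time:  revoked at or before expiry
    """
    report: Dict[str, List[str]] = {
        "overdue_open": [], "open_within_ttl": [],
        "revoked_late": [], "closed_on_time": [],
    }
    for exc in load_register(text):
        if exc.revoked_at is None:
            key = "overdue_open" if now > exc.expires_at else "open_within_ttl"
        else:
            key = "revoked_late" if exc.revoked_at > exc.expires_at else "closed_on_time"
        report[key].append(exc.id)
    return report


if __name__ == "__main__":
    for bucket, ids in audit_register(SAMPLE_REGISTER, datetime.now(timezone.utc)).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Run on a schedule against the real register, anything in overdue_open is a ticket to revoke today, and a growing revoked_late list is the signal that the TTL or the revocation step itself is unrealistic.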