Health Tech, Artificial Intelligence

How To Spot Deepfakes and Other Cybersecurity Panel Takeaways from HLTH

Two chief information security officers offer some advice at a cybersecurity panel at HLTH.

MedCity News Senior Reporter Katie Adams moderates a panel with Joey Johnson, CISO at Premise Health, and Chris Bowen, CISO at ClearDATA, at the HLTH conference in Las Vegas on Sunday.

The business world was roiled earlier this year when a finance worker in Hong Kong was duped into handing over $25.6 million (200 million Hong Kong Dollars) after he joined a video call with someone he believed was his chief financial officer.

But that costly error could have been easily avoided. Joey Johnson, chief information security officer of Premise Health, a provider of on-site healthcare services, said there’s a simple way to spot deepfake technology — in this case, a deepfake meant to be interactive. Johnson spoke at a cybersecurity panel discussion at ENGAGE at HLTH, MedCity News’ partner programming at HLTH, on Sunday.

Let’s get to the scam first.

According to news reports, earlier this year Arup, a London-based engineering and architecture firm, alerted Hong Kong police that a local employee had been conned by a deepfake video involving the company’s CFO. The elaborate scam began with emails appearing to be from the chief financial officer, based in the U.K., asking that employee to approve a secret transaction. When the employee ignored the request, a follow-up email, again appearing to be from the CFO, asked him to join a video call with other staff members.

When the employee joined the call, he was relieved to find his CFO and other staff members on it. He then approved 15 wire transfers across multiple bank accounts totaling $25.6 million, believing his boss had requested them.

But it turns out that the video call was populated by multiple deepfake videos of actual company employees — including the CFO.

How to spot the deepfake


Such sophisticated scams are entirely possible with AI technology, which Johnson described as a technology like fire — both good (able to cook your food) and bad (it can also burn you).

Johnson explained that he has told his wife and children that his digital persona might easily be hijacked for nefarious reasons given that he speaks widely at conferences. In other words, both his voice and his image are easily obtained.

“You might see a video of me. You might hear me. It’s gonna be my voice. It’s gonna look like me. It’s gonna sound like me. It’s gonna be whatever,” he told the audience at HLTH.

So how can his family be sure it is really Johnson speaking to them on a video call?

“So we need to create a safe word for the family. It can be anything you want, but maybe some memory from a vacation … so that you can say, ‘Hey, Dad, what’s the safe word?’ Because the adversary is not going to know that. No amount of AI is going to give them that answer. So that’s something you can use personally. It’s also something that we implement professionally within our organization to try to protect certain things.”

Johnson’s co-panelist Chris Bowen, founder and chief information security officer at ClearDATA, a company that helps healthcare organizations protect their data and assess its vulnerabilities, agreed that a simple precaution like that can be all it takes to spot bad actors.

Undertake organization-wide security assessments

The challenge with large healthcare entities is that they sometimes have thousands of apps on their systems and many different vendors to manage. Assessing all of it and knowing which risks one can afford to take is absolutely essential.

“What kind of data is this vendor going to touch? I think I’ve probably done several hundred security risk assessments in the early part of our company, and that criticality analysis is so important because you have to understand of all of your assets, which ones are the most important to you to run as a company, to protect that data,” Bowen said.

Knowing is half the battle in this regard.

“One little slip-up with an MFA and look what happened, right?” Bowen said, referring to the Change Healthcare cybersecurity breach that brought the healthcare system to its knees. “I agree with you, [Johnson] on, let’s illuminate the risk. Let’s shine the light. And the more light that we can shine [the more we can] find the monsters that are under the bed.”

Be thorough and deliberate

Knowing your risks is crucial, but being thorough about how much cyber insurance you need to buy and what it will cover is no less important.

“It’s really sad that if you miss something on your questionnaire for your application, you may not be covered, and that may be something that just kind of fell off the CMDB [configuration management database], the database that shows you what all your assets are. Well, if you miss one, insurance companies have a good way out…,” he warned.
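The two problems the panelists raise here, ranking assets by criticality and catching assets that have quietly fallen off the CMDB, are the kind of thing a small reconciliation script can make concrete. The following is an added example, not code from either panelist, their companies, or MedCity News. The CMDB export, the discovered-asset list, and the scoring weights are all constructed for illustration; a real program would pull the inventory from the CMDB and from discovery tooling, and would tune the weights to its own risk model.

```python
"""Reconcile a CMDB export against discovered assets and rank by criticality.

Added example: the data and the scoring weights below are constructed
assumptions, not any organization's real inventory or risk model.
"""

# Constructed CMDB export: what the organization *believes* it runs.
# 'data' is the most sensitive data class the asset touches.
CMDB = [
    {"asset": "ehr-prod-db", "vendor": "VendorA", "data": "PHI",
     "mfa": True, "internet_facing": False},
    {"asset": "billing-portal", "vendor": "VendorB", "data": "PHI",
     "mfa": False, "internet_facing": True},
    {"asset": "hr-payroll", "vendor": "VendorC", "data": "PII",
     "mfa": True, "internet_facing": True},
    {"asset": "intranet-wiki", "vendor": "internal", "data": "internal",
     "mfa": True, "internet_facing": False},
]

# Constructed output of a discovery pass (DNS, cloud inventory, scanners).
# Note the extra host that nobody recorded in the CMDB.
DISCOVERED = ["ehr-prod-db", "billing-portal", "hr-payroll",
              "intranet-wiki", "legacy-fax-gw"]

# Assumed weights: how much each data class matters to the business.
DATA_WEIGHT = {"PHI": 5, "PII": 3, "internal": 1, "public": 0}


def criticality(asset: dict) -> int:
    """Higher score = more important to protect (weights are assumptions)."""
    score = DATA_WEIGHT.get(asset["data"], 0)
    if asset["internet_facing"]:
        score += 2          # reachable by anyone, larger exposure
    if not asset["mfa"]:
        score += 3          # the "one little slip-up with an MFA" case
    return score


def reconcile(cmdb, discovered):
    """Return (assets discovered but absent from the CMDB,
               assets in the CMDB that discovery no longer sees)."""
    known = {a["asset"] for a in cmdb}
    seen = set(discovered)
    return sorted(seen - known), sorted(known - seen)


def ranked(cmdb):
    """CMDB entries ordered from most to least critical (stable sort)."""
    return sorted(cmdb, key=criticality, reverse=True)


def findings(cmdb, discovered):
    """Assemble the items a risk assessment would want to see first."""
    missing, stale = reconcile(cmdb, discovered)
    return {
        "missing_from_cmdb": missing,
        "stale_in_cmdb": stale,
        "ranked": [(a["asset"], criticality(a)) for a in ranked(cmdb)],
        "no_mfa": [a["asset"] for a in cmdb if not a["mfa"]],
    }


if __name__ == "__main__":
    report = findings(CMDB, DISCOVERED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The gap list is the part that matters for the insurance questionnaire Bowen describes: an asset that discovery sees but the CMDB does not is exactly the one you would fail to declare. The ranking then tells you where to spend scarce assessment time first.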

Still, while it’s important to understand where your data is and how to protect it, the reality is that you cannot cover it all, he said.