Never pay the ransom — a cybersecurity CEO explains why

This bonus episode of Decoder is part of The Verge’s cybersecurity week — check it out.

Steve Cagle is the CEO of Clearwater Compliance, which is an entire cybersecurity firm focused on the healthcare industry. Basically, they lock down hospital computer systems, which contain a huge amount of personal data, and are so mission critical that ransomware attackers know that hospitals are more likely to just pay up. 

Steve told me there’s so much personal information in a hospital system that a single patient’s record can sell for a huge premium over entire datasets from other kinds of companies. And, if the cryptocurrency explosion has accomplished anything, it’s making ransomware attacks easier and more lucrative for bad guys.

Steve and Clearwater Compliance try to keep the bad guys from accessing patients’ data. His company has a big market to address, and like every industry, there’s competition and consolidation. Steve tells us about all of that.

This transcript has been lightly edited for clarity.

Steve Cagle is the CEO of Clearwater Compliance. Welcome to Decoder.

Thank you for having me today.

Our conversation is part of The Verge’s Cybersecurity week, which is actually two weeks — it’s a very loose definition of what a week is. We are talking to a lot of folks about cybersecurity and exploring different parts of this huge industry. So quickly, let’s just start with: what does Clearwater Compliance do?

Clearwater is a provider of cybersecurity, privacy, and compliance solutions to healthcare and other regulated industries. We focus on healthcare in particular, and we think of it as an ecosystem. There are different practices at Clearwater specializing in hospital systems, physician practice management groups, digital health, and health IT. We help our clients achieve their missions by moving them to a more secure, compliant, and resilient state.

Let me unpack a lot of that. There are hospital systems, which are consolidating and becoming ever-bigger companies. There are also doctor groups. All these people have computers and EMR [electronic medical records] systems. You come in and say, “We are going to make them more secure. We are going to run all of your IT for you.” What is the specific thing that you do for these companies?

To help our customers tackle the challenge of protecting their critical, protected data and their organizations, we first and foremost help them better understand their risk. It’s a very complicated process, especially in hospitals, health systems, large provider organizations, and even in digital health companies that are implementing new technologies. The challenge of actually protecting the organization’s sensitive information and operations is very difficult.

To be good at that, you have to understand where your risks are. What we do first is help organizations identify what those critical information systems are and to understand what type of controls they might have in place currently. Then we look at the specific vulnerabilities that those systems have, the threats that are applicable to those systems, and we help them understand how likely it would be for an attack or breach to occur and how that would impact their organization. 

From there, we help organizations make better decisions about what they should do in order to solve those challenges or to address those specific risks. We also help them in execution mode by building programs to run and manage that on an ongoing basis and by doing some of the other more tactical activities that are involved in that. In healthcare in particular, compliance is a big part of the equation. We are helping organizations not only to address the cybersecurity risk, but to also do the things that they need to do to comply with the various regulations that are applicable to them.

We are going to have a whole moment where you just explain to me what HIPAA [Health Insurance Portability and Accountability Act] is. It’s going to be great. I’m very excited for this question to come. 

When you talk about that sweep of things, every time I hear a security person say, “We assess the risks,” I just think of that scene at the beginning of the movie Sneakers, where Robert Redford’s company figures out how to break into the bank and then they go and tell the bank how to secure itself. Are you doing pen testing? Are you out there figuring out, “Okay, these are the vulnerabilities in your systems. We’ve exploited them, we can fix them.” Or is it a little more sedate?

That is definitely a part of it. When we think about risk management, it’s an ongoing program. This is a really important point. Any type of organization that has something at stake that it needs to protect is going to think about risks. We think about that in many domains, not just in cybersecurity. We think about it in how we protect our organizations from lawsuits or from environmental risks, so on and so forth. 

When it comes to cybersecurity risk, you have to start by thinking about the information assets. These are not necessarily physical assets; it’s data that is very sensitive and very valuable, and people want to get to it. You are also thinking about risk to your operations and your ability to continue to operate if you don’t have those information systems available to you.

The first things we need to think about are, “What are those systems? What are those crown jewels that are really important to our business?” Then we need to think about, “How do we assess the risk to them?” So pen testing, like you mentioned, is one of the things that you might do to test how strong or how effective your controls are and how good the organization is at closing vulnerabilities. There are different levels of pen testing you can do. 

Then there are other types of things that you would do as part of your risk management program by looking at the controls themselves that are in place and looking at very specific vulnerabilities. It’s not just an attacker coming from the outside, it could be somebody from the inside. A real big problem that we see today in healthcare is insider threats — people recognizing how valuable this information is, stealing the information, and selling it.

You are thinking about risk management. You are thinking about defining how you’re going to do it from a governance structure and where your risk threshold actually is. Then you are really putting a process in place to do this on an ongoing basis. You are identifying assets, assessing controls, assessing threats and vulnerabilities and the effectiveness of those controls, and ultimately having a determination of your risk, and then you are managing it on an ongoing basis with a risk management plan. 

So yes, pen testing is part of that. Risk analysis, which I just described, is a part of that. Then there are other types of security activities that we will want to do on an ongoing basis like vulnerability management and so on.

When you talk about valuable data, is it patient data? Is it billing data? Is it data about the number of people who got vaccinations last month? What is the specific data that you are trying to protect in the healthcare system?

It’s really any type of sensitive data, but particularly in healthcare, we think about what’s called EPHI, which is electronic protected health information. That is one of those HIPAA terms. It is really all the different types of information you just described. This is very well defined in HIPAA and there are certain criteria for what defines EPHI. 

That data is very valuable because it is extremely rich in terms of the types of information that are included in it. You obviously have your personal information, very often social security number, medical records, insurance information. Criminals are buying this information on the dark web in order to obtain prescription medications that could be part of drug trade. There’s also medical insurance fraud. Credit card information is obviously part of that as well. It’s very rich and robust information that can be used to generate economic benefit for a criminal. That’s really the motivation.

The other motivation of cybercriminals is that they want to extort money via ransomware. If they are attacking a healthcare organization and disrupting operations, that then becomes a patient safety issue for the healthcare organization. If they are attacking a digital health or health IT company that’s providing technology to a provider, then they are still interrupting services. Those types of organizations might have dozens or hundreds of customers, so you are just multiplying the amount of data that they have and that makes them a very interesting target.

This is very valuable data. Just to give you a frame of reference, an electronic protected health record on the dark web could be up to $1,000 per record, as opposed to a social security number or a credit card record being just a few dollars. I mean, you can change your credit card information. You obviously can’t do that with your social security number, but medical information has a lot of different components to it. You put that information together and it becomes very, very valuable.

We are talking about the specific data implicated by HIPAA. You run a HIPAA compliance vendor. Give me the 30-second definition of what HIPAA is and how it works.

Sure. Just to make this note, Clearwater started in compliance. HIPAA was a big driver back in 2009 when a lot of the regulation came out with the HITECH Act [Health Information Technology for Economic and Clinical Health]. We don’t have to go into the weeds on that, but what that required was two big components of HIPAA — and that still really hasn’t changed much. 

First, we wanted to make sure that that information was portable and that it could be shared. There was a big push to get hospitals and health systems to EHR, electronic health records, to make our data more digital. We also wanted to make sure that patients could access that data — that was a very big part of HIPAA — and that we protected that information as well. We made sure that it was kept private and that it was kept secure. So in a nutshell, that’s what HIPAA is about.

In terms of Clearwater, while HIPAA has been a big driver of what we do, at this point cybersecurity has become the biggest driver. There are other types of regulations that have also come into play over the last decade or so, such as state regulations around privacy and security. We also have contractual obligations that have become, in some cases, much more stringent than even the regulations themselves. I just want to make the distinction that while HIPAA is still very important and a big driver, it is just one of the many things that healthcare organizations have to deal with in terms of compliance and managing their security program.

I just think HIPAA is one of those things that accomplished its goal of computerizing health records, giving people access to them on their phone, and making it easier to take those electronic records to your other doctor or to switch providers entirely. That’s all good. “We made a database. We are going to make that database secure in some way. We are going to give you, the customer, access to that database.” 

On Decoder, we always talk about the idea that once you add computers to stuff, you inherit all of the problems of computers. When my medical records were in a paper file in the basement of the hospital, they were harder for me to get to, but they were very hard for anyone else to get to as well. We have added computers to the chain to make it easier for me to get to them. Now you’re saying, “Oh man, we switched from HIPAA compliance to cybersecurity.” It seems like that is just a consequence of computerizing health records.

I think that’s right. If you look at some of the trends through the pandemic, we had a massive acceleration of digital adoption over the last couple of years. That happened very quickly in response to a crisis. In that case, as an industry, we didn’t necessarily go through all the typical steps. Even under the best of circumstances, we are probably not doing as much as we should in healthcare. But in this case in particular, there was a very rapid adoption of these new technologies. 

The data is available now to people working from home. Now, in addition to HIPAA, we’re also required to promote interoperability. We need to share information more openly yet securely with other healthcare and technology providers.

The massive change in the technology landscape in healthcare led to increased vulnerabilities, and more data. We are protecting more information than ever before. You have this dual effect, and now bring in the threat actors. Ransomware attacks increased 123 percent in 2021, and we had a doubling of cyberattacks in the past year. The environment is becoming more and more complex to manage. There is more at stake, and more people coming at you, faster and better-coordinated. It is an evolving landscape that needs to be continually managed over time.

Let’s talk about ransomware since you brought it up. It’s been a long year of ransomware attacks — of crypto-based ransomware attacks in particular. Is this still a problem? Is it as bad as it used to be? Has the industry started to figure it out? 

It is still a huge problem, absolutely. There were 160 ransomware attacks against healthcare organizations in 2020-2021. This year, we continue to see ransomware attacks. This hasn’t been announced as anything more than a cybersecurity incident right now, but CommonSpirit, the second-largest nonprofit hospital chain in the US, is experiencing something right now. They shut down their IT systems. There is another ransomware attack going on in Texas at an organization called OakBend Medical Center. So right now, there are healthcare providers dealing with ransomware attacks. 

It’s a huge problem. Healthcare providers are the most likely organizations to actually pay the ransom. The ransomware attackers know very well that this has a huge impact. You can’t get medical records, you can’t get tests back, you have to delay procedures, you have to divert ambulances from emergency rooms. That is a severe impact on the quality of care, and the attackers are going to continue because they know they are more likely to get their money and to get it very quickly.

Then you add on double extortion. Now you have not only the ransomware attack, but they have exfiltrated the data. Even if you refuse to pay and you say, “I’m just going to restore everything from backup or do whatever I need to do to get my systems back online,” you still have the threat that they are going to expose or sell your data. And sometimes, even if you do pay, they expose your data anyway. It is a very, very difficult problem, especially in healthcare when you factor in the sensitivity of the data and, of course, the delivery of care.

Isn’t the data encrypted inside the healthcare system? If you get the data out, how are they decrypting it?

It’s not always encrypted, no. That is part of the challenge. Even if it is, what you see with a lot of ransomware attacks is that they start with gaining employee credentials. That is the most common way that these attacks start. Once they get access through some sort of social engineering or phishing, where somebody is duped into providing their credentials, and if the organization doesn’t have the appropriate security controls in place like multifactor authentication or other controls, then they can get into the organization. Then from there, of course, they can begin to move laterally.

Not everything is encrypted. These days though, most laptops are encrypted. You would be less likely to see data breaches via stolen laptops like we saw maybe five to 10 years ago. But certainly, once you are inside the organization and you have those credentials, there is a lot of opportunity to exploit vulnerabilities, to continue to move laterally, and to then exfiltrate data or tie up the organization in a ransomware attack.

What is your relationship to the vendors? Let’s say an attacker hits a hospital system — they lock down the system, they encrypt the data, and they say, “If you want this back and if you want to run your hospital again, pay us the money.” The hospitals are mostly running on Windows, and then they are running EMR software on top of Windows, maybe from Epic or somebody else. When there’s an attack, is it Clearwater that goes out to the vendors? Does Microsoft ever even get involved? How does that work?

Clearwater is not dealing with the attack itself, although we do have partners that we work with that can help our customers through that process. Most healthcare organizations should have policies, procedures, and plans in place to deal with these types of situations. There is a lot of shared responsibility in cybersecurity today, because many organizations are now in the cloud, using third-party software, and they are relying on that vendor to have security controls in place. The hospital, the payer, even the vendor itself that has its own vendors, should all be conducting an assessment of their vendor security program. They should understand how they are going to protect data. 

In the case that there is a third-party breach — which has been a huge problem in healthcare and other industries because there is just so much information we are now trusting to third-parties — unfortunately, you are relying on that vendor to deal with the situation. It’s still the covered entity, the provider, or the payer who has to deal with reporting to the Office for Civil Rights (OCR) and has the responsibility of dealing with the notifications to their patients.

So, let’s say there is an attack and the people who are watching are like, “Oh shit, we’re being attacked.” What happens next?

That’s a great question. First and foremost, you’re trying to contain the attack and you’re trying to shut it down. There is actually a good white paper coming out where we talk about how Tech Lock went through that process of chasing an attacker out. Let’s say you have a ransomware attack, and now the organization is going through the process of having to deal with that. This is a really important point. We find that organizations that have done incident-response exercises, that have playbooks they use to deal with those situations and have gone through those tabletop exercises, are going to be much better prepared for that attack. 

We recommend going through that process. You are typically going to have your executives in the room and you’re going to have to answer some questions like, “Who do we call?” If you are a larger organization, you’re going to follow your plans and procedures. If you’re a smaller organization, you’re probably going to call your insurance provider and they are going to bring a forensics team in to support and assist you. You also have other questions to ask like, “What are we going to do in terms of our reporting to our patients? Do we have any third-party information that we have contractual obligations to report on?” We might not know at this point if any data has been exfiltrated. 

We also need to make that decision whether we pay the ransom or if we try to restore. “How long will that take?” Then there is business continuity. “How are we going to manage and operate during this time?” There are questions from the media, questions from your employees, it goes on and on. Those decisions have to be made very quickly. If you’re sitting around the table with a number of people and you haven’t had these discussions before, that can be quite difficult and quite stressful. That will be the environment. On the hospital side of things, there are certainly plenty of cases where we have seen some of the impacts on organizations that weren’t prepared.

We have talked about paying the ransom several times. You can only pay the ransom because cryptocurrency exists. If the attackers were demanding US dollars, the attackers would get arrested more often.

I haven’t seen anybody take a suitcase and make an exchange or anything yet.

But that is real, right? One of the things that cryptocurrency has enabled is ransomware attacks at scale. Crypto has crashed; it’s not quite as valuable as it used to be, though it might be coming back up. Do you see the pace of ransomware attacks fluctuate with the price of cryptocurrency?

To be honest, it’s not a trend that I have looked at specifically. It’s a great point. I don’t think that the fluctuation in the crypto market is necessarily having a big impact on the attacks that we’re seeing, especially in healthcare, just looking at what we’ve seen over the last several months.

It is very interesting, because the cyberattackers that are asking for the ransom will spend time actually thinking about what the organization is willing to pay. They ask smaller organizations for less money and they ask bigger organizations for more money. They are pretty good at trying to find out, “Okay, let’s pick an amount they are probably going to say yes to.” They’re very clever like that. I think as the market fluctuates, they will probably be thoughtful in that regard as well.

Since this happens so often to hospitals and they end up paying the ransom, do hospitals just have a reserve of Bitcoin? Are they all good at it now? How does that work?

I don’t think it was recently, but I actually heard somebody at one point saying, “Oh yeah, we’ll just have enough Bitcoin available to pay the ransom.” I don’t think it’s a good strategy, or a common one either. There is cybersecurity insurance, and that has been a very interesting trend as well. Cyber insurance underwriters have had record payouts with all the breaches and ransomware attacks that we have seen, and as a result, the premiums are rising substantially. They have doubled over the last couple of years.

On top of that, they are really demanding — there really is no other word for it. They’re requiring that you have certain security controls in place before they even sign the policy, which is putting even more pressure on the insurees. It’s good because they’re becoming more secure, but it’s basically a cookie-cutter approach. “You have to have these things, whether they are the best things for the organization or not.” The retention is rising, so you’re going to pay more out of pocket if you have a claim. Limitations are going down, and costs are going up. The average cost of a breach in healthcare over the last two years has gone from $7 million to $10 million according to the Ponemon Institute.

Breaches cost more, your insurance is harder to get, it’s more expensive, and it’s covering less. That is a really challenging environment. The solution goes back to risk analysis and risk management. You have to do a very rigorous, thoughtful assessment and analysis of the risks in your organization. Then you have to make a business decision on where you want to spend money. By just saying, “It’s going to happen, so I’ll have some Bitcoin over here,” it’s almost 100 percent that if you pay the ransom they are going to come back again.

Really?

The FBI has said this; I have heard them say it over and over again. If you pay the ransomware ransom, they know you are going to pay, so they are going to come back at some point and try again. It’s a very tough decision, and sometimes, there is no other option. You have to negotiate something because you just don’t have a good alternative, but you want to make it as difficult as possible for those situations to occur. 

You want to have a good business impact analysis in place, to understand what the impact is going to be to different business processes if it were to occur. Then you want to design your disaster recovery and your business continuity plan, test that plan, and then test your incident response. If you do all those things, you’ll reduce the impact of a breach or ransomware attack.

You mentioned the FBI. It occurs to me that we have mostly talked about all of this as sort of a lawless anarchy. The attackers show up, so now you, the executives, and the insurance company are involved. Are the police involved as well? Is the FBI involved? Does the FBI ever say, “Hey, pay now so we can catch them the next time they come back”?

Well, unless the FBI has changed its position on that, I believe they will tell you not to pay. The FBI is involved, or should be involved, so one of the things that we recommend to our clients is that they establish a relationship with their local FBI office. The FBI does get involved, especially in the cases of hospitals and healthcare providers. It is a critical-infrastructure industry. One of those first calls should be to the FBI. They will certainly assist and investigate. 

They are trying to do things to stop this. There is law enforcement out there, it is just very difficult because a lot of these attacks are coming from Russia and from other parts of the world where our law enforcement is not really able to operate.

What is the endgame here? In fact, let me ask you the supervillain question.

Sure.

You make your money because of these threats, and the insurance companies make their money because of these threats. You seem like a very nice guy. I don’t think you are a supervillain. But if you were a supervillain, you would be funding the attackers, right? There is an incentive loop for you, the insurance companies, and the other providers of services here, to make sure the threat environment remains high. How do you get out of that loop? How do you end it?

I think our incentive is to help our customers be secure. To me, making it more difficult for an attacker to be successful is really our endgame. We want to make it increasingly challenging for a third party to be able to successfully attack, because at the end of the day, this is about economics. There is a whole industry that has been established. There’s ransomware-as-a-service, affiliates, and almost like franchise locations for ransomware. There’s a reason for that. Everybody is making money doing it.

If only the industry itself was better at protecting the organizations… It’s kind of like what you see in the financial industry, which is a very mature industry when it comes to cybersecurity. You don’t hear about a lot of ransomware attacks in financial institutions, because there has been investment in controls and ongoing risk management. Does it mean that the banks are not being attacked? Of course not. I’m sure attackers are still trying to go after that industry where they see weaknesses, but what they’re really focusing a lot of their time and effort on is healthcare, education, et cetera — those industries that have under-invested.

The endgame here is to get to a point where it is not economically viable to continue to attack your company or your organization. Go attack somebody else, or eventually, it would be great if they all go out of business. I don’t think that is going to happen, but we are trying to get our clients to a point of maturity that makes it very difficult for them to have those events occur.

I feel like I could go to the CEO of a bank and say, “Hey, we need to invest in security.” They will at least understand that there is money in the bank and investing in security keeps the bad guys away from the money. You go to the CEO of a hospital and say, “Hey, you need to invest in security for whatever cloud-based system is expressed on the Lenovo laptops throughout the hospital.” They will say, “Why?” Is that the issue? Do they not see the connection there that they might end up paying a lot of money for ransom? Or is that changing over time?

I think in this day and age, every CEO certainly understands the importance of cybersecurity. I just can’t imagine being in that position and not being aware of that.

Well, there’s a lag. You are describing a lag between where the banks are and where the hospitals are.

Of course, and that is changing. The healthcare industry has a lot of challenges. It’s had a very rapid adoption of technology while underinvesting in cybersecurity. It’s not great, but that’s what happened. Reimbursements are getting more challenging for a lot of hospitals and health systems, they have major challenges in staffing, costs are going up with inflation, and there is a lot of pressure to spend money in a lot of different places. When they’re thinking about risk holistically across the organization, cybersecurity and the risk of a breach or a ransomware attack is one of many risks they’re dealing with.

Risk has become greater and more impactful to the organization. Different healthcare providers, other organizations, and other companies have experienced that. They’ve seen it happen. They’ve seen the cost and the devastation. It’s moved from, “That could happen, I get it, but I have all these other things happening right now that I need to deal with,” to, “Oh, wow, that’s happening.” Eighty-nine percent of the organizations surveyed from the Ponemon Institute had a cyberattack that targeted them last year. Almost every organization is being attacked. It’s happening, and that’s why we’re seeing more investment in cybersecurity. 

There’s a long way to go, and it’s not going to happen overnight. It would take a lot of time, effort, and resources. Again, that is where we think we are helping our customers quite a bit, by providing them with those capabilities that they don’t have and doing it through a managed service that allows them to get a lot more for their money. That’s really what we’re trying to do.

One of the things that has come up in this conversation a lot as a theme is consolidation and the pressures in the healthcare industry. There’s a lot of consolidation in the healthcare industry. The big hospital groups are rolling up, the physician groups are rolling up, your company is rolling up. Is that helping or hurting? If there are only three big hospital chains in America, are they going to have all of the resources and be able to repel attackers? Or would they be a little bloated and slow, so attackers are going to go after them because they are rich targets?

In the long term, it is helping. I think in the short term, there is a little bit of disruption. You have organizations coming together on different systems and going through a process to integrate those technologies. As you do that, you’re exposing the organization to even more vulnerabilities. How do you address that? Again, you should be doing risk analysis before you implement technology. You should always do risk analysis.

“You should buy my product.”

Whether it’s from me or from somebody else, they should be doing it. The point there is that smaller organizations are going to have a harder and harder time dealing with this. Their data is still valuable. Whether you are a critical access hospital — which is a 25-bed or less hospital — or a large integrated delivery network with dozens of hospitals, clinical locations, ambulatory, you name it, you still have very valuable data, and there is going to be some amount of money that you are willing to pay.

Now, most of the small hospitals, the small providers, don’t have a security officer. They probably have an IT person who has some security responsibilities. How much are they spending? Healthcare is spending between 5 percent and 7 percent of their IT budget on security, as opposed to the financial industries that are spending 10 percent or more. The IT budgets are much bigger to begin with, so it is a bigger percentage of a bigger number. With small hospitals, it doesn’t amount to a lot of money. Coming together certainly creates some efficiency or some scale in trying to address that challenge.

We are trying to advise our clients that when they’re doing these integrations they need to be thinking a lot about governance. They should set up their policies and procedures in a way that ensures that the organization is operating within the framework and the risk tolerance they have established, while also giving them some flexibility at the individual hospital level to do the right things on the ground. We call that our principle-based governance policy and procedure framework, and it is really helpful in those types of situations.

I have mentioned several times that it feels like Windows is in the background of all this. All of these companies run on Windows. I know Microsoft does a good job, but would it help if there were more operating systems in the mix or more EMR software providers? It just seems like you have these huge attack surfaces at huge companies, so you have a shrinking number of giant companies running the same software. If you are a Russian ransomware operator, you can just focus your effort as opposed to saying, “All right, we now have to go figure out iOS 2 or Linux.”

I think it’s always great to have competition in the market. There is a flip side to that as well. When you have multiple technologies, you have to learn how to protect those different technologies. That is a great point from an attack surface perspective — the attackers are only having to learn one technology. I think you could probably argue that either way.

Is that true for you, too? Does your team only have to really think about Windows?

No. Windows is going to be a common one, of course, but Macs and mobile devices are operating systems we have to think about as well. We are now dealing in cloud technology, so we have to be good at understanding AWS, Azure, Google, and so on. All those things require a lot of expertise. It’s about keeping up with what’s happening every day. 

That’s why it’s important to have a partner or an advisor doing that. You want to make your decisions on what’s best for the business, not on, “Well, if I have multiple technologies in here, I have to learn how to protect all of them individually.” That is an important consideration, but ideally you will have the capability, whether that is in-house or externally.

Do you think all the way up to the sort of state actor level? Like, “Oh boy, the NSO Group with Pegasus can target zero-click attacks at doctors with their iPhones. We have to factor that into the risk profile of the hospital.”

We have to think of all that. Of course. We have to think about all the threats and all the vulnerabilities that we think are relevant in particular for the healthcare market. Yeah, absolutely. Threat intelligence and having that incorporated into how you think about risk is another great point. 

Also, from a monitoring perspective, you’re looking at different techniques and different indicators of compromise that may occur. You need to have a good understanding of those. From the perspective of monitoring the technology we use, having good technology helps to identify those things, orchestrate them, and automate them so that it goes to an analyst to investigate.

What’s the next thing people should be looking for as this entire cybersecurity industry develops?

Well, we touched on that before. For Clearwater, there is a lot of wood to chop here on integration to get to a point where we are really seeing value for our customers. I think we’re seeing that already, but we have a really clear vision of being a leader in healthcare cybersecurity. We have all the pieces now, and the next step is to put them into programs for our customers that create a lot of value for them and give them a lot for what they are paying. We are really focused on that. 

Managing security and detection, threat detection and response, is a really big part of where we’re going with the company now. We are combining these technologies, these assessments, and other things that we’re doing for our customers into a single pane of glass. That’s ultimately what we want so that customers have a single view of what’s going on in the organization.

We didn’t talk too much about medical device security, but that is a really concerning topic for security professionals and clinical professionals in the healthcare space. The FBI just released a bulletin last month identifying an increased number of vulnerabilities posed by unpatched medical devices that are running outdated software.

They found that as of January 2022, over 50 percent of the connected medical devices or other internet of things in hospitals had critical vulnerabilities. That is just a staggering number. That’s a real safety risk. 

From an industry perspective, we are in the very early days of ensuring that we are addressing those vulnerabilities and monitoring those devices. We’re talking about things like insulin pumps, mobile cardiac pacemakers, and pain pumps. It is a very serious concern if a cyberattacker gains access to and is able to control those devices.

I think for the industry, that is a big challenge and one that we are going to have to find better ways to address. There has been a lot of technology that has come out over the last several years, but the healthcare organizations are having a really hard time using that technology, making sense of the data and doing stuff with it, because they just don’t have the people to do it.

Again, we are adding computers to things and inheriting all of the problems of computers. If I am a consumer or patient and I see one of these devices floating around — these insulin pumps that are connected — how do I make sure that the thing is safe or that it’s been patched?

Oh, that is a good question. I have yet to hear of patients in hospitals asking about the security program in the hospital. I think you want to work with providers that are demonstrating that they are protecting your data well. If you’re a consumer, something you can look for without even having to ask questions would be the way that the professionals are interacting with the data they have.

I remember one time I was getting my eyes checked. There must have been somebody that was subbing in to do the exam, and she didn’t have the password to the machine. She shouted down the hallway asking for the password, and they shouted it back down. That concerned me. That’s not good. If things like that happen, then you might want to question their security program. 

I think you really want to make sure you are going to organizations that demonstrate that they protect information. You can look around and see if screens are left up. It’s probably going to be hard to identify whether a medical device has been patched. I’m sure if you asked your nurse, she is probably not going to know the answer to that question or is just going to say, “Of course.”

We have to normalize it. Decoder listeners everywhere have to start asking this question when they go to the doctor.

Yeah, absolutely. That is exactly where things are headed, I think. Patients and employees, we all need to take control or be responsible for how we protect data. For Decoder listeners as well, thinking about the security of your own personal data that you have at home is something we all need to be very aware of. Security awareness is the number-one thing that really leads to avoiding phishing attacks, which is the most common way that bad actors are successful with a ransomware attack.

Before we wrap this all up, let’s do what I think of as the Decoder questions. How big is Clearwater?

We just did a couple of acquisitions this summer, which grew the company quite a bit. We have over 200 workforce members today. With the two that we did, we acquired a managed service security provider called Tech Lock, which provides managed detection response services, security operations, and is doing things like endpoint detection and log management. 

We also acquired, or really merged with, a company called CynergisTek, which is another healthcare-focused cybersecurity and compliance provider that we have respected for a long time. We have competed against them and now are joining forces to be a stronger partner for our customers. It’s growing quickly, but certainly still not an extremely large organization. We are definitely feeling very excited about the new capabilities we have as we grow.

I was reading the press releases of those acquisitions. Both of them say, “We are going to run these as independent divisions of the company.” How are you structured? How are you thinking about the company structure over time?

For now, we’re spending a lot of time learning and getting a really good understanding of what each of these organizations is doing. We’re certainly planning to bring everybody together as one organization, but in a way that doesn’t destroy any value for our customers. We know there are a lot of good solutions, good experiences, great people from all these companies. We’re working through aligning the services portfolio and the technologies that we have. There is a lot there, which is really exciting. 

Ultimately, it will be one organization serving our customers. Tech Lock has pretty quickly been fairly well integrated into the organization already, and we’re now working very diligently on doing the same with CynergisTek.

More abstractly, after all these integrations are done and you’re looking at your company, what will the structure be? Is it mostly security engineers? Is it mostly accountants? Is it mostly CEOs? 

A good place to start might be from the go-to-market perspective. All the companies have been fairly similarly organized, with a consulting services division that provides solutions. Clearwater and Tech Lock both also have software development groups, and we have leaders for software development and for consulting services. We have a very specific go-to-market strategy in how we approach our sales and delivery.

We focus a lot on different market segments, particularly within healthcare. A hospital system is different from a digital health company. It’s much more complex at a hospital in terms of the organization, the technologies, how they are structured, and their overall maturity. So that is just one example. 

The way we have aligned our sales organization and our delivery organization is to have people that are really good at understanding the business of a digital health company, versus an ambulatory organization, versus a hospital. We found that that allows us to be more valuable to our customers and more competitive in the marketplace. Even within our services organization, which is the largest part of our team, we have different practice areas for those different verticals. 

We also have different types of practices, which are not really as vertical-specific. Those are things like technical testing services, privacy around HIPAA. That tends to be something where you still have some, but not necessarily as many, nuances as you move from one industry to the other. Our services and sales organizations are organized that way because it helps us to be better solution providers. Then we have a marketing division, which is integrated, and then your typical back-office functions.

You said you have a marketing function. Are you the one buying the ads in the airport and on Thursday Night Football? Those are always tailored to CIOs. Is that you? Does that work?

Our marketing budget has not yet allowed for Super Bowl ads, but we are working our way to that. Our marketing approach has very much been thought-leadership-based. If you go back into the history of Clearwater and CynergisTek, both of those organizations’ founders initially established the companies by learning a lot about the subject matters they are helping their customers with, and then going out, talking about it, and teaching people.

There is a lot of education needed in our industry because things are happening and changing so quickly. It is very difficult for our customers to keep up with all that. What we do at the core of our marketing program is produce a lot of thought leadership — webinars, white papers, and educational programs — and then we share that freely with the market. When we go out and do advertising, when we are buying those digital ads, it’s all about leading people back to that thought leadership. 

It’s not the same type of strategy where you are going out there and saying, “Hey, Clearwater is a leader in this space.” We are trying to establish our leadership by providing valuable content, and people will make that connection on their own from what they are seeing and what they are reading.

So I walk through the airport and I see the ads for cybersecurity, and literally the ads are designed to be scary. There’s like a guy with a hood and a keyboard.

Yes.

Then it’s the name of a huge company. I am always told by the various marketing people who work at those huge companies that the idea is basically that the decision-makers are walking the halls of the airport. If we just get our brand name in front of them enough, when it comes time to write the check, they are more likely to write the check to the familiar name. That is the whole game they’re playing there. 

Clearwater is a 200-person company, and you are obviously a leader in one industry. Do you fight that? Do you feel like you have to fight the perception that Accenture or whoever else can come in and do this for you?

Yeah, absolutely. There is a lot of competition in this space. It’s a huge market. It is growing in healthcare, I think 16 percent compound annual growth rate per year. So it is a very attractive market even within healthcare, which is very nuanced. Most people that work within healthcare will feel very strongly about that. 

We have differentiated ourselves in the marketplace for a long time with our understanding of the healthcare industry. We have people who have worked in environments with healthcare technologies who understand the regulations like HIPAA. We have worked with our customers who have had investigations or corrective action plans with the Office for Civil Rights, which is the enforcement arm of HHS (Health and Human Services) that enforces compliance with HIPAA. We have helped our customers in four dozen cases and we have had a 100 percent success rate with having our risk analysis accepted by OCR.

We have some very important benefits that we can offer our customers, and people working in the industry appreciate that. We are speaking their language and we can offer something that is a little bit more differentiated and unique. We are still trying to get our name out there, not as broadly as being in the airports, but we do it through other places that executives are traveling. 

An example is the CHIME organization, the College of Healthcare Information Management Executives, which are basically all the CIOs of hospitals. We are a sponsor of CHIME and work very closely with that organization. It is a little bit more of a targeted approach, but we are still trying to get in front of the right people that are making the decisions.

How do you make money? What is a typical contract? Is it by the hour or is it a service fee? How is that structured?

All of the above. Most of our customers are moving to managed services. It’s maybe something more healthcare-specific, but I think having that predictable cost for what they’re getting is very attractive. Today we’re offering a couple of programs that are aligned to the market segment in the managed services bucket.

In the hospital and health system space, we offer a program called ClearConfidence, which is really rooted in that risk management program I described before. It is moving hospitals and health systems from point-in-time assessments of their risk and response to an ongoing risk management program. They are outsourcing that to Clearwater, which is helping them address some of the challenges that they have around staffing, resources, and expertise. 

They are just so busy dealing with the day-to-day, and there has been so much transition in security, especially within healthcare, that it is hard to get that consistent program going. We take that program, we outsource that with a fixed monthly fee, and then they can bolt on additional services that we can add and incorporate.

The other type of managed services program that we have is our ClearAdvantage program, and that is targeted more to physician practice management, digital health companies, and other mid-market organizations that need a more mature and robust cybersecurity and compliance program. They just don’t have the people to do that or really the knowledge of what they need to do, let alone the resources. So we outsource that. 

We will take on the role of Chief Information Security Officer for the organization, which is a seasoned executive that has both technical and business experience. Then we will actually implement and execute their program for them on an ongoing basis and map to whatever it is that they need to achieve — customer requirements, HIPAA, other regulations, and of course their own risk tolerance.

That is a big part of our business. We also have a software program called IRM Pro, which is a risk management tool and a compliance management tool really geared for healthcare organizations. That is something that we sell for a subscription fee — your typical SaaS model. Lastly, we do have consulting services that are more project-based. They also tend to be a fixed fee, which I would say is preferred nine times out of 10.

Let’s say I run a small physician group and I’m like, “Man, I don’t want to hire a head of security. I installed all these computers and that was a mistake. I should have done this all on paper, but whatever.” So now I hire you to do it. Am I just paying you a fee like I would pay every month for janitorial services? Does the price go up and down? Is that predictable for you?

It’s very similar. It depends on the contract with the customers. Most of the physician practice management groups we’re working with are not your single-doctor practice. From a trend perspective, private equity has really been investing a lot in rolling up these groups under MSO, managed service organization models.

They are bringing in professional management teams and going out and acquiring different practice locations. They usually have some sort of strategy, whether it’s a technology platform, a reimbursement model, or a specific focus on how they are delivering the care. 

It’s very business-focused and growing really quickly. Their concerns are, “Hey, my business is growing really fast. How am I going to protect it while I continue to grow? Because what I really want to do is grow the business.” Like most private equity firms, at some point they want to sell the business. If I have a ransomware attack or a breach, that is going to make it difficult for me to do that. So do I want to do that myself? Or do I want to go out and get somebody who is really good at that? 

That is what private equity firms and professional management teams do; they go out and they figure out, “How do I have the best operations I can?” It is operational efficiency and quality. That message has resonated really well.

Those types of organizations a lot of times go with our ClearAdvantage program, which has all these components. There are different levels of the program depending on where they want to get to and how quickly they want to get there. Then there is a fixed fee that we establish for them. As they grow, if they get to be larger, then there is some increase in that fee. It’s not a linear increase, but it is very reasonable. It’s a predictable model. They know that they are really working with somebody who is going to manage it for them on an ongoing basis.

You also run a company that has PE investment. You are growing — you are merging with and buying other companies in this market that is growing. How do you make decisions?

That is a good question. There are a couple of ways. First, we have Clearwater’s well-defined strategic principles. We have aligned on a strategy, and we have put some very strong statements around that strategy and what we are trying to achieve. When we are going out to make decisions about where we play and how we play there, we want to make sure that it fits our strategic principles. 

For example, we are focusing a lot on healthcare, right? So, are we doing something that’s going to be valuable to healthcare? Is it going to help us to grow in a market that we have identified as a growing market? If we are going to a new market, is it growing? Then very importantly, can we be competitive? 

That is a really important strategic principle. We don’t just want to be able to do something, we want to be able to do something better in a market that is going to continue to grow. We think a lot about value for our customers. How does it create value? Is it going to solve a pain point? Is it going to make our customers better? Then again, how differentiated is that?

Culture is a big part of our strategic principles — how what we’re doing benefits our colleagues at Clearwater. That is a really important part of how we make decisions. Then of course, we have financial goals and objectives like every other company.

We start with those strategic principles more from an organization perspective and how we try to make decisions in the organization. We communicate our strategic priorities to our entire organization. Our most important priority is always quality and customer success. That is the message that I am giving to the entire organization daily. In addition to that, we have priorities around our business plan and growth.

The purpose of doing that is to ensure that everybody in the organization understands what’s most important. When they are thinking about decisions — because we do want to empower our colleagues to be able to make decisions — we want them to be thinking about our strategic priorities. Where does it fit in the priority scheme? How do we make choices? 

As we just discussed, we’re not a huge organization and we have limited resources. We need to make sure that we are doing things in a way that aligns to our strategy according to our priorities in the organization.

You mentioned PE companies. They tend to move fast and then try to flip the company. You have a PE backer, and you have just bought two companies. That is a roll-up just like the PE companies are doing with doctors. Are you on a timeline to going public, or exiting, or selling yourself?

No timeline. I think the real important point here is that our investors have a lot of conviction about the market growth and about Clearwater. We are really excited by that and appreciate that very much. 

In terms of the acquisitions, they were very strategic. One driver for us — an important driver in terms of our strategy and where we want to go with the company — was to position ourselves in the MSSP [managed security services provider] space, particularly with the 24/7, eyes-on-glass security operations that we didn’t have at Clearwater. We see that as a really important market. It fits our strategic principles, it is a growing market, it has value for our customers, and it is a place we think we can be competitive, but developing on our own would be really challenging to do. That was the investment thesis around Tech Lock, which is also bringing some important additional compliance capabilities that we don’t have. It’s a very strategic acquisition for us.

With CynergisTek, a lot of the motivation there was about gaining scale, increasing our customer base, and having complementary solutions that we can provide to our customers, ideally packaged into managed services, which we think will provide more value to them. It also makes us a stronger partner and gives us a more robust management team, with the resources we are getting in terms of the consulting team. It’s not easy to hire talent in cybersecurity today. I think we have done a good job of it and of retaining folks, but we need people. We are a people business and we got great people as a result of that.

We are pretty early. Since that has happened, we have a lot of work to do to fully realize the value and the synergy of those transactions. Like any other private equity firm, we all know at some point they are going to do something to exit the business. What that means right now, I don’t know. We’re not even thinking about that. We have so much ahead of us right now in terms of growth opportunities, so our full focus is really on that right now.

Amazing. Well, Steve, thank you so much for coming to Decoder. This was a great conversation. We will have to have you back soon.

Great. Thank you so much. I enjoyed it.

Decoder with Nilay Patel
