Cyber criminals only have to be right once to wreak havoc. In healthcare, we have to be right 100% of the time to manage the risk of cyberattack. In this episode, Phil Sobol, Vice President of Business Development, talks to Darcy Corcoran, Principal for Cybersecurity Advisory Services. Hear how she uses her extensive background in the Department of Defense and her work with NATO and the Pentagon to inform organization-specific tactics and industry best practices for cybersecurity in healthcare. In their conversation they cover the must-haves and explore an often-overlooked aspect of evaluating AI use cases.
Sobol: Today, we are pleased to welcome Darcy Corcoran to the CereCore podcast. Darcy is an executive level cybersecurity consultant for CereCore with 21 years of experience in the United States Department of Defense and eight years in the commercial sector supporting major domestic and international initiatives across a variety of industries. Her career began as an active-duty soldier and culminated as a federal civilian employee with the Marine Corps as a cybersecurity professional for the Marine Corps CIO. Throughout her tenure with the Department of Defense, she provided cybersecurity architectural, engineering, and accreditation support for critical Department of Defense organizations, including the Joint Special Operations Command, Special Operations Command, United States Central Command, and the United States Marine Corps. Selected from hundreds of international applicants, she served as a senior scientist on the NATO cybersecurity staff in The Hague and oversaw security architecture, governance, compliance, and accreditation of assets across the entire NATO capability portfolio and allied transformation. Upon retiring from federal service in 2016, Darcy assisted both international and domestic companies in creating their cybersecurity offerings and products. Darcy holds an MBA in Information Technology from Western Governors University, a Certified Information Systems Security Professional Certificate, and a Certified Cybersecurity Maturity Model Certification Assessor Certification. Darcy, welcome to the podcast.
Corcoran: Thanks, Phil. That was a great introduction. I don't know how I can follow that up with much more about my background, but I am happy to be here.
Sobol: Yes, we are glad to have you, not only on the podcast, but with CereCore as well. So, we would like to start off by discussing your background. And certainly, we have hit some of the highlights now, but we always like to hear from you a little bit about your journey. And then, ultimately, what led you to focus on health care?
Corcoran: Well, as you said, my background is defense and I started in active duty. I really started in IT and tactical communications, which included signal support, all the radios, and tactical radios. It was really before cybersecurity was even a thing. And so, it was more called information assurance. And it was the stuff that nobody else wanted to do. So, when you are new in the military, you tend to get everything handed to you, and it kind of rolls downhill; it is the stuff that nobody else wants to do. So, that is how I got into cybersecurity, because it was just the stuff nobody else wanted to do at the time in the early 90s.
And so, I was lucky. I got to do every job I ever wanted to do in the military. I supported overseas assignments in the Middle East, in the special operations community. It was a lot of fun. And, of course, NATO and Europe, I lived in Europe as a senior scientist there. And then, when I retired from the Pentagon headquarters Marine Corps CIO office in 2016, I was like, man, I have to really grow up now and go get a real job. I have had so much fun, and I am not sure this is legal.
So, I continued supporting the Department of Defense (DOD), the Department of Energy, and other aspects of industry as a contractor and consultant, in critical infrastructure and in the cybersecurity space. So, that is my journey. Milestones for me: I think I was rudderless before I joined the military. I liked computers. My first computer was a Commodore 64, and in the 80s, I would skip lunch and recess, sneak into the library, and play with BASIC programming. And then, I would stay home from school and be "sick," so that I could sit at home and play with the Commodore 64, right?
Sobol: Yes.
Corcoran: So, I think I had an early interest in those sorts of things. And I was a bit rudderless in the military. Really, I say it was generally a positive career decision. When I look back, I'm always thankful to have been surrounded by great leadership and mentors. And I always seem to fall into these situations where I am around great people and great mentors who always prepared me for the next step, navigating high-pressure and high-stakes scenarios. So, the defense industry forced me to get out of my comfort zone with new assignments every couple of years. So, you are constantly being challenged in continuous professional development with these changes, and there is just not an opportunity to become stagnant. And I was always engaged in some complex information technology initiatives. Just, you know, you get all these new things, bleeding edge, cutting edge, things that the military does, and you must just jump in and roll up your sleeves. That was a cool aspect of getting to where I am today.
So, healthcare and cybersecurity have been interesting to me because I consider it as important as anything else I have dealt with. And it is because it directly affects human life, right?
Sobol: Right.
Corcoran: So, impacts to the medical operations industry have a geometric ripple effect on society. And I think patients need to trust and have reasonable assurance that healthcare technology is going to keep their data safe and private. And at the same time, physicians need to know data is reliable, secure, and resilient.
Sobol: Indeed, that's excellent. I think those of us who have been in the health care space for a while know that when it comes to cybersecurity and what we deal with day in and day out it is always at the forefront and top of mind for everyone. Especially now as healthcare continues to get hammered and given everything that has transpired over the past several years. It seems like we have very few choices on how to respond to some of these things.
And so, if you would not mind, share your perspective with the listening audience, because it does come out of defense, and it was not originally born in healthcare. So, your perspective around cybersecurity strategy: what do our listeners need to be paying attention to? What are some of the things that they could learn from your experience and knowledge from the Department of Defense standpoint, and what should they be looking for?
Corcoran: I think network defense in general is a very important conversation. And I think many CIOs are awake at night over network defense.
Sobol: Indeed.
Corcoran: And my philosophy is proactive network defense versus reactive network defense. And so, reactive network defense is unfortunately the cycle that many organizations are caught in today. Active defense starts with a little bit of an intellectual shift. So, what it really comes down to is making it so cost prohibitive for the malicious actor that it causes them diminishing returns.
And we do that by always giving these attackers a bigger problem to solve as often as we can. And then when that occurs, they will move off you and they will find a softer target. And so, as our client, I always want to know who is interested in you and why. I want to know how the attacker sees you. And the value that our clients get from that is being able to effectively and efficiently defend yourself with a threat intelligence that has context to you.
So, a lot of general threat intelligence information today is not really that good because organizations need to know where they rank in the pecking order of attractiveness to malicious actors.
Sobol: Interesting.
Corcoran: You must be able to provide context to that threat and then draw a line to where you can adapt it into your defense strategy. Reactive network defense focuses on fortifications, boundaries, and looking at what is attacking as it hits the boundary. So, in a sense, network defenders are like someone sitting in a dark room: every noise they hear is a threat, and then they react. And that is not only expensive, but it's also exhausting, and it just might not be enough. So, we need to have an informed defense with context.
I do a proactive defense. I do not do a reactive defense because in a sense, what we are doing when we do active defense is we are pushing the boundary beyond the current firewall. And we are looking at this from a global perspective because attackers are coming at us from a global perspective. So, defense has to start at a global level.
Sobol: Yeah, that is a good point. And certainly, a different mindset. And when you have that different mindset, it impacts strategy on how you approach it. So, you mentioned these malicious or bad actors, and I do think that sometimes there's some misconceptions about these individuals, right?
They are kids in some third world country with a computer looking to make a couple of bucks. But we just do not pay a lot of attention to the ones we are trying to defend against. And so, I think you raise a good point.
So, if you would not mind giving our audience a little bit of perspective about, who are those bad or malicious actors? And what should they be thinking about in the context of, in essence, first, from a defense standpoint, right? Understanding your enemy and then being able to effectively make a strategy.
Corcoran: Yeah, first, I do agree. I think there are some harmful stereotypes about hackers. People tend to think it is a disgruntled loner. For example, someone sitting in their parents' basement eating Cheetos. Maybe in some cases, that is the truth. But I think there's a bigger force at play here, or I know there's a bigger force at play here. And these are sophisticated, well-funded criminal enterprises behind this $1 billion ransomware industry. And for 2023, it was $1 billion. It is mind boggling to me. We must understand what we are dealing with if we want to beat and defeat them.
These criminal enterprises are converting cryptocurrency into multiple other currencies, laundering and moving money around the globe with expert, like cartel expert sophistication. So, these are real criminal enterprises, and they are motivated. They are highly competent with sophisticated cyber operations and incredible resources. More resources than any individual healthcare organization can defeat alone.
And so, our threat intelligence team has spent an extraordinary amount of time understanding the adversary from their techniques, tactics, and procedures, including their attack process, how they conduct reconnaissance on and profile a target. We know the key indicators of when an organization is being actively reconnoitered. So, to beat them, the strategy and mindset needs to shift to an active defense strategy that is going to synchronize these cyber operations against specific actionable threat intelligence and maximize the full effectiveness in synchronizing the right elements.
Secondly, a fundamental shift is needed from this hyper focus of administration in GRC to an organized common operational picture that integrates everything into a concerted operational view to defend against this persistent, sophisticated, competent criminal enterprise, right?
Sobol: Wow. You paint a daunting picture for organizations. Certainly, there are larger entities and organizations that have the resources to go up against organizations like this. But as you mentioned, not every hospital or health system has that ability or has those resources. And so, to start heading down this path and not be seen as one of those soft and easy targets, where does an organization start? So many of the hospitals that we work with do not have a CISO in place, right? Their CIO wears all those hats. Is there something that they should be looking at and potentially looking at it from a partnership standpoint to help them fill those gaps? So, I guess, the question is, it's an overwhelming and a daunting proposition. Where should they start?
Corcoran: We tend to think that the more money we pour into these networks, the better it will be, and that is not always the case. I have seen giant cybersecurity budgets with much less secure networks and small cybersecurity budgets with more effective and secure networks because it comes down to the external understanding of the threat landscape and then being able to synchronize internal capabilities. And that is critical and doing that efficiently and often requires training and education. So, don't get me wrong, people are highly skilled, and they are essential to cybersecurity, and they are in there doing their very best. But the problem is that we seem to be working for tools instead of the tools working for us.
And there are more capabilities today than there have ever been, but there is also more alert and audit fatigue and an inability to leverage the full capacity of tools over the lack of synchronization, more so than there has ever been. And so, I would caveat to all that by saying, none of this is easy to do.
Sobol: Right.
Corcoran: There is a complexity of technology and emerging threats that is geometric year over year. But it's a dynamic problem that requires dynamic thinking beyond the basic blocking and tackling of network operations that has been occurring.
And so, I would say it is the only time in history where the defense is weaker than the offense and more resources have been put into the defense than the offense. And so, part of what we do in our CISO advisory services is help the CIOs to build cyber defense strategy that implements core competencies in a meaningful and measurable way. Again, this is not easy stuff. We are dealing with the next level. And so, we have got to catch up to the next level.
Sobol: You make a great point. You paint a better picture, right? So, even if the resources are not necessarily there, I think you are bringing up a great point in and around the strategy. So, those bad actors and malicious actors are out there with a strategy. Yes, they are well-funded, but they are being strategic about who they are going after and how they choose to go after them. And to your point, our industry has typically said, OK, well, I need firewalls and I need these defender tools. And if I put those in, that's the best I can do. But they are not taking that next step forward to say, well, who would be interested? And why would they be interested? And what can we do as an organization to make us a lot less interesting to those organizations.
So, I think that is a great point and I think it is a little bit unique in how we have traditionally looked at things over time. And so, I know that not everyone has your background in all this stuff. And if they don't have the background, if they don't have the capacity, where do health systems or hospitals turn to kind of help fill that void for them and get them down that right path?
Corcoran: Yeah, I think, you know, if a CIO wants a more robust cybersecurity program, if they just contact us, we will have a great conversation with them. I am always willing to chat with anybody and that's free, of course. I'll talk to anyone for free, but I think there are three areas that are important to look at.
And one is the threat intelligence, understanding the threat surface down to the DNA level, and being able to look externally without any internal insights. Then contextualize that external landscape and look for ways to prioritize and leverage the resources within, in a more impactful way. And so, we can do that with clients, but they could attempt to try to do that themselves as well.
The second thing, I think, is that they are up against digital transformation, as organizations are looking at modernizing, moving to the cloud, and bringing in new tech like AI. We have been able to bring great value with some transition criteria and best practices. We want to reduce any unintended consequences. And so, every time a transition occurs, there are increased vulnerabilities, and the organization's risk profile changes. And I think that goes unaccounted for a lot of times.
And lastly, we can look at compliance and regulatory baselines, do assessments and gap assessments. But those are the three areas that I think are key for CIOs to look at. And we certainly focus on those three areas in supporting our clients. We do a lot more things obviously, but those are the three things that we seem to be getting the most business in these days with all the changes.
Sobol: Well, it is definitely an area that is top of mind for everyone. It is understood that it is a need, all the way up through the board of directors. But sometimes I think even the translation from the technical aspect to people sitting on the board that may or may not understand any of that stuff. Yeah, I think there is some help there too, around making sure that all those key stakeholders inside of the organization understand and then are working from the same page to come up with a better solution, a better approach to this going forward. I think one of the other things that is top of mind for everyone, because you can't escape it at this point, is this whole concept of AI. Everyone's talking about it, particularly in healthcare. How do you see AI impacting cybersecurity, in the near term and then far term and what should CIOs be paying attention to there?
Corcoran: Well, AI is starting to come up in every conversation with our clients these days. And you are right, we cannot escape it. It is everywhere. And yeah, I mean, it is exciting with all the new advances in technology. AI has made some incredible advances in expanding the effectiveness of primary care providers, streamlining access to care, and it's helping to reduce burnout, which is very important. I think it's also important to really embrace these changes, because I think they are good for everyone. But the biggest risk to organizations with AI is that very few people understand how the technology works. And so, there are always two critical components to consider.
One being the data that it ingests and analyzes. And then two, what are the operational protocols? Is it internal or external? What does the QC and maintenance process look like? Is it talking back to a foreign country or taking data samples? And are those going back to a foreign country? This is important because, as we in cybersecurity, we always try to balance the equities of the operational needs against things like data quality, privacy, security, and ethics. And so, as we are trying to balance all those equities, we do not want to have a denial of service internally because our policies are so strict that no one can do anything. But we want to make sure we are protecting those important things we are charged with. And I think in cyber advisory work, we are shaping and enabling our clients' success by giving them the understanding of those pitfalls and critical pieces to ensure their environments are secured, prepared, and built to handle the privacy and security challenges that are going to be inherent to AI. And in fact, we have offered some of these AI packages to clients that highlight all the critical need-to-knows about AI, implementation, policies, and best practices. And that is the kind of product we have been helping clients with that is really tailored to meet operational needs.
Sobol: Oh, excellent. And certainly, a lot of things for us to be mindful of and paying attention to. And, heck, there is no doubt that at some point, even those bad actors are going to be using AI to tell them which are the right targets to go after. More to come on that end.
Corcoran: Yeah, I think it has already started. And to be honest, we have all these out of the box tools that they are leveraging, like ransomware as a service. And coupled with AI, maybe it is that kid in the basement of his parents' house eating Cheetos that's now going to be able to do that. I mean, they have increased the effectiveness of what they can do with these technologies as much as we have.
Sobol: Indeed, it is a never-ending race for us in that regard. And it does not just fall on the CISO, it does not just fall on the CIO, right? We all know that cyber security is all our responsibilities as employees and across the health system, etc. So, especially considering what we have talked about, what advice would you have for leaders as they look to keep the rest of the folks inside of the organization trained on the cybersecurity do's and don'ts?
Corcoran: Yeah, the cybersecurity workforce is near and dear to my heart coming from the military. We grew up with a lot of focus on mentoring, leadership, and shaping the next generation of cybersecurity professionals. And I believe leadership is critical to shaping the next generation of professionals. And one of the reasons I actually resonated with CereCore was, of course, the culture, the leadership, and the remarkable retention rates, which for an IT organization are a very key indicator, because retention starts with great leadership. People don't quit their job, they quit their boss, and the numbers do not lie.
So, understanding that, and as for leaders, flexibility and thinking outside the box is important when we are dealing with highly technical people. So, as an example, early in my career as a young leader, I inherited a group of people, and they were supposed to be on task at 7:00 in the morning and not leave until 5:00 p.m. at night. And when I inherited this team, the morale and productivity were so low, and the absentee rates were super, super high. And I started talking to people and trying to understand what was going on here. And I just finally, one day, I got a lot of flack from my peer leadership group on this, but I did it anyway, and I told my team, work when you want and work how you want within these constraints. These are the tasks that need to be done. These are the deliverables, and these are the due dates. And people came to work when they had a good idea and at, like, crazy hours. This resulted in something I never imagined would happen, but I had employees coming in at midnight because they could not sleep because they had a good idea, working until 7:00 a.m. in the morning, accomplishing more than they would in a normal week. And others came in at 2:00 p.m. and left at 2:00 a.m. And when you let people who are passionate about what they do work when they want and how they want, they will exceed your expectations every time.
So, our productivity and quality went through the roof. Our team just completely blew away the 40-hour work week. I do not know how many hours, probably 60 or 70, because they were not being constrained by industrial-age mindsets about punching a clock. And so, when morale improves and we are having fun and working hard, we accomplish a lot. And so, cybersecurity never sleeps. So, my mindset was, I do not care when you come to work, because the threat is ever persistent. And so, when you lead highly technical teams, you must think outside the box and be flexible. Now, I understand this is an extreme case, and yeah, in a world where we have business things that must occur on a normal workday, then I understand, you just cannot have people coming in at 2:00 a.m. and things like that. However, just a mindset of flexibility within your environment's constraints could help with retention. And that is a big problem in cybersecurity and IT. And then I think the last thing I would say about cybersecurity in terms of training, if people want to enter the cybersecurity workforce and expand their careers, the thing that has always helped me is to be curious, because it is changing so fast. You must always be curious, always be looking at what is new and interesting. And just be excited to learn it, otherwise you will be stagnant.
Sobol: Indeed, I think those are certainly great points. Ultimately, if you head down that path from a career standpoint, you must have that passion. And then you have got to have that freedom to expound upon that passion. And part of the role is to also educate the rest of the organization that does not carry a security moniker in their title, right? So, whether nurses, physicians, or whoever's on there, they must truly understand the why. The why is important to understand the ramifications and why the organization is asking them to do the things they are doing from a diligence standpoint. Asking why, ultimately results to having diligent employees stop and say, oh boy, that email looks kind of funky, should I click on it or not, right?
At the end of the day, if you click on it, that could have implications for our ability to deliver care. It just comes down to what you mentioned previously about, how you have got to build passion. You build passion then you can foster that creative spirit, effectively communicate through the whole organization, understand the why, and remember why we are all in healthcare. We all get that mission driven aspect of it. And when you understand that, wait a minute, the why directly impacts our ability to deliver against that, then I think we will all be in a good spot. So, that is excellent.
Corcoran: Yeah, in the non-technical positions, such as nurses, the adversary is constantly, never stopping with their campaign of trying to get in. And they only have to be right once. We have to be right 100% of the time. And so, our campaign, information, user groups, and organizations must be as constant as theirs.
Sobol: That's right.
Corcoran: And we are never going to be able to meet them, always where they are. And then we are never going to be able to stop with that messaging and the constant education.
Sobol: Indeed. Well, Darcy, we always like to wrap up these podcasts with just kind of an open call for you to share any additional insights, words of wisdom around the topics that we have been talking about today that we might have touched on, or if we have touched on what we need to, just maybe summarize for folks what should be top of mind for them.
Corcoran: I would like to quote Sun Tzu, “tactics without a strategy assures you will always have another battle to fight.”
And that is relevant to what we do in cybersecurity. As a leader, it is important to give your organization a clear strategic vision, allow them and empower them to build a plan that aligns with that strategy, and defend that strategy. This ensures the strategy, network strategy, network defense strategy, and the vision align with the daily needs. All these things require a clear strategic vision from the top down. The staff must be empowered to execute that vision, and the leaders must empower them.
Sobol: Indeed. That is spot on. And certainly, we are grateful to have you as part of the organization. You are already adding tremendous value to our clients. And we look forward to seeing what is yet to come there. Because as you mentioned, this is not going away. The impact is going to be with us forever, unfortunately.
Cybersecurity is something that we need to be mindful of, have a strategy for, regardless of the size of the organization, regardless of whether you are a critical access hospital in the middle of Kansas, or a large IDN with facilities across multiple states. Everyone is a target now and everyone must have a plan.
So, Darcy, thank you. I really appreciate you taking the time with us today and we look forward to perhaps having another one of these soon.
Corcoran: Yeah, thanks. I enjoyed being here and you are very welcome anytime.
Sobol: Excellent. Thank you.