Okay, if everyone's ready to go, we'll get started with the next talk. The next talk is by Mitchell Parker. Mitch is the Executive Director of Information Security and Compliance at Indiana University Health. I had to read that before I got it all wrong. Whether it's the safety of a ventilator, all the way through to credit cards in the cafeteria, Mitch is responsible for the safety and security of all those different elements. His areas of interest include security, governance, regulatory compliance and all those boring things, but actually he has regulatory compliance over everything to do with the hospital and the university's issuance with them. He specialises in solving security problems in healthcare and all the legacy systems that are involved with that. He's spoken at a number of different security forums and events, and we're absolutely delighted to have him here today. With no further ado, I'll hand over to Mitch. Thanks very much.

Thank you very, very much. Are you okay? Okay, so first of all, I'm very happy to be here. I've spoken at a number of information security and healthcare conferences. First DEF CON, hope it's definitely not the last, and thank you all so much for coming. So, the purpose of what we're going to talk about is replacing that constant stream of fear, uncertainty and doubt that is usually what people consider healthcare information security. A lot of organizations, I mean realistically, they scare the crap out of people for the sole purpose of trying to push security, which doesn't exactly work very well. So that's the number one reason we're here. We want to replace that with actionable intelligence. Number two, we're going to talk about implementing it. My rule about these PowerPoint slides, and I do these slides for these presentations, is you take them, you download them, you print them out, you do whatever, put them in your office and you read from them.
I don't design these presentations to look good. I design them so you, the audience, can get something out of them, something you can take back to your office or place of work the next time you need to look at them. That's the goal. So we're going to talk about implementing that. And of course, number three, profits. So why am I here? I'm here because I want to tell people how to deal with the organizational structure of healthcare organizations, and how it's like a series of unstructured kingdoms operating as a loose confederation under one ruler. So you'll see it is not by coincidence that I have a map of the Prussian city-states right here, for a very, very good reason: because that's what most healthcare organizations are like. Of course this changes at budget time, and of course you've got to have the obligatory XKCD reference. So how are healthcare... what do you say? Cool. How are these organizations designed? They're designed to operate separately and disjointed. So think of it this way: your departments are kingdoms, your doctors are the rulers. And the medical staffs in every hospital, in my case I've got 17 different hospitals, they're all separate. Everyone gets their own budgets. And what's even more interesting, and a lot of people don't realize this, the individual physician groups in healthcare organizations can actually contract and enter into business with other healthcare organizations. I'll give you an example. At my last job, I was the CISO at the University Health System for eight years, and I had a neurosurgery department that was under contract with approximately seven other different hospitals. They were a profit center like no other. But you never realize it until you actually get in there and you realize, oh hey, these guys are actually contracting for services at other organizations. And IT is considered a cost center, and of course all these organizations get their own vendors, because they all follow the golden rule, i.e. he who owns the gold makes the rules.
And usually finance and support services like IT are considered drains on profit, innovation and productivity. Well, we're going to change some of that today. So again, brutal truth: these organizations are not used to centralizing anything, let alone the IT team telling them how to operate. They don't work on good communication or organization, and if anything you're dealing with a series of small businesses all working together, even with different tax ID numbers. The Balkanization is crazy. So I do a lot of collaboration work with CIOs in the business, and one of my favorite things is sitting there a couple months ago having a conversation, with one of them going, so tell me what you know. How does your privacy program actually work for patients? You know you have that same Kardashian issue, you have 50 people looking at some record that shouldn't be. Could you tell me what they were doing? And this is one of the most famous ones. So the Balkanization goes all the way up to the top in a lot of cases, and it's very, very common, unfortunately. So another fact you're going to take into consideration with healthcare is that they adopted technology early and couldn't get out from under their decisions. So you go into any large health organization, you will find a huge amount of legacy applications and data that they run their business off of. You will find everything from mainframes to Windows XP; heck, you will find those in some places. And my favorite example: pagers and faxes. The one type of organization that has an incredible usage of them is healthcare, because they can't find anything better to interchange data, so they use pagers and faxes. And the departments and businesses want to remain fiercely independent. There's two reasons behind that. Number one, when a lot of organizations try and centralize, they do so and they say, oh yeah, we're going to centralize, but it's going to cost you X number of thousands of dollars.
Best example I can give: I have an organization that I was working with that was trying to standardize security cameras. And the central organization said, oh no, if you want to do this it's going to be $12,500. To which your average small department said, $12,500 for security cameras? No, I'm going to buy my own for $10,000 less, I'm going to run them, and you're not going to be involved. And I can tell you that this Balkanization and this fierce independence, because of the high cost of centralization, has actually directly led to ransomware attacks. I was at a conference several years ago and I had another CIO from a healthcare organization come right out and say, oh yeah, this organization didn't want to pay for backups, so we paid the ransomware to get their data back because it cost less than the backups. True story, happened with 200-plus people in the room, and kind of a shocker. And healthcare is also risk averse, which means they purposely inhibit change. And if something is perceived as affecting workflow or efficiency, it never gets done. And you will get meeting'd to death in healthcare. I'm giving two examples of actual projects that I've worked on, that I've been the sponsor for, and these are the things I had to do. I am not going to kid you: I had two leadership meetings of 45 minutes to put in patient privacy monitoring. And so, four executives; I think that took about three months. Four executives, then going to at least 25 leaders throughout the state of Indiana and 10 regions. And for two-factor authentication, at least 10 different meetings, most of the time with the same executives in several different meetings, and sign-off from multiple people. And even though a lot of the medical staff already had Duo, still getting it in place took that many meetings. And realistically a lot of organizations are jumping on the enterprise risk bandwagon. And what they're doing is, if you don't do the risks exactly the way that enterprise risk does, they won't even pay attention.
And I've had C-suite people tell me that to my face. So, another big factor. Most people can't tell me what HIPAA is or what it means or what it does. They really don't understand it; they don't understand what the Privacy and Security Rules are. All they hear is HIPAA and run. And you have significant fear, uncertainty and doubt because no one really knows what HIPAA is. And especially when someone gets let go because they violated the HIPAA Security Rule or Privacy Rule by looking at someone's medical records. Which happens a lot more than you think. They just don't publicize it like they did with Jussie Smollett. And very few people understand it, and I'm going to tell you, most of the people that actually understand HIPAA realistically are lawyers. And lack of knowledge of HIPAA we actually consider to be one of the biggest stumbling blocks inhibiting better healthcare. We put this in place to empower patients, and it's at the point where it is so unknown and it scares so many people that we inhibit innovation that would help patients. So another thing we talk about is vendor fraud. So there's a lot of organizations and companies out there that will be glad to tell you that you have a problem, and that you're going to get fined five million dollars by the Office for Civil Rights if you don't buy their software. I'm not kidding you. I was in one meeting several years ago, this company said, here's your breach calculator. Here, look at this spreadsheet, how many patients you got, and for this breach OCR is going to fine you this amount of money. And I'm not kidding you, even down to the New Jersey accents. I kind of noped out of there and was kind of happy I didn't end up in that swampland next to MetLife Stadium. So I mean, really, vendor fraud: these people scare them. There's one vendor in particular I'm not going to name whose sales pitch is, if you don't take a meeting with us, we're going to call your board and tell them you're not serious about privacy and security.
I have evidence, I have it in writing. I'm not naming the company. So people that do buy that software, they get a false sense of security. So, in the words of one of the greatest comedians ever, Chris Rock: sit out. We have to take a look at some other complicating factors as well. Very few people have had the chance to actually understand what security is, because people have not sat down with them and done risk assessments. They're considered... they scare the crap out of people. I'll be very serious. I did my first risk assessment, and I literally had to calm people down to tell them I'm not going to fire you, I just want to know what's going on. I'll give you something else relevant. I had a room full of executives I was talking about the risk assessment with. I actually had a director raise their hand in this meeting, this is in front of 30 executives, and say to me, do you want me to say that this is answered centrally, or do you want me to write down the truth? That should tell you enough. This is a person that has been in IT over 30 years and has run IT for a pretty good hospital. That tells you what we're dealing with in healthcare. So let's get to business. Let's get to business. Let's start talking. Now that you have a picture of how this really works, let's talk about what we can do here. You can't effectively have good security without help. So how do you do it? How do you build it? You build an OSINT and recon program in your own organization. And because realistically you need to be doing a better job than the rest of your information systems department. They only have to be concerned about keeping things up and running. You've got to be concerned about reducing risk and mitigating risk. So here's six different ways that I consider my customers to be targets. Phishing is always a good one. Business email compromise and targeted social engineering attacks. You have no idea how good they are until you've seen some of them.
They're getting to the point now of hacking small businesses that organizations do business with, getting in, inserting themselves into conversations and making such targeted, convincing emails that they fool senior finance executives. That is a major challenge that I have. Malware has always been a big one. Curious onlookers: if you thought they only go after Kim Kardashian when it comes to medical records, you're wrong. They take a look at everybody. I can tell you numerous cases over the past 20 years where people have just been curious. They've looked at these records, and that's a serious violation of privacy, and it really hurts people when you do it. And of course you've got ransomware, and my favorite new one, robocalls. I have never seen such an effective denial of service attack. And those of you who know my organization know that a couple years ago somebody sent out a few hundred thousand of them with the switchboard number of one of our hospitals. Good DDoS attack on our main switchboard for a while; made national news. So that brings us to corporate communications. I'll give a little background about that. Corporations do not handle communications well. And they don't handle communications about security well either. First of all, a lot of companies have a concern about liability. They're concerned, they don't want to be liable for issuing recommendations about what people do in their personal lives or with their personal devices. Just a fact of life; I've had this told to me numerous times by other organizations. There's also a very big concern about divisive social issues. So the three I listed here: MeToo, which came from our corporate communications department; Gamergate and social media, those are huge ones. They don't want to talk about them because most organizations don't want to take a stance, because they don't want to deal with the drama. And when you have an organization... most of these health organizations, they're huge.
And when you have to deal with some of these issues, unfortunately you just have a challenge, because drama can blow up really quickly in a small population or a large one. And you have to make sure you align your messaging with your corporate values, which is something I didn't really appreciate well until I started working with communications regularly and doing this. And also there's always that one use case that goes counter to what you talk about. And someone, when they talk about it, will just hammer that use case continually. Perfect example I can give: I ran a Windows 7 upgrade project a number of years ago at a job. And one of the things I remember when I ran that project, I had somebody in the meeting, every meeting without fail. We're talking about upgrading 10,000 machines. One person goes, well, I have this machine with a scanner on it. What about my machine with a scanner? It got so annoying I just kicked the person out of the meeting. But imagine dealing with that; you will have that happen all the time. And what happens is, unfortunately, some people, because they're passive-aggressive, will use that to try and divert from the main issue. And they'll try and use it to attack you as well. And it also takes a long time to navigate large companies. So what's the first major step? Know your structure. One unique thing about healthcare is the leadership churn at the top is constant. Because one of the unspoken rules is, to become a healthcare executive you have to change jobs. You have to change organizations. I have only ever worked with one CIO that's been more than 10 years as a CIO in healthcare. Literally, to get promoted or get a better job or level up, you have to change organizations. So what happens is you have an executive class, I consider executive class director and up, that changes jobs every few years, and the amount of churn you have is crazy. So I'll give a perfect example. Last job, we changed CIOs in January 2012.
The last direct report to the previous CIO changed in 2016, when I left the organization. So in five years you have 100% leadership turnover in the IT organization. So that's what you're dealing with. You go into clinical areas, it's worse. And the deal is, that's not because they don't like each other. They love each other. They're all friends. Many talk and are friends with their peers in other institutions. And you don't usually become an executive without knowing somebody. So what this leads to is that powerful disconnect between the SLT and everyone else, no matter what organization you work for. So that leads us to the other part of structure: the people who actually know what they're doing. So that's the group that has been with the organization the longest and has the most history. So usually I consider that managers on down; they've been there for years, they've stuck around. And realistically most people don't work their way up from line employee to executive; they just don't. But they're the ones you want to be best friends with, because they know what's going on. So you have to account for that. When you're dealing with implementing security programs, there's that powerful disconnect between the executive leadership and the team members that you have to account for. And you expect there to be good communication; there really isn't. There's a lack of knowledge on why things happen. There's a loss of organizational history between your management staff and the executives. And there's a lack of trust because, again, these people haven't been in your organization. They're not as well known. And governance is kind of difficult when you have to do that. So that brings us to risk assessments. So, a big thing in healthcare, and again I'm sorry if the audience is rolling their eyes, is the risk assessment process. They're required by the government once a year to complete a risk assessment.
So usually when those are done, they involve directors and executives with little input from the managers. And what usually happens is, to get them done, they want to get the best possible answers. So what they will do is they will actually go and hand-pick people that are going to fill out the risk assessment. They don't actually voluntarily ask people; they pick them. I've been in those meetings. I've even heard the delusion that someone has to take that role. So, some more basics, past structure: know your business, interview everyone you can possibly speak to. And the truth is, with active listening, people are actually going to tell you what's going on. You're going to hear more about computer security problems in your organization than you ever thought possible. You're going to hear about the big workarounds to the system you never knew were there. You're not going to hear everything unless you talk to the right people. And you also gotta understand their needs and understand their concerns. So the goal of what you have to do in building a cyber program is to get people to talk to you. There's only two little things I do. My apologies if I'm not being super technical here. I practice active listening and I follow up. I had PCI issues resolved, and these are actually pretty serious types of glitches. I'm not going to go into details and weaknesses in the environment, but I had the customer start talking about things in my personal life that I had to deal with, and parents. We got the issue resolved very quickly, and I drove two hours out there too.
So your credibility in these organizations is basically the ability to do those two things, because if you don't do this, that's what leaves you being perceived as what we call an outsider. And if you keep doing this, people are going to keep feeding you information on what's really going on in the organization. And if you don't, you're going to have the issue where people are going to, well, perceive that the organization does not care about them. And what happens is that's the opposite of a virtuous cycle, where they don't tell you and you continue to have a lot of these issues. So, another truth here; let's talk a little about risk assessments. They don't capture much. Here's why. There is a perception with a lot of people in upper management that when you have to do a risk assessment, they consider it a knock on their ability to manage. They consider it showing their weaknesses. These people don't like being considered weak. And there are CIOs out there that will purposely hide bad risk assessment results. So I'll give a perfect example of this. I ran the change management program at a job. The CIO didn't want it known that we didn't have a good one. And he purposely hid that fact from other executives so he wouldn't be perceived as being anything less than perfect. So to give you an example of how bad this guy was, he would literally sit there, and his idea of employee coaching was, if you don't do 100%, don't do it. We have to be seen as always being worse. So a couple of years later, after he left the organization, I was having dinner with a very, very senior person from a big firm. And the first words out of this guy's mouth about this situation were, Bob fucking knew. Bob being the late Bob Luxe, former chief financial officer of the organization I worked for. So I made it my mission to resolve that issue in particular. But again, you will see this happen, and you will see it happen with security issues a lot.
And a lot of the reason why people don't have security issues going to the board is because the executives that are responsible for those areas see it as a knock against them, or them being less than 100%. So, quite frankly, they hide them. So that also goes down to the management level. There's a lot of managers who aren't telling their directors that. There are managers that want to look good to get promoted. So, human nature, they hide these issues. Truth is, and this is again 11 years of being a CISO talking: people think they're hiding these issues. We know they are. And we can smell BS a mile away no matter how you think you're doing it. There's a little thing about OSINT I didn't put in that slide deck. Make friends with everybody, because they'll tell you the real story. And one of the reasons I do that is to sniff out BS when people try and hide security issues or risk issues. And I consider human nature to be security's worst enemy because of that. And people do whatever they can to look good, to say there's no risk, because realistically they think they're going to get penalized. And they think they're going to get fired. They get scared. And they want to get promoted. So you have a lot of people who don't want to get promoted. Human nature works against us. And this is what happens. So who do you make friends with? I am very happy to see a number of people wearing BOFH t-shirts today. Simon Travaglia got it right with the BOFH, the Bastard Operator From Hell. Make friends with the cleaning staff, facilities and security. I'm very serious, especially with the cleaning staff. They've actually been a great help to me, especially when I want to find out who's been putting stuff in the not-secure trash. And the PC techs: you want to find out what else is going on in your organization, make friends with the people that actually service the PCs.
I actually had two major cases of security issues come up because the PC techs called me up and said, hey Mitch, thanks for coming over last week. We took a look at this. Something doesn't look right. Can you look into it? What ended up happening is we found a couple of major security issues because of that. Also, you should know the actual application administrators. Not the ones that the directors say to go to, but the ones that actually do the work. They'll tell you a lot of things. And of course, another big tip I give: make sure you know every administrative assistant in your organization. There will be a time when you discover something and you need to get your hands on the right people, and you need to get a meeting with an executive. You're not going to get that going to your boss. You're going to get that by being friends with the C-suite's AAs. Of course it was awkward when I was doing something with our security training program. I got a one-on-one with my boss's boss, and as I was waiting to meet with my boss's boss, my boss walked out of his one-on-one with him. A little bit awkward, but that's what we had to deal with. And also, if you're in the healthcare provider space, nursing runs the organization. I don't care what the C-suite says. Nursing runs the organization. I'm going to give a real-life example of this. I had an issue about, oh I don't know, six years ago; we had a major event go on. It wasn't security related. They had to put the emergency room in a major academic health center on divert, which meant they wouldn't accept patients from the ambulances. So the person that made that call was the chief nursing officer. Not the CEO sitting there. Not the other members of the executive suite. No. The CNO made the call. And the call center staff, again, always your best friends, because they're the ones that call people when things have to get done. So they have all the good contact information. You need to get someone's phone number? They have it.
A lot of, most of the hospitals out there run a call system. It's called American Messaging, which has all sorts of hidden fields when you look at a person, with all the numbers that, quite frankly, they don't want the public knowing or other team members knowing. Make friends and you get those phone numbers. So another big tip I always tell people: be your own public relations firm. Why? Because no one knows who you are if you don't advertise. And you need to get out there to go to conferences. You need to do webinars and you need to publish articles. And we're going to talk about the real reason why in a few minutes. And your customers will read them and they will follow you on social media. Sometimes you will have people coming up to you in the cafeteria talking about your Twitter feed, too. And you need to constantly do this for outreach. Otherwise, if you don't do this, no one's going to know who you are. And I know, look, I'm a natural introvert. Most other people in security... you have a lot of introverted people in the field. But if no one knows who you are, other people will fill the void. And this is why. Senior leadership, the people that make the decisions, listen to the Big Four, they listen to the major analyst firms, or their peers, before they will listen to their own teams. I am very serious about this. And I can tell you a number of times when people say, oh, call so-and-so first. Oh, what did so-and-so say? Replace so-and-so with a very large analyst firm based in Florida, and you'll get the picture. And you get a lot of meetings. And unfortunately I had a lot of them: the "I met this person at a CIO or IT executive conference who can solve all our problems" meetings. I.e. the people selling snake oil that wear the slick suits. This is how they work. Because they exploit the gap where leadership, because quite frankly the executive suite moves around too much, doesn't trust their own teams.
They fill the void, they know what they're doing; it's social engineering at its finest. So you've got to fill that void and you've got to be delivering a message at the conferences. Because it gets around. They listen when you publish, they listen when you give citations. And we're talking about places like this, places like Black Hat and places like HIMSS. Not at some vendor trade rag. And quite frankly there's enough of them. And they also listen when you work with the standards bodies. So if you do work with IEEE, you do work with UL, NIST or ISO, they're actually going to listen to you and you're going to be considered more credible. And I've had this discussion about credibility with the C-suite. They're big about this. So you've also got to be your own publisher. Why? Because the perception of security comes from major analyst firms, the Big Four, or scary ads from vendors. And there's a very good reason why every time you go to an airport you see advertisements for computer security companies. Because that's where the executives are who make decisions. The only airport I have been to that was not completely peppered in computer security ads was King County Airport in Wisconsin. Why? Because 80% of people that go to that airport are there to visit the biggest electronic medical record vendor in the country, Epic. And so the reason why this isn't good: these people that are telling the executives what to do, they don't have boots on the ground, they don't get it, they don't go to places like this. They do a lot of talking about emerging technology without actually understanding what it really means. Or, as I like to refer to that: blockchain. And also the "we could have prevented that" and other lies. So you've got to publish, you've got to be out there to get the word out to your customers directly and also to your senior leadership. Because, I'm going to tell you, a perfect example I always give with that is blockchain.
The reason why: they put out this technology that has significant risks. If you know what you're doing, you can do some BGP hijacking or DNS hijacking and completely screw up someone's day. The blockchain problem is most organizations repeated a mantra, literally, that came out of some analyst document that said, oh, this improves security. Yeah, but how? It really didn't improve security. But you have this big hype cycle, and the next thing you know, everyone's talking about it being secure when it really isn't. So that's the perfect example of what happens. So get the word out to your customers, get on a good thread and tell them this. If you're in higher ed and you're not working with an ISAC, you should be. If you're in healthcare and you're not a member of an ISAC, you should be. Get the word out to your friends. And we also want to avoid that circumstance, that march towards another high-priced solution that does nothing. If I wanted one of those, I'd be somewhere else. So, and there's also a lot of issues, and you have to be a good educator as well. Even the CIOs don't know what to do. This is an actual quote from a CIO that he said to the senior leadership team three years ago, in front of 30 of his peers, at seven thirty in the morning because his boss loved that 70-hour-a-week stuff. He goes, what do I need to do? Okay, Mitch, I know I need to be secure. What do I need to do? The problem is I've got people telling me buy this product when it's something else. So what you do: take everything you know, take your intelligence, take the open source intelligence, do your recon, follow up with your customers to make sure they understand. Follow up with your boss to make sure they understand. Be their guide, be their friend. Because intelligence is nothing without action. It's not considered to be intelligence if it isn't. So what are our goals today?
What I talked about is taking the analysis out there and adapting it for the people in your organisation. That's going to be something other than PowerPoint fodder. Replace the constant stream of fear, uncertainty and doubt that usually defines healthcare information security, sorry, but it's the truth, with real knowledge. Not what the buzzwords are, and not what someone wants to sell or scare your senior leadership team with. And I've got to admit there's some people out there saying some scary things, and I'm going to say this: most of the security vendors I deal with, most of the ones that do business or are trying to do business with me, lie. So I remember a quote from an old director of supply chain I worked with years ago. Her first words to me were, vendors lie. I mean, that's pretty much the security space in healthcare. That's what we see, and this is what we have to combat by following what we've learned today. So what are your end goals? Recon. You get people feeding you information. You get the team calling you. It's not about uptime. It's not about your service desk response time. It's about, okay, someone told me something; now I have to do something about it. That's where you want to be, because you have that issue of a lot of people hiding problems and hiding risks and not telling you about them. So what you do with this at the end game, by using these techniques, is you reduce risk and do what's important. Not, look, this is still up to senior management, to make them look good, because realistically that's what we do. So how do you follow up? I'll leave the slide up here for everybody and I'll be available. Follow me or DM me on Twitter. Connect with me on LinkedIn. Here's my real email address and here's my blog on CSO Online, where I post things every month, and I've got some good feedback from our leadership on it, and of course the obligatory SpongeBob. So I'll put this back here and I can take some questions from the audience right now.
Anyone have any questions? Yes. I don't consider it narc-y. I'll be very clear: I don't consider what I do or my team does narc-y. I consider it actually helping people out. I'm not here to discipline people. I'm not here to be the police. I'm here to resolve risk and address issues and help my customers do their jobs, and I believe anyone that uses that mindset of fear, uncertainty and doubt is perpetuating the situation, making it actually worse. I get in there. My customers are my world to me, and I want to see them helped out, doing their jobs and being successful. And I'm not saying this from a business book; I'm saying this because I really do feel that way. And also, that whole narc thing: if you get caught doing it, you lose all your credibility with your customers. Yes?

Question from the audience: About having distilled versions of the truth to aid the organization to see the correct path forward. Is there any proper position for a straight version of the truth versus a pseudo kind of distilled version, which has a connotation of manipulation, to say "I want to nudge you this way to the good thing", but sometimes the hard version of the truth is, at least, to accept and say "we're in a bad way, but we know we're in a bad way and we can get better"?
I usually use my risk assessments for that. So I do a comprehensive risk assessment every year, and the way I look at a risk assessment, mine ends up being about a 150-page document with lots of paragraphs, lots of commentary in there, and scoring that actually reflects how bad it really is. I've actually had executives call my risk assessments brutal. And you have to make sure the risk assessment, which is the base of everything you do in healthcare for information security, is the unvarnished, as-ugly-as-possible version of the truth, because what ends up happening is you take the results from that, you distill them for senior leadership, you distill them for everyone else. That's when you do the nudging: on your risk management plan. Does that answer your question? Any other questions from the audience here? Yes.

You really put me there on that one. I'm going to have to say the most clever was a business email compromise that I saw, and it was actually a few years ago, where they took advantage of the fact that the other organization I was working with didn't have SPF, and were making very convincing ways of spoofing information, almost down to the level of the headers, so that it looked really, really real, to the point where it actually got up to the corporate treasurer, who basically called bullshit on it and said, "I don't think this is right." Also, I had an almost successful ransomware attack three years ago, where the CFO of a hospital got a forged PDF that contained ransomware, that was from an actual vendor of his, that referenced actual orders, and had he double-clicked on it, I would have been in a bad way and so would he. But that ransomware attack was so convincing and real that it actually looked like a real vendor invoice, and it literally had real invoice data in it. That seems the most clever. Any other questions? Thank you very much.
