The CyberPHIx Roundup: Industry News & Trends, 2/11/22

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:03] Good day, and welcome to the CyberPHIx Health Care Security roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our resource center on MeditologyServices.com, which includes our CyberPHIx interviews with leading health care security, privacy, and compliance leaders, along with blogs, webinars, articles, and lots of other educational material. Got some great updates today; quite a bit to get through, so let's dive into it. 

Brian Selfridge: [00:00:33] The Department of Health and Human Services, or HHS, recently published insightful lessons learned document that chronicles a large-scale, huge-scale ransomware attack on the Health Service Executive, or HSE, of Ireland. The HSE is Ireland's publicly funded health care system, consisting of over 54 public hospitals directly under the HSE authority and voluntary hospitals which utilize the national IT infrastructure. You might be thinking, why is the U.S. HHS analyzing in Ireland based health system attack? Well, it turns out that the attack mirrors many of the ransomware attacks that we've seen here in the states and provides ample lessons learned for the potential impacts to health care delivery organizations that are common across all health care providers, wherever they may reside. So I'm going to spend quite a little bit of time on this story because a lot of work was put in by HHS to distill the message into key takeaways that I hope can benefit your organization and the health care industry as a whole without actually having to live through one of these events yourself. Hopefully, you haven't yet, but if you have, I'm sorry. If you haven't, take heed of these lessons. 

Brian Selfridge: [00:01:35] So on May 14, 2021, last year, HSE suffered a major ransomware cyberattack that caused all of its IT systems nationwide to be shut down. Yikes. It became the most significant cyberattack on an Irish state agency, as well as the largest known attack against a health service computer system in history. That is not an understatement, occurring or not an overstatement anyway. So it occurred during the COVID 19 pandemic. It took four months to resolve. I'll go through the timeline with you a little bit in a moment. With just massive, massive downstream impacts that you might expect from this, we're going to dig into it in some more detail. So the ransomware flavor used in the attack was the Conti ransomware, which is a follow-on ransomware malware type to the Ryuk ransomware, which you may recall was one of the malware attacks of choice for the Russian and Eastern European criminal gangs. Over the last year or two, if you remember those big advisories that the FBI put out toward the end of 2020 and to 2021 were all about the Ryuk ransomware that was targeting health care specifically. If you don't remember that then go look up our resource center and check out the history of all that. 

Brian Selfridge: [00:02:46] So HHS provided all kinds of stats in this report they put out on the ransomware itself, which is consistent with the bulletins and materials that we've published before. So, you know, go to Meditology Services dot com. If you search for ransomware, you find webinars we delivered on this podcast, CyberPHIx, podcasts on it, blogs around the Ryuk ransomware in particular. So if you want to know what this thing is and how it works, that's a good place to go. So the impacts from the ransomware event for this monster health system included a hospital staff being forced to revert to pen and paper. Not surprising there and also not fun, kind of painful 80 percent eight zero percent of the HSE I.T. environment was encrypted by the ransomware, severely disrupting the health care services throughout the country. It prevented access to diagnostics and medical records that expose the private information of thousands who received COVID 19 vaccines, and they exfiltrated the bad guys. Exfiltrated 700 gigabytes of unencrypted data, including protected health information, PHI, and then specialists tracked stolen HSE data to a commercial server in the United States. And there were lawsuits from patients over interrupting patient care and substantial financial cost and burden to the organization and the Irish entity as a result, as you might expect. So in terms of the timeline, I mentioned, I would sort of go through that a little bit. 

Brian Selfridge: [00:04:11] The attackers first gained access to an end-user workstation on March 18th. 2021. They waited then a couple of months with March late in two months. They waited until May 7th to launch their attack. They spent about a week poking around the environments, actually exactly a week, seven days before dropping the actual Conti ransomware on May 14th, seven days later, and thereafter. Almost immediately thereafter, 80 percent of the environment became encrypted in the coming hours and days. Decryption keys were obtained one week later on May 21. So you see how fast this stuff moves, right? One week in one week to launch the attack, one leak to, I suppose they paid. It didn't say how they got the decryption keys, but I'm suspecting there was a payment involved. So one week later, 20 May, 21, they got the keys. And but the recovery of systems was not completed until four months later in September 2021. So, you know, the attack moved pretty quickly there. The ability to sort of getting to decryption moved relatively quickly, although I'm sure those were very painful two weeks. But the impact was felt for four months until they really got things cleaned up. So. So what did they learn? Some of the key findings from the HHS report included that HSE did not have a single responsible owner for cybersecurity. 

Brian Selfridge: [00:05:33] Senior or executive management level at the time of the incident, so no CISO or equivalent. That is a that is asking for trouble. As we all know, there was no dedicated committee that provided direction or oversight to cybersecurity and the activities required to reduce the organization's cyber risk exposure. So that's another double whammy. This sort of starts from, you know, rots from the top, so to speak, you know, no, no security leader, no committee, no visibility. These are all just bad places to start. There were known weaknesses and gaps in key cybersecurity controls, including, you know, specific vulnerabilities as any program has, honestly. But I'm sure there was plenty of identified missing patches and stuff by the IT folks and the lack of a cybersecurity forum in the HSE hindered the discussion and documentation of the more granular cyber risks. It sounds like they got kind of buried or run over, as well as the ability to identify and deliver mitigating controls. The HSE also did not have a centralized cybersecurity function that managed cybersecurity risk and control. So again, you've got fifty-four hospitals plus a bunch of other sorts of smaller hospitals, outpatient stuff. Nobody's sort of coordinating that across. Maybe if even if you were fortunate enough to have some smart and talented people running at an individual hospital and sort of on top of some in cybersecurity stuff, it sounds like it was really difficult for them to roll that up in a meaningful way to get the support they needed to build the program. 

Brian Selfridge: [00:06:58] And it was a known issue that the teams with cybersecurity responsibilities were under-resourced, so that is something that had been percolating and had been reported. But again, this is this to me, that everything there is sort of seems like a failure of leadership in a lot of ways. So some other findings the HSEs technology had grown organically and consequently became what they say, overly complex. But I sort of I chuckle at that because what health care provider isn't overly complex from an I.T. footprint perspective and application perspective? I don't I don't know that you can sort of getting in front of that and reduce the complexity, necessarily as any health system is going to grow organically. But anyway, they noted it as a finding that they were complex and that made it harder, which increased the vulnerability of HSE to cyberattacks, right? Larger footprint work like it's the same thing we all deal with, right? So I don't, I don't kind of blame. I don't really blame them for that part of it other than to say you then have to recognize you're a complex organization and do something about it. So the HSE had a large and unclear security boundary that encompassed many of the organizations connected to Ireland Ireland's National Health Care Network. 

Brian Selfridge: [00:08:07] So that's more of like the IT sort of backbone if you will. The HSE's effective security boundary did not align with its ability to mandate cybersecurity controls, they say, and there's no effective security monitoring capability that could detect, investigate, or respond to security incidents across the HSE IT environment. Their antivirus tool was over-relied upon to detect and prevent threats on endpoints. So, you know, that's almost like a very legacy mindset, right? Like we have, we have antivirus. We're good, right? It's going to pick it up and it's going, knock it out. We don't need a team. We don't need to report this like that is that's probably 20 - 30-year-old thinking. In my view, I don't mean to beat up on the organization. It's not our point here. But if any of these aspects that you're seeing here might sort of feel familiar to your organization anyway, I think that's really the intent here is just to say, Hey, this is a problem. So the IoT environment itself had high-risk gaps relating to twenty-five out of twenty-eight cybersecurity controls that are most, at least by the report, most effective at detecting and preventing human-operated ransomware attacks. The HSE organization did not have a documented cyber incident response plan and had not performed typical preparatory activities like tabletop exercises to prepare for this. 

Brian Selfridge: [00:09:23] So again, that's another one that may be some listeners here might be in that boat. If you haven't, maybe you do tabletop exercises for incident response. Hopefully, you do. Maybe you haven't done one on ransomware. Maybe you should. Maybe you should update your ransomware plan, and we'll talk about some more recommendations in a minute. But I think those are definitely key contributing factors here now. The cyberattack was not actively identified or contained prior to the ransomware execution, despite the attacker performing what they say, noisy and stealthy actions so that that week that they were in there poking around, it sounds like they weren't very cautious about it. And they were just clunking, knocking things over, being noisy, making a mess almost like when you get a pen test or something. A lot of times your pen testers will be noisy on purpose just to say, Hey, you ought to find this. It sounds like they didn't. The HSEs antivirus tool identified a commonly used tool bad malware tool by ransomware groups called Cobalt Strike on six servers on May 20, May 7, 2021, and several more servers in the following days. But the alerts of the antivirus that had picked up those sort of handful of incidents. Were not escalated or addressed, they just sort of the tool picked him up and nobody did anything about it. So I think that's another really important one that, you know, there's a sort of kill chain to this, right? Like if you can identify one machine, it's like whack a mole. 

Brian Selfridge: [00:10:45] If you can go and knock it out and get that addressed and put the bad guy out of there out of their work, initially, they're likely to get spooked and move on. But if you're just if they're poking around and they're adding in one machine to Machine five, machine seven machines, and nobody's doing anything that's sort of their clue to go full in and say, OK, this organization's not paying attention and we can really go big. In which case they did. Two organizations, they say, successfully acted on detections of the attacker preventing the deployment of ransomware within their organizational units. But that's two out of how many. And then the HSE, with the help of third parties, mobilized a response to the ransomware attack and overcame many of the significant challenges the ransomware attack presented. Drawing on their experience responding to crises including COVID 19. So I think that's indicative of health care organizations in general. We are really good firefighters when it comes down to it because you're constantly having it systems go down or deal with other sort of emergencies. And while that's a good skill set to have, it can also become an over-relied upon skillset to say, Well, we'll just figure it out when the ransomware hits. And obviously, the pain that we're coming covering here and the impact on the organization is not worth going through. 

Brian Selfridge: [00:11:57] And there's a lot that could have been done to reduce the likelihood and impact of this happening. But it's good to see that we're good firefighters as best they could. The HSE was reliant on third parties in the early weeks of the incident to provide structure to the response activities, and that's pretty typical. You're going to bring in a group that's going to help you, you know, a forensics group and those to figure out what's going on and get organized. And that's not, by the way, that's not cheap. When you get into it, that becomes a pretty expensive endeavor. But they did say time was lost during the response due to a lack of pre-planning for high-impact technology events. So that goes back to the tabletops and those types of things that they were figuring out all on the fly the first time, and that is just not a situation you want to be in. So the HSE spent a significant amount of time during the response gathering information about applications, and this information was not recorded, not up to date. So classic sort of inventory out of date. Nobody knows what the most important systems are or no central application register. Or, you know, I imagine we can all identify with that to some extent. You know, it sounds like they didn't have anything. Sure, most health systems have an imperfect and incomplete inventory, but that's no reason to give up on continuing to try to get that as accurate as you can so that you can deal with events like this in a more structured way. 

Brian Selfridge: [00:13:15] There was a heavy reliance on specific individuals during the response, and that is also pretty typical, but that's a problem. But they say this likely contributed to a recovery timeline that was longer than could have been achieved. And that's that whole four months that they spent post decryption key actually getting things back up. And that's where the real financial cost, I think lays in that you go weeks and months and things start to add up quickly. The response initially prioritize the recovery of foundational systems and applications on the operators of Essential Services list before advancing to an approach that focused on clinical risks and the recovery of ending clinical services, they say. In HHS says there was they said there's a lack of clearly defined and delineated decision-making authority between the HSE, the hospitals, and the different entities that sort of manage the whole shop here in the midst of the crisis. The OCIO, which is, they didn't define that for me, I guess it's the office of the chief information officer will guess was not able to provide or source through third party capacity the scale of the IoT support required by the hospitals during the response to get them back up in place. 

Brian Selfridge: [00:14:29] So that's a big part of it. A lot of times we'll say, OK, your cybersecurity team is there, you've got a plan, here's what we're going to do. But if you don't have the ability to bring in staff augmentation resources and it folks to the SWAT team, if you will, to come in and help clean things up, then you're always going to have this limiting time factor of recovery. So the incident response provider identified evidence of how the attacker was able to gain unauthorized access to the environment and subsequent activities. So their forensics firm did a good job and came in and was quickly able to figure out what's going on now. The impact of the ransomware on the IT environment was reported by the HSEs management that led to that 80 percent encryption of the environment, which is just staggering. And there also the impact on communications were severe as the HSE almost exclusively used on-premises email systems, including Microsoft Exchange, that also became encrypted. So gosh, I can't even imagine the ability of trying to do enterprise-wide communication without your email system so that hampered them quite a bit. I'm sure that's an understatement. The HSE took action to contain the ransomware attack by powering down systems and disconnecting things from the internet. I've been I've lived through some malware incidents like that where you're. 

Brian Selfridge: [00:15:43] That's really the last thing you want to have to resort to is the sort of the air gap of systems and literally pulling Ethernet plugs out of the wall, which I've I've seen that happen before, and it's effective to an extent, but of that sort of containment. But then your recovery becomes that much harder when everything becomes offline. So they say it's unclear how much data would have been lost if a decryption key had not become available without the decryption key. It's unknown how long it would have taken to recover systems from backups, but it would likely be taken considerably longer, and that makes sense to me. The HSE, they say, missed opportunities for efficiencies in the recovery of systems and applications due to their lack of preparedness. So they closed this whole report and we spent a lot of time on it. But I just think there's so much, you know, the insight here. They close with, some areas to make sure you focus on for your own program. So governance and cybersecurity leadership. So I'll claim that as make sure you have a CISO, a good, solid team underneath that, especially for an organization of this size. But even a single hospital system should have some version of that, as well as steering committees that roll up one or more steering committees that roll up to leadership so they know what's going on. They also recommend making sure having an understanding of technology and the dependence that's necessary dependency is necessary on the IT side to get things back up and running and what type of resources you have. 

Brian Selfridge: [00:17:02] Cybersecurity strategy and leadership, they mentioned. We sort of just talked about that a bit. They mentioned not having, you know, ransomware-specific assessments. So get a risk assessment done that is specific to ransomware. Have your tabletops done that are specific to ransomware. It sounds like that might be, you know, overkill to focus on one issue, but let's face it, ransomware this year. What else should you be focusing on, if not if you haven't spent energy around specific playbooks and instant response playbooks and assessments on ransomware? Pen test based on ransomware, you're falling behind very quickly and at risk of a lot of this stuff. They also recommend, as you might expect, testing the cybersecurity capability through simulated attacks, tabletops, and then having specific incident response and crisis management plans related to ransomware, as well as business continuity planning and its disaster recovery for ransomware scenarios specifically. So all of that sounds pretty straightforward, right? But I guarantee you there are many, many organizations, health systems in the U.S. that are not doing all of those things. They may be doing some of them or they may be doing a lite version of some of them, but it's time to get her act together on this stuff. All right. So let's move on from this one because we got some other areas to cover today. 

Brian Selfridge: [00:18:14] So in other news, the same Department of Health and Human Services Health Sector Cybersecurity Coordination Center that published the Ireland Lessons Learned document we just talked about also released a publication this week about the Log4J vulnerabilities in the health care sector. For those unfamiliar with Log4J, check out our prior podcast episodes where we covered in detail. But basically, it's a massive vulnerability in open-source Apache software logging utility that impacts thousands of applications that support health care and other industries. So that's sort of it in a nutshell. The HHS report goes into detail about the Log4J vulnerability and the timeline of attacks, which have remained steady since the initial exposure of the vulnerability in December of this past year. The United States is also listed as having forty-three percent of the targeted exploits for the vulnerability, which is by far the highest country across the board, followed by the Netherlands at twenty-one percent of the attacks. Foreign attackers are believed to be exploiting the vulnerability including China via their well-known attack groups of hafnium and aquatic panda. Iran also has the vulnerability in hand and using it to deploy ransomware, and Turkey and North Korea have also been active, heavily active in leveraging the Log4J vulnerabilities. So everybody's jumping on the bandwagon. It's a nice open door into many organizations, so they are walking through it kindly. 

Brian Selfridge: [00:19:40] The Conti ransomware group also cybercriminals that we, we have seen earlier in that that Ireland attack are also using the exploit, so they've not hung up their hats. Is that the right term? They haven't given up. They're still there's still a full-scale business and leveraging this new exploit to gain that initial entry. There are several mitigation steps published by HHS on the bLog4J. Issue. I won't cover them all here, but the key principles are basically disable the Log4J Library if you have it in use. Disabled Jnd lookups or disabled remote codebases, disconnect affected syntax, isolate vulnerable systems and deploy a web application firewall and last but not least, patch, please to the latest versions of Log4J if you are going to keep it in use in your environments and then they didn't get into this. But I would add you need to do some third-party vendor risk management surveying and analysis of which of your third parties have any of these exposures from log forge and make sure you have a handle on that as well. 

Brian Selfridge: [00:20:45] Ok, so we have established that the cybercriminals are busy and having some well-documented quote-unquote successes, but it's not all money in glory for our ransomware actors out there, lest you think that we are entirely losing the battle. The infamous Russian-based ransomware gang, known as REvil, saw some big arrests of their team and seizure of assets this past week. 

Brian Selfridge: [00:21:07] Russian Federal Security Service, or FSB, said that it identified and shut down the entire REvil criminal enterprise can by conducting raids at twenty-five different locations. As a result of the raids, Russian authorities seized over four hundred twenty-six million rubles, or six hundred thousand dollars cash, along with cryptocurrency wallets, computers, and 20 luxury cars whose surprised by that right. It seems like in every report we do here, there are luxury cars are taken. Isn't that sad? Fourteen individuals were implicated in the ransomware gang's crimes, though it's unclear how many arrests were made in total. Russia hasn't exactly said. However, a senior White House official did say that one of the individuals arrested was responsible for the Colonial Pipeline incident that caused gas shortages and all kinds of mayhem. You know, last year, if you recall that one. The Russian FSB also said that the raids came at the request of the U.S. government after the White House had passed along a list of hackers within Russia's borders that have attacked U.S. organizations. So for those that have been following the CyberPHIx podcast here over the last year or two, you've been up to speed on the pressure and diplomacy that President Biden and the White House have been placing on Russia following this supply chain and ransomware attacks. I'll admit that I did maintain a degree of skepticism about the efficacy of diplomacy in these particular cases, although I thought and said at the time that it was the right thing to do regardless like we've got to put pressure on anywhere we can. 

Brian Selfridge: [00:22:39] Well, it looks like it's working, at least to some degree. The takedown of the entire operation is a great sign of the potential, I think, for us to collaborate with other nations to thwart cybercrime, even from nations that may be attacking us and have differences on other cyber fronts like Russia in this case. You know, it's very complicated. But any dent that we can put into the cybercriminal networks in business models, I think, is a success and a win. And this takedown of REvil is absolutely a success by any measure to be celebrated by us all as we continue to defend health care organizations and patients against these types of destructive attacks. So it sounds like we fed Russia with the intel. Here are your guys. Here's who attacked us. Here's where they are. Go get them. They went and got them. And so that's a win for everybody. 

Brian Selfridge: [00:23:23] In other news, this week, Excellus Health Plan, its affiliate and its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) reached a settlement to resolve a class-action lawsuit that was filed in relation to a cyber attack from 2015. So the Office for Civil Rights (OCR) launched an investigation into the data breach and uncovered several violations of the HIPAA Security Rule including security failures and permission, impermissible disclosures of fee of nine point three million individuals. The case was settled in January of 2021, and Excellus agreed to pay a $5.1 million penalty. If you remember that, we covered it at the time. Now this class action lawsuit is, I think many of you may be aware, you know, are sort of in addition to any OCR civil monetary penalties. And that's why we keep talking about them so much because they can be so painful. But the Excel's defendants and the Blue Cross Blue Shield Association agreed to cover reasonable attorneys fees, costs, and expenses approved by the courts as part of this class action, and the costs include a maximum of three-point three million dollars to cover attorney's fees and reimbursements and no more than a million dollars. But also they issued service awards of up to seven thousand five hundred dollars per individual that will be provided to class representatives and people that were impacted by this. So that's pretty significant. I don't know what that adds up to. They haven't didn't say, I imagine it's expensive. So they said changes will be made to business practices as part of the settlement of safeguarding fee, which will cover three years from the finalization of the settlement and two years after each of the changes has been implemented. 

Brian Selfridge: [00:25:04] So that's kind of consistent with what OCR does to do a three-year sort of post-action settlement review. This class action is going to have something similar, but then this two-year tale after that is kind of new. So that will be, you know, likely increased oversight for the next five to 10 years. I would think, as this plays out if I'm thinking about it practically, the information security requirements detailed in the settlement require Excelsis defendants in the Blue Cross Blue Shield Association to increase and maintain a minimum information security budget, develop a strategy and engage vendors to ensure records containing high or disposed of within one year of the original retention period take steps to improve the security of its networks, including the use of. Tools for detecting suspicious activity, authenticating users, responding to and containing security incidents, and document retention. They have to engage in extensive data archiving program and provide the plaintiffs with documentation about that project archiving project. They need to provide the plaintiffs with copies of documents provided to OCR that demonstrate compliance with the OCR Settlement and Corrective Action Plan over time. And then finally, they need to make an annual declaration attesting to compliance with each aspect of the items in the settlement, including the extent to which it has been not been possible to comply with any of the items. So that's going to be a very painful and expensive degree of oversight driven by the courts and by class actions in addition to the OCR pieces. So that's all you need to know about that one. 

Brian Selfridge: [00:26:30] Moving on to more updates, the security firm Kaspersky released a report that warns that technology is supporting telehealth have been placed have placed health care data at risk. The data and their reporting show that telehealth adoption has increased 38 percent since the pandemic began in 2020, which is great and a lot of ways in the way we're able to deliver care remotely. But Kaspersky hypothesized that the rapid digitalization of medical services and the trove of sensitive and valuable patient information collected, stored, and transmitted by these new telehealth technologies has not gone unnoticed by cybercriminals who they say are looking to exploit vulnerabilities as we all know they are. The report highlights increased activity for cybercriminals targeting telehealth applications and systems, so I think it's time to double down on those investments and third-party vendor risk management supply chain risk management programs for your organizations, including the prioritization of telehealth vendors and platforms. If you aren't already doing that, let's move on to a couple of other quick updates from the federal government here, including activities by the Department of Homeland Security and NIST. Dhs has followed through on some of the provisions set forth in President Biden's executive orders on supply chain risk recently. Specifically, DHS has officially established a cybersecurity review board to review and assess significant cybersecurity events so that both the public and private sector can improve their overall cybersecurity posture. 

Brian Selfridge: [00:28:00] The board is comprised of 15 of the nation's top cybersecurity leaders, and their first task is no surprise to dig further into the Log4J exposure that we talked about earlier, and I'm very eager to see the output from this board over time as we look to get better at it as an industry at responding to these type of attacks and hopefully preventing them to some extent. If the stuff coming out of HHS and DHS over the last couple of months and weeks is any indication, I'm very, very hopeful that these initiatives are going to give us a lot of intel and data that's going to help us get more visibility into the attacks and prevention mechanisms. 

Brian Selfridge: [00:28:36] The National Institute for Standards and Technology also released some updates this week, including the publication of their popular NIST 800-53 Rev 5 standard in formats that can be more readily consumed by automated security tools and platforms. This is a contrast to prior releases that were essentially big PDF documents. If you've ever worked with NIST 800-53, the new formats that have been released include CSV, comma-separated values used predominantly in Excel or other types of tools, plain text, as well as programming languages like open security controls, assessment language, or OSCAL and enriched XML format JSON, and YAML. I could pronounce them all, but I'm going to get them wrong. So I'm just giving you the letters. So lots of formats really help incorporate those standards into automated tools, which is awesome. And then NIST. 

Brian Selfridge: [00:29:30] Also, while we're talking about NIST, NIST also launched a new international cybersecurity and Privacy Resources website that provides an overview and links to NIST Internal Resources, which includes NIST International Cybersecurity Privacy Resources site, the NIST Privacy Framework. If you haven't dealt with that and this National Initiative for Cybersecurity Education Framework or NICE is the acronym for that one, so many thanks to NIST for continuing to carry the torch forward and provide updates for the industry, and we need all the help we can get. 

Brian Selfridge: [00:30:00] There's so much more I would love to cover with you all. There's just so much exciting stuff going on, but fortunately, it's going to have to wait until the next episode since we are running short on time here. 

Brian Selfridge: [00:30:10] So alas, that's all for this session of the CyberPHIx Health Care Security roundup. I hope this information has been informative for you. We'd love to hear from you if you want to talk about any of this. Just reach out to us at [email protected] Services.com. So that's all for this week and so long, and thank you for everything you do to keep our health care systems and organizations safe.