Nicholas Schopperth – Dayton Children’s Hospital
Having spent over a decade in cybersecurity, Nicholas Schopperth has pretty much seen it all. But when one hacker went after the direct deposit information of his colleague at Dayton Children’s Hospital, the mild-mannered Air Force veteran got mad.
“I don’t like when people bully my people,” Schopperth says. “So, I called the bank, because we had the [attacker’s] routing number, and told them, ‘Hey, this account is being used fraudulently. What are you going to do?’”
The bank punted, telling him the card in question was a prepaid debit card and he’d have to call another number. But Schopperth persisted; he called the second number and told them the same thing. The person who answered listened, then told Schopperth the company had marked the account as fraudulent, launched an internal investigation and stopped accepting deposits or withdrawals from it.
“I kind of call that a personal win,” he says. “But they’re like hydras, right? You cut off one head, and two more sprout.”
Schopperth would certainly know. As chief information security officer at the Ohio kids’ hospital, he’s encountered everything from run-of-the-mill phishing attempts to realistic invoices with altered bank information designed to snatch a six-figure payout. In fact, by his fourth day on the job, he was dealing with an active campaign against the hospital. His team managed to neutralize it “pretty quickly,” he says.
But who would target a hospital caring for sick children? State-sponsored hackers from Iran, China or Russia, for one—last year, the Federal Bureau of Investigation said it had thwarted an Iranian attack on Boston Children’s Hospital which threatened to disrupt the care of its roughly 400 patients.
The cyberattacks Schopperth has seen most often at Dayton Children’s involve phishing attempts going after money. But they are part of a rising wave of attacks targeting healthcare organizations.
According to a report released earlier this year by Check Point Research, healthcare companies saw an 86 percent increase in cyberattacks per company last year compared with 2021. And healthcare is now America’s second most-targeted sector for cyberattacks.
Keeping the hospital in working “Ordr”
“Cyber is a team sport,” Schopperth likes to point out. And while he can’t say enough laudatory things about his small but nimble team, by that he also means that his team needs the help of other departments at the hospital to be successful.
“We work with pretty much every other team within Dayton Children’s,” he says. “We can’t do our jobs without input from everybody else. While we might have the permissions and the access to do those things, we need assistance from other teams to help us with the actions.”
To that end, Schopperth and his team run monthly internal phishing drills using a product called KnowBe4. It allows them to set up legitimate-looking email addresses and emails sprinkled with indicators that the recipient is not receiving an authentic email. KnowBe4 gauges the success of the drill based on how many people click a button that says, “Report as phishing.”
The team also monitors hospital equipment to make sure it stays in peak form using Ordr, an Internet of Medical Things discovery software platform. Ordr uses data flows coming across the wire to identify pieces of medical equipment that are communicating on the network. It can identify what each device physically looks like, so when Schopperth and his team open the program on their computers, they can search for a device and see a picture of what they should be looking for.
“If my team were seeing some bad traffic going from some sort of pump, they could look at Ordr, and see what it looks like, and start walking around looking for those specific devices, rather than going from computer to computer checking for an IP address or anything like that,” Schopperth says.
Greeting the “dmarcians”
However, the most recent weapon Schopperth added to his arsenal is DMARC, an anti-spoofing and brand management protection protocol which makes sure malicious actors can’t send emails pretending to be someone at Dayton Children’s. By this summer, Schopperth expects to have the @childrensdayton.org domain fully protected.
Implementing DMARC is free, but Schopperth and his team have also partnered with a company called dmarcian to help them navigate the nuances of the protocol and make sure it’s working correctly. And that required Schopperth to obtain funding for the partnership, which is a four-month project expected to wrap in September.
“We’ve been having weekly calls starting maybe three weeks ago with one of their staff, who is walking us through how to approach getting ourselves to the point where those [spoofed] messages will be blocked,” Schopperth told Toggle in June. “Because it’s not just on our email servers; those protocols talk to each other, and they’re widespread.”
Dayton Children’s also works with outside marketing agencies that are authorized to send emails on its behalf. Right now, those arrive with a red banner that says the message is from outside the network and to exercise caution. Schopperth says once they’ve fully implemented DMARC, those messages will be flagged as legitimate and will arrive without the warning banner. That will provide reassurance to internal users and likely increase efficiency, he adds.
A winning team
A former “enlisted guy” who earned his B.A. and master’s degrees from Bellevue University, Schopperth says his drive to learn is ultimately what carried him to where he is today.
He spent the first 13 years of his military career doing systems administration. Then, in 2013, after the Air Force stood up an entire career field in cybersecurity, he jumped at that opportunity. Schopperth worked on a defensive cyberspace operations team for about five years, then landed in Ohio teaching professional continuing education courses in cyber operations and planning.
“When I started job searching, I did not want to be in charge of anybody, I did not want to supervise anybody, I did not want to be the chief of anything; I just wanted to be the one banging on the keyboard and doing the work,” Schopperth laughs. “But when I started doing some technical interviews, I realized that I was very much out of practice, and I should probably lean more towards my leadership skills.”
So, he applied for the CISO job at Dayton Children’s in 2022 and counts himself lucky to have gotten it. At the hospital, he has a team he doesn’t want to leave and an assignment—protecting sick children and the people treating them—that’s worth fighting for.
“I really do like my job,” Schopperth says. “And fortunately, I have a wonderful team that is very responsive and smart and able to handle all these things.”
View this feature in the Summer I 2023 Edition here.