Healthcare Cybersecurity Rock Stars: CISO Highlight Reel

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Meditology Services hosts the healthcare industry's leading podcast, The CyberPHIx, and has produced over 85 episodes to date. We have had the pleasure and honor of conversing with many of the nation’s leaders in healthcare cybersecurity, privacy, and compliance.

Join us for this main stage event where we hear from over 20 CISOs and cybersecurity rock stars from the nation's premier healthcare organizations on some of the toughest challenges we face as an industry. Listen in as we hear practical guidance and seasoned insights from CISOs in their own words, as they guide us through their thought process and lessons learned.

This special CyberPHIx episode features a curated collection of highlights as we hear directly from the following industry leaders:

This session covers the gamut of major cybersecurity and risk trends for healthcare including:

Grab your leather jacket and dial your headphones' volume up to ‘11’ - you won’t want to miss the opportunity to listen in to this many security rock stars in a single session.

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:10] Welcome to The CyberPHIx, your audio resource for cybersecurity, privacy risk and compliance for the healthcare industry. I'm your host, Brian Selfridge. We have a very special edition today of the podcast, where we get to hear from over 20 healthcare cybersecurity rock stars, including CISOs, risk management officers, CTOs, privacy officers and more from the nation's premier healthcare organizations. We'll get to hear practical guidance and seasoned insights from CISOs in their own words as they guide us through the thought process and lessons learned.

Brian Selfridge: [00:00:40] The CyberPHIx podcast has been running for over three years now, if you can believe it, and we've produced over 85 episodes. I can't wait to share these highlights with you, so let's dive right into it, shall we? We have just an amazing set of leaders and organizations represented here in our discussion. We're going to hear from HCA Healthcare, one of the largest health systems in the country, if not the largest; Molina Healthcare; Sentara; Geisinger; premier health systems in the country. We're also going to hear from some business associates, some vendors servicing the healthcare industry, that have a unique and important perspective on a lot of the topics that we'll cover today. We're going to talk to a pediatric health system.

Brian Selfridge: [00:01:26] We're going to talk to some technology organizations that support healthcare. So you can see the variety of organizations that we've been able to pull together here, which will hopefully give you that 360 degree view of the challenges that we face and some of the recommendations. The topics that we plan to cover today are pretty ambitious, right? We're going to cover a lot. A typical discussion like this would be on one or two topics at most, but we're going to cover seven topics of interest, and these are things that we hear from our client base that they want to know more about and want to hear a variety of perspectives on. So they're going to be things focused around HIPAA compliance and the more regulatory side of things. We've obviously got to talk about the big risk areas like third party vendor risk and ransomware; they're just dominating right now. But we're also going to spend some time hearing from leaders about some of the more pragmatic aspects of being a security leader and reporting up through the business and engaging with the business in a meaningful way, how that's evolved, and some best practices. And then some more technical aspects like your cloud security approaches, medical devices and IoT, and how to acquire and obtain these.

Brian Selfridge: [00:02:40] We will discuss healthcare cybersecurity certifications, like HITRUST, SOC 2 and those types of attestations. So I cannot wait to have you stop listening to me and start hearing from these amazing leaders that we have in place for the session today. So let's dive into it.

Brian Selfridge: [00:02:56] The first topic we're going to cover today is HIPAA compliance and risk management. We sampled perspectives from very large healthcare providers all the way across to health information exchanges, or HIEs, and business associates, and those types of organizations, to get a sense of how compliance and risk management are handled and perceived in their organizations. The first security leader we're going to hear from today is Britton Burton from HCA. We asked Britton about techniques that work or don't work when you're trying to figure out how to check the HIPAA boxes, and other compliance obligations for that matter, while still making sure your program is focused on effectively managing enterprise risk. So let's hear from Britton directly on that point.

Britton Burton (HCA): [00:03:36] Yeah, I think the short answer to that is to spend time doing the detailed legwork that it takes to tie every control standard, every actual control implementation in your environment, to the authoritative sources that are driving that control. You know, this is not simple, not quick, it's not glamorous work. But the more you can make that just a foundational piece of your program through your controls framework, the easier it becomes to report on compliance requirements, and you can still focus on the big picture of: we care about risk at the end of the day. Not compliance? Well, of course we care about compliance, but our main focus is risk. But as we have all this mapping inherent to "we do this control, and performing this well is mitigating this threat and its ability," if we know that that control exists because it's tied to a HIPAA requirement or a PCI requirement or whatever it is, it's just a lot easier to report on that. Again, that's difficult work. You don't just snap your fingers and you've got it, but that's in the wheelhouse of GRC platforms, right? So how do you leverage those tools to try to make that reporting as seamless and as quick as possible, but still have it be a part of your bigger picture risk framework, making risk visible to your leadership? I think you can have it both ways. You just got to build the foundation, and that can take a very long time.

Brian Selfridge: [00:05:07] So that's one way to spin it: focus your program on a controls based model that can scale to organizations as large as HCA and drive that consistency and compliance across the organization. And I would argue you don't need to be as large as HCA for that model to make sense. If you have more than one hospital, or even a variety of outpatient facilities or multiple business units, I think this approach and that concept make a whole lot of sense. Next, we're going to hear another perspective from Stoddard Manikin from Children's Healthcare of Atlanta, who looks at compliance through the lens of patient safety and operational impacts.

Stoddard Manikin (Children's Healthcare of Atlanta): [00:05:41] We've got the HIPAA security rule and a privacy rule, and one of the key phrases in that statute is what's reasonable and appropriate. And when you have a cybersecurity incident, you have got to take reasonable and appropriate steps to address it. Any organization can be compliant without being secure, and we can't confuse those two things. There is no regulation out there that if you comply with it, you will be one hundred percent secure. That includes the credit card standards for PCI. It includes HIPAA for healthcare and many other industries. So we, as security professionals, need to take that balanced approach of saying yes, we want to be compliant, of course, but we're not doing a security program as a box checking exercise. I do think that now is the time where we need to reconsider the controls based, compliance based approach to security that healthcare typically has taken and move much more towards a threat and risk based security approach. So from that perspective, I'm absolutely worried about medical devices as a patient safety issue, but typically a single medical device being compromised will impact one or a few patients, whereas a ransomware incident can affect all of your patients in one way or another.

Stoddard Manikin (Children's Healthcare of Atlanta): [00:07:01] So I think that as an industry, we have historically focused on being compliant. Here in the U.S., we're focused on things like HIPAA, and what we really need to be focused on is what is the risk to the patient. We've always been mostly worried, too, about disclosure of data and the fact that hackers would steal data and post it or expose it online and that sort of thing, and then we'd have to report it as a breach and go through that whole legal compliance government rigmarole. Patients can recover from a data breach. They cannot recover if they are killed due to a safety event created by either a bad medical device or a ransomware event. And I think that needs to be the number one focus as we run our security programs: to say, of course, we're worried about patient data confidentiality, but at the end of the day, the most important thing is to do no harm, and we have got to make sure that we're enabling our caregivers to take care of patients in the best way possible. And that means that they need the availability of systems that are otherwise compromised due to ransomware.

Brian Selfridge: [00:08:12] I really appreciate Stoddard's perspective here: we need to continually be tying back the purpose of compliance to supporting the mission of the business. Very often, that mission is about maintaining operational viability while minimizing the risk to our patients, versus getting hung up solely on satisfying the specific mandates from this or that regulation and checking the boxes, so to speak. So we appreciate Stoddard's perspective there. Our next healthcare security leader, Nick VanDuyne from Healthix, which is an HIE, a health information exchange, out of New York, takes this discussion a step further in relating audits and compliance to the concepts of trust and respect within our communities, which I would imagine we all would like to enhance any way that we can. So let's hear from Nick.

Nick VanDuyne (Healthix): [00:08:54] Maintaining audits is as mundane as it sounds and is as unglamorous as it is, but it is really an important part of making sure that you've established good trust with both your clients and with the community at large. Again, because if we don't really have that level of trust and people can't feel that they're being taken care of, that their data is being taken care of, then we sort of lose the whole premise of what we do, right, because everything is based on respect and trust, and we have to make sure that we maintain that. So we take it very seriously. We would probably over audit, to be honest. But in our sense, we feel that that does us a better service than not.

Brian Selfridge: [00:09:42] Now, not everyone is as pro-audit as Nick is. For instance, when we spoke with Joey Johnson, the CISO of Premise Health, he provided an important reminder about the imperfections of some of the regulations. They're not exactly all that all the time. We have to be careful not to drive all of our program efforts toward satisfying a specific regulation, since those regulations can be flawed in their ability to measure the effectiveness of our risk management capabilities overall, versus just the effectiveness of our ability to comply. So let's hear from Joey in his own words.

Joey Johnson (Premise Health): [00:10:13] We'll take on HIPAA for a second, I think. I think the HIPAA approach to required controls versus those that are not, right? That's bad, because you can't have a framework where, you know, a large healthcare payer that's invested billions and has put all the right tools and technology in, but is a much bigger target, is battling to be compliant, whereas you have Dr. Jo's vision shop up in the farthest northwestern corner of Montana that also can say that they are HIPAA compliant, and they don't have half of the controls in place right now. I understand, obviously there are scales of what organizations can invest in. But to be able to use a different measuring stick that makes both organizations come out on a different end of the equation, that's a broken model to me. So that's what I think on that one.

Brian Selfridge: [00:11:11] Ok, so audits are not for everyone, and frankly, they're rarely fun unless you're a sicko like us here at Meditology and you do this stuff for a living. But we do like it. I want to switch gears a little bit to another topic that is even less fun than audits, and that is dealing with cybersecurity incidents, including ransomware. And hopefully we can find some silver bullets here somewhere. The first security leader we're going to hear from on this topic is our very own Nadia Fahim-Koster, who, much like myself, was a healthcare CISO prior to coming to Meditology. Let's hear from Nadia as she talks through some very practical lessons learned, the hard way, unfortunately, about getting prepared for real world incidents. So let's turn it over to Nadia.

Nadia Fahim-Koster (Meditology): [00:11:53] All organizations have business associate agreements in place and say, "Well, I have a BAA that's signed, so security is their bailiwick. I don't have to worry about it." That's simply not true. It's the same when it comes to incident response. You know, you're relying on the third party to provide a huge portion of your services. You better test that with them. That's also the opportunity, while you're testing with them, to make sure that whatever contractual documentation you have in place is reviewed: what level of services they have and they can provide you with. Because in the case of an incident, you're going to know, well, now that I'm testing with them, they're telling me it's not the right level of service. Maybe I need to upgrade to that next level of service. And again, I think those are components that should be able to get planned out. But again, Brian, as you know, you can't always anticipate every single issue that's going to happen. But the more you do it, the more you anticipate, I think, the better off you are. And I have another anecdote back again to my former life as a CSO. You know, I had a breach and I thought I was golden. I'm just going to call my cyber liability company at the time and turn it over to them and tell them, OK, here's the problem, and I need to call that forensics company that's part of our contract with you guys. "Sure, we're here to help you," and it was right before Thanksgiving, "but you guys don't have an actual contract with that forensics firm." Then what? Wait a minute. I have a contract with you, my cyber liability vendor. You never mentioned during the contract negotiation that I had to have a separate contract in place with every sub vendor you put down on the contract. And the answer was, "No. Yeah, you do." So here I am, negotiating with that subcontractor in the middle of the 60 day threshold with Thanksgiving and Christmas in the mix. It was quite fun.

Brian Selfridge: [00:13:53] I think Nadia's insights here are invaluable for making sure you have all of your ducks in a row before the real incidents occur and getting prepared as much as possible. Now, even though we've already heard from Stoddard Manikin of Children's Healthcare of Atlanta, I want to bring him back once more. This will be the last time, to talk about ransomware specifically, since he is a wealth of knowledge on this topic. So here's Stoddard.

Stoddard Manikin (Children's Healthcare of Atlanta): [00:14:15] I don't think ransomware is going away anytime soon. It has proven to be highly lucrative for the people who use it. And so we do need to focus on prevention, but also be ready with response plans. So define your plan in advance. Have retainers in place with a good security resource in terms of doing forensic analysis and recovery. Have contacts at law enforcement on speed dial, and crisis communications. And just be ready, because it will happen to all of us at one point or another. It just varies on how widespread the impact will be, and the widespread portion of it is really up to each organization as to what preventative controls they have in place.

Brian Selfridge: [00:14:56] I also asked Stoddard about an incident in Germany where a ransomware event led to the death of a patient. This is the Dusseldorf hospital, for those that followed that in the news a little while back. I asked him, if he were the CISO in that chair when that event started, what would he have liked to have had access to in terms of preparation and materials to manage that event effectively? So let's hear Stoddard's thoughts on that one.

Stoddard Manikin (Children's Healthcare of Atlanta): [00:15:20] I would have liked to have had my incident response plan for ransomware completely defined. And whether that's sitting in a binder or on a shared drive somewhere, it's totally up to each individual. But I would recommend both, because if the shared drive is impacted by the ransomware event, then you're not going to be able to get to it. For our team, we keep those types of documents on local PCs for people who go home at night, so that we have access to it regardless of whether you're connected to the network or not, and so forth. I would want to have our communication plan documented to know who and when we would do notifications, when we would bring in broader teams outside of and to include communications, potentially law enforcement and so forth, and even to have on speed dial our crisis communications firm, possibly law enforcement, legal advice and that sort of thing.

Brian Selfridge: [00:16:13] All right, the next guest we'll hear from on the topic of incident response is John Jessup, the CISO of a large healthcare entity based in New York. John asked us not to share the entity name and to keep that generic for now. We hope you appreciate his desire for privacy, as that's what we do, right? Privacy and security. So I asked John about how he manages trying to accomplish planned work for his security program amidst the barrage of day to day cyber incidents that his team faces, so that whole balancing of operational day to day work with all these fire drills, and Lord knows there's enough of them. So let's hear from John.

John Jessup: [00:16:47] Well, thankfully, the way we have our infosec team broken down into a program side and an operations side, it really falls more heavily on the operations side to manage incident response along with our MSSP. I myself would probably get pulled to support the incident response activity. I guess my role is that of a floater, and I'll go in between the program and the ops side and help out. Now, in terms of communication, we have extremely well defined communications plans based on the severity and the type of incident, and they address who should get what and on what frequency. And we even have the comms template out, so you just have to plug things in. Now on the program side, if we think that there's going to be any type of an impact, we can certainly communicate to our affiliate organizations very easily. We communicate with our affiliate organizations on a regular basis anyway as part of our security awareness program, and also as part of our HIPAA security compliance program. We alert folks on a regular basis, so they expect to see communications from us. And they've been very supportive in the past. And they understand that if something so egregious happened that it impacted our capabilities to roll out a project, we would just push back, and we would have the support of senior leadership within the organization and at the affiliate organizations that we support.

Brian Selfridge: [00:18:47] So that wraps up some insights on ransomware and incident response. Some very helpful recommendations there, for sure. Moving on to our next topic, which I believe is arguably the most important risk vector right now in the industry, we're going to tackle third party supply chain risk. There's been a flurry of activity for healthcare entities trying to react to the deluge of supply chain attacks against Kaseya, SolarWinds, Microsoft and all the rest this year; I can't even keep track of them anymore. Let's hear from some healthcare cybersecurity experts on their approaches to tackling this mounting problem. We're going to open our discussion with a special sneak peek, actually, from an interview with Steve Dunkle, the CISO for Geisinger Health System. I say sneak peek because this podcast interview with Steve has not yet been released, so this is a special preview, and we'll be launching the episode in a few weeks. So stay tuned for that on our CyberPHIx podcast channel. I asked Steve whether or not he thinks we can expect to see regulations around third party risk and supply chain, whether or not those are imminent, and what we can do to prepare, given all of the action happening at the White House and globally around cyber risk and the bills being introduced in the House and the rest. So let's hear from Steve.

Steve Dunkle (Geisinger): [00:19:55] The whole supply chain thing is definitely a wake up call. I think we're just starting to see the tip of the iceberg on that. But when you have multiple parties, and it chains down: party one as a vendor, or party two, which again is the whole supply chain depth. When you get that level of involvement, I think then, yes, regulations and law do fit in. There are sort of rules of the playing field. To me it just emphasizes how important it is for security professionals to spend some of their time thinking not just about what's there today, but putting on the other hat and saying, if I were to attack an organization, what are the ways I would come at it? And when you think about it, especially buried down three or four levels in a supply chain, what better way in? SolarWinds, look at the coverage they got out of that, meaning the other side. So yeah, I think regulatory is going to come into that. But also security professionals need to be doing a lot of research in this area and thinking about it, and working within their organization with the procurement folks, and if you have a chief purchasing officer and things like that, certainly be having discussions with them and collaborating with them and partnering with them.

Brian Selfridge: [00:21:34] Ok, next, we're going to hear from Eric Zematis, who is the CISO of Lehigh University, on how he approaches conversations with the business around third party vendor risks specifically. So I'll turn it over to you, Eric.

Eric Zematis (Lehigh University): [00:21:47] I implemented a process at Lehigh where we're involved in every new mission that involves technology, and in that we have a number of guided questions. So, you know, I sit down with folks and we have a conversation that comes out with something like this: "I want to talk to you for a couple of minutes, and I'm going to determine whether I, as the security person, even care about what you're doing." So what could trigger my interest? Sensitive data or valuable data, integrations with other systems, connections with other systems. So I have a couple of questions that I would ask the business leaders as their requirements for the product. First, I start off with: tell me what it does. And then we get into questions about how it is going to integrate around data or systems. And as we walk through that, I kind of tell them the type of things that would elevate a risk score or make it something more risky. Sometimes I question whether or not they even need to have certain data. So, you know, can you work off of other data elements to get the match, or close enough to the match? And a lot of times the business leaders really identify with that and say, "Yeah, we're going to make sure that they don't have access to Social Security number or other sensitive data, because they really don't need it. It doesn't provide a lot of value for me." So if they have problems matching because they don't have a Social Security number, either it's not going to happen very often,

Eric Zematis (Lehigh University): [00:23:27] or when it does happen, it's just a little more work for the vendor. And that's what we're paying them for. So we often reduce our risk right up front by reducing the amount of data we provide to the vendor. That being said, when you're dealing with something like SolarWinds, which Lehigh doesn't have, you know, the whole reason they're there is to help you run your network, right, and your environment. So there's no way to not have that real tight integration. So at some point you deal with vendors where you have to take that step. You have to have that shared, and with their help, illustrate what the risks are. And one big risk I actually often talk to stakeholders about is the risk to availability, because they often don't think about that, that systems can go down. If this was unavailable for an hour, what would the impact be? If this was unavailable for eight hours? If it was 24 hours? Tell me what the impact would be, and that helps them kind of think through it. And then often, having thought that through, they either insist on some kind of contract provisions or an SLA, or they will come back and say, "You know, I'm looking at two equivalent vendors, and one seems like it has a lot more availability guarantees; I'm going to go with that vendor." So those are some of the common things that we deal with and talk about to help the business understand the risk involved.

Brian Selfridge: [00:24:50] Ok, moving on in our conversation on third party risk, I want to hear from some of the leaders of service providers that specialize in third party risk to get their input on how they approach solutions for the broader industry. So we've heard the provider perspective. Let's hear some broader perspectives. The first leader we'd like to hear from on that front is Devon Wijesinghe. Devon is the chief transformation officer for CORL Technologies, which is Meditology Services' sister company that specializes exclusively in providing technology and managed services for third party vendor risk in healthcare. So over to you, Devon.

Devon Wijesinghe (CORL Technologies): [00:25:23] You can't impede commerce. You have to do enough vetting, you have to do enough, but that doesn't stop the flow of business, right? And so you mentioned something, and again, I think maybe coming full circle to the beginning of this is, like, you know, data at its core: how do we maybe share information that's approved, with secure access, and not entirely proprietary and so forth? But in industries, particularly in healthcare, where there's such a critical mass of third parties that serve a multitude of different, whether it be insurers and systems and so forth, how can we do better by exchanging information quickly and then creating a clearinghouse that allows for folks that have been cleared? Think of, literally, the Clear system at the airport, right? Kind of like TSA PreCheck, very similar. How do we create a clearinghouse whereby people could participate in that? And then it can be a central focus where, oh, you know, this has been approved and this is the last time it was done, here's the standards, but you're also getting a seal from a really reputable source, and it's peer reviewed too. Then you can go, "Oh, the vetting I need to do is maybe only a little bit different, a little bit more specific to me," but the vetting that the HIPAA standards, the NIST standards, all these different other standards, off to two factor authentication, all these other ones, know that you're getting access to that with, let's say, third party approval, potentially instantly. And so some people have created things like exchanges and so forth, and obviously those are unique and interesting. But if you could work with all these different ones, and if we could have, again, kind of peer buy-in, you could have a clearinghouse that really acts as that function. And you know, maybe we come upon the TSA PreCheck or the Clear that works for healthcare, and I see solutions and an industry moving towards that direction.

Brian Selfridge: [00:27:34] All right. Those are some great insights there from Devon and the CORL team, focusing on reusing vendor risk data and trying to shorten that assessment cycle with pre validated data, so we can make the whole process go faster, whether that's faster for a sales cycle for vendors or faster just to get through the assessment and the volume of assessments we need to do on the supply chain. Next, we're going to hear from another industry giant in the vendor space, and that's Kelly White, the CEO of RiskRecon, on his recommended approach to managing third party risk for small and medium sized vendors in particular.

Kelly White (RiskRecon): [00:28:09] Well, there's a number of ways to achieve good third party risk management outcomes, or, restating, there's a lot of good ways an organization can achieve good cybersecurity. They don't all involve massive piles of money and high-powered consulting firms and so forth. So there are many paths to the destination, although I'll answer the question. So that said, I'll answer the question this way. Jeff Belnap, the CISO of Slack, said this, which I thought was really insightful: if your business involves processing the data of other organizations, then you are in the security business, period. So it goes part and parcel: if you're processing data that belongs to other companies, you are in the security business, and it's just part of being in business in that part of the business. So you can't play the card, "Oh, I'm small," or "Geez, I can't afford it." Well, if you can't afford it, then you don't have a viable business. If you can't do it, you shouldn't be in the business at all of handling other organizations' information, because again, it's not your data, it's somebody else's. And that somebody else is looking at you. Your customer is looking at you, knowing full well for themselves that they've outsourced systems and services to you, but they have not outsourced their risk. So for every company like you or me or any third party providing services to other companies where we handle their data, we have to do that knowing that it is their risk, it's the risk of our customers that we've been entrusted with managing well, so that size doesn't matter. So I'll talk about some things that have been really interesting to me to observe that I think are innovative in the healthcare space.

Kelly White (RiskRecon): [00:29:56] Primary among those is that some leading healthcare organizations have actually boiled it down. If you look at a cyber risk management program and you want to do a thorough review of it, you see assessment questionnaires that can be one hundred, two hundred, three hundred questions long. And while large entities with sophisticated, robust information security programs may have the capability to comply with all of those and answer all those and so forth, as you mentioned, you've got a lot of small, innovative companies that are providing a lot of value and that healthcare organizations are dependent on for operating their businesses and delivering their services. So you look at those small businesses, what do you do? You know, they're not going to have a CISO, a dedicated threat intelligence monitoring team, so on and so forth. I've seen the innovative organizations look at these types of vendors through a lens that's properly adjusted to match, again, what's really the risk surface? What's the value at risk in that organization? What's the nature of that? And they kind of approach it in two levels. Many organizations have boiled down some essential characteristics necessary to achieve good risk outcomes that they apply to measuring their vendors. Some of them have said, OK, these 10, or some of them even call it the sacred seven, these are what they must have in place for us to even know that we have a basis for achieving good security outcomes. If they don't meet these basic requirements, then we can't do business with them or we need to get them to meet these basic requirements, because it often is in doing the basics well, the small number of basics well, upon which cybersecurity outcomes rest.

Brian Selfridge: [00:31:41] Ok, great stuff there. So let's switch gears a little bit onto the next topic, which is risk reporting and engaging with the business. We'll begin by hearing from Lauret Howard, who served as the chief risk officer for the healthcare organization Nasco.

Lauret Howard (Chief Risk Officer): [00:31:56] I think the key one to avoid is you don't want to be the person of "No." No, you can't do that. No, that's not the right way to do that. You really have to turn that around and become a key resource and become a partner to those in the business. So you need to find a way to "yes." You need to work and understand what's the business outcome you're trying to get to. You know, what potential type of data or risks are you creating for the business, and what is the work that needs to be done to be able to address those particular risks? So when the security team and risk management can help the business people be successful, then they are going to be engaged at the beginning of the process. There's nothing more difficult, and I think a challenge in shifting culture is when you have legacy processes and legacy systems, and the lift to try and get the right controls in place can be very difficult. But making sure that any of the new capabilities that you're developing integrate those security standards to incorporate the audit controls and the ability to evidence those controls at the beginning is going to make it simpler going forward. So you have this two-pronged approach: what do you need to do to help get the existing business in compliance? And then how do you integrate the security practices and controls into any new capabilities so that when you take these services or products to market, you have eliminated a potential risk to the sale, because you have affirmation that the security controls are in place and that is not going to disadvantage you in the marketplace.

Brian Selfridge: [00:34:11] Ok, so the next guest we're going to hear from is TJ Mann, who was the CISO of Children's Mercy Hospital, and he discusses with us how we can frame cybersecurity in our discussions with the business. So I don't want to steal his thunder. Let's hear it from him directly.

TJ Mann (Children's Mercy Hospital): [00:34:27] Cybersecurity is an enterprise risk, so when cybersecurity breaches or incidents do occur, and it's also a matter of when, not if, they impact the entire organization. They don't disrupt one single business unit or one single team, they impact the entire organization. So the entire organization is responsible for reducing cyber risk by partnering with the cybersecurity teams and changing the organizational culture.

Brian Selfridge: [00:34:59] Now, that's a short and succinct perspective, but I do recommend you listen to that full interview with TJ as he walks through accountability for cybersecurity at all levels of the organization, from staff up through management and everybody in between. Really, really great perspective that TJ provides us there. So next, we're going to hear from Wes Wright, who is the CTO of Imprivata and also the former CTO of Sutter Health in California. So Wes has that perspective on the vendor side, particularly focused around identity management, so you'll hear him focus on that digital identity topic. But Wes's perspective as a healthcare leader in the provider space for very large organizations is also much appreciated. Wes also employs my favorite analogy of the year here in this particular episode discussion we had when we were talking about cybersecurity, and digital identity management in particular, with the business. So I'll let him start off with that analogy. And let's go from here.

Wes Wright (Imprivata): [00:35:53] A good identity governance program is kind of like plumbing. Well, you don't see plumbing, it's hidden in the walls, and unfortunately in your organizations, I would bet there's hardly anybody in the C-level suite, you know, CEO, CFO and so on, that realizes exactly how important digital identity is and how important it is from a patient safety perspective, from a cybersecurity perspective. So that's where I would start. I mean, if you're a CTO, brief your CIO about why digital identity is important. If you're a CIO, brief your counterparts, your CEO, your CFO, and get an understanding in their minds exactly why this is so critical to the organization. So that if you're doing nothing else, then constantly be marketing to your compatriots in other divisions exactly how important digital identity is to the safety, because cybersecurity is a patient safety issue in my mind, to the safety of your organization. That is where you've got to get that executive staff on board with the importance of identity governance. So that's where you have to start.

Brian Selfridge: [00:37:28] So I love that plumbing analogy, and I'll steal that from Wes to use from time to time, of, you know, us being the pipes, and stuff just needs to work. All right. So next, I would like to move on to our fifth topic in this lightning round of insights from healthcare CISOs and leaders. This time we're going to talk about cloud security, certainly a topic that's on a lot of our minds these days. So the first guest up and panelist here is Dan Bowden, who is the CISO for Sentara Health. So let's hear from Dan on cloud security considerations.

Dan Bowden (Sentara): [00:38:01] You just have to get the tools in place, right, and manage all of your connectivity to figure that out. So you need to get things like CASB technology, you need to make sure that you're managing all of the connectivity of the endpoints that you support so that you know and discover where everyone is, where they're going and what services they're using. And anyone who hasn't done either, used the CASB and seen the inventory or posse nick has been seeing the inventory, I promise you'll be surprised, you know, unless you have one of those really hard core default deny, nobody goes anywhere except for the sites we allow through our proxy, and there aren't very many places like that. And if you have a generally open proxy, even if you're trying to block malicious content and other categories you don't like, you know, you'll end up being pretty surprised at where people go. So you just have to buy the tools to do it or go through implementing some sort of a default deny posture on how you manage access to the internet.

Brian Selfridge: [00:39:22] We appreciate Dan's perspective there. Got to get the right tools. But, you know, it's more than just tools that we need to get the job done. I think we know that in any particular discipline. So I also asked our next guest, Mark Eggleston, about how to optimize cloud security implementations, including platforms like Microsoft Office 365. And you know, we'll see how he expands upon just sort of the technology side of things.

Mark Eggleston (Health Partners Plans): [00:39:47] Let's go back to things we're all comfortable with, like the people, process and technology paradigm. Make sure you have the resources and the expertise. You should have an SME who's been down this road before, whether that road is adopting a cloud-based model or has some expertise in a specific technology you're seeking to adopt, like Office 365. You need some SMEs out there. They're going to help you. I think also a lot of us are familiar with the DevOps framework. You have to really kind of put yourself in that frame of mind where you're instituting controls on the fly in a test or a pilot environment.

[00:40:26] A lot of us have some discomfort there, but embracing that, we're throwing out lots of different technology. Microsoft is going to change this every month anyway. We need to make sure we're in a position where we can readily adopt and monitor and put some of these newer controls in place.

Brian Selfridge: [00:40:44] Ok, we're going to move on next to hear some perspectives on the topic of medical device and IoT risks that many healthcare providers, and healthcare entities more broadly, are struggling to manage. First, we're going to hear from Mike Wilson, who is the CISO at Molina Healthcare. He talks about asset management challenges and approaches related to the medical device and IoT ecosystem. So let's hear from Mike.

Mike Wilson (Molina Healthcare): [00:41:06] The challenge we have with them, and you allude to inventory, is there's a lot of them. And if you think about the nature of a medical device, you know, by its nature, it moves. It could be a drug pump or, you know, an insulin pump, could be a variety of different things, and an MRI machine, for instance, and some less portable than others. But generally speaking, they're hard to inventory. If we think about the asset problem in IT, that's been a grappling one we've dealt with from the IT context for years and years and years, and it's been challenging, and we're really dealing with, you know, what is a server, what operating system does it run? And, you know, perhaps what application is on it and what does that mean from a business priority standpoint. And in the sort of connected device, IoT, but medical device realm, you know, you've got just an extraordinary level of complexity in terms of the types of devices. You know, the operating systems are somewhat relevant, but what is the device itself? What's its firmware? What is it doing? And the number of devices far outstrips the ITP. So the inventory question is very difficult.

[00:42:19] And coupled with the reality that, you know, we have a set of devices that are sitting, you know, in a portable nature across, you know, provider space and managed care in general. You know, it makes the problem very difficult to sort of pin down, you know, what is that asset? Where is it? Is it vulnerable to something? Has it been updated in a while? And you take that through, and one more comment and we can move on. But one more comment relating to, you know, if we're forgetting security for a moment, you think about optimizing your assets from a financial standpoint. So here we've got a set of assets, medical devices, and in some cases, very expensive assets. They're moving around. They're very portable. And when we think about optimizing our IT expense and understanding what is our IoT expense based on assets, that same is true in the medical device realm as well. And yet, how well do we know, you know, do we need an extra MRI machine? Do we need an extra drug pump? You know, is it just switched off? Where was it last? Yeah, these are difficult questions from an inventory standpoint.

Brian Selfridge: [00:43:21] So those are certainly some of the challenges we need to be aware of and focus on. You know, in terms of solving this challenge, we'll hear next from Susan Ramonat, who is the CEO of Spiritus, a company that has made strides in medical device and IoT inventory risk management using blockchain technology and other awesome automation capabilities that they've been able to pull together. So Susan gives us some thoughts on dealing with identifying and securing new and legacy devices. So over to Susan.

Susan Ramonat (Spiritus): [00:43:48] There's a lot of talk in healthcare about medical records and the pharmaceutical supply chain. Not as much about medical devices. I think we're exceptional in that sense, that there are few folks that are realizing the opportunity here. And importantly, while the technology is making significant progress and there's opportunity to experiment with different protocols, if you will, importantly, key points here are governance and bringing together a consortium of interested players, a group of the willing, if you can think of it that way, who understand the importance of collaborating. In the end, what you're talking about, whether it's from the device manufacturer, the health delivery organization or the intermediate or commodity suppliers whose components are represented, is this developing conviction that you've got sort of tone at the top, management commitment, which is a matter of education on the part of the professionals in the health delivery organization about why this is important. An education that's not a one time meeting, you know, it's an education over time and builds over time. So the organization really has a standard that's reinforced by the executive team, and the underlying behaviors and incentives are aligned. That puts your technology teams, where they're coming from the traditional IT or the operational technology side, and clinical specialists on a better footing, because everyone comes to work every day wanting to do the best they can. But having that sit in a context where there's strong executive support and the associated behavioral and structural arrangements to reinforce sound solutions, I think is critical.

Brian Selfridge: [00:45:32] I agree with Susan that collaboration is essential for this particular problem, you know, the complexity of the medical device ecosystem. However, I think it's going to continue to be a challenge to coordinate all these disparate stakeholders inside the organization and outside the organization to work together to secure our critical devices. And we've still got a long way to go there, for sure. So the last perspective we're going to hear from on the medical device front is Andy Seward, who is the CISO at Solution Health. This is a short perspective, but I think an important one about applying automation to assist with securing medical devices. So let's hear a quick quote from Andy on this piece.

Andy Seward (Solution Health): [00:46:08] Medical device management, it's an area in cybersecurity that's really worried us, with all of these infusion pumps and telemetry devices and IoT devices out there within our hospital systems, and I'm sure it's the same in other industry sectors. So anything that you can do to sort of understand your environment, inventory it and be able to get useful, actionable data off of that is an area where automation can definitely help us.

Brian Selfridge: [00:46:34] All right. We have, alas, arrived at our closing thought from over 20 healthcare cybersecurity leaders and privacy and risk management folks. So many amazing perspectives here that we've heard today. We want to close things out with some commentary on cybersecurity enterprise certifications like HITRUST, SOC 2 and the like. This time, we'll hear from Bethany Page Ishii, who is one of our top directors here at Meditology. I asked Bethany about the common pitfalls that healthcare entities encounter when pursuing cybersecurity certifications for the enterprise, like HITRUST CSF and SOC 2 and others. So let's hear from Bethany.

Bethany Page Ishii (Meditology): [00:47:10] Yeah, I'd say first and foremost, a pitfall and a recommendation is going through a readiness assessment. So you want to go through the exercise to assess the requirements that will be in scope for when the certification time comes. So it's almost like a, you know, we call it a readiness because it's getting not only the organization ready, but also, you know, you're building that relationship with the client. So the assessor and the organization are building that relationship. The assessor is getting to know the stakeholders and the control owners ahead of the certification period. So it's really just setting up both parties to be as successful as possible when the certification period comes around. So not doing a readiness is definitely a common pitfall, because organizations will be seeing a request for the first time. Whereas if you go through a readiness assessment, you're familiar with the request, you know what documentation needs to be provided. And by the time the certification comes, you're really just refreshing the documentation that was collected during that readiness period. Another common pitfall I see is having external drivers setting the pace. Sometimes there's a deadline and you're backing up into the deadline.

[00:48:35] Sometimes you can't help that. But you know, to that end, if there is a hard deadline, I've seen organizations not give themselves enough time following a readiness assessment to really go through and remediate the gaps that were found during that readiness period. And you know, there are certain rules HITRUST has, right, and one of those is a 90 day control run period. So you need to have policies and procedures in place for 90 days leading up to that certification period. And outside of policies and procedures, you also need to make sure that you have a control implemented and operating effectively for 90 days, you know, and the whole intent behind that is just to ensure that, you know, the organization doesn't install anti-malware on all their servers a week before certification, and then we go through and test it. So the 90 day rule makes sense and is something that organizations definitely need to make sure they bake into their timeline when they're looking to achieve HITRUST certification.

Brian Selfridge: [00:49:47] All right, well, that was a whirlwind of updates we heard from over 20 healthcare leaders. We've gotten some amazing insights across seven or eight major topics there, and I recommend to you, if you wanted to dig deeper into any of those topics, definitely do check out the CyberPHIx podcast. It's available on all major platforms. And you know you'll get to hear the full perspective of these folks, as well as others that we've interviewed over the years. We also put out a biweekly what we call CyberPHIx Roundup, which is about a 15 to 20 minute overview of all the major news and trends that are happening and analysis from myself on what's been going on in healthcare cybersecurity, privacy and risk. So hopefully all those resources are useful for you, and you can get some information that you can take back to your own organization or share with your colleagues. That ability to sort of work with each other, work with our peers, listen to what others are doing, I've always found, when I was a security officer myself, to be critical to my success there, and also just overall, you know, career wise, just staying in tune to what's going on just makes us all better professionals.

Brian Selfridge: [00:50:57] And my many thanks to the 20 plus panelists and all the folks that have participated in the CyberPHIx podcast over the last couple of years and their willingness to really pay it forward and share with you all that insight. They're very, very busy folks that took their time to sit down with us and go through some of the toughest topics that are out there. And we're very thankful.

Brian Selfridge: [00:51:19] That's all for this session of The CyberPHIx Healthcare Security podcast. I hope this has been informative for you, and I'd love to hear from you if you want to talk about any of this. Just reach out to us at [email protected] Services. So that's all for this week and so long, and thanks for everything you do to keep our healthcare systems and organizations safe.