SolarWinds & Weak Links in the Healthcare Supply Chain

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

A groundbreaking cyberattack against the IT network solutions provider SolarWinds has resulted in unauthorized access to a wide range of government and private sector organizations.

The extent, scale, and impact of the attack are still being assessed; however, initial indications are that the attack will have lasting security impacts for months and possibly years to come for organizations, including healthcare entities.

In this episode of The CyberPHIx, we speak with Devon Wijesinghe, Chief Transformation Officer at CORL Technologies, a tech-enabled managed services company dedicated to vendor risk management for the healthcare industry. Devon is an acclaimed innovator and leader in the data industry, with extensive experience transforming tech-enabled service organizations into on-demand SaaS platforms to solve big problems, including third-party vendor risk.

Devon discusses the recent SolarWinds supply chain attack and its implications for healthcare organizations and the management of third-party vendor risk more broadly in 2021 and beyond. Highlights of the discussion include:

  • A brief overview of the SolarWinds attack and its impact on healthcare
  • Leveraging risk data to improve risk decisions and investments in third-party risk management for healthcare entities
  • Comparable vendors to SolarWinds and the potential for other similar attacks to the supply chain going forward
  • Trends in attack methods and motives of malicious actors
  • Solutions for tackling supply chain risks including technology automation, people, and process
  • Common pitfalls for vendor risk management programs
  • The future of supply chain risk management in healthcare and innovations underway in the marketplace to scale to address this challenge

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:19] Welcome to the CyberPHIx, your audio resource for information security, privacy, risk and compliance for the health care industry. I'm your host, Brian Selfridge. In each episode, we will be bringing you pertinent information from thought leaders in healthcare information security and privacy. In this session, we'll be speaking with Devon Wijesinghe, who is the Chief Transformation Officer at CORL Technologies, a tech-enabled, managed services company dedicated to vendor risk management compliance with a focus on healthcare. I will be speaking with Devon today about the SolarWinds supply chain attack and what it means for larger trends in third party risk management for the health care industry. So now let's get on to another great conversation with yet another amazing guest, Devon Wijesinghe.

Brian Selfridge: [00:01:09] Hello and welcome to CyberPHIx, your leading podcast for cybersecurity, privacy, risk and compliance, specifically for the healthcare industry. I would like to welcome my guest, Devon Wijesinghe. Devon is the Chief Transformation Officer at CORL Technologies, a tech enabled, managed services company dedicated to vendor risk management and compliance with a focus on servicing the healthcare industry. Devon's responsibilities at CORL span new product development, go to market acquisition as well as inorganic growth efforts for the company. He's an acclaimed innovator and leader in the data industry with extensive experience transforming tech enabled service organizations into On-Demand software as a service platforms. Prior to CORL, Devon was the head of corporate and business development at Cision, where he helped lead its private sale transaction to Platinum Equity for two point seven billion dollars. And he was also the founder of two other data software companies, including E-Verifile and Insightpool. Today, we're going to discuss the recent SolarWinds supply chain attack and its implications for health care organizations and the management of third party vendor risk more broadly in 2021 and beyond. So at that, Devon, I would like to thank you so much for joining us on the CyberPHIx today.

Devon Wijesinghe: [00:02:16] Happy to be here, thanks. Thanks again for including me. It's a it's a that's a really interesting time we're living in, so I'm looking forward to get into it with you.

Brian Selfridge: [00:02:24] Great. Well, right off the bat here, Devon, why don't you tell us a little bit more about yourself, your background, your role with CORL. I know we did your bio there, but I'd like to hear what aspects of your background inform your perspective on these supply chain risks that we'll be talking about today.

Devon Wijesinghe: [00:02:37] Yeah, absolutely. So the interesting part about all the different businesses that have involved in it's always been data at its core. And when you think about E-Verifile that became the largest privately held information services company with data on people for doing like vendor credentialing on individuals. And then we sold that company to a private equity firm and then Insightpool. And what was the at the heart of it was social media data. So data on different patterns and uniqueness of who we are on social. And eventually you saw that for a couple of decision. And Cision was a huge data company that captured everything from what you were essentially reading. If you looked at a press release to a database of what journalists to contact. And so was kind of the largest PR software company in the industry and of course, then sold that for a few billion to Platinum Equity.

Devon Wijesinghe: [00:03:36] So each one of those things, though, was with data at its core. And that's what's obviously super excited about CORL how it delivers its service is is truly bar none. But really extracting and putting a spotlight on the data that it's captured in the healthcare industry is really, really awesome.

Brian Selfridge: [00:03:58] So what kind of data is most useful for third party risk? What what is it that we're looking to mine and harvest and and apply to this risk management challenge or supply chain challenge?

Devon Wijesinghe: [00:04:09] Well, you know, I think when you when obviously you look at different security protocols and different standards, there's some that are pretty generic. But I think with with CORL, what you also find is you have industry experts sitting behind the scenes that also know for, like, how to look for small patterns to look for. Well, this doesn't look like it jives with this. It's not like we're maybe if you're only software, you look at something that's just binary. Right. Passed or failed.

Devon Wijesinghe: [00:04:40] And and if you think about things that might be out in the industry today, while automation definitely has its place, when you're thinking about something as significant as third party risk, where, you know your business could just either effectively evaporate or just that the losses could be millions and millions, you want to make sure there's at least a set of eyes that, again, truly is an expert that probably has maybe even forgotten more than you know about the space that checks that check that box office. I think what it is is also looking for patterns, looking for things other than just, hey, do you have a software compliance plan or do you have two-factor authentication?

Devon Wijesinghe: [00:05:23] Because candidly, if a computer can answer that and like I said, while it might be helpful to take those answers in, we want somebody on the back end making sure that, yes, this this looks like it matches with what you're trying to accomplish.

Brian Selfridge: [00:05:36] So we promised to talk about SolarWinds, in particular this massive attack that occurred toward the end of 2020 and is percolating into 2021 here. Just to level set with our listeners here, could you give us a quick overview of what that was all about and why it's it's sort of getting the attention that it is?

Devon Wijesinghe: [00:05:54] Yes. If you if you look at the SolarWinds attack, it comes into the back door. Right. So if you think of access to Microsoft's kernel access, like the vulnerabilities that were exposed, that the first. Actively took the Orion platform that SolarWinds sits on and being able to back end into it again through different third parties is pretty, pretty well coordinated.

Devon Wijesinghe: [00:06:19] So it wasn't just like there was one entity that got breached. But, you know, if you have multiple entities, the different levels of access and you can breach 10 of those easier than you can breach the nucleus, will you breach 10? And now you pretty much are at the right. And so the point of that was, is that that also help government systems that were on that Orion platform that that held a multitude of really, really scary critical infrastructure that we probably don't even know the depth of which it was breached.

Devon Wijesinghe: [00:06:53] But but the point simply being is if you want to hack Microsoft, you don't have Microsoft. You have somebody that has two or three degrees of levels of access and you just hack multiple ones. And so so, again, we've really coordinated and we can speculate where it actually came from. The sophistication to get in there was just looking for the weakest link and usually the weakest links are from third parties.

Brian Selfridge: [00:07:20] So for our non IT centric audiences out there, they may not know what SolarWinds does, but it's essentially a network monitoring platform, among other things. Right. Pretty focused type of tool. Are there other platforms like that that are sitting out there that could be potential SolarWinds type of platforms that might have non optimal security controls, let's say, and could serve as another entry point for that sort of rapid scale of infiltration that we've seen with SolarWinds? So is or is this just a one off like this was? This is a perfect storm, this particular software and some some sophisticated bad guys like could this happen again? I guess is really the question.

Devon Wijesinghe: [00:07:59] Yes, obviously. I think you think about the ones that are really prevalent. If you want to just talk about us for a second. Amazon Web Services, Amazon Web Services hosted lots of cool things like Netflix runs on this platform. There is a number of obviously Amazon itself runs on that platform. But Amazon Web Services has probably a significant percentage of any cloud based healthcare system at its some junction. Some portion of it is probably hosted on AWS.

Devon Wijesinghe: [00:08:35] And so if you're a hospital provider and you're buying an EMR that is also cloud hosted, the likelihood is that's on us and you're not going to bring down all of us. Right. Because by that time you get some kind of root access into it, they partitioned it off so well. But you might be able to bring down Mayo clinic, for instance, hypothetically on AWS. You might be able to bring down five. You might be able to bring down different government facilities that sit there on that partition. So if you think about just cloud hosting in general, again, weakest link being who got rights, access to that platform and what did they then do that looked like they were an administrator.

Devon Wijesinghe: [00:09:25] And if there were an administrator, they could effectively wipe out a platform that manages patient record information. What do you do then? But I was a hospital react after that. I'm sure there's some backup protocols and so forth. But needless to say, if somebody really wanted to get to the heart of what we're what we're going through right now, think about the surging of Covid and just think about how truly messy it is with everything up and running. If an attacker wanted to do something, why wouldn't they attack our health care system? Why wouldn't they do something that can maybe really kind of cripple the medical industry in our country if they wanted to, if they really wanted to do something?

Devon Wijesinghe: [00:10:09] So so my point is I just think there are a lot of different instances. And and and the biggest one is where I see companies that grade their access of third parties to critical infrastructure, where they think only a certain amount of parties should they really grade. And the reality is it's like, well, who had access to to what? And you probably want to be a little bit more broader when you think about what would happen if you lost all your patient records. And that's an anomaly, but something that you have to consider.

Brian Selfridge: [00:10:41] Do you think SolarWinds was on the radar of third party risk management organizations for those those reasons you mentioned, prioritizing your your portfolio and sort of figuring out which vendors are we going to look at? We can't look at them all with SolarWinds, one that really would have fallen into a priority category. And if not, what what should we do to maybe bump up organizations like this to make sure they get on our radar?

Devon Wijesinghe: [00:11:03] Yeah, you know, I think depending on how people would have installed it, I cannot understand how it wouldn't have been right. I've never heard of a low criticality network infrastructure monitoring software. Right. However, what I do think is like, again, who did they allow access and what they did go deeper into the supply chain. And so I certainly think there is more that absolutely could have been done. But, you know, I and I have found that there are there are parties just that go, well, I'm going to put that risk on the vendor. I'm going to indemnify it. Right, so that they go, hey, but do they have the resources, the time or whatever it might be like, hey, I'm just going to make sure you indemnify me. And the reality is, is like you're not going to get back all you lost, ever.

Devon Wijesinghe: [00:12:06] And so it's a structure. I'm just surprised how that would have been missed. But I'm unfortunately not surprised that people wouldn't have done that vetting and screening because they thought they could make it up through insurance.

Brian Selfridge: [00:12:19] Now, the SolarWinds attack has reportedly affected many industries, right? The federal sector was a big target. The big tech organizations, big, big names, Microsoft, VMware, right. Nobody was spared. Now, given our audiences focused on on the healthcare sector predominantly, are you aware of not that you to be an expert on? You're not you're not functioning for the FBI. So I realize there's blind spots. But are you aware of this impacting health care? Is this something a health care entity should also pay attention to mitigating if they are using SolarWinds? Or is this really just, you know, corporate espionage, government to government happening somewhere else outside of our infrastructure?

Devon Wijesinghe: [00:13:01] Well, yeah, if I told you, I'd have to kill you. But but other than that, yeah, I obviously don't know and can't speculate. But, you know, if you think about, you know, healthcare is percentage of GDP, like, how is that not critical infrastructure? Obviously, government services is critical infrastructure, but healthcare, there's a significant portion of of healthcare facilities that are publicly owned. Right. That are state run and so forth, too. So if you took down a government or you just had access to government services system, that might be that you also have access to the health care system too. Right. It was it was one that was far reaching. It wasn't just relegated to like the dot. Right. It was it was full government systems that, you know, monitors because because they can get scale and economies of scale and price reductions that way. When you see services like that.

Devon Wijesinghe: [00:13:54] And I absolutely imagine that health care has been impacted and already maybe felt some breaches and maybe not felt any effects from it. But certainly there's no question that it was already impacted. I just don't know the extent.

Brian Selfridge: [00:14:07] What do you think the access from SolarWinds and other sort of third party supply chain attacks are really are really driving for the bad guys here? What are their motives? Is it to take down critical infrastructure through ransomware, through denial of service? Is it to steal the data? Is it to monetize the data somehow? Is it all of the above? Do you have a sense of where these attacks might go now that this sort of back door is opened, of where we should be looking at which crown jewel should we be most worried about?

Devon Wijesinghe: [00:14:38] I think of the old saying, knowledge is power. Once you have the knowledge, you didn't have the power to be able to use that in a multitude of different sources. If you think of you could create your own little black market dark web information exchange. Right. So you're selling this data to go to sure.

Devon Wijesinghe: [00:15:03] Like government agencies that are, whether they be friend or foe, that they don't want to know that information. So whether they say that's on it, maybe it's just part of planning for or whatever they decide. And then you just say and say, oh, well, now I've also got ransomware folks, right? Like the there's a market for ransomware parties. Versus the hackers, are they the ones that know how to truly monetize all that and truly protect themselves after they monetize it? Probably not, but there's other people that do. And so then you have a market for that. Then you've got a market for, hey, yeah, we actually are going to take something down. I think in large part, you don't see people try and take something down right away. They start fighting at the edges.

Devon Wijesinghe: [00:16:01] When you stop when you do something so significant, that means you've got the multitude against you and you've got all the guns pointed at you at once. If you think about right, like if somebody launched a weapon of mass destruction that Upshaw's nobody is going to think about anything other than figuring out who did that and taking them out. FBI manhunts, all these different things. We have all the resources. You know what? If you just, like, fight at the edges and you have the knowledge, so all of a sudden you have access to some portion of the banking federal clearinghouse, you have access to some portion of this, you have access to some portion of the electrical grid. You have some access to health care information systems and so forth.

Devon Wijesinghe: [00:16:46] So when you think about little by little, you can then start doing things that nobody notices until it's too late. And when that happens, there is no leg to stand on. There is no negotiation. There is no anything. You just at the mercy. And I think when you think about things as sophisticated as SolarWinds. They take a little bite at a time. Don't launch something huge at once and make the news and, you know, have all guns pointed against you. You know, the smartest one would be the evil that you don't even see until it's too late.

Brian Selfridge: [00:17:38] That's actually my understanding of the SolarWinds attack, was that they got caught by accident. There was a one of the attacker engineer guys, I'll assume is a guy, that they had been in there for I think nine months plus and had this attack running at all, sprawled out all the places that we've now learned where it is and are still learning. And it was one slip up and oops, got detected and then we chased it back. And guns are all blazing is as you said. And so it's really it's it's a great point that this is something that may be going on elsewhere, that there's no desire to get caught. It's low and slow burn through getting the information and the access.

Brian Selfridge: [00:18:18] But I want to switch gears with you a little bit and talk about solutions right where it's easy to frame the problem and say it's going to be really rough for the next five, 10, 15 years in managing third party risk and supply chain risk. What are some of the tools, processes, mechanisms that are either on the market today or sort of emerging in the market that can help tackle this problem at scale? Now, third party, this fourth party risk all the way down the line. How do you see that? What tools and capabilities and processes do you see helping with that today to sort of start there?

Devon Wijesinghe: [00:18:53] Well, it's definitely not an Excel spreadsheet. You really need technology, whether that's a combination of platforms, like Power BI or a combination of solutions that might have a third party management solutions out there. Obviously, CORL is one of those. But the reality is, is that there's just there's just no way to have an ammunition to viewpoint into supply chain if you're tracking it in a manner that doesn't scale.

Devon Wijesinghe: [00:19:37] I think the first part of it is that obviously you need to know what it is you're looking for. And so there are solutions out there that can be, well, really helpful in organizing the information. But maybe they're not as useful in actually understanding, interpreting and helping you decide on the information. Right. So there could be a combination of sorts that that folks might use, whether it be internal or external and things to manage it. Obviously, in some rare instances, you know, maybe platforms to do both. And we're fortunate to be one of those.

Devon Wijesinghe: [00:20:16] But the reality is, if you have these combination of assets, that's OK, too. But you really need to have a kind of like a red, yellow green set up at scale. If you're a small community hospital and you only have 10 beds and you know every vendor that comes in because you went to high school with them, you probably don't need anything other than an Excel spreadsheet that I just just abide by government standards. But when you get bigger, you can't get things through like, well, who is this entity that came in and then they sum this out to another entity, I thought I was contracting with this entity, but they're a contractor subcontractor relationship. And you're like, I vetted this entity, but I have no idea. And you thought, well, I just indemnified them. Well, guess what? The person maybe on the ground was actually doing could care less if that there's there's there's insurance coverage from their company or their companies, subcontractor companies and so forth.

Devon Wijesinghe: [00:21:21] So so my suggestion is just utilize software that helps you see the omission to you so that you can understand where some vulnerabilities are. And then obviously back that up with if you have an internal great. But if you can access some external resources, usually cheaper than it is to hire to actually know what you're looking for and make sure that you're not just buying software that does one or the other. And if it only does one, make sure you pair it with the other fortunate enough to to get both in the in the same box then self-locking.

Brian Selfridge: [00:22:03] What are some common pitfalls, organizations that stand up their third party risk management program or are making investments in it, either in tech or process or people or whatever? What are some missteps that you see happening in the industry, if at all, where you could help guide folks sort of more toward that vision that you laid out there?

Devon Wijesinghe: [00:22:22] Yes, so I think the biggest thing is thinking the load is too much to bear. How much more work does this create internally? And usually that creates enough of a significant obstacle where people push that decision off. Right. So, most of the time when you're trying to implement programs like this, it's for the stick, not the carrot. Right. It's like, well, we have to you know, then what happens is that what we have to just do this group. Well, then it becomes a little bit less have to and maybe it's like a vitamin, not a painkiller. They're like, oh well, we don't have to do the second group. We don't have to do this third group, and obviously everybody deals with budgets and constraints and so forth, but there might be creative ways to to approach that. Maybe the the vendors deduct that from their their the next bill to you. But you just say like it's required that you go through X, Y, Z process and that comes often. And if people couldn't spare the few hundred dollars or whatever it might be as an assessment on them, maybe their maybe their contract value isn't that they're getting that much access anyways. Right.

Devon Wijesinghe: [00:23:50] Take a take a good hard look and don't believe that it's too big of an obstacle to roll uphill and it's not worth it because there are multitudes of different systems out there that literally, even if you had, you know, half a person on your side helping manage this process, you absolutely can do it and you can absolutely get get the external help as well. And obviously. Don't skimp. Just get creative on what that is going to look like from the standpoint of getting other people inside of your system. We've got to make a decision because we only have X amount of dollars to come up with some creative ways so that you don't have to, again, feel like that you're having to make a trade off between abomination or your budget.

Brian Selfridge: [00:24:50] I feel like there's several topics in health care that fall into that category, third party risks is one of the problems that are too big to solve. So we just we don't do anything or do or we sort of throw a token effort at a third party risk, medical devices. Another one is medical device security; we say, well, this is really complicated. There's a lot of stakeholders. There's dependencies on third parties in that case to medical device manufacturers. And we just say, well, I'm not really going to invest much in this because I don't know really how to fix it right now. And doing nothing just kind of exacerbates the problem.

Brian Selfridge: [00:25:19] So to that end, I want to talk to you about the future, about where this space is headed, given that we may not be making the headway in managing risk effectively, if we just look at the breaches like SolarWinds as a microcosm, but the sort of scale of breaches, the volume, that that's sort of the curve that spending upward in all the wrong ways for for that thing. How do you see? How is this threat landscape and risk situation playing out in the next five to 10 years? Is it is it on that curve? Is it going to keep doing what it's doing if if we don't take measures or how do you see it evolving?

Devon Wijesinghe: [00:25:58] I definitely don't see it getting less. Right. So, you know, it's interesting. You don't hear of people robbing banks anymore, but do you ever hear of like a guy walked in and got a bunch of cash from holding a gun up? Like, I never hear about it anymore. It just there's so many less invasive ways. To do things and less likelihood of getting caught, so we think about just the bad guys in general. I just I don't understand why somebody, if they were a bad guy, were like, oh, well, we're going to go knock off a bank, like a bank doesn't even have that much money anymore.

Devon Wijesinghe: [00:26:45] Like, it's it's all digital, right. So so you could access somebody's Bitcoin portfolio and shave points off of that like and have a bunch of black servers. Why wouldn't you do that. Like to go to walk away. I don't know, like five hundred dollars in small bills that they might keep at one teller that they like know exactly who you are, where you get like I mean, what's the point. Right.

Devon Wijesinghe: [00:27:11] So, you know, I can't imagine if I was a career bad guy that my ultimate goal is to take the highest risk for the lowest reward. So I don't take the lowest risk for the highest reward we'll get. That's what that's through penetration of infrastructure and that's through hacking including the third party supply chain. It's only going to get more. It's only going to get worse. There's going to be ways hard to keep up with all of them, but absolutely one where. Good can outweigh the bad.

Devon Wijesinghe: [00:27:55] And there's no you can't just lay down your arms, if you will. The reality is, is that we need to be constantly evolving just as we're all constantly evolving and everything we're doing and be rest assured that there's a lot more coming. It's it's not going to come in the face that you think it will. It won't be obvious and it will come through likely third parties and not even your own folks. So be watchful.

Brian Selfridge: [00:28:28] How do you see our solution set evolving to to keep up with that situation? And what do the third party, the solutions of five to 10 years from now look like? Are they are they different iterations of what we have today? Are they more focused on the data? I know that was something you mentioned earlier. What is it? What does it look like and how do we catch up?

Devon Wijesinghe: [00:28:49] Yes, I think the number one thing. Right, like you can't impede commerce. You have to do enough vetting. You have to do enough. That doesn't stop the flow of business. Right, and so you mentioned something and again, I think maybe coming full circle to the beginning of this is like know data at its core. How do we maybe share information that's approved with secure access and not not entirely proprietary and so forth, but that industries, particularly in healthcare, where there's such a critical mass of of third parties that serve a multitude of different insureds and systems and so forth. How can we do better by by exchanging information quickly and then creating a clearinghouse that allows for folks that have been cleared?

Devon Wijesinghe: [00:29:46] Kind of, I think, of literally the Clear system at the airport. Right. Kind of like TSA PreCheck, very similar. How do we create a clearinghouse whereby people could participate in that? And then it would be like a central focus where, oh, this has been approved and this is the last time that was done. Here's the standards. But you're also getting a getting a seal from a really reputable source and it's peer reviewed to that.

Devon Wijesinghe: [00:30:17] Then you can go, oh, the vetting I need to do, maybe only a little bit different, a little bit more specific to me. But the vetting that the standards, the NIST standards, all these different other standards off to do up and all these are the ones that you're getting access to that with, let's say, third party approval, potentially instantly. And so some people have created things like exchanges and so forth.

Devon Wijesinghe: [00:30:41] And obviously those are unique and interesting. But if you could if you could work with all these different ones and if we could, we could have, again, kind of peer by and you can have a clearinghouse that really acts as that function. And, you know, maybe we come upon the TSA PreCheck or the Clear that works for health care and I see solutions and an industry moving towards that direction.

Brian Selfridge: [00:31:09] Well, Devon, this has been a fantastic discussion, I guess I'll just leave us with, in the interest of time, just any other thoughts or lessons learned or insights that you'd like to leave with us, just as we think about taking addressing the SolarWinds, which is where we started, and maybe more this more broad risk management for third parties and supply chain going forward. Anything else you'd like to let let folks know about or think about as we as we try to figure this out together?

Devon Wijesinghe: [00:31:34] Yeah, don't don't be intimidated. Data is not intimidating. People can help you distill that really into simple forms. And, you know, I'm a simpleton, so I just think of things like red, yellow, green. Right. You know, think about think about your business in red, yellow, green. And the data is just to just a byproduct of that, and so if you can if you can simplify it in your mind, you can wrap your head around a number of different solutions and obviously things that we provide to that that make it a lot easier. And again, definitely don't ever let that impede commerce, make sure they work hand in hand together.

Brian Selfridge: [00:32:14] Fantastic thoughts and much to take away here for us to chew on, so I really am very thankful to have you, Devon, for taking the time to share these insights with us. So I'd like to thank my guest, Devon Wijesinghe, for a great conversation on third party supply chain risk and one that we will probably have to have you back on to see how our predictions are panning out over time and how these solutions evolve. But thank you so much for being with us here today.

Devon Wijesinghe: [00:32:38] My pleasure. Stay vigilant, my friends. Thanks, Brian.

Brian Selfridge: [00:32:57] Again, I would like to thank my guest, Devon Wijesinghe, for sharing his insights on the SolarWinds attack and third party supply chain risks. I appreciate Devon's vision for where we are headed in third party risk with data and technology at the center of both our challenges and the solutions going forward. But third party risk, we clearly have a long way to go as the health care industry grapples with multiple threats on the clinical and business fronts amidst unprecedented pandemics and global cyber attacks. And hopefully not a whole lot more this year. We'll try to keep it to those two difficult items. As always, we'd like to have your feedback and hear from you. Feel free to drop us a note about what topic you'd like to hear about or thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of the CyberPHIx. We look forward to having you join us for another session coming up soon.