The Bleeding Edge: Healthcare Cyber Threats That Cut Deep


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Major shifts in the delivery of healthcare are introducing new and unforeseen cybersecurity and privacy risks. Cybersecurity and risk leaders in healthcare must rapidly adapt their programs and protection mechanisms to avoid adverse impacts from evolving cyber threats. 

Any one of these emerging risk areas can cut deep and have material impacts on patient safety, financials, reputation, and more. In this session, we provide an overview of new cyber threats and solutions through the lens of Ron Belfont, Information Security Officer and Director of Security & Support Services for Bayhealth Medical Center, and his years of experience safeguarding patient information and systems. 

Topics covered in this session include:  

  • Internet of Things (IoT) & Internet of Medical Things (IoMT) challenges and solutions 
  • Securing health apps and wearables 
  • Emerging regulatory changes, including HIPAA 
  • Cybersecurity approaches for the remote workforce 
  • Fourth-party vendor risks and securing the healthcare supply chain 
  • Cyberwar and changes to the threat landscape 

PODCAST TRANSCRIPT

Brian Selfridge: [00:01:13] Hello and welcome to CyberPHIx, the leading podcast for cybersecurity risk and compliance, specifically for the healthcare industry. I'd like to welcome my guest, Ron Belfont. Ron is the Information Security Officer and Director of Security and Support Services at BayHealth Medical Center. Prior to a security leadership role, Ron has held positions in customer service, support management, application development, infrastructure, and more, both inside and outside of healthcare. I'm excited to be speaking to Ron today about a slew of new cyber threats and vulnerabilities facing healthcare organizations this year. Our session is titled The Bleeding Edge Healthcare Cyber Threats That Cut Deep. We're taking on an ambitious agenda today to cover a flyby view of many of these emerging threats to our businesses. And really, any one of these areas does have the opportunity to cut deep and have material impacts to patient safety, financials, reputations, and so on. So we'll cover a lot of ground today, and I try to give you a little taste of each area through the lens of Ron's years of experience safeguarding patient information and systems. So with that, Ron, thank you so much for taking the time to join us on the CyberPHIx today. 

Ron Belfont: [00:02:16] All right. Thank you so much. It's a pleasure to be here. It's nice to be on the side of the microphone instead of just listening. I am a fan of the show, so really happy to be here with you. 

Brian Selfridge: [00:02:25] Well, we're thrilled to have you here, both as a listener and as a guest. So we'll look forward to getting your insights on all of these topics. And the first one I want to start with is around IoT, Internet of Things, Internet of medical things. There's all kinds of terms for the same stuff, more or less. But I was wondering if we could just start off level setting with the audience a little bit about maybe the difference between IoT, Internet of Things, and IoMT, Internet of medical things. Are they the same thing or is there or is there an important difference that we should be aware of? 

Ron Belfont: [00:02:57] It's a great question, Brian. And there is a really important difference that we need to be aware of. Typically, when we talk about IoT, the world of IoT, just take a look around your house. There is tons of IoT equipment in a house, so your connected smart speakers and your Ring doorbell, whatever it may be. Anything that's talking to the back to your wireless router in a house, that's an IoT device. In the workplace, in a hospital here, typical IoT we'll think more about building automation systems. So things that would regulate your temperature, maybe the blinds in a patient room or the lighting in a patient room. But when we start talking about the IoMT, that's the medical devices. And that's where there's a lot more risk to the patient when we start talking about the security on an IoMT device. Of course, the IoT device, we have to be cautious about that from a security perspective because we want to protect the perimeter and things like that. But the stakes are much higher when we start talking about IoMT, the medical side of the house. 

Brian Selfridge: [00:04:05] Now, are the threats and solutions different or the same for protecting IoT or IoMT devices, recognizing there's a distinction in the criticality of those devices? But is it the same playbook, or do you need a slightly different playbook for medical devices? 

Ron Belfont: [00:04:19] Well, the threats are very much the same. It's obviously a lot more of a risk to patient safety threat when you start talking about IoMT. So if we're looking at a hospital, typically you have limited resources, either funding wise or staffing wise. So while you need to do a good job with protecting everything, the IoMT definitely needs to be the higher of priority because at the end of the day, there's a life that may be in jeopardy if we don't do a good job there. But the mechanics of protecting that, whether it's IoT or IoMT, really are the same. And for a lot of healthcare organizations, the first step is just identifying what's in the network or hanging on your network, I should say. We recently implemented a tool here that helped us identify everything that's really on our network. So traditionally in IT, we start to talk about, well, we know we have x number of servers or PCs or whatever that might be. And then we take a look at a tool that really does a more robust discovery for you. Then you start to find all these different pieces of equipment that have snuck onto the network over the last five, ten, 15 years. And that was really eye-opening for us. So first, understanding what's in the environment and then parsing that out to decide and understand the classification on that, that will help you decide how are you going to go about securing that, what process you're going to use? And at the end of the day, it was somewhat jaw dropping to see how many devices we had on the network that were indeed very old and out of date in terms of firmware. So that was part of the discovery. And then the remediation efforts, that's where we are right now, where we're going through and not only just identifying but fixing a lot of the things that we have discovered. 

Brian Selfridge: [00:06:20] And we talk about things sneaking onto the network. And I absolutely understand that as any large network with a wide variety of business units and stakeholders is going to have stuff cropping up. Is there anything we're doing now? Is there should be doing as industry to sort of stop the influx of these devices either at the network sort of connection layer initially or procurement. Is there any way to catch those before you discover them later with the tool? 

Ron Belfont: [00:06:45] Absolutely. And when I say sneaking onto the network, a lot of this didn't necessarily sneak on. These are things that were consciously decided upon that we were going to add to the network. But before we knew better, we would just allow things on because the vendor said, Hey, you need this, enable to in order to run something. So we put it on the network. And largely, I think a lot of people, regardless of whether it's healthcare, I.T. or other industries, there was this notion, this idea that it was a set it and forget it when it came to some of these devices that are taking care of building automation and things like that. And then the threat actors are very smart people. And when they start to realize, oh, I bet you they forgot about that device that manages that boiler down in the basement and those became exploitable and newsworthy. That's when the whole industry changed around, Gosh, we need to secure these things too. So there has definitely been an awareness, thankfully, an awareness cycle, if you will, on that. So what we do now, here, we have a very rigorous process in place. So when there is something that's coming into the organization, whether it's clinical engineering or our plant operations and facilities, there's a process to go through to vet that. What is it that we're installing? What is it that we are installing here on our network and then talking to the vendor to understand how long they support that and how long they offer patching and updates for that. So that's one of the things that we weren't doing just a handful of years ago that we are doing now. So I think that's I don't think that we're unique in that space. I think a lot of organizations have moved into that direction. And if anybody is listening at an organization that hasn't moved in that direction, this is probably a good time to start to consider a process internal that would work for you. 

Brian Selfridge: [00:08:42] Well, in terms of audience members, let's say listeners that haven't gotten off the ground yet might be making that business case for getting some investment in IoT and IoMT security. Are there certain threats that you think are more important or more critical? For instance, do we when you go to make your pitch to leadership and say, I need some more funding for this, are you talking about ransomware as being a predominant threat or hackers specifically targeting these two? Like, what are the top maybe one or two threat sources that you're most concerned about for these devices, in particular? 

Ron Belfont: [00:09:17] With these devices? The thing that I'm most concerned about, Brian, is that they are often several years out of date. By the time we have made that initial discovery, running an old version of Linux or whatever it might be, and firmware hasn't been updated, say three or four, four or five years. So at a high level, ransomware is always a concern. And we have a savvy senior leadership team here. They're very engaged in a security program, and they recognize that as a threat that we live with on a daily basis. But we start to talk more about IoT devices. Again, that's where the threat vector really changes, because now we're talking about if that is breached, if that device is knocked over, it could really have some dire consequences that it turns it to something that could be life-changing or life-ending. So we have to be very careful about that. And again, we have a very savvy leadership team here and they understand those threats. So they've been very generous in funding the program. So I'm very fortunate to work in an organization that does I'm doing air quotes here, but they get it, which I think any CISO, they have a responsibility to try that, to try to paint that picture for their leadership team, to help them understand it's not an IT thing. It's not a cybersecurity only. Hey, gee whiz, here's a new tool. Look what we're doing with it. It's we need these to be able to protect our organization, our patients. And at the end of the day, that's really what we're here for, is to do the right thing for the patient. So I think looking at the two sides of it, IoT, IoT, both critically important that they get secured and really helping the senior leadership and other stakeholders, even up to the board level, understand the urgency behind that, I think goes a long way in getting funding for a cyber program. 

Brian Selfridge: [00:11:23] So let's say you've got the cyber program funding and everybody's bought in there. You've scared them appropriately. And hopefully, we're not doing too much fear, uncertainty, and doubt anymore, but hopefully, you've gotten that buy-in. What are some of the strategies and solutions that you've seen that are effective at sort of protecting IoMT and IoT devices either now or going forward? You mentioned inventory tools and visibility. That sounds like a first step, but are there other things that organizations should be doing from your experience. 

Ron Belfont: [00:11:51] At that point? I don't think our organization is much different than many others. We have an IT department and we do have a separate clinical engineering department. Bridging that gap and bringing those two different departments together and working collaboratively is it's a critical step in securing the comp devices. And same with our plant operations team reaching out to them and helping us understand what does that widget control down the hallway? So building those relationships internally and trying to drop that barrier, if you will, around cybersecurity, that here comes IT and a cyber guy. So going to make things difficult, expensive, hard. It's let's talk about this for a minute. What does this device do? What does it control? And is there a patient on the other side of that? And then we start to talk about those what if scenarios. So if this device was unavailable because it did get ransom or it was knocked offline, what would that impact be to your area of the business? So would we lose steam or what would happen here at that level? I think when we start to have those types of conversations with other stakeholders that don't necessarily understand the cyber side of it, but they certainly understand their side of the business. 

Ron Belfont: [00:13:10] That's when you start to have some really productive conversations. And now it's not a here's an IT thing, but here's something that we're working on together to make sure that that steam down a hallway is always going to be available or the hot water stays available, whatever it may be. And similarly, on the IoMT side, it's the same idea. So inventory, build the internal partnerships, and then you have to develop a pecking order as to where to start with this because it can just be overwhelming. So what is the most critical risk? And there's different metrics to use to evaluate and determine what is the most critical risk. And once you have done that, then start at the very top of the most critical and then put together milestones along the way. So there are some victories and I think that's just project management 101, really. So start someplace, have an end in mind, and then have milestones along the way so you can show meaningful progress through it. 

Brian Selfridge: [00:14:10] I think that's fantastic. And I'm sure there's a long, longer runway here for us to figure out IoMT and IoT over time. But I do want to I promise at the outset here we would cover a bunch of topics. So I'm going, this is like the Lightning Round episode here today, but I want to switch gears with you a little bit, Ron, and talk about take our heads out of the enterprise healthcare, enterprise security side of things just for a moment. And we'll come back and talk about some of the risks to patients in particular around securing health apps and wearables and some of these devices that that many of us will acquire privately, so to speak, that's not directed by our health system or our primary care provider. But hey, would it be cool if I had this app that tracked my this or that and I could put it in my vitals and I could make sure I'm alive and all that stuff? Are there any specific security threats that just as a patient that you think or you advise patients to be aware of as they're becoming their own little mini? Chief Information Security Officer of themselves that that should be sort of paying attention to as they sign up for or get one of these devices or apps. 

Ron Belfont: [00:15:16] Definitely, Brian. I have a wearable myself. I've been using it for quite some time. The biggest concern there is around the privacy, the privacy aspect of that. So as an individual wearer, it's always a good idea to understand where when you sign the agreement to begin to use that application. You know, by installing you accept these terms and conditions. It's always a good idea to understand exactly what you're accepting, what information are they collecting about you? What information are they storing about you? When information is shared with other organizations, who has access to that and even where your data is being stored because HIPAA laws don't necessarily apply outside the borders of the United States. And those are things that a lot of folks just aren't aware of. They think, well, I bought this device. It tracks my heart rate. It tells me when I have to go to sleep, how much calories I need to burn today. It's great. But we do need to be a little bit savvier as consumers as to where that data is going. So privacy is the biggest concern there because again, that does fall outside the enterprise. And quite often people are very alarmed when they get phone calls from solicitors saying, hey, Brian, you know what? I see that you've been you lost 15 pounds. It's great. We've got this great diet plan for you. It might seem at first as spam type marketing, but then you have to stop and think, how do they find that out? So where is that data going? Those are the types of things that consumers definitely need to be aware of. 

Brian Selfridge: [00:17:02] So is it an all or nothing thing or do you. For instance, like if I have this wearable and I'm checking it out and I see something really alarming, like we will share your we reserve the right to share your information with whomever and however we want and you know, you have to deal with it. Is this a situation where you just need to totally walk away from some technologies or is this more of a the skeptical buyer's kind of guide where like maybe there's one device does it better or maybe there's one device gives you some options to opt out of certain pieces. Or do you think you just walk away from some of these sketchy places? 

Ron Belfont: [00:17:31] If there is the ability to opt out, certainly that should be an option, a viable option. Every reputable manufacturer would be able to offer to a consumer at this point the ability to opt out. And I know in Europe that's that's something that is required by law through GDPR. So I think the industry is starting to move that way towards opt out, selective opt opting out of certain data collection and data processing and storage. But again, it really does turn into the consumer needs to be better aware of that. And I don't necessarily think that through a lot of the marketing efforts that are put in to talk about the benefits of the wearables, they're very seldom, if ever, is it discussed around the privacy in a perfect world and the world that I'd like to I'm sure you'd like to see this, too, from a security perspective, in a perfect world, maybe one of the marketing things should be about not only does it do all these great things, but we protect your privacy and here's how. So it would be nice to see if the industry would adopt that type of approach. 

Brian Selfridge: [00:18:47] We're putting our I mentioned we took our enterprise security hat off for a minute there. Let's put it back on, because I want to talk about whether or not you get questions about these types of wearable apps and health apps, even though they're not provided by the health system or by the organization. Do you get questions in routed through staff or others about what are best practices? What do we advise patients to do? Or is this largely the conversation that that that hasn't or isn't happening within the four walls of the health system and is sort of thought of, well, that's a patient thing and they need to figure it out. Or do you actually get and field some questions around this stuff? 

Ron Belfont: [00:19:22] We definitely get in-field some questions around this. And it's interesting to know we're talking consumer-grade completely, consumer-grade talk and Fitbit and things like that. But there are wearables that some of the patients have, whether it's an insulin pump or something like that, that's wearable as well. That was actually prescribed by a physician for this patient for them to stay healthy and alive. So there are there is that duality of wearables as well. There's the pure consumer grade that you can just buy through Amazon or any major retailer. And then there's the wearable that certain patients need in order for them to just function and have a good life in existence. So that's where we really have to be careful about, again, not only privacy on those, but some of that information on those physician-provided wearables. We have to protect that data because at some point that data very well may be coming into our EHR. So that's where we have to have some that's where the wearable turns from the personal device into now it's something that we've got to manage at a corporate level as well. And that's where things get a little bit more challenging. 

Brian Selfridge: [00:20:40] Yeah. Maybe it's we need a new acronym because we love that. We'll do Internet of Medical Wearable Things, IoMWT. That'll be the next asset category. Someone will kill me for adding more acronyms. So, you know, my understanding, at least over the course of time here, is that most of these consumer-grade wearables are not in scope for HIPAA. And I think that's a common misunderstanding at the patient level. Like, Oh, well, I bought this Fitbit or whatever and it's HIPAA. They'll make sure to protect it. But, you know, that's not the case. We've seen the FTC sort of trying to jump in here and put more regulation enforcement around those consumer-grade devices. And then, as you mentioned, there's this overlap between sort of some that are kind of consumer-grade, kind of commercial grade. What have you seen and observed just from a regulatory perspective around these types of devices? Any trends or anything that you if you've seen wearable manufacturers investing in security or not just any anywhere you want to go with, that's fine. 

Ron Belfont: [00:21:37] It's a great question, Brian. And again, I think. As more consumers do become slowly aware of the potential privacy risks that are inherent to these devices, manufacturers will respond with better privacy offerings and as we just mentioned, the ability to opt-out. And if a manufacturer doesn't have a strong privacy statement or the ability to opt out of some of the data collection, it's probably in the consumer's best interest to walk away from a product like that because there's no better way to send a clear message to a manufacturer that their product is really not fit for the market in the current market space than just not purchasing that. So I think what we're going to wind up seeing over the next few years is that the wearable market at the consumer edge will continue to just grow and expand at a rapid pace, as it has been for the last several years. But I do think that along the way, there's going to wind up being some consolidation that only the biggest and best and most technologically sound companies are going to be the ones that are going to be pushing the product out successfully. And the other is there's always going to be the smaller I don't want to say less expensive, but typically in consumer electronics, you've got the top tier and then the mid-tier and I think the top tier that will be offering the products on the services that wrap privacy in there as a real offering in their product. Those will be the ones that survive and the others are going to become smaller, niche players. 

Brian Selfridge: [00:23:17] Or they'll get breached to death. Right. I wonder if there's a term for that. Some of these small organizations, vendors that just can't survive the big breach. 

Ron Belfont: [00:23:26] It's unfortunate, I just read an article about a college that a university that after 157 years of being a viable institution, unfortunately, had to close their doors because of a ransomware attack. So that does happen. 

Brian Selfridge: [00:23:43] Scary stuff for sure. And we think about how big the impacts are to larger organizations. These smaller vendors just can't, can't suffer, suffer it. That's a whole nut. We'll get back to fourth party and third party risk in a moment. So save that one for later. But I do want to stick a little bit on this sort of regulatory topic we mentioned earlier, because I think there's there seems to be a lot of movement. You know, HIPAA's, what, 25 years old or something? My math is probably off there, but things are getting a little stale. On the regulatory side, you have OCR changing the way that they're going to be issuing and distributing fines to potentially give some of that to some of the victims of breaches. We have the HIPAA safe harbors. I'll put that in air quotes as well that they're putting around this new adoption of cybersecurity best practices that OCR is kicking around. We've got federal regs and bills being introduced just in that whole sphere. What do you have your eye on and what are some of the trends that you're watching for on the regulatory side that you think might have some legs that you need healthcare organizations should be prepared to address? 

Ron Belfont: [00:24:47] Right before we did start the recording of the show, as you and I were getting ready to start, we did talk and touch briefly on I'm just looking at the screen here, Brian. I apologize. But we did talk at the right at the onset of the show about the bill that was just passed, the Strengthening American Cybersecurity Act of 2022. So this is going to be something that. I'm not quite sure how deep that's going to impact healthcare IT, but I think that act is going to wind up having an effect on the other 15 critical industries or infrastructures as CISA has identified them. So healthcare is one of the critical 16. And healthcare we've always been on the hook for reporting any kind of a breach. And if we don't do that, there's a penalty. And if we don't notify patients, there's a different penalty. So healthcare is very highly regulated when it does come to, I guess, post-breach activity, which I think is very interesting because you mentioned the HIPAA laws being 25 years old. That's our framework, right, that we're still working in these outdated type of you must do this as a healthcare industry, but not necessarily that here's what's required and here's what's recommended. 

Ron Belfont: [00:26:15] And if you go back and look at that, I think 25 years ago, that was a good framework. But just like anything else, it's 25 years old now. It probably doesn't really fit. So I do think that we need to have a deeper look at what is expected and required of healthcare in terms of cybersecurity, some of the things that maybe were recommended, they all now to be required. But going back to this law that was just passed I'm sorry, the bill that was just passed, that's going to put the same level of reporting responsibility on the other critical infrastructures in the United States, that you start talking to the chemical industry and communications industry and things like that. So if there is a breach, they're going to have to report as well. So in some ways, it's. It's helpful because again, it raises the bar in cyber across all critical infrastructure, but I'm not quite sure how much that's going to play out and really change the drum that we're marching to here in terms of what is required and mandatory and so forth in healthcare. 

Brian Selfridge: [00:27:34] I'm curious to get your perspective about one of the ongoing debates that we hear and then get we have conversations with OCR and talking about updating HIPAA and what they want to do. And it seems like there are two ends of the spectrum. Like HIPAA was originally written to be really pretty vague and not by design to allow flexibility for organizations to adapt and adopt the pieces in a way that made sense for them. But a lot of new regulations and standards have also been getting more prescriptive because organizations say, well, you know, it's too vague to tell me, I need to do encryption, you need to tell me where and how and what or for instance, or organizations may say, well, is multifactor authentication required or not? And what do you do? You think it would be helpful to lean in any particular direction in the spectrum? Like, tell us exactly descriptively what we need to do and then everybody has to get behind that. Or do you like the flexibility to kind of call your own shot within some rough guidance from a regulatory perspective? 

Ron Belfont: [00:28:32] That's a great question and a lot of ways that is a question that is a bit careful how you answer that. Right, because how much control do you want to surrender over to the federal government to tell you exactly how to run your business or your shop or even your industry, for that matter? However. I do think that there needs to be a revision of HIPAA, and I don't think the, experiment, I'll call the experiment that we've been on with over the last couple of decades. I don't think it produced the results that we wanted. And I really think that the healthcare industry, when it rapidly went from paper to electronic through the Meaningful Use Act in 2009, changed the landscape. It took a few years for the threat actors to sniff healthcare out, but when they did, by 2013, 2014, 2015, healthcare was in the throes of just became a punching bag for the threat actors because there was a rapid move from paper to electronic using outdated regulations for security. And there is a very short time frame in which to revolutionize the entire industry. So just in a handful of years, you went from paper to electronic, and unfortunately, security took a backseat in that rush because recall there were the incentives. If you met, you were incentivized to receive reimbursements that would largely offset the cost. If you didn't, then there are penalties where you would not receive the same reimbursement through Medicare or Medicaid. So I know this is a really long answer to get back to the what the problem here is when the healthcare industry moved from electronic to paper to electronic. The regulations didn't adapt and change with. And then when healthcare start to get became the primary target for threat actors and ransomware a few years after that move to electronic still no change to the regs at that point. 

Ron Belfont: [00:30:54] So we've been living in an environment where healthcare is just being picked apart for the last not quite a decade, but we're coming up to it shortly where it's just been bad news after bad news for healthcare. So how do we get out of that? Clearly, the loose regs that we have in place that are 25 years old, don't work anymore. It doesn't appear that healthcare, if left to their own devices, are necessarily making the right investments. And this turns into it really comes down to resources. So if a hospital has a half-million dollars to spend, do they want to buy a couple of new CAT scan machines which will generate money or do they want to build a cyber program? And it just comes down to where the money gets allocated to. So, again, through individual organizational decision making, we haven't done a great job as an industry where we're going to put the money and the focus. So I don't want to say that I'm all for Big Brother stepping in and saying, this is what you have to do. But in this case, because lives are on the line, literally lives are on the line, I think that the government needs to step in and say healthcare, these are some things that you have to do. And we can take that same approach that was taken 25 years ago where this is what's now required and it makes some recommendations behind that. But that list really needs to be gone through and revised and brought into a modern-day era. 

Brian Selfridge: [00:32:30] Well, the modern-day is fascinating, right? Because it changes the modern-day feels like the modern hour because we're every day there's a new threat and something has changed. And that's actually one of the areas I wanted to talk with you today about, which is around the remote workforce phenomenon and this sort of massive move from on-prem staffing and cyber workforce, particularly in healthcare into the post-COVID work, remote work settings. And now it's not only healthcare that has to deal with this, I know, but healthcare, and I'd be curious if you share the same experiences been pretty reticent to allow folks to work remotely over the years for whatever reason. We're just very insular that way. And now it's finally happening. But it scares the daylights out of me from a cybersecurity perspective because I don't think we're quite geared up and ready to deal with it. So what have you seen changed from a security perspective or compliance perspective that the remote workforce has introduced that we need to pay attention to? 

Ron Belfont: [00:33:29] I would totally agree with you that the move to remote work hybrid models, it's been slow in healthcare and I think rightfully so. Again, we start talking about an industry that is largely playing catch up to other industries in terms of where we are with cyber. What we started to do here. We made a significant investment in the virtualization of desktop sessions and things of that nature. So we put a good infrastructure in place that would allow us to be able to offer that type of service to an employee if it was appropriate for that position, for them to be able to work either full remote or some sort of a hybrid scenario or a couple of days a week. But it has to start with some real strategic planning. A lot of healthcare organizations, they find themselves in a lurch, especially during the pandemic, where it was, you know, now we've got a contingency of employees here that we need to socially distance. The only way that we could do that is maybe we had to get them out of the building. So remote work. I know for a lot of folks that I have spoken to, it turned into something that just had to be done posthaste. So not a lot of planning went into that. So it grabbed the laptop, you know, download some kind of a VPN client and here's the IP address that you have to hit. 

Ron Belfont: [00:35:01] Don't worry about it. We'll figure out when you get in. That's a really bad place to be, right? So we were fortunate in the fact that we already had some of this infrastructure in place, actually a good piece of it, where we were able to then spin up some virtual desktop sessions for people to come in in a much more secure and controlled way. And it implemented dual factor authentication. So we were able to move in that direction and that's continuing now even as hopefully we continue to see the numbers trend downward and in the right direction. But that is really something that we're continuing to build on is have that remote capability not only for future of just regular work because that's what the workforce is really expecting at this point. But again, if there ever was a significant spike in numbers where we had to get a large number of people socially distance, again, we could send people out and know that they can come in securely. So again, planning a good infrastructure and having those certain requirements in place for people to work from home. Dual factor obvious and then. It's impossible to regulate, manage what people are running on their home network. So there's a lot of worry about that as well. So what's happening on the home network? Who has access to that network? I'll just. I'll stop there. 

Brian Selfridge: [00:36:45] I want to talk about that virtualization a little bit more because I think that that's a potential game changer for a couple of reasons. And so one question they'll come back to is, does that apply to both desktops and workstations, traditional workstations, because just, you know, I might be dating myself a little bit here, but back when I was a security officer, we would have like the tower, like the PC tower on the floor would go with get legs and somebody would and then you'd have to spin up this whole, you know, what data was on the machine and you'd have to wipe all that stuff. Laptops are well documented, and have been a problem for years. Does the virtualization partially or somewhat help with the whole encryption problem of laptops and workstations as it replaced that issue? And is it being extended to laptops, too, or is this just still a workstation kind of model, a traditional workstation? 

Ron Belfont: [00:37:31] We've got the primary model that we're using when people are working remote. It's a virtual desktop session. It runs in our data center. So the expectation is that that person goes home and they can use any device to come in and you're going to hit that authentication. So you'll authenticate dual-factor. And what you're seeing is you're just seeing a snippet of a desktop session in whatever browser window that you're using. So you can use the home device, or you can use a corporate-issued device. The experience is always going to be the same, whether you're using... it's platform and operating system agnostic. And the beautiful part about it is since it does run on our data servers and our data center, they're fully physically secured. Everything is backed up and everything is encrypted. So that's a huge benefit from a security perspective that we were not able to offer as an organization just a handful of years ago, because just like any other organization, our traditional external access back in was through a VPN client, and we all lived in that space for 20, 25 years, about the same length of time that the HIPAA regs have been around. Right. But again, the industry, the technology has changed. There's a much better way to do it now. So we adopted that model, like I said, just a few years back, and we're continuing to build off of that. 

Brian Selfridge: [00:39:10] Excellent. I want to switch gears a little bit here and jump back, actually, in a way to a topic I mentioned we would come back to when we were talking about wearables and vendors and all this stuff. So I want to talk a little bit about these third-party and fourth-party risks, which is now right. You have the third parties that provide you a service and then those third parties are using tools like Microsoft, Log4j, SolarWinds and those are I'm picking those vendors in particular because they've had some trouble. It seems like every few weeks we have some either third or fourth-party supply chain vendor or product that's become breached and all of a sudden everyone's scrambling. How have these fourth-party breaches impacted healthcare organizations from your perspective so far? 

Ron Belfont: [00:39:53] If nothing else, these types of breaches have really made it a lot more difficult for organizations, for healthcare organizations to become eligible for cyber liability insurance. That was when I just finished. I just finished filling out the application for liability insurance for us. And there was a separate questionnaire all around the Log4j vulnerability. How deeply impacted were we? What was our mitigation strategy? How long did it take to mitigate? And of course, they're asking the right questions. Right. But that is something, it's definitely a byproduct effect that happened as a result of that massive, massive breach. And I think one thing that. One of the questions that really struck me was, are we do we allow for automatic updates to be applied to our systems? And again, at a convenience, a lot of organizations have moved in that direction. Here comes a patch. It's automated. It's set up to go out to all your workstations, and all your service servers at the same time. How convenient for the staff. Thankfully, we've never moved in that direction. Everything that comes in goes into a sandbox and we look at that and we test it to make sure that it's going to be compatible with our systems. Because the last thing that we want to do is release an update or a patch that's going to break a system in clinical space. And now we've introduced a lot of heartache to the providers that are trying to take care of patients. So we do that to make sure that there's no interruption in the service that they already know and expect. But I think a byproduct of that is that in some way, having that little bit of insulation between the time that that is released and the time does actually apply to your systems. And holding that in that sandbox space has been a potential lifesaver for us from a cyber perspective. So. I don't think we're going to be running over to automating our updates anytime soon. 

Brian Selfridge: [00:42:11] Yeah. I've got some more stories there as well. I won't go too much into it, but I remember those days where you'd launch a patch and it'd be running a server that's running six or seven different apps. Some of them, it's the app dependency. It's like, Well, we use this old thing that hasn't been the app itself, hasn't been updated in ten years. And so while all the other systems were fine, other applications were fine, this one just stopped working, you know, and all of a sudden you've got patient safety implications. So, yeah, it's I wish that's why healthcare is so hard, right? It's not just I think from folks from the outside, some things the patch is out just to apply the patch, put it everywhere. Log4j was like, No, we've got to do our diligence, make sure we don't hurt anybody. Right. And that's something I think that's it gets under advertise of why it's so as we just talk about how hard our jobs are but it makes it really difficult. So you talked about with. Internet of things and medical things about getting visibility and getting your inventories and having tools to figure out what's on the network. Do we have a similar challenge here with third and fourth-party risk. Are there ways that organizations can start to inventory? Well, what third parties are we using and what products are they using to support them? Are we even starting that conversation? Are we there yet or how do you see that playing out? Put your take your crystal ball out. 

Ron Belfont: [00:43:28] Perhaps those conversations definitely have started because you have to understand the entire supply chain and not having that visibility into that, that puts the organization at risk because what you don't know can really hurt. So if again, if that's not on your radar now, it really should be on the radar to start to have those types of conversations. Understand who your partners and vendors are. Understand all the data that's being sent out of your organization. That was another thing early on in the program. Really spending a little bit of time understanding all the different SFTP jobs and what do we send out on a daily? What do we receive in on a daily? Where is it going? That is something that every organization needs to spend a little bit of time doing. Similarly vendors and third party really need to get a good handle on that and make sure that you have updated contracts in place, and updated BAs in place. Those are critical in the event that there is a breach. You need to make sure that you're protected legally. So that's something that I would strongly urge anybody that may be listening to this is that work with your internal compliance team, your legal teams, to make sure that you've got up to date contracts and business associate agreements in place with anybody that you are doing business and exchanging data with. 

Brian Selfridge: [00:45:01] I'm really pleased you brought up the data aspect because it's often we're so focused on the vulnerabilities and the systems and all the techie side of this, but we're voluntarily shipping data out outside on a pretty breakneck pace. And I've always thought about it like I used to work in investigations with the Office of Attorney General and in my local state here, there it was all about following the money, right? When you're trying to track down the criminals that follow the money, I think about it. Follow the data in our setting. Right? Like where is the data going? How much are you getting it? So just to digress a little bit, have you seen any work around that, any kind of data governance work or organizations starting to pay more attention to what data is going in and out in a truly organized way, or at least an ad hoc way for now. 

Ron Belfont: [00:45:46] Brian, that's a great question. I'm not sure what is happening in other organizations. I really haven't spoken to a lot of people in the industry about that specifically. I do know that we're having those levels that that type of conversation here at different levels of the organization really to get a handle on again versus data going and going back to the contract side of it to make sure that you understand what happens to it when it leaves here, your organization as well. So where is it being stored? And then we talked a little bit about that with the personal wearables. Where does that data go? It's even more important to understand that when you're talking about the hospital's data, your patient's data. Again, I would really urge everybody to think about making sure that that data stays stateside, specifically because the HIPAA laws do not apply. And that's something that we've got to be very conscious and cognizant of. Where is that data going? How long does it retain and what happens to that data? Should you and a vendor partner separate? So you might have a great relationship for three years, five years, ten years. They've got a lot of data about your patients. What happens when you're no longer doing business? All that should be in a contract upfront. So when you do get to the end of a relationship, there's no hard feelings or no back and forth about, well, that's not your data anymore, that's ours. We do, we de-identified it. What happens to it should be negotiated upfront when the contract is signed. 

Brian Selfridge: [00:47:15] Well, that's great insight and practical advice. So for our listeners, if you aren't having those conversations, make sure you understand what happens to your data when it, when it gets the relationship, is over, when you break up. So, Ron, we've covered so much ground here. I'm going to be selfish and cover one more area with you, because I know we're running short on time, but I'm just loving this conversation. So I want to talk to you about, I say, perhaps the most salacious topic for the end, but I'm going to ask you to answer it more quickly than the other areas. But I want to talk about cyberwar and the threat landscape that's coming from that. And I'll leave it pretty open-ended for you. But just how has this last year or two, even if we just talk about the last year, if we want to limit it to that, the cyberwar and the hacktivists, everything coming out of the Eastern Europe conflict and otherwise, how has that changed or how has that impacted healthcare? And what are some of the things that you have on your radar and some of the things you're putting in place to just protect against not only the current situation but perhaps as things may escalate. 

Ron Belfont: [00:48:18] What's happening in the news definitely affects cyber. I think it's really important that everybody on my cyber team, we talk about this on a regular basis. Everybody's responsible for checking up on different open-source information. So whether you're getting that through InfraGard or another source, each one of my team members has a responsibility to gather news every day and then bring that back in. We have a team huddle every morning, the cyber team here to talk about what's happening, emerging threats, things that we need to know about, even if it doesn't appear to be a threat. Things that happen again, geopolitical tensions can have a ripple effect because, again, United States, we're a great target for a number of foreign countries that look at us as the enemy. What better way to instill fear in a population than to be able to take out their healthcare system? So those are things that we need to be thinking about. It might seem like a small hospital here in a small state, but we are a target just because of the very nature of the work that we do here. So I think an awareness of that. And not again, going back to not the fear, uncertainty, and doubt. That's not what that's about. It's just a good, healthy awareness and making sure that we're not nose blind to hacktivist groups and other threat actors that are intentionally focusing on healthcare sectors, whether it's a group from Russia or China or whatever. We've got to be really aware of that because that does exist. 

Brian Selfridge: [00:50:07] I think that's a great nugget of practical advice for our listeners. If you're doing nothing else, huddle together. Get those conversations going and get your staff and your team because they're all looking and watching and seeing different things. None of us can keep on top of it all, all of it, even those of us that try have major blind spots. So we've covered so much ground today. Ron, I can't thank you enough for being a guest here on the CyberPHIx. This was just a fantastic conversation. And we put you through the wringer of having to cover multiple topics. I'm sure our listeners will appreciate that. I'd like to thank my guest, Ron Belfont, Information Security Officer and Director of Security and Support Services at Bayhealth Medical. Ron, thank you so much for your time today. This is great. 

Ron Belfont: [00:50:46] Thanks, Brian. It's a pleasure. Thank you. 

Brian Selfridge: [00:50:55] Again, I would like to thank my guest, Ron Belfont, who was the information security officer and director of security and support services at Bayhealth Medical Center. I really appreciated Ron's insights into all the topics we covered today. The few areas that stuck with me, in particular, were the idea to huddle together with your security team to keep on top of emerging threats. And I also appreciated Ron's recommended approach around virtualization of endpoints to secure the hybrid and remote workforce. There were so many other great insights here, and I hope you enjoyed this conversation as much as I did. As always, we'd like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is CyberPHIx at Meditology Services. Thanks again for joining us for this episode of CyberPHIx and we look forward to having you join us for another session coming up soon.