Solution Showcase: Pro Security In Your Pocket With Will Houston, Preston Duren, and Spencer Bales
Episode 128 • 3rd December 2025 • UnHack with Drex DeFord • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


Learn more at fortifiedhealthsecurity.com

I'm Drex DeFord, President of Cyber and Risk here at This Week Health and the 229 Project, where we're transforming healthcare one connection at a time. Welcome to this Solution Showcase, where we spotlight solutions that work. Let's see what's protecting patients and families today.

Drex DeFord: Hey everyone. I'm Drex DeFord, a longtime recovering healthcare CIO, now the cybersecurity and risk leader at This Week Health.

ys start off by saying thank [:

I've gotten to know these folks a little bit and, could be a good time. It's an episode where we're gonna dive into cybersecurity, and if you're working in the security team or leading the security team or anyone else in the health system in reality, you're all part of the security team in your health system.

This will be a great episode for you. We've lined up, for this really great conversation, three awesome cybersecurity leaders who have pragmatic solutions to some really tough problems. So get ready to take some notes because this will be a good one. Preston and Spencer are here with me. I'll introduce them in just a minute. We're also joined by Will Houston from MDI Hospital. Will leads the network and security team at MDI. And Will, we're glad you're here, and the best place to start is with introductions.

ourself and your role at MDI [:

Will Houston: Awesome. Thank you, Drex, for having me on, and thank you, Fortified, for inviting me. My name is Will Houston. I'm the network security manager at Mount Desert Island Hospital. I have been in this role for about 12 years.

It feels like 40. We are a small 25 bed critical access hospital located in Bar Harbor, Maine. Which brings together some very interesting things because we are at Acadia National Park. We are the second most visited national park in the country. We see upwards of 4.25 million people. So in the middle of the winter you can bowl down Main Street, but in the middle of the summer you cannot walk down Main Street.

Mm-hmm. So we see a pretty good influx of people, which makes us kind of one of the biggest small little hospitals I've ever had to work with.

oSec world for a really long [:

Introduce yourself.

Preston Duren: Thanks, Drex. So my name is Preston Duren. I am the Vice President of Threat Services here at Fortified Health Security. I spent a little over 15 years doing healthcare cybersecurity specifically, worked in some of the largest health systems in the US. Mostly on the provider space, really building up programs, maturing programs, helped start a threat team at one of the large, you know, three letter, uh, healthcare companies.

And, you know, then found my way over to Fortified, which worked out perfectly, because this is all we do. So, happy to be here. The, uh, things that fall up under me are things like your traditional SOC, your threat defense, right? Your SIEM, XDR, along with incident response, penetration testing, VTM, stuff like that.

So, happy to be here. Excited for a good conversation.

Drex DeFord: Preston's been on the podcast before too, so if you look back at some of the historical stuff with Preston and I, you'll get some other really good insights into some of the work that he does and some of the work he does at Fortified. Last but not least, Spencer Bales, the VP of Product at Fortified. Say hi.

us a quick overview of your [:

Spencer Bales: Yeah. Thank you so much for having me, Drex. I'm a Marine Corps veteran. My background was in IT engineering in the military as well. I, my joke is always, it's the one thing in life I'm really good at, right, is computers. So I've spent the last 15 plus years working in IT and cybersecurity across, you know, a mix of industries from manufacturing and the military to healthcare, cybersecurity.

Before joining Fortified I worked at MEDHOST, which is a big, you know, very large EHR, mm-hmm, software and hosting company. These days I, as you said, I'm the VP of Product at Fortified Health Security, where I get the joy of building and kind of shaping the solutions and the Central Command platform that Fortified offers and that we use to help organizations, you know, increase their cybersecurity.

you can kind of do a little [:

Whole journey that kind of started with fortified. And one of the things I want you to talk about is this. You mentioned something about the terrible summer, so I asked you a lot of questions there, kind of

Will Houston: enlighten ly. Absolutely. Yeah. No, no, no. Uh, so I actually am on my, uh, I, I,

Because it's in cyber, I refer to it as my second term.

This is my second time with Mount Desert Island Hospital. When I came back I was purely in the opposition of security and it was a lot, a 125-year-old organization that had policies that were probably 125 years old that needed to be updated. But along that journey, um, you know, we did, we started with the basics: governance.

eck boxed in that we had met [:

So the bad summer, we were in transition. We had just signed contracts and were moving to the EDR solution. With SentinelOne, we had about, let's say about 80% of our environment covered and we had our first introductory call with the incident response team. Like everything fun in IT security on May the fourth, which should be an IT holiday.

We had some alerts that came in at five o'clock in the morning. Fortified had sent some alerts to let us know that there had been escalation of privileges by six o'clock in the morning. We had already reached out to the Fortified SOC, but. Because I was in transition, I did not have full SentinelOne coverage because I was in transition.

I also had [:

We spent weeks. Weeks. So I went from talking to the incident response team once, to talking to the incident response team every day for three weeks. And sometimes late at night, you know, sometimes 12 o'clock at night when we saw some incidents going on. And that May the fourth was the beginning of a very long, arduous summer that we had up here.

Preston Duren: Kudos to MDI. Really, two things stand out to me. One, everybody says they have, like, oh, executive involvement, executive backing.

ow what it's like MDI, their [:

I mean, she is in it. Right? And then, and one way you know that is because most health organizations that experience something like this, you, there's no way that they're allowed to talk about it publicly.

It's hard to find people that actually talk about it and will, you know, to his credit and his team is, they're like, no.

ship that will gives and the [:

Drex DeFord: So you're in the process of deploying your... You're not fully deployed, you're still sorting issues with the SIEM. You've signed up with Fortified. Star Wars Day happens and the alarms start going off and you engage Fortified. Preston, what's it look like from your side of the house?

What's going on over there?

Preston Duren: Yeah. So I mean from our side, what we saw there is really exactly what we trained for, right? So alarms start firing, you know, within minutes. You know, our SOC's got eyes on it, but it wasn't just us having eyes on it, right?

It wasn't just us escalating. It's understanding the context. And I think that's really important. Right? So, you know, we got this context. We're not just looking at one alert, we're looking at telemetry and threat intel and all these things to kind of help tell this story and paint this picture to then present that to Will. It's kind of worst case scenario, right? So like you, you know, you always, you always gotta kind of make risk decisions on like, okay, what's the chances that during the transition period, right?

Like, you know, [:

We're looking at what we do have against threat intelligence and you know, it, I remember, you know, the kind of the tone and as we escalated that it wasn't really a tone of panic, right? It was more like, Hey, we've got something here. And, you know, from a cybersecurity guy's perspective it's one of those things that, you know, you look at so many false positives, right?

And when something does happen, you say, you gotta kinda remind yourself, all right let, let's stay calm. We know what to do. Mm-hmm. We've done this before. Mm-hmm. Let's put the playbook in action. Right. It's calling the troops. We got war room escalate to the client and kind of take it from there.

So that's kind of what, from our side on the back end, what we were doing.

into this not having all the [:

Even when the EDR is deployed, there's tons of stuff that won't hold the client, you know, won't hold the agent. And so you're still, you're inferring a lot. It's why it's important that you have people who have like, experience looking at these kind of issues.

Preston Duren: Absolutely. And in reality you don't always need all the pieces of the puzzle, right?

The playbook is the playbook where having all the pieces of the puzzle comes into play is like, how far can we remediate, right? But I only need a little piece of the puzzle to understand what's going on. And it's like once we identify that, it's like, alright, playbook in action, let's go. Right? So, you know, I think we, you know, would've loved to have everything, but give me something and I'll work with it.

Drex DeFord: This was all part of your Central Command setup. Right. Will you have when we talked earlier, you were sort of talking about getting started with Fortified.

ntinel One. We had not fully [:

Speaker 6: Mm-hmm.

Will Houston: And could not access anything else Now. And the other thing I'm going to, I'm gonna say and to everybody's awesomeness we, we shut down 170 accounts before seven o'clock in the morning. We were able to identify where the threat actor was emanating uh, and then we overkill.

And it was that guidance. Preston and the team, they go through this all the time. Mm-hmm. Yeah. I, hopefully I'm going through this once. Mm-hmm. And only once. So being able to kind of rely on that expertise.

Preston Duren: To Will's team's credit, you know, they jumped right into this, right.

So for him to say like, we do it all the time, and this is the first time, I mean, you know, the response, I mean, he talks about, you know, disabling all these accounts before 7:00 AM, right? I mean, that, that, that's impressive. And to do that, the, yeah, and the best part about it is, you know, there was no being defensive.

partnership. It's like, Hey, [:

Right? So a lot of credit to Will and his team.

Drex DeFord: I mean it's interesting, we talk about this all the time.

Cybersecurity's a team sport, but that's kind of the perfect example of the team sport coming together. Spencer, I wanna shift to you because I wanna ask the question about Central Command. Tell me about Central Command, Fortified Central Command, and what it is and how it works and what it does.

And, you know, just kind of gimme the lay of the land.

Spencer Bales: So a few years ago we, you know, as we talked to our clients, we worked with them on all these different managed services. One of the resounding things we kept hearing was, we've got all these services with Fortified. You guys have a lot of this data on us, but we don't have any way to bring all that together, right?

ce and be able to see how we [:

All into one place. So for us and for our clients, they have kind of one place to go to consume anything that they may need from us on the Fortified side as we're partnering with them on these different managed services. So, you know, the goal for us is that we help you kind of prioritize what matters most and streamline how you track and address things like escalations and vulnerabilities or, you know, your risk assessment when you're going through a risk assessment with us.

That whole process takes place in there. So the goal really is that it becomes like the operational hub that kind of powers how we deliver all of our managed services. So we've got modules for all of our technology enabled managed services, our advisory services as well. Things like risk assessments, third party risk management, stuff like that.

kind of give feedback. He is [:

Like, we don't wanna just build something that there's some stuff Preston and I always joke about when we were designing a lot of the features and there's stuff that like, we would be like, this is so cool. And then we'd show it to the clients and sometimes they're like, that's not that cool. And then we would be like, this is super basic.

And then we put it out there and clients would be like, that's what we need. And we're like, okay. Well, but it's been a fun project to work on as we've kind of iterated on it over the years.

Drex DeFord: I think the iteration's kind of the key to the operation. One of those things that I wanted to ask about Will, was you mentioned the SOS button at one point.

Can you tell me about that?

's that type of relationship [:

Spencer Bales: Just for you. Well, you sent that in. That's right. And we sent it straight to the developers.

Preston Duren: You gotta prioritize the important stuff and emojis we do. And you know, it's like, how can we forget?

Drex DeFord: Yeah, absolutely. That has to definitely be one of the ones. So tell me about that SOS button. You've mentioned it you were mentioned it when we talked earlier and. Kinda hear that story again. Okay.

Will Houston: So, so the SOS button, it exists within the, the platform. The work life balance is kind of where it comes in.

So I can put this thing on my phone. I can see that I have an escalation and I can react to it from my phone. And the one thing that we're talking about a lot in cybersecurity is burnout. So imagine if you will it's nine o'clock at night. I have a network administrator who receives kind of a weird alert, well.

y is not falling, but I need [:

And then they reply and they start to go to work. So here I am. It's nine o'clock at night. I'm on my cell phone. I'm not nowhere near my computer, and I'm allowed to communicate with a SOC two or a SOC level technician to verify a vulnerability. It turned out to be a false positive. But again, no waiting, no stress.

Myself and my colleagues have all been through it. So anything that you can do that allows me to have the ability to, I don't know, go to dinner with my wife,

Speaker 6: right.

Will Houston: And still kind of have that protection, it matters. It's interesting.

Drex DeFord: No call tree or no bot you had to work through. You just, this is, that's great.

initially build that mobile [:

But you know, we built, we're like, well, we want people to be able to contact the SOC and be able to get escalations on their phone. And what we didn't, what we weren't thinking at the time was, we want to correct some of that work life balance or help them keep some of that work life balance.

It was just, well, everything's got a mobile app, we gotta have a mobile app and we wanna get things out of email a little bit. But we heard from folks like you and many other clients that said, Hey, you know, one kind of tertiary benefit of this has been that like after hours I'm not living in my inbox.

Because they're like, what would happen before is I'd kind of constantly be checking, looking for an escalation or an alert. And then, you know, pretty soon you start scrolling and it's been 20 minutes and you're like, you went to check for five seconds and you look up and you've been in there for an hour scrolling through your email.

And, you know, clients were like, we're able to see it. We know that if we get an escalation, it's gonna pop up on that lock screen and like we're gonna be able to address it and then go back to dinner with the wife

leviate just a little bit of [:

I mean, I, I sleep with my cell phone by my bed. Yeah. My boss knows this and will text me at six o'clock in the morning and my wife is like, just don't sleep with the phone next to your bed. And I'm like the data breach happened at five 30 in the morning. Mm-hmm. My phone will forever be beside my bed.

Yeah. But just rolling over and being like, Hey Preston, it's your favorite vegan. Um, and sending him a text versus, you know, setting a five alarm fire. It's a big deal. I mean, it, it really is. It helps, it helps me as a client, but it also helps you guys because, you know, you're not having to triage 80% of the phone calls that probably come in.

Yeah.

other examples of how you're [:

Will Houston: We are a big fan of succession planning. You know, I am, there's not a whole lot of security professionals up in down East Maine if you will. So for me to be able to centralize and get all of my documentation in one location, that's a big deal. If something were to happen to me being able to know that the hospital and the organization is still gonna have everything it needs, means a lot.

So, yeah, I am moving a lot of our information and infrastructure into Command Central. Incident response is coming. Um, we use the Escalation IQ. Unfortunately for me, everything comes in on a Saturday or a Sunday. Wow. I gotta think of all the things I've got. I got MDR, XDR, I've got IoT that I do with them.

ir name. De Jour, has been a [:

And then I've got the 108 questions being asked by us for NISTs. So, we are living in it and we are building it to be our security repository. As I look at the risk registry I have looked at other compliance softwares before and it's gonna be the last one we're gonna load all this data into.

It gives Fortified the extra information that they need to help me in a bad day.

Drex DeFord: So how are other customers using Central Command? What other things are they doing with it?

about them. So we have this [:

And so it's like when they go to create an escalation, we try to surface to them relevant information about that client and other services they may have or other details about that client historical knowledge we have about them. So when they're looking at something and they're doing an investigation and deciding.

Hey, does this need to get escalated or not? They've got a bunch of contexts perspective, and the more services we have, the more data and information we know about to kind of provide that context, and we're working to kind of bring that throughout the organization. So things like as part of the RA, and now as just part of the platform, we kind of document what other technologies you may use.

And we're not asking you, do [:

If so, let's take action. We know you use it. And so, that's what's helpful for us. But I mean, as far as the platform, we've got, you know, Escalation IQ is a big part of that. We reimagined that experience. You know, historically a lot of that just comes through emails and you can't really control how or when or the way you consume those things.

Will Houston: Hey Spencer, and one of the things that I will tell you has been amazing with the Escalation IQ is the trajectory. You know, being able to see how the threat came in, where it went. Because, because really, again, this is my environment, I should know it pretty well. I can take a quick glance from my cell phone and say, oh, this isn't a big deal.

Or Excuse me, honey, I have to step out. Which, yeah, that has been amazing for us.

the threat Defense center is [:

I'm sorry to steal your line, Preston, but like, we're not alert forwarders. We're storytellers, right? We're here to figure out what happened and tell you what happened, and then tell you what you should do to remediate it now and what resilience recommendations you can get to help stop it from happening again.

And so powering all of that into Central Command and on your in the mobile app is key. And then we've got, you know, we've got a lot of other services. We're releasing our IR module right now for our incident response program that we're really excited about using that to help, you know, document and move that journey forward from an incident response perspective.

And we've got a third party risk management module as well. That's obviously a very hot topic right now across the industry is like, what do we do with all of this vendor risk and what can we do now that we've identified that vendor risk? How do we track that? We now we know, right? So before we potentially didn't know there was a risk, now we know there's a risk and what are we gonna do about it?

we gonna track that, kind of [:

And so there's a lot of capabilities. I think we're up to like 12 modules now inside the platform, but across all of our different services.

Preston Duren: You mentioned, you know, about the value of having multiple services. I mean, I wanna give you a tactical example, right? Because it's easy to say, you know, oh, the more services you have with us, more money you spend with us, the better it's for you, right?

tain information about their [:

So new vulnerability comes out. My analyst's gonna go, they're gonna query the data lake. They're gonna say, okay. Who's the clients that has Citrix, right? So no new Citrix vulnerability came out, right? So we're gonna, we're gonna get that information. Now, we've drilled this list from hundreds down to, you know, well, for Citrix it'd be a lot, but say some other technologies down to 10 clients, right?

They might go look at their vulnerability management part of Citrix command and say like, do, are we seeing those kind of assets? Then make a look at the risk assessment and say, how do they score from a NIST perspective on their vulnerability management program? Do they have some of it, but they're not really patching all that good because it's hard to patch in healthcare.

Let's say they got a, you know, critical risk there, right? So now they just jumped up on the list, right? So my dedicated threat hunters are then looking at that kind of information that's not just SOC stuff. Like, what SOC looks at a risk assessment for information, for intel, right? To know how to prioritize hunts.

of data is it really lets us [:

Drex DeFord: It feels like, I, Will, I heard you say this, I've heard other customers kind of say this too. The SOC in the pocket idea, like you've got a SOC in your pocket on your phone.

All this information is there. Fortified, you guys are using it across multiple customers to look for patterns and trends and things that are happening to help keep your customers ahead of the game. Because a lot of this is, you know, catch it and kill it. But a lot of it is just, you can see it coming.

You can intercept the pass before anything ever happens. So tell me a little bit more about the SOC in the pocket concept and the work you've done there. Preston, I'll ask you to start.

Preston Duren: Yeah. So again, I think that having access to real people, real analysts are looking at your data 24/7, right? We all have our phones on us, right?

pull up a mobile app, and to [:

Here's a, again, tactical example on the webpage. If you log in, one of the things we do, if it's a high escalation, is we call, right, and we put call notes in. If you're on the webpage, it's kind of towards, you know, the middle to the bottom. If you're on your phone, it's the first thing you see.

I need to know if I'm out to dinner with my wife, can I put my phone back in my pocket because Spencer's handling it or whatever.

So like we did things like that. So you talking about SOC in your pocket, it's access to information and people that have the context and the telemetry of the situation. You have immediate access to them.

Drex DeFord: Here's another thing that I didn't mean to really sort of save this punchline to the end, but Fortified only focuses on healthcare. This is another really interesting and unique aspect of the company and the product. That's awesome.

on Duren : Yeah. I mean, you [:

Right? And when you hear that it, you know, in certain ways that could kinda be true. But I think that the important part is the why, and it's not because of lack of caring, because I would, I would argue that there's more care in the healthcare than a lot of other spaces because of what's at risk, right?

You're talking about human lives. We don't do this for the, the doctors and nurses. We do this for the patients in the communities that our clients serve. Because one of our clients is, the hospital I was born in is the hospital my daughter was born in. I went to them and said, trust me, you don't want anybody else protecting this data than me because I've got real skin in this game.

the business of healthcare, [:

I

Drex DeFord: know what

Preston Duren: that is. Yep. Right? Everything in a hospital is not just a node and an IP address. And if you don't understand how these things enable patient care. How they should and shouldn't communicate, and honestly, how poorly some of the software is written from a legacy perspective, right?

Yeah. Like understanding that lets us remediate creatively. It cannot be a shoot first and ask questions later, right? Yeah. You have people that. Like, you know, you have to treat patients, right? So that's really the mindset that we bring is because we grew up in healthcare,

notifications and we covered [:

I sent out. Three letters that had a pretty lasting effect, and that was to my wife and my two kids.

And

both my kids are under the age of 18. And it doesn't matter what you're doing, when you're going through a spreadsheet and you come across those names, it forces you to pause.

These aren't just MRNs, these aren't just first names, last names. These are people in our community people that. For where I am, fuel assistance is a big deal. If their credit is gone, they're freezing this winter. You know, that has a huge impact. I, my wife is a provider. She does things in the community.

I can't even really identify [:

And I think that's something that, that maybe we lose in cyber is we chase ones and zeros and sometimes we forget that the mission. Yeah and, and Mission that Drex, that is exactly it.

Spencer Bales: Yeah, you have to remember that you can trace the thread from the port on the firewall to the patient in the bed. Like, and that's what keeps you going is it's not just ones and zeros, it's real people.

Drex DeFord: Love that. Hey, Will, one thing, we could go on forever. I'm gonna give you the last word here. What's your best advice for hospitals and small teams that are facing off against some of the adversaries that we're seeing today?

people at my [:

Fortified for us has been excellent. We do choose them because they only focus on healthcare. If I were to say I have an XP machine, we all smile and laugh. Because, you know, we all have XP machines in a hospital. Yeah. A bank finds that intolerable. Mm-hmm. For us, I have to support nuclear med. So I think if you can find a partner that can help you mature your program, and protect you and be there for a bad day. Grab 'em and growl. Don't let go of them. And then just get as much information from 'em as you can. We did not have a very exciting summer, which is a great thing for me.

Project. [:

We really appreciate that you wanna know more about what we're doing and where we'll be. Go to thisweekhealth.com/subscribe. We'll keep you posted on the webinars and podcast and city tour dinners and summits, and the new City staff Roundtable, all those schedules as we travel the US, transforming healthcare one connection at a time.

Thanks again for listening. It's healthcare, it's cybersecurity. Stay a little paranoid and I'll see you around campus.
