This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Newsday: Healthcare Caught in the Crossfire of Iran War with Drex and Sarah
Drex DeFord: Hey everyone. I'm Drex DeFord, one of the principals of This Week Health and the 229 Project here. Our mission is healthcare transformation powered by community. This is Newsday on the UnHack channel, breaking down the cyber and risk stories that are impacting healthcare. Here's some stuff you might want to know about.
Sarah: Hey, welcome to Newsday. I'm Sarah Richardson and joined by Drex DeFord. Drex, happy birthday today.
s, it's good to be alive. It [:Thanks for that. Best. Thanks for the good wishes.
Sarah: Of course, and our listeners are hearing this probably a week or two after your birthday. So what's even better is we will make this officially birthday month. So please send well wishes to Drex for his birthday because you know, today we're diving into something that should absolutely be on everyone's radar.
And it's not just a geopolitical story, it's an operational reality that's gonna affect your systems, your vendors, your partners, and most importantly your patients. Two stories broke this week and actually one overnight that together paint a picture of what 21st century warfare actually looks like. Uh, and a spoiler, as Drex would say on his two minute drill, doesn't play out on a battlefield.
It plays out in your data center, your cloud, your medical device ecosystem. So Drex, we're gonna break this down and, uh, tell you what it means for our listeners.
Drex : Okay, I'm ready. What do you, what do you wanna talk about? Which, which story? What do you
Sarah: talk about? I wanna talk about the loop one. Now. Do I say that OODA loop because that's where
Drex : my head went.
That they now have put on the target and attack list, and it's companies like Google and Apple and Boeing and Intel and Meta because in their words, in their mind they think that they assert that, um, those companies are the companies that are providing the infrastructure and the tools that enable the high tech warfare that they're up against right now. So those companies in their minds now have become legitimate combatants in the [00:03:00] war. Um, it's interesting to kind of see, you know, how this evolves in the spirit of, one of the things I say all the time is, you know, everything's connected to everything else that. I, I can, you know, if you can suspend, you know, reality for a moment and kind of follow along with their logic, I can see how they can get there.
Not crazy about the idea. And part of the challenge too is that. There's lots of other companies and lots of other things that we depend on in healthcare that are also tied to many of those companies. Um, we've already seen, uh, AWS data centers in the Middle East come under physical attack from Iranian drones, so they're actually attacking.
ust interesting how warfare.
It's not just combatants on the battlefield, as you said, it's now definitely cyber warfare is, is a whole new ballgame. It's not just attacking that government, whoever you're fighting and their computers. It has exploded. It's EE, everyone and everything is a target.
Sarah: When you shared, you've been sharing earlier, the deep fake, the employment, the nation states, China, Russia, Iran, North Korea.
Drex : Mm-hmm.
Sarah: They don't hack for espionage. They're positioning inside critical infrastructure for the ability to like, like degrade, disrupt, destabilize the concept of persistent access where they get in and they wait.
Drex : Mm-hmm.
Sarah: So it's not like a strike against a system, it's an occupation.
Drex : Yeah, we've seen the, you know.
m, systems and you know, the
And it wasn't for, uh, I mean, it, it was just a destructive attack. It was one of those things they put, you know, they put in malware that wiped machines and, and, uh, wiped, um, wiped the phones and it wasn't done because they were trying to hold anybody ho hostage. They were just making the point. We can do this now, and so we're going to do this especially against critical infrastructure and critical infrastructure companies.
d guy to attack one hospital
Sarah: Isn't that really a fundamentally new doctrine that whether you agree with the framing that these communications and AI companies are being used to track and plan strikes, and now you helped aim the weapons, so you're part of it that is. That has massive implications for health systems. I mean, if you've got Azure, AWS, Google Cloud, these aren't a neutral utility anymore.
I mean, if you're an adversary, could they be considered instruments of war?
by war fighters to actually
I mean, I'm not a lawyer and I'm, you know, I'm a retired Air Force officer, but under the Geneva Convention could possibly, maybe be considered, um, a legitimate target. And we've co-located all of these things with that legitimate target, which makes it very difficult to say, I'm only going to hit server 78 and 79, and I'm not gonna blow up the other servers, especially in the physical attack, um, scenario. So, I mean, it is interesting, right? We've gone, we went through, uh, COVID the, a lot of this is unintended consequences too, right? Mm-hmm. We used to have all these things in our data centers, and when COVID came and we kind of went hands off, we started having a lot of conversations about how do we get things out of the data center, move them to the cloud, do software as a service.
d we did that because it was
But the unintended consequences of that has turned out to be some of these things we're seeing now as part of the US-Israeli war.
Sarah: So is it fair to say then when a nation state takes action, and that could be kinetic, economic, cyber, we really shouldn't be surprised when the response isn't contained to where I guess it was created.
I mean, isn't that kind of how conflict works? And for us, it's not, are you right or are you wrong? It's are you prepared to be caught in the crossfire? And there were two different CIOs I spoke with yesterday who said, wow, our business continuity, resilience, and planning has hit a whole new level because of the A, the Stryker incident, but also what might be happening otherwise with some of these presences in the Middle East.
Like how should be thinking about all that?
Drex : And now we're definitely spending a lot more time talking about third parties and supply chain and looking at every contract I have and every partner who supplies anything to me and the health system and asking the question if that organization goes offline, if that partner goes offline. What's my backup plan?
ndors that are supporting us.
It's about all of our suppliers now. So, you know, how are you getting bandages? How are you getting, I mean, everything, if that company goes offline. Blood, you know, the, the whole blood event that happened a couple of years ago where, um, the donation system, the, you know, how do you cross type and match.
Mm-hmm. All, you know, all of the blood supply system in the southeast wound up jammed up because there were only a couple of companies down there. And when those companies were breached and they went offline, hospitals across the region were like, oh, no. Like, what's our backup plan? How do we do this? So the resilience planning kind of does kick into a new gear, and you do spend a lot of time now thinking you should spend more time thinking about now the whole supply chain, and how do you survive if any one or two or five of those partners go down, not just from a cyber attack, but it could be anything.
Sarah: Well, heck, the hurricanes disrupted IVs.
Drex : Absolutely.
er aspects. And so there are
Especially, I mean, AI makes bad guys matter. You know, it's one of the things that I was sharing with a friend last night.
Drex : It's really interesting too. So this idea of resilience and learning from the bad guys. So when. This pro Iranian Hacker Group ela
Sarah: mm-hmm.
Drex : Uh, hit Stryker, uh, within literally a couple of weeks, the FBI Department of Justice, other law enforcement organizations, took down the ELA websites, um, just went out and completely tore them down.
nteresting to watch the last.
Month, all things that we know, but then we get to actually kind of see it in action and, you know, double check ourselves like, this is, this really is how they work, this really is how they think.
Sarah: Yeah, I mean, Stryker's attack, you Stryker's own software against them. And to think that your supply chain could be at that level of risk because you may not even know it.
It might just be sitting in wait for something to happen and if you're watching, you know, weather patterns or other aspects of what is that true, perfect storm of things coming together. Drex, as we close out, just this part of the conversation is you're the CISO and you're at a regional health system.
to so that the appreciation
Drex : Yeah. If you're, um, you know, I think if you're in the seat right now, uh, the power of storytelling, uh, becomes incredibly important. And a lot of this is the story of what's happening, how it's happening, why it's happening, uh, using examples of other companies who've been affected and how that's affected healthcare.
And then helping to tell the story about how that impacts business and clinical operations and patients and families. And that's the, that's the story your executive peers need to hear. They don't need to hear the details around the server names that go down or the, the hacks that are being used, the all the mumbo jumbo language.
e business language, I think
It's not about more money, it's about you have to get folks inside the organization to jump on board with this idea that we are going to be more resilient. And a lot of this doesn't have to do specifically with the Chief Information Security Officer or even the CIO. It has to do with clinical leaders and business leaders and research leaders in that case.
So,
Sarah: Okay. I lied. You made me think of one other question or another.
Drex : No, no, go ahead.
Sarah: Because I mean, it's, I keep thinking about some of the conversations I had last night just with some of our community and some of 'em are exceptionally well prepared, and I keep thinking if you're that much more prepared, does the bad guy do a sniff test and realize, eh, you know what?
they're on somebody's target
Like if now your vendor is targeted by a nation state mm-hmm. How should the contracting language change, or what would that dynamic look like in, in that conversation? Because that's probably not in your contract right now.
Drex : Yeah, the, the important part I think in all of this is this whole conversation that we have all the time, um, with our community around partnership, and partnership with, with our, with our vendor support.
Um, there's gonna be a lot of things that probably you just can't think of everything and put it in your contract. I mean, you can try and there's, you know, there's probably a ton of stuff that if you are working with the right general counsel. Or the right outside counsel who's done a lot of this work, they'll give you good language that you should put into your contract, but it's hard to think of everything.
ronment continues to sort of
It's the spirit of the relationship, and that's what you've gotta work with your vendors on.
Sarah: Having that incident response plan that includes supply chain failure. Yeah. And maybe what their footprint looks like in the Middle East. Like those are legitimate questions
Drex : when you think even you have something going when going on.
Yeah. When you ha think you might have something going on, you need to let us know. And again, that's hard, vague language and you can make it much more specific. But again, when lawyers get involved, it, it can be, um. To be, you know, more specific can be a problem and more vague can be a problem. So it's again, comes down to the partnership, I think.
of everything. Plus the new
I'm like, ah. I went from like Saturday morning coffee to like high anxiety alert until I realized, okay, I'm not running a health system anymore. Accept that. So many people we support and care about are obviously, and just that fear factor of like 5,800 cyber attacks have been linked to Iran aligned groups since this conflict began.
Yeah. I mean, and they're targeting infrastructure across US, Israel, Gulf States. I mean, that's not a campaign. Again, that goes back to the sustained offensive,
Drex : It's, it's very, it, it's not, it's not necessarily super well organized either, right? Yeah. So you have the Iranian government who have their own set of hackers, who honestly are some of the most battle hardened cyber warriors in the world because they've been fighting Israel on a minute to minute basis for years now.
really good at what they do,
And then the other interesting thing about the Iranians is that they have lots of volunteers, lots of folks who are just out trying to deface websites and they wait for direction from the, from the IRGC, and then they sort of take that as their marching orders to go do some stuff. So there and all of that is decentralized.
of this stuff, especially in
And so it'll be a, it's gonna be an adventure. We're all learning a lot of, a lot of new lessons, and I do talk about the new lessons almost every day during the 2 Minute drill or an extra, or just in the regular posts, uh, up on LinkedIn.
's the operational reality of:And it's not to scare you, it's just what it is. And you need to know where all of those assets are sitting.
Drex : Yeah. Everything's connected to everything else. Yeah. So stay a little paranoid,
Sarah: Stay a little paranoid, have that conversation with your board. All right, Drex, we're wrapping up. It's your birthday.
Uh, I'll be curious to see what happens between now and the airing of this episode. I know you'll cover it in two minute drill, but how, uh, close this out.
Drex : Close this out with what?
ons. It's, people wanna hear
Drex : It's, it's all the, you know, it's all the good stuff that, um, you know, that I think we're working on with the community. Um, I, I, I get a lot of great notes from the community too. Folks who give me heads up on things that are happening that, um, even sometimes aren't, are aren't widely known. And we started talking about Stryker before Stryker was being reported in the news because somebody, a member of our community sent me a note and said, hey, somebody I know their phone just got wiped at Stryker. There's something weird going on, you know, you need to look into this. And that was, you know, we were off to the races. So, uh, a lot of this isn't just stuff that I'm finding out, you know, because I'm especially good at digging at things. A lot of it is people sending me notes and tips and have you seen this or look into this. So thanks for doing that. I think that is another indication of just great community and folks who are trying to help everyone else in the community. So keep doing that. I appreciate it.
year if you keep doing that.
Sarah: Sounds good. Hey, thanks for tuning into Newsday. That's all for now.
Drex DeFord: That's Newsday on UnHack with Drex DeFord. Get daily security insights delivered to your inbox because every healthcare leader needs a community to lean on and learn from. Sign up at thisweekhealth.com/subscribe and stay safe out there. I'll see you around campus.