This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Learn more at fortifiedhealthsecurity. com

today on Unhack the News.

(Intro) if you think about doctors and nurses, they're people that want to help.

Right? And urgency matters because seconds matter , in those, lives. So when you're sending somebody, Hey, I need you to click this thing real quick. I need some help there's probably a reason that healthcare higher, right? It's a natural tendency to want to help and to be helpful.

But it also leads to maybe getting tricked sometimes.

. And now, this episode of Unhack the News.

(Main) Hey, I'm Drex DeFord, a long time recovering healthcare exec and now the cyber guy at This Week Health and this is Unhack the News, a podcast where I sit down virtually with some really smart folks who really know this business and together we get to pick through some news stories and talk about some challenges in healthcare cybersecurity and today we're I have Preston Duran, Vice President of Threat Defense at Fortified Health Security.

Preston, welcome to the show.

Hey, glad to be here. I'm really excited to get to talk about some of the recent things in the news and have a great conversation.

Nice. I was looking into your background a little bit. Because I have a tendency sometimes to creep on some of the guests that are going to be on the show.

Thanks.

So I've been in Fortified about five years, which pre Fortified, I've spent most of my career in healthcare cybersecurity in very large environments. And, it's ready to make a change. And the opportunity at Fortified came up And so I was like, hey, this is right up my wheelhouse, right?

It's cyber security, healthcare, it's all the things that feel like home to me. I started as kind of a VC, so the virtual CSO and, pretty quickly on, there was an opportunity to run the threat defense center and I'm technical by nature. And so it made a lot of sense for that transition, and I've loved it ever since.

Yeah, love it. So Threat Defense. Now you're the Vice President of Threat Defense. What's that mean?

What are you focused on?

Yeah, so if you think about defending against threats, right? I don't, not to restate the title, right? But it's defending against threats, think technology enabled services. Really cybersecurity operations. SIM, XDR ConnectedMed, Managed EDR, those kind of things the 24 7 services and so that all falls under me and then the kind of the implementation of those services as well.

Nice, nice. get into a couple of the stories and see what's going on here. So one of the stories is around Microsoft unveiling resiliency. And security enhancements following the July global IT outage. By July global IT outage, we of course mean the CrowdStrike July 19th event, which took a bunch of computers down.

took a look at the story. What's your initial impression of what they're doing?

The, President gets up there and he hits it head on, right? He doesn't shy away from it, right? It's his whole talk track or a lot of his talk track was around resiliency, right? And we're hearing that more in the industry. And I think they did a really good job, the special guest speaker in that was the CEO of Microsoft, right?

Publicly. We all saw the back and forth from maybe different people, so it was really good to see a lot, and the CEO of Microsoft talked about some of these things as well. Alright, so not surprised to see this come out, and to me, there's a lot of kind of parts to it, but you can break it down into two primary focus areas,

That is a really interesting, and without physical access. So if you think about And that

was really the situation after the July 19th CrowdStrike update, is that machines were blue screened, and you you had to physically go visit the machine and start over from scratch.

absolutely. And for this one top point, or that, the one part of the article, the two main things it kind of references is like unbootable. And without physical access. And doing it remotely. And that is a really good example of taking a situation.

And then, really hyper focusing on how do we remediate this or prevent this in the future? And so I love to see that's available because that goes into, a lot of, Different things, which is the second point with the how are they helping IT admins is The hot patch in Windows.

it's out of, it's never a good time to take down your EMR, there's never a good time that you're not treating patients, and, when we think about the CIA triad, confidentiality, integrity, and availability, which is one of the kind of interview questions I'll always ask people which one do you think is most important in health care?

Almost everybody says confidentiality, unless they've worked in health care and they know it's availability, now, obviously, it's situational, right? But this seems to be up to treat patients. So this kind of speaks to that. So if I'm thinking about this, it's okay, you can push patches without having to reboot.

And if something happens, you can recover without being physically there, Those things are going to, allow, us at IT, cybersecurity and the IT side of that in healthcare to feel more comfortable, getting these patches a little bit sooner and having a more regular schedule.

And sometimes you have, I've worked for a health system that had had clinics in Washington, Alaska, Montana, and Idaho. There were not. IT people in all of those locations. And that seems to be more and more of the situation. So being able to do this capability. Remotely is pretty cool.

If they can execute anywhere close to what it looks like, which I'm sure they will be able to, then, , this is gonna be huge, the hot patch thing, being able to reboot, four times a year instead of twelve for those Windows updates. Doesn't speak to third party stuff, but, it's a good start,

was a lot of very similar conversations for the Linux kernel and a lot of, funny to follow high school drama associated with that with some of that community, right? But, when you get into these kind of safer programming languages, you should start seeing a little bit less things where memories issues and stuff like that.

That one is an aside. Just the FYI. I think there's not really any action for us. The other one, and the Microsoft CEO spoke about this at the Falcon conference, is the transitioning out of kernel mode to user mode for like antiviruses and stuff, right? So it minimizes the damage that can happen if there's, misconfigurations and things like that.

There's a lot of

folks

third party wise for Microsoft that have access to the kernel as part of the, here we go down the hole, have access to the kernel, which is when I was at CrowdStrike, we referred to it as like the beachfront property of the whole operating system. And if you make a mistake.

I think there's so many benefits because like right now it's, again, the managed EDR stuff falls under me and so does the implementations. And what we run into is when you're doing a rip and replace of some legacy thing, or just two antiviruses, you can't have them both and protect them all at the same time because they fight over the kernel and it'll cause blue screen.

So you have to accept some level of risk for a certain period of time, while you're making that transition and doing that tuning. And so hopefully this will minimize some of those risks because again, All we're doing here, when we're doing these things a lot of our efforts are focusing on the availability of the data in the systems.

Yeah. Hey, thanks for taking that apart for us. It's actually super helpful. There's a lot in that article, and it's a very compressed kind of package of information. Hopefully the audience gets a lot more out of it because of this conversation. I want to do one other article.

Then we do the sort of ongoing phishing training. And they have a lot of findings in the paper, some of it's a little surprising. What did you think as you got into it and read it, and what are your thoughts about what's going on?

Yeah, so found the article, found the paper, and it was like 76 pages, and I was like, oh man, and and I was just going to summarize, browse, I ended up reading almost the whole thing.

It's very interesting. It goes into a lot of detail, and a lot of the paper is them essentially explaining their methodologies, improving the numbers, which really adds a lot of credibility. So the summary of the overall paper is, essentially that there's no significant reduction in phish failure rates, whether you've taken training or not.

19, 500 people that were in the pool studied. Yeah.

I was shaking when I read this. I'm like, this goes against my assumptions.

So did you feel about it?

Yeah, no, that was, I think my initial reaction to it too was one point in my life, I was the CIO of a research institute too. And so my first reaction when I read the abstract, and then I, like you, I was like let me scroll through this. There's something in here I'm not getting.

And in some cases, like you said, maybe you're doing something that might actually make it more likely that they'll do the wrong thing. So I'd love to see someone else or four or five someone else's do this same kind of study. Like you said, they've done a great job documenting all the stuff that's in there.

How they did the study, what their assumptions were, all those kinds of things. I think if some others would do that same kind of study, it might be interesting to see, do they have the same result? Do they have a different result? Because it definitely goes against our thoughts of yeah, if you train people, they will do better.

And maybe not.

7 percent like absolute reduction whether you've been trained or not trained. And when you think about the time, energy, and dollars we spend on this topic that's a little bit concerning, right? jotted some notes for myself on a couple things that, some definitions, embedded versus static.

Right? Embedded is a lot of times we've done this with Novo4 and CoFans, different phishing things where you click on a phishing email and it makes you take the training right then, right? Hey, you should have spotted this. And so only, one thing it pointed out is that may look like continuous training, but it's actually not because unless you actually fail.

What that kind of tells me is everybody's busy, but if some users, when they get that training, they're not really paying attention to it. Which means they're also not really paying attention to the content in the email, which caused them to then click and get the failure. Yeah, so like that was really interesting.

And then like what they found with the once a year training was that really didn't do a whole lot. And other than if they were trained and then immediately took a quiz, it did help them pass the test. Yeah, it didn't help them with not clicking on phishing emails, but it did help them pass the five question quiz or whatever we all have to take as we do those things.

It's and the other part of this is that and you alluded to it. This is all done. As much as they can, trying to just isolate this particular situation, but it doesn't take into account like, are people really busy? They have a hundred things going on and they're distracted.

a bonus program to the phishing click rates of their employees. And that turned into a, in every daily huddle and in every management staff meeting, there was the, Okay, and before we close the meeting today, don't click on phishing emails, right? It became part of the culture of the conversation.

There's all those other things that can have an influence on this.

totally agree. And, again, just reading through a lot of this stuff, the interactive stuff seemed to do better than the, non interactive stuff. But if we think about the challenges with specifically in health care, right?

If that's, depending on where it is, if it's a on a floor or something like that, then you're not really going to be able to have sound and things like that. And the other thing is, if you think about doctors and nurses, and who, from a psychology perspective, who healthcare workers are, they're people that want to help.

Right? And urgency matters because seconds matter , in those, lives. So when you're sending somebody, Hey, I need you to click this thing real quick. I need some help that, there's probably a reason that healthcare higher, right? It's a natural tendency to want to help and to be helpful.

But it also leads to maybe getting tricked sometimes.

Yeah, that is such great insight. We talk about that regularly, how folks who work in our business are pre programmed. to be fireman, to be helpful. And yeah, that's a great point. Hey, I really appreciate you being on the show today.

Thank you for having me. I had a great time. I really enjoyed the conversation.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth. com slash news. I'm your host, Rex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.