Michael Hamilton with a Clear Cyber Plan
Episode 119, 6th September 2019 • This Week Health: Conference • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Welcome to This Week in Health IT Influence, where we discuss the influence of technology on health with the people who are making it happen. My name is Bill Russell. Not the original recovering healthcare CIO, but one of the recovering healthcare CIOs and the creator of This Week in Health IT, a set of podcasts and videos dedicated to developing the next generation of health IT leaders.

This podcast is sponsored by Health Lyrics. Professional athletes have coaches for every aspect of their life to improve performance, yet many CIOs and health executives choose to go it alone. Technology has taken center stage for healthcare. Get a coach in your corner. Visit healthlyrics.com to schedule your free consultation.

Uh, two new free services on our website to, uh, make the listeners aware of. This Week Health Insights is for individuals looking to propel your health IT career forward: two emails a week designed to give you insights that set you apart. And then the second is This Week Health's Staff Meeting, which is for teams.

This is for managers looking to introduce your team to new thinking from, from industry leaders, and to get the conversation for your staff meeting started on the right foot. Alright, so today we're joined by Michael Hamilton. Michael Hamilton, one of the founders of CI Security. Uh, good morning Mike, and welcome to the... Hey, Bill, thanks and, uh, happy to be here.

Thanks for the opportunity to talk. Yeah, I'm looking forward to it. We had a brief conversation before, uh, we hit record and, and, uh, I think it's gonna be exciting. So, some of our listeners may not be familiar with your background. You're the, uh, one of the founders of CI Security. Um, maybe the best way to go about this is to say why did you, you know, what in your experience made you found a cybersecurity company?

Yeah. Thanks. That's a great question. And um, uh, honestly, it's not just a company, it's a, it's a company with a real mission focus. And, you know, I spent the last 10 years about working in government as a, uh, policy advisor to, uh, Governor Inslee here in Washington State through the Office of the CIO. I was the chief of information security for the City of Seattle for almost eight years.

I've been the vice chair of a Homeland Security government coordinating council for state, local, tribal and territorial infrastructure protection. Um, but before that, uh, I spent about, uh... my information security career goes about 30 years back. Um, I, uh, spent a good amount of time as a consultant and, uh, eventually was the managing consultant for Verisign Global Security Consulting.

And when I made the transition from working, um, nearly, um, exclusively in the private sector with Fortune corporations, and then went over to, uh, have a look and become the CSO of the City of Seattle. When I looked around and I saw the criticality of things that are supported by your local government in particular, um, water purification, waste treatment, public health services, traffic management, all these things are held up by IT, and it became very clear.

Two things. Number one, this infrastructure, if disrupted, doesn't amount to a news story or a letter from a credit card company; it's something you need to live that doesn't work anymore. You know, I, I, uh, do a lot of public speaking and I talk about the difference between, you know, getting another letter from a credit card company and "we're gonna monitor your credit for free" for the 29th time, versus my toilet wouldn't flush for three days.

Or I called a hospital call center and it didn't work. There is a real difference in the impact to our, our, our lives because of the scale of those two things. And so the company exists really to serve, um, uh, what we call critical infrastructure at the local scale. And uh, really it's primarily the health sector because if there's one thing you don't wanna see, get knocked over, it's your local hospital.

They're on the ropes anyway. And man, they need help. So we're here to help them. That's amazing. I mean, one of the reasons I, I changed my intro and said, uh, not the original recovering, um, healthcare CIO is 'cause Drex DeFord, uh, works pretty closely with you guys. Yes, he does. He's the original recovering healthcare CIO.

He's, he's still in recovery. Still in recovery. Uh, so, you know, today's topic's gonna be cybersecurity. I love that intro, 'cause you know, a lot of times we're talking about, uh, you know, we talked about the incident in terms of, you know, PR and, uh, you know, getting out in front of the message and a breach of, uh, medical records.

And none of those are, uh, really at the, the heart of running the, the hospital per se. But there's, there's still a lot of, uh, a lot of incidents we need to worry about that would actually shut down the hospital, I would think. Yeah. Well, increasingly, you know, it's, um, there's a lot of weird things going on.

There are nation states that are disguising their operations as organized crime. Uh, some with the intent to steal. North Korea is known to be ripping off banks to fund their weapons of mass destruction program, and you're not really sure who you're dealing with and what their capabilities are, uh, anymore.

You know, and we've, we've reached the point where the organized crime business and it's a business, um, has, you know, sought out the low hanging fruit. And unfortunately, that's a lot of poorly protected hospitals. Um. You know, in addition to the annoyance of organized crime and the potential to, uh, you know, patient care there, you know, there are things going on.

Like, uh, the, the, uh, Chinese government has just come out and said, you know, we are really interested in cancer research data. And sure enough, the campaigns have started to infiltrate. Uh, uh, research organizations to, um, steal intellectual property cancer research data. So there's a variety of actors here.

I think the ones that we hear about in the news, um, really is around, you know, the dreaded records breach. You know, everybody thinks that's the worst thing that can happen. Uh, it is not, and, and frankly, you know, the conversation, and you hit on this a little bit, the conversation to have with executives, boards of directors, et cetera, is not about, you know, scary Russians, cyber, buffer overflow, SQL injection.

Uh, you know, it, it's good to, um, ground yourself in the outcomes you want to avoid and manage the risk around those. And there's a language and there's math around this. And if you have the right kind of conversation, you move that needle a little better. So we're gonna, yeah. So we're, we're gonna, as sort of our views for this conversation, you, you're gonna be the CISO, I'm gonna be the CIO.

We're gonna be going, we're gonna be essentially going to a board and, uh, we're gonna be doing a presentation to help them understand it. And we're also gonna be talking about, uh, we're gonna be asking for money. And so we're gonna identify some of the things we would ask, but just to, just to level set. I mean, we had, uh.

n breach in the first half of:

payers, you know, the Anthem:

So we're gonna be going in front of the board. How do we? You know, how do we get them up to speed on cybersecurity? You would think that everyone is up to speed, but there's so much confusion still. Yeah. Well, I, you know, my first tip is don't talk about cybersecurity. You know, talk about these things, these outcomes that we want to avoid, which would impact the mission of the covered entity, which is patient care.

Um, so, you know, I mean, you could fairly, um, put these outcomes into three buckets, and I'd even reduce it to two. But let's use three because we pulled out records disclosures, this particularly nasty thing, you know, that we, that we'd focus on. So, uh, bucket number one is unauthorized disclosure of protected records, right? Breach.

And this happens all the time, every day. You brought it up yourself. This is, um, uh, bad. It has a cost associated with it. We know what that cost is. Uh, the Ponemon Institute has done lots of research into this, and we know that, uh, the cost of, uh, cleaning up after unauthorized disclosure of records, given fines from, uh, you know, the, uh, uh, Office for Civil Rights, compliance with the state's data breach reporting, uh, statute, uh, for hospitals, this ends up being somewhere in the neighborhood of $400 a record.

So, I mean, just simple math. If we're talking about the, uh, potential risk from, uh, records disclosure, we have a million records in a database that, uh, meet the definition of, uh, personally identifiable information, protected health information, what have you. There is a potential liability of $400 million there. That's how we start this conversation. We start talking about the amount of liability that is around, you know, these pots of gold. So number one is unauthorized disclosure of protected records. Number two, theft and extortion. You know, we call it ransomware.

We use dumb names in the cyber business, starting with the word cyber. Uh, and uh, uh, you know, theft and extortion. We see empirically about how much this is worth, right? Ransomware does an extortion on a hospital, uh, business email compromise just fools somebody into sending money away, and we can kind of know what the magnitude of that is.

So, so we start to put dollar signs around these outcomes rather than talking about, you know, hacking. And I, and I would actually take some issue with that word hacking 'cause it's, it's really unspecific as to what that was. There's a difference between "I fooled you into giving me your password" versus "I packaged some exploit and figured out how to get somebody to bite on something really exotic that will fly under the radar."

Those things are different, uh, but you can call 'em both hacking. So a little specificity there. I read the same article you did and I, you know, I thought that was, uh, remarkably unspecific, but moving on. Records disclosure, theft and extortion, and then the third one is just disruption of critical services, and disruption for the sake of disruption is also a growing trend.

And so when we're talking about things like the internet of things and medical devices that are vulnerable, um, the fact that if you, uh, attach a camera to the internet and you haven't done even the basics of changing the default credentials, it'll be taken over in 90 seconds, uh, and, and weaponized for other purposes.

So, you know, if that, uh, impacts your, uh, continuity of operations and your operation is patient care, uh, that's probably the worst outcome right there. The records disclosure is gonna be, you know, a kind of, uh, you know, interesting historical memory if the ability for a hospital is intentionally disrupted and, and there is no ransom to pay, there is no way to get it back and it's just rebuild.

So that's how I would start the conversation. I would talk about these exposures, the dollar signs that are associated with them, and then talk about the two terms in risk: lowering the likelihood of those outcomes

And lowering the impact of those outcomes if and when they occur, because these are fairly foreseeable events, to your point in today's world. Well, let's, so that leads me in two directions. One is part of me wants to have us put on black hats and say, okay, how are we getting in? Because that's gonna be one of the questions they ask us is like, how, how are people gonna get in?

But the, the other thing is when you have conversations like that with the board, they immediately go to risk. Mm-hmm. They go, risk. Oh, I know how to mitigate risk. Mm-hmm. Let's get insurance. And then when this happens, you know, we, we lean on that cyber liability policy. And you know, first of all, you're not gonna get a fine for 400 million, because the federal government's job is not to put businesses out of business for negligence.

And for the most part, they, they need you providing care in those, in the communities that you're serving in. So those, those fines end up coming down, uh, pretty significantly. They could have easily put Anthem outta business. Yeah, absolutely. Just do the numbers. Um, and so to a certain extent, we have to educate the board on more than just, hey, you know, there's, there's a risk, there's a financial risk; there's a lot of other risks associated with it.

So let's put on our black hats for a second. Or white. Let's be white hat hackers, I guess. How are we getting in? I mean, the easiest is through people, right? Right. Absolutely. It's, you know, fooling somebody is a, uh, a time-honored tradition.

And, uh, if I can get you to give me your password so that I can just march into your network, maybe implant some kind of malware that's, uh, you know, put it on your computer, 'cause now I have access to it. Um, and, you know, uh, uh, start a ransomware event or something like that, uh, in order to extort the hospital.

So, so what are we gonna do? Credential theft is rampant right now. Can we, are we, are we closer to the point where people don't even know their own password, but they can still get into systems? Uh, yeah, we're getting there. You know, honestly, in fact, uh, you know, some of the controls that we use in order to, uh, administer our customer premise equipment, right?

The collection device we put on a customer network to hoover up a bunch of security events and send 'em to analysts. Um, when our, uh, analysts, uh, have a need to, uh, actually make a connection to those, they don't know the password, and we do this well: they use one-time passwords that are not good anymore afterwards.

Right. So there are ways to do this, and I think we're getting to the point. Um, I don't know if you saw a story today. Amazon is experimenting with completely, um, facial and bio authentication methods, um, rather than anything else. So you walk into one of their stores, you're already recognized, they have your credit card on file, and that's that.

So, you know, I think it's being led by, um, you know, big corporations in the private sector, um, you know, to increase retail businesses. But these, um, these methods are gonna be pervasive sometime very soon. Because as long as people know their passwords, they're going, they're gonna potentially give them away, so, so that's one of the areas.

Another area is people just go into certain websites and, it, it, that's another way that this stuff gets transferred, right? It is, but I would make a distinction here, because there is a difference between, um, a targeted attack, an actual attack where somebody did some research and they penetrated your organization on purpose with the intent to steal records or to extort you,

versus somebody visited a website today that was bad when yesterday it was okay. That is the background noise of the internet, and tripping over the background noise of the internet isn't personal, it's not targeted, it wasn't meant for you. Um, and, and there is a difference there. But yes, that is actually, uh, another, uh, way that's fairly prevalent.

It's, uh, it's called, you know, just a drive-by attack. You, you hit a website. Now, there are times when, um, uh, there are websites that are known to be frequented by a certain sector or another. You know, I'll, I'll, I'll just pick one out of the air, uh, uh, uh, you know, the Becker's Hospital site. I know the kind of people that visit that site.

And so if I can compromise that site so that the visitors then are compromised with whatever malware I throw at them, I'm pretty sure I've gotten people in hospitals, uh, that's called a watering hole attack. So that's out there too. But, you know, I think it's, um, good to distinguish because the motivation of the threat actor, um, is something that we need to keep in mind here when we're talking about risk.

And, and just let me, uh, respond really quickly to, um, um, the issue of insurance. I live in Seattle. We don't insure against rain. It just happens all the time. It is a foreseeable event. Could a hurricane happen here? Well, yeah. You know what? It's not outside the realm of possibility; it could happen. So when, when you identify risk, there's four ways to handle it.

n accept the risk, right? The:

Transferring your risk using insurance should be done at the end, after you've done those other three things. And that's residual risk. That's, you're not gonna be able to keep out a nation state if, if they want to steal your cancer research. They are, they're gonna be able to do that. That's the hurricane that you should insure for.

Soapbox off. Interesting. So, uh, let's talk about, um, let's talk about intentions. So a majority of these are still financially related. Is that what I heard you say earlier? It's, it's organized crime and that kind of stuff? Yeah, for the most part it's, it's still organized crime and, you know, the value of a health record is pretty clear.

So, um, and, and nation states, 'cause you know, when you sit on the board, they're, they, they'll sit there and go, well, you know, if China wants in, they're getting in, and it, they sort of throw up their hands and you're like, okay. Yes, but we also have to keep the kid who's studying at UC Irvine out. Mm-hmm. Just because he just learned a new way to do it.

Um, and we also have to keep, you know, the, the threat actors that we know we can keep out, we, we need to keep them out. Um, so if, if somebody's intent is, is money. So, so let, let's sort of put these things on a scale. We have, we have the kid in his basement who's, who's just learning how to hack and thinks it might be fun.

You know, what level, what can we really protect against and what, what are we gonna just struggle to protect against? Sure. Um, so, you know, I'm gonna, I'm gonna take this back to, uh, our, our expression for risk, right? The likelihood of a bad event multiplied by its impact. And that impact should really be dollar signs there.

Um, so you buy down the likelihood of a bad event using preventive controls: firewalls, URL filtering, email security, antivirus. There's all kinds of stuff. Train your employees, do vulnerability management. All those are designed to make bad things not happen, and they will fail against a determined actor. But as you build up that preventive control strategy, you are raising that risk bar so that, you know, the, the unsophisticated actor of opportunity is no longer a problem, and then maybe insiders are no longer a problem and we've got pretty good controls there.

And then hacktivists, and I don't think the health sector really has too much of a problem with hacktivists. They used to crawl up my backside all the time when I was at City of Seattle.

Let's just keep our risk bar going. Organized crime is fairly sophisticated and has, uh, uh, tools, techniques, and procedures that, uh, we can defend against. And then we're getting up into nation state and terrorists, uh, space up there. We can raise that risk bar through the combination of accept, avoid, mitigate through controls and transfer through insurance.

Um, and, and get that bar pretty high. What we then need to, uh, accept, admit, um, and uh, embrace is the fact that bad events will happen that start the process of records disclosure, theft and extortion, and service disruption. But they can be stopped before any outcomes occur if a workstation is compromised

and you see the signal of this because you are monitoring your network and you know that workstation has never talked to Ukraine before. What's up? Uh, and you go pull the wire on it. It's a tree falling in the forest. You didn't lose any records. You, you, your money's not stolen, nothing. So that's a focus on the impact term, not the likelihood term.

And so the way that you buy down impact is through the application of good monitoring, detection, and, and, and frankly, more importantly, uh, effective and rapid response. Put the little fire out before the house catches fire. There is no report to OCR. There is no brand damage, there is no fine. There's none of this.

And so focusing on both of those sides of the risk expression, uh, is more of a full featured way to go about this. And, and going back to our original, um, um, uh, premise here, having that conversation with the people that fund, uh, the controls. So, uh, we, we wanna monitor, detect, and respond, uh, pretty rapidly.

Are these tools getting more sophisticated? Because, you know, it's, when I think about it, okay, so they've gotten in, they're into the EHR. How long is it gonna take them to exfiltrate a million records? Um, it, before we're, we're looking at it, I mean, are the tools sophisticated enough that we're like, we're, we're seeing it pretty quickly and being able to respond and unplug it that quick?

Yeah. The tool, well, the tools are getting sophisticated. You know, it's, um, you know, we're, we're, we're, we're led to believe that, um, if we just keep buying tools, um, they, they're becoming more and more magic. And, and, and the root cause of that is the lack of people that we have to fill these roles, um, to be security analysts and security engineers, et cetera, et cetera.

Uh, they're in short supply. They're very expensive, and I can tell you with a good deal of authority, they're rather flaky. They can change jobs every six months and double their salary. So they will, um. So, you know, venture capitalists smell blood in the water here. So if you know you got a three slide PowerPoint deck talking about your magic technology, you can probably get funded.

So that's how we're kind, you know, we got AI coming outta the woodwork and machine learning and orchestration and automation and all of these promises that you don't need to rely on people anymore. Somewhat paradoxically, when you keep buying these tools, you have to throw more and more people at them to get them to work.

Uh, and so you have achieved an outcome that is exactly the opposite of the one you intended. Um, however, uh, it is true that, uh, the ability to monitor your network for, uh, aberrational events is becoming better and better and better. There's something, uh, let's call it last decade's new thing, that's called UEBA, right? User and Endpoint Behavioral Analysis, whereby we build up a, uh, a baseline of what's your average behavior, and when you do something, you being a computer, it can be a camera, you know, it can be lots of things,

when you do something that's two standard deviations from your mean behavior, an alarm goes off. Still, there better be a person to receive that and investigate it and make sure that it's not a false positive and you're not about to pull a trigger, like, you know, shut down some, uh, subnet inside a hospital that's got a whole bunch of insulin pumps behind it, or something like that.

So the people are still critical. The ability to detect, uh, has definitely improved. Um, there are statistical methods, frequency based methods, behavioral based methods, um, signature based methods, uh, reputation methods. There's all of these things. In fact, we use all of those. Um, so you're pretty good at, you know, identifying those events on a network that should be looked at.

You still gotta throw some people at this, you.

Um, to the board. I'm gonna see if I actually am learning from this process of this conversation, but at what point should we be considering outsourcing, uh, you know, our security practices? Because I, I made that mistake. I, I installed a ton of security, uh, controls, software, you name it. Mm-hmm. And, uh, then all of a sudden my team was like, look, each one of these things generates this many alerts.

This many alerts need to be, you know, gone through and, uh, signal, noise, false positives, and they were like, you know, we need to, we need to quadruple our team. Uh, which, whoa. So is there a point at which you just look at people and go, you're either, you, you don't have the scale to protect yourself and you're gonna need to look outside?

Yeah, absolutely. Uh, you know, I mean, this is, it's just with respect to, you know, qualified practitioners in cybersecurity, it's a seller's market, and so there are, uh, a lot, you know, especially rural hospitals, you know, critical care facilities, things like that. They, they do not have access to that market of qualified practitioners.

And someday that will not be the case. You know, we in particular, uh, the company are working on, um, uh, improving the education system in Washington state by monitoring downmarket cities and counties for free, using the data we collect as curriculum in, uh, partnership with a number of universities. But set that aside.

We are where we are today. And so it, it, it makes a lot of sense and, you know, frankly, we saw this coming some time ago, to have a focal point for qualified individuals that can be, uh, uh, allocated as a service. Um, that creates an efficiency that, uh, everybody understands fairly well. Um, you know, there's a, there's, there's a difference.

And, and, and you pointed this out, Bill, you know, you, you, you brought up the, uh, the, the, what we call alert fatigue. You know, all of these technologies are yakking at us all the time. And there needs to be some way to boil this down to the high value, uh, targets for investigation. Um, and then have the ability to confirm and then initiate response so that you effectively, you know, put out the grease fire.

Um, you know, now is, now is that day depending on which part of the sector you're in, right? If you're Kaiser Permanente, you have access to qualified people. You know, if you are, uh, a rural hospital in Idaho, and some of those are our customers. Not so much. So, you know, one size does not fit all here, but I think the ability to outsource your monitoring, detection and response, um, is, is really, um, um, carving out its own space here in terms of the value proposition for the health sector, depending on where on the sector you are.

So, um, you know, I actually, one last thing before I go back to our presentation. So I hear people say all the time, you know, there's two types of organizations, those that have been breached and those that will be breached. I mean, it is, is that still the case? It seems kind of fatalistic. It's yes and no.

Um, so there's an interesting term from the legal profession, the standard of foreseeability. And, um, let's just, let's, let's, um, talk about, uh, all those technologies that are, that are screaming at you all the time. Look at me, look at me. Something's going on. Look at me. Um, there have been, uh, a number of instances of executives that had to disappear,

um, Target being a notable example, because they had not adequately resourced the evaluation of all the alerting coming off their technologies, therefore didn't follow it up and therefore had their behinds, uh, handed to them. And because in the legal profession, this standard of foreseeability, and I'll paraphrase this: if you, uh, uh, fail to, uh, take action to mitigate a foreseeable risk, you are guilty of negligence.

And now this is not the kind of thing you pull out in conversation when you're in the board, but it is something that needs to be part of the conversation if you want to get an executive's attention. You don't say scary Russians and SQL injection. You say gross negligence, right. Uh, actually one, one last thing before I go back to our board presentation, and that is how should, you know, I just got my Equifax thing this morning.

Hey, if you, you know, if, if you're a part of this, you know, you're, you're eligible for protection and, and, and, uh, you know, a part of a claim, which I'm sure will end up being a $5 check. Mm-hmm. Um, how should, how should patients, how should end users be thinking about this? Or have we just grown numb? We're just like, look, if they have my Equifax data, they, they know an awful lot about me already.

You know? How should I be thinking about it? Well, I think it's a little different for health records. You know, it's true that we've been desensitized to this event, you know, and I, I joke around saying, you know, there are no records left to steal. You know, when they stole all of the records outta the Office of Personnel Management, they got my SF 86 form and my fingerprints, what else should I worry about?

Right? Uh, but when you are talking about, um, health records in particular, this is a, this is a different thing. Um, because this can be used, um, this can be sold to, for example, uh, and I'm not gonna, you know, insinuate that this is occurring, I'm just gonna say this is a possibility: insurance companies could be buying this data off the black market, and they could be using that to frankly, you know, manipulate, uh, you know,

uh, you know, premium costs and things like that. Um, and, you know, potentially denying people claims based on something that they found in a record. So, you know, health records have value over and above what their value on the black market is. And, you know, you think you might have a case of identity theft, which is another dumb word we use in my business; it's fraud.

Um, but, you know, the thing that keeps coming back to me is, um, the, we, we were talking a lot about the confidentiality of records. Um, one thing that's starting to hit the radar more and more is the integrity of records, because if I can steal your records, I can change them and I can make it say, no, you're not allergic to penicillin in that record, and then you could have a real bad outcome.

Okay. So, you know, I'm not saying this stuff is going on. I'm saying this is a threat. So, you know, when we're talking about the desensitization of, uh, you know, frankly the global population, uh, about this issue of records disclosure, I think health records are in a different class because of the potential impact there.

All right, so in the last five minutes, let's put, put our, uh, deck together. I hate that, that we're gonna put a deck together. Um, so here's, here's what we're gonna say to the board. We're gonna say, uh, lemme think about this. So we're gonna talk to them in terms of what they, well, first of all, we're, we're gonna educate them on what our threats and our risks happen to be.

It's like, you know, we're there, there's the, those five levels that we were talking about in terms of nation states all the way down to the, you know, unintended hacker who happens to get our stuff. I, I, I think I want them to understand, Hey, you know what, these are the people that are potentially coming in.

Here's the risk to us in terms of, um. You know, of events that we should worry about. Mm-Hmm. , we should worry about a breach of patient records. We should worry about a, uh, a potential, uh, health incident where somebody is tapping into our internet of things and, um, you know, changing something, uh, literally a cyber attack that could be considered a, uh, a threat on someone's life, I guess is, is a way to do it.

That would be the impact. Yep. Um. So we, we, we, we have to sort of frame up those potential, uh, incidents, uh, that that could happen within our health system and sort of give them a, a, a flavor of what they are and then what the impact to the health system, uh, would be. Right? Yep. And, and, and frankly, what the financial impact would be as well, right?

Because when we're talking about extortion, you know, patient care is threatened, but so are the finances of the organization. Um, so, you know, re relating all this to impact, which is . Up to loss of life. You know, I think this is the way to have the conversation and then, you know, let's, let's, let's estimate how much risk we can knock down by focusing on reducing the likelihood of a bad outcome and reducing the impact of a foreseeable event that could potentially end up one of those bad outcomes.

And talking about the amount of funding it will take versus the dollar level of risk that will have a positive impact there. So we've educated them. Then we're gonna talk about mitigation strategies. Then we're gonna talk about the things we're putting in place: measurement, controls, and response mechanisms for how we're going to address it.

And then we're gonna ask for some amount of money, right? Yep. And frankly, Bill, I would also make sure that we focus on the very high value actions we can take that will drive more of the problem off a cliff. Okay. So right now, credentials are king. Everybody's, you know, got stolen passwords, or they'll fool somebody into giving up their password.

That's phishing, right? Multifactor authentication makes 98% of that a non-issue, and that is a simple control to put in place. It may irritate some people for a while, you know, but we gotta get used to this, right? Especially when we're talking about doctors, researchers, things like that, right? They have a lot of sway in medical organizations, and they may be irritated by that, but this is what we have to do.

I would say secondarily, third party security management is really critical, because supply chains are being exploited for access to covered entities. And so that's another place where we need to focus. And finally, yes, we need to improve monitoring, detection, and response so that when an event happens, we make it go away as quickly as possible, so that we don't end up with the outcomes that we're trying to avoid.

Yeah. But what about the downstream partners? What about the business associates that we have? You know, are we extending our reach out into those business associates? Well, it's a requirement that we do so, right? Third party security management is a requirement of a lot of regulatory statements.

But what that usually ends up being is, here's my questionnaire, fill this out. And so we've checked the box. Okay. That doesn't do it. I really had a very interesting conversation recently with somebody who is the CISO of a payer, and this CISO was talking about an idea that I think has a lot of merit, and we're gonna drill down on this later when I.

How about if that covered entity conducted security monitoring for its supply chain, its business associates, its third parties? So then there's a higher level. Yeah, we got, you know, the checklist, and we see what kind of controls they have in place and what the corrective action plan is, but we monitor that network.

That doesn't have to be expensive; that can be put together fairly readily with open source tools. And depending on whether or not this particular payer is willing to set up a security operations center to evaluate that stuff, this is actually kind of a good idea. You're making a great point here, right?

Where, how much of that management do we do? And so maybe it's time to start having the conversation about, you know, monitoring your own supply chain. And I filled out some of those forms, and I'm sure you've seen some of those forms, and they're... Oh, yeah, they're almost comical. I mean, yep.

And you know, whenever you self-assess, you know, you can bet that a lot of those answers are aspirational. Absolutely. Well, Michael, thanks for coming on the show and thanks for joining us. Really appreciate it. Is there anything you'd leave our listeners with, or any way to follow you, or additional information?

Well, yeah, I'll say this. So our site is CI Security, you know, dot com, just CI Security, and there's a news tag there. And if you sign up for the daily IT Security news blast, every morning at 5:15 AM Pacific Time you'll get somewhere in the order of 20 curated articles, with the title, the money quote, and the original link.

We don't do creepy tracking. This is just for everybody's situational awareness. This has been going on for about 10 years, and it goes all over the place. There's always a section for the health sector. There's a section for the finance sector. There's government, there's privacy and surveillance.

And then there's just a jaw dropper: I can't believe this just happened. So it's a good thing, and that way you can, you know, just stay up to speed on what's really current, because we scrape the news every day to put this together. Fantastic. And, you know, I don't promote any one company per se on the show, but if you like Drex and you like Michael, I wanna give CI Security a call.

So, all right. Thank you, Bill. Thank you. So, this show is a production of This Week in Health IT. For more great content, check out the website at thisweekhealth.com, or the YouTube channel, also at thisweekhealth.com. Right at the top it says YouTube. Just go ahead and click on that. Thanks for listening.

That's all for.