Newsday: LockBit Shutdown, Healthcare Conferences, and Navigating Cloud Security with Drex DeFord
Episode 3926th February 2024 • This Week Health: News • This Week Health
00:00:00 00:24:12


 This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on Newsday.

This idea of. Having pragmatic conversations, right? The ability to get the things that are actually useful, that when you go home you can do something about, are the things that happen in Starbucks, but it doesn't feel like often they're the things that happen on panels in the stage.   My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health. where we are dedicated to transforming healthcare, one connection at a time. Newstay discusses the breaking news in healthcare with industry experts and 📍 we want to give a big thanks to our Newstay partners, ClearSense, HealthLink Advisors, Order, SureTest, and TauCite.

Now, let's jump right in.

(Main)   📍 all right. It's news day. It's Monday, but actually Drex and I are recording this on Wednesday. Before we head out to Vive, and it's just Drex and I for this one. Hey Drex, how's it going? Good, how are you? Doing pretty well. It's great to work with you, by the way. That was the big news story last week, is that you joined This Week Health.

And really fun to be interacting with you this much. And don't think I've ever been this current on cyber security stories in my life.

it's great fun for me to put together a great team. The opportunity to come and do this, which, you and I have talked about this for a long time years and years.

But, this idea of if I wasn't doing what I'm doing maybe I'd like to do what you do. That has turned out to be Perfect fit for me, and so it's been a ton of fun. I love interacting with all the folks on the team, and I just, boiling over with cool ideas and things that we can do, and.

So your perception of what I do is but it's pretty easy. this is how you coast into retirement is doing what Bill does. Yeah, that's not really

true. I would say that I'm probably working harder now than I have in a very long time. But a lot of it is just, this really has appealed to the art and creative side of me, because there's a lot of creativity to what you do.

At the same time, there's a lot of process and, business thinking to the work that we're doing. And so It scratches all the itches, maybe is a good way to put it.

We're going to talk LockBit operations today. We're going to talk a bunch of things, but since this show is actually airing during the Vive event we should probably chat about that.

So we're a couple days ahead of time on this. what are you looking forward to? What do you think? We're going to see at this conference. What's the greatest value two conferences like this?

I think the greatest value is just the opportunity to see your friends, see people that you like, that you have long histories of maybe only seeing them once a year at one of these conferences, so you're able to get together.

And there's a lot of great opportunities to share information, right? And share. The work that you're doing, the things that you've found, the stuff that you've discovered. A lot of it is the after hour dinners and drinks and, those kind of conversations are incredibly valuable. Of course, you're going to get good stuff, I think, at the conferences, too, because some of your friends are also going to be the people on stage.

Some of the people that you follow on social media are going to be the people on stage and you're going to be able to hear them talk about, you Some of the work that they're doing, successes they have, and hopefully some of the failures that they've gone through because you and I both know you learn a lot more from stubbing your toe than you do being successful

So setting the right expectation, though we don't hear a lot of failures from the stage. if you're on a panel, there's four people up there. You got 45 minutes maybe an hour, which means your talk time is less than 10 minutes. And when asked the question, you're not going to sit there and go, yeah, man, we really screwed up rolling out that Epic module, man.

I tell you, I just, I didn't get in front of the project management and those. We tend to get a lot of, wow look at the great thing I did, or we have to be, I love the things that are so broad that they have no value whatsoever. It's we have as an industry need to be start thinking like consumer.

We got to be thinking about the consumer. I'm like, great. Just give me one or two examples. That's all I'm asking for is just one or two examples where your health system has adopted a consumer mentality. this format, if you will the panel discussions and whatnot. I'm a little disenchanted with it.

probably because I've been going to the 229 project events and we get, we have real conversations and I feel like if you're saying that here, why don't you say it there? I understand why they don't say it there. Why would you, if you got 10 minutes to be on stage, tell everyone what's going wrong.

And you're making, you're on stage, you're in a panel, you're in front of, 100 people or 200 people or whatever the number is. Somebody's recording you in the audience. You're going to say the most careful version of whatever it is that you say, and those often turn out to be platitudes.

You don't talk a lot about the problems or mistakes that you embraced. Some people do. This is not, I can't say everybody's in that category, but the idea of being able to I feel like I'm doing a little commercial for the 229, round tables, right? The ability to sit down with those people and actually unburden yourself about all the things that suck and all the things that are good in the same place is pretty awesome.

Yeah. So where that happens though, so at Vive, where you and I are going to have those conversations are in the hallway. At the bar, at Starbucks. That's where we're going to have those conversations. We're going to grab people. And it's funny because I tell people this all the time. It's like the best part of my interviews I don't record because it's the five minutes before we record and the five minutes after where people are honest with me look, they don't want healthcare IT or worse.

They don't want the Wall Street Journal listening to the conversation and going, hey, that's newsworthy. That guy's saying that this major health systems You know, situation is whatever

especially in the era of clickbait, like they look for the one super negative thing they can turn into a headline.

So yeah, no, everybody's in soundbites and nobody wants the bad soundbite.

I was on stage in San Diego and I took the bait and moderator said, Hey, be provocative. I can be provocative and I was just sitting CIO. And so I was provocative. I said, eHRs today are some of the most poorly written software I've ever seen.

I'm new to healthcare, blah, blah, blah. I said that, and I've heard other people say it. It's not, I'm not the first one to say it, but it got picked up in the news and got reported as, Bill Russell, CIO for St. Joe's, bemoaning the state of the industry. And they made me sound like just A bitter old man who didn't like the software he was given.

I'm like, okay, and so that happens to you once and then you're like the next time they say What do you think of software? There's a lot of great people working on this software and really runs hospitals very effectively. it's more of a, it has to adhere to regulations.

It's very complex, and you just say all these. platitudes, as we say, because you don't really want to get quoted later, but you and I will have great conversations at this event. And the reason we go is we're going to see our peers. We're going to get off on the side and we're going to have these conversations and we're going to hear it's yeah, man we just finished our workday implementation.

It went great, but here's the two or three things that we're struggling with workday that they're never going to say from stage. But we're going to get that information in those, five minutes of a discussion. And that's what's valuable to the CIOs. It's that trading of Hey, how did that implementation go for you?

Cause I'm getting ready to do one. where the

landmines are. Here's where the booby traps are. I was having a conversation with a friend the other day about like the specificity of language and this idea of. Having pragmatic conversations, right? And he uses that word very specifically.

The ability to get the things that are actually useful, that when you go home you can do something about, are the things that happen in Starbucks, but it doesn't feel like often they're the things that happen on panels in the stage. Not always, but I think you're way more likely to pick it up in a conversation with a small group in Starbucks.

Those pragmatic nuggets than you are in the broader audience.

somebody said to me, hey, this is my first VIVE conference I'm going to, or first large healthcare industry conference I'm going to. What's your recommendation? And my recommendation was know what questions you want to have answered.

prepare ahead of time. It's I would like to talk to somebody who's done. Or three people who have done an ERP solution. I'd like to talk to somebody who's done an enterprise imaging solution. I'd like to talk to somebody who's tackled this security issue. And then as you go around, you have those two or three things, and you go to people hey, what are you doing for ERP?

Oh we're on Infor. Are you planning anything different? That kind of stuff. You can be ready to have the questions that you want. Otherwise, The event will happen to you and you will just flow through it and get on the other side and you'll feel good But you'll go back and you'll sit at your desk and go Man, I wish I'd asked some people some questions.

Yeah, I didn't get my questions answered. And all of that kind of presupposes that you are connected to the people that you can sit down with to ask those questions, to get those pragmatic nuggets that you can go home and do something with, right? That's not always the case. A lot of people show up to these conferences.

They mostly do the work in their health system. They only maybe go to this conference or these conferences once a year. And so making those connections with others turns out to be a really important part of the effort that you need to go through at the conference too.

I will tell people if you see somebody on a panel discussion and they're coming off, they're going to get mobbed by the vendors.

And that's just the nature of these carnivals. The vendors are going to sit there and they're there. And they get, quite frankly, I don't fault them. They get measured by the conversations they have with these people. But I will tell you, if you're with a health system talking to a health system leader who just came off there, they're going to be happy to talk to you.

Because you're not trying to sell them anything. It's more I heard you talk about this. I know now might not be a good time, but I would love to just grab some time with you. And I have a, my best story of that is, Ed Marks had just finished presenting it back at the at that time, I think he was with Texas Health Resources, and it was a really well attended session.

And I just walked up to him. I'm like, Hey, we're having a challenge at our health system on this, and he goes, you know what, here's my number, call me. I'm not going to have time at this conference. Call me. So I called him. We connected our teams, had great conversation, that kind of stuff.

know a very few health system leaders. that don't think that way. They want to help each other.

Absolutely. I've been on both sides of that conversation, right? Where I've made a presentation and somebody came up to me afterwards and was like, can we dig into that a little bit more?

This thing about lean or the stuff you're doing with infrastructure or whatever the topic was at the time. And yeah, going back and getting teams together, not only connecting the CIOs, but connecting the folks in the organization who are doing the work, that turns out to be super valuable too.

So the connections that you're making at those conferences, especially healthcare leader are good for you, but they also can be great for your team because they may even get less exposure to their peers and other organizations because travel budgets are what travel budgets are right now.

They might not be able to go anywhere, but you can help facilitate that. Yeah,

Can I give you my one last pet peeve and then we'll go on to the LockBit thing because it's a, it's big news. My last pet peeve is people who keep reframing the problems with health care. it's the payers are getting paid too much.

There's a monopoly around these drugs. There's, and they just get up there and they start talking about these things like they're telling me something new haven't heard 10 years ago and then regurgitated every year after that. It's Stop. Take the two minutes you need frame up the problems of health care.

But then, for the love, start to get to, some sort of solution. I've seen people do a whole presentation on the problems of health care, and I'm like why did I sit through this? I don't want a gripe session that doesn't lead to anything. we need to make progress.

Sorry. Depending

on your mindset too, though, right? Sometimes it's misery loves company. And so it just feels good to sit in front of somebody who reaffirms that. all the problems that they have, you have too. It doesn't get to the problem solving part of it. And that's where, again, a lot of these connections can make sense.

When you're speaking from a stage about problems, you're not solving them. When you're sitting together in groups, you can talk about problems and about the things that you've done to solve them. And it's just a very different Starbucks conversation versus the stage.

  📍   In the ever evolving world of health IT, staying updated isn't just an option. It's essential. Welcome to This Week Health, your daily dose of news, podcasts, and expert commentary.

Designed specifically for healthcare professionals like yourself. Discover the future of health IT news with This Week Health. Our new news aggregation process brings you the most relevant, hand picked stories from the world of health IT. Curated by experts, summarized for clarity, and delivered directly to you.

No more sifting through irrelevant news, just pure, focused content to keep you informed and ahead. Don't be left behind. Start your day with insight at the intersection of technology and healthcare. This Week Health. Where information inspires innovation. 📍 Increase 

All right. So this story comes from Hacker News.

It is contributed by Drex to Ford. So fill me in. LockBit ransomware operations shut down, criminals arrested, decryption keys released. What's going on?

Yeah, it's LockBit is a big time organization, Russian based. There were a couple of individuals indicted. LockBit not only does the ransomware work themselves, they also run franchises.

So they do ransomware as a service. So there are other companies. That are adversaries who use their services to run their own ransomware schemes. As part of this, they apparently, the good guys went in and shut down infrastructure, tore down servers. Identified a huge number of these people that were involved, including the ransomware affiliates, and harvested a bunch of keys that now are going to be in the good guy domain, so that if they're ever used somewhere, we have sets of keys we can actually try to help organizations unlock.

look, I don't, I want to say, yay, hooray, this is awesome, because it is, but I also know that. This world is a vacuum. And so as soon as somebody is taking out, somebody's going to slip into that vacuum and do a lot of the same work. This is good. This is a great blow against cyber thugs and a good.

Her courageous moment for the heroes and the good guys but it doesn't solve the problem. It's just great to see that when you gather enough information, you work hard enough, you can actually have this kind of a pretty major effect on cybercrime and cybercrime syndicates like LockBit. maybe those lessons can be used again and again.

How is cyber,

Crime being viewed by the courts? Will these people do time? Will they do significant time?

Yeah, so actually published a couple of stories on the two and a half minute drill in the last couple of weeks where individuals were indicted. They may have been irretrievable because they were in parts of the world where we don't have extradition treaties.

They go on vacation to Switzerland. There's a pretty heavy duty surveillance process on these folks and all of their aliases and their movement. They're found in Switzerland, they're arrested, they're extradited to the U. S., they're put on trial in the U. S., and then they face sentence. They go to jail, sometimes for, in some cases recently, 20 year sentences.

There's definitely, I would say, It's not like we're loaded with good news, but there is on occasion good news, where these cyber thugs are taken down and they actually go due time. All right,

Drex, I'm not going to let you end on good news. Okay. Recent zero day could impact up to 97, 000 Microsoft Exchange servers.

it's really interesting because your former company's CEO, Just has railed against Microsoft and for no other reason, scale is the reason that is appropriate, right? Because when there's a Microsoft problem, it's 97, 000 servers. Everybody's got it.

everybody's got it.

So somebody at some point after sort of some of this railing, because I, I've done it for a long time, even before I, joined my former company. I had this irritation a bit with Microsoft and somebody sent me a t shirt and said there's no Exploit Wednesday without Patch Tuesday.

And, that is just the reality of patch. That's obviously a thing that you have to do and you have to try to stay on top of, but it's it's actually really difficult to do. The kind of nugget of this story I think sometimes when I talk to health systems is that big things like this happen and it turns out they're really hot.

There's more of these emergency kind of patches, big exposures, things like that happen, and your team has to go patch those things. And when they do that, Sometimes, unfortunately, that means that they have to take those services offline. So you have to be down for a little while those servers get patched to the, that other work gets done.

That's the reality of the life that we live in right now. If you don't like it, I guess there's more investment to be made so that you make sure that you're never down and you have a duplicate of everything and all of that. But this is also a great opportunity to exercise your business continuity planning, right?

And see. Can we actually work while we're down for the four hours or the two hours or the 30 minutes or whatever it takes to do these patches? other part of it, I would say, is that there's another problem for things like this in general. And that is that we realize there's a problem, there's a vulnerability, but because we don't know of everything that's in the inventory, We may be exposed and we don't really know it.

So the whole other idea around managing risk is that you have to know what you have in the inventory and how you may be exposed and what operating system it's running and a whole bunch of other stuff. And, We know guys who can help you with that, so feel free to, drop me a note, but a lot of this stuff is it's fundamental baseline kinds of things, if you have them squared away, you're more able to deal with these things when they come along.

I think it was Boxworks, I spoke at Boxworks, it wasn't a panel, it was just me. about something. I don't even remember what I was talking about to be honest with you, but there was a Q and a session at the end and somebody said, do you think healthcare will be reluctant to move to the cloud because of security?

And I remember my response then was, I think healthcare will move to the cloud because of security. And I just think, and it was a flippant answer. And, platitude here is they have more people to oversee security than we do and they have better practices. And I think depending on who the cloud player is, that's probably true.

And, definitely true in a lot of cases. But we do have these, every now and then you have these like Kronos kinds of things, which remind us that, hey, you know what, you have the same exposure. You still are responsible for those things. But I still believe that the cloud architecture is just fundamentally.

better from an architecture standpoint than it's definitely better than the legacy architecture we had in health systems. And then the question becomes, have health systems kept up on the retiring tech debt and moving to new architecture in order to stay ahead? And if they haven't, then moving to the cloud really does.

Provide them a leg up on security.

Yeah, I think from a resilience and modernization, responsibility and all of that, you're much more paying a utility bill than you are trying to, rebuild or remodel a part of the house every year, which is the. Legacy versus cloud state of affairs.

I will tell you, though, that like doing security in the cloud is nothing like doing security on premise. And like most of the breaches that happen in the cloud today happen because there are misconfigured servers, meaning they leave ports or something open that There's no hacking involved.

the bad guy just has to find the folder or the file, the application, and then they can exploit it from there. And the other part is excess permission. So identity has become a big part of the conversation today too. And oftentimes. When cloud services are provisioned, they provision tons of capabilities, so that the analogy would be you say, I need to drive my car, and so what you're issued are keys to all the cars in the neighborhood, even though you don't need them, you just, I'm only going to drive this one car, but you keep all those keys in your house.

And if a bad guy gets into your house, he gets keys to all the cars across the entire neighborhood. Those same kind of misconfigurations are the things that make cloud really of IoT. scary and more vulnerable in many ways than the on premise stuff. Why

don't we hear about big like an Epic cloud breach or a Cerner cloud breach?

Why don't we hear about those?

I think a lot of it has to do with the discipline and professionalism that goes into how those Clouds, how that those capabilities are run and maintained and the discipline around everything concerning those. This is the sort of overlap now of not only cloud security, but cloud and IT operations and how everything's connected to everything else.

So if your folks do a really good job and they have good discipline and good procedures and protocols, you can keep those things secure and then that creates a better situation for. being able to defend those things. If you're an amateur at it, you have the tendency to make mistakes in the configurations and the operations, which leaves you open and vulnerable in ways that, uh, that obviously cause a lot of problems for you and your organization.


Drax, I appreciate the two and a half minute drill. It has been Great addition and appreciate people can find that out on LinkedIn. And they can track us down. You and I are both going to be at 5. Or, actually, as they're listening to this, we are at 5. Track us down. We'd love to see you.

We'd love to talk to you. We'll probably be the ones in the 229 church with the quarter zips and that kind of stuff. Hard to miss us. Hopefully with, if you see us with Captain, absolutely stop by and take a picture.

Oh my gosh, he's the best boy and you totally should give him a head rub and take a picture.

Gather up all your friends and take a picture. And I did

get this email, that what if I'm allergic to dogs, how do I participate? And here's my answer to that. It is find Drex to Ford and get a picture with Drex to Ford and post it. On LinkedIn and put Captain Lemonade on it and anyone in that picture will go ahead and give a dollar for everybody in that picture.

So that's Are you saying I'm like a suitable dog substitute? I'm just saying, only for those people who have a challenge with dogs, they can play where's where's Waldo with Drex? It's where's Drex? Find them, get your picture taken with them, post it, and we will accept that as well.

You can do it with me, too, if you want.

hashtag Captain Lemonade, hashtag I'm

allergic. I'm allergic. Yeah, that would work as well. We're having too much fun. This been great. I appreciate you being on board, and I appreciate the time today. Thank you very much.



  Thanks for listening to Newstay. There's a lot happening in our industry and while Newstay covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers Expertly curated health IT news straight to your inbox. Sign up at thisweekealth. com slash news.

Big thanks to our Newsday sponsors and partners, ClearSense, HealthLink Advisors, Order, Shortest, and TauCite. You can learn more about these great partners at thisweekealth. com slash partners. Thanks for listening. That's all for now



More from YouTube