This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Newsday: Salesforce Breach Spreads and New Liability Era with George Pappas
Make cybersecurity a priority, not a headache. Cyber attacks put patients at risk and cost healthcare organizations millions. But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable, and they feel little control over the safety of their patients, resources, and healthcare.
Reputations are bottom line. Intraprise Health brings together cybersecurity experts with over 100 years of combined experience in healthcare to offer a comprehensive suite of innovative software and services. It helps leaders finally unlock a unified, human-centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives.
Visit thisweekhealth.com/intraprisehealth to find out more.
Drex DeFord: Hey everyone. I'm Drex and I have George Pappas with me again today. How you doing, George? Good. Great. Drex, how about yourself? I'm great. I, you know, one of my favorite guests. We always have a ton of stuff to talk about. How's everything going in general, though, before we get started?
George Pappas: Great. Great. Looking forward to the fall after an interesting summer. We're cranking along and the industry gives us plenty to talk about, doesn't it?
Drex DeFord: It does. And I curse you for calling the end of summer. That's not, no, I'm just kidding. I know. I'm trying to stretch it out as long as I can too. There's a bunch of good stories that we kind of did a little prelim discussion on.
[...] all those kinds of things. [...] Pretend none of us know anything about anything.
Tell me about SBOMs, why they're important, and what this story kind of tries to drive home.
George Pappas: Yeah, I would basically say, you know, the SBOM is like an ingredients list on the side of a package you buy in a grocery store, right? Mm-hmm. But it's supposed to be thorough enough and useful enough so that we can look in the ingredients and say, well, do I really want 5,000 milligrams of sodium?
Well, maybe I don't, and you know, by the way, this other ingredient, is it aged past its due date? How safe is it? Right? And now I'll kind of carve it and relate it to software. Does it use open source or the modules? What's going on there? So it's a useful notion that's actually been out there for some time.
[...] at, you know, the government [...] A lot goes into that.
[...] of liability and, you know, [...] that have to adjust if more accountability's gonna adjust. Or we need safe harbor or something. You know, Senator Warner talked about it like almost three years ago now, right? We need some measurement and management of the liability environment that we all operate in to really address the problem.
And there've been some good proposals, but the other dynamic to this is that third party risk is about more than just the ingredients in the package. It's right. What are the security management practices of the thing you're buying besides ingredients? And the article talked about the lack of integration to the vulnerability database, right?
[...] needs to happen is that what's [...] Are they, yeah, they're security program compliant, right? Or the company that's making the software, the hardware. Yeah. Is it HIPAA? Is it SOC 2? NIST or HITRUST? Right. So that wasn't really talked about. Another thing that we've been doing a lot of work on at Intraprise, in our products to help people consolidate and build security programs, is building our systems using NIST OSCAL, which is an open controls and assessment language.
So these are all coming from NIST in various shapes and fashions, but someone has to bring them all together.
Drex DeFord: Yeah.
George Pappas: So there's a more holistic picture of what's really going on besides the ingredient on the box.
Drex DeFord: Yeah. Ingredient list.
George Pappas: You know,
Drex DeFord: I like that. I think that too, when you think about healthcare in general, we're not, generally speaking, we're not builders.
[...] right. And then maybe put some [...] More and more, not only did we get outta the baking business, right, but we're not even keeping the bread in our bread box anymore, right. We went to the cloud. And so more and more software as a service, more and more of those things were being built with ingredients that were opaque to us.
Correct. We didn't know what was really happening inside of those applications. Right. So to your point, this becomes sort of like the ingredient list. What are the things that you're doing inside that application? What tools are you using? What databases are you using? What protocols are you using? How are you doing a lot of things inside that.
What kind of sometimes turns out to be a black box.
George Pappas: Yes.
Drex DeFord: Getting that set up so that we can actually sort of see it and understand it. But your point being too, like that's just one dimension. Correct. Multidimensional issue.
George Pappas: Right. And [...] because the federal government's slowing down in some of this. Right.
Drex DeFord: Right.
George Pappas: And a law in Maryland that would've required a more explicit third party clearinghouse went through the legislature, but was vetoed by the governor at the last minute. So you're seeing at the local level an awareness that there needs to be a little more precision.
Just like the HIPAA NPRM that has not been put into law yet had more explicit third party requirements that have not been in the HIPAA security risk assessment, you know, for the last 10 years or so, right? So there's a recognition of that and that's coming, but it's not here yet and we have to operate today, you know, so
Drex DeFord: that it is almost like there's, maybe there's something coming eventually, right?
[...] sort of two camps. One is the [...] It's the right thing
George Pappas: to do.
Drex DeFord: Yeah.
George Pappas: Well, it's the right thing to do. And by the way, this is another very important angle here. The liability pyramid that systems are facing now, when there's an event, goes far beyond regulatory. It always has.
Drex DeFord: Yeah.
George Pappas: But you look at the last trailing 24 months, because we look at the data, the number of class action lawsuits, it's up like 10x.
Drex DeFord: Yeah.
George Pappas: Now, if you take Change out, because that was obviously a massive event, it's still up. I'm sorry, four and a half or five x, right?
Speaker 3: Yeah.
George Pappas: But when you look at what's in those class action lawsuits and the settlements, HIPAA does, it's, what's the standard of care? You knew, you didn't do anything. There's a very different barometer now on risk, right?
[...] was a, and now how is cyber [...] They had an event, it's about an $18 million breach, and the story, yeah, they were not covered because they didn't implement the items that were in the conditions of the policy that they stated they had.
The noose is getting tighter. Even while the regulatory part is still kind of rattling along.
Drex DeFord: Yeah.
George Pappas: So it's interesting.
Drex DeFord: It's interesting too. I, to your point, I just read a story the other day. There are more personal injury lawyers now getting in on this data breach.
Yeah. You know, so like the motorcycle lawyers and the car accident lawyers are now becoming data breach lawyers. Yes. And so they're all over it. And it's, you know, this is like, I don't know, I missed the commercial, usually there's something on TV. Have you had data breached in your health system?
Right. Call 1-800-GEORGE now, and
[...] novel about this within the [...]
Drex DeFord: That'll tell you it's really arrived. Then he's jumping on the top, on the very, very tippy top of the wave on this.
Yes. I wanna ask you about another story too. There's a whole mess of things that are happening with Salesforce customers around the world. And I know that you've been following that story closely. Tell me what you think about what feels to be just lots of big companies who just are in trouble, not because of something they did, back to the third party kind of element of this, but because of something that is happening in their Salesforce instance. How'd this all happen? How'd it come together?
George Pappas: [...] credential here to be used over [...]
Drex DeFord: Yeah.
George Pappas: You know, these cyber criminals are pretty clever. They can test the edge cases. Right. And in this case, you know, there was a, it was like a, I think it was a customer service AI sales agent that used a, I'm looking it up right now.
Drex DeFord: I read this story, this other part of the story, just the other day.
George Pappas: Yeah.
George Pappas: Yeah. Use the, you know, an API. Oh, SalesLoft Drift AI. Yeah. Correct. SalesLoft, right. So, right. Good thing people wanna do. Right. API access into Salesforce, because if you do a customer, you have to look up their thing. You have to tell them this, tell them that. Well, the cyber attackers were clever enough to use the weakness in that, or whatever had really happened, to get access into those accounts.
Yeah. Guess what they had there? Who did they breach first? By the way, all the cybersecurity companies, notice that.
Drex DeFord: Yeah, exactly.
George Pappas: They stole AWS credentials.
Drex DeFord: Yes. A [...] combinations that are stored. [...] Okay, it's, and they're reaching into Slack because the, you know, the customer service bot on the website also has access to Slack. It's also got access to sort of Google Drive material, right, in some cases. So that, thanks for all the APIs. They're really awesome and they let me connect my tool to lots, you know, to lots of other things.
But in the spirit of, and I say this all the time, everything's connected to everything else. You find a tiny crack over here and it's really easy to make those hops.
George Pappas: Right. And you know, to me, what was also very interesting about this, of course, it's still relatively new, we'll probably hear more in a little while, but Salesforce has Health Cloud.
[...] But the bigger picture, [...] You know, so last generation integration. Now we're gonna be doing these AI agents through these, you know, MCP layers that are more dynamic and flexible. We talked about this last time. I mean, how are we gonna really measure that, you know, and how are we gonna really do our best to trust, as well as we can, the veracity of these accesses and the safety of what an MCP layer is gonna allow to happen inside of a system like that.
[...] agreements. So we wanna have [...] Well, this is gonna require a new level of that.
Drex DeFord: Do you think AI is gonna be able to help with this? Is, I mean, I hate to pile on AI. I think so. AI, but
George Pappas: Yeah. Used in very targeted fashions. I mean, already.
Drex DeFord: Do you have an agent that's watching all these APIs, or an agent that's watching each API that maybe has some specific kind of
George Pappas: Yes. Absolutely, yes. Discover patterns. It's all pattern recognition. Mm-hmm. So that's why there's a lot of promise. I mean, in our product work, our AI integrations have had massive productivity improvements. We're just getting started. So I agree with you. There are patterns to be seen, patterns to be handled, identified, automatic shutdown to happen, right?
[...] is really. Right. Epic as a [...] Right?
Drex DeFord: Yeah.
George Pappas: So how are they gonna do this, right? Yeah. Now I'm sure they can be as stringent as they choose to be. Right? And the best, most important way possible, which is certainly understandable and, given their level of execution, would be, you know, expected. But you know, what will that bar look like?
What will that mean for everybody else? I think that is a pretty important question, because MCP as a concept is very interesting, but executing it securely in some ways I think is, yeah, a lot more complex than building the original system. Original systems were designed for finite states.
Drex DeFord: Yeah.
George Pappas: So there's a lot going on there that I think we're, you know, in the very early beginning.
So, it's [...]
Drex DeFord: [...] government. They've been on a [...] Clearly, I mean, it's really easy to just kind of do a search on this, but every day there's a state or local government or department in a state government that is breached: judicial, you know, major cities, small towns, police departments, right on down the road. There's a series of industry groups that are asking Congress to expand state and local cyber grant funding because a lot of this work is kind of coming to the end. What's your take on this story?
George Pappas: Well, first, I hope they not only renew but expand it, because in the article they talked about the group asking for it to be more than tripled in size, which shows the extent of the need.
I kind of foil that back to [...] I remember, you know, resources, margins, et cetera. And you know, that ended up not getting passed. But you know, we keep saying we have a problem. These are obviously public entities. Critical infrastructure too, right?
Drex DeFord: Critical infrastructure too, right? The 911 system, does it work? Exactly right.
Can we flush the toilets tomorrow? Right. And is the hospital open? Correct. So is the emergency department running?
George Pappas: [...]ing, but at least I hope the [...] But it's a bigger window onto this infrastructure need that we have. And you've seen attempts to address it. You know, Microsoft had this kind of in-kind program for a while. Sure. They did some good stuff.
Drex DeFord: Yeah, right.
George Pappas: There are others, larger organizations that can do that, but.
Drex DeFord: And there are some states that have stepped into that gap for their own hospitals, New York and others. Yep. Right. With their law and their funding.
George Pappas: So, but we are nowhere near a systemic problem and every year we don't, the adversary gets smarter, more adaptable.
Drex DeFord: It is compound interest, right? Yes. I mean, the more that we don't do what we're supposed to be doing, the worse. Yeah. Linearly, the problem feels like it gets, yeah.
The more exposure that we have and the more risk, the more actual impact that could happen from an attack.
George Pappas: [...] second, there were like, three [...] They make a care decision or there's a medical error. I mean, medical errors happen all the time anyway. They still do. Adverse drug events is kind of the nomenclature we use in the biz.
But you know, these things are happening more when a team doesn't have access to certain tools that are offline because of a cyber attack.
And people, it's a complex service. Healthcare, they're in harm's way. The
Drex DeFord: The other thing that I hear, and I've talked about this before all the time, when a system is offline, cyber attack or not, just when the EHR is down, I often get calls from friends who are clinicians, doctors, nurses, others, who worry about their own.
[...] So, all in an environment [...] Thanks. One connection at a time. Right. Thanks for being on the show today. I really appreciate it. It's always fun to talk to you.
George Pappas: My pleasure. Take care.
That's Newsday on UnHack with Drex DeFord. Get daily security insights delivered to your inbox, because every healthcare leader needs a community to lean on and learn from. Sign up at thisweekhealth.com/subscribe and stay safe out there. I'll see you around campus.