This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack (the News): Summer Breach’s Surge and Hidden Security Lessons with Josh Howell

A solution that not only secures your data, but puts you in the best possible position to recover faster from a ransomware attack. So. Reduce complexity and make sure your data is protected no matter what cloud provider you're using or how bad the cyber landscape looks. Find out more on how Rubrik can help you elevate your cybersecurity game.

Check it out at this week, health.com/rubrik. That's R-U-B-R-I-K this week. health.com/rubric. Today on Unhack the News.

Josh Howell: the faster we cross pollinate, the faster we as vendors, customers, providers, practitioners, lawyers, you know, whatever can come to this is how to solve this problem.

. And now, this episode of Unhack the News. (Main) Hey everyone, it's Drex.

Welcome to UnHack the News.. I have Josh with me today. Hey, Josh.

Josh Howell: It's nice to be with you. Drex. Good to see you again.

Drex DeFord: I'm glad you're here. you know, This is, I think the first time that we've had you or Rubrik on UnHack the news. So why don't you gimme a little bit about your background. We were talking before we started the show.

It's really interesting. Tell me a little bit about your background. Tell me a little bit about the work you're doing now with Rubrik.

Josh Howell: A little bit about my background. I've worked in it since I was 15. A couple different countries came back to the us My parents worked for nonprofits overseas and went to college.

Industry and practitioners are coming together to try and address the scourge that's racking it these days. So I feel like I have a wonderful job in that. I just get paid to go and have interesting conversations and meet interesting people. Tony Lakin at UTSW and Brad Busick at MultiCare and, all these interesting folks that it's fun to hang out with.

So I feel really fortunate.

Josh is super humble. If you get a chance to sit down with Josh and have a conversation, he's not somebody who's gonna run you over but ask you a lot of good questions and share a lot of stuff that he knows, and I know that you won't say that, so I'll say it for you. I always have a great time every time we sit down and have a chat.

I always come away smarter. So

Josh Howell: yeah, the discussions about hair advice. If nothing else, I've been trying to implement some of your tips.

I mean, the point of this whole story is really just about the way that the [00:04:00] bad guys are just continuing to be relentless on healthcare. Tell me what you guys are seeing as you talk to health systems across the country.

Josh Howell: It's difficult because we want to have empathy for the organizations we talk to.

And we know that, the fear is already there. Nobody needs to be convinced that this is a problem to take seriously and deal with. And every organization was already dealing with tight margins, budgetary cuts. And at the same time that we've seen cuts to rates and reimbursement, we're also seeing this just proliferation of threats.

And there's a number of reasons for it. As one, they're increasingly targeting places where we can't live without that service. So healthcare, it's critically important. Downtime can be measured in lives and there is a massive litigation risk if data's breached. So there's a lot of organizations that we've talked to.

And yet we know that every time an organization pays a ransom there is an increased odds. They get hit again really quickly. I really feel for CISOs, CIOs and security practitioners who are caught in this perfect storm of haves and have nots of like, if you've got everything and you're all set you're in a much better shape.

And if you're trying to justify cybersecurity investments at this point that's tough, right? So, like, there's a few trends. Dwell times seems to be decreasing, so it's gone from, a high number of days to weeks to, in some cases a day or less.

Drex DeFord: I've seen some of the reports coming outta some of the organizations saying sometimes it's even just minutes.

Depending on how the bad guy's set up and how they get in they crack open the safe and start exfiltrating data within just minutes.

And. It's just highlighting again, how identity, if you were privileged enough to hear Eric Decker speak at HIMSS this past time. I sat there and just kind of put my head in my hands at some of what he was sharing, and we had a chance to talk again in Chicago and he's an interesting guy.

But unless you have the right tooling and telemetry to spot those things happening, in my previous career when I was last responsible for active directory I would've never noticed those things. I had so many other things to do, so. It's kind of mind boggling.

And there's always this tendency to think that the things that we have are the most important. And then I'm always coaching our sellers to like try and put themselves in the shoes of their customer and think about how what we do is one small part of the vast number of things that organization has to worry about.

Think about that CISO, CIO, VP of Infrastructure has on their plate in any given moment just as a way of understanding how to approach them or be a good partner. So it's what's the curse? May you live in interesting times, right? We do.

Drex DeFord: And interestingly, I think that's a Chinese curse, if I'm not mistaken.

Josh Howell: It's been so repeated that I don't know.

They've done them that way for a number of years. And so for them, that's what good looks like.

And of course they know the world is changing and the bad guys are, getting better and faster and smarter and using AI and doing all of the things. But they keep looking at their same tool sets as this is how we're gonna solve the problem by buying more of that, or turning up the volume on it or something like that.

Instead of really sort of taking a step back. And I think this is a. I dunno if it's a culture thing. I think it might be a little bit of an ego thing that they can't take a step back and say, if I could empty out the entire shoebox, what would I really put in here now? It's hard for people to sort of put that aside.

You see the same thing sometimes when you're talking to customers or when you're hearing from folks at many conferences that you go to.

I understand why we do them. But boy, does it frustrate me when we get an RFP that feels like it was written in the late 1990s. Yeah. It's just all about data protection, like the traditional classical, can you restore an individual file? And I'm like, everybody should be able to do that by now.

And it doesn't ask any of the questions about the new set of capabilities. Yes. I mean, that's human nature, right? So like we still call these things phones, even though. That may be the thing that we spend the least time doing on them. But that was the mental box that we had. So we replaced the phone with this thing and now it has all these new capabilities, but we still think of it as a phone.

Right, right,

Speaker 3: right.

They're not in rubric terms, like use it or don't, whatever. But yeah, there, there is a new set of tooling and it's actually something I'm kind of fascinated with is there's. The things we are talking to organizations about, the importance of having downtime procedures, of identifying the minimum viable hospital of critical applications of understanding that DR.

Measures won't save you. Because what you're really struggling with is this loss of trust. So if you want to get back online in a reasonable amount of time while the forensic. Investigation and remediation is happening to regain trust, then you're going to need an isolated recovery environment. And once you arrive at that, then the needs that you have around data protection and the tooling are completely different.

And so,

Drex DeFord: and you see that's why sometimes these things take 30, 40, 50, a hundred days for people to recover from because they keep Yeah.

Shooting themselves in the foot as they go through this restoration process. And they have to go back to the beginning and clean up and restore. So have an IRE having understanding I have this clean environment to start kind of a huge deal.

Josh Howell: It is, and the, This is what I'm fascinated with is like how we as a vertical, an industry, a sector as a society, we come to develop this body of knowledge together in that, a health system that gets hit, they responded to their attack, but it was very specific to them.

I'm just so grateful to them for having the courage and for having worked with their legal team to get permission to share broadly. This is what happened. This is what it looked like. Here's what we dealt with. Here's what we were unprepared for. These are the takeaways. If you do a few things, do these well.

Right? I've heard other CIOs behind closed doors say, don't quote me. I don't want my name attached to this, but here's what I would want to have everybody know. And so I really admired them for sharing the Ardent Health folks. So we take that knowledge and then we try and build it into products.

And then we talk with Mandiant and others is like, we're slowly kind of arriving at here's how you address this. In a practical, repeatable, tested way. Right. So that's just. Something that I spend a lot of time thinking about is like, how is we as an industry can do more knowledge sharing in the wake of what's a very sensitive event?

Drex DeFord: I mean, not to toot our own horn, but it's a big part of what we do with the 229 project and the CISO summits is that when you get those people in the room, they will talk plainly and clearly to each other even though they will from time to time say. This is just between us, right? but that's the whole point is that you can get it off your chest.

You're not alone. You can get feedback from others in the room. And for the partners who are in the room, there's a lot of great sort of insights about. How the whole situation came about and where they made mistakes going through the process to recover and getting back on their feet.

Like you said, everybody lawyers up the instant that it smells at all, like maybe there's a breach going on minutes later there's a class action lawsuit that's been filed. All those things that happen that are counterproductive in a lot of ways, it keeps everybody's mouth shut when they should be talking to each other.

Yeah. Other great organizations through the healthcare isac health Sector Coordinating Council all about trying to help folks share information and do better, especially in the heat of the battle when something's going on.

Josh Howell: Yeah. I like the Chatham House rules format that you guys have.

So we actually took a lap with a couple vendors who we don't compete. And so we started thinking about like, how could we give the lawyers. Better grounds on which to write those attestation letters much earlier in the process. And restore some of those services that have been cut off, out of an abundance of caution.

Sure. So it's interesting the faster we cross pollinate, the faster we as vendors, customers, providers, practitioners, lawyers, you know, whatever can come to this is how to solve this problem. Right? Yeah.

Drex DeFord: And get systems back up and running for patients and families. Right. That's ultimately what resilience is all about.

Josh Howell: Yeah. Drex, I, you said earlier, I wouldn't toot my own horn, but I'm going to now. Okay, good.

And it's really fascinating when you start to apply facts like you're looking at a 20 to 40% decline in patient volumes the first week after the encryption event.

Speaker 3: And

Josh Howell: that's just top line, right? There's going to be increased rev cycle leakage for the patients that you do treat and the care that you do provide will be less

thorough. You're gonna order fewer tests, order less labs, et cetera, because the increased friction of that,

Drex DeFord: they're gonna be less well documented. Right. So you're not gonna paid as much for them. Yep.

Josh Howell: And then the coding will happen later on insufficient notes that were taken by hand, and then the billing may be, or, late, so reimbursement and denials Yeah.

And. The work that we've done in this model we've built isn't trying to convince anybody of a number, but when you go through and you put some number in every category, you quickly start to realize like this is a board level discussion. This is a existential threat to a number of organizations. So I know, and it's public and it's been for a while, so we can talk about it, but like there was an article, SMP Health.

Publicly said that ransomware attack was the nail in the coffin.

Speaker 3: We

Josh Howell: couldn't bill for three months.

Speaker 3: Mm-hmm.

Josh Howell: Shut down. And so there's all of these facts and statistics, like there's a 30% increase in medical errors. Mortality takes a quote, slight but significant increase from three in a hundred to four in a hundred patients, which you could look at as small or you could say that's a 28% increase, plus I'm the one.

One of the things that always people ask me about when I walk them through the math line by line is that the notification costs can dwarf the actual class action settlement. Right. And people think like they think in terms of the large numbers that are attached to the settlement, right?

But they don't think about how in the immediate wake of an incident, the lawyers are asking who was affected, how many records, who do we have to notify? And if you get that part wrong and later you have to go back and well, you've already spent $3 per person minimum to notify them. And that can be. Two to three times what you spend in the class action settlement.

Right. And the

Josh Howell: Right. Yeah. And not to talk about us, but like, that's one of the things that we're saying, like if you can determine not the sensitive records that were on that server now, but what was on there 30 days ago. When this happened. What changed right around that time? Anything you can do to constrain that list and be as accurate as possible, rapidly starts to constrain the overall costs of the data breach, the litigation, the eventual class action, settlement, et cetera.

Actually, I'm gonna put out an appeal, if it's okay with you, if there's anybody who's works in fp and a or A CFO for it who is willing to answer some questions. We're constantly. Working to improve our model, to flesh out other categories around like cyber insurance. We know things like.

There's a 67% increase in marketing and public relations costs in the wake of a ransomware incident and data breach.

look at this is the risk number, right? Because any investment in cybersecurity, whether it's. Something related to Rubrik or it's perimeter security, or I-D-S-I-P-S-M-F-A, what have you, right? Manage soc. You have to start with what is the risk that we're mitigating? Is this warranted? Right? And the white paper from Deloitte, their whole point was that these costs and impacts are being systematically underestimated.

We are drawn naturally to the headlines, which are usually about the ransom, the data breach, whatever. But that there's actually these factors that play out over a decade. That it takes a decade for the financial impacts to all settle out. And when you aggregate those, it's an eye watering number.

Drex DeFord: would love to do that. If you send me the link to the Deloitte paper, I'll make sure we also put it in the notes. And I'm sitting here thinking, I feel like we should do another show somewhere down the road where we actually maybe walk through some of the math that you guys do.

'Cause I, you don't have to be a rubric customer to walk through that math with you, right? You'll help anybody kind of think through that process.

Josh Howell: Yeah gimme a call. We'll get on a Zoom and I'll punch in some numbers and you can help me fill in some others and I'll share the results with you.

So, again, like I've been on all sides of the table. I've been a customer, I've ran a channel partner, I've been at a vendor a number of times, and I think, you develop empathy for those other roles and you just want to be a good partner and give something of value back to the organizations you call them.

So happy to do it.

And some of it is just, I think, getting started. So it's cool that you're doing that.

Josh Howell: Well, it's a fun job. Like I said, I think I have the best, coolest job in the world. So, no,

Drex DeFord: I got the coolest job in the world. But everybody, you're close. I can, Hey, thanks for being on today. I really appreciate it.

Sometimes we really get into the news and sometimes we go down a side path, and I love the side path today. So thanks for taking me on the trip.

Josh Howell: Yeah, of course. Thanks for having me. And apologies for going off on a weird tangent, but if we can help in some way, we'd love to, and maybe this is one of those ways.

Sign up at thisweekhealth. com slash news. I'm your host, Rex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.