Interview in Action @ HIMSS '23: Jim Hyman, Ordr & Keith Whitby, Mayo Clinic
Episode 77 • 31st May 2023 • This Week Health: Conference • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong

interview in action from the:

Special thanks to our partners CDW, Rubrik, Sectra and Trellix for choosing to invest in our mission to develop the next generation of health leaders.

You can check them out on our website, thisweekhealth.com. Now onto this interview.

t. Here we are from HIMSS:

Sure. Yeah, I think the conversation is really centered around the journey towards zero trust and what Mayo Clinic has been able to achieve working with Ordr together, and really giving folks the idea of what it takes to go and start that journey. So zero trust is a big word now. I think everyone talks about it.

Not everybody thinks it means the same thing. And so I always look at it and think zero trust kind of starts with a single step along the journey. And Mayo is the gold standard in that process from a security perspective. And so hearing from Keith kind of what they've done, how they've done it, and how they've organized it is going to be really interesting.

Yeah, we have ten minutes, so you're not going to be able to give us your entire journey. But give us an idea of some of the things that you've done to start the process.

Yeah, so, just to clarify, I'm responsible for all of the medical equipment support and lifecycle management at Mayo Clinic.

My organization sits within IT, and so we own pieces and parts of that more global journey. And what we're going to talk about today is really, fundamentally speaking, how we, Mayo, as an organization have invested in the people, the process and the technologies to be able to move down that path towards maturity and securing our organization, specifically the medical equipment, medical devices.

So when you're starting, zero trust in its simplest form is trust nothing. Right. Assume they're on your network. Assume they're there. And then verify. I mean, am I oversimplifying it too much?

I think the theory of it is what you stated. I think the practice of it is much harder.

And so the days of just taking devices that you think might be vulnerable and moving them away into a cell somewhere where they can't touch anything, those days don't really exist anymore. Devices are all communicating, and so the idea of trust nothing is true, but you still have to be able to use these devices, especially in an environment where some of these devices are there for a long time.

So it's way more complicated than that, but that's the basic theory, yeah.

When we talk about the devices, what kind of devices are we talking about? What encompasses the attack vectors today that we're concerned about in protecting these?

Sure, I guess my specific area of expertise is medical equipment, medical systems, and facilities IoT devices within the Mayo organization.

Obviously, the attack surface is far broader than that. It could potentially be any connected device sitting in the organization.

So, where does it start? I assume it starts with... As a CIO, I remember I would ask for inventories and every time I asked for it, I got a different number. And I was like, how can we never get to the one number?

Absolutely. That's actually the starting point, I think, of our journey. And that's really kind of the fundamental reason we brought Ordr in initially: to, in a passive fashion, be able to provide better clarity around the inventory that exists within the organization, specifically the medical IoT and the OT type technologies that exist within the organization, and really streamline the amount of time and energy and effort we had to expend sending technicians and other folks around our organization to track down and capture very specific detail about our fleet of medical equipment and our fleet of OT. We've leveraged Ordr as the starting point in our journey to really streamline that effort and really capture great, crisp, clear, normalized data that can be stored in our Nuvolo, which is our computerized maintenance management system, and subsequently CMMS databases.

The inventory, what do we, now clearly we want to know the hardware. But a lot of times the software, I remember some of our devices, I hope this isn't the case anymore, but some of them were on Windows XP, and when I saw that, I just said, shivers through my bones. I mean, I assume we're inventorying more than just the hardware itself.

Absolutely. There's many, many data attributes around the hardware that sits in our inventory. There's a lot of software information, software data. Obviously we're constantly working on ways to refine the data that we store about each specific asset. We're leveraging tools like the software bill of materials that we're capturing from vendors.

We're leveraging the MDS2 documentation that we're pulling in at intake. We're leveraging tools like Ordr to try and capture the best picture of all of those factors related to the medical equipment and the OT that we support.

I want to come back to the session.

I'm going to come back to you, because I want to talk about the people aspect of this, and bringing the culture along. Jim, I want to come back to you and ask, what are going to be the takeaways from your session this afternoon?

Yeah, I think that the journey towards securing medical devices for a lot of folks is a scary one, because it seems very big.

It's hard to know where to start, and I think one of the things that, I mean, Mayo, again, is kind of the gold standard from this idea of a security perspective around medical devices. And so the two takeaways for me, one is, and I think Mayo's done a really wonderful job and Keith has done an amazing job in getting consensus around the organization, because as he says, he doesn't own all of it.

And yet the networking team and the security teams, the biomed teams, they all need to be involved in these conversations. So the first takeaway is this is not a singular effort by one person. It's a group effort. The second piece is it's a long journey. And so we always say, you know, every long journey starts with a single step.

This is that. And so I think a lot of folks need to understand that you don't need to try to tackle it all in your first six months. And understanding the journey that Mayo's been through, and it's a long one. I think it's a really important thing for people to recognize it doesn't all need to be achieved by next May.

And that's a daunting thing in a lot of minds. And so I think understanding how they went about it will help a lot of people in that way.

πŸ“ β€Šβ€Šβ€Š πŸ“ We'll get back to our show in just a minute. I am excited about our webinars this year. They have been going very well. What I've done is I've gone out and talked to people in the community and said, what works in webinars?

And they came back and said, look, this is what we want. We want a webinar that is not product centric. It's really focused in on the problems of health care. And we want people on there that are actually solving those problems. And so we have done that. And the response has been fantastic this year. We have another webinar coming up.

It is the future of care spaces. Where care is being delivered is changing rapidly. Even the care spaces within the hospital themselves are changing. Technology is being added, different types of technology. AI, obviously, computer vision and whatnot is changing that modality, as well as what's going on in the home and whatnot.

So we're gonna have that webinar June 8th at 1 p.m. Eastern time. We usually have it on the first Thursday. Happens to be a little too close to my anniversary. So we're going to do June 8th at 1 p.m. Eastern time, future of care spaces. We would love to have you be a part of it. If you are interested in being there, go ahead and hit our website.

Top right hand corner. We have a card. You can click on that card and go ahead and fill out the form and get registered today. We would love to have you join us. We look forward to seeing you there. Now back to our show.

Yeah, the reason I went to inventory is, inventory feels like the first step, but the first step really is the people and getting the organization and the culture right.

Talk a little bit about that.

Yeah, so, luckily Mayo has invested in, in my mind, the right level of subject matter expertise, the right group, the right team to really help operationalize some of the things we've been talking about, from capturing the appropriate inventory information to starting to do vulnerability management, risk management, et cetera.

And so the way we approach that in Mayo, certainly we have a significant Office of Information Security. They're largely responsible for the policy, the strategy, establishing the requirements, etc. My group in HTM, we've spun up a separate, smaller risk and vulnerability management team within my organization to actually handle the operational side of all of that work.

It's kind of the output of our Office of Information Security, but there's a lot of really boots on the ground, roll up your sleeves, get the work done type of effort required around any of these things that we're talking about. And so we've subsequently spun up a team that's responsible for all of that.

And really there's a small core team that kind of sits at the top of that organizational structure that helps to build out the processes, the procedures, the workflows, make sure that those workflows are really, really standardized for a healthcare technology management or a biomed group, right?

The same language, same verbiage, same tools, and really leverage those processes and workflows to accomplish a lot of what we've talked about here.

Normally I'd ask you about the presentation that got you funding, the right amount of funding, but it's Mayo. So generally you walk in the door and you say, hey, we need to protect.

And they go, absolutely. We're world class in all the things that we do. But a lot of people in your role at other health systems are like, I'm not getting the right level of funding. It's a really hard journey. Jim, I want to come back to you. A lot of the security companies I'm talking to are talking about partnerships, and I noticed on one of these panels over here, you have a bunch of partnerships.

Talk about the value of those partnerships and then share a couple of them with us.

Yeah, it's really interesting. You know, our journey with Mayo has been one where it's taught us about the data. And so, from an Ordr perspective, we have this concept of see, know, and then secure. And so the see portion is what you've talked about a little bit.

It's just what's on your network. So first things first, you just have to know what's there. The know is you have to know what those devices are doing. Kind of what's the baseline? Who should they be communicating with? Do they need outside internet access, etc.? So what we've learned is that a lot of that data that we're collecting is very valuable for other people.

So you know the behavior of certain devices? We do. This is what it should be doing.

Correct. And so if you think about that baseline, if you have a device that only communicates internally and all of a sudden it's sending traffic externally, you should be aware of that. The security piece is the third part, which is that if you see that, what do you do?

And so we're trying to help our organizations automate a lot of those actions, so that you don't need to go and walk around with clipboards deciding what inventory you have, which I'm sure you remember, all the way to the other end of the spectrum. If something is behaving in a vulnerable way, how do you automatically take that offline in a medical environment where you can't just shut things down?

Right? So understanding what device you're taking offline and why and when is really important. So to your question about partnerships, what we've seen is that data we collect, no one else has it. And so if I am an EDR, if I am a SIEM, if I am a log management tool, if I'm a trending tool, those folks have come to us saying your data is very valuable for us to be able to do what we do.

So if you look at our partnerships with Cisco, our partnerships with CrowdStrike, our partnerships with ServiceNow, we just announced the Service Graph connector with ServiceNow. We're feeding that data bi-directionally into those platforms to allow customers then to make those platforms even more robust.

And that's why, we have over 85 integrations at this point, because the data is what's really important. So that's where that stems from.

It's interesting, the partners you talked about, a lot of them are talking about automation. Mm hmm. And you can, I mean, clearly they're medical devices, you have to be very careful.

But there's just that whole, if we can identify it quickly and shut it down quickly, they don't have enough time to go horizontally across them. Correct. How do you do that? How do you automate that step, knowing that these are sensitive devices?

Yeah, we haven't gotten to that point yet.

We're actually marching down that path. But we do put a significant amount of due diligence and rigor into those decision making processes. And certainly at this point don't want tools automating those processes at Mayo. We are counting on Ordr pretty heavily for the alerting and notification side of that equation, like notify our staff, we're going to do the due diligence, do the investigation, et cetera, and understand what kind of a potential clinical impact is it going to have to shut down a piece of equipment.

So this is what you were talking about earlier,

you step into it.

Agreed. And this is a very common story. As a former CIO, you don't want people just changing your firewall rules, right, without telling you. But the point of Ordr is to supply you with all the information that you need, and then you decide how far you want to go and when you want to get there from an automation perspective.

The key for us is really being able to identify what the device is, what it's meant to be doing, what the proposed action should be, and then let the customers figure out, like, am I ready to take that next step? So having all of that data is really important, but that's where the partnerships come into play.

So at least you feed the data.

Fantastic. Jim, thank you.

Thanks a lot. Appreciate it.

Fantastic. Great. Thanks. Good luck this afternoon. Thank you very much.

Another great interview. I wanna thank everybody who spent time with us at the conference. I love hearing from people on the front lines, and it's phenomenal that they've taken the time to share their wisdom and experience with the community. It is greatly appreciated.

We wanna thank our partners, CDW, Rubrik, Sectra and Trellix, who invest in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.
