This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on Unhack the News.
(Intro) You realize that there's an executive in that organization who's saying, what is the minimum amount we can do to say we are being regulatorily compliant versus should we really be doing to be safe? And it's interesting because they almost don't wanna see it.
Hi, I'm Drex DeFord, a recovering healthcare CIO and long time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of this week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non technical show covering the latest and most important security news stories.
We want to thank our Unhack the News partners, CrowdStrike, Fortified Health, Intraprise Health, Island, and Order for their support. And now, this episode of Unhack the News.
(Main) hi everyone, thanks for joining us for this episode of Unhack the News. And I'm joined today by George Pappas, CEO of Intraprise Health. And Intraprise Health is, of course, a partner of This Week Health. Thanks for being on the show today, George. Thanks Drex, pleased to be here. before we started the show, we were sort of riffing on the, there's no shortage of stories in cybersecurity right now.
There's a lot, there's a lot of stuff going on. You and I talk pretty regularly. A lot of these stories are sort of topics of our conversation just in the world that we live in and that we help health systems navigate every day. One of the stories that I'll start with is from CyberScoop and it's on the Cyberspace Solarium Commission 2.0's new report. There's a lot of stuff in that report, but part of it is just around rural hospitals being vulnerable to ransomware and everything else. And we could riff the whole show on rural health care. What's going on? When you read the article, what did you think?
We have several clients that are in that category.
And, it's a very challenging situation because you think about a rural hospital in general. And they already have such challenging operational economics, they have government support at a federal level, but look at their patient census. and many of their patients are on public insurance, which means low reimbursement rates, then you add to that the fact that they have relatively low utilization rates against a fixed asset.
And right out of the bat, it's a very challenging place to be. The federal government rightfully supplies a lot of support because you want to have a certain amount of acute health care within a certain, driving distance of enough of the rural population. And it's interesting, Drex, you think about it, there's 60 million patients served by rural hospitals, right?
It is an amazing reality that if you're in the U.S., odds are good that if you got sick, you probably would go to a rural hospital. You probably would go to a small hospital. And like you said, margins are really thin to begin with. Oh,
worse than thin. I'll give you just one example.
Some of our clients, I'll give you a little prototype. Even though the critical access definition is 25 beds, you look at the level of utilization that they operate under, they only staff 15 to 18 of them. You're talking about an organization that might have 35, 40 million net patient revenue and expenses near that, so they're at breakeven, close to it.
So every penny counts. And then, of course, if you're in a rural environment, hiring cyber security talent, getting the appropriate governmental resources for security in general can be challenging. And some of our clients that are in this position, they use, and it's actually interesting, I was meeting with the CEO of one of them, the FBI provides help as far as training, briefings, information, because the local field office recognizes that it's an important thing to do. I think that in general, all the movements we've seen towards acknowledging the vulnerability of our entire healthcare sector to cyber security, you look at the sort of rural health, then the medium community size hospitals, and even go one tier above that, sort of small IDNs, if you will, four or five hospital systems.
They all have challenges of technological complexity, funding, boards that understand budgets. That'll be one of our next topics, I know, right? But a rural hospital has the hardest piece of that of all because they have very little capacity to draw upon. So, there's some models the government has deployed for ambulatory care, HCCNs, health controlled care networks that try to pool resources.
There are several companies that provide what I'll call rural hospital shared service models across other facets of revenue cycle management, ER staffing, automated accounting, things like that. I can see cyber trying to grow into that. A model like that would probably make some sense, but we're still a ways away, and we work with a client of that type.
We're trying to help with our automation and our team trying to zero in pretty quickly. And what are the top two or three most important things?
Sure. What are the things that if you did these, you would probably eliminate more risk and be able to, it is interesting to look at this and think about when you talk to small hospitals. We have several over in eastern Washington.
And I remember sitting down with them a couple of years ago and the conversation that they were having around Wow, I can't believe you have three people working in IT. Because we only have two, how did you get permission to get another person in IT, let alone cyber security? That was all included in those three.
So trying to find somebody to move to eastern Washington, a small rural community, who is like a cutting edge cyber security pro. Look, this has nothing to do, they're very smart and they're working as hard as they can, but they also probably have supply chain or they have some other responsibilities.
It's just too much. So this idea of being able to figure out how to work together, being able to figure out how to use partners to help you leverage what you can leverage. It's a big win for a lot of those small places that are trying to be secure. Nobody wants to go into this and say, oh, of course, not going to do it,
right.
And the other dynamic there is we have a lot of benchmarking data, so we can really try and show them, how good is good enough on certain measures, because that's, we'll get to boards in a minute, but that's a very important question, where board level governance and large organizations even are concerned, because they don't really know.
How much is enough? And we also try to explain to them that I think it was even you had at one of your sessions. You can't 100 percent guarantee you're not going to have one, an attack,
right?
So the real question is, how do you manage and mitigate your liability in the event one happens? You can't say, I'm not going to do an SRA or do a NIST assessment and not worry about my third parties.
Well, then there'll be some problems, right? But if you do all those things, and you look at what's happening in the federal government, we're moving to a recognition of that over time. And with the right amount of some baseline economic support that's been in the wind now, the executive branch, the legislative branch arguing over how to pay for it and who gets it.
I think you're going to see some improvement there over time, but it's still a little ways away.
Well, speaking of boards I feel like there are a lot of CISOs who are concerned today because a few of the things that we've seen where individual CISOs have either been held specifically responsible or maybe have even been sued as the result of a breach.
A lot of CISOs are really worried about this, but there's a lot of stuff that's been written just in the last several weeks about boards now being squarely on the hook for cybersecurity and understanding what's going on in that cybersecurity part of the business and what they need to be doing. And basically just being in the know and not being able to sort of put up blinders and saying, I didn't know that.
So boards are on the hook now. What are you seeing?
Yeah, it's very, to use a pun, acutely felt, and I would break it down in a couple of pieces. Clearly, when the SEC last year moved to sort of what I would call a CISO Sarbanes-Oxley style disclosure.
If you're in a publicly traded organization, that got your attention, right? Because you have to sign off and the SEC deemed it to be material risk to shareholders, which is why they were really pressing that area of corporate governance. You think about the vast majority of healthcare organizations are non profits, 90 percent of them perhaps.
And so the governance question is still very real. But this gets back to something we were talking about when it came to rural healthcare. Take your, how many different kinds of facilities of sizes are there out there, right? If you look at, say, the top million beds in the United States, top 250 healthcare organizations cover half a million of those.
Well, what about the other 4,750 that cover the other half a million of those, right? This is where you have your 300 bed community hospital, right? There's sort of six, 700 bed kind of two hospital regional system. Look at those kinds of entities, they have more capacity than a rural critical access hospital, but still, who are on the boards? Local business people, local people from the community.
And so there's been a lot of work, and we've seen it, to inform the board of what really are the stakes here. Because the other dynamic we see in a lot of cases is who owns the risk? Well, does the CISO report to the CEO, a chief legal officer, a CIO, a CFO? So someone has to be the risk manager for the enterprise and hopefully not the CEO, but in many cases the CEO, right?
Ultimately, how that reporting works sort of governs the way they navigate those issues. And one of our clients, a great client of ours, has made a lot of progress in the last couple of years. She was able to have the AHA, American Hospital Association, come in, present to the board, explain the factors, models of board governance.
There are a lot of different models for that. There's another group out there, the Governance Institute. It's a subsidiary of NRC Health, which has been out for, oh, it's a 40 year old entity, consulting, best practices. And they serve non profits only, and so they run conferences where they talk about how should a board really be thinking about managing cyber security?
What are the stakes? What are the risks? How do you think about them? The other dynamic that we see a lot of, I mentioned even the FBI earlier relative to the rural health care. There's a lot of good survey work out there now. If you think about what HHS did with the HCSC, they released it last fall, it was the landscape analysis for cyber resiliency.
Yeah.
Very good benchmarking data.
Yeah.
Very good list of, what are the, we like to use these nice words, attack vectors. What are the people doing? What are the methodologies they're using? So a lot of that information, there's been a lot of very good research that you could pull from. We do that for clients regularly to help present to their board, give them enough of a feeling of, hey look, here are the stakes.
Now the other thing that is sort of the ceiling of liability is cyber insurance, right? So how much do you have? What are the excluding conditions? Yes. Is the questionnaire you answered when you got the insurance accurate? Because
Is it still accurate, right? Because this is one of those things, you answer these things sort of in a moment in time.
And the threats change. And the capabilities that you have change. And so it becomes a, you need to be able to prove it, because I can tell you that if you have a claim, they're going to go back through and say, yeah, now show me again how you actually had all of these things.
You said in question six, technicality, we're gonna, we're not gonna, not covered. So
yeah, we actually do like insurance stress tests for people where we'll look at their questionnaire, and it's probably doing a NIST assessment or a deeper assessment, we'll let them see where those gaps are, because you have to be mindful of that.
Yeah. When you have the opportunity to brief a board, I've had several opportunities to brief boards. Certainly sometimes it's about, how well are we doing compared to everyone else? Sometimes it's just about existing threats that are happening in the healthcare environment right now.
Do you see a lot of boards that actually have cybersecurity experts on the board?
In some cases. I'm thinking of a few examples as we're speaking, not perhaps cybersecurity experts, but much more cyber aware, with a set of questions.
One of our clients that we've met with now for a couple of years, from year one to year two, much more heightened sense of questioning, because we will present the findings to the board with the CSO or CIO and explain the dynamics, the risks we see, the benchmarking. The other part to that, too, is helping them understand this sort of practical side of governance, Drex, because this is really where, if you really boil it down, you think about all the technical vulnerabilities in a hospital, even a medium sized hospital system, they're everywhere.
So the CISO or CIO, while they may have accountability for all that, don't really have authority for a lot of that. So how can they influence a facility issue with key locks, right? How can they influence medical equipment that's five patch releases behind? How can they influence all these things?
How can they influence sharing through HIEs and the participants now with TEFCA as that becomes more anonymous? Not really vetted, though HITRUST, which we do a lot of work in, is setting the table there. So they don't have the level of authority to truly provide a governance view at the top of the organization that says, hey, here are really the issues, and bring that in one place.
It's something that we do because just the numerical, combinatorial aspects of trying to understand it all and put it in an executive action. Sure. The process is very challenging.
So I was with probably CISOs, privacy officers, others in Philadelphia the other night for a city tour dinner.
And we had a really great in depth conversation around a lot of the challenges with the job. And one of the main challenges that they all sort of talked about was the ineffective governance and prioritization in health systems in general. In the spirit of everything's connected to everything else, the reality that we love to do really cool, interesting, fancy things.
AI and other stuff. We're doing M&A. We're doing lots and lots of stuff, but we're doing a lot of that without a net, right? Or we haven't made sure that the foundation of the house is really set and solid and good to go. And so there's the challenge of, as you said, I don't have authority over these things.
That relationship building turns out to be really important because I have to figure out somehow that I'm going to have influence all the way up to the board. To make sure that those issues and challenges and problems that I see that could disrupt the delivery of care to patients and families ultimately is taken care of.
No, that's big. The other thing that you see in all the research that's out there, and it's very clear, no matter who the source of this research is, there's still a very wide variability of cyber investment, even within hospitals that are similarly situated.
And the other dynamic is that, because of that, there's a wide variation in this fundamental cyber program security posture.
We use the word resilience, which says, have you covered all the bases? So if something bad happens, you won't be hurt that badly. But essentially, there's a wide variation in that. And that is part of the real trick. You think about the HHS cybersecurity initiative, take our example earlier, 60 million patients are being served by rural healthcare.
Well, 330 million patients are in vulnerable hands, whereas some very smart, dedicated people are doing all they can. But you're talking about enterprise software, thousands of points of access, which we'll get to in the next topic in a minute. But basically it's a very challenging job and you've got to have enough of a backstop and enough investment.
I'm sure there's never been a CISO that says, Oh, I have enough budget. I'm good. Thank you.
They're always looking for ways to reduce risk and that's often tied to additional financial resources, but we can move to the next story because, in the spirit of everything's connected to everything else, all these stories are connected.
Actually, before we go there, one other thing I wanted to mention because, when we work with larger clients, we see some of these patterns too. We use this word penetration test, which is really not a very good word, because if you're doing it well, you want to simulate someone trying to attack you.
You want to actually do it in a more intensive way. And you want to simulate your disaster recovery, your incident response, because all of that, we've worked with clients that have been hacked, and it's the first time they're peeling the envelope off the incident response folder. Oh wait, that person left.
Oh wait, we're not, and all of a sudden in real time.
Yeah.
This gets back to how do you bring systems back up? How do you protect? This is the actual meaning of the word resilience, right? Yes. This idea of, in the last Unhack the Podcast, I talked to a CISO who used an analogy of a boxer. If you get into a boxing ring for a fight, and you think that your strategy, the best strategy that you can have for that fight, is to not get hit, you're probably not going to have a very successful fight, right?
That's excellent, yes. It's like all of our defenses, right? We put up lots of defenses, and we hope no one gets through, but clearly that's not a thing that's happening today. So you're going to take a punch and probably a few punches. And so from time to time you may wind up sitting on the mat, right? And so the resilience part of this is like, how do you get up and get back into the fight and ultimately win the fight?
So it's all these other things that happen after an attack, and hopefully if you're moving this stuff left too, right, as far as you can move it left, so that these incidents, you can have all the security incidents you want, but they don't have any effect on your operation. And patients and families never feel it.
And end users never feel it. That whole part of the intentional resilience turns out to be a very key plan long term for building a cyber program that,
One more thing there I want to mention, and we could spend a whole day on this too, but this kind of hits essence of the topic.
If you consider the fact that preventing an attack, you can't guarantee that'll happen. And there's been a lot of discussion about standards. There's a discussion about cyber insurance rates and what they cover. I think it was Senator Warner, late '22, came out with a compendium that sort of tried to address cross federal agency and cross industry issues for healthcare.
And he put forth this notion of safe harbor. It applies in other parts of how we regulate anyway. So again, it's an election year. Can we get Congress to really legislate? Probably not. But the notion of what is a safe harbor definition,
right?
If you're really doing, and there's been a lot of great work on HICP, CPGs, NIST 2.0, HITRUST, they're all driving to the same general goal. And if you could figure out a way to have a true safe harbor, so you have a liability cap, it makes it easier for cyber insurance to cover up to it. You could always have the federal government or, this has been in private sector, reinsurance above that.
And you could at least give people the incentive to drive to that practice level, be able to verify it. And then essentially people know what they have to go to and they have some level of risk mitigation certainty. I think it would help a lot of motivation, because right now it's like, well, it'll cost more than I have.
I'm with you, George. I think it could be really interesting to see something like that unfold and, whatever you call it, there's an opportunity there to get everybody to be this tall to ride the ride, which I think would be great for patients and families and honestly, all the people that work in health systems and all of that.
Okay. The next story, it's just about human error and the reality that human error is still a big part of this. You click one click. That's the mouse on the PDF from the person who wants to give me a half a million dollars and transfer it into my account.
Yeah. Although sometimes they're so believable, right?
Very clever. Yeah. You got, hey, we tried to make this Amazon delivery, but we think we have a wrong address. Can you update here? And it looks just like something from Amazon, or any number of these things. The human error part of this also, though, going back to one of the points you made earlier, different organizations spend different amounts of money as a percent of revenue on their cybersecurity programs.
Sometimes that's because the environment is massively complicated. And so the more complicated an environment is, the more opportunity there is for errors to be made. Yes, exactly. You see that a lot?
Yeah, exactly. All the standard practices, multi-factor authentication. Well, if it's not used, hello, Change Healthcare, right?
Yeah.
All it takes is one failure. The whole concept of micro segmentation, service segmentation, all those, there's a lot of great work being done by a lot of great companies. But you know, you think about 5,000 people in an IDN, Integrated Delivery Network, 10,000 people.
How do you provide tunneled lanes for only what they need to do? It takes a little while to get that down and make them virtual enough and flexible enough, because things change so quickly, but there are those mechanisms that we see people struggling with. I had one of my clients, actually a great client, wanted to put in a micro segmentation system.
I think it was a CFO said, well, just use a VPN, you'll be okay. Oh no, not really. It's a little different problem, a little different scope of the issue. And when you hear those kinds of responses, it gets back to what we've been talking about. You realize that there's an executive in that organization who's saying, what is sort of the minimum amount we can do to be positioned to say we are being regulatorily compliant versus should we really be doing to be safe?
Because what's VPN for a thousand people versus a micro segmented network? Let's call it three times the cost. What's the cost of a bad cyber attack in patient safety? Ten times the cost. So that's where I think calculating and showing those dynamics, we work with other partners who can help us find things inside of a network.
And it's interesting because they almost don't wanna see it, as they think they have to address it.
I've definitely seen that too. The, look, if you show us this, now we're responsible to do something about it. Look, I think you need to know, and that's the only way you're gonna build a better program.
Microsegmentation I think also is one of those things that it's a really great idea. You don't have to start with incredible micro segmentation. You can start with some, one of my good friends talks about this macro segmentation idea. Just start somewhere, just divide your network in half so that if something bad happens, it only happens to half the network. Just start somewhere and sort it out and make it better over time.
In that study too, that was cited, it's very interesting where, between explicit human error and then sort of, I'll call it, mistakes of configuration and administration, those two wedges of the pie were a pretty large chunk of how people get in the door and make bad things happen.
Taking the loop all the way back to our rural healthcare conversation where we started, if you don't have time to turn off those accounts, or if you don't have a good process to turn off those accounts, a lot of this is sort of fundamental stuff.
The reality is, user ID and passwords that have been stolen somewhere else are the things that are used to get into most organizations today. The identity attack is like the leading cause of the problem today. So you've got to have those mechanisms.
You think about even a Microsoft network, as everyone's running Office and everything else, your M&A, you got a hundred hospitals. Well, gee, the access control. Active Directory served for this hospital, they never locked it down, or the ID wasn't changed when they bought the hospital because it was one of a thousand.
Yeah,
And the hackers, they share information and they resell and license their techniques to each other. And they keep adapting because they're making money doing it.
We could talk forever.
Is there anything else you want to mention before we take off for the day?
No, enjoyed this segment. I look forward to doing more of them with you.
Yeah, thanks very much. I appreciate it, George.
Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.
Sign up at thisweekhealth.com/news. Thanks to our Unhack the News partners CrowdStrike, Fortified Health, Intraprise Health, Island, and Order. You can learn more about these great partners at thisweekhealth.com/partners. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.