This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack (the News): Unmanaged Credentials, CISO Role Shifts, and Chaos Engineering with George Pappas
But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable, and they feel little control over the safety of their patients, reputations, or bottom line. Intraprise Health brings together cybersecurity experts with over 100 years combined experience to offer a comprehensive suite of innovative software and services.
It helps leaders finally unlock a unified, human-centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives. Visit thisweekhealth.com/intraprise-health to find out more.
Today on Unhack the News.
George Pappas: you can't just go buy some products and say, Oh, we're good.
Drex DeFord: And now, this episode of Unhack the News. Welcome to Unhack the News. I'm your host, Drex DeFord. And over there is George Pappas, who's the CEO at Intraprise Health.
And as usual, you've done an amazing job prepping and thinking about some of the articles you want to talk about. You and I have traded a lot of emails, so there's good stuff in the show today. I'm glad everyone's here. And again, thanks for being on. The first article is from Dark Reading.
It's called Unmanaged Cloud Credentials Pose Risk to Half of Organizations, and this article reminds me of all the places I've visited and all the folks that I've talked to. In particular, it reminds me of this conversation around identity. Back in my days, like the service, it's not my days, it's still going on.
Service accounts that have been created inside the network or inside applications that have a lot of authority, non human identities that have a lot of authority to do a lot of things. And we don't touch them because we don't want to upset the apple cart. They were put in eight years ago. We don't change the password because we don't really know what happens if we've changed the password.
George Pappas: No, me too, a little bit. I think that it kind of mirrors really the evolution of the last 10, 15 years of software development in healthcare and other fields, where you're starting to connect systems to cloud services.
They're new. It reminded me of those certificate expiration problems that would pop up from time to time, right? Oh, I know what you're talking about. Yeah. And so basically I think it's just a symptom of how all these things were built, but then you turn around, you've got 500. A hundred?
A thousand of these? Is there a list? Who manages it? Is it an automated list? Are they connected? The answer is no, right? And how many modules have that little admin account stuck in a routine to access the service, to take the HL7 ADT feed and turn it into something else and all that? All of a sudden, you've got this, really hard collection of things to handle.
Drex DeFord: This is like you are making a huge case for good, documented architecture, right? Because our tendency is to build this stuff over time. We add the next thing, we add the next thing, we add the next thing. We jimmy-rig this thing so that it will, the new thing, so it will work with the old stuff.
And eventually, like you said, you've got a hundred of these things. There's that cartoon that shows this whole giant machine, and then there's one little peg that's holding the machine.
George Pappas: Let's be candid. You and I have been in software development a long time, right?
What is the thing a development team likes least to do? I think it's called documentation. Documentation, for sure. And you can talk about agile processes and all that in there. They all have their value, but it's this kind of these prosaic things that end up getting left on the cutting room floor that come back to hurt you.
And that work is tough for a lot of folks who are very creative to take a breath and do.
George Pappas: That's also where, within a development team, there's no substitute for a really strong scrum master, because that kind of person is half product manager, half development facilitator slash manager, and they tend to have more detail-oriented, methodical skills that link with all the creativity to harness it and track it. And as long as you're able to make that a fundamental and you can capture it along the way, then I think you have a better chance of at least having it in one place and being able to do something about it.
Have you seen anything like this that has blown up in somebody's face?
George Pappas: I can remember some times at past companies where it certainly happened, not for cybersecurity reasons, but for expired password reasons on these embedded admin accounts. SSL certificates are a common one, but it's more where people have turnover.
Developer leaves, there's a set of things. They kept them in a little Excel spreadsheet somewhere. It was on someone's admin account, et cetera. And then time passes and you have an issue, you have to go dig it out and find the challenge. And that is a sort of benign symptom of a very real situation.
All right. All of a sudden they burrow in the assets, they find a credentialed server or something somewhere in a network or another asset. And it's just another link in the chain of a potentially really serious problem.
Drex DeFord: Yeah. One of the notes that we traded prior to this, you mentioned APIs and monitoring APIs. This is another sort of, another version of this problem, right?
What happens? Alert fatigue. Exactly. So I think there's a lot of room for improvement there, and this is a good domain for it. So many in cybersecurity to take just enough of that intelligence, put it in the service of a team so you can really see, gee, that API over the last has had XYZ more access.
And gee, those IPs, I think those are from Asia, aren't they? So there's a lot of ways to really screen it in a way that's very human-centric and set some thresholds. And I'm sure a lot of these things exist in several products today, but it's a question of how much more finely tuned they're going to get.
This next story is also really interesting to me. It comes from Cybersecurity Dive. It says the majority of global CISOs want to split the role as the regulatory burden grows. A lot of this is happening, I think, because of stuff that is occurring in public companies, right? New and evolving reporting requirements.
But in a lot of ways, that's where it starts before it flows into other parts of it. So we see this happening in public companies, and it's not very long until not for profits have the same rules and regulations. What do you think?
George Pappas: We see this with so many of our clients. There really are two sides to a CISO role, but they're both critical in some ways: the business risk manager, the board collaborator, the governance facilitator.
And, I think it was in some of our back and forth, but I can, a little earlier time when CIOs were considered technologists, and they became business enablers and business expanders. And I think this is following a similar pattern. Then you think about how Sarbanes-Oxley was coming to legislation.
So now what's happening? The SEC is saying, because there are financial ramifications, if you certify to a certain level of cybersecurity maturity, something happens and you have an issue. This is also why, with all of the evidence this year that was very, you could say, dramatic around the vulnerabilities in healthcare organizations.
They report to a CIO, they report to the CEO, they report to the CFO, or do you have a general counsel? So that is another dynamic of where is the seat at what table and how do you handle both sides of that equation? Because for it really to be understood at the top of the house, it's going to take some evolution of that based on the size of the organization and its structure.
But for me as a CIO, every place that I went, I did my best to break that CISO out of my department and give them independence. And the reason this was, it goes back to my military days. I was the chief technology officer for Air Force Health and the CISO reported to me. And in that conversation, at some point I said something like, it looks like we're going to miss our launch dates for the networks in Europe because we have a patch challenge that we're going to have to work through before we actually light those networks up.
And the CISO said something to me to the effect of, I could write you a waiver for that. And I realized at that moment I'm writing the person's ticket and they're doing their best to try to make my life easier, but I don't know that's really what the organization, the big organization, needs.
I've heard of that person, when they're the CISO, refer to themselves as the combat CISO, right? Because they're under fire all the time, and they're trying to do that other stuff that they really should be doing. I think Peter Drucker said culture eats strategy for breakfast. And if that's the case, I'd say that tactics eat strategy for lunch when it comes to that CISO gig.
So I think the idea of separation is a good one, but you got to have the people and you got to have the attention to make it real.
But the other sort of argument, and this will be our next story, is that really true cybersecurity risk management transcends the IT organization, right?
Absolutely.
How you credential providers, how you manage so many aspects of it, whether you're introducing friction into workflow, how you're managing across the organization, the preparedness if something happens.
And so there's so many ways you can actually, and I can remember at an earlier time when we would do these tabletop kind of drills, but that was before cybersecurity was really more about an inadvertent HIPAA violation under the HITECH Act, right? So it was a little more, I almost want to call it nostalgic, right?
So all of a sudden, oh boy, now everything, do we really know how long they've been in our network? Do we know how bad it is? And so that level of organizational intimacy with the right leaders. And then realizing that you need the company to take this seriously. That's another argument for the more general reporting or more general role.
George Pappas: Another dynamic that we've seen with some of our clients over the last, really it's become more prevalent in the last 12 months, is that some of our CISOs and our CIOs have more concerns about their own personal liability. They're being asked to attest, I'll use that word, in a more public way, when they haven't had the resources, their budget requests have not been, you know, accepted 12 months prior, 'cause this doesn't happen overnight.
The bills that are in the Senate and the House, there's gonna be more of this now coming to healthcare. Not because it's for-profit; if you're at HCA, you already have it because you're a for-profit entity and the SEC is going to be governing you. If you're a non-profit, which a large swath of healthcare is, most, yeah, these things are coming.
Drex DeFord: If we don't figure out how to make this better and do this more effectively, the government is going to help us. Yes. And I use, and help would be, yeah, air quotes. The challenge, I was talking to Bill about this on another issue the other day.
The challenge with the government helping is that the government is built not to be really flexible and agile. And we pass laws and we write regulations, but they're hard to update and change. And there's a lot of, intentionally, in a good way, there are bureaucratic processes in place to make sure that those things don't just get thrown away and new ones get written and nobody had a chance to look at them.
George Pappas: Like one of those construction rollers that goes on the asphalt like this, really slow, but when it presses it down, boy.
Drex DeFord: Yeah, let's talk about this last story. Main Line Health deploys chaos engineering to bolster healthcare resilience. It's from CSO Online. And I talked to Aaron Weismann yesterday, who's the CISO at Main Line Health, on another topic. And I told him we were going to talk about him today. And he just laughed, in a way that was like, I appreciate that. Somehow the story on us, Main Line Health won an award from CSO for this concept of chaos engineering.
And they talk about a lot of different stuff in the article, but I think he was just appreciative that the article made the hit list. That's pretty awesome.
George Pappas: Yeah, when I read it and you and I were talking about our articles for today, I just thought it was time to show someone who was doing it really well.
Drex DeFord: Yeah.
We all understand non-profit accounting and capital budgeting and everything, but the thing that I was impressed by was that Aaron was able to get the company behind this. It took him four years. Another really important aspect of this, you can't just go buy some products and say, oh, we're good.
Yeah, no, it was a progressive year over year indoctrination, collaboration, vision, execution, adapting, adjusting process, and they found the budget to do it. And part of what he did was that he did equate patient safety, access to care, patient dignity with being more protective of records and of systems and no ransomware outages, etc.
So he started there and then he basically methodically brought more and more people into the mix. But I also really appreciated, 'cause our company was the first HITRUST assessor in healthcare, that he realized that the HITRUST process has enough precision, enough discernment and enough actual evidentiary validation that you would be safer if you did it.
Because he took the time to do it. We know what that's like. We have processes and products that help, but ultimately it requires the organization to be more disciplined about how it operates. And he recognized the wisdom of that. So that to me was very noteworthy. You called out the chaos engineering part.
We have all these varieties of simulated cyber attacks, and we do penetration tests. But what they did, according to the article, and you spoke to them, was they introduced vulnerabilities and let them sit there for a while and see what happened.
Yeah. It had the team used to handling, how they would deal with it. And they identified those and were able to basically address them. The other part of that I thought was just very good common sense was that he recognized that this transition from digital to analog, if something happened, was a real place where everything has atrophied and they had to get used to doing it again, right?
But he's built a system for that, right? He does. Yeah.
George Pappas: It was also obvious that he had to get the leadership team on board, because if you're managing the ER and he says to you, we're gonna do an ER simulated attack, I can't tell you where, I can't tell you when, I can't tell you how, you have to be on board with that.
Drex DeFord: Yeah, you do.
George Pappas: Yeah, so that was, it was just a great story about how you can really make progress when so many people believe there's no way they can make progress.
Drex DeFord: Yeah, the long term grind, too, of creating a plan, and executing the plan a little bit this year, a little bit next year. I'm sure part of the plan and the length and time of the initial pass of the plan was tied to resources and money and all of that.
If you've ever read the stories about people painting the Golden Gate Bridge, it's like you start at one end, you go all the way to the end, back to the beginning, you start over again, because it takes a long time to get the bridge painted. By the time you get to the far end, the first end needs to be touched up again.
And so it's a never-ending process. And so that mentality I think that they have too, of being very humble: we're glad we won the award, but that's not the end of it, right? There's still so much work to do, and it could happen any day, right? Even where we do well, they continue to work on improvements.
I love that attitude. Yeah.
George Pappas: No, that was a great story. And as I read the journey, at least as it was portrayed in the article, you could tell he had to have a lot of presence, great relationships with leaders, and found a way to communicate all that in such a way that they recognize we can't just sit on our hands and say there's nothing we can do.
That had various senior-level responsibilities, that's quite an accomplishment. It really
Drex DeFord: is. It really is. One of the things that you may not know that I think I know about Aaron Weismann is that he's a lawyer.
And so he's trained to think logically and make those connections. And so that all has played very nicely into his role as CISO at Main Line Health. Excellent. Hey, thanks for being on the show today. I love the articles. I always have a good time talking to you, George.
I hope you'll come back again and I'm looking forward to seeing you somewhere on the road very soon. Yes. Very soon. Sounds good. Thank you, Drex.
Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.