COVID Series: Securing the Healthcare Enterprise with RSA
Episode 245, 11th May 2020 • This Week Health: Conference • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.

Welcome to This Week in Health IT, where we amplify great thinking to propel healthcare forward. My name is Bill Russell, healthcare CIO, coach and creator of This Week in Health IT, a set of podcasts, videos and collaboration events dedicated to developing the next generation of health leaders. Have you missed our live show?

It is only available on our YouTube channel. What a fantastic conversation we had with, uh, Drex DeFord, David Muntz, Sue Schade around what's next in health IT. Uh, you can view it on our website with our new menu item appropriately named Live, or just jump over to the YouTube channel. And while you're at it, you might as well subscribe to our YouTube channel and click on Get Notifications to get access to a bunch of content only available on our YouTube channel.

Uh, Live will be a new monthly feature only available on YouTube. How many times did I say YouTube in that paragraph? Subscribe to YouTube. We're gonna have some great stuff over there. This episode and every episode since we started the COVID-19 series has been sponsored by Sirius Healthcare. Uh, they reached out to me to see how we might partner during this time, and that is how we've been able to support producing daily shows.

Special thanks to Sirius for supporting the show's efforts during the crisis. Now on to today's show. Alright, today's conversation is.

Morning Bill, nice to be with you. I, I'm looking forward to this conversation. We've, we've had a lot of different, uh, conversations around security. Um, I, I like RSA as a company. I've used them in the past, and I know that you guys go at a really, gimme a different level, uh, of detail when we're talking about this.

So I'm looking forward to it. But before we get going, tell us a little bit about RSA and, uh, and your role with RSA. Yeah, so I'm, uh, part of a small team of, uh, prior practitioners, consultants, you know, we've, we've been in the trenches like our, our customers are managing security and managing resiliency recovery and managing compliance, risk management, those sort of things.

And so we, we are a part of a subject matter expert team, uh, in our marketing organization that helps, uh, our customers, uh, you know. How to, how to differently manage those domains of and compliance and. Yeah, the, the whole thing really is about risk. And we, we've, um, we've really, uh, increased the risk quotient.

Whenever you move this quickly, you've, uh, you, you really do create, uh, you know, just an awful lot of risk either with, uh, new partners or new technologies and just, uh, new ways. So, you know, pre-COVID, uh, we were seeing a, a significant amount of activity in cyber attacks against healthcare organizations.

The most common being phishing and ransomware. What, what are some of the most common attack vectors today as the, uh, COVID-19 crisis continues? Yeah. Uh, phishing campaigns, ransomware is still number one and two, two in one. You know, there, there's been a lot more, uh, malicious smartphone apps, for example, trying to get people to download, uh, you know, the app and then it delivers, uh, malware.

Uh, there's a lot of new websites being spun up with, uh. You know, trying to get information out there to, you know, around the pandemic and, uh, you know, funding and, uh, you know, stimulus act kinda kind of information, trying to get people to click and, and, uh, you know, and then there's a lot, still a lot of, uh, and there has been for a while, bill with the whole internet of medical things, but quite a bit of, uh, insecure endpoints in end users.

You know, a lot of people working from home and, you know, just basic hygiene, security hygiene, bad passwords, and. You know, security endpoints and, uh, third parties are still, unfortunately, you know, fortunately they're a great partner for any organization, but unfortunately they, they, they tend to bring risk for a lot of the same reasons I mentioned because they're in, they're in the healthcare, healthcare field.

And then, like you said, you know, believe it or not, bad actors are, are increasing their work during this pandemic, even even against the, the healthcare industry. Yeah. So let's talk about some of my, my favorite challenges, uh, that, that we were, we were facing and. You know, we, we have all these third parties, these, these partners that we have to deal, not deal with, that we choose to partner with within healthcare that do a lot of, a lot of things, call centers, billing, uh, collections, other things, uh, scheduling, uh, within healthcare.

How do you, during this crisis, how do you extend the, the perimeter, if you will, to really protect, uh, not only your organization, but even even moving employees to their homes? We've, we've extended the perimeter, haven't we? And, and what are some best practices around that? Well, like you said, it's all around risk management.

It's all around, uh, you know, going after those. Those attacks, those, you know, finding those vulnerabilities, uh, you know, in those systems that are most critical to your organization. It's knowing where your most critical data is and protecting it. It's, uh, you know, it's kind of going back to a lot of the basics where, where, you know, you're planning for those attacks.

You are, uh, you're managing sec, uh, access upfront, um, your. Detecting those security attacks, uh, understanding the impacts, right? Because you can't go after everything. And then responding to, you know, the areas that represent the most risk. So that's something we always teach and, and work with our customers on, is just, you know, you can, you can fight what's right in front of you, and sometimes you need to do that, but then it's also important to take a step back and get some good process in place, and it's never too late to do that.

Yeah. So it, it really is back to the basics. Um, you know, I'm gonna, I'm gonna reveal a little bit here. I'm actually working off of a, I have to prepare somehow for these conversations. And one of the things I did is I pulled up a, um, a, a document slide deck. I'll, I'll put it in the show notes. It's a really good document.

It's a four step approach to mitigating cyber attack risk in healthcare and, uh. And again, it's probably not, it's probably not, uh, anything new for organizations because security isn't anything new. It really is good process, good hygiene, good training. Um, it's understanding your risk profile. It's, it's the same things, but it's, it's really solidifying your, uh, your processes, your procedures, your people around it, uh, to make sure that you're carrying that out at any given time.

Um, so you guys have a four step, uh, approach to, to mitigating risk talk. Talk a little bit about that with us. Yeah, it's, uh, like I said, it's a good document. It's, it's, it's back to the basics. Um, in fact, the, the, the steps I just mentioned to you are lined out in that, in that document. So, and it goes through each of those four.

One, planning for the attacks; two, detecting security threats; three, assessing the impacts; and then four, responding to the risks. And it, you know, it talks about how, for example, HIPAA, you know, requires you, uh, covered entities to have policies related to breach response and notification. But really, you know, policies need to go beyond that and talk about, um, you know, um, fuller cyber incident response plans that include investigation, remediation, and response.

You know that, that when you're putting all this in place too, you've gotta understand the organization's maturity and capabilities, uh, what the risk tolerance is. 'cause that varies by organization. That really should be, you know, from the, from the top down. And that risk tolerance should extend not just to security risks, but other risks as well.

Because, you know, I think about, you know, Bill, you being a CIO, um, you, you're weighing a lot of different things, risks.

Alongside new products and services. Yeah, I guess the, I guess during the, the pandemic, it really was risk versus moving quickly to to Yeah. Potentially save lives, right? Exactly. Yeah. You know, you know, as an executive, you're, you're weighing a lot of different things side by side, so, you know, we try to get that good discipline in place.

And a big part of that also, I'll throw out there, and it's not in the ebook, but we talk a lot about, is cyber risk quantification, because a lot of security teams don't translate the risk of, of, of, you know, security risks well into business terms. And, and executives need to know that so they can quickly translate that into, okay, you, you need a million dollars, or, you know, I've gotta take a million dollars from over here to put toward that risk.

So we really kind of say, Hey, you, you've gotta turn cyber risk into business value terms, so, so you can, you know, get the resources to do something about it. So let's, let's walk through these a little bit, you know, to detect security threats. One of the things that changed in my life was I was sitting down with someone like your organization and, you know, we were talking about, uh, you know, this was back in the day, there was maybe six or seven years ago, and, and we were talking about how strong our perimeter was and, uh, and someone.

Like yourself made the point to me that says, you know, you, you need to change your mindset and your thinking as how you approach this and really just assume they're already on the wire and start to create your security processes around that. Uh, so how has detecting security threats changed? Um, just, you know, over the years as, as we start to think of, I mean, at one point we were build that wall higher, higher, higher, stronger, deeper, and, and now we're looking at all sorts of new things to really, uh, provide visibility into the threats.

You know, I, I, you just hit on the word visibility and I think you get that through, uh, you know, being in the right place at the right time, uh, purposefully, but then through advanced analytics, I think is. You know, a, a key tool that, that you've gotta have in place. So you've gotta be, you know, looking across your logs, your network, your, your, your medical devices, your endpoints, gateways, uh, you know, so that, you know, you're looking across that, that whole, you know, battlefield, right?

And, and you hit the nail on the head. You've gotta assume that they're already in there. So, you know, how do you rapidly detect where they are? Well, you do that through. Analytics and, you know, so we work with customers around implementing, uh, you know, user and entity behavior analytics, which, you know, in the, in the ebook there.

But that's to detect those anomalies that are already there, you just haven't picked up on yet. Um, and that's, uh, oftentimes in the user's behavior, for example, and that allows you to kind of uncover those abnormalities and, uh, and to do something about, about them. But, but then you weigh those against, you know, your business context, right?

So what are they, what are they hitting? What's the exposure, what's the impact? Is it a critical system or not? Because you're gonna take different action and then that kicks off your incident management against those, uh, uh, you know, those, those, those bad elements. And then, you know, you can automate a lot of that through orchestration, you know, orchestrate and automate that.

So that your analysts are, you know, there's a weeding out process right through that automation, and then your analysts can really focus on what's most important. Yeah. Uh, I was, uh, I was an interim CIO for I think about three weeks before we had our first breach, and that taught me that, you know, either assess before you take the job, assess the security posture, or the day you get in.

Assess the security posture because three weeks in, you know, that really wasn't laid at my feet, but it could have been from the fact of I was there for three weeks. I probably should have done a little bit more. But essentially you get three weeks in, you have your first, uh, response, and we kick off a full blown incident response.

Uh, from an IT perspective, all projects really almost shut down. Everybody's involved. We're trying to. But I was also involved in other things where people said, well, we need to kick off incident response. And I just looked at it and I'm like, not for this. I mean this is, you know, this is like just flip that switch and do this and notify these people and have these conversations and we're good to go.

Um, how is that, is that something you do with policy ahead of time or is that something that every incident is really different? No, I think you have to set some guardrails for sure. And you do that through policy. Like you said, you do that through, uh, you know, some sort of impact analysis. So if, if you know, for you business continuity folks out there, you know, the exercise of a, a business impact analysis that helps you determine what's critical in the organization, uh, in terms of the business processes, in the systems that support them.

So that gives you an element of high, medium, low, or however you assess that critical. So you know that off against policy bill. Okay, this, you know, this, this is against a high criticality system or, or dataset. So we do need to kick off incident response. And you know, as you know, you activate those processes and it kick people into motion and, and takes resources and time.

So I think those are, those are two important elements. You know, set up that program so everybody you know, and then you've got roles and responsibilities depending on, on who and, and what it, what they need to do. And, and again, that, uh. The criticality. And then you can also set up different and really should think about different response types.

Right. Depending on what the, what the, what the issue is. So yeah, I think you set up some process ahead of time. So, so, you know, and then, and then there's some human, there's always the human element, there's always that human judgment based on what is going on that, but, but then you overlay that on top of the, the policy, the automation, the, the.

And it just cuts down so much on that chaos. Yeah. I'm, uh, you know, again, I'm looking at this thing and you have a, uh, self assessment actually on this document, a risk assessment at RSA.com. So it's, it's an online tool to really take a look at, you know, how you stack up, I guess, uh, with regard to, uh, some of these risks. I mean, can you, can you speak to the tool at all? Or, yeah, I mean, it's, it's, um, a little bit higher level, but I, I think it's, uh, it is a great tool just to, to see, uh, you know, it goes through areas of risk.

It talks about, it talks about security. It talks. Blocking and tackling. Yeah. Breach. Preparedness, breach deflection.

You know, I, I think this actually is a really good tool for people who are, are wondering, you know, where do we stand? Do we have these things in place? I remember when we hired, so we had a Chief Information Security Officer, and then we finally decided to, to really go in and go all in and we, we hired a, uh, Chief Security Officer, which became the peer of the CIO.

And, uh, that person brought in a complete framework, and I remember the first time after he got done doing his assessment. He had 12 pillars and he sort of ranked us and I looked at the pillars and I thought, you're not gonna share that with anyone. Are you on some of these things? Because, because you know, I mean, if there's 12 pillars, you can't be a, it was a one to five scale.

You can't be a five on all of them because you just, again, it's based on risk and the risk you're willing to accept. You can't spend that much money to be a five on. Maybe you shouldn't. Maybe you shouldn't. Maybe, uh, maybe you can, but maybe you should not just because, uh, hey, we've, we've got limited resources.

We've gotta do, we've gotta do it elsewhere. Maybe we don't need the absolute, absolute Mercedes version. This step, but maybe step three we do. So it's take some judgment there, even with a, uh, a maturity model. Well, and it was interesting because Sam, Sam then, uh, went to the board meeting and we co-presented and Sam really walked them through 'cause they looked at it and were horrified by it the same way I was.

Uh, and he walked them through and said, look, most healthcare organizations are typically hanging out at a three for this and a two for this. They strive for a four here. And so we, we sort of set our goals for each one of these things, and then we came back with a plan to move each dial up by one over the next year, or even move it up two, based on how critical it was to move.

You know, I, again, I, for, for my audience, I'm gonna give you a little, I'm gonna give you a little license to talk about some things here. Um, because I, I do want you to share some of these things. You guys have a lot of different tools that people, uh, uh, you know, people can use. You have, um, you know, you've, uh, you know, the NetWitness platform, the SecurID suite, things.

What kind of tools does.

Well, we, we, we really help customers, uh, you know, just manage the whole, the whole life cycle of security and risk and do it in an integrated way. And that's one of the biggest challenges I think with, uh, with companies is the silos of organizations and approaches, you know, managing security and risks.

They don't follow the same standards and there's different groups and different teams that they're starting to merge together. And that's, that's what we help. So we really kind of take help, help companies understand what we call the domains of risk and focus on those similar to an approach like you just lined out when you were, when you were CIO, you know that your CISO did.

So some of the domains of risk are of course, cyber, cybersecurity, cyber attacks, third party risk compliance, uh, business resiliency. Um, risk management, just in general process automation. So, so there's eight or nine of these and we sit down with customers and say, okay, you know, let's evaluate where you are.

Let's talk about this topic and, and, you know, is it important to you or not? Um, another huge one right now, Bill, is dynamic workforce with everybody sending people home to work. Uh, that, that's an element of, an area of risk all in and of itself. Then we, uh, we, we, we kinda help them understand there, there are some disciplines and some processes to put in place.

And then our, our, our tools and our, our services, our, our solutions and services map to those. So, for example, you mentioned NetWitness, right? That's a, that's a tool that enables companies to, to monitor, uh, you know, um, network activity. What's coming in from those endpoints and those packets and logs and is, is it, is it good or bad?

And, and, and really through automation enables you to, to prioritize, exactly, go through the process we talked about earlier, and focus in on those, those areas of risk that you need to address. And then, uh, SecurID, which is super important right now, uh, enables you to manage securing access upfront for your employees, your contractors, your providers.

Third parties, uh, your payers, whoever is coming into your systems, especially important right now with electronic health records and the whole Cures Act and interoperability, you know, because access is gonna be an issue across the, those data sets that are being shared more and more. So, uh, and then Archer, we've got a governance, risk and compliance tool that helps you put in those risk processes and manage these different areas of risk.

And I could talk for hours on each one of those. Yeah, so let's, let's, let's, let's end the show where we started, which is specifically around COVID-19, the pandemic and, and, you know, work from home. Telehealth, remote monitoring, uh, interoperability are things in the last, uh, I don't know, three months or so, uh, and potentially created.

Uh, just new avenues for people to attack healthcare organizations or just new vulnerabilities, right? So work from home. Some of the risks from work from home, from my understanding, are, uh, you know, I'm on this computer, this computer is technically not part of the, uh, the company network, and, mm-hmm, I have, I have a, uh, uh, you know, I have a router in the house.

I'm Comcast.

From end to the, I mean, what, what kind of, what kind of things are you seeing people do or what kind of things are you talking to your, your, uh, clients about? Well, you know, the, the, the first, the first thing is just securing, um, you know, kind of goes back to that basic good hygiene. So if you've sent someone home, and, uh, you've gotta get 'em a corporate, uh, PC as soon as possible, right?

Because those follow the configuration standards of your company. Um, uh, another one is, you know, logging in through the VPN. Um, you know, using that, that, uh, that mechanism. Securing their Wi-Fi is another. Um, a third is that, that SecurID, right? So having, having through that, through that VPN mechanism, having a way to log, to, to log in securely to your, your, you know, your corporate assets, your systems and, and data.

Then I think, uh, you know, once all that's, that's gotta be quickly in place. I think that's the basic blocking and tackling. And then, uh, you, you've gotta think about your help desk too. You know, are they equipped to handle the, the, the calls, you know, the, the calls for help. 'cause that's, you know, if I'm an employee and it's the first time I've gone home, uh, to work and something doesn't work, you know, I'm not gonna call Verizon or Comcast.

I'm probably gonna call my help desk at work. So they've gotta be scaled up. They've gotta have the policies and procedures ready to answer questions and, and address those issues. So they need to understand not only the, you know, the, the system issues, but the communication issues and the security issues as well.

Um, and then have a, have a quickly be able to, you know, address those. You can't send someone out to their house, so you've gotta be able to help them help themselves over, over Zoom or whatever mechanism you. Basics you've gotta have in place right now. I nightmares Patrick, help. Uh, a company that sold computers to, uh, to home users.

I mean, as they say, back in:

You know, it, it literally, people saying to me, you know, the coffee holder is stuck. It won't go back in. I'm like, that's, that's not a coffee cup holder. That's for whatever. It's a disc drive. A disc drive. Um, but, but that, that's, that's hard in this situation. I mean, because we did send a lot of people home and we just said, hey, use what you have.

Uh, but you're saying, Hey, we should go back, uh, and just practice the same hygiene we would if they were working from the office. We've.

Yeah. Yeah. As much as you can. And, and, uh, you know, this is, is probably not an overnight thing. I mean, they could be working from home for a while and, uh, you know, with, with healthcare you've got HIPAA considerations too, right? So if you've got telemedicine, like I met with a doctor the other day on, on, on Zoom, you know, and what if I'd been in a, well, wouldn't have been in a Starbucks, but let's say telemedicine continues on, and maybe I am, you know, there's some.

Privacy considerations that, uh, you know, if that provider's asking me questions over Zoom or on the, yeah.

It's, it's, uh, you know, it's compliance and there's other considerations too. Yeah. A lot of education, a lot of, a lot of the ways we have done work will change as a result of this. If nothing else, it'll remain changed for the next six to nine months. Um, it might come back, but, uh, it may not. So it is, it is time to shore this stuff up.

Patrick, thanks again for your time. I really appreciate, uh, really appreciate the conversation and looking at this important topic. My pleasure. Thanks for, uh, taking the time. Take care. That's all for this week. Special thanks to our sponsors, VMware, StarBridge Advisors, Galen Healthcare, Health Lyrics, Sirius Healthcare and Pro Talent Advisors for choosing to invest in developing the next generation of health leaders.

If you wanna support the fastest growing podcast in the health IT space, the best way to do that is to share it with a peer. Send an email and let them know that you value and you are getting, uh, value out of the show. And also, you know, don't forget to subscribe to our YouTube channel while you're at it.

Uh, please check back often as we will continue to drop shows until we get through this pandemic together. Thanks for listening. That's all for now.