UnHack (the News): Redefining Board Communication and Insurance Realities with George Pappas
Episode 154 • 12th August 2024 • This Week Health: Newsroom • This Week Health
Duration 00:26:22

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

This episode is brought to you by Intraprise Health. Make cybersecurity a priority, not a headache. Cyberattacks put patients at risk and cost healthcare organizations millions.

But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable, and they feel little control over the safety of their patients, reputations, or bottom line. Intraprise Health brings together cybersecurity experts with over 100 years combined experience to offer a comprehensive suite of innovative software and services.

It helps leaders finally unlock a unified, human-centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives. Visit thisweekhealth.com/intraprise-health to find out more. Today on Unhack the News.

(Intro) So many of the challenges that our teams and our clients have are a needle in a haystack problem. Narrow the haystack. This part's okay. Go look at these pieces of hay over here. That's where you can really get to just a higher level of throughput for a lot less wear and tear on a team.

Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non-technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News.

(Main) Hey everyone, I'm Unhack the News, and one of my favorite people is here with me today, George Pappas from Intraprise.

Intraprise, you guys, how you doing?

Good, Drex, how are you? Great to be with you today.

I'm great. We have some really good stories. You've actually been digging around on the new site and some of the other stuff too. I've been talking in the background about some of these stories for the last few days.

And so I'm looking forward to the conversation. The first story is, it's actually not necessarily a news story, but it's something that you and I both follow, a person that you and I both follow, because I think in your words when we were talking about it, you mean this person is like a been there, done that kind of person. It's Paul Connelly, and he is on Substack; he has a blog that he posts, and there's one in particular that struck a chord with both of us, and it was connecting with your board of directors.

Yes. Yes.

There was a lot of great stuff in there. Any place you want to start?

Yeah, I think, and I also, there was another story that I pulled out after I read Paul's, because you see examples of this from time to time. The essence of the story is as old as corporate governance, really.

And essentially what Paul had to say, and I think what he was trying to do, was maybe pull CISOs away from the technical day to day grind and remind them that, wait a minute, management reports to someone else. It's called a board of directors.

That board of directors is actually the group that has the fiduciary responsibility for the organization.

And oh, by the way, I think they're the ones who approve the budget. And Paul in his article, which was very good, really talked about building relationships with the board. And also, very importantly, speaking in business terms. This is something that Scott and I do with our clients, and we present to boards on behalf of our clients all the time.

And part of what the board wants to hear on our end is a third party coming in who's done the work, but the concept is the same. And in Paul's case, I think where he really had a lot of great advice was, you have to build a relationship with the board before you can really connect with them. He talked about, there are always regular board packages; come up with just a very simple update on what are some of the stories of the day, how they relate to the company situation.

Yeah.

That free read thing that he talked about was like, give them a one page education, free read thing that ultimately can go into a book, and it becomes like a collection of things that you want to educate them on.

Exactly. He also reminded them, meaning CISOs, 'cause he's an ex-CISO, speak in business terms. What is the big picture? Is it patient safety, care delivery, follow-on liability, which we'll be talking about in our next couple of stories because there's a lot going on there. And he reminded CISOs who read his article that you are a business professional in addition to a security professional.

And so that's what I got out of it anyway. And so he really, I thought, did a very nice job in a very compact usage of words, which I can't say a lot of authors do, really covering those bases. Another part that he talked about, and Drex, you've been doing this forever as well, was about clear communication.

And I use the words "just the facts" when you're talking to a management team in particular, but even the board. You feel more pressure. You want to say how great things are. That's not really the time for that. So how do you really describe what is your real security posture? What are your gaps?

What's the relative breadth and depth of remediation, the complexities of it? One thing that I have observed quite directly now with several of our clients is that boards over the last two years have become much more interested in cybersecurity and cyber resilience. A couple of years ago, we did our first one of these with a client not long after I joined the company.

We had board members that were interested, but weren't really deeply interested, asking a lot of penetrating questions. I can tell you over the last 18 months, that's almost changed 180 degrees. So he really had good sort of guidance on: if it's bad, if it's good. I'm reading into that.

He didn't exactly say that, but really talk about the facts, talk about the resources you have, the relative execution you can expect with what you have, the reasons why, the need for benchmarking.

Yeah.

The help that you need. The other thing that was really interesting that he talked about, that I think if you've been in front of boards over and over again, is don't surprise your fellow executives and CEOs by saying something in that room that they have never heard before.

Oh yeah. Make sure you've pre-gamed: here's the presentation. Here's some of the questions I think they might ask.

Here's what I'm going to say if they ask me that, so that nobody gets surprised in the middle of the

He covered that part and the leadership team angle, right? What do you need in order to do that? You need one place, see where I'm going, where you have your security program information at a high enough level that you can actually share that with your leadership team and make sure that they understand what your relative posture is.

What are the exceptions? What are the big ones you haven't been able to get to yet? What does that mean? Because to your point, they're in that meeting too. And Paul talked about that. So in a lot of our clients' cases, what we also see is, they're still, the CISO does not report to the CEO. The CISO reports to a CIO or a chief legal officer or chief risk officer.

When you have a multi-headed Hydra, and we'll talk about that in our next segment, risk, liability, technical risk are handled up through different reporting chains. And you've got to make sure there's a unified view before you try to unify it in front of your board audit committee meeting.

Yeah, great article there. Are you ready to move on? Is there anything else you want to pull out of that one?

He talked about building relationships beyond even the one pager. And I think that this is an area where I've seen this in a couple of our clients. I'll take a minute to describe it.

A lot of people in leadership teams feel that unless you're the CEO, you should only speak to the board when spoken to. I think the point I'm trying to make is that, obviously with the support of the CEO, being a little more accessible and spending a little more time so they can begin to understand how you think, because when you're giving them challenging news, or good news, but really when it comes to challenging news, they're going to have to say, do we understand how this person has handled these things in the past? Do we understand how he or she thinks? That can be critical at critical moments, but it's like a deposit you have to make in the bank before you have to make the withdrawal.

Them knowing you, but you knowing them too, that ability to understand. One of the first Unhack the Podcasts that I did was around the analogies that you use to talk about cybersecurity, but those analogies that you use to talk about cybersecurity in the board meeting are especially important, because sometimes you have people on that board who don't have any technical expertise, who are community and business leaders.

And so you have to think about how you describe your problem or the issue or the impact that it might have in a way that they can easily get a hold of it and relate to it and immediately figure out how to help. They solve these kinds of problems. You have to give them a context to understand what the problems are.

And the last thing I'll say about that, I touched on it earlier in our discussion on this: the board approved the budget, and they heard from the CFO when that budget was approved, but if they knew that by some additional investment they could somehow improve their security posture in an important way.

The CEO might have even wanted that, but had a hard time getting a budget approved that they did. So this whole corporate governance tug of war, a CISO can be the CEO's best friend there, or the CFO's best friend. And it's about being close enough to your leadership team to know that and know how you can be helpful there, because we see it in a lot of our clients, and there are still so many surveys that point to this, that a lot of healthcare organizations are still winging it.

They're putting in place endpoint detection, they're doing all these things, but they don't have a comprehensive security plan. And that's where, especially as these regulations and liability accelerate, there's going to be much more emphasis on that.

Yeah. And that ties very well into the next article and the next conversation.

party stuff that's happened.:

The insurance companies are thinking about all of this very differently too. So not only are you talking to your board, you're also talking to insurance companies, and they're devising kind of new rules.

No, and I found this article fascinating and a little ironic because it was not a cyber attack that caused this problem.

It was a non-malicious act, to use some of the words out of the article. And when you hear insurance industry vernacular, it's fascinating, because cyber insurance coverage, some of our clients have chosen to try and self-insure for a year because the rates were getting too high, or their ability to meet the pre-existing conditions or the practices that the carriers are looking for, it was hard for them to meet.

ingle biggest and issue since:

From all these entities that had their operations disrupted and had to go through incident response procedures and all those things, let alone recovering their operations, 'cause they had to do an update that was not using the normal update methodology, et cetera. And the other dynamic there was, when you think about what that product does, that sensor application does, it is about as deeply into the Microsoft OS as you can get, at the kernel, yep.

Yeah, that's why Microsoft is part of it, too.

It is a very interesting situation that we find ourselves in, right? There, insurers love a huge amount of history. I talked about this in the two-minute drill, but the idea that fire and hurricane and those kinds of incidents have been litigated to death. And so everything's well defined. There's a hundred years' worth of information that they use to build all of their tables and everything. Cybersecurity is so compressed down and it changes so quickly that I think insurance companies are trying to find their footing on, yes, how do we define these things?

And what does this really mean? And does this qualify for that kind of coverage? Even though that's not what we meant when we sold you the policy, but it turns out that actually is, the business interruption is a thing that happened. And so it's an odd, that's not what we meant, but it is what we meant.

There's a lot of litigation that's going to happen to sort that out.


Join us for dynamic sessions, interactive workshops, and keynotes from trailblazing women in the industry. This event offers actionable strategies and fosters genuine connections. Whether you're a health system employee or a vendor partner, SOAR provides unique networking and growth opportunities.

at bluebirdleaders.org/

The other part of that article that I found very interesting was that they talked about, even if you had a cyber insurance line, there are parts of these damages that would be for other insurance lines: general liability, D&O, other non-malicious interruption acts that had thresholds.

So I think that, like every marketplace, the carriers have done their best to compete on one hand, but make sure they could cover risks that they could, from an actuarial perspective, evaluate. This is gonna cause, you know, a fairly, I think, significant rethink of how all these different insurance lines get put together.

The article talked about a lot of modeling going on, so some will be done with AI agents, that's our next topic. But still it's clear that because this was so deeply embedded and affected so many industries, I think there'll be a rethink here. And for our clients and for healthcare, part of this third party issue came home to roost, even though it wasn't, thankfully, a cyber attack. CrowdStrike is a third party vendor to all these healthcare organizations.

And now we're getting back to something we mentioned earlier in our discussion, which is, you've got how many years of software contracts that you've written for all of your vendors, several hundred in many cases, and all those contracts, because I've been doing software licensing for 40 years, they all have warranty disclaimers, they all have limitations of liability, carve-outs for special and incidental damages, and all that.

So on one hand you have your license agreement with the software vendor. And in many cases, that license agreement will limit your liability to the last 12 months of license fees that you paid, for example. But then in our industry, when you get to the BAA, there have been further BAA carve-outs that say there will be no special business interruption or other damages, but there will be direct damages for the incident response, which makes sense when you think about it.

So that's your legal posture, but now you look at what is your security posture? And who owns those two, and are they unified anywhere in the organization? That's one of the things we do for our clients, because third party risk is not just about the security posture, it's about your legal liability in the event something happens.

And these things all become this big layer cake that is owned by, in many cases, two or three different organizations in a client. So they don't really dig into that. It's one of the things we help them do. Because until you know that, you can't really understand then what is your cyber insurance, which is the roof, hopefully the ceiling of reliability, going to look like based on all these things that are happening in there.

It's another great reason to have the CIO and the CISO involved in all of these conversations too, because they've got a view of the world that is different from straight legal or straight insurance.

And I think there was even a follow-up article, 'cause this now CrowdStrike and Delta Airlines food fight, it's going to be out there, and I think George Kurtz, I believe his name is, basically said, look, under direct damages, yeah, we would have, I think he said single number millions, which, Delta's size, you could see that. The Delta CEO, Ed, wants to go after him for 500 mil, and he hired David Boies.

He's an illuminati of high-profile legal fights. He's done a lot of them in his years. So he's sending a message, but he's doing it in public, not private. I happen to think, and I'll just give you a little inside kind of baseball view, maybe he's doing that for the FAA's benefit, because they're going to be asking, what did you do to take care of these passengers that were stranded and the crews and everything else.

So I don't really know, but when I look at all that and think, why would you pick a fight with your vendor who's deeply embedded in your operations and call attention to your team's execution and their system's architecture and those innate vulnerabilities? Why would you do that in the press? To me, it just seemed odd.

Yeah.

Even Delta has now in an article the other day talking about how they're rethinking the whole structure of their team and how many people they need and how they could have done things differently and should have done things differently. I think this is a great opportunity for everybody to rethink all of that, including the discontinuity part of it.

And the challenges around, if:

Scott Mattila was there from Intraprise. And great conversations about, people really thinking outside the box around all this business continuity stuff. Not necessarily tied to insurance, but just the idea of how are we going to operate when the things we've depended on aren't there for us to use anymore.

And getting back to the third party piece of this too, the other thing that we see is, there's this buyer excitement that builds during a process. How many times does a CIO or a head of cardiology say to legal, I need this machine tomorrow, sign this agreement.

When you can incorporate security assessment into the buying process, before you sign the contract, you have more ability to, in a proactive way, get your arms around that problem a little better, which is something we do with our platform. And the other dynamic this brings to mind, there's been a lot of talk from HHS, from HICP and others about this SBOM, Software Bill of Materials.

And it's important. I was thinking about, after I read the article, I lived through the open source era, right? And for a while, and you still see it happening in many cases today, you've got to disclose what is open source. Because the open source model is inside the product, right? That you wouldn't normally see.

So I think that we'll have to evolve as an industry some better scanning techniques, which certainly now with generative AI is there. You could look at what is the actual pattern of a framework you're recognizing in code that you see elsewhere, which an agent, we'll be talking about in a minute, could do very well, right?

Also here in DC where I live, I have a lot of friends in the federal software space, and they have a lot of these code locker concepts where once you get an object entity, it is locked down in a very tight fashion. Even the software supply chain that went into it, locked down in a very tight fashion.

A lot of these code management environments today are pretty good, but basically you need to have, I think, a better way to manage all this.

Yeah, man, we could go on and on with this. We've got a few minutes left. I want to jump to the AI conversation, right? There's a great story, a great report from McKinsey: agents, the next frontier, information to action.

It talks a lot about AI, large language models, really, though the article is focused on this idea of those digital helpers, those assistants that are created with AI that can help us use the products that we've bought better. What are you seeing?

It's a really powerful area. The neural networks are really finally coming of age.

They've been in computer science labs for years and years. And you listen to Ilya on YouTube and his journey, and you can hear when you listen to him, how he's felt his way through this next level of capability, and they're very powerful. And the programming model for them is also extremely impactful.

Very high leverage, much more malleable than code, much more adaptable automatically, in a sense, because this network understands the world, so to speak. I'm using Ilya's terms there for a minute. So you can ask it lots of questions, and we're finding that perspective, right? It has built-in kind of perspective.

When you ask a question, it can, we're at the point now where it's understanding the context of the question. The more you use it, the more it gets the context of your question.

And so the article talked about the use cases. They had like insurance underwriting, coding, and they also had marketing.

Yeah. Cybersecurity is a fabulous area to apply this, which we've been doing. We have agents now that are helping us with HITRUST assessments. We're going to have some announcements in September. It's really all about flattening the manual effort: evaluating risk and risk correlation and risk normalization, remediation, all these things that today require an analyst to dive through lots of information.

It's a great opportunity for an agent to help a person do that same job in a fraction of the time with less drudgery. It's also normalization. You think about what we try to do in our product set and with our clients: you're taking different kinds of information that are the same thing, but they have different names, different properties.

You can actually realize that the same thing with more leverage, you can now connect the dots with a lot more efficiency. And so we're doing a lot of work there, and anything we can do to flatten that mean time to value and reduce the cost to get there is very powerful. The other benefit we see is for a lot of our smaller clients: if they had, you know, a CISO supported by an agent, they could get a lot of other things done with less cost, be available 24/7, that could then be reviewed by a human in the loop, which we still have and believe is a very important part of this. But it's all about reducing that cost model and that effort model for all the things that we're trying to help our clients do.

This is the thing we've been talking about forever too. We're bombarded with information. There's tons of data. How do we take that data and make it usable and actionable and valuable? And if you can build assistants, if you can build agents that will help you do that, again, a lot of the drudgery of the job and the stuff you've groaned and rolled your eyes about, because you've got to go through thousands of lines of whatever.

That stuff starts to go away and you can really focus your skill on the things that make the most difference. Like you said, and verified by the human once the assistant gives you the information. But the more we do it, the better we'll get.

Yeah, verified and even bird dog too. If you think about it, so many of the challenges that our teams and our clients have are a needle in a haystack problem.

Yeah. Narrow the haystack. This part's okay. Go look at these pieces of hay over here. That's where you can really get to just a higher level of throughput for a lot less wear and tear on a team.

World where so many of the bad guys and the things that they do look like a normal piece of hay.

Yeah. It needs a lot more analysis because it looks like they're supposed to be there doing the things that they're doing, even though it's nefarious.

Exactly. Hey, thanks for being on the show today, George.

Sure. I really appreciate it. This is always great fun with you.

Thanks for being on.

Our pleasure.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.
