UnHack (the Podcast): A Peek Behind the Health ISAC Curtain with Sahan Fernando
Episode 116 • 23rd September 2025 • UnHack with Drex DeFord • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


Drex DeFord: Today on the UnHack channel with me, Drex DeFord.

Sahan Fernando: That's part of our philosophy: make it harder for them to do the low-cost, stealthy stuff, force them into higher-fidelity channels so that we can catch them.

Hey everyone. I'm Drex and this is UnHack the podcast. Today I wanna bring you a conversation that I've really wanted to highlight, and that's Bill Russell's interview with Sahan Fernando, the CISO at Rady Children's. This is one of those discussions that gets right to the heart of what healthcare security leaders are dealing with day-to-day.

It's exactly the kind of mostly plain English, mostly non-technical cybersecurity and risk discussion that we all love to eavesdrop on, so let's jump into it and hear what they have to say. Here we go. (Main)

rmation Security Officer for

And Orange County, Cal. It's Southern California now,

Sahan Fernando: right? Indeed, yeah. We're fortunate. We serve pediatric populations for inpatient and outpatient, not just everything kind of south of Los Angeles, but we have patients coming in from all over the world.

Bill Russell: Yeah, children's hospitals are the coolest places on the planet now.

You don't want to be there for obvious reasons, but it's still, when I was at St. Joe's, we were connected to CHOC Children's in Orange, California. And, man, I'll tell you, it was a stark contrast. Like you walk in there, beautiful paintings. It was bright, it was cheery, and then literally our buildings were connected.

t's like you entered like the:

Sahan Fernando: Yeah, absolutely. It is funny though that [00:02:00] you bring up that story because, you and I saw each other only last week in Madison and Judy Faulkner during her keynote actually touched on that exact paradigm, right? Children's hospitals really do strive to be very uplifting and not let your circumstances, affect you.

I think there is a lot in terms of your mental state being a part of your healing process and where you're at, and she really strongly put out there, we need to do more on the adult side.

Bill Russell: I don't know about you, but if I ever become like a trillionaire, that's what I'm gonna do.

That's gonna be my new, and actually Judy should do this. She's a trillionaire or something. Like, she should literally go to every hospital and say, look, I've got some paint. And I've got some really talented artists from the local college and university, and we would like to spruce this place.

I don't think you can do that, but it would be great if they could.

Sahan Fernando: They certainly lead by example. That campus is top five I've been on.

y're able to do so much with

Very lean organizations. And like when I was doing work with CHOC, my team of three or four people, who represented like another 20 to 25 people, would meet with two people over at CHOC. And that would be their whole department who is doing that thing.

And I would be like, wow. I can't imagine, because you have the same issues, right? You have to protect against the same stuff. You have the same attackers trying to get in, you have the same everything.

Sahan Fernando: Everything. And I think you touch on an important point there is that even from a patient experience, they have the same expectations.

erience than when I go as an

But it is harder, and I think in California particularly, I don't think it's that controversial to say, being so reliant on Medi-Cal, the reimbursement doesn't cover a lot of the cases, and I think especially in Southern California where we have some more unique patient loads. And so it's very lean; it is still always catching up.

And then we still run into, I think healthcare has lived so long on big projects, meaning we're using CapEx, and they like the advantages from an accounting standpoint there, but it's so much harder to use capital if it's not directly on hardware anymore.

Bill Russell: You guys are an Epic shop, or are you a Community Connect, or what are you?

a very early Epic customer.

Saw that as a big need, and that was obviously a massive transformation well ahead of meaningful use or any sort of other incentives. So we actually have

Bill Russell: And Epic wasn't necessarily built for children's hospitals, like you guys had to help them build it. I'm sort of giving you words, but I've talked to enough children's hospitals that they were like, Hey, the reason we were all on Cerner is Epic didn't really pay attention to us until there were some of us on the platform.

Epic because it doesn't fit

And so I know that Epic's great,

Bill Russell: But still, Epic has made some pretty significant inroads. I assume that CHOC and Rady's will be on the same build.

Sahan Fernando: We will definitely converge onto a single electronic health record platform. I guess now we're supposed to just call it converged health record, according to Judy.

And I can't say publicly what that will be.

Bill Russell: Yeah. Nor do I expect you to, but that's what the converged health record, that's what the consumers expect now. Yeah. I'm curious, they announced so many things at UGM this year.

quest those records and care

But essentially I would go to MyChart through my provider. I mean, that to me was an interesting play, especially in the pediatric space, 'cause you have a lot of specialists and specialties and kids moving from a primary care doc and a health system over to children's and back, potentially some people traveling to you guys.

I'm curious what your thoughts are on how that's gonna change things or how that's going to change the experience for them.

Sahan Fernando: Absolutely. It is exciting. I mean, I don't think there has been anyone pushing quite as hard as Epic has on the portability side of HIPAA, and that interoperability is really one of those big buzzwords, but it does have meaning and value.

to be incumbent on us to fix

And so I know that is an active discussion topic among chief information security officers and privacy officers right now. This sounds great. How do we do this in a way that we're not violating another state's laws? So it's really great to have that functionality, and we see more and more folks that leverage CareLink, right?

Really a more coordinated care team. And I think, especially when I think of, I travel quite a bit. I have my background blurred, but otherwise you would see so many planes and such. And being abroad, reducing barriers to relevant information for me, if I were to need care, is a really powerful idea, right?

well. So there is a cohesive

I really see that as very empowering. And I really hope it does play out.

Bill Russell: I love the fact that you brought up portability when talking about HIPAA. I think the forgotten P in HIPAA is portability. But man, I also love what you're talking about there, because when I was at St. Joe's we had Southern California, Northern California, which was easy.

Then we had Northwest Texas. We had Lubbock, Texas, and we had to navigate some of that stuff. And it was interesting, like a child is considered a certain age in California. It's considered a different age in Texas. The access from the parent was handled differently in both those states.

ld has agency over their own

Sahan Fernando: I believe we do. Yeah. I know that for us, we have a very clear policy that aligns with California law in terms of when a patient requires a proxy access versus direct. And there are even certain results and other parts of their record that are more controlled, let's say, to protect, as they become a teenager and more involved with their own health, that they have a little bit more control over that.

rative side to ensure proper

It's really quite fascinating.

Bill Russell: Just outta curiosity, I'm gonna throw this question out. You don't have to answer it if you don't want. What's your data retention policy?

Sahan Fernando: It's hilarious. I actually had a very direct conversation about this about 16 hours ago. So

Bill Russell: It comes up in so many of our 229 meetings.

'cause people are like, what's your retention policy? They'll go, forever. But I'm like, seriously? They're like, I, but it's so all over the board that it's just forever.

Sahan Fernando: I can actually answer this to a meaningful level. So awesome. With Epic, it's essentially forever. Technically, once a child reaches the appropriate age, which I believe is 23, you can start rolling off, I think, seven years' worth of history.

t is completely separate for

It's been about 10 minutes on retention policies and why that's a burning topic for everyone, because you gotta mention AI in our conversation, right? Right. A lot of people are using Copilot and other transcription services and they aren't thinking about, do I actually want those transcripts existing for two years as a part of my records retention policy?

So, I think that thankfully technology exists to facilitate a more nuanced approach, but there is some risk there, I think, from a legal standpoint, right?

Bill Russell: The records represent the attack surface, right? I mean, if I get into your email and start tooling around. I was talking to one CIO.

go through all the historic

But the actual PII and PHI that was in the email system, out. And I'm like, well, how pervasive is that? And he goes, well, the farther back you go, the more pervasive it was. It represents an attack surface. I mean, that has to be one of the biggest challenges for you guys, is the attack surface appears to be only getting broader. It's people wanna work from different locations. That increases the attack surface. Therefore they want remote access to certain things. They want data sharing with certain entities. And if your user communities are like ours, they didn't want us to delete any email.

So a three-year retention policy would've been a fight with somebody, I'm sure, within the health system. It's kind of crazy.

u would like an exception of

Not my decision to make. I'm just here so we don't get fined. That's usually my response to that conversation. And the fine thing I think is very relevant when we talk about risk and attack surface, right? The two risks I really think of are around, one, this type of risk.

When we think of the amount of records that are in kind of unstructured locations, like email and chats, things like that. When a threat actor gets access to an email inbox, right? If you can't prove that they didn't go through things, then all the records are considered in scope, and that starts to become a part of your, well, this is the amount of records that you have to report to OCR as breached, right?

Those fines are no joke. And

In either case you can be talking about millions, and in both cases then investigations, corrective actions, action plans, things like that. And so.

Bill Russell: No, I wanna walk people through your role, I mean, without being too specific. So, one of the reasons we don't get too specific with CISOs is we don't wanna reveal too much, but let's take something that happened last year that was pretty widespread.

And that is the CrowdStrike outage. So what, it's one of those questions like, do you know where you were when, the first astronaut landed on the moon? This is like, do you remember where you were when you found out about the CrowdStrike thing? And did you know it was CrowdStrike right away, or did you have to go through that period of, I don't know if this is a ransomware attack or what this is?

Fernando: I did know it was

Here are some potential workarounds, fixes really, I think. They took a really strong lead for the healthcare sector on facilitating communications with CrowdStrike, with Microsoft, and going from there. So that, it's incredible though, because I think we've matured so much on the IT and information security side where there's still some people that say, oh, monthly patching every month is really still a scary thing.

as at DEFCON for essentially

So they were very transparent. They owned it. But I think it really, like I said earlier, 2024 is, do we understand risks in our digital supply chain? And so between Change and CrowdStrike, Health Sector Coordinating Council is really doing some great work on how do we map out our dependencies, where we have key concentrations of risk from a supply chain standpoint, and how do we empower different members of the healthcare sector to start applying that logic to their organizations?

And as a provider, I really think we have to continue looking at that, right? Information security has really evolved from just, how do we keep threat actors out, to, how do we manage systemic risk related to technology? And availability is core for us as providers. I mean, if a bunch of records do get breached, that's obviously a very bad thing, but patients are still getting treated.

do run a, an annual tabletop

Bill Russell: Yeah. I just pulled over here to LinkedIn, pulled up your profile. Rowing. You were a men's rowing coach for a Division I athletics program.

Sahan Fernando: Um, first practice of the year was yesterday actually, as a volunteer.

Bill Russell: As a volunteer, yeah. I was gonna say you don't have two full-time jobs,

Sahan Fernando: thankfully.

Not full-time. And they're understanding that, as I've gotten older, life shifts around, and priorities. But I went to a Jesuit high school in Phoenix, Arizona called Brophy College Preparatory, and so that's how I came across Gonzaga, and I just also happened to want to row in college.

t strange rowing in Arizona,

Bill Russell: There's the, it's right there. Well, is it in Tempe? Is that what you're talking about? Town Lake?

Sahan Fernando: Yeah.

Bill Russell: Yeah. I mean, actually it's really nice area, I think.

Sahan Fernando: It's gorgeous. It's gotten better.

About 15 years ago though, when I was working there, the dam blew up and it was an empty lake bed for a couple months. So that was a fun morning. But

Bill Russell: Yeah. How'd you practice?

Sahan Fernando: Well, since I was working, I was there at 4:00 AM and we had to start making sure people, their natural inclination is, oh, empty lake bed.

Let me go in. People obviously have been throwing things into the lake for years. So there was a very big safety hazard there. A lot of glass, a lot of sunglasses, cell phones, fridges. But we also had to worry about humans that were camping downstream with a dam, shrink. There was no loss of life.

ip position, it helps me to.

How can I ensure that I know how to communicate with them? Because again, being in the CISO role, you have to communicate with a very disparate group of stakeholders. You have to be able to talk to the IT folks who are doing the day-to-day work and explain risks and understand what they're saying, and also talk to the CEOs and the board and be able to essentially fly the plane at 35,000 feet as well as 10,000 feet and kind of seamlessly switch, but still be in the same flight.

And so it's been great, and it obviously keeps me away from the computer for a few hours. And thankfully also lets me go to Gonzaga basketball games.

e about Health ISAC a little

Sahan Fernando: Yes. Yeah, it will be three years this December, and I'm actually up for reelection this fall.

Bill Russell: Okay. Well, hopefully we'll help your reelection chances, but I'm curious, two and a half years ago we were talking about a really stringent set of rules coming in that health systems were all worried about, and that kinda stuff. Has that stuff like evaporated now?

Sahan Fernando: In some senses.

I think yes. CPGs, I think, is what we're referring to. And those are really strong security principles. And to our earlier conversation, the disparity in maturity levels for different people that are under the purview of HIPAA as a covered entity, that's where I think we've seen a lot of debate on, should we move forward with this?

y look at right now, there's

And so I think there's a timing aspect of it. I think we still need to continue to push each other to mature and evolve and ensure that we're handling risk, which is, I'm not just saying this 'cause I'm on the show, opportunities like the 229 summits are so valuable for that, because you get the opportunity to say, here's something I'm struggling with.

How are you all handling it? And really kind of that iron sharpens iron approach, and you hear about things that you wouldn't have even thought of. I still have on my desk a notebook from each summit I've been at, with just pages of notes: I need to go look at this, and I should think about this.

s. At the end of the day. We

Bill Russell: I'm sure somebody's gonna be upset with me saying, well, health systems didn't really care about security programs back then. But I do remember in 2012 coming into healthcare, and I mean, it was established by then. I mean, we were looking at security and that kinda stuff, but I came in from outside the industry and I just looked at them and I'm like, we've gotta increase our security spending by five x, maybe six x, and they looked at me like I was insane. I'm like, no, you don't understand. We really have to increase our security spending five to six x and we need to hire some people. We need to change our practices. We probably need to stand up a SOC. And they're just looking at me like, but we don't have that money.

I'm like,

g all these things in place.

And if I didn't feel vulnerable, every time Deloitte came in and did an audit, they made me feel vulnerable. But there's systems doing it for far less money with far less resources. And with Health ISAC, you have to consider all of those. You have to consider the well-funded Mayos, and then you have to consider the critical access hospital in Wyoming.

The breadth of that is staggering. Like, how do you bring people along? And you talk about carrots and sticks and best practices and sharing best practices. I love the security group in our country. I love it the most 'cause you guys are very connected.

y broad. I'm curious how the

Sahan Fernando: One of the many things that it excels at though is it creates the space, again, like 229, to have those conversations. Sometimes it feels, I think, almost like imposter syndrome, where I hear something and I think, wow, that's incredible.

And you do have to take a step and realize, hey, we aren't Merck or Pfizer. Maybe one day we could get to something close to that level. But relative to, if we look at it from an economic value relative to what we bring in, we're doing pretty well. And that's, what's the phrase? Comparison is the thief of joy.

llocated and still have that

I think one of the cool things with technology and security is that because things are changing, you don't get to just sit complacently on certain things and say, well, we solved that. Some things you do, and that's great, but you'll always have a new challenge to address. And so to your question on, how do those conversations go?

that whole story of how they

The multi-nation incident response and recovery and what they did from an after action standpoint, and how that also fed into how they approached reporting and, not just data lake, but their whole strategy on how they took security telemetry and turned that into more executive-facing things.

Those are not always things you will think of on your own, but they inspire you to think, what can we do? And those are things to maybe add to our roadmap. And I would say similarly, I think, I know that we have done a lot on embracing the Zero Trust paradigm, and I'm really proud of just all the work that Rady Children's has done across the board.

we started and where we are

My predecessor did a wonderful job. We're still in contact actually, and he left me some really great starting blocks, especially for what was next, and we get to share on that journey how we've approached identity security. I think we really embrace the idea of, we need to secure identity when we read forensics reports.

That is, lateral movement and privilege escalation are still all identity-based attacks, and we need to secure that. We need to tie more to your identity as a result, because we wanna try and balance the friction with convenience that security tends to introduce. And so those are some things that we're able to share with other organizations, both larger and smaller.

And the nice thing with, I think, most CISOs is just because they're bigger, they don't assume that they have it all right. And they will absolutely take your opinion as a smaller organization. We're all in it together.

ll: That's awesome. A lot of

I was just talking to somebody yesterday. One of their questions was, if you're stranded on a desert island, what are the five albums you want to have with you? And not that that wouldn't be interesting and fun to do with you, but we've come up with the escape room concept. Okay.

And here's your escape room question. And you're familiar with an escape room, right?

Sahan Fernando: Oh yeah.

Bill Russell: All right. So we lock you in this room.

Here's the challenge that you have. And this is a very real challenge. It happened a number of years ago as a ransomware attack, and I'm gonna put you as the Community Connect host for this. So the Community Connect host CIO got a phone call from their Community Connect partner health system. And they were experiencing all sorts of anomalies on their network, and systems were starting to go down and that kind of stuff.

he Community Connect partner

Those kinds of challenges, 'cause hopefully you won't have to face any of those, but my guess is that's the world you live in. So

Sahan Fernando: It is, and being the Community Connect host, we've run through those in tabletop form for sure. So for me, I think that starts with, it's not an InfoSec decision in a silo.

at worst you turn it back on

Right? Like if, going back to your question about last July and CrowdStrike, right? A bunch of blue screens of death, essentially. I would probably start with, well, we have to assume breach until we have evidence otherwise. Now, in that case, we knew right away what was going on, thanks to Health ISAC and our friends throughout the world, but if you really are embracing that Zero Trust paradigm, it is assumed compromised until you can essentially disprove that hypothesis. And so a lot of this is proactive work, right? If you are drilling and you are informing your stakeholders of potential risks and how you would manage them, especially when they're realized, it's less of a surprise and you have an alignment from the beginning on the what, the why and the how, and

hat's a big part of, I think

Great. But we've at least had that conversation. And if we haven't, we need to ensure that we have the right people in that call to ensure that we know, what are we doing? What's the impact, and who do we need to let know, and how that cascades down in terms of the staff, in terms of the patients.

Are we still able to move to downtime procedures and continue providing care? Right? What are we needing to cancel? Do we have a means to contact patients? What is our public communications strategy going to be? Who's on point for that? What are we saying? Is it legally approved? Are we gonna call insurance?

ere. And who is on point for

Bill Russell: So let me move you forward about, I don't know, a couple days. It was ransomware. Move it forward a couple days; they had disconnected it.

Now the question becomes reconnecting. So what's your thought process on reconnecting? Is this also something that you've played through and said, Hey, look, if somebody's been ransomed, these are the steps they're going to have to get through before they get back on?

Sahan Fernando: Yeah.

We have, through less tabletop and more other places, policy, right? Yeah. And so we don't put a formal policy out on this because we haven't seen a need, but it's a generally understood cultural stance that, if we need to reconnect with someone who has been hit, we basically want a third-party assurance of, this thing has been cleared forensically.

I don't think that any other

Just turn it back on. Oh, okay. Right, right. But I think that independent attestation also is a bit of us shielding ourselves, so that we can say, well, we had someone independently come in, or they had someone independently come in and clear it.

So we did our due diligence, and should something happen, we can show that trail of, here was the rationale and the risk management process, and obviously the risk was never going to be zero. They could have had some other infection that hadn't taken hold yet. That's completely separate. And so that's our normal process.

hings like that as we resume

And so I think that allows you a bit more nuance on investigations, because they're never going to be the same. And I think even with ransomware, it's, well, what was the scope? Where are you at from a containment standpoint? Where are you at from a recovery standpoint? Then you get into the nuances of, how good was their DR? Were they scanning their backups?

How far back are their backups? Where are they restoring from? What were the relevant tactics, techniques and procedures? 'cause I think that informs, are you okay with their backups?

Bill Russell: That recovery took long. Yeah, I mean, based on the impact on healthcare.

It was pretty long. The metric which always shocks me is time on network, or time on network.

Sahan Fernando: Dwell time.

days,

Sahan Fernando: It is. And as dwell time has reduced, the problem is they understand, well, we're just going to need to move faster. So dwell time reduces. But also the time to impact has also correspondingly reduced. Right. And there's trade-offs with that, I think, because they're trying to move a little faster.

That gives you more detection opportunities. But to our earlier conversation around why we went so heavy on identity security, it is exactly these sorts of reasons. I think you have really high-fidelity telemetry and alerts and detection controls in place, so that if you start forcing them through high-visibility channels, you shut off proactively.

more opportunities to reduce

And it can kind of continuously refine. And detection tradecraft is another one of our passions that we look at a lot, and for a smaller place, I think sometimes we get a little too eager about it. We have obviously some internal SOC functions, but we have partners that help.

But as they continue to get a bit more aggressive, there's things that are, like I said, good about that for us and maybe a little bit difficult for us. And I think we've seen that play out. I've given some talks over the last year and a half on where, if you can catch someone early, you can do quite a bit.

a spyware company. And they

They started with something very esoteric where they put in a zero day on the external router. But then from there it was, well, here's where I looked at first from a recon standpoint. And then I found identities that I could compromise. I mean, this is going back, they compromised the BlackBerry service account at this hacking company or the spyware company.

And it was just very, that sort of tradecraft I think is very much on my mind when I think at a higher level, what are we looking at? Because administrative controls are really great, but the technical controls that we're accountable for as well, on the prevention side, those are things I think of: how do we really ensure that we're putting up the right gates, and different types of gates and moats and other sorts of defenses, varying so that the layers are helpful, but still let the right stuff through.

ing on this show and talking

And I appreciate you sharing your experience and wisdom with the community. Thanks.

Sahan Fernando: Thank you so much for having me on. I'm glad we didn't only talk about security stuff. A lot of great conversation.

Bill Russell: We can next time. Next time we're gonna talk about rowing and get into much more detail on crew and whatnot.

So, all right. Hey, thanks man. Take care.

Drex DeFord: Thanks for joining us on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.

Together we are stronger.
