UnHack (the Podcast): Generating Cyber Resilience Through Collaboration with Errol Weiss
Episode 714th October 2024 • This Week Health: Conference • This Week Health


Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24 7 threat defense services or advisory services delivered through Central Command, a first of its kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.

Learn more at fortifiedhealthsecurity.com.

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non-technical show about cybersecurity, and risk, and the people, process, and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Hey everyone, welcome to Unhack the Podcast. I'm your host, Drex DeFord. Today we'll be talking about some of the completely free and incredibly useful stuff that's produced by the Health Sector Coordinating Council Cybersecurity Working Group. It's the government.

I freely admit I'm a part of this, so there are a lot of acronyms, but we'll shorten that reference to CWG for today. The Health Sector Coordinating Council Cybersecurity Working Group, or CWG, is composed of more than 400 industry and government organizations that work together to develop strategies to address cyber challenges in the health sector.

And one of the many things CWG does through a task group process is that they develop these free resources based on sound cyber practices. And those go across a whole range of disciplines. And today we're going to talk about some of those resources. And in this episode of Unhack, in particular, we're focused on one of those documents called Information Sharing Best Practices, and I'm lucky enough to have a terrific guest with me today, who's way into info sharing. Hi, Errol. Thanks for being on the show.

Thanks for having me Drex. It's great to be here.

Why don't we start with you introducing yourself? And I think that'll help set the stage for our discussion and help folks understand how you wound up being involved in helping to lead the creation of some of this material.

So I started my career actually at the National Security Agency. And the last gig that I had there was actually doing penetration testing and risk assessments. So phenomenal job, loved it. And that led me to actually leave the government and start to do things like penetration testing and InfoSec for commercial companies.

and this was way back in the:

Yeah. And now I've come full circle, back on the service provider side. But after creating that financial services ISAC, I actually went to work in the banking and finance sector at places like Citibank and then Bank of America. When I was at Citibank, I created and ran their cyber threat intelligence organization.

So I tell that long story because I was heavily involved in the financial services ISAC as a contributor as part of the leadership there on the board of directors for a few years itself. But really the bottom line was I was just active in terms of contributing and sharing on that side of it.

So I really understand what it's like to be on that side of the fence. And then I've been in this role with Health ISAC now as chief security officer. I've been here five years, and it's really all about enabling all of the info sharing and online tools that we provide and the content that we provide for our members at Health ISAC.

I love this story because it's the street cred then, from the government through the private sector, back to the government and helping to create this and having the experience of creating the financial services ISAC, being able to move that over into the HISAC and bring all those best practices help jumpstart that whole organization, right?

There's a lot of lessons learned, right? And so I always feel like when you do version two you do it better than the original. So I feel like we've improved upon a lot of those things.

Yeah, that's great. And you have a really awesome board at HISAC too. Some, obviously some good friends we share that have done an amazing amount of work helping you put everything together there.

So at some point, because I know when I go to HISAC or when I go to Health Sector Coordinating Council, CWG, all hands, I see you there. At some point you became involved with the CWG. How'd that happen?

So I think there's a natural synergy between the ISAC and the Sector Coordinating Council really in every sector.

I look at the ISAC as the tactical arm of the sector, really dealing with what vulnerabilities, what threats are we dealing with right now, this minute, that we need to make sure our members are aware of and make sure that our government partners are aware of. And then I look to the Sector Coordinating Council really being the strategic arm of that, right?

What are the long term issues that we need to be concerned about? What are the areas where the sector needs help? And as you mentioned earlier, a lot of the great documents and deliverables that the Sector Coordinating Council has provided fit into that longer term strategic goal, I would imagine.

So we participate from the ISAC standpoint very regularly with the Sector Coordinating Council. I'd say we're very tight partners in lots of ways.

So even this Information Sharing Best Practices document is a joint effort between the two organizations. You're obviously one of the leaders on the team who works on that broader set of material that's called measuring effectiveness, but the Information Sharing Best Practices document in particular, that's just one of the resources in that set of documents.

You and a lot of other folks, all volunteers, mostly volunteers, have put a lot of time and effort into those resources.

Why? Why such an important document? Why such an important part of the conversation around cybersecurity?

Yeah I think in this case of the info sharing best practices document and it was really neat to be tackling this from a working group standpoint.

So we had so many different perspectives and ideas come to the table. The issue that I saw, especially even coming from the financial services sector, was that, we talk about the benefits of information sharing, talk about why it's such a good thing and why people need to do it. Everybody agrees, nods their heads.

Yeah, let's do it. But so often folks just don't know how to get started. They don't know where to begin. They don't know what to share. They don't know who to share it with. And so in my mind, when we saw this problem, I really wanted to tackle that part of it. How do you even get started? And then I'd say, just from the working group and others contributing to this paper, we started tackling things like how to get support from your leadership, right?

What are the barriers that people are often facing when it comes to that? It's the support from senior leadership and especially it's the backing from internal counsel. So many times internal counsel is the one that says, no, we can't do this. It sounds too risky and it ends all the sharing.

So much of the paper is dedicated to things like that. And then even there were others that contributed things like a governance model. So I thought it was pretty genius in terms of outlining how that sort of works. And we can get into that later. But that to me really spells out what are the benefits to the sharing?

How to get started? What can you share and how to pull it off internally to get support? Yeah.

I'm with you. I hear a lot of folks talk about, we should share information more freely, but the person who always is saying that is the person who's not involved in the breach at the time, right?

Everybody wants more information. The organization that's under attack, the victim, feels like there's only so much that they can probably legally or whatever necessarily say. And so they get hung up in that. I know there's a lot of conversation about how to make that easier and better

for those victims earlier in the process so that more of us can learn and understand how to protect ourselves from the attack that's going on right now. Is there a reference to that in this document, or just tell me about some of the work you're doing? Yeah.

No, it's definitely a part of the issue.

And I think as you bring it up the incident is a classic example, right? So you have a victim who's suffering from a cyber incident. And the last thing, and I think it's a natural understanding is that the sort of last thing would be we want to air our dirty laundry out there and let people know what happened.

So there's certainly reputational damage that folks are worried about. And then, in this day and age, we're certainly also worried about class action lawsuits, right? Going after, again, this victim organization, who is a victim of a cybercrime, is now also being sued by their customers or other constituents because of maybe not implementing best security practices.

It's that vicious cycle. But the thing that I would say and argue is that the ISACs offer a safe and secure way to share that information in a trusted environment, and even anonymously. And the best part of that also is that if you're suffering from an incident, malware, ransomware events, something like that, there may be somebody else in your community who has gone through something very similar.

And you might be able to learn from that. You might be able to restore faster, learn how they were able to mitigate the circumstances and get back up and running quicker. So there are things that even the victim organization can benefit from by getting it out there and actively sharing with the community, but ultimately it just comes down to putting that information out there and helping the rest of the community better secure themselves.

Yeah. So I'm gonna ask you, if you can, to briefly give me an overview of the document, but you just talked about one of the items, which is that crowdsourced expertise, that ability to be able to not only tell folks what's going on so you can make them safer, but at the same time, you are asking for help.

Just by putting the story out, there are folks who will come to you and say, yeah, I can definitely help. But walk us through the document and tell us. Absolutely.

Yeah. So it actually starts off with going through the benefits of info sharing. We've been talking about some of them, but one of the ones that I would point out is actually the benefits that the individual gets from the exposure, the experiences and learning, and professional development, even opportunities as well.

And I would say, just even in my time, when I was at places like Citibank and contributing and working with the financial services ISAC, in the heat of the moment, when things are on fire, there's a major incident going on and you're witnessing at the table the behaviors of people under incredible pressure dealing with these kinds of incidents, and being able to look at behavior like that and say to myself, wow, that's how I want to be able to lead and practice when I'm in a similar situation, and just being able to learn from others.

So there's lots of opportunity like that. So benefits of info sharing, I think you have to start off there. And then it breaks down what you should share. And we break it down into even tactical and strategic intelligence, because it's not just even about the threats or the incidents that we were dealing with, but it could be even things like best practices, how the organization is set up from the InfoSec standpoint, disaster recovery practices, or many of the InfoSec disciplines. People are sharing information about what they do internally.

We talk about how do you share, and there's where we really talk about that governance model that I alluded to before. So it breaks down, actually, if you can picture a table, and list all the kinds of things that you would want to share, and we suggest you have things like, where does that information come from internally?

Who has the authority to release that information, and who does it go to? And when you break it down in that kind of a format and you can share something like that with your internal counsel, it makes the whole info sharing thing, I think, a lot less scary. So it puts really into very concrete black and white terms what you're thinking about sharing.

And that I've seen as a great way to get the buy-in and support from others inside the organization.

I love that because that's a lot of what general counsel wants to understand, that there's a process that you're thinking through and going through before you're doing it.

And if they have visibility into that, the transparency is incredibly important, obviously.

They're way more likely to say yes, or it's okay, or I'm on board, or whatever.

Yeah, and I'll tell you one of the other things that has worked really well in the past is developing that matrix, that grid that I talked about.

And then doing some tabletop exercise. Yes. And invite general counsel, your internal counsel, to sit at the table with you and watch one of these things in action. And they'll see exactly that interaction and kinds of things that you want to share. And then maybe even you can demonstrate the benefit that you get from info sharing even from that instance.

Yeah, during the tabletop, if you have an injection that, oh, it turns out somebody from the HISAC is giving me this new information because I shared it, right? That reinforces that good behavior. Yeah, that's great. I'm sorry, I cut you off there. I'm wondering if you were going to go on and talk about some other parts of the document.

updated the document again in:

, we updated that document in:

Yeah. Thanks. I appreciate it. Yes. Definitely post the links to the documents, to the HSCC, to this document in particular, but to the whole document library for listeners.

Hey, thanks for being on the show today. I really appreciate it.

Yeah, Drex. Absolutely. And I would just say also, maybe you have some listeners who aren't necessarily in the health sector. I would say that Information Sharing Best Practices paper is good for any sector, so not just health.

I say this actually to a lot of my friends who are not in the healthcare industry, and then I point them to the library, the HSCC library, and I say, all of this stuff applies to you too. Just take the word healthcare out, and you can probably plagiarize and steal and use this stuff.

And so I love that shout out. I think that's a really good one. So for everyone else who's listening, who isn't in healthcare, but just keeping up, that's definitely a big deal. That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.
