This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Executive Interview: Solving Healthcare's Identity Access Management Complexity with Bill Willis
Since 2004, IDMWORKS has been delivering world-class identity and access management solutions that build resilience, ensure compliance, and protect what matters most, with vendor-neutral expertise and a proven methodology. IDMWORKS has helped thousands of organizations streamline IAM while maintaining the highest security standards.
Learn more at thisweekhealth.com/IDMWORKS. I'm Drex DeFord, president of Cyber and Risk here at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to this executive interview on the UnHack channel: real conversations about managing risk at the highest levels.
Let's dive in.
Drex DeFord: Hey everyone, I'm Drex. Nice to see everyone here today. Thanks for being here. I have Bill Willis with me today from IDMWORKS. Say hi, Bill.
Bill Willis: Nice to meet you.
Drex DeFord: There's a lot of stuff that I always have questions about when it comes to identity and access management and all the challenges around that.
Every time I sit down with CISOs, it's always a topic of conversation because it's always way more complicated than anybody ever imagined. Even after they buy the tool, they wind up jammed up 'cause they can't figure out how to get the tools in the way that they want them to actually work. So let me start by just asking a little bit about you.
Tell me a little bit about your background and how you, because it's really interesting how you wound up getting into this field and really have become kind of like a world-class leader in this field.
Bill Willis: Well, first of all, Drex, thanks for having me on. Always appreciate you and I having a chat, so it's good.
in this space a really long
Drex DeFord: Uh-huh.
Bill Willis: So they actually asked me to build one.
So I built one inside of Amoco. Late eighties, been a minute. So you kind of
Drex DeFord: built one of the first identity access management systems. Yeah. Yeah. But not like you bought it, you literally just from scratch. Yeah.
Bill Willis: Yeah. So, once I built that inside of Amoco, there were some folks that wanted to take one out to market.
So I moved from Chicago to Southern California with my family and invented and built a product that IBM ultimately bought and that's still running today, 32 years and six months later. So if anybody's ever heard of Tivoli Identity Manager, ITIM, I'm the inventor and founder of that, how about that? With a core group of folks.
recognition, that's all the
Drex DeFord: How did you wind up then at IDMWORKS?
How did that
Bill Willis: Paths cross? Yeah, so at some point I chose not to build product and look to take, you know, this lifelong learning set, you know, and bring it to the people that needed the help. Instead of building stuff, actually going in and being kind of that old voice in the wild that can help people solve their problems and actually look and see what technology stacks, if any, that people really needed, instead of building something that people would come to.
And the interesting thing is, Drex, as you talked about what some of the challenges are, we find it's almost never the technology.
e the data so the data comes
What that then lets you do is recapture those people instead of having to shuffle people all day long, to do really important work to try and protect the attack surface of the hospital or whatever that is, right? And then lastly, once you've got all those things in place, you can then pick the technology that fits you the best instead of the tail wagging the dog, and you're then in a place where you can actually bring the bear savings to the C-suite and to leadership.
So that's how we look at it, and we've been highly successful. There are a lot of times that people have already got the investment inside their house. They just haven't reimagined and transformed it to actually do these things. So
Drex DeFord: I literally just spoke to someone who said they had made an investment, insert vendor partner here, they bought a product they thought
the
Bill Willis: So one of the things we try and do is we'll actually sit down and have what we call the fireside chat. It's kinda like what you and I are doing today, right?
Drex DeFord: So anybody can call, anybody can reach out to you. Yep. And say, I wanna have a fireside chat. I wanna sit down and talk about this problem. My whole eco-, my
Bill Willis: whole identity. All it is is a whiteboard and a bag of markers. We don't bring a fire pit.
Drex DeFord: You don't bring a fire either.
So,
Bill Willis: Nope. And it doesn't cost them anything. And again, it's my life's work and it's my journey to try and make the world a better and a safer place, like we talked about earlier today, right? It's like, why wouldn't I help people? Even if they choose not to continue down the path, at least guide them on what good looks like.
So that's what we do. We do about two a week, actually.
ed through what these things
Drex DeFord: All the ties of this: this is an HR problem, this is a training problem. This is tied to Epic. This is tied to how we let people go or let people retire. This is also mixed into people moving from one place in an organization to another place in the organization, and changing what kind of access. There's so many, it's super complicated.
Tell me about the complications.
Bill Willis: So healthcare, I would say two things. Higher education and healthcare are two of the most complicated ecosystems of identity because they have personas that aren't just, hey, I'm either working there, or I'm a staff augmentation, I'm a contractor there, or I might be a vendor.
ee things are typical in any
So now you're doing Jenga or Rubik's Cube, right? And it's, how do I make all that work? We've been working some with some of the largest hospital systems in the United States, where we've actually created almost a filter, if you will, where all of that data comes in from all of these sources into a common data lake.
And all that data lake is intended to do is one thing: who am I? Even though I'm a volunteer and I'm a student and I'm a nurse, right? I've got three personas in there, but who am I? Right? From there, you can actually consume it and decide what access you're going to give to them, if they need certain access at certain times.
sity, you know that person's
If I'm actually third shift, 12 o'clock, doing the nursing thing just to make sure I can pay for tech, going to university, I also know that too, and so you just give them real-time access.
The technology already exists as far as giving the access and access management. That's what that conditional access policy stuff is. And so we just make sure the consumption of who I am is part of that decision on what you get access to at the time you're asking for. And so that's part, if you boil it down into simplistic terms: whenever you have these complications, we actually find, if you can answer the five basic questions of human life,
Who, what, when, where, why, how. You can always break it down into making it a process and a transaction.
Drex DeFord: You and I have also talked about the, it's not just the person, it may also be the device that they're on. Sure. Or how, so how does that all come into play in this?
eter, right? Once you have a
Bill Willis: We see it every single day. If we can eliminate the phishing exercise, so what they're phishing for doesn't exist anymore, meaning the password.
Then you can't phish for that. You can't get to it. And again, this is not a technology problem. Every single healthcare organization that I've ever talked to has all the tools to do this work.
It is changing the philosophy of how you give people access and changing the way that whole relationship happens. Because they've gotten so ingrained and used to it, they think it's a cultural problem, when realistically, people log into their own checking accounts or they go through TSA PreCheck or whatever, and they don't give a password anymore.
They, here's my
Drex DeFord: Something I am, that relationship exists.
Bill Willis: It's not a technology problem. Right? Yeah. So the way it works in healthcare, the way we see it working, is that they create a relationship with me: who is it, and what device am I trying to use to gain access to an application?
You bind those two things together, who and what? And then you decide where am I going to go with that relationship? And that's the access part to the application. Again, every healthcare organization has a conditional access policy broker, CASB. If they have Microsoft, I can't think of anybody that doesn't.
hose two things and I simply
They can confirm it and off they go, and guess what? I don't need a password anymore. Okay. The National Institute of Standards and Technology already said, right, you don't need to do this anymore.
Drex DeFord: You don't have to change.
Bill Willis: So it's not a technology problem, and that's what I try and coach and advise people is that you don't have to go to the boss and ask for more money.
You just have to lean in and be proactive to show the art of the possible. And when people say, well, geez, that was easy and I didn't have to worry about it, and the attack surface goes away. I can take the help desk away from doing password resets at 25 bucks a pop. And that's real money I give back to leadership.
Drex DeFord: Are there legacy technologies that we have in healthcare that keep this from happening? Does it really apply everywhere?
Bill Willis: So probably one of the biggest ones that everybody's waiting for is for Epic
Drex DeFord: to
Bill Willis: get away from LDAP-based authentication to token-based authentication.
opens up the doors. Because
Drex DeFord: Right,
Bill Willis: right. Hair, it's like, yeah, we're, yeah. So that is happening. So when that ha, so when you get to that point, then the only other thing you need to look for is these very specific one-off things that might've been in the hospital for 30 or 40 years, that's been like a Windows 7 or Windows, you know, like a really old app.
Sure. That nobody knows where the source code is and nobody wants to touch it because it's whatever it is. It's like you need to just get rid of that thing. Right.
Drex DeFord: Maybe like a weird medical device or something to, or, yeah.
Bill Willis: Yeah. But again, that's my exception now, not my rule. You can actually look and say, I can positively influence.
information now because and
You can very straightforwardly protect that.
Drex DeFord: Yeah. That normal stuff will be protected like this. Okay. Very interesting. Very interesting. So we've talked a little bit about the fireside chat that you do to kind of help people get some of their processes kind of laid out. What happens
So they do that and they're, the light bulb goes on. This is amazing. Can you help us with the rest of the road trip? How does that look, or how does that work for you guys?
Bill Willis: Yeah. So, you know, the art of the possible is what we talk about first is that when we have that fireside chat for the very first time, they actually see their entire ecosystem in one place.
gs I have a problem with. So
So we try and bring them from tactical to strategic and then operationalize that. So once you can get to a baseline of tactical recovery, we help them with building a roadmap. It's called an assessment. Basically sit down and say, okay, where do you want to go in three years? How do you want to get there?
You know, all of the normal things. And again, it's data and process and institutional knowledge, and then the technology that's last, not first.
I think that's been the problem with people thinking that if I buy the new shiny penny, I just plug it in the slot and it's going to actually, you know, return.
ll, I've got a perfect stick.
Drex DeFord: It's a, like the grill really almost has the least amount to do with the whole thing.
Bill Willis: That's exactly right. That's exactly,
Drex DeFord: We see this over and over again. I just think about, you know, back during my career as I, you know, kind of went from place to place. The biggest problem with on-time, on-budget projects often had to do with us buying the technology.
And then in the process of that project having, realizing we have to go back and retrofit all that people and process part, and forcing change management, because somehow this wound up being an information services project when it really should have been a clinical project. And now we are trying to make clinical people change different processes.
Like that whole workflow is broken, and I think as a CIO you realize that fairly early on, or as a CISO you learn that, you know, fairly early on, but identity management seems to be one of those things that still stymies a lot of folks.
Bill Willis: You have to partner with the leader of human capital management because the data that drives your part of the business comes from that person and their team. You have to show them why it is so important. And what I will say is that every single HR/human capital management leader that we've ever talked to has said, yes, I understand the importance of this.
Yes, we will help you. Yes, we will lean in and we'll participate and partner. Doesn't
Drex DeFord: it make their life better too?
Bill Willis: Yeah, but the problem is that the relationships that the IT teams have typically are at the level of just blocking and tackling, instead of getting ahead above. And you and I have been around this a long time; if it rolls downhill, it's gonna happen here.
things rolling the way it's
Then the person that we shake hands with every day gets it, because now they've been empowered to help. Right now they're not empowered to help, and so it's really part of that, just creating an orchestrated team of people that recognize how important their piece of the 20 or 30 pieces is. What needs to be done in identity is really sustainable and doable and super important.
So
Drex DeFord: who are some of the other people that are in that group? The HR leaders, obviously, the folks who are doing identity access management, and the information services department. Yeah, go ahead.
Bill Willis: s working a double shift and
Right. Typically today, you give that nurse everything for both of them,
Drex DeFord: right?
Bill Willis: That's not the way it should be, right? You have these conditional policies that say when they're over here, they're doing this, and you give them that, instead of just saying, you know, it's not black and white, right?
Drex DeFord: Yeah. Yeah.
Bill Willis: And so there is one thing that's fascinating. When you get all the right people in the room, the level of camaraderie and willingness to participate to make it a better and a safer place. They all get it and they wanna help, but they just don't know how.
Drex DeFord: Yeah.
Bill Willis: Right. And that, I guess that's my job, is to show them the how part and, you know, just kind of drive the bus that way.
So
at's your problem as opposed
Bill Willis: out. Yeah. We break down all that stuff and it's like, okay, if we look at it together holistically, you know, and again, we talked a little bit about, you know, perimeters and boundaries and all that kind of thing.
If you look at it like the hospital has a problem, then it is everybody's problem. And so there's certainly a willingness. The other thing, Drex, that we find is fascinating is that if we're able to find one of the tactical things when we do a fireside chat and say we're gonna fix that.
Once there is a success and they bring it to leadership and say, we have successfully solved this problem that's been there a really long time, there has never been a leader that says, no, stop, I don't want you to do any more. They're like, cool, finally, let's continue down this and continue that momentum, to continue to create and solve these problems and get to an operational state.
Not one leader has ever said, once there was a success, no, I don't want another one. Like, no. Yeah, you do.
Drex DeFord: Do you find
How do folks continue to kind of improve the process after?
Bill Willis: Yeah, so when we, and specifically in identity, we try and look at all three phases. We try and look at access management, lifecycle management and governance, and privilege. Right. All three of those together in harmony, in unison.
If you look at them together as one collective, you can answer a handful of questions, and then you can rinse and repeat that same, exactly. You can do it by category in the hospital, you can do it by application stack, you can do it by classification in your CMDB. It's like, this is critical, business critical.
u? What do I have access to?
'Cause then you're just having one conversation with the application owner, the business owner, and if it's an internal one, whoever wrote it, to get all of those things collectively. The problem that most people have is they look at, all right, I'm gonna do single sign-on first, and I'm gonna onboard all the lifecycle management stuff, and then if I ever get to it, I'll do the privilege. Uh-huh.
And it's like, it's not that. Yeah,
Drex DeFord: I'd say it's an everything's-connected-to-everything-else problem. I've heard folks say this too. We were talking about perimeter at the beginning, that there's now no perimeter as we've known it in the past, but I've heard folks say identity is the new perimeter.
Is that, does that ring a bell with you? Does that kind of make sense? Given everything we've talked about?
hould, what can I get access
Bill Willis: That's what an attacker can't do. An attacker can't, you know, affix themselves to the device, right? That's what mobile device management, MDM, is intended to do, is protect the endpoints, but it's never been thought, philosophically, that the endpoint is only half of the equation, to be able to bind those two things together.
Drex DeFord: Yeah.
Bill Willis: When you do that, again, passwords have gone away, you can shut down the help desk, bring money back to the leadership of the hospital. Nobody says no to getting more money back. I haven't seen one person say no to that.
Drex DeFord: There's other things you can think about there too, like not just what device, but now you get into behavioral kinds of things too.
t access. But also just the,
Yeah. Is that normal or weird? Yeah.
Bill Willis: Yeah. So the analogy we always use is why is the person logging in from Cabo at two in the morning with a margarita in their hand to log into the accounting system? I don't think so. I don't think so.
Drex DeFord: Hey, I really appreciate you coming on and talking about this.
It's a really interesting, really complicated issue that I think you are doing a great job kind of simplifying and helping people understand. And you get the right people in the room, you get the right whiteboard markers, the right whiteboard and the right markers and the right people in the room, yeah, you can kind of map it out.
Bill Willis: Drex, I always look forward to having our conversations, and thanks for having me on today. Appreciate
Drex DeFord: Thank you.