This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Thanks for joining us. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Welcome to our device security briefing. This is such a gnarly problem for healthcare leaders, and I'm excited to get into this topic today.
We're joined today by Samuel Hill, director for healthcare for Medigate by Claroty. This podcast series is gonna culminate in an excellent webinar on September 8th at one o'clock Eastern time. We're gonna have two experts from leading healthcare systems. We're gonna have Intermountain and Children's of LA. Eric Decker is gonna join us, and Andrew Sutherland.
And they're gonna talk about the challenges and solutions to unmanaged devices in healthcare. For more information, just check out the description box below and the registration link. You could also just go to our website, thisweekhealth.com. In the upper right hand corner, we will have a link to this upcoming webinar.
Love to have you join us. We wanna thank Medigate for giving us some time with Samuel today and for making this content possible. Now onto the show.
All right. Today, we're joined by Samuel Hill, director for healthcare for Medigate by Claroty. Before working in technology, he spent seven years as an emergency room tech for two different health systems and lived through EHR transitions. We keep mentioning that at the beginning of these shows; that's sort of a badge of honor, I guess.
I mean, one of 'em was to Epic and one of 'em was to Meditech, and I'll let the audience guess which one went better.
I'm not gonna touch that.
No need to touch it. It's audience choice at this point.
Audience choice. Let's see, Samuel's a husband of one, father of four, and lives on a rural island near Seattle, Washington. So Samuel, appreciate you coming on. We've been talking device security. We've been talking transparency as a foundation for zero trust.
And in our last conversation, we talked about holistic assessments and the value of holistic assessments, understanding what's actually going on not only on your network and your devices, but also with your team and your policies, your procedures, all that stuff. But today we're gonna touch a little bit of a gnarly subject, and that is M&A due diligence.
And I will take the credit for forcing you to have this conversation because I've talked to a lot of CIOs that struggle in this very space. You get to the point where it's time to do the M&A work and bring two organizations together. And there's moments in your life where you have to provide a full account. And M&A is like one of those times where you have to provide that full accounting. Right. And you come together with another organization and they say things like, Hey, what are your policies on your firewall? How do we connect up through your VPN? How do we, and one of those things is let's do an accounting of all the devices and everything that's going on.
And I think everybody in the world assumes that the CIO knows all this and can identify all the devices and knows what patch version and all that stuff they're on what the risk level is to the organization based on that. But that is not always the case.
No. I mean, every CIO I know typically goes to bed every night, reading their database of devices that are connected, just to make sure it's up to date.
I mean, that's typical behavior, right? Of course not. No. I mean, they got much bigger things that they're worried about. They got businesses to run and value to drive for the organization. So I think when it comes to M&A though, we're looking at it as, obviously there's a reason why M&A is happening and it's one of the hardest things in business to achieve.
It's the successful merger and acquisition. There's always challenge. There's always stress. It's a hard time. Like, we all know this, but what we could hope becomes a little bit easier is being able to assess and then assign some of the risk from the new organization. So if you're the, from the perspective of the acquiring organization and you're doing the assessment.
What do they have? What technology standards do they operate with? What best practices do they adhere to? And, but also what devices do they have in their environment? And that's really difficult to get a real fine point on. They might send you a list. Here's what we pulled out of our CMDB, or here's what our CMMS currently says.
And well, how accurate is that, really? And so what happens then is, Bill, six months later, you've connected all the systems and you're just surprised by so many different things that did not come up in the due diligence process.
Yeah. Typically when two organizations come together, they're at different maturity points, yeah, in the, in the cycle. And it's interesting to me how often you throw out the word CMDB, like I should trust what's in the CMDB. And my team would always say to me, it's like, be leery. I'm gonna give you this information, but be leery. They would much rather have like real time visibility into the entire network rather than rely on the CMDB.
Cuz it was not pulling from that real time and populated, at least back in the day. It wasn't doing that. And the other thing I will share here is we acquired medical practices. We acquired hospitals and whatnot. One of the breaches we had was literally two days after we acquired a medical practice.
And it's one of those that, you know, our practices prior to, I mean, that was back in the wild west days, 2012, 2013. Today I think we've gotten a lot more sophisticated because the attacks are just ever there. And I think about that and how do you get ahead of the risk that you've just assumed, and should that be a part of the due diligence to make sure that the organization knows the risk that you're taking on?
Hey, here's the, nobody talks about how many devices you're bringing in, right? You know, where they are on the life cycle. And are they able to be patched? Do we have FDA blocking? I mean, where are we at on those things?
Well, that's the trick, right? It's, you're bringing all these devices now and you're connecting them to a joint network of some kind, right? There's some type of connection between your networks, and these devices have vulnerabilities. They have risk. They're at different life stages. And so it's a data point that's much easier to acquire now than maybe it was 5, 6, 7 years ago.
And so I think it's something that should be a part of the best practice for M&A, is that full and robust accounting. Now, I mean, the best outcome would be that your CMDB, or whatever tool you're using to maintain a database, is kept up to date fairly dynamically as devices come on, as they go off, as they're retired, as they're brought on board, whatever that is. That would be the best.
So that way you can pull single reports and have a moment in time view of it that's pretty accurate. But short of that, especially in an M&A activity, it's fairly easy now to deploy accurate sensors to get all of the information about those sites and that system in general, so that you can have that information in your back pocket as you begin to put evaluation on the risk, or maybe not evaluation, but start assessing and assigning and beginning to plan how you'll manage that risk for those devices.
What kind of data do you think we should have for M&A to go?
Well, I mean, obviously there's a ton of data that you would want, but talking about devices specifically. Yeah. I would say you wanna know at least, within a pretty good confidence interval, total number of devices connected, what type of devices they are, what families they belong to, who makes them, what software versions they're running, what application versions, and then taking it to the real next step would be, what are the actively exploited vulnerabilities that would be applicable to this device list?
What are some of the known risks and things? Are any of these devices currently communicating with known malicious IP addresses, or other really nefarious behaviors inside their environment? And so having kind of that snapshot would give you a real good confidence. Okay. Yeah, we're gonna do this M&A, but I'm immediately quarantining that entire location until I can fix some of these issues, or whatever. Maybe it's in a better state than you thought it would be, and you can have a little bit of sleep at night.
Yeah. And the nice thing about having that information, I would assume, is not only from a security standpoint, but from an integration standpoint. Right, right. So that the teams are gonna come together at some point, and they're gonna start that work.
And it would be nice to know what the overlap is and those kind of things. And I'd also like to plan for, at the point of the actual event, there's actually some money floating around. Right. And there isn't necessarily money floating around later. And so there's an opportunity to say, look, we're acquiring this organization.
Here's the list. Here's what we're seeing. This actually presents a significant risk for us. Why don't we end-of-life this equipment, move stuff in that we utilize in our other hospitals, that's utilizing a similar platform and whatnot. And so there's opportunities at the point of M&A that you won't necessarily have six months after the event happens.
Yeah. The board's a little more willing to fund some of that work at that joint, that joint time versus a year later in your next capital plan. Yeah.
So gimme an idea. I mean, are we talking like, you just pop a tool in, click a button, and all of a sudden you have an inventory? I mean, cuz it used to be literally we used to send teams out and, yeah, they would walk the halls and see what was out there.
I mean, what are we looking at in terms of tools today? What does the process look like and how accurate are the tools?
With today's deployment methodologies, and we've seen this with customers of ours, where they put the tools out there and within days they're seeing a pretty complete, accurate view of their data. And so from an acquiring organization perspective, you would have a good confidence within about a week of deployment to be able to see really everything that's connecting and communicating on their network and understanding what that device actually is, which becomes then your foundation to make some decisions off of that data.
And again, obviously if it's a distributed clinic site, you deploy it a little differently than if it's one large hospital. There's questions and considerations there, but those can all be handled fairly quickly. And then you can start seeing your own data in short order.
So what does Medigate do in this area?
So we provide that collector and that analysis of all of that data traffic to understand every single device that's connected to the network, including reporting on the specific risks associated with each device, like their outdated firmware or certain vulnerabilities that are applicable, and that can help you then enforce your network strategies around how are we segmenting and architecting different parts of the network. So we would be that data collection source for you in the M&A strategy of deploying a Medigate sensor in that new environment and getting that read back. So you could have really strong data to make decisions off of.
Where can they go to get more information on that?
Well, medigate.io/demo would be a great place to go for that. And we're always happy to kind of work through some of the logistical challenges. You might be like, well, we can't buy it and that's fine. We'll get you the data and we'll figure all that stuff out afterwards. Cuz at the end of the day, it's about securing the devices that are in healthcare.
Fantastic, Samuel. As always, great to talk to you. Appreciate the time.
What a great discussion. I wanna thank our sponsor for today, Medigate by Claroty, for investing in our mission to develop the next generation of health leaders. Don't forget that this whole series culminates with a great webinar that we are going to have, and we have two great healthcare leaders who are gonna join us: Intermountain, Eric Decker; Children's of LA, Andrew Sutherland. And we are going to talk about the challenges and solutions to unmanaged devices in healthcare. You can check out the description box below for more information and the registration link. You can also go to our website, thisweekhealth.com, and look for a link to it in the top right hand corner of the page.
Love to have you join us again, September 8th at one o'clock Eastern time. Thanks for listening. That's all for now.