This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.
Welcome to this Week in Health It Where we amplify great thinking to Propel Healthcare Forward. My name is Bill Russell Healthcare, CIO, coach and creator of this week in Health. It a set of podcast videos and collaboration events dedicated to developing the next generation. Of health leaders. This episode and every episode since we started the Covid to 19 series has been sponsored by Sirius Healthcare.
Now we're exiting that series, but Sirius has stepped up to be a weekly sponsor of the show through the end of the year. Special thanks to Sirius for supporting the show's efforts during the crisis and beyond. CliffNotes is live and it is available. Uh, if you can't listen to every show, but you wanna know what was on the show, you can sign up for CliffNotes.
You get a one paragraph summary, key moments in bullet point format with timestamps and one to four video clips from the show. Great way to stay current yourself, share insights with your team. Just get the email, shoot it over to them. It's a great way also for you to maintain your commitment to developing your team during these extraordinary times.
Sign up at any episode page or on the website, or send a note to CliffNotes, C-I-P-N-O-T-E-S at this weekend, health it.com, and it will kick off an automated workflow that'll get you an email that you can sign up. So our mission at this week in health, it is twofold. To amplify great thinking, to propel healthcare forward and to develop the next generation of health IT leaders.
For the first 180 episodes, we did the show with no outside financial support, and that changed in the fall of last year. Uh, we made a conscious decision to find sponsors who shared our vision sponsors who would help fund our growth and the development of the show with new offerings and content. Uh, we have a great group of founding channel sponsors and we have since opened it up.
To individual show sponsors. This is where we go in depth with a company or a solution and we ask questions as if I were sitting across the table from them as the CIO vetting their solution. We only do these shows with organizations that I feel comfortable with once we've, we've done an initial interview with them.
Uh, I have turned down, uh, a couple following the initial conversation. Uh, the ones that we do, the ones that I bring you are organizations or solutions that I believe will be worth your time to explore. Today's show is with RSA, a security firm that is part of, uh, a Dell's group's group of companies. Uh, we're gonna, we're gonna explore how organizations are securing the perimeter as the perimeter really changes pretty dramatically over the last couple of months.
Here's our show. Our workforce is in flu. Covid really moved a lot of our people around and, but that really wasn't the start of it. The workforce be made up working has given. And, and really specialists for hire. Uh, we also have business associates that help to, uh, get the work done and ex really extend our risk factors even further.
Healthcare is pushing beyond the four walls for delivery, and that creates even more complexities. The question we want to explore today is how do we manage the risk? This new and emerging dynamic workforce. And so today we have Tim Norris, RSA solutions strategist, uh, here to join us. Tim, how's it going?
Uh, it's great. Thanks for having me. So you're working outta the house? You probably worked outta the house before I would assume. Yeah. You know, I would spend a couple days a week at home, but certainly life is different with a 10 month old and a three and a half year old running around while I try to work.
So yeah. Wow. So what's, what, what's that like during Covid? I assume you've spent a lot of time with the kids. Yeah. You know, with two working parents, it's a lot of juggling. You know, I have a meeting here, you have a meeting there, where could I take the kids? I gotta record a podcast. Can you get 'em outta the house?
Kind of thing. So . So yeah, it's, it's, it's been fun. It's interesting to be able to be home and spend kind of that time, especially with a baby. But yeah, certainly presents challenges. Well, congratulations and, and that's fantastic. By the way, we, we've had kids on the podcast. We've had dogs on the podcast.
We've had workers come by behind windows during the podcast. . We, we, I think we've had just about everything I could think of. So, well forewarning, I think the UPS guy is just pulling up and my dog staring out the window in front of me. So , we might get from a.
You have a collage of great pictures behind you from, uh, it, it, it looks, it looks more artistic than family vacation. So any, any story behind that? Well, you know, I like to fancy myself an amateur photo photographer. Um. I think Photoshop,
but yeah, no, these are just some photos taken on our trips. saf, Kenya, or you know, across.
Wow. Yeah. And they, and it's not your typical, the two of you standing in front of something. That's the reason I commented on the, you know, the black and whites and those kind of things. But I assume if I have you on the show in three years, I'm gonna see pictures of you and the kids in front of those same places.
For sure. Now, throughout the rest of the house, there's the pictures of us. My, my wife and I both are in security spaces and this space is our front window, so we're like no pictures of kids and family. We don't people seeing, so yeah, we're a little, maybe security paranoid, I guess. I, I remember when, uh, we had a, we had a firm come in and they did a, a social media analysis of all of our executives, and they actually came back to us and said, Hey, you guys, you guys share too much?
And they pro produced a pro, uh, uh, a document for each one of us telling us how we should, uh, really call the information that we were putting out on social media and, and even some of the connections that we should take away. Like we were connected to other family members and they're like, look, hey, that could be utilized.
As a, uh, a way for people to take advantage, not necessarily of you as an executive for the health system, but they could take advantage of your nephews and your whatever to, to get in. I, I had never even thought of that. That's a, that's, that's like second level thinking in terms of security, I guess. Yeah.
Yeah. So, all right, let's, let's jump into this topic. Let's, I'm gonna start with a generic question. Talk a little bit about the risks that, that an organization or, or really that your organization's seeing out there in the market today with, with regard to this, this, uh, changing workforce and, and the dynamics around it.
Yeah. So I mean, I think from a security and IT perspective, there's really three major risks that, that we're seeing. I think, I mean, obvious is the cyber threat surface has really traumatically grown. The bad guys, you know, know how to cash in on a good pandemic, right? And so we're, we're very aware of the targets and sort of the expanded surface.
Everyone works from home technologies.
Where we've literally put people, you know, entire, almost organizations, um, in a remote posture almost overnight. You know, security is now trying to catch up on a lot of those cases. So there's certainly more vulnerabilities, um, across our environments. And then I think you look at things like phishing, that's nothing new.
Um, but the context and how the bad actors are using that to lower in unsuspecting users and fact spoofing and leveraging a lot of our wellknown healthcare brands and government entities. Credential information or, or inject malware? Um, I think it's interesting that, you know, I read Google reports. So in January they count somewhere around 149,000 active phishing sites.
Um, but by May there was 840,000. And largely those were focused on covid based premises, so PPE and those kind of things. So a lot of, um, activity in trying to steal and inject, steal credentials and inject malware. And as a result, we've seen definitely a large increase in ransomware. Ransomware is really no nothing new from a healthcare perspective.
We're seeing across all facets of the industry. You see headlines as early, you know, as late around, uh, hacking. There's a wide array of, of sort of direct impacts from a a pandemic perspective. Related, I think is also, you know, we talk about the remote workforce. That certainly has increased our security risk.
Um, I, you know, I think it was yesterday or the day before I was reading a study, um, that looked at the difference of cybersecurity difference between a corporate network and a home network and home networks. You know, they found, they, they were able to measure roughly about three and a half times more likely to have at least one form of malware on.
So you think about that in your entire workforce is at home and using their own wifi routers at various states of password 1, 2, 3 as their password or maybe no passwords at all. You know, certainly expands, uh, the opportunity for the bad guys. Uh, the third area I, I think is a direct result of, of Covid and how we're adapting is the.
Adoption of technology, you can just help, you know, telehealth as an example. Telehealth wasn't new, but the, you know, massive expansion almost overnight. To be able to provide services to patients vitally important. But, you know, navigating the security vulnerabilities and trying to understand, you know, the various platforms and also, you know, data security and data privacy issues has been a challenge.
And so we're seeing organizations start to address those. I mean, you give us three areas. So yeah, we, we, at the peak of, uh, COVID, if there was a, well, at the peak during New York City's peak, uh, uh, of Covid, we had a, uh, conversation and we were talking about how all, uh, all the attacks, all the, the phishing attacks had really coalesced around healthcare.
And it was really one of the first times in history that everything had coalesced around one topic across the entire internet. Uh, pretty crazy. In fact, my wife and I were talking last night about it. What, what's happening now is, is phone calls. Very sophisticated phone calls to people essentially saying, Hey, look, we're doing contact tracing, and you're one of the people that has been in, in contact with somebody who has had a covid 19.
So we are calling to get your test scheduled for, uh, COVID. So what we need is we need some information, we need a credit card, we need whatever. And it all sounds very official, very creative. In fact, my wife was commenting, it's like if these people would turn their. Energies towards good, the world would be so much better.
These are really creative from a technology perspective, from a psychology perspective, sociology perspective. I mean, these are smart people who are, who are creating these pretty sophisticated attacks to just prey on people. Absolutely. Even you look at, I, I've been a, not a victim, but I've had a couple come across my cell phone, just text messages.
They look official from, you know, doctor, Hey, you've been this, hit whatever, hit the lane, hit something to reply. All knowing that there's malicious stuff behind it, but it just looks, it looks real. It's, they've gotten really sophisticated. So I'm gonna dive into some, some healthcare, some health IT related topics in a second here.
But I, I wanna start, 'cause you, you talked about the work from home and the network at home. So whose responsibility is it to shore that up, do you think? I mean, if, if I'm the CIO for the health system, am I giving that work to my network team? Am I giving it to my security team? Am I giving it to maybe even to my VDI team?
Who am I giving it to, to say, Hey look, we, we need to. Are we sending people out to run scans on people's home networks? Their are. Yeah, so I mean, I think it's a little bit of all of the above, right? I mean, as far as who do I give that to, it's kind of everyone's responsibility and, and honestly we have to do a, a sort of a much better job at educating our own employee base.
'cause you know, if you're a large healthcare organization with a hundred thousand employee, like you're not sending someone out to, so I think there's an education and awareness piece with sort of very specific. Given the wide variety of sort of technical savviness of, of our employee base and users, that that's important.
I also think of it, it sort of goes to a topic of, you hear a little bit about identity being the perimeter or whatever, and, and I think there's a lot of credence to that because, you know, as we're accessing applications, whether it's directly to the
who. Who those users are, users, if they're entitled to, to use that, um, application and what they can do. And also sort of what are they doing with the data, sort of puts the, the onus right at the access point and how do we make sure we're really protecting that data so that that's, you know, that answer.
And I do think it's an all of the above kinda strategy and awareness is gonna, is a critical component, you know, working for.
A couple times a week, you know, there's a, Hey, did you do this? Or, Hey, did you think about that? Do you have a, you know, have you changed your password on this? And that's just sort of that constant drip of things to help bring that awareness to a, you know, there's two 25,000 Dell employees, um, that, that, that are working on that.
Yeah. Uh, so identity is the new perimeter. And I, I wanna come back to that and I really wanna talk about. Identity and access management projects. I just wanna hang at this, this home network thing real, real quick here. 'cause it's, it's interesting to me because I think that's a new thing that, that all these CIOs are sort of looking at.
And when you look at, you know, the cost of maybe putting something at the home and if we're telling people, Hey, we want you to work out of the home. At this point and, and moving forward, you know, does it make sense to, to buy that, you know, $300 device that now be, that sits at the home network that has, you know, security and malware protection and all that stuff that you're updating, just like you would update the, the computer and.
And the security functions on the computer. I mean, do you think that organizations will start to make investments around that? Because the other thing about my home network is I'm not the only one on the network. Yep. Right. So it's me and my kids and my wife and, and, and just a ton of devices. And so even if I'm being safe on this computer in this place, you know, my daughter's in the next room, I, who knows what she's doing on her computer.
Yeah, I, I think that's, you're absolutely right. The, even look at like devices where people with the BYOD type of environment, you know, in some cases, like the home computer is also just being shared. So it's not just the, the work computer you have, it's the computer that the kids are doing their homework on and everything else.
So, yeah, that's.
Personally, I, I, I do think you'll see a little bit of a shift as we focus on, on work from home in how do we get more control over those devices. I think identity, I think there's scanning and sort of endpoint, um, detection becomes a lot more, more important as we focus on sort of that detection response at the end point, because, you know, we're not gonna be able to touch every device that's touching on that network.
My 15 Alexas I have around the house, like, you know, that's. We're get to that point. So it's being able to detect those threats at that
identity.
I guess I gotta think about that maybe, maybe five or six years ago, and maybe I was late to the game. But it, it, it sounds like one of those phrases that should mean a lot more to me than it does. What does this mean to me and how does it play, play out in healthcare it? Yeah. So I mean, I think when you look at how decentralized our work lives are today, you know, no longer does everything sit behind a nice and tidy little firewall, um, that keeps all the bad guys out work.
Accessing information all over the place. Private clouds, public clouds, you know, maybe behind the VPN or direct to third parties in the SaaS application kind of world. So there's this single entry point. And you also think about, you know, just the data exchange and data sharing, especially in healthcare.
We think of cures, act and, and sort of the requirements that are coming in there. Datas crossing a. When you look at who's accessing that data, it, it's really kind of the, the front gate that kind of, I don't wanna say replaces the firewall because it certainly doesn't, but becomes almost as important or more important, uh, to be able to protect, uh, based on who's accessing.
Are they le legit? Is it really who they say they are? Are they supposed to have access? And then. Ultimately, what are they doing with that data once they get in, once we're looking inside the session and correlating those things together? Um, so I, it's across the, the wide environments that, that we have and the many environments we have.
And I think, you know, identity is really the, the critical factor there. And you see that I think played out, like you said, over the past few years, um, becoming much more. More important where things like multifactor authentication aren't just for the CEO and a couple of, you know, people who maybe sit in finance in some other places, you know, company-wide type of environments.
I think specifically for healthcare, it plays out in a couple of ways, you know? Access to electronic health records or even telehealth physicians, you know, doing, uh, work at home or wherever they may be. Certainly opens up more opportunities from a, a, how to service our, our patients, but also making sure we have really clean ways of determining who's actually accessing that.
Both from a compliance, but really from thinking of it more from a security standpoint. In, in, again, my, just my opinion, healthcare, but maybe even some other, definitely some other organizations and, and, and industries. You know, identity controls have really been driven out of a compliance, a need for compliance because that's required.
And not necessarily, it's like, yeah, password's good enough, but now, you know, as identity is the. The front line of, of defense, it, it has to sort of change in culture and how we manage and, and orchestrate identity governance, lifecycle management, authentication throughout sort of the various facets of an organization, right?
Just sharing a password or having password 1, 2, 3, be for an entire, you know, operating wing to to access anything.
But I also think it means from a security and IT perspective, we have to, as a vendor even, we have to make it as easy and as frictionless as possible, gain.
You know what I, it's security's getting much more granular, right? So it's, and it, it works off the identity. I think, you know, one of the things, I remember having a conversation with somebody and it was about, you know, we had, uh, blocking of certain sites at our, uh, health system. You know, normal software, it looked at different, uh, websites and to block those websites.
Now obviously you have to be more liberal at a health system 'cause you're doing research, you're doing some of those things. But at the end of the day, somebody was like, why are we blocking anything and, you know, why do you even care what I'm doing? And what it led to was a conversation that just opened that person's eyes where they're like, I'm like, we know everything that's going on on this network.
Like, we know, we know what folders you're in. We know what, uh, things you access. We know what email you open. We know what email you send. And I, I think some employees still today are under the impression that, you know, what I do on my computer is really my own business. But the reality is we. Have to, we are almost required.
We are required to in healthcare and we're required to in other industries to know what's going on on in our network in order to protect the assets that are on our network because a lot of the attacks are really exfiltration attacks that happen as a result of our employees. So we are watching that stuff on an ongoing basis.
Do you find employees still struggle with that concept or, or is everyone really starting to. So it grips with the fact that that is the case, that we are, we're required to, and we are watching just about everything that's going on on the network. Yeah, I think that's a good question. So I'll give you my personal opinion, uh, on that.
I think it, it's a mixed bag. I think it, it's also, and I hate to say it, but maybe a generational kind of issue as well. I. Younger, the millennial generation that's, you know, in the, the workforce I think has a lot less expectation of privacy, uh, in sort of a work environment and kind of understand that, that fact.
But maybe some of your, um, older workers have more of that. You know, they haven't lived in a world where they've put all their information out on the internet and kind of. I've given up a lot of privacy. So I think, I think there, there's a mixed bag of what that, that expectation is. I think it's really important for the organization, healthcare or whoever to be crystal clear, uh, and transparent with their employees about that.
And in most cases, in every handbook and everything you see, it's there. But, um, I. It's part of digital. Are you saying people aren't reading their handbook? . I mean, I might be guilty of that too. End the millennial generation. I can kinda say that. Yeah. Expect every. I guess I'm a little more exposed to it, but I, every key stroke I take and mouse click.
I do. I expect somebody's watching it. Alright. You're gonna have to help me. One of the worst projects I ran as ACIO was our identity and access management project. It was, it was an area that I thought, oh this, you know, this seems easy enough. You know, you need to make sure that as people come into the company or leave the company.
You are assigning them the correct rights. You need to make sure that you know none of the rights, you know, grow over time beyond what they should. Uh, you need to automate as much as possible. We.
To our service desk around identity access management. We were also, quite frankly, we were way behind. It was taking us, when, when I first heard this, I was horrified. You know, it was taking us almost two weeks to stand up a new employee. And I'm like, how can this be in today's day and age? So we, we did, we did what everybody else did.
You know, we went out, we, you know, what was available in the market. We talked to other health systems and.
Some of the things I may have overlooked. I mean, we can get into some of those things, but you know, I guess my question is, you know, there's, there's so much of this that we, that I think health it and myself included, that I thought, well, if we just get the right technology, this is one of those areas where I fell into the strap.
We just get the right technology in place, we're gonna be good. But there's an awful lot more to it than just throwing technology at this solution. Isn't there? Uh, yeah, absolutely. I, I would say if I had a nickel for every time I heard that the IM project was, you know, a pain in the, you know what, like, I, I, I'd be a rich man, but I, I think it, for me, it boils down to really two things when we talk about the IAM project and, and to your point, it's technology and people.
And even in the technology, I think it's about the approach. So many times have I seen organizations approach identity governance or I am as really just a provisioning problem, right? Coming at it from the help desk, um, hey, we got all these bajillions of requests and it's overwhelming and how do we solve it?
And certainly that is absolutely important and part of the, you know, the drive and the of identity. Most organizations, a organizations I've seen kind of get stuck because don't set up the right governance. Processes and governance program before they start automating all of these provisioning and de provisioning components.
And so what that really leads to is, yay, we've automated a bunch of stuff, but it's still bad stuff and I don't have visibility into it and I can't tell if it's really appropriate levels of access, uh, for a user. You know, are there access violations or.
It becomes even more complicated 'cause we've just made it easier and faster to put more stuff. Alright, so Tim, help me. Help me fix this, right? So yeah, I didn't set up governance correctly. Do I have to set up another, do you know how many governance organizations, parts that we are a part of in healthcare?
Do I have to stand up its own governance organization? Can this be. A part, another governance organization's, uh, purview. Does it, is it just it or is it, is it other parts of the organization? What are we looking at? Yeah, so I, so I think there's a, there's a technology piece and then there's, uh, the, the people side of that one.
So yeah, a lot of these tools provide a governance platform. The ability to kind of, once you establish the, the right rules, which I think your risk organization and your it, which these. Rules and, and policies established. Um, it can be applied in the technology. So, so I think that's it. Kind of the easy part is that it's not like a whole standing up of a brand new team and all this kinds of stuff.
You know, within some governance you can just the right policies and being able to then have visibility. The tool to be able to, to look at those policies. So example, you know, if I have visibility to every entitlement in my org organization, even if it's just my most critical applications, that's, that's the first step, right?
And being able to see that and then I can start to look at are there people who have, you know, elevated or privileged access and be able to sort and slice and dice to start to apply the right remediation. So I. Overwhelming, and I think you can take it step by step, but you know, getting everything in one place as a, as a visibility factor is, is first in mind and then you can start applying the right policies.
And then once you've got that kind of there, then automation is almost easier and it, you're automating things that are gonna be more in line with, with where you want from a. All right. So, you know, excess rights, uh, was a recurring problem as well. So, you know, for the most part what we want to do is be able to set and forget, but people move jobs, they take on new responsibilities, they leave old ones.
What's the best way to ensure that we keep people at the right, uh, level of rights across the entire enterprise? Yeah, it's a big challenge for everyone and I think too many times a lot of focus is on giving people access, but not enough focus on how to, you know, taking it away when, when it's appropriate to do so.
I, I can't tell you the number of conversations with organizations I've had where when we've done like an initial scan of, of identity is maybe part of a, you know, point. We'll see that there's so many of these employees that have left and have still have access to things even in the system, and it's just amazing.
We're not connecting the dots. Um, both from an HR perspective, but also not doing a good job at enabling those business users and business owners to really take ownership and certify. The, the access there. You know, we typically do these access certification rituals, you know, again, driven primarily by compliance and it's so overwhelming for the business user, you know, dumping a big spreadsheet of a bunch of data in and saying, Hey, I need you by Monday to tell me who, which access I should take away.
It's just not. Not reasonable for, for these business users to take in and put the level of, of time into it. So I think from a, how do we kind of solve this problem or start to evolve, I think it's good partnerships between your HR and, and IT identity types of teams to be able to, to have a free flow of that information.
So it's, it is more seamless as people say, leave the organization. Um, but also as you know, people are. Doing new projects, need new access, putting more onus on the business owner, but making it easy to prioritize access review. So Tim, who, you know, sits in a solutions kind of role, why is he accessing financial information?
Maybe I needed that for a project, but being able to highlight that on a very sort of continuous basis to my, you know, my manager or whatever, to be able to say, yep, that's still good. Is important without dumping a spreadsheet of a thousand records of, you know, Tim's entitlements and saying, Hey, tell me what he needs.
Uh, which I, you still find in, in a lot of organizations, we're still, you know, pumping data in spreadsheets and asking people to, to do stuff. It just isn't reasonable. You know, maybe this is, this is experience from a while ago because I haven't been ACIO for about three years now, but the, one of the things is we had to do, uh, an audit for licensing.
We did sort of an active directory dump and, and took a look at just the number of active directory accounts and it was way more than the number of employees we had. And as we sort of went through that, we have a ton of business associates who are access accessing that and, and, uh, also. Contractors are accessing our active directory, get access to different resources throughout.
Are there best practices around, uh, third party access of the healthcare systems? Yeah, I think first and foremost, aligning sort of your third party identity risk as a part of your overall third party risk management program is, is maybe a, a novel idea. Um, but it's critically important, especially we think of identity as kind of that primary component of a security security program.
And then I think being able to, I mean, simply say it, treat it. Access as it is your own employees, right? Someone has to own that. Someone owns that contract relationship. Somebody should be certifying that, yep, that's the right person, and that they really should have access to those types of materials.
And being able to look for any kind of anomalous activity that's happening in the third party, especially being able to flag those. In a way within your identity governance platform is, is I think, critical component to give it a little extra special care on the other side, I think from when they actually, the point of accessing things, applying more of a risk-based authentication, um, solution.
So you're not just looking at kind of a rigid on or off, you know, do I have this code or not? But you're looking at behaviors and sort of less static type of. Signals and look more dynamically so that you can, again, these people aren't sitting in your building, they're sitting wherever and they're, you know, your contractors or, or third party providers that you know, you wanna pay a little more extra, um, attention to.
So I think looking at a risk-based approach, I think, you know, treating them as if they're your own employee and, and. We've talked a little bit about, but really streamlining that business user experience so they can actually manage what identity and what access has been granted, um, in a more efficient way.
Are are sort of the two of the, so you're, you're distributing the, the visibility into access out to the business owners. What, what, I mean are, have the tools progressed? Are we seeing like real time visibility into those connections or? Uh, retrospective of this is what's been accessed and this is what they have the ability to access.
Yeah. So I think the tools definitely have, have, have come a long way, right? You're seeing a lot of use of sort of risk engines and analytics models that are automating some of the anomaly detection, um, for either the business user or even the, the administrator on the identity or it side. To be able to detect things, detect and identify things that don't look quite right and be able to flag them before, you know, before something happens.
And looking at it based on a, a business risk. Uh, you know, if it's bad access to the, well, this isn't as relevant now 'cause we're all at home, but the, um, intranet and the food menu and.
But you know, the employee health record system right is, is a whole different, so there's a lot of, I think, advancement and.
Components on the force enforcement side. So the actual authentication, I, I know one of the areas that, that we've spent a, a fair amount of time in looking at is combining, you know, bringing identity into the soc. And so looking at threat intelligence, threat detection and response platforms, and being able to combine that with identity, intelligence and identity risk as we see you.
Security threat come in, how do we help use identity as an enforcement tool and sort of linking the tool in a very automated way and, and really kind of in that real time capacity. So I, I, I really think you're seeing a lot of advancement in that space. That's fantastic. You know, I, I read a, an article once and it pointed out that most breaches in healthcare originally really internally, but now majority of them are user error, right.
So. Some configuration issue, some aspect of something, and it's caused by us user error. But the exfiltration number to me was kind of surprising. Um, the number of our employees that are actually, for whatever reason. Acting in a, in a way that is counter to the interest of the, uh, organization. Uh, what kind of tools or practices have we utilized to address, uh, you know, that specific, the exfiltration of data from a perceived good actor within our network.
Yeah. Yeah, that's a great question. And I think of the, the insider threats. You know, a lot of times when we talk about it, it automatically, people go, oh, it's a Snowden. He is the guy trying to steal stuff. And like you said, in most cases, it's the careless coworker who's unintentionally doing something, who's misusing a resource, who, I mean clicking a link in a phishing email, right?
Who's.
Oh, you mean I can't share stuff on that? , you know, on Dropbox was my favorite. Back, back in the day was not secured. And, and they're just like, oh yeah, I'm sharing stuff with that doctor through Dropbox. I'd be like, whoa. Yeah. And they're like, what do you mean it's real easy? You just sign up for Dropbox, you take it from our, from our secure network store and we just move it out to Dropbox and the, the physician has access can't to our network.
Yeah, no, I, and so I think looking at sort of all of the share files and sort of the unstructured data, there are definitely tools, even from an identity standpoint, to understand who has access to those types of file shares and, and, you know, different things, whether it be a Dropbox now or other kinds of stuff.
I, I think those are, those are some important tools, obviously some data loss, DLP type of, of solutions.
To.
Awareness and the training, um, that has to happen and it has to happen across the wide, um, swath of, of employees that we have and to, to let them, uh, try to make it real and make them understand why, uh, that's not a good idea and why maybe they should ask a question before they just open up a Dropbox account and, and do, because ultimately they have the best intentions.
They're not trying to do.
We have to do a better job at bite sizing, making that training more impactful than just, here's your 20 minute security awareness training and you know, video that you watched and click the button that certify you said it. The other piece I think is also goes back to a little bit of an access management standpoint of really making sure you're adhering to that least privileged type of.
Can't do things with very sensitive data that they shouldn't, such as throw it on a, you know, whatever kind of share that they wanna do. Yeah. Well, Tim, thanks for your time. We're gonna put a white paper up on the website, uh, that people can download if they want some more information. Are, are there any other ways that people can get more information or on the, some of the things we talked about today?
Yeah, absolutely. So I would say, first of all, go to the website, rsa.com. I would say check out our webinar section. There's a couple of, um, recent webinars around disruptions in healthcare that you might find interesting that span beyond sort of the identity conversation we had. So I would say check that out.
And there's a lot of great content. Specifically talk to healthcare it across the RSA. So I'm, you know, I'm gonna give you the last word and it's essentially, I'm gonna, I'm gonna get a do over, I'm gonna get hired tomorrow as ACIO, hypothetically, and I, I messed up our last IAM project and I, I approached it all wrong.
How should I approach it? I, that's, I want, I wanna give you the last word to sort of set me up for success moving forward. Yeah. So I think the first thing you need to look at is being able to have that, that full visibility. First, right across all of your assets, um, all of your applications, all of your environments, and who's doing what, who has access with what?
I think that's without that visibility at sort of a fine level, I think a lot of this just becomes an automation IT program and it sort of defeats some of the purpose of, of managing a.
Finding ways to help get identity more, uh, ingrained in the soc, um, as identity is kind of that, that frontline defense from, from the attack standpoint. Being able to connect the dots there, I think is an important piece in an evolution that that many organizations as they mature, um, are starting to bring in.
Fantastic, Tim. A again, thanks for your time. I, it's, uh, fantastic. I, I look forward to, you know, seeing the, the family pictures at some point in the, I guess I won't because you're a security guy, , I'll never see the family pictures behind you on a, uh, video podcast. Uh, maybe if I sit in a different room by then well, we'll sit in the, in the family room where there's lots of babies and yeah.
Kids everywhere. Fantastic. Hey, thanks again for your time. I really appreciate it. All right, thank you. I appreciate it. Thanks for having me. That's all for this week. If you want more information about RSA or any of the, uh, solutions we talked about, uh, feel free to hit the website or you can shoot me a note at Bill at this week in health it.com.
Special thanks to our channel sponsors, VMware Starbridge Advisors, Galen Healthcare Health lyrics, Sirius Healthcare Pro Talent Advisors, and HealthNEXT for choosing to invest in developing the next generation of health leaders. Uh, if you may, if this far, you're a fan of the show, please do me a favor and send an email to one other person.
And let them know that you're benefiting from the show and, uh, that you think it would be valuable for them to spend their time with us as well. Uh, you could do that or sign up for clip notes and just shoot them clip notes on the shows you think are valuable to them. We'll do our best to honor your support by producing great content with industry leaders to propel healthcare forward.
Uh, please check back on Tuesday for News Wednesday for solutions and Friday for interviews with industry influencers. Thanks for listening. That's.