This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
This episode is brought to you by Intraprise Health. Make cybersecurity a priority, not a headache. Cyberattacks put patients at risk and cost healthcare organizations millions.
But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable, and they feel little control over the safety of their patients, reputations, or bottom line. Intraprise Health brings together cybersecurity experts with over 100 years combined experience to offer a comprehensive suite of innovative software and services.
It helps leaders finally unlock a unified, human-centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives. Visit thisweekhealth.com slash Intraprise dash health to find out more. Today on Unhack the News.
Cyber resilience means you have the third door window closed in case the hurricane comes by your house, right?
Hi, I'm Drex DeFord, a recovering healthcare CIO and long time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non-technical show covering the latest and most important security news stories.
And now, this episode of Unhack the News.
Hey everyone. I'm glad you're here. This is Unhack the News and I'm with George Pappas from Intraprise, the CEO.
You're the big cheese.
Let's not get carried away, Drex. I'm the guy who has the team here and the board here. I'm the guy in the middle. Yeah, you are. Make everything happen and get our teams set up with the right tasks, the right level of capacity, the right reach. And make sure that our board members are happy as well.
And our clients are happy. Yeah. Having been in that seat at one point in my past, good luck to you. I would never want to do that again, I don't think, based on my experience, but I'm glad you're there. And I'm glad Intraprise is there. We've got some cool stuff coming up. So we're going to carry through some news stories today, pretty interesting. In the spirit of the never ending saga of negative effects of a cyber incident, and what those cyber incidents can have on business and community and patients. There's this story out of San Diego about a decision that a medical group there has made to separate from the health system following a security incident at the health system.
And there's a lot to this story and I know you've been looking into it. You want to unpack it a little bit and we can talk about the issues? Yeah,
As we were thinking about this episode, I looked into this, I first saw the headline. It really struck me as how sad it was. My initial reaction when I read the first article was that here were two organizations that merged with a third.
One was like from:
There's a lot of he said, she said in this story, right?
Yes, and that's the fallout, but the actual details of what was the hack, the gentleman who was responsible for Palomar, which is in effect the parent infrastructure provider, couldn't confirm or deny that PHI was exposed, okay, it's like October.
And this thing ostensibly happened in April or May. I actually read the words of the current president of Graybill who, after months of not being able to schedule their patients,
months of everything being, because you realize people operate on electronic systems.
Yeah, they do.
after they did this merger in:
Yeah.
It's gotta be pretty bad. I think this is the other thing that we see, that I shouldn't say that we see it. I think we see some of the consternation when a health system decides, through whatever mechanism, they're going to start to offer some of their information services capabilities to other group practices or other hospitals in the area.
And then they start to realize what a challenge it is to become a vendor in that environment because those other organizations really depend on you now. And you have to have SLAs and they depend on you for uptime because they can't do things like schedule patients or drop bills or do all the other things.
So it's a challenge and that's probably some of what we're seeing in all of this.
Yeah, that was it. And the other thing that I took note of as I was looking at that first article and digging in a little bit is that Palomar was the parent hospital entity, and they're already describing legal ramifications and all that.
So when you get to the "them's fightin' words" stage of something like this, you can imagine the people there when this was created, 45,000 patients from one group, a hundred and some odd thousand from another, they're not making these choices lightly.
That's the other tough part of this is that, again, it's affecting the business.
It's affecting the docs and the staff who are involved at both organizations. But ultimately all this comes down to patients and families. Yeah. And so 45,000 patients are going to have to make some kind of a decision about are they going right or are they going left.
And according to the article, that's happening in November.
They even had a couple of snippets where some of the patients were like, I want to save my doctor. Right now I can't go see him or her at the same place. It's a different location. They don't have new offices yet because this decision was just made. And the whole idea that the industry has been trying to move to is value-based care, continuity, care coordination.
And obviously this combination was envisioned with that at the height of the pandemic with telehealth off the charts. And they decided they just couldn't do it anymore. Yeah. Yeah. So yeah, it's tough. And it is. Do we know what kind of incident response plan they had? Do we know what their real protections were?
I've seen no information about any of that. I would hope that the physician group that decided to leave had enough transparency to have the trust in what was happening in the process and the attempts to recover, but we can't tell any of that. And so to me, the patients lose. Yeah. The physicians lose because they adjusted their lives when this group came together four years ago.
And it's one of these ripple effects of cyber incidents that if you're not prepared, and who knows what really your incident response was, and things lag, damage happens.
You got to think too that as they pull away and start to do their own thing, they got to be taking a lot of with them, right?
In an ideal world, how would we want this to work, right? I think, for a lot of the folks who listen to this show and read a lot of the stuff that we post on the news site, a lot of this is in that context. Here's potholes. Here's landmines.
Here's things that have happened. This is real world risk. These are the things that could happen to you and your group practice and your affiliates and your association. What's your ideal world look like? What's it worth to keep something like this from happening? That ultimately boils down to the risk conversation.
The reason I mentioned trust is we don't know what kind of incident response plan they had. We talked about doing drills last time. So were the people in the Graybill organization involved in the incident response plan? Did they have enough visibility to cybersecurity as a team sport and what that meant?
Because the more involvement you have, the more voice you have. You can at least accept the results, even if they're not what you want, and feel like you have a voice in them. So those are all big question marks. Neither of us have the information to judge or have an opinion, but I just look at the cost of this change and the pain of this change and realize whatever was happening,
there had to be some real breaches of collaboration in there. Yeah, that
trust, back to trust. There's no lack of trust. The transparency necessary when there's an event too. Just as we've seen, this has been the year of that, right? Of being able to see this is what no transparency looks like.
This is what, you know, painfully, just lay it out on the table, transparency looks like. And I think we've all figured out: be as transparent as you possibly can. There's going to be legal implications and all of that, but ultimately the more transparent you are, the more trust, I think, you continue to garner from those you're working with. Yeah.
And it gets back to, what used to be crisis management pre cyber Lollapalooza is now really cybersecurity crisis management, and the same principles of messaging and communication and collaboration and all that apply.
Cyber Lollapalooza.
Yeah. Is that what's been happening? The size of the wave is pretty big. I should call it a cyber tsunami. I think others have used that word. That one just popped in my head. Sorry. No, I like that one. We may have to, we got to see if that website's taken. That could be it.
The only reason it's not a good choice is that it almost connotes, like, a big kind of good thing, not a horrible thing. Oh, true. It's not a party.
That's right. It was about the volume. That's what really brought that word into my head.
Got it. There's another story. I've actually mentioned it in the two minute drill.
I really like, though, when we do these shows, because this came up as part of our pregame conversation. Yeah. And I talk about it in the two minute drill and you go, whoa, we got to talk more about this. There's way more to it than that. And so this story is about the NIST digital identity guidelines and the fact that there's some really interesting new recommendations in that guidance.
And yeah, let's talk about that. I know you've looked through it.
Yeah, I thought. I think the guidelines are fine. Obviously there's been a lot of, everybody's guidelines for a hundred online services in your Apple password manager, where the password manager that generates these hard to replace passwords isn't accepted by the online service.
So it's been this wild west. And so I think the guidelines fundamentally seem pretty sound. The thing that I found so interesting about it, this really dates back to my time at DrFirst there with our business and medication management, and this whole notion of levels of assurance that are required for controlled legend prescriptions.
And, we lived through that in:
From that level down, a common set of password guidelines, practices about this whole thing of knowledge based authentication, you shouldn't do it without some kind of identification or authentication and everything else, as well as the kind of automatic reset requirement.
And it just brought back to me memories of my time at DrFirst. And the reason I call it iSTOP as this one example is that New York state has something like a hundred thousand physicians, and among those hundred thousand there are a lot of individual practitioners in rural parts of the state, people in hospitals with a credentialing office. And so this notion of LOA2 and LOA3, it's been out there for a long time.
Imagine, for a state law that's saying you have to be authenticated and identity proofed. We have to know that you are who you say you are, and then authenticate it each time with the token. Getting a therapist in Lake George to go through an identity proofing process on a retail kind of level, compared to a credentialing office at Mount Sinai, and then connecting those dots to a hard token authentication, whether it's wireless or whatever.
To me, healthcare is already living in a much more tightly controlled world, especially for clinical access. But I also saw, and I've seen this the last couple of years, this blending of clinical constraint, and then you've got kind of office systems, growing hygiene with authenticator apps and companies like Okta and others out there.
And I think there's this convergence that's going to happen at some point. Because I can still remember going into a hospital of a client with a biometric scanner, like for their thumb, to get access to this. And we had lots of discussions about: is a soft token as good as a hard token for someone writing controlled substance prescriptions if they're not in the office? And so all these issues, I think about this NIST recommendation, I think they're trying to get to a better place, but for healthcare, we're bridging these two worlds of clinical systems access and not.
And I think there's a lot to be gained from taking the structure of what is clinical today, finding ways to leaven it throughout really the non-clinical infrastructure. Because once you get them authenticated and once you get them identity proofed, right? You should be able to reuse that identity in the most frictionless way possible for the patient or the end user, in this case the person who's a staff member.
Hey everyone, Drex DeFord here, and we have an exciting webinar on October 22nd at 1 p.m. Eastern. It's sponsored by CrowdStrike and AWS. We're diving into building a resilient healthcare system, cloud security strategies for today. With cloud breaches up 75 percent over the last year, healthcare systems can't afford to rely on outdated defenses.
So join us as industry experts share practical strategies to strengthen your cloud security posture and adopt zero trust and boost operational resilience. Don't miss it. Register now at thisweekhealth.com slash cloud security. That's thisweekhealth.com slash cloud dash security.
I think there's been a lot of lessons learned there. I'm also thinking about the, there were just things as you read through it, I think if you've been in our business for a while. Things that, just in the spirit of, we tie our anchors to things that just seem to be there and are always going to be there.
So that's the truth and that's what good looks like. So when NIST comes out and says things like, you shall not have composition rules imposed. So no capital letter, number, special character. Those are things that I feel like are so standard for us too. There's going to be like this cultural thing that we're going to have to untangle.
The resetting of the passwords every 90 days or something. Like we're going to have to figure out how we untangle ourselves from this. The other thing too, tell me what you think about this. I don't think they mean this in the context of if the only thing you have going is the password.
That's not what they mean. They mean it in the context of, and there's MFA and there's other things that are, right, it's in an ecosystem of identity checking when they say it's okay to stop doing these things with passwords.
And I even think back to our rollout at DrFirst and, at the time, Verizon was one of the credentialing service providers. And for someone who wasn't affiliated with an institution that had a credentialing office, they were doing, in effect, a retail form of identity proofing. They would, like, mail a letter to the physician's registered address in the NPI directory.
And so these processes were. And then ID.me came on the scene there, ended up being some issues with that. And the industry's been trying to find those solutions. And, to your point, we've had these sort of commonly accepted bedrock things that are changing, but there's been so much investment for clinical people accessing clinical systems already.
Yeah. Let's find a way to bring that together. If you have a Duo Authenticator on your phone, can you connect a soft token to it to be able to access controlled substance prescribing? I'm sure you can, right? I've been out of that game for a couple of years, so they'd have to have resolved that by now.
But it's an area that I think is going to get even more important as clinical staff and physicians are accessing, think about some of the data with DNA, right? Think about some of the issues with AI and some of the knowledge that was, so the depth of access is getting deeper. And so the need for a more frictionless, but safe enough, access is going to be pretty important.
Yeah. I like where your head's at. Whatever we've learned around physician access, especially with prescribing, if we can figure out how to leverage those rules, that know-how, to making it better for everyone else and safer for everyone else,
it was funny because after I saw the article, I went and, because I hadn't, it's been a while, I forgot what LOA stood for, I went and looked it up, the level of assurance. And I can still remember this because to access the Surescripts e-prescribing network, the minimum was LOA2, which is we think you are who you say you are to a reasonable degree when you're logging into the system with a user identity to write a legend prescription.
But LOA3 is, we have almost 100 percent probability that you are who you are, because the DEA, governing controlled substances, basically had a much more stringent requirement, not just on identity proofing and authentication, but the entire controlled substance pipeline had tighter encryption, different standards, and companies that do it have to be audited more frequently.
There's these gaps based on the explicit tactical security need that I think you can find a way to holistically manage it better.
Yeah, there's so many things in the spirit of you and I talk about this all the time, everything's connected to everything else. But that model of there are some things that need to be protected more than other things.
Yes. And we don't necessarily... Absolutely. I don't know how to say this politically correctly, but we don't necessarily do a really great job in healthcare, maybe in all businesses, but especially it feels like in healthcare, we don't do a really great job of saying, this is actually our top secret information, and this is our confidential information.
And so we spend more time and energy really securing the things that need to be secured and less time focused on the, if this got out, it wouldn't really be that big of a deal. We lock down everything as top secret because we just don't know what our data definitions are or other things.
So this whole idea, this whole concept around this could pile into a bunch of other work that we need to improve on too. Okay, I'm going to keep going. Sure, sure. The last article isn't really an article. It's a blog post. We do this also a lot when we're together. We're fans of folks who are good aggregators of news and they have good opinions that are sound.
And one of those folks is a guy named Chris Hughes. And you can find him at resilientcyber.io, and in newsletter number 16 he mentioned some of the latest news. And quite frankly, you can find a lot of these same stories at thisweekhealth.com slash news. But he has a really good way of looking at those stories and creating some small amount of analysis that really hits home.
One of them is about the Health Infrastructure Security and Accountability Act. What do you think about his commentary there? I thought his
take was right on. And you said it very well a second ago. That act was announced like last week, I think it was Thursday. The House had a bill, the White House had a bill.
So this is not the first time we've had these things. One of the things that, and we talked about this, I think two episodes ago, but Senator Warner has been on this for a while, right? He published that piece back in the fall of '22 with this compendium of all the things he felt across agencies that needed to be addressed.
But what I really liked about what Chris did was he boiled it down and said, look, it's time. And he also said, the frog that's been slowly, as the water has been getting warmer and warmer, the frog is almost dead and this is coming. And he connected it to cyber insurance.
And that's where I have this conversation with stakeholders in our company all the time. It's Congress. Don't worry about it. Nothing's going to happen. Well, things happen slowly, but when they happen, then all of a sudden they're not slow. It's like an earthquake, right?
It's like the tectonic plates rubbing against each other. Until somehow there's a magical agreement that happens, and it still does happen sometimes, even in this environment. And if there's anything that anybody can all get together and get behind, it's like cybersecurity. Yes. So there could be a jolt coming.
Chris put his finger on it. So this bill was the latest of the two houses of Congress and the White House saying we got to do this. Here's money for entities that are small and need the cash, but you will be held accountable. That's in the title of the act. But where he connects the dots, he takes that and he says, okay, by the way, what's happened with cyber insurance?
Prices aren't going as crazy as they used to, but why is that? It's because the carriers are now doing more due diligence. Standards are increasing. Accountability for coverage is being enhanced. It gets back to that other story from late '22 of CommonSpirit and how they couldn't even say that the insurance carrier was going to cover their cyber event in one of their press releases back from early '23.
I remember seeing it. And so he got back to stable pricing. You got to do the hard practical stuff.
It is.
Because if you don't do that, you can buy the tools and they're great, but without knowing what is your risk plan, because remember, his blog is like cyber resilience, right?
Cyber resilience means you have the third door window closed in case the hurricane comes by your house, right? And that's where I think he connects those dots well, because in the end he said, look, people are getting better, but these two things are going to force change.
Yeah, he's realistic enough, he's obviously experienced enough to know it's not just regulation, but it's the economic driver of cyber insurance coverage or not, the price and the coverage itself.
Yeah, no, I think this idea of, we've talked about this, my brain works in analogies, and one of the analogies I use over and over is Maslow's hierarchy of needs. And so when I think about Maslow's hierarchy, those things that are at the very base are the audit and compliance things. They're the, by regulation, by law, you have to do these things.
Now, if you build a program just based on those things, you don't. It's a pretty brittle program and it's not, the world changes. And it's hard to sometimes keep up if you've just built a program based on those things. I think what he's alluding to is this idea that, this or, and this is where I'm a little concerned.
I'm from the government. I'm here to help. Here's standards that you need to adhere to. The problem with the government imposing those standards sometimes is that, I think it's good because we probably need to be this tall to ride the ride. But it's bad from the perspective of the government is not very good about moving quickly and being agile and changing those rules when the world changes or the bad guys change or technology changes.
Cyber liability insurance, on the other hand, has continued to be, look, they're not perfect either, but they don't have their hands tied and they're economically driven. And so they say, you have to be this tall to ride the ride. And here's what I need to see that you're doing. And here's how you have to show it to me.
And next year, when the renewal comes up, those rules are slightly different, or maybe significantly different, depending on how the world has changed, and how they've faced risk, and the claims that they've had. I mean, it's interesting to just see how do we continue to push people up that Maslow's hierarchy of needs, into a better program and a better position.
Through compelling them through law? Is it, I can't get cyber liability insurance if I don't do this other stuff? There's a whole bunch of pressures.
The message is getting through. We actually, we haven't chatted about this, but I was up at the KLAS DHIS conference in early September.
And they put on a really good show. It's a great organization. And they had the first half day, they talk about a survey that Bain does with them. And cyber liability, cyber attack were like top, top concerns of the people that they surveyed. And you could see it across, you just called out the categories.
There's the audit piece, infrastructure piece, the whole range. They had a lot of good data. And, this whole notion of it isn't just about doing some tactical things. It's about looking at this whole picture and realizing, let's take your Maslow's hierarchy. You have to go up a couple of levels now.
It's not claiming to be safe and doing just the basics. You have to rise. And I was on a panel and, a lot of interest, a lot of conversation. The gentleman who moderated the panel was an attorney who deals in incident response and other things. So very interesting conversation about, what are these things you need to be paying attention to?
And so the awareness is there, and I think Chris was just showing us another push in that direction.
Man, we could go on all day. I always have a good time talking to you. Thanks for being on the show. I really appreciate it. Our pleasure. Yeah. Okay. That's it for Unhack the News. We'll see you the next time around.
Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.
Sign up at thisweekhealth.com slash news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.