Addressing Supply Chain Cybersecurity Risk and Patient Safety with Proofpoint
Episode 415 • 16th June 2021 • This Week Health: Conference • This Week Health


Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks for joining us on This Week in Health IT. This is a solution showcase. My name is Bill Russell, former healthcare CIO for a 16 hospital system and the creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Today we are joined by Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare, and Ryan Witt, managing director and resident CSO, healthcare industry practice, at Proofpoint.

If you wanna be a part of our mission, you can become a show sponsor as well. The first step is to send an email to partner@thisweekinhealthit.com. Just a quick note before we get to our show. We launched a new podcast, Today in Health IT. We look at one story every weekday morning and we break it down from a health IT perspective.

You can subscribe wherever you listen to podcasts: Apple, Google, Spotify, Stitcher, Overcast, you name it, we're out there. You can also go to todayinhealthit.com. And now onto today's show. Today we are joined by Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare, and Ryan Witt, managing director and resident CSO, healthcare industry practice, at Proofpoint.

You guys, welcome to the show. I'm looking forward to this. Thank you. Great to be here. Yeah. So this is probably gonna be one of the most abrupt openings I've ever done on one of these shows, but I was thinking about this. We had a conversation earlier and I was thinking about this, and email is clearly the number one attack vector in healthcare.

The advent of email, really in:

So I'm gonna start with this question. Does every healthcare system in the country have a sound email cybersecurity plan or foundation in place? And I guess, Ryan, we'll start with you, and Julie, I'd love to hear you comment on it after we hear from Ryan. God, we're gonna go right away. We're gonna go right to the key point, aren't we?

I would think, unfortunately, that's not the case, that not every health system in the country does have this level of resilience built into their defenses. In fact, HIMSS put out their survey, their most recent survey, in December, and they asked that very question: to what degree various security categories had adoption within healthcare. And it's survey data, so you have to take that always with a little bit of a grain of salt.

But there was a significant number of healthcare organizations who didn't have what we would consider to be rudimentary security controls in place. When I say rudimentary, like they didn't even have anti-virus or protection. They didn't have a firewall. There's like 10% of those surveyed who didn't have a firewall, or certainly had no knowledge of a firewall.

So yeah, and I'm sure those are the smaller institutions, maybe the practices, et cetera, but it just highlights the challenge, just from a basic technology investment that is lacking in healthcare, in terms of why is this industry so under attack and why do we have so many problems with regards to protecting patient data, protecting our health systems, and really, as we're now seeing, protecting patients, because there is now a linkage between cybersecurity and an institution's ability to actually protect patients.

Yeah. Julie, I mean, VP of Enterprise IT. I would think this would be the starting point. Like if it has been the number one attack vector for the last 20 to 30 years, this is where you would start. Why are we struggling to get this in place across the board? Right. You're absolutely right. You would think that would be where folks would start.

And I have some insight from participating in some local and some national CISO groups that are, you know, focused on healthcare. And we've seen all ranges, right? Some of the biggest healthcare companies are part of these forums, as well as some newer, I would say smaller, companies. And we're often finding ourselves as a community trying to help the new ones that are clearly asking questions about, where do I start with this?

So I think probably they just haven't had the right investment and visibility on security, and the right resources to know and understand, right, that this is the number one threat vector, and then how do you go about protecting that? So a simple investment with a peer group that can help you, and/or calling in a security firm, would most certainly point this out as being one of the number one areas that they should protect.

Again, I'd like to hear from both of you. I mean, are we at an inflection point? You had the attacks in the fall on healthcare. Now you have the Scripps attack, which took them really offline for the better part of three and a half to four weeks. Has the conversation shifted? And in all the other industries, for that matter, we had the meat industry this past week, we had the pipeline as well.

Is the conversation shifting? Is this an inflection point where this is finally gonna get on the CEO's table, and they're gonna demand a plan and say, look, we can't afford to be shut down? Or boards saying we can't afford to be shut down? Are we feeling that kind of inflection point happening here?

Well, I think with the new rules that have come down from the Biden administration, that certainly cascaded into healthcare, into all communities, but certainly that's a transition there. So that will spark some conversation. But I also have seen a change, particularly in healthcare in the last year or so, where, because of some of these attacks, maybe even starting back with WannaCry in 2017 that did such damage to the NHS, I'm now seeing a change where people are starting to talk about security and patient safety in the same conversation. Patient care. Right. And they're now realizing they have to go hand in glove, and all of the investment used to just go towards medical things that were pertaining to patient care.

So I do think things are changing a bit, and something like the recent gas one was something that, I think, everybody could relate to a little bit more, maybe, than some of these. They've heard another hospital's been attacked, or another bank, but when it starts to be that the West Coast or the East Coast all of a sudden can't get back and forth to work, or get critical equipment transported to their place of business, simply because we can't get gas, it brings it closer to home. Gosh, I'd like to think we're at an inflection point, but I guess the cynic in me says we probably aren't. I mean, WannaCry should have been an inflection point. I mean, it was a tremendously significant ransomware attack.

It's the ransomware attack that took down hospitals. Okay, albeit in the UK, but you know, they had to stop surgical procedures kind of mid-operation, right? They had to close down EDs and ship people to other hospitals. I mean, this was, up to that point, kind of like the poster child of what could go wrong in a health system from a ransomware sort of attack.

And we didn't heed that warning then. So I guess the cynic says, well, what happened to Scripps is very noteworthy, 'cause it's a significant institution that had this attack. I hope healthcare learns from it. I suspect maybe we have to go through this cycle a couple more times before we truly get it.

The pipeline incident, and I guess the supply chain with regards to the food supply chain incident earlier this week, are noteworthy, but I think more so if those are deemed to be nation state attacks, and they might be. Then maybe health systems still kind of have these blinders on that say, you know what? I'm not the subject of nation state sort of activities, so it won't happen to me. Now, I would caution them to not think that way. And I would say, particularly if you have any sort of research component to your institution, you definitely will be a possible target for nation state activity, because that's a lot of data, a lot of IP that is very desirable for those bad actors.

Yeah, and just to be clear, we don't really know much about Scripps at this point. We know that it was ransomware because the president, the CEO, came out and said that it was a ransomware attack. But we don't have a lot of details per se, and so we don't wanna speculate, but we do know that they were on diversion.

I mean, they were diverting patients for the better part of three weeks. The EHR took three and a half weeks to come back online, and the portal as well. Those are significant incidents. That's an important point. It's an important point that we should emphasize, right? Because the amount of information about that event is very scarce, so we don't wanna draw any conclusions, but we do know the things you've already highlighted, and we do know the prominence of that institution.

So it's something that we should all be concerned about in terms of what could happen, or what will likely happen again in the near future in this industry. All right. So Ryan, I'd like for you to walk us through a little bit the innovation that's happening on the attack side. And I was looking at some of the slides sent over to me. I'm one of those who reads slides, and it was interesting to me to find that the slides show that 53.7% of malicious URLs originate from legitimate file shares from Microsoft, meaning that people have already gotten into your network. They somehow put file shares or files on your SharePoint site or on your Microsoft Teams site, or wherever they happen to be, and that's where people are actually downloading the malicious code from.

Have the attackers gotten that sophisticated that they can even be attacking us from within? 100%. They have. I think the way to look at this is think about how attacks occurred in yesteryear, and that might be five years ago or whatever. There was a significant focus on network architecture, network engineering, and these bad actors had people who were steeped in security knowledge, and they went and tried to discover whether there were vulnerabilities in a network design, or whether patches that should have been deployed weren't deployed, or they found zero day attacks.

That was a very detailed, investigative sort of approach they had to take to discover those vulnerabilities. They take the same sort of methodology, okay, but now they apply that to social engineering. Now they apply that to trying to understand your institution, trying to understand your hierarchy, trying to understand your mission, your locations, your geography, your email addresses.

How the job functions work. And now they can deploy not just a small number of people, because finding resources who have deep security knowledge is pretty hard. Finding resources that can go mine LinkedIn or Google is pretty straightforward, and they will use these profiles to go build

very, very compelling emails and lures that are pretty hard to spot from a user sort of standpoint. And so once they finally break in and they get into one of your file shares, like Teams or whatever that you mentioned, they will then park and stay there and find a way to, again, navigate your network, navigate your organization, to try to figure out how they best want to attack you.

And Ponemon brings up some very important data on this point. Essentially, those bad actors are in your network for up to about, well, six months before they get discovered. So they're hanging out on one of your file shares for six months. They're observing your activity, they're observing your organization, before they decide they wanna strike.

That's amazing. On average, it's about six months that they're in your network, all undetected. And all the while they're in your network, they're looking at the social media accounts of.

Why supply chain has specifically become a significant threat vector in healthcare, but they're looking at all those things. What information is publicly available about your health system? Who are you doing business with? Are you doing new buildings? Are your people sharing information about your successes as a health system, and those kind of things?

Are you sharing personally about your vacation and.

If all of a sudden you now receive an email and it comes from what appears to be or actually is a legitimate email source 'cause it's within your organization and they talk about your project, your current business plans, your operation, your organization. You would not really deem that to be a threatening email.

So you're more inclined to respond, and you're more inclined to give over information. And they're not so absurd as to say, okay, now I'm in, can you tell me your password? They're not asking those sort of ridiculous questions, but they're asking questions that will start to unlock the kingdom, or give them jigsaw puzzle pieces that they can, over time, assemble into a picture of what they're trying to attack.

And I think that's how we need to think about it these days. So, Julie, why is supply chain such a ripe target for hackers? Right. I think it, particularly in healthcare, but it certainly applies to all industries, is bigger bang for the buck, right? You can go after a hundred different hospital systems one at a time, or you can go after the Epic system hack that, you know, happened.

Or, I mean, SolarWinds isn't obviously specific to healthcare, but think about the foothold that SolarWinds was actually able to get by compromising one vendor, right? Which led to many, many, many of us that use that. So I think part of it is definitely the bigger bang for the buck. I think also that supplier risk management is probably one of the areas that is most neglected, probably has maybe baseline controls if you are lucky. Even over the last four or five years I've seen the types of questionnaire from companies that we're doing business with, and they are maturing, but in many cases I'm very surprised, right, at the low level of information that they're asking for about how we're protecting our systems.

So I think that's an area that needs a lot of investment. I could add one point. I think the other factor to bear in mind here is that successful attacks, phishing attacks of this nature, imposter-style attacks, are very reliant on sending emails that don't appear to be suspicious.

Okay. And if you have an email which purports to come from your supply chain, okay, they don't have the status of being an internal employee, but they have much better status than an email coming from outside the organization from an unknown source. And so if you can't penetrate your actual health system, but you could penetrate one of your business associates or one of your partners,

and pretend to have that sort of business relationship, the guard just goes down a little bit, right? And that's all they need. I mean, kind of like the old saying goes, they just need to be right one time; the defender has to be right every single time. When that guard goes down, they have an ability to attack more aggressively, and that's why supply chain, in addition to the points that Julie already mentioned, is a huge threat factor.

So this is no small deal. How do they get me to send them a check? Right. So somehow I'm the one who's sending out checks, or I'm the one who has some sort of asset that's worth going after. How are they gonna get me to do that? I mean, they would have to know a lot about me in order to get me to do that.

Sure. And it happens in multiple ways. I can give you a couple of examples. So they would befriend you over time. Okay. So they would build up a relationship with you over time on email. And they might even build up a phone call relationship with you, to the point in time when they're going to essentially attack, and that attack could be, yeah, send me a check or whatever.

By the time that they ask you that question, which would be, hey, by the way, I know you're about to send out the checks for these projects we've been working on, the construction example, if you want to use that one. Just before you do so, I wanted to alert you that we changed banks, so can you actually do the wire transfer to this bank instead? Now, I probably forgot to mention that to you. I just wanted to give you kind of a heads up, right? And that befriending process, by the time that sort of email or that request comes through, it appears to be natural, because the person you're talking to, you think, works with the supplier you're working with, and it's a very

natural, sort of requested conversation. So in many cases you just don't think anything of it, and you just do it. Now, of course, we're wising up over time and we're thinking, okay, you know what? I'm just gonna call that organization and I'm gonna double check.

But they capture a lot that way. The second way is just spinning up lookalike domains. I mean, unfortunately, there was a heinous activity over the holidays where we saw an example of a health system's foundation. There was a lookalike domain who purported to be their foundation, their charitable fundraising sort of function, and they were soliciting donations from their local citizen base.

And that citizen base, like, I'm doing the good thing for the holidays, I'm gonna give money to this needy cause. And you're giving money and you think, it looks like their website, all the verbiage sounds like their website, the logos are all right, but you just unwittingly gave money to a bad actor.

So there are lots of sort of techniques that they could use to dupe people. Are they in far enough to be reading my email or somebody else's? They're clearly in far enough to be impersonating a valid email address. If they have the credentials, they can read your email. This is why they're so patient, and why they're able to go undetected for up to six months, because they know that once they are in, that's a very, very valuable foothold.

And so yes, they could immediately go explore your calendar, explore your contact base, read your email, but that would be wasting this sort of foothold. So they'd much rather go dormant, observe, and figure out where they want to attack. And I think, just to emphasize the point, because sometimes it's good to use an analogy here from a physical security sort of standpoint: if somebody is in your network undetected for six months, this is essentially the equivalent of them living in the closet of your spare bedroom for six months and observing your family, how they operate, what they do, when they go out.

I know that's really creepy, but that, from a cyber standpoint, is essentially what is happening, right? Yeah. And you can imagine the impact that would be to your household. Well, there's a similar impact happening to your institution. All right. Talk about the Proofpoint solution, because I assume that the best way to make sure that this doesn't happen is I never even see those emails, or they have no way of getting those emails in front of me.

That would be the first line of defense. Second would be a set of controls. Training obviously is a part of that as well. So I'd like to talk about all three of those. Let's start with the technology. Talk to me about Proofpoint, and how have the Proofpoint solutions evolved around this? Sure. I mean, there are lots of starting points. I would argue the starting point would be your email gateway.

I mean, people are essentially being attacked, they're largely being attacked, almost always on email or other sort of messaging channels. So you need to have this sophisticated sort of gateway that blocks, whatever, 90, up to 95% of the email that comes your way. So you're keeping almost all of the bad email away from your user immediately, so you're not forcing them to make a judgment call at all.

That would be kind of like your step number one. Step number two would be to introduce some sort of DMARC capability so you can authenticate who is sending you an email. So if this person purports to come from your business associate, you can actually unmask that to say, are they actually coming from my business associate? So that's DMARC sort of technology to guard against fraud, fraud defense. Those would be important sort of security components. Then you kind of get into things like isolation. So if you have a portion of your organization who, just by the nature of their job, work in a vulnerable way,

they're in a department like maybe your supply chain, where they have to download documents, they have to click on links, they have to go onto third party cloud applications, you can put isolation technology in so they can have all those interactions in a containerized sort of environment. So you kind of de-risk it. You can use DLP, so if you do get breached, you can at least prevent the exfiltration of some of that data. And I'm gonna borrow Julie's line here, and I'm sorry, Julie, but I think it's important to note that the technology is an important part of the component. Training's also important, but you can't train your way out of this.

I think your best sort of safeguard here is to make sure that as much of this traffic as possible does not get through to your users, so you're not forcing them to make a call. Yeah. And I want to come back on the other controls and training. Let's start with this. I would assume that organizations can put a set of controls in here so that even if you are compromised and they're trying to do this, you're gonna keep the money from being transferred, or whatever the event is gonna be.

Give us an idea of what are some of the controls that people put in place? Yeah. Well, a couple of things we did, specific to finance. That was really kind of the top area for us that we were being attacked on, looking for whether or not they were targeting the CFO directly. Or what we really saw was that they were attacking people that worked within his organization and asking for wire transfers.

And we came close one time to something happening, and we put a new control in place that basically said that no wire transfer would ever be approved in email. Right. That had to be verbal approval from him. And we've had several attempts since then, and that has worked very well for us. We've had a legitimate need, right, that we'd need to send something.

We also had the scenario that Ryan spoke about, where it was actually our bank that had initially been compromised at one point, and we thought we were communicating with somebody that we had always been communicating with, and it turned out that there was kind of a bad actor behind there. And it was that scenario of, oh, by the way, we've changed the bank routing information.

So we put controls in place that any time there's ever a request from a supplier to change or set up new banking information, it doesn't happen over email. It's a phone call that we actually generate to them, so that we make sure, right, that we're calling the contacts that we've always worked with

and validate that the information that we've received, right, is actually legitimate. So take the communications out of email. That's interesting, because CISOs, I talk to a lot of different people in organizations, and one of the first areas they go to is training. We're gonna train all 20,000, whatever.

In healthcare, it could be some fairly large organizations. We're gonna train all these people because we want them to be aware of what they're looking at. Clearly, that's good. What do you mean by you can't train your way out of it? Does that mean you just can't get to a hundred percent? Right. You can't get to a hundred percent. As Ryan said, it only takes one.

So I've seen various numbers. I've worked in various companies and industries, and the goal, right, is to get below a certain amount, even on phishing campaigns. Even if your goal was to get to that five or 8%, which is probably a bit loose these days, think about, right, based on the size of your company, right,

what that risk is. Companies also have turnover. So it's just kind of constant. So I'm not here to say that it's not table stakes. You have to do it, and it will absolutely reduce your risk. One of the things that Proofpoint brings to the table is that it gives us more intelligence on kind of who's being attacked in our company and kind of how they're being attacked, and then we can customize training for those individuals.

That certainly provides a lot of value and reduces risk, in addition to: there are certain subsets of users in all industries, healthcare no exception, that you should probably do additional training for anyway. Anybody in IT with administrative rights, right? You're definitely gonna wanna have more controls and training around those folks. People that are developing software for your company, right,

that might be used at outside organizations. So there are teams, I would say, or job functions, where that should just be an automatic that you would do training. But don't underestimate the power of what's helpful to learn about people that we would not have thought would've been targets in our company. And they are.

So now we're putting extra training in place to protect those individuals. So Proofpoint is telling you that, essentially, hey, this group within the finance organization, or this group within IT, or this group, these are getting more hits and more targets. Is that right? Yes. Yes. So do you have any idea?

Well, I mean, I think you'd go after IT people, because they tend to have credentials that could lead into multiple systems, but finance, obviously, follow the money. I think they've been a top target for years and years, with no exception. But other departments in the organization where we might have gotten surprised, like our recruiting teams, right, happen to be a top target.

We also do a lot of credentialing. Right. We employ clinicians, and we do a lot of credentialing. So if you think about the information that would be gained there. What I also like about the visibility that comes from Proofpoint is that I can also see how they're being attacked, right? The types of emails that they're sending in.

And sometimes it's the casual email that Ryan mentioned, where they're just trying to strike up a simple conversation. It doesn't look like anything nefarious. And then other times it's the plain old things we see every day about click here, and something in Dropbox or whatever, for example.

So that extra intelligence has been really valuable to us. Well, and that's the thing that I think is more sophisticated than it used to be. It used to be they'd attach a PDF with some sort of code in it, and they'd send it out to a million users, and just by the law of averages, somebody would click.

Now it seems like, back to this conversation, where it starts with, hey Bill, welcome back from vacation. It's great to have you back, because they were looking at my Facebook account or my family's Facebook account, and they saw that we were on vacation. They knew we were coming back next week. Hey, the building project is moving along, and the building project is moving along as planned because they're looking at our press releases

and they're reading updates and things, 'cause there's a lot of information out there. So they're just patient. They're getting more sophisticated in how they interact with us. So it just feels so natural. I think people are wondering, it's like, how could I possibly get duped in this way?

It's probably not all that hard to get duped in this way when they have that much information about you. We've definitely seen that. And I also think, in the era where social media is just, there are people that go to bed with their phone. I mean, they are so addicted in their personal lives, right?

They're much more casual about that, right? So if you're doing that 20 hours a day, right, that you're staying very in touch with social media, that's much more collaborative and natural. It's hard, if you come into work, right, that you're trying to wear a different hat and you're trying to think of all things security in mind.

So we've definitely seen that, and even correlated, I almost hate to say this, but have correlated it a little bit into age groups, right? Where we can see that there might be a little higher risk, and it might be with those that are much more comfortable with social technology. Right. I'm almost loath to bring up this example, because it's just so heinous, but it

illustrates the challenge that we're facing in the industry. So yes, there's really strong insight and research into very precisely who is being attacked, down to the person level or down to the departmental level. We think the departmental level's a really good way; you could put controls against a department. And this example also illustrates how closely the bad actors follow the news cycle.

Well, we were watching how Covid, in the early stages of Covid, how that was impacting the threat vector, and whether there was a change in who was being attacked, or whether there were geographical differences in who was being attacked. And if you cast your mind back to kind of the March, April timeframe of last year, where, you know, ground zero for Covid was like the New York metro, right?

They were seeing just a huge impact, and those hospitals were really, really struggling to cope with what was happening. We found that in that April sort of timeframe, one of the most attacked departments in the New York metro was the hospice organization. I mean, we don't talk to cyber criminals. We don't know why they were doing that.

We've spoken with some health systems and we've got their sort of point of view about why that might be the case. But, you know, we were able to alert these institutions to say, hey, we think there is a real pronounced shift toward attacks on your hospice organization, so they were able to then decide what controls they wanted to put in place accordingly.

So whether that's training, or whether there's other sort of procedures they could put in place to sort of mitigate against that attack. But I guess the lure of access to controlled substances, the lure of maybe being able to get, you know, access to patient data, was so compelling they decided to attack that.

But having that insight is a great way for health systems to figure out where they want to put their defenses. And I'm a realist here: we're not gonna achieve the gold standard of cybersecurity for all parts of your organization. That's from a budget standpoint.

10% of your organization is more vulnerable because of their job functions, then you can, you know, layer in extra controls and have a much more reasonable approach from a budgetary resources standpoint and say, okay, I'm gonna defend these particular places. Yeah, you were talking about going after hospice.

And I was reminded of some of the conversations we had last year. It's like the attacks started in one place and then with each news cycle they shifted, right? It went to vaccinations, it went to, uh, tax reimbursement checks. It went to. So they're definitely up on current events and that's how they stay current and go after those places.

Alright, so we've established this is where they're gonna come in. This has been where they've been coming in for a significant period of time. So where do we start? Which one of you wants to take this? Where are we gonna start to really put in the things that we need to do to put the foundation in, to protect from an entry through our email and through that attack vector?

Julie, you live this day in, day out. I'm gonna let you start. Okay. I was gonna start with a technology like yours. I do think that if companies aren't sure what to do, right, the one thing that I would say is work with a cybersecurity vendor that can help with this.

'cause it sounds overwhelming, but the reality is that Ryan detailed out just some simple things that you need to do, but if you don't have the right resources working in your company, if you've got an outsourced IT team, let alone a security team, it could feel pretty overwhelming. So that would be the first thing, right?

That's what I would tell folks to do, but then it is to find the right partner that is going to, um, protect the email. One of the things that's, I think, a value prop for Proofpoint, I didn't really come on here to necessarily be a big showcase for Proofpoint, but one of the things that I really like about being able to partner with someone is that, slowly but surely, you're building out your product line also.

So now it's actually easier for me that I have a lot of capabilities within one vendor. Not only do I have my email being protected right before it's even getting to my users, I have the insight on what those targets were that were deflected, the ones that actually made it through. I have training that's actually built into the program, and I have phishing campaign management.

Right? And there's other tools that we don't even have yet that as we start to mature, you could add into one vendor, right? That, um, builds this ecosystem around all things that are associated with, um, email, right? They cascade into other parts of the company. So I would definitely start making sure that you are

partnered up with a leading provider in this area. This wouldn't be where if I was given the gold, silver, bronze, I wouldn't choose the bronze. If I, if I. But look, we saved a bunch of money, anyway. Exactly. Now there's certain things you wanna make sure are right. I actually talked to, uh, a Proofpoint client this morning, who happens to be one of my coaching clients.

I asked him just about this solution. His comment was that this solution particularly was not as hard to implement as what they thought it was gonna be. So, yeah, it is probably daunting if you're starting from scratch. But if you have some knowledge in house and you have some things in place.

We're familiar with gateways, we're familiar with the thresholds, and we're familiar with setting controls and those kind of things. It sounded to me like it was a pretty logical solution to put in place for them, my understanding of it. Mm-hmm, mm-hmm. Right. And I guess one thing I would add to that also is that I think companies sometimes fall short in that they'll actually do the training, but it's a compliance checkbox training.

Right. It's the annual training that's maybe 20 minutes a year. Companies definitely have to evolve, um, past that. So if you partner with the right vendor, there's all sorts of training that not only meets the annual, um, training requirement that most companies probably have, but there's just all this more robust training for targeted users.

So I think that's an important piece to highlight. Well, to close.

Take us out five years in this area, what would the best case scenario be? What would the solution look like? What would the best case scenario be from a security standpoint, specifically around the attack vector of the supply chain through email and those kind of things? What would it look like?

What would we have in place across all of healthcare within five years? Ryan, I guess I'll start by saying best case scenario is we're not having this conversation anymore, right? And it's achievable, right? If you think about, again, where we used to have dialogue, it was around network vulnerability. We don't really have firewall conversations anymore.

I mean, we don't talk about zero day attacks anymore. They occur occasionally, but we really don't hear talk about those. We don't, because the investment's been made, and we need to make that similar sort of investment in email, but it's achievable. It's not like other industries where we're waiting for roadmap developments to bring next generation solutions to the marketplace.

What healthcare needs to acquire is readily available today. So I think that would be our best case scenario. And then in terms of where we're gonna be going, I mean, it's more and more moving to the cloud. So we're

in that sort of arena, 'cause that will undoubtedly be, if not the next sort of attack area, one that we have to be mindful of. And of course, medical devices are, I think, a lot harder to not only attack, but to monetize, which is why we don't see as much activity there. But that's a looming challenge because we know they're vulnerable.

So I think that's kind of like the near-term future. Hopefully we're not talking about this anymore because we've solved that problem, but we need to think about cloud and medical devices. Mm-hmm. Yeah, it makes sense. Uh, Julie, any last words? I basically agree with the comments there. I think the one challenge will be is that if we are successful through technology,

process, um, people, um, altogether really kind of defending this front, where are they gonna move to, right? There's going to be a new avenue that's, uh, gonna be a new foothold. And that's always a challenge of sitting in this chair also, is that they're not just coming at you from one angle. And even though that's the number one angle, you've gotta keep your eyes on the ball, on all of that.

I wouldn't underestimate the comments on cloud, right? I think healthcare, um, has been slow to come to the cloud, and then when it started happening, it started happening so fast that I'm fairly certain that for many companies they didn't have the opportunity to get the controls in place, um, that they would've liked to.

Yeah, absolutely. I think one of you mentioned in the earlier conversation that, for those listening who are in college, if you want a job coming out of, uh, of college, get a degree in IT and technology, but if you want a career, get a degree in cybersecurity, because this is gonna keep evolving.

That's what I heard from you guys. Yeah. We're gonna plug this hole and we're gonna get it across the board, but you know, then something else is gonna pop up and it's gonna keep going for as long as we can envision. So there's always gonna be the need to stay ahead of this. So, hey, thank you. Thanks again for your time.

I really appreciate it. Great topic and great conversation. Thank you, Bill. You enjoyed. What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. Perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show.

It's conference-level value every week. They can subscribe on our website, this week health.com, or they can go wherever you listen to podcasts. Apple, Google, Overcast, which is what I use, uh, Spotify, Stitcher, you name it. We're out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well.

We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hillrom, Starbridge Advisors, Aruba and McAfee. Thanks for listening. That's all for now.