A Data Security Deep Dive with Former Chief Technology Strategist
Episode 354 • 20th January 2021 • This Week Health: Conference • This Week Health


Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.

Thanks for joining us on This Week in Health IT. This is a Solution Showcase. My name is Bill Russell, former Healthcare CIO for a 16 hospital system and the creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Today we have Summit Seigal, the Chief Technology Strategist, US Healthcare for McAfee, to talk security strategy.

Special thanks to our Influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders. If you want to be a part of our mission, you can become a show sponsor. The first step is to send an email to partner at thisweekinhealthit.com.

A quick note. We launched a new podcast, Today in Health IT. You're not gonna find it on the This Week in Health IT podcast feed. It's a new channel. It's its own show. We look at one story every weekday morning, check it out. It's roughly about six to eight minutes long. It's an easy way to, you know, stay current on what's going on in the health IT space.

Subscribe wherever you listen to podcasts, or you can hit our website, thisweekhealth.com. Hit the subscribe button and it'll show you how to find the podcast. If you're new to this show or returning after a while, we now do three shows on this channel. On This Week in Health IT, on Monday, we cover the news and I do that now with a round robin group of about six to eight people.

So it's a back and forth on the news and what's going on. On Wednesday, we have an Influence or a Solution Showcase episode, and every Friday we're gonna do an Influence episode just like this one. Be sure to check back for more great content and now onto today's show. Uh, good morning, Summit and, uh, welcome to the show.

Thank you, Bill. Thanks for having me. Yeah. I'm looking forward to the conversation and we're gonna, we're gonna cover a lot of ground today, but before we get going, you have a significant US healthcare background. Share with us how you got to where you're at today. Interesting. It's been a fun journey and a challenging one.

I started in health IT as an intern, actually back in the late nineties, early two thousands. When, so not much has changed since then. Yeah, just a little bit. And it's fun because having gone through internships and my early experience as systems engineering in hospitals, I had the good fortune of having very good mentors.

That actually firsthand showed me what the impact technology and security do to clinical operations. So, so that was my, the genesis of my career in healthcare. And then from there I went on to do security engineering architecture. I worked through the regional health systems, for-profit, national health systems, academic medical centers, and then even what I would call the, the safety net health systems and hospitals as well before joining McAfee.

So it's been, it's been a fun ride over the last, I would say, 20 years, almost 21 years in the field. And having gone through multiple EHR implementations and multiple security programmatic, I would say, experiences as well. It's been a, it's been a fun ride and a challenging one at that. Well, this is gonna be fun.

You just opened yourself up. I can go in a lot of different directions. Academic medical centers, safety net hospitals, IDNs, you've done the whole, the whole gang, including on the vendor side. Now

then. You work with a lot of health systems, you've worked for a lot of health systems. What do you see as the greatest, let's say, deficiency or challenge with regard to securing healthcare information today? I think it's, you asked me a very simple question, but it has an interesting answer because I'm gonna answer it in two different ways.

One is gonna be on the, what I would call the industry systemic issue side that has a security impact to it. And the other one is, as security practitioners, what we have done to ourselves in the last probably 10 years, that is causing some of those issues as well. So there are two things. From a systemic perspective, I think complexity of architecture is one of the biggest problems we have.

, late two thousands into the:

So that's creating a lot of, I would say, interesting conversations when you're talking about security architecture and how it fits into the broader IT architecture conversation. So that complexity is probably technically challenging on how effective security solutions and security programs can be. So that's one.

The second thing I would say programmatically is. There is understanding of what security does from a risk management perspective, but it's not quite properly aligned with enterprise risk management in hospitals and let alone clinical safety and clinical risk management. So because that interplay is not there in a meaningful way, and it's starting to happen in some cases, that causes some friction from a

What is the role of the security program for this health system? To answer that question, you need to have that cohesion there, that communication there, and that's probably, I would say, the two areas on the industry side that's causing a lot of angst for what we have to do as security practitioners.

That's one. The other piece on the security side is data hygiene is a problem. Now, you probably have talked, have heard your other podcasts, you've talked about analytics and the role of data governance and data hygiene. If you've gone through an Epic implementation, for example, you know what it takes to go through the templating process for role-based access for a physician trying to figure out who does what and at what times in the day.

So the ability, uh, for us to have good enough information to feed the security system and the security architecture for it to produce, on the other side, useful data is a systemic problem on the security side that we're grappling with. They're getting better, but that still exists across the board, across the US.

And the last piece, I would say on the security side is on the incident response side of things. Security operations and healthcare is very spotty. You have the large health systems on the top end of the chain that do this very well. They have appropriately mature processes, technologies, people that do that.

But for the majority of them, this is shared FTEs that are doing security operations in addition to their day jobs as a systems engineer, backup engineer, application analyst, and stuff like that. So that causes some angst in how that interplays with emergency management and continuity operations. All right.

So you're gonna help me to fix, uh, just in the short answer there, I'm having flashbacks and I'm starting to sweat as we have this conversation. Security was always one of those, one of those areas that was, uh, I, we all recognize, but one of the most important things that the C does. And they have the ability to bring in technology, hire the right team, put the right operations in place, and, and those kind of things.

But, but it, to say it's hard is an understatement. So I, I wanna lean into some of the things that, that you're talking about. So you talked about the architecture. And how the, the proliferation of tools is, uh, and, and, and not integrated into the larger strategy. There's a thousand point solutions in security.

How do we bring them all together? How do you make a cohesive strategy where your CISO, your CTO, your CIO and your data person, they're all in sync? Sure. It boils down to, I think, what I was saying from the alignment of risk management and threat modeling, very similar to what the CIO and CTOs, for example, do today with business continuity and continuity operations to figure out, Hey, I'm spending $400 million for an HR implementation.

I'm spending X amount of dollars to, for the infrastructure to support it. One of the things that they do that security oftentimes doesn't is looking at the operational impact of what that is. So for example, to stand up an EHR, you will bring in hordes of teams, have help desk set up, have liaisons, have champions that.

Are responsible to make sure that the solution gets adopted the way it needs to be done. That doesn't happen in the security land. In the security land, it's always okay. We are gonna look at what we are gonna, we have an idea of what the security solution does. The noise in the market can help with competition from a price perspective, but the value proposition has to be.

What does the security solution do for me as the health system in the timeframe that I'm looking to do it in and for the reasons I'm trying to do it for? Those are critical questions that need to be answered that can help you isolate what you said of the tool sprawl conversation, right? For example, take, we have a category of tool called secure web gateways.

They look at outbound traffic to the internet. Great solutions work. They work with firewalls. They help. Exfiltrate data. Uh, they help prevent exfiltration of data, they help malware, stuff like that, blah, blah, blah. Key interesting point is when I ask questions of, okay, when you're planning a technology like that, is the information from that solution going into some other place from an analytical perspective that helps you tie together what Bill Russell's behavior on the web.

Has to do with his behavior on an endpoint in the environment. His behavior on that endpoint when he takes it home. His behavior in the cloud when he accesses SharePoint Online or Exchange Online. And the last piece of it from a perspective of, selfishly in IT, can it help me improve Bill's experience if the solution ends up blocking his workflow?

Case in point, it's a pain for you as Bill to have be doing your work and all of a sudden be blocked, and then you have to call and sit on the help desk for three, four minutes and then to be triaged to the right analyst versus the tool having the capability to automatically integrate with the service management system.

And then do an automated workflow to hopefully triage 70% of the calls that come in. That's an example analysis that I have to help customers through when we, and have conversations to say, Hey, it's not just about I. EDR or endpoint detection, endpoint protection, web gateway network, whatever. Insert name of fancy security technology here.

It's about what it means for it running in your health system. And sometimes it can come down to the practice level. It can come down to the specialty level that we're looking at. So I would say understanding that and doing proper threat modeling can help you identify . What tools to use and then talk to the the partner community, the vendors that we have done a lot of innovation in the last three years to get the tools, talking to each other, having healthcare often says standards based approach.

It's trying to do data sharing. That's great. How does it apply at scale? If I take an action on one machine, can I replicate that across 30,000 of my machines in a matter of minutes? That's, those are some of the questions, for example, operational questions that can help alleviate how the solutions are picked and chosen for the appropriate workflow.

And everything that goes along with it. Things like machine learning, AI and stuff like that. Uh, so did I answer your question? Yeah. What does, what does a good threat modeling exercise look like? Uh, or activities around threat modeling? What does that look like? Sure. So threat modeling is very similar to the conversation that happens when you go through a business impact analysis for continuity operations.

The goal becomes is, hey, we have a solution. That we are trying to implement for this reason, for our business, for this clinical workflow, for this specialty. It has these pieces, X amount of pieces. So the threat modeling exercise goes through and figures out based on how the solution is built, where it, where does it sit, how is it scaled?

How is it accessed? What are the data flows in and out of that application to figure out how badly can that solution be affected in terms of a security incident? And then on the flip side of that, once you understand that, you can actually then use the output of that exercise to color your risk management decision to say, great.

This solution has APIs that are not really very well built. So I may have an exposure on, I may have an exposure on the data collaboration, data sharing side. What does that mean for me? Do I have funding, for example, coming in or on the reliance of that system, being able to share data? We see that for clinical research use case applications as well, so that's what a threat model looks like.

It's looking at who has incentive to go after what's in the application, or the means to get into the application to cause not only data theft, but also either impact to integrity of applications, so the ability to change data or the availability, which for health systems predominantly in that triad, the confidentiality, integrity, availability.

Piece of it. Sometimes availability and integrity trumps the confidentiality piece. So that's what threat modeling helps achieve. That's interesting. It's in the more I talk about security, everybody keeps talking about behavior. Now we're gonna identify the behavior. What's your behavior on that endpoint?

What's your behavior on the wire, uh, and those kind of things. What, what does that look like? Is that back in the day that would be signatures and.

What those activities should be. They're only able to access these systems. They're only able to traverse these VLANs. They're only able to do those things, and we used to have to literally manually program in, Hey, this is what they're able to do. And it built little walls around it so people could only stay within those walls.

But this whole behavior thing is really a different paradigm. You. Watching me determining what I do on an ongoing basis, creating a profile based on what I do, and then saying, okay, that is normal behavior flag. Anything outside of that? Is that, am I getting close to what behavior looks, uh, mapping behavior looks like you are.

And, and the only thing, so one of the things that happened is in the last probably five years or so, the com, the vendor community has used the words ML and AI to death, right? . It's everywhere. So the good part of leveraging those algorithms is the approach that you're talking about of manually understanding what that would look like, has been replaced by algorithms that are, that now stitch together.

Those not only builds behavior on the endpoint, they're stitching together, builds behavior as a user of the environment together. One of the things I say is Bill's behavior at home is different than Bill's behavior in the enterprise, and Bill's behavior on the enterprise is different than Bill's behavior on his cell phone going to the cloud.

So. That's where when we talk about behavior profiling, that's what we're talking about is trying to make sense of security. People like to use the word context, trying to build context around when something breaks, like an incident occurs, whether it's malware, data exfiltration, or a sophisticated attack.

We are trying to figure out what is the context in terms of that incident tied to a particular user's profile. That's really the holy grail answer that we need to answer as security practitioners, to you, to a CIO or to a CTO, to CEOs, leadership, to say, Hey, how badly are we screwed? That's the answer we're trying to get to and, it's good.

You never like it when that question comes open a meeting, Hey, how badly are we? Are we hosed here? Are we just Yes. Yeah, we're pretty hosed . Correct. And, and, and the question, and I, and I laugh about this because it's in an enduring way of that answer could be different for a health system that's in the middle of a city competing with 19 other health systems for research and stuff like that than a regional health system that only has.

That has no other competitor, for example, in the 30 mile radius. So, so that's where I think organizational appetite for what the security solution needs to do and security program does is very important to figure out what solutions you pick and how you decide to deploy them. What things does the I I, I don't, so this behavior mapping isn't a holy grail.

What kind of things does it protect against? And then what kind of things may it not protect against and we need some other tools around it. Sure. So behavior mapping, all it does, it's not really protecting itself in a way. What it do. It's doing it's, it's essentially prioritizing what you need to focus on from a response strategy.

So this is one thing that McAfee, for example, does very well, and I've seen that kind of iterate through the last four years that I've been here is. For example, if I have a cloud security solution that's looking at all the stuff that's going on within my OneDrive environment, you could have thousands of people sharing data everywhere from teams to SharePoint.

It's going literally ev every direction you can possibly imagine. As a security practitioner, when I look at that console, I may have thousands of alerts that happen in a matter of 15 minutes. The ability for a solution to essentially behaviorally fingerprint you to say, Hey, Bill does these 10 things when he comes in from this application normally during the work week, and he shares normally between five and 10 gigs of data.

That's the normal workflow. Today, Bill shared 400 gigs of data, so that automatically gets elevated to a security analyst queue for response. Processes start to happen. And when that happens at scale across the board, it allows the security team to work with the infrastructure team to have a very quick, cohesive strategy of how to respond.

And that's one of the reasons why when I talk to customers, for example, in the five years. That I've done this, we've gone from response times that used to be in the days now for the most part, to be in the six to eight to 15 minute mark. 20 minute mark. So that's so, so what does behavior do? That's the answer to your question, is it helps respond to incidents very quickly and hopefully help to contain them in a way that the recovery activity can start.

What, which. What's McAfee doing around alert fatigue? Just, I had a system where we were generating, I don't know, 30,000 alerts a day, and the team, I asked them once, how many alerts can you get to? And they're like, I don't know, a couple hundred a day

So what happening to the rest of 'em is they just fall on the ground and we see if they're still there tomorrow. I'm like, wow. So there's this need, first of all. How do we deal with all those, what's Mac doing in that area? And then there's also the need for seven by 24, which is always a challenge as well, so that that timing actually makes it, the cloud world makes it that timing worse, right?

Because we have the issue of what I would call security solutions produce correct information that's absolutely useless from an operations perspective. So one of the things that McAfee has done, and selfishly for healthcare for me this is really good, is identify the process of, hey, we're not only looking at how we share what I would call usage data.

So this is looking at policies, configuration, stuff on one side and reporting on the other side. So this is more of the how do I manage a system workflow? Yeah. Also. Focused on making sure that we leverage the right type of algorithms and the innovation that we've done in the whole next generational machine learning AI space to say, Hey, can I team together with the human that's running me as a solution to be able to help identify based on peer examples, peer as in peer group examples, what should happen, not prescriptively.

But predictively, so take a ransomware attack, for example. They're, they're phenomenally disruptive. And there's a certain sense of chaos that happens when it first kicks in. The ability for a solution to, for example, go up and say, Hey, you have this going on based on this campaign that's happening on the dark web.

You are affected in your um, environment in this way. These are 10 machines that need to be updated. These are nine that needs to be quarantined, and these are the . Technical security indicators, things like IOCs and stuff that you can share with other stuff in your environment that's running that needs.

That's the first part. So it's the concept of it takes a village to respond to a security incident or a problem is the ability for us to share data bidirectionally. So that's what's happening, number one. Number two is we're taking what the analysts do from a workflow perspective and automating that. I dunno if you heard the word.

XDR. It's called extended detection and response. No, uh, give, give us a little background on it. Sure. So XDR is a new industry term. It's taking example, what we've done in the endpoint space to say, Hey, we're gonna try our best to protect stuff at the endpoint. We know we're not gonna be successful, so we are gonna then build things that help us to detect and respond very quickly from a forensics perspective and recovery perspective.

But now we are gonna take that whole concept that we've done on the endpoint space and extend that to the network, extend that to the cloud, extend that so we can have the same kind of methodology and information sharing that's happening across tools that makes me respond very quickly. So to your point, when you had your folks that said, I have 300 alerts coming an hour, and I can only look at the top 10.

A lot of the triage work of which 10 I should look at for the day is now automatically done by the system to be able to bubble up, Hey, your system generated a thousand alerts. These are the 300 that I went through, the thousand to say automatically that you need that are important. And then within that 300, these 10 you should really look at.

Because based on these 10, you are hosed, or something happened or something is going to happen given what I'm seeing happen here. So we're doing that. That's interesting. And so, so good. We're actually doing, I, I know there's so much buzzword going on in the industry that's hard. But we are doing a lot of machine learning and AI. Yeah.

To process huge amounts of information in order to create a level of automation so that we can actually be responsive. Absolutely, and I go one step further because one of the things that I said it takes a village is for healthcare folks to understand that hey, vendors are not necessarily out to just to get the sale done or the money to get your money for the solution.

There's a tremendous amount of expertise that the vendor community has that you can leverage to help you improve. How your security tools functions across the board doesn't only mean what they sell to you. So case in point becomes, hey, we have, for example, a team that does threat research and vulnerability analysis.

There's no cost, for example, for a customer to call us and say, Hey, can I talk to those folks to see? I wanna see what's happening. In the biotech life sciences space or the healthcare space this month from a dark web perspective. I'd just like to see what's going on and we'll share that information with you.

Same thing goes along the lines of working with industry, so I think between the healthcare vendor space, the security vendor space, the community groups, which is the H-ISACs of the world, and, I don't know if you've heard of this, so Health and Human Services has a 405(d) task force for security that is doing phenomenal work to essentially take the threat security side of things and communicate that in healthcare language for smaller scale and medium scale hospitals.

Then there's the consultant. Of the world and then the peer groups. So I think between those areas, there's so much tribal knowledge that exists that can help you improve not only what tools you're picking to do the solution, but actually how to tie them together, because that's what's probably the most important piece of it.

All right. There's three things I want to hit on before, uh, we get to the end of this show and one is.

I also wanna talk about the recent threats, vulnerabilities, attacks, I think is probably the best way to say it. So we've, let's start with the attacks. We've had ransomware and now we have the SolarWinds, uh, I, I don't know what to call it, events going on. What is McAfee doing around those specific.

The ransomware and the SolarWinds for the community, just so they can understand what's going on. And then what are kind some of the things that the industry and, and McAfee is doing around those? Sure. So from a threat profile perspective, like, like I said when we talked before, the threat profiles for health systems hasn't really changed over, for example, what can come in, what's changed is the way they can come in and how quickly can they come in.

So ransomware and other malware, . Sample samples and techniques like that are prevalent. They're coming in through email, they're coming in through cloud. What McAfee's doing is figuring out that we have 25 years of information that allow us to figure out from an algorithmic perspective, how do we build in automation that says we have this ridiculous data set for.

Traditional compute and non-traditional compute, by that normal computers. We have telemetry from the cloud and we have telemetry from cell phones, from cable modems and TV, smart TVs and stuff like that to say, Hey, in the computing world of the internet, how do adversarial attacks take place based on type of device, based on type of data?

That's one area of research that we do to help us improve the efficacy of solutions. The other side is like what I told you in the sense of we understand that we're not gonna be the end all, be all for everybody for security. So we've taken a lot of time and effort to build in standardized what I would call

Standardized approaches to share data. There's a word that's, uh, lumped around in the industry called messaging fabrics. It's a way for us to share information bidirectionally in our systems for threat information. So for example, if you have a web application firewall that does a job really well, we'll probably work with that and then we can give them network specific information and learn from them and give them

That threat data so the applications can learn from each other and help the customer that's running it have a better security outcome. So a lot of our focus has been on creating that technology and creating that innovation that happens not only at the endpoint of the endpoint network, like the traditional data center environment, but also in the cloud.

We're looking at a lot of our, uh, focus has been right now . , how do you protect information when it's going cloud to cloud, like when you share it from OneDrive to Gmail or when you're using teams or Zoom and with this whole remote work aspect of things, and like I said, the complexity of architecture, our focus has been making sure people have the ability to go up and down the stack from the traditional security side up the application stack to say, Hey, I can secure my databases.

I have visibility into securing web services for data sharing, and also if you have a development arm, how do you securely develop applications and then use a concept that you've probably heard called DevSecOps on that side. So that's where McAfee has been focusing a lot over the last, I would say, five years.

Interesting. So you've been in the industry a long time. Have, have you gone through any M&A activity? Yes, yes. I've, I've gone through it as an employee and I've gone through it as, I was working in Mac and helping other customers do it when I was at Washington DC working for one of the for-profit health systems.

There, we used to go through M&A activities when they used to absorb either new practices or new behavioral health centers and stuff like that as well. So, yeah. So talk to me about that process a little bit. This, this has always fascinated me because I still remember two health systems coming together and the one health system, you know, essentially everybody's like.

You can get email going back and forth pretty easily, but then all of a sudden you're saying things like, Hey, let's get Active Directory connected. Let's get this, and there's, there's the level at which the business is saying, Hey, let's bring these things together. Then there's the IT data understanding of how we're gonna bring this data.

They start zero trust. It's based on zero trust. It's based on, yeah, don't trust anything. But you're bringing these two organizations together and everyone's talking about how great we're gonna be together and trust each other and all. And the first thing the security person says is, yeah, don't connect to that network until we verify.

But yeah, but what, what is best practice? What does it look like to bring two organizations together? One of the Correct, so I would say it's three, three fundamental steps that happen. The first is the understanding that even though we want M&A activity to be co cookie cutter and most, some of the more, I would say,

Efficient health systems that do this, try to get to that point. Security cannot be cookie cutter, partly because the risk frameworks that are coming in are different for the health system. So for the 20 that are coming in, you are gonna have a different risk profile given the, what I would call the IT maturity for one.

Secondly, it will have a different risk, uh, methodology for the security architecture that's deployed. And the third part, if they've done that work. From an operational maturity perspective, because one thing is, it's a lot of times you'll see for a compliance check marks, they'll say, we have this capability that we have this solution that takes care of this security for us.

But when you look behind the scenes as part of the acquisition and the merger process, it's, yeah, they have it, but they haven't touched the solution in two years or they have touched it, but they've, the solution's been running in. Only in a is running an inform only, but not take any action mode. So from that perspective, there's a evaluation that needs to happen from an enterprise risk perspective versus third party risk in, in the sense of where is the data flow happening in that incoming organization that can change the threat analysis that you've done for yours and, and how does that align and.

The third angle of that piece is process maturity. Now you can argue that do we have any frameworks? People will mouth out NIST and HITRUST and stuff like that. Frameworks have a place. Uh, frameworks allow you to have essentially a tr train of thought exercise so you don't end up with scope creep, and you are clear on the directions of what needs to happen in sequence.

What it will not absolve you of is the question that you just put, speed versus quality. Right? When M&A happens, they happen for a reason, that needs to be done in nine months, in 12 months, 18 months, 24 months, whatever the timeframe is. So from a security perspective, the clinical, the enterprise risk group.

Takes the front step here, informed by the information security team to say, Hey, this is our footprint. This is the footprint of the organization that's coming in. This is how our threat profile changes by absorbing what they do in a bad way. This is how, or it could be the other way to say, Hey, these are problems we're trying to solve.

They've already done it. This is how we can do it better by taking the way they're doing it, as long as it doesn't hurt my overall kind of plan of what I wanna do. So that is the process that needs to happen. Unfortunately, what occurs is a lot of times it becomes a political fight of who has the money to control the budget and who wins the battle from an IT governance perspective, not necessarily information security, risk governance perspective.

So that's where I would see the, the folks that are going through this exercise can be better. And, and this is where it takes that, hey, you as a customer of the consulting outfits and the vendors that are helping you through this, is you can push to them and push them in helping you figure out that, hey, it's not about us versus you.

It's, it's not about the process of ingesting. My problem is I have to run this with a finite set of resources. I need to be able to do it in 18 months. And that, and the stuff that I said to you that we need to take care of the, the third party risk threat modeling, stuff like that, that can be used as a catalyst in addition to the frameworks to get, yeah.

So we could stay on that topic probably for a while, but I, there's so many other things I wanna talk. I, I do wanna hit on medical device security with you. What's McAfee doing? I assume progressed since we were VLAN things off.

The FDA would allow us to upgrade the Windows XP underlying architecture, right? Have, have we moved forward? What's McAfee doing in that area? So have we moved forward? Is a loaded question. The segmentation still happens a lot of the time. I'll give you two answers. One is on the industry side and what McAfee's doing.

Right. So from the industry side, it's pretty interesting. A lot of the conversation was for integrated clinical devices, and in my opinion, the conversation needs to have a broader set for not only just IoMT, which is Internet of Medical Things, but also your IoT in general. And the reason I say that is most health systems are going down the path of either reinventing what their campus looks like or going through capital projects for acquiring new buildings.

So as they figure out what the new clinical space would look like, they're doing things like smart buildings. They're doing things like smart energy efficient management, like green initiatives and stuff like that. All those things are part of your IoMT strategy to say, Hey, these are all things that touch my patient.

It doesn't bode me if I go down the path of securing an integrated infusion pump when somebody can turn off my water in my building in 10 minutes and I'm on bypass in 30 minutes. So from an industry perspective, there's a lot of back and forth that's going on. The what should I focus on? The solution sets that exist from a security perspective and McAfee's looking at this as well, is I.

Currently as it stands, we have an OEM division that we work, for example, with Siemens, with Philips Healthcare, with Stryker, with Hillrom, Xerox machines, like stuff like that. We have a large OEM division that allows us to put security technologies at the point of manufacture before they deliver to you as a health system customer.

So that helps you with the what's going on in my, in my environment and give you certain based of, uh, certain level of, uh, compliance specific reporting and security specific stuff like application whitelisting and, uh, control. So this is for like point of sale devices and stuff like that you may have in your cafeteria.

Some of the security technologies that we partner with in the medical device area or the IoT device area, those are, I would say in three categories. So they're mostly all startups that have been around for between two and 10 years at this point. These companies do everything from resource management, so looking at where a specific IoT type device is and where they're going, classification, and they work with us integration wise with regard to sharing threat data.

Some of the more clinical facing devices or hospital or healthcare facing devices will integrate with specific EHRs like Cerner or Epic from an order set delivery perspective that happens to say, Hey, I know where this device is. I know when it was turned on, so I can have an idea of when it is used, but I don't know what the quality of that use is.

The fact that it turned on five times important for you or not. But if I can quantify how much money that made you, then that can help guide some of the conversations. So, so a lot, a lot of these devices are understanding and helping you fingerprint what your threat profile would look like. By having these, it does not help you with the staffing conversation or the noise conversation, uh, that we talked about.

Where all these do is a lot of times is introduce 4,000 alerts extra that somebody has to triage then at that point, yeah, I wanna close with, you know, two.

One of the things that I've, I would recognize as a challenge for an AMC is protecting intellectual property. Is there some, something special about that or is it essentially just a classification, a data classification that says, this is medical information, this is intellectual property, and you sort of tag that and you, you track its exfiltration.

From the network. Uh, it, it's different from the point of, because when you're doing normal security practices or program for a health system, the focus is to make sure you are protecting the process of care delivery. At its core, that's what that is. So whatever it means, whether looking at the physician has the appropriate information at the time they need it to make the clinical decision.

Do I have the capability to be able to bill for my services and maintain my brand? That's really the focus on, on the traditional healthcare operations side. When you switch from that to an innovation side of it where you're doing intellectual property, the focus starts to shift. Instead of protecting the workflow of that care delivery process, I'm now protecting the information that I'm innovating and creating.

So the focus goes from integrity and availability to more confidentiality, because now you're worried about things like insider threat. You are worried about fraud, you are worried about the ability. If you have a development arm, like a skunk works development shop that's doing coding, how is that coding done?

Is it done on the cloud or in traditional methods? Like what kind of secure software development lifecycle are they using? So this is where things like the secure development operations sector of ops come into place where traditional health systems have less of that because they're using off the shelf solutions so they don't have to worry about that piece of it.

Some of that is contractually handled. So those are the things where for academic medical centers that are now going down the path from a revenue perspective to say, Hey, I'm gonna do this innovation thing and I'm gonna invest in companies that help me sell this product, for a security person that's leading the security strategy.

It becomes a very interesting conversation because your staffing is not changed. The skillset required to do DevSecOps in the cloud is very different than running a traditional SecOps environment, security operations environment in your health system. So it's not fully different. It's still security, but how you use the tooling, how the reporting is handled, how do you respond to incidents, it's done differently.

Just, I know we've done some, some polling. Our users, some of our users are gonna say, DevSecOps, that sounds really cool. Is that from a Tom Clancy novel? What? What are we talking about here? So what are we talking about when we say DevSecOps? Sure. So SecOps is security operations, right? Yep. DevSecOps is a word that's done for securing development operations, essentially.

So it's what it's is, it's looking at the software development lifecycle of how we build things from a cloud application perspective or native application, native traditional application, and then trying to introduce security earlier on in the process. So this is done at the architecture design phase rather than after the testing phase.

And the goal is, there's another word you'll hear in this is called shifting left. It's we're trying to introduce our, we are trying to introduce security earlier on in the process. So we are shifting the ability for us to catch something that's gonna happen from a security perspective earlier in the software development lifecycle.

So that way we can prevent things like database attacks, we can prevent things of what we call security hygiene or security best practices from a coding perspective, how do you, if you're expecting me to give you numbers, if I give you alphabets, how do you deal with that in your application? Because that's what the attackers do.

They give you your application input, so it misbehaves and then it misbehaves. They leverage that to be, to get in. And then insert themselves in whatever payload they're trying to do. That's the fundamentals behind an attack situation. So that's what the DevSecOps is to be able to take security embedded in the security lifecycle earlier.

So we have better telemetry, better understanding. So when we do the response, it is way quicker and way cheaper or magnitude cheaper to have to deal with that. So is, is what's next in security? You've given us so. But is there something next? Is, is there something next that we can expect from McAfee?

Sure. I think you can, uh, so you can expect more innovation that's coming on the concept of the, that, of cloud security from a containerization perspective, we are all getting into the space of when health systems are doing telemedicine and remote health, remote monitoring. They're all using SaaS applications.

That's built on containers in the cloud, so securing containers is a different aspect of how you do cloud security. You can expect innovations coming there. We have a lot of innovation that's going on that's looking at how do you make the triage process of security operations more efficient. So that's on the analyst side of things of, hey, when you have security analysts deal using the sit from different security applications to say, this is where I need to take this action.

How do you help that process get better. And the last piece is we're focused on providing our customers the ability to say, Hey, we have tremendous amount of threat intelligence. So you as a customer first can leverage that to say at any point in real time to say if there's operations happening. The SUNBURST and the SolarWinds thing that's going on right now is a prime example of that.

COVID is another example where if we have COVID based attacks that are happening on the internet right now. What is your prevalence in the sense of that question of how badly am I screwed? It answers that question, by the way. I love the airplanes behind you. The, and I, I really do. I it makes it look like you, you work for Boeing or you're a, uh, I wish or you're an architect or, or engineer.

Uh, so, uh, what's the story behind the. Aviation is my passion. I grew up, uh, family of pilots, so it's unfortunately when I was getting into college, the market was opposite, so I went into technology, but still av geek. I, I do still a lot of flights in. I try to get my hours in as as much as I can for my license on the side.

But these, these are mostly, I love the 747. That's what my dad used to fly. I, at this point, they're only left flying freight, so it's one of the things where I think the person that did these posters did a phenomenal job, and it just reminds me to make sure that outside of security, keep trying to aim for the skies.

I, I like that part. I, I'm still amazed when I get I, the first 747 I saw, I was, I couldn't believe it got off the ground and I think the, the largest plane I was on was an Air France. It essentially has two full levels, two full, a top level, and a, and a bottom level. I, I just, I got on the plane, I looked at my wife and I'm like, there's no way this thing's getting off the ground and probably one of the smoothest I've ever been on.

February of, yeah, February of:

One year has passed. February,:

And that's, I think, similar, like I draw a lot of parallels when we're talking about security with the aviation industry as well. It's, it's one of those things where we're trying to get to a model. We're trying to help solve problems and own experience and it's, I think we'll get there. I'm fairly optimistic that'll happen.

Yeah. We will have hiccups along the way, but a lot of fun stuff to happen in the future as well. Absolutely. Hey, thanks for your time. I really appreciate you, uh, coming on the show. Thank you. Appreciate it, Bill. What a great discussion. If you know of someone that might benefit from our channel from these kinds of discussions, please forward them a note.

They can subscribe on our website this week, health.com, or you can go to wherever you listen to podcasts. Apple, Google Overcast. That's what I use, Spotify, Stitcher. We're out there. You can find us. Go ahead and subscribe today or send a note to someone and have them subscribe. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders.

Those are VMware, Hillrom and Starbridge Advisors. Thanks for listening. That's all for now.