Distributed Threat & Vulnerability Management with Sirius and Tanium
26th August 2021 • This Week Health: Conference • This Week Health


Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks for joining us on This Week in Health IT: Influence. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping Health IT staff current and engaged. Our topic for today is distributed threat and vulnerability management.


That is a health system that was ransomed. And we have Lee Milligan, the CIO for Asante. And Asante is the EHR host for Sky Lakes. They're the Community Connect partner for Sky Lakes, and they're gonna recount the events and the effects that it had on the interconnected health systems, some of the things that they did that, uh, they believed worked pretty well, and some of the things that they think could have prepared them better for the event.

Uh, we're also happy to be joined by our guest today, Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event straight through to the end. And I believe with his insights and the CIO's experience, this discussion is gonna provide valuable insights into the best practices that are being adopted across the industry, and maybe that you can adopt.


Our topic for today is Distributed Threat and Vulnerability Management. Our sponsor for today's segment is Tanium. Matt, this is, uh, an interesting topic: distributed threat and vulnerability management. Frame up the problem for us. What are we trying to solve? What are we trying to address? So we think about a single building, we think about a set of clinics; we set out to protect what we know.


Now we are ephemeral in where we work. We can pick up and go. Unfortunately in healthcare though, as a first responder, as a critical care resource, those individuals have to stay on campus. The information technology and security teams may be remote. So this now is not only a one-to-one relationship, building by building; it's a one-to-many: the resources, the places they are operating from.

So now all of those controls that we've been building for 12 to 15 years not only have to protect the buildings, but also, regardless of where that individual or that group of individuals work, have to protect them at all times. So that distributed threat now has gotten worse over the last 18 months. We are seeing this critical start of "I have to get protections right away."

People are throwing tool sets in, people are throwing solutions in, and not even defining the business problem. So that's where the problem statement comes from: we are now in a much more diversified and distributed workforce globally, as an enterprise, as a healthcare organization, regardless of what work industry you're in.

And that is really the compelling problem statement. We used to be able to draw a border around the outside of our network, and it was pretty defined. It was pretty easy. But at this point, physicians are accessing the medical record from all sorts of locations, any sort of clinician. You have higher levels of acuity in the home.

You have business associates. I mean, even defining the outside of our network becomes impossible. And each one of those different areas requires some aspect of, or some different approach to, how we look at securing that environment. Talk a little bit about the attack surface that exists within healthcare.

Yeah, and you hit it on the nail, Bill. Uh, when we're talking about perimeter controls, we draw the layers of the onion, the very outside, where we're going to attack the point of presence where the internet comes in to the routing equipment and the security features. Well, think about the fact that there used to be one one-layered onion.

For most organizations, we knew the outside layer had to be the crispiest and it had to be the most protected. But now think about the fact that that onion is one of many. We now have to have an onion that follows the resource. It follows the threat, and it now protects. So if you have an enterprise administrator who is now working from home that used to be sitting in the data center, that is probably one of your highest risks.

You also pointed out that now that you have a physician that is accessing electronic health and medical systems, any of the third-party systems, that now becomes an extra threat vector as well. So, as you mentioned, the attack surface has increased. Not only has that attack surface increased, it has become much more vulnerable just because of its distributed nature.

Processing power equipment can't handle the original design, so we're now making tiny modifications, but it's going to take some real thought and redesign to get to that next step of protecting everywhere. We used to try to build these massive perimeters, as you talked about. And it sort of begs the question, are we ever going to get to a Fort Knox of healthcare information?

Are we gonna be able to build some aspect of security that is impenetrable, if you will? Yeah. And if we had a model that worked, regardless of what industry had developed it, that was totally foolproof, it would be everywhere. It would be omnipresent. Everyone would have that architecture. It would be in place.

Great. Now, healthcare has a real opportunity here. Will we get to that, uh, panacea of protecting data? Will there always be a validation that no one can steal data? That's the hope and dream, right? But as we build out these micro perimeters, we start to have stateless controls that have to be everywhere in the industry, in the patient room, in the clinic, regardless of where they are.

We have to now adapt and think about all of these medical devices that are now coming in that also have the information. So until we get 100% of your devices on board with some type of a standard for protecting that information, we're going to be behind and we're not going to be able to provide that level of protection.

So that's just gonna take time. It will be an evolution, but there's a lot of steps we can take today. Micro perimeters is a new word for me, but essentially there was a time in my career where we were really pushing flat networks, and this whole idea of micro perimeters means, hey, they may be on your network already, as we talked about in the last show.

They might be on there for six months or so. But if you create those micro perimeters, it makes it harder for them to get around. Talk about the path forward. All health systems really have these risks and it continues to be a burden for them. What is the path forward as you're starting to adopt new equipment, as you're working with other vendors?

You have to impart on them what your policies are. If you have a security policy that cannot be violated, they need to adapt their methodologies to be able to support that. Because if we're just trying to band-aid things together, and as mentioned, as we look at a micro perimeter, we also call it microsegmentation for flat networks.

We can now start to put these technologies in on an iterative basis. Let's say that I have a critical care unit that I need to protect better than a public clinic. Let's look at a parking garage versus an air handler chiller for a critical surgical ward. These are the things that we have to have different layers of protection on.

Regardless, there has to be redundancies. So, working from what do I have? What is my clear inventory of equipment? What are their capabilities? Are they in fact potentially providing a risk? We know about supply chain attacks. We know how they happen, so these vulnerabilities might start out from a brand new shrink-wrapped device.

Work with your vendors to make sure that there are effective security programs in their organization so that you have those agreements, and most importantly, do some type of validation with perio to go in, validate, and ensure that there is no longer a threat or a risk based on your functionality and what you need to accomplish.

Are the threats to healthcare distinct enough that our partners need to really have a healthcare background to understand the dynamic that we are dealing with? Or can we use general security tools to address these threat vectors that we're talking about? Yeah, so for the first 20 years of my career, I was in technology.

Then I moved to state and local government, where I was building on a lot of that acumen. The very first time that I really worked with healthcare was in combination with local government and education. As I started digging into it, uh, this has been 12 to 15 years ago, healthcare does have a different lexicon.

While we would love to be able to just take a system that is designed for manufacturing, retail, distribution, or financial, healthcare does have a lot of special characteristics. We all know this. There's just a lot of different. However, I think that there will be a place in time where we can start taking reference architectures,

minimum viable security controls, and making sure that they are omnipresent. Every workload that you have will be protected by them regardless of its location or the volume of information being shared between it. Are there solutions available today specifically for the healthcare industry that are addressing this?

Or is this an area where we need to focus and develop some new solutions? So I think that one of the most compelling solution changes that we're seeing is around the, uh, internet of medical things. We're starting to see software solutions that look at these devices, categorize the vendor, label them with a risk, and show a workflow of how they potentially could impact and become more vulnerable.

So yes, the technology is there. We just haven't been an early adopter in healthcare, and no healthcare organization really wants to be that first one on the bleeding edge. You have to make sure that there are good use cases. The lab validates what's going on, because taking downtime is not an acceptable method of just having a new shiny toy.

e more of those over the next:

Fantastic. Alright, so one of the mistakes I made early on in my career is, I come into healthcare, we spend a boatload of money on tools. We had tools everywhere to address, uh, specific point problems. It used to be that we could just run a scanner, identify a problem, put a tool in place, and that would fix that specific problem.

It didn't work for me eight years ago. I'd love to hear you talk about why that doesn't work and why it really can't work moving forward. Yeah, so if we think about it, the very first thing that we will get if we run a vulnerability scan is a laundry list. It is now an inventory of legacy debt systems that need software upgrades, that may not even have a 1-800 number to call, uh, legacy systems that are no longer supported.

So the vulnerability scan, where we just got a report of hundreds of thousands or millions of technology debt, legacy debt issues, could not be resolved in completeness. So we would run these on a monthly basis. We would get the list, we would go patch machines, and then we would do it all over, month after month.

So now we have to get into a vulnerability scanning methodology that is near real time. It is closer to the workload, so that vulnerability management, instead of just being an outside-in scan, while you do need to do those for compliance, regulatory, and other methodology, can now be a supporting cast member.

It can just be your validation that your distributed threat management, your distributed vulnerability management, is working. We put it at the endpoint and we effect controls much more logically, and we don't have to wait for a report or a department meeting to go resolve these things. They are found, they're sent as an incident to your security operations center, and you can tear them down one by one as they happen, instead of just waiting over time to then deal with a bigger problem.

Fantastic. Matt, you set up very well our next topic, which is gonna be near application security, so I'm looking forward to that conversation. Thanks again for your time. Oh, thank you, Bill. Fantastic conversation. We wanna thank our sponsors, Sirius and Tanium, who are investing in our mission to develop the next generation of health leaders.

Thanks for listening. That's all for now.
