UnHack (the Podcast): Finding the Essential Information In a Fast-Changing World
Episode 62 · 3rd September 2024 · This Week Health: Conference · This Week Health
Duration 00:34:21

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

This episode is brought to you by CrowdStrike. Protect your health system with CrowdStrike, a global security leader. CrowdStrike has redefined modern security with the world's most advanced cloud native platform for protecting critical areas of enterprise risk: endpoints and cloud workloads, identity, and data.

Powered by the CrowdStrike Security Cloud and world class AI, the CrowdStrike Falcon platform leverages real time indicators of attack, threat intelligence, insights on evolving adversary tradecraft, and enriched telemetry from across the enterprise to deliver hyper accurate detections, automated protection, and remediation.

All this, and elite threat hunting and prioritized awareness of vulnerabilities. CrowdStrike. Unified platform, one agent, complete protection.

Introduction

Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non technical show about cybersecurity and risk, and the people, process and technology making healthcare more secure.

And now this episode of Unhack the Podcast.

Podcast. I'm Drex DeFord. In:

breach, and remember this is:

Some articles speculated about who was behind the attack; others provided conflicting information about what consumers should do to protect themselves. And social media, of course, was flooded with advice, much of it unverified and potentially harmful, even telling people to sign up for fake credit monitoring services.

Amid this chaotic flow of information, a few trusted cybersecurity experts and organizations like the Federal Trade Commission and a few prominent security firms like Krebs on Security provided well researched, accurate, and actionable advice. They explained the breach's technical details, they warned against phishing attacks and the fraud that would follow, and they offered step by step guides on protecting personal information like passwords.

ormal stuff to do, but it was:

It didn't bring the practical insights that consumers needed to help them figure out how to do the right thing. It was chaos when what consumers wanted was some good order and good analysis. And ultimately, those who relied on this curated, thoughtful advice from credible cybersecurity sources were better equipped to take meaningful action to protect themselves and their identities and their families and their businesses.

And those who could not find signal in the noise were often left confused and drowning in chaos and taking ineffective steps that didn't fully protect them. The Equifax breach is a great example of how a flood of media coverage can overwhelm individuals in the face of any major event of any kind. And given the world we live in today, a combination of healthcare and tech and cybersecurity and AI, all of the channels seem like they're always flooded.

So the moral of this story is that, facing that flood, we're forced to make choices on what we read or where we connect and how we stay informed. There's simply not enough hours in the day to read or listen to all of it, so we prioritize our choices.

In this episode of Unhack the Podcast, I'm asking CISOs this question: What's your best recommendation for how cyber professionals and others can stay on top of the latest news in cybersecurity? With this caveat: besides the Unhack series or the Two Minute Drill series of podcasts or thisweekhealth.com/news, what are some of the other best places you can read or listen and get good cyber insights?

And to their credit, and I appreciate it, most of them told me that that caveat, the second part, actually really messed up their answers. And the question wasn't designed to be a commercial for This Week Health or a podcast. I hope we do a good job helping you find signal in the noise, and your feedback says that we're pretty much on track, but the intention from the outset was to get CISOs to share all the other tools and organizations and sources that they've prioritized for getting the best info on cyber.

Now, maybe those are not the sources you use, and if not, maybe it's worth checking out some of those other options. Today, you'll hear from Greg Garneau, CISO of Hospital Sisters Health System; Joy Poletti, the CISO for Mosaic Life Care; Steven Ramirez, the CTO slash CISO at Renown Health; and Teresa Tonthat, CTO and CISO at Texas Children's.

And then, as usual, we'll wrap things up with Shauna Hofer, the CISO at St. Luke's in Boise, and the two of us will do a little post podcast discussion. You'll hear her comments about her best trusted news and intel sources. With every show, there are some great insights from some amazing healthcare cyber leaders.

Don't blink. This will go by really fast. It's the "how do you stay on top of the latest cyber news" episode on Unhack the Podcast.

My kids often joke, "Dad, why are you studying and why are you reading all the time? You're out of school." And I tell them the profession I've chosen means that I'm constantly reading, I'm constantly learning new things, and I'm just always, it seems, glued to my computer or listening to a podcast.

There are so many places and sources where you get good information, good intelligence. I think it's really important to plug into organizations like the HSCC and the AHA and, frankly, do your best to get as much information from your federal partners, CISA, the FBI Cyber Division; make sure you're around for those alerts.

But the podcasts are also great. You can find a variety like nothing else on cybersecurity in the podcast world, right? And it's pretty much whatever it is you're interested in learning about, you can find it. And I think that's really great. Really interesting, very refreshing and as importantly, it's your colleagues.

It's your network. It's your professional network of CISOs around the country, especially in health care, right? And that's really important to stay dialed in to your colleagues and most of them will share information or other resources for you to go and explore that will help you be a better leader and a better cybersecurity practitioner.

So a lot of it is tied to the network. I'm thinking like my signal channels where I get often overnight, first thing in the morning, I'll get the, Hey, have you read this?

Yes. Yeah, absolutely. It's going to these, security aggregator sites that have a plethora of information from around the globe that, you just go sit and look at a few sites in the morning, right?

When you're having your coffee before you start your day, so to speak, and you get an idea of what's happening. In the overnight, what's happening globally, what's new and interesting that you may want to find more information on a specific technology, or a way of, managing your risk and your threats within your organization.

Having that network and also having the ability to just allow people to provide trusted sources, your friends, to give you insight into something that they found interesting and maybe of value to you.

So I think initially, coming into this position, I was really overwhelmed with how many different resources were available to get information from a cyber intel perspective. And I found that it could get noisy and hard to really be able to focus in on what I needed to focus in on.

So I scaled it down a little bit and tried to get a little more intentional to really use my time the most effectively. And so where I really landed was a few different things. Very reliant on H-ISAC. They provide daily threat emails that come directly into my inbox; they give me CVE scores, they're a range.

They tell me exactly what technology, I understand kind of the scale and scope of it, and then I can go to their site and do extra reading up. We also ingest their information into our threat management programs, so those new IOCs are something that we're leveraging. They also have webinars and podcasts. So again, if you want to go deeper, you can. It's a paid subscription, but it's very reasonable. So I really recommend that one. I enjoy Gartner more from a strategic perspective, and I know it's not for everybody and maybe in your role it's not what everybody needs, but I found that not only do I get a daily threat intel email from them, that again seems to be a lot of the same themes I see in H-ISAC, maybe not to the same granularity level.

But again, just great resources where I can click into, read a larger story, get some background. And then what's nice about Gartner is you can schedule time with an analyst if you want more information. I use Gartner more from a strategic perspective, not necessarily always from a daily threat perspective.

But now that I know about these threats, I want to get strategic in this program, and I can leverage them for some of their resources and how they help pull those things together. So those are probably my big two. I was actually introduced to the 229 project through this group of CISO friends, and that friendship has grown over the years. I literally rely on them. Through our chat channel, they usually are giving me intel before I even get it from H-ISAC or Gartner or any of those others. They just always seem to be looking out for each other.

We always have each other's back. If someone could say, Hey, I'm looking for this. Have you seen this vulnerability yet? What did you do? How did you approach it? And so to me, that's almost more beneficial than me just reading an article, because I'm getting real time conversation. I know that they're in healthcare.

I know what size their hospital is. I know what scale it is for them, so I can really apply it to my own environment.

applications they're running, the same applications you're running. Yeah.

We're using the same language and a lot of times we have a lot of the same tools, cyber tools, we have a lot of the same applicant business applications, medical applications.

So we are, again, the risk is similar, and the approach. And it doesn't matter what the subject is, somebody has something to contribute. I would say that is my favorite resource and one that I feel like I can plug into at any time. And going off of that, the 229 project and that group, those podcasts that you've mentioned, Drex, the Unhack, I just enjoy the content in those because, again, being in healthcare, it's always relatable.

And so being in cybersecurity, you have to be a constant learner. You have to always be making time to learn something new or you're going to be behind. And so those are really some of my, my top resources that I leverage from a CISO perspective.

Yeah, I get my information from a lot of various places. Really staying ahead of the curve and having a pulse on what's going on in the industry is super critical. I know there's a lot of pay to play, but there's also a lot of good information. I know a lot of members are H-ISAC members.

H-ISAC sends daily threat bulletins, a lot of other information. 405(d) also has some good information. Back to H-ISAC, there's a lot of Slack channels as well, so I know there's a lot of different groups. I chair our information protection working group, so I know there's a lot of good information on that, especially if there's any kind of vendor outages.

405(d), I mentioned that. LinkedIn's an awesome news source for us. I know the Two Minute Drill, all the stuff that you do, Drex, is great at boiling the ocean too for a lot of stuff that we're doing for board preps, audit and compliance meetings, et cetera, and also what CISOs repost.

So I think that's great to do that. And that also gets into having your core group too. Also, I'm in a lot of group chats with some various CISOs, a lot that I've met at 229, that we get a lot of real time information from, within minutes. I remember Brad from Guthrie told a lot of guys about the Change Healthcare thing before that was even public information, and a lot of other stuff.

So it's also having your good friends and, colleagues in the industry, we're all in it together. It's great to really have, each other to not only bounce ideas off of, but have you seen this information? Are you hearing about this? So that's where it's great to have those colleagues and peers to see what's going on.

We're all in healthcare, fighting the same fight, and it's really a good way for us to just interact and share information.

So, Drex, outside of This Week Health, there's a lot of media channels that my team and I frequent on a daily basis. Specifically right now, I am following news from Hacker News, from Threatpost, and also Dark Reading. And from time to time, I see what Brian Krebs is issuing out on his media posts as well.

My team across Texas Children's is part of the Health-ISAC. We're part of the CHIME threat group, and then we do a lot of collaboration with all of our security practitioners and CISOs across Texas healthcare in the Texas Medical Center, and then beyond as well, being part of the Children's Hospital Association.

We get a lot of great intel from CISOs from CHA. In addition to that, I think it's important too that threat intel doesn't just start and stop with our cybersecurity team. My entire technology team, from infrastructure, data center, networking, they get real time insights from all of their partners and vendors from a technology standpoint, and they share that back within our security operations center to make sure that we holistically as an IT team stay ahead of the threat actors.

everything that's happened in:

What kind of advice do you have for others on business continuity and resilience?

So one of the things that we've talked about within Texas Children's is how do we continue maturing our cybersecurity program from a people process and technology standpoint, but still never lose sight of why we do it. The reason why we have cybersecurity programs and practitioners at a hospital at Texas Children's is because we're going to do everything we can to make sure we can keep operations running.

The resiliency of taking care of our patients, taking care of our members, is why we exist, not just bringing up new technology. So if we keep the patient in the middle of everything we do, we really need to think about: technology is never going to be 100 percent up and running, whether it's a cybersecurity incident that causes a ransomware attack, or if it's a technology that has a bug. We're at the mercy of that partner to bring their systems back up and running. So we've all witnessed that recently; Change Healthcare was an example of one.

At Texas Children's, we do business continuity planning and simulation at least once a year. Who's in charge of communicating? Who makes the decision of flipping over to disaster recovery? Who makes the decision if we pay the ransomware or not? And these are very much people and process conversations that we need to be ready for.

That's just once a year, but we have an organization resilience team. We have a very strong resilience team within Texas Children's that meets with our clinical partners, specifically the ones that are so dependent on technology to run their operations.

And then they do downtime procedures and cybersecurity events, and we run simulations with them as well. So I think it's a very critical topic, and if any organization has not yet started working in partnership with their emergency management or resilience team, they definitely need to do so, because the average healthcare downtime due to a ransomware attack is anywhere between 20 or so days. But I've seen some that take over 40 plus days to restore full systems. So it is very impactful to patient care. So I think it's very important that we focus on that while still continually evolving your cybersecurity program due to the emerging threats and risks that are coming our way.

Hi, I'm Sarah Richardson, President of the 229 Executive Development Community and host at This Week Health. I'm thrilled to invite you to a must attend webinar on September 24th, where we'll be discussing the future of healthcare cybersecurity. Join me and top experts from Rubrik and Microsoft as we dive into their powerful partnership and explore how they're leading the way in protecting healthcare data.

This is your chance to gain critical insights and strategies to enhance your organization's cyber resilience. Don't miss out. Secure your spot now by registering at thisweekhealth.com/healthcare-cybersecurity-excellence. I look forward to seeing you there.

Hey everyone, welcome to Unhack the Podcast. I'm here with Shauna Hofer, one of my favorite people, from St. Luke's in Boise. And we always do the post game wrap up, a good time. What'd you get, what'd you learn?

And of course, I want to hear your story too. How's it going before we get started?

Let me Drex, in the favorite people category. And thanks for having me back. It's always a pleasure to be here with you.

if we could get more time together in person, I would actually really like that.

You do.

And we're going to work on that, because there are 229 summits that are coming up, CISO summits. I'm actually in Washington, DC right now. I'm doing a CMIO summit and a CIO summit. Those are running at the same time. I'm spending much more of my time in the CMIO room, which actually has been really eye opening and fun and interesting, because docs are amazing.

So it's always a good time in there. And then we have, I'll just put out a general kind of pronouncement. We usually don't announce these things; usually they're by invitation only, but October 24th, just outside of Atlanta in a very nice place, it's actually really cool, we're doing a CISO summit. We have several folks signed up, but I think we still have a few seats available.

he events that we're doing in:

A lot of cool stuff that will happen next year between the city tour dinners and the summits.

You bet. I would love to come to a summit. And yeah, anyone who has not yet attended a 229 summit, I highly recommend it.

ing about me attending one in:

I asked a good question, I think, and I had a caveat to the question, which was: besides the Two Minute Drill, Unhack the Podcast and Unhack the News, what do you listen to?

What do you go to for kind of your news sources and cybersecurity? And some really good answers. And some really good like consistency in some of the answers too. The world is really noisy. There's a lot of stuff going on. There's a lot of places you can go to for this stuff. In some cases, you can pay for it.

But if you're not paying for it, we got some really good answers. What were some of your favorites?

Honestly, my favorite is probably the one that rose to the top with everyone else, which is community, my buddies.

Yeah, exactly.

I heard it called something different every time. It was peers, it was friends, it was my core group. But it all came back to my people, and I just absolutely loved that.

I know that you have some Signal channels. We've built some Signal channels as part of the 229 events. Each kind of, I don't want to call it a class, but each group usually winds up leaving with a Signal channel, and in a lot of cases, it's really interesting to me, you all, the CISO world, are in many ways, it feels like, way more connected than when we bring the CMIOs or the CIOs and others together.

I don't know if it's because it's just the way it's worked out, right? You're shoulder to shoulder on this stuff.

I've wondered the same question over the years. And is it a cybersecurity thing? Is it a healthcare thing? I think there's some magic in the combination, because in those groups that I'm part of, there's something about, anytime someone new joins, they're just automatically part of the team, right? There's something about just knowing that, and I loved the way it was brought up, of we all have the same challenges. Sometimes we have the same technology, we have the same risk, we have the same scope, right? There's just something about knowing that about the person on the other end of that Signal chat that you just already trust them.

Yeah. And we talk about sometimes how it's a little bit of misery loves company.

Yes.

And I

would love to go on my way. Yeah. The Signal chat that I have, I think I have at times been tempted to rename it CISO therapy, because I think that's really what it is at times. Exactly that of, I hate this.

Yeah, we hate this too. Okay, I feel better. But there's certainly always some solutioning and problem solving there too, which is just incredibly helpful.

And the amazing part of sometimes in those signal chats you get a message from somebody that is hey, heads up, there's this weird thing going on.

Is it, do you guys have the same weird thing going on? And that turns out to be a huge deal. Being able to get ahead of things that are not going to be great. That happens all the time in that chat.

All the time. All the time. One of my routines is when I drive to work in the morning, I'm listening to my news podcasts, and even though they're trying to stay on top of the daily news, they're still never ahead of the CISO chat. And exactly right, we're going to hear about things more quickly in our network and understand it better, I think, too, right? Because even if you haven't heard about it, and you talked about this earlier, then you go start looking, right?

So then there's that instant feedback, where with threat intel and news or whatever it is, it's a one time input, until you know quite a bit more. But in the constant chatter it's that kind of back and forth and evolution together, as you're learning these types of things.

Change was a great example of that, of we all went through the same phases together and learning and understanding what was happening, how we were responding, right? And you were able to progress together in that.

It was, that was really interesting to me too, because you're all busy.

Everyone in that Signal chat is busy. And because you're all in there together, somebody was able to go to an H-ISAC briefing and then come back and give everybody kind of notes from what happened. Or, I just had an opportunity to sit down with Change, or somebody from Change, and here's what they told me.

And that conglomeration of information was way better than anything you were getting in the news. That was not stuff that was generally available. You were really just picking things off. People were just popping these little stories in on you that were real time, like news reporters live in the field.

It's we're all coming up with ways to solve problems and fix things. And who are you using for this? And I love that that thing about our community or, the CISO community.

You bet. And I think it's good, almost, as you're trying to bring new people into the CISO community or new people into healthcare.

As I have the opportunity to meet them, one of my first questions is: how are you connected? Who are you connected with? And so I think, if there are IRIS, FHIR, newer to healthcare CISOs listening to this, it's which groups can I get connected with, and making sure that if they're not already part of those communities, hopefully hearing this is recognizing how important it is for them to really become part of that.

Yeah. The interesting part of a lot of that conversation that I had with the CISOs in this episode was the reality, too, that there were different groups of community. There was a giant Venn diagram in a lot of ways, right? Because there was a conversation about the H-ISAC, and there were other things that people went to, and organizations, associations that people worked with.

That also gave them just a slightly different view of whatever was happening, and all that perspective was good. Exactly. I think the one that surprised me the most, which I thought, oh my gosh, that's absolutely genius, was Teresa mentioned that a really important source of intelligence for her is her IT teams, right?

And relying on them to share things from the vendors or whoever it may be. I think she's the only one who really, in my mind, thought outside the cyber community, right? Everyone else was very much focused on cyber or healthcare, just in general, with AHA and IHA or whomever it might've been, and her thought was, no.

I go to my IT partners too, because they're part of this. And I just thought that was such a cool call out.

We talk about this often when we're together at a summit, but the partners, to blow the partners' horn here for just a second, all those who were involved with, they're often involved with a hundred health systems or whatever.

And they do have their fingers on the pulse, often. And so there are also people who will hear some signal in the noise and realize pretty quickly, that turns out to be really important, let me tell all of my partners, or some of them will blast it out, even way beyond their partners.

Just, here's a thing you should know about. I love that we continue to build a community where everyone's really trying to take care of each other, and in the taking care of each other, we're also taking care of patients and families.

I completely agree with you. And honestly, I'm just, I feel so fortunate to be part of it.

It's a really cool community.

So tell me about the stuff that you're listening to. What do you listen to as you're driving to work? What are the shows that you're listening to? And then what are the, what's the other stuff that you're reading or you're picking up on?

You bet. Obviously Two Minute Drill, This Week Health, love the podcast.

Some of the ones that I listen to, I have a very short commute on my way in. Thankfully I don't have much time, but I like Cybersecurity Headlines. I hit them up every day, making sure, and I love the tagline at the end, which always ends with "have a super sparkly day."

So love that. It's fun. Cybersecurity Today is good. There's some Canadian influence there, but I think it's good to get an international perspective. I've got a bunch of others, but those are the two that at least every morning on my commute in, I've got them covering my cyber news before I move on to some other ones.

You'll have to send me links to those, or when we post this, then you can post in the chat the links to those. Yeah. Because it's always good. I just did a best of show or something last week, like other podcasts that I listen to. And I got notes from people who are like, why are you advertising other people's podcasts?

And it's the same conversation of, I don't care. I'm part of other associations. I do other things too. Let's just figure out how to make each other better. That's really what we should be worried about.

I think the value, though, and Greg brought this up when you met with him, the value in what the Two Minute Drill offers is that it's that aggregator, right?

If you don't have time to go listen to everything else, which we don't, we are truly so busy, we know Drex is going to tell us the things that we need to pay the most attention to. So that's what's valuable, right? You don't have to listen to it every single day or you don't have to connect every single source that you've got just to have a quick hit on, here's what I need to make sure I'm aware of.

A lot of people don't know this. I don't know if you know this or not. When I was an independent consultant, one of the things I did was something called 3XDREX, and it was a text message that people could sign up for, and I would, every other day, pick out three stories that I thought were the best stories, and I would send those links to those stories through this 3x text.

So when I came to This Week Health, I told Bill, I think I want to turn that into a show, and that turned into the Two Minute Drill. And yeah, so here we are. Maybe we should rethink

the text, though.

Rethink the text. We've talked about that. We've talked about that idea.

So we'll see. I think you should.

I think you should. It would be, it's the one medium of all of the ones we've talked about that isn't being used yet.

Yeah. It's also one of those safe places. And I'm not you, but when I talk to people and they give me their text message number, I always tell them, this is for me.

I'm not going to put it into a CRM system or something like that, because I know I hate getting those text messages too. So

yeah, opt in,

opt in absolutely.

Whatever it's called in the future.

Anything else you want to talk about from that list? There were so many good comments in there.

There were great ones. H-ISAC got brought up a lot, but just that culmination of H-ISAC, CHIME, CISA, just good calls and all of that. I loved, you know what, Steven brought up LinkedIn. I love LinkedIn for that, because if one of my peers is talking about something on LinkedIn, yeah, I'm more likely to pay attention.

Than if I'm just scanning a Google website, whatever it is, right? Some random search page. I'm going to pay far more attention if one of my peers highlights it. So I thought that was a really good call as well. But yeah, I think at the end of the day, it was right. It was really about people.

It really does come down to the network. Like one of my favorite things is I have a Google search set up and it looks for certain terms like hospital breach or things like that.

But, and you guys don't know this, but I also had your names, many of your names, many of our community names are in there too, because I want to see if you're writing something and it shows up on a website, I want to go read that. But that's a

lot to sift through.

It is a lot to sift through.

You

It's definitely a part of my job, and I don't mind it. I like to read. I read a lot, like before I go to bed, I read first thing in the morning as I'm having coffee. I pound through a lot of stuff, and that's what I synopsize into Two Minute Drill and some of the other stuff we do. I don't mind it.

I like it. I love it. I'm a newshound anyway, so it works for me.

But it works for us, too, because you doing that saves all of us time, and doing that when you're sitting down pounding coffee in the morning and reading, I'm getting two kids ready for school. And then by the time I get to work, it's complete chaos.

So I appreciate the way that you live and work and what you're doing, because it certainly helps me.

Thanks. I appreciate that too. I don't know. I think that's it. We have anything else we need to talk about?

I thought this was a great topic. I loved everyone you brought on. I thought they did a great job sharing.

You and I will continue to talk about this. You often make suggestions for what some of the questions should be for the shows that we do. I would invite others to send us notes too and say, this would be a good question, I'd like for you to ask four or five CISOs this question. So if you've got those kinds of interests and you want to drop us a note, DM on LinkedIn, or again, drex@thisweekhealth.com, and we'll put those in the queue. Thanks for being on the show today. As always, I really appreciate it.

Have a good weekend, Drex.

That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.
