This Week Health


February 10, 2021: Cybersecurity. Don't roll your eyes. This is serious stuff. There are stories out there of systems having been breached for over a year before anyone even knows about it. Karl West, former CISO at Intermountain, has moved over to Sirius Computer Solutions. He guides us through everything from architecture to governance, from incident response and risk to e-discovery, forensics and artificial intelligence, to compliance and identity and access. How do you catch security breaches efficiently and quickly? It starts with architecture. You MUST build programs, tools and processes around detection, response, and recovery. What about good governance? What about compliance? And what are the best methods out there today to ensure the person in front of the keyboard is someone you want on your system?

Key Points:

  • The NIST framework [00:08:40]
  • The clearly defined response to security is people, processes and technologies [00:10:55]
  • There are so many different reporting models and governance models. Where should cybersecurity report to? [00:17:05]
  • What is your tolerance for risk? Not the CISO's tolerance. What's the business tolerance for risk? [00:21:30]
  • Our security team was so busy responding that they were not able to be proactive in any way [00:27:05]
  • Identity and access. Identity is the new perimeter. [00:31:05]
  • Identity is making sure that the person on the other end of the line is who they say they are [00:33:55]
  • Incident management and threat and vulnerability are the bread and butter, the block and tackle of cybersecurity [00:42:15]
  • Sirius Computer Solutions

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.

Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Today's show is a deep dive into cybersecurity, so it would make sense that today's sponsor is Check Point.

Check Point is a complete cybersecurity solutions partner for healthcare. They have solutions around network security, cloud security, mobile security, endpoint security, and security management. So if you are looking at solutions in this space, you're gonna wanna look them up at checkpoint.com. Karl West joins us today.

He is the former Chief Information Security Officer for Intermountain, and he has a new role; more on that in a minute. We cover nine distinct topics in cybersecurity and security in general for healthcare, and he just nails it. Phenomenal discussion. I think you'll get a lot out of it. Your response to Clip Notes has been incredible.

And why wouldn't it be? You helped create it. Clip Notes is an email we send out 24 hours after each episode airs, and it has a summary of what we talked about. It has bullet points of the key moments in the show, and it has one to four video clips, so you can just click on those video clips and watch different segments that our team pulls out that we think really capture the essence of the conversation.

It's simple to sign up. You just go to thisweekhealth.com, click on subscribe, put your information in there, and you'll start receiving Clip Notes after our next episode airs. It's a great way for you to stay current. It's a great way for your team to stay current, and a great foundation for you and your team to have conversations.

So go ahead and get signed up, get your team signed up, and begin getting Clip Notes after the next episode. Special thanks to our Influence show sponsors, Sirius Healthcare and Health Lyrics, for choosing to invest in our mission to develop the next generation of health IT leaders. If you wanna be a part of our mission, you can become a show sponsor as well.

The first step is to send an email to partner@thisweekinhealthit.com. Just a quick note before we get to our show. We launched a new podcast, Today in Health IT. We look at one story every weekday morning and we break it down from a health IT perspective. You can subscribe wherever you listen to podcasts: Apple, Google, Spotify, Stitcher, Overcast, you name it, we're out there.

You could also go to todayinhealthit.com. And now onto today's show. So today we are joined by Karl West, the former Chief Information Security Officer of Intermountain Healthcare, but that's not his current role. Welcome to the show, Karl. I appreciate you joining us.

Thank you, Bill. It's good.

And it's an honor to join this group. Appreciate what you do for healthcare and IT.

Hey, I appreciate your comments. This is sort of a coming out party for you. You recently made the transition after being at Intermountain for many years, as you know, in different roles, but as a CISO predominantly. You're now with Sirius. Talk about the transition and what you're gonna be doing with Sirius.

You know, I chose to leave Intermountain in December and have connected with Sirius Health. They have a great team, great leadership. I enjoy the connection and they have a huge focus on healthcare. It is a strategic direction for them, so it connected well with me, and what I hope to be able to do is share some insights from the last few years I spent at Intermountain on a strategy team there, looking at healthcare strategy, the changing environment, what's going on, and helping healthcares as they try to balance and blend cybersecurity with all these new and evolving themes in healthcare: the need to digitally transform the healthcare environment, the need to connect with the consumer, and how healthcare has been set up is changing very quickly, Bill.

Yeah. So this is gonna be a fun conversation. I'm gonna ask you for some free consulting and share it with the community. I have a series of questions on everything from architecture to governance to incident response, risk and compliance, identity and access. We're gonna march through about nine of these topics and I'd love to get you to just, you know, comment. We're not gonna be able to go in depth into any one of them, but just sort of like a verbal exam that I'm gonna give you on cybersecurity and the state of that in healthcare. Are you ready for this?

You bet. Those items you just hit, those are hot buttons for every healthcare, so you're going in a great direction, Bill.

All right. So we'll see. Let's start with architecture. Architecture's one of my favorite conversations. How is it changing, or how has it had to change with new threats? I mean, really, COVID and whatnot. We've got just a whole host of new things.

I think how it has to adapt and how it's adapting are two different things, Bill. Architecture, engineering of cybersecurity has to be at the forefront of every organization. And I would say if you look at key things, this ability to identify threat, to protect against it, the ability to detect it, all begins upfront in architecture.

And I would tell you, I think a couple of things are key. Number one, third party has to be divided into two buckets, pre-purchase and post-purchase. And by that, what I mean, Bill, is what do you do before you purchase the product: an examination of the company, the product, classification of the data that's in use, understanding the risk classification pre-purchase, putting that all into what I would call a vendor inventory, where I list every vendor, every product, what's the classification of the risk associated with that vendor, what is the data, where is it in motion, and then affecting the contract. That's what pre-purchase security architecture is all about.

And then if you shifted and said, what about post-purchase? We can't neglect that. We've seen too many healthcares who have had partner breaches, and in those partner breaches, what HHS and OCR are expecting, and what we have to do, is look at some type of mechanism to examine what are they doing after we sign the contract? What are the controls? Are they maintaining the controls? And so a third party assessment team, security architecture, has to have the pre-purchase and the post-purchase. And in that post-purchase, there are now today, Bill, many organizations that are offering, like credit bureaus, monitoring services to tell us what's going on over at partner X or Y. And if you have a breach, you certainly ought to be having in that post-purchase some type of analysis. What did they do? What did the breach look like? How did it affect me? Did it cause harm to services? And so those two elements of security architecture are key.

And I would tell you, Bill, I think if you looked at the balance and the blend of an organization in security today, this is the heavy. This is the big and the important. This is where basic block and tackling will get done: understanding and putting controls around every product, every development activity, everything that happens, and then having another team to post-purchase monitor, and using some services so that doesn't become too heavy. But I think this is the lion's share of healthcare security today, and in the past, most of our efforts in healthcare focused on let's just have some tools to protect us. Let's have an endpoint protection tool. This is the future of getting a good strategy into place, Bill.

Yeah. You wouldn't start building a house without a good architectural diagram. In fact, in most places, you're not allowed to build a house without a good architectural diagram. Essentially where we're talking about stepping back to is, is there a framework that you adhere to more than the others, in terms of the NIST framework or other frameworks, or are you just more of a proponent of pick one and use it?

Boy, you hit on one of the Achilles heels of healthcare, Bill. There are so many frameworks that are out there and most organizations have adopted some type of a CSF, a framework that does a crosswalk for you and maps everything. I think in general, I like to recommend, and I use and have used, NIST as the basis because HHS, OCR, Homeland Security, the FBI, the FDA, all the large Washington organizations have adopted the standard.

Many people will say, what about the gaps in NIST? And you know, I think I'm a proponent: become active, reach out to NIST. They're a very participatory body and you can share with them. Well, I looked at covid, I looked at ISO. It had this; NIST lacks this. They're working very actively and I've been meeting with and talking to NIST folks for the last three or four years, sharing some gaps, but I think in general, they're filling those gaps. They're trying to make it. It does not get to the technical detail. That will be the thing that people will say: it doesn't get too deep technically. I think in general, all of the work I've been doing from risk assessment to architecture, I try to build it around the NIST framework.

Yeah. So this is gonna be a test of discipline for me. But as a CIO I have a couple questions for it. So breach and incident response is the next category. And you know, there are stories out there of systems having been breached for over a year before they even know that they've been breached. And as a CIO, if I were to hire you as a CISO, I'd wanna know how do you ensure that story isn't gonna be written about our health system? I mean, what...

Yeah, that is such a great question, Bill. And it is the thing that is our concern. There are healthcares that are taking months and months. I hear some reports of eight to nine months before they understand that they have been breached. And I think the response is clearly defined: people, processes, and technologies.

It's a thing I've been talking a lot with Sirius about. What we've got to do is help organizations find the people, the processes, the technology that prevent the expansion. You can't prevent an event. You have to be able to quickly detect and mitigate the effects and resolve the incidents, and I think it's critical in this process to have clear strategies, defined playbooks and processes. If I were to give you a few one, two, threes: Number one, start with some playbooks and processes. Define what are the common incidents that are happening? What does the process look like? I wouldn't start with technology, but you have to get to technology. Get the people and the process in place, the playbooks.

Get an enterprise strategy in place for your identity, for your multifactor, for all your significant privileged accounts and account management with vaults and safes. Get good sources for threat intelligence. You see, all these things we're talking about right up front, they're people and process. Threat intelligence, something like H-ISAC, the FBI, there are numbers of good sources for threat intel.

Develop a defense in depth strategy. It's not a product, it's a strategy, but develop that strategy over in your security architecture team. Organize and participate with your team in regular phish tests. Work heavily in identity. Understand the identity, the motion of the identity. Use the network, the endpoint, the server monitoring.

Now we're getting into tools. How do you manage that identity? How do you manage the network? How do you detect events in these places? I'd suggest, to prevent these breaches, another kind of key that comes to my mind is having some good sandbox technology, something that's going to prevent every email from coming into our mailboxes, because today 70, 80% of what comes into the mailbox is either spam or it is a phish attack. And today, I don't know how you tell the difference. So what we've got to do is just help our caregivers, help the doctor, help the nurse, because they can't detect. Get a sandbox technology, then have a tested backup strategy and some detection and monitoring that gets put into place, because clearly, to your question, Bill, to prevent this you have to have good detection and identify these things in minutes instead of, as we talked, days and months.

You know, so when I hear that as a CIO, I hear dollar signs, 'cause the first thing I hear is I need a... and I do this everywhere else, right? I need a dev, test, prod, so I can move things in and do the appropriate level of testing. And I know that that's best practice. We've been taught that since, you know, we were in college, for heaven's sake, and then we get into healthcare and we're like, well, we can't really afford three levels, so we'll do two. Or, you know what, our testing is really done by the vendor and when they send it...

It's funny, when I hear people, process, technology, my mind sort of shuts off, and it shouldn't shut off, 'cause in security there's a vigilance aspect, and when you do the right education... I remember we did this system-wide education program on cybersecurity, and you know, people were rolling their eyes when they had to go to it and that kind of stuff.

But then I started receiving the emails. Hey, you know, I noticed this. I didn't access this information, or I didn't access this file, or I got this email. Is this a problem? And what we did is we turned 20,000 people into, you know, part of the organization that's standing on the wall looking for incidents that were happening. And so the people and the process was incredibly powerful in that whole paradigm.

Yeah, you hit that so spot on, Bill. And while I mentioned that, and it does cause eyes to roll, in fact, what happens in healthcare is because we're a little bit behind compared to other industries, the financial, the retail, the defense industry. We're way behind. I shouldn't say a little, because we're behind. We have a propensity and a tendency just to go buy some product and throw technology at it, when in fact, if you take a little bit of time upfront before you engage in the technology, get, as we said up front, the security engineering happening, get the design, get the process, get the playbooks put into place, it can save you on the investments significantly, because people are your key resource. I used to tell our leaders at Intermountain, if we can get people engaged, they're gonna catch a high majority of these phish attacks that are coming in. And if we just have people do what you just said, learn to spot something and say, wow, something's different today. My computer's running incredibly slow, or I got this email and it asked me to do this. Does that seem right to you? Now I have the canary in the mine that can tell me, before something goes dead wrong, we have a problem. And technology can certainly become a part, and it is critical. I wouldn't underestimate how important technology is, but engaging our people, every nurse, every physician on the front line, they're busy.

If they'll just take one minute to say... and we put out at Intermountain a little mailbox: if you see something, say something. Send it to us. Tell us. We'll take a look. Our team will get back with you. And that's the power of the people. They can help so much in this security issue. If you see something, say something.

Governance. You know, this is one of my favorite topics. I get this question all the time, like there's a magic governance model or a magic reporting model that works. And I've seen a lot of different ones. Let's start with reporting. What reporting relationship makes the most sense for the CISO? So I was a CIO. The CISO in my organization used to report to me.

I moved them out, and that was a recommendation from Deloitte, I think. And it made perfect sense to me that they were a peer. So I was responsible for implementing security, but governance and those kinds of things as well. Is there a better reporting relationship for it?

I think, Bill, I've been asked that many times and I have talked to many CEOs about this question. Where should cybersecurity report? In every healthcare organization that I've talked to, at CEO, CFO, CMO level, it falls high on the risk list. It's number one, number two, number three of every organization's risk inventory. That doesn't mean that there's a good or a bad model. I think the good model, Bill, comes down to how is the organization structured? And so as I talk to organizations, I don't see a magic model, but what I do see is I need to understand: there are decision makers, there are leaders who are making things happen in the organization. Cyber has to be tied into that environment, and it may or may not mean that you shift it. There are pros and cons, and I have looked at five or six models, from reporting it into finance, reporting to the COO where all the nurses, the physicians are, that COO model, there's the legal model. There are numbers of different models, the compliance and privacy model, where it could effectively report. What has to happen is that healthcare cybersecurity has to become an enabler and not a barrier. And today, many times when it gets lost in an organization, whether that's under the CIO or whether it's up under legal, whether it's over under finance, if cybersecurity gets disconnected, then the cybersecurity leader starts to feel anxious, threatened, and starts to push an agenda that oftentimes becomes a barrier and not an enabler.

And so I think there are a couple of key things. Number one, you have to align cybersecurity with business, with medical, with strategy. It has to be aligned. Where it reports isn't as important as creating alignment. Cybersecurity has to have a framework and a mindset of, we are an enabler to business. And if cybersecurity comes in and says, this is a threat, this is a risk... first, what cybersecurity has to do is understand the business, understand the vision and the value of the transformation of healthcare and digitization and consumerization, and then, instead of Doctor No in the organization, they have to become: let me show you how. I would challenge every team, don't say no, because if you say no, informed, educated leaders like physicians are going to find a way to do what they need to do to deliver clinical care, and when they find that way, it may be worse than the way you just said no to.

So what I would do is establish a governance approach that fits the organization. Look at the leadership. In some organizations, one leader has more voice than another. Find that organizational model. Pull together five or six key leaders that include a CMO, a CNO, a CFO, a COO, somebody from legal, somebody from clients. That would become a good governance body for cybersecurity. The chair of the group should not be the CSO. The CSO is the advisor. He's the educator. She becomes the person who informs about what is risk and has to do that in the context of what is the business strategy.

And so in this idea, I think a couple of things become very key. Number one, understand the tolerance for risk by the organization, not the CSO. The CSO doesn't determine, she or he doesn't determine, the tolerance for risk. The business does. That's what governance is about. Number two, if we understand what's our tolerance for risk on a set scale, one to 10, then what is an appropriate spend for our organization for cyber? Understand your tolerance for risk, understand your spending model. What are you spending? What are others spending? What should you be spending? Not let me just have more money, but what's appropriate for what we're doing? And then understand your maturity as an organization compared to all of healthcare.

And then I would want to go further, because the maturity in healthcare isn't the best measure. It's like comparing yourself and saying, I am the best of the worst. What you ought to do is say, let's see how we compare against finance, against defense, against retail, and how does the organization want to spend, and what is the appropriate maturity for the organization? So those ideas, those last three ideas of tolerance for risk, the spend, the maturity of the model, those are the kinds of things that become governance questions that a body of leaders, including a CIO, has to answer, because no matter where you report, the CIO team is the hands, the eyes that are gonna be our best canaries in the mine. They're gonna be our enablers. So even if you aligned outside of the IT organization, you would have a definite uphill sled to try to create a good partnership over with IT ops and IT networking and the DBAs, the SAs. They have to be a cybersecurity partner.

Yeah, I love that. Our CSO came in, did that analysis of our organization. He identified a framework. We had eight pillars that we were moving things up and down on. And prior to that, essentially I was deciding where we were gonna spend stuff, and our compliance and risk officer was really setting our threshold for risk. We didn't have a real governance model, and so...

And I remember sitting down with him and having conversations around budget season, and we would talk about, okay, this investment. And he'd go, okay, that's gonna take this dial up. We had the eight pillars. He goes, that's gonna take this dial up, but we're gonna have to probably invest some money in security controls. And we had all these different pillars that we were playing with and we were trying to adjust to the, again, the governance group had decided, hey, here are the areas we want, after we educated them, which was no small feat. You know, these are the areas we think we need to be more in line or to be pushing this forward.

And to be honest, I mean, zero to five scale, and a lot of 'em, we were, you know, I think our highest was a three and most of 'em were twos and ones in terms of benchmarking against other industries. And we were just looking at it going, okay, how do we move this one from a one to a three? And this one... It was an interesting conversation, but good governance brings the whole organization into it, including the board, to help make those decisions.

Yeah. And Bill, even if you get it directly reporting in IT or in legal or in compliance, that doesn't really matter if the governance has shifted so that another body feels empowered to make decisions around what is the budget. Legal shouldn't make that decision, but neither should IT and neither should compliance. A governance committee should set that threshold based on an educated understanding, and you made a comment about getting an assessment. I think key to having good governance is having a good assessment. Most of healthcare is taking that assessment, a HIPAA assessment, or a SOC 2, or HITECH, and they're doing it internally, and that jades the response. It also puts the CISO, whether she or he is good or bad, doesn't matter, as a lone voice. But if you can get a qualified, like you said, I heard you mention one of the big four firms, if you get a larger firm to come and do a qualified assessment, somebody from external who can come and tell you, this is the real risk, and here's a comparison for you of where you fit.

And then if you always put that in the context, what is our business strategy? Where are we going with consumerization, digital front door? Where are we going with all of our strategy, M&A, and how does all of this fit? What is our tolerance for risk? Not the CISO's tolerance. What's the business tolerance for risk? Then you'll have a successful organization. Much of the failure in cybersecurity is due to getting misaligned and thinking cyber drives, when in fact it is an enabler of the organization's strategy, and that's what the governance has to do, is make this be an enabler. We'll get back to our show in just a minute.

We have something really exciting happening at This Week in Health IT, and I can't wait to tell you about it, but I'm supposed to wait for one more week. We've had the conversations, we've asked the questions, and now we finally feel like it's time to take the next step. I'm looking forward to sharing it with you, but until then, I just wanted to say thank you.

Thank you for your continued support of the show. Thank you for listening and joining with us on our mission of raising up the next generation of health leaders by amplifying great thinking to propel healthcare forward. Now back to the show.

So risk and compliance. I'm gonna have to move a little quicker through these topics, but risk and compliance was the next one. We got into this weird trap. We had an internal auditor, an external auditor. So we, you know, health system, six and a half, $7 billion health system, so we did have an internal and external auditor, and the trap we got into was our security team was so busy just responding that we were not able to be proactive in any way.

And we were, you know, so the internal auditor would audit this or audit that, whatever, and they'd come back with their findings. And then we would mitigate those things and the team would be working on those. The external auditor would come in, you know, a couple times a year and they would do their thing and give us things. So they were constantly working on a list: hey, you need to bring this up, this up, this up. But we never got to step back. I mean, does compliance drive the security program, and what level of risk should we be looking at? What's the right threshold?

Yeah, some great questions, Bill, and I think those are the things that frustrate and stall out the program.

What I would share with you first, on the question of compliance and who drives the program, there are two sides of this. There are the naysayers who say good security is not about compliance, but I would say compliance is an integral part of your program. If you don't have compliance, you can't have good security. But if your program is based on compliance, you'll never achieve a good posture, a good maturity. So compliance has to be an integral part, as does privacy, and sometimes those are separated in organizations. I think as you look at risk and compliance, I would share with you that when the OCR comes in after a breach, when the FBI takes a look, the first question they're gonna ask is: show us your risk inventory. In many organizations where I have been engaged consulting, the risk inventory was a product that looked like I could have found it out on Google. It was not a good sample of the real risk inside that organization. Real risk is associated with the business, its strategy, its products, its projects, and having a real risk assessment completed with hard-hitting...

You know, I think there are many organizations who are afraid to hire somebody because they'll be told that you get a D on the scorecard, you get an F. I'd rather have that and then have a program to be mitigating than to not note the real risks associated inside my organization. And the way that the OCR is working, if I have an inventory of the risk and I develop plans to mitigate that risk, I don't have to solve everything in a moment, in a day or a week. I can put a plan together, begin, and take real steps, actionable steps, to bring us to a mature posture, not just compliant but a mature posture. And then the balance, the threshold: I heard you ask the question, can I mitigate a hundred percent of risk? I think what we can do is look at risk from the perspective of: some risk can be mitigated. Some risk can be avoided through partnership. Some risk could be transferred, and some risk we'll choose to accept. And those are business decisions.

So four approaches in my mind to addressing risk. And will we ever reach 100%? I think in most organizations that I look at, most folks are following a methodology using NIST and a critical, high, moderate, or low rating. Take a look at the risk, rate it, determine that it's critical, determine that it's low. Based on that, throw resources at critical. Don't throw resources at low. Make sure someone in your organization has the assignment to tend the farm, manage the assets associated with low and moderate, but there ought to be projects and tasks associated with the high and the critical risk that gets identified.

Does that help Bill? Yeah, absolutely. I like the, the four ways to look at risk. That's, that's fantastic. Identity and access. Identity is new perimeter. I'm sure you've heard that. I've heard it at least a dozen times last year on the podcast. My first question is, is there a. Yeah, I have used that phrase a number of times and have spoken, and in fact, at my former

Employer I took perimeter and had it report into cybersecurity, which is not a traditional approach. You as ACIO know, you probably had I the perimeter over under probably a network team or something like that, which is a traditional kind of approach. I pulled it under cybersecurity. I also pulled identity in because identity is

The new perimeter. It is the way that we detect, and if you look at what happened in Covid and every organization moving to remote, the perimeter was lost. Prior to covid, most organizations had began to move large portions of data, maybe the EMR, maybe the enterprise resource planning. Maybe imaging had moved into the cloud, so a piece of the data had already moved outside, but the workers were inside the perimeter with C-O-V-I-D that all shifted.

And, and by the way, with, with a transformation strategy, that's very common. As I talked to healthcare CEOs, they want to do any person, any place, any time. That type of care delivery model means you will be outside of a traditional perimeter, the caregiver. She may be at her home and the care receiver that that patient

He may be on the mountain skiing when he picks up a device and calls and says, I fell. Here's what it looks like. Look at this contusion and tell me, do I need to see a doctor? Do I need to see, get an X-ray? And, and that model means that, yes, I think the perimeter is lost. And what we have to protect us is the identity.

And I think if, if you look at this whole question, . That, that you're asking around identity and access. Identity does become a new provision. A, a new, a new. So, so I identity is making sure that the person on the other end of the, uh, uh, line, the other end of the transaction, uh, the other end of the line is who they say they are.

It, it is the credentials that they have given us. Is that? Is that what we're, when we say identity is the new perimeter, is that what we're saying? Yes, exactly that. Who is this person? And not only that, but I think it's more because if you think of how do you protect, it has to be who are they? It has to be where are they?

It has to be, what is their role and is what they're doing appropriate. So the location affects me because if I see that, uh, Bill is dialed in today and he's remote, what is he doing? What is the function that he has and is that ? Function. Do I know what the function is allowed to do and do I know what it's allowed to do geographically?

So I'm gonna apply controls and set a perimeter based on who's the user, where are they? What's anomalous behavior? If Bill has never done this before, I need intelligence inside my systems, my engineering systems. That, that my architects have engineered that tell me this is not what Bill normally does.

It's anomalous the amount of data he's moving, the systems he's accessing are different. The location he is at is different. So, so, so this is like, when I go on a trip, I have to notify my credit card company, Hey, I'm, I'm going overseas. So that they can, I can flag that behavior as, okay, this is expected behavior.

Yeah, that's exactly correct, Bill. And not only that, not only should you flag 'em, I, I think our, our processes have to change so that you don't need to call me. I know I have intelligence. When you connect, I know what device you're on. There's, there's logic and, and I pick up every time you log in from cookies, from other technologies, I can pick up 20 to 30 things about who you are, what you're doing.

What your time zone is, what your geolocation is based on that intelligence. I can just force you right now and say you're gonna have to use multifactor authentication if I'm not already using that internally. For sure. It better be external. And by the way, if you're overseas, I'm gonna need to have you do VDI.

If you're at a geolocation I don't understand in the US, I'm gonna put VPN in front of you. And so those are controls that we architect solutions for, and you mentioned architecture right up front, and that's defense in depth where I say, I know who this person is. I know about where their location is. I check their access, I check their role, and I provision them appropriately.

And this identity and access, I think is, is, has to become a cybersecurity function. There has to, has to be a strategy. It isn't just about let's go buy, uh, an IBM, an Oracle product, a SailPoint product. That's not the solution to identity. The solution is understanding the provisioning, the governance of the identity.

How do you audit? Who's using what, where, when? How do you do attestation for HIPAA? How do you do authentication? How do you do monitoring of those things? And privileged account becomes a part of the identity strategy. So if people are looking at that, seven or eight pillars that have to be looked at, and it doesn't have to become

Where we roll our eyes and say, oh my gosh, that's gonna kill us. We can build this program over three to five years. We just need to set a strategy, set a course, and say, this is a big thing. It will take us three years, five years to complete this type of a good strategy around identity and access and a new perimeter.

All right, so you've got, I've got four topics. We're gonna do this in eight minutes or less, which means two minutes per topic. The first. Do, uh, you know, uh, one of the things that drove me nuts, do we get to throw anything away anymore? What drives our retention strategy?

I think yes, the answer is yes. We do throw, throw some things away, but I think we have to look at legal and regulatory and spend time with attorneys, compliance, to understand what we retain for what period of time.

And, and then probably this also means that in your organization, if you don't have an eDiscovery and a forensics team, you probably need to have a retainer with a good firm because you will need to recover and someone's gonna come in and say, I want to see. If you have policy and you have legal justification, I think you're okay to say.

Our policy says we retain for children 21 years. We retain for adults seven years. This is our policy, but you're going to have to have clear policy and then you're gonna have to have teams to help you to support all the litigation that's going on in healthcare around eDiscovery.

So it's interesting.

Forensics was the next topic and, and so is one of the things, I mean, we used an external firm. We were a fairly large IT organization that was inter, but external firms for discovery and forensics, all the.

I think it is, but I do think many organizations are acquiring this expertise internally. Our legal firm came, our legal, uh, attorney's insight. Intermountain with an external partner came to me a number of years ago and said, I. Why don't we look at bringing the expertise in-house? We, we did an ROI. We looked at the cost.

We, we determined it would probably take us three to four years to pay off, but because of the ramp up, all of the risk in those two areas, eDiscovery and forensics, we paid for this cost in 10 months. What you'll discover if you start down the path is there are more of these going on than you know about, and if you don't have policy, procedure, and process around this, there are probably five to 10 times the number of discovery efforts and forensic collections

than you are aware of. When you centralize and put policy around it, you can quickly pay off the cost. One thing that will trigger this in an organization is when you end up in court and someone presents data that wasn't forensically captured, and you have no chain of trust. You can't demonstrate custody of the data, and so you're not legally sound.

And we had that happen in an organization that I was working with, and the, the, the CFO asked me, what do I say? And I said, you're gonna have to admit you can't prove the forensics of that data. Capture some now, start over. So because of those kinds of things, data had slipped out of an organization sideways.

It wasn't sound. There was no way to demonstrate the forensic chain of trust of the data. So those things, if you start to create policy, you'll find you may want to start to do some of this internally. And there's some little processes and things that we could share with organizations that'll help it to happen less expensively, and the ROI will occur.

If you start to track it all centrally.

So, so four minute warning. We're only gonna be able to really just tap on these last two topics, which is artificial intelligence and advanced technologies. Obviously we could do a whole podcast on this, but what, what, what are you seeing with regard to advanced technologies being used in cybersecurity?

This is really such a hot thing for me, Bill, and I have spent years with my team trying to shift away from technology, physical controls, technical controls, and I challenged my team in 2016, shut down technology. We purchased, use artificial or machine learning, so I was a heavy embracer of this technology years ago.

I think it is the direction in our SIEMs, in our SOCs, in the controls that we're deploying. And, and I think I would encourage, as you're looking at products, as, uh, our, our listeners are looking at products, look to see if the vendor has an AI and machine learning strategy and direction because that's where things are going and we need to be embracing it.

Interesting. So last one, vulnerability and incident management and you know, key components of an incident management approach.

Yeah. If you look at incident management and, and, and threat and vulnerability by, by the way, are just the bread and butter, they're the block and tackling of cybersecurity. If you're missing on these, you're going to have long response times when it comes to detecting and finding things out. I, I think, uh, having.

Pen testing going on, having it internal, having an external. Those are basic things, scanning for, and again, when you do this, you're gonna come up with hundreds of threats. Hundreds of vulnerabilities. Being able to come, come back and say, this is a critical, this is a high, this is a severe, we have got to have those.

And in our incident management processes, we've got to, I think three things that are key. The key components, number one, in incident management. Is, is to detect and you've gotta focus work. Make sure your detection is faster every day. If you could detect something in two days, work to get it to one day work, to get it to minutes detection, number one.

Number two is response. And response is what do you do while you're affected? While some, some service has been taken down. What is the process for your response? Practice that know it, understand the difference between response and recovery. Recovery then is number three. What, how do you recover? How do you spin back up services and transition?

And if you can work on those three components, build programs, processes, tools around detection, response, and recovery.

Well, you, you, you're hired. You know, essentially I just did a, you know, CIO interview, the, the categories I would look at for a, for a CISO and, uh, man, I mean, you, you, you didn't, you didn't skate around any of these questions.

Fantastic. I, I, I really appreciate you taking the time. I appreciate you going into these. In fact, I, if people are, I, I've talked to Sirius about having you back on the show, we're they're of.

We won't specifically do cybersecurity, but we'll touch on it. But we'll just look at the news of the day and I'd love to have your perspective seeing things through a security lens and saying, Hey, that, that represents something. You know, it, it'll give people a picture of, I see it this way as a CIO, and you see it this way as a, as a CISO. I think it would be a, a fun show to do.

I'd love to come and chat, Bill, and thanks for having me on today. It was an honor. I sat with some CEOs and. And we sat and talked everything but cyber, that the strategy of healthcare, where it's going, how do you shift from a provider to a payer point of view? There are great topics and cyber does become key to how do you enable those things.

So I'd look forward to another opportunity. Thank you, Bill, for what you're doing.

Thank you. I appreciate your time. What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. Perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show.

It's, it's conference level value every week. They can subscribe on our website, thisweekhealth.com, or they can go wherever you listen to podcasts. Apple, Google, Overcast, which is what I use, uh, Spotify, Stitcher, you name it. We're out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well.

We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hillrom, Starbridge advisors, Aruba and McAfee. Thanks for listening. That's all for now.


© Copyright 2024 Health Lyrics All rights reserved