This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks for joining us. My name is bill Russell. I'm a former CIO for a 16 hospital system and creator of this week health, a channel dedicated to keeping health it staff current and engaged. Welcome to our device security briefing. This is such a gnarly problem for healthcare leaders, and I'm excited to get into this topic today.

We're joined today by Samuel Hill director for healthcare for Medigate by Claroty. This podcast series is gonna culminate in an excellent webinar on September 8th at one o'clock Eastern time, we're gonna have two experts from leading healthcare systems. We're gonna have Intermountain and children's of LA Eric Decker is gonna join us and Andrew Sutherland.

And they're gonna talk about the challenges and solutions to unmanaged devices. In healthcare, check out more for more information, just check out the description box flow and the registration link. You could also just go to our website this week. health.com in the upper right hand corner. We will have a link to this upcoming webinar.

Love to have you join us. We wanna thank Medigate for giving us some time with Samuel today and for making this content possible. Now onto 📍 the show.

All right. Today we're joined by Samuel Hill director of healthcare for mitigate by clarity. And before working in technology, he spent seven years as an emergency room tech for two different health systems. One of which I was at and lived through EHR transitions both times. Samuel's a husband to one father to four and lives on a rural island near Seattle, Washington, Samuel. Welcome to the show.

It's good to be here again, bill. Thank you for having me.

Are you on the rural island today? What does that mean? A rural island in Seattle, Washington. Is that like in the sound out you have to take a ferry to get there.

Yeah. If you've ever flown into Seattle, then you probably have flown right over the island. I live on it is a ferryboat ride. You have to take a ferryboat to get here. I'd say it's rural. It's actually 15, 20 minutes from Seattle by ferry. But it's rural cuz it is once you get on the ferryboat you feel like you go an entirely different world?

Yeah, I would think so. I've only been up there once I went up to Victoria island which is actually in British Columbia, I believe.

Vancouver island actually, Victoria city on Vancouver island. Yes.

There you go. Yeah. Yeah. Victoria, we did high at the princess hotel. Man, it was not enough food for me, but anyway, I digress today. We're on our second topic. We talked about visibility which is the foundation for zero trust in our first topic today, we're gonna talk about really these holistic assessments that improve the overall security strategy and there's a lot of different ways you can approach this stuff.

You can look at people, process technology, they're all important and should work together. But it's so easy for gaps to emerge. And I want to talk to you about this, this concept of holistic assessments. So I'm trying to figure out where I wanna start here. So what kind of problems arise as a result of starting without these holistic assessments on with your security strategy?

Well, I think a lot of hospitals are on some part of a journey. Obviously we're all trying to improve cybersecurity across healthcare, and it's a never ending job, unfortunately, but I think really kind of knowing where you are at different mile markers or points in time. Can really help guide whatever the next step is.

We've all been a part of a situation where we started off on a plan or we had a strategy for something we get going a little bit, and then we realize we gotta pivot whether it's a big pivot or, or subtle change, there's something that has to change. And how do you acquire the data to evaluate and refresh your strategy as needed?

It can be really critical. And sometimes that data does need to come from outside your organization. Sometimes we're all a little too close to the situation or in the weeds on solving the problems, having a third party or somebody that can come outside that says, let's look at this holistically and help us understand it.

We talked about it in the last episode, how visibility is the first step towards a zero trust strategy of being able to be foundational. So once we have that visibility. About everything connected to the network. We can now start talking about, okay, now what security policies should we be implementing?

We might discover we have significant gaps on our vulnerability scanning tools, or we're not enrolling all the devices that we can inside of a an EDR or some type of agent based solution that those that are eligible for it, those gaps will emerge and we can then take steps for it.

So what are some of the things an assessment look, I mean, you gave us a couple right there. Yeah. That an assessment looks at. I, I assume it does look at the technology the policies the processes that are in place, but it also probably looks at the skill of the staff as well. So give us an idea of what a holistic assessment would Look.

Yeah, it is. You said it earlier, the people process and technology, obviously any security strategy has to embrace that as does security assessments. And so what are the skills of your team? Do you have these ex levels of expertise? Do you need to bring some in or contract some or whatever that is looking at it and saying, yeah, we we're a little weak on this discipline.

What processes are in place? How do you bring new devices onto your network? How do you apply or enforce security policy? What processes do you go to vet and challenge them? And then what technology do you have is, are, are you missing some key components or are some components not talking to each other?

Well is there gaps of information that is not being transmitted from one tool to another? Is there contextual information about devices? know, One thing that we see actually really regular. Is trying to use like a vulnerability management tool to look at medical devices or some of these critical devices, like a radiology device or MRI or something, and they'll run the VM scan and you can't really do that for a lot of devices in hospitals for these medical devices.

So you'll just exclude them, but some of them can, there's a lot of devices that could be included in the VM scan. They have the resource to support it. So knowing what those are, and then passing that information across different tools between them is really helpful to kind of keep the layers, all communicating and working together.

I love the word holistic assessments because there were times where we brought in third parties, they would find a whole bunch of things. And essentially we put that in front of the team and they would read these reports. And if I were honest, Because I didn't focus solely on, on security and those kind of things.

I would, I'd read some of these reports. I'd go, I don't know what these mean, but I'm sure somebody on my team does. And it would turn out that somebody on my team didn't really know what to do with the information. So you'd have the follow up audit and they'd say, Hey, you didn't really fix this. You still have that problem.

So from a holistic standpoint, it's not only finding the gaps. It's also finding the gaps of, Hey, we're gonna tell you all these things, but you might have a gap in actually fixing these things right. As well. So that, I mean, that's one of the reasons that the external third party really makes sense and they have to look at all the aspects of it in order to make sure that it's not just a document that gets handed over and yeah. Oh yeah. We're familiar with that. We know we have that problem, but it goes unsolved or unfixed.

Well, that's where obviously every hospital's concerned about. The talent that they're trying to acquire, retain and keep working for them, especially cybersecurity talent. It's difficult.

We all know this to be true right now. And so there probably are gaps in knowledge, scale certification, or certain disciplines that you might be able to reference or leverage in economy of scale bridge and economy is scale from a third party that would be qualified for that. So that might help. And that we might give you a an immediate near term plan to address some of the things that are found in a holistic assessment.

So what does success look like for an assessment? How do you measure success of an assessment engagement?

Well, we all know how hard it is for healthcare sometimes when you have a big, big problem. So I'm a fan of making 'em really small. So you start off when you get all of the data I'm not a fan of ignoring data. I'm a fan, let's look at everything and then let's pick the most critical things that we could affect in the next three to six months with longer term plans that we're obviously gonna put in place for other things. So I would say success would look like a clearly defined short term goal that we get a project in place. If we have to get funding for it, we get funding for it. And then we have a completion data and an execution timeline that, but we can track towards.

Absolutely. what separates the good from the great, a good assessment versus a great assessment process?

I would actually say investment and not from the frontend investment from the hospital. I would say investment from the assessing agency or the assessing partner. So buy

so, so buy in essentially.

Yeah. I mean, if, if bill, if I contracted you, if I was a hospital and I contracted you to come do an assessment of something in my environment, and you did, you did some great work, you came and you gave a report and you stood up and it looked pretty.

But then I never heard from you again. And I wouldn't be a very useful assessment. I think the investment on the, as assessing organization. So that third party you work with, if they were to cont, if they're continuously invested in helping your business get better, helping your systems get better. That's the type of things that separate good from.

Great. Anyone can come in and tell you, you have problems. Obviously we see the internet is full of people telling healthcare that they have problems. It's the long-term investment. And let's make this better together.

Who kicks off these assessments? Is it the chief information security officer, or is it the compliance people? Where do they generally kick off?

We've found it mostly at the CIO level because they're the ones that look that kind of get a, a wider view of the whole organization across the multiple disciplines of information technology, including security. But I honestly, I've also seen it come from somebody who's maybe at a director level in a hospital that says, I I'm noticing we have some gaps and skills, and I wanna know more, I need to know more in order to make better recommendations up the chain or for budget purposes.

So I I've seen it both ways, but typically obviously an assessment is not gonna get funded unless there's budget aligned to it, which means that you're not gonna get results from it, unless you can put it into the actual plan. So typically there's gonna be some executive buy-in

I mean, clearly we wanna do these assessments prior to an event. Do you find assessments follow an event from time to time?

Obviously we all wanna try and shut the barn door once the horses get out. Right. But at the same time typically yeah. If you can get it in and get some evaluation done ahead of something catastrophic, that's way better. But assessments post significant event as long as they steer away from like, just reporting the obvious and as long as they actually generate some, some actionable things that you're like, oh, actually we can, we can do this. And then those are then those become useful.

All right. Couple of closing questions. Tell me about the services that mitigate offices in the, in this specific area.

So we have partnered with a handful of very well known healthcare, specific technology organizations that provide these assessments.

And so we vetted them and certified them and have put them through the rigorous training that we require. And it's focused entirely upon the devices that connect to your, your hospital's network. And it can be your, it, your IoT, your building systems, and specifically your medical devices. And so that's where they come in and provide that view to your environment with specific guidance and next steps and things that you can do today and tomorrow to make that better.

how important is the healthcare specific?

We all know why in some ways it's because they, they actually realize actually bill, I'll tell you this story. I talked to somebody today and that person did not know the difference between an EKG machine and a patient monitor. You thought because both of them showed the heart electrical rhythm that they were the same thing. And that's the difference between healthcare specialized partners and some generalists.

Yeah. The generalists are gonna look at it and say, it's an IP address. And the right specialists are gonna are gonna see for what it is closing question, where can someone go to find a partner capable of assessing their needs?

Well, we have the list of them at IO slash services, and you can go see that list there. We'd be happy to connect you with some of these that have been again, vetted and trained and we'll hopefully provide longer term value to work together with you.

Fantastic, Samuel, we'll let you get back to your island.

Thanks 📍 bill.

What a great discussion. I wanna thank our sponsor for today. Medigate by Claroty for investing in our mission to develop the next generation of health leaders. Don't forget that this whole series ends culminates with a great webinar that we are going to have, and we have two great healthcare leaders. We're gonna join us. Intermountain, Eric Decker children's of LA Andrew Sutherland. And we are going to talk about the challenges and solutions to unmanaged devices in healthcare. You can check out the description box flow for more information and the registration link. You can also go to our website this week, health.com and look for a link to it in the top right hand corner of the page.

Love to have you join us again September 8th at one o'clock Eastern time. Thanks for listening. That's all for now.