This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Thanks for joining us. My name is bill Russell. I'm a former CIO for a 16 hospital system and creator of this week health, a channel dedicated to keeping health it staff current and engaged. Welcome to our device security briefing. This is such a gnarly problem for healthcare leaders, and I'm excited to get into this topic today.

We're joined today by Samuel Hill director for healthcare for Medigate by Claroty. This podcast series is gonna culminate in an excellent webinar on September 8th at one o'clock Eastern time, we're gonna have two experts from leading healthcare systems. We're gonna have Intermountain and children's of LA Eric Decker is gonna join us and Andrew Sutherland.

And they're gonna talk about the challenges and solutions to unmanaged devices. In healthcare, check out more for more information, just check out the description box flow and the registration link. You could also just go to our website this week. health.com in the upper right hand corner. We will have a link to this upcoming webinar.

Love to have you join us. We wanna thank Medigate for giving us some time with Samuel today and for making this content possible. Now onto 📍 the show.

All right. We're joined by Samuel Hill director for healthcare, for Medigate by Claroty. Before working in technology, he spent seven years as an emergency room tech for two different health systems lived through EHR transitions twice. My condolences and Samuel is the husband to one father of four and lives on a rural island near Seattle, Washington, Samuel. Welcome to the show.

Hey bill, it's such an honor to be here. And I think actually one of the hospitals I worked at, you came in and had to clean up the mess after I left. So that's that's all good there.

Yeah. you did. You were, you were at St. Joe's. did we overlap at all?

I think I left right before you took on the role there at CIO and you got to inherit their their wonderful EHR transition. I think they had just completed,

man. I, I would've loved to have had you there as a partner. Would've been great. We have a great conversation planned this morning. We're gonna talk medical device security in healthcare. In fact, we're gonna talk about it over five episodes. We've broken the topic down.

They're gonna be short. So we're just gonna address a part of it in each one of these episodes. Today we're gonna talk about zero trust. So zero trust. We've talked about a bunch of times on the show and the reality is that. The threats in healthcare are getting much more complex, much more broader attack surface if you will, it's harder to know where all of our devices are. It was hard to know where they were before. And now it's extremely hard to know where they are. I, I guess I'm gonna ask you the question. I've wanted to ask people for a while, which is, is zero trust, even achievable in healthcare.

I think you hear that phrase so often there must be some kind of monetary reward for companies that talk about zero trust.

I agree with you. I have heard it thrown out as the buzzword. Like we practice zero trust. I'm like, okay, what does that mean?

So, I mean, we understand it, right? Zero trust is something that I think it's a useful concept. It's a, it's a great ideal state that we can all kind of shoot for and aim for. But really it's it's how do you get to that zero trust state?

Whether you call it zero trust, whether you call it something else, whether you just call it best practice security. I, I don't know. I don't care what you call it. The goals are that we get to a place where we do really understand the things that are connected, how they're connected, what they're doing, their identity, their limited access, the monitoring, all the things that go into what zero trust would say. Really I think it's useful, but you know, used with caution used sparingly.

And one of the things we've talked about, you and I have had a couple conversations about this and a bunch of 'em aren't recorded. So I'm glad we're finally recording some of this stuff. But it's, it's visibility into the environment, right?

And we've, I've shared this story with you at St. Joe's. We didn't have visibility into all of our medical devices. In fact, the medical devices didn't even report into me. But from time to time, they would come to me for an audit and say, Hey, do you know where all your devices are? And can you provide us information on all these things?

And the team would just look at me like that is a really hard thing to do. So talk to me a little bit about what visibility looks like and what it means.

Well, I think it really has to be a starting place, cuz you're right. If you don't know what device is out there or kind of where it is or anything like that. If, if you're not certain. That it is connecting to your network. It's really hard to apply anything, any security technique against that device, whether it's you put a whole list out there. So visibility understanding what devices are there and are connecting to it, to the network.

Very, very important. I'll say it this way though. I think seeing network traffic, there are a lot of tools that'll help you see network traffic, and you'd probably have multiple multiples of them inside of most hospital environments. So the seeing of traffic is, is pretty easy to do. You can see that there's something communicating, but knowing what that device is like with a real deterministic view, that's where visibility I think needs to separate itself.

And so it's not one thing to say, Hey, we see thousands of network traffic streams happening. It's understanding this specific device that happens to be in this specific location, using this specific, whatever, whatever other data points you would collect. That's where visibility really needs to separate itself. Because with that additional data is how you then begin to take the steps in your security program to do the right things by that device and by your network in your organization.

Well, I, I remember looking at one of the reports and there was a whole stack of things called unknown device. It had, it sees an IP address. It sees it doing something on our network and it, it knows it has an operating system of some kind and it, and it just goes, yeah, but you know, I, I can't tell you what it is. I just know it's an unknown device. Well, what that triggers at least back in 2011. And I don't know that it doesn't trigger this today is all right. We gotta figure out what all those devices are. How does, I mean, how do you get past that, that barrier?

Well, I mean, the way I look at it is being able to understand the network traffic. So visibility again, you see that those are there, that whole list of unknown devices, the network traffic can tell you a whole bunch about the device itself.

It tells you an incredible treasure trove. Of data about a device just by looking at the packet that it sends. So if you can look at the packet, you can start to understand with greater detail what that device actually is, and hopefully make that list a lot smaller, cuz you're right now some network technician or some staff has to go walk around, find a device, do a whole bunch of manual checks, write down a bunch of information and hopefully go input it into whatever record of truth you're keeping, whether it's your CMDB or whatever it is.

And hopefully it stays accurate. That's that's really the trick. But again, in order to do the next steps in your security posture, you've gotta have a lot of detail about the device itself. So there are tools out there ours included that will help you get that detail to whatever for whatever it is that you need to do with it.

Yeah. So how do the tools vary because there's network scan, you talked about network scanning before you talked about tools that can go out and do an inventory. and we had some of those tools, but that's right. Some of that led to a lot of just unknown device kind of thing.

We knew it was something and whatnot. So talk about the different types of tools and how they deliver on that promise of transparency and visibility to what's going on on your network.

I'll describe it this way. When I worked in emergency medicine as an ER, tech emergency doctors are they're some of the smartest and funnest people on the planet.

But they're not specialists. They, they have enough knowledge. They're actually sorry, one friend of mine who was an ER doctor, he says, they're specialists in the first 15 minutes of care of saving a patient's life. And that's obviously an incredible specialty, but if you need advanced services in cardiothoracic care or pulmonary or cancer or whatever that specialty is, you're gonna go rely on a doctor who's been trained in those disciplines.

And so similarly, a lot of those tools might be able to say, Hey, I think something's going wrong in this area, but the level of detail that you would need as a patient to get to the diagnosis and your treatment plan and all that stuff, they don't necessarily have that, but they're gonna get you to someone who does similarly. There's a lot of tools. I can see the network and see the traffic and see some of that stuff that's there. But being able to determinative say, I understand this device, cuz. Medical devices specifically, they actually use really weird language protocols that they communicate on the network with, which is why those tools aren't able to see them or understand them, or they gave you that unknown device categorization, but being able to translate and understand the language, these devices speak can allow you to really see what detail what they are.

So that's what separates the tools in my opinion. And then also how accurate is the profile of that device? What data points are you collecting about it are those data points useful to you? What can you do with them? That's where we take the next steps.

me throw out a closing statement and then ask you a question to close. My closing statement is this is sort of foundational for zero trust, right? If you're gonna go on this zero trust journey, one of the first things you have to identify is what's out there and what's supposed to be out there. Because once you establish that baseline, then you can see the anomalies of things coming on and off your network that maybe shouldn't be there.

And so it, it that's sort of. My hypothesis for this statement is this is foundational to establish your zero trust framework within your health system.

And we've seen a lot of health systems they, they get all excited about that. Zero trust word, and that's, and obviously an ideal, I think, many are looking towards and they get working on it.

They get started on it and they realize the limitation of poor visibility. So they start to see that very quickly. If they've started on the journey already, how much they actually need that, that kind of information to be able to take their journey even further.

So visibility foundation for zero trust where can people go for more information on zero trust if they were looking for it?

I think Forrester published a new update cuz it's Forrester that came out with the zero trust framework years ago. And they just published a new update to their definition of it that I think is helpful. Or you could also visit medigate.io if you wanna learn a little bit about how we provide visibility for zero trust, there's a lot of resources that are out there and if you need in-depth information, just call your favorite technology company and ask to talk about zero trust and I'm sure you'll get quite the presentation on all sorts of pieces of information.

Absolutely. Samuel. Thank you. Appreciate this as our foundation for the conversation.

Thank you 📍 bill.

What a great discussion. I wanna thank our sponsor for today. Medigate by Claroty for investing in our mission to develop the next generation of health leaders. Don't forget that this whole series ends culminates with a great webinar that we are going to have, and we have two great healthcare leaders. We're gonna join us. Intermountain, Eric Decker children's of LA Andrew Sutherland. And we are going to talk about the challenges and solutions to unmanaged devices in healthcare. You can check out the description box flow for more information and the registration link. You can also go to our website this week, health.com and look for a link to it in the top right hand corner of the page.

Love to have 📍 you join us again September 8th at one o'clock Eastern time. Thanks for listening. That's all for now. 📍