This Week Health


March 18, 2024: In this 2024 ViVE Interview in Action double feature, health leaders Kate Pierce, Senior vCISO at Fortified Health Security, and Tamer Baker, CTO at Zscaler, share what they are seeing in healthcare cybersecurity. Pierce delves into third-party risk, the implications of the Change Healthcare breach, and HHS's newly released Cybersecurity Performance Goals. How are health systems navigating the murky waters of third-party risk, and what lessons can be drawn from recent breaches to fortify defenses? Then Baker explores the role of zero trust in safeguarding health data and systems in an era where traditional security perimeters no longer suffice, from M&A integration to hiding the attack surface and replacing VPNs. Through these two conversations, the episode not only poses critical questions about the current state and future of healthcare cybersecurity but also offers insight into the strategic approaches being adopted by leaders in the field.

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Welcome to This Week Health. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Today, we have an interview in action from the 2024 conferences, the spring conferences, VIVE in LA, HIMSS in Orlando.

Special thanks to our sponsors, Quantum Health, Gordian, Dr. First, CDW, Gozio Health, Artisite, and Zscaler. You can check them out on our website, thisweekhealth.com. Now, onto our interview.

(Interview 1) DeFord, and we are here at Vive doing an interview in action. Should be a good time. This is my good friend, Kate Pierce. We're on the Health Sector Coordinating Council together. How's it going? It's going great. I know you just kind of got here and you've been looking around. You do a bunch of work with a bunch of health systems as a virtual CISO. What are you seeing out there? What's driving people crazy right now?

Well, I think third party risk has become very apparent this week as people are struggling with the Change Healthcare breach. So that's third party risk. We've seen a lot of people struggling to figure out how they're going to cope with those risks in their organization and what their risk tolerance might be for those types of organizations. Because you really can't get away from involving third parties in your organizational structure. The Change Healthcare breach has really brought that to light this week.

It really has highlighted a lot of stuff, including, as you go through that process, the thing that happens at the end when your third party, whoever it is, recovers and wants to reconnect to you. How do you advise folks to go through that process?

I would say that I would advise folks that if you don't have a letter from the third party certifying that their systems are good to go, I would be hesitant to turn on those VPNs and get that data flowing again until then.

The other thing that I think folks need to be starting to think about, or hopefully they already have, is what are their responsibilities in their BAA with the client? If their data potentially is breached in this Change Healthcare situation, what's their responsibility on that end? From a notification perspective and all of that.

From a notification perspective, from a liability perspective. So hopefully they've got solid BAAs with them and have some good processes in place. It's another thing we've talked about with third party risk management and the contracts, and that's things like making sure you write into the contract how long data should be retained by the third party and when they should flush it, so that it's not subject to a breach later on. All those things are really important when you write these contracts. Right.

I think a lot of organizations don't necessarily know where all their data actually exists. There's a lot of different third parties within the organizations and where that data may be sitting. You might be oblivious to something that's going to actually impact you later on down the road.

Time to shore up those third parties.

Okay, you work with a lot of health systems. What's top of mind in those health systems right now?

I think there's a couple of things that have come out recently that folks are starting to ponder. One is the Cybersecurity Performance Goals that were recently released by HHS. So those are top of mind. They're currently voluntary, but what's the next step going to be? The second thing I think is third party risk management. This week's breach at Change Healthcare, I think, has really got a lot of folks thinking about how they're managing their third parties. Yeah.

What are you looking forward to seeing at the show that you think is going to give you some great information to be able to take back to the health systems you work with?

Well, I work strictly in cybersecurity, so I'm looking forward to the announcement of the five year strategic plan for HSCC, so that we can see how we're going to move from our current state in healthcare to the state of being stable in 2029. So I think that will be interesting.

Yeah. Okay, one more question. If you could have any fictional character as your life coach, who would it be? Any fictional character. It could be in a TV show, maybe a cartoon character.

You know who I'm going to pick? Who? The fairy godmother, because she's always happy. Your wishes can be granted, and she doesn't take life too seriously, so that's my choice today.

I love it. I love it. Hey, thanks for your time. I appreciate it. No problem. Take care.

(Transition)

(Interview 2) Hi, it's Drex DeFord and we're here at VIVE 2024. I'm hanging out with my good friend Tamer Baker from Zscaler. How are you feeling today?

I'm feeling good.

Yeah, it's been a great week at VIVE this week.

Awesome. Yeah, it has been. I got to see a lot of our friends. Got to see a lot of cool stuff here. A lot of folks coming by the booth. Zscaler, very unique solution for healthcare. Really interesting set of capabilities. Let's start with that. Give me an overview. What's the elevator pitch, and maybe a little bit more.

There's three main things that we try and do for health systems. We simplify, and by simplification, we mean reducing a lot of overhead, a lot of burden, a lot of point products, making things a lot easier for your teams so that they can provide the services they need for the care providers, so that you can have better patient outcomes and beneficial care.

We help with transforming and evolving an organization so that you can actually be more agile. So agility is big right now; everybody is so tight on margins, so we need to be able to be nimble and agile. And then the other piece, of course, is the security element. Everything that we do reduces your risk and improves your security posture dramatically while you're getting that simpler technology stack in there. All right, that's just a real quick overview.

There's a ton of M&A going on right now. Yeah. It seems every day you open up the newspaper, you open up whatever your favorite storyline is, and somebody's buying somebody else. Yep. You guys are really uniquely positioned to be able to help people through that process.

Very much, yeah. That's part of the agility that I was just mentioning. From an M&A perspective, time to value is important. So once that day zero hits, everything becomes about time to value. How quickly can you assimilate and bring in that new organization, or even divest it, if investors choose to?

Sure. But that time to value is a critical component from a cost perspective. I had a business plan and I thought we were going to get these guys on board this fast to be able to do these things.

You're right. Absolutely. One of the biggest struggles with that is the IT side of the house. How do you merge networks? How do you merge users and applications? And what Zscaler does is, again, simplification. The network is agnostic. You don't have to de-conflict IPs and de-conflict networks. You don't have to do any of that. Because we're in a unique position, we just connect users to applications directly, network agnostic.

Wow. No matter where the users are or where the applications live. So that means on day zero we can immediately turn on those connections between users and apps on both sides, so that you can immediately get that time to value and start working and generating that revenue. Another unique piece of an M&A is, if you're already a Zscaler customer, for example, during the due diligence phases too, so before day zero, we're able to do some assessment and get some security posturing done on that new entity. As well, during due diligence, I've done it, you've probably done some M&A, I've done M&A in the past. We need to already connect legal and HR and finance folks to different sides. So being able to do that even during the due diligence phase happens pretty immediately.

The HR stuff, all that work, there can't be a delay. Day one, day zero, they've got to be ready to go. That's right. I've said zero like three or four times, so back to the security thing too.

There's a Zero Trust conversation happening up and down these aisles right now too. You guys play well into that and fit well into that. First of all, talk about what that means. And second of all, talk about how you fit into that conversation.

Sure. Yeah, Zero Trust has become such a marketecture term.

Right. Marketecture. Yeah. Trademark to Tamer Baker. Yeah, unfortunately it's been so blown out of proportion by so many different companies that say they do Zero Trust. First thing I'll say is there is no one single company that can do zero trust. So if there's anybody that tells you, buy me, we'll get you zero trust, that should raise some red flags.

Yeah, it is a multi-vendor approach. You need multiple components and we are one of those components. So from our perspective, what we're doing is, again, we're removing the network piece of your network. And we're connecting users directly to apps so that it prevents any kind of lateral movement.

When we think about zero trust, you're only getting access to the things that you're allowed to have access to and that's it. Also, when something bad does happen, your access gets removed immediately. That's just a very basic way of describing Zero Trust. And that's why it takes multiple vendors.

Because somebody like CrowdStrike will know when some bad things are happening. And that's when we can also integrate and say, oh, well, CrowdStrike is telling us something bad here, so let's remove access to that application. The other component that we do that people often don't think about from a zero trust perspective is the attack surface.

One of the unique things that we do is we remove that visibility on the internet of your applications and your users, and because there's no VPN, that attack surface goes away. So part of Zero Trust in my mind isn't just connecting users and apps no matter where the users live and where the apps live, but it's also hiding that attack surface. Even if an application has a vulnerability, if I can't knock on that front door, if I can't even see it as a bad actor, then I can't exploit it. So that's part of the zero trust.

And a lot of this also plays into this challenge that we see right now of patching. There's too many patches. They're all super urgent. We have to get them done right away. That becomes a nightmare for health systems who have to say, well, I can't do it like that. I have to take the system offline. I have to do a test. I gotta make sure that the patch doesn't break something. That's right. You take a lot of that out of the mix. Not saying don't patch. Just saying a much more comfortable schedule to make sure that it's not going to break anything and make it work.

That's right. You can prioritize it a little bit more now, because only the things that are still left exposed to the public for one reason or another, those are the only things you really have to be hot on. That's right. All the other stuff is hidden. Think about, oh my gosh, Ivanti, right? The VPNs are constantly getting new vulnerabilities, and that's really critical because as soon as somebody's in your VPN, they have access to everything. Again, it's the lateral movement component of it that we remove, right? So that's the type of stuff that we want to get rid of and modernize and really help disrupt the environment. No more VPNs.

Yes, please. Thank God. We'd all be in a better place if they didn't exist anymore. Yeah, for sure.

So I'll ask you one more thing here, and maybe two more things. One more thing, which is what's next? What's on the horizon? You're doing some really cool integrations. You've done some really cool integrations. Just recently talked about those.

Okay. Yeah. Yeah. Recently we just integrated with Imprivata, where Imprivata is the only certified cybersecurity partner in existence right now.

And what that gives you is, when you think about all those shared workstations and kiosks that everybody's tapping in and out of, right now, today, you only have a generic security policy. It's got that generic user on there, and as people tap in and out, that context doesn't go with them. So what we've done with this integration now is each person's security policy, as they tap in, gets applied to that user. And when they tap out, it's removed, and the next person taps in, and their policy applies. So when you think about it, a physician may have elevated privileges, more access to more things. Maybe they're allowed to send a medical record to Google Drive to share with another physician, whatever it may be. A nurse shouldn't be able to do that. Right now you can't do that with shared kiosks and workstations. With this integration you can. So it's a big use case. We're solving a lot of pains with that one. Very cool. And then coming soon, you mentioned. Yeah. We're starting the development of integrating with those medical device security vendors now, too.

So that we can apply security policies specific to the types of medical devices. And not just medical devices; these vendors also look to help with IoT, OT, and everything else. But the perfect example of that is, again, you've got an imaging workstation that doesn't have an agent and has very loose security policies on it, and that's where you may have people logging in, going to their Gmail.

Because they can get there from that machine. Yes, so now that we can do this integration, pull in that it's not really a workstation, it's actually an imaging workstation and it should only be talking to GE to get updates, as an example, right? So this integration will bring in that context of these devices, which they do best, and then we can apply policies based off of those contexts.

This feels like you're almost doing a form of network segmentation without actually messing with all the work that goes into network segmentation.

That's a great way to put it, Drex, yes. Yeah, that's what we aim for. We want to do that segmentation and reduce the blast radius, remove that lateral movement, but I don't know anybody that's successfully implemented actual network segmentation.

That's, I think, goes back to the agility and simplification too, right? You can make it easier to do, then it's easier to secure. Yeah. Yeah. Yeah.

And then the other thing too is a cost component, right? Removing a lot of complexity means you're doing a lot more with less money. All those hours that would have to go into doing network segmentation, maintaining network segmentation, making sure somebody doesn't do something wrong to take something out of it, all that stuff disappears. That's incredible. Yeah, it's been great. It's been a great ride. Hey, thank you very much for the time. I appreciate it. Always, Drex. Yeah, thanks man. Yeah, thank you.

Thanks for listening to this Interview in Action episode. If you found value in this, share it with a peer. It's a great chance to discuss and in some cases start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. If you could do that, it would be great, and we want to give a big thanks to our partners who make this possible: Quantum Health, Gordian, Dr. First, CDW, Gozio Health, Artisite, and Zscaler. You can learn more about them by visiting thisweekhealth.com/partners. Thanks for listening. That's all for now.

© Copyright 2023 Health Lyrics All rights reserved