July 25, 2024: Alan Cain, the CISO of the Rail Delivery Group in the UK, joins for this Keynote episode. With his extensive background in cybersecurity, he discusses the lessons that can be found in UK cyber regulations when applied to healthcare systems. Alan's insights into supply chain management, third-party risk, and the importance of proactive monitoring raise essential questions about the robustness of current cybersecurity practices. What measures can organizations take to ensure continuous compliance rather than mere certification? Alan also touches on the human element of cybersecurity, including the significance of educating staff and their families. How does this holistic approach contribute to overall security? This episode prompts listeners to reflect on their cybersecurity strategies and the importance of a collaborative and comprehensive approach.
Donate: Alex's Lemonade Stand Foundation for Childhood Cancer
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on Keynote
(Intro) Let them make the decision, because then you're never the bad guy. Because if you become the bad guy, people start to go around you, and they avoid security and they let's tell them later.
It's easy to ask for forgiveness rather than permission.
Yeah.
But if you're that friendly, it's friendly Alan, the security guy, let's go and ask him. He'll help me. And that is the whole point.
My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare one connection at a time. Our keynote show is designed to share conference level value with you every week.
Today's episode is sponsored by Airwaves, Artisight, CDW, Doctor First, Gordian, Gozio Health, Nuance, Optimum, Quantum Health, and Zscaler
Now, let's jump right into the episode.
(Main) Hi, it's Drex. Welcome to the program, Alan Cain. Psyched to have this conversation today. There's a couple of things I probably should start with.
Alan is not from the United States and Alan does not work in healthcare, which might beg the initial question, like, why, Drex, are you having a conversation with Alan? And I think this will all be explained as we have our conversation today. Just a couple of things initially: because Alan lives in the UK, a different kind of healthcare system, they still have their own challenges and issues.
And as a consumer of healthcare there, he has that sort of experience. And then as a cyber pro he has experience doing the kind of stuff that we do in healthcare, maybe not the healthcare specialty, but a lot of the rest of the stuff is very much the same. And we'll talk about a lot of those components today.
So Alan, tell me a little bit about yourself. Tell me a little bit about the company that you work for and we'll just spin off from there.
Yeah. So I'll start. The company I work for currently is the Rail Delivery Group, and I'm the CISO there. And we provide all the services to the rail industry.
Now, the rail is slightly different in the UK, where we are mainly passenger focused, but we do have freight as well and also services to the owning group, who own the trains as well, so it's slightly different. But every service you can imagine, from ticketing, to warboards, to timetables to everything other than driving the trains we do.
Just starting off with a bit of a comparison: your stuff is all in real time, and the services that you provide, the capabilities that you provide there, your consumers, your version of patients, need that stuff right now. And if the trains don't run on time, as they say, chaos ensues, and we feel the same way in healthcare.
So it's interesting to see that overlap.
Exactly. Yeah, you are right. So even in the UK, we have these. When you leave a train, you have these doors that flick open, and they have to open within 500 milliseconds of someone tapping their card to get out and get in. All this information needs to be going right across the network extremely fast.
Wow. So we can allow for any blips or any kind of downtime, and cyber is, what's the main
Yeah. Now you also besides your full time job as a CISO, you're also teaching courses, right? Can you talk a little bit about that?
Yeah. So I've worked in other industries as well. So I've also worked in retail and gambling as well.
But what I found is that everybody, whatever industry you're in, has the same issues. And a big focus that I do around the university course, the master's degree, is we look at supply chain management and critical national infrastructure. We call it CNIO here.
Actually, the security around that. And I come in as the bad guy and I'm going to tell them how I'm going to attack the national infrastructure.
Now I'm going to attack them as well. We look at some really interesting things that are publicly available, that are open all across the world. Tools that you and your viewers can look at now, Shodan. And, you can go and explore things. Now, you shouldn't go too deep.
It's not illegal to look at these sites, but it's got listings of infrastructure that maybe you shouldn't have on there. If you just put in the search bar "hospital", and then look on the left hand side, you'll see loads of countries and numbers. Those numbers are the amount of hits with "hospital" in the headers that these servers have in them.
So you can see, I think last time I counted it was 344 in the United States that were misconfigured servers in healthcare.
So the supply chain part of this obviously is really important. We talk about it as supply chain too. For us, I think our audience would probably more easily recognize it as like third party risk.
We've gone through this process over the last several years. I'm wondering if it's the same there, but when we got to the pandemic, a lot of the, like, I don't know if we're going to be able to get to the data center. So things that we used to run in the data center, maybe we should buy now as a subscription, as a service under a subscription kind of program from a third party.
And so a couple of things happen. A lot of your data goes into those systems. And the other thing is that there's a lot of connectivity between your system and their third and fourth party partners too. Are you addressing that?
Yeah, so you're right, that's exactly what happened, especially in the UK, where systems which would normally be locked down, you have to go to the site to access them.
framework, and that's based on: It's very similar, if you can imagine SOC 2, it's a bit like that. But there's a lot more questions, to be honest. But that's how, monitoring your suppliers in a proactive manner, constantly monitoring, not just that once a year, let's get them to fill in a document and say, oh, that's really good.
Or once a year, they give you a say that they're compliant against something.
So it's really interesting. We go through the same process where we send out the 400 question list to a potential third party supplier, and they answer those questions, and we may not get back around to them again for a year, and lots of stuff changes in that year, right?
What is happening with that organization, and what kind of risks that they've decided to bear or not bear, and the environment's just changed too.
That's right, they fill that document out, it's a point in time document, and this may not be the correct people to fill that document out. It comes across their desk and, oh, I've got to fill it out, okay, fine.
You don't know whether they've actually considered everything they've got, so we use tools that proactively monitor our supply chain. So we can put in the supplier and the URL, it looks at their IP block, it looks at all of the servers that are in there and it looks at their security posture.
Whether there's missing patches, whether there's open ports on the servers, and just by doing that alone, we can understand their security posture, whether they're going to be vulnerable to attack, whether they've got their email configured correctly, so with DMARC configured and whether their email could be spoofed, we can see immediately, which then poses a risk to us.
Of course,
If you think about any supplier, if you look on their webpage, any of your viewers who have got suppliers, go to the webpage of the supplier, and look at the bottom, it says partners, and it may have your own logo on there. That's a vulnerability to you, because the attacker now knows where to go.
So they do a reverse Google search, they find all the logos, here we go, here's all the supply chain, this is how I can start attacking you.
This is somebody who has a connection into that health system. So this is a route that we can use to try to make our way in there.
So that idea of external attack surface management, or being able to look at everything that they have facing the internet and how it's configured and patched. Or even things like what services are turned on, like when you get a system, when you connect to a system, or there's something in the cloud, sometimes there are services that are just turned on automatically that maybe shouldn't be, or capabilities that are built into that, that maybe just shouldn't be.
You see all of that stuff too and give advice and guidance essentially to your partners about how to become more secure.
Yeah, so that's right, so we give them access to the platform as well. Yeah. They can then look at their vulnerabilities and fix them. So they get that for free. But it also gives them a score; it starts at 300 to 900.
900 being, you're absolutely secure, great. But that score then allows us to have a metric. That metric then allows us to score them, and us to be able to create what's called a PSL, or Preferred Supplier List. So the business or the industry comes up to me and says, Alan, I need someone to build websites.
So here's our 10 suppliers. And they've all got, these are the scores in Risk Exchange. Sorry, the tool we use is called Risk Exchange. But no advertisers in the tool, they don't sponsor me. But this allows us then to be able to go, these are the ones that are really good, we proactively monitor them.
They work with us, they're secure. And what you're doing then, you're driving security through the supply chain. Because no supplier wants to be at the bottom of the list. And they all want to be at the top, so they'll use this free tool they've got, which would have cost them hundreds or thousands.
And they'll get better scores and then it will drive them work. We've seen it time and time again. It works great.
You're more likely then to do work or to select suppliers that have a higher security score, logically. There may be reasons not to do that for whatever, might be the requirement, but generally speaking, you do.
So I love the competition version of this.
Yeah. The trick is as well to have contract clauses in your contracts to say that you'll keep an 800 score and you'll also work with and comply to the third party compliance framework. So that then means they're contractually obliged to do it. When we go out for a product, now don't forget this is going to be a national product of the whole of the types of the UK.
So we'd have the vendors, we can literally put them in this tool and we can get a score, we can see their weak points, and then I literally did one before I came on the show where I wrote up a report about five vendors we got that are bidding for a proposal, and one of them was really good and two of them were really quite poor, but they may not have known.
And that definitely helps inform your business counterpart on their decision. You can encourage them not through emotion, but just by pure data. Like, here's a better decision that you can make that would keep us all more secure.
Exactly. But the key is don't, so in security, I've never been that person to say, oh no.
And I've always been that person to say, let's have a discussion. Do you think this is the best course of action to do now? Let them make the decision, because then you're never the bad guy. Because if you become the bad guy, people start to go around you, and they avoid security and they let's tell them later.
It's easy to ask for forgiveness rather than permission.
Yeah.
But if you're that friendly, it's friendly Alan, the security guy, let's go and ask him. He'll help me. And that is the whole point. So we help people rather than say no,
I love that. That's a great lesson for us too. I think there's a lot of chief information officers.
My background for most of my career has been as a CIO, but there's a lot of CIOs and CISOs who come at it from the "yes, but", or "yes, and", right? It's not a pure yes often, but they do their best to try to be a partner, to help, like they're trying to enable the business, but there's risk always in that.
And part of your job is to help them understand the risks they're accepting.
Yeah. Yeah. And it's funny because I've always done this in every business I've worked in, but we don't just do it for the business. So we do cybersecurity training for the staff, but also the families of the staff. So children have got, I think, Facebook, roadblocks, games, and parents, they'll ask about it.
Okay, we'll teach you about it. I'll teach you about how to secure it, how to secure the passwords, what a good password is. They'll pass that down to their children, and they'll all be secure. Because if they use poor security practices at home, they're going to bring them into work, that's right.
Yeah, so that's really interesting. I want to make sure I understood that. You actually help train the family too? Yeah. About what good looks like when it comes to security practices?
Yeah, and that can be as simple as making a few videos for them. They're easy to understand, which we've done for years, me and my friends.
And they can just use them where they like, but as long as they understand, right? It's so important. You've got children now who have got access to all sorts of technology. And getting them to understand the right way to use technology is really important, because some of the parents that are a lot older, older than me, that I work with, they're not really techno people, they come in and, oh, you try and use password one.
It doesn't work. I'll try to use password two. It doesn't work. Let me tell you why.
Yeah, it's interesting too, that model of putting in the extra time and the extra effort to train the family. Those kids then grow up with good cybersecurity habits. They eventually will become part of the workforce and maybe even work for you.
But even if they don't, there's a great benefit, across the population in general because in the spirit of everything's connected to everything else, they're probably going to work for somebody who's connected to me.
Yeah, and these things don't take long to do, and I feel that cybersecurity professionals have a duty to do these type of things, right?
It doesn't take us long. We know the information. Why not share it?
Yeah, a lot of it is pretty fundamental stuff too, so. I want to roll back to 27001. One of the things we talked about yesterday, offline, about this was the idea that there's a difference between being certified and being compliant.
With 27001, or PCI, or any of the standards that may be out there. And while I think a lot of our folks know that, it always bears saying it again, especially for the folks who are in the audience who aren't necessarily cyber professionals and don't do this every day for a living. So talk about that.
Yeah, so: It's got all of our policies and processes in it and how all things work, and there's a very different mindset to being certified versus being compliant, because compliant, anyone could be compliant, you could just winker an auditor and do your best. They've done well, there you go.
Someone's giving you an ISO: Can I have a look at your password control policy? And by rights, they should just go, yeah, of course, why not? It's not top secret.
27001 also is, again, after talking about it and digging into it a little bit yesterday, it's a lot more about the systemness of security, not system as in computer system, but the sort of process of security too, right?
y give you a complete answer.:does. And when you get audited, the audit itself lasts like just over three days.
And the auditor makes you go through these processes with them. You go through, do them and prove the fact, and then they'll go out into your workforce and they'll ask people about security training. They'll ask them about the policies. Where'd you get the policy? It's a security incident.
What do you do? Sometimes it's been terrifying for the auditee, but when I've been the auditor, it's quite fun.
Yeah, I bet, because you hope that you don't get caught in the trap. The one new guy that just showed up that doesn't know the answer to the question or something.
Exactly, yeah, you're always praying, don't go that way, don't go that way.
Just another kind of always interesting question for cyber pros for me is: when did you decide, like, this is the thing that you wanted to do, cyber security? Most people in cyber have a really interesting, meandering path.
Some have a very direct, like, nope, I was this, and then the light bulb went off and I did that. Tell me your story.
For those that are just listening on audio, I am older than I sound and I've got a grey beard and bald head and I'm very middle aged. I was around before the age of the internet and I used to be a hacker back then.
Phone phreaking was my thing. A bit like Kevin Mitnick was, getting free phone calls and that kind of cool stuff. But then when the computer age came about, I was hacking video games to get better scores and stuff. And then there was the internet. That's it. It came about and then there were servers online and we could do strange things with servers.
Oh, cool, look at this. Then the real kind of thing went, I went onto a service desk and then from there it was actually, there's a real, there was a job appearing here, and it went into a SOC, that's Security Operations Centre, and then a pen tester came up, this role, this ethical hacker. It's been my absolute hobby all the way from since I was a child, to be honest, even like going on bug bounties and doing that in my spare time and training people to do it as well.
One of the things I really love to train people to do is OSINT, so Open Source Intelligence, where they use the internet to find out information about something or a person or whatever, normally themselves, to be honest. Those are the kind of skills that are out there. And once people get it, they feel like a detective.
Yeah, it's very interesting. It's interesting to me too, how many times I ask that question and there's always a path at some point where somebody went through the service desk. And I think that's an interesting part of this too, because you get to talk to so many people, and from the social engineering perspective, you're not really social engineering your own users, but sometimes.
You get to know some of those users and the things that you can ask them to get them to tell you, to help them, but it's also a skill that can be used for bad stuff.
Very true. So should we all use social engineering all the time? When I train people about social engineering, there's loads of things you can train people about, but one of them is talking to people and just getting your mindset to understand that they really need to do what you're asking, that kind of importance around it.
We also do it with things like, I'm terrible, I use my hands when I talk a lot, and that's a part of social engineering as well, where you get trust from people by using your hands. I'm going to try not to use my hands now when I talk. But even now, as a CISO, you still use those skills, whether it be in a contract negotiation or whether it's to get a new supplier in, to get them to do the right thing, and it's very common.
Yeah, when you're briefing the board, or when you're briefing your fellow execs, helping them understand, looking at them, watching for signs from them too, that they're engaged or it.
That's right. And the trick is to let them make the decision, but guide them on the right path to make that decision. The right path should be what you want them to make.
That way also, you're not the no person. You're the, yes, let me help you facilitate the business.
It's one of those things that, Alan helped us get this in, it's one of those kinds of things that, it's definitely skills people should use and learn, yeah.
Hey, I really appreciate your time today. Any final thoughts?
Anything you want to leave the audience with? A tip or a trick or particular message that you think is important?
So there's loads of tips and tricks I could say to them, right? But I would say, look on the internet, there was an attack a couple of weeks ago on the supply chain for the NHS, the National Health Service, and it crippled the NHS where they couldn't get pathology services, and that was through a third party clicking on a link, getting hit with ransomware, taking out their systems.
So a tier one supplier to the National Health Service of this country was taken down by a piece of ransomware because they didn't check if they had the right controls in place to stop ransomware. So one thing I would say to your listeners is make sure those checks and balances are in place. Ask the questions: you're a tier one service.
What protection are you giving us for that service? If they all get hit with ransomware, your service is going to go down, healthcare will suffer, data breaches everywhere. No one wants that.
Yeah, and what's your backup plan? What's your backup plan if that service is offline for a while?
We just had an incident like that here in the United States, for filing claims, and once that service was down, the crisis ensued and people had to stand up other options. So think through that business continuity part of it too, right?
Yeah, that's it.
Yeah. Talk to your suppliers, make sure that you have all your ducks in a row. You may be great. But you only need one of them to be a little bit poor and it can really affect your business.
That's great. Thanks for that. I appreciate your time today. It was great to talk to you.
I hope our paths cross in person sometime soon. And I really appreciate you being on. Thank you very much.
Thanks for listening to this week's keynote. If you found value, share it with a peer. It's a great chance to discuss and in some cases start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. We'd appreciate it if you could do that.
Big thanks to our Keynote Partners Airwaves, Artisight, CDW, Doctor First, Gordian, Gozio Health, Nuance, Optimum, Quantum Health, and Zscaler
You can learn more about them by visiting thisweekhealth.com/partners. Thanks for listening. That's all for now.