October 17, 2024: Josh Howell, Sales Engineering Manager (Healthcare East/Central) at Rubrik, and David Houlding, Director of Global Healthcare Security and Compliance Strategy at Microsoft, join Sarah and Bill for a webinar. They delve into how their integrated approach strengthens cybersecurity and disaster recovery for healthcare organizations. How do cloud migrations and zero-trust architectures enhance security and cost-efficiency, especially in an industry prone to ransomware? The conversation highlights the complexity of modern healthcare environments, from multi-cloud infrastructures to compliance challenges.
Donate: Alex's Lemonade Stand: Foundation for Childhood Cancer
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
This episode is brought to you by Rubrik. Together with Microsoft, Rubrik works with you to better understand your data and workflow so they can help you build a better security solution that's just for you. A solution that not only secures your data, but puts you in the best possible position to recover faster from a ransomware attack.
So reduce complexity, with Rubrik. And make sure your data is protected no matter what cloud provider you're using or how bad the cyber landscape looks. Find out more on how the Rubrik plus Microsoft Alliance can help you elevate your cyber security game. Check it out at thisweekhealth.com slash Rubrik.
That's R U B R I K, thisweekhealth.com slash Rubrik.
Today on Keynote
(Intro) Every time there's a bad outage, people see those headlines. And whenever organizations like Microsoft and Rubrik come together and pull off a speedy recovery in 24 hours, people don't see that.
And so our primary focus is helping leaders at all levels understand that this is a problem that can be solved, that it is being solved successfully today, and that your organization can bounce back really quickly.
My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare one connection at a time. Our keynote show is designed to share conference level value with you every week.
Now, let's jump right into the episode.
(Main) Welcome to our webinar, Healthcare Cybersecurity Excellence, the Rubrik and Microsoft Alliance.
We have an incredible panel lined up. I'm excited to dive into this topic with you today. A special thank you to our sponsors, Rubrik and Microsoft.
Their support helps us create and deliver valuable content like this. So let's jump in today's discussion. Our panelists are Josh Howell, Sales Engineering Manager, Healthcare West and Central at Rubrik. David Houlding, Director of Global Healthcare Security Compliance Strategy at Microsoft and Bill Russell, former CIO for Sixteen Hospital System and creator of This Week Health.
As we get started, it's important to note the partnership between Microsoft and Rubrik is significant for healthcare organizations because it combines Rubrik's expertise in data security backup and ransomware recovery with Microsoft Azure's cloud infrastructure. With all that being said, gentlemen, I want to jump in and start with the partnership impact.
How does the Microsoft Rubrik partnership specifically benefit healthcare organizations in terms of data, security, and management?
I think one of the reasons that these ransomware attacks and data breaches have been so disruptive and painful for the industry is that there's a little bit of a no man's land. You've got IT operations and the things they're responsible for, security and the things that they're responsible for and the tools they know how to use, and developers and application owners all have a different lens and different set of tools, and operationally conducting these recoveries or securing complex hybrid environments has been a challenge.
And marrying together platform tools and, data security tools like we offer helps close that no man's land and provide a unified framework for responding to these events.
Yeah, just to add to that. So I think, yeah, unfortunately with ransomware and attacks like that, it's unfortunately it's not an if, but when as good as we all get at security, there's humans involved with the best intention under cost pressure and time pressure.
And, they're going to click sooner or later. What do you do? And so one of the things that I highly value and Microsoft we value is the alignment that we have with Rubrik on many levels. One of them is the alignment on zero trust security and also the integration of our solutions. So zero trust security is all about, limiting that blast radius.
When that click occurs, how do you make sure that you contain it quickly and you limit the impact? So you're using things like multi factor authentication, least privilege, segmentation, but also continuous monitoring and detection response containment remediation. And I think that's an area Rubrik and Microsoft shine in particular is, you've got these integrated security suites, the Microsoft suites integrated, but we're integrated as well with Rubrik.
And so it makes the security operations much more efficient. The security analysts have single dashboard they can look at whether it be Sentinel, for example, they're receiving the telemetry, they know when the incidents occurred, they can use Copilot for security, and they can understand what has happened, what do I need to do, Contain it quickly and then remediate.
And that remediate is really important. I think that's where Rubrik shines in particular, being able to remediate quickly, restore from a clean image. Look forward to going into more depth on that, but I think there's great alignment and great integration in summary.
I'll tell you the thing I would say from a CIO perspective is the gaps are important, especially in architecture.
This is where vulnerabilities happen. This is where outages happen. And so these kinds of partnerships become critical. So much of the infrastructure now is cloud based. We're moving it outside of our existing data center. And we, we need these partnerships to form in order to ensure that we're minding those gaps and we're closing those gaps and we're remediating issues, when there's a release of data.
On one platform, we want to know that it's been tested on another platform. We want to know that there's change management being coordinated between these cloud providers because they can make a change now in the cloud that could impact the delivery of services within our healthcare organization.
So these partnerships become more and more important. And as an example, we had the CrowdStrike outage and now we've seen Microsoft and CrowdStrike come together from an IT perspective, from a CIO perspective. I can't applaud that enough. These kinds of coalitions alignment really do help to address some of the significant challenges that we're facing just in terms of the complexity of the environment in health IT.
The Microsoft partnership has been huge for us. I think we're the only data protection company that Microsoft has ever invested in, and I think we're now the number one BCDR solution that Microsoft customers have purchased through Azure Cloud, and we're healthcare and life sciences partner of the year for Microsoft.
So for Rubrik, it's been tremendously beneficial, not only the partnership, but also the joint development and some of the solutions we've brought to market together.
Yeah, and I think, when you talk about gaps what's interesting and just driving that home to a really technical where the rubber meets the road.
We don't have any gap in our partnership. We're very closely aligned, aligned, strong partnership. But if you're talking about security solutions, if there's gaps between them, as can occur if organizations Take this solution from here, that solution from there.
They're not integrated. You have gaps between them. You have multiple dashboards. The security team needs to monitor multiple dashboards. They're going to start missing things. They're going to miss alerts. That means more dwell time for attackers. That means increased impact of ransomware. Increased disruption of healthcare.
So we're all about eliminating those gaps, both in the partnership and in the software by ensuring that integration out of the box. And to me, being able to get up and running quickly with solutions from Rubrik and Microsoft. That's where you'd want to be, right? You don't want to have to take on a huge integration task. And then if you don't do that integration you have that risk of missed alerts and so forth. And if you do that integration, then you've got technical debt to maintain over time, right? You can maintain that integration.
Sometimes I pursue this from where I sat, which is 16 hospitals, seven and a half billion dollar organization.
But these kinds of solutions are being looked at more and more. By smaller institutions, by clinical practices and rural healthcare and those kind of things. to hear how this benefits me if I'm, a rural hospital system and I'm looking to, clearly my budgets are tight.
I don't have a huge staff and those kind of things. this partnership help me?
Yeah, I think there's a span of solutions. A lot of organizations aren't clearly just on premises or in the cloud. A lot of organizations are spanning that gap and struggling with a proliferation of tools and costs as a result. And so having an ability to reduce spend across, seven different categories of tool sets while providing greater visibility not only for the legacy things that you have on premises and within your four walls, but also what organizations are building out in the public cloud and be able to provide, unified visibility across all of that. Helps control cost, helps control complexity, helps bring people who aren't specialists.
If you have a huge data security team that's great, but what I find is more and more people are wearing multiple hats, there's pressure to do a lot of things, and so if we can quiet the noise, give them the right information in the right context, regardless of where that exists in the environment, that really helps, budget stretch.
People do more, people find a more value added role within the workplace than just, managing a specific tool like backups, for instance.
Josh, I want to take this one to you because we've had a few conversations really about what I believe we're calling ransomware resilience and the ability to address the growing ransomware threats and data recovery in some of these healthcare environments.
When you think anecdotally about either preparedness that you've heard from organizations, how you prepare the conversation with the board, What is top of mind from the client meetings that you've been experiencing?
I think the most important thing is that leaders start to recognize that this is a problem that can be solved.
minute mile. In:And there's another reason why that exists just beyond, imagination and knowing that the problem can be solved. It's that, Every time there's a bad outage, people see those headlines. And whenever organizations like Microsoft and Rubrik come together and pull off a speedy recovery in 24 hours, and there aren't a lot of headlines, people don't see that.
And so our primary focus is helping leaders at all levels understand that this is a problem that can be solved, that it is being solved successfully today, and that your organization can bounce back really quickly. And there's multiple stages to that. There's what we do in peacetime and in preparation.
There's what we do during the event, and hopefully the systems that we've put in place are resilient enough to stand up to attack and that your backups aren't compromised, your costs of recovery go up by 8x, if that happens, and then how do we speed the response and the recovery? And so there's Pillars that Rubrik and Microsoft have built across all three of those.
Discovering where your sensitive data lies ahead of time. What's misclassified. For instance, we can pull out any place that MIP labels haven't been applied correctly or haven't been applied at all. And so we're providing value back to, the other Microsoft products to prevent, data loss.
But also helping organizations clean up their data estate proactively. Last year we had an organization in Utah turn on our data classification product and they were really fine, surprised to find 3 billion hits in a user's home folder of sensitive data and every one of our applications has this export to Excel button in the top right, which kind of means that data can proliferate anywhere.
So being able to find the PHI ahead of time, allow organizations to do that proactively. clean up their data estate to secure some of that really helps. When, as David said, it's not an if, it's a when. When it happens, you have some handle on what data was out there, what each user was accessing at a baseline over time, how that changed during the event, and it allows you, for instance, to report to the OCR.
It was these records affecting these patients, which drastically limits the scope of your reporting challenges, your eventual class action settlements, etc. And then we can talk a bit about the, bounce back and resiliency piece of knowing exactly what happened, when it happened, what systems it's affecting, how far back you need to go.
To conduct a successful recovery. Recovering without fear is that you've run this a number of times, you know exactly what you're recovering, to what point in time, and you know it'll be successful on the first try. All of those things together are what give us the ability to have customers bounce back in 24 to 48 hours, instead of, weeks of downtime.
And David, I'm going to bounce to you, because we touched on this yesterday when you said, this is what you need to say to your board. In our partnership, here's the three things that are key. And by the way, when we think about how do we stay protected enough? What level of preparedness from HITRUST, HIPAA, GDPR, what are the different elements of compliance that are also important when you're working with your customers so that Bill as a CIO knows that he can get what he needs from you for that board conversation or those funding conversations, what are some of the things that are most important that you've been experiencing?
Yeah, it's, healthcare is under cost reduction pressure and so are security teams. They're often understaffed, they're sometimes underskilled, security experts are hard to hire, they're expensive, they're hard to retain. So oftentimes, healthcare is limping along with their security team and they need all the help and focus they can get, right?
So they have limited budget to guide, to, And how do they allocate that most efficiently? I think that's where it's super important, rather than just go after the latest sort of silver bullet solution, use your risk assessment, your risk analysis, but also use compliance. And Sarah, one of the bright silver linings, if you will, in the compliance front of late has been the HITRUST trust report.
risk of breach for two years,:That's in stark contrast to the industry average, where, depending on what data you look at, it's 1 in 3 or 1 in 2 chance. It's any year of being breached with ransomware or some other incident. And so radical reduction in risk through HITRUST certification and really exciting things. It's not just being able to platform on Microsoft cloud and Azure to leverage that, but also being able to take advantage of multiple levels of assurance.
So HITRUST has a sort of staircase. Multiple levels of assurance where you can start with the essentials, the E1 level, move up to the I1 level, and then the R2 level eventually over multiple years as budget and resources permit. And then the other really cool thing about the cloud is this notion of shared responsibilities and inheritance, where as you put a workload on top of the cloud, and let's say you're going for your HITRUST certification, you can actually inherit a huge chunk of your compliance from the cloud.
And for example, if it requires secure data center you got that covered, because Microsoft got that covered, and you're hosting on Azure, right? Really exciting things there. And, again, I think the very important thing is to guide limited resources time budget to where it can do the most good as soon as possible.
And the urgency is there, right? We're all seeing what's happening with ransomware. Unfortunately, the attackers are starting to use AI as well, right? With deep fakes, with phishing, with spear phishing at scale high speed, improving their efficacy, their click through rates. So we really need to move quickly and guide those resources to where they can do the most good.
And the other thing I'll mention as a sort of teaser, I'm sure we'll go into more depth, is how do we empower the security teams with AI? To help them improve their speed, scale, accuracy, and even help upskill them on the job. I think that's really important in this sort of looming threat of attackers using AI.
Yes,
and so Bill, when you think about your time as a CIO, and we still advise several CIOs today, we're talking about multiple cloud environments and a huge reliance on these SaaS platforms. And this truly, I think for most of us, it's about reality as much as choice. When you think about knowing where your data is and how the partners manage compliance, reducing the third party risk, as a CIO, what do you need from your partnership with Rubrik and Microsoft?
do these CISO roundtables. We do CIO roundtables as well. When we talk about security, I'm not going to speak from my experience, because my experience is, almost predates the ransomware environment. But what I'm hearing is two things our events. One is a significant focus on third party risk.
And we all know that's there and it does take up a lot of oxygen in the room, especially with change healthcare and some of the other things. But the other thing that we find is a pretty predominant conversation since ransomware really has become top of mind is time to fully restore the environment.
We never had to think about Okay, everything's lost. Active Directory, it's all gone and we have to rebuild it. And this is now a board level conversation. You can get pulled into the board and have them say, Okay, let's assume it's all gone. How long is it going to take you to rebuild? I would love for you guys to talk about, that conversation.
That's a very real conversation. conversation that's going on of how, resiliency is one thing. Recovery is now a significant conversation.
I think over the last several decades, our societies have come to terms with certain risks.
Bill, before we started the webinar this morning, you were talking about hurricanes. Where you're located in Florida. And society has figured out that there are certain early warning signs we should pay attention to. Certain mitigation efforts and strategies that are effective. And we've learned to prioritize those and then systematize them.
Putting them into our building codes. We've got requirements around evacuation times. We drill for these things, and we've seen this with other risks we've dealt with for a long time, like fires. You have to build with UL, approved materials, it's in your building codes, we are required to have, smoke detection, fire monitoring, we do fire drills.
And when you think about the impacts of these attacks one of these ransomware attacks, if you quantify not just the immediate attention grabbing headlines the size of the ransom or the revenue downtime, but Deloitte, beneath the surface, case studies point out that those immediate effects are only about 10 percent of what you'll experience over the course of one of these events.
So when you quantify the financial impact to a, medium sized healthcare organization. It can easily run three, four, five hundred million dollars and there are larger systems you're measuring impacts in the billions. So when you consider that the impact of one of these attacks is roughly, on par with the loss of an entire facility in a catastrophic fire, it really helps us think about what levels of investment and, how should we take this seriously.
And, Chero Goswami, I was watching some of your earlier videos. Podcast from earlier this month. And he said, if it doesn't affect workflow, workforce and wellbeing, like why should we even do anything? And these ransomware attacks affect all three, you'll have employees who've experienced a ransomware attack before quit on day one.
And they just say, this was so impactful to my family and wellbeing. I don't even want to live through this again. Good luck. And I think that gives us a sense of how traumatizing these events are. People aren't sleeping for days at a time. Sleeping on cots, working until exhaustion.
And boards across the country, I've got several healthcare systems where the board is coming to senior leaders, like you said, and saying, tell us we're good. How long would it take to get back online? And the answer for the past several decades has been IT will have to conduct really disruptive testing in the middle of the night or the weekend, which again, goes to eroding well being and, what's good for the workforce.
And this is why it never happens. And so having solutions that we've built together with Microsoft where you can say, here are all of my applications, I know what's protected, I know that these runbooks work because I've tested them, here let me go ahead and kick that off into an isolated recovery environment during the middle of the business day because it's completely non disruptive, and I can start a stopwatch and tell you here's how long it will take for all of these things to come back online.
Having the ability to drill that is one of the biggest things that is the difference between, the organizations that take a month to recover and the organizations that take hours to recover as they've drilled with their tools and prepared. We can't control a lot of things, but how we prepare is one of the things within our control.
Yeah, great points. And just to add to that, how is Microsoft enabling ransomware from what we're seeing is definitely, something that degrades the quality of patient care, and in a worst case can impact patient safety. It can divert patients even to another facility. So we really need to limit the impact.
We need to get really good at quick, clean recovery, like Josh articulated, but we also need to limit the impact. A ransomware incident that affects one endpoint device is very different from a ransomware incident that affects your entire IT data estate and infrastructure. So to do that, we really have to do zero trust security, and that's where Rubrik and Microsoft are very closely aligned.
So multi factor authentication, least privilege, segmentation. But one of the most important things is continuous monitoring and fast detection. When an incident occurs, it's just the endpoint that's been, encrypted by ransomware. Detecting that very quickly before it moves across your network, right?
And being able to respond and contain and quarantine that endpoint, then remediate quickly in the clean recovery. This is where the integration between security is really important. You've got this complex end to end IT environment like Josh articulated. Multiple endpoint devices. You got some on prem stuff.
You got stuff in Microsoft Cloud. You might even have multi cloud. And so you need to be monitoring that whole environment. Rubrik's integrated with Sentinel. You're getting your SIEM information to the security analysts. They can tell when an event occurs like ransomware. So that quick detection. And then, they can use AI to empower the security analysts.
So Copilot for Security can empower them with what happened. what to do about it. So it gives them recommendations and guidance on what to do about it. So it helps even upskill them on the job. And, it helps accelerate investigations, reporting, and then ultimately the quick remediation and recovery.
I think that's really important. So it's the, how quickly can you recover and restore to be resilient. But then how do you minimize that impact up front and realize what we talked about earlier that, with ransomware getting better and the phishing and spear phishing that generally leads to it.
It's a matter of when, not if. Assuming that it's a when, you need to detect it very quickly. And these are the kinds of tools and integration. That's why it's so important.
I think Sarah, you and I were in a room at a previous event when a CIO outlined what had happened with their ransomware attack and said, if I'd known this was just around the corner I would have had a lot more urgency in how we prepared for it. And they walked us through how, in a particular case, Bill, to your point, and David, there's a huge difference between a small outbreak and something that gets Active Directory and all of these infrastructure services that everything relies on, but what I found so interesting about what they were presenting is their EHR had actually been hosted and completely unaffected by the ransomware attack and definitely lost access to it anyway, is that a lot of their SaaS providers said,
Listen, out of an abundance of caution, we're going to disconnect you until you can attest that you have things under control. So even those, minimal sized attacks still had massive outsized impact simply because everyone needs to be very cautious and having, the integration of the insight in the tooling to say, This is what happened.
Here's how we cleaned it up. We know it's under control. These were the records that the user expected and being able to attest that you're clean to re enable some of those services and resume normal business operations is really important.
Hey everyone, Drex DeFord here, and we have an exciting webinar on October 22nd at 1 p.m. Eastern. It's sponsored by CrowdStrike and AWS. We're diving into building a resilient healthcare system, cloud security strategies for today. With cloud breaches up 75 percent over the last year, healthcare systems can't afford to rely on outdated defenses.
So join us as industry experts share practical strategies to strengthen your cloud security posture and adopt zero trust and boost operational resilience. Don't miss it. Register now at thisweekhealth.com slash cloud security. That's thisweekhealth.com slash cloud dash security.
As a CIO, in that partnership of thinking about the expense of doing some of these exercises, the cost efficiencies that need to be built in.
If I think about utilizing Microsoft and Rubrik together, how does it reduce my long term storage and disaster recovery costs and flip that script into how we're actually saving how much one of these attacks may cost us because of the inevitability of when and not if it happens.
I think that same recording that I was referencing earlier this month Donna Roach, the CIO at the University of Utah said, the better contract isn't always about the dollar amount.
Sometimes it's also about minimizing risk. And that's something we're seeing is that boards are making funding available, even out of cycle, just because these impacts are so high. And there may be investments that need to be made because it reduces risk, but also on an operational basis, we're finding that for some of our cloud customers, the ability to reduce spend in other tools or simply to have greater granularity and control over where your backups land and how we can move those around represents something like a 30 percent cost savings over using some of the native tools.
So under the covers, the fact that we can orchestrate those and show that, across Azure. All of your different services are protected. Here's new data that's been created. Do you wish to protect this? And then we have some granularity and control over which of Azure storage tiers we're using. Represents massive savings.
For one of our customers that was 273,000 a month every month going forward. Just because of the tight between Rubrik and Microsoft. We can take Microsoft's data protection tools that they've built into all of their different services and orchestrate those at and drive down costs.
Yeah.
Just to add to that, I'm thinking of one of the research items I was looking at recently, the cost of a data breach is about 11 million according to the Ponemon research. And so being able to avoid or minimize the impact of that And it's not just dollars, right? It's avoiding degrading patient care.
It's avoiding the patient's safety issues. It's avoiding reputational damage. And having solutions that are integrated out of the box from Rubrik Microsoft, it avoids, You having to integrate those and the cost of integration and the time it takes you to do that and the technical debt you take on.
But it also improves the efficiency of your SOC teams. The other thing I'll mention on the ROI side is, especially when you're talking about a mission critical system like an EHR, split it into multiple environments. One of them is your DR, your disaster recovery environment. If you have ransomware or some natural disaster, what do you fall back on?
The reality is a lot of organizations don't do that well on prem, because you really have to have a separate data center and a separate geography, separate risk profile for earthquakes and that kind of thing, and it's expensive to set up a whole DR replica environment, have all the headroom to handle maximum production load, etc.
So the reality is that All on prem. And that is actually one of the highest ROI items in moving to cloud is DR environment. You can configure it in the cloud, do your data replication, but be ready to spin it up on a moment's notice to fall back on it. And so when you're thinking about cyber resilience DR is really important and there's a huge cost savings to doing that in the cloud versus on prem.
I'd love to hear your perspectives also, when you think about how much energy is put into. Making that presentation to an organization about we're going to do cloud migration. We're going to enhance this with the data management that comes with that, so that we have the necessary interoperability. Too often the conversation is it's a fixed cost to do certain elements, and it's not.
It's this continuation of managing your budget around resilience, around these capabilities. When you think about your ability to meet your client wherever they are, maybe they're a critical access hospital, maybe they're a 16 hospital system, how do you engage with your clients to make sure you truly meet them where they are and can help them get there in a really thoughtful and protected manner?
Yeah, so I think what's super important is when we talk about healthcare, start with the focus on healthcare itself. Like how does the cloud help healthcare? And it helps them focus more on healthcare, right? Because they're drastically reducing a lot of technical debt that they have in maintaining their own data center, their own servers, all that stuff.
But it also helps them improve their agility to innovate. And in this era of AI and very exciting new thing, being able to spin up new capability really quickly and take advantage versus having to build your own sort of AI hardware and software and stuff on prem. There's very clear advantages to agility to innovate.
The other thing I'll mention is elasticity. So in the event of unforeseen things like COVID, there's a sudden need to ramp up in certain areas, and that's something you can do very quickly with the cloud. It's much harder to respond to that kind of a shock with on prem. And the last thing I'll mention, and security and compliance should always serve healthcare, not the other way around, but improving your security, improving your compliance with the cloud.
So as you're putting those workloads on the cloud, being able to lean on your cloud provider for security, for compliance, I think is one of the best things. It's ironic that in the early days of cloud, it was viewed as much more risky. Now, quite the opposite is true. A lot of organizations specifically going to the cloud so they can lean more and more on the cloud provider.
We literally employ over 10,000 cybersecurity experts and Rubrik plus Microsoft integrated. It's just so much better than what you could do alone in your own data center.
Sarah, David's completely right on that metric, the 11 million dollars being the impact of a ransomware attack, but it's important to also note that's the median cost, and that there's a lot of things that aren't included in those costs. So not to keep harping on this issue, but I am sometimes astounded by when you quantify all of these costs over time, the number it adds up to. So it's worth noting that the median U.S. healthcare organization is one to two hospitals and something in the neighborhood of 250 beds.
If you're larger than that you may be surprised to start skewing some of those median numbers to an organization of your size and recognize that there are a lot of costs that may not be included in that. For instance, just notifying. I was working with the chief compliance officer of a health care system in Arizona.
And she was walking me through the process of how notifications are handled when there's a data breach. And it's roughly a hundred dollars per person, per patient that has to be notified and that notification cost isn't included in this overall cost of a data breach. And she was walking me through how, if she can't articulate to OCR, which records and which patients, she may be required to consider that it was all records and all patients.
So then we notify all patients, and now all patients are eligible for credit monitoring and for being part of the settlement. And so these costs snowball drastically. And my team has consumed over a hundred third party case studies, articles, et cetera, to arrive at a calculator that helps us quantify what those impacts are.
And so it takes us a few data points and inputs to say, over the first five years, your impact of a ransomware and data breach could be this much, and those are startlingly high numbers, and I think it drives some of that urgency the CIO was talking about of these are problems really worth solving.
Proactively remediating your sensitive data ahead of time might be pound for pound, after MFA, one of the most prudent investments you can make.
Yeah, the Scripps outage I think was 110 million was the reported amount, so that skews the average a little bit.
Now, the question I wanted to ask you guys is, environment is getting more complex and while I have some things in Azure, I also have some things in AWS, I also have some things in, fill in the blank, in Rackspace, and I have local stuff as well. Complexity of that is really interesting and a bunch of that stuff hasn't really been in my control.
I purchase a SaaS application and they go, Hey, we're over here. And you go, okay, so our data's in Azure, or our cloud could be hosted in Azure or somewhere our EHR could be hosted there somewhere else. I'd love for you guys to talk about those really complex environments because it's not just the large health systems that have proliferated across these cloud environments, even some of the smaller ones have proliferated across these environments.
So definitely agree. The environment is more complex. The end-to-end IT environment. On the endpoint even we've got Windows, you've got iOS, you've got Android, but then you've got on-prem stuff, you've got stuff in Microsoft Cloud.
You could even have multi-cloud, Bill, to your point. And so how do you manage that? And, you need to know where your data is. You need to be able to discover it, identify it, classify it, label it, protect it. And so the whole data governance throughout the whole data lifecycle, really important from collection to disposal.
And it's a reality, and so we've really embraced that at Microsoft, and so our tools work across the end to end IT spectrum, across platforms, so even Linux and, of course, Windows, but, even Android, iOS. And for multi cloud, even tools like Azure Arc can see across the cloud. Different types of clouds.
I think it's all in the spirit of that integration, meeting reality where it is, empowering the security team with that integrated unified view so that they can monitor efficiently and they can detect quickly and respond and contain and remediate.
Bill, I think there's another thing that's driving the challenge that you're outlining, which is, traditionally, I grew up in IT infrastructure.
We owned everything on premises. In all humility, let me admit to being part of the problem. I was difficult to work with. So when developers wanted something, they were like, we're going to public cloud because that guy's insufferable. So a lot of organizations' first forays into cloud is led by not IT infrastructure, some other group.
And then as not your SaaS applications are going to be owned by your line of business owners and users who don't necessarily come from an IT background. And then you as the CIO bear responsibility for answering compliance questions around is our data protected? What sensitive data is where?
Who has access to it? And so that's why we've taken an approach of we'll translate your goals and intentions to these various clouds. So if you say these are data classification policies or I need to retain this data for this amount of time, you can then tag those workloads and we'll apply what you need to know or how to translate that goal to those various clouds, whether that's AWS, Azure, or others.
But the bringing all of that together so that a business owner or a CIO can have a view of these users are accessing this sensitive data at this rate, and all of a sudden that changed, or I didn't know that there were social security numbers out there on that application, in this cloud, or this user has in their phone folders on my SharePoint, for instance, something that really shouldn't be there. The ability to abstract away that complexity and give you a holistic view across all those environments is something that our customers are appreciating.
was interesting to me when I got moving to the cloud was from IT.
It was not from the end. The end users were like, wow, yeah, I used this service and I'm able to share files with my grandmother. And yet, I had like radiologists saying, I can't share the image from here to the physician who needs to read it like at the next hospital over. They're like, could you be more like this file sharing thing?
So they understood the power of cloud and what it could do and that kind of stuff. But from an IT perspective, it was people like you, Josh. It was people like you who were holding on and saying, you know what? This is more secure. It's more all this, all the things that we were saying back in the day.
And it's really proved not to be the case anymore. There is just, as you noted earlier, there's just, you guys have more security staff than we will ever hire. You have more resources. And wondering if we're still feeling pushback from the IT organizations, or if the IT organizations are just saying, no, this is just part of the new architecture is you're going to be in cloud environments.
So Bill, I would throw out there that we, the architecture has to come first and expectation as a CIO, my last role, we were going completely cloud native and the expectation that our partners were steps ahead of us. And so David, I'll start with you. As you think about the innovation that needs to be occurring to stay in front of what is next so that your partners or your clients can count on you and how you're sitting in front of product development so that the evolving healthcare challenges are something that I can put my trust into you and Rubrik as part of my partnership as a CIO.
Yeah. So we talked earlier about agility to innovate and the positive of that, enabling healthcare to innovate quickly and all kinds of use cases around improving patient quality of care and access and reducing costs and improving efficiency, etc. But it's a bit of a double edged sword, right? Because it's so easy to spin up a workload in the cloud.
And even in a data center halfway around the world, you do get the shadow IT sometimes happening. And so that's where it's really important to have the integration we're talking about. And enable the SOC team to manage that, have visibility and manage that efficiently and stay in compliance because it's not just, hey, we have too many workloads.
We're using too much of the cloud. It's costing us too much. That's one effect. But it can actually be a compliance issue if the raw, if sensitive data is put in some new jurisdiction and all of a sudden some new data protection law kicks in and so it can be a compliance issue. So you need to have that visibility, that integration, that compliance and efficiency of tools like a policy, like I don't just mean the written policy, the automated policy rules that say, Hey, for our organization, you got to keep it within the US.
It can go to our DR center over here, or it needs to stay in our production center over here, but you shouldn't be spinning up a workload in some foreign country. So I think that's super important. Sarah, did that fully answer your question, or was there more to it?
There's a bit more to it, and Josh, I'd love to hear your thoughts as well as I want to know that telling me what's coming and the things that you're thinking about allow me to be really thoughtful in my annual budgeting and the roadmap that I have to present because very often we're going to get a point finite amount of dollars, we're going to get a finite window in which we can plan out what's going to be happening next year to avoid all the asteroids that come in separately, of course.
But as I think about you telling me 18 months from now, this is what your environment's going to look like because of the investments that we're making in R&D. What does that conversation look like with your clients?
Yeah, I think it's one of the biggest values that a good sales team, cause I happen to work around the sales team, can bring is saying, this is what we're seeing in your peer organizations.
And these are the challenges that we're being asked about. It's our sharpest customers are the ones who ask those questions and are letting us talk a little bit about what's happening and what we're seeing. Going back to David's discussion about security is, definitely we reached that tipping point a long time ago where cloud is actually more secure, and Bill, to your question, I don't see any pushback of organizations moving to cloud.
There's an agreement that it is probably more secure and that you'll never be able to employ nearly as many security specialists, but I think the same thing is also true from a product development and integration standpoint. When you're looking at, because no one organization can deliver all of the tools or solutions across all of the different needs that an organization has, it's a question of who owns the integration roadmap and the burden for closing those gaps between roadmaps.
Is that coming out of your budget? Bill and Sarah, are you guys deploying a ton of developers and needing to own that IP going forward, and every time Rubrik or Microsoft changes their roadmap it's rework for you guys? Or do you choose from families of companies that have decided to partner together that are doing active co-integration and co-development and owning that roadmap going forward, where you've got people who aren't on your team who are being paid to do that work that aren't coming from your budget, and I think that's a powerful argument for specific vendors or ecosystems that you buy into is who's going to own that integration going forward and how can we find the right balance between owning it ourselves and other organizations owning it for us?
I'm just so impressed that Sarah was taking it to cloud native. Aren't you impressed by, man I think we were like decades away from cloud native at our health system. So that's really impressive.
Infrastructure is code, and some of the things that people get scared to actually talk about.
I don't know how many times people have said, you could do that because of the size of your org. And I'm like, you can start anywhere in those spaces, especially when you have partners who have a passion for that. And David, I love the conversation we had about, okay, so IT is there, everyone's there. And now you actually have to make it happen.
The adoption of the technologies to keep it safe, asking a physician to put MFA. And what's been fascinating is, you go do your annual risk assessments, you go into some of these environments, and I've yet to not have a turnaround plan. That's been my responsibility when I go into an org, except for This Week Health.
And realizing that now I have to ask clinicians to put extra steps into their workflow that they may believe is hindering their ability to provide quality care. And we threw a lot of point solutions in there. When you think about aggregating point solutions in a way that is thoughtful and protects your environment specifically for your clinicians, what works?
Yeah, the usability thing is super important, right? Because end users like clinicians are being empowered with so many different technologies that if something becomes cumbersome because too much security is in the way, they'll start with the best intentions doing workarounds for the benefit of the patients.
And unfortunately, other issues pop up when they start using bring your own device and apps and bring your own cloud and all that stuff. So it's super important when security is introduced for usability to be maintained. And so if you're talking about multi factor authentication, Sarah, to your point technologies like tap and go, technologies like biometrics can really help introduce MFA in a way that is minimally intrusive and actually, in some cases, actually improve efficiency of the end user while also greatly improving security.
It's one of the elements of zero trust, multi factor authentication. And usability is really important if we ignore it as security professionals. It's whack a mole, that risk you were trying to whack will pop up somewhere else because somebody has figured out a workaround. And again, with the best intention, they're focused on patient health, right?
We have to prevent that sort of workaround reaction. With a need for it. We have to take the need away by making what we introduce with security very usable, very efficient, and it works from the end user's standpoint. And I would even extend that to security. Sarah, I know your question was focusing on clinicians, but I think we really need to think about the security analyst.
Games and health and life sciences which are being just crushed with data and what can we do to make their job easier and that's one of the things we're really excited about is AI and Copilot for Security and integration we have there with Rubrik around Sentinel and so you got all this telemetry coming in from the complex end to end IT environment even multi cloud.
The AI is helping them figure out real time, with threat intelligence coming in from Defender, what's going on, what should they do about it, and then accelerating their response, containment and remediation. I think that's super exciting. That's another tool that doesn't add a lot of load. In fact, it greatly improves the job of the security analysts and even helps upskill them on the job.
Sarah, I think there's another lever there. And when we think about usability, there's how much inconvenience am I willing to put up with in order to be a good corporate citizen? And we learned the lessons in on premises IT of the importance of user education. And one of the things that I've seen some really forward thinking organizations do is that user education piece. I don't think it changes just because we've got generative AI and cloud and all of these new and cool things. The importance of helping end users understand here are the consequences of potentially end running this, or this is what's at stake. If you read some of the articles about what life is like for practitioners in some of these healthcare systems, day 10, day 15 of running on paper that was only meant to hold them over for three to four days, that level of pain is a huge motivator.
And there are organizations that I've worked with that are, for instance, running competitions to see which department gives up the fewest credentials in internal phishing tests. And that organization gets 10,000 to spend on whatever the heck they want, right? And people who fail that internal phishing test too often may actually be separated from the organization because the consequences are so high.
There was a healthcare organization in Southern California that had 23 employees give up their credentials in a single afternoon's phishing attack that then resulted in a bad data breach. So when we conduct these ransomware experiences on premises with people from across not just IT, but also the line of business, Chief Nursing Officers and CMIOs.
And they walk through the implications of what could happen and how organizations get in. It gives you an appetite for putting up with that security control a little bit more and helping to understand what happens. In fact, in Rubrik, I've never worked at a company this security conscious. Some of our phishing tests are so realistic that people have started ignoring texts.
We're a relatively small organization, so there are actually cases where the CEO may be texting you. And we've had cases where sales leaders just ignore him because they think this is another phishing attack. And so it's created a healthy level of paranoia. And I think helping end users understand this is what's at stake, these are the impacts, is the other piece of that usability challenge.
Josh, you just gave us a reason to ignore our bosses.
I'm Bill Colton, I don't answer. I'm like, I thought you were phishing.
Weird.
The human element though is a big deal. Over and over again, we hear about the bad guys are logging in. They're not hacking in. I remember reading Kevin book, what, 25 years ago, about social engineering and how much people, how much information they give up.
And this is before social media was even a thing. And now you can go and reconstruct a person's entire persona just by stalking them online or even watching them online. As you think about the importance of the human element, the technologies there are new to do it better than anybody. How do you really partner with your clients to make sure, to your point, that human element is at the forefront of what needs to be top of mind for an organization?
Yeah we don't do nearly the broad scope of things that Microsoft does, where we have more intense focus on just this one section of cyber resiliency. But one of the things that we do is we assume it could be an authorized backup or administrator of our product who accidentally gets his credentials compromised.
And so figuring out how to architect our solutions in such a way that even authenticated administrator that we can limit the impact that they can have if those credentials get taken is really important. And we do that through like quorum authorization where if somebody's going to make a change that is impactful, we can have a system of enforcement to have another user or another administrator or levels of approvers look at that and say, yeah, that makes sense.
Go and talk with that person. So that helps. MFA, pound for pound, the best preventative measure you can have. But there are ways that organizations have seen that spoofed or worked around. And so to the returning to this conversation about zero trust is, do we even trust the authenticated administrators, right?
Or do we break it up such that no one person and no one person's credentials can cause too much havoc?
Great point. David, can you bring us home?
Yeah. Really important points there. And the zero trust is, I think, the cornerstone and least privilege is a really important one. So whatever the role of the individual, they should have minimal, but sufficient privileges to do their job.
And you also get least privilege in time, where if they need elevated privilege, like administrator for a particular task, they get it for that task, and then it gets rolled back. Super important. Cause again, what you want to avoid is attacker gets in, they get those admin, elevated privileges, and that allows them to pop up from that endpoint and spread right across your network.
You really want to avoid that, right? You want to keep them contained, limit their lateral movement. The other thing I'll mention, if we look at the primary vectors of ransomware, it's phishing but even spear phishing used to be a very expensive activity that, high value targets like CEOs.
But now with the attackers using AI, that's becoming much more practical, feasible to do on a broader mass scale, right? Be skeptical. Deep fakes are out there. Be skeptical. It's zero trust. Don't trust. Verify. So be skeptical. Healthy skepticism. Don't trust by default. Do your due diligence to verify authenticity.
And that's us all in healthcare as good sort of citizens, whether you be a clinician or security analyst, but on a personal level, be very careful too, because they're getting better at hacking individuals. So if you get a weird request from somebody that sounds like your son or daughter or wife, be skeptical, ask them something that an attacker wouldn't know, like a code you two only know or a date you two only know. I think that's the kind of skepticism we need to adopt because these deep fakes, the use of spear phishing and phishing by attackers that are empowered by AI is going to increase.
We need to empower ourselves as individuals and as employees to do better.
team likes to say stay a little paranoid. Thank you so much for your perspectives today. What I appreciate most about your partnership and what you bring to our industry is that there is the technology element, which y'all figured out incredibly well.
The human element, all the way from educating the end user, all the way through that CIO's presentation to the board, is something that comes with that partnership. But before we wrap up, thank you to our panelists for sharing their time and expertise with us today. Your insights have been invaluable, and we truly appreciate you.
I also want to again thank our sponsors, Rubrik and Microsoft, for making this event possible. Their support allows us to bring these critical conversations to our healthcare community. Have some good news for those of you who may have missed parts of today's webinar or want to share it with colleagues.
We'll be releasing this session on our This Week Health Conference channel a couple of weeks from today. Many of you reached out after past webinars asking how to catch up if you couldn't attend live, so now you can tune in on the podcast and share it with your peers. Thanks again to everyone for joining us.
We look forward to seeing you at our next webinar. That's all for today.
Thanks for listening to this week's keynote. If you found value, share it with a peer. It's a great chance to discuss and in some cases start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. it if you could do that. Thanks for listening. That's all for now.