This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Thanks for joining us on this week in Health IT Influence. My name is Bill Russell, former Healthcare CIO for 16 hospital system and creator of this week in Health it a channel dedicated to keeping Health IT staff current and engaged. Our topic for today is Modern Access Models for access management and directory services.

We are gonna take a unique look. At a healthcare ransomware event, an actual event that occurred. We have the CIO for Sky Lakes Medical Center, John Getty joining us. That is a health system that was ransom. And we have Lee Milligan, the CIO for Asante. And Asante is the EHR host for Sky Lakes. They're the community connect partner for Sky Lakes, and they're gonna recount the events.

And the effects that it had on the interconnected health systems, some of the things that they did that, uh, they believed worked pretty well, and some of the things that they think could have prepared them better for the event. Uh, we're also happy to be joined by Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event straight through to the end, and I believe with his insights

And the CIO's experience. This discussion is gonna provide valuable insights into the best practices that are being adopted across the industry and maybe that you can adopt. So we would love to have you join us, and if you want, you can provide us questions ahead of time. It's in the signup form, and we will make sure we address as many of those as we possibly can.

Uh, identity is the new perimeter. Is that along the lines of what this is, or is it bigger? Yeah, that's one component. You have to be much more granular when you look at it. But yeah, it's who you are, where you want to get to and what you're trying to do. So think about that. We can now start to look at, are you supposed to be doing it?

Should you be doing it? And when can you do it? And those are some pretty cool things. I like the fact that our directory services are evolving, but the brutal fact is, I mean, we've been using the same directory, service baseline since the early two thousands. We have upgraded in place our directory system, and as those directory systems are getting older and older, they start to bring on more risk.

Because they have been upgraded in place. There has not been a solid health check on them. So this is one of the most risky areas of. All organization, not just healthcare, but all organization across the globe. Right now, it's interesting because I'm talking to more and more of these companies that are looking at the behavior on the, on the network and the behavior of data movement and those kinds of things.

That really starts with identity. Identity of you as a person, identity of your. Computer system of which system you're accessing it from, where you're accessing it from. They, they bring all that data together and they say, Hey, you know what? That laptop should never access that smart pump over there.

That's the kind of sophistication that we are hearing about in terms of these tools that people are bringing to bear. But it starts with a solid foundation of the the right access management in the right directory services. Yeah, and I, I can remember back to one of the first design and architecture engagements that I was working on with Role-based access control.

We were talking about directory services and how we would actually define when should someone be working, when should they be accessing a computer? So we built this system and we forgot one key component is that people go on vacations. People aren't available. So then we looked at integrating with the HR system.

So now we start to think about, okay, are we really getting to a point where that we need to have that user behavior analysis and information to the point where that we know when a person is working, where they're working and what they're working on. Well, effectively, yes. I mean, if we don't have a good understanding of that, how is all of the alert system that is responding to going to be meaningful?

How are we gonna start picking that apart without picking up the phone every time and calling the individual? We start to see these behaviors. We see the consistencies, and most importantly, we define and see the outliers. You know, you have mentioned the fact that our directory is.

Evolution from on-prem to cloud are, are we seeing the directory services systems start to morph and have, uh, systems that that can provide that identity infrastructure across the entire, the entire enterprise, be it in the cloud or on-prem? Yeah, and we used to look at Federation of our directory service to make sure that it was accessible by our partners, our contract firms, uh, and any of the third party, uh, resources that we needed access to.

When they started having much more access need, we started to integrate our directories. As we look at merger acquisition and divestiture activity, we see a lot more activity. Most of the directory services as mentioned, are getting very old. They've been upgraded over time. But what we don't always look at from a a compelling topic is what do we want to do next?

Now, in a cloud workload, if we go to an Amazon and Azure environment or Google environment in the three major public clouds, there are built-in capabilities to do this. If a new organization that's a startup, regardless of the industry wants to be effectively secure, they can go follow the path to success out of any of the public cloud platforms.

Our directory services on premise need to evolve as the cloud has, so that's going to be a very compelling and important topic as well. Now. When I look back at most of the breaches that we have been involved with from a response perspective, it's very interesting because it all comes down to access. It all comes down to credentials and permissions.

But most importantly, I. We forget the fact that those are all sourced in one directory, one directory service, and it was never designed to be a security or a repository of security information. Yeah. So those, those elevated privileges are really accessible through that directory, so that this has to be a core component of any security model, I would assume.

Why is that overlooked? I wish I had a quick answer for that. I don't know is the response, but some of the discussions that we've gone through. Of why it's overlooked is that that is not a security component. Our infrastructure team takes care of the active directory. Our directory service module is in the cloud, and that's our cloud team.

Security has not always been involved with the identity access management, provisioning and deprovisioning over the last several years. We're seeing that change drastically the policy and the need to have a much better control plane in place. It is something that we all desire with the cloud. I think that that was really the change.

Um, as we're going through all of these breach responses as we're looking at it, you hit it on the nail, right? It is the privileged and elevated permission accounts throughout the system that privileged access management is violated. Passwords are stored in text documents. They are in clear text on the devices ransomware and malware is written to harvest that data.

But if we could just do one thing and we could do one simple thing in organizations, which is layer on a multifactor authentication into every privileged account, we would drastically. Significantly reduce any event because only credentials that have elevation can make major change. If change control and change management is in place and an effective elevated permission structure with a multifactor authentication, something you have and something.

That is going to be a very, very important part of solving this problem. So you talk about modern models for access management, multi-factor authentication is one of those modern models. Are there other things that we're seeing in the industry to address this? Yeah, so if we take a look at the individuals, that's one of the easiest to solve.

We could give everyone a token. We could force them to have a secondary login. That is a real impact to the user experience. That's probably why it is not implemented more in healthcare systems. It's a drastic workflow impact to the operations. A lot of organizations have figured out how to put that into their workflow.

I. Getting into the patient room, not affecting it, but we also want to make sure that we're being consistent on how that's applied. So in a new modern system, we also have to take a look at those service accounts, the things that are driving all the systems in the background, so not just multifactor authentication, but a holistic privileged access.

Mechanism and privilege service management for their environment. So all of these access credentials, all of the service accounts, everything that runs the systems, the servers, and the footprint of a modern healthcare system need, they need drastically to have this layer of management. If that was in place, we would see only a fraction, a minimal fraction of the events that are occurring today.

Wow. So people are getting in via ransomware, but once they get in via ransomware, that's how they move around and that's how they take control of significant systems. Yeah. The dwell time is increasing. These attacks are sophisticated. So when we take a look at, okay, once you have the keys to the castle, this is what a modern attack firm is gonna do.

They're gonna go in and they're gonna manipulate things based on their . Permissions. So if you're a domain administrator, you're going to start going and locking systems down That lateral movement, as you described, going from system to system, and you may be unmonitored or even unnoticed for months, if not years in an environment.

Those are the types of attacks that could really be prevented. That lateral movement stops after computer one. So where we see a one to many relationship in most malware and or ransomware attacks, the one to many relationship can be made a one-to-one. This attack can stop there, and that is how a modern directory is doing that.

I give a lot of credit to the public cloud providers. They have come up with a very straightforward approach for organizations that don't have a legacy directory system to spin that up right away. We see that in all three of the major cloud platforms. So if we think about what they're doing right, why not apply some of that logic that is used right now in the public cloud providers?

Put that back on premise and follow a lot of those good practice to reduce the threat. Fantastic. All right. Special thanks to Duo for their partnership in making this content possible. Matt, as always, you really segued well into the next topic, which is going to be the evolution of ransomware, and thanks again for your time.

Really appreciate it. Hey, thanks, bill. What a great discussion. We want to thank our sponsors, Sirius Healthcare and Duo who are investing in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.