This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Thanks for joining us on this week in Health It Influence. My name is Bill Russell, former Healthcare, CIO for 16 hospital system and creator of this week in health. It. A channel dedicated to keeping Health IT staff current and engaged. Our topic for today is near Real-Time application security. Our sponsor for today's segment is VMware.

At a healthcare ransomware event, an actual event that occurred. We have the CIO for Sky Lakes Medical Center, John Getty joining us. That is a health system that was ransom. And we have Lee Milligan, the CIO for Asante. And Asante is the EHR host for Sky Lakes. They're the community connect partner for Sky Lakes, and they're gonna recount the events.

And the effects that it had on the interconnected health systems, some of the things that they did that, uh, they believed worked pretty well and some of the things that they think could have prepared them better for the event. Uh, we're also happy to be joined by Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event straight through to the end, and I believe with his insights.

And the CIO's experience. This discussion is gonna provide valuable insights into the best practices that are being adopted across the industry and maybe that you can adopt. So we would love to have you join us. And if you want, you can provide us questions ahead of time. It's in the signup form, and we will make sure we address as many of those as we possibly can.

Application security frame up what that is for us addressing.

Bill, if we think about all the time that we have spent with vendors doing third party rationale checks, making sure that these systems were designed to be on our network and aren't going to expose us, we do a lot of that work with our vendors to make sure that as you're putting in technology, it's not going to impact you.

Well, when we think about the in-house developed applications, as we're starting to get to a more patient-focused experience in the clinic. As we are looking at how the payer and provider can start to blend these together, we want to make sure that there is a comfort level. We have to remember that most of the patients, when they're seeing this technology the first time, it's one of their worst days.

So on the backend application, security has to be some of the best In all industries. We can't have an impact, we can't have downtime. We are now seeing in hospital systems around the country we have advanced. Call, call it a kiosk. So we're getting menus ordered. The television is now integrated. Uh, you have ordering systems, status, weather, everything.

So think about all of those developments that have been done to make sure that your patients have the best care and the best experience. We want to make sure that all of the security layers are effective. So when you're building those custom applications, it's not just, will this cause a breach? It is how are we designing the application to not have any known issues?

So I. Our change. The paradigm shift for application development is now the technologies have come up to speed. We've seen this in financial, we've seen this in retail and distribution for the last several years, and now it's creeping into healthcare, real time application security. Through your CICD pipeline, the development and operations teams are now getting a security layer that go right inside of their development pipeline.

It is one of the most. Critical changes we've seen. So application security yields more of a secure, holistic environment. You know, mad thinking through this. We just came through the pandemic. We moved faster in healthcare and technology and healthcare than we ever have as an industry, and it's really amazing the things that we've we're able to and a lot systems would do.

Innovation.

We had to solve for X over the weekend. So individuals were doing something in a skunkworks methodology. They were just building their own system. I believe that one of our biggest impacts from that downtime of having a regular cadence of going through software development systems deployment, we're gonna have to go back and validate that.

Now, I have had these conversations with a lot of healthcare systems and they are concerned that there was a lot fast tracked and rolled out. So now we're gonna have to catch that up. So as we. Raced. As we were at that pace, we were pushing out new, new, new to adapt, adapt, adapt. Now we have to go back and build programs to validate, validate, validate.

So that is one of the biggest paradigm shifts I've seen, uh, especially surrounding the pandemic and the development life cycle. I'd like to ask you, are you seeing more agile versus waterfall? But I think probably before we do that, can you frame that up for us? The difference between agile and waterfall and then what are you seeing more in healthcare as we move forward?

Yeah, so think about it. Waterfall methodology from a product development as we look at software development. We define the requirements. We give a timeline and we say the scope. We get the deliverable content, and we develop it over months and months and months. We have version one that comes out as an alpha, goes to beta, and then it goes to production.

That's more of the waterfall methodology in software development. In the agile methodology, you now have the baseline of code. You have a feature set you want to introduce, and it's much less structured on the outcome that you have a development lifecycle. You have components and capabilities, but the waterfall to agile is a much more project methodology versus product and feature methodology.

And what am I seeing in healthcare? Little bit of a blend. Sometimes we joke and say it's waggle. It's waterfall and agile and, uh, so we have to do the dance like bees do. And, uh, I, I really like the fact that we're talking about it, but one of the most difficult things to do is to communicate and convince leadership teams around the world.

Right now I. That it is okay to have a blend, someone to be all into that agile, very quick, responsive app development, and someone to go back to the stalwart, what was the brick and mortar development lifecycle. So a blend of those is very good, and we're seeing a lot of advantage to using capabilities from each so near realtime application security.

I wanna come back to how we can do this. So how can this be accomplished with applications and systems that are incredibly interconnected at this point in healthcare? We're trying to move data across a lot of different systems. We're trying to connect experience. We're trying to build experience, so scheduling systems, backend data systems, operation systems, billing systems.

We're connecting a lot of things. How can we get to this near real-time application security? Yeah, so it starts with the development team. Those developers need to have education and awareness. As we have oasp coding standards, they need to be up to date on the latest list of the treacherous items. On that element.

We have to make sure that not only that education is done once, but it's done, you know, on a repeated basis with updates around. So as our developers are start, it also means that the tollgate of security has to change. There's a lot of security organizations who hold up a stop sign instead of a question mark.

We don't ask why there's something being done. It just doesn't fit within our granular policies that we have today. So what we have to do, and the culture shift that we have to put in is as follows, when a developer is working. On their code as they submit their snippet as they are responsible for the work that they're doing.

We need to check near real time. That means when you submit it into the repository as it's being validated, even before it is submitted for compiling. So before we turn into an application, we need to check it. Once we turn it into an application, we need to check and validate, and most importantly, before we deploy the overarching system, we have to make sure that the education, the expertise, and also the awareness of security problems are put right up front so that people know the currency of risk.

As well as what the method methodologies are to restrict or remediate. I want to ask you about the healthcare industry and the technology industry as a whole. Within healthcare, we have a lot of different code coming into our environment. We have a lot of partners that are developing code that get distributed.

We have individual practices that we're connecting to.

Enterprise with that kind of effort. I mean that kind of Mm-Hmm. a code be introduced from a lot of different points within the, within the healthcare ecosystem. So I kind of look at it product ratings. So when you go and buy a new tv, you take a look at other people's experience, you find out if they've had issues.

We get a star rating off of that. We now have code that's coming in from vendors. We have great partnership with those vendors. They go through a rigorous process, but you highlighted something, you can take a very secure system, something that in a greenfield is as secure as possible. The minute you introduce something customized, now you throw that out of balance.

So I think that we need to come up with, outside of our vulnerability scoring system, the Mitre framework that already exists. I think that we need to come up with a little bit of that balanced scorecard. That healthcare can use to show when you're integrating your, uh, HR systems, when you're integrating your electronic health systems, these are the components that need to be validated and trusted.

While we do have the HIPAA and high tech and high trust frameworks, we know that those frameworks are going to give us some controlled definition. . In financial, we have payment card industry compliance, but what we have to get to is much more of a healthcare centric focus to look at all of those data elements, how we are exchanging them, and when you're getting that code, when are you allowed to go validate that they're making good choices and have solid process and their background as well?

What kind of tools is the larger tech industry bringing to bear on this? Yeah. So in integrated developer environments, as the, uh, engineers and the developers are working on their code, we now are starting to see application scanning technologies built into these developer environments. As they're finishing a code segment, as they are reviewing it on their own, they can do these analysis.

In real time, they can do the code snippets instead of the entirety of the code. I think that that is a great step forward, and we now need to take that concept of developers and the technology that they use on their desktop, in their repositories, and we need to put a little bit more level up of validation of that, so as we do penetration testing.

For a lot of organizations is a standard in the security practices around the world. We also know that application scanning is a completely different approach that needs to be married together from a healthcare perspective so that it can be shared, and then other organizations can show those vulnerability, change the threat risks, and have them available to all systems.

Fantastic. Special thanks to VMware for their partnership in making this content possible. Matt, again, thank you for your time. Uh, absolutely. Thank you. What a great conversation. We wanna thank our sponsors, Sirius Healthcare and VMware, who are investing in our mission to develop the next generation of health leaders.

Thanks for listening. That's all for now.