This Week Health
Newsday: Digging Deep Into HIPAA Updates and Expectations with Josh Tacey


July 21, 2025: Josh Tacey, Enterprise Architect at Omnissa, joins Bill for the news. They discuss all things HIPAA security-related as the refinement process continues to advance. The conversation centers on the controversial 72-hour business continuity requirement—can health systems really restore operations within three days when current ransomware recoveries take weeks? Josh explores whether mandated network segmentation actually helps attackers by providing a standard blueprint, and why Active Directory remains every hacker's primary target. 

Key Points:

  • 01:46 HIPAA Security Rule Issues
  • 07:52 Challenges in Network Segmentation
  • 10:58 Access Control and Vulnerability Patching
  • 18:20 Architectural Practices in Healthcare


Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Omnissa is the digital work platform leader, trusted by thousands of organizations worldwide as the former VMware end user computing business.

It enables IT teams to provide secure, personalized experiences for every employee on any device. The Omnissa platform integrates multiple industry leading solutions across unified endpoint management, virtual desktops and apps, digital employee experience and security, plus compliance based on the trusted Workspace ONE and Horizon product families.

Check them out today at thisweekhealth.com/Omnissa.

Bill Russell: Today on Newsday.

Josh Tacey: It really should be the conversation of not necessarily network segmentation, but how do we do a better job protecting those credentials so that even if we do get hit, they can't escalate themselves to a role within Active Directory, where now all of a sudden they're everywhere. Right?

This Week Health, where we are

Now, let's jump right in.

Bill Russell: All right. It's Newsday. And today we are joined by Josh Tacey with Omnissa, Enterprise Architect for Healthcare. What direction do we want to go here? We could talk about a lot of things. You're very familiar with a lot of stuff, especially on the security side that's going on.

There's a WittKieffer study that I sent over to you that was interesting. It's gotten a lot of traction based on the article I just wrote about it. Let's start with the proposed HIPAA security rule that's sort of sitting out there now. My understanding of the security rule, when it first came out, I was like, oh my gosh, I can't believe this.

But then we had administration changes and those kind of things, and it became kind of murky where this was going to go. Do we have clarity on where this, before we talk about it in more detail, do we have clarity as to where it's going to go with this administration?

Josh Tacey: don't, but we do know that,

So, we are now in the kind of rule making process where the administration is taking in those public comments. Now, if we ever see the final rule kind of published, that remains to be seen. But talking with my colleagues throughout the industry, the general consensus is that we will see a final rule issued for this.

We just don't know what the timing will be.

Bill Russell: Well, we've had major groups come out against this. We had CHIME and others send letters to HHS and to the president asking them to rescind the rule. Why such a reaction? What's in the rule that we, as healthcare systems, would be concerned about?

Josh Tacey: d thing. But the rule itself

So one of the things in there was, in case of a cyber attack or a breach, to be back up and running and able to practice medicine at capacity within 72 hours. And that's a tall ask for many organizations. So that was just one of the things in there.

Another thing that was in there was really around network construction and how to kind of segment out the network. And those are all things that are going to require a very heavy lift throughout the industry and are going to require a lot of effort, a lot of time, and obviously a lot of money to get it done.

So, I think that's where a lot of the anxiety comes in, is not necessarily the spirit of the rule, but the implementation timelines and the amount of work that it's actually going to entail.

Bill Russell: I agree with you. I don't think, I don't, no one would say that CHIME is against moving cybersecurity forward or the American Hospital Association or any of those.

They're absolutely for

Like they just, they changed some rule, they changed something, and, oh, well, we've gotta redo how we're doing sharing. We're gonna redo how we connect up our practices, whatever, based on whatever they happen to spin up in DC. And so, DC, or in our case Sacramento or Austin, because we were in several states, and I feel for some of these health systems, because they're in 25, 24 states and they don't only have to keep an eye on DC, they have to keep an eye on 24 different

states. So, yeah. And so that's a

I'll come back to the 72-hour. No, I'll start with the 72-hour one, because that's probably the most difficult one. We've done interviews on our show of health systems that have been ransomed. On average, to get back to EHR functioning again, this can be pretty broad, but it's two to four weeks essentially for the EHR to get back up and functioning.

And so you had Judy Faulkner stand on stage last year and propose a, what's the best way, I forget what the terminology was, but essentially it's Epic Light. An Epic snapshot type thing that you can stand up, and you could technically meet the rule and be functioning, like you could look up records and that kinda stuff.

But it's not a full functioning Epic by no, not

Josh Tacey: by a stretch.

Bill Russell: function, but we're limping

Josh Tacey: Yeah, I think that's where you're saying, you mentioned Epic and I know the other major EHR vendors are looking at the, kind of the same thing as what can be provided right at a very near term, very almost real time kind of perspective when things have all gone very wrong and get patients seen, get people in the door, make sure your ORs and ERs are still functioning while you kind of reconstruct the overall IT landscape

because that's just going to take longer.

Bill Russell: But on the flip side, Epic's out telling people go back to thick clients. It's like, okay, we want to help you to get back up and running quickly, and we want to go back to thick clients. Well thick clients, if they actually ransom the entire environment

Josh Tacey: you're not fixing 30,000 machines in 72 hours.

You're, You're not. Right. That's.

Bill Russell: the thin client world, though,

I mean, because we could just spin those things up, spin those down if they're compromised. They're compromised. I mean, you could just, essentially just

Josh Tacey: Salvation is a reboot away, so to speak, right? If you're doing a published app kind of regime, or you're doing a virtual desktop or those types of centralized technologies, then yes, at worst you might have to recover those.

But that's not recovering 30,000 of anything. That's recovering one image or two images and getting those back up and running. It becomes a much more feasible task than an entire fleet of machines.

Bill Russell: Yeah. And I could create a clean room with all of my desktop images ready to go at a minute's notice.

I hadn't heard about the network segmentation, and because amongst architects, amongst CTOs and others, there's a lot of different philosophies around network segmentation, how to do it effectively, how to do it properly. There's no like common way to approach this that I've found.

network segmentation is good

And I said, look, there's still a whole bunch of services that need to traverse horizontally, laterally across your network. I said, well, like what? He goes, Active Directory. He goes, Active Directory, if you can get on that stream, if you will, I mean, if you can get on that stream. He goes, so they ride that across the entire network. And I thought, oh, that's really interesting. So no matter how much you segment, you still create a way for traffic to traverse the entire thing. And so now I hear people talking about even segmenting their Active Directory.

you will segment your network.

And will that stand the test of time? And if you tell everyone to segment it the same way, doesn't that help the attackers? Like they have a blueprint, right? They have a

Josh Tacey: perfectly good blueprint for everything. Yeah. And so that, that's one of the feedbacks, when we read a lot of the public comments especially, right, the larger organizations.

because the rule actually just says: require network segmentation. That's it. That's all it says. Yeah. And so to your point, that could mean many different things to many different organizations, and also to your point, this is why we see cybersecurity attacks. These aren't the old school, kind of the yesteryear worms that attack the actual Windows.

t how do we do a much better

To get more rights inside Active Directory, inside the organization. How do we do a better job protecting those credentials so that even if we do get hit, they can't escalate themselves to a role within Active Directory, where now all of a sudden they're everywhere. Right? How do we keep them contained, not necessarily contained, but keep them away from services that touch everything and try to keep that blast radius down? That becomes important.

Bill Russell: n of employment. My gosh. We

How are we gonna enforce this?

Josh Tacey: One of the provisions of the rule is around kind of, not necessarily the enforcement, but kind of the auditing of being able to, because right, the old security rule said you had to have all these things, but there was no mechanism to like annually like check.

Right? It was, oh, okay, we had to do a disaster recovery table read, but that doesn't really mean anything. Right? We all just sat around and said, okay, these steps seem to make sense. Part of the rule is that this becomes, to your point, how do you actually audit this? Well, part of the rule is to actually test your procedures to make sure that they work so that, yeah, you're right, an hour after an employee's been terminated, how do you actually know that their access has been revoked?

things that are really good for.

Bill Russell: yeah. Some of

Josh Tacey: those authentication tokens live for longer than you might necessarily want them to in that particular instance. Right. It's balancing the normal, like clinician kind of, ease of use and security. We always have to walk that line.

Bill Russell: It's tough. This one doesn't make sense to me. I mean, let me rephrase this.

Can you believe they gave them

Exactly. A critical. That's forever, right? Because Drex and I have had conversations on the show talking about the use of AI to create attacks, and so we're monitoring those vulnerabilities, they're monitoring those vulnerabilities as well. They get notified, they take that, they put it into this thing, they create code and away they go.

If you give them 14 days to attack, or 15 days to attack, or 30 days to attack the known vulnerabilities. And I'll tell you the other thing is, it's not hard to figure out what key applications you're using because that's fairly public information.

And so if you're an Oracle Cerner client and there's a critical vulnerability, I can give you a list. I mean, I could search right now and within 15 minutes give you a list of everybody who's on Cerner, Oracle in the United States, and then I could just start those attacks.

Josh Tacey: Yeah, it is very easy, right?

public facing, like me as a

right? You can find out a lot of that information and to your point, really what's scary about the 15 days or the 30 days is right. There's always going to be those very high-end organizations that take those zero day vulnerabilities and they can do something with them. Right? And those are usually highly targeted.

They're going after very specific organizations. And those are very tough, but at 14 or 15 days, that information gets democratized across the internet so that any bad actor, whether they're well financed or not, all of a sudden has those tools to run those attacks. Right. And that's where it becomes much scarier, right?

Because it's always gonna be difficult to go after the non-state actors that are very well financed and very good at what they do, so to speak. But when that information gets democratized and spread, that's when it becomes really scary.

Bill Russell: of this stuff to me is basic

So when I was doing turnaround work, I would go into organizations and they would invariably tell me how, their infrastructure's really good, but they're just having a problem over, just, over, just focus over here. This is the problem. And I would ask 'em some basic questions like hey, can you gimme an inventory of all your systems?

And they would say, well, and they'd give me a report of the, here's the inventory plus or minus 15%. I'm like, plus or minus. That's not good enough. Like you just gave me an inventory of 200,000 systems plus or minus 15% is a lot of systems that could be either on or not on this thing, and you're responsible for anything on the network.

To be making sure it's patched, fixed and all this other stuff. So I would ask 'em questions about, patching and they'd invariably say, well, here's our policy. And I'm like, all right, so if I go to all your servers, you're gonna be within that policy. Oh no, we're nowhere near that policy, but that's our policy.

ing coming down the road and

I mean, this was the Biden administration. Alright, so we've been talking about this for about a year now. So you've had a year run up of, Hey, this is what they're commenting on, instead of waiting until the end to go. What's going to be there? Most of it's really good practice. It just is. It is. Good practice.

Yes. Yeah. It shouldn't be like all of a sudden like, how am I gonna do this? Not only have you had a year, you've had like the entire tenure of your leadership to get this stuff in place, because this is the basic blocking and tackling.

I mean, they're not putting something out there that's crazy. Business continuity within 72 hours. I understand how hard, trust me, I understand how hard that is. Given the number of systems and the complexity, it is extremely difficult, and very smart people are working on this problem and making strides, but that's sort of the point.

They're

Where do you think this is gonna go and what's your advice to health systems?

Josh Tacey: Where do I think it's gonna go? I think we're gonna see some flavor of this rule get approved regardless. I think it's going to happen. The same advice that you just had there, I agree with, which is:

95% of what is in here is just good security practice and everybody should be working on this. And when and if this gets approved, none of this should be a surprise. Right? Everybody should be having written procedures for patching. Everybody should have a business continuity plan because at the end of the day it's a business, right?

an industry to tighten this

Bill Russell: What's some architectural practice that you see in healthcare that's just every now and then you see it and you just sort of scratch your head and go we should be moving beyond this.

Josh Tacey: So one of the things we do see very popularly is around kind of bring your own device and mobile EMR applications. We see a lot that there's organizations still allowing their clinicians to download and utilize mobile EMR applications on their own devices without any form of device management or any oversight of those devices, right?

They're just able to go download the apps and sign into the applications. And I understand that the apps are constructed in such a way that PHI shouldn't get on there, but because you have no control architecturally, you can't guarantee that. And so we see a lot of organizations that are doing that and it's somewhat concerning, right?

of devices at that point, and

Bill Russell: Security is one of those interesting things. I remember early on in the days of the internet was my first exposure to security, and we somehow, somebody in this organization had put a web server they thought was inside the firewall, within the whole sandbox, DMZ.

Yeah. The

Josh Tacey: sandbox.

Bill Russell: Yeah. And it was actually outside. And I thought, oh, well, we're gonna have to move that inside. Well. I think it was outside for like a day. And by the time we looked at it, it had been attacked and infected by a thousand different directions. And that was just one day sitting on the open.

in early internet. So around

Josh Tacey: Yeah. There, there needs to be some defense in depth, some control, some security, right? Or at least, at the very least, the auditability to understand where your data is. To enforce the inventory side of it, we architecturally, we know that there's lots and lots of healthcare organizations that have no good inventory of where their PHI is potentially within their network, where they have a big, giant fleet of machines.

within the organization and

They're dumping all of this information to the SIEM of your choice. But then they have no, then it's information overload. They have these security teams looking at all of this data and there's just all of these alerts and things coming in, and it's just way too much information and there's no good way to distill what is actionable, right, to what is actually important.

because you see these attacks that could be very easily stopped by, if we just had simple tools to flag like, oh, an account was created. Let's cross-reference that with our HR system. Oh, there was no person that was hired by that name at the same time this account was created. That should be a problem

right? It is very simple kind of connecting tissue that we're very much missing.

Bill Russell: of the log files and too much

If you gave me that same problem today, I would fire up an army of AI agents, which would be combing through those log files and everything else, identifying the actionable items and surfacing them. And I think that's built into a lot of those tools today. I wouldn't have first of all, I mean the team made me aware that, hey, we don't have enough people to look through that stuff.

And we didn't give 'em more headcount, because it's not like, I mean, that appetite is insatiable. But now, combing through those logs, not only is a human subpar at doing that over an AI agent, but an AI agent can comb through logs, do the cross-referencing against the list of systems that you have.

aneously, but in a matter of

Josh Tacey: Agreed. I think we just need to kind of mature that forward of, yes, there are plenty of AI agents that can do that, but we need to mature that forward where it's very easy to consume and easy to deploy, because a lot of that is still very bespoke and very kind of handwritten. As you see, different teams do different types of automations.

We, we need to kind of mature that, so it's much easier to kind of expand out.

Bill Russell: Cool. Hey Josh, thanks for coming on the show. Appreciate the time. Yeah, of course.

Josh Tacey: Absolutely.

Bill Russell: Thanks for listening to Newsday. There's a lot happening in our industry, and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com/news.

Thanks for listening. That's all for now.
