This Week Health


July 12, 2021: Vik Nagjee, Director of Healthcare & Life Sciences for Sirius joins Bill for the news. Microsoft announced that AT&T will move its 5G mobile network to the Microsoft cloud. AT&T’s 5G core will be the first service to move to Azure. Large hospital systems have around 85,000 medical devices connected to their network and a Department of Health and Human Services report shows that they lack consistent cybersecurity plans for these devices. Kaseya is the latest victim of a supply chain ransomware attack. And the GAO recommends that the VA address several critical aspects of its physical infrastructure otherwise it may jeopardize the $16B Cerner EHR rollout.

OPEN NOW! HRSA Announces New Loan Repayment Program for Behavioral Health Providers - Apply to the Substance Use Disorder Treatment and Recovery Loan Repayment Program

Every day you’re using skills to help end substance use disorders (SUD) within your community. The Health Resources and Services Administration is here to help you with the new STAR LRP (Substance Use Disorder Treatment and Recovery Loan Repayment Program). 

Pay off your school loans with up to $250,000 from the STAR LRP in exchange for six years of full-time service at an approved facility. Behavioral health clinicians, paraprofessionals, clinical support staff and many others trained in substance use disorder treatment are encouraged to apply. Applications are open until Thursday, July 22, 2021 at 7:30 p.m. ET. 

Key Points:

  • There's a long way to go before 5G is universally accessible [00:13:25]
  • Is multi-factor authentication pervasive in healthcare now? [00:28:40]
  • You cannot mitigate the risk of ransomware a hundred percent [00:31:50]
  • Air gapping gives you the ability to sequester a copy of your backups to a completely separate network in the event that something bad happens to your main network [00:34:05]
  • Sirius Healthcare Solutions

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Welcome to This Week in Health IT, it's Newsday. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Special thanks to Sirius Healthcare, Health Lyrics and World Wide Technology, who are our Newsday show sponsors, for investing in our mission to develop the next generation of health IT leaders.

We set a goal for our show and one of those goals for this year is to grow our YouTube followers. Uh, we have about 600 plus followers today on our YouTube channel. Why, you might ask? Because not only do we produce this show in video format, but we also produce four short video clips from each show that we do.

If you subscribe, you'll be notified when they go live. We produce, produce those clips just for you, the busy health IT professionals. So go ahead and check that out. Uh, we also launched Today in Health IT, a weekday daily show that is on todayinhealthit.com. We look at one story each day and try to keep it to about 10 minutes or less.

So it's really digestible. This is a great way for you to stay current. It's a great way for your team to stay current. In fact, if I were a CIO today, uh, I would have all my staff listening to Today in Health IT so we could discuss it, you know, agree with the content, disagree with the content. It is still a great way to get the conversation started, so check that out as well.

Now onto today's show, it's Newsday and we're gonna talk about a lot of things, some stories that, quite frankly, I'm not sure I understand yet, and so we'll talk about those. Clearly we're gonna hit on cybersecurity. It's one of the top topics for health systems today, and so we'll try to take a little different angle with our, uh, guest today.

Vik Nagjee, before we get there, I wanna make you aware that this Thursday I'm.

Week health com register. It's on the state of health IT. And what we're doing is we're just taking the interviews that we've done to date this year, and I'm going to, uh, package that all up and tell you what I'm hearing from health systems, what I'm hearing from, uh, cybersecurity leaders, government leaders around where healthcare is today and where it might be going over the next 12 months to say we know where it's going over the next three years, might be.

A little ludicrous because at this point we directionally we know which direction it's going, but we're not sure where it's gonna end up. Alright. So if, if you haven't yet signed up for that, we've had a great response. I'm looking forward to it. I'm only gonna talk for about 30 minutes in that and we have left 20 minutes for a dialogue for a back and forth because that's the, uh, setting I'm most comfortable in.

So, Vik Nagjee is in the house. Vik, how you doing? Doing great, Bill. Thanks for having me again. Vik is with Sirius Healthcare and, Vik, I'm, man, there is so much we could talk about. There's so many interesting things going on. What kind of things are you working on right now with, with your clients? Uh, three areas.

I think one is no shock to anybody but around cybersecurity and ransomware preparedness, but with a little bit of a twist. It's more focused around the areas of what can we apply from what we've learned from organizations that we've helped to get out of an active ransomware attack and recover. How can we accelerate that recovery?

So that's, that's one area that I've been focused on is assuming that it's gonna happen. How do you get out of it a lot quicker than you normally would? So from a. 30 days at this point is that the 34, 30 to 45 days? I think it's, it's getting longer as we go further out because the sheer nature of the decimation that occurs is getting worse.

So it takes longer to recover because there's more stuff you have to recover and different things you have to do. So, so, so there are strategies to pull that back and that's some of the stuff you're working on with clients. Exactly. Exactly right. Yeah. Five days, two days, 10 days. Where, where are we at right now in terms of pulling it back?

I guess it depends on the investment, doesn't it? It depends on the investment and it depends on the organization. It depends on a few other things. But if I was to venture a range, I would say somewhere between five and 15 days is plausible. You could get a little bit more aggressive, but that's sort of the, the target that we're setting.

And you, and you have to be very clear, right? Like, the, the recovery efforts and the remediation efforts don't start until the cyber insurance and the, the outside counsel that are performing the forensics give you your seat back because as soon as an event occurs, you call them as the first step. They come in with their IR folks, you, you, as the IT organization move one seat to the left and you wait.

Get access back to the system till they're done. So from when they say done, we're looking at 30 to 45 days. So we're trying to shorten that substantially. Man, that's fascinating. You said there's some other things you're working on. So when, when. Covid started and, and it wasn't, its in its first round of heydays.

This whole notion around resiliency started becoming important, and it was wrapped on and buried under these. More generic terms that we're relatively familiar with around business continuity and disaster recovery. To say like, look, I need to have my systems be available and be running, and I need to have some disaster recovery capabilities and business continuity capabilities.

So as we looked at this, what we figured was that there's a half way point between. Your normal operations and a disaster recovery where you're sort of rebuilding. And the halfway point is about really understanding your resiliency or robustness of the environment. So we're, we're focused on a program where we work with healthcare organizations to understand very high acuity areas like inpatient nursing units, ORs, EVs, et cetera.

And just understanding the workflows that the clinicians, the caregivers, nurses, providers, et cetera, go through there. And then peeling apart, peeling back the applications associated with those, and then improving the resiliency and robustness of those applications. Therefore, applications and technologies, therefore improving the resiliency and robustness of those.

So that's the second piece that we're focused on. Wow. What's the third one? I'll give you only like 30 seconds to gimme the third one. Cloud. That's, yes. Okay, I got it. Well, hey, I'm gonna ask you a question. Where, where are we at with five G? Um, there's a story here that you and I are gonna pick apart a little bit, which is Microsoft to acquire AT&T's network Cloud technology, and Azure will power AT&T's five G network, five G on the hype cycle.

Are we looking at it in healthcare or is it still one of those that, hey, it's, it's out there a little bit. I think it's out there a lot bit, and it depends on who you ask as to how far out it is. It's definitely got a lot of potential. Definitely does. There's no question about it, but, but I think just like with everything else, there's so much else in the way before we get there, let alone the readiness of the providers in terms of the infrastructure, et cetera, that's needed for the antenna stuff.

But there's just so much before we get there that I think it's a ways out. Yeah. And that's, that's what I was telling people as well, especially as the hype was starting to, to grow. I'm like, look, my gosh, I mean, how, how much work do we have to do before we get coverage in major cities? How much work do we have to do before we get coverage across our internal networks and and whatnot?

And then we have competing, uh, standards essentially. And technology, which players are gonna win, which ones aren't? Alright, so let's try to pick this story apart. As I said, Microsoft to acquire AT&T's Network Cloud technology and Azure will power AT&T's five G Network. Just on that title alone, I'm like, so did Microsoft acquire all of AT&T's five G?

That's now run in Azure. That's, that's what the, the title would lead me to believe. So let me give you some of the story. Microsoft today announced that AT&T will move its five G Mobile network to the Microsoft Cloud. AT&T's five G Core, the software at the heart of the five G Network that connects mobile users and IoT devices with internet and other services, will be the first service that will be moved to Azure.

AT&T will further bring its existing and future network workloads to Azure for operators, so Azure for operators. Okay, so Microsoft is gonna acquire AT&T's carrier grade network cloud platform technology, the platform that powers the AT&T five G core network, and talent. So they're acquiring the core and the talent to further strengthen its five G cloud technologies.

Also, Microsoft will acquire AT&T engineering and lifecycle management software used to develop and deploy a carrier grade cloud that runs containerized or virtualized network services. Microsoft will make this platform available to other network operators through Azure for operators. So let's, let's stop there.

I, I'm not sure where I'm getting this from, to be honest with you, MSPoweruser.com. Anyway, so, so that's what they're saying. It's, it seems like essentially what we're going to do is we're going to turn the AT&T five G backbone into a, as a service that can be provisioned through a cloud provider such as Azure.

And then we're gonna have operators, and I assume that that could be hospitals and health systems and whatnot who are gonna be able to provision those services through Microsoft AT&T's Partnership, five G Core Network. I, to be honest with you, I'm still, and, and I rarely do this until I really understand the story, but I was reading this, I thought you're a good person to do.

Do get a picture. No. But, but, but I have, I have an idea because again, literally the first time I heard of this was when just as I dialed onto this thing as we were catching up before we, we hit the record button, was the first time I heard of it. So I haven't really even, even looked at the, the article you were talking about.

But based on what you read, I think like it's the, it's, you gotta look behind the curtain a little bit, right? I think that it makes sense for Microsoft as a cloud service provider to get into the telco business because in order for you to be able to take advantage of Azure capabilities, regardless of where you're running your stuff, where your data center is in a hybrid mode, et cetera, et cetera, where wherever you are in the country, the first thing you need is connectivity into Azure.

And right now there are a few different ways of doing that and there are long haul providers and carriers. AT&T is one of them. AT&T is very, very prevalent in metro areas. Right. And, and I think what they're doing is they're making a play based on what you just said, is I think they're making a play for their entire carrier business, starting with the five G piece.

And I think that that's an interesting play. I, I didn't kind of see that one coming, I guess, and I wasn't tracking it. I didn't see it coming either. The last paragraph here says, with Azure operators can provide more flexible and scalable service models, which makes sense is if you do it as a service and it's cloud provision a save infrastructure and use AI differentiate.

I, I like it. I mean, the promise of five G right is, is low latency, high speed communication wirelessly, and we've heard the stories and, and the radiologists that can see the image on their phone, multi-level images, and they're, they're seeing it as if they're sitting at their desktop on five G. It's just not qui.

Five G on this street corner, and the next street corner, you're back down to 4G. The other thing too is like, it's all carrier dependent, right? That's the biggest challenge. It's like, it's not a, it's not a five G for all work across the various carrier. It's all dependent on what the carrier does. I mean, Verizon, I'm an AT&T customer, for example, and in the area that I live in, there's, there's not a chance that that's gonna be, and I, I'm, I'm in, I'm in, I'm in Chicago, like just outside of Chicago, right?

So if I was in Verizon, I would have a better chance, based on what, what the reports say, experiencing five G. So it's not just location and proximity to towers, it's the carrier you're with. So yeah, I think there's a long ways to go before it's universally accessible. Like folks, if I were a CIO today, I would put this on my need to know more list. I'd contact my Microsoft rep and you're gonna talk to your Microsoft rep and they're gonna go, I have no idea what this is, is my guess.

This seems like it's pretty early on in the process, but that's what we were getting to earlier. Five G is one of those things you're keeping an eye on today. You're watching it. I, I would commit to just being a fast follower. It's one of those that system goes in. You really start to see impact and really see to move forward and really impact healthcare.

That's at the point at which I'm going, alright, I'll, I'll move some more chips in. I, I, I, I really believe in a fast follower, uh, strategy for a lot of things. There's very few things that you want to get out there on the edge and take significant risk, and this is one of those, put it in the, the sandbox or.

I don't think you're rolling this out in 2021 and, and maybe not even 2022. We'll get back to our show in just one moment. Every day, you're using your skills to help end substance use disorders within your community. The Health Resources and Services Administration is here to help you with the new STAR LRP program, which is substance use disorder treatment and recovery loan repayment program.

Pay off your school loan with up to $250,000 from the STAR LRP in exchange for six years of full-time service at an approved facility. Behavioral health clinicians, paraprofessionals, clinical support staff, and many others trained in substance use disorder treatment are encouraged to apply.

Applications are open until Thursday, July 22nd, 2021 at 7:30 PM Eastern time, which is right around the corner. To learn more and apply to join the STAR LRP, you can use the link in our show notes or visit bhw.hrsa.gov to learn more. That's BHW as in behavioral health workforce.hrsa.gov. Now back to our show.

Alright, Vik. I hesitate to do this. We've been talking about cybersecurity so much on the show, but there's a couple of cybersecurity stories here. Kaseya ransomware attack, everything you need to know. I could go in that direction or I could do hospitals lack consistent cybersecurity plan. I, I think I'm gonna start there.

It's a healthcare finance story and it's talking about the fact that large, large have upward of 85.

Right, and what this is about is the OIG is essentially making recommendation to CMS to essentially strengthen their requirements for cybersecurity in the hospitals that utilize CMS, which is just about all of them. And there are, they want to update the guidelines. Also also increase emergency preparedness.

There's just a whole host of things that OIG is saying that they want CMS to figure out a way to integrate into their, their measures of, of a health system. How big a deal. I mean, I would assume what's a big deal when you have 85,000 devices on your network? Some of which I know in our case, some of which were still running, you know, Windows XP.

They were FDA approved devices we couldn't update, and if we updated them, we'd lose the FDA approval. And so we had to segment those out and do all sorts of neat things with our network. But how big of a problem is this? Do you think? It's a really big problem, and it's something that. I, I know you've had Drex on, on the show several times, and Drex and I have talked about this quite a bit over the years.

I know you've had Carl on as well, and Carl and I have also talked about this quite a bit. It's a, it's a big challenge and it's a, it's a problem and a challenge, and you have to sort of think about like, what is the probability of something occurring. And sort of a risk matrix on, on that basis. And the risk matrix in this particular case also includes the impact to patient care, right?

Because these are, some of these connected devices are literally connected to the patient delivering medications to the patient, right? Programmable pumps, for example, is the most common one that, that, that folks talk about. And so, so it's a challenge because the, the risk to the organization and to patient care is significant.

It's a challenge because healthcare organizations, networks are not designed to relatively easily embrace. A model which would be necessary to provide the level of protection that really ought to be. And without speaking in tongues, we're talking about really implementing a zero trust framework for medical devices.

And you start from there. And that's super easy to say, Bill, and it's really hard to do and it's really hard to do well in your environment without breaking stuff. And. You'll be told a lot of tales by folks in terms of, oh, if you just pick this platform, it's gonna do everything for you. Right? Not the case.

Like we've seen this movie over and over and over again in healthcare organizations where either the CIO or the CISO or the CTO or the board or whoever decides that they want to go in and start getting some visibility into connected devices. And they go down this path and suddenly they're like, shut it off.

I don't want the visibility anymore. 'cause now I've seen all this stuff that I need to take care of. And operationally I didn't have any structures in place to take care of it, right? Like I, I, if I had operational, if I had operationalized understanding what was going on on the network from these devices, I would've dealt with it already.

But I didn't, and I don't have the operational structures. Now you're showing me all this stuff and now I gotta go deal with it, then I don't know how to do it, so shut it off. So it's back to head in the sand and it's a problem and it's a multifaceted problem that needs to be solved. And what's interesting is that area didn't report to me as the CIO.

The biomed devices. Yeah, it go to facilities. It was facilities and it was outsourced. That's that one I have not heard of. So I've always heard that it goes through facilities and it goes through to the COO and, and what's interestingly happening Bill over the last few years is that there's more alignment now where clinical engineering is starting to move under the CIO.

And has a tighter relationship with it and cybersecurity. And that was the other, the organizational structure challenge that exists when you're trying to deal with this thing is that the folks that are responsible for the devices, and I'm not, I'm not trying to be insulting to any of them, but what they really care about is that these things are on the network.

So they care about the network, that's, they care about patient care. These things need to be on the network. They need to be connected. That's where they sort of focus their time, they focus their time on lifecycle management, et cetera, et cetera. Cybersecurity, and it, and everything else is like not their challenge or their purview or, or any of those pieces.

So bringing it into the organization with the CIO and the CISO really helps this conversation. Let's get to the bottom of why this is difficult. I mean, because when you think about it, it's a device. We network these devices. So that's the first thing. These devices in, in some cases, they move around and, and you have to take that into account.

They're not gonna be plugging into the same network port over and over again. Some of 'em are wireless and whatnot. So you have to, you have to take into account that they're moving, but it, let's assume if they were static, you have to know what the operating system is on it. You have to know, essentially, I'm.

Most of these are FDA approved devices. You have to know what you can and cannot do to them. Now, most of them are communicating information out. In a lot of cases that information, I think it's safe to say in a lot of cases that information is flowing to the EHR in, in which case, what we used to do on the network is just define that, that information type or.

We used to be able to create layers so that essentially, even if that thing was infected, it, it, the information could get through, but it could not infect the rest of your network. But that's only limited, limited response really, because it could be putting out misinformation if it's infected. So there, there's, this is a, are are there other ways that we've, uh, done this?

'cause it is really complex. Yeah. And, and you mentioned some of the, some of the main points, so I, I just to add on to what you said, like not only are they moving around, like now, a vast majority of these are wireless and, and so DHCP comes into play and there's no aspect of being able to tie down a MAC address to a particular thing, to a particular IP address anymore because again, it's DHCP, just shut it off, come back on a new IP address that's been allocated to, in some cases, they need to have.

They may or may not need to have their own wireless network segment because there's some still some third party solutions that require you deploy their own wireless routers and you cannot use your own wireless access points to put it on the network. So you still have to create, you have to create these weird routing rules to go from their

subnets into your subnet through a firewall, et cetera, et cetera. So that's one piece that you mentioned. I think the, the, the biggest challenge is being able to authoritatively identify the device and categorize it. That's the challenge like that, like, and so there's some companies that have done really well with that, really, really, really well with that, with a high degree of fidelity.

And so that's the first thing you really gotta do. The second thing that you run into is simply because there's so many different sources of records and sources of truths for onboarding these equipment, this, this type of equipment. In order to be able to do something with this sort of stuff, you need to be able to know, again, from a central location, from one source of truth.

What is this thing? Where does it live? Where is it right now? What is it doing? Uh, and then the third piece that you mentioned about isolating an envi, a particular device, if it's infected, that's, I think, a little bit harder than it might seem because North South isolation, in terms of saying I can only talk from this system to this other system is relatively easy.

East West. From this system to another system of its own kind that's running in the same subnet is a lot harder. And for that, you really need to go down micro-segmentation and you need to have better controls in your network. And now you start going down this whole rabbit hole of, oh my God, I have to re-architect my net.

You don't, but that's what it seems like. So then it's like, oh my God, this is like a lot of work. Let's just work on other stuff and come back to this when, when it's a problem, there's so much friction and inertia too on the basis of like when you look at it on the surface and somebody throws out zero trust and you go Google zero trust and you find Forrester's papers and Gartner's and whoever else's.

You get overwhelmed. I get overwhelmed. Right. But this is a fair amount of work, isn't it? It is, there's no doubt about it. But the, the key is you don't have to do it all at one shot, and you don't have to do it all to be secure or more secure than you are right now. The idea is like, where do you start?

How do you scope it? What's the first series of things you do? And, and nine times out of 10 in the medical device, cyber security thing, what we found is that it's more the organizational culture and people process pieces that need to first get ironed out before you even start talking about any of the technical stuff.

Once you do that, everything else starts to fall into place really quick. You know, it's, it's, it's interesting. Good is the enemy of the our Yeah. Good is the enemy of the best. Is is one of the phrases, but best is the enemy of good.

Because invariably there's someone in, in your security department, in your consulting ranks, in your leadership team that's like, look, we need to be a hundred percent, you know, this is where we need to be today. And I will, I will admit that man, with what's going on today, I would be spending as a CIO, I'd be spending much more time on cybersecurity than I.

I think a portion of almost every day in a CIO's life today should be around cybersecurity. But with that being said, I think that concept of better is one of the most important concepts. And I, I would look at teams often and say, look, I every day I want to get better at cybersecurity. And if you multiply that times 365 days, we're by the end of the year.

And if we do that over two, three years, we're. More secure environment and we do underestimate, you know, what we can do over three years and we, we overestimate what we can do in a couple of weeks with a couple million dollars, I think. And this is one of those cases where it's figure it out, get started on the journey and just get better every day on it.

I mean, that's, that's my 2 cents on it. Absolutely 100%. That's, that's the way to do it. Incremental improvements. Move the needle just enough in the, in the correct direction. Not the right or left, but in the correct direction. And, and you just keep, you just keep moving, moving forward. Alright, so the other one was the Kaseya ransomware attack and this really went after vs.

Yeah, their VSA software. Which targeted multiple MSP service providers that are out there, these, these big things. It was also a way of delivering patches and other things to organizations. They came out with a handful of things that you should do. There's a, a tool to determine whether you've been infected and they recommend multifactor authentication and, and some.

Finished when I left in 20, gosh, how long has it been? 2016. We had not finished our multifactor authentication rollout because of just pushback from the clinicians of, of some things. So we were working through some things. We had not finished it. Is that still the case, or is multifactor authentication pretty much pervasive in healthcare now?

It's not, but before I sort of elaborate on that, I don't, I don't understand. Why they're suggesting MFA to help protect against the supply chain attack because. It, the way I understand it, it wouldn't the supply chain attack. Are you questioning the FBI? Is that what you're questioning? This is what the FBI's telling us to do.

They're right, aren't they? They're cybersecurity experts. They're absolutely right. I would put more weight behind what CISA says, but, but I think that they're just providing that as a general best practice to do that has no relation to the supply chain attack itself because the supply chain attack itself.

Fundamentally exposes our intertwined nature. And again, Drex and I both have this saying is like everything is connected to everything, right? And this is, this is a fundamental example of how a supply chain attack that impacts a service provider could impact you as a healthcare organization because you have so many business to business.

Third party relationships. That no matter what you do, Bill, there's always going to be a way that ransomware could impact you. And the two main vectors that we've seen through all of the organizations that we've worked with to try to help them get out of the recover from ransomware, one is phishing, to sort of get into a non-privileged user and get their credentials, because that's the easiest, fastest way into an organization.

And it's also an easiest, fastest way to exfiltrate data because in healthcare, every user has access to file shares. And once you start walking those file shares, you start to get all this very interesting PHI and PII information that you can exfil and you don't need to be an admin for that. Right? So that's one piece.

And the second one was pseudo supply chain, where. Of the third party vendors that provide you services that have these dedicated VPNs into your environment. If you go and, you know, impact their endpoints, well then Bob's your uncle. Right? So, so that's what we've been seeing and, and over and over again.

And so, so these vectors are like, again, it doesn't, your perimeter could be really shored up and secure, but, but they have ways to get in. So this, this, just to be clear, this is a CISA FBI release. They say use this tool to determine if you have it, use MFA. Uh, their third thing was implement allow listing to limit communication with remote monitoring and management capabilities to known IP address pairs, which makes sense to me.

All right, so you're only communicating with a trusted pair. Administrative I RMM, remote monitoring manage network. A firewall on a dedicated administrative network. Okay. All, I mean, all those things really make sense to me. One of the things I wanna come back to, and, and actually to be honest, this is just, you mentioned it again here, which is you can't, you can't mitigate the risk of ransomware a hundred percent.

All right. So my understanding of ransomware, I, by the way, I don't disagree with you on, on that, but one of the things I've been saying is too many people are saying it. And so I agree, you're gonna get attacked and they're gonna, they're gonna infiltrate your network. I agree with both of those things, but I want to talk about the recovery, which is what you were talking about earlier, because I think that's one of the key components.

I don't think every ransomware attack has to be experienced the way that Scripps experienced theirs or the way that Sky Lakes experienced theirs or even, I mean, there's even outside of our industry, some of those other organizations have experienced either by paying the ransomware or whatever.

I mean, just some of the basic things, which is we, we went away from air gapping our, our backups. And one of the reasons we went away from air gapping our backups is because it's, uh, labor intensive and.

Back in the day, we used to have tapes and we'd send 'em over to Iron Mountain and they'd bring 'em back when we needed them and all that kind of stuff. And we went away from that as soon as we could because first of all, the, the amount of data we're trying to back up now is, is far greater. It was growing exponentially while I was there, and, and it was, if you just multiply that as it tapes, were just not even really an option.

Are there options for air gapping our backups at this point so that if we go down, we can recover? Yeah, so that's, so that's definitely one area that, that we focus on with healthcare organizations. So every single vendor, enterprise grade vendor in the data protection space, which is a fancy term for backup recovery, right, provides some measure of air gapping configuration capabilities.

But I think it goes a little bit beyond air gapping, Bill, as we've learned more from these attacks. So air gapping gives you the ability to really sequester a copy of your backups to a completely separate network in, in the event that something happens to your main network, then at least you have a, a recent copy over here off to the side that you can, you can restore from right now.

Now, some of the challenges there are: the, the synchronization of data between your production systems and your data protection system has a couple of components. One is the, the actual data that gets backed up, and then there's the metadata that tells the system where the data is. And so what these attackers have done is that they've gotten very clever and instead of touching your backups, now they're just going and obliterating the metadata, which means that your backups are still there.

They're not encrypted, but you don't know how to get to them. Uh, so the question really is for the vendor that you're using, even if you're air gapping, you have a sequestered separate network. How is the platform that you're using synchronizing the metadata between the stuff that's on the outside to the stuff that's in, on the inside in your air gap?

So that, that's one question to ask. The second question to ask is, given that the dwell time for these attackers is on the order of 45 days, which means that they, they get in and for 45 days they're in doing things like exfiltrating data. They're moving around trying to understand your environment.

They're trying to harvest administrative credentials. They're doing bad stuff this entire time. So if you take 45 days as a number, is it worthwhile for you potentially to restore something from yesterday if the stuff that was backed up yesterday and air gapped yesterday actually has the payload still in it, right?

Right. So, so the calculus has changed. The calculus is no longer, you gotta segment your network and have an air gap. Yes, you do. You still need to have a sacrosanct way to get your data, but you have to have a lot more intelligence in place to understand is something going on in my environment that's impacting my data?

Which then I can take action on so that I don't have to go back 45 days to find, you know? And it, and, and then, and then the restoration time is another piece. It's like if you start right, if you start now, it's gonna take you a week, maybe two weeks. We're, especially if it's offsite, especially if it's in the cloud, like you're talking about moving a significant amount of data back, fine, you'll, you'll get it back, but it's gonna take your time.

Right. And again, in the meantime, the resolution we're trying to shrink, so. Yes, it is possible to air gap. Yes, there are other things that you need to take into consideration. Yeah, so we always had two, two main things. We were looking at recovery time objective. How long did it take? VE. How much data are you willing to lose If you, if you restore from 45 days ago, your recovery point objective is, is 45 days.

Imagine how much data you would lose if you had to restore from 45 days. Yeah, so this is, this is why ransomware is top of mind right now. I'm gonna hit two more stories and hit 'em real quick. This one public, anything Amazon.

Uh, state of Washington. And essentially what they're saying is, Hey, its always on nature, listening nature, essentially violates privacy and violates, uh, some of the HIPAA restrictions around data and those kind of things. And so that is going to work its way through the courts and probably should.

The, uh, a bunch of hospitals have rolled those out as really patient convenience kinds of things. And so the more prevalent those devices become, the more we have to consider the, the ways those technologies work and how they capture data and how they, uh, store and share data. So that's. That's just an interesting one.

I don't know if you have any comments on that, but just I, I, I wanted to throw that out. I don't, other than somebody's always listening. So somebody's always listening. Yes. But we hope they're not listening in on, uh, private conversations in the, at the bedside. So that's, that's what the lawsuit's about.

We'll, we'll where it goes. The last one is.

Is overseen by multiple parts of the government and also hashed out as a political top, but, you know, topic on, on the house floor, and then is also reported out in the newspaper every day. I, I can't think of a harder EHR implementation to do than this one. And plus it's the VA so it's, it's people we of.

I know you've been a part of EHR rollouts. When I think about it, I think of all the things that happened that if they had seen the light of day, people would've been crazy, but the reality is they weren't that big a deal, but you just needed to understand the context and you needed to understand the resolutions were right around the corner.

They weren't immediate, but they right around the corner and so.

Out, to be honest with you. Yeah, I think I was, for better or worse, I was at two organizations at the time when several conversations were ongoing with and at the VA. So I was at InterSystems and InterSystems. So VA, the Vista EHR that the VA created is on InterSystems technology. And then subsequently at Epic, when Epic was making a proposal for, for the VA, right?

We all know that the VA went with Cerner. But the, and, and then I actually have friends that are, are at, uh, so these are ex InterSystems friends who have joined or, or started up their own consultancy firms that, that work with the VA and advise them in terms of helping them sort of evolve the Vista application and helping them with the adoption of the new apps, et cetera.

And I, it's a mess, man. It's, it's very hard. It's a very hard problem to solve and I. Adding in those layers of bureaucracy and oversight is causing so much more of a, of a problem and really like at, at, at some point if you just, if everybody else got outta the way and just let the clinicians. And the people providing care, uh, sort of have their say and figure this out.

We'd be done and in so much better shape. And yeah, I, it's, it's, it's hard. It's hard to see. Yeah. All right. Last question. Are you going to HIMSS? I am not. Is that a company travel policy thing or is that a, uh, a conscious decision? There's just too much work going on. Yeah. No, it's not a company policy thing.

We're, I'm gonna have a lot of, I'm gonna miss a lot of my colleagues there and I'm gonna miss seeing folks like you and a whole bunch of other folks. It's a personal decision this year more than anything else. Yeah. Well, if you were just outta curiosity, if you were going to HIMSS outside of seeing everybody, which will.

And actually you look great, by the way. I like the beard. I, everything looks, you didn't put on the, the COVID 15 like I did. So I'm currently dieting to get ready to go back into the, into the, uh, the season where I'm gonna be seeing people again. What would you be looking for as you're going back? How would you prepare for HIMSS?

For me, it's always about reconnecting and just, just. It's all about relationships, right? Just meeting folks and understanding what they're doing, what they're focused on. Outside of that, the one area that I would be very, very curious about understanding better is what all is going on around data, and very specifically around machine learning, AI.

Healthcare both for clinical decision support, but as well historical data from a research perspective. 'cause there's a lot going on there. So that's, that's just something that I'd be, I would be super curious to, to study. We will miss you and it's always great to catch up with you. Thanks. Thanks again for coming on the show.

Appreciate it. Thanks for having me. What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. Perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show.

It's, it's conference level value every week. They can subscribe on our website thisweekhealth.com, or they can go wherever you listen to podcasts. Apple, Google, Overcast, which is what I use, uh, Spotify, Stitcher, you name it. We're out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well.

We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hillrom, Starbridge Advisors, Aruba and McAfee. Thanks for listening. That's all for now.


© Copyright 2024 Health Lyrics All rights reserved