This Week Health
UnHack (the News): The Digital Identity and Tool Overload Crisis with George Pappas


June 30, 2025: George Pappas, CEO of Intraprise Health by Health Catalyst, joins Drex for the news. They discuss a new H-ISAC white paper and the North Korean catfish issues, speculating on how you can verify identity in a world of AI. Can AI solve the very problems it creates? The most revealing discussion centers on a startling industry survey: nearly half of security leaders now spend more time babysitting their tools than actually defending their organizations. Join the discussion around whether our approach to cybersecurity has become counterproductive.

Key Points:

  • 01:29 AI and Digital Identity in Cybersecurity
  • 10:56 Nationwide Recovery Services Breach
  • 17:36 Survey Insights: Tool Management
  • 22:01 Cybersecurity Risks to Business Language


Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


Make cybersecurity a priority, not a headache. Cyber attacks put patients at risk and cost healthcare organizations millions. But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable, and they feel little control over the safety of their patients, resources, healthcare reputations, and bottom line.

Intraprise Health brings together cybersecurity experts with over 100 years of combined experience in healthcare to offer a comprehensive suite of innovative software and services. It helps leaders finally unlock a unified, human-centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives.

Visit thisweekhealth.com slash Intraprise Health to find out more.

Today on Unhack the News.

doing something useful. But

Drex DeFord: Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News. Hey everyone, welcome to Unhack the News. I'm Drex, and that guy over there is George Pappas from Intraprise Health, a Health Catalyst company. I still struggle with that a little bit.

George, how you doing? Good. I'm doing great. Good to see you again. Good. We haven't been on for a while. We haven't done this for a while. I always have a good time when we're running through the news and we got a lot of interesting stuff to talk about today. Exactly.

thing that's gonna back into

LinkedIn. And it's about North Korean fake employees and what you can do to not get catfished.

And it's gotten a great reaction. It kind of blows me away sometimes when, every once in a while, something like that really hits. And one of the things that you sent me, as we should talk about this, is from the Health ISAC. And it's a TLP White document. Anyone can get access to it.

It's called Artificial Intelligence and Digital Identity: A CISO's Guide to Implementing Advanced Technologies to Fight Cyber Attacks and Fraud. And in there they talk about the North Korean catfish problem. They don't call it that, but it's the same issue. What were you thinking about that as you went through it and read it?

lly trying to do was to urge

I know.

Speaker 3: Yeah. Yeah.

George Pappas: And they also were not just in identities, but you think about everything that revolves around the identity. Email phishing, right? Access to facilities, access to systems. We've spent a lot of time doing various forms of white hat, black hat penetration tests, impersonating people, and seeing how far we can get. We do that kind of work and other things.

And what struck me about the article was that you think about vulnerability management, which means how can you figure out, among the 10,000 things, what's important,

Drex DeFord: right?

George Pappas: How can you make a phish that is gonna be impactful, and are there a group of people that keep not paying attention?

reading about the email one

Those are all things we kind of look at manually. Well, AI is really good at doing those kinds of things, right? AI looking at those things. Yes. And saying,

Drex DeFord: no, that's not really an O, that's a zero. Or they've camped out on a fake domain. Yeah.

George Pappas: Yeah.

But then, getting back to identity, I mean, this brought back, from my time at DrFirst, identity proofing as an idea. Because we were really the first company back then to do electronic controlled substance prescribing,

Drex DeFord: right?

George Pappas: The DEA was rightfully very concerned about that. And so there was a whole system of identity proofing that was established.

nk as that Health ISAC paper

You had to ask him, well, that's like the stone tablets age. Let's use some intelligence to really make sure that person is who they say they are. Have some kind of warning flares that pop up, do some non-electronic verification steps. Let's also scale that based on the impact and severity and sensitive nature of the job we're hiring for.

t that? Right. So, yeah. You

Drex DeFord: A lot of this, the phrase zero trust is overused maybe, but right. This idea of looking at the applicant and then going through a whole series of things that you wanna look at: that resume, what about their social profile online, right?

All these kinds of things. And maybe those things generate a score, and if you're not above this score, right, there's something fishy about this applicant and it requires a little more research or extra steps that you normally take with other applicants. Correct.

Correct. So things like that, maybe.

George Pappas: Exactly. And that's what, think about credit card issuers. If you're buying a hat in Guadalajara one minute, and then buying at a bar in Prague the next, well, maybe there's an issue there, right?

Drex DeFord: I just got a notification on a credit card and the notification was, Hey, you just bought a game for an Xbox online.

That doesn't seem like a thing that you normally do. Was that you? And I was like, no, that actually wasn't me. So, yeah, it's using AI, a lot of leverage there for things like that too,

George Pappas: I think

So you get high reliability out of using AI in the state it is today to go address these kinds of problems. And it's a way to firm up the infrastructure and take things that today are done with less precision and do them at higher precision at scale. So it made a lot of sense.

Drex DeFord: Yeah. Here's another thing about AI.

We've sort of now branched generally into AI, but one of the things I think I see happening with AI is that sometimes we do things today and we don't really do it well, right? We do it, or sometimes there are things we're supposed to do and we don't do it, and then the idea is we implement AI, and because AI isn't perfect and leaves gaps, we're hypercritical of the AI, more hypercritical than we were about the broken process that we had originally, right?

And I feel like there's an

George Pappas: I agree, and I think some of that is we're seeing this thing that's competing with us, maybe. I don't really think about it like that.

I also don't make a super high level of precision the enemy of better precision, better economic result, and better leverage for the task you're trying to complete.

Drex DeFord: As we say, perfect is the enemy of good.

The thing is too, once you start using AI and you continue to use it and train it, it is the employee that just can keep getting better and better too.

George Pappas: Yeah, and that paper that came out, it's not part of that article, around these steps for safeguarding AI, between NSA and AHA. John Riggi and the team there sent it out.

ite say what's it gonna take

But how are we gonna do all that, and who's gonna have the burden of doing that? I think this is where it's gonna take what we've been living in, Drex, for a while about third-party risk, and bring it to a whole new level. It has to be contended with a little more precision. It's a very complicated problem.

Because even in that document, it was sort of like we were using the techniques that we have today to describe something we don't yet know how to really measure at that level of broader, more general use.

Drex DeFord: I'm gonna wrap this one up and move into the next article. Okay. Sorry. But I mean, I think some of this is just like,

Congrats to H-ISAC. If you're not a member of H-ISAC, you probably should be. Yeah, great organization. It should be in your health system. They have a bunch of these TLP White papers that are available, and it's good. These are great references and great conversation pieces with your staff, so go out and take a look.

ust recently and again, it's

Gimme your thoughts on that.

George Pappas: I almost fell outta my chair when I was reading that one

Drex DeFord: Uhhuh.

George Pappas: I was like, wait a minute. They're letting people know this now, when it happened 12 months ago. And when you see a firm, Nationwide Recovery Services, it's likely a collection agency with a name like that, which is not that big of a deal. But then in their message, the fact that they were so imprecise about what they were able to say tells you that, does anybody really know what happened? Did anybody really share what really happened? Yeah. And that's kind of the problem I have with that.

ng is massive. And if you're

There was nothing there. So the whole thing to me, I hate to use this phrase, it was like it was lawyered up. You lawyered up without really being of help to the people whose data was compromised.

Drex DeFord: I mean, this is definitely a thing that we see all the time. It's like there's breaking news.

Somebody's been breached. Here's what happened, right? It always feels like, not necessarily in this case, but kind of in all cases, we get the general "some data may have been taken. We're not sure how much so far. We have no evidence that any of that data's been misused."

that lack of information is

But I think because lawyers probably get involved, cyber liability insurance companies are called, who immediately kind of put the clamps on everything,

George Pappas: bringing in the team. Clean

Drex DeFord: the area. Right? Nobody can say anything, right? I mean, the yellow tape goes up or the virtual version of the yellow tape goes up, right?

And nobody can see what happens behind that. And maybe, if we're lucky, somebody tells us about what's going on after the fact. But that's when my Signal chats all go crazy, right? Because there's a ton of speculation. A lot of people are maybe making things up, right? Because in that information gap, as in the rest of our life, when there's no information, when you're not transparent, people just do make things up.

George Pappas: Correct.

ion can actually cause us to

George Pappas: Agreed. And the fact that this happened that long ago. I don't know how much time they actually waited until they were informed by this collections agency and then notified it.

But as I read the total lack of actionable information, I thought how little regard for the people that are the ones that are, could be affected by this? It makes me, that to me really

Drex DeFord: came out what? So I know that you guys work on a lot of this kind of stuff too. Yeah. Contract language that you have with third party partners and things that you say in those contracts, like, yeah.

hold if you have to legally

George Pappas: The other part to this, Drex, if you read that language, you don't know if it was because a staffer left and they didn't de-provision their credentials. They didn't really say anything. Correct.

Drex DeFord: You don't know. All

George Pappas: they said was unauthorized access, but we have no evidence that your data's been exfiltrated or shared. So, I mean, that to me was the part that was like, well, so what does this really mean and what should we do? And there's really no assistance at

Drex DeFord: all. A friend of mine, who I think we probably both know, but I won't name the person, told me about a business email compromise situation that they had a few years ago.

And what happened in that situation was that what was being sent internal to the company were reports that had lots of information about patients and lab results and other things. And so when their email was compromised, and because, right, the logging capability wasn't necessarily there,

They had no way to know.

They have to assume that it's all been breached. And they have to report it that way sometimes even when nothing happens. Again, a ton of work and a ton of those letters that have to be sent out and more credit monitoring for everybody when in fact maybe that wasn't really necessary. Correct. You could see that same stuff all the time too.

George Pappas: Yeah, all the time.

done by Splunk and it said of:

Too many tools that are very complicated and hard to manage, and they take a lot of time to be babysat and updated, and make sure all of the whatever, if you're trying to get tools to talk to each other, make the APIs work and all that kind of stuff. You take away the same thing? Or, I feel like in our little preliminary discussion, you might even have taken more away than that.

George Pappas: Yeah, I did, but I started where you were, in that it's a natural instinct to protect what you need to protect

by buying things. The best point solutions you can, to endpoint detection. Yeah. You know, at least. So SIEM data, you know, fill in the blanks, but what does it all mean?

ited because they don't feel

And you have to wonder, is it because they're not able to explain what it all means and why they need more help? And show it in some comprehensive fashion versus, Hey, I got, you know, two less vulnerabilities on this thing today. Well, how do you relate that to the big picture, right? And your assessment and your technical debt and all those other things that a CISO has to do and a CIO has to be a part of.

And so I even, and I'll put on my little psychology hat for a second, think that maybe some of this is, it's easier to deal with the problems you understand than the problems you don't understand or you have a hard time with. And at least you're doing something useful. But ultimately, the next generation of products are gonna have to allow people to put these things together and come up with a way to understand.

ns, not just hospitals. They

Sure. One throat to choke, or at least five or two. With enough areas that are around the things you have to really make sure are getting done properly. So I think that's also what this is speaking to. And in this day and age, AI is sprinkled around as a solution to everything right now.

I do think clearly, with a lot of the machine-readable data at volume, there's lots of ways it can do a job that someone's doing today at scale, and better highlight things that need human intervention. So I'm not discounting that at all. Mm-hmm. I think that will happen, but the bigger picture is, and there was another survey I saw, I can't remember where it was, that said the average,

Okay. And it wasn't even with hospitals, it was like 25 different tools. So I've seen those numbers be even higher.

ome of the surveys that I've

The threat changes. The tech changes. A lot of folks like what they have and what they do, and that's what they've done for the last five years. And so that's what good looks like. We run it like this. We hire these people to do these things, right? We're built in, as you kind of refer to, silos of excellence, right?

and A lot of that's the risk

space for a lot of cybersecurity professionals who talk a lot about risk, but don't have a great way of sort of translating that into business and clinical and board speak. How do you coach people on that? Or how do you advise people around that risk conversation?

George Pappas: It really is trying to get an integrated view, however we do it, with some of our tools, or just getting the client to normalize

the things that they're coping with and putting them into some kind of framework, because the frameworks are out there, and then bringing that all together along with the other organizational choices that have been made and finding a way to present that in the business language. To the board or the audit committee, that's who we normally present to with our CISO or CIO client who we're representing.

ng more or less than others?

Speaker 3: Yeah.

George Pappas: But it takes a little longer time. But the more you can truly bring it together and clarify it, and that's the work we do with our platform, the more understanding you're gonna engender among the directors who have to make these choices, because dollars are tough to come by. You're asking 'em to spend more money, and so they wanna know that you understand where it's gonna go.

Mm-hmm. Not just that you're gonna provide them with a resource.

Drex DeFord: You're building a business plan, right, against risk. And that is the conversation that you're having. Yes. And that risk changes all the time. Correct. Group practices, or decide to build a surgery center, or whatever the case may be.

nd you have to constantly be

Correct. Yeah. Correct. Hey, thanks for being on today. I always feel like we could spend a couple hours doing this. Yes, same here. I love the show. Love

George Pappas: the way we do it. So appreciate being here.

Drex DeFord: Yeah,

George Pappas: thanks. Alright. Talk to you soon. Alright, take care.

Drex DeFord: Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

And that's it for Unhack the

As always, stay a little paranoid, and I'll see you around campus.


© Copyright 2024 Health Lyrics All rights reserved