July 19, 2024: Wes Wright, Chief Healthcare Officer at Ordr joins Drex for the news. They explore the persistent vulnerabilities of medical devices, highlighting the importance of segmentation and the challenges posed by unpatched systems. How can healthcare organizations balance the need for cybersecurity with the operational realities of small, resource-constrained hospitals? Drex and Wes also delve into the implications of upcoming regulations and the potential benefits and limitations of tech giants like Google and Microsoft offering free services to support smaller hospitals. The conversation covers the complexity of third-party risk management and the necessity of rigorous attestation processes post-breach. As cybersecurity threats evolve, what strategies should healthcare providers adopt to protect their networks and ensure patient safety?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Thanks to our show sponsor, Ordr, the Connected Asset Visibility and Security Company. If you want to see every asset and protect against threats, Ordr is a great way to find and eliminate blind spots. They also integrate with more than 180 other security, network, infrastructure, and clinical solutions.
Find out more at Ordr.net/healthcare. That's O-R-D-R, Ordr.net/healthcare.
Today on Unhack the News. (Intro)
Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories. And now, this episode of Unhack the News.
(Main) Hey, I'm Drex and this is Unhack the News. And wow, we're already off to the races. There's a bunch of stuff that happened before I clicked the record button just for fun. But I'm with my buddy Wes Wright from Ordr. How you doing, buddy?
Good morning, Drex. Pretty well. You might hear a dog in the background every now and then. I have a Bernedoodle, a big Bernedoodle. Yeah. And a little Chihuahua comes over like every Monday and Tuesday in the morning and plays with it. About this big. Oh.
Does he agitate it? Is it like a cyber attack by the little Chihuahua?
It's like a friendly, it's like
asking me to come in,
it's like, it's a pen test. It's like a friendly pen test, like a purple team exercise that you're doing over there.
But my dog has come inside and it's still outside and wants to play more. So you might hear it.
Oh, that's okay. I hear a little nip every once in a while in the background.
That's okay. We all have dogs and that's the world that we live in.
I just got a dog like four months ago and documented my blood pressure went down 20 points. Documented. No way. Yeah.
That's amazing.
Got a cap and it went up 20%.
That sounds totally right. Hey, listen, there's a bunch of stuff happening in the news. We could go all over the place, but I'm just going to start with one. I was reading a story about an IoT and OT lab
in Switzerland and a bunch of work that they're doing over there to look at medical devices and how easy they are to break into, just super simple stuff. Like they don't get patched. They don't have operating system updates. They've been out there forever. Sometimes they're exposed to the internet. I know this is an easy story for us to talk about 'cause this is what you guys do at Ordr, but I sent you the story ahead of time.
What do you think about that?
It was pretty interesting. I think "beating a dead horse" comes to mind. We all know that we have to do something about medical devices and the vulnerabilities and that kind of thing. Sure, it's super cool that these folks may be discovering unknown vulnerabilities, but I didn't really get that sense when I was reading it. But you know, it's the same thing we've been dealing with in healthcare IT since the inception of healthcare IT. Actually, healthcare IT came from radiology, as we've talked about before.
So we've just been sticking all these clinical devices together and keeping track of them. And now you can finally see everything that's on your network. And sure, it's great to know down to the nitty gritty, the NATs, what kind of vulnerabilities are on there.
But shoot, if it's a medical device, it should be segmented off away from your network and not accessible via the internet to begin with. Yeah, in my opinion, every medical device vulnerability should not be executable unless you have proximity. Medical devices have hardly any reason to talk to the internet, so don't let the internet talk to them.
Yeah, it's all about, in my mind, and we've talked about this, it's blast radius and damage control. If you've got those medical devices intermixed on any network, your OT network, if those are out there, you've just made your OT network that... Get them by themselves so that you can protect them better.
That's the bottom line. It's great whenever I see something come out on vulnerability of medical devices, just because that's another voice out in the wilderness saying, do something about your medical devices, but I think that was the cumulative effect of that article on me.
Like, yep, got another one saying, do something on this, do something about this.
When you and I chat about this, a lot of it comes back to the just, reading is fundamental, like the basics of being able to find the stupid things on your network and know that they're there and then understand what four other things that device might be talking to. And the other thing you talk about is this segmentation idea, right? If we talk about micro-segmentation, it's a lot of work to do micro-segmentation and put everything in its own separate piece of the network. It's a lot of work if you do it right?
A lot of it is just getting started. Just do something.
Yeah, I think you don't even have to micro-segment, let's do some macro segmentation. Let's get our PCI, and this really is not supposed to be intermixed on your network anyhow, but a lot of it is, let's get your PCI devices off on their own segment.
Let's get your radiology imaging devices off on their own segment. Let's get your PCs on floor one on their own segment. And the ones on floor two on their own segment and floor three on their own. So that's macro segmentation and that, yeah, it's not super easy, but my goodness, it will save your bacon.
That's where you talk about blast radius.
Yes. Yes.
Along the same line. So , that was an interesting story. And like you said, it's always good to hear somebody else chiming in and saying, this is a problem and we need to work on it. The other one is. Coming regulation.
We keep hearing from folks. We were in Philly together a few weeks ago, and somebody who was in the room actually talked about the conversation they just had in D.C. on coming regulation. The regulations are coming, and they're coming soon, and certainly some of this is gonna somehow address this.
Medical devices and the challenges with medical devices, right?
Frankly, I wish people didn't split out medical devices from basic cybersecurity. They're just devices on your network. Yeah, you can't do some stuff. You can't scan them. You can't actively scan them. Remember we were together at a location. They're not porcelain dolls and stuff. They still use TCP/IP to communicate. They use the same protocols. Let's lock those down along with everything, and then it's like the micro-segmentation, and then once you get everything else locked down, now you can really focus on the medical devices because frankly, I've had several people ask me.
I don't know of a successful attack that has originated from a medical device. Medical devices have been compromised, but it's through another attack vector. And that to me tells me, if you've got your basic security down, lock those medical devices down like you would, shoot, a different group of PCs that are running a different application
that's special to it. They're just on the network. Lock them down like they're just on the network to begin with. Then you can dive into them. But that's, we'll go back to the essentials and expanded stuff on the CPGs. To me that's finding the stuff and giving it the blast rate, that is just, that's fundamental.
Yeah. Fundamental and essential. Yeah.
Yeah. Hey, here's another interesting story. And we may or may not agree on this. I wonder. The Biden administration announced that there was some free stuff coming from Google and Microsoft to support smaller hospitals. I have an opinion on that, but I'd like to hear what you think about this idea of them sitting down with those two companies and getting them to give up some free stuff to help small hospitals.
You mentioned something like this on one of your two-minute drills. I did, yeah. And I said something, yeah. Yeah, it's free, you get what you pay for. But that was a little flippant. I think that it'll probably be a good thing. With the rural hospitals, they don't need more free stuff, but hey, Google and Microsoft, you want to, I said, "Hey Google," and my Google, what do you want?
This is the top result. See, there it went popping off. How about just not charging me for the stuff I am using from you right now? That would help me a ton because then I don't have to decide whether everybody gets Office 365 or we get a new CT machine. Hey, in the rurals, if they want to give them pricing, I think that would be cool.
Give them pricing like they do academics, out in the rurals. That would go a long ways to helping the rurals, I think.
Hi everyone, I'm Sarah Richardson, president of the 229 Executive Development Community at This Week Health. I'm thrilled to share some exciting news with you. I'm launching a new show on our conference channel called Flourish. In Flourish, we dive into captivating career origin stories, offering insights and inspiration to help you thrive in your own career journey.
Whether you're a health system employee in IT or a partner looking to understand the healthcare landscape better, Flourish has something valuable for you. It's all about gaining perspectives and finding motivation to flourish in your career.
You can tune in on ThisWeekHealth.com or wherever you listen to podcasts. Stay curious, stay inspired, and keep flourishing. I can't wait for you to join us on this journey.
I think the other challenge with this idea of free stuff is that it's product, and you get the product, but you still don't have anybody to run it or to run it well.
And so it's the services part. I think it's the sort of mental misalignment that small hospitals have. A hundred people in an information services team doing this work. It's like, we've been in the room with these guys where they argue, they poke fun at each other because, wow, I can't believe you got a second person in your IT department.
Like, how did you justify that? Those conversations are real conversations in these small places. And that guy is doing, that lady is doing the CISO job, the CTO job, the CIO job, and maybe running supply chain or something on the side, right? Biomedical devices, they're running contracts, they're doing all this stuff, and it's only one person.
You can give them free stuff, they don't have time to do anything like that.
Yeah, and that's an excellent point. My first hospital I started at was me. Two other guys that knew what they were doing, thankfully, because I sure didn't. And some new airmen that just came in from basic training a couple of those that I needed to train up.
And actually they ended up working out super well. But yeah, I was CIO, CTO, CISO, everything that had anything. We were up in the ceilings, that's pulling cable. So that's the life of a rural, and that's a great point. Let's give them academic pricing and why don't you run a SOC for them for all your rurals?
Maybe this, or yeah, the services component, if we could figure that out. The other part about that, I think I would say, I'd like to get your opinion on this. Google and Microsoft is a good start. There's a lot of other companies who could probably come up with some kind of a program like that too, right?
We don't need to name them, but like, there's a lot of other companies who are really involved in this kind of work with these small and rural health systems. That the critical access hospitals need help, however they can get it. It doesn't necessarily need to be just around cybersecurity.
Helping in another way could free up funds that might help them do the right thing for cybersecurity.
Exactly. We've been talking about this for a long time and I'm trying to do some stuff inside of Ordr for those rurals,
'cause they need our stuff just as much as the big folks. But in healthcare we're kinda only as strong as our weakest link. And the more we can help our weakest links, the better off we are, as a community. Really, most of the vendors that I'm talking with, that I associate with, they feel part of the community, of the healthcare community.
So I think we'll start seeing folks. Step up to the plate, I hope.
Yeah, fingers crossed. And there's one other story that I shared with you that I thought was pretty interesting. And I just want to get your take on it. There's a story in Wired and the title of the story is "Red Tape Is Making Hospital Ransomware Attacks..."
And the assertion in the article is that it's very problematic that when a healthcare organization or any organization is hit with a cyber attack, that the organizations that connect to that attacked organization ask for things like attestation documents to prove that they're clean before they reconnect.
That's a problem in the world. Maybe, I'm not sure it totally says like we shouldn't be doing that, but it's a bit of a head scratcher to me because I just can't imagine, like, so what would we just connect back to those organizations?
Yeah. As you can get this in technology, I thought it was clickbait, frankly.
Of course, you've got to do some kind of attestation for somebody. Yeah. It takes a while. And if you're only doing, if you've done it your first time, yeah, sure, it's difficult, but you know, remember back, Kronos, Nuance, Change, how many people were they getting asked for attestations?
It's one of those "if it's good for the goose, it's good for the gander" kind of things. I was there for Nuance and man, they had to promise like their second child in order for me to hook back up to them. So yeah, it's an onerous process.
But to me it's completely necessary and I don't see how you streamline it or why you'd want to streamline it, right?
Do you think one way to streamline it might be? So a lot of this also gets into the, one of these things is also like the other thing. It's like third-party risk management programs.
And when somebody new comes into your organization, you send them the giant questionnaire and it comes back. If you're the third party and you're connecting to a bunch of different health systems, every time you want to connect to a new health system, you get a questionnaire that isn't like the other questionnaires.
Now, some of the questions overlap. There's a Venn diagram to this, but there's a lot of other new weird ones, like, what does that mean? Why are they asking that kind of one? How did they define that word or whatever? So there's a lot of time and effort on the part of vendor partners to answer some of these questions. It's a real challenge.
And I feel like that, this whole attestation post breach before you reconnect feels a lot of the same, like every, so if you've got 140 partners or 400 partners and they all want to reconnect, they're all going to ask slightly different sets of questions.
It's like, you got your base of 10 and then there's this five wild cards out there.
Yeah. They mix and match those five, but at least you got those 10 critical ones. But yeah, I'm here on this side of the fence now, and ran my vendors through it on the other side of the fence. Now, everybody's got their unique security questionnaire, and it's just part of, we just take it as part of doing business.
I know there's some chatter, I wouldn't even call it momentum, chatter out there about somehow defining a standard set of questions around, what you ask your vendors. But to me, I know what the risks in my network are. Way more than some standard sheet does. And some of the questions I'm asking are specific to the risks that I know exist in my network.
And that I might have to mitigate because I have things set up differently than somebody else. So I don't think we'll ever get away or shouldn't ever get away from at least some kind of maybe we'll get 13 of those 15 locked in questions and allow the wildcards only two questions.
I like that idea.
Yeah, if we could just get the core squared away. And you could get those answers done, it might make life easier. Anyway, really interesting.
That article I did pull out, I think it was the University of Minnesota. Yeah, they did actually quantify the cost
of a ransomware attack and they're saying it's between a half and one percent. That's of your margin. So if you've got a three percent margin, they've calculated that a ransomware attack is going to cost you a half a point to a point of that margin. That's some stuff you can take to the boardroom with you when you're asking for some funding.
Although I don't really think you need a lot of justification in today's society, but it's pretty cool paper.
Hey, I really appreciate the time. It's always fun to hang out with you. What else is going on? You're on the road anytime soon? Where are you going?
Yeah. My next big trip is to the Naples 229 event that you are seeing.
The 229 CISO Roundtable. Looking forward to seeing a bunch of old friends and meeting some new ones there, which is always what happens in a 229 event. Between then and there, Ordr will be at Black Hat. There's some stuff out if you want to. I won't be there. Kevin, Jim, and Pandian, Pandian's the founder, they'll all be there.
So anybody that wants to meet up and talk about Ordr and what we can do for it, come on out and see us.
Sounds great. All right. Thanks again. On Unhack the News, that's it. I appreciate you being on the show today. Talk to you soon.
Always a pleasure, my friend. Always a pleasure. Hey, see you around campus.
Stay paranoid, my brother.
Bye, man.
Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.
Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.