
Executive Interview

The Front Door Is Wide Open: Healthcare's IAM Wake-Up Call | Executive Interview with Mark Ferrari

About This Episode

May 20, 2026: Mark Ferrari, VP of Advisory Services at Fortified Health Security, joins Drex DeFord on UnHack for a candid conversation about the threat landscape keeping healthcare security leaders up at night. From asset inventory gaps to the explosion of identity-based attacks, Mark brings a rare perspective shaped by military service, 30 years as an EMT, and deep healthcare IT experience. He pulls no punches on why healthcare keeps buying tools before defining the problem, and what it actually takes to reduce risk rather than just measure it.

Keep up to date on the latest in health IT:

https://thisweekhealth.com/news/

Key Points:

  • 01:16 Mark Ferrari Background

  • 05:21 Hot Topics: Basics and IAM

  • 12:40 Incident Response Patient Safety

  • 14:46 EMT Mindset Closing


Transcript

Speaker 3: [00:00:00] Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24/7 threat defense services or advisory services delivered through Central Command, a first-of-its-kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program. Learn more at fortifiedhealthsecurity.com

Speaker: I'm Drex DeFord, president of Cyber and Risk here at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to this executive interview on the UnHack channel. Real conversations about managing risk at the highest levels. Let's dive in.

Drex DeFord: Hey, everyone. I'm Drex. I've got Mark Ferrari from Fortified Health Security with me today. Hey, Mark, Ferrari, like the car. How you doing?

Mark Ferrari: [00:01:00] Doing well, Drex. How are you doing today?

Drex DeFord: Always fun to have somebody on who has a name that's also memorable. I really hated my name when I was a kid. But it's fun. I mean, at this point, because I'm DeFord and you're Ferrari, so-

Mark Ferrari: It is. It's-

Drex DeFord: I know that was- ...

Mark Ferrari: That's the connection.

Drex DeFord: Well, tell me a little bit about your background and, uh, a little bit about yourself and, and a little bit about Fortified too.

Mark Ferrari: Sure. Yeah. So, uh, my name's Mark Ferrari. I'm the Vice President of Advisory Services for Fortified Health Security. Um, started my career as a military officer in the, uh, United States Air Force where I commanded a nuclear missile combat crew, uh, and performed, uh, missile combat instructor duties as well. Um, and once I, uh, transitioned out of the service, uh, immediately got into healthcare IT, uh, starting at Shared Medical Systems for, for those with gray hair in the, in the, uh, audience, um, and then cycled through, uh, Siemens Healthcare, uh, and worked, uh, for quite a while at Main Line Health, which is a Philadelphia [00:02:00] suburban, uh, health system.

Drex DeFord: Mm-hmm.

Mark Ferrari: Uh, as I got into security more and more through, uh, projects at Siemens, I then got into consulting, um, through a number of, uh, organizations and then started my own organization, Latitude Information Security, serving the healthcare industry, uh, and then decided to partner with Fortified, was acquired by Fortified, um, in, uh, 2025 and, uh, have been running their advisory services, uh, since then.

Drex DeFord: Love that. So the, so let's talk about the, a little bit, if you're okay with it, I wanna talk about the kind of the transition of, like, why was Fortified the right place for Latitude to land and how has your transition been from CEO to vice president? Uh- Sure. I mean, uh, like, this is a very selfless thing. I, I feel like when I look at it, how, how have you, uh, how have you kind of dealt with that whole transition?

Mark Ferrari: Sure. Yeah. And, uh, I think any, uh, entrepreneur that, uh, merges that, that gets acquired by, uh, another organization, it's oftentimes it's a very, uh, tumultuous story. It's a difficult transition. Um, why [00:03:00] did we choose Fortified? Um, Latitude, uh, we had great client relationships. We were dedicated, uh, uh, to the healthcare industry. Uh, one thing I hadn't mentioned in my background is in addition to, uh, healthcare IT, I've also been an emergency medical technician for the past 30 years, both in paid and in volunteer capacity. I love healthcare. I, I love serving the healthcare industry. And so finding, number one, a partner that shares that priority of the healthcare industry- Yeah. ... that is dedicated and expert at the healthcare industry, uh, there's really not that many, and I think Fortified is the top of the list. Um, also, when it came to culture, uh, you know, what we developed in Latitude was a very, um, familiar, close, tight-knit team of people that really love what they do, that are great at what they do. Uh, when I went and met the Fortified team, I, it was, it was contagious. Uh, they were, the, the culture fit has been fantastic, and it feels like we've always been a part of one another. So, um, kind of, you know, there, there are always the, the growing pains of merging two organizations, but, uh, in terms of culture, in terms of just the quality of people, it's been fantastic. Uh, Fortified, I am [00:04:00] proud to say share is a very high client retention and, and, uh, KLAS score ratings. And so it's, it's exciting to be a part of that. Um, as far as working now, having a boss basically now, other than my clients, um, it's great. Uh, it's, you know, I thought it might be difficult, but when you work with people that you respect and from whom you know you can learn things, uh, that, that's all the better. So, so far, you know, knock on wood, uh, it's, it's just been a fantastic transition.

Drex DeFord: That's great. I, I mean, I know Dan and I feel like that, you know, being part of that team that he has built, uh, definitely creates a lot of good comfort. And like you said, people you can, people you can lean on and learn from inside your, inside your own company. Culture is such a huge thing too when you put companies together. When you have a good fit, when there's a good mesh, um, that uptake, that connection can happen really, really quickly. And it, it feels like that's what's happened with, with you and Fortified.

Mark Ferrari: It is. And, and I'm, I'm happy to see that not only has it happened, you know, at, at, at my level, but, uh, among kind of the rank [00:05:00] and file, uh, from both organizations, uh, have really kind of reached out to one another at their levels and, um, and are, you know, comparing notes and, and already the integration's happening organically, which is beautiful because I can, I can now think about how do we wanna structure this organization moving forward when it's happening naturally, um, it's, it's so much easier to see this is the path we, we need to follow forward.

Drex DeFord: Yeah, makes sense. So you're out, you're seeing a lot of customers, you're, um, you're going to a lot of, uh, conferences and meetings, you have folks come to Nashville and sit down with you all. Um, what, what's top of mind? What are you hearing? What are you seeing? What's like, what's the hot topic of the day or the hot topics of the day?

Mark Ferrari: There's a couple things. And I've always been a big, uh, proponent of the basics, right? I teach cybersecurity, uh, at Temple University and I, I tell my students, uh, cybersecurity is, is not complicated, uh, and, and, you know, it's very simple, it's straightforward, but it's not easy, right? And so what we're seeing with clients, uh, I think is reflective of that, you know, asset management, [00:06:00] asset inventory, having a proper one, knowing what you have and where it is- Those fundamentals. ... that we don't have nice, simplified defenses and we're, we're, we're federated out throughout multiple locations, multiple states, et cetera. Um, so that's number one. Number two, I think the biggest thing that, uh, is, is rising to the top of, uh, healthcare's list is identity and access management. Um, we are seeing a lot more attacks leveraging compromised credentials, right? They're not having to come in the back door anymore. They're walking in the front door as if they belong there because according to the system they do. And so that's a problem. It's a problem with education, number one, uh, in that people need to understand just how valuable even their basic level credentials can be. Um, but also identity and access management is, is an enterprise-wide or, uh, issue. It, there's a lot of moving parts to it, and it's very hard to get your arms around it. Too often, I think is, uh, typical of, of healthcare [00:07:00] that I've seen is we try to buy our way into the solution. We try and implement tools, we try and implement platforms, but sometimes, you know, that six-month, one-year-long project of really hunkering down and defining what is it we wanna do in terms of identity access management, how do we wanna control it? What do we want the rules to be? Defining that first, those, those administrative controls, the process, that sometimes understandably gets shortchanged. And that's really why, you know, organizations have had trouble implementing it. Um, so IAM's big, asset management big. And of course, third party risk management is, is, uh, uh, a tremendous, uh, issue. And I don't think that, I don't think that any one specific technology or platform or service has made any client incredibly happy, um, because ultimately you get a score, but you lack context. Uh, and so what we've done is we're kind of turning that around [00:08:00] and yes, we're using some, uh, intelligence, we're certainly using- mm-hmm. uh, technologies that are out there, but we, we, uh, by definition in our process, we, uh, interject, uh, an analyst into that process to do interviews of the business side, to do interviews of the vendor, and to identify what is the true scope of what this vendor platform is doing for you. Right. It might do 20 things, but you're only implementing two. Mm. So your risk is only gonna align those two. And so we can hone in on not only where does the risk lie, but also what can you do as the organization to protect yourself from it? Because too often, uh, like with, as with medical devices, you're not really gonna get the vendor to change all that quickly, if at all.

Drex DeFord: Yeah.

Mark Ferrari: Um, you know, unfortunately, even the larger health systems have very little leverage in that regard, uh, particularly if it's a popular surgeon that wants this platform, right? Mm-hmm. But, um, when we turn it back on the organization, say, "Here's what we found, here's what we suggest you do," it kind of puts control back into their home, [00:09:00] their, their hands, and we've had a lot of positive, uh, response to that. Uh, and the other aspect to that is if and when there's an incident with that third party, those reports that we produce are the first thing that they reach for because what do we do with that? Who's using it? Where is it? What kind of connections do we have? Mm. It's all defined right there. So they're, they, they kinda are the gift that keeps on giving in, in terms of not only identifying what risk we're getting, but also, uh, serving as an, a useful tool, uh, if and when that, you know, inevitably that third party has an in- uh, an incident or a potential incident.

Drex DeFord: It does feel inevitable right now too. I was reading something the other day that said, I, I probably have the numbers wrong, but something like 70, 75% of all, uh, medical records that are breached, that are made known come through third parties. It, there, it's a third party that actually gets breached that has access to your data [00:10:00] that's probably downloaded it for, or it's been shared for some kind of billing or other information.

Mark Ferrari: Yeah.

Drex DeFord: And that's how the data gets out there. So the third party risk management stuff is really important. I, I know that you've been kind of critical too of sort of like the third party risk management, uh, the, the blanket questionnaires that kind of the old school way of how we've sort of done third party risk management. How, how do you, how do you advise people to do that stuff and, you know, how do you help them- Yeah. ... connect the dots?

Mark Ferrari: Well, you know, there certainly has to be some degree of gathering information. Um, you know, and, you know, whether it's through a platform or whether it's through ... You know, questionnaires are kind of the old way, but in a platform, you're, you're really gathering information anyway, but I think what you, what's, what's a differentiator is adding to it that, that discussion with not only, uh, the vendor, but also the business side within the health system. What are you, what are you using this for? Um, who's gonna use it? What functions are you gonna use it for? Um, that's a differentiator, um, and so we kinda give a full, a fuller [00:11:00] picture, uh, of risk. Um, again, if you go to a platform and you get a score for a specific vendor, that's terrific. Once that vendor has an incident, that score may as well be zero, right? Because they've, they've been hit. So what, what value is that information at this point? It's not really valuable. If you have the context of this is what we're doing, this is our exposure, and this is what I was told I could do to mitigate that, I think that has a lot more value, uh, in terms of reducing risk, right? We're, we're good at identifying risk. I've always said where the, the industry is overassessed and under remediated, right? But, you know, what steps can you take to actually start to chip away and lower that risk? And that's, um, unfortunately, sometimes the, you can't avoid just rolling up your sleeves, talking to people, learning about what's going on and, and making, you know, some, some very simple but straightforward, uh, risk remediation, uh, recommendations.

Drex DeFord: I, I've, you know, I've talked to Fortified customers, uh, they've been, uh, you [00:12:00] know, on, that's still on this third party risk thing, but things like, uh, not offering kind of that blanket, you know, the, the lazy version of this is that we get access to all your data and we can keep it forever. Yeah. So that's simple part of like, no, you only need this, these data elements, you only need to keep them for this long. Those simple things, right, can cut a lot of risk out of that- Sure. ... third party exposure. Sure.

Mark Ferrari: And, and, and a lot of potential headache because if there's limitations to how you're using that third party, you might realize you're not as exposed as you need to be too. So, you know, we always think of worst case, but in some cases, it might, might actually calm your nerves a little to know, uh, we're, our exposure's really low and, and, uh, you know, wouldn't that be nice? Yeah. Um, but, you know, you mentioned with, with just how much health data has been breached, right, through all these third parties and et cetera, one of the other elements that, um, we try to emphasize with healthcare organizations is, um, related to incident response, right? Number one, y- you're, you have to be proficient at it, um, but you have to sort [00:13:00] of also know some metrics, right? How fast can you detect, how quickly can you recover, um, you know, how well do you deliver care during that period of degradation? Um, those are things that the more you spend on those, I think the better you are because again, getting hit by some kind of an attack is, uh, unf- unfortunately inevitable. Um, so what can you control? You can control your ability to respond and recover. Um, we always think of data breach in terms of that, but, you know, a- as, as I know, you have been a proponent of and, and as have I over the years, you know, s- healthcare cybersecurity is about patient safety-

Drex DeFord: Mm. ...

Mark Ferrari: first and foremost, right? So what these incidents do, sometimes they'll result in a breach, sometimes they won't, but they will always impact operations-

Drex DeFord: Yeah. ...

Mark Ferrari: to one degree or another. And as soon as you are disrupting healthcare operations, you are putting that patient at a greater degree of risk. However, you know, however stepwise you get to, uh, [00:14:00] you know, a very significant risk, um, that patient is less better off because attention and resources of that health system are focused elsewhere. Uh, and, and that's a terrible thing. And that's really why I, I love being in the healthcare industry. Um, you know, listen, I've been that ambulance driver that's been diverted with a critical patient in the back, right? That's not good. I've, you hear them back there, you know that, that it's critical and you're trying to get them to care as quickly as possible to be diverted because of a cyber incident is just, that'll boil your blood. And so, um, again, I see that same kind of passion at Fortified, and that's kinda why I responded to, to them as an organization and, uh, happy to be part of them. But, you know, that's a, that's a big, uh, uh, element is, is understanding the operational disruption is, is really just as bad as, as the potential breach.

Drex DeFord: I love you come at this, uh, as an EMT. Um, it's interesting to me how many EMTs and firefighters and folks who respond to emergencies wind up in their career path at some point in [00:15:00] cy- in cybersecurity. Is there a connection there for you too?

Mark Ferrari: That's a very good question. I think, there I have reflected on the fact that there are similarities in what we do, uh, with, uh, let's say that the discipline of emergency management, even military- Hmm. ... um, in that, um, and if we take, you know, cybersecurity incident response as an example- mm-hmm. ... um, or even program development, we know that something bad can happen. We live in that world. We know it. We're comfortable in it. We know how to escort organizations through that. Um, and so as I tell kind of junior EMTs as, as I've trained them over the years, the best thing you can do, number one, is show up, right? And so when a cyber incident happens to a healthcare organization, the first thing they need is they need that trusted partner to be there. Then we get into deeper specialties such as forensics and, and, uh, insurance and attorneys and all that, um, but they need someone there to [00:16:00] apply order to the chaos. And that's, you know, that's what, you know, Fortified does. That's, that's what, uh, that's what the, the nature of the business is about.

Drex DeFord: Hey, I really appreciate you being on the show today, uh, Mark. Um, any, any last words before we take off?

Mark Ferrari: No, just, uh, I appreciate, uh, the time to, to talk about this. Uh, you know, I could go another hour. This is certainly, you know, a passion and, uh, could, could talk about it all day long. So thank you for having me.

Drex DeFord: Of course. You and me both. Um, thanks for being on and, um, I don't know, stay a little paranoid. Thanks for joining this executive interview on UnHack with me, Drex DeFord, here at This Week Health. We believe every healthcare leader needs a community to lean on and learn from. Build your network at thisweekhealth.com/subscribe and share this with a colleague because together we're stronger.
