
Top of Mind for Healthcare CIOs #2 – Cybersecurity
About This Episode
Top 5 issues facing Healthcare CIOs. Today, #2 Cybersecurity.
Transcript
Speaker 00:00:03 Today in Health IT. Speaker 00:00:03 This story is the second item of our top-of-mind issues for healthcare CIOs. Speaker 00:00:10 Cybersecurity. Speaker 00:00:12 My name is Bill Russell. Speaker 00:00:13 I'm a former CIO for a 16-hospital system and creator of This Week in Health Speaker 00:00:16 IT, Speaker 00:00:17 a channel dedicated to keeping health IT staff current and engaged. Speaker 00:00:21 Just a quick reminder this time. Speaker 00:00:24 Very quick. Speaker 00:00:25 We have four shows for next year: This Week Health News, to stay current; Speaker 00:00:29 This Week Health Conference, for keynote interviews and emerging products; Speaker 00:00:34 This Week Health Community, where we hear from you about interesting solutions Speaker 00:00:39 to the problems facing healthcare from the people who are solving them; Speaker 00:00:43 and finally This Week Health Academy, where you can go, or send people, to learn Speaker 00:00:48 about the intersection of technology and healthcare. You can sign up at Speaker 00:00:52 thisweekhealth.com/shows. Speaker 00:00:55 All right. Speaker 00:00:55 We said we're going to run through, this week, Speaker 00:00:58 the top five Speaker 00:00:59 top-of-mind issues Speaker 00:01:01 for CIOs from the conferences I was at recently, doing interviews Speaker 00:01:05 and having conversations. Speaker 00:01:06 Those were labor, cyber, digital, automation, and caravan use. We'll cover Speaker 00:01:12 the next three over the next three days. Speaker 00:01:15 We covered labor yesterday Speaker 00:01:17 and went into detail on the battle for staff and retention. Speaker 00:01:23 Today is cybersecurity. Speaker 00:01:26 2020, Speaker 00:01:27 or 2021, take your pick. Speaker 00:01:30 It's hard to really determine where this actually happened, but let's just Speaker 00:01:33 say over the last 24 months it felt like a scene from the Garden of Eden.
Speaker 00:01:38 We ate the apple and we found out we were naked, exposed, at Speaker 00:01:42 risk. Healthcare is vulnerable. Speaker 00:01:45 There were warnings clearly before that. WannaCry Speaker 00:01:48 was a wake-up call, but it wasn't until hospitals started being held hostage Speaker 00:01:53 and being taken offline for days that we started to realize that there was Speaker 00:01:58 more involved here than a slight ding to our reputation or a small fine. Speaker 00:02:04 I'm not saying that we weren't aware of the risk before, but we couldn't Speaker 00:02:07 sell it at most of the health systems. Speaker 00:02:10 The events of the past 24 months gave us credibility Speaker 00:02:14 in our claims that the sky actually was falling. Speaker 00:02:17 No longer was the CISO Speaker 00:02:19 Chicken Little; Speaker 00:02:20 the worst had actually come to pass and we were right. Speaker 00:02:23 But you know what? Speaker 00:02:25 It's not that great being right. Systems went down, sometimes for weeks at a time, Speaker 00:02:29 and sometimes with data loss that will never be recovered. Speaker 00:02:33 There was at least one incident that claimed that a cyber Speaker 00:02:36 event had caused a death. Speaker 00:02:38 Again, not that great being right. Speaker 00:02:41 So what now? You don't want me to recount all the incidents: Sky Lakes, Speaker 00:02:44 Scripps, and countless others that may not have been as prominent. Speaker 00:02:47 I've told you that I would cover these by putting my CIO hat back on Speaker 00:02:53 and telling you how I would be approaching this challenge today Speaker 00:02:56 if I were in the chair. Speaker 00:02:57 Let me start by saying this: Speaker 00:02:58 there is no one-size-fits-all solution here. Speaker 00:03:01 My listeners come from health systems with thousands of IT Speaker 00:03:04 staff to just 20 IT staff.
Speaker 00:03:07 These call for different tactics, different investments, and an AMC Speaker 00:03:12 may have risks that a single-hospital CIO may not have. Speaker 00:03:16 So let's explore some of the common things before I explore Speaker 00:03:18 some of the distinct challenges. Speaker 00:03:21 All right. Speaker 00:03:21 I think the approach I would take right now is: we are under attack. Speaker 00:03:25 At all times, we are under attack. Speaker 00:03:27 That is our posture, Speaker 00:03:28 and that is what I would take from this day forward. Speaker 00:03:31 Every day being treated as if we're under attack. Speaker 00:03:34 Let's have our standup calls. Speaker 00:03:36 Let's have all those procedures in place Speaker 00:03:38 where we are treating it Speaker 00:03:39 like we are under attack today. Speaker 00:03:40 Do we have our defenses in place? Speaker 00:03:42 Do we know what's going on? Speaker 00:03:43 Which brings me to my second item here, which is: I would know the threats. Speaker 00:03:48 Know who's after the information that you have. Know who's going to benefit the most Speaker 00:03:52 from shutting down your health system. Speaker 00:03:54 Know Speaker 00:03:54 the tactics that they're using. Stay current on their approaches and how they Speaker 00:03:59 are infiltrating systems like yours. Speaker 00:04:02 The third thing is assess your defenses. Speaker 00:04:05 So really assess them. Speaker 00:04:06 You have to be honest at this point. Speaker 00:04:09 One of the things that I found over the years is that people will say Speaker 00:04:15 things like "we're all vulnerable." Speaker 00:04:17 That's great, Speaker 00:04:18 and that all may be true, but at the end of the day, you have to Speaker 00:04:22 honestly assess your defenses. Speaker 00:04:23 And I'm going to come back to this in a little bit Speaker 00:04:26 and talk about what you do with that honest assessment. Speaker 00:04:29 But at this point, really look at it.
Speaker 00:04:33 Ask yourself the question: are we vulnerable? Speaker 00:04:36 Don't just say, well, everyone's like this. Speaker 00:04:38 No. Speaker 00:04:39 How vulnerable are you? Speaker 00:04:40 How prepared are you? Speaker 00:04:42 And you have to have that assessment done, Speaker 00:04:44 and it has to be honest. If you need a third party to do Speaker 00:04:47 it, which in most cases we do, Speaker 00:04:49 have that done by the third party. Speaker 00:04:51 Number four: assume they are already in your network, Speaker 00:04:55 and at that point, understand your ability to identify their Speaker 00:05:00 movements from within your network. Speaker 00:05:02 Assume they're in, because they probably are Speaker 00:05:05 already in your network, and understand that this capability Speaker 00:05:09 of identifying what they're doing Speaker 00:05:11 and how they're moving within your network is a must-have moving forward. Speaker 00:05:17 The next thing I would say is assume you will be completely ransomed at Speaker 00:05:21 some point and plan accordingly. Speaker 00:05:24 All right. Speaker 00:05:24 So there's enough information out there. Speaker 00:05:26 We did a great webinar Speaker 00:05:27 with the people from Sky Lakes; the CIO was kind enough to come on and Speaker 00:05:32 share his experience in some detail. Speaker 00:05:34 So if you want to know what it's going to feel like, Speaker 00:05:36 he shares what it feels like Speaker 00:05:37 and what goes on in those first couple of minutes of the cyber Speaker 00:05:42 attack, as you're watching systems just shut down one after another, Speaker 00:05:45 not being able to gain access to your systems, and having to rely Speaker 00:05:50 on vendors that you previously had worked with, but they're part of your Speaker 00:05:53 cybersecurity insurance contract.
Speaker 00:05:56 And so they come in and actually ask you to step away from Speaker 00:05:59 the keyboard while they do Speaker 00:06:00 their forensics on the event itself. Speaker 00:06:03 If you have that information, assume you're going to be ransomed. Speaker 00:06:07 What is your plan to come back online? Speaker 00:06:09 What is your plan? Speaker 00:06:10 Are you going to pay the ransom? Speaker 00:06:11 Are you not going to pay the ransom? Speaker 00:06:13 Are you going to start a recovery? Speaker 00:06:15 Do you have the systems in place? Speaker 00:06:16 Have you air-gapped your backups? Speaker 00:06:18 Is it enough to air-gap your backups? Speaker 00:06:20 Do you have immutable backups? Speaker 00:06:22 Is it enough to have immutable backups? Speaker 00:06:24 What is going to work and what is not going to work? Speaker 00:06:27 But plan accordingly. You're going to get ransomed; plan accordingly. Speaker 00:06:30 That's how I would be thinking about it right now as a CIO. Speaker 00:06:33 All right, let's move on. Speaker 00:06:34 So from the point of an honest assessment, plan your investments wisely. Speaker 00:06:41 Acknowledge what you can and cannot do well. Speaker 00:06:44 And I'm going to get to this in a little bit, but for the smaller Speaker 00:06:46 health systems, there's an awful lot of things you cannot do well, Speaker 00:06:50 and you're going to want to look outside your four walls for some Speaker 00:06:53 help, and who's going to help you Speaker 00:06:54 today to prepare for an event and in the future if you actually have Speaker 00:06:58 an event. So acknowledge what you can and cannot do well and go find help. Speaker 00:07:04 Second thing is be open and honest with the executive team Speaker 00:07:07 and the board when asked. Speaker 00:07:08 Hide nothing from the leadership.
Speaker 00:07:11 You don't want to be found hiding important information from those that Speaker 00:07:14 could have made a difference, that can make the investments to shore Speaker 00:07:18 up your foundation in your system. Speaker 00:07:20 I wouldn't want to be that CIO Speaker 00:07:22 who's trying to explain Speaker 00:07:24 why they did not have an honest assessment or why they withheld any Speaker 00:07:27 information about that environment. Speaker 00:07:29 Honest, open: here's where we're at. Speaker 00:07:32 The executive team needs to be brought into the loop. Speaker 00:07:34 The governance team needs to be brought into the loop Speaker 00:07:37 so that they can determine what the risk is to the organization Speaker 00:07:41 and what needs to happen. Speaker 00:07:42 So that's table stakes. Speaker 00:07:44 I assume everyone knows that. Speaker 00:07:45 I just wanted to say it again out loud. Speaker 00:07:47 And then the next thing is ask for help, seek help, be open to help. Speaker 00:07:51 This is not the kind of thing Speaker 00:07:53 that every health system is going to have the resources and the wherewithal for. Speaker 00:07:58 We need to utilize the resources that are out there Speaker 00:08:01 that are designed to help us and designed Speaker 00:08:04 to bring us together as a community to fight this, Speaker 00:08:07 this threat. Speaker 00:08:08 All right. Speaker 00:08:08 The next thing I would say is plan a complete strategy. Speaker 00:08:11 I remember standing at a conference, listening to CISOs share, Speaker 00:08:16 and person after person talked about their education program. Speaker 00:08:19 And while I was impressed with the programs they had Speaker 00:08:21 developed, I couldn't help Speaker 00:08:23 but think how unsophisticated the approach was to cybersecurity. Speaker 00:08:27 You have to prevent, detect, remediate, and recover.
Speaker 00:08:30 And that's not even a complete list of the things that need to Speaker 00:08:33 be discussed and planned for. Speaker 00:08:35 My point being, you can't have a single-threaded approach to cybersecurity. Speaker 00:08:41 It needs to be multifaceted. Speaker 00:08:43 You need a technology layer, you need a people and education layer, Speaker 00:08:47 you need a remediation layer, you need a recovery layer. Speaker 00:08:50 You need all those things in place Speaker 00:08:52 if you are going to be able to be effective in the world Speaker 00:08:56 that we currently live in. Speaker 00:08:57 All right, let me get moving here. Speaker 00:08:58 I'm running out of time. Speaker 00:09:00 So the next thing I would say is know what your contracts say. Speaker 00:09:03 It's interesting Speaker 00:09:04 how many times this came up in conversations post breach event: Speaker 00:09:08 I didn't realize what my BAA agreement actually called for. Speaker 00:09:11 I didn't realize what my cybersecurity policy gave power Speaker 00:09:14 during an incident to others, and called for me to utilize Speaker 00:09:18 companies I wasn't familiar with. Speaker 00:09:20 We didn't have an agreement that protected us from an incident Speaker 00:09:22 at our community connect site. Speaker 00:09:24 It's things like that. Know what your contracts say. Speaker 00:09:26 Those are just a few stream-of-consciousness Speaker 00:09:27 thoughts. Let me address some of the specifics for smaller players. Speaker 00:09:31 You can't do this on your own. Speaker 00:09:33 You have to find the right partners that can help you to Speaker 00:09:35 build a sustainable program. Speaker 00:09:37 You can't do it with one cyber person and an engineer. Speaker 00:09:41 It's not even remotely possible. Line up the players that can Speaker 00:09:44 help you; get them lined up today, Speaker 00:09:46 prior to an event.
Speaker 00:09:48 For an AMC, you have to be aware that nation states want the Speaker 00:09:51 information that your research teams are working on. Nation states, Speaker 00:09:55 you know, the ones, Speaker 00:09:56 the ones I'm talking about, the ones with well-funded armies of cyber Speaker 00:10:00 specialists. The tactics are varied, Speaker 00:10:03 and while a traditional phishing attack may not work in this Speaker 00:10:08 case, they have other ways. Speaker 00:10:09 And in those cases, you have to be tracking the motion of critical Speaker 00:10:13 information around your network. Speaker 00:10:14 You have to have complete visibility into the motion of your Speaker 00:10:18 critical data assets at all times. Speaker 00:10:21 This is going to serve you well, since attacks are no longer just Speaker 00:10:24 being initiated from afar; disgruntled employees are now offered money Speaker 00:10:29 to get back at their employers. Speaker 00:10:31 Place this code on your network and we will take care of the Speaker 00:10:34 rest: ransomware as a service. Speaker 00:10:36 Oh, Speaker 00:10:37 and by the way, if we successfully ransom your organization, we will Speaker 00:10:41 give you a cut of the cryptocurrency. Speaker 00:10:43 You have to track the movement of the data. Speaker 00:10:47 In order to do that, you have to have a very accurate data inventory as well. Speaker 00:10:52 All right. Speaker 00:10:52 As I said, this isn't going to be exhaustive. Speaker 00:10:54 I just wanted to share a few thoughts. Speaker 00:10:55 This is top of mind for CIOs, and it should be. It should have been Speaker 00:10:59 for CIOs, and it should have been, Speaker 00:11:01 probably, for at least the last decade. Speaker 00:11:04 Now we know. Speaker 00:11:05 So let's try to make 2022 a transformative year in this area. Speaker 00:11:11 All right. Speaker 00:11:12 That's all for today.
Speaker 00:11:12 If you know someone that might benefit from our channel, Speaker 00:11:14 please forward them a note. Speaker 00:11:15 They can subscribe on our website, thisweekhealth.com, or wherever you Speaker 00:11:18 listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher. Speaker 00:11:22 You get the picture. Speaker 00:11:23 We want to thank our channel sponsors who are investing in our mission to develop Speaker 00:11:27 the next generation of health leaders: Speaker 00:11:29 VMware, Hill-Rom, Starbridge Advisors, McAfee, and Aruba Networks. Speaker 00:11:34 Thanks for listening.