February 10, 2021: Cybersecurity. Don’t roll your eyes. This is serious stuff. There are stories out there of systems having been breached for over a year before they even know about it. Karl West, former CISO at Intermountain, has moved over to Sirius Computer Solutions. He guides us through everything from architecture to governance, from incident response risk to e-discovery, forensics and artificial intelligence to compliance identity access. How do you catch security breaches efficiently and quickly? It starts with architecture. You MUST build programs, tools and processes around detection, response, and recovery. What about good governance? What about compliance? And what are the best methods out there today to ensure the person in front of the keyboard is someone you want on your system?
A 9-Point Synopsis of Cybersecurity with CISO Karl West
Episode 363: Transcript – February 10, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: [00:00:00] Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.
[00:00:17]Today’s show is a deep dive into cybersecurity. So it would make sense that today’s sponsor is Check Point. Check Point is a complete cybersecurity solutions partner for healthcare. They have solutions around network [00:00:30] security, cloud security, mobile security, endpoint security, and security management. So if you are looking at solutions in this space, you’re going to want to look them up at checkpoint.com.
[00:00:42]Karl West joins us today. He is the former Chief Information Security Officer for Intermountain, and he has a new role and more on that in a minute. We cover 9 distinct topics in cybersecurity and security in general for healthcare. And he just nails it. [00:01:00] Phenomenal discussion. I think you’ll get a lot out of it.
[00:01:03]Your response to Clip Notes has been incredible. And why wouldn’t it be? You helped create it. Clip Notes is an email we send out 24 hours after each episode airs, and it has a summary of what we talked about. It has bullet points of the key moments in the show, and it has one to four video clips. So you can just click on those video clips and watch different segments that our team pulls out that we think really capture the essence of the conversation. It’s simple to sign up. You just go to this [00:01:30] week. health.com. Click on subscribe, put your information in there and you’ll start receiving Clip Notes after our next episode airs. It’s a great way for you to stay current. It’s a great way for your team to stay current and a great foundation for you and your team to have conversations. So go ahead and get signed up. Get your team signed up and begin getting Clip Notes after the next episode.
[00:01:51]Special thanks to our influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders. If you [00:02:00] want to be a part of our mission, you can become a show sponsor as well. The first step is to send an email to [email protected]
[00:02:06] Just a quick note, before we get to our show, we launched a new podcast Today in Health IT. We look at one story every weekday morning and we break it down from a health IT perspective. You can subscribe wherever you listen to podcasts. Apple, Google, Spotify, Stitcher, Overcast. You name it, we’re out there. You can also go to todayinhealthit.com. And now onto today’s [00:02:30] show.
[00:02:30]So today we are joined by Karl West, the former chief information security officer of Intermountain healthcare, but that’s not his current role. Welcome to the show, Karl. I appreciate you joining us.
[00:02:43] Karl West: [00:02:43] Thank you Bill. It’s good. And it’s an honor to join this group. I appreciate what you do for healthcare and IT.
[00:02:50] Bill Russell: [00:02:50] So this is why, Hey, I appreciate your comments. This is sort of a coming out party for you. You recently made the transition after being at Intermountain for [00:03:00] many years as different roles, but as a CISO predominantly. You’re now with Sirius computers. Talk about the transition and what you’re going to be doing with Sirius.
[00:03:10] Karl West: [00:03:10] I chose to leave Intermountain in December and have connected with Sirius Health. They have a great team, great leadership. I enjoyed the connection and they have a huge focus on healthcare. It is a strategic direction for them. So it connected well with me. And what I hoped to be [00:03:30] able to do was share some insights.
[00:03:32] From the last few years I spent at Intermountain on a strategy team. They’re looking at healthcare strategy, the changing environment what’s going on and helping health cares as they try to balance and blend. Cybersecurity with all these new and evolving things in health care, the need to digitally transform the healthcare environment, the need to connect with the [00:04:00] consumer and how healthcare has been set up is changing very quickly Bill.
[00:04:04] Bill Russell: [00:04:04] Yeah. So this is going to be a fun conversation. I’m going to tap you for some free consulting. I joke that this podcast is the education of Bill Russell, and I just happen to share it with the community. And I have a series of questions on everything from architecture to governance, to incident response risk and compliance identity access.
[00:04:29] We’re gonna [00:04:30] march through about nine of these topics. And I’d love to get you to just comment. We’re not going to be able to go in depth into any one of them, but just sort of get the lay of the land. So if you’re ready for this, this is sort of like a verbal exam that I’m going to give you on cybersecurity and the state of that in healthcare. Are you ready for this?
[00:04:53] Karl West: [00:04:53] You bet, those items you just hit. Those are hot buttons for every health care. So you’re going in a great direction, Bill.
[00:05:00] Bill Russell: [00:05:00] All right. So we’ll see. Let’s start with architecture. Architecture is one of my favorite conversations. How is security architecture changing? Or how has it changed to adapt to the new threats and the new, I mean really COVID and whatnot. We’ve got just a whole host of new things coming at us. How is security adapting to that?
[00:05:26] Karl West: [00:05:26] I think how it has to adapt and how it’s adapting are two [00:05:30] different things, Bill. Architecture engineering of cybersecurity has to be at the forefront of every organization. And I would say, if you look at key things, this ability to identify threat, to protect against it, the ability to detect it all begins up front in architecture.
[00:05:51] And I would tell you, I think a couple of things here. Number one, a third party has to be divided into two buckets: pre-purchase [00:06:00] and post-purchase. And by that, what I mean Bill is what do you do before you purchase the product. An examination of the company, the product, classification of the data that’s in use, understanding the risk, classification pre-purchase. Putting that all into what I would call a vendor inventory, where I list every vendor, every product. What’s the classification of the risk associated with that vendor. What is the data? [00:06:30] Where is it in motion and then affecting the contract? That’s what pre-purchase security architecture is all about.
[00:06:36] And then if you shifted and said, what about post-purchase? We can’t neglect that we’ve seen too many healthcares who have had partner breaches and in those partner breaches, what HHS and OCR are expecting? And what we have to do is look at some type of mechanism to examine what are they doing after we signed the contract?
[00:06:57] What are the controls? Are they [00:07:00] maintaining the controls? And so a third-party assessment team, security architecture, has to have the pre-purchase and the post-purchase. And in that post-purchase, there are now today, Bill, many organizations that are offering, like credit bureaus, monitoring services to tell us what’s going on over at partner X or Y.
[00:07:20] And if you have breaches you certainly ought to be having in that post-purchase some type of analysis. What did they do? What did the breach look like? How did it affect me? [00:07:30] Did it cause harm to services? And so those two elements of security architecture are key.
[00:07:36] And I would tell you, Bill, I think if you looked at the balance and the blend of an organization in security today, this is the heavy, this is the big, heavy, important thing. This is where basic blocking and tackling will get done: understanding and putting controls around every product, every development activity, everything that happens, and then having another team to post-purchase monitor [00:08:00] and using some services, so that it doesn’t become too heavy.
[00:08:02] But I think this is the lion’s share of healthcare security today. And in the past, most of our efforts in healthcare focused on let’s just have some tools to protect us. Let’s have an endpoint protection tool. This is the future of getting a good strategy into place, Bill.
[00:08:20] Bill Russell: [00:08:20] Yeah, I’d say you wouldn’t start building a house without a good architectural diagram. In fact, in most places you’re not allowed to build a house without a good architectural [00:08:30] diagram and that’s essentially where we’re talking about stepping back to. Is there a framework that you adhere to more than the others, in terms of the NIST framework or other frameworks, or are you just more of a proponent of pick one and use it?
[00:08:46] Karl West: [00:08:46] Well, you hit on one of the Achilles heels of healthcare, Bill. There are so many frameworks out there and most organizations have adopted some type of a CSF, a [00:09:00] framework that does a crosswalk for you and maps everything. I think in general, I like to recommend, and I use and have used NIST as the basis, because HHS, OCR, Homeland Security, the FBI, FDA, all the large Washington organizations have adopted the standard.
[00:09:19] Many people will say, what about the gaps in NIST? And I think I’m a proponent of become active, reach out to NIST. They’re a very participant body and you can share with [00:09:30] them: while I looked at COBIT, I looked at ISO, it had this, NIST lacks this. They’re working very actively and I’ve been meeting with and talking to NIST folks for the last three or four years, sharing some gaps.
[00:09:42] But I think in general, they’re filling those gaps. They’re trying to make it. It does not get to the technical detail. That will be the thing that people will say: it doesn’t get too deep technically. I think in general all of the work I’ve been doing from risk assessment to [00:10:00] architecture, I try to build it around the NIST framework.
[00:10:03] Bill Russell: [00:10:03] Yeah. So this is going to be a test of discipline for me. I could bounce off of each of these questions and we could talk for an hour. But as a CIO, I will have a couple of questions for it. So we have the breach and incident response as the next category. And there are stories out there of systems having been breached for over a year before they even know that they’ve been breached. And as a CIO, if I were to hire you as a CISO, [00:10:30] I’d want to know how do you ensure that story isn’t going to be written about our health system? I mean, what are you going to do?
[00:10:38] Karl West: [00:10:38] Yeah, that is such a great question, Bill. And it is the thing that is our concern. There are health cares that are taking months and months. I hear some reports of eight to nine months before they understand that they have been breached. And I think the response is clearly defined people, processes and technologies. It’s a thing I’ve been [00:11:00] talking a lot with Sirius about. What we’ve got to do is help organizations define the people, the processes, the technology that prevent the expansion. You can’t prevent an event.
[00:11:11] You have to be able to quickly detect and mitigate the effects and resolve the incidents. And I think it’s critical in this process to have clear strategies. I think defined playbooks and processes. If I were to give you a few one, two threes, number one, start with some playbooks and processes. Define what are [00:11:30] the common incidents that are happening?
[00:11:31] What does the process look like? I wouldn’t start with technology, but you have to get to technology. Get the people and the process in place, the playbooks. An enterprise strategy in place for your identity, for your multi-factor, for all your significant privileged accounts and account management with vaults and safes.
[00:11:53] Get good sources for threat intelligence. You see all these things we’re talking about right up front. [00:12:00] There are people and process, threat intelligence, something like H-ISAC, the FBI. There are numbers of good sources for threat intel. Develop a defense in depth strategy. It’s not a product, it’s a strategy, but develop that strategy over in your security architecture team. Organize and participate with your team in regular phish tests.
[00:12:23] We’re heavily in identity, understand the identity, the motion of the identity. Use the network, [00:12:30] the end point, the server monitoring. Now we’re getting into tools. How do you manage that identity? How do you manage the network? How do you detect events?
[00:12:38] And these places I suggest to prevent these breaches. Another kind of key that comes to my mind is having some good sandbox technology, something that’s going to prevent every email from coming into our mailboxes, because today 70 to 80% of what comes into the mailbox is either spam or it is a phish attack. And [00:13:00] today, I don’t know how you tell the difference.
[00:13:01] So what we’ve got to do is just help our caregivers, help the doctor, help the nurse, because they can’t detect. Get a sandbox technology, then have a tested backup strategy and some detection and monitoring that gets put into place, because clearly the ability to prevent, to your question, clearly, Bill, to prevent this, you have to have good detection and identify these things in [00:13:30] minutes instead of, as we talked, days and months.
[00:13:33] Bill Russell: [00:13:33] So when I hear that as a CIO, I hear dollar signs, because the first thing I hear is I need a, and I do this everywhere else, right, I need dev, test, prod environments so I can move things in and do the appropriate level of testing. And I know that’s best practice. We’ve been taught that since we were in college. And then we get into healthcare and we’re like, well, we can’t really afford [00:14:00] three levels. So we’ll do two, or our testing is really done by the vendor. And when they send it to us, it’s ready to go into prod. And those are just bad practices. But the other thing I hear is, it’s funny, when I hear people, process, technology, my mind sort of shuts off, and it shouldn’t shut off because in security there’s this vigilance aspect.
[00:14:23] And when you do the right education, I remember we did this system wide education program [00:14:30] on cybersecurity and people were rolling their eyes when they had to go to it and that kind of stuff. But then I started receiving the emails. Hey, I noticed this, I didn’t access this information or I didn’t access this file, or I got this email, is this a problem?
[00:14:45] And what we did is we turned 20,000 people into part of the organization that’s standing on the wall, looking for incidents that were happening. And so the people and the process were [00:15:00] incredibly powerful in that whole paradigm.
[00:15:05] Karl West: [00:15:05] Yeah, you hit that so spot on, Bill, and I mentioned that and it does cause eyes to roll. In fact, what happens in healthcare is because we’re a little bit behind compared to other industries, the financial, the retail, the defense industry. We’re way behind. I shouldn’t say a little, because we’re behind, we have a propensity and a tendency just to go buy some product and [00:15:30] throw technology at it.
[00:15:31] When in fact, if you take a little bit of time up front, before you engage in the technology, get, as we said up front, the security engineering happening, get the design, get the process, get the playbooks put into place. It can save you on the investments significantly because people are your key resource.
[00:15:51] I used to tell our leaders at Intermountain, if we can get people engaged, they’re going to catch a high majority of [00:16:00] these phish attacks that are coming in. And if we just have people do what you just said, learn to spot something and say, wow, something’s different today. My computer’s running incredibly slow, or I got this email and it asked me to do this. Does that seem right to you? Now I have the canary in the mine that can tell me before something goes dead wrong, we have a problem. And technology can certainly become a part in it. It is critical. I wouldn’t underestimate how [00:16:30] important technology is, but engaging our people, every nurse, every physician on the frontline.
[00:16:36] They’re busy. If they’ll just take one minute to say, and we put out at Intermountain a little mailbox: if you see something, say something, send it to us, tell us, we’ll take a look. Our team will get back with you. And that’s the power of the people that can help so much in this security issue.
[00:16:55] Bill Russell: [00:16:55] If you see something, say something. Governance, this is one of my [00:17:00] favorite topics. I get this question all the time. Like, is there a magic governance model or a magic reporting model that works? And I’ve seen a lot of different ones. But let’s start with reporting. What reporting relationship makes the most sense for the CISO? So I was a CIO, the CISO in my organization used to report to me. I moved them out. And that was a recommendation from Deloitte, I think. And it made perfect sense to me that they were a peer. So I was [00:17:30] responsible for implementing security, but they were oversight, governance and those kinds of things within the organization. But I’ve also seen the CISO underneath the CIO as well. Is there a better reporting relationship for security within IT?
[00:17:49] Karl West: [00:17:49] I think I’ve been asked that many times and I have talked to many CEOs about this question, where should cybersecurity report. It falls in every [00:18:00] healthcare organization that I’ve talked to at CEO, CFO, CMO level, it falls high on the risk list.
[00:18:08] It’s number one, number two, number three of every organization’s risk inventory. That doesn’t mean that there’s a good or a bad model. I think the good model, Bill, comes down to how is the organization structured? And so, as I’ve talked to organizations, I don’t see a magic model, but what I do [00:18:30] see is a need to understand there are decision makers. There are leaders who are making things happen in the organization. Cyber has to be tied into that environment and it may or may not mean that you shift it. There are pros and cons, and I have looked at five or six models, from reporting it into finance, reporting to the COO where all the nurses, the physicians are, that COO model, there’s the legal model.
[00:18:55] There are numbers of different models, compliance and [00:19:00] privacy model, where it could effectively report. What has to happen is that healthcare cybersecurity has to become an enabler, and not a barrier. And today many times when it gets lost in an organization, whether that’s under the CIO or whether it’s up under legal, whether it’s over under finance, if cybersecurity gets disconnected, then the cybersecurity leader starts to feel anxious, threatened, and starts to push an agenda.
[00:19:29] That [00:19:30] oftentimes becomes a barrier and not an enabler. And so I think there are a couple of key things. Number one, you have to align cybersecurity with business, with medical, with strategy. It has to be aligned. Where it reports isn’t as important as creating alignment. Cybersecurity has to have a framework and a mindset of we are an enabler to business.
[00:19:54] And if cybersecurity comes in and says, this is a threat, this is a risk. First, [00:20:00] what cybersecurity has to do is understand the business, understand the vision and the value of the transformation of healthcare, digitization, and consumerization, and then become, instead of Dr. No in the organization, they have to become, let me show you how.
[00:20:16] I would challenge every team: don’t say no, because if you say no, informed, educated leaders like physicians are going to find a way to do what they need to do [00:20:30] to deliver clinical care. And when they find that way, it may be worse than the way you just said no to. So what I would do is establish a governance approach that fits the organization.
[00:20:42] Look at the leadership. In some organizations, one leader has more voice than another. Find that organizational model, pull together five or six key leaders that include a CMO, a CNO, a CFO, a COO, somebody from legal, somebody from clients. That would [00:21:00] become a good governance body for cybersecurity. The chair of the group should not be the CISO. The CISO is the advisor. He’s the educator. She becomes the person who informs about what is risk and has to do that in the context of what is the business strategy. And so in this idea, I think a couple of things become very key. Number one, understand the tolerance for risk by the [00:21:30] organization. Not the CISO. The CISO doesn’t determine, she or he doesn’t determine the tolerance for risk.
[00:21:35] The business does. That’s what governance is about. Number two, if we understand what’s our tolerance for risk on a set scale, one to 10, then number two, what is an appropriate spend for our organization for cyber? Understand your tolerance for risk. Understand your spending model. What are you spending?
[00:21:54] What are others spending? What should you be spending? Not let me just have more money. [00:22:00] What’s appropriate for what we’re doing, and then understand your maturity as an organization compared to all of healthcare. And then I would want to go further because the maturity in healthcare isn’t the best measure.
[00:22:14] It’s like comparing yourself and saying, I am the best of the worst. What you have to do is say, let’s see how we compare against finance, against defense, against retail, and how does the organization want to spend and what is the appropriate [00:22:30] maturity for the organization? So those ideas, those last three ideas of tolerance for risk, the spend, the maturity of the model, those are the kinds of things that become governance questions.
[00:22:41] For a body of leaders, including a CIO, because no matter where you report, the CIO team is the hands, the eyes that are going to be our best canaries in the mine. They’re going to be are in a where. So even if you aligned outside of the IT organization, you would [00:23:00] have a definite uphill sled to try to create a good partnership over with IT ops and IT networking, and the DBAs, the SAs. They have to be a cybersecurity partner.
[00:23:11] Bill Russell: [00:23:11] Yeah. I love how you described that. It takes me back to my CISO coming in and doing that analysis of our organization. He identified a framework. We had eight pillars that we were moving things up and down on. And prior to that, essentially, I was deciding where we were going to spend stuff. And our [00:23:30] compliance and risk officer was really setting our threshold for risk. We didn’t have a really good governance model. And so when he came in and he did that analysis, he compared us, benchmarked us against other healthcare, benchmarked against other industries.
[00:23:44] And I remember sitting down with them and having conversations around budget season, and we would talk about, okay, this investment, and you go, okay, that’s going to take this dial. We had the eight pillars, so that’s going to take this. But we’re going to have to probably invest some money in security controls.
[00:23:59] And we had [00:24:00] all these different pillars that we were playing with. And we were trying to adjust to, again, the governance group had decided, hey, here are the areas we want to, after we educated them, which was no small feat, these are the areas we think we need to be more in line or to be pushing this forward.
[00:24:18] And to be honest, I mean, zero to five scale. And on a lot of them, I think our highest was a three and most of them were twos and ones in terms of [00:24:30] benchmarking against the other industries. And we were just looking at it going, okay, how do we move this one from a one to a three?
[00:24:37] And this one. It was an interesting conversation, but good governance brings the whole organization into it, including the board, to help make those decisions.
[00:24:48] Karl West: [00:24:48] Yeah. And Bill, even if you get it directly reporting into IT or in legal or compliance, that doesn’t really matter if the governance has shifted so that another body [00:25:00] feels empowered to make decisions around what is the budget. Legal shouldn’t make that decision, but neither should IT, and neither should compliance. A governance committee should have set up that threshold based on an educated understanding. And you made a comment about getting an assessment. I think key to having good governance is having a good assessment. Most of healthcare is taking that assessment, a HIPAA [00:25:30] assessment or a SOC 2 or a HITECH, and they’re doing it internally.
[00:25:37] And that jades the response. It also puts the CISO, whether she or he is good or bad, doesn’t matter, they become a lone voice. But if you can get a qualified, like you said, I heard you mention one of the big four firms, if you get a larger firm to come and do a qualified assessment, somebody from external who can come and tell you, this is the real risk, [00:26:00] and here’s a comparison for you of where you fit.
[00:26:04] And then if you always put that in the context, what is our business strategy? Where are we going with the consumerization, digital front door? Where are we going with all of our strategy, M&A? And how does all of this fit? What is our tolerance for risk? Not the CISO tolerance. What’s the business tolerance for risk?
[00:26:26] Then you’ll have a successful organization. Much of [00:26:30] the failure in cybersecurity is getting misaligned and thinking cyber drives, when in fact it is an enabler of the organization strategy. And that’s what the governance has to do, is make this be an enabler.
[00:26:45] Bill Russell: [00:26:45] So risk and compliance. I’m going to have to move a little quicker through these topics.
[00:26:49] The risk and compliance was the next one I wanted to talk to you about. We got into this weird trap. We had an internal auditor, an external auditor. So seven and a half, $8 billion health system, six and a half to $7 [00:27:00] billion health system. So we did have an internal, external auditor, and the trap we got into was our security team was so busy just responding that we were not able to be proactive in any way.
[00:27:13] And the internal auditor would audit this or audit that, whatever, they come back with their findings. And then we would mitigate those things and the team would be working on those. The external auditor would come in a couple of times a year and they would do their thing and give us things.
[00:27:28] So they were constantly working on a list. [00:27:30] Hey, you need to bring this up, this up, this up, but we never got to step back. I mean, does compliance drive the security programs? And what level of risk should we be looking at? What’s the right threshold?
[00:27:42] Karl West: [00:27:42] Yeah, some great questions, Bill. And I think those are the things that frustrate and stall out the program. What I would share with you first on the question of compliance and who drives a program, there are two sides of this. There are the naysayers who say good security [00:28:00] is not about compliance, but I would say that compliance is an integral part of your program. If you don’t have compliance, you can’t have good security. But if your program is based on compliance, you’ll never achieve a good posture, a good maturity. So compliance has to be an integral part. As does privacy. And sometimes those are separated in organizations. I think, as you look at risk and compliance, I would share with you that when [00:28:30] the OCR comes in after a breach, when the FBI takes a look, the first question they’re going to ask is okay.
[00:28:36] Show us your risk inventory. And in many organizations where I have been engaged consulting, the risk inventory was a product that looked like I could have found it out on Google. It was not a good sample of the real risk inside that organization. Real risk is associated with the business, its strategy, its product, its project, and having [00:29:00] a real risk assessment completed with hard-hitting.
[00:29:04] I think there are many organizations who are afraid to hire somebody because they’ll be told that you get a D on the scorecard, you get an F. I’d rather have that and then have a program to be mitigating than to not note the real risks associated inside my organization and the way that the OCR is working.
[00:29:24] If I have an inventory of the risk and I develop plans to mitigate that risk, I don’t [00:29:30] have to solve everything in a moment, in a day or a week. I can put a plan together, begin and take real steps, actionable steps to bring us to a mature posture, not just compliant, but a mature posture. And then the balance, the threshold.
[00:29:48] Can you mitigate? I heard you ask the question, can I mitigate a hundred percent of risk? I think what we can do is look at risk from the perspective of some risks can be mitigated. Some risks [00:30:00] can be avoided through partnerships. Some risks could be transferred. And some risks we’ll choose to accept, and those are business decisions.
[00:30:09] So four approaches in my mind to addressing risk, and do we ever reach 100%? I think in most organizations that I look at, most folks are following a methodology using NIST and a critical, high, moderate, or low. So take a look at the risk rate. It [00:30:30] determined that it’s critical, determined that it’s low based on that.
[00:30:33] Throw resources at critical, don’t throw resources at low. Make sure someone in your organization has the assignment to tend the farm, manage the asset associated with low and moderate, but there ought to be projects and tasks associated with the high and the critical risk that gets identified. Does that help?
[00:30:57] Bill Russell: [00:30:57] Yeah, absolutely. I like the [00:31:00] four ways to look at risks. That’s fantastic. Identity and access. Identity is the new perimeter. I’m sure you’ve heard that. I’ve heard it at least a half dozen times last year on the podcast. My first question is, is there a perimeter anymore?
[00:31:16] Karl West: [00:31:16] Yeah, I have used that phrase a number of times and have spoken on it. And in fact, at my former employer I took perimeter and had it report into cybersecurity, which is not a traditional [00:31:30] approach. You, as a CIO, know you probably had the perimeter under probably a network team or something like that, which is a traditional kind of approach. I pulled it under cybersecurity.
[00:31:42] I also pulled identity in, because identity is the new perimeter; it is the way that we detect. And if you look at what happened in COVID, in every organization moving to remote, the perimeter was lost. Prior to COVID, most [00:32:00] organizations had begun to move large portions of data, maybe the EMR, maybe the enterprise resource planning, maybe imaging, into the cloud. So a piece of the data had already moved outside, but the workers were inside the perimeter. With COVID, that all shifted. And by the way, with a transformation strategy, that’s very common. As I talk to healthcare CEOs, they want to do any person, any place, any time. That type of [00:32:30] care delivery model means you will be outside of a traditional perimeter.
[00:32:34] The caregiver, she may be at her home, and the care receiver, that patient, he may be on the mountain skiing when he picks up a device and calls and says, I fell. Here’s what it looks like. Look at this contusion. And tell me, do I need to see a doctor? Do I need to get an x-ray? And that model means that yes, I [00:33:00] think the perimeter is lost and what we have to protect us is the identity.
[00:33:04] And I think, if you look at this whole question that you’re asking around identity and access, identity does become a new provision, a new-
[00:33:16] Bill Russell: [00:33:16] So identity is making sure that the person on the other end of the line, the other end of the transaction, is who they say they are. It is the credentials that they’ve given us. [00:33:30] Is that what we’re saying? When we say identity is the new perimeter, is that what we’re saying?
[00:33:35] Karl West: [00:33:35] Yes, exactly. Who is this person? And not only that, but I think it’s more, because if you think of how you protect it, it has to be who are they? It has to be, where are they?
[00:33:46] It has to be what is their role, and is what they’re doing appropriate? So the location affects me, because if I see that Bill has dialed in today and he’s remote, what is he doing? What is the [00:34:00] function that he has? In that function, do I know what the function is allowed to do? And do I know what it’s allowed to do geographically?
[00:34:08] So I’m going to apply controls and set a perimeter based on who’s the user, where are they, what’s anomalous behavior. If Bill has never done this before, I need intelligence inside my systems, my engineering systems, that my architects have engineered, that tells me this is not what Bill normally does. It’s anomalous: the amount of data he’s moving, the systems [00:34:30] he’s accessing are different, the location he is at is different.
[00:34:34] Bill Russell: [00:34:34] So this is like when I go on a trip, I have to notify my credit card company: Hey, I’m going overseas, so that they can flag that behavior as, okay, this is expected behavior.
[00:34:45] Karl West: [00:34:45] Yeah. That’s exactly correct, Bill. And not only that, not only should you flag them, I think our processes have to change so that you don’t need to call me. I know. I have intelligence when you connect. I know what device you’re [00:35:00] on. There’s logic. And I pick up every time you log in, from cookies, from other technologies, I can pick up 20 to 30 things about who you are, what you’re doing, right?
[00:35:10] What your time zone is, what your geolocation is. Based on that and intelligence, I can just force you right now and say, you’re going to have to use multi-factor authentication. If I’m not already using that internally, for sure it better be external. And by the way, if you’re overseas, I’m [00:35:30] going to need to have you do VDI.
[00:35:31] If you’re at a geolocation I don’t understand in the U.S., I’m going to put VPN in front of you. And so those are controls that we architect solutions for, and you mentioned architecture right up front, and that’s defense in depth, where I say, I know who this person is. I know about where their location is.
[00:35:50] I check their access, I check their role, and I provision them appropriately. And this identity and access, I think, has to become a [00:36:00] cybersecurity function. It has to be a strategy. It isn’t just about let’s go buy an IBM or Oracle product or SailPoint product. That’s not the solution to identity.
[00:36:11] The solution is understanding the provisioning, the governance of the identity. How do you audit who’s using what, where, when? How do you do an attestation for HIPAA? How do you do authentication? How do you do monitoring of [00:36:30] those things? And privileged accounts become a part of the identity strategy.
[00:36:34] So people are looking at that: seven or eight pillars that have to be looked at, and it doesn’t have to become where we roll our eyes and say, Oh my gosh, that’s going to kill us. We can build this program over three to five years. We just need to set a strategy, set a course and say, this is a big thing. It will take us three years, five years to complete this type of a good strategy around identity and access and a new [00:37:00] perimeter.
[00:37:01] Bill Russell: [00:37:01] All right. So I’ve got four topics. We’re going to do this in eight minutes or less, which means two minutes per topic. The first one is e-discovery. Do, one of the things that drove in us, do we get to throw anything away anymore? What drives our retention strategy?
[00:37:17] Karl West: [00:37:17] I think, yes, the answer is yes, we do throw some things away, but I think we have to look at legal and regulatory and spend time with attorneys and compliance to understand what we retain for what [00:37:30] period of time. And then probably this also means that in your organization, if you don’t have an e-discovery and a forensics team, you probably need to have a retainer with a good firm, because you will need to recover.
[00:37:44] And someone’s going to come in and say, I want to see if you have policy and you have legal justification. I think you’re okay to say our policy says we retain for children 21 years. We retain for adults seven years. And this [00:38:00] is our policy, but you’re going to have to have clear policy, and then you’re going to have to have teams to help you to support all the litigation that’s going on in healthcare around e-discovery.
[00:38:11] Bill Russell: [00:38:11] So it’s interesting. Forensics was the next topic, and so it is one of the things, I mean, we used an external firm. We were a fairly large IT organization, as was Intermountain, but we used external firms for e-discovery and forensics all the time. Is that pretty much the norm now?
[00:38:29] Karl West: [00:38:29] I think [00:38:30] it is, but I do think many organizations are acquiring this expertise internally. Our legal firm came, our legal attorneys inside Intermountain with an external partner, came to me a number of years ago and said, why don’t we look at bringing the expertise in house? We did an ROI. We looked at the cost. We determined it would probably take us three to four years to pay off.
[00:38:54] But because of the ramp up, all of the risks in those two areas, e-discovery and [00:39:00] forensics, we paid for this cost in 10 months. What you’ll discover if you start down the path is there are more of these going on than you know about, and if you don’t have policy, procedure and process around this, there are probably five to 10 times the number of discovery efforts and forensic collections than you’re aware of. When you centralize and put policy around it, you can quickly pay off the cost. One thing that will trigger this in an [00:39:30] organization is when you end up in court and someone presents data that wasn’t forensically captured and you have no chain of trust. You can’t demonstrate custody of the data. And so you’re not legally sound. And we had that happen in an organization that I was working with, and the CFO asked me, what do I say? And I said, you’re going to have to admit you can’t prove the forensics of that data. Capture some now, start over.
[00:39:58] So because of those [00:40:00] kinds of things, data had slipped out of an organization sideways. It wasn’t sound; there was no way to demonstrate the forensic chain of trust of the data. So those things, if you start to create policy, you’ll find you may want to start to do some of this internally. And there are some little processes and things that we could share with organizations that’ll help it to happen less expensively, and the ROI will occur if you start to track it all.
[00:40:27] Bill Russell: [00:40:27] So, 4 minute warning. We’re only going to be able to [00:40:30] really just tap on these last two topics, which is artificial intelligence and advanced technologies. Obviously we could do a whole podcast on this, but what are you seeing with regard to advanced technologies being used in cybersecurity?
[00:40:42] Karl West: [00:40:42] This is really such a hot thing for me, Bill. And I have spent years with my team trying to shift away from technology, physical controls, technical controls, and I challenged my team in 2016: shut down [00:41:00] technology we purchase; use artificial intelligence or machine learning. So I was a heavy embracer of this technology years ago.
[00:41:09] I think it is the direction in our SIEMs, in our SOCs, in the controls that we’re deploying. And I think I would encourage, as you’re looking at products, as our listeners are looking at products, look to see if the vendor has an AI and machine learning strategy and direction, because that’s where things are going. [00:41:30] And we need to be embracing it.
[00:41:32] Bill Russell: [00:41:32] Interesting. So last one: vulnerability and incident management, and key components of an incident management approach.
[00:41:41] Karl West: [00:41:41] Yeah. If you look at incident management and threat and vulnerability, by the way, they are just the bread and butter there, the block and tackle of cybersecurity. If you’re missing on these, you’re going to have long response times when it comes to detecting and finding things out.
[00:41:58] I think having [00:42:00] pen testing going on, having it internal and having an external, those are basic things, scanning for. And again, when you do this, you’re going to come up with hundreds of threats, hundreds of vulnerabilities. Being able to come back and say, this is a critical, this is a high, this is a severe, we have got to have those.
[00:42:20] And in our incident management processes, we’ve got two, I think, three things that are key. The key component, number one in incident management, [00:42:30] is to detect, and you’ve got to focus, work, make sure your detection is faster every day. If you could detect something in two days, work to get it to one day; work to get it to minutes detection.
[00:42:40] Number one, number two is response. And response is what do you do while you’re affected, while some service has been taken down. What is the process for your response? Practice that; know and understand the difference between response and recovery. Recovery then is number three: how do you [00:43:00] recover?
[00:43:00] How do you spin up backup services and transition? And if you can work on those three components, build programs, processes, tools around detection, response, and recovery.
[00:43:12] Bill Russell: [00:43:12] Well, you’re hired. Essentially I just did a CIO interview, the categories I would look at for a CSO, and man, I mean, you didn’t skate around any of these questions. Fantastic. I really appreciate you taking the [00:43:30] time. I appreciate you going into these. In fact, in particular, I’ve talked to Sirius about having you back on the show. They’re a sponsor of the Newsday show and I think it would be fun to have you on their show.
[00:43:43] We won’t specifically do cybersecurity, but we’ll touch on it; we’ll just look at the news of the day. And I’d love to have your perspective, seeing things through a security lens and saying, Hey, that represents something. It’ll give people a picture of, I see it this way as a CIO and you [00:44:00] see it this way as a CISO. I think it would be a fun show to do.
[00:44:04] Karl West: [00:44:04] I’d love to come and chat, Bill. And thanks for having me on today. It was an honor. I sat with some CEOs and we sat and talked about everything but cyber: the strategy of healthcare, where it’s going, how do you shift from a provider to a payer point of view? There are great topics, and cyber does become key to how do you enable those things. So I look forward to another opportunity. Thank you, Bill, [00:44:30] for what you’re doing.
[00:44:31] Bill Russell: [00:44:31] Thank you. I appreciate your time.
[00:44:32] What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note. They can subscribe on our website thisweekhealth.com, or you can go to wherever you listen to podcasts: Apple, Google, Overcast (that’s what I use), Spotify, Stitcher. We’re out there. You can find us. Go ahead, subscribe today, or send a note to someone and have them subscribe. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those [00:45:00] are VMware, Hill-Rom and Starbridge Advisors. Thanks for listening. That’s all for now.