RSA Security This Week in Health IT
May 10, 2020


Guest Information


May 11, 2020: As health IT systems have had to expand and adapt to the current times, risks have increased alongside these developments. Today’s guest, Patrick Potter, Digital Risk Strategist with RSA, joins us to share insights into securing the healthcare enterprise. We kick off the episode by learning more about RSA and the services they offer their clients. From there, we take a look at some of the current cybersecurity threats healthcare organizations face. While phishing and ransomware still top the list, there has been an increase in malicious smartphone apps and new fraudulent websites. After this, we turn our attention to RSA’s four-step approach to mitigating risk: planning for the attacks, detecting security threats, assessing the impacts, and responding to the risks. Then, we take a look at how RSA helps its clients understand the varying domains of risk. Not all threats are equal, which is why it’s important to respond appropriately with a pre-planned policy. Finally, we round the show off by talking about remote work risks and how our thinking going into the future needs to be reshaped. Be sure to tune in today!

Key Points From This Episode:

  • Learn more about RSA and the work that Patrick does.
  • The most common cyberattacks against healthcare organizations during the current crisis.
  • How to think about protection when the perimeter has been extended multiple times.
  • RSA’s four-step approach to mitigating risk and the importance of cyber risk quantification.
  • How detecting security threats has evolved over time.
  • Find out more about incident response and two important elements that must be in place.
  • Bill’s experience as a CIO and breach preparedness.
  • Some of the tools that RSA has available to help with different domains of risk.
  • How RSA is helping its clients to think about work-from-home-related risks.

COVID Series: Securing the Healthcare Enterprise with RSA


Episode 245: Transcript – May 11, 2020

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:04] BR: Welcome to This Week in Health IT, where we amplify great thinking to propel healthcare forward. My name is Bill Russell, healthcare CIO, coach, and creator of This Week in Health IT, a set of podcasts, videos, and collaboration events dedicated to developing the next generation of health leaders. 

If you missed our live show, it is only available on our YouTube channel. What a fantastic conversation we had with Drex DeFord, David Muntz, Sue Schade around what’s next in health IT. You can view it on our website with our new menu item appropriately named live or just jump over to the YouTube channel. While you’re at it, you might as well subscribe to our YouTube channel and click on get notifications to get access to a bunch of content only available on our YouTube channel. Live will be a new monthly feature only available on YouTube. How many times did I say YouTube in that paragraph? Subscribe to YouTube. We have some great stuff over there. 

This episode and every episode since we started the COVID-19 series has been sponsored by Sirius Healthcare. They reached out to me to see how we might partner during this time, and that is how we’ve been able to support producing daily shows. Special thanks to Sirius for supporting the show’s efforts during the crisis. Now, onto today’s show. 

[00:01:13] BR: All right, today’s conversation is with Patrick Potter with a cool title of Digital Risk Strategist with RSA. Good morning, Patrick, and welcome to the show. 

[00:01:21] PP: Good morning, Bill. Nice to be with you. 

[00:01:23] BR: I’m looking forward to this conversation. We’ve had a lot of different conversations around security. I like RSA as a company. I’ve used them in the past and I know that you guys going at it really give me a different level of detail when we’re talking about this, so I’m looking forward to it. But before we get going, tell us a little bit about RSA and your role with RSA. 

[00:01:47] PP: Yes. I’m a part of a small team of private practitioners, consultants. We’ve been in the trenches like our customers, managing security and managing resiliency and recovery, and managing compliance, risk management, those sort of things. We are part of a subject-matter expert team in our marketing organization that helps our customers kind of think about how to differently manage those domains of risk and compliance and security. 

[00:02:20] BR: The whole thing really is about risk, and we’ve really increased the risk. Whenever you move this quickly, you really do create just an awful lot of risk, either with new partners or new technologies and just new ways. Pre-COVID, we were seeing a significant amount of activity in cyber-attacks against healthcare organizations. The most common being phishing and ransomware. What are some of the most common attack vectors today as the COVID-19 crisis continues?

[00:02:58] PP: Phishing campaigns, ransomware are still number one and two, two and one. There’s been a lot more malicious smartphone apps, for example, trying to get people to download the app, and then it delivers malware. There’s a lot of new websites that have been spun up trying to get information out there around the pandemic and funding and Stimulus Act kind of information and trying to get people to click. There’s still a lot of, and there has been for a while with the whole Internet of medical things, quite a bit of insecure endpoints and end users, a lot of people working from home, and just basic security hygiene, bad passwords, and security endpoints. 

Third parties are still unfortunately – Fortunately, they’re a great partner for any organization, but unfortunately, they tend to bring risk for a lot of the same reasons I mentioned because they’re in the healthcare field. Then like you said, believe it or not, bad actors are increasing their work during this pandemic, even against the healthcare industry. 

[00:04:14] BR: Yeah. So, let’s talk about some of my favorite challenges that we were facing, and these were during normal times, and that is we have all these third parties, these partners that we have to deal – Not deal with. That we choose to partner with within healthcare that do a lot of things, call centers, billing, collections, other things, scheduling within healthcare. During this crisis, how do you extend the perimeter, if you will, to really protect not only your organization but even moving employees to their homes? We’ve extended the perimeter, I believe. What are some best practices around them?

[00:04:57] PP: Well, like you said, it’s all around risk management. It’s all around going after those attacks, finding those vulnerabilities in those systems that are most critical to your organization. It’s knowing where your most critical data is and protecting it. It’s kind of going back to a lot of the basics for your planning for those attacks, your managing, access upfront, you’re detecting those security attacks, understanding the impacts, right? You can’t go after everything, and then responding to the areas that represent the most risks. 

That’s something we always teach and work with our customers on is you can fight what’s right in front of you and sometimes you need to do that. But then it’s also important to take a step back and get some good process in place, and it’s never too late to do that. 

[00:06:01] BR: Yes. So, it really is back to the basics. I’m going to reveal a little bit here. I’m actually working off of a – I have to prepare somehow for these conversations, and one of the things I did is I pulled up a document, a slide deck. I’ll put it in the show notes. It’s a really good document. It’s a four-step approach to mitigating cyber-attack risk in healthcare. You guys go through – Again, it’s probably not anything new for organizations because security isn’t anything new. It really is good process, good hygiene, good training. It’s understanding your risk profile. It’s the same things but it’s really solidifying your processes, your procedures, your people around it to make sure that you’re carrying that out at any given time. 

You guys have a four-step approach to mitigating risk. Talk a little bit about that with us. 

[00:07:02] PP: Yeah. Like you said, it’s a good document. It’s back to the basics. In fact, the steps I just mentioned here are lined out in that document. I’ll go through each of those four. One, planning for the attacks; two, detecting security threats; three, assessing the impacts; and then four, responding to the risks. It talks about how – For example, HIPAA requires covered entities to have policies related to breach response and notification, but really policies need to go beyond that and talk about fuller cyber incident response plans that include investigation, remediation, and response. 

When you’re putting all this in place too, you got to understand the organization’s maturity and capabilities and what the risk tolerance is, because that varies by organization. That really should be from the top down. That risk tolerance should extend not just to security risks but other risks as well, because when I think about it, Bill, you being a CIO, you’re weighing a lot of different things; risks alongside acquisitions, alongside new systems, alongside new products and services. 

[00:08:21] BR: Yeah, I guess during the pandemic, it really was risk versus moving quickly to potentially save lives, right?

[00:08:30] PP: Exactly, yeah. As an executive, you’re weighing a lot of different things side-by-side, so we try to get that good discipline in place, and a big part of that also throughout there – It’s not in the e-book but we talk a lot about it – is cyber risk quantification, because a lot of times security teams don’t translate security risks well into business terms. Executives need to know that, so they can quickly translate that into, “Okay, you need $1 million or we’re going to take $1 million from over here to put toward that risk.” We really kind of say, “Hey, you’ve got to translate cyber risk into business value terms, so you can get the resources to do something about it.” 

[00:09:17] BR: Let’s walk through this a little bit. Detect security threats. One of the things that changed in my life was I was sitting down with someone like your organization, and we were talking about – This was back in the day. This is maybe six or seven years ago, and we were talking about how strong our perimeter was. Someone like yourself made the point to me that said you need to change your mindset and your thinking as to how you approach this and really just assume they’re already on the wire and start to create your security processes around that. 

How has detecting security threats changed just over the years as we start to think of – I mean, at one point, we built that wall higher and higher and higher, stronger, deeper. Now, we’re looking at all sorts of new things to really provide visibility into the threats. 

[00:10:09] PP: You said on the word visibility, and I think you get that through being in the right place at the right time and purposefully but then through advanced analytics. I think it’s really a key tool that you’ve got to have in place. You’ve got to be looking across your logs, your network, your medical devices, your endpoints, gateways so that you’re looking across that whole battlefield, right? 

You hit the nail on the head. You’ve got to assume that they’re already in there, so how do you rapidly detect where they are? Well, you do that through that analytics. We work with customers around implementing user and entity behavior analytics, which [inaudible 00:10:57] in the e-book there. But that’s to detect those anomalies that were already there and you just haven’t picked up on yet. That’s oftentimes in the user’s behavior, for example. That allows you to kind of uncover those abnormalities and then do something about them. 

But then you weigh those against your business context, right? What are they really hitting? What’s the exposure? What’s the impact? Is it a critical system or not? Because you’re going to take different action, and then that kicks off your incident management against those bad elements. Then you can automate a lot of that through orchestration. Orchestrate and automate that so that your analysts are – There’s a weeding-out process through that automation, and then your analysts can really focus on what’s most important. 

[00:11:51] BR: Yeah. The incident response is interesting to me, because I was an interim CIO for, I think, about three weeks before we had our first breach. That taught me that before you take the job, assess the security posture. Or the day you get in, assess the security posture, because three weeks in – That really wasn’t laid at my feet, but it could have been from the fact that I was there for three weeks. I probably should’ve done a little bit more. But essentially, you get three weeks in, you have your first response, and we kick off a full-blown incident response from an IT perspective. All projects really almost shut down. Everybody’s involved. We’re trying to determine things or whatnot. 

But I was also involved in other things where people said, “Well, we need to kick up incident response.” I just looked at it and I’m like, “Not for this.” I mean, this is like, “Just flip that switch and do this and notify these people and have these conversations, and we’re good to go.” Is that something you do with policy ahead of time? Or is that something that every incident is really different?

[00:13:01] PP: No. I think you have to set some guardrails. For sure. And you do that through policy, like you said. You do that through some sort of impact analysis. For you business continuity folks out there, you know the exercise of a business impact analysis. That helps you determine what’s critical in the organization in terms of the business processes in the systems that support them, so that gives you an element of high, medium, low or however you assess that criticality. You’ve been on [inaudible 00:13:30] policy, Bill, and then you know, “Okay, this is against a high-criticality system or data staff, so we do need to kick off incident response.” As you know, you activate those processes, and it kicks people into motion and takes resources and time. 

I think those are two important elements. Set up that program for everybody. Then you’ve got roles and responsibilities, depending on who and what they need to do. Again, the criticality. Then you can also set up and really should think about different response types, depending on what the issue is. Yeah, I think you set up some process ahead of time, so you know. Then there’s always the human element. There’s always that human judgment based on what is going on that – But then you overlay that on top of the policy and the automation, the standard practice procedures, and it just cuts down so much on that chaos. 

[00:14:40] BR: Again, I’m looking at this thing, and you have a self-assessment actually on the site risk, riskassessment.rsa.com. It’s an online tool to really take a look at how you stack up I guess with regard to some of these risks. I mean, our – Can you speak to the tool at all or –

[00:15:03] PP: Yeah. I mean, it’s a bit of higher level but I think it is a great tool just to see – It goes through areas of risk. It talks about security. It talks about kind of some of the basic blocking and tackling. 

[00:15:22] BR: Yeah. Breach preparedness, breach deflection, breach incident response, remediation, post breach. I think this actually is a really good tool for people who are wondering, “Where do we stand? Do we have these things in place?” I remember when we hired – We had a Chief Information Security Officer and then we finally decided to really go in and go all in, and we hired a Chief Security Officer, which became the peer of the CIO. That person brought in a complete framework, and I remember the first time after he got done doing his assessment. He had 12 pillars and he sort of ranked us. I looked at the pillars and I thought, “You’re not going to share that with anyone, are you?” 

Some of these things – Because you know, I mean, if there’s 12 pillars, you can’t be a – It was a one to five scale. You can’t be a five on all of them because you just – Again, it’s based on risk and the risk you’re willing to accept. You can’t spend that much money to be a five on all. 

[00:16:18] PP: Maybe you shouldn’t. Maybe you shouldn’t. Maybe you can but maybe you should not just because we’ve got limited resources. We got to do it elsewhere. Maybe we don’t need the absolute Mercedes version of this step but maybe step three we do. Take some judgment there, even with a maturity model. 

[00:16:40] BR: Well, I know it’s interesting because Sam then went to the board meeting, and we co-presented. Sam really walked them through, because they looked at it and were horrified the same way I was. He walked them through and said, “Look, most healthcare organizations are typically hanging out on a three for this and a two for this. They strive for a four here.” We sort of set our goals for each one of these things and then we came back with a plan to move each dial up by one over the next year or even move it up two based on how critical it was to move. 

Again, for my audience, I’m going to give you a little license to talk about some things here because I do want you to share some of these things. You guys have a lot of different tools that people can use. You have the NetWitness platform, SecurID Suite. A bunch of things are talked about in here. What kind of tools does RSA bring to the table on this?

[00:17:41] PP: Well, we really help customers just manage the whole lifecycle of security and risk, and do it in an integrated way, and that’s one of the biggest challenges I think with companies is the silos of organizations and approaches, managing security and risk. They don’t follow the same standards and there’s different groups and different teams that they’re starting to merge together. That’s what we help do. So, we really kind of take and help companies to understand what we call the domains of risk and focus on those. 

It’s similar to an approach like you just lined out when you were CIO that your CISO did. Some of the domains of risk are, of course, cyber security, cyber-attacks, third-party risk, compliance, business resiliency, risk management just in general, process automation. There’s eight or nine of these, and we sit down with customers and say, “Okay, let’s evaluate where you are. Let’s talk about this topic. Is it important to you or not?” 

Another huge one right now, Bill, is dynamic workforce with everybody sending people home to work. That’s an area of risk all in and of itself, but then we kind of help them understand. There are some disciplines and some processes to put in place. Then our tools and our services, our solution services map to those. For example, you mentioned NetWitness, right? That’s a tool that enables companies to monitor network activity. What’s coming in from those endpoints and those packets and logs? Is it good or bad? Really, through automation, it enables you to prioritize, exactly go through the process we talked about earlier and focus in on those areas of risk that you need to address. 

Then SecurID, which is super important right now, enables you to manage and determine access up front for your employees, your contractors, your providers, your third parties, your payers, whoever is coming into your systems. Especially important right now for electronic health records and the whole Cures Act and interoperability, because access is going to be an issue across those data sets that are being shared more and more. 

Then in Archer, we’ve got a governance, risk, and compliance tool that helps you put in those risks and processes, and manage these different areas of risk. I could talk for hours on each one of those. 

[00:20:23] BR: Yes. Let’s end the show where we started, which is specifically around COVID-19, the pandemic, and things that are going on. Work from home. I’m just going to walk through some of these. So, work from home, telehealth, remote patient monitoring, interoperability, big data analytics. These are some of the things that have really boomed in the last, I don’t know, three months or so and potentially have created just new avenues for people to attack healthcare organizations or just new vulnerabilities, right? 

So, work from home. Some of the risks for work from home from my understanding are – I’m on this computer. This computer is technically not part of the company network, and I have a router in the house, I’m going across the Comcast network, and I have to figure out some way to secure from one end to the other. I mean, what kind of things are you seeing people do or what kind of things are you talking to your clients about?

[00:21:27] PP: Well, the first thing is just securing – It kind of goes back to that basic good hygiene. If you’ve sent someone home, you’ve got to give them a corporate PC as soon as possible, because those follow the configuration standards of your company. Another one is [inaudible 00:21:51] in through the VPN using that mechanism. Securing their Wi-Fi is another. A third is that SecurID, right? So, through that VPN mechanism, having a way to log in securely to your corporate assets, your systems and data.

Then I think once all that’s – That’s got to be quickly in place. I think that’s the basic blocking and tackling. Then you’ve got to think about your helpdesk too. Are they equipped to handle the calls for help? Because that’s – If I’m an employee and that’s the first time I’ve gone home to work and something doesn’t work, I’m not going to call Verizon or Comcast. I’m probably going to call my help desk at work, so they’ve got to be scaled up and they’ve got to have the policies and procedures ready to answer questions and address those issues. So they need to understand not only the system issues but the communication issues and the security issues as well, and then have it – Quickly be able to address those. You can’t send someone out to their house, so you’ve got to be able to help them over Zoom or whatever mechanism you can. I think those are some of the basics that you’ve got to have in place right now.

[00:23:15] BR: I’ll tell you, you’re giving me nightmares, Patrick. I started my career on a helpdesk and it was a company that sold computers to home users. This was back in the day, I mean, as they say. Back in the 1990s, and the first thing we had to do is we had to determine everything, right? What computer we have, what processor. They were – Back then, it was 286, 386. We had to determine – Some of the calls are just hysterical. Literally, people are saying to me that the coffee holder is stuck. It won’t go back in. That’s not a coffee cup holder. That’s for whatever. 

[00:23:57] PP: The disk drive. 

[00:23:58] BR: The disk drive. That’s hard in this situation. I mean, because we did send a lot of people home and we just said, “Hey, use what you have.” But you’re saying, “Hey, we should go back and just practice the same hygiene we would if they were working from the office. We’ve got to secure that one end to the other.” 

[00:24:16] PP: Yeah, as much as you can. This is probably not an overnight thing. I mean, they could be working from home for a while. With healthcare, you’ve got HIPAA considerations too, right? If you’ve got telemedicine – I met with our doctor the other day on Zoom. What if I’d been in a – Well, I would’ve been in a Starbucks, but let’s say telemedicine continues on and maybe I am. There are some privacy considerations if that provider is asking me questions over Zoom or on the phone. It’s more than security. It’s compliance and there’s other considerations too. 

[00:24:59] BR: Yeah, a lot of education. A lot of the way we have done work will change as a result of this. If nothing else, it will remain changed for the next six to nine months. It might come back but it may not, so it is time to shore this stuff up. 

Patrick, thanks again for your time. I really appreciate the conversation and looking at this important topic. 

[00:25:21] PP: My pleasure. Thanks for taking the time too.

[00:25:24] BR: Take care.

[00:25:25] BR: That’s all for this week. Special thanks to our sponsors: VMware, Starbridge Advisors, Galen Healthcare, Health Lyrics, Sirius Healthcare, and Pro Talent Advisors for choosing to invest in developing the next generation of health leaders. If you want to support the fastest growing podcast in the health IT space, the best way to do that is to share with a peer. Send an email and let them know that you value and are getting value out of the show. 

Also, don’t forget to subscribe to our YouTube channel while you’re at it. Please check back often as we will continue to drop shows until we get through this pandemic together. Thanks for listening. That’s all for now.
