July 14, 2021: Aruba, a Hewlett Packard Enterprise company, is the king of healthcare networking solutions. What kind of conversations are they having with CIOs today? David Logan, Vice President, CTO Office, is here to tell us. The architecture that was developed in the 90s and 2000s either doesn't scale, isn't secured, or doesn't perform. CIOs today MUST undertake new digital transformation initiatives. They have to create a multi-layered security architecture spanning the network, applications, and endpoints, with detection and response. But balancing security with usability and delivering the end user experience that sits on top of the network is not as easy as it sounds.
Designing the Network for Agility and Security with David Logan from Aruba
Episode 424: Transcript – July 14, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Thanks for joining us on This Week in Health IT. This is a Solution Showcase. My name is Bill Russell, former healthcare CIO for a 16-hospital system and the creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Today, we are joined by David Logan, the CTO for Aruba Networks.
[00:00:25] Special thanks to our Solution Showcase sponsor for today, Aruba Networks, for choosing to invest in our mission to develop the next generation of health IT leaders. If you want to be a part of our mission, you can become a show sponsor as well. The first step is to send an email to [email protected]
[00:00:41] Just a quick note before we get to our show: we launched a new podcast, Today in Health IT. We look at one story every weekday morning and we break it down from a health IT perspective. You can subscribe wherever you listen to podcasts: Apple, Google, Spotify, Stitcher, Overcast. You name it, we're out there. You can also go to todayinhealthit.com. And now onto today's show. Today, we are joined by David Logan, the CTO for Aruba Networks. Good afternoon, David. Welcome to the show.
[00:01:11] David Logan: Good day, everyone. Thanks. Appreciate the opportunity to be here, Bill.
[00:01:15] Bill Russell: This will probably air in two weeks, but as we sit here today, there has been so much activity in the area of security and those kinds of things.
[00:01:24] And one of the topics I want to sort of dive into with you is balancing security with usability and really delivering the end user experience that sits on top of the network. It's not as easy as it sounds, I don't think.
[00:01:38] David Logan: It's not. It's a topic that we've talked about often in our almost 20-year existence, and it's a topic of almost every conversation we have at a CIO level, CSO level, on down into the IT infrastructure teams.
[00:01:55] Bill Russell: Interestingly, I was reviewing the Sky Lakes Medical Center hack. They've put out some things, which I really applaud them for sharing, but one of the first recommendations to them from the outside firm that came in was to implement two-factor authentication.
[00:02:12] And I remember back in the day when I tried to implement two-factor authentication in healthcare, and it was not well received.
[00:02:21] David Logan: Come on, man. It's simple. You've got a phone and you just have everybody get an SMS message when they need to log in, every time. Not a problem.
[00:02:27] Bill Russell: I felt like, I dunno, I felt like I was trying to get my kids to eat the broccoli again. It was really a challenge. And we did it. We did it because really we had to. Our internal auditor really set the groundwork for us to get that implemented. And sometimes that's what you need, a strong push like that. Before we get into the conversation, tell us a little bit about your role at Aruba.
[00:02:50] David Logan: Sure, glad to. So I've been fortunate to be with Aruba since 2006 in a few different roles, always technical and always market-facing, so to speak. I'm currently the CTO for Aruba Americas, and in addition to that general-purpose role, I focus specifically on healthcare and higher education because I have a long background in both of those industries.
[00:03:17] Bill Russell: Wow. It's interesting. We could talk about higher ed too, because I was a CIO in higher ed, but we won't do that today. That, by the way, was a lot easier role than being a CIO in healthcare, in my personal take, although you do deal with a lot of similar challenges. I guess where I would start is the conversation you're having with CIOs today. I would assume it's easier to get a meeting with a CIO today than it was maybe a year and a half ago, given all the activity that's going on around the network.
[00:03:49] David Logan: Yeah. 15 months ago we were all in reactive mode to respond to the pandemic in whatever way that meant for our respective organizations, and CIO conversations at that time were pretty tough.
[00:04:03] Visibility into dramatically declining revenues, dramatically expanding healthcare requirements, especially in urgent healthcare, whether it was triage or treatment. Today, fortunately, with Aruba being part of the greater HPE organization, we have phenomenally great conversations with CIOs, because there is another wave of digital transformation taking place where the architectures that we put into place in the 90s and 2000s, which may have worked at the time, either don't scale or they're not secured or they don't perform the way that we want them to.
[00:04:41] And so the CIOs that are undertaking new digital transformation initiatives are really coming to us to seek our assistance.
[00:04:50] Bill Russell: Yeah. And the architecture that you laid down... I was talking to somebody about data architecture and they were talking about epochs. It was a professor, so he was just talking about a lot of epochs that he was looking at, or a 20-, 30-year epoch. And when we're looking at architecture, architecture in our lifetime, you and I were just talking AS/400 prior to getting on the show. We were talking AS/400 and Windows 2. And that's where we were way back in the day.
[00:05:15] And those servers, in some cases they were in departments and whatnot, then we moved to the data center. Now we're moving to the cloud, and the architecture to support whatever the next round of applications or next layer of technology is, is really important to lay down correctly.
[00:05:34] I mean, when you do it with first-level thinking, when you really do it by design, it changes what you're going to be able to do a year from now, three years from now, five years from now, I would assume.
[00:05:46] David Logan: Yeah, certainly. And in fact a lot of the conversations that I have center around what are the experiences you expect to deliver in your organization to your constituents. In healthcare: patients, providers, clinicians, service personnel, vendors, guests, whoever is coming into the facility, whoever's having to digitally interact with the organization or benefit from digital services.
[00:06:15] There's a whole set of experiences that all those different constituents need. And you mentioned security and usability earlier. It has certainly been a general tenet that you couldn't have really effective security and have ease of use at the same time, or deliver on the experiences that are perhaps desired.
[00:06:37] And I think BYOD as a phenomenon, starting 10, 11, 12 years ago, is a really good example of that. Enterprise IT's reaction to BYOD at the time was: personal mobile devices, we don't control them, we don't know what's on them, we don't trust them, we're going to put them on the guest network. But then different parts of the organization at a departmental level started to sponsor applications, started to sponsor use cases and experiences that required the use of personal devices, BYOD devices.
[00:07:09] So from an IT perspective, how do you write a security policy for a personal device using an enterprise app? You couldn't do that 10 years ago. It just wasn't possible to mingle those two things together. And so from Aruba's perspective, that's one of the problems that we set out to solve.
[00:07:24] Bill Russell: Well, that's an interesting one. So in healthcare today, we do have a lot of devices that we put into the safe network, the secure network, right? And that's a pretty common practice, but we also have so many new applications that are coming online that require mobility: devices that are moving through, and even some devices that we, as you sort of described, we don't even know what they are.
[00:07:49] We can't put in the MAC address and say, allow this MAC address, because we don't know what exists. How do you start to architect for a network where you don't necessarily know all those mobile devices?
[00:08:01] David Logan: So it really begins with understanding how a human would think about a security policy. For example, it's very clear that a radiologist or radiology tech or somebody involved in imaging systems inside a healthcare organization is going to need access to the radiology system, because that's human-definable. We can understand that. We can also understand the physical systems that are involved in the delivery of these imaging solutions, whether it's the machines themselves like an MRI or a PET scanner, the workstation, the radiology reading stations, perhaps in the radiology suite, or maybe it's a computer on wheels in the ED. All of these are involved in the practice, if you will, of imaging and delivering images to providers. That's all human-understandable. And so that's really where it starts. You have to start with a human-understandable concept. Map that into applications, map that into devices and users, and then you find that there is a source of truth in the enterprise for users, and it could be Active Directory.
[00:09:14] It could be something else. There is a source of truth, at least in some enterprises, for application access, like Workday. Workday might define that Dave Logan gets access to these applications. It's really important then for the network to be able to take advantage of those sources of truth and say these professionals are involved in radiology.
[00:09:34] Therefore they should have access to the radiology system, perhaps to the exclusion of any other user or perhaps to the exclusion of any other device. And then you start to get some really interesting security concepts of allow lists for the devices and users that matter for radiology, and block lists for the devices and users that don't. Those are pretty simple concepts that now machines can understand, and you can have the network enforce that kind of policy.
[00:10:01] Bill Russell: We'll get back to our show in just one moment. Every day you're using your skills to help end substance use disorders within your community. The Health Resources and Services Administration is here to help you with the new STAR LRP program, which is the Substance Use Disorder Treatment and Recovery Loan Repayment Program.
[00:10:21] Pay off your school loan with up to $250,000 from the STAR LRP in exchange for six years of full-time service at an approved facility. Behavioral health clinicians, paraprofessionals, clinical support staff, and many others trained in substance use disorder treatment are encouraged to apply.
[00:10:39] Applications are open until Thursday, July 22nd, 2021 at 7:30 PM Eastern time, which is right around the corner. To learn more and apply to join the STAR LRP, you can use the link in our show notes or visit bhw.hrsa.gov to learn more. That's bhw, as in behavioral health workforce, dot HRSA dot gov. Now back to our show.
[00:11:07] Let's walk through the pandemic. So we enter the pandemic. What kind of things were you doing for your clients, or talking to your clients about?
[00:11:17] David Logan: So the immediate need that was almost universally discussed was preparation activity for testing, triage and patient treatment. And nobody really knew the scale, at an individual organizational level or the geographic level, of the situation that was going to be faced. And so contingency planning modes went into effect and people said, you know what?
[00:11:43] We need to set up networks in gyms. We have organizations that set up triage and treatment environments on cruise ships. Our response as a networking vendor was to say, we have a set of software-defined network architecture tools available to you. You can take and extend your network using our technology wherever it needs to go, and we're going to help you do that.
[00:12:06] And so we marshaled our own resources in terms of our supply chain, providing gear, providing expertise, consulting systems engineers to help do implementations, and also just serving as a sounding board for CEOs and their staff to prepare for the unexpected and then help them work through what actually happened.
[00:12:27] Bill Russell: Software-defined network is a term that's been around for a little while. I mean, it doesn't go back too far, but help us understand the difference between a software-defined network and what the alternative to a software-defined network is.
[00:12:41] David Logan: Sure. So you and I, both having gray hair, we're used to network concepts like VLANs and Ethernet ports and segmentation. And those are static concepts. Those are concepts where, for example, if you have a printer attached to an Ethernet port in a wiring closet, if a user decides to move that printer, that's very easy for them to do. They move it, and all of a sudden the printer is not on the network anymore, because the configuration associated with that port lent itself to providing connectivity to the printer. So you move the printer away from that port, and all of a sudden it's not connected anymore. These are really static concepts. A software-defined network says: we need to be able to adapt to the changing conditions at the edge. Mobile devices, fixed devices, known users, unknown users, it shouldn't really matter.
[00:13:38] And we need to, at connect time, allow those devices and those users to use some methods for identifying themselves using security protocols, and then connect them to the virtual network that they should be attached to. And so for example, if a healthcare organization has an in-building Wi-Fi network and they also use our access points to provide remote access for telehealth,
[00:14:08] the user experience looks exactly the same. A doc will log in, a provider will log in from their laptop or from a mobile device, and their authentication credentials would be the same. Their access to applications would be the same. And that's because the software-defined network concept says, you know what? This user has changed locations, but that's okay, because policy says we can extend the network concept all the way to that remote location, to this remote access point. And we can use the internet as a backhaul mechanism to do that. That's fine. Let's nail up a tunnel, let's tunnel their traffic back to some control point in the middle of the healthcare network and let them get access.
[00:14:47] And so ultimately, a software-defined network architecture says: let's abstract away the static concepts that we used to use. Still use them, because, you know, we need interoperability, but let's make them software-programmable. Let's make them automatic. Let's make the user experience really easy. Let's make mobility a primary outcome.
[00:15:08] Bill Russell: So that gives you a lot of flexibility. I remember back in the day, switches, ports, as you define them: we had simplified our network, and then our security professionals came in and said, you know what, you simplified it too much. And if somebody gets in there with a ransomware attack, they can move across the network a little too freely.
[00:15:26] And they wanted us to resegment the network, and significantly do that. And we had one of those fixed architectures that you're talking about. And so we had to go in and put all the policies and things back into all the routers and the switches. And it's not that you can't manage those centrally, because you can, but it's complex.
[00:15:49] There's a lot to think about. It's not as flexible as you sort of described, and it doesn't really grow with you. So you go into a pandemic and they say, do this, do this, do this. Now all of a sudden, you bring in your network person and you say, all right, we need to extend this network over here and whatnot.
[00:16:06] And they're doing all sorts of policy changes to the routers and switches. A software-defined architecture just sort of adapts as you move into that. Did you find that to be a significant benefit for your clients going into the pandemic?
[00:16:20] David Logan: It really has been. If you look over the shoulder of a network administrator that is managing a network that professionals like you and I helped build 10 years ago, 20 years ago, and you ask them to create the ability for this remote location, like a gymnasium, to be connected up into the healthcare primary network architecture so that EMR access could be provided or telemetry access could be provided, they would pound away on various CLI systems from their networking vendors to create new configuration concepts, new IP address schemes, new access control lists to provide security.
[00:17:08] And they would configure boxes and hand them to people and say, okay, when you get out there, you've got to do all these 18 steps. What that really creates an opportunity for, really creates a condition for, is error, because it's really easy to mess up these 500 lines of new CLI code, if you will, that were just created.
[00:17:32] It requires an expert to go out and actually deploy this network in this facility that's probably not even owned or physically controlled by the entity. And so the challenges were very significant. In Aruba's architecture some of the same concepts still exist, like an access control list is an access control list, but it's possible to abstract that away and use, again, human concepts like usernames and application names and device types like Apple iPhone, and use those in policy definitions,
[00:18:06] so that a machine system, a piece of software, can actually build the access control list. So when you have a machine system automate the process of building the configuration and pushing out a configuration, you get two things. You get humans removed from the tedium of creating these configurations, and you get the ability to deliver that configuration wherever it needs to go. And if it needs to go remote, it goes remote. If it needs to stay local, it stays local. And so you can automate the process of standing up a brand new network, as long as it's got basic IP connectivity, because the system can say, hey, I just went live.
[00:18:42] Can you give me my config? Yes, here it is. Let me validate that. Yep, it's valid. Okay, go. That doesn't require humans other than to plug them in and turn them on.
[00:18:49] Bill Russell: I was CCNP certified back in the day, without mentioning the vendor's name, and those command line interfaces that we used to build those things out... I mean, it's amazing to me to think about having the network be smart enough to auto-configure devices, to pull across access control lists and those kinds of things. I mean, we were able to do that before, to auto-configure devices, but not to the level we are today. I mean, when you talk about the pandemic, there were a lot of people going remote. There were a lot of remote locations. Describe what it's like to extend the network in the new era.
[00:19:28] David Logan: So with software-defined networks, and then specifically with Aruba's architecture, literally when we revamped our supply chain, so to speak, and pivoted some of our manufacturing process to opt for physical products that are meant to be remote-deployed or deployed in a home, for example, that was really the only major change that we needed to go through in order to then enable our customer base to be able to react to the pandemic and build remote networks of any kind, of any size, in any location.
[00:20:03] And so literally what then happened, we had organizations come to us and say, hey, we need you to stand up all these remote sites. It's for our employees; we need 2,000 employee homes lit up. And so they would buy 2,000 access points from us. Our access points have Ethernet ports on them, have Wi-Fi radios in them obviously, and some of them have USB ports, so you can actually attach an LTE or 5G modem to them. So if you need wireless WAN connectivity, that can be provided. But literally they would give them out to their end users and say, plug this into your internet connection at home, or if you don't have one, here's some USB LTE dongle, plug it in from Verizon, plug it in from AT&T. And then within five minutes or so, that device is going to connect up to Aruba's cloud infrastructure, validate its basic customer configuration, and then it will connect up to our network, and then you're going to get a secured total experience from your home back into our network. And so we talk about that as extending the enterprise network out to the end user, just as if they were in their office. And instead they can attach VoIP phones, they can attach printers, they can attach specialized devices like a Philips telemetry monitoring system. Whatever it is, they can attach it.
[00:21:24] And literally the experience is plug it in, turn it on, give it five minutes, and you've got the hospital SSID running in your home.
[00:21:33] Bill Russell: And the other thing I liked about software-defined networks was just the agility. I mean, literally you could come up with new capabilities, you can enable new capabilities and roll those things out pretty rapidly. And I'd imagine the pandemic gave you some opportunities to do that as well.
[00:21:51] David Logan: It allowed us to solidify architectures that will ultimately be even more strategic in the long term, even more important in the long term. Healthcare organizations have gone through cycles of merger and acquisition activity for decades.
[00:22:09] And we'll continue to see cycles of this. And one of the common sticking points slash challenges is the ability to integrate two disparate IT networks together. Organization A and organization B have been running for some period of time independently, and now there's an expectation from the CFO that they will be blended together and common services will be available from both locations, and there'll be a common architectural approach. Well, again, back to the discussions of legacy architectures versus software-defined architectures. Legacy architectures don't really allow for a lot of flexibility in how those systems would be merged together. It really comes down to resetting how organization systems are configured from the bottom up and reconfiguring them to some master architecture that both organizations can agree on. Within a software-defined architecture,
[00:23:12] at least for the Aruba architecture, it's easy for some amount of the existing network to remain in place, perhaps a lot of the existing network to remain in place, but new capabilities can be extended to that acquired organization so that security can now be common. And then you can move into having operating models of network performance management and application performance management be common as well, just because of software-defined environments.
[00:23:42] Bill Russell: So you're doing that at Aruba and on a third-party network as well.
[00:23:47] David Logan: Yes. Yeah. Frequently. In fact, 95% of the time, 99% of the time, when an organization begins their journey to migrate some or a lot of their network architecture to Aruba, they're starting with a third party already in place.
[00:24:05] And we know, as all the vendors do, they're not going to replace everything day zero. Number one, you can't do it operationally. And number two, the CFO won't allow it. I mean, there's assets that are in place that need to be taken advantage of and taken off the books over a period of time.
[00:24:25] And so it's very easy for us to go to a customer and say, yeah, actually, that's not a problem. What you want to do is take a strategic look at your environment, decide the area of reinvestment that's necessary, whether that's the data center network or the wireless edge or the remote access network and the LAN, whatever it is, and you start there. And you work over a period of time to augment your environment with an Aruba architecture, but you leave everything in place. And because of our attention to detail on interoperability, because of our founding intent and strategy to operate on top of third-party environments seamlessly, our customers enjoy the ability to just come in and install our stuff and have it work really, really well on top of what already exists.
[00:25:16] Bill Russell: Yeah. So the other thing: when you abstract the hardware and the software layers from each other, do you get a longer device life cycle, if you will, a longer time until you get to end of life on those devices?
[00:25:31] David Logan: Yeah, absolutely. It's a little counterintuitive. I mean, we as IT professionals, and generally speaking IT professionals, look at software as software and hardware as hardware. Sometimes that's true. I mean, if you look at a compute platform, for example, it has a little bit of software and a little bit of firmware, but by and large it's going to be configured and managed with a software tool, a set of software tools that would be augmented by whatever that compute platform is.
[00:25:56] When you look at an Ethernet switch or an access point or an SD-WAN gateway, these are systems that are not actually truly hardware. Sure, they're hardware-based, but ultimately it's the software that runs on top of the hardware that is what's important to the customer, because it delivers the features that are necessary for the capabilities to be extended throughout the environment.
[00:26:18] And it contains the security and operations management features that are required. When we talk about hardware, what we're really talking about is an entire hardware-software system. Now, Aruba's strategy, going back a very long time and still present today: we continue to design and build our own hardware on purpose, much like how Apple designs and builds their own phone platform. It's because they want the user experience to be great, and it's because they want the software that they build to run exactly the way they want it to on that piece of hardware. We do the same thing. We want our software to run exactly as intended on the hardware that we built.
[00:26:59] And so we're doing all of our own designs still to this day because of that. And to your point, we're fortunate, and our customer base is fortunate, because they've been able to take advantage of our strategy in that regard. And they have products that they have installed from us that have lasted seven years, 10 years, 12 years, even 15 years.
[00:27:20] I mean, I've talked to customers that are still running access points that are 14, 15 years old from us.
[00:27:25] Bill Russell: Yeah, the lifecycle. So we had a framework where we determined how long each device was going to last in the networks, so we could have the right budgeting in place to replace the equipment. And I think on wireless devices, on wireless access points and whatnot,
[00:27:40] we had a four-year lifecycle, because it was just a foregone conclusion that the technology was moving so fast that we were going to need new devices every four years. Is that not the case anymore?
[00:27:52] David Logan: The life cycles have extended, for sure. That was certainly true 15 years ago, even 10 years ago. But when you look at the rate of innovation, if you will, as a mathematical curve, the rate of innovation 15 years ago was incredibly steep. There was a ton of innovation taking place on the client endpoints for Wi-Fi connectivity, and the same thing for the access points. We went through the 11a/b/g shift to 11n, we went from 11n to 11ac, we're in the midst of the shift to 11ax, and now we've added a whole new spectrum, the 6 GHz spectrum, to 11ax. So we definitely are seeing some pretty steep innovation curves, but it's an interesting three-dimensional problem, or multidimensional problem.
[00:28:47] University of ?? made a really good example of this one. When a university allocates their IT budget for network refreshes in a given year, they have to make a choice between how much of their existing Wi-Fi infrastructure they are going to replace to enhance its performance, and, while they do that, whether they are going to increase the density of access points in a certain area so they can not only increase coverage but increase capacity at the same time. And/or how do they juxtapose that against increasing coverage across areas of their campus that might not be covered well, like outdoor spaces or event venues or parking lots, parking garages? And so the consideration of, okay, are we going to extend our network?
[00:29:32] Are we going to make it more connectivity-friendly for low-power devices, for IoT? Are we going to dramatically increase performance, because we're going to have all these high-performance workstations attached? These are really the choices that these types of organizations wrestle with. And so the ability to choose a type of device, choose a type of access point, is pretty easy today; you can standardize. But then you start to wrestle with how much of my budget is going to go towards which of these strategic choices.
[00:30:02] Bill Russell: One of the things you mentioned to me earlier was about the agreements, or the work that you've done, with the various carriers. And I found that interesting, especially in a hospital setting. We have so many people coming in, sitting in waiting rooms, waiting for loved ones and those kinds of things, or even physicians that are bouncing around from location to location.
[00:30:21] They come in and they use their mobile phone. And you guys have a pretty unique and interesting way of authenticating those devices. Can you give us a little background on that?
[00:30:33] David Logan: [00:30:33] You bet. And I’ll apologize ahead of time. I might nerd out really, really heavy on this because I think it’s really fascinating at an organizational level and at an IT services level and then a technology level. The basic premise is pretty simple.
[00:30:49] It should be really easy for a patient or their family or a guest or a vendor to come into a healthcare facility and get easily connected up [00:31:00] to the guests network which we all are operating these days. Easily and seamlessly. 99% of organizations today are using captive portals or maybe they have an open guest network because they’re just tired of dealing with it.
[00:31:12] Or maybe they have a mechanism where a guest has to fully register and they’ll get an email with some temporary credentials. They’re going to have some sort of guest management system. Putting aside some of the useful aspects of that, security and safety and the like, it’s not a great user [00:31:30] experience because you’ve got to go through a multi-step process to get temporary access to a resource.
[00:31:35] If the cellular coverage in a building is good enough, the users aren’t going to do it, they’re just going to use their cell provider. Because data plans are pretty cheap these days. A lot of organizations don’t have good cell coverage throughout their entire facility. And so getting easy access to a wifi network is a really nice benefit for these types of individuals.
[00:31:55] And so we’ve implemented a solution in partnership with [00:32:00] the cellular wireless industry. And it’s based on an industry standard called Passpoint. And basically what it says is if you have a Passpoint enabled phone, like an iPhone 10 or 11 or 12, or similar Android devices, your device can authenticate using the Passpoint protocols.
[00:32:18] Okay, great. So now what you need is a wifi network that supports being able to listen to the Passpoint protocol and authenticate to the carrier [00:32:30] networks. And so what Aruba did, using Aruba Central, which is our cloud management platform and our cloud services platform: we formed technical relationships with all of the carriers, so that an end organization, a healthcare organization, can subscribe to this authentication service from Aruba that allows users to come in with their personal devices.
[00:32:53] And as long as they have a valid subscriber relationship with Verizon, AT&T or [00:33:00] T-Mobile or whoever, they’re going to automatically and seamlessly authenticate to that carrier using their carrier’s credentials to the local wifi network. And so what’s interesting about this is, and this is the geeky organizational IT services part.
[00:33:15] This means that we’re actually federating networks together. We are using the healthcare’s wifi network, what we in the industry would call a radio network or radio access network, but we’re authenticating using a [00:33:30] third party. We’re authenticating using the carrier. The carrier trusts Dave Logan, the carrier trusts Bill Russell. They trust our devices and they say, you know what? That is Dave Logan’s device. And he’s trying to authenticate to UNC healthcare. Let’s let them do it. And the process is instantaneous. And so this ability to federate user knowledge and subscriber knowledge and security policy knowledge from one party, but then allow access into another party’s environment, this federation process, is really what’s going to [00:34:00] drive innovation over the next 10 years.
[00:34:02] Think about IOT systems. Think about other vendors coming in and wanting to deploy their own tech inside a hospital. Federation and orchestration are going to be the two key words that make this all happen.
[00:34:14] Bill Russell: [00:34:14] Federation and orchestration. So federation: sharing those credentials and giving them the ability to work across networks. Orchestration, in what way orchestration?
[00:34:26] David Logan: [00:34:26] Well, it’s really necessary to orchestrate, [00:34:30] in this case using Aruba Central as a services platform; it’s necessary to orchestrate two different organizations’ systems at the same time. I walk into UNC healthcare. My device sees a Passpoint SSID being advertised. My device requests Passpoint access.
[00:34:50] It says it’s a Verizon device. The system that’s locally running in the healthcare facility signals to Aruba Central: [00:35:00] Hey, this device is trying to authenticate, here are its credentials. Is it authentic? Aruba Central will go and communicate with Verizon. Is this device authentic? Yes, it is. So this is the orchestration, in this case of authentication and access control, which traditionally has been an inside,
[00:35:18] single enterprise function only, but now we’re doing security orchestration amongst organizations themselves.
[00:35:26] Bill Russell: [00:35:26] And so we come full circle back to the user experience. And it’s [00:35:30] interesting when you sit down with the chief information security officer, they’re going to want to know that the security is robust, that it’s defined really well, that you have the capabilities to do at rest and in transit kinds of security protocols. You’re supporting the various frameworks that are out there and whatnot. But to give them the ability also to enhance the user experience, to listen to the business, understand what the business requirements are and to build out those [00:36:00] mechanisms, have the ability for IOT devices to be rolled out as you were expanding your hospital at home kind of infrastructure, but to have them be rolled out by non-certified network professionals, just essentially have the network be smart enough to identify those devices, to authenticate those devices and bring those devices onto the network. I would think that’s a significant [00:36:30] opportunity or leg up for a lot of these changing business models in healthcare.
[00:36:36] David Logan: [00:36:36] Completely. When you can enable an environment where the CIO can say yes, can say no problem, I’m sure we can support that, we just need to answer these three questions; when they can go to a vendor and say we’ve recently changed architectures and [00:37:00] you no longer have to go through a strenuous in-lab technology evaluation process, you just need to give us a couple of days to profile a couple of things about your product and your devices. When you can streamline the process for everybody, whether it’s an end-user or a vendor providing healthcare tech, or the CFO that wants to streamline operations or the CEO that wants to do acquisitions, when you can be in that position, being able to say yes most of the time and not be in the [00:37:30] experience prevention business, ultimately it comes back down to satisfaction all the way around and being personally satisfied.
[00:37:40] Bill Russell: [00:37:40] Let’s talk about this from a ransomware perspective. So ransomware has taken down, it’s three, four, maybe even five hospitals at this point, the largest, lots of small regional facilities, lots of smaller regional. And then you had Scripps, which is probably the largest, and the CEO just did [00:38:00] an article in the San Diego Union-Tribune or San Diego Union newspaper about their lessons learned around that. And so that’s probably the largest health system that was taken offline. I’m sure you’re having these conversations. So how are we thinking about the network differently? How does your system enable us to be ready for those kinds of things?
[00:38:22] David Logan: [00:38:22] So let me reflect on a couple of different angles. One’s a risk management angle, and one is a security architecture angle. From a risk management [00:38:30] perspective, obviously every organization has an operating culture that will be both digital and non-digital, and an organization’s ability to fall back to a non-digital process may mitigate the concerns that they would have about their security architecture.
[00:38:46] And so it really does come down to first asking and answering the question of how critical specific digital processes and digitally enabled functions are to our day-to-day practice [00:39:00] and being methodical and analytical about it. And I’ll point out one use case, where I scratch my head to be able to identify anything but a digital process: think about home healthcare and hospital in the home and those kinds of initiatives.
[00:39:14] Unless there’s a provider or a healthcare professional in the home or nearby in the community, home healthcare is all going to be about being digitally enabled, telemetry, active control systems, to ensure that all of the activities taking place [00:39:30] are within protocol.
[00:39:31] And so there are going to be plenty of environments where it’s simply not possible from a risk management perspective to ignore the possibilities of the network being used to attack the infrastructure and deny service. And so from a security architecture perspective, you can take as simple or as complex a view as is either warranted or as necessary as one’s human [00:40:00] psyche would like. Our simplistic point of view is, by applying segmentation as a strategy for the network and by applying finer-grain policies and getting more and more segmentation, if you will, the network is going to have fewer opportunities to be permissive. The military talks about permissive and non-permissive environments.
[00:40:29] You want to create an environment that is non-permissive to ransomware. And the only way to do that is to prevent its ability from executing reconnaissance in the environment and moving laterally. The only way to do that is through segmentation. And Aruba’s answer to this is don’t use static designs. Back to the software defined architecture that we talked a lot about earlier.
[00:40:52] It is possible to automate the entire segmentation process from user experience all the way down to ID administration [00:41:00] and these capabilities should be taken advantage of in this regard.
[00:41:03] Bill Russell: [00:41:03] It’s interesting. I mean, that is one of the questions that I get often when I’m talking to people who maybe aren’t in the field and they say, so let me get this straight. One person on this network clicked on an email and it took down the entire system? And to be honest with you, the attacks, some of the attacks we’re reading about, aren’t that much more sophisticated than that. They got into one system, one [00:41:30] workstation and then, as you say, went laterally across that network and got really to the crown jewels of the entire health system. That’s a scary concept from where I sit.
[00:41:41] David Logan: [00:41:41] It is a scary concept, and we used to take a position going back a few years that using concepts like role-based access control and escalating privilege management, using multi-factor authentication, those kinds [00:42:00] of capabilities were absolutely important to investigate, absolutely important to consider as part of a security architecture, but we weren’t particularly forceful about the position or the point of view.
[00:42:17] It’s clear that the financial motivations to attack inadequately protected environments, regardless of the financial cost or [00:42:30] human costs to that organization, are so, the financial advantages to the attackers are so skewed. It’s just so easy. And the potential rewards are so great that we really just don’t have a choice anymore as IT professionals. We have to create a multi-layered security architecture: network, application, endpoints, detection and response and the like.
[00:42:56] Bill Russell: [00:42:56] I want to thank you for this conversation. I love [00:43:00] mixing and bringing the idea of user experience and security and software-defined architecture together. I think it’s great to look at all of those things. I close a lot of these interviews with this question, which is: is there anything we haven’t talked about that we should have covered?
[00:43:15] David Logan: [00:43:15] This would be a podcast in and of itself. With the movement to BYOD and the movement to SaaS and cloud architectures, you, as an IT professional, as a leader, would recognize that we’ve removed [00:43:30] instrumentation that we used to have access to, to do performance management in the environment.
[00:43:34] We used to be able to instrument the endpoint. We used to be able to instrument the server and the application. We don’t control those anymore, as IT architects. The network is now the only place where you can actually instrument end to end what’s taking place. And so the network is not only responsible and important to security. It’s now responsible for end user application management and performance management. Going back to experience.
[00:43:56] Bill Russell: [00:43:56] Yeah, the thing a CIO hates to [00:44:00] hear is, this workstation is slow. Because you’re sitting there going, oh my gosh, the variables you just gave me are huge. I mean, it could be the workspace. It could be any number of applications. Could be firmware, could be the network, could be the server on the other end. But as you said, we had instrumented all those things. So a lot of times we would just go in and be able to go, okay, the slowdown is somewhere between here. And we’d be able to [00:44:30] identify that pretty quickly.
[00:44:31] Are you, are you saying that because we’re moving to the cloud and we’re moving to a lot of different, new types of architectures that it’s harder to identify those things?
[00:44:40] David Logan: [00:44:40] Absolutely. Think about the radiologist that is getting access to imagery on their iPad. And it may be even a hospital-issued iPad, a healthcare-issued iPad.
[00:44:54] And they are moving through the hospital from the radiology suite down to the emergency department to help [00:45:00] the eighties or the case. And they’re doing a read while they’re physically moving around, just to get a preview, to see what’s going on. And they have a lag, they have a performance problem where the images aren’t coming through very well.
[00:45:11] They’re going to file a help desk ticket if it reaches a certain escalation point. There’s no instrumentation on that iPad that’s available to IT staff to help them understand what’s going on. If the PACS system is running in a cloud hosted environment, there’s no instrumentation on that system to tell them what’s taking place there on the servers [00:45:30] and the application stack itself between all the application elements.
[00:45:34] So where are the IT staff going to look? They’re going to have to use the network as a single point of instrumentation to look in both directions simultaneously.
[00:45:43] Bill Russell: [00:45:43] When we used to hear that kind of stuff, one of the first things we did is we put a sniffer on the network. And then tried to identify what was going on, especially when we knew it was a communication problem.
[00:45:54] And the people that could look at the packets, identify those things. They were [00:46:00] brilliant to me. They were like detectives, they’d be looking at some packets and essentially tell us exactly what was going on. There’s a conflict here, or there’s a slow down here and that kind of stuff. It was pretty amazing stuff.
[00:46:13] Aruba has, I think, one of the most identifiable logos in the industry with the bright art. Do you consider those Halloween colors, orange and black?
[00:46:24] David Logan: [00:46:24] They are bold, that’s for sure. Halloween is certainly a fun [00:46:30] time in the office, not so much last year, but generally speaking. The naming of Aruba has an interesting origin. The founders came from other prominent networking vendors and they wanted to choose a name thematically that meant that our customers could go to a place of happiness, to a place of comfort and support. And in the brainstorming that apparently took place [00:47:00] behind the walls of a venture capital firm during the founding of the company, the island of Aruba and the experiences that one would expect to have when you’re there was really what evoked that theme of comfort and the happy place. And so that’s where the name comes from.
[00:47:18] Bill Russell: [00:47:18] Yeah, well, if you’ve been to Aruba, that is exactly it. I went there once. I took my family there once. Yeah, [00:47:30] it’s a place you can hang out and really feel comfortable. That’s for sure. Really appreciate your time and your expertise and sharing that with us. I’m really looking forward to seeing where this progresses.
[00:47:41] We’re not static anymore. We’re constantly moving. So my guess is that by the time, next time we talk, you’re going to have stories of how users have utilized this technology and the software defined architecture and moved it out into the home. And it’ll be interesting to see the [00:48:00] flexibility that people are able to use; when you provide people the flexibility, they come up with some really interesting solutions.
[00:48:06] David Logan: [00:48:06] Yeah, you’re absolutely right. We really appreciate the opportunity to be here today too. We’ve both been doing this awhile. Every now and then I have to stop myself from saying, yeah, I’m not sure if there’s really any other problems to solve in this area, to your point of flexibility. People will find incredibly compelling uses for the capabilities that vendors like us are privileged to provide. [00:48:30] And so I look forward to finding out what happens too.
[00:48:33] Bill Russell: [00:48:33] Yeah. And I just finished an interview earlier this week. And we were talking about hospital in the home and I was just thinking through that and yeah, we have some initial pilots and those kinds of things, but it was with all that static hardware.
[00:48:49] And that’s not going to be doable with what some people are saying, which is essentially replacing 20% of your hospital rooms with beds that are out and about in the [00:49:00] community. And those beds are going to shift from that home to that home over time. But 20% of your beds at any given one time that you’re monitoring centrally are going to be flexible, that you’re going to change from location to location. It’s going to require that level of flexibility and ease to enable that new paradigm that’s right around the corner.
[00:49:22] David Logan: [00:49:22] Yep. Absolutely.
[00:49:24] Bill Russell: [00:49:24] All right, David. Thanks for your time. Really appreciate it.
[00:49:27] David Logan: [00:49:27] Thank you Bill. Great to see you.
[00:49:29] Bill Russell: [00:49:29] What a great [00:49:30] discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It’s conference level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We’re out there. They can find us. Go ahead. Subscribe today. Send a note to someone and [00:50:00] have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. Thanks for listening. That’s all for now.