August 26, 2021: Technology enablement for healthcare providers has not changed overnight. We continue to innovate and enable in a positive manner; however, as systems are maintained, there is always a potential for risk. Managing risk is a crucial element of information security lifecycle management. Through the routine use of existing control planes for security technology, areas of improvement should be sought to promote an “always-on” threat detection and remediation model. Is there ever going to be a ‘Fort Knox’ of healthcare information? What is the next disruption that will change the perspective of patient care and protection?
Join our webinar “Coming Through a Ransomware Event – Best Practices and Lessons Learned” on Thursday, October 7th at 11:00 AM eastern time. We are going to take a unique look at the Sky Lakes Medical Center ransomware event with guests:
S2: Distributed Threat & Vulnerability Management with Sirius and Tanium
Transcript – Aug 26, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Our topic for today is distributed threat and vulnerability management. Our sponsor for today’s segment is Tanium.
[00:00:23] We want to invite you to a special event that we have coming up Thursday, October 7th at 11:00 AM eastern time. [00:00:30] We are going to take a unique look at a healthcare ransomware event, an actual event that occurred. We have the CIO for Sky Lakes Medical Center, John Gaede, joining us. That is a health system that was ransomed.
[00:00:42] And we have Lee Milligan, the CIO for Asante. Asante is the EHR host for Sky Lakes. They’re the community connections for Sky Lakes and they’re going to recount the events and the effects that it had on the interconnected health systems. Some of the things that they did that they believed [00:01:00] worked pretty well and some of the things that they think could have prepared them better for the event.
[00:01:05] We’re also happy to be joined by our guest today, Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event, straight through to the end. And I believe with his insights and the CIOs’ experience, this discussion is going to provide valuable insights into the best practices that are being adopted across the industry and maybe that you could adopt. So we would love to have you join us. [00:01:30] And if you want, you can provide us questions ahead of time. It’s in the sign-up form, and we will make sure we address as many of those as we possibly can. So there’s a webinar Thursday, October 7th at 11:00 AM Eastern time. You can sign up on our website thisweekhealth.com/register.
[00:01:46] Our topic for today is distributed threat and vulnerability management. Our sponsor for today’s segment is Tanium. Matt this is an interesting topic. Distributed threat and vulnerability management. Frame up the problem for us. What are we [00:02:00] trying to solve? What are we trying to address?
[00:02:01] Matt Sickles: So we think about a single building. We think about a set of clinics. We set out to protect what we know. 2019 into 2020 changed this dynamic considerably.
[00:02:15] We started sending workforce remote. We started having more requirements for home health care telemetry and visibility monitoring of patient care. So now, when we had all of the tool sets focused on the brick-and-mortar buildings, the clinic [00:02:30] environments, that were something physical that we could attach to, that was a much more consumable and palatable problem set.
[00:02:36] Now we are ephemeral in where we were. We can pick up and go. Unfortunately in healthcare though, as a first responder, as a critical care resource, those individuals have to stay on campus. The information technology and security teams may be remote. So this now is not only a one-to-one relationship, building by building; it’s a one-to-many: the resources, the places they are [00:03:00] operating from.
[00:03:01] So now all of those controls that we’ve been building for 12 to 15 years, not only have to protect the buildings, but also regardless of where that individual or that group of individuals work has to protect them at all times. So that distributed threat now has gotten worse. Over the last 18 months, we are seeing this critical start of, I have to get protections right away.
[00:03:24] People are throwing tool sets in. People are throwing solutions in and not even defining the business problem. [00:03:30] So that’s where the problem statement comes from: we are now in a much more diversified and distributed workforce globally, as an enterprise, as a healthcare organization, regardless of what work industry you’re in. And that is really the compelling problem statement.
[00:03:45] Bill Russell: Yeah. We used to be able to draw a border around the outside of our network and it was pretty defined. It was pretty easy. But at this point, physicians are accessing the medical record from all sorts of locations. Any sort of clinician. You have higher levels of acuity in the home, you [00:04:00] have business associates.
[00:04:01] I mean, even defining the outside of our network becomes impossible. And each one of those different areas requires some aspect of, or some different approach to how we look at securing that environment. Talk a little bit about the attack surface that exists within healthcare.
[00:04:18] Matt Sickles: Yeah. And you hit it on the nail, Bill. When we’re talking about perimeter controls, we draw the layers of the onion, the very outside, where that we’re going to attack the point of presence, where the internet comes in to the routing [00:04:30] equipment and the security features. Well, think about the fact that there used to be one layered onion for most organizations. We knew the outside layer had to be the crispiest and it had to be the most protected.
[00:04:41] But now think about the fact that that onion is one of many. We now have to have an onion that follows the resource, say it follows the threat, and it now protects. So if you have an enterprise administrator who is now working from home, that used to be sitting in the data center, that is probably one of your highest [00:05:00] risks.
[00:05:00] You also pointed out, now that you have a physician that is accessing electronic health and medical systems, any of the third-party systems, that now becomes an extra threat vector as well. So as you mentioned, the attack surface has increased. Not only has that attack surface increased, it has become much more vulnerable just because of its distributed nature; processing power, equipment can’t handle the original design.
[00:05:25] So we’re now making tiny modifications, but it’s going to take some real thought and [00:05:30] redesign to get to that next step of protecting everywhere.
[00:05:33] Bill Russell: We used to try to build these massive perimeters, as you talked about, and it sort of begs the question, are we ever going to get to a Fort Knox of healthcare information? Are we going to be able to build some aspect of security that is impenetrable, if you will?
[00:05:48] Matt Sickles: Yeah and if we had a model that worked regardless of what industry had developed it, that was totally foolproof, it would be everywhere. It would be omnipresent. Everyone would have that architecture, it would be [00:06:00] in place. Great. Now healthcare has a real opportunity here.
[00:06:04] Will we get to that panacea of protecting data? Will there always be a validation that no one can steal data? That’s the hope and dream, right? But as we build out these micro perimeters, we start to have stateless controls that have to be everywhere in the industry, in the patient room, in the clinic, regardless of where they are.
[00:06:27] We have to now adapt and think about [00:06:30] all of these medical devices that are now coming in that also have the information. So until we get 100% of your devices on board with some type of a standard for protecting that information, we’re going to be behind and we’re not going to be able to provide that level of protection. So that’s just going to take time. It will be an evolution, but there’s a lot of steps we can take today.
[00:06:52] Bill Russell: You know micro perimeters is a new word for me but essentially there was a time in my career where we were really [00:07:00] pushing flat networks. And this whole idea of micro perimeters means, hey, they may be on your network already as we talked about in the last show. They might be on there for six months or so. But if you create those micro perimeters it makes it harder for them to get around. Talk about the path forward. All health systems really have these risks and it continues to be a burden for them. What is the path forward?
[00:07:20] Matt Sickles: As you’re starting to adopt new equipment, as you’re working with other vendors you have to impart on them what your policies are. If you have a [00:07:30] security policy that cannot be violated, they need to adapt their methodologies to be able to support that. Because if we’re just trying to band-aid things together, and as mentioned, as we look at a micro perimeter, we also call micro-segmentation for flat networks.
[00:07:44] We can now start to put these technologies in on an iterative basis. Let’s say that I have a critical care unit that I need to protect better than a public clinic. Let’s look at a parking garage versus an air handler chiller for a [00:08:00] critical surgical ward. These are the things that we have to have different layers of protection on; regardless, there have to be redundancies.
[00:08:06] So working from what do I have? What is my clear inventory of equipment? What are their capabilities? Are they in fact, potentially providing risk? We know about supply chain attacks. We know how they happen. So these vulnerabilities might start out from a brand new shrink wrap device, work with your vendors to make sure that there are effective security programs in their organization so that [00:08:30] you have those agreements.
[00:08:31] And most importantly, do some type of validation with periodicity to go in validate and ensure that there is no longer a threat or a risk based on your functionality and what you need to accomplish.
[00:08:45] Bill Russell: Are the threats to healthcare distinct enough that our partners need to really have a healthcare background to understand the dynamic that we are dealing with? Or can we use general security tools to [00:09:00] address these threat vectors that we’re talking about?
[00:09:03] Matt Sickles: Yeah. So for the first 20 years of my career, I was in technology. Then I moved to state and local government, as I was building on a lot of that acumen. The very first time that I really worked with healthcare was in combination with local government and education. As I started digging into it, this has been 12 to 15 years ago, healthcare does have a different lexicon. While we would love to be able to just take a system that is designed for manufacturing, [00:09:30] retail, distribution, or financial, healthcare does have a lot of special characteristics. We all know this. There’s just a lot of differentiation.
[00:09:38] However, I think that there will be a place in time where that we can start taking reference architectures, minimum viable security controls, and making sure that they are omnipresent. Every workload that you have will be protected by them regardless of its location or the volume of information being shared between it.
[00:09:57] Bill Russell: Are there solutions available today [00:10:00] specifically for the healthcare industry that are addressing this, or is this an area where we need to focus and develop some new solutions?
[00:10:07] Matt Sickles: So I think that one of the most compelling solution changes that we’re seeing is around the internet of medical things. We’re starting to see software solutions that look at these devices, categorize the vendor.
[00:10:20] Label them with a risk and show a workflow of how they potentially could impact and become more vulnerable. So, yes, the technology is there. We just [00:10:30] haven’t been an early adopter in healthcare, and no healthcare organization really wants to be that first on the bleeding edge. You have to make sure that there are good use cases, the lab validates what’s going on, because taking downtime is not an acceptable method of just having a new, shiny toy in the arsenal.
[00:10:49] Now while it can provide great value, we’ve got to be very systematic on introducing this into healthcare, mainly for the continuity, that whole continuity of care. The last [00:11:00] piece of this is we are seeing some technology innovations start to emerge due to the threat in healthcare. I believe that we’ll see more of those over the next 12, 24 and even 36 months.
[00:11:12] Bill Russell: Fantastic. All right. So one of the mistakes I made early on in my career is I come into healthcare, we spend a boatload of money on tools. We have tools everywhere to address specific point problems. It used to be that we could just run a scanner, identify a problem, put a tool in place, and that would fix that specific [00:11:30] problem. It didn’t work for me eight years ago. I’d love to hear you talk about why that doesn’t work and why it really can’t work moving forward.
[00:11:37] Matt Sickles: Yeah. So if we think about it, the very first thing that we will get, if we run a vulnerability scan, is a laundry list. It is now an inventory of legacy debt systems that need software upgrades, that may not even have a 1-800 number to call, legacy systems that are no longer supported. So the vulnerability scan, where that we just got a report of hundreds of [00:12:00] thousands or millions of technology debt, legacy debt issues, could not be resolved completely.
[00:12:06] So we would run these on a monthly basis. We would get the list, we would go patch machines, and then we would do it all over month after month. So now we have to get into a vulnerability scanning methodology that is near real time. It is closer to the workload, so that vulnerability management, instead of just being an outside in scan, while you do need to do those for compliance, regulatory and other [00:12:30] methodology, it can now be a supporting cast member.
[00:12:33] It can just be your validation that your distributed threat management, your distributed vulnerability management is working. We put it at the endpoint and we effect controls much more logically, and we don’t have to wait for a report or a department meeting to go resolve these things. They are found, they’re sent as an incident to your security operations center, and you can tear them down one by one as they happen, instead of just waiting over time [00:13:00] to then deal with a bigger problem.
[00:13:01] Bill Russell: Fantastic. Matt, you set up very well our next topic, which is going to be near real-time application security. So I’m looking forward to that conversation. Thanks again for your time.
[00:13:11] Matt Sickles: Oh, thank you Bill.
[00:13:12] Bill Russell: Fantastic conversation. We want to thank our sponsors Sirius and Tanium, who are investing in our mission to develop the next generation of health leaders. Thanks for listening. That’s all for now.