Managing Workforce Risk in Healthcare with RSA


Bill Russell / Tim Norris

This Week in Health IT

August 19, 2020: Data security and risk management flaws, cyber threats, phishing, ransomware. The bad guys know how to cash in on a good pandemic. With so many people working remotely, they are getting really creative, from a technology perspective, a psychology perspective and a sociology perspective. How do we manage the risk of this new and emerging dynamic workforce? Who is accessing data? Are they legit? Is it really who they say they are? Identity is the critical factor. It’s the front gate. Tim Norris, RSA Solutions Strategist, shows us how to double deadbolt, smart lock, alarm and protect that precious entry point.

Key Points:

  • The three major security risks [00:06:30]
  • How to set up your next IAM project for success [00:36:30]
  • Protect credential information and malware threats against spoofing [00:07:20]
  • How do I manage and orchestrate identity governance, life cycle management and authentication throughout the various facets of my organization? [00:18:00]
  • Exfiltration attacks [00:19:50]
  • Most breaches in healthcare originate internally through user error  [00:32:40]
  • Better partnerships between HR and IT [00:27:30]
  • What are best practices around third party access of healthcare systems? [00:29:00]
  • Check out RSA’s recent webinars around disruptions in healthcare [00:36:00]

Episode 292: Transcript – August 19, 2020

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00] Bill Russell: Welcome to This Week in Health IT where we amplify great thinking to propel healthcare forward. My name is Bill Russell, healthcare CIO coach and creator of This Week in Health IT, a set of podcast videos and collaboration events dedicated to developing the next generation of health leaders. This episode and every episode since we started the COVID-19 series has been sponsored by Sirius Healthcare. Now we’re exiting that series, but Sirius has stepped up to be a weekly sponsor of the show through the end of the year. Special [00:00:30] thanks to Sirius for supporting the show’s efforts during the crisis and beyond.

Clip notes is live and it is available if you can’t listen to every show, but you want to know what was on the show. You can sign up for clip notes, you get a one paragraph summary key moments in bullet point format with timestamps and one to four video clips from the show. Great way to stay current yourself, share insights with your team.

Just get the email, shoot it over to them. It’s a great way also for you to maintain your commitment to developing your team during these extraordinary times. [00:01:00] Sign up at any episode page or on the website, or send a note to clip notes, C L I P N O T E [email protected] and it will kick off an automated workflow.

That’ll get you an email that you can sign up. So our mission at This Week in Health IT is twofold: to amplify great thinking to propel healthcare forward and to develop the next generation of health IT leaders. For the first 180 episodes, we did the show with no outside financial support and that changed in the fall of last year.

We [00:01:30] made a conscious decision to find sponsors who shared our vision, sponsors who would help fund our growth and the development of the show with new offerings and content. We have a great group of founding channel sponsors and we have since opened it up to individual show sponsors. This is where we go in depth with a company or a solution.

And we ask questions as if I were sitting across the table from them as the CIO vetting their solution. We only do these shows with organizations that I feel comfortable with once we’ve done an initial interview with them. I have turned [00:02:00] down a couple following the initial conversation.

Today’s show is with RSA, a security firm that is part of Dell’s group of companies. We’re going to explore how organizations are securing the perimeter as the perimeter really changes pretty dramatically over the last couple of months. Here’s our show.

Our workforce is in flux. [00:02:30] COVID really moved a lot of our people around, but that really wasn’t the start of it. The workforce used to be made up predominantly of full time employees working on site but that has given way to remote workers and, really, specialists for hire.

We also have business associates that help to get the work done and really extend our risk factors even further. Healthcare is pushing beyond the four walls for delivery and that creates even more complexities. The question we want to explore today is how do we manage the risk [00:03:00] of this new and emerging dynamic workforce?

And so today we have Tim Norris, RSA Solutions Strategist, here to join us. Tim, how’s it going?

Tim Norris: It’s great. Thanks for having me. 

Bill Russell: So you’re working out of the house. You probably worked out of the house before? I would assume. 

Tim Norris: Yeah. You know, I would spend a couple of days a week at home but certainly life is different with a 10 month old and a three and a half year old running around while I try to work. So yeah, that makes things fun. 

Bill Russell: Wow. So what’s what what’s that like during COVID? I assume you’ve spent a lot [00:03:30] of time with the kids?

Tim Norris: Yeah. You know, with two working parents, it’s a lot of juggling, you know, I have a meeting here, you have a meeting there, where could I do you take the kids? I got to record a podcast and to get them out of the house kind of thing.

So, so yeah it’s been fun. It’s interesting to be able to be home and spend kind of that time, especially with a baby, but, But yeah, it certainly presents some challenges. 

Bill Russell: Congratulations. That’s fantastic. By the way, we’ve had kids on the podcast. We’ve had dogs on the podcast. We’ve had workers come by behind [00:04:00] windows during the podcast.

Wait, I think we’ve had just about everything I could think of. So. 

Tim Norris: Well, forewarning: I think the UPS guy’s just pulling up and my dog is staring out the window in front of me. So they might get a visit from Ms. Birdie here in a few.

Bill Russell: Any story behind the picture? So, so some people, a lot of people are gonna be listening to this on the podcast, but you have a collage of great pictures behind you. It looks, it looks more artistic than family vacations. So, and any story behind that? [00:04:30] 

Tim Norris: Well, you know, I like to fancy myself an amateur photographer. Focus on amateur. I think Photoshop can do a lot better than what I capture and the raw, but, but yeah, no, these are just some photos that my wife and I have taken on our various trips, whether it be safari in Kenya or, you know, across the Great Wall or Neuschwanstein in Germany, so.

Bill Russell: Wow. Yeah. And they, it’s not your typical, the two of you standing in front of something. That’s the reason I commented on the. You know, [00:05:00] the, black and whites and those kinds of things. But I assume if I have you on the show in three years, I want to see pictures of you and the kids in front of those same places.

Tim Norris: For sure. Now, throughout the rest of the house, there’s the pictures of us, my wife and I both are in security spaces and this faces our front window. So we’re like no pictures of kids and family. We don’t want people seeing. So yeah, we’re a little, maybe security paranoid, I guess.

Bill Russell: You know, I, I remember when we had a firm come in and they did a social media analysis of all of our executives.

And they actually came [00:05:30] back to us and said, Hey, you guys, you guys share too much. And they produce a document for each one of us telling us how we should really cull the information that we were putting out on social media. And even some of the connections that we should take away. Like we were connected to other family members and they’re like, look, Hey, that could be utilized.

As a way for people to take advantage, not necessarily of you as an executive for the health system, but they could take advantage of your nephews and your [00:06:00] whatever to get in. I had never even thought of that. That’s a that’s that’s like second level thinking in terms of security, I guess. 

 All right. Let’s jump into this topic. Let’s I’m gonna start with a generic question. Talk a little bit about the risks that an organization that really that your organization is seeing out there in the market today with, with regard to this is a changing workforce and the dynamics around it. 

Tim Norris: Yeah. So, I mean, I think, from a security IT [00:06:30] perspective, there’s really three major risks that we’re seeing. I think, I mean, obvious is the cyber threat surface has really dramatically grown. The bad guys, you know, know how to cash in on a good pandemic. Right. And so, we’re very aware of the targets and sort of the expanded surface where everyone works from home where you’re all using new technologies to try to just get our work done. And so, that’s certainly opened up a lot more opportunities. I think also you’ve seen, you know, where we’ve literally put people, you know, entire analyst [00:07:00] organizations in a remote posture almost overnight, you know, security is now trying to catch up on a lot of those cases.

So there are certainly more vulnerabilities across our environments. And then I think you look at things like phishing. It’s not new, but the context and how the bad actors are using that to lure in unsuspecting users. And in fact, you know, spoofing and, and leveraging a lot of our well-known healthcare brands and government entities, you know, to try and capture credential information or, or inject malware, I think is [00:07:30] interesting that, you know, I read a Google report, in January, they count them somewhere around 149,000 active phishing sites.

But by May, there was 840,000, and largely those were focused on COVID based premises, so PPE and those kinds of things. So, a lot of activity in trying to steal and inject, still cringe. Hey, as a result, we’re seeing definitely a large increase in ransomware and ransomware is really nothing new from a healthcare perspective.

We’re seeing across all facets of the industry. You see headlines. As early, [00:08:00] as late as last week around nation states hacking into research facilities. So there’s, you know, a wide array of, of, sort of direct impacts from a pandemic perspective. Related, I think is also, you know, we talk about the remote workforce that certainly has increased our, security risk.

And I, you know, I think it was yesterday the day before I was reading a study. And that looked at the differences of cybersecurity diff between a corporate network and a home network and home networks, you know, they found, they were able to measure roughly about three and a half times more likely to [00:08:30] have at least one form of malware on, on them.

So you think about that and your entire workforce is at home and using their own wifi routers and various states of password one, two, three as their password, or maybe no passwords at all. You know, certainly expands the opportunity for the bad guys. The third area, I think, as a direct result of, of COVID and how we’re adapting, is the rapid adoption of technology.

You think just help, you know, telehealth as an example, telehealth wasn’t new, but the [00:09:00] massive expansion almost overnight to be able to provide services to, patients, vitally important, but navigating the security vulnerabilities and trying to understand, you know, the various platforms, and also, you know, data security and data privacy issues has been a challenge and so we’re seeing organizations start to address those. 

Bill Russell: You know, I mean, you give us three areas. So yeah at the peak of COVID, if there was a, well, at the peak during New York City’s peak [00:09:30] of COVID, we had a conversation and we were talking about how all, all the attacks and all the phishing attacks had really coalesced around healthcare.

And it was really one of the first times in history that everything had coalesced around one topic across the entire internet. It was pretty crazy. In fact, my wife and I were talking last night about, what’s happening now is, phone calls, very sophisticated phone calls to people essentially saying, Hey look, we’re doing contact tracing and you’re one of the people that [00:10:00] has been in contact with somebody who has had a COVID-19 and, so we are calling to get your test scheduled for a COVID. So what we need is we need some information, we need a credit card, we need whatever. And it all sounds very official. Very crazy. In fact, my wife was commenting. Yeah. Like if these people would turn their energies towards good for world would be so much about, these are really creative from a technology perspective, from a psychology perspective, [00:10:30] sociology perspective.

I mean, these are smart people who are, who are creating these pretty sophisticated attacks to just prey on people. 

Tim Norris: Absolutely. Even you look at, I’ve been a victim, but I’ve had a couple come across my cell phone, just text messages. They look official from, you know, Dr. Hay. You’ve been this it’s, whatever, hit the lane kits, something to reply all, knowing that there’s lots of malicious stuff behind it.

But it just looks, it looks real. It’s that they’ve gotten really sophisticated. 

Bill Russell: So I’m going to dive into some, [00:11:00] some healthcare, some Health IT-related topics in a second here, but I want to start cause you, you talked about the work from home and the network at home. So whose responsibility is it to shore that up?

Do you think? I mean, if, if I’m the CIO for the health system, am I giving that work to my network team? Am I giving it to my security team? Am I giving it to, maybe even to my VDI team? Who am I giving it to to say, Hey look, we, we need to, are we sending people out to run scans on people’s home networks, their home computers?

[00:11:30] How are we, how are we thinking about those things? 

Tim Norris: Yeah. So, I mean, I think it’s a little bit of all of the above, right? I mean, as far as who do I give that to. It’s kind of everyone’s responsibility and honestly we have to do a sort of a much better job at educating our own employee base because, you know, if you’re a large healthcare organization with a hundred thousand employees, you’re not sending someone out to a hundred thousand houses.

Right. so I think that there’s an education and awareness piece with sort of very specific given the wide [00:12:00] variety of sort of technical savviness of, of our employee base and users. That’s important. I also think of it, it sort of goes to a topic of you hear a little bit about identity being the perimeter or whatever.

And I think there’s a lot of credence to that because, you know, as we’re accessing applications, whether it’s directly to the cloud, some SaaS-based EHR or any of the kinds of stuff like who we are and involve making sure we know who those users are, if they’re entitled to, to use that [00:12:30] application and what they can do, and also what are they doing with the data?

It sort of puts the onus right at the access point. And how do we make sure we’re really protecting that data? so that that’s, you know, I do think it’s an, all of the above kind of strategy and awareness is going to is a critical component, you know, working for part of Dell. And I think it’s about every once.

A couple of times a week, you know, there’s a, Hey, did you do this? Or, Hey, did you think about that? Do you have a, you know, have you changed your password on this? And that’s just sort of that [00:13:00] constant drip of things to help bring that awareness to a, you know, there’s 225,000 Dell employees that are working on that.

Bill Russell: Yeah. So identity is new perimeter and, I want to come back to that and I really want to talk about identity and access management projects. I just want to hang at this, this home network thing real quick here. Cause it’s, it’s interesting to me, cause I think that’s a new thing that, that all these CEOs are sort of looking at.

And when you look at, you know, the [00:13:30] cost of maybe putting something at the home, and if we’re telling people, Hey, we want you to work out of the home. at this point and moving forward, you know, does it make sense to, to buy that $300 device that now sits at the home network that has, you know, security and malware protect and all that stuff that you’re updating, just like you would update the computer and the security functions on the computer. I mean, do you think that organizations will [00:14:00] start to make investments around that? Cause the other thing about my home network is I’m not the only one on the network, right? So it’s me and my kids and my wife and, and, and just a ton of devices. And so even if I’m being safe on this computer, in this place, you know, my daughter’s in the next room, who knows what she’s doing on her computer.

Tim Norris: Yeah, I think that’s, you’re absolutely right. the, even look at like devices where people, the BYOD [00:14:30] type of environment, you know, in some cases like the home computer is also just being shared. So it’s not just the, the work computer you have. It’s the computer that the kids are doing their homework on and everything else.

So, yeah, that certainly creates additional challenges and I think. I personally, I do think you’ll see a little bit of a shift as we focus on work from home and how do we get more control over those devices? I think identity, I think there’s, scanning and sort of endpoint [00:15:00] detection becomes a lot more important cause we focus on sort of, that detection and response at the end point, because you know, we’re not going to be able to touch every device that’s touching on that network by 15 Alexas, I have around the house. Like, you know, that’s, that’s just, we’re never going to get to that point. So it’s being able to detect those threats, at that end point as, as quickly and remediate them as, as quick as possible.

Bill Russell: Yeah. So identity is new perimeter. I think I heard that for the first time. I guess I got to think about that maybe [00:15:30] maybe five or six years ago, and maybe I was late to the game, but, it sounds like one of those phrases that should mean a lot more to me than it does. What does this mean to me? And how does it play, play out in healthcare IT?

Tim Norris: Yeah. So, I mean, I think when you look at how the central yeah, our work lives are today, you know, no longer does everything sit behind a nice and tidy little firewall that keeps all the bad guys out. We’re, you know, accessing information all over the place, private clouds, public clouds, you know, maybe behind the VPN or direct to third [00:16:00] parties in the SaaS application kind of world. So there isn’t this single entry point. And you also think about, yeah, just the data exchange and data sharing, especially in healthcare, we think of the Cures Act and sort of requirements that are coming their data’s crossing of a bunch of different, platforms.

And so. When you look at who’s accessing that data, it’s really kind of the front gate. It kind of to say replaces the firewall, it certainly doesn’t, but becomes almost as important or more important to be able to protect based on who’s accessing. Are [00:16:30] they legit? Is it really who they say they are?

Are they supposed to have access and then ultimately, what are they doing with that data once they get in, once we’re looking inside the session and correlating those things together, it’s across the wide environments we have in the many environments we have. And I think, you know, identity is really the critical factor there.

And you see that played out, like you said, over the past few years becoming much more. And more important, where things like multifactor authentication, aren’t just for the [00:17:00] CEO and a couple of people who maybe sit in finance and some other places, you know, company-wide type of environments, I think specifically for healthcare, it plays out in a couple of ways.

You know, access to electronic health records or telehealth physicians, you know, doing work at home or wherever they may be. certainly opens up more opportunities from a how to service our patients. but also making sure we have really, clean ways of determining who’s actually accessing [00:17:30] that, but from a compliance but really from thinking of it more from a security standpoint, and again, my, just my opinion, Health care, but maybe even some other, definitely some other organizations and industries, no identity controls have really been driven out of them compliance and need for compliance. because that’s, that’s required and not necessarily, it’s like, yeah, password’s good enough.

But now, you know, as again, really the front line of defense. It has to sort of change in culture and how we [00:18:00] manage and orchestrate identity governance, life cycle management, authentication, throughout sort of the various facets of an organization, right. Just sharing a password or having password one, two, three before an entire, you know, operating, waiting to access anything like isn’t, isn’t viable anymore. But I also think it means from a security and IT perspective we have to, and as a vendor, even we have to make it as easy and as frictionless as possible for those users to be able to gain that [00:18:30] access. As we sort of put it as at the front of a security control.

Bill Russell: Yeah. You know, security is getting much more granular.

Right. So it’s, and it works off the identity. I think, you know, one of the things I remember having a conversation with somebody and it was about, you know, we had a blocking of certain sites at our health system. you know, normal software, it looked at different websites in a block, those websites. Now, obviously you have to be more liberal at a health system.

Cause you’re doing [00:19:00] research, you’re doing some of those things, but at the end of the day, somebody was like, why are we blocking anything? And you know, why do you even care what I’m doing? And it’s funny, what it led to was a conversation that just opened that person’s eyes for they’re like, I’m like we know everything that’s going on on this network.

Like we know we know what folders you’re in. We know what things you access. We know what email you open. We know what email you sent. And I think some employees still today are under the impression that you know, [00:19:30] what I do on my computer is really my own business. But the reality is, we have to, we are almost required, we are required to in healthcare and we’re required to in other industries to know what’s going on on our network in order to protect the assets that are on our network, because a lot of the attacks are really exfiltration attacks that happened as a result of our employees. So we are watching that stuff on an ongoing basis.

Do you find employees still struggle with that concept or is everyone really starting to [00:20:00] just come to grips with the fact that that is the case that we are, we’re required to. And we are watching just about everything that’s going on on the network. 

Tim Norris: Yeah, I think that’s a good question. So I’ll give you my personal opinion on that. I think, it’s a mixed bag. I think it’s also, and I hate to say it, but maybe a generational kind of, issue as well. I think younger, the millennial generation that’s, you know, in the workforce. And he has a lot less [00:20:30] expectation of privacy in sort of a work environment. I kind of understand that, that fact, but maybe some of your older workers have more of that.

you know, they, haven’t lived in a world where they’ve put all their information out on the internet and kind of, you know, given up a lot of privacy. so I think, I think there’s a mixed bag of what that expectation is. I think it’s really important for the organization, the healthcare or whoever, To be crystal clear and transparent with their employees about that and in most cases in every handbook and everything you see [00:21:00] it’s there, but it’s part of our digital world. 


Bill Russell: You saying people aren’t reading their handbook?

Tim Norris: I mean, I might be guilty of that too. At the older end of the millennial generation, I can kind of say that. Yeah, I look, I expect every coming into security world, I guess I’m a little more exposed to it, but I, every keystroke I take and mouse click, I do, I expect somebody is watching it.

Bill Russell: All right, you’re going to have to help me. One of the worst projects I ran as a CIO was our [00:21:30] identity and access management project. It was an area that I thought, Oh, this, you know, this seems easy enough. You know, you need to make sure that as people come into the company or leave the company. That you are assigning them to correct rights.

You need to make sure that, you know, none of the rights, you know, grow over time and what they should, you need to automate as much as possible. Well, we were getting a ridiculous number of phone calls to, to our service desk, around identity access management. [00:22:00] We were also, Quite frankly, we were way behind.

It was taking us. When I first heard this, I was horrified, you know, it was taking us almost two weeks to stand up a new employee. And I’m like, how can this be in today’s day and age? So we, we did, we did what everybody else did. You know, we went out, we, you know, looked at what was available in the market.

We talked to other health systems and we kicked off our, IAM project. you know, some of the things I may have overlooked, I mean, we can get into some of those things, but, No, I guess my question is, [00:22:30] you know, there’s, there’s so much of this that we, that I think health IT and myself included. I thought, well, if we just get the right technology, this is one of those areas where I fell into this trap.

We just get the right technology in place. We’re going to be good, but there’s an awful lot more to it than just throwing technology at this solution. Isn’t there. 

Tim Norris: Yeah, absolutely. I would say if I had a nickel for every time I heard that the IAM project was, you know, a pain in the, you know what, like I’d be a rich man but I think for me, it boils down to really two things. We [00:23:00] talked about that IAM project. And to your point it’s technology and people, and even in the technology, I think it’s about the approach. So many times have I seen organizations approach identity governance, or IAM as really just a provisioning problem right.

Coming at it from the help desk. Hey, we’ve got all these bajillions of requests and it’s overwhelming and how do we solve it? And certainly that is absolutely important. And part of the, you know, the drive and the need of any identity program, but [00:23:30] most organizations, a lot of organizations I’ve seen, kind of gets stuck because they don’t set up the right governance, processes and governance program before they start automating all that, these provisioning and deprovisioning, components. And so what that really leads to is yay. We’ve automated a bunch of stuff, but it’s still bad stuff. And I don’t have visibility into it and I can’t tell if it’s really appropriate levels of access for a user, you know, are there access violations or SOX or segregation of duties?

Like all [00:24:00] those kinds of things. You know, it becomes even more complicated because we’ve just made it easier and faster to put more stuff. 

Bill Russell: So Tim, help me help me fix this. Right. So I didn’t set up governance correctly. Do I have to set up another, do you know how many governance organization parts that we are a part of in healthcare?

Do I have to stand up its own governance organization? Can this be. A part of another governance organizations, purview. does it, is it just IT or is it, is it other parts of the organization? What do we like? 

Tim Norris: Yeah. [00:24:30] So I think there’s a, there’s a technology piece and then there’s the people side of that one.

So yeah, a lot of these tools provide a governance platform, the ability to kind of once you establish the right rules, which I think from your risk organization and your IT, which you already probably have these, these. Rules and policies established. It can be applied in the technology. So, so I think that’s it.

Kind of the, the easy part is that it’s not like a whole standing up of a brand new team and all this kinds of [00:25:00] stuff, you know, within some governance org, you can just, it’s applying the right policies, and being able to then have visibility. The tool to be able to look at those policies. So example, if I have visibility into every entitlement in my organization, even if it’s just my most critical application that’s the first step.

Right. And being able to see that, and then I can start to look at, are there people who have, you know, elevated or privileged access and be able to sort, and slice and [00:25:30] dice to start to apply the right remediation? So I don’t think it has to be overwhelming. And I think you can take it step by step. but you know, getting everything in one place as a, as a visibility factor is, is first, in mind.

And then you can start applying the right policies. You’ve got that kind of there then automation is almost easier. and you’re automating things that are going to be more in line with where you want from a process perspective. 

Bill Russell: All right. So, you know, excess rights was a recurring problem as well. [00:26:00] So, you know, for the most part, what we want to do is be able to set and forget, but, people move jobs.

They take on new responsibilities, they leave old ones. What’s the best way to ensure that we keep people at the right a level of right across the entire enterprise. 

Tim Norris: Yeah, it’s a big challenge for everyone. And I think too many times, a lot of focus on giving people access, but not in a focus on and how to take it away, when, when it’s appropriate to do so.

I can’t tell you the number of [00:26:30] conversations with organizations I’ve had, where, well we’ve done like an initial scan of, of identity is maybe part of a, you know, a point of, point of reference for our customer. Oh, we’ll see that there’s so many of these employees that have left, and have still have access to things even in the system and it’s just amazing. We’re not connecting the dots both from an HR perspective, but also not doing a good job at enabling those business users and business owners, to really take ownership and certify the access there, you know, we typically do [00:27:00] these access certification rituals, you know, again, driven primarily by compliance. And it’s so overwhelming for the business user, you know, dumping a big spreadsheet of a bunch of data and saying, Hey, I need you by Monday. Tell me, what’s excess. I should take away. It’s just not, not reasonable for, for these business users to take in and put the level of time into it. So I think for a, how do we kind of solve this problem or start to evolve?

I think it’s good partnerships between your HR and IT, [00:27:30] identity types of teams to be able to, to have a free flow of that information. So it’s more seamless as people say, leave the organization, but also as, you know, people are acquiring. Doing new projects need new access, putting more onus on the business owner, but making it easy to prioritize access review.

So Tim, who sits in a solutions kind of role, why is he accessing financial information? Maybe I needed that for a project, but being able to highlight that on a very [00:28:00] sort of continuous basis to my, you know, my manager or whatever, to be able to say, yep, that’s still good, is important without dumping a spreadsheet of a thousand records of, you know, Tim’s entitlements and saying, Hey, tell me what he needs, which you still find in.

A lot of organizations are still pumping data in spreadsheets and asking people to do stuff. It just isn’t reasonable. 

Bill Russell: You know, maybe this is, this is experience from a while ago ’cause I haven’t been a CIO for about three years now. But one of the things we had to do is [00:28:30] an audit for licensing and we did sort of an Active Directory dump.

And it took a look at just the number of Active Directory accounts. And it was way more than the number of employees we had. And as we sort of went through that, we have a ton of business associates who were accessing that and also, yeah, contractors who were accessing our Active Directory to get access to different resources throughout the health system. You know, are there best practices [00:29:00] around third party access of the healthcare systems?

Tim Norris: Yeah, I think first and foremost, aligning sort of your third party identity risk, as a part of your overall third party risk management program is, is maybe a novel idea. Yeah. But it’s critically important, especially we think of identity as kind of that primary component of their security program.

And then I think being able to, I mean, simply say it, treat the access as it is your own employees, right? Someone [00:29:30] has to own that; someone owns that contractor relationship. Somebody should be certifying that that’s the right person, and that they really should have access to those types of materials, and being able to look for any kind of anomalous activity that’s happening in a third party especially, being able to flag those in a way within your identity governance platform, is, I think, a critical component to give it a little extra special care. On the other side, I think from when they actually the point of accessing things, applying more of our risk-based [00:30:00] authentication solution. So you’re not just looking at kind of a rigid on or off, you know, do I have this code or not, but you’re looking at behaviors, and sort of less static type of signals, look more dynamically so that you can, again, these people aren’t sitting in your building, they’re sitting wherever and they’re, you know, your contractors or third party providers that, you know, you want to pay a little more extra attention to. So I think looking at a risk based approach, I think, you know, treating them as if they’re your own [00:30:30] employee and, you know, we’ve talked a little bit about, but really streamlining that business user experience so they can actually manage what identity and what access has been granted in a more efficient way are sort of the two. 

Bill Russell: So you’re distributing the visibility into access out to the business owners. What, what I mean are, have the tools progressed? Are we seeing like real time visibility into those connections or is it, is it more a retrospective of this is what’s been accessed and [00:31:00] this is what they have the ability to access? 

Tim Norris: Yeah. So I think the tools definitely have, have come a long way, right?

You’re seeing a lot of use of sort of risk engines and analytics models, that are automating some of the anomalies early detection for either the business user or even the administrator on the identity or IT side to be able to attack things and identify things that don’t look quite right and be able to flag them before, you know, before something happens. I’m looking at it based on a business [00:31:30] risk, you know, if it’s bad access to the, well, this is as relevant now, ’cause we’re all at home, but the intranet and the food menu in the cafeteria, like, okay, we’ll fix it at some point. But you know, the employee health records system, right, is a whole different level of risks. So, there’s a lot of, I think you’re seeing a lot of advancements and I know our own solution of advancing those models to be able to flag those. Deflect those components. On the force enforcement [00:32:00] side. So the actual authentication, I know one of the areas that we’ve spent a fair amount of time looking at is combining, you know, bringing identity into the SOC and so looking at threat intelligence and threat detection and response platforms, and being able to combine that with identity intelligence and identity risk, as we see, you know, potential security threat come in. How do we help use identity as an enforcement tool and sort of linking the two in a very automated way and really kind of in that real time capacity? So I [00:32:30] really think you’re seeing a lot of advancement in that space. 

Bill Russell: It’s fantastic. Yeah. I read an article once and it pointed out that most breaches in healthcare originate really internally. Now a majority of them are user error, right? So we. Some configuration issue, some aspect of something, and it’s such caused by useful user error.

But the exfiltration number to me was kind of surprising, number of our employees that are actually, for whatever reason, [00:33:00] acting in a, in a way that is counter to the interest of the organization. What kind of tools or practices have we utilized to address that specific, the exfiltration of data from a perceived good actor within our network?

Tim Norris: Yeah. Yeah. That’s a great question. And I think of the, the insider threats, you know, a lot of times when we talk about it, it automatically people go, Oh, it’s the Snowden, he’s the guy trying to steal stuff. And like you said, in most cases, it’s the careless coworker who’s [00:33:30] unintentionally doing something who’s misusing a resource who, I mean, clicking a link in a phishing email.  

Bill Russell: We had people that were like, Oh, you mean, I can’t share stuff on that on Dropbox was my favorite back, back in the day was not secured. And they’re just like, Oh yeah, I’m sharing stuff with that doctor through Dropbox, I’d be like, Whoa. Yeah. They’re like, what do you mean it’s real easy. You just sign up for Dropbox, you take it from our, from our secure [00:34:00] network store and we just move it out to Dropbox and the physician has access to it because they can’t get to our network. It’s like, there’s another way to do that anyway. 

Tim Norris: And so I think looking at, sort of all of the share files and sort of the unstructured data, there are definitely tools even from an identity standpoint to understand who has access to those types of file shares and, and, you know, different things, whether it be a Dropbox now or other kinds of stuff. I think those are, those are some important tools. Obviously some data loss, DLP type [00:34:30] of solutions provide some support there to see where assets are actually being moved to and from, and who’s doing what, but in the end, you know, I, I think there’s, there’s kind of two components here.

One is the awareness and the training that has to happen. And it has to happen the wide swath of employees that we have and to let them try to make it real and make them why that’s not a good idea and why maybe they should ask a question before they just [00:35:00] open up a Dropbox account and do, because ultimately they have the best intentions.

They’re not trying to do something malicious, but they’re putting things at risk. And I think they. We have to do a better job at bite sizing, making that training more impactful than just here’s your 20 minutes security awareness training and, you know, video that you watched and click the button that certified.

You said it. The other piece, I think, also goes back to a little bit of an access management standpoint of really making sure you’re adhering to that least-privilege type of access controls, [00:35:30] so that people don’t have access to things they shouldn’t have, and can’t do things with very sensitive data that they shouldn’t, such as throw it on up, you know, whatever kind of share that they want to do.

Bill Russell: Yeah. Well, Tim, thanks for your time. We’re going to put a white paper up on the website that people can download if they want some more information. Are there any other ways that people can get more information or, on some of the things we talked about today? 

Tim Norris: Yeah, absolutely. So I would say, first of all, to the website, I would say check out our webinar section. There’s a [00:36:00] couple of recent webinars around disruptions in healthcare that you might find interesting that span beyond sort of the identity conversation we had. So I would say check that out. And there’s a lot of great content, specifically talk to healthcare IT, across the RSA website. So I would certainly send folks there. 

Bill Russell: So I’m, you know, I’m going to give you the last word and it’s essentially, I’m going to, I’m going to get a do over. I’m going to get hired tomorrow as a CIO, hypothetically and I messed up our last IAM project and I [00:36:30] approached it all wrong. How should I approach it? I bet. I want to give you the last word to sorta set me up for success. Moving forward. 

Tim Norris: Yeah. So I think the first thing you need to look at is being able to have that full visibility first, right, across all of your assets, on all of your applications, all of your environments, and who’s doing what, who has access with what. I think that’s, without that visibility and sort of a fine level, I think a lot of this just becomes an automation IT [00:37:00] program, and it sort of defeats some of the purpose of, of managing a security identity for security program. I also say finding ways to help get identity more ingrained in the SOC as identity. Yeah. Kind that, that frontline defense, from, from the attack standpoint, being able to connect the dots there, I think is an important piece in an evolution that many organizations, as they mature, are starting to bring in.

Bill Russell: Fantastic, Tim again. Thanks for your [00:37:30] time. It’s fantastic. I look forward to seeing the family pictures at some point in the future, I guess I won’t, because you’re a security guy. I’ll never see the family pictures behind you on a video podcast. 

Tim Norris: Maybe if I sit in a different room by then, well, we’ll sit in the family room where there’s lots of babies and, yeah.

Bill Russell: Fantastic. Hey, thanks again for your time. I really appreciate. 

Tim Norris: All right. Thank you. I appreciate it. Thanks for having me 

Bill Russell: That’s all for this week. If you want more information about RSA or any of the solutions we talked about, [00:38:00] feel free to hit the website, or you can shoot me a note at [email protected] 

Special thanks to our channel sponsors, VMware, Starbridge Advisors, Galen Healthcare, Health Lyrics, Sirius Healthcare, Pro Talent Advisors and Health Next for choosing to invest in developing the next generation of health leaders. If you made it this far, you’re a fan of the show. Please do me a favor and send an email to one other person and let them know that you’re benefiting from the show and that you think it would be valuable for them to spend their time [00:38:30] with us as well. You could do that or sign up for clip notes and just shoot them clip notes on the shows you think are valuable to them. We’ll do our best to honor your support by producing great content with industry leaders to propel healthcare forward.

Please check back on Tuesday for news, Wednesday for solutions and Friday for interviews with industry influencers. Thanks for listening.