A Data Security Deep Dive with Former Chief Technology Strategist


Bill Russell / Sumit Sehgal

About this guest...

Share Now...

Share on linkedin
Share on twitter
Share on facebook
Share on email

Show Sponsor(s)

January 20, 2021: What are the greatest challenges around securing healthcare information today? How effective can security programs really be? Sumit Sehgal, Former Chief Technical Strategist at McAfee shows us what a good threat modeling exercise looks like and how to get your CISO, CTO and CIO working together on a cohesive strategy. Behavior mapping might not be the holy grail but what kind of things does it protect against? What’s McAfee doing around alert fatigue? And with so many mergers and acquisitions going on, how do you bring two systems together safely?

Key Points:

  • Data hygiene is a problem. We need good information to feed the security system architecture so that it can produce useful data on the other side. [00:05:55] 
  • How do you get your CISO, CTO and CIO all in sync when it comes to security? [00:08:06]
    XDR: Extended Detection and Response [00:08:20]
  • Machine Learning and AI process huge amounts of information in order to create a level of automation so that we can actually be responsive [00:24:25]
  • Messaging fabrics is a way for us to share information bi-directionally in our systems for threat detection [00:28:42]
  • McAfee

A Data Security Deep Dive with Former Chief Technology Strategist

Episode 354: Transcript – January 20, 2021

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00] Bill Russell: [00:00:00] Thanks for joining us on This Week in Health IT. This is a Solution Showcase. My name is Bill Russell, former healthcare CIO for a 16 hospital system and the creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. 

[00:00:20] Today we have Sumit Sehgal, the Chief Technology Strategist, US healthcare for McAfee to talk security strategy.

[00:00:26]Special thanks to our influence show sponsors Sirius [00:00:30] Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders. If you want to be a part of our mission, you can become a show sponsor. The first step is to send an email to [email protected]

[00:00:43] A quick note, we launched a new podcast Today in Health IT. You’re not going to find it on This Week in Health IT podcast feed. It’s a new channel. It’s its own show. We look at one story every weekday morning. Check it out. We it’s roughly about [00:01:00] six to eight minutes long. It’s an easy way to stay current on what’s going on in the health IT space. Subscribe wherever you listen to podcasts or you can hit our website this weekhealth.com, hit the subscribe button and it’ll show you how to find the podcast. 

[00:01:15] If you’re new to this show or returning after a while, we now do three shows on this channel on This Week in Health IT. On Monday we cover the news and I do that now with a round robin group of about six to eight people. So it’s a back and forth on the news and what’s going [00:01:30] on. Wednesday we have an influence or a solution showcase episode, and every Friday we’re going to do an influence episode just like this one. Be sure to check back for more great content and now onto today’s show.

[00:01:43]Good morning Sumit, and welcome to the show.

[00:01:46] Sumit Sehgal: [00:01:46] Thank you, Bill. Thanks for having me. 

[00:01:48] Bill Russell: [00:01:48] Yeah, I’m looking forward to the conversation and we’re going to, we’re going to cover a lot of ground today. Before we get going you have a, significant us healthcare background share [00:02:00] with us how you got to where you’re at today.

[00:02:02] Sumit Sehgal: [00:02:02] Interesting. It’s been a fun journey and a challenging one. I started and held it as an intern actually back in the late nineties, early two thousands. When how much has changed since then? Yeah, just a little bit. And, it’s fun because having gone through internships and my early experience as systems engineering in hospitals I had the good fortune of having very good mentors that actually. First [00:02:30] hand showed me what the impact technology and security due to clinical operations. So that was my, the Genesis of my career in healthcare. And then from there I went on to do security engineering architecture. Worked through the regional health systems for profit national health systems, academic medical centers, and then even what I would call the the safety net health systems and hospitals as well before joining McAfee.

[00:02:57] So it’s been it’s been a fun ride over the [00:03:00] last, I would say 20 years, almost 21 years in the field and having gone through multiple EHR implementations and multiple security programmatic I would say experiences as well. It’s been a, it’s been a fun ride and a challenging one is at that.

[00:03:18] Bill Russell: [00:03:18] This is going to be fun. You just opened yourself up. I can go in a lot of different directions. Academic medical centers, safety net hospitals IDNs. You’ve, done the [00:03:30] whole the whole gamut, including on the, vendor side now. So you’ve done the whole gamut, all right.

[00:03:35] So let’s, start then you work with a lot of health systems, you’ve worked for a lot of health systems. What do you see as the greatest, let’s say deficiency or challenge with regard to securing healthcare information today? 

[00:03:48] Sumit Sehgal: [00:03:48] I think it’s you asked me very simple question, but it’s it has a interesting answer because I’m going to answer it in two different ways.

[00:03:56] One is going to be on the, what I would call the industry [00:04:00] systemic issue side, that’s has a security impact to it. And the other one is as security practitioners, what we have done to ourselves in the last probably 10 years that is causing some of those issues as well. 

[00:04:10] So the two things from a systemic perspective, I think complexity of architecture is one of the biggest problems we have. And I say that because the pandemic situation has even brought that to the forefront in the sense of hospitals, health systems, trying to run what I [00:04:30] would call legacy applications. And they’re trying to reinvent themselves from moving from doing it the way they did it in late early two thousands, late two thousands into the 2020, we are doing IT by jumping head first into cloud and SAS applications with the telehealth and the analytics stuff that’s going on now. So that’s creating a lot of, I would say, interesting conversations when you’re talking about security architecture and how it fits into the broader it architecture [00:05:00] conversation.

[00:05:00] So that complexity is probably technically challenging on how effective security solutions and security programs can be. So that’s one, the second thing I would say, programmatically is. There is understanding of what security does from a risk management perspective, but it’s not quite properly aligned with enterprise risk management in hospitals and let alone clinical safety and clinical risk management.

[00:05:26] So because that interplay is not [00:05:30] there in a meaningful way, and it’s starting to happen in some cases that causes some friction from a “what is the role of the security program for this health system?” To answer that question, you need to have that cohesive cohesion there, that communication there. And that’s probably, I would say the two areas in the industry side that’s causing a lot of angst from, for what we have to do as security practitioners.

[00:05:55] That’s one The other piece on the security side is [00:06:00] data hygiene is a problem. You probably have talked- I have heard your other podcasts- you’ve talked about analytics and the role of data governance and data hygiene. If you’ve gone through an Epic implementation, for example, you know what it takes to go through the templating process for, role-based access for a physician, trying to figure out who does what, and at what times in the day, So the ability for, us to have a good enough information to feed the security [00:06:30] system and the security architecture for it to produce on the other side, useful data is a sustaining problem on the security side that we’re grappling with getting better.

[00:06:40] But that still exists across the board, across the US and the last piece I would say on the security side is on the incident response side of things. Security operations in healthcare is very spotty. You have the large health systems and the top end of the chain that do this very well. They have appropriately mature, [00:07:00] processes, technologies, people that do that.

[00:07:02] But for the majority of them, this is shared FTs that are doing security operations. In addition to their day jobs as a systems engineer, backup engineer, application analysts, and stuff like that. So that causes some angst and how that interplays with emergency management and Camilia operations.

[00:07:21] Bill Russell: [00:07:21] All right. So you’re going to help me to fix that. Just in the short answer there, I’m having flashbacks that I’m starting to sweat, [00:07:30] as, we have this conversation, security is always one of those, one of those areas that was we, all recognize, but one of the most important things that the CIO does is secure the environment.

[00:07:43] And they, have the ability to bring in technology, hire the right team, put the right operations in place and those kinds of things. But but to say it’s hard is, an understatement. So I want to lean into [00:08:00] some of the, things that you’re talking about. So you talked about the architecture.

[00:08:06] And how the proliferation of, tools is it and not integrated into the larger strategy. There’s, a thousand point solutions in security. How do we bring them all together? How do you make a cohesive strategy where your, CISO, your CTO, your CIO, and your data person, they’re all in sync?

[00:08:30] [00:08:30] Sumit Sehgal: [00:08:30] Sure. It boils down to, I think what I was saying from the alignment of risk management and threat modeling. Very similar to what the CIO’s and CTO’s for example, do today with business continuity and cognitive operations to figure out, Hey, I’m spending $400 million for an HR implementation.

[00:08:47] I’m spending X amount of dollars for the infrastructure to support it. One of the things that they do that security, oftentimes doesn’t, is looking at the operational impact of what that is. So for example, to [00:09:00] stand up an EHR, you will bring in hoards of teams have help desks set up, have liaisons, have champions that are responsible to make sure that the solution gets adopted the way it needs to be done. That doesn’t happen in the security land in the security land. It’s always okay, we’re going to look at what we have. We have an idea of what the security solution does. The noise in the market can help the competition from a price perspective, but the, [00:09:30] value proposition has to be what does, the security solution do for me as the health system, in the timeframe that I’m looking to do it in, and for the reasons I’m trying to do it for those are the critical questions that need to be answered.

[00:09:43] That can help you isolate what you said of the tools pro conversation, right? For example, take we have a category of, to call software web gateways. They look at outbound traffic to the internet, great solutions work. They work with firewalls. [00:10:00] They help exfiltrate data. They help prevent exfiltration data. They help malware stuff like that. Blah, blah, blah. 

[00:10:07] The key interesting point is when to ask questions of, okay. When you’re planning a technology like that is information from that solution, going into some other place from an analytical perspective that helps you tie together what Bill Russell’s behavior on the web has to do with his behavior on an endpoint, in the environment, his behavior on that [00:10:30] endpoint, when he takes it home, his behavior in the cloud, when he accesses SharePoint online or exchange online.

[00:10:37] And the last piece of it. From a perspective of, selfishly in IT, can it help me improve Bill’s experience? If the solution ends up blocking his workflow case in point, it’s a pain for you as Bill to have been doing your work and all of a sudden be blocked, and then you have to call and sit on the help desk for three, four [00:11:00] minutes, and then to be triaged to the right analyst versus the tool, having the capability to automatically integrate with the service management system.

[00:11:08] And then do an automated workflow to hopefully treat our 70% of the calls that come in. That’s an example analysis that I have to help customers through when me and have conversations to say, Hey, it’s not just about eDR or endpoint detection, endpoint protection, web gateway network, whatever insert, name of fancy [00:11:30] security technology here.

[00:11:31] It’s about what it means for it running in your health system. And sometimes it can come down to the practice level, can come down to the specialty level that we’re looking at. So I would say understanding that and doing proper threat modeling can help you identify. What tools to use and then talk to your partner community.

[00:11:55] The vendors that we have done a lot of innovation in the last three years to [00:12:00] get the tools talking to each other. Having healthcare often says standards based approach, it’s trying to do data sharing. That’s great. How does it apply at scale? If I take an action on one machine. Can I replicate that across 30,000 of my machines in a matter of minutes.

[00:12:21] That’s those are some of the questions, for example, operational questions that can help alleviate how the solutions are picked and chosen for the [00:12:30] appropriate workflow. And everything that goes along with it. Things like machine learning, AI and stuff like that. Yeah. So 

[00:12:38] Bill Russell: [00:12:38] Yeah. What does a good threat modeling exercise look like or, activities around threat modeling? What does that look like? 

[00:12:46] Sumit Sehgal: [00:12:46] Sure. So threat modeling is very similar to the conversation that happens when you go through a business impact analysis for cognitive operations. The goal becomes is, Hey, we have a solution. That we’re trying to implement for [00:13:00] this reason, for our business for, this clinical workflow, for this specialty, it has these pieces, X amount of pieces.

[00:13:07] So the threat modeling exercise goes through and figures out based on how the solution is built, where does it sit? How is it scaled? How is it accessed? What are the data flows in and out of that application? To figure out how badly can that solution be effected in terms of a security incident.

[00:13:26] And then on the flip side of that, once you understand that you can [00:13:30] actually then use the output of that exercise to color your risk management decision to say, great, this solution has API APIs that are not really very well built. So I may have an exposure on the. I may have an exposure on the data, collaboration, data sharing side.

[00:13:48] What does that mean for me? Do I have funding, for example, coming in Alma on the reliance of that system, being able to share data we see that for clinical [00:14:00] research use case applications as well. So that’s what threat model looks like. It’s looking at, who has incentive to go after what’s in the application.

[00:14:08] Or the means to get into the application to cause not only data theft, but also either impact integrity of applications. So the ability to change data or the availability, which for health systems prime predominantly in that triad, the confidentiality, integrity, availability piece of it, sometimes availability and integrity [00:14:30] trumps the confidentiality piece. So that’s what threat modeling helps achieve. 

[00:14:34] Bill Russell: [00:14:34] That’s interesting. It’s, the more I talk about security, everybody keeps talking about behavior. Now we’re going to identify the behavior. What’s your behavior on that end point, what’s your behavior on the wire and those kinds of things. What does that look like? Is that, back in the day, that would be signatures and that would be us defining, what those activities should be. They’re only able to [00:15:00] access these systems. They’re only able to traverse these V lands, they’re only able to do those things. And we used to have to literally manually program and Hey, this is what they’re able to do. And it built little walls around it. So people could only stay within those walls. But this whole behavior thing is really a different paradigm. You’re watching me determining what I do on an ongoing basis creating a profile based on what I [00:15:30] do and then saying, okay, that is normal behavior flag anything outside of that is that am I, getting close to what behavior looks like, the mapping behavior looks like? 

[00:15:40] Sumit Sehgal: [00:15:40] You are. And the, only thing. So one of the things that happened is in the last probably five years or so, the con the vendor community has used the words, ML and AI to death, right?

[00:15:51] It’s, everywhere. So the good part of leveraging those algorithms is the approach that you’re talking about of manually understanding what that would [00:16:00] look like has been replaced by algorithms that are, that now stitch together, those. Not only builds behavior on the end point, they’re stitching together, builds behavior as a user of the environment together.

[00:16:16] One of the things I say is Bill’s behavior at home is different than Bill’s behavior in the enterprise and build behavior on the enterprise is different than Bill’s behavior on his cell phone, going to the cloud. So. [00:16:30] that’s where, when we talk about behavior profiling, that’s what we’re talking about, is trying to make sense of security. People like to use the word context. Trying to build context around when something breaks, like an incident occurs, whether it’s malware data exfiltration, or a sophisticated attack. We’re trying to figure out what is the context in terms of that incident tied to a particular user’s profile? That’s really the [00:17:00] Holy grail answer that we need to answer to a security practitioners to, to, to a CIO or to a CTO, to CEO, to leadership to say, Hey, how badly are we screwed? That’s the answer we’re trying to get to. 

[00:17:14] Bill Russell: [00:17:14] You never liked it. When that question comes up in a meeting, it’s Hey, how badly are we? Are, we host here? Are we, just, it’s yeah, we’re pretty hosed. 

[00:17:22] Sumit Sehgal: [00:17:22] Correct. And the question that I’ll, and I laugh about this because it’s in an endearing way of. that answer could be different for a [00:17:30] health system. That’s in the middle of a city competing with 19 other health systems for research and stuff like that. Then a regional health system that only has, that has no other competitor, for example, in a 30 mile radius. So that’s where I think organizational appetite for what the security solution needs to do and security program does is very important. To figure out what solutions you pick and how you decide to deploy them. 

[00:17:57] Bill Russell: [00:17:57] What things does the, I [00:18:00] don’t so this behavior mapping isn’t the Holy grail, or what kind of things does it protect against? And then what kind of things may it not protect against that? We need some other tools around it. 

[00:18:10] Sumit Sehgal: [00:18:10] Sure. So behavioral mapping, all it does. It’s not, really protecting itself in a way what I do is doing it. It’s essentially prioritizing what you need to focus on from a response strategy. So this is one thing that McAfee for example, does very well. And I’ve seen that kind of iterate through the last four years that I’ve been here [00:18:30] is for example, if I have a cloud security solution, that’s looking at all the stuff that’s going on within my one drive environment.

[00:18:38] Okay. You could have thousands of people sharing data everywhere from teams to share point it’s going literally every direction you can possibly imagine as a security practitioner. What I look at that console, I may have thousands of alerts that happen in a matter of 15 minutes, the ability for a solution to essentially behaviorally fingerprint you to say, Hey, [00:19:00] bill.

[00:19:01] Does these 10 things when he comes in from this application, normally during the work week and he shares normally between five and 10 gigs of data, that’s the normal workflow today. Bill shared 400 gigs of data. So that automatically gets elevated to a security analyst he’ll for response, processes to start to happen.

[00:19:27] And when that happens at scale across the board, [00:19:30] it allows the security team work with the infrastructure team to have a very quick cohesive strategy of how to respond. And that’s one of the reasons why, but I talked to customers for example, in the five years. That I’ve done this. We’ve gone from response times that it used to be in the days now for the most part to be in the six to eight to 15 minute Mark, 20 minute Mark. So that’s also, what does behavior do? That’s the answer to your question is it helps [00:20:00] respond to incidents very quickly and hopefully help to contain them. In a way that the recovery activity can start. 

[00:20:09] Bill Russell: [00:20:09] What’s McAfee doing around alert fatigue? Just, I, had a system where regenerating, I don’t know, 30,000 alerts a day and the team, I asked them once how many alerts can you get to? And they’re like, I don’t know, a couple hundred a day. All right. So, what’s happening [00:20:30] to the rest of them. It’s they just fall on the ground and we see if they’re still there tomorrow. I’m like, wow. So, there’s this need, first of all, how do we, deal with all those what’s back to doing in that area? And then there’s also the need for seven by 24, which has always challenged as well. 

[00:20:44]Sumit Sehgal: [00:20:44] So, that that timing actually makes it the, cloud world makes it that timing worse, right? Because we have the issue of what I would call security solutions produce correct information that’s absolutely useless. From an operations [00:21:00] perspective. So one of the things that McAfee has done and selfishly for healthcare for me, this is really good, is identify the process of, Hey, we’re not only looking at how we share what I would call usage data. So this is looking at policies configuration stuff on one side and reporting on the other side. So this is more of the, how do I manage a system workflow. 

[00:21:25] Also focused on making sure that we leverage the right type of [00:21:30] algorithms and the innovations that we’ve done in the whole next generational machine learning AI space to say, Hey, can I team together with the human that’s running me as a solution to be able to help identify based on peer examples, peer as in peer group, examples, what should happen? Not prescriptively. But predictively. 

[00:21:54] So take a ransomware attack for example. The phenomenally [00:22:00] disruptive. And there’s a certain sense of chaos that happens when it first kicks in the ability for a solution to, for example, go up and say, Hey, you have this going on. Based on this campaign, that’s happening on the dark web you’re affected in your environment in this way. These are 10 machines that need to be updated. These are nine that needs to be quarantined. And these are the. Technical security indicators, things like IOC and stuff that you can share with other stuff in your [00:22:30] environment that’s running. That means that’s the first part. So it’s the concept of it takes a village to respond to a security incident, or a problem is the ability for us to share data by directionally.

[00:22:40] So that’s, what’s happening. Number one, number two is we’re taking what the analysts do from a workflow perspective and automating that. I don’t know if you’ve heard the word. XDR is called extended detection and response. 

[00:22:55] Bill Russell: [00:22:55] No. Give us a little background on it. 

[00:22:59] Sumit Sehgal: [00:22:59] XDR is a new [00:23:00] industry term. It’s taking example what we’ve done in the end point space to say, Hey, we’re going to try our best to protect stuff. At the end point, we know we’re not going to be successful. So we’re going to then build things that help us to detect and respond very quickly from a forensics perspective and recovery perspective.

[00:23:18] But now we’re going to take that whole concept that we’ve done on the endpoint space and extend that to the network, extend that to the cloud, extend that so we [00:23:30] can have the same kind of methodology and information sharing that’s happening across tools that makes me respond very quickly. So to your point, when you had your folks that said, I have 300 alerts coming an hour and I come home and look at the top 10.

[00:23:45] Alot of the triaged work, which 10 I should look at for the day is now automatically done by the system to be able to bubble up, Hey, your system generated a thousand alerts. These are the 300 that I went through the thousand [00:24:00] to say automatically, that you need that are important. And then within that 300, these 10, you should really look at because based on these 10.

[00:24:10] You are a host or something that happened or something is going to happen given what I’m seeing happen here. 

[00:24:18] Bill Russell: [00:24:18] So that’s interesting. So we’re actually doing it. I know there’s so much buzz word going on in the industry. That’s hard. But we are doing a lot of machine learning and AI [00:24:30] to process huge amounts of information in order to create a level of automation so that we can actually be responsive.

[00:24:38] Sumit Sehgal: [00:24:38] Absolutely. And I go one step further because one of the things that I said, it takes a villages for health care folks to understand that Hey vendors are not necessarily out to just to get the sale done or the money to get your money for the solution. There’s a tremendous amount of expertise that the vendor community has that you can leverage to help you improve how your [00:25:00] security tools functions across the board. Doesn’t only mean what they sell to you. So case in point becomes, Hey, we have, for example, a team that does threat research and vulnerability analysis. There’s no cost, for example, for a customer to call us and say, Hey, can I talk to those folks to see, I want to see what’s happening in the biotech life sciences space or the healthcare space this month from a dark web perspective, I just like to see what’s going on and we’ll share that information with you.

[00:25:27] Same thing goes along the lines of [00:25:30] working with industry. So I think between the healthcare vendor space the security vendor space, the community groups, which is. The HII Sachs of the world. And I don’t know if you’ve heard this so health and human services has a four or five D task force for security that is doing phenomenal work to essentially take the threat security side of things and communicate that in healthcare language for smaller scale and medium scale [00:26:00] hospitals then there’s the consultant.

[00:26:04] Area of the world and then the peer groups. So I think between those areas, there’s so much tribal knowledge that exists that can help you improve not only what tools you’re picking to do the solution, but actually how to tie them together because that’s, what’s probably the most important piece. 

[00:26:21] Bill Russell: [00:26:21] All right. There’s three things I want to hit on before we get to the end of this show. And one is M and A. I want to know, want to talk to you [00:26:30] about bringing two systems together. I want to talk about medical device security. And I also want to talk about the recent, threats, vulnerabilities, attacks I think is probably the best way to say it.

[00:26:42] So we’ve let’s start with the attacks. We’ve had ransomware, and now we have the solar winds I don’t know what to call it. Events going on. What is McAfee doing around those specific? If you can focus in on, first of [00:27:00] all, give us a little background on, on both the ransomware and the solar winds for the community, just so they can understand what’s going on. And then what are some of the things that the industry and magazine is doing around those? 

[00:27:13] Sumit Sehgal: [00:27:13] Sure. So from a threat profile perspective, like I said, when we talked before the threat profiles for health systems, Hasn’t really changed with, for example, what can come in what’s changed is the way they can come in and how quickly can they come in?

[00:27:27] So ransomware and other malware [00:27:30] samples and techniques like that are prevalent. They’re coming in through email, they’re coming in through cloud. What McAfee’s doing is figuring out that we have 25 years of information that allow us to figure out. From an algorithmic perspective, how do we build an automation that says we have this ridiculous dataset for.

[00:27:57] Traditional compute and non traditional compute. [00:28:00] And by that normal computers. We have telemetry from the cloud and we have telemetry from cell phones, from cable modems and teeth, spark teas and stuff like that to say, Hey, in the computing world of the internet, How does adversarial attacks take place based on type of device based some type of data.

[00:28:18] That’s one area of research that we do to help us improve the efficacy of solutions. The other side is like what I told you in the sense of we understand that we’re not going to be the end, all be all for everybody [00:28:30] for security. So, we’ve taken a lot of time and effort to build in standardized what I would call Standardized approaches to share data.

[00:28:42] There’s a word that’s lumped around in the industry called messaging fabrics. It’s a way for us to share information bi-directionally in our systems for threat information. So for example, if you have a web application firewall that does the job really well, we’ll probably work with that. And then we can [00:29:00] give them Netflix specific information and learn from them and give them.

[00:29:04] That threat data. So the applications can learn from each other and help the customer that’s running it have a better security outcomes. So a lot of our focus has been on creating that technology and creating that innovation that happens not only at the endpoint other endpoint network, like the traditional data center environment, but also so in the clouds we looking at a lot of our focus has been right now.

[00:29:30] [00:29:30] How do you protect information when it’s going cloud to cloud? Like when you share it from one drive to Gmail or when you’re using teams or zoom and with, this whole remote work aspect of things, and like I said, the complexity of architecture, our focus has been making sure people have the ability to go up and down the stack from the traditional security side.

[00:29:53] Up the application stack to say, Hey, I can secure my databases. I have visibility into securing web [00:30:00] web services for data sharing. And also if you have a development arm, how do you securely develop applications? And then use the concept? They’ve probably heard called DevSecOps on that side. So that’s where McAfee has been focusing a lot. Over the last, I would say five years. 

[00:30:18] Bill Russell: [00:30:18] Interesting. So you’ve been in the industry a long time. Have you gone through any M&A activity? 

[00:30:23] Sumit Sehgal: [00:30:23] Yes. Yes. I’ve gone through it as, a employee and I’ve gone through it as [00:30:30] working in McAfee, helping other customers do it. When I was at Washington DC working for one of the for-profit health systems there, we used to go through them and activities when they used to absorb either new practices or new behavioral health centers and stuff like that as well.

[00:30:45] Bill Russell: [00:30:45] Yeah. So, talk to me about that process a little bit. This has always fascinated me because.I still remember two health systems coming together and, the one house essentially, everybody’s like, all right, get us communicating immediately. You can get an email [00:31:00] going back and forth pretty easily, but then all of a sudden you’re saying things like, Hey let’s, get active directory connected, let’s get this.

[00:31:07] And, there’s, there’s, the level of which the business is saying, Hey, let’s bring these things together. Then there’s the it data understanding of how we’re going to bring this data and our business processes together. And then there’s the security understanding, which is they start zero trust is based on zero trust. It’s based on don’t [00:31:30] trust anything. But you’re bringing these two organizations together and everyone talking about how great we’re going to be together and trust each other. And all the first thing a security person says is, yeah, don’t connect to that network until we verify. But what is best practice? What does it look like to bring two organizations together? 

[00:31:48] Sumit Sehgal: [00:31:48] One of the correct. So, I would say it’s three, three fundamental steps that happen. The first is the understanding that even though we want M any activity to be cookie cutter and most, some of [00:32:00] them are, I would say yeah.

[00:32:03] Efficient health systems that do this, try to get to that point. Security cannot be cookie cutter, partly because the risk frameworks that are coming in are different for the health system. So for the 20 that are coming in, you’re going to have a different risk profile. Given the, what I would call the it maturity for one, secondly, it will have a different risk methodology for the security architecture that’s deployed.

[00:32:29] And the [00:32:30] third part, if they’ve done that work. From an operational maturity perspective, because one thing is it’s a lot of times you’ll see for compliance marks, they’ll say we have this capability that we have this solution that takes care of the security for us. But when you look behind the scenes as part of the acquisition and the merger process it’s yeah, they have it, but they haven’t touched the solution in two years or they have touched it, but they’ve the solutions been running in.

[00:32:58] Only in a, is [00:33:00] running an inform only, but not taking any action mode. So from that perspective, there’s a evaluation that needs to happen from an enterprise risk perspective versus third party risk. In the sense of where is the data flow happening in that incoming organization that can change the, threat analysis that you’ve done for yours.

[00:33:21] And how does that align? And then the third, angle of that piece is process maturity. Now you can argue [00:33:30] that, do we have any frameworks? People will mouth out nest and high trust and stuff like that can help frameworks have a place. Frameworks allow you to have essentially a train of thought exercise.

[00:33:44] So you don’t end up with scope creep and you’re clear on the directions of what needs to happen in sequence. What it will not absolve you off is. The question that you just put is speed versus quality, right? When I’m to happens, they happen [00:34:00] for a reason of that needs to be done in nine months in 12 months, 18 months, 24 months, whatever the timeframe is.

[00:34:06] So from a security perspective the, clinical, the enterprise risk group takes the front step here informed by the information security team to say, Hey, This is our footprint. This is the footprint of the organization that’s coming in. This is how our threat profile changes [00:34:30] by absorbing what they do in a bad way.

[00:34:34] This is how, or it could be the other way to say, Hey, these are problems we’re trying to solve. They’ve already done it. This is how we can do it better by taking the way they’re doing it. As long as it doesn’t hurt my overall kind of plan of what I want to do. So that is the process that needs to happen.

[00:34:52] Unfortunately, what occurs is a lot of times it becomes a political fight of who has the money to control the budget. [00:35:00] And. Who wins the battle from an it governance perspective, not necessarily information security, risk governance perspective. So that’s where I would see the the folks that are going through this exercise can be better.

[00:35:14] And, and this is where it takes that, Hey, You as a customer of the consulting outfits and the vendors that are helping you through this is you can push to them and push them in helping you figure out that, Hey, it’s not about us versus you. [00:35:30] It’s. It’s not about the process of ingesting. My problem is I have to run this with a finite set of resources.

[00:35:38] And I need to be able to do it in 18 months and that, and the stuff that I said to you that we need to take care of the third-party risk, threat modeling, stuff like that. That can be used as a catalyst in addition to the frameworks. 

[00:35:49] Bill Russell: [00:35:49] Yeah. We could, stay on that topic probably for awhile, but I there’s so many other things I want to talk. I do want to hit on medical device security with you. What’s [00:36:00] McAfee doing? I assume we’ve progressed since, we were V landing things off, and just hoping that the FDA would allow us to upgrade the windows XP, underlying architecture. How have we moved forward? What’s McAfee doing in that area.

[00:36:16] Sumit Sehgal: [00:36:16] Have we moved forward as a loaded question? The segregation still happens a lot of the time. I’ll give you two answers. One is on the industry side and what McAfee is doing, right? So, from the industry side, it’s pretty interesting. [00:36:30] The flow of the conversation was for integrated clinical devices.

[00:36:34] And in my opinion, the conversation needs to have a broader set for not only just IOMT, which is internet or medical things, but also your IOT in general. And the reason I say that is. Most health systems are going down the path of either reinventing what their campus looks like or going through capital projects for acquiring new buildings.

[00:36:56] So as they figure out what the new clinical space would look [00:37:00] like, they’re doing things like spark buildings, they’re doing things like smart energy, efficient management, green initiatives, and stuff like that. All those things are part of your IoMT strategy to say, Hey, these are all things that touch my patient.

[00:37:14] It doesn’t bother me. If I go down the path of securing a integrated infusion pump, when somebody can turn off my water in my building in 10 minutes and I’m on bypass in 30 minutes. So, from an industry perspective, there’s a lot of back and forth that’s going [00:37:30] on the, what should I focus on?

[00:37:33] The solution sets that exist from a security perspective, and McAfee’s looking at this as well, is. Currently as it stands, we have an OEM division that we work. For example, with Siemens, with Phillips healthcare, with Stryker, with Hill-Rom Xerox machines, like stuff like that. We have a large OEM division that allows us to put security technologies at the point of manufacturer before they delivered to you as a health system customer.

[00:37:59] So that [00:38:00] helps you with the what’s going on in my mine, in my environment and give you certain based of a certain level of Compliance specific reporting and security specific stuff like application white listing and a control. So this is for like point of sale devices and stuff like that you may have in your cafeteria.

[00:38:20] Some of the secret technologies that we partner with in the medical device area or the IOT device area, those are, I would say in three categories. So they’re [00:38:30] mostly all startups that have been around for between two to 10 years at this point.

[00:38:35] These companies do everything from resource management. So looking at where a specific IOT type devices and where they’re going in classification, and they work with us integration wise with regard to sharing threat data. Some of the more clinical facing devices or hospital or healthcare facing devices will integrate with specific HRS like Cerner or Epic from a [00:39:00] order set delivery perspective.

[00:39:02] That happens to say, Hey, I know where this device is. I know when it was turned on, so I can have an idea of When it is used, but I don’t know what the quality of the use is. The fact that it turned out five times important for you or not. But if I can quantify how much money that made you will, then that can help guide some of the conversations.

[00:39:24] So a lot of these devices are. Understanding and helping you [00:39:30] fingerprint what your threat profile would look like by having these, it does not help you with the staffing conversation or the noise conversation that we talked about, where all these do is a lot of times it’s introduced 4,000 alerts extra that somebody has to triage. Then at that point. 

[00:39:47] Bill Russell: [00:39:47] Yeah. I want to, close with two things. You’ve worked at an academic medical center, one of the things that I’ve, I would recognize as a challenge for an AMC [00:40:00] is protecting intellectual property. Is there, some, something special about that or is it essentially just a classification, a data classification that says, this is medical information, this is intellectual property and sort of tag that. You track it’s exhiltration from the network. 

[00:40:21] Sumit Sehgal: [00:40:21] It’s different from the point of, because when you’re doing normal security practices or program for a health system, the focus is to make sure you’re [00:40:30] protecting the process of care delivery at its core. That’s what that is. So whatever it means, whether looking at the physician has the appropriate information at the time they needed to make the clinical decision.

[00:40:41] Do I have the capability to be able to build for my services and maintain my brand. That’s really the focus on the traditional health care operation side. When you switch from that to innovation side of it, where you’re doing electro property, the focus starts to shift on, instead of protecting the [00:41:00] workflow of that care delivery process, I’m now protecting the information that I’m innovating and creating.

[00:41:06] So the focus goes from integrity and availability to more confidentiality, because now you’re worried about things like insider threat. You’re worried about fraud. You’re worried about the ability. If you have a development arm, like a skunkworks development shop, that’s doing coding. How has that coding done?

[00:41:28] Is it done on the cloud or in [00:41:30] traditional methods? Like what kind of secure software development life cycle are they using? So this is where things like the, secure development operations sector of ops come into place where traditional health systems have less of that because they’re using off the shelf solution.

[00:41:44] So they don’t have to worry about that piece of it. Some of that is contractually handled. So those are the things where. For academic medical centers that are now going down the path from a revenue perspective to say, Hey, I’m going to do this innovation thing. And I’m going to invest in companies that [00:42:00] helped me sell this product for a security person.

[00:42:03] That’s leading the security strategy. It becomes a very interesting conversation because your staffing is not changing. The skill set required to do DevSecOps in the cloud is very different than running a traditional SecOps environment, security, operations environment in your health system. So, it’s not fully different, still security, but how you use the tooling, how the reporting is handle how to respond to incidents. It’s done differently.

[00:42:30] [00:42:30] Bill Russell: [00:42:30] Just, I, know we’ve done some polling of our users. And some of our users are going to say DevSecOps. That sounds really cool. Is that from a Tom Clancy novel? What are we talking about here? So what are we talking about when we say dev sec ops? 

[00:42:47] Sumit Sehgal: [00:42:47] Sure. So sec ops is security operations, right? Dev sec ops is a word that’s done for securing development operations, essentially. So it’s what it is it’s [00:43:00] looking at the software development life cycle. Of how we build things from a cloud application perspective or a native application, native traditional application, and then trying to introduce security earlier on in the process.

[00:43:14] So this is done at the architecture design phase rather than after the testing phase. And the goal is there’s another word you’ll hear in this is called shifting left. It’s we’re trying to introduce our. We’re trying to sh introduce security earlier on in [00:43:30] the process. So really shifting the ability for us to catch something that’s going to happen from a security perspective earlier in the software development life cycle.

[00:43:40] So that way we can prevent things like database attacks, we can prevent things of what we call Security hygiene or security, best practices from a coding perspective. How do you, if you’re expecting me to give you numbers, if I give you alphabets, how do you deal with that in your [00:44:00] application?

[00:44:01] Because that’s what the attackers do. They give me your application input. So it misbehaves, and then it misbehaves. They leverage that to be, to get in. And then insert themselves in whatever payload they’re trying to do. That’s the fundamentals behind the tax situation. So that’s what the DevSecOps is to be able to take security embedded in the security life cycle earlier. So we have better telemetry, better understandings. When we do the response, it is way [00:44:30] quicker and way cheaper or magnitude cheaper to have to deal with that. 

[00:44:34] Bill Russell: [00:44:34] So is what’s next in security? You’ve given us so many things. To think about, but is there something next? Is there something next that McAfee’s, we can expect from McAfee?

[00:44:45] Sumit Sehgal: [00:44:45] Sure. I think you can, eh, so you can expect more innovation that’s coming on the concept of the, that of cloud security from a containerization perspective we’re all getting into the space of when health systems are [00:45:00] doing telemedicine and remote health, remote monitoring. They’re all using SAS applications.

[00:45:04] That’s built on containers in the cloud. So securing containers is a different aspect of how you do cloud security. You can expect innovations coming there. We have a lot of innovation that’s going on. That’s looking at how do you make the triage process of security operations, more efficient. So that’s on the analyst side of things of, Hey, when you have security analysts deal using the central different [00:45:30] security applications to say, this is where I need to take this action.

[00:45:33] How do you help that process get better? And the last piece is we’re focused on providing our customers the ability to say, Hey, we have tremendous amount of threat intelligence. So you as a customer of ours can leverage that to say at any point in real time to say, If there’s operations happening, the sunburst and this, solar winds thing that’s going on right now is a prime example of that.

[00:45:59] COVID is another [00:46:00] example where if we have COVID based attacks that are happening on the internet right now, What is your prevalence in the sense of that question of how badly am I screwed? It answers that question. 

[00:46:12] Bill Russell: [00:46:12] By the way. I love the airplanes behind you. And I really do. I just it’s, it makes it look like you, you work for Boeing or you’re a, or you’re an architect or an engineer. What’s the story behind the airplanes? 

[00:46:30] [00:46:29] Sumit Sehgal: [00:46:29] Aviation is my passion. I grew up a family of pilots. So it’s, unfortunately, when I was getting into college, the market was opposite. So I went into technology, but still week I do still a lot of like same. I try to get my hours in as, as much as I can for my license on the side. But these are mostly, I love the seven 47. That’s what my dad used to fly. At this point, they’re only left flying freight. So it’s one of the things where I, think the person [00:47:00] that did these posters that did a phenomenal job and it just reminds me to make sure that outside of security keep, trying to aim for this guys. I like that part. 

[00:47:11] Bill Russell: [00:47:11] I’m still amazed when I get, the first 747 I saw I was, I couldn’t believe he got off the ground. And I think the largest plane I was on was an air France. And it essentially has two full levels, two full, a top level and a bottom it, [00:47:30] and, just I, got on the plane, I looked at my wife and I’m like, there’s no way this thing’s getting off the ground. And probably one of the smoothest flights I’ve ever been on it was, an unbelievable flight. 

[00:47:42] Sumit Sehgal: [00:47:42] Yeah, those are amazing. The fact that like a machine that’s 400 tons can take off and then, and be able to get you in a place that’s halfway across the globe. And then a couple of hours. We’ve come a long way.

[00:47:55]Bill Russell: [00:47:55] I haven’t flown since February of no [00:48:00] February, of 2020. That’s amazing to me. I did consulting for 20 years and traveled so much and I don’t think I’ve gone this long without traveling since since I was in college. It’s crazy. 

[00:48:17] Sumit Sehgal: [00:48:17] I know one year has passed. February, 2020 is when I traveled last too. So it’s been, interesting. I keep telling my wife, I need my my aviation gas fix for hanging out at the airport. [00:48:30] And that’s, I think it similar. Like I draw a lot of parallels when we talk about security with the aviation industry as well. It’s, it’s one of those things we were trying to get to a model we’re trying to help solve problems and own experience. And it’s. I think we’ll get there. I’m fairly optimistic. That will happen. We will have hiccups along the way, but a lot of fun stuff to happen to the future as well. 

[00:48:51] Bill Russell: [00:48:51] Absolutely. Hey, thanks for your time. I really appreciate you coming on the show. 

[00:48:56] Sumit Sehgal: [00:48:56] Thank you. I appreciate it Bill.

[00:48:58]Bill Russell: [00:48:58] What a great discussion. [00:49:00] If you know someone that might benefit from our channel from these kinds of discussions, please forward them a note. They can subscribe on our website thisweekhealth.com or you can go to wherever you listen to podcasts, Apple, Google, Overcast, that’s what I use. Spotify, Stitcher. We’re out there. You can find us. Go ahead, subscribe today or send a note to someone and have them subscribe. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom and Starbridge Advisors. Thanks for [00:49:30] listening. That’s all for now.