Our homework for this week: build out a board presentation to get cybersecurity funding. Michael Hamilton, founder of CI Security, helps me build the presentation to the board. Hope you enjoy.
Bill Russell: 00:05 Welcome to This Week in Health IT Influence, where we discuss the influence of technology on health with the people who are making it happen. My name is Bill Russell, not the original recovering healthcare CIO, but one of the recovering healthcare CIOs and the creator of This Week in Health IT, a set of podcasts and videos dedicated to developing the next generation of health IT leaders. This podcast is sponsored by Health Lyrics. Professional athletes have coaches for every aspect of their life to improve performance, yet many CIOs and health executives choose to go it alone. Technology has taken center stage for healthcare. Get a coach in your corner; visit healthlyrics.com to schedule your free consultation. Two new free services on our website to make the listeners aware of: This Week Health Insights is for individuals looking to propel your health IT career forward, two emails a week designed to give you insights that set you apart. And the second is This Week Health Staff Meeting, which is for teams; this is for managers looking to introduce your team to new thinking from industry leaders and get the conversation for your staff meeting started on the right foot. All right, so today we’re joined by Michael Hamilton, one of the founders of CI Security. Good morning, Mike, and welcome to the show.
Michael Hamilton: 01:13 Hey Bill, thanks. Happy to be here. Thanks for the opportunity to talk.
Bill Russell: 01:17 Yeah, I’m looking forward to it. We had a brief conversation before we hit record, and I think it’s going to be exciting. So some of our listeners may not be familiar with your background. You’re one of the founders of CI Security. Maybe the best way to go about this is to say, what in your experience made you found a cybersecurity company?
Michael Hamilton: 01:38 Yeah. Well, thanks. That’s a great question. And honestly it’s not just a company, it’s a company with a real mission focus. You know, I spent about the last 10 years working in government as a policy advisor to Governor Inslee here in Washington state through the office of the CIO. I was the chief of information security for the city of Seattle for almost eight years. I’ve been the vice chair of the Homeland Security Government Coordinating Council for state, local, tribal and territorial infrastructure protection. But before that, my information security career goes about 30 years back. I spent a goodly amount of time as a consultant and eventually was the managing consultant for VeriSign Global Security Consulting. And when I made the transition from working nearly exclusively in the private sector with Fortune corporations and then went over to have a look and become the CSO of the city of Seattle,
Michael Hamilton: 02:38 when I looked around and I saw the criticality of things that are supported by your local government in particular, water purification, waste treatment, public health services, traffic management, all these things are held up by IT. And it became very clear, two things. Number one, this infrastructure, if disrupted, doesn’t amount to a news story or a letter from a credit card company; it’s something you need to live that doesn’t work anymore. You know, I do a lot of public speaking and I talk about the difference between getting another letter from a credit card company saying we’re gonna monitor your credit for free for the 29th time versus my toilet wouldn’t flush for three days or I called the hospital call center and it didn’t work. There is a real difference in the impact to our lives because of the scale of those two things. And so the company exists really to serve what we call critical infrastructure at the local scale. And really it’s primarily the health sector, because if there’s one thing you don’t want to see get knocked over, it’s your local hospital. They’re on the ropes anyway and man, they need help. So we’re here to help them.
Bill Russell: 03:50 That’s amazing. I mean, one of the reasons I changed my intro and said not the original recovering healthcare CIO is because Drex DeFord works pretty closely with you guys. And he is the original recovering healthcare CIO. He’s still recovering. So, you know, today’s topic is going to be cybersecurity. I love that intro, cause you know, a lot of times we talk about the incident in terms of PR and getting out in front of the message and a breach of medical records. And none of those are really at the heart of running the hospital per se. But there’s still a lot of incidents we need to worry about that would actually shut down the hospital, I would think.
Michael Hamilton: 04:37 Yeah. Well, increasingly, you know, there’s a lot of weird things going on. There are nation states that are disguising their operations as organized crime, some with the intent to steal. North Korea is known to be ripping off banks to fund their weapons of mass destruction program. And you’re not really sure who you’re dealing with and what their capabilities are anymore. You know, we’ve reached a point where the organized crime business, and it’s a business, has sought out the low hanging fruit, and unfortunately that’s a lot of poorly protected hospitals. In addition to the annoyance of organized crime and the potential impact to patient care there, there are things going on like the Chinese government has just come out and said, you know, we are really interested in cancer research data.
Michael Hamilton: 05:32 And sure enough, the campaigns have started to infiltrate research organizations to steal intellectual property, e.g., cancer research data. So there’s a variety of actors here. I think the ones that we hear about in the news really are around the dreaded records breach. Everybody thinks that’s the worst thing that can happen. It is not, and frankly, the conversation, and you hit on this a little bit, the conversation to have with executives, boards of directors, et cetera, is not about scary Russian cyber buffer overflow, SQL injection. It’s good to ground yourself in the outcomes you want to avoid and manage the risk around those. And there’s a language and there’s math around this, and if you have the right kind of conversation, you move that needle a little better.
Bill Russell: 06:25 So we’re gonna, yeah, so as sort of our roles for this conversation, you’re going to be the CSO, I’m gonna be the CIO. We’re going to be essentially going to a board and we’re going to be doing a presentation to help them understand it. And we’re also going to be asking for money. And so we’re going to identify some of the things we would ask for, but just to level set, I mean, we had just a couple of stories just this week: 32 million patient records have been breached in the first half of 2019. 32 million, and 88% of those are caused by hacking. The HIPAA fines for 2018 alone are close to 30 million for hospitals. You know, these can be breaches of providers, business associates, which is a little harder; you know, the hospital is one, but now you have to worry about the systems of the people you’re connected to.
Bill Russell: 07:15 And then the payers, you know, the Anthem 2015 breach was massive. Whenever you see a chart, you see this massive spike and you’re like, what happened there? And it was Anthem and their breach. And I think what it shows is that no one’s really immune, and incidents appear to continue to be increasing. So we’re going to be going in front of the board. How do we get them up to speed on cybersecurity? You would think that everyone is up to speed, but there’s so much confusion.
Michael Hamilton: 07:44 Yeah, well, you know, my first tip is don’t talk about cybersecurity. Talk about these things, these outcomes that we want to avoid, which would impact the mission of the covered entity, which is patient care. So, I mean, you can fairly put these outcomes into three buckets, and I’d even reduce it to two, but let’s use three because we pulled out records disclosure as this particularly nasty thing that we focus on. So bucket number one is unauthorized disclosure of protected records, right? That’s the records breach, and this happens all the time, every day; you brought it up yourself. This is bad. It has a cost associated with it. We know what that cost is. The Ponemon Institute has done lots of research into this, and we know that the cost of cleaning up after unauthorized disclosure of records, given fines from the Office for Civil Rights, potential brand damage, compliance with the state’s data breach reporting statute, for hospitals
Michael Hamilton: 08:54 this ends up being somewhere in the neighborhood of $400 a record. So, I mean, just simple math. If we’re talking about the potential risk from a records disclosure and we have a million records in a database that meet the definition of personally identifiable information, protected health information, what have you, there is a potential liability of $400 million there. That’s how we start this conversation. We start talking about the amount of liability that is around these pots of gold. So number one is unauthorized disclosure of protected records. Number two, theft and extortion. You know, we call it ransomware. We use dumb names in the cyber business, starting with the word cyber. And theft and extortion, we see empirically about how much this is worth, right? Ransomware, that’s extortion on a hospital; a business email compromise, just fool somebody into sending money away, and we can kind of know what the magnitude of that is.
Michael Hamilton: 09:51 So we start to put dollar signs around these outcomes rather than talking about, you know, hacking in. And I would actually take some issue with that word hacking, cause it’s really unspecific as to what that was. There’s a difference between I fooled you into giving me your password and I walked into your network versus I packaged some exploit and figured out how to get somebody to bite on something really exotic that will fly under the radar. Those things are different, but you can call them both hacking. So a little specificity there. I read the same article you did and I thought that was remarkably unspecific, but moving on: records disclosure, theft and extortion. And that third one is just disruption of critical services, and disruption for the sake of disruption is also a growing trend. And so when we’re talking about things like the Internet of Things and medical devices that are vulnerable, the fact is that if you attach a camera to the Internet and you haven’t done even the basics of changing the default credentials, it’ll be taken over in 90 seconds and weaponized for other purposes.
Michael Hamilton: 10:55 So, you know, if that impacts your continuity of operations and your operation is patient care, that’s probably the worst outcome right there. The records disclosure is going to be kind of an interesting historical memory if the ability for a hospital is intentionally disrupted and there is no ransom to pay, there is no way to get it back and it’s just rebuild. So that’s how I would start the conversation. I would talk about these exposures, the dollar signs that are associated with them, and then talk about the two terms in risk: lowering the likelihood of those outcomes and lowering the impact of those outcomes if and when they occur. Because these are fairly foreseeable events, to your point, in today’s world.
Bill Russell: 11:43 Well, so that leads me in two directions. One is part of me wants to have us put on black hats and say, how are we getting in? Because that’s going to be one of the questions they ask us. It’s like, hey, how are people going to get in? But the other thing is when you have conversations like that with the board, they immediately go to risk. Oh, I know how to mitigate risk. Let’s get insurance. And then when this happens, we lean on that cyber liability policy. And, you know, first of all, you’re not going to get a fine for 400 million, because the federal government’s job is not to put you out of business unless you’re grossly negligent. And for the most part, they need you providing care in the communities that you’re serving. So those fines end up coming down pretty significantly. They could have easily put Anthem out of business. Yeah, absolutely. Just do the numbers. And so to a certain extent, we have to educate the board on more than just, hey, there’s a risk, there’s a financial risk. There’s a lot of other risks associated with it. So let’s put on our black hats for a second. Oh wait, let’s be white hat hackers, I guess. How are we getting in? I mean, the easiest is through people, right?
Michael Hamilton: 12:51 Right. Absolutely. Fooling somebody is a time honored tradition. And if I can get you to give me your password so that I can just march into your network, maybe implant some kind of malware, put it on your computer, cause now I have access to it, and start a ransomware event or something like that in order to extort the hospital. But what are we going to... credential theft is rampant right now.
Bill Russell: 13:20 Are we closer to the point where people don’t even know their own password but they can still get into systems?
Michael Hamilton: 13:28 Yeah. We’re getting there. You know, honestly, in fact, some of the controls that we use in order to administer our customer premise equipment, right, the collection device we build on a customer network to hoover up a bunch of security events and send them to analysts: when our analysts have a need to actually make a connection to those, they don’t know the password, and the way we do this is they use one time passwords that are not good anymore. So there are ways to do this. And I think we’re getting to the point, I don’t know if you saw a story today, Amazon is experimenting with completely facial and bio authentication methods rather than anything else. So you walk into one of their stores, you’re already recognized, they have your credit card on file and that’s that. So I think it’s being led by big corporations in the private sector to increase retail business. But these methods are going to be pervasive sometime very soon.
Bill Russell: 14:26 Yeah. Because as long as people know their passwords, they’re going to potentially give them away. So that’s one of the areas. Another area is people just go into certain websites, and that’s another way that this stuff gets transferred,
Michael Hamilton: 14:39 right? It is. But I would make a distinction here, because there is a difference between a targeted attack, an actual attack where somebody did some research and they penetrated your organization on purpose with the intent to steal records or to extort you, versus somebody visited a website today that was bad when yesterday it was okay. That is the background noise of the Internet, and tripping over the background noise of the Internet isn’t personal. It’s not targeted, it wasn’t meant for you. And there is a difference there, but yes, that is actually another way that’s fairly prevalent; it’s called, you know, just a drive by attack. You hit a website. Now there are times when there are websites that are known to be frequented by a certain sector or another. I’ll just pick one out of the air.
Michael Hamilton: 15:33 You know, the Becker’s Hospital site, I know the kind of people that visit that site. And so if I can compromise that site so that the visitors then are compromised with whatever malware I throw at them, I’m pretty sure I’ve gotten people in hospitals. That’s called a watering hole attack. So that’s out there too. But I think it’s good to distinguish, because the motivation of the threat actor is something that we need to keep in mind here when we’re talking about risk. And just let me respond really quickly to the issue of insurance. I live in Seattle. We don’t insure against rain. It just happens all the time. It is a foreseeable event. Could a hurricane happen here? Well, yeah. You know what? It’s not outside the realm of possibility. It could happen. So when you identify risk, there’s four ways to handle it.
Michael Hamilton: 16:26 You can completely avoid the risk. You say, we’re just not going to do that thing that’s risky anymore. You can accept the risk, right? The 1971 Ford Pinto method of risk management: they blow up, we know it, we’ll just pay people off, we don’t want to fix them. You can mitigate that risk through the application of controls, and this is where we ask for money. Or you can transfer it through insurance. Transferring your risk using insurance should be done at the end, after you’ve done those other three things, and that’s residual risk. You’re not going to be able to keep out a nation state; if they want to steal your cancer research, they are going to be able to do that. That’s the hurricane that you should insure for. Soapbox off.
Bill Russell: 17:06 Interesting. So let’s talk about intentions. So a majority of these are still financially related. Is that what I heard you say earlier? It’s organized crime and that kind of stuff.
Michael Hamilton: 17:18 Yeah, for the most part it’s still organized crime, and you know, the value of a health record is pretty clear.
Bill Russell: 17:23 So, and the nature, cause you know, when you’re sitting on the board there, they’ll sit there and go, well, you know, if China wants in, they’re getting in, and they sort of throw up their hands, and you’re like, okay, yes, but we also have to keep out the kid who’s studying at UC Irvine, cause he just learned a new way to do it. And we also have to keep out the threat actors that we know we can keep out. We need to keep them out. So if somebody’s intent is money... So let’s sort of put these things on a scale. We have the kid in his basement who’s just learning how to hack and who thinks it might be interesting. And then we have nation states. Yep. You know, what level can we really protect against and what are we going to just struggle to protect against?
Michael Hamilton: 18:18 Sure. So I’m going to take this back to our expression for risk, right? The likelihood of a bad event multiplied by its impact, and that impact should really be dollar signs there. So you buy down the likelihood of a bad event using preventive controls: firewalls, URL filtering, email security, antivirus, there’s all kinds of stuff. Train your employees, do vulnerability, all of those are designed to make bad things not happen, and they will fail against the determined actor. But as you build up that preventive control strategy, you’re raising that risk bar so that the unsophisticated actor of opportunity is no longer a problem, and then maybe insiders are no longer a problem, and we’ve got pretty good controls there. And then hacktivists, and I don’t think the health sector really has too much of a problem with hacktivists.
Michael Hamilton: 19:12 They used to crawl up my backside all the time when I was sitting in Seattle, but let’s just keep our risk bar going. That organized crime is fairly sophisticated, and it has tools, techniques, and procedures that we can defend against. And then we’re getting up into nation state and terrorist space up there. We can raise that risk bar through the combination of accept, avoid, mitigate through controls and transfer through insurance, and get that bar pretty high. What we then need to accept, admit and embrace is the fact that bad events will happen that start the process of records disclosure, theft and extortion and service disruption. But they can be stopped before any outcomes occur. If a workstation is compromised and you see the signal of this because you are monitoring your network and you know that workstation has never talked to Ukraine before, what’s up?
Michael Hamilton: 20:15 And you go pull the wire on it. It’s a tree falling in the forest. You didn’t lose any records, your money’s not stolen. Nothing. So that’s a focus on the impact term, not the likelihood term. And so the way that you buy down impact is through the application of good monitoring, detection and, frankly, more importantly, an effective and rapid response. Put the little fire out before the house catches fire. And there is no report to OCR. There is no brand damage. There is no fine. There’s none of this. And so focusing on both of those sides of the risk expression is more of a full featured way to go about this. And going back to our original premise here, having that conversation with the people that fund the controls.
Bill Russell: 21:04 So we want to monitor, detect and respond pretty rapidly. Are these tools getting more sophisticated? Cause you know, when I think about it, okay, so they’ve gotten in there, into the EHR, how long is it going to take them to exfiltrate a million records before we’re looking at it? I mean, are the tools sophisticated enough that we’re seeing it pretty quickly and being able to respond and unplug it that way?
Michael Hamilton: 21:31 Yeah. The tools, well, the tools are getting sophisticated. You know, we’re led to believe that if we just keep buying tools, they are becoming more and more magic. And the root cause of that is the lack of people that we have to fill these roles, to be security analysts and security engineers, et cetera, et cetera. They’re in short supply. They’re very expensive. And I can tell you with a good deal of authority, they’re rather flaky. They can change jobs every six months and double their salary. So they will. So, you know, venture capitalists smell blood in the water here. So if you’ve got a three slide PowerPoint deck talking about your magic technology, you can probably get funded. So that’s how we’ve got AI coming out of the woodwork and machine learning and orchestration and automation and all these promises that you don’t need to rely on people anymore.
Michael Hamilton: 22:26 Somewhat paradoxically, when you keep buying these tools, you have to throw more and more people at them to get them to work. And so you have achieved an outcome that is exactly the opposite of the one you intended. However, it is true that the ability to monitor your network for aberrational events is becoming better and better and better. There’s something, let’s call it last decade’s new thing, it was called UEBA, right? User and endpoint behavioral analysis, whereby we build up a baseline of what your average behavior is. And when you do something, you being a computer, it can be a camera, you know, it can be lots of things, when you do something that’s two standard deviations from your mean behavior, an alarm goes off. Still, there better be a person to receive that and investigate it and make sure that it’s not a false positive and you’re not about to pull a trigger like, you know, shut down a subnet inside a hospital that’s got a whole bunch of insulin pumps behind it or something like that. So the people are still critical. The ability to detect has definitely improved. There are statistical methods, frequency based methods, behavioral based methods, signature based methods, reputation methods. There’s all of those. In fact, we use all of those. So you’re pretty good at identifying those events on a network that should be looked at. You still gotta throw some people at this,
Bill Russell: 23:55 you know, we’re going to come back to our presentation to the board and we’re going to see if I actually am learning from this process, this conversation. But at what point should we be considering outsourcing our security practices? Cause I made that mistake. I installed a ton of security controls, software, you name it. And then all of a sudden my team was like, look, each one of these things generates this many alerts, this many alerts that need to be gone through, and signal to noise, false positives. And they were like, you know, we need to quadruple our team. Which was never the goal. So is there a point at which you just look at people and go, look, you don’t have the scale to protect yourself and you’re going to need to look outside?
Michael Hamilton: 24:42 Yeah, absolutely. You know, I mean, with respect to qualified practitioners in cybersecurity, it’s a seller’s market. And so there are a lot, you know, especially rural hospitals, critical care facilities, things like that, that do not have access to that market of qualified practitioners. And some day that will not be the case. You know, we in particular, the company, are working on improving the education system in Washington state by monitoring down-market cities and counties for free and using the data we collect as curriculum in a partnership with a number of universities. But set that aside, we are where we are today. And so it makes a lot of sense, and frankly, we saw this coming some time ago, to have a focal point for qualified individuals that can be allocated as a service. That creates an efficiency that everybody understands fairly well.
Michael Hamilton: 25:42 You know, there’s a difference. And you pointed this out, Bill, you brought up what we call alert fatigue. All of these technologies are yacking at us all the time, and there needs to be some way to boil this down to the high value targets for investigation, and then have the ability to confirm and then initiate response so that you effectively put out the grease fire. Now, is that the case today? It depends on which part of the sector you’re in, right? If you’re Kaiser Permanente, you have access to qualified people. If you are a rural hospital in Idaho, and some of those are our customers, not so much. So one size does not fit all here, but I think the ability to outsource your monitoring, detection and response is really carving out its own space here in terms of the value proposition for the health sector, depending on where in the sector you are.
Bill Russell: 26:39 Right. So, actually one last thing before I go back to our presentation. So I hear people say all the time, you know, there’s two types of organizations: those that have been breached and those that will be breached. I mean, is that still the case? It seems kind of fatalistic.
Michael Hamilton: 26:55 Yes and no. So there’s an interesting term from the legal profession, the standard of foreseeability. And let’s just talk about all those technologies that are screaming at you all the time, look at me, look at me, and someone’s gonna look at me. There have been a number of instances of executives that had to disappear, Target being a notable example, because they had not adequately resourced the evaluation of all the alerting coming off their technologies and therefore didn’t follow it up and therefore had their behinds handed to them. And because in the legal profession, this standard of foreseeability, and I’ll paraphrase this, if you fail to take action to mitigate a foreseeable risk, you are guilty of negligence. Now this is not the kind of thing you pull out in conversation when you’re in the board, but it is something that needs to be part of the conversation. If you want to get an executive’s attention, you don’t say scary Russians and SQL injection, you say gross negligence.
Bill Russell: 28:02 Right. Actually one last thing before I go back to our board presentation, and that is, how should... you know, I just got my Equifax thing this morning. Hey, if you’re a part of this, you’re eligible for protection and a part of a claim, which I’m sure will end up being a $5 check. How should patients, how should end users be thinking about this? Are we just growing numb? We’re just like, look, if they have my Equifax data, they know an awful lot about me already. What should I be thinking?
Michael Hamilton: 28:43 Well, I think it’s a little different for health records, but you know, it’s true that we’ve been desensitized to this event. And I joke around saying there are no records left to steal. When they stole all of the records out of the Office of Personnel Management, they got my SF-86 form and my fingerprints. What else should I worry about? Right? But when you are talking about health records in particular, this is a different thing, because this can be used. This can be sold to, for example, and I’m not gonna insinuate that this is occurring, I’m just gonna say this is a possibility: insurance companies could be buying this data on the black market, and they could be using that to frankly manipulate premium costs and things like that.
Michael Hamilton: 29:34 And potentially denying people claims based on something that they found in a record. So health records have value over and above what their value on the black market is. And you know, you think you might have a case of identity theft, which is another dumb word we use; in my opinion, it’s fraud. But the thing that keeps coming back to me is, we were talking a lot about the confidentiality of records. One thing that’s starting to hit the radar more and more is the integrity of records. Because if I can steal your records, I can change them, and I can make it say, no, you’re not allergic to penicillin in that record. And then you could have a real bad outcome. Okay. So I’m not saying this stuff is going on. I’m saying this is a threat. So when we’re talking about the desensitization of, frankly, the global population about this issue of records disclosure, I think health records are in a different class because of the potential impact there.
Bill Russell: 30:36 All right, so in the last five minutes, let’s put our deck together. I hate that. That we’re going to put a deck together.
Michael Hamilton: 30:42 Yeah.
Bill Russell: 30:43 So here’s, here’s, here’s what we’re going to say to the board. We’re going to say, uh, let me think about this. So we’re going to talk to them in terms of what they, well, first of all, we’re, we’re going to educate them on what our threats and our risks happen to be. It’s like, you know, there, there’s those five levels that we were talking about, in terms of nation states all the way down to the, you know, unintended hacker who wants to get our stuff. I think I want them to understand, hey, you know what, these are the people that are potentially coming in. Here’s the risk to us in terms of, um, you know, of events that we should worry about. We should worry about a breach of patient records. We should worry about a potential health incident where somebody is tapping into our internet of things and, um, you know, changing something, uh, literally a cyber attack that could be considered a, uh, a threat on someone’s life, I guess is a way to do it. And that would be the impact. Yep. Um, so we, we, we have to sort of frame up those potential incidents, uh, that, that could happen within our health system and sort of give them a, a flavor of what they are and then what the impact to the health system, uh, would be. Right.
Michael Hamilton: 32:03 Yep. And, and, and frankly, what the financial impact would be as well. Right? Because when we’re talking about an extortion, you know, patient care is threatened, but so are the finances of the organization. Um, so, you know, relating all this to impact, which is up to loss of life, you know, I think this is the way to have the conversation, and then, you know, let’s, let’s, let’s estimate how much risk we can knock it down by focusing on reducing the likelihood of a bad outcome and reducing the impact of a foreseeable event that could potentially end up one of those bad outcomes. Um, and talking about the amount of funding it will take versus the amount, the dollar level of risk that it will, that we will have a positive impact there.
Bill Russell: 32:52 So we’ve educated them. Then we’re going to talk about mitigation strategies. Then we’re going to talk about the things we’re putting in place, measure, uh, measurement, uh, controls and response mechanisms for how we’re going to address it. And then we’re going to ask for some amount of money, right?
Michael Hamilton: 33:07 Yup. Yup. And, and frankly, uh, Bill, I would, I would also, um, make sure that we focus on the, the very high value actions we can take that will drive more of the problem off a cliff. Okay. So right now, credentials are king. Everybody’s got stolen passwords, or they’ll fool somebody into giving up their password. That’s phishing, right? Um, multifactor authentication makes 98% of that a nonissue, and that is a simple control to put in place. It may irritate some people for a while, you know, but we got to get used to this, right? Especially when we’re talking about doctors, researchers, things like that, right? They have a lot of sway in medical organizations and they may be irritated by that, but this is what we have to do. Um, I would say secondarily, third party security management is really critical because supply chains are being exploited for access to covered entities. And so that’s another place where we need to focus. And finally, yes, we need to improve monitoring, detection and response so that when an event happens, we make it go away as quickly as possible so that we don’t end up with the outcomes that we’re trying to avoid. Does that make sense?
Bill Russell: 34:18 Yeah. And, but what about the downstream partners? What about the business associates that we have? Um, you know, are we extending our, our reach out into those business associates?
Michael Hamilton: 34:29 Well, it’s a requirement that we do so, right. Third party security management is a requirement of a lot of regulatory, um, uh, statements. But, uh, what that usually ends up being is, here’s my questionnaire, fill this out. And so we’ve checked the box. Okay. That doesn’t do it. Um, I really had a very interesting conversation recently, uh, with somebody who is the CISO of a payer, and, uh, this CISO was talking about, um, an idea that I think has a lot of merit, and we’re gonna drill down on this later. When I, when I looked back, um, how about if that covered entity, um, conducted security monitoring for its supply chain, its business associates, its third parties. So then there’s a higher level. Yeah. We’ve got, you know, the checklist and we see what controls they have in place and what the corrective action plan is. But we monitor that network. Um, that doesn’t have to be expensive. That can be put together fairly readily with open source tools. Um, and depending on whether or not this particular payer is to set up a security operation center to evaluate that stuff, um, this is actually kind of a good idea. Yeah. You’re making a great point here, right? Where, where, how, how much of that management do we do? Um, and so maybe, maybe it’s time to start having the conversation about, you know, monitoring your own supply chain.
Bill Russell: 35:55 Yeah. And I filled out some of those forms. I’m sure you’ve seen some of those forms and they’re, yeah. They’re almost comical.
Michael Hamilton: 36:01 I do. Yep. And, you know, whenever you self-assess, you know, you can bet that a lot of those answers are aspirational.
Bill Russell: 36:11 Absolutely. Well, Michael, thanks for coming on the show and thanks for joining us. Really appreciate it. Um, is there anything you’d leave our listeners with or any way to follow you or additional information?
Michael Hamilton: 36:22 Uh, well, uh, yeah, I will. I’ll say this. Um, so our, our site is ci.security, and it, you know, dot com, c i dot security, and there’s a news tag there. And if you sign up for, um, the daily IT security news blast, uh, every morning at 5:15 AM Pacific time, uh, you’ll get, uh, somewhere on the order of 20 curated articles, uh, with the title, the money quotes, and the original link. We don’t do creepy tracking. This is just for everybody’s situational awareness. Uh, this has been going on for about 10 years. Uh, and it goes all over the place. There’s always a section for the health sector. There’s a section for the finance sector, there is government, there’s privacy and surveillance. Um, and then there is, uh, just a jaw dropper. I can’t believe this just happened. So it’s, it’s, it’s a, it’s a good thing. And that way you can, um, um, you know, just stay up to speed on what’s really current, because we scrape the news every day to put this together.
Bill Russell: 37:19 Fantastic. And, uh, you know, I don’t promote any one company per se on the show, but if you like Drax and you like Michael, I’m going to give CI Security a call. So thank you, Bill. Thank you. So, uh, this show is a production of This Week Health IT. For more great content, check out the website at thisweekhealth.com or the YouTube channel, also at thisweekhealth.com, right at the top. It says YouTube. Just go ahead and click on that. Thanks for listening. That’s all for now.