August 31, 2021: While moving to an agile-based methodology for core development processes, we must provide a consistent and effective model to protect not only the product of application development, but the process itself. Development of large healthcare systems places an undue burden on ensuring that no additional threats are introduced. As we evolve toward a rapid digital approach to patient experience satisfaction, how can the desire to be innovative be balanced with a secure approach? There are two methodologies, Agile and Waterfall: what is the difference? How is the larger technology industry wrapping its arms around healthcare to support this evolution?
Join our webinar “Coming Through a Ransomware Event – Best Practices and Lessons Learned” on Thursday, October 7th at 11:00 AM eastern time. We are going to take a unique look at the Sky Lakes Medical Center ransomware event with guests:
S3: Near Real-Time Application Security with Sirius and VMware
Transcript – Aug 31, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Thanks for joining us on This Week in Health IT influence. My name is Bill Russell, former healthcare CIO for 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Our topic for today is near real-time application security. Our sponsor for today’s segment is VMware.
[00:00:23] We want to invite you to a special event that we have coming up Thursday, October 7th at 11:00 AM eastern time. We are going to take a unique look at a healthcare ransomware event, an actual event that occurred. We have the CIO for Sky Lakes Medical Center, John Gaede, joining us. That is a health system that was ransomed.
[00:00:42] And we have Lee Milligan, the CIO for Asante. Asante is the EHR host for Sky Lakes. They’re the community connections for Sky Lakes, and they’re going to recount the events and the effects that it had on the interconnected health systems. Some of the things that they did that they believed worked pretty well, and some of the things that they think could have prepared them better for the event.
[00:01:05] We’re also happy to be joined by our guest today, Matt Sickles, who has walked many health systems through the early stages of a cybersecurity event, straight through to the end. And I believe with his insights and the CIOs’ experience, this discussion is going to provide valuable insights into the best practices that are being adopted across the industry and maybe that you could adopt. So we would love to have you join us. And if you want, you can provide us questions ahead of time. It’s in the sign-up form, and we will make sure we address as many of those as we possibly can. So there’s a webinar Thursday, October 7th at 11:00 AM Eastern time; you can sign up on our website thisweekhealth.com/register.
[00:01:46] Our topic for today is near real-time application security. Our sponsor for today’s segment is VMware, and let’s just get to it. Near real-time application security. Frame up what that is for us and what it’s addressing in healthcare.
[00:02:01] Matt Sickles: Sure. So Bill, if we think about it all the time that we have spent with vendors doing third-party rationale checks, making sure that these systems were designed to be on our network and aren’t going to expose us. We do a lot of that work with our vendors to make sure that as you’re putting in technology, it’s not going to impact you.
[00:02:22] Well, when we think about the in-house developed applications, as we’re starting to get to a more patient-focused experience in the clinic, as we are looking at how the payer and provider can start to blend these together, we want to make sure that there is a comfort level. We have to remember that for most of the patients, when they’re seeing this technology for the first time, it’s one of their worst days.
[00:02:44] So on the back end, application security has to be some of the best in all industries. We can’t have an impact. We can’t have downtime. We are now seeing in hospital systems around the country, we have advanced, call it a kiosk. So we’re getting menus ordered. The television is now integrated. You have ordering systems, status, weather, everything.
[00:03:10] So think about all of those developments that have been done to make sure that your patients have the best care and the best experience. We want to make sure that all of the security layers are effective. So when you’re building those custom applications, it’s not just will this cause a breach. It is how are we designing the application to not have any known issues?
[00:03:32] So our change, the paradigm shift for application development, is now that the technologies have come up to speed. We’ve seen this in financial. We’ve seen this in retail and distribution for the last several years, and now it’s creeping into healthcare: real-time application security through your CI/CD pipeline.
[00:03:50] The development and operations teams are now getting a security layer that goes right inside of their development pipeline. It is one of the most critical changes we’ve seen. So application security yields more of a secure, holistic environment.
[00:04:08] Bill Russell: You know, Matt, I’m thinking through this; we just came through the pandemic.
[00:04:11] We moved faster in healthcare, and technology in healthcare, than we ever have as an industry. And it’s really amazing, the things that we were able to accomplish, and a lot of health systems would like to maintain that pace. But how do you balance that pace, the pace of innovation that’s really desired and required, with security? There’s like a tug there: moving fast and staying secure.
[00:04:35] Matt Sickles: I can’t tell you how many conversations I’ve had with clients over the last six months, over the last year, even the last 18 months. As 2020 was really emerging, the pandemic was a game changer. Everybody had to start to adapt.
[00:04:49] I started having conversations now about that frenetic pace, as there was an outcome of customizing applications, building new things; we had to solve for X over the weekend. So individuals were doing something in a skunkworks methodology. They were just building their own system. I believe that one of our biggest impacts is from that downtime of having a regular cadence of going through software development and systems deployment. We’re going to have to go back and validate that now. I have had these conversations with a lot of healthcare systems, and they are concerned that there was a lot fast-tracked and rolled out. So now we’re going to have to catch that up.
[00:05:26] So as we raced, as we were at that pace, we were pushing out new, new, new to adapt, adapt, adapt. Now we have to go back and build programs to validate, validate, validate. So that is one of the biggest paradigm shifts I’ve seen, especially surrounding the pandemic and the development life cycle.
[00:05:45] Bill Russell: I’d like to ask you, are you seeing more agile versus waterfall? But I think probably before we do that, can you frame that up for us: the difference between agile and waterfall, and then what are you seeing more of in healthcare as we move forward?
[00:05:56] Matt Sickles: Yeah. So think about it. Waterfall methodology, from a product development standpoint. As we look at software development, we define the requirements. We give a timeline and we say the scope, we get the deliverable content, and we develop it over months and months and months. We have version one that comes out as an alpha, goes to beta, and then it goes to production.
[00:06:18] That’s more of the waterfall methodology in software development. In the agile methodology, you now have the baseline of code. You have a feature set you want to introduce, and it’s much less structured on the outcome. You have a development life cycle. You have components and capabilities, but waterfall to agile is much more a project methodology versus a product and feature methodology. And what am I seeing in healthcare? A little bit of a blend. Sometimes we joke and say it’s “waggle”: it’s waterfall and agile. And so we have to do the dance like bees do. And I really like the fact that we’re talking about it, but one of the most difficult things to do is to communicate and convince leadership teams around the world right now that it is okay to have a blend: someone to be all into that agile, very quick response of app development, and someone to go back to the stalwart, what was the brick-and-mortar development life cycle. So a blend of those is very good, and we’re seeing a lot of advantage to using capabilities from each.
[00:07:24] Bill Russell: So, near real-time application security. I want to come back to how we can do this. So how can this be accomplished with applications and systems that are incredibly interconnected at this point? In healthcare we’re trying to move data across a lot of different systems. We’re trying to connect experience. We’re trying to build experience. So scheduling systems, backend data systems, operations systems, billing systems; we’re connecting a lot of things. How can we get to this near real-time application security?
[00:07:50] Matt Sickles: Yeah. So it starts with the development team. Those developers need to have education and awareness. As we have OWASP coding standards, they need to be up to date on the latest list of the treacherous items on that element. We have to make sure that not only is that education done once, but it’s done on a repeated basis with updates.
[00:08:12] So as our developers are starred, it also means that the toll gate of security has to change. There’s a lot of security organizations who hold up a stop sign instead of a question mark; we don’t ask why something is being done. It just doesn’t fit within our granular policies that we have today. So what we have to do, and the culture shift that we have to put in, is as follows.
[00:08:36] When a developer is working on their code, as they submit their snippet, as they are responsible for the work that they’re doing, we need to check in near real-time. That means when you submit it into the repository, as it’s being validated, even before it is submitted for compiling. So before we turn it into an application, we need to check it.
[00:08:56] Once we turn it into an application, we need to check and validate. And most importantly, before we deploy the over-arching system, we have to make sure that the education, the expertise, and also the awareness of security problems are put right up front, so that people know the currency of risk as well as what the methodologies are to restrict or remediate.
[00:09:18] Bill Russell: I want to ask you about the healthcare industry and the technology industry as a whole. Within healthcare, we have a lot of different code coming into our environment. We have a lot of partners that are developing code that gets distributed. We have individual practices that we’re connecting to. We have business associates that we’re connected to. There’s a lot of code that gets brought in. How do we achieve the goal of really having secure applications across the entire enterprise with that kind of effort? I mean, that kind of code can be introduced from a lot of different points within the healthcare ecosystem.
[00:09:53] Matt Sickles: So I kind of look at it like product ratings. So when you go and buy a new TV, you take a look at other people’s experience. You find out if they’ve had issues; we get a star rating off of that. We now have code that’s coming in from vendors. We have great partnerships with those vendors. They go through a rigorous process, but you highlighted something: you can take a very secure system.
[00:10:15] Something that in a green field is as secure as possible. The minute you introduce something customized, now you throw that out of balance. So I think that we need to come up with, outside of our vulnerability scoring system, the MITRE framework that already exists. I think that we need to come up with a little bit of that balanced scorecard that healthcare can use to show, when you’re integrating your HR systems, when you’re integrating your electronic health systems, these are the components that need to be validated and trusted. While we do have the HIPAA, HITECH and HITRUST frameworks, we know that those frameworks are going to give us some control definition. In financial, we have Payment Card Industry compliance, but what we have to get to is much more of a healthcare-centric focus to look at all of those data elements and how we are exchanging them. And when you’re getting that code, when are you allowed to go validate that they’re making good choices and have solid process and their background as well?
[00:11:15] Bill Russell: What kind of tools is the larger tech industry bringing to bear?
[00:11:20] Matt Sickles: Yeah. So in integrated developer environments, as the engineers and the developers are working on their code, we’re now starting to see application scanning technologies built into these developer environments. As they’re finishing a code segment, as they are reviewing it on their own, they can do these analyses in real time. They can do the code snippets instead of the entirety of the code. I think that that is a great step forward. And we now need to take that concept of developers and the technology that they use on their desktop, in their repositories, and we need to put a little bit more of a level of validation on that.
[00:12:00] So penetration testing, as we do for a lot of organizations, is a standard in the security practices around the world. We also know that application scanning is a completely different approach that needs to be married together with it from a healthcare perspective so that it can be shared. And then other organizations can show those vulnerability chains, the threat risks, and have them available to all systems.
[00:12:26] Bill Russell: Fantastic. Special thanks to VMware for their partnership in making this content possible. Matt, again, thank you for your time.
[00:12:33] Matt Sickles: Absolutely. Thank you.
[00:12:34] Bill Russell: What a great conversation. We want to thank our sponsors Sirius Healthcare and VMware, who are investing in our mission to develop the next generation of health leaders. Thanks for listening. That’s all for now.