July 12, 2021: Vik Nagjee, Director of Healthcare & Life Sciences for Sirius joins Bill for the news. Microsoft announced that AT&T will move its 5G mobile network to the Microsoft cloud. AT&T’s 5G core will be the first service to move to Azure. Large hospital systems have around 85,000 medical devices connected to their network and a Department of Health and Human Services report shows that they lack consistent cybersecurity plans for these devices. Kaseya is the latest victim of a supply chain ransomware attack. And the GAO recommends that the VA address several critical aspects of its physical infrastructure otherwise it may jeopardize the $16B Cerner EHR rollout.
Newsday – Ransomware Recovery, Azure Meets 5G, and Cybersecurity Vigilance with Vik Nagjee
Episode 423: Transcript – July 12, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: [00:00:00] Welcome to This Week in Health IT. It’s Newsday. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.
[00:00:18] Special thanks to Sirius Healthcare, Health Lyrics and World Wide Technology who are Newsday show sponsors for investing in our mission to develop the next generation of health IT leaders. We set a goal for our show. And one of those [00:00:30] goals for this year is to grow our YouTube followers. We have about 600 plus followers today on our YouTube channel. Why, you might ask? Because not only do we produce this show in video format but we also produce four short video clips from each show that we do. If you subscribe, you’ll be notified when they go live. We produce those clips just for you, the busy health IT professionals. So go ahead and check that out. We also launched Today in Health IT. A weekday daily show that is on [00:01:00] todayinhealthit.com. We look at one story each day and try to keep it to about 10 minutes or less. So it’s really digestible. This is a great way for you to stay current. It’s a great way for your team to stay current. In fact, if I were a CIO today, I would have all my staff listening to Today in Health IT so we could discuss it. You know, agree with the content, disagree with the content, it is still a great way to get the conversation started. So check that out as well. Now onto today’s show.
[00:01:26] It’s news day. And we’re going to talk about a lot of things, some stories that [00:01:30] quite frankly, I’m not sure I understand yet. And so we’ll talk about those. Clearly we’re going to hit on cybersecurity. It’s one of the top topics for health systems today.
[00:01:39] And so we’ll try and take a little different angle with our guest today, Vik Nagjee. Before we get there, I want to make you aware that this Thursday I’m doing a webinar at one o’clock Eastern time and you can sign up for that at thisweekhealth.com/register. It’s on the state of health IT and what we’re doing is we’re just [00:02:00] taking the interviews that we’ve done to date this year and I’m going to package that all up and tell you what I’m hearing from health systems. What I’m hearing from cybersecurity leaders, government leaders around where healthcare is today and where it might be going over the next 12 months. To say we know where it’s going over the next three years might be a little ludicrous because at this point, directionally, we know which direction it’s going, but we’re not sure where it’s going to end up. All right. So if you haven’t yet, [00:02:30] sign up for that. We’ve had a great response. I’m looking forward to it. I’m only gonna talk for about 30 minutes.
[00:02:35] And we have left 20 minutes for a dialogue, for back and forth because that’s the setting I’m most comfortable with. And so Vik Nagjee is in the house. Vik, how are you doing?
[00:02:48] Vik Nagjee: [00:02:48] Doing great Bill. Thanks for having me again.
[00:02:51] Bill Russell: [00:02:51] Vik is with Sirius Healthcare and Vik, I’m, man, there is so much we could talk about, there’s so many interesting [00:03:00] things going on. What kind of things are you working on right now with, with your clients?
[00:03:06] Vik Nagjee: [00:03:06] Okay. Three areas. I think one is no shock to anybody, but around cyber security and ransomware preparedness. But with a little bit of a twist, it’s more focused around the areas of what can we apply from what we’ve learned from organizations that we’ve helped to get out of an active ransomware attack and recover. How can we [00:03:30] accelerate that recovery? So that’s, that’s one area that I’ve been focused on is assuming that it’s going to happen, how do you get out of it a lot quicker than you normally would.
[00:03:39] Bill Russell: [00:03:39] So from a recovery standpoint, what are we normally looking at? Like 30 days at this point is that.
[00:03:45] Vik Nagjee: [00:03:45] 30 to 45 days. I think it’s getting longer as we go further out. The sheer nature of the decimation that occurs is getting worse. So it takes longer to recover because there’s more stuff you have to [00:04:00] recover in, different things you have to do. So,
[00:04:01] Bill Russell: [00:04:01] So, so there are strategies to pull that back and that’s some of the stuff you’re working on with clients.
[00:04:05] Vik Nagjee: [00:04:05] Exactly, exactly. Right. Yeah.
[00:04:08] Bill Russell: [00:04:08] Interesting. Where are we at? Can we get it to like five days, two days, 10 days? Where, where are we at right now in terms of pulling it back? I guess it depends on the investment.
[00:04:17] Vik Nagjee: [00:04:17] It depends on the investment and it depends on the organization. It depends on a few other things, but if I was to venture a range, I would say somewhere between five and 15 days is plausible.
[00:04:29] You [00:04:30] could get a little bit more aggressive but that’s sort of the target that we’re setting and you have to be very clear, right? Like the recovery efforts and the remediation efforts don’t start until the cyber insurance and the outside counsel that are performing the forensics give you your seat back, because as soon as an event occurs, you call them as the first step.
[00:04:56] They come in with their folks, you, you, as [00:05:00] the IT organization, move one seat to the left and you wait to get access back to the system until they’re done. So from when they say done we’re looking at 30 to 45 days. So we’re trying to shorten that substantially.
[00:05:14] Bill Russell: [00:05:14] Man, that’s fascinating. You said there’s some other things you’re working on?
[00:05:17] Vik Nagjee: [00:05:17] So when, when COVID started and it wasn’t in its first round of heydays, this [00:05:30] whole notion around resiliency started becoming important. And it was wrapped and buried under these more generic terms that we’re relatively familiar with around business continuity and disaster recovery. To say like, look, I need to have my systems be available and be running.
[00:05:46] And I need to have some disaster recovery capabilities and business continuity capabilities. So as we looked at this what we figured was that there’s a halfway point between your normal operations and a disaster recovery [00:06:00] where you’re sort of re rebuilding and the halfway point is about really understanding your resiliency or robustness of the environment.
[00:06:06] So we’re, we’re focused on a program where we work with healthcare organizations to understand very high acuity areas like inpatient nursing units full CDs, et cetera. And just understanding the workflows that the clinicians, the caregivers, nurses, providers, et cetera, through there, and then peeling apart, feeling bad, the applications [00:06:30] associated with those.
[00:06:30] And then improving the resilience and robustness of those applications therefore, applications and technologies therefore improving the resilience and robustness of those. So that’s the second piece that we’re focused on.
[00:06:42] Bill Russell: [00:06:42] What’s the third one I’ll give you only like 30 seconds to give me the third one.
[00:06:46] Vik Nagjee: [00:06:46] Cloud
[00:06:48] Bill Russell: [00:06:48] That’s yes. Okay. I got it. Well, hey, I’m gonna ask you a question: where, where are we at with 5G? There’s a story here that you and I are going to pick apart a little bit, which is Microsoft to acquire [00:07:00] AT&T’s network cloud technology and Azure will power AT&T’s 5G network. 5G on the hype cycle, are we looking at it in healthcare or is it still one of those that, hey, it’s out there a little bit?
[00:07:12] Vik Nagjee: [00:07:12] I think it’s out there a lot bit, and it depends on who you ask as to how far out it is. It’s definitely got a lot of potential. Definitely does. There’s no question about it, but but I think just like with everything else, there’s [00:07:30] so much else in the way.
[00:07:32] Before we get there, let alone the readiness of the providers in terms of the infrastructure, et cetera, that’s needed for the antennas and all the other stuff. But there’s just so much before we got there that I think it’s a ways out.
[00:07:46] Bill Russell: [00:07:46] Yeah. And that’s what I was telling people as well, especially as the hype was starting to grow, I’m like, look my gosh, I mean, how, how much work do we have to do before we get coverage in major cities? How much [00:08:00] work do we have to do before we get coverage across our internal networks and whatnot. And then we have competing standards essentially around it and technologies. Which players are gonna win, which ones are.
[00:08:16] Alright, so let’s try to pick this story apart. As I said, Microsoft acquired AT&T’s network cloud technology, and Azure will power AT&T’s 5G network. Just on that title alone. So did [00:08:30] Microsoft acquire all of AT&T’s 5G network, that’s going to now run on Azure? That’s, that’s what the title would lead me to believe.
[00:08:39] So let me give you some of the story. Microsoft today announced that AT&T will move its 5G mobile network to the Microsoft cloud. AT&T’s 5G core, the software at the heart of the 5G network that connects mobile users and IoT devices with internet and other services, will be the first service that will be moved to [00:09:00] Azure. AT&T will further bring its existing and future network workloads to Azure for Operators. So Azure for Operators. Okay. So Microsoft is going to acquire AT&T’s carrier-grade network cloud platform technology, the platform that powers the AT&T 5G core network, and talent.
[00:09:22] So they’re acquiring the core and the talent to further strengthen its 5G cloud technologies. Also Microsoft will acquire AT&T [00:09:30] engineering and lifecycle management software used to develop and deploy a carrier grade cloud that runs containerized or virtualized network services. Microsoft will make this platform available to other network operators through Azure for operators.
[00:09:48] All right. So let’s, let’s stop there. I’m not sure where I’m getting this from, to be honest with you, MSpoweruser.com. Anyway so, so [00:10:00] that’s what they’re saying. It’s it seems like essentially what we’re going to do is we’re going to turn the AT&T 5G backbone into a, as a service that can be provisioned through a cloud provider, such as Azure and then we’re going to have operators. And I assume that that could be hospitals and health systems and whatnot who are going to be able to provision those services through Microsoft AT&T partnership, 5G core network. To be honest with you, [00:10:30] I’m still, and I rarely do this until I really understand the story, but I was reading this and I thought you’re a good person to talk to. Just do you get a picture for what this is going to be?
[00:10:40] Vik Nagjee: [00:10:40] No, but I have, I have an idea because again, literally the first time I heard it, this was when just as I dialed onto this thing, as we were catching up before we hit the record button was the first time I heard of it.
[00:10:54] So I haven’t really even even looked at the article you were talking about, but based on what you read. [00:11:00] Think like it’s the it’s you got to look behind the curtain a little bit, right? I think that it makes sense for Microsoft as a cloud service provider to get into the telco business. Because in order for you to be able to take advantage of Azure capabilities, regardless of where you’re running your stuff, where your data center is in a hybrid mode, et cetera, et cetera, where wherever you are in the country, the first thing you need is connectivity.
[00:11:28] And right [00:11:30] now, there are a few different ways of doing that. And there are long haul providers and carriers, that is one of them, it’s kinda is very, very prevalent in Metro areas. Right. And I think what they’re doing is they’re making a play based on what you just said is I think they’re making a play for their entire carrier business starting with 5G.
[00:11:56] And I think that that’s an interesting play. I didn’t [00:12:00] kind of see that one coming, I guess. And I wasn’t tracking.
[00:12:03] Bill Russell: [00:12:03] I didn’t see it coming either. The last paragraph here says with Azure, operators can provide more flexible and scalable service models, which makes sense if you do it as a service and it’s cloud provisioned. Save infrastructure costs and use AI to automate operations and differentiate customer offerings.
[00:12:19] It’s an interesting collaboration. I like it. I mean, the promise of 5G right is low latency, high speed communication wirelessly. And we’ve heard the [00:12:30] stories and the radiologists that can see the image on their phone multilevel images. And they’re, they’re seeing it as if they’re sitting at their desktop on 5G.
[00:12:41] It’s just not prevalent. It’s just not ubiquitous at this point. You could be on 5G on this street corner and the next street corner you’re back down to 4G.
[00:12:50] Vik Nagjee: [00:12:50] The other thing too is like, it’s all carrier dependent, right? That’s the biggest challenge. It’s like, it’s not a it’s not a 5G for all work across the [00:13:00] various carriers.
[00:13:00] It’s all dependent on what the carrier does. I mean, Verizon, I’m an AT&T customer for example and the area that I live in, there’s, there’s not a chance that it’s going to, and I I’m, I’m in I’m in, I’m in Chicago, like just outside of Chicago. Right. So if I was on Verizon, I would have a better chance based on what, what the reports say from folks who are experiencing 5G.
[00:13:19] So it’s not just location and proximity to towers, right. It’s the carrier you’re with so, yeah, I think there’s a long ways to go before it’s universally accessible like folks.
[00:13:29] Bill Russell: [00:13:29] If I were a CIO [00:13:30] today, I would put this on my need to know more list. I’d contact my Microsoft rep. And you’re going to talk to your Microsoft rep and they’re going to go, I have no idea what this is, my guess. This seems like it’s pretty early on in the process. But that’s what we were getting to earlier. 5G is one of those things you’re keeping an eye on today. You’re watching it. I would commit to just being a fast follower. It’s one of those that you know once a health system goes all in and you really start to see impact and really seek to move forward [00:14:00] and really impacts health care. That’s at the point at which I’m going, all right, I’ll move some more chips in. And I, I really believe in a fast follower strategy for a lot of things. There’s very few things that you want to get out there on the edge and take significant risks.
[00:14:16] And this is one of those. Put it in the sandbox or the toy box, play around with it and have somebody who understands what’s going on. But I don’t think you’re rolling this out in 2021 and maybe not even 2022.
[00:14:29] We’ll get back to our [00:14:30] show in just one moment. Every day you’re using your skills to help end substance use disorders within your community. The Health Resources and Services Administration is here to help you with the new STAR LRP program, which is the Substance Use Disorder Treatment and Recovery Loan Repayment Program.
[00:14:49] Pay off your school loan with up to $250,000 from the STAR LRP in exchange for six years of full-time service at an approved facility. Behavioral health [00:15:00] clinicians, paraprofessionals, clinical support staff, and many others trained in substance use disorder treatment are encouraged to apply.
[00:15:07] Applications are open until Thursday, July 22nd, 2021 at 7:30 PM Eastern time, which is right around the corner. To learn more and apply to join the STAR LRP. You can use the link in our show notes or visit bhw.hrsa.gov to learn more. That’s bhw as in behavioral health [00:15:30] workforce dot HRSA.gov. Now back to our show.
[00:15:35] All right Vik let’s go. I hesitate to do this. We’ve been talking about cybersecurity so much on the show, but there’s a couple of cybersecurity stories here.
[00:15:44] Kaseya ransomware attack. Everything you need to know. I can go in that direction or I can do hospitals lack consistent cybersecurity plan. I think I’m going to start there. It’s a Healthcare Finance story and it’s talking about the fact that large hospital systems [00:16:00] have upwards of about 85,000 medical devices connected to their network.
[00:16:04] Right. And what this is about is the OIG is essentially making a recommendation to CMS. To essentially strengthen their requirements for cybersecurity in the hospitals that utilize CMS, which is just about all of them. And they’re they want to update the guidelines also increase [00:16:30] emergency preparedness.
[00:16:31] There’s, there’s just a whole host of things that OIG is saying. That they want CMS to figure out a way to integrate into their measures of a health system. How big a deal? I mean, I would assume it’s a big deal when you have 85,000 devices on your network. Some of which I know in our case, some of which were still running Windows XP because they were FDA approved devices.
[00:16:59] We couldn’t [00:17:00] update and if we updated them, we’d lose the FDA approval. And so we had to segment those out and do all sorts of neat things with our network. But how big of a problem is this, do you think?
[00:17:11] Vik Nagjee: [00:17:11] It’s a really big problem. And it’s something that. And I know you’ve had Drex on the show several times and Drex and I have talked about this quite a bit over the years.
[00:17:22] I know you’ve had Carl on as well, and Carl and I have also talked about this quite a bit. It’s a big challenge and it’s a [00:17:30] problem and a challenge. And you have to sort of think about like, what is the probability of something occurring and sort of a risk matrix on that basis.
[00:17:39] And the risk matrix in this particular case also includes the impact to patient care, right? Because these are some of these connected devices are literally connected to the delivering medications to the patient. Right. Programmable pumps for example is the most common one that that folks talk about.
[00:18:00] [00:18:00] And so, so it’s a challenge because they’re the risk to the organization and to patient care is significant. It’s a challenge to, because healthcare organizations, networks are not designed to relatively easily embrace. A model, which would be necessary to provide the level of protection that really ought to be.
[00:18:23] And without speaking in tongues, we’re talking about really implementing a zero trust [00:18:30] framework for medical devices and you start from there and that’s super easy to say, Bill, and it’s really hard to do, and it’s really hard to do well in your environment without breaking stuff. And you’ll be told a lot of tales by folks in terms of, oh, if you just pick this platform, it’s going to do everything for you, right?
[00:18:51] Not the case. Like we’ve seen this movie over and over and over again at healthcare organizations where either the CIO or the CSO or the [00:19:00] CTO or the board, or whoever just decides that they want to go in and start getting some visibility into connected devices. And they go down this path and suddenly they’re like, shut it off.
[00:19:10] I don’t want their visibility anymore. Cause now I’ve seen all this stuff that I need to take care of. And operationally, I didn’t have any structures in place to take care of it. Right. I, if I had operational, if I had operationalized understanding what was going on on the network from these devices, I would have dealt with it already, [00:19:30] but I didn’t, I don’t have the operational structure.
[00:19:32] And now you’re showing me all this stuff and I hang out, I go deal with it. Then I don’t know how to do it. So shut it off. So it’s back to head in the sand. And it’s a problem and it’s a multifaceted problem that needs to be solved.
[00:19:46] Bill Russell: [00:19:46] What’s interesting is that area didn’t report to me as the CIO, the biomed, it was facilities and it was outsourced.
[00:19:54] Vik Nagjee: [00:19:54] That one I have not heard of. So I’ve always heard that it goes through facilities and then goes through to the [00:20:00] seal. And what’s interestingly happening, Bill, over the last few years is that there’s more alignment now where clinical engineering is starting to move under the CIO. And has a tighter relationship with IT and cybersecurity.
[00:20:15] And that was the other, the organizational structure challenge that exists when you’re trying to deal with this thing, is that the folks that are responsible for the devices and I’m not, I’m not trying to be insulting to any of them, but what they really care about is that these things are on that network.
[00:20:30] [00:20:29] So they care about them. That’s they care about patient care. These things need to be on the network. They need to be connected. And that’s where they sort of focus their time. They focus their time on life, cycle management, et cetera, et cetera, cybersecurity. And it, and everything else is like not their challenge or their purview or any of those pieces.
[00:20:49] So bringing it into the organization with the CIO and the CSO really helps this conversation.
[00:20:55] Bill Russell: [00:20:55] Let’s get to the bottom of why this is difficult. I mean, because when you [00:21:00] think about it, it’s a device. We can identify that device on the network, but these devices move around. Right? So that’s the first thing.
[00:21:07] These devices, in some cases, they move around and you have to take that into account. They’re not going to be plugging into the same network port over and over again. Some of them are wireless and whatnot. So you have to, you have to take into account that they’re moving, but let’s assume if they were static, you have to know what the operating system is on it. You have to know essentially, I’m walking through the things I [00:21:30] remember that hopefully you can add to some of this stuff. You have to know what operating systems are on it. You have to know. Most of these are FDA approved devices.
[00:21:37] You have to know what you can and cannot do to them. That most of them are communicating information out in a lot of cases, that information. I think it’s safe to say in a lot of cases, that information is flowing to the EHR. In which case what we used to do on the network is just define that that information type or that packet [00:22:00] type or whatever, we used to be able to create layers.
[00:22:03] So that essentially, even if that thing was infected it, the information could get through, but it could not inspect the rest of your network, but that’s only limited it’s limited. Response really? Because it could be putting out misinformation if it’s infected. So there there’s, this is a are, are there other ways that we’ve done this? Cause it is really [00:22:30] complex.
[00:22:31] Vik Nagjee: [00:22:31] Yeah. And you mentioned some of the, some of the main points. So I just want to add onto what you said, like not only are they moving around, like now a vast majority of these are wireless. And so DHCP comes into play and there’s no aspect of being able to tie down a MAC address or a particular thing, to a particular IP address anymore, because again, it’s DHCP, just shut it off. Come back on. This is a new IP address that’s been allocated to it. In some cases they need to have, they may [00:23:00] or may not need to have their own wireless network segment, because there are still some third-party solutions that require you deploy their own wireless routers, and you cannot use your own wireless access points to put it on the network.
[00:23:16] So you still have to create, you have to create these weird routing rules to go from there. Subnets into your sub-net through a firewall, et cetera, et cetera. So that’s one piece that you mentioned. I think the biggest challenge is being [00:23:30] able to authoritatively identify the device and categorize it.
[00:23:37] That’s the challenge like that. And so there are some companies that have done really well with that. Really, really, really well with that, with a high degree of fidelity. And so that’s the first thing you really gotta know. The second thing that you run into is simply because there’s so many different sources of records and sources of truths for onboarding these equipment, this type [00:24:00] of equipment, in order to be able to do something with this sort of stuff, you need to be able to know again, from a central location, from one source of truth.
[00:24:10] What is this thing? Where does it live? Where is it right now? What is it doing? And then the third piece that you mentioned about isolating and in a particular device, if it’s infected that’s I think a little bit harder than it might seem because north, south [00:24:30] isolation, in terms of saying, I can only talk from this system to this other system is relatively easy.
[00:24:36] East-west is from this system to another system of its own kind that’s running in the same sub-net is a lot harder. And for that, you really need to go down micro-segmentation and you need to have better controls in your network. And now you start going down this whole rabbit hole of, oh my God, I have to rearchitect my network.
[00:24:54] You don’t, but that’s what it seems like. So then it’s like, oh my God, this is like a [00:25:00] lot of work, let’s just work on other stuff and come back to this one. When it’s a problem, there’s so much friction and inertia on the basis of it. When you look at it on the surface and somebody throws out zero trust and you go Google zero trust and find Forrester’s papers and Gartner’s and whoever else’s, you get overwhelmed. I get overwhelmed, right.
[00:25:21] Bill Russell: [00:25:21] But it is a fair amount of work, isn’t it?
[00:25:23] Vik Nagjee: [00:25:23] It is. There’s no doubt about it but the key is you don’t have to do it all at one shot and you don’t have to do it all [00:25:30] to be secure or more secure than you are right now. The idea is like, where do you start?
[00:25:34] How do you scope it? What’s the first series of things you do. And nine times out of 10 in the medical device service screen thing, what we found is that it’s more the organizational culture and people process pieces that need to first get ironed out before you even start talking about any of the technical stuff. Once you do that, everything else starts to fall into place really quick.
[00:25:55] Bill Russell: [00:25:55] It’s interesting. Good is the enemy of our yeah. Good is the enemy of the [00:26:00] best is one of the phrases but best is the enemy of good and good enough as well. It goes both ways. And one of the things I used to always say to my team, because invariably, there’s someone in your security department, in your consulting ranks, in your leadership team.
[00:26:16] That’s like, look we need to be a hundred percent. This is where we need to be today. And I will, I will admit that man with what’s going on today, I would be spending, as a CIO I’d be spending much more time on [00:26:30] cybersecurity than I did when I was in the chair. And I think today it’s warranted that I think a portion of almost every day in a CEO’s life today should be around cybersecurity.
[00:26:43] But with that being said I think that concept of better is one of the most important concepts. And I would look at teams often and say, look, I, every day I want to get better at cybersecurity. And if you multiply that times 365 days, we’re going to be a [00:27:00] lot better by the end of the year. And if we do that over two and three years, we’re going to be a more secure environment and we do underestimate what we can do over three years.
[00:27:11] And we we overestimate what we can do in a couple of weeks with a couple million dollars, I think. And this is one of those cases where it’s figure it out, get started on the journey and just get better every day on it. I mean, that’s, that’s my 2 cents on it. Does that make sense?
[00:27:28] Vik Nagjee: [00:27:28] Absolutely [00:27:30] 100%. That’s that’s the way to do it. Incremental improvements. Move the needle just enough in the correct direction, not the right or left, but in the correct direction. And, and you just keep, you just keep moving, moving forward.
[00:27:45] Bill Russell: [00:27:45] All right. So the other one was the Kaseya ransomware attack, and this really went after via the other VSA software, which targeted multiple MSP service providers that are out there. These, these big things. It was also [00:28:00] a way of delivering patches and other things to organizations. They came out with a handful of things that you should do. There’s a tool to determine whether you’ve been infected and they recommend multifactor authentication and some other things with this.
[00:28:17] I’m curious in your rounds, and I’ll be honest we had not finished when I left in 20 .. gosh, how long has it been? 2016? We had [00:28:30] not finished our multi-factor authentication rollout because of just pushback from the clinicians on some things. So we were working through some things we had not finished. Is that still the case? Is multifactor authentication pretty much pervasive in healthcare now?
[00:28:47] Vik Nagjee: [00:28:47] It’s not. But before I sort of elaborate on that, I don’t, I don’t understand why they’re suggesting MFA to help protect against the supply chain attack because it, [00:29:00] the way I understand it, it wouldn’t, the supply chain attack.
[00:29:03] Bill Russell: [00:29:03] Are you questioning the FBI? Is that what you’re questioning? This is what the FBI is telling us to do. They’re right, aren’t they?
[00:29:12] Vik Nagjee: [00:29:12] They’re absolutely right. I would put more weight behind what CISA says, but but I think that they’re just providing that as a general best practice to do that has no relation to the supply chain attack itself because the supply chain attack itself fundamentally [00:29:30] exposes our intertwined nature. And again, Drex and I both have the saying is like, everything is connected to everything, right? And this is, this is a fundamental example of how a supply chain attack that impacts a service provider could impact you as a healthcare organization, because you have so many business to business third-party relationships.
[00:29:56] No matter what you do, Bill, [00:30:00] there’s always going to be a way that ransomware could impact you. And the two main vectors that we’ve seen through all of the organizations that we’ve worked with to try to help them get out of the, recover from ransomware. One is phishing. Get into a non privileged user and get their credentials because that’s the easiest, fastest way into an organization.
[00:30:25] And it’s also the easiest, fastest way to exfiltrate data because in healthcare, every [00:30:30] user has access to file shares. And once you start walking those file shares, you start to get all of us, very interesting PHI and PII information that you can exfil and you don’t need to be an admin for that. Right. So that’s one piece.
[00:30:42] The second one was pseudo supply chain. Any of the third-party vendors that provide you services that have these dedicated BPMs into your environment. If you go into you’ll impact their end points, well then Bob’s your uncle, right? So that’s what we’ve been [00:31:00] seeing and over and over again. And so, so these vectors are like, again, it doesn’t mean your perimeter could be really shored up and secure, but, but they have ways to get in.
[00:31:12] Bill Russell: [00:31:12] All right. So this, this is just to be clear. This is a CISA-FBI release. They say, use this tool to determine if you have it. Use MFA. Their third thing was implement allow listing to limit communication with remote monitoring and management capabilities to known IP address pairs, which makes sense [00:31:30] to me.
[00:31:30] All right. So you’re only communicating with a trusted pair. Place administrative interfaces of RMM (remote monitoring and management) behind any virtual private network or a firewall on a dedicated administrative network. Okay. All, I mean, all those things really make sense to me. One of the things I want to come back to, and actually be honest.
[00:31:49] So this is just, you mentioned that again here, which is you can’t, you can’t mitigate the risk of ransomware a hundred percent. All right. So [00:32:00] my understanding of ransomware, I, by the way, I don’t disagree with you on that. But one of the things I’ve been saying, yeah too many people are saying it’s not if, but when and so I agree, you’re going to get attacked and they’re gonna, they’re gonna infiltrate your network.
[00:32:15] I agree with both of those things but I want to talk about the recovery, which is what you were talking about earlier, because I think that’s one of the key components. I don’t think every ransomware attack has to be experienced the way that [00:32:30] Scripps has experienced theirs or the way that Sky Lakes experienced theirs.
[00:32:35] Or even I mean, even outside of our industry, some of those other organizations have experienced either by paying the ransomware or whatever. I mean, just some of the basic things, which is we went away from air gapping our backups, and one of the reasons we went away from air gapping our backups is because it’s labor intensive and [00:33:00] expensive and cumbersome.
[00:33:02] And back in the day, we used to have tapes and we’d send them over to Iron Mountain and they’d bring them back when we needed them and all that kind of stuff. And we went away from that as soon as we could, because first of all, the, the amount of data we’re trying to back up now is far greater. And it was growing exponentially while I was there.
[00:33:20] And it was if you just multiply that is it, tapes were just not even really an option. What are the options for [00:33:30] air gapping our backups at this point, so that if we go down, we can recover?
[00:33:36] Vik Nagjee: [00:33:36] Yeah. So that’s, that’s definitely one area that we focus on with healthcare organizations. So every single vendor. And our prize grade vendor in the data protection space, which is a fancy term for backup and recovery, right, provides some measure of air gapping configuration capabilities. But I think it goes a little bit beyond air gapping Bill, [00:34:00] as we’ve learned more from these attacks.
[00:34:02] So air gapping gives you the ability to really sequester a copy of your backups to a completely separate network in the event that something bad happens to your main network. Then at least you have a recent copy over here, off to the side that you can, you can restore from right now. Now, some of the challenges there are B the synchronization of data [00:34:30] between your production systems and your data protection system has a couple of components. One is the, the actual data that gets backed up. And then there’s the metadata that tells the system where the data is. And so what these attackers have done is that they’ve gotten very clever. And instead of touching your backups, now they’re just going into obliterating the metadata, which means that your backups are still there.
[00:34:53] They’re not encrypted, but you don’t know how to get to them. So the question really is for the vendor that you’re using, even if you’re air gapping, you [00:35:00] have a Quester separate now. How is the platform that you’re using synchronizing the metadata between the stuff that’s on the outside to the stuff that’s in, on the inside, in your air gap.
[00:35:12] So that’s one question to ask. The second question to ask is given that the dwell time for these attackers is on the order of 45 days which means that they, they get in and for 45 days, they’re in doing things like exfiltrating data, [00:35:30] they’re moving around, trying to understand your environment.
[00:35:32] They’re trying to harvest administrative credentials. They’re doing that stuff this entire time. So if you take 45 days as a number, is it worthwhile for you potentially to restore something from yesterday? If the stuff that was backed up yesterday and air gap yesterday actually has the handle. It’s still in it.
[00:35:56] Right. Right. So to the calculus has changed, the calculus is [00:36:00] no longer, you got to segment your network and have an air gap. Yes, you do. You still need to have a Sacra saying way to get your data, but you have to have a lot more intelligence in place to understand is something going on in my environment, that’s impacting my data, which then I can take action on so that I don’t have to go back 45 days.
[00:36:23] Define, you know it and then, and then the restoration time is another piece. It’s like, if you start [00:36:30] right, if you start now, it’s going to take you a week, maybe two weeks, especially if it’s off site, especially if it’s in the cloud, like you’re talking about moving a significant amount of data back. Fine.
[00:36:42] You’ll get it back. But it’s going to take your time. Right. And again, the meantime resolution we’re trying to shrink, so yes, it is possible to integrate. Yes, there are other things that you need to take into consideration.
[00:36:52] Bill Russell: [00:36:52] Yeah, so we always had two main things we’re looking at, recovery time objectives. How long did it take you to recover and then [00:37:00] recovery point objectives. So how much data are you willing to lose if you, if you restore from 45 days ago, your recovery point objective is 45 days. Imagine how much data you would lose if you have to restore from 45 days. Yeah. So this is, this is why ransomware is top of mind right now. I’m going to hit two more stories and hit them real quick. This one is more of an information and public service announcement than anything. Amazon Alexa was hit with a healthcare privacy [00:37:30] lawsuit coming out of the state of Washington. And essentially what they’re saying is, Hey, its always on nature, listening nature essentially violates privacy and violates some of the HIPAA restrictions around the data and those kinds of things. And so that is going to work its way through the courts. And probably should. I know of some businesses that their model is based on Amazon Alexa, and I know that a [00:38:00] bunch of hospitals have rolled those out as really patient convenience kinds of things.
[00:38:05] And so the more prevalent those devices come, the more. We have to consider the ways those technologies work and how they capture data and how they store and share data. So that’s, that’s just an interesting one. I don’t know if you have any comments on that, but just, I wanted to throw that out.
[00:38:31] [00:38:30] Vik Nagjee: [00:38:31] I don’t, other than somebody is always listening so
[00:38:35] Bill Russell: [00:38:35] Somebody is always listening. But we hope they’re not listening in, on private conversations in the at the bedside. So that’s, that’s what the lawsuit’s about. We’ll see. We’ll have to follow that one and see where it goes. The last one is GAO and GAO’s oversight of the VA implementation of their EHR project.
[00:38:54] Can you think of a harder EHR project to roll out than one [00:39:00] that is overseen by multiple parts of the government and also hashed out as a political topic, but you know, topics on the House floor. And then it’s also reported out in the newspaper every day. I can’t think of a harder EHR implementation to do than this one. And plus it’s the VA as well. I mean, so it’s, it’s people that we want to take care of. I know you’ve spent a part of the EHR roll-outs. When I think [00:39:30] about it and think of all the things that happened, that if they had seen the light of day, people would have been crazy.
[00:39:37] But the reality is they weren’t that big a deal, but you just needed to understand the context and you needed to understand the resolutions were right around the corner. They weren’t immediate, but they were right around the corner. And so it wasn’t a big deal, but if that stuff had hit the newspapers.
[00:39:52] People would have gone crazy. And that seems to be how this one’s being played out to be honest with you.
[00:39:59] Vik Nagjee: [00:39:59] Yeah. I [00:40:00] think I was, for better or worse, I was at two organizations at the time when several conversations were ongoing with and at the VA. So I was at InterSystems and their systems. So VA, the VistA EHR that the VA created is on InterSystems technology and then subsequently at Epic, when Epic was making a proposal for the VA, right. We all know that the VA went with Cerner. But the, [00:40:30] and then I actually have friends that are at so these are ex-InterSystems friends who have joined or started up their own consultancy firms, that worked with the VA and advised them in terms of helping them sort of involved the VistA application and helping them with the adoption of the new apps, et cetera. And I, it’s a mess, man. It’s, it’s very hard. It’s a very hard problem to solve. And I think that adding in those layers of bureaucracy and oversight is [00:41:00] causing so much more of a, of a problem. And it really like at, at, at some point, if you just, if everybody else got out of the way and just let the clinicians and the people providing care. And sort of have their say in figuring this out, we’d be done and in so much better shape. And yeah, I it’s, it’s, it’s hard. It’s hard to see.
[00:41:21] Bill Russell: [00:41:21] Yeah. All right. Last question. Are you going to HIMSS?
[00:41:25] Vik Nagjee: [00:41:25] I am not.
[00:41:26] Bill Russell: [00:41:26] Is that a company travel policy thing or is that [00:41:30] a conscious decision? There’s just too much work going on.
[00:41:34] Vik Nagjee: [00:41:34] Yeah, no, it’s not a company policy thing. I’m going to have a lot of I’m going to miss a lot of my colleagues there and I’m going to miss seeing folks like you and a whole bunch of other folks. It’s a personal decision this year. More than anything else.
[00:41:46] Bill Russell: [00:41:46] Yeah well, if you were just out of curiosity, if you were going to HIMSS outside of seeing everybody, which will be fantastic. And if you want take a Vik Nagjee doll with me or something around just to remind people. And [00:42:00] actually you look great by the way. I like the beard. Everything was you didn’t put on the COVID 15, like I did. So I’m currently dieting to get ready to go back into the season where I’m going to be seeing people again. What would you be looking for as you’re going back? How would you prepare for HIMSS?
[00:42:17] Vik Nagjee: [00:42:17] For me, it’s always about reconnecting and just, just it’s all about relationships, right? Just meeting folks and understanding what they’re doing, what they’re focused on. Outside of that, that one area that I would be [00:42:30] very, very curious about understanding better is what all is going on around data.
[00:42:36] And very specifically around machine learning AI in healthcare, both for clinical decision support, but as well historical data from a research perspective. ’Cause there’s a lot going on there. So that’s, that’s just something that’d be, I would be super curious to study.
[00:42:50] Bill Russell: [00:42:50] We will miss you and it’s always great to catch up. Thanks. Thanks again for coming on the show. Appreciate it.
[00:42:55] Vik Nagjee: [00:42:55] Thanks for having me.
[00:42:56] Bill Russell: [00:42:56] What a great discussion. If you know someone that might benefit from our [00:43:00] channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It’s conference level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We’re out there. They can find us. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our [00:43:30] channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. Thanks for listening. That’s all for now.