
Continued Threats Require a Major Shift in Healthcare Cybersecurity Risk Perception

Healthcare leaders are realizing that outdated security approaches leave patient care dangerously exposed to evolving threats


By Daniel Litwin

Tags: Cybersecurity Risk Perception, Davy Wittock, Dr. Robin Berthier, Healthcare Cybersecurity

Key takeaways

1. Legacy cybersecurity approaches are no longer sufficient to protect healthcare systems and patient data from modern threats.
2. Healthcare leaders must shift their risk perception, treating cybersecurity as a patient safety issue rather than just an IT concern.
3. Proactive investment in updated security frameworks and continuous threat monitoring is critical for the healthcare sector.

Recent cyberattacks on healthcare institutions have thrust cybersecurity from a back-office concern to the forefront of the healthcare industry's agenda. A significant breach at Change Healthcare disrupted essential services, underlining the vulnerability of healthcare networks to such threats and the dire consequences for patient care. Government and industry responses have stressed the importance of third-party cybersecurity assessments and compliance standards to fortify healthcare infrastructure. With a staggering 63% of known exploited vulnerabilities identified within healthcare networks, including critical medical devices, the sector is under immense pressure to bolster its defenses. This urgency is about more than protecting data; it is about building a proactive defense that ensures continuity of patient care amid the digital transformation.


How can healthcare organizations balance technological advancements with the imperative for robust cybersecurity measures?

Welcome to "Experts Talk," presented by MarketScale, where host Daniel Litwin, the Voice of B2B, convenes with Dr. Robin Berthier, the CEO & Co-Founder of Network Perception, Davy Wittock, the Chief Business Officer at InFlux Technologies, and Mike Isbitski, the Director of Cybersecurity Strategy at Sysdig. This episode dissects the evolving landscape of cybersecurity risk perception in healthcare, probing into the strategic and operational shifts necessitated by recent high-profile cyber breaches.

Key Points of Discussion:

  • The escalating cybersecurity threats facing healthcare networks and the crucial balance between technological innovation and security
  • The role of third-party cybersecurity assessments and the federal push for comprehensive compliance standards
  • Strategies for healthcare organizations to mitigate vulnerabilities and strengthen their cybersecurity posture

Dr. Robin Berthier is a seasoned cybersecurity expert who focuses on network security for critical infrastructures. As co-founder of Network Perception, his work is instrumental in shaping cybersecurity strategies for healthcare organizations.

As Chief Business Officer at InFlux Technologies, Davy Wittock brings a wealth of experience in bridging the gap between technology and business strategy, with a keen focus on innovative cybersecurity solutions.

At the helm of cybersecurity strategy at Sysdig, Mike Isbitski's insights into the complex cybersecurity landscape guide organizations through the maze of digital threats and protective measures.

Video Transcript

Hello, everyone, and welcome to another episode of Experts Talk, MarketScale's premier debate and discussion roundtable where we sit down with the top voices in your industry to break down the biggest news, trends, timely topics, technologies, you name it, that are shaping your industry, and again pulling from the voices of the experts, the thought leaders, the professionals, the researchers, the folks that are making it happen every day, sitting them down at the table and getting their perspectives on what's going on, what needs to change, and how we can knock our heads together to see some of that actionable change in your industry. So again, I'm your host Daniel Litwin, the Voice of B2B. Folks, thanks so much for joining us on another episode. It's a beautiful day here on Tuesday. Look how green and lush it's starting to look behind me in Dallas, Texas. That means spring is upon us, and I'm excited to dig into today's topic because it's not only a timely one, but there's a lot of sort of strategic disagreement on how to move forward. And so we're sitting down with some great voices today who are gonna shed some light on those things. But before we introduce our guests, I wanna make sure that y'all are pointed in the right direction for previous content and future discussions on Experts Talk. Make sure you're headed to marketscale.com. Again, marketscale.com for more information on not only other episodes of Experts Talk, but a deeper look at some of the thought leadership that we host on our publication, and also ways to reach out to us if you yourself would like to be featured as an expert and highlighted and platformed here on our publication, because we're here to empower the voices of B2B. I might say I'm the Voice of B2B, but I'm not the only one. Right? Y'all out there have probably more to say than even I do, and I'm quite the yapper. So make sure you reach out because we'd love to hear your voice here on Experts Talk. Alright, folks.
Let's get into it. So we're gonna be talking healthcare cybersecurity today, in the wake of a major cybersecurity breach that left one of the nation's, excuse me, largest health insurers, UnitedHealth Group, out not only two billion in financial advances for struggling providers, and there's more dollars on that front still stacking up, but then also a reported twenty-two million in ransomware payouts. The conversation around shoring up healthcare cybersecurity strategies at large has gone from urgent to mission critical. Right? It's now something where there's a little more fire under the seat for professionals in the industry to come together and try to figure out what went wrong here and what needs to change. What gaps do we need to fill? Right? Healthcare organizations, from the care providers themselves to the insurance giants, are now tasked with reassessing not only their own cybersecurity strategies, but also the ones of their partners, because this is a massive expanding ecosystem with more networks, more devices, more software providers, and all of them need to have their own standards they adhere to, and sort of adhere to in synergy with each other. Right? So the major question we wanna pose today is: how is this shifting and more acute risk perception now in healthcare, after, you know, twenty-two million in ransomware payouts, how is this impacting some of the relationships between care organizations and some of their third-party software and cybersecurity solution partners? Right? How is this impacting internal standards? How is this impacting industry-wide standards? And, you know, with advanced connected med tech, you know, an increasing number of risk access points to sensitive medical information and mission-critical infrastructure, how's the industry responding to this? Right? What is its answer to shore up its defenses, and is it enough?
And where does this recent ransomware attack refocus some of the healthcare industry's priorities in terms of cybersecurity hygiene, and how they can actually gauge not only their own safety, but the safety, again, of their network and those of their partners, so that everyone is up to snuff? So we, again, try to prevent some of these costly ransomware or other types of breaches. So let's go ahead and let the experts talk here on Experts Talk and welcome our panel of thought leaders and pros in the industry to, again, help us get a feel for the strategic guidance needed to make it through this shifting risk perception landscape in healthcare. So welcome to the three of y'all. It's a real pleasure getting to sit down with you all today and source your... Now let's go down the list and welcome everyone to the show. We're joined first by Dr. Robin Berthier. He's CEO and co-founder of Network Perception. Dr. Robin, great to have you on. How you doing? Oh, looks like I'm doing really well. There we go. Yeah. Thank you so much for having me. Hey. Yep, man. To be here. Absolutely. Thank you so much for joining us. We're also joined by Mr. Davy Wittock. He's Chief Business Officer at InFlux Technologies. Davy, how are you today? Good morning. Good. Good morning. Interesting topic. Yes. It sure is. It's a layered one, and as I'm finding more and more with these, we're probably only gonna scratch the surface, honestly, because we could be going for two hours on this. But I appreciate you taking some time here to educate our audience. And last but not least, we're joined by Mike Isbitski. He's Director of Cybersecurity Strategy at Sysdig. Mike, great to have you on as well. How are you? Yeah. Likewise. Thanks, Daniel. It's really great to be here. I'm very excited for the panel. And, yeah, I'm, like, sweating the time. Like, how much can we get through in forty minutes? Literally. I know. It's a lot. Yeah. I was looking as well.
Well, luckily, y'all, this is just, you know, round one. I'll pocket you because I know that we're gonna have to get the crew back together here down the line to keep breaking this down. But again, let's just go ahead and jump into it and start to put some meat on the bone. The Change Healthcare ransomware attack on February twenty-first is the big one that's informing this panel, not the only thing we're gonna be talking about, but it's definitely a major motivator for why we're sitting down to chat. Right? This was a massive breach. It affected operations and finances across hospitals, physician offices, pharmacies, insurers, and patients. So it was sort of a whole-ecosystem attack here. Right? What do you see as some of the fallout from this massive breach? As professionals in the space, what was the reaction? How are other pros in the space responding to this, reacting to this, and sort of strategizing around this? Let's sort of set the tone now that we're basically a month out from that major breach. What did y'all see happen here? It's not the first time this happens, unfortunately. I mean, we've seen this before. This one, it's a big player in the radiology space, with Change Healthcare. But we've unfortunately seen this before. And the first reaction, of course, with every IT company and department within every organization, is: can this happen to us? And most people will say, no, no, this will not happen to us. We're covered. We got our patches in. We got our security in. But these types of attacks are so minuscule in nature to start off with, and then it just balloons into your system. That's what I've seen, unfortunately. It's a USB stick with images from a patient that can often trigger this type of attack, unfortunately. Absolutely. Like, we've seen this also, where the tricky part is,
in other industries, I'm thinking of the Colonial Pipeline ransomware just three years ago, that completely woke up the oil and gas industry, and the government came back with a strong regulation, the TSA security directives for pipelines. So I think we can expect a much greater sense of urgency in the healthcare industry around no longer adopting these practices on a voluntary basis, but having some requirements being enforced, and seeing that across all sixteen critical sectors that DHS and CISA are monitoring and pushing to improve in terms of cybersecurity. Yeah, I agree. So my first reaction was kind of, great, another ransomware attack, because we see these regularly. Sometimes certain industries might feel they're immune because they're following certain best practices, or think they are. It's exactly what Davy was describing. Right? There's a lot of distributed technology in the environments, and then how are workers working within those environments; things very quickly fall down. Right? There's a lot of security gaps; we'll probably get into that today. So, yeah, that was my kind of professional first reaction. Right? And then, other industries got hit with this. Right? There was the Clorox breach, MGM, severe operational impacts, but the type of impact is different. Right? It's not necessarily patients. So UnitedHealthcare was certainly different in that aspect. But then personally, it hit me, right, because I have a four-year-old and couldn't necessarily get the script. Right? You call the pharmacy, and they have the voice memo, like, there might be delays because we can't connect because the systems are down, ransomware attacks. So it's like, wow. This is... And that's the scary part. Really hitting home. Right? Yep. Yep. Yeah. That's the scary part. Right? There's a lot of patient data involved.
There's a lot of very private data involved from all sorts of levels in society that all of a sudden are vulnerable to these people. They're locked up. The doctors can't get to them. But at the same time, you don't know who has access to these files now. That's the scary part. And I don't want to fear-monger, but unfortunately, like I said, this has happened before in healthcare. I've seen it in a Belgian hospital once, and when these things happen, you have to realize there's a lot of vendors and suppliers that are interconnected with these systems via VPN tunnels, and then the risk exists that it starts spreading to other, bigger providers. And I don't know the full details on how this came to be, but that could have been one of the reasons that these guys got attacked as big as it was, because one of their customers might have been affected and then it trickled down. That's the scary part of these types of things: you don't always know exactly where the source comes from. Right. And then the attack surface that we have to protect, it's just expanding in the last five to ten years. Right? That way, you know, you're right. I agree with those VPNs; we're no longer just having to protect our own network, we also have to consider the risk that third parties, the solution providers, are bringing to our network through their connectivity. And for me, what's very surprising whenever I see the post-mortem on those attacks is just a lack of segmentation between the critical systems and the general IT and, you know, email system. And when a large organization is shutting down those operations, that means a lack of confidence in the way they can segment and cut off those critical systems from the rest. So... Oh, you're hitting it. Yeah. Absolutely. There is no segmentation when it comes to IT in hospitals; it's all in the same data center.
They're all in the same VLAN, often. There's really no segmentation: this is our email and our Active Directory, and this is a pure medical IT-focused one. I don't... that is not a common thing to do. I've seen it here and there, folks who take it really seriously, and they do Patch Tuesday and all that fun stuff, but the segmentation is definitely lacking in a lot of hospitals. And it speaks to the lack of maturity in the industry, right, because, like, I always take the analogy of a large boat, where we learned to segment the bottom of the boat to make sure that if you hit something, then the water won't sink your entire vessel. It took, I'm sure, like, decades or maybe centuries to come up with that technological solution, and I think we're still at the beginning of that in cyber, where we have to learn to implement segmentation as just the base foundation of all cybersecurity programs. Right. Yeah. I agree and disagree. Because I would say segmentation absolutely helps, or you can even go broader, right, and say access controls. So there's a broader theme of digital supply chains and then the risk that gets introduced there. So I agree wholeheartedly with you guys there. But that also creates the problem. Right? Because it's like, well, how do you segment effectively and then not impact business or delivery? Right. And then when you're talking about healthcare, you're talking about patient care, right? Like, somebody could theoretically die. Right? That is a real risk. So you're kind of trading security risk for patient risk, and I think healthcare is maybe guilty of that, but is it really that bad of a decision? You know, they have to weigh those options. So now, though, like, kind of how this has played out, it's, right, the security risk can actually get as bad as those patient risks.
So we're at a crossroads. I would say healthcare is unique here because of the types of technologies that get interconnected and then the ecosystem of partners. But, technologically, I agree fully, Dr. Robin. It's kind of, we're talking about basics of access control, but it's basic in theory. It's incredibly complex in practice. Right? How do we connect very distributed technology that's serving very advanced use cases right now? Now we're kind of on that trajectory towards AI, and there's even more. Right? And it's just moving very rapidly. So, yeah, I've had a lot of advisory discussions on segmentation, micro-segmentation. Like, the technology exists, but it's very, very difficult in practice when you're trying to balance with business needs. But that's my experience personally and professionally. Mike, you're absolutely right. The workflow and the business needs sometimes dictate the security piece, too. That's the scary part sometimes, especially in healthcare. And it goes as simple as a workstation, and every doctor around and nurse needs to be able to get to that, look at files. And it starts with the Windows login, where often they use a universal one so that they can all log in quickly without having to go through passwords, because they need to go in right now. It starts there. Like, that's just an example of lacking security for easier access to the patient data. And you can argue for both ends. Right? Like, it makes sense that they need to be able to get in quickly, but at the same time you open the door for bad actors. And that's just an example; you see that in hospitals everywhere, unfortunately. Yep. And I don't want to throw anybody under the bus because, again, like I said, it's a workflow consideration too. Yeah. I'll be perfectly honest, when I walk into any medical setting,
if I look around at technology, I'm like, it probably has some issue that I could exploit, and I just have to kind of block that out of my head, because I'm like, I'm probably surrendering data. I am accepting some risk just by being here as a patient, but that's just my background as a, you know, cybersecurity practitioner: knowing all the things that can go wrong. Yeah. So let's jump over to how healthcare firms are approaching their cybersecurity strategies, kind of at large. Right? Obviously, data-rich healthcare firms, whether it's a care organization, an insurance provider, some kind of third-party company in the ecosystem, they're pretty juicy targets. There's a lot of data there to exploit. And so you would imagine that IT spending or security spending or cybersecurity spending at large would be a priority. But what we're seeing is that it seems like it's really not. Some statistics point to healthcare allocating around eight percent of its IT budget to cybersecurity, which is lower than most sectors. And twenty twenty-three was the worst year for data breaches in healthcare. And now, maybe after this last one, twenty twenty-four might be up for, you know, competing for that first-place spot. And experts suggest that cybersecurity spending as a percentage of revenue falls somewhere around point four two to point seven five percent. Again, as a percentage of revenue towards cybersecurity efforts. So it sounds like people are saying, you know, just as a foundation, the investments aren't there. Is that what y'all are seeing, that healthcare at large is underspending or not prioritizing their cybersecurity investments, or does this have to do more with better leveraging the existing investments and sort of the education around the users of these various forms? Like, where is the incongruence here? Is it really just lack of spending, or is it something else? It's actually a multitude of things. Right?
So a lot of these healthcare providers, they have networks that are multiple decades old at this point. Right? So it's an infrastructure that's not as young as a lot of other facilities'. That doesn't help these guys. Probably the other piece that you have to keep in mind is the software that healthcare has to use. The cost of these is enormous. Radiology software, medical records software, the cost of these is enormous. So automatically that puts things a little bit in perspective, that their spending might not be as high on security, but I do know that a lot of IT folks in the medical space do take security very seriously. And they're doing everything they can, from patching to buttoning down firewalls to intrusion detection. All of these things are definitely put in place, but at the same time, these IT folks also have to battle the hospital and their users and the workflows that are coming with this. And often enough, they get overruled, and then at the end of the tunnel, they get blamed for the intrusion that actually happened. So I know there's courses that people do to make them recognize attacks and phishing attacks. All of that is in place for a lot of these big providers, but yet still, things happen. And it's always an ongoing battle when it comes to security; there's always an angle somebody might not have thought of. Yeah. And attackers pivot very quickly, too. You know, I'd say from my perspective, I worked for a telco for close to twenty years, which is now a critical infrastructure provider. Right? And then they become the interconnect to all other verticals, like healthcare or utilities. Right? So if you can attack communications, then you can now bring down anything. So then you start rabbit-holing into that whole topic of resiliency. But, you know, my career at that telco, very difficult. Right?
A lot of the things that Davy's hitting on. Right? You're always fighting for that budget. You're fighting for the headcount. You know the things that you have to do for a security program, but you just don't have the teeth. So one of the things that I like, that has been a more recent trend, is kind of the wave of cybersecurity regulations that are hitting, things like the EU's NIS 2 Directive, the US National Cybersecurity Strategy, cybersecurity disclosure rules. And there's a lot of regs, right, and I could probably spend the next ten minutes just listing all of them, right; every nation state's gonna have their own, and then verticals are gonna have their own implementations of them. But they're saying a lot of the things that security practitioners have been saying for decades at this point. Right? Like, we have to be better at access control. We have to monitor for intrusions. What does our threat detection and response capability look like? Can we detect things timely? And then is that disclosed? How do we coordinate vulnerability response? So the regulations are finally starting to catch up with that. But then in tandem with that is also penalties. Right? And that's the reality. Right? We are talking about businesses, and we're kind of in weird macroeconomic times. Although, hopefully, coming out of that, right, but globally, things were very suppressed. So most organizations were scaling back all of their spend. Right? Whether it was IT or security, and usually security is first to go. Right? Like, well, let's be honest. They're not revenue-generating. The risk is just accepted by organizations. So now regulation kind of has more of that teeth. So if you're making sacrifices on your risk management approach, whichever aspect that might be, maybe it's access control, maybe it's threat detection, there's multiple pieces, right, patching, how are you managing suppliers, all these are components of that.
If you're making sacrifices there, it has to be disclosed to the regulatory body or maybe the public. And then, if you have a failure, like in the case of an incident or breach, there might be financial repercussions to that. Right? Your leadership might be at fault. Eventually can't practice. Right? Maybe there's criminal penalties on the table. So that looks much different than it did twenty years ago. So as a practitioner and a leader, right, I was managing or leading the application security efforts, a component of it, at Verizon. And that was a large team. Right? Many organizations don't even have adequate staff, right; their security staff are juggling all of the security roles. But I never had enough people, and they never had enough money. And I was constantly fighting those battles, and it's exhausting. So, yeah, as a practitioner, a leader, an advisor, it's like, this is great. Right? This is music to my ears. We need to ride that wave. Because that's gonna improve all industries, certainly healthcare. But, yeah, the tech hasn't really changed. We're talking about a lot of the same problems that just kind of got swept under the rug, unfortunately. Yeah. I don't see a... Go ahead. Go ahead. Well, Mike hit an important piece there. It might have been swept under the, what he said, but often enough, the security guy is one guy. And he's responsible for the regular IT that he's working on, and he manages an intrusion system, but that's one guy with many hats that he's wearing, unfortunately. And luckily, some hospitals do take this seriously enough to include a third party to manage that, but you're absolutely right, Mike. The moment budget comes along and it's too expensive, that's the first thing that goes, because it's a third party. It's a vendor. We can cut back. Plus, we got Bob, who's really good at IT, and he can do the security piece. Sorry about it.
You know, I don't see... Outside of really having regulation, I don't see a solution for making those resources more aligned with the need. I mean, we keep hearing those three problems from, you know, the organizations we're working with: one is this greater sense of urgency around just gaining visibility over what we have; second, to understand the complexity, like you mentioned, like how complex those applications and equipment are and how they interact with each other. So it's really hard for an organization now to do just a risk assessment on top of that complexity. And then the third challenge is the limited workforce. You're right, like, it's just one person often, and they don't have the resources or the staff to be able to just adopt the best-practice cybersecurity solutions. So other than regulation, I really... that's why I mentioned the TSA directive in the oil and gas pipeline, and having experience on the electric side with NERC CIP, which is the most punitive OT cybersecurity framework in the US. Like, if you don't comply, you get fined up to one million dollars a day. But without that big hammer, I just don't see organizations having the capacity to allocate more budget or interest in those internal files. Yep. I agree fully. Yeah. And I should say, you know, risk prioritization is always the name of the game, right, particularly for CISOs. Limited resources and many things they have to do for the business. So it's constantly a juggling act for sure. The good news there is that we are seeing, I mean, we've seen a shift last year where that discussion reached the board level in many organizations. I think the visibility on those breaches is helping.
I was really pleased to see the new version of the NIST CSF really emphasizing governance, so putting responsibility at the highest level in an organization to take cybersecurity seriously. Yeah. I think the human problem is a good one, too. I don't know if we'll get to it here because it can be a Pandora's box. But, you know, there's never enough humans, right; it is a human problem, and I know there's efforts to kinda train up the cybersecurity workforce, right, and now there's discussions about maybe we need a cybersecurity military, like, a division, which I could see the arguments for that. I wouldn't necessarily debate against it. But it's very hard to train up people in all these things, right, even for trained practitioners like myself, right. I've spent a good portion of my career focusing on the application security side of things. Certainly dabbled in network security and infrastructure security, but I haven't spent the bulk of my twenty-five-year career just engineering networks and securing them. So, am I the SME on that topic? Maybe. Right? But it's, like, if it's a very advanced threat that's kind of attacking network backbones and now traversing networks, and maybe that becomes a global risk, I might be in over my head. So are there enough humans? Right? And it's, like, I've been at this over twenty-five years. Like, it's hard to find that, and then somebody that wants to take on all of that responsibility. So there's very fundamentally a human problem. And that's typically, in fact, for me, thinking about how this could be fixable, it's like we have to start trusting machines more. And what does that look like? You know, there's variations of that with automation and scripting and now generative AI. Like, there's tools that are becoming available to us, but, you know, they bring new risks. Right? So it's not, like, all aboard. Right? Like, let's all start doing generative AI.
But these are ways that you can augment the workforce, because there's always gonna be a staff shortage; that's just reality. It's not gonna get better. I mean, you could throw all the money you want at it. There's just not enough human workers. Period. So let's jump over... I like the idea of a... Go ahead. Oh, yeah. Well, I was just gonna say I'm curious now, you know, obviously, the human element is huge. And as the ecosystem of healthcare digitizes, and it evolves, and there are now more nodes for sort of how you even interact with a healthcare operation, more decentralized care as well, at-home care being facilitated not just for end-of-life care, but, you know, even virtual care for primary care in a lot of instances, this is now, you know, again, a major education lift that involves educating a lot of end users. But the one that I wanna hone in on more here is sort of the synergized strategy between care organizations and some of the partners that they have for these MedTech devices or EHRs or other sort of third-party software, IoT networks, right, that are facilitating this digital ecosystem of data gathering and really sensitive, you know, data collection. That, I feel like, is where there needs to be a little bit more strategic alignment. And so I'm curious, after this major UHG breach, and sort of in the wake of this more acute risk perception shift in healthcare, how are you seeing this again impact some of the relationships between care organizations and some of their third-party software providers or partners in the space? Right? And any advice or strategy on how there can be a little more alignment on their standards and their cybersecurity goals? Yeah.
The risk of supply chain has really been the major point of discussion, pushed by the executive order a couple of years back from the White House. The practical advice there is to adopt an approach where you develop a standard questionnaire for all your vendors that will help you assess the risk you're introducing: what type of secure coding best practices they are doing, how they are securing their build environment. We all have the memory of SolarWinds being breached, attackers being able to introduce malware directly inside the source code of a major IT platform, and then, once they're in the build environment, every customer that is patching their instance gets infected. And so we had eighteen thousand organizations infected in just a few weeks. So really vetting the risk that you're bringing with those solution providers, and then also applying those concepts of segmentation to the software you're introducing, to make sure that if something goes bad, then it's contained to the proper risk level.

Yep. Yeah. I'd say sometimes it gets lumped under zero trust as an umbrella, or maybe zero trust architecture, but yeah, it's absolutely accurate, Dr. Robin. And the supply chain risk is definitely a big component of the national cybersecurity strategy. Technologically, that starts to get into bills of materials. SBOM is usually the more well known, but there are also hardware BOMs, because specifically in this sector, with MedTech and connected devices, it's going to look substantially different than just the software piece. So now you have multiple BOMs, and you have to rationalize that. But are your providers even creating and maintaining them and then furnishing them to you?
That's a big gap. We have a lot of work to do there. I do like that the cybersecurity strategy called it out. The other thing that I should call attention to is that the FDA just issued cybersecurity draft guidance on this topic, very specific to these industries. The technology is very much the same: we're talking about segmentation, micro-segmentation, access control, detection and response capabilities, bills of materials, managing your suppliers. But how do you put that in the language of the specific healthcare industry, or when you're dealing with medical devices? So that draft guidance exists; hopefully that moves along very quickly, and then organizations start to adopt it. But fundamentally, those security principles are there. We just really need to start doing it.

And for myself, in my career, how I've approached the problem is, if I get involved in a discussion on how I'm going to solve a problem, it's: how are we going to scale this? And then how are we going to automate it? Because if you start pulling out a piece of paper and you're expecting to track that, and this is going back twenty-five years, I'm like, that's never going to work. And now, in twenty twenty-four, there's no way. If you're doing that, you've already lost. So we need to be thinking ten steps ahead, and then how are people going to compromise this data? You might say that's threat modeling, and that would be another concept within the cybersecurity strategies, but you have to kind of retrain your brain to think that way.

I've been in a similar situation before.
The first thing that's going to happen now is that those IT folks from the affected organizations are going to go around to all their suppliers and vendors and say, hey, I want you to review all your documentation. Are these ports and certificates still okay? Is that still the requirement of the security you guys have? So what they're going to do first is go through an entire checklist of older vendors and suppliers and make sure that's all buttoned down again. And there are standards and such, but I'll keep saying it: unfortunately, the workflow and the appetite on the floor has to be there as well. It's going to be a form of education again, actually showcasing, hey, these types of behaviors can lead to what we just saw, and that impacts patient care, because that's the ultimate problem here: the impact on patient care was there. Nobody could get their prescriptions. You don't know the history of a patient at this point. You can have patient X come in, and you don't know what happened with that patient before. That is a huge problem. So the biggest thing they're going to do now is just go through all their vendors and all their security pieces and really button it down to the point where it's like Fort Knox almost, and then they'll slowly open things up where it's needed. And that's a human reaction. But at the same time, that's the type of army reaction you were talking about. Like I was going to say, a SWAT team, a government agency. I'm not the one who normally preaches for these, but have a team available whose main profession is to deal with cybersecurity. And I hate to throw Bob under the bus again, but Bob doesn't know all the intricacies that come with security. He might be really good at what he's learned and certified for.
But being an expert, and being somebody who has to deal with an attack like this by somebody who's very proficient at doing these types of attacks, you need professional help with that, and third parties can help with that. But having an agency that can come in and swoop in and say, hey, these are the vulnerabilities that we've seen already from the gateway, let's button these down, let's really start hammering it down. I think that might actually be something that a lot of healthcare providers would really love seeing. And keep in mind budgets are tight when it comes to healthcare worldwide. So if that comes at an extra cost, then unfortunately we're going to see a repeat of this again if we don't find the solution to helping these folks.

That's reminding me that a really good way to surface those gaps that you may have in your cybersecurity posture is just a simple tabletop exercise. It doesn't cost much. We do that at least once a year at Network Perception. You just lay out a few scenarios like, okay, this business unit was hit by ransomware. And then you have the stakeholders around the table discussing: how do we detect? How do we identify? How do we contain? How do we recover? And you start documenting this, and it's pretty magical, because you clearly see where you have important weak points in your layered defenses that you need to address with your strategy.

Yeah, I agree. You need to engage a trusted third party. And there are government entities that are also being established to assist the different verticals, and there might be resources made available to you. But yeah, I very much agree with Davy. It's a human problem. I want to wrap my arms around this, I've got to get my head around it, and that implies slowness. So those point-in-time validations and attestations...
Unfortunately, sometimes the regulations are still zoning in on that, because it's a more achievable problem. But realistically, it has to be continuous, because things are going to change. Even from the point that you do the threat model, if you're doing that, the production thing is going to change. Particularly when you consider the whole ecosystem of connected suppliers, that's a dynamic attack surface. It will change, and attackers are going to find the weakness. So if your validations are point in time with that checklist approach, again, you've got to challenge yourself: how can we do this better? Because it never worked. Let's be realistic. That's why SolarWinds happened, and we could probably spend another hour just talking through that, and it will happen again. Because if you're testing your access control and then you're not continuously checking that, you're going to have gaps. That just happens. And this is kind of that machine assistance angle. Those have to be automated, where you're constantly checking things. It can't be, once a year we're going to sit down and do the review with that trusted third party. That trusted third party should be steering you towards: all right, let's get something that helps you continuously validate these things, and maybe it even furnishes some digital document or artifact that you use for your audits.

So if we pull the lens back a little bit, I think those are incredibly useful strategies that care organizations and the third-party software providers or partners, whoever, can start to use to refocus some of their priorities. But when we pull back also, there are industry-wide standards that attempt to set the tone for some of this. And there was a recent article out there.
The American Hospital Association wrote to the Department of Health and Human Services to try to get more clarity on this data breach from UHG and Change Healthcare, and really the goal here is to see whether they were compliant with HIPAA rules. Because they said, quote, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notifications to HHS and affected individuals occur as required by HIPAA. So that's just some boilerplate text there. But what I'm trying to highlight here is there's sort of an emphasis on: guys, make sure that you're compliant with these rules. But I want to just get a touch point here on: are the standards in place? Are the rules in place giving enough guidance? Is this foundation that we're supposed to be building upon, whether it's for communicating in a reactive fashion (there was a breach, here's what happened, let's act accordingly) or whether it's proactive (your systems, your networks, your devices, your relationships to your partners should have this level of scrutiny and security)... Are those standards in place and doing a good enough job to motivate the industry forward, or are there gaps there? And if so, what do we need to shore up?

Yeah. As I said earlier, without the strong hammer, it's really hard for those standards to be taken seriously. So, yeah, the penalty system and the audit, like making sure we have a system in place to audit this periodically.

Yeah. One thing... Oh, go ahead. Go ahead, Mike. Yeah, I was going to say, I'm kind of emerging from reviewing this directive, and I kind of interpreted your question, Daniel, as: is it prescriptive? No. The regulation tends not to be, because it needs to be enforceable.
So it's going to be more generalized, but does the prescriptive guidance exist? Very likely, because then you start going into ISO standards or NIST supporting practices or special publications. There's a lot of material you have to unpack, and then you have to contextualize it for your environment and your ecosystem. And that's where things tend to break down. My entire career, that's always been the gap, because now you're talking about language barriers too. Your GRC teams likely don't understand the technology ins and outs, and then security gaps are going to arise. So that becomes another place, for me personally but also professionally, where machines can help. Let's bridge that gap: put this in the language of what our risk teams are expecting, but here's actually the technology back on the implementation, and all the things you have to configure and verify and code in your build pipelines, like Dr. Robin was talking to. All of that's in scope. How do you actually contextualize that for the regulatory language? So those divides have always existed. I wouldn't say it's getting better. The guidance is there, but how do you parse thousands of pages of guidance? Good luck without that trusted third party.

Mike is absolutely right. The software definitely needs to improve when it comes to HIPAA violations and all that. There is a guideline, the HIPAA guideline, and that's followed in North America all over. I know in Canada, in Alberta, they do audits on their healthcare providers, making sure that they're sticking to it. They go on-site, they go through what type of documentation is on the desk: is that patient care documentation, should that be there? In Canada, there are a lot more regulations regarding that. I think in the U.S. they can use some of that too.
I don't know the full intricacies there. But when it comes to the software, I know there's some software already out there that is really looking and seeing if there are any HIPAA violations happening within the software. You know, SUSE uses NeuVector out of Germany. They have software that's literally built out to find intrusions, but also violations when it comes to HIPAA. So there is software already being created and utilized in this space. But again, that's early stages, where we really need to get that rolled out almost everywhere. And personally, as a cloud provider, it's my job as well to make sure that if we create something and anything medical comes on it, even if that's on a blockchain or not, we have to make sure that we still follow HIPAA, that paper and regulation, as well. We have to do anything we can. And that's kind of how it's written: you have to do everything in your power to make sure you don't disclose any patient data to people that shouldn't have it. That's the rule. That's rule number one. That's what everybody from your receptionist all the way to your CEO at the hospital has to follow. And unfortunately, things broke down. And yes, there will be some consequences, and I'm looking forward to what the cause of this was and how the entire sector can learn from this. It can, like I said at the start, be as silly as a USB stick that was offered to a receptionist, and she saw the images of the previous exams and didn't think anything else of it. It all launched perfectly, and the patient was locked out. But that could have been it, right there, right then. Antivirus scans might not pick that up. It can be a PDF file that is sent to somebody in an email. There are so many things that can cause this.
So it unfortunately happened, and patient care got impacted by that.

And that's why I always come back to segmentation, because there's no way that you will prevent all those USB sticks or phishing attempts from succeeding. So you'll have intrusions, and now you need to learn how to be resilient. There's a whole set of conversations around cyber resiliency: when we get breached, how do we make sure that our critical operations keep running? And what are the layers of segmentation, the defense layers, we need to put in place to make sure that we can run despite being under attack?

All right. Your voice is an interesting one. Yeah. Go ahead. No, it's like, it could be a whole other conversation, I know, because I love that Dr. Robin had said that. It's a very heavy topic. And sometimes you're seeing now the regulation is pushing multi-vendor or multi-cloud as a solution for resiliency, and actually that can create more risk, availability risk or security risk.

I was going to say you just have more things. The segmentation is important, but like I said, at one point all the vendors are connected to these systems. They have to be able to support them. So they have entryways into these systems. They have satellite computers or something like that, what they call them, or jump stations, as they call them in the industry. And then they do their thing. And it can be, if you have a university hospital, they have students there with their own machines that are doing research things. They're running Python scripts. They get excluded because they're doing something for research, so that Python script might be flagged as something, but it's not.
And then, so it's a give and take for a lot of these things, but the security piece, yeah, is often very lenient when it comes to certain individuals in the company and workflows that need to happen. Whoever speaks the loudest often gets away with it. But then at the end, something happens, unfortunately. The mental piece of that too: the folks who had to deal with this intrusion, my hat's off to them, because this is not a fun time to be in, finding the solution. How do you get the systems back online? How do we prevent it the next time? But also for folks trying to reach this vendor and not being able to connect to them, no support. There's a lot more to it than just the security piece of it. The trust levels, clearly, because of that hospital now asking for more information, you can see that the trust levels are affected by this too. And the folks who are in this on the daily, they don't like seeing this. This is not something they opened the door for, because this was brutal to deal with.

Absolutely. It's a huge amount of pressure. And Daniel, to your question earlier on reactive versus proactive, I mean, you need both, but I'm a strong proponent of being prepared. If you're a CSO of an organization, you won't be judged on whether or not you got breached, but you're going to be evaluated on how you reacted and how you were prepared for that breach. So the amount of proactive measures you can take is important. And if you're listening to us and you have a hard time understanding that big space of regulation and requirements to navigate, because it's daunting, there's a new one every few months, I really recommend a good resource: the Cybersecurity Performance Goals that CISA published about a year ago.
I like it because it's very simple. It's a checklist. And I also like it because it takes into account a maturity level. You won't be able to go from no security to completely secure on day one, but you have a journey, and there's a path to get there. And so those CPGs make it really straightforward to distill all those different requirements into a pretty simple checklist.

That's a good one too, Dr. Robin, and the CSF governance, there are maturity elements in there too. But yeah, I just wanted to offer that up: things you could start with, because it is a lot.

Absolutely. I think we'll go ahead and wrap things up, folks. Thank you so much for your analysis today. That was incredibly insightful, and I appreciate all of the really actionable advice offered here today as well, because I think what we're looking at here is such a layered ecosystem that is constantly evolving. Not only are there new risky access points for some of this mission-critical and highly sensitive data, but also, with an industry that has quite a bit of turnover and a lot of burnout, training up a nurse to make sure that she is fully educated on how to approach her day to day with cybersecurity activity in mind, that's a whole other lift: the education component of this. And then on top of that, the relationships and the standards set between the third-party software providers, the network providers, the care organizations, the insurers: it's quite a convoluted and difficult-to-corral environment. And so I think having tangible, baby-step-style action points is key for this industry to move forward and to help shore up its defenses, to hopefully avoid more of these massive breaches that tend to ripple out across the whole industry. And y'all got my wheels turning on some follow-up topics, so I appreciate that too.
But for now, we'll go ahead and wrap things up. Thank you to the three of you for your great analysis today. It was a real pleasure. Again, folks, we've been joined by Dr. Robin Berthier, CEO and cofounder of Network Perception; Davy Wittock, chief business officer at Influx Technologies; and Mike Isbitsky, director of cybersecurity strategy at Sysdig. Mike, Davy, and Robin, real pleasure again, and I'm really looking forward to the next one. Lots to talk about. Yep. Thank you. Great discussion. Absolutely. And thank you, everyone, for joining us on today's episode of Experts Talk. If you like what you heard and saw today and you want to tap into some future Experts Talk roundtable discussions, or you want to catch up on all of our previous thought leadership, head to our website, marketscale.com. You'll find all previous episodes as well as more information on the upcoming live roundtables on the radar. We'll be back tomorrow and Thursday with more commentary: tomorrow on some building and facility management topics similar to today's, but more on the physical security side of things as we gear up for ISC West twenty twenty-four, and on Thursday, we'll be chatting big box retail and some of the ways that the big box brick-and-mortar store is changing its role in omnichannel retail. Lots of good stuff on the horizon, folks, and I can't wait to platform your voice on Experts Talk. Thanks again for joining us. I'm Daniel Litwin, the voice of B2B, and we'll catch you on the next episode of Experts Talk.

About the author

Daniel Litwin, Editor, B2B Media, MarketScale

Daniel Litwin is a journalist of multiple disciplines focused on finding and telling engaging stories for B2B communities. He has interviewed executives from Fortune 500 companies including Honeywell, Microsoft, John Deere, and Chipotle, and leads editorial direction at MarketScale. Litwin hosts weekly shows and podcasts while helping develop new content approaches across the MarketScale platform. He holds a B.J. in Radio/Television Reporting/Anchoring and a B.A. in Spanish from the University of Missouri-Columbia.


About the Expert

Daniel Litwin

Host & Journalist at MarketScale

Daniel Litwin is a B2B content strategist and podcast host at MarketScale, where he covers emerging trends across industries including healthcare, technology, and supply chain. He serves as the voice behind numerous MarketScale shows, conducting interviews with industry experts and translating complex topics for professional audiences. His work focuses on helping brands tell their stories through thought leadership content.