Transcript
I'm your host, Rick Vanover, the Rickertron. And joining me today for fresh perspectives to wake up to is David Holding. How you doing, David? Doing great. So, David, we were talking a little bit about this before the show. I got a lot to ask you, but take a moment, introduce yourself to the audience. Yeah. So, David Holding, my role is Director of Global Healthcare Security and Compliance of Microsoft. So, I work within the industry team at Microsoft, and I'm at that interesting intersection of healthcare and life sciences and security and compliance, and work a lot with partners, clearly Veeam, and also with a lot of customers, providers, payers, pharmaceuticals, medtech worldwide. So, really interesting perspectives across those areas. Yeah, it's super critical, because really, at a personal level, that affects all of us. But secondly, from a technology perspective, you could challenge this as the heart of innovation and a great opportunity to really do so much more with our data. So, that's what we'll talk about here today. And now, I'll start with one probing, compelling question that really has been consistent through this season of The Wake Up Podcast, and it's a challenge that the data that organizations have, so much of it, not necessarily all of it, but so much of it, is not trustworthy. What's your initial reaction to that claim? Yeah, so there's several facets to trust. One of the facets is, is the data there when you need it? Do you have timely and reliable access to the data? And if the data's not there when you need it, that can really impact patients, right? It can affect patient quality of care. It can affect patient safety, even, right? It can, you know, if it's mission-critical data for healthcare, and it's not there at the point of care, at the point of need, you know, the healthcare doesn't happen, so it's a real risk. And, you know, for the trust to be there, the data has to be there reliably and timely. I think what's really important, especially with healthcare data, is truly thinking about the access of it, because we're in this world where providers, and when I say providers, I'm not just referring to line healthcare providers, but maybe even technology providers that those would use, are really racing this innovation press with AI. And I'll tell you one example before, you know, I throw you a question. A good colleague of mine, CTO to healthcare provider in a country, a national-run healthcare provider, told me this fascinating story about feeding unstructured imagery into custom-built AI solutions to detect potential issues years and years ahead based on prior diagnosis and things like that. So there's really solid business benefit for the mission of healthcare here. But it also poses a question. Do organizations, providers, or solution providers, or the whole space, do they have enough control over who can access data, what can access data, especially in the era of non-human identities? Is there really good visibility on the access and control of that data? Yeah, a really interesting question, and, you know, in a sense, AI is an information power tool. And one of the things that AI is surfacing, I think a lot of organizations are realizing that data governance is super important. It's always been important to ensure only authorized access to sensitive healthcare data. But in, you know, 10 years, 20 years ago, it was fairly common to have a confidential document sitting in some corner of the network that people just didn't happen to stumble upon. But now when AI is activated, again, information power tool, if it can see that data and people ask the right query, the right prompt, it'll find that data, right? So what it's really underscored is the importance of data governance in terms of knowing where your data is, and that's right across the end-to-end IT spectrum, and by the way, it's shifting all the time. So migration to cloud, AI is this new center of gravity for data, but know where your data is, identify it, non-trivial if it's unstructured data, but you've got to identify it. What is it? Is it PII? Is it PHI? Is it intellectual property? Be able to, you know, classify it according to its sensitivity, label it, and then the other thing that's really important is the identity and access management you were talking about, and in particular, the principle of least privilege across roles and over time. It's super important that the healthcare workers have access to minimal but sufficient information to do their job, but not more than they need for security reasons. I think that's super important to get right, and I would further safe bet say that healthcare isn't alone in this type of journey. Private sector, other regulated environments, I have a lot of experience in financial services, for example. That problem exists, same phenomena, just different risks and different GRC standards to go by, but what I think would be really important is really identifying just the visibility of who has that. Do you see healthcare, that industry, do you see that as they have a good grasp on the visibility of those challenges, or is there still a lot of work to be done? I think there's a lot of work to be done in general, even AI aside, just doing data governance well, knowing where the data is, again, identifying it, classifying it, labeling it, doing the identity and access management well, least privilege, again, across role and over time, but then comes AI, and you've got this whole other level to do for data governance in terms of training data, inference data, if it's retrieval augmented generation, you've got all kinds of systems feeding data in to augment the prompt during the inference and so forth. What we're seeing is some healthcare organizations are doing the data governance and identity and access management fairly well, but they weren't necessarily AI ready. How do you make your data governance AI ready? One of the interesting ways is to use compliance frameworks out there. One of the interesting ones is ISO 42001 for AI data governance, and it can provide a useful lens, if you will, to hold up to your current data governance practice, identify gaps that you can address to get AI ready with your data governance. That's a useful tool for organizations out there to up-level their data governance to be AI ready. You walked right into a really good opportunity for me to mention that one of the newest parts of Veeam's portfolio is the data command center, and this is a really powerful way that these frameworks can be visualized with a data command graph of the different data sets that an organization may have in connection with the different compliances that it may be subject to, so check it out at Veeam.com, and then specifically the security AI capabilities, but David, I think that that underscores a massive risk in a way that there's a lot of work to be done on this visibility standpoint, but do you think that there's a lot of over-permissioning people, systems, et cetera, that might be like a blind spot when it comes to this type of assessment of the data? Yeah, there definitely is, and it happens in two dimensions. It happens across roles. All over their career, they take on different roles, and it's not uncommon to see a given person have multiple roles, basically the history of all roles they've had, and the other facet is they need some elevated privilege over time. Maybe they've got a particular task that needs admin-level privileges, and so they acquire those privileges, but they aren't necessarily rolled back afterwards, so you get this sort of scope creep, if you will, of privileges, and the problem with that is it gives the individual access to much more than the minimal but sufficient for the role, and another big problem is when attackers get in, whether it's through phishing or weaknesses or vulnerabilities in the external attack surface, if they get hold of the credentials for an individual with those elevated privileges, that greatly increases the blast radius and the lateral movement, and it could be the difference between one segment of the network being compromised with ransomware and the entire organization. So a lot to unpack there, and you're speaking to some of the near and dear things to my heart. For one assumption, but healthcare probably always has an urgency, should there be, when you mentioned blast radius, we're referring to cyber threats, ransomware, et cetera. There's always an urgency to resolve. Now we're in the business of keeping this good data safe from bad things across the board, whether it's, you know, I see three real generations of risk. There's the old school fire, flood, and blood, ransomware, cybersecurity risks, and now today upon us is this agentic world where data can be made unavailable or wrong from nonhuman identities or potentially human malicious actors, so there's nothing but evidence telling us that we need to really work hard to keep this data safe, but you also kind of brought up a good point when I think about some of the decisions that go into response to a blast radius. You know, lives can be on the line, and I think that organizations need to prioritize the processes because it's not really a technology decision. I think it's a people and a process part of it. How often does that come up in your circles when it comes to advising organizations about permissions and, you know, these blast radius type things? Is that pretty common? Yeah, super interesting line of discussion, and it's fairly common, I think, in the wake of some of the third-party disruptions. A lot of CISOs are starting to look at, you know, when we are disrupted. Unfortunately, it's a when, not an if. When we're disrupted, what are the mission-critical systems, like the EHR, but there could be a whole set of them, labs, radiology, et cetera, and what are the mission-critical third parties, the business associates, the data processors on which I depend? And then, underneath those mission-critical business processes and third parties, what is the data footprint? And we really need to make sure that data is available, going back to the trust discussion earlier. Make sure that data is available. Make sure reliable, timely, you know, access to the data at the point of need, at the point of time, and, you know, that's essential for trust. As we say in security, trust is one in drips and lost in buckets, right? Wow. That's good. That is a wake-up moment. One in trust, or it's one in drips and lost in buckets. Wow. Yeah. Yeah, unfortunately. I love that. That's a zinger. I'm going to hold on to that one. You also mentioned, you know, this thought of being at a company a long time and having these broad-stroke permissions. We actually had a joke at Veeam. This was probably, you know, stealing something from 12, 14 years ago. We used to actually joke when customers would enter a support case, and we'd be reviewing the logs or something like that. And the account name that was in use for the Veeam support case that the client was calling about was, let's just call it about that time, domain name slash service account name. That service account name was the name of one of Veeam's competitors. And we would kind of joke that, hey, that organization switched from that product to us. But it actually probably means everybody's got that password. It's not been changed. It's got permissions everywhere. So I think that's a cheeky example, but it probably exists, that type of stuff, in health care as well. Absolutely. And, you know, health care is focused on patient care, and sometimes the cybersecurity hygiene doesn't get done as timely or as strictly as it really should be. And I think AI is just vaulting the importance of that by an order of magnitude. You mentioned agentic AI. You know, we need to do identity and access management at least privilege really well for humans and for agents, right? Now we've got agents being added into the mix. Can we also make sure we're tight as far as identity and access management at least privilege for the agents? When those agents are running, do we have a way of monitoring those agents to make sure they're still inside the guardrails? Because if they're going outside of the guardrails, the longer it takes you to detect that, the more damage can be done, right? Well, let's also think about really the supply chain. And health care is really interesting. There's a lot of partners, external providers, medical record systems also. You know, there's the actual line providers and then the systems they use. What happens when information is shared across this different flow? What happens when that breaks, right? And discovering that, that can get complicated, I think. Yeah. And we've seen, you know, several examples of third party risks and disruptions. You know, whether it's from ransomware, whether it's from a wiper type attack, whether it's a clearinghouse, whether it's a medtech, whether it's some other mission critical third party, the reality is when that disruption occurs, it has ripple impact back on the, what we call the relying parties, you know, like the health care providers. And unfortunately, if it's something mission critical, like claims or, you know, eligibility checks, authorizations, pre-auths, remittance advice, or again, medtech type functionality, it can actually stop them. It can stop patient care and, you know, it's one thing if the hospital's in a big city and there's other hospitals nearby, but what if it's a rural hospital and there isn't another facility nearby? It could be life threatening for the patient. So super important. That resilience is so important. And I think of it, and I think increasingly health and life sciences CISOs are thinking about their attack surface as not just the immediate surface of their health care organization, but the surface area of their mission critical business associate as well. And sometimes it's a hierarchy, right? Like they depend on one, but that one depends on another one. And so the disruption can actually sort of work its way back through that tree. Now when we go through these examples, David, I truly love these perspectives. And for those listening and watching, there's a lot of details. IT is complicated now and the stakes are high. The threats are even more. But there is hope. I do talk to organizations that have done it well. One Veeam customer I spoke to, a hospital in the United States, university level, we've all heard of that organization. They had an incident and they were really transparent with us. And they had to make a decision. Do we recover the data or do we let cybersecurity law enforcement and response teams engage? What was lost in that example was time. Because that was time lost. The organization was ready to recover. And they had to make a decision, right? This is back to those people and processes part. They had to make a decision. Do we recover and forego our ability to find root cause because lives are on the line? And they chose to recover. And I think that organizations, first of all, kudos to that organization for being prepared and ready to act upon a plan and having the organizational courage to have presumably a rather powerful element, cybersecurity response, cybersecurity law enforcement, to push those colleagues out of the equation and drive recovery. That's how it in a perfect world could and should go. But have you ever talked to organizations that really did it right and were able to confidently act upon their plans? Yeah. Yeah. So important. And so important, A, to have the cyber resilience, the ability to recover quickly. And for example, make it feasible for them to not have to pay the ransom, right? Where they could recover instead of going and paying the ransom. Because healthcare always prioritizes patients' top, and rightly so. But you touched on plan. It's so important to have the cyber resilience capability, but have the incident response plan. I know I'm preaching to the choir, but have the plan. Do the tabletop exercises. Everybody knows what their role is. It's accurate, complete, and up to date. Sometimes even external actors like cybersecurity services may be involved, PR firms may be involved. But everything's accurate, complete, and up to date. Everybody knows their role. The resilience is actually tested. It's not just a placebo. It's there, and you actually restore it, and you get confidence, okay, everything we needed is restored. All the mission-critical systems are functioning. And then the last thing I'll add back to our third-party risk management is the third parties that are mission-critical, do they have the cyber resilience that they need? Because it's one thing for the healthcare provider to have it, but if the mission-critical third parties don't have it, and one of them gets disrupted, it's going to disrupt the healthcare provider back and any other customers that that third party has. So I think there's just many dimensions to it, and it's just so important to, A, have the capability across that whole surface, that multi-organization surface, and then test it and be sure it's there when you need it. I like to say the only way to learn how to swim is by swimming. You cannot read it in a book. And so what I think people learn from that, David, is that there's dependencies. When you go through those discoveries, you'll find things that you didn't think about. And I can come up with examples. When organizations get it right, they have to go through all of the details. The details are real. But they always find something. There's always some dependency that they didn't think about. Do you have any example in your practice where you've advised an organization through a drill, whether it could be a compliance drill, it could be a resiliency drill, it could be just a modernization drill, any surprise dependency come into the mix that actually they didn't account for? Do you have any examples of that? Yeah, I think it's very common because the original sort of mapping out what is my minimum viable business, what is the set of mission-critical business processes, and at an analytical level trying to determine all the dependencies. But they're always going to miss something, right? That's why I think it's so important to do the tabletop exercise and actually test the resilience, test the restore, run the systems that are restored. Because if there's a missing dependency, that will be surfaced, right? And sometimes you can waive it, there's a dependency here, but it's not mission-critical. It's like a monthly reporting job or something I can forego in the instance of an emergency. But if it's mission-critical, it truly is, hey, we need this for patient care. The fact that that's surfaced, then that can be addressed and be pulled into that sort of minimum viable business and be built out. So iteratively working towards ensuring you've actually got the resilience you think you've got. And what I think's important for organizations to really act on this in a practical standpoint, you know, when you wake up tomorrow and you say, okay, I want to improve my resilience, I want to improve the data quality I have, I want to live in a world where I have trusted data to feed my AI initiatives and more, my advice is to start small. Get a success in your organization, get the stakeholders aligned and believing and trusting that these mechanisms, these processes work. You don't have to boil the ocean today, but we definitely want to warm up one area and make some progress, right? So if I was to ask you, David, if you're going into a meeting today with an organization that's on an initiative to, you know, modernize, get ready for AI, mindful of compliance, save money, all these things that they want to do, what kind of questions are you going to ask a leadership team at a healthcare provider before you even get into any type of advice? What's your core discovery that you're going to do? Yeah, I think one thing that's just become incredibly important is the concept of zero trust security. And one of the key elements of that, of course, is it's all the preventative things that are done, you know, segmentation, identity and access management, least privilege, encryption, all that good stuff. But at the end of the day, we've got humans involved, best intentions, but sometimes there's a click on an email, whatever the case may be. So we must do that continuous monitoring, detection, alerting, response, containment, remediation. And one of the things I'd want to check, first off, are they doing the zero trust strategy? Second off, how is the continuous monitoring done and are they overwhelmed? Because one thing we see very often is the SOC team, the Security Operations Center team is just absolutely overwhelmed. And what exacerbates that problem? So first, we've got attackers now using AI and even agentic frameworks. So they're improving their speed, scale, efficacy in terms of spear phishing, or even just phishing at scale, but click through rate, more sophisticated malware, et cetera. They're improving their scale, it's overwhelming the SOC team. And then the SOC teams very often have sort of disjoint, not integrated security solutions. So they have too many dashboards. It's an efficiency problem. It's a risk problem, because if they've got too many dashboards, they can miss things or it can delay their detection of new issues. If that happens, then, you know, the impact of an attack can be vastly greater, right? It could be the difference between one laptop being encrypted and the whole network, right? So is the SOC team doing their monitoring well? Are they overloaded? Or do they have the right scale? And, you know, is integration a challenge? If integration's a challenge, it must be solved for the efficiency and avoiding burnout and lowering risk of missed alerts and decreasing dwell time and impact. But the other thing that's emerging is we've got to empower the SOC team with AI-powered defense, right? And to do that well, for the AI on the defense side to work well, we've got to have more than just a large language model. We've got to have all of the telemetry from all of these security solutions integrated near real-time telemetry from Veeam, from Microsoft, from whoever, right? Whoever's in that mix, that telemetry needs to converge at the AI. So the AI's got all of the data. It can be the greatest force multiplier for whatever size and skill level that SOC team is, and empower the defenders with speed, scale, accuracy, and even upskilling. Help upskill the junior analysts on the job. Yeah, absolutely. AI will absolutely give more capabilities to the existing teams. I'll go one step further and say that the effort to learn a little bit of AI for whatever the role may be, two, three, four hours, will pay dividends beyond. So the investment is worth it. You mentioned Zero Trust, and I'll pull something out of the Veeam history book here. So a couple years ago, we were really talking about Zero Trust Data Resilience, or ZTDRs. I like to roll it. And now we have a great Zero Trust story across specifically the Data Command Center and the established ZTDR approach that we've been doing here at Veeam. So look into that. There's plenty of information on our website about that. You also brought something I want to talk about when the AI threat actors, or the threat actors are using AI as well. That's like living off the land version three, basically. They're using the same tools, maybe even additional tools as the non-threat actors. So I think that it's important to note that living off the land goes into the AI realm as well. So- For sure. Really important points here. David, thanks for joining us on the podcast today. Thank you, Rex. It's been great. All right, that wraps this episode of The Wake Up Podcast, powered by Veeam. You can find this episode and more at a podcast platform near you, and more information to wake up to at Veeam.com.