Transcript
Good. How are you? Good. Thanks for joining me. So I want to talk about risk management, risk mitigation, but I want to start off with a question about complexity. And just I'm curious, in your position, your experience, how do you characterize the complexity either in your environment or in a typical hospital clinical environment? Yeah. Complexity is very difficult, right? So right, I'll explain it like this, right, in a normal office environment, right? The complexity is very low, right? You have desktop computers, you have copiers, right? That's all you generally have. In a hospital, you have all of that plus all the equipment that I manage. So all the medical devices, right? Usually IT will standardize the type of computer and copier that you have. So maybe you have five or six different makes and models. In the medical device world, right, because of the different types of equipment we have, there are hundreds of thousands of makes, models, and manufacturers, right? So that's the medical equipment. And then on top of that, you have all the OT stuff, right? The card readers, the security cameras, right? All of that kind of stuff. So from a complexity perspective, I would go low from an IT, medium from a medical equipment, and then we add all the OT stuff, which just makes it really, really complicated. I was going to say, medical stuff's probably not too far off from OT in terms of a whole picture. It is, but the maturity of how we handle it is probably further along, right? I think most hospitals have developed programs to try and understand exactly what they are and try and start garnering how to manage them. I'll say OT is so far behind a lot of organizations, whether you're in a hospital or not a hospital, still don't have mature programs around managing them. So the risk is still very different or higher, I guess, right? For OT stuff than it is for medical devices. So I guess that's my next natural question is like the impact of that complexity on risk on healthcare organizations, et cetera. Yeah, so it's very interesting when you talk about risk because you can talk about risk from about like five different perspectives, right? You know, your enterprise risk management team has one view of risk and that's a holistic, you know, enterprise vision of risk. And they care about every risk there is and they want to measure and mitigate everything that's out there, right? Our organization looks at risk in a very different way, right? So we look at risk from something called a materiality perspective, right? I care about things that are going to shut my hospital down, right? So I look at workflows that keep my doors open, right? So anything tied to that workflow then is something I really want to make sure is highly available, is up and running, right? I'm patching vulnerabilities on, right? I'm making sure that that function continues to run. Now, if that function has OT assets, if it has medical device assets, if it has IT assets, all of those have to be highly available, highly reliable, up to date, all that fun stuff. So it's more on a function versus specific device. Correct, correct. So we don't look at a vulnerability, right? And care about that particular vulnerability regardless of what that vulnerability impacts. We look at it from a functional perspective. So from a risk management perspective, I guess you start with the assessments first. How often, how intense are they, and are we talking about, in addition to the known frameworks, bringing in pen tests, red teams, et cetera? Yeah, so GRC assessments occur all the time, right? We all have so many different assessments that go on. Obviously, there are different assessments based on the type of things that are coming across your desk, right? You know, if it's wholly owned within the organization, it's one level of risk because I manage it. If it's a third party, it's a different kind of assessment because I don't necessarily manage all of that. So the risk is very different. You know, if it's AI, oh my God, that's a whole other level of risk. And we've got a whole different type of risk assessment around that. All of those different levels indicate exactly then what you're talking about, the follow-up, right? So do I do a reoccurring assessment? Do I require a pen test? Do I require, right, any additional level of scrutiny, right, based on the risk and complexity of what we're actually implementing? You can't do the nth degree for everything that crosses your desk. We just don't have enough resources to do that. So when you get that shiny new thing like AI, how painful is that for you to kind of just go through all the machinations of just kind of assessing the risk? It is. So most organizations have stood up, you know, an AI governance group to try and understand exactly what's coming in. Because AI is changing so quickly. A lot of us are even still trying to get our hands around exactly how to govern, right, the AI that's coming in. And, right, it's not just physicians. It's any AI that's coming through at this point. We need to make sure it's safe, right? And to do that, all of the guardrails that we need to put in place continue to change. And the pace of that innovation, right, is very hard to keep up with. And so it takes a village to make sure that we're all doing it successfully. And in terms of communicating risk to your population, whether it's staff, whether it's on the clinical side or the business side, how adept have you become at those conversations? I can imagine they're very different. Oh, and they have to be very different. So that's the one thing I think CISOs and IT organizations and biomeds have to understand is that the language that you use, the lexicon that you use has to change based on who you're talking to, right? If I'm talking about risk to my clinical teams, right, and I'm trying to explain why we're putting together downtime plans for whatever it is, right, whatever device that we're working on, they need to understand, right, the impact to them, right? If I take this system offline, here's what's going to have to happen. I need to understand their workflow so that I can talk in their language, right? That risk conversation is very tactical, very operational, right? But when I go to my enterprise risk management committees and teams, right, they don't want to know about tactics. They want to know about exposure. They want to know about much larger types of conversations. And so I think part of the change in leadership, right, that has to be made for those individuals running the IT, the CISO level type thing is you have to become very adept at having risk discussions at very different levels with very different people, right? And do they get it? Like, how do you know they get it? So you'll know they've gotten it when they've signed on to your, right, your plan, right, whatever you're trying to implement from an action perspective. And they can talk through exactly what needs to happen and why. So not just what you're doing, but the actual reason behind it, right? So trying to change the culture of your organization really means making security understandable to everyone. So it's not just about, hey, I'm implementing this, you know, mitigation because it's right for the organization. It's because we're doing A, B, and C. Because we're, right, trying to increase reliability. Because we're trying to increase uptime. Because, right, whatever those 15 things are, if you can enunciate that and your end user can articulate that back to you, right, they're really buying in then to the culture of safety. So in terms of risk mitigation, I always like to ask folks in healthcare security about patching and just kind of like, I would imagine there are prolonged windows of exposures that require compensating controls, et cetera. But just, is this the bane of your existence, kind of this whole dynamic around patching and the FDA's involvement, et cetera? What's the reality? Patching is abhorrent at this point, right? And a lot of places will point to patching as the solution, right? And we write them in our SLAs, right? You know, you must patch a critical vulnerability, right, within one day and write mediums within 15 days. I laugh. We don't have patches for months and years in some instances. And medical device manufacturers may never generate a patch. Your only option, right, is a compensating control. And fundamentally, some medical device manufacturers may not even get you that compensating control for three to six months. And so you're taking on a lot of risk without really knowing, right, when you're going to be able to mitigate. And so you have to take the accountability and responsibility to say, I'm going to implement compensating controls that aren't validated by the manufacturer. And so that's microsegmentation, right? That's a lot of network level controls that a lot of us have moved to because patching is not a panacea. We can't operationalize it fast enough. And I think the OT world is seeing that exact same thing, right? And I think a lot of the same tools are going to be very applicable on the OT side that they are on the medical device side. Has this whole patching dilemma kind of fed this ransomware epidemic across the industry? Is there that exposure that they're leveraging? So most of the ways that threat actors get into systems actually aren't through medical devices. And so we're not necessarily the threat vector by which we get in. Now, we are a vector by which they move laterally throughout our organization. And so I'm not going to say that, right, it's not a problem because it is a problem. But we're normally not, right, the public facing on the internet, right, point of breach. But I will say, right, fundamentally, patching is a tool and we need to be able to leverage it. And so, right, continued pressure to the vendors to go ahead and produce patches in a timely manner absolutely needs to happen. How bad is the ransomware problem? I'm sure you meet with your peers all the time and other hospitals. Is this what kind of keeps you guys up at night? Yeah. And it's not just ransomware for our organization. It's ransomware for our third parties, right? Anything that's going to impact my organization, right? So there was a stat earlier today that Mandian showed us, right, that 46% of organizations have had a third party breach this year, right? That's one out of two. So if I haven't been hit personally, right, I probably have been hit by a third party breach. And so we have to be prepared, right? The theme of this entire session has been resiliency. And it's because we're going to get hit over and over and over again. We just have to become resilient. How hard is it to get visibility into what your partners are doing around security? It depends on the partner. You know, and there are partners who have been very transparent about exactly what needs to happen and exactly what's happening. And then there are partners that are very much, you know, a black box. Sure. And that can be frustrating, obviously. You know, when you're trying to secure an entire enterprise, and even from our perspective, when it's a critical part of our enterprise, right, that we want to make sure we're resilient towards, black boxes are very problematic for us. You know, and it becomes very difficult for us to try and manage our way around. Yeah. All right. So last question, from a risk mitigation standpoint, how important is it to empower users around security? And is it more than just awareness training? Yeah, it's critical to make sure that your end users are definitely part of your security training. Now, there's a lot of research out there that says security training isn't necessarily as effective, right? We have a lot of AI that's now coming out that, you know, emails are not as easy to understand and identify as, you know, malware. So I'm not going to say that we should all throw away our security awareness training. We do need to have it. But I think creating a culture of security awareness is actually much more important, right? Even if it's as simple as empowering your front end users, right? To stop the line when something happens, right? If a vendor brings in a piece of equipment that has something that hooks to the network, right? Empowering them to say no until they've called IT and IT has gone ahead and looked at it. That's incredibly important in your organization. And I think that empowerment actually helps secure, right? Your environment much more, right? Than just relying on IT to be the only point of failure. Right. Perfect. All right. Thanks, Sam. Thank you very much.