This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] This episode is brought to you by First Health Advisory. Health IT leaders strengthen and streamline your healthcare system with First Health Advisory. They offer comprehensive cyber risk management, governance and security optimization, and strategic advisory services to enhance patient safety and bolster cyber resilience.
Their expert solutions ensure compliance and boost operational efficiency. Visit ThisWeekHealth.com slash First Health Advisory today and elevate your cyber strategy with First Health Advisory.
Today on Unhack the News.
We should not be afraid to communicate with each other.
Build those bridges in the good times. So when the bad times happen, I, as a nurse will come to you and escalate my concerns.
Hi, I'm Drex DeFord, a recovering healthcare CIO and longtime cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's [00:01:00] 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non-technical show covering the latest and most important security news stories.
And now, this episode of Unhack the News.
Hey everyone, it's Drex and this is Unhack the News. Brad and I have been having a good conversation actually before we clicked record, and so it's always fun to hang out with you. It's Brad Marsh from First Health Advisory.
How you doing, Brad?
Doing well, Drex. Glad to be here.
You know, this is your first time on the show, right?
I think it's on this one. Yeah.
Yeah. First time on Unhack the News. Tell folks a little bit about yourself and what First Health Advisory does, what you're working on right now.
Thanks. So Brad Marsh.
I'm the executive vice president for government, health and security technology at First Health Advisory. I'm a retired Army nurse with a cybersecurity background, and I spend most of my time working both in the commercial sector and in the government [00:02:00] sector, everything from clinical informatics all the way through endpoint security, IoMT and security in the environment of care.
What's unique is I'm a nurse with that cybersecurity perspective, so I make it my mission every day, Drex, to engage with our clinicians to impart the cybersecurity capabilities that need to be there for our own safety to continue to take care of patients. But then also I relate the clinical perspectives back to our cybersecurity professionals. So really it's that Rosetta Stone between these two significantly different bodies.
We were talking earlier. I'm a retired Air Force officer, you're a retired Army officer. We talked a little bit about the places that we have been deployed and how I'm barely sure we chewed some of the same dirt at one time or another. But this overlap of the work that you did clinically and the work that you do in cybersecurity.
There's a lot of parallels that are drawn there, right? It's about [00:03:00] patient safety. It's about making sure the data is available to be able to give great care to patients and families. It's interesting to see that overlap in the focus that you have and how you've brought that together here.
One of the things that we like to say with my company is cybersecurity is patient safety. As a clinician, we have the five rights of medication: the right medication, the right patient, right time, right reason, right route. Those kinds of things apply in the cybersecurity perspective as well.
If I don't have the right data about the right patient at the right time for the right reason in front of the right practitioner, I could harm my patient. And so really that's where we bring that fusion together between cybersecurity and patient care.
Yeah, love it. Let's hit on a couple of news stories here.
A really interesting story from BleepingComputer. This is a story about a ransomware gang that encrypted a network. This wasn't specifically a healthcare story, [00:04:00] but I like to use some of these other stories too, because sometimes they're just good lessons.
It just hasn't happened to us yet. Right? The ransomware gang encrypted the network going through a webcam, bypassing EDR, because an endpoint detection and response client couldn't be placed on that camera. You guys ever see anything like this?
If we go back many years, at one of my first HIMSS, in around about 2015, I was attending a talk and Beau Woods stood up there and he talked about finding ATM hacking software on a chip on a fetal monitor.
What's interesting is there's not a lot of people that understand that we're using the same chipsets across multiple industries, across multiple infrastructures. When we see this kind of thing, it should not surprise us. Now, according to BleepingComputer, they got access in, again, through something on the IoT.
It's an Internet of Things device. It wasn't a person behind a keyboard on the network, [00:05:00] and it was unable to have an EDR put upon it. Now, if we pause there and look at our healthcare infrastructure, let's look at medical devices. I don't know many IV pump manufacturers that allow people to put EDR software on the device.
Absolutely. It's one of the challenges that generally we have with our medical devices across the board and how we can secure them.
And that is when I use the term environment of care. That's what I'm talking about. It's the patient in the bed. By the way, the bed is pulling an IP address. Mhm. The IV pump.
There's roughly, and it's a normal multiplier, about seven devices per bed in a hospital, right? So when we start to look at that, IV pumps, ventilators, all of those things are drawing IP addresses. All of these things can be this. I'm not all about the fear, uncertainty, and doubt. That is not my [00:06:00] thing. There are capabilities out there that can help monitor.
When I was with 1st Brigade, 25th Infantry years ago in the Army in Mosul, one of the things that then-Colonel Brown, now General Brown (retired), said was: we need to see first, understand first and act decisively. That has always hung with me as a key thing that we can do. If I bring you something that will increase fear, uncertainty and doubt, I want to bring with me a capability that says, hey, not all is lost.
Know what is on your network. That is the "see first." You need to see everything, whether somebody is touching the keyboard or whether it's living on its own in a happy little subnet. You need to make sure you know what's there. Understand first: understand where it's going, understand what it's connecting to.
There are multiple capabilities out there, and we'll never talk about a [00:07:00] specific vendor. There are always capabilities out there to see and inventory this and to watch where these devices are going. You need to understand where those devices are going, what they are doing, what is the protocol they're using, what ports are they using. Monitor that.
Because you need to understand what normal looks like, right? And you have to know from day one. And then as soon as you deviate from normal, that's where you act decisively. You have to engage, but as IT/IS people, you can't just engage without pulling in your functional people. You need to bring in clinicians.
The devices we're using are literally keeping people alive, so you have to be able to act decisively with your clinical input. That's why I'm a nurse with a cybersecurity background. We have to know which clinician to bring in at what time to see first, understand first and act decisively.
Yeah, that's great feedback. We used to talk about with my [00:08:00] teams: lab and rad and pharmacy and nursing and docs are partners to be engaged in the provision of great care to our patients and families. So this partnership, not being isolated in that conversation when you see the bad thing happening, having that partner that you can pull into the conversation to make sure that you're not going to do something that's really going to mess up operations, really going to hurt a patient.
When you look back at your experience, and I know I have followed you for years, so I've paid attention to that, I think one of the things that I would absolutely put in there is most executive leaders don't know how an IV pump normally looks. The people that will tell you if it's deviating from normal, if you don't have one of those spiffy technical devices, that is the nurse at the bedside. That is the respiratory therapist involved at the ventilator. It's the biomed [00:09:00] technician. We need to be building those bridges before what we would refer to as left of boom.
Boom being the cyber event, left of boom is before it. We need to be engaging. Most clinicians I have found are resistant to meeting with the IT/IS departments. They don't feel comfortable doing that. And I think that's really one of the things that I really want to keep pushing forward: we should not be afraid to communicate with each other.
Build those bridges in the good times. So when the bad times happen, I, as a nurse, will come to you and escalate my concerns.
Because I already have a relationship. Yeah. Perfect. We could talk about this all day, but I'm going to move to the next story. It's from Dark Reading and it says cybersecurity's future is all about governance, not more tools.
And I think that this whole conversation kind of flows right into this next part of the conversation. It's not [00:10:00] necessarily about buying more stuff. It is about the relationship and the prioritization.
Absolutely. I think one of the biggest things that I am concerned about, and it's interesting because we do services, we do sales.
Sure. We sell different software. We were asked to sell this organization a new software. We actually said, hold up, let's operationalize what you've got first. I will tell you it was a less expensive thing, because while we could have sold something, it wasn't important to do that. What was important is we have to get this right.
And then what's really more important is getting the governance behind it. Just buying software, just buying tools, it's the old check-the-block. And that's exactly what the article went into. It talked about checking the block. We need, as clinicians, as cybersecurity professionals, as cybersecurity clinicians,
we need to be advising the board. We need to be there, and we need to make sure we are making the maximum use [00:11:00] of what we've got. Budgets are tight. Profit margins are practically nonexistent. We're seeing funding challenges coming in, be it through Medicare, Medicaid, other federal funding. There's a lot of uncertainty there.
But what's important is we have a lot of the tools. This is where, as a team, we need to come together and identify what it is. Not saying to be a blocker, but the governance, as we saw with NIST CSF including governance.
Now it needs to be part of our normal thought process. The CFO needs to be able to see if there is a benefit for the finance side from security devices. There's stuff there. We can reduce risk outside of normal cybersecurity with some of these devices. And it takes people to look at this in an asymmetrical methodology.
You and I, when we were talking before, we talked about different things we did in our military careers. And sometimes you have to be [00:12:00] creative with what you're doing,
right?
That's really where you need to rely on your SMEs, your subject matter experts. Pull them in and say, okay, we're doing an Apollo 13 hackathon. Hey, we got to get this square filter into this round hole, figure it out.
You've got three hours. We might have to do that. What inventory do we have of our capabilities? What tools do we have? What are our unmet needs? And how can we rationalize with what we've got first? You rationalize, operationalize, and then you modernize. But it has to be deliberate. And it has to be involved in governance.
We have to make sure everybody is on board. Because if we operate in a silo, we end up breaking the business. And that's the problem, because then we can't deliver care, which is what we're here for.
Yeah, and it comes back again to these partnerships and relationships that you have both inside the organization and with your vendor partners outside the [00:13:00] organization.
Just touch on this really quickly. Talk about risk, because I think there's a lot of organizations who still really struggle with understanding the risk that they really have in their organizations.
When you look at risk, go back to the CT scanner analogy. So I'm an emergency nurse, a certified emergency nurse. And I was at a stroke center, which has specific slice parameters that have to be met. We had two CTs, one that was the hyper-specific and one that was less. Everybody evaluated them as the same. If the specific one went down, we had to go on divert because we could not get to the specificity needed to be able to make that diagnosis. If it was not understood elsewhere, it was understood on the clinical side, all night and day. The CMO knew this. They understood what certifications they had and what they needed to maintain it.
The IT and biomed department saw that we have these two devices, way different. Oh, if that one goes down, we've got this backup. Back to relationships. By [00:14:00] ensuring that we share the knowledge across multiple verticals, and we say, hey, look, this is the composite risk. What can we do to mitigate that while still providing care?
I've been really focusing on this. My CEO and I sit down regularly and we talk about this. I have been concerned with downtimes. Downtimes happen regardless of whether it was a cyber incident or maybe a dump truck took out the fiber. Right. A variety of things can happen. Because you cut the internet, you've got a DDoS attack, whether it's in per... Right.
Denial of service. So when you're talking about those things, when you're talking about the all-hazards approach, you need to look at the cost overall. Yes, everybody is worried about your name getting associated with a cyber breach, your name being associated with potential patient harm. That is an impact.
That is a financial [00:15:00] risk when you're in downtime. As a nurse who has gone through multiple downtimes in my career, it used to be on paper. We used to have to manage those paper records, and coding and billing was based on what we wrote. So we had to go back and update our notes and revise and make sure that we are getting the credit for what we're doing in downtime.
How many of these organizations have looked at their denial rates? It's probably as important, because they're trying to pay either a possible ransom or possible mitigation for ransom. They're not thinking about the other costs here. Really, that's what I have been focusing on: our ability to deliver on that.
So I actually brought in coders, and I've got a forensic coder, which is really cool, to look at why. What is this? So what? How is this impacting that environment of care? It's the full spectrum from the time a patient walks in to the time that it's paid. All of that is impacting. And it goes back to what you were asking, which is risk.
We need [00:16:00] to know the complex risk. We'll have to decompose it into its components, but it comes to be a complex risk that, okay, are we willing to take this off? And if we fail, do we fail like the Hindenburg or do we fail like the Miracle on the Hudson?
Yeah.
Both of those involve an air catastrophe. One of those had everybody walk off that plane.
Yeah. Yeah.
These are the things we need to consider. We need to be a resilient organization. All of us, my company, hospitals, your company, we need to be resilient. Because the threats are emerging. I saw additional articles coming out about Black Basta and how their messages all got leaked. You have a great analogy, and I want to make sure that you go into your analogy, because when you said it, I was like, ooh, I like that.
They're decentralized as well. They're going to be coming after us. They've got people like me sitting there thinking of new and unique ways to do things [00:17:00] in a nefarious manner that compromise our security and say,
Sure, they're also trying to be resilient, right? And so the last story is around these Black Basta chat messages that got leaked.
But they're thinking the same thing. They're trying to share a lot of information, trying to understand how to be as good as they can be, how to code as high as they can code, right? To make sure that they get paid. For as good as they actually look, they are businesses, and they're also talking to each other about different products and different companies and things that they're finding as they attack cloud services and all of that. They're in high-speed relationship building and communication too.
It's not just us. The bad guys are doing the same kind of work we're doing to make sure that they can make as much money and do as much damage, in many cases, as they can.
Yeah, and it's that not everybody can have the expertise in-house. So they've got to go out and get it. They've got to be able to share that.
And that's where, [00:18:00] improving our resistance, our defense in depth, absolutely, that is an essential priority, but then we need to be able to be resilient in depth as well, because your clinicians that are on the ground, they will look at you. And I know every CISO that is listening to this podcast is saying, they will say, all I want to do is take care of my patient, because that is every clinician. Anytime I have brought up cybersecurity, I get, oh, I just want to take care of my patient.
That's what they want to do. Guess what? That's what we want to do too. Because patient safety is cybersecurity and cybersecurity is patient safety. And so we need to keep tying that back around saying, yes. So when we have to go to a downtime, does everybody know it?
It's all about pulling back into this conversation about how do you talk about cybersecurity in the language of the person that you're trying to talk to about cybersecurity. You have to use their concerns and their challenges to help [00:19:00] them understand why what you're doing is actually really important to them and patients and families.
And so as a nurse, we talked about this earlier as well, as a nurse, I had to be able to talk to patients and meet them where they were at. I can't go to my patient who is extremely obese and say, I need you to go run a marathon.
You're not, yeah,
That's not realistic. What I was able to do is say, what do you do now?
Okay. What if we did this one thing? What if we did this one simple improvement? Every time, one more thing. Just keep building upon it. When we talk cyber hygiene, we expect sterility. We expect them to be totally clean. But when was the last time we asked them?
Hey, what is your understanding? Not for us here at the hospital, but you at home. Do you understand why it's important to encrypt your packets? Do you understand why it's important not to connect to that public Wi-Fi unless you've got some security in there? You [00:20:00] have to meet them where they're at and what matters to them.
When we started the gel-in, gel-out capability in the hospitals, did I tell people they had to take a shower before coming into work? No, there was a foundational level of cleanliness. All I did was add one more thing on. But in cybersecurity, I am expecting them, with no foundation, to be on the third floor.
Not realistic. So let's get back to some basics,
right?
Let's start talking about, hey, what's in it for me? What's in it for you? How do you take care of your family, yourself, the things that matter to you? If I can help you understand that, when I say, hey, now in the hospital I'm gonna need this one more thing, it's less of a step up, right?
And we start to build on it. That's why the CPGs are out there.
Yeah.
There were many out there that felt that the CPGs put out by the Health Sector Coordinating Council, that [00:21:00] they were, oh, they're not enough.
We know, a good start. Yeah.
We have to get the foundation. When I was on the Healthcare Industry Cybersecurity Task Force report to Congress in 2016, I was supporting Dr. Lauren Thompson at the time while I was active duty.
And working with Josh Corman and the rest of the HCIC team, that was one of the things we were working on, trying to make sure that there was a foundational knowledge, because of the workforce. We're losing people. We don't have the people we need to do what we need to do. So in order to get there,
We need to start with a foundation.
Yeah, I feel like I say this a lot of times to my guests. We get into it and we could record for two hours, but we're out of time. I really appreciate you being here today. Brad Marsh from First Health Advisory. It's really great to see you.
I hope this isn't the last time we do this.
I look forward to the next time, Drex.
Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest [00:22:00] stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.
Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus.