This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack (the News): Unmanaged Credentials, CISO Role Shifts, and Chaos Engineering with George Pappas

[00:00:00] This episode is brought to you by Intraprise Health. Make cybersecurity a priority, not a headache. Cyberattacks put patients at risk and cost healthcare organizations millions.

But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable, and they feel little control over the safety of their patients, reputations, or bottom line. Intraprise Health brings together cybersecurity experts with over 100 years combined experience to offer a comprehensive suite of innovative software and services.

It helps leaders finally unlock a unified, human centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives. Visit thisweekhealth.com/intraprise-health to find out more.

Today on Unhack the News.

George Pappas: you can't just go buy some products and say, Oh, we're good.

It was a progressive year over year collaboration, vision, execution, [00:01:00] adapting, adjusting process.

Drex DeFord: Hi, I'm Drex DeFord, a recovering healthcare CIO and longtime cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non-technical show covering the latest and most important security news stories.

Drex DeFord: And now, this episode of Unhack the News. Welcome to Unhack the News. I'm your host, Drex DeFord. And over there is George Pappas, who's the CEO at Intraprise Health.

Say hi, George. Hey Drex, how you doing? Great to be here. Good to have you here. We always get involved in a lot of good conversation before we start the recording, and we have a lot of good conversation after we turn off the recording, and so what I'm trying to do today is get all the good [00:02:00] conversation in during the recording, because there's so many good things for us to talk about today.

And as usual, you've done an amazing job prepping and thinking about some of the articles you want to talk about. You and I have traded a lot of emails, so there's good stuff in the show today. I'm glad everyone's here. And again, thanks for being on. The first article is from Dark Reading.

It's called Unmanaged Cloud Credentials Pose Risk to Half of Organizations, and this article reminds me of all the places I've visited and all the folks that I've talked to. In particular, it reminds me of this conversation around identity. Back in my days, like the service... it's not my days, it's still going on.

Service accounts that have been created inside the network or inside applications that have a lot of authority, non human identities that have a lot of authority to do a lot of things. And we don't touch them because we don't want to upset the apple cart. They were put in eight years ago. We don't change the password because we don't really know what happens if we've changed the password.

So people leave them alone, but it [00:03:00] creates a lot of exposure. And as I read this I have PTSD only for cloud.

George Pappas: No, me too, a little bit. I think that it kind of mirrors, really, the evolution of the last 10, 15 years of software development in healthcare and other fields where you're starting to connect systems to cloud services.

They're new. It reminded me of the certificate expiration problems that would pop up from time to time, right? Oh, I know what you're talking about. Yeah. And so basically I think it's just a symptom of how all these things were built, but then you turn around, you've got 500. A hundred?

A thousand of these? Is there a list? Who manages it? Is it an automated list? Are they connected? The answer is no, right? And how many modules have that little admin account stuck in a routine to access the service, to take the HL7 ADT feed and turn it into something else and all that? All of a sudden, you've got this really hard collection of things to handle.

And it's a [00:04:00] liability in a lot of ways.

Drex DeFord: This is like you are making a huge case for good, documented architecture, right? Because our tendency is to build this stuff over time. We add the next thing, we add the next thing, we add the next thing. We jimmy rig this thing, the new thing, so it will work with the old stuff.

And eventually, like you said, you got a hundred of these things. There's that cartoon that shows like this whole giant machine. And then there's one little peg that's like holding the machine.

George Pappas: Let's be candid. You and I have been in software development a long time, right?

What is the thing a development team likes least to do? I think it's called documentation. Documentation, for sure. And you can talk about agile processes and all that in there. They all have their value, but it's these kind of prosaic things that end up getting left on the cutting room floor that come back to hurt you.

Drex DeFord: One of the things I always talked to my team about was "less Superman, more Clark Kent." This idea that good old reliable Clark came to work every day and did a great [00:05:00] job documenting everything. And as a result, they never had to put on their capes and be Superman, because everything just ran and worked.

And that work is tough for a lot of folks who are very creative to take a breath and do.

George Pappas: That's also where, within a development team, there's no substitute for a really strong scrum master, because that kind of person is half product manager, half kind of development facilitator slash manager, and they tend to have more detail oriented, methodical skills that link with all the creativity to harness it and track it. And as long as you're able to make that a fundamental, and you can capture it along the way, then I think you have a better chance of at least having it in one place and being able to do something about it.

Drex DeFord: It's like there's somebody in the room whose ultimate responsibility is to sweep up all that stuff and make sure that it goes into a file or gets categorized or something like that. This [00:06:00] is a really interesting story to think about how many organizations and how many applications are exposed in this way.

Have you seen anything like this that has blown up in somebody's face?

George Pappas: I can remember sometimes at past companies where it certainly happened, not for cybersecurity reasons, but for expired password reasons of these embedded admin accounts. SSL certificates are a common one, but it's more where people have turnover.

Developer leaves, there's a set of things. They kept them in a little Excel spreadsheet somewhere. It was on someone's admin account, et cetera. And then time passes and you have an issue, you have to go dig it out and find the challenge. And that is a sort of benign symptom of a very real situation.

'Cause the other dynamic here that I think is so dangerous is your classic intrusion into a network where, what do the cyber criminals do? They move around laterally, look for vulnerabilities, look for [00:07:00] things. So they're moving around. They find, oh, this has admin password as the account.

All right. All of a sudden they burrow in the assets, they find a credentialed server or something somewhere in a network or another asset. And it's just another link in the chain of potentially a really serious problem.

Drex DeFord: Yeah. One of the notes that we traded prior to this, you mentioned APIs and monitoring APIs. This is another sort of, another version of this problem, right?

George Pappas: Yes. Yes, and I think that's where you think about a SIEM, all these machine data kind of reading, analyzing platforms. I think this is one area as well where better heuristic AI application to patterns will make it easier for the people inside of a SIEM who are watching thousands of bits flying across the screen to discern a real issue, not a false positive, because too many false [00:08:00] positives.

What happens? Alert fatigue. Exactly. So I think there's a lot of room for improvement there, and this is a good domain for it. So many in cybersecurity to take just enough of that intelligence, put it in the service of a team so you can really see, gee, that API over the last has had XYZ more access.

And gee, those IPs, I think those are from Asia, aren't they? So there's a lot of ways to really screen it in a way that's very human centric and set some thresholds. And I'm sure a lot of these things exist in several products today, but it's a question of how much more finely tuned they're going to get.

Drex DeFord: How do they work together too? Yes. Because if you think about a typical CISO's department, they may have 30 to 50 different kinds of applications that they're running that are specific to security. So sometimes that harmonization, that interactivity and coordination, that's a huge part of maybe a role that artificial [00:09:00] intelligence could play in all this.

This next story is also really interesting to me. It comes from Cybersecurity Dive. It says, the majority of global CISOs want to split the role as the regulatory burden grows. A lot of this is happening, I think, because of stuff that is occurring in public companies, right? New and evolving reporting requirements.

But in a lot of ways, that's where it starts before it flows into other parts of it. So we see this happening in public companies, and it's not very long until not for profits have the same rules and regulations. What do you think?

George Pappas: We see this with so many of our clients. There really are two sides to a CISO role, but they're both critical in some ways. The business risk manager, the board collaborator, the governance facilitator is becoming more important, not less, because having the entity understand the rationale for investment, what does [00:10:00] progress look like? How much is enough? How much is too much? How about this shared accountability for other organizations that are allowing exceptions to linger, right? All that is part of a leadership and a governance function.

And I think it was in some of our back and forth, but I can... A little earlier time when CIOs were considered technologists, and they became business enablers and business expanders. And I think this is following a similar pattern. Then you think about how Sarbanes-Oxley was coming to legislation.

So now what's happening? The SEC is saying, because there are financial ramifications, if you certify to a certain level of cybersecurity maturity, something happens and you have an issue. This is also why, with all of the evidence this year that was, you could say, dramatic around the vulnerabilities in healthcare organizations.

That's why you have both houses of Congress, the White House, and [00:11:00] entities now saying something's got to change. New York will be the first example of that, and we'll talk about that at a later time. Yeah. That it's this measure of you really need both hats. And the other dynamic to this, Drex, is who does that person report to?

Do they report to a CIO, do they report to the CEO, do they report to the CFO, or do you have a general counsel? So that is another dynamic of where is the seat at what table and how do you handle both sides of that equation? Because for it really to be understood at the top of the house, it's going to take some evolution of that based on the size of the organization and its structure.

Drex DeFord: It's interesting. So every time we do a CISO summit, and we just came out of one near Atlanta, that sort of reporting topic comes up, and a lot of it has to do with the size of the organization and who, where, and how complicated the organization structure is. For me, ultimately, it always came down to, it didn't really matter who the CISO reported [00:12:00] to, as long as the relationship between the CIO and general counsel and compliance was one where they were really transparent and worked with each other.

But for me as a CIO, every place that I went, I did my best to break that CISO out of my department and give them independence. And the reason for this was, it goes back to my military days. I was the chief technology officer for Air Force Health, and the CISO reported to me. And in that conversation, at some point I said something like, it looks like we're going to miss our launch dates for the networks in Europe because we have a patch challenge that we're going to have to work through before we actually light those networks up.

And the CISO said something to me to the effect of, I could write you a waiver for that. And I realized at that moment I'm writing the person's ticket and they're doing their best to try to make my life easier, but I don't know that's really what the organization, the big organization, needs.

So [00:13:00] we pushed them out. And what that winds up being for me, in my experience, had been, we had the CISO that did all the things that you talked about: talk to the board, create policy, do all of those kinds of things. And then we had security operations that worked in the CIO's department that did a lot of the firewalls and a lot of the other stuff.

I've heard of that person, when they're the CISO, refer to themselves as the combat CISO, right? Because they're under fire all the time, and they're trying to do that other stuff that they really should be doing. I think Peter Drucker said culture eats strategy for breakfast. And if that's the case, I'd say that tactics eat strategy for lunch when it comes to that CISO gig.

So I think the idea of separation is a good one, but you've got to have the people and you've got to have the attention to make it real.

George Pappas: And your point about culture, the dynamics of the [00:14:00] leadership team really would drive the right version of that choice as well as the size of the organization and resource envelope.

But the other sort of argument, and this will be our next story, is that really true kind of cybersecurity risk management transcends the IT organization, right?

Absolutely.

How you credential providers, how you manage so many aspects of... you're introducing friction into workflow, how you're managing across the organization, the preparedness if something happens.

And so there's so many ways you can actually, and I can remember at an earlier time when we would do these desktop kind of drills, but that was before cybersecurity was really more about an inadvertent HIPAA violation under the HITECH Act, right? So it was a little more, I almost want to call it nostalgic, right?

There'd be a tabletop exercise. The legal team would be there, and it was as much about crisis management and [00:15:00] messaging as it was about the fact that there was a leak, because of liability concerns and all that. But now you take it, sprinkle it with cybersecurity, it's like to the fifth exponent.

So all of a sudden, oh boy, now everything, do we really know how long they've been in our network? Do we know how bad it is? And so that level of organizational intimacy with the right leaders. And then realizing that, you need the company to take this seriously. That's another argument for the more general reporting or more general role.

Drex DeFord: It would be great to say that there is a specific org structure that is perfect for everyone, or a particular alignment that's perfect for everyone. But because every organization's in a different place, this is not the science, but this is the art of what a lot of leaders work on every day: finding the right people in the right mix and the right balance, the right responsibilities assigned to the right [00:16:00] person, to make sure that they cover all their bases and that they don't create some kind of recognized bias that causes them to fail, especially in the heat of the moment when something really important like a cybersecurity event is happening.

George Pappas: Another dynamic that we've seen with some of our clients over the last, really it's become more prevalent in the last 12 months, is that some of our CISOs and our CIOs have more concerns about their own personal liability. They're being asked to attest, I'll use that word, in a more public way, when they haven't had the resources, their budget requests have not been, you know, accepted 12 months prior, 'cause this doesn't happen overnight.

And then, what does D&O coverage handle? What does that look like? And so the ripple effects go through the entire sort of corporate management, governance, kind of liability food chain, if you will. And I think that as some of these laws, like the New York law that has some real teeth for hospitals. [00:17:00] Yeah.

The bills that are in the Senate and the House. There's gonna be more of this now coming to healthcare, not because it's for profit. If you're at HCA, you already have it because you're a for profit entity and the SEC is going to be governing you. If you're a non profit, which a large swath of healthcare is, most, yeah, these things are coming.

Drex DeFord: If we don't figure out how to make this better and do this more effectively, the government is going to help us. Yes. And I use, and help would be, yeah, air quotes. Bye. The challenge, I was talking to Bill about this on another issue the other day.

The challenge with the government helping is that the government is built not to be really flexible and agile. And we pass laws and we write regulations, but they're hard to update and change. And there's a lot of, intentionally in a good way, there's bureaucratic processes in place to make sure that those things don't just get thrown away and new ones get written and nobody had a chance to look at them.

But that process also doesn't lend itself to being in an [00:18:00] environment where the world changes really quickly, and so the policy and the laws have to change really quickly.

George Pappas: Like one of those construction rollers that goes on the asphalt like this, really slow, but when it presses it down, boy.

Yeah,

Drex DeFord: Let's talk about this last story. Main Line Health deploys chaos engineering to bolster healthcare resilience. It's from CSO Online. And I talked to Aaron Weismann yesterday, who's the CISO at Main Line Health, on another topic. And I told him we were going to talk about him today. And he just laughed, in a way that was like, I appreciate that. Somehow the story on us, Main Line Health, won an award from CSO for this concept of chaos engineering. And they talk about a lot of different stuff in the article, but I think he was just appreciative that the article made the hit list. That's pretty awesome.

George Pappas: Yeah, when I read it and you and I were talking about our articles for today, I just thought it was time to show someone who was doing it really well.

Drex DeFord: Yeah.

George Pappas: And a couple of dynamics too, because I dug into the numbers for the health system, and like a lot of non [00:19:00] profits, they have sizable net patient revenue, five hospitals, but they're running negative margins, right? And so people say gee, everybody is basically not making money now.

We all understand non profit accounting and capital budgeting and everything, but the thing that I was impressed by was that Aaron was able to get the company behind this. It took him four years. Another really important aspect of this: you can't just go buy some products and say, oh, we're good.

Yeah, no, it was a progressive year over year indoctrination, collaboration, vision, execution, adapting, adjusting process, and they found the budget to do it. And part of what he did was that he did equate patient safety, access to care, patient dignity, with being more protective of records and of systems and no ransomware outages, etc.

And his rationale, by the way, if you look into the regulation, was exactly the same [00:20:00] rationale that New York State basically relied on to put into place the regulations that took effect in like earlier this month, because they made the point across the 250 hospitals in New York State: access to care is compromised, patient safety is compromised.

So he started there and then he basically methodically brought more and more people into the mix. But I also really appreciated, 'cause our company was the first HITRUST assessor in healthcare, was that he realized that the HITRUST process has enough precision, enough discernment, and enough actual evidentiary validation that you would be safer if you did it.

Because he took the time to do it. We know what that's like. We have processes and products that help, but ultimately it requires the organization to be more disciplined about how it operates. And he recognized the wisdom of that. So that to me was very noteworthy. You called out the chaos engineering part.

Which is [00:21:00] why they received that award, though I think the broader story is a really great one. What I really liked about that is that to me it was a new spin on the penetration test, right?

We have all these varieties of simulated cyber attacks, and we do penetration tests. But what they did, according to the article, and you spoke to them, was they introduced vulnerabilities and let them sit there for a while and see what happened.

Yeah. I had the team used to handling, how they would deal with it. And they identified those and were able to basically address them. The other part of that I thought was just very good common sense was that he recognized that this transition from digital to analog, if something happened, was a real place where everything atrophies, and they had to get used to doing it again, right?

Drex DeFord: Everybody sees that too. That is another one of those like major topics. Every time I sat down with a group of CISOs, that issue of business continuity is not my responsibility as the CISO, but I lose sleep over it every night because I know that we struggle [00:22:00] with that more than we probably should.

But he's built a system for that, right? He does. Yeah.

George Pappas: It was also obvious that he had to get the leadership team on board because, if you're managing the ER and he says to you, we're gonna do an ER simulated attack, I can't tell you where, I can't tell you when, I can't tell you how, you have to be on board with that.

Drex DeFord: Yeah, you do.

George Pappas: Yeah, so that was, it was just a great story about how you can really make progress when so many people believe there's no way they can make progress.

Drex DeFord: Yeah, the long term grind, too, of creating a plan, and executing the plan a little bit this year, a little bit next year. I'm sure part of the plan and the length and time of the initial pass of the plan was tied to resources and money and all of that.

One of his folks in the article even talks about, to your point, you don't just get to go buy a bunch of stuff and put it in and say, okay, we're all good here. One of the folks in the article actually refers to it as [00:23:00] painting a bridge. Like it's never done.

If you've ever read the stories about people painting like the Golden Gate Bridge, it's like you start at one end, you go all the way to the end, back to the beginning, you start over again, because it takes a long time to get the bridge painted. By the time you get to the far end, the first end needs to be touched up again.

And so it's a never ending process. And so that mentality I think that they have too, of being very humble: we're glad we won the award, but that's not the end of it, right? There's still so much work to do and so much work to... It could happen any day, right? Even where we do well, they continue to work on improvements.

I love that attitude. Yeah.

George Pappas: No, that was a great story. And as I read the journey, at least as it was portrayed in the article, you could tell he had to have a lot of presence, great relationships with leaders, and found a way to communicate all that in such a way that they recognized we can't just sit on our hands and say there's nothing we can do.

There are things we can do. And to sustain that over a multi year effort and have, I think there were three or four, sound like [00:24:00] senior leaders in his team that had various senior level responsibilities, that's quite an accomplishment, it really

Drex DeFord: is. It really is. One of the things that you may not know that I think I know about Aaron Weismann is that he's a lawyer.

And so he's trained to think logically and make those connections. And so that all has played very nicely into his role as CISO at Main Line Health. Excellent. Hey, thanks for being on the show today. I love the articles. I always have a good time talking to you, George.

I hope you'll come back again, and I'm looking forward to seeing you somewhere on the road very soon. Yes. Very soon. Sounds good. Thank you, Drex.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, [00:25:00] ensuring you never miss a beat.

Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.