This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Omnissa is the digital work platform leader, trusted by thousands of organizations worldwide as the former VMware end user computing business.
It enables IT teams to provide secure, personalized experiences for every employee on any device. The Omnissa platform integrates multiple industry leading solutions across unified endpoint management, virtual desktops and apps, digital employee experience and security, plus compliance based on the trusted Workspace ONE and Horizon product families.
Check them out today at thisweekhealth.com slash Omnissa.
Bill Russell: Today on Newsday.
Josh Tacey: it really should be the conversation of not necessarily network segmentation, but how do we do a better job protecting those credentials so that even if we do get hit, they can't escalate themselves to a role within active directory, where now all of a sudden they're everywhere. Right?
Bill Russell: My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are [00:01:00] dedicated to transforming healthcare, one connection at a time. Newsday discusses the breaking news in healthcare with industry experts.
Now, let's jump right in.
(Main) All right. It's Newsday. And today we are joined by Josh Tacey with Omnissa, Enterprise Architect for Healthcare. What direction we want to go here. We could talk about a lot of things. You're very familiar with a lot of stuff, especially on the security side that's going on.
There's a WittKieffer study that I sent over to you that was interesting. It's gotten a lot of traction based on the article I just wrote about it. Let's start with the proposed HIPAA security rule that's sort of sitting out there now. My understanding of the security rule, when it first came out, I was like, oh my gosh, I can't believe this.
But then we had administration changes and those kind of things, and it became kind of murky where this was going to go. Do we have clarity on where this, before we talk about it in more detail, do we have clarity as to where it's going to go with this administration?
Josh Tacey: We don't, but we do know that, [00:02:00] public comments were issued and were closed.
So, we are now in the kind of rule making process where the administration is taking in those public comments. Now, if we ever see the final rule kind of published, that remains to be seen. But talking with my colleagues throughout the industry, the general consensus is that we will see a final rule issued for this.
We just don't have a known as to what the timing will be.
Bill Russell: Well, we've had major groups come out against this. We had CHIME and others send letters to HHS and to the president asking them to rescind the rule. Why such a reaction? What's in the rule that we, as healthcare systems, would be concerned about?
Josh Tacey: I mean there are a lot of things in this rule, and I don't think that those organizations necessarily were against the overall spirit of the rule, which was to improve cybersecurity throughout the industry, which I don't think anybody is going to argue is a bad thing. But the rule itself [00:03:00] included a lot of provisions, especially around things such as kind of a business continuity.
So one of the things in there was to, in case of a cyber attack or a breach, be back up and running and be able to practice medicine at capacity within 72 hours. And that's a tall ask for many organizations. So that was just one of the things in there.
Another thing that was in there was really around network construction and how to kind of segment out the network. And those are all things that are going to require a very heavy lift throughout the industry, and are going to require a lot of effort, a lot of time, and obviously a lot of money to get it done.
So, I think that's where a lot of the anxiety comes in, is not necessarily the spirit of the rule, but the implementation timelines and the amount of work that it's actually going to entail.
Bill Russell: I agree with you. I don't think, I don't, no one would say that CHIME is against moving cybersecurity forward or the American Hospital Association or any of those.
They're absolutely for [00:04:00] security and privacy and those kinds of things. But it is the burden on the health systems that every time a rule comes down, there's a significant burden on the health systems and they have to spin things up. I used to tell people that, I only controlled two thirds of the projects that we were going to do every year because a third of which were spun up by the government.
Like they just, they changed some rule, they changed something, and, oh, well, we've gotta redo how we're doing sharing. We're gonna redo how we connect up our practices, whatever, based on whatever they happen to spin up at DC. And so DC, or in our case Sacramento or Austin, because we were in several states, and I feel for some of these health systems, because they're in 25, 24 states and they don't only have to keep an eye on DC, they have to keep an eye on 24 different state legislatures, which may or may not decide to change things based on something that's going on in those states. So, yeah. And so that's a [00:05:00] major consideration. So the public comments period is done. Let's talk about some of those provisions.
I'll come back to the 72 hour. No, I'll start with the 72 hour one, because that's probably the most difficult one. We've done interviews on our show of health systems that have been ransomed. On average, to get back to EHR functioning again, this can be pretty broad, but it's two to four weeks essentially for the EHR to get back up and functioning.
And so you had Judy Faulkner stand on stage last year and propose a, what's the best way, I forget what the terminology was, but essentially it's Epic Light, an Epic snapshot type thing that you can stand up and you could technically meet the rule and be functioning, like you could look up records and that kinda stuff.
But it's not a full functioning Epic by no, not
Josh Tacey: by a stretch.
Bill Russell: Any stretch. I mean, is that the direction we're looking? We're looking at, we can stand things up and actually function, but we're limping [00:06:00] along.
Josh Tacey: Yeah, I think that's where you're saying, you mentioned Epic and I know the other major EHR vendors are looking at kind of the same thing, as what can be provided right at a very near term, very almost real time kind of perspective when things have all gone very wrong, and get patients seen, get people in the door, make sure your ORs and ERs are still functioning while you kind of reconstruct the overall IT landscape, because that's just going to take longer.
Bill Russell: But on the flip side, Epic's out telling people go back to thick clients. It's like, okay, we want to help you to get back up and running quickly, and we want to go back to thick clients. Well thick clients, if they actually ransom the entire environment
Josh Tacey: you're not fixing 30,000 machines in 72 hours.
You're, you're not. Right.
Bill Russell: It's almost an impossible act. It's sort of a, I'm glad I'm having a conversation with an architect. Because I mean, you just get that, you're just sitting there going, well, I have to send people out to touch 30,000 endpoints. That's just not gonna cut it. In the thin client world, though, [00:07:00] I could fix that and turn those things back up and running.
I mean, because we could just spin those things up, spin those down if they're compromised. They're compromised. I mean, you could just, essentially just
Josh Tacey: salvation is a reboot away, so to speak, right? If you're doing a published app kind of regime, or you're doing a virtual desktop or those types of centralized technologies, then yes, at worst you might have to recover those.
But that's not recovering 30,000 of anything that's recovering one image or two images and getting those back up and running, it becomes a much more feasible task than an entire fleet of machines.
Bill Russell: Yeah. And I could create a clean room with all of my desktop images ready to go at a minute's notice.
I hadn't heard about the network segmentation, and because amongst architects, amongst CTOs and others, there's a lot of different philosophies around network segmentation, how to do it effectively, how to do it properly. There's no like common way to approach this that I've found.
We know that network segmentation is good [00:08:00] because in theory it keeps people from moving horizontally across the network. I'd say in theory because over and over again, even across segmented networks, they've been able to traverse horizontally. And I asked somebody about that because it didn't make sense to me.
And I said, look, there's still a whole bunch of services that need to traverse horizontally, laterally across your network. I said, well, like what? He goes, Active Directory. If you can get on that stream, if you will, I mean, if you can get on that stream, he goes, they ride that across the entire network. And I thought, oh, that's really interesting. So no matter how much you segment, you still create a way for traffic to traverse the entire thing. And so now I hear people talking about even segmenting their Active Directory.
So you have different nodes in each one of the segments and whatnot. It is a complex thing and it's not like a, that, that's why I'm wondering how you write it into legislation, like you will segment your network. [00:09:00] Well, okay, it's segmented. You will segment it in this way. Well, is that the best way?
And will that stand the test of time? And if you tell everyone to segment it the same way, doesn't that help the attackers? Like they have a blueprint, right? They have a
Josh Tacey: perfectly good blueprint for everything. Yeah. And so that, that's one of the feedbacks, when we read a lot of the public comments, especially, right, the larger organizations.
Because the rule actually just says, require network segmentation. That's it. That's all it says. Yeah. And so to your point, that could mean many different things to many different organizations, and also to your point, this is why we see cybersecurity attacks. These aren't the old school, kind of the yesteryear's worms that attacked the actual Windows.
Right? They're going after Active Directory. That is the first target, because everything is Active Directory authenticated. You can have all the fun network segmentation you want, but everything needs to talk to AD. It really should be the conversation of not necessarily network segmentation, but how do we do a much better [00:10:00] job protecting and doing a better job auditing kind of privilege escalations within the network to make sure that me as an administrator, right, even though I may have the ability to get more rights inside Active Directory, inside the organization. How do we do a better job protecting those credentials so that even if we do get hit, they can't escalate themselves to a role within Active Directory, where now all of a sudden they're everywhere. Right? How do we keep them contained, not necessarily contained, but keep them away from services that touch everything and try to keep that blast radius down. That becomes important.
Bill Russell: I'm pinging AI right now just to get some of the key provisions of this thing. Because I haven't been keeping up on it. So you tell me if I'm hallucinating here or not. One of the things, access control is pretty interesting to me. 24 hours after termination of an employee, you have to, what's that? Terminate a HIPAA workforce member's access within one hour after the termination of employment. My gosh. We [00:11:00] used to do that. Like the minute, well, that's when we knew something was happening. That's an interesting one. With each one of these, my question to you is, how are we gonna measure this?
How are we gonna enforce this?
Josh Tacey: One of the provisions of the rule is around kind of, not necessarily the enforcement, but kind of the auditing of being able to, because right, the old security rule said you had to have all these things, but there was no mechanism to like annually check.
Right? It was, oh, okay. We had to do a disaster recovery table read, but that doesn't really mean anything. Right? We all just sat around and said, okay, these steps seem to make sense. Part of the rule is that this becomes, to your point, how do you actually audit this? Well, part of the rule is to actually test your procedures to make sure that they work, so that, yeah, you're right, an hour after an employee's been terminated, how do you actually know that their access has been revoked?
As we get more and more into like federated authentication and single sign on and all these things that are really good for [00:12:00] password fatigue and clinicians typing in passwords over and over again, right? These all help the day-to-day operations. The problem with federated identity is that all of a sudden, that lag time, potentially, right, the lag time between you being terminated and all of your access being removed, starts to slow down because,
Bill Russell: yeah. Some of
Josh Tacey: those authentication tokens live for longer than you might necessarily want them to in that particular instance. Right. It's balancing the normal, like clinician kind of ease of use and security. We always have to walk that line.
Bill Russell: It's tough. This one doesn't make sense to me. I mean, let me rephrase this.
This one's not gonna age well, and it says in a reasonable, appropriate time period. Patch critical vulnerabilities would be 15 calendar days of identification, high risk vulnerabilities requiring patches within 30 days. I don't think that one's gonna age well. I think in like three to five years, people are gonna be like, can you believe they gave them [00:13:00] 15 days?
Exactly. A critical. That's forever, right? Because Drex and I have had conversations on the show talking about the use of AI to create attacks, and so we're monitoring those vulnerabilities, they're monitoring those vulnerabilities as well. They get notified, they take that, they put it into this thing, they create code and away they go.
If you give them 14 days to attack, or 15 days to attack, or 30 days to attack the, known vulnerabilities. And I'll tell you the other thing is it's not hard to figure out what key applications you're using because that's fairly public information.
And so if you're an Oracle Cerner client and there's a critical vulnerability. I can give you a list. I mean, I could search right now and within 15 minutes give you a list of everybody who's on Cerner, Oracle in the United States, and then I could just start those attacks.
Josh Tacey: Yeah, it is very easy, right?
I mean, you really just gotta look at, what are those public facing, like me as a [00:14:00] patient, right? What website am I using for those particular health systems? That will tell me a lot. Are they Epic? Are they Oracle, Cerner? Are they Meditech? Or whatever those major organizations are, right? You can find out a lot of that information, and to your point, really what's scary about the 15 days or the 30 days is, right, there's always going to be those very high-end organizations that take those zero day vulnerabilities and they can do something with them. Right? And those are usually highly targeted.
They're going after very specific organizations. And those are very tough, but at 14 or 15 days, that information gets democratized across the internet so that any bad actor, whether they're well financed or not, all of a sudden has those tools to run those attacks. Right. And that's where it becomes much scarier, right?
Because it's always gonna be difficult to go after the non-state actors that are very well financed and very good at what they do, so to speak. But when that information gets democratized and spread, that's when it becomes really scary.
Bill Russell: Some of this stuff to me is basic [00:15:00] blocking and tackling.
So when I was doing turnaround work, I would go into organizations and they would invariably tell me how, their infrastructure's really good, but they're just having a problem over, just, over, just focus over here. This is the problem. And I would ask 'em some basic questions like hey, can you gimme an inventory of all your systems?
And they would say, well, and they'd give me a report of the, here's the inventory plus or minus 15%. I'm like, plus or minus. That's not good enough. Like you just gave me an inventory of 200,000 systems plus or minus 15% is a lot of systems that could be either on or not on this thing, and you're responsible for anything on the network.
To be making sure it's patched, fixed and all this other stuff. So I would ask 'em questions about, patching and they'd invariably say, well, here's our policy. And I'm like, all right, so if I go to all your servers, you're gonna be within that policy. Oh no, we're nowhere near that policy, but that's our policy.
It's like, okay. So those things are indicators. If I saw this thing coming down the road and [00:16:00] it's gonna be amazing to me. Because what's gonna happen is this is gonna get approved. And a whole bunch of CIOs are gonna be like, how do you expect me to do this? We've been talking about this for about a year now.
I mean, this was the Biden administration. Alright, so we've been talking about this for about a year now. So you've had a year run up of, hey, this is what they're commenting on, instead of waiting until the end to go, what's going to be there? Most of it's really good practice. It just is. It is good practice.
Yes. Yeah. It shouldn't be like all of a sudden like, how am I gonna do this? Not only have you had a year, you've had like the entire tenure of your leadership to get this stuff in place, because this is the basic blocking and tackling.
I mean, they're not putting something out there that's crazy. Business continuity within 72 hours. I understand how hard, trust me, I understand how hard that is. Given the number of systems and the complexity, it is extremely difficult, and very smart people are working on this problem and making strides, but that's sort of the point.
They're [00:17:00] working on this problem. I shouldn't ask you what's your plan to get to 72 hour business continuity and have you look at me and go, well, that's just not possible. Some faction of business continuity is possible within 72 hours. Yeah. Figure that out. So anyway that's my 2 cents.
Where do you think this is gonna go and what's your advice to health systems?
Josh Tacey: Where do I think it's gonna go? I think we're gonna see some flavor of this rule get approved regardless. I think it's going to happen. The same advice that you just had there, I agree with, which is 95% of what is in here is just good security practice and everybody should be working on this. And when and if this gets approved, none of this should be a surprise. Right? Everybody should be having written procedures for patching. Everybody should have a business continuity plan, because at the end of the day it's a business, right?
We do healthcare, we help patients. These are all just good practices that everybody should be following. Because no one wants to end up on the news, right? Everybody gets way too much mail already for breach notification. So anything we can do as an industry to tighten this [00:18:00] up, regardless of whether it is a law, a rule, it's just good practice and we should all be doing it.
Bill Russell: What's some architectural practice that you see in healthcare that's just every now and then you see it and you just sort of scratch your head and go we should be moving beyond this.
Josh Tacey: So one of the things we do see very popularly is around kind of bring your own device and mobile EMR applications. We see a lot that there are organizations still allowing their clinicians to download and utilize mobile EMR applications on their own devices without any form of device management or any oversight of those devices, right?
They're just able to go download the apps and sign into the applications. And I understand that the apps are constructed in such a way that PHI shouldn't get on there, but because you have no control architecturally, you can't guarantee that. And so we see a lot of organizations that are doing that and it's somewhat concerning, right?
Because it's kind of the wild west of devices at that point, and [00:19:00] you don't know what you're gonna get.
Bill Russell: Security is one of those interesting things. I remember early on in the days of the internet was my first exposure to security, and we somehow, somebody in this organization had put a web server they thought was inside the firewall, within the whole sandbox, DMZ.
Yeah. The
Josh Tacey: sandbox.
Bill Russell: Yeah. And it was actually outside. And I thought, oh, well, we're gonna have to move that inside. Well. I think it was outside for like a day. And by the time we looked at it, it had been attacked and infected by a thousand different directions. And that was just one day sitting on the open.
Mm-hmm. On the open web. Now this was way, way back. This was back in early internet. So around 2000 or somewhere around there, you get the idea? Sometime around there. It's interesting to me that we still don't have a basic understanding of how security works at the technician level, and so we're like, well, it has this on it, we're secure. And I'm like, well, [00:20:00] if you really understood security, you would understand, we need to have, different levels on top of these things. Now you're not saying you wouldn't allow bring your own devices. You're saying that there needs to be stack around it.
Josh Tacey: Yeah. There needs to be some defense in depth, some control, some security, right? Or at the very least, the auditability to understand where your data is. To enforce the inventory side of it, architecturally, we know that there's lots and lots of healthcare organizations that have no good inventory of where their PHI is potentially within their network, where they have a big, giant fleet of machines.
They have all these services. They got really nice firewalls sitting out on the edge and they're going, okay, everything is good. I've protected my organization from the big bad internet, and there's not a lot of attention paid to looking inside, looking to see where things can go within the network, within the organization, and [00:21:00] less and less visibility. Or you see architecturally that everybody says, okay, we have all of these great security tools.
They're dumping all of this information to the SIEM of your choice. But then it's information overload. They have these security teams looking at all of this data and there's just all of these alerts and things coming in, and it's just way too much information and there's no good way to distill what is actionable, right, to what is actually important.
Because you see these attacks that could be very easily stopped by, if we just had simple tools to flag like, oh, an account was created. Let's cross-reference that with our HR system. Oh, there was no person that was hired by that name at the same time this account was created. That should be a problem,
right? It is very simple kind of connecting tissue that we're very much missing.
Bill Russell: It's gonna be interesting to see how architecture adjusts and morphs moving forward. One of the problems I had at St. Joe's when I was there is we had that problem of the log files and too much [00:22:00] information. Our security team couldn't get ahead of it and that kinda stuff.
If you gave me that same problem today, I would fire up an army of AI agents, which would be combing through those log files and everything else, identifying the actionable items and surfacing them. And I think that's built into a lot of those tools today. I wouldn't have first of all, I mean the team made me aware that, hey, we don't have enough people to look through that stuff.
And we didn't give 'em more headcount. Because it's not like, I mean, that appetite is insatiable. But now, combing through those logs, not only is a human subpar at doing that over an AI agent, but an AI agent can comb through logs, do the cross-referencing against the list of systems that you have.
It can go against the CMDB, it can go against your ServiceNow infrastructure and all that other stuff. It can give you a ton more information, cross-reference a lot more stuff, and it can do that almost, not instantaneously, but in a matter of [00:23:00] minutes, seconds or minutes, versus a human that's going to take hours to do that same task.
Josh Tacey: Agreed. I think we just need to kind of mature that forward of, yes, there are plenty of AI agents that can do that, but we need to mature that forward where it's very easy to consume and easy to deploy. because a lot of that is still very bespoke and very kind of handwritten. As you see, different teams do different types of automations.
We need to kind of mature that, so it's much easier to kind of expand out.
Bill Russell: Cool. Hey Josh, thanks for coming on the show. Appreciate the time. Yeah, of course.
Josh Tacey: Absolutely.
Bill Russell: Thanks for listening to Newsday. There's a lot happening in our industry, and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com slash news.
Thanks for listening. That's all for now.
[00:24:00]