This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
UnHack (the Podcast): A Peek Behind the Health ISAC Curtain with Sahan Fernando
[00:00:00]
Drex DeFord: Today on the UnHack channel with me Drex DeFord
Sahan Fernando: that's part of our philosophy is make it harder for them to do, the low cost stealthy stuff, force them into higher fidelity channels so that we can catch them.
Hey everyone. I'm Drex and this is UnHack the podcast. Today I wanna bring you a conversation that I've really wanted to highlight, and that's Bill Russell's interview with Sahan Fernando, the CISO at Rady Children's. This is one of those discussions that gets right to the heart of what healthcare security leaders are dealing with day-to-day.
It's exactly the kind of mostly plain English, mostly non-technical cybersecurity and risk discussion that we all love to eavesdrop on, so let's jump into it and hear what they have to say. Here we go.
Bill Russell: Today we're joined by Sahan Fernando, CISO, Chief Information Security Officer for [00:01:00] Rady Children's Health out of San Diego, I guess out of San Diego.
And Orange County, Cal. It's Southern California now,
Sahan Fernando: right? Indeed, yeah. We're fortunate. We serve pediatric populations for inpatient and outpatient, not just everything kind of south of Los Angeles, but we have patients coming in from all over the world.
Bill Russell: Yeah, children's hospitals are the coolest places on the planet now.
You don't want to be there for obvious reasons, but it's still when I was at St. Joe's, we were connected to CHOC Children's in Orange, California. And, man, I'll tell you, it was a stark contrast. Like you walk in there, beautiful paintings. It was bright, it was cheery, and then literally our buildings were connected.
And you walk through a hall and it's like you entered like the 1950s and everything's in black and white. And like, we need to do something with the non children's hospitals, like hire a painter or something and make them more bright.
Sahan Fernando: Yeah, absolutely. It is funny though that [00:02:00] you bring up that story because, you and I saw each other only last week in Madison and Judy Faulkner during her keynote actually touched on that exact paradigm, right? Children's hospitals really do strive to be very uplifting and not let your circumstances, affect you.
I think there is a lot in terms of your mental state being a part of your healing process and where you're at, and she really strongly put out there, we need to do more on the adult side.
Bill Russell: I don't know about you, but if I ever become like a trillionaire, that's what I'm gonna do.
That's gonna be my new, and actually Judy should do this. She's a trillionaire or something. Like, she should literally go to every hospital and say, look, I've got some paint. And I've got some really talented artists from the local college and university, and we would like to spruce this place.
I don't think you can do that, but it would be great if they could.
Sahan Fernando: They certainly lead by example. That campus is top five I've been on.
Bill Russell: One of the things that has always impressed me about children's hospitals is how they're able to do so much with [00:03:00] so little. They are fairly well funded, however, they're not, there's not money, dripping out the sides of the walls. And so they're very lean, especially on the IT side.
Very lean organizations. And like when I was doing work with CHOC my team of, three or four people would meet with them who represented like, another 20 to 25 people and they would meet with two people over at CHOC. And that would be their whole department who is doing that thing.
And I would be like, wow. I can't imagine because you have the same issues, right? You have to protect against the same stuff. You have to you have the same attackers trying to get in, you have the same everything.
Sahan Fernando: Everything. And I think you touch on an important point there is that even from a patient experience, they have the same expectations.
They don't see it as, when I take my child to a pediatric specialty, that I'm going to have a different experience, a less well-funded experience than when I go as an [00:04:00] adult. And so there is that drive and that pressure to ensure consistency and excellence which I believe our organization really strives for that every day.
But it is harder, and I think in California, and particularly, I don't think it's that controversial to say. Being so reliant on Medi-Cal, the reimbursement doesn't cover a lot of the cases, and I think especially in, in Southern California where we have some more unique patient loads. And so it's very lean it is still always catching up.
And then we still run into, I think healthcare has lived so long on big projects mean we're using CapEx and they like the advantages from an accounting standpoint there, but it's so much harder to use capital if it's not directly on hardware anymore.
Bill Russell: You guys are an Epic shop, or are you a Community Connect, or what are you?
Sahan Fernando: Very timely question. So the San Diego region is actually a very early Epic customer. [00:05:00] We began our implementation, I believe in 2008 and went live in 2010, but I might be off by two years late there. And my old boss was a very big champion of bringing them in. He came in as CIO in 2006.
Saw that as a big need, and that was obviously a massive transformation well ahead of meaningful use or any sort of other incentives. So we actually have
Bill Russell: And Epic wasn't necessarily built for children's hospitals like you guys had to help them build it. I'm sort of giving you words, but I've talked to enough children's hospitals that they were like, Hey, the reason we were all on Cerner is Epic didn't really pay attention to us until there was.
Some of us on the platform.
Sahan Fernando: I think that's a fair take. Absolutely. It's helping them understand more of those nuances between pediatric care and adolescent care. For sure. I mean, there are differences and there are still certain modules that we can't use in Epic because it doesn't fit [00:06:00] pediatric workflows versus adult ones.
And so I know that Epic's great,
Bill Russell: But still, Epic has made some pretty significant inroads. I assume that CHOC and Rady's will be on the same build.
Sahan Fernando: We will definitely converge onto a single electronic health record platform. I guess now we're supposed to just call it converged health record, according to Judy.
And I can't say publicly what that will be.
Bill Russell: Yeah. Nor do I expect you to, but but that's what the, converged health record, that's what the consumers expect now. Yeah. I'm curious, they announced so many things at UGM this year.
One of the things they announced was a single, I forget what they called it, but single MyChart login, essentially. And you have that converged record behind it. So what used to have to happen is I would log into multiple MyCharts and have to see what's going on. Or I'd have to re, from whoever I'm seeing now, I'd have to request those records and Care [00:07:00] Everywhere would move 'em all.
But essentially I would go to MyChart through my provider. I mean, that to me was an interesting play, especially in the pediatric space. 'cause you have a lot of specialists and specialties and kids moving from, a primary care doc and a health system over to children's back, potentially some people traveling to you guys.
I'm curious what your thoughts are on how that's gonna change things or how that's going to change the experience for them.
Sahan Fernando: Absolutely. It is exciting. I mean, I don't think there has been anyone pushing quite as hard as Epic has on the portability side of HIPAA, and that interoperability is really one of those big buzzwords, but it does have meaning and value.
I'm really excited for the overall idea. I think the risk management side of me being in information security says the privacy portions and some of the nuances, especially in pediatrics, are going to be the hurdles. And I don't know if that's going to be incumbent on us to fix [00:08:00] or if Epic is going to lead the charge because state by state we're going to have different regulations and governing laws.
And so I know that is an active discussion topic among kind of Chief Information Security Officers and privacy officers right now. This sounds great. How do we do this in a way that we're not violating another state's laws? So it's really great to have that functionality and we see more and more folks that leverage CareLink right.
Really a more coordinated care team. And I think, especially when I think of, I travel quite a bit. I have my background blurred, but otherwise you would see so many planes and such. And, being abroad, reducing barriers to relevant information for me, if I were to need care is a really powerful idea, right?
If I had allergies, things and basic things like the MAR, being able to reduce barriers to sharing that information is really great. And they've obviously been really pushing on the TEFCA side of things as well. So there is a cohesive [00:09:00] thought I think there on how do we empower patients to have more agency over their data, their records, and really more ownership of their care plan and being able to work with the care teams that they want to and need to.
I really see that as very empowering. And I really hope it does play out.
Bill Russell: I love the fact that you brought up portability when talking about HIPAA. I think it's the forgotten P in HIPAA is portability. But man, I, I also love what you're talking about there. Because when I was at St. Joe's we had Southern California, Northern California, which was easy.
Then we had Northwest Texas. We had Lubbock, Texas and we had to navigate some of that stuff. And it was. It was interesting, like a child is considered a certain age in California. It's considered a different age in Texas. The access from the parent was handled differently in both those states.
Like when does the parent stop having access to the medical record and the child has agency over their own [00:10:00] record we had a distinction in that we owned those hospitals, so we had to navigate that. So you still have to navigate the sharing outside. Even if you don't own those hospitals you still have to figure that out.
Sahan Fernando: I believe we do. Yeah. I know that for us, we have a very clear policy that aligns with California law in terms of when a patient requires a proxy access versus direct. And there are even certain results and other parts of their record that are more controlled, let's say to protect, as they become a teenager and more involved with their own health, that they have a little bit more control over that.
So that's actually, I think, an ongoing, let's say not burden, but an ongoing workload for, our health information management teams is kind of the appropriate release of information and validating proxies and guardianships. There's a lot on, I think that people don't realize on the administrative side to ensure proper [00:11:00] access to different parts of the controlled information.
It's really quite fascinating.
Bill Russell: Just outta curiosity, I'm gonna throw this question out. You don't have to answer it if you don't want. What's your data retention policy?
Sahan Fernando: It's hilarious. I actually had a very direct conversation about this about 16 hours ago. So
Bill Russell: It comes up in so many of our 229 meetings.
'cause people are like what's your retention policy? They'll go forever. But I'm like, seriously? They're like, I, but it's so all over the board that it's just forever.
Sahan Fernando: I can actually answer this to a meaningful level. So awesome. With Epic, it's essentially forever technically once a child reaches the appropriate age, which I believe is 23, you can start rolling off, I think seven years worth of history.
But we don't, so we do keep all the health data essentially forever in terms of Epic. We have a business records retention policy that is completely separate for [00:12:00] email and those sorts of communications. It's currently two years or three years. It's, I think it's set for two years. And, that's enforced in a few different ways.
It's been about 10 minutes on retention policies and why that's a burning topic for everyone because you gotta mention AI in our conversation, right? Right. A lot of people are using Copilot and other transcription services and they aren't thinking about do I actually want those transcripts existing for two years as a part of my records retention policy?
So, I think that thankfully technology exists to facilitate a more nuanced approach, but there is some risk there, I think, from a legal standpoint, right?
Bill Russell: The records represent the attack surface, right? I mean, if I get into your email and start tooling around I was talking to one CIO.
Interestingly, a CIO talking about security is awesome. And he was saying that they were undertaking a process and it was a research institution. They were undertaking a process to go through all the historic [00:13:00] email and identify the PHI and PII and all those emails and strip them out and leave markers where they could click on it and go to get it.
But the actual PII and PHI, that was in the email system out. And I'm like, well, how pervasive is that? And he goes, well, the farther back you go, the more pervasive it was. It represents an attack surface. I mean that, that has to be one of the biggest challenges for you guys is the attack surface
appears to be only getting broader. It's people wanna work from different locations. That increases the attack surface. Therefore they want remote access to certain things. They want data sharing with certain entities. As if your user communities like ours, they didn't want us to delete any email.
So three year retention policy would've been that would've been a fight at with somebody I'm sure within the health system. It's kind of crazy
Sahan Fernando: And it still comes up for sure, but that, thankfully, is, if you would like an exception to [00:14:00] policy, I'm happy to refer you to compliance, legal and corporate leadership because that is not my decision to make. I'm just here so we don't get fined. It's usually my response
Bill Russell: to that
Sahan Fernando: conversation. And the fine thing I think is very relevant to, when we talk about risk and attack surface, right? There's that, the two risks I really think of are around one this type of risk.
When we think the amount of records that are in kind of unstructured locations, like email and chats, things like that. When a threat actor, gets access to an email inbox, right? If you can't prove that they didn't go through things, then all the records are considered in scope, and that starts to become a part of your, well, these are the amount of records that you have to report to the OCR as has breached, right?
And that adds up quickly. If you have trauma coordinator that sent out a spreadsheet of 600 patients, right, where that can add up over weeks and weeks very quickly. And so. Those fines are no joke. And [00:15:00] sometimes that's from my recollection, pretty equivalent to, when you look at downtime from, let's say ransomware, lost revenue, direct costs from recovery, things like that.
We're, in either case you can be talking about millions and in both cases then investigations, corrective actions, action plans, things like that. And so.
Bill Russell: No I wanna walk people through your role, I mean, without being too specific. So, one of the reasons we don't get too specific with CISOs is we don't wanna reveal too much, but let's take something that happened last year that was pretty widespread.
And that is the CrowdStrike outage. So what, it's one of those questions like, do you know where you were when, the first astronaut landed on the moon? This is like, do you remember where you were when you found out about the CrowdStrike thing? And did you know it was CrowdStrike right away, or did you have to go through that period of, I don't know if this is a ransomware attack or what this is?
Sahan Fernando: I did know it was [00:16:00] CrowdStrike very quickly. I do have thankfully contacts and friends in the APAC region and we worked very closely with Health ISAC and so they were very much on point for, hey, this is going on. Setting up information sharing channels and starting to try and connect people with resources on.
Here are some potential workarounds fixes really I think. They took a really strong lead for the healthcare sector on, facilitating communications with CrowdStrike, with Microsoft and going from there. So that, it's incredible though because I think we've matured so much on the IT and information security side where, there's still some people that say, oh, monthly patching every month is really still a scary thing.
I think CrowdStrike handled it incredibly admirably. They owned their mistake. They were very transparent, used their resources to help out different organizations and they even, I think they took it so much in stride that they accepted a Pwnie Award at I wanna say that was at DEF CON for essentially [00:17:00] causing such a large outage.
So they, they were very transparent. They owned it. But I think it really, like I said earlier, 2024 is do we understand risks in our digital supply chain? And so between Change and CrowdStrike, Health Sector Coordinating Council is really doing some great work on how do we map out our dependencies, where we have key concentrations of risk from a supply chain standpoint, and how do we empower different members of the healthcare sector to start applying that logic to their organizations?
And as a provider, I really think we have to continue looking at that, right? Information security has really evolved from just a how do we keep threat actors out to, how do we manage systemic risk related to technology? And availability is core for us as providers. I mean, if a bunch of records do get breached, that's obviously a very bad thing, but patients are still getting treated.
But if I have and I do run an annual tabletop [00:18:00] with our operations folks every year. One of the first things we do when we kick that off is, okay, we've got kids on the tables in the OR, this is our inpatient census. Are we still running ambulatory clinics? And if you really think about it from an availability, downtime standpoint, that's the risk that really bothers me.
Bill Russell: Yeah. I just, I pulled over here to LinkedIn, pulled up your profile rowing. You were a men's rowing coach for Division one athletics program.
Sahan Fernando: I am. First practice of the year was yesterday actually, as a volunteer.
Bill Russell: As a volunteer, yeah. I was gonna say you, you don't have two two full-time jobs,
Sahan Fernando: thankfully.
Not full-time. And they're understanding that, as I've gotten older, life shifts around and priorities. But I went to a Jesuit high school in Phoenix, Arizona called Brophy College Preparatory and so that's how I came across Gonzaga and I just also happened to want to row in college.
I rowed in high school which I know sounds a bit strange rowing in Arizona, [00:19:00] but there is a scene for it there in West. Oh yeah,
Bill Russell: there's the, it's right there. Well, is it in Tempe? Is that what you're talking about? Town
Sahan Fernando: Lake? Yeah.
Bill Russell: Yeah. I mean, actually it's really nice area, I think.
Sahan Fernando: It's gorgeous. It's gotten better.
About 15 years ago though, when I was working there the dam blew up and it was an empty lake bed for a couple months. So that was a fun morning. But
Bill Russell: yeah. How did you, how'd you practice?
Sahan Fernando: Well, since I was working, I was there at 4:00 AM and we had to start making sure people, their natural inclination is, oh, empty lake bed.
Let me go in. People obviously have been throwing things into the lake for years. So there was a very big safety hazard there. A lot of glass, a lot of sunglasses, cell phones, fridges. But we also had to worry about humans that were camping downstream with a dam, shrink. There was no loss of life.
So, yeah, that was, that feels like a lifetime ago, but I do love to continue to coach. I think one, being in a leadership position, it helps me to [00:20:00] continue to hone those skills and coaching college athletes. As I continue to grow older, that allows me to ensure that I'm still able to work with, the next generation and understand a bit more of how do they think, how do they see the world?
How can I ensure that I know how to communicate with them? Because again, being in the CISO role, you have to communicate with a very disparate group of stakeholders. You have to be able to talk to the IT folks who are doing the day-to-day work and explain risks and understand what they're saying, and also talk to the CEOs and the board and be able to essentially fly the plane at 35,000 feet as well as 10,000 feet and kind of seamlessly switch, but still be in the same flight.
And so it's been great and it obviously keeps me away from the computer for a few hours. And thankfully also lets me go to Gonzaga basketball games.
Bill Russell: That's actually kinda sweet. So, talk to me about Health ISAC a little [00:21:00] bit. So you served for what, a couple years now?
Sahan Fernando: Yes. Yeah, it will be three years this December, and I'm actually up for reelection this fall.
Bill Russell: Okay. Well, I don't, I hopefully we'll help your reelection chances, but I'm curious, two and a half years ago we were talking about a really stringent set of rules coming in that health systems were all worried about, and that kinda stuff has that stuff like evaporated now?
Sahan Fernando: In some senses.
I think yes. CPGs, I think is what we're referring to. And those are really strong security principles. And to our earlier conversation the disparity and maturity levels for different people that are under the purview of HIPAA as a covered entity. That's where I think we've seen a lot of debate on should we move forward with this?
Because if we're doing all stick and no carrot. If we very candidly look at right now, there's [00:22:00] the paradigm is a reduction in funding from the federal government. And so to try and increase funding at the same time mandate increase funding into certain programs, that's a really difficult proposition.
And so I think there's a timing aspect of it. I think we still need to continue to push each other to mature and evolve and ensure that we're. We're handling risk, which is, I'm not just saying this 'cause I'm on the show. Opportunities like the 229 summits are so valuable for that because you get the opportunity to say, here's something I'm struggling with.
How are you all handling it? And really kind of that iron sharpens iron approach and you hear about things that you wouldn't have even thought of. I still have on my desk. I own a notebook from each summit I've been at with just pages of notes that I need to go look at this and I should think about this.
And that idea of information sharing the community aspect is so, so critical in our sector, right? And we don't, we're not competitors. At the end of the day. We [00:23:00] are all in this together for our patients. If I go down, I know that's going to affect you, right? I mean, when Yeah. Providers go down around us, we have to coordinate with them.
Bill Russell: I'm sure somebody's gonna be upset with me saying, well, health systems didn't really care about security programs back then. But I do remember in 2012 coming into healthcare and I mean all the, it was established by then. I mean, we were looking at security and that kinda stuff, but I came in from outside the industry and I just looked at him and I'm like, we've gotta increase our security spending by
five x, maybe six x and they looked at me like I was insane. I'm like, no, you don't understand. We really have to increase our security spending five, five to six x and we need to hire some people. We need to change our practices. We probably need to stand up a SOC. And they're just looking at me like, but we don't have that money.
I'm like,
Yeah. We're gonna find that money. Because you can't operate a hospital and the data that we're dealing with, without putting all these things in place. [00:24:00] And the thing that has struck me at the 229 conversations is the amount of money we were spending, and I still felt fairly vulnerable back then.
And if I didn't feel vulnerable every time Deloitte came in and did an audit, they made me feel vulnerable. The but there's systems doing it for far less money with far less resources. And with Health ISAC, you have to consider all of those. You have to consider the well-funded Mayos, and then you have to consider the critical access hospital in Wyoming.
The breadth of that is staggering. Like how do you bring people along and you talk about carrots and sticks and best practices and sharing best practices. I love the security group in our country. I love the most 'cause you guys are very connected.
Sharing stuff all the time. 'cause we don't really compete on cybersecurity and privacy and risk. We share those things so that we can get better. But still, the disparity between some of this is pretty broad. I'm curious how the [00:25:00] conversations go at Health ISAC to say, look, is there a middle ground that you shoot for and say, well, let's shoot for the middle, or do you just go, no, we gotta shoot for the top, but we gotta figure out a path to get everybody there. The calculus on that is really hard.
Sahan Fernando: One of the many things that excels at though, is it creates the space again, like 229, to have those conversations. Sometimes it feels, I think almost like imposter syndrome where I, I hear something and I think, wow, that's incredible.
And you do have to take a step and realize, hey, we aren't Merck or Pfizer. We maybe one day we could get to something close to that level. But relative to, if we look at it from an economical value relative to what we bring in, we're doing pretty well. And that's, what's the phrase? Comparison is the thief of joy.
I think you can still be satisfied with that. You've done a good job with the resources allocated and still have that [00:26:00] pursuit of perfection because that's part of the fun, I would say, is how do we make this as good as possible? Knowing that in a couple years what that means will absolutely have changed and so.
I think one of the cool things with technology and security is that because things are changing, you don't get to just sit complacently on certain things and say, well, we solved that. Some things you do and that's great, but you'll always have a new challenge to, address. And so to your question on, how do those conversations go?
I'll try and think of a really good example here where for us, where I found the venues of the ISAC, the summits working groups, things like that. Hearing directly from my friend Terry Rice, who was at Merck at the time, his experience through NotPetya and being, I don't wanna take too much of his story, it's a wonderful story, but he was on Machu Picchu and NotPetya hit and just that whole story of how they [00:27:00] handled
the multi-nation incident response and recovery and what they did from an after action standpoint and how that also fed into, how they approached reporting and, not just data lake, but their whole strategy on how they took security telemetry and turned that into more executive facing things.
Those are not always things you will think of on your own, but they inspire you to think, what can we do? And those are things to maybe add to our roadmap. And I would say similarly, I think, I know that we have done a lot on embracing the Zero Trust paradigm, and I'm really proud of just all the work that Rady Children's across the board.
It's not me, it's the entire team. Buying in and working together across all of it. And really ops also giving us the grace to do a lot of work. I actually have a talk that I'm debuting this year around that whole journey because when I think about where we started and where we are [00:28:00] now, we've continued to mature, a good program into, continuing to make it even stronger.
My predecessor did a wonderful job. We're still in contact actually, and he left me some really great starting blocks, especially for what was next, and we get to share on that journey, how we've approached identity security. I think we really embrace the idea of we need to secure identity when we read forensics reports.
That is, lateral movement and privilege escalation are still all identity based attacks and we need to secure that. We need to tie more to your identity. As a result, because we wanna try and balance the friction with convenience that security tends to introduce. And so, those are some things that we're able to share with other organizations, both larger and smaller.
And the nice thing with, I think most CISOs is just because they're bigger, they don't assume that they have it all right. And they will absolutely take your opinion as a smaller organization we're all in it together.
Bill Russell: That's awesome. A lot of [00:29:00] these podcasts have gone to the really personal, they'll ask you like, if you were stranded.
I was just talking to somebody yesterday. One of their questions was if you're stranded on a desert island, what's the five albums you want to have with you? And not that wouldn't be interesting and fun to do with you, but we've come up with the escape room concept. Okay.
And here's your escape room question. And you're familiar with an escape room, right?
Sahan Fernando: Oh yeah.
Bill Russell: All right. So we lock you in this room.
Here's the challenge that you have. And this is a very real challenge. It happened a number of years ago as a ransomware attack, and I'm gonna put you as the Community Connect host.
For this. So the Community Connect host, CIO got a phone call from their community connect partner health system. And they were experiencing all sorts of anomalies on their network and systems were starting to go down and that kind of stuff.
So the CIO who's not at the Community Connect partner [00:30:00] site has to determine, is this ransomware, and if it's ransomware, do I disconnect our link between the two, which will essentially take their EHR down? I'm curious what we're trying to get to here is how do you think through these things, how do you process through those?
Those kinds of challenges. 'cause hopefully you won't have to face any of those, but my guess is that's the world you live in. So
Sahan Fernando: It is, and being the Community Connect host, we've run through those in tabletop form for sure. So for me, I think that starts with, it's not an InfoSec decision in a silo.
This is a business decision and we need to ensure that the clinical folks, operations folks, they're all in alignment, especially from a leadership standpoint on here's what we're proposing, can we move forward? Now, sometimes you need to move fast and accept that you might have had it wrong. Because if you shut off the link, for instance, at worst you turn it back on [00:31:00] and you apologize. Right? I think that's part of your leadership, gut instinct. Depending on what you hear, when I hear anomalies and things shutting down. I would err on more towards that side, but it also depends on what does shutting down mean?
Right? Like if, going back to your question about last July and CrowdStrike, right? A bunch of blue screens of death, essentially. I would probably start with, well, we have to assume breach until we have evidence otherwise. Now, in that case, we knew right away what was going on. Thanks to Health ISAC and our friends throughout the world, but.
If you really are embracing that zero trust paradigm, it is assumed compromised until you can essentially disprove that hypothesis. And so a lot of this is proactive work, right? If you are drilling and you are informing your stakeholders of potential risks and how you would manage them, especially when they're realized it's less of a surprise and you have an alignment from the beginning on the what, the why and the how, and
that's a big part of, I think, [00:32:00] the CISO role is, again, risk management, proactive and reactive. So you have basically the buy-in to have certain actions already authorized. And so in that situation, I would say, yeah, we are on the side of turning down the link, whether we need to do that physically or it's just cutting off VPN tunnels or MPLS circuits.
Great. But we've at least had that conversation. And if we haven't, we need to ensure that we have the right people in that call to ensure that we know what are we doing, what's the impact, and who do we need to let know, and how that cascades down in terms of the staff, in terms of the patients.
Are we still able to move to downtime procedures and continue providing care? Right? What are we needing to cancel? Do we have a means to contact patients? What is our public communications strategy going to be? Who's on point for that? What are we saying? Is it legally approved? Are we gonna call insurance?
Are we activating IR retainer? Do we want to do that? There's a whole bunch of nuance there. And who is on point for [00:33:00] investigations? What's the cadence of updates? Things like that.
Bill Russell: So let me move you forward about, I don't know, a couple days. It was ransomware; move it forward a couple days, they had disconnected it.
Now the question becomes reconnecting. So, what's your thought process on reconnecting? Is this also something that you've played through and said, Hey, look, if somebody's been ransomed, these are the steps they're going to have to get through before they get back on?
Sahan Fernando: Yeah.
We have, through less tabletop and more, other places, policy, right? Yeah. And so we don't put a formal policy out on this because we haven't seen a need, but it's a generally understood cultural stance that, if we need to reconnect with someone who has been hit, we basically want a third-party assurance of, this thing has been cleared forensically.
At that point we're really talking about the legal liability from my standpoint. I don't think that any other [00:34:00] party would say, oh yeah, we're fine, and willingly give you "Yeah, we're fine.
Just turn it back on." Oh, okay. Right, right. But I think that independent attestation also is a bit of us shielding ourselves so that we can say, well, we had someone independently come in, or they had someone independently come in and clear it.
So we did our due diligence and should something happen, we can show that trail of here was the rationale and the risk management process, and obviously the risk was never going to be zero. They could have had some other infection that hadn't taken hold yet. That's completely separate. And so that's our normal process.
And so, for instance, last year with Change, we had blocked all traffic to them. We had shut down the limited scope that we had there. We were a part of the very large group planning for give us official updates. We want forensics, things like that, as we resume [00:35:00] whatever we are allowing.
And so I think that allows you a bit more nuance on investigations because they're never going to be the same. And I think even with ransomware, it's, well, what was the scope? Where are you at from a containment standpoint? Where are you at from a recovery standpoint? Then you get into the nuances of how good was their DR, were they scanning their backups?
How far back are their backups? Where are they restoring from? What were the relevant tactics, techniques and procedures? 'cause I think that informs, are you okay with their backups?
Bill Russell: That recovery took long. Yeah, I mean, based on the impact on healthcare.
It was pretty long. The metric which always shocks me is time on network, or time on network.
Sahan Fernando: Dwell time.
Bill Russell: Dwell, dwell time. Is that what it is? The number? Well, it's getting a lot better. A lot better, but man, some of these attacks, it's like they had been on network for 60 days, 90 days, [00:36:00] and you're like, oh my gosh. That's scary. Because the amount of movement you can do in 90 days is pretty significant.
Sahan Fernando: It is. And as dwell time has reduced, the problem is they understand, well, we're just going to need to move faster. So dwell time reduces. But also the time to impact has also correspondingly reduced. Right. And there's trade-offs with that. I think because they're trying to move a little faster,
that gives you more detection opportunities. But to our earlier conversation around why we went so heavy on identity security, it's exactly these sorts of reasons. I think you have really high fidelity telemetry and alerts and detection controls in place so that if you start forcing them through high visibility channels, you shut off proactively
those kinds of stealthier tactics. You have more opportunities to reduce [00:37:00] that dwell time and prevent impact. That's part of our philosophy: make it harder for them to do the low-cost stealthy stuff, force them into higher fidelity channels so that we can catch them.
And it can kind of continuously refine. And detection tradecraft is another one of our passions that we look at a lot and, for a smaller place, I think sometimes we get a little too eager about it. We have obviously some internal SOC functions, but we have partners that help.
But as they continue to get a bit more aggressive, there's things that are, like I said, good about that for us and maybe a little bit difficult for us. And I think we've seen that play out. I've given some talks over the last year and a half over where, if you can catch someone early, you can do quite a bit.
But when we look at forensic reports, one of my favorite walkthroughs was actually an attacker. I don't think it's online anymore unfortunately, but a threat actor actually wrote, this is how I hacked into a spyware company. And they [00:38:00] walked through kind of a multi-week approach of, well,
they started with something very esoteric where they put in a zero day on the external router. But then from there it was, well, here's where I looked at first from a recon standpoint. And then I found identities that I could compromise. I mean, this is going back, they compromised the Blackberry service account at this hacking company or the spyware company.
And it was just very, that sort of tradecraft I think is very much on my mind when I think at a higher level, what are we looking at? Because administrative controls are really great, but the technical controls that we're accountable for as well, on the prevention side, those are things I think of how do we really ensure that we're putting up the right gates and different types of gates and moats and other sorts of defenses, varying so that the layers are helpful, but still let the right stuff through.
Bill Russell: Sahan, I want to thank you for coming on the show. Everybody wants to go on with Drex now since he's a lot cooler than I am, and I appreciate you coming on this show and talking [00:39:00] to us. I don't want to be one of those former CIOs that doesn't talk about security because it's such a critical aspect of everything we do.
And I appreciate you sharing your experience and wisdom with the community. Thanks.
Sahan Fernando: Thank you so much for having me on. I'm glad we didn't only talk about security stuff. Lot of great conversation.
Bill Russell: We can next time. Next time we're gonna talk about rowing and get into much more detail on crew and whatnot.
So, all right. Hey, thanks man. Take care.
Drex DeFord: Thanks for joining on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at thisweekhealth.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.
Together we are stronger.