This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Zero trust again, disconnects all of these hyperconnected things and makes that connectivity happen in a more seamless way, a more efficient way, and also in a way that means that if a bad actor gets in on that one device, they can't find everything else. (Main) Welcome to This Week Health. Today we are starting a six-part series on Zero Trust Hospital, the CXO vision. This is a new book by Zscaler. We have one of the authors here, Tamer Baker, healthcare CTO for Zscaler.
And Drex DeFord, who is not one of the authors, but he's the president of the 229 Project Cyber and Risk Community. Gentlemen, welcome to the show.
Thanks for having me. Happy to be here. It's good to see you guys.
I'm looking forward to this conversation. Tamer, you wrote a book. You wrote a book with David Anderson.
So the two of you came together and wrote this book. What inspired you to write this book and specifically focus on Zero Trust for healthcare organizations?
Yeah, we [00:01:00] really recognize that over the last several years, Zero Trust has been overused and overhyped by so many marketing organizations from all these different vendors out there.
And it's created a lot of chaos and confusion around what Zero Trust is. So we wanted to try and figure out a way to talk about Zero Trust in a healthcare setting specifically, as well as make can easily digest and understand it and bring it to their organizations.
I was going through the book and I was looking at the foreword written by Cris Ross, former CIO for Mayo Clinic, and in this paragraph from reading, says, as healthcare organizations defend against cybercrime, they were also seeking to maintain the privacy of patient data while adopting more sophisticated digital services to improve care and provide a better patient experience.
It's interesting because we hear now HHS has said this and we hear this all the time. Cyber care is patient care. We're being driven as healthcare leaders. We're being driven to innovate, to push the [00:02:00] envelope on digital transformation. Why is now the time to look at zero trust architecture in healthcare, at this moment in time with so much being required?
Yeah. So one of the other things that I really loved about Cris is he really embraced this transformation concept, and transformation can really only come from the top down. You really can't get it unless the leaders of an organization are wanting to also embrace it. The thing that caught my attention the most is that he had said something along the lines of, you know, we can't keep trying to innovate on technology that was built in 1999, right?
But there's no way to innovate with our security and architectures from that old because it becomes a challenge. So this transformation effort is something that we all need today in order to be more effective as an organization, innovate faster and better, as well as be more secure while we're doing it.
So an imperative that not only is it for an organization from [00:03:00] an infrastructure or security perspective, but an organization as a whole: your clinicians wanting new fandangled apps and new things, new robots, the next version of DaVinci, etc. All these things that we want to provide better patient care require a new way of putting them in your environment to make it secure and seamless and easy to do.
I'm wondering if we shouldn't start with just what is zero trust? Let's just start with that basic concept because, it could be some people listening right now who are wondering, okay, this, yes, we need to be secure.
And this is part of what happened to zero trust, right? People were like, I'm not really sure what that means. I think it means we don't trust anything. And what does it actually mean?
Yeah, here's the, because it's gotten such a negative connotation, when security people are trying to speak to other parts of the organization, I almost always take a step back from the word zero trust and just say, look, it really is transformation.
I have a digital transformation project. I need to transform how we do infrastructure and security [00:04:00] in order to accomplish zero trust. And essentially all that means is zero trust is making sure that only the things that are allowed to talk to certain things can talk to only those things. So that could be users or devices as an example.
It also incorporates things like reducing your attack surface and that lateral movement, et cetera. So there's a lot that goes into Zero Trust, but you can't ever get to Zero Trust at that network layer. So if you're trying to accomplish Zero Trust using traditional technologies on the network layer, that's where we struggle, right?
That's a big component of zero trust that I think people are misunderstanding when we think about what zero trust is. The network is abstracted from that.
So how does Zero Trust address the threats that healthcare organizations are experiencing right now? Specifically, the idea of moving laterally.
Most of these ransomware attacks we've seen, if they just attacked one device, we wouldn't read about them. It's the fact that they get in and then they move across the entire network.
And this goes back [00:05:00] to why we need to transform digitally, because when we think about the old school castle-moat technologies, the data center was the center of your universe and everything went through there and everything inside your network was trusted.
The changes that have happened over the years and why we need to modernize this infrastructure and security is because now your data lives everywhere. And your users live everywhere. So when a bad actor comes in, we actually had to hyperconnect everything. We had to hyperconnect data across multiple clouds, your clouds that you don't own across users that are everywhere across all your systems and networks, everything.
Everything is now hyperconnected, which means when a bad actor gets a hold of that one little user that clicks on that bad link, opening up their personal email on a work laptop as an example, now that bad actor has carte blanche access to everything because it's all hyperconnected. So zero trust again, disconnects all of these hyperconnected things and makes [00:06:00] that connectivity happen in a more seamless way, a more efficient way, and also in a way that means that if a bad actor gets in on that one device, they can't find everything else.
They can't even see the rest of that stuff to try and move laterally with.
Yeah, Drex, I want to pull you into the conversation. The pandemic was interesting for us as healthcare. And I love the fact that we keep saying the word zero trust architecture, because when the pandemic hit, we were asked to do a lot of things very quickly.
And we did a lot of things very quickly. And a lot of times architecture goes out the window for speed and expediency and those kinds of things. Talk a little bit about how we recover from moving too quickly or doing things because we just have to stand them up.
Yeah. This is one of those things that we see, not just with the pandemic, but in a lot of the summits that we do, we have conversations with the CISOs and they talk about going through some sort of a traumatic transition, whether it was an M&A or something else. And there's always a lot of exceptions to the [00:07:00] rules.
There's a big hurry to get something up and running, but then there's a bunch of broken glass they have to go sweep up later. And that takes a lot of time and effort. And in many cases, it can be a lot of wasted time and effort. If you're built correctly up front using a zero trust architecture, you actually can make those traumatic, in a good way maybe, experiences that you have to do as a CIO or a CISO, you can make those experiences actually a lot easier to implement because the agility for what you need to make security work in that environment is already in place, but it starts with the architecture.
Yeah.
You know, Tamer, I want to come back to you because Drex brings up a good point. It wasn't just the pandemic. There was a big shift to the cloud that has happened and is continuing to happen in health care. There's cloud-based applications. There's remote work, significant amount of remote work that's going on.
How does zero trust address those kinds [00:08:00] of changes? And they're pretty dramatic changes. When you think about it, we went from our data center, we went from everybody working in, yeah, within the four walls of the system, and wow, it's now, I talked to some health systems: yeah, we employ people in 33 states and they're only in three states as a health system.
It's a great opportunity. This is exactly why digital transformation needs to happen and how zero trust fits into that because of that explosiveness and where all your data has gone and applications as well as where all your users are. So if we think about where Zero Trust fits and why this transformation is imperative.
Cloud was a great example because cloud is meant to give users a quick and easy and fast way to reach applications, right? Applications that you no longer have to house in your data centers and manage. But how are we doing it today? Everything still backhauls right back to your data center to be able to connect to your cloud.
So instead of users going straight to the cloud, everybody is still backhauling it all back in and then through an expensive [00:09:00] Direct Connect or ExpressRoute. So where zero trust comes into play is we make those connectivities happen without the backhaul anymore, right? You're able to do that connectivity.
It's much better for the user experience, much more cost effective for the health system, much easier. So operationally speaking, it makes it so much simpler to migrate an application from your data center into the cloud because this architecture automatically shifts that traffic to that cloud application very simply and easily.
And it all happens in a more secure manner because it's all hidden from the internet. Going straight to that cloud resource without backhauling, it's all hidden from the internet, as well as it's all going through, there's a security stack that follows the user no matter where the user is.
All right, let's close out with this again. This is the first of a six-part series. We're going to cover zero trust in a lot of detail. We're going to keep moving through this, but I want to close out this episode by giving people something practical. So what initial steps can a health care organization take to ensure a secure digital [00:10:00] transformation?
The very first steps I would recommend is going to be communication because transformation has a lot of inertia within your organization, and that inertia is very difficult to overcome. So really, all the leaders have to be on board with transformation. Once the leaders start overcoming that inertia, and you know that the CTO organization needs to overcome the inner inertia.
Your CISO organization needs to overcome that inertia and everybody else needs to overcome that resistance to change because it's different. Once you get through those conversations, you can start overcoming that inertia. That's a very strong first step because now people are open to these changes and can start implementing some of the things that we're going to talk about in later episodes.
Tamer, Drex, I want to thank you guys for joining us. And I want to thank everybody for tuning in to episode one of our Zero Trust series. If you want to dive deeper, you can pick up a signed copy of the book at either VIVE or HIMSS. Plus [00:11:00] get the accompanying architectures approach guide to your team.
If you can't wait, register now with the link in the video description to receive the ebook automatically in your inbox during We also have five more episodes coming up in this series and don't miss our special webinar with industry experts on March 27th. You can register at this week health dot com slash zero trust.
Thanks for listening. That's all for now.