This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Executive Interview: Solving Healthcare's Identity Access Management Complexity with Bill Willis

[00:00:00] Today's episode is brought to you by IDMWORKS. Healthcare organizations face growing cybersecurity threats and complex identity management challenges that put patient data and operations at risk.

Since 2004, IDMWORKS has been delivering world class identity and access management solutions that build resilience, ensure compliance, and protect what matters most with vendor neutral expertise and a proven methodology. IDMWORKS has helped thousands of organizations streamline IAM while maintaining the highest security standards.

Learn more at thisweekhealth.com/IDMWORKS. I'm Drex DeFord, President of Cyber and Risk here at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to this executive interview on the UnHack channel. Real conversations about managing risk at the highest levels.

Let's dive [00:01:00] in.

Drex DeFord: Hey everyone, I'm Drex. Nice to see everyone here today. Thanks for being here. I have Bill Willis with me today from IDMWORKS. Say hi, Bill.

Bill Willis: Nice to meet you.

Drex DeFord: There's a lot of stuff. That I always have questions about when it comes to identity and access management and all the challenges around that.

Every time I sit down with CISOs, it's always a topic of conversation because it's always way more complicated than anybody ever imagined. Even after they buy the tool, they wind up jammed up 'cause they can't figure out how to get the tools in that the way that they want it to actually work. So let me start by just asking a little bit about you.

Tell me a little bit about your background and how you, because it's really interesting how you wound up getting into this field and really have become kind of like a world class leader in this field.

Bill Willis: Well, first of all, Drex, thanks for having me on. I always appreciate you and I having a chat, so it's good.

So yeah, I've been in this space a really long [00:02:00] time. I was in the office of the Chief Information Security Officer at Amoco before there was an identity industry, and they were like, you know, we've got all this problem with all this access all over the world, and we don't know what to do.

Drex DeFord: Uhhuh.

Bill Willis: So they actually asked me to build one.

So I built one inside of Amoco. Late eighties, been a minute. So you kind of

Drex DeFord: built one of the first identity access management systems. Yeah. Yeah. But not like you bought it, you literally just from scratch. Yeah.

Bill Willis: Yeah. So, once I built that inside of Amoco, there were some folks that wanted to take one out to market.

So I moved from Chicago to Southern California with my family and invented and built a product that IBM ultimately bought and is still running today, 32 years and six months later. So if anybody's ever heard of Tivoli Identity Manager, ITIM, I'm the inventor, founder of that, how about that? With a core group of folks.

Yeah. So yeah, some of that, and if you've ever used your eyes to clear anything, like CLEAR at the airports, or facial recognition, that's all the [00:03:00] foundational stuff that I've done as well. So yeah, it's been a random collection of accidents called a career, for sure.

Drex DeFord: How did you wind up then at IDM works?

How did that

Bill Willis: Path cross? Yeah, so at some point I chose not to build product and to look to take, you know, this lifelong learning set and bring it to the people that needed the help. Instead of building stuff, actually going in and being kind of that old voice in the wild that can help people solve their problems and actually look and see what technology stacks, if any, people really needed, instead of building something that people would come to.

And the interesting thing is, Drex, as you talked about what some of the challenges are, we find it's almost never the technology.

It's almost always the data, and the process, and the institutional knowledge inside of somebody's environment, inside of their company. And once you can solve the data, so the data comes [00:04:00] in on time and you can weaponize it and it is in a good context, you can then take all these manual processes that everybody's had since the beginning of time and automate those.

What that then lets you do is recapture those people instead of having to shuffle people all day long to do really important work to try and protect the attack surface of the hospital or whatever that is, right? And then lastly, once you've got all those things in place, you can then pick the technology that fits you the best instead of the tail wagging the dog and you're then in a place where you can actually bring the bear savings to the C-suite and to leadership.

So that's how we look at it, and we've been highly successful. There's a lot of times that people have already got the investment inside their house. They just haven't reimagined and transformed it to actually do these things. So

Drex DeFord: I literally just spoke to someone who said they had made an investment, [insert vendor partner here], they bought a product, they thought

the [00:05:00] bread box was gonna be this big, and they had put that much money into the bread box, and now they've spent all the money out of the bread box and they still don't have it right. And they know they don't have it right.

Bill Willis: So one of the things we try and do is we'll actually sit down and have what we call the fireside chat. It's kind of like what you and I are doing today, right?

Drex DeFord: So anybody can call, anybody can reach out to you. Yep. And say, I wanna have a fireside chat. I wanna sit down and talk about this problem. My whole eco-, my whole identity...

Bill Willis: All it is is a whiteboard and a bag of markers. We don't bring a PowerPoint.

Drex DeFord: You don't bring a fire either.

So,

Bill Willis: Nope. And it doesn't cost them anything. And again, it's my life's work and it's my journey to try and make the world a better and a safer place, like we talked about earlier today, right? It's like, why wouldn't I help people? Even if they choose not to continue down the path, at least guide them on what good looks like.

So that's what we do. We do about two a week, actually.

Drex DeFord: Yeah. And you and I have kind of talked through what these things [00:06:00] really look like a huge amount. I mean, I think this is, for the chief information security officer I talked to earlier today, I don't think they necessarily understand what they're really getting into.

All the ties of this is an HR problem, this is a training problem, this is tied to Epic, this is tied to how we let people go or let people retire. This is also mixed into people moving from one place in an organization to another place in the organization and changing what kind of access they have. There's so many, it's super complicated.

Tell me about the complications.

Bill Willis: So healthcare, I would say two things. Higher education and healthcare are two of the most complicated ecosystems of identity, because they have personas that aren't just, hey, I'm either working there, or I'm a staff augmentation, I'm a contractor there, or I might be a vendor.

Right. Kind of those three things are typical in any [00:07:00] environment. That's not what healthcare is. I'm a doctor, I'm a nurse, I'm a volunteer, I'm a student, I'm a traveling nurse, I'm part of the IT infrastructure, I'm a third-party vendor like Siemens coming in. It's like you've got seven or eight of these, right?

So now you're doing Jenga or Rubik's Cube, right? And it's, how do I make all that work? We've been working with some of the largest hospital systems in the United States where we've actually created almost a filter, if you will, where all of that data comes in from all of these sources into a common data lake, if you will.

And all that data lake is intended to do is one thing. Who am I? Even though I'm a volunteer and I'm a student and I'm a nurse, right? I've got three personas in there, but who am I? Right? From there, you can actually consume it and decide what access you're going to give to them, if they need certain access at certain times.

You can also know that from from the application, if the application is part of the university, you know that person's [00:08:00] currently a student and that's all they get.

If I'm actually third shift, 12 o'clock, doing the nursing thing just to make sure I can pay for, you know, going to university, I also know that too, and so you just give them real-time access.

The technology already exists as far as giving the access and access management. That's what that conditional access policy stuff is. And so we just make sure the consumption of who I am is part of that decision on what you get access to at the time you're asking for it. And so that's part of it. If you boil it down into simplistic terms, whenever you have these complications, actually find, if you can answer the five basic questions of human life:

Who, what, when, where, why, how. You can always break it down into making it a process and a transaction.

Drex DeFord: You and I have also talked about the, it's not just the person, it may also be the device that they're on. Sure. So how does that all come into play in this?

Bill Willis: There is no technology perimeter for a business of any kind, whether it's healthcare, grocery stores, like there's no perimeter, right? Once you have a [00:09:00] SaaS-based application, I need to reach out and use it to do something in my business. What am I doing? You now need to add another layer. The attack surface of healthcare as an example, and really anybody, is always predicated on phishing for access, right?

We see it every single day. If we can eliminate the phishing exercise, so what they're phishing for doesn't exist anymore, meaning the password,

Then you can't phish for that. You can't get to it. And again, this is not a technology problem. Every single healthcare organization that I've ever talked to has all the tools to do this work.

It is changing the philosophy of how you give people access and changing the way that whole relationship happens. Because they've gotten so ingrained and used to it, they think it's a cultural problem. When realistically, people log into their own checking accounts or they go through TSA PreCheck or whatever, they don't give a password anymore.

They, here's my [00:10:00] driver's license, here's my face. Off you go.

Drex DeFord: Something I am, that relationship exists.

Bill Willis: It's not a technology problem. Right? Yeah. So the way it works in healthcare, the way we see it working, is that they create a relationship with me: who is it, and what device am I trying to use to gain access to an application?

You bind those two things together, who and what. And then you decide where am I going to go with that relationship? And that's the access part to the application. Again, every healthcare organization has a conditional access policy broker, CASB. If they have Microsoft, I can't think of anybody that doesn't.

They paid for it with their license. It's there. If you say, okay, I've already got endpoint management with Intune, as an example specific to Microsoft, that means I have the certificate for that endpoint. I've already multifactor-authenticated Bill to his laptop. I bind those two things and I simply [00:11:00] provide it to the CASB.

They can confirm it and off they go. Guess what? I don't need a password anymore. Okay. The National Institute of Standards and Technology already said, right, you don't need to do this anymore.

Drex DeFord: You don't have to change.

Bill Willis: So it's not a technology problem, and that's what I try and coach and advise people is that you don't have to go to the boss and ask for more money.

You just have to lean in and be proactive to show the art of the possible. And when people say, well, geez, that was easy and I didn't have to worry about it, and the attack surface goes away, I can take the help desk away from doing password resets at 25 bucks a pop. And that's real money I give back to leadership.

Drex DeFord: Are there legacy technologies that we have in healthcare that keep this from happening? Does it really apply everywhere?

Bill Willis: So probably one of the biggest ones that everybody's waiting for is for Epic

Drex DeFord: To

Bill Willis: get away from LDAP-based authentication to token-based authentication.

When that happens and you can take your EMRs and be able to do that, that opens up the doors. Because [00:12:00] then I don't have to do an LDAP authentication into Microsoft Active Directory or any of the other ones, the legacy stuff that's been out there since when you and I had different color hair.

Drex DeFord: Right,

Bill Willis: Right. Hair, it's like, yeah, we're, yeah. So that is happening. So when you get to that point, then the only other thing you need to look for is these very specific one-off things that might've been in the hospital for 30 or 40 years, that's been like a Windows 7 or, you know, a really old app.

Sure. That nobody knows where the source code is and nobody wants to touch it because it's whatever it is. It's like you need to just get rid of that thing. Right.

Drex DeFord: Maybe like a weird medical device or something too, or, yeah.

Bill Willis: Yeah. But again, that's my exception now, not my rule. You can actually look and say, I can positively influence

90-x percent of the way that we have a relationship with accessing technology and information now, and [00:13:00] eliminate the attack surface. And because that attacker isn't gonna look for that old-school piece of equipment out in the garage somewhere. They want to get to the data lake, they wanna find the person that can write checks, you know, all of the normal stuff that they hack for, that normal stuff.

You can very straightforwardly protect that.

Drex DeFord: Yeah. That normal stuff will be protected like this. Okay. Very interesting. Very interesting. So we've talked a little bit about the fireside chat that you do to kind of help people get some of their processes kind of laid out. What happens?

So they do that and the light bulb goes on. This is amazing. Can you help us with the rest of the road trip? How does that look, or how does that work for you guys?

Bill Willis: Yeah. So, you know, the art of the possible is what we talk about first, is that when we have that fireside chat for the very first time, they actually see their entire ecosystem in one place.

It's almost like a real-time Visio that's orchestrated. And they're like, here are the 10 things I have a problem with. So [00:14:00] it allows them the freedom to actually look at it and say, well, if I could fix that, or if I could fix that, or what about this, so they can think about tactics, right?

So we try and bring them from tactical to strategic and then operationalize that. So once you can get to a baseline of tactical recovery, we help them with building a roadmap. It's called an assessment. Basically sit down and say, okay, where do you want to go in three years? How do you want to get there?

You know, all of the normal things. And again, it's data and process and institutional knowledge, and then the technology. That's last, not first.

I think that's been the problem with people thinking that if I buy the new shiny penny, I just plug it in the slot and it's going to actually, you know, return.

That's not how it works. So, you know, it's like anything, when you make your favorite meal or your barbecue or something, right? You need the raw materials. You need to have a plan. You need to know how to implement the plan. And then when it comes off the grill, I've got a perfect steak. [00:15:00]

Drex DeFord: It's like the grill really almost has the least amount to do with the whole thing.

Bill Willis: That's exactly right. That's exactly right.

Drex DeFord: We see this over and over again. I just think about, you know, back during my career as I, you know, kind of went from place to place, the biggest problem with on-time, on-budget projects often had to do with us buying the technology.

And then in the process of that project, realizing we have to go back and retrofit all that people and process part, and forcing change management, because somehow this wound up being an information services project when it really should have been a clinical project. And now we are trying to make clinical people change different processes.

Like that whole workflow is broken, and I think as a CIO you realize that fairly early on, or as a CISO you learn that, you know, fairly early on. But identity management seems to be one of those things that still stymies a lot of folks.

Bill Willis: [00:16:00] So the one thing we try and coach folks that are in the technology part of the stack, CIO, CISO, identity management leader, that kind of thing, we try to have them think like non-technology people.

You have to partner with the leader of human capital management, because the data that drives your part of the business comes from that person and their team. You have to show them why it is so important, and what I will say is that every single HR slash human capital management leader that we've ever talked to has said, yes, I understand the importance of this.

Yes, we will help you. Yes, we will lean in and we'll participate and partner.

Drex DeFord: Doesn't it make their life better too?

Bill Willis: Yeah, but the problem is that the relationships that the IT teams have typically are at the level of just blocking and tackling, instead of getting ahead, above. And you and I have been around this a long time. If it rolls downhill, it's gonna happen here.

I'm just trying to keep things rolling the way it's [00:17:00] going. It's like, I'm not here to be a change agent at that level. When you get to the point of, I need to solve that problem first, make sure that the data is of good quality and timeliness upfront, and they, it's like, yes, we're gonna do that.

Then the person that we shake hands with every day gets it, because now they've been empowered to help. Right now they're not empowered to help, and so it's really part of that, just creating an orchestrated team of people that recognize how important their piece of the 20 or 30 pieces, what needs to be done in identity, are really sustainable and doable and super important.

So

Drex DeFord: Who are some of the other people that are in that group? The HR leaders, obviously the folks who are doing identity access management, and the EMR services department. Yeah, go ahead.

Bill Willis: The EMR team for sure. I would say all the clinical folks, like, how do you wanna run your business? You know, if I've got a nurse that's working a double shift and [00:18:00] second shift she's working in neonatal and then over here she's working in the cancer area, it's like, how do we make that work?

Right. Typically today, you give that nurse everything for both of them,

Drex DeFord: right?

Bill Willis: That's not the way it should be, right? You have these conditional policies that say when they're over here, they're doing this, and you give them that, instead of just saying, you know, it's not black and white, right?

Drex DeFord: Yeah. Yeah.

Bill Willis: And so there is one thing that's fascinating. When you get all the right people in the room, the level of camaraderie and willingness to participate to make it a better and a safer place. They all get it and they wanna help, but they just don't know how.

Drex DeFord: Yeah.

Bill Willis: Right. And that, I guess that's my job, is to show them the how part and, you know, just kind of drive the bus that way.

So

Drex DeFord: It breaks down the, because they don't know how, they continue to try to protect their fiefdom and make their stuff work. And I don't know what you guys are gonna do about this other problem, but that's your problem, as opposed [00:19:00] to everyone sitting down and figuring it

Bill Willis: out. Yeah. We break down all that stuff and it's like, okay, if we look at it together holistically, you know, and again, we talked a little bit about, you know, perimeters and boundaries and all that kind of thing.

If you look at it like the hospital has a problem, then it is everybody's problem. And so there's certainly a willingness. The other thing, Drex, that we find is fascinating is that if we're able to find one of the tactical things when we do a fireside chat and say, we're gonna fix that,

once there is a success and they bring it to leadership and say, we have successfully solved this problem that's been there a really long time, there has never been a leader that says, no, stop. I don't want you to do any more. They're like, cool. Finally, finally. Let's continue down this and continue that momentum to continue to create and solve these problems and get to an operational state.

Not one leader that has ever seen a success has said, no, I don't want another one. Like, no. Yeah, you do.

Drex DeFord: Do you find, [00:20:00] once you have success and you get the process squared away and you get the tool implemented, now there continues to be, in Toyota Lean production we talk about continuing to sort of lower the water level and you find new rocks poking up, and then you have to deal with those.

How do folks continue to kind of improve the process after?

Bill Willis: Yeah, so when we, and specifically in identity, we try and look at all three phases. We try and look at access management, lifecycle management and governance, and privilege. Right. All three of those together, in harmony and in unison.

If you look at them together as one collective, you can answer a handful of questions, and then you can rinse and repeat that same, exactly. You can do it by category in the hospital, you can do it by application stack, you can do it by classification in your CMDB. It's like, this is critical, business critical, runs the business, general, normal, whatever. You know, you pick whatever you think is right. But if I can say who are you, what do I have access to, [00:21:00] and do you have an elevated privilege, then I can actually defend and provide protection to the business. And if you do all three of those things for an application at the same time, it makes perfect sense.

'Cause then you're just having one conversation with the application owner, the business owner, and if it's an internal one, whoever wrote it, to get all of those things collectively. The problem that most people have is they look at, all right, I'm gonna do single sign-on first, and I'm gonna onboard all the lifecycle management stuff, and then if I ever get to it, I'll do the privilege. Uh-huh.

And it's like, it's not that. Yeah,

Drex DeFord: I'd say everything's connected to everything else problem. I've heard folks say this too. We were talking about perimeter at the beginning, that there is, there's now no perimeter as we've known it in the past, but I've heard folks say identity is the new perimeter.

Does that ring a bell with you? Does that kind of make sense, given everything we've talked about?

Bill Willis: I'm in violent agreement with that, Drex. I mean, if I can answer who am I, then I have the answer of what should, what can I get access [00:22:00] to. Right? Then the last part about it is I bind what I'm using to get that access to me.

That's what an attacker can't do. An attacker can't, you know, affix themselves to the device, right? That's what mobile device management, MDM, is intended to do, is protect the endpoints. But it's never been thought, philosophically, that the endpoint is only half of the equation, to be able to bind those two things together.

Drex DeFord: Yeah.

Bill Willis: When you do that, again, passwords gone away, you can shut down the help desk, bring money back to the leadership of the hospital. Nobody says no to getting more money back. I haven't seen one person say no to that.

Drex DeFord: There's other things you can think about there too, like not just what device, but now you get into behavioral kinds of things too.

The way the device and the way that the person acts too. Like, does it have a particular EDR on it? Is the EDR up to date? All of these would be things that would allow you to say yes or no to that access. But also just the, [00:23:00] is this a normal time when this person on that device logs into our network to get to that particular application?

Yeah. Is that normal or weird? Yeah.

Bill Willis: Yeah. So the analogy we always use is why is the person logging in from Cabo at two in the morning with a margarita in their hand to log into the accounting system? I don't think so. I don't think so.

Drex DeFord: Hey, I really appreciate you coming on and talking about this.

It's a really interesting, really complicated issue that I think you are doing a great job kind of simplifying and helping people understand. And you get the right people in the room, you get the right whiteboard markers, the right whiteboard and the right markers and the right people in the room. Yeah, you can kind of map it out.

Bill Willis: Drex, I always look forward to having our conversations, and thanks for having me on today. Appreciate it.

Drex DeFord: Thank you.

Thanks for joining this executive interview on UnHack with me, Drex DeFord. Here at This Week Health, we believe every healthcare leader needs a community to lean on and learn from. Build [00:24:00] your network at thisweekhealth.com/subscribe and share this with a colleague, because together we're stronger.