This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Drex DeFord: [00:00:00] today on Keynote,
Ryan Winn: And so it really is how do we clean up our environment? How do we create resilience? How do we, build a partnership where instead of making your life harder, we're actually giving you tools that, reduce the burden of InfoSec on top of your already busy day.
Drex DeFord: I'm Drex DeFord, a recovering healthcare CIO and long time cyber advisor for some of the world's most innovative cybersecurity companies.
Now I'm president of Cyber and Risk at This Week Health and the 229 Project, where we are dedicated to transforming healthcare one connection at a time. Our keynote show is designed to share conference level value with you every week. Now, let's get started with today's episode
Hey, welcome everyone. I'm really glad you're here. This is the webinar that you've been looking for. We're talking about the Zero Trust Hospital: revolutionizing healthcare security in the digital age, and we'll get into how to embrace the zero [00:01:00] trust concepts.
Ultimately, how that will help secure the future of patient care. Today's webinar is sponsored by the good folks at Zscaler. I'm Drex DeFord. I'm your host today, the cyber and risk guy at This Week Health, and if you would, please hang in there with me. We're gonna give folks a couple of minutes to show up late.
Because that's the world that we live in today, folks will be a little bit late. The last meeting ran over. We'll want to give everybody a couple of minutes. So we'll get underway with the webinar shortly. For those who've already joined us, thanks for being here. Thanks for submitting questions for the webinar.
We've been looking at those. For those of you who put questions in when you're registered we've got a lot of them. And as a reminder, you can submit additional questions. During the webinar, through the webinar sidebar, there's a q and a block for that, and I have that up and running and Holly's gonna keep me squared away.
On that I have Ryan Winn from Advent Health here and Tamer Baker from Zscaler here, and I'll ask you guys to do a quick intro, but [00:02:00] in a couple of minutes. So while we're waiting for folks to join, here's a goofy little question Ryan. What was your first computer? You've been doing this for a while.
What was your very first computer?
Ryan Winn: my first computer, I don't even know if you could qualify it as a computer. It was a Timex Sinclair, T-1000, I think is what it was. I bought it for $48 mostly in rolled quarters as I recall. And yeah. It was one of those things that had only volatile memory.
You couldn't save anything unless you bought a tape deck Which I couldn't afford at the time, so if I wrote a program, I just had to leave it on.
Drex DeFord: I love that. Tamer, I know we've talked about this before you didn't buy your first computer, right?
You built it.
Tamer Baker: That's right. Yeah. So the first computer I built because we couldn't afford to buy a computer for a long time, and I had a friend of the family that was more well off. He saw my inclination to it and he offered to buy me a computer and I said no, just get these parts for me.
And it was a 386 [00:03:00] SX 33 megahertz with a, think it was a 9,600 baud modem. Yes. Jumping BBS systems, Prodigy. It was an MS-DOS system at the time. And then I remember how revolutionary it was when I installed Windows 3.0. It was just a fun time as a child, right? Building all that stuff.
So
Drex DeFord: amazing. Yeah, so amazing back then too.
Tamer Baker: It was really fun to upgrade, right? Like you buy next extra one little meg RAM stick and you're like, yes, this is great. This thing
Drex DeFord: screams now. Yeah. Yeah, when you had little ports we could actually plug things in and make your computer better. Yeah, I was a Commodore 64 guy yeah, I had a little black and white TV that it plugged into.
And like you Ryan, anything that I did on it. It had to stay on all the time. I think I wound up getting some sort of a cassette player or something that I could save off to the cassette so I could reload stuff later. But yeah, what a terrible way to start. And look at us now. I.
Look at where we are now. Those are fun times. Those are good times. [00:04:00] Okay, it's a few minutes past the top of the hour. Again thanks to everyone for joining. I really appreciate it. Let me take a look down here.
Tamer Baker: We got our first Q and A question in.
Drex DeFord: Oh, the Kaypro people answering the question too. The Kaypro. Yeah. Yeah. That's a classic too. You can tell when people answer this question. There's a little bit about being able to figure out their age by the answer to this question too. Especially if you're a bunch of nerds like us. Okay. As I said earlier, this is the Zero Trust Hospital: revolutionizing healthcare security for the digital age.
A webinar sponsored by Zscaler. Again, I'm Drex DeFord, a long time recovering healthcare CIO. Now I'm the cybersecurity and risk leader of This Week Health and the 229 Project, and I'll be your moderator today. In the virtual room with me here are a couple of my friends and a pair of folks who can really get into the practical parts of how to do Zero Trust.
It's Ryan from Advent Health [00:05:00] and Tamer from Zscaler. Gentlemen, thanks for being here with us.
Tamer Baker: Thank you for having us. Yeah, thanks for having us.
Drex DeFord: Again, to the audience thanks for being here. Thanks for submitting questions when you register. And of course, thanks to Zscaler and our panelists and a quick thanks to Holly too.
'cause Holly, our producer actually is the one who keeps us on the straight and narrow. So let's start with some introductions. Ryan why don't you go first, tell us a little bit about your background and then we'll flip over to Tamer.
Ryan Winn: Sure. Sounds good. Yeah. My name's Ryan Winn. I'm the chief Information Security Officer for Advent Health.
Some of you may know us, some of you maybe not. We're a fairly large healthcare system based out of Orlando, Florida. We're in nine states, 50 plus hospitals. We're growing pretty fast and we just crested a hundred thousand users and really excited about the growth and trajectory and glad to be here and be able to talk with you guys today
Drex DeFord: Appreciate it. Tamer what's going on buddy?
Tamer Baker: Yeah, so for those of you that don't know me yet, I'm Tamer Baker. I'm the healthcare [00:06:00] CTO at Zscaler. So all of the healthcare audience business I'm the CTO for, I've been at Zscaler for a few years now, ever since we started the vertical for healthcare.
And for those of you, again, that don't realize we're not just a verticalized healthcare in the sense of we've got an account team that does healthcare. It's everything from myself, from the product side building in all the, and providing integrations, medical device security, et cetera all the way down to our architects, our customer success managers, and, everything.
Like we have a full portfolio of healthcare specific folks here to support the team. So, happy to be here. Happy to have this conversation with both of you.
Drex DeFord: Yeah. Thanks. I'm really glad you're both here too. I've enjoyed all the prep time and the prep conversations with this too. so here's another thing.
By the way, there is a book associated with this webinar. I was lucky enough, I think at HIMSS. He gave me a copy of the book, and Tamer actually signed it because Tamer is the author of the book. You can download this book, Zero Trust Hospital: The CXO Vision, Tamer [00:07:00] Baker, and I, of course, I should mention your co-author, David Anderson.
You can download the book we'll make sure we put a link in the comments, but just in case you can go to this week, health.com/zero trust, and then scroll down. There's a link down there that says, download the book Now. It's in bright red, so go do that right now so you can get a copy of the book. This is just one
book in a series of books about Zero Trust, right. Tamer? Tell me a little bit about the others
Tamer Baker: so we it's a two book series right now. The second book is The Architect's Guide that was primarily authored by our principal engineers Steven Hajny. So. Between the two books, my CXO Vision book was tailored more towards this
it is not Zscaler specific. It's really under understanding the business value of zero trust and the operational efficiencies and financial gains how you foster a zero trust environment with the other leaders in your organization, et cetera. So it's all way more on the business value side for CXO.[00:08:00]
The architect's guide is the detailed, like, how do you actually do it, and example, policies, examples of how you deploy this is so it's very detailed. So if you're on the webinar and you're CXO. I would still grab both books because you can get your architect's guide out to your teams as well.
And if you are an architect or a director or something that's not CXO level grab both books and hand it up to your CXO if that's of interest. So I highly recommend both books in the series.
Drex DeFord: This webinar actually is like the punchline of a whole series of podcasts that Tamer and I did around Zero Trust.
If you haven't seen those. We'll also send you a link to those podcasts so that you can read the book and follow along in the podcast. 'cause we track the chapters to the podcast too. Okay. Here we go. You guys ready?
Tamer Baker: Yeah, let's do it.
Drex DeFord: I'm gonna start obviously I'll start with Ryan.
can you give me kind of the 50,000 foot view of what you've done with Zero Trust at Advent Health, your approach. Has it been a little bit different? Tell me how you started, gimme the high [00:09:00] level story.
Ryan Winn: I think I'm probably in a similar position to many of you on the call.
I came into this role about a year and a half ago and made a lot of changes, to update and put better technologies in place so that our security team had a decent chance of trying to secure our organization and be successful. So we basically ripped and replaced every piece of protective technology that we had out there, the backend and support systems, ticketing, privacy systems, all of those sorts of things.
So we went soup to nuts and built completely new architecture for security. And in the process what we wanted to keep in mind was taking a zero trust lens and applying the framework principles as we purchased, we made selections and we started to move forward. Obviously one of the partners that we selected to work with was Zscaler.
So we went live, we actually had a really fast project we started in. I don't know. Tamer was that July? I think it was July of last year. And we were fully displaced the previous technologies [00:10:00] by October 12th, I think was our go live date for Zscaler. So four months in an organization our size.
So we were rapid pace there. So, we started with, the proxy side of it and, what we're doing right now is we're actually moving into the ZPA space which, Tamer, I'll talk about the technical details of that later, but ultimately what we're really trying to do is solve some business problems with it.
So, there's absolutely security benefits. But what we're trying to prove is that there's also cost and benefits from just simplifying the way that your network works. And what we're trying to do is create models and we're really looking at the ambulatory space a lot as well to see if we can create a lower cost, go to market, speed to market.
For our ambulatory services because those are areas that are under significant financial pressure. So we're looking to start standing up zero trust clinics here very shortly. And ZPA is a basis of that branch connector, et cetera. And then a lot of this other infrastructure that we've put in place.
So that's where our [00:11:00] heads are going. And I know everybody comes at this from a little bit different angle, but again we all have different business problems, but it's a business problem solution that we're trying to implement.
Drex DeFord: It's interesting to me that you rope into this, the idea that there's tech debt, there's other challenges in the organization.
You used the Zscaler project and the Zero Trust Program to help simplify the environment. Simpler is easier to operate and run, and it's obviously easier to secure too. How did you get everybody on board with that?
Ryan Winn: it's an ongoing process, so, we're in the early stages of what we're doing and when people talk about a zero trust journey, I think it's just that, and it's one that doesn't really end.
I don't think you ever get to a point where you feel like, Hey, I've nailed it. I am totally zero trust. We're good. What we're really trying to do is build a level of flexibility into the infrastructure that we put in place because, again, I assume, many of you suffer the same challenges.
A lot of different things are thrown at you in a given year. A lot of different [00:12:00] acquisitions. Different business trends, different cyber threats that are coming down the road as well. And so, what we need to do, and it gets back to that simplicity point is. If you can't move quickly, you can't take advantage of opportunities.
And so, what we're hoping to do is our model, continues to progress. Speed to market is one of the key factors. And you can't move fast unless you have something that's repeatable. Repeatable tends to be simple and, simple is easier to secure than complex for sure.
Tamer Baker: I would say it's almost split 50 50 as far as a, who's a business owner of something like this? About half of our health systems, the business owners, the CISO, and then the other half is a CTO because, the CISOs want the security, et cetera that this provides.
And the CTOs want that simplicity and new way of doing things one of my favorite quotes that I actually put in the book, and I'm gonna paraphrase it 'cause I don't remember exactly how it was quoted by the CIO, it was the CIO of a. Large, [00:13:00] very well-known brand. And he said we can't keep innovating by trying to put new technologies, new applications, new innovations into, 20-year-old architectures, right?
It doesn't work well today. So when you do this simplification, it allows you to innovate faster. If it's a new physician that wants a new thing. New application, new da Vinci robot, whatever it may be. Or it's a business innovation, new acquisition, whatever it may be. Being able to have a simpler architecture, which is also secured, but allows you to do this innovation faster.
And that's one of the business values, that we actually talk about in the CXO vision.
Drex DeFord: Yeah, I love that. So for you, Tamer, what opportunities do emerging technologies like AI opportunities and maybe challenges that new tech like AI present when you are trying to integrate and field a zero trust [00:14:00] framework?
I guess we can't have a webinar without talking about AI. We never, we can't have anything anymore without talking about AI. There's so many different forms of AI, so this can go in many different directions. Of course AI is one of those innovations that everybody wants, right?
Tamer Baker: Everybody needs it. If you're not using it some way, shape or form, or multiple different ways, right? For the clinician side, for the admin side, et cetera, you're gonna get left behind, right? You have to get on that train. The challenge becomes how do you do it? Securely because many organizations, haven't even stood up.
How do we govern it? What are the governance processes? So a lot of people have put just blocks into place and it's stifling that innovation. With something like this in place, though, this structure this way of doing quote unquote zero trust, like what Ryan was talking about, it allows you to implement these new innovations in AI
but doing it securely so that, okay, allow the users to talk to the AI that you want 'em to talk to, which you don't even have visibility on all the, dozens of AI that exist. We'll give you that visibility, [00:15:00] show you which ones users are trying to use, and then instead of just putting a block on there, just because we can see all the prompts and we're decrypting all the traffic, we can see exactly what goes into the AI
you can just block p sensitive data going in their PHI either sensitive information about the health system, et cetera. Just don't let that go through to it. Or the other flip side of it is maybe you're building an LLM, maybe you're building some models for, whether it's research or diagnostics or whatever it may be.
We wanna make sure that stuff isn't getting poisoned. We wanna make sure only the right users are accessing it. Make sure that bad actors can't get to it if they have compromised your system. Those are the challenges, like how do I do this securely and how do I do it to where I can't lose data and I can't compromise patient care, by a poisoned LLM,
but also enabling that business to do it.
Drex DeFord: Yeah. I'm gonna follow up here. Another question that I see practical advice that you would offer CXOs who are hesitant to embrace the zero trust. Process due to perceived barriers. And [00:16:00] you have a great chapter in here about kind of myth busting all this stuff that goes into this, but hit a couple of highlights there.
It's, they're pretty interesting.
Tamer Baker: I'll talk two quick barriers that I've seen commonly. One is the perceived notion of disruption because people have tried to do zero trust in the past with, at the network layer, whether that's ACLs, firewall rules, dACL, microsegmentation with other things.
There's so many different ways people have attempted to do it at the network layer, and. It's very disruptive. Lots of failed projects I've seen in the past that just gave zero trust that negative connotation, right? It became a four letter word in a lot of organizations and outside those organizations.
But in reality, once you see the modern way of trying to do it, you're not doing it at the network layer and you're not trying to deal with IPs and firewall rules, et cetera. It becomes a lot simpler, as Ryan has talked about, and it becomes possible to do this a lot easier. Another perceived barrier is cost.
[00:17:00] And typically that's operational headaches, operational cost, operational burdens on top of, what it would cost to put in a whole bunch of boxes, et cetera. That's another myth that we talk about and bust because. What you find and Ryan also touched on this a little bit, is when we're simplifying architectures, you're also removing.
Costs. You're also taking out legacy tech debt. You're also lowering the cost to manage and maintain this because operationally now you're able to do this with fewer human capital hours because it's a lot simpler way to do it. So those are some of the barriers, and you can have these discussions across different teams in your organization to just alleviate that burden.
What you'll find is if you talk to our customers that have gone through this journey. The care providers actually are happier because we've made it easier for them to do their work with less burden. The security is in the background, they don't even realize they're getting zero trust access to things because it's a lot faster for them and a lot less clicks as an [00:18:00] example.
So it's a much easier process for those care providers and they don't even know it's zero trust 'cause you don't talk about it. In those terms. But we talk about it, well, we're gonna do a transformation or monetization or whatever. that helps alleviate that burden as well.
Drex DeFord: Yeah. I love where the story's going here. Simplification, creating agility for the business to be able to do the things that the business wants to do and needs to do quickly so that they're not hindered by the legacy stuff and the legacy, mm, way of doing things, I guess, that a lot of organizations are mired in. Ryan,
how do healthcare organizations measure success and progress in their zero trust journey? You talked about it being a journey. What are the measurement tools, the measurement things that you're looking at to see that you're making progress?
Ryan Winn: To Tamer's point, when we're talking about Zero Trust, we know that it's an embedded concept in what we're trying to do, but I almost never talk about Zero Trust from...
Drex DeFord: How do you brand it? How are you branding it?
Ryan Winn: Well. So [00:19:00] what we've talked about is, how do you decrease the blast radius when something bad happens? This is in the technical areas outside of technology. We talk about it a little bit differently, but it's really, how do you create more resilience for your organization?
'cause resilience is key, particularly in healthcare. I. We see this time and time again being more and more of a focus. So, how do you create resilience by having redundancies and simplification and, easier ways to do things than we've done historically. The other sort of like internal branding is what we're really trying to do is for years as a CISO.
And I've been on both sides of the fence. I've been a CIO, I've been a CISO and I've, delved on the technology side as well. You know what information security would typically do is they'd make your life harder. They'd say, Hey network team, this is all the stuff that you need to do in order to make us secure.
And as the tools have improved as the approach has changed. As you look at things like, Zscaler and Zero trust in those sorts of things, you get to go back and say, Hey, I'm going to actually make this easier for you. And a lot of those protections that [00:20:00] we relied on in the past. You can take out some of those things.
So we talk about network simplification that has absolutely nothing to do with a zero trust architecture necessarily. And so it really is how do we clean up our environment? How do we create resilience? How do we, build a partnership where instead of making your life harder, we're actually giving you tools that, reduce the burden of InfoSec on top of your already busy day.
Tamer Baker: Yeah. It makes it so that your InfoSec or IT teams are no longer a quote unquote cost center in a black hole. It's, you guys are helping to enable innovation, right? You're enabling those that are outside of IT to be able to be innovative and do what they wanna do. Pretty sure I quoted this in the book. There was another CISO in Florida, not you, Ryan, I didn't quote you in the book this time, but he said that this gives me the opportunity, this being this model, this architecture. It gives me the opportunity to default on my technical debt. Like for once, I can't keep trying to innovate on top of [00:21:00] my current technologies and just do another update and another upgrade to the latest version of that.
I can default on all that debt and just start fresh. Right. That was powerful to me. I told him, as soon as he told me that line, I was like, I'm gonna reuse this over and over again. Like, defaulting on your tech debt was a fantastic way to put it.
Drex DeFord: Ryan, what's your vision for the role of Zero Trust?
Shaping the future of patient care. You talked on it there or maybe it was, Tamer mentioned it very briefly, physicians, they don't know why they like it, but they know it feels good, right? Yeah. What's the future tied to patient care and obviously operational efficiencies in general on the clinical side.
Ryan Winn: Yeah. I think it's a little bit of a cascading effect. So, when you're able to do things easier and faster for providers and they don't have to think about it it lets them pay more attention to patient care. So, I seriously doubt there's ever gonna be a time that's a physician comes to me and says, Hey, I really appreciate this zero trust stuff that'll never happen.
That's not gonna be a conversation that we have. But what we [00:22:00] can see is. When we reduce the number of times they're exposed to making decisions that could either cause them problems or help them out when we make it. I think we talked about this earlier, when you make it hard to do the wrong thing and easy to do the right thing, it makes their days easier.
So I think ultimately the technology should be fairly transparent. It should be providing a layer of security without an extra layer of operational burden. And as a result, it gives providers the time to, refocus in the work that they really wanna be doing, which is, interacting and taking care of the communities that we serve.
Tamer Baker: I'm gonna be contrary to one statement that you made, which was, nobody will ever tell you thank you for, this is better. Because I've had two different CTOs of two different orgs tell me this. One of them said that their chief radiologist, and they were just deploying this to a couple of the radiologists, including the chief and, one or two others as a test.
That chief, radiologist told him, like, how do I get this out to the rest of my radiologist because this is so much better. It's the best thing I've ever, you've ever put in [00:23:00] my environment Like I need this everywhere. And then the other, CTO told me that their chief also came up to him and actually in the hallway, gave him a hug and said, thank you.
You've made our lives so much faster and better. So that has happened at least. I've heard two different stories of it where you do get a thank you from some of the squeakiest wheels, which are those remote imaging folks out there.
Ryan Winn: So yes. If I get a hug, I'll text the group and I will, uh, affirm your assertions there.
Drex DeFord: I want a photo of the hug in that's right in progress, like a selfie that we can, post. A good problem to have, right? When you have folks coming to you and starting to demand that you hurry up and get it to them because we're not gonna have great place to work scores this year if you guys don't get that tech to us
Tamer Baker: And it's not like he was happy that they were more secure. They was happy 'cause they were getting more reads in per day, life is easy per week. Yeah. Like that. That was exciting for 'em. Instead of clicking on the image and then going and making a sandwich, eating lunch and all this other stuff and then coming back to it, they were able to get a lot more reads [00:24:00] in.
So that's what made them happy. And again, they had no idea they were getting zero trust access and it was way more secure.
Drex DeFord: Yeah. And just a reminder of the folks in the audience, if you want to submit questions, you absolutely can. There's q and a in the sidebar. Let me hit a couple of those.
These kind of could be maybe merged into the same question. The question I'll start with you, Tamer. Go to Ryan. How much difficulty is involved in handling the medical device space versus hospital users versus hospital guests. And the other question is in the same vein, how do you handle zero trust on IOT and medical devices that typically don't have things like user logging or don't support loading a client that whole group of kind of medical device stuff,
how do you guys handle that?
Tamer Baker: Yeah. I think that's a great question. It's done a little differently in the sense that we're not doing medical devices to apps, right? It's usually device, et cetera. The [00:25:00] way you handle it. And the, and I mentioned this earlier, if you were trying to do zero trust at the network layer with ACLs, VLANs, firewall rules becomes exceedingly difficult.
We've changed that paradigm even at that level.
Drex DeFord: The problem there often is that we take, because the only way to do this is. Through the legacy way we've always done it. Yeah. That it's so burdensome that we take shortcuts and create risk that we didn't intend to create, but just, dude, there's only so many hours in the day and so,
Tamer Baker: yeah. The difference now is, again, going back to the simplification and doing things easier, is instead of trying to create rules that way we're able to control their traffic flows by saying, Hey. It's human readable language on a screen. These types of devices are communicating to these things, and do you want to create a rule for this.
You're not looking at IPs, you're not looking at VLANs. It doesn't matter. Any of that stuff doesn't matter. Now. You're easily seeing how things are flowing, and then you can isolate them, so you're creating bubble wraps around them, but in a [00:26:00] human readable way. So now they're protected. Then additional protections are, a lot of these devices today, now are reaching out to the internet, right?
They have to get their updates from GE or whoever that you're using. So we're monitoring the communications as well externally and making sure that, hey, if this device starts talking to command and control. We need to do something about it. So a block that command and control so that the bad actors can't use it as a pivot point to move laterally and then also alert the team that something's going on there. There's a couple of ways that we handle those devices and we do it again in a simpler, easier to read way to do it.
Drex DeFord: Ryan give us some of the practical, real world? What are you guys thinking about medical devices and
things that have traditionally been, like both of you, I've been doing this for 30 plus years.
It's always been a very painful thing to try to figure out.
Ryan Winn: If anybody thinks they're doing a fantastic job um, I'll up your pay if you come work for me. Yeah, it's one of those areas that I think we've struggled with for quite a while. So I would say [00:27:00] what does Zscaler implementation, particularly the data fabric associated with Zscaler has been able to help us do is I feel like we have a much better understanding of all of the things that are on our network.
Our inventory systems, inventory spread between a bunch of different things, the logging platforms that we're using. When we started using this we were able to see what users were interacting. And, where they sat on the network to a certain extent, in a way that we never had done so before.
And we have the fingerprinting services and stuff to, you know, kind of define the devices. What it really has allowed us to do is understand how big the bread basket is a little bit better, and then start developing the strategy. So I think, with all of these kinds of problems, so first that you've gotta solve is do you know how big your problem is and do you know where things are? And if you can answer that, then you can come up with a strategy to move forward. The other thing, just from a very simplistic perspective is if you do it kind of depending on where you start from a zero trust perspective, one of the things you can do is get your users off the network.
If your users are off the network where all of your biomed and [00:28:00] IoT devices are, it makes those a lot less likely to be impacted by attacks and that sort of thing. Segmentation works on a couple different levels there,
but I don't think we're really in a place to, you know, pontificate on our particular segmentation strategy at this point, but I think we're getting really close to having a great plan because of a lot of, you know, the data that we've been able to aggregate.
Drex DeFord: so, one of the things we talked about prior to the webinar and the prep was using zero trust for you to be able to not only see the things that are on your network, but the apps that are on your network, and how that has changed the way you've thought about.
Driving prioritization and risk management and all of that. Tell me a little bit about that story, Ryan.
Ryan Winn: Very much the same way that we were looking for an accurate asset inventory for the things that are on our network. We were able to use telemetry from a variety of different systems to see all of the different applications that were being used.
And it [00:29:00] was a significantly higher count than we did. I don't know that it was 10x, but it certainly was at least 4x what we knowingly had in our databases. But we were looking at, through various versions and all of those sorts of things. And again, going back to the data fabric piece of this, we were pulling in our vulnerability system as well, so we could actually do a little bit better triage of what we needed to work on.
Because again, to your point, Drex, knowing what you have is, maybe it's not half the battle, but it's probably a quarter of the battle. And then you can decide based on the counts, and if you feel like you've got accurate data at that point, you can focus your remediation efforts on the vulnerabilities that are gonna give you the greatest level of protection.
So, again, I think it's the same play as the assets. You've gotta have the inventory and then you know, you can attack your vulnerabilities a lot more effectively. And then as you see that, one of the reasons for doing this is, eventually you want to be able to understand what your users are actually using.
So you've got users, you've got assets, you have applications, and then [00:30:00] the data that is behind the applications in a lot of cases. So if you really understand that, you can do better identity management and understanding what typical use looks like. And I think there's a play ultimately for this where we can take a look at one of our ambulatory clinics and say, Hey, a family practice office that's very successful, has happy patients, is doing well financially, uses this suite of tools in this frequency. That's what our licensure model should look like because, yeah, right now we have a model that says, okay, we don't really know, so we're gonna buy everything. And I think that's another opportunity to maybe decrease some of the costs associated with
Drex DeFord: There's a lot of money to be there.
Yeah. License management. Yeah. App rationalization. Tamer, what else?
Tamer Baker: So I think a lot of what Ryan's describing, there's an actual Gartner framework that exists that he's actually talking about, whether you were talking about it intentionally or not. But for those of you that have seen this, it's one of the top trends that Gartner's put out called CTEM, which is Continuous Threat Exposure Management.
For those of you that haven't seen that framework, [00:31:00] there's a number of elements for it. Step one in CTEM would be, first, defining what you're gonna look for. What types of things are you gonna add into your visibility that you've described. So it's not just assets, but it's also vulnerabilities, it's configuration management.
It's my phishing tests and who's more susceptible to clicking those links, et cetera. Once you've defined that business from a business level, next is what you've described, Ryan, as just seeing what all the bad is. I gotta just uncover the bad, open those skeletons, shine the flashlight.
It gets uncomfortable because you're seeing that stuff, but now you have a complete picture of what all the bad looks like. The third step in it is that prioritization that you mentioned. So I'm going again through the CTEM methodology. When I look at all that information, I'm also looking at, the way to prioritize is understanding, well, where the real risk is. Even if it's the same vulnerability with the same CVSS score and they're both on the KEV, the known exploited vulnerability. But this device is actually not exposed to the internet. It has its, [00:32:00] we'll say CrowdStrike agent, whichever you're using for EDR.
That's gonna be a lower priority for you versus another system that is exposed to the internet. It's missing your EDR agent, as an example. That's gonna have a higher prioritization. But more than that, it also takes into account your mitigating factors, right? So I'm understanding what mitigations I have in place today to help judge your prioritization.
Because I already have this segmented, I already have this, whatever, those lower prioritizations on that risk. And again, the CTEM there's a few other steps to it, but I'll stop there since this isn't a CE conversation, but that's a big part of the data fabric that Ryan talks about, which we offer as part of this package of zero trust.
So
Drex DeFord: To be able to look and see that kind of data. The zero day vulnerability patches come out and I'm always on the two minute drill. I always talk about, patch, patch, this new thing came out. But the reality is it's a lot of patching if you do it. And [00:33:00] because you've got that kind of information, you can actually make some good, solid decisions about what patches are the ones we really need to focus on. And that might not be the ones that you would naturally think of.
Tamer Baker: Just to close off on the CTEM thing, there is a step in that too, which is remediating and having this extra context and workflow management between the different teams so that your Linux team sees, here's the top 10 things you gotta work on and why.
These are the ones you need to work on. And here's the, this team gets that. This team gets that and having that workflow being a closed loop so that when things get fixed, it automatically updates to somebody like Ryan who's tracking this so that he can report to the board or report to whoever he needs to report to.
Drex DeFord: This is our current status of risk, or this new zero day that's all over the news. And the board doesn't even understand why they're asking, but like, Hey, I'm hearing about this. Where do we stand with this? Zero day? Right? Like. It gives you an easy way to track and answer that.
I'm going to go to some of the [00:34:00] questions from the field here.
Drex DeFord: Ryan, where do you start, and what is a typical implementation lifecycle, and what are the steps and how long do they take? And you've talked about this a little bit, but I think this person's trying to get a little more specific on the, where did you start and what were the steps that you went through to get there?
Again, knowing it's a journey too. I think that's an important
Ryan Winn: Right, right. And I will say this, I think Tamer probably has a better kind of general response to this for the steps. If you're working with Zscaler, these are the kind of sequence of events and what is the fastest path going forward.
But I'll tell you, from my perspective, you just start. You have to find a place where you have a problem that you can solve with the technology. And that's where you start. In our instance, we were having performance issues with our proxy. And okay, well, that opens the door to start the journey because we have the underlying thought process that, look, we wanna go down this path. We want to move to [00:35:00] more of a zero trust orientation of the way that we do things. And so every problem that you have winds up being an opportunity to take a step in the right direction. So I don't know that there's a perfect place to start, but if you don't, then you know, ultimately you never get to the destination.
And I think once you start getting traction and seeing success, and you really do solve a problem. You have the opportunity to take on that next problem and then advance, that thinking forward, to the next place. Yeah. So Tamer, I, you probably have a more direct answer than that.
Tamer Baker: So the answer I have, we've seen the journey differently across different organizations based off of the business needs that they're trying to solve for, which dictates the order of operations, right? Just doing something is the best advice. Just get started, because one of the quote unquote barriers that you mentioned earlier, Drex, I only went over two. A third one is this myth that this is a five year thing. It's gonna take us forever to do this. And that's hard for people to want to get started on something that's gonna take so long. It doesn't have to be. So Ryan's [00:36:00] deployment only took a couple months, for an organization that size.
And that's not atypical. Many of our organizations are doing this within the year, right? This is not a multi-year journey. Some of our organizations start where Ryan did, right? That's a great start to it. Other ones start where they go down the path of just take everything off the internet.
I don't want internet exposed things anymore. Let's hide that from the internet, because that's a step one that dramatically reduces your risk as well, right? Once you've gotten started, what does a phase two look like? What does a phase three look like?
And we have on our side when we're helping our customers architect this through. We utilize what your business needs are first. So some people's Phase two is, I wanna work on the data protection side of it, right? And then they start doing data protection across internet, CASB endpoint, et cetera, and all these different ways to do data protection.
Some people's phase two goes into the cloud. And we're doing zero trust in workload to workload. And we're looking for misconfigurations there because they're doing a whole bunch of cloud work right now and it's multi-cloud. It's hard to do [00:37:00] security across multi-cloud. So that's somebody's phase two as well.
So where to start typically is from your business need perspective, right? As Ryan mentioned, like he had a business need. That was his starting point. But the beauty of this is once you've gotten started, it's very easy to expand into the next phases because you're not getting more and more things.
You're just flipping on more switches, right? You're just saying, okay, let's turn this on. Now, let's turn this on. Now let's turn this on next, right? The hard part's done. The very initial implementation, no matter where your starting point is.
Drex DeFord: A lot of us are perfectionists.
We really want to like have a good plan before we start. But the problem is that sometimes, on the Zero trust journey can feel like I'm paralyzed. I don't know what to do because I have to have everything figured out before I start and it just isn't the case. Right. Ryan?
Ryan Winn: It's one of those things, and you get into a place where you've got so much complexity, and there's that saying that's when you find yourself in a hole, stop digging. There's your [00:38:00] opportunity, look for a different path where you're not recreating or adding to historical decisions that you've made.
And I think that's where you break out. And then you have something that allows you, like Tamer stated, it's a platform for innovation going forward. So yeah, a hundred percent agree.
Tamer Baker: I think even a precursor starting point would be having the conversations across the other business units, because if you really want to get started.
We want other folks on board. And again, you may not use zero trust as your terminology, as Ryan mentioned. You may just call it, Hey, we're gonna modernize, we're gonna transform, this is how it's gonna help you, CMIO. This is how it's going to help your teams, chief radiologists, whatever it may be, so that the other business units are involved in that conversation.
Because if you start it without their buy-in it's a lot harder to get their buy-in later. So I think that's a good starting point as well, is those business conversations across the board, which we cover in that CXO vision book.
Drex DeFord: So one of the questions from the field, and Ryan, I'll probably just try to [00:39:00] wrap it up with this one.
I can't believe we've been on this long already. There are so many things we could talk about. This is a great conversation. The question is very much tied to, Tamer's reference there. What service lines and stakeholders have you engaged with? And which of those have become the most valuable partners in justifying and implementing a zero Trust enterprise?
Ryan Winn: Yeah. I try to be really transparent about things. So I talk to everybody. I talk to our applications team, our technical folks, networking. What I find is, it's our operations areas that are actually strong advocates for trying things because they're the ones who experience the pain on a day-to-day basis of how long it takes us to do X or the outages that we're creating with Y kind of thing.
So I, think you build advocacy for a product by solving people's problems and that's, ultimately they become the folks who help drive things forward. But for those people that you need help with, in order to implement these, [00:40:00] you have to make 'em part of the decision making process.
They have to be included. Everybody thinks they're a change agent until they're not involved with a decision that gets forced upon 'em. So I think it's a really good idea. Pull as many people as you can and make it a group effort. Not have it be a CTO thing or a CISO thing.
This is really an organizational effort and we're gonna try to make things better.
Tamer Baker: Yeah, I'll say our most successful deployments in healthcare are always the ones where it's all the various teams working together in it. Because it is multi beneficial, it is beneficial to the CISOs team, the CTOs team, the CMIOs team, like everybody benefits from it.
And when they're all working together on it, it makes things so great. I love those partners that are working together like that.
Drex DeFord: Everything's connected to everything else. So when you can get the right sheet music and get everybody playing the same tune, whatever the right analogy is, headed in the right direction, it can be really cool.
Thanks guys. I really appreciate it. This has been The Zero Trust Hospital: [00:41:00] Revolutionizing Healthcare Security for the Digital Age. A webinar with Ryan Winn, the CISO at Advent Health, and Tamer Baker, the healthcare CTO at Zscaler. Thank you guys for being part of this today. It's been a lot of fun.
Tamer Baker: Yeah. Thank you. I can't believe we talked for over 45 minutes and it was just a breeze. So thank you for moderating.
Drex DeFord: Of course.
Thanks to everyone who joined us today. We really appreciate you. We appreciate the questions that you asked. Some of them were incredibly insightful.
Don't forget, you can download Tamer's book right now. Go to thisweekhealth.com/zero trust, and then scroll down. There's a link to download the book. It's in bright red. You can't miss it. Go do that right now. And of course, thanks to our partner Zscaler, who made the whole thing happen.
We're really thankful for the great relationship we have with your team. I'm Drex DeFord from This Week Health and the 229 Project. Again, thanks for being here, and it's cyber security, so stay a little paranoid and we'll see you around [00:42:00] campus.
Thanks for listening to this week's keynote.
If you found value, share it with a peer. It's a great way to discuss the issues and in some cases, even start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. That would be really appreciated. Thanks for listening. That's all for now.