This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Newsday: Salesforce Breach Spreads and New Liability Era with George Pappas
Drex DeFord: [00:00:00] This episode is brought to you by Intraprise Health, a Health Catalyst company.
Make cybersecurity a priority, not a headache. Cyber attacks put patients at risk and cost healthcare organizations millions. But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable and they feel little control over the safety of their patients, resources, and healthcare reputations. Bottom line: Intraprise Health brings together cybersecurity experts with over 100 years of combined experience in healthcare to offer a comprehensive suite of innovative software and services. It helps leaders finally unlock a unified, human-centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives.
Visit thisweekhealth.com/intraprisehealth to find out more.
Hey everyone. I'm Drex DeFord, one of the principals of This Week Health and the 229 Project [00:01:00] here. Our mission is healthcare transformation powered by community. This is Newsday on the Unhack channel, breaking down the cyber and risk stories that are impacting healthcare. Here's some stuff you might want to know about.
Drex DeFord: Hey everyone. I'm Drex and I have George Pappas with me again today. How you doing, George? Good. Great. Drex, how about yourself? I'm great. I, you know, one of my favorite guests. We always have a ton of stuff to talk about. How's everything going in general, though, before we get started?
George Pappas: Great. Great. Looking forward to the fall after an interesting summer. We're cranking along and the industry gives us plenty to talk about, doesn't it?
Drex DeFord: It does. And I curse you for calling the end of summer. No, I'm just kidding. I know. I'm trying to stretch it out as long as I can too. There's a bunch of good stories that we kind of did a little prelim discussion on.
One of them is about SBOM guidance from CISA; it comes out of Healthcare IT News. Yeah. And it's about their draft guidance for SBOM minimum data elements, all those kinds of things. [00:02:00] Start off, pretend none of us know anything about anything. Tell me about SBOMs, why they're important, and what this story kind of tries to drive home.
George Pappas: Yeah, I would basically say, you know, the SBOM is like an ingredients list on the side of a package you buy in a grocery store, right? Mm-hmm. But it's supposed to be thorough enough and useful enough so that we can look in the ingredients and say, well, do I really want 5,000 milligrams of sodium?
Well, maybe I don't, and you know, by the way, this other ingredient: is it aged past its due date? How safe is it? Right? And now I'll kind of carve it and relate it to software. Does it use open source, or the modules? What's going on there? So it's a useful notion that's actually been out there for some time.
Uh-huh, and this is the latest, I'll call it kind of a tightening of the wrench on the actual specifications. I think what got my attention about this story was that, you know, the government, [00:03:00] in many ways as the largest customer for all SaaS firms, is helping to slowly drive better practices, because as the government's been transitioning to cloud-based operation, you know, you can just imagine the massive numbers of risks that they're trying to really guard against. And so this guidance, from what I understand, you know, is gonna be required for US government use, or, you know, there's this notion of ATO; people a lot smarter than me understand all the nuances, but it's like authority to operate.
A lot goes into that.
But to me, what really resonated in healthcare was that we continue to have a massive third party problem. And we have it for a lot of reasons. You know, having done this now for a while and just presenting to an audit committee of a billion-and-a-half-dollar hospital last week, you know, it is as much a software licensing challenge, because we have 40 years of liability and, you know, [00:04:00] damage liability practices and pricing models that have to adjust if more accountability's gonna adjust. Or we need safe harbor or something. You know, Senator Warner talked about it like almost three years ago now, right? We need some measurement and management of the liability environment that we all operate in to really address the problem.
And there've been some good proposals, but the other dynamic to this is that third party risk is about more than just the ingredients in the package. It's right. What are the security management practices of the thing you're buying besides ingredients? And the article talked about the lack of integration to the vulnerability database, right?
And you know, even a basic best practice for a penetration test is the: go check those public-facing things. Look them up, look up vulnerabilities in the database. Are they applied? Are they not? And so that integration needs to happen. The other thing that needs to happen is, what's [00:05:00] their security posture?
Is their security program compliant? Right? Or the company that's making the software, the hardware. Yeah. Is it HIPAA? Is it SOC 2? NIST or HITRUST? Right. So that wasn't really talked about. Another thing that we've been doing a lot of work in at Intraprise and our products, to help people consolidate and build security programs, is building our systems using NIST OSCAL, which is an open controls assessment language.
So these are all coming from NIST in various shapes and fashions, but someone has to bring them all together.
Drex DeFord: Yeah.
George Pappas: So there's a more holistic picture of what's really going on besides the ingredient list on the box.
Drex DeFord: Yeah. Ingredient list. You know, I like that. I think that too, when you think about healthcare in general, we're not, generally speaking, we're not builders.
So we're not bakers. We don't go out and get our own ingredients and make our own bread, right? We're way more likely to go buy bread, go to the bakery, right? And then maybe put some [00:06:00] jelly on it or something. And that's the bread that we use, right? That's the product that we use. And then we hit the pandemic and we really got out of the baking business, it seemed like.
More and more, not only did we get outta the baking business, right, but we're not even keeping the bread in our bread box anymore, right? We went to the cloud. And so more and more software as a service, more and more of those things were being built with ingredients that were opaque to us.
Correct. We didn't know what was really happening inside of those applications. Right. So to your point, this becomes sort of like the ingredient list. What are the things that you're doing inside that application? What tools are you using? What databases are you using? What protocols are you using? How are you doing a lot of things inside that, which kind of sometimes turns out to be a black box?
George Pappas: Yes.
Drex DeFord: Getting that set up so that we can actually sort of see it and understand it. But your point being too, like that's just one dimension. Correct. Multidimensional issue.
George Pappas: Right. And [00:07:00] this third party problem is really not going away. It's fascinating to me that just in the last few months, there was a law passed in Ohio, a cybersecurity law, because the federal government's slowing down in some of this. Right.
Drex DeFord: Right.
George Pappas: And a law in Maryland that would've required a more explicit third party clearinghouse that went through the legislature, but was vetoed by the governor at the last minute. So you're seeing at the local level an awareness that there needs to be a little more precision.
Just like the HIPAA NPRM that has not been put in the law yet, had more explicit third party requirements that have not been in the HIPAA security risk assessment, you know, for the last 10 years or so, right? So there's a recognition of that and that's coming, but it's not here yet and we have to operate today, you know.
Drex DeFord: So it is almost like there's, maybe there's something coming eventually, right?
But the reality is, I think you wind up sort of with people in two camps. One is the [00:08:00] compliance group of security people who kind of say, I'll do it when they tell me I have to do it. Right. And then there's the, I think the much more realistic group of people who are like, I don't really care that nobody's telling me that I have to do it. It's the right thing to do.
George Pappas: Well, it's the right thing to do. And by the way, this is another very important angle here. The liability pyramid that systems are facing now, when there's an event, goes far beyond regulatory. It always has.
Drex DeFord: Yeah.
George Pappas: But you look at the last trailing 24 months, because we look at the data, the number of class action lawsuits is up like 10x.
Drex DeFord: Yeah.
George Pappas: Now, if you take Change out, because that was obviously a massive event, it's still up, I'm sorry, four and a half or five x, right?
Drex DeFord: Yeah.
George Pappas: But when you look at what's in those class action lawsuits and the settlements, it's not what HIPAA does, it's what's the standard of care? You knew, you didn't do anything. There's a very different barometer now on risk, right?
Yeah. And now how is cyber [00:09:00] insurance related to this? There was a story, it was a municipality, not a healthcare system, that had a policy. They had an event, it's about an $18 million breach, and the story, yeah, they were not covered because they didn't implement the items that were in the conditions of the policy that they stated they had.
The noose is getting tighter, even while the regulatory part is still kind of rattling along.
Drex DeFord: Yeah.
George Pappas: So it's interesting.
Drex DeFord: It's interesting too. To your point, I just read a story the other day. There are more personal injury lawyers now getting in on this data breach.
Yeah. You know, so like the motorcycle lawyers and the car accident lawyers are now becoming data breach lawyers. Yes. And so they're all over it. And it's, you know, this is like, I don't know, I missed the commercial, usually there's something on TV. Have you had data breached in your health system?
Right. Call 1-800-GEORGE now, and
George Pappas: Hey, by the way, you heard it here first. There will be a John Grisham novel about this within the [00:10:00] next few years because he's such a great writer about these things. Yeah, he has over time.
Drex DeFord: That'll tell you it's really arrived. He, then he is jump, he's jumping on the top, on the very, very tippy top of the wave on this.
Yes. I wanna ask you about another story too. There's a whole mess of things that are happening with Salesforce customers around the world. And I know that you've been following that story closely. Tell me what you think about what feels to be just lots of big companies who are in trouble, not because of something they did, back to the third party kind of element of this, but because of something that is happening in their Salesforce instance. How'd this all happen? How'd it come together?
George Pappas: Yeah. Well, these tokens, right? These auth tokens, you know, to me, as I read about it and dug into it some more, we have already such ingrained integration mechanisms for cross-system involvement, and we store a credential here to be used over [00:11:00] here.
Drex DeFord: Yeah.
George Pappas: You know, these cyber criminals are pretty clever. They can test the edge cases. Right. And in this case, you know, there was a, it was like a, I think it was a customer service AI sales agent that used a, I'm looking it up right now.
Drex DeFord: I read this story, this other part of the story, just the other day.
George Pappas: Yeah. Use, use the, you know, an API. Oh, Salesloft Drift AI. Yeah. Correct. Salesloft, right. So, right. Good thing people wanna do. Right. API access into Salesforce, because if you do a customer, you have to look up their thing. You have to tell them this, tell them that. Well, the cyber attackers were clever enough to use the weakness in that, or whatever had really happened, to get access into those accounts.
Yeah. Guess what they had there? Who did they breach first? By the way, all the cybersecurity companies noticed that.
Drex DeFord: Yeah, exactly. They stole AWS credentials.
George Pappas: Yes. A lot of others. So they're going to the safe manufacturers to get the combinations that are stored [00:12:00] for clients in their Salesforce system. Okay.
Drex DeFord: And they're reaching into Slack because, you know, the customer service bot on the website also has access to Slack. It's also got access to sort of Google Drive material in some cases. So that, thanks for all the APIs. They're really awesome and they let me connect my tool to lots of other things.
But in the spirit of, and I say this all the time, everything's connected to everything else. You find a tiny crack over here and it's really easy to make those hops.
George Pappas: Right. And you know, to me, what was also very interesting about this, of course, it's still relatively new, we'll probably hear more in a little while, but Salesforce has Health Cloud.
A number of hospitals have been using it as their, you know, CRM effectively. So Health Cloud is HIPAA compliant. Would they find a way to get in there once they got in? We don't know. Right. Yeah. So there's some ramifications there. But the bigger picture, [00:13:00] which Bill is writing about a lot, right, is this notion of, you know, that's kinda, you know, last-generation integration.
Now we're gonna be doing these AI agents through these, you know, MCP layers that are more dynamic and flexible. We talked about this last time. I mean, how are we gonna really measure that, you know, and how are we gonna really do our best to trust, as well as we can, the veracity of these accesses and the safety of what an MCP layer is gonna allow to happen inside of a system like that?
And you know, I thought, to their credit, ONC, after meaningful use, right, had a real slog getting TEFCA up and running. Yeah. Because it was the best logical example of a trusted exchange framework. Yes, technical protocol, security, common agreements. So we wanna have 1500 BAAs? We have one to [00:14:00] allow interoperability.
Well, this is gonna require a new level of that.
Drex DeFord: Do you think AI is gonna be able to help with this? I mean, I hate to pile on AI, I think so, AI, but
George Pappas: Yeah. Used in very targeted fashions. I mean, already.
Drex DeFord: Do you have an agent that's watching all these APIs, or an agent that's watching each API, that maybe has some specific kind of
George Pappas: Absolutely, yes. Discover patterns. It's all pattern recognition. Mm-hmm. So that's why there's a lot of promise. I mean, in our product work, our AI integrations have had massive productivity improvements. We're just getting started. So I agree with you. There are patterns to be seen, patterns to be handled, identified, automatic shutdown to be happened, right?
You know, that's not in place yet. And this is running ahead. The other thing that struck me about it, last thing on this story, is clearly Epic at UGM had a very large announcement, which is really, right, Epic as a [00:15:00] platform. Yeah. With agentic access through various swim lanes around different topics.
Right?
Drex DeFord: Yeah.
George Pappas: So how are they gonna do this, right? Yeah. Now I'm sure they can be as stringent as they choose to be, right? And in the best, most important way possible, which is certainly understandable and, given their level of execution, would be, you know, expected. But you know, what will that bar look like?
What will that mean for everybody else? I think that is a pretty important question. Because MCP as a concept is very interesting, but executing it securely in some ways I think is, yeah, it's a lot more complex than building the original system. Original systems were designed for finite states.
Drex DeFord: Yeah.
George Pappas: So there's a lot going on there that I think we're, you know, in the very early beginning of. So.
Drex DeFord: Man, I mean, there's so many places we could go with that. One more story I wanna make sure we hit. Yeah. A lot of overlap with a lot of my friends in state and local government. They've been on a [00:16:00] series of grant programs for the last several years that have helped them build better cybersecurity programs, buy more tools, do more things that they wouldn't normally be able to do given the resources that they don't have. And clearly, I mean, it's really easy to just kind of do a search on this, but every day there's a state or local government or department in a state government that is breached: judicial, you know, major cities, small towns, police departments. Right on down the road, there's a series of industry groups that are asking Congress to expand state and local cyber grant funding because a lot of this work is coming to an end. What's your take on this story?
George Pappas: Well, first, I hope they not only renew but expand it, because in the article they talked about the group asking it to be more than tripled in size, which shows the extent of the need.
And I kind of fold that back to [00:17:00] healthcare, rural healthcare, and you know, early '24, the then Biden administration had a billion and a half dollars just for healthcare, and I think it was about 700 million and 800 million. Seven was for everybody. Eight was for the rural hospitals, you know, and you could take that definition up to a hundred beds, maybe, and down.
I remember, you know, resources, margins, et cetera. And you know, that ended up not getting passed. But you know, we keep saying we have a problem. These are obviously public entities. Critical infrastructure too, right?
Drex DeFord: The 911 system works? Exactly right.
Can we flush the toilets tomorrow? Right. And is the hospital open? Correct. So is the emergency department running?
George Pappas: So, you know, there's enough bipartisan belief, but given the climate, and you know, the Capitol, getting something like this really done, I think it'll be challenging, but at least I hope the [00:18:00] basic renewal will be done and upsized.
But it's a bigger window onto this infrastructure need that we have. And you've seen attempts to address it. You know, Microsoft had this kind of in-kind program for a while. Sure. They did some good stuff.
Drex DeFord: Yeah, right.
George Pappas: There are others, larger organizations that can do that.
Drex DeFord: But there are some states that have stepped into that gap for their own hospitals, New York and others.
Yep. Right. With their law and their funding.
George Pappas: So, but we are nowhere near a systemic problem, and every year we don't, the adversary gets smarter, more adaptable.
Drex DeFord: It is compound interest, right? Yes. I mean, the more that we don't do what we're supposed to be doing, the worse, yeah, linearly, the problem feels like it gets. Yeah.
The more exposure that we have and the more risk, the more actual impact that could happen from an attack.
George Pappas: Yeah. I mean, going back to the liability thing for a second, there were like three [00:19:00] lawsuits on patient deaths from cyber attack, right? Right, because people are using paper, they don't have access to a certain MRI or other machine.
They make a care decision or there's a medical error. I mean, medical errors happen all the time anyway. They still do. Adverse drug events is kind of the nomenclature we use in the biz.
But you know, these things are happening more when a team doesn't have access to certain tools that are offline because of a cyber attack.
And people, it's a complex service, healthcare. They're in harm's way.
Drex DeFord: The other thing that I hear, and I've talked about this before all the time: when a system is offline, cyber attack or not, just when the EHR is down, I often get calls from friends who are clinicians, doctors, nurses, others, who worry about their own, you know, personal license. Yeah. Because if they make a mistake, then they wind up under investigation. Correct. And they may wind up losing their livelihood. And God forbid that anything happens to the patient they're taking care of. I mean, that's even, you know, a more tragic situation. Right. So, all in an environment [00:20:00] where those clinicians are already overstressed and there's not enough of them. And right there, you know, there's too much work for them to do. Yeah, we live in a super complicated world, George. We gotta keep making it better. Yeah. One step at a time. One step at a time.
Thanks. One connection at a time. Right. Thanks for being on the show today. I really appreciate it. It's always fun to talk to you. My pleasure. Take care.
That's Newsday on Unhack with Drex DeFord. Get daily security insights delivered to your inbox, because every healthcare leader needs a community to lean on and learn from. Sign up at thisweekhealth.com/subscribe and stay safe out there. I'll see you around campus.