This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Part of what we talk about when we bust these myths is it's not disruptive. You can actually implement this in a good user experience fashion where your health care clinicians don't even know what's going on in the sense that everything actually gets better for them.
Welcome to This Week Health. Today, we are continuing a six part series on Zero Trust Hospital, the CXO Vision.
It's a new book by Zscaler. I have one of the authors, Tamer Baker. He's the healthcare CTO for Zscaler. He's with me today. I'm Drex DeFord, president of Cyber and Risk at This Week Health and the 229 Project. Welcome to the show, Tamer.
Thank you, Drex. Happy to be here. Excited to be here with you as usual.
This is a great time.
It's always a good time. We always have a lot of fun together, whether we are at the Health Sector Coordinating Council Cybersecurity Working Group, or one of your favorite conferences, or sometimes we just actually hang out with each other. So [00:01:00] I'm really glad you're here.
Thank you.
I'm happy to be here.
We are going to cover in this episode some of the common misconceptions about Zero Trust. We're going to do some Zero Trust myth busting. What do you think?
I love it. Yeah, it's one of my favorite topics in the book.
Yeah, let's just start from the big perspective.
What's one of the biggest misconceptions about Zero Trust that healthcare leaders face? And how do you address them?
I would say one of the biggest myths, there's a number of them that we cover in the book, of course. But one of the big things that I immediately am drawn to is almost like you bring up the word zero trust, you can get the eye roll.
No, that's a three to five year project. We're nowhere near ready for that, right? That's a big myth in the sense that they think it's this long, big, cumbersome project that's going to take years and years, that you're not ready for, the team isn't ready for, everybody needs, you know, there's so many changes, all these things that happen. I think that's probably the biggest myth that we want to bust using this chapter in the book, which basically boils down to: it's actually [00:02:00] not as long of a project as you think, it's not as hard as you think.
There's been so much marketecture out there and so much FUD being put out about Zero Trust because of that huge explosion of that buzzword a few years ago, and now we have to bust through all that FUD. There's other myths, of course, that are pretty major ones, like it's super disruptive in a health care environment.
So disrupts patient care. And the expense of it too is another piece of it that people think that zero trust is. There are other myths in the book, but we don't want to spoil the whole book, but those I think would be pretty big, important myths to break through.
So if you think about just starting with the beginning of that this is a long project.
It's going to take us years to get it done. It's going to be hugely expensive. I'm trying to think, we were in a meeting together not too long ago. I think it was maybe one of the cyber security working group meetings and somebody said, it's hard to eat the elephant one bite at a time when the elephant is standing on top of you and just basically stomping the crap out [00:03:00] of you.
That's right. Hopefully I can say that. But zero trust is really built to still allow you to eat that elephant one bite at a time, even when it feels like on some days the elephant's standing on top of you.
That's right. And not only standing on top of you, but dragging you with it as it's stampeding, right?
That's what it is. It absolutely can be done in that way. And part of what we talk about when we bust these myths is it's not disruptive. You can actually implement this in a good user experience fashion where your health care clinicians, for example, don't even know what's going on in the sense that everything actually gets better for them.
Examples, we have customers that I can talk about where we've got 50,000 users at a health system that were able to deploy this in three weeks using an intern, right? So an intern obviously very quickly got a job as an engineer after that, but if you can deploy such a large health system in that short amount of time, it makes it viable, right?
Because it doesn't have to disrupt how you do [00:04:00] things today. It just simplifies a lot of it and then you quickly and easily start not renewing contracts for all the other stuff as time goes on. That's how you do it one bite at a time. The other beauty of it is, and we talked in the previous episode, where Zero Trust helps in all the different phases of an attack.
And when you think about it, you start being able to phase out all these other pieces, products and platforms that you may have already invested in as those things are coming up for renewal. So it makes it easy to just turn those things on. And once you've deployed, let's say the agent as an example,
all you're doing is turning switches on, right? Say, yep, let's turn this feature on now and then start configuring it. We'll turn this feature on. We see how everybody's talking to everybody else. We see what applications are being accessed and then start narrowing it down from there. So you're just flipping on switches, the quote unquote deployment part of it becomes drastically reduced because it's already deployed.
That's amazing. There's this myth about needing a single vendor for zero trust. True, false. [00:05:00] What's the myth and why is that one harmful?
Yeah, one is a huge red flag. If you ever go to sell or have a meeting with somebody and they say, if you buy me, we'll get you zero trust, that should raise some significant red flags in your head.
There is no one single vendor solution for this. And if somebody's trying to tell you they can do it all, I would be very leery about that. You don't want the fox guarding the henhouse, as an example, especially when that guarding the henhouse part is not very good at all the different pieces of Zero Trust.
It is a multi vendored approach. You're going to have to use multiple vendors. It is a way to do this where you narrow down from many different vendors in your ecosystem to just a handful of strategic vendors. And the beauty of this ecosystem of Zero Trust is that handful of strategic vendors are all interconnected, right?
They're all partnered. They all work well together. They all work well for you as well. They're, everybody works as this ecosystem to make it happen in a really smooth and seamless way.
Yeah, I came from that [00:06:00] space too. So the world of a set of very trusted partners who are actually helping to superpower every other partner's product.
Because of the specialty, the special things that they bring to that party is pretty incredible. Can you talk about that? Can you give any examples of that? The way that the partners in that whole Zero Trust ecosystem work together to make Zero Trust better?
Yeah, I'll give a couple of quick examples and we're actually about to launch a webinar too with an ecosystem of partners talking specifically about this. A great example would be one that you're very familiar with, which is CrowdStrike. So when we are making these decisions, if these users are allowed to access something or not, we take into account, does CrowdStrike think that they're safe enough?
Are they healthy enough? Is that machine, they actually have a zero trust assessment score. We'll take that score and say the score is high enough. Give them access to that medical record. Maybe their score is [00:07:00] lukewarm, right? Not dangerous, but not very great. Give them read only access. We can, let them still operate and do their job, but I can't actually access the file to be able to put malware into it as an example or exfiltrate data.
We also do that intelligence sharing, the threat intel, right? Because CrowdStrike gathers a lot of threat intelligence and we gather a lot of threat intelligence. We actually share them bidirectionally. So they have when we discovered something brand new, CrowdStrike protects all their users with it too, in both directions.
The other great piece, I'll talk about the Imprivata integration. We're Imprivata's only certified cyber security partner right now. And it's a great use case because if you think about zero trust and security on a shared workstation today, your users are tapping in and out of that shared workstation.
Today, the way you're doing it is you have to have one all or nothing generic security policy on that workstation. They are either allowed to do something or not, whereas with this integration, as soon as a clinician taps in, maybe it's a nurse, they get a security [00:08:00] profile on that workstation for what they're allowed to do, and then as soon as they tap out, and then a doctor, as an example, taps in, maybe they have a different profile, and they're allowed to share a medical record with a colleague over in India, as an example.
So there's different personalized security policies that come into play as they tap in and out with our Imprivata integration. So these are two very short examples of how we work well together to make sure the ecosystem works for you. And it's supercharged in both directions now to be able to empower your teams to do their jobs easier and your users are happier because it's all happening behind the scenes.
We talked about this in a previous episode, this sort of being able to scratch the itch of both these issues, making it easier for end users and helping them feel more comfortable that they are only allowed to do the right things and that they can't do the wrong thing from a security perspective and at the same time make operations better.
A great example with Imprivata and clinicians. Do you have similar examples for business [00:09:00] operations folks or researchers that you've worked with and how Zscaler's made their life easier?
We talked about a squeaky wheel before of remote radiologists as an example. Institutions nowadays, health systems, have researchers bring in money, right?
They have to have the access that they need, that you're not allowed to manage their systems. It's wild west when it comes to the research side of your house, right? Oftentimes you can't control a lot of it and you can't control other parts.
And sometimes it's the other way around. This is where again, zero trust helps. And this is part of the myth busting, right? Makes it seamless and easier and more cost effective. All these are myths that people think it's going to take a long time. You give researchers access to what they need, you give them, you host a web portal, you give them a cloud browser where they don't even need to install an agent or browser or anything like that, and they have access to everything that they need, but they're coming in
securely using whatever browser they want, whatever thing that they want to use to access their research so that you don't have to mess with them, but as [00:10:00] they're coming in, no malware can enter the environment, and they have only access to what they need and can't move laterally anywhere else in case somebody does try and take over that box, somebody's infected it, whatever it may be.
So that's another fantastic use case that we can talk through.
Researchers are challenging. Health care in general is challenging. It's why the zero trust model is so appealing to me in a lot of ways.
Hey, thanks for being with me today, Tamer. I really appreciate it.
Thank you. This was a fun conversation as usual.
Thanks for tuning in to episode four of our Zero Trust series. You want to dive deeper? Don't miss your chance to get a signed copy of the book at HIMSS along with the other book in this series, which is called The Architect's Approach. That book is really more targeted at your team.
And if you can't wait, you can register now with the link that we'll put in the video description to receive the ebook right to your inbox. So we've got two more episodes in the series and an upcoming webinar on March 27th. There's still a whole bunch more on this topic to [00:11:00] explore, so stick with us if you want to register for that webinar.
Visit thisweekhealth.com slash zero trust and get your name in there. Again, thanks, Tamer. Glad you're here.
Thank you, Drex. Happy to be here.