This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] This episode is sponsored by ARMIS. Are your medical devices truly secure? ARMIS allows you to see, protect, and manage every device and asset in your environment, from the most common to the most complex across your health system, medical, IoT, or operational. Reduce risk, ensure compliance, and safeguard patient care with a trusted partner in cybersecurity.
Don't leave your devices and your patients exposed. Visit thisweekhealth.com ARMIS today to learn more.
Today on Unhack the News.
(Intro) By no due fault of their own, there is a supply chain of what happens in the patient care continuum. And if any one particular piece gets broken, yeah, you have something compromised. But the question is, what level of exposure were you willing to give in that clinical setting?
Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of [00:01:00] This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories.
And now, this episode of Unhack the News. Hey everyone, I'm Drex. This is Unhack the News, and I'm really happy that you're here today.
I've got Mick from Armis, and it's the first time you've been on the show, Mick. I can hardly believe it, actually.
I've done a couple of things with Bill, but some of them were ones we did at HIMSS, and I don't think the recording, with the background noise and everything else that went on... I think it was last year.
But no, mostly everything else I've done with you guys tends to be more on the intimate side, the round tables or the dinners or whatever else. But yes, it's the first time you and I have known each other well enough, long enough, but yeah, I look forward to having a good conversation today.
I'm excited about it. Let me start here, since it's the first time Armis has been on the show. First time you've been on the show. Tell me a little bit about the company. Tell me a little bit about you.
Yeah, Armis has been in this space. I've known Armis for a long time. Formerly, when I was at [00:02:00] PwC, I knew them.
We were building out our OT lab a while back and got to know Armis from that perspective. Got to introduce them based upon what they did in that space. Obviously then, the entire platform for Armis basically covers the IT, OT, IoMT, medical device side of it, obviously. We've added a couple of different tuck-in acquisitions in the past 12 months.
That'll allow us to do a couple of things that are slightly different around remediation, and also then what we call early warning or advanced threat. The overall platform operates in that space. It's highly evolved into what we do for seeing assets, in any shape or form identifying them and then prioritizing what needs to happen with them based upon vulnerability, based upon actions, a class one FDA recall, something like that, basically that links to how they work.
It's been a very interesting ride since I've been here. It's 18 months as of this month.
18 months. Tell me a little bit about your background prior to coming to Armis.
Yeah. So prior to that I did a quick stint over at World Wide Technology. I got exposed to working in the value-added reseller space, worked with them and the executives there over some different pieces and [00:03:00] parts of working on their centers of excellence and what they were doing to build out parts of that.
Prior to that, I was almost 10 years at PricewaterhouseCoopers. I was involved, they brought me on initially to help run the healthcare vertical. Later on, I worked heavily also in the oil and gas space, but if anyone goes into my LinkedIn, they'll quickly see that I've done stints with three of the Big Four.
Hopefully no one holds that against me, but I've had a pretty good and great consultative career. I had a quick stop with a group called Stockwell Consulting, two brothers who basically allowed me to build out a kind of a forensics-based business that focused a lot on healthcare. Their entire market was a healthcare-centered EMR that worked back in the day on Windows 95.
I think sometimes consultants take a bit of grief. I know that I did when I was a consultant too. But I think there's a part of this that is, you get to see so many things at so many different places so quickly. Instead of going to an organization and being there for four years and going to the next organization and being there for four years, you get so much exposure to so much stuff so quickly that [00:04:00] I think it's a great experience. If people can at some point become a consultant, they should, because of all that pickup.
Look, the thing is that it's different from a perspective of, as much as I'd clean up in a suit, shirt and tie, I happen to be a wrench turner, right? So I grew up on the technical side of it. They always said I was the nerd in sheep's clothing based upon how I present myself.
So that was just the way it was. But it's good to have a balance. I had some great experiences while I've been in those situations. I've played the acting CISO temp role in a couple of hospital settings while I was working in those things, which was very interesting in itself, but they called upon my expertise through breaches or through identity management or forensics response, or a whole litany of different things.
So yes, you get very much exposed to a bunch of different things, but culturally then you get exposed to how different either hospitals or payers or providers in general will operate, and every culture can be different when it comes to that, depending on whether you're mid-size, large, specialty, pediatrics, maybe cancer centers. It's all very different.
Absolutely. Okay, cool. Let's get to the stories. There's a story in [00:05:00] Inc., but there's a bunch of stories that have been written about Salt Typhoon and all this stuff that's going on with the Chinese. Last week, the FBI, along with CISA, issued warnings about messaging apps and encrypting messages.
I'm sure you all are involved in this and have a take on it. What are your thoughts about that story?
I have varying degrees of thoughts on this. There's a lot of different parts and pieces of lots of organizations, Drex, at work here, right? So there's the aspect of being an open forum.
Everyone uses traditional messaging, whether it's through the Google function of what you do on your phone, iMessage, or then you've got the WhatsApps of the world or all the other things. As somebody who happens to be living in America with a ton of relations and friends at home in the European isles, I have to have other apps to communicate with my friends and relations.
So it's not uncommon for me to have WhatsApp. It's not uncommon to have this. But back in the day, if you really want to go back to the original, I'd say back in 2014, '15, if I'm not mistaken, it was Signal, right? We all know who's been very involved in what they did. They [00:06:00] have probably led the way.
I would say one of the earlier adopters of how you handled messaging and encrypting messaging. I looked at what that article was talking about and where they're thinking all of this should go. Obviously you can go through the adoption of what you would want to do with maybe moving that application into your form.
I think there's going to be a balance in the United States of how we're going to manage making sure certain specific types of data get encrypted, or messaging goes associated with that. I think we've got plenty of regulatory oversight that talks about whether you're pushing PII, healthcare information, banking information, everything else that ties into us taking a little bit more time and care on how we move information around from one phone to another.
I'm not saying that we all may or may not have children who are always asking, dad, can I have a credit card, please? Can you send it to me? Or can you send me a snapshot? And what do we do? We fall prey to that thing when it's a quick, instant thing. My windshield's broken, AAA hasn't arrived, pick your du jour.
So I think with the way they message it is that we need to consider it, right? I think this is giving the [00:07:00] warnings of what needs to be done. I would say then, on the other side of it, I am very surprised that more corporations across the globe haven't moved to an actual consistent platform for encrypted messaging.
And the regulatory laws may change some of that. There's elements of GDPR that can be brought into this, right? You've got the elements of European privacy law that we'll have along to. South Africa now has its own privacy laws. There are a lot of different ways you can go with this.
Lots of states now, too. Lots of states are implementing their own privacy rules.
Texas has, I can't remember the exact numbers off the top of my head, but Massachusetts, California, each one has doubled down on their own versions of what they want to do around the privacy law.
So I would say there's more to come, but if you're going to consider it, then there are ramifications to availability, right? Obviously, is it viable for all levels of risk? Are you going to hone it into specific types of information or conversations? Maybe it's board level, but this goes back to data protection, data classification.
Do you already have all that kind of organized properly [00:08:00] first? Before you start compromising how you're going to push out, and think about how this would impact a cultural effect within an organization. There's a lot to consider.
I think there seems to be a challenge of, just, if I decide I'm going to use Signal, then all of my people that I'm going to text with also need to be on Signal or WhatsApp or whatever the case may be.
And then one of the articles goes on to talk about the sort of strange situation of the FBI and CISA saying use encrypted apps, but out of the other side of their mouth, they talk about how encrypted apps keep them from being able to solve crimes.
That's correct. And so there's a little tug of war there, don't you think?
Exactly. And I can speak on this from the forensics world specifically. It almost seems like they're, and I'm not saying they're doing it intentionally, but it is counterculture to say, I won't do this and this, until a corporation per se has done something nefarious. It may go all the way to the CEO, and lo and behold, we can't unencrypt what was going on with the messaging for any of that.
And there are pockets of good and [00:09:00] bad for both sides of it. But again, you really have to think about your own corporate culture of what you're going to do within an organization. We obviously are highly interested in what happens in healthcare. I'm sure there are pockets of where this exists already in healthcare.
When it comes to it, it'll be very interesting to see how you start pushing clinicians into a space of using this stuff. Some may go with it and some may push back, right? And that's kind of the world we live in, in healthcare.
Speaking of privacy, there's another story that I thought was weird and interesting.
And that is that Walmart, the big box store, bought a TV manufacturer called Vizio for 2.3 billion a month ago, or a few weeks ago. And as it turns out, when you really dig into it, the reason that they bought Vizio wasn't, the logic would be like, we're going to sell Vizio TVs, and so we're just going to be able to build them and make even more money.
And I'm sure that's probably part of it, but Vizio has this underlying proprietary operating system called [00:10:00] SmartCast, and SmartCast has 19 million active subscribers, and what they really want is the data and then the ability to be able to broadcast commercials into those Vizio TVs, into your living room and your bedroom.
The unintended consequences of the things that we do that give up privacy? What do you think about that?
I would say, look, Vizio, okay, the entire TV market in general is an anomaly. Like, we've all been switching out over slow periods of time. I would have said, Drex, we would have had TVs that would have been non-smart.
Let's go with that version first. The more and more we switch into, the more and more we connect into our own direct homes via Wi-Fi, via hard-line connectivity. These Samsung, Sony, pick your du jour, all sit out there and they've got their own platform. That then allows you to pull up applications, right?
In each application. I happen to be a Samsung house, but I am all Samsung all the time. Everything that I have is connected through a singular email address, but everything that's fed to me is [00:11:00] fed to me based upon the subscriptions of what I have in the background running, whether it's ESPN, whether it's Hulu or whether it's everything else. All of that information is captured and aligned on to the platform that sits on that TV. So there is a consistency of replica around the house of how those applications are consistently presented to you. There's good and bad for that. This is the consumer battle of what we fight with the privacy side of this, right?
We want to subscribe and we want to have ease of use. But you have to give to get, and there are plenty of situations, and it just happened, I think, right after Thanksgiving here in the U.S., that an alert came up on the TV: our terms and conditions have changed. Something.
Most people go click okay. Yep, that's it.
I actually, not being the nerd I was, just out of pure curiosity linked into it, and yeah, there were some changes in what they said they were going to be doing with the data. Nothing that was not anonymized. But they didn't mention that it was not, it was going to be anonymized information on what they were going to be feeding back to help support what they needed to do to improve their platform.[00:12:00]
But that kind of leans into, if you've got 19 million subscribers on any given day, that's quite a chunk of change in the U.S. or across the globe on what they're doing. I think you're brushing up against what we fight with the telco companies, right? When it comes to that anonymized data, quote unquote, that ends up being data-protected information on how we consume, how we do our phones.
You've just literally taken what we've been doing on the phones and fighting with the telcos over for the past five years, and you've just shifted it to the TV.
It feels like it keeps shifting too. One of the big stories from a month ago was 23andMe and the stuff that's been happening with all the genetic testing data.
And as these companies start to struggle a little bit, what happens with that data? It seemed really not a big deal when we spit in the tube and sent it off 10 years ago, and we found out that we were Irish. It just seems like there's a chronic condition now that's...
Yeah and they're not the only ones, right?
So I would say at the end of the day, I have three younger [00:13:00] brothers, and maybe we're a little bit more closely aligned to what happened on our side of the ocean. So I don't have to go searching. I don't think I've more than three different bloodlines in me, so I'm not going to be all that interested.
So at the end of the day, I understand the ideas of always searching and looking for what that is and everything else in the historic parts of what makes up your bloodline. That's all well and good, but you did give over basic DNA and informational things that tie into what happens.
And I always go back to certain things that were going on between 2012 through 2016, when specific institutions across the United States, particularly healthcare, were being attacked. And they were playing the shiny object game, which was, we're over here to steal information around PII, and lo and behold, they weren't; they were actually studying and looking for specific types of things. Back in the day, the largest genomic institute in the world is in Beijing. So if you don't think that there are parts and pieces of what you want to look at when it comes to that genomic or DNA-based information [00:14:00] and that there may be something longer or bigger, what I would call the long game around what it is.
Yeah, there's going to be an impact to your personal information. Sure, I'll take that. But what are the long-term effects of what you're going to do when you have basic sets of DNA that can be exposed there based upon blood type? Based upon history, based upon an awful lot of different things that make up you.
Not just you, but many people like you.
Yeah, the lesson here ultimately in all of this is, be really thoughtful about what you put in when you sign up for things, because you think it's no big deal, or you may think at the time it's no big deal, but just look out over the curvature of the earth and think about how this data might be used by somebody you did not intend to give it to.
And that's the thing. Again, I don't know if we're always looking at everything through the lens of everyone's doing something nefarious, everything could be a conspiracy theory, right? You can't live your life that way either. There has to be give to get, and there are ramifications of that. We still go into hospital settings, we still go into clinic settings.
Our information could be [00:15:00] compromised as easily there as it could be anywhere else. By no due fault of their own, there is a supply chain of what happens in the patient care continuum. And if any one particular piece gets broken, yeah, you have something compromised. But the question is, what level of exposure were you willing to give in that clinical setting?
Or in a consumer-based setting, such as what Vizio is doing? Or in any kind of setting when it happens to your iPhone or your Google phone?
I think about, so going back to the TVs, I think about these TVs also being in rooms in healthcare systems. Do you all... how do you help with that?
What do you see? How do you help? Can you help with that kind of a situation? If nothing else, just letting people know what's there.
Yeah, first things first. I think the world has changed quite a bit. There are even impacts recently to Sarbanes-Oxley, we'll call it 2.0, that kind of got released last July, went into effect in December of last year, which is now leading to specific categories of different parts of the regulations as you're signing your annual code.
Your Ks or Qs, [00:16:00] that there is a written function of what is tied into what happens within IT or in the broader system of any corporation in the United States, or people following Sarbanes-Oxley, is your inventory, and inventory is categorized vaguely and broadly. So what does that mean?
You could be held accountable if you're not inventorying things at a level that at least shows non-basic negligence, that I had an idea of what was going on. I think what happens in these settings, with the unbelievable levels of intelligence, like a TV, that has dramatically changed, is one, they're showing up in the network, and you don't realize they need outbound or inbound connections for them to work, right?
First things first, I'd love to know that it's there. Two, it's connected to a network. Three, it needs access to the internet. There are ports of, now you've added risk. Manageable risk, but still, it's risk. But if I didn't know it was there, how am I going to manage it at all?
You have an idea though, what good looks like when the TV is communicating with the outside world, right? And that you can [00:17:00] talk to this IP address or you can talk to this IP range, but nothing else.
Correct. Between myself and Mo, we're in front of customers either weekly, daily, all the time, and I'm constantly listening and learning about what everyone's dealing with, and even the ramifications of the medical devices that are also now linked to the TVs, right? So now you're walking into extremely intelligent hospitals. Some new, brand-new hospitals have come up. I know one recently just got stood up. It was the 229 CIO round table over in Lake Oconee, and just going through an amazing journey of what Atlanta Children's Hospital looks like now.
And it's an amazing situation, what they've done, in creating speed to care for pediatrics. But yeah, there's a lot of technology involved, and a lot of it is based on moving smart boards, smart TVs, smart aperture things. And yeah, you've got to get your hands around it on how all that information is going to be used.
Put to it, through it, and then for it, right? From a perspective of how you're going to manage it. But yes, creating [00:18:00] visibility is rudimentary, right? You need to see it first. I can't even think about managing it or even trying to lock down or protect anything until I at least know it's there. So yes, the segmentation of what we see particularly, and even our competitors as well, is once I see it, one of the things we do quickly is bracket into what levels of telemetry are speaking to it.
So that can be categorized and normalized, right? So if something starts to communicate to it that shouldn't, or that we haven't seen in the past, we alert on it, right? And, or, quickly have an ACL built, immediately push it and send it over to your firewall, that basically allows it to be blocked for the next hour until we've figured out why has that got a UDP port calling in from the 26,000 and above level?
Maybe not the right thing, right? So that is how we would go. You've got to see it, manage it, and then ultimately protect it.
I hate to say this, I feel like we're out of time, but before I go, I probably should ask you one more question. Tell me about your accent.
Oh, maybe we have the accent.
It all [00:19:00] depends in any given situation or parts of America. I find it very funny that everyone claims that I'm the one that has the accent. I'm going like, but don't you have the accent? I live down in Texas, for God's sake. You don't think they have accents?
I go up to Boston, it's a whole cadre of different accents. And then across the Midwest, the further north into the Midwest, into the Dakotas, the Minnesotas, the Wisconsins, they also have their own version of it. I'm originally from a section, a small village north of Dublin called Swords, and I'm what we call a Northsider, so that's basically where I'm from. And that's where the homogeneous version of my accent is. Although I've lived in America for a long time, it's not as wickedly bad when I'm, particularly, one, I've got to be on video with you. And two, when I'm trying to slow down and not be so quick, unless of course I have a wee bit too much coffee in me, or something like what I have behind me, in me.
But anyway, at the end of the day, those are the origins. As of this year, actually, it's been a great 30-plus years of living in America. And that's where I'm originally from.
Thanks, I appreciate that.
I'm looking forward to seeing you as we get into the spring and some of the conferences, and I'm sure we'll cross paths and [00:20:00] maybe we'll have a little coffee.
Yes. A little something else in it, possibly. We'll see. We'll wait till dinner or evening time for that, but for sure, yes. Yeah, and I look forward to seeing you.
We've got quite a cadre of things that hit us early in healthcare, in the springtime. Yeah, I look forward to catching up with you again.
Yeah, thanks for being on the show, Unhack the News. Always a pleasure. I'll talk to you soon.
Thanks, Drex. Appreciate it.
Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.
Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you around campus. [00:21:00]