Newsday: Healthcare Caught in the Crossfire of Iran War with Drex and Sarah
Drex DeFord: Hey everyone. I'm Drex DeFord, one of the principals of This Week Health and the 229 Project here. Our mission is healthcare transformation powered by community. This is Newsday on the UnHack channel, breaking down the cyber and risk stories that are impacting healthcare. Here's some stuff you might want to know about.
Sarah: Hey, welcome to Newsday. I'm Sarah Richardson and joined by Drex DeFord. Drex, happy birthday today.
Drex : Oh, thanks. It's, uh, yes, it's good to be alive. It [00:01:00] was great to wake up this morning and um, life is good.
Thanks for that. Best. Thanks for the good wishes.
Sarah: Of course, and our listeners are hearing this probably a week or two after your birthday. So what's even better is we will make this officially birthday month. So please send well wishes to Drex for his birthday because you know, today we're diving into something that should absolutely be on everyone's radar.
And it's not just a geopolitical story, it's an operational reality that's gonna affect your systems, your vendors, your partners, and most importantly your patients. Two stories broke this week and actually one overnight that together paint a picture of what 21st century warfare actually looks like. Uh, and a spoiler, as Drex would say on his two minute drill, doesn't play out on a battlefield.
It plays out in your data center, your cloud, your medical device ecosystem. So Drex, we're gonna break this down and, uh, tell you what it means for our listeners.
Drex : Okay, I'm ready. What do you, what do you wanna talk about? Which, which story? What do you
Sarah: talk about? I wanna talk about the loop one. Now. Do I say that OODA loop because that's where
Drex : my head went.
[00:02:00] Oh, the OODA Loop one? Yeah. Okay. Remind me, 'cause I, I know we've traded some stories, uh, last night. This is basically the, uh, warfare is a whole new ball game. Uh, kind of story, right? Yeah. The, the, the kind of, it's really interesting, the, the thing that kind of came out yesterday and the, the intention that, the warning, I guess, that the, um, the IRGC, the Islamic Revolutionary Guard Corps, um, gave the world yesterday was that there's a bunch of companies.
That they now have put on the target and attack list, and it's companies like Google and Apple and Boeing and Intel and Meta because in their words, in their mind they think that they assert that, um, those companies are the companies that are providing the infrastructure and the tools that enable the high tech warfare that they're up against right now. So those companies in their minds now have become legitimate combatants in the [00:03:00] war. Um, it's interesting to kind of see, you know, how this evolves in the spirit of, one of the things I say all the time is, you know, everything's connected to everything else that. I, I can, you know, if you can suspend, you know, reality for a moment and kind of follow along with their logic, I can see how they can get there.
Not crazy about the idea. And part of the challenge too is that. There's lots of other companies and lots of other things that we depend on in healthcare that are also tied to many of those companies. Um, we've already seen, uh, AWS data centers in the Middle East come under physical attack from Iranian drones, so they're actually attacking.
Data center infrastructure and that is again, one of the things that I don't know that we necessarily rely on a data center in the Middle East, but we might, it could be a backup data center for something else that you're doing in the US, but it's just interesting how warfare, [00:04:00] this particular instance, has continued to evolve.
It's not just combatants on the battlefield, as you said, it's now definitely cyber warfare is, is a whole new ballgame. It's not just attacking that government, whoever you're fighting and their computers. It has exploded. It's everyone and everything is a target.
Sarah: When you shared, you've been sharing earlier, the deepfake, the employment, the nation states, China, Russia, Iran, North Korea.
Drex : Mm-hmm.
Sarah: They don't hack for espionage. They're positioning inside critical infrastructure for the ability to like, like degrade, disrupt, destabilize the concept of persistent access where they get in and they wait.
Drex : Mm-hmm.
Sarah: So it's not like a strike against a system, it's an occupation.
Drex : Yeah, we've seen the, you know.
Conversations this happened with telecom, um, systems and you know, the [00:05:00] Chinese, the fact that they sort of just like, they get in and once they're in, they don't do anything, right. They just wait. The, the other interesting thing about the Iranian attack, the Iranian attack on Stryker, the pro-Iranian group Pala, and their attack on Stryker is that it wasn't for money.
And it wasn't for, uh, I mean, it, it was just a destructive attack. It was one of those things they put, you know, they put in malware that wiped machines and, and, uh, wiped, um, wiped the phones and it wasn't done because they were trying to hold anybody hostage. They were just making the point. We can do this now, and so we're going to do this especially against critical infrastructure and critical infrastructure companies.
These are all things we've talked about in the past too. The idea that I'm not going to attack. I mean, maybe they will, but you know, the point being it, it's not necessarily necessary for me as a bad guy to attack one hospital [00:06:00] at a time. I can go to these centers of gravity, like Change Healthcare or Stryker, and if I can take that company down, I have this cascade effect across the whole industry.
Sarah: Isn't that really a fundamentally new doctrine that whether you agree with the framing that these communications and AI companies are being used to track and plan strikes, and now you helped aim the weapons, so you're part of it that is. That has massive implications for health systems. I mean, if you've got Azure, AWS, Google Cloud, these aren't a neutral utility anymore.
I mean, if you're an adversary, could they be considered instruments of war?
Drex : I think this is the, this is the logic that the Iranians are using right now is that yes, in that AWS data center, there may be hospitals, but also in that AWS data center are components, tools that are used by war fighters to actually [00:07:00] fight a war, including maybe government systems that are in there too, that under the Geneva Convention could somehow be construed.
I mean, I'm not a lawyer and I'm, you know, I'm a retired Air Force officer, but under the Geneva Convention could possibly, maybe be considered, um, a legitimate target. And we've co-located all of these things with that legitimate target, which makes it very difficult to say, I'm only going to hit server 78 and 79, and I'm not gonna blow up the other servers, especially in the physical attack, um, scenario.
So, I mean, it is interesting, right? We've gone, we went through, uh, COVID the, a lot of this is unintended consequences too, right? Mm-hmm. We used to have all these things in our data centers, and when COVID came and we kind of went hands off, we started having a lot of conversations about how do we get things out of the data center, move them to the cloud, do software as a service.
A lot of companies shifted their gears to become software as a service company. And we did that because it was [00:08:00] easier, more convenient. It was a different kind of, you know, sort of billing process. It was OpEx versus CapEx. We could, we could do some stuff with, the way that we funded some of our applications.
But the unintended consequences of that has turned out to be some of these things we're seeing now as part of the US Israeli war.
Sarah: So is it fair to say then when a nation state takes action, and that could be kinetic, economic, cyber, we really shouldn't be surprised when the response isn't contained to where I guess it was created.
I mean, isn't that kind of how conflict works? And for us, it's not, are you right or are you wrong? It's are you prepared to be caught in the crossfire? And there were two different CIOs I spoke with yesterday who said, wow, our business continuity, resilience, and planning has hit a whole new level because of the A, the Stryker incident, but also what might be happening otherwise with some of these presences in the Middle East.
Like how should we be thinking about all that?
Drex : [00:09:00] Yeah, I mean, I think from a resilience perspective, you're right, things are thrown in another gear, right? We used to, we used to think about, um, the things I need to come back from are the. The hack that might happen in my data center. And then it became a, the hack that might happen to me and my organization in the cloud.
And now we're definitely spending a lot more time talking about third parties and supply chain and looking at every contract I have and every partner who supplies anything to me and the health system and asking the question if that organization goes offline, if that partner goes offline. What's my backup plan?
Like how do I continue to run with Stryker out of the mix? How do I continue to run with Change outta the mix? But as you know, we have hundreds of partners in our health systems. Mm-hmm. And this isn't obviously just about the computer companies, the computer vendors, right, the technology vendors that are supporting us. [00:10:00]
It's about all of our suppliers now. So, you know, how are you getting bandages? How are you getting, I mean, everything, if that company goes offline. Blood, you know, the, the whole blood event that happened a couple of years ago where, um, the donation system, the, you know, how do you cross type and match.
Mm-hmm. All, you know, all of the blood supply system in the southeast wound up jammed up because there were only a couple of companies down there. And when those companies were breached and they went offline, hospitals across the region were like, oh, no. Like, what's our backup plan? How do we do this? So the resilience planning kind of does kick into a new gear, and you do spend a lot of time now thinking you should spend more time thinking about now the whole supply chain, and how do you survive if any one or two or five of those partners go down, not just from a cyber attack, but it could be anything.
Sarah: Well, heck, the hurricanes disrupted IVs.
Drex : Absolutely.
Sarah: And other aspects. And so there are [00:11:00] perfect storms of things that could all be lining up. And I mean, I'm not the bad guy, but I've also been told like you have to think like the bad guy to be able to, to a degree, even keep up with them. 'cause sometimes it's even harder to outsmart 'em.
Especially, I mean, AI makes bad guys matter. You know, it's one of the things that I was sharing with a friend last night.
Drex : It's really interesting too. So this idea of resilience and learning from the bad guys. So when this pro-Iranian hacker group ela
Sarah: mm-hmm.
Drex : Uh, hit Stryker, uh, within literally a couple of weeks, the FBI, Department of Justice, other law enforcement organizations, took down the ELA websites, um, just went out and completely tore them down.
And within a couple of days, those sites were back up and running. And so the bad guys are really good at resilience. They don't build for permanence, right? They build for, we've gotta be able to get back up and running as soon as possible. That's their whole business model. And so, I mean, really it's, it's been very interesting to watch the last [00:12:00]
Month, all things that we know, but then we get to actually kind of see it in action and, you know, double check ourselves like, this is, this really is how they work, this really is how they think.
Sarah: Yeah, I mean, Stryker's attack, used Stryker's own software against them. And to think that your supply chain could be at that level of risk because you may not even know it.
It might just be sitting in wait for something to happen and if you're watching, you know, weather patterns or other aspects of what is that true, perfect storm of things coming together. Drex, as we close out, just this part of the conversation is you're the CISO and you're at a regional health system.
You may or may not have all of the uh, dollars available to you or all the support operationally for some of this continuity, resilience planning. What's the call you're making right now? Who are the people that you are presenting the facts to so that the appreciation [00:13:00] for how real this really is is being heard?
Drex : Yeah. If you're, um, you know, I think if you're in the seat right now, uh, the power of storytelling, uh, becomes incredibly important. And a lot of this is the story of. What's happening, how it's happening, why it's happening, uh, using examples of other companies who've been affected and how that's affected healthcare.
And then. Helping to tell the story about how that impacts business and clinical operations and patients and families. And that's the, that's the story your executive peers need to hear. They don't need to hear the details around the server names that go down or the, the hacks that are being used, the all the mumbo jumbo language.
Talk to them like you're trying to help them stay afloat, uh, stay above the water. And, um, if you can do that and you can do it in, in, you know, true business language, I think [00:14:00] you have a much better chance of sort of getting the resources and the internal support, which is really important on this resilience issue.
It's not about more money, it's about you have to get folks inside the organization to jump on board with this idea that we are going to be more resilient. And a lot of this doesn't have to do specifically with the Chief Information Security Officer or even the CIO. It has to do with clinical leaders and business leaders and research leaders in that case.
So,
Sarah: okay. I lied. You made me think of one other question or another.
Drex : No, no, go ahead.
Sarah: Because I mean, it's, I keep thinking about some of the conversations I had last night just with some of our community and. Some of 'em are exceptionally well prepared, and I keep thinking if you're that much more prepared, does the bad guy do a sniff test and realize, eh, you know what?
Direct access hospital is actually pretty good shape. I'm gonna go after, you know, XY Z's hospital, but so you've got your EMR vendor, you've got medical device manufacturers, cloud providers, all these different partners that you have to maintain your systems. Now they're on somebody's target [00:15:00] list. How do you have that conversation with them about what is in your contract?
Like if now your vendor is targeted by a nation state mm-hmm. How should the contracting language change, or what would that dynamic look like in, in that conversation? Because that's probably not in your contract right now.
Drex : Yeah, the, the important part I think in all of this is this whole conversation that we have all the time, um, with our community around partnership, and partnership with, with our, with our vendor support.
Um, there's gonna be a lot of things that probably you just can't think of everything and put it in your contract. I mean, you can try and there's, you know, there's probably a ton of stuff that if you are working with the right general counsel. Or the right outside counsel who's done a lot of this work, they'll give you good language that you should put into your contract, but it's hard to think of everything.
And as this whole dynamic environment continues to sort of [00:16:00] grow and change and flow and um, you're never gonna get all the perfect language in there, the partnership becomes incredibly important. This, it's not the letter of the law, the letter of the law, or the letter of the contract. It's the spirit of the contract.
It's the spirit of the relationship, and that's what you've gotta work with your vendors on.
Sarah: Having that incident response plan that includes supply chain failure. Yeah. And maybe what their footprint looks like in the Middle East. Like those are legitimate questions
Drex : when you think even you have something going when going on.
Yeah. When you ha think you might have something going on, you need to let us know. And again, that's hard, vague language and you can make it much more specific. But again, when lawyers get involved, it, it can be, um. To be, you know, more specific can be a problem and more vague can be a problem. So it's again, comes down to the partnership, I think.
Sarah: And if you're listening to this, I hope you're also always watching two minute drill, listening to those updates. And then your weekend edition is kind of the wrap up of everything. Plus the new [00:17:00] info. I was cracking up. 'cause I always obviously read, listen to what you produce and it was like Saturday morning I'm drinking my coffee and I started reading through all the stuff you posted.
I'm like, ah. I went from like Saturday morning coffee to like high anxiety alert until I realized, okay, I'm not running a health system anymore. Except that so many people we support and care about are, obviously, and just that fear factor of like 5,800 cyber attacks have been linked to Iran-aligned groups since this conflict began.
Yeah. I mean, and they're targeting infrastructure across US, Israel, Gulf States. I mean, that's not a campaign. Again, that goes back to the sustained offensive,
Drex : It's, it's very, it, it's not, it's not necessarily super well organized either, right? Yeah. So you have the Iranian government who have their own set of hackers, who honestly are some of the most battle hardened cyber warriors in the world because they've been fighting Israel on a minute to minute basis for years now.
So they're really, really, really good at what they do, [00:18:00] but they also have a group of hackers. That are, um, you know, hackers for hire. They're folks that you just give them money and give them some general initiative and they go and destroy things and do bad stuff. And so that's another group that they have under their wing.
And then the other interesting thing about the Iranians is that they have lots of volunteers, lots of folks who are just out trying to deface websites and they wait for direction from the, from the IRGC, and then they sort of take that as their marching orders to go do some stuff. So there and all of that is decentralized.
There's no one place to go to sort of like stop it all from happening. And that's the challenge with cyber warfare today. It's hard to tell who's winning. It's hard to tell who's ahead and who's behind because there's not a central command and control system for a lot of this stuff, especially in [00:19:00] this war.
And so it'll be a, it's gonna be an adventure. We're all learning a lot of, a lot of new lessons, and I do talk about the new lessons almost every day during the 2 Minute drill or an extra, or just in the regular posts, uh, up on LinkedIn.
Sarah: Which is so good because that's the operational reality of 2026, that the, I guess perimeter of your health system extends to every vendor, cloud platform, geopolitical decision made in a region where your infrastructure may live.
And it's not to scare you, it's just what it is. And you need to know where all of those assets are sitting.
Drex : Yeah. Everything's connected to everything else. Yeah. So stay a little paranoid,
Sarah: stay a little paranoid, have that conversation with your board. All right, Drex, we're wrapping up. It's your birthday.
Uh, I'll be curious to see what happens between now and the airing of this episode. I know you'll cover it in two minute drill, but how, uh, close this out.
Drex : Close this out with what?
Sarah: I don't know. Happy birthday to yourself. Listen to two minute drill, stay paranoid. All the good. It's all the reasons. It's, people wanna hear [00:20:00] what you have to say.
Drex : It's, it's all the, you know, it's all the good stuff that, um, you know, that I think we're working on with the community. Um, I, I, I get a lot of great notes from the community too. Folks who give me heads up on things that are happening that, um, even sometimes aren't, aren't widely known. And we started talking about Stryker before Stryker was being reported in the news because
somebody, a member of our community, sent me a note and said, hey, somebody I know, their phone just got wiped at Stryker. There's something weird going on, you know, you need to look into this. And that was, you know, we were off to the races. So, uh, a lot of this isn't just stuff that I'm finding out, you know, because
I'm especially good at digging at things. A lot of it is people sending me notes and tips and have you seen this or look into this. So thanks for doing that. I think that is another indication of just great community and folks who are trying to help everyone else in the community. So keep doing that. I appreciate it.
That'd be my birthday present for the, for the next year if you keep doing that. [00:21:00]
Sarah: Sounds good. Hey, thanks for tuning into Newsday. That's all for now.
Drex DeFord: That's Newsday on UnHack with Drex DeFord. Get daily security insights delivered to your inbox because every healthcare leader needs a community to lean on and learn from. Sign up at thisweekhealth.com/subscribe and stay safe out there. I'll see you around campus.