Emerging Cybersecurity Risks

The Need to Bring Cybersecurity Front and Center in the Healthcare Industry with Bill Scandrett, Chief Information Security Officer at Allina Health

👉 IoT and the FDA guidelines on medical devices

👉 Best practices while implementing GRC

👉 Protecting healthcare data while adopting new technologies


Welcome to this episode of the Emerging Cyber Risk podcast, brought to you by Ignyte and Secure Robotics, where we share our expertise on cyber risk and AI to help you prepare for the risk management of emerging technologies. We are your hosts, Max Aulakh and Joel Yonts. Our guest today is Bill Scandrett, Chief Information Security Officer at Allina Health. Our discussion pivots around the awareness and implementation of cybersecurity protocols in the healthcare industry. The discussion focuses on oversight of the FDA on medical devices, best practices in operationalizing GRC, managing third-party risk, and protecting healthcare data while innovating new technologies.

Topics we discuss:

  • IoT and oversight of FDA on medical devices
  • What are the best practices in operationalizing GRC?
  • How is the healthcare industry managing third-party risks?
  • What are the steps taken to protect healthcare data while innovating new products?


Bill Scandrett Bio:

Bill Scandrett is the Chief Information Security Officer at Allina Health. He is an experienced Chief Information Security Officer with a demonstrated history of working in the financial, retail, and hospital & healthcare industries. He is skilled in Risk Management, Security Governance and Regulatory Management, Identity Management, and Cybersecurity.

Bill Scandrett on LinkedIn 

Allina Health Website


Get to Know Your Hosts:

Max Aulakh Bio:

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website


Joel Yonts Bio:

Joel is CEO & Research Scientist at Secure Robotics and the Chief Research Officer & Strategist at Malicious Streams. Joel is a Security Strategist, innovator, advisor, and seasoned security executive with a passion for information security research. He has over 25 years of diverse Information Technology experience with an emphasis on Cybersecurity. Joel is also an accomplished speaker, writer, and software developer with research interests in enterprise security, digital forensics, artificial intelligence, and robotic & IoT systems.

Joel Yonts on LinkedIn

Secure Robotics Website

Malicious Streams Website

Max – 00:00:00: Welcome to The Future of Cyber Risk, a podcast by Ignyte and Secure Robotics. We share our expertise on cyber risk and artificial intelligence to help you prepare for the risk management of emerging technologies. We’re your hosts, Max Aulakh


Joel – 00:00:17: and Joel Yonts. Join us as we dive into the development of AI, evolution in cybersecurity, and other topics driving change in the cyber risk outlook.

Max – 00:00:25: Hey, Bill, how are you doing today?

Bill – 00:00:29: I am good. How about yourself?

Max – 00:00:31: I’m doing good, man. I’m doing good. Well, I just wanted to thank you for coming on this and having a conversation about the world of a CISO in healthcare. Just to kind of start off, why don’t you give us an introduction about yourself, who you are, and what you do? I’ll introduce myself, and then I’ve got some really good questions for you, and then we’ll just kind of go back and forth and take it from there. So, yeah, Bill, tell us a little bit about yourself.

Bill – 00:00:55: Yeah, thanks for having me. It’s always fun to have a conversation like this and just kind of talk shop a little bit, so I enjoy doing that. So, yeah, career background-wise, I’ve been a CISO at a couple of different organizations for over a decade. Most of my CISO career is probably in healthcare, but I would say I’ve got probably as much equal time in finance and retail as that, even subprime mortgage, that kind of stuff. So, I would say I’ve been a practitioner for close to 20 years. But yeah, about half of that’s been in the CISO role. So it’s been a fun journey.

Max – 00:01:33: That’s awesome, man. And I’ve certainly enjoyed working with you and being part of that journey. So, for those of you who are listening, my name is Max Aulakh. I started my career about 15 years ago in the military. Worked there, worked within healthcare, then did a little bit of financial services as well. So a very similar background here. Bill, let’s talk about, let’s park on regulations, right? Everywhere you go, whether you’re in financial services, the military, and obviously in healthcare, you hear about frameworks, you hear about legislations, HIPAA, HITRUST, and all of that. From your point of view, what’s going on in healthcare, right? What are you seeing? Where’s the uptake? Maybe there’s not an uptake. What are your thoughts when it comes to regulatory frameworks in cybersecurity?

Bill – 00:02:18: Yeah, it’s funny. In healthcare, we move a little slower, I would say, than a lot of other spaces, especially on the provider side, but it’s always been HIPAA. HIPAA has always been kind of our guiding light, and things that are associated with that high trust, act, omnibus rule, those kinds of things I think, are still probably the most important thing that we have to deal with. Certainly, there are things for anti-kickback or Stark Law. We get involved in some of those things, especially from a forensic perspective, but I would say by and large, HIPAA still probably wins the day.

Max – 00:02:51: Okay. Yeah, I kind of feel the same about healthcare. HIPAA was written in the mid-nineties, and it’s been pretty stagnant. And they’ll do some modifications, some enhancements, and when we go to other industries like financial services, they’re much more dynamic. Right. They move. What do you think of all this stuff going on with IoT and with the oversight of the FDA with medical devices? And whatnot, are you seeing that sort of stuff movement on that front?

Bill – 00:03:18: Yeah, I think in that space, what we’re seeing is positive movement. So, if we talk about IoT or the IoT, I think manifestation in healthcare is medical devices. And I think everybody in all prudent organizations on a provider side has some version of a medical device security program. There has been some positive movement in that space. When you think about that space, there is a speed-to-market problem. There is an FDA approval process and certain things that we go through before a certain medical device can hit the market. And sometimes, that process is two to three years. So if you think about the technology space, what we were doing three years ago versus what we’re doing today, it’s not uncommon for us to see things that were brand new, that had embedded Windows XP and that stuff in it. So, I think from an FDA perspective, what we’re seeing is a little bit more speed. Some of the medical device manufacturers are getting better at building devices that are easier to update, or they might have the client-server type of structure where I might be able to update a device without voiding the warranty and that kind of thing. So I think we’ve seen some positive things in that direction, kind of that fusion of what’s happening, like with the FDA and with some of our medical device manufacturers. I mean, before that used to be a really big problem for us.

Max – 00:04:33: Yeah, I think, like, about ten years ago, when I did my first engagement with the FDA, we were working through a process called 510(k). I think it’s still in place. And I remember working with a medical device firm, and they said, hey, we’ve been doing this for ten years. They were trying to bring a device into the market, and cyber was like the last of their concerns. Right?

Bill – 00:04:55: Yeah.

Speaker C – 00:04:55: And what I’ve seen is that over the last decade, I guess it’s not only sped up, but they’re also starting to inject modern standards. Right. The FDA is starting to recognize HIPAA is not sufficient, but they’re trying to bring in NIST and other best practices. They’re even writing up their own rules. I don’t know if you’ve been part of any of that to kind of help the regulators, but this is a massive problem. How can regulators keep up with the threat? Is that even possible?

Bill – 00:05:26: Yeah, it’s a great question. We see a lot of this interaction at the state level. We’re commenting on a lot of rules and things that are starting to happen at the state level, which can be good but can be bad. We’re starting to see some interesting things, and this isn’t specific to healthcare; everybody’s dealing with this, but we’re starting to see certain states, for example, push legislation to make it illegal to pay a ransom. Those kinds of things seem helpful at face value. It can be really damaging. We had certain cases, like a recent case with the City of Baltimore in some ransomware situation where they were not allowed to pay a $75,000 ransom, which ended up incurring $18 million worth of damage. So I think some of those things can be good. I think there is a lot of good legislation happening. For example, a number of states are working on legislation to make it illegal to possess damaging ransomware. So if you’re caught with ransomware, with the intent to act on that, there are certain things written into the penal codes for each state. That kind of stuff can be extremely helpful. Telling companies what they can and can’t do to mitigate risk, I’m not sure. Is it going to be effective? I don’t know, but I think we’re seeing a lot of activity at the state level, which I think has been a long time coming, and I think can be helpful if done in the right way.

Max – 00:06:43: Yeah, I think as long as we can figure out how not to create conflicting rules, because it’s just very difficult, right, to say, oh, you’ve got something, and then one state has a different kind of rule about payment and things like that, I think that’s going to be challenged. We’ve seen this in the breach notification rules. In each and every state, there’s a patchwork, and it’s very difficult to create kind of a high watermark, and you basically end up like, hey, I got to do a notification before the breach even ever happens because that’s the high watermark, right? So, yeah, I think as long as they don’t conflict, it would be interesting. But personally, my belief is that regulators are not able to move fast enough. It’s just really difficult for them to keep up. Ignyte deals with all these regulations as a GRC enterprise risk kind of company. And we see there’s an interesting crossroad between what we do and then, of course, all the cyber operations. What’s the future like, in your opinion, on that crossroad? And what are some of the things that you’re seeing from your organization or best practices that are being developed when it comes to moving GRC to more of an operational state?

Bill – 00:07:50: Yeah, so that’s a really great question. At the end of the day, it’s still about the basic blocking and tackling things that we do around NIST frameworks, and that kind of general control type of structures still have tremendous value. We try to get really creative with how we’re doing things, and things like CVSS scores and that kind of stuff are very helpful. But at the end of the day, fundamentals, I think, still wins the day. And that’s the nice thing, I think, for GRC. Is it going to be different? You bet. We’re seeing this transition from an infrastructure client-server type of atmosphere to a very cloud-centric atmosphere, and that changes our risk practices. Right. We have to be good at not only assessing incoming software but we have to almost beef up our somewhat legal chops to look very closely at contracts and to look very closely at what some third-party provider might have. Look at their 10-Ks and their 10-Qs. Are they a reliable organization? That kind of stuff. But I think it’s still those fundamentals. It’s still those things that kind of came around during the Sarbanes Oxley Act of 1999, where these are things we all should have been doing anyway. And there’s no reason that the Sarbanes Oxley Act ever should have really existed because we all should have been good stewards of our processes and doing these things as a natural byproduct of running a solid program. And I think those things still have value, and I think there’s still the basic framework by which we’re building all this cool stuff.

Max – 00:09:16: Yeah, I would agree with that. No matter how much we get away from it, we have to, from a leadership perspective, just look at it from how are we managing all of these concerns. Right. As we go into a service model, everything is in the cloud from our perspective. We always get asked about, do you have a SOC 2? Do you have this certification or that certification? Have you seen a trend or a difference in recruitment and perhaps the kind of talent you’re bringing in? It’s not necessarily they’re working within the cybersecurity team, but they’re maybe working for the legal department to manage the third party. Or are you seeing where you’re taking ownership of the third-party risk management program?

Bill – 00:09:55: Yeah, I think it’s a lot of the latter. Back in the day, when we wanted to bring new software in-house, there was some type of help needed from IT. We had to spin up a server; there was some infrastructure involvement. It was pretty heavy build stuff, and we had 30 years to get good at doing that. Right? Well, with the speed and the introduction of the cloud stuff, we’re still doing that infrastructure stuff that we were. But now we have this new battlefront where we’re spending less time on this physical server hardening and that kind of stuff, but a lot more time on application architecture and a lot more time on config. And we haven’t had 30 years to get good at it. We kind of had to get good at it overnight. So we need a lot of help from our vendor partners. And that’s where I think that transition of risk comes in. So we think about that comment about our legal chops and that kind of thing. That’s where we have to transition to becoming less of a technical group and becoming more of a risk management group. There is a risk trade-off conversation where we look at a third party that might be offering a service for us now, and we have to look at the way they do their operations and their breach history. Are they a company that started yesterday? Are they reliable? Right? So it is a bit of a migration, and I think a lot of organizations, and this is just not healthcare, I think a lot of organizations are struggling with, how do we get that knowledge? We haven’t had time to develop it in-house, so we’ve got to work with our third-party friends to make that happen. And we have to treat that risk profile a little bit differently. We have less control, but we have to spend more time on the pre-of side of it before that contract is ever signed.

Max – 00:11:38: Yeah, I have seen, and this is just from my history working within healthcare. Ten years ago, everything had to be on-prem, had to be I’ve got my Epic or any other EHR, whatever. This is where it plugs in. Anything going outside is not going to happen. I’m starting to see that transition quite a bit where there are a lot of innovative third-party companies, but you’re absolutely right; a lot of them are just popping up everywhere, right? And so when you’re sending that data out, there’s got to be diligence throughout. Not just pre, but post and then, of course, data agreements. We’re seeing that a lot, especially if somebody is tapping directly into the EHR. What are your thoughts on that? Because I think we’ll continue to see a proliferation of innovative healthcare technologies that are really just trying to get into the big, large healthcare systems. What is your advice to those kinds of innovative companies, SaaS companies, that need that healthcare data? What should they be doing to make sure that they are safe and protected?

Bill – 00:12:40: Yeah, that’s a difficult question. It’s one of those things. It’s like when you got your first job, everybody’s asking for ten years of experience, and you’re like, man, I just graduated from college. I’m trying to get the experience so I can get the job right. It’s this vicious downward cycle that you can’t really ever survive from. And I think a lot of really cool, innovative companies are struggling with this, right? They don’t have a reputation; they don’t have a very solid balance sheet. They don’t have a history of performance that we can glob onto, but the thing that makes us comfortable. So when we’re going out, looking at these third parties, it’s pretty easy to see the focus on cybersecurity, the focus on integrating that into your solution, if it’s a medical device or if it’s software, whatever it is, it’s pretty easy for us to see whether that was a last-minute decision. We see a lot of these organizations that come to us to sell something, and they go through our risk management cycle. And what we hear is, that’s the first time anybody’s ever told us that, right?

Max – 00:13:40: Yeah.

Bill – 00:13:40: That is not the response that we want. I think if your partner that you’re trying to sell to is the first person telling you that there are some cybersecurity holes in your platform, that’s a pretty bad position to get in, and it’s hard to recover from that. You’ve put a black mark on yourself, and the next time you come, we’re going to be like, oh yeah, we have a risk assessment for these guys. Right. So I think I’ll do that stuff in advance. If you really want to be successful in this market, it has to be part of your design process. It has to be something that is ingrained into not only your solutions but your corporate culture.

Max – 00:14:15: Yeah, I think Bill, kind of a true confession here, right? It’s all about buying down risk from all perspectives. Financial people risk, quality, and cyber are no different. We often get calls all the time like, hey, I’m doing this because this healthcare or this big company is asking me through their third party program. And so it’s very reactive, right? It’s like there’s pressure to get it done, but it’s only, okay, so I can get the contract, but not necessarily to do it as a business strategy or to institutionalize it, which really helps buy down the risk because we tell them, hey, you’re just wasting money. You might get the contract, but it’s all lost investment; you’re not going to do anything with it. Right?

Bill – 00:14:56: Yeah, I think that’s true. I think a lot of organizations are willing to offer free consulting services. If you’ve got a relationship with a physician and you say, hey, can I spend a little bit of time with your team at the line to say, hey, I’m not selling you guys here? We’re in the design process, and we need some advice. I think the community, in general, is very willing to help. If you’re a startup and you don’t have a lot of cash to burn on a tier-one consulting service, he’s going to architect that for you. Go ask your friends.

Max – 00:15:26: Free consulting. I think it’s just you, Bill. I’ve never gotten free. No, but you’re right. The community is healthy. We’re passionate about what we do, even this webinar, right? It’s all about educating and getting an understanding of what a CISO goes through. But yes, I think free consulting in advance prior to actually working on your third-party problem with healthcare that’s going to go well, right? Instead of just, hey, I just rolled over, and somebody sent me, and this is our security program. Your security questionnaire is my security program, which is really the wrong way to go.

Bill – 00:15:59: And most organizations do have the authority, most healthy CISOs, and organizations have the authority to say that product is never going to come in ever. Right? And that’s never a position you want to be in because that’s an unforgivable sin. I think that advice there is. The CISO does have the ability to torpedo your deal.

Max – 00:16:17: I am so glad you said that because I’m just looking at it from an outsider’s perspective. Do you find, Bill, that a lot of people ignore that advice? Like, I would think CISO is at the decision-making table as a key input. Do you find that common, where they’re just completely ignoring your advice on these matters?

Bill – 00:16:36: Not for long. It’s really a process question. It depends on how healthy your procurement processes are. We still see we have some fairly healthy processes, but there are still ways that organizations kind of just try to go around behind the bar. And sometimes, it’s not with ill intent; it’s just awareness of the process. When we get involved up front, it usually goes pretty well, and for a number of reasons, it’s hard on us, but it’s also hard on our organization. We don’t want the organization to spend all these resources trying to bring something online only to get to us at the end and say all the work that you’ve done is no good because we’re not even close. From a risk appetite perspective, you’re well beyond what we would possibly consume, and we’ve had to do that. And that’s a tough conversation. It can be embarrassing for the business partner who’s trying to bring this application in. So, involve security upfront. It can be a lot more helpful than at the end after you’ve spent all of your resources trying to get this again; we see a lot of situations where we’re brought in at the contract stage. That’s the wrong time to do it, guys. It needs to be a little bit earlier than that.

Max – 00:17:43: Yeah, and I can completely understand this because we went through this with you, Bill, so that made sense to us. But I can only imagine how negative it looks, unintentionally or intentionally, if somebody tries to totally work around a proper procurement and supply chain management process. We went through a diligent cycle with you guys. It helped improve our company. Like, truly, it really helped us improve. But also, why did you choose to work with us? And you had a choice as one of the top CEOs to work with any company; why did you choose to work with Ignyte?


Bill – 00:18:15: Yeah, I’m happy to answer that, actually, and I will say nice things, Andrew, but for us, it was a number of things that came together. Certainly, one is, I’ll say, size. It is really easy to get in over your head in GRC with your solutions. There are a number of solutions out there that are really big, and they’re really heavy, and there are solutions out there that cost more than your GRC budget for staffing. And I think it’s really easy to go for a big, major package and never unlock a lot of that potential. So, for us, what we were looking for was flexibility. We were looking for the right size. And we’re a $4 billion company, so we’re still a pretty good size. But it certainly doesn’t make sense for us to have a dedicated team of developers or whatnot who are developing solutions in some of these other platforms. So for us, we like the size, we like the flexibility. And for us, it’s so much more than just the software platform. I think it’s the team that you’re working with. And for us, we got really good vibes about working with the team and just kind of the commitment to what we were doing and believing in that commitment. And our speed to market with Ignyte was exactly what we hoped it would be. It was fast; it was quick. It was what we needed. It was reliable, and it was the right size platform for us to have that flexibility and that nimbleness that we knew we were going to need. Because for us, we were just starting our internal risk management journey. We did a risk assessment, but for our risk register and our quantification of risk and these kind of things, we needed something that we knew could learn with us because we weren’t going to get it right the first time. And we’re going to say, hey, Max, you know, when we told you to do that thing? Just kidding. We were wrong. We need that thing, right? So I think a lot of it was that.

Max – 00:20:02: Bill, I certainly appreciate you responding to that, and that gives us insight into what our strengths are. So I really appreciate that.

Bill – 00:20:09: Yeah, you bet.

Max – 00:20:11: The Future of Cyber Risk is brought to you by Ignyte and Secure Robotics. To find out more about Ignyte and Secure Robotics, visit ignyteplatform.com or securerobotics.ai.

Joel – 00:20:22: Make sure to search for cyber in Apple Podcasts, Spotify, Google Podcasts, or anywhere else podcasts are found. And make sure to click subscribe so you don’t miss any future episodes. On behalf of the team here at Ignyte and Secure Robotics, thanks for listening.