A Conversation with Healthcare Security Expert Bill Pelletier

Bill Pelletier discusses what 2021 may look like for security vendors

Healthcare security veteran Bill Pelletier has seen the industry from all sides. In this episode he shares his thoughts on what 2021 may look like for security vendors and CISOs alike.


Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host Mike Murray.

In this episode, Mike has a candid conversation with healthcare security expert Bill Pelletier. Mike and Bill worked alongside one another as Scope’s first employees, then Bill moved on to work on medical devices, with a payer, and deep into the healthcare system with his wife as she runs a practice. You don’t want to miss out on the immense wisdom Bill has to offer from his great breadth and depth of experiences.

Mike starts off their conversation by asking Bill what the world of 2021 is going to look like. Listen as Bill expounds upon his prediction that it will be regarded as “the great supply chain chase.” No security product offers a broad solution for everything; each exists to address a singular event or serve a specific purpose, and those gaps are now playing out as battles in the supply chain. While this issue seems to be focused on the software side of the chain, Bill talks about the hardware pieces that are also being affected. Learn about the history of medical devices as they moved from highly customized builds to off-the-shelf hardware that is more accessible and less expensive. With this shift comes the risk Bill describes of data “leakage” that goes unnoticed.

Mike asks about the idea of “security by obscurity” and they discuss the issue of “what do you do with it” for older systems in digital transition. Bill sheds light on the limitations of software bills of materials given their constrained level of detail, and the risks that remain even at high coverage rates. It’s all about the maturity conversation for data and the risk calculation perspective that cannot go ignored. Where does pragmatic realism fit into the finite resources available for these various situations?

Shifting the conversation towards security specifically, Bill observes that senior managers who are working on limited timelines and budgets oftentimes cut security. Asserting that security ought not be seen as an “additional component”, Bill discusses the need to set security as a baseline that applies across everything. People are often optimistic to a fault with security, but we cannot assume products are perfect upfront.

The conversation draws to a close as Mike asks Bill about his targets for 2021 and where he ultimately sees healthcare security going over the course of the next 3-4 years. They talk about remote work, the changes brought by COVID, and the digital transformation that has considerably shifted policy. Telehealth has presented a landscape that medical security has never had to consider before. Finally, the intense cost pressures in the insurance space are discussed. With rich data ecosystems moving to the cloud and APIs as the cheaper way forward, Bill says it is a scary future. Bill leaves listeners with the question of how we can help teams design the right structures to ensure integrity equal to or better than what traditional multi-tier databases offered. Learn that while it’s crucial that teams are enabled to design the best models, they must also not create an impediment to the overall business process!


– Welcomes Bill to the podcast

– What is the world of 2021 going to look like?

– Supply chain issue in hardware

– Idea of “security by obscurity”

– Question of “what do you do with it?”

– Security as an additional component, or a baseline?

– Optimistic to a fault with security

– Top targets for 2021?

– Where is healthcare security going over the next 3-4 yrs?

– Rich data ecosystem passing across API

0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.

0:00:20.6 Mike Murray: Hello again, and welcome to this week’s episode of In Scope, The Healthcare Cybersecurity Podcast. As always, I’m Mike Murray. With me today… I’m really excited about this one. With me today is someone who I’ve known for a long time, and he’s one of the most interesting people in the security industry. Bill Pelletier was actually Scope’s first employee other than me. He now is off doing other interesting things. Bill is one of the most interesting people I’ve known because he is the only person I’ve ever met who has worked on medical devices, has worked at a payer, has worked at a company like ours, and has also spent so much time deep into healthcare because Bill’s wife, Tracy, is in healthcare and runs a healthcare practice. And so there’s almost no one I’ve ever met who has the breadth and depth of experience that Bill has. And so he’s my favorite advisor and also one of my favorite people on the planet to just have a glass of whiskey with, shoot the breeze about the world of security as it happens to be. So Bill, welcome to the podcast finally.

0:01:26.3 Bill Pelletier: Mike, I’m glad to be here finally. And apologize for that clinking ice cubes. I’ll keep those to a minimum. I’ve been looking forward to this for quite a while.

0:01:33.2 MM: You and me both, man, you and me both. This is gonna be a good time. But we recently came into 2021, and actually we also recently posted our 2021 predictions podcast, which I don’t think I made you listen to yet, but that’s where I wanna start. You’re my favorite curmudgeon in the whole world. What is the world of 2021 for all of us cybersecurity folks in healthcare gonna look like?

0:01:55.9 BP: Well, I’m gonna really, really irritate the crap outta you and say it will be the great supply chain chase and by our security vendor community. I hate to even say that ’cause it’s gonna come back to haunt me, but all you’re gonna hear over the next six months and the entire year is supply chain this and supply chain that. It is… It’s the target of sales opportunity right now. And we know this, and everybody in the industry knows this or at least those of us who’ve been around for more than a few years, the products that we have out in this space today, not just supply chain security or whatever, but in the security space, the vast majority of those… I’ll stop short of saying all ’cause there are… Some of them are different, but the vast majority exist because of singular specific events. There’s been nothing that I’ve known of that’s ever been developed, deployed and sold to be a broad spectrum security solution. Everything out there serves a purpose, and that’s why we have so much of it, and that’s why there’s so much of it that we don’t use.

0:03:02.4 MM: I wonder how many vendors are popping up right now trying to solve the solar winds hack?

0:03:07.7 BP: Yeah, I’ll check my LinkedIn profile the day after this airs. I’ll let you know. [laughter] I’ve been fortunate in that I’ve been at my current gig not that long. The folks haven’t quite figured out where I’m at yet, but I’ve only seen one or two ambulance calls so far regarding supply chain hacks. So that’s good.

0:03:28.7 MM: That’s a reflection of that they haven’t found you yet. I’ve got 50 in my email, and I don’t even have a security title anymore. I’m the CEO, and they’re sending me things like that.

0:03:37.3 BP: Yep, yep. The other part of it too is a lot of these cold calls is because I know these people. These are not strangers. For the most part, they’re folks I’ve dealt with for the last 25 years. I’ve gone through four companies in the last 25 years, and they’ve gone through five, six, seven, eight, nine, 10 different companies. The business cards change.

0:04:00.0 MM: Yeah. That’s our industry, right?

0:04:02.3 BP: It is. It is and one of those things where in my current situation we have a lot of the usual suspects in that space vendor-wise. I really should stop talking right there as far as that goes. But it’s a thing. It’s how we have to exist. There’s nothing I can do to snap my fingers and make it all go away because it’s all sync clocked. It can be bought. We have it… It’s on a shelf. Parts are being used. Good parts are being used, but…

0:04:30.9 MM: So I wanna pick on the supply chain thing. So we were both at GE Healthcare back in the day working on medical devices. The amazing thing for me about this whole supply chain conversation is it seems to be focused on the software side of supply chain, but when you think about medical device manufacturers, supply chain is a huge challenge for those folks. Share what you saw. Talk about some of those challenges, man.

0:04:54.6 BP: Yeah. Software is one thing regardless of whether you’re using COTS stuff, commercial off-the-shelf software, or open source, Linux or Linux variants, what have you. That’s one thing. And depending on who you talk to, the whole software digital bill of materials efforts that are in the way may help slash… Will help address some of those challenges at least, helping people understand what they have in their environments. I’m waving my hands in the air, if you can’t see them. The more interesting aspect, more academic aspect though is what about the hardware stuff? What about the firmware stuff?

0:05:32.2 BP: Up until probably… This is all anecdotal. Up until maybe 10 or 15 years ago, the vast majority of medical devices were custom hardware, custom chip sets, custom-built boards. There was nothing that you could go to a supply warehouse or a distributor and say, “I need 28 of these and 30 of those.” You built the things yourself because you had to. When PCs became widely available and minis became widely available, these manufacturers realized, “Hey, I can get 80% of the functionality with off-the-shelf hardware at one-tenth of the cost. And the 20% functionality that I’m missing, I’ll figure out how to do that,” either the software tweaks or what have you, which a lot of folks do. Where does that bring us? It brings us to a situation where we now have hardware embedded in systems. They’ve already gotten replaced, but they may not necessarily know what else is in there. Any time that you’ve got… This is like a long ramble around here. I think any time you have unknown hardware in your communication path, there is something that risks data loss, data leakage. You’re just not gonna see it.

0:06:46.5 MM: I think that’s one of the things that blows my mind about some of the software bill of materials stuff… Software bill of materials is a great idea, don’t get me wrong. I’m not challenging that. I’ve been a big proponent of that over the years, but you can only include so much. You can’t include all… The software bills of materials that I’ve seen, they don’t include what firmware is on the graphics card, what firmware is on the BIOS. You can only include so much detail, and unfortunately, security is an edge case, right?

0:07:16.6 BP: It is, and even if you could get close to a 99% coverage with your SBOM… I love that term, SBOM. It’s a great term by the way. It sounds kinda close to say S-bomb when we talk about software. Even if you get a high coverage rate with identification, what do you do with it? Now you’re gonna say either, “Holy crap, what will I do with all this old crap that I have?” And you know that you can’t change it or does that increase your liability? I don’t know. It’s one of those old programming storages that you can have new spaces. Is it better to lay everything out so everybody knows what you have so you can better prepare for it or you’re potentially close to home? I don’t know.

0:08:04.6 MM: There’s the old STO, security by obscurity, right? But the thing about security by obscurity is there’s still an amount of security in it and we tend to discount that.

0:08:13.1 BP: It’s always a really interesting first step to take. As long as it’s not the only step, it’s a good thing to do. As long as you’re doing, many more things happen. It just raises the bar and makes it a bit more difficult.

0:08:28.9 MM: Dude, you laid out a really important point there that I think is easy to miss, that the “What do you do with it” problem. Suppose I bought a CT scanner in 2005, and it’s running some old library of… Some version of Java bins ’cause Java bins was a thing back then. Most hospitals I know are not going to throw out and go acquire a new $5 million machine just because of some old version of a library that happens to exist on a bill of materials from an old piece of hardware. I’m not suggesting we bury our heads in the sand, of course, and it’s useful to know if you can manage it, but sometimes, and I remember some of the original SBOM arguments back in a prior life, which is, “Okay, great. You’ve got this list of things. What good is it?”

0:09:17.5 BP: Right. I said in some of those calls with the NTIA and whatnot, we’re talking about this, what? Five years ago at this point?

0:09:26.3 MM: Yup.

0:09:26.7 BP: Allan Friedman and Josh Corman and others, Josh visited and told me to, “Let’s talk about this off the phone” ’cause I’ve talked too much on the phone. Hopefully, he’s think of something. But yeah, it’s like, what do you do with it? I mean this is a maturity conversation. You have all this data, but, you know, I’ve seen them, I want them, not three but five, I mean, what do I do with them? I suppose you can deal with it from a risk calculation perspective, I don’t know. I’d like to be able to say that if you have a high quality, high insurance level of your data quality in any of the SBOM that you did, they like an exact rule, what can I do with it? Am I gonna plan all the mitigations around that, but nobody has the stuff to do that, right?

0:10:17.7 MM: Certainly not in healthcare.

0:10:18.9 BP: Not in healthcare, they don’t.

0:10:20.6 MM: Maybe if you’re Bank of America and you have 5000 people on your security team, you have that ability. But we were talking offline about one of the folks that we’re working with, where the major hospital up here in the northeast, that their entire security team is two people and they have 1000 medical devices on their network. What are you gonna do? Are they gonna go read the SBOMs for every one of those machines? Are they gonna… Are they even going to have time to mechanically process those, ingest them all into some system and then do something with them? Unless you have some sort of advanced data processing system that up till a year and a half ago didn’t exist, how do you even deal with that?

0:11:00.4 BP: Yeah, it’s… I feel bad for a lot of our teams or… I say teams and individuals ’cause in many cases it’s like you said, it is an individual. No matter how much data you give them, there is not going to be any ability for them to any… Capability for them to do that. They have the ability to do it. It’s a capacity issue. It’s a resource issue. It’s all about resources, and we have that conversation every single day. If I say, “No, you really should be doing things this way,” then the developers/project managers/business sponsor comes back and says, “Well, my one- or two-person data analytics personal team is gonna take them 12 months to do that.” “Okay, what if you had six people or 12 people, can they do that in one to two months?” “Well, yes.” Okay, let’s do the cost benefit. What’s gonna be better for you? Spend the money upfront? It’d be done quicker which you probably can put in the production process so you need more money? Or do you string it out, and then run a risk of priorities changing ’cause priorities will always change. If you get eight tenths of the mile down the road, you never make that last, almost quarter mile because stuff changes. I don’t know how I went off on that tangent, but that’s an example.

0:12:14.6 MM: It’s an important tangent, I think we tend to forget, especially in the security community and on security Twitter, we tend to forget that there’s a pragmatic realism to the amount of resources that can be applied to a given problem, right?

0:12:27.9 BP: Those resources are finite. There’s never enough. And if someone does think they have enough resources, then there’s something else wrong. They’re not seeing the right things or you get a serious management issue.

0:12:41.7 MM: I think there’s a thing about senior managers, especially now that I kinda am one. There’s a thing about senior managers wanting to be able to do 12 months of work in three months because that’s what the business… The business says, “We have to get this project done by X date.” And you’re like, “Well, that’s humanly impossible with the number of resources we have, so what do we cut?” And far too often, in the past, especially back when we first worked together, 15 years ago or so, back then, the idea of, “Oh, we’re just going to… We’re gonna not do this because security,” that just wasn’t an option, especially if you think about the medical devices that were built from 2000 to 2014. When the first FDA guidance comes out, what do you do?

0:13:28.3 BP: Yeah, you just brought up a painful point. It is… I was gonna say it’s 2020. It sounds 2021. It was a great year while it lasted, the seven-day thing. We are still building stuff. They’re still treating security in airports as not so much as an afterthought ’cause that has changed in many cases so security has been taking no count. But it is still being treated as an additional component, and not part of your baseline and not something that is spread across all aspects of that thing that you’re doing, whether it’s development, deployment operations, Tech-ops, DevSecOps, DevSecOps, DevOps, pick a combination, right, pick a combination of syllables and put them together and it’s still going to be a challenge.

0:14:27.5 BP: And looping back to predictions for the year in addition to the supply chain stuff, I think we’re gonna see more conversations around… I hope we see more conversations around what it means to embed security at layers at all aspects of product, project, system life cycles, all of the above. And I’m waving in the air my hands again, but that’s one of those things that really was going to bear full force, I think is a bad analogy but we should do that. But we have to keep pressing that really hard with the team we’ve ever seen whether it’s operations or development and/or the business. The stuff is not optional. You can risk for it, you can absent the risk, assess it, you can risk accept things, you can do stuff with it, but it has to be done upfront. You can’t have somebody come in and say, “Yeah. I’m gonna make a product. Can you give me an assessment, give me your sign-off?” No, no, no, no. That was like 1998, but this is 2021. Things don’t work out like that anymore.

0:15:40.4 MM: Do you know who you sound like right now?

0:15:43.2 BP: I really don’t wanna know. [chuckle]

0:15:44.9 MM: You sound like our old friend, Rich Seiersen. I was reading an article that Rich wrote the other day about the importance of and forgive the buzzword of shift left, but that’s what you’re talking about. You’re talking about embedding security as a discipline early in the process and making sure that if you embed it from the beginning, that it’s a practice that goes across the entire lifecycle. It’s not something that you’ve… Remember the old days, we get to the end of 12 or 18 months of development and, “Here, you got two weeks till a pen test, figure it out, and by the way, don’t find anything ’cause you’ll delay our launch.”

0:16:19.5 BP: Yeah, or if you do find stuff don’t… Make sure you rank it or risk it such that it’s not another stuff.

0:16:25.8 MM: Right. Nothing’s critical. I mean, you and I have lived through that conversation with senior leadership.

0:16:31.4 BP: We have over and over and over again. It is… Again, it’s about expectation set. You say it’s gonna take three weeks from engagement to do your full assessment and you’re putting me into your schedule four weeks before your ship date. That’s not gonna work out very well. It might, but I doubt it. It’s entirely possible that you will ship a product with no faults but I highly doubt it. And why we think that shipping products with exceptions as a feature is beyond like…

0:17:07.4 MM: I think there’s a piece of humanity that is optimistic to a fault, and I think that the security industry is anathema to that sort of generic optimism of, “I will build something and it will be right the first time.” And it’s our job to be the ones that raise our hands and say, “Hey! You know, it’s probably not right, the first time.” With that, I wanna take you in a different direction just to hear your thoughts on this. So we’ve lived on… We’ve lived on all the sides of that, right? We’ve lived on medical devices, we’ve lived in the architecture side, we’ve lived in response. If you’re a hospital CSO, put your hospital CSO hat on, what are you focused on for 2021?

0:17:48.2 BP: Oh, good. Apart from leading the trade rhymes like it should be, ransomware is gonna be on the top of my list still, which is a little ironic I think because that is becoming a target of opportunity that we’re still not really a targeted, really not a direct target and these are all drive-bys. That’s an interesting question. You know, with the adoption of telehealth, with the adoption of remote work, with all the stuff going on, there’s a lot more data outside of your envelope. This just didn’t exist in this way here. Yes, there were pockets of it. Now, if you are a medical practice or a hospital system with 10,000 users, before COVID, you may have had 8000 of those who were within the confines of your country exterior perimeter, right? Now, the vast majority of these folks are at Starbucks or in their home office, or surfing for Wi-Fi down the street… This is all stuff that now is out in the blue. I’m gonna be seriously worried. Not worried, I’m gonna be more concerned about my endpoint security than I ever had been in the past. My device is going who they’re talking to? How’s my VPN? Am I doing split tunneling? Am I keeping the patch? They weighted insurance. He’s on VPN so maybe they don’t necessarily check the domain assembles. They don’t get policy object pushes like you would if you run the entire network. All of this stuff comes into play now. It didn’t exist a year ago.

0:19:27.0 MM: I quoted often, you were on the call when we talked to a healthcare CIO in the middle of the whole first wave of COVID who said, “We underwent three years of digital transformation in six weeks.”

0:19:39.0 BP: Yep. Exactly.

0:19:40.4 MM: Right? And so, it’s funny, if you follow the podcast and everyone’s heard me talk about the three environments of a healthcare organization, the IT environment, the clinical environment, and the EMR. I’m more and more cautiously starting to talk about that as five environments, a traditional IT environment, your clinical environment, your EMR. Now, you have your employee’s homes, which is what you’re talking about, and more and more, especially during the pandemic and telehealth and things like that. Now, you also have your patient’s homes. We’re pushing medical devices to the home. We’re pushing… In telehealth, the patients are literally getting care from their cell phone, while they’re in a Starbucks, talking to your doctor, while they’re in their Starbucks. This is not something that healthcare organizations ever had to think about before.

0:20:30.9 BP: It’s insane. I sit here in my home office. I’ve been full remote now for almost six years, right at this point. I was 18 years in a corporate campus office, and then six years now working out of the house. So I’ve got three laptops on my desk. I’ve got three 27-inch monitors arrayed the typical cockpit orientation here, never really quite knowing which one I’m looking at when I’m talking to somebody. And I actually had a personal telehealth call the other day with my provider. She was working out of her house with her cell phone propped up on a book on her desk, behind the patient, with six feet of new monitor, multiple laptops on my desk, and she’s working with a cell phone. What’s wrong with that picture? Probably not a lot of security issues there in general, but it’s indicative of the state of the industry as to what we say, what the HDOs or healthcare delivery organizations are working with for the technology to continue to provide these necessary services.

0:21:41.2 MM: The world is definitely getting crazy. Alright. Question I love to ask, where do you see it all going? You look three, four years out into the future. What does healthcare security look like? And from whatever perspective, from the payers, from the providers, from all of it.

0:21:55.8 BP: You’ve worked in property and casualty insurance as we worked together years ago. I spent 18 years in that space, health insurance working now, working for a payer, the model isn’t much different. It’s the same thing. The policyholders that claims provision, claims processing, to lots and lots of data, like in our case, it’s all PHI. That’s my definition. It’s all PHI. I mean, where is it all going? I don’t wanna be snarky about it and say it’s all going to the moon, to the Cloud, but cost pressures in insurance space regardless of the industry are intense. Not to go on a tangent, but in the property and casualty space, and someone complains about or has a conversation about their cost of their auto insurance saying, “I’m paying $1000 a year for my premium,” then when you explain to that person, “Well it’s costing that insurance company $1030 a year to provide that insurance to him.” And gonna say, “It doesn’t make any sense, losing money on my insurance policy.”

0:23:01.8 BP: The answer is, sort of. They’re taking your policy dollars that you pay them. They’re investing that, and rather than getting $30 back on $1000, they’re getting $35 back on $1000. So off that $1000 you pay them a year, they’re making five bucks. That’s how insurance works. It’s no different in healthcare space. Although in the healthcare space, you’ve got the additional dimension of negotiating rates between the providers and the payer, customers, clients, patients, members, whatever you call them. So there is a bit more complexity for the cost factor, but it’s still a razor thin margin, which is very dependent upon catastrophic events. So where am I going with this rambling thought here? It’s all about cost cutting, all about cost reduction. How do you do that? We’ll go to the Cloud. We’ll go to the resources that don’t cost as much but more flexible, a bit more tangible. They’re a bit more predictable from an expense perspective. So great, let’s go on to Cloud. But most companies do when they go from on-prem to the Cloud, they lift and shift. They lift and rock, which is architecturally, security wise, performance wise, is the absolute worst thing you can do, except that, it’s the cheapest way to do it.

0:24:24.2 BP: What are some things said. Everything’s going through the Cloud? Once you get beyond your core claims type processing, everything is gonna be an API. That’s gonna be rich client experience in the web. You’re gonna have… A few years ago with your insurance company in our prior life. We shot a bunch of JavaScript beyond the browser, and that becomes your application. Everything is just an API in the back end. It’s a single-page app, maybe on the back end of this single page app. That’s where everything’s going. The challenges for us are going to be, how do we help those development teams, and those soccer teams, design the right structures to ensure the same level of integrity or better than what they would get with a traditional multi-tiered web app database? That’s 2021 of the next five years. That transition is gonna keep moving. I think by the time we get to 2025, 2026, you’re gonna see the vast majority of applications. Even internal ones are gonna be nothing more than browser and a bunch of API endpoints. To me, being an old conventional tech guy, it’s scary as hell, but that’s the way things are going. We absolutely must not create an impediment to the business process in that regard. We have to support that. We have to figure out how to deal with it. We have to figure out how to enable teams to design that model. We should be always about enablement and not hindrances.

0:25:58.5 MM: It’s really funny that you say this. I mentioned the predictions podcast earlier and in our predictions podcast, and I don’t remember if it was John or Jeremy who said this, but one of them said that they believe that one of the big trends of 2021 for healthcare was going to be API security. And I didn’t question them on it at the time, but to me, that feels early. But everybody I talk to is talking about these massive data lake projects, these massive data sharing projects, especially between payers and providers. And you end up with this incredibly rich data ecosystem with people passing things back and forth across APIs, and unfortunately, especially in the provider space. The provider space is not… No healthcare organization that I’ve ever been in could be mistaken for Facebook in terms of being a tech company. DevSecOps is not really a thing in healthcare delivery the way it is in financial services, but you’re right. As we move to this much more data heavy and data integrated world, all of our healthcare organizations are gonna have to figure this out. So maybe you all are right and I’m the old stodgy guy who’s like, “Oh no, that’s three years off.” No, it’s probably not. You guys are probably much more on the ball than I am for that.

0:27:19.3 BP: Yeah. In the healthcare space, it gets more complicated questions. And it’s all complicated, but the theory behind going to these types of designs is rather than building this big monolithic, compile it and ship it monstrosity of application, you change bits of pieces, you change a page, you change a screen, you change a field. And you can do on the fly and not have to deploy everything all at once. It upends the traditional waterfall process model. When you start looking at things that we used in the healthcare space from the payer space, I mean, two words, right? Actually, an acronym and a word, CMS interoperability. If you haven’t heard about that, you should look it up because it’s scary as hell.

0:28:06.0 BP: It’s about you as a patient being able to log into your payer site, your payer portal, or even to your HDO portal, right to your healthcare provider portal, and say, “I’m gonna give Dr. Mike Murray access to all my stuff.” Click, sound simple. Only though, it’s not simple. You’re not just talking about your data from your healthcare provider. You’re talking about data from your healthcare provider, your healthcare insurer. And if you’re a person like me who has their PCP in one state but their primary care insurer is in a different state, and now you’ve got two completely disparate EMRs to work with who also have to work, interoperate with each other, it becomes almost… I don’t use the word impossible very often but this one is pretty close. It becomes almost impossible to have a monolithic structure that works with all these things. It just doesn’t work that way. So API is the only way you can do it. They chain things together.

0:29:13.5 MM: You know, I’m sure there are some EMR vendors who are not very happy at the truth bomb that you just dropped on them there.

0:29:18.7 BP: I know. EMRs, for the most part, are still these old school, albeit modern technology, but old school, monolithic, non interoperable structures, even though that’s what the boat told them to do back in 1990, freaking seven, or 1990 something, right?

0:29:40.5 MM: Almost 25 years ago.

0:29:42.0 BP: Was 25 years ago, and they still haven’t done it. I didn’t say they haven’t figured it out because figuring it out is extraordinarily easy. They just haven’t done it.

0:29:53.3 MM: I mean, there’s a benefit to data lock-in, and I think that we have… Though we trumpet the idea of interoperability, I mean, the security industry has been this way for a long time. I mean, we’ve tried to force interoperability with things like CVE and CVSS and OVAL. And although… I’m literally just listing all the minor projects that we’ve ever worked with, but we’ve been trying to force that same thing, and you still find security vendors find one common name for a threat actor across our industry. Even something as simple as what is the GRU from Russia called? Every vendor’s got their own name.

0:30:29.5 BP: Yeah. They’re all different.

0:30:31.6 MM: Right? And it’s the same thing in healthcare. It’s the same thing in security. It’s the same thing everywhere.

0:30:36.4 BP: One thing I can think of off the top of my head that comes close to security or IT that’s common is something like LDIF, right? When talking about directories, LDIF is pretty common, right? You know, that has to be. Above and beyond that, oh, that’s right.

0:30:50.8 MM: Right. Exactly. Dude, thank you so much. So hold on, before we wrap this up, where can the world find you, where, you know, if the world wants more Bill Pelletier?

0:31:00.4 BP: On Twitter at A-W-P-I-I-I, not two I’s, it’s three I’s. And that’s a long story behind that one. Actually, Facebook, it’s the same thing. Just search Bill Pelletier. On LinkedIn, same thing, Bill Pelletier. And I think between those three, I’m pretty accessible.

0:31:19.1 MM: And drinking with me at some conference once we are able to go back to conferences.

0:31:23.8 BP: Absolutely. You know it for as much as I have really enjoyed and excited about the amount and breadth of the remote content that all the traditional conference providers have come up with, especially the small ones, there’s still that aspect of face to face, meet and greet, sit down in the bar or a restaurant somewhere on a park bench in San Francisco or wherever to talk about how we’re solving the world’s problems. I miss that part.

0:32:00.2 MM: You and me both, man. Alright. Well, with that, this has been another episode of In scope. Bill, thank you so much. We’ll do this again sometime in a couple of months and just catch up on the world. And I’m sure there’s always gonna be interesting news for us to chat about. So with that, thank you so much.

0:32:16.2 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up, or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]

About Bill Pelletier


Bill Pelletier is an Information and Product Security pragmatist with 20+ years of excellence in Information Security, IT infrastructure, and Product Security.

Navigator of Large Organizations; Challenger of Long Held Beliefs; Champion for The Right Thing; Debunker of the Assumption; Questioner of the As Is; IT Speak translator for Business; Business Speak translator for IT; Intern Inculcator; Puller of Threads; Builder of Consensus; Purveyor of Rational Thought.

