A Conversation with Esmond Kane: Shortcuts Have Sharp Edges
Managing security in a healthcare environment during COVID-19 is not for the faint of heart. Steward Health Care CISO Esmond Kane discusses the impacts and opportunities of managing cybersecurity in a pandemic.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
On today’s episode of In Scope, host Mike Murray is joined by Esmond Kane, Chief Information Securities Officer at Steward Healthcare. Their conversation begins with Mike asking Esmond about his experience working in an early COVID hotspot. Esmond explains he had just recently joined the organization when COVID first hit. They quickly became the nation’s first dedicated COVID treatment facility. They dealt with the immediate issue, and he hopes some of the preparation work they did will help communities who are now a hotspot. The pandemic, Esmond explains, tested the organization’s resilience.
Esmond explains that many transformations have happened in healthcare over the course of the pandemic. Things like waiting rooms, elective procedures and visitors were now potential sources of infection and had to be stopped and reimagined. Digitally, the hospital also had to come up with new strategies, both for patients and for internal work. Telehealth, Esmond explains, had to be ramped up almost overnight. They’ve also had to rely more heavily on Teams and video conferences to increase telework and collaboration across technology. A lot of securities teams are overstressed and the pandemic only adds to that stress and fatigue. Esmond stresses that you have to think about your staff and their morale and leaders have to remember the human element.
Next, Esmond and Mike discuss the increase in attacks on healthcare systems. Esmond explains that there has been an increase in phishing during COVID. On top of that, security professionals also had to begin thinking about working from home, and securing home networks, as well as teaching employees good physical printing, and shredding practices at home. The bad guys, he explains have not taken a break. OCR relaxed some regulations on platform use for telehealth as well as giving some privacy exemptions. Esmond explains that while he thinks they did great, these exemptions will not last forever, and organizations should be thinking about how they’ll get ahead of the changes that are coming.
Increasingly through the pandemic, the idea of telehealth and wearable medical technology is growing. Esmond believes that they can be beneficial, but expresses his concern that when you’re not paying for something, you may be the product. When it comes to data there is money to be made in being insecure, healthcare professionals have to be especially careful moving into more digital spaces. There’s a lot of elementary blocking and tackling that needs to happen in healthcare, Esmond explains. Biomedical device security and wearables is a huge space where the healthcare industry needs to rigorously work on privacy.
The episode ends with an installment of Vital Signs, a segment on the updates in the healthcare security community. Medical devices are expensive, and because of the price they can’t be updated regularly or replaced at any time. There have only been security requirements for these types of devices for about six years. One of the first big hurdles to jump in the medical device community is the useful life principal. So that healthcare organizations can spend millions of dollars on machines that will not only last a long time physically, but also digitally secure.
– Mike introduces today’s guest, Esmond Kane.
– Mike asks Esmond about his experience as a CISO during COVID.
– Mike asks what type of digital transformations his organization has experienced over 2020.
– Esmond talks about the importance of empathy for patients and staff.
– Esmond and Mike discuss how the bad guys used the pandemic.
– Mike asks Esmond about OCR regulations on telehealth.
– Esmond and Mike discuss privacy and the future of medicine.
– Mike asks Esmond what the future of healthcare looks like.
– Vital Signs – healthcare security update.
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.4 Mike Murray: Today with us, we have Esmond Kane. Esmond serves as the Chief Information Security Officer at Steward Health Care, up in the northeast outside of Boston. He’s a well-known thought leader and expert on digital transformation and security, especially in healthcare. He’s been around for a long time, just like a lot of us. Esmond’s been doing this for over 20 years. Previously, he was the deputy CISO at Partners, Partners HealthCare, up in Boston, and just a really smart guy who I’m really excited to have around and to chat about all the interesting things that have been going on for the life of a healthcare CISO in the last few months. So Esmond, welcome.
0:00:58.0 Esmond Kane: Thank you very much, $10 as promised for all that nice words and flattery.
0:01:02.7 MM: Absolutely. Actually, some of the things that I find most uncomfortable about things like this is when someone else is reading my bio and I have to just sit there quietly, so it was fun for me to get to do it to somebody else for once ’cause usually, I’m the one sitting while my bio is being read, but welcome. And so one of the things I wanted to start with is… You and I talked a few months ago when you were in the midst of COVID and it seems like, because you’re in the northeast and obviously, I’m in New York, we went through this at the beginning. In a lot of ways, you’re on the other side of it and not on the other side of it as the case is. How did it change things for you, how was your experience, what do you see? Just what are your thoughts over the last six months? It’s been quite a time to be a healthcare CISO.
0:01:43.0 EK: Yeah, and I’d only just joined, I’m just coming up on 12 months, so COVID has been leading us my last six months. It’s been interesting. So, to our organization’s credit, they had taken action pretty early and they jumped into creating the nation’s first COVID dedicated facility, this is prior to some of those hot spots and New York really becoming a problem space. And in Carney Hospital over here in Massachusetts, we dedicated that facility, we took together all the staffing, those kinds of tiger team efforts, all the PPE, all those ventilators and we also were flying people in from the other states to them to see what we were doing and what it was like to go to a hot spot. So we dealt with the immediate issue in Massachusetts being a hot spot, not as bad as New York, thankfully, and fingers crossed, not in the future either, and hopefully some of that prep that we had done will also help these other states that are now going through their own increase, which is quite severe.
0:02:46.0 EK: We do have facilities also in Florida and in Texas, and we focus on that kind of community healthcare perspective so that transition of this being an urban to a rural issue were there. And to my organization’s credit and to my leadership’s credit, they thought ahead, they prepared, they put together a lot of the things that I think, hopefully, have benefited Massachusetts and New York and hopefully, they’ll now be having effect in these other states that we serve. Nobody could have anticipated this. You and I had spoken a little bit about whatever your planning looked like prior to this. It really did survive first contact, patient zero. It really tested and what it tested was the organization’s resilience. And as a relatively new security leader to this space, I had to come up to speed quickly. It was a baptism of fire, as it were. It was interesting, it was enjoyable, it was terrifying and it was also tragic. We took those necessary expediencies and hopefully, we’ll continue to reap the benefit.
0:03:51.6 MM: Yeah, and you guys had the luck of foresight. I don’t wanna say you were lucky, because it was preparation but you had the opportunity to have been somewhat prepared. I don’t remember if it was you and I, we had this conversation, but I think somebody said to me that this was an opportunity, especially for healthcare to undergo five years of digital transformation in three months. You’ve been living that. And especially from the security perspective, how do you feel about that? What’s your thoughts on that? It’s just been a lot compressed in a very little time.
0:04:25.9 EK: Yeah, that digital transformation was the necessary expediency to adopt cloud, in a dramatic function. A lot of it was communication technologies, collaboration technologies, [inaudible] immediately on work from home. These were all measures that a lot of organizations or competing industry verticals perhaps have taken in the past but healthcare, up until relatively recently, still had that big plant mentality. They still had the perception that patients showed up and sat in waiting rooms and now all of a sudden, your waiting room is a potential infection vector, so we had to change that. A lot of those elective procedures became a potential infection vector, so those were no longer necessary. You couldn’t have visitors. There’s immediate impact on our revenue, I’ll be honest. That was really tough to deal with. Some of the slow and steady income that you look at to pay, to keep the lights on, like simple things like parking or elective procedures, [inaudible], shelter, other kinds of things, were no longer there, so we jumped into action and looked at what was necessary to support the increased stress on our emergency rooms and our hope of treatment center.
0:05:37.0 EK: We had to shed a lot of strategies and projects that perhaps weren’t near-term beneficial, it’s what I call pilot purgatory and project purgatory if it didn’t necessarily benefit our patients or if it didn’t have any revenue impact. Perhaps it wasn’t completely necessary right now. You gotta come back to it. We were very lucky to be held by some measures that our regulator took. So as much as we have to accelerate some streams, project streams, there is risk associated with that. You know I have talked about how shark guts have sharp edges, right? If you make the wrong decision, the wrong leap, your bleeding edge can become much more of an acute care incident. So what we have to deal with there was, “What could we do? What did we have trust with?” And listening to the guidance either internally from our subject matter experts or leaning on our vendors heavily, or embed the measures that OCR took were extremely beneficial. So Telehealth had to be ramped up almost overnight. OCR granted to the industry as a whole, a relaxation in some of their enforcement function fosters. So technologies that hopefully you already had in play for enterprise collaboration, like Microsoft Teams or some of my peers work with Zoom.
0:06:57.5 EK: You accelerated those, so now that you had an outreach perspective for your patients, but by that same measure, you also had to examine, well, could that also be an enterprise collaboration platform? Because now you have teams that are no longer sheltered behind that perimeter that they plant in tests not just patients [inaudible]. So now you had to extend your perimeter if you thought that one existed it no longer did. So we leverage things like Microsoft Teams and other collaboration platforms, not just as outreach as Telehealth, but also to keep that team cohesion going, to keep the lights on. Teams is changing a lot of how we’ve worked in the past, it’s no longer emails and then wait 5, 10 minutes, 24 hours for a response messaging, it’s available, pervasively with their cute little gifs and emojis and other kinds of things. So it was extremely beneficial. The other aspect of this is, as much as we may, or the industry took necessary experiences, the focus was also on giving the best patient care that we could, but also making sure we look after our staff members. There was a huge element of this where not only our frontline workers exposed to the virus disproportionately.
0:08:15.1 EK: We have staff members who all of a sudden now have to deal with care issues or we’ve got eldercare issues or maybe some of your staff have chronic issues [inaudible], but you have to look after your staff as well so that you could leverage what they’re doing, security and health care is always a people problem. Your people are your best, but also sometimes your worst assets, so we have to be empathic, you and I had discussed sometimes about how we are living in a world where we all know that BBC reporter with his toddlers running in behind him. That was also an element, and I know I’ve touched upon a bunch of things there, the immediate impact was coping with the influx of patients preparing, but also dealing with how to keep the lights on, but also how to keep your staff motivated throughout some pretty stringent circumstances, it was tough.
0:09:10.3 MM: That team piece is been hard for everybody, I think, I gave a talk over the weekend actually at Bayside, San Antonio about, that centered a lot on the fatigue that we’re all experiencing right now, but even the best prepared, best-equipped people, this is not an easy time to work, and it’s especially a challenge, especially if you had an on-site stock and you now, suddenly everybody’s remote or something in that nature, if you’ve got thoughts on that, I’d love to hear, how you manage your team through this, because we talk a lot about the technology impacts of COVID and the attacker impacts of COVID, but I haven’t heard very many people go deep into how they kept their team sane. If you’ve got thoughts on that, I’d love to hear.
0:09:49.4 EK: Yeah, I was lucky. I’ve inherited a team that’s already multistage, so they’re already accustomed to working virtually, but I could necessarily say that about some of our constituents that the staff we’re working with, but we did have to change some of our mentality, for instance, obviously no more face-to-face meeting, so you’re doing virtual ones, no more ability to go grab a coffee talk or a coffee office visit, now you’re kind of scheduling those ad hoc, you’re drinking coffee remotely, god forbid if you are able to drink something a little bit more spun, you’re doing those virtual happy hours remotely. I’ve also heard some of my colleagues talk about, do those goofy things that I ask to build your team and keep the morale running, have your crazy hair day, virtual conferences, have your everybody’s wearing pajamas conferences. It’s good, but as you were saying there, a lot of security teams, a lot of security operation staff, they’re already over-subscribed, stress is an issue, it’s far to be easy to get into your office, your home office, if you have one, at 8 o’clock in the morning and not get up at all, so remember to take those breaks.
0:11:01.9 EK: Andy Ellis from Akamai has a lovely phrase, which is also when you go into your office, remind whoever else is in the house with you, that you’re working, make sure you’re dressing up, that you’re groomed to the extent that you can, so that mentally you’re in the right headspace that you’re still going to the office and you might come out for lunch or a bathroom break, but you may not be available to walk the dog or empty the dishwasher, but we also need to accept the fact that people are people, we’re human. So allow for some experiences, allow to take some measures to be empathic, to be human. If somebody has a child care issue, screaming children, now on Cam-call, we’ve all been dealing with these, dogs barking on Cam-call, we’re dealing with it. It’s necessary to think about your staff, to think about their morale, to think about their fatigue, it’s far too easy to isolate yourself, and when you isolate yourself, you’re losing that human element where the workspace pulls you out of that, you need some staff, may not have a choice, they may be isolated at home, so a video-con can be a lifeline. The other aspect of that is, some of the things that we’ll be dealing with at the human element from COVID are gonna be exacerbated, stress or other kinds of things, it’s good to leverage virtual conferences to kinda break that ice, to reach out.
0:12:30.6 EK: One of the things we’ve been doing is things like quizzes, certainly with my family and they’re good. It’s challenging, they’re not easy, sometimes when it’s your turn to do the quizzes, it takes a pain of work, but it’s good to be empathic, it’s good to be human, it’s good to keep that morale going, it’s good to take what you used to do physically and now do it virtually, whether it’s checking in or one-on-ones, turn on the video camera. Definitely let people know you’re there. That’s if your line will support it, the other issue to this is sometimes, that some of your staff may not have had a really good internet connection. Now they have no choice, They may not have had the microphones or video cameras and they were unable to buy them because everybody else was doing it at the same time. Nevermind this huge crunch on PPE, there was this huge crunch on virtual conferencing technology, so just be forgiving, be human and move on. But by that same measure, check in and measure, make sure your team is being productive and keep things moving forward. The bad guys are not taking a break, you’ve gotta remember that.
0:13:39.2 MM: And then the numbers I saw were the 300% increase in attacks over this time. In some ways, the bad guys that… I was saying about ransomware authors. This is effectively a time where you’re guaranteed your customers are gonna pay and they’ll pay higher prices because they’re under stress, they’re under load. They don’t have time… Whereas before, maybe I would take a week and worry about, like see if I can unlock the files and all that stuff. In the middle of the things you guys have been going through, not possible, and so the bad guys know that.
0:14:11.1 EK: Yeah, so some of the ransomware coalitions, they announced that they would take a break in the middle of the Geneva Convention and there’s no equivalent from a cyber crime perspective. They do not do so, that allowance lasted very, very short time frame. So if they did, that’s great, thank you guys, but I would really appreciate a little bit more forbearance. When you’re dealing with a potential issue with a patient, the last thing you wanna do is make that connection harder to deal with. The more security you add, it tends to add the necessary inconvenience and the rule of thumb here is, we wanna inconvenience the bad guys but the bad guys are not taking a break, they’re not making it easier. So we certainly have a plausibility issue here where we’re trying to jump to light speeds to introduce these new technologies and the bad guys are already there waiting and setting pitfalls and traps. It wasn’t just the 300% increase in phishing or business email compromises, or ransomware, they’re also going after the home network. If you send users home and their device wasn’t secured appropriately, did the home router attack your work computer, DLNA or UPnP device attack? Who knows, the printer itself becomes an issue.
0:15:25.5 EK: Things like, you don’t have a shredder at home, so if you have an unwise employee printing something, how is it getting disposed off securely? A lot of those foundational elementary standard where healthcare tries to get it done and very often, if you look at the wall of shame from HIPAA, tends to fail. So encryption and multi-factor, and email hygiene, and printing hygiene, and physical attacks are where the bad guys come up against us and now that you have this new remote workforce, now they have new avenues, they have new vectors. For instance, if they’re going to you send an email, well, is that email gonna go to your personal email? Is your work computer? Is your VPN now split tunneled so maybe your Hotmail or your Gmail is now accessible where it wouldn’t have been if they were on the premise? But by that same measure, if you block a link, do you have that level of endpoint controlled? And is that link actually going to be blocked on the remote endpoint if you’re doing it at the infrastructure? The bad guys did not take a break.
0:16:30.1 EK: You and I were joking that the bad guys do some things better than enterprise IT, in particular, the encrypt. Are they certainly… If you look at ransomware, they’re doing a better job encrypting the blue teams. Not only did we have to accelerate quickly but we had to overcome some of those functional challenges. We’ve accelerated and I can hope that we haven’t postponed much maintenance. I can hope that what grew in the shadow of COVID wasn’t a lot of shadow IT, that these homegrown remedies aren’t worse than the actual component. We won’t know. Now is certainly the time. If you’re in a state that you’ve been able to return to work and your revenue impact has been such that you can start putting back on more of those medium to long-term strategies, now is the time to unroll some of those. I certainly hope that you took the expedient measures to flag something that you knew was a short-term fix that had to be revisited. Hopefully, you prepared. Again, it was about being resilient. I also hope, for the record, if you allow me to stand on a soapbox for the record, that someone or the security teams use this opportunity to align with the business. We saw, during the pandemic, that Zoom were unfairly victimized for having, perhaps, not a level of security rigor that we would have liked seen.
0:17:50.2 EK: I applaud what Citizen Lab did with that security analysis of Zoom, but realistically speaking, Zoom’s [0:17:56.2] ____ and came out of the ground. They didn’t expect a thousandfold increase in customers. If some of the people are listening to your podcast, we’re an impediment to progress or security or stood on principle rather than being pragmatic. You failed at the first ask of HIPAA, that first [0:18:17.2] ____, so I don’t victimize Zoom. I think they did a fantastic job. I hope they continue to do so. I certainly applaud what OCR did as well, and they allowed us to use things like Apple FaceTime and Google Hangouts, so hopefully you incorporated that into your planning and didn’t just prohibit access to patients who are scared as much as our staff.
0:18:41.0 MM: With that you segued really wonderfully, and the next thing I wanted to ask you about, which is… So you mentioned OCR did relax a bunch of rules, specifically around certain platforms being available to use for Telehealth. Do you feel like that’s about to snap back and hit a lot of people, both that and some of the things that happened during this time, like CCPA, and coming for a while but now it’s coming for real? How do you see that and the OCR coming back, and additional regulations? What are you thinking?
0:19:10.7 EK: I think OCR did great but as I already did flag during the week that these kinds of exemptions aren’t going to be any long-term fix. As much as it was a band-aid, we need to look at attacking the problem at the roof. And I think, certainly around some of the Telehealth issues, hopefully, at this point, you’ve been able to get a risk assessment done, you partnered appropriately. I do think the exemptions that OCR put in play for a public data sharing they’re probably gonna resist until we get a vaccine in play some of those privacy exemptions. I do think some of what OCR has done to make sure that some of the states didn’t victimize pre-existing conditions or disallow certain populations, particularly around age, from getting access to some of these things. I can hope that that kind of capitalist market that was created for PPE doesn’t exist. That’s not something that I thought was very productive on making sure that states had access to this equipment when we needed it, but CCPA, GDPR, these kinds of wants and other kinds of wants that are starting to come online.
0:20:19.7 EK: I’m a privacy advocate. I can hope that you are being proactive and getting ahead of some of these requirements and putting together those systems or maybe to tokenize or to mask, or to de-identify, so that you are attacking the problem on its roots, I hope you’re partnering with your vendors, you’re leaning on them heavily. It’s a business problem at its root, right? Not only are you impacting the business culture of the organization as a whole, those states, those regulations that you’re subject to ultimately, it’s a lot of compliance. A lot of it is nuanced and hopefully, you’re getting ahead of it. I don’t think it’s gonna exist for very much longer. By that same measure, I do wanna touch upon something you and I have talked about which was the way vendors attempted to capitalize and going heavy on this. So throughout this emergency, every vendor was being overly helpful and giving you all of their products for free, even if they had nothing to do with COVID. That was less than helpful in my opinion. I understand the need from a startup mentality to try and help and to leverage every opportunity, but I was getting almost as many spam calls from vendors as phishings I was getting from bad guys. That was less than helpful.
0:21:31.7 EK: I give them the benefit of the doubt, their intent was to help because these startups, everybody who works in that world, is also some of our patients. So I feel for them and they do wanna contribute but they need to understand that it’s not necessarily a priority unless it has a direct impact on our patient care and our staff care.
0:21:51.4 MM: I don’t think I sent you the blog entry that I wrote a few months ago. I was so frustrated by everything you were just talking about. The thing that kicked off this blog entry was, I saw a friend of mine who, like you said, heart in the right place, offer healthcare organizations free phishing testing during this time and I thought, “What is the last thing I wanna do to a doctor who’s worked for 100 hours this week and is exhausted is fake phish them right now. How to be hated as a security organization within your hospital.” And it was just like, I get the point but I went off on this whole rant about, “Look, you can either make money during this time, like you said, there’s lots of those capitalist people selling PPE, there’s people who do that, or you can build trust with the people that are in your community and are part of your customer ecosystem. We would absolutely have done anything for anybody who wanted help during that time but the last thing you needed was for me to call you and be like, five times a week, “Hey man, need help? I’ll help.” That’s the last thing that anybody needs when they’re stressed out.
0:22:54.2 MM: I’ve been on your side of the table, I’ve been a CISO. I get the vendor noise. It’s like,”Ugh, so frustrating.” Alright, let me take a different direction ’cause you said something really important that I wanted to hit on. You said, “I’m a privacy advocate,” and you and I touched on this much of the really interesting privacy stuff that’s gonna happen over the next couple of years, both with contact tracing, but also, we’re really moving into an era of wearables, and I think the remote health is gonna become even more of a big deal than it’s been to this point. We’re starting into this world of personalized health being attached to this device, right? And so what are your thoughts on that? What are your thoughts on the contact tracing stuff, especially malware vendors like NSO offering to get into contact tracing? There’s so many interesting places we can go here.
0:23:43.9 EK: Yeah, yeah, and actually, NSO wasn’t forbidden from their export license by the Israeli justices. I think you need to plan as much as you can. I think if you’re waiting for the federal government to chime in with some privacy guidance or the FDA to help you around these biomedical devices, you’re lost, you’re done. I do like some of the industry consortiums that are stepping up there around those connected health, those devices that are increasing the available at home. I also like that stunt that… I forget the name of the company in Florida that they pulled on St. Jude’s. It was Justine Bone.
0:24:18.5 MM: The MedSec people.
0:24:19.2 EK: MedSec, there you go. I thought that was funny to galvanize interest. Can we do better? Absolutely. We need to. The issue here is, a lot of these vendors that healthcare [inaudible] do partner with are mining that data for other purposes. Fitbit isn’t going to necessarily work with, that’s a broad example, I’m not going to accuse Fitbit of everything. But if you wanna aggregate some of your biometrics or you wanna aggregate some of your other kind of statistics into your healthcare platform, and if you’re gonna use that vendor as [inaudible], what are they doing with them? Now, these ones that help with your health or dietary concerns, is it great to establish a relationship with your physicians and clinicians? Absolutely. It will help patients and they can focus on behaviors which aren’t necessarily some of what a surgeon would necessarily focus on. But speaking as an industry professional, I have concerns of, if you’re not paying for something, it’s because you have the product, right?
0:25:15.1 MM: Right, always.
0:25:16.5 EK: And contact tracing, I have similar fears around. If you’re not paying for that, what are these people who are giving it to you going to do with it? So we had spoken around NSO and such. Certainly, the level of technology that is available on the mobile platform right now is Krampus, and I hope it’s a force for good. But if you look at what the NSO Group can do, if you look at what the stunts pulled in in Europe with [inaudible], you don’t need to interject or hijack the vendor or the cloud service anymore. Your population can potentially install a Trojan. Maybe there’s something in the Play Store or the App Store that your users can uninstall. What’s that gonna do with that data? Is that gonna scrape your device? There’s a lot of concern recently over TikTok, for instance, scraping data and sending it to certain governments. It’s an absolute real concern. You certainly, from a corporate perspective, you need to make sure that you’re monitoring for those mobile devices, that you’re putting together that posture assessment and hygiene. I hope that we can leverage that more. Those privacy-benefiting locations can be more useful for education and authorization and maybe steps towards Zero Trust.
0:26:31.7 EK: I hope that our users aren’t concerned that we’re necessarily going to be looking at their photos of their grandmother or things of that nature. But we do encounter those issues. Mobile devices are replacing laptops. They’re replacing computers, and I do worry about that. I like the way Apple are doing healthcare and making sure that some of this stuff never leaves the device. I applaud Google for stepping up and working with the federal government around several initiatives. Android is a moving target, in my opinion, it’s very hard to secure.
0:27:04.6 MM: It is.
0:27:04.9 EK: But they’re getting better. But when it comes to privacy, right now it’s kind of caveat inventory. The buyer needs to be informed, and I think there’s money to be made in making it too easy to be insecure. I worry about some of our brethren in the social media space. That’s what they do. They create all of this data mining opportunity and they scrape your data and sell it. There’s certainly, there’s no perception yet that you are your data and you own your data. I think that was the heart of what we were trying to achieve with GDPR and CCPA, and we’ll see. I don’t trust a politician to get anything done in this day and age.
0:27:43.3 MM: No.
0:27:43.7 EK: But it would be nice if it was a little bit of help. I do also applaud, by the way to go back to our earlier topic, DHS and CISA were great through this pandemic and alerting us when there were particular issues. The ISACs and the Information Sharing Consortium also helped. But there isn’t necessarily something that’s equivalent from the privacy space, and I think it’s room for improvement. I have thought one of the things that would get blockchain off the ground would be the concept of differential privacy and putting it in the hands of the consumer. But blockchain isn’t at a level yet where your grandmother could use it, and it’s far too easy to lose some of those settings and expose yourself, in my opinion. I don’t know if that really answers your question Murray, but that’s some of my thoughts.
0:28:29.6 MM: Of course it does, and I just like getting you off on your soapbox. I mean social media is the definition of if it’s free or the product, right? That’s really where that model started is the Facebooks, the LinkedIn, etcetera, etcetera. With that, I know we’ve been talking for a while, I wanna kind of wrap up with the thing that we do at the end of everything. Giving you a crystal ball for a second. Take your crystal ball out. What does the next three-ish years in healthcare security look like? ‘Cause I think healthcare security is very different than everywhere else, so that’s my first sort of hypothesis, but what do you think are the big parts of the next three years, especially things we haven’t maybe talked about? ‘Cause I think privacy and everything you just said, that is a lot of the next three years, but I think there’s a lot of other things too, and I’d love to hear what your thoughts are.
0:29:14.3 EK: I think there’s a lot of elementary blocking and tackling that needs to be applied consistently in healthcare. And I’m not speaking about my organization. I’m speaking as the industry as a whole. I think there’s an over-reliance on compliance, there’s over-reliance on insecurity, and it’s not necessarily been designed from the ground up to be secure, to be private. And I do think you were touched upon this earlier, biomedical device security is going to become an increasing issue. Every three months we get a new Mirai equivalent or something like that, which is the latest IoT piece of bloatware, right? It is a concern. But now, as you had mentioned, these implantables, these wearables, these adoption of consumer level technology is a concern for them. So I think we need to do some better rigor in that space. Obviously that’s a huge issue. You’ve got this, not only just this global information warfare, you’re dealing with all these attacks on the supply chain. You’re dealing with all these accusations from different national governments over one doing something and the other one doing something. Who knows, and they’re starting to arrest citizens at this point. It’s a little interesting shall we say.
0:30:20.0 EK: So back to your question, Murray. I would think, healthcare, IoT and biomedical at home is really interesting. I can hope that there’s an increasing maturity. Hopefully that these healthcare organizations who have been slow to adopt the cloud and do so to scale out and meet customer demand to be able to help their patients, but in doing so, they also adopt a more secure model. Certainly easier to do in the cloud than to architect on-prem, which has been our traditional way of doing things. I do hope to see around identity and access management, I would hope Zero Trust becomes easier to adopt. I think continuous assessment, continuous validation is hugely interesting. And Dr. Cunningham over in Forrester, you know I always view his seminars when he does them. At its heart it starts with do you know what assets are on your network, do you know where your data is? I think that’s a problem across the entire industry, and hopefully we step up. Are you okay? You banged your mic.
0:31:20.2 MM: Yeah I smacked my mic there. Sorry about that. Yes, I’m in such violent agreement that I’m slapping my microphone around. I completely agree. Alright with that, thank you, dude. Seriously, this has been so much fun. Where can people find more of you, you know? Where can they go to hear your writing to hear what you have to think?
0:31:40.1 EK: It tends to be just on LinkedIn. I do tend to speak about once a month or so. I’ll be on a Secure Role Boston shortly. I’ll be on Healthcare Internet of Things forums. And a couple other speaking engagements lined up over the summer and into the fall. You know really, it’s about a dialogue. One of the things that I miss about conferences and these kinds of sessions is meeting people and having these side bars. It’s far too easy to sensor yourself when you’re being recorded. It’s nice to check in with my peers and say, “Hey, is this vendor full of it or are they really helping you?” It’s nice to combat that fog, but also to get that word for the people who are actually on the front lines. And if I’m interested in technology, I’ll reach out to my network. If you’re one of those people and you meet me at a conference, either virtually or physically, please do come up and talk. Ask good questions. There’s no bad questions. We’re all in the same boat. The issue is this perception that the rising tide is gonna lift all boats is some of our industries and organizations are in super yachts. And some of the other ones are in the life rafts.
0:32:43.3 EK: So as we’re increasing our ability to react and combating these adversaries, it feels sometimes that we’re in the Renaissance Age, we’re crafting every single tool as if it was a silver bullet. And forget about that. The bad guys are in the space age and they’re fighting each other with a lightsabers. So, I certainly encourage open dialogue. Reach out to me on LinkedIn, reach out to me if I’m at a conference. And it’d be good to talk.
0:33:10.2 MM: I completely agree. And same. We talked about it the other day. I missed the, let’s just go grab a beer, part of this whole community. So everything that Esmond says, I think everybody whose ever met me knows the same. Come talk to me, let’s continue this dialogue, there’s not enough of us having this conversation. So with that, Esmond, thank you so much. You know, its been a blast. We’d love to have you back sometime. This is always interesting and always insightful, but thanks again.
0:33:37.2 EK: Thank you, and best of luck guys.
0:33:41.2 MM: Up next, is the latest installment of Vital Signs, where the Scope Security Team shares their insights and advice on issues we think the healthcare security community should know about. Today, I wanna talk about the useful life of medical devices and the challenge that that creates for cybersecurity. Medical devices are expensive. This is especially true when you talk about large and highly sophisticated medical devices, examples being cardiology and radiology devices like a CT scanner and an MRI machine, or large-scale systems like those that you’d find in a heart catheterization lab. These systems can easily run into the hundreds of thousands or millions, sometimes even above the millions, into the 10 millions of dollars. Because of the price, these aren’t pieces of equipment that can be replaced every couple of years like your laptop, nor do hospitals just have tons and tons of money sitting around to replace equipment that’s already working. So if you’re a hospital administrator buying a new CT scanner and spending $2 million on it, you are investing in that equipment expecting that it’ll have a useful life in your hospital of 10, 15 or even 20 years at times.
0:34:51.4 MM: The challenge of this becomes evident when you realize that the FDA cybersecurity guidance for pre-market devices was first released in 2014. This means that only for the past six years have medical device manufacturers had to build towards stringent requirements for the security of their devices, and that many of the products that were built before 2014, because of this useful life challenge, still are deployed in hospitals today. The bigger challenge for the manufacturers, of course, is to build a product that can remain secure in the market for decades at a time. Imagine if you were a brilliant product developer back in 2005, developing your state-of-the-art CT scanner running Windows XP. Imagine being in charge of securing that same Windows XP-based CT scanner still running in your hospital today, and expect it to run for the next five or six years. It’s not like you can just rip it out because you don’t have the millions of dollars to replace it, and the manufacturers are somewhat limited by the hardware and device that existed in 2005 when they deployed the machine. When people talk about medical device security, they don’t realize that one of the first big hurdles we need to consider is this useful life challenge. It’s incredibly challenging to build a computer system today that’ll still be secure in 20 years.
0:36:07.9 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUEST
Esmond Kane currently serves as Chief Information Security Officer (CISO) at Steward Health Care, a 35 hospital, multi-state healthcare organization that provides world class care to millions of patients annually. In his role at Steward, Esmond’s focus has been on transforming Steward’s approach to information security, threat and risk management to comply with industry frameworks, regulations and best practices.
Esmond has over 20 years’ experience leading IT and Security programs in multiple industries. Before joining Steward served as Deputy CISO at Partners Healthcare in Boston working with executives and advisors on cyber security and business practice. In his spare time, Esmond likes to gargle Pan-galactic Blasters and annoy people who read bios.