In this episode Mike welcomes Esmond Kane, CISO of Steward Health. Join us as they discuss the risks accompanying advances in technology allowing doctors to treat patients remotely. As a CISO Esmond knows these risks can’t be eliminated entirely, but they must be managed.
0:00:02.8 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.1 Mike Murray: Really excited about this episode, and I can’t tell you how excited I am because one of the very first episodes we did was with Esmond Kane from… The CISO of Steward Health. I was just telling him before we started recording that it was one of my all-time favorite episodes and that I still quote him as saying shortcuts have sharp edges, and really excited because this is a book-end kind of episode for us. When we started this podcast, we were talking to Esmond about what it was like to be a CISO at the beginning of COVID, and now, we’re talking to Esmond again about what it’s like to be a CISO as we start to come out of COVID. And I think it’s… The way that the world has evolved is so fascinating. So Esmond, welcome back. Maybe tell everybody a little bit about yourself, if people haven’t gone all the way back and listened to the first episodes, and good to see you again, man.
0:01:04.9 Esmond Kane: Good seeing you. Congratulations on your continued success. And hopefully, you’re out there getting the vax and other kinds of things, so we can all enjoy, maybe meet up at some point.
0:01:15.3 MM: Yeah, we were just talking about DEF CON and Black Hat. Maybe not this year, but hopefully in the future.
0:01:20.1 EK: Yeah, I hope. So if people aren’t familiar, I work for a multi-national healthcare organization called Steward Health Care. We’re in about nine states in the US, and in about three international locations as well. We kind of focus on that suburban healthcare hospital that prevents you having to go to that large urban plant, and certainly with what we just went through with COVID, you really want to avoid some of those densely-populated areas, and the other aspect to that we had spoken last time, was our staff, our workforce tends to be in the community that they’re serving. So it’s been both a blessing that they can help the community that they live, but also mixed blessing ’cause they then have to go home, and that’s been tough for some of our practitioners. But like you had said, there’s light at the end of the tunnel, at least in the US, for those locations that are having success with their vaccination programs, long may that continue. But certainly, I think you will join me and everyone else with wishing some of the less fortunate locations that are less reached to vaccines and it’s really tough watching what’s going on in India right now. It’s heartbreaking.
0:02:28.6 MM: Absolutely, it really is. And Brazil before it. This is certainly, as much as we in the sort of Western world like to celebrate, I don’t think we’re anywhere near done with this. The challenges have shifted, but I think this is a long road for all of us.
0:02:44.4 EK: It is, but also it’s almost fortunate that we can start to think about life beyond COVID. What’s at the end of the COVID rainbow, right? Certainly, there’s a lot of clean-up, there’s a lot of things that we had to accelerate through the pandemic, and now we gotta go back and clean them up, gotta remember the bad guys didn’t give us a break, so if you took some shortcuts, now you gotta go back and make sure that you clean them up and rough down or burr down those edges. I think we’ll be dealing with this for years. There’s also a lot of mental health issues and a lot of other kinds of domestic things that we’re dealing with. There’s also fortunate ones. Hopefully, you’ve been able to accelerate cloud adoption. I saw a report recently from HIMSS that some industries have accelerated their cloud adoption by seven years, right. The average is something like three years, so it’s been a boon to cloud companies, and certainly if you look at some of their bottom lines, they’re reporting it, but the bad guys, won’t give us much of a break, and they’ll start looking for those shortcuts pretty soon. Yeah.
0:03:44.8 MM: Well, I think accelerating the things we’ve accelerated, like cloud adoption is a really wonderful example, but telehealth and some of the other things that you’ve probably had to really accelerate over the last year, they present an entirely new attack surface that the industry as a whole might not have caught up with yet.
0:04:00.7 EK: I would agree, I would agree. We were also talking before you hit record around IoT, right? If you look at the numbers, there’s gonna be something like 20, 30 billion of the devices in short order, and through the pandemic, we’ve adopted some of those technologies, and we’ve put those in front of patients and the patients are using their phones to telehealth into their physicians and things of that nature. I hope we don’t reverse that course. That’s great. That’s so nice to be able to talk to your doctor from the comfort of your home, not having to go into those big plants and sitting in a waiting room. It’s so much more convenient just to sit there with your coffee and wait for your scheduled time. There’s also some benefit. Now, you’ve got those applications on your phone, and maybe we can now start collecting some of that telemetry. There’s other kinds of things that we can think about.
0:04:53.0 MM: People who have listened to this have heard me talk about it, and I’m a big wearable guy, I am often connected to my phone in some sort of way that’s gathering some telemetry that’s useful from a health perspective, but I think one of the really interesting things… And we had a couple of episodes ago, we had Alissa Knight on who had just done a paper on mobile health apps, and she looked at, with the permission of the vendors, 30 different mobile health apps, and in all 30 was able to exfil data out of them, and exfil, not her own data, other patients’ data. And 30 out of 30, massive vulnerabilities, and I think that that whole… Mobile apps have been a challenge for a while, but mobile health apps is kind of, like you said, we’re moving very fast into that area, and I think that we’re gonna have to catch up on security development and how do you monitor what’s happening on that phone once that app is in the hands of that user?
0:05:48.6 EK: Yeah, I don’t know when this will get published but we’re not long after the 21st Century Cures Act being dropped, and with that, became that reinforced federal mandate that patients have access to their data, it’s their right, it’s theirs. And Apple are pushing this with healthcare and other kinds of platforms, and they’ve been pushing some of the envelope when it comes to privacy. So I think it’s certainly a very interesting time across healthcare that we have really interesting opportunity to put some of that responsibility in the hands of the patients in a much more convenient way than it has been to date, but also, as you had indicated, there’s some risk. Not only have we had our adversaries weaponize some attacks through the pandemic, in general, infosec has had to kind of adapt and focus on that patient care prerogative. And like we’ve said, there will be some cleanup that we need to get ahead of, ’cause the sad fact of life is the bad guys are out there, and they’re moving very fast, and they don’t need to care about destabilizing platforms and destroying a mobile health app.
0:07:02.3 EK: Whereas, that’s something that a blue team member has to think about. We don’t want to prevent a clinician from having access to data and being able to treat patients, but the bad guys don’t care, right? There’s a quote from a gentleman called Seamus Heaney, he’s an Irish poet, and he talked about we’re surrounded with truth and risk. Right? And the goal from a security perspective, isn’t necessarily to completely eliminate risk, it’s really to manage it, because risk is at the heart of being able to provide patient care, being able to expand business and put innovations in front of our patients. And what OCR has been advocating for decades now is that we measure, we manage, and we mitigate. They chose to relax some of their enforcements through the pandemic, but at some point soon, they will relax that relaxation and all of a sudden, now we’ll be subject to that same enforcement that we were in the past, so yeah, like I said, we’re gonna have some reversal of course to take, yeah.
0:08:11.7 MM: Something that I’m sure is interesting to everybody listening, in your role, how do you prepare for that? How do you, in your organization and your other executive stakeholders, start to think about snapping some of those things back into place?
0:08:23.7 EK: It’s a good question. The first part of that is, you need to have a line of communication. You need to be able to talk to those practitioners that are front line, and whether that’s the board of directors or some of your business leads or IT leads, you need to know what the risk appetite is of your organization before you turn around and say, “Well, it’s my way or the highway.” You need to understand when an organization solves problems and what their tolerance for risk is. And hopefully, through the pandemic, you adopted solutions that are future-proof, that weren’t necessarily short-term. That previous podcast that you spoke to, if you opened up a new target for exploitation, well, what did you think about closing down that target? If you took a shortcut, how do you get back on to the longer road? It’s about resilience, it’s about being strategic as much as you’re required to be tactical, it’s also about just straight mental preparation, it’s about perseverance, it’s about looking at the goal, the long term, it’s about absorbing and adapting to that short-term disruption, at least I hope it’s short term.
0:09:36.0 EK: But hopefully you’ve adopted cloud and IT solutions that you can perpetuate and indeed maybe even improve your security solution. That’s kind of certainly how I focused on it. If you looked at a point solution, well, now can you unroll to something that you have available, another vendor? Some of our vendors have been really good to us throughout this pandemic, but the criminals aren’t gonna give us any leeway around exploiting the system vulnerabilities. We were talking very quickly about supply chain attacks. As much as ransomware was, and phishing was a headline item through the first six, nine months of the pandemic, certainly the last three, four months have been ridden with SolarWinds, Sunburst, Hafnium, all these other kinds of attacks. It’s an interesting time to be involved in IT and infosec.
0:10:32.4 MM: Well, and especially when it comes to attackers, success always breeds copycats, right? I think the success of the three attacks you just mentioned is gonna mean supply chain’s gonna be a conversation we’re gonna be having for at least the rest of this year.
0:10:46.4 EK: And it is a conversation. So it’s never a good idea for your first introduction as a CISO to be to some of those thought leaders to be cleaning up, but it is our job to put that toothpaste back in the tube on occasion, but if you can be proactive, hopefully you’ve had that outreach and you’ve baked into things with your supply chain and procurement, like proactive vendor risk assessment and good contractual terms and conditions around contracts and legal liability, and maybe you’re having conversations with your risk management and cyber insurance team around how to counter some of those ransomware threats. But as I was just saying, it’s a terrible thing to do to be the no guy, right? If you show up, and it’s like, “Well, you shouldn’t be doing this.” It’s like if you’re growing a spine in the middle of an incident, you’ve failed. If you wanna be the guy that says, “Go,” stop being the guy that always says no. The new normal is digital presence, it’s some element of consumerization. It’s cloud on everything, and having that proactive outreach, talking to those constituents, and having them come to you with simple questions is a great way to establish trust and build a relationship.
0:12:04.2 MM: I think the word trust is a really important one. For the CISO to get anything done, it’s not… You don’t control the business, the business has to trust you and has to believe in you for your influence to work, and I know that that’s something you’re particularly good at. It’s trite to say soft skills are important as a CISO, but how many times have you heard that and then how many have… All of our peers have challenges in those areas. We think that if we get the technology right and we say no enough, that it’s good enough. But to your point, especially in trying to clean up and move back, I think you’re gonna have to have the really great relationships with the rest of your organization.
0:12:42.3 EK: I would agree ’cause it’s an interesting time right now, not only were we dealing with the pandemic, we were dealing with some societal unrest, and it was certainly trying times. But being adaptive, being flexible, being conscious of bias and focusing on some of those diversity measures, it’s been an interesting time. There’s a guy out there called Dan Geer. Dan was famous for getting fired from @stake for the software monoculture that I guess some of @stake and Symantec’s customers didn’t like, but he talks about this concept of resilience, and he takes it to the Nth level. He’s a biological engineer by trade, and he deals with pandemics. That’s what he deals with, that’s what he trained in, not software, not IT, not infosec. But he talks about this concept of hybrid vigor and how trying times and having these trials are good for the overall health, how having a diverse background… If you have people that just grew up in IT or infosec, maybe they’re belonging to some of the risks that we’re dealing with, and it’s an interesting concept. I always like to hear Dan think or at least to think as his audience.
0:13:55.8 EK: So this journey we’re all on to improve patient care in healthcare, it’s not going to be a seamless road, it’s gonna be a little bumpy. The road ahead through the pandemic maybe it’ll be international focus, maybe we’ll continue focusing on some of the problems in the US and Europe, but it’s great to see and tap into the mindset, that hive mind and what people have learned through this. It’s certainly a great time for people like yourself to challenge and say, “Well, what is history gonna look back on?” You might have had the best laid plan, but Bismarck said, “No plan survives first contact.” So when it fell apart, what did you do? I often think about that when I talk to my peers around ransomware. You might have had the best prepared plan ever, but what was your approach to be vigorous, to be resilient when the bad guys found that… And poked a hole in that armor? It’s interesting. Threat hunters are both a good thing and a bad thing, and these trying times, I think will be good, hopefully for information security. We didn’t touch upon it, but there’s about to be an executive order dropped, right?
0:15:06.0 MM: Yes. Yes, there is.
0:15:07.8 EK: And that’s interesting. Are you talking about that with some of your audience and other…
0:15:11.5 MM: Not one person that I’ve had on recently has talked about it, so let’s talk about it. I think it’s fascinating. We’re starting to see real government movement in this way, and the FDA is being very vigorous lately, they’re out there and being very vocal. And it’s the first time in the last few years, at the very least, that we’ve really seen strong regulatory action towards cyber security, since perhaps the Obama executive order 12 years ago.
0:15:38.5 EK: Yeah, I agree, it’s good to have those executives at that federal level leading and CISA has been doing a good job advising OCR and other kinds of ones. The Safe Harbor bill in January, which said that if healthcare adopts an acknowledged risk management framework, it should be considered by OCR, if they’re looking at any penalties. That was a huge win. What I’ve seen of the executive order is that it’s gonna be focused on some elements of incident response and coordination. Certainly, it’ll move the needle on FISMA and FedRAMP, and when they do that, obviously that would be a huge gift to big tech. But big tech has some growth of its own to do. They’ve been conducting some horrendous abuses against privacy. As much as there’s growing appetite for legislation, California is about to drop CCRA, the executive order, I think hopefully, will encourage tech to coordinate and the ISACs and ISAOs will be rewarded, I hope. There’s an opportunity here. Healthcare has led for privacy, for instance, for decades now and…
0:16:46.0 MM: Forever.
0:16:47.7 EK: If this Executive Order encourages more of that kind of federal level stuff beyond what’s happening at the state level, that’s gonna be interesting. Privacy isn’t easy, it’s hard, which is why big tech is failing at it. It’s not just because we are the product, it’s also because it requires nuance.
0:17:05.7 MM: Well, and it’s anathema to most technologists. If you grew up in IT, it’s, “How can I open my system? Information should be free. Things should move around.” And that’s great when I’m doing telemetry off of an aircraft engine, it’s a very different thing when I’m streaming your medical records across the Internet to some random app somewhere.
0:17:25.0 EK: Yeah, it’s… Yeah, good luck with your S3 bucket or your unprotected MongoDB or whatever. The interesting thing about that is hopefully that the feds will do it properly, we don’t know. Maybe I look a bit too cynical, but I think if you’re waiting for any action at the federal level, you’ll probably continue to wait, don’t hold your breath. But the people who aren’t waiting are the bad guys, they’re also adopting these tools. And as much as we’re on the journey to things like a smart hospital or adopting these technologies to help the patients, if we don’t do it properly, there will be privacy concerns and the bad guys will find that and exploit it. Ransomware actors just recently started naming and shaming, so we’ll see what happens. I certainly think we can do privacy better and hopefully we can inform some of our colleagues and big tech to do it. We’ll see, it will be interesting.
0:18:20.2 MM: I’ve been in this industry for 25 years, and the bad guys haven’t given up or taken their ball and gone home yet. No matter what we do, they’re gonna do something. Actually, there’s something that you said earlier that I wanted to jump on. I’m also a big Dan Geer fan, just FYI. And Dan, one of Dan’s concepts that I talk about way too often is the idea of no silent failure, and you talked about handling ransomware, and I think far too often, one of the big challenges, especially in healthcare with limited budgets and perhaps lesser staffing than other industries, we tend to tune our alerts down, we tend to make them too quiet. And I was talking to somebody earlier who had gone through a ransomware incident and they were saying, “Yeah, we went back in the logs and there it was the whole time, but we turned it all down ’cause we didn’t have enough people to deal with it.” I wondered what you thought of that. And just in the whole no silent failure idea, how do you even manage, especially as you’re moving outside the four walls of the hospital with all these care devices and things? How do you get that telemetry? How do you… How do you get the visibility you need to do those things? And what do you see in your peers?
0:19:31.5 EK: Yeah, it’s an interesting problem. I don’t really know if I have an answer to it. I was having a conversation with a colleague the other day, and I said how… It was almost like COVID was the world’s longest PowerPoint slide deck, and it felt like we were coming to the end of it. But when you were describing the problem space, it was like, well, are we repeating what Feynman learned in The Challenger Disaster where some of these problems exist on slide 25, like an eight-point font line in that, “Here’s this one problem, oops.” How do you get ahead of that so that you’re not ignoring what is a ____? The bad guys… If you talk to some of our colleagues in three letter agencies, there’s two teams doing some of this. There’s the one guy that goes away and acts as misdirection, and then there’s the other guy that’s over here that’s doing the real attack, so when you’re busy fending off one attack, you don’t know that there’s something else going on.
0:20:32.7 EK: And I remember that dealing with one of the local Boston hospitals when they were getting hit with Anonymous and things of that nature, it is a concern. What’s hiding in plain sight? These tools sometimes present their own gravity, and signal to noise is an issue. Certainly, what my thoughts of recent are some ML is better than other ML. And usually, the bad ML is stuff that they’re slapping an AI label on and pretending it’s intelligence, it’s really not. It’s really just statistical aggregation, but if you do find one of those data scientists who’s good at this stuff, those outliers, mathematically can stand out significantly.
0:21:17.7 EK: When I talk to some of my vendors and they’re investing in behavioral analytics and stuff, it didn’t overwhelm the industry as we had all thought that it was the next evolution of SIEM. It’s just complementing it. They’re slapping new labels on it as if it’s new, it’s not. It’s, in my opinion, just an iteration. But with that evolution, my opinion has the opportunity to distinguish signal from noise. The problem is, a lot of us, especially in healthcare, are still dealing with basic foundational problems, right? So getting asset management done properly, getting points done properly, but then if you try and align that with a particular industry, you go talk to those ones that have perceived more maturity, and they’re sitting there going, “No, asset management is still difficult in finance. Application security is still tough.” Those kinds of problems, I think, are foundational in the security business, and I don’t have an answer for you, but I certainly would like to think that ML can get us more or in a better position than we are currently.
0:22:27.7 MM: Yeah, I have to introduce you to our chief scientist, Jeremy Richards, at some point. He will talk your ear off. He’s one of those good ones. He’s one of those folks that actually knows how to apply ML in a way that isn’t just marketing spin. Very lucky to have him, but there’s a lot of marketing around it, and there’s not necessarily that many products that are doing it at the level that I think we need to. And I have to admit, I’m a little scared that we haven’t really seen the first adversaries that are good at it yet.
0:22:55.5 EK: Well, you wouldn’t see them. It’s astonishing the extent to which the recent attacks, like you had said, were somewhat done in plain sight, and they were overt. I’ve heard from thought leaders like Kevin Mandia and such that different adversary techniques are punching above their weight, different countries are… Or certain TTPs are more pronounced in certain nation states. But to use your point or analogy from earlier, some of them are in an option and it’s right there, and you just need to do… To be aware of it and to have the team to look at it, and we’ll have to see where we go from here. There’s a Ransomware Task Force at the federal level, they’ll come up with some recommendations, things like privileged account management, things like lateral movement and flow analysis and things are, they’re not new, they’ve been around for decades. So we’ll have to see where the federal space takes it, and indeed if big tech’s even gonna have time, ’cause that executive order is gonna be a huge gift to them.
0:24:01.7 MM: Yeah, for sure. Esmond, thank you so much for coming on. Where can everybody find you? What are you up to? And if people wanna find more of you, where are we gonna… Where are we gonna find more Esmond?
0:24:12.3 EK: So I’m on LinkedIn, I’m hoping to get to DEF CON. I’m probably gonna be virtual. The Biohacking Village is where I tend to hang out a lot. I’m certainly gonna be speaking for a couple of other organizations soon, SecureWorld and Cisco, so just find me on LinkedIn and reach out and hopefully the conversation will be beneficial to both of us.
0:24:33.6 MM: Very cool. As always, thank you so much. It’s so much fun to talk to you and hear your thoughts and just sort of meander through the world of your brain, and I appreciate it a great deal. Thanks again.
0:24:43.7 EK: Thank you, guys. Have a great day.
0:24:48.1 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up, or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests, or technical tips, please contact us at [email protected]
Connect with Esmond Kane on LinkedIn.