Jonathan Knepher:
Welcome to to the Point Cybersecurity Podcast. Each week join Jonathan Knepher and Rachel Lyon to explore the latest in global cybersecurity news, trending topics and cyber industry initiatives impacting businesses, governments and our way of life.

Rachael Lyon:
Now, let's get to the Point. Hello everyone. Welcome to this week's episode of to the Point Podcast.

Rachael Lyon:
I'm Rachel Lyon here with my co host Jon Knepher. We're excited to welcome back for a part two discussion with Russell Teague, the CISO at Fortified Health Security. He has more than three decades of infosec experience spanning healthcare, tech, pharma and financial sectors, among many others. And he's contributed his expertise to the White House National Cybersecurity Healthcare Strategy. We couldn't be more excited to continue this conversation. So everybody buckle in for part two with Russell Teague. And now let's get to the Point. Switching gears a little bit kind of.

[01:01] How is Uncertainty Affecting Cyber Preparedness for healthcare organizations?

Rachael Lyon:
You mentioned Greg Garcia earlier and I can't think of financial services. Healthcare regulations are absolutely critical for governance and particularly in the US where we don't even have state by state privacy, you have to really count on these sector regulations. But we're seeing a lot of uncertainty happening right now. I believe Greg's calling for the HIPAA security rule update. You know, in these times of uncertainty, how is that affecting cyber preparedness for health healthcare organizations?

Russell Teague:
Well, quite honestly, it's creating paralysis.

Russell Teague:
Right.

Russell Teague:
People aren't making critical decisions to move forward because of the uncertainty. They don't know whether they're going to have the funds. Most the feedback I'm getting from, from most of my clients and you know, the folks I meet with on a regular basis at conferences is their, they're anticipating a 30% reduction in budgets, 30% reduction in funding. That is a massive impact when you're only dealing with very thin margins. Healthcare operates on a 3, 4, 5% margin and today we're only investing a very small portion of our IT budget towards cyber. It's slowly creeping up.

Russell Teague:
Right.

Russell Teague:
I think the latest stats is we're running maybe around 7% of it budget on, on a path to maybe do 9. But if funding cuts by 30%, we're not going to make it to 9. We're going to stagnate and this problem is going to get amplified. Uncertainty is the right word. I was in D.C. 45 days ago, you know, met with HS, HHS to try to understand the deputy director there, try to understand where some of these bills are going. Many of us are under the belief that the hipaa, the New HIPAA proposed security rule update is dead right. There's no, there's no viable way to implement it.

Russell Teague:
Every major organization, including Greg Garcia and so many others have all come out vocally against it because doesn't for two reasons. It doesn't do enough. It doesn't move the guidance to a hard regulatory. A regulated environment, and there's no funding to achieve it. And then the time to implement is too short. You've got to give a longer Runway or a longer entry ramp into this fast highway of cybersecurity. And so you can't take an industry that is roughly 15, 20 years behind and expect them to close that gap in 60 days or 90 days or even 12 months. They need a much longer roadmap.

Russell Teague:
The Cyber Performance goals was an attempt to do that. CPGs, they were aligned with the 405D framework framework or hiccup is known. And they're all based on nist.

Russell Teague:
Right.

Russell Teague:
And so my guidance to the audience is if I was going to pick one framework to try to build my cyber program, I'd pick nist.

Russell Teague:
Right.

Russell Teague:
That's what OCR is looking for. That's what CIS is looking for. HHS ultimately is adopting it. Federal government, in terms of critical infrastructure are all adopting nist. So let's just go where everyone else is going and be accountable for it and don't wait.

Russell Teague:
Right.

Russell Teague:
Don't wait to whatever happens on the Hill in Washington, it's your business, your operations, and it's your community. We're all patients, so we all deserve access to health care. And so let's do our part to make sure that we're implementing a program that maintains continuity of care and provides patient safety.

[04:38] What is Secure by Design?

Jonathan Knepher:
So given all of that. Right. Like, that's a lot and that's scary. But we also hear FDA calling for Secure by design and basically things that are gonna take a lot of funding and a lot of work. How do we reconcile that and what's that mean?

Russell Teague:
Yeah, and I'm a big supporter of Secure by Design because it's holding the manufacturers accountable. I talk with CIOs daily about the legacy equipment that they have within their environment. And the CFOs that say, is it functional? Does it deliver care?

Russell Teague:
Right.

Russell Teague:
What's the alternative? Well, the manufacturer doesn't have a fix for it. You gotta upgrade.

Russell Teague:
Right.

Russell Teague:
Well, that upgrades millions of dollars.

Russell Teague:
Right.

Russell Teague:
And it's difficult for a struggling business to say, stop using that MRI machine and we're gonna buy another one and it's Gonna cost us $3 million. To do it, let alone the rip out, replace and implementation of it and the downtime associated with it and the impact to the patients in the patient continuity of care. It's a really difficult decision for CFOs and CIOs to make. And so the accountability has to be put back. And this is what this bill is working on, is put the accountability back on the manufacturers.

Russell Teague:
Right.

Russell Teague:
Build it with security in mind. Don't build it the cheapest, fastest way and let the security problem be someone else's problem because. But you know, we're gonna, we're gonna have a long tail on, on, on this legacy device item, right. And we're gonna have to think about network segmentation and other control mechanisms to control that blast radius. But I think it's a good movement. The problem is, I think it's stalled right now. I mean, I don't, I don't think we're getting good movement because we're focusing on so many other things that that word uncertainty fits in here again as well. Right.

Russell Teague:
But you know, software, SBoM and the whole, you know, section, you know, 5248, you know, is, is the right direction, right. In terms of it and holding accountability. I just don't know that there's enough teeth in the bill to actually get it accomplished and get it over the, you know, over truly on the desk and get the gavel to swing.

Rachael Lyon:
And that's been an ongoing problem for some time. I mean, as I recall, I think the medical devices have been in this weird gray area and how do you hold them accountable? I mean, who has the teeth to do that, Russell? Because it's so critical, I mean, particularly as we talked about earlier, the significant reliance on suppliers and third party vendors that healthcare organizations have. Something like this is significant.

Russell Teague:
Yeah, no, it really is. I think the mechanism, unfortunately has to be done grassroots. We can, we can try to get the regulatory movement to support it. And I think we're, we're having the right conversations. I just don't think we're moving fast enough on it with, with, you know, everything that's going on, you know, in D.C. but own accountability at your individual level.

Russell Teague:
Right.

Russell Teague:
Make choices, integrate into your procurement process to ask, right, will you support this? Right. Will you upgrade it if new vulnerabilities are discovered?

Russell Teague:
Right.

Russell Teague:
Engage with those strategic partners that provide you the equipment, that stand behind their equipment and move off the ones that don't.

Russell Teague:
Right.

Russell Teague:
I know that is a long strategy, a long game strategy, but what else? Look, we're left with Very few choices, right. We're going to continue to pray that the regulatory and legislative landscape will support us. But what can I do today? I can take action in my own organization. I can make better decisions, right. I tell my customers all the time, right? You've got long term vendor relationships. I know those are the ones that are most likely going to take advantage of you the most. Just like car insurance, renegotiate every year, right? Shop that every year, you'll get better prices if you shop your vendors every year. Shorten up the term of the contract, give you exit roads or exit ramps to be able to change vendors and be willing to do so.

Russell Teague:
And I know that's hard and I can hear CIOs in the back of my head going, that's just not reasonable. I don't have the resources, I don't have the skills and expertise, I don't have the downtime. Those are all real problems. But, but those are the direct answers, right? I mean, and then when you can't make changes, then you just, you wrap it with security, right? Can't try to control the blast radius and have alternative options.

[09:32] Third-party Risk in Healthcare

Jonathan Knepher:
I think that connects to you very much. Back to your initial comments on third party risk too. Right. But it's not just the vendors, right? The third party risk is much broader than that. Can you talk about what that risk as a whole is and how to manage third party risk altogether?

Russell Teague:
Yeah. I mean, when you think about third party risk, right. Healthcare organizations run on third parties. They do everything. You know, think about all the medical devices, they're considered third parties, all the enabling technologies, they're all third parties. All the software packages, they're all third parties. They can't do and provide services to local communities without third parties. So third parties is a critical component to their overall ecosystem in terms of, of operations and operation resiliency.

Russell Teague:
So understanding which third parties deliver the most critical elements of your, of your operation. If you can't register patients and get them brought into the ED or brought into the hospital for services, everything behind it just doesn't matter.

Russell Teague:
Right.

Russell Teague:
And so what are those critical business processes that are delivered by third parties? Make sure you understand them, make sure you map them and make sure you're doing data flow analysis. If we had done that, we would have identified single points of failure, like change, where we were only processing payments through a single provider. And if that provider, if you do the scenario and X that provider out and says change is no longer here, CFOs would go, wait a minute, right? We only Have a time to survive about 15, 30 days. I can't do. We can't run this hospital without cash. And so cash flow is king. And so understanding those data flows, understanding those critical business processes, building in monitoring elements to ensure continuity and capability is I think is the biggest way. Use things like, do you have a SOC 2? Are you doing high trust compliance? Give me access to your external vulnerabilities and penetration testings.

Russell Teague:
Look at the S boms, right? I guess really what I'm talking about is a third party risk management program, right. It is one of the top three things I hear at boards, right. On a regular basis where chairmans are asking, hey, what are we doing in our third party ecosystem? Change really hurt us, move it hurt us, and so on. So it is a board level topic. And third party risk is one of those critical elements that I think we really need to, to focus on and continue to evolve. It's more than check the box, right? I hear so many people say, you know, well, it's just, you know, you know, vendors don't respond, vendors don't do this. There are, there are a lot of really great enabling tools with the age of AI that will go out and compile a bunch of publicly available data as well as kind of hidden data on the dark web and other stuff. Which vendors are being targeted? Which vendors are at risk? Which vendors have suffered a data breach in the background? If you bring all of that data into view for you when you're evaluating, you might make a different choice, right? In terms of which vendors you select, is there.

Rachael Lyon:
Do you see things like move it or is the healthcare industry kind of reliant on incidents like that to help them better identify blind spots? Is that kind of how they're relying on figuring out cracks in the system given they don't have a lot of money to be proactive, right. To do all this searching, I mean, is this largely driving these discussions at the higher level?

Russell Teague:
It is because it does give us. It pinpoints where weak points are, right. We didn't know about Change Healthcare until Change Healthcare occurred, right? And we didn't really think about it in that way. Change Healthcare also exposed the risk not only to third parties, but also fourth and fifth parties. Because organizations that didn't even use Change as a processor found that their partners that they rely on did use change and they were down. So it was a rippling effect, right. That went all the way down to third, fourth and fifth parties. So understanding data flows and data maps, and if I'm extending my data out to a service to do something with and then they outsource it to, to another service to do a much smaller component of it and then maybe they outsource it to something else.

Russell Teague:
Right.

Russell Teague:
Contractually the contract should all be obviously links right through limits of liability to ensure that not only the vendor that I engage with, but all of its subsidiaries, third parties, so drive legally down, so give you some legal protections and limits of liability. But then also ask those questions during your third party risk management reviews to try to understand them. Because you know, if you have one vendor that does everything in house and they maintain it, they don't use any third party, that risk is much lower than a vendor that may be sharing that data and distributing it.

Russell Teague:
Right.

Russell Teague:
And because when you get get beyond third party, get to fourth and fifth, there's a lot less control and a lot less visibility at that level.

Jonathan Knepher:
Yeah, I mean that's the whole dependency tracking thing that you know, in technology we deal with everywhere.

Russell Teague:
Right.

Jonathan Knepher:
And I mean that's just a very real version of it.

Russell Teague:
Yeah.

Russell Teague:
Again, contract, you know, getting contract limits of liability, getting contract security obligations embedded in there notifications.

Russell Teague:
Right.

Russell Teague:
When something does go wrong.

Russell Teague:
Right.

Russell Teague:
An example we incorporated a year or so ago, we incorporated breach notifications in our third party risk management program. So that if the list of vendors that are critical to your operations and we hear or see about a breach or a potential breach on the dark web where we're seeing threat actors begin to target or focus on them, we'll notify.

Russell Teague:
Right.

Russell Teague:
And says, hey, we've got to shore up something going on with this vendor.

Russell Teague:
Right.

Russell Teague:
Let's look for alternative paths. Let's look for reducing or segmenting or limiting. Let's do an access control review to make sure that what access they have is limited. I think all of those are major factors tied to managing that risk and treating them with high impact. Understand that they are critical to your continuity of care.

Jonathan Knepher:
Yeah. So you've talked about the risk side of it, but how do we balance?

Russell Teague:
Right.

Jonathan Knepher:
Like when we talk about data minimization, you're talking about all the value we get out of it. There's so much value in further innovation, but yet all this risk, what's the right balance?

Russell Teague:
Yeah, it's balance is going to be, you know, if you think about the CIA triad, confidentiality integrity and availability.

Russell Teague:
Right.

Russell Teague:
In certain sectors or industries.

Russell Teague:
Right.

Russell Teague:
The C or the I, the integrity, data integrity means more than the availability.

Russell Teague:
Right.

Russell Teague:
But in healthcare, availability is everything.

Russell Teague:
Right.

Russell Teague:
And so that that triad spins with availability up top and it's paramount.

Russell Teague:
Right.

Russell Teague:
Because when care services aren't available, loss of life will and can occur.

Russell Teague:
Right.

Russell Teague:
Not having the right mammogram systems, not having right imaging systems to be able to help a mother in pregnancy, forcing them to drive an hour down the road to get the care. Maybe they make it, maybe they don't.

Russell Teague:
Right.

Russell Teague:
Same thing with critical care needs if ED's down because they're underneath a ransomware attack and everything's in encrypted, you know, you lost a life, it's, it's, it's a real thing and it's proven and now has hit litigation. So yeah, do what you can. Understand your data architecture, understand your data inventory, understand which systems interact, store, process and, or transmit that data and then build security. Security the security in, in layers, build it defense and in depth to be able to, you know, provide operational resiliency in your program. It requires funding, it requires conversations with the board.

Russell Teague:
Right.

Russell Teague:
And understand the criticality of it. But yeah, start now and continue.

Russell Teague:
Right.

Russell Teague:
Build those relationships at the executive level that opens up funding for you. We do what we can in the subsidy side of the house looking for grants, looking for subsidized fundings like USAC Universal Service Account Consortium. There's several of those. Join buying groups to be able to reduce, you know, and get discounts. There's all of those things you have to apply. It's not, there's not a silver bullet in this, in this situation.

Russell Teague:
Yeah.

[18:36]: AI’s Role in Healthcare Cybersecurity

Rachael Lyon:
What role does AI have to play in all of this? I mean, is there a world where, you know, healthcare could tap into AI to help them, you know, gain that 20 year gap or in summer's response, leapfrog ahead? I mean, I'm just thinking in an ideal world here, I mean, it's. What, what, how are we looking at AI here to help move things forward?

Russell Teague:
Rachel, it's, it's, I mean it's a, it's a, it's a great question and actually a very forward thinking question in terms of, you know, when I, when I talked about AI, I talked about three worlds. One of those is the defensive side side. I think that's where we're going to get speed to value.

Russell Teague:
Right.

Russell Teague:
You know, I met with Gardner last week and talking with the analyst around where AI is going and what the implications of AI will be to healthcare and to cyber defenders like Fortified. And it's using AI on the front end to be predictive.

Russell Teague:
Right.

Russell Teague:
To, to, to help identify changes in, in system behavior, user behavioral, network traffic, behavioral changes that gives us the early indicators that something is happening. The quicker that we can identify, provide that visibility, the faster we can engage in an instant response plan.

Russell Teague:
Right.

Russell Teague:
You know, a lot of us have motion lights on the house. We have cameras that trigger off alarms and alerts. That's visibility, Right. Someone's in the driveway.

Russell Teague:
Right.

Russell Teague:
Okay, well, I need to go check who is it, Right. If I don't have that visibility and I'm just locked in a dark, in a dark room, you can't be, you can't be proactive. You're 100% reactive, and that's not moving forward. So getting healthcare to move into a proactive state, even if it's the most basic visibility, but have some visibility so that your team can take action. And in most cases, I think the current trend is really engaging, outsourcing and engaging, you know, managed security service provider as an example to try to bring those services. Because, you know, one of the, one of the critical challenges in healthcare is attracting and retaining top talent in cyber.

Russell Teague:
Right.

Russell Teague:
So many of the other industries, quite honestly pay more. People that are in healthcare are there because they're passionate about healthcare, they're passionate about serving people. You know, caring for people doesn't always mean that they're the best cyber talent in the world because some of the working environments inside of a health system, you know, you don't have in other industries.

Russell Teague:
Right.

Russell Teague:
You know, banks aren't open 24 hours a day, seven days a week. Hospitals are.

Russell Teague:
Right.

Russell Teague:
And so which means, you know, your need, your, you know, your ability to reboot systems, take them offline, do maintenance. You know, it's much harder in the healthcare environment. So young, young talent, you know, we have to do more to incentivize young talent to go into the healthcare cybersecurity realm and, and stay there. And, and we've got to find a way to get, get the, not only the training and education we need, but also just the, the pay scales in a more appropriate way.

Rachael Lyon:
There seems to be a, a lot of folks we have here on the podcast do come from a military background, such as yourself. And, you know, is there kind of, I call it like a feeder program as folks kind of look to what's next after military service. Is that an opportunity then to start trying to push forward for folks? Hey, you know, you could put your lens here because I know a lot of folks coming out of military backgrounds. Sometimes there's uncertainty because you come from a very regimented scale, scheduled world and now you're kind of plotting your own course. And I love to hear when folks find their way to cyber. But it sounds like, you know, I mean, healthcare in particular is such an important critical industry for daily lives. You know, how could we get more driving folks of interested in that path?

Russell Teague:
Yeah, the White House took this up as well as, you know, security training and cybersecurity, cybersecurity skills. They've taken it up in K12 as well.

Russell Teague:
Right.

Russell Teague:
And so CISA actually has a series of interns, apprenticeships, things like that to help you transition. Obviously there's some priorities for people coming out of the military and making that transition. You know, I came out of the military, did 10 years, did a number of government service important, you know, three letter agencies across D.C. and then ultimately landed in industry.

Russell Teague:
Right.

Russell Teague:
And so I highly recommend that kind of transitional plan and path. Cybersecurity is a great place to go in general and healthcare is a, is, is a, is a sector in need. So lots of opportunity. I forget the recent number, I guess I can look it up quickly. But the recent number in terms of the cybersecurity scale, skills gap.

Russell Teague:
Right.

Russell Teague:
In terms of the need, lots of opportunity here, you know, and it doesn't take a significant amount of training and education to begin moving in that direction.

Russell Teague:
Right.

Russell Teague:
There are great programs. CISA's website has a ton of interns and apprenticeships that you can get started with while you still go to school and get paid.

Russell Teague:
Right.

Russell Teague:
And so it's best of both worlds while you learn and begin to start your, your either your career or a new career.

Rachael Lyon:
Yeah, there's a lot to be said for interest and aptitude in cybersecurity. And I think people kind of don't realize that.

Russell Teague:
You know, what's interesting in health care, you know, a lot of the IT directors, you know, are actually were prior nurses.

Russell Teague:
Right.

Russell Teague:
So you know, they went in with a passion to take care of people. They did bedside, you know, for, you know, 10, 15 years. They move into data and informatics and to try to improve overall operation of care. And then next thing you know they find themselves wearing an IT security hat or an IT director hat.

Russell Teague:
Right.

Russell Teague:
And so, so many different ways to get into, to get into cyber.

Russell Teague:
Right.

Russell Teague:
It doesn't always have to be the more traditional path. You know, coming up through a help desk, there's so many other ways to do it. And healthcare affords that opportunity to laterally move within the sector, within the care. I mean some of my both best friends and what I consider very forward thinking, we're prior nurses or clinicians, doctors that have moved over and says we see and recognize the problem. And I'm going to use my capabilities to try to bring that security forward.

Rachael Lyon:
It's wonderful. Yeah. When you see the cracks in the system and then you're able to do something about it, that's powerful. Yeah, very powerful.

Russell Teague:
Yeah. And self governance.

Russell Teague:
Right.

Russell Teague:
I mean, if I roll the clock back 20 years and I think about, you know, the days before PCI and the days before, you know, so many other industries, retail, you know, were struggling. You know, gas stations were, you know, the credit card servers were sitting in the gas stations. Right. And storing every credit card transaction in an unencrypted way. And people were smashing and grabbing those servers. You know, it's the same thing. Back then we used the term as we'd much rather self govern by the industry than have then have federal government demand or tell us what it is. And so healthcare's gotta do the same thing.

Russell Teague:
We have to self govern.

Russell Teague:
Right.

Russell Teague:
And so we need to take responsibility for running a business.

Russell Teague:
Right.

Russell Teague:
And protecting that operational business.

Russell Teague:
Right.

Russell Teague:
And so when we do that, the uncertainty in D.C. goes away.

Russell Teague:
Right.

Russell Teague:
It really becomes, look, it's a priority because I want resiliency in my operations. Hospitals are businesses, whether we like it or not. Their businesses, most of them are for profit. There are many nonprofit ones that are tied to critical access and rural facilities. But it's still a business and you need to think about protecting that business. Providing operational resiliency, business continuity and security is a critical element of. Associated with that.

Rachael Lyon:
Absolutely. Well, I know we're kind of on time. Thank you for your generosity of time. I know we went a little long today, Russell, but thank you. Thank you so much. And I do want to encourage all of our listeners. I was kind of stalking you on LinkedIn, but I highly recommend folks follow Russell on LinkedIn. He's initiating and encouraging really important and insightful conversations on these themes and, and it's very beneficial to follow it and find out what's going on and also to be part of the conversation, particularly if you are in healthcare or in the cybersecurity world.

Rachael Lyon:
So to all of our listeners, again, thank you for joining us this week as always, and I'm going to drumroll please to Jon Knepher of what we like to ask them to do.

Jonathan Knepher:
Oh, it's definitely smash that subscribe button.

Rachael Lyon:
That's right. I need to get like a big green hulk fist that weekend.

Russell Teague:
Smash.

Rachael Lyon:
Smash. So again, Russell, thank you so much for your time today and to all of our listeners. We look forward to being with you next week, so be sure to subscribe and get that fresh episode on Tuesday and you get to hear from Russell in the next episode. How awesome is that? So until next time, everybody stay secure.

About Our Guest

Russell Teague, CISO at Fortified Health Security

Russell Teague, CISO at Fortified Health Security, is an innovative cybersecurity leader who shields healthcare organizations from digital threats. Experience spans three decades in information security, covering the Healthcare, Pharmaceutical, Financial, Retail, and Technology sectors.

A distinguished U.S. Army Intelligence veteran with extensive leadership experience. Served as Chief Security Officer (CSO), Chief Technology Officer (CTO), and a founder and board member for multiple leading cybersecurity companies.

Sought-after cybersecurity expertise, which led to consult with the White House on the National Cybersecurity Healthcare Strategy, Health and Human Services (HHS), and actively participate with the Health Sector Coordination Council (HSCC).

Often contributes thought leadership to numerous publications and has presented at leading industry conferences, including CHIME, VIVE, MUSE, HIMSS, Healthcare IT Institute, Health Connect Partners, Oracle Health Conference, RSA, and Blackhat.