Don't Be the Next Healthcare Headline - Automate Mindfully to Lower Network Risk

Video Transcription

Keith Brennan:
Good afternoon or morning, depending upon which time zone you’re in, and welcome to the FireMon webinar: Don’t Be the Next Healthcare Headline – Automate Mindfully to Lower Network Security Risk. I am your presenter, Keith Brennan. I’m the director of field engineering for FireMon. I have over 25 years of IT experience, 15 years of which were healthcare-centric, including doing a few as a CISO for a central California healthcare organization. So a fair amount of experience here, and I’ve lived the life, so hope to tell some fun stories as we go through this.

Keith Brennan:
Let’s talk about today’s agenda and what we’re going to discuss here. I plan on spending roughly 30 to 40 minutes discussing healthcare customer challenges; what customers are seeing out there. Then we’re going to talk about enabling security to mitigate risk, because at the end of the day, that’s what security is all about. It’s all about controlling, evaluating, and mitigating the risks that need to be mitigated.

Keith Brennan:
We’ll talk about mergers and acquisitions. This is a huge hot button topic right now, particularly in the healthcare industry. Lots of consolidation going on, whether it’s at the individual provider level they’re merging together to form smaller smart clinics, or if it’s the giant organization levels, like for instance, CHI, or… We see a lot of that going on right now, and we’ll discuss that. Also, talk about IoT risks. IoT is a very real thing we all have to deal with in the healthcare industry, whether we want to or not it’s there. So we’ll work our way through it and discuss that.

Keith Brennan:
Also, talk about consumerization of healthcare networks, big thing going on and on multiple levels; from the frameworks people are adopting from a compliance standpoint, from the technologies being used inside the clinical environment, even to how customers are viewing their information, all that falls into play here. And we’ll talk about the compliance challenges wrapped around all of this. We’ll discuss one of our customers, Convey Health Solutions, and do a case study on them and how they’re using FireMon to handle that. And then we’ll discuss FireMon solutions to these issues.

Keith Brennan:
So let’s talk about the healthcare customer challenges here. They’re definitely out there, they are significant and they need to be addressed. So let’s talk about the first one: security risk and business continuity. These two are lumped in, even though to some extent they are almost mutually exclusive to each other. The truth is invaluable in the healthcare world. Our number one goal is availability; it’s priority, particularly healthcare IT. We need to be able to provide care for our customers. In this case, this care can’t just be, “Hey, here’s two pills, call me in the morning when the system’s back up.” No, no, no. We need to be able to provide well-informed care. We need to know allergies, the information that exists inside the HR, what medications the patient is currently under, previous conditions.

Keith Brennan:
Again, all this is information that we need to have access to. And fortunately today’s modern day and age, or actually, fortunately, it’s all stored electronically now. So if we can’t provide availability to that data, that information, then that’s an issue. We’ll discuss that a little bit later on in the presentation.

Keith Brennan:
Then we’ll talk about eliminating network blind spots from mergers and acquisitions. This is a huge topic that is often overlooked. Everybody looks at financials, everybody looks at other areas of organizational health when a merger and acquisition happens. Unfortunately, cybersecurity is not one of those areas that organizations look at. And it’s weird too. This isn’t just healthcare specific. It is actually fairly… It’s a global issue. I can even talk about some casinos I deal with, people who are really tight on cybersecurity, building that last when I talk about merger and acquisition. Then finally compliance, how we wrap that all together and prove that we are in compliance today.

Keith Brennan:
So let’s talk about enabling security and mitigating risk. Again, two things that seem to be mutually exclusive in nature. But again, this is why it’s something we need to do. We’re under a mandate, whether it’s internal policy procedures, we live in a state like California under state mandates, and also federal mandates all around; HIPAA, obviously, HITECH guidelines, et cetera, and we need to be able to address those. So let’s talk about this and so enabling security.

Keith Brennan:
There’s some key things I want to point out here as we discuss this. First of all, medical records are valuable. And not just valuable for your patient, or your clinicians, they are also valuable to the hackers out there, the negative actors in the world. And it’s sad too, what it’s become. So again, I mentioned, I have 25 years professional IT experience. I was a little mini kitty hackers in the day of war dialing. Before the internet, we would actually dial random phone numbers, see if we get a mom to answer and figure out what was on there. But then it was for fun. It was, “Let’s go in there, let’s see what’s there, let’s gather some information. Let’s tag and let them know I was there and call it good, but we’re not going to go out and do anything negative to the environment or negative information.” Well, that story has changed. We all know now that, unfortunately, the bad guys out there in it for the money. And where’s a lot of money to be had? Unfortunately, on medical health records. They literally capture almost 10 times the price of a credit card number on the black market, which is scary in of itself.

Keith Brennan:
Now, consequently, this also reflects back on the price of what does it cost now to help mitigate the impacts of that loss record? And so we noticed healthcare, it’s actually at the highest cost of data breach at $429 per record. Now this is a mixture of things here. This could be the cost of a credit monitoring service. This could be the cost of an evaluation service. And also there are regulatory costs associated with it, case in point. Again, I live in California, so in California we will be fined for this. Again, that’s another cost per record that’s going to be in there.

Keith Brennan:
Now, what’s really interesting is, in 2017, this cost per record was only $380. In 2018, it was $408. And what we’re really seeing here is somewhere between a 5-8% per year increase in the cost of data breach per record. That’s scary. Actually, in particular, if you’re talking about an organization that has millions of records under management. So again, something we need to hear and take in mind and evaluate as we talk about it.

Keith Brennan:
Here’s the scariest out of all. And as I do my research for this, in just two breaches alone so far this year, 32 million patient records have been exposed, which is double the entire total for 2018. So let’s talk about this in general. So between AMCA and LabCorp, there’ve been a total of 32.7 million records that were breached in the first half of 2019 just in two organizations. And this in part is, well, why is this happening now versus why didn’t the same thing happen in 2018 or 2017? Was there a big tech breakthrough or anything else? No, I think the big reason now you’re seeing breaches is the focus; 2017 and 2018 were the years of ransomware, “Hey, I’m going to lock your stuff and make you pay me and call it good.” That’s been mitigated. So now we’re seeing here is a lot of extraction at this point. How do we get the most value for the data and how do we make that… How do we profit from that? And that’s what, again, the bad guys are looking for.

Keith Brennan:
So what I noticed, the healthcare CISO’s key pain points around here. I see three big things happening; one is I see a lack of visibility, which you can’t see, you can’t protect. This is network-level visibility. It is what’s in my environment, it’s what in the environment that we’re acquiring, what exists out there. That’s the stuff I see right now. And I see that being a fundamental pain point for a lot of organizations. It was a pain point of mine back in the day.

Keith Brennan:
Again, I see also risk introduction into network when adopting new technologies, devices, and applications. Particularly for a lot of your larger healthcare organizations, again, the CHI, the Sutter’s, the Venice’s of the world, what I’m seeing them actually doing is adopting a security by design methodology where they actually have a department that is out there doing that now, that is their sole job. It is to evaluate this risk and mitigate the risk as we adopt the technology, not after. Back in my day… Again, I’ve been in FireMon for five years now in the CISO role. It was, “Hey, we did X technology now secure it.” Well, great, sometimes I could secure it easily, sometimes they handed me a heaping pile and I had to do the best with it. In this case, now organizations are actually attacking IT security as part of the initial discovery and procurement process per on through implementation, which is good.

Keith Brennan:
The third thing I see is a serious shortcoming in vulnerability analysis and management, which again is a handicap to determining the risk surface. There’s lots of tools out there. These tools are able to help provide you a picture of vulnerability… actually, what vulnerabilities do exist out there, but what they fail to do is put those vulnerabilities in context. And context is key, because context gives you what is the true risk surface. So yeah, I have a root level of vulnerability on this host. If this host can knock it out to anywhere on the network, if they can’t do anything in particular, then there’s not a lot of value to patch it and say, maybe patching a user level vulnerability that may exist out there in a more prominent system. So again, context is key and that’s something that’s missing from a lot of the solutions out there.

Keith Brennan:
So how does FireMon help reduce security risk? We actually address this in several ways. So the first thing, and again, I’ll go through these in more detail later on. The first thing we do is real time device discovery. We’ll discover everything from your IoT medical devices such as IV pumps, surgical equipment, the beds as they come onto your networks, as well as existing traditional architecture. One of the cool technologies we have is named Lumeta and its ability to literally in real time… And I mean that in the best of terms here, it’s not five days from now, it is within minutes of something popping on the network, be able to find it fingerprinted and notify you of the presence of this asset. Also, some other cool features we’ll talk about later.

Keith Brennan:
A Traffic Flow Analysis is also another tool FireMon has. And this actually allows you to evaluate the access that’s been granted or needed for a particular, say, application workflow for some safe PACS system. What exactly do we need to get images to the PACS system and for the radiologists to view them. So Traffic Flow Analysis is a tool that allows you to directly evaluate that, to make sure that you’re following the principle of least privilege, handing the access needed, and also making sure that again, we are capturing all the access needed. So we’re not having any sort of denial service. So great tool for that.

Keith Brennan:
We also provide Hybrid Network Infrastructure Analysis. And of course, this is the big buzz term now. Two years ago with cloud, everybody’s going 100% up in the cloud. Then everybody realized that, “Hey, nobody’s really doing that, it’s not working for them.” So now we have these hybrid networks, so a combination of cloud infrastructure, whether it’s public or private cloud and traditional infrastructure. So one of the great things FireMon is able to do is provide you analysis on that, and again, give you the networks and devices that are out there, seeing through multiple platforms, whether it be through the VMware or whether it’s out there in AWS, whether it’s in your traditional network, it’ll be there and be ready for you.

Keith Brennan:
Finally, we have Breach Detection Analysis, which is also a great tool to help you figure out not only is something leaving your network from this activity, but also figure out if leaked password stuff can leave your network. So again, multiple tools to help you with the security risk standpoint. I’ll get a little bit more detail as we go through these.

Keith Brennan:
Let’s talk about mergers and acquisitions and avoiding network blind spots. M&A’s are cool. M&A’s mean your company’s growing, or if you’re a subject of an acquisition, it also means you’re entering a larger organization. So while it is scary, to some extent, it is also cool, because it’s the natural… To be honest, it’s a natural effect of the ACA and also the meaningful use stuff and all that, that was all designed to help bring consolidation, whether it’s consolidation technology, consolidation organizations that is all meant to bring solidation, and that’s coming to fruition. So we see that just in the first quarter of 2019, there’ve been 201 healthcare mergers and acquisitions. And as a matter of fact, my previous employer where I was CISO, they’re one of those numbers. They were one of the acquisitions made in first quarter of 2019.

Keith Brennan:
Interesting stats associated with here is that, 40% of companies discover cybersecurity issues post-merger and acquisition. This is actually a stat from Forbes. When I look at this, I know that number is far more. Everybody has skeletons in the closet or out there. So I actually say 40% of companies look for cybersecurity issues post-merger and acquisition. And that actually needs to change. Everybody needs to do it and they need to do it pre-M&A. It literally needs to be, as you’re looking at financials, we’re also evaluating the network or seeing what’s out there, we’re seeing what IT assets exist. And so we could plan for that accordingly as part of the M&A.

Keith Brennan:
There’s a reason you need to do that. I’m going to use actually a non-healthcare example for this. Let’s look at Marriott. We all remember the Marriott breach that happened last year. Well, actually it wasn’t the Marriott breach, that was the Starwood breach. That bad actor had been Starwood for three years previous to the acquisition when Marriott purchased Starwood. Well, great. And unfortunately, Marriott got the bad name for it. Marriott assumed all the liability for it. And so now Marriott’s dealing with the blow back for that. The same thing happens in healthcare. The second acquisition happens, you assume all the liability and risks that exists there.

Keith Brennan:
Again, it’s one of those things that we really need to be wise and we need to actually look ahead of time. We need to actually evaluate the environment before we ever do the acquisition. I don’t think we need to do it as a blocker, the acquisition say, “Hey, look, we can’t acquire this company because they have 52 skeletons in the closet. No, that’s not the case at all. It’s just so you go into the acquisition eyes wide open and with an active plan to help mitigate these once the acquisition is completed.

Keith Brennan:
All right. The question becomes, so how do you do this due diligence? How does FireMon assist with that? Well, FireMon assist with this due diligence, and Lumeta is one of the key discovery tools we have to do that. Again, as I mentioned earlier, it gives you 100% real time infrastructure visibility, discover what you do not know and cannot discover manually. And again, I read that verbatim, but it’s true. And on top of this, this all happens in real time. So as it’s evaluating the network, it is effectively looking at this and what happens in real time; as things change on the network, it’s taking into account, as assets are added to a network, again, it’s taking that in account and reporting on them. As different pathing outside the network happens, say for instance, somebody temporarily installs a DSL router inside your database network, not that anybody’s ever done that, it will detect that quickly and show that as a leak path in a valid way for data to potentially leave your environment. This is the type of stuff that Lumeta is able to do for you.

Keith Brennan:
Again, it does this across all platforms, whether it’s traditional network infrastructure running safe on a Cisco, Backbone or Juniper Backbone, or if it’s sitting in the cloud environment, again, you have your private cloud through VMwares or some other private cloud provider, or whether out there in Azure. Again, it’s going to span all the different platforms to provide you this information in real time. Now, there’s some really cool stuff we could do with this information later on, and I’ll talk about that later in the slides around automation, but even right now, if we’re just talking to straight M&A and we just want to know what’s out there, Lumeta is a key point solution to help you discover that. And be honest, I haven’t seen anything better in IT industry at doing what it does for that purpose.

Keith Brennan:
Let’s talk IoT. IoT has been a hot button topic for me before it was ever a hot button topic. The facility I worked for, the organization, we were actually, I believe the fifth or sixth organization that tested meaningful use stage two. In order to do that, we had thrown out… I mean, literally in a big, giant hurry, we had thrown out over 300 IV pumps, we had the fancy patient beds that weighed the patient, everything else reported all that in. We literally had a… And I mean catastrophic because it was epic in nature, bloat of devices now that were communicating on the network. And specific point solution devices that did that. And so being an early adopter of that technology, living through that, it created some very interesting scenarios.

Keith Brennan:
One of the things we’ve noticed as we go out and we do our research out there, and we also do a lot of talking to our existing healthcare customer self. We see that 80% of healthcare organizations that have adopted IoT in 2019. And really this is skewed because organization’s a very basic term. If you actually go look at how it skews out by revenue and size, basically any large organization, anything that is beyond the size of a one or two provider clinic has IoT inside of it. It is just that simple. Some of them have huge IoT footprints, others have very small, but they still have IoT inside of them. And again, that tends to scale directly with how large the organization is.

Keith Brennan:
Now, even more importantly we noticed that, hey, 87% of organizations have that, 73% are actually actively using this IoT technology for monitoring and maintenance. Again, that’s a very vague term ‘monitoring and maintenance’, but it is… That’s how vague IoT is, how pervasive it is. From monitoring perspective, it may very well be an IV pump. From maintenance perspective, it may be the security cameras out there that are tracking stuff. Who knows what it is? But there’s a lot of IoT bloat out there that organizations are having a problem with. And consequently, because of this 89% of organizations using IoT have suffered a security breach.

Keith Brennan:
And why I say catastrophic, I’m going to tell you a story now about how we got bit by the IoT bug. So again, we dumped out hundreds… I think we actually, when it’s all said and done, I think we’re at “900 IoT”, but that in air quotes, so you guys can’t see me doing that, devices in our organization within one year. Unfortunately, we had a situation where, as wise as we thought we were and as pretty as we thought we were, we thought we had them all segmented off and away with no access. Well, turns out somehow, again, nobody is fired for this, but somehow over the internet. Luckily this happened in testing. When we were first appointed patient data on it. But that was actually used as a pivot point, and we had an active event going on.

Keith Brennan:
Again, luckily, it was in a segment of the network that was in a testing stage, had fake patient data in it and everything else. But that was scary, that was catastrophic, that was an eye-opening event for us that forced us to really, truly reevaluate how we’re doing everything. So it’s also consequently, how I became a FireMon customer before I was an employee. Again, I’ll talk about that story here in a little bit further.

Keith Brennan:
Now, the consumerization of healthcare networks creates an interesting scenario here. We see that many healthcare organizations are shifting from self-developed security frameworks to more standardized ones. And again, if we all remember the early days of HIPAA, it was, “You must have a policy and procedure do X. You must have a process in place to remediate access when it is no longer needed, et cetera.” And it was overarchingly vague. And it was vague for a reason because nobody quite knew what needed to be done or how to make something happen, particularly when you had organizations that were in all sorts of different stage of maturity, particularly around information security and actually information deployment out there. And so initially it was vague. And so you wrote your own policy procedures, and then you created your framework. So you did your best to adhere to the framework, so when the auditor showed up and did your HIPAA audits said, “Hey, look, here’s my policies, here’s my procedures, and here’s the stuff they test and I’m doing that.” And it was good.

Keith Brennan:
Well, unfortunately now, just because of the fact that you have a policy and procedure doesn’t necessarily mean that you are doing what is necessary. And so while initially having a policy procedures enough to make an auditor happy, no longer it is. So now we see people doing or testing the more standardized frameworks such as NIST, HITRUST, also seen few organizations adopt ISO 27001. It’s solutions like that that allow people now to say, “Hey, look, I have a common well-known framework, this will do here too.” Again, that’s their way of saying that, “Hey, I’m doing my candid to evaluate and mitigate risk. I’m doing this initially in my policies procedures that need to be done.”

Keith Brennan:
Well, we see that despite the cybersecurity proves in place, there is definitely a growing use of personal devices. Actually, we go to the far right-hand side, that top bullet point in orange shows that three and five physicians and two and five nurses admit to using personal devices when they are not allowed. And that’s the ones that admit to it. I’m sure there’s also a small fraction of people who are not admitting to that. And again, I can tell stories about that, about literally walking into med-surg and seeing a physician using his iPhone… I think it was four at the time. And he was looking at films that he had grabbed from the PACS system and emailed to himself and was using that as he was walking around talking to patients. Again, scary moment for me as information security practitioner; how do I stop that? And at the end of the day, you don’t stop it.

Keith Brennan:
So the better question becomes now is, “All right, we allow it, how do we secure it and enable it?” Again, all that goes into the story of the consumerization. No longer are there purpose-built devices specifically for healthcare. They’re still out there, don’t get me wrong, but people are using iPads, iPhones, just common everyday stuff you go buy at Best Buy as part of their job as clinicians. So again, it’s one of the reasons why we need to start allowing BYOD but also keep track of it, but know what’s out there and know what people are using, et cetera.

Keith Brennan:
The other interesting stat, and I mentioned this way back earlier. I think we’re on slide two or three, is now how consumers are using it. And by consumer actually means the patient; how Americans are tracking their healthcare data on their mobile phones. I mean, when you think about it and in particular with the explosion of devices such as Apple Watches, Fitbits, et cetera, it’s all merging together. And their phone is going to become the central hub where everything gets reported. So think about this because it is coming quickly. I actually know a couple of companies out developing technologies like this, technology that will take data from your Apple Watch around your activity, your heart rate, everything else, and automatically upload it to the clinician. The clinician see how you’re doing on a day-to-day basis. Of course, this is great from a health perspective but terrible from the perspective that my cardiologist is going to be chewing me out when he sees I haven’t been hitting my move goal for the past three days in a row. But again, it’s cool because that’s what enable health and for a healthier community but also something we need to account for as providers of that healthcare.

Keith Brennan:
How FireMon is going to address that consumerization is through several methodologies. First of all, is we’re going to make continuous security for interconnect health as possible, for one, segmented and controlled access. And we have the ability to do this for any type of system out there, any type of IP based system out there, let me be a little specific out there. And again, we could do this in real time, whether if it’s just providing intelligence for how to do it, or we handle it on our own, we will do that where you provide segment and control that access.

Keith Brennan:
Additionally, we’ll do the what if analysis. So, “Hey, there’s this new host on there.” We say, “Hey, we’ve discovered host on this IP address, we feed it to Tenable, for example, Tenable runs a scan, feeds a scan data back to us, and then we can form what if analysis.” “Okay, great. Does this create a pivot point for an attacker to come in? Does this expose a leak path out of the network?” Et cetera. And we can do that again in real time.

Keith Brennan:
And then finally, full on orchestration. I actually gave you an orchestration example right there but Tenable. But it’s also taking the source solutions out there or any other data point. It could be ServiceNow, it could be additional data points from an inventory management system, whatever it may be, taking all those data points together, putting them together, and then creating a context aware security policy that can… Again, we got to get to that stage within the organization, not FireMon but within the organization we’re dealing with, that can automatically react and adjust to make sure that we’re keeping the network secure as assets are added and removed in real time.

Keith Brennan:
The compliance challenge inside healthcare is real. It was my nightmare for a couple of years and to the extent that it was a moving target. So again, I’m in California, California is great at making laws about stuff. And so we just always adapting, always doing the best I can to adapt to those laws. And the sad part is, and this is the part that I think really was my frying event as CISO that burned me out, was even if you do everything right, you could still be wrong from a compliance standpoint.

Keith Brennan:
Let me give you this example. We had discovered medical records clerk looking at her neighbor’s medical record. We actually discovered this through part of our regularly prescribed log review. I mean, we found it the next day, nailed it. The medical records clerk admitted to it. She was disciplined. We went out and notified the patient of what happened. Again, provider for all the services necessary to make her feel secure, et cetera. Even though the patient said it was no big deal, hey, the sender is my best friend, still, it was something we had to deal with and we dealt with it. And then we reported to the state. And of course, the state fined us 30 grand for it. So compliance always is a challenge, if you do everything right, you could still be wrong.

Keith Brennan:
But in fast-paced environments, we see that healthcare companies look to do a couple things. One is they look to manage the changes in their workflows more effectively. And this is actually something that I see as being a really significant barrier inside healthcare organizations. They become very process-oriented, and which is great because process is repetitive, process means you have the same outcomes. The problem is, is landscapes change and so processes need to change.

Keith Brennan:
And so one of the things FireMon is great at is helping organizations manage changes to those workflows, evaluate where the change needs to happen, evaluate where the process is wrong or needs to be corrected and then assist in that. And then on top of it, they take it to the next step to automate that change management process. You automatically provide the security assessment when somebody is requesting new access, determine exactly what that access needs to look like in terms of firewall rules or access control lists on a router or something like that.

Keith Brennan:
Again, part of the deal in doing this is not only do we provide the visibility, but then we’re able to not provide the intelligence and we’re able to actually make the changes. With human eyes on or not depends on what the organization wants. But again, that there’s a secure environment from a compliance standpoint. And again, whether that compliance framework is HITRUST with its own internal policy procedures, whatever it may be.

Keith Brennan:
Then again at the end of the day… I’m going to skip, actually, that’s pretty straight forward here. But let’s talk about real time reporting and the necessity of real-time reporting. I’m going to pull us a little bit out of the healthcare world, I’m going to go into the retail world for a second. If we look at Verizon’s PCI report they do. They do a data PCI and they go and evaluate all the breaches that happened in the previous year.

Keith Brennan:
In the past two years, what they have discovered is that every time a PCI breach has happened, the company has drifted out of compliance. And so what does that mean? So that means the organization, whether they have to do a test annually, every six months, quarterly, whatever it may be, your physician gets ready, they get everything clean and pretty, they attest, and then they quickly drift out of compliance because nobody’s paying attention to that anymore. It’s not the concern, so we don’t have to worry about that for another six months. And so that’s often dealing with the next disaster they have to go deal with. And so what happens is compliance drift happens. So having a real time picture of what your compliance and audit looks is huge. Because not only does that allow you to, again, visualize what’s going on and report on it, it also allows you to act upon it, again, through workflows. If something drifts out of compliance, let’s go and open a ticket, somebody can address it immediately and keep us within compliance.

Keith Brennan:
Again, as a former CSO, to me, that’s huge, because again, if I could prove that I was doing my due diligence, my organization was daily evaluating compliance, making sure we were in compliance, if a breach does happen, hey, I can at least say, “Yeah, it’s actually happened on my watch but I did my due diligence and here’s my proof for it.” That is huge, and that’s all helps an organization too.

Keith Brennan:
Again, going back to the California fining us. When I talked about story about the fine we got from the state of California for the one breach, I appealed it. And in the process of the appeal, I was speaking with the adjudicator for it, I’m like, “Really, why is it 30 grand?” “So yeah, well, if you guys haven’t done anything, we’ve been over $100,000.” So yeah, we’re still fined, but if we do not have the process in place to catch it, that fine would have been far worse. So again, all that is mitigating risk, and if you’re doing it in real time, the organization’s far more healthy for it.

Keith Brennan:
What does continuous compliance with FireMon look like? It’s a three-tiered beast. It first starts off with vulnerability management. Vulnerability management is a vague term. I actually like to call it asset management instead. We like the term vulnerability because it’s a little bit more catchy, but know your assets, know your assets out there, know how they communicate with each other, know the exposed vulnerabilities or potential paths of attack inside these assets, that’s the first part. So in FireMon we’ll assist with that. We go out there, we’ll do the discovery, we’ll go out and let your assessment tools, case in point, like Tenable, know that, “Hey, this host is out there, please go scan it, give me the information from it.” And we put all that information together inside a realistic model. Again, that is a real time picture of the network.

Keith Brennan:
Then we’ll go turn around and apply whatever framework the provider wishes to use. Again, whether it’s HITRUST, whether it’s NIST, whether it’s ICE, or if they want to stick to the one we’ve acquired up above, and massage it against that framework to see exactly what the impact is. “Hey, are we out of compliance now because of this? If we are, what is the remediation step?”

Keith Brennan:
And that takes us to the third step; orchestrating. So it’s integrating or even replacing the existing change management solutions to take the data we’ve acquired above from the multiple different sources and then deploy rules to devices. This is with a single click, but actually automatically if you guys want. For healthcare, we see single clicks, people still like to have some control. But the system can then synthesize all this data together to both allow and disallow access based upon criteria set up that we managed up above, which is cool. Because now not only do you have real-time compliance, but now you actually have real time reaction to that.

Keith Brennan:
Something falls out of compliance, let’s do a perfect example, Telnet. Something’s allowing Telnet between two hosts, we see that happening and we decide that’s bad. We do not want unencrypted protocols at all on the network. The system could turn around and remediate that. And you put exceptions in. But say, for instance, this is a very old ancient legacy system, does not support SSH, and you have to use Telnet to mine data out of it for whatever reason. Again, you put an exception in for that, so allow that. But the trick is to build this out where the system makes the network almost self-healing, in a way. Again, that is the next step; going to the slide before where I was talking about, “Hey I can show that FireMon helps the compliance challenge and, hey, I am compliant in real time,” now I can actually get the network to perfectly reflect that too, and actually heal itself before I ever have to say that we are no longer compliant.

Keith Brennan:
Of course, anytime I do a webinar presentation like this, I like to bring up a use case; one of our customers that has used FireMon to achieve their goals. And so in this case, actually, we chose Convey Health because they’re a really interesting scenario. They’re one of these multi-tiered organizations that’s a provider. They also provide solutions to other healthcare providers, et cetera. So they have a very wide environment and stuff they do is very diverse. So it creates a unique scenario here.

Keith Brennan:
Convey Health came to us and said, “Hey, we have some issues here. The yin yang, lots of stuff I’m getting beat up on. And also, we’re going to go and adopt HITRUST as our framework. And I know that’s going to be in this, literally, the worst from. I know that’s going to be a big nightmare for us, but we think at the end of the day, that’s the one that’s going to best mitigate risk for us. We’re going to do that.” And in order to make that happen, they needed a framework of prescriptive and scalable security controls for its networks. So again, one of the things FireMon’s great at is not only having controls like first it’s HITRUST, but also the ability to have controls for specific stuff inside your organization and getting controls in the individual check; security trigger, if you would.

Keith Brennan:
Now, what we saw also is that much of the process across 40 firewalls was manual and decentralized, the recipe for disaster. And it really truly is for multiple reasons. And let’s talk about, first of all, why manual is bad and also, secondly, why decentralized is bad. Manual is bad because humans are inherently flawed, and they may be perfect in one area, but have a flaw in another.

Keith Brennan:
Let’s take the example here. I had a firewall admin… Actually, let’s go way back to the IoT example I gave earlier. So discover the reason why we actually had that single IoT host exposed was there is a legacy rule inside the firewall that was entered twice in the past. And what happened was my firewall admin deleted the first instance of that rule which was in the first 100 lines. We didn’t see the second instance of that exact same rule down in line number… I think it was nine hundred and seventy something or another back in the day. So we didn’t see that. So in and of itself, he was flawed in his approach. He took the firewall’s approach, “I’m going to go down the line, so I find the matching access, delete it, and call it good.” He stopped right there. The same thing a firewall does so it’s interpreted. That was flawed. It wasn’t a full review of the device.

Keith Brennan:
Now, let’s take another example. I may have somebody who’s super-duper meticulous. And he would have found that one in 972, but unfortunately, because he’s so meticulous he’s not meeting his because it takes him eight times… Because he’s doing such a thorough job, it takes him eight times the amount of time in order to implement a change that it would take somebody else. So we have a situation there, where either we’re meeting our security goals and not meeting our SLAs or the reverse. Again, something that’s out there and that’s an issue there. It used to be that firewall changes had to be a manual process because humans were the best at interpreting that, but the technology is out there now where that’s not the case anymore.

Keith Brennan:
Now, decentralization in and of itself is a whole other disaster. And I see this in so many organizations. You will have different organizations with multiple security frameworks inside the same organization applied to different departments or say different sub units. And so that creates a whole new disaster as they start conflicting with each other, “Hey, no, no my internal policies just say I can allow stuff going across port 80.” “Well, mine say they can’t.” And so again, that creates disasters from an availability standpoint and also from an SLA standpoint. So now you’ve got to go into this process of negotiation, re-evaluations, application, everything else, just to allow this access through. Again, all that’s bad stuff. It’s something that needs to be rectified inside an organization. So how does FireMon do that for them?

Keith Brennan:
We actually streamline their compliance efforts out of the box, customizable compliance assessments. And again, we also include PCI, SOC 1, SOC 2, and also HITRUST for them, but they had some other stuff they want to look for and we provide that for them. We also help them with their documentation and reporting. Two huge things that lack in almost every IT organization out there, in particular documentation.

Keith Brennan:
We then help them create workflow processes for review and re-certification. So we all know everybody happily gives you a change control for when they want access. Nobody ever tells you when they’re done with it. So one of the things we help them put in place, the process to help people identify when that access is no longer needed. So it can be automatically removed as we know in the next bullet point.

Keith Brennan:
Then finally, what we really truly help them do is remove the complexity associated with meeting their compliance requirements. I mean, I think that is the huge part right there. I think Patrick put it best, the manager for data network services at Convey said, “Hey, with FireMon tracking compliance for us, we’ve been able to shrink our overall audit time by two thirds of our original schedule.” I mean, for them, that is huge. Not only that, he’s also able to show now real time compliance again, which is huge. It’s not point in time, it’s at any point in time, “Look at me, I am compliant with what I need to be compliant with.”

Keith Brennan:
FireMon uses all this. And this was mentioned earlier. You find security automation for the hybrid cloud. Again, I talked a little bit about this at a previous slide, but what I really want to do is I want to talk about the levels about how we provide that as an organization. So you see levels of automation adoption. Again, they vary depending upon organization. In healthcare in general, I see most organizations sitting at here. Is somewhere here inside… I’m actually going to go ahead and forward through all these little, pretty pictures.

Keith Brennan:
It’s somewhere in between what we call automated design and automated push. We call these level one and level two, where they may have a solution in place and it may help them design the thing, and it may actually even implement the change. Some really basic, but in all actuality, most health care organizations are sitting here at the automated design stage where they’re still trying to handle the basic blocking and tackling that’s necessary for automation.

Keith Brennan:
One of the things I view it as my mission here at FireMon is to help organizations get past that stage. And it’s for multiple reasons; one is SLAs and availability. At the end of the day, if you can’t provide the access needed in a secure manner to clinician, chances are somebody’s going to cheat and provide it in an insecure manner. So we want to definitely help provide quick, responsive answers to request for access and make sure that happens. And so, one of the things I evangelize a lot is, “Hey, let the system do that for you. You no longer need human eyes on this.” Let the system evaluate the environment, tell you what changes need to be made based upon all these other data feeds we get and help you out with that.

Keith Brennan:
Then on top of it, let’s go ahead and let the system also make sure that, “Hey, if we make this change, as it needs to be made in order to allow access to the application from point A to point B, let’s also make sure it doesn’t violate risk and compliance frameworks.” So there’s a lot of intelligence that happens there automatically in that first two steps.

Keith Brennan:
Now, thirdly, once we get interested, let the system automatically implement it. Because we know that, “Hey, this is a good change, is well designed and meets our frameworks, let’s push it in.” And now it’s crunch our SLAs. Again, using the average example, I’ve noticed inside most healthcare organizations is they’re running roughly 21… Let me rephrase that, larger healthcare organizations, they’re running from 21 to 28 days from the time a ticket’s created to the time the access is granted. That’s a long period of time. That’s a long period of time for people to be waiting for that access. And in the long periods of time, sometimes people find their own workaround so they get the access.

Keith Brennan:
What I’ve noticed is, once people just get to this automated design and automated implementation stages; stage one and two, right there, that time actually cuts down into days and sometimes into hours, depending upon the change. And so what do you have? You have secure access being granted and you don’t have your users looking for workarounds. You don’t have your users trying to get around security in order to get the access they need to do their jobs.

Keith Brennan:
Well, let’s talk about the next two steps here, and where I think most organizations really, truly need to get here within the next couple years. And that is true zero-touch automation. So again, let’s say for instance, FireMon discovers an asset, we recognize this asset is an IV pump due to fingerprinting. We see that sitting on the right sub-net for IV pumps, why not have FireMon just automatically provision traditional IV pump access for it? We know that IV pumps need these eight ports and protocols, these three applications, and great let them run and let it go into automatically provision that access. Let’s take in those mundane changes of stuff. It’s going to get approved every time, and let the system automatically do this for you within the period of minutes. Biomed doesn’t need to call anybody because they’re deploying stuff, it just automatically happens.

Keith Brennan:
Now, the next step past that, the stage four is actually what I call continuous adaptive enforcement. And this really, truly is the holy grail. So now we’re automating the mundane, so we know that, hey, basic changes we’re going to live through. Now let’s automate our security. Say for instance, Lumeta detects a leak path through the network. Hey, for some reason now I could get out over through this router and I can get out to their net to exfiltrate data. Why not let the system automatically provision that access. It detects it, it sees it, let’s go ahead and block that access immediately.

Keith Brennan:
Or going back to the Telnet example, I have, what if… Say for instance, you have a bad actor. One of your firewall admins is very truly disgruntled with the organization. He decides just, for fun, “I’m going to open any rule on the firewall and just see what chaos happens because I’m out of here. I’m done.” Let’s have the system automatically detect that the second it happens and remove that rule. Or let’s say we have a rule that comes out, it’s going to violate a certain aspect of our compliance. Again, just because somebody went in and manually did it or situation changed because of vulnerabilities, again, let the system automatically heal that.

Keith Brennan:
At the end of the day, when we’re truly talking about evaluating and mitigating risk and actually reducing our exposure, because that’s what’s all about, it’s how exposed am I? Does somebody have a window, get in there and get my data, that is the holy grail and really truly where, I think, most organizations need to be. They truly, really want to say that, “Hey, we have a secure environment.”

Keith Brennan:
But what does this mean? Well, actually. Oops. Excellent. Next part. So how does FireMon do that for you? Well, we have a complete platform designed for that purpose. And it’s interesting that in the vision of ours for the past 10 years to get to the stage, and we’re finally there, actually been there for about a year now, where we truly give you that reactive instant approach granting access, assuming it is proper and necessary inside the organization.

Keith Brennan:
Hey, you curious if you want to see it for yourself, feel free to take a look at our website or visit the URL right here to request a demo. Tons of great people will talk to you and give you a demo, show you what it might look like in your environment. Yeah, but that’s it. I’ll open up for questions. Any questions out there? Go look in here.

Keith Brennan:
All right. I got one question here. Why do you think there’s a large uptick in breaches? I guess referring back to slide three or four, I noticed I pointed out that there were big, huge uptick. Well, first of all, one is you had two very large breaches early on that were reported. One is AMCA, which again is a billing agency with 32 million records. I mean that in itself… I’m sorry, it’s 25 million records. That in itself is huge.

Keith Brennan:
The second one, LabCorp, everybody knows LabCorp. Just went there three months ago and had my blood drawn. Again, 7 million records extracted from there. So that’s why, it’s just the size of the breaches. Well, I don’t actually have a number on the total number of breaches. That’d be really interesting, but just the size of them has made it huge. But I also think that the next thing we’re seeing here, and I alluded to this a little bit earlier, is that there is a situation now where it used to be that ransomware is the way people were going to try to get money from you. As a matter of fact, my old hospital that I worked for… doesn’t work for them at this time now, I’ve been at FireMon, they actually got hit by ransomware. And so that was the mechanism people were using to extract money because it was easy and direct versus trying to sell the medical records. I think they’re now going back to the old methodology, just selling the records. So I think that’s also why you’re seeing that uptick there.

Keith Brennan:
Next question. How is the healthcare industry compared to others in terms of automation, to be honest. And, I think part of that is we go back, I was talking about process. The healthcare establishing processes for everything. And you need process. Particularly, you’re talking about patient health. Oh, absolutely, if you’re taking care of me, I want there to be processes for stuff you’re doing. Unfortunately processes are slow to change unless there’s a sentinel event. So as a result, I think it’s lagged a little bit. I think there’ve been a couple… I’ll call it nascent sentinel events that are happening, kind of hidden a little bit. One is all the mergers and acquisitions. I think that’s creating a situation now where a lot of organizations are now starting to look to automate.

Keith Brennan:
I’ve had several conversations with very large organizations who are specifically looking to achieve that level of automation I mentioned earlier in that stage four. And the second one is just the lack of personnel. At the end of the day, finding qualified people is still hard. We’re at negative 10% unemployment in particular inside cyber security industry here in the United States.

Keith Brennan:
I was actually in Australia, gosh, three weeks ago and was talking to some people there. And I guess they’re actually at like negative 20% cybersecurity unemployment there. So that’s a global phenomenon. So finding the right people, it seems to be hard. So again, anything you can do from a system wide standpoint, it helps mitigate that risk and just finding the right people, because again, the system can handle it.

Keith Brennan:
C) Do you see a lot of organizations adopting a security by design standard? Yeah, I’ve mentioned that a little bit earlier, so that’s actually something that came out of GDPR. So the European privacy regulation, security by design and it’s since caught on a lot of other organizations and the way I’ve seen whole departments now granted that inside healthcare organizations, which is super cool. Fortunately part of what they’re doing, the security by design is still reactive. It isn’t necessarily full evaluation through initial demos, through procurement. Usually, they get involved once procurement happens, so at that point, the system’s not installed yet but it’s still reactive in nature.

Keith Brennan:
I see that actually rectifying itself quite a bit, and in particular for healthcare. I think healthcare will be one of the lead adopters of security by design methodology in United States, because I think it’s the best way for them to avoid and mitigate risk before the risk ever gets inside network, because once inside the network, bad stuff happens and again, expensive stuff happens. So absolutely I see security by design happening there.

Keith Brennan:
The final question about this from users is, what I see as the biggest hurdle to security automation. People, the answer to that simple, it’s mindset. And I admit, I’m a control freak too. So do I want to relinquish that control. That comes from two things. And what I’ve seen from lower level technical individuals, they’re worried about job security. So there’s some job security worries in there, which are really truly unfounded given today’s market. And the second one is control. So I am an upper level analyst, I do my thing. I analyze stuff, that’s my job and I’m really good at it. Do I want to trust another system to do that for me, even if it frees me up to do better tasks? There’s still that element of control there. So I see that as being two of the biggest things.

Keith Brennan:
Then of course, there’s the process mentioned earlier. Healthcare is very ingrained in process, so it’s a matter of changing those processes. But again, I think there, there are sentinel events happening to allow that.

Keith Brennan:
That was it for the questions, any additional questions. All right. Well, if that’s it, then, I appreciate you all for attending and I will give you back three minutes and 30 seconds of your day. Thanks a lot. And once again, feel free to visit our website. Reach out to us if you just want to talk more, if you want a demo, any questions or answers they’ll happily… If you just want to talk to me, they’ll happily refer you to me, give you my contact info and all that stuff, and talk, discuss, and just see where your organization is and where you need to be. Thanks a lot for attending.

 
