Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. Speaking with Taylor Lehmann. He is the director at the Office of the CISO for Google Cloud. Morning, Taylor, how are you?
Taylor Lehmann: Good morning! I am good, thanks.
Novinson: Let's get into healthcare cybersecurity here. Starting at a high level, what are some of the biggest challenges that organizations have when it comes to securing healthcare-type environments?
Lehmann: Healthcare is an industry that has many different flavors. You have hospitals, health plans, life sciences companies, and all sorts of different flavors in there. Some that do research, pharmaceuticals, manufacturing technology that delivers care and treats people. All of these industries or sub-industries have different sets of issues. And all of these industries are populated by companies with different levels of capabilities. So, the big pharma tech companies tend to have specific types of threats and specific types of technologies they protect, and specific capabilities aligned to protect them, whereas a hospital has a different technology. So each of them is a little different. But broadly, I would say, protecting patient health data is required by law almost everywhere in the world, but certainly has value from a variety of perspectives. And people want it, both from a confidentiality perspective and, as we've learned more and more, the availability of that information is super important, and has value as well. Intellectual property, especially when it comes to research, new technology to treat patients and populations and make them healthy, but also sustain and thrive - super valuable to a variety of threat actors around the world. And, beyond the data and the intellectual property, I'd say just generally, allowing these industries to operate and innovate, individuals have found ways to threaten the safe operation of organizations of all types, through things like ransomware. And, just different targeted attacks on the infrastructure to basically affect their ability to thrive as businesses and run and treat. And so it's an interesting set of dynamics. Each industry has its own sorts of unique issues. But, confidentiality, intellectual property theft and availability of systems tend to be where I'd say most people are focused on - both attacking and securing.
Novinson: Let's double click for a moment here in terms of the patient data issue, and I want to get a sense from you of what are some of the newer emerging challenges associated with safeguarding patient data? What are some threats you're seeing that are making that more challenging?
Lehmann: Well, it's HIPAA as one of the earlier rules, but now, every country around the world has its own flavor of it. They were focused originally on the confidentiality of this information. I think, for years, people said, well, as long as it's safe and private, then I'm compliant. And I think two things have changed. One is compliance is not the goal, necessarily, when it comes to protecting data. This data has value that I don't think the original rule makers could have predicted when they set the rules. And so some of the rules around what do I need to do to be compliant differ greatly from what do I need to be secure in this day and age. And I would say, what's new or recently new is now the availability and integrity of that information, which some would say was contemplated in the original rules. I would say, probably not. But let's go with it. Integrity and availability are important. And here's why. Availability of patient data basically makes sure that if you show up at the hospital, you can get care. And that's threatened with things like ransomware. So if you can't get care, because your data can't be accessed, your ability to live healthy is challenged. And that is something that, again, I've mentioned before, has value from a threat actor's perspective, and that will compel payment and motivate different people to do different things. The more interesting thing, especially with the advent of machine learning and artificial intelligence, is integrity of data. Integrity has always been important. But now when we start talking about adopting new technologies to streamline care delivery, to make research move faster, and bring different parties together, and basically increase the reliance we have on information like patient protected health information, that integrity piece becomes important - not just for care delivery, but for the next phase of innovation in healthcare. And so we're starting to see attacks on integrity.
Because we know that downstream of data is being used to build machine learning models and then affect how care is delivered, research is done, or new products are developed. You can insert yourself very early in the supply chain to those products and, eventually have different interesting kinds of outcomes that you might be looking for. So integrity is a big thing right now.
Novinson: What are some of the unique challenges associated with safeguarding IoT and OT devices in a healthcare setting?
Lehmann: Age and the complexity and the variety of the IT and OT, I'd say, are probably the two biggest. Your ability to adopt a uniform security strategy with respect to that technology is basically impossible. In my sort of travels, what I've noticed is that probably the only similarity with any individual piece of IT and OT is that if it's network connected, you have a network connection you can pull and use to build a security strategy from. If it's not, you have far fewer options. And so when I think teams try to approach IT and OT, it's a different approach to saying how you might secure corporate infrastructure, where there are more standards and more commonality. IT and OT require heavy emphasis on threat modeling; on understanding what tech you have and how to inventory and find it; on being able to at least understand what's going on with the device to determine good from bad. And those are challenging problems that require a lot of time.
Novinson: And from a supply chain perspective, what are some of the biggest obstacles that healthcare organizations have to deal with to ensure the safe operation of their supply chain?
Lehmann: Well, I think all industries are challenged with this. And we talk a lot about this at Google, in terms of my role, when I'm working with CISOs: look, your security program with any technology depends heavily on your supply chain. And on a variety of factors - quality of what you're buying, the tendencies of the vendors, and their ability to maintain and manage things. And the quality of that is important. Those are hard things to bat out until you have something running in your infrastructure. So those are lessons that are difficult to learn until you've learned them a little too late. But most importantly, and I think IT and OT are uniquely challenged by this, is that it's expensive, which means it's subject to less technology refresh than, say, a server, a storage array or cloud service - those have a lifetime of one to three years, and are relatively easy to replace. An MRI machine or lab equipment lives for 10 to 15 years, sometimes even longer, past their end of life. And to me, one of the most important indicators of your ability to protect yourself is how frequently you are refreshing technology. And that technology is not frequently refreshed.
Novinson: And what are the security implications then of the fact that healthcare technology often is used past its end of life?
Lehmann: Well, there's a variety of implications, like quality of the products they produce has issues, safety in terms of their use, whereas some of these devices are implanted in people's bodies to keep them alive. So I don't know about you, but I wouldn't want a piece of medical equipment that was touching me that was keeping me alive to be 20 years out of date and vulnerable. Now, that's an extreme example. But there are examples like that, that are out there. You were asked earlier about supply chain and risks around it. I think, to me considering the relevance and the importance of this stuff, and life safety issues, and not just life safety, but like the criticality of an organization's systems, how they flow, what operations they support, and how important they are. I'm not sure it's always gotten the same level of understanding and therefore, awareness of the risks that it carries and ability to then mitigate those risks throughout what I would say is a typically normal or unsophisticated security program, which many organizations have to run and use to try to understand and secure this stuff.
Novinson: Let me ask you here finally. What should healthcare organizations be expecting from upcoming regulations?
Lehmann: I think it depends. There's been a lot of talk around what the U.S. government is doing in the federal space or in the financial space around boards, equipping boards with more security expertise, with the belief that that's going to compel organizations to get better at cyber. You're seeing those rules in Europe. You're seeing different flavors of it. But eventually, the same idea is that in order to make progress against cyber risks, we have to engage the business more and more, and there's no better way to do that than to do it through those who hold the business accountable to not only themselves but to shareholders. This is something that Google Cloud has been doing a lot. And some of the things that we've recently published are trying to equip boards with the information and knowledge they need to not only ask the right security questions of the security team, but ask the right security questions of the others at the board. And also ensure that what information they're being provided is effective and helps them in their role as leaders and overseers of an organization to do their job effectively. I think with what the FDA has recently done with finalizing guidance around medical device safety, security is positive. I know there's some deadlines later this year. This is a summarization. But organizations that sell regulated medical equipment will need to meet security standards in order to sell their product, which is new. And it's something the industry has been pushing for, for a long time. Because the end-of-life software or hardware, it's not something that is secure. And nobody believes that should be allowed, such equipment being bought in these days and used. So what's been done in terms of securing medical devices now, adding a regulatory angle to that I think is positive.
I think we're seeing and hearing, mostly in Europe, issues around digital sovereignty, data residency, protecting information of individuals, and ensuring that information about those individuals stays within those countries. That includes health data. But it includes a broader array of data. And so organizations, I'd say, who are operating in those countries - health data is, in a sense, personal data as well - have to meet those regulations too. So you're starting to see further progression of an implementation of security rules in Europe, and you're seeing different approaches and strategies that are needing to be adopted in this day and age to comply with the way the rules now work, which not only just say you need to be careful on who you share it with and how it's secured. You need to make sure it never leaves certain areas, especially if you're working in cloud and other distributed technologies, where it's not always been easy to figure that out.
Novinson: Interesting stuff. Taylor, thank you so much for the time.
Lehmann: Thank you.
Novinson: We've been speaking with Taylor Lehmann. He is the director at the Office of the CISO for Google Cloud. For Information Security Media Group, this is Michael Novinson. Have a nice day.