January 24, 2022

EP49 Lifesaving Tradeoffs: CISO Considerations in Moving Healthcare to Cloud

Tim: Hi there. Welcome to Cloud Security Podcast at Google. Thanks for joining us today. Your hosts here are myself, Tim Peacock, the product manager for threat detection here at Google Cloud, and Anton Chuvakin, a reformed, tamed, and altogether really nice guy nowadays, former analyst and member of the cloud security team here at Google. You can find and subscribe to this podcast wherever podcasts are available, as well as at our website. If you like our content and want it delivered to you piping hot every Monday afternoon, please do hit that subscribe button. You can subscribe to the show's Twitter account as well. Anton, we've got a fun episode. Today, we are talking about healthcare, and the cloud and security, and healthcare and the cloud. And it's quite interesting sort of content, I think.
Anton: Indeed, you guys are making fun of me. I guess in a few minutes, the audience would listen to it for saying fun about challenges like ransomware in the hospital. Okay, that sounds fine, fine. Maybe I wouldn't draw the line. But the point is that we are talking about a pretty fascinating convergence of circumstances we have environments with a fair bit of legacy IT somewhat budget constrained with interesting priorities, pressured by the pandemic, and by the threats. So to me, I don't envy our guest in his previous role when he was a healthcare CISO. And I don't envy all other current healthcare CISOs because the challenges are quite dramatic, especially given the current well, healthcare pandemic, not only ransomware pandemic as IT people or security people like to say.
Tim: I thought one of the really interesting things about this was we're always arguing about budget, but in this case, he's literally arguing about budget for systems versus budget for patient care. It's a very difficult set of trade-offs, these people have to navigate. I hadn't thought about how stark that is in that context before.
Anton: True. And this one comes to me as well to my former [inaudible] days when I've seen this, and you'd assume that it's the same for every industry. 
Tim: No. 
Anton: If I'm making shovels, I have a choice of investing into more shovel making or IT. But it's just not the same with any other business. Because you literally know that the 100 bucks you would not spend on some IT security control may save a person. 
Tim: That's right. 
Anton: From well, dying. So to me, I can see why it's a different story. Okay, I'll be very tame and very mild. 
Tim: With that, let's welcome today's guest.
Anton: And today we have Taylor Lehmann, director at the office of the CISO at Google Cloud. Hey, Taylor, how are you?
Taylor: I'm doing great. Thanks. How are you, folks?
Tim: Thanks for joining us today.
Anton: Indeed, indeed. And we'll talk about a very fun area, namely, security, cloud security, and healthcare. Now, that sounds scary to some people, especially in the... 
Tim: Is that a fun area? 
Anton: Okay, well I call every area fun area, sorry, I'm just that type of person. 
Taylor: That's insane.
Tim: Anton has also never seen an ugly baby, folks.
Anton: There is that, yes. 
Taylor: We've been to, like, an amusement park because those are like always fun I feel like.
Tim: Life is an amusement park when you're Anton. It's wonderful. 
Taylor: There you go.
Anton: Okay. So what's up with the mind for healthcare organizations CISOs now that we are almost two years into pandemic?
Taylor: The pandemic's put a lot of stress on the healthcare system. Unfortunately, many of the things that were putting stress on the healthcare system are the same things. It's just sort of more of them, and they're arguably having an increased amount of effectiveness. But to just get into the details, obviously, ransomware sort of continues to plague the industry, health systems across the spectrum. It's not just hospitals, it's the payers, it's the CLS organizations, it's the life sciences, pharma folks are really still relying on legacy technologies to run the great majority of their operations, especially now, given many of these organizations under massive financial constraints coming out of the pandemic, are still dealing with the pandemic, dealing with a variety of other things that they need to focus on to deliver patient care, that are demanding that investment, not having the ability to get off legacy technology creates this--I would say it's an opportunity, but the stability of the industry hasn't been addressed necessarily to the extent [inaudible] help these organizations get through the next couple of years, safely and securely given the tech they are on. We've seen a lot of organizations solve this or try to solve this by adopting new tech, which with it carries a variety of other potential risks that need to be managed around their supply chain. But it still, unfortunately, doesn't provide an avenue to getting completely off this stuff. So getting off legacy technology onto supported technology is still a challenge for these organizations, and ransomware, and specifically how it works and spreads when you've got organizations that are using legacy technology across all their facilities and across most of their--most critical business processes. 
And you know, in a hospital setting, you're seeing much of the medical equipment they're using even to treat patients is relying on legacy technology to deliver treatment into the lower therapy, you're seeing not only the ransomware risk present itself as one of disruption of the hospital itself, but also in some cases, getting close to threatening quality at the point of care. That's the big one, ransomware continues. The one perspective that's unique about healthcare, it's not always easy to put together is, you know, when you think of what's at risk, and this is how ransomware operators think, you'll look at a hospital, shutting down a hospital or let's just say shutting down a bank or shutting down a retail store, you know, the consequences of shutting down a retail store are very different than the consequences of shutting down a hospital. Shutting down hospitals or affecting the hospital's ability to deliver care puts people at risk, or shutting down a retail organization might put your Gatorade at risk, put your bag of chips at risk, but it doesn't carry the same consequences. And so threat actors know that. And they use that to increase the amount that they're able to extort out of organizations and use it as a lever to get the pay or do whatever, right. So ransomware will continue to be an issue both because of the legacy issue, as well as the incentives for the attackers to go after it. I mentioned supply chains, the pandemic forced many, many organizations to work from home and work remotely. This led to a huge adoption of SaaS, as well as other sort of vendor-controlled or managed support software. 
And so while there was a big hurry to get off of legacy platforms, to the extent they couldn't get onto the new bottom platforms, the proper governance and oversight and risk management and shifting all of your security resources, or some of your security resources to focus on, those risks didn't come at the same time, there's such a push to get out of the new tech. And so making sure that organizations now have proper insight to where they're getting the technology from, how it's being developed, how it's being released, what vulnerabilities are in it, how it's being managed like those are really important things that organizations need doing. If they're not, then you're saying, you know, in many cases, these under-resourced, financially strapped organizations, again, not being able to put the resources to managing these risks, supply chain, definitely on the list. And there's a variety of other things around medical devices that that sort of touch that legacy IT world, but also this like, hey, medical devices are a special blend of tech, it's closed systems don't really know what our vendors are doing necessarily. So touching on that supply chain risk as well. But what medical devices often represent is that sort of critical care or safety aspect you don't read about in your security journals growing up and being taught about safety is a really critical outcome for security, especially within health organizations, and medical IoT, and medical technology. It's like, technical security becomes safety for the patient and the patient's care. Unfortunately, due to the lack of visibility into some of that tech and the lack of regulation that's been there for years. You're starting to see major concerns crop up, you're starting to see these devices get compromised, and you're starting to see it become a major focus for caregivers.
Tim: That's really interesting. So you touched on this a little bit, but to draw it out explicitly, what's changed during the pandemic, because surely, you know, people are still going into medical offices, and you can't deliver all of your care remotely.
Taylor: I think the pressure on organizations to upgrade their systems has gone up dramatically, to deal with these risks. And say, for all the reasons I mentioned, security, safety, resiliency, IT teams simply not being on-site, you know, of course, being able to make sure that we can keep the tech running and keep the people on site that need to be there on a minimum basis to ensure systems operate. But I'd say the biggest thing that changed like the tech didn't change so much as the urgency in which to transform your technical footprint did change, to be responding to this increased focus by threat actors on these systems plus the need to adopt new technology to facilitate new working patterns, not everything--Before healthcare went into pandemic mode was able to be--like healthcare itself wasn't able to really be delivered remotely ever. Fact, insurance organizations weren't paying at the same rates they were paying, if you showed up to the doctor, they pay more for that, as opposed to paying more for treatment remotely. That's all changed now. So being able to now deliver care remotely is also something that has changed because it's imperative to the business of healthcare. If you can't deliver care remotely, and you do it safely, you're missing a major opportunity. So that has also changed to. I think the pressure that organizations were under to respond to the threats and risks that emerged during the pandemic. And then it's more of the shift to delivering care remotely. And all of that entails relying on your vendors making sure the tech is up to date and working correctly. Making sure users are trained to do the right thing, making sure the systems that Celtic capture diagnostic information are reliable. And make sure that they can be maintained and secure. They're all top of the line.
Anton: So it sounds like when people talk about how COVID pandemic accelerated digital transformation for a lot of companies. This has happened even more dramatically in healthcare. And that opened up all sorts of interesting security, you know, paths, whether they opportunities or challenges, separate story, but it sounds like that rapid digital transformation have caused problems.
Taylor: There's like two camps on this for my tech Thursday. The health systems that were ready for it. They were already in the cloud, doing interesting things. And then there were the ones that were hanging on to legacy tech that weren't in a position to take advantage of digital transformation, and you'll see ones who weren't ready for it are still struggling to adopt cloud services. Are still struggling to adopt some of these futuristic ways of delivering and monitoring care. Organizations who were ready--who are already in the cloud, are already leveraging SaaS and who are already leveraging services like Google Cloud, were ready to take these changes in stride, because they effectively have gotten used to operating in the cloud. But I do think there are many health systems in the US and worldwide who just simply were doing their best to stay in business to treat patients because that's what they're in the business for, they aren't technology companies. They're there to process claims. They are there to treat patients, and that was their business, their business never previously was, let's be the latest and greatest on the bleeding edge of tech. So that we can adapt to rapid market changes, and you know, keep our business going in times of strife, like now. But they're learning that lesson and they're positioning themselves, or at least the forward-thinking insurance companies and healthcare organizations are positioning themselves to take advantage of the opportunities that they have now, to do this.
Tim: That makes sense. So to summarize a little bit, if people were already leaning forward, it's a lot easier for them to have gotten going during the pandemic, and get ahead of the stuff. And there are a significant group in your mind of like laggards who are still a little flat-footed here. 
Taylor: Absolutely. 
Tim: I want to make sure that we give advice to the people that are lagging, how do we really help them stop lagging other than you know, get good?
Taylor: I mean, it's a complicated problem. There's no silver bullet...
Tim: That counts as a hard question. 
Taylor: It's okay. It's a good question. I think that you have to sort of frame the problem correctly in order to answer it. So number one, what you're asking is, how do organizations shift their resources more effectively to take advantage of what digital transformation offers? How do organizations shift resources to address their security vulnerabilities? You know, how do organizations change the resources to pursue more revenue opportunities to then reinvest in a company? All of those questions end with how do I take money away from treating patients and customers and give it to dealing with legacy debt, or technology adoption issues that are oftentimes a result of just failure to execute or failure to see the future. It's a hard question to ask when you're going to the CEO of a company and say, "Hey, I want to spend a million dollars to transform our technology footprint to be one that's more resilient." And say also that's our angle, what could that $100 be used to treat more patients? Could that be used to treat people more healthy? And so I come back to, you know, security leaders really need to understand it's not necessarily how to win an argument, but you need to understand how to articulate the value and benefits of going to the cloud, in terms of the things that your business is in business to do. If you're going to argue to set up a modernization project on your data center, you need to be able to clarify and explain how that will benefit the ultimate mission of the organization. In this case, it's helping people. How many more? How safely is there? So you have to understand the impact of those proposals on your business to then be successful. Because I'd guess arguing against spending money on patients is a really hard thing that healthcare CISOs need to do. 
Tim: Yeah. 
Taylor: And it's unique, right? It's different. We're gonna--how do I prevent fraud? How do I prevent loss events, how do I overriding negative outcomes for consumers? Well, usually making a decision to prevent someone from getting care versus not getting care, which is often the case that gets brought up.
Anton: That came up quite a few times, and like, Gartner experience is that that decision between money spent on security and money spent on care, it's very real, I mean, obviously, Taylor knows it better than I did. But it's interesting how that theme was always brought up by the healthcare clients, by the healthcare orgs I've encountered. It's kind of like, "Yeah, if we do this, we'll be more secure. But that means we won't treat one more patient." Kind of thing, right?
Taylor: I will throw a few things out there. One, the technology opportunity we have today is huge. Number one, the ability to predict care when it's needed and intervene based on historical medical data of a given individual that can now be studied. And those predictions can be made. Almost all those predictions are based on having an analytics platform and data to do it that are often only operating in [inaudible] on cloud. Now, the reason it's important to get to cloud is rebuilding security to our platform. So when you do take advantage of those capabilities. In Cloud, the security burden is shifted to your cloud service provider to take care of our last so out of the gate by either taking on a project or using the case to say, "Hey, we can get more predictive, which means we can control costs better, which means we have better clinical outcomes long term, that's great for our patients." By taking advantage of the technology to do that, which is used typically in cloud, you get the benefits of cloud by going in that direction. And that's not the only reason that getting to cloud is the only outcome. But finding ways to get predictive finding ways to use data to make more data-driven decisions across all fronts, whether it be operational or clinical are huge opportunities to shift the conversation away from let's spend less money on customers more on tech. Let's focus on things that actually matter to my business. So case management, operational improvements, and finding opportunities to take cost out of situations by studying data of given business process and standard stuff. There's a lot of money gets spent on health care, there's a lot of ways--finding ways to remove waste provides opportunities to pivot a conversation around how do we modernize? How do we get to new technologies that help us secure ourselves more favorably? I've never been a fan of leading with scare tactics. I don't think anybody should either. 
And especially in health care, the consequences are great.
Anton: Let's shift gears a little bit. And of course, when we talk about healthcare, there's always somebody who brings up HIPAA and other regulations. And last time I checked the calendar, it was 2022. And of course, HIPAA is from 1996, which is like decades old. So how do healthcare security leaders live in the world where regulations are from the '90s? But technology is kind of from the 2020s? Maybe that's a cynical way to ask it, but like, what regulations are shaping the healthcare industry, how it approaches security? And how does this whole 1990s regs, 2020s tech thing work together?
Taylor: Specifically the HIPAA Security rule, which was a component of HIPAA and which was a part of the Administrative Simplification Act, which was the underlying, overlying however you want to describe it, law that put it all into action back in the 90s. It's been amended a number of times, it's been amended to keep up with changes in how to report data breaches, how to manage service providers, additional publications have been put out on how to clarify and comply with the requirements. The Office of Civil Rights has begun enforcing the HIPAA security rule on those who don't demonstrate compliance and through those engagements that rules have sort of been updated, similar to like establishing case law, as one would in terms of guiding what an organization should be compliant. So all of those things are happening. And it's been a mechanism to keep HIPAA up to date. But it is fundamental, at least it here in the US. It's the fundamental law that shapes how organizations need to secure medical information or health information.
Tim: So Taylor, I want to switch gears a little bit and ask you to speculate, which is always fun. Could you share why you think we're not seeing more cloud ransomware? Medical sector gets hit with ransomware all the time. Why aren't we seeing more cloud ransomware?
Taylor: I think if you look at the successful campaigns, the threat actor groups, the tools, techniques, and procedures they follow. Most of those attacks are designed to take advantage of weaknesses on-prem, like known systemic vulnerabilities that effectively everyone on-prem has. If you look at the typical kill chain, or whatever the new hot term is for understanding how the attack has occurred, you'll typically see the same things, email with attachments that have bad things in them that get detonated on an endpoint that bring more bad things that then result in threat actors getting footholds, moving around environments and doing all sorts of actions to facilitate a ransomware attack. The assumptions the threat actors make are true when you imagine systems in an on-prem fashion, poorly patched, loaded, no segmentation of the network, and a variety of other issues create the perfect environment for ransomware to be successful. And the reason I don't see as much of this in cloud, although there are ransom events and types of ransom and extortion that occur with respect to cloud resources, you don't see the traditional ransomware attacks we're reading about. Which is number one, most malware is designed to propagate on an on-premise network, not jump from an on-premise network to a cloud. Right? It's not smart enough. I'm not saying it can't be, but currently isn't smart enough at scale to jump into a cloud environment, understand the cloud environment's particulars and move laterally. Second, cloud done well, you know, cloud is secure by design. So when you deploy a new workload, if you do it right, you're deploying workloads into an isolated environment that's separate from other things that you care about and wish to keep. And so in the event something does hit the wire and gets into a cloud environment, your blast radius is typically small. And that's by default because you've set it up correctly. 
So you can get ransom, the chances of you getting ransom, and having that have a big impact versus a small impact or lower, given some of the sort of primitives of how cloud works. There's a variety of other factors, but I'd say specifically getting specific details on specific threat actors and specific campaigns. But I'd say primarily, it's due to the fact that most ransomware games and ransomware operators and the tools they use are designed for highly vulnerable, highly susceptible on-premise infrastructure.
Tim: That makes a ton of sense. And I think that's a really interesting answer, looking at both the way the ransomware ecosystem works, as we've discussed previously, on the show, with actors using tools from other actors, and the tooling not being there yet, as well as kind of the nature of cloud that you touched last. I think that's a really interesting answer.
Taylor: Thanks. I think we'll see evolution here. But I think over time, hopefully, we all get better at this and we see ransomware reduce and go away. Let us go back to focusing on treating patients.
Anton: Yeah, indeed. And I think that we definitely expect more research to kind of explore the ransom events and types of ransom activities that may be in the cloud, even though they may not involve malware, as we discussed in the past. So Taylor, sometimes healthcare orgs are seen as IT laggards, but we do know they adopt the cloud. Today they adopt off to the service. So what are some of the key cloud security migration lessons that you've seen from healthcare that can be useful to others?
Taylor: I think the first thing that comes to mind is taking advantage of the built-in security properties of the cloud. What that means is security teams can--not to say that they can eliminate focus, I think they can, but they can reduce the amount of things they need to know to secure the workload effectively. They don't need to know 100 things like they might need to know on-prem from, you know, the silicon up to the app, they can instead focus on a smaller subset of the infrastructure that they themselves are accountable for managing this gets back to the shared responsibility [inaudible] model. But I think the migration guidance number one would be fully understand the model and understand what you're accountable for. And then build strength and depth in those areas, you'll find that a much smaller volume of information needs to be good at. That it needs understanding than demonstrate technical capability to be good at. The opportunity to be more focused, and build stronger security. And because you're more focused on a couple security opportunities versus you know, trying to manage the entire second, and it's huge and it shouldn't be overlooked. The second is, this is more of a warning necessarily like a best practice. But teams who try to repeat what they're doing on-prem in the cloud, do not miss the opportunity. Trying to manage a server at the cloud, using native cloud services offer tremendous opportunity to reduce toil within your IT teams that they're experiencing trying to maintain that same infrastructure on-prem. The tools are different. The tools built for cloud are meant to provide, in some cases, continuous services to secure the workload continuous and autonomous mechanisms to make sure workloads stay up to date said the tread workloads are reporting into centralized logging and monitoring servers. 
And deploying things with code offers you an opportunity to completely rebuild your infrastructure from a known good set anytime you want, and ensure that the security parameters and policies you want to apply are the ones that actually apply. And your ability to secure the workload goes away from necessarily having to watch every bell and whistle to understanding when those configs change. And when you see anomalous activity, which again, if done well, you're reducing the scope that that security professional has to manage to a few things versus a whole host of things. So trying to manage security on-prem, that's very different than trying to manage security in the cloud, it requires a different approach because the tech is different. The opportunity to build on cloud means you get to take advantage of a lot of security that's already there. And if you use code to define and deploy your architecture, you get what you asked for, because those are two things that pop right out to the top. I think the other beautiful thing, I was actually talking about this to someone earlier today, like there's this whole concept of bolt-on security, which is a concept that exists in certainly those who are adopting cloud early and trying to figure out where security fits in the process of building and deploying tech. But bolt-on security refers to security controls we apply right before we deploy it into production. In many cases, the same way we'd apply tech on-premise. Let's figure out how it all works. Let's deploy the architecture and then let's call the security folks two weeks before we go live to make sure it's safe. Done well, we can move all of that compliance, security testing, all of that activity to occur much, much earlier in the deployment process. And it occurs in many cases at the same time other validations occur. So when testing is done, it means all testing, including security testing, is done. 
When this code is ready to be deployed, it means all specific sets of requirements have been addressed, not just functional or non-functional requirements. When code is running, you know, we can tell anomalous behavior and activity from all the angles, user activity infrastructure activity, we can build and engineer these controls into the deployment process. So in fact, they're seamless and invisible in some cases but gets us out of having to react late in the process to try strap on whatever security controls we can at the very end, going on Cloud specifically being able to deploys infrastructure as code and applications as code in some cases, not security as code, able to define that as code side by side with potentially other code you're writing to support the app is a huge, huge opportunity can't be overlooked. So if you're just using services to deploy a server, and Google Cloud create, you can do that as code as well. But you're missing the point, being able to define the entire workload end to end with code. That includes security code is a huge opportunity and why not to be less? That's a game-changer.
Anton: Perfect. Thank you very much for this. And let me ask you a very brief final question. It's our traditional, final question. Any one action item the audience presumably in healthcare can use to improve security. So anyone tip any one corporate quick thing to make things better?
Taylor: I'd say the most important thing that's made a huge difference to me, that's not technical related. If you're at your desk, maybe this is not the best advice to give during COVID. But I'd still encourage folks to think about it this way. You will never see the impact your security program has until you throw scrubs on and go follow physicians and clinicians around Your facility or sit with claims processors, and less than work or sit at a customer service support desk and listen to support calls coming in, you will never see--truly see the impact your security program has on how well you enable your business until you get out there and watch it happen. The book is the Phoenix Project, the example is standing on top of facility sort of scaffolding to watch how facility goods get moved around. Same concepts exist in health care, you need to get out you need to follow you need to listen to doctors, you need to talk to them, you have to understand how they work, you need to understand how security enables them or disables them from getting their job. And most importantly, you need to talk to them, building relationships, understanding where they're coming from developing that deep, deep empathy. And then taking that back and framing how you're going to solve for security is critical to be successful in this job.
Anton: That actually does make sense. I'm not surprised at all that your tip isn't about, oh, adopt this tech and you're good. It's the process. It's the quintessential 1990s advice that's still as valid in 2020s, as ever was. See how the business actually does well, the business right?
Taylor: Yeah, you're not going to know everything, so you need to do it often and regularly.
Anton: Perfect with this. Thank you very much, Taylor, appreciate you spending time with us. And looking forward to future episodes. 
Taylor: Thank you. 
Anton: And now we are at time. Thank you very much for listening in and of course for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify, or wherever else you get your podcasts. Also, you can find us at our website security/podcast. Please subscribe so that you don't miss episodes. You can follow us on Twitter at and of course, your hosts are also on Twitter @anton_chuvakin and @_TimPeacock. Tweet at us, email us, argue with us, and if you like or hate what you hear, we can invite you to the next episode. Of course, now you know that we have restarted our weekly cadence for 2022. So we will be with you hopefully every Monday. See you on the next Cloud Security Podcast episode.
