
32. Kurt Hagerman: "The key for healthcare is understanding and containing the risks as best you can"

Have you ever wondered how to mitigate the vulnerabilities that stem from IoT?  Well, in this episode, that is what you will find out. We're going to give you key points for building or maintaining your overall cybersecurity strategy, as well as provide examples of how IoT is a real and growing force in healthcare.

Rather read?

Here's the full transcript of this episode.

Sierra Reed Langston: I'm Sierra Reed Langston, and this is the HIPAA Critical Podcast. The Internet of Things is transforming healthcare from telemedicine to augmented reality to AI. All systems, network mobility, collaboration, security etiquette need to connect and work together. Have you ever wondered how to mitigate the vulnerabilities that stem from IoT? Well, in this episode, that is what you will find out. We're going to give you key points for building or maintaining your overall cybersecurity strategy, as well as provide examples of how IoT is a real and growing force in healthcare. Today, we are very lucky to have Kurt Hagerman, Principal Cloud Security Adviser at Oracle, to discuss these topics in greater detail. Kurt was previously Chief Information Security Officer at Armor Defense, Inc., formerly FireHost, which provides threat detection and response services. In addition to his work at Armor and Oracle, he has spoken and presented at security industry events and trade shows in the US and internationally, such as RSA, HITRUST, and HIMSS, to name a few. Hi, Kurt, can you provide some background on Oracle? Who are you guys, where are you located, and who do you all serve? I think that would be a really good starting point.

Kurt Hagerman: Well, Oracle is about a 47-year-old company that was founded as a database company. Most folks in the industry recognize the Oracle name for the Oracle database. Oracle has since expanded its products into a number of application spaces. They have human capital management; they've made several acquisitions. They're providing a lot of enterprise, front-office, and back-office applications as well.

Most recently, they entered the public cloud space through Oracle Cloud Infrastructure. About three years ago was the relaunch of Oracle Cloud Infrastructure, where we provide AI services to customers all over the world.

Oracle is a global company; we operate out of multiple countries. There was a recent article that the corporate office is relocating from Redwood Shores, CA, to Austin, TX. 

What we're really doing now with Oracle Cloud is moving a lot of its applications and SAP applications that are being served up from the Oracle Cloud Infrastructure. We're making lots of inroads with our enterprise customer base and others in providing public cloud infrastructure services.

Sierra: OK, great. Thanks so much for that overview. I know from my research that you created your first strategic cybersecurity programs from scratch. Do you mind telling our audience a little bit more about these programs and what they entailed?

Kurt: Creating a cybersecurity program from scratch is a big, big task. What you do is break it down and keep it simple. The high points really are: know what you're protecting and where it is.

In other words, you need to understand what data of the organization is considered sensitive. And that's what you need to protect. Then you really need to know where it is. A lot of organizations suffer from data sprawl. You have to have a good handle on where all that sensitive data lives, because you can't protect it if you don't know where it is.

Once you have a handle on that, then I think the next step is to really understand and catalog the risks that your organization faces, based on how it effectively handles, collects, processes, and stores this data.

Everybody does things slightly differently. They have different kinds of applications, and they have different ways that they work internally. You can look at a common set of risks, like the top 10, when you're talking about applications, but what you really need to do is understand all the risks that are out there in the context of your organization, and how you're working with the data that you have.

Once you have those risks understood, then you can start understanding: how do I now mitigate those risks, what security controls do I need to put in place? Most people start with a framework like ISO 27001, or they'll start with NIST 800-53. Depending upon what industry you're in, you may have banking and financial services regulatory requirements, healthcare requirements like HIPAA, or payment card requirements. So you have to understand what your regulatory environment is in terms of what kinds of controls are required.

Then you really need to work on taking all of those things that you have to do and making sure that they're actually mitigating risks. And you build it from there. Really, what you've got to do is get the basics right. You really need to understand how to segment and isolate that sensitive data very well. You need to have very strong access controls. That goes from the governance side for how you grant access to things to the actual technical side where you actually enforce access control. 

Encryption is another basic thing. Encryption of data is a pretty easy thing to do. But you need to have good encryption for that sensitive data. In the event that some of the other controls you have fail, if people get the data, they're not necessarily getting anything that they can use.

Then, have a strong vulnerability management program. 

Those are the four basic building blocks that I think are really important. Unfortunately, a lot of companies don't focus on the basics a lot; they figure they've already got them nailed. A lot of times, that's where the problems are. Then really, it's a matter of addressing your most significant risks first.

So, once you understand the risks and which are the most significant ones, prioritize your risks and put controls in place to reduce the most risk you can right away.

Sierra: Well, I appreciate you outlining that for our audience. That was extremely informative. For the next question, I know you touched on a few items, but if you could continue. The question is: one of your recent presentations was titled "Healthcare's Losing Battle Against the Hyper-Connected Machines." Can you give us a summary and key learnings from this presentation?

Kurt: I co-presented this with a colleague a little while back. IoT is a real and growing force in healthcare. Everything in a healthcare setting is now connected. It used to be that there was very little connectivity inside a hospital or healthcare setting. All the devices until a few years ago were mostly analog.

Everything is now connected, from things like supply cards, which you wouldn't even think are connected; they are connected to the network. They use NFC technology to keep track of inventory for supplies that they are using, all the way up to the most sensitive equipment used in the OR and in intensive care units, along with medical imaging.

You've got all these devices that are not connected, very few of them were ever designed to be connected, or when they were connected, it was a bolt-on, and security wasn't really an important thing. 

All these connected devices that have varying levels of security that can be enabled represent additional threat vectors into healthcare and into the healthcare environment. So it kind of took them by surprise. 

Healthcare is about patient outcomes. It's not about technology, and all this technology came and got put in place. I think they got caught a little bit surprised. They're behind industries like financial services in terms of their maturity, but they are catching up quickly.

I think the key for healthcare folks is understanding and containing the risks as best you can from these IoT devices. And migrating to more secure devices when you can afford to, as your budget allows.

I have a buddy who was the CISO of a hospital chain, and he came in and realized that he had a list that he could never accomplish all at once. And so he would prioritize the list and knock off two or three major items a year. The other thing he did is he researched and built a list of approved devices. So as old things like ultrasounds and other sorts of devices became end of life or were no longer needed, they had to be replaced with a device that he could protect.

He made a lot of progress over five or six years. Pretty soon, he had a way more secure environment because now everything new was able to be secured. And that allowed him to focus his efforts on how he could contain the risks for the devices that didn't have the kind of security that he needed.

Sierra: Yeah, we hear that a lot of old devices are exponentially creating a lot of risks that people don't even know about. So I'm really glad you touched on that. I love that you used a case study example that helped me, and I'm sure it will help our listeners. Additionally, you spoke at Paubox SECURE, which was this last October. Your topic was "Shiny Object Syndrome: Ensuring Your Security Puzzle is Complete." Do you mind providing a summary and key learnings from that talk for the folks who were not able to attend our conference?

Kurt: What I call shiny object syndrome is where security teams are buying the shiniest, the latest, new security toy. It has become a bit of an uncontrolled phenomenon.

We hear about all these new threats and all these new risks out there, and the security market itself is quick to try to fill those holes. So they develop tools designed to plug the latest holes and address the latest risks, right? What ends up happening is organizations buy a whole bunch of tools, but they don't really fully realize them and utilize them.

Part of the issue is that focusing on the basics, as I talked about before, network segmentation, access control, encryption, that's kind of boring. It's hard to get money as a security leader for those kinds of basic building blocks. But because there's been so much focus on responsibility for cyber at the boardroom and executive levels now, these cybersecurity companies market their tools, and often over-market their tools, as being the next great solution that everybody has to have.

So, a lot of the CISOs and security leaders find that it's easy to buy the new tool because they can get a budget for that, but they think it’s budget for the other thing, right? So you end up with this sprawl of tools that are being poorly managed, poorly used. 

Then you've got the additional trouble of how do you correlate all the information? That's the data that's coming from these different disparate tools because they don't talk to each other. How do you define some useful information that helps you actually understand the threats that you're facing and how you can protect yourself from all? 

So really, I think it was kind of painting the picture that what you really need to do is try to make sure that, as a security leader, you have a plan that is aligned with the risks of the organization and aligned with the business of the organization, and that you clearly communicate that plan to your executive management and board so that you can avoid some of these shiny object syndrome tendencies. And basically be able to resist and say, "This tool sounds great, but I've already got two other tools that do most of what it does, and they're already in place. I don't really want that. I'd rather have this, because we have this risk that we still have to plug. And so I'd rather spend the money there."

By getting the board involved and buying into your plan, then oftentimes you can combat this idea of buying the latest new toy.

Sierra: Okay, great. That sounds like a great strategy. You've given us some great info today. Which leads us to our next question: how do you keep up with industry trends and best practices?

Kurt: That's a great question. It's a lot of reading. You know, there are a lot of articles and blogs and all kinds of things out there. Most of it is through conversations I have with colleagues, both present and past, whom I've stayed in contact with. We trade stories and get together, and we continue to have conversations where we share things with each other.

A lot of it is through networking and that circle of folks that I've built up over the past, as well as trying to read all the stuff I can read.

Sierra: Right, thank you so much for that! I agree with you. Collaborating with industry professionals is huge. And last but not least, what do you do to de-stress and relax?

Kurt: Well, I'm a cyclist. So I have a road bike, and I like to ride. I was in Texas for a long time, so I could ride ten months out of the year, and a couple of years ago I moved back up to the Seattle area, so I don't get as much in. So, I end up riding inside on a trainer, but probably bicycling, walking, and playing with my dog are the two biggest things that I do to relax.

Normally, I read a lot because I have a lot of travel and airplane time, but that's been cut short in 2020. So I focus more on bicycling and my dog.

Sierra: We have the same activities, my dogs and cycling as well. I live in Texas, so it is flat here, and I can cycle ten months out of the year. So I agree with you. That is a good outlet.

Kurt: Yeah, I was an athlete most of my life, and my body is kind of battered a little bit. So, cycling is the best thing left for me to do.

Sierra: Kurt, thank you again for your time today. And listeners, thank you for joining the HIPAA Critical Podcast. Some exciting news: we have set a date for our next virtual event, so mark your calendars. Paubox Spring Summit 2021: Secure Communication for Testing and Vaccinations in a Pandemic will take place virtually on April 6. We are actively looking for event speakers and sponsors. If you have any interest, please send me an email at sierra@paubox.com. For more info on how Paubox can help with your email security needs, please visit paubox.com. As a reminder, you can listen to other podcasts at paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, or Amazon Music. Thanks again, and see you next time.