April 2023 Webinar: Zero Trust and Why It Matters from Edward Stringfellow on Vimeo.
Transcript below
Daniel Buchanan: Hello and welcome to the Stringfellow April 2023 webinar and podcast. Our topic this month is Zero Trust and Why It Matters, Protecting Patient Data and Enhancing Security. I’m joined again by Edward Stringfellow today. Say hi, Edward. Hello. How’s everyone doing today? Doing good. Doing good. I think this is a really important topic, but if anybody else is like me, they may be, you know, a little confused as far as to what Zero Trust is and why it matters.
So, I think we’ve titled this appropriately. So, let’s just get right into what Zero Trust is.
Edward Stringfellow: Yeah, I think that’ll be helpful. First of all, zero trust is not probably what maybe potentially some of your past relationships have been like, or maybe it is. That’s, that’s not what we’re talking about today.
What we are talking about though is, is how to effectively protect, you know, your information and access to your systems. Which, which typically means patient data and PHI, that, that many providers have in their practices and are obligated to take care of. So, when we talk about cybersecurity and healthcare, I mean, it, it can look like this.
Like there can be the landscape. It can just be really overwhelming. So today we’re really going to focus in on just, just part of it. And that’s, that’s what this concept of zero trust and we’re going to kind of walk you through what that looks like. I think it’s important to, to point out though, There’s, there’s some very unique challenges with cybersecurity and healthcare, right?
Unlike just what we would call general businesses, non-regulated businesses, there are some very stiff fines and penalties if PHI (personal health information) is leaked, I think it currently is $10,000 a record. So, there’s some financial impact to not doing some of these things. On the flip side, it should be possible to justify getting some of these things put in place because you do get a return on your investment.
So, a lot of groups go, well, we’re not doing this today. That’s like, well we hadn’t had an attack yet, but it, but if, if an attack would cost x and we can spend not x, but way less the return on investment is, is there. So, there’s definitely a value to understanding and doing these types of things. Obviously, ransomware, we hear about it every day.
Literally, I think Microsoft and another group announced a partnership to stop this ransomware group from attacking a couple of hospital systems. Daniel, anything to add to the healthcare landscape before we kind of dive into the more tech details?
Daniel Buchanan: Well, I just wanted to say, you know, I’ve got this corporate firewall. I mean, look, I’ve put a lot of money in that firewall and I’m really proud of it, and it’s, it’s awesome. You know, like nothing can get through my corporate firewall, right?
Edward Stringfellow: So, it’s funny you say that about your corporate firewall. Let’s not say it’s useless, but that is the old model, Daniel. So, it used to be we would build our kingdom and we’d put our moat, we’d put all our valuable stuff in our treasure chest, and then we’d put the treasure chest in the castle, and then we’d build a moat around the castle.
Then we have a firewall to access our treasure chest. We had to go to the castle. Well, guess what? Now people access the data, the treasure, from everywhere. So, you, you might have a provider that is at multiple rural clinics. You know, coming back in to the central data, you might have a provider at home potentially catching up on charting.
Mobile devices are prolific now, so they could be anywhere. So, the reality is this firewall literally protects generally a location and one in which we’re typically not in. So, while firewalls we’re not, we’re not throwing them out. That is a, a firewall is really not part of what we would consider a zero, a zero-trust model.
So, when we’re talking about: what does it look like? What is zero trust really? What, what are the inputs? Or the signal is a good term for it. So, a firewall, it just kind of say, hey, where are you coming from? And yes or no, but it doesn’t really have any intelligence.
The Zero Trust model says, “Who are you?” So, what’s, what user are you, what’s your location, right? And has your location. So, so that, the cool thing with Zero Trust, it’s actually there’s a reason that it’s even possible is really AI, it’s artificial intelligence and it’s making decisions in real time about your access.
Before we didn’t have AI, we didn’t have the computing power to do that. It just wasn’t possible, right? The amount of logins that would have to be processed and thought about, I mean, it just wasn’t possible. I mean, it’d take you an hour to log in. Well, guess what? No provider’s going to wait an hour every time they have to sign in.
But with artificial intelligence and taking all these signals, we can make decisions so quickly running through this. Who are you? Where are you coming from? I’m going to look at that. What application are you trying to access? Are you trying to go to our corporate internet? Are you trying to go to the EHR system or are you trying to just access the web?
So, depending on what you’re accessing, I can make a more informed decision. What device are you on? So, you’re on a mobile device versus a workstation. Okay, you’re on an Edge browser versus a compliant Windows machine we know. So that is an input into our decision.
And then real-time risk, that’s really this AI component where it’s awesome. It will learn that this provider will go to this rural clinic in Northeast Georgia every Thursday and log in and over time it will learn that’s your pattern. And guess what? It’ll quit requiring you to log in with MFA every time.
Right? So super cool from a productivity standpoint too. It’ll learn patterns over time and it makes the security, that zero trust model part of it, it should just fade into the background and not be super intrusive. Anyway, it looks at those things, it verifies, it goes, hey, you’re allowed in.
It might say, hey, you know, everything’s cool, but you’re not in your normal Thursday location, let’s prompt you for MFA.
Or it might be like, you just logged in from Georgia and this login is from Seattle in an hour. It’s not possible. Block access. Does that, Daniel, does that make sense? Like we’re looking at inputs and we’re making a decision, and the decision is to trust or not to trust in real time. Does that right? Does that make sense?
Daniel Buchanan: It does make sense, yeah. It seems like the old model was: trust but verify. And so, there was like, well, okay, you’re a trusted user, you’re coming in. It almost looks like with this it’s: never trust anybody ever, always verify who’s coming in is who they say they are.
Edward Stringfellow: Well, we start over every time. We start over every time, every login, we look at the signals and we make a decision. And so the default is: we don’t trust and then we verify and let you in. It really works. The other challenge though is this is AI based.
Well, the flip side is, AI is also in the hands of the people with ransomware and trying to perform an attack and stuff like that. So, we’ll get to more on that later. But, but anyway, this is the basic model. We’re going to take inputs in real time and we’re kind of kind of make a decision on what to do.
And so, okay, great. So, yet another two IT guys telling me about signals and logins. Like what? Like why do I care, especially in healthcare? I think first and foremost, for better or for worse, regulatory requirements.
So, we care because data breaches are becoming very public and they’re becoming more frequent.
Cybersecurity and liability insurance are getting more expensive, just like tail insurance for many providers has gone up over the years. It’s the same thing. So, as a healthcare provider, you’re going to have to do some form of zero trust.
A cyber liability application used to be like two pages and said, do you have antivirus, and do you have backups? Today we do them every week for our clients and they can run 60 to 100 pages. So, you know, that’s why it matters because you have to have that.
Hybrid and Remote Work: So, we specialize in multi-site practices and typically the providers are moving between those practices. And so that zero trust model is very important there as they move around that hybrid, moving-around kind of work structure.
It keeps you healthy there. And then we, we talked about the whole AI situation.
Zero trust is based on AI and so is the bad guy stuff.
So, you’ve got to keep up. Your firewall doesn’t stand much of a chance. Your firewall combined with your username and password on your local server? That’s probably not the super secure moat and fortress that it used to be.
Daniel Buchanan: You’re almost making it sound like it is AI fighting with each other on either side!
Edward Stringfellow: It kind of is. And so, we want our zero trust and we’re heavily invested in the Microsoft stack which has billions of signals coming in a day.
So, they are training their model to see things. So, the other cool thing is if you implement zero trust in the way that we suggest, you are not an island anymore.
Now you are getting not only the signals from your organization, but from hundreds of thousands of other groups, and that’s very helpful.
So, when they see an attack over here that has nothing to do with you, the AI understands it and can help, you know, help prevent it from happening on your side.
So, this is great, right? Like, so well, what’s next? How do we do this? So, I think we can all establish security matters. You know. Okay, great. So where’s the switch? Where’s Zero Trust? Where’s the zero-trust switch?
Just flip it. Yeah, just turn it on. Sign like, cool. Yeah. So, turn the firewall off, turn the zero-trust box on and then we’re done. Right? Well, not so much.
Step one is, where is our treasure chest that we talked about earlier? Where is that?
So now a lot of the EMRs, EHRs, they’re in the cloud, right?
They’re not even, they’re not on premise. So how do I access them? Does your provider, your EHR, EMR practice management, do they have the ability to utilize your Microsoft 365 logins and SSO and all those things? Because if you tie them together, then you can do the zero-trust thing.
Right. Super cool. So, when we’re working with clients that potentially are thinking about an EMR implementation or change, you know, one of the things we ask now is, can this be part of our zero-trust security model? So, we got to figure that out. You know, what, what goes on there? Where is the data and how are we accessing it?
And once we kind of pull all those pieces together, we put together an implementation kind of plan and a pilot too. So, you, you also want to roll this out, you know, it doesn’t do any, zero trust doesn’t mean a hundred percent lockout either. So, if you, if you don’t know what you’re doing, you, you can, you can set this up accidentally where no one can get in and that’s a problem, right?
It doesn’t do your providers any good if every time they go to a conference in Vegas and they’re not on an airplane, they can’t get into anything or, you know, they’re locked out constantly, none of, you know, none of that matters.
So, it helps to have a partner with experience and implementation too and helping kind of with the training side: you want to have a good experience. And once it’s implemented, you need a group that can continue to monitor it.
This isn’t a one and done, you know, the firewall you put in, you put your firewall rules in for the three applications you want to have access and, and then you, you look at it once a year, well, this doesn’t really work that way.
So, in this model, there’s, there’s a couple of different pieces. Couple of different pieces that can be used in the zero-trust world. MFA is the most common. So, codes, you know, I get a, a text code or authenticator, you know, an authenticator code. That’s, that’s certainly part of it.
Conditional access rules, you know, in 365, that’s really it. The firewall is a box at the perimeter of my network, and is, in my opinion, going to get replaced by this conditional access rule, zero trust, real-time decision. So, it’s a software or an AI-based firewall. That’s really where, where this is headed.
Right? I’m not picking on firewalls specifically, but I, I don’t think they’re super helpful or as helpful as they used to be. Microsoft has a number of technologies that can look in real time at what’s going on and make decisions and you have to have that happening, right?
The biggest thing is that zero-day exploit where the second you click on the link things start happening. So, imagine you click on the link and go and put in your credentials on the site that you didn’t realize wasn’t really the login for your EMR, but it looked just like it.
Before the fallout can happen, or when those credentials are used across the country at the ransomware location, well guess what?
Zero Trust will catch that and lock them out.
The goal is to have no incidents. Obviously, that’s always the goal, but the reality is that’s not going to happen no matter how well it’s set up. But with zero trust, not only do you have vastly fewer incidents, but you also contain those that you have. Does that make sense?
Daniel Buchanan: So they can’t log in anywhere else because there’s a whole new set of conditions that have to be met before they can even log in.
Edward Stringfellow: That’s right. That’s right. So, so it’s, it’s the firewall after the firewall. So, okay, now they’re through the firewall, well that’s not good. But once that does happen, then we can see, oh, this is a high-risk sign-on, and then we can block it. So, from, from that perspective I think, I think zero trust can be super helpful.
Daniel Buchanan: I was really interested because as we were talking about this and getting ready for this, you know, you were saying this is kind of starting to be mandated on Microsoft’s side. We’ve done this for a long time and we have a long track record of successes of rolling this out for years.
So, could you speak a little bit about that?
Edward Stringfellow: Sure. Love the, love the slide here. This guy’s conquering the world. So yes, zero trust is, is an evolution, right? We used to not really think you needed a firewall, then you had to have a firewall. You kind of need antivirus, then you had to have it.
And so, I mean, it’s just a progression, right? And so, we’re definitely at the point where implementing a zero-trust model is, is in our opinion, a must have. I do think our very extensive experience in the 365 ecosystem is unique because we’ve been dealing with authentication, which is key to this zero-trust model.
But the bottom line is we’re very good at centralizing all of our logins and connecting all our systems to this one place that then we can have the AI involved in looking and making these real-time decisions with zero trust. I think that we’ve had a number of groups, private-equity-backed startups, and, and they didn’t have anything, right?
So, for us, it was a blank canvas, and it really validated our approach. It was awesome, actually. No, I’m not going to ever name who they are because then, then, then the ransomware guys maybe put a target on them, but nothing’s foolproof. But in these instances where we started day one with the zero-trust model, and did everything according to our standards and our way, we have not experienced any incidents.
And any incidents we have experienced were immediately caught and neutralized.
I’m reluctant to ever say zero because I think that’s a little bit of a falsehood. But I do think from our time with implementing Zero Trust from an environment that had nothing, that’s worked very well.
The other side of the coin is we’ve found many practices and they need help and they’ve got on-premises servers and just usernames and passwords and providers have got sticky notes with them. It is what it is. It’s like this security thing is killing my business because every time I try to log in it takes 10 minutes and all that kind of stuff.
And so for those groups, success is for us to first kind of get the mindset changed that security can make you more productive.
Obviously more secure, but also more productive if done right. So, we have a number of groups and they’ve come to us, and they said, we’re really struggling with this.
Typically, it’s unfortunately after some type of event, and we found out the hard way that what we were doing wasn’t right. Can you help?
And, and the answer is yes. So again, that’s back to the implementation, understanding where everything is, and having the experience to quantify where everything is and how we work.
Specifically with healthcare, we understand intimately how, how patients flow through a practice and how a provider might work during the day. And everybody logs in from all these different places and you know, all that we, we get so we can set it up in a way that supports your practice rather than slows it down.
Daniel Buchanan: Well, what are some of the things that stop anybody from just rolling this out? I mean, it’s got to be done right, of course. But I mean from what I’ve seen in the conversations I’ve had recently, it doesn’t sound like a lot of this is in place even though companies like Microsoft are starting to try to make this mandatory. What’s the hold up? Why isn’t everybody doing it?
Edward Stringfellow: Well, you know, like anything, it’s just time and money, right? Time and money. And so, you know, oftentimes legacy systems are, are. They weren’t designed for it.
With server-based in-office systems to go multi-site, we put up VPNs, which are a technology that we’re trying to get rid of entirely. And so it was that corporate network and there’s just not the infrastructure there.
These legacy systems just aren’t necessarily designed to connect to this AI-powered zero trust model. That said, most EMRs, EHRs, there, there’s a lot of cloud options. Yes. It will, a lot of times, require going through a conversion, which is not necessarily fun but can be done.
And we’re looking to help our clients roadmap out their need to evolve. We try to put a roadmap together to say, hey, over time, here’s how we’re going to get there. And part of that’s just balancing security with usability.
So, I’ve said it many times, if you want completely secure, you know, IT infrastructure, power off everything and unplug it, right? And don’t touch it. You’re, you’re totally secure and usability is zero.
The flip of that is just free for all, no passwords. Like obviously that would be super usable and then quickly from a security perspective, it would go down. So I think the considerations are just back to that implementation phase and having a group that understands that can talk to you specifically as a practice and say, hey, what are your expectations for usability?
And if a group says, hey, we don’t care, we want it all turned off. Well then, we’re probably not a fit to work together because we do have some level of baseline security that we’ve got to meet. But over time, you know, we can help get buy-in from your organization. I think that’s important.
Training is important and all those kinds of things.
Daniel Buchanan: Oh yeah, I’ve, I’ve added a lot of training resources to the website. We have a lot of learning resources there that are good links and articles and things that I’ve added over the year as this stuff has started to grow. I see a lot of people using those, so that’s, that’s really good.
I mean, I think the buy-in is a big part there though, right? Like if there’s no buy-in from the top, like it almost has to be a culture shift. There has to be buy-in at the highest level. Got to like kind of trickle down because if the providers aren’t using the technology, the secure technology, then kind of what, you know, what difference does it make if everybody else in the, in the company is right?
If they’re having to go through the extra security. Does that, does that make sense?
Edward Stringfellow: It does historically, you know, right, wrong or indifferent historically, you know, the providers and the folks on the front lines, they see a lot of this as a hindrance to them seeing patients and having fewer encounters in a day.
And it’s just, you know, I’m trying to get to the OR to my next case. I don’t have time to mess with this stuff. The, the one thing I would say is, I agree with you, but if you’ll let us walk you through how this could be, the zero trust actually can sit quietly in the background and actually increase productivity, because it doesn’t bother you as much.
You know, for me, I, we’ve got biometrics, so I just look at my laptop, it takes my face, I’ll log, right. I don’t even. It’s, it’s fine. Like it’s totally, totally, it doesn’t ever do anything. I just look at it and it opens much like your, probably your, your mobile device, you know, you just bio in and that, and that’s it.
And so, it sits in the background. It never bothers me. Sure. If I take this laptop and, and, you know, go 500 miles away and I’ve never been there before and I’ve, and I’m trying to access something strange, well, when I look at it, it’s going to prompt for that next thing. But the point is, it, it, it should not interrupt your day.
If done correctly. Right. And so, I think a lot of organizations are missing that. They just see it as one more thing to deal with. When I would say if it was done correctly, not only are you more secure, but you’re also more productive. Mm-hmm.
Daniel Buchanan: Okay. So, I mean, so say you do have buy-in. Say you have got the, you know, you’ve got the, the, the license, whatever’s required.
What’s to stop organizations from just doing this themselves? Great. We’ll just have the office manager flip the switch or we’ll have our in-house team try to take a stab at it, you know, I mean, it sounds pretty straightforward, right?
Edward Stringfellow: I mean, it’s experience. I probably could get on YouTube and figure out, could a, a, maybe a single bypass heart surgery once, and they, they might live.
But that’s not, you know, but I, I don’t want, I want my provider to have done hundreds and have experience and understand all that goes to it, this security thing. There’s, there’s a rise of, of like security specific groups that are different from your, your IT partner and, and my take on that is if you have an IT partner, they better also be a security expert.
It’s, you know, so, so to answer the question, it’s like it’s not, unless you do this every day and have lots of experience across tons of practices, it is just not really possible to, to have the knowledge and experience to, to do this in a way that’s going to have the highest level of success. Right. You might get it right; you might file some documentation.
But I don’t think for this specifically, the risk reward is to find a good partner and, and let them be part of, of helping you get this put in.
Daniel Buchanan: Makes sense. I mean, that’s, I guess, yeah, you can Google it and find out what to do or how to do it, but unless you understand the why and you have a comprehensive sort of understanding it’s probably a fruitful and fruitless endeavor ever.
Right. Like it’s just kind of a wild goose chase that will have really bad consequences.
Edward Stringfellow: Well, yeah. Worse than a wild goose chase. The way you find out you didn’t do it right, is, is it, it wasn’t turned. So, I’ll leave with that kind of, so we, we do a number of, of assessments and reviews for, for prospects of their 365 environment and zero trust and.
Is there a trend that those that are most confident in how it’s set up are actually the ones we find that are, that are set up the, the worst. It’s, I don’t, I can’t quite put my finger on it, but it’s you go in and everything is on. You know, it kind of seems like it’s set up, but it’s actually not turned on.
And I think that that’s back to that experience and that false sense. Oh, we, we did that. It’s, it’s turned on. And, and the reality is, yeah, it is turned on and it’s scoped to no users. Right. You know, or the flip side is it’s turned on in a way that it, it, it locked, locked everybody out.
And so, we just turned it back off. So that experience is a really big deal. And not even, even reading the documentation and following the notes and, you know, all these products and services, you know, they have got kind of the guides. There is just no substitute for having done it multiple times and, and just doing it, you know, for, for a lot of different groups.
Daniel Buchanan: Yeah. Good. Well, that’s great, Edward. I appreciate you sharing that with us today. I think that’s a lot of good information and I definitely have a way better understanding about Zero Trust and why it would matter to a healthcare clinic. So hopefully everybody that’s joined us today got something good out of this.
If you have any questions or comments, be sure to leave them in the comments section below. And we look forward to meeting up with you next month at our next webinar. Thank you so much.
Edward Stringfellow: Thanks for having me, Daniel.
If you’re interested in learning more, please contact us at learnmore@stringfellow.com and schedule your discovery call with one of our senior healthcare business analysts.
Or reach out and schedule a discovery call today; let’s get started and make your clinic safer!
For more information
Zero Trust deployment plan with Microsoft 365 | Microsoft Learn
5 Reasons to Adopt a Zero Trust Security Model (makeuseof.com)